diff --git a/keda/README.md b/keda/README.md
index fa4f30539..14a77f2d2 100644
--- a/keda/README.md
+++ b/keda/README.md
@@ -92,6 +92,7 @@ their default values.
 | `hostAliases` | list | `[]` | HostAliases for pod networking ([docs](https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/)) |
 | `http.keepAlive.enabled` | bool | `true` | Enable HTTP connection keep alive |
 | `http.minTlsVersion` | string | `"TLS12"` | The minimum TLS version to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. These have built-in HTTP clients, and this value does not necessarily apply to them) |
+| `http.tlsCipherList` | string | `""` | The list of ciphersuites to use when making HTTP over TLS connections. When left empty or unset, the TLS implementaion will provide a default list of ciphersuites which are believed to be secure. |
 | `http.timeout` | int | `3000` | The default HTTP timeout to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. These have built-in HTTP clients, and the timeout does not necessarily apply to them) |
 | `image.pullPolicy` | string | `"Always"` | Image pullPolicy for all KEDA components |
 | `imagePullSecrets` | list | `[]` | Name of secret to use to pull images to use to pull Docker images |
@@ -119,6 +120,8 @@ their default values.
 | `rbac.enabledCustomScaledRefKinds` | bool | `true` | Whether RBAC for configured CRDs that can have a `scale` subresource should be created |
 | `rbac.scaledRefKinds` | list | `[{"apiGroup":"*","kind":"*"}]` | List of custom resources that support the `scale` subresource and can be referenced by `scaledobject.spec.scaleTargetRef`. The feature needs to be also enabled by `enabledCustomScaledRefKinds`. If left empty, RBAC for `apiGroups: *` and `resources: *, */scale` will be created note: Deployments and StatefulSets are supported out of the box |
 | `securityContext` | object | [See below](#KEDA-is-secure-by-default) | [Security context] for all containers |
+| `service.minTlsVersion` | string | `"TLS13"` | The minimum TLS version to use when KEDA components listen via TLS-enabled services (gRPC & Webhook). |
+| `service.tlsCipherList` | string | `""` | The list of ciphersuites to use when KEDA comonents listen via TLS-enabled services. When left empty or unset, the TLS implementaion will provide a default list of ciphersuites which are believed to be secure. |
 | `tolerations` | list | `[]` | Tolerations for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)) |
 | `watchNamespace` | string | `""` | Defines Kubernetes namespaces to watch to scale their workloads. Default watches all namespaces |
diff --git a/keda/templates/manager/deployment.yaml b/keda/templates/manager/deployment.yaml
index b1a7c5ef6..b4d70175b 100644
--- a/keda/templates/manager/deployment.yaml
+++ b/keda/templates/manager/deployment.yaml
@@ -164,6 +164,12 @@ spec:
 value: {{ .Values.http.timeout | quote }}
 - name: KEDA_HTTP_MIN_TLS_VERSION
 value: {{ .Values.http.minTlsVersion }}
+ - name: KEDA_HTTP_TLS_CIPHER_LIST
+ value: {{ .Values.http.tlsCipherList }}
+ - name: KEDA_SERVICE_MIN_TLS_VERSION
+ value: {{ .Values.service.minTlsVersion }}
+ - name: KEDA_SERVICE_TLS_CIPHER_LIST
+ value: {{ .Values.service.tlsCipherList }}
 {{- if ( not .Values.http.keepAlive.enabled ) }}
 - name: KEDA_HTTP_DISABLE_KEEP_ALIVE
 value: "true"
diff --git a/keda/templates/metrics-server/deployment.yaml b/keda/templates/metrics-server/deployment.yaml
index a0973d576..c7d7357a3 100644
--- a/keda/templates/metrics-server/deployment.yaml
+++ b/keda/templates/metrics-server/deployment.yaml
@@ -107,6 +107,12 @@ spec:
 value: {{ .Values.http.timeout | quote }}
 - name: KEDA_HTTP_MIN_TLS_VERSION
 value: {{ .Values.http.minTlsVersion }}
+ - name: KEDA_HTTP_TLS_CIPHER_LIST
+ value: {{ .Values.http.tlsCipherList }}
+ - name: KEDA_SERVICE_MIN_TLS_VERSION
+ value: {{ .Values.service.minTlsVersion }}
+ - name: KEDA_SERVICE_TLS_CIPHER_LIST
+ value: {{ .Values.service.tlsCipherList }}
 {{- if ( not .Values.http.keepAlive.enabled ) }}
 - name: KEDA_HTTP_DISABLE_KEEP_ALIVE
 value: "true"
diff --git a/keda/values.yaml b/keda/values.yaml
index b9320e2be..fdfe3ea4d 100644
--- a/keda/values.yaml
+++ b/keda/values.yaml
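Review bot: The three new `value:` lines in the manager deployment interpolate `.Values.http.tlsCipherList`, `.Values.service.minTlsVersion` and `.Values.service.tlsCipherList` without `| quote`, unlike `http.timeout` two lines above; with the shipped default `""` the rendered manifest carries a bare `value:` (a YAML null rather than the intended empty string, which stricter schema validators reject), and an operator-supplied cipher list containing `: ` or a leading YAML indicator would break the rendered manifest instead of reaching the pod. Use `value: {{ .Values.http.tlsCipherList | quote }}` (and the same for the two `service.*` values) so each env var is always emitted as a string. The metrics-server hunk in this diff adds the identical unquoted lines and needs the same change. The README row describes `service.minTlsVersion` as covering the gRPC and Webhook listeners, yet only the operator and metrics-server deployments receive `KEDA_SERVICE_MIN_TLS_VERSION` here; if the admission webhooks run from a separate deployment template, confirm it gets the same variables, otherwise the `TLS13` floor would not apply to that listener.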
@@ -596,6 +596,13 @@ affinity: {}
 # -- priorityClassName for all KEDA components
 priorityClassName: ""
+## Service settings for KEDA components which provide a network service or server
+service:
+ # -- The minimum TLS version to use when KEDA components provide a TLS-enabled service.
+ minTlsVersion: "TLS13"
+ # -- The list of ciphersuites to use when KEDA comonents provide a TLS-enabled service. When left empty or unset, the TLS implementaion will provide a default list of ciphersuites which are believed to be secure.
+ tlsCipherList: ""
+
 ## The default HTTP timeout in milliseconds that KEDA should use
 ## when making requests to external services. Removing this defaults to a
 ## reasonable default
@@ -607,6 +614,8 @@ http:
 enabled: true
 # -- The minimum TLS version to use for all scalers that use raw HTTP clients (some scalers use SDKs to access target services. These have built-in HTTP clients, and this value does not necessarily apply to them)
 minTlsVersion: TLS12
+ # -- The list of ciphersuites to use when making HTTP over TLS connections. When left empty or unset, the TLS implementaion will provide a default list of ciphersuites which are believed to be secure.
+ tlsCipherList: ""
 ## This setting lets you enable profiling for all of the components of KEDA and in the specific port you choose
 ## This can be useful when trying to investigate errors like memory leaks or CPU or even look at goroutines to understand better
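Review bot: The `# --` comment above the new `service.tlsCipherList` promises a configurable cipher list, but the same stanza defaults `minTlsVersion` to `"TLS13"`, and assuming the listener is Go's crypto/tls (KEDA is a Go project), TLS 1.3 cipher suites are not configurable and a supplied list only affects TLS 1.2 handshakes — so at the shipped default the setting is presumably a no-op, which the comment should say, e.g. `# -- ... Only consulted for TLS 1.2 connections; with the default minTlsVersion of "TLS13" the list has no effect.`. The `# --` comments in both values.yaml hunks misspell "comonents" and "implementaion", and since this comment style looks like helm-docs input, the typos reappear in both README hunks; fixing them here fixes the table too. `http.minTlsVersion: TLS12` in the second hunk is unquoted while the new `service.minTlsVersion: "TLS13"` is quoted; neither value is ambiguous to a YAML parser, so this is style only, but quoting both keeps the two stanzas consistent.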