Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: allow configuring min tls for grpc #6320

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

or-shachar
Copy link
Contributor

@or-shachar or-shachar commented Nov 7, 2024

This will allow configuring grpc min grpc version very similarly to how we allow configuring the HTTP version.

Checklist

Fixes #6270

Copy link
Member

@zroubalik zroubalik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good in general

@@ -50,8 +53,12 @@ func LoadGrpcTLSCredentials(certDir string, server bool) (credentials.TransportC
}

// Create the credentials and return it
minTlsVersion, err := kedatls.GetMinGrpcTlsVersion()
if err != nil {
ctrl.Log.WithName("grpc_tls_setup").Info(err.Error())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should imho return err here

Copy link
Contributor Author

@or-shachar or-shachar Nov 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I followed the previous behavior that didn't fail the process for invalid value, but selected the default value + returned an error. I can change the function signature to not return an error and perform the logging in the function. wdyt?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hm, I am not sure if we shouldn't just fail here. I mean, the grpc connection wouldn't be functional -> KEDA wouldn't be fully functional either.

WDYT @kedacore/keda-maintainers

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not functional? The error only means that it fell back to default value because the configuration value was wrong.

Copy link
Member

@wozniakjan wozniakjan Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

iiuc, if this returns error, KEDA will default back to TLS 1.3 as min for gRPC. So it might again cause difficulties with boring crypto?

I am also leaning towards failing here because that will tell the user their desired and configured min TLS version wasn't respected. They can then either fix the configuration or knowingly leave the default to KEDA.

Copy link
Contributor Author

@or-shachar or-shachar Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok. I'd make it fail here but I'll keep the same behavior for the HTTP client, because I don't want to introduce breaking change.

Comment on lines +36 to +37
string(TLS10): ctls.VersionTLS10,
string(TLS11): ctls.VersionTLS11,
Copy link
Member

@wozniakjan wozniakjan Nov 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure if it's a good idea to enable TLS 1.0 and 1.1, these are not considered secure anymore. If this code is getting refactored, maybe we remove these?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, probably makes more sense

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even though this will make this change a breaking change for those brave people who still wants to configure it with older TLS... 🫨
should we do it in a different PR?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I defer to @kedacore/keda-core-contributors for their opinion, maybe we announce deprecation first and then remove TLS 1.0 and 1.1 in KEDA 2.18 or 2.19?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah

Copy link
Contributor Author

@or-shachar or-shachar Nov 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can probably add a warning print in case TLS10 or TLS11 was requested:

if version == string(TLS11) || version == string(TLS10) {
		ctrl.Log.WithName("tls_setup").Info(fmt.Sprintf("Warning: Min TLS value %s is insecure and will be removed in KEDA 2.18. Please use TLS12 and above",  version))
	}

Copy link
Member

@JorTurFer JorTurFer Nov 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that we should allow TLS10 until it's deprecated/removed, despite the security of it. We are using TLS1.2 as minimum by default, so I'd just keep them as optional for the users if they enable them (for HTTP, for gRPC is a new feature and we can use 1.2 or above only)

@or-shachar or-shachar force-pushed the ors/grpc-min-tls branch 2 times, most recently from ae7defe to 873f7f5 Compare November 7, 2024 23:16
or-shachar added a commit to or-shachar/keda-docs that referenced this pull request Nov 11, 2024
or-shachar added a commit to or-shachar/keda-docs that referenced this pull request Nov 11, 2024
Supporting kedacore/keda#6320

Signed-off-by: Or Shachar <[email protected]>
Signed-off-by: Or Shachar <[email protected]>
@or-shachar or-shachar marked this pull request as ready for review November 11, 2024 20:34
@or-shachar or-shachar requested a review from a team as a code owner November 11, 2024 20:34
@zroubalik
Copy link
Member

zroubalik commented Nov 18, 2024

/run-e2e internal
Update: You can check the progress here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Cannot configure GRPC TLS minimum version
4 participants