Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support setting multiple TLS certs for different domains on the interceptor proxy #1116

Merged
merged 1 commit into from
Aug 27, 2024
Merged

feat: support setting multiple TLS certs for different domains on the interceptor proxy #1116

merged 1 commit into from
Aug 27, 2024
+346 −28

Conversation

wozniakjan
Copy link
Member

@wozniakjan wozniakjan commented Aug 23, 2024
edited
Loading

#928 added rudimentary support for interceptor data path TLS. A major limitation is that it allows only a single cert/key pair, meaning that user must have all their domains as SANs in this single cert. In Kubernetes, this is rarely the case. Frequently each Ingress has a dedicated cert.

This PR adds a new ENV variable KEDA_HTTP_PROXY_TLS_CERT_STORE_PATHS where users can define a comma-separated list of directories that will be recursively searched for any valid cert/key pairs. Currently, two naming patterns are supported

  • XYZ.crt + XYZ.key - this is a convention when using Kubernetes Secrets of type tls
  • XYZ.pem + XYZ-key.pem

The matching between certs and requests is performed during the TLS ClientHello message, where the SNI service name is compared to SANs provided in each cert and the first matching cert will be used for the rest of the TLS handshake.

Checklist

@wozniakjan wozniakjan changed the title feat: support setting multiple TLS certs for different domains feat: support setting multiple TLS certs for different domains on the interceptor proxy Aug 23, 2024
@wozniakjan wozniakjan force-pushed the interceptor/support_multiple_tls_certs branch 5 times, most recently from 74e218e to 378388b Compare August 23, 2024 14:15
@wozniakjan wozniakjan force-pushed the interceptor/support_multiple_tls_certs branch 4 times, most recently from df71d14 to ace3a9d Compare August 27, 2024 08:53
@wozniakjan
feat: support setting multiple TLS certs for different domains on the…
2a565cf 
… interceptor proxy

Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
@wozniakjan wozniakjan force-pushed the interceptor/support_multiple_tls_certs branch from ace3a9d to 2a565cf Compare August 27, 2024 11:26
@wozniakjan wozniakjan marked this pull request as ready for review August 27, 2024 11:58
@wozniakjan wozniakjan requested a review from a team as a code owner August 27, 2024 11:58
@wozniakjan wozniakjan merged commit 8a1d490 into kedacore:main Aug 27, 2024
18 checks passed
@wozniakjan wozniakjan mentioned this pull request Aug 27, 2024
Merged
kahirokunn pushed a commit to kahirokunn/http-add-on that referenced this pull request Oct 22, 2024
@wozniakjan @kahirokunn
feat: support setting multiple TLS certs for different domains on the…
6a85ab8 
… interceptor proxy (kedacore#1116)

Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zroubalik zroubalik zroubalik approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@wozniakjan @zroubalik