
Conversation

@wozniakjan (Member)

@wozniakjan wozniakjan commented Aug 23, 2024

#928 added rudimentary support for interceptor data path TLS. A major limitation is that it allows only a single cert/key pair, meaning that the user must have all their domains as SANs in this single cert. In Kubernetes, this is rarely the case. Frequently each Ingress has a dedicated cert.

This PR adds a new ENV variable KEDA_HTTP_PROXY_TLS_CERT_STORE_PATHS where users can define a comma-separated list of directories that will be recursively searched for any valid cert/key pairs. Currently, two naming patterns are supported:

  • XYZ.crt + XYZ.key - this is a convention when using Kubernetes Secrets of type tls
  • XYZ.pem + XYZ-key.pem

The matching between certs and requests is performed during the TLS ClientHello message, where the SNI service name is compared to the SANs provided in each cert, and the first matching cert will be used for the rest of the TLS handshake.

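The discovery and SNI-matching flow described in the PR, as an added example written for this page in Go (the language of the add-on); it is not the http-add-on's own code. CertStore, LoadCertStore, keyPathFor and WriteSelfSigned are hypothetical names chosen here; only the env var KEDA_HTTP_PROXY_TLS_CERT_STORE_PATHS and the two file-naming conventions come from the PR description. The certificates are self-signed fixtures constructed in a temp directory so the example runs offline:

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"io/fs"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// CertStore holds every loaded pair in discovery (lexical path) order. Hypothetical type.
type CertStore struct{ Certs []tls.Certificate }

// keyPathFor maps a cert file to its key under the PR's two conventions (XYZ.crt + XYZ.key,
// XYZ.pem + XYZ-key.pem); "" means "not a cert file", which includes XYZ-key.pem itself.
func keyPathFor(certPath string) string {
	switch {
	case strings.HasSuffix(certPath, "-key.pem"):
		return ""
	case strings.HasSuffix(certPath, ".crt"):
		return strings.TrimSuffix(certPath, ".crt") + ".key"
	case strings.HasSuffix(certPath, ".pem"):
		return strings.TrimSuffix(certPath, ".pem") + "-key.pem"
	}
	return ""
}

// LoadCertStore takes the comma-separated directory list (the shape of the
// KEDA_HTTP_PROXY_TLS_CERT_STORE_PATHS value) and walks each directory recursively.
func LoadCertStore(paths string) (*CertStore, error) {
	store := &CertStore{}
	for _, dir := range strings.Split(paths, ",") {
		if dir = strings.TrimSpace(dir); dir == "" {
			continue // tolerate "a/, b/," style values
		}
		err := filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
			if err != nil || d.IsDir() {
				return err // a missing directory is a real error: most likely a broken volume mount
			}
			keyPath := keyPathFor(p)
			if keyPath == "" {
				return nil
			}
			cert, err := tls.LoadX509KeyPair(p, keyPath)
			if err == nil { // parse the leaf once here rather than on every handshake
				cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
			}
			if err != nil {
				return nil // no key file, bad PEM, or key/cert mismatch: skip this file
			}
			store.Certs = append(store.Certs, cert)
			return nil
		})
		if err != nil {
			return nil, err
		}
	}
	return store, nil
}

// GetCertificate is the tls.Config callback run on ClientHello: the first cert whose SANs cover
// the SNI name wins. VerifyHostname honours wildcard SANs and ignores the legacy CommonName;
// a client that sends no SNI, or an unknown name, gets an error and the handshake fails.
func (s *CertStore) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	for i := range s.Certs {
		if s.Certs[i].Leaf.VerifyHostname(hello.ServerName) == nil {
			return &s.Certs[i], nil
		}
	}
	return nil, errors.New("no certificate for SNI name " + hello.ServerName)
}

// WriteSelfSigned writes a throwaway self-signed cert and key for dnsNames (at least one) to the
// given paths. Constructed fixture for this example; in a cluster the files come from Secrets.
func WriteSelfSigned(certPath, keyPath string, dnsNames ...string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: dnsNames[0]}, DNSNames: dnsNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key generated just above
	if err := os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return err
	}
	return os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
}
```

Wire it into the listener with `&tls.Config{GetCertificate: store.GetCertificate}`. Two things to watch when reproducing the PR's "first match wins" semantics: the order is lexical path order, so when an explicit cert and a wildcard cert both cover a name the one that sorts first is served; and a client that sends no SNI gets no certificate at all rather than a default. Also, a Kubernetes Secret volume exposes each file both as a symlink and inside the `..<timestamp>` directory the symlink resolves to, so a recursive walk like this one loads each pair twice; harmless with first-match, but worth deduplicating.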

@wozniakjan wozniakjan changed the title feat: support setting multiple TLS certs for different domains feat: support setting multiple TLS certs for different domains on the interceptor proxy Aug 23, 2024
@wozniakjan wozniakjan force-pushed the interceptor/support_multiple_tls_certs branch 5 times, most recently from 74e218e to 378388b August 23, 2024 14:15
@wozniakjan wozniakjan force-pushed the interceptor/support_multiple_tls_certs branch 4 times, most recently from df71d14 to ace3a9d August 27, 2024 08:53
@wozniakjan wozniakjan force-pushed the interceptor/support_multiple_tls_certs branch from ace3a9d to 2a565cf August 27, 2024 11:26
@wozniakjan wozniakjan marked this pull request as ready for review August 27, 2024 11:58
@wozniakjan wozniakjan requested a review from a team as a code owner August 27, 2024 11:58
@wozniakjan wozniakjan merged commit 8a1d490 into kedacore:main Aug 27, 2024
kahirokunn pushed a commit to kahirokunn/http-add-on that referenced this pull request Oct 22, 2024