Open
Description
Report
- We always use TLS 1.3 as the minimum TLS version for the grpc client.
- When compiling in FIPS mode (BoringCrypto with limited approved TLS versions) and Go 1.23, this causes a runtime issue: `no supported versions satisfy MinVersion and MaxVersion`

For the http client we allow setting the min TLS version with `KEDA_HTTP_MIN_TLS_VERSION`. Not sure why we don't allow configuring the value for the grpc client as well.
Expected Behavior
- It would be nice if we could control the min TLS version for grpc client.
- Not sure if through the same env variable (`KEDA_HTTP_MIN_TLS_VERSION`) or introduce a different one.
Actual Behavior
For the grpc client, the min TLS version is hardcoded to 1.3.
Steps to Reproduce the Problem
If you want to see the FIPS issue:
- Compile with `go 1.23.2` with `GOEXPERIMENT=boringcrypto`
- Run the services in cluster
- You'll see this in the metrics adapter:
```
W1024 18:24:27.886000 1 logging.go:55] [core] [Channel #1 SubChannel #53]grpc: addrConn.createTransport failed to connect to {Addr: "172.20.74.146:9666", ServerName: "keda-operator.keda.svc.cluster.local:9666", }. Err: connection error: desc = "transport: authentication handshake failed: tls: no supported versions satisfy MinVersion and MaxVersion"
```
KEDA Version
2.15.0
Kubernetes Version
1.30
Platform
Any
Scaler Details
No response
Anything else?
In Go main branch they approved TLS 1.3 for FIPS but in 1.23.2 it's still not there.
Status
Proposed
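
The failure reported above can be reproduced without a FIPS toolchain. The Go sketch below is an added example, not KEDA's code: it caps `MaxVersion` at TLS 1.2 to stand in for the FIPS build described in the issue, shows that a hardcoded TLS 1.3 minimum is rejected by `crypto/tls` before any bytes are sent, and resolves the minimum from an environment variable instead. The variable name `KEDA_GRPC_MIN_TLS_VERSION`, the accepted values `TLS12`/`TLS13`, and all helper names are assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"os"
	"strings"
)

// grpcMinTLSEnv is a hypothetical variable name; the issue leaves the name open.
const grpcMinTLSEnv = "KEDA_GRPC_MIN_TLS_VERSION"

// minTLSVersion resolves the minimum TLS version from envVar and falls back to
// def when it is unset. The accepted strings are assumed; unknown values are rejected.
func minTLSVersion(envVar string, def uint16) (uint16, error) {
	switch v := os.Getenv(envVar); v {
	case "":
		return def, nil
	case "TLS12":
		return tls.VersionTLS12, nil
	case "TLS13":
		return tls.VersionTLS13, nil
	default:
		return 0, fmt.Errorf("%s: unsupported value %q", envVar, v)
	}
}

// clientConfig caps MaxVersion at TLS 1.2, standing in for a FIPS build
// that does not yet approve TLS 1.3 (constructed, not a real FIPS toolchain).
func clientConfig(minVer uint16) *tls.Config {
	return &tls.Config{ServerName: "keda-operator.keda.svc.cluster.local", MinVersion: minVer, MaxVersion: tls.VersionTLS12}
}

// versionRangeRejected reports whether crypto/tls refuses cfg before sending a
// ClientHello. The peer end is closed, so a config that passes the version
// check fails later with a pipe error instead of the version-range error.
func versionRangeRejected(cfg *tls.Config) bool {
	client, peer := net.Pipe()
	peer.Close()
	defer client.Close()
	err := tls.Client(client, cfg).Handshake()
	return err != nil && strings.Contains(err.Error(), "no supported versions satisfy MinVersion and MaxVersion")
}

func main() {
	fmt.Println("hardcoded TLS 1.3 rejected:", versionRangeRejected(clientConfig(tls.VersionTLS13)))
	os.Setenv(grpcMinTLSEnv, "TLS12")
	minVer, err := minTLSVersion(grpcMinTLSEnv, tls.VersionTLS13)
	fmt.Println("env value error:", err, "rejected:", versionRangeRejected(clientConfig(minVer)))
}
```

Keeping TLS 1.3 as the default and rejecting unknown values means a typo in the variable fails loudly rather than silently lowering the minimum.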