feat: Add Server Certificate Verification (TLS) Support for MySQL Scaler #7151

@mattsunkun

Description

Proposal

I propose adding new metadata parameters, tls and ca, to the KEDA MySQL scaler configuration to enable server certificate verification during TLS/SSL connections.

This feature will allow users to provide a trusted Certificate Authority (CA) certificate, ensuring that the KEDA scaler only connects to an authentic and verified MySQL server, which is a critical requirement for secure production environments.

Use-Case

Currently, the MySQL scaler lacks a dedicated mechanism to explicitly trust a specific CA certificate when connecting to a TLS-enabled MySQL server. This limitation means users cannot guarantee the identity of the MySQL server, leading to potentially insecure connections or preventing secure operation in compliance-heavy environments where strong server identity verification is mandatory.

By adding the proposed parameters, we will support the following use cases:

  • Secure Production Access: Connect reliably to MySQL servers using certificates signed by a private or known public CA by explicitly providing the CA certificate to KEDA.
  • Custom TLS Modes: Offer flexibility for secure connections while aligning with the security features already present in other KEDA scalers (e.g., Kafka, Etcd).

Proposed Metadata Parameters:

| Parameter | Type | Required | Description | Example Values |
| --- | --- | --- | --- | --- |
| tls | string | Optional | Specifies the desired TLS connection mode for server verification. | "verify-ca", "skip-verify", "disable" |
| ca | string | Optional | Required when tls: verify-ca is set. The content of the trusted CA certificate in PEM format, expected to be injected via a Kubernetes Secret or ConfigMap. | PEM certificate content |

Is this a feature you are interested in implementing yourself?

Yes

Anything else?

The implementation will primarily involve changes to pkg/scalers/mysql_scaler.go. We will utilize the underlying Go MySQL driver (go-sql-driver/mysql) to register a custom crypto/tls.Config which will load the certificate provided in the ca parameter into the RootCAs and enforce server verification when tls is set to verify-ca.
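As an added example (not code from this issue or from KEDA), the following Go function sketches the mapping described above using only the standard library: it turns the proposed tls mode into the value for the driver's DSN tls= parameter and, for verify-ca, builds the crypto/tls.Config whose RootCAs hold the ca certificate, which is what the scaler would hand to go-sql-driver/mysql's RegisterTLSConfig. The registration name, the mysqlTLS function and the newTestCA helper (which generates a throwaway self-signed CA as constructed test data) are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// mysqlTLS maps the proposed tls value to the DSN tls= value and, for verify-ca, builds the
// *tls.Config to register with the driver (mysql.RegisterTLSConfig) under the placeholder name.
// Go verifies the server hostname too, so this is stricter than MySQL's chain-only verify-ca.
func mysqlTLS(mode, caPEM string) (string, *tls.Config, error) {
	switch mode {
	case "", "disable":
		return "false", nil, nil
	case "skip-verify": // driver built-in: encrypts, but does not verify the server
		return "skip-verify", nil, nil
	case "verify-ca":
		pool := x509.NewCertPool()
		if caPEM == "" || !pool.AppendCertsFromPEM([]byte(caPEM)) {
			return "", nil, fmt.Errorf("tls=verify-ca requires a PEM CA certificate in ca")
		}
		return "keda-mysql-verify-ca", &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
	}
	return "", nil, fmt.Errorf("unsupported tls mode %q", mode)
}

// newTestCA returns a throwaway self-signed CA certificate in PEM form (constructed test data).
func newTestCA() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-test-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}
```

A missing or unparseable ca with tls=verify-ca is rejected up front, so a misconfigured ScaledObject fails loudly instead of silently connecting without verification.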

This change enhances security and improves feature consistency across the KEDA scaler ecosystem.
