kedacore · JorTurFer · Feb 9, 2023 · Feb 2, 2023 · Feb 2, 2023 · Feb 2, 2023
@@ -62,6 +62,7 @@ Here is an overview of all new **experimental** features:
 
 - **General**: Add a warning when KEDA run outside supported k8s versions ([#4130](https://github.com/kedacore/keda/issues/4130))
 - **General**: Use (self-signed) certificates for all the communications (internals and externals) ([#3931](https://github.com/kedacore/keda/issues/3931))
+- **General**: Use TLS1.2 as minimum TLS version ([#4193](https://github.com/kedacore/keda/issues/4193))
 - **Hashicorp Vault**: Add support to secrets backend version 1 ([#2645](https://github.com/kedacore/keda/issues/2645))
 - **RabbitMQ Scaler**:  Add TLS support ([#967](https://github.com/kedacore/keda/issues/967))
 - **Redis Scalers**: Add support to Redis 7 ([#4052](https://github.com/kedacore/keda/issues/4052))

@@ -94,7 +94,10 @@ func NewTLSConfig(auth *AuthMeta) (*tls.Config, error) {
 }
 
 func CreateHTTPRoundTripper(roundTripperType TransportType, auth *AuthMeta, conf ...*HTTPTransport) (rt http.RoundTripper, err error) {
-	tlsConfig := &tls.Config{InsecureSkipVerify: false}
+	tlsConfig := &tls.Config{
+		MinVersion:         kedautil.GetMinTLSVersion(),
+		InsecureSkipVerify: false,
+	}
 	if auth != nil && (auth.CA != "" || auth.EnableTLS) {
 		tlsConfig, err = NewTLSConfig(auth)
 		if err != nil || tlsConfig == nil {

@@ -244,7 +244,10 @@ func newElasticsearchClient(meta *elasticsearchMetadata, logger logr.Logger) (*e
 	}
 
 	transport := http.DefaultTransport.(*http.Transport)
-	transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: meta.unsafeSsl}
+	transport.TLSClientConfig = &tls.Config{
+		MinVersion:         kedautil.GetMinTLSVersion(),
+		InsecureSkipVerify: meta.unsafeSsl,
+	}
 	config.Transport = transport
 
 	esClient, err := elasticsearch.NewClient(config)

@@ -179,7 +179,10 @@ func (s *IBMMQScaler) getQueueDepthViaHTTP(ctx context.Context) (int64, error) {
 	req.SetBasicAuth(s.metadata.username, s.metadata.password)
 
 	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: s.metadata.tlsDisabled},
+		TLSClientConfig: &tls.Config{
+			MinVersion:         kedautil.GetMinTLSVersion(),
+			InsecureSkipVerify: s.metadata.tlsDisabled,
+		},
 	}
 	client := kedautil.CreateHTTPClient(s.defaultHTTPTimeout, false)
 	client.Transport = tr

@@ -52,7 +52,10 @@ func NewInfluxDBScaler(config *ScalerConfig) (Scaler, error) {
 	client := influxdb2.NewClientWithOptions(
 		meta.serverURL,
 		meta.authToken,
-		influxdb2.DefaultOptions().SetTLSConfig(&tls.Config{InsecureSkipVerify: meta.unsafeSsl}))
+		influxdb2.DefaultOptions().SetTLSConfig(&tls.Config{
+			MinVersion:         kedautil.GetMinTLSVersion(),
+			InsecureSkipVerify: meta.unsafeSsl,
+		}))
 
 	return &influxDBScaler{
 		client:     client,

@@ -113,6 +113,7 @@ func (s *PredictKubeScaler) setupClientConn() error {
 	if !grpcConf.Conn.Insecure {
 		clientOpt = append(clientOpt, grpc.WithTransportCredentials(
 			credentials.NewTLS(&tls.Config{
+				MinVersion: kedautil.GetMinTLSVersion(),
 				ServerName: mlEngineHost,
 			}),
 		))

@@ -464,6 +464,7 @@ func getRedisClusterClient(ctx context.Context, info redisConnectionInfo) (*redi
 	}
 	if info.enableTLS {
 		options.TLSConfig = &tls.Config{
+			MinVersion:         kedautil.GetMinTLSVersion(),
 			InsecureSkipVerify: info.unsafeSsl,
 		}
 	}
@@ -488,6 +489,7 @@ func getRedisSentinelClient(ctx context.Context, info redisConnectionInfo, dbInd
 	}
 	if info.enableTLS {
 		options.TLSConfig = &tls.Config{
+			MinVersion:         kedautil.GetMinTLSVersion(),
 			InsecureSkipVerify: info.unsafeSsl,
 		}
 	}
@@ -509,6 +511,7 @@ func getRedisClient(ctx context.Context, info redisConnectionInfo, dbIndex int)
 	}
 	if info.enableTLS {
 		options.TLSConfig = &tls.Config{
+			MinVersion:         kedautil.GetMinTLSVersion(),
 			InsecureSkipVerify: info.unsafeSsl,
 		}
 	}

@@ -18,18 +18,42 @@ package util
 
 import (
 	"crypto/tls"
+	"fmt"
 	"net/http"
+	"os"
 	"time"
+
+	ctrl "sigs.k8s.io/controller-runtime"
 )
 
 var disableKeepAlives bool
+var minTLSVersion uint16
 
 func init() {
+	setupLog := ctrl.Log.WithName("http_setup")
 	var err error
 	disableKeepAlives, err = ResolveOsEnvBool("KEDA_HTTP_DISABLE_KEEP_ALIVE", false)
 	if err != nil {
 		disableKeepAlives = false
 	}
+
+	minTLSVersion = tls.VersionTLS12
+	version, found := os.LookupEnv("KEDA_HTTP_MIN_TLS_VERSION")
+	if found {
+		switch version {
+		case "TLS13":
+			minTLSVersion = tls.VersionTLS13
+		case "TLS12":
+			minTLSVersion = tls.VersionTLS12
+		case "TLS11":
+			minTLSVersion = tls.VersionTLS11
+		case "TLS10":
+			minTLSVersion = tls.VersionTLS10
+		default:
+			setupLog.Info(fmt.Sprintf("%s is not a valid value, using `TLS12`. Allowed values are: `TLS13`,`TLS12`,`TLS11`,`TLS10`", version))
+			minTLSVersion = tls.VersionTLS12
+		}
+	}
 }
 
 // HTTPDoer is an interface that matches the Do method on
@@ -48,8 +72,11 @@ func CreateHTTPClient(timeout time.Duration, unsafeSsl bool) *http.Client {
 		timeout = 300 * time.Millisecond
 	}
 	transport := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: unsafeSsl},
-		Proxy:           http.ProxyFromEnvironment,
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: unsafeSsl,
+			MinVersion:         GetMinTLSVersion(),
+		},
+		Proxy: http.ProxyFromEnvironment,
 	}
 	if disableKeepAlives {
 		// disable keep http connection alive
@@ -62,3 +89,7 @@ func CreateHTTPClient(timeout time.Duration, unsafeSsl bool) *http.Client {
 	}
 	return httpClient
 }
+
+func GetMinTLSVersion() uint16 {
+	return minTLSVersion
+}
@@ -54,7 +54,9 @@ func decryptClientKey(clientKey, clientKeyPassword string) ([]byte, error) {
 func NewTLSConfigWithPassword(clientCert, clientKey, clientKeyPassword, caCert string) (*tls.Config, error) {
 	valid := false
 
-	config := &tls.Config{}
+	config := &tls.Config{
+		MinVersion: GetMinTLSVersion(),
+	}
 
 	if clientCert != "" && clientKey != "" {
 		key := []byte(clientKey)