Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RabbitMQ HTTP Triggers ignore provided TLS Configuration #5668

Closed
Tracked by #5671
nicholass-alcidion opened this issue Apr 9, 2024 · 2 comments · Fixed by #5672
Closed
Tracked by #5671

RabbitMQ HTTP Triggers ignore provided TLS Configuration #5668

nicholass-alcidion opened this issue Apr 9, 2024 · 2 comments · Fixed by #5672
Labels
bug Something isn't working

Comments

@nicholass-alcidion
Copy link
Contributor

nicholass-alcidion commented Apr 9, 2024

Report

When configuring a RabbitMQ Trigger with tls=enable and ca=x509cert in the assoicated TriggerAuthentication the provided CA certificate is ignored when the Trigger is in http mode.

This forces the use of unsafeSSL to connect to a TLS only RabbitMQ cluster.

Expected Behavior

Supplied TLS paramters (including CA only) shuold be used for both the HTTP and AMQP connection modes.

Actual Behavior

Trigger fails to active and Events on the ScalledObject and logs from Keda show tls: failed to verify certificate

Steps to Reproduce the Problem

apiVersion: v1
data:
  amqpUri: X==
  httpUri: X==
  tls: ZW5hYmxl
kind: Secret
metadata:
  name: abbitmq-user
  namespace: app
type: opaque
apiVersion: v1
kind: Secret
metadata:
  name: intermediate-ca
  namespace: app
type: kubernetes.io/tls
data:
  ca.crt: PEM Encoded Cluster CA Cert
  tls.crt: PEM Encoded Intermediate CA Cert
  tls.key: PEM Encoded Private
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: rabbitmq
  namespace: app
spec:
  secretTargetRef:
    - parameter: host
      name: rabbitmq-user
      key: httpUri
    - parameter: tls
      name: rabbitmq-user
      key: tls
    - parameter: ca
      name: app-intermediate-ca
      key: "ca.crt"
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: app-component
spec:
  scaleTargetRef:
    name: app-component
  minReplicaCount: 0
  maxReplicaCount: 8
  fallback:
    failureThreshold: 3
    replicas: 2
  triggers:
  - type: rabbitmq
    metadata:
      protocol: http
      queueName: xxxx
      mode: QueueLength
      value: "20"
      vhostName: "xxxx"
    authenticationRef:
      name: rabbitmq
  - type: rabbitmq
    metadata:
      protocol: http
      queueName: xxxx
      mode: MessageRate
      value: "100"
      vhostName: "xxxx"
    authenticationRef:
      name: rabbitmq

Logs from KEDA operator

2024-04-09T04:25:32Z    ERROR   scale_handler   error getting scale decision    {"scaledObject.Namespace": "xxxx", "scaledObject.Name": "xxxx", "scaler": "rabbitMQScaler", "error": "error inspecting rabbitMQ: Get \"https://user:[email protected]:15671/api/queues/xxxx/xxxx\": tls: failed to verify certificate: x509: certificate signed by unknown authority"}
github.com/kedacore/keda/v2/pkg/scaling.(*scaleHandler).getScalerState
        /workspace/pkg/scaling/scale_handler.go:764
github.com/kedacore/keda/v2/pkg/scaling.(*scaleHandl

KEDA Version

2.13.1

Kubernetes Version

1.29

Platform

Other

Scaler Details

RabbitMQ

Anything else?

No response

@nicholass-alcidion nicholass-alcidion added the bug Something isn't working label Apr 9, 2024
@JorTurFer
Copy link
Member

I've checked the code and you're totally right, the cert data is parsed but the HTTP client doesn't use it at all. Are you willing to open a PR fixing it?

@JorTurFer JorTurFer mentioned this issue Apr 9, 2024
35 tasks
@JorTurFer
Copy link
Member

Probably we should add here some logic like the logic we execute on other scalers, for example metrics api:

httpClient := kedautil.CreateHTTPClient(config.GlobalHTTPTimeout, meta.unsafeSsl)
if meta.enableTLS || len(meta.ca) > 0 {
config, err := kedautil.NewTLSConfig(meta.cert, meta.key, meta.ca, meta.unsafeSsl)
if err != nil {
return nil, err
}
httpClient.Transport = kedautil.CreateHTTPTransportWithTLSConfig(config)
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
Archived in project
Development

Successfully merging a pull request may close this issue.

2 participants