feat: Add TLS support with client certificates to Artemis scaler #7106
zroubalik merged 6 commits into kedacore:main from
Implements TLS/HTTPS support for ActiveMQ Artemis scaler to enable secure connections following the pattern from ActiveMQ scaler.
Changes:
- Added UnsafeSsl metadata field (default: false) to artemisMetadata
- Updated HTTP client creation to use kedautil.CreateHTTPClient with TLS
- Added 4 test cases for HTTPS endpoints in testArtemisMetadata
- Added 3 dedicated unit tests for TLS configuration validation
- Supports both HTTP (backward compatible) and HTTPS endpoints
- Secure by default with optional self-signed certificate support
Related to: kedacore#6448
Test Coverage:
- HTTP endpoints (backward compatibility)
- HTTPS with valid certificates (unsafeSsl=false)
- HTTPS with self-signed certificates (unsafeSsl=true)
- Custom HTTPS restApiTemplate support
- Default UnsafeSsl value validation
Signed-off-by: thc1006 <84045975+thc1006@users.noreply.github.com>
This commit implements comprehensive TLS/HTTPS support for the ActiveMQ Artemis scaler, addressing GitHub issue kedacore#6448.
Changes:
- Add unsafeSsl field to allow self-signed certificates
- Add ca, cert, key, keyPassword fields for mutual TLS authentication
- Implement certificate validation (cert and key must be provided together)
- Integrate with kedautil.NewTLSConfigWithPassword for TLS configuration
- Add 9 comprehensive test cases covering all TLS scenarios:
  * Basic unsafeSsl functionality (default, true, false)
  * Client certificate authentication
  * Password-protected private keys
  * CA certificate validation
  * Error handling for mismatched cert/key pairs
The implementation follows the established pattern from RabbitMQ, Temporal, and IBM MQ scalers, ensuring consistency across the KEDA codebase.
Fixes kedacore#6448
Signed-off-by: thc1006 <84045975+thc1006@users.noreply.github.com>
Thank you for your contribution! 🙏 Please understand that we will do our best to review your PR and give you feedback as soon as possible, but please bear with us if it takes a little longer than expected. While you are waiting, make sure to:
Once the initial tests are successful, a KEDA member will ensure that the e2e tests are run. Once the e2e tests have been successfully completed, the PR may be merged at a later date. Please be patient. Learn more about our contribution guide.
Update generated schema files to include new TLS configuration fields (unsafeSsl, ca, cert, key, keyPassword) for the Artemis scaler. Signed-off-by: thc1006 <84045975+thc1006@users.noreply.github.com>
/run-e2e artemis
Pull Request Overview
This PR adds comprehensive TLS/HTTPS support to the ActiveMQ Artemis scaler to enable secure connections with client certificates and custom CA validation. The implementation follows established patterns from other KEDA scalers (RabbitMQ, Temporal, IBM MQ) for consistency.
- Adds TLS configuration fields (unsafeSsl, ca, cert, key, keyPassword) to support various TLS scenarios
- Integrates with existing KEDA TLS utilities for secure HTTP client configuration
- Implements validation to ensure cert and key are provided together for mutual TLS
Reviewed Changes
Copilot reviewed 3 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pkg/scalers/artemis_scaler.go | Adds TLS metadata fields, certificate validation logic, and TLS-enabled HTTP client configuration |
| pkg/scalers/artemis_scaler_test.go | Comprehensive test coverage for all TLS scenarios including validation, error cases, and configuration parsing |
| CHANGELOG.md | Documents the new TLS feature addition |
Pull Request Overview
Copilot reviewed 3 out of 5 changed files in this pull request and generated no new comments.
@zroubalik @wozniakjan Review request
/run-e2e artemis
Could you open a PR in docs repo documenting new values?
Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com>
/run-e2e artemis
- Add metadataVariableReadable, envVariableReadable, and triggerAuthenticationVariableReadable to validation whitelist
- Add parameters field to validation whitelist
- Add deprecated field support (in addition to deprecatedAnnounce)
Fixes s390x CI validation failure caused by schema format changes in main branch.
Signed-off-by: thc1006 <84045975+thc1006@users.noreply.github.com>
Hi @JorTurFer, I've identified and fixed the CI issue:
Problem
The s390x validation job was failing due to new schema fields (, , , ) not being in the validation whitelist in
Solution
Updated the schema validation script to include these new fields. The schema is now properly validated.
Documentation PR
I'm preparing a documentation PR for the keda-docs repository to document the new TLS parameters. I'll link it here once it's ready.
Latest commit: a2cf50c fix: Update schema validation script for new schema fields
/run-e2e artemis
Sorry, I meant opening a PR changing this file -> https://github.com/kedacore/keda-docs/blob/main/content/docs/2.18/scalers/artemis.md It's the public documentation published in keda.sh
@thc1006 FYI, we plan to ship a new release tomorrow. In case you would like to include this feature in this release, we would need the docs PR ready.
- Document unsafeSsl parameter for HTTPS connections
- Add TLS authentication parameters (ca, cert, key, keyPassword)
- Include example configurations for TLS scenarios:
  * HTTPS with self-signed certificates
  * Mutual TLS with client certificates
Related to kedacore/keda#7106
Signed-off-by: thc1006 <84045975+thc1006@users.noreply.github.com>
Hi @JorTurFer @zroubalik, Documentation PR is now ready!
Docs PR: kedacore/keda-docs#1637
What's Included
The documentation covers all new TLS parameters:
Examples Provided
Ready for tomorrow's release!
awesome! Thanks a lot! 🙇
/run-e2e artemis
…acore#7106) Signed-off-by: thc1006 <84045975+thc1006@users.noreply.github.com> Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com> Co-authored-by: Jan Wozniak <wozniak.jan@gmail.com> Signed-off-by: Dmitriy Altuhov <altuhovd@gmail.com>
…acore#7106) Signed-off-by: thc1006 <84045975+thc1006@users.noreply.github.com> Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com> Co-authored-by: Jan Wozniak <wozniak.jan@gmail.com>
Description
This PR implements comprehensive TLS/HTTPS support for the ActiveMQ Artemis scaler, addressing issue #6448.
Changes
Core Implementation
- unsafeSsl field to allow connections to HTTPS endpoints with self-signed certificates
- ca, cert, key, keyPassword fields for mutual TLS authentication
- kedautil.NewTLSConfigWithPassword for TLS configuration
Test Coverage
Documentation
Implementation Details
The implementation follows the established pattern from RabbitMQ, Temporal, and IBM MQ scalers, ensuring consistency across the KEDA codebase.
TLS Parameters:
- unsafeSsl (triggerMetadata) - Skip TLS certificate verification
- ca (authParams) - CA certificate for server verification
- cert (authParams) - Client certificate for mTLS
- key (authParams) - Client private key for mTLS
- keyPassword (authParams) - Password for encrypted private key
Use Cases:
- unsafeSsl: true)
- unsafeSsl: false)
Testing
All tests pass successfully:
Checklist
Fixes #6448