Skip to content

External Scaler gRPC Pool Ignores TLS Context #7687

Description

@JorTurFer

The external scaler implementation maintains a shared gRPC connection pool to optimize resource usage. However, the pool cache key is derived exclusively from the scalerAddress value and does not incorporate the transport security parameters that define dialing credentials.

While getClientForConnectionPool assembles a tlsConfig based on ScaledObject metadata (including client certificates and CA bundles), these settings are missing from the cache key. Consequently, if a connection already exists for a specific address, that connection is reused even when a new ScaledObject requires completely different TLS or mTLS settings.

We have to include the TLS settings in the cache key to ensure that credentials are not reused unexpectedly

Metadata

Metadata

Assignees

Labels

bugSomething isn't workinghelp wantedLooking for support from communitysecurityAll issues related to security

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Ready To Ship

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions