The external scaler implementation maintains a shared gRPC connection pool to optimize resource usage. However, the pool cache key is derived exclusively from the scalerAddress value and does not incorporate the transport security parameters that define dialing credentials.
While getClientForConnectionPool assembles a tlsConfig based on ScaledObject metadata (including client certificates and CA bundles), these settings are missing from the cache key. Consequently, if a connection already exists for a specific address, that connection is reused even when a new ScaledObject requires completely different TLS or mTLS settings.
We have to include the TLS settings in the cache key to ensure that credentials are not reused unexpectedly
The external scaler implementation maintains a shared gRPC connection pool to optimize resource usage. However, the pool cache key is derived exclusively from the scalerAddress value and does not incorporate the transport security parameters that define dialing credentials.
While getClientForConnectionPool assembles a tlsConfig based on ScaledObject metadata (including client certificates and CA bundles), these settings are missing from the cache key. Consequently, if a connection already exists for a specific address, that connection is reused even when a new ScaledObject requires completely different TLS or mTLS settings.
We have to include the TLS settings in the cache key to ensure that credentials are not reused unexpectedly