kedacore
diff --git a/‎.github/ISSUE_TEMPLATE/3_bug_report.yml‎
Lines changed: 1 addition & 0 deletions b/‎.github/ISSUE_TEMPLATE/3_bug_report.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎BUILD.md‎
Lines changed: 1 addition & 1 deletion b/‎BUILD.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CHANGELOG.md‎
Lines changed: 11 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎cmd/adapter/main.go‎
Lines changed: 1 addition & 1 deletion b/‎cmd/adapter/main.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.mod‎
Lines changed: 1 addition & 1 deletion b/‎go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.sum‎
Lines changed: 2 additions & 2 deletions b/‎go.sum‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎pkg/metricsservice/client.go‎
Lines changed: 2 additions & 2 deletions b/‎pkg/metricsservice/client.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎pkg/metricsservice/server.go‎
Lines changed: 1 addition & 1 deletion b/‎pkg/metricsservice/server.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/metricsservice/utils/tls.go‎
Lines changed: 91 additions & 6 deletions b/‎pkg/metricsservice/utils/tls.go‎
Lines changed: 91 additions & 6 deletions
diff --git a/‎pkg/scalers/temporal.go‎
Lines changed: 13 additions & 9 deletions b/‎pkg/scalers/temporal.go‎
Lines changed: 13 additions & 9 deletions
@@ -57,6 +57,7 @@ body:
     label: KEDA Version
     description: What version of KEDA that are you running?
     options:
+    - "2.17.2"
     - "2.17.1"
     - "2.17.0"
     - "2.16.1"
 
@@ -135,7 +135,7 @@ All components inspect the folder `/certs` for any certificates inside it. Argum
 
 ```bash
 mkdir -p /certs
-openssl req -newkey rsa:2048 -subj '/CN=localhost' -nodes -keyout /certs/tls.key -x509 -days 3650 -out /certs/tls.crt
+openssl req -newkey rsa:2048 -subj '/CN=localhost' -addext "subjectAltName = DNS:localhost" -nodes -keyout /certs/tls.key -x509 -days 3650 -out /certs/tls.crt
 cp /certs/tls.crt /certs/ca.crt
 ```
 
 
@@ -16,6 +16,7 @@ To learn more about active deprecations, we recommend checking [GitHub Discussio
 ## History
 
 - [Unreleased](#unreleased)
+- [v2.17.2](#v2172)
 - [v2.17.1](#v2171)
 - [v2.17.0](#v2170)
 - [v2.16.1](#v2161)
@@ -91,6 +92,16 @@ New deprecation(s):
 
 - TODO ([#XXX](https://github.com/kedacore/keda/issues/XXX))
 
+## v2.17.2
+
+### Improvements
+
+- **General**: Internal gRPC connection's certificates are hot reloaded ([#6756](https://github.com/kedacore/keda/pull/6756))
+
+### Fixes
+
+- **Temporal Scaler**: Fix Temporal Scaler TLS version ([#6707](https://github.com/kedacore/keda/pull/6707))
+
 ## v2.17.1
 
 ### Improvements
 
@@ -109,7 +109,7 @@ func (a *Adapter) makeProvider(ctx context.Context) (provider.ExternalMetricsPro
 	}
 
 	logger.Info("Connecting Metrics Service gRPC client to the server", "address", metricsServiceAddr)
-	grpcClient, err := metricsservice.NewGrpcClient(metricsServiceAddr, a.SecureServing.ServerCert.CertDirectory, metricsServiceGRPCAuthority, clientMetrics)
+	grpcClient, err := metricsservice.NewGrpcClient(ctx, metricsServiceAddr, a.SecureServing.ServerCert.CertDirectory, metricsServiceGRPCAuthority, clientMetrics)
 	if err != nil {
 		logger.Error(err, "error connecting Metrics Service gRPC client to the server", "address", metricsServiceAddr)
 		return nil, err
 
@@ -213,7 +213,7 @@ require (
 	github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
 
@@ -970,8 +970,8 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
-github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
 
@@ -37,7 +37,7 @@ type GrpcClient struct {
 	connection *grpc.ClientConn
 }
 
-func NewGrpcClient(url, certDir, authority string, clientMetrics *grpcprom.ClientMetrics) (*GrpcClient, error) {
+func NewGrpcClient(ctx context.Context, url, certDir, authority string, clientMetrics *grpcprom.ClientMetrics) (*GrpcClient, error) {
 	defaultConfig := `{
 		"methodConfig": [{
 		  "timeout": "3s",
@@ -50,7 +50,7 @@ func NewGrpcClient(url, certDir, authority string, clientMetrics *grpcprom.Clien
 		  }
 		}]}`
 
-	creds, err := utils.LoadGrpcTLSCredentials(certDir, false)
+	creds, err := utils.LoadGrpcTLSCredentials(ctx, certDir, false)
 	if err != nil {
 		return nil, err
 	}
 
@@ -88,7 +88,7 @@ func (s *GrpcServer) startServer() error {
 func (s *GrpcServer) Start(ctx context.Context) error {
 	<-s.certsReady
 	if s.server == nil {
-		creds, err := utils.LoadGrpcTLSCredentials(s.certDir, true)
+		creds, err := utils.LoadGrpcTLSCredentials(ctx, s.certDir, true)
 		if err != nil {
 			return err
 		}
 
@@ -17,19 +17,30 @@ limitations under the License.
 package utils
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"os"
 	"path"
+	"strings"
+	"sync"
 
+	"github.com/fsnotify/fsnotify"
 	"google.golang.org/grpc/credentials"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
+var log = logf.Log.WithName("grpc_server_certificates")
+
 // LoadGrpcTLSCredentials reads the certificate from the given path and returns TLS transport credentials
-func LoadGrpcTLSCredentials(certDir string, server bool) (credentials.TransportCredentials, error) {
+func LoadGrpcTLSCredentials(ctx context.Context, certDir string, server bool) (credentials.TransportCredentials, error) {
+	caPath := path.Join(certDir, "ca.crt")
+	certPath := path.Join(certDir, "tls.crt")
+	keyPath := path.Join(certDir, "tls.key")
+
 	// Load certificate of the CA who signed client's certificate
-	pemClientCA, err := os.ReadFile(path.Join(certDir, "ca.crt"))
+	pemClientCA, err := os.ReadFile(caPath)
 	if err != nil {
 		return nil, err
 	}
@@ -43,16 +54,90 @@ func LoadGrpcTLSCredentials(certDir string, server bool) (credentials.TransportC
 		return nil, fmt.Errorf("failed to add client CA's certificate")
 	}
 
-	// Load certificate and private key
-	cert, err := tls.LoadX509KeyPair(path.Join(certDir, "tls.crt"), path.Join(certDir, "tls.key"))
+	// Load initial certificate and private key
+	mTLSCertificate, err := tls.LoadX509KeyPair(certPath, keyPath)
 	if err != nil {
 		return nil, err
 	}
 
+	// Start the watcher for cert updates
+	watcher, err := fsnotify.NewWatcher()
+	if err != nil {
+		return nil, err
+	}
+	err = watcher.Add(certDir)
+	if err != nil {
+		return nil, err
+	}
+
+	certMutex := sync.RWMutex{}
+	go func() {
+		log.V(1).Info("starting mTLS certificates monitoring")
+		for {
+			select {
+			case event, ok := <-watcher.Events:
+				if !ok { // Channel was closed (i.e. Watcher.Close() was called).
+					log.Error(err, "watcher stopped")
+					return
+				}
+				// We are only interested on Create changes on ..data dir
+				// as kubernetes creates first a temp folder with the new
+				// cert and then rename the whole folder.
+				// This unix.IN_MOVED_TO is treated as fsnotify.Create
+				if !event.Has(fsnotify.Create) ||
+					!strings.HasSuffix(event.Name, "..data") {
+					continue
+				}
+				log.V(1).Info("detected change on certificates, reloading")
+
+				pemClientCA, err := os.ReadFile(caPath)
+				if err != nil {
+					log.Error(err, "error reading grpc ca certificate")
+					continue
+				}
+				if !certPool.AppendCertsFromPEM(pemClientCA) {
+					log.Error(err, "failed to add client CA's certificate")
+					continue
+				}
+				log.V(1).Info("grpc ca certificate has been updated")
+
+				// Load certificate of the CA who signed client's certificate
+				cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+				if err != nil {
+					log.Error(err, "error reading grpc certificate")
+					continue
+				}
+				certMutex.Lock()
+				mTLSCertificate = cert
+				certMutex.Unlock()
+				log.V(1).Info("grpc mTLS certificate has been updated")
+
+			case err, ok := <-watcher.Errors:
+				if !ok { // Channel was closed (i.e. Watcher.Close() was called).
+					log.Error(err, "watcher stopped")
+					return
+				}
+				log.Error(err, "error reading grpc certificate changes")
+			case <-ctx.Done():
+				log.V(1).Info("stopping mTLS certificates monitoring")
+				return
+			}
+		}
+	}()
+
 	// Create the credentials and return it
 	config := &tls.Config{
-		MinVersion:   tls.VersionTLS13,
-		Certificates: []tls.Certificate{cert},
+		MinVersion: tls.VersionTLS13,
+		GetCertificate: func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			certMutex.RLock()
+			defer certMutex.RUnlock()
+			return &mTLSCertificate, nil
+		},
+		GetClientCertificate: func(_ *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+			certMutex.RLock()
+			defer certMutex.RUnlock()
+			return &mTLSCertificate, nil
+		},
 	}
 	if server {
 		config.ClientAuth = tls.RequireAndVerifyClientCert
 
@@ -209,10 +209,13 @@ func getTemporalClient(ctx context.Context, meta *temporalMetadata, log logr.Log
 		}),
 	}
 
+	var tlsConfig *tls.Config
+
 	if meta.APIKey != "" {
 		dialOptions = append(dialOptions, grpc.WithUnaryInterceptor(
 			func(ctx context.Context, method string, req any, reply any,
-				cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error {
+				cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption,
+			) error {
 				return invoker(
 					metadata.AppendToOutgoingContext(ctx, "temporal-namespace", meta.Namespace),
 					method,
@@ -224,21 +227,22 @@ func getTemporalClient(ctx context.Context, meta *temporalMetadata, log logr.Log
 			},
 		))
 		options.Credentials = sdk.NewAPIKeyStaticCredentials(meta.APIKey)
-		options.ConnectionOptions.TLS = &tls.Config{
-			MinVersion: tls.VersionTLS13,
+		tlsConfig = &tls.Config{
+			MinVersion: kedautil.GetMinTLSVersion(),
 		}
 	}
 
-	options.ConnectionOptions = sdk.ConnectionOptions{
-		DialOptions: dialOptions,
-	}
-
 	if meta.Cert != "" && meta.Key != "" {
-		tlsConfig, err := kedautil.NewTLSConfigWithPassword(meta.Cert, meta.Key, meta.KeyPassword, meta.CA, meta.UnsafeSsl)
+		var err error
+		tlsConfig, err = kedautil.NewTLSConfigWithPassword(meta.Cert, meta.Key, meta.KeyPassword, meta.CA, meta.UnsafeSsl)
 		if err != nil {
 			return nil, err
 		}
-		options.ConnectionOptions.TLS = tlsConfig
+	}
+
+	options.ConnectionOptions = sdk.ConnectionOptions{
+		DialOptions: dialOptions,
+		TLS:         tlsConfig,
 	}
 
 	return sdk.DialContext(ctx, options)
Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ func (a *Adapter) makeProvider(ctx context.Context) (provider.ExternalMetricsPro`
`109`	`109`	`}`
`110`	`110`
`111`	`111`	`logger.Info("Connecting Metrics Service gRPC client to the server", "address", metricsServiceAddr)`
`112`		`- grpcClient, err := metricsservice.NewGrpcClient(metricsServiceAddr, a.SecureServing.ServerCert.CertDirectory, metricsServiceGRPCAuthority, clientMetrics)`
	`112`	`+ grpcClient, err := metricsservice.NewGrpcClient(ctx, metricsServiceAddr, a.SecureServing.ServerCert.CertDirectory, metricsServiceGRPCAuthority, clientMetrics)`
`113`	`113`	`if err != nil {`
`114`	`114`	`logger.Error(err, "error connecting Metrics Service gRPC client to the server", "address", metricsServiceAddr)`
`115`	`115`	`return nil, err`
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ type GrpcClient struct {`
`37`	`37`	`connection *grpc.ClientConn`
`38`	`38`	`}`
`39`	`39`
`40`		`-func NewGrpcClient(url, certDir, authority string, clientMetrics grpcprom.ClientMetrics) (GrpcClient, error) {`
	`40`	`+func NewGrpcClient(ctx context.Context, url, certDir, authority string, clientMetrics grpcprom.ClientMetrics) (GrpcClient, error) {`
`41`	`41`	defaultConfig := `{
`42`	`42`	`"methodConfig": [{`
`43`	`43`	`"timeout": "3s",`
`@@ -50,7 +50,7 @@ func NewGrpcClient(url, certDir, authority string, clientMetrics *grpcprom.Clien`
`50`	`50`	`}`
`51`	`51`	}]}`
`52`	`52`
`53`		`- creds, err := utils.LoadGrpcTLSCredentials(certDir, false)`
	`53`	`+ creds, err := utils.LoadGrpcTLSCredentials(ctx, certDir, false)`
`54`	`54`	`if err != nil {`
`55`	`55`	`return nil, err`
`56`	`56`	`}`
Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ func (s *GrpcServer) startServer() error {`
`88`	`88`	`func (s *GrpcServer) Start(ctx context.Context) error {`
`89`	`89`	`<-s.certsReady`
`90`	`90`	`if s.server == nil {`
`91`		`- creds, err := utils.LoadGrpcTLSCredentials(s.certDir, true)`
	`91`	`+ creds, err := utils.LoadGrpcTLSCredentials(ctx, s.certDir, true)`
`92`	`92`	`if err != nil {`
`93`	`93`	`return err`
`94`	`94`	`}`