docs(interceptor): document TLS SNI certificate selection#1609
onthebed wants to merge 2 commits into kedacore:main from
Document how the interceptor selects SNI-specific certificates, when it falls back to the default certificate, and what happens when no match is configured. Add a unit test proving an SNI match is preferred over the default certificate and record the change in the changelog.

Fixes kedacore#1600

Signed-off-by: onthebed <1136664562@qq.com>
✅ Snyk checks have passed. No issues have been found so far.
Pull request overview
Updates interceptor documentation and tests to clearly describe and validate TLS certificate selection when SNI is present, including the fallback behavior when no SNI-specific certificate matches.
Changes:
- Added a unit test ensuring SNI-matched certificates are preferred over the default certificate.
- Expanded interceptor serving configuration comments to document SNI/SAN selection and fallback behavior.
- Documented TLS SNI certificate selection flow in developer docs and recorded the change in the changelog.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| interceptor/tls_config_test.go | Adds a unit test for SNI cert preference over the default cert. |
| interceptor/config/serving.go | Documents cert-store based SNI selection and fallback to the default cert paths. |
| docs/developing.md | Adds a “TLS SNI behavior” section describing selection/fallback/handshake failure behavior. |
| CHANGELOG.md | Adds an unreleased Improvements entry for the SNI docs/tests update. |
| ### TLS SNI behavior | ||
| The interceptor can serve more than one certificate from the TLS listener by setting `KEDA_HTTP_PROXY_TLS_CERT_STORE_PATHS` to one or more directories that contain certificate/key pairs. During the TLS handshake it: |
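Review bot: "one or more directories" does not say how several directories are passed in the variable; state that `KEDA_HTTP_PROXY_TLS_CERT_STORE_PATHS` takes a comma-separated list, and name the certificate/key file names that are picked up inside each directory, so a reader can configure the store without reading the loader code.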
Done — the docs now call out that KEDA_HTTP_PROXY_TLS_CERT_STORE_PATHS expects a comma-separated list when multiple directories are configured.
| writeCert(t, dir, "app", "app.example.com") | ||
| opts := TLSOptions{ | ||
| CertificatePath: filepath.Join(dir, "default.crt"), | ||
| KeyPath: filepath.Join(dir, "default.key"), | ||
| CertStorePaths: dir, |
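Review bot: `CertStorePaths: dir` points at the same temporary directory that holds `default.crt`/`default.key`, so the default certificate is also loaded through the store path and the test does not isolate "SNI match beats default" from "store loading works"; write the `app` certificate into a separate temp directory and set `CertStorePaths` to that directory only.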
Done — I moved the additional certificate into a separate temp store directory so the test exercises SNI preference without re-loading the default cert via the store path.
Tighten the TLS SNI docs to mention the comma-separated cert store format and isolate the SNI preference test so the default certificate is not loaded through the store path.

Signed-off-by: onthebed <1136664562@qq.com>
Thanks for the review — I addressed the follow-up comments in Changes in this revision:
Verification:
I'll get the CLA signed — will follow up once it's done.
linkvt left a comment
Thanks for the PR. I left two comments about the docs though; it would be great if you could update that.
| The `PROFILE` variable selects a test profile directory under `test/e2e/` (e.g. `PROFILE=tls` runs `./test/e2e/tls/...`). Each subdirectory in `test/e2e/` is a profile. | ||
| The `RUN` variable filters tests by name using Go's `-run` flag (supports regex, e.g. `RUN=TestColdStart` or `RUN="TestHost|TestPath"`). | ||
| The `E2E_ARGS` variable passes flags to the [e2e-framework](https://github.com/kubernetes-sigs/e2e-framework) via `-args` (e.g. `--labels`, `--feature`, `--skip-labels`, `--dry-run`). | ||
We moved the docs a few hours before you opened the PR here, could you move it there? https://keda.sh/http-add-on/0.14/operations/configure-tls/ (See the Suggest changes button)
| ### TLS SNI behavior | ||
| The interceptor can serve more than one certificate from the TLS listener by setting `KEDA_HTTP_PROXY_TLS_CERT_STORE_PATHS` to a comma-separated list of one or more directories that contain certificate/key pairs. During the TLS handshake it: |
We should probably include more details about the exact file names we expect/support.
Documented the interceptor's TLS SNI certificate selection flow and added coverage for the missing fallback edge case.

The docs now spell out that the proxy first looks for an exact SNI/SAN match from `KEDA_HTTP_PROXY_TLS_CERT_STORE_PATHS`, then falls back to `KEDA_HTTP_PROXY_TLS_CERT_PATH`/`KEDA_HTTP_PROXY_TLS_KEY_PATH`, and fails the handshake if no default certificate exists. Added a unit test proving that an SNI-specific certificate is preferred over the default certificate.

`go test ./interceptor/... ./pkg/...` and `./hack/validate-changelog.sh` pass.

Checklist

README.md

Fixes #1600
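The three-step selection the PR description and the new docs section describe (exact SNI/SAN match from the cert store, then the default certificate, then a failed handshake) is easy to get subtly wrong, so here is a compact Go model of it as a `tls.Config.GetCertificate` callback. This is an added example written for this page, not the interceptor's own code: the `certStore` type, its `bySAN` index and the `selfSigned` helper are assumptions, and the throwaway certificates it generates are constructed test data. It reproduces the PR's unit-test scenario (SNI match preferred over the default) and adds the fallback and no-default cases.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// certStore is a hypothetical stand-in for the interceptor's cert store:
// certificates loaded from the store directories are indexed by DNS SAN,
// and defaultCert holds the CERT_PATH/KEY_PATH pair (nil when not configured).
type certStore struct {
	bySAN       map[string]*tls.Certificate
	defaultCert *tls.Certificate
}

var errNoCertificate = errors.New("no certificate matches SNI and no default certificate is configured")

// add indexes a certificate under every DNS SAN present in its leaf.
func (s *certStore) add(c *tls.Certificate) error {
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	if err != nil {
		return err
	}
	for _, name := range leaf.DNSNames {
		s.bySAN[strings.ToLower(name)] = c
	}
	return nil
}

// getCertificate implements the documented order: exact SNI/SAN match,
// then the default certificate, otherwise an error that fails the handshake.
func (s *certStore) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if name := strings.ToLower(strings.TrimSuffix(hello.ServerName, ".")); name != "" {
		if c, ok := s.bySAN[name]; ok {
			return c, nil
		}
	}
	if s.defaultCert != nil {
		return s.defaultCert, nil
	}
	return nil, errNoCertificate
}

// selfSigned builds a throwaway self-signed certificate for one DNS SAN
// (constructed test data, not a real certificate).
func selfSigned(san string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: san},
		DNSNames:     []string{san},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// selectFor builds a store from storeSANs plus an optional default SAN, runs
// the selection for one SNI value and reports the chosen certificate's SAN.
func selectFor(storeSANs []string, defaultSAN, sni string) (string, error) {
	s := &certStore{bySAN: map[string]*tls.Certificate{}}
	for _, san := range storeSANs {
		c, err := selfSigned(san)
		if err != nil {
			return "", err
		}
		if err := s.add(c); err != nil {
			return "", err
		}
	}
	if defaultSAN != "" {
		c, err := selfSigned(defaultSAN)
		if err != nil {
			return "", err
		}
		s.defaultCert = c
	}
	c, err := s.getCertificate(&tls.ClientHelloInfo{ServerName: sni})
	if err != nil {
		return "", err
	}
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	if err != nil {
		return "", err
	}
	return leaf.DNSNames[0], nil
}

func main() {
	for _, tc := range []struct {
		store    []string
		def, sni string
	}{
		{[]string{"app.example.com"}, "default.example.com", "app.example.com"},   // SNI match wins
		{[]string{"app.example.com"}, "default.example.com", "other.example.com"}, // falls back to default
		{[]string{"app.example.com"}, "", "other.example.com"},                    // no default: handshake fails
	} {
		san, err := selectFor(tc.store, tc.def, tc.sni)
		fmt.Printf("sni=%q -> cert=%q err=%v\n", tc.sni, san, err)
	}
}
```

Wire `getCertificate` in as `tls.Config{GetCertificate: s.getCertificate}`; returning an error from that callback is what makes Go's TLS server abort the handshake, which is the "fails the handshake if no default certificate exists" behaviour the docs describe. Keeping the store keyed by lowercased SAN also covers the case where the default certificate's own SANs are loaded through the store path, which is why the test in this PR isolates the store directory.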