RabbitMQ HTTP Triggers ignore provided TLS Configuration #5668

Closed
Tracked by #5671
nicholass-alcidion opened this issue Apr 9, 2024 · 2 comments · Fixed by #5672
Labels
bug Something isn't working

Comments

@nicholass-alcidion
Contributor

nicholass-alcidion commented Apr 9, 2024

Report

When configuring a RabbitMQ Trigger with tls=enable and ca=x509cert in the associated TriggerAuthentication, the provided CA certificate is ignored when the Trigger is in http mode.

This forces the use of unsafeSSL to connect to a TLS-only RabbitMQ cluster.

Expected Behavior

Supplied TLS parameters (including CA only) should be used for both the HTTP and AMQP connection modes.

Actual Behavior

Trigger fails to activate, and Events on the ScaledObject and logs from KEDA show "tls: failed to verify certificate".

Steps to Reproduce the Problem

apiVersion: v1
kind: Secret
metadata:
  name: rabbitmq-user
  namespace: app
type: Opaque
data:
  amqpUri: X==
  httpUri: X==
  tls: ZW5hYmxl
---
apiVersion: v1
kind: Secret
metadata:
  name: app-intermediate-ca
  namespace: app
type: kubernetes.io/tls
data:
  ca.crt: PEM Encoded Cluster CA Cert
  tls.crt: PEM Encoded Intermediate CA Cert
  tls.key: PEM Encoded Private
---
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: rabbitmq
  namespace: app
spec:
  secretTargetRef:
    - parameter: host
      name: rabbitmq-user
      key: httpUri
    - parameter: tls
      name: rabbitmq-user
      key: tls
    - parameter: ca
      name: app-intermediate-ca
      key: "ca.crt"
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: app-component
  namespace: app
spec:
  scaleTargetRef:
    name: app-component
  minReplicaCount: 0
  maxReplicaCount: 8
  fallback:
    failureThreshold: 3
    replicas: 2
  triggers:
  - type: rabbitmq
    metadata:
      protocol: http
      queueName: xxxx
      mode: QueueLength
      value: "20"
      vhostName: "xxxx"
    authenticationRef:
      name: rabbitmq
  - type: rabbitmq
    metadata:
      protocol: http
      queueName: xxxx
      mode: MessageRate
      value: "100"
      vhostName: "xxxx"
    authenticationRef:
      name: rabbitmq

Logs from KEDA operator

2024-04-09T04:25:32Z    ERROR   scale_handler   error getting scale decision    {"scaledObject.Namespace": "xxxx", "scaledObject.Name": "xxxx", "scaler": "rabbitMQScaler", "error": "error inspecting rabbitMQ: Get \"https://user:password@rabbitmq.rabbitmq.svc:15671/api/queues/xxxx/xxxx\": tls: failed to verify certificate: x509: certificate signed by unknown authority"}
github.com/kedacore/keda/v2/pkg/scaling.(*scaleHandler).getScalerState
        /workspace/pkg/scaling/scale_handler.go:764
github.com/kedacore/keda/v2/pkg/scaling.(*scaleHandl

KEDA Version

2.13.1

Kubernetes Version

1.29

Platform

Other

Scaler Details

RabbitMQ

Anything else?

No response

@nicholass-alcidion nicholass-alcidion added the bug Something isn't working label Apr 9, 2024
@JorTurFer
Member

I've checked the code and you're totally right, the cert data is parsed but the HTTP client doesn't use it at all. Are you willing to open a PR fixing it?

@JorTurFer JorTurFer mentioned this issue Apr 9, 2024
@JorTurFer
Member

Probably we should add here some logic like the logic we execute on other scalers, for example the metrics API:

httpClient := kedautil.CreateHTTPClient(config.GlobalHTTPTimeout, meta.unsafeSsl)
if meta.enableTLS || len(meta.ca) > 0 {
	// named tlsConfig so the scaler config passed in above is not shadowed
	tlsConfig, err := kedautil.NewTLSConfig(meta.cert, meta.key, meta.ca, meta.unsafeSsl)
	if err != nil {
		return nil, err
	}
	httpClient.Transport = kedautil.CreateHTTPTransportWithTLSConfig(tlsConfig)
}
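As an added example (not KEDA's code and not from either participant), the Go program below reproduces the failure mode in the report and shows what changes once the parsed CA is actually wired into the HTTP transport, which is what the snippet above is driving at. Everything in it is constructed for the example: `newHTTPClient`, `issue`, `probe` and `isUnknownAuthority` are hypothetical helpers, and the CA, the leaf certificate for `rabbitmq.rabbitmq.svc` and the `/api/queues/app/work` handler stand in for a real management listener.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newHTTPClient is a hypothetical stand-in for a scaler's client construction: a supplied
// CA must land in Transport.TLSClientConfig.RootCAs; unsafeSSL only switches verification off.
func newHTTPClient(caPEM []byte, unsafeSSL bool, timeout time.Duration) (*http.Client, error) {
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: unsafeSSL}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("ca: no PEM certificates found")
		}
		tlsCfg.RootCAs = pool // drop this line and you get the behaviour in this issue
	}
	return &http.Client{Timeout: timeout, Transport: &http.Transport{TLSClientConfig: tlsCfg}}, nil
}

// isUnknownAuthority matches the "certificate signed by unknown authority" failure in the log above.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func check(err error) {
	if err != nil {
		panic(err) // certificate setup failures are bugs in this example, not runtime conditions
	}
}

// issue generates a P-256 key and a certificate for tmpl, self-signed when
// parent is nil and otherwise signed by parentKey.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	return key, der
}

// probeResult holds one GET error per client: CA never wired into the transport (the
// reported behaviour), CA in RootCAs (the fix), unsafeSSL (the workaround forced on the reporter).
type probeResult struct{ NoCAErr, WithCAErr, UnsafeErr error }

// probe stands up an HTTPS server whose leaf is signed by a throwaway CA
// constructed here (not a real cluster CA) and queries it with each client.
func probe() probeResult {
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example cluster CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	caKey, caDER := issue(caTmpl, nil, nil)
	ca, err := x509.ParseCertificate(caDER)
	check(err)
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}) // what a ca.crt key carries
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "rabbitmq.rabbitmq.svc"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}}
	leafKey, leafDER := issue(leafTmpl, ca, caKey)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"messages":20}`) // constructed stand-in for a management API reply
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}}}
	srv.StartTLS()
	defer srv.Close()
	get := func(caPEM []byte, unsafeSSL bool) error {
		c, err := newHTTPClient(caPEM, unsafeSSL, 5*time.Second)
		if err != nil {
			return err
		}
		resp, err := c.Get(srv.URL + "/api/queues/app/work")
		if err != nil {
			return err
		}
		return resp.Body.Close()
	}
	return probeResult{NoCAErr: get(nil, false), WithCAErr: get(caPEM, false), UnsafeErr: get(nil, true)}
}

func main() { fmt.Printf("%+v\n", probe()) }
```

Running it prints the same x509 "certificate signed by unknown authority" error for the first client and nil for the other two. The difference between those two matters: the log line above shows the management credentials embedded in the URL as basic auth, and an InsecureSkipVerify client sends them to whoever answers on that address, so the unsafeSSL workaround trades certificate verification for exposure of the RabbitMQ user's password to an on-path host.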
