Kubernete: Support for tls/x509 redis session connections #349
Conversation
| @@ -22,7 +22,7 @@ spec: | |||
| - | | |||
| echo "Copying configuration file" | |||
| cp /tmp/redis/redis.conf /etc/redis/redis.conf | |||
| if [ "$(redis-cli -h sentinel -p 5000 ping)" != "PONG" ]; then | |||
| if [ "$(redis-cli --tls --cacert /certs/ca.crt -h sentinel -p 5000 ping)" != "PONG" ]; then | |||
There was a problem hiding this comment.
issue will probably crop up here if forcing x509, which can deal with when can test in future
| @@ -33,11 +33,13 @@ spec: | |||
| fi | |||
| else | |||
| echo "Sentinel found, finding master" | |||
| MASTER="$(redis-cli -h sentinel -p 5000 sentinel get-master-addr-by-name mymaster | grep -E '(^redis-\d{1,})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')" | |||
| MASTER="$(redis-cli --tls --cacert /certs/ca.crt -h sentinel -p 5000 sentinel get-master-addr-by-name mymaster | grep -E '(^redis-\d{1,})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')" | |||
There was a problem hiding this comment.
issue will probably crop up here if forcing x509, which can deal with when can test in future
| @@ -27,7 +27,7 @@ spec: | |||
| do | |||
| for i in ${nodes//,/ } | |||
| do | |||
| MASTER=$(redis-cli --no-auth-warning --raw -h $i --user admin -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2) | |||
| MASTER=$(redis-cli --tls --cacert /certs/ca.crt --no-auth-warning --raw -h $i --user admin -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2) | |||
There was a problem hiding this comment.
issue will probably crop up here if forcing x509, which can deal with when can test in future
bradymiller
force-pushed
the
redis-tls-kub
branch
from
66f49f5
to
1cc76ba
Compare
bradymiller
force-pushed
the
redis-tls-kub
branch
from
1cc76ba
to
51df175
Compare
bradymiller
changed the title
bradymiller
force-pushed
the
redis-tls-kub
branch
from
51df175
to
c18ddf9
Compare
|
Good news @bradymiller; the latest release of PHPRedis v6.0.2 (released on 12/16/23) has support for TLS connections and sentinel mode! This should satisfy 6 and 7 on the list above. Additionally there's some good guidance on how to deploy a web application with Redis without the use of haproxy to Kubernetes that can be found here. It's also possible to use nginx + cert-manager to set up encryption between services (i.e. OpenEMR and Redis) within a cluster as well which may eliminate the need entirely to implement x.509 connections for Redis by going down the current path. Finally you should be able to configure a readiness probe within the cluster to detect when the OpenEMR containers are ready to serve traffic. You may be able to specify something like Hope this is helpful! |
fixes #347
Several more steps to get this project ready for commit:
6. FUTURE - Currently building a development version of phpredis to support TLS. In future when the support for TLS is in the production version, can then remove need/support to do the build.When bring this in, change the 7.0.2 to nothing in the deployment script (so will then use the latest)
Some random commands (so I don't forget them) when I come back to this project in future: