
Enabling TLS on redis cluster not working #1036

Open
Leo791 opened this issue Jul 30, 2024 · 0 comments
Labels
question Further information is requested

Comments


Leo791 commented Jul 30, 2024

What version of redis-operator are you using?

redis-operator version: v0.18.0

What operating system and processor architecture are you using (kubectl version)?

Client Version: v1.30.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.30.0

Describe your question

I'm trying to enable TLS on a redis cluster and am encountering some issues. I am using namespaces to isolate everything that has to do with a single instance in its own namespace.

The first issue is that when using v6 of Redis, I get the following error:

sed: /node-conf/nodes.conf: No such file or directory

Running without persistence mode

ACL_MODE is not true, skipping ACL file modification

Starting redis service in cluster mode.....
 
*** FATAL CONFIG FILE ERROR (Redis 6.2.14) ***

Reading the configuration file, at line 24

>>> 'cluster-preferred-endpoint-type hostname'

Bad directive or wrong number of arguments

I was hoping there was a way to override the redis.conf and remove this line.

The other is that when using v7 I manage to spin up a leader container. But then the probes fail to ping the instance and the pod gets stuck in a crash loop:

Events:
  Type     Reason     Age   From               Message
  ----     ------     ----  ----               -------
  Normal   Scheduled  47s   default-scheduler  Successfully assigned redis-12/redis-cluster-leader-0 to kind-worker2
  Normal   Pulled     46s   kubelet            Container image "quay.io/opstree/redis:v7.0.12" already present on machine
  Normal   Created    46s   kubelet            Created container redis-cluster-leader
  Normal   Started    46s   kubelet            Started container redis-cluster-leader
  Warning  Unhealthy  44s   kubelet            Readiness probe failed: Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
Could not connect to Redis at redis-cluster-leader-0:6379: Connection refused
  Warning  Unhealthy  15s (x3 over 35s)  kubelet  Liveness probe failed: command "sh -c redis-cli -h $(hostname) -p ${REDIS_PORT} -a ${REDIS_PASSWORD} --tls --cert ${REDIS_TLS_CERT} --key ${REDIS_TLS_CERT_KEY} --cacert ${REDIS_TLS_CA_KEY} ping" timed out
  Normal   Killing    15s                kubelet  Container redis-cluster-leader failed liveness probe, will be restarted
  Warning  Unhealthy  5s (x6 over 43s)   kubelet  Readiness probe failed: command "sh -c redis-cli -h $(hostname) -p ${REDIS_PORT} -a ${REDIS_PASSWORD} --tls --cert ${REDIS_TLS_CERT} --key ${REDIS_TLS_CERT_KEY} --cacert ${REDIS_TLS_CA_KEY} ping" timed out

Anyone have any ideas on how to get around these issues?

Additional context

I'm adding the certificates and CRD we are currently using:

---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: redis-12
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: redis-tls-ca
  namespace: redis-12
spec:
  ca:
    secretName: redis-tls-ca-cert
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: redis-tls-ca
  namespace: redis-12
spec:
  isCA: true
  commonName: redis
  secretName: redis-tls-ca-cert
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: redis-tls # this name should match the one that appears in kustomizeconfig.yaml
  namespace: redis-12
spec:
  dnsNames:
    - redis-cluster-leader-headless.redis-12.svc.cluster.local
    - redis-cluster-leader-headless.redis-12.svc
    - redis-cluster-leader-headless
  issuerRef:
    kind: Issuer
    name: redis-tls-ca
    group: cert-manager.io
  secretName: redis-tls-cert
---
apiVersion: redis.redis.opstreelabs.in/v1beta2
kind: RedisCluster
metadata:
  name: redis-cluster
  namespace: redis-12
spec:
  clusterSize: 3

  TLS:
    secret:
      optional: false
      secretName: redis-tls-cert

  kubernetesConfig:
    image: quay.io/opstree/redis:v7.0.12
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 101m
        memory: 128Mi
      limits:
        cpu: 101m
        memory: 128Mi
    redisSecret:
      name: redis-12-secret
      key: password

  redisExporter:
    enabled: false
    image: quay.io/opstree/redis-exporter:1.0
    imagePullPolicy: Always
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 100m
        memory: 128Mi

  storage:
    nodeConfVolume: true
    nodeConfVolumeClaimTemplate:
      spec:
        accessModes: ['ReadWriteOnce']
        resources:
          requests:
            storage: 1Gi
    volumeClaimTemplate:
      spec:
        accessModes: ['ReadWriteOnce']
        resources:
          requests:
            storage: 1Gi
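One thing worth checking against the manifests above, as an added example that is not part of the issue or of redis-operator: the probe in the events connects with `-h $(hostname)`, i.e. the short pod name `redis-cluster-leader-0`, while the cert-manager Certificate only lists the headless service under `dnsNames`. If the client verifies the server name, a certificate whose SANs do not cover the name being dialled fails the handshake, and the remedy is to add the missing names (or a wildcard for the headless-service FQDNs) to `dnsNames` rather than to disable verification. The script below applies RFC 6125-style DNS-ID matching to the posted `dnsNames` and to a constructed list of hostnames a StatefulSet pod behind a headless service is reachable by; which names the operator's probe and cluster bus actually use is an assumption. (The Redis 6 error is a separate matter: `cluster-preferred-endpoint-type` is a Redis 7.0 directive that 6.2 does not recognise.)

```python
"""
Check which hostnames a certificate's DNS SANs would cover (added example,
not code from the issue or from redis-operator).
"""
from __future__ import annotations

# dnsNames copied from the Certificate posted in the issue.
CERT_DNS_NAMES = [
    "redis-cluster-leader-headless.redis-12.svc.cluster.local",
    "redis-cluster-leader-headless.redis-12.svc",
    "redis-cluster-leader-headless",
]

# Constructed candidates (assumption): the short pod hostname that
# `-h $(hostname)` resolves to, the pod's headless-service FQDN following the
# usual StatefulSet naming, and the headless service names themselves.
CANDIDATE_HOSTS = [
    "redis-cluster-leader-0",
    "redis-cluster-leader-0.redis-cluster-leader-headless.redis-12.svc.cluster.local",
    "redis-cluster-leader-headless",
    "redis-cluster-leader-headless.redis-12.svc.cluster.local",
]


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; a bare '*' pattern label matches any single label."""
    if pattern == "*":
        return True
    return pattern.lower() == label.lower()


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a DNS SAN entry covers hostname.

    Simplified RFC 6125 section 6.4.3 rules: case-insensitive label-by-label
    comparison; a wildcard is only honoured as the entire leftmost label,
    matches exactly one label, and must be followed by at least two labels
    (so '*' and '*.local' are rejected as too broad).
    """
    san_labels = san.rstrip(".").split(".")
    host_labels = hostname.rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if "*" in san_labels[1:] or (san_labels[0] != "*" and "*" in san_labels[0]):
        return False  # wildcard somewhere other than the whole leftmost label
    if san_labels[0] == "*" and len(san_labels) < 3:
        return False  # overly broad wildcard
    return all(_label_matches(p, h) for p, h in zip(san_labels, host_labels))


def covered_by(hostname: str, dns_names=CERT_DNS_NAMES) -> str | None:
    """Return the first SAN entry that covers hostname, or None if none does."""
    for san in dns_names:
        if san_matches(san, hostname):
            return san
    return None


def audit(hostnames, dns_names=CERT_DNS_NAMES) -> dict[str, str | None]:
    """Map each candidate hostname to the SAN that covers it (None = uncovered)."""
    return {h: covered_by(h, dns_names) for h in hostnames}


if __name__ == "__main__":
    for host, san in audit(CANDIDATE_HOSTS).items():
        print(f"{host}: {'covered by ' + san if san else 'NOT covered'}")
```

Run as-is it reports the two headless-service names as covered and both pod-specific names as uncovered. Swapping in a `dnsNames` entry such as `*.redis-cluster-leader-headless.redis-12.svc.cluster.local` makes the pod FQDN pass, but the short `$(hostname)` form still needs its own entry or a probe that dials a name the certificate carries.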