diff --git a/kubernetes/certs/redis.yaml b/kubernetes/certs/redis.yaml
index 0bef0cb7..b4f94e45 100644
--- a/kubernetes/certs/redis.yaml
+++ b/kubernetes/certs/redis.yaml
@@ -15,10 +15,16 @@ spec: - digital signature - key encipherment - server auth + - client auth subject: organizations: - redis commonName: redis + dnsNames: + - redisproxy + - redis-0.redis + - redis-1.redis + - redis-2.redis issuerRef: name: ca-issuer kind: Issuer
diff --git a/kubernetes/certs/redisproxy.yaml b/kubernetes/certs/redisproxy.yaml
index 8dc83f03..40fddbfa 100644
--- a/kubernetes/certs/redisproxy.yaml
+++ b/kubernetes/certs/redisproxy.yaml
@@ -15,6 +15,7 @@ spec: - digital signature - key encipherment - server auth + - client auth subject: organizations: - redisproxy
diff --git a/kubernetes/certs/sentinel.yaml b/kubernetes/certs/sentinel.yaml
index 2b61f834..54578ef7 100644
--- a/kubernetes/certs/sentinel.yaml
+++ b/kubernetes/certs/sentinel.yaml
@@ -15,6 +15,7 @@ spec: - digital signature - key encipherment - server auth + - client auth subject: organizations: - sentinel
diff --git a/kubernetes/kub-down b/kubernetes/kub-down
index af2ef68b..27cf9a5b 100644
--- a/kubernetes/kub-down
+++ b/kubernetes/kub-down
@@ -8,7 +8,7 @@ kubectl delete \ -f certs/mysql-replication.yaml \ -f certs/mysql-openemr-client.yaml \ -f certs/phpmyadmin.yaml \ - -f certs/mysql-phpmyadmin-client.yaml + -f certs/mysql-phpmyadmin-client.yaml \ -f certs/redis.yaml \ -f certs/redis-openemr-client.yaml \ -f certs/sentinel.yaml \
diff --git a/kubernetes/kub-down.bat b/kubernetes/kub-down.bat
index fb95d5fc..05c0e3c5 100644
--- a/kubernetes/kub-down.bat
+++ b/kubernetes/kub-down.bat
@@ -8,7 +8,7 @@ kubectl delete ^ -f certs/mysql-replication.yaml ^ -f certs/mysql-openemr-client.yaml ^ -f certs/phpmyadmin.yaml ^ - -f certs/mysql-phpmyadmin-client.yaml + -f certs/mysql-phpmyadmin-client.yaml ^ -f certs/redis.yaml ^ -f certs/redis-openemr-client.yaml ^ -f certs/sentinel.yaml ^ 
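Review bot: The new `dnsNames` in certs/redis.yaml puts `redisproxy` into the Redis server certificate, which already carries `server auth` and now also `client auth`; the proxy has its own Certificate in certs/redisproxy.yaml, so a redis pod's key material can now also present as the proxy and as a client. Keep the SAN list to the pod identities (`redis-0.redis`, `redis-1.redis`, `redis-2.redis`) and leave the `redisproxy` name to the proxy's certificate. The headless service name `redis` is not among the SANs, so a client that connects to host `redis` and matches against SANs rather than the CN will fail verification — consistent with openemr/deployment.yaml now pointing at `redis-0.redis`, but worth a one-line comment on the `dnsNames` key. If any client uses the full `redis-0.redis.<namespace>.svc.cluster.local` form, that name needs to be listed as well. The same `client auth` addition in certs/redisproxy.yaml and certs/sentinel.yaml comes without any `dnsNames`, so those two still depend on the CN for hostname matching.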
diff --git a/kubernetes/kub-up b/kubernetes/kub-up
index fee871fd..2af1fc3c 100644
--- a/kubernetes/kub-up
+++ b/kubernetes/kub-up
@@ -13,7 +13,7 @@ kubectl apply \ -f certs/mysql-replication.yaml \ -f certs/mysql-openemr-client.yaml \ -f certs/phpmyadmin.yaml \ - -f certs/mysql-phpmyadmin-client.yaml + -f certs/mysql-phpmyadmin-client.yaml \ -f certs/redis.yaml \ -f certs/redis-openemr-client.yaml \ -f certs/sentinel.yaml \
diff --git a/kubernetes/kub-up.bat b/kubernetes/kub-up.bat
index 8e0dd458..0a32a891 100644
--- a/kubernetes/kub-up.bat
+++ b/kubernetes/kub-up.bat
@@ -11,7 +11,7 @@ kubectl apply ^ -f certs/mysql-replication.yaml ^ -f certs/mysql-openemr-client.yaml ^ -f certs/phpmyadmin.yaml ^ - -f certs/mysql-phpmyadmin-client.yaml + -f certs/mysql-phpmyadmin-client.yaml ^ -f certs/redis.yaml ^ -f certs/redis-openemr-client.yaml ^ -f certs/sentinel.yaml ^
diff --git a/kubernetes/openemr/deployment.yaml b/kubernetes/openemr/deployment.yaml
index 6be2d2e2..a2fbaf1b 100644
--- a/kubernetes/openemr/deployment.yaml
+++ b/kubernetes/openemr/deployment.yaml
@@ -46,9 +46,11 @@ spec: key: admin-pass - name: OE_USER value: "admin" + - name: PHPREDIS_BUILD + value: "e571a81f8d3009aab38cbb88dde865edeb0607ac" - name: REDIS_SERVER # TODO - change below back to redisproxy after get the proxy working - value: "redis" + value: "redis-0.redis" - name: REDIS_PASSWORD value: "defaultpassword" - name: REDIS_TLS
diff --git a/kubernetes/redis/configmap-pipy.yaml b/kubernetes/redis/configmap-pipy.yaml
index f43e3afb..d7a06b7f 100644
--- a/kubernetes/redis/configmap-pipy.yaml
+++ b/kubernetes/redis/configmap-pipy.yaml 
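Review bot: `REDIS_SERVER` is now pinned to the single pod `redis-0.redis`, which bypasses the Sentinel failover configured in statefulset-sentinel.yaml: after a failover the application keeps talking to whatever role redis-0 then holds, and since Redis replicas are read-only by default, writes would fail until the value is changed by hand. The existing TODO marks this as a stopgap, so make the consequence explicit, e.g. `# TODO - change below back to redisproxy after get the proxy working; until then Sentinel failover is NOT followed`. `PHPREDIS_BUILD` pins a bare commit hash with no indication of what it is; a one-line comment naming the phpredis release or the reason for that exact commit lets a later reviewer tell a deliberate pin from a stale one, and whatever consumes `PHPREDIS_BUILD` (outside this diff) should verify the fetched source against it. `REDIS_PASSWORD` still sits in the manifest as the literal `"defaultpassword"` right after `admin-pass`, which is read via a secretKeyRef; moving it into the same Secret is a small independent follow-up.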
@@ -7,11 +7,11 @@ data: { "redisAdminUser" : "admin", "redisAdminPass" : "adminpassword", - "caCert" : "certs/ca.crt", - "tlsKey" : "certs/tls.key", "debug" : true, "port" : 6379, "servers" : ["redis-0.redis:6379", "redis-1.redis:6379", "redis-2.redis:6379"], + "caCert" : "certs/ca.crt", + "tlsKey" : "certs/tls.key", "connectTimeout" : "1s", "readTimeout" : "1s", "healthcheck" : {
@@ -36,21 +36,14 @@ data: _check: resp => ( (data, role) => ( unhealthy_nodes.remove(_target), + config.debug && console.log(`Response data: ${resp.toString()}`), data = resp.shift(40).toString().split('\r\n'), role = data[3].split(':')[1], config.debug && console.log(`Role is ${role} for ${_target}`), role === 'master' && unhealthy_master.remove(_target) ))() }) - .listen(config.port) - .acceptTLS({ - certificate: { - cert: new crypto.Certificate(pipy.load(config.caCert)), - key: new crypto.PrivateKey(pipy.load(config.tlsKey)) - } - }).to('preconnection') - - .pipeline('preconnection') + .listen(config.port) .handleData( (data, query, command, master_only) => ( query = new Data(data).shift(20).toString(),
@@ -73,14 +66,6 @@ data: config.debug && console.log(`Sending request to node ${_target}`) ) ) - .connectTLS({ - certificate: { - cert: new crypto.Certificate(pipy.load(config.caCert)), - key: new crypto.PrivateKey(pipy.load(config.tlsKey)) - } - }).to('sendconnection') - - .pipeline('sendconnection') .connect(() => _target, { connectTimeout: config.connectTimeout,
@@ -103,8 +88,7 @@ data: unhealthy_nodes.set(t, true), unhealthy_master.set(t, true) )), - _counter = { n: 0 }, - console.log(`Debug 0`) + _counter = { n: 0 } ) ) .fork('per-node', 
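Review bot: Hunks `@@ -36` and `@@ -73` delete the `.acceptTLS(...)` in front of the listener and the `.connectTLS(...)` on the request path, so client connections on `config.port` and the proxy's onward `.connect(() => _target, ...)` now run in plaintext, while only the health-check path in the later hunk keeps `.connectTLS`. Redis AUTH commands (and with them the Redis password) and all proxied data then cross the pod network unencrypted, and since statefulset-redis.yaml reaches the nodes with `redis-cli --tls`, a plain connection to a TLS-only node is more likely to be refused than to work. If dropping TLS is a debugging step toward the TODO in openemr/deployment.yaml, gate it on a config key instead of deleting the filters — a `"tls": true` entry next to `"debug"` with `acceptTLS`/`connectTLS` applied only when it is set — so the secure path does not disappear from the manifest. Note also that `"debug" : true` is the shipped default in this ConfigMap, so the newly added `Response data:` console.log writes every INFO replication response to the proxy log in a default deployment.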
@@ -115,13 +99,12 @@ data: .wait( () => _counter.n === 0 ) - + .pipeline('per-node') .replaceMessage( () => ( _counter.n++, - new Message(`AUTH ${config.redisAdminUser} ${config.redisAdminPass}\r\ninfo replication\r\n`), - console.log(`Debug 1`) + new Message(`AUTH ${config.redisAdminUser} ${config.redisAdminPass}\r\ninfo replication\r\n`) ) ) .connectTLS({
@@ -129,9 +112,9 @@ data: cert: new crypto.Certificate(pipy.load(config.caCert)), key: new crypto.PrivateKey(pipy.load(config.tlsKey)) } - }).to('healthconnection') - - .pipeline('healthconnection') + }).to('sendconnection') + + .pipeline('sendconnection') .connect( () => _target, {
@@ -140,8 +123,7 @@ data: } ) .handleData( - data => _check(data), - console.log(`Debug 2`) + data => _check(data) ) .handleStreamEnd( () => _counter.n--
diff --git a/kubernetes/redis/deployment-redisproxy.yaml b/kubernetes/redis/deployment-redisproxy.yaml
index d0eada29..dac2c9db 100644
--- a/kubernetes/redis/deployment-redisproxy.yaml
+++ b/kubernetes/redis/deployment-redisproxy.yaml
@@ -37,7 +37,7 @@ spec: - env: - name: PIPY_CONFIG_FILE value: /proxy/proxy.js - image: naqvis/pipy-worker:0.70.0-2-33-g1164e36 + image: naqvis/pipy:0.40.0-rc3-37-ga91d1a0 name: redisproxy volumeMounts: - name: redisproxy-certs
@@ -61,4 +61,4 @@ spec: path: tls.key - name: redisproxyconf configMap: - name: pipy-config \ No newline at end of file + name: pipy-config
diff --git a/kubernetes/redis/statefulset-redis.yaml b/kubernetes/redis/statefulset-redis.yaml
index 02e62f7f..533295ab 100644
--- a/kubernetes/redis/statefulset-redis.yaml
+++ b/kubernetes/redis/statefulset-redis.yaml 
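Review bot: The one `.connectTLS` left after this commit (context lines of hunk `@@ -129`) presents `new crypto.Certificate(pipy.load(config.caCert))` paired with `new crypto.PrivateKey(pipy.load(config.tlsKey))`, i.e. the certificate is read from `certs/ca.crt` while the key is the leaf key `certs/tls.key`. If those files come from the cert-manager Secret produced by certs/redisproxy.yaml, `ca.crt` is the issuer certificate and does not match `tls.key`, so the TLS setup is likely to fail either when the pair is loaded or at the handshake whenever a node asks for a client certificate — a plausible reason the proxy is still flagged as not working in openemr/deployment.yaml. Add a `"tlsCert" : "certs/tls.crt"` entry beside `"tlsKey"` in hunk `@@ -7`, mount `tls.crt` next to `tls.key` in deployment-redisproxy.yaml, and use `cert: new crypto.Certificate(pipy.load(config.tlsCert))`; the CA belongs in the trust-anchor option for verifying the peer (Pipy's `trusted`, if the pinned build supports it), not as the presented certificate. This pre-dates the commit, but the renamed `sendconnection` pipeline is now the only TLS hop left, so it is the place to fix it.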
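Review bot: The image changes from `naqvis/pipy-worker:0.70.0-2-33-g1164e36` to `naqvis/pipy:0.40.0-rc3-37-ga91d1a0` — a different repository under a personal namespace, a release-candidate tag and, going by the version string, a considerably older build — with no `@sha256:` digest, so a mutable tag in a user-owned repository can be republished without this manifest changing. If the older build is needed for the proxy script to run, record that in a comment, e.g. `# pinned to 0.40.0-rc3: <reason>`, and pin the digest, `image: naqvis/pipy@sha256:<digest-of-the-intended-image>`, so the deployment does not depend on that account keeping the tag in place; the upstream `flomesh/pipy` image (not part of this diff) would be the more accountable source. A digest pin also keeps the ConfigMap's JS, which is written against a particular Pipy API, from breaking silently when the tag moves.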
@@ -20,9 +20,15 @@ spec: command: [ "sh", "-c" ] args: - | + # Set below to true if using redis x509 + REDISX509=false + TLSPARAMETERS="--tls --cacert /certs/ca.crt" + if $REDISX509; then + TLSPARAMETERS="$TLSPARAMETERS --cert /certs/tls.crt --key /certs/tls.key" + fi echo "Copying configuration file" cp /tmp/redis/redis.conf /etc/redis/redis.conf - if [ "$(redis-cli --tls --cacert /certs/ca.crt -h sentinel -p 5000 ping)" != "PONG" ]; then + if [ "$(redis-cli $TLSPARAMETERS -h sentinel -p 5000 ping)" != "PONG" ]; then echo "Sentinel not found to get the master info, defaulting to redis-0" if [ "$(hostname)" == "redis-0" ]; then echo "This is redis-0, No need to update config."
@@ -33,7 +39,7 @@ spec: fi else echo "Sentinel found, finding master" - MASTER="$(redis-cli --tls --cacert /certs/ca.crt -h sentinel -p 5000 sentinel get-master-addr-by-name mymaster | grep -E '(^redis-\d{1,})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')" + MASTER="$(redis-cli $TLSPARAMETERS -h sentinel -p 5000 sentinel get-master-addr-by-name mymaster | grep -E '(^redis-\d{1,})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')" echo "Master got: $MASTER, updating this in redis.conf" echo "REPLICAOF $MASTER 6379" >> /etc/redis/redis.conf fi
diff --git a/kubernetes/redis/statefulset-sentinel.yaml b/kubernetes/redis/statefulset-sentinel.yaml
index 9f0b650a..c567f806 100644
--- a/kubernetes/redis/statefulset-sentinel.yaml
+++ b/kubernetes/redis/statefulset-sentinel.yaml 
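Review bot: `if $REDISX509; then` executes the variable's value as a command, so it only behaves while the value is exactly `true` or `false`; any other value (`yes`, `1`, an empty string) is run as a command name or falls through silently, which is the wrong failure mode for a switch deciding whether client certificates are sent. Compare explicitly: `if [ "$REDISX509" = "true" ]; then` — the same construct is added in statefulset-sentinel.yaml. In the rewritten `MASTER=` line of hunk `@@ -33`, `\d{1,}` is not a POSIX ERE digit class — GNU `grep -E` treats `\d` as a literal `d` (newer releases warn about the stray backslash) — so the `^redis-\d{1,}` alternative never matches a pod name and only the IPv4 branch does any work; use `'(^redis-[0-9]+)|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})'`. The enclosing shell script continues outside both hunks.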
@@ -21,13 +21,19 @@ spec: args: - | REDIS_PASSWORD=adminpassword + # Set below to true if using redis x509 + REDISX509=false nodes=redis-0.redis,redis-1.redis,redis-2.redis + TLSPARAMETERS="--tls --cacert /certs/ca.crt" + if $REDISX509; then + TLSPARAMETERS="$TLSPARAMETERS --cert /certs/tls.crt --key /certs/tls.key" + fi echo "Looping through the redis list to see if Redis Master node is available now" while [ 1 ] do for i in ${nodes//,/ } do - MASTER=$(redis-cli --tls --cacert /certs/ca.crt --no-auth-warning --raw -h $i --user admin -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2) + MASTER=$(redis-cli $TLSPARAMETERS --no-auth-warning --raw -h $i --user admin -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2) if [ "$MASTER" == "" ]; then echo "no master info found in $i" MASTER=
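Review bot: The rewritten `MASTER=$(redis-cli $TLSPARAMETERS ... --user admin -a $REDIS_PASSWORD ...)` still passes the password on the command line, where it is readable in the pod's process list (`/proc/<pid>/cmdline`) by anything else running in the container, on every iteration of the loop. redis-cli reads `REDISCLI_AUTH` from the environment, so set `export REDISCLI_AUTH="$REDIS_PASSWORD"` once before the `while` loop and drop `-a $REDIS_PASSWORD` from the command (`--no-auth-warning` then becomes unnecessary but is harmless). `REDIS_PASSWORD=adminpassword` itself is a literal in the manifest (context line) and the same value appears as `redisAdminPass` in configmap-pipy.yaml; sourcing both from a Secret-backed environment variable is the independent follow-up. The loop body continues past the end of the hunk.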