-
-
Notifications
You must be signed in to change notification settings - Fork 143
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kubernete: Support for tls/x509 redis session connections #349
base: master
Are you sure you want to change the base?
Conversation
@@ -22,7 +22,7 @@ spec: | |||
- | | |||
echo "Copying configuration file" | |||
cp /tmp/redis/redis.conf /etc/redis/redis.conf | |||
if [ "$(redis-cli -h sentinel -p 5000 ping)" != "PONG" ]; then | |||
if [ "$(redis-cli --tls --cacert /certs/ca.crt -h sentinel -p 5000 ping)" != "PONG" ]; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
issue will probably crop up here if forcing x509, which can deal with when can test in future
@@ -33,11 +33,13 @@ spec: | |||
fi | |||
else | |||
echo "Sentinel found, finding master" | |||
MASTER="$(redis-cli -h sentinel -p 5000 sentinel get-master-addr-by-name mymaster | grep -E '(^redis-\d{1,})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')" | |||
MASTER="$(redis-cli --tls --cacert /certs/ca.crt -h sentinel -p 5000 sentinel get-master-addr-by-name mymaster | grep -E '(^redis-\d{1,})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
issue will probably crop up here if forcing x509, which can deal with when can test in future
@@ -27,7 +27,7 @@ spec: | |||
do | |||
for i in ${nodes//,/ } | |||
do | |||
MASTER=$(redis-cli --no-auth-warning --raw -h $i --user admin -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2) | |||
MASTER=$(redis-cli --tls --cacert /certs/ca.crt --no-auth-warning --raw -h $i --user admin -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
issue will probably crop up here if forcing x509, which can deal with when can test in future
66f49f5
to
1cc76ba
Compare
1cc76ba
to
51df175
Compare
51df175
to
c18ddf9
Compare
Good news @bradymiller; the latest release of PHPRedis v6.0.2 (released on 12/16/23) has support for TLS connections and sentinel mode! This should satisfy 6 and 7 on the list above. Additionally there's some good guidance on how to deploy a web application with Redis without the use of haproxy to Kubernetes that can be found here. It's also possible to use nginx + cert-manager to set up encryption between services (i.e. OpenEMR and Redis) within a cluster as well which may eliminate the need entirely to implement x.509 connections for Redis by going down the current path. Finally you should be able to configure a readiness probe within the cluster to detect when the OpenEMR containers are ready to serve traffic. You may be able to specify something like Hope this is helpful! |
fixes #347
Several more steps to get this project ready for commit:
6. FUTURE - Currently building a development version of phpredis to support TLS. In future when the support for TLS is in the production version, can then remove need/support to do the build.When bring this in, change the 7.0.2 to nothing in the deployment script (so will then use the latest)
Some random commands (so I don't forget them) when I come back to this project in future: