We need porta and apisonator to be able to load TLS details to connect to Redis. In particular, we need:

• CA certificate
• Client certificate
• Client private key

Those can be mounted wherever the operator decides, but the operator should set the next environment variables to inform porta and apisonator where the files are:

• Backend:
  • CONFIG_REDIS_CA_FILE and CONFIG_QUEUES_CA_FILE for the CA certificate
  • CONFIG_REDIS_CERT and CONFIG_QUEUES_CERT for the client certificate
  • CONFIG_REDIS_PRIVATE_KEY and CONFIG_QUEUES_PRIVATE_KEY for the client key
  • CONFIG_REDIS_SSL and CONFIG_QUEUES_SSL must be set to true when any of the above is present
• System:
  • REDIS_CA_FILE and BACKEND_REDIS_CA_FILE for the CA certificate
  • REDIS_CLIENT_CERT and BACKEND_REDIS_CLIENT_CERT for the client certificate
  • REDIS_PRIVATE_KEY and BACKEND_REDIS_PRIVATE_KEY for the client key
  • REDIS_SSL and BACKEND_REDIS_SSL must be set to true when any of the above is present

The client should create the next resources

• TLS Secret (docs) for the CA certificate
• TLS Secret for the client cert and key

• • Would like this:

  • apiVersion: v1
    kind: Secret
    metadata:
      name: secret-tls
    type: kubernetes.io/tls
    data:
      # values are base64 encoded, which obscures them but does NOT provide
      # any useful level of confidentiality
      tls.crt: |
        LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNVakNDQWJzQ0FnMytNQTBHQ1NxR1NJYjNE
        UUVCQlFVQU1JR2JNUXN3Q1FZRFZRUUdFd0pLVURFT01Bd0cKQTFVRUNCTUZWRzlyZVc4eEVEQU9C
        Z05WQkFjVEIwTm9kVzh0YTNVeEVUQVBCZ05WQkFvVENFWnlZVzVyTkVSRQpNUmd3RmdZRFZRUUxF
        dzlYWldKRFpYSjBJRk4xY0hCdmNuUXhHREFXQmdOVkJBTVREMFp5WVc1ck5FUkVJRmRsCllpQkRR
        VEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVjM1Z3Y0c5eWRFQm1jbUZ1YXpSa1pDNWpiMjB3SGhjTk1U
        TXcKTVRFeE1EUTFNVE01V2hjTk1UZ3dNVEV3TURRMU1UTTVXakJMTVFzd0NRWURWUVFHREFKS1VE
        RVBNQTBHQTFVRQpDQXdHWEZSdmEzbHZNUkV3RHdZRFZRUUtEQWhHY21GdWF6UkVSREVZTUJZR0Ex
        VUVBd3dQZDNkM0xtVjRZVzF3CmJHVXVZMjl0TUlHYU1BMEdDU3FHU0liM0RRRUJBUVVBQTRHSUFE
        Q0JoQUo5WThFaUhmeHhNL25PbjJTbkkxWHgKRHdPdEJEVDFKRjBReTliMVlKanV2YjdjaTEwZjVN
        Vm1UQllqMUZTVWZNOU1vejJDVVFZdW4yRFljV29IcFA4ZQpqSG1BUFVrNVd5cDJRN1ArMjh1bklI
        QkphVGZlQ09PekZSUFY2MEdTWWUzNmFScG04L3dVVm16eGFLOGtCOWVaCmhPN3F1TjdtSWQxL2pW
        cTNKODhDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQU1meTQzeE15OHh3QTUKVjF2T2NS
        OEtyNWNaSXdtbFhCUU8xeFEzazlxSGtyNFlUY1JxTVQ5WjVKTm1rWHYxK2VSaGcwTi9WMW5NUTRZ
        RgpnWXcxbnlESnBnOTduZUV4VzQyeXVlMFlHSDYyV1hYUUhyOVNVREgrRlowVnQvRGZsdklVTWRj
        UUFEZjM4aU9zCjlQbG1kb3YrcE0vNCs5a1h5aDhSUEkzZXZ6OS9NQT09Ci0tLS0tRU5EIENFUlRJ
        RklDQVRFLS0tLS0K    
      # In this example, the key data is not a real PEM-encoded private key
      tls.key: |
        RXhhbXBsZSBkYXRhIGZvciB0aGUgVExTIGNydCBmaWVsZA==  

Then, we would need some yaml keywords so the user can mount the files easily. This is a suggestion:

apiVersion: apps.3scale.net/v1alpha1
kind: APIManager
metadata:
  name: apimanager1
spec:
  system:
    redisCaCertRef:
      name: my-secret-with-ca-cert
    redisClientCertRef:
      name: my-secret-with-client-cert
  backend:
    redisCaCertRef:
      name: my-secret-with-ca-cert
    redisClientCertRef:
      name: my-secret-with-client-cert

Essentially, this is create a secret with the tls cert and key, mount that to the pod and create an envar pointing at the file location. This should work for backend and system:

• Backend: listener and worker pods
• System: app and sidekiq pods