Task
Resolution: Unresolved
RHOAM Sprint 64, RHOAM Sprint 65, RHOAM Sprint 66, RHOAM Sprint 67
We need a way for the user to set the ACL credentials to connect to Redis. Those are:
- username
- password
Porta and apisonator read the credentials from the following variables:
- Backend:
  - CONFIG_REDIS_USERNAME and CONFIG_QUEUES_USERNAME for the username
  - CONFIG_REDIS_PASSWORD and CONFIG_QUEUES_PASSWORD for the password
- System:
  - REDIS_USERNAME and BACKEND_REDIS_USERNAME for the username
  - REDIS_PASSWORD and BACKEND_REDIS_PASSWORD for the password
We would need a new YAML keyword to provide those credentials. This is a suggestion: redisACLSecret
    apiVersion: apps.3scale.net/v1alpha1
    kind: APIManager
    metadata:
      name: apimanager1
    spec:
      system:
        redisACLSecret:
          name: my-acl-credentials
The user then should provide a secret looking like this:
    apiVersion: v1
    kind: Secret
    metadata:
      name: my-acl-credentials
    type: Opaque
    data:
      # values under data must be base64-encoded
      username: bXktdXNlcm5hbWU=   # my-username
      password: bXktcGFzc3dvcmQ=   # my-password
From this configuration, the operator should map the credentials to the above environment variables.
Sentinels can have their own username and password, so the user should be able to provide credentials for sentinels as well. If the client uses sentinels, the following environment variables should also be set:
- Backend:
  - CONFIG_REDIS_SENTINEL_USERNAME and CONFIG_QUEUES_SENTINEL_USERNAME for the username
  - CONFIG_REDIS_SENTINEL_PASSWORD and CONFIG_QUEUES_SENTINEL_PASSWORD for the password
- System:
  - REDIS_SENTINEL_USERNAME and BACKEND_REDIS_SENTINEL_USERNAME for the username
  - REDIS_SENTINEL_PASSWORD and BACKEND_REDIS_SENTINEL_PASSWORD for the password
In most cases, the Redis master and the sentinels would share the same credentials, so the variables above should take their values from the secret specified in redisACLSecret.
If the Redis master and the sentinels don't use the same credentials, then we would need another YAML keyword only for setting the sentinel credentials. In this case the YAML would look like this:
    apiVersion: apps.3scale.net/v1alpha1
    kind: APIManager
    metadata:
      name: apimanager1
    spec:
      system:
        redisACLSecret:
          name: my-acl-credentials
        redisSentinelsACLSecret:
          name: my-sentinels-acl-credentials
However it's important to remember that the sentinel env variables should never be set if the user doesn't use sentinels. Setting them would make the Redis client fail to connect.
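A sketch of the mapping described above, added here as an example and not taken from the 3scale operator's code. `EnvRef` and `ACLEnv` are hypothetical names; `EnvRef` stands in for an env var that points at a secret key, and the secret keys `username` and `password` are the ones from the Secret shown earlier.

```go
package main

import "fmt"

// EnvRef is a hypothetical stand-in for a Kubernetes env var that uses
// valueFrom.secretKeyRef, so the credential itself never lands in the pod spec.
type EnvRef struct{ Name, Secret, Key string }

// Variable name prefixes per component, as listed in the issue text.
var prefixes = map[string][]string{
	"backend": {"CONFIG_REDIS", "CONFIG_QUEUES"},
	"system":  {"REDIS", "BACKEND_REDIS"},
}

// ACLEnv maps redisACLSecret / redisSentinelsACLSecret to env var references.
// An empty sentinelSecret means the sentinels reuse redisSecret.
func ACLEnv(component, redisSecret, sentinelSecret string, useSentinels bool) []EnvRef {
	var out []EnvRef
	add := func(infix, secret string) {
		if secret == "" {
			return // nothing configured: leave these variables unset
		}
		for _, p := range prefixes[component] {
			out = append(out,
				EnvRef{p + infix + "_USERNAME", secret, "username"},
				EnvRef{p + infix + "_PASSWORD", secret, "password"})
		}
	}
	add("", redisSecret)
	if useSentinels { // sentinel variables must stay unset otherwise
		if sentinelSecret == "" {
			sentinelSecret = redisSecret
		}
		add("_SENTINEL", sentinelSecret)
	}
	return out
}

func main() {
	refs := ACLEnv("system", "my-acl-credentials", "my-sentinels-acl-credentials", true)
	for _, e := range refs {
		fmt.Printf("%s <- secret %s, key %s\n", e.Name, e.Secret, e.Key)
	}
}
```
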
- blocks
  - THREESCALE-11453 Add validation for TLS and ACL certs/creds (New)
- is related to
  - THREESCALE-10908 3scale Operator changes to support TLS/ACL changes for Redis (To Develop)
  - THREESCALE-10870 Apisonator: CI: Add jobs for all supported Redis deployments (Closed)
- relates to
  - THREESCALE-8404 TLS and ACL support for Redis connection (To Test (QE))