Description
Support for an external Redis 6 database was implemented at release 2.11.0 GA (by this RFE), and QE was unable to test TLS because it wasn't documented (at this comment).
Also, it should be possible to specify user credentials to access the external Redis; that is currently not possible.
That is, the implementation that enables customers to use an external Redis database must be improved so that it can be done securely: enabling TLS (with optional certificate validation) and credentials.
Dev notes
See this comment for more information on what is required to complete this request. (It doesn't have all the necessary low-level details regarding the code changes required on the backend component, though.)
Rabbit hole explanation here.
Release notes
Porta
- For those using redis sentinels the :name param is now mandatory.
Apisonator
- Redis 6+ required
- TLS and ACL features are not compatible with Twemproxy
To Document
This adds a way to provide a CA certificate to be trusted by Porta, by adding a file called config/ca_cert.pem. This is the load sequence:
- Trust the certificate specified by ssl_params -> ca_file in the config files
- If the above is not provided, trust the certificate at config/ca_cert.pem or $EXTRA_CONFIGS_DIR/ca_cert.pem
- If neither of the above is provided, trust the system certificates installed through update-ca-trust
The file ca_cert.pem can contain a single certificate or a bundle, and it is loaded by a Ruby OpenSSL::SSL::SSLContext instance: https://rubyapi.org/2.7/o/openssl/ssl/sslcontext#ca_file
So far this is only used for Redis, but it could be extended to other integrations in the future.
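The following is an added example, not Porta's own code, showing the CA load sequence above as a small Ruby resolver plus the OpenSSL::SSL::SSLContext a Redis client would be handed. The function names, the keyword arguments, and the ordering between config/ca_cert.pem and $EXTRA_CONFIGS_DIR/ca_cert.pem (config/ first) are assumptions; the self-signed CA written to a temp directory is constructed test data. The context always verifies the server certificate, and a CA file that cannot be loaded fails at context construction rather than at the first Redis call.

```ruby
require "openssl"
require "tmpdir"

# Added example (not Porta's own code). Models the CA lookup order from the
# ticket for a TLS connection to an external Redis:
#   1. ssl_params -> ca_file from the config files
#   2. config/ca_cert.pem, then $EXTRA_CONFIGS_DIR/ca_cert.pem (this order is an assumption)
#   3. the system trust store (certificates installed via update-ca-trust)
# Returns [source, path]; path is nil when the system store is used.
def resolve_ca_file(ssl_params: {}, config_dir: "config", extra_configs_dir: ENV["EXTRA_CONFIGS_DIR"])
  explicit = ssl_params[:ca_file] || ssl_params["ca_file"]
  return [:ssl_params, explicit] unless explicit.to_s.empty?

  candidates = [File.join(config_dir, "ca_cert.pem")]
  candidates << File.join(extra_configs_dir, "ca_cert.pem") unless extra_configs_dir.to_s.empty?
  found = candidates.find { |path| File.file?(path) }
  found ? [:ca_cert_pem, found] : [:system, nil]
end

# Builds the SSLContext for the Redis client. The server certificate is always
# verified; an unreadable CA file raises OpenSSL::X509::StoreError here (at boot).
def build_redis_ssl_context(**opts)
  _source, ca_file = resolve_ca_file(**opts)
  store = OpenSSL::X509::Store.new
  if ca_file
    store.add_file(ca_file)   # accepts a single PEM certificate or a bundle
  else
    store.set_default_paths   # system trust store (update-ca-trust output)
  end

  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.cert_store = store
  ctx.ca_file = ca_file if ca_file
  ctx
end

# Test helper: writes a throwaway self-signed CA certificate (constructed data).
def write_self_signed_ca(path, cn: "example-redis-ca")
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  File.write(path, cert.to_pem)
  path
end

# Walks the three rungs of the load sequence in a temp directory and reports
# which source was chosen at each step.
def demo_load_sequence
  Dir.mktmpdir do |dir|
    cfg = File.join(dir, "config")
    extra = File.join(dir, "extra")
    Dir.mkdir(cfg)
    Dir.mkdir(extra)
    results = {}
    results[:none] = resolve_ca_file(config_dir: cfg, extra_configs_dir: extra)
    write_self_signed_ca(File.join(extra, "ca_cert.pem"))
    results[:extra_only] = resolve_ca_file(config_dir: cfg, extra_configs_dir: extra)
    write_self_signed_ca(File.join(cfg, "ca_cert.pem"))
    results[:config_dir] = resolve_ca_file(config_dir: cfg, extra_configs_dir: extra)
    results[:explicit] = resolve_ca_file(ssl_params: { ca_file: "/etc/pki/example-ca.pem" },
                                         config_dir: cfg, extra_configs_dir: extra)
    ctx = build_redis_ssl_context(config_dir: cfg, extra_configs_dir: extra)
    results[:verify_mode] = ctx.verify_mode
    results
  end
end

demo_load_sequence.each { |k, v| puts "#{k}: #{v.inspect}" } if $PROGRAM_NAME == __FILE__
```

The resolver returns the chosen source alongside the path so a startup log line can say where trust came from; that is usually the first thing asked when a Redis TLS handshake fails with an unknown-CA error.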
Issue Links
- blocks: THREESCALE-10908 3scale Operator changes to support TLS/ACL changes for Redis (To Develop)
- depends on: THREESCALE-10027 Update Sidekiq to version 6 (Closed)
- is related to: THREESCALE-10606 Bump redis to 6+ in backend CI container image (Closed); THREESCALE-10180 Upgrade to sidekiq 7 (Developing)