Support for an external Redis 6 database was implemented in release 2.11.0 GA (by this RFE), but QE was unable to test TLS because it wasn't documented (at this comment).
It should also be possible to specify user credentials to access an external Redis; that is currently not possible.
That is, the implementation that lets customers use an external Redis database must be improved so that it can be used securely, with TLS (with possible certificate validation) and credentials.
Dev notes
See this comment for more information on what is required to complete this request. (It doesn't have all the necessary low-level details regarding the code changes required on the backend component, though.)
Rabbit hole explanation here.
Release notes
Apisonator
- Redis 6+ required
- TLS and ACL features aren't compatible with Twemproxy
To Document
This adds a way to provide a CA certificate for porta to trust: add a file called config/ca_cert.pem. The load sequence is:
- Trust the certificate specified by the operator, configured as a secret referenced from a yaml.
- If the above is not provided, trust the system certificates installed through update-ca-trust.
The file ca_cert.pem can contain a single certificate or a bundle, and it'll be loaded by a Ruby OpenSSL::SSL::SSLContext instance: https://rubyapi.org/2.7/o/openssl/ssl/sslcontext#ca_file
So far this is only used for Redis but it could be extended to other integrations in the future.
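The load sequence above, sketched as an added example (not porta's own code): the helper names `load_ca_bundle`, `redis_ssl_context` and `sample_ca_pem` are hypothetical, and the sample CA certificates are constructed in-process. It assumes a fail-closed choice the page does not state: a `ca_cert.pem` that exists but holds no certificate raises instead of silently falling back to system trust.

```ruby
require "openssl"
require "tempfile"

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Parse every certificate in a PEM file (a single cert or a bundle).
def load_ca_bundle(path)
  certs = File.read(path).scan(PEM_CERT).map { |pem| OpenSSL::X509::Certificate.new(pem) }
  raise ArgumentError, "#{path} contains no PEM certificates" if certs.empty?
  certs
end

# Hypothetical helper: returns [SSLContext, trust source].
# Operator-provided CA file first, system trust store otherwise.
def redis_ssl_context(ca_path = "config/ca_cert.pem")
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # never VERIFY_NONE for Redis TLS
  ctx.verify_hostname = true
  if File.file?(ca_path)
    load_ca_bundle(ca_path) # assumption: reject a malformed file, do not fall back
    ctx.ca_file = ca_path
    [ctx, :operator_ca]
  else
    store = OpenSSL::X509::Store.new
    store.set_default_paths # system CA locations (populated by update-ca-trust)
    ctx.cert_store = store
    [ctx, :system_trust]
  end
end

# Constructed sample input: a throwaway self-signed certificate in PEM form.
def sample_ca_pem(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  Tempfile.create(["ca_cert", ".pem"]) do |f|
    f.write(sample_ca_pem("Constructed CA")); f.flush
    puts redis_ssl_context(f.path).last
  end
end
```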
- blocks
  - THREESCALE-10908 3scale Operator changes to support TLS/ACL changes for Redis (Closed)
- depends on
  - THREESCALE-10027 Update Sidekiq to version 6 (Closed)
- is related to
  - THREESCALE-10606 Bump redis to 6+ in backend CI container image (Closed)
  - THREESCALE-11061 Add support for Redis logical DBs in async mode (Closed)
  - THREESCALE-11020 Add a way for the user to provide Redis TLS certs and keys for porta and backend (Developing)
  - THREESCALE-11021 Add a way for the client to provide redis ACL credentials to system and backend (Developing)
  - THREESCALE-10180 Upgrade to sidekiq 7 (To Test (QE))
  - THREESCALE-10870 Apisonator: CI: Add jobs for all supported Redis deployments (Closed)
- relates to
  - THREESCALE-11629 3Scale on Openshift: Pods should use TLS (New)
- links to
  - RHEA-2024:140142 3scale-operator 0.13.0-mas for RHOAM - Containers