[stable/redis-ha] Add optional encrypted communication between HAProxy and Redis/Sentinel

Signed-off-by: Alexander Klimenko <alex@erix.ru>

Author: meteozond

.github/workflows/test.yaml

@@ -56,8 +56,21 @@ jobs:
         kubectl get nodes -o wide
         kubectl get pods -n kube-system
 
+    - name: Create test TLS secret
+      if: steps.list-changed.outputs.changed == 'true'
+      run: |
+        kubectl create namespace ct-test
+        openssl req -x509 -newkey rsa:2048 -keyout tls.key -out tls.crt \
+          -days 1 -nodes -subj "/CN=test"
+        cat tls.crt tls.key > tls.pem
+        cp tls.crt ca.crt
+        kubectl create secret generic test-tls-secret \
+          --namespace ct-test \
+          --from-file=tls.crt --from-file=tls.key \
+          --from-file=ca.crt --from-file=tls.pem
+
     - name: Run chart-testing linting (lint)
       run: ct lint --config .ci/ct-config.yaml --chart-repos hashicorp=https://helm.releases.hashicorp.com
 
     - name: Run chart-testing (install)
-      run: ct install --config .ci/ct-config.yaml
+      run: ct install --config .ci/ct-config.yaml --namespace ct-test

charts/redis-ha/Chart.yaml

@@ -5,7 +5,7 @@ keywords:
 - redis
 - keyvalue
 - database
-version: 4.35.10
+version: 4.36.0
 appVersion: 8.2.4
 description: This Helm chart provides a highly available Redis implementation with a master/slave configuration and uses Sentinel sidecars for failover management
 icon: https://img.icons8.com/external-tal-revivo-shadow-tal-revivo/24/external-redis-an-in-memory-data-structure-project-implementing-a-distributed-logo-shadow-tal-revivo.png

charts/redis-ha/README.md

@@ -88,7 +88,7 @@ The following table lists the configurable parameters of the Redis chart and the
 | `hostPath.path` | Use this path on the host for data storage. path is evaluated as template so placeholders are replaced | string | `""` |
 | `image.pullPolicy` | Redis image pull policy | string | `"IfNotPresent"` |
 | `image.repository` | Redis image repository | string | `"public.ecr.aws/docker/library/redis"` |
-| `image.tag` | Redis image tag | string | `"8.2.1-alpine"` |
+| `image.tag` | Redis image tag | string | `"8.2.4-alpine"` |
 | `imagePullSecrets` | Reference to one or more secrets to be used when pulling redis images | list | `[]` |
 | `init.resources` | Extra init resources | object | `{}` |
 | `labels` | Custom labels for the redis pod | object | `{}` |
@@ -173,8 +173,22 @@ The following table lists the configurable parameters of the Redis chart and the
 | `serviceAccount.automountToken` | opt in/out of automounting API credentials into container. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ | bool | `false` |
 | `serviceAccount.create` | Specifies whether a ServiceAccount should be created | bool | `true` |
 | `serviceAccount.name` | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the redis-ha.fullname template | string | `""` |
+| `podAnnotations` | Annotations for redis statefulset pods (top-level) | object | `{}` |
+| `serviceAnnotations` | Custom annotations for redis services | object | `{}` |
 | `serviceLabels` | Custom labels for redis service | object | `{}` |
 | `splitBrainDetection.interval` | Interval between redis sentinel and server split brain checks (in seconds) | int | `60` |
+| `splitBrainDetection.livenessProbe.exec.command` | Command for liveness probe exec check | list | `["cat", "/readonly-config/redis.conf"]` |
+| `splitBrainDetection.livenessProbe.failureThreshold` | Failure threshold for liveness probe | int | `5` |
+| `splitBrainDetection.livenessProbe.initialDelaySeconds` | Initial delay in seconds for liveness probe | int | `30` |
+| `splitBrainDetection.livenessProbe.periodSeconds` | Period in seconds after which liveness probe will be repeated | int | `15` |
+| `splitBrainDetection.livenessProbe.successThreshold` | Success threshold for liveness probe | int | `1` |
+| `splitBrainDetection.livenessProbe.timeoutSeconds` | Timeout seconds for liveness probe | int | `15` |
+| `splitBrainDetection.readinessProbe.exec.command` | Command for readiness probe exec check | list | `["sh", "-c", "test -d /proc/1"]` |
+| `splitBrainDetection.readinessProbe.failureThreshold` | Failure threshold for readiness probe | int | `5` |
+| `splitBrainDetection.readinessProbe.initialDelaySeconds` | Initial delay in seconds for readiness probe | int | `30` |
+| `splitBrainDetection.readinessProbe.periodSeconds` | Period in seconds after which readiness probe will be repeated | int | `15` |
+| `splitBrainDetection.readinessProbe.successThreshold` | Success threshold for readiness probe | int | `1` |
+| `splitBrainDetection.readinessProbe.timeoutSeconds` | Timeout seconds for readiness probe | int | `15` |
 | `splitBrainDetection.resources` | splitBrainDetection resources | object | `{}` |
 | `splitBrainDetection.retryInterval` |  | int | `10` |
 | `sysctlImage.command` | sysctlImage command to execute | list | `[]` |
@@ -187,6 +201,7 @@ The following table lists the configurable parameters of the Redis chart and the
 | `sysctlImage.tag` | sysctlImage Init container tag | string | `"1.34.1"` |
 | `tls.caCertFile` | Name of CA certificate file | string | `"ca.crt"` |
 | `tls.certFile` | Name of certificate file | string | `"redis.crt"` |
+| `tls.secretName` | Name of existing secret with TLS certificates. Supports templates. | string | `""` |
 | `tls.dhParamsFile` | Name of Diffie-Hellman (DH) key exchange parameters file (Example: redis.dh) | string | `nil` |
 | `tls.keyFile` | Name of key file | string | `"redis.key"` |
 | `tolerations` |  | list | `[]` |
@@ -202,6 +217,7 @@ The following table lists the configurable parameters of the Redis chart and the
 | `sentinel.auth` | Enables or disables sentinel AUTH (Requires `sentinel.password` to be set) | bool | `false` |
 | `sentinel.authClients` | It is possible to disable client side certificates authentication when "authClients" is set to "no" | string | `""` |
 | `sentinel.authKey` | The key holding the sentinel password in an existing secret. | string | `"sentinel-password"` |
+| `sentinel.bind` | Configure the bind directive for sentinel | string | `nil` |
 | `sentinel.config` | Valid sentinel config options in this section will be applied as config options to each sentinel (see below) | object | see values.yaml |
 | `sentinel.customArgs` |  | list | `[]` |
 | `sentinel.customCommand` |  | list | `[]` |
@@ -245,10 +261,10 @@ The following table lists the configurable parameters of the Redis chart and the
 | `haproxy.additionalAffinities` | Additional affinities to add to the haproxy pods. | object | `{}` |
 | `haproxy.additionalPorts` | Additional ports to expose on HAProxy service and deployment. Each port should have a name, containerPort, and optionally servicePort (defaults to containerPort) | list | `[]` |
 | `haproxy.affinity` | Override all other affinity settings for the haproxy pods with a string. | string | `""` |
-| `haproxy.annotations` | HAProxy template annotations | object | `{}` |
 | `haproxy.checkFall` | haproxy.cfg `check fall` setting | int | `1` |
 | `haproxy.checkInterval` | haproxy.cfg `check inter` setting | string | `"1s"` |
 | `haproxy.containerPort` | Modify HAProxy deployment container port | int | `6379` |
+| `haproxy.tlsPort` | Dedicated TLS port for HAProxy frontend. When set together with `haproxy.tls.enabled`, plaintext stays on `containerPort` and TLS binds to `tlsPort`. When not set, `haproxy.tls.enabled` replaces plaintext with TLS on `containerPort` (current behavior). | int | `nil` |
 | `haproxy.containerSecurityContext` | Security context to be added to the HAProxy containers. | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` |
 | `haproxy.customConfig` | Allows for custom config-haproxy.cfg file to be applied. If this is used then default config will be overwriten | string | `nil` |
 | `haproxy.deploymentAnnotations` | HAProxy deployment annotations | object | `{}` |
@@ -309,10 +325,10 @@ The following table lists the configurable parameters of the Redis chart and the
 | `haproxy.timeout.connect` | haproxy.cfg `timeout connect` setting | string | `"4s"` |
 | `haproxy.timeout.server` | haproxy.cfg `timeout server` setting | string | `"330s"` |
 | `haproxy.timeout.tunnel` | haproxy.cfg `timeout tunnel` setting | string | `"1h"` |
-| `haproxy.tls` | Enable TLS termination on HAproxy, This will create a volume mount | object | `{"certMountPath":"/tmp/","enabled":false,"keyName":null,"secretName":""}` |
+| `haproxy.tls` | Enable TLS termination on HAproxy, This will create a volume mount | object | `{"certMountPath":"/tmp/","enabled":false,"keyName":"tls.pem","secretName":""}` |
 | `haproxy.tls.certMountPath` | Path to mount the secret that contains the certificates. haproxy | string | `"/tmp/"` |
 | `haproxy.tls.enabled` | If "true" this will enable TLS termination on haproxy | bool | `false` |
-| `haproxy.tls.keyName` | Key file name | string | `nil` |
+| `haproxy.tls.keyName` | Key file name (PEM bundle containing cert and private key) | string | `"tls.pem"` |
 | `haproxy.tls.secretName` | Secret containing the .pem file | string | `""` |
 
 ### Prometheus exporter parameters
@@ -350,7 +366,8 @@ The following table lists the configurable parameters of the Redis chart and the
 | `exporter.serviceMonitor.relabelings` |  | list | `[]` |
 | `exporter.serviceMonitor.telemetryPath` | Set path to redis-exporter telemtery-path (default is /metrics) | string | `""` |
 | `exporter.serviceMonitor.timeout` | Set timeout for scrape (default is 10s) | string | `""` |
-| `exporter.tag` | Exporter image tag | string | `"v1.67.0"` |
+| `exporter.sslEnabled` | Enable SSL for exporter connection to redis | bool | `false` |
+| `exporter.tag` | Exporter image tag | string | `"v1.80.2"` |
 | `prometheusRule.additionalLabels` | Additional labels to be set in metadata. | object | `{}` |
 | `prometheusRule.enabled` | If true, creates a Prometheus Operator PrometheusRule. | bool | `false` |
 | `prometheusRule.interval` | How often rules in the group are evaluated (falls back to `global.evaluation_interval` if not set). | string | `"10s"` |

charts/redis-ha/ci/haproxy-enabled-values.yaml

@@ -2,7 +2,7 @@
 ## Enable HAProxy to manage Load Balancing
 haproxy:
   enabled: true
-  annotations:
+  deploymentAnnotations:
     any.domain/key: "value"
   serviceAccount:
     create: true

charts/redis-ha/ci/tls-enabled-values.yaml

@@ -0,0 +1,21 @@
+---
+## Enable HAProxy with backend TLS
+haproxy:
+  enabled: true
+  tls:
+    enabled: true
+    secretName: "test-tls-secret"
+    keyName: tls.pem
+  tlsPort: 6381
+
+redis:
+  tlsPort: 6479
+
+sentinel:
+  tlsPort: 26479
+
+tls:
+  secretName: "test-tls-secret"
+  certFile: tls.crt
+  keyFile: tls.key
+  caCertFile: ca.crt

charts/redis-ha/templates/_configs.tpl

@@ -6,7 +6,7 @@
 {{- else }}
     dir "/data"
     port {{ .Values.redis.port }}
-    {{- if .Values.sentinel.tlsPort }}
+    {{- if .Values.redis.tlsPort }}
     tls-port {{ .Values.redis.tlsPort }}
     tls-cert-file /tls-certs/{{ .Values.tls.certFile }}
     tls-key-file /tls-certs/{{ .Values.tls.keyFile }}
@@ -561,12 +561,16 @@
     {{- $fullName := include "redis-ha.fullname" . }}
     {{- $replicas := int (toString .Values.replicas) }}
     {{- $masterGroupName := include "redis-ha.masterGroupName" . }}
+    {{- $sentinelPort := default .Values.sentinel.port .Values.sentinel.tlsPort }}
+    {{- $sentinelTLS := .Values.sentinel.tlsPort }}
+    {{- $redisPort := default .Values.redis.port .Values.redis.tlsPort }}
+    {{- $redisTLS := .Values.redis.tlsPort }}
     {{- range $i := until $replicas }}
     # Check Sentinel and whether they are nominated master
     backend check_if_redis_is_master_{{ $i }}
       mode tcp
       option tcp-check
-      tcp-check connect
+      tcp-check connect default
       {{- if $root.Values.sentinel.auth }}
       tcp-check send "AUTH ${SENTINELAUTH}"\r\n
       tcp-check expect string +OK
@@ -578,19 +582,22 @@
       tcp-check send QUIT\r\n
       {{- range $i := until $replicas }}
       {{- if $.Values.sentinel.resolveHostnames }}
-      server R{{ $i }} {{ $fullName }}-announce-{{ $i }}.{{ $.Release.Namespace }}.svc:26379 check inter {{ $root.Values.haproxy.checkInterval }}
+      server R{{ $i }} {{ $fullName }}-announce-{{ $i }}.{{ $.Release.Namespace }}.svc:{{ $sentinelPort }} check inter {{ $root.Values.haproxy.checkInterval }}{{ if $sentinelTLS }} ssl verify required ca-file /tls-certs/{{ $root.Values.tls.caCertFile }} crt /usr/local/etc/haproxy/backend-tls.pem{{ end }}
       {{- else }}
-      server R{{ $i }} {{ $fullName }}-announce-{{ $i }}:26379 check inter {{ $root.Values.haproxy.checkInterval }}
+      server R{{ $i }} {{ $fullName }}-announce-{{ $i }}:{{ $sentinelPort }} check inter {{ $root.Values.haproxy.checkInterval }}{{ if $sentinelTLS }} ssl verify required ca-file /tls-certs/{{ $root.Values.tls.caCertFile }} crt /usr/local/etc/haproxy/backend-tls.pem{{ end }}
       {{- end }}
       {{- end }}
     {{- end }}
 
     # decide redis backend to use
     #master
     frontend ft_redis_master
-      {{- if .Values.haproxy.tls.enabled }}
+      {{- if and .Values.haproxy.tls.enabled .Values.haproxy.tlsPort }}
+      bind {{ if .Values.haproxy.IPv6.enabled }}[::]{{ end }}:{{ $root.Values.haproxy.containerPort }} {{ if .Values.haproxy.IPv6.enabled }}v4v6{{ end }}
+      bind {{ if .Values.haproxy.IPv6.enabled }}[::]{{ end }}:{{ $root.Values.haproxy.tlsPort }} ssl crt {{ .Values.haproxy.tls.certMountPath }}{{ .Values.haproxy.tls.keyName }} {{ if .Values.haproxy.IPv6.enabled }}v4v6{{ end }}
+      {{- else if .Values.haproxy.tls.enabled }}
       bind {{ if .Values.haproxy.IPv6.enabled }}[::]{{ end }}:{{ $root.Values.haproxy.containerPort }} ssl crt {{ .Values.haproxy.tls.certMountPath }}{{ .Values.haproxy.tls.keyName }} {{ if .Values.haproxy.IPv6.enabled }}v4v6{{ end }}
-      {{ else }}
+      {{- else }}
       bind {{ if .Values.haproxy.IPv6.enabled }}[::]{{ end }}:{{ if ne (int $root.Values.redis.port) 0 }}{{ $root.Values.redis.port }}{{ else }}{{ $root.Values.redis.tlsPort }}{{ end }} {{ if .Values.haproxy.IPv6.enabled }}v4v6{{ end }}
       {{- end }}
       use_backend bk_redis_master
@@ -608,7 +615,7 @@
       {{- end }}
       mode tcp
       option tcp-check
-      tcp-check connect
+      tcp-check connect default
       {{- if .Values.auth }}
       tcp-check send "AUTH ${AUTH}"\r\n
       tcp-check expect string +OK
@@ -622,9 +629,9 @@
       {{- range $i := until $replicas }}
       use-server R{{ $i }} if { srv_is_up(R{{ $i }}) } { nbsrv(check_if_redis_is_master_{{ $i }}) ge 2 }
       {{- if $.Values.sentinel.resolveHostnames }}
-      server R{{ $i }} {{ $fullName }}-announce-{{ $i }}.{{ $.Release.Namespace }}.svc:{{ $root.Values.redis.port }} check inter {{ $root.Values.haproxy.checkInterval }} fall {{ $root.Values.haproxy.checkFall }} rise 1
+      server R{{ $i }} {{ $fullName }}-announce-{{ $i }}.{{ $.Release.Namespace }}.svc:{{ $redisPort }} check inter {{ $root.Values.haproxy.checkInterval }} fall {{ $root.Values.haproxy.checkFall }} rise 1{{ if $redisTLS }} ssl verify required ca-file /tls-certs/{{ $root.Values.tls.caCertFile }} crt /usr/local/etc/haproxy/backend-tls.pem{{ end }}
       {{- else }}
-      server R{{ $i }} {{ $fullName }}-announce-{{ $i }}:{{ $root.Values.redis.port }} check inter {{ $root.Values.haproxy.checkInterval }} fall {{ $root.Values.haproxy.checkFall }} rise 1
+      server R{{ $i }} {{ $fullName }}-announce-{{ $i }}:{{ $redisPort }} check inter {{ $root.Values.haproxy.checkInterval }} fall {{ $root.Values.haproxy.checkFall }} rise 1{{ if $redisTLS }} ssl verify required ca-file /tls-certs/{{ $root.Values.tls.caCertFile }} crt /usr/local/etc/haproxy/backend-tls.pem{{ end }}
       {{- end }}
       {{- end }}
     {{- if .Values.haproxy.readOnly.enabled }}
@@ -635,7 +642,7 @@
       {{- end }}
       mode tcp
       option tcp-check
-      tcp-check connect
+      tcp-check connect default
       {{- if .Values.auth }}
       tcp-check send "AUTH ${AUTH}"\r\n
       tcp-check expect string +OK
@@ -648,9 +655,9 @@
       tcp-check expect string +OK
       {{- range $i := until $replicas }}
       {{- if $.Values.sentinel.resolveHostnames }}
-      server R{{ $i }} {{ $fullName }}-announce-{{ $i }}.{{ $.Release.Namespace }}.svc:{{ $root.Values.redis.port }} check inter {{ $root.Values.haproxy.checkInterval }} fall {{ $root.Values.haproxy.checkFall }} rise 1
+      server R{{ $i }} {{ $fullName }}-announce-{{ $i }}.{{ $.Release.Namespace }}.svc:{{ $redisPort }} check inter {{ $root.Values.haproxy.checkInterval }} fall {{ $root.Values.haproxy.checkFall }} rise 1{{ if $redisTLS }} ssl verify required ca-file /tls-certs/{{ $root.Values.tls.caCertFile }} crt /usr/local/etc/haproxy/backend-tls.pem{{ end }}
       {{- else }}
-      server R{{ $i }} {{ $fullName }}-announce-{{ $i }}:{{ $root.Values.redis.port }} check inter {{ $root.Values.haproxy.checkInterval }} fall {{ $root.Values.haproxy.checkFall }} rise 1
+      server R{{ $i }} {{ $fullName }}-announce-{{ $i }}:{{ $redisPort }} check inter {{ $root.Values.haproxy.checkInterval }} fall {{ $root.Values.haproxy.checkFall }} rise 1{{ if $redisTLS }} ssl verify required ca-file /tls-certs/{{ $root.Values.tls.caCertFile }} crt /usr/local/etc/haproxy/backend-tls.pem{{ end }}
       {{- end }}
       {{- end }}
     {{- end }}
@@ -674,6 +681,9 @@
 {{- define "config-haproxy_init.sh" }}
     HAPROXY_CONF=/data/haproxy.cfg
     cp /readonly/haproxy.cfg "$HAPROXY_CONF"
+    {{- if or .Values.redis.tlsPort .Values.sentinel.tlsPort }}
+    cat /tls-certs/{{ .Values.tls.certFile }} /tls-certs/{{ .Values.tls.keyFile }} > /data/backend-tls.pem
+    {{- end }}
     {{- $fullName := include "redis-ha.fullname" . }}
     {{- $replicas := int (toString .Values.replicas) }}
     {{- $resolveHostnames := .Values.sentinel.resolveHostnames }}

charts/redis-ha/templates/redis-haproxy-deployment.yaml

@@ -122,6 +122,11 @@ spec:
           readOnly: true
         - name: data
           mountPath: /data
+{{- if or .Values.redis.tlsPort .Values.sentinel.tlsPort }}
+        - name: tls-certs
+          mountPath: /tls-certs
+          readOnly: true
+{{- end }}
       {{- if .Values.haproxy.imagePullSecrets }}
       imagePullSecrets: {{ toYaml .Values.haproxy.imagePullSecrets | nindent 8 }}
       {{- end }}
@@ -172,6 +177,10 @@ spec:
           containerPort: 8888
         - name: redis
           containerPort: {{ default "6379" .Values.haproxy.containerPort }}
+        {{- if and .Values.haproxy.tls.enabled .Values.haproxy.tlsPort }}
+        - name: redis-tls
+          containerPort: {{ .Values.haproxy.tlsPort }}
+        {{- end }}
         {{- if .Values.haproxy.readOnly.enabled }}
         - name: readonlyport
           containerPort: {{ default "6380" .Values.haproxy.readOnly.port }}
@@ -194,6 +203,11 @@ spec:
 {{- if .Values.haproxy.tls.enabled }}
         - name: pemfile
           mountPath: {{ .Values.haproxy.tls.certMountPath }}
+{{- end }}
+{{- if or .Values.redis.tlsPort .Values.sentinel.tlsPort }}
+        - name: tls-certs
+          mountPath: /tls-certs
+          readOnly: true
 {{- end }}
         lifecycle:
 {{ toYaml .Values.haproxy.lifecycle | indent 10 }}
@@ -205,6 +219,11 @@ spec:
       - name: pemfile
         secret:
           secretName: {{ tpl .Values.haproxy.tls.secretName . }}
+{{- end }}
+{{- if or .Values.redis.tlsPort .Values.sentinel.tlsPort }}
+      - name: tls-certs
+        secret:
+          secretName: {{ tpl (.Values.tls.secretName | default (printf "%s-tls-secret" (include "redis-ha.fullname" .))) . }}
 {{- end }}
       - name: config-volume
         configMap:

charts/redis-ha/templates/redis-haproxy-service.yaml

@@ -42,6 +42,12 @@ spec:
   {{- if and (eq .Values.haproxy.service.type "NodePort") .Values.haproxy.service.nodePort }}
     nodePort: {{ .Values.haproxy.service.nodePort }}
   {{- end }}
+{{- if and .Values.haproxy.tls.enabled .Values.haproxy.tlsPort }}
+  - name: tcp-haproxy-tls
+    port: {{ .Values.haproxy.tlsPort }}
+    protocol: TCP
+    targetPort: redis-tls
+{{- end }}
 {{- if .Values.haproxy.readOnly.enabled }}
   - name: tcp-haproxyreadonly
     port: {{ .Values.haproxy.readOnly.port }}