[bitnami/redis] Expose ports for TLS and non-TLS connections #16235
Comments
Thank you for your suggestion but the Redis container supports TLS and non-TLS connections at the same time (REDIS_PORT_NUMBER vs REDIS_TLS_PORT) https://github.com/bitnami/containers/tree/main/bitnami/redis#securing-redisr-traffic The chart uses .Values.master.containerPorts.redis to set both env vars depending on if TLS is enabled or not, but you can configure the TLS settings in the chart as usual and set the REDIS_PORT_NUMBER env var in the extraEnvVars parameter to set a non-TLS port. Will that work for you?
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
The suggested approach doesn't work because as soon as In other words, the author of the bitnami/redis chart has on purpose disabled the non-authenticated port when TLS is enabled, without leaving any option to allow both plain and TLS.
You are right @eric-oracle. I just created an internal task to update the solution to allow TLS and non-TLS ports to work simultaneously. I can't provide you with an ETA on when this will be available but we will update this ticket once we have more information. Thanks
Any news? I also need the possibility to have both TLS & non-TLS ports.
Thank you for bringing this issue to our attention. We appreciate your involvement! Your contribution will greatly benefit the community. Please feel free to contact us if you have any questions or need assistance.
any news?
Name and Version
bitnami/redis 17.7.4
What is the problem this feature will solve?
When enabling TLS with a certificate issued by Let's Encrypt, the certificate does not include the cluster local domain, "localhost" or "127.0.0.1" in the SAN, which is expected because the domain name should end with a valid public suffix (TLD). So the probes and connections via cluster DNS to Redis fail.
What is the feature you are proposing to solve the problem?
According to the documentation https://redis.io/docs/management/security/encryption/ it is possible to access Redis on different ports using TLS and non-TLS connections simultaneously.
In my setup I use replication, so replicas connect to the master via TLS even internally within the cluster network, but because sometimes it's not possible to provide a proper certificate, the internal connections to the master should be done without TLS.
So with this feature, we want to connect to the Redis master from outside of the Kubernetes cluster (AKS) via TLS using an external load balancer and keep non-TLS connections internally. The Kubernetes load balancer exposes an IP which is then added to a private subdomain zone.
What alternatives have you considered?
It would be good to receive any suggestions if you have any.
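Added example, not part of the original issue or of the chart: a small check of which connection targets would pass TLS hostname verification against a certificate's SAN list, showing why probes over "localhost", "127.0.0.1" and the cluster DNS name fail with a publicly issued certificate. The SAN value and the service name below are constructed placeholders, and the helper names are hypothetical.

```python
import ipaddress

def is_ip(name):
    """True if the target is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def dns_matches(pattern, host):
    """Match a dNSName SAN; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Wildcard covers exactly one label and never a bare TLD ("*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def name_verifies(target, dns_sans, ip_sans=()):
    """IP targets are checked against iPAddress SANs only, names against dNSName SANs."""
    if is_ip(target):
        addr = ipaddress.ip_address(target)
        return any(addr == ipaddress.ip_address(s) for s in ip_sans)
    return any(dns_matches(s, target) for s in dns_sans)

def audit(targets, dns_sans, ip_sans=()):
    """Map each connection target to whether the certificate covers it."""
    return {t: name_verifies(t, dns_sans, ip_sans) for t in targets}

# Constructed sample: a public CA certificate carries only the public name.
PUBLIC_DNS_SANS = ["redis.example.com"]
# Constructed targets: external clients, in-cluster replicas, local probes.
TARGETS = [
    "redis.example.com",
    "redis-master.default.svc.cluster.local",
    "localhost",
    "127.0.0.1",
]

if __name__ == "__main__":
    for name, ok in audit(TARGETS, PUBLIC_DNS_SANS).items():
        print(f"{name:45s} {'covered' if ok else 'NOT covered by SAN'}")
```

Only the public name verifies, so any in-cluster client or probe that validates the server certificate has to connect by that public name or be given a certificate from a CA that can issue for internal names.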