Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP]THREESCALE-11020 Redis TLS certs and keys for porta and backend #1025

Closed
wants to merge 1 commit into from
Closed

[WIP]THREESCALE-11020 Redis TLS certs and keys for porta and backend #1025

wants to merge 1 commit into from

Conversation

valerymo
Copy link
Contributor

@valerymo valerymo commented Oct 15, 2024
edited
Loading

Jira: https://issues.redhat.com/browse/THREESCALE-11020

Add a way for the user to provide Redis TLS certs and keys for porta and backend

This PR is moved to new one - #1035

New PR is created from current. So all review comments that addressed here are included in new PR.
The reason of new PR - the cleanup is required - remove Certificates Paths and SSL flags that were added in current PR - from Secret; to avoid editing it by User. The cleanup is significant, so decided to close current PR (save it meanwhile) and continue with cleanup/updates on new PR.

  • New environment variables have been added to the existing secrets - system-redis and backend-redis

  • Redis TLS Enabling optional flag (boolean) redisTLSEnabled has been added to Apimanager CR.

    • New env vars are populated in system and backend deployments if redisTLSEnabled is true (deployments: system-app, system-sidekiq, backend-worker, backend-listener)
    • redisTLSEnabled change (false/true )in Apimanager CR will cause removal or adding Redis TLS env vars in these deployments.

  • REDIS_SSL, CONFIG_REDIS_SSL, CONFIG_QUEUES_SSL env will set to "true" if any other env var was set, otherwise they will set to false.

Validation-1 - check new env vars and RedisTLSEnabled boolean parameter

1. Check that All new environment variables have been added to system-redis and backend-redis secrets, as as requested in Jira. Also check env vars in pods.
  • Secret system-redis
$ oc describe secret system-redis |grep REDIS
REDIS_SSL:          4 bytes
REDIS_CA_FILE:      37 bytes
REDIS_CLIENT_CERT:  41 bytes
REDIS_PRIVATE_KEY:  42 bytes
  • Secret backend
$ oc describe secret backend-redis |grep CONF
oc describe secret backend-redis |grep CONF
CONFIG_QUEUES_CERT:            29 bytes
CONFIG_QUEUES_SSL:             4 bytes
CONFIG_REDIS_CA_FILE:          39 bytes
CONFIG_REDIS_PRIVATE_KEY:      44 bytes
CONFIG_QUEUES_CA_FILE:         25 bytes
CONFIG_QUEUES_PRIVATE_KEY:     30 bytes
CONFIG_REDIS_CERT:             43 bytes
CONFIG_REDIS_SSL:              4 bytes
  1. Check SSL env vars behavior - should be set to "true" if any other env var was set

Example:
oc get secret backend-redis -oyaml |grep CONF |grep SSL
CONFIG_QUEUES_SSL: dHJ1ZQ==
CONFIG_REDIS_SSL: dHJ1ZQ==
~/work/56_THREESCALE-11020_3scale_RedisTLS_Secrets

Check Mutation when RedisTLSEnabled boolean parameter changed in ApiManager CR

1. redisTLSEnabled not defined in ApiManager CR

$ oc get -oyaml  apimanager example-apimanager |grep redisTLSEnabled

$ oc describe secret system-redis  |grep REDIS |grep -v SENT
REDIS_CA_FILE:      0 bytes
REDIS_CLIENT_CERT:  0 bytes
REDIS_PRIVATE_KEY:  0 bytes
REDIS_SSL:          5 bytes

$ oc describe secret backend-redis  |grep REDIS |grep -v SENT |grep -v URL
CONFIG_REDIS_CA_FILE:          0 bytes
CONFIG_REDIS_SSL:              5 bytes
CONFIG_REDIS_PRIVATE_KEY:      0 bytes
CONFIG_REDIS_CERT:             0 bytes

$ oc describe deploy backend-redis  |grep REDIS |grep -v SENT |grep -v REDIS_CONF
$
$ oc describe deploy system-redis  |grep REDIS |grep -v SENT |grep -v REDIS_CONF
$
$ oc describe deploy system-app  |grep REDIS_CLIENT_CERT
$
$ oc describe deploy system-sidekiq  |grep REDIS_CLIENT_CERT
$
$ oc describe deploy backend-listener |grep CERT |grep REDIS
$
$ oc describe deploy backend-worker |grep CERT |grep REDIS

2. Add redisTLSEnabled true to ApiManager CR

$  oc get -oyaml  apimanager example-apimanager |grep redisTLSEnabled
  redisTLSEnabled: true

oc describe deploy system-app  |grep REDIS |grep -v SENT |grep -v URL
      REDIS_CA_FILE:                                 /tls/system-redis/system-redis-ca.crt
      REDIS_CLIENT_CERT:                             /tls/system-redis/system-redis-client.crt
      REDIS_PRIVATE_KEY:                             /tls/system-redis/system-redis-private.key
      REDIS_SSL:                                     <set to the key 'REDIS_SSL' in secret 'system-redis'>                      Optional: false
      BACKEND_REDIS_CA_FILE:                         /tls/backend-redis/backend-redis-ca.crt
      BACKEND_REDIS_CLIENT_CERT:                     /tls/backend-redis/backend-redis-client.crt
      BACKEND_REDIS_PRIVATE_KEY:                     /tls/backend-redis/backend-redis-private.key
      BACKEND_REDIS_SSL:                             <set to the key 'CONFIG_REDIS_SSL' in secret 'backend-redis'>        Optional: false
      REDIS_CA_FILE:                                 /tls/system-redis/system-redis-ca.crt
      REDIS_CLIENT_CERT:                             /t
...

 oc describe deploy system-sidekiq  |grep REDIS |grep -v SENT |grep -v URL
      REDIS_CA_FILE:         /tls/system-redis/system-redis-ca.crt
      REDIS_CLIENT_CERT:     /tls/system-redis/system-redis-client.crt
      REDIS_PRIVATE_KEY:     /tls/system-redis/system-redis-private.key
      REDIS_SSL:             <set to the key 'REDIS_SSL' in secret 'system-redis'>  Optional: false
      REDIS_CA_FILE:                                 /tls/system-redis/system-redis-ca.crt
      REDIS_CLIENT_CERT:                             /tls/system-redis/system-redis-client.crt
      REDIS_PRIVATE_KEY:                             /tls/system-redis/system-redis-private.key
      REDIS_SSL:                                     <set to the key 'REDIS_SSL' in secret 'system-redis'>                      Optional: false
      BACKEND_REDIS_CA_FILE:                         /tls/backend-redis/backend-redis-ca.crt
      BACKEND_REDIS_CLIENT_CERT:                     /tls/backend-redis/backend-redis-client.crt
      BACKEND_REDIS_PRIVATE_KEY:                     /tls/backend-redis/backend-redis-private.key
      BACKEND_REDIS_SSL:                             <set to the key 'CONFIG_REDIS_SSL' in secret 'backend-redis'>        Optional: false

 oc describe deploy backend-listener  |grep -E "tls|SSL"
      CONFIG_REDIS_CA_FILE:                        /tls/backend-redis/backend-redis-ca.crt
      CONFIG_REDIS_CERT:                           /tls/backend-redis/backend-redis-client.crt
      CONFIG_REDIS_PRIVATE_KEY:                    /tls/backend-redis/backend-redis-private.key
      CONFIG_REDIS_SSL:                            <set to the key 'CONFIG_REDIS_SSL' in secret 'backend-redis'>  Optional: false
      CONFIG_QUEUES_CA_FILE:                       /tls/config-queues-ca.crt
      CONFIG_QUEUES_CERT:                          /tls/config-queues-client.crt
      CONFIG_QUEUES_PRIVATE_KEY:                   /tls/config-queues-private.key
      CONFIG_QUEUES_SSL:                           <set to the key 'CONFIG_QUEUES_SSL' in secret 'backend-redis'>  Optional: false

 oc describe deploy backend-worker  |grep -E "tls|SSL"
      CONFIG_REDIS_CA_FILE:                      /tls/backend-redis/backend-redis-ca.crt
      CONFIG_REDIS_CERT:                         /tls/backend-redis/backend-redis-client.crt
      CONFIG_REDIS_PRIVATE_KEY:                  /tls/backend-redis/backend-redis-private.key
      CONFIG_REDIS_SSL:                          <set to the key 'CONFIG_REDIS_SSL' in secret 'backend-redis'>  Optional: false
      CONFIG_QUEUES_CA_FILE:                     /tls/config-queues-ca.crt
      CONFIG_QUEUES_CERT:                        /tls/config-queues-client.crt
      CONFIG_QUEUES_PRIVATE_KEY:                 /tls/config-queues-private.key
      CONFIG_QUEUES_SSL:                         <set to the key 'CONFIG_QUEUES_SSL' in secret 'backend-redis'>  Optional: false

3. Set redisTLSEnabled false to ApiManager CR

$ oc get -oyaml  apimanager example-apimanager |grep redisTLSEnabled
$ redisTLSEnabled: false

$ oc describe deploy backend-redis  |grep REDIS |grep -v SENT |grep -v REDIS_CONF
$
$ oc describe deploy system-redis  |grep REDIS |grep -v SENT |grep -v REDIS_CONF
$
$ oc describe deploy system-app  |grep REDIS_CLIENT_CERT
$
$ oc describe deploy system-sidekiq  |grep REDIS_CLIENT_CERT
$
$ oc describe deploy backend-listener |grep CERT |grep REDIS
$
$ oc describe deploy backend-worker |grep CERT |grep REDIS

Validation -2, TLS Enabled, Internal Redis, Certificates mounts

~/go/3scale-operator git branch |grep "*" * [THREESCALE-11020](https://issues.redhat.com//browse/THREESCALE-11020)-1 ~/go/3scale-operator oc get pod NAME READY STATUS RESTARTS AGE apicast-production-6d4d589848-9vxq8 1/1 Running 0 79m apicast-staging-767df4cbd8-xl4zc 1/1 Running 0 79m backend-cron-6bbd4d5846-8h4xg 1/1 Running 0 80m backend-listener-76b477f78c-pndbf 1/1 Running 2 (58m ago) 80m backend-redis-7ddddd89f5-vxtvp 1/1 Running 0 80m backend-worker-675b4944b8-plb6m 1/1 Running 0 50m system-app-85cb4d5c64-x7fh4 3/3 Running 0 78m system-app-post-h4hfw 0/1 Completed 0 76m system-app-pre-8mst2 0/1 Completed 0 78m system-memcache-6b4df58598-rbgmf 1/1 Running 0 80m system-mysql-6b9d494fdc-vrgnn 1/1 Running 0 80m system-redis-86555f978c-cffmw 1/1 Running 0 80m system-searchd-6b74944c59-s4bw8 1/1 Running 0 80m system-searchd-manticore-reindex-7gfjz 0/1 Completed 0 78m system-searchd-manticore-reindex-h72sx 0/1 Error 0 79m system-sidekiq-7555f7494b-zq6hk 1/1 Running 0 79m throwaway-redis 1/1 Running 0 21h zync-5d866556bf-x2pf6 1/1 Running 0 79m zync-database-5cfdcdd654-979s8 1/1 Running 0 79m zync-que-67d4d96c46-tzxrt 1/1 Running 2 (79m ago) 79m ~/go/3scale-operator oc get deploy NAME READY UP-TO-DATE AVAILABLE AGE apicast-production 1/1 1 1 79m apicast-staging 1/1 1 1 79m backend-cron 1/1 1 1 80m backend-listener 1/1 1 1 80m backend-redis 1/1 1 1 80m backend-worker 1/1 1 1 80m system-app 1/1 1 1 78m system-memcache 1/1 1 1 80m system-mysql 1/1 1 1 80m system-redis 1/1 1 1 80m system-searchd 1/1 1 1 80m system-sidekiq 1/1 1 1 79m zync 1/1 1 1 79m zync-database 1/1 1 1 79m zync-que 1/1 1 1 79m ~/go/3scale-operator ~/go/3scale-operator oc get secret system-redis -oyaml apiVersion: v1 data: REDIS_CA_FILE: L3Rscy9zeXN0ZW0tcmVkaXMvc3lzdGVtLXJlZGlzLWNhLmNydA== REDIS_CLIENT_CERT: L3Rscy9zeXN0ZW0tcmVkaXMvc3lzdGVtLXJlZGlzLWNsaWVudC5jcnQ= REDIS_PRIVATE_KEY: L3Rscy9zeXN0ZW0tcmVkaXMvc3lzdGVtLXJlZGlzLXByaXZhdGUua2V5 REDIS_SSL: dHJ1ZQ== SENTINEL_HOSTS: "" SENTINEL_ROLE: "" SSL_CA: cmVwbGFjZW1l SSL_CERT: cmVwbGFjZW1l SSL_KEY: cmVwbGFjZW1l URL: cmVkaXM6Ly9zeXN0ZW0tcmVkaXM6NjM3OS8x kind: Secret metadata: creationTimestamp: "2024-11-12T05:18:17Z" labels: apimanager.apps.3scale.net/watched-by: system app: 3scale-api-management threescale_component: system name: system-redis namespace: 3scale-test resourceVersion: "1434610" uid: 5f13f072-dca3-4eca-ba6a-0d1442665bc1 type: Opaque ~/go/3scale-operator oc get secret backend-redis -oyaml apiVersion: v1 data: CONFIG_QUEUES_CA_FILE: L3Rscy9jb25maWctcXVldWVzLWNhLmNydA== CONFIG_QUEUES_CERT: L3Rscy9jb25maWctcXVldWVzLWNsaWVudC5jcnQ= CONFIG_QUEUES_PRIVATE_KEY: L3Rscy9jb25maWctcXVldWVzLXByaXZhdGUua2V5 CONFIG_QUEUES_SSL: dHJ1ZQ== CONFIG_REDIS_CA_FILE: L3Rscy9iYWNrZW5kLXJlZGlzL2JhY2tlbmQtcmVkaXMtY2EuY3J0 CONFIG_REDIS_CERT: L3Rscy9iYWNrZW5kLXJlZGlzL2JhY2tlbmQtcmVkaXMtY2xpZW50LmNydA== CONFIG_REDIS_PRIVATE_KEY: L3Rscy9iYWNrZW5kLXJlZGlzL2JhY2tlbmQtcmVkaXMtcHJpdmF0ZS5rZXk= CONFIG_REDIS_SSL: dHJ1ZQ== REDIS_QUEUES_SENTINEL_HOSTS: "" REDIS_QUEUES_SENTINEL_ROLE: "" REDIS_QUEUES_URL: cmVkaXM6Ly9iYWNrZW5kLXJlZGlzOjYzNzkvMQ== REDIS_STORAGE_SENTINEL_HOSTS: "" REDIS_STORAGE_SENTINEL_ROLE: "" REDIS_STORAGE_URL: cmVkaXM6Ly9iYWNrZW5kLXJlZGlzOjYzNzkvMA== SSL_CA: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURRVENDQWltZ0F3SUJBZ0lUQm15Zno1bS9qQW81NHZCNGlrUG1salpieWpBTkJna3Foa2lHOXcwQkFRc0YKQURBNU1Rc3dDUVlEVlFRR0V3SlZVekVQTUEwR0ExVUVDaE1HUVcxaGVtOXVNUmt3RndZRFZRUURFeEJCYldGNgpiMjRnVW05dmRDQkRRU0F4TUI0WERURTFNRFV5TmpBd01EQXdNRm9YRFRNNE1ERXhOekF3TURBd01Gb3dPVEVMCk1Ba0dBMVVFQmhNQ1ZWTXhEekFOQmdOVkJBb1RCa0Z0WVhwdmJqRVpNQmNHQTFVRUF4TVFRVzFoZW05dUlGSnYKYjNRZ1EwRWdNVENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFMSjRnSEhLZU5YagpjYTlIZ0ZCMGZXN1kxNGgyOUpsbzkxZ2hZUGwwaEFFdnJBSXRodE9nUTNwT3NxVFFOcm9Cdm8zYlNNZ0hGelpNCjlPNklJOGMrNnpmMXRSbjRTV2l3M3RlNWRqZ2RZWjZrL29JMnBlVktWdVJGNGZuOXRCYjZkTnFjbXpVNUwvcXcKSUZBR2JIclFnTEttK2Evc1J4bVBVRGdIM0tLSE9WajR1dFdwK1Vobk1KYnVsSGhlYjRtalVjQXdobWFoUldhNgpWT3VqdzVINVNOei8wZWd3TFgwdGRIQTExNGdrOTU3RVdXNjdjNGNYOGpKR0tMaEQrcmNkcXNxMDhwOGtEaTFMCjkzRmNYbW4vNnBVQ3l6aUtybEE0Yjl2N0xXSWJ4Y2NlVk9GMzRHZklENXlISTlZL1FDQi9JSURFZ0V3K095UW0KamdTdWJKcklxZzBDQXdFQUFhTkNNRUF3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFPQmdOVkhROEJBZjhFQkFNQwpBWVl3SFFZRFZSME9CQllFRklRWXpJVTA3THdNbEpRdUNGbWN4N0lRVGdvSU1BMEdDU3FHU0liM0RRRUJDd1VBCkE0SUJBUUNZOGpkYVFaQ2hHc1YyVVNnZ05pTU9ydVlvdTZyNGxLNUlwREIvRy93a2pVdTB5S0dYOXJieGVuREkKVTVQTUNDamptQ1hQSTZUNTNpSFRmSVVKclU2YWRUckNDMnFKZUhaRVJ4aGxiSTFCamp0L21zdjB0YWRRMXdVcwpOK2dEUzYzcFlhQUNidlh5OE1XeTdWdTMzUHFVWEhlZUU2Vi9VcTJWOHZpVE85NkxYRnZLV2xKYllLOFU5MHZ2Cm8vdWZRSlZ0TVZUOFF0UEhSaDhqcmRrUFNIQ2EyWFY0Y2RGeVF6UjFibGRad2dKY0ptQXB6eU1aRm82SVE2WFUKNU1zSSt5TVJRK2hES1hKaW9hbGRYZ2pVa0s2NDJNNFV3dEJWOG9iMnhKTkRkMlpod0xub1FkZVhlR0FEYmtweQpycVhSZmJvUW5vWnNHNHE1V1RQNDY4U1F2dkc1Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K SSL_CERT: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURIVENDQWdXZ0F3SUJBZ0lVVmZzcTVabWx5ODRsQkJYZ0pyTlNTaVBJU29Nd0RRWUpLb1pJaHZjTkFRRUwKQlFBd056RVJNQThHQTFVRUF3d0lkbTF2WjJsc1pYWXhJakFnQmdrcWhraUc5dzBCQ1FFV0UzWnRiMmRwYkdWMgpRSEpsWkdoaGRDNWpiMjB3SGhjTk1qUXhNVEV4TVRVek16QTRXaGNOTWpReE1qRXhNVFV6TXpBNFdqQTNNUkV3CkR3WURWUVFEREFoMmJXOW5hV3hsZGpFaU1DQUdDU3FHU0liM0RRRUpBUllUZG0xdloybHNaWFpBY21Wa2FHRjAKTG1OdmJUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUkvTi9xYk1HOHhtSVROVgpMZ1kzUkJsSVd3OGtmbFc4c1VsMU15dGVCSFAyeEYzRGZZSDlSUW5VczVnVER3RmI1SXpaU1lYYTdZMTBhdkRSCmJRZ2dCUThJZ2tUem50ODBwTityWkk5eEFRTUVRczczMGlPSXRTb3FiVGJaeldDUzVPaFNhY0RQLzkycTdoZFcKS0tiajBiR3N6L2wyUHpXUDM5STAyY3FaVEdoRHU1QkNiWHAxLzlYSkgvRElqNkNZOGdFbVVrM0Ntck04NE5oWAp6T2szTnIzS0gwbFJvVjBZa3FSWkJSekhqV0haV2NYK1QzVk0yYVVqUUdEZmJzT1ZXbTFqSm5QS0N5TW5aOHhYCkRzUFlmeWFMZm84Z3FXMkl0TlM0MFNxTXEwMDcyR05UWHJGT1hHa0xFWXlFNUNPNG12OFh6YTI3aU5oK05MM1cKOWc1SHRQOENBd0VBQWFNaE1COHdIUVlEVlIwT0JCWUVGTFpwbW5oMlpsSW1KcklBa2tla3k5elJNYm5BTUEwRwpDU3FHU0liM0RRRUJDd1VBQTRJQkFRQnBtQ2dVNTFDQm9RRkhHN2w1Q0VyVklUWGtBZjV3eDh4WXRhTUVlRHpSCjBVWWlacmkwWUlrM2xVK1hGeXQvOHU2ek1aV0tWd0M5UTVOcWxvYmZEZ3d6UHA2UlM1dkV0eEExbHpmd2xwYmMKeERqZ3REbitMd2lRbzdpZHVUZnlxb3ZCUjVTQjZZWUhIbzYySm5MMEtFbEduR0hkMVJ6ODBEYTFTdFhzU1Q2TgorczEzOVVZUWpDaE9qWXdrb3YyeHJxNW5CVE9uejNEeVZpaFVuR3JLUXFLUnpFcXpuc0FkVUsrVlh1ZjhWUGRMCjN3ZGtMOTBxNnZ3M0M0dzZVTk4wZnVOeVBRZTBJMnRkeWFDUS9EbEdEQWN4UnBqbUdGcnlyZXpUZGloVDBrVXUKSjc4RDFreHlnMmdFRmc0aHJJcTE4elJKSkxTcnZmSjNNbmowSXFlNm5kWlUKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= SSL_KEY: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2QUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktZd2dnU2lBZ0VBQW9JQkFRQ1B6ZjZtekJ2TVppRXoKVlM0R04wUVpTRnNQSkg1VnZMRkpkVE1yWGdSejlzUmR3MzJCL1VVSjFMT1lFdzhCVytTTTJVbUYydTJOZEdydwowVzBJSUFVUENJSkU4NTdmTktUZnEyU1BjUUVEQkVMTzk5SWppTFVxS20wMjJjMWdrdVRvVW1uQXovL2RxdTRYClZpaW00OUd4ck0vNWRqODFqOS9TTk5uS21VeG9RN3VRUW0xNmRmL1Z5Ui93eUkrZ21QSUJKbEpOd3BxelBPRFkKVjh6cE56YTl5aDlKVWFGZEdKS2tXUVVjeDQxaDJWbkYvazkxVE5tbEkwQmczMjdEbFZwdFl5Wnp5Z3NqSjJmTQpWdzdEMkg4bWkzNlBJS2x0aUxUVXVORXFqS3ROTzloalUxNnhUbHhwQ3hHTWhPUWp1SnIvRjgydHU0allmalM5CjF2WU9SN1QvQWdNQkFBRUNnZ0VBTm1Kd1NRSnVET29lNmp2dmtQZzdyOWdXWCs2c1BKNkU2Y1FDR3dlT1paRFEKaUtsVEFPTVl4ZlFFQzZKQmpZRUVPV1Eva3ZqTjJDNUw5MUVzaStNWUpxeFFIK1dHa3VGazdSWHpqTy91c3daYwpnY3RsVkh6eURzVkcwblNpWUVDTmczTVBmWlRzTGhmanZUMmZXQ1pXZW54aGx2VnFTRVptSGloUXFYYzZWeitkClFmZnEwMWFLdVRETkhEMmd0YWJDLzNOUExMMUIrMnBUN2lhcjVieXFGbW5CUnpIdXZwQldPcFRHdE1RTmZsdGYKT3M1dDNqbGZnRTFBVis5NTA2K1FpcldhbGE5NE9sRTBTS29vZ0V4UktVV3hNLzZqbDRqbi82QlhvZ2wyS25PSApvVEdjTHptWGtZeVdmNWErdEpWSk0yT2phdEYrRW5xVHF3c1I2eXpmU1FLQmdRREF1VXIxaVk1enNCUkplY2FXCnpGTytpL0VnUlRlY21DeEFzMkpETStzK3JpQjQvWXpVTnlZQUFOaUt5QTVjS3pCc2FpVGoxSnJJQ0dtNmY0U1gKVkpOUmtPQk10VkdBbDkxa2JnY3JObURqYVBJNVdhaVZMZThqMkxjeG1pSXRzczhmTXdFR0V0eEVKQ0pFSmpiNwppYkhpeFN5a0JPeEhOalU3c1laZnJCMVdNd0tCZ1FDL0JQclQyQ1I2QUpicGV0VUMyR0w3amxoUlBIdHVFRElnCjgwTE1DOGpZcVNhVWVBdlgrbUUwLzVWVUs3Q0F4YkhpOUxCQXlZM09uMjd6MXN6M216TnlCQzdDc29wZW9NeXkKbG9iOTBHa0U4YWhUS3BXSDVnWHJxbjkvZitEb2x4SXJjdmlhKzd6clFUTWd5dklua3JsT3EwSXN2alk4WmNNQgpwVWJ3MGZUaUJRS0JnRjhjVXNFQVpOdjFIdDN3Q2pDcm4veWVwWjR1YXJhT1p2QjdWdGdoakV3L3RPamhBSnBPCnFTTkJSNXllQkhBNkpFaXN6WTNlZzVDS2psc3F5VzNCb0g2VmlBeHpRMGk2S2RtQmIycEZDT1hTQ2hDQmpmQXAKWGlhTHNrVDVjenFvVHcxdnAyYXU4aU55emJKaVJhbzNseUY1KzREcXFReXYxTytqdWRRSFplYi9Bb0dBSVoxeAp1b2dGMjBaeFNFTXFheWJEUEh1UFJUUjhrQ0RmZ1hidG9WVE5rbnNwNCtUQVNOQ3gvSTZocTc5SWYxREsvaUtMClJjdHlYaE1taGxpZGwxRkRtMlByQ3E0NnRXNWN0MnpQOHFpVFlxQllPOUo1b0FHMXR3UTVEYW5tWFdnQWRZNzAKK3Vra0ZNNVRmZ2pZMW1mMm5rWjdEYjZuY3JlQnVxOW9MWWIxTGpVQ2dZQjdId3VWQjhFZHhFczBsSHhIUjdaagpqbUZ3UzhVUXRFL21ZdVFBT3puTVp4clVzaisyb2ZsaVdyZ1Qyb01nMUpxc1RHeEg3dzN5dXBwNEpMbDZlQ2dnCkFkMTZmL3NtbjYzTDBwRWhpL2RoZnhQaDFLK1BuUjFIVUlWZHVKazdmTGhoRWJLRStFbmZyeHhOKytkVWZKYmYKU2c2NmZCTDNRaEF2UHE1OHlya2VnZz09Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K SSL_QUEUES_CA: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURRVENDQWltZ0F3SUJBZ0lUQm15Zno1bS9qQW81NHZCNGlrUG1salpieWpBTkJna3Foa2lHOXcwQkFRc0YKQURBNU1Rc3dDUVlEVlFRR0V3SlZVekVQTUEwR0ExVUVDaE1HUVcxaGVtOXVNUmt3RndZRFZRUURFeEJCYldGNgpiMjRnVW05dmRDQkRRU0F4TUI0WERURTFNRFV5TmpBd01EQXdNRm9YRFRNNE1ERXhOekF3TURBd01Gb3dPVEVMCk1Ba0dBMVVFQmhNQ1ZWTXhEekFOQmdOVkJBb1RCa0Z0WVhwdmJqRVpNQmNHQTFVRUF4TVFRVzFoZW05dUlGSnYKYjNRZ1EwRWdNVENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFMSjRnSEhLZU5YagpjYTlIZ0ZCMGZXN1kxNGgyOUpsbzkxZ2hZUGwwaEFFdnJBSXRodE9nUTNwT3NxVFFOcm9Cdm8zYlNNZ0hGelpNCjlPNklJOGMrNnpmMXRSbjRTV2l3M3RlNWRqZ2RZWjZrL29JMnBlVktWdVJGNGZuOXRCYjZkTnFjbXpVNUwvcXcKSUZBR2JIclFnTEttK2Evc1J4bVBVRGdIM0tLSE9WajR1dFdwK1Vobk1KYnVsSGhlYjRtalVjQXdobWFoUldhNgpWT3VqdzVINVNOei8wZWd3TFgwdGRIQTExNGdrOTU3RVdXNjdjNGNYOGpKR0tMaEQrcmNkcXNxMDhwOGtEaTFMCjkzRmNYbW4vNnBVQ3l6aUtybEE0Yjl2N0xXSWJ4Y2NlVk9GMzRHZklENXlISTlZL1FDQi9JSURFZ0V3K095UW0KamdTdWJKcklxZzBDQXdFQUFhTkNNRUF3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFPQmdOVkhROEJBZjhFQkFNQwpBWVl3SFFZRFZSME9CQllFRklRWXpJVTA3THdNbEpRdUNGbWN4N0lRVGdvSU1BMEdDU3FHU0liM0RRRUJDd1VBCkE0SUJBUUNZOGpkYVFaQ2hHc1YyVVNnZ05pTU9ydVlvdTZyNGxLNUlwREIvRy93a2pVdTB5S0dYOXJieGVuREkKVTVQTUNDamptQ1hQSTZUNTNpSFRmSVVKclU2YWRUckNDMnFKZUhaRVJ4aGxiSTFCamp0L21zdjB0YWRRMXdVcwpOK2dEUzYzcFlhQUNidlh5OE1XeTdWdTMzUHFVWEhlZUU2Vi9VcTJWOHZpVE85NkxYRnZLV2xKYllLOFU5MHZ2Cm8vdWZRSlZ0TVZUOFF0UEhSaDhqcmRrUFNIQ2EyWFY0Y2RGeVF6UjFibGRad2dKY0ptQXB6eU1aRm82SVE2WFUKNU1zSSt5TVJRK2hES1hKaW9hbGRYZ2pVa0s2NDJNNFV3dEJWOG9iMnhKTkRkMlpod0xub1FkZVhlR0FEYmtweQpycVhSZmJvUW5vWnNHNHE1V1RQNDY4U1F2dkc1Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K SSL_QUEUES_CERT: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURIVENDQWdXZ0F3SUJBZ0lVVmZzcTVabWx5ODRsQkJYZ0pyTlNTaVBJU29Nd0RRWUpLb1pJaHZjTkFRRUwKQlFBd056RVJNQThHQTFVRUF3d0lkbTF2WjJsc1pYWXhJakFnQmdrcWhraUc5dzBCQ1FFV0UzWnRiMmRwYkdWMgpRSEpsWkdoaGRDNWpiMjB3SGhjTk1qUXhNVEV4TVRVek16QTRXaGNOTWpReE1qRXhNVFV6TXpBNFdqQTNNUkV3CkR3WURWUVFEREFoMmJXOW5hV3hsZGpFaU1DQUdDU3FHU0liM0RRRUpBUllUZG0xdloybHNaWFpBY21Wa2FHRjAKTG1OdmJUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUkvTi9xYk1HOHhtSVROVgpMZ1kzUkJsSVd3OGtmbFc4c1VsMU15dGVCSFAyeEYzRGZZSDlSUW5VczVnVER3RmI1SXpaU1lYYTdZMTBhdkRSCmJRZ2dCUThJZ2tUem50ODBwTityWkk5eEFRTUVRczczMGlPSXRTb3FiVGJaeldDUzVPaFNhY0RQLzkycTdoZFcKS0tiajBiR3N6L2wyUHpXUDM5STAyY3FaVEdoRHU1QkNiWHAxLzlYSkgvRElqNkNZOGdFbVVrM0Ntck04NE5oWAp6T2szTnIzS0gwbFJvVjBZa3FSWkJSekhqV0haV2NYK1QzVk0yYVVqUUdEZmJzT1ZXbTFqSm5QS0N5TW5aOHhYCkRzUFlmeWFMZm84Z3FXMkl0TlM0MFNxTXEwMDcyR05UWHJGT1hHa0xFWXlFNUNPNG12OFh6YTI3aU5oK05MM1cKOWc1SHRQOENBd0VBQWFNaE1COHdIUVlEVlIwT0JCWUVGTFpwbW5oMlpsSW1KcklBa2tla3k5elJNYm5BTUEwRwpDU3FHU0liM0RRRUJDd1VBQTRJQkFRQnBtQ2dVNTFDQm9RRkhHN2w1Q0VyVklUWGtBZjV3eDh4WXRhTUVlRHpSCjBVWWlacmkwWUlrM2xVK1hGeXQvOHU2ek1aV0tWd0M5UTVOcWxvYmZEZ3d6UHA2UlM1dkV0eEExbHpmd2xwYmMKeERqZ3REbitMd2lRbzdpZHVUZnlxb3ZCUjVTQjZZWUhIbzYySm5MMEtFbEduR0hkMVJ6ODBEYTFTdFhzU1Q2TgorczEzOVVZUWpDaE9qWXdrb3YyeHJxNW5CVE9uejNEeVZpaFVuR3JLUXFLUnpFcXpuc0FkVUsrVlh1ZjhWUGRMCjN3ZGtMOTBxNnZ3M0M0dzZVTk4wZnVOeVBRZTBJMnRkeWFDUS9EbEdEQWN4UnBqbUdGcnlyZXpUZGloVDBrVXUKSjc4RDFreHlnMmdFRmc0aHJJcTE4elJKSkxTcnZmSjNNbmowSXFlNm5kWlUKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= SSL_QUEUES_KEY: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2QUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktZd2dnU2lBZ0VBQW9JQkFRQ1B6ZjZtekJ2TVppRXoKVlM0R04wUVpTRnNQSkg1VnZMRkpkVE1yWGdSejlzUmR3MzJCL1VVSjFMT1lFdzhCVytTTTJVbUYydTJOZEdydwowVzBJSUFVUENJSkU4NTdmTktUZnEyU1BjUUVEQkVMTzk5SWppTFVxS20wMjJjMWdrdVRvVW1uQXovL2RxdTRYClZpaW00OUd4ck0vNWRqODFqOS9TTk5uS21VeG9RN3VRUW0xNmRmL1Z5Ui93eUkrZ21QSUJKbEpOd3BxelBPRFkKVjh6cE56YTl5aDlKVWFGZEdKS2tXUVVjeDQxaDJWbkYvazkxVE5tbEkwQmczMjdEbFZwdFl5Wnp5Z3NqSjJmTQpWdzdEMkg4bWkzNlBJS2x0aUxUVXVORXFqS3ROTzloalUxNnhUbHhwQ3hHTWhPUWp1SnIvRjgydHU0allmalM5CjF2WU9SN1QvQWdNQkFBRUNnZ0VBTm1Kd1NRSnVET29lNmp2dmtQZzdyOWdXWCs2c1BKNkU2Y1FDR3dlT1paRFEKaUtsVEFPTVl4ZlFFQzZKQmpZRUVPV1Eva3ZqTjJDNUw5MUVzaStNWUpxeFFIK1dHa3VGazdSWHpqTy91c3daYwpnY3RsVkh6eURzVkcwblNpWUVDTmczTVBmWlRzTGhmanZUMmZXQ1pXZW54aGx2VnFTRVptSGloUXFYYzZWeitkClFmZnEwMWFLdVRETkhEMmd0YWJDLzNOUExMMUIrMnBUN2lhcjVieXFGbW5CUnpIdXZwQldPcFRHdE1RTmZsdGYKT3M1dDNqbGZnRTFBVis5NTA2K1FpcldhbGE5NE9sRTBTS29vZ0V4UktVV3hNLzZqbDRqbi82QlhvZ2wyS25PSApvVEdjTHptWGtZeVdmNWErdEpWSk0yT2phdEYrRW5xVHF3c1I2eXpmU1FLQmdRREF1VXIxaVk1enNCUkplY2FXCnpGTytpL0VnUlRlY21DeEFzMkpETStzK3JpQjQvWXpVTnlZQUFOaUt5QTVjS3pCc2FpVGoxSnJJQ0dtNmY0U1gKVkpOUmtPQk10VkdBbDkxa2JnY3JObURqYVBJNVdhaVZMZThqMkxjeG1pSXRzczhmTXdFR0V0eEVKQ0pFSmpiNwppYkhpeFN5a0JPeEhOalU3c1laZnJCMVdNd0tCZ1FDL0JQclQyQ1I2QUpicGV0VUMyR0w3amxoUlBIdHVFRElnCjgwTE1DOGpZcVNhVWVBdlgrbUUwLzVWVUs3Q0F4YkhpOUxCQXlZM09uMjd6MXN6M216TnlCQzdDc29wZW9NeXkKbG9iOTBHa0U4YWhUS3BXSDVnWHJxbjkvZitEb2x4SXJjdmlhKzd6clFUTWd5dklua3JsT3EwSXN2alk4WmNNQgpwVWJ3MGZUaUJRS0JnRjhjVXNFQVpOdjFIdDN3Q2pDcm4veWVwWjR1YXJhT1p2QjdWdGdoakV3L3RPamhBSnBPCnFTTkJSNXllQkhBNkpFaXN6WTNlZzVDS2psc3F5VzNCb0g2VmlBeHpRMGk2S2RtQmIycEZDT1hTQ2hDQmpmQXAKWGlhTHNrVDVjenFvVHcxdnAyYXU4aU55emJKaVJhbzNseUY1KzREcXFReXYxTytqdWRRSFplYi9Bb0dBSVoxeAp1b2dGMjBaeFNFTXFheWJEUEh1UFJUUjhrQ0RmZ1hidG9WVE5rbnNwNCtUQVNOQ3gvSTZocTc5SWYxREsvaUtMClJjdHlYaE1taGxpZGwxRkRtMlByQ3E0NnRXNWN0MnpQOHFpVFlxQllPOUo1b0FHMXR3UTVEYW5tWFdnQWRZNzAKK3Vra0ZNNVRmZ2pZMW1mMm5rWjdEYjZuY3JlQnVxOW9MWWIxTGpVQ2dZQjdId3VWQjhFZHhFczBsSHhIUjdaagpqbUZ3UzhVUXRFL21ZdVFBT3puTVp4clVzaisyb2ZsaVdyZ1Qyb01nMUpxc1RHeEg3dzN5dXBwNEpMbDZlQ2dnCkFkMTZmL3NtbjYzTDBwRWhpL2RoZnhQaDFLK1BuUjFIVUlWZHVKazdmTGhoRWJLRStFbmZyeHhOKytkVWZKYmYKU2c2NmZCTDNRaEF2UHE1OHlya2VnZz09Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K kind: Secret metadata: creationTimestamp: "2024-11-12T05:18:18Z" labels: apimanager.apps.3scale.net/watched-by: backend app: 3scale-api-management threescale_component: backend name: backend-redis namespace: 3scale-test resourceVersion: "1448237" uid: e756ccdf-0604-45c3-9c23-9089da9c2a1e type: Opaque ~/go/3scale-operator ~/go/3scale-operator

Check Certificates mounts

~/go/3scale-operator oc rsh backend-worker-675b4944b8-plb6m
Defaulted container "backend-worker" out of: backend-worker, backend-redis-svc (init)
sh-4.4$ ls -l /tls
total 0
lrwxrwxrwx. 1 root 1001050000 27 Nov 12 05:48 backend-redis-ca.crt -> ..data/backend-redis-ca.crt
lrwxrwxrwx. 1 root 1001050000 31 Nov 12 05:48 backend-redis-client.crt -> ..data/backend-redis-client.crt
lrwxrwxrwx. 1 root 1001050000 32 Nov 12 05:48 backend-redis-private.key -> ..data/backend-redis-private.key
lrwxrwxrwx. 1 root 1001050000 27 Nov 12 05:48 config-queues-ca.crt -> ..data/config-queues-ca.crt
lrwxrwxrwx. 1 root 1001050000 31 Nov 12 05:48 config-queues-client.crt -> ..data/config-queues-client.crt
lrwxrwxrwx. 1 root 1001050000 32 Nov 12 05:48 config-queues-private.key -> ..data/config-queues-private.key
sh-4.4$
sh-4.4$
sh-4.4$ cat /tls/backend-redis-private.key
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCPzf6mzBvMZiEz
.......==
-----END PRIVATE KEY-----
sh-4.4$ cat /tls/backend-redis-client.crt
-----BEGIN CERTIFICATE-----
MIIDHTCCAgWgAwIBAgIUVfsq5Zmly84lBBXgJrNSSiPISoMwDQYJKoZIhvcNAQEL
......
-----END CERTIFICATE-----
sh-4.4$ cat /tls/backend-redis-ca.crt
-----BEGIN CERTIFICATE-----
MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
.....
-----END CERTIFICATE-----
sh-4.4$ ^C
sh-4.4$ exit
command terminated with exit code 130
~/go/3scale-operator
~/go/3scale-operator
~/go/3scale-operator oc rsh backend-listener-76b477f78c-pndbf
sh-4.4$ ls -l /tls
total 0
lrwxrwxrwx. 1 root 1001050000 27 Nov 12 05:18 backend-redis-ca.crt -> ..data/backend-redis-ca.crt
lrwxrwxrwx. 1 root 1001050000 31 Nov 12 05:18 backend-redis-client.crt -> ..data/backend-redis-client.crt
lrwxrwxrwx. 1 root 1001050000 32 Nov 12 05:18 backend-redis-private.key -> ..data/backend-redis-private.key
lrwxrwxrwx. 1 root 1001050000 27 Nov 12 05:18 config-queues-ca.crt -> ..data/config-queues-ca.crt
lrwxrwxrwx. 1 root 1001050000 31 Nov 12 05:18 config-queues-client.crt -> ..data/config-queues-client.crt
lrwxrwxrwx. 1 root 1001050000 32 Nov 12 05:18 config-queues-private.key -> ..data/config-queues-private.key
sh-4.4$
sh-4.4$
sh-4.4$ exit
exit
~/go/3scale-operator oc rsh system-app-85cb4d5c64-x7fh4
Defaulted container "system-master" out of: system-master, system-provider, system-developer
sh-4.4$ ls /tls
backend-redis system-redis
sh-4.4$ ls /tls/backend-redis/
backend-redis-ca.crt backend-redis-client.crt backend-redis-private.key
sh-4.4$ ls /tls/system-redis/
system-redis-ca.crt system-redis-client.crt system-redis-private.key
sh-4.4$ cat /tls/backend-redis/backend-redis-private.key
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCPzf6mzBvMZiEz
.....
-----END PRIVATE KEY-----
sh-4.4$ cat /tls/system-redis/system-redis-private.key
replacemesh-4.4$ exit
exit
~/go/3scale-operator
~/go/3scale-operator oc rsh system-sidekiq-7555f7494b-zq6hk
Defaulted container "system-sidekiq" out of: system-sidekiq, check-svc (init)
sh-4.4$ ls /tls
backend-redis system-redis
sh-4.4$ ls /tls/backend-redis/
backend-redis-ca.crt backend-redis-client.crt backend-redis-private.key
sh-4.4$ ls /tls/system-redis/
system-redis-ca.crt system-redis-client.crt system-redis-private.key
sh-4.4$

@valerymo valerymo requested a review from a team as a code owner October 15, 2024 07:17
@valerymo valerymo force-pushed the THREESCALE-11020-1 branch 8 times, most recently from 6300d72 to bbd4687 Compare October 22, 2024 09:43
@valerymo valerymo force-pushed the THREESCALE-11020-1 branch 8 times, most recently from 2f61cac to 0330ce7 Compare October 28, 2024 17:26
@valerymo valerymo changed the title [WIP] THREESCALE-11020 Redis TLS certs and keys for porta and backend THREESCALE-11020 Redis TLS certs and keys for porta and backend Oct 28, 2024
carlkyrillos
carlkyrillos reviewed Oct 29, 2024
View reviewed changes
Copy link
Contributor

@carlkyrillos carlkyrillos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@valerymo Overall the changes look good but need to remove generic watched-by Data-Only implementation (Predicates) as we'll implement those changes in THREESCALE-11395

apis/apps/v1alpha1/apimanager_types.go Outdated Show resolved Hide resolved
controllers/apps/apimanager_controller.go Outdated
Comment on lines 374 to 378
Watches(
&v1.Secret{},
handler.EnqueueRequestsFromMapFunc(secretToApimanagerEventMapper.Map),
builder.WithPredicates(watchedByDataOnlySecretLabelPredicate),
).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@valerymo I think it would be best if we remove the partial watched-by improvements from this PR and do it entirely in THREESCALE-11395.

We also want to use the same implementation (tracking changes to secret's .data using the master hashed secret) from the apicast-operator PR.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@carlkyrillos Maybe we can use combined approach ? Seems to me, there are following Pros/Cons of both methods:

  • ApiCast approach - Pros: Flexable, allows implement complex logics without being constrained by predicate. Cons: Performance, checking Data in each reconciliation (if I'm not wrong)
  • Predicate in Watch - Pros: Efficiency , Cons: Not Flexable if need to react to other events or changes in the future
    What do you think? Thank you for your comments and review

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @carlkyrillos I will remove my Predicate based watching from the PR from here to make Jiras purpose clear. I will send update when done.
Also -
I added suggestion to THREESCALE-11395 to consider combined
approach - use both methods.
Thank you for comments!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. Thank you

doc/apimanager-reference.md Outdated Show resolved Hide resolved
doc/apimanager-reference.md Outdated Show resolved Hide resolved
@valerymo valerymo force-pushed the THREESCALE-11020-1 branch 3 times, most recently from 1086bc0 to 10086fd Compare October 30, 2024 07:08
@valerymo
Copy link
Contributor Author

valerymo commented Oct 31, 2024
edited
Loading

Hi @carlkyrillos ,
The RedisTLSEnabled flag has been added to the ApiManager CR, so setting TLS related environment variables in a deployments relies now on the boolean flag.
Thank you

@valerymo valerymo force-pushed the THREESCALE-11020-1 branch 5 times, most recently from d2c23c1 to f501e2e Compare November 4, 2024 11:28
@valerymo valerymo force-pushed the THREESCALE-11020-1 branch 4 times, most recently from f4bc009 to 516f117 Compare November 4, 2024 12:19
@austincunningham
Copy link
Contributor

austincunningham commented Nov 4, 2024
edited
Loading

@valerymo wondering about this implementation, I was looking for where you set the mount path for the cert as the cert env var should be pointing at a path to the cert and not the contents of the cert ?
e.g.

redis-cli -h redis-server.example.com -p 6380 --tls --cert /path/to/client-cert.pem --key /path/to/client-key.pem --cacert /path/to/ca-cert.pem
redis-cli -h redis-server.example.com -p 6380 --tls --cacert /path/to/ca-cert.pem

I have confirmed this with the system team in this thread https://gitlab.cee.redhat.com/red-hat-3scale-documentation/3scale-documentation/-/merge_requests/1554#note_13233849

@valerymo valerymo changed the title THREESCALE-11020 Redis TLS certs and keys for porta and backend [WIP]THREESCALE-11020 Redis TLS certs and keys for porta and backend Nov 4, 2024
@valerymo valerymo force-pushed the THREESCALE-11020-1 branch 4 times, most recently from 66b0c05 to ba6ec55 Compare November 7, 2024 14:53
@carlkyrillos carlkyrillos mentioned this pull request Nov 7, 2024
Open
@valerymo valerymo force-pushed the THREESCALE-11020-1 branch 2 times, most recently from 4c11a56 to ff24cf1 Compare November 12, 2024 12:19
@valerymo
Copy link
Contributor Author

This PR is moved to new one - #1035
New PR is created from current. So all review comments that addressed here are included in new PR.
The reason of new PR - the cleanup is required - remove Certificates Paths and SSL flags that were added in current PR - from Secret; to avoid editing it by User. The cleanup is significant, so decided to close current PR (save it meanwhile) and continue with cleanup/updates on new PR.

@valerymo valerymo closed this Nov 25, 2024
@valerymo valerymo mentioned this pull request Nov 25, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@carlkyrillos carlkyrillos carlkyrillos left review comments

Assignees
No one assigned
Labels
do-not-merge/work-in-progress
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@valerymo @austincunningham @carlkyrillos