Added Initial TLS support for ValkeyCluster #91
sandeepkunusoth wants to merge 5 commits into valkey-io:main
Signed-off-by: Sandeep Kunusoth <sandeepkunsoth000@gmail.com>
| return &tls.Config{ | ||
| Certificates: []tls.Certificate{cert}, | ||
| RootCAs: caCertPool, | ||
| InsecureSkipVerify: true, |
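Review bot: InsecureSkipVerify: true on the last line of this tls.Config turns off both chain and host name verification of the server certificate, so the RootCAs: caCertPool set just above it is never used to authenticate the server and any certificate is accepted. Drop the field and set ServerName to a name present in the server certificate's SANs. If the operator has to dial addresses the certificate does not cover, keep chain validation by adding a VerifyConnection callback that verifies the peer certificates against caCertPool, and make skipping verification an explicit opt-in rather than the default.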
I guess we aim to remove InsecureSkipVerify soon? Or should it be configurable?
I tried removing it. Getting connection errors due to cert validation, will check on this. The same works from valkey-cli, but the Go client throws an error.
| Enabled bool `json:"enabled,omitempty"` | ||
|
|
||
| // Name of the Secret containing TLS keys | ||
| ExistingSecret string `json:"existingSecret,omitempty"` |
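Review bot: The comment on ExistingSecret does not say which keys the Secret must contain or which namespace it is read from, and since both Enabled and ExistingSecret are omitempty, nothing in these lines rejects enabled: true with an empty existingSecret. Document the expected key names on the field and add a validation rule, or a reconciler check that reports a status condition, so that misconfiguration is rejected up front.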
Since we use the name "existing" here, will the cert-manager create a separate secret which it updates?
Or is it named so that a user should know that it needs to exist?
Maybe we can change ExistingSecret to secretRef so that it can be used for both an existing secret or a secret generated by the Certificate CRD.
|
|
||
| envVars = append(envVars, corev1.EnvVar{ | ||
| Name: "VALKEY_TLS_ARGS", | ||
| Value: fmt.Sprintf("--tls --cert %s --key %s --cacert %s", certPath, keyPath, caPath), |
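Review bot: The VALKEY_TLS_ARGS value interpolates certPath, keyPath and caPath with bare %s into one space-separated string, so a path containing whitespace or shell metacharacters would be split or reinterpreted wherever the variable is expanded. If the paths are fixed mount locations, make them constants and say so in a comment; otherwise pass the flags as separate arguments instead of a single string.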
Ah, we don't need --insecure here but we have InsecureSkipVerify=true?
This PR adds initial TLS support to the Valkey Cluster, fixes #59. TLS enabled for ValkeyCluster using pre-created / existing Kubernetes Secrets. Updated e2e tests to test TLS.
Followup features not included in this PR: