chore: redis support tls (#2368)

(cherry picked from commit ce73cc3)

Author: wangyelei

addons-cluster/redis/templates/_helpers.tpl

@@ -1,3 +1,17 @@
+{{- define "redis-cluster.tls" }}
+tls: {{ .Values.tlsEnable }}
+{{- if .Values.tlsEnable }}
+issuer:
+  name: UserProvided
+  secretRef:
+    name: {{ include "kblib.clusterName" . }}-tls
+    namespace: {{ .Release.Namespace }}
+    ca: ca.crt
+    cert: tls.crt
+    key: tls.key
+{{- end }}
+{{- end }}
+
 {{/*
 Define redis cluster shardingSpec with ComponentDefinition.
 */}}
@@ -6,6 +20,7 @@ Define redis cluster shardingSpec with ComponentDefinition.
   shards: {{ .Values.redisCluster.shardCount }}
   template:
     name: redis
+    {{- include "redis-cluster.tls" . | indent 4 }}
     componentDef: redis-cluster
     replicas: {{ .Values.replicas }}
     {{- if .Values.podAntiAffinityEnabled }}
@@ -111,13 +126,15 @@ Define redis ComponentSpec with ComponentDefinition.
   {{- end }}
   {{- include "kblib.componentResources" . | indent 2 }}
   {{- include "kblib.componentStorages" . | indent 2 }}
+  {{- include "redis-cluster.tls" . | indent 2 }}
 {{- end }}
 
 {{/*
 Define redis sentinel ComponentSpec with ComponentDefinition.
 */}}
 {{- define "redis-cluster.sentinelComponentSpec" }}
 - name: redis-sentinel
+  {{- include "redis-cluster.tls" . | indent 2 }}
   replicas: {{ .Values.sentinel.replicas }}
   {{- if .Values.podAntiAffinityEnabled }}
   {{- include "redis-cluster.sentinelschedulingPolicy" . | indent 2 }}

addons-cluster/redis/templates/secret.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.tlsEnable }}
+{{- $cn := (printf "%s-%s" (include "kblib.clusterName" .) .Release.Namespace) }}
+{{- $ca := genCA "KubeBlocks" 36500 -}}
+{{- $cert := genSignedCert $cn (list "127.0.0.1" "::1") (list "localhost" "*.svc.cluster.local") 36500 $ca -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "kblib.clusterName" . }}-tls
+  labels: {{ include "kblib.clusterLabels" . | nindent 4 }}
+  annotations:
+    self-signed-cert: "true"
+type: kubernetes.io/tls
+data:
+  tls.key: {{ $cert.Key | b64enc }}
+  tls.crt: {{ $cert.Cert | b64enc }}
+  ca.crt: {{ $ca.Cert | b64enc }}
+{{- end }}

addons-cluster/redis/values.yaml

@@ -105,3 +105,5 @@ extra:
 
 prometheus:
   enabled: false
+
+tlsEnable: false

addons/redis/config/redis-cluster6-config-constraint.cue

@@ -366,6 +366,41 @@
     "aof-use-rdb-preamble": string & "yes" | "no" | *"yes"
 
     "activerehashing": string & "yes" | "no" | *"yes"
+
+    // By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
+    // directive can be used to define TLS-listening ports. To enable TLS on the
+    // default port, use 7379 and set port to 0
+    "tls-port": int | *0
+
+    // Configure a X.509 certificate and private key to use for authenticating the server to connected clients, masters or cluster peers.  These files should be PEM formatted.
+    "tls-cert-file": string | *"redis.crt"
+
+    "tls-key-file": string | *"redis.key"
+
+    "tls-ca-cert-file": string | *""
+
+    "tls-ca-cert-dir": string | *""
+
+    "tls-auth-clients": string & "optional" | "no" | *""
+
+    "tls-replication": string & "yes" | "no" | *"no"
+
+    // By default, TLS session caching is enabled to allow faster and less expensive
+    // reconnections by clients that support it. Use the following directive to disable
+    // caching.
+    "tls-session-caching": string & "yes" | "no" | *"yes"
+
+    // Change the default number of TLS sessions cached. A zero value sets the cache
+    // to unlimited size. The default size is 20480.
+    "tls-session-cache-size": int | *20480
+
+    // Change the default timeout of cached TLS sessions. The default timeout is 300
+    // seconds.
+    "tls-session-cache-timeout": int | *300
+
+    "tls-cluster": string & "yes" | "no" | *"no"
+
+    "cluster-announce-tls-port": int | *0
 	...
 }
 

addons/redis/config/redis-cluster6-config.tpl

@@ -86,3 +86,13 @@ cluster-replica-validity-factor 0
 cluster-require-full-coverage yes
 cluster-allow-reads-when-down no
 
+{{- if eq (index $ "TLS_ENABLED") "true"  }}
+tls-cert-file {{ $.TLS_MOUNT_PATH }}/tls.crt
+tls-key-file {{ $.TLS_MOUNT_PATH }}/tls.key
+tls-ca-cert-file {{ $.TLS_MOUNT_PATH }}/ca.crt
+tls-auth-clients no
+tls-replication yes
+tls-cluster yes
+port 0
+{{- end -}}
+

addons/redis/config/redis-cluster7-config-constraint.cue

@@ -383,6 +383,42 @@
     "aof-use-rdb-preamble": string & "yes" | "no" | *"yes"
 
     "activerehashing": string & "yes" | "no" | *"yes"
+
+    // By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
+    // directive can be used to define TLS-listening ports. To enable TLS on the
+    // default port, use 7379 and set port to 0
+    "tls-port": int | *0
+
+    // Configure a X.509 certificate and private key to use for authenticating the server to connected clients, masters or cluster peers.  These files should be PEM formatted.
+    "tls-cert-file": string | *"redis.crt"
+
+    "tls-key-file": string | *"redis.key"
+
+    "tls-ca-cert-file": string | *""
+
+    "tls-ca-cert-dir": string | *""
+
+    "tls-auth-clients": string & "optional" | "no" | *""
+
+    "tls-replication": string & "yes" | "no" | *"no"
+
+    // By default, TLS session caching is enabled to allow faster and less expensive
+    // reconnections by clients that support it. Use the following directive to disable
+    // caching.
+    "tls-session-caching": string & "yes" | "no" | *"yes"
+
+    // Change the default number of TLS sessions cached. A zero value sets the cache
+    // to unlimited size. The default size is 20480.
+    "tls-session-cache-size": int | *20480
+
+    // Change the default timeout of cached TLS sessions. The default timeout is 300
+    // seconds.
+    "tls-session-cache-timeout": int | *300
+
+    "tls-cluster": string & "yes" | "no" | *"no"
+
+    "cluster-announce-tls-port": int | *0
+
 	...
 }
 

addons/redis/config/redis-cluster7-config.tpl

@@ -90,4 +90,14 @@ maxmemory-policy volatile-lru
 {{- $request_memory := default 0 $.PHY_MEMORY | int }}
 {{- if gt $request_memory 0 }}
 maxmemory {{ mulf $request_memory 0.8 | int }}
-{{- end }}
+{{- end }}
+
+{{- if eq (index $ "TLS_ENABLED") "true"  }}
+tls-cert-file {{ $.TLS_MOUNT_PATH }}/tls.crt
+tls-key-file {{ $.TLS_MOUNT_PATH }}/tls.key
+tls-ca-cert-file {{ $.TLS_MOUNT_PATH }}/ca.crt
+tls-auth-clients no
+tls-replication yes
+tls-cluster yes
+port 0
+{{- end -}}

addons/redis/config/redis-cluster8-config-constraint.cue

@@ -687,6 +687,42 @@
     "aof-use-rdb-preamble": string & "yes" | "no" | *"yes"
 
     "activerehashing": string & "yes" | "no" | *"yes"
+
+    // By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
+    // directive can be used to define TLS-listening ports. To enable TLS on the
+    // default port, use 7379 and set port to 0
+    "tls-port": int | *0
+
+    // Configure a X.509 certificate and private key to use for authenticating the server to connected clients, masters or cluster peers.  These files should be PEM formatted.
+    "tls-cert-file": string | *"redis.crt"
+
+    "tls-key-file": string | *"redis.key"
+
+    "tls-ca-cert-file": string | *""
+
+    "tls-ca-cert-dir": string | *""
+
+    "tls-auth-clients": string & "optional" | "no" | *""
+
+    "tls-replication": string & "yes" | "no" | *"no"
+
+    // By default, TLS session caching is enabled to allow faster and less expensive
+    // reconnections by clients that support it. Use the following directive to disable
+    // caching.
+    "tls-session-caching": string & "yes" | "no" | *"yes"
+
+    // Change the default number of TLS sessions cached. A zero value sets the cache
+    // to unlimited size. The default size is 20480.
+    "tls-session-cache-size": int | *20480
+
+    // Change the default timeout of cached TLS sessions. The default timeout is 300
+    // seconds.
+    "tls-session-cache-timeout": int | *300
+
+    "tls-cluster": string & "yes" | "no" | *"no"
+
+    "cluster-announce-tls-port": int | *0
+
 	...
 }
 

addons/redis/config/redis-cluster8-config.tpl

@@ -91,3 +91,13 @@ maxmemory-policy volatile-lru
 {{- if gt $request_memory 0 }}
 maxmemory {{ mulf $request_memory 0.8 | int }}
 {{- end }}
+
+{{- if eq (index $ "TLS_ENABLED") "true"  }}
+tls-cert-file {{ $.TLS_MOUNT_PATH }}/tls.crt
+tls-key-file {{ $.TLS_MOUNT_PATH }}/tls.key
+tls-ca-cert-file {{ $.TLS_MOUNT_PATH }}/ca.crt
+tls-auth-clients no
+tls-replication yes
+tls-cluster yes
+port 0
+{{- end -}}

addons/redis/config/redis6-config-constraint.cue

@@ -376,6 +376,38 @@
     "aof-use-rdb-preamble": string & "yes" | "no" | *"yes"
 
     "activerehashing": string & "yes" | "no" | *"yes"
+
+    // By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
+    // directive can be used to define TLS-listening ports. To enable TLS on the
+    // default port, use 7379 and set port to 0
+    "tls-port": int | *0
+
+    // Configure a X.509 certificate and private key to use for authenticating the server to connected clients, masters or cluster peers.  These files should be PEM formatted.
+    "tls-cert-file": string | *"redis.crt"
+
+    "tls-key-file": string | *"redis.key"
+
+    "tls-ca-cert-file": string | *""
+
+    "tls-ca-cert-dir": string | *""
+
+    "tls-auth-clients": string & "optional" | "no" | *""
+
+    "tls-replication": string & "yes" | "no" | *"no"
+
+    // By default, TLS session caching is enabled to allow faster and less expensive
+    // reconnections by clients that support it. Use the following directive to disable
+    // caching.
+    "tls-session-caching": string & "yes" | "no" | *"yes"
+
+    // Change the default number of TLS sessions cached. A zero value sets the cache
+    // to unlimited size. The default size is 20480.
+    "tls-session-cache-size": int | *20480
+
+    // Change the default timeout of cached TLS sessions. The default timeout is 300
+    // seconds.
+    "tls-session-cache-timeout": int | *300
+
 	...
 }