goharbor / harbor-helm

The helm chart to deploy Harbor
Apache License 2.0

External Redis TLS is not possible to set via helm chart. #549

Open lukasmrtvy opened 4 years ago

lukasmrtvy commented 4 years ago

External Redis TLS is not possible to set via helm chart. Related: https://github.com/goharbor/harbor/issues/11331

reasonerjt commented 4 years ago

@lukasmrtvy By external Redis TLS do you mean the components need to trust the CA of the external Redis? Or do you mean they need to use a client certificate to access the Redis?

aitorpazos commented 3 years ago

We are facing the same issue trying to connect to AWS Elasticache Redis instances. In a default in-transit encryption setup they use CAs that should be supported by most OSs:

$ openssl s_client -connect master.<hidden>.cache.amazonaws.com:6379                
CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = *.<hidden>.cache.amazonaws.com
verify return:1
---
Certificate chain
 0 s:CN = *.<hidden>.cache.amazonaws.com
   i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
 1 s:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
   i:C = US, O = Amazon, CN = Amazon Root CA 1
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
---
Server certificate
[...]

and it connected successfully from my PC without any CA store customization:

./src/redis-cli --tls -a <hidden> -h master.<hidden>.cache.amazonaws.com -p 6379 PING
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
PONG

No client TLS auth needed initially.

@reasonerjt IMO the initial requirement would be to allow configuring TLS connections to Redis relying on OS/libraries default CAs store.

jowko commented 2 years ago

It is worth mentioning that some cloud providers which offer managed Redis instances don't allow insecure traffic (like IBM Cloud Databases for Redis). So we cannot use such Redis instances together with Harbor. Redis didn't support TLS communication for some time, but from version 6 it is supported: https://redis.io/topics/encryption We would need to add new settings for Helm charts to configure TLS and certificate and probably update Redis libraries to enable support for TLS.
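The behaviour the two comments above ask for (a TLS connection to Redis verified against the OS default CA store, with an optional extra CA for private deployments, and no client certificate) is shown below as an added, stand-alone example; it is not code from Harbor or the harbor-helm chart, and the names `RedisTarget`, `ParseRedisURL` and `Ping` are this example's own. It follows the `redis://` vs `rediss://` URL convention that redis-cli and most client libraries understand, and it reproduces the `PING` check from the redis-cli session in the thread over a verified TLS session using only the Go standard library (a small RESP encoder, no Redis client dependency). The self-signed-CA and no-network parts are what the tests exercise; the dial itself needs a real endpoint.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"net/url"
	"os"
	"strings"
	"time"
)

// RedisTarget is what a client needs to dial. A nil TLS field means plaintext.
type RedisTarget struct {
	Addr     string      // host:port
	Password string      // taken from the URL userinfo, may be empty
	TLS      *tls.Config // nil for redis://, populated for rediss://
}

// ParseRedisURL maps redis:// to a plaintext target and rediss:// to a TLS
// target verified against the OS trust store, plus an optional extra CA PEM
// for private CAs. Verification is never disabled: a chain or hostname
// mismatch fails at dial time, which is what you want for a managed Redis.
func ParseRedisURL(raw string, extraCAPEM []byte) (*RedisTarget, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("redis URL has no host")
	}
	port := u.Port()
	if port == "" {
		port = "6379"
	}
	t := &RedisTarget{Addr: net.JoinHostPort(host, port)}
	if u.User != nil {
		t.Password, _ = u.User.Password()
	}
	switch u.Scheme {
	case "redis":
		return t, nil
	case "rediss":
	default:
		return nil, fmt.Errorf("unsupported scheme %q (want redis or rediss)", u.Scheme)
	}
	pool, err := x509.SystemCertPool() // OS/library default CA store, as requested in the thread
	if err != nil {
		return nil, err
	}
	if len(extraCAPEM) > 0 && !pool.AppendCertsFromPEM(extraCAPEM) {
		return nil, errors.New("extra CA PEM contained no certificates")
	}
	t.TLS = &tls.Config{
		ServerName: host, // SNI and hostname check against the leaf certificate
		RootCAs:    pool,
		MinVersion: tls.VersionTLS12,
	}
	return t, nil
}

// respCommand encodes a Redis command as a RESP array (the wire format redis-cli uses).
func respCommand(args ...string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "*%d\r\n", len(args))
	for _, a := range args {
		fmt.Fprintf(&b, "$%d\r\n%s\r\n", len(a), a)
	}
	return b.String()
}

// Ping dials the target (TLS or plain), sends AUTH if a password is set, and
// returns the reply to PING ("PONG" on a healthy server).
func Ping(t *RedisTarget, timeout time.Duration) (string, error) {
	d := &net.Dialer{Timeout: timeout}
	var conn net.Conn
	var err error
	if t.TLS != nil {
		conn, err = tls.DialWithDialer(d, "tcp", t.Addr, t.TLS) // handshake verifies chain and hostname
	} else {
		conn, err = d.Dial("tcp", t.Addr)
	}
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(timeout))
	r := bufio.NewReader(conn)
	if t.Password != "" {
		if _, err := conn.Write([]byte(respCommand("AUTH", t.Password))); err != nil {
			return "", err
		}
		if line, err := r.ReadString('\n'); err != nil || !strings.HasPrefix(line, "+OK") {
			return "", fmt.Errorf("AUTH failed: %q %v", strings.TrimSpace(line), err)
		}
	}
	if _, err := conn.Write([]byte(respCommand("PING"))); err != nil {
		return "", err
	}
	line, err := r.ReadString('\n')
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(line, "+") { // "-NOAUTH ..." or "-WRONGPASS ..." land here
		return "", fmt.Errorf("unexpected reply %q", strings.TrimSpace(line))
	}
	return strings.TrimSpace(line[1:]), nil
}

// Usage: go run . 'rediss://:password@master.<id>.cache.amazonaws.com:6379' [extra-ca.pem]
func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: redistls <redis-url> [extra-ca.pem]")
		os.Exit(2)
	}
	var ca []byte
	if len(os.Args) > 2 {
		var err error
		if ca, err = os.ReadFile(os.Args[2]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	t, err := ParseRedisURL(os.Args[1], ca)
	if err == nil {
		var reply string
		reply, err = Ping(t, 5*time.Second)
		fmt.Println(reply)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Against an ElastiCache endpoint with in-transit encryption this prints `PONG` with no CA customisation, because the Amazon chain shown in the `openssl s_client` output above terminates in a root that the OS store already carries; against a plaintext-only server the `rediss://` dial fails at the handshake rather than silently downgrading, and the password travels only inside the TLS session instead of on a command line.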