jessebot
commented
1 month ago Hoi!
Looks like redis host is templated here: https://github.com/nextcloud/helm/blob/1ae7421fd91a9e3b30f4f3fa27f60e2481dbbd63/charts/nextcloud/templates/_helpers.tpl#L215-L231
And the redis config is templated here if you're using default (which you're not): https://github.com/nextcloud/helm/blob/1ae7421fd91a9e3b30f4f3fa27f60e2481dbbd63/charts/nextcloud/templates/config.yaml#L32-L48
And your custom redis config would be templated here:
According to the above, it should allow your override, unless I'm missing something (which I could be).
Digging a bit further into this...
It looks like redis ssl support in nextcloud/server was added here 3 years ago: https://github.com/nextcloud/server/commit/ed10d85ff36f4fc72eb7c3ba62589105505a999e
but it doesn't look like the ssl_context options were passed in to the configs above or the one in nextcloud/docker here.
The config.sample.php for redis under the ssl section in the official nextcloud/server repo shows you may need an additional section. I've included the samples below for you to reference:
click for config.sample.php redis sections
```php
/**
* Connection details for redis to use for memory caching in a single server configuration.
*
* For enhanced security it is recommended to configure Redis
* to require a password. See http://redis.io/topics/security
* for more information.
*
* We also support redis SSL/TLS encryption as of version 6.
* See https://redis.io/topics/encryption for more information.
*/
'redis' => [
'host' => 'localhost', // can also be a unix domain socket: '/tmp/redis.sock'
'port' => 6379,
'timeout' => 0.0,
'read_timeout' => 0.0,
'user' => '', // Optional: if not defined, no password will be used.
'password' => '', // Optional: if not defined, no password will be used.
'dbindex' => 0, // Optional: if undefined SELECT will not run and will use Redis Server's default DB Index.
// If redis in-transit encryption is enabled, provide certificates
// SSL context https://www.php.net/manual/en/context.ssl.php
'ssl_context' => [
'local_cert' => '/certs/redis.crt',
'local_pk' => '/certs/redis.key',
'cafile' => '/certs/ca.crt'
]
],
/**
* Connection details for a Redis Cluster.
*
* Redis Cluster support requires the php module phpredis in version 3.0.0 or
* higher.
*
* Available failover modes:
* - \RedisCluster::FAILOVER_NONE - only send commands to master nodes (default)
* - \RedisCluster::FAILOVER_ERROR - failover to slaves for read commands if master is unavailable (recommended)
* - \RedisCluster::FAILOVER_DISTRIBUTE - randomly distribute read commands across master and slaves
*
* WARNING: FAILOVER_DISTRIBUTE is a not recommended setting, and we strongly
* suggest to not use it if you use Redis for file locking. Due to the way Redis
* is synchronized it could happen, that the read for an existing lock is
* scheduled to a slave that is not fully synchronized with the connected master
* which then causes a FileLocked exception.
*
* See https://redis.io/topics/cluster-spec for details about the Redis cluster
*
* Authentication works with phpredis version 4.2.1+. See
* https://github.com/phpredis/phpredis/commit/c5994f2a42b8a348af92d3acb4edff1328ad8ce1
*/
'redis.cluster' => [
'seeds' => [ // provide some or all of the cluster servers to bootstrap discovery, port required
'localhost:7000',
'localhost:7001',
],
'timeout' => 0.0,
'read_timeout' => 0.0,
'failover_mode' => \RedisCluster::FAILOVER_ERROR,
'user' => '', // Optional: if not defined, no password will be used.
'password' => '', // Optional: if not defined, no password will be used.
// If redis in-transit encryption is enabled, provide certificates
// SSL context https://www.php.net/manual/en/context.ssl.php
'ssl_context' => [
'local_cert' => '/certs/redis.crt',
'local_pk' => '/certs/redis.key',
'cafile' => '/certs/ca.crt'
]
],
```
Perhaps you need to try passing in those ssl_context optons to your custom config? Let us know if that helps. Anyone else in the community familiar with this, please feel free to chime in.
Kaurin
albundy83
Describe your Issue
In my example I want to use TLS with the builtin redis. Config overrides get provisioned, but environmnet variables take precedence not allowing my config to use the
tls://prefix. Instead, the defaulttcp://prefix is used.Housekeeping
Clean setup, PVCs deleted
Config
Error
Error from
/var/www/html/data/nextcloud.log(removed "Trace" and "Previous" to save space)Notice
tcp://instead oftls://Provisioned configs
Configs look good (not sure why doubled, but OK)
Output:
Environment variables
Environment variables seem to have precedence over configs, rendering configs useless.
Output (notice
tcp://)Probable culprit
First, the env variables are populated in the helpers file Then,
nextcloud.envis used in nextcloud containersIf I am correct in saying that nextcloud favors env variables, then this helm chart approach probably has to be reworked so these customizations can actually take place.
Workaround
I thought I could just provision redis separately and just make sure to have the
REDIS_HOST_PASSWORDinextraEnv. Unfortunately, this doesn't work either (different error - Redis went away). The workaround might be possible, but I have given up on it for now and will just go without TLS for now.Conclusion
Would be nice if helm logic would allow us to override certain aspects of the redis config.
It would be even nicer if I'm completely wrong here and missing like one line of config :)