
Cannot use redis chart with cert-manager? #9303

Closed
thomastvedt opened this issue Mar 5, 2022 · 7 comments
@thomastvedt

Name and Version

bitnami/redis 16.4.5

What steps will reproduce the bug?

  1. Create a cert-manager "Certificate" for redis.mydomain.com. I want to use cert manager to automatically renew certificates etc.
  2. Cert-manager will pick up the Certificate resource, and create a secret with name redis-certificate that looks like this:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: redis-certificate
  namespace: redis
  annotations:
    cert-manager.io/alt-names: redis.mydomain.com
    cert-manager.io/certificate-name: redis-certificate
    cert-manager.io/common-name: redis.mydomain.com
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: vn-letsencrypt-issuer
data:
  tls.crt: >-
    LS0tremoved
  tls.key: >-
    LS0tremoved
type: kubernetes.io/tls
```

  3. According to instructions in readme, I can only point to one existing secret, and specify certCAFilename.
    ### Securing traffic using TLS
    TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart:
    - `tls.enabled`: Enable TLS support. Defaults to `false`
    - `tls.existingSecret`: Name of the secret that contains the certificates. No defaults.
    - `tls.certFilename`: Certificate filename. No defaults.
    - `tls.certKeyFilename`: Certificate key filename. No defaults.
    - `tls.certCAFilename`: CA Certificate filename. No defaults.
    Refer to the chart documentation for more information on [creating the secret and a TLS deployment example](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-tls/).

Are you using any custom parameters or values?

No response

What is the expected behavior?

I want to be able to use the secret generated by cert-manager redis-certificate for tls.certFilename and tls.certKeyFilename, and another separate secret for the CA certificate.

What do you see instead?

I cannot figure out how to use this chart with TLS and cert-manager

Additional information

No response

@juan131
Contributor

juan131 commented Mar 7, 2022

Hi @thomastvedt

AFAIK adding the CA certificate is optional, isn't it? Did you find any issue when the CA isn't present in the TLS secret?

@thomastvedt
Author

Ahh..
Cert manager doesn't have to include the CA cert in the secret since it's optional, and uses a trusted root.
I thought that the Redis server needed to load the CA cert too and didn't check the machine store for trusted roots, but this was just an assumption. I did get a connection error, but that was probably an issue on the client side..

Anyway, we moved to a self signed version using a cert manager issuer with self signed cert. This did include the CA cert in the secret, since it's not a trusted root.

I'm closing this, certificates are still hard to get right... 🙈

@thomastvedt
Author

From https://redis.io/topics/encryption:

Certificate Configuration
In order to support TLS, Redis must be configured with a X.509 certificate and a private key. In addition, it is necessary to specify a CA certificate bundle file or path to be used as a trusted root when validating certificates.
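The self-signed setup described above, written out as an added example (not from the issue or the Bitnami chart): a cert-manager `Issuer`/`Certificate` pair whose secret carries `ca.crt` alongside `tls.crt`/`tls.key`, and the chart values that point at it. Release name `redis`, namespace `redis`, secret name `redis-certificate` and the service hostnames in `dnsNames` are assumptions.

```yaml
# Added example, not the chart's or the issue author's own manifests.
# Assumes: release "redis" in namespace "redis"; clients reach Redis via the
# in-cluster service names listed under dnsNames.
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: redis-selfsigned
  namespace: redis
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: redis-certificate
  namespace: redis
spec:
  # cert-manager writes tls.crt, tls.key and (for a self-signed issuer) ca.crt
  # into this secret, so the chart can load all three from one secret.
  secretName: redis-certificate
  issuerRef:
    name: redis-selfsigned
    kind: Issuer
  # Names must match what clients actually connect to, otherwise hostname
  # verification fails even though the chain is trusted.
  commonName: redis-master.redis.svc.cluster.local
  dnsNames:
    - redis-master.redis.svc.cluster.local
    - redis-replicas.redis.svc.cluster.local
---
# values.yaml for the chart (helm install redis bitnami/redis -f values.yaml):
# maps the secret's keys onto the tls.* parameters quoted from the README.
tls:
  enabled: true
  existingSecret: redis-certificate
  certFilename: tls.crt
  certKeyFilename: tls.key
  certCAFilename: ca.crt
```

Clients must trust the same `ca.crt` (for example by mounting the secret and passing it to `redis-cli --tls --cacert`), since a self-signed certificate is not in any machine trust store.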

@juan131
Contributor

juan131 commented Mar 8, 2022

I'm glad that you were able to work around the issue @thomastvedt

@mamachanko

But how do you know which common name (or DNS names) to configure in the Certificate?

@juan131 juan131 added the redis label Jan 12, 2024
@thisurawijesekera

Many CAs do not provide ca.crt. How do you use this chart with a CA-signed certificate?

@tdg5

tdg5 commented Nov 6, 2024

@thisurawijesekera I've found something that works with cert-manager and Let's Encrypt.

See #30305 or https://github.com/tdg5/bitnami-redis-ca-cert-shenanigans for a hack to make the redis chart work with a cert-manager certificate that doesn't include ca.crt.
