onprem: redis mtls (#997)

Author: mikhail-klimko

codefresh/.ci/values/mongodb-mtls.yaml renamed to codefresh/.ci/values/mtls-mongodb-redis.yaml

@@ -9,29 +9,49 @@ global:
   mongoURI: "mongodb://cf-mongodb:27017/?ssl=true&authMechanism=MONGODB-X509&authSource=$external"
   runtimeMongoURI: "mongodb://cf-mongodb:27017/?ssl=true&authMechanism=MONGODB-X509&authSource=$external"
 
+  redisUrl: cf-redis-master.codefresh.svc.cluster.local
+  runtimeRedisHost: cf-redis-master.codefresh.svc.cluster.local
+
   volumes:
     mongodb-tls:
       enabled: true
       type: secret
       optional: true
       nameOverride: cf-codefresh-mongodb-tls
+    redis-tls:
+      enabled: true
+      type: secret
+      optional: true
+      nameOverride: cf-redis-crt
 
   volumeMounts:
     mongodb-tls:
       path:
       - mountPath: /etc/ssl/mongodb/ca.pem
         subPath: ca.pem
+    redis-tls:
+      path:
+      - mountPath: /etc/ssl/redis
+
   env:
+    # Mongo MTLS
     MTLS_CERT_PATH: /etc/ssl/mongodb/ca.pem
     RUNTIME_MTLS_CERT_PATH: /etc/ssl/mongodb/ca.pem
     RUNTIME_MONGO_TLS: "true"
     RUNTIME_MONGO_TLS_VALIDATE: "false"
     MONGO_MTLS_VALIDATE: "false"
+    # Redis MTLS
+    REDIS_TLS: true
+    REDIS_REJECT_UNAUTHORIZED: false
+    REDIS_TLS_SKIP_VERIFY: true
+    REDIS_CA_PATH: /etc/ssl/redis/ca.crt
+    REDIS_CLIENT_CERT_PATH : /etc/ssl/redis/tls.crt
+    REDIS_CLIENT_KEY_PATH: /etc/ssl/redis/tls.key
 
 ingress:
   enabled: true
   tls:
-    enabled: false
+    enabled: true
     cert: ""  # placeholder for ${WEB_TLS_CERT}
     key: "" # placeholder for ${WEB_TLS_KEY}
 
@@ -85,6 +105,12 @@ mongodb:
     caKey: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBdVdKYkFkUGozMXJqZno1Qjl5a3RMbnhRNXFWYW41VEYxaFhRSHAxVDBUUDA4aWMzCkRhNitQbVJ6dTJaSTdWRTFERUZCWHFMeXdCZkErcmZsbFZlN2pyekZNVVliVzhBeUdRMFBuM1pYQ3NUZ2dFbEwKYWhiZ1ROQnM0YXFYQjhDT3d1QlI0WHNDVzJjOFF6YlJFTEdMZnc3aC9oTzh4M00rT0VlUnd4Snd1R3hwdmg3cgo2WS9qUkVDa1lxeUdsWi9TZlBiV3I1Zzd0K2ZUcmxmRENoQStqODlpUUFxNXdaOHlvWDJacTBGcUJQWlNrNFlkCmhDU093U2F3bVVPOGVWWk1ERG5yRmpGQTVPWVJWS0YxejBrUGQ5Y1VOVWJQOUpSc1ZZRG1lTThyOFArYkNLU0wKY05uOGZNZ1FPYWtnOGlvTU9VdUFmK3JPaXQ2Z0luYlM1dklHaFFJREFRQUJBb0lCQUNIQ3JxNHJoMkVpclRGOApCZ2xiMzFXSzREVFF3aXN6cmIrcUkwZWdBU2FsSHFPR3pyallMTjh4N2YyZnlBSW4rdEFyaGhzVTg3NVYxUmdUCnEyVENJRzhESTZvd2lVVHhRRzVkZVkzaHdFSSt6bCt1ZVdSdG5CV0JFNE1aVFAzbGJGcEMvY1poWDNHRDRHNmgKS2Z1dlNhY3U3NnNVcnhsbmZGcEZkbDhmR1pZTUlOOUNZWHArWWVJZzRuYW5ZSFJsbk1LM05QSjIzZUVHdkpjeQpLdUZWNndIUzFlWmg1M0J0aWRlY3czcmFzZFhJWmMzdFJidlFid3lDbjZ5dVlING0vUXJzMVFUckp2dzdyWU1sCkxyZGxlZm5uWk9XNFNVc3dINkVCWmF3RC9FTFc4eFNORVhudUkzUFp0di9oRVVZd3RKOVdMbk0rRitzc21ldm8KaHVGMUI5VUNnWUVBMFBHSmc2U3N6dHlKNkhyM0tTaEhyN3h5eVVPOVJTK0N3LzBSV2cranJ3SGFlRGRIalpvKwpaYXhxWVdoRUR0aUZieWpJdWR2MFF1aUZhMHVObDUvMGl3YXR2Tm81RitNZWV3WGt1T0YraWE3RFdFODk0a2ZECkVqYXJYWUk3ZkpnTkdxVmthWUw1cGdGcmxpUDhkZDFkK0VlTWV4dmJadTdwYUZzaXBaZWs1NE1DZ1lFQTR5S0cKdzAyMHJTTGRwdlYyQmE2WG4zbFRXUW0wMFlOaVFuY0YrVjJXNm95RjREK2liRUppTUdUZzRESzZLVllNVElpNQpmaVV4WHlib0Fkd1hvTlpqMmhPWmhmMVZSa3g1WGIrOVorbDV3ZFlBMGR4RmV1ajBDakpmd3p1UTNuOUxZOWxlCnJSSi91SklkbHhKWkx2Z0RLZzdRZ2NuNkJCN2Y1Ujlwa1JKaTgxY0NnWUJYZ2xITnlOSjNjUFp4WDg3VWRnSlEKSCtVVFZrT1hEbWIrSHFkOXlMOE5OUUdEQitQMzhubmZxMjZDaldDenR3dHJtdkUycG1DUEJVT2J4SER3NkJWTApoT2lQQi9hUmdwWHBnSFppMkU1ZTY4cjAyWHRab2lTWkpEeHhWWElFcE1vWU50enZNK1BMR3gwc0xMWTN4eGJzClBVc2c1SEhua25nL05LdzJIbVQ2Y1FLQmdEaW9lQzFueU5ZWGlHc0pkL05hNWYrbDZDQ2h4elVzTE9xZmZpSUMKTW84M2xuMmw0Z0pYWE43dGl4cmlESVliTE40NmpPcm1wRFkwSWxPMGIwQnp1bHkvM3VBSm5hZjNrNTdMSVpnMgpLV1VzMk8rQW51UldEK29yUHJBWXY3NkF5bkdSMjRnWXdUdHRWMnhENjNOSDhxSWZKK3Y0VWlHTkFoVEpqUy9mCkFrZnBBb0dBQ0pRS0lOU0hZOWN2RGZseWNWNmRCcndGS0hRb3oyZGg5Z0EvSjBGazYyc0VrNDY1SUtINm96VDQKQTlSZi8yMHBLZG40dmRnTktJQ3R1cUNKN1JIMC82bVRZWXUwSEJTWHo1elZIdWczTHpFbGxOdVB4MnRhc0x0MgpjdElsVkVrdk96L1hCa3BMVUE2TDlaR01Ha2tyeUJoNEdXd2FCajBHeldUQ2JMUGZ3N3c9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0t"
     mode: allowTLS
 
+redis:
+  tls:
+    enabled: true
+    autoGenerated: true
+    authClients: true
+
 secrets:
   mongodb-tls:
     enabled: true

codefresh/Chart.lock

@@ -58,58 +58,58 @@ dependencies:
   version: 1.13.5
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfapi
   repository: https://chartmuseum.codefresh.io/cfapi
-  version: 21.222.17
+  version: 21.222.20
 - name: cfui
   repository: https://chartmuseum.codefresh.io/cfui
-  version: 14.88.45
+  version: 14.88.47
 - name: k8s-monitor
   repository: https://chartmuseum.codefresh.io/k8s-monitor
   version: 4.10.2
@@ -118,13 +118,13 @@ dependencies:
   version: 3.25.2
 - name: cf-broadcaster
   repository: https://chartmuseum.codefresh.io/cf-broadcaster
-  version: 1.11.3
+  version: 1.11.4
 - name: helm-repo-manager
   repository: https://chartmuseum.codefresh.io/helm-repo-manager
   version: 0.10.3
 - name: hermes
   repository: https://chartmuseum.codefresh.io/hermes
-  version: 0.20.1
+  version: 0.20.2
 - name: nomios
   repository: https://chartmuseum.codefresh.io/nomios
   version: 0.10.3
@@ -133,18 +133,18 @@ dependencies:
   version: 0.7.3
 - name: cf-platform-analytics
   repository: https://chartmuseum.codefresh.io/cf-platform-analytics
-  version: 0.45.8
+  version: 0.46.3
 - name: cf-platform-analytics
   repository: https://chartmuseum.codefresh.io/cf-platform-analytics
-  version: 0.45.8
+  version: 0.46.3
 - name: argo-platform
   repository: https://chartmuseum.codefresh.io/argo-platform
-  version: 1.2258.0
+  version: 1.2258.1
 - name: argo-hub-platform
   repository: https://chartmuseum.codefresh.io/argo-hub-platform
   version: 0.1.1
 - name: codefresh-tunnel-server
   repository: https://chartmuseum.codefresh.io/codefresh-tunnel-server
   version: 0.1.12
-digest: sha256:d86f9c468ccb49fa90dcd74dd70cbf6333671038ca9490dad1540a8076c4a51a
-generated: "2023-05-19T22:30:12.602319405+03:00"
+digest: sha256:a5cb5fc0ab5d508d46d1999e102ae9486d5c42d8bcbc1b11e85e779df3d4688c
+generated: "2023-05-22T12:07:12.977656719+03:00"

codefresh/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: Helm Chart for Codefresh On-Prem
 name: codefresh
-version: 2.0.0-alpha.12
+version: 2.0.0-alpha.13
 keywords:
 - codefresh
 home: https://codefresh.io/
@@ -17,13 +17,9 @@ annotations:
   artifacthub.io/prerelease: "true"
   artifacthub.io/changes: |
     - kind: added
-      description: Added MongoDB MTLS test case in CI
+      description: Added Redis MTLS support
     - kind: changed
-      description: Changed replicas number for broadcaster and hermes
-    - kind: changed
-      description: Bump cluster-providers, argo-platform, etc
-    - kind: changed
-      description: Updated mongo seed job script and job template
+      description: Bump cf-api, cf-ui, argo-platform
 dependencies:
 - name: cf-common
   repository: https://chartmuseum.codefresh.io/cf-common

codefresh/README.md

@@ -1,6 +1,6 @@
 ## Codefresh On-Premises
 
-![Version: 2.0.0-alpha.12](https://img.shields.io/badge/Version-2.0.0--alpha.12-informational?style=flat-square) ![AppVersion: 2.0.0](https://img.shields.io/badge/AppVersion-2.0.0-informational?style=flat-square)
+![Version: 2.0.0-alpha.13](https://img.shields.io/badge/Version-2.0.0--alpha.13-informational?style=flat-square) ![AppVersion: 2.0.0](https://img.shields.io/badge/AppVersion-2.0.0-informational?style=flat-square)
 
 ## Table of Content
 
@@ -13,6 +13,7 @@
     - [External MongoDB with MTLS](#external-mongodb-with-mtls)
     - [External PostgresSQL](#external-postgressql)
     - [External Redis](#external-redis)
+    - [External Redis with MTLS](#external-redis-with-mtls)
     - [External RabbitMQ](#external-rabbitmq)
   - [Configuring Ingress-NGINX](#configuring-ingress-nginx)
     - [ELB with SSL Termination (Classic Load Balancer)](#elb-with-ssl-termination-classic-load-balancer)
@@ -175,7 +176,7 @@ secrets:
       ca.pem: <base64 encoded sting>
 ```
 
-*  Add `.Values.global.volumes` and `.Values.global.container.volumeMounts` to mount the secret into all the services.
+*  Add `.Values.global.volumes` and `.Values.global.volumeMounts` to mount the secret into all the services.
 ```yaml
 global:
   volumes:
@@ -196,7 +197,7 @@ global:
     MTLS_CERT_PATH: /etc/ssl/mongodb/ca.pem
     RUNTIME_MTLS_CERT_PATH: /etc/ssl/mongodb/ca.pem
     RUNTIME_MONGO_TLS: "true"
-    # Set these var to 'false' if self-signed certificate is used to avoid x509 errors
+    # Set these env vars to 'false' if self-signed certificate is used to avoid x509 errors
     RUNTIME_MONGO_TLS_VALIDATE: "false"
     MONGO_MTLS_VALIDATE: "false"
 ```
@@ -258,6 +259,54 @@ redis:
 
 ```
 
+#### External Redis with MTLS
+
+In order to use [MTLS (Mutual TLS) for Redis](https://redis.io/docs/management/security/encryption/), you need:
+
+* Create a K8S secret that contains the certificate (ca, certificate and private key).
+```console
+cat ca.crt tls.crt > tls.crt
+kubectl create secret tls my-redis-tls --cert=tls.crt --key=tls.key --dry-run=client -o yaml | kubectl apply -f -
+```
+
+  Or you can create certificate using templates provided in Codefresh Helm chart.
+  Add `.Values.secrets` into `values.yaml` as follows.
+```yaml
+secrets:
+  redis-tls:
+    enabled: true
+    data:
+      ca.crt: <base64 encoded string>
+      tls.crt: <base64 encoded string>
+      tls.key: <base64 encoded string>
+```
+
+*  Add `.Values.global.volumes` and `.Values.global.volumeMounts` to mount the secret into all the services.
+```yaml
+global:
+  volumes:
+    redis-tls:
+      enabled: true
+      type: secret
+      # Existing secret with TLS certificates (keys: `ca.crt` , `tls.crt`, `tls.key`)
+      # existingName: my-redis-tls
+      optional: true
+
+  volumeMounts:
+    redis-tls:
+      path:
+      - mountPath: /etc/ssl/redis
+
+  env:
+    REDIS_TLS: true
+    REDIS_CA_PATH: /etc/ssl/redis/ca.crt
+    REDIS_CLIENT_CERT_PATH : /etc/ssl/redis/tls.crt
+    REDIS_CLIENT_KEY_PATH: /etc/ssl/redis/tls.key
+    # Set these env vars like that if self-signed certificate is used to avoid x509 errors
+    REDIS_REJECT_UNAUTHORIZED: false
+    REDIS_TLS_SKIP_VERIFY: true
+```
+
 #### External RabbitMQ
 
 **Important:** Recommended version of RabbitMQ is 3.x

codefresh/README.md.gotmpl

@@ -13,6 +13,7 @@
     - [External MongoDB with MTLS](#external-mongodb-with-mtls)
     - [External PostgresSQL](#external-postgressql)
     - [External Redis](#external-redis)
+    - [External Redis with MTLS](#external-redis-with-mtls)
     - [External RabbitMQ](#external-rabbitmq)
   - [Configuring Ingress-NGINX](#configuring-ingress-nginx)
     - [ELB with SSL Termination (Classic Load Balancer)](#elb-with-ssl-termination-classic-load-balancer)
@@ -177,7 +178,7 @@ secrets:
       ca.pem: <base64 encoded sting>
 ```
 
-*  Add `.Values.global.volumes` and `.Values.global.container.volumeMounts` to mount the secret into all the services.
+*  Add `.Values.global.volumes` and `.Values.global.volumeMounts` to mount the secret into all the services.
 ```yaml
 global:
   volumes:
@@ -198,7 +199,7 @@ global:
     MTLS_CERT_PATH: /etc/ssl/mongodb/ca.pem
     RUNTIME_MTLS_CERT_PATH: /etc/ssl/mongodb/ca.pem
     RUNTIME_MONGO_TLS: "true"
-    # Set these var to 'false' if self-signed certificate is used to avoid x509 errors
+    # Set these env vars to 'false' if self-signed certificate is used to avoid x509 errors
     RUNTIME_MONGO_TLS_VALIDATE: "false"
     MONGO_MTLS_VALIDATE: "false"
 ```
@@ -260,6 +261,54 @@ redis:
 
 ```
 
+#### External Redis with MTLS
+
+In order to use [MTLS (Mutual TLS) for Redis](https://redis.io/docs/management/security/encryption/), you need:
+
+* Create a K8S secret that contains the certificate (ca, certificate and private key).
+```console
+cat ca.crt tls.crt > tls.crt
+kubectl create secret tls my-redis-tls --cert=tls.crt --key=tls.key --dry-run=client -o yaml | kubectl apply -f -
+```
+
+  Or you can create certificate using templates provided in Codefresh Helm chart.
+  Add `.Values.secrets` into `values.yaml` as follows.
+```yaml
+secrets:
+  redis-tls:
+    enabled: true
+    data:
+      ca.crt: <base64 encoded string>
+      tls.crt: <base64 encoded string>
+      tls.key: <base64 encoded string>
+```
+
+*  Add `.Values.global.volumes` and `.Values.global.volumeMounts` to mount the secret into all the services.
+```yaml
+global:
+  volumes:
+    redis-tls:
+      enabled: true
+      type: secret
+      # Existing secret with TLS certificates (keys: `ca.crt` , `tls.crt`, `tls.key`)
+      # existingName: my-redis-tls
+      optional: true
+
+  volumeMounts:
+    redis-tls:
+      path:
+      - mountPath: /etc/ssl/redis
+
+  env:
+    REDIS_TLS: true
+    REDIS_CA_PATH: /etc/ssl/redis/ca.crt
+    REDIS_CLIENT_CERT_PATH : /etc/ssl/redis/tls.crt
+    REDIS_CLIENT_KEY_PATH: /etc/ssl/redis/tls.key
+    # Set these env vars like that if self-signed certificate is used to avoid x509 errors
+    REDIS_REJECT_UNAUTHORIZED: false
+    REDIS_TLS_SKIP_VERIFY: true
+```
+
 #### External RabbitMQ
 
 **Important:** Recommended version of RabbitMQ is 3.x