From e5a421c9c24e694f641b15abfff3552ae9da1d0a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Du=C5=A1an?= Date: Thu, 17 Oct 2024 12:57:54 +0200 Subject: [PATCH 1/6] docs(GcpRedisInstance): update docs --- docs/user/resources/04-60-gcp-redis-instance.md | 3 +-- docs/user/tutorials/01-60-gcp-redis-instance.md | 9 ++++++++- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/docs/user/resources/04-60-gcp-redis-instance.md b/docs/user/resources/04-60-gcp-redis-instance.md index 6acd86b72..d0bb68dbc 100644 --- a/docs/user/resources/04-60-gcp-redis-instance.md +++ b/docs/user/resources/04-60-gcp-redis-instance.md @@ -14,6 +14,7 @@ If the default IpRange does not exist, it is automatically created. Manually create a non-default IpRange with specified Classless Inter-Domain Routing (CIDR) and use it only in advanced cases of network topology when you want to control the network segments to avoid range conflicts with other networks. When creating GcpRedisInstance, two fields are mandatry: `memorySizeGb`, and `tier`. +As in-transit encryption is always enabled, communication with Redis instance requires a certificate. The certificate can be found in the Secret on the `.data.CaCert.pem` path. Optionally, you can specify the `redisVersion`, `authEnabled`, `transitEncryption`, `redisConfigs`, and `maintenancePolicy` fields. 
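Review bot: the trailing context line of this hunk still lists `transitEncryption` among the optional fields ("Optionally, you can specify the `redisVersion`, `authEnabled`, `transitEncryption`, ..."), which contradicts the new sentence "in-transit encryption is always enabled" and the removal of the `transitEncryptionMode` row further down; drop it from that list in the same change. The new sentence should also say "CA certificate" rather than "a certificate": the Secret key is `CaCert.pem` and it is passed to `redis-cli --cacert`, so it is the server's CA used for verification, not a client certificate, and "requires a certificate" reads as if mutual TLS were involved.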
@@ -29,7 +30,6 @@ This table lists the parameters of GcpRedisInstance, together with their descrip | **memorySizeGb** | int | Required. Redis memory size in GiB. | | **redisVersion** | int | Optional. The version of Redis software. Defaults to `REDIS_7_0`. | | **authEnabled** | bool | Optional. Indicates whether OSS Redis AUTH is enabled for the instance. If set to `true,` AUTH is enabled on the instance. Defaults to `false` | -| **transitEncryptionMode** | object | Optional. Defines the way TLS is executed. Supports two modes, `SERVER_AUTHENTICATION` and `DISABLED`. When set to `SERVER_AUTHENTICATION`, Client to Server traffic encryption is enabled with server authentication. If set to `DISABLED`, or not provided, in-transit encryption is disabled. To learn more about in-transit encryption, see [About in-transit encryption](https://cloud.google.com/memorystore/docs/redis/about-in-transit-encryption). | | **redisConfigs** | object | Optional. Provided values are passed to the Redis configuration. Supported values can be read on [Google's Supported Redis configurations page](https://cloud.google.com/memorystore/docs/redis/supported-redis-configurations). If left empty, defaults to an empty object. | | **maintenancePolicy** | object | Optional. Defines a desired maintenance policy. Only one policy can be active at a time. If not provided, maintenance events can be performed at any time. To learn more about maintenance policy limitations and requirements, see [About maintenance on Memorystore for Redis](https://cloud.google.com/memorystore/docs/redis/about-maintenance). | | **maintenancePolicy.dayOfWeek** | object | Optional. Defines maintenance policy to a specific day. | @@ -70,7 +70,6 @@ spec: tier: "STANDARD_HA" redisVersion: REDIS_7_0 authEnabled: true - transitEncryptionMode: SERVER_AUTHENTICATION redisConfigs: maxmemory-policy: volatile-lru activedefrag: "yes" 
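Review bot: with the `transitEncryptionMode` row and the `transitEncryptionMode: SERVER_AUTHENTICATION` sample line removed, the spec table no longer states which TLS mode the instance is created with or what happens to existing manifests that still set the field; add a short note (a row or a sentence under the table) saying that in-transit encryption is fixed to server authentication and whether a manifest setting `transitEncryptionMode` is rejected or ignored.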
diff --git a/docs/user/tutorials/01-60-gcp-redis-instance.md b/docs/user/tutorials/01-60-gcp-redis-instance.md index 98bc91a89..dc23d9098 100644 --- a/docs/user/tutorials/01-60-gcp-redis-instance.md +++ b/docs/user/tutorials/01-60-gcp-redis-instance.md @@ -44,6 +44,13 @@ spec: secretKeyRef: key: port name: gcpredisinstance-simple-example + volumeMounts: + - name: mounted + mountPath: /mnt + volumes: + - name: mounted + secret: + secretName: gcpredisinstance-simple-example ``` 3. Exec into the Pod: @@ -55,7 +62,7 @@ kubectl exec -i -t gcpredisinstance-simple-example-probe -c redis-cli -- sh -c " 4. Exec a PING command: ```bash -redis-cli -h $HOST -p $PORT PING +redis-cli -h $HOST -p $PORT --tls --cacert /mnt/CaCert.pem PING ``` You should receive `PONG` back from the server. From 3ec38c171152ce13c38455c15192604f90901e59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Du=C5=A1an?= Date: Thu, 17 Oct 2024 13:08:57 +0200 Subject: [PATCH 2/6] docs(AwsRedisInstance): update docs --- docs/user/resources/04-70-aws-redis-instance.md | 4 ++-- docs/user/tutorials/01-70-aws-redis-instance.md | 12 +++++++++--- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/docs/user/resources/04-70-aws-redis-instance.md b/docs/user/resources/04-70-aws-redis-instance.md index 754adb4bd..15fafd1de 100644 --- a/docs/user/resources/04-70-aws-redis-instance.md +++ b/docs/user/resources/04-70-aws-redis-instance.md 
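Review bot: the added `volumes` entry mounts the whole `gcpredisinstance-simple-example` Secret under `/mnt`, so every key it carries (not only `CaCert.pem`, and including any credential keys) ends up as a readable file in the probe container; since the command only needs the CA, project that single key with an `items:` list, for example:
  secret:
    secretName: gcpredisinstance-simple-example
    items:
      - key: CaCert.pem
        path: CaCert.pem
That keeps the `--cacert /mnt/CaCert.pem` path unchanged while limiting what is exposed on disk.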
@@ -14,6 +14,8 @@ Manually create a non-default IpRange with specified CIDR and use it only in adv When creating AwsRedisInstance, there is only one mandatory field: `cacheNodeType`. It specifies the underlying machine that will be used for the cache. +As in-transit encryption is always enabled, communication with Redis instance requires a trusted CA (Certificate Authority). It should be installed on the container (e.g. via `apt-get install -y ca-certificates && update-ca-certificate`). + Optionally, you can specify the `engineVersion`, `authEnabled`, `transitEncryptionEnabled`, `parameters`, and `preferredMaintenanceWindow` fields. # Specification 
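Review bot: the command in the added sentence is wrong: the Debian tool is `update-ca-certificates` (plural), so `apt-get install -y ca-certificates && update-ca-certificate` as written fails with "command not found". The trailing context line also still lists `transitEncryptionEnabled` among the optional fields, which contradicts "in-transit encryption is always enabled" and the table-row removal below; remove it from that list here.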
@@ -27,7 +29,6 @@ This table lists the parameters of AwsRedisInstance, together with their descrip | **cacheNodeType** | string | Required. A node is the smallest building block of an Amazon ElastiCache deployment. It is a fixed-size chunk of secure, network-attached RAM. For supported node tyes, check [Amazon's Supported node types page](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/CacheNodes.SupportedTypes.html) | | **engineVersion** | string | Optional. The version number of the cache engine to be used for the clusters in this replication group. To see all supported versions, check [Amazon's Supported ElastiCache (Redis OSS) versions page](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/supported-engine-versions.html). Defaults to `"7.0"`. | | **authEnabled** | bool | Optional. Enables using an AuthToken (password) when issuing Redis OSS commands. Defaults to `false`. | -| **transitEncryptionEnabled** | bool | Optional. If true, enables in-transit encryption. Defaults to `false`. | | **parameters** | object | Optional. Provided values are passed to the Redis configuration. Supported values can be read on [Amazons's Redis OSS-specific parameters page](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/ParameterGroups.Redis.html). If left empty, defaults to an empty object. | | **preferredMaintenanceWindow** | string | Optional. Defines a desired window during which updates can be applied. If not provided, maintenance events can be performed at any time during the default time window. To learn more about maintenance window limitations and requirements, see [Managing maintenance](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/maintenance-window.html). | | **authSecret** | object | Optional. Auth Secret options. | @@ -61,7 +62,6 @@ spec: cacheNodeType: cache.t2.micro engineVersion: "7.0" autoMinorVersionUpgrade: true - transitEncryptionEnabled: true authEnabled: true parameters: maxmemory-policy: volatile-lru 
diff --git a/docs/user/tutorials/01-70-aws-redis-instance.md b/docs/user/tutorials/01-70-aws-redis-instance.md index fadedaf32..19f4dcf2b 100644 --- a/docs/user/tutorials/01-70-aws-redis-instance.md +++ b/docs/user/tutorials/01-70-aws-redis-instance.md @@ -49,10 +49,17 @@ To instantiate Redis and connect the Pod with only the required fields, use the kubectl exec -i -t awsredisinstance-minimal-example-probe -c redis-cli -- sh -c "clear; (bash || ash || sh)" ``` -4. Run a PING command: +4. Install and update ca-certificates: + + ```bash + apt-get update && \ + apt-get install -y ca-certificates && \ + update-ca-c + +5. Run a PING command: ```bash - redis-cli -h $HOST -p $PORT PING + redis-cli -h $HOST -p $PORT --tls PING ``` If your setup was successful, you get `PONG` back from the server. @@ -71,7 +78,6 @@ To specify advanced features (such as Redis version, configuration, and maintena cacheNodeType: cache.t3.micro engineVersion: "7.0" authEnabled: true - transitEncryptionEnabled: true parameters: maxmemory-policy: volatile-lru activedefrag: "yes" From 801070aa925088fa78677af0015d268a1e7d397e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Du=C5=A1an?= Date: Thu, 17 Oct 2024 13:10:18 +0200 Subject: [PATCH 3/6] chore: update samples --- config/samples/cloud-resources_v1beta1_awsredisinstance.yaml | 4 +++- config/samples/cloud-resources_v1beta1_gcpredisinstance.yaml | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/config/samples/cloud-resources_v1beta1_awsredisinstance.yaml b/config/samples/cloud-resources_v1beta1_awsredisinstance.yaml index e3b276ef3..2a3260714 100644 --- a/config/samples/cloud-resources_v1beta1_awsredisinstance.yaml +++ b/config/samples/cloud-resources_v1beta1_awsredisinstance.yaml @@ -15,6 +15,8 @@ spec: # optional fields engineVersion: "7.0" autoMinorVersionUpgrade: true - transitEncryptionEnabled: true + parameters: + maxmemory-policy: volatile-lru + activedefrag: "yes" preferredMaintenanceWindow: sun:23:00-mon:01:30 
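Review bot: the new step 4 is broken in the rendered tutorial: the last command is truncated to `update-ca-c` (should be `update-ca-certificates`) and the fenced block opened with ```bash is never closed, so "5. Run a PING command:" and the following block land inside the step 4 code fence. Close the fence after the install command. Separately, the exec step in the context above falls back to `(bash || ash || sh)`, which suggests the image may not be Debian based; state the assumed base image or add the equivalent for Alpine (`apk add --no-cache ca-certificates`), since `apt-get` will not exist there and `redis-cli --tls` without `--cacert` relies on the system trust store the step is meant to populate.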
diff --git a/config/samples/cloud-resources_v1beta1_gcpredisinstance.yaml b/config/samples/cloud-resources_v1beta1_gcpredisinstance.yaml index 5949bbe3f..20b9b2281 100644 --- a/config/samples/cloud-resources_v1beta1_gcpredisinstance.yaml +++ b/config/samples/cloud-resources_v1beta1_gcpredisinstance.yaml @@ -16,7 +16,6 @@ spec: # optional fields redisVersion: REDIS_7_0 authEnabled: true - transitEncryptionMode: SERVER_AUTHENTICATION redisConfigs: maxmemory-policy: volatile-lru activedefrag: "yes" From f40a92cedb563a83ab460a12ae68a7fe37295436 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Du=C5=A1an?= Date: Thu, 17 Oct 2024 13:11:10 +0200 Subject: [PATCH 4/6] chore: add Redis to ff docs --- pkg/feature/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/feature/README.md b/pkg/feature/README.md index 75986eb1d..81197d374 100644 --- a/pkg/feature/README.md +++ b/pkg/feature/README.md @@ -38,4 +38,5 @@ The evaluation context is stored in the golang context and is built using the [` | nfs | All NFS Volume related features. | | nfsBackup | All NFS Volume Backup related features. | | peering | All VPC Peering related features. | +| redis | All Redis Peering related features. | From 85af0392b0a3d45a541caeaffc05b71b47b3d402 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Du=C5=A1an?= Date: Thu, 17 Oct 2024 13:12:34 +0200 Subject: [PATCH 5/6] chore: fix formatting --- pkg/feature/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/feature/README.md b/pkg/feature/README.md index 81197d374..43bab365c 100644 --- a/pkg/feature/README.md +++ b/pkg/feature/README.md @@ -38,5 +38,5 @@ The evaluation context is stored in the golang context and is built using the [` | nfs | All NFS Volume related features. | | nfsBackup | All NFS Volume Backup related features. | | peering | All VPC Peering related features. | -| redis | All Redis Peering related features. | +| redis | All Redis Peering related features. | 
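Review bot: the description of the new `redis` feature-flag row reads "All Redis Peering related features.", which looks copied from the `peering` row above it; it should be "All Redis related features." (or name both GcpRedisInstance and AwsRedisInstance). Patch 5 retouches this line but only changes its formatting, so the wording slip survives both commits.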
From d649b0e943c36db2a3cf4f5d2d1292a8c6b853d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Du=C5=A1an=20Panti=C4=87?= Date: Fri, 18 Oct 2024 10:27:31 +0200 Subject: [PATCH 6/6] Apply suggestions from code review Co-authored-by: Grzegorz Karaluch --- docs/user/resources/04-60-gcp-redis-instance.md | 2 +- docs/user/resources/04-70-aws-redis-instance.md | 2 +- docs/user/tutorials/01-70-aws-redis-instance.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/user/resources/04-60-gcp-redis-instance.md b/docs/user/resources/04-60-gcp-redis-instance.md index d0bb68dbc..f78dd887a 100644 --- a/docs/user/resources/04-60-gcp-redis-instance.md +++ b/docs/user/resources/04-60-gcp-redis-instance.md @@ -14,7 +14,7 @@ If the default IpRange does not exist, it is automatically created. Manually create a non-default IpRange with specified Classless Inter-Domain Routing (CIDR) and use it only in advanced cases of network topology when you want to control the network segments to avoid range conflicts with other networks. When creating GcpRedisInstance, two fields are mandatry: `memorySizeGb`, and `tier`. -As in-transit encryption is always enabled, communication with Redis instance requires a certificate. The certificate can be found in the Secret on the `.data.CaCert.pem` path. +As in-transit encryption is always enabled, communication with the Redis instance requires a certificate. The certificate can be found in the Secret on the `.data.CaCert.pem` path. Optionally, you can specify the `redisVersion`, `authEnabled`, `transitEncryption`, `redisConfigs`, and `maintenancePolicy` fields. diff --git a/docs/user/resources/04-70-aws-redis-instance.md b/docs/user/resources/04-70-aws-redis-instance.md index 15fafd1de..907dbe336 100644 --- a/docs/user/resources/04-70-aws-redis-instance.md +++ b/docs/user/resources/04-70-aws-redis-instance.md 
@@ -14,7 +14,7 @@ Manually create a non-default IpRange with specified CIDR and use it only in adv When creating AwsRedisInstance, there is only one mandatory field: `cacheNodeType`. It specifies the underlying machine that will be used for the cache. -As in-transit encryption is always enabled, communication with Redis instance requires a trusted CA (Certificate Authority). It should be installed on the container (e.g. via `apt-get install -y ca-certificates && update-ca-certificate`). +As in-transit encryption is always enabled, communication with the Redis instance requires a trusted Certificate Authority (CA). You must install it on the container (e.g., using `apt-get install -y ca-certificates && update-ca-certificate`). Optionally, you can specify the `engineVersion`, `authEnabled`, `transitEncryptionEnabled`, `parameters`, and `preferredMaintenanceWindow` fields. diff --git a/docs/user/tutorials/01-70-aws-redis-instance.md b/docs/user/tutorials/01-70-aws-redis-instance.md index 19f4dcf2b..76d2dac80 100644 --- a/docs/user/tutorials/01-70-aws-redis-instance.md +++ b/docs/user/tutorials/01-70-aws-redis-instance.md @@ -49,7 +49,7 @@ To instantiate Redis and connect the Pod with only the required fields, use the kubectl exec -i -t awsredisinstance-minimal-example-probe -c redis-cli -- sh -c "clear; (bash || ash || sh)" ``` -4. Install and update ca-certificates: +4. Install and update CA certificates: ```bash apt-get update && \
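Review bot: the reworded sentence in 04-70-aws-redis-instance.md still carries the wrong command name `update-ca-certificate`; the tool is `update-ca-certificates`, so this review-suggestion commit should fix it as well rather than only the grammar around it.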