docs(GcpRedisInstance,AwsRedisInstance): update docs #734

Open
wants to merge 6 commits into
base: main
Expand Up @@ -15,6 +15,8 @@ spec:
# optional fields
engineVersion: "7.0"
autoMinorVersionUpgrade: true
transitEncryptionEnabled: true
parameters:
maxmemory-policy: volatile-lru
activedefrag: "yes"
preferredMaintenanceWindow: sun:23:00-mon:01:30
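Review bot: `transitEncryptionEnabled: true` is still set under `# optional fields` in this sample, while the AwsRedisInstance reference page in this PR states that in-transit encryption is always enabled. If the field no longer changes behaviour, drop it from the sample so readers do not infer that omitting it or setting it to `false` turns TLS off; if it is still honoured, the reference page needs to say so.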

Expand Up @@ -16,7 +16,6 @@ spec:
# optional fields
redisVersion: REDIS_7_0
authEnabled: true
transitEncryptionMode: SERVER_AUTHENTICATION
redisConfigs:
maxmemory-policy: volatile-lru
activedefrag: "yes"
3 changes: 1 addition & 2 deletions docs/user/resources/04-60-gcp-redis-instance.md
Expand Up @@ -14,6 +14,7 @@ If the default IpRange does not exist, it is automatically created.
Manually create a non-default IpRange with specified Classless Inter-Domain Routing (CIDR) and use it only in advanced cases of network topology when you want to control the network segments to avoid range conflicts with other networks.

When creating GcpRedisInstance, two fields are mandatry: `memorySizeGb`, and `tier`.
As in-transit encryption is always enabled, communication with the Redis instance requires a certificate. The certificate can be found in the Secret on the `.data.CaCert.pem` path.

Optionally, you can specify the `redisVersion`, `authEnabled`, `transitEncryption`, `redisConfigs`, and `maintenancePolicy` fields.

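Review bot: The sentence after the added paragraph still lists `transitEncryption` among the optional fields, which conflicts with "in-transit encryption is always enabled" (and the name does not match the `transitEncryptionMode` field in the table); remove it from that list. In the added line, `.data.CaCert.pem` reads as a nested path and "the Secret" is not identified: say which Secret it is and that the key is `CaCert.pem`, matching the `/mnt/CaCert.pem` file used in the tutorial. `mandatry` in the line above should be `mandatory`.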
Expand All @@ -29,7 +30,6 @@ This table lists the parameters of GcpRedisInstance, together with their descrip
| **memorySizeGb** | int | Required. Redis memory size in GiB. |
| **redisVersion** | int | Optional. The version of Redis software. Defaults to `REDIS_7_0`. |
| **authEnabled** | bool | Optional. Indicates whether OSS Redis AUTH is enabled for the instance. If set to `true,` AUTH is enabled on the instance. Defaults to `false` |
| **transitEncryptionMode** | object | Optional. Defines the way TLS is executed. Supports two modes, `SERVER_AUTHENTICATION` and `DISABLED`. When set to `SERVER_AUTHENTICATION`, Client to Server traffic encryption is enabled with server authentication. If set to `DISABLED`, or not provided, in-transit encryption is disabled. To learn more about in-transit encryption, see [About in-transit encryption](https://cloud.google.com/memorystore/docs/redis/about-in-transit-encryption). |
| **redisConfigs** | object | Optional. Provided values are passed to the Redis configuration. Supported values can be read on [Google's Supported Redis configurations page](https://cloud.google.com/memorystore/docs/redis/supported-redis-configurations). If left empty, defaults to an empty object. |
| **maintenancePolicy** | object | Optional. Defines a desired maintenance policy. Only one policy can be active at a time. If not provided, maintenance events can be performed at any time. To learn more about maintenance policy limitations and requirements, see [About maintenance on Memorystore for Redis](https://cloud.google.com/memorystore/docs/redis/about-maintenance). |
| **maintenancePolicy.dayOfWeek** | object | Optional. Defines maintenance policy to a specific day. |
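Review bot: The `redisVersion` row gives the type as `int`, but its default is `REDIS_7_0` and the samples in this PR pass `redisVersion: REDIS_7_0`, so the type should be a string. While this table is open, the `authEnabled` row has the comma inside the code span (`true,`) and no closing period after `false`.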
Expand Down Expand Up @@ -70,7 +70,6 @@ spec:
tier: "STANDARD_HA"
redisVersion: REDIS_7_0
authEnabled: true
transitEncryptionMode: SERVER_AUTHENTICATION
redisConfigs:
maxmemory-policy: volatile-lru
activedefrag: "yes"
4 changes: 2 additions & 2 deletions docs/user/resources/04-70-aws-redis-instance.md
Expand Up @@ -14,6 +14,8 @@ Manually create a non-default IpRange with specified CIDR and use it only in adv
When creating AwsRedisInstance, there is only one mandatory field: `cacheNodeType`.
It specifies the underlying machine that will be used for the cache.

As in-transit encryption is always enabled, communication with the Redis instance requires a trusted Certificate Authority (CA). You must install it on the container (e.g., using `apt-get install -y ca-certificates && update-ca-certificate`).

Optionally, you can specify the `engineVersion`, `authEnabled`, `transitEncryptionEnabled`, `parameters`, and `preferredMaintenanceWindow` fields.

# Specification
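Review bot: The command in the added paragraph is misspelled: `update-ca-certificate` should be `update-ca-certificates`, so a copy-paste of `apt-get install -y ca-certificates && update-ca-certificate` fails at the second step. The `apt-get` example also assumes a Debian-based image, which is worth stating. The next sentence still lists `transitEncryptionEnabled` as an optional field, which conflicts with "in-transit encryption is always enabled".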
Expand All @@ -27,7 +29,6 @@ This table lists the parameters of AwsRedisInstance, together with their descrip
| **cacheNodeType** | string | Required. A node is the smallest building block of an Amazon ElastiCache deployment. It is a fixed-size chunk of secure, network-attached RAM. For supported node tyes, check [Amazon's Supported node types page](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/CacheNodes.SupportedTypes.html) |
| **engineVersion** | string | Optional. The version number of the cache engine to be used for the clusters in this replication group. To see all supported versions, check [Amazon's Supported ElastiCache (Redis OSS) versions page](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/supported-engine-versions.html). Defaults to `"7.0"`. |
| **authEnabled** | bool | Optional. Enables using an AuthToken (password) when issuing Redis OSS commands. Defaults to `false`. |
| **transitEncryptionEnabled** | bool | Optional. If true, enables in-transit encryption. Defaults to `false`. |
| **parameters** | object | Optional. Provided values are passed to the Redis configuration. Supported values can be read on [Amazons's Redis OSS-specific parameters page](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/ParameterGroups.Redis.html). If left empty, defaults to an empty object. |
| **preferredMaintenanceWindow** | string | Optional. Defines a desired window during which updates can be applied. If not provided, maintenance events can be performed at any time during the default time window. To learn more about maintenance window limitations and requirements, see [Managing maintenance](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/maintenance-window.html). |
| **authSecret** | object | Optional. Auth Secret options. |
Expand Down Expand Up @@ -61,7 +62,6 @@ spec:
cacheNodeType: cache.t2.micro
engineVersion: "7.0"
autoMinorVersionUpgrade: true
transitEncryptionEnabled: true
authEnabled: true
parameters:
maxmemory-policy: volatile-lru
9 changes: 8 additions & 1 deletion docs/user/tutorials/01-60-gcp-redis-instance.md
Expand Up @@ -44,6 +44,13 @@ spec:
secretKeyRef:
key: port
name: gcpredisinstance-simple-example
volumeMounts:
- name: mounted
mountPath: /mnt
volumes:
- name: mounted
secret:
secretName: gcpredisinstance-simple-example
```

3. Exec into the Pod:
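Review bot: The `secret` volume mounts every key of `gcpredisinstance-simple-example` under `/mnt`, although the probe only needs the CA file that step 4 reads from `/mnt/CaCert.pem`. Restrict the volume with `items` to the `CaCert.pem` key and set `readOnly: true` on the `volumeMounts` entry, so the example does not teach exposing the rest of the Secret on the filesystem. A volume name that says what it holds (for example `redis-ca`) would read better than `mounted`.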
Expand All @@ -55,7 +62,7 @@ kubectl exec -i -t gcpredisinstance-simple-example-probe -c redis-cli -- sh -c "
4. Exec a PING command:

```bash
redis-cli -h $HOST -p $PORT PING
redis-cli -h $HOST -p $PORT --tls --cacert /mnt/CaCert.pem PING
```
You should receive `PONG` back from the server.

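Review bot: `--tls` and `--cacert` in the new PING command need a redis-cli from Redis 6.0 or later that was built with TLS support, and the step does not say so. Name the minimum client version or the image the probe Pod must use, so a reader with an older client gets a clear prerequisite instead of an unrecognized-option error.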
12 changes: 9 additions & 3 deletions docs/user/tutorials/01-70-aws-redis-instance.md
Expand Up @@ -49,10 +49,17 @@ To instantiate Redis and connect the Pod with only the required fields, use the
kubectl exec -i -t awsredisinstance-minimal-example-probe -c redis-cli -- sh -c "clear; (bash || ash || sh)"
```

4. Run a PING command:
4. Install and update CA certificates:

```bash
redis-cli -h $HOST -p $PORT PING
apt-get update && \
apt-get install -y ca-certificates && \
update-ca-c

5. Run a PING command:

```bash
redis-cli -h $HOST -p $PORT --tls PING
```
If your setup was successful, you get `PONG` back from the server.

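Review bot: The code block added under step 4 is never closed: after `update-ca-c` the next lines are a blank line and `5. Run a PING command:`, so the step 5 heading and its fence render inside the step 4 block. The last command also looks cut off at `update-ca-c`; it should be the full `update-ca-certificates`, followed by a closing fence. Since `redis-cli -h $HOST -p $PORT --tls PING` relies on the system trust store instead of `--cacert`, a sentence saying why the AWS flow needs no CA file would help readers comparing it with the GCP tutorial.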
Expand All @@ -71,7 +78,6 @@ To specify advanced features (such as Redis version, configuration, and maintena
cacheNodeType: cache.t3.micro
engineVersion: "7.0"
authEnabled: true
transitEncryptionEnabled: true
parameters:
maxmemory-policy: volatile-lru
activedefrag: "yes"
1 change: 1 addition & 0 deletions pkg/feature/README.md
Expand Up @@ -38,4 +38,5 @@ The evaluation context is stored in the golang context and is built using the [`
| nfs | All NFS Volume related features. |
| nfsBackup | All NFS Volume Backup related features. |
| peering | All VPC Peering related features. |
| redis | All Redis Peering related features. |
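Review bot: "All Redis Peering related features." in the new `redis` row looks copied from the `peering` row above. Unless the flag really covers only peering, it should read "All Redis related features." to match the `nfs` and `nfsBackup` rows.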
