Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-11021

Add a way for the client to provide redis ACL credentials to system and backend

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • None
    • 3scale Operator
    • None
    • False
    • None
    • False
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started

      We need a way for the user to set the ACL credentials to connect to Redis. Those are:

      • username
      • password

      Porta and apisonator read the credentials from the next variables:

      • Backend:
        • CONFIG_REDIS_USERNAME and CONFIG_QUEUES_USERNAME for the username
        • CONFIG_REDIS_PASSWORD and CONFIG_QUEUES_PASSWORD for the password
      • System:
        • REDIS_USERNAME and BACKEND_REDIS_USERNAME for the username
        • REDIS_PASSWORD and BACKEND_REDIS_PASSWORD for the password

      We would need a new YAML keyword to provide those credentials. This is a suggestion: redisACLSecret

      apiVersion: apps.3scale.net/v1alpha1
kind: APIManager
metadata:
  name: apimanager1
spec:
  system:
    redisACLSecret:
      name: my-acl-credentials

      The user then should provide a secret looking like this:

      apiVersion: v1
kind: Secret
metadata:
  name: my-acl-credentials
type: Opaque
data:
  username: my-username
  password: bXktcGFzc3dvcmQ=

      From this configuration, the operator should map the credentials to the above environment variables.

      When working with sentinels, they can have their own username and password. So the user should be able to provide credentials for sentinels as well. In the case the client uses sentinels, then the next environment variables should be set as well:

      • Backend:
        • CONFIG_REDIS_SENTINEL_USERNAME and CONFIG_QUEUES_SENTINEL_USERNAME for the username
        • CONFIG_REDIS_SENTINEL_PASSWORD and CONFIG_QUEUES_SENTINEL_PASSWORD for the password
      • System:
        • REDIS_SENTINEL_USERNAME and BACKEND_REDIS_SENTINEL_USERNAME for the username
        • REDIS_SENTINEL_PASSWORD and BACKEND_REDIS_SENTINEL_PASSWORD for the password

      In most of cases, the redis master and the sentinels would share the same credentials. So the variables above should take the values from the secret specified in redisACLSecret.

      If the user is a particular case when redis master and sentinels don't use the same credentials, then we would need another YAML keyword only for setting sentinel credentials. In this case the YAML would look like this:

       

      apiVersion: apps.3scale.net/v1alpha1
kind: APIManager
metadata:
  name: apimanager1
spec:
  system:
    redisACLSecret:
       name: my-acl-credentials
    redisSentinelsACLSecret:
      name: my-sentinels-acl-credentials

      However it's important to remember that the sentinel env variables should never be set if the user doesn't use sentinels. Setting them would make the Redis client fail to connect.

       

            Unassigned Unassigned
            rh-ee-jlledo Joan Lledo
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: