This blue print describes the requirements, design and implementation of REDIS TLS Support.
The requests from contrail-analytics clients to Redis server are not encrypted and can pose a security request.
Redis does not support encryption. In order to implement setups where trusted parties can access a Redis instance over the internet or other untrusted networks, an additional layer of protection should be implemented. We will use a secure tunneling program called stunnel to encrypt the Redis traffic. Traffic between Redis clients and servers will be routed through a dedicated SSL encrypted tunnel.
Currently, alarm-gen, analytics-api, collector, query-engine and webui connect to Redis. Out of theses collector and webui connect to local redis instance listening on localhost 127.0.0.1. Since, they do not connect to any remote redis instance over internet, there is no need to enable SSL for these 2 services.
Following change will be needed to enable SSL between Redis clients and servers.
-
All clients, namely, alarm-gen, analytics-api and query-engine will have following conf file changes redis_use_ssl=True redis_keyfile=/etc/contrail/ssl/private/server-privkey.pem redis_certfile=/etc/contrail/ssl/certs/server.pem redis_ca_cert=/etc/contrail/ssl/certs/ca-cert.pem
-
Stunnel program needs to run within a new container with following conf parameters. cert = /etc/contrail/ssl/certs/ca-cert.pem pid = /var/run/stunnel.pid foreground = yes [redis] accept = 10.204.217.62:6379 connect = 127.0.0.1:6379
In case of SSL enabled, client of redis-server is stunnel which will always run locally. Stunnel will send the packets to redis server on localhost port 6379. So, redis will always listen on localhost:6379. Analytics clients will connect to stunnel on public ip-address and port 6379.
In case of no SSL, behavior will remain unchanged.
-
Alarmgen and Analytics api are using StrictRedis to connect to Redis. It has SSL supports. So, we just need to pass SSL parameters when SSL is enabled.
-
Query Engine are using hiredis library to connect to Redis. As of now, hiredis 0.14.0 release is officially available but it does not have SSL support. However SSL code is present in latest hiredis github master branch. We have to get an official hiredis 0.15.0 release which has SSL support. If latest release is not available, then we can use 0.14.0 release and apply SSL patch on top of it.
-
Contrail provisioning will be updated to populate SSL parameters in redis client configuration files. New docker files will be added to run stunnel service.
None
Not Applicable
Please see above for the required configuration to be done.
None
None
- Redis client side changes to use SSL certificates when SSL is enabled. This needs changes in analytics and webui backend.
- Stunnel docker creation in Redis POD. This needs changes in contrail-container-builder.
- Deployer changes - Priority order for the deployers is the following one: RHOSP /TripleO -- Stunnel docker will be created if SSL_ENABLE is true in contrail configuration settings. OpenShift Juju Ansible-deployer -- Stunnel docker will be created if REDIS_SSL_ENABLE is true in contrail configuration. Helm
TODO
None
None
None
None
None
- Extend existing Redis testcases to use SSL.
- Stunnel and Redis restart tests.
- Negative tests.