From 0e95bdc4685be715dca600c0e4f5c583ff0418c7 Mon Sep 17 00:00:00 2001 From: Bakery Admin Date: Sat, 24 Jan 2026 21:33:40 +0100 Subject: [PATCH] Fix redis ssl issues 4 --- .../common/configs/configmap.yaml | 2 +- .../alert-processor/alert-processor.yaml | 9 +++ .../microservices/auth/auth-service.yaml | 4 ++ .../demo-session/demo-cleanup-worker.yaml | 11 ++- .../demo-session/deployment.yaml | 11 ++- .../external/external-service.yaml | 4 ++ .../app/services/delivery_tracking_service.py | 4 +- shared/redis_utils/client.py | 70 +++++++++++++++++-- 8 files changed, 104 insertions(+), 11 deletions(-) diff --git a/infrastructure/environments/common/configs/configmap.yaml b/infrastructure/environments/common/configs/configmap.yaml index 3e5eda4c..4909add0 100644 --- a/infrastructure/environments/common/configs/configmap.yaml +++ b/infrastructure/environments/common/configs/configmap.yaml @@ -488,4 +488,4 @@ data: EXTERNAL_ENABLED_CITIES: "madrid" EXTERNAL_RETENTION_MONTHS: "6" # Reduced from 24 to avoid memory issues during init EXTERNAL_CACHE_TTL_DAYS: "7" - EXTERNAL_REDIS_URL: "rediss://redis-service:6379/0?ssl_cert_reqs=none" + EXTERNAL_REDIS_URL: "rediss://redis-service:6379/0" diff --git a/infrastructure/services/microservices/alert-processor/alert-processor.yaml b/infrastructure/services/microservices/alert-processor/alert-processor.yaml index 8a862c1d..df17b671 100644 --- a/infrastructure/services/microservices/alert-processor/alert-processor.yaml +++ b/infrastructure/services/microservices/alert-processor/alert-processor.yaml @@ -121,6 +121,15 @@ spec: periodSeconds: 10 timeoutSeconds: 5 failureThreshold: 3 + volumeMounts: + - name: redis-tls + mountPath: /tls + readOnly: true + volumes: + - name: redis-tls + secret: + secretName: redis-tls-secret + defaultMode: 0400 --- apiVersion: v1 kind: Service 
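Review bot: The `defaultMode: 0400` on the new redis-tls volume in alert-processor.yaml makes the mounted files readable only by their owner, and secret volume files are owned by root unless the pod sets `fsGroup`; if this container runs as a non-root user (no securityContext is visible in the hunk), `/tls/ca-cert.pem` will exist but be unreadable, and since shared/redis_utils/client.py selects the path on `os.path.exists` alone it will fail when the SSL context is built instead of falling back. Consider `defaultMode: 0440` together with a pod-level `securityContext.fsGroup`, or confirm the container runs as the file owner. The client also expects the secret's keys to be named `ca-cert.pem`, `redis-cert.pem` and `redis-key.pem` (its defaults under `/tls`), which cannot be confirmed from this patch. The same mount and mode are added in auth-service.yaml, demo-cleanup-worker.yaml, deployment.yaml and external-service.yaml.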
diff --git a/infrastructure/services/microservices/auth/auth-service.yaml b/infrastructure/services/microservices/auth/auth-service.yaml index 45232852..1f4720a0 100644 --- a/infrastructure/services/microservices/auth/auth-service.yaml +++ b/infrastructure/services/microservices/auth/auth-service.yaml @@ -178,6 +178,10 @@ spec: timeoutSeconds: 3 periodSeconds: 5 failureThreshold: 5 + volumeMounts: + - name: redis-tls + mountPath: /tls + readOnly: true volumes: - name: redis-tls secret: diff --git a/infrastructure/services/microservices/demo-session/demo-cleanup-worker.yaml b/infrastructure/services/microservices/demo-session/demo-cleanup-worker.yaml index fd19c031..4d77aaa3 100644 --- a/infrastructure/services/microservices/demo-session/demo-cleanup-worker.yaml +++ b/infrastructure/services/microservices/demo-session/demo-cleanup-worker.yaml @@ -71,7 +71,7 @@ spec: name: redis-secrets key: REDIS_PASSWORD - name: REDIS_URL - value: "rediss://:$(REDIS_PASSWORD)@redis-service:6379/0?ssl_cert_reqs=none" + value: "rediss://:$(REDIS_PASSWORD)@redis-service:6379/0" - name: LOG_LEVEL value: "INFO" - name: INVENTORY_SERVICE_URL @@ -120,4 +120,13 @@ spec: initialDelaySeconds: 10 periodSeconds: 30 timeoutSeconds: 5 + volumeMounts: + - name: redis-tls + mountPath: /tls + readOnly: true restartPolicy: Always + volumes: + - name: redis-tls + secret: + secretName: redis-tls-secret + defaultMode: 0400 diff --git a/infrastructure/services/microservices/demo-session/deployment.yaml b/infrastructure/services/microservices/demo-session/deployment.yaml index ea09647d..19cc1879 100644 --- a/infrastructure/services/microservices/demo-session/deployment.yaml +++ b/infrastructure/services/microservices/demo-session/deployment.yaml 
@@ -43,7 +43,7 @@ spec: name: redis-secrets key: REDIS_PASSWORD - name: REDIS_URL - value: "rediss://:$(REDIS_PASSWORD)@redis-service:6379/0?ssl_cert_reqs=none" + value: "rediss://:$(REDIS_PASSWORD)@redis-service:6379/0" - name: AUTH_SERVICE_URL value: "http://auth-service:8000" - name: TENANT_SERVICE_URL @@ -77,6 +77,10 @@ spec: httpGet: path: /health port: 8000 + volumeMounts: + - name: redis-tls + mountPath: /tls + readOnly: true initialDelaySeconds: 30 periodSeconds: 30 readinessProbe: @@ -133,3 +137,8 @@ spec: limits: memory: "128Mi" cpu: "100m" + volumes: + - name: redis-tls + secret: + secretName: redis-tls-secret + defaultMode: 0400 diff --git a/infrastructure/services/microservices/external/external-service.yaml b/infrastructure/services/microservices/external/external-service.yaml index 889d45c5..7ed552d9 100644 --- a/infrastructure/services/microservices/external/external-service.yaml +++ b/infrastructure/services/microservices/external/external-service.yaml @@ -187,6 +187,10 @@ spec: timeoutSeconds: 3 periodSeconds: 5 failureThreshold: 5 + volumeMounts: + - name: redis-tls + mountPath: /tls + readOnly: true volumes: - name: redis-tls secret: diff --git a/services/procurement/app/services/delivery_tracking_service.py b/services/procurement/app/services/delivery_tracking_service.py index d745da81..819a1267 100644 --- a/services/procurement/app/services/delivery_tracking_service.py +++ b/services/procurement/app/services/delivery_tracking_service.py 
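Review bot: In the second hunk of deployment.yaml the new `volumeMounts` block is inserted between `port: 8000` and `initialDelaySeconds: 30`, i.e. in the middle of the livenessProbe mapping rather than after the container's last field. Indentation is not recoverable from this patch, but either reading is wrong: if `volumeMounts` sits under the probe it is an unknown field there, and if it is at container level then `initialDelaySeconds` and `periodSeconds` attach to the `redis-tls` mount item and are lost from the probe. Move the three lines `volumeMounts:` / `- name: redis-tls` / `mountPath: /tls` (with `readOnly: true`) to follow the container's `resources` block, just before the `volumes:` added in the third hunk, and leave the probe timings directly after `httpGet`.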
@@ -67,7 +67,9 @@ class DeliveryTrackingService: redis_host = getattr(self.config, 'REDIS_HOST', 'localhost') redis_port = getattr(self.config, 'REDIS_PORT', 6379) redis_db = getattr(self.config, 'REDIS_DB', 0) - redis_url = f"redis://:{redis_password}@{redis_host}:{redis_port}/{redis_db}" + # Use rediss:// for TLS connections (matches the shared config base) + redis_protocol = "rediss" if getattr(self.config, 'REDIS_TLS_ENABLED', 'true').lower() == 'true' else "redis" + redis_url = f"{redis_protocol}://:{redis_password}@{redis_host}:{redis_port}/{redis_db}" # Create Redis connection using shared manager (handles SSL, pooling, health checks) self._redis_manager = await RedisConnectionManager.create(redis_url, decode_responses=False) diff --git a/shared/redis_utils/client.py b/shared/redis_utils/client.py index 3b5a69a4..ff2fb456 100755 --- a/shared/redis_utils/client.py +++ b/shared/redis_utils/client.py 
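Review bot: `getattr(self.config, 'REDIS_TLS_ENABLED', 'true').lower()` raises AttributeError if the settings object exposes the flag as a bool rather than a string, which is a common shape for typed config; coerce before folding case: `redis_protocol = "rediss" if str(getattr(self.config, 'REDIS_TLS_ENABLED', 'true')).lower() == 'true' else "redis"`. A bool `True` then stringifies to `"True"` and still selects `rediss`, and the secure default stays on when the attribute is absent. The enclosing method starts outside the hunk.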
@@ -173,9 +173,68 @@ class RedisConnectionManager: if ssl_kwargs: client_params['ssl'] = True client_params['ssl_cert_reqs'] = ssl_kwargs.get('ssl_cert_reqs', ssl.CERT_NONE) - client_params['ssl_ca_certs'] = ssl_kwargs.get('ssl_ca_certs') - client_params['ssl_certfile'] = ssl_kwargs.get('ssl_certfile') - client_params['ssl_keyfile'] = ssl_kwargs.get('ssl_keyfile') + + # For Kubernetes environments, try to use mounted TLS certificates + # These are typically mounted at /tls/redis-cert.pem, /tls/redis-key.pem, /tls/ca-cert.pem + import os + ca_certs_path = os.getenv('REDIS_CA_CERTS_PATH', '/tls/ca-cert.pem') + certfile_path = os.getenv('REDIS_CERTFILE_PATH', '/tls/redis-cert.pem') + keyfile_path = os.getenv('REDIS_KEYFILE_PATH', '/tls/redis-key.pem') + + # Use environment variables or mounted files if they exist + if os.path.exists(ca_certs_path): + client_params['ssl_ca_certs'] = ca_certs_path + elif ssl_kwargs.get('ssl_ca_certs'): + client_params['ssl_ca_certs'] = ssl_kwargs.get('ssl_ca_certs') + + if os.path.exists(certfile_path): + client_params['ssl_certfile'] = certfile_path + elif ssl_kwargs.get('ssl_certfile'): + client_params['ssl_certfile'] = ssl_kwargs.get('ssl_certfile') + + if os.path.exists(keyfile_path): + client_params['ssl_keyfile'] = keyfile_path + elif ssl_kwargs.get('ssl_keyfile'): + client_params['ssl_keyfile'] = ssl_kwargs.get('ssl_keyfile') + + # Add additional SSL context parameters for better compatibility + # These help with SSL handshake issues and protocol compatibility + client_params['ssl_check_hostname'] = False # Disable hostname verification for self-signed certs + + # Add SSL context with specific protocol versions for better compatibility + # This helps with "wrong version number" and "unexpected eof" SSL errors + import ssl as ssl_module + ssl_context = ssl_module.create_default_context( + purpose=ssl_module.Purpose.SERVER_AUTH, + cafile=client_params.get('ssl_ca_certs') + ) + ssl_context.check_hostname = False + 
ssl_context.verify_mode = client_params.get('ssl_cert_reqs', ssl_module.CERT_NONE) + + # Set minimum TLS version for better security and compatibility + # TLS 1.2 is widely supported and secure enough for internal cluster communication + ssl_context.minimum_version = ssl_module.TLSVersion.TLSv1_2 + + # If client certificates are provided, load them + if client_params.get('ssl_certfile') and client_params.get('ssl_keyfile'): + ssl_context.load_cert_chain( + certfile=client_params.get('ssl_certfile'), + keyfile=client_params.get('ssl_keyfile') + ) + + client_params['ssl_context'] = ssl_context + + # Debug: Log the SSL configuration being used + self.logger.debug( + "redis_ssl_config", + ssl_enabled=True, + ssl_cert_reqs=client_params.get('ssl_cert_reqs'), + ssl_ca_certs=client_params.get('ssl_ca_certs'), + ssl_certfile=client_params.get('ssl_certfile'), + ssl_keyfile=client_params.get('ssl_keyfile'), + ssl_check_hostname=False, + ssl_minimum_version="TLSv1_2" + ) self._client = redis.Redis(**client_params) else: @@ -196,11 +255,8 @@ class RedisConnectionManager: redis_url, **connection_kwargs ) - - self._client = redis.Redis(connection_pool=self._pool) - # Create Redis client with pool - self._client = redis.Redis(connection_pool=self._pool) + self._client = redis.Redis(connection_pool=self._pool) # Test connection await self._client.ping()
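Review bot: The mounted CA file is never used to authenticate the server: `ssl_context.verify_mode` is taken from `client_params['ssl_cert_reqs']`, whose default on the context line above is `ssl.CERT_NONE`, and `check_hostname` is forced to False, so the connection is encrypted but any certificate is accepted, and dropping `?ssl_cert_reqs=none` from the URLs in configmap.yaml, demo-cleanup-worker.yaml and deployment.yaml does not change that because the code default is the same. When a CA file was found, require verification, e.g. `if client_params.get('ssl_ca_certs'):` followed by `ssl_context.verify_mode = ssl_module.CERT_REQUIRED` and `client_params['ssl_cert_reqs'] = ssl_module.CERT_REQUIRED`, and leave hostname checking off only if the server certificate genuinely lacks a `redis-service` SAN. Separately, `os.path.exists` does not establish readability, so an unreadable mounted file (a 0400 root-owned secret in a non-root container) reaches `create_default_context(cafile=...)` and raises there instead of falling back to `ssl_kwargs`; `os.access(path, os.R_OK)` is the closer test. The `import os` and `import ssl as ssl_module` inside the method are redundant since `ssl` is already in scope on the context line, and I do not believe `redis.Redis` accepts an `ssl_context` keyword, so this may raise TypeError on the installed redis-py — confirm against its version, where `ssl_min_version` is the documented way to pin TLS 1.2. The enclosing method starts outside the hunk.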