Fix redis ssl issues 4

infrastructure/environments/common/configs/configmap.yaml

@@ -488,4 +488,4 @@ data:
   EXTERNAL_ENABLED_CITIES: "madrid"
   EXTERNAL_RETENTION_MONTHS: "6"  # Reduced from 24 to avoid memory issues during init
   EXTERNAL_CACHE_TTL_DAYS: "7"
-  EXTERNAL_REDIS_URL: "rediss://redis-service:6379/0?ssl_cert_reqs=none"
+  EXTERNAL_REDIS_URL: "rediss://redis-service:6379/0"

infrastructure/services/microservices/alert-processor/alert-processor.yaml

@@ -121,6 +121,15 @@ spec:
           periodSeconds: 10
           timeoutSeconds: 5
           failureThreshold: 3
+        volumeMounts:
+        - name: redis-tls
+          mountPath: /tls
+          readOnly: true
+      volumes:
+      - name: redis-tls
+        secret:
+          secretName: redis-tls-secret
+          defaultMode: 0400
 ---
 apiVersion: v1
 kind: Service

infrastructure/services/microservices/auth/auth-service.yaml

@@ -178,6 +178,10 @@ spec:
           timeoutSeconds: 3
           periodSeconds: 5
           failureThreshold: 5
+        volumeMounts:
+        - name: redis-tls
+          mountPath: /tls
+          readOnly: true
       volumes:
       - name: redis-tls
         secret:

infrastructure/services/microservices/demo-session/demo-cleanup-worker.yaml

@@ -71,7 +71,7 @@ spec:
               name: redis-secrets
               key: REDIS_PASSWORD
         - name: REDIS_URL
-          value: "rediss://:$(REDIS_PASSWORD)@redis-service:6379/0?ssl_cert_reqs=none"
+          value: "rediss://:$(REDIS_PASSWORD)@redis-service:6379/0"
         - name: LOG_LEVEL
           value: "INFO"
         - name: INVENTORY_SERVICE_URL
@@ -120,4 +120,13 @@ spec:
           initialDelaySeconds: 10
           periodSeconds: 30
           timeoutSeconds: 5
+        volumeMounts:
+        - name: redis-tls
+          mountPath: /tls
+          readOnly: true
       restartPolicy: Always
+      volumes:
+      - name: redis-tls
+        secret:
+          secretName: redis-tls-secret
+          defaultMode: 0400

infrastructure/services/microservices/demo-session/deployment.yaml

@@ -43,7 +43,7 @@ spec:
               name: redis-secrets
               key: REDIS_PASSWORD
         - name: REDIS_URL
-          value: "rediss://:$(REDIS_PASSWORD)@redis-service:6379/0?ssl_cert_reqs=none"
+          value: "rediss://:$(REDIS_PASSWORD)@redis-service:6379/0"
         - name: AUTH_SERVICE_URL
           value: "http://auth-service:8000"
         - name: TENANT_SERVICE_URL
@@ -77,6 +77,10 @@ spec:
           httpGet:
             path: /health
             port: 8000
+        volumeMounts:
+        - name: redis-tls
+          mountPath: /tls
+          readOnly: true
           initialDelaySeconds: 30
           periodSeconds: 30
         readinessProbe:
@@ -133,3 +137,8 @@ spec:
           limits:
             memory: "128Mi"
             cpu: "100m"
+      volumes:
+      - name: redis-tls
+        secret:
+          secretName: redis-tls-secret
+          defaultMode: 0400

infrastructure/services/microservices/external/external-service.yaml

@@ -187,6 +187,10 @@ spec:
           timeoutSeconds: 3
           periodSeconds: 5
           failureThreshold: 5
+        volumeMounts:
+        - name: redis-tls
+          mountPath: /tls
+          readOnly: true
       volumes:
       - name: redis-tls
         secret:

services/procurement/app/services/delivery_tracking_service.py

@@ -67,7 +67,9 @@ class DeliveryTrackingService:
             redis_host = getattr(self.config, 'REDIS_HOST', 'localhost')
             redis_port = getattr(self.config, 'REDIS_PORT', 6379)
             redis_db = getattr(self.config, 'REDIS_DB', 0)
-            redis_url = f"redis://:{redis_password}@{redis_host}:{redis_port}/{redis_db}"
+            # Use rediss:// for TLS connections (matches the shared config base)
+            redis_protocol = "rediss" if getattr(self.config, 'REDIS_TLS_ENABLED', 'true').lower() == 'true' else "redis"
+            redis_url = f"{redis_protocol}://:{redis_password}@{redis_host}:{redis_port}/{redis_db}"
 
         # Create Redis connection using shared manager (handles SSL, pooling, health checks)
         self._redis_manager = await RedisConnectionManager.create(redis_url, decode_responses=False)

shared/redis_utils/client.py

@@ -173,9 +173,68 @@ class RedisConnectionManager:
                 if ssl_kwargs:
                     client_params['ssl'] = True
                     client_params['ssl_cert_reqs'] = ssl_kwargs.get('ssl_cert_reqs', ssl.CERT_NONE)
-                    client_params['ssl_ca_certs'] = ssl_kwargs.get('ssl_ca_certs')
+                    
-                    client_params['ssl_certfile'] = ssl_kwargs.get('ssl_certfile')
+                    # For Kubernetes environments, try to use mounted TLS certificates
-                    client_params['ssl_keyfile'] = ssl_kwargs.get('ssl_keyfile')
+                    # These are typically mounted at /tls/redis-cert.pem, /tls/redis-key.pem, /tls/ca-cert.pem
+                    import os
+                    ca_certs_path = os.getenv('REDIS_CA_CERTS_PATH', '/tls/ca-cert.pem')
+                    certfile_path = os.getenv('REDIS_CERTFILE_PATH', '/tls/redis-cert.pem')
+                    keyfile_path = os.getenv('REDIS_KEYFILE_PATH', '/tls/redis-key.pem')
+                    
+                    # Use environment variables or mounted files if they exist
+                    if os.path.exists(ca_certs_path):
+                        client_params['ssl_ca_certs'] = ca_certs_path
+                    elif ssl_kwargs.get('ssl_ca_certs'):
+                        client_params['ssl_ca_certs'] = ssl_kwargs.get('ssl_ca_certs')
+                    
+                    if os.path.exists(certfile_path):
+                        client_params['ssl_certfile'] = certfile_path
+                    elif ssl_kwargs.get('ssl_certfile'):
+                        client_params['ssl_certfile'] = ssl_kwargs.get('ssl_certfile')
+                    
+                    if os.path.exists(keyfile_path):
+                        client_params['ssl_keyfile'] = keyfile_path
+                    elif ssl_kwargs.get('ssl_keyfile'):
+                        client_params['ssl_keyfile'] = ssl_kwargs.get('ssl_keyfile')
+                    
+                    # Add additional SSL context parameters for better compatibility
+                    # These help with SSL handshake issues and protocol compatibility
+                    client_params['ssl_check_hostname'] = False  # Disable hostname verification for self-signed certs
+                    
+                    # Add SSL context with specific protocol versions for better compatibility
+                    # This helps with "wrong version number" and "unexpected eof" SSL errors
+                    import ssl as ssl_module
+                    ssl_context = ssl_module.create_default_context(
+                        purpose=ssl_module.Purpose.SERVER_AUTH,
+                        cafile=client_params.get('ssl_ca_certs')
+                    )
+                    ssl_context.check_hostname = False
+                    ssl_context.verify_mode = client_params.get('ssl_cert_reqs', ssl_module.CERT_NONE)
+                    
+                    # Set minimum TLS version for better security and compatibility
+                    # TLS 1.2 is widely supported and secure enough for internal cluster communication
+                    ssl_context.minimum_version = ssl_module.TLSVersion.TLSv1_2
+                    
+                    # If client certificates are provided, load them
+                    if client_params.get('ssl_certfile') and client_params.get('ssl_keyfile'):
+                        ssl_context.load_cert_chain(
+                            certfile=client_params.get('ssl_certfile'),
+                            keyfile=client_params.get('ssl_keyfile')
+                        )
+                    
+                    client_params['ssl_context'] = ssl_context
+                    
+                    # Debug: Log the SSL configuration being used
+                    self.logger.debug(
+                        "redis_ssl_config",
+                        ssl_enabled=True,
+                        ssl_cert_reqs=client_params.get('ssl_cert_reqs'),
+                        ssl_ca_certs=client_params.get('ssl_ca_certs'),
+                        ssl_certfile=client_params.get('ssl_certfile'),
+                        ssl_keyfile=client_params.get('ssl_keyfile'),
+                        ssl_check_hostname=False,
+                        ssl_minimum_version="TLSv1_2"
+                    )
                 
                 self._client = redis.Redis(**client_params)
             else:
@@ -199,9 +258,6 @@ class RedisConnectionManager:
 
                 self._client = redis.Redis(connection_pool=self._pool)
 
-            # Create Redis client with pool
-            self._client = redis.Redis(connection_pool=self._pool)
-
             # Test connection
             await self._client.ping()