Fix redis ssl issues 4

2026-01-24 21:33:40 +01:00
parent 8568aea9a8
commit 0e95bdc468
8 changed files with 104 additions and 11 deletions
--- a/infrastructure/environments/common/configs/configmap.yaml
+++ b/infrastructure/environments/common/configs/configmap.yaml
@@ -488,4 +488,4 @@ data:
  EXTERNAL_ENABLED_CITIES: "madrid"
  EXTERNAL_RETENTION_MONTHS: "6"  # Reduced from 24 to avoid memory issues during init
  EXTERNAL_CACHE_TTL_DAYS: "7"
-  EXTERNAL_REDIS_URL: "rediss://redis-service:6379/0?ssl_cert_reqs=none"
+  EXTERNAL_REDIS_URL: "rediss://redis-service:6379/0"
--- a/infrastructure/services/microservices/alert-processor/alert-processor.yaml
+++ b/infrastructure/services/microservices/alert-processor/alert-processor.yaml
@@ -121,6 +121,15 @@ spec:
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 3
+        volumeMounts:
+        - name: redis-tls
+          mountPath: /tls
+          readOnly: true
+      volumes:
+      - name: redis-tls
+        secret:
+          secretName: redis-tls-secret
+          defaultMode: 0400
 ---
 apiVersion: v1
 kind: Service
--- a/infrastructure/services/microservices/auth/auth-service.yaml
+++ b/infrastructure/services/microservices/auth/auth-service.yaml
@@ -178,6 +178,10 @@ spec:
          timeoutSeconds: 3
          periodSeconds: 5
          failureThreshold: 5
+        volumeMounts:
+        - name: redis-tls
+          mountPath: /tls
+          readOnly: true
      volumes:
      - name: redis-tls
        secret:
--- a/infrastructure/services/microservices/demo-session/demo-cleanup-worker.yaml
+++ b/infrastructure/services/microservices/demo-session/demo-cleanup-worker.yaml
@@ -71,7 +71,7 @@ spec:
              name: redis-secrets
              key: REDIS_PASSWORD
        - name: REDIS_URL
-          value: "rediss://:$(REDIS_PASSWORD)@redis-service:6379/0?ssl_cert_reqs=none"
+          value: "rediss://:$(REDIS_PASSWORD)@redis-service:6379/0"
        - name: LOG_LEVEL
          value: "INFO"
        - name: INVENTORY_SERVICE_URL
@@ -120,4 +120,13 @@ spec:
          initialDelaySeconds: 10
          periodSeconds: 30
          timeoutSeconds: 5
+        volumeMounts:
+        - name: redis-tls
+          mountPath: /tls
+          readOnly: true
      restartPolicy: Always
+      volumes:
+      - name: redis-tls
+        secret:
+          secretName: redis-tls-secret
+          defaultMode: 0400
--- a/infrastructure/services/microservices/demo-session/deployment.yaml
+++ b/infrastructure/services/microservices/demo-session/deployment.yaml
@@ -43,7 +43,7 @@ spec:
              name: redis-secrets
              key: REDIS_PASSWORD
        - name: REDIS_URL
-          value: "rediss://:$(REDIS_PASSWORD)@redis-service:6379/0?ssl_cert_reqs=none"
+          value: "rediss://:$(REDIS_PASSWORD)@redis-service:6379/0"
        - name: AUTH_SERVICE_URL
          value: "http://auth-service:8000"
        - name: TENANT_SERVICE_URL
@@ -77,6 +77,10 @@ spec:
          httpGet:
            path: /health
            port: 8000
+        volumeMounts:
+        - name: redis-tls
+          mountPath: /tls
+          readOnly: true
          initialDelaySeconds: 30
          periodSeconds: 30
        readinessProbe:
@@ -133,3 +137,8 @@ spec:
          limits:
            memory: "128Mi"
            cpu: "100m"
+      volumes:
+      - name: redis-tls
+        secret:
+          secretName: redis-tls-secret
+          defaultMode: 0400
--- a/infrastructure/services/microservices/external/external-service.yaml
+++ b/infrastructure/services/microservices/external/external-service.yaml
@@ -187,6 +187,10 @@ spec:
          timeoutSeconds: 3
          periodSeconds: 5
          failureThreshold: 5
+        volumeMounts:
+        - name: redis-tls
+          mountPath: /tls
+          readOnly: true
      volumes:
      - name: redis-tls
        secret:
--- a/services/procurement/app/services/delivery_tracking_service.py
+++ b/services/procurement/app/services/delivery_tracking_service.py
@@ -67,7 +67,9 @@ class DeliveryTrackingService:
            redis_host = getattr(self.config, 'REDIS_HOST', 'localhost')
            redis_port = getattr(self.config, 'REDIS_PORT', 6379)
            redis_db = getattr(self.config, 'REDIS_DB', 0)
-            redis_url = f"redis://:{redis_password}@{redis_host}:{redis_port}/{redis_db}"
+            # Use rediss:// for TLS connections (matches the shared config base)
+            redis_protocol = "rediss" if getattr(self.config, 'REDIS_TLS_ENABLED', 'true').lower() == 'true' else "redis"
+            redis_url = f"{redis_protocol}://:{redis_password}@{redis_host}:{redis_port}/{redis_db}"

        # Create Redis connection using shared manager (handles SSL, pooling, health checks)
        self._redis_manager = await RedisConnectionManager.create(redis_url, decode_responses=False)
--- a/shared/redis_utils/client.py
+++ b/shared/redis_utils/client.py
@@ -173,9 +173,68 @@ class RedisConnectionManager:
                if ssl_kwargs:
                    client_params['ssl'] = True
                    client_params['ssl_cert_reqs'] = ssl_kwargs.get('ssl_cert_reqs', ssl.CERT_NONE)
-                    client_params['ssl_ca_certs'] = ssl_kwargs.get('ssl_ca_certs')
-                    client_params['ssl_certfile'] = ssl_kwargs.get('ssl_certfile')
-                    client_params['ssl_keyfile'] = ssl_kwargs.get('ssl_keyfile')
+                    
+                    # For Kubernetes environments, try to use mounted TLS certificates
+                    # These are typically mounted at /tls/redis-cert.pem, /tls/redis-key.pem, /tls/ca-cert.pem
+                    import os
+                    ca_certs_path = os.getenv('REDIS_CA_CERTS_PATH', '/tls/ca-cert.pem')
+                    certfile_path = os.getenv('REDIS_CERTFILE_PATH', '/tls/redis-cert.pem')
+                    keyfile_path = os.getenv('REDIS_KEYFILE_PATH', '/tls/redis-key.pem')
+                    
+                    # Use environment variables or mounted files if they exist
+                    if os.path.exists(ca_certs_path):
+                        client_params['ssl_ca_certs'] = ca_certs_path
+                    elif ssl_kwargs.get('ssl_ca_certs'):
+                        client_params['ssl_ca_certs'] = ssl_kwargs.get('ssl_ca_certs')
+                    
+                    if os.path.exists(certfile_path):
+                        client_params['ssl_certfile'] = certfile_path
+                    elif ssl_kwargs.get('ssl_certfile'):
+                        client_params['ssl_certfile'] = ssl_kwargs.get('ssl_certfile')
+                    
+                    if os.path.exists(keyfile_path):
+                        client_params['ssl_keyfile'] = keyfile_path
+                    elif ssl_kwargs.get('ssl_keyfile'):
+                        client_params['ssl_keyfile'] = ssl_kwargs.get('ssl_keyfile')
+                    
+                    # Add additional SSL context parameters for better compatibility
+                    # These help with SSL handshake issues and protocol compatibility
+                    client_params['ssl_check_hostname'] = False  # Disable hostname verification for self-signed certs
+                    
+                    # Add SSL context with specific protocol versions for better compatibility
+                    # This helps with "wrong version number" and "unexpected eof" SSL errors
+                    import ssl as ssl_module
+                    ssl_context = ssl_module.create_default_context(
+                        purpose=ssl_module.Purpose.SERVER_AUTH,
+                        cafile=client_params.get('ssl_ca_certs')
+                    )
+                    ssl_context.check_hostname = False
+                    ssl_context.verify_mode = client_params.get('ssl_cert_reqs', ssl_module.CERT_NONE)
+                    
+                    # Set minimum TLS version for better security and compatibility
+                    # TLS 1.2 is widely supported and secure enough for internal cluster communication
+                    ssl_context.minimum_version = ssl_module.TLSVersion.TLSv1_2
+                    
+                    # If client certificates are provided, load them
+                    if client_params.get('ssl_certfile') and client_params.get('ssl_keyfile'):
+                        ssl_context.load_cert_chain(
+                            certfile=client_params.get('ssl_certfile'),
+                            keyfile=client_params.get('ssl_keyfile')
+                        )
+                    
+                    client_params['ssl_context'] = ssl_context
+                    
+                    # Debug: Log the SSL configuration being used
+                    self.logger.debug(
+                        "redis_ssl_config",
+                        ssl_enabled=True,
+                        ssl_cert_reqs=client_params.get('ssl_cert_reqs'),
+                        ssl_ca_certs=client_params.get('ssl_ca_certs'),
+                        ssl_certfile=client_params.get('ssl_certfile'),
+                        ssl_keyfile=client_params.get('ssl_keyfile'),
+                        ssl_check_hostname=False,
+                        ssl_minimum_version="TLSv1_2"
+                    )
                
                self._client = redis.Redis(**client_params)
            else:
@@ -199,9 +258,6 @@ class RedisConnectionManager:

                self._client = redis.Redis(connection_pool=self._pool)

-            # Create Redis client with pool
-            self._client = redis.Redis(connection_pool=self._pool)
-
            # Test connection
            await self._client.ping()