Open
Labels: enhancement (New feature or request)
Description
Is your feature request related to a problem? Please describe.
Yes, I'm getting the following error from my golang redis client:

```
WARN: failed to establish connection to redis primary server, Error: tls: failed to verify certificate: x509: cannot validate certificate for 10.107.244.10 because it doesn't contain any IP SANs.
```
Describe the solution you'd like
A chart option or documented configuration that lets Sentinel (and Redis) use hostnames instead of IPs, so clients can verify TLS certs containing DNS SANs.
Additional context
Chart: dandydev/redis-ha
Use case: Enable TLS for Redis+Sentinel on Kubernetes where certificates include DNS SANs only (no IP SANs).
Client: Go (github.com/redis/go-redis) talking to Redis master discovered via Sentinel.
When I pass the following helm values:

```yaml
auth: true
authKey: redis-password
existingSecret: "myredispass-secret"
tls:
  secretName: "mytls-secret"
  certFile: tls.crt
  keyFile: tls.key
  caCertFile: ca.crt
redis:
  port: 0
  tlsPort: 6379
  tlsReplication: true
  masterGroupName: "mymaster"
sentinel:
  port: 0
  tlsPort: 26379
  tlsReplication: true
```

I'm getting the following error from my golang redis client:

```
WARN: failed to establish connection to redis primary server, Error: tls: failed to verify certificate: x509: cannot validate certificate for 10.107.244.10 because it doesn't contain any IP SANs.
```
/data/conf/sentinel.conf:

```
sentinel myid cbd4eca4b68e668fb637b464f0fafc8a439021fc
sentinel monitor mymaster 10.98.150.136 6379 2
dir "/data"
port 0
tls-port 26379
tls-cert-file "/tls-certs/tls.crt"
tls-key-file "/tls-certs/tls.key"
tls-ca-cert-file "/tls-certs/ca.crt"
tls-replication yes
sentinel down-after-milliseconds mymaster 10000
maxclients 10000
sentinel parallel-syncs mymaster 5
sentinel auth-pass mymaster <secret redis pass content>
sentinel announce-ip "10.98.34.188"
sentinel announce-port 26379
# Generated by CONFIG REWRITE
latency-tracking-info-percentiles 50 99 99.9
user default on nopass sanitize-payload ~* &* +@all
sentinel config-epoch mymaster 0
sentinel leader-epoch mymaster 0
sentinel known-replica mymaster 10.111.234.38 6379
sentinel current-epoch 0
sentinel known-replica mymaster 10.98.34.188 6379
sentinel known-sentinel mymaster 10.98.150.136 26379 e7e44533b73a8af89229dafb5608330cba08fa20
sentinel known-sentinel mymaster 10.111.234.38 26379 da6bbb41d4c02a348620d284b1321b8a282f63b2
```
Notes:
- The `mytls-secret` contains SANs for hostnames, not IP addresses, because we're working with modern Kubernetes environments where I cannot guarantee the IP address that will be used.
- Does the sentinel support hostnames instead of IP addresses?
Apparently, the sentinel.conf is missing something like this:

```
# sentinel.conf
sentinel monitor mymaster <redis master>.<namespace>.svc 6379 2
sentinel resolve-hostnames yes
# optional but helpful so Sentinel keeps writing/returning hostnames instead of IPs
sentinel announce-hostnames yes
# if Sentinels need to announce themselves by DNS too
sentinel announce-ip <redis master>-<index>.<namespace>.svc
# replica-announce-ip is a redis.conf directive set on each replica, not a sentinel.conf directive
replica-announce-ip <redis master>.<namespace>.svc
```
Alex-Souslik
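As an added example (not part of this issue, the redis-ha chart, or go-redis), the following Go program reproduces the client-side check behind the error above using only the standard library's crypto/x509. It mints a self-signed certificate whose only SAN is a DNS name, as in `mytls-secret`, and then runs the same hostname verification that crypto/tls applies when a client dials an address: once against the IP `10.107.244.10` from the error message, once against the DNS name, and once against a non-matching name. The hostname `redis-ha-master.redis.svc` is a constructed placeholder, not a name from the chart.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newServerCert builds a self-signed certificate whose only SANs are the
// given DNS names (no IP SANs), mirroring a cert issued for a Kubernetes
// Service name. It is its own trust anchor so the example runs offline.
func newServerCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "redis-ha-example"}, // constructed
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              dnsNames, // DNS SANs only, no IPAddresses
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAs runs the chain + hostname verification a TLS client performs for
// the address it dialed. crypto/x509 matches an IP literal only against IP
// SANs and a hostname only against DNS SANs, which is why a Sentinel that
// hands out IPs cannot work with a DNS-SAN-only certificate.
func verifyAs(cert *x509.Certificate, dialedAddr string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // trust the self-signed cert, like caCertFile would
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dialedAddr, // IP literals are handled here too
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	cert, err := newServerCert([]string{"redis-ha-master.redis.svc"})
	if err != nil {
		panic(err)
	}
	// First address is the IP from the issue's error; the others are constructed.
	for _, addr := range []string{"10.107.244.10", "redis-ha-master.redis.svc", "other.redis.svc"} {
		if err := verifyAs(cert, addr); err != nil {
			fmt.Printf("dial %-27s -> FAIL: %v\n", addr, err)
		} else {
			fmt.Printf("dial %-27s -> ok\n", addr)
		}
	}
}
```

The IP case fails with the exact `x509: cannot validate certificate for 10.107.244.10 because it doesn't contain any IP SANs` text seen in the client log, because go-redis passes whatever address Sentinel returns straight to crypto/tls. Setting `ServerName` in the client's `tls.Config` is a client-side workaround (crypto/tls then verifies against that name regardless of the dialed address), but the change requested in this issue, Sentinel resolving and announcing hostnames, is what makes the dialed address itself match the DNS SAN.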