Configure TLS in Aonnis Valkey Cluster

TLS configuration is supported with cert-manager.

Refer to the cert-manager documentation for detailed guidance on configuring certificates. The Getting started Helm charts currently use self-signed certificates. However, for production environments, it is recommended to use a trusted Certificate Authority (CA) instead of self-signed certificates.

The following TLS configuration should be used to secure your cluster's TLS traffic:

tlsConfig

  • Type: Dictionary or Map
  • Description: TLS config for valkey cluster. TLS secret must be prepopulated before creating a valkey cluster.
  • Fields:
    • enabled:
      • Type: bool
      • Description: Is TLS enabled on valkey cluster or not.
      • Required: false
      • Default: false
    • insecure:
      • Type: bool
      • Description: Are TLS certificates signed by trusted CA or not
      • Required: false
      • Default: false
    • tlsCertSecretRef:
      • Type: CertSecretRef
      • Description: Reference of secret where tls cert is stored
      • Required: true
    • tlsKeySecretRef:
      • Type: CertSecretRef
      • Description: Reference of secret where tls key is stored
      • Required: true
    • tlsCaSecretRef:
      • Type: CertSecretRef
      • Description: Reference of secret where tls ca cert is stored
      • Required: true
  • Example:
    tlsConfig:
      enabled: true
      insecure: true
      tlsCertSecretRef:
        name: valkey-tls-secret
        key: tls.crt
      tlsKeySecretRef:
        name: valkey-tls-secret
        key: tls.key
      tlsCaSecretRef:
        name: valkey-tls-secret
        key: ca.crt

What is insecure in tlsConfig

The insecure flag in tlsConfig determines how Aonnis Valkey Panther handles TLS certificate validation. Since Aonnis Valkey Panther must distinguish between self-signed and CA-issued certificates to manage them effectively, this flag provides a mechanism to indicate whether self-signed certificates are being used.

By default, Aonnis Valkey Panther assumes that TLS certificates are issued by a trusted Certificate Authority (CA). If self-signed certificates are in use, setting insecure: true explicitly informs the system to bypass strict certificate validation, ensuring proper handling of TLS connections. However, for production environments, it is strongly recommended to use CA-signed certificates and keep insecure set to false to maintain security and compliance best practices.
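
For the production setup recommended above, the following cert-manager resources prepopulate valkey-tls-secret from a CA issuer, followed by the matching tlsConfig with insecure left at false. This is an added example, not taken from the Aonnis documentation; the namespace, the Issuer and Certificate names, the CA key pair secret and the DNS names are assumptions to replace with your own.

```yaml
# Added example. Assumed names: namespace "valkey", Issuer "valkey-ca-issuer",
# Certificate "valkey-tls", CA key pair Secret "valkey-ca-key-pair", DNS names.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: valkey-ca-issuer
  namespace: valkey
spec:
  ca:
    secretName: valkey-ca-key-pair    # Secret holding your CA's tls.crt and tls.key
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: valkey-tls
  namespace: valkey
spec:
  # cert-manager writes tls.crt, tls.key and ca.crt into this Secret,
  # which are the three keys the tlsConfig references below.
  secretName: valkey-tls-secret
  usages:
    - server auth
    - client auth                     # assumption: the certificate is also presented by clients
  dnsNames:                           # assumed service names; use the ones your clients dial
    - valkey.valkey.svc
    - "*.valkey.valkey.svc.cluster.local"
  issuerRef:
    name: valkey-ca-issuer
    kind: Issuer
    group: cert-manager.io
---
# tlsConfig in the form documented on this page. Not a standalone resource:
# it goes wherever your cluster definition sets tlsConfig.
tlsConfig:
  enabled: true
  insecure: false                     # certificates chain to a trusted CA
  tlsCertSecretRef:
    name: valkey-tls-secret
    key: tls.crt
  tlsKeySecretRef:
    name: valkey-tls-secret
    key: tls.key
  tlsCaSecretRef:
    name: valkey-tls-secret
    key: ca.crt
```

Wait for the Certificate to report Ready before creating the cluster, since the secret must already exist at creation time.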

danger

Once a cluster is created with the insecure flag enabled or disabled, changing this flag at a later stage is strongly discouraged. Modifying this setting after deployment may cause Aonnis Valkey Panther to lose its ability to manage the cluster effectively. As a result, the Valkey cluster could become unmanaged, leading to potential security and operational risks.

To ensure stability and maintain proper cluster management, it is recommended to carefully determine the insecure flag value during the initial setup and avoid altering it post-deployment.

We are actively working on enhancing this functionality to allow seamless updates to the insecure flag in the future without impacting cluster management.