添加helm仓库
# 添加bitnami仓库
[root@master redis]# helm repo add bitnami https://charts.bitnami.com/bitnami
"bitnami" already exists with the same configuration, skipping
# 查看所有的仓库
[root@master redis]# helm repo list
NAME URL
appscode https://charts.appscode.com/stable/
harbor https://helm.goharbor.io
kvaps https://kvaps.github.io/charts
stable http://mirror.azure.cn/kubernetes/charts/
bitnami https://charts.bitnami.com/bitnami
查找redis Chart
[root@master redis]# helm search repo redis
NAME CHART VERSION APP VERSION DESCRIPTION
appscode/redis-alerts v2023.05.09 v0.2.0 A Helm chart for Redis Alert by AppsCode
bitnami/redis 18.0.4 7.2.1 Redis(R) is an open source, advanced key-value ...
bitnami/redis-cluster 9.0.5 7.2.1 Redis(R) is an open source, scalable, distribut...
stable/prometheus-redis-exporter 3.5.1 1.3.4 DEPRECATED Prometheus exporter for Redis metrics
stable/redis 10.5.7 5.0.7 DEPRECATED Open source, advanced key-value stor...
stable/redis-ha 4.4.6 5.0.6 DEPRECATED - Highly available Kubernetes implem...
stable/sensu 0.2.5 0.28 DEPRECATED Sensu monitoring framework backed by...
下载bitnami的redis Chart包(Helm 3 中 helm fetch 是 helm pull 的别名)
[root@master redis]# helm fetch bitnami/redis-cluster
[root@master redis]# ls
redis-cluster-9.0.5.tgz
解压缩并进入目录
[root@master redis]# tar -xf redis-cluster-9.0.5.tgz
[root@master redis]# cd redis-cluster/
[root@master redis-cluster]#
创建所需的证书文件
使用redis官方提供的脚本生成证书文件
将脚本保存为 sh 文件后直接执行即可。注意:这是 Redis 源码回归测试套件用来生成测试证书的脚本——证书主体固定为 "Redis Test"、没有 subjectAltName、叶子证书有效期只有 365 天,私钥按默认 umask 写出。用于生产环境前应改用自己的 PKI,或至少调整这些参数,并妥善保管 ca.key。
#!/bin/bash
# Generate some test certificates which are used by the regression test suite:
#
# tests/tls/ca.{crt,key} Self signed CA certificate.
# tests/tls/redis.{crt,key} A certificate with no key usage/policy restrictions.
# tests/tls/client.{crt,key} A certificate restricted for SSL client usage.
# tests/tls/server.{crt,key} A certificate restricted for SSL server usage.
# tests/tls/redis.dh DH Params file.
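generate_cert() {
  # Issue one leaf certificate signed by the test CA under tests/tls/.
  #
  # Arguments:
  #   $1 - base name; writes tests/tls/<name>.key and tests/tls/<name>.crt
  #   $2 - subject CN (the O is always "Redis Test")
  #   $3 - optional extra `openssl x509` options given as ONE string, e.g.
  #        "-extfile tests/tls/openssl.cnf -extensions server_cert".
  #        It is split on whitespace, exactly as the unquoted $opts was.
  # Requires tests/tls/ca.crt and tests/tls/ca.key to exist already.
  # Returns: non-zero when key generation or signing fails.
  local name=$1
  local cn="$2"
  local opts="${3-}"   # ${3-}: the 2-argument call stays safe under set -u
  local keyfile=tests/tls/${name}.key
  local certfile=tests/tls/${name}.crt

  local -a extra=()
  if [ -n "$opts" ]; then
    read -r -a extra <<<"$opts"
  fi

  # An existing key is reused. A new one is created under umask 077 so the
  # private key is 0600 instead of inheriting the caller's (usually 022) umask.
  if [ ! -f "$keyfile" ]; then
    ( umask 077 && openssl genrsa -out "$keyfile" 2048 ) || return 1
  fi

  # CSR on stdout, piped straight into the CA signing step. ca.txt is the
  # serial file; -CAcreateserial makes it on first use.
  openssl req \
    -new -sha256 \
    -subj "/O=Redis Test/CN=$cn" \
    -key "$keyfile" |
  openssl x509 \
    -req -sha256 \
    -CA tests/tls/ca.crt \
    -CAkey tests/tls/ca.key \
    -CAserial tests/tls/ca.txt \
    -CAcreateserial \
    -days 365 \
    "${extra[@]}" \
    -out "$certfile"
}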
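# Stop at the first failing step (including inside the req|x509 pipeline)
# instead of continuing with a half-generated tree. -u is deliberately not
# set: generate_cert is called with two arguments and reads $3.
set -eo pipefail

mkdir -p tests/tls

# Self-signed test CA. The CA key is created 0600; it only signs the leaf
# certificates below and must never be copied into the Kubernetes Secret.
[ -f tests/tls/ca.key ] || ( umask 077 && openssl genrsa -out tests/tls/ca.key 4096 )
openssl req \
  -x509 -new -nodes -sha256 \
  -key tests/tls/ca.key \
  -days 3650 \
  -subj '/O=Redis Test/CN=Certificate Authority' \
  -out tests/tls/ca.crt

# Extension profiles for the server-only and client-only certificates.
# NOTE(review): no subjectAltName is set anywhere, so these are test
# certificates; a client that verifies the server hostname will reject them.
cat > tests/tls/openssl.cnf <<'_END_'
[ server_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = server
[ client_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = client
_END_

generate_cert server "Server-only" "-extfile tests/tls/openssl.cnf -extensions server_cert"
generate_cert client "Client-only" "-extfile tests/tls/openssl.cnf -extensions client_cert"
# Unrestricted certificate (no key-usage extensions); this is the pair the
# Helm values later hand to the chart as certFilename/certKeyFilename.
generate_cert redis "Generic-cert"

# DH parameters are optional for Redis TLS; only generated when missing.
[ -f tests/tls/redis.dh ] || openssl dhparam -out tests/tls/redis.dh 2048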
脚本生成的证书文件如下
[root@node1 cert3]# ls tests/tls/
ca.crt ca.key ca.txt client.crt client.key openssl.cnf redis.crt redis.dh redis.key server.crt server.key
创建命名空间
后面用 helm 部署时,所有资源都创建在这个 namespace 下
[root@master redis-cluster]# kubectl create ns ssl-redis2
namespace/ssl-redis2 created
使用上面创建的证书文件创建Secret
# 在前面生成证书文件的目录(tests/tls)执行如下操作;只把 ca.crt、redis.crt、redis.key 放进 Secret,ca.key 留在集群之外且不要提交到代码仓库
kubectl create secret generic certificates-tls-secret --from-file=./ca.crt --from-file=./redis.crt --from-file=./redis.key -n ssl-redis2
修改values.yaml中的一些变量
# 修改下其中的密码和默认的storageclass
global:
imageRegistry: ""
## E.g.
## imagePullSecrets:
## - myRegistryKeySecretName
##
imagePullSecrets: []
storageClass: "rook-ceph-block" # 需要改下自己服务器上的sc名称
redis:
password: "new_password123456" # 连接redis集群使用的密码(示例值,请换成随机生成的强密码;values.yaml 里是明文,不要把它提交到代码仓库)
# 修改文件中tls的部分如下
tls:
## @param tls.enabled Enable TLS support for replication traffic
##
enabled: true # 启用tls
## @param tls.authClients Require clients to authenticate or not
##
authClients: true # 要求客户端出示由 ca.crt 签发的证书(mTLS),连接时需提供客户端证书(见下文 redis-cli 的 --cert/--key)
## @param tls.autoGenerated Generate automatically self-signed TLS certificates
##
autoGenerated: false
## @param tls.existingSecret The name of the existing secret that contains the TLS certificates
##
existingSecret: "certificates-tls-secret" # 使用前面创建的Secret
## @param tls.certificatesSecret DEPRECATED. Use tls.existingSecret instead
##
certificatesSecret: ""
## @param tls.certFilename Certificate filename
##
certFilename: "redis.crt" # certificates-tls-secret这个Secret中的键
## @param tls.certKeyFilename Certificate key filename
##
certKeyFilename: "redis.key" # certificates-tls-secret这个Secret中的键
## @param tls.certCAFilename CA Certificate filename
##
certCAFilename: "ca.crt" # certificates-tls-secret这个Secret中的键
## @param tls.dhParamsFilename File containing DH params (in order to support DH based ciphers)
##
dhParamsFilename: ""
使用helm部署redis集群
# -n 指定名称空间
# . 表示使用当前修改后的Chart进行部署
[root@master redis-cluster]# helm install redis-cluster . -n ssl-redis2
查看部署情况(下面的输出来自名为 redis-cluester 的 release,与上面 helm install 用的 redis-cluster 不一致,按实际 release 名称查看即可)
[root@node1 ~]# kubectl get pods -n ssl-redis2
NAME READY STATUS RESTARTS AGE
redis-cluester-redis-cluster-0 1/1 Running 0 15m
redis-cluester-redis-cluster-1 1/1 Running 1 (14m ago) 15m
redis-cluester-redis-cluster-2 1/1 Running 1 (14m ago) 15m
redis-cluester-redis-cluster-3 1/1 Running 0 15m
redis-cluester-redis-cluster-4 1/1 Running 1 (14m ago) 15m
redis-cluester-redis-cluster-5 1/1 Running 1 (14m ago) 15m
测试连接
[root@node1 ~]# kubectl get service -n ssl-redis2
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
redis-cluester-redis-cluster ClusterIP 10.98.159.145 <none> 6379/TCP 15m
redis-cluester-redis-cluster-headless ClusterIP None <none> 6379/TCP,16379/TCP 15m
# 不使用 TLS 连接会失败:启用 tls 后服务端不再接受明文连接,因此报 I/O error
# -c参数指定连接时候使用集群模式
# -h指定连接的主机
# -a指定密码
[root@node1 ~]# redis-cli -c -h 10.98.159.145 -a new_password123456
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
I/O error
10.98.159.145:6379>
# 使用ssl连接。注意:这里把服务端的 redis.crt/redis.key 直接给了客户端,建议客户端改用脚本生成的 client.crt/client.key,避免服务端私钥外泄;密码也可以通过 REDISCLI_AUTH 环境变量传入,避免 -a 把密码留在命令行和 shell 历史中
[root@node1 tls]# redis-cli -c -h 10.98.159.145 --tls --cert ./redis.crt --key redis.key --cacert ca.crt -a new_password123456
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.98.159.145:6379> set book 10
-> Redirected to slot [1337] located at 10.244.3.64:6379
OK
10.244.3.64:6379> get book
"10"
10.244.3.64:6379>
遇到的错误
错误一
[root@node1 tls]# redis-cli -h 10.98.159.145 --tls --cert ./redis.crt --key redis.key --cacert ca.crt -a new_password123456
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
10.98.159.145:6379> set a 10
(error) MOVED 15495 10.244.4.33:6379
解决办法:没有以集群模式连接,收到 MOVED 重定向时客户端不会自动跟随;redis-cli 连接时加上 -c 参数即可