Local Redis
Bring your own local Redis instance, such as a Redis Enterprise deployment in your cluster.
About
Instead of using the built-in local RedisĀ®*
1 instances, you can achieve higher availability, disaster recovery, and enhanced control and security by deploying your own Redis instances locally to the cluster. For more information, see About Redis.
Step 1: Deploy Redis to your cluster
Deploy a local Redis instance to your cluster.
Determine the cluster that you want to deploy Redis instances to. For multicluster setups, use an external Redis instance in a cloud provider instead.
Make sure that the local Redis instance can connect to the Gloo Mesh Gateway components that you want to back up. For example, you might choose to deploy the Redis instance to the same Kubernetes namespace as the component. Otherwise, you might need to ensure connectivity across the namespaces.
Configure any deployment options that you want, such as resource requests and limits.
Set up data persistence. You can also configure single-region, multi-zone HA with automatic failover by using a single, sharded Redis Enterprise instance with one primary and up to five replicas. For more information, see the Redis docs.
Deploy your Redis instance. For more information, see the Redis Enterprise for Kubernetes docs or Redis Community Edition docs.
Step 2: Get your Gloo environment details
You can configure Redis during an initial installation or by performing an upgrade. Either way, you can configure the Redis details in your Helm values file.
Installation
If you have not installed Gloo Mesh Gateway yet, prepare details for your installation.
Decide the Helm release namespace to use. The example uses the names suggested throughout the documentation,
gloo-platform
andgloo-mesh
.export GLOO_MESH_RELEASE_NAMESPACE=gloo-mesh
Create a Helm values file for your installation, such as
gloo-single.yaml
for a single cluster ormgmt-plane.yaml
anddata-plane.yaml
for a multicluster environment.
Upgrade
If you are upgrading Gloo Mesh Gateway to set up Redis, get the details of your installation.
Save the details of your Gloo Mesh Gateway installation, including the Helm chart namespace for the component that you want to set up the Redis instance for. In the following example, the release name is
gloo-platform
and the namespace isgloo-mesh
, but you can update your values accordingly.export GLOO_MESH_RELEASE_NAMESPACE=gloo-mesh
To get the values for your own release, run the following Helm command.
helm list --all-namespaces
NAME NAMESPACE REVISION UPDATED STATUS CHART gloo-platform gloo-mesh 1 2023-09-01 13:26:56.061102 -0400 EDT deployed gloo-platform-2.6.6
Get your Gloo Platform Helm values file. For more information, see Upgrade guide.
Single cluster:
helm get values gloo-platform -o yaml -n gloo-mesh > gloo-single.yaml open gloo-single.yaml
Multicluster:
helm get values gloo-platform -n gloo-mesh -o yaml --kube-context $MGMT_CONTEXT > mgmt-plane.yaml open mgmt-plane.yaml
helm get values gloo-platform -n gloo-mesh -o yaml --kube-context $REMOTE_CONTEXT > data-plane.yaml open data-plane.yaml
Step 3: Set up the Redis store
Through Helm, you can configure Redis to store the data for several Gloo Mesh Gateway, as described in About Redis. After, Gloo deploys a Redis instance for each one based on the details that you configure.
When you install or upgrade Gloo Mesh Gateway, include the following Helm values to enable each component to use your own local Redis instance.
Step 4: Set up Redis authentication
Choose how to authenticate with your Redis cluster. Depending on your Redis provider, you might be required to use a specific authentication method, such as TLS certificates or a username and password.
TLS-encryption
Use your own public Certificate Authority (CA) certificate so that the Gloo client can establish trust for the TLS connection to the Redis server instance. Note that server-side credentials for a mutual TLS (mTLS) connection are currently not supported.
Enable TLS connections in your Redis instance. For more information, see the Redis Enterprise docs or the Redis Community Edition docs.
Create your own certificates such as with
openssl
orcert-manager
to make the public CA certificate,ca.crt
.Create a Kubernetes secret to store the TLS credentials in the same namespace as the Gloo component that uses the Redis instance, such as
gloo-mesh
for the management server or UI. Run the following command from the local directory where your TLS certificates and key were created. Update the filenames of the certificate as necessary.kubectl apply -f - <<EOF apiVersion: v1 kind: Secret type: Opaque metadata: name: "redis-certs" namespace: $GLOO_MESH_RELEASE_NAMESPACE data: ca.crt: $(cat ca.crt | base64 | tr -d '\n') EOF
Prepare the
redis.certs
section of the Helm values file that you previously retrieved with the details of the secret that you previously created.
Password authentication
For a username and password auth, complete the following steps.
Enable password auth for your Redis instance. For more information, see the Redis Enterprise docs or Redis Community Edition docs.
Save the following values as environment variables.
- Username: If your Redis instance does not have a username, you can omit this value.
- Password: Note the password string.
export REDIS_UN=default export REDIS_PW=<password>
Create a Kubernetes secret to store the credentials in the same namespace as the management server.
kubectl apply -f- <<EOF apiVersion: v1 kind: Secret type: Opaque metadata: name: redis-auth-secrets namespace: $GLOO_MESH_RELEASE_NAMESPACE stringData: # If Redis doesn't have an explicit username, omit the username field. username: "$REDIS_UN" password: "$REDIS_PW" EOF
Prepare the
redis.auth
section of the Helm values file that you previously retrieved.
Step 5: Configure the telemetry pipeline
If you enable the insights engine and bring your own Redis instance, you must also update the Gloo telemetry pipeline installation in your Helm values file with the details for your Redis instance.
Update the telemetry collector section with the extra volumes that are required to bring your own Redis instance.
- redis-certs
secretName
: If you use a TLS connection for Redis, update the redis-certssecretName
field with the name of the secret that you created in a previous step.
telemetryCollector: enabled: true extraVolumes: - name: tls-keys projected: sources: - secret: name: gloo-telemetry-gateway-ca-certs optional: true - secret: name: gloo-telemetry-gateway-tls-secret optional: true - name: telemetry-configmap configMap: name: gloo-telemetry-gateway-config items: - key: relay path: relay.yaml - name: redis-certs secret: secretName: redis-certs optional: true extraVolumeMounts: - name: tls-keys readOnly: true mountPath: /etc/otel-certs - name: telemetry-configmap mountPath: /conf - mountPath: /etc/redis-certs name: redis-certs
- redis-certs
Customize the telemetry collector with an extra exporter that sends data to your own Redis instance. The example includes required stream attributes. Update the following fields with the details of your Redis instance.
endpoint
: Provide the address to your own external Redis instance. For local instances in the cluster, this value is typically the Kubernetes service name that the Gloo component can access, such asmy-redis.redis:6379
.tls
: Provide the details to use for the TLS connection. Include the key name in the data section of the redis-certs Kubernetes secret that has the CA certificate to use, such asca.crt
, that you previously mounted.username
: If you use Redis auth password security, include the username in this field. If you do not have a username, omit this field.password
: If you use Redis auth password security, include the password in this field.
telemetryCollectorCustomization: extraExporters: redisstream/ui: endpoint: <my-redis.redis:6379> expire: 30m stream: ui stream_attributes: resource_attributes: - cluster_name - source - component - k8s.pod.name - k8s.container.name tls: ca_file: /etc/redis-certs/ca.crt insecure: false username: <username> password: <password>
Multicluster setup: Update the telemetry collector section with the extra volumes that are required to bring your own Redis instance.
- redis-certs
secretName
: If you use a TLS connection for Redis, update the redis-certssecretName
field with the name of the secret that you created in a previous step.
telemetryGateway: enabled: true extraVolumes: - name: redis-certs secret: secretName: redis-certs optional: true extraVolumeMounts: - mountPath: /etc/redis-certs name: redis-certs
- redis-certs
Customize the telemetry gateway with an extra exporter that sends data to your own Redis instance. The example includes required stream attributes and an example for AWS ElastiCache. Update the following fields with the details of your Redis instance.
endpoint
: Provide the address to your own external Redis instance. For local instances in the cluster, this value is typically the Kubernetes service name that the Gloo component can access, such asmy-redis.redis:6379
.tls
: Provide the details to use for the TLS connection. Include the key name in the data section of the redis-certs Kubernetes secret that has the CA certificate to use, such asca.crt
, that you previously mounted.username
: If you use Redis auth password security, include the username in this field. If you do not have a username, omit this field.password
: If you use Redis auth password security, include the password in this field.
telemetryGatewayCustomization: extraExporters: redisstream/basic: endpoint: <my-redis.redis:6379> tls: {} username: <username> password: <redis-password> redisstream/ui: endpoint: <my-redis.redis:6379> expire: 30m stream: ui stream_attributes: resource_attributes: - cluster_name - source - component - k8s.pod.name - k8s.container.name tls: ca_file: /etc/redis-certs/ca.crt insecure: false username: <username> password: <password>
Now, the Gloo telemetry pipeline is ready to use your own Redis instance to store logs about the insights. Later, you can set up Istio insights to display in the Gloo UI by configuring the logs/analyzer
pipeline in Gloo telemetry. For more information, see Add Istio insights.
Step 6: Configure API key details for the developer portal
If you use the developer portal, configure details related to storing API keys in the Redis instance for the external auth service. By default, the configuration that you set for redisStore.extAuthService
is also used by the portal server. This way, the portal server can write API keys that protect the APIs exposed in the developer portal, and the external auth service can read the same API keys to authenticate requests.
redisStore.extAuthService.client.secretKey
: Replace with a random string to use to hash the API keys that are stored in Redis. The example uses"ThisIsSecret"
.
redisStore:
extAuthService:
client:
secretKey: "ThisIsSecret"
Step 7: Configure other Redis settings
Further configure the default Redis values. For specific fields and more information, check the Helm reference for each component of the redisStore
section.
Common configuration sections include:
- Client connection details, such as redirects, retries, and max connections.
Step 8: Install or upgrade with Helm
You can continue to install or upgrade Gloo Mesh Gateway to use your own Redis instance. Include the Helm values file that you prepared in the previous steps.
The following example commands are provided for quick reference. For more details, consult the install or upgrade guides.
Step 9: Verify the connection
To review the data that is stored in Redis, you can connect to the local Redis instance. If you bring your own Redis, you must use those connection values. For more information, see your Redis provider docs, such as Amazon ElastiCache or Google Cloud Memorystore.
Choose between using the Redis CLI or RedisInsights.
Redis CLI
You can use the Redis CLI that is built into your deployment to review the data in your database.
Install Redis in your cluster so that you can use the
redis-cli
to connect to your Redis instance.From your terminal, log in to the Redis pod and open a Redis CLI shell.
Run Redis CLI commands, such as
monitor
orkeys
. For more information, see the Redis docs.Example response of data populated by the management server:
keys * 1) "$CLUSTER_NAME~apps~v1~Deployment" 2) "reports#$CLUSTER_NAME#httpbin#$CLUSTER_NAME" 3) "$CLUSTER_NAME~install.istio.io~v1alpha1~IstioOperator" 4) "reports#$CLUSTER_NAME#gloo-mesh#globalcccfde00-e4a9-4867-b6c0-5df8601f6e1e" 5) "$CLUSTER_NAME~admissionregistration.k8s.io~v1~MutatingWebhookConfiguration" 6) "reports#idx" 7) "reports#$CLUSTER_NAME#store#$CLUSTER_NAME" 8) "gloo.mesh.key.set"
Example response of rate limit counters:
monitor OK 1681223733.198361 [0 10.xxx.x.x:xxxxx] "INCRBY" "tree|solo.io|generic_key^gloo-mesh.rl-server-config-gloo-mesh-$CLUSTER_NAME-rate-limiter|generic_key^counter|1718236800" "1"
Example response of API keys for the external auth service and portal server add-ons. Note that the API key name and value are hashed based on the
apiKeyStorage.secretKey
that you configured when setting up the add-ons.keys * 1) "1bbe3f25-5a2a-4797-8ac0-d59c7480377a" 2) "abcmHk2Iwcy3VL+NNswyrs3B4YIEx39BG84jzwcoWB8=" get "1bbe3f25-5a2a-4797-8ac0-d59c7480377a" "xksmHk2Iwcy3VL+NNswyrs3B4YIEx39BG84jzwcoWB8=" get "abcmHk2Iwcy3VL+NNswyrs3B4YIEx39BG84jzwcoWB8=" "{\"api_key\":\"abcmHk2Iwcy3VL+NNswyrs3B4YIEx39BG84jzwcoWB8=\",\"labels\":[\"first.last@example.com\"],\"metadata\":{\"config_id\":\"gloo-mesh.api-key-auth-default-cluster-name-mgt-ext-auth-service\",\"created-ts-unix\":\"1718742070\",\"name\":\"gold-api-key-name\",\"usagePlan\":\"gold\",\"username\":\"first.last@example.com\"},\"uuid\":\"1bbe3f25-5a2a-4797-8ac0-d59c7480377a\"}"
RedisInsights
RedisInsights is a desktop application that you can install for UI- and CLI-based interactions. For more information, see the Redis docs.
- Install RedisInsights. The steps vary depending on where you want to install the app.
- On your local machine: Download RedisInsights.
- In your Kubernetes cluster: See the Redis docs.
- Enable port forwarding on the Redis deployment. Update the namespace and deployment to match the Redis instance in your cluster.
kubectl port-forward -n gloo-mesh deploy/gloo-mesh-redis 6379
- Launch the RedisInsights app.
- Click + Add Redis Database and enter in your localhost and port details, which by default are
127.0.0.1:6379
. - Click the database that you just added.
- Use the UI or CLI to explore the data. For example, you can click the Browser tab (the key icon) and toggle the Key view to explore all of the keys in the database instance, as shown in the following screenshot.
*
Redis is a registered trademark of Redis Ltd. Any rights therein are reserved to Redis Ltd. Any use by Solo.io, Inc. is for referential purposes only and does not indicate any sponsorship, endorsement or affiliation between Redis and Solo.io. ↩︎