About

Instead of using the built-in local RedisĀ®* 1 instances, you can achieve higher availability, disaster recovery, and enhanced control and security by deploying your own Redis instances locally to the cluster. For more information, see About Redis.

Step 1: Deploy Redis to your cluster

Deploy a local Redis instance to your cluster.

  1. Determine the cluster that you want to deploy Redis instances to. For multicluster setups, use an external Redis instance in a cloud provider instead.

  2. Make sure that the local Redis instance can connect to the Gloo Mesh Gateway components that you want to back up. For example, you might choose to deploy the Redis instance to the same Kubernetes namespace as the component. Otherwise, you might need to ensure connectivity across the namespaces.

  3. Configure any deployment options that you want, such as resource requests and limits.

  4. Set up data persistence. You can also configure single-region, multi-zone HA with automatic failover by using a single, sharded Redis Enterprise instance with one primary and up to five replicas. For more information, see the Redis docs.

  5. Deploy your Redis instance. For more information, see the Redis Enterprise for Kubernetes docs or Redis Community Edition docs.

Step 2: Get your Gloo environment details

You can configure Redis during an initial installation or by performing an upgrade. Either way, you can configure the Redis details in your Helm values file.

Installation

If you have not installed Gloo Mesh Gateway yet, prepare details for your installation.

  1. Decide the Helm release namespace to use. The example uses the names suggested throughout the documentation, gloo-platform and gloo-mesh.

      export GLOO_MESH_RELEASE_NAMESPACE=gloo-mesh
      
  2. Create a Helm values file for your installation, such as gloo-single.yaml for a single cluster or mgmt-plane.yaml and data-plane.yaml for a multicluster environment.

Upgrade

If you are upgrading Gloo Mesh Gateway to set up Redis, get the details of your installation.

  1. Save the details of your Gloo Mesh Gateway installation, including the Helm chart namespace for the component that you want to set up the Redis instance for. In the following example, the release name is gloo-platform and the namespace is gloo-mesh, but you can update your values accordingly.

      export GLOO_MESH_RELEASE_NAMESPACE=gloo-mesh
      

    To get the values for your own release, run the following Helm command.

      helm list --all-namespaces
      
      NAME                 	NAMESPACE       	REVISION	UPDATED                             	STATUS  	CHART
    gloo-platform        	gloo-mesh       	1      	  2023-09-01 13:26:56.061102 -0400 EDT	deployed	gloo-platform-2.7.0-beta1
      
  2. Get your Gloo Platform Helm values file. For more information, see Upgrade guide.

    • Single cluster:

        helm get values gloo-platform -o yaml -n gloo-mesh > gloo-single.yaml
      open gloo-single.yaml
        
    • Multicluster:

        helm get values gloo-platform -n gloo-mesh -o yaml --kube-context $MGMT_CONTEXT > mgmt-plane.yaml
      open mgmt-plane.yaml
        
        helm get values gloo-platform -n gloo-mesh -o yaml --kube-context $REMOTE_CONTEXT > data-plane.yaml
      open data-plane.yaml
        

Step 3: Set up the Redis store

Through Helm, you can configure Redis to store the data for several Gloo Mesh Gateway, as described in About Redis. After, Gloo deploys a Redis instance for each one based on the details that you configure.

When you install or upgrade Gloo Mesh Gateway, include the following Helm values to enable each component to use your own local Redis instance.

Step 4: Set up Redis authentication

Choose how to authenticate with your Redis cluster. Depending on your Redis provider, you might be required to use a specific authentication method, such as TLS certificates or a username and password.

TLS-encryption

Use your own public Certificate Authority (CA) certificate so that the Gloo client can establish trust for the TLS connection to the Redis server instance. Note that server-side credentials for a mutual TLS (mTLS) connection are currently not supported.

  1. Enable TLS connections in your Redis instance. For more information, see the Redis Enterprise docs or the Redis Community Edition docs.

  2. Create your own certificates such as with openssl or cert-manager to make the public CA certificate, ca.crt.

  3. Create a Kubernetes secret to store the TLS credentials in the same namespace as the Gloo component that uses the Redis instance, such as gloo-mesh for the management server or UI. Run the following command from the local directory where your TLS certificates and key were created. Update the filenames of the certificate as necessary.

      kubectl apply -f - <<EOF
    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: "redis-certs"
      namespace: $GLOO_MESH_RELEASE_NAMESPACE
    data:
      ca.crt: $(cat ca.crt | base64 | tr -d '\n')
    EOF
      
  4. Prepare the redis.certs section of the Helm values file that you previously retrieved with the details of the secret that you previously created.

Password authentication

For a username and password auth, complete the following steps.

  1. Enable password auth for your Redis instance. For more information, see the Redis Enterprise docs or Redis Community Edition docs.

  2. Save the following values as environment variables.

    • Username: If your Redis instance does not have a username, you can omit this value.
    • Password: Note the password string.
      export REDIS_UN=default
    export REDIS_PW=<password>
      
  3. Create a Kubernetes secret to store the credentials in the same namespace as the management server.

      kubectl apply -f- <<EOF
    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
       name: redis-auth-secrets
       namespace: $GLOO_MESH_RELEASE_NAMESPACE
    stringData:
      # If Redis doesn't have an explicit username, omit the username field.
      username: "$REDIS_UN"
      password: "$REDIS_PW"
    EOF 
      
  4. Prepare the redis.auth section of the Helm values file that you previously retrieved.

Step 5: Configure the telemetry pipeline

If you enable the insights engine and bring your own Redis instance, you must also update the Gloo telemetry pipeline installation in your Helm values file with the details for your Redis instance.

  1. Update the telemetry collector section with the extra volumes that are required to bring your own Redis instance.

    • redis-certs secretName: If you use a TLS connection for Redis, update the redis-certs secretName field with the name of the secret that you created in a previous step.
      
    telemetryCollector:
      enabled: true
      extraVolumes:
      - name: tls-keys
        projected:
          sources:
            - secret:
                name: gloo-telemetry-gateway-ca-certs
                optional: true
            - secret:
                name: gloo-telemetry-gateway-tls-secret
                optional: true
      - name: telemetry-configmap
        configMap:
          name: gloo-telemetry-gateway-config
          items:
            - key: relay
              path: relay.yaml
      - name: redis-certs
        secret:
          secretName: redis-certs
          optional: true
      extraVolumeMounts:                  
      - name: tls-keys
        readOnly: true
        mountPath: /etc/otel-certs
      - name: telemetry-configmap
        mountPath: /conf
      - mountPath: /etc/redis-certs
        name: redis-certs  
      
  2. Customize the telemetry collector with an extra exporter that sends data to your own Redis instance. The example includes required stream attributes. Update the following fields with the details of your Redis instance.

    • endpoint: Provide the address to your own external Redis instance. For local instances in the cluster, this value is typically the Kubernetes service name that the Gloo component can access, such as my-redis.redis:6379.
    • tls: Provide the details to use for the TLS connection. Include the key name in the data section of the redis-certs Kubernetes secret that has the CA certificate to use, such as ca.crt, that you previously mounted.
    • username: If you use Redis auth password security, include the username in this field. If you do not have a username, omit this field.
    • password: If you use Redis auth password security, include the password in this field.
      
    telemetryCollectorCustomization:
      extraExporters:
        redisstream/ui:
          endpoint: <my-redis.redis:6379>
          expire: 30m
          stream: ui
          stream_attributes:
            resource_attributes:
              - cluster_name
              - source
              - component
              - k8s.pod.name
              - k8s.container.name
          tls:
            ca_file: /etc/redis-certs/ca.crt
            insecure: false
          username: <username>
          password: <password>
      
  3. Multicluster setup: Update the telemetry collector section with the extra volumes that are required to bring your own Redis instance.

    • redis-certs secretName: If you use a TLS connection for Redis, update the redis-certs secretName field with the name of the secret that you created in a previous step.
      
    telemetryGateway:
      enabled: true
      extraVolumes:
      - name: redis-certs
        secret:
          secretName: redis-certs
          optional: true
      extraVolumeMounts:
      - mountPath: /etc/redis-certs
        name: redis-certs  
      
  4. Customize the telemetry gateway with an extra exporter that sends data to your own Redis instance. The example includes required stream attributes and an example for AWS ElastiCache. Update the following fields with the details of your Redis instance.

    • endpoint: Provide the address to your own external Redis instance. For local instances in the cluster, this value is typically the Kubernetes service name that the Gloo component can access, such as my-redis.redis:6379.
    • tls: Provide the details to use for the TLS connection. Include the key name in the data section of the redis-certs Kubernetes secret that has the CA certificate to use, such as ca.crt, that you previously mounted.
    • username: If you use Redis auth password security, include the username in this field. If you do not have a username, omit this field.
    • password: If you use Redis auth password security, include the password in this field.
      
    telemetryGatewayCustomization:
      extraExporters:
        redisstream/basic:
          endpoint: <my-redis.redis:6379>
          tls: {} 
          username: <username>
          password: <redis-password> 
        redisstream/ui:
          endpoint: <my-redis.redis:6379>
          expire: 30m
          stream: ui
          stream_attributes:
            resource_attributes:
              - cluster_name
              - source
              - component
              - k8s.pod.name
              - k8s.container.name
          tls:
            ca_file: /etc/redis-certs/ca.crt
            insecure: false
          username: <username>
          password: <password>
      

Now, the Gloo telemetry pipeline is ready to use your own Redis instance to store logs about the insights. Later, you can set up Istio insights to display in the Gloo UI by configuring the logs/analyzer pipeline in Gloo telemetry. For more information, see Add Istio insights.

Step 6: Configure API key details for the developer portal

If you use the developer portal, configure details related to storing API keys in the Redis instance for the external auth service. By default, the configuration that you set for redisStore.extAuthService is also used by the portal server. This way, the portal server can write API keys that protect the APIs exposed in the developer portal, and the external auth service can read the same API keys to authenticate requests.

  • redisStore.extAuthService.client.secretKey: Replace with a random string to use to hash the API keys that are stored in Redis. The example uses "ThisIsSecret".
  
redisStore:
  extAuthService:
    client:
      secretKey: "ThisIsSecret"
  

Step 7: Configure other Redis settings

Further configure the default Redis values. For specific fields and more information, check the Helm reference for each component of the redisStore section.

Common configuration sections include:

  • Client connection details, such as redirects, retries, and max connections.

Step 8: Install or upgrade with Helm

You can continue to install or upgrade Gloo Mesh Gateway to use your own Redis instance. Include the Helm values file that you prepared in the previous steps.

The following example commands are provided for quick reference. For more details, consult the install or upgrade guides.

Step 9: Verify the connection

To review the data that is stored in Redis, you can connect to the local Redis instance. If you bring your own Redis, you must use those connection values. For more information, see your Redis provider docs, such as Amazon ElastiCache or Google Cloud Memorystore.

Choose between using the Redis CLI or RedisInsights.

Redis CLI

You can use the Redis CLI that is built into your deployment to review the data in your database.

  1. Install Redis in your cluster so that you can use the redis-cli to connect to your Redis instance.

  2. From your terminal, log in to the Redis pod and open a Redis CLI shell.

  3. Run Redis CLI commands, such as monitor or keys. For more information, see the Redis docs.

    Example response of data populated by the management server:

      keys *
    1) "$CLUSTER_NAME~apps~v1~Deployment"
    2) "reports#$CLUSTER_NAME#httpbin#$CLUSTER_NAME"
    3) "$CLUSTER_NAME~install.istio.io~v1alpha1~IstioOperator"
    4) "reports#$CLUSTER_NAME#gloo-mesh#globalcccfde00-e4a9-4867-b6c0-5df8601f6e1e"
    5) "$CLUSTER_NAME~admissionregistration.k8s.io~v1~MutatingWebhookConfiguration"
    6) "reports#idx"
    7) "reports#$CLUSTER_NAME#store#$CLUSTER_NAME"
    8) "gloo.mesh.key.set"
      

    Example response of rate limit counters:

      monitor
    OK
    1681223733.198361 [0 10.xxx.x.x:xxxxx] "INCRBY" "tree|solo.io|generic_key^gloo-mesh.rl-server-config-gloo-mesh-$CLUSTER_NAME-rate-limiter|generic_key^counter|1718236800" "1"
      

    Example response of API keys for the external auth service and portal server add-ons. Note that the API key name and value are hashed based on the apiKeyStorage.secretKey that you configured when setting up the add-ons.

      keys *
    1) "1bbe3f25-5a2a-4797-8ac0-d59c7480377a"
    2) "abcmHk2Iwcy3VL+NNswyrs3B4YIEx39BG84jzwcoWB8="
    
    get "1bbe3f25-5a2a-4797-8ac0-d59c7480377a"
    "xksmHk2Iwcy3VL+NNswyrs3B4YIEx39BG84jzwcoWB8="
    
    get "abcmHk2Iwcy3VL+NNswyrs3B4YIEx39BG84jzwcoWB8="
    "{\"api_key\":\"abcmHk2Iwcy3VL+NNswyrs3B4YIEx39BG84jzwcoWB8=\",\"labels\":[\"first.last@example.com\"],\"metadata\":{\"config_id\":\"gloo-mesh.api-key-auth-default-cluster-name-mgt-ext-auth-service\",\"created-ts-unix\":\"1718742070\",\"name\":\"gold-api-key-name\",\"usagePlan\":\"gold\",\"username\":\"first.last@example.com\"},\"uuid\":\"1bbe3f25-5a2a-4797-8ac0-d59c7480377a\"}"
      

RedisInsights

RedisInsights is a desktop application that you can install for UI- and CLI-based interactions. For more information, see the Redis docs.

  1. Install RedisInsights. The steps vary depending on where you want to install the app.
  2. Enable port forwarding on the Redis deployment. Update the namespace and deployment to match the Redis instance in your cluster.
      kubectl port-forward -n gloo-mesh deploy/gloo-mesh-redis 6379
      
  3. Launch the RedisInsights app.
  4. Click + Add Redis Database and enter in your localhost and port details, which by default are 127.0.0.1:6379.
  5. Click the database that you just added.
  6. Use the UI or CLI to explore the data. For example, you can click the Browser tab (the key icon) and toggle the Key view to explore all of the keys in the database instance, as shown in the following screenshot.

RedisInsights view of all keys in the database
RedisInsights view of all keys in the database


  1. * Redis is a registered trademark of Redis Ltd. Any rights therein are reserved to Redis Ltd. Any use by Solo.io, Inc. is for referential purposes only and does not indicate any sponsorship, endorsement or affiliation between Redis and Solo.io. ↩︎