interim

bradymiller · bradymiller · commit 51df17543ac5 · 2023-04-09T13:30:57.000-07:00
diff --git a/kubernetes/certs/redis.yaml b/kubernetes/certs/redis.yaml
@@ -15,10 +15,16 @@ spec:
     - digital signature
     - key encipherment
     - server auth
+    - client auth
   subject:
     organizations:
       - redis
   commonName: redis
+  dnsNames:
+    - redisproxy
+    - redis-0.redis
+    - redis-1.redis
+    - redis-2.redis
   issuerRef:
     name: ca-issuer
     kind: Issuer
diff --git a/kubernetes/certs/redisproxy.yaml b/kubernetes/certs/redisproxy.yaml
@@ -15,6 +15,7 @@ spec:
     - digital signature
     - key encipherment
     - server auth
+    - client auth
   subject:
     organizations:
       - redisproxy
diff --git a/kubernetes/certs/sentinel.yaml b/kubernetes/certs/sentinel.yaml
@@ -15,6 +15,7 @@ spec:
     - digital signature
     - key encipherment
     - server auth
+    - client auth
   subject:
     organizations:
       - sentinel
diff --git a/kubernetes/kub-down b/kubernetes/kub-down
@@ -8,7 +8,7 @@ kubectl delete \
     -f certs/mysql-replication.yaml \
     -f certs/mysql-openemr-client.yaml \
     -f certs/phpmyadmin.yaml \
-    -f certs/mysql-phpmyadmin-client.yaml
+    -f certs/mysql-phpmyadmin-client.yaml \
     -f certs/redis.yaml \
     -f certs/redis-openemr-client.yaml \
     -f certs/sentinel.yaml \
diff --git a/kubernetes/kub-down.bat b/kubernetes/kub-down.bat
@@ -8,7 +8,7 @@ kubectl delete ^
     -f certs/mysql-replication.yaml ^
     -f certs/mysql-openemr-client.yaml ^
     -f certs/phpmyadmin.yaml ^
-    -f certs/mysql-phpmyadmin-client.yaml
+    -f certs/mysql-phpmyadmin-client.yaml ^
     -f certs/redis.yaml ^
     -f certs/redis-openemr-client.yaml ^
     -f certs/sentinel.yaml ^
diff --git a/kubernetes/kub-up b/kubernetes/kub-up
@@ -13,7 +13,7 @@ kubectl apply \
     -f certs/mysql-replication.yaml \
     -f certs/mysql-openemr-client.yaml \
     -f certs/phpmyadmin.yaml \
-    -f certs/mysql-phpmyadmin-client.yaml
+    -f certs/mysql-phpmyadmin-client.yaml \
     -f certs/redis.yaml \
     -f certs/redis-openemr-client.yaml \
     -f certs/sentinel.yaml \
diff --git a/kubernetes/kub-up.bat b/kubernetes/kub-up.bat
@@ -11,7 +11,7 @@ kubectl apply ^
     -f certs/mysql-replication.yaml ^
     -f certs/mysql-openemr-client.yaml ^
     -f certs/phpmyadmin.yaml ^
-    -f certs/mysql-phpmyadmin-client.yaml
+    -f certs/mysql-phpmyadmin-client.yaml ^
     -f certs/redis.yaml ^
     -f certs/redis-openemr-client.yaml ^
     -f certs/sentinel.yaml ^
diff --git a/kubernetes/openemr/deployment.yaml b/kubernetes/openemr/deployment.yaml
@@ -46,9 +46,11 @@ spec:
               key: admin-pass
         - name: OE_USER
           value: "admin"
+        - name: PHPREDIS_BUILD
+          value: "e571a81f8d3009aab38cbb88dde865edeb0607ac"
         - name: REDIS_SERVER
           # TODO - change below back to redisproxy after get the proxy working
-          value: "redis"
+          value: "redis-0.redis"
         - name: REDIS_PASSWORD
           value: "defaultpassword"
         - name: REDIS_TLS
diff --git a/kubernetes/redis/configmap-pipy.yaml b/kubernetes/redis/configmap-pipy.yaml
@@ -7,11 +7,11 @@ data:
     {
         "redisAdminUser" : "admin",
         "redisAdminPass" : "adminpassword",
-        "caCert" : "certs/ca.crt",
-        "tlsKey" : "certs/tls.key",
         "debug" : true,
         "port" : 6379,
         "servers" : ["redis-0.redis:6379", "redis-1.redis:6379", "redis-2.redis:6379"],
+        "caCert" : "certs/ca.crt",
+        "tlsKey" : "certs/tls.key",
         "connectTimeout" : "1s",
         "readTimeout" : "1s",
         "healthcheck" : {
@@ -36,21 +36,14 @@ data:
         _check: resp => (
           (data, role) => (
             unhealthy_nodes.remove(_target),
+            config.debug && console.log(`Response data: ${resp.toString()}`),
             data = resp.shift(40).toString().split('\r\n'),
             role = data[3].split(':')[1],
             config.debug && console.log(`Role is ${role} for ${_target}`),
             role === 'master' && unhealthy_master.remove(_target)
           ))()
       })
-        .listen(config.port)    
-        .acceptTLS({
-          certificate: {
-            cert: new crypto.Certificate(pipy.load(config.caCert)),
-            key: new crypto.PrivateKey(pipy.load(config.tlsKey))
-          }
-        }).to('preconnection')
-
-        .pipeline('preconnection')
+        .listen(config.port)
         .handleData(
           (data, query, command, master_only) => (
             query = new Data(data).shift(20).toString(),
@@ -73,14 +66,6 @@ data:
             config.debug && console.log(`Sending request to node ${_target}`)
           )
         )
-        .connectTLS({
-          certificate: {
-            cert: new crypto.Certificate(pipy.load(config.caCert)),
-            key: new crypto.PrivateKey(pipy.load(config.tlsKey))
-          }
-        }).to('sendconnection')
-    
-        .pipeline('sendconnection')
         .connect(() => _target,
           {
             connectTimeout: config.connectTimeout,
@@ -103,8 +88,7 @@ data:
               unhealthy_nodes.set(t, true),
               unhealthy_master.set(t, true)
             )),
-            _counter = { n: 0 },
-            console.log(`Debug 0`)
+            _counter = { n: 0 }
           )
         )
         .fork('per-node',
@@ -115,23 +99,22 @@ data:
         .wait(
           () => _counter.n === 0
         )
-    
+
         .pipeline('per-node')
         .replaceMessage(
           () => (
             _counter.n++,
-            new Message(`AUTH ${config.redisAdminUser} ${config.redisAdminPass}\r\ninfo replication\r\n`),
-            console.log(`Debug 1`)
+            new Message(`AUTH ${config.redisAdminUser} ${config.redisAdminPass}\r\ninfo replication\r\n`)
           )
         )
         .connectTLS({
           certificate: {
             cert: new crypto.Certificate(pipy.load(config.caCert)),
             key: new crypto.PrivateKey(pipy.load(config.tlsKey))
           }
-        }).to('healthconnection')
-    
-        .pipeline('healthconnection')
+        }).to('sendconnection')
+
+        .pipeline('sendconnection')
         .connect(
           () => _target,
           {
@@ -140,8 +123,7 @@ data:
           }
         )
         .handleData(
-          data => _check(data),
-          console.log(`Debug 2`)
+          data => _check(data)
         )
         .handleStreamEnd(
           () => _counter.n--
diff --git a/kubernetes/redis/deployment-redisproxy.yaml b/kubernetes/redis/deployment-redisproxy.yaml
@@ -37,7 +37,7 @@ spec:
       - env:
         - name: PIPY_CONFIG_FILE
           value: /proxy/proxy.js
-        image: naqvis/pipy-worker:0.70.0-2-33-g1164e36
+        image: naqvis/pipy:0.40.0-rc3-37-ga91d1a0
         name: redisproxy
         volumeMounts:
         - name: redisproxy-certs
@@ -61,4 +61,4 @@ spec:
             path: tls.key
       - name: redisproxyconf
         configMap:
-          name: pipy-config
+          name: pipy-config
diff --git a/kubernetes/redis/statefulset-redis.yaml b/kubernetes/redis/statefulset-redis.yaml
@@ -20,9 +20,15 @@ spec:
         command: [ "sh", "-c" ]
         args:
           - |
+            # Set below to true if using redis x509
+            REDISX509=false
+            TLSPARAMETERS="--tls --cacert /certs/ca.crt"
+            if $REDISX509; then
+                TLSPARAMETERS="$TLSPARAMETERS --cert /certs/tls.crt --key /certs/tls.key"
+            fi
             echo "Copying configuration file"
             cp /tmp/redis/redis.conf /etc/redis/redis.conf            
-            if [ "$(redis-cli --tls --cacert /certs/ca.crt -h sentinel -p 5000 ping)" != "PONG" ]; then
+            if [ "$(redis-cli $TLSPARAMETERS -h sentinel -p 5000 ping)" != "PONG" ]; then
               echo "Sentinel not found to get the master info, defaulting to redis-0"
               if [ "$(hostname)" == "redis-0" ]; then
                 echo "This is redis-0, No need to update config."
@@ -33,7 +39,7 @@ spec:
               fi
             else
               echo "Sentinel found, finding master"
-              MASTER="$(redis-cli --tls --cacert /certs/ca.crt -h sentinel -p 5000 sentinel get-master-addr-by-name mymaster | grep -E '(^redis-\d{1,})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')"
+              MASTER="$(redis-cli $TLSPARAMETERS -h sentinel -p 5000 sentinel get-master-addr-by-name mymaster | grep -E '(^redis-\d{1,})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')"
               echo "Master got: $MASTER, updating this in redis.conf"
               echo "REPLICAOF $MASTER 6379" >> /etc/redis/redis.conf
             fi
diff --git a/kubernetes/redis/statefulset-sentinel.yaml b/kubernetes/redis/statefulset-sentinel.yaml
@@ -21,13 +21,19 @@ spec:
         args:
           - |
             REDIS_PASSWORD=adminpassword
+            # Set below to true if using redis x509
+            REDISX509=false
             nodes=redis-0.redis,redis-1.redis,redis-2.redis
+            TLSPARAMETERS="--tls --cacert /certs/ca.crt"
+            if $REDISX509; then
+                TLSPARAMETERS="$TLSPARAMETERS --cert /certs/tls.crt --key /certs/tls.key"
+            fi
             echo "Looping through the redis list to see if Redis Master node is available now"
             while [ 1 ]
             do
                 for i in ${nodes//,/ }
                 do
-                    MASTER=$(redis-cli --tls --cacert /certs/ca.crt --no-auth-warning --raw -h $i --user admin -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2)
+                    MASTER=$(redis-cli $TLSPARAMETERS --no-auth-warning --raw -h $i --user admin -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2)
                     if [ "$MASTER" == "" ]; then
                         echo "no master info found in $i"
                         MASTER=
