
Redis TLS

To enable TLS between the Nautobot deployment and the embedded Bitnami Redis subchart, set the following Helm values:

nautobot:
  redis:
    ssl: true
  extraVolumeMounts:
    - mountPath: "/opt/nautobot/redis"
      name: "redis-tls"
  extraVolumes:
    - name: "redis-tls"
      secret:
        secretName: "nautobot-redis-crt"

celery:
  extraVolumeMounts:
    - mountPath: "/opt/nautobot/redis"
      name: "redis-tls"
  extraVolumes:
    - name: "redis-tls"
      secret:
        secretName: "nautobot-redis-crt"

redis:
  tls:
    enabled: true
    authClients: false
    autoGenerated: true
    # certificatesSecret: "nautobot-redis-crt"
    # certFilename: "tls.crt"
    # certKeyFilename: "tls.key"
    # certCAFilename: "ca.crt"

This will autogenerate certificates for use with Redis. Unfortunately, the CA that signs them is not trusted by Nautobot. To trust these certificates in Nautobot, create a custom nautobot_config.py and set the following values in it:

import os
import ssl

# PostgreSQL connection: require TLS to the database as well.
DATABASES["default"]["OPTIONS"] = {"sslmode": "require"}

# Django cache (redis-py connection pool): verify the Redis server certificate
# against the auto-generated CA mounted from the "nautobot-redis-crt" secret.
CACHES["default"]["OPTIONS"]["CONNECTION_POOL_KWARGS"] = {
    "ssl_cert_reqs": ssl.CERT_REQUIRED,
    "ssl_ca_certs": "/opt/nautobot/redis/ca.crt",
    "ssl_certfile": "/opt/nautobot/redis/tls.crt",
    "ssl_keyfile": "/opt/nautobot/redis/tls.key",
}

# Celery result backend and broker use the same TLS material.
CELERY_REDIS_BACKEND_USE_SSL = {
    "ssl_cert_reqs": ssl.CERT_REQUIRED,
    "ssl_ca_certs": "/opt/nautobot/redis/ca.crt",
    "ssl_certfile": "/opt/nautobot/redis/tls.crt",
    "ssl_keyfile": "/opt/nautobot/redis/tls.key",
}
CELERY_BROKER_USE_SSL = CELERY_REDIS_BACKEND_USE_SSL

# django-cacheops builds its own Redis client, so it needs the settings too.
CACHEOPS_REDIS = {
    "host": os.getenv("NAUTOBOT_REDIS_HOST", "localhost"),
    "port": int(os.getenv("NAUTOBOT_REDIS_PORT", 6379)),
    "password": os.getenv("NAUTOBOT_REDIS_PASSWORD", ""),
    "ssl": True,
    "ssl_cert_reqs": ssl.CERT_REQUIRED,
    "ssl_ca_certs": "/opt/nautobot/redis/ca.crt",
    "ssl_certfile": "/opt/nautobot/redis/tls.crt",
    "ssl_keyfile": "/opt/nautobot/redis/tls.key",
}

The secret name will change based on your Helm release name. It is also possible, and likely more secure, to generate your own certificates and secrets; doing so is beyond the scope of this documentation but is described in the additional resources listed below.
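The settings above are easy to get subtly wrong: a value of ssl.CERT_NONE still gives an encrypted connection but never authenticates the Redis server, and a missing ssl_ca_certs makes verification fall back to the system trust store, which does not contain the auto-generated CA. The following pre-flight check is an added example and is not part of the Nautobot Helm chart or its documentation. It assumes the mount path /opt/nautobot/redis and the file names tls.crt, tls.key and ca.crt from the values above; the audit rules, the function names and the use of NAUTOBOT_REDIS_HOST / NAUTOBOT_REDIS_PORT for the probe are the example's own choices.

```python
"""Pre-flight check for the Redis TLS settings used by nautobot_config.py.

Added example, not chart code. Assumes the secret is mounted at
/opt/nautobot/redis with the Bitnami file names tls.crt / tls.key / ca.crt.
"""
import os
import socket
import ssl
import stat

CERT_DIR = "/opt/nautobot/redis"  # mountPath from extraVolumeMounts above


def redis_ssl_options(cert_dir=CERT_DIR, client_auth=True):
    """Build the ssl_* kwargs used for CONNECTION_POOL_KWARGS / CELERY_*_USE_SSL.

    ssl_cert_reqs is pinned to CERT_REQUIRED: with CERT_NONE the link is
    encrypted but the Redis server is never verified against the mounted CA.
    """
    opts = {
        "ssl_cert_reqs": ssl.CERT_REQUIRED,
        "ssl_ca_certs": os.path.join(cert_dir, "ca.crt"),
    }
    if client_auth:  # only consulted by the server when redis.tls.authClients is true
        opts["ssl_certfile"] = os.path.join(cert_dir, "tls.crt")
        opts["ssl_keyfile"] = os.path.join(cert_dir, "tls.key")
    return opts


def audit_ssl_options(opts, check_files=True):
    """Return a list of findings for a redis-py style ssl_* dict; empty means OK."""
    findings = []
    reqs = opts.get("ssl_cert_reqs")
    if reqs != ssl.CERT_REQUIRED:
        findings.append(f"ssl_cert_reqs is {reqs!r}: server certificate is not verified")
    if not opts.get("ssl_ca_certs"):
        findings.append("ssl_ca_certs unset: system trust store lacks the auto-generated CA")
    if opts.get("ssl_check_hostname") is False:
        findings.append("ssl_check_hostname explicitly disabled")
    if ("ssl_certfile" in opts) != ("ssl_keyfile" in opts):
        findings.append("ssl_certfile and ssl_keyfile must be configured together")
    if check_files:
        for key in ("ssl_ca_certs", "ssl_certfile", "ssl_keyfile"):
            path = opts.get(key)
            if path and not os.path.isfile(path):
                findings.append(f"{key}: {path} is not mounted in this pod")
        key_path = opts.get("ssl_keyfile")
        if key_path and os.path.isfile(key_path):
            mode = stat.S_IMODE(os.stat(key_path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                # Secret volumes default to 0644; tighten with defaultMode on the volume.
                findings.append(f"ssl_keyfile: {key_path} is group/world accessible (mode {mode:04o})")
    return findings


def probe_redis_tls(host, port, ca_path, timeout=3.0):
    """Handshake with the Redis TLS port and verify the server against ca_path.

    Returns (tls_version, commonName) on success and raises ssl.SSLError when the
    presented certificate does not chain to the mounted CA. Note that this probe
    also checks the hostname, which redis-py does not do unless ssl_check_hostname
    is set, so it is stricter than the settings above.
    """
    ctx = ssl.create_default_context(cafile=ca_path)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = dict(rdn[0] for rdn in cert.get("subject", ()))
            return tls.version(), subject.get("commonName")


if __name__ == "__main__":
    opts = redis_ssl_options()
    for finding in audit_ssl_options(opts):
        print("WARN:", finding)
    host = os.getenv("NAUTOBOT_REDIS_HOST", "localhost")
    port = int(os.getenv("NAUTOBOT_REDIS_PORT", 6379))
    try:
        print("TLS OK:", probe_redis_tls(host, port, opts["ssl_ca_certs"]))
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        print("TLS probe failed:", exc)
```

Run it from a shell inside the nautobot or celery pod after the secret volume is mounted: the audit reports a weakened or incomplete ssl_* dict and unmounted files, and the probe confirms that the certificate Redis actually presents chains to the CA in /opt/nautobot/redis/ca.crt before Nautobot is started against it.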

Additional Resources