[bitnami/harbor] Lack of TLS support for External Redis #7691

Closed
jowko opened this issue Oct 4, 2021 · 5 comments
Labels
stale 15 days without activity

jowko commented Oct 4, 2021

Which chart:
[bitnami/harbor]

Is your feature request related to a problem? Please describe.
Harbor doesn't support TLS communication for External Redis instances.
This is a problem because of:

  • Unsecured communication between Harbor and Redis - the data sent between these services can be exposed to a third party.
  • Some Cloud providers, for example IBM Cloud Databases for Redis, don't allow for unsecured communication. In such a case we cannot use such Redis instances together with Harbor.

The official Helm Chart and Harbor also don't support this feature yet:
goharbor/harbor-helm#549

Describe the solution you'd like
It would be great to extend externalRedis values with options to configure TLS connection and certificate.
TLS is supported in Redis bitnami chart, so we could take this solution as an example:
https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-tls/

Redis documentation:
https://redis.io/topics/encryption

Describe alternatives you've considered
There is a potential workaround to add a sidecar container for all services which are using Redis. This sidecar would open a TLS connection to Redis, and Harbor could connect to the sidecar without TLS. I will try to assess this workaround to check if such a thing will work.
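The sidecar workaround described in the issue above, as an added example (not part of the original issue, and not Bitnami or Harbor code): a loopback-only plaintext listener that relays each connection to Redis over verified TLS and drops the client if the TLS leg cannot be established. The function names, the environment variable names and the port numbers are assumptions made for illustration.

```python
import asyncio
import os
import ssl

def upstream_tls_context(ca_file=None):
    """Client context for the sidecar-to-Redis leg: chain and hostname are verified."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

async def _pipe(reader, writer):
    """Copy bytes one way until EOF or error, then close the write side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except OSError:
        pass
    finally:
        writer.close()

async def serve(listen_port, redis_host, redis_port, ctx, listen_host="127.0.0.1"):
    """Accept plaintext on loopback only and relay each connection over TLS."""
    async def handle(client_r, client_w):
        try:
            up_r, up_w = await asyncio.open_connection(
                redis_host, redis_port, ssl=ctx, server_hostname=redis_host)
        except OSError:
            # Handshake or verification failed: drop the client, never fall back to plaintext.
            client_w.close()
            return
        await asyncio.gather(_pipe(client_r, up_w), _pipe(up_r, client_w))
    return await asyncio.start_server(handle, listen_host, listen_port)

async def main():
    # REDIS_HOST, REDIS_PORT and REDIS_CA_FILE are hypothetical variable names.
    server = await serve(6379, os.environ["REDIS_HOST"],
                         int(os.environ.get("REDIS_PORT", "6380")),
                         upstream_tls_context(os.environ.get("REDIS_CA_FILE")))
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Binding the plaintext side to 127.0.0.1 keeps the unencrypted hop inside the pod's network namespace, which is the only place this pattern leaves Redis traffic in the clear.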

Contributor

yilmi commented Oct 4, 2021

Hi @jowko, thanks for reporting this! I opened an internal tracker for this such that it can be picked up at some point. But feel free to submit a pull request with a contribution if you are in a hurry.

yilmi added the "on-hold" label (Issues or Pull Requests with this label will never be considered stale) Oct 4, 2021
Contributor

yilmi commented Nov 2, 2021

Hi @jowko, I just wanted to give you an update here. I looked at it hoping I could prepare a PR for it but it seems that we're lacking upstream support to implement something that would be straightforward.

For example, changing the redis connection string from redis:// to rediss:// to use tls or not, as mentioned on this upstream ticket.

At the chart level we seem to be building connection strings for various components, which also have to support it.

So for now, I'm leaving this one open such that we can revisit it later once upstream support allows us to do it.

@carrodher
Member

Unfortunately, after some time it seems this was not implemented by the upstream project so it is difficult to implement this feature by ourselves. We will monitor upstream GH tickets related to this topic in order to work on it when possible, but it is not something we can address right now.

That said, we will keep this ticket open until the stale bot closes it just in case someone from the community adds some valuable info or wants to contribute by creating a PR. The Bitnami team will be happy to review it and provide feedback. Here you can find the contributing guidelines.

carrodher removed the "on-hold" label (Issues or Pull Requests with this label will never be considered stale) May 6, 2022
@github-actions

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions bot added the "stale" label (15 days without activity) May 22, 2022
@github-actions

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.
