diff --git a/docs/content/about/configuration.md b/docs/content/about/configuration.md index e0358f93f..d7727ad0a 100644 --- a/docs/content/about/configuration.md +++ b/docs/content/about/configuration.md @@ -1087,11 +1087,21 @@ Use these settings to configure Redis TLS: | Parameter | Required | Description | |-----------|----------|-------------------------------------------------------| -| `certificate` | yes | Absolute path to the x509 certificate file. | -| `key` | yes | Absolute path to the x509 private key file. | +| `certificate` | no | Absolute path to the x509 client certificate file. Required for mTLS. | +| `key` | no | Absolute path to the x509 client private key file. Required for mTLS. | | `rootcas` | no | An array of absolute paths to x509 CA files. | +**Note:** For server-side TLS only (e.g., AWS Elasticache), provide only `rootcas`. For mutual TLS (mTLS), provide both `certificate` and `key` along with optional `rootcas`. + ```yaml +# Server-side TLS only (validate server certificate) +redis: + tls: + rootcas: + - /path/to/ca-bundle.crt + addrs: [localhost:6379] + +# Mutual TLS (client and server certificates) redis: tls: certificate: /path/to/cert.crt diff --git a/registry/handlers/app.go b/registry/handlers/app.go index 02350969a..96761bfef 100644 --- a/registry/handlers/app.go +++ b/registry/handlers/app.go @@ -571,13 +571,15 @@ func (app *App) configureRedis(cfg *configuration.Configuration) { } // redis TLS config - if cfg.Redis.TLS.Certificate != "" || cfg.Redis.TLS.Key != "" { + if cfg.Redis.TLS.Certificate != "" || cfg.Redis.TLS.Key != "" || len(cfg.Redis.TLS.RootCAs) != 0 { var err error tlsConf := &tls.Config{} - tlsConf.Certificates = make([]tls.Certificate, 1) - tlsConf.Certificates[0], err = tls.LoadX509KeyPair(cfg.Redis.TLS.Certificate, cfg.Redis.TLS.Key) - if err != nil { - panic(err) + if cfg.Redis.TLS.Certificate != "" && cfg.Redis.TLS.Key != "" { + tlsConf.Certificates = make([]tls.Certificate, 1) + tlsConf.Certificates[0], err = tls.LoadX509KeyPair(cfg.Redis.TLS.Certificate, cfg.Redis.TLS.Key) + if err != nil { + panic(err) + } } if len(cfg.Redis.TLS.RootCAs) != 0 { pool := x509.NewCertPool()