From 6780dbbba465db5feb41e978e6a878224b00988c Mon Sep 17 00:00:00 2001 From: Omar Trigui Date: Sat, 24 Jan 2026 00:16:52 +0100 Subject: [PATCH 1/2] Enable Redis TLS without client certificates Signed-off-by: Omar Trigui --- registry/handlers/app.go | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/registry/handlers/app.go b/registry/handlers/app.go index 6b4d1409e..1f2591e40 100644 --- a/registry/handlers/app.go +++ b/registry/handlers/app.go @@ -571,13 +571,15 @@ func (app *App) configureRedis(cfg *configuration.Configuration) { } // redis TLS config - if cfg.Redis.TLS.Certificate != "" || cfg.Redis.TLS.Key != "" { + if cfg.Redis.TLS.Certificate != "" || cfg.Redis.TLS.Key != "" || len(cfg.Redis.TLS.RootCAs) != 0 { var err error tlsConf := &tls.Config{} - tlsConf.Certificates = make([]tls.Certificate, 1) - tlsConf.Certificates[0], err = tls.LoadX509KeyPair(cfg.Redis.TLS.Certificate, cfg.Redis.TLS.Key) - if err != nil { - panic(err) + if cfg.Redis.TLS.Certificate != "" && cfg.Redis.TLS.Key != "" { + tlsConf.Certificates = make([]tls.Certificate, 1) + tlsConf.Certificates[0], err = tls.LoadX509KeyPair(cfg.Redis.TLS.Certificate, cfg.Redis.TLS.Key) + if err != nil { + panic(err) + } } if len(cfg.Redis.TLS.RootCAs) != 0 { pool := x509.NewCertPool() From e74754839eb262c1600c1cc71e9d71d70b5bc6b9 Mon Sep 17 00:00:00 2001 From: Omar Trigui Date: Sat, 24 Jan 2026 00:31:02 +0100 Subject: [PATCH 2/2] Update Redis TLS configuration docs Updated TLS configuration parameters to indicate that 'certificate' and 'key' are optional for mTLS. Added notes and examples for server-side TLS and mutual TLS. Signed-off-by: Omar Trigui --- docs/content/about/configuration.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/docs/content/about/configuration.md b/docs/content/about/configuration.md index e0358f93f..d7727ad0a 100644 --- a/docs/content/about/configuration.md +++ b/docs/content/about/configuration.md @@ -1087,11 +1087,21 @@ Use these settings to configure Redis TLS: | Parameter | Required | Description | |-----------|----------|-------------------------------------------------------| -| `certificate` | yes | Absolute path to the x509 certificate file. | -| `key` | yes | Absolute path to the x509 private key file. | +| `certificate` | no | Absolute path to the x509 client certificate file. Required for mTLS. | +| `key` | no | Absolute path to the x509 client private key file. Required for mTLS. | | `rootcas` | no | An array of absolute paths to x509 CA files. | +**Note:** For server-side TLS only (e.g., AWS Elasticache), provide only `rootcas`. For mutual TLS (mTLS), provide both `certificate` and `key` along with optional `rootcas`. + ```yaml +# Server-side TLS only (validate server certificate) +redis: + tls: + rootcas: + - /path/to/ca-bundle.crt + addrs: [localhost:6379] + +# Mutual TLS (client and server certificates) redis: tls: certificate: /path/to/cert.crt