The problem/use-case that the feature addresses
Currently, replication does not work with the right Public Key Infrastructure (in my case, with a Subordinate CA) because the config file does not have any option to specify the client certificate and key.
Description of the feature
An option to specify the client certificate and the client key (tls-client-cert-file and tls-client-key-file).
Additional information
Without it, Sentinel switches the Redis instance between master and replica and fails to connect without a client certificate/key (one that acts as a client certificate, not a server certificate).
Note: this issue is strictly related to the DNS issue: https://github.com/redis/redis/issues/7928. For two-way TLS authentication, a valid domain name is needed (SAN field in X.509 v3).
Comment From: yossigo
Thank you @mvasi90 for raising this. This definitely makes sense to me as an optional configuration, which should affect all scenarios where Redis establishes a TLS connection as a client:
- Replica connecting to master
- Sentinel connecting to Redis
- Cluster bus client side
- Cluster node migrating keys to remote node
Adding SAN validation also makes sense (again, optionally) but will probably be more difficult to do, as Redis tends to use IPs rather than hostnames in all sorts of places.
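The following redis.conf fragments show what the request above and the scenarios listed in the comment amount to in practice: a master that requires client certificates, and a replica that needs its own client certificate to pass that check. This is an added example, not configuration from the issue or from the Redis project; the two tls-client-* options are used as named in the request, all other directives are standard Redis 6 TLS options, and every file path is a placeholder. Comments are on their own lines because the Redis config parser treats trailing text after a value as extra arguments.

```conf
# --- master: redis.conf fragment (placeholder paths) ---
# Disable the plaintext port and serve TLS only.
port 0
tls-port 6379
# Server certificate issued by the subordinate CA, and the full chain
# (root + subordinate) used to verify peers.
tls-cert-file /etc/redis/tls/master.crt
tls-key-file /etc/redis/tls/master.key
tls-ca-cert-file /etc/redis/tls/ca-chain.crt
# Reject any client, including a connecting replica or Sentinel, that does
# not present a certificate chaining to ca-chain.crt.
tls-auth-clients yes
# Require the replication link itself to use TLS.
tls-replication yes

# --- replica: redis.conf fragment (placeholder paths) ---
port 0
tls-port 6379
tls-cert-file /etc/redis/tls/replica.crt
tls-key-file /etc/redis/tls/replica.key
tls-ca-cert-file /etc/redis/tls/ca-chain.crt
tls-auth-clients yes
tls-replication yes
replicaof master.redis.internal 6379
# Weak state described in the issue: with no client certificate option,
# the replica can only present its server certificate when it connects
# to the master. If that certificate was issued for server use only
# (Extended Key Usage without clientAuth), the master's tls-auth-clients
# check rejects it and replication never starts.
#
# Corrected state: a separate certificate issued for client use, presented
# on every outbound TLS connection (replica to master, Sentinel to Redis,
# cluster bus, key migration).
tls-client-cert-file /etc/redis/tls/replica-client.crt
tls-client-key-file /etc/redis/tls/replica-client.key
```

For hostname verification to succeed, the master's certificate must carry the name used in `replicaof` (here the placeholder master.redis.internal) in its SAN extension, which is the point of the linked DNS issue.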