Here is my setup:

  • Redis1 - TCP only (port 6379)
  • Redis2 - TLS and TCP (port 6379, tls-port 7379)
  • Redis3 - TLS only (port 0, tls-port 6379)

All 3 servers have these settings: tls-cert-file, tls-key-file, tls-ca-cert-file, tls-auth-clients optional, tls-replication yes

Now I want to monitor them with Sentinels.

  • If I set sentinel.conf tls-replication no that Sentinel can monitor Redis1 and Redis2 (on 6379) but not Redis3.
  • If I set sentinel.conf tls-replication yes that Sentinel can monitor Redis2 (on 7379) and Redis3 but not Redis1.

Am I correct or is there a way to monitor all three Redis servers with the same Sentinel?

Comment From: itamarhaber

Hi @dmitrypol - long time...

I believe you are correct. Afaik, a Sentinel deployment is supposed to be homogeneous also in terms of connectivity configuration. Is this a real use case or a theoretical question?

Comment From: dmitrypol

hi @itamarhaber. Thanks for such a quick response. Yes, it's been a while, hope you are doing well. Yes, it is a real use case.

Question - enabling TLS causes perf impact on Redis. Does it have perf impact on Sentinels? If Sentinel can monitor X number of Redis servers w plain TCP, will Sentinels be able to monitor <X once we enable TLS for both Sentinels and Redis?

Also, is there a way to protect the private keys (tls-key-file "redis.key") via keystore or another way in Sentinels and Redis? Or do keys have to be stored on the file system in plain text?

Comment From: itamarhaber

Yes, it is a real use case.

Please expand and elaborate. IIUC, because of the nature of a Sentinel's deployment, this use case (even if Sentinel was to support it) would provide a nondeterministic discovery/handshake for clients.

Question...

There is an impact, for sure, as encryption is still done by the main thread. I don't know/have the numbers, i.e. X (perhaps you'd want to do some benchmarks? ;P), but I would make an educated guess that the impact on Sentinel is lower than that of Redis, based on the scales of traffic that each usually handles.

Also...

Just saw #11276 and attempted a reply. TL; DR it could be a feature request but doesn't exist within the project currently.

Comment From: dmitrypol

Please expand and elaborate. IIUC, because of the nature of a Sentinel's deployment, this use case (even if Sentinel was to support it) would provide a nondeterministic discovery/handshake for clients.

Some of our Redis servers require TLS and for some we can make do w plain TCP (and get faster perf). Would be nice to NOT have to run two different sets of Sentinels.

educated guess that the impact on Sentinel is lower than that of Redis, based on the scales of traffic that each usually handles.

I also think that impact on Sentinels will be less but was curious if other people have done it.

Another question: To enable Sentinels to monitor Redis TLS servers I have to specify tls-replication yes in sentinel.conf. Then I am forced to provide tls-cert-file, tls-key-file and tls-ca-cert-file in the same sentinel.conf. I can set tls-auth-clients optional so I can at least connect to Sentinels w/o providing certs.
Is there a simpler way to tell Sentinels to connect to Redis via TLS?
Do I have to use the same certs for Sentinels as for Redis servers?
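A sentinel.conf for the TLS side of the setup above, written here as an added example (not from the thread or the Redis project); the host names, file paths and quorum are assumptions. It shows the combination the thread arrives at: tls-replication yes makes Sentinel reach the monitored masters over TLS, which in turn requires the tls-*-file directives, while tls-auth-clients optional lets clients reach the Sentinel itself without a client certificate.

```conf
# sentinel.conf (added example; host names, paths and quorum are assumptions)

port 0                # no plaintext listener on the Sentinel itself
tls-port 26379        # Sentinel accepts client and Sentinel-to-Sentinel connections over TLS

# Required once tls-port or tls-replication is used: the Sentinel's own
# certificate and key, plus the CA used to verify peers.
tls-cert-file /etc/redis/sentinel.crt
tls-key-file /etc/redis/sentinel.key
tls-ca-cert-file /etc/redis/ca.crt   # must be able to verify the Redis servers' certificates

# Clients and other Sentinels may connect without presenting a certificate;
# if one is presented it is still verified against tls-ca-cert-file.
tls-auth-clients optional

# Outbound connections to the monitored masters (and the replicas Sentinel
# discovers through them) use TLS. This is what lets this Sentinel reach
# Redis2 and Redis3, and also why it cannot reach Redis1, which has no TLS listener.
tls-replication yes

# Redis2 listens on both; point Sentinel at its tls-port, not port 6379.
sentinel monitor redis2 redis2.example.internal 7379 2
# Redis3 is TLS only, with tls-port 6379.
sentinel monitor redis3 redis3.example.internal 6379 2
```

A Sentinel with tls-replication no would instead be limited to Redis1 and Redis2 on port 6379, so the two groups still need two separate Sentinel sets.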