Hi Team,

To give you the context, currently in our deployment we are using the Redis utility both in DB and Sentinel mode over SSL. For the SSL certificate rotation scenario, Redis DB mode exposes the command "CONFIG SET ..." to make the newly rotated certificates take effect at run time. But for Sentinel mode, we don't see such a command/option being available to date, so we need to restart the Sentinel deployment every time for the newly rotated certificates to take effect. Is there any workaround available for this issue, and is there any associated reason that Redis doesn't support this option in Sentinel mode to date? We are using Redis version 7.0.8.
Thanks!
Comment From: hwware
Hi @sswain123 Did you mean you want the commands similar to "config set" in the DB mode?
Sentinel mode provides some configurable parameters via "sentinel config get parameter" and "sentinel config set parameter value", and Sentinel also provides "sentinel set".
However, because the sentinel is a special mode for redis db model, we disable some config parameters. Thanks
Comment From: sswain123
Hi,
The query is majorly for the redis DB mode commands "CONFIG SET tls-cert-file \<certfile>", "CONFIG SET tls-key-file \<keyfile>", "CONFIG SET tls-ca-cert-file \
Comment From: hwware
@moticless @yossigo Maybe I understand incorrectly; it looks like Sentinel does not support any TLS config right now. If that is the case, do we have a plan to support it? If it supports TLS, do we need to add this part in our conf file? Thanks
Comment From: moticless
Unlike the Redis server, since Sentinel is a very lightweight process, it is very cheap to restart the process. Is there anything behind ease of use?
Comment From: sswain123
Hi, just to give you the full context, we use both the Redis DB and Sentinel mode in our deployments. Due to certain measures we have to rotate the TLS certs every one hour or less. So every time there is a cert rotation, we have to restart every Sentinel pod, and it is a costly overhead for the operation. For this reason we wanted to check if this is the expected nature of Sentinel mode and if there are any future plans for introducing support for the same. Any clarity/input on this would be good for us for now.
Comment From: moticless
To the best of my understanding there is no option to rotate the certificate without restarting the Sentinel process.
@yossigo, fyi
Comment From: yossigo
This is another symptom of Sentinel having a separate CONFIG command, although it does share a lot of the Redis configuration which gets loaded on startup.
At this point in time, I guess it'll make sense to hand pick those Redis config parameters that are greatly missing (like tls-cert-file and tls-key-file) and explicitly expose them in Sentinel as well.