Introduction -:
Terraform Enterprise (TFE) supports connecting to an external Redis instance over mutual TLS (mTLS) from TFE version 202506-1. This secures communication by requiring both the server and the client to present certificates for authentication. As the official documentation currently omits a few details, this document explains the steps to configure TFE with Redis using mTLS.
Prerequisites -:
An external Redis instance is already configured with TLS and mTLS enabled.
The following Redis certificates/keys are available:
ca.crt – Certificate Authority file
client.crt – Client certificate for TFE
client.key – Client private key for TFE
Use Case -:
Organizations that deploy TFE in Kubernetes may require all external services (such as Redis) to use encrypted and mutually authenticated communication. Configuring mTLS for Redis ensures:
Data in transit is encrypted.
Both TFE and Redis authenticate each other.
Compliance with strict security requirements.
Procedure -:
As per the official documentation, we need to add the environment variables below to use Redis mTLS (taking an AKS deployment as the example here):
TFE_REDIS_HOST: "redis.example.com:6379"
TFE_REDIS_USE_TLS: "false"
TFE_REDIS_USE_AUTH: "false"
TFE_REDIS_USE_MTLS: "true"
# Paths to mounted certs
TFE_REDIS_CA_CERT_PATH: "<certs path mounted in pod>/ca.crt"
TFE_REDIS_CLIENT_CERT_PATH: "<certs path mounted in pod>/client.crt"
TFE_REDIS_CLIENT_KEY_PATH: "<certs path mounted in pod>/client.key"
One way to provide the certificates to the TFE pod is to create a Kubernetes secret from the certificate files and then add extraVolumes and extraVolumeMounts to the TFE deployment values, as shown below -:
Creating secret -:
kubectl -n terraform-enterprise create secret generic redis-mtls-certs \
  --from-file=ca.crt=/path/to/ca.crt \
  --from-file=client.crt=/path/to/client.crt \
  --from-file=client.key=/path/to/client.key
Adding the extraVolumes and extraVolumeMounts -:
# Mount redis certs
extraVolumes:
  - name: redis-mtls-certs
    secret:
      secretName: redis-mtls-certs
extraVolumeMounts:
  - name: redis-mtls-certs
    mountPath: <certs path to mount in pod>
    readOnly: true
Additional Information
https://developer.hashicorp.com/terraform/enterprise/v202506-1/deploy/kubernetes#aws-elastic-kubernetes-service-eks