Spring Cloud Gateway for Kubernetes now has configuration support that allows you to use Redis for managing shared state between API gateway instances. This shared state includes SSO authentication, rate limit counts and active client sessions. Redis has become a popular data service for managing a shared cache between applications.

Using Redis as session storage implementation

By default, Hazelcast is used as session storage implementation when single sign-on is activated. However, the in-memory key-value database, Redis, can be used to store data in a distributed way with HA capabilities.

Note Activating Redis for session storage implicitly activates the use of Redis for RateLimit filter. When updating a running instance, any information previously held in Hazelcast about requests counts or user sessions won't be migrated.

To activate Redis as a session storage, you need to add a Redis binding:

  1. Create a secret with the following properties (example: redis-session-config-secret) in the same namespace of the Spring Cloud Gateway definition

    • spring.data.redis.host (Required)
    • spring.data.redis.port (Optional - 6379 is configured by default)
    • spring.data.redis.username (Optional - no username is configured by default)
    • spring.data.redis.password (Optional - no password is configured by default)
    • spring.data.redis.ssl (Optional - false by default; true requires configuring a certificate, see Configure client TLS for Redis)
    • spring.session.redis.repository-type (Optional - default type is configured; indexed can be configured for WebSockets)
    • spring.cloud.gateway.k8s.redis.key-prefix (Optional - scg by default; prefix applied to all Redis keys managed by SCG for K8s, including rate limit)
    • spring.session.redis.namespace (Optional - spring:session: by default, appended to the previous prefix to better isolate data belonging to different gateway instances in a shared Redis instance)

  2. Define the redis properties secret in the bindings

    apiVersion: "tanzu.vmware.com/v1"
kind: SpringCloudGateway
metadata:
  name: test-gateway-sso
spec:
  count: 1
  sso:
    secret: test-gateway-sso-credentials
  bindings:
    redis:
      secret: redis-session-config-secret

Configure client TLS for Redis

To configure TLS for connecting SCG with Redis, you need to add the next properties into the secret specified by spec.binding.redis.secret:

  • spring.data.redis.ssl=true

Additionally, if your Redis service is using custom certificates, not included as a public CA, you need to configure the client certificates using the property spring.cloud.gateway.k8s.redis.trustedCertificate.

Example using a custom certificate:

  1. Create the certificate secret:

    kubectl create secret tls redis-tls-custom-cert --cert=/path/to/redis-tls.cert --key=/path/to/redis-tls.key

  2. Create the bindings secret:

    kubectl create secret generic redis-session-config-secret   \
   --from-literal spring.data.redis.host=your-redis-host    \
   --from-literal spring.data.redis.ssl=true                \
   --from-literal spring.data.redis.username=username       \
   --from-literal spring.data.redis.password=password       \
   --from-literal spring.data.redis.port=port               \
   --from-literal spring.cloud.gateway.k8s.redis.trustedCertificate=redis-tls-custom-cert

Using Redis as session storage implementation in Standalone Gateway

The same properties defined in the secret of the previous section can be used to configured Redis in Standalone Gateway. Additionally, you can also specify

  • spring.cloud.gateway.k8s.redis.trustedCertificate (Optional - for a TLS with custom certificates, you can specify the path of the public certificate to use)
  • spring.cloud.gateway.k8s.redis.key-prefix (Optional - scg by default; prefix applied to all Redis keys managed by SCG for K8s, including rate limit)
  • spring.session.redis.namespace (Optional - spring:session: by default, appended to the previous prefix to better isolate data belonging to different gateway instances in a shared Redis instance)

Both spring.cloud.gateway.k8s.redis.key-prefix and spring.session.redis.namespace can be used to avoid any possible conflicts between different applications or gateway instances. For example, configuring the following keys in the binding secret will result in all keys within Redis to be prefixed with my-org:my-gateway:.

spring.cloud.gateway.k8s.redis.key-prefix=my-org
spring.session.redis.namespace=my-gateway
check-circle-line exclamation-circle-line close-line
Scroll to top icon