
feat: support self-signed certs for redis/valkey #20576


Open: wants to merge 3 commits into base branch main

Conversation

MrDuartePT

@MrDuartePT MrDuartePT commented Aug 2, 2025

Description

Despite ioredis supporting TLS connections out of the box, the support was never implemented in immich.

This means that if a user already has Redis/Valkey set up in their environment, they will need a separate instance of Redis to run immich, since the authentication will fail.

So this PR allows, by the use of environment variables, to:

  • Enable TLS by using REDIS_TLS = true (disabled by default)
  • Allow the use of an insecure connection by using REDIS_INSECURE_TLS = true
  • Allow specifying the TLS cert (REDIS_TLS_CERT) and client certs (REDIS_TLS_CA and REDIS_TLS_KEY) for setups that require them (my valkey setup)
  • Add ValidateIf and FileExist validation to all the TLS file environment variables

How Has This Been Tested?

In this link you have a docker image (older version but with all the changes) and there are 2 ways to test the changes; these tests assume an existing Redis/Valkey is already set up with TLS.

  • Test 1: Set up Redis as described in the documentation (I am using REDIS_HOSTNAME, REDIS_USERNAME and REDIS_PASSWORD) and then enable both REDIS_TLS and REDIS_TLS_INSECURE; this way no certs need to be provided.

  • Test 2: Set up Redis as described in the documentation and set up a mount point with the Redis certificates (I just mounted the secret valkey-tls in /tls-redis). Then you just add the following env:

  REDIS_TLS_CERT: /tls-redis/ca.crt
  # These two are only needed if `tls.authClients` is on
  REDIS_TLS_CA: /tls-redis/tls.crt
  REDIS_TLS_KEY: /tls-redis/tls.key

Notes: In my k3s cluster I use the valkey bitnami chart with the following values for tls:

tls:
  authClients: true
  autoGenerated: false
  certCAFilename: ca.crt
  certFilename: tls.crt
  certKeyFilename: tls.key
  dhParamsFilename: ''
  enabled: true
  existingSecret: valkey-tls

Example deployment for Test 2 (based on my setup):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: immich
  namespace: immich
spec:
  replicas: 1
  selector:
    matchLabels:
      app: immich
  template:
    metadata:
      labels:
        app: immich
    spec:
      containers:
      - name: immich-server
        #image: ghcr.io/immich-app/immich-server:release
        image: mrduartept/immich-server-redis-tls:latest
        imagePullPolicy: Always
        envFrom:
        - configMapRef:
            name: immich-env
        - secretRef:
            name: immich
        volumeMounts:
        - name: immich-photos
          mountPath: /usr/src/app/upload
        - name: localtime
          mountPath: /etc/localtime
          readOnly: true
        - name: valkey-tls
          mountPath: /tls-redis
          readOnly: true
        ports:
        - containerPort: 2283
      nodeName: master1-k3s
      volumes:
      - name: immich-vol
        persistentVolumeClaim:
          claimName: immich-pvc
      - name: localtime
        hostPath:
          path: /etc/localtime
          type: File
      - name: immich-photos
        hostPath:
          path: /mnt/nfs-proxmox/immich-photos/
          type: DirectoryOrCreate
      - name: valkey-tls
        secret:
          secretName: valkey-tls
---
apiVersion: v1
kind: Service
metadata:
  name: immich
  namespace: immich
spec:
  type: ClusterIP
  selector:
    app: immich
  ports:
  - name: web
    port: 2283
    targetPort: 2283
    protocol: TCP
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: immich-env
  namespace: immich
data:
  UPLOAD_LOCATION: "./photos"
  TZ: "Europe/Lisbon"
  IMMICH_HOST: "0.0.0.0"
  IMMICH_PORT: "2283"
  REDIS_TLS: "true"
  REDIS_TLS_INSECURE: "false"
  REDIS_TLS_CERT: /tls-redis/ca.crt
  REDIS_TLS_CA: /tls-redis/tls.crt
  REDIS_TLS_KEY: /tls-redis/tls.key
---
apiVersion: v1
kind: Secret
metadata:
  name: immich
  namespace: immich
stringData:
  DB_URL: <hidden>
  REDIS_HOSTNAME: <hidden>
  REDIS_USERNAME: <hidden>
  REDIS_PASSWORD: <hidden>
type: Opaque
---

Checklist:

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation if applicable
  • I have no unrelated changes in the PR.
  • I have confirmed that any new dependencies are strictly necessary.
  • I have followed naming conventions/patterns in the surrounding code
  • All code in src/services/ uses repositories implementations for database calls, filesystem operations, etc.
  • All code in src/repositories/ is pretty basic/simple and does not have any immich specific logic (that belongs in src/services/)

* This is used to check if the Redis TLS cert file exists

Signed-off-by: Gonçalo Negrier Duarte <[email protected]>
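As an added example, not immich's or this PR's own code: one way to map the REDIS_TLS* variables the description lists onto the tls options that ioredis hands to Node's tls.connect(), including the FileExist-style check. The interface names, the injected FileReader, and the reading of REDIS_TLS_CERT as the CA bundle and REDIS_TLS_CA/REDIS_TLS_KEY as the client pair are assumptions taken from the PR text.

```typescript
// Added example (not immich's code): maps the REDIS_TLS* environment variables
// described in the PR onto the `tls` options object ioredis forwards to
// tls.connect(). Naming follows the PR: REDIS_TLS_CERT is the server CA,
// REDIS_TLS_CA / REDIS_TLS_KEY are the client certificate and key (assumed).
import { existsSync, readFileSync } from "node:fs";

export interface RedisTlsEnv {
  REDIS_TLS?: string;
  REDIS_TLS_INSECURE?: string;
  REDIS_TLS_CERT?: string; // path to the server CA certificate
  REDIS_TLS_CA?: string;   // path to the client certificate (tls.authClients)
  REDIS_TLS_KEY?: string;  // path to the client private key
}

export interface TlsOptions {
  rejectUnauthorized?: boolean;
  ca?: string;
  cert?: string;
  key?: string;
}

// Injected so the mapping can be tested without touching the real filesystem.
export type FileReader = (path: string) => string | null;
export const fsReader: FileReader = (p) =>
  existsSync(p) ? readFileSync(p, "utf8") : null;

const isTrue = (v?: string): boolean => (v ?? "").trim().toLowerCase() === "true";

export function buildRedisTls(env: RedisTlsEnv, read: FileReader = fsReader): TlsOptions | undefined {
  if (!isTrue(env.REDIS_TLS)) return undefined; // TLS stays off unless REDIS_TLS=true

  const tls: TlsOptions = {};
  // INSECURE turns off chain verification: traffic is still encrypted, but any
  // certificate is accepted, so the client cannot tell the real server apart.
  if (isTrue(env.REDIS_TLS_INSECURE)) tls.rejectUnauthorized = false;

  // Equivalent of the PR's FileExist validation: a configured path must exist.
  const load = (name: string, path?: string): string | undefined => {
    if (!path) return undefined;
    const content = read(path);
    if (content === null) throw new Error(`${name}: file not found: ${path}`);
    return content;
  };
  tls.ca = load("REDIS_TLS_CERT", env.REDIS_TLS_CERT);
  tls.cert = load("REDIS_TLS_CA", env.REDIS_TLS_CA);
  tls.key = load("REDIS_TLS_KEY", env.REDIS_TLS_KEY);

  // Client auth needs both halves of the pair; one without the other is a misconfiguration.
  if ((tls.cert === undefined) !== (tls.key === undefined)) {
    throw new Error("REDIS_TLS_CA and REDIS_TLS_KEY must be set together");
  }
  return tls;
}
```

The result is meant to be passed as the `tls` option of the ioredis client constructor; when it is undefined the client keeps connecting in plaintext as before.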

github-actions bot commented Aug 2, 2025

Label error. Requires exactly 1 of: changelog:.*. Found: . A maintainer will add the required label.

@github-actions github-actions bot added documentation Improvements or additions to documentation 🗄️server labels Aug 2, 2025
@danieldietzler (Member) commented

Correct me if I'm wrong but afaict we already support a TLS connection (by providing the entire URL). Thus, the only addition this PR brings is support for fake certs, which I'm not sure I am a fan of.


MrDuartePT commented Aug 3, 2025

Correct me if I'm wrong but afaict we already support a TLS connection (by providing the entire URL). Thus, the only addition this PR brings is support for fake certs, which I'm not sure I am a fan of.

Yes, my setup uses self-signed certs to connect.
I did try with the full URL, even with tls.authclient: false, but it still complains about the ca.crt not being provided. That's why I created the PR.

For clarification, the certs in the example are automatically generated by cert-manager during the deployment of valkey.

@danieldietzler danieldietzler changed the title Add support for Redis/Valkey TLS connection feat: support self-signed certs for redis/valkey Aug 3, 2025