fix(relay): enable Redis TLS for rediss:// (ElastiCache)#1417
Merged
Prod ElastiCache uses rediss:// (TLS), but the redis crate was compiled without a TLS feature, so relay startup died at Redis pool creation with "can't connect with TLS, the feature is not enabled". Dev uses plaintext redis://, so it never surfaced.

Two coupled changes are required:

1. Add "tokio-rustls-comp" to the workspace redis dependency so the client can negotiate TLS for rediss:// URLs.
2. Install a rustls CryptoProvider at relay startup. With the TLS feature enabled, both aws-lc-rs and ring are compiled in transitively, so rustls cannot auto-select a provider and panics at first use. We install ring explicitly in main(), mirroring buzz-acp's existing rustls setup for wss://.

Adding only the feature (without the provider) swaps the clean startup error for a runtime panic; both parts are needed.

Plaintext redis:// (local/dev) is unchanged: the TLS path is only taken for rediss:// URLs, and the provider install is a no-op cost otherwise.

Co-authored-by: Tyler Longwell <tlongwell@block.xyz>
Signed-off-by: Tyler Longwell <tlongwell@block.xyz>

The workspace redis TLS feature added in the prior commit also applies to buzz-admin, which publishes membership changes (add-member/remove-member) over Redis. Run inside the prod container against rediss:// ElastiCache, its main() would hit the same panic the relay did: both aws-lc-rs and ring are compiled in transitively, so rustls can't auto-select a CryptoProvider.

Install ring at the top of buzz-admin's main(), mirroring buzz-relay, so the whole prod image is TLS-safe rather than just the relay binary.

Co-authored-by: Tyler Longwell <tlongwell@block.xyz>
Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
tellaho pushed a commit that referenced this pull request (Jul 1, 2026):
…-preview * origin/main: fix(relay): enable Redis TLS for rediss:// (ElastiCache) (#1417) chore(release): release Buzz Desktop version 0.3.40 (#1414) fix(desktop): stabilize channel-timeline scrollback with per-row height reserves (#1413) fix(sidebar): trim working badge label and name working agents in tooltip (#1408) Mobile tab bar polish (#1368) feat(desktop): let thread pane expand on ultrawide monitors (#1407) chore(release): release Buzz Desktop version 0.3.39 (#1410) fix: close cross-process keychain race and namespace dev-build nest (#1409) feat(relay): allow agent owners to edit/manage agent-owned content (#1403) fix(media): support IRSA/credential-chain S3 auth and configurable signing region (#1406) fix(desktop): fold baked build env into in-process model discovery (#1376) docs: link VISION_ACTIVITY from the VISION index (#1405)
tellaho pushed a commit that referenced this pull request (Jul 1, 2026):
…vity-embed * origin/main: fix(relay): enable Redis TLS for rediss:// (ElastiCache) (#1417) chore(release): release Buzz Desktop version 0.3.40 (#1414) fix(desktop): stabilize channel-timeline scrollback with per-row height reserves (#1413) fix(sidebar): trim working badge label and name working agents in tooltip (#1408) Mobile tab bar polish (#1368) feat(desktop): let thread pane expand on ultrawide monitors (#1407) chore(release): release Buzz Desktop version 0.3.39 (#1410) fix: close cross-process keychain race and namespace dev-build nest (#1409) feat(relay): allow agent owners to edit/manage agent-owned content (#1403) fix(media): support IRSA/credential-chain S3 auth and configurable signing region (#1406) fix(desktop): fold baked build env into in-process model discovery (#1376) docs: link VISION_ACTIVITY from the VISION index (#1405)
Problem

The relay crashes at startup on the bb-block (prod) cluster:

Prod ElastiCache is addressed via `rediss://` (TLS), but the `redis` crate was compiled with no TLS feature (`tokio-comp`, `connection-manager` only). Local/dev uses plaintext `redis://`, so this never surfaced there — same shape as the S3/IRSA fix (#1406): a prod-only path dev never exercised.

This is the blocker after #1406 — kubectl confirms the relay now gets past S3/git (Postgres connects, migrations run, owner bootstrapped) and dies at Redis pool creation.

Fix — two coupled parts

Empirically, either part alone is insufficient:

1. `redis` dep — add `tokio-rustls-comp` so the client can negotiate TLS for `rediss://`.
2. `CryptoProvider` at relay startup — with the TLS feature on, both `aws-lc-rs` and `ring` are compiled in transitively, so rustls cannot auto-select a provider and panics at first TLS use. We install `ring` explicitly in `main()`, mirroring `buzz-acp`'s existing rustls setup for `wss://`.

A probe confirmed adding only the feature swaps the clean startup error for a runtime panic in `CryptoProvider::get_default_or_install_from_crate_features()` — hence both parts.

Blast radius

`redis://` (local/dev) is unchanged: the TLS path is only taken for `rediss://` URLs; the provider install is a cheap no-op otherwise. `install_default()` runs once at the top of `main()`, before any TLS is attempted (Redis, wss, or S3-over-TLS).

Files

- `Cargo.toml` — add `tokio-rustls-comp` to the workspace `redis` dep
- `crates/buzz-relay/Cargo.toml` — add `rustls` (ring, std) dep
- `crates/buzz-relay/src/main.rs` — install `ring` provider at startup
- `Cargo.lock`

Validation

`cargo test -p buzz-relay` — 428 pass; the one Redis integration test (`redis_presence_publish...`) times out only under parallel full-suite pool contention and passes cleanly in isolation (env-dependent, not this change). `cargo fmt --check` ✅ · `cargo clippy -p buzz-relay` ✅

Deploy path

After this merges and the image builds, a third bb-block PR bumps the relay image tag. Deploy is not declared fixed until the pod is observed Running/Ready via read-only kubectl.
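The lesson of this PR is that a prod-only TLS path can fail in two different ways (TLS feature not compiled into the client; no rustls CryptoProvider installed) and that the second failure shows up as a panic at first use rather than at startup. The block below is an added example, not code from the Buzz repo: a std-only startup preflight that inspects every configured Redis URL and refuses to start with a specific, credential-free error before any pool is created. The `TlsRuntime` booleans are assumptions standing in for real build/runtime facts; in a real binary `tls_compiled` would come from `cfg!(feature = ...)` on the crate's own feature that enables `redis`'s `tokio-rustls-comp`, and `provider_installed` from `rustls::crypto::CryptoProvider::get_default().is_some()` after the `install_default()` call at the top of `main()`.

```rust
// Added example, not Buzz code: a startup preflight for Redis URLs that turns
// "TLS feature missing" and "no CryptoProvider installed" into explicit
// startup errors instead of a late runtime panic. std-only so it runs alone.
use std::fmt;

#[derive(Debug, PartialEq, Eq)]
pub enum RedisScheme {
    Plain, // redis://
    Tls,   // rediss://
    Unix,  // redis+unix:// (no TLS involved)
}

#[derive(Debug, PartialEq, Eq)]
pub enum PreflightError {
    UnknownScheme(String),
    TlsFeatureMissing(String),
    NoCryptoProvider(String),
}

impl fmt::Display for PreflightError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::UnknownScheme(s) => write!(f, "unsupported Redis URL scheme {s:?}"),
            Self::TlsFeatureMissing(u) => write!(
                f,
                "{u} needs TLS but the redis client was built without a TLS feature (e.g. tokio-rustls-comp)"
            ),
            Self::NoCryptoProvider(u) => write!(
                f,
                "{u} needs TLS but no rustls CryptoProvider is installed; call install_default() at the top of main()"
            ),
        }
    }
}

/// Assumed facts about the binary. In a real service: `tls_compiled` from
/// `cfg!(feature = ...)` on your own TLS feature, `provider_installed` from
/// `rustls::crypto::CryptoProvider::get_default().is_some()`.
#[derive(Clone, Copy)]
pub struct TlsRuntime {
    pub tls_compiled: bool,
    pub provider_installed: bool,
}

pub fn scheme_of(url: &str) -> Result<RedisScheme, PreflightError> {
    let (scheme, _) = url
        .split_once("://")
        .ok_or_else(|| PreflightError::UnknownScheme(url.to_string()))?;
    match scheme.to_ascii_lowercase().as_str() {
        "redis" => Ok(RedisScheme::Plain),
        "rediss" => Ok(RedisScheme::Tls),
        "redis+unix" => Ok(RedisScheme::Unix),
        other => Err(PreflightError::UnknownScheme(other.to_string())),
    }
}

/// Keep only scheme and host:port so the error never leaks the URL password.
fn redact(url: &str) -> String {
    let (scheme, rest) = url.split_once("://").unwrap_or(("", url));
    let authority = rest.split(['/', '?']).next().unwrap_or("");
    let host = authority.rsplit('@').next().unwrap_or(authority);
    format!("{scheme}://{host}")
}

/// Check every URL before pool creation. The feature check comes first: a
/// provider is useless without a TLS-capable client. Returns how many URLs
/// will use TLS; plaintext and unix URLs never touch the TLS checks.
pub fn preflight_redis(urls: &[&str], rt: TlsRuntime) -> Result<usize, PreflightError> {
    let mut tls_urls = 0;
    for url in urls {
        if scheme_of(url)? != RedisScheme::Tls {
            continue;
        }
        if !rt.tls_compiled {
            return Err(PreflightError::TlsFeatureMissing(redact(url)));
        }
        if !rt.provider_installed {
            return Err(PreflightError::NoCryptoProvider(redact(url)));
        }
        tls_urls += 1;
    }
    Ok(tls_urls)
}

fn main() {
    // Constructed inputs; the hostnames and password are placeholders.
    let urls = ["rediss://:hunter2@prod-cache.example:6379/0", "redis://localhost:6379"];
    for (label, rt) in [
        ("feature missing", TlsRuntime { tls_compiled: false, provider_installed: false }),
        ("feature only", TlsRuntime { tls_compiled: true, provider_installed: false }),
        ("feature + provider", TlsRuntime { tls_compiled: true, provider_installed: true }),
    ] {
        match preflight_redis(&urls, rt) {
            Ok(n) => println!("{label}: ok, {n} TLS connection(s)"),
            Err(e) => println!("{label}: startup refused: {e}"),
        }
    }
}
```

Running `main` walks the three states the PR describes: feature missing, feature without provider, and both present. Only the last one passes, and the two refusals name the exact missing piece while redacting the URL password, so the message is safe to ship to pod logs.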