Configure an external in-memory cache (Helm)

For CARTO Self-hosted using Kubernetes and Helm

This documentation only applies to advanced Orchestrated container deployments using Kubernetes and Helm

Valkey replaces Redis as of CARTO Self-Hosted 2026.04. Valkey is an open-source fork of Redis 7.2 and is fully wire-compatible: existing external Redis instances continue to work as a drop-in cache without configuration changes. For versions earlier than 2026.04, see the legacy documentation.

CARTO Self-Hosted requires Valkey (version 6 or above) to work. This Valkey instance does not need persistence, as it is used solely as a cache.

Both Single VM deployment and Orchestrated container deployment come already with an internal Valkey deployment, but they lack any backups, autoscaling, or monitoring. Cloud vendors already offer Valkey deployments at scale as a service:

In this section, you will see how to configure the Self-hosted to use an external Valkey provided by your cloud vendor.

Setup

Configuration

Add the secret:

kubectl create secret generic \
  -n <namespace> \
  mycarto-custom-redis-secret \
  --from-literal=password=<AUTH string password>

Configure the package:

Add the following lines to your customizations.yaml to connect to the external Valkey:

internalRedis:
  # Disable the internal Valkey
  enabled: false
externalRedis:
  host: <Valkey IP/Hostname>
  port: "6379"
  existingSecret: "mycarto-custom-redis-secret"
  existingSecretPasswordKey: "password"
  tlsEnabled: true
  # Only applies if your Valkey TLS certificate it's self-signed
  # tlsCA: |
  #   -----BEGIN CERTIFICATE-----
  #   ...
  #   -----END CERTIFICATE-----

Add the following lines to your customizations.yaml to connect to the external Valkey:

internalRedis:
  # Disable the internal Valkey
  enabled: false
externalRedis:
  host: <Valkey IP/Hostname>
  port: "6379"
  password: <Valkey password>
  tlsEnabled: true
  # Only applies if your Valkey TLS certificate it's self-signed
  # tlsCA: |
  #   -----BEGIN CERTIFICATE-----
  #   ...
  #   -----END CERTIFICATE-----

Note: One kubernetes secret is going to be created automatically during the installation process with the externalRedis.password that you set in previous lines.

Configure TLS

By default, CARTO will try to connect to your Valkey without TLS enabled. In case you want to connect via TLS, you can configure it via the externalRedis.tlsEnabled parameter.

externalRedis:
  ...
  tlsEnabled: true

In case you are connecting to a Valkey where the TLS certificate is selfsigned or from a custom CA you can configure it via the externalRedis.tlsCA parameter

externalRedis:
  ...
  tlsEnabled: true
  tlsCA: |
    #   -----BEGIN CERTIFICATE-----
    #   ...
    #   -----END CERTIFICATE-----

PreviousConfigure your own buckets (Helm)NextEnable Google Basemaps (Helm)

Last updated 14 days ago

Was this helpful?