# Configure an external in-memory cache (Helm)

{% hint style="info" %}
This documentation only applies to **advanced Orchestrated container deployments** using **Kubernetes** and **Helm**.
{% endhint %}

CARTO Self-Hosted requires Redis (version 6 or above) to work. This Redis instance does not need persistence, as it is used solely as a cache.

Both [**Single VM deployment**](https://docs.carto.com/overview#single-vm-deployment-docker-compose) and [**Orchestrated container deployment**](https://docs.carto.com/overview#orchestrated-container-deployment-kubernetes) already include an internal Redis deployment, but it lacks backups, autoscaling, and monitoring. Cloud vendors already offer Redis deployments at scale as a service:

* [Google Memorystore for Redis](https://cloud.google.com/memorystore).
* [Amazon ElastiCache for Redis](https://aws.amazon.com/elasticache/redis/).
* [Azure Cache for Redis](https://azure.microsoft.com/en-us/products/cache).

This section shows how to configure CARTO Self-Hosted to use an external Redis provided by your cloud vendor.

## Setup

### Configuration

{% tabs %}
{% tab title="Manual secrets creation" %}

1. Add the secret:

```bash
kubectl create secret generic \
  -n <namespace> \
  mycarto-custom-redis-secret \
  --from-literal=password=<AUTH string password>
```

2. Configure the package:

Add the following lines to your <mark style="color:orange;">customizations.yaml</mark> to connect to the external Redis:

```yaml
internalRedis:
  # Disable the internal Redis
  enabled: false
externalRedis:
  host: <Redis IP/Hostname>
  port: "6379"
  existingSecret: "mycarto-custom-redis-secret"
  existingSecretPasswordKey: "password"
  tlsEnabled: true
  # Only applies if your Redis TLS certificate is self-signed
  # tlsCA: |
  #   -----BEGIN CERTIFICATE-----
  #   ...
  #   -----END CERTIFICATE-----
```

{% endtab %}

{% tab title="Automatic secrets creation" %}

1. Add the following lines to your <mark style="color:orange;">customizations.yaml</mark> to connect to the external Redis:

```yaml
internalRedis:
  # Disable the internal Redis
  enabled: false
externalRedis:
  host: <Redis IP/Hostname>
  port: "6379"
  password: <Redis password>
  tlsEnabled: true
  # Only applies if your Redis TLS certificate is self-signed
  # tlsCA: |
  #   -----BEGIN CERTIFICATE-----
  #   ...
  #   -----END CERTIFICATE-----
```

> Note: A Kubernetes secret is created automatically during the installation process from the `externalRedis.password` value that you set in the previous lines.

{% endtab %}
{% endtabs %}

### Configure TLS

By default, CARTO will try to connect to your Redis without TLS enabled. To connect via TLS, set the `externalRedis.tlsEnabled` parameter.

```yaml
externalRedis:
  ...
  tlsEnabled: true
```

{% hint style="info" %}
If you are connecting to a Redis whose TLS certificate is self-signed or issued by a custom CA, you can provide the CA certificate via the `externalRedis.tlsCA` parameter.
{% endhint %}

```yaml
externalRedis:
  ...
  tlsEnabled: true
  tlsCA: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
```
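
A pre-deployment check for the Redis keys described above, as an added example that is not part of CARTO's tooling: it flags a values file that leaves TLS at its default, keeps the password inline instead of referencing a secret, or has a `tlsCA` block whose lines still carry the `#` prefix from the commented-out template. The helper name `lint_redis_values`, the host name and the password are assumptions, and both sample files are constructed.

```ruby
require 'yaml'

# Constructed sample: inline password, TLS left at its default, "#" left in tlsCA.
WEAK_VALUES = <<~'YAML'
  internalRedis:
    enabled: false
  externalRedis:
    host: redis.example.internal
    password: example-password
    tlsCA: |
      #   -----BEGIN CERTIFICATE-----
      #   ...
      #   -----END CERTIFICATE-----
YAML

# Constructed sample: password referenced through a Secret, TLS enabled.
HARDENED_VALUES = <<~'YAML'
  internalRedis:
    enabled: false
  externalRedis:
    host: redis.example.internal
    existingSecret: mycarto-custom-redis-secret
    existingSecretPasswordKey: password
    tlsEnabled: true
YAML

# Hypothetical helper (not CARTO tooling): returns a list of findings.
def lint_redis_values(yaml_text)
  values = YAML.safe_load(yaml_text) || {}
  internal = values['internalRedis'] || {}
  ext = values['externalRedis'] || {}
  return ['externalRedis block is missing'] if ext.empty?

  findings = []
  findings << 'internalRedis.enabled is not false' unless internal['enabled'] == false
  # TLS is off unless tlsEnabled is set, so a missing key is a finding too.
  findings << 'externalRedis.tlsEnabled is not true' unless ext['tlsEnabled'] == true
  # An inline password sits in cleartext wherever the values file is stored.
  findings << 'externalRedis.password is inline; use existingSecret' if ext.key?('password')

  ca_lines = ext['tlsCA'].to_s.lines.map(&:strip).reject(&:empty?)
  if ca_lines.any? { |l| l.start_with?('#') }
    # Inside a "|" block scalar, "#" lines are certificate text, not comments.
    findings << 'externalRedis.tlsCA contains "#" lines'
  elsif !ca_lines.empty? && (ca_lines.first != '-----BEGIN CERTIFICATE-----' ||
                             ca_lines.last != '-----END CERTIFICATE-----')
    findings << 'externalRedis.tlsCA is not a PEM certificate block'
  end
  findings
end
```

Call `lint_redis_values(File.read('customizations.yaml'))` before running Helm; an empty array means none of these checks fired.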
