diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,10 @@ name: CI
 
 on: pull_request
 
+concurrency:
+  group: ${{ github.head_ref }}
+  cancel-in-progress: true
+
 jobs:
   setup_matrix:
     name: 'Setup Test Matrix'

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,19 @@ All notable changes to this project will be documented in this file.
 Each new release typically also includes the latest modulesync defaults.
 These should not affect the functionality of the module.
 
+## [v8.2.0](https://github.com/voxpupuli/puppet-redis/tree/v8.2.0) (2021-10-11)
+
+[Full Changelog](https://github.com/voxpupuli/puppet-redis/compare/v8.1.1...v8.2.0)
+
+**Implemented enhancements:**
+
+- allow bin\_path overrides for custom redis installs [\#423](https://github.com/voxpupuli/puppet-redis/pull/423) ([aamerik](https://github.com/aamerik))
+- Add TLS support [\#421](https://github.com/voxpupuli/puppet-redis/pull/421) ([aamerik](https://github.com/aamerik))
+
+**Fixed bugs:**
+
+- Skip ensuring package if sentinel requires no additional package [\#417](https://github.com/voxpupuli/puppet-redis/pull/417) ([kajinamit](https://github.com/kajinamit))
+
 ## [v8.1.1](https://github.com/voxpupuli/puppet-redis/tree/v8.1.1) (2021-08-30)
 
 [Full Changelog](https://github.com/voxpupuli/puppet-redis/compare/v8.1.0...v8.1.1)

diff --git a/REFERENCE.md b/REFERENCE.md
@@ -92,6 +92,7 @@ The following parameters are available in the `redis` class:
 * [`auto_aof_rewrite_min_size`](#auto_aof_rewrite_min_size)
 * [`auto_aof_rewrite_percentage`](#auto_aof_rewrite_percentage)
 * [`bind`](#bind)
+* [`bin_path`](#bin_path)
 * [`config_dir`](#config_dir)
 * [`config_dir_mode`](#config_dir_mode)
 * [`config_file_orig`](#config_file_orig)
@@ -164,6 +165,18 @@ The following parameters are available in the `redis` class:
 * [`tcp_backlog`](#tcp_backlog)
 * [`tcp_keepalive`](#tcp_keepalive)
 * [`timeout`](#timeout)
+* [`tls_port`](#tls_port)
+* [`tls_cert_file`](#tls_cert_file)
+* [`tls_key_file`](#tls_key_file)
+* [`tls_ca_cert_file`](#tls_ca_cert_file)
+* [`tls_ca_cert_dir`](#tls_ca_cert_dir)
+* [`tls_auth_clients`](#tls_auth_clients)
+* [`tls_replication`](#tls_replication)
+* [`tls_cluster`](#tls_cluster)
+* [`tls_ciphers`](#tls_ciphers)
+* [`tls_ciphersuites`](#tls_ciphersuites)
+* [`tls_protocols`](#tls_protocols)
+* [`tls_prefer_server_ciphers`](#tls_prefer_server_ciphers)
 * [`ulimit`](#ulimit)
 * [`ulimit_managed`](#ulimit_managed)
 * [`unixsocket`](#unixsocket)
@@ -255,6 +268,14 @@ Configure which IP address(es) to listen on. To bind on all interfaces, use an e
 
 Default value: `['127.0.0.1']`
 
+##### <a name="bin_path"></a>`bin_path`
+
+Data type: `Stdlib::Absolutepath`
+
+Directory containing redis binary executables.
+
+Default value: `$redis::params::bin_path`
+
 ##### <a name="config_dir"></a>`config_dir`
 
 Data type: `Stdlib::Absolutepath`
@@ -843,6 +864,102 @@ Close the connection after a client is idle for N seconds (0 to disable).
 
 Default value: `0`
 
+##### <a name="tls_port"></a>`tls_port`
+
+Data type: `Optional[Stdlib::Port]`
+
+Configure which TLS port to listen on.
+
+Default value: ``undef``
+
+##### <a name="tls_cert_file"></a>`tls_cert_file`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+Specify which X.509 certificate file to use for TLS connections.
+
+Default value: ``undef``
+
+##### <a name="tls_key_file"></a>`tls_key_file`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+Specify which privaye key file to use for TLS connections.
+
+Default value: ``undef``
+
+##### <a name="tls_ca_cert_file"></a>`tls_ca_cert_file`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+Specify which X.509 CA certificate(s) bundle file to use.
+
+Default value: ``undef``
+
+##### <a name="tls_ca_cert_dir"></a>`tls_ca_cert_dir`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+Specify which X.509 CA certificate(s) bundle directory to use.
+
+Default value: ``undef``
+
+##### <a name="tls_auth_clients"></a>`tls_auth_clients`
+
+Data type: `Enum['yes', 'no', 'optional']`
+
+Specify if clients and replicas are required to authenticate using valid client side certificates.
+
+Default value: `'no'`
+
+##### <a name="tls_replication"></a>`tls_replication`
+
+Data type: `Boolean`
+
+Specify if TLS should be enabled on replication links.
+
+Default value: ``false``
+
+##### <a name="tls_cluster"></a>`tls_cluster`
+
+Data type: `Boolean`
+
+Specify if TLS should be used for the bus protocol.
+
+Default value: ``false``
+
+##### <a name="tls_ciphers"></a>`tls_ciphers`
+
+Data type: `Optional[String[1]]`
+
+Configure allowed ciphers for TLS <= TLSv1.2.
+
+Default value: ``undef``
+
+##### <a name="tls_ciphersuites"></a>`tls_ciphersuites`
+
+Data type: `Optional[String[1]]`
+
+Configure allowed TLSv1.3 ciphersuites.
+
+Default value: ``undef``
+
+##### <a name="tls_protocols"></a>`tls_protocols`
+
+Data type: `Optional[String[1]]`
+
+Configure allowed TLS protocol versions.
+
+Default value: ``undef``
+
+##### <a name="tls_prefer_server_ciphers"></a>`tls_prefer_server_ciphers`
+
+Data type: `Boolean`
+
+Specify if the server's preference should be used when choosing a cipher.
+
+Default value: ``false``
+
 ##### <a name="ulimit"></a>`ulimit`
 
 Data type: `Integer[0]`
@@ -1258,7 +1375,8 @@ Default value: `$redis::params::sentinel_package_name`
 
 Data type: `String[1]`
 
-Do we ensure this package.
+Do we ensure this package. This parameter takes effect only if
+an independent package is required for sentinel.
 
 Default value: `'installed'`
 
@@ -1461,6 +1579,18 @@ The following parameters are available in the `redis::instance` defined type:
 * [`tcp_backlog`](#tcp_backlog)
 * [`tcp_keepalive`](#tcp_keepalive)
 * [`timeout`](#timeout)
+* [`tls_port`](#tls_port)
+* [`tls_cert_file`](#tls_cert_file)
+* [`tls_key_file`](#tls_key_file)
+* [`tls_ca_cert_file`](#tls_ca_cert_file)
+* [`tls_ca_cert_dir`](#tls_ca_cert_dir)
+* [`tls_auth_clients`](#tls_auth_clients)
+* [`tls_replication`](#tls_replication)
+* [`tls_cluster`](#tls_cluster)
+* [`tls_ciphers`](#tls_ciphers)
+* [`tls_ciphersuites`](#tls_ciphersuites)
+* [`tls_protocols`](#tls_protocols)
+* [`tls_prefer_server_ciphers`](#tls_prefer_server_ciphers)
 * [`ulimit`](#ulimit)
 * [`ulimit_managed`](#ulimit_managed)
 * [`unixsocket`](#unixsocket)
@@ -2053,6 +2183,102 @@ Close the connection after a client is idle for N seconds (0 to disable).
 
 Default value: `$redis::timeout`
 
+##### <a name="tls_port"></a>`tls_port`
+
+Data type: `Optional[Stdlib::Port]`
+
+Configure which TLS port to listen on.
+
+Default value: `$redis::tls_port`
+
+##### <a name="tls_cert_file"></a>`tls_cert_file`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+Specify which X.509 certificate file to use for TLS connections.
+
+Default value: `$redis::tls_cert_file`
+
+##### <a name="tls_key_file"></a>`tls_key_file`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+Specify which privaye key file to use for TLS connections.
+
+Default value: `$redis::tls_key_file`
+
+##### <a name="tls_ca_cert_file"></a>`tls_ca_cert_file`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+Specify which X.509 CA certificate(s) bundle file to use.
+
+Default value: `$redis::tls_ca_cert_file`
+
+##### <a name="tls_ca_cert_dir"></a>`tls_ca_cert_dir`
+
+Data type: `Optional[Stdlib::Absolutepath]`
+
+Specify which X.509 CA certificate(s) bundle directory to use.
+
+Default value: `$redis::tls_ca_cert_dir`
+
+##### <a name="tls_auth_clients"></a>`tls_auth_clients`
+
+Data type: `Enum['yes', 'no', 'optional']`
+
+Specify if clients and replicas are required to authenticate using valid client side certificates.
+
+Default value: `$redis::tls_auth_clients`
+
+##### <a name="tls_replication"></a>`tls_replication`
+
+Data type: `Boolean`
+
+Specify if TLS should be enabled on replication links.
+
+Default value: `$redis::tls_replication`
+
+##### <a name="tls_cluster"></a>`tls_cluster`
+
+Data type: `Boolean`
+
+Specify if TLS should be used for the bus protocol.
+
+Default value: `$redis::tls_cluster`
+
+##### <a name="tls_ciphers"></a>`tls_ciphers`
+
+Data type: `Optional[String[1]]`
+
+Configure allowed ciphers for TLS <= TLSv1.2.
+
+Default value: `$redis::tls_ciphers`
+
+##### <a name="tls_ciphersuites"></a>`tls_ciphersuites`
+
+Data type: `Optional[String[1]]`
+
+Configure allowed TLSv1.3 ciphersuites.
+
+Default value: `$redis::tls_ciphersuites`
+
+##### <a name="tls_protocols"></a>`tls_protocols`
+
+Data type: `Optional[String[1]]`
+
+Configure allowed TLS protocol versions.
+
+Default value: `$redis::tls_protocols`
+
+##### <a name="tls_prefer_server_ciphers"></a>`tls_prefer_server_ciphers`
+
+Data type: `Optional[Boolean]`
+
+Specify if the server's preference should be used when choosing a cipher.
+
+Default value: `$redis::tls_prefer_server_ciphers`
+
 ##### <a name="ulimit"></a>`ulimit`
 
 Data type: `Integer[0]`
@@ -2080,7 +2306,7 @@ Default value: `"/var/run/redis/redis-server-${name}.sock"`
 
 ##### <a name="unixsocketperm"></a>`unixsocketperm`
 
-Data type: `Variant[Stdlib::Filemode , Enum['']]`
+Data type: `Variant[Stdlib::Filemode, Enum['']]`
 
 Define unix socket file permissions
 

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -37,6 +37,8 @@
 #   Adjust percentatge for auto-aof-rewrite.
 # @param bind
 #   Configure which IP address(es) to listen on. To bind on all interfaces, use an empty array.
+# @param bin_path
+#   Directory containing redis binary executables.
 # @param config_dir
 #   Directory containing the configuration files.
 # @param config_dir_mode
@@ -193,6 +195,30 @@
 #   TCP keepalive.
 # @param timeout
 #   Close the connection after a client is idle for N seconds (0 to disable).
+# @param tls_port
+#   Configure which TLS port to listen on.
+# @param tls_cert_file
+#   Specify which X.509 certificate file to use for TLS connections.
+# @param tls_key_file
+#   Specify which privaye key file to use for TLS connections.
+# @param tls_ca_cert_file
+#   Specify which X.509 CA certificate(s) bundle file to use.
+# @param tls_ca_cert_dir
+#   Specify which X.509 CA certificate(s) bundle directory to use.
+# @param tls_auth_clients
+#   Specify if clients and replicas are required to authenticate using valid client side certificates.
+# @param tls_replication
+#   Specify if TLS should be enabled on replication links.
+# @param tls_cluster
+#   Specify if TLS should be used for the bus protocol.
+# @param tls_ciphers
+#   Configure allowed ciphers for TLS <= TLSv1.2.
+# @param tls_ciphersuites
+#   Configure allowed TLSv1.3 ciphersuites.
+# @param tls_protocols
+#   Configure allowed TLS protocol versions.
+# @param tls_prefer_server_ciphers
+#   Specify if the server's preference should be used when choosing a cipher.
 # @param ulimit
 #   Limit the use of system-wide resources.
 # @param ulimit_managed
@@ -242,6 +268,7 @@
   Variant[Stdlib::IP::Address, Array[Stdlib::IP::Address]] $bind = ['127.0.0.1'],
   String[1] $output_buffer_limit_slave                           = '256mb 64mb 60',
   String[1] $output_buffer_limit_pubsub                          = '32mb 8mb 60',
+  Stdlib::Absolutepath $bin_path                                 = $redis::params::bin_path,
   String[1] $conf_template                                       = 'redis/redis.conf.epp',
   Stdlib::Absolutepath $config_dir                               = $redis::params::config_dir,
   Stdlib::Filemode $config_dir_mode                              = $redis::params::config_dir_mode,
@@ -315,6 +342,18 @@
   Integer[0] $tcp_backlog                                        = 511,
   Integer[0] $tcp_keepalive                                      = 0,
   Integer[0] $timeout                                            = 0,
+  Optional[Stdlib::Port] $tls_port                               = undef,
+  Optional[Stdlib::Absolutepath] $tls_cert_file                  = undef,
+  Optional[Stdlib::Absolutepath] $tls_key_file                   = undef,
+  Optional[Stdlib::Absolutepath] $tls_ca_cert_file               = undef,
+  Optional[Stdlib::Absolutepath] $tls_ca_cert_dir                = undef,
+  Enum['yes', 'no', 'optional'] $tls_auth_clients                = 'no',
+  Boolean $tls_replication                                       = false,
+  Boolean $tls_cluster                                           = false,
+  Optional[String[1]] $tls_ciphers                               = undef,
+  Optional[String[1]] $tls_ciphersuites                          = undef,
+  Optional[String[1]] $tls_protocols                             = undef,
+  Boolean $tls_prefer_server_ciphers                             = false,
   Variant[Stdlib::Absolutepath, Enum['']] $unixsocket            = '/var/run/redis/redis.sock',
   Variant[Stdlib::Filemode, Enum['']] $unixsocketperm            = '0755',
   Integer[0] $ulimit                                             = 65536,