Add: support TLS mode for redis client

Implements #21

.env.defaults

@@ -16,4 +16,6 @@ REDIS_PREFIX=ui-middleware
 REDIS_HOSTS=localhost:6379
 REDIS_USERNAME=
 REDIS_PASSWORD=
+REDIS_TLS_ENABLED=false
+REDIS_TLS_CA=
 ORIGINS=*

README.md

@@ -47,6 +47,8 @@ It is possible to horizontally scale the UI Middleware, as more clients are fetc
 | `redis.username`         | `REDIS_USERNAME`           | Redis username                               | `""`                 |
 | `redis.password`         | `REDIS_PASSWORD`           | Redis password                               | `""`                 |
 | `redis.sidecar.image`    | N/A                        | Redis sidecar image                          | `"redis:latest"`     |
+| `redis.tls.enabled`      | `REDIS_TLS_ENABLED`        | Enable TLS for Redis                         | `false`              |
+| `redis.tls.ca`           | `REDIS_TLS_CA`             | PEM version of redis server CA certificate   | `""`                 |
 | `compressFileSize`       | `COMPRESS_FILE_SIZE`       | Larger files will be gzipped                 | `600`                |
 | `compressFileTypes`      | `COMPRESS_FILE_TYPES`      | Set of compression mime types                | application/javascript application/json application/x-javascript application/xml application/xml+rss text/css text/html text/javascript text/plain text/xml image/svg+xml |
 | `slowRequestThreshold`   | `SLOW_REQUEST_THRESHOLD`   | Slow request threshold in ms                 | `4000`               |

helm/core-ui-middleware/templates/deployment.yaml

@@ -59,6 +59,15 @@ spec:
             {{- end }}
             - name: REDIS_PREFIX
               value: "{{ .Values.redis.prefix }}"
+            - name: REDIS_TLS_ENABLED
+              value: "{{ .Values.redis.tls.enabled }}"
+            {{- if .Values.redis.tls.enabled }}
+            - name: REDIS_TLS_CA
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "core-ui-middleware.redisSecret" . }}
+                  key: ca.crt
+            {{- end }}
           ports:
             - name: http
               containerPort: {{ .Values.containerPort | default 8080 }}

helm/core-ui-middleware/templates/redis-secret.yaml

-{{- if .Values.redis.auth.enabled -}}
+{{- if or .Values.redis.auth.enabled  .Values.redis.tls.enabled -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,4 +7,5 @@ type: Opaque
 data:
   username: {{ .Values.redis.auth.username | b64enc | quote }}
   password: {{ .Values.redis.auth.password | b64enc | quote }}
+  ca.crt: {{ .Values.redis.auth.ca | b64enc | quote }}
 {{- end -}}

helm/core-ui-middleware/templates/updater.yaml

@@ -59,6 +59,15 @@ spec:
             {{- end }}
             - name: REDIS_PREFIX
               value: "{{ .Values.redis.prefix }}"
+            - name: REDIS_TLS_ENABLED
+              value: "{{ .Values.redis.tls.enabled }}"
+            {{- if .Values.redis.tls.enabled }}
+            - name: REDIS_TLS_CA
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "core-ui-middleware.redisSecret" . }}
+                  key: ca.crt
+            {{- end }}
           ports:
             - name: tcp-monitoring
               containerPort: 9090

helm/core-ui-middleware/values.yaml

@@ -111,6 +111,9 @@ redis:
     - localhost:6379
   db: 0
   sentinelMasterId: "mymaster"
+  tls:
+    enabled: false
+    ca: ""
   auth:
     enabled: false
     username: ""

src/redis.js

@@ -30,11 +30,18 @@ const hosts = (process.env.REDIS_HOSTS || '').split(',').map(host => {
   return { host: hostname, port: Number(port) }
 })
 
+const tlsOptions = {}
+if (process.env.REDIS_TLS_ENABLED === 'true') {
+  tlsOptions.tls = {}
+  if (process.env.REDIS_TLS_CA) tlsOptions.tls.ca = process.env.REDIS_TLS_CA
+}
+
 export function createClient (id, options = commonQueueOptions) {
   options = {
     username: process.env.REDIS_USERNAME,
     db: Number(process.env.REDIS_DB),
     password: process.env.REDIS_PASSWORD,
+    ...tlsOptions,
     ...options
   }