From f44c8d4182f682b30e0f92734ae595231ad32983 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian=20B=C3=A4ume?= <julian.baeume@open-xchange.com>
Date: Fri, 22 Mar 2024 14:51:55 +0100
Subject: [PATCH] Add: support TLS mode for redis client

Implements #21
---
 .env.defaults                                       | 2 ++
 README.md                                           | 2 ++
 helm/core-ui-middleware/templates/deployment.yaml   | 9 +++++++++
 helm/core-ui-middleware/templates/redis-secret.yaml | 3 ++-
 helm/core-ui-middleware/templates/updater.yaml      | 9 +++++++++
 helm/core-ui-middleware/values.yaml                 | 3 +++
 src/redis.js                                        | 7 +++++++
 7 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/.env.defaults b/.env.defaults
index b80b50c..b4dfb61 100644
--- a/.env.defaults
+++ b/.env.defaults
@@ -16,4 +16,6 @@ REDIS_PREFIX=ui-middleware
 REDIS_HOSTS=localhost:6379
 REDIS_USERNAME=
 REDIS_PASSWORD=
+REDIS_TLS_ENABLED=false
+REDIS_TLS_CA=
 ORIGINS=*
diff --git a/README.md b/README.md
index b3fc64e..c6c24a0 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,8 @@ It is possible to horizontally scale the UI Middleware, as more clients are fetc
 | `redis.username`         | `REDIS_USERNAME`           | Redis username                               | `""`                 |
 | `redis.password`         | `REDIS_PASSWORD`           | Redis password                               | `""`                 |
 | `redis.sidecar.image`    | N/A                        | Redis sidecar image                          | `"redis:latest"`     |
+| `redis.tls.enabled`      | `REDIS_TLS_ENABLED`        | Enable TLS for Redis                         | `false`              |
+| `redis.tls.ca`           | `REDIS_TLS_CA`             | PEM version of redis server CA certificate   | `""`                 |
 | `compressFileSize`       | `COMPRESS_FILE_SIZE`       | Larger files will be gzipped                 | `600`                |
 | `compressFileTypes`      | `COMPRESS_FILE_TYPES`      | Set of compression mime types                | application/javascript application/json application/x-javascript application/xml application/xml+rss text/css text/html text/javascript text/plain text/xml image/svg+xml |
 | `slowRequestThreshold`   | `SLOW_REQUEST_THRESHOLD`   | Slow request threshold in ms                 | `4000`               |
diff --git a/helm/core-ui-middleware/templates/deployment.yaml b/helm/core-ui-middleware/templates/deployment.yaml
index 1574374..c85ee1a 100644
--- a/helm/core-ui-middleware/templates/deployment.yaml
+++ b/helm/core-ui-middleware/templates/deployment.yaml
@@ -59,6 +59,15 @@ spec:
             {{- end }}
             - name: REDIS_PREFIX
               value: "{{ .Values.redis.prefix }}"
+            - name: REDIS_TLS_ENABLED
+              value: "{{ .Values.redis.tls.enabled }}"
+            {{- if .Values.redis.tls.enabled }}
+            - name: REDIS_TLS_CA
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "core-ui-middleware.redisSecret" . }}
+                  key: ca.crt
+            {{- end }}
           ports:
             - name: http
               containerPort: {{ .Values.containerPort | default 8080 }}
diff --git a/helm/core-ui-middleware/templates/redis-secret.yaml b/helm/core-ui-middleware/templates/redis-secret.yaml
index 749fdb4..6d70bd0 100644
--- a/helm/core-ui-middleware/templates/redis-secret.yaml
+++ b/helm/core-ui-middleware/templates/redis-secret.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.redis.auth.enabled -}}
+{{- if or .Values.redis.auth.enabled  .Values.redis.tls.enabled -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,4 +7,5 @@ type: Opaque
 data:
   username: {{ .Values.redis.auth.username | b64enc | quote }}
   password: {{ .Values.redis.auth.password | b64enc | quote }}
+  ca.crt: {{ .Values.redis.auth.ca | b64enc | quote }}
 {{- end -}}
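Review bot: The new `ca.crt` entry reads `.Values.redis.auth.ca`, but the value this patch adds to values.yaml and documents in the README is `redis.tls.ca`, so the CA an operator configures never reaches the secret; depending on the Helm version a nil value piped into `b64enc` either fails to render or yields an empty `ca.crt`, and an empty `REDIS_TLS_CA` leaves `tls.ca` unset in src/redis.js, i.e. the client verifies against its default roots instead of the private CA. Change it to `ca.crt: {{ .Values.redis.tls.ca | b64enc | quote }}`. Since the secret is now also rendered when only `redis.tls.enabled` is set, consider wrapping the `username`/`password` entries in `{{- if .Values.redis.auth.enabled }}` so a TLS-only install does not publish empty credential keys.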
diff --git a/helm/core-ui-middleware/templates/updater.yaml b/helm/core-ui-middleware/templates/updater.yaml
index b71741e..040467e 100644
--- a/helm/core-ui-middleware/templates/updater.yaml
+++ b/helm/core-ui-middleware/templates/updater.yaml
@@ -59,6 +59,15 @@ spec:
             {{- end }}
             - name: REDIS_PREFIX
               value: "{{ .Values.redis.prefix }}"
+            - name: REDIS_TLS_ENABLED
+              value: "{{ .Values.redis.tls.enabled }}"
+            {{- if .Values.redis.tls.enabled }}
+            - name: REDIS_TLS_CA
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "core-ui-middleware.redisSecret" . }}
+                  key: ca.crt
+            {{- end }}
           ports:
             - name: tcp-monitoring
               containerPort: 9090
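Review bot: These nine env lines are a byte-for-byte copy of the block added to deployment.yaml, which makes it easy for the two workloads to drift the next time the Redis wiring changes (secret name and key must stay in sync in both places). Moving them into a named template in `_helpers.tpl`, e.g. `{{- define "core-ui-middleware.redisTlsEnv" }}` holding the REDIS_TLS_ENABLED/REDIS_TLS_CA entries, and replacing both copies with `{{- include "core-ui-middleware.redisTlsEnv" . | nindent 12 }}` keeps a single source of truth. The `env:` list this hunk extends begins outside the hunk.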
diff --git a/helm/core-ui-middleware/values.yaml b/helm/core-ui-middleware/values.yaml
index 7449163..0842833 100644
--- a/helm/core-ui-middleware/values.yaml
+++ b/helm/core-ui-middleware/values.yaml
@@ -111,6 +111,9 @@ redis:
     - localhost:6379
   db: 0
   sentinelMasterId: "mymaster"
+  tls:
+    enabled: false
+    ca: ""
   auth:
     enabled: false
     username: ""
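Review bot: The new `tls` keys carry no commentary, unlike the README table, so someone editing values.yaml cannot tell what format `ca` expects or what happens when it is left empty. Add `# Enable TLS for the Redis client connection` above `enabled` and `# PEM-encoded CA certificate used to verify the Redis server; leave empty to rely on the client's default trust store (set this for a private CA)` above `ca`. The `ca` value is consumed through the redis secret template, so its key name must match what that template reads.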
diff --git a/src/redis.js b/src/redis.js
index 70c03e2..38d55bf 100644
--- a/src/redis.js
+++ b/src/redis.js
@@ -30,11 +30,18 @@ const hosts = (process.env.REDIS_HOSTS || '').split(',').map(host => {
   return { host: hostname, port: Number(port) }
 })
 
+const tlsOptions = {}
+if (process.env.REDIS_TLS_ENABLED === 'true') {
+  tlsOptions.tls = {}
+  if (process.env.REDIS_TLS_CA) tlsOptions.tls.ca = process.env.REDIS_TLS_CA
+}
+
 export function createClient (id, options = commonQueueOptions) {
   options = {
     username: process.env.REDIS_USERNAME,
     db: Number(process.env.REDIS_DB),
     password: process.env.REDIS_PASSWORD,
+    ...tlsOptions,
     ...options
   }
 
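Review bot: With `REDIS_TLS_ENABLED=true` and an empty `REDIS_TLS_CA`, the added block silently enables TLS with `tls.ca` unset, so a deployment whose CA never made it into the environment (e.g. a chart templating slip) would verify against the bundled public roots and fail against a private CA with a bare certificate error that does not point at the missing variable; a startup check makes that explicit, e.g. `if (ca && !ca.includes('-----BEGIN CERTIFICATE-----')) throw new Error('REDIS_TLS_CA must be a PEM certificate')` plus a log line when TLS is on and `ca` is empty. If the client is ioredis (the import is outside the hunk) and sentinel mode is in use — values.yaml defines `sentinelMasterId` — note that `tls` applies only to the data connection; the sentinel connections need `sentinelTLS` / `enableTLSForSentinelMode` as well, otherwise the sentinel hop stays in cleartext. It is good that `rejectUnauthorized` is not exposed as a knob, so certificate verification cannot be switched off by configuration. `createClient`'s body continues past the end of the hunk.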
-- 
GitLab