From 02d9e3f0b771312f433db08c93d1b557adcf9200 Mon Sep 17 00:00:00 2001
From: Andrei Alexandru
Date: Fri, 27 Sep 2024 12:29:19 +0300
Subject: [PATCH] fix: add TLS config to redis client (#254)

* Add TLS config to redis client

* Add flag to enable TLS for redis connection

---------

Co-authored-by: aalexand
---
 cmd/apiserver/apiserver.go |  19 ++++++-
 local/.env.local           |   1 +
 local/setup.sh             |   1 +
 pkg/config/config.go       | 100 ++++++++++++++++++++-----------------
 pkg/config/config_test.go  |  94 +++++++++++++++++----------------
 5 files changed, 121 insertions(+), 94 deletions(-)

diff --git a/cmd/apiserver/apiserver.go b/cmd/apiserver/apiserver.go
index 32cd43f..c2086cc 100644
--- a/cmd/apiserver/apiserver.go
+++ b/cmd/apiserver/apiserver.go
@@ -14,6 +14,7 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"github.com/adobe/cluster-registry/pkg/apiserver/docs"
 	"github.com/adobe/cluster-registry/pkg/apiserver/event"
 	"github.com/adobe/cluster-registry/pkg/apiserver/web"
@@ -32,6 +33,8 @@ import (
 	"github.com/labstack/gommon/log"
 	"github.com/redis/go-redis/v9"
 	echoSwagger "github.com/swaggo/echo-swagger"
+	"net"
+	"strings"
 )
 
 // Version it's passed as ldflags in the build process
@@ -82,9 +85,21 @@ func main() {
 		return
 	}
 
-	redisClient := redis.NewClient(&redis.Options{
+	redisOptions := &redis.Options{
 		Addr: appConfig.ApiCacheRedisHost,
-	})
+	}
+
+	if appConfig.ApiCacheRedisTLSEnabled {
+		redisOptions.TLSConfig = &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		}
+		redisHost := strings.Split(appConfig.ApiCacheRedisHost, ":")[0]
+		if ipAddr := net.ParseIP(redisHost); ipAddr == nil {
+			redisOptions.TLSConfig.ServerName = redisHost
+		}
+	}
+
+	redisClient := redis.NewClient(redisOptions)
 	cmd := redisClient.Info(context.Background())
 	if cmd.Err() != nil {
 		log.Fatalf("Cannot connect to redis: %s", cmd.Err().Error())
diff --git a/local/.env.local b/local/.env.local
index 7c3e994..5455d51 100644
--- a/local/.env.local
+++ b/local/.env.local
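Review bot: `strings.Split(appConfig.ApiCacheRedisHost, ":")[0]` in the new TLS branch yields `[` for a bracketed IPv6 literal such as `[::1]:6379`, so `net.ParseIP` returns nil, ServerName becomes `[`, and certificate verification can never succeed; `net.SplitHostPort` handles both address forms and reports malformed input, e.g. `redisHost, _, err := net.SplitHostPort(appConfig.ApiCacheRedisHost)` followed by a `log.Fatalf` on err in the style of the connection check just below. The IP-versus-hostname branch may also be unnecessary: if go-redis dials through `tls.DialWithDialer` (as v9 appears to), an empty ServerName is filled in from the dial address and IP hosts are verified against IP SANs, so the conditional assignment changes nothing — worth confirming against the go-redis version in go.mod before simplifying. Pinning `MinVersion: tls.VersionTLS12` while leaving verification enabled is the right baseline. Separately, the `"net"` and `"strings"` imports added in the second hunk sit after the third-party group; goimports would place them alongside `"context"` and `"crypto/tls"`. The enclosing main() continues outside the hunk.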
@@ -46,5 +46,6 @@ export IMAGE_REDIS="redis/redis-stack-server:latest"
 export CONTAINER_REDIS="redis"
 export API_CACHE_TTL=1h
 export API_CACHE_REDIS_HOST="localhost:6379"
+export API_CACHE_REDIS_TLS_ENABLED="false"
 export CONTAINER_SYNC_MANAGER="cluster-registry-sync-manager"
 export IMAGE_SYNC_MANAGER="ghcr.io/adobe/cluster-registry-sync-manager"
\ No newline at end of file
diff --git a/local/setup.sh b/local/setup.sh
index 63e0840..08b7afd 100755
--- a/local/setup.sh
+++ b/local/setup.sh
@@ -179,6 +179,7 @@ if [[ "${RUN_APISERVER}" == 1 ]]; then
         -e API_AUTHORIZED_GROUP_ID="${API_AUTHORIZED_GROUP_ID}" \
         -e API_CACHE_TTL \
         -e API_CACHE_REDIS_HOST=${CONTAINER_REDIS}:6379 \
+        -e API_CACHE_REDIS_TLS_ENABLED \
         --network "${NETWORK}" \
         "${IMAGE_APISERVER}":"${TAG}" || die "Failed to create $CONTAINER_API container."
 fi
diff --git a/pkg/config/config.go b/pkg/config/config.go
index b3f13e2..7b14d82 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -22,29 +22,30 @@ import (
 )
 
 type AppConfig struct {
-	ApiRateLimiterEnabled bool
-	ApiHost string
-	AwsRegion string
-	DbEndpoint string
-	DbAwsRegion string
-	DbTableName string
-	DbIndexName string
-	LogLevel log.Lvl
-	OidcClientId string
-	OidcIssuerUrl string
-	SqsEndpoint string
-	SqsAwsRegion string
-	SqsQueueName string
-	SqsBatchSize int64
-	SqsWaitSeconds int64
-	SqsRunInterval int
-	K8sResourceId string
-	ApiTenantId string
-	ApiClientId string
-	ApiClientSecret string
-	ApiAuthorizedGroupId string
-	ApiCacheTTL time.Duration
-	ApiCacheRedisHost string
+	ApiRateLimiterEnabled bool
+	ApiHost string
+	AwsRegion string
+	DbEndpoint string
+	DbAwsRegion string
+	DbTableName string
+	DbIndexName string
+	LogLevel log.Lvl
+	OidcClientId string
+	OidcIssuerUrl string
+	SqsEndpoint string
+	SqsAwsRegion string
+	SqsQueueName string
+	SqsBatchSize int64
+	SqsWaitSeconds int64
+	SqsRunInterval int
+	K8sResourceId string
+	ApiTenantId string
+	ApiClientId string
+	ApiClientSecret string
+	ApiAuthorizedGroupId string
+	ApiCacheTTL time.Duration
+	ApiCacheRedisHost string
+	ApiCacheRedisTLSEnabled bool
 }
 
 func LoadApiConfig() (*AppConfig, error) {
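Review bot: The new `ApiCacheRedisTLSEnabled` field is added without a comment, and nothing in the struct records that its environment variable defaults to on. Since LoadApiConfig (later in this file) falls back to `"true"` when `API_CACHE_REDIS_TLS_ENABLED` is unset, a line such as `// ApiCacheRedisTLSEnabled enables TLS for the API cache Redis connection (API_CACHE_REDIS_TLS_ENABLED, default true).` would make the secure-by-default choice visible to anyone reading the config type. The rest of the hunk is gofmt realignment of the existing fields.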
@@ -174,30 +175,37 @@ func LoadApiConfig() (*AppConfig, error) {
 		return nil, fmt.Errorf("environment variable API_CACHE_REDIS_HOST is not set")
 	}
 
+	apiCacheRedisTLSEnabled := getEnv("API_CACHE_REDIS_TLS_ENABLED", "true")
+	apiCacheRedisTLSEnabledBool, err := strconv.ParseBool(apiCacheRedisTLSEnabled)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing API_CACHE_REDIS_TLS_ENABLED: %v", err)
+	}
+
 	return &AppConfig{
-		AwsRegion: awsRegion,
-		DbEndpoint: dbEndpoint,
-		DbAwsRegion: dbAwsRegion,
-		DbTableName: dbTableName,
-		DbIndexName: dbIndexName,
-		SqsEndpoint: sqsEndpoint,
-		SqsAwsRegion: sqsAwsRegion,
-		SqsQueueName: sqsQueueName,
-		SqsBatchSize: sqsBatchSizeInt,
-		SqsWaitSeconds: sqsWaitSecondsInt,
-		SqsRunInterval: sqsRunIntervalInt,
-		OidcClientId: oidcClientId,
-		OidcIssuerUrl: oidcIssuerUrl,
-		ApiRateLimiterEnabled: apiRateLimiterEnabled,
-		LogLevel: logLevel,
-		ApiHost: apiHost,
-		K8sResourceId: k8sResourceId,
-		ApiTenantId: apiTenantId,
-		ApiClientId: apiClientId,
-		ApiClientSecret: apiClientSecret,
-		ApiAuthorizedGroupId: authorizedGroupId,
-		ApiCacheTTL: apiCacheTTL,
-		ApiCacheRedisHost: apiCacheRedisHost,
+		AwsRegion: awsRegion,
+		DbEndpoint: dbEndpoint,
+		DbAwsRegion: dbAwsRegion,
+		DbTableName: dbTableName,
+		DbIndexName: dbIndexName,
+		SqsEndpoint: sqsEndpoint,
+		SqsAwsRegion: sqsAwsRegion,
+		SqsQueueName: sqsQueueName,
+		SqsBatchSize: sqsBatchSizeInt,
+		SqsWaitSeconds: sqsWaitSecondsInt,
+		SqsRunInterval: sqsRunIntervalInt,
+		OidcClientId: oidcClientId,
+		OidcIssuerUrl: oidcIssuerUrl,
+		ApiRateLimiterEnabled: apiRateLimiterEnabled,
+		LogLevel: logLevel,
+		ApiHost: apiHost,
+		K8sResourceId: k8sResourceId,
+		ApiTenantId: apiTenantId,
+		ApiClientId: apiClientId,
+		ApiClientSecret: apiClientSecret,
+		ApiAuthorizedGroupId: authorizedGroupId,
+		ApiCacheTTL: apiCacheTTL,
+		ApiCacheRedisHost: apiCacheRedisHost,
+		ApiCacheRedisTLSEnabled: apiCacheRedisTLSEnabledBool,
 	}, nil
 }
 
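Review bot: The new error in the `strconv.ParseBool` branch is built with `%v`, which flattens the underlying parse error so callers cannot inspect it with `errors.Is`/`errors.As`; prefer `return nil, fmt.Errorf("parsing API_CACHE_REDIS_TLS_ENABLED: %w", err)`. If the other parse errors earlier in LoadApiConfig (outside this hunk) also use `%v`, consistency is a fair argument, but new code should wrap. Defaulting to `"true"` when the variable is unset is the right choice for a network cache connection; note that local/.env.local in this same patch sets it to `"false"`, so local runs are intentionally plaintext while deployments are not. The earlier statements of LoadApiConfig are outside the hunk.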
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index 933b084..f099e26 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -72,54 +72,56 @@ func TestLoadApiConfig(t *testing.T) {
 		{
 			name: "valid api config",
 			envVars: map[string]string{
-				"AWS_REGION": "aws-region",
-				"DB_ENDPOINT": "http://localhost:8000",
-				"DB_AWS_REGION": "db-aws-region",
-				"DB_TABLE_NAME": "cluster-registry-local",
-				"DB_INDEX_NAME": "search-index-local",
-				"SQS_ENDPOINT": "http://localhost:9324",
-				"SQS_AWS_REGION": "sqs-aws-region",
-				"SQS_QUEUE_NAME": "cluster-registry-local",
-				"OIDC_CLIENT_ID": "oidc-client-id",
-				"OIDC_ISSUER_URL": "http://fake-oidc-provider",
-				"API_RATE_LIMITER": "enabled",
-				"LOG_LEVEL": "DEBUG",
-				"SQS_BATCH_SIZE": "10",
-				"SQS_WAIT_SECONDS": "5",
-				"SQS_RUN_INTERVAL": "30",
-				"API_HOST": "custom-host:8080",
-				"K8S_RESOURCE_ID": "k8s-resource-id",
-				"API_TENANT_ID": "api-tenant-id",
-				"API_CLIENT_ID": "api-client-id",
-				"API_CLIENT_SECRET": "api-client-secret",
-				"API_AUTHORIZED_GROUP_ID": "api-authorized-group-id",
-				"API_CACHE_TTL": "1h",
-				"API_CACHE_REDIS_HOST": "localhost:6379",
+				"AWS_REGION": "aws-region",
+				"DB_ENDPOINT": "http://localhost:8000",
+				"DB_AWS_REGION": "db-aws-region",
+				"DB_TABLE_NAME": "cluster-registry-local",
+				"DB_INDEX_NAME": "search-index-local",
+				"SQS_ENDPOINT": "http://localhost:9324",
+				"SQS_AWS_REGION": "sqs-aws-region",
+				"SQS_QUEUE_NAME": "cluster-registry-local",
+				"OIDC_CLIENT_ID": "oidc-client-id",
+				"OIDC_ISSUER_URL": "http://fake-oidc-provider",
+				"API_RATE_LIMITER": "enabled",
+				"LOG_LEVEL": "DEBUG",
+				"SQS_BATCH_SIZE": "10",
+				"SQS_WAIT_SECONDS": "5",
+				"SQS_RUN_INTERVAL": "30",
+				"API_HOST": "custom-host:8080",
+				"K8S_RESOURCE_ID": "k8s-resource-id",
+				"API_TENANT_ID": "api-tenant-id",
+				"API_CLIENT_ID": "api-client-id",
+				"API_CLIENT_SECRET": "api-client-secret",
+				"API_AUTHORIZED_GROUP_ID": "api-authorized-group-id",
+				"API_CACHE_TTL": "1h",
+				"API_CACHE_REDIS_HOST": "localhost:6379",
+				"API_CACHE_REDIS_TLS_ENABLED": "true",
 			},
 			expectedAppConfig: &AppConfig{
-				ApiRateLimiterEnabled: true,
-				ApiHost: "custom-host:8080",
-				AwsRegion: "aws-region",
-				DbEndpoint: "http://localhost:8000",
-				DbAwsRegion: "db-aws-region",
-				DbTableName: "cluster-registry-local",
-				DbIndexName: "search-index-local",
-				LogLevel: log.DEBUG,
-				OidcClientId: "oidc-client-id",
-				OidcIssuerUrl: "http://fake-oidc-provider",
-				SqsEndpoint: "http://localhost:9324",
-				SqsAwsRegion: "sqs-aws-region",
-				SqsQueueName: "cluster-registry-local",
-				SqsBatchSize: 10,
-				SqsWaitSeconds: 5,
-				SqsRunInterval: 30,
-				K8sResourceId: "k8s-resource-id",
-				ApiTenantId: "api-tenant-id",
-				ApiClientId: "api-client-id",
-				ApiClientSecret: "api-client-secret",
-				ApiAuthorizedGroupId: "api-authorized-group-id",
-				ApiCacheTTL: time.Hour,
-				ApiCacheRedisHost: "localhost:6379",
+				ApiRateLimiterEnabled: true,
+				ApiHost: "custom-host:8080",
+				AwsRegion: "aws-region",
+				DbEndpoint: "http://localhost:8000",
+				DbAwsRegion: "db-aws-region",
+				DbTableName: "cluster-registry-local",
+				DbIndexName: "search-index-local",
+				LogLevel: log.DEBUG,
+				OidcClientId: "oidc-client-id",
+				OidcIssuerUrl: "http://fake-oidc-provider",
+				SqsEndpoint: "http://localhost:9324",
+				SqsAwsRegion: "sqs-aws-region",
+				SqsQueueName: "cluster-registry-local",
+				SqsBatchSize: 10,
+				SqsWaitSeconds: 5,
+				SqsRunInterval: 30,
+				K8sResourceId: "k8s-resource-id",
+				ApiTenantId: "api-tenant-id",
+				ApiClientId: "api-client-id",
+				ApiClientSecret: "api-client-secret",
+				ApiAuthorizedGroupId: "api-authorized-group-id",
+				ApiCacheTTL: time.Hour,
+				ApiCacheRedisHost: "localhost:6379",
+				ApiCacheRedisTLSEnabled: true,
 			},
 			expectedError: nil,
 		},
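Review bot: The updated case only exercises `"API_CACHE_REDIS_TLS_ENABLED": "true"`, so neither the unset path (which LoadApiConfig resolves to true through its `"true"` default) nor an invalid value (which should surface the `error parsing API_CACHE_REDIS_TLS_ENABLED` error) is covered, and those are the two branches the patch actually introduces. Two further table entries — one omitting the variable and expecting `ApiCacheRedisTLSEnabled: true`, one setting it to a non-boolean string such as `"maybe"` (constructed example) and expecting a non-nil error — would lock the secure default in against a later change. The test table and TestLoadApiConfig itself begin before this hunk.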