feat: Add SSL Support for Redis and Redis Sentinel Connections

.gitignore

@@ -137,3 +137,5 @@ logs/
 
 # Generated files
 docs/manager/rest-reference/openapi.json
+
+fixtures/redis

changes/1605.feature.md

@@ -0,0 +1 @@
+Add SSL Support for Redis and Redis Sentinel Connections

configs/manager/sample.etcd.redis-tls.json

@@ -0,0 +1,9 @@
+{
+  "redis_helper_config": {
+    "ssl": true,
+    "ssl_cert_reqs": "required",
+    "ssl_ca_certs": "${SSL_CA_CERTS_PATH}",
+    "ssl_certfile": "${SSL_CERTFILE_PATH}",
+    "ssl_keyfile": "${SSL_KEYFILE_PATH}"
+  }
+}

configs/redis/sentinel.conf

@@ -1,12 +1,19 @@
 port REDIS_SENTINEL_SELF_PORT
 requirepass develove
 
+tls-cert-file /fixtures/cert.pem
+tls-key-file /fixtures/key.pem
+tls-ca-cert-file /fixtures/cert.pem
+tls-auth-clients no
+tls-port REDIS_SENTINEL_SELF_EXPOSED_PORT
+tls-replication yes
+
 sentinel resolve-hostnames yes
 sentinel announce-ip REDIS_SENTINEL_SELF_HOST
-sentinel announce-port REDIS_SENTINEL_SELF_PORT
+sentinel announce-port REDIS_SENTINEL_SELF_EXPOSED_PORT
 sentinel auth-pass mymaster develove
 sentinel down-after-milliseconds mymaster 1000
 sentinel failover-timeout mymaster 5000
 sentinel parallel-syncs mymaster 2
-sentinel monitor mymaster node01 9500 2
+sentinel monitor mymaster node01 REDIS_MASTER_EXPOSED_PORT 2
 protected-mode no

configs/webserver/halfstack.conf

@@ -55,6 +55,12 @@ redis.addr = "localhost:6379"
 # redis.redis_helper_config.socket_connect_timeout = 2
 # redis.redis_helper_config.reconnect_poll_timeout = 0.3
 
+# redis.redis_helper_config.ssl = true
+# redis.redis_helper_config.ssl_cert_reqs = "required"
+# redis.redis_helper_config.ssl_ca_certs = ${SSL_CA_CERTS_PATH}
+# redis.redis_helper_config.ssl_certfile = ${SSL_CERTFILE_PATH}
+# redis.redis_helper_config.ssl_keyfile = ${SSL_KEYFILE_PATH}
+
 max_age = 604800  # 1 week
 flush_on_startup = false
 login_block_time = 1200  # 20 min (in sec)

configs/webserver/sample.conf

@@ -132,6 +132,12 @@ redis.addr = "localhost:6379"
 # redis.redis_helper_config.socket_connect_timeout = 2
 # redis.redis_helper_config.reconnect_poll_timeout = 0.3
 
+# redis.redis_helper_config.ssl = true
+# redis.redis_helper_config.ssl_cert_reqs = "required"
+# redis.redis_helper_config.ssl_ca_certs = ${SSL_CA_CERTS_PATH}
+# redis.redis_helper_config.ssl_certfile = ${SSL_CERTFILE_PATH}
+# redis.redis_helper_config.ssl_keyfile = ${SSL_KEYFILE_PATH}
+
 max_age = 604800  # 1 week
 flush_on_startup = false
 # Time to block login when an email consecutively fails to login

docker-compose.halfstack-2303.yml

@@ -30,9 +30,16 @@ services:
       - "8110:6379"
     volumes:
       - "./volumes/${DATADIR_PREFIX:-.}/redis-data:/data:rw"
+      - "./fixtures/redis:/fixtures:rw"
     command: >
       redis-server
       --appendonly yes
+      --tls-auth-clients no
+      --tls-port 6380
+      --tls-cert-file /fixtures/cert.pem
+      --tls-ca-cert-file /fixtures/cert.pem
+      --tls-key-file /fixtures/key.pem
+
     healthcheck:
       test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
       interval: 5s

docker-compose.halfstack-ha.yml

@@ -22,16 +22,26 @@ services:
     networks:
     - half
     ports:
-    - 0.0.0.0:${REDIS_MASTER_PORT}:${REDIS_MASTER_PORT}
+    - 0.0.0.0:${REDIS_MASTER_EXPOSED_PORT}:${REDIS_MASTER_EXPOSED_PORT}
+    volumes:
+      - "./volumes/${DATADIR_PREFIX:-.}/redis-data:/data:rw"
+      - "./fixtures/redis:/fixtures:rw"
     command: >
       redis-server
       --port ${REDIS_MASTER_PORT}
       --requirepass ${REDIS_PASSWORD:-develove}
       --masterauth ${REDIS_PASSWORD:-develove}
       --replica-announce-ip node01
-      --replica-announce-port ${REDIS_MASTER_PORT}
+      --replica-announce-port ${REDIS_MASTER_EXPOSED_PORT}
       --min-slaves-to-write 1
       --min-slaves-max-lag 10
+      --tls-port ${REDIS_MASTER_EXPOSED_PORT}
+      --tls-replication yes
+      --tls-auth-clients no
+      --tls-cert-file /fixtures/cert.pem
+      --tls-ca-cert-file /fixtures/cert.pem
+      --tls-key-file /fixtures/key.pem
+
     # IMPORTANT: We have INTENTIONALLY OMITTED the healthchecks
     # because it interferes with pause/unpause of container to simulate
     # network partitioning.
@@ -42,35 +52,53 @@ services:
     networks:
     - half
     ports:
-    - 0.0.0.0:${REDIS_SLAVE1_PORT}:${REDIS_SLAVE1_PORT}
+    - 0.0.0.0:${REDIS_SLAVE1_EXPOSED_PORT}:${REDIS_SLAVE1_EXPOSED_PORT}
+    volumes:
+      - "./volumes/${DATADIR_PREFIX:-.}/redis-data:/data:rw"
+      - "./fixtures/redis:/fixtures:rw"
     command: >
       redis-server
       --port ${REDIS_SLAVE1_PORT}
       --requirepass ${REDIS_PASSWORD:-develove}
       --masterauth ${REDIS_PASSWORD:-develove}
-      --slaveof node01 ${REDIS_MASTER_PORT}
+      --slaveof node01 ${REDIS_MASTER_EXPOSED_PORT}
       --replica-announce-ip node02
-      --replica-announce-port ${REDIS_SLAVE1_PORT}
+      --replica-announce-port ${REDIS_SLAVE1_EXPOSED_PORT}
       --min-slaves-to-write 1
       --min-slaves-max-lag 10
+      --tls-port ${REDIS_SLAVE1_EXPOSED_PORT}
+      --tls-replication yes
+      --tls-auth-clients no
+      --tls-cert-file /fixtures/cert.pem
+      --tls-ca-cert-file /fixtures/cert.pem
+      --tls-key-file /fixtures/key.pem
 
   backendai-half-redis-node03:
     image: redis:7.0.5-alpine
     hostname: node03
     ports:
-    - 0.0.0.0:${REDIS_SLAVE2_PORT}:${REDIS_SLAVE2_PORT}
+    - 0.0.0.0:${REDIS_SLAVE2_EXPOSED_PORT}:${REDIS_SLAVE2_EXPOSED_PORT}
     networks:
     - half
+    volumes:
+      - "./volumes/${DATADIR_PREFIX:-.}/redis-data:/data:rw"
+      - "./fixtures/redis:/fixtures:rw"
     command: >
       redis-server
-      --port ${REDIS_SLAVE2_PORT}
+      --port 9502
       --requirepass ${REDIS_PASSWORD:-develove}
       --masterauth ${REDIS_PASSWORD:-develove}
-      --slaveof node01 ${REDIS_MASTER_PORT}
+      --slaveof node01 ${REDIS_MASTER_EXPOSED_PORT}
       --replica-announce-ip node03
-      --replica-announce-port ${REDIS_SLAVE2_PORT}
+      --replica-announce-port ${REDIS_SLAVE2_EXPOSED_PORT}
       --min-slaves-to-write 1
       --min-slaves-max-lag 10
+      --tls-port ${REDIS_SLAVE2_EXPOSED_PORT}
+      --tls-replication yes
+      --tls-auth-clients no
+      --tls-cert-file /fixtures/cert.pem
+      --tls-ca-cert-file /fixtures/cert.pem
+      --tls-key-file /fixtures/key.pem
 
   backendai-half-redis-sentinel01:
     image: redis:7.0.5-alpine
@@ -81,16 +109,16 @@ services:
     - type: bind
       source: ${COMPOSE_PATH}
       target: /config
+    - "./volumes/${DATADIR_PREFIX:-.}/redis-data:/data:rw"
+    - "./fixtures/redis:/fixtures:rw"
     ports:
-    - 0.0.0.0:${REDIS_SENTINEL1_PORT}:${REDIS_SENTINEL1_PORT}
+    - 0.0.0.0:${REDIS_SENTINEL1_EXPOSED_PORT}:${REDIS_SENTINEL1_EXPOSED_PORT}
     depends_on:
     - backendai-half-redis-node01
     - backendai-half-redis-node02
     - backendai-half-redis-node03
     command: >
       redis-sentinel /config/sentinel01.conf
-    environment:
-      - REDIS_PASSWORD=${REDIS_PASSWORD:-develove}
 
   backendai-half-redis-sentinel02:
     image: redis:7.0.5-alpine
@@ -101,16 +129,16 @@ services:
     - type: bind
       source: ${COMPOSE_PATH}
       target: /config
+    - "./volumes/${DATADIR_PREFIX:-.}/redis-data:/data:rw"
+    - "./fixtures/redis:/fixtures:rw"
     ports:
-    - 0.0.0.0:${REDIS_SENTINEL2_PORT}:${REDIS_SENTINEL2_PORT}
+    - 0.0.0.0:${REDIS_SENTINEL2_EXPOSED_PORT}:${REDIS_SENTINEL2_EXPOSED_PORT}
     depends_on:
     - backendai-half-redis-node01
     - backendai-half-redis-node02
     - backendai-half-redis-node03
     command: >
       redis-sentinel /config/sentinel02.conf
-    environment:
-    - REDIS_PASSWORD=${REDIS_PASSWORD:-develove}
 
   backendai-half-redis-sentinel03:
     image: redis:7.0.5-alpine
@@ -121,16 +149,16 @@ services:
     - type: bind
       source: ${COMPOSE_PATH}
       target: /config
+    - "./volumes/${DATADIR_PREFIX:-.}/redis-data:/data:rw"
+    - "./fixtures/redis:/fixtures:rw"
     ports:
-    - 0.0.0.0:${REDIS_SENTINEL3_PORT}:${REDIS_SENTINEL3_PORT}
+    - 0.0.0.0:${REDIS_SENTINEL3_EXPOSED_PORT}:${REDIS_SENTINEL3_EXPOSED_PORT}
     depends_on:
     - backendai-half-redis-node01
     - backendai-half-redis-node02
     - backendai-half-redis-node03
     command: >
       redis-sentinel /config/sentinel03.conf
-    environment:
-    - REDIS_PASSWORD=${REDIS_PASSWORD:-develove}
 
   backendai-half-etcd-proxy:
     image: quay.io/coreos/etcd:v3.5.4