Support connecting to Redis with client certificates
Release notes
Enable GitLab to connect with Redis over TLS with client certificates.
Problem to solve
Redis and Sentinel support configuring TLS with client authentication, so that clients can connect only if they present a valid client certificate/key pair with their requests. redis-rb supports this via the ssl_params setting, which is passed directly to OpenSSL::SSL::SSLContext.
However, because we store our Redis-related information in resque.yml, which is parsed and passed on to the Redis.new call, and because both the cert and key components of the ssl_params hash expect Ruby objects (not file paths), this is not exactly straightforward.
Proposal
Support ssl_params.{cert_file,key_file} settings in resque.yml which take paths to the certificate and key files. While parsing the yml file, convert the String paths to Ruby objects via the OpenSSL::X509::Certificate.new(File.read(<path>)) and OpenSSL::PKey.read(File.read(<path>)) methods.
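As an added example (not code from this issue or from GitLab), the conversion proposed above written as a stand-alone Ruby method: it takes the options hash built from resque.yml (symbol keys assumed), replaces ssl_params cert_file/key_file with the OpenSSL objects that redis-rb's ssl_params expects, passes configs without ssl_params or without client-auth keys through unchanged, and raises a hypothetical RedisTlsConfigError for a missing file, a lone cert or key, or a cert/key pair that does not match, rather than silently dropping client authentication. The self-signed certificate, the temporary paths, the ca_file value and the rediss:// host are constructed for the example.

```ruby
# Added example, not GitLab's code: turn resque.yml-style string paths under
# ssl_params into the OpenSSL objects redis-rb passes to OpenSSL::SSL::SSLContext.
require 'openssl'
require 'tmpdir'

# Hypothetical error class for misconfigured Redis TLS settings.
class RedisTlsConfigError < StandardError; end

# Takes the options hash built from resque.yml (symbol keys assumed) and
# replaces ssl_params[:cert_file] / ssl_params[:key_file] with
# ssl_params[:cert] / ssl_params[:key] OpenSSL objects. Returns the hash.
def parse_tls_options(config)
  ssl = config[:ssl_params]
  return config if ssl.nil? || ssl.empty? # plain (non-TLS) configs pass through untouched

  cert_file = ssl.delete(:cert_file)
  key_file  = ssl.delete(:key_file)
  # TLS without client auth (e.g. only ca_file): nothing to convert.
  return config if cert_file.nil? && key_file.nil?

  # A client certificate is useless without its key and vice versa; fail loudly.
  if cert_file.nil? || key_file.nil?
    raise RedisTlsConfigError, 'ssl_params needs both cert_file and key_file'
  end

  [cert_file, key_file].each do |path|
    raise RedisTlsConfigError, "TLS file not found: #{path}" unless File.file?(path)
  end

  # Parse eagerly so a corrupt PEM surfaces as a startup error, not a connect error.
  ssl[:cert] = OpenSSL::X509::Certificate.new(File.read(cert_file))
  ssl[:key]  = OpenSSL::PKey.read(File.read(key_file))
  unless ssl[:cert].check_private_key(ssl[:key])
    raise RedisTlsConfigError, 'cert_file and key_file do not belong together'
  end
  config
end

# --- constructed sample input: a throwaway self-signed client cert + key ---
def write_sample_pair
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=gitlab-redis-client')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))

  dir = Dir.mktmpdir('redis-tls-example')
  cert_path = File.join(dir, 'client.crt')
  key_path  = File.join(dir, 'client.key')
  File.write(cert_path, cert.to_pem)
  File.write(key_path, key.to_pem)
  [cert_path, key_path]
end

# Constructed stand-in for the hash parsed out of resque.yml.
def sample_config
  cert_path, key_path = write_sample_pair
  {
    url: 'rediss://redis.example.internal:6379', # constructed placeholder host
    ssl_params: {
      ca_file: '/etc/ssl/certs/ca.pem', # constructed; Strings are passed as-is
      cert_file: cert_path,
      key_file: key_path
    }
  }
end

if __FILE__ == $PROGRAM_NAME
  cfg = parse_tls_options(sample_config)
  puts cfg[:ssl_params][:cert].subject # /CN=gitlab-redis-client
  puts cfg[:ssl_params][:key].class    # OpenSSL::PKey::RSA
end
```

The returned hash can be handed to Redis.new unchanged; ca_file and ca_path stay Strings because OpenSSL::SSL::SSLContext accepts paths for those.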
Something like the following
diff --git a/lib/gitlab/redis/wrapper.rb b/lib/gitlab/redis/wrapper.rb
index 45fe04835cc5..ce89ec6ae08b 100644
--- a/lib/gitlab/redis/wrapper.rb
+++ b/lib/gitlab/redis/wrapper.rb
@@ -122,12 +122,14 @@ def redis_store_options
config = raw_config_hash
config[:instrumentation_class] ||= self.class.instrumentation_class
- if config[:cluster].present?
+ result = if config[:cluster].present?
config[:db] = 0 # Redis Cluster only supports db 0
config
else
parse_redis_url(config)
end
+
+ parse_tls_options(result)
end
def parse_redis_url(config)
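Review bot: the new `parse_tls_options(result)` call runs for every configuration, including the common case where resque.yml defines no ssl_params at all, and the new method starts with `config[:ssl_params].delete(:cert_file)`, so a non-TLS config will raise NoMethodError on nil. Either guard the call here with `parse_tls_options(result) if result[:ssl_params].present?` or have the method return early when ssl_params is nil.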
@@ -153,6 +155,18 @@ def parse_redis_url(config)
end
end
+ def parse_tls_options(config)
+ # ca_file and ca_path are Strings, so they can be passed as-is
+ # cert_store is not currently supported
+ cert_file = config[:ssl_params].delete(:cert_file)
+ key_file = config[:ssl_params].delete(:key_file)
+
+ config[:ssl_params][:cert] = OpenSSL::X509::Certificate.new(File.read(cert_file)) if File.exist?(cert_file)
+ config[:ssl_params][:key] = OpenSSL::PKey.read(File.read(key_file)) if File.exist?(key_file)
+
+ config
+ end
+
def raw_config_hash
config_data = fetch_config
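Review bot: `File.exist?(cert_file)` raises TypeError when `cert_file` is nil, which is what `delete(:cert_file)` returns whenever a TLS config sets only ca_file, or only one of the two new keys; check both values for nil first and treat a lone cert_file or key_file as a configuration error, since a client certificate without its key cannot be used. Also, silently skipping a path that does not exist leaves the connection without client authentication and moves the failure to the Redis server's side as an opaque handshake or AUTH error; raising a clear configuration error for a missing or unreadable file (and checking `cert.check_private_key(key)` after parsing) would fail closed at startup instead.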
Intended users
Feature Usage Metrics
Does this feature require an audit event?