Fix TLS support for workhorse redis dialer to standalone Redis
What does this MR do and why?
This MR adds `tls.DialWithDialer` to support TLS connections. This fixes the regression introduced in !134596 (merged) where TLS support was missing.
Related to omnibus-gitlab#8329 (comment 1668323442)
Note that this MR fixes the TLS support for standalone Redis. TLS support for sentinel is not provided yet (track efforts in #421656 (closed)).
How to set up and validate locally
To replicate:
- Set up Redis using TLS. You may need to build it using the steps in https://redis.io/docs/management/security/encryption/, as the asdf/rtx-installed redis does not seem to be built with `BUILD_TLS=yes`.
- Run `./utils/gen-test-certs.sh` to generate certs and keys.
- In the redis folder, run `./src/redis-server --tls-port 6379 --port 0 --tls-cert-file ./tests/tls/redis.crt --tls-key-file ./tests/tls/redis.key --tls-ca-cert-file ./tests/tls/redis.crt --tls-auth-clients no`
- Connect to it using the cli: `./src/redis-cli --tls --insecure`
- On master branch, run `cd workhorse && make && gdk restart gitlab-workhorse`. `gdk tail gitlab-workhorse` would show errors like the following:
2023-11-28_02:33:18.97408 gitlab-workhorse : {"error":"keywatcher: read tcp 127.0.0.1:49945-\u003e127.0.0.1:6379: read: connection reset by peer","level":"error","msg":"","time":"2023-11-28T10:33:18+08:00"}
- Using this branch, set `tlsConfig.InsecureSkipVerify = true`:
diff --git a/workhorse/internal/redis/redis.go b/workhorse/internal/redis/redis.go
index e21dae916e45..77fe8693bbda 100644
--- a/workhorse/internal/redis/redis.go
+++ b/workhorse/internal/redis/redis.go
@@ -86,6 +86,7 @@ func createDialer(sentinels []string, tlsConfig *tls.Config) func(ctx context.Co
var err error
if tlsConfig != nil {
+ tlsConfig.InsecureSkipVerify = true
conn, err = tls.DialWithDialer(netDialer, network, addr, tlsConfig)
} else {
conn, err = netDialer.DialContext(ctx, network, addr)
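Review bot: the added `tlsConfig.InsecureSkipVerify = true` inside createDialer disables server certificate verification and mutates the caller's shared *tls.Config, so it must stay a local-only debugging step as the description says and never land in the branch; for the GDK setup, point RootCAs at redis.crt instead (gen-test-certs.sh uses the cert as its own CA, which is why the server above is started with `--tls-ca-cert-file ./tests/tls/redis.crt`). Separately, the retained `conn, err = tls.DialWithDialer(netDialer, network, addr, tlsConfig)` line drops ctx, unlike the `netDialer.DialContext(ctx, network, addr)` branch below it; `(&tls.Dialer{NetDialer: netDialer, Config: tlsConfig}).DialContext(ctx, network, addr)` (available since Go 1.15) keeps cancellation and deadlines consistent across both branches.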
- Run `make` and `gdk restart gitlab-workhorse`.
- Run `gdk tail gitlab-workhorse` to see that there are no more errors.
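The following is an added, self-contained Go example that is not part of this MR or of workhorse. It shows the dialer shape the MR describes (`tls.DialWithDialer` when a `*tls.Config` is present, plain `DialContext` otherwise) and then dials an in-process stand-in for `redis-server --tls-port` three ways: with the server's self-signed cert pinned as the trust root (what the GDK setup should do with redis.crt), with an empty root pool (what happens when the CA is not trusted), and with the `InsecureSkipVerify = true` debugging hack from the validation steps above. The function names `createDialer`, `mustCert`, `startServer`, `Classify` and `RunScenarios`, the in-memory certificate and the loopback listener are all assumptions constructed for this example; only the `tls.DialWithDialer` and `net.Dialer.DialContext` calls correspond to the code in the diff.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// createDialer mirrors the shape of the workhorse dialer the MR describes (an
// illustrative reimplementation, not workhorse code): nil tlsConfig dials plain
// TCP, otherwise tls.DialWithDialer runs the handshake and verifies the server.
func createDialer(tlsConfig *tls.Config) func(ctx context.Context, network, addr string) (net.Conn, error) {
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		netDialer := &net.Dialer{Timeout: 3 * time.Second}
		if tlsConfig != nil {
			return tls.DialWithDialer(netDialer, network, addr, tlsConfig)
		}
		return netDialer.DialContext(ctx, network, addr)
	}
}

// mustCert mints a throwaway self-signed cert for 127.0.0.1, standing in for
// the redis.crt that gen-test-certs.sh produces. Constructed for this example.
func mustCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startServer stands in for `redis-server --tls-port`: a loopback TLS listener
// that completes the handshake and hangs up. Returns the address to dial.
func startServer(cert tls.Certificate) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			c.(*tls.Conn).Handshake() // fails (and that is fine) when the client rejects our cert
			c.Close()
		}
	}()
	return ln.Addr().String()
}

// Classify reduces a dial result to "ok", "unknown-authority" or "error".
func Classify(err error) string {
	var uae x509.UnknownAuthorityError
	if err == nil {
		return "ok"
	}
	if errors.As(err, &uae) {
		return "unknown-authority"
	}
	return "error"
}

// RunScenarios dials one server with three client configs: the server cert
// pinned as trust root, an empty root pool, and InsecureSkipVerify.
func RunScenarios() map[string]string {
	cert := mustCert()
	addr := startServer(cert)
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	scenarios := map[string]*tls.Config{
		"trusted-ca":  {RootCAs: pool, MinVersion: tls.VersionTLS12},
		"untrusted":   {RootCAs: x509.NewCertPool(), MinVersion: tls.VersionTLS12},
		"skip-verify": {InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}, // debugging only
	}
	out := make(map[string]string, len(scenarios))
	for name, cfg := range scenarios {
		conn, err := createDialer(cfg)(context.Background(), "tcp", addr)
		if err == nil {
			conn.Close()
		}
		out[name] = Classify(err)
	}
	return out
}

func main() {
	fmt.Println(RunScenarios())
}
```

The point of the three outcomes: `tls.DialWithDialer` performs the handshake before returning, so a certificate the client does not trust fails at dial time with `x509.UnknownAuthorityError` rather than as a later "connection reset by peer" on the Redis stream; pinning redis.crt as a root gives the same success as `InsecureSkipVerify` without giving up server authentication.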
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Sylvester Chin