fix: add TLS config to redis client (#254)

* Add TLS config to redis client

* Add flag to enable TLS for redis connection

---------

Co-authored-by: aalexand <[email protected]>

Author: aalexandru

cmd/apiserver/apiserver.go

@@ -14,6 +14,7 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"github.com/adobe/cluster-registry/pkg/apiserver/docs"
 	"github.com/adobe/cluster-registry/pkg/apiserver/event"
 	"github.com/adobe/cluster-registry/pkg/apiserver/web"
@@ -32,6 +33,8 @@ import (
 	"github.com/labstack/gommon/log"
 	"github.com/redis/go-redis/v9"
 	echoSwagger "github.com/swaggo/echo-swagger"
+	"net"
+	"strings"
 )
 
 // Version it's passed as ldflags in the build process
@@ -82,9 +85,21 @@ func main() {
 		return
 	}
 
-	redisClient := redis.NewClient(&redis.Options{
+	redisOptions := &redis.Options{
 		Addr: appConfig.ApiCacheRedisHost,
-	})
+	}
+
+	if appConfig.ApiCacheRedisTLSEnabled {
+		redisOptions.TLSConfig = &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		}
+		redisHost := strings.Split(appConfig.ApiCacheRedisHost, ":")[0]
+		if ipAddr := net.ParseIP(redisHost); ipAddr == nil {
+			redisOptions.TLSConfig.ServerName = redisHost
+		}
+	}
+
+	redisClient := redis.NewClient(redisOptions)
 	cmd := redisClient.Info(context.Background())
 	if cmd.Err() != nil {
 		log.Fatalf("Cannot connect to redis: %s", cmd.Err().Error())

local/.env.local

@@ -46,5 +46,6 @@ export IMAGE_REDIS="redis/redis-stack-server:latest"
 export CONTAINER_REDIS="redis"
 export API_CACHE_TTL=1h
 export API_CACHE_REDIS_HOST="localhost:6379"
+export API_CACHE_REDIS_TLS_ENABLED="false"
 export CONTAINER_SYNC_MANAGER="cluster-registry-sync-manager"
 export IMAGE_SYNC_MANAGER="ghcr.io/adobe/cluster-registry-sync-manager"

local/setup.sh

@@ -179,6 +179,7 @@ if [[ "${RUN_APISERVER}" == 1 ]]; then
         -e API_AUTHORIZED_GROUP_ID="${API_AUTHORIZED_GROUP_ID}" \
         -e API_CACHE_TTL \
         -e API_CACHE_REDIS_HOST=${CONTAINER_REDIS}:6379 \
+        -e API_CACHE_REDIS_TLS_ENABLED \
         --network "${NETWORK}" \
         "${IMAGE_APISERVER}":"${TAG}" || die "Failed to create $CONTAINER_API container."
 fi

pkg/config/config.go

@@ -22,29 +22,30 @@ import (
 )
 
 type AppConfig struct {
-	ApiRateLimiterEnabled bool
-	ApiHost               string
-	AwsRegion             string
-	DbEndpoint            string
-	DbAwsRegion           string
-	DbTableName           string
-	DbIndexName           string
-	LogLevel              log.Lvl
-	OidcClientId          string
-	OidcIssuerUrl         string
-	SqsEndpoint           string
-	SqsAwsRegion          string
-	SqsQueueName          string
-	SqsBatchSize          int64
-	SqsWaitSeconds        int64
-	SqsRunInterval        int
-	K8sResourceId         string
-	ApiTenantId           string
-	ApiClientId           string
-	ApiClientSecret       string
-	ApiAuthorizedGroupId  string
-	ApiCacheTTL           time.Duration
-	ApiCacheRedisHost     string
+	ApiRateLimiterEnabled   bool
+	ApiHost                 string
+	AwsRegion               string
+	DbEndpoint              string
+	DbAwsRegion             string
+	DbTableName             string
+	DbIndexName             string
+	LogLevel                log.Lvl
+	OidcClientId            string
+	OidcIssuerUrl           string
+	SqsEndpoint             string
+	SqsAwsRegion            string
+	SqsQueueName            string
+	SqsBatchSize            int64
+	SqsWaitSeconds          int64
+	SqsRunInterval          int
+	K8sResourceId           string
+	ApiTenantId             string
+	ApiClientId             string
+	ApiClientSecret         string
+	ApiAuthorizedGroupId    string
+	ApiCacheTTL             time.Duration
+	ApiCacheRedisHost       string
+	ApiCacheRedisTLSEnabled bool
 }
 
 func LoadApiConfig() (*AppConfig, error) {
@@ -174,30 +175,37 @@ func LoadApiConfig() (*AppConfig, error) {
 		return nil, fmt.Errorf("environment variable API_CACHE_REDIS_HOST is not set")
 	}
 
+	apiCacheRedisTLSEnabled := getEnv("API_CACHE_REDIS_TLS_ENABLED", "true")
+	apiCacheRedisTLSEnabledBool, err := strconv.ParseBool(apiCacheRedisTLSEnabled)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing API_CACHE_REDIS_TLS_ENABLED: %v", err)
+	}
+
 	return &AppConfig{
-		AwsRegion:             awsRegion,
-		DbEndpoint:            dbEndpoint,
-		DbAwsRegion:           dbAwsRegion,
-		DbTableName:           dbTableName,
-		DbIndexName:           dbIndexName,
-		SqsEndpoint:           sqsEndpoint,
-		SqsAwsRegion:          sqsAwsRegion,
-		SqsQueueName:          sqsQueueName,
-		SqsBatchSize:          sqsBatchSizeInt,
-		SqsWaitSeconds:        sqsWaitSecondsInt,
-		SqsRunInterval:        sqsRunIntervalInt,
-		OidcClientId:          oidcClientId,
-		OidcIssuerUrl:         oidcIssuerUrl,
-		ApiRateLimiterEnabled: apiRateLimiterEnabled,
-		LogLevel:              logLevel,
-		ApiHost:               apiHost,
-		K8sResourceId:         k8sResourceId,
-		ApiTenantId:           apiTenantId,
-		ApiClientId:           apiClientId,
-		ApiClientSecret:       apiClientSecret,
-		ApiAuthorizedGroupId:  authorizedGroupId,
-		ApiCacheTTL:           apiCacheTTL,
-		ApiCacheRedisHost:     apiCacheRedisHost,
+		AwsRegion:               awsRegion,
+		DbEndpoint:              dbEndpoint,
+		DbAwsRegion:             dbAwsRegion,
+		DbTableName:             dbTableName,
+		DbIndexName:             dbIndexName,
+		SqsEndpoint:             sqsEndpoint,
+		SqsAwsRegion:            sqsAwsRegion,
+		SqsQueueName:            sqsQueueName,
+		SqsBatchSize:            sqsBatchSizeInt,
+		SqsWaitSeconds:          sqsWaitSecondsInt,
+		SqsRunInterval:          sqsRunIntervalInt,
+		OidcClientId:            oidcClientId,
+		OidcIssuerUrl:           oidcIssuerUrl,
+		ApiRateLimiterEnabled:   apiRateLimiterEnabled,
+		LogLevel:                logLevel,
+		ApiHost:                 apiHost,
+		K8sResourceId:           k8sResourceId,
+		ApiTenantId:             apiTenantId,
+		ApiClientId:             apiClientId,
+		ApiClientSecret:         apiClientSecret,
+		ApiAuthorizedGroupId:    authorizedGroupId,
+		ApiCacheTTL:             apiCacheTTL,
+		ApiCacheRedisHost:       apiCacheRedisHost,
+		ApiCacheRedisTLSEnabled: apiCacheRedisTLSEnabledBool,
 	}, nil
 }
 

pkg/config/config_test.go

@@ -72,54 +72,56 @@ func TestLoadApiConfig(t *testing.T) {
 		{
 			name: "valid api config",
 			envVars: map[string]string{
-				"AWS_REGION":              "aws-region",
-				"DB_ENDPOINT":             "http://localhost:8000",
-				"DB_AWS_REGION":           "db-aws-region",
-				"DB_TABLE_NAME":           "cluster-registry-local",
-				"DB_INDEX_NAME":           "search-index-local",
-				"SQS_ENDPOINT":            "http://localhost:9324",
-				"SQS_AWS_REGION":          "sqs-aws-region",
-				"SQS_QUEUE_NAME":          "cluster-registry-local",
-				"OIDC_CLIENT_ID":          "oidc-client-id",
-				"OIDC_ISSUER_URL":         "http://fake-oidc-provider",
-				"API_RATE_LIMITER":        "enabled",
-				"LOG_LEVEL":               "DEBUG",
-				"SQS_BATCH_SIZE":          "10",
-				"SQS_WAIT_SECONDS":        "5",
-				"SQS_RUN_INTERVAL":        "30",
-				"API_HOST":                "custom-host:8080",
-				"K8S_RESOURCE_ID":         "k8s-resource-id",
-				"API_TENANT_ID":           "api-tenant-id",
-				"API_CLIENT_ID":           "api-client-id",
-				"API_CLIENT_SECRET":       "api-client-secret",
-				"API_AUTHORIZED_GROUP_ID": "api-authorized-group-id",
-				"API_CACHE_TTL":           "1h",
-				"API_CACHE_REDIS_HOST":    "localhost:6379",
+				"AWS_REGION":                  "aws-region",
+				"DB_ENDPOINT":                 "http://localhost:8000",
+				"DB_AWS_REGION":               "db-aws-region",
+				"DB_TABLE_NAME":               "cluster-registry-local",
+				"DB_INDEX_NAME":               "search-index-local",
+				"SQS_ENDPOINT":                "http://localhost:9324",
+				"SQS_AWS_REGION":              "sqs-aws-region",
+				"SQS_QUEUE_NAME":              "cluster-registry-local",
+				"OIDC_CLIENT_ID":              "oidc-client-id",
+				"OIDC_ISSUER_URL":             "http://fake-oidc-provider",
+				"API_RATE_LIMITER":            "enabled",
+				"LOG_LEVEL":                   "DEBUG",
+				"SQS_BATCH_SIZE":              "10",
+				"SQS_WAIT_SECONDS":            "5",
+				"SQS_RUN_INTERVAL":            "30",
+				"API_HOST":                    "custom-host:8080",
+				"K8S_RESOURCE_ID":             "k8s-resource-id",
+				"API_TENANT_ID":               "api-tenant-id",
+				"API_CLIENT_ID":               "api-client-id",
+				"API_CLIENT_SECRET":           "api-client-secret",
+				"API_AUTHORIZED_GROUP_ID":     "api-authorized-group-id",
+				"API_CACHE_TTL":               "1h",
+				"API_CACHE_REDIS_HOST":        "localhost:6379",
+				"API_CACHE_REDIS_TLS_ENABLED": "true",
 			},
 			expectedAppConfig: &AppConfig{
-				ApiRateLimiterEnabled: true,
-				ApiHost:               "custom-host:8080",
-				AwsRegion:             "aws-region",
-				DbEndpoint:            "http://localhost:8000",
-				DbAwsRegion:           "db-aws-region",
-				DbTableName:           "cluster-registry-local",
-				DbIndexName:           "search-index-local",
-				LogLevel:              log.DEBUG,
-				OidcClientId:          "oidc-client-id",
-				OidcIssuerUrl:         "http://fake-oidc-provider",
-				SqsEndpoint:           "http://localhost:9324",
-				SqsAwsRegion:          "sqs-aws-region",
-				SqsQueueName:          "cluster-registry-local",
-				SqsBatchSize:          10,
-				SqsWaitSeconds:        5,
-				SqsRunInterval:        30,
-				K8sResourceId:         "k8s-resource-id",
-				ApiTenantId:           "api-tenant-id",
-				ApiClientId:           "api-client-id",
-				ApiClientSecret:       "api-client-secret",
-				ApiAuthorizedGroupId:  "api-authorized-group-id",
-				ApiCacheTTL:           time.Hour,
-				ApiCacheRedisHost:     "localhost:6379",
+				ApiRateLimiterEnabled:   true,
+				ApiHost:                 "custom-host:8080",
+				AwsRegion:               "aws-region",
+				DbEndpoint:              "http://localhost:8000",
+				DbAwsRegion:             "db-aws-region",
+				DbTableName:             "cluster-registry-local",
+				DbIndexName:             "search-index-local",
+				LogLevel:                log.DEBUG,
+				OidcClientId:            "oidc-client-id",
+				OidcIssuerUrl:           "http://fake-oidc-provider",
+				SqsEndpoint:             "http://localhost:9324",
+				SqsAwsRegion:            "sqs-aws-region",
+				SqsQueueName:            "cluster-registry-local",
+				SqsBatchSize:            10,
+				SqsWaitSeconds:          5,
+				SqsRunInterval:          30,
+				K8sResourceId:           "k8s-resource-id",
+				ApiTenantId:             "api-tenant-id",
+				ApiClientId:             "api-client-id",
+				ApiClientSecret:         "api-client-secret",
+				ApiAuthorizedGroupId:    "api-authorized-group-id",
+				ApiCacheTTL:             time.Hour,
+				ApiCacheRedisHost:       "localhost:6379",
+				ApiCacheRedisTLSEnabled: true,
 			},
 			expectedError: nil,
 		},