feat: Add redis password support (#49)

feat: Add redis password support (#49)

Author: adskyiproger

infrastructure/deployment/deploy.sh

@@ -217,6 +217,19 @@ rotate_secrets() {
   configured_ssh '/opt/opencrvs/$STACK/infrastructure/rotate-secrets.sh '$files_to_rotate' | tee -a '$LOG_LOCATION'/rotate-secrets.log'
 }
 
+save_redis_acl(){
+  echo "Saving redis acl"
+  printf """
+user default on >$DEFAULT_REDIS_PASSWORD ~* +@all
+user $GATEWAY_REDIS_USERNAME on >$GATEWAY_REDIS_PASSWORD ~* +@all
+user $WORKFLOW_REDIS_USERNAME on >$WORKFLOW_REDIS_PASSWORD ~* +@all
+user $AUTH_REDIS_USERNAME on >$AUTH_REDIS_PASSWORD ~* +@all
+user $WEBHOOKS_REDIS_USERNAME on >$WEBHOOKS_REDIS_PASSWORD ~* +@all
+""" > $INFRASTRUCTURE_DIRECTORY/redis-acl.conf
+  echo "Redis acl saved to $INFRASTRUCTURE_DIRECTORY/redis-acl.conf"
+  cat $INFRASTRUCTURE_DIRECTORY/redis-acl.conf
+}
+
 split_and_join() {
    separator_for_splitting=$1
    separator_for_joining=$2
@@ -265,6 +278,15 @@ export WEBHOOKS_MONGODB_PASSWORD=`generate_password`
 export NOTIFICATION_MONGODB_PASSWORD=`generate_password`
 export EVENTS_MONGODB_PASSWORD=`generate_password`
 
+export DEFAULT_REDIS_PASSWORD=`generate_password`
+export GATEWAY_REDIS_USERNAME=`generate_password`
+export GATEWAY_REDIS_PASSWORD=`generate_password`
+export WORKFLOW_REDIS_USERNAME=`generate_password`
+export WORKFLOW_REDIS_PASSWORD=`generate_password`
+export AUTH_REDIS_USERNAME=`generate_password`
+export AUTH_REDIS_PASSWORD=`generate_password`
+export WEBHOOKS_REDIS_USERNAME=`generate_password`
+export WEBHOOKS_REDIS_PASSWORD=`generate_password`
 #
 # Elasticsearch credentials
 #
@@ -291,6 +313,8 @@ done
 
 validate_environment_variables
 
+save_redis_acl
+
 if [ "$SSH_PORT" -eq 22 ]; then
     SSH_HOST_TO_CHECK="$SSH_HOST"
 else

infrastructure/deployment/download-images.sh

@@ -216,6 +216,18 @@ rotate_secrets() {
   configured_ssh '/opt/opencrvs/$STACK/infrastructure/rotate-secrets.sh '$files_to_rotate' | tee -a '$LOG_LOCATION'/rotate-secrets.log'
 }
 
+save_redis_acl(){
+  echo "Saving redis acl"
+  printf """
+user default on >$DEFAULT_REDIS_PASSWORD ~* +@all
+user $GATEWAY_REDIS_USERNAME on >$GATEWAY_REDIS_PASSWORD ~* +@all
+user $WORKFLOW_REDIS_USERNAME on >$WORKFLOW_REDIS_PASSWORD ~* +@all
+user $AUTH_REDIS_USERNAME on >$AUTH_REDIS_PASSWORD ~* +@all
+user $WEBHOOKS_REDIS_USERNAME on >$WEBHOOKS_REDIS_PASSWORD ~* +@all
+""" > $INFRASTRUCTURE_DIRECTORY/redis-acl.conf
+  echo "Redis acl saved to $INFRASTRUCTURE_DIRECTORY/redis-acl.conf"
+  cat $INFRASTRUCTURE_DIRECTORY/redis-acl.conf
+}
 
 # Takes in a space separated string of docker-compose.yml files
 # returns a new line separated list of images defined in those files
@@ -343,6 +355,15 @@ export WEBHOOKS_MONGODB_PASSWORD=`generate_password`
 export NOTIFICATION_MONGODB_PASSWORD=`generate_password`
 export EVENTS_MONGODB_PASSWORD=`generate_password`
 
+export DEFAULT_REDIS_PASSWORD=`generate_password`
+export GATEWAY_REDIS_USERNAME=`generate_password`
+export GATEWAY_REDIS_PASSWORD=`generate_password`
+export WORKFLOW_REDIS_USERNAME=`generate_password`
+export WORKFLOW_REDIS_PASSWORD=`generate_password`
+export AUTH_REDIS_USERNAME=`generate_password`
+export AUTH_REDIS_PASSWORD=`generate_password`
+export WEBHOOKS_REDIS_USERNAME=`generate_password`
+export WEBHOOKS_REDIS_PASSWORD=`generate_password`
 #
 # Elasticsearch credentials
 #
@@ -369,6 +390,8 @@ done
 
 validate_environment_variables
 
+save_redis_acl
+
 if [ "$SSH_PORT" -eq 22 ]; then
     SSH_HOST_TO_CHECK="$SSH_HOST"
 else

infrastructure/docker-compose.app.yml

@@ -4,7 +4,14 @@ services:
   redis:
     image: docker.io/bitnami/valkey:8.1
     environment:
-      - ALLOW_EMPTY_PASSWORD=yes
+      - VALKEY_PASSWORD=false
+      - VALKEY_ACLFILE=/run/secrets/redis-acl.{{STACK}}.{{ts}}
+      - VALKEY_OVERRIDES_FILE=/opt/bitnami/valkey/mounted-etc/overrides.conf
+    secrets:
+      - redis-acl.{{STACK}}.{{ts}}
+    configs:
+      - source: redis-overrides.{{ts}}
+        target: /opt/bitnami/valkey/mounted-etc/overrides.conf
     networks:
       app_net:
       dependencies_monitoring_net:
@@ -226,6 +233,8 @@ services:
       - SENTRY_DSN=${SENTRY_DSN:-}
       - DISABLE_RATE_LIMIT=true
       - REDIS_HOST=redis.${STACK}_app_net
+      - REDIS_USERNAME=${GATEWAY_REDIS_USERNAME}
+      - REDIS_PASSWORD=${GATEWAY_REDIS_PASSWORD}
       - APN_SERVICE_URL=http://dependencies_apm-server:8200
       - CERT_PUBLIC_KEY_PATH=/run/secrets/jwt-public-key.{{STACK}}.{{ts}}
       - LOGIN_URL=https://login.${STACK}.{{hostname}}
@@ -305,6 +314,8 @@ services:
       - QA_ENV=true
       - HOST=0.0.0.0
       - REDIS_HOST=redis.${STACK}_app_net
+      - REDIS_USERNAME=${WORKFLOW_REDIS_USERNAME}
+      - REDIS_PASSWORD=${WORKFLOW_REDIS_PASSWORD}
       - NODE_ENV=production
       - LANGUAGES=en,fr
       - SENTRY_DSN=${SENTRY_DSN:-}
@@ -452,6 +463,8 @@ services:
       - CLIENT_APP_URL=https://register.${STACK}.{{hostname}}
       - DOMAIN=${STACK}.{{hostname}}
       - REDIS_HOST=redis.${STACK}_app_net
+      - REDIS_USERNAME=${AUTH_REDIS_USERNAME}
+      - REDIS_PASSWORD=${AUTH_REDIS_PASSWORD}
       - USER_MANAGEMENT_URL=http://user-mgnt.{{STACK}}_app_net:3030/
       - CONFIG_TOKEN_EXPIRY_SECONDS=604800
       - CONFIG_SMS_CODE_EXPIRY_SECONDS=600
@@ -524,6 +537,8 @@ services:
       - SENTRY_DSN=${SENTRY_DSN:-}
       - CERT_PRIVATE_KEY_PATH="THIS IS NOT EVEN USED ANYWHERE @todo"
       - REDIS_HOST=redis.${STACK}_app_net
+      - REDIS_USERNAME=${WEBHOOKS_REDIS_USERNAME}
+      - REDIS_PASSWORD=${WEBHOOKS_REDIS_PASSWORD}
       - APN_SERVICE_URL=http://dependencies_apm-server:8200
       - MONGO_URL=mongodb://${STACK}__webhooks:${WEBHOOKS_MONGODB_PASSWORD}@mongo1/${STACK}__webhooks?replicaSet=rs0
       - CERT_PUBLIC_KEY_PATH=/run/secrets/jwt-public-key.{{STACK}}.{{ts}}
@@ -741,13 +756,17 @@ secrets:
     external: true
   jwt-private-key.{{STACK}}.{{ts}}:
     external: true
+  redis-acl.{{STACK}}.{{ts}}:
+    external: true
 configs:
   hearth-dupe.{{ts}}:
     file: /opt/opencrvs/{{STACK}}/infrastructure/hearth-plugins/checkDuplicateTask.js
   hearth-ext-conf.{{ts}}:
     file: /opt/opencrvs/{{STACK}}/infrastructure/hearth-queryparam-extensions.json
   mongo-on-deploy.{{ts}}:
     file: /opt/opencrvs/{{STACK}}/infrastructure/mongodb/on-deploy.sh
+  redis-overrides.{{ts}}:
+    file: /opt/opencrvs/{{STACK}}/infrastructure/redis/overrides.conf
 networks:
   dependencies_mongo_net_1:
     external: true

infrastructure/redis/overrides.conf

@@ -0,0 +1 @@
+protected-mode no

infrastructure/rotate-secrets.sh

@@ -1,3 +1,4 @@
+#!/bin/bash
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at https://mozilla.org/MPL/2.0/.
@@ -17,6 +18,9 @@ UNIX_TS=$(date +%s)
 echo "$PUB_KEY" | docker secret create jwt-public-key.$STACK.$UNIX_TS -
 echo "$PRIV_KEY" | docker secret create jwt-private-key.$STACK.$UNIX_TS -
 
+INFRASTRUCTURE_DIRECTORY=$(dirname "$0")
+cat $INFRASTRUCTURE_DIRECTORY/redis-acl.conf | docker secret create redis-acl.$STACK.$UNIX_TS -
+
 sed -i "s/{{ts}}/$UNIX_TS/g" "$@"
 sed -i "s/{{STACK}}/$STACK/g" "$@"
 echo "DONE - `date --iso-8601=ns`"