Add redis transit encryption (#3473)

KarstenSiemer · web-flow · commit 12984f36819e · 2020-12-29T16:06:12.000+01:00
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
@@ -56,6 +56,7 @@
     DD_CELERY_BROKER_HOST=(str, ''),
     DD_CELERY_BROKER_PORT=(int, -1),
     DD_CELERY_BROKER_PATH=(str, '/dojo.celerydb.sqlite'),
+    DD_CELERY_BROKER_PARAMS=(str, ''),
     DD_CELERY_TASK_IGNORE_RESULT=(bool, True),
     DD_CELERY_RESULT_BACKEND=(str, 'django-db'),
     DD_CELERY_RESULT_EXPIRES=(int, 86400),
@@ -162,7 +163,7 @@
 )
 
 
-def generate_url(scheme, double_slashes, user, password, host, port, path):
+def generate_url(scheme, double_slashes, user, password, host, port, path, params):
     result_list = []
     result_list.append(scheme)
     result_list.append(':')
@@ -181,6 +182,9 @@ def generate_url(scheme, double_slashes, user, password, host, port, path):
     if len(path) > 0 and path[0] != '/':
         result_list.append('/')
     result_list.append(path)
+    if len(params) > 0 and params[0] != '?':
+        result_list.append('?')
+    result_list.append(params)
     return ''.join(result_list)
 
 
@@ -675,6 +679,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path):
     env('DD_CELERY_BROKER_HOST'),
     env('DD_CELERY_BROKER_PORT'),
     env('DD_CELERY_BROKER_PATH'),
+    env('DD_CELERY_BROKER_PARAMS')
 )
 CELERY_TASK_IGNORE_RESULT = env('DD_CELERY_TASK_IGNORE_RESULT')
 CELERY_RESULT_BACKEND = env('DD_CELERY_RESULT_BACKEND')
diff --git a/helm/defectdojo/Chart.yaml b/helm/defectdojo/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v1
 appVersion: "1.11.0-dev"
 description: A Helm chart for Kubernetes to install DefectDojo
 name: defectdojo
-version: 1.4.2
+version: 1.4.3
 icon: https://www.defectdojo.org/img/favicon.ico
diff --git a/helm/defectdojo/templates/_helpers.tpl b/helm/defectdojo/templates/_helpers.tpl
@@ -63,6 +63,19 @@ Create chart name and version as used by the chart label.
 {{- end -}}
 {{- end -}}
 
+{{/*
+  Determine the protocol to use for Redis.
+*/}}
+{{- define "redis.scheme" -}}
+{{- if eq .Values.celery.broker "redis" -}}
+{{- if .Values.redis.transportEncryption.enabled -}}
+{{- printf "rediss" -}}
+{{- else -}}
+{{- printf "redis" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
   Builds the repository names for use with local or private registries
 */}}
diff --git a/helm/defectdojo/templates/configmap.yaml b/helm/defectdojo/templates/configmap.yaml
@@ -14,10 +14,11 @@ data:
   DD_ADMIN_FIRST_NAME: {{ .Values.admin.FirstName | default "Admin" }}
   DD_ADMIN_LAST_NAME: {{ .Values.admin.LastName | default "User" }}
   DD_ALLOWED_HOSTS: {{ .Values.host }}
-  DD_CELERY_BROKER_SCHEME: {{ if eq .Values.celery.broker "rabbitmq" }}amqp{{ end }}{{ if eq .Values.celery.broker "redis" }}redis{{ end }}
+  DD_CELERY_BROKER_SCHEME: {{ if eq .Values.celery.broker "rabbitmq" }}amqp{{ end }}{{ if eq .Values.celery.broker "redis" }}{{ template "redis.scheme" . }}{{ end }}
   DD_CELERY_BROKER_USER: '{{ if eq .Values.celery.broker "rabbitmq" }}user{{ end }}'
   DD_CELERY_BROKER_HOST: {{ if eq .Values.celery.broker "rabbitmq" }}{{ .Release.Name }}-rabbitmq{{ else if eq .Values.celery.broker "redis" }}{{ template "redis.hostname" . }}{{ end }}
   DD_CELERY_BROKER_PORT: '{{ if eq .Values.celery.broker "rabbitmq" }}5672{{ end }}{{ if eq .Values.celery.broker "redis" }}6379{{ end }}'
+  DD_CELERY_BROKER_PARAMS: '{{ if eq .Values.celery.broker "redis" }}{{- if .Values.redis.transportEncryption.enabled -}}{{ .Values.redis.transportEncryption.params | default "ssl_cert_reqs=optional" }}{{ end }}{{ end }}'
   DD_CELERY_LOG_LEVEL: {{ .Values.celery.logLevel }}
   DD_CELERY_WORKER_POOL_TYPE: {{ .Values.celery.worker.app_settings.pool_type | default "solo" }}
   DD_CELERY_WORKER_AUTOSCALE_MIN: '{{ if eq .Values.celery.worker.app_settings.pool_type "prefork" }}2{{ end }}'
diff --git a/helm/defectdojo/values.yaml b/helm/defectdojo/values.yaml
@@ -191,9 +191,10 @@ postgresql:
     enabled: false
   service:
     port: 5432
+
   # To use an external PostgreSQL instance, set enabled to false and uncomment
   # the line below:
-  postgresServer: "127.0.0.1"
+  # postgresServer: "127.0.0.1"
   master:
     affinity: {}
     nodeSelector: {}
@@ -233,6 +234,9 @@ rabbitmq:
 
 redis:
   enabled: false
+  transportEncryption:
+    enabled: false
+    params: ''
   existingSecret: defectdojo-redis-specific
   secretKey: redis-password
   password: ""
