Support running Redis only over SSL

Changelog: fixed
Signed-off-by: Balasankar "Balu" C <[email protected]>

Author: balasankarc

files/gitlab-cookbooks/gitlab/libraries/redis.rb

@@ -80,12 +80,27 @@ def parse_redis_daemon!
       redis_bind = Gitlab['redis']['bind'] || node['redis']['bind']
 
       Gitlab['gitlab_rails']['redis_host'] ||= redis_bind
-      Gitlab['gitlab_rails']['redis_port'] ||= Gitlab['redis']['port']
+
+      redis_port_config_key = if Gitlab['redis'].key?('port') && !Gitlab['redis']['port'].zero?
+                                # If Redis is specified to run on a non-TLS port
+                                'port'
+                              elsif Gitlab['redis'].key?('tls_port') && !Gitlab['redis']['tls_port'].zero?
+                                # If Redis is specified to run on a TLS port
+                                'tls_port'
+                              else
+                                # If Redis is running on neither ports, then it doesn't matter which
+                                # key we choose as both will return `nil`.
+                                'port'
+                              end
+
+      redis_port = Gitlab['redis'][redis_port_config_key]
+      Gitlab['gitlab_rails']['redis_port'] ||= redis_port
+
       Gitlab['gitlab_rails']['redis_password'] ||= Gitlab['redis']['master_password']
 
       Chef::Log.warn "gitlab-rails 'redis_host' is different than 'bind' value defined for managed redis instance. Are you sure you are pointing to the same redis instance?" if Gitlab['gitlab_rails']['redis_host'] != redis_bind
 
-      Chef::Log.warn "gitlab-rails 'redis_port' is different than 'port' value defined for managed redis instance. Are you sure you are pointing to the same redis instance?" if Gitlab['gitlab_rails']['redis_port'] != Gitlab['redis']['port']
+      Chef::Log.warn "gitlab-rails 'redis_port' is different than '#{redis_port_config_key}' value defined for managed redis instance. Are you sure you are pointing to the same redis instance?" if Gitlab['gitlab_rails']['redis_port'] != redis_port
 
       Chef::Log.warn "gitlab-rails 'redis_password' is different than 'master_password' value defined for managed redis instance. Are you sure you are pointing to the same redis instance?" if Gitlab['gitlab_rails']['redis_password'] != Gitlab['redis']['master_password']
     end

files/gitlab-cookbooks/gitlab/libraries/redis_helper.rb

@@ -9,14 +9,17 @@ def initialize(node)
     @node = node
   end
 
+  def redis
+    @node['redis']
+  end
+
   def redis_params(support_sentinel_groupname: true)
     gitlab_rails_config = @node['gitlab']['gitlab_rails']
-    redis_config = @node['redis']
 
-    raise 'Redis announce_ip and announce_ip_from_hostname are mutually exclusive, please unset one of them' if redis_config['announce_ip'] && redis_config['announce_ip_from_hostname']
+    raise 'Redis announce_ip and announce_ip_from_hostname are mutually exclusive, please unset one of them' if redis['announce_ip'] && redis['announce_ip_from_hostname']
 
     params = if RedisHelper::Checks.has_sentinels? && support_sentinel_groupname
-               [redis_config['master_name'], redis_config['master_port'], redis_config['master_password']]
+               [redis['master_name'], redis['master_port'], redis['master_password']]
              else
                host = gitlab_rails_config['redis_host'] || Gitlab['redis']['master_ip']
                port = gitlab_rails_config['redis_port'] || Gitlab['redis']['master_port']
@@ -66,8 +69,8 @@ def workhorse_params
         url: redis_url,
         password: redis_params.last,
         sentinels: redis_sentinel_urls('redis_sentinels'),
-        sentinelMaster: @node['redis']['master_name'],
-        sentinelPassword: @node['redis']['master_password']
+        sentinelMaster: redis['master_name'],
+        sentinelPassword: redis['master_password']
       }
     end
   end
@@ -119,15 +122,7 @@ def running_version
     return unless OmnibusHelper.new(@node).service_up?('redis')
 
     commands = ['/opt/gitlab/embedded/bin/redis-cli']
-
-    commands << if RedisHelper::Checks.is_redis_tcp?
-                  "-h #{@node['redis']['bind']} -p #{@node['redis']['port']}"
-                else
-                  "-s #{@node['redis']['unixsocket']}"
-                end
-
-    commands << "-a '#{Gitlab['redis']['password']}'" if Gitlab['redis']['password']
-
+    commands << redis_cli_connect_options
     commands << "INFO"
     command = commands.join(" ")
 
@@ -154,10 +149,63 @@ def installed_version
     version_match['redis_version']
   end
 
+  def redis_cli_connect_options
+    args = []
+    if RedisHelper::Checks.is_redis_tcp?
+      args = redis_cli_tcp_connect_options(args)
+    else
+      args << "-s #{redis['unixsocket']}"
+    end
+
+    args << "-a '#{Gitlab['redis']['password']}'" if Gitlab['redis']['password']
+
+    args
+  end
+
+  def redis_cli_tcp_connect_options(args)
+    args << ["-h #{redis['bind']}"]
+    port = redis['port'].to_i
+
+    if port.zero?
+      args = redis_cli_tls_options(args)
+    else
+      args << "-p #{port}"
+    end
+
+    args
+  end
+
+  def redis_cli_tls_options(args)
+    tls_port = redis['tls_port'].to_i
+
+    args << "--tls"
+    args << "-p #{tls_port}"
+    args << "--cacert '#{redis['tls_ca_cert_file']}'" if redis['tls_ca_cert_file']
+    args << "--cacertdir '#{redis['tls_ca_cert_dir']}'" if redis['tls_ca_cert_dir']
+
+    return args unless client_certs_required?
+
+    raise "Redis TLS client authentication requires redis['tls_cert_file'] and redis['tls_key_file'] options" unless client_cert_and_key_available?
+
+    args << "--cert '#{redis['tls_cert_file']}'"
+    args << "--key '#{redis['tls_key_file']}'"
+
+    args
+  end
+
+  def client_certs_required?
+    redis['tls_auth_clients'] == 'yes'
+  end
+
+  def client_cert_and_key_available?
+    redis['tls_cert_file'] && !redis['tls_cert_file'].empty? &&
+      redis['tls_key_file'] && !redis['tls_key_file'].empty?
+  end
+
   class Checks
     class << self
       def is_redis_tcp?
-        Gitlab['redis']['port'] && Gitlab['redis']['port'].positive?
+        (Gitlab['redis']['port'] && Gitlab['redis']['port'].positive?) || (Gitlab['redis']['tls_port'] && Gitlab['redis']['tls_port'].positive?)
       end
 
       def is_redis_replica?

spec/chef/cookbooks/gitlab/libraries/redis_helper_spec.rb

@@ -274,40 +274,63 @@
       end
 
       context 'over TCP' do
-        before do
-          stub_gitlab_rb(
-            redis: {
-              bind: '0.0.0.0',
-              port: 6379
-            }
-          )
-        end
+        context 'on non-TLS port' do
+          before do
+            stub_gitlab_rb(
+              redis: {
+                bind: '0.0.0.0',
+                port: 6379
+              }
+            )
+          end
 
-        it 'calls VersionHelper.version with correct arguments' do
-          expect(VersionHelper).to receive(:version).with('/opt/gitlab/embedded/bin/redis-cli -h 0.0.0.0 -p 6379 INFO')
+          it 'calls VersionHelper.version with correct arguments' do
+            expect(VersionHelper).to receive(:version).with('/opt/gitlab/embedded/bin/redis-cli -h 0.0.0.0 -p 6379 INFO')
 
-          subject.running_version
+            subject.running_version
+          end
         end
 
-        context 'with a Redis password specified' do
+        context 'on TLS port' do
           before do
             stub_gitlab_rb(
               redis: {
                 bind: '0.0.0.0',
-                port: 6379,
-                password: 'toomanysecrets'
+                tls_port: 6380,
+                tls_cert_file: '/tmp/self_signed.crt',
+                tls_key_file: '/tmp/self_signed.key',
+                tls_auth_clients: 'yes'
               }
             )
           end
 
-          it 'it passes password to the command' do
-            expect(VersionHelper).to receive(:version).with("/opt/gitlab/embedded/bin/redis-cli -h 0.0.0.0 -p 6379 -a 'toomanysecrets' INFO")
+          it 'calls VersionHelper.version with correct arguments' do
+            expected_args = "-h 0.0.0.0 --tls -p 6380 --cacert '/opt/gitlab/embedded/ssl/certs/cacert.pem' --cacertdir '/opt/gitlab/embedded/ssl/certs/' --cert '/tmp/self_signed.crt' --key '/tmp/self_signed.key'"
+            expect(VersionHelper).to receive(:version).with("/opt/gitlab/embedded/bin/redis-cli #{expected_args} INFO")
 
             subject.running_version
           end
         end
       end
 
+      context 'with a Redis password specified' do
+        before do
+          stub_gitlab_rb(
+            redis: {
+              bind: '0.0.0.0',
+              port: 6379,
+              password: 'toomanysecrets'
+            }
+          )
+        end
+
+        it 'it passes password to the command' do
+          expect(VersionHelper).to receive(:version).with("/opt/gitlab/embedded/bin/redis-cli -h 0.0.0.0 -p 6379 -a 'toomanysecrets' INFO")
+
+          subject.running_version
+        end
+      end
+
       it 'parses version from redis-cli output properly' do
         expect(subject.running_version).to eq('3.2.12')
       end