Merge branch '8217-rails-redis-tls' into 'master'

Enable GitLab to connect with Redis over TLS

Closes #6628 and #8217

See merge request https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7151

Merged-by: Robert Marshall <[email protected]>
Approved-by: Clemens Beck <[email protected]>
Approved-by: Robert Marshall <[email protected]>
Reviewed-by: Balasankar 'Balu' C <[email protected]>
Reviewed-by: Robert Marshall <[email protected]>
Reviewed-by: Clemens Beck <[email protected]>
Co-authored-by: Balasankar "Balu" C <[email protected]>

Author: Robert Marshall

config/software/gitlab-redis-cli.rb

@@ -41,6 +41,17 @@
   echo "$1" 2>& 1
 }
 
+set_tls_params()
+{
+  REDIS_PARAMS="${REDIS_PARAMS} -p ${redis_tls_port} --tls"
+  if [ "${redis_tls_auth_clients}" = "yes" ]; then
+    REDIS_PARAMS="${REDIS_PARAMS} --cacertdir ${redis_tls_cacert_dir} \
+      --cacert ${redis_tls_cacert_file} \
+      --cert ${redis_tls_cert_file} \
+      --key ${redis_tls_key_file}"
+  fi
+}
+
 gitlab_redis_cli_rc='/opt/gitlab/etc/gitlab-redis-cli-rc'
 
 if ! [ -f ${gitlab_redis_cli_rc} ] || ! [ -r ${gitlab_redis_cli_rc} ] ; then
@@ -52,10 +63,16 @@
 
 . "${gitlab_redis_cli_rc}"
 
+
 if [ -e "${redis_socket}" ]; then
-	REDIS_PARAMS="-s ${redis_socket}"
+  REDIS_PARAMS="-s ${redis_socket}"
 else
-  REDIS_PARAMS="-h ${redis_host} -p ${redis_port}"
+  REDIS_PARAMS="-h ${redis_host}"
+  if ! [ "${redis_port}" = "0" ]; then
+    REDIS_PARAMS="${REDIS_PARAMS} -p ${redis_port}"
+  elif ! [ "${redis_tls_port}" = "0" ]; then
+    set_tls_params
+  fi
 fi
 
 REDISCLI_AUTH="$(awk '/^requirepass /{
@@ -66,7 +83,7 @@
 
 
 if [ -n "${REDISCLI_AUTH}" ]; then
-    export REDISCLI_AUTH
+  export REDISCLI_AUTH
 fi
 
 exec /opt/gitlab/embedded/bin/redis-cli $REDIS_PARAMS "$@"

files/gitlab-config-template/gitlab.rb.template

@@ -776,6 +776,10 @@ external_url 'GENERATED_EXTERNAL_URL'
 # gitlab_rails['redis_password'] = nil
 # gitlab_rails['redis_database'] = 0
 # gitlab_rails['redis_enable_client'] = true
+# gitlab_rails['redis_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
+# gitlab_rails['redis_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
+# gitlab_rails['redis_tls_client_cert_file'] = nil
+# gitlab_rails['redis_tls_client_key_file'] = nil
 
 #### Redis local UNIX socket (will be disabled if TCP method is used)
 # gitlab_rails['redis_socket'] = "/var/opt/gitlab/redis/redis.socket"
@@ -810,60 +814,100 @@ external_url 'GENERATED_EXTERNAL_URL'
 # gitlab_rails['redis_cache_username'] = nil
 # gitlab_rails['redis_cache_password'] = nil
 # gitlab_rails['redis_cache_cluster_nodes'] = nil
+# gitlab_rails['redis_cache_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
+# gitlab_rails['redis_cache_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
+# gitlab_rails['redis_cache_tls_client_cert_file'] = nil
+# gitlab_rails['redis_cache_tls_client_key_file'] = nil
 # gitlab_rails['redis_queues_instance'] = nil
 # gitlab_rails['redis_queues_sentinels'] = nil
 # gitlab_rails['redis_queues_sentinels_password'] = nil
 # gitlab_rails['redis_queues_username'] = nil
 # gitlab_rails['redis_queues_password'] = nil
 # gitlab_rails['redis_queues_cluster_nodes'] = nil
+# gitlab_rails['redis_queues_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
+# gitlab_rails['redis_queues_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
+# gitlab_rails['redis_queues_tls_client_cert_file'] = nil
+# gitlab_rails['redis_queues_tls_client_key_file'] = nil
 # gitlab_rails['redis_shared_state_instance'] = nil
 # gitlab_rails['redis_shared_state_sentinels'] = nil
 # gitlab_rails['redis_shared_state_sentinels_password'] = nil
 # gitlab_rails['redis_shared_state_username'] = nil
 # gitlab_rails['redis_shared_state_password'] = nil
 # gitlab_rails['redis_shared_state_cluster_nodes'] = nil
+# gitlab_rails['redis_shared_state_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
+# gitlab_rails['redis_shared_state_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
+# gitlab_rails['redis_shared_state_tls_client_cert_file'] = nil
+# gitlab_rails['redis_shared_state_tls_client_key_file'] = nil
 # gitlab_rails['redis_trace_chunks_instance'] = nil
 # gitlab_rails['redis_trace_chunks_sentinels'] = nil
 # gitlab_rails['redis_trace_chunks_sentinels_password'] = nil
 # gitlab_rails['redis_trace_chunks_username'] = nil
 # gitlab_rails['redis_trace_chunks_password'] = nil
 # gitlab_rails['redis_trace_chunks_cluster_nodes'] = nil
+# gitlab_rails['redis_trace_chunks_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
+# gitlab_rails['redis_trace_chunks_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
+# gitlab_rails['redis_trace_chunks_tls_client_cert_file'] = nil
+# gitlab_rails['redis_trace_chunks_tls_client_key_file'] = nil
 # gitlab_rails['redis_actioncable_instance'] = nil
 # gitlab_rails['redis_actioncable_sentinels'] = nil
 # gitlab_rails['redis_actioncable_sentinels_password'] = nil
 # gitlab_rails['redis_actioncable_username'] = nil
 # gitlab_rails['redis_actioncable_password'] = nil
 # gitlab_rails['redis_actioncable_cluster_nodes'] = nil
+# gitlab_rails['redis_actioncable_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
+# gitlab_rails['redis_actioncable_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
+# gitlab_rails['redis_actioncable_tls_client_cert_file'] = nil
+# gitlab_rails['redis_actioncable_tls_client_key_file'] = nil
 # gitlab_rails['redis_rate_limiting_instance'] = nil
 # gitlab_rails['redis_rate_limiting_sentinels'] = nil
 # gitlab_rails['redis_rate_limiting_sentinels_password'] = nil
 # gitlab_rails['redis_rate_limiting_username'] = nil
 # gitlab_rails['redis_rate_limiting_password'] = nil
 # gitlab_rails['redis_rate_limiting_cluster_nodes'] = nil
+# gitlab_rails['redis_rate_limiting_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
+# gitlab_rails['redis_rate_limiting_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
+# gitlab_rails['redis_rate_limiting_tls_client_cert_file'] = nil
+# gitlab_rails['redis_rate_limiting_tls_client_key_file'] = nil
 # gitlab_rails['redis_sessions_instance'] = nil
 # gitlab_rails['redis_sessions_sentinels'] = nil
 # gitlab_rails['redis_sessions_sentinels_password'] = nil
 # gitlab_rails['redis_sessions_username'] = nil
 # gitlab_rails['redis_sessions_password'] = nil
 # gitlab_rails['redis_sessions_cluster_nodes'] = nil
+# gitlab_rails['redis_sessions_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
+# gitlab_rails['redis_sessions_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
+# gitlab_rails['redis_sessions_tls_client_cert_file'] = nil
+# gitlab_rails['redis_sessions_tls_client_key_file'] = nil
 # gitlab_rails['redis_cluster_rate_limiting_instance'] = nil
 # gitlab_rails['redis_cluster_rate_limiting_sentinels'] = nil
 # gitlab_rails['redis_cluster_rate_limiting_sentinels_password'] = nil
 # gitlab_rails['redis_cluster_rate_limiting_username'] = nil
 # gitlab_rails['redis_cluster_rate_limiting_password'] = nil
 # gitlab_rails['redis_cluster_rate_limiting_cluster_nodes'] = nil
+# gitlab_rails['redis_cluster_rate_limiting_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
+# gitlab_rails['redis_cluster_rate_limiting_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
+# gitlab_rails['redis_cluster_rate_limiting_tls_client_cert_file'] = nil
+# gitlab_rails['redis_cluster_rate_limiting_tls_client_key_file'] = nil
 # gitlab_rails['redis_repository_cache_instance'] = nil
 # gitlab_rails['redis_repository_cache_sentinels'] = nil
 # gitlab_rails['redis_repository_cache_sentinels_password'] = nil
 # gitlab_rails['redis_repository_cache_username'] = nil
 # gitlab_rails['redis_repository_cache_password'] = nil
 # gitlab_rails['redis_repository_cache_cluster_nodes'] = nil
+# gitlab_rails['redis_repository_cache_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
+# gitlab_rails['redis_repository_cache_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
+# gitlab_rails['redis_repository_cache_tls_client_cert_file'] = nil
+# gitlab_rails['redis_repository_cache_tls_client_key_file'] = nil
 # gitlab_rails['redis_workhorse_instance'] = nil
 # gitlab_rails['redis_workhorse_sentinels'] = nil
 # gitlab_rails['redis_workhorse_sentinels_password'] = nil
 # gitlab_rails['redis_workhorse_username'] = nil
 # gitlab_rails['redis_workhorse_password'] = nil
 # gitlab_rails['redis_workhorse_cluster_nodes'] = nil
+# gitlab_rails['redis_workhorse_tls_ca_cert_dir'] = '/opt/gitlab/embedded/ssl/certs/'
+# gitlab_rails['redis_workhorse_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
+# gitlab_rails['redis_workhorse_tls_client_cert_file'] = nil
+# gitlab_rails['redis_workhorse_tls_client_key_file'] = nil
 
 # gitlab_rails['redis_workhorse_sentinel_master'] = nil
 

files/gitlab-cookbooks/gitlab/attributes/default.rb

@@ -440,6 +440,10 @@
 default['gitlab']['gitlab_rails']['redis_host'] = "127.0.0.1"
 default['gitlab']['gitlab_rails']['redis_port'] = nil
 default['gitlab']['gitlab_rails']['redis_ssl'] = false
+default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'] = "#{node['package']['install-dir']}/embedded/ssl/certs/"
+default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'] = "#{node['package']['install-dir']}/embedded/ssl/certs/cacert.pem"
+default['gitlab']['gitlab_rails']['redis_tls_client_cert_file'] = nil
+default['gitlab']['gitlab_rails']['redis_tls_client_key_file'] = nil
 default['gitlab']['gitlab_rails']['redis_password'] = nil
 default['gitlab']['gitlab_rails']['redis_socket'] = "/var/opt/gitlab/redis/redis.socket"
 default['gitlab']['gitlab_rails']['redis_enable_client'] = true
@@ -451,60 +455,110 @@
 default['gitlab']['gitlab_rails']['redis_cache_username'] = nil
 default['gitlab']['gitlab_rails']['redis_cache_password'] = nil
 default['gitlab']['gitlab_rails']['redis_cache_cluster_nodes'] = []
+default['gitlab']['gitlab_rails']['redis_cache_ssl'] = false
+default['gitlab']['gitlab_rails']['redis_cache_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
+default['gitlab']['gitlab_rails']['redis_cache_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
+default['gitlab']['gitlab_rails']['redis_cache_tls_client_cert_file'] = nil
+default['gitlab']['gitlab_rails']['redis_cache_tls_client_key_file'] = nil
 default['gitlab']['gitlab_rails']['redis_queues_instance'] = nil
 default['gitlab']['gitlab_rails']['redis_queues_username'] = nil
 default['gitlab']['gitlab_rails']['redis_queues_password'] = nil
 default['gitlab']['gitlab_rails']['redis_queues_sentinels'] = []
 default['gitlab']['gitlab_rails']['redis_queues_sentinels_password'] = nil
 default['gitlab']['gitlab_rails']['redis_queues_cluster_nodes'] = []
+default['gitlab']['gitlab_rails']['redis_queues_ssl'] = false
+default['gitlab']['gitlab_rails']['redis_queues_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
+default['gitlab']['gitlab_rails']['redis_queues_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
+default['gitlab']['gitlab_rails']['redis_queues_tls_client_cert_file'] = nil
+default['gitlab']['gitlab_rails']['redis_queues_tls_client_key_file'] = nil
 default['gitlab']['gitlab_rails']['redis_shared_state_instance'] = nil
 default['gitlab']['gitlab_rails']['redis_shared_state_sentinels'] = []
 default['gitlab']['gitlab_rails']['redis_shared_state_sentinels_password'] = nil
 default['gitlab']['gitlab_rails']['redis_shared_state_username'] = nil
 default['gitlab']['gitlab_rails']['redis_shared_state_password'] = nil
 default['gitlab']['gitlab_rails']['redis_shared_state_cluster_nodes'] = []
+default['gitlab']['gitlab_rails']['redis_shared_state_ssl'] = false
+default['gitlab']['gitlab_rails']['redis_shared_state_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
+default['gitlab']['gitlab_rails']['redis_shared_state_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
+default['gitlab']['gitlab_rails']['redis_shared_state_tls_client_cert_file'] = nil
+default['gitlab']['gitlab_rails']['redis_shared_state_tls_client_key_file'] = nil
 default['gitlab']['gitlab_rails']['redis_trace_chunks_instance'] = nil
 default['gitlab']['gitlab_rails']['redis_trace_chunks_sentinels'] = []
 default['gitlab']['gitlab_rails']['redis_trace_chunks_sentinels_password'] = nil
 default['gitlab']['gitlab_rails']['redis_trace_chunks_username'] = nil
 default['gitlab']['gitlab_rails']['redis_trace_chunks_password'] = nil
 default['gitlab']['gitlab_rails']['redis_trace_chunks_cluster_nodes'] = []
+default['gitlab']['gitlab_rails']['redis_trace_chunks_ssl'] = false
+default['gitlab']['gitlab_rails']['redis_trace_chunks_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
+default['gitlab']['gitlab_rails']['redis_trace_chunks_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
+default['gitlab']['gitlab_rails']['redis_trace_chunks_tls_client_cert_file'] = nil
+default['gitlab']['gitlab_rails']['redis_trace_chunks_tls_client_key_file'] = nil
 default['gitlab']['gitlab_rails']['redis_actioncable_instance'] = nil
 default['gitlab']['gitlab_rails']['redis_actioncable_sentinels'] = []
 default['gitlab']['gitlab_rails']['redis_actioncable_sentinels_password'] = nil
 default['gitlab']['gitlab_rails']['redis_actioncable_username'] = nil
 default['gitlab']['gitlab_rails']['redis_actioncable_password'] = nil
 default['gitlab']['gitlab_rails']['redis_actioncable_cluster_nodes'] = []
+default['gitlab']['gitlab_rails']['redis_actioncable_ssl'] = false
+default['gitlab']['gitlab_rails']['redis_actioncable_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
+default['gitlab']['gitlab_rails']['redis_actioncable_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
+default['gitlab']['gitlab_rails']['redis_actioncable_tls_client_cert_file'] = nil
+default['gitlab']['gitlab_rails']['redis_actioncable_tls_client_key_file'] = nil
 default['gitlab']['gitlab_rails']['redis_rate_limiting_instance'] = nil
 default['gitlab']['gitlab_rails']['redis_rate_limiting_sentinels'] = []
 default['gitlab']['gitlab_rails']['redis_rate_limiting_sentinels_password'] = nil
 default['gitlab']['gitlab_rails']['redis_rate_limiting_username'] = nil
 default['gitlab']['gitlab_rails']['redis_rate_limiting_password'] = nil
 default['gitlab']['gitlab_rails']['redis_rate_limiting_cluster_nodes'] = []
+default['gitlab']['gitlab_rails']['redis_rate_limiting_ssl'] = false
+default['gitlab']['gitlab_rails']['redis_rate_limiting_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
+default['gitlab']['gitlab_rails']['redis_rate_limiting_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
+default['gitlab']['gitlab_rails']['redis_rate_limiting_tls_client_cert_file'] = nil
+default['gitlab']['gitlab_rails']['redis_rate_limiting_tls_client_key_file'] = nil
 default['gitlab']['gitlab_rails']['redis_sessions_instance'] = nil
 default['gitlab']['gitlab_rails']['redis_sessions_sentinels'] = []
 default['gitlab']['gitlab_rails']['redis_sessions_sentinels_password'] = nil
 default['gitlab']['gitlab_rails']['redis_sessions_username'] = nil
 default['gitlab']['gitlab_rails']['redis_sessions_password'] = nil
 default['gitlab']['gitlab_rails']['redis_sessions_cluster_nodes'] = []
+default['gitlab']['gitlab_rails']['redis_sessions_ssl'] = false
+default['gitlab']['gitlab_rails']['redis_sessions_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
+default['gitlab']['gitlab_rails']['redis_sessions_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
+default['gitlab']['gitlab_rails']['redis_sessions_tls_client_cert_file'] = nil
+default['gitlab']['gitlab_rails']['redis_sessions_tls_client_key_file'] = nil
 default['gitlab']['gitlab_rails']['redis_repository_cache_instance'] = nil
 default['gitlab']['gitlab_rails']['redis_repository_cache_sentinels'] = []
 default['gitlab']['gitlab_rails']['redis_repository_cache_sentinels_password'] = nil
 default['gitlab']['gitlab_rails']['redis_repository_cache_username'] = nil
 default['gitlab']['gitlab_rails']['redis_repository_cache_password'] = nil
 default['gitlab']['gitlab_rails']['redis_repository_cache_cluster_nodes'] = []
+default['gitlab']['gitlab_rails']['redis_repository_cache_ssl'] = false
+default['gitlab']['gitlab_rails']['redis_repository_cache_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
+default['gitlab']['gitlab_rails']['redis_repository_cache_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
+default['gitlab']['gitlab_rails']['redis_repository_cache_tls_client_cert_file'] = nil
+default['gitlab']['gitlab_rails']['redis_repository_cache_tls_client_key_file'] = nil
 default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_instance'] = nil
 default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_sentinels'] = []
 default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_sentinels_password'] = nil
 default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_username'] = nil
 default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_password'] = nil
 default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_cluster_nodes'] = []
+default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_ssl'] = false
+default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
+default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
+default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_tls_client_cert_file'] = nil
+default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_tls_client_key_file'] = nil
 default['gitlab']['gitlab_rails']['redis_workhorse_instance'] = nil
 default['gitlab']['gitlab_rails']['redis_workhorse_sentinels'] = []
 default['gitlab']['gitlab_rails']['redis_workhorse_sentinels_password'] = nil
 default['gitlab']['gitlab_rails']['redis_workhorse_username'] = nil
 default['gitlab']['gitlab_rails']['redis_workhorse_password'] = nil
 default['gitlab']['gitlab_rails']['redis_workhorse_cluster_nodes'] = []
+default['gitlab']['gitlab_rails']['redis_workhorse_ssl'] = false
+default['gitlab']['gitlab_rails']['redis_workhorse_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
+default['gitlab']['gitlab_rails']['redis_workhorse_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup
+default['gitlab']['gitlab_rails']['redis_workhorse_tls_client_cert_file'] = nil
+default['gitlab']['gitlab_rails']['redis_workhorse_tls_client_key_file'] = nil
 
 # used by workhorse to connect to a separate external redis instead of the omnibus-gitlab redis
 default['gitlab']['gitlab_rails']['redis_workhorse_sentinel_master'] = nil