Add Redis TLS settings for KAS

balasankarc · balasankarc · commit b27aa99c0668 · 2023-10-18T14:32:49.000+05:30
Changelog: added
Signed-off-by: Balasankar "Balu" C &lt;balasankar@gitlab.com&gt;
diff --git a/files/gitlab-config-template/gitlab.rb.template b/files/gitlab-config-template/gitlab.rb.template
@@ -2112,6 +2112,11 @@ external_url 'GENERATED_EXTERNAL_URL'
 # gitlab_kas['redis_sentinels_master_name'] = nil
 # gitlab_kas['redis_sentinels_password'] = ''
 
+# gitlab_kas['redis_ssl'] = false
+# gitlab_kas['redis_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
+# gitlab_kas['redis_tls_client_cert_file'] = nil
+# gitlab_kas['redis_tls_client_key_file'] = nil
+
 ################################################################################
 ## GitLab Suggested Reviewers (EE Only)
 ##! Docs: https://docs.gitlab.com/ee/user/project/merge_requests/reviews/#suggested-reviewers
diff --git a/files/gitlab-cookbooks/gitlab-kas/attributes/default.rb b/files/gitlab-cookbooks/gitlab-kas/attributes/default.rb
@@ -54,3 +54,7 @@
 default['gitlab_kas']['redis_sentinels'] = nil
 default['gitlab_kas']['redis_sentinels_master_name'] = nil
 default['gitlab_kas']['redis_sentinels_password'] = nil
+default['gitlab_kas']['redis_ssl'] = nil
+default['gitlab_kas']['redis_tls_ca_cert_file'] = nil
+default['gitlab_kas']['redis_tls_client_cert_file'] = nil
+default['gitlab_kas']['redis_tls_client_key_file'] = nil
diff --git a/files/gitlab-cookbooks/gitlab-kas/libraries/gitlab_kas.rb b/files/gitlab-cookbooks/gitlab-kas/libraries/gitlab_kas.rb
@@ -114,6 +114,10 @@ def parse_redis_settings
         redis_password
         redis_sentinels
         redis_sentinels_password
+        redis_ssl
+        redis_tls_ca_cert_file
+        redis_tls_client_cert_file
+        redis_tls_client_key_file
       ]
       settings_copied_from_gitlab_rails.each do |setting|
         Gitlab['gitlab_kas'][setting] = Gitlab['gitlab_rails'][setting] || Gitlab['node']['gitlab']['gitlab_rails'][setting] unless Gitlab['gitlab_kas'].key?(setting)
diff --git a/files/gitlab-cookbooks/gitlab-kas/recipes/enable.rb b/files/gitlab-cookbooks/gitlab-kas/recipes/enable.rb
@@ -37,12 +37,15 @@
 gitlab_kas_redis_sentinels_password_file = File.join(working_dir, 'redis_sentinels_password_file')
 redis_default_port = URI::Redis::DEFAULT_PORT
 redis_network = redis_helper.redis_url.scheme == 'unix' ? 'unix' : 'tcp'
-redis_ssl = node['gitlab']['gitlab_rails']['redis_ssl']
+redis_ssl = node['gitlab_kas']['redis_ssl']
 redis_address = if redis_network == 'tcp'
                   "#{redis_host}:#{redis_port || redis_default_port}"
                 else
                   node['gitlab_kas']['redis_socket']
                 end
+redis_tls_ca_cert_file = node['gitlab_kas']['redis_tls_ca_cert_file']
+redis_tls_client_cert_file = node['gitlab_kas']['redis_tls_client_cert_file']
+redis_tls_client_key_file = node['gitlab_kas']['redis_tls_client_key_file']
 
 [
   working_dir,
@@ -119,6 +122,9 @@
       redis_network: redis_network,
       redis_address: redis_address,
       redis_ssl: redis_ssl,
+      redis_tls_ca_cert_file: redis_tls_ca_cert_file,
+      redis_tls_client_cert_file: redis_tls_client_cert_file,
+      redis_tls_client_key_file: redis_tls_client_key_file,
       redis_default_port: redis_default_port,
       redis_password_file: redis_password_present ? gitlab_kas_redis_password_file : nil,
       redis_sentinels_master_name: redis_sentinels_master_name,
diff --git a/files/gitlab-cookbooks/gitlab-kas/templates/default/gitlab-kas-config.yml.erb b/files/gitlab-cookbooks/gitlab-kas/templates/default/gitlab-kas-config.yml.erb
@@ -45,6 +45,17 @@ redis:
   network: <%= @redis_network %>
   tls:
     enabled: <%= @redis_ssl %>
+    <%- if @redis_ssl %>
+    <%- if @redis_tls_ca_cert_file %>
+    ca_certificate_file: "<%= @redis_tls_ca_cert_file %>"
+    <% end %>
+    <%- if @redis_tls_client_cert_file %>
+    certificate_file: "<%= @redis_tls_client_cert_file %>"
+    <% end %>
+    <%- if @redis_tls_client_key_file %>
+    key_file: "<%= @redis_tls_client_key_file %>"
+    <% end %>
+    <% end %>
   <%- if @redis_password_file %>
   password_file: <%= @redis_password_file %>
   <%- end %>
diff --git a/spec/chef/cookbooks/gitlab-kas/recipes/gitlab-kas_spec.rb b/spec/chef/cookbooks/gitlab-kas/recipes/gitlab-kas_spec.rb
@@ -445,6 +445,8 @@
               redis_host: 'the-host',
               redis_port: 12345,
               redis_ssl: true,
+              redis_tls_client_cert_file: '/etc/gitlab/self_signed.crt',
+              redis_tls_client_key_file: '/etc/gitlab/self_signed.key'
             }
           )
         end
@@ -457,6 +459,9 @@
                 'network' => 'tcp',
                 'tls' => {
                   'enabled' => true,
+                  'ca_certificate_file' => '/opt/gitlab/embedded/ssl/certs/cacert.pem',
+                  'certificate_file' => '/etc/gitlab/self_signed.crt',
+                  'key_file' => '/etc/gitlab/self_signed.key',
                 },
                 'server' => {
                   'address' => 'the-host:12345'
