Skip to content

sfe/redis: Add limiter config to SFE and cleanup creds #8501

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
beautifulentropy merged 2 commits into from
Nov 21, 2025
Merged

sfe/redis: Add limiter config to SFE and cleanup creds #8501

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
43c27d6
sfe/redis: Add limiter config to SFE and cleanup creds
beautifulentropy Nov 20, 2025
b7379d5
Fix last 2 renames
beautifulentropy Nov 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion ra/ra_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -362,7 +362,7 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, sapb.StorageAutho
rlSource := ratelimits.NewInmemSource()
limiter, err := ratelimits.NewLimiter(fc, rlSource, stats)
test.AssertNotError(t, err, "making limiter")
txnBuilder, err := ratelimits.NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "", metrics.NoopRegisterer, log)
txnBuilder, err := ratelimits.NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "", metrics.NoopRegisterer, log)
test.AssertNotError(t, err, "making transaction composer")

testKeyPolicy, err := goodkey.NewPolicy(nil, nil)
Expand Down
4 changes: 2 additions & 2 deletions ratelimits/limit_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -259,11 +259,11 @@ func TestLoadAndParseOverrideLimitsFromFile(t *testing.T) {
func TestLoadOverrides(t *testing.T) {
mockLog := blog.NewMock()

tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "../test/config-next/wfe2-ratelimit-overrides.yml", metrics.NoopRegisterer, mockLog)
tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "../test/config-next/ratelimit-overrides.yml", metrics.NoopRegisterer, mockLog)
test.AssertNotError(t, err, "creating TransactionBuilder")
err = tb.loadOverrides(context.Background())
test.AssertNotError(t, err, "loading overrides in TransactionBuilder")
overridesData, err := loadOverridesFromFile("../test/config-next/wfe2-ratelimit-overrides.yml")
overridesData, err := loadOverridesFromFile("../test/config-next/ratelimit-overrides.yml")
test.AssertNotError(t, err, "loading overrides from file")
testOverrides, err := parseOverrideLimits(overridesData)
test.AssertNotError(t, err, "parsing overrides")
Expand Down
2 changes: 1 addition & 1 deletion ratelimits/source_redis_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ func newTestRedisSource(clk clock.FakeClock, addrs map[string]string) *RedisSour

client := redis.NewRing(&redis.RingOptions{
Addrs: addrs,
Username: "unittest-rw",
Username: "boulder",
Password: "824968fa490f4ecec1e52d5e34916bdb60d45f8d",
TLSConfig: tlsConfig2,
})
Expand Down
18 changes: 9 additions & 9 deletions ratelimits/transaction_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ func sortTransactions(txns []Transaction) []Transaction {
func TestNewRegistrationsPerIPAddressTransactions(t *testing.T) {
t.Parallel()

tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
test.AssertNotError(t, err, "creating TransactionBuilder")

// A check-and-spend transaction for the global limit.
Expand All @@ -56,7 +56,7 @@ func TestNewRegistrationsPerIPAddressTransactions(t *testing.T) {
func TestNewRegistrationsPerIPv6AddressTransactions(t *testing.T) {
t.Parallel()

tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
test.AssertNotError(t, err, "creating TransactionBuilder")

// A check-and-spend transaction for the global limit.
Expand All @@ -69,7 +69,7 @@ func TestNewRegistrationsPerIPv6AddressTransactions(t *testing.T) {
func TestNewOrdersPerAccountTransactions(t *testing.T) {
t.Parallel()

tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
test.AssertNotError(t, err, "creating TransactionBuilder")

// A check-and-spend transaction for the global limit.
Expand All @@ -82,7 +82,7 @@ func TestNewOrdersPerAccountTransactions(t *testing.T) {
func TestFailedAuthorizationsPerDomainPerAccountTransactions(t *testing.T) {
t.Parallel()

tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "testdata/working_override_13371338.yml", metrics.NoopRegisterer, blog.NewMock())
tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "testdata/working_override_13371338.yml", metrics.NoopRegisterer, blog.NewMock())
test.AssertNotError(t, err, "creating TransactionBuilder")
err = tb.loadOverrides(context.Background())
test.AssertNotError(t, err, "loading overrides")
Expand Down Expand Up @@ -121,7 +121,7 @@ func TestFailedAuthorizationsPerDomainPerAccountTransactions(t *testing.T) {
func TestFailedAuthorizationsForPausingPerDomainPerAccountTransactions(t *testing.T) {
t.Parallel()

tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "testdata/working_override_13371338.yml", metrics.NoopRegisterer, blog.NewMock())
tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "testdata/working_override_13371338.yml", metrics.NoopRegisterer, blog.NewMock())
test.AssertNotError(t, err, "creating TransactionBuilder")
err = tb.loadOverrides(context.Background())
test.AssertNotError(t, err, "loading overrides")
Expand All @@ -137,7 +137,7 @@ func TestFailedAuthorizationsForPausingPerDomainPerAccountTransactions(t *testin
func TestCertificatesPerDomainTransactions(t *testing.T) {
t.Parallel()

tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
test.AssertNotError(t, err, "creating TransactionBuilder")

// One check-only transaction for the global limit.
Expand All @@ -158,7 +158,7 @@ func TestCertificatesPerDomainTransactions(t *testing.T) {
func TestCertificatesPerDomainPerAccountTransactions(t *testing.T) {
t.Parallel()

tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "testdata/working_override_13371338.yml", metrics.NoopRegisterer, blog.NewMock())
tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "testdata/working_override_13371338.yml", metrics.NoopRegisterer, blog.NewMock())
test.AssertNotError(t, err, "creating TransactionBuilder")
err = tb.loadOverrides(context.Background())
test.AssertNotError(t, err, "loading overrides")
Expand Down Expand Up @@ -211,7 +211,7 @@ func TestCertificatesPerDomainPerAccountTransactions(t *testing.T) {
func TestCertificatesPerFQDNSetTransactions(t *testing.T) {
t.Parallel()

tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
test.AssertNotError(t, err, "creating TransactionBuilder")

// A single check-only transaction for the global limit.
Expand Down Expand Up @@ -314,7 +314,7 @@ func TestNewTransactionBuilderFromDatabase(t *testing.T) {
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
mockLog := blog.NewMock()
tb, err := NewTransactionBuilderFromDatabase("../test/config-next/wfe2-ratelimit-defaults.yml", tc.overrides, metrics.NoopRegisterer, mockLog)
tb, err := NewTransactionBuilderFromDatabase("../test/config-next/ratelimit-defaults.yml", tc.overrides, metrics.NoopRegisterer, mockLog)
test.AssertNotError(t, err, "creating TransactionBuilder")
err = tb.limitRegistry.loadOverrides(context.Background())
if tc.expectError != "" {
Expand Down
2 changes: 1 addition & 1 deletion redis/lookup_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ func newTestRedisRing() *redis.Ring {
}

client := redis.NewRing(&redis.RingOptions{
Username: "unittest-rw",
Username: "boulder",
Password: "824968fa490f4ecec1e52d5e34916bdb60d45f8d",
TLSConfig: tlsConfig2,
})
Expand Down
4 changes: 2 additions & 2 deletions test/boulder-tools/flushredis/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ import (

func main() {
rc := bredis.Config{
Username: "unittest-rw",
Username: "boulder",
TLS: cmd.TLSConfig{
CACertFile: "test/certs/ipki/minica.pem",
CertFile: "test/certs/ipki/localhost/cert.pem",
Expand All @@ -30,7 +30,7 @@ func main() {
LookupDNSAuthority: "consul.service.consul",
}
rc.PasswordConfig = cmd.PasswordConfig{
PasswordFile: "test/secrets/ratelimits_redis_password",
PasswordFile: "test/secrets/redis_password",
}

stats := metrics.NoopRegisterer
Expand Down
6 changes: 3 additions & 3 deletions test/config-next/ra.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@
"ra": {
"limiter": {
"redis": {
"username": "boulder-wfe",
"passwordFile": "test/secrets/wfe_ratelimits_redis_password",
"username": "boulder",
"passwordFile": "test/secrets/redis_password",
"lookups": [
{
"Service": "redisratelimits",
Expand All @@ -21,7 +21,7 @@
"keyFile": "test/certs/ipki/wfe.boulder/key.pem"
}
},
"Defaults": "test/config-next/wfe2-ratelimit-defaults.yml",
"Defaults": "test/config-next/ratelimit-defaults.yml",
"OverridesFromDB": true
},
"maxContactsPerRegistration": 3,
Expand Down
0 test/config-next/wfe2-ratelimit-defaults.yml → test/config-next/ratelimit-defaults.yml
View file
Open in desktop
File renamed without changes.
0 .../config-next/wfe2-ratelimit-overrides.yml → test/config-next/ratelimit-overrides.yml
View file
Open in desktop
File renamed without changes.
23 changes: 23 additions & 0 deletions test/config-next/sfe.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,29 @@
"noWaitForReady": true,
"hostOverride": "sa.boulder"
},
"limiter": {
"redis": {
"username": "boulder",
"passwordFile": "test/secrets/redis_password",
"lookups": [
{
"Service": "redisratelimits",
"Domain": "service.consul"
}
],
"lookupDNSAuthority": "consul.service.consul",
"readTimeout": "250ms",
"writeTimeout": "250ms",
"poolSize": 100,
"routeRandomly": true,
"tls": {
"caCertFile": "test/certs/ipki/minica.pem",
"certFile": "test/certs/ipki/wfe.boulder/cert.pem",
"keyFile": "test/certs/ipki/wfe.boulder/key.pem"
}
},
"Defaults": "test/config-next/sfe-ratelimit-defaults.yml"
},
"emailExporter": {
"dnsAuthority": "consul.service.consul",
"srvLookup": {
Expand Down
6 changes: 3 additions & 3 deletions test/config-next/wfe2.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,8 +111,8 @@
"staleTimeout": "5m",
"limiter": {
"redis": {
"username": "boulder-wfe",
"passwordFile": "test/secrets/wfe_ratelimits_redis_password",
"username": "boulder",
"passwordFile": "test/secrets/redis_password",
"lookups": [
{
"Service": "redisratelimits",
Expand All @@ -130,7 +130,7 @@
"keyFile": "test/certs/ipki/wfe.boulder/key.pem"
}
},
"Defaults": "test/config-next/wfe2-ratelimit-defaults.yml",
"Defaults": "test/config-next/ratelimit-defaults.yml",
"OverridesFromDB": true
},
"features": {
Expand Down
8 changes: 4 additions & 4 deletions test/config/ra.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@
"ra": {
"limiter": {
"redis": {
"username": "boulder-wfe",
"passwordFile": "test/secrets/wfe_ratelimits_redis_password",
"username": "boulder",
"passwordFile": "test/secrets/redis_password",
"lookups": [
{
"Service": "redisratelimits",
Expand All @@ -21,8 +21,8 @@
"keyFile": "test/certs/ipki/wfe.boulder/key.pem"
}
},
"Defaults": "test/config/wfe2-ratelimit-defaults.yml",
"Overrides": "test/config/wfe2-ratelimit-overrides.yml"
"Defaults": "test/config/ratelimit-defaults.yml",
"Overrides": "test/config/ratelimit-overrides.yml"
},
"maxContactsPerRegistration": 3,
"debugAddr": ":8002",
Expand Down
0 test/config/wfe2-ratelimit-defaults.yml → test/config/ratelimit-defaults.yml
View file
Open in desktop
File renamed without changes.
0 test/config/wfe2-ratelimit-overrides.yml → test/config/ratelimit-overrides.yml
View file
Open in desktop
File renamed without changes.
8 changes: 4 additions & 4 deletions test/config/wfe2.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,8 +103,8 @@
"staleTimeout": "5m",
"limiter": {
"redis": {
"username": "boulder-wfe",
"passwordFile": "test/secrets/wfe_ratelimits_redis_password",
"username": "boulder",
"passwordFile": "test/secrets/redis_password",
"lookups": [
{
"Service": "redisratelimits",
Expand All @@ -122,8 +122,8 @@
"keyFile": "test/certs/ipki/wfe.boulder/key.pem"
}
},
"Defaults": "test/config/wfe2-ratelimit-defaults.yml",
"Overrides": "test/config/wfe2-ratelimit-overrides.yml"
"Defaults": "test/config/ratelimit-defaults.yml",
"Overrides": "test/config/ratelimit-overrides.yml"
},
"features": {
"ServeRenewalInfo": true,
Expand Down
4 changes: 2 additions & 2 deletions test/redis-cli.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ ARGS="-p 4218 \
--cert /test/certs/ipki/redis/cert.pem \
--key /test/certs/ipki/redis/key.pem \
--cacert /test/certs/ipki/minica.pem \
--user admin-user \
--pass 435e9c4225f08813ef3af7c725f0d30d263b9cd3"
--user boulder \
--pass 824968fa490f4ecec1e52d5e34916bdb60d45f8d"

exec docker compose exec bredis_1 redis-cli $ARGS "${@}"
8 changes: 3 additions & 5 deletions test/redis-ratelimits.config
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,11 +18,9 @@ rename-command SHUTDOWN ""
rename-command SPOP ""
rename-command SREM ""
user default off
user boulder-wfe on +@all ~* >b3b2fcbbf46fe39fd522c395a51f84d93a98ff2f
user admin-user on +@all ~* >435e9c4225f08813ef3af7c725f0d30d263b9cd3
user unittest-rw on +@all ~* >824968fa490f4ecec1e52d5e34916bdb60d45f8d
masteruser admin-user
masterauth 435e9c4225f08813ef3af7c725f0d30d263b9cd3
user boulder on +@all ~* >824968fa490f4ecec1e52d5e34916bdb60d45f8d
masteruser boulder
masterauth 824968fa490f4ecec1e52d5e34916bdb60d45f8d
tls-protocols "TLSv1.3"
tls-cert-file /test/certs/ipki/redis/cert.pem
tls-key-file /test/certs/ipki/redis/key.pem
Expand Down
0 test/secrets/ratelimits_redis_password → test/secrets/redis_password
View file
Open in desktop
File renamed without changes.
1 change: 0 additions & 1 deletion test/secrets/wfe_ratelimits_redis_password
View file
Open in desktop

This file was deleted.

2 changes: 1 addition & 1 deletion wfe2/wfe_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -412,7 +412,7 @@ func setupWFE(t *testing.T) (WebFrontEndImpl, clock.FakeClock, requestSigner) {
// Setup rate limiting.
limiter, err := ratelimits.NewLimiter(fc, ratelimits.NewInmemSource(), stats)
test.AssertNotError(t, err, "making limiter")
txnBuilder, err := ratelimits.NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "", stats, logger)
txnBuilder, err := ratelimits.NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "", stats, logger)
test.AssertNotError(t, err, "making transaction composer")

unpauseSigner, err := unpause.NewJWTSigner(cmd.HMACKeyConfig{KeyFile: "../test/secrets/sfe_unpause_key"})
Expand Down
Loading