sfe/redis: Add limiter config to SFE and cleanup creds (letsencrypt#8501)

beautifulentropy · natalia.astashenko · commit 43ec1b5a90b7 · 2025-11-25T10:09:15.000+02:00
Add limiter stanza to the SFE's config-next JSON. This should have happened in [letsencrypt#8359](letsencrypt#8359). Also, Cleanup our Redis credentials and secrets. These were a little overly specific, especially now that we've dropped support for OCSP and thus ROCSP. Instead, rely on a single `boulder` user with the same permissions that each of the other users had.
diff --git a/ra/ra_test.go b/ra/ra_test.go
@@ -362,7 +362,7 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, sapb.StorageAutho
 	rlSource := ratelimits.NewInmemSource()
 	limiter, err := ratelimits.NewLimiter(fc, rlSource, stats)
 	test.AssertNotError(t, err, "making limiter")
-	txnBuilder, err := ratelimits.NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "", metrics.NoopRegisterer, log)
+	txnBuilder, err := ratelimits.NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "", metrics.NoopRegisterer, log)
 	test.AssertNotError(t, err, "making transaction composer")
 
 	testKeyPolicy, err := goodkey.NewPolicy(nil, nil)
diff --git a/ratelimits/limit_test.go b/ratelimits/limit_test.go
@@ -259,11 +259,11 @@ func TestLoadAndParseOverrideLimitsFromFile(t *testing.T) {
 func TestLoadOverrides(t *testing.T) {
 	mockLog := blog.NewMock()
 
-	tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "../test/config-next/wfe2-ratelimit-overrides.yml", metrics.NoopRegisterer, mockLog)
+	tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "../test/config-next/ratelimit-overrides.yml", metrics.NoopRegisterer, mockLog)
 	test.AssertNotError(t, err, "creating TransactionBuilder")
 	err = tb.loadOverrides(context.Background())
 	test.AssertNotError(t, err, "loading overrides in TransactionBuilder")
-	overridesData, err := loadOverridesFromFile("../test/config-next/wfe2-ratelimit-overrides.yml")
+	overridesData, err := loadOverridesFromFile("../test/config-next/ratelimit-overrides.yml")
 	test.AssertNotError(t, err, "loading overrides from file")
 	testOverrides, err := parseOverrideLimits(overridesData)
 	test.AssertNotError(t, err, "parsing overrides")
diff --git a/ratelimits/source_redis_test.go b/ratelimits/source_redis_test.go
@@ -29,7 +29,7 @@ func newTestRedisSource(clk clock.FakeClock, addrs map[string]string) *RedisSour
 
 	client := redis.NewRing(&redis.RingOptions{
 		Addrs:     addrs,
-		Username:  "unittest-rw",
+		Username:  "boulder",
 		Password:  "824968fa490f4ecec1e52d5e34916bdb60d45f8d",
 		TLSConfig: tlsConfig2,
 	})
diff --git a/ratelimits/transaction_test.go b/ratelimits/transaction_test.go
@@ -43,7 +43,7 @@ func sortTransactions(txns []Transaction) []Transaction {
 func TestNewRegistrationsPerIPAddressTransactions(t *testing.T) {
 	t.Parallel()
 
-	tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
+	tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
 	test.AssertNotError(t, err, "creating TransactionBuilder")
 
 	// A check-and-spend transaction for the global limit.
@@ -56,7 +56,7 @@ func TestNewRegistrationsPerIPAddressTransactions(t *testing.T) {
 func TestNewRegistrationsPerIPv6AddressTransactions(t *testing.T) {
 	t.Parallel()
 
-	tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
+	tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
 	test.AssertNotError(t, err, "creating TransactionBuilder")
 
 	// A check-and-spend transaction for the global limit.
@@ -69,7 +69,7 @@ func TestNewRegistrationsPerIPv6AddressTransactions(t *testing.T) {
 func TestNewOrdersPerAccountTransactions(t *testing.T) {
 	t.Parallel()
 
-	tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
+	tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
 	test.AssertNotError(t, err, "creating TransactionBuilder")
 
 	// A check-and-spend transaction for the global limit.
@@ -82,7 +82,7 @@ func TestNewOrdersPerAccountTransactions(t *testing.T) {
 func TestFailedAuthorizationsPerDomainPerAccountTransactions(t *testing.T) {
 	t.Parallel()
 
-	tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "testdata/working_override_13371338.yml", metrics.NoopRegisterer, blog.NewMock())
+	tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "testdata/working_override_13371338.yml", metrics.NoopRegisterer, blog.NewMock())
 	test.AssertNotError(t, err, "creating TransactionBuilder")
 	err = tb.loadOverrides(context.Background())
 	test.AssertNotError(t, err, "loading overrides")
@@ -121,7 +121,7 @@ func TestFailedAuthorizationsPerDomainPerAccountTransactions(t *testing.T) {
 func TestFailedAuthorizationsForPausingPerDomainPerAccountTransactions(t *testing.T) {
 	t.Parallel()
 
-	tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "testdata/working_override_13371338.yml", metrics.NoopRegisterer, blog.NewMock())
+	tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "testdata/working_override_13371338.yml", metrics.NoopRegisterer, blog.NewMock())
 	test.AssertNotError(t, err, "creating TransactionBuilder")
 	err = tb.loadOverrides(context.Background())
 	test.AssertNotError(t, err, "loading overrides")
@@ -137,7 +137,7 @@ func TestFailedAuthorizationsForPausingPerDomainPerAccountTransactions(t *testin
 func TestCertificatesPerDomainTransactions(t *testing.T) {
 	t.Parallel()
 
-	tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
+	tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
 	test.AssertNotError(t, err, "creating TransactionBuilder")
 
 	// One check-only transaction for the global limit.
@@ -158,7 +158,7 @@ func TestCertificatesPerDomainTransactions(t *testing.T) {
 func TestCertificatesPerDomainPerAccountTransactions(t *testing.T) {
 	t.Parallel()
 
-	tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "testdata/working_override_13371338.yml", metrics.NoopRegisterer, blog.NewMock())
+	tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "testdata/working_override_13371338.yml", metrics.NoopRegisterer, blog.NewMock())
 	test.AssertNotError(t, err, "creating TransactionBuilder")
 	err = tb.loadOverrides(context.Background())
 	test.AssertNotError(t, err, "loading overrides")
@@ -211,7 +211,7 @@ func TestCertificatesPerDomainPerAccountTransactions(t *testing.T) {
 func TestCertificatesPerFQDNSetTransactions(t *testing.T) {
 	t.Parallel()
 
-	tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
+	tb, err := NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "", metrics.NoopRegisterer, blog.NewMock())
 	test.AssertNotError(t, err, "creating TransactionBuilder")
 
 	// A single check-only transaction for the global limit.
@@ -314,7 +314,7 @@ func TestNewTransactionBuilderFromDatabase(t *testing.T) {
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			mockLog := blog.NewMock()
-			tb, err := NewTransactionBuilderFromDatabase("../test/config-next/wfe2-ratelimit-defaults.yml", tc.overrides, metrics.NoopRegisterer, mockLog)
+			tb, err := NewTransactionBuilderFromDatabase("../test/config-next/ratelimit-defaults.yml", tc.overrides, metrics.NoopRegisterer, mockLog)
 			test.AssertNotError(t, err, "creating TransactionBuilder")
 			err = tb.limitRegistry.loadOverrides(context.Background())
 			if tc.expectError != "" {
diff --git a/redis/lookup_test.go b/redis/lookup_test.go
@@ -28,7 +28,7 @@ func newTestRedisRing() *redis.Ring {
 	}
 
 	client := redis.NewRing(&redis.RingOptions{
-		Username:  "unittest-rw",
+		Username:  "boulder",
 		Password:  "824968fa490f4ecec1e52d5e34916bdb60d45f8d",
 		TLSConfig: tlsConfig2,
 	})
diff --git a/test/boulder-tools/flushredis/main.go b/test/boulder-tools/flushredis/main.go
@@ -15,7 +15,7 @@ import (
 
 func main() {
 	rc := bredis.Config{
-		Username: "unittest-rw",
+		Username: "boulder",
 		TLS: cmd.TLSConfig{
 			CACertFile: "test/certs/ipki/minica.pem",
 			CertFile:   "test/certs/ipki/localhost/cert.pem",
@@ -30,7 +30,7 @@ func main() {
 		LookupDNSAuthority: "consul.service.consul",
 	}
 	rc.PasswordConfig = cmd.PasswordConfig{
-		PasswordFile: "test/secrets/ratelimits_redis_password",
+		PasswordFile: "test/secrets/redis_password",
 	}
 
 	stats := metrics.NoopRegisterer
diff --git a/test/config-next/ra.json b/test/config-next/ra.json
@@ -2,8 +2,8 @@
 	"ra": {
 		"limiter": {
 			"redis": {
-				"username": "boulder-wfe",
-				"passwordFile": "test/secrets/wfe_ratelimits_redis_password",
+				"username": "boulder",
+				"passwordFile": "test/secrets/redis_password",
 				"lookups": [
 					{
 						"Service": "redisratelimits",
@@ -21,7 +21,7 @@
 					"keyFile": "test/certs/ipki/wfe.boulder/key.pem"
 				}
 			},
-			"Defaults": "test/config-next/wfe2-ratelimit-defaults.yml",
+			"Defaults": "test/config-next/ratelimit-defaults.yml",
 			"OverridesFromDB": true
 		},
 		"maxContactsPerRegistration": 3,
diff --git a/test/config-next/ratelimit-defaults.yml b/test/config-next/ratelimit-defaults.yml
diff --git a/test/config-next/ratelimit-overrides.yml b/test/config-next/ratelimit-overrides.yml
diff --git a/test/config-next/sfe.json b/test/config-next/sfe.json
@@ -28,6 +28,29 @@
 			"noWaitForReady": true,
 			"hostOverride": "sa.boulder"
 		},
+		"limiter": {
+			"redis": {
+				"username": "boulder",
+				"passwordFile": "test/secrets/redis_password",
+				"lookups": [
+					{
+						"Service": "redisratelimits",
+						"Domain": "service.consul"
+					}
+				],
+				"lookupDNSAuthority": "consul.service.consul",
+				"readTimeout": "250ms",
+				"writeTimeout": "250ms",
+				"poolSize": 100,
+				"routeRandomly": true,
+				"tls": {
+					"caCertFile": "test/certs/ipki/minica.pem",
+					"certFile": "test/certs/ipki/wfe.boulder/cert.pem",
+					"keyFile": "test/certs/ipki/wfe.boulder/key.pem"
+				}
+			},
+			"Defaults": "test/config-next/sfe-ratelimit-defaults.yml"
+		},
 		"emailExporter": {
 			"dnsAuthority": "consul.service.consul",
 			"srvLookup": {
diff --git a/test/config-next/wfe2.json b/test/config-next/wfe2.json
@@ -111,8 +111,8 @@
 		"staleTimeout": "5m",
 		"limiter": {
 			"redis": {
-				"username": "boulder-wfe",
-				"passwordFile": "test/secrets/wfe_ratelimits_redis_password",
+				"username": "boulder",
+				"passwordFile": "test/secrets/redis_password",
 				"lookups": [
 					{
 						"Service": "redisratelimits",
@@ -130,7 +130,7 @@
 					"keyFile": "test/certs/ipki/wfe.boulder/key.pem"
 				}
 			},
-			"Defaults": "test/config-next/wfe2-ratelimit-defaults.yml",
+			"Defaults": "test/config-next/ratelimit-defaults.yml",
 			"OverridesFromDB": true
 		},
 		"features": {
diff --git a/test/config/ra.json b/test/config/ra.json
@@ -2,8 +2,8 @@
 	"ra": {
 		"limiter": {
 			"redis": {
-				"username": "boulder-wfe",
-				"passwordFile": "test/secrets/wfe_ratelimits_redis_password",
+				"username": "boulder",
+				"passwordFile": "test/secrets/redis_password",
 				"lookups": [
 					{
 						"Service": "redisratelimits",
@@ -21,8 +21,8 @@
 					"keyFile": "test/certs/ipki/wfe.boulder/key.pem"
 				}
 			},
-			"Defaults": "test/config/wfe2-ratelimit-defaults.yml",
-			"Overrides": "test/config/wfe2-ratelimit-overrides.yml"
+			"Defaults": "test/config/ratelimit-defaults.yml",
+			"Overrides": "test/config/ratelimit-overrides.yml"
 		},
 		"maxContactsPerRegistration": 3,
 		"debugAddr": ":8002",
diff --git a/test/config/ratelimit-defaults.yml b/test/config/ratelimit-defaults.yml
diff --git a/test/config/ratelimit-overrides.yml b/test/config/ratelimit-overrides.yml
diff --git a/test/config/wfe2.json b/test/config/wfe2.json
@@ -103,8 +103,8 @@
 		"staleTimeout": "5m",
 		"limiter": {
 			"redis": {
-				"username": "boulder-wfe",
-				"passwordFile": "test/secrets/wfe_ratelimits_redis_password",
+				"username": "boulder",
+				"passwordFile": "test/secrets/redis_password",
 				"lookups": [
 					{
 						"Service": "redisratelimits",
@@ -122,8 +122,8 @@
 					"keyFile": "test/certs/ipki/wfe.boulder/key.pem"
 				}
 			},
-			"Defaults": "test/config/wfe2-ratelimit-defaults.yml",
-			"Overrides": "test/config/wfe2-ratelimit-overrides.yml"
+			"Defaults": "test/config/ratelimit-defaults.yml",
+			"Overrides": "test/config/ratelimit-overrides.yml"
 		},
 		"features": {
 			"ServeRenewalInfo": true,
diff --git a/test/redis-cli.sh b/test/redis-cli.sh
@@ -7,7 +7,7 @@ ARGS="-p 4218 \
     --cert /test/certs/ipki/redis/cert.pem \
     --key /test/certs/ipki/redis/key.pem \
     --cacert /test/certs/ipki/minica.pem \
-    --user admin-user \
-    --pass 435e9c4225f08813ef3af7c725f0d30d263b9cd3"
+    --user boulder \
+    --pass 824968fa490f4ecec1e52d5e34916bdb60d45f8d"
 
 exec docker compose exec bredis_1 redis-cli $ARGS "${@}"
diff --git a/test/redis-ratelimits.config b/test/redis-ratelimits.config
@@ -18,11 +18,9 @@ rename-command SHUTDOWN ""
 rename-command SPOP ""
 rename-command SREM ""
 user default off
-user boulder-wfe       on +@all ~* >b3b2fcbbf46fe39fd522c395a51f84d93a98ff2f
-user admin-user        on +@all ~* >435e9c4225f08813ef3af7c725f0d30d263b9cd3
-user unittest-rw       on +@all ~* >824968fa490f4ecec1e52d5e34916bdb60d45f8d
-masteruser admin-user
-masterauth 435e9c4225f08813ef3af7c725f0d30d263b9cd3
+user boulder on +@all ~* >824968fa490f4ecec1e52d5e34916bdb60d45f8d
+masteruser boulder
+masterauth 824968fa490f4ecec1e52d5e34916bdb60d45f8d
 tls-protocols "TLSv1.3"
 tls-cert-file /test/certs/ipki/redis/cert.pem
 tls-key-file /test/certs/ipki/redis/key.pem
diff --git a/test/secrets/redis_password b/test/secrets/redis_password
diff --git a/test/secrets/wfe_ratelimits_redis_password b/test/secrets/wfe_ratelimits_redis_password
diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go
@@ -412,7 +412,7 @@ func setupWFE(t *testing.T) (WebFrontEndImpl, clock.FakeClock, requestSigner) {
 	// Setup rate limiting.
 	limiter, err := ratelimits.NewLimiter(fc, ratelimits.NewInmemSource(), stats)
 	test.AssertNotError(t, err, "making limiter")
-	txnBuilder, err := ratelimits.NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "", stats, logger)
+	txnBuilder, err := ratelimits.NewTransactionBuilderFromFiles("../test/config-next/ratelimit-defaults.yml", "", stats, logger)
 	test.AssertNotError(t, err, "making transaction composer")
 
 	unpauseSigner, err := unpause.NewJWTSigner(cmd.HMACKeyConfig{KeyFile: "../test/secrets/sfe_unpause_key"})

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ func newTestRedisRing() *redis.Ring {`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`client := redis.NewRing(&redis.RingOptions{`
`31`		`- Username: "unittest-rw",`
	`31`	`+ Username: "boulder",`
`32`	`32`	`Password: "824968fa490f4ecec1e52d5e34916bdb60d45f8d",`
`33`	`33`	`TLSConfig: tlsConfig2,`
`34`	`34`	`})`