redis tls (#1341)

* redis tls

Author: gbarc-dt

Gemfile

@@ -9,7 +9,7 @@ gem 'travis-support',  git: 'https://github.com/travis-ci/travis-support'
 gem 'travis-amqp',     git: 'https://github.com/travis-ci/travis-amqp'
 gem 'travis-config',  git: 'https://github.com/travis-ci/travis-config'
 gem 'travis-settings', git: 'https://github.com/travis-ci/travis-settings'
-gem 'travis-lock',     git: 'https://github.com/travis-ci/travis-lock'
+gem 'travis-lock',     git: 'https://github.com/travis-ci/travis-lock', branch: 'ga-tbt151-redistls'
 gem 'travis-github_apps', git: 'https://github.com/travis-ci/travis-github_apps'
 gem 'travis-rollout',  git: 'https://github.com/travis-ci/travis-rollout'
 gem 'simple_states',  git: 'https://github.com/travis-ci/simple_states', branch: 'prd-ruby-upgrade-dev'

Gemfile.lock

@@ -90,7 +90,8 @@ GIT
 
 GIT
   remote: https://github.com/travis-ci/travis-lock
-  revision: aeee7b5d11e3d44f19d0a113c2e54ec54756f20f
+  revision: 535bbe651e1d407c58b1f1c7f521dd1d7a08691c
+  branch: ga-tbt151-redistls
   specs:
     travis-lock (0.2.0)
 

lib/travis.rb

@@ -52,7 +52,9 @@ def setup(options = {})
     end
 
     def redis
-      @redis ||= Redis.new(config.redis.to_h)
+      cfg = config.redis.to_h
+      cfg = cfg.merge(ssl_params: redis_ssl_params) if config.redis.ssl
+      @redis ||= Redis.new(cfg.to_h)
     end
 
     def pusher
@@ -66,6 +68,19 @@ def pusher
       end
     end
 
+    def redis_ssl_params
+      @redis_ssl_params ||= begin
+        return nil unless Travis.config.redis.ssl
+
+        value = {}
+        value[:ca_file] = ENV['REDIS_SSL_CA_FILE'] if ENV['REDIS_SSL_CA_FILE']
+        value[:cert] = OpenSSL::X509::Certificate.new(File.read(ENV['REDIS_SSL_CERT_FILE'])) if ENV['REDIS_SSL_CERT_FILE']
+        value[:key] = OpenSSL::PKEY::RSA.new(File.read(ENV['REDIS_SSL_KEY_FILE'])) if ENV['REDIS_SSL_KEY_FILE']
+        value[:verify_mode] = OpenSSL::SSL::VERIFY_NONE if Travis.config.ssl_verify == false
+        value
+      end
+    end
+
     def states_cache
       @states_cache ||= Travis::StatesCache.new
     end

lib/travis/api/app.rb

@@ -222,7 +222,9 @@ def self.setup_travis
         setup_database_connections
 
         Sidekiq.configure_client do |config|
-          config.redis = Travis.config.redis.to_h
+          cfg = Travis.config.redis.to_h
+          cfg = cfg.merge(ssl_params: Travis.redis_ssl_params) if Travis.config.redis.ssl && Travis.redis_ssl_params
+          config.redis = cfg
         end
 
         if use_monitoring? && !console?

lib/travis/api/app/schedulers/schedule_cron_jobs.rb

@@ -21,11 +21,20 @@ def self.run
       end
 
       def self.options
-        @options ||= {
-          strategy: :redis,
-          url:      Travis.config.redis.url,
-          retries:  0
-        }
+        @options ||=
+          begin
+            opt = {
+              strategy: :redis,
+              url:      Travis.config.redis.url,
+              retries:  0,
+              ssl: Travis.config.redis.ssl || false,
+            }
+            opt[:ca_file] ||= ENV['REDIS_SSL_CA_FILE'] if ENV['REDIS_SSL_CA_FILE']
+            opt[:cert] ||= OpenSSL::X509::Certificate.new(File.read(ENV['REDIS_SSL_CERT_FILE'])) if ENV['REDIS_SSL_CERT_FILE']
+            opt[:key] ||= OpenSSL::PKEY::RSA.new(File.read(ENV['REDIS_SSL_KEY_FILE'])) if ENV['REDIS_SSL_KEY_FILE']
+            opt[:verify_mode] ||= OpenSSL::SSL::VERIFY_NONE if Travis.config.ssl_verify == false
+            opt
+          end
       end
 
       def self.enqueue

lib/travis/api/sidekiq.rb

@@ -27,10 +27,25 @@ def gatekeeper_client
       def gatekeeper_pool
         ::Sidekiq::RedisConnection.create(
           url: config.redis_gatekeeper.url,
-          id: nil
+          id: nil,
+          ssl: config.redis_gatekeeper.ssl || false,
+          ssl_params: redis_ssl_params
         )
       end
 
+      def redis_ssl_params
+        @redis_ssl_params ||= begin
+            return {} unless Travis.config.redis_gatekeeper.ssl
+
+            value = {}
+            value[:ca_file] = ENV['REDIS_GATEKEEPER_SSL_CA_FILE'] if ENV['REDIS_GATEKEEPER_SSL_CA_FILE']
+            value[:cert] = OpenSSL::X509::Certificate.new(File.read(ENV['REDIS_GATEKEEPER_SSL_CERT_FILE'])) if ENV['REDIS_GATEKEEPER_SSL_CERT_FILE']
+            value[:key] = OpenSSL::PKEY::RSA.new(File.read(ENV['REDIS_GATEKEEPER_SSL_KEY_FILE'])) if ENV['REDIS_GATEKEEPER_SSL_KEY_FILE']
+            value[:verify_mode] = OpenSSL::SSL::VERIFY_NONE if Travis.config.ssl_verify == false
+            value
+       end
+      end
+
       def config
         Travis.config
       end

lib/travis/config/defaults.rb

@@ -76,8 +76,8 @@ def fallback_logs_api_auth_token
             roles:                {},
             archive:              {},
             ssl:                  {},
-            redis:                { url: 'redis://localhost:6379' },
-            redis_gatekeeper:     { url: ENV['REDIS_GATEKEEPER_URL'] || 'redis://localhost:6379' },
+            redis:                { url: 'redis://localhost:6379' , ssl: ENV['REDIS_SSL'] || false },
+            redis_gatekeeper:     { url: ENV['REDIS_GATEKEEPER_URL'] || 'redis://localhost:6379', ssl: ENV['REDIS_GATEKEEPER_SSL'] || false },
             repository:           { ssl_key: { size: 4096 } },
             encryption:           Travis.env == 'development' || Travis.env == 'test' ? { key: 'secret' * 10 } : {},
             sync:                 { organizations: { repositories_limit: 1000 } },

lib/travis/sidekiq.rb

@@ -13,9 +13,13 @@
 Travis::Notification.setup
 
 Sidekiq.configure_server do |config|
-  config.redis = Travis.config.redis.to_h.merge(namespace: Travis.config.sidekiq.namespace, id: nil)
+  cfg = Travis.config.redis.to_h.merge(id: nil)
+  cfg = cfg.merge(ssl_params: Travis.redis_ssl_params) if Travis.config.redis.ssl
+  config.redis = cfg
 end
 
 Sidekiq.configure_client do |config|
-  config.redis = Travis.config.redis.to_h.merge(size: 1, namespace: Travis.config.sidekiq.namespace, id: nil)
+  cfg = Travis.config.redis.to_h.merge(size: 1, id: nil)
+  cfg = cfg.merge(ssl_params: Travis.redis_ssl_params) if Travis.config.redis.ssl
+  config.redis = cfg
 end