From b9cb4c20443668604fdf76da5bc10ac88dc31412 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mihkel=20P=C3=A4rna?= Date: Tue, 6 Feb 2024 13:31:49 +0200 Subject: [PATCH 1/8] Add TLS support for Redis Client implementation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Mihkel Pärna --- cmd/backfill-redis/main.go | 33 ++++++++++++++++++++------------- pkg/api/api.go | 6 +++++- 2 files changed, 25 insertions(+), 14 deletions(-) diff --git a/cmd/backfill-redis/main.go b/cmd/backfill-redis/main.go index 718d6c5c7..64aafa3bc 100644 --- a/cmd/backfill-redis/main.go +++ b/cmd/backfill-redis/main.go @@ -29,6 +29,7 @@ package main import ( "bytes" "context" + "crypto/tls" "encoding/base64" "errors" "flag" 
@@ -64,15 +65,16 @@ import ( ) var ( - redisHostname = flag.String("hostname", "", "Hostname for Redis application") - redisPort = flag.String("port", "", "Port to Redis application") - redisPassword = flag.String("password", "", "Password for Redis authentication") - startIndex = flag.Int("start", -1, "First index to backfill") - endIndex = flag.Int("end", -1, "Last index to backfill") - rekorAddress = flag.String("rekor-address", "", "Address for Rekor, e.g. https://rekor.sigstore.dev") - versionFlag = flag.Bool("version", false, "Print the current version of Backfill Redis") - concurrency = flag.Int("concurrency", 1, "Number of workers to use for backfill") - dryRun = flag.Bool("dry-run", false, "Dry run - don't actually insert into Redis") + redisHostname = flag.String("hostname", "", "Hostname for Redis application") + redisPort = flag.String("port", "", "Port to Redis application") + redisPassword = flag.String("password", "", "Password for Redis authentication") + startIndex = flag.Int("start", -1, "First index to backfill") + endIndex = flag.Int("end", -1, "Last index to backfill") + insecureSkipVerify = flag.Bool("insecure-skip-verify", false, "Whether to skip TLS verification or not") + rekorAddress = flag.String("rekor-address", "", "Address for Rekor, e.g. https://rekor.sigstore.dev") + versionFlag = flag.Bool("version", false, "Print the current version of Backfill Redis") + concurrency = flag.Int("concurrency", 1, "Number of workers to use for backfill") + dryRun = flag.Bool("dry-run", false, "Dry run - don't actually insert into Redis") ) func main() { 
@@ -102,11 +104,16 @@ func main() { log.Printf("running backfill redis Version: %s GitCommit: %s BuildDate: %s", versionInfo.GitVersion, versionInfo.GitCommit, versionInfo.BuildDate) + tlsConfig := &tls.Config{ + InsecureSkipVerify: *insecureSkipVerify, + } + redisClient := redis.NewClient(&redis.Options{ - Addr: fmt.Sprintf("%s:%s", *redisHostname, *redisPort), - Password: *redisPassword, - Network: "tcp", - DB: 0, // default DB + Addr: fmt.Sprintf("%s:%s", *redisHostname, *redisPort), + Password: *redisPassword, + Network: "tcp", + TLSConfig: tlsConfig, + DB: 0, // default DB }) rekorClient, err := client.GetRekorClient(*rekorAddress) diff --git a/pkg/api/api.go b/pkg/api/api.go index 9eabb747c..0c8e674cb 100644 --- a/pkg/api/api.go +++ b/pkg/api/api.go @@ -18,6 +18,7 @@ package api import ( "context" "crypto/sha256" + "crypto/tls" "crypto/x509" "encoding/hex" "fmt" @@ -179,7 +180,10 @@ func ConfigureAPI(treeID uint) { Addr: fmt.Sprintf("%v:%v", viper.GetString("redis_server.address"), viper.GetUint64("redis_server.port")), Password: viper.GetString("redis_server.password"), Network: "tcp", - DB: 0, // default DB + TLSConfig: &tls.Config{ + InsecureSkipVerify: viper.GetBool("redis_server.insecure-skip-verify"), + }, + DB: 0, // default DB }) checkpointPublisher := witness.NewCheckpointPublisher(context.Background(), api.logClient, api.logRanges.ActiveTreeID(), viper.GetString("rekor_server.hostname"), api.signer, redisClient, viper.GetUint("publish_frequency"), CheckpointPublishCount) From d50deec0996eaff908b9032257cc822315655e18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mihkel=20P=C3=A4rna?= Date: Tue, 6 Feb 2024 14:16:17 +0200 Subject: [PATCH 2/8] Define 'redis_server.insecure-skip-verify' flag in 'rekor-server' to allow skipping TLS verification MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Mihkel Pärna --- cmd/rekor-server/app/root.go | 1 + 1 file changed, 1 insertion(+) 
diff --git a/cmd/rekor-server/app/root.go b/cmd/rekor-server/app/root.go index 23a0c70db..677500cd3 100644 --- a/cmd/rekor-server/app/root.go +++ b/cmd/rekor-server/app/root.go @@ -115,6 +115,7 @@ Memory and file-based signers should only be used for testing.`) rootCmd.PersistentFlags().String("redis_server.address", "127.0.0.1", "Redis server address") rootCmd.PersistentFlags().Uint16("redis_server.port", 6379, "Redis server port") rootCmd.PersistentFlags().String("redis_server.password", "", "Redis server password") + rootCmd.PersistentFlags().Bool("redis_server.insecure-skip-verify", false, "Whether to skip TLS verification or not") rootCmd.PersistentFlags().Bool("enable_attestation_storage", false, "enables rich attestation storage") rootCmd.PersistentFlags().String("attestation_storage_bucket", "", "url for attestation storage bucket") From f32ed88dc5863c1470d0b306d99edde0cb9cd13d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mihkel=20P=C3=A4rna?= Date: Tue, 6 Feb 2024 14:25:54 +0200 Subject: [PATCH 3/8] Change flag comment to reference that this only applies to the redis endpoint MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Mihkel Pärna --- cmd/rekor-server/app/root.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/rekor-server/app/root.go b/cmd/rekor-server/app/root.go index 677500cd3..6bf50ef61 100644 --- a/cmd/rekor-server/app/root.go +++ b/cmd/rekor-server/app/root.go 
@@ -115,7 +115,7 @@ Memory and file-based signers should only be used for testing.`) rootCmd.PersistentFlags().String("redis_server.address", "127.0.0.1", "Redis server address") rootCmd.PersistentFlags().Uint16("redis_server.port", 6379, "Redis server port") rootCmd.PersistentFlags().String("redis_server.password", "", "Redis server password") - rootCmd.PersistentFlags().Bool("redis_server.insecure-skip-verify", false, "Whether to skip TLS verification or not") + rootCmd.PersistentFlags().Bool("redis_server.insecure-skip-verify", false, "Whether to skip TLS verification when connecting to Redis endpoint") rootCmd.PersistentFlags().Bool("enable_attestation_storage", false, "enables rich attestation storage") rootCmd.PersistentFlags().String("attestation_storage_bucket", "", "url for attestation storage bucket") From cb36049c8c150a7d6c7bebb540de56832b85ea76 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mihkel=20P=C3=A4rna?= Date: Tue, 6 Feb 2024 15:10:16 +0200 Subject: [PATCH 4/8] Add '#nosec G402' annotation to suppress known warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Mihkel Pärna --- cmd/backfill-redis/main.go | 2 +- pkg/api/api.go | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/cmd/backfill-redis/main.go b/cmd/backfill-redis/main.go index 64aafa3bc..5c37626a0 100644 --- a/cmd/backfill-redis/main.go +++ b/cmd/backfill-redis/main.go @@ -103,7 +103,7 @@ func main() { } log.Printf("running backfill redis Version: %s GitCommit: %s BuildDate: %s", versionInfo.GitVersion, versionInfo.GitCommit, versionInfo.BuildDate) - + // #nosec G402 tlsConfig := &tls.Config{ InsecureSkipVerify: *insecureSkipVerify, } diff --git a/pkg/api/api.go b/pkg/api/api.go index 0c8e674cb..43932bcab 100644 --- a/pkg/api/api.go +++ b/pkg/api/api.go 
@@ -181,6 +181,7 @@ func ConfigureAPI(treeID uint) { Password: viper.GetString("redis_server.password"), Network: "tcp", TLSConfig: &tls.Config{ + // #nosec G402 InsecureSkipVerify: viper.GetBool("redis_server.insecure-skip-verify"), }, DB: 0, // default DB From 37f23c328a09791bafc059f48411d5afb5590bfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mihkel=20P=C3=A4rna?= Date: Mon, 12 Feb 2024 14:56:42 +0200 Subject: [PATCH 5/8] Wrap redis client creation to a separate function to return different implementations based on 'enable-tls' flag MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Mihkel Pärna --- cmd/backfill-redis/main.go | 40 +++++++++++++++++++++++++----------- cmd/rekor-server/app/root.go | 3 ++- pkg/api/api.go | 29 ++++++++++++++++++-------- 3 files changed, 51 insertions(+), 21 deletions(-) diff --git a/cmd/backfill-redis/main.go b/cmd/backfill-redis/main.go index 5c37626a0..b6eeebe69 100644 --- a/cmd/backfill-redis/main.go +++ b/cmd/backfill-redis/main.go @@ -70,7 +70,8 @@ var ( redisPassword = flag.String("password", "", "Password for Redis authentication") startIndex = flag.Int("start", -1, "First index to backfill") endIndex = flag.Int("end", -1, "Last index to backfill") - insecureSkipVerify = flag.Bool("insecure-skip-verify", false, "Whether to skip TLS verification or not") + enableTls = flag.Bool("enable-tls", false, "Enable TLS for Redis client") + insecureSkipVerify = flag.Bool("insecure-skip-verify", false, "Whether to skip TLS verification for Redis client or not") rekorAddress = flag.String("rekor-address", "", "Address for Rekor, e.g. https://rekor.sigstore.dev") versionFlag = flag.Bool("version", false, "Print the current version of Backfill Redis") concurrency = flag.Int("concurrency", 1, "Number of workers to use for backfill") 
@@ -103,18 +104,8 @@ func main() { } log.Printf("running backfill redis Version: %s GitCommit: %s BuildDate: %s", versionInfo.GitVersion, versionInfo.GitCommit, versionInfo.BuildDate) - // #nosec G402 - tlsConfig := &tls.Config{ - InsecureSkipVerify: *insecureSkipVerify, - } - redisClient := redis.NewClient(&redis.Options{ - Addr: fmt.Sprintf("%s:%s", *redisHostname, *redisPort), - Password: *redisPassword, - Network: "tcp", - TLSConfig: tlsConfig, - DB: 0, // default DB - }) + redisClient := redisClient() rekorClient, err := client.GetRekorClient(*rekorAddress) if err != nil { @@ -217,6 +208,31 @@ func main() { } } +func redisClient() *redis.Client { + + // #nosec G402 + tlsConfig := &tls.Config{ + InsecureSkipVerify: *insecureSkipVerify, + } + + if *enableTls == true { + return redis.NewClient(&redis.Options{ + Addr: fmt.Sprintf("%s:%s", *redisHostname, *redisPort), + Password: *redisPassword, + Network: "tcp", + TLSConfig: tlsConfig, + DB: 0, // default DB + }) + } else { + return redis.NewClient(&redis.Options{ + Addr: fmt.Sprintf("%s:%s", *redisHostname, *redisPort), + Password: *redisPassword, + Network: "tcp", + DB: 0, // default DB + }) + } +} + // unmarshalEntryImpl decodes the base64-encoded entry to a specific entry type (types.EntryImpl). // Taken from Cosign func unmarshalEntryImpl(e string) (types.EntryImpl, string, string, error) { diff --git a/cmd/rekor-server/app/root.go b/cmd/rekor-server/app/root.go index 6bf50ef61..a17054ff9 100644 --- a/cmd/rekor-server/app/root.go +++ b/cmd/rekor-server/app/root.go 
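Review bot: `redisClient := redisClient()` in main() shadows the package-level function `redisClient` for the rest of main; it compiles only because a short declaration's scope begins after the statement, and it reads as a recursive call. Rename the helper, e.g. `func newRedisClient() *redis.Client` with `redisClient := newRedisClient()`, which also lines up with the `NewRedisClient` name this series introduces in pkg/api. A related gap in the new helper: when `-insecure-skip-verify` is passed without `-enable-tls` the flag is silently ignored, so either the flag help text should state the dependency (as root.go's does) or the helper should log it. main() continues outside the hunk.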
@@ -115,7 +115,8 @@ Memory and file-based signers should only be used for testing.`) rootCmd.PersistentFlags().String("redis_server.address", "127.0.0.1", "Redis server address") rootCmd.PersistentFlags().Uint16("redis_server.port", 6379, "Redis server port") rootCmd.PersistentFlags().String("redis_server.password", "", "Redis server password") - rootCmd.PersistentFlags().Bool("redis_server.insecure-skip-verify", false, "Whether to skip TLS verification when connecting to Redis endpoint") + rootCmd.PersistentFlags().Bool("redis_server.enable-tls", false, "Whether to enable TLS verification when connecting to Redis endpoint") + rootCmd.PersistentFlags().Bool("redis_server.insecure-skip-verify", false, "Whether to skip TLS verification when connecting to Redis endpoint, only applicable when 'redis_server.enable-tls' is set to 'true'") rootCmd.PersistentFlags().Bool("enable_attestation_storage", false, "enables rich attestation storage") rootCmd.PersistentFlags().String("attestation_storage_bucket", "", "url for attestation storage bucket") diff --git a/pkg/api/api.go b/pkg/api/api.go index 43932bcab..6e6bfc804 100644 --- a/pkg/api/api.go +++ b/pkg/api/api.go 
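Review bot: The help text for `redis_server.enable-tls` says it enables TLS *verification*, but the flag turns TLS on and verification is governed by `redis_server.insecure-skip-verify`; suggest `"Whether to use TLS when connecting to Redis endpoint"`. With only these two knobs an operator whose Redis presents a certificate from a private CA has no way to trust it short of disabling verification entirely, which nudges deployments toward `insecure-skip-verify`; a `redis_server.tls-ca-cert` path loaded into `tls.Config.RootCAs` would close that gap (not part of this series, so flagged as a follow-up rather than a defect in the hunk).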
@@ -176,7 +176,20 @@ func ConfigureAPI(treeID uint) { } if viper.GetBool("enable_stable_checkpoint") { - redisClient = redis.NewClient(&redis.Options{ + redisClient = NewRedisClient() + checkpointPublisher := witness.NewCheckpointPublisher(context.Background(), api.logClient, api.logRanges.ActiveTreeID(), + viper.GetString("rekor_server.hostname"), api.signer, redisClient, viper.GetUint("publish_frequency"), CheckpointPublishCount) + + // create context to cancel goroutine on server shutdown + ctx, cancel := context.WithCancel(context.Background()) + api.checkpointPublishCancel = cancel + checkpointPublisher.StartPublisher(ctx) + } +} + +func NewRedisClient() *redis.Client { + if viper.GetBool("redis_server.enable-tls") == true { + return redis.NewClient(&redis.Options{ Addr: fmt.Sprintf("%v:%v", viper.GetString("redis_server.address"), viper.GetUint64("redis_server.port")), Password: viper.GetString("redis_server.password"), Network: "tcp", @@ -186,13 +199,13 @@ func ConfigureAPI(treeID uint) { }, DB: 0, // default DB }) - checkpointPublisher := witness.NewCheckpointPublisher(context.Background(), api.logClient, api.logRanges.ActiveTreeID(), - viper.GetString("rekor_server.hostname"), api.signer, redisClient, viper.GetUint("publish_frequency"), CheckpointPublishCount) - - // create context to cancel goroutine on server shutdown - ctx, cancel := context.WithCancel(context.Background()) - api.checkpointPublishCancel = cancel - checkpointPublisher.StartPublisher(ctx) + } else { + return redis.NewClient(&redis.Options{ + Addr: fmt.Sprintf("%v:%v", viper.GetString("redis_server.address"), viper.GetUint64("redis_server.port")), + Password: viper.GetString("redis_server.password"), + Network: "tcp", + DB: 0, // default DB + }) } } From ab2e71d3fc0e365ae0aefda303d1e25621eb5ede Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Mihkel=20P=C3=A4rna?= Date: Tue, 13 Feb 2024 10:27:57 +0200 Subject: [PATCH 6/8] Fix flag name from 'enableTls' -> 'enableTLS'. Make bool comparisons conform to go best practices. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Mihkel Pärna --- cmd/backfill-redis/main.go | 17 ++++++++--------- pkg/api/api.go | 15 +++++++-------- 2 files changed, 15 insertions(+), 17 deletions(-) diff --git a/cmd/backfill-redis/main.go b/cmd/backfill-redis/main.go index b6eeebe69..be7a78cca 100644 --- a/cmd/backfill-redis/main.go +++ b/cmd/backfill-redis/main.go @@ -70,7 +70,7 @@ var ( redisPassword = flag.String("password", "", "Password for Redis authentication") startIndex = flag.Int("start", -1, "First index to backfill") endIndex = flag.Int("end", -1, "Last index to backfill") - enableTls = flag.Bool("enable-tls", false, "Enable TLS for Redis client") + enableTLS = flag.Bool("enable-tls", false, "Enable TLS for Redis client") insecureSkipVerify = flag.Bool("insecure-skip-verify", false, "Whether to skip TLS verification for Redis client or not") rekorAddress = flag.String("rekor-address", "", "Address for Rekor, e.g. https://rekor.sigstore.dev") versionFlag = flag.Bool("version", false, "Print the current version of Backfill Redis") @@ -215,7 +215,7 @@ func redisClient() *redis.Client { InsecureSkipVerify: *insecureSkipVerify, } - if *enableTls == true { + if *enableTLS { return redis.NewClient(&redis.Options{ Addr: fmt.Sprintf("%s:%s", *redisHostname, *redisPort), Password: *redisPassword, 
@@ -223,14 +223,13 @@ func redisClient() *redis.Client { TLSConfig: tlsConfig, DB: 0, // default DB }) - } else { - return redis.NewClient(&redis.Options{ - Addr: fmt.Sprintf("%s:%s", *redisHostname, *redisPort), - Password: *redisPassword, - Network: "tcp", - DB: 0, // default DB - }) } + return redis.NewClient(&redis.Options{ + Addr: fmt.Sprintf("%s:%s", *redisHostname, *redisPort), + Password: *redisPassword, + Network: "tcp", + DB: 0, // default DB + }) } // unmarshalEntryImpl decodes the base64-encoded entry to a specific entry type (types.EntryImpl). diff --git a/pkg/api/api.go b/pkg/api/api.go index 6e6bfc804..13d2f0e66 100644 --- a/pkg/api/api.go +++ b/pkg/api/api.go @@ -188,7 +188,7 @@ func ConfigureAPI(treeID uint) { } func NewRedisClient() *redis.Client { - if viper.GetBool("redis_server.enable-tls") == true { + if viper.GetBool("redis_server.enable-tls") { return redis.NewClient(&redis.Options{ Addr: fmt.Sprintf("%v:%v", viper.GetString("redis_server.address"), viper.GetUint64("redis_server.port")), Password: viper.GetString("redis_server.password"), @@ -199,14 +199,13 @@ func NewRedisClient() *redis.Client { }, DB: 0, // default DB }) - } else { - return redis.NewClient(&redis.Options{ - Addr: fmt.Sprintf("%v:%v", viper.GetString("redis_server.address"), viper.GetUint64("redis_server.port")), - Password: viper.GetString("redis_server.password"), - Network: "tcp", - DB: 0, // default DB - }) } + return redis.NewClient(&redis.Options{ + Addr: fmt.Sprintf("%v:%v", viper.GetString("redis_server.address"), viper.GetUint64("redis_server.port")), + Password: viper.GetString("redis_server.password"), + Network: "tcp", + DB: 0, // default DB + }) } func StopAPI() { From 0245c868bf2dffc850a62e1f3a5484883de6b3fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mihkel=20P=C3=A4rna?= Date: Tue, 13 Feb 2024 14:25:54 +0200 Subject: [PATCH 7/8] Reduce duplicate code. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Mihkel Pärna --- cmd/backfill-redis/main.go | 27 +++++++++++---------------- pkg/api/api.go | 26 ++++++++++++-------------- 2 files changed, 23 insertions(+), 30 deletions(-) diff --git a/cmd/backfill-redis/main.go b/cmd/backfill-redis/main.go index be7a78cca..ea8921592 100644 --- a/cmd/backfill-redis/main.go +++ b/cmd/backfill-redis/main.go @@ -210,26 +210,21 @@ func main() { func redisClient() *redis.Client { - // #nosec G402 - tlsConfig := &tls.Config{ - InsecureSkipVerify: *insecureSkipVerify, - } - - if *enableTLS { - return redis.NewClient(&redis.Options{ - Addr: fmt.Sprintf("%s:%s", *redisHostname, *redisPort), - Password: *redisPassword, - Network: "tcp", - TLSConfig: tlsConfig, - DB: 0, // default DB - }) - } - return redis.NewClient(&redis.Options{ + opts := &redis.Options{ Addr: fmt.Sprintf("%s:%s", *redisHostname, *redisPort), Password: *redisPassword, Network: "tcp", DB: 0, // default DB - }) + } + + // #nosec G402 + if *enableTLS { + opts.TLSConfig = &tls.Config{ + InsecureSkipVerify: *insecureSkipVerify, + } + } + + return redis.NewClient(opts) } // unmarshalEntryImpl decodes the base64-encoded entry to a specific entry type (types.EntryImpl). diff --git a/pkg/api/api.go b/pkg/api/api.go index 13d2f0e66..47b112afa 100644 --- a/pkg/api/api.go +++ b/pkg/api/api.go 
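Review bot: Disabling certificate verification in `redisClient()` is silent: an operator who passes `-insecure-skip-verify` gets no trace in the log that the Redis connection is unauthenticated and the password travels over a link anyone in the path can terminate. The `// #nosec G402` now sits on the `if` line rather than on the `tls.Config` literal it excuses — confirm gosec still matches it there, and give the suppression a one-line justification. Suggest logging a warning with the existing `log.Printf` when verification is skipped, and making the "ignored without -enable-tls" case visible in the same place. The enclosing function is fully within the hunk.
```go
func redisClient() *redis.Client {
	// … unchanged: opts literal (Addr, Password, Network, DB) …

	if *enableTLS {
		if *insecureSkipVerify {
			log.Printf("WARNING: TLS certificate verification for Redis at %s:%s is disabled (-insecure-skip-verify)", *redisHostname, *redisPort)
		}
		opts.TLSConfig = &tls.Config{
			InsecureSkipVerify: *insecureSkipVerify, // #nosec G402 -- operator opt-in via -insecure-skip-verify
		}
	} else if *insecureSkipVerify {
		log.Printf("WARNING: -insecure-skip-verify has no effect without -enable-tls")
	}

	return redis.NewClient(opts)
}
```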
@@ -188,24 +188,22 @@ func ConfigureAPI(treeID uint) { } func NewRedisClient() *redis.Client { - if viper.GetBool("redis_server.enable-tls") { - return redis.NewClient(&redis.Options{ - Addr: fmt.Sprintf("%v:%v", viper.GetString("redis_server.address"), viper.GetUint64("redis_server.port")), - Password: viper.GetString("redis_server.password"), - Network: "tcp", - TLSConfig: &tls.Config{ - // #nosec G402 - InsecureSkipVerify: viper.GetBool("redis_server.insecure-skip-verify"), - }, - DB: 0, // default DB - }) - } - return redis.NewClient(&redis.Options{ + + opts := &redis.Options{ Addr: fmt.Sprintf("%v:%v", viper.GetString("redis_server.address"), viper.GetUint64("redis_server.port")), Password: viper.GetString("redis_server.password"), Network: "tcp", DB: 0, // default DB - }) + } + + // #nosec G402 + if viper.GetBool("redis_server.enable-tls") { + opts.TLSConfig = &tls.Config{ + InsecureSkipVerify: viper.GetBool("redis_server.insecure-skip-verify"), + } + } + + return redis.NewClient(opts) } func StopAPI() { From 3b7485d056d94714704829590f586ba2a40630c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mihkel=20P=C3=A4rna?= Date: Tue, 13 Feb 2024 17:36:58 +0200 Subject: [PATCH 8/8] Add TLS option for Redis for the search index client MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Mihkel Pärna --- pkg/indexstorage/indexstorage.go | 2 +- pkg/indexstorage/redis/redis.go | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/pkg/indexstorage/indexstorage.go b/pkg/indexstorage/indexstorage.go index 53f38c3d1..009d0d178 100644 --- a/pkg/indexstorage/indexstorage.go +++ b/pkg/indexstorage/indexstorage.go 
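Review bot: `NewRedisClient` is exported but carries no doc comment; suggest `// NewRedisClient returns a Redis client configured from the redis_server.* settings. TLS is used only when redis_server.enable-tls is set; redis_server.insecure-skip-verify then disables certificate verification.` As in the backfill tool, skipping verification leaves no trace at startup — a warning through the package's logger when `redis_server.insecure-skip-verify` is true would make an unauthenticated Redis link visible in the server log. The `// #nosec G402` is attached to the `if` rather than to the `tls.Config` literal; confirm gosec honors it at that position and add a short justification to the annotation.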
@@ -33,7 +33,7 @@ type IndexStorage interface { func NewIndexStorage(providerType string) (IndexStorage, error) { switch providerType { case redis.ProviderType: - return redis.NewProvider(viper.GetString("redis_server.address"), viper.GetString("redis_server.port"), viper.GetString("redis_server.password")) + return redis.NewProvider(viper.GetString("redis_server.address"), viper.GetString("redis_server.port"), viper.GetString("redis_server.password"), viper.GetBool("redis_server.enable-tls"), viper.GetBool("redis_server.insecure-skip-verify")) case mysql.ProviderType: return mysql.NewProvider(viper.GetString("search_index.mysql.dsn"), mysql.WithConnMaxIdleTime(viper.GetDuration("search_index.mysql.conn_max_idletime")), diff --git a/pkg/indexstorage/redis/redis.go b/pkg/indexstorage/redis/redis.go index 4c3819e09..65d741c7c 100644 --- a/pkg/indexstorage/redis/redis.go +++ b/pkg/indexstorage/redis/redis.go @@ -16,6 +16,7 @@ package redis import ( "context" + "crypto/tls" "errors" "fmt" "strings" @@ -30,7 +31,7 @@ type IndexStorageProvider struct { client *redis.Client } -func NewProvider(address, port, password string) (*IndexStorageProvider, error) { +func NewProvider(address, port, password string, enableTLS bool, insecureSkipVerify bool) (*IndexStorageProvider, error) { provider := &IndexStorageProvider{} provider.client = redis.NewClient(&redis.Options{ Addr: fmt.Sprintf("%v:%v", address, port), @@ -38,6 +39,13 @@ func NewProvider(address, port, password string) (*IndexStorageProvider, error) Password: password, DB: 0, // default DB }) + + // #nosec G402 + if enableTLS { + provider.client.Options().TLSConfig = &tls.Config{ + InsecureSkipVerify: insecureSkipVerify, + } + } return provider, nil }
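Review bot: In `NewProvider` the TLS config is assigned through `provider.client.Options().TLSConfig` after `redis.NewClient` has already been constructed, unlike the other two call sites in this series, which put `TLSConfig` into the `redis.Options` before construction. Whether a post-construction write to `Options()` reaches the dialer depends on go-redis internals — recent versions read `opt.TLSConfig` lazily on each dial, so it may happen to work, but any connection opened eagerly (e.g. with `MinIdleConns`) or a later library change would dial in plaintext and send the password in the clear with `enable-tls` apparently on. Building the options first removes that dependency and keeps the `#nosec` next to the literal it excuses. The `Options` fields between the two hunks are elided below.
```go
func NewProvider(address, port, password string, enableTLS bool, insecureSkipVerify bool) (*IndexStorageProvider, error) {
	opts := &redis.Options{
		Addr: fmt.Sprintf("%v:%v", address, port),
		// … unchanged: Password, DB and the other Options fields …
	}
	if enableTLS {
		opts.TLSConfig = &tls.Config{
			InsecureSkipVerify: insecureSkipVerify, // #nosec G402 -- operator opt-in via redis_server.insecure-skip-verify
		}
	}
	return &IndexStorageProvider{client: redis.NewClient(opts)}, nil
}
```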