diff --git a/configuration/configuration.go b/configuration/configuration.go index dd315485..796fc359 100644 --- a/configuration/configuration.go +++ b/configuration/configuration.go @@ -174,6 +174,11 @@ type Configuration struct { // DB specifies the database to connect to on the redis instance. DB int `yaml:"db,omitempty"` + // TLS configures settings for redis in-transit encryption + TLS struct { + Enabled bool `yaml:"enabled,omitempty"` + } `yaml:"tls,omitempty"` + DialTimeout time.Duration `yaml:"dialtimeout,omitempty"` // timeout for connect ReadTimeout time.Duration `yaml:"readtimeout,omitempty"` // timeout for reads of data WriteTimeout time.Duration `yaml:"writetimeout,omitempty"` // timeout for writes of data diff --git a/docs/configuration.md b/docs/configuration.md index 6027ad96..1bec821e 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -268,6 +268,8 @@ redis: maxidle: 16 maxactive: 64 idletimeout: 300s + tls: + enabled: false health: storagedriver: enabled: true @@ -1018,13 +1020,16 @@ redis: maxidle: 16 maxactive: 64 idletimeout: 300s + tls: + enabled: false ``` Declare parameters for constructing the `redis` connections. Registry instances may use the Redis instance for several applications. Currently, it caches information about immutable blobs. Most of the `redis` options control how the registry connects to the `redis` instance. You can control the pool's -behavior with the [pool](#pool) subsection. +behavior with the [pool](#pool) subsection. Additionally, you can control +TLS connection settings with the [tls](#tls) subsection (in-transit encryption). You should configure Redis with the **allkeys-lru** eviction policy, because the registry does not set an expiration value on keys. 
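Review bot: The new `TLS` block between `DB` and `DialTimeout` exposes only `Enabled`, so an operator has no way to pin a private CA, present a client certificate, or override the expected server name; the app.go hunk wires the flag straight into the dial options with no TLS config alongside it, so (assuming the redis client's usual defaults, which are not visible here) the server certificate is checked against the system root pool with the host part of `Addr` as the server name, and a Redis reached by IP address or signed by an internal CA cannot be made to connect short of turning TLS off. That limitation should be stated on the field so nobody reads `enabled: true` as a complete TLS setup, and the comment should leave room for `ca`/`cert`/`key` fields later. Suggested field comment: `// TLS configures in-transit encryption for the redis connection. Only Enabled is` / `// supported: the server certificate is verified with the system roots using the host` / `// part of Addr as server name; there is no CA, client-cert or skip-verify option.`, with `// Enabled turns on TLS for the connection to redis.` on the nested field. The enclosing `Configuration` struct starts and ends outside the hunk.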
@@ -1055,6 +1060,20 @@ Use these settings to configure the behavior of the Redis connection pool. | `maxactive`| no | The maximum number of connections which can be open before blocking a connection request. | | `idletimeout`| no | How long to wait before closing inactive connections. | +### `tls` + +```none +tls: + enabled: false +``` + +Use these settings to configure Redis TLS. + +| Parameter | Required | Description | +|-----------|----------|-------------------------------------- | +| `enabled` | no | Whether or not to use TLS in-transit. | + + ## `health` ```none diff --git a/registry/handlers/app.go b/registry/handlers/app.go index 6ace01ac..212c79a7 100644 --- a/registry/handlers/app.go +++ b/registry/handlers/app.go @@ -518,7 +518,8 @@ func (app *App) configureRedis(configuration *configuration.Configuration) { configuration.Redis.Addr, redis.DialConnectTimeout(configuration.Redis.DialTimeout), redis.DialReadTimeout(configuration.Redis.ReadTimeout), - redis.DialWriteTimeout(configuration.Redis.WriteTimeout)) + redis.DialWriteTimeout(configuration.Redis.WriteTimeout), + redis.DialUseTLS(configuration.Redis.TLS.Enabled)) if err != nil { dcontext.GetLogger(app).Errorf("error connecting to redis instance %s: %v", configuration.Redis.Addr, err)
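Review bot: A TLS handshake failure on the new `redis.DialUseTLS(...)` line surfaces only through the generic "error connecting to redis instance" message that follows, which does not say whether TLS was in play, so a certificate or server-name mismatch is indistinguishable from a plain connection refusal in the logs; include the flag in the message: `dcontext.GetLogger(app).Errorf("error connecting to redis instance %s (tls=%t): %v",` / `configuration.Redis.Addr, configuration.Redis.TLS.Enabled, err)`. The option is passed without any `DialTLSConfig` or skip-verify companion, so certificate verification is whatever the client's defaults are (presumably system roots and SNI from the host part of `Addr`, not visible here); a one-line comment above the option saying so would save the next reader a trip into the client library. The body of `configureRedis` continues before and after the hunk.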