Add configuration option for Redis TLS

Signed-off-by: Josh Dolitsky <josh@dolit.ski>
Josh Dolitsky 2021-03-01 18:55:56 -05:00
parent 90e62ac24c
commit 32ccbf193d
GPG key ID: B2B93673243A65FB
3 changed files with 27 additions and 2 deletions
@ -174,6 +174,11 @@ type Configuration struct {
// DB specifies the database to connect to on the redis instance.
DB int `yaml:"db,omitempty"`
// TLS configures settings for redis in-transit encryption
TLS struct {
Enabled bool `yaml:"enabled,omitempty"`
} `yaml:"tls,omitempty"`
DialTimeout time.Duration `yaml:"dialtimeout,omitempty"` // timeout for connect
ReadTimeout time.Duration `yaml:"readtimeout,omitempty"` // timeout for reads of data
WriteTimeout time.Duration `yaml:"writetimeout,omitempty"` // timeout for writes of data
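Review bot: the new `TLS` block exposes only `Enabled`, and nothing in the struct says how the Redis server certificate is validated when it is `true` (which CA bundle, which server name), so an operator cannot tell from the configuration whether a server with a private CA is supported; either document that validation relies on the client library's defaults or add a field for a CA certificate path alongside `Enabled`. Minor style point: the neighbouring field comments end with a period, `// TLS configures settings for redis in-transit encryption` does not.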
@ -268,6 +268,8 @@ redis:
maxidle: 16
maxactive: 64
idletimeout: 300s
tls:
enabled: false
health:
storagedriver:
enabled: true
@ -1018,13 +1020,16 @@ redis:
maxidle: 16
maxactive: 64
idletimeout: 300s
tls:
enabled: false
```
Declare parameters for constructing the `redis` connections. Registry instances
may use the Redis instance for several applications. Currently, it caches
information about immutable blobs. Most of the `redis` options control
how the registry connects to the `redis` instance. You can control the pool's
behavior with the [pool](#pool) subsection.
behavior with the [pool](#pool) subsection. Additionally, you can control
TLS connection settings with the [tls](#tls) subsection (in-transit encryption).
You should configure Redis with the **allkeys-lru** eviction policy, because the
registry does not set an expiration value on keys.
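Review bot: the added sentence reads awkwardly with the parenthetical trailing the link; suggest `Additionally, the [tls](#tls) subsection controls in-transit encryption of the connection to Redis.` Since the paragraph already notes that the registry caches blob information in Redis, one sentence on why this matters (without TLS that cache traffic crosses the network in clear text) would help operators decide whether to enable it.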
@ -1055,6 +1060,20 @@ Use these settings to configure the behavior of the Redis connection pool.
| `maxactive`| no | The maximum number of connections which can be open before blocking a connection request. |
| `idletimeout`| no | How long to wait before closing inactive connections. |
### `tls`
```none
tls:
enabled: false
```
Use these settings to configure Redis TLS.
| Parameter | Required | Description |
|-----------|----------|-------------------------------------- |
| `enabled` | no | Whether or not to use TLS in-transit. |
## `health`
```none
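Review bot: the `enabled` row should state the default (`false`, matching the example block) and what `true` requires: a TLS listener at `addr` and a server certificate the registry can verify, since this section adds no certificate or CA parameters and the reader has no other place to learn that. For readability, add a blank line between the `idletimeout` table row and the `### `tls`` heading, and between the closing fence and `Use these settings to configure Redis TLS.`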
@ -518,7 +518,8 @@ func (app *App) configureRedis(configuration *configuration.Configuration) {
configuration.Redis.Addr,
redis.DialConnectTimeout(configuration.Redis.DialTimeout),
redis.DialReadTimeout(configuration.Redis.ReadTimeout),
redis.DialWriteTimeout(configuration.Redis.WriteTimeout))
redis.DialWriteTimeout(configuration.Redis.WriteTimeout),
redis.DialUseTLS(configuration.Redis.TLS.Enabled))
if err != nil {
dcontext.GetLogger(app).Errorf("error connecting to redis instance %s: %v",
configuration.Redis.Addr, err)
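Review bot: `redis.DialUseTLS(configuration.Redis.TLS.Enabled)` is passed with no accompanying `redis.DialTLSConfig`, so there is no way to supply a custom CA or server name when the operator's Redis presents a certificate from a private CA; if that limitation is deliberate, the documentation hunk should say so. Also consider including `configuration.Redis.TLS.Enabled` in the existing `error connecting to redis instance %s: %v` log line, since a handshake or certificate failure is otherwise hard to distinguish from a plain-text connection attempt against a TLS-only port.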