Storage: backport upstream TLS fixes for Redis connections (#1388)
* Storage: basic TLS support for Redis (#1336)

* Storage: support configuring a truststore when connecting to a Redis server over TLS (#1378)

* Storage: support configuring a truststore when connecting to a Redis server over TLS

* codeclimate

* typo
reinkrul authored Aug 29, 2022
1 parent 5afcf39 commit 22df847
Showing 9 changed files with 157 additions and 30 deletions.
7 changes: 4 additions & 3 deletions README.rst
Expand Up @@ -230,10 +230,11 @@ The following options can be configured on the server:
**Storage**
storage.bbolt.backup.directory Target directory for BBolt database backups.
storage.bbolt.backup.interval 0s Interval, formatted as Golang duration (e.g. 10m, 1h) at which BBolt database backups will be performed.
storage.redis.address Redis database server address.
storage.redis.address Redis database server address. This can be a simple `host:port` or a Redis connection URL with scheme, auth and other options.
storage.redis.database Redis database name, which is used as prefix every key. Can be used to have multiple instances use the same Redis instance.
storage.redis.password Redis database password.
storage.redis.username Redis database username.
storage.redis.password Redis database password. If set, it overrides the username in the connection URL.
storage.redis.tls.truststorefile PEM file containing the trusted CA certificate(s) for authenticating remote Redis servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address).
storage.redis.username Redis database username. If set, it overrides the username in the connection URL.
================================= =============================================================================================================================================================================================================================================================================================================== ==================================================================================================================================================================================================================================

This table is automatically generated using the configuration flags in the core and engines. When they're changed
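Review bot: the new description for storage.redis.password reads "If set, it overrides the username in the connection URL", which looks like a copy-paste of the storage.redis.username line; it should say it overrides the password in the connection URL. Since the line below this hunk states that the table is generated from the configuration flags, the fix belongs in the flag's usage string in the code rather than in README.rst by hand, otherwise the next regeneration reintroduces it. While touching it, "used as prefix every key" on the storage.redis.database line is missing a word ("used as prefix for every key").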
21 changes: 12 additions & 9 deletions docs/pages/deployment/cli-reference.rst
Expand Up @@ -65,10 +65,11 @@ Prints the current config
--network.v2.gossipinterval int Interval (in milliseconds) that specifies how often the node should gossip its new hashes to other nodes. (default 5000)
--storage.bbolt.backup.directory string Target directory for BBolt database backups.
--storage.bbolt.backup.interval duration Interval, formatted as Golang duration (e.g. 10m, 1h) at which BBolt database backups will be performed.
--storage.redis.address string Redis database server address.
--storage.redis.address host:port Redis database server address. This can be a simple host:port or a Redis connection URL with scheme, auth and other options.
--storage.redis.database string Redis database name, which is used as prefix every key. Can be used to have multiple instances use the same Redis instance.
--storage.redis.password string Redis database password.
--storage.redis.username string Redis database username.
--storage.redis.password string Redis database password. If set, it overrides the username in the connection URL.
--storage.redis.tls.truststorefile string PEM file containing the trusted CA certificate(s) for authenticating remote Redis servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address).
--storage.redis.username string Redis database username. If set, it overrides the username in the connection URL.
--strictmode When set, insecure settings are forbidden.
--tls.certheader string Name of the HTTP header that will contain the client certificate when TLS is offloaded.
--tls.offload tls.certheader Whether to enable TLS offloading for incoming connections. If enabled tls.certheader must be configured as well.
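Review bot: the type column for --storage.redis.address changed from string to host:port, which is inconsistent with every other flag in this list and is now also inaccurate, because the description itself says a full Redis connection URL is accepted; keep string as the type. The --storage.redis.password description also says it "overrides the username in the connection URL", duplicating the username flag's text; it should read "overrides the password in the connection URL".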
Expand Down Expand Up @@ -124,10 +125,11 @@ Imports private keys from filesystem based storage into Vault. The given directo
--network.v2.gossipinterval int Interval (in milliseconds) that specifies how often the node should gossip its new hashes to other nodes. (default 5000)
--storage.bbolt.backup.directory string Target directory for BBolt database backups.
--storage.bbolt.backup.interval duration Interval, formatted as Golang duration (e.g. 10m, 1h) at which BBolt database backups will be performed.
--storage.redis.address string Redis database server address.
--storage.redis.address host:port Redis database server address. This can be a simple host:port or a Redis connection URL with scheme, auth and other options.
--storage.redis.database string Redis database name, which is used as prefix every key. Can be used to have multiple instances use the same Redis instance.
--storage.redis.password string Redis database password.
--storage.redis.username string Redis database username.
--storage.redis.password string Redis database password. If set, it overrides the username in the connection URL.
--storage.redis.tls.truststorefile string PEM file containing the trusted CA certificate(s) for authenticating remote Redis servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address).
--storage.redis.username string Redis database username. If set, it overrides the username in the connection URL.
--strictmode When set, insecure settings are forbidden.
--tls.certheader string Name of the HTTP header that will contain the client certificate when TLS is offloaded.
--tls.offload tls.certheader Whether to enable TLS offloading for incoming connections. If enabled tls.certheader must be configured as well.
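Review bot: same two issues as the first hunk in this file: the host:port type on --storage.redis.address and the password flag described as overriding the username. This block is repeated verbatim for each command in cli-reference.rst, so the wording should be fixed at its source (the flag definitions) rather than in each copy, or the copies will drift.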
Expand Down Expand Up @@ -282,10 +284,11 @@ Starts the Nuts server
--network.v2.gossipinterval int Interval (in milliseconds) that specifies how often the node should gossip its new hashes to other nodes. (default 5000)
--storage.bbolt.backup.directory string Target directory for BBolt database backups.
--storage.bbolt.backup.interval duration Interval, formatted as Golang duration (e.g. 10m, 1h) at which BBolt database backups will be performed.
--storage.redis.address string Redis database server address.
--storage.redis.address host:port Redis database server address. This can be a simple host:port or a Redis connection URL with scheme, auth and other options.
--storage.redis.database string Redis database name, which is used as prefix every key. Can be used to have multiple instances use the same Redis instance.
--storage.redis.password string Redis database password.
--storage.redis.username string Redis database username.
--storage.redis.password string Redis database password. If set, it overrides the username in the connection URL.
--storage.redis.tls.truststorefile string PEM file containing the trusted CA certificate(s) for authenticating remote Redis servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address).
--storage.redis.username string Redis database username. If set, it overrides the username in the connection URL.
--strictmode When set, insecure settings are forbidden.
--tls.certheader string Name of the HTTP header that will contain the client certificate when TLS is offloaded.
--tls.offload tls.certheader Whether to enable TLS offloading for incoming connections. If enabled tls.certheader must be configured as well.
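Review bot: identical to the two hunks above (host:port type on --storage.redis.address, --storage.redis.password described as overriding the username); nothing else changes in this block, so it needs no separate fix once the source strings are corrected.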
4 changes: 4 additions & 0 deletions docs/pages/deployment/database-configuration.rst
Expand Up @@ -37,6 +37,10 @@ You can configure username/password authentication using ``storage.redis.usernam
If you need to prefix the keys (e.g. you have multiple Nuts nodes using the same Redis server) you can set ``storage.redis.database``
with an alphanumeric string. All keys written to Redis will then have that prefix followed by a separator.

You can connect to your Redis server over TLS by specifying a Redis connection URL in ``storage.redis.address``,
e.g.: ``rediss://database.mycluster.com:1234567``.
The server's certificate will be verified against the OS' CA bundle.

Make sure to `configure persistence for your Redis server <https://redis.io/docs/manual/persistence/>`_.

Private Keys
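Review bot: the example URL ``rediss://database.mycluster.com:1234567`` uses port 1234567, which is outside the valid TCP port range (1 to 65535); use a realistic port such as 6380. This paragraph also states the server certificate is verified against the OS CA bundle only, but the same commit adds ``storage.redis.tls.truststorefile`` for exactly the case where Redis is issued a certificate by a private CA; document that option here, together with the constraint from the CLI reference that it only applies with the ``rediss://`` scheme, so operators with an internal CA do not conclude they have to run without verification. It would also help to say explicitly that a plain ``redis://`` URL or bare ``host:port`` connects without TLS, so the username and password from the previous paragraph are sent in cleartext in that mode.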
7 changes: 4 additions & 3 deletions docs/pages/deployment/server_options.rst
Expand Up @@ -55,8 +55,9 @@
**Storage**
storage.bbolt.backup.directory Target directory for BBolt database backups.
storage.bbolt.backup.interval 0s Interval, formatted as Golang duration (e.g. 10m, 1h) at which BBolt database backups will be performed.
storage.redis.address Redis database server address.
storage.redis.address Redis database server address. This can be a simple `host:port` or a Redis connection URL with scheme, auth and other options.
storage.redis.database Redis database name, which is used as prefix every key. Can be used to have multiple instances use the same Redis instance.
storage.redis.password Redis database password.
storage.redis.username Redis database username.
storage.redis.password Redis database password. If set, it overrides the username in the connection URL.
storage.redis.tls.truststorefile PEM file containing the trusted CA certificate(s) for authenticating remote Redis servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address).
storage.redis.username Redis database username. If set, it overrides the username in the connection URL.
================================= =============================================================================================================================================================================================================================================================================================================== ==================================================================================================================================================================================================================================
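Review bot: same copy-paste in the storage.redis.password description ("overrides the username in the connection URL" should be "overrides the password in the connection URL"). This table carries the same rows as the README hunk above, so once the flag's usage string is fixed both files need to be regenerated together to stay in sync.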
