add redis tls support for core&jobservice (#21654)

Signed-off-by: yminer <miner.yang@broadcom.com>
2025-02-26 16:51:47 +01:00 · 2025-02-25 15:09:36 +08:00 · 2025-02-25 15:09:36 +08:00 · 9e84d03720
commit 9e84d03720
parent 4cd06777c0
6 changed files with 32 additions and 7 deletions
--- a/src/go.mod
+++ b/src/go.mod
@ -200,6 +200,6 @@ replace (
 	github.com/docker/distribution => github.com/distribution/distribution v2.8.2+incompatible
 	github.com/gocraft/work => github.com/goharbor/work v0.5.1-patch
 	github.com/goharbor/harbor => ../
-	github.com/gomodule/redigo => github.com/gomodule/redigo v1.8.8
+	github.com/gomodule/redigo => github.com/gomodule/redigo v1.9.2
 	google.golang.org/api => google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff
 )
--- a/src/go.sum
+++ b/src/go.sum
@ -230,8 +230,8 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/gomodule/redigo v1.8.8 h1:f6cXq6RRfiyrOJEV7p3JhLDlmawGBVBBP1MggY8Mo4E=
-github.com/gomodule/redigo v1.8.8/go.mod h1:7ArFNvsTjH8GMMzB4uy1snslv2BwmginuMs06a1uzZE=
+github.com/gomodule/redigo v1.9.2 h1:HrutZBLhSIU8abiSfW8pj8mPhOyMYjZT/wcA4/L9L9s=
+github.com/gomodule/redigo v1.9.2/go.mod h1:KsU3hiK/Ay8U42qpaJk+kuNa3C+spxapWpM+ywhcgtw=
 github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
--- a/src/lib/cache/cache.go
+++ b/src/lib/cache/cache.go
@ -32,8 +32,12 @@ const (
 	Memory = "memory"
 	// Redis the cache name of redis
 	Redis = "redis"
+	// Redis the cache name of redis TLS
+	RedisTLS = "rediss"
 	// RedisSentinel the cache name of redis sentinel
 	RedisSentinel = "redis+sentinel"
+	// RedisSentinel with TLS connection
+	RedisSentinelTLS = "rediss+sentinel"
 )

 var (
--- a/src/lib/cache/redis/redis.go
+++ b/src/lib/cache/redis/redis.go
@ -179,14 +179,20 @@ func New(opts cache.Options) (cache.Cache, error) {
 	*/

 	switch u.Scheme {
-	case cache.Redis:
+	case cache.Redis, cache.RedisTLS:
+		/*
+			Harbor will only support standard TLS for server-certificate-athentication on Redis connection.
+			mTLS is not the goal
+		*/
+		// tls.Options{Servername:h} will need to be set by ParseURL
 		rdbOpts, err := redis.ParseURL(u.String())
 		if err != nil {
 			return nil, err
 		}

 		client = redis.NewClient(rdbOpts)
-	case cache.RedisSentinel:
+	case cache.RedisSentinel, cache.RedisSentinelTLS:
+		// TLS config will be set by ParseSentinelURL
 		failoverOpts, err := ParseSentinelURL(u.String())
 		if err != nil {
 			return nil, err
@ -203,4 +209,6 @@ func New(opts cache.Options) (cache.Cache, error) {
 func init() {
 	cache.Register(cache.Redis, New)
 	cache.Register(cache.RedisSentinel, New)
+	cache.Register(cache.RedisTLS, New)
+	cache.Register(cache.RedisSentinelTLS, New)
 }
--- a/src/lib/cache/redis/util.go
+++ b/src/lib/cache/redis/util.go
@ -15,6 +15,7 @@
 package redis

 import (
+	"crypto/tls"
 	"fmt"
 	"net/url"
 	"sort"
@ -35,6 +36,7 @@ var (
 // ParseSentinelURL parses sentinel url to redis FailoverOptions.
 // It's a modified version of go-redis ParseURL(https://github.com/go-redis/redis/blob/997118894af9d4244d4a471f2b317eead9c9ca62/options.go#L222) because official version does
 // not support parse sentinel mode.
+// redis+sentinel://user:pass@redis_sentinel1:port1,redis_sentinel2:port2/monitor_name/db?idle_timeout_seconds=100
 func ParseSentinelURL(redisURL string) (*redis.FailoverOptions, error) {
 	u, err := url.Parse(redisURL)
 	if err != nil {
@ -64,6 +66,13 @@ func ParseSentinelURL(redisURL string) (*redis.FailoverOptions, error) {
 		return nil, errors.Errorf("redis: invalid redis URL path: %s", u.Path)
 	}

+	// set tls config for redis+sentinel client use tls connections
+	if u.Scheme == "rediss+sentinel" {
+		o.TLSConfig = &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		}
+	}
+
 	return setupConnParams(u, o)
 }

--- a/src/lib/redis/pool.go
+++ b/src/lib/redis/pool.go
@ -79,7 +79,7 @@ func GetRedisPool(name string, rawurl string, param *PoolParam) (*redis.Pool, er
 	}

 	log.Debug("get redis pool:", name, rawurl)
-	if u.Scheme == "redis" {
+	if u.Scheme == "redis" || u.Scheme == "rediss" {
 		pool := &redis.Pool{
 			Dial: func() (redis.Conn, error) {
 				return redis.DialURL(rawurl)
@ -95,7 +95,7 @@ func GetRedisPool(name string, rawurl string, param *PoolParam) (*redis.Pool, er
 		}
 		knownPool.Store(name, pool)
 		return pool, nil
-	} else if u.Scheme == "redis+sentinel" {
+	} else if u.Scheme == "redis+sentinel" || u.Scheme == "rediss+sentinel" {
 		pool, err := getSentinelPool(u, param, name)
 		if err != nil {
 			return nil, err
@ -128,6 +128,10 @@ func getSentinelPool(u *url.URL, param *PoolParam, name string) (*redis.Pool, er
 		sentinelOptions = append(sentinelOptions, redis.DialWriteTimeout(param.DialWriteTimeout))
 	}

+	if u.Scheme == "rediss+sentinel" {
+		sentinelOptions = append(sentinelOptions, redis.DialUseTLS(true))
+	}
+
 	redisOptions := sentinelOptions

 	if u.User != nil {