POC: redis TLS

e3c6037c · Matthias Kaeppler · 697a02fb · e3c6037c · e3c6037c · e3c6037c
Commit e3c6037c authored 3 years ago by Matthias Kaeppler
--- a/config/initializers/action_cable.rb
+++ b/config/initializers/action_cable.rb
@@ -17,7 +17,14 @@
  args = config.except(:adapter, :channel_prefix)
    .merge(instrumentation_class: ::Gitlab::Instrumentation::Redis::ActionCable)

-  ::Redis.new(args)
+  ::Redis.new(args.merge(
+    ssl: true,
+    :ssl_params => {
+      :ca_file => "/gck/ca.crt",
+      :cert    => OpenSSL::X509::Certificate.new(File.read("/gck/redis.crt")),
+      :key     => OpenSSL::PKey::RSA.new(File.read("/gck/redis.key"))
+    }
+  ))
 end

 Gitlab::ActionCable::RequestStoreCallbacks.install

--- a/config/initializers/active_record_transaction_observer.rb
+++ b/config/initializers/active_record_transaction_observer.rb
@@ -2,6 +2,15 @@

 return unless Gitlab.com? || Gitlab.dev_or_test_env?

+$stdout.sync = true
+
+TracePoint.new(:call) do |tp|
+  next unless tp.method_id == :connect && tp.defined_class.to_s.include?('Connection::SSLSocket')
+  pp tp.defined_class
+  pp tp.binding.eval('host')
+  pp tp.binding.eval('ssl_params')
+end.enable
+
 Gitlab::Application.configure do
  if Feature.feature_flags_available? && ::Feature.enabled?(:active_record_transactions_tracking, type: :ops, default_enabled: :yaml)
    Gitlab::Database::Transaction::Observer.register!

--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -25,7 +25,7 @@
  :redis_store, # Using the cookie_store would enable session replay attacks.
  redis_store: store,
  key: cookie_key,
-  secure: Gitlab.config.gitlab.https,
+  secure: true,#Gitlab.config.gitlab.https,
  httponly: true,
  expires_in: Settings.gitlab['session_expire_delay'] * 60,
  path: Rails.application.config.relative_url_root.presence || '/'

--- a/lib/gitlab/redis/wrapper.rb
+++ b/lib/gitlab/redis/wrapper.rb
@@ -108,6 +108,7 @@ def instrumentation_class
        private

        def redis
+          pp "New Redis for #{self}"
          ::Redis.new(params)
        end
      end
@@ -117,7 +118,14 @@ def initialize(rails_env = nil)
      end

      def params
-        redis_store_options
+        redis_store_options.merge(
+          ssl: true,
+          :ssl_params => {
+            :ca_file => "/gck/ca.crt",
+            :cert    => OpenSSL::X509::Certificate.new(File.read("/gck/redis.crt")),
+            :key     => OpenSSL::PKey::RSA.new(File.read("/gck/redis.key"))
+          }
+        )
      end

      def url