[bitnami/redis] Add new environment variable REDIS_TLS_CA_DIR to support tls-ca-cert-dir config in redis.conf (#56375)
This commit is contained in:
Uchenna Nebedum
GitHub
parent
2272d4b10b
commit
dcc0347c00
|
|
@ -228,7 +228,11 @@ redis_validate() {
|
|||
print_validation_error "The private key file in the specified path ${REDIS_TLS_KEY_FILE} does not exist"
|
||||
fi
|
||||
if [[ -z "$REDIS_TLS_CA_FILE" ]]; then
|
||||
print_validation_error "You must provide a CA X.509 certificate in order to use TLS"
|
||||
if [[ -z "$REDIS_TLS_CA_DIR" ]]; then
|
||||
print_validation_error "You must provide either a CA X.509 certificate or a CA certificates directory in order to use TLS"
|
||||
elif [[ ! -d "$REDIS_TLS_CA_DIR" ]]; then
|
||||
print_validation_error "The CA certificates directory specified by path ${REDIS_TLS_CA_DIR} does not exist"
|
||||
fi
|
||||
elif [[ ! -f "$REDIS_TLS_CA_FILE" ]]; then
|
||||
print_validation_error "The CA X.509 certificate file in the specified path ${REDIS_TLS_CA_FILE} does not exist"
|
||||
fi
|
||||
|
|
@ -265,7 +269,8 @@ redis_configure_replication() {
|
|||
elif [[ "$REDIS_REPLICATION_MODE" =~ ^(slave|replica)$ ]]; then
|
||||
if [[ -n "$REDIS_SENTINEL_HOST" ]]; then
|
||||
local -a sentinel_info_command=("redis-cli" "-h" "${REDIS_SENTINEL_HOST}" "-p" "${REDIS_SENTINEL_PORT_NUMBER}")
|
||||
is_boolean_yes "$REDIS_TLS_ENABLED" && sentinel_info_command+=("--tls" "--cert" "${REDIS_TLS_CERT_FILE}" "--key" "${REDIS_TLS_KEY_FILE}" "--cacert" "${REDIS_TLS_CA_FILE}")
|
||||
is_boolean_yes "$REDIS_TLS_ENABLED" && sentinel_info_command+=("--tls" "--cert" "${REDIS_TLS_CERT_FILE}" "--key" "${REDIS_TLS_KEY_FILE}")
|
||||
is_empty_value "$REDIS_TLS_CA_FILE" && sentinel_info_command+=("--cacertdir" "${REDIS_TLS_CA_DIR}") || sentinel_info_command+=("--cacert" "${REDIS_TLS_CA_FILE}")
|
||||
sentinel_info_command+=("sentinel" "get-master-addr-by-name" "${REDIS_SENTINEL_MASTER_NAME}")
|
||||
read -r -a REDIS_SENTINEL_INFO <<< "$("${sentinel_info_command[@]}" | tr '\n' ' ')"
|
||||
REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]}
|
||||
|
|
@ -431,7 +436,7 @@ redis_configure_default() {
|
|||
fi
|
||||
redis_conf_set tls-cert-file "$REDIS_TLS_CERT_FILE"
|
||||
redis_conf_set tls-key-file "$REDIS_TLS_KEY_FILE"
|
||||
redis_conf_set tls-ca-cert-file "$REDIS_TLS_CA_FILE"
|
||||
is_empty_value "$REDIS_TLS_CA_FILE" && redis_conf_set tls-ca-cert-dir "$REDIS_TLS_CA_DIR" || redis_conf_set tls-ca-cert-file "$REDIS_TLS_CA_FILE"
|
||||
! is_empty_value "$REDIS_TLS_KEY_FILE_PASS" && redis_conf_set tls-key-file-pass "$REDIS_TLS_KEY_FILE_PASS"
|
||||
[[ -n "$REDIS_TLS_DH_PARAMS_FILE" ]] && redis_conf_set tls-dh-params-file "$REDIS_TLS_DH_PARAMS_FILE"
|
||||
redis_conf_set tls-auth-clients "$REDIS_TLS_AUTH_CLIENTS"
|
||||
|
|
|
|||
|
|
@ -51,6 +51,7 @@ redis_env_vars=(
|
|||
REDIS_TLS_KEY_FILE
|
||||
REDIS_TLS_KEY_FILE_PASS
|
||||
REDIS_TLS_CA_FILE
|
||||
REDIS_TLS_CA_DIR
|
||||
REDIS_TLS_DH_PARAMS_FILE
|
||||
REDIS_TLS_AUTH_CLIENTS
|
||||
REDIS_SENTINEL_MASTER_NAME
|
||||
|
|
@ -120,6 +121,7 @@ export REDIS_TLS_CERT_FILE="${REDIS_TLS_CERT_FILE:-}"
|
|||
export REDIS_TLS_KEY_FILE="${REDIS_TLS_KEY_FILE:-}"
|
||||
export REDIS_TLS_KEY_FILE_PASS="${REDIS_TLS_KEY_FILE_PASS:-}"
|
||||
export REDIS_TLS_CA_FILE="${REDIS_TLS_CA_FILE:-}"
|
||||
export REDIS_TLS_CA_DIR="${REDIS_TLS_CA_DIR:-}"
|
||||
export REDIS_TLS_DH_PARAMS_FILE="${REDIS_TLS_DH_PARAMS_FILE:-}"
|
||||
export REDIS_TLS_AUTH_CLIENTS="${REDIS_TLS_AUTH_CLIENTS:-yes}"
|
||||
|
||||
|
|
|
|||
|
|
@ -228,7 +228,11 @@ redis_validate() {
|
|||
print_validation_error "The private key file in the specified path ${REDIS_TLS_KEY_FILE} does not exist"
|
||||
fi
|
||||
if [[ -z "$REDIS_TLS_CA_FILE" ]]; then
|
||||
print_validation_error "You must provide a CA X.509 certificate in order to use TLS"
|
||||
if [[ -z "$REDIS_TLS_CA_DIR" ]]; then
|
||||
print_validation_error "You must provide either a CA X.509 certificate or a CA certificates directory in order to use TLS"
|
||||
elif [[ ! -d "$REDIS_TLS_CA_DIR" ]]; then
|
||||
print_validation_error "The CA certificates directory specified by path ${REDIS_TLS_CA_DIR} does not exist"
|
||||
fi
|
||||
elif [[ ! -f "$REDIS_TLS_CA_FILE" ]]; then
|
||||
print_validation_error "The CA X.509 certificate file in the specified path ${REDIS_TLS_CA_FILE} does not exist"
|
||||
fi
|
||||
|
|
@ -265,7 +269,8 @@ redis_configure_replication() {
|
|||
elif [[ "$REDIS_REPLICATION_MODE" =~ ^(slave|replica)$ ]]; then
|
||||
if [[ -n "$REDIS_SENTINEL_HOST" ]]; then
|
||||
local -a sentinel_info_command=("redis-cli" "-h" "${REDIS_SENTINEL_HOST}" "-p" "${REDIS_SENTINEL_PORT_NUMBER}")
|
||||
is_boolean_yes "$REDIS_TLS_ENABLED" && sentinel_info_command+=("--tls" "--cert" "${REDIS_TLS_CERT_FILE}" "--key" "${REDIS_TLS_KEY_FILE}" "--cacert" "${REDIS_TLS_CA_FILE}")
|
||||
is_boolean_yes "$REDIS_TLS_ENABLED" && sentinel_info_command+=("--tls" "--cert" "${REDIS_TLS_CERT_FILE}" "--key" "${REDIS_TLS_KEY_FILE}")
|
||||
is_empty_value "$REDIS_TLS_CA_FILE" && sentinel_info_command+=("--cacertdir" "${REDIS_TLS_CA_DIR}") || sentinel_info_command+=("--cacert" "${REDIS_TLS_CA_FILE}")
|
||||
sentinel_info_command+=("sentinel" "get-master-addr-by-name" "${REDIS_SENTINEL_MASTER_NAME}")
|
||||
read -r -a REDIS_SENTINEL_INFO <<< "$("${sentinel_info_command[@]}" | tr '\n' ' ')"
|
||||
REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]}
|
||||
|
|
@ -431,7 +436,7 @@ redis_configure_default() {
|
|||
fi
|
||||
redis_conf_set tls-cert-file "$REDIS_TLS_CERT_FILE"
|
||||
redis_conf_set tls-key-file "$REDIS_TLS_KEY_FILE"
|
||||
redis_conf_set tls-ca-cert-file "$REDIS_TLS_CA_FILE"
|
||||
is_empty_value "$REDIS_TLS_CA_FILE" && redis_conf_set tls-ca-cert-dir "$REDIS_TLS_CA_DIR" || redis_conf_set tls-ca-cert-file "$REDIS_TLS_CA_FILE"
|
||||
! is_empty_value "$REDIS_TLS_KEY_FILE_PASS" && redis_conf_set tls-key-file-pass "$REDIS_TLS_KEY_FILE_PASS"
|
||||
[[ -n "$REDIS_TLS_DH_PARAMS_FILE" ]] && redis_conf_set tls-dh-params-file "$REDIS_TLS_DH_PARAMS_FILE"
|
||||
redis_conf_set tls-auth-clients "$REDIS_TLS_AUTH_CLIENTS"
|
||||
|
|
|
|||
|
|
@ -51,6 +51,7 @@ redis_env_vars=(
|
|||
REDIS_TLS_KEY_FILE
|
||||
REDIS_TLS_KEY_FILE_PASS
|
||||
REDIS_TLS_CA_FILE
|
||||
REDIS_TLS_CA_DIR
|
||||
REDIS_TLS_DH_PARAMS_FILE
|
||||
REDIS_TLS_AUTH_CLIENTS
|
||||
REDIS_SENTINEL_MASTER_NAME
|
||||
|
|
@ -120,6 +121,7 @@ export REDIS_TLS_CERT_FILE="${REDIS_TLS_CERT_FILE:-}"
|
|||
export REDIS_TLS_KEY_FILE="${REDIS_TLS_KEY_FILE:-}"
|
||||
export REDIS_TLS_KEY_FILE_PASS="${REDIS_TLS_KEY_FILE_PASS:-}"
|
||||
export REDIS_TLS_CA_FILE="${REDIS_TLS_CA_FILE:-}"
|
||||
export REDIS_TLS_CA_DIR="${REDIS_TLS_CA_DIR:-}"
|
||||
export REDIS_TLS_DH_PARAMS_FILE="${REDIS_TLS_DH_PARAMS_FILE:-}"
|
||||
export REDIS_TLS_AUTH_CLIENTS="${REDIS_TLS_AUTH_CLIENTS:-yes}"
|
||||
|
||||
|
|
|
|||
|
|
@ -228,7 +228,11 @@ redis_validate() {
|
|||
print_validation_error "The private key file in the specified path ${REDIS_TLS_KEY_FILE} does not exist"
|
||||
fi
|
||||
if [[ -z "$REDIS_TLS_CA_FILE" ]]; then
|
||||
print_validation_error "You must provide a CA X.509 certificate in order to use TLS"
|
||||
if [[ -z "$REDIS_TLS_CA_DIR" ]]; then
|
||||
print_validation_error "You must provide either a CA X.509 certificate or a CA certificates directory in order to use TLS"
|
||||
elif [[ ! -d "$REDIS_TLS_CA_DIR" ]]; then
|
||||
print_validation_error "The CA certificates directory specified by path ${REDIS_TLS_CA_DIR} does not exist"
|
||||
fi
|
||||
elif [[ ! -f "$REDIS_TLS_CA_FILE" ]]; then
|
||||
print_validation_error "The CA X.509 certificate file in the specified path ${REDIS_TLS_CA_FILE} does not exist"
|
||||
fi
|
||||
|
|
@ -265,7 +269,8 @@ redis_configure_replication() {
|
|||
elif [[ "$REDIS_REPLICATION_MODE" =~ ^(slave|replica)$ ]]; then
|
||||
if [[ -n "$REDIS_SENTINEL_HOST" ]]; then
|
||||
local -a sentinel_info_command=("redis-cli" "-h" "${REDIS_SENTINEL_HOST}" "-p" "${REDIS_SENTINEL_PORT_NUMBER}")
|
||||
is_boolean_yes "$REDIS_TLS_ENABLED" && sentinel_info_command+=("--tls" "--cert" "${REDIS_TLS_CERT_FILE}" "--key" "${REDIS_TLS_KEY_FILE}" "--cacert" "${REDIS_TLS_CA_FILE}")
|
||||
is_boolean_yes "$REDIS_TLS_ENABLED" && sentinel_info_command+=("--tls" "--cert" "${REDIS_TLS_CERT_FILE}" "--key" "${REDIS_TLS_KEY_FILE}")
|
||||
is_empty_value "$REDIS_TLS_CA_FILE" && sentinel_info_command+=("--cacertdir" "${REDIS_TLS_CA_DIR}") || sentinel_info_command+=("--cacert" "${REDIS_TLS_CA_FILE}")
|
||||
sentinel_info_command+=("sentinel" "get-master-addr-by-name" "${REDIS_SENTINEL_MASTER_NAME}")
|
||||
read -r -a REDIS_SENTINEL_INFO <<< "$("${sentinel_info_command[@]}" | tr '\n' ' ')"
|
||||
REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]}
|
||||
|
|
@ -431,7 +436,7 @@ redis_configure_default() {
|
|||
fi
|
||||
redis_conf_set tls-cert-file "$REDIS_TLS_CERT_FILE"
|
||||
redis_conf_set tls-key-file "$REDIS_TLS_KEY_FILE"
|
||||
redis_conf_set tls-ca-cert-file "$REDIS_TLS_CA_FILE"
|
||||
is_empty_value "$REDIS_TLS_CA_FILE" && redis_conf_set tls-ca-cert-dir "$REDIS_TLS_CA_DIR" || redis_conf_set tls-ca-cert-file "$REDIS_TLS_CA_FILE"
|
||||
! is_empty_value "$REDIS_TLS_KEY_FILE_PASS" && redis_conf_set tls-key-file-pass "$REDIS_TLS_KEY_FILE_PASS"
|
||||
[[ -n "$REDIS_TLS_DH_PARAMS_FILE" ]] && redis_conf_set tls-dh-params-file "$REDIS_TLS_DH_PARAMS_FILE"
|
||||
redis_conf_set tls-auth-clients "$REDIS_TLS_AUTH_CLIENTS"
|
||||
|
|
|
|||
|
|
@ -51,6 +51,7 @@ redis_env_vars=(
|
|||
REDIS_TLS_KEY_FILE
|
||||
REDIS_TLS_KEY_FILE_PASS
|
||||
REDIS_TLS_CA_FILE
|
||||
REDIS_TLS_CA_DIR
|
||||
REDIS_TLS_DH_PARAMS_FILE
|
||||
REDIS_TLS_AUTH_CLIENTS
|
||||
REDIS_SENTINEL_MASTER_NAME
|
||||
|
|
@ -120,6 +121,7 @@ export REDIS_TLS_CERT_FILE="${REDIS_TLS_CERT_FILE:-}"
|
|||
export REDIS_TLS_KEY_FILE="${REDIS_TLS_KEY_FILE:-}"
|
||||
export REDIS_TLS_KEY_FILE_PASS="${REDIS_TLS_KEY_FILE_PASS:-}"
|
||||
export REDIS_TLS_CA_FILE="${REDIS_TLS_CA_FILE:-}"
|
||||
export REDIS_TLS_CA_DIR="${REDIS_TLS_CA_DIR:-}"
|
||||
export REDIS_TLS_DH_PARAMS_FILE="${REDIS_TLS_DH_PARAMS_FILE:-}"
|
||||
export REDIS_TLS_AUTH_CLIENTS="${REDIS_TLS_AUTH_CLIENTS:-yes}"
|
||||
|
||||
|
|
|
|||
|
|
@ -475,10 +475,10 @@ Starting with version 6, Redis(R) adds the support for SSL/TLS connections. Shou
|
|||
* `REDIS_TLS_PORT_NUMBER`: Port used for TLS secure traffic. Defaults to `6379`.
|
||||
* `REDIS_TLS_CERT_FILE`: File containing the certificate file for the TLS traffic. No defaults.
|
||||
* `REDIS_TLS_KEY_FILE`: File containing the key for certificate. No defaults.
|
||||
* `REDIS_TLS_CA_FILE`: File containing the CA of the certificate. No defaults.
|
||||
* `REDIS_TLS_CA_FILE`: File containing the CA of the certificate (takes precedence over `REDIS_TLS_CA_DIR`). No defaults.
|
||||
* `REDIS_TLS_CA_DIR`: Directory containing the CA certificates. No defaults.
|
||||
* `REDIS_TLS_DH_PARAMS_FILE`: File containing DH params (in order to support DH based ciphers). No defaults.
|
||||
* `REDIS_TLS_AUTH_CLIENTS`: Whether to require clients to authenticate or not. Defaults to `yes`.
|
||||
|
||||
When enabling TLS, conventional standard traffic is disabled by default. However this new feature is not mutually exclusive, which means it is possible to listen to both TLS and non-TLS connection simultaneously. To enable non-TLS traffic, set `REDIS_TLS_PORT_NUMBER` to another port different than `0`.
|
||||
|
||||
1. Using `docker run`
|
||||
|
|
|
|||
Loading…
Reference in New Issue