From a5bb58326822a7025730e427c305079a0bf9e95f Mon Sep 17 00:00:00 2001
From: Starz0r
Date: Thu, 15 Jul 2021 04:48:52 -0500
Subject: [PATCH] root: optional TLS support on redis connections (#1147)
* root: optional TLS support on redis connections
* root: don't use f-strings when not interpolating variables
* root: use f-string in redis protocol prefix interpolation
* root: glaring typo
* formatting
* small formatting change I missed
* root: swap around default redis protocol prefixes
---
 authentik/lib/default.yml | 1 +
 authentik/root/settings.py | 20 ++++++++++++++------
 lifecycle/wait_for_db.py | 6 +++++-
 3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/authentik/lib/default.yml b/authentik/lib/default.yml
index 53091b011..95abf56ff 100644
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@@ -15,6 +15,7 @@ redis:
   host: localhost
   port: 6379
   password: ''
+  tls: false
   cache_db: 0
   message_queue_db: 1
   ws_db: 2
diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index 0b27cf31f..003462416 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -188,11 +188,16 @@ REST_FRAMEWORK = {
     "DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema",
 }
 
+REDIS_PROTOCOL_PREFIX = "redis://"
+if CONFIG.y_bool("redis.tls", False):
+    REDIS_PROTOCOL_PREFIX = "rediss://"
+
 CACHES = {
     "default": {
         "BACKEND": "django_redis.cache.RedisCache",
         "LOCATION": (
-            f"redis://:{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
+            f"{REDIS_PROTOCOL_PREFIX}:"
+            f"{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
             f"{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.cache_db')}"
         ),
         "TIMEOUT": int(CONFIG.y("redis.cache_timeout", 300)),
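Review bot: The password is still spliced into the URL without percent-encoding on the new `f"{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"` line of the CACHES LOCATION, so a password containing `@`, `/`, `:`, `?` or `#` yields a URL the client parses as a different host, database or query string; the identical line is introduced in the CHANNEL_LAYERS, CELERY_BROKER_URL, CELERY_RESULT_BACKEND and lifecycle/wait_for_db.py hunks. Since the commit is already rewriting these lines, wrap the value here and in the other copies: `f"{quote(CONFIG.y('redis.password'), safe='')}@{CONFIG.y('redis.host')}:"` with `from urllib.parse import quote` added to the module imports. Building the scheme, credential and host part once (e.g. a `REDIS_URL_BASE` next to `REDIS_PROTOCOL_PREFIX`) would also keep the TLS toggle and the quoting in a single place instead of four. A short comment above `REDIS_PROTOCOL_PREFIX`, such as `# rediss:// switches every redis client to TLS; certificate verification stays at each library's default`, would tell the next reader what the flag does and does not guarantee.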
@@ -252,7 +257,8 @@ CHANNEL_LAYERS = {
         "BACKEND": "channels_redis.core.RedisChannelLayer",
         "CONFIG": {
             "hosts": [
-                f"redis://:{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
+                f"{REDIS_PROTOCOL_PREFIX}:"
+                f"{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
                 f"{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.ws_db')}"
             ],
         },
@@ -331,12 +337,14 @@ CELERY_BEAT_SCHEDULE = {
 CELERY_TASK_CREATE_MISSING_QUEUES = True
 CELERY_TASK_DEFAULT_QUEUE = "authentik"
 CELERY_BROKER_URL = (
-    f"redis://:{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}"
-    f":{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.message_queue_db')}"
+    f"{REDIS_PROTOCOL_PREFIX}:"
+    f"{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
+    f"{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.message_queue_db')}"
 )
 CELERY_RESULT_BACKEND = (
-    f"redis://:{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}"
-    f":{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.message_queue_db')}"
+    f"{REDIS_PROTOCOL_PREFIX}:"
+    f"{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
+    f"{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.message_queue_db')}"
 )
 
 # Database backup
diff --git a/lifecycle/wait_for_db.py b/lifecycle/wait_for_db.py
index fe78f8fd9..b2b908fd2 100755
--- a/lifecycle/wait_for_db.py
+++ b/lifecycle/wait_for_db.py
@@ -40,10 +40,14 @@ while True:
         sleep(1)
         j_print(f"PostgreSQL Connection failed, retrying... ({exc})")
 
+REDIS_PROTOCOL_PREFIX = "redis://"
+if CONFIG.y_bool("redis.tls", False):
+    REDIS_PROTOCOL_PREFIX = "rediss://"
 while True:
     try:
         redis = Redis.from_url(
-            f"redis://:{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
+            f"{REDIS_PROTOCOL_PREFIX}:"
+            f"{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
             f"{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.ws_db')}"
         )
         redis.ping()
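Review bot: With `redis.tls` enabled, CELERY_BROKER_URL and CELERY_RESULT_BACKEND become `rediss://` URLs that carry no `ssl_cert_reqs` parameter; as far as I recall, Celery's redis result backend treats a `rediss://` URL without `ssl_cert_reqs` as an error (or at best a warning with an implicit default), and the kombu broker transport has its own `broker_use_ssl` expectations, so a worker should be started with `tls: true` before this is merged. Because django-redis, channels_redis and Celery each go through a different client library, the scheme alone does not pin down how the server certificate is verified or which CA bundle is used; exposing `ssl_cert_reqs` and a CA path (appended as query parameters to these URLs, or via `broker_use_ssl`) is the natural follow-up, and a `# TODO: expose ssl_cert_reqs / CA bundle for rediss://` comment next to these two settings would record that. The two Celery URLs are now byte-identical three-line blocks; assigning one to a local and reusing it (`CELERY_RESULT_BACKEND = CELERY_BROKER_URL`) would remove the duplication.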
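Review bot: The `REDIS_PROTOCOL_PREFIX` / `CONFIG.y_bool("redis.tls", False)` block added here is a verbatim copy of the one added to authentik/root/settings.py, so the readiness probe and the application can silently diverge the next time one of them changes (for instance if settings.py later gains `ssl_cert_reqs` handling and this script does not, the probe would pass against a server the app then cannot reach, or the reverse). `CONFIG` is already in scope in both files, so a small shared helper returning the prefix (or the full base URL) would let this script call it instead of restating the rule. A one-line comment such as `# must match the redis URL construction in authentik/root/settings.py` above the new assignment would at least make the coupling visible if the duplication is kept. The `while True:` retry loop that follows continues past the end of the hunk.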