root: optional TLS support on redis connections (#1147)

* root: optional TLS support on redis connections * root: don't use f-strings when not interpolating variables * root: use f-string in redis protocol prefix interpolation * root: glaring typo * formatting * small formatting change I missed * root: swap around default redis protocol prefixes
2021-07-15 04:48:52 -05:00 · 2021-07-15 04:48:52 -05:00 · a5bb583268
parent 212ff11b6d
commit a5bb583268
3 changed files with 20 additions and 7 deletions
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -15,6 +15,7 @@ redis:
  host: localhost
  port: 6379
  password: ''
+  tls: false
  cache_db: 0
  message_queue_db: 1
  ws_db: 2
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -188,11 +188,16 @@ REST_FRAMEWORK = {
    "DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema",
 }

+REDIS_PROTOCOL_PREFIX = "redis://"
+if CONFIG.y_bool("redis.tls", False):
+    REDIS_PROTOCOL_PREFIX = "rediss://"
+
 CACHES = {
    "default": {
        "BACKEND": "django_redis.cache.RedisCache",
        "LOCATION": (
-            f"redis://:{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
+            f"{REDIS_PROTOCOL_PREFIX}:"
+            f"{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
            f"{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.cache_db')}"
        ),
        "TIMEOUT": int(CONFIG.y("redis.cache_timeout", 300)),
@ -252,7 +257,8 @@ CHANNEL_LAYERS = {
        "BACKEND": "channels_redis.core.RedisChannelLayer",
        "CONFIG": {
            "hosts": [
-                f"redis://:{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
+                f"{REDIS_PROTOCOL_PREFIX}:"
+                f"{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
                f"{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.ws_db')}"
            ],
        },
@ -331,12 +337,14 @@ CELERY_BEAT_SCHEDULE = {
 CELERY_TASK_CREATE_MISSING_QUEUES = True
 CELERY_TASK_DEFAULT_QUEUE = "authentik"
 CELERY_BROKER_URL = (
-    f"redis://:{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}"
-    f":{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.message_queue_db')}"
+    f"{REDIS_PROTOCOL_PREFIX}:"
+    f"{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
+    f"{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.message_queue_db')}"
 )
 CELERY_RESULT_BACKEND = (
-    f"redis://:{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}"
-    f":{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.message_queue_db')}"
+    f"{REDIS_PROTOCOL_PREFIX}:"
+    f"{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
+    f"{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.message_queue_db')}"
 )

 # Database backup
--- a/lifecycle/wait_for_db.py
+++ b/lifecycle/wait_for_db.py
@ -40,10 +40,14 @@ while True:
        sleep(1)
        j_print(f"PostgreSQL Connection failed, retrying... ({exc})")

+REDIS_PROTOCOL_PREFIX = "redis://"
+if CONFIG.y_bool("redis.tls", False):
+    REDIS_PROTOCOL_PREFIX = "rediss://"
 while True:
    try:
        redis = Redis.from_url(
-            f"redis://:{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
+            f"{REDIS_PROTOCOL_PREFIX}:"
+            f"{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
            f"{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.ws_db')}"
        )
        redis.ping()