feat: add TLS support for Redis templates #260
Merged
Conversation
Add a `.tls(certs_dir)` builder to RedisTemplate and RedisClusterTemplate that bind-mounts a host certificate directory read-only into the container and starts redis-server with `--tls-port`, `--tls-cert-file`, `--tls-key-file` and `--tls-ca-cert-file`. Certs are read from a fixed `/tls` mount using the conventional `redis.crt`/`redis.key`/`ca.crt` file names. Single-node RedisTemplate keeps both plaintext and TLS open by default (TLS on container port 6380, published on a configurable host `tls_port`, default 6380). A `.tls_only()` toggle disables plaintext via `--port 0` and stops publishing it. `connection_string()` returns the `rediss://` endpoint in TLS-only mode; `tls_connection_string()` exposes the TLS URL otherwise. TLS composes with password auth. RedisClusterTemplate runs nodes TLS-only on the data port with `--tls-cluster yes`/`--tls-replication yes`, mirroring Redis's documented cluster-over-TLS layout (the gossip protocol cannot mix plaintext and TLS). Readiness, `--cluster create`, info and role checks connect with `redis-cli --tls` and the mounted certificates. No new default dependencies: throwaway certs are generated with a documented `openssl` recipe in the rustdoc and in the integration test. The test starts a TLS Redis, connects with `redis-cli --tls`, and verifies plaintext is refused in TLS-only mode; it is skipped when Docker or openssl is unavailable. Closes #244.
What

Adds TLS support to the Redis templates, so a TLS Redis no longer needs hand-rolled `RunCommand` plumbing with cert volume mounts and `--tls-*` args.

Single-node

- `RedisTemplate.tls(certs_dir)` -- bind-mounts the host cert directory read-only at `/tls` and starts `redis-server` with `--tls-port`, `--tls-cert-file`, `--tls-key-file`, `--tls-ca-cert-file`. Expects the conventional `redis.crt`/`redis.key`/`ca.crt` file names (documented).
- `.tls_port(port)` -- configurable host port for the published TLS listener (default 6380).
- `.tls_only()` -- disables the plaintext port via `--port 0` and stops publishing it.
- `tls_connection_string()` returns the `rediss://` URL; `connection_string()` falls back to the `rediss://` endpoint in TLS-only mode (since plaintext is closed). TLS composes with password auth.

`RedisClusterTemplate`

- `.tls(certs_dir)` -- every node runs TLS-only on its data port with `--tls-cluster yes`/`--tls-replication yes`, mirroring Redis's documented cluster-over-TLS layout (the gossip protocol cannot mix plaintext and TLS nodes). Readiness polling, `redis-cli --cluster create`, `cluster info`, and `node_role` all connect with `redis-cli --tls` and the mounted certificates.

No new default dependencies

Self-signed cert generation is not pulled in as a heavyweight default. Instead the `tls()` rustdoc documents an `openssl` one-liner recipe, and the integration test generates throwaway certs with `openssl` in a temp dir.

Why

Closes the gap noted in the issue: redis-tower keeps TLS coverage on its process-based harness because the containerized templates could not exercise TLS. Template TLS lets the containerized version-matrix tier cover TLS paths too.

Evidence / test plan

- `--port 0` in TLS-only, custom TLS port, password coexistence, `rediss://` connection strings, cluster `redis-cli --tls` flag assembly.
- `cargo test --lib --all-features`: 841 passed.
- `tests/redis_tls_integration.rs`: generates a self-signed CA + server cert with `openssl`, starts a TLS Redis, and asserts a `redis-cli --tls` ping returns `PONG`; a second test asserts plaintext is refused in TLS-only mode. Skipped automatically when Docker or `openssl` is unavailable. Both pass against a live Docker daemon (29.4.3).
- `tests/redis_template_integration.rs` (7 tests incl. password and Redis Stack, which share the refactored `build_command` path) pass against live Docker -- no regression.
- `cargo fmt --all`, `cargo clippy --all-targets --all-features -- -D warnings`, `cargo clippy --all-targets --no-default-features -- -D warnings`, `cargo doc --no-deps --all-features`, `cargo test --doc --all-features` (422 passed).

Closes #244.
--port 0in TLS-only, custom TLS port, password coexistence,rediss://connection strings, clusterredis-cli --tlsflag assembly).cargo test --lib --all-features: 841 passed.tests/redis_tls_integration.rs: generates a self-signed CA + server cert withopenssl, starts a TLS Redis, and asserts aredis-cli --tlsping returnsPONG; a second test asserts plaintext is refused in TLS-only mode. Skipped automatically when Docker oropensslis unavailable. Both pass against a live Docker daemon (29.4.3).tests/redis_template_integration.rs(7 tests incl. password and Redis Stack, which share the refactoredbuild_commandpath) pass against live Docker -- no regression.cargo fmt --all,cargo clippy --all-targets --all-features -- -D warnings,cargo clippy --all-targets --no-default-features -- -D warnings,cargo doc --no-deps --all-features,cargo test --doc --all-features(422 passed).Closes #244.