adds redis_auth (#1627)

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>
sigstore · Oct 31, 2023 · 9f49d7b · 9f49d7b
1 parent 1f00b2d
commit 9f49d7b
Show file tree

Hide file tree

Showing 7 changed files with 22 additions and 13 deletions.
diff --git a/cmd/backfill-redis/main.go b/cmd/backfill-redis/main.go
@@ -66,6 +66,7 @@ import (
 var (
 	redisHostname = flag.String("hostname", "", "Hostname for Redis application")
 	redisPort     = flag.String("port", "", "Port to Redis application")
+	redisPassword = flag.String("password", "", "Password for Redis authentication")
 	startIndex    = flag.Int("start", -1, "First index to backfill")
 	endIndex      = flag.Int("end", -1, "Last index to backfill")
 	rekorAddress  = flag.String("rekor-address", "", "Address for Rekor, e.g. https://rekor.sigstore.dev")
@@ -102,9 +103,10 @@ func main() {
 	log.Printf("running backfill redis Version: %s GitCommit: %s BuildDate: %s", versionInfo.GitVersion, versionInfo.GitCommit, versionInfo.BuildDate)
 
 	redisClient := redis.NewClient(&redis.Options{
-		Addr:    fmt.Sprintf("%s:%s", *redisHostname, *redisPort),
-		Network: "tcp",
-		DB:      0, // default DB
+		Addr:     fmt.Sprintf("%s:%s", *redisHostname, *redisPort),
+		Password: *redisPassword,
+		Network:  "tcp",
+		DB:       0, // default DB
 	})
 
 	rekorClient, err := client.GetRekorClient(*rekorAddress)

diff --git a/cmd/rekor-server/app/root.go b/cmd/rekor-server/app/root.go
@@ -113,6 +113,7 @@ Memory and file-based signers should only be used for testing.`)
 		`Index Storage provider to use. Valid options are: [redis].`)
 	rootCmd.PersistentFlags().String("redis_server.address", "127.0.0.1", "Redis server address")
 	rootCmd.PersistentFlags().Uint16("redis_server.port", 6379, "Redis server port")
+	rootCmd.PersistentFlags().String("redis_server.password", "", "Redis server password")
 
 	rootCmd.PersistentFlags().Bool("enable_attestation_storage", false, "enables rich attestation storage")
 	rootCmd.PersistentFlags().String("attestation_storage_bucket", "", "url for attestation storage bucket")

diff --git a/docker-compose.test.yml b/docker-compose.test.yml
@@ -30,6 +30,7 @@ services:
       "--trillian_log_server.port=8090",
       "--redis_server.address=redis-server",
       "--redis_server.port=6379",
+      "--redis_server.password=test",
       "--rekor_server.address=0.0.0.0",
       "--rekor_server.signer=memory",
       "--enable_attestation_storage",

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -36,13 +36,15 @@ services:
       "--bind",
       "0.0.0.0",
       "--appendonly",
-      "yes"
+      "yes",
+      "--requirepass",
+      "test"
     ]
     ports:
       - "6379:6379"
     restart: always # keep the redis server running
     healthcheck:
-      test: ["CMD", "redis-cli", "ping"]
+      test: ["CMD", "redis-cli", "-a", "test", "ping"]
       interval: 10s
       timeout: 3s
       retries: 3
@@ -91,6 +93,7 @@ services:
       "--trillian_log_server.address=trillian-log-server",
       "--trillian_log_server.port=8090",
       "--redis_server.address=redis-server",
+      "--redis_server.password=test",
       "--redis_server.port=6379",
       "--rekor_server.address=0.0.0.0",
       "--rekor_server.signer=memory",

diff --git a/pkg/api/api.go b/pkg/api/api.go
@@ -176,9 +176,10 @@ func ConfigureAPI(treeID uint) {
 
 	if viper.GetBool("enable_stable_checkpoint") {
 		redisClient = redis.NewClient(&redis.Options{
-			Addr:    fmt.Sprintf("%v:%v", viper.GetString("redis_server.address"), viper.GetUint64("redis_server.port")),
-			Network: "tcp",
-			DB:      0, // default DB
+			Addr:     fmt.Sprintf("%v:%v", viper.GetString("redis_server.address"), viper.GetUint64("redis_server.port")),
+			Password: viper.GetString("redis_server.password"),
+			Network:  "tcp",
+			DB:       0, // default DB
 		})
 		checkpointPublisher := witness.NewCheckpointPublisher(context.Background(), api.logClient, api.logRanges.ActiveTreeID(),
 			viper.GetString("rekor_server.hostname"), api.signer, redisClient, viper.GetUint("publish_frequency"), CheckpointPublishCount)

diff --git a/pkg/indexstorage/indexstorage.go b/pkg/indexstorage/indexstorage.go
@@ -31,7 +31,7 @@ type IndexStorage interface {
 func NewIndexStorage(providerType string) (IndexStorage, error) {
 	switch providerType {
 	case redis.ProviderType:
-		return redis.NewProvider(viper.GetString("redis_server.address"), viper.GetString("redis_server.port"))
+		return redis.NewProvider(viper.GetString("redis_server.address"), viper.GetString("redis_server.port"), viper.GetString("redis_server.password"))
 	default:
 		return nil, fmt.Errorf("invalid index storage provider type: %v", providerType)
 	}

diff --git a/pkg/indexstorage/redis/redis.go b/pkg/indexstorage/redis/redis.go
@@ -30,12 +30,13 @@ type IndexStorageProvider struct {
 	client *redis.Client
 }
 
-func NewProvider(address, port string) (*IndexStorageProvider, error) {
+func NewProvider(address, port, password string) (*IndexStorageProvider, error) {
 	provider := &IndexStorageProvider{}
 	provider.client = redis.NewClient(&redis.Options{
-		Addr:    fmt.Sprintf("%v:%v", address, port),
-		Network: "tcp",
-		DB:      0, // default DB
+		Addr:     fmt.Sprintf("%v:%v", address, port),
+		Network:  "tcp",
+		Password: password,
+		DB:       0, // default DB
 	})
 	return provider, nil
 }