Merge pull request #3161 from bloodorangeio/redis-tls

Add configuration option for Redis TLS

configuration/configuration.go

@@ -174,6 +174,11 @@ type Configuration struct {
 		// DB specifies the database to connect to on the redis instance.
 		DB int `yaml:"db,omitempty"`
 
+		// TLS configures settings for redis in-transit encryption
+		TLS struct {
+			Enabled bool `yaml:"enabled,omitempty"`
+		} `yaml:"tls,omitempty"`
+
 		DialTimeout  time.Duration `yaml:"dialtimeout,omitempty"`  // timeout for connect
 		ReadTimeout  time.Duration `yaml:"readtimeout,omitempty"`  // timeout for reads of data
 		WriteTimeout time.Duration `yaml:"writetimeout,omitempty"` // timeout for writes of data

docs/configuration.md

@@ -268,6 +268,8 @@ redis:
     maxidle: 16
     maxactive: 64
     idletimeout: 300s
+  tls:
+    enabled: false
 health:
   storagedriver:
     enabled: true
@@ -1018,13 +1020,16 @@ redis:
     maxidle: 16
     maxactive: 64
     idletimeout: 300s
+  tls:
+    enabled: false
 ```
 
 Declare parameters for constructing the `redis` connections. Registry instances
 may use the Redis instance for several applications. Currently, it caches
 information about immutable blobs. Most of the `redis` options control
 how the registry connects to the `redis` instance. You can control the pool's
-behavior with the [pool](#pool) subsection.
+behavior with the [pool](#pool) subsection. Additionally, you can control
+TLS connection settings with the [tls](#tls) subsection (in-transit encryption).
 
 You should configure Redis with the **allkeys-lru** eviction policy, because the
 registry does not set an expiration value on keys.
@@ -1055,6 +1060,20 @@ Use these settings to configure the behavior of the Redis connection pool.
 | `maxactive`| no      | The maximum number of connections which can be open before blocking a connection request. |
 | `idletimeout`| no    | How long to wait before closing inactive connections. |
 
+### `tls`
+
+```none
+tls:
+  enabled: false
+```
+
+Use these settings to configure Redis TLS.
+
+| Parameter | Required | Description                           |
+|-----------|----------|-------------------------------------- |
+| `enabled` | no       | Whether or not to use TLS in-transit. |
+
+
 ## `health`
 
 ```none

registry/handlers/app.go

@@ -518,7 +518,8 @@ func (app *App) configureRedis(configuration *configuration.Configuration) {
 				configuration.Redis.Addr,
 				redis.DialConnectTimeout(configuration.Redis.DialTimeout),
 				redis.DialReadTimeout(configuration.Redis.ReadTimeout),
-				redis.DialWriteTimeout(configuration.Redis.WriteTimeout))
+				redis.DialWriteTimeout(configuration.Redis.WriteTimeout),
+				redis.DialUseTLS(configuration.Redis.TLS.Enabled))
 			if err != nil {
 				dcontext.GetLogger(app).Errorf("error connecting to redis instance %s: %v",
 					configuration.Redis.Addr, err)