Accept new parameters and ENV variables

3scale · Oct 25, 2023 · b99e307 · b99e307
1 parent be9c1e6
commit b99e307
Show file tree

Hide file tree

Showing 4 changed files with 121 additions and 7 deletions.
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -26,6 +26,41 @@ variables.
 - Applies to: listener, worker, cron.
 - Format: string.
 
+###  CONFIG_REDIS_USERNAME
+
+- Redis ACL user name
+- Optional. Defaults to empty.
+- Applies to: listener, worker, cron.
+- Format: string.
+
+###  CONFIG_REDIS_PASSWORD
+
+- Redis ACL password
+- Optional. Defaults to empty.
+- Applies to: listener, worker, cron.
+- Format: string.
+
+###  CONFIG_REDIS_CA_FILE
+
+- Certification authority to validate Redis server TLS connections with
+- Optional. Defaults to empty.
+- Applies to: listener, worker, cron.
+- Format: path to file as string.
+
+###  CONFIG_REDIS_CERT
+
+- User certificate to connect to Redis through TLS
+- Optional. Defaults to empty.
+- Applies to: listener, worker, cron.
+- Format: path to file as string.
+
+###  CONFIG_REDIS_PRIVATE_KEY
+
+- User key to connect to Redis through TLS
+- Optional. Defaults to empty.
+- Applies to: listener, worker, cron.
+- Format: path to file as string.
+
 ###  CONFIG_REDIS_SENTINEL_HOSTS
 
 - URL of Redis sentinels.
@@ -80,6 +115,41 @@ sentinels.
 - Applies to: listener, worker, cron.
 - Format: string.
 
+###  CONFIG_QUEUES_USERNAME
+
+- Redis ACL user name
+- Optional. Defaults to empty.
+- Applies to: listener, worker, cron.
+- Format: string.
+
+###  CONFIG_QUEUES_PASSWORD
+
+- Redis ACL password
+- Optional. Defaults to empty.
+- Applies to: listener, worker, cron.
+- Format: string.
+
+###  CONFIG_QUEUES_CA_FILE
+
+- Certification authority certificate Redis should trust to accept TLS connections
+- Optional. Defaults to empty.
+- Applies to: listener, worker, cron.
+- Format: path to file as string.
+
+###  CONFIG_QUEUES_CERT
+
+- User certificate to connect to Redis through TLS
+- Optional. Defaults to empty.
+- Applies to: listener, worker, cron.
+- Format: path to file as string.
+
+###  CONFIG_QUEUES_PRIVATE_KEY
+
+- User key to connect to Redis through TLS
+- Optional. Defaults to empty.
+- Applies to: listener, worker, cron.
+- Format: path to file as string.
+
 ### CONFIG_QUEUES_SENTINEL_HOSTS
 
 - URL of Redis sentinels.

diff --git a/lib/3scale/backend/configuration.rb b/lib/3scale/backend/configuration.rb
@@ -38,11 +38,10 @@ def parse_int(value, default)
       config.workers_logger_formatter = :text
 
       # Add configuration sections
-      config.add_section(:queues, :master_name, :sentinels, :role,
+      config.add_section(:queues, :master_name, :username, :password, :ssl_params, :sentinels, :role,
                          :connect_timeout, :read_timeout, :write_timeout, :max_connections)
-      config.add_section(:redis, :url, :proxy, :sentinels, :role,
-                         :connect_timeout, :read_timeout, :write_timeout, :max_connections,
-                         :async)
+      config.add_section(:redis, :url, :proxy, :username, :password, :ssl_params, :sentinels, :role,
+                         :connect_timeout, :read_timeout, :write_timeout, :max_connections, :async)
       config.add_section(:hoptoad, :service, :api_key)
       config.add_section(:internal_api, :user, :password)
       config.add_section(:master, :metrics)

diff --git a/lib/3scale/backend/storage_helpers.rb b/lib/3scale/backend/storage_helpers.rb
@@ -62,7 +62,7 @@ class << self
           # CONN_WHITELIST - Connection options that can be specified in config
           # Note: we don't expose reconnect_attempts until the bug above is fixed
           CONN_WHITELIST = [
-            :connect_timeout, :read_timeout, :write_timeout, :max_connections
+            :connect_timeout, :read_timeout, :write_timeout, :max_connections, :username, :password, :ssl_params
           ].freeze
           private_constant :CONN_WHITELIST
 
@@ -99,8 +99,7 @@ def config_with(config,
             end.merge(options)
 
             cfg_with_sentinels = cfg_sentinels_handler cfg
-
-            defaults.merge(ensure_url_param(cfg_with_sentinels))
+            cfg_defaults_handler cfg_with_sentinels, defaults
           end
 
           private
@@ -241,6 +240,38 @@ def cfg_sentinels_handler(options)
             options
           end
 
+          # The new Redis client accepts either `:url` or `:path`, but not both.
+          # In the case of a path, Redis expects it to not include the `unix://` prefix.
+          # On the other hand, Apisonator accepts only `:url`, for both Sockets and TCP connections.
+          # For paths, Apisonator expects it to be given as a URL using the `unix://` scheme.
+          #
+          # This method handles the conversion.
+          def cfg_unix_path_handler(options)
+            if options.key? :path
+              options.delete(:url)
+              return options
+            end
+
+            if options[:url].start_with? "unix://"
+              options[:path] = options.delete(:url).delete_prefix("unix://")
+            end
+
+            options
+          end
+
+          # This ensures some default values are valid for the redis client.
+          # In particular:
+          #
+          # - The :url key is always present
+          #   - Except when connecting to a unix socket
+          # - :max_connections is only present for async mode
+          def cfg_defaults_handler(options, defaults)
+            cfg_with_defaults = defaults.merge(ensure_url_param(options))
+            cfg_with_defaults = cfg_unix_path_handler(cfg_with_defaults)
+            cfg_with_defaults.delete(:max_connections) unless options[:async]
+            cfg_with_defaults
+          end
+
           # helper to convert a sentinel object to a Hash
           def sentinel_to_hash(sentinel)
             return if sentinel.nil?

diff --git a/openshift/3scale_backend.conf b/openshift/3scale_backend.conf
@@ -22,13 +22,27 @@ ThreeScale::Backend.configure do |config|
   config.internal_api.user = "#{ENV['CONFIG_INTERNAL_API_USER']}"
   config.internal_api.password = "#{ENV['CONFIG_INTERNAL_API_PASSWORD']}"
   config.queues.master_name = "#{ENV['CONFIG_QUEUES_MASTER_NAME']}"
+  config.queues.username = "#{ENV['CONFIG_QUEUES_USERNAME']}"
+  config.queues.password = "#{ENV['CONFIG_QUEUES_PASSWORD']}"
+  config.queues.ssl_params = {
+    ca_file: "#{ENV['CONFIG_QUEUES_CA_FILE]}",
+    cert: "#{ENV['CONFIG_QUEUES_CERT]}",
+    key: "#{ENV['CONFIG_QUEUES_PRIVATE_KEY]}"
+  }
   config.queues.sentinels = "#{ENV['CONFIG_QUEUES_SENTINEL_HOSTS'] && !ENV['CONFIG_QUEUES_SENTINEL_HOSTS'].empty? ? ENV['CONFIG_QUEUES_SENTINEL_HOSTS'] : ENV['SENTINEL_HOSTS']}"
   config.queues.role = "#{ENV['CONFIG_QUEUES_SENTINEL_ROLE']}".to_sym
   config.queues.connect_timeout = parse_int_env('CONFIG_QUEUES_CONNECT_TIMEOUT')
   config.queues.read_timeout = parse_int_env('CONFIG_QUEUES_READ_TIMEOUT')
   config.queues.write_timeout = parse_int_env('CONFIG_QUEUES_WRITE_TIMEOUT')
   config.queues.max_connections = parse_int_env('CONFIG_QUEUES_MAX_CONNS')
   config.redis.proxy = "#{ENV['CONFIG_REDIS_PROXY']}"
+  config.redis.username = "#{ENV['CONFIG_REDIS_USERNAME']}"
+  config.redis.password = "#{ENV['CONFIG_REDIS_PASSWORD']}"
+  config.redis.ssl_params = {
+      ca_file: "#{ENV['CONFIG_REDIS_CA_FILE]}",
+      cert: "#{ENV['CONFIG_REDIS_CERT]}",
+      key: "#{ENV['CONFIG_REDIS_PRIVATE_KEY]}"
+    }
   config.redis.sentinels = "#{ENV['CONFIG_REDIS_SENTINEL_HOSTS']}"
   config.redis.role = "#{ENV['CONFIG_REDIS_SENTINEL_ROLE']}".to_sym
   config.redis.connect_timeout = parse_int_env('CONFIG_REDIS_CONNECT_TIMEOUT')