root: make redis settings more consistent (#9335)

* make redis settings more consistent Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add support to go Signed-off-by: Jens Langhammer <jens@goauthentik.io> * rewrite url Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix redis connect in wait_for_db Signed-off-by: Jens Langhammer <jens@goauthentik.io> * censor password when logging error Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * reword docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add redis url generation helper Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2024-04-18 16:49:41 +02:00
parent 2e9df96a62
commit a742331484
7 changed files with 84 additions and 48 deletions
--- a/internal/outpost/proxyv2/application/session.go
+++ b/internal/outpost/proxyv2/application/session.go
@ -2,6 +2,8 @@ package application

 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"math"
 	"net/http"
@ -19,6 +21,7 @@ import (
 	"goauthentik.io/internal/outpost/proxyv2/codecs"
 	"goauthentik.io/internal/outpost/proxyv2/constants"
 	"goauthentik.io/internal/outpost/proxyv2/redisstore"
+	"goauthentik.io/internal/utils"
 )

 const RedisKeyPrefix = "authentik_proxy_session_"
@ -31,11 +34,40 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 		maxAge = int(*t) + 1
 	}
 	if a.isEmbedded {
+		var tls *tls.Config
+		if config.Get().Redis.TLS {
+			tls = utils.GetTLSConfig()
+			switch strings.ToLower(config.Get().Redis.TLSReqs) {
+			case "none":
+			case "false":
+				tls.InsecureSkipVerify = true
+			case "required":
+				break
+			}
+			ca := config.Get().Redis.TLSCaCert
+			if ca != nil {
+				// Get the SystemCertPool, continue with an empty pool on error
+				rootCAs, _ := x509.SystemCertPool()
+				if rootCAs == nil {
+					rootCAs = x509.NewCertPool()
+				}
+				certs, err := os.ReadFile(*ca)
+				if err != nil {
+					a.log.WithError(err).Fatalf("Failed to append %s to RootCAs", *ca)
+				}
+				// Append our cert to the system pool
+				if ok := rootCAs.AppendCertsFromPEM(certs); !ok {
+					a.log.Println("No certs appended, using system certs only")
+				}
+				tls.RootCAs = rootCAs
+			}
+		}
 		client := redis.NewClient(&redis.Options{
-			Addr:     fmt.Sprintf("%s:%d", config.Get().Redis.Host, config.Get().Redis.Port),
-			Username: config.Get().Redis.Username,
-			Password: config.Get().Redis.Password,
-			DB:       config.Get().Redis.DB,
+			Addr:      fmt.Sprintf("%s:%d", config.Get().Redis.Host, config.Get().Redis.Port),
+			Username:  config.Get().Redis.Username,
+			Password:  config.Get().Redis.Password,
+			DB:        config.Get().Redis.DB,
+			TLSConfig: tls,
 		})

 		// New default RedisStore