Closed gligneul closed 1 year ago
I’ve been researching to find the best way to add TLS support and this is what I have found so far:
We’re using the aptly named redis crate to connect to Redis (I’ll call it redis-rs to avoid confusion). It supports TLS by enabling features related to the rustls or native-tls crates. Configuring a connection using custom certificates seemed the best approach, so I searched for a way to do just that. The problem is that redis-rs doesn’t offer this customizability in its high-level API, hiding the functionality present in the TLS crates it uses internally.
There’s an open issue regarding this topic with a proposed workaround. Unfortunately, it doesn’t seem to work with ConnectionManager, which we are currently using.
Some possible paths forward:
@endersonmaia I wanted to hear from you if path 1 would be a good (enough) fit for our needs or if it presents more issues that I'm aware of.
Configuring a connection using custom certificates seemed the best approach, so I searched for a way to do just that.
When I also control/manage the redis-server, it's the way to go. There's the need to generate the root CA and generate server and client certificates, and a way to define this configuration.
For redis cloud providers that support TLS, they usually use valid certificates supported by every OS, and public domains.
We could wait (watch) this to be solved upstream, and make our own workaround using stunnel
, this should be enough to connect to AWS Managed Redis TLS.
And we could focus on #12, to make use of the cluster features from AWS Managed Redis.
This is the solution I came up with in the end:
I've decided to use the native-tls crate as I find it provides a richer API (even though we won't interact directly with it). The certificates are loaded "automagically", so there are not many code changes besides the Redis server's URL schema (which becomes rediss).
To test it out, we've created a Docker image containing a Redis server adequately configured with the TLS certificates and a test binary. When executed the binary tries to connect to the server to generate and retrieve an event. The test itself consists of executing said binary inside the container and asserting it finishes with a valid exit code.
Client certificate authentication was disabled in the server as we considered it unnecessary for now.
📚 Context
We might need to support TLS when connecting to a hosted Redis service (e.g. AWS MemoryDB).
✔️ Solution
When connecting using redis-cli, it is possible to connect to Redis using the option
--tls
. We should do something similar for our clients.📈 Subtasks