goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0
23.21k stars 4.67k forks

Support for Redis TLS #13223

Open bbobrov opened 3 years ago

bbobrov commented 3 years ago

As a Harbor instance operator, I want to secure the traffic to the Redis instance.

This issue might seem not so pressing when the internal Redis is used. However, external managed Redis instances can be used, such as Azure Cache for Redis. Although it is possible to enable the non-encrypted port, it is disabled by default; Microsoft recommends enabling TLS.

Currently Harbor does not support connecting to SSL/TLS Redis endpoints. The go-redis library supports it. Docker-distribution has a patch for it: https://github.com/docker/distribution/pull/3161. Chartmuseum has a bug report about it: https://github.com/helm/chartmuseum/issues/326

I would like to be able to provide rediss:// URLs or to set a use_ssl=true option when configuring Harbor. Options to provide certificates are also required.

dsalcedolab commented 3 years ago

Is there anything new with the upgrade?

shinji62 commented 3 years ago

@yanji09 @ninjadq Any update on that? Thanks

ninjadq commented 3 years ago

Hi, we have a plan to support TLS for Redis and the database. It might be included in a future release.

flyingbricks commented 3 years ago

Similar asks here due to setting up Harbor with AWS ElastiCache and Azure Redis.

It seems that without enabling TLS, ElastiCache doesn't even allow enabling authentication. This potentially means that even though there is some level of security in being inside a VPC, ElastiCache can be accidentally messed up by others in the VPC.

yilmi commented 2 years ago

Similar ask from our chart users - https://github.com/bitnami/charts/issues/7691

lukasmrtvy commented 2 years ago

Maybe it would be possible to use a Redis proxy as a sidecar as a temporary solution.

Something like:

danielzhanghl commented 2 years ago

Using an stunnel sidecar is another temporary option.

https://www.stunnel.org/

colinwilson commented 2 years ago

You could also use a socat container to create a TLS tunnel that connects to the Redis endpoint.
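The sidecar workarounds suggested above (a Redis proxy, stunnel, or socat in front of a TLS-only managed Redis) all hinge on one detail that is easy to get wrong: the tunnel must authenticate the Redis endpoint, not just encrypt to it. The following is an added example, not code from Harbor, stunnel, socat or any commenter in this thread. It renders a client-side stunnel configuration and the equivalent socat command, and includes a small check that both chain verification and hostname checking are turned on. The hostname `redis.example.internal`, port 6380 and the CA bundle path are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from Harbor, stunnel or socat: render the client-side
# configuration for a TLS-terminating sidecar so Harbor (which speaks plaintext
# Redis) can reach a TLS-only managed Redis such as ElastiCache or Azure Cache.
# All hostnames, ports and CA paths are illustrative assumptions.

# render_stunnel_conf <tls-redis-host> <tls-redis-port> <ca-bundle> [local-port]
# Harbor connects to 127.0.0.1:<local-port>; stunnel opens TLS to host:port.
render_stunnel_conf() {
    host="$1"; port="$2"; cafile="$3"; lport="${4:-6379}"
    cat <<EOF
foreground = yes
; no pid file (the sidecar typically runs as PID 1)
pid =
[redis-tls]
client = yes
accept = 127.0.0.1:${lport}
connect = ${host}:${port}
; Authenticate the server: verify the chain against the CA bundle and check
; that the certificate matches the hostname. Without these two settings the
; tunnel is encrypted but any host holding some valid certificate can
; impersonate Redis.
verifyChain = yes
CAfile = ${cafile}
checkHost = ${host}
sslVersionMin = TLSv1.2
EOF
}

# socat_tunnel_cmd: the equivalent one-liner for a socat container.
# verify=1 + cafile + commonname are what make it authenticate the peer; the
# widely copied "verify=0" form disables that check and must not be used.
socat_tunnel_cmd() {
    host="$1"; port="$2"; cafile="$3"; lport="${4:-6379}"
    printf 'socat TCP-LISTEN:%s,bind=127.0.0.1,reuseaddr,fork OPENSSL:%s:%s,verify=1,cafile=%s,commonname=%s\n' \
        "$lport" "$host" "$port" "$cafile" "$host"
}

# conf_authenticates_server <rendered-config>: succeeds only if the config
# both verifies the chain and checks the hostname, i.e. it is not merely
# "encrypted".
conf_authenticates_server() {
    printf '%s\n' "$1" | grep -q '^verifyChain = yes$' &&
        printf '%s\n' "$1" | grep -q '^checkHost = '
}

# Illustrative run (values are assumptions)
render_stunnel_conf redis.example.internal 6380 /etc/ssl/certs/ca-certificates.crt
socat_tunnel_cmd redis.example.internal 6380 /etc/ssl/certs/ca-certificates.crt
```

With the sidecar in place, Harbor's external Redis address (for example `external.addr` in the Helm chart values) is pointed at `127.0.0.1:6379`; the Redis password still has to be set in Harbor, since the AUTH command passes through the tunnel unchanged. Two caveats: every Harbor component that uses Redis (core, jobservice, registry, Trivy adapter) runs in its own pod, so each pod needs its own sidecar, and if you instead deploy one shared tunnel as a cluster Service, the hop from the Harbor pods to that Service is plaintext again.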

slushysnowman commented 2 years ago

Is there any vision on when this is going to be implemented?

danielzhanghl commented 2 years ago

FYI: Trivy supports TLS Redis from 0.23.0, while the Trivy adapter does not support TLS Redis yet.

github-actions[bot] commented 2 years ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

keliansb commented 1 year ago

Still an issue, please do not close.

MinerYang commented 1 year ago

This distribution PR hasn't been included in distribution v2.8.1: https://github.com/distribution/distribution/pull/3161/files. We will hold this feature request until a new distribution release supports it.

hgranillo commented 1 year ago

Another security feature blocked by distribution... (the other one being AWS IAM AssumeRoleWithWebIdentity )

marevers commented 11 months ago

Distribution release v2.8.2 from May this year (which came more than a year after v2.8.1) also did not include the mentioned PR. It does not look like this feature will be added anytime soon there.

pfarikrispy commented 10 months ago

Please consider adding this feature as it makes the "supply chain" more robust and secure

thavlik commented 10 months ago

I find it incredible how trivial this oft-requested feature would be to implement, and yet here we are three years later. I wanted to volunteer to implement it, but this issue's thread has suggested that would be a fool's errand.

krab-skunk commented 8 months ago

I'm using the latest Harbor Helm chart, but I do not know how to configure the TLS option. I'm using AWS ElastiCache for Redis.

In the Helm chart values.yaml file, I only see these options:

```yaml
  external:
    # support redis, redis+sentinel
    # addr for redis: <host_redis>:<port_redis>
    # addr for redis+sentinel: <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
    addr: "192.168.0.2:6379"
    # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel
    sentinelMasterSet: ""
    # The "coreDatabaseIndex" must be "0" as the library Harbor
    # used doesn't support configuring it
    # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional
    # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional
    coreDatabaseIndex: "0"
    jobserviceDatabaseIndex: "1"
    registryDatabaseIndex: "2"
    trivyAdapterIndex: "5"
    # harborDatabaseIndex: "6"
    # cacheLayerDatabaseIndex: "7"
    # username field can be an empty string, and it will be authenticated against the default user
    username: ""
    password: ""
    # If using existingSecret, the key must be REDIS_PASSWORD
    existingSecret: ""
```
marevers commented 8 months ago

> I'm using the latest Harbor Helm chart, but I do not know how to configure the TLS option. I'm using AWS ElastiCache for Redis.
>
> In the Helm chart values.yaml file, I only see these options:
>
> ```yaml
>   external:
>     # support redis, redis+sentinel
>     # addr for redis: <host_redis>:<port_redis>
>     # addr for redis+sentinel: <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
>     addr: "192.168.0.2:6379"
>     # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel
>     sentinelMasterSet: ""
>     # The "coreDatabaseIndex" must be "0" as the library Harbor
>     # used doesn't support configuring it
>     # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional
>     # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional
>     coreDatabaseIndex: "0"
>     jobserviceDatabaseIndex: "1"
>     registryDatabaseIndex: "2"
>     trivyAdapterIndex: "5"
>     # harborDatabaseIndex: "6"
>     # cacheLayerDatabaseIndex: "7"
>     # username field can be an empty string, and it will be authenticated against the default user
>     username: ""
>     password: ""
>     # If using existingSecret, the key must be REDIS_PASSWORD
>     existingSecret: ""
> ```

It's not supported yet, unfortunately. I assume support is going to be added in the 2.11.0 release.

krab-skunk commented 8 months ago

Oh ok :( thanks for the very quick reply @marevers

MinerYang commented 6 months ago

This distribution PR hasn't been included in distribution v2.8.2 or v2.8.3: https://github.com/distribution/distribution/pull/3161/files. We will hold this feature request until a new distribution release supports it.

MinerYang commented 6 months ago

While taking a look into the distribution source, I found that this redisTLS config seems to be ignored in main when migrating from redigo to go-redis in this commit: https://github.com/distribution/distribution/blob/fcbc25e7896b6ea115d1f62107483c9325b4a305/registry/handlers/app.go#L522 cc @wy65701436

MinerYang commented 5 months ago

progress: