Add TLS support for Redis Client implementation

sigstore · Feb 6, 2024 · 7d3ad6b · 7d3ad6b
1 parent e4a7393
commit 7d3ad6b
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 14 deletions.
diff --git a/cmd/backfill-redis/main.go b/cmd/backfill-redis/main.go
@@ -29,6 +29,7 @@ package main
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	"encoding/base64"
 	"errors"
 	"flag"
@@ -64,15 +65,16 @@ import (
 )
 
 var (
-	redisHostname = flag.String("hostname", "", "Hostname for Redis application")
-	redisPort     = flag.String("port", "", "Port to Redis application")
-	redisPassword = flag.String("password", "", "Password for Redis authentication")
-	startIndex    = flag.Int("start", -1, "First index to backfill")
-	endIndex      = flag.Int("end", -1, "Last index to backfill")
-	rekorAddress  = flag.String("rekor-address", "", "Address for Rekor, e.g. https://rekor.sigstore.dev")
-	versionFlag   = flag.Bool("version", false, "Print the current version of Backfill Redis")
-	concurrency   = flag.Int("concurrency", 1, "Number of workers to use for backfill")
-	dryRun        = flag.Bool("dry-run", false, "Dry run - don't actually insert into Redis")
+	redisHostname      = flag.String("hostname", "", "Hostname for Redis application")
+	redisPort          = flag.String("port", "", "Port to Redis application")
+	redisPassword      = flag.String("password", "", "Password for Redis authentication")
+	startIndex         = flag.Int("start", -1, "First index to backfill")
+	endIndex           = flag.Int("end", -1, "Last index to backfill")
+	insecureSkipVerify = flag.Bool("insecure-skip-verify", false, "Whether to skip TLS verification or not")
+	rekorAddress       = flag.String("rekor-address", "", "Address for Rekor, e.g. https://rekor.sigstore.dev")
+	versionFlag        = flag.Bool("version", false, "Print the current version of Backfill Redis")
+	concurrency        = flag.Int("concurrency", 1, "Number of workers to use for backfill")
+	dryRun             = flag.Bool("dry-run", false, "Dry run - don't actually insert into Redis")
 )
 
 func main() {
@@ -102,11 +104,16 @@ func main() {
 
 	log.Printf("running backfill redis Version: %s GitCommit: %s BuildDate: %s", versionInfo.GitVersion, versionInfo.GitCommit, versionInfo.BuildDate)
 
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: *insecureSkipVerify,
+	}
+
 	redisClient := redis.NewClient(&redis.Options{
-		Addr:     fmt.Sprintf("%s:%s", *redisHostname, *redisPort),
-		Password: *redisPassword,
-		Network:  "tcp",
-		DB:       0, // default DB
+		Addr:      fmt.Sprintf("%s:%s", *redisHostname, *redisPort),
+		Password:  *redisPassword,
+		Network:   "tcp",
+		TLSConfig: tlsConfig,
+		DB:        0, // default DB
 	})
 
 	rekorClient, err := client.GetRekorClient(*rekorAddress)

diff --git a/pkg/api/api.go b/pkg/api/api.go
@@ -18,6 +18,7 @@ package api
 import (
 	"context"
 	"crypto/sha256"
+	"crypto/tls"
 	"crypto/x509"
 	"encoding/hex"
 	"fmt"
@@ -179,7 +180,10 @@ func ConfigureAPI(treeID uint) {
 			Addr:     fmt.Sprintf("%v:%v", viper.GetString("redis_server.address"), viper.GetUint64("redis_server.port")),
 			Password: viper.GetString("redis_server.password"),
 			Network:  "tcp",
-			DB:       0, // default DB
+			TLSConfig: &tls.Config{
+				InsecureSkipVerify: viper.GetBool("redis_server.insecure-skip-verify"),
+			},
+			DB: 0, // default DB
 		})
 		checkpointPublisher := witness.NewCheckpointPublisher(context.Background(), api.logClient, api.logRanges.ActiveTreeID(),
 			viper.GetString("rekor_server.hostname"), api.signer, redisClient, viper.GetUint("publish_frequency"), CheckpointPublishCount)