Add SSL context for RedisCluster connections #85
Is the template still foobar'd?
I understand where this comes from, but the use case of verify_peer => false seems kinda anachronistic nowadays.
Possibly better to provision both host and client with a dummy certificate via https://github.com/FiloSottile/mkcert/blob/2a46726cebac0ff4e1f133d90b4e4c42f1edf44a/README.md ?
The template mentions to make a PR for features against a development branch: Pick the target branch based on the following criteria:
it is just an example for a unit test
@@ -8,7 +8,7 @@ | |||
"license": "BSD-3-Clause", | |||
"require": { | |||
"php": "~8.1.0 || ~8.2.0 || ~8.3.0", | |||
"ext-redis": "^5.0.2 || ^6.0", | |||
"ext-redis": "^5.3.2 || ^6.0", |
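Review bot: Raising the `ext-redis` lower bound from `^5.0.2` to `^5.3.2` drops every installed phpredis from 5.0.2 up to 5.3.1, so this is a breaking requirement change and needs a changelog entry and, per the PR template quoted above, the branch that accepts such bumps rather than a patch branch. It would also help to state in the PR description why the bump is needed (the SSL/TLS context argument of the `RedisCluster` constructor only exists from 5.3.2), so that the constraint change is traceable to the feature rather than looking incidental.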
Passing an ssl/tls context to the RedisCluster constructor from the phpredis extension is apparently only introduced in version 5.3.2: https://github.com/phpredis/phpredis/blob/develop/CHANGELOG.md
I noticed this due to the failing pipeline.
This would of course be a breaking change though.
I haven't had this kind of change ever, but I remember that I did modify some redis range in the past. IMO having a check during CD that all the required extension versions are fulfilled should be a good thing, so I do not have a problem with that change personally, but how is this kind of stuff handled in other OSS?
Do you have experience here @Ocramius?
8e32c6b to 97961bd
I added a few commits which should fix the failing integration tests. Could they be run again?
I'd added some comments, would be decent if we can improve this a little bit.
Sorry for the late response, I am not doing too much OSS at the moment.
I wonder if we can add an integration test where we actually set up a redis cluster with SSL and a self-signed certificate to verify if this is actually working. I don't expect this in this PR tho as I think it would already suffice and I can understand that taking time to implement this kind of setup would be too much.
c8db434 to 436e29e
Implemented an sslContext class right now which contains the sslContext options in the fields. I omitted the 'capture_peer_cert' and 'capture_peer_cert_chain' options since they are not relevant for us in my opinion. I wanted to make some of the default values clearly visible in the constructor. I made them correspond to the actual sslContext default options at least for more recent PHP versions, with the exception of 'SNI_enabled' which would make sense in my opinion to enable by default if possible.
Sorry, haven't reviewed yet. Will probably do so either today or tomorrow evening.
7706dbc to 135268e
Signed-off-by: robin-brabants <[email protected]> Co-authored-by: robin-brabants <[email protected]> Signed-off-by: Maximilian Bösing <[email protected]>
…sl/tls context parameter was introduced in version 5.3.2 Signed-off-by: robin-brabants <[email protected]> Co-authored-by: robin-brabants <[email protected]> Signed-off-by: Maximilian Bösing <[email protected]>
Signed-off-by: robin-brabants <[email protected]> Co-authored-by: robin-brabants <[email protected]> Signed-off-by: Maximilian Bösing <[email protected]>
… TLS connection is attempted by default Signed-off-by: robin-brabants <[email protected]> Co-authored-by: robin-brabants <[email protected]> Signed-off-by: Maximilian Bösing <[email protected]>
… phpredis RedisCluster class Signed-off-by: robin-brabants <[email protected]> Co-authored-by: robin-brabants <[email protected]> Signed-off-by: Maximilian Bösing <[email protected]>
…ntext to the RedisCluster Signed-off-by: robin-brabants <[email protected]> Co-authored-by: robin-brabants <[email protected]> Signed-off-by: Maximilian Bösing <[email protected]>
…tor to the code Signed-off-by: robin-brabants <[email protected]> Co-authored-by: robin-brabants <[email protected]> Signed-off-by: Maximilian Bösing <[email protected]>
This refactors some of the `SslContext` implementation to have better readability, less complexity (regarding camel case handling, etc.) and explicit context serialization. Signed-off-by: Maximilian Bösing <[email protected]>
135268e to d387d42
I refactored the code a little bit, especially since I am not a fan of those abbreviations all round tech. I'd say we should only allow 1:1 array notations which would be accepted by PHP as well; that's why I removed all that camel case handling and just have two dedicated methods: a named factory to instantiate our object from an SSL context array (in the notation supported by PHP) and a method which converts the object back to a PHP supported SSL context array. I also do not allow I also removed all the ssl context defaults. That prevents us from having issues with several PHP versions where (whyever) defaults might change and then we have to see how to provide defaults for both versions. I do not really see that we should do that and thus I'd say let's allow passing I also would say we should not require I'd love to get some review of my changes and some feedback. If that works for you and you still see the feature is serving your needs, I'd love to get a quick 👍🏼 so that we can proceed. But I'd be fine with releasing this without actual integration tests as it's a new feature which needs to be explicitly implemented by projects and thus it's okayish to depend on projects having integration testing up and running until we implement #88. Thanks for your massive work here and I'm happy to see your feedback. Had to rebase with latest 2.8.x as renovate updated
Sorry that I only see your improvement right now, but was a bit preoccupied.
@boesing
Thanks @robin-brabants!
Description
This small feature allows passing an sslContext to the RedisCluster constructor from the phpredis extension.
Without this feature, one could not connect to a cluster using TLS. Now, when specifying the correct protocol for the seed nodes (e.g. 'seeds' => ['tls://nodeId-01.xxx:6379', 'tls://nodeId-02.xxx:6379']) and passing an sslContext, one can connect to a cluster using TLS.
One can pass an empty array for the sslContext, but also explicitly specify non-default options for the TLS connection. For a full list of ssl context options see: https://www.php.net/manual/en/context.ssl.php.
This for example enables one to connect to an AWS ElastiCache redis cluster with in-transit encryption set to required for security reasons.
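As an added example that is neither this project's code nor phpredis's, here is how the feature described above is used from plain PHP, with the `verify_peer => false` context from the review discussion shown beside a hardened one. It assumes phpredis 5.3.2 or newer (the version the PR bumps to), that the `RedisCluster` constructor's seventh argument receives the PHP SSL context options directly as the description states (check the phpredis documentation for your installed version), and placeholder seed hosts and CA path; `connectCluster`, `hardenedSslContext`, `insecureTestOnlySslContext` and `sslContextWeaknesses` are names chosen here.

```php
<?php
declare(strict_types=1);

// Added example, not code from the project or from phpredis. Assumptions:
//  - phpredis >= 5.3.2, whose RedisCluster constructor takes a context array
//    as its seventh argument (hence the ext-redis ^5.3.2 bump in this PR);
//  - that array holds the PHP SSL context options listed at
//    https://www.php.net/manual/en/context.ssl.php, as the description says;
//  - seed host names and the CA bundle path are placeholders.

/**
 * Hardened context: validate the server certificate against a pinned CA
 * bundle, check the host name, and send SNI so a shared endpoint presents
 * the matching certificate. These are PHP's own defaults made explicit,
 * plus SNI_enabled, which the discussion above wanted on by default.
 */
function hardenedSslContext(string $caFile): array
{
    return [
        'verify_peer'         => true,
        'verify_peer_name'    => true,
        'allow_self_signed'   => false,
        'cafile'              => $caFile,
        'SNI_enabled'         => true,
        'disable_compression' => true,
    ];
}

/**
 * The variant the reviewer called anachronistic: verification is switched
 * off, so any host on the path can present its own certificate and the
 * client will accept it. Only acceptable for a throwaway local cluster.
 */
function insecureTestOnlySslContext(): array
{
    return ['verify_peer' => false, 'verify_peer_name' => false];
}

/**
 * Report which options in a context weaken certificate validation. Absent
 * keys fall back to PHP's defaults (verification on, self-signed rejected).
 */
function sslContextWeaknesses(array $context): array
{
    $weak = [];
    if (($context['verify_peer'] ?? true) === false) {
        $weak[] = 'verify_peer';
    }
    if (($context['verify_peer_name'] ?? true) === false) {
        $weak[] = 'verify_peer_name';
    }
    if (($context['allow_self_signed'] ?? false) === true) {
        $weak[] = 'allow_self_signed';
    }
    return $weak;
}

/**
 * Connect to a TLS-only cluster. Refuses plaintext seeds and, unless the
 * caller explicitly opts in, any context that disables verification.
 */
function connectCluster(array $seeds, array $sslContext, bool $allowInsecure = false): RedisCluster
{
    $extVersion = (string) phpversion('redis');
    if (!extension_loaded('redis') || version_compare($extVersion, '5.3.2', '<')) {
        throw new RuntimeException("phpredis >= 5.3.2 is required to pass an SSL context, found '{$extVersion}'");
    }
    foreach ($seeds as $seed) {
        if (!str_starts_with($seed, 'tls://')) {
            throw new InvalidArgumentException("seed {$seed} must use the tls:// scheme");
        }
    }
    $weak = sslContextWeaknesses($sslContext);
    if ($weak !== [] && !$allowInsecure) {
        throw new InvalidArgumentException('SSL context disables verification: ' . implode(', ', $weak));
    }
    // name=null (no named cluster), 1.5 s connect/read timeouts, non-persistent,
    // no auth, then the SSL context (shape assumed as noted above).
    return new RedisCluster(null, $seeds, 1.5, 1.5, false, null, $sslContext);
}

// Usage with the placeholder hosts from the description; only runs when a
// CA bundle path is supplied, so the file can be included without side effects.
$caFile = getenv('REDIS_CA_FILE');
if ($caFile !== false) {
    $seeds   = ['tls://nodeId-01.xxx:6379', 'tls://nodeId-02.xxx:6379'];
    $cluster = connectCluster($seeds, hardenedSslContext($caFile));
    // connectCluster($seeds, insecureTestOnlySslContext()) would throw here;
    // passing $allowInsecure = true is the explicit opt-in for local testing.
    echo 'connected to ', count($seeds), " seeds over TLS\n";
}
```

The check in `connectCluster` is where the `verify_peer => false` example from the unit test would be stopped before it reaches production configuration: a context that merely omits the keys passes, because PHP verifies by default, while one that sets them to `false` has to be paired with an explicit `$allowInsecure = true`.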