feat(server): redis with public TLS certs support (#3783)

Co-authored-by: knqyf263 <knqyf263@gmail.com>
aquasecurity · Mar 30, 2023 · 10796a2 · 10796a2
1 parent abff139
commit 10796a2
Show file tree

Hide file tree

Showing 7 changed files with 42 additions and 5 deletions.
diff --git a/docs/docs/vulnerability/examples/cache.md b/docs/docs/vulnerability/examples/cache.md
@@ -44,13 +44,18 @@ Two options:
 $ trivy server --cache-backend redis://localhost:6379
 ```
 
-Trivy also support for connecting to Redis using TLS, you only need to specify `--redis-ca` , `--redis-cert` , and `--redis-key` option.
+If you want to use TLS with Redis, you can enable it by specifying the `--redis-tls` flag.
+
+```shell
+$ trivy server --cache-backend redis://localhost:6379 --redis-tls
+```
+
+Trivy also supports for connecting to Redis with your certificates.
+You need to specify `--redis-ca` , `--redis-cert` , and `--redis-key` options.
 
 ```
 $ trivy server --cache-backend redis://localhost:6379 \
   --redis-ca /path/to/ca-cert.pem \
   --redis-cert /path/to/cert.pem \
   --redis-key /path/to/key.pem
-```
-
-TLS option for redis is hidden from Trivy command-line flag, but you still can use it.
+```
diff --git a/helm/trivy/README.md b/helm/trivy/README.md
@@ -73,6 +73,7 @@ The following table lists the configurable parameters of the Trivy chart and the
 | `trivy.cache.redis.enabled`           | Enable Redis as caching backend                                         | `false` |
 | `trivy.cache.redis.url`               | Specify redis connection url, e.g. redis://redis.redis.svc:6379         | `` |
 | `trivy.cache.redis.ttl`               | Specify redis TTL, e.g. 3600s or 24h                                    | `` |
+| `trivy.cache.redis.tls`               | Enable Redis TLS with public certificates                               | `` |
 | `trivy.serverToken`                   | The token to authenticate Trivy client with Trivy server                | `` |
 | `trivy.existingSecret`                | existingSecret if an existing secret has been created outside the chart. Overrides gitHubToken, registryUsername, registryPassword, serverToken | `` |
 | `trivy.podAnnotations`                | Annotations for pods created by statefulset                             | `{}` |

diff --git a/helm/trivy/templates/configmap.yaml b/helm/trivy/templates/configmap.yaml
@@ -10,6 +10,7 @@ data:
 {{- if .Values.trivy.cache.redis.enabled }}
   TRIVY_CACHE_BACKEND: {{ .Values.trivy.cache.redis.url | quote }}
   TRIVY_CACHE_TTL: {{ .Values.trivy.cache.redis.ttl | quote }}
+  TRIVY_REDIS_TLS: {{ .Values.trivy.cache.redis.tls | quote }}
 {{- end }}
   TRIVY_DEBUG: {{ .Values.trivy.debugMode | quote }}
   TRIVY_SKIP_DB_UPDATE: {{ .Values.trivy.skipDBUpdate | quote }}

diff --git a/helm/trivy/values.yaml b/helm/trivy/values.yaml
@@ -114,6 +114,7 @@ trivy:
       enabled: false
       url: ""  # e.g. redis://redis.redis.svc:6379
       ttl: ""  # e.g 3600s, 24h
+      tls: false
   serviceAccount:
     annotations: {}
       # eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME

diff --git a/pkg/commands/operation/operation.go b/pkg/commands/operation/operation.go
@@ -54,6 +54,10 @@ func NewCache(c flag.CacheOptions) (Cache, error) {
 				Certificates: []tls.Certificate{cert},
 				MinVersion:   tls.VersionTLS12,
 			}
+		} else if c.RedisTLS {
+			options.TLSConfig = &tls.Config{
+				MinVersion: tls.VersionTLS12,
+			}
 		}
 
 		redisCache := cache.NewRedisCache(options, c.CacheTTL)

diff --git a/pkg/flag/cache_flags.go b/pkg/flag/cache_flags.go
@@ -37,6 +37,12 @@ var (
 		Value:      time.Duration(0),
 		Usage:      "cache TTL when using redis as cache backend",
 	}
+	RedisTLSFlag = Flag{
+		Name:       "redis-tls",
+		ConfigName: "cache.redis.tls",
+		Value:      false,
+		Usage:      "enable redis TLS with public certificates, if using redis as cache backend",
+	}
 	RedisCACertFlag = Flag{
 		Name:       "redis-ca",
 		ConfigName: "cache.redis.ca",
@@ -63,6 +69,7 @@ type CacheFlagGroup struct {
 	CacheBackend *Flag
 	CacheTTL     *Flag
 
+	RedisTLS    *Flag
 	RedisCACert *Flag
 	RedisCert   *Flag
 	RedisKey    *Flag
@@ -72,6 +79,7 @@ type CacheOptions struct {
 	ClearCache   bool
 	CacheBackend string
 	CacheTTL     time.Duration
+	RedisTLS     bool
 	RedisOptions
 }
 
@@ -88,6 +96,7 @@ func NewCacheFlagGroup() *CacheFlagGroup {
 		ClearCache:   &ClearCacheFlag,
 		CacheBackend: &CacheBackendFlag,
 		CacheTTL:     &CacheTTLFlag,
+		RedisTLS:     &RedisTLSFlag,
 		RedisCACert:  &RedisCACertFlag,
 		RedisCert:    &RedisCertFlag,
 		RedisKey:     &RedisKeyFlag,
@@ -99,7 +108,7 @@ func (fg *CacheFlagGroup) Name() string {
 }
 
 func (fg *CacheFlagGroup) Flags() []*Flag {
-	return []*Flag{fg.ClearCache, fg.CacheBackend, fg.CacheTTL, fg.RedisCACert, fg.RedisCert, fg.RedisKey}
+	return []*Flag{fg.ClearCache, fg.CacheBackend, fg.CacheTTL, fg.RedisTLS, fg.RedisCACert, fg.RedisCert, fg.RedisKey}
 }
 
 func (fg *CacheFlagGroup) ToOptions() (CacheOptions, error) {
@@ -127,6 +136,7 @@ func (fg *CacheFlagGroup) ToOptions() (CacheOptions, error) {
 		ClearCache:   getBool(fg.ClearCache),
 		CacheBackend: cacheBackend,
 		CacheTTL:     getDuration(fg.CacheTTL),
+		RedisTLS:     getBool(fg.RedisTLS),
 		RedisOptions: redisOptions,
 	}, nil
 }

diff --git a/pkg/flag/cache_flags_test.go b/pkg/flag/cache_flags_test.go
@@ -16,6 +16,7 @@ func TestCacheFlagGroup_ToOptions(t *testing.T) {
 		ClearCache   bool
 		CacheBackend string
 		CacheTTL     time.Duration
+		RedisTLS     bool
 		RedisCACert  string
 		RedisCert    string
 		RedisKey     string
@@ -64,6 +65,18 @@ func TestCacheFlagGroup_ToOptions(t *testing.T) {
 			},
 			assertion: require.NoError,
 		},
+		{
+			name: "redis tls with public certificates",
+			fields: fields{
+				CacheBackend: "redis://localhost:6379",
+				RedisTLS:     true,
+			},
+			want: flag.CacheOptions{
+				CacheBackend: "redis://localhost:6379",
+				RedisTLS:     true,
+			},
+			assertion: require.NoError,
+		},
 		{
 			name: "unknown backend",
 			fields: fields{
@@ -89,6 +102,7 @@ func TestCacheFlagGroup_ToOptions(t *testing.T) {
 			viper.Set(flag.ClearCacheFlag.ConfigName, tt.fields.ClearCache)
 			viper.Set(flag.CacheBackendFlag.ConfigName, tt.fields.CacheBackend)
 			viper.Set(flag.CacheTTLFlag.ConfigName, tt.fields.CacheTTL)
+			viper.Set(flag.RedisTLSFlag.ConfigName, tt.fields.RedisTLS)
 			viper.Set(flag.RedisCACertFlag.ConfigName, tt.fields.RedisCACert)
 			viper.Set(flag.RedisCertFlag.ConfigName, tt.fields.RedisCert)
 			viper.Set(flag.RedisKeyFlag.ConfigName, tt.fields.RedisKey)
@@ -97,6 +111,7 @@ func TestCacheFlagGroup_ToOptions(t *testing.T) {
 				ClearCache:   &flag.ClearCacheFlag,
 				CacheBackend: &flag.CacheBackendFlag,
 				CacheTTL:     &flag.CacheTTLFlag,
+				RedisTLS:     &flag.RedisTLSFlag,
 				RedisCACert:  &flag.RedisCACertFlag,
 				RedisCert:    &flag.RedisCertFlag,
 				RedisKey:     &flag.RedisKeyFlag,