Add TLS/mTLS settings for postgreSQL and Redis #47
@@ -3,7 +3,7 @@ | |
import os | ||
import sys | ||
from urllib.parse import urlparse | ||
|
||
from .tls_settings import * | ||
import django.conf.locale | ||
from django.utils.crypto import get_random_string | ||
from kombu import Queue | ||
|
@@ -83,6 +83,11 @@ | |
db_options['charset'] = 'utf8mb4' | ||
JSON_FIELD_AVAILABLE = db_backend in ('mysql', 'postgresql') | ||
|
||
db_tls_config = build_db_tls_config(config, db_backend) | ||
if(db_tls_config is not None): | ||
db_options.update(db_tls_config) | ||
|
||
|
||
DATABASES = { | ||
'default': { | ||
'ENGINE': 'django.db.backends.' + db_backend, | ||
|
@@ -209,22 +214,28 @@ | |
|
||
HAS_REDIS = config.has_option('redis', 'location') | ||
if HAS_REDIS: | ||
CACHES['redis'] = { | ||
"BACKEND": "django_redis.cache.RedisCache", | ||
"LOCATION": config.get('redis', 'location'), | ||
"OPTIONS": { | ||
OPTIONS = { | ||
"CLIENT_CLASS": "django_redis.client.DefaultClient", | ||
"REDIS_CLIENT_KWARGS": {"health_check_interval": 30} | ||
} | ||
redis_tls_config = build_redis_tls_config(config) | ||
if(redis_tls_config is not None): | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You didn't format your code with Ruff? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ah, this file is an existing file, we don't run Ruff on it. Then you have to format your code manually, based on PEP8 coding style. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. formatted the code. |
||
OPTIONS["CONNECTION_POOL_KWARGS"] = redis_tls_config | ||
OPTIONS["REDIS_CLIENT_KWARGS"].update(redis_tls_config) | ||
|
||
if config.has_option('redis', 'password'): | ||
OPTIONS["PASSWORD"] = config.get('redis', 'password') | ||
|
||
CACHES['redis'] = { | ||
"BACKEND": "django_redis.cache.RedisCache", | ||
"LOCATION": config.get('redis', 'location'), | ||
"OPTIONS": OPTIONS | ||
} | ||
CACHES['redis_sessions'] = { | ||
"BACKEND": "django_redis.cache.RedisCache", | ||
"LOCATION": config.get('redis', 'location'), | ||
"TIMEOUT": 3600 * 24 * 30, | ||
"OPTIONS": { | ||
"CLIENT_CLASS": "django_redis.client.DefaultClient", | ||
"REDIS_CLIENT_KWARGS": {"health_check_interval": 30} | ||
} | ||
"OPTIONS": OPTIONS | ||
} | ||
if not HAS_MEMCACHED: | ||
CACHES['default'] = CACHES['redis'] | ||
|
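Review bot: `from .tls_settings import *` in the first hunk pulls every public name of the helper module into the settings namespace, while the settings only use two of them; `from .tls_settings import build_db_tls_config, build_redis_tls_config` keeps the dependency explicit and lets a linter catch a misspelled name. It is also placed between the stdlib imports and the third-party `django`/`kombu` imports rather than in a trailing local-import group. In the last hunk the lines `OPTIONS["CONNECTION_POOL_KWARGS"] = redis_tls_config` and `OPTIONS["REDIS_CLIENT_KWARGS"].update(redis_tls_config)` look like the old and new form of one statement; if both are meant to survive, a short comment should say why the same TLS kwargs are handed to both the connection pool and the client, since the markers are lost in this rendering and the intent cannot be read from the code.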
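--- /dev/null
+++ b/tls_settings.py
@@ -0,0 +1,34 @@
+
+def build_db_tls_config(config, db_backend):
+    db_ssl_mode = config.get('database', 'sslmode', fallback='disable')
+    #add postgresql TLS options
+    if db_ssl_mode != 'disable' and db_backend == 'postgresql':
+        db_tls_config = {
+            'sslmode': db_ssl_mode,
+            'sslrootcert': config.get('database', 'sslrootcert'),
+        }
+        #add postgresql mTLS options
+        if config.has_option('database', 'sslcert'):
+            db_tls_config.update({
+                'sslcert': config.get('database', 'sslcert'),
+                'sslkey': config.get('database', 'sslkey'),
+            })
+        return db_tls_config
+    return None
+
+def build_redis_tls_config(config):
+    redis_ssl_cert_reqs = config.get('redis', 'ssl_cert_reqs', fallback='none')
+    #add redis tls options
+    if redis_ssl_cert_reqs != 'none':
+        redis_tls_config = {
+            'ssl_cert_reqs': redis_ssl_cert_reqs,
+            'ssl_ca_certs': config.get('redis', 'ssl_ca_certs'),
+        }
+        #add redis mTLS options
+        if config.has_option('redis', 'ssl_certfile'):
+            redis_tls_config.update({
+                'ssl_keyfile': config.get('redis', 'ssl_keyfile'),
+                'ssl_certfile': config.get('redis', 'ssl_certfile'),
+            })
+        return redis_tls_config
+    return None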
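Review bot: build_db_tls_config silently returns None when `sslmode` is set to something other than `disable` but `db_backend` is not `postgresql`, so an operator who enables TLS in the config for another backend gets a plaintext database connection with no warning; that branch should raise a configuration error (or at least log) instead of falling through to `return None`. The postgresql branch also reads `sslrootcert` without a `fallback`, which makes it mandatory even for libpq modes such as `require` where it is optional and turns a missing option into a `configparser.NoOptionError` at import time; reading it with `fallback=None` and only adding the key when a value is present would match libpq's own optionality, and build_redis_tls_config has the same unconditional `ssl_ca_certs` read. Neither helper validates the mode string (`sslmode`, `ssl_cert_reqs`) against the values the client library accepts, so a typo is only discovered at connect time. Minor style: PEP 8 asks for a space after `#` in comments, i.e. `# Add postgresql TLS options`, and both functions would benefit from a one-line docstring naming the config section and keys they read.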
Please rename it to
redis_options
. We don't expose it as application settings, no reason to make it all-uppercase.There was a problem hiding this comment.
Renamed to
redis_options
.