Add SSL context for RedisCluster connections #85
Conversation
Is the template still foobar'd ? |
There was a problem hiding this comment.
I understand where this comes from, but the use case of verify_peer => false seems kinda anachronistic nowadays.
Possibly better to provision both host and client with a dummy certificate via https://github.com/FiloSottile/mkcert/blob/2a46726cebac0ff4e1f133d90b4e4c42f1edf44a/README.md ?
The template mentions to make a PR for features against a development branch: Pick the target branch based on the following criteria:
|
it is just an example for a unit test |
| @@ -8,7 +8,7 @@ | |||
| "license": "BSD-3-Clause", | |||
| "require": { | |||
| "php": "~8.1.0 || ~8.2.0 || ~8.3.0", | |||
| "ext-redis": "^5.0.2 || ^6.0", | |||
| "ext-redis": "^5.3.2 || ^6.0", | |||
There was a problem hiding this comment.
Passing a ssl/tls context to the RedisCluster constructor from the phpredis extension is apparently only introduced in version 5.3.2: https://github.com/phpredis/phpredis/blob/develop/CHANGELOG.md
I noticed this due to the failing pipeline.
This would of course be a breaking change though.
There was a problem hiding this comment.
I havent had this kind of change ever but I remember that I did modified some redis range in the past. IMO having a check during CD that all the required extension versions are fulfilled should be a good thing, so I do not have a problem with that change personally, but how is this kind of stuff handled in other OSS.
Do you have experience here @Ocramius?
robin-brabants
force-pushed
the
feature/redis-cluster-ssl-context
branch
3 times, most recently
from
8e32c6b
to
97961bd
Compare
|
I added a few commits which should fix the failing integration tests. Could they be ran again? |
|
I wonder if we can add an integration test where we actually setup a redis cluster with SSL and self-signed certificate to verify if this is actually working. I don't expect this in this PR tho as I think it would already suffice and I can understand that taking time to implement this kind of setup would be too much. |
robin-brabants
force-pushed
the
feature/redis-cluster-ssl-context
branch
from
c8db434
to
436e29e
Compare
|
Implemented an sslContext class right now which contains the sslcontext options in the fields. I omitted the 'capture_peer_cert' and 'capture_peer_cert_chain' options since they are not relevant for us in my opinion. I wanted to make some of the default values clearly visible in the constructor. I made them correspond to the actual sslContext default options at least for more recent php versions with the exception of 'SNI_enabled' which would make sense in my opinion to enable by default if possible. |
|
Sorry, havent reviewed yet. Will probably do so either today or tomorrow evening. |
boesing
force-pushed
the
feature/redis-cluster-ssl-context
branch
4 times, most recently
from
7706dbc
to
135268e
Compare
Signed-off-by: robin-brabants <robin.brabants@tngtech.com> Co-authored-by: robin-brabants <robin.brabants@tngtech.com> Signed-off-by: Maximilian Bösing <2189546+boesing@users.noreply.github.com>
…sl/tls context parameter was introduced in version 5.3.2 Signed-off-by: robin-brabants <robin.brabants@tngtech.com> Co-authored-by: robin-brabants <robin.brabants@tngtech.com> Signed-off-by: Maximilian Bösing <2189546+boesing@users.noreply.github.com>
Signed-off-by: robin-brabants <robin.brabants@tngtech.com> Co-authored-by: robin-brabants <robin.brabants@tngtech.com> Signed-off-by: Maximilian Bösing <2189546+boesing@users.noreply.github.com>
… TLS connection is attempted by default Signed-off-by: robin-brabants <robin.brabants@tngtech.com> Co-authored-by: robin-brabants <robin.brabants@tngtech.com> Signed-off-by: Maximilian Bösing <2189546+boesing@users.noreply.github.com>
… phpredis RedisCluster class Signed-off-by: robin-brabants <robin.brabants@tngtech.com> Co-authored-by: robin-brabants <robin.brabants@tngtech.com> Signed-off-by: Maximilian Bösing <2189546+boesing@users.noreply.github.com>
…ntext to the RedisCluster Signed-off-by: robin-brabants <robin.brabants@tngtech.com> Co-authored-by: robin-brabants <robin.brabants@tngtech.com> Signed-off-by: Maximilian Bösing <2189546+boesing@users.noreply.github.com>
…tor to the code Signed-off-by: robin-brabants <robin.brabants@tngtech.com> Co-authored-by: robin-brabants <robin.brabants@tngtech.com> Signed-off-by: Maximilian Bösing <2189546+boesing@users.noreply.github.com>
This refactors some of the `SslContext` implementation to have better readability, less complexity (regarding camel case handling, etc.) and explicit context serialization. Signed-off-by: Maximilian Bösing <2189546+boesing@users.noreply.github.com>
boesing
force-pushed
the
feature/redis-cluster-ssl-context
branch
from
135268e
to
d387d42
Compare
|
I refactored the code a little bit, especially since I am not a fan from those abbreviations all round tech. I'd say we should only allow 1:1 array notations which would be accepted by PHP as well, thats why I removed all that camel case handling and just have two dedicated methods, a named factory to instantiate our object from an SSL context array (in the notation supported by PHP) and a method which converts the object back to a PHP supported SSL context array. I also do not allow I also removed all the ssl context defaults. That prevents us from having issues with several PHP versions where (whyever) defaults might change and then we have to see how to provide defaults for both versions. I do not really see that we should do that and thus I'd say lets allow passing I also would say we should not require I'd love to get some review of my changes and some feedback. If that works for you and you still see the feature is serving your needs, I'd love to get a quick 👍🏼 so that we can proceed. But I'd be fine with releasing this without actual integration tests as its a new feature which needs to be explicitly implemented by projects and thus its okayish to depend on projects having integration testings up and running until we implement #88. Thanks for your massive work here and I'm happy to see your feedback. Had to rebase with latest 2.8.x as renovate updated |
|
Sorry that I only see your improvement right now, but was a bit preoccupied. |
|
@boesing |
boesing
changed the title
|
Thanks @robin-brabants! |
Description
This small feature allows to pass an sslContext to the RedisCluster constructor from the phpredis extension.
Without this feature, one could not connect to a cluster using TLS. Now when specifying the correct protocol for the seed nodes (e.g.: 'seeds' => ['tls://nodeId-01.xxx:6379', 'tls://nodeId-02.xxx:6379']) and passing an sslContext one can connect to a cluster using TLS .
One can pass an empty array for the sslContext, but also explicitly specify non-default options for the TLS connection. For a full list of ssl context options see: https://www.php.net/manual/en/context.ssl.php.
This for example enables one to connect to an AWS elasticache redis cluster with in-transit encryption set to required due to security reasons.