[cherry-pick] Add Insecure TLS verify (#172) (#175)

Signed-off-by: Shaad7 <abdullah.alshaad@appscode.com>

Makefile

@@ -43,7 +43,7 @@ else
 endif
 
 RESTIC_VER       := 0.13.1
-REDIS_DUMP_VER   := 0.8.0-ac
+REDIS_DUMP_VER   := 0.8.1-ac
 
 ###
 ### These variables should not need tweaking.

go.mod

@@ -3,7 +3,7 @@ module stash.appscode.dev/redis
 go 1.18
 
 require (
-	github.com/mediocregopher/radix/v3 v3.8.0
+	github.com/mediocregopher/radix/v3 v3.8.1
 	github.com/spf13/cobra v1.6.0
 	github.com/yannh/redis-dump-go v0.0.0-00010101000000-000000000000
 	go.bytebuilders.dev/license-verifier/kubernetes v0.12.0
@@ -97,4 +97,4 @@ require (
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
-replace github.com/yannh/redis-dump-go => github.com/kubedb/redis-dump-go v0.8.1-0.20230429151509-2f2a7ce60763
+replace github.com/yannh/redis-dump-go => github.com/kubedb/redis-dump-go v0.8.1-ac

go.sum

@@ -293,8 +293,8 @@ github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kubedb/redis-dump-go v0.8.1-0.20230429151509-2f2a7ce60763 h1:HyNjcmSJSLEPXN+y6wNNLtNPfEcZiPotGPHbnkhj1g0=
-github.com/kubedb/redis-dump-go v0.8.1-0.20230429151509-2f2a7ce60763/go.mod h1:u6sFg98XPtTAaIyUv5oq+4D8D6krErkijf78cV30VOA=
+github.com/kubedb/redis-dump-go v0.8.1-ac h1:Cv126EMUQxBOKvVJCO/d4SRuBQBIuQzFvgPayG0mSlI=
+github.com/kubedb/redis-dump-go v0.8.1-ac/go.mod h1:nEQHeV2eDU9UjWkd+PXjU5skPdS9CAGXaQs39VGi1NA=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
@@ -306,8 +306,8 @@ github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNx
 github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI=
-github.com/mediocregopher/radix/v3 v3.8.0 h1:HI8EgkaM7WzsrFpYAkOXIgUKbjNonb2Ne7K6Le61Pmg=
-github.com/mediocregopher/radix/v3 v3.8.0/go.mod h1:8FL3F6UQRXHXIBSPUs5h0RybMF8i4n7wVopoX3x7Bv8=
+github.com/mediocregopher/radix/v3 v3.8.1 h1:rOkHflVuulFKlwsLY01/M2cM2tWCjDoETcMqKbAWu1M=
+github.com/mediocregopher/radix/v3 v3.8.1/go.mod h1:8FL3F6UQRXHXIBSPUs5h0RybMF8i4n7wVopoX3x7Bv8=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=

pkg/backup.go

@@ -205,19 +205,23 @@ func (opt *redisOptions) backupRedis(targetRef api_v1beta1.TargetRef) (*restic.B
 	if err != nil {
 		return nil, err
 	}
+	err = opt.writeTLSCertsToFile(appBinding)
+	if err != nil {
+		return nil, err
+	}
 
 	s := redisdump.Host{
 		Host:       hostname,
 		Port:       int(port),
 		Username:   username,
 		Password:   password,
-		TlsHandler: nil, // TODO(Shaad7): Add support for tls protected redis
+		TlsHandler: nil,
 	}
 
 	session := opt.newSessionWrapper(RedisDumpCMD)
 	session.setDatabaseCredentials(password)
 
-	err = opt.setTLSParameters(appBinding, session.cmd)
+	opt.setTLSParametersToCMD(appBinding, session.cmd)
 	if err != nil {
 		return nil, err
 	}
@@ -227,6 +231,13 @@ func (opt *redisOptions) backupRedis(targetRef api_v1beta1.TargetRef) (*restic.B
 		return nil, err
 	}
 
+	if appBinding.Spec.ClientConfig.CABundle != nil {
+		// clear all the args ( tls args )
+		session.cmd.Args = session.cmd.Args[:0]
+		session.cmd.Args = append(session.cmd.Args, "--tls")
+		session.cmd.Args = append(session.cmd.Args, "--insecure")
+	}
+
 	session.cmd.Args = append(session.cmd.Args, "-host", s.Host)
 	// if port is specified, append port in the arguments
 	if s.Port != 0 {

pkg/restore.go

@@ -184,12 +184,27 @@ func (opt *redisOptions) restoreRedis(targetRef api_v1beta1.TargetRef) (*restic.
 		return nil, err
 	}
 
+	err = opt.writeTLSCertsToFile(appBinding)
+	if err != nil {
+		return nil, err
+	}
+
+	var tlsHandler *redisdump.TlsHandler = nil
+	ca, cert, key := opt.getTLSParameter(appBinding)
+	if ca != "" {
+		tlsHandler = &redisdump.TlsHandler{
+			CACertPath: ca,
+			CertPath:   cert,
+			KeyPath:    key,
+		}
+	}
+
 	s := redisdump.Host{
 		Host:       hostname,
 		Port:       int(port),
 		Username:   username,
 		Password:   password,
-		TlsHandler: nil, // TODO(Shaad7): Add support for tls protected redis
+		TlsHandler: tlsHandler,
 	}
 
 	if hosts, err := redisdump.GetHosts(s, opt.NWorkers); err != nil {
@@ -200,6 +215,13 @@ func (opt *redisOptions) restoreRedis(targetRef api_v1beta1.TargetRef) (*restic.
 		startTime := time.Now()
 		beforeKeys := 0
 		afterKeys := 0
+		if appBinding.Spec.ClientConfig.CABundle != nil {
+			for i := range hosts {
+				hosts[i].TlsHandler = &redisdump.TlsHandler{
+					SkipVerify: true,
+				}
+			}
+		}
 
 		for _, host := range hosts {
 			session := opt.newSessionWrapper(RedisRestoreCMD)
@@ -209,7 +231,7 @@ func (opt *redisOptions) restoreRedis(targetRef api_v1beta1.TargetRef) (*restic.
 				return nil, err
 			}
 
-			err = opt.setTLSParameters(appBinding, session.cmd)
+			opt.setTLSParametersToCMD(appBinding, session.cmd)
 			if err != nil {
 				return nil, err
 			}

pkg/util.go

@@ -115,7 +115,7 @@ func (session *sessionWrapper) setDatabaseCredentials(password string) {
 	session.sh.SetEnv(EnvRedisDumpGoAuth, password)
 }
 
-func (opt *redisOptions) setTLSParameters(appBinding *appcatalog.AppBinding, cmd *restic.Command) error {
+func (opt *redisOptions) writeTLSCertsToFile(appBinding *appcatalog.AppBinding) error {
 	// if ssl enabled, add ca.crt in the arguments
 	if appBinding.Spec.ClientConfig.CABundle != nil {
 		parameters := v1alpha1.RedisConfiguration{}
@@ -128,9 +128,6 @@ func (opt *redisOptions) setTLSParameters(appBinding *appcatalog.AppBinding, cmd
 		if err := os.WriteFile(filepath.Join(opt.setupOptions.ScratchDir, core.ServiceAccountRootCAKey), appBinding.Spec.ClientConfig.CABundle, 0o600); err != nil {
 			return err
 		}
-		caPath := filepath.Join(opt.setupOptions.ScratchDir, core.ServiceAccountRootCAKey)
-		cmd.Args = append(cmd.Args, "--tls")
-		cmd.Args = append(cmd.Args, "--cacert", caPath)
 
 		if parameters.ClientCertSecret != nil {
 			clientSecret, err := opt.kubeClient.CoreV1().Secrets(opt.namespace).Get(context.TODO(), parameters.ClientCertSecret.Name, metav1.GetOptions{})
@@ -145,7 +142,6 @@ func (opt *redisOptions) setTLSParameters(appBinding *appcatalog.AppBinding, cmd
 			if err := os.WriteFile(filepath.Join(opt.setupOptions.ScratchDir, core.TLSCertKey), certByte, 0o600); err != nil {
 				return err
 			}
-			certPath := filepath.Join(opt.setupOptions.ScratchDir, core.TLSCertKey)
 
 			keyByte, ok := clientSecret.Data[core.TLSPrivateKeyKey]
 			if !ok {
@@ -155,12 +151,58 @@ func (opt *redisOptions) setTLSParameters(appBinding *appcatalog.AppBinding, cmd
 			if err := os.WriteFile(filepath.Join(opt.setupOptions.ScratchDir, core.TLSPrivateKeyKey), keyByte, 0o600); err != nil {
 				return err
 			}
+
+		}
+	}
+	return nil
+}
+
+func (opt *redisOptions) setTLSParametersToCMD(appBinding *appcatalog.AppBinding, cmd *restic.Command) {
+	// if ssl enabled, add ca.crt in the arguments
+	if appBinding.Spec.ClientConfig.CABundle != nil {
+		parameters := v1alpha1.RedisConfiguration{}
+		if appBinding.Spec.Parameters != nil {
+			if err := json.Unmarshal(appBinding.Spec.Parameters.Raw, &parameters); err != nil {
+				klog.Errorf("unable to unmarshal appBinding.Spec.Parameters.Raw. Reason: %v", err)
+			}
+		}
+
+		caPath := filepath.Join(opt.setupOptions.ScratchDir, core.ServiceAccountRootCAKey)
+		cmd.Args = append(cmd.Args, "--tls")
+		cmd.Args = append(cmd.Args, "--cacert", caPath)
+
+		if parameters.ClientCertSecret != nil {
+			certPath := filepath.Join(opt.setupOptions.ScratchDir, core.TLSCertKey)
+
 			keyPath := filepath.Join(opt.setupOptions.ScratchDir, core.TLSPrivateKeyKey)
 
 			cmd.Args = append(cmd.Args, "--cert", certPath, "--key", keyPath)
 		}
 	}
-	return nil
+}
+
+func (opt *redisOptions) getTLSParameter(appBinding *appcatalog.AppBinding) (string, string, string) {
+	// if ssl enabled, add ca.crt in the arguments
+	if appBinding.Spec.ClientConfig.CABundle != nil {
+		parameters := v1alpha1.RedisConfiguration{}
+		if appBinding.Spec.Parameters != nil {
+			if err := json.Unmarshal(appBinding.Spec.Parameters.Raw, &parameters); err != nil {
+				klog.Errorf("unable to unmarshal appBinding.Spec.Parameters.Raw. Reason: %v", err)
+			}
+		}
+
+		caPath := filepath.Join(opt.setupOptions.ScratchDir, core.ServiceAccountRootCAKey)
+
+		if parameters.ClientCertSecret != nil {
+			certPath := filepath.Join(opt.setupOptions.ScratchDir, core.TLSCertKey)
+
+			keyPath := filepath.Join(opt.setupOptions.ScratchDir, core.TLSPrivateKeyKey)
+
+			return caPath, certPath, keyPath
+		}
+		return caPath, "", ""
+	}
+	return "", "", ""
 }
 
 func (session *sessionWrapper) setUserArgs(args string) {