Adding TLS Support and shellchecking all .sh (#8)

Signed-off-by: David Collom <david.collom@jetstack.io>

Adding TLS Support and shellchecking all .sh (#8)
Signed-off-by: David Collom <david.collom@jetstack.io>
97b3d641 · David Collom · GitHub · eed5009b · 97b3d641 · 97b3d641
Unverified Commit 97b3d641 authored Jan 24, 2022 by David Collom Committed by GitHub Jan 24, 2022
Showing with 58 additions and 16 deletions

Dockerfile Dockerfile +19 -7

Makefile Makefile +5 -2

entrypoint.sh entrypoint.sh +24 -0

healthcheck.sh healthcheck.sh +6 -3

setupMasterSlave.sh setupMasterSlave.sh +4 -4

No files found.
--- a/Dockerfile
+++ b/Dockerfile
-FROM alpine:3.9
+FROM alpine:3.9 as builder

 MAINTAINER Opstree Solutions

@@ -10,19 +10,31 @@ ARG REDIS_DOWNLOAD_URL="http://download.redis.io/"

 ARG REDIS_VERSION="stable"

-RUN addgroup -S -g 1001 redis && adduser -S -G redis -u 1001 redis && \
-    apk add --no-cache su-exec tzdata make curl build-base linux-headers bash
+RUN apk add --no-cache su-exec tzdata make curl build-base linux-headers bash openssl-dev

 RUN curl -fL -Lo /tmp/redis-${REDIS_VERSION}.tar.gz ${REDIS_DOWNLOAD_URL}/redis-${REDIS_VERSION}.tar.gz && \
    cd /tmp && \
    tar xvzf redis-${REDIS_VERSION}.tar.gz && \
    cd redis-${REDIS_VERSION} && \
    make && \
-    make install && \
+    make install BUILD_TLS=yes && \
    mkdir -p /etc/redis && \
-    cp -f *.conf /etc/redis && \
-    rm -rf /tmp/redis-${REDIS_VERSION}* && \
-    apk del curl make
+    cp -f *.conf /etc/redis
+
+FROM alpine:3.9
+
+MAINTAINER Opstree Solutions
+
+LABEL VERSION=1.0 \
+      ARCH=AMD64 \
+      DESCRIPTION="A production grade performance tuned redis docker image created by Opstree Solutions"
+
+COPY --from=builder /usr/local/bin/redis-server /usr/local/bin/redis-server
+COPY --from=builder /usr/local/bin/redis-cli /usr/local/bin/redis-cli
+COPY --from=builder /etc/redis /etc/redis
+
+RUN addgroup -S -g 1001 redis && adduser -S -G redis -u 1001 redis && \
+    apk add --no-cache bash

 COPY redis.conf /etc/redis/redis.conf


--- a/Makefile
+++ b/Makefile
+REDIS_VERSION ?= 6.2.5
+EXPORTER_VERSION?=1.0
+
 build-redis-image:
-	docker build -t quay.io/opstree/redis:6.2.5 -f Dockerfile .
+	docker build -t quay.io/opstree/redis:$(REDIS_VERSION) -f Dockerfile .

 build-redis-exporter-image:
-	docker build -t opstree/redis-exporter:1.0 -f Dockerfile.exporter .
+	docker build -t opstree/redis-exporter:$(EXPORTER_VERSION) -f Dockerfile.exporter .

 setup-standalone-server-compose:
 	docker-compose -f docker-compose-standalone.yaml up -d

--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -50,6 +50,29 @@ redis_mode_setup() {
    fi
 }

+tls_setup() {
+    if [[ "${TLS_MODE}" == "true" ]]; then
+        {
+            echo port 0
+            echo tls-port 6379
+            echo tls-cert-file "${REDIS_TLS_CERT}"
+            echo tls-key-file "${REDIS_TLS_CERT_KEY}"
+            echo tls-ca-cert-file "${REDIS_TLS_CA_KEY}"
+            # echo tls-prefer-server-ciphers yes
+            echo tls-auth-clients optional
+        } >> /etc/redis/redis.conf
+
+        if [[ "${SETUP_MODE}" == "cluster" ]]; then
+            {
+                echo tls-replication yes
+                echo tls-cluster yes
+            } >> /etc/redis/redis.conf
+        fi
+    else
+        echo "Running without TLS mode"
+    fi
+}
+
 persistence_setup() {
    if [[ "${PERSISTENCE_ENABLED}" == "true" ]]; then
        {
@@ -87,6 +110,7 @@ main_function() {
    set_redis_password
    redis_mode_setup
    persistence_setup
+    tls_setup
    start_redis
 }


--- a/healthcheck.sh
+++ b/healthcheck.sh
 #!/bin/bash

 check_redis_health() {
-    if [[ -z "${REDIS_PASSWORD}" ]]; then
-        redis-cli ping
+    if [[ -n "${REDIS_PASSWORD}" ]]; then
+        export REDISCLI_AUTH="${REDIS_PASSWORD}"
+    fi
+    if [[ "${TLS_MODE}" == "true" ]]; then
+        redis-cli --tls --cert "${REDIS_TLS_CERT}" --key "${REDIS_TLS_CERT_KEY}" --cacert "${REDIS_TLS_CA_KEY}" -h "$(hostname)" ping
    else
-        redis-cli -a ${REDIS_PASSWORD} ping
+        redis-cli ping
    fi
 }


--- a/setupMasterSlave.sh
+++ b/setupMasterSlave.sh
@@ -6,14 +6,14 @@ redis_server_mode() {
        if [[ -z "${REDIS_PASSWORD}" ]]; then
             redis-cli --cluster create "${MASTER_LIST}" --cluster-yes
        else
-            redis-cli --cluster create ${MASTER_LIST} --cluster-yes -a "${REDIS_PASSWORD}"
-        fi 
+            redis-cli --cluster create "${MASTER_LIST}" --cluster-yes -a "${REDIS_PASSWORD}"
+        fi
    elif [[ "${SERVER_MODE}" == "slave" ]]; then
        echo "Redis server mode is slave"
        if [[ -z "${REDIS_PASSWORD}" ]]; then
-            redis-cli --cluster add-node ${SLAVE_IP} ${MASTER_IP} --cluster-slave
+            redis-cli --cluster add-node "${SLAVE_IP}" "${MASTER_IP}" --cluster-slave
        else
-            redis-cli --cluster add-node ${SLAVE_IP} ${MASTER_IP} --cluster-slave -a "${REDIS_PASSWORD}"
+            redis-cli --cluster add-node "${SLAVE_IP}" "${MASTER_IP}" --cluster-slave -a "${REDIS_PASSWORD}"
        fi
    else
        echo "Redis server mode is standalone"