From 97b3d641caccbce6abbc25b8146d202d5b178ebb Mon Sep 17 00:00:00 2001
From: David Collom
Date: Mon, 24 Jan 2022 11:52:51 +0000
Subject: [PATCH] Adding TLS Support and shellchecking all .sh (#8)

Signed-off-by: David Collom
---
 Dockerfile | 26 +++++++++++++++++++-------
 Makefile | 7 +++++--
 entrypoint.sh | 24 ++++++++++++++++++++++++
 healthcheck.sh | 9 ++++++---
 setupMasterSlave.sh | 8 ++++----
 5 files changed, 58 insertions(+), 16 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index fb97bd6..0e8b5b3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.9
+FROM alpine:3.9 as builder
 
 MAINTAINER Opstree Solutions
 
@@ -10,19 +10,31 @@
 ARG REDIS_DOWNLOAD_URL="http://download.redis.io/"
 ARG REDIS_VERSION="stable"
 
-RUN addgroup -S -g 1001 redis && adduser -S -G redis -u 1001 redis && \
-    apk add --no-cache su-exec tzdata make curl build-base linux-headers bash
+RUN apk add --no-cache su-exec tzdata make curl build-base linux-headers bash openssl-dev
 
 RUN curl -fL -Lo /tmp/redis-${REDIS_VERSION}.tar.gz ${REDIS_DOWNLOAD_URL}/redis-${REDIS_VERSION}.tar.gz && \
     cd /tmp && \
     tar xvzf redis-${REDIS_VERSION}.tar.gz && \
     cd redis-${REDIS_VERSION} && \
     make && \
-    make install && \
+    make install BUILD_TLS=yes && \
     mkdir -p /etc/redis && \
-    cp -f *.conf /etc/redis && \
-    rm -rf /tmp/redis-${REDIS_VERSION}* && \
-    apk del curl make
+    cp -f *.conf /etc/redis
+
+FROM alpine:3.9
+
+MAINTAINER Opstree Solutions
+
+LABEL VERSION=1.0 \
+    ARCH=AMD64 \
+    DESCRIPTION="A production grade performance tuned redis docker image created by Opstree Solutions"
+
+COPY --from=builder /usr/local/bin/redis-server /usr/local/bin/redis-server
+COPY --from=builder /usr/local/bin/redis-cli /usr/local/bin/redis-cli
+COPY --from=builder /etc/redis /etc/redis
+
+RUN addgroup -S -g 1001 redis && adduser -S -G redis -u 1001 redis && \
+    apk add --no-cache bash
 
 COPY redis.conf /etc/redis/redis.conf
 
diff --git a/Makefile b/Makefile
index e79eb7b..ede1763 100644
--- a/Makefile
+++ b/Makefile
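Review bot: In the second Dockerfile hunk the binaries are compiled by the plain `make` on the line before `make install BUILD_TLS=yes`, so the first build has no OpenSSL support; Redis's Makefile appears to notice the changed CFLAGS and rebuild during the install step, but that means compiling twice and relying on that detection, so pass the flag to the build itself: `make BUILD_TLS=yes && \` followed by `make install BUILD_TLS=yes && \`. The runtime stage installs only `bash`, yet a TLS build of redis-server and redis-cli links dynamically against libssl/libcrypto; alpine:3.9 seems to carry those as apk-tools dependencies, but declaring them explicitly (`apk add --no-cache bash libssl1.1 libcrypto1.1`) stops the image from working by accident. `su-exec` and `tzdata` were in the old single-stage image and are not installed in the runtime stage — if entrypoint.sh uses su-exec to drop to the `redis` user (not visible in this patch), that will now fail at startup. The remainder of the Dockerfile, including any `USER` directive, lies outside the hunk.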
@@ -1,8 +1,11 @@
+REDIS_VERSION ?= 6.2.5
+EXPORTER_VERSION?=1.0
+
 build-redis-image:
-	docker build -t quay.io/opstree/redis:6.2.5 -f Dockerfile .
+	docker build -t quay.io/opstree/redis:$(REDIS_VERSION) -f Dockerfile .
 
 build-redis-exporter-image:
-	docker build -t opstree/redis-exporter:1.0 -f Dockerfile.exporter .
+	docker build -t opstree/redis-exporter:$(EXPORTER_VERSION) -f Dockerfile.exporter .
 
 setup-standalone-server-compose:
 	docker-compose -f docker-compose-standalone.yaml up -d
diff --git a/entrypoint.sh b/entrypoint.sh
index 7890ac0..d97833d 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -50,6 +50,29 @@ redis_mode_setup() {
     fi
 }
 
+tls_setup() {
+    if [[ "${TLS_MODE}" == "true" ]]; then
+        {
+            echo port 0
+            echo tls-port 6379
+            echo tls-cert-file "${REDIS_TLS_CERT}"
+            echo tls-key-file "${REDIS_TLS_CERT_KEY}"
+            echo tls-ca-cert-file "${REDIS_TLS_CA_KEY}"
+            # echo tls-prefer-server-ciphers yes
+            echo tls-auth-clients optional
+        } >> /etc/redis/redis.conf
+
+        if [[ "${SETUP_MODE}" == "cluster" ]]; then
+            {
+                echo tls-replication yes
+                echo tls-cluster yes
+            } >> /etc/redis/redis.conf
+        fi
+    else
+        echo "Running without TLS mode"
+    fi
+}
+
 persistence_setup() {
     if [[ "${PERSISTENCE_ENABLED}" == "true" ]]; then
         {
@@ -87,6 +110,7 @@ main_function() {
     set_redis_password
     redis_mode_setup
     persistence_setup
+    tls_setup
     start_redis
 }
 
diff --git a/healthcheck.sh b/healthcheck.sh
index a28ecd2..a38d9b6 100755
--- a/healthcheck.sh
+++ b/healthcheck.sh
@@ -1,10 +1,13 @@
 #!/bin/bash
 
 check_redis_health() {
-    if [[ -z "${REDIS_PASSWORD}" ]]; then
-        redis-cli ping
+    if [[ -n "${REDIS_PASSWORD}" ]]; then
+        export REDISCLI_AUTH="${REDIS_PASSWORD}"
+    fi
+    if [[ "${TLS_MODE}" == "true" ]]; then
+        redis-cli --tls --cert "${REDIS_TLS_CERT}" --key "${REDIS_TLS_CERT_KEY}" --cacert "${REDIS_TLS_CA_KEY}" -h "$(hostname)" ping
     else
-        redis-cli -a ${REDIS_PASSWORD} ping
+        redis-cli ping
     fi
 }
 
diff --git a/setupMasterSlave.sh b/setupMasterSlave.sh
index 6889e73..771d4bc 100755
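Review bot: `tls_setup` writes `tls-cert-file`, `tls-key-file` and `tls-ca-cert-file` without checking that `REDIS_TLS_CERT`, `REDIS_TLS_CERT_KEY` and `REDIS_TLS_CA_KEY` are set, so an unset variable produces a directive with an empty path and redis-server refuses to start with a less obvious error; a guard at the top of the `true` branch such as `: "${REDIS_TLS_CERT:?REDIS_TLS_CERT is required when TLS_MODE=true}"` (and the same for the other two) fails fast with a clear message. `tls-auth-clients optional` is hard-coded, which means a client that presents no certificate is still accepted and only the password, if any, protects the port — worth a comment like `# optional: client certificates are verified when offered but not required; set to yes to require mutual TLS`, or an env-driven value. `REDIS_TLS_CA_KEY` holds a CA certificate path, not a key, which is easy to misread across the three scripts that use it. The commented-out `tls-prefer-server-ciphers` line should be enabled or dropped rather than left as dead code.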
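Review bot: In healthcheck.sh the TLS branch connects to `-h "$(hostname)"` while the plain branch keeps redis-cli's default of 127.0.0.1; the reason is not stated, and if redis.conf binds only to loopback or the container hostname does not resolve, the check reports the server down for a reason unrelated to its health. If the hostname is needed so the server certificate's name matches, say so with `# connect by hostname so the server certificate's name check passes`; otherwise use the same target in both branches. `export REDISCLI_AUTH` is the right way to keep the password out of the process list, and the `TLS_MODE` branch should likewise fail fast when `REDIS_TLS_CERT`, `REDIS_TLS_CERT_KEY` or `REDIS_TLS_CA_KEY` is empty, e.g. `: "${REDIS_TLS_CA_KEY:?required when TLS_MODE=true}"`, instead of passing an empty `--cacert`.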
--- a/setupMasterSlave.sh
+++ b/setupMasterSlave.sh
@@ -6,14 +6,14 @@ redis_server_mode() {
         if [[ -z "${REDIS_PASSWORD}" ]]; then
             redis-cli --cluster create "${MASTER_LIST}" --cluster-yes
         else
-            redis-cli --cluster create ${MASTER_LIST} --cluster-yes -a "${REDIS_PASSWORD}"
-        fi
+            redis-cli --cluster create "${MASTER_LIST}" --cluster-yes -a "${REDIS_PASSWORD}"
+        fi
     elif [[ "${SERVER_MODE}" == "slave" ]]; then
         echo "Redis server mode is slave"
         if [[ -z "${REDIS_PASSWORD}" ]]; then
-            redis-cli --cluster add-node ${SLAVE_IP} ${MASTER_IP} --cluster-slave
+            redis-cli --cluster add-node "${SLAVE_IP}" "${MASTER_IP}" --cluster-slave
         else
-            redis-cli --cluster add-node ${SLAVE_IP} ${MASTER_IP} --cluster-slave -a "${REDIS_PASSWORD}"
+            redis-cli --cluster add-node "${SLAVE_IP}" "${MASTER_IP}" --cluster-slave -a "${REDIS_PASSWORD}"
         fi
     else
         echo "Redis server mode is standalone"
-- 
2.26.0
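Review bot: The `redis-cli --cluster create` and `--cluster add-node` calls in this hunk gain quoting but no `--tls` handling, while the same commit makes `TLS_MODE=true` write `port 0` and `tls-port 6379` into redis.conf, so cluster setup will be unable to reach a TLS-enabled node over plaintext. The hunk also keeps `-a "${REDIS_PASSWORD}"` on the command line although healthcheck.sh in this patch switches to `REDISCLI_AUTH`, which keeps the password out of process listings; the same approach works here and collapses each password/no-password pair into one call. A TLS argument array set once at the top of `redis_server_mode` (which starts before the hunk) covers both branches. `REDIS_TLS_CA_KEY` is a CA certificate path despite its name.
```bash
redis_server_mode() {
    if [[ -n "${REDIS_PASSWORD}" ]]; then
        export REDISCLI_AUTH="${REDIS_PASSWORD}"
    fi
    TLS_ARGS=()
    if [[ "${TLS_MODE}" == "true" ]]; then
        TLS_ARGS=(--tls --cert "${REDIS_TLS_CERT}" --key "${REDIS_TLS_CERT_KEY}" --cacert "${REDIS_TLS_CA_KEY}")
    fi
    # … unchanged: SERVER_MODE dispatch and echo lines …
            redis-cli "${TLS_ARGS[@]}" --cluster create "${MASTER_LIST}" --cluster-yes
    # … unchanged: slave branch …
            redis-cli "${TLS_ARGS[@]}" --cluster add-node "${SLAVE_IP}" "${MASTER_IP}" --cluster-slave
```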