Fix TLS support for workhorse redis dialer to standalone Redis

Sylvester Chin requested to merge sc1-add-tls-support-to-dialer into master

What does this MR do and why?

This MR adds tls.DialWithDialer to support TLS connections. This fixes the regression introduced in !134596 (merged) where TLS support was missing.

Related to omnibus-gitlab#8329 (comment 1668323442)

Note that this MR fixes the TLS support for standalone Redis. TLS support for sentinel is not provided yet (track efforts in #421656).
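The dialer shape this MR describes (plain TCP dial when no TLS config is given, TLS handshake when one is), shown as an added example that is not workhorse's code. It reconstructs a hypothetical createDialer, uses tls.Dialer.DialContext so the caller's ctx also bounds the handshake (tls.DialWithDialer takes no ctx), and exercises it against an in-process TLS listener with a constructed self-signed certificate that stands in for the redis.crt produced by gen-test-certs.sh. The two runs show why the local InsecureSkipVerify tweak is only a shortcut: pinning the test certificate in RootCAs makes the handshake succeed with verification still on, and an empty RootCAs pool makes it fail.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// createDialer is a hypothetical reconstruction of the dialer shape in the MR, not
// workhorse's code: a non-nil tlsConfig selects a TLS handshake, nil a plain TCP dial.
// tls.Dialer.DialContext is used so ctx bounds the handshake as well as the TCP connect.
func createDialer(tlsConfig *tls.Config) func(ctx context.Context, network, addr string) (net.Conn, error) {
	netDialer := &net.Dialer{Timeout: 5 * time.Second}
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		if tlsConfig != nil {
			d := &tls.Dialer{NetDialer: netDialer, Config: tlsConfig}
			return d.DialContext(ctx, network, addr)
		}
		return netDialer.DialContext(ctx, network, addr)
	}
}

// selfSignedCert builds a throwaway self-signed server certificate for 127.0.0.1
// (constructed test material standing in for the redis.crt from gen-test-certs.sh).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "redis-test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// DialScenario starts an in-process TLS listener with the test certificate and dials it
// through createDialer. With trustTestCA the client's RootCAs holds the test certificate;
// otherwise the pool is empty and verification must fail. The bool reports whether the
// handshake completed; err reports setup failures only.
func DialScenario(trustTestCA bool) (bool, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return false, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() {
		// Accept one client and drive the server side of the handshake.
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()

	// An explicit empty pool (rather than nil) keeps the system roots out of the picture.
	clientCfg := &tls.Config{RootCAs: x509.NewCertPool(), MinVersion: tls.VersionTLS12}
	if trustTestCA {
		clientCfg.RootCAs = pool
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	conn, err := createDialer(clientCfg)(ctx, "tcp", ln.Addr().String())
	if err != nil {
		return false, nil // verification or handshake failure: the outcome being probed
	}
	conn.Close()
	return true, nil
}

func main() {
	for _, trust := range []bool{true, false} {
		ok, err := DialScenario(trust)
		fmt.Printf("trustTestCA=%v handshakeOK=%v setupErr=%v\n", trust, ok, err)
	}
}
```

Running it prints one line per scenario; the pinned run completes the handshake and the empty-pool run is rejected by certificate verification. For the local validation steps, loading tests/tls/redis.crt into RootCAs the same way is the equivalent of the trustTestCA branch and avoids touching InsecureSkipVerify at all.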

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

To replicate

  1. Set up Redis using TLS
  • you may need to build it using the steps in https://redis.io/docs/management/security/encryption/ as asdf/rtx installed redis does not seem to be built with BUILD_TLS=yes
  • Run ./utils/gen-test-certs.sh to generate certs and keys
  • In the redis folder, run ./src/redis-server --tls-port 6379 --port 0 --tls-cert-file ./tests/tls/redis.crt --tls-key-file ./tests/tls/redis.key --tls-ca-cert-file ./tests/tls/redis.crt --tls-auth-clients no
  2. Connect to it using the cli:
./src/redis-cli --tls --insecure
  3. On master branch, run cd workhorse && make && gdk restart gitlab-workhorse. gdk tail gitlab-workhorse would show errors like the following
2023-11-28_02:33:18.97408 gitlab-workhorse      : {"error":"keywatcher: read tcp 127.0.0.1:49945-\u003e127.0.0.1:6379: read: connection reset by peer","level":"error","msg":"","time":"2023-11-28T10:33:18+08:00"}
  4. Using this branch, set tlsConfig.InsecureSkipVerify = true
diff --git a/workhorse/internal/redis/redis.go b/workhorse/internal/redis/redis.go
index e21dae916e45..77fe8693bbda 100644
--- a/workhorse/internal/redis/redis.go
+++ b/workhorse/internal/redis/redis.go
@@ -86,6 +86,7 @@ func createDialer(sentinels []string, tlsConfig *tls.Config) func(ctx context.Co
                var err error

                if tlsConfig != nil {
+      tlsConfig.InsecureSkipVerify = true
                        conn, err = tls.DialWithDialer(netDialer, network, addr, tlsConfig)
                } else {
                        conn, err = netDialer.DialContext(ctx, network, addr)
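Review bot: the added `tlsConfig.InsecureSkipVerify = true` turns off server certificate verification for every connection this dialer makes, and because it writes into the `*tls.Config` passed to `createDialer` it mutates the caller's shared config rather than a local copy; it belongs only to the local validation steps above and must not be committed. For a self-signed test certificate such as the redis.crt from gen-test-certs.sh, the safer local setting is to load that certificate into `tlsConfig.RootCAs` so verification still runs. Separately, `tls.DialWithDialer` takes no ctx, so unlike the `netDialer.DialContext(ctx, network, addr)` branch the TLS handshake is not bounded by the `ctx` argument; `(&tls.Dialer{NetDialer: netDialer, Config: tlsConfig}).DialContext(ctx, network, addr)` keeps both branches context-aware. Minor: the `+` line is indented with spaces where the surrounding lines use tabs; gofmt will correct it.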
  5. Run make and gdk restart gitlab-workhorse

  6. gdk tail gitlab-workhorse to see that there are no more errors.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Sylvester Chin