rendering config for redis tls (#2145)

Signed-off-by: yminer <[email protected]> update ut Co-authored-by: yminer <[email protected]>
goharbor · Feb 26, 2025 · 834dd74 · 834dd74
1 parent 6c342ac
commit 834dd74
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 2 deletions.
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -148,7 +148,21 @@ app: "{{ template "harbor.name" . }}"
 
 {{- define "harbor.redis.scheme" -}}
   {{- with .Values.redis }}
-    {{- ternary "redis+sentinel" "redis"  (and (eq .type "external" ) (not (not .external.sentinelMasterSet))) }}
+    {{- if eq .type "external" -}}
+      {{- if not (not .external.sentinelMasterSet) -}}
+        {{- ternary "rediss+sentinel" "redis+sentinel" (.external.tlsOptions.enable) }}
+      {{- else -}}
+        {{- ternary "rediss" "redis" (.external.tlsOptions.enable) }}
+      {{- end -}}
+    {{- else -}}
+      {{ print "redis" }}
+    {{- end -}}
+  {{- end }}
+{{- end -}}
+
+{{- define "harbor.redis.enableTLS" -}}
+  {{- with .Values.redis }}
+    {{- ternary "true" "false" (and ( eq .type "external") (.external.tlsOptions.enable)) }}
   {{- end }}
 {{- end -}}
 
@@ -161,7 +175,7 @@ app: "{{ template "harbor.name" . }}"
 
 {{- define "harbor.redis.masterSet" -}}
   {{- with .Values.redis }}
-    {{- ternary .external.sentinelMasterSet "" (eq "redis+sentinel" (include "harbor.redis.scheme" $)) }}
+    {{- ternary .external.sentinelMasterSet "" (contains "+sentinel" (include "harbor.redis.scheme" $)) }}
   {{- end }}
 {{- end -}}
 

diff --git a/templates/registry/registry-cm.yaml b/templates/registry/registry-cm.yaml
@@ -182,6 +182,7 @@ data:
       readtimeout: 10s
       writetimeout: 10s
       dialtimeout: 10s
+      enableTLS: {{ template "harbor.redis.enableTLS" . }}
       pool:
         maxidle: 100
         maxactive: 500

diff --git a/test/unittest/core/core_configmap_test.yaml b/test/unittest/core/core_configmap_test.yaml
@@ -34,6 +34,21 @@ tests:
       - equal:
           path: data._REDIS_URL_HARBOR
           value: redis://192.168.0.2:6379/test-index?idle_timeout_seconds=30
+
+  - it: RedisSentinelUrlHarborExternalTLS
+    set:
+      redis:
+        external:
+          harborDatabaseIndex: test-index
+          tlsOptions:
+            enable: true
+          sentinelMasterSet: "mymaster"
+        type: external
+    template: templates/core/core-cm.yaml
+    asserts:
+      - equal:
+          path: data._REDIS_URL_HARBOR
+          value: rediss+sentinel://192.168.0.2:6379/mymaster/test-index?idle_timeout_seconds=30
 
   - it: CacheLayerDatabaseIndex
     set:

diff --git a/values.yaml b/values.yaml
@@ -1008,6 +1008,14 @@ redis:
     addr: "192.168.0.2:6379"
     # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel
     sentinelMasterSet: ""
+    # TLS configuration for redis connection
+    # only server-authentication is supported, mTLS for redis connection is not supported
+    # tls connection will be disable by default
+    # Once `tlsOptions.enable` set as true, tls/ssl connection will be used for redis
+    # Please set the `caBundleSecretName` in this configuration file which conatins redis server rootCA if it is self-signed.
+    # The secret must contain keys named "ca.crt" which will be injected into the trust store
+    tlsOptions:
+      enable: false
     # The "coreDatabaseIndex" must be "0" as the library Harbor
     # used doesn't support configuring it
     # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional