From 68f07b76f6be15b6dc41bd7f720cd40da38c7b63 Mon Sep 17 00:00:00 2001
From: Will Thompson
Date: Fri, 27 Sep 2024 16:00:59 +0100
Subject: [PATCH] Allow connecting to Redis with TLS

Previously we've been using a client-side proxy to connect to our TLS-enabled ElastiCache cluster. But ioredis supports connecting with TLS natively. There are two ways to opt in:

1. If a connection string is passed to the Redis constructor, using rediss:// rather than redis:// as the scheme enables TLS.
2. Pass a 'tls' option whose value is a (possibly-empty) object of options to pass through to Node's tls.connect() method.

Add a new REDIS_TLS environment variable, which can be set to '1' or 'true' to connect with TLS. If set, set the 'tls' option to an empty object to enable TLS.

https://phabricator.endlessm.com/T35672
---
 config/index.js | 2 ++
 util/redis.js   | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/config/index.js b/config/index.js
index 897be84..949a669 100644
--- a/config/index.js
+++ b/config/index.js
@@ -11,6 +11,7 @@ const server_bind_address = process.env.BIND_ADDRESS || '127.0.0.1';
 const redis_host = process.env.REDIS_HOST || '127.0.0.1';
 const redis_port = parseInt(process.env.REDIS_PORT, 10) || 6379;
 const redis_password = process.env.REDIS_PASSWORD || '';
+const redis_tls = ["true", "1"].includes((process.env.REDIS_TLS || '').toLowerCase());
 
 // Crash handler
 process.on('uncaughtException', (err) => {
@@ -26,4 +27,5 @@ exports = module.exports = {
   redis_host,
   redis_port,
   redis_password,
+  redis_tls,
 };
diff --git a/util/redis.js b/util/redis.js
index a24701e..541dda9 100644
--- a/util/redis.js
+++ b/util/redis.js
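Review bot: The added `redis_tls` line treats every value other than `true`/`1` as "TLS off", so a typo such as `REDIS_TLS=yes` or a stray trailing space silently downgrades the connection to plaintext and would send the configured REDIS_PASSWORD in the clear; a security switch like this should fail closed on unrecognised input. I would trim the value, accept an explicit off spelling, and throw on anything else so the process refuses to start rather than quietly choosing the weaker mode — the crash handler visible just below the hunk suggests a startup throw is an acceptable failure mode here, though that is inferred from context. The new line also uses double quotes where every neighbouring line in this file uses single quotes. The rewrite below replaces only the one added line.
```javascript
const redis_password = process.env.REDIS_PASSWORD || '';
// Fail closed: only recognised spellings are accepted; anything else aborts startup
// instead of silently falling back to a plaintext Redis connection.
const redis_tls_raw = (process.env.REDIS_TLS || '').trim().toLowerCase();
if (!['', '0', 'false', '1', 'true'].includes(redis_tls_raw)) {
  throw new Error(`Unrecognised REDIS_TLS value '${process.env.REDIS_TLS}'; expected 1/true or 0/false`);
}
const redis_tls = ['1', 'true'].includes(redis_tls_raw);
```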
@@ -12,10 +12,16 @@ exports = module.exports = {
   redisPort: config.redis_port,
   redisPassword: config.redis_password,
   getRedis: (callback) => {
+    /* ioredis uses tls.connect() if the tls option is set, and passes it as
+     * additional options to tls.connect().
+     */
+    let tls = config.redis_tls ? {} : undefined;
+
     const redis = new Redis({
       host: config.redis_host,
       port: config.redis_port,
       password: config.redis_password,
+      tls,
       reconnectOnError(err) {
         /* Reconnect when ElastiCache has promoted some other node to primary &
          * demoted the node we are connected to a replica.
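Review bot: `let tls = config.redis_tls ? {} : undefined;` is never reassigned, so it should be `const`, and the empty object deserves a comment saying it is deliberate: with `{}` the connection inherits Node's tls.connect() defaults (certificate verification against the trusted CA store, `rejectUnauthorized` true), which is the whole value of this switch. Without that note the next person debugging a handshake failure is likely to "fix" it by adding `rejectUnauthorized: false`, which would silently remove the protection while the REDIS_TLS flag still reads as on. I would extend the new block comment with `* An empty object is intentional: it keeps Node's default certificate verification. Never add rejectUnauthorized: false here.` and write `const tls = config.redis_tls ? {} : undefined;`. Whether ioredis forwards `host` as the TLS `servername` for hostname verification is not visible in this hunk and is worth confirming, especially if REDIS_HOST may be an IP address. getRedis's body and the `new Redis({…})` call continue past the end of the hunk.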