
How to configure redis TLS certificate

Open uulwake opened this issue 3 years ago • 4 comments

Describe the bug

I want to connect to Redis Memory store in GCP and got the following error:

Error: Redis connection to <port> failed - unable to verify the first certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1502:34)
    at TLSSocket.emit (events.js:314:20)
    at TLSSocket._finishInit (_tls_wrap.js:937:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:711:12)

To Reproduce

Steps to reproduce the behavior:

  1. Create redis memory store instance with auth and TLS enabled
  2. Create cloud run instance in the same region with redis memory store
  3. set REDIS_URL=rediss://<ip-address>:<port>
  4. set REDIS_PASSWORD=<redis-auth>
  5. set REDIS_TLS=true

Expected behavior

Cubejs and redis should connect

Version: 0.26.45

uulwake avatar Mar 11 '21 08:03 uulwake

My current workaround is to encode the CA certificate to base64 and store the value in the environment variable with name REDIS_TLS_CERT.

base64 <your .pem file>

In cube.js, I use redisPoolOptions to create redis TLS connection.

const { createRedisClient } = require('@cubejs-backend/query-orchestrator');

module.exports = {
  orchestratorOptions: {
    redisPoolOptions: {
      createClient: () => {
        const { REDIS_URL, REDIS_TLS_CERT } = process.env;
        // Decode the base64-encoded CA certificate back to PEM text.
        const ca = Buffer.from(REDIS_TLS_CERT, 'base64').toString('ascii');
        // Returning null here skips the hostname check: the chain is still
        // verified against `ca`, but the name in the certificate is not.
        const checkServerIdentity = () => null;

        return createRedisClient(REDIS_URL, {
          tls: { ca, checkServerIdentity },
        });
      },
    },
  },
};

uulwake avatar Mar 11 '21 08:03 uulwake
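
A variant of the workaround above that keeps the hostname check on, as an added example (not code from the issue or from Cube.js). `buildRedisTlsOptions` and the `REDIS_TLS_SERVERNAME` variable are hypothetical names, and it assumes you know the name the server certificate was issued for.

```javascript
const tls = require('tls');

// Matches one PEM certificate block; used only as a shape check.
const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/;

// Build the `tls` options for the Redis client from environment variables.
// REDIS_TLS_CERT is the base64-encoded CA from the workaround above.
// REDIS_TLS_SERVERNAME is a hypothetical variable introduced for this example:
// the name the server certificate is expected to carry.
function buildRedisTlsOptions(env) {
  const { REDIS_TLS_CERT, REDIS_TLS_SERVERNAME } = env;
  if (!REDIS_TLS_CERT) {
    throw new Error('REDIS_TLS_CERT is not set');
  }

  const ca = Buffer.from(REDIS_TLS_CERT, 'base64').toString('ascii');
  // Catches a truncated, doubly-encoded or otherwise wrong value at startup
  // instead of at the first failed handshake.
  if (!PEM_CERT.test(ca)) {
    throw new Error('REDIS_TLS_CERT does not decode to a PEM certificate');
  }

  const options = { ca, rejectUnauthorized: true };

  if (REDIS_TLS_SERVERNAME) {
    // Verify the certificate against the expected name rather than the
    // address in REDIS_URL. Node expects an Error on mismatch and
    // undefined on success, which is what tls.checkServerIdentity returns.
    options.checkServerIdentity = (_host, cert) =>
      tls.checkServerIdentity(REDIS_TLS_SERVERNAME, cert);
  }
  // Without REDIS_TLS_SERVERNAME, Node's default identity check stays active.

  return options;
}

// Passed the same way as in the workaround:
//   createRedisClient(REDIS_URL, { tls: buildRedisTlsOptions(process.env) })
```

If the connection then fails with a name mismatch, the error message lists the names the certificate actually carries, which is the value to put in `REDIS_TLS_SERVERNAME`.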

It's not supported to set SSL configuration for Redis driver by env variables/configuration.

Related to env variables, there is a code that already solves a similar problem (but for database drivers):

https://github.com/cube-js/cube.js/blob/v0.26.62/packages/cubejs-query-orchestrator/src/driver/BaseDriver.js#L96

Supporting SSL configuration by env variables can be done in a similar way.

ovr avatar Mar 18 '21 20:03 ovr

If you are interested in working on this issue, please leave a comment below and we will be happy to assign the issue to you. If this is the first time you are contributing a Pull Request to Cube.js, please check our contribution guidelines. You can also post any questions while contributing in the #contributors channel in the Cube.js Slack.

github-actions[bot] avatar Mar 18 '21 20:03 github-actions[bot]

👋 a quick reminder that we will be replacing Redis with Cube Store as announced in this blog post.

rpaik avatar Jul 28 '22 05:07 rpaik

I believe that this issue is not relevant anymore since Cube Store has replaced Redis for query queue and cache management.

Docs: https://cube.dev/docs/product/deployment#redis

Announcement: https://cube.dev/blog/how-you-win-by-using-cube-store-part-1

igorlukanin avatar Sep 01 '23 12:09 igorlukanin