
Support for Redis TLS

Open bbobrov opened this issue 4 years ago • 24 comments

As a Harbor instance operator, I want to secure the traffic to the Redis instance.

This issue might not seem so pressing when the internal Redis is used. However, external managed Redis instances can be used, such as Azure Cache for Redis. Although it is possible to enable the non-encrypted port, it is disabled by default; Microsoft recommends enabling TLS.

Currently Harbor does not support connecting to SSL/TLS Redis endpoints. The go-redis library supports it. Docker distribution has a patch for it: https://github.com/docker/distribution/pull/3161. Chartmuseum has a bug report about it: https://github.com/helm/chartmuseum/issues/326

I would like to be able to provide rediss:// URLs or to set a use_ssl=true option when configuring Harbor. Options to provide certificates are also required.

bbobrov avatar Oct 08 '20 09:10 bbobrov
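To make the request above concrete, here is an added example (not Harbor's or go-redis's own code) of how the two requested inputs, a rediss:// URL or the chart's bare host:port plus a use_ssl flag, can be resolved into a dial address and a tls.Config that verifies the managed endpoint against an optional operator-supplied CA bundle. The function name, signature and the use_ssl/caPEM parameters are assumptions for illustration, using only the Go standard library.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ResolveRedis takes a redis:// or rediss:// URL, or a bare host:port (the
// chart's "addr" form) plus a use_ssl flag; rediss:// always enables TLS.
// Returns the dial address and a tls.Config (nil = plaintext); caPEM pins the CA.
func ResolveRedis(raw string, useSSL bool, caPEM []byte) (string, *tls.Config, error) {
	hostport := raw
	if strings.Contains(raw, "://") {
		u, err := url.Parse(raw)
		if err != nil {
			return "", nil, err
		}
		switch u.Scheme {
		case "rediss":
			useSSL = true
		case "redis":
		default:
			return "", nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
		}
		hostport = u.Host
	}
	host, port, err := net.SplitHostPort(hostport)
	if err != nil { // no port given: fall back to the Redis default
		host, port = hostport, "6379"
	}
	addr := net.JoinHostPort(host, port)
	if !useSSL {
		return addr, nil, nil
	}
	// ServerName drives SNI and hostname verification; InsecureSkipVerify is
	// deliberately left false so the managed endpoint is authenticated.
	cfg := &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return "", nil, fmt.Errorf("no CA certificate found in PEM")
		}
		cfg.RootCAs = pool
	}
	return addr, cfg, nil
}
```

The returned address and config are what a client would pass to tls.Dial (or to a Redis client's TLS option); a rediss:// URL resolved without a CA bundle falls back to the system trust store.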

Is there anything new with the upgrade?

dsalcedolab avatar Nov 03 '20 11:11 dsalcedolab

@yanji09 @ninjadq Any update on that? Thanks

shinji62 avatar May 14 '21 02:05 shinji62

Hi, we have a plan to support TLS for Redis and the database. It might be included in a future release.

ninjadq avatar May 17 '21 03:05 ninjadq

Similar asks here due to setting up Harbor with AWS ElastiCache and Azure Redis.

It seems that without enabling TLS, ElastiCache doesn't even allow enabling authentication. This potentially means that even though there is some level of security in being in a VPC, ElastiCache can be accidentally messed up by others in the VPC.

flyingbricks avatar Jun 03 '21 06:06 flyingbricks

Similar ask from our chart users - https://github.com/bitnami/charts/issues/7691

yilmi avatar Nov 02 '21 15:11 yilmi

Maybe it would be possible to use a Redis proxy as a sidecar as a temporary solution.

Something like:

  • https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_protocols/redis
  • https://github.com/twitter/twemproxy

lukasmrtvy avatar Nov 02 '21 15:11 lukasmrtvy

Using an stunnel sidecar is another temporary option.

https://www.stunnel.org/

danielzhanghl avatar Jan 20 '22 02:01 danielzhanghl

You could also use a socat container to create a TLS tunnel that connects to the Redis endpoint.

  • https://linux.die.net/man/1/socat
  • https://blog.kloud.com.au/2017/08/03/ssl-tunneling-with-socat-in-docker-to-safely-access-azure-redis-on-port-6379/

colinwilson avatar Jan 20 '22 10:01 colinwilson

Is there any vision on when this is going to be implemented?

slushysnowman avatar Mar 09 '22 08:03 slushysnowman

FYI: Trivy supports TLS Redis from 0.23.0, while the Trivy adapter does not support TLS Redis yet.

danielzhanghl avatar Mar 25 '22 07:03 danielzhanghl

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Jul 06 '22 09:07 github-actions[bot]

Still an issue, please do not close.

keliansb avatar Aug 25 '22 14:08 keliansb

This distribution PR hasn't been included in distribution v2.8.1: https://github.com/distribution/distribution/pull/3161/files. We will hold this feature request until a new distribution release supports it.

MinerYang avatar Dec 08 '22 08:12 MinerYang

Another security feature blocked by distribution... (the other one being AWS IAM AssumeRoleWithWebIdentity)

hgranillo avatar May 04 '23 08:05 hgranillo

Distribution release v2.8.2 from May this year (which came more than a year after v2.8.1) also did not include the mentioned PR. It does not look like this feature will be added anytime soon there.

marevers avatar Aug 17 '23 10:08 marevers

Please consider adding this feature as it makes the "supply chain" more robust and secure

pfarikrispy avatar Sep 06 '23 11:09 pfarikrispy

I find it incredible how trivial this oft-requested feature would be to implement, and yet here we are three years later. I wanted to volunteer to implement it, but this issue's thread has suggested that would be a fool's errand.

thavlik avatar Sep 15 '23 15:09 thavlik

I'm using the latest Harbor Helm chart, but I do not know how to configure the TLS option; I'm using AWS ElastiCache for Redis.

In the Helm chart values.yaml file, I only see these options:

```yaml
  external:
    # support redis, redis+sentinel
    # addr for redis: <host_redis>:<port_redis>
    # addr for redis+sentinel: <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
    addr: "192.168.0.2:6379"
    # The name of the set of Redis instances to monitor, it must be set to support redis+sentinel
    sentinelMasterSet: ""
    # The "coreDatabaseIndex" must be "0" as the library Harbor
    # used doesn't support configuring it
    # harborDatabaseIndex defaults to "0", but it can be configured to "6", this config is optional
    # cacheLayerDatabaseIndex defaults to "0", but it can be configured to "7", this config is optional
    coreDatabaseIndex: "0"
    jobserviceDatabaseIndex: "1"
    registryDatabaseIndex: "2"
    trivyAdapterIndex: "5"
    # harborDatabaseIndex: "6"
    # cacheLayerDatabaseIndex: "7"
    # username field can be an empty string, and it will be authenticated against the default user
    username: ""
    password: ""
    # If using existingSecret, the key must be REDIS_PASSWORD
    existingSecret: ""
```

krab-skunk avatar Nov 14 '23 19:11 krab-skunk

It's not supported yet, unfortunately. I assume support is going to be added in the 2.11.0 release.

marevers avatar Nov 14 '23 19:11 marevers

Oh ok :( thanks for the quick reply @marevers

krab-skunk avatar Nov 14 '23 19:11 krab-skunk

This distribution PR hasn't been included in distribution v2.8.2 or v2.8.3: https://github.com/distribution/distribution/pull/3161/files. We will hold this feature request until a new distribution release supports it.

MinerYang avatar Jan 19 '24 07:01 MinerYang

While taking a look into the distribution source, I found that this redisTLS config seems to be ignored in main after the migration from redigo to go-redis by this commit: https://github.com/distribution/distribution/blob/fcbc25e7896b6ea115d1f62107483c9325b4a305/registry/handlers/app.go#L522 cc @wy65701436

MinerYang avatar Jan 19 '24 08:01 MinerYang

Progress:

  • Trivy-adapter support is in progress: https://github.com/aquasecurity/harbor-scanner-trivy/pull/430
  • Upstream distribution still has an issue supporting this; tracked at https://github.com/distribution/distribution/issues/4284

MinerYang avatar Feb 23 '24 06:02 MinerYang