From 52126b8fae99d79591cb8994bdcf010f126b8771 Mon Sep 17 00:00:00 2001 From: Matthieu Bourgain Date: Tue, 23 Jul 2024 18:01:37 +0200 Subject: [PATCH] Add TLS certs params to redis (#8654) * add tls params to redis * add PR number * add example * move doc to redis fragment * Update changelogs/fragments/8654-add-redis-tls-params.yml Co-authored-by: Felix Fontein * rm aliases and add version_added --------- Co-authored-by: Felix Fontein --- changelogs/fragments/8654-add-redis-tls-params.yml | 2 ++ plugins/doc_fragments/redis.py | 10 ++++++++++ plugins/module_utils/redis.py | 8 +++++++- plugins/modules/redis.py | 10 ++++++++++ tests/unit/plugins/modules/test_redis_info.py | 8 ++++++++ 5 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 changelogs/fragments/8654-add-redis-tls-params.yml diff --git a/changelogs/fragments/8654-add-redis-tls-params.yml b/changelogs/fragments/8654-add-redis-tls-params.yml new file mode 100644 index 00000000000..0b549f5dd0d --- /dev/null +++ b/changelogs/fragments/8654-add-redis-tls-params.yml @@ -0,0 +1,2 @@ +minor_changes: + - redis, redis_info - add ``client_cert`` and ``client_key`` options to specify path to certificate for Redis authentication (https://github.com/ansible-collections/community.general/pull/8654). diff --git a/plugins/doc_fragments/redis.py b/plugins/doc_fragments/redis.py index fafb52c86c4..69fd0c9cd58 100644 --- a/plugins/doc_fragments/redis.py +++ b/plugins/doc_fragments/redis.py @@ -49,6 +49,16 @@ class ModuleDocFragment(object): - Path to root certificates file. If not set and O(tls) is set to V(true), certifi ca-certificates will be used. type: str + client_cert_file: + description: + - Path to the client certificate file. + type: str + version_added: 9.3.0 + client_key_file: + description: + - Path to the client private key file. + type: str + version_added: 9.3.0 requirements: [ "redis", "certifi" ] notes: diff --git a/plugins/module_utils/redis.py b/plugins/module_utils/redis.py index c4d87aca515..e823f966dc2 100644 --- a/plugins/module_utils/redis.py +++ b/plugins/module_utils/redis.py @@ -57,7 +57,9 @@ def redis_auth_argument_spec(tls_default=True): validate_certs=dict(type='bool', default=True ), - ca_certs=dict(type='str') + ca_certs=dict(type='str'), + client_cert_file=dict(type='str'), + client_key_file=dict(type='str'), ) @@ -71,6 +73,8 @@ def redis_auth_params(module): ca_certs = module.params['ca_certs'] if tls and ca_certs is None: ca_certs = str(certifi.where()) + client_cert_file = module.params['client_cert_file'] + client_key_file = module.params['client_key_file'] if tuple(map(int, redis_version.split('.'))) < (3, 4, 0) and login_user is not None: module.fail_json( msg='The option `username` in only supported with redis >= 3.4.0.') @@ -78,6 +82,8 @@ def redis_auth_params(module): 'port': login_port, 'password': login_password, 'ssl_ca_certs': ca_certs, + 'ssl_certfile': client_cert_file, + 'ssl_keyfile': client_key_file, 'ssl_cert_reqs': validate_certs, 'ssl': tls} if login_user is not None: diff --git a/plugins/modules/redis.py b/plugins/modules/redis.py index 207927cb77c..a30b89922cb 100644 --- a/plugins/modules/redis.py +++ b/plugins/modules/redis.py @@ -132,6 +132,16 @@ command: config name: lua-time-limit value: 100 + +- name: Connect using TLS and certificate authentication + community.general.redis: + command: config + name: lua-time-limit + value: 100 + tls: true + ca_certs: /etc/redis/certs/ca.crt + client_cert_file: /etc/redis/certs/redis.crt + client_key_file: /etc/redis/certs/redis.key ''' import traceback diff --git a/tests/unit/plugins/modules/test_redis_info.py b/tests/unit/plugins/modules/test_redis_info.py index cdc78680e52..831b8f40522 100644 --- a/tests/unit/plugins/modules/test_redis_info.py +++ b/tests/unit/plugins/modules/test_redis_info.py @@ -55,6 +55,8 @@ def test_without_parameters(self): 'password': None, 'ssl': False, 'ssl_ca_certs': None, + 'ssl_certfile': None, + 'ssl_keyfile': None, 'ssl_cert_reqs': 'required'},)) self.assertEqual(result.exception.args[0]['info']['redis_version'], '999.999.999') @@ -74,6 +76,8 @@ def test_with_parameters(self): 'password': 'PASS', 'ssl': False, 'ssl_ca_certs': None, + 'ssl_certfile': None, + 'ssl_keyfile': None, 'ssl_cert_reqs': 'required'},)) self.assertEqual(result.exception.args[0]['info']['redis_version'], '999.999.999') @@ -87,6 +91,8 @@ def test_with_tls_parameters(self): 'login_password': 'PASS', 'tls': True, 'ca_certs': '/etc/ssl/ca.pem', + 'client_cert_file': '/etc/ssl/client.pem', + 'client_key_file': '/etc/ssl/client.key', 'validate_certs': False }) self.module.main() @@ -96,6 +102,8 @@ def test_with_tls_parameters(self): 'password': 'PASS', 'ssl': True, 'ssl_ca_certs': '/etc/ssl/ca.pem', + 'ssl_certfile': '/etc/ssl/client.pem', + 'ssl_keyfile': '/etc/ssl/client.key', 'ssl_cert_reqs': None},)) self.assertEqual(result.exception.args[0]['info']['redis_version'], '999.999.999')