add SSL parameter support for redis (#2389)

* add SSL parameter support for redis * add ssl support to redis pool
2025-04-10 04:49:29 +02:00 · 2024-09-12 09:18:11 -07:00 · 2024-09-12 09:18:11 -07:00 · 4bc4da29f5
commit 4bc4da29f5
parent 7af572d0e7
3 changed files with 42 additions and 14 deletions
--- a/backend/danswer/background/celery/celeryconfig.py
+++ b/backend/danswer/background/celery/celeryconfig.py
@ -3,6 +3,9 @@ from danswer.configs.app_configs import REDIS_DB_NUMBER_CELERY
 from danswer.configs.app_configs import REDIS_HOST
 from danswer.configs.app_configs import REDIS_PASSWORD
 from danswer.configs.app_configs import REDIS_PORT
+from danswer.configs.app_configs import REDIS_SSL
+from danswer.configs.app_configs import REDIS_SSL_CA_CERTS
+from danswer.configs.app_configs import REDIS_SSL_CERT_REQS
 from danswer.configs.constants import DanswerCeleryPriority

 CELERY_SEPARATOR = ":"
@ -11,16 +14,22 @@ CELERY_PASSWORD_PART = ""
 if REDIS_PASSWORD:
    CELERY_PASSWORD_PART = f":{REDIS_PASSWORD}@"

+REDIS_SCHEME = "redis"
+
+# SSL-specific query parameters for Redis URL
+SSL_QUERY_PARAMS = ""
+if REDIS_SSL:
+    REDIS_SCHEME == "rediss"
+    SSL_QUERY_PARAMS = f"?ssl_cert_reqs={REDIS_SSL_CERT_REQS}"
+    if REDIS_SSL_CA_CERTS:
+        SSL_QUERY_PARAMS += f"&ssl_ca_certs={REDIS_SSL_CA_CERTS}"
+
 # example celery_broker_url: "redis://:password@localhost:6379/15"
-broker_url = (
-    f"redis://{CELERY_PASSWORD_PART}{REDIS_HOST}:{REDIS_PORT}/{REDIS_DB_NUMBER_CELERY}"
-)
+broker_url = f"{REDIS_SCHEME}://{CELERY_PASSWORD_PART}{REDIS_HOST}:{REDIS_PORT}/{REDIS_DB_NUMBER_CELERY}{SSL_QUERY_PARAMS}"

-result_backend = (
-    f"redis://{CELERY_PASSWORD_PART}{REDIS_HOST}:{REDIS_PORT}/{REDIS_DB_NUMBER_CELERY}"
-)
+result_backend = f"{REDIS_SCHEME}://{CELERY_PASSWORD_PART}{REDIS_HOST}:{REDIS_PORT}/{REDIS_DB_NUMBER_CELERY}{SSL_QUERY_PARAMS}"

-# NOTE: prefetch 4 is significantly faster than prefetch 1
+# NOTE: prefetch 4 is significantly faster than prefetch 1 for small tasks
 # however, prefetching is bad when tasks are lengthy as those tasks
 # can stall other tasks.
 worker_prefetch_multiplier = 4
--- a/backend/danswer/configs/app_configs.py
+++ b/backend/danswer/configs/app_configs.py
@ -150,6 +150,7 @@ try:
 except ValueError:
    POSTGRES_POOL_RECYCLE = POSTGRES_POOL_RECYCLE_DEFAULT

+REDIS_SSL = os.getenv("REDIS_SSL", "").lower() == "true"
 REDIS_HOST = os.environ.get("REDIS_HOST") or "localhost"
 REDIS_PORT = int(os.environ.get("REDIS_PORT", 6379))
 REDIS_PASSWORD = os.environ.get("REDIS_PASSWORD") or ""
@ -160,6 +161,9 @@ REDIS_DB_NUMBER = int(os.environ.get("REDIS_DB_NUMBER", 0))
 # Used by celery as broker and backend
 REDIS_DB_NUMBER_CELERY = int(os.environ.get("REDIS_DB_NUMBER_CELERY", 15))

+REDIS_SSL_CERT_REQS = os.getenv("REDIS_SSL_CERT_REQS", "CERT_NONE")
+REDIS_SSL_CA_CERTS = os.getenv("REDIS_SSL_CA_CERTS", "")
+
 #####
 # Connector Configs
 #####
--- a/backend/danswer/redis/redis_pool.py
+++ b/backend/danswer/redis/redis_pool.py
@ -9,6 +9,9 @@ from danswer.configs.app_configs import REDIS_DB_NUMBER
 from danswer.configs.app_configs import REDIS_HOST
 from danswer.configs.app_configs import REDIS_PASSWORD
 from danswer.configs.app_configs import REDIS_PORT
+from danswer.configs.app_configs import REDIS_SSL
+from danswer.configs.app_configs import REDIS_SSL_CA_CERTS
+from danswer.configs.app_configs import REDIS_SSL_CERT_REQS

 REDIS_POOL_MAX_CONNECTIONS = 10

@ -27,13 +30,25 @@ class RedisPool:
        return cls._instance

    def _init_pool(self) -> None:
-        self._pool = redis.ConnectionPool(
-            host=REDIS_HOST,
-            port=REDIS_PORT,
-            db=REDIS_DB_NUMBER,
-            password=REDIS_PASSWORD,
-            max_connections=REDIS_POOL_MAX_CONNECTIONS,
-        )
+        if REDIS_SSL:
+            self._pool = redis.ConnectionPool(
+                host=REDIS_HOST,
+                port=REDIS_PORT,
+                db=REDIS_DB_NUMBER,
+                password=REDIS_PASSWORD,
+                max_connections=REDIS_POOL_MAX_CONNECTIONS,
+                ssl=True,
+                ssl_ca_certs=REDIS_SSL_CA_CERTS,
+                ssl_cert_reqs=REDIS_SSL_CERT_REQS,
+            )
+        else:
+            self._pool = redis.ConnectionPool(
+                host=REDIS_HOST,
+                port=REDIS_PORT,
+                db=REDIS_DB_NUMBER,
+                password=REDIS_PASSWORD,
+                max_connections=REDIS_POOL_MAX_CONNECTIONS,
+            )

    def get_client(self) -> Redis:
        return redis.Redis(connection_pool=self._pool)