feat: redis tls support (#5884)

Co-authored-by: Laurin Quast <laurinquast@googlemail.com>

Author: andriihrachov

.changeset/early-otters-help.md

@@ -0,0 +1,5 @@
+---
+'hive': minor
+---
+
+Add `REDIS_TLS_ENABLED` environment variable for enabling and disabling Redis TLS for `emails`, `schema`, `tokens`, `webhooks` and `server` services.

docs/DEVELOPMENT.md

@@ -22,6 +22,23 @@ ENVIRONMENT=local
 
 - Run `pnpm i` at the root to install all the dependencies and run the hooks
 - Run `pnpm local:setup` to run Docker compose dependencies, create databases and migrate database
+
+Solving permission problems on this step:
+
+```bash
+export UID=$(id -u)
+export GID=$(id -g)
+```
+
+Add "user" field to docker-compose.dev.yml
+
+```
+  clickhouse:
+    user: '${UID}:${GID}'
+  db:
+    user: '${UID}:${GID}'
+```
+
 - Run `pnpm generate` to generate the typings from the graphql files (use `pnpm graphql:generate` if
   you only need to run GraphQL Codegen)
 - Run `pnpm build` to build all services

packages/libraries/core/src/version.ts

@@ -1 +1 @@
-export const version = '0.8.0';
+export const version = '0.8.2';

packages/services/api/src/modules/shared/providers/redis.ts

@@ -5,7 +5,9 @@ import { Logger } from './logger';
 
 export type { RedisInstance as Redis };
 
-export type RedisConfig = Required<Pick<RedisOptions, 'host' | 'port' | 'password'>>;
+export type RedisConfig = Required<Pick<RedisOptions, 'host' | 'port' | 'password'>> & {
+  tlsEnabled: boolean;
+};
 
 export const REDIS_INSTANCE = new InjectionToken<RedisInstance>('REDIS_INSTANCE');
 
@@ -24,6 +26,7 @@ export function createRedisClient(label: string, config: RedisConfig, logger: Lo
     db: 0,
     maxRetriesPerRequest: null,
     enableReadyCheck: false,
+    tls: config.tlsEnabled ? {} : undefined,
   });
 
   redis.on('error', err => {

packages/services/emails/README.md

@@ -12,6 +12,7 @@ Service for sending Hive Emails.
 | `REDIS_HOST`                             | **Yes**                                               | The host of your redis instance.                                                                         | `"127.0.0.1"`                                        |
 | `REDIS_PORT`                             | **Yes**                                               | The port of your redis instance.                                                                         | `6379`                                               |
 | `REDIS_PASSWORD`                         | **Yes**                                               | The password of your redis instance.                                                                     | `"apollorocks"`                                      |
+| `REDIS_TLS_ENABLED`                      | **No**                                                | Enable TLS for redis connection (rediss://).                                                             | `"0"`                                                |
 | `EMAIL_FROM`                             | **Yes**                                               | The email address used for sending emails                                                                | `kamil@graphql-hive.com`                             |
 | `EMAIL_PROVIDER`                         | **Yes**                                               | The email provider that should be used for sending emails.                                               | `smtp` or `postmark` or `mock`                       |
 | `EMAIL_PROVIDER_SMTP_PROTOCOL`           | No (**Yes** if `EMAIL_PROVIDER` is set to `smtp`)     | The protocol used for the smtp server                                                                    | `smtp` or `smtps`                                    |

packages/services/emails/src/environment.ts

@@ -40,6 +40,7 @@ const RedisModel = zod.object({
   REDIS_HOST: zod.string(),
   REDIS_PORT: NumberFromString,
   REDIS_PASSWORD: emptyString(zod.string().optional()),
+  REDIS_TLS_ENABLED: emptyString(zod.union([zod.literal('1'), zod.literal('0')]).optional()),
 });
 
 const PostmarkEmailModel = zod.object({
@@ -193,6 +194,7 @@ export const env = {
     host: redis.REDIS_HOST,
     port: redis.REDIS_PORT,
     password: redis.REDIS_PASSWORD ?? '',
+    tlsEnabled: redis.REDIS_TLS_ENABLED === '1',
   },
   email: {
     provider: emailProviderConfig,

packages/services/emails/src/index.ts

@@ -66,6 +66,7 @@ async function main() {
         host: env.redis.host,
         port: env.redis.port,
         password: env.redis.password,
+        tlsEnabled: env.redis.tlsEnabled,
       },
       queueName: 'emails',
       emailProvider,

packages/services/emails/src/scheduler.ts

@@ -18,6 +18,7 @@ export function createScheduler(config: {
     host: string;
     port: number;
     password: string;
+    tlsEnabled: boolean;
   };
   queueName: string;
   emailProvider: EmailProvider;
@@ -126,6 +127,7 @@ export function createScheduler(config: {
       db: 0,
       maxRetriesPerRequest: null,
       enableReadyCheck: false,
+      tls: config.redis.tlsEnabled ? {} : undefined,
     });
 
     redisConnection.on('error', err => {

packages/services/schema/README.md

@@ -11,6 +11,7 @@ of subschemas.
 | `REDIS_HOST`                        | **Yes**  | The host of your redis instance.                                                                         | `"127.0.0.1"`                                        |
 | `REDIS_PORT`                        | **Yes**  | The port of your redis instance.                                                                         | `6379`                                               |
 | `REDIS_PASSWORD`                    | **Yes**  | The password of your redis instance.                                                                     | `"apollorocks"`                                      |
+| `REDIS_TLS_ENABLED`                 | **No**   | Enable TLS for redis connection (rediss://).                                                             | `"0"`                                                |
 | `ENCRYPTION_SECRET`                 | **Yes**  | Secret for encrypting stuff.                                                                             | `8ebe95cg21c1fee355e9fa32c8c33141`                   |
 | `ENVIRONMENT`                       | No       | The environment of your Hive app. (**Note:** This will be used for Sentry reporting.)                    | `staging`                                            |
 | `BODY_LIMIT`                        | No       | Maximum payload size in bytes. Defaults to 11 MB.                                                        | `11000000`                                           |

packages/services/schema/src/environment.ts

@@ -59,6 +59,7 @@ const RedisModel = zod.object({
   REDIS_HOST: zod.string(),
   REDIS_PORT: NumberFromString(),
   REDIS_PASSWORD: emptyString(zod.string().optional()),
+  REDIS_TLS_ENABLED: emptyString(zod.union([zod.literal('1'), zod.literal('0')]).optional()),
 });
 
 const PrometheusModel = zod.object({
@@ -151,6 +152,7 @@ export const env = {
     host: redis.REDIS_HOST,
     port: redis.REDIS_PORT,
     password: redis.REDIS_PASSWORD ?? '',
+    tlsEnabled: redis.REDIS_TLS_ENABLED === '1',
   },
   sentry: sentry.SENTRY === '1' ? { dsn: sentry.SENTRY_DSN } : null,
   log: {