Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for using SSL connections to Redis. #129

Merged
merged 1 commit into from
May 8, 2019
Merged

Add support for using SSL connections to Redis. #129

merged 1 commit into from
May 8, 2019

Conversation

ajknv
Copy link
Contributor

@ajknv ajknv commented Mar 19, 2019

Requires a build or release of netbox containing pull request netbox-community/netbox#3012.

cimnine
cimnine reviewed Mar 19, 2019
View reviewed changes
Copy link
Collaborator

@cimnine cimnine left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you very much for this PR. I would like to wait for this PR to be merged until the change is actually released in Netbox.

env/netbox.env
@@ -15,6 +15,7 @@ NAPALM_TIMEOUT=10
MAX_PAGE_SIZE=1000
REDIS_HOST=redis
REDIS_PASSWORD=H733Kdjndks81
REDIS_SSL=false
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is not necessary, as the default is false anyway, and we don't have all the variables in the list either.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was on the fence; initially I almost made the pull request with suggested change of making it true by default in the env file since using a password without SSL is still pretty fundamentally insecure (the AUTH command sends it as plaintext). Redis ElastiCache in AWS doesn't even permit using auth without SSL. But I wasn't sure how widely common it would be for people to actually have their Redis servers configured for SSL. Thus explicitly calling out the unsafe default combination of parameters here seemed like a compromise.

Copy link
Collaborator

@cimnine cimnine Mar 22, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤔 Fair point.

Turning TLS on by default would not work, because the Redis which is started with the default docker-compose.yml configuration of netbox-docker is not configured for TLS, and it would be hard to do so.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I dislike that it's called REDIS_SSL, as SSL is dead and was superseded by TLS almost 20 years ago. What do you think about changing the name to REDIS_TLS?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm fine with either name, it's just that for better or worse the redis-py library kwarg for this parameter is named 'ssl'. I just tried to thread it back up the stack with the matching name. So django-rq (the real root dependency here) and the main netbox project have already accepted the pull requests with the REDIS_SSL naming. Thus the risk (albeit small) to using a different name here would be the potential for confusion, especially in terms of making the mapping between netbox-docker and netbox itself.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

¯_(ツ)_/¯

@cimnine cimnine added the enhancement The issue describes an enhancement that we would like to implement in the future. label Mar 25, 2019
@cimnine
Copy link
Collaborator

cimnine commented Mar 25, 2019

Thank you once more for this. I'm planing on merging this as soon as I have some minutes to spare.

@cimnine
Copy link
Collaborator

cimnine commented Mar 27, 2019
edited
Loading

Just a quick update: I've decided to wait with merging this until the feature is actually released in Netbox.

@ajknv
Copy link
Contributor Author

ajknv commented Mar 27, 2019
edited
Loading

Sure, that's pretty much how I figured it would need to be sequenced.

@cimnine cimnine merged commit 5beb309 into netbox-community:master May 8, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cimnine cimnine cimnine approved these changes

Assignees
No one assigned
Labels
enhancement The issue describes an enhancement that we would like to implement in the future.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ajknv @cimnine