roadrunner-server · rustatian · Nov 20, 2024 · Nov 19, 2024 · Nov 19, 2024 · Nov 19, 2024
diff --git a/kv/config.go b/kv/config.go
@@ -1,6 +1,7 @@
 package kv
 
 import (
+	"crypto/tls"
 	"time"
 )
 
@@ -26,6 +27,12 @@ type Config struct {
 	IdleTimeout      time.Duration `mapstructure:"idle_timeout"`
 	IdleCheckFreq    time.Duration `mapstructure:"idle_check_freq"`
 	ReadOnly         bool          `mapstructure:"read_only"`
+	TLSConfig        TLSConfig     `mapstructure:"tls"`
+}
+
+type TLSConfig struct {
+	MinVersion string `mapstructure:"min_version"`
+	CaFile     string `mapstructure:"ca_file"`
 }
 
 // InitDefaults initializing fill config with default values
@@ -34,3 +41,16 @@ func (s *Config) InitDefaults() {
 		s.Addrs = []string{"127.0.0.1:6379"} // default addr is pointing to local storage
 	}
 }
+
+func (t *TLSConfig) TLSVersion() uint16 {
+	switch t.MinVersion {
+	case "1.0":
+		return tls.VersionTLS10
+	case "1.1":
+		return tls.VersionTLS11
+	case "1.2":
+		return tls.VersionTLS12
+	default:
+		return tls.VersionTLS13
+	}
+}
diff --git a/kv/driver.go b/kv/driver.go
@@ -2,7 +2,10 @@
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	stderr "errors"
+	"os"
 	"strings"
 	"time"
 	"unsafe"
@@ -53,7 +56,7 @@
 
 	d.cfg.InitDefaults()
 
-	d.universalClient = redis.NewUniversalClient(&redis.UniversalOptions{
+	redisOptions := &redis.UniversalOptions{
 		Addrs:            d.cfg.Addrs,
 		DB:               d.cfg.DB,
 		Username:         d.cfg.Username,
@@ -74,7 +77,39 @@
 		RouteByLatency:   d.cfg.RouteByLatency,
 		RouteRandomly:    d.cfg.RouteRandomly,
 		MasterName:       d.cfg.MasterName,
-	})
+	}
+
+	tlsConfig := &tls.Config{}
+	rootCAs, _ := x509.SystemCertPool()
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
+
+	if d.cfg.TLSConfig.MinVersion != "" {
+		tlsConfig.MinVersion = d.cfg.TLSConfig.TLSVersion()
+	}
+
+	if d.cfg.TLSConfig.CaFile != "" {
+		if _, crtExistErr := os.Stat(d.cfg.TLSConfig.CaFile); crtExistErr != nil {
+			return nil, errors.E(op, crtExistErr)
+		}
+
+		bytes, crtReadErr := os.ReadFile(d.cfg.TLSConfig.CaFile)
+		if crtReadErr != nil {
+			return nil, errors.E(op, crtReadErr)
+		}
+
+		if !rootCAs.AppendCertsFromPEM(bytes) {
+			return nil, errors.E(op, errors.Errorf("failed to append certs from PEM file: %s", d.cfg.TLSConfig.CaFile))
+		}
+	}
+
+	if d.cfg.TLSConfig.CaFile != "" || d.cfg.TLSConfig.MinVersion != "" {
+		tlsConfig.RootCAs = rootCAs
+		redisOptions.TLSConfig = tlsConfig
+	}
+
+	d.universalClient = redis.NewUniversalClient(redisOptions)
 
 	err = redisotel.InstrumentMetrics(d.universalClient)
 	if err != nil {