feat: support Redis TLS

Signed-off-by: knqyf263 <[email protected]>

Author: knqyf263

Makefile

@@ -39,8 +39,8 @@ dev:
 debug:
 	skaffold debug --tolerate-failures-until-deadline=true
 
-run: export SCANNER_TRIVY_CACHE_DIR = $(TMPDIR)harbor-scanner-trivy/.cache/trivy
-run: export SCANNER_TRIVY_REPORTS_DIR=$(TMPDIR)harbor-scanner-trivy/.cache/reports
+run: export SCANNER_TRIVY_CACHE_DIR = $(TMPDIR)/harbor-scanner-trivy/.cache/trivy
+run: export SCANNER_TRIVY_REPORTS_DIR=$(TMPDIR)/harbor-scanner-trivy/.cache/reports
 run: export SCANNER_LOG_LEVEL=debug
 run:
 	@mkdir -p $(SCANNER_TRIVY_CACHE_DIR) $(SCANNER_TRIVY_REPORTS_DIR)

pkg/etc/config.go

@@ -73,6 +73,7 @@ type RedisPool struct {
 	ConnectionTimeout time.Duration `env:"SCANNER_REDIS_POOL_CONNECTION_TIMEOUT" envDefault:"1s"`
 	ReadTimeout       time.Duration `env:"SCANNER_REDIS_POOL_READ_TIMEOUT" envDefault:"1s"`
 	WriteTimeout      time.Duration `env:"SCANNER_REDIS_POOL_WRITE_TIMEOUT" envDefault:"1s"`
+	CACert            string        `env:"SCANNER_REDIS_CA_CERT" envDefault:""` // For private certs
 }
 
 func LogLevel() slog.Level {

pkg/redisx/pool.go

@@ -2,9 +2,11 @@ package redisx
 
 import (
 	"context"
+	"crypto/x509"
 	"fmt"
 	"log/slog"
 	"net/url"
+	"os"
 	"strconv"
 	"strings"
 
@@ -25,7 +27,7 @@ func NewClient(config etc.RedisPool) (*redis.Client, error) {
 	}
 
 	switch configURL.Scheme {
-	case "redis":
+	case "redis", "rediss":
 		return newInstancePool(config)
 	case "redis+sentinel":
 		return newSentinelPool(configURL, config)
@@ -36,7 +38,7 @@ func NewClient(config etc.RedisPool) (*redis.Client, error) {
 
 // redis://user:password@host:port/db-number
 func newInstancePool(config etc.RedisPool) (*redis.Client, error) {
-	// TODO: Ask the Harbor team about why they use "idle_timeout_seconds" instead of "idle_timeout".
+	// redigo uses "idle_timeout_seconds" for the idle timeout configuration
 	config.URL = strings.ReplaceAll(config.URL, "idle_timeout_seconds", "idle_timeout")
 
 	slog.Debug("Constructing connection pool for Redis", slog.String("url", config.URL))
@@ -53,6 +55,17 @@ func newInstancePool(config etc.RedisPool) (*redis.Client, error) {
 		return nil
 	}
 
+	if options.TLSConfig != nil && config.CACert != "" {
+		// Load the CA certificate
+		caCert, err := os.ReadFile(config.CACert)
+		if err != nil {
+			return nil, xerrors.Errorf("unable to read CA certificate: %s", err)
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+		options.TLSConfig.RootCAs = caCertPool
+	}
+
 	return redis.NewClient(options), nil
 }
 

pkg/redisx/pool_test.go

@@ -12,11 +12,11 @@ import (
 
 func TestGetPool(t *testing.T) {
 
-	t.Run("Should return error when configured to connect to secure redis", func(t *testing.T) {
+	t.Run("Should not return error when configured to connect to secure redis", func(t *testing.T) {
 		_, err := NewClient(etc.RedisPool{
 			URL: "rediss://hostname:6379",
 		})
-		assert.EqualError(t, err, "invalid redis URL scheme: rediss")
+		assert.NoError(t, err)
 	})
 
 	t.Run("Should return error when configured with unsupported url scheme", func(t *testing.T) {