9 changes: 8 additions & 1 deletion bindings/redis/metadata.yaml
Expand Up @@ -89,10 +89,17 @@ metadata:
- name: enableTLS
type: bool
required: false
description: |
description: |
If the Redis instance supports TLS; can be configured to be enabled or disabled.
example: "true"
default: "false"
- name: insecureSkipTLSVerify
type: bool
required: false
description: |
Skip TLS certificate verification (insecure). Only use for testing.
example: "false"
default: "false"
- name: clientCert
required: false
description: Client certificate for Redis host. No Default. Can be secretKeyRef to use a secret reference
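Review bot: The new `insecureSkipTLSVerify` description does not say that the flag only has an effect when `enableTLS` is true, nor what is given up when it is set; the Go hunks on this page read it only inside `if s.EnableTLS`. I would extend it to something like `Skip TLS certificate verification (insecure). Only applies when enableTLS is true. The server's identity is not checked, so the connection can be intercepted. Only use for testing.` The `enableTLS` description just above could also state that the server certificate is now verified by default. The same wording applies to the identical entries added in configuration/redis, lock/redis, pubsub/redis and state/redis metadata.yaml.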
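--- a/common/component/redis/redis_test.go
+++ b/common/component/redis/redis_test.go
@@ -112,6 +112,18 @@ func TestParseRedisMetadata(t *testing.T) {
 assert.True(t, m.Failover)
 assert.Equal(t, "master", m.SentinelMasterName)
 assert.False(t, m.UseEntraID)
+assert.False(t, m.InsecureSkipTLSVerify, "InsecureSkipTLSVerify should default to false when not set")
+})
+
+t.Run("insecureSkipTLSVerify is set to true", func(t *testing.T) {
+fakeProperties := getFakeProperties()
+fakeProperties["insecureSkipTLSVerify"] = "true"
+
+m := &Settings{}
+err := m.Decode(fakeProperties)
+
+require.NoError(t, err)
+assert.True(t, m.InsecureSkipTLSVerify)
 })
 
 // TODO: Refactor shared redis code to throw error for missing properties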
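Review bot: Both added assertions exercise only `Settings.Decode`; nothing here checks the code path that was actually wrong, namely that a client built with `EnableTLS` true and the new flag unset ends up with `TLSConfig.InsecureSkipVerify == false`. As written, reverting the constructor lines in v8client.go and v9client.go back to `s.EnableTLS` would leave this test green, so a regression test on those constructors (or on a shared config helper, if one is factored out) is worth adding. A case for an explicit `"false"` and one for a non-boolean value would also show how Decode treats them. TestParseRedisMetadata starts and ends outside the hunk.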
7 changes: 6 additions & 1 deletion common/component/redis/settings.go
Expand Up @@ -86,9 +86,14 @@ type Settings struct {
// Use Redis Sentinel for automatic failover.
Failover bool `mapstructure:"failover"`

// A flag to enables TLS by setting InsecureSkipVerify to true
// A flag to enable TLS for the Redis connection
EnableTLS bool `mapstructure:"enableTLS"`

// A flag to skip TLS certificate verification (insecure, use only for testing).
// Defaults to false. When EnableTLS is true and this is false, proper certificate
// verification is performed.
InsecureSkipTLSVerify bool `mapstructure:"insecureSkipTLSVerify"`

// Client certificate and key
ClientCert string `mapstructure:"clientCert"`
ClientKey string `mapstructure:"clientKey"`
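Review bot: The doc comment on `InsecureSkipTLSVerify` does not record that this is a behaviour change for existing configurations. The old comment text in this section and the client hunks indicate that `EnableTLS` used to set `InsecureSkipVerify` to true, so deployments whose Redis presents a self-signed or private-CA certificate will presumably start failing the handshake after upgrading. I would add a line such as `// Before this field existed, EnableTLS disabled verification; set this explicitly to keep that behaviour.` No setting for a custom CA bundle is visible here (only `ClientCert` and `ClientKey` follow); if none exists elsewhere in Settings, this flag is the only way to reach a privately signed server, which steers users toward the insecure option. The struct starts and ends outside the hunk.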
6 changes: 3 additions & 3 deletions common/component/redis/v8client.go
Expand Up @@ -351,7 +351,7 @@ func newV8FailoverClient(s *Settings) (RedisClient, error) {

if s.EnableTLS {
opts.TLSConfig = &tls.Config{
InsecureSkipVerify: s.EnableTLS, //nolint:gosec
InsecureSkipVerify: s.InsecureSkipTLSVerify, //nolint:gosec
}
err := s.SetCertificate(func(cert *tls.Certificate) {
opts.TLSConfig.Certificates = []tls.Certificate{*cert}
Expand Down Expand Up @@ -408,7 +408,7 @@ func newV8Client(s *Settings) (RedisClient, error) {
/* #nosec */
if s.EnableTLS {
options.TLSConfig = &tls.Config{
InsecureSkipVerify: s.EnableTLS,
InsecureSkipVerify: s.InsecureSkipTLSVerify,
}
err := s.SetCertificate(func(cert *tls.Certificate) {
options.TLSConfig.Certificates = []tls.Certificate{*cert}
Expand Down Expand Up @@ -448,7 +448,7 @@ func newV8Client(s *Settings) (RedisClient, error) {
/* #nosec */
if s.EnableTLS {
options.TLSConfig = &tls.Config{
InsecureSkipVerify: s.EnableTLS,
InsecureSkipVerify: s.InsecureSkipTLSVerify,
}
err := s.SetCertificate(func(cert *tls.Certificate) {
options.TLSConfig.Certificates = []tls.Certificate{*cert}
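Review bot: The scanner suppressions in these three hunks are still blanket and carry no justification: `//nolint:gosec` in newV8FailoverClient and a bare `/* #nosec */` above each `if s.EnableTLS` in newV8Client. Now that the value is an explicit opt-in, I would narrow them and state the reason on the line itself, e.g. `InsecureSkipVerify: s.InsecureSkipTLSVerify, // #nosec G402 -- opt-in via insecureSkipTLSVerify, defaults to false`, so the suppression cannot hide an unrelated finding inside the block. Nothing visible tells an operator at runtime that verification has been switched off; if a logger is available in these constructors, a warning when `s.InsecureSkipTLSVerify` is true would make that visible in deployment logs. The same applies to the three hunks in v9client.go; all of these functions continue outside the hunks.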
6 changes: 3 additions & 3 deletions common/component/redis/v9client.go
Expand Up @@ -352,7 +352,7 @@ func newV9FailoverClient(s *Settings) (RedisClient, error) {
/* #nosec */
if s.EnableTLS {
opts.TLSConfig = &tls.Config{
InsecureSkipVerify: s.EnableTLS,
InsecureSkipVerify: s.InsecureSkipTLSVerify,
}
err := s.SetCertificate(func(cert *tls.Certificate) {
opts.TLSConfig.Certificates = []tls.Certificate{*cert}
Expand Down Expand Up @@ -411,7 +411,7 @@ func newV9Client(s *Settings) (RedisClient, error) {
if s.EnableTLS {
/* #nosec */
options.TLSConfig = &tls.Config{
InsecureSkipVerify: s.EnableTLS,
InsecureSkipVerify: s.InsecureSkipTLSVerify,
}
err := s.SetCertificate(func(cert *tls.Certificate) {
options.TLSConfig.Certificates = []tls.Certificate{*cert}
Expand Down Expand Up @@ -451,7 +451,7 @@ func newV9Client(s *Settings) (RedisClient, error) {
if s.EnableTLS {
/* #nosec */
options.TLSConfig = &tls.Config{
InsecureSkipVerify: s.EnableTLS,
InsecureSkipVerify: s.InsecureSkipTLSVerify,
}
err := s.SetCertificate(func(cert *tls.Certificate) {
options.TLSConfig.Certificates = []tls.Certificate{*cert}
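Review bot: The same `tls.Config` literal followed by `s.SetCertificate(...)` appears in all three hunks here and in the three in v8client.go, and this fix had to touch each copy separately. A single method on Settings that builds the base config, for example `func (s *Settings) baseTLSConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: s.InsecureSkipTLSVerify} }` (name is a suggestion), would give the verification default one place to live and one place to test, so a later change cannot leave one constructor behind. The enclosing functions start and end outside the hunks.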
9 changes: 8 additions & 1 deletion configuration/redis/metadata.yaml
Expand Up @@ -77,10 +77,17 @@ metadata:
- name: enableTLS
type: bool
required: false
description: |
description: |
If the Redis instance supports TLS; can be configured to be enabled or disabled.
example: "true"
default: "false"
- name: insecureSkipTLSVerify
type: bool
required: false
description: |
Skip TLS certificate verification (insecure). Only use for testing.
example: "false"
default: "false"
- name: clientCert
required: false
description: Client certificate for Redis host. No Default. Can be secretKeyRef to use a secret reference
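--- a/lock/redis/metadata.yaml
+++ b/lock/redis/metadata.yaml
@@ -173,6 +173,12 @@ metadata:
 description: "Whether to enable TLS encryption"
 example: "false"
 default: "false"
+- name: insecureSkipTLSVerify
+required: false
+type: bool
+description: "Skip TLS certificate verification (insecure). Only use for testing."
+example: "false"
+default: "false"
 - name: useEntraID
 required: false
 type: bool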
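--- a/pubsub/redis/metadata.yaml
+++ b/pubsub/redis/metadata.yaml
@@ -87,6 +87,13 @@ metadata:
 example: "false"
 type: bool
 default: "false"
+- name: insecureSkipTLSVerify
+required: false
+description: |
+Skip TLS certificate verification (insecure). Only use for testing.
+example: "false"
+type: bool
+default: "false"
 - name: clientCert
 required: false
 description: Client certificate for Redis host. No Default. Can be secretKeyRef to use a secret reference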
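--- a/state/redis/metadata.yaml
+++ b/state/redis/metadata.yaml
@@ -85,6 +85,13 @@ metadata:
 description: If the Redis instance supports TLS with public certificates, can be configured to be enabled or disabled. Defaults to false.
 example: "false"
 type: bool
+- name: insecureSkipTLSVerify
+required: false
+description: |
+Skip TLS certificate verification (insecure). Only use for testing.
+example: "false"
+type: bool
+default: "false"
 - name: clientCert
 required: false
 description: Client certificate for Redis host. No Default. Can be secretKeyRef to use a secret reference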