Merge pull request #9108 from jumpserver/pr@dev@perf_redis_sentinel_support_ssl

perf: 支持sentinel开启ssl(Sentinel和Redis公用一套证书，无额外增加配置项)

apps/jumpserver/conf.py

@@ -202,6 +202,7 @@ class Config(dict):
         'REDIS_SSL_KEY': None,
         'REDIS_SSL_CERT': None,
         'REDIS_SSL_CA': None,
+        'REDIS_SSL_REQUIRED': 'none',
         # Redis Sentinel
         'REDIS_SENTINEL_HOSTS': '',
         'REDIS_SENTINEL_PASSWORD': '',

apps/jumpserver/settings/base.py

@@ -1,6 +1,9 @@
 import os
 import platform
 
+from redis.sentinel import SentinelManagedSSLConnection
+
+
 if platform.system() == 'Darwin' and platform.machine() == 'arm64':
     import pymysql
 
@@ -195,7 +198,7 @@ DATABASES = {
     }
 }
 
-DB_CA_PATH = os.path.join(PROJECT_DIR, 'data', 'certs', 'db_ca.pem')
+DB_CA_PATH = os.path.join(CERTS_DIR, 'db_ca.pem')
 DB_USE_SSL = False
 if CONFIG.DB_ENGINE.lower() == 'mysql':
     DB_OPTIONS['init_command'] = "SET sql_mode='STRICT_TRANS_TABLES'"
@@ -317,10 +320,19 @@ if REDIS_SENTINEL_SERVICE_NAME and REDIS_SENTINELS:
         'CLIENT_CLASS': 'django_redis.client.SentinelClient',
         'SENTINELS': REDIS_SENTINELS, 'PASSWORD': CONFIG.REDIS_PASSWORD,
         'SENTINEL_KWARGS': {
+            'ssl': REDIS_USE_SSL,
+            'ssl_cert_reqs': REDIS_SSL_REQUIRED,
+            "ssl_keyfile": REDIS_SSL_KEY,
+            "ssl_certfile": REDIS_SSL_CERT,
+            "ssl_ca_certs": REDIS_SSL_CA,
             'password': REDIS_SENTINEL_PASSWORD,
             'socket_timeout': REDIS_SENTINEL_SOCKET_TIMEOUT
         }
     })
+    if REDIS_USE_SSL:
+        REDIS_OPTIONS['CONNECTION_POOL_KWARGS'].update({
+            'connection_class': SentinelManagedSSLConnection
+        })
     DJANGO_REDIS_CONNECTION_FACTORY = 'django_redis.pool.SentinelConnectionFactory'
 else:
     REDIS_LOCATION_NO_DB = '%(protocol)s://:%(password)s@%(host)s:%(port)s/{}' % {

apps/jumpserver/settings/libs.py

@@ -102,7 +102,12 @@ if REDIS_SENTINEL_SERVICE_NAME and REDIS_SENTINELS:
     REDIS_LAYERS_HOST['master_name'] = REDIS_SENTINEL_SERVICE_NAME
     REDIS_LAYERS_HOST['sentinel_kwargs'] = {
         'password': REDIS_SENTINEL_PASSWORD,
-        'socket_timeout': REDIS_SENTINEL_SOCKET_TIMEOUT
+        'socket_timeout': REDIS_SENTINEL_SOCKET_TIMEOUT,
+        'ssl': REDIS_USE_SSL,
+        'ssl_cert_reqs': REDIS_SSL_REQUIRED,
+        "ssl_keyfile": REDIS_SSL_KEY,
+        "ssl_certfile": REDIS_SSL_CERT,
+        "ssl_ca_certs": REDIS_SSL_CA
     }
 else:
     # More info see: https://github.com/django/channels_redis/issues/334
@@ -140,7 +145,12 @@ if REDIS_SENTINEL_SERVICE_NAME and REDIS_SENTINELS:
         'master_name': REDIS_SENTINEL_SERVICE_NAME,
         'sentinel_kwargs': {
             'password': REDIS_SENTINEL_PASSWORD,
-            'socket_timeout': REDIS_SENTINEL_SOCKET_TIMEOUT
+            'socket_timeout': REDIS_SENTINEL_SOCKET_TIMEOUT,
+            'ssl': REDIS_USE_SSL,
+            'ssl_cert_reqs': REDIS_SSL_REQUIRED,
+            "ssl_keyfile": REDIS_SSL_KEY,
+            "ssl_certfile": REDIS_SSL_CERT,
+            "ssl_ca_certs": REDIS_SSL_CA
         }
     }
     CELERY_BROKER_TRANSPORT_OPTIONS = CELERY_RESULT_BACKEND_TRANSPORT_OPTIONS = SENTINEL_OPTIONS

utils/start_celery_beat.py

@@ -39,6 +39,11 @@ if REDIS_SENTINEL_SERVICE_NAME and REDIS_SENTINELS:
     connection_params['sentinels'] = REDIS_SENTINELS
     sentinel_client = Sentinel(
         **connection_params, sentinel_kwargs={
+            'ssl': settings.REDIS_USE_SSL,
+            'ssl_cert_reqs': settings.REDIS_SSL_REQUIRED,
+            'ssl_keyfile': settings.REDIS_SSL_KEY,
+            'ssl_certfile': settings.REDIS_SSL_CERT,
+            'ssl_ca_certs': settings.REDIS_SSL_CA,
             'password': REDIS_SENTINEL_PASSWORD,
             'socket_timeout': REDIS_SENTINEL_SOCKET_TIMEOUT
         }