Redis cache: added parameter to disable SSL certificate verification

CHANGELOG.md

@@ -45,6 +45,7 @@
   - `-store-gateway.sharding-ring.instance-interface` renamed to `-store-gateway.sharding-ring.instance-interface-names`
   - `-distributor.ring.instance-interface` renamed to `-distributor.ring.instance-interface-names`
   - `-ruler.ring.instance-interface` renamed to `-ruler.ring.instance-interface-names`
+* [CHANGE] Renamed `-redis.enable-tls` CLI flag to `-redis.tls-enabled`, and its respective YAML config option from `enable_tls` to `tls_enabled`. #3298
 * [FEATURE] Added support for shuffle-sharding queriers in the query-frontend. When configured (`-frontend.max-queriers-per-tenant` globally, or using per-tenant limit `max_queriers_per_tenant`), each tenants's requests will be handled by different set of queriers. #3113 #3257
 * [FEATURE] Query-frontend: added `compression` config to support results cache with compression. #3217
 * [ENHANCEMENT] Expose additional HTTP configs for the S3 backend client. New flag are listed below: #3244
@@ -72,6 +73,7 @@
 * [ENHANCEMENT] Added shuffle sharding support to ruler. Added new metric `cortex_ruler_sync_rules_total`. #3235
 * [ENHANCEMENT] Return an explicit error when the store-gateway is explicitly requested without a blocks storage engine. #3287
 * [ENHANCEMENT] Ruler: only load rules that belong to the ruler. Improves rules synching performances when ruler sharding is enabled. #3269
+* [ENHANCEMENT] Added `-redis.tls-insecure-skip-verify` flag. #3298
 * [BUGFIX] No-longer-needed ingester operations for queries triggered by queriers and rulers are now canceled. #3178
 * [BUGFIX] Ruler: directories in the configured `rules-path` will be removed on startup and shutdown in order to ensure they don't persist between runs. #3195
 * [BUGFIX] Handle hash-collisions in the query path. #3192

docs/configuration/config-file-reference.md

@@ -2943,9 +2943,13 @@ The `redis_config` configures the Redis backend cache. The supported CLI flags `
 # CLI flag: -<prefix>.redis.password
 [password: <string> | default = ""]
 
-# Enables connecting to redis with TLS.
-# CLI flag: -<prefix>.redis.enable-tls
-[enable_tls: <boolean> | default = false]
+# Enable connecting to redis with TLS.
+# CLI flag: -<prefix>.redis.tls-enabled
+[tls_enabled: <boolean> | default = false]
+
+# Skip validating server certificate.
+# CLI flag: -<prefix>.redis.tls-insecure-skip-verify
+[tls_insecure_skip_verify: <boolean> | default = false]
 
 # Close connections after remaining idle for this duration. If the value is
 # zero, then idle connections are not closed.

docs/production/caching.md

@@ -103,8 +103,10 @@ You can also use [Redis](https://redis.io/) for out-of-process caching; this is
 -<prefix>.redis.master-name
     Redis Sentinel master group name.
     An empty string for Redis Server or Redis Cluster
--<prefix>.redis.enable-tls
-    Enables connecting to redis with TLS.
+-<prefix>.redis.tls-enabled
+    Enable connecting to redis with TLS.
+-<prefix>.redis.tls-insecure-skip-verify
+    Skip validating server certificate.
 -<prefix>.redis.expiration duration
     How long keys stay in the redis.
 -<prefix>.redis.db int

pkg/chunk/cache/redis_client.go

@@ -16,16 +16,17 @@ import (
 
 // RedisConfig defines how a RedisCache should be constructed.
 type RedisConfig struct {
-	Endpoint    string         `yaml:"endpoint"`
-	MasterName  string         `yaml:"master_name"`
-	Timeout     time.Duration  `yaml:"timeout"`
-	Expiration  time.Duration  `yaml:"expiration"`
-	DB          int            `yaml:"db"`
-	PoolSize    int            `yaml:"pool_size"`
-	Password    flagext.Secret `yaml:"password"`
-	EnableTLS   bool           `yaml:"enable_tls"`
-	IdleTimeout time.Duration  `yaml:"idle_timeout"`
-	MaxConnAge  time.Duration  `yaml:"max_connection_age"`
+	Endpoint           string         `yaml:"endpoint"`
+	MasterName         string         `yaml:"master_name"`
+	Timeout            time.Duration  `yaml:"timeout"`
+	Expiration         time.Duration  `yaml:"expiration"`
+	DB                 int            `yaml:"db"`
+	PoolSize           int            `yaml:"pool_size"`
+	Password           flagext.Secret `yaml:"password"`
+	EnableTLS          bool           `yaml:"tls_enabled"`
+	InsecureSkipVerify bool           `yaml:"tls_insecure_skip_verify"`
+	IdleTimeout        time.Duration  `yaml:"idle_timeout"`
+	MaxConnAge         time.Duration  `yaml:"max_connection_age"`
 }
 
 // RegisterFlagsWithPrefix adds the flags required to config this to the given FlagSet
@@ -37,7 +38,8 @@ func (cfg *RedisConfig) RegisterFlagsWithPrefix(prefix, description string, f *f
 	f.IntVar(&cfg.DB, prefix+"redis.db", 0, description+"Database index.")
 	f.IntVar(&cfg.PoolSize, prefix+"redis.pool-size", 0, description+"Maximum number of connections in the pool.")
 	f.Var(&cfg.Password, prefix+"redis.password", description+"Password to use when connecting to redis.")
-	f.BoolVar(&cfg.EnableTLS, prefix+"redis.enable-tls", false, description+"Enables connecting to redis with TLS.")
+	f.BoolVar(&cfg.EnableTLS, prefix+"redis.tls-enabled", false, description+"Enable connecting to redis with TLS.")
+	f.BoolVar(&cfg.InsecureSkipVerify, prefix+"redis.tls-insecure-skip-verify", false, description+"Skip validating server certificate.")
 	f.DurationVar(&cfg.IdleTimeout, prefix+"redis.idle-timeout", 0, description+"Close connections after remaining idle for this duration. If the value is zero, then idle connections are not closed.")
 	f.DurationVar(&cfg.MaxConnAge, prefix+"redis.max-connection-age", 0, description+"Close connections older than this duration. If the value is zero, then the pool does not close connections based on age.")
 }
@@ -60,7 +62,7 @@ func NewRedisClient(cfg *RedisConfig) *RedisClient {
 		MaxConnAge:  cfg.MaxConnAge,
 	}
 	if cfg.EnableTLS {
-		opt.TLSConfig = &tls.Config{}
+		opt.TLSConfig = &tls.Config{InsecureSkipVerify: cfg.InsecureSkipVerify}
 	}
 	return &RedisClient{
 		expiration: cfg.Expiration,