Require password auth for redis access

pillar/top.sls

@@ -120,6 +120,7 @@ base:
   '*_heavynode':
     - elasticsearch.auth
     - soc_global
+    - redis.soc_redis
     - minions.{{ grains.id }}
     - minions.adv_{{ grains.id }}
 
@@ -136,6 +137,7 @@ base:
     {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
     - elasticsearch.auth
     {% endif %}
+    - redis.soc_redis
     - soc_global
     - adv_global
     - minions.{{ grains.id }}
@@ -148,6 +150,8 @@ base:
     {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
     - elasticsearch.auth
     {% endif %}
+    - redis.soc_redis
+    - redis.adv_redis
     - soc_global
     - adv_global
     - minions.{{ grains.id }}

salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja

@@ -1,9 +1,10 @@
-{% set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') -%}
+{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
-{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) -%}
+{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
-{% from 'logstash/map.jinja' import REDIS_NODES with context -%}
+{%- from 'logstash/map.jinja' import REDIS_NODES with context %}
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass') %}
 
-{% for index in range(REDIS_NODES|length) -%}
+{%- for index in range(REDIS_NODES|length) %}
-{%   for host in REDIS_NODES[index] -%}
+{%-   for host in REDIS_NODES[index] %}
 input {
         redis {
                 host => '{{ host }}'
@@ -14,6 +15,7 @@ input {
                 type => 'redis-input'
                 threads => {{ THREADS }}
                 batch_count => {{ BATCH }}
+                password => {{ REDIS_PASS }}
         }
 }
 {%   endfor %}

salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja

@@ -4,6 +4,8 @@
   {%- set HOST = GLOBALS.manager %}
 {%- endif %}
 {%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass') %}
+
 output {
 	redis {
 		host => '{{ HOST }}'
@@ -14,5 +16,6 @@ output {
 		congestion_threshold => 50000000
 		batch => true
 		batch_events => {{ BATCH }}
+		password => {{ REDIS_PASS }}
 	}
 }

salt/redis/defaults.yaml

@@ -1,7 +1,7 @@
 redis:
   config:
     bind: '0.0.0.0'
-    protected-mode: 'no'
+    protected-mode: 'yes'
     tls-cert-file: '/certs/redis.crt'
     tls-key-file: '/certs/redis.key'
     tls-ca-cert-file: '/certs/ca.crt'

salt/redis/soc_redis.yaml

@@ -10,6 +10,10 @@ redis:
       global: True
       advanced: True
       helpLink: redis.html
+    requirepass:
+      description: Password for accessing Redis.
+      global: True
+      sensitive: True
     tls-cert-file: 
       description: TLS cert file location.
       global: True

setup/so-functions

@@ -1209,6 +1209,7 @@ generate_passwords(){
   GRAFANAPASS=$(get_random_value)
   SENSORONIKEY=$(get_random_value)
   KRATOSKEY=$(get_random_value)
+  REDISPASS=$(get_random_value)
 }
 
 generate_interface_vars() {
@@ -1496,7 +1497,10 @@ docker_pillar() {
 redis_pillar() {
 	title "Create the redis pillar file"
 	touch $adv_redis_pillar_file
-	touch $redis_pillar_file
+	printf '%s\n'\
+		"redis:"\
+		"  config:"\
+		"    requirepass: '$REDISPASS'" > $redis_pillar_file
 }
 
 influxdb_pillar() {