Require password auth for redis access

2025-12-07 17:52:46 +01:00 · 2023-01-04 11:02:40 -05:00
parent cd77e71d8d
commit 831300b540
6 changed files with 24 additions and 7 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -120,6 +120,7 @@ base:
  '*_heavynode':
    - elasticsearch.auth
    - soc_global
+    - redis.soc_redis
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}

@@ -136,6 +137,7 @@ base:
    {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
    {% endif %}
+    - redis.soc_redis
    - soc_global
    - adv_global
    - minions.{{ grains.id }}
@@ -148,6 +150,8 @@ base:
    {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
    {% endif %}
+    - redis.soc_redis
+    - redis.adv_redis
    - soc_global
    - adv_global
    - minions.{{ grains.id }}
--- a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
@@ -1,9 +1,10 @@
-{% set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') -%}
-{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) -%}
-{% from 'logstash/map.jinja' import REDIS_NODES with context -%}
+{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
+{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+{%- from 'logstash/map.jinja' import REDIS_NODES with context %}
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass') %}

-{% for index in range(REDIS_NODES|length) -%}
-{%   for host in REDIS_NODES[index] -%}
+{%- for index in range(REDIS_NODES|length) %}
+{%-   for host in REDIS_NODES[index] %}
 input {
        redis {
                host => '{{ host }}'
@@ -14,6 +15,7 @@ input {
                type => 'redis-input'
                threads => {{ THREADS }}
                batch_count => {{ BATCH }}
+                password => {{ REDIS_PASS }}
        }
 }
 {%   endfor %}
--- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
@@ -4,6 +4,8 @@
  {%- set HOST = GLOBALS.manager %}
 {%- endif %}
 {%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass') %}
+
 output {
 	redis {
 		host => '{{ HOST }}'
@@ -14,5 +16,6 @@ output {
 		congestion_threshold => 50000000
 		batch => true
 		batch_events => {{ BATCH }}
+		password => {{ REDIS_PASS }}
 	}
 }
--- a/salt/redis/defaults.yaml
+++ b/salt/redis/defaults.yaml
@@ -1,7 +1,7 @@
 redis:
  config:
    bind: '0.0.0.0'
-    protected-mode: 'no'
+    protected-mode: 'yes'
    tls-cert-file: '/certs/redis.crt'
    tls-key-file: '/certs/redis.key'
    tls-ca-cert-file: '/certs/ca.crt'
--- a/salt/redis/soc_redis.yaml
+++ b/salt/redis/soc_redis.yaml
@@ -10,6 +10,10 @@ redis:
      global: True
      advanced: True
      helpLink: redis.html
+    requirepass:
+      description: Password for accessing Redis.
+      global: True
+      sensitive: True
    tls-cert-file: 
      description: TLS cert file location.
      global: True
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1209,6 +1209,7 @@ generate_passwords(){
  GRAFANAPASS=$(get_random_value)
  SENSORONIKEY=$(get_random_value)
  KRATOSKEY=$(get_random_value)
+  REDISPASS=$(get_random_value)
 }

 generate_interface_vars() {
@@ -1496,7 +1497,10 @@ docker_pillar() {
 redis_pillar() {
 	title "Create the redis pillar file"
 	touch $adv_redis_pillar_file
-	touch $redis_pillar_file
+	printf '%s\n'\
+		"redis:"\
+		"  config:"\
+		"    requirepass: '$REDISPASS'" > $redis_pillar_file
 }

 influxdb_pillar() {