From 8293f11f5329b194e481859d1a39b11aecd9e39a Mon Sep 17 00:00:00 2001
From: Michael Fitz-Payne
Date: Wed, 27 Apr 2022 12:02:26 +1000
Subject: [PATCH] FIX: cache_critical_dns - add TLS support for Redis healthcheck

For Redis connections that operate over TLS, we need to ensure that we are setting the correct arguments for the Redis client. We can utilise the existing environment variable `DISCOURSE_REDIS_USE_SSL` to toggle this behaviour.

No SSL verification is performed for two reasons:
- the Discourse application will perform a verification against any FQDN as specified for the Redis host
- the healthcheck is run against the _resolved_ IP address for the Redis hostname, and any SSL verification will always fail against a direct IP address

If no SSL arguments are provided, the IP address is never cached against the hostname as no healthy address is ever found in the HealthyCache.
---
 script/cache_critical_dns | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/script/cache_critical_dns b/script/cache_critical_dns
index 552d11b90bb..f496230e7ec 100755
--- a/script/cache_critical_dns
+++ b/script/cache_critical_dns
@@ -116,11 +116,18 @@ class HealthyCache
   end
 
   def redis_healthcheck(host:, password:)
-    client = Redis.new(
+    client_opts = {
       host: host,
       password: password,
       timeout: 1,
-    )
+    }
+    if !nilempty(ENV['DISCOURSE_REDIS_USE_SSL']).nil? then
+      client_opts[:ssl] = true
+      client_opts[:ssl_params] = {
+        verify_mode: OpenSSL::SSL::VERIFY_NONE,
+      }
+    end
+    client = Redis.new(**client_opts)
     response = client.ping
     response == "PONG"
   rescue
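Review bot: The `verify_mode: OpenSSL::SSL::VERIFY_NONE` added in the `ssl_params` block means the Redis password (passed via `password:` in `client_opts`) is sent to whatever answers at the resolved IP with no certificate check at all, so a spoofed DNS answer or a hijacked address can harvest the credential even though the main application verifies its own connection; the commit message only justifies skipping the hostname match, and chain verification against the system CA store is separable from that, e.g. `verify_mode: OpenSSL::SSL::VERIFY_PEER` with `verify_hostname: false`, provided the pinned redis-rb version does not additionally run its own post-connect hostname check against the IP, which is worth confirming before changing it. Separately, `!nilempty(ENV['DISCOURSE_REDIS_USE_SSL']).nil?` enables TLS for any non-empty value, so `DISCOURSE_REDIS_USE_SSL=false` would turn TLS on for the healthcheck while presumably leaving it off in the application's own boolean parsing; comparing against the literal, e.g. `if ENV['DISCOURSE_REDIS_USE_SSL'].to_s.downcase == 'true'`, keeps the two in step. If VERIFY_NONE is kept deliberately, the branch should carry a comment such as `# No chain or hostname verification: the peer is a resolved IP, so the password is sent to an unauthenticated endpoint; the app itself verifies the FQDN`. Stylistically, the `then` on a multi-line `if` and the `!...nil?` form read better as `unless nilempty(ENV['DISCOURSE_REDIS_USE_SSL']).nil?`. The `rescue` body of `redis_healthcheck` and the rest of `HealthyCache` continue outside the hunk.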