Use redis for OCSP as well, in different database number

2026-01-27 02:19:27 +00:00 · 2025-02-16 16:25:27 +01:00
parent 580fb4407e
commit 9bad889fab
5 changed files with 74 additions and 0 deletions
--- a/patch-cfg.sh
+++ b/patch-cfg.sh
@@ -73,6 +73,13 @@ perl -i -p0e "s/(services {\s*id\s*=\s*\"bredis4\".*?}\n\n)//igs" consul/config.
 sed -i -e "s|test/certs|/opt/boulder/labca/certs|" consul/config.hcl
 sed -i -e "s|/test/certs|/opt/boulder/labca/certs|" redis-ratelimits.config

+perl -i -p0e "s/(\s*)(\"passwordFile\":.*?,).*(\"shardAddrs\": {)/\1\2\1\"db\": 0,\1\3/igs" config/ocsp-responder.json
+perl -i -p0e "s/(\"shardAddrs\": {\n)(\s*).*?(\s*},)/\1\2\"shard1\": \"10.33.33.4:4218\"\3/igs" config/ocsp-responder.json
+perl -i -p0e "s/(\s*)(\"passwordFile\":.*?,).*(\"lookups\": \[)/\1\2\1\"db\": 1,\1\3/igs" config/ra.json
+perl -i -p0e "s/(\s*)(\"passwordFile\":.*?,).*(\"shardAddrs\": {)/\1\2\1\"db\": 0,\1\3/igs" config/rocsp-tool.json
+perl -i -p0e "s/(\"shardAddrs\": {\n)(\s*).*?(\s*},)/\1\2\"shard1\": \"10.33.33.4:4218\"\3/igs" config/rocsp-tool.json
+perl -i -p0e "s/,(\s*)(\"passwordFile\":.*?,).*(\"lookups\": \[)/,\1\2\1\"db\": 1,\1\3/igs" config/wfe2.json
+
 for file in `find . -type f | grep -v .git`; do
    sed -i -e "s|test/|labca/|g" $file
 done
--- a/patch.sh
+++ b/patch.sh
@@ -27,6 +27,7 @@ $SUDO patch -p1 < $cloneDir/patches/ceremony_rsa.patch
 $SUDO patch -p1 < $cloneDir/patches/cert-checker_main.patch
 $SUDO patch -p1 < $cloneDir/patches/cmd_config.patch
 $SUDO patch -p1 < $cloneDir/patches/config_duration.patch
+$SUDO patch -p1 < $cloneDir/patches/config_rocsp_config.patch
 $SUDO patch -p1 < $cloneDir/patches/contact-auditor_main.patch
 $SUDO patch -p1 < $cloneDir/patches/core_interfaces.patch
 $SUDO patch -p1 < $cloneDir/patches/crl-storer_main.patch
@@ -48,6 +49,7 @@ $SUDO patch -p1 < $cloneDir/patches/ocsp-responder_main.patch
 $SUDO patch -p1 < $cloneDir/patches/policy_pa.patch
 $SUDO patch -p1 < $cloneDir/patches/ra_ra.patch
 $SUDO patch -p1 < $cloneDir/patches/ratelimits_names.patch
+$SUDO patch -p1 < $cloneDir/patches/redis_config.patch
 $SUDO patch -p1 < $cloneDir/patches/remoteva_main.patch
 $SUDO patch -p1 < $cloneDir/patches/start.patch
 if [ "$SUDO" == "" ]; then
@@ -57,6 +59,7 @@ fi
 $SUDO patch -p1 < $cloneDir/patches/sfe_templates_layout.patch
 $SUDO patch -p1 < $cloneDir/patches/storer_storer.patch
 $SUDO patch -p1 < $cloneDir/patches/test_health-checker_main.patch
+$SUDO patch -p1 < $cloneDir/patches/test_ocsp_helper_helper.patch
 $SUDO patch -p1 < $cloneDir/patches/updater_updater.patch
 $SUDO patch -p1 < $cloneDir/patches/updater_continuous.patch
 $SUDO patch -p1 < $cloneDir/patches/va_http.patch
--- a/patches/config_rocsp_config.patch
+++ b/patches/config_rocsp_config.patch
@@ -0,0 +1,21 @@
+diff --git a/rocsp/config/rocsp_config.go b/rocsp/config/rocsp_config.go
+index c5416a499..d23091b53 100644
+--- a/rocsp/config/rocsp_config.go
+++ b/rocsp/config/rocsp_config.go
+@@ -31,6 +31,8 @@ type RedisConfig struct {
+ 	TLS cmd.TLSConfig
+ 	// Username is a Redis username.
+ 	Username string `validate:"required"`
+	// DB is the database number in Redis
+	DB int `validate:"min=0"`
+ 	// ShardAddrs is a map of shard names to IP address:port pairs. The go-redis
+ 	// `Ring` client will shard reads and writes across the provided Redis
+ 	// Servers based on a consistent hashing algorithm.
+@@ -114,6 +116,7 @@ func MakeClient(c *RedisConfig, clk clock.Clock, stats prometheus.Registerer) (*
+ 
+ 	rdb := redis.NewRing(&redis.RingOptions{
+ 		Addrs:     c.ShardAddrs,
+		DB:        c.DB,
+ 		Username:  c.Username,
+ 		Password:  password,
+ 		TLSConfig: tlsConfig,
--- a/patches/redis_config.patch
+++ b/patches/redis_config.patch
@@ -0,0 +1,22 @@
+diff --git a/redis/config.go b/redis/config.go
+index c858a4beb..2ec26aab1 100644
+--- a/redis/config.go
+++ b/redis/config.go
+@@ -24,6 +24,9 @@ type Config struct {
+ 	// authenticate to each Redis instance.
+ 	cmd.PasswordConfig
+ 
+	// DB is the database number in Redis
+	DB int `validate:"min=0"`
+
+ 	// ShardAddrs is a map of shard names to IP address:port pairs. The go-redis
+ 	// `Ring` client will shard reads and writes across the provided Redis
+ 	// Servers based on a consistent hashing algorithm.
+@@ -134,6 +137,7 @@ func NewRingFromConfig(c Config, stats prometheus.Registerer, log blog.Logger) (
+ 
+ 	inner := redis.NewRing(&redis.RingOptions{
+ 		Addrs:     c.ShardAddrs,
+		DB:        c.DB,
+ 		Username:  c.Username,
+ 		Password:  password,
+ 		TLSConfig: tlsConfig,
--- a/patches/test_ocsp_helper_helper.patch
+++ b/patches/test_ocsp_helper_helper.patch
@@ -0,0 +1,21 @@
+diff --git a/test/ocsp/helper/helper.go b/test/ocsp/helper/helper.go
+index a223f5fa6..96ab34aa7 100644
+--- a/test/ocsp/helper/helper.go
+++ b/test/ocsp/helper/helper.go
+@@ -15,6 +15,7 @@ import (
+ 	"net/http"
+ 	"net/url"
+ 	"os"
+	"path"
+ 	"strings"
+ 	"sync"
+ 	"time"
+@@ -317,7 +318,7 @@ func sendHTTPRequest(
+ 	var httpRequest *http.Request
+ 	var err error
+ 	if method == "GET" {
+-		ocspURL.Path = encodedReq
+		ocspURL.Path = path.Join(ocspURL.Path, encodedReq)
+ 		fmt.Fprintf(output, "Fetching %s\n", ocspURL.String())
+ 		httpRequest, err = http.NewRequest("GET", ocspURL.String(), http.NoBody)
+ 	} else if method == "POST" {