Alerting: Add options to configure TLS for HA using Redis (#87567)

* Add Alerting HA Redis Client TLS configs

* Add test to ping miniredis with mTLS

* Update .ini files and docs

* Add tests for unified alerting ha redis TLS settings

* Fix malformed go.sum

* Add modowner

* Fix lint error

* Update docs and use dstls config

pkg/setting/setting_unified_alerting.go

@@ -7,6 +7,7 @@ import (
 	"time"
 
 	alertingCluster "github.com/grafana/alerting/cluster"
+	dstls "github.com/grafana/dskit/crypto/tls"
 	"github.com/grafana/grafana-plugin-sdk-go/backend/gtime"
 	"gopkg.in/ini.v1"
 
@@ -79,6 +80,8 @@ type UnifiedAlertingSettings struct {
 	HARedisPassword                string
 	HARedisDB                      int
 	HARedisMaxConns                int
+	HARedisTLSEnabled              bool
+	HARedisTLSConfig               dstls.ClientConfig
 	MaxAttempts                    int64
 	MinInterval                    time.Duration
 	EvaluationTimeout              time.Duration
@@ -234,6 +237,14 @@ func (cfg *Cfg) ReadUnifiedAlertingSettings(iniFile *ini.File) error {
 			uaCfg.HAPeers = append(uaCfg.HAPeers, peer)
 		}
 	}
+	uaCfg.HARedisTLSEnabled = ua.Key("ha_redis_tls_enabled").MustBool(false)
+	uaCfg.HARedisTLSConfig.CertPath = ua.Key("ha_redis_tls_cert_path").MustString("")
+	uaCfg.HARedisTLSConfig.KeyPath = ua.Key("ha_redis_tls_key_path").MustString("")
+	uaCfg.HARedisTLSConfig.CAPath = ua.Key("ha_redis_tls_ca_path").MustString("")
+	uaCfg.HARedisTLSConfig.ServerName = ua.Key("ha_redis_tls_server_name").MustString("")
+	uaCfg.HARedisTLSConfig.InsecureSkipVerify = ua.Key("ha_redis_tls_insecure_skip_verify").MustBool(false)
+	uaCfg.HARedisTLSConfig.CipherSuites = ua.Key("ha_redis_tls_cipher_suites").MustString("")
+	uaCfg.HARedisTLSConfig.MinVersion = ua.Key("ha_redis_tls_min_version").MustString("")
 
 	// TODO load from ini file
 	uaCfg.DefaultConfiguration = alertmanagerDefaultConfiguration

pkg/setting/setting_unified_alerting_test.go

@@ -298,3 +298,50 @@ func TestMinInterval(t *testing.T) {
 		})
 	}
 }
+
+func TestHARedisTLSSettings(t *testing.T) {
+	// Initialize .ini file with new HA Redis TLS Settings
+	f := ini.Empty()
+	section, err := f.NewSection("unified_alerting")
+	require.NoError(t, err)
+
+	const (
+		tlsEnabled         = true
+		certPath           = "path/to/cert"
+		keyPath            = "path/to/key"
+		caPath             = "path/to/ca"
+		serverName         = "server_name"
+		insecureSkipVerify = true
+		cipherSuites       = "TLS_AES_128_GCM_SHA256"
+		minVersion         = "VersionTLS13"
+	)
+	_, err = section.NewKey("ha_redis_tls_enabled", strconv.FormatBool(tlsEnabled))
+	require.NoError(t, err)
+	_, err = section.NewKey("ha_redis_tls_cert_path", certPath)
+	require.NoError(t, err)
+	_, err = section.NewKey("ha_redis_tls_key_path", keyPath)
+	require.NoError(t, err)
+	_, err = section.NewKey("ha_redis_tls_ca_path", caPath)
+	require.NoError(t, err)
+	_, err = section.NewKey("ha_redis_tls_server_name", serverName)
+	require.NoError(t, err)
+	_, err = section.NewKey("ha_redis_tls_insecure_skip_verify", strconv.FormatBool(insecureSkipVerify))
+	require.NoError(t, err)
+	_, err = section.NewKey("ha_redis_tls_cipher_suites", cipherSuites)
+	require.NoError(t, err)
+	_, err = section.NewKey("ha_redis_tls_min_version", minVersion)
+	require.NoError(t, err)
+
+	cfg := NewCfg()
+	err = cfg.ReadUnifiedAlertingSettings(f)
+	require.Nil(t, err)
+
+	require.Equal(t, tlsEnabled, cfg.UnifiedAlerting.HARedisTLSEnabled)
+	require.Equal(t, certPath, cfg.UnifiedAlerting.HARedisTLSConfig.CertPath)
+	require.Equal(t, keyPath, cfg.UnifiedAlerting.HARedisTLSConfig.KeyPath)
+	require.Equal(t, caPath, cfg.UnifiedAlerting.HARedisTLSConfig.CAPath)
+	require.Equal(t, serverName, cfg.UnifiedAlerting.HARedisTLSConfig.ServerName)
+	require.Equal(t, insecureSkipVerify, cfg.UnifiedAlerting.HARedisTLSConfig.InsecureSkipVerify)
+	require.Equal(t, cipherSuites, cfg.UnifiedAlerting.HARedisTLSConfig.CipherSuites)
+	require.Equal(t, minVersion, cfg.UnifiedAlerting.HARedisTLSConfig.MinVersion)
+}