ROCSP: Remove support for Redis Cluster (#6645)

Fixes #6517
letsencrypt · Feb 9, 2023 · 5c49231 · 5c49231
1 parent 6792739
commit 5c49231
Show file tree

Hide file tree

Showing 18 changed files with 51 additions and 582 deletions.
diff --git a/cmd/rocsp-tool/client.go b/cmd/rocsp-tool/client.go
@@ -20,7 +20,7 @@ import (
 )
 
 type client struct {
-	redis         rocsp.Writer
+	redis         *rocsp.RWClient
 	db            *db.WrappedMap // optional
 	ocspGenerator capb.OCSPGeneratorClient
 	clk           clock.Clock

diff --git a/cmd/rocsp-tool/client_test.go b/cmd/rocsp-tool/client_test.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"math/big"
-	"os"
 	"testing"
 	"time"
 
@@ -39,8 +38,8 @@ func makeClient() (*rocsp.RWClient, clock.Clock) {
 
 	rdb := redis.NewRing(&redis.RingOptions{
 		Addrs: map[string]string{
-			"shard1": "10.33.33.8:4218",
-			"shard2": "10.33.33.9:4218",
+			"shard1": "10.33.33.2:4218",
+			"shard2": "10.33.33.3:4218",
 		},
 		Username:  "unittest-rw",
 		Password:  "824968fa490f4ecec1e52d5e34916bdb60d45f8d",
@@ -50,32 +49,6 @@ func makeClient() (*rocsp.RWClient, clock.Clock) {
 	return rocsp.NewWritingClient(rdb, 500*time.Millisecond, clk, metrics.NoopRegisterer), clk
 }
 
-// TODO(#6517) remove this helper.
-func makeClusterClient() (*rocsp.CRWClient, clock.Clock) {
-	CACertFile := "../../test/redis-tls/minica.pem"
-	CertFile := "../../test/redis-tls/boulder/cert.pem"
-	KeyFile := "../../test/redis-tls/boulder/key.pem"
-	tlsConfig := cmd.TLSConfig{
-		CACertFile: &CACertFile,
-		CertFile:   &CertFile,
-		KeyFile:    &KeyFile,
-	}
-	tlsConfig2, err := tlsConfig.Load()
-	if err != nil {
-		panic(err)
-	}
-
-	rdb := redis.NewClusterClient(&redis.ClusterOptions{
-		Addrs:     []string{"10.33.33.2:4218"},
-		Username:  "unittest-rw",
-		Password:  "824968fa490f4ecec1e52d5e34916bdb60d45f8d",
-		TLSConfig: tlsConfig2,
-	})
-	clk := clock.NewFake()
-
-	return rocsp.NewClusterWritingClient(rdb, 5*time.Second, clk, metrics.NoopRegisterer), clk
-}
-
 func TestGetStartingID(t *testing.T) {
 	clk := clock.NewFake()
 	dbMap, err := sa.NewDbMap(vars.DBConnSAFullPerms, sa.DbSettings{})
@@ -109,14 +82,7 @@ func TestGetStartingID(t *testing.T) {
 }
 
 func TestStoreResponse(t *testing.T) {
-	// TODO(#6517) remove this block.
-	var redisClient rocsp.Writer
-	var clk clock.Clock
-	if os.Getenv("BOULDER_CONFIG_DIR") == "test/config" {
-		redisClient, clk = makeClusterClient()
-	} else {
-		redisClient, clk = makeClient()
-	}
+	redisClient, clk := makeClient()
 
 	issuer, err := core.LoadCert("../../test/hierarchy/int-e1.cert.pem")
 	test.AssertNotError(t, err, "loading int-e1")
@@ -153,14 +119,7 @@ func (mog mockOCSPGenerator) GenerateOCSP(ctx context.Context, in *capb.Generate
 }
 
 func TestLoadFromDB(t *testing.T) {
-	// TODO(#6517) remove this block.
-	var redisClient rocsp.Writer
-	var clk clock.Clock
-	if os.Getenv("BOULDER_CONFIG_DIR") == "test/config" {
-		redisClient, clk = makeClusterClient()
-	} else {
-		redisClient, clk = makeClient()
-	}
+	redisClient, clk := makeClient()
 
 	dbMap, err := sa.NewDbMap(vars.DBConnSA, sa.DbSettings{})
 	if err != nil {

diff --git a/docker-compose.next.yml b/docker-compose.next.yml
@@ -5,26 +5,3 @@ services:
       FAKE_DNS: 10.77.77.77
       BOULDER_CONFIG_DIR: &boulder_config_dir test/config-next
       GOFLAGS: -mod=vendor
-  # TODO(#6517): remove bredis_clusterer
-  bredis_clusterer:
-    depends_on:
-      - bredis_7
-      - bredis_8
-  # TODO(#6517): move both nodes to docker-compose.yml
-  bredis_7:
-    image: redis:6.2.7
-    volumes:
-      - ./test/:/test/:cached
-    command: redis-server /test/redis.config
-    networks:
-      redisnet:
-        ipv4_address: 10.33.33.8
-
-  bredis_8:
-    image: redis:6.2.7
-    volumes:
-      - ./test/:/test/:cached
-    command: redis-server /test/redis.config
-    networks:
-      redisnet:
-        ipv4_address: 10.33.33.9
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -41,7 +41,8 @@ services:
       - 4003:4003 # OCSP
     depends_on:
       - bmysql
-      - bredis_clusterer
+      - bredis_1
+      - bredis_2
       - bconsul
     entrypoint: test/entrypoint.sh
     working_dir: &boulder_working_dir /boulder
@@ -62,13 +63,12 @@ services:
     command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON
     logging:
       driver: none
-  # TODO(#6517): replace all bredis_ services with those from
-  # docker-compose.next.yml.
+
   bredis_1:
     image: redis:6.2.7
     volumes:
       - ./test/:/test/:cached
-    command: redis-server /test/redis-cluster.config
+    command: redis-server /test/redis.config
     networks:
       redisnet:
         ipv4_address: 10.33.33.2
@@ -77,68 +77,11 @@ services:
     image: redis:6.2.7
     volumes:
       - ./test/:/test/:cached
-    command: redis-server /test/redis-cluster.config
+    command: redis-server /test/redis.config
     networks:
       redisnet:
         ipv4_address: 10.33.33.3
 
-  bredis_3:
-    image: redis:6.2.7
-    volumes:
-      - ./test/:/test/:cached
-    command: redis-server /test/redis-cluster.config
-    networks:
-      redisnet:
-        ipv4_address: 10.33.33.4
-
-  bredis_4:
-    image: redis:6.2.7
-    volumes:
-      - ./test/:/test/:cached
-    command: redis-server /test/redis-cluster.config
-    networks:
-      redisnet:
-        ipv4_address: 10.33.33.5
-
-  bredis_5:
-    image: redis:6.2.7
-    volumes:
-      - ./test/:/test/:cached
-    command: redis-server /test/redis-cluster.config
-    networks:
-      redisnet:
-        ipv4_address: 10.33.33.6
-
-  bredis_6:
-    image: redis:6.2.7
-    volumes:
-      - ./test/:/test/:cached
-    command: redis-server /test/redis-cluster.config
-    networks:
-      redisnet:
-        ipv4_address: 10.33.33.7
-  # TODO(#6517): remove bredis_clusterer.
-  bredis_clusterer:
-    image: redis:6.2.7
-    environment:
-      BOULDER_CONFIG_DIR: *boulder_config_dir
-    volumes:
-      - ./test/:/test/:cached
-      - ./cluster/:/cluster/:cached
-    command: /test/wait-for-it.sh 10.33.33.2 4218 /test/redis-create.sh
-    depends_on:
-      - bredis_1
-      - bredis_2
-      - bredis_3
-      - bredis_4
-      - bredis_5
-      - bredis_6
-    networks:
-      redisnet:
-        ipv4_address: 10.33.33.10
-        aliases:
-          - boulder-redis-clusterer
-
   bconsul:
     image: hashicorp/consul:1.13.1
     volumes:

diff --git a/docs/redis.md b/docs/redis.md
@@ -1,13 +1,8 @@
 # Redis
 
-TODO(#6517): Update this to reflect the use of Redis Ring.
-
-We use Redis Cluster for OCSP. The Boulder dev environment stands up a cluster
-of 6 nodes, with 3 primaries and 3 replicas. Check docker-compose.yml for
-details of those.
-
-The initial setup is done by test/redis-create.sh, which assigns all the
-individual Redis nodes to their roles as primaries or replicas.
+We use Redis for OCSP. The Boulder dev environment stands up a two nodes. We use
+the Ring client in the github.com/redis/go-redis package to consistently hash
+our reads and writes across these two nodes. 
 
 ## Debugging
 
@@ -19,26 +14,32 @@ The first tool you might turn to is `redis-cli`. You probably don't
 have redis-cli on your host, so we'll run it in a Docker container. We
 also need to pass some specific arguments for TLS and authentication. There's a
 script that handles all that for you: `test/redis-cli.sh`. First, make sure your
-redis cluster is running:
+redis is running:
 
-```
-docker compose up bredis_clusterer
+```shell
+docker compose up boulder
 ```
 
-Then, in a different window, run:
+Then, in a different window, run the following to connect to `bredis_1`:
 
-```
+```shell
 ./test/redis-cli.sh -h 10.33.33.2
 ```
 
+Similarly, to connect to `bredis_2`:
+
+```shell
+./test/redis-cli.sh -h 10.33.33.3
+```
+
 You can pass any IP address for the -h (host) parameter. The full list of IP
 addresses for Redis nodes is in `docker-compose.yml`. You can also pass other
 redis-cli commandline parameters. They'll get passed through.
 
 You may want to go a level deeper and communicate with a Redis node using the
 Redis protocol. Here's the command to do that (run from the Boulder root):
 
-```
+```shell
 openssl s_client -connect 10.33.33.2:4218 \
   -CAfile test/redis-tls/minica.pem \
   -cert test/redis-tls/boulder/cert.pem \

diff --git a/ocsp/responder/redis/redis_source.go b/ocsp/responder/redis/redis_source.go
@@ -49,7 +49,7 @@ type redisSource struct {
 // NewRedisSource returns a responder.Source which will look up OCSP responses in a
 // Redis table.
 func NewRedisSource(
-	client rocsp.Writer,
+	client *rocsp.RWClient,
 	signer responder.Source,
 	liveSigningPeriod time.Duration,
 	clk clock.Clock,