pkg/storage/redis: add redis TLS support (#1163)

Fixes #1156

cache/databroker.go

@@ -1,13 +1,17 @@
 package cache
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"fmt"
+	"io/ioutil"
 
 	"google.golang.org/grpc"
 
 	"github.com/pomerium/pomerium/config"
 	internal_databroker "github.com/pomerium/pomerium/internal/databroker"
+	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )
@@ -23,10 +27,27 @@ func NewDataBrokerServer(grpcServer *grpc.Server, opts config.Options) (*DataBro
 	if err != nil || len(key) != cryptutil.DefaultKeySize {
 		return nil, fmt.Errorf("shared key is required and must be %d bytes long", cryptutil.DefaultKeySize)
 	}
+
+	caCertPool := x509.NewCertPool()
+	if caCert, err := ioutil.ReadFile(opts.DataBrokerStorageCAFile); err == nil {
+		caCertPool.AppendCertsFromPEM(caCert)
+	} else {
+		log.Warn().Err(err).Msg("failed to read databroker CA file")
+	}
+	tlsConfig := &tls.Config{
+		RootCAs: caCertPool,
+		// nolint: gosec
+		InsecureSkipVerify: opts.DataBrokerStorageCertSkipVerify,
+	}
+	if opts.DataBrokerCertificate != nil {
+		tlsConfig.Certificates = []tls.Certificate{*opts.DataBrokerCertificate}
+	}
+
 	internalSrv := internal_databroker.New(
 		internal_databroker.WithSecret(key),
 		internal_databroker.WithStorageType(opts.DataBrokerStorageType),
 		internal_databroker.WithStorageConnectionString(opts.DataBrokerStorageConnectionString),
+		internal_databroker.WithStorageTLSConfig(tlsConfig),
 	)
 	srv := &DataBrokerServer{DataBrokerServiceServer: internalSrv}
 	databroker.RegisterDataBrokerServiceServer(grpcServer, srv)