- Adaptations to support secure Redis Access

- Redis Connection Pooling set up for Celery, dogpile caching and flask session
2025-08-31 17:43:30 +02:00
parent 25ab9ccf23
commit 35f58f0c57
3 changed files with 129 additions and 137 deletions
--- a/common/utils/celery_utils.py
+++ b/common/utils/celery_utils.py
@@ -1,3 +1,5 @@
+import tempfile
+
 from celery import Celery
 from kombu import Queue
 from werkzeug.local import LocalProxy
@@ -6,6 +8,16 @@ from redbeat import RedBeatScheduler
 celery_app = Celery()


+def _create_ssl_cert_file(cert_data: str) -> str:
+    """Create temporary certificate file for Celery SSL"""
+    if not cert_data:
+        return None
+
+    with tempfile.NamedTemporaryFile(mode='w', delete=False, suffix='.pem') as cert_file:
+        cert_file.write(cert_data)
+        return cert_file.name
+
+
 def init_celery(celery, app, is_beat=False):
    celery_app.main = app.name

@@ -19,6 +31,32 @@ def init_celery(celery, app, is_beat=False):
        'enable_utc': app.config.get('CELERY_ENABLE_UTC', True),
    }

+    # Add broker transport options for SSL and connection pooling
+    broker_transport_options = {
+        'master_name': None,
+        'max_connections': 20,
+        'retry_on_timeout': True,
+        'socket_connect_timeout': 5,
+        'socket_timeout': 5,
+    }
+
+    cert_data = app.config.get('REDIS_CERT_DATA')
+    if cert_data:
+        try:
+            ssl_cert_file = _create_ssl_cert_file(cert_data)
+            if ssl_cert_file:
+                broker_transport_options.update({
+                    'ssl_cert_reqs': 'required',
+                    'ssl_ca_certs': ssl_cert_file,
+                    'ssl_check_hostname': True,
+                })
+                app.logger.info("SSL configured for Celery Redis connection")
+        except Exception as e:
+            app.logger.error(f"Failed to configure SSL for Celery: {e}")
+
+    celery_config['broker_transport_options'] = broker_transport_options
+    celery_config['result_backend_transport_options'] = broker_transport_options
+
    if is_beat:
        # Add configurations specific to Beat scheduler
        celery_config['beat_scheduler'] = 'redbeat.RedBeatScheduler'