fix(brightstaff): enable TLS for redis session cache

Turn on the redis crate's tokio-rustls-comp + tls-rustls-webpki-roots features so rediss:// URLs in routing.session_cache.url actually negotiate TLS. Previously connecting to a TLS Redis failed with "can't connect with TLS, the feature is not enabled". Uses pure-Rust rustls + bundled Mozilla CA roots, so no system OpenSSL dependency is needed in the slim runtime image. Works with managed Redis (ElastiCache, Azure Cache, Redis Cloud, Upstash, etc.) out of the box.
2026-06-11 15:05:14 +02:00 · 2026-04-30 10:58:32 -07:00 · 2026-04-30 10:58:32 -07:00 · 5b776dbf56
commit 5b776dbf56
parent 938f9c4bdf
2 changed files with 40 additions and 3 deletions
--- a/crates/Cargo.lock
+++ b/crates/Cargo.lock
@ -2752,12 +2752,18 @@ dependencies = [
 "num-bigint",
 "percent-encoding",
 "pin-project-lite",
+ "rustls 0.23.38",
+ "rustls-native-certs 0.7.3",
+ "rustls-pemfile 2.2.0",
+ "rustls-pki-types",
 "ryu",
 "sha1_smol",
 "socket2 0.5.10",
 "tokio",
+ "tokio-rustls 0.26.4",
 "tokio-util",
 "url",
+ "webpki-roots 0.26.11",
 ]

 [[package]]
@ -2965,7 +2971,20 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00"
 dependencies = [
 "openssl-probe 0.1.6",
- "rustls-pemfile",
+ "rustls-pemfile 1.0.4",
+ "schannel",
+ "security-framework 2.11.1",
+]
+
+[[package]]
+name = "rustls-native-certs"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5bfb394eeed242e909609f56089eecfe5fda225042e8b171791b9c95f5931e5"
+dependencies = [
+ "openssl-probe 0.1.6",
+ "rustls-pemfile 2.2.0",
+ "rustls-pki-types",
 "schannel",
 "security-framework 2.11.1",
 ]
@ -2991,6 +3010,15 @@ dependencies = [
 "base64 0.21.7",
 ]

+[[package]]
+name = "rustls-pemfile"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
+dependencies = [
+ "rustls-pki-types",
+]
+
 [[package]]
 name = "rustls-pki-types"
 version = "1.14.0"
@ -4024,7 +4052,7 @@ dependencies = [
 "serde_json",
 "ureq-proto",
 "utf8-zero",
- "webpki-roots",
+ "webpki-roots 1.0.6",
 ]

 [[package]]
@ -4278,6 +4306,15 @@ dependencies = [
 "wasm-bindgen",
 ]

+[[package]]
+name = "webpki-roots"
+version = "0.26.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "521bc38abb08001b01866da9f51eb7c5d647a19260e00054a8c7fd5f9e57f7a9"
+dependencies = [
+ "webpki-roots 1.0.6",
+]
+
 [[package]]
 name = "webpki-roots"
 version = "1.0.6"
--- a/crates/brightstaff/Cargo.toml
+++ b/crates/brightstaff/Cargo.toml
@ -43,7 +43,7 @@ lru = "0.12"
 metrics = "0.23"
 metrics-exporter-prometheus = { version = "0.15", default-features = false, features = ["http-listener"] }
 metrics-process = "2.1"
-redis = { version = "0.27", features = ["tokio-comp"] }
+redis = { version = "0.27", features = ["tokio-comp", "tokio-rustls-comp", "tls-rustls-webpki-roots"] }
 reqwest = { version = "0.12.15", features = ["stream"] }
 serde = { version = "1.0.219", features = ["derive"] }
 serde_json = "1.0.140"