eloqdata · liunyl · Dec 30, 2025
diff --git a/data_substrate b/data_substrate
diff --git a/include/redis_service.h b/include/redis_service.h
@@ -218,6 +218,11 @@ class RedisServiceImpl : public brpc::RedisService
     bool AddCommandHandler(const std::string &name,
                            RedisCommandHandler *handler);
 
+    // TLS configuration accessors
+    bool IsTlsEnabled() const { return enable_tls_; }
+    const std::string& GetTlsCertFile() const { return tls_cert_file_; }
+    const std::string& GetTlsKeyFile() const { return tls_key_file_; }
+
     // This function should not be touched by user and used by brpc deverloper
     // only.
     RedisCommandHandler *FindCommandHandler(
@@ -560,6 +565,11 @@ class RedisServiceImpl : public brpc::RedisService
     // read and write-write conflict are both retried.
     bool retry_on_occ_error_{false};
 
+    // TLS configuration
+    bool enable_tls_{false};
+    std::string tls_cert_file_;
+    std::string tls_key_file_;
+
 #ifdef VECTOR_INDEX_ENABLED
     // Vector index related
     std::unique_ptr<txservice::TxWorkerPool> vector_index_worker_pool_{nullptr};

diff --git a/src/redis_server.cpp b/src/redis_server.cpp
@@ -21,6 +21,7 @@
  */
 #include <brpc/acceptor.h>
 #include <brpc/server.h>
+#include <brpc/ssl_options.h>
 #include <gflags/gflags.h>
 #include <glog/logging.h>
 
@@ -504,6 +505,25 @@ int main(int argc, char *argv[])
     // Notice: redis_service_impl will be deleted in server's destructor.
     server_options.redis_service = redis_service_impl.release();
     server_options.has_builtin_services = false;
+
+    // Configure TLS if enabled
+    if (redis_service_ptr->IsTlsEnabled())
+    {
+        brpc::ServerSSLOptions *ssl_options =
+            server_options.mutable_ssl_options();
+
+        // Set server certificate and key (required when TLS is enabled)
+        // Validation in Init() ensures both files are provided
+        ssl_options->default_cert.certificate =
+            redis_service_ptr->GetTlsCertFile();
+        ssl_options->default_cert.private_key =
+            redis_service_ptr->GetTlsKeyFile();
+
+        LOG(INFO) << "TLS enabled for brpc server. Certificate: "
+                  << redis_service_ptr->GetTlsCertFile()
+                  << ", Key: " << redis_service_ptr->GetTlsKeyFile();
+    }
+
     if (server.Start(redis_ip_port.c_str(), &server_options) != 0)
     {
         LOG(ERROR) << "Failed to start EloqKV server.";

diff --git a/src/redis_service.cpp b/src/redis_service.cpp
@@ -38,6 +38,7 @@
 #include <charconv>
 #include <cstddef>
 #include <cstdint>
+#include <filesystem>
 #include <functional>
 #include <memory>
 #include <optional>
@@ -134,6 +135,10 @@ DEFINE_string(
 
 DEFINE_bool(retry_on_occ_error, true, "Retry transaction on OCC caused error.");
 
+DEFINE_bool(enable_tls, false, "Enable TLS for brpc RPC connections");
+DEFINE_string(tls_cert_file, "", "Path to TLS certificate file (PEM format)");
+DEFINE_string(tls_key_file, "", "Path to TLS private key file (PEM format)");
+
 namespace EloqKV
 {
 const auto NUM_VCPU = std::thread::hardware_concurrency();
@@ -441,6 +446,77 @@ bool RedisServiceImpl::Init(brpc::Server &brpc_server)
     // tx_service_
 #endif
 
+    // Read TLS configuration
+    enable_tls_ = !CheckCommandLineFlagIsDefault("enable_tls")
+                      ? FLAGS_enable_tls
+                      : config_reader.GetBoolean("local", "enable_tls", false);
+
+    if (enable_tls_)
+    {
+        tls_cert_file_ =
+            !CheckCommandLineFlagIsDefault("tls_cert_file")
+                ? FLAGS_tls_cert_file
+                : config_reader.GetString("local", "tls_cert_file", "");
+
+        tls_key_file_ =
+            !CheckCommandLineFlagIsDefault("tls_key_file")
+                ? FLAGS_tls_key_file
+                : config_reader.GetString("local", "tls_key_file", "");
+
+        // Validate that both certificate and key files are specified (required
+        // when TLS is enabled)
+        if (tls_cert_file_.empty() || tls_key_file_.empty())
+        {
+            LOG(ERROR) << "TLS is enabled but certificate or key file path is "
+                          "not specified. "
+                       << "Please set both tls_cert_file and tls_key_file.";
+            return false;
+        }
+
+        // Validate that certificate file exists and is readable
+        std::error_code error_code;
+        if (!std::filesystem::exists(tls_cert_file_, error_code))
+        {
+            LOG(ERROR)
+                << "TLS certificate file does not exist or is not accessible: "
+                << tls_cert_file_;
+            if (error_code.value() != 0)
+            {
+                LOG(ERROR) << "Error code: " << error_code.value()
+                           << ", error message: " << error_code.message();
+            }
+            return false;
+        }
+
+        // Validate that key file exists and is readable
+        if (!std::filesystem::exists(tls_key_file_, error_code))
+        {
+            LOG(ERROR) << "TLS key file does not exist or is not accessible: "
+                       << tls_key_file_;
+            if (error_code.value() != 0)
+            {
+                LOG(ERROR) << "Error code: " << error_code.value()
+                           << ", error message: " << error_code.message();
+            }
+            return false;
+        }
+
+        // Check if files are regular files (not directories)
+        if (!std::filesystem::is_regular_file(tls_cert_file_, error_code))
+        {
+            LOG(ERROR) << "TLS certificate file is not a regular file: "
+                       << tls_cert_file_;
+            return false;
+        }
+
+        if (!std::filesystem::is_regular_file(tls_key_file_, error_code))
+        {
+            LOG(ERROR) << "TLS key file is not a regular file: "
+                       << tls_key_file_;
+            return false;
+        }
+    }
+
     return true;
 }