gundeck: Support authenticating to redis (#3971)

* dockerephemeral: Start redis in master mode for testing redis migrations locally

This seems to have been deleted by mistake in
#3719

* dockerephemeral: Start redis with creds

* nix: Pin hedis to our fork which does auth correctly

* gundeck: Log uncaught errors in redis connection

* gundeck: Use redis creds from environment when provided

* hack/helmfile: Spin up extra redis for testing redis migration

* hack: Run redis with auth

* changelog

* docs/config-options: Wrap text for ES basic auth section

* docs/config-options: Document setting creds for redis

.envrc

@@ -49,6 +49,11 @@ export LANG=en_US.UTF-8
 export RABBITMQ_USERNAME=guest
 export RABBITMQ_PASSWORD=alpaca-grapefruit
 
+# Redis
+
+export REDIS_PASSWORD=very-secure-redis-cluster-password
+export REDIS_ADDITIONAL_WRITE_PASSWORD=very-secure-redis-master-password
+
 # Integration tests
 export INTEGRATION_DYNAMIC_BACKENDS_POOLSIZE=3
 
@@ -58,7 +63,7 @@ export AWS_REGION="eu-west-1"
 export AWS_ACCESS_KEY_ID="dummykey"
 export AWS_SECRET_ACCESS_KEY="dummysecret"
 
-# integration test suite timeout 
+# integration test suite timeout
 export TEST_TIMEOUT_SECONDS=2
 
 # allow local .envrc overrides

changelog.d/2-features/redis-creds

@@ -0,0 +1 @@
+Support authenticating to redis

charts/gundeck/templates/deployment.yaml

@@ -65,6 +65,34 @@ spec:
                 name: gundeck
                 key: awsSecretKey
           {{- end }}
+          {{- if hasKey .Values.secrets "redisUsername" }}
+          - name: REDIS_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: gundeck
+                key: redisUsername
+          {{- end }}
+          {{- if hasKey .Values.secrets "redisPassword" }}
+          - name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: gundeck
+                key: redisPassword
+          {{- end }}
+          {{- if hasKey .Values.secrets "redisAdditionalWriteUsername" }}
+          - name: REDIS_ADDITIONAL_WRITE_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: gundeck
+                key: redisAdditionalWriteUsername
+          {{- end }}
+          {{- if hasKey .Values.secrets "redisAdditionalWritePassword" }}
+          - name: REDIS_ADDITIONAL_WRITE_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: gundeck
+                key: redisAdditionalWritePassword
+          {{- end }}
           - name: AWS_REGION
             value: "{{ .Values.config.aws.region }}"
           {{- with .Values.config.proxy }}

charts/gundeck/templates/secret.yaml

@@ -1,4 +1,4 @@
-{{- if hasKey .Values.secrets "awsKeyId" }}
+{{- if not (empty .Values.secrets) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -11,7 +11,23 @@ metadata:
 type: Opaque
 data:
   {{- with .Values.secrets }}
+  {{- if hasKey . "awsKeyId" }}
   awsKeyId: {{ .awsKeyId | b64enc | quote }}
+  {{- end }}
+  {{- if hasKey . "awsSecretKey" }}
   awsSecretKey: {{ .awsSecretKey | b64enc | quote }}
   {{- end }}
+  {{- if hasKey . "redisUsername" }}
+  redisUsername: {{ .redisUsername | b64enc | quote }}
+  {{- end }}
+  {{- if hasKey . "redisPassword" }}
+  redisPassword: {{ .redisPassword | b64enc | quote }}
+  {{- end }}
+  {{- if hasKey . "redisAdditionalWriteUsername" }}
+  redisAdditionalWriteUsername: {{ .redisAdditionalWriteUsername | b64enc | quote }}
+  {{- end }}
+  {{- if hasKey . "redisAdditionalWritePassword" }}
+  redisAdditionalWritePassword: {{ .redisAdditionalWritePassword | b64enc | quote }}
+  {{- end }}
+  {{- end }}
 {{- end }}

charts/gundeck/templates/tests/configmap.yaml

@@ -41,6 +41,6 @@ data:
 
     # a "redis migration" test in gundeck makes use of a second (distinct) redis
     redis2:
-      host: redis-ephemeral-master
+      host: redis-ephemeral-2-master
       port: 6379
       connectionMode: master

charts/gundeck/templates/tests/gundeck-integration.yaml

@@ -73,6 +73,34 @@ spec:
       value: "eu-west-1"
     - name: TEST_XML
       value: /tmp/result.xml
+    {{- if hasKey .Values.secrets "redisUsername" }}
+    - name: REDIS_USERNAME
+      valueFrom:
+        secretKeyRef:
+          name: gundeck
+          key: redisUsername
+    {{- end }}
+    {{- if hasKey .Values.secrets "redisPassword" }}
+    - name: REDIS_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: gundeck
+          key: redisPassword
+    {{- end }}
+    {{- if and (hasKey .Values.tests "secrets") (hasKey .Values.tests.secrets "redisAdditionalWriteUsername") }}
+    - name: REDIS_ADDITIONAL_WRITE_USERNAME
+      valueFrom:
+        secretKeyRef:
+          name: gundeck-integration
+          key: redisAdditionalWriteUsername
+    {{- end }}
+    {{- if and (hasKey .Values.tests "secrets") (hasKey .Values.tests.secrets "redisAdditionalWritePassword") }}
+    - name: REDIS_ADDITIONAL_WRITE_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: gundeck-integration
+          key: redisAdditionalWritePassword
+    {{- end }}
     {{- if .Values.tests.config.uploadXml }}
     - name: UPLOAD_XML_S3_BASE_URL
       value: {{ .Values.tests.config.uploadXml.baseUrl }}

charts/gundeck/templates/tests/secret.yaml

@@ -1,3 +1,4 @@
+{{- if not (empty .Values.tests.secrets) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,7 +11,17 @@ metadata:
 type: Opaque
 data:
   {{- with .Values.tests.secrets }}
+  {{- if hasKey . "uploadXmlAwsAccessKeyId" }}
   uploadXmlAwsAccessKeyId: {{ .uploadXmlAwsAccessKeyId | b64enc | quote }}
+  {{- end }}
+  {{- if hasKey . "uploadXmlAwsSecretAccessKey" }}
   uploadXmlAwsSecretAccessKey: {{ .uploadXmlAwsSecretAccessKey | b64enc | quote }}
   {{- end }}
-
+  {{- if hasKey . "redisAdditionalWriteUsername" }}
+  redisAdditionalWriteUsername: {{ .redisAdditionalWriteUsername | b64enc | quote }}
+  {{- end }}
+  {{- if hasKey . "redisAdditionalWritePassword" }}
+  redisAdditionalWritePassword: {{ .redisAdditionalWritePassword | b64enc | quote }}
+  {{- end }}
+  {{- end }}
+{{- end }}

charts/integration/templates/integration-integration.yaml

@@ -262,6 +262,20 @@ spec:
         secretKeyRef:
           name: brig
           key: rabbitmqPassword
+    {{- if hasKey .Values.secrets "redisUsername" }}
+    - name: REDIS_USERNAME
+      valueFrom:
+        secretKeyRef:
+          name: integration
+          key: redisUsername
+    {{- end }}
+    {{- if hasKey .Values.secrets "redisPassword" }}
+    - name: REDIS_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: integration
+          key: redisPassword
+    {{- end }}
     - name: TEST_XML
       value: /tmp/result.xml
     {{- if .Values.config.uploadXml }}

charts/integration/templates/secret.yaml

@@ -10,6 +10,16 @@ metadata:
 type: Opaque
 data:
   {{- with .Values.secrets }}
+  {{- if hasKey . "uploadXmlAwsAccessKeyId" }}
   uploadXmlAwsAccessKeyId: {{ .uploadXmlAwsAccessKeyId | b64enc | quote }}
+  {{- end }}
+  {{- if hasKey . "uploadXmlAwsSecretAccessKey" }}
   uploadXmlAwsSecretAccessKey: {{ .uploadXmlAwsSecretAccessKey | b64enc | quote }}
   {{- end }}
+  {{- if hasKey . "redisUsername" }}
+  redisUsername: {{ .redisUsername | b64enc | quote }}
+  {{- end }}
+  {{- if hasKey . "redisPassword" }}
+  redisPassword: {{ .redisPassword | b64enc | quote }}
+  {{- end }}
+  {{- end }}

deploy/dockerephemeral/docker-compose.yaml

@@ -77,9 +77,20 @@ services:
     networks:
       - demo_wire
 
+  redis-master:
+    container_name: demo_wire_redis
+    image: redis:6.0-alpine
+    command: redis-server /usr/local/etc/redis/redis.conf
+    ports:
+      - "127.0.0.1:6379:6379"
+    volumes:
+      - ./docker/redis-master-mode.conf:/usr/local/etc/redis/redis.conf
+    networks:
+      - demo_wire
+
   redis-cluster:
     image: 'redis:6.0-alpine'
-    command: redis-cli --cluster create 172.20.0.31:6373 172.20.0.32:6374 172.20.0.33:6375 172.20.0.34:6376 172.20.0.35:6377 172.20.0.36:6378 --cluster-replicas 1 --cluster-yes
+    command: redis-cli --cluster create 172.20.0.31:6373 172.20.0.32:6374 172.20.0.33:6375 172.20.0.34:6376 172.20.0.35:6377 172.20.0.36:6378 --cluster-replicas 1 --cluster-yes -a very-secure-redis-cluster-password
     networks:
       redis:
         ipv4_address: 172.20.0.30

deploy/dockerephemeral/docker/redis-master-mode.conf

@@ -0,0 +1 @@
+requirepass very-secure-redis-master-password

deploy/dockerephemeral/docker/redis-node-1.conf

@@ -3,3 +3,5 @@ cluster-enabled yes
 cluster-config-file nodes.conf
 cluster-node-timeout 5000
 appendonly yes
+requirepass very-secure-redis-cluster-password
+masterauth very-secure-redis-cluster-password

deploy/dockerephemeral/docker/redis-node-2.conf

@@ -3,3 +3,5 @@ cluster-enabled yes
 cluster-config-file nodes.conf
 cluster-node-timeout 5000
 appendonly yes
+requirepass very-secure-redis-cluster-password
+masterauth very-secure-redis-cluster-password

deploy/dockerephemeral/docker/redis-node-3.conf

@@ -3,3 +3,5 @@ cluster-enabled yes
 cluster-config-file nodes.conf
 cluster-node-timeout 5000
 appendonly yes
+requirepass very-secure-redis-cluster-password
+masterauth very-secure-redis-cluster-password

deploy/dockerephemeral/docker/redis-node-4.conf

@@ -3,3 +3,5 @@ cluster-enabled yes
 cluster-config-file nodes.conf
 cluster-node-timeout 5000
 appendonly yes
+requirepass very-secure-redis-cluster-password
+masterauth very-secure-redis-cluster-password

deploy/dockerephemeral/docker/redis-node-5.conf

@@ -3,3 +3,5 @@ cluster-enabled yes
 cluster-config-file nodes.conf
 cluster-node-timeout 5000
 appendonly yes
+requirepass very-secure-redis-cluster-password
+masterauth very-secure-redis-cluster-password

deploy/dockerephemeral/docker/redis-node-6.conf

@@ -3,3 +3,5 @@ cluster-enabled yes
 cluster-config-file nodes.conf
 cluster-node-timeout 5000
 appendonly yes
+requirepass very-secure-redis-cluster-password
+masterauth very-secure-redis-cluster-password

docs/src/developer/reference/config-options.md

@@ -856,7 +856,11 @@ The corresponding Cassandra options are described in Cassandra's documentation:
 
 ## Configure Elasticsearch basic authentication
 
-When the Wire backend is configured to work against a custom Elasticsearch instance, it may be desired to enable basic authentication for the internal communication between the Wire backend and the ES instance. To do so the Elasticsearch credentials can be set in wire-server's secrets for `brig` and `elasticsearch-index` as follows:
+When the Wire backend is configured to work against a custom Elasticsearch
+instance, it may be desired to enable basic authentication for the internal
+communication between the Wire backend and the ES instance. To do so the
+Elasticsearch credentials can be set in wire-server's secrets for `brig` and
+`elasticsearch-index` as follows:
 
 ```yaml
 brig:
@@ -872,7 +876,9 @@ elasticsearch-index:
       password: changeme
 ```
 
-In some cases an additional Elasticsearch instance is needed (e.g. for index migrations). To configure credentials for the additional ES instance add the secret as follows:
+In some cases an additional Elasticsearch instance is needed (e.g. for index
+migrations). To configure credentials for the additional ES instance add the
+secret as follows:
 
 ```yaml
 brig:
@@ -881,3 +887,33 @@ brig:
       username: elastic
       password: changeme
 ```
+
+## Configure Redis authentication
+
+If the redis used needs authentication with either username and password or just
+password (legacy auth), it can be configured like this:
+
+```yaml
+gundeck:
+  secrets:
+    redisUsername: <username>
+    redisPassword: <password>
+```
+
+**NOTE**: When using redis < 6, the `redisUsername` must not be set at all (not
+even set to `null` or empty string, the key must be absent from the config).
+When using redis >= 6 and using legacy auth, the `redisUsername` must either be
+not set at all or set to `"default"`.
+
+While doing migrations to another redis instance, the credentials for the
+addtional redis can be set as follows:
+
+```yaml
+gundeck:
+  secrets:
+    redisAdditionalWriteUsername: <username>  # Do not set this at all when using legacy auth
+    redisAdditionalWritePassword: <password>
+```
+
+**NOTE**: `redisAddtiionalWriteUsername` follows same restrictions as
+`redisUsername` when using legacy auth.

hack/helm_vars/redis-cluster/values.yaml.gotmpl

@@ -6,3 +6,4 @@ redis-cluster:
     size: 100Mi
   volumePermissions:
     enabled: true
+  password: very-secure-redis-cluster-password

hack/helm_vars/wire-server/values.yaml.gotmpl

@@ -313,15 +313,19 @@ gundeck:
   secrets:
     awsKeyId: dummykey
     awsSecretKey: dummysecret
+    redisPassword: very-secure-redis-master-password
   tests:
     {{- if .Values.uploadXml }}
     config:
       uploadXml:
         baseUrl: {{ .Values.uploadXml.baseUrl }}
+    {{- end }}
     secrets:
+      {{- if .Values.uploadXml }}
       uploadXmlAwsAccessKeyId: {{ .Values.uploadXml.awsAccessKeyId }}
       uploadXmlAwsSecretAccessKey: {{ .Values.uploadXml.awsSecretAccessKey }}
-    {{- end }}
+      {{- end }}
+      redisAdditionalWritePassword: very-secure-redis-master-password-2
 
 nginz:
   replicaCount: 1
@@ -444,18 +448,21 @@ integration:
       host: {{ .Values.cassandraHost }}
       port: 9042
       replicationFactor: 1
-    {{- if .Values.useK8ssandraSSL.enabled }}
+      {{- if .Values.useK8ssandraSSL.enabled }}
       tlsCaSecretRef:
         name: cassandra-jks-keystore
         key: ca.crt
-    {{- end }}
-  {{- if .Values.uploadXml }}
+      {{- end }}
+    {{- if .Values.uploadXml }}
     uploadXml:
       baseUrl: {{ .Values.uploadXml.baseUrl }}
+    {{- end }}
   secrets:
+    {{- if .Values.uploadXml }}
     uploadXmlAwsAccessKeyId: {{ .Values.uploadXml.awsAccessKeyId }}
     uploadXmlAwsSecretAccessKey: {{ .Values.uploadXml.awsSecretAccessKey }}
-  {{- end }}
+    {{- end }}
+    redisPassword: very-secure-redis-master-password
   tls:
     caNamespace: wire-federation-v0