diff --git a/deploy/helm/templates/_helpers.tpl b/deploy/helm/templates/_helpers.tpl
index 04100291cae..9add8500c67 100644
--- a/deploy/helm/templates/_helpers.tpl
+++ b/deploy/helm/templates/_helpers.tpl
@@ -237,6 +237,27 @@ Uses existing secret if provided, otherwise derives "{release}-redis-secret"
 {{- .Values.redis.auth.existingSecret | default (printf "%s-redis-secret" .Release.Name) -}}
 {{- end -}}
+{{/*
+Redis: validate the redis.auth.password configuration.
+
+redis.auth.password is a Bitnami subchart passthrough that the Appsmith
+templates never read on their own. There is exactly ONE supported way to use
+it: the fully self-managed path, where the operator also disables the chart's
+bootstrap secret (existingSecret: "") and hands the app a matching connection
+string via applicationConfig.APPSMITH_REDIS_URL. Any other use silently splits
+the password between Redis and the app, so we fail fast instead.
+
+Invoked from a template that always renders (configMap.yaml) so it evaluates on
+every `helm template`/install/upgrade.
+*/}}
+{{- define "appsmith.validateRedisAuth" -}}
+{{- if .Values.redis.auth.password -}}
+{{- if or .Values.redis.auth.existingSecret (not .Values.applicationConfig.APPSMITH_REDIS_URL) -}}
+{{ fail (printf "redis.auth.password is set, which is only supported on the self-managed path. Choose one of:\n 1. Leave redis.auth.password unset and let the chart bootstrap a password (default), or supply your own secret via redis.auth.existingSecret / redis.auth.existingSecretPasswordKey.\n 2. Self-manage the password: set redis.auth.password, set redis.auth.existingSecret: \"\", and set applicationConfig.APPSMITH_REDIS_URL=redis://:@%s-redis-master:6379 so the app uses the same credential." .Release.Name) }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Redis: master service hostname (FQDN inside the cluster).
 Derived from the release name to stay uniform with the chart's other components.
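Review bot: The example URL in the `fail` message, `redis://:@%s-redis-master:6379`, has an empty password field, so an operator who copies it verbatim hands the app no credential at all, which is exactly the Redis/app split this validator exists to prevent; it should read `redis://:<password>@%s:6379` and take the host from the existing helper, `(include "appsmith.redisMasterHost" .)`, rather than re-deriving `%s-redis-master` from `.Release.Name`. The guard only checks that `APPSMITH_REDIS_URL` is non-empty, not that it carries the same password as `redis.auth.password`, so a mismatched pair still passes; the helper comment should say the check is structural and the operator remains responsible for keeping the two in sync. On this path the password also lives in a plain values key and inside `APPSMITH_REDIS_URL`, and if applicationConfig is rendered into the ConfigMap (the helper is invoked from configMap.yaml, which suggests so) the credential ends up outside a Secret — worth one sentence in the comment so operators prefer the `existingSecret` path unless they specifically need this one.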
diff --git a/deploy/helm/templates/configMap.yaml b/deploy/helm/templates/configMap.yaml
index 0f633731344..91dd5c66f12 100644
--- a/deploy/helm/templates/configMap.yaml
+++ b/deploy/helm/templates/configMap.yaml
@@ -6,6 +6,7 @@
 {{- $postgresqlPassword := .Values.postgresql.auth.password -}}
 {{- $postgresqlDatabase := .Values.postgresql.auth.database -}}
 {{- $releaseName := .Release.Name -}}
+{{- include "appsmith.validateRedisAuth" . -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/deploy/helm/templates/deployment.yaml b/deploy/helm/templates/deployment.yaml
index c45c8891f31..dc5a8c11122 100644
--- a/deploy/helm/templates/deployment.yaml
+++ b/deploy/helm/templates/deployment.yaml
@@ -80,7 +80,13 @@ spec:
 image: "{{ .Values.redis.image.registry }}/{{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}"
 {{- end }}
 command: ['sh', '-c', "until redis-cli -h {{ include "appsmith.redisMasterHost" . }} ping ; do echo waiting for redis; sleep 2; done"]
- {{- if .Values.redis.auth.enabled }}
+ {{- if and .Values.redis.auth.enabled (not .Values.applicationConfig.APPSMITH_REDIS_URL) }}
+ # Pull the password from the chart-managed Secret so the readiness ping can
+ # authenticate. Skipped when the operator supplies their own APPSMITH_REDIS_URL
+ # (the self-managed redis.auth.password path), because then no chart Secret exists
+ # to reference and an unresolvable secretKeyRef would wedge the pod in
+ # CreateContainerConfigError. The wait still works unauthenticated: `redis-cli ping`
+ # against an auth-required server replies NOAUTH but exits 0, satisfying the loop.
 env:
 - name: REDISCLI_AUTH
 valueFrom:
diff --git a/deploy/helm/templates/hooks/redis.yaml b/deploy/helm/templates/hooks/redis.yaml
index 30b9231e75b..43e507bc463 100644
--- a/deploy/helm/templates/hooks/redis.yaml
+++ b/deploy/helm/templates/hooks/redis.yaml
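Review bot: The new gate on the `REDISCLI_AUTH` block keys off `applicationConfig.APPSMITH_REDIS_URL`, while the hook in hooks/redis.yaml decides whether the chart Secret exists from `redis.auth.password`; the two predicates only agree because `appsmith.validateRedisAuth` ties them together, and an operator who sets `APPSMITH_REDIS_URL` for an external Redis without setting `redis.auth.password` now gets an unauthenticated wait even though the chart Secret is present. Using the hook's own predicate, `{{- if and .Values.redis.auth.enabled (not .Values.redis.auth.password) }}`, states the "no chart Secret" condition directly instead of inferring it. The comment's observation that the loop passes on a NOAUTH reply also means the wait only ever verifies reachability, never that the credential works — a wrong password with the Secret present would presumably exit 0 the same way — so the comment should say the init container is a reachability check and not read as an authentication probe. The container spec continues outside the hunk.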
@@ -14,7 +14,16 @@ secret (or a user who pre-created their own) is left untouched. The resulting Secret has no Helm release labels/annotations and no ownerReferences, so ArgoCD does not track or diff it. */}}
-{{- if and .Values.redis.enabled .Values.redis.auth.enabled }}
+{{/*
+Skip the bootstrap entirely when redis.auth.password is set: on that path the
+operator self-manages the credential (Bitnami uses redis.auth.password directly)
+and there is no chart secret to create. Safe ONLY because appsmith.validateRedisAuth
+(see _helpers.tpl, invoked from configMap.yaml) rejects every redis.auth.password
+configuration except the self-managed one (existingSecret: "" + a matching
+APPSMITH_REDIS_URL) — so this can no longer leave a non-empty existingSecret
+pointing at a secret the hook never creates.
+*/}}
+{{- if and .Values.redis.enabled .Values.redis.auth.enabled (not .Values.redis.auth.password) }}
 {{- $secretName := include "appsmith.redisSecretName" . -}}
 {{- $passwordKey := .Values.redis.auth.existingSecretPasswordKey -}}
 {{- $jobName := printf "%s-redis-password-init" (include "appsmith.fullname" .) | trunc 63 | trimSuffix "-" -}}
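Review bot: The skip on the new `if` line is only safe under an invariant enforced in a different template, and the comment says as much, but nothing in this file guarantees the validator still runs if the include in configMap.yaml is ever removed or put behind a condition; adding `{{- include "appsmith.validateRedisAuth" . -}}` immediately before the `if` makes the hook self-protecting at no cost, since a `fail` aborts the whole render no matter which template triggers it. With that in place the comment block can shrink to a pointer at the helper instead of restating its rule, which avoids the two descriptions drifting apart. The hook body continues outside the hunk.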