Merged
21 changes: 21 additions & 0 deletions deploy/helm/templates/_helpers.tpl
Expand Up @@ -237,6 +237,27 @@ Uses existing secret if provided, otherwise derives "{release}-redis-secret"
{{- .Values.redis.auth.existingSecret | default (printf "%s-redis-secret" .Release.Name) -}}
{{- end -}}

{{/*
Redis: validate the redis.auth.password configuration.

redis.auth.password is a Bitnami subchart passthrough that the Appsmith
templates never read on their own. There is exactly ONE supported way to use
it: the fully self-managed path, where the operator also disables the chart's
bootstrap secret (existingSecret: "") and hands the app a matching connection
string via applicationConfig.APPSMITH_REDIS_URL. Any other use silently splits
the password between Redis and the app, so we fail fast instead.

Invoked from a template that always renders (configMap.yaml) so it evaluates on
every `helm template`/install/upgrade.
*/}}
{{- define "appsmith.validateRedisAuth" -}}
{{- if .Values.redis.auth.password -}}
{{- if or .Values.redis.auth.existingSecret (not .Values.applicationConfig.APPSMITH_REDIS_URL) -}}
{{ fail (printf "redis.auth.password is set, which is only supported on the self-managed path. Choose one of:\n 1. Leave redis.auth.password unset and let the chart bootstrap a password (default), or supply your own secret via redis.auth.existingSecret / redis.auth.existingSecretPasswordKey.\n 2. Self-manage the password: set redis.auth.password, set redis.auth.existingSecret: \"\", and set applicationConfig.APPSMITH_REDIS_URL=redis://:<password>@%s-redis-master:6379 so the app uses the same credential." .Release.Name) }}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Redis: master service hostname (FQDN inside the cluster).
Derived from the release name to stay uniform with the chart's other components.
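Review bot: the inner condition in appsmith.validateRedisAuth only tests that applicationConfig.APPSMITH_REDIS_URL is non-empty, so a URL carrying a different password, or none at all, still passes and reproduces the split credential the comment says this guards against. Consider also requiring the URL to contain the configured password, for example by adding `(not (contains (printf ":%s@" .Values.redis.auth.password) .Values.applicationConfig.APPSMITH_REDIS_URL))` to the `or`, with a note that a password needing URL-encoding has to be compared in its encoded form. Separately, the outer `if` is not gated on redis.enabled or redis.auth.enabled, unlike the hook condition in hooks/redis.yaml, so a leftover redis.auth.password with Redis auth switched off now fails rendering; the comment should say whether that is intended.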
1 change: 1 addition & 0 deletions deploy/helm/templates/configMap.yaml
Expand Up @@ -6,6 +6,7 @@
{{- $postgresqlPassword := .Values.postgresql.auth.password -}}
{{- $postgresqlDatabase := .Values.postgresql.auth.database -}}
{{- $releaseName := .Release.Name -}}
{{- include "appsmith.validateRedisAuth" . -}}
apiVersion: v1
kind: ConfigMap
metadata:
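Review bot: the `include "appsmith.validateRedisAuth"` call at the top of configMap.yaml carries no comment saying it is there only for its `fail` side effect, so a later cleanup could drop it as a no-op, or wrap this file in a condition, and silently disable the check that hooks/redis.yaml depends on. Add a one-line template comment at the call site that points to the helper in _helpers.tpl and states that it must stay in a template that always renders.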
8 changes: 7 additions & 1 deletion deploy/helm/templates/deployment.yaml
Expand Up @@ -80,7 +80,13 @@ spec:
image: "{{ .Values.redis.image.registry }}/{{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}"
{{- end }}
command: ['sh', '-c', "until redis-cli -h {{ include "appsmith.redisMasterHost" . }} ping ; do echo waiting for redis; sleep 2; done"]
{{- if .Values.redis.auth.enabled }}
{{- if and .Values.redis.auth.enabled (not .Values.applicationConfig.APPSMITH_REDIS_URL) }}
# Pull the password from the chart-managed Secret so the readiness ping can
# authenticate. Skipped when the operator supplies their own APPSMITH_REDIS_URL
# (the self-managed redis.auth.password path), because then no chart Secret exists
# to reference and an unresolvable secretKeyRef would wedge the pod in
# CreateContainerConfigError. The wait still works unauthenticated: `redis-cli ping`
# against an auth-required server replies NOAUTH but exits 0, satisfying the loop.
env:
- name: REDISCLI_AUTH
valueFrom:
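Review bot: the new condition skips REDISCLI_AUTH whenever applicationConfig.APPSMITH_REDIS_URL is set, but the comment's reason for skipping is that no chart Secret exists, which hooks/redis.yaml keys on redis.auth.password instead. An operator who keeps the chart-managed or existingSecret password and also sets APPSMITH_REDIS_URL (allowed by the validator, since redis.auth.password is unset) loses the authenticated ping even though the Secret is there. Using the same predicate as the hook, `(not .Values.redis.auth.password)`, would keep the two in step. The comment also concedes that `redis-cli ping` exits 0 on a NOAUTH reply, so on the unauthenticated path this loop proves reachability only, not that the credential works; worth stating that explicitly so nobody reads the init container as a credential check.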
11 changes: 10 additions & 1 deletion deploy/helm/templates/hooks/redis.yaml
Expand Up @@ -14,7 +14,16 @@ secret (or a user who pre-created their own) is left untouched.
The resulting Secret has no Helm release labels/annotations and no
ownerReferences, so ArgoCD does not track or diff it.
*/}}
{{- if and .Values.redis.enabled .Values.redis.auth.enabled }}
{{/*
Skip the bootstrap entirely when redis.auth.password is set: on that path the
operator self-manages the credential (Bitnami uses redis.auth.password directly)
and there is no chart secret to create. Safe ONLY because appsmith.validateRedisAuth
(see _helpers.tpl, invoked from configMap.yaml) rejects every redis.auth.password
configuration except the self-managed one (existingSecret: "" + a matching
APPSMITH_REDIS_URL) — so this can no longer leave a non-empty existingSecret
pointing at a secret the hook never creates.
*/}}
{{- if and .Values.redis.enabled .Values.redis.auth.enabled (not .Values.redis.auth.password) }}
{{- $secretName := include "appsmith.redisSecretName" . -}}
{{- $passwordKey := .Values.redis.auth.existingSecretPasswordKey -}}
{{- $jobName := printf "%s-redis-password-init" (include "appsmith.fullname" .) | trunc 63 | trimSuffix "-" -}}
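Review bot: the added `(not .Values.redis.auth.password)` term stops the bootstrap hook on the self-managed path, but the existing comment just above says the bootstrapped Secret has no Helm release labels and no ownerReferences, so a release that already ran the hook and later switches to redis.auth.password keeps the old Secret, holding a password that is no longer in use. Document in the new comment or the upgrade notes that the operator should delete the previously bootstrapped Secret after switching paths.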