Support for external Redis/Valkey with ACL / RBAC username and logical DB#203
Open
rcarvalhoxavier wants to merge 10 commits into
- Added support for external Redis configurations, including username and database options.
- Updated the Redis URL generation logic to accommodate ACL/Valkey RBAC users.
- Modified migrations job template to reference the new external Redis secret handling.
Signed-off-by: Rodrigo Xavier <rcarvalhoxavier@gmail.com>
- Clarified descriptions for Redis password, username, and database options in the README.
- Added notes on how to use the embedded Redis chart and external Redis configurations.
Signed-off-by: Rodrigo Xavier <rcarvalhoxavier@gmail.com>
- Updated values.yaml to include aclEmbedPasswordInUrl option for better security with external Redis.
- Modified _helpers.tpl to conditionally emit REDIS_PASSWORD based on ACL settings.
- Adjusted env-secret.yaml to ensure REDIS_PASSWORD is only included when necessary, preventing duplicate AUTH issues.
Signed-off-by: Rodrigo Xavier <rcarvalhoxavier@gmail.com>
…edPasswordInUrl option
- Revised descriptions for Redis password and username to reflect changes in handling with ACL support.
- Added details about the aclEmbedPasswordInUrl option for improved security in Redis configurations.
Signed-off-by: Rodrigo Xavier <rcarvalhoxavier@gmail.com>
- Renamed helper function to clarify its purpose regarding external Redis ACL with embedded credentials.
- Updated logic in _helpers.tpl and env-secret.yaml to conditionally emit REDIS_PASSWORD based on Redis configuration, ensuring proper handling of ACL settings and avoiding duplicate AUTH issues.
Signed-off-by: Rodrigo Xavier <rcarvalhoxavier@gmail.com>
- Updated the Redis URL generation logic in _helpers.tpl to ensure proper URL encoding of user credentials, enhancing security and consistency in external Redis configurations.
- Clarified comments regarding the handling of existing secrets and embedded credentials.
Signed-off-by: Rodrigo Xavier <rcarvalhoxavier@gmail.com>
Summary

This PR adds first-class support for external Redis/Valkey in production-style clusters: TLS (`rediss`), Redis 6+ ACL / RBAC username, optional logical DB in `REDIS_URL`, and consistent password handling so it matches `redis-rb` and Chatwoot's expectations.

What we implemented

External Redis / Valkey (ACL + TLS)

- `REDIS_URL` generation (`_helpers.tpl`): supports `rediss://` when `env.REDIS_TLS` is true; optional `redis.username` for ACL; optional `redis.database` as path suffix; URL-encoded user/password in the URI when credentials are embedded.
- `chatwoot.redis.externalAclEmbedActive`: one helper is `true` only when external Redis uses ACL with user + password embedded in `REDIS_URL` (Helm knows the password, no `redis.existingSecret`, `redis.aclEmbedPasswordInUrl` enabled). The same condition drives: the `user:pass@host` branch of `chatwoot.redis.url`, and whether `REDIS_PASSWORD` is written to the generated env Secret (omitted in embed mode to avoid duplicate AUTH with TLS+ACL clients).
- `redis.aclEmbedPasswordInUrl` (default `true`): when ACL username is set and the password is available to Helm, the password can live only in `REDIS_URL`. If `redis.existingSecret` is used, Helm cannot inline the password into `REDIS_URL`; the chart keeps `user@host` in the URL and `REDIS_PASSWORD` from the Deployment `secretKeyRef` (unchanged pattern).

Env Secret

- `REDIS_PASSWORD` in the generated Secret is emitted when `not redis.existingSecret` and (`redis.enabled` OR external ACL embed is not active) — equivalent to omitting the key only in the external ACL-embed case described above.

Documentation

Why we need this

We run Chatwoot on EKS with managed PostgreSQL and managed Valkey/ElastiCache (TLS, ACL user, secrets from AWS Secrets Manager). The default chart path (bundled Bitnami Redis or a minimal `redis://` + separate password) is not enough for TLS + ACL without careful `REDIS_URL` and env composition. These changes make Helm predictable for that deployment model while preserving compatibility with bundled Redis/Postgres flows.
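The URL composition and the REDIS_PASSWORD emission rule described in the PR summary, written out in Go as an added example (this is not the chart's own _helpers.tpl; the RedisConfig type, its field names and the sample endpoint and credentials are assumptions). It uses net/url so the userinfo is percent-encoded, which is the property the PR relies on when a password is embedded in REDIS_URL.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
)

type RedisConfig struct { // hypothetical stand-in for the chart values named in the PR
	Enabled               bool   // redis.enabled: bundled Redis subchart in use
	Addr                  string // host:port of the Redis/Valkey endpoint
	TLS                   bool   // env.REDIS_TLS
	Username              string // redis.username (ACL / RBAC user)
	Password              string // redis.password; empty if Helm does not know it
	ExistingSecret        string // redis.existingSecret
	ACLEmbedPasswordInURL bool   // redis.aclEmbedPasswordInUrl
	Database              int    // redis.database; -1 means unset
}

// ExternalACLEmbedActive mirrors chatwoot.redis.externalAclEmbedActive.
func ExternalACLEmbedActive(c RedisConfig) bool {
	return !c.Enabled && c.Username != "" && c.Password != "" && c.ExistingSecret == "" && c.ACLEmbedPasswordInURL
}

// RedisURL composes REDIS_URL; net/url percent-encodes userinfo, so '@', ':' or '/' in a password cannot corrupt the URL.
func RedisURL(c RedisConfig) string {
	u := url.URL{Scheme: "redis", Host: c.Addr}
	if c.TLS {
		u.Scheme = "rediss"
	}
	switch {
	case ExternalACLEmbedActive(c):
		u.User = url.UserPassword(c.Username, c.Password) // user:pass@host branch
	case c.Username != "":
		u.User = url.User(c.Username) // user@host; password stays in REDIS_PASSWORD
	}
	if c.Database >= 0 {
		u.Path = "/" + strconv.Itoa(c.Database) // logical DB as path suffix
	}
	return u.String()
}

// EmitRedisPassword: the generated env Secret carries REDIS_PASSWORD only when no existingSecret and (bundled OR embed inactive).
func EmitRedisPassword(c RedisConfig) bool {
	return c.ExistingSecret == "" && (c.Enabled || !ExternalACLEmbedActive(c))
}

func main() { // constructed sample: TLS + ACL user whose password contains '@', ':' and '/'
	c := RedisConfig{Addr: "valkey.example.internal:6379", TLS: true, Username: "chatwoot", Password: "p@ss:w/rd", ACLEmbedPasswordInURL: true, Database: 2}
	fmt.Println(RedisURL(c), EmitRedisPassword(c))
}
```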