fix(helm): reject unsupported redis.auth.password configurations#41924
Merged
Conversation
redis.auth.password is a Bitnami subchart passthrough the Appsmith templates never read. Used with the chart defaults it silently vanishes (Bitnami ignores it because existingSecret is non-empty), and used with existingSecret:"" but no URL it splits the credential between Redis and the app. Add a render-time guard (appsmith.validateRedisAuth, invoked from configMap.yaml so it always evaluates): if redis.auth.password is set, require both redis.auth.existingSecret="" and applicationConfig.APPSMITH_REDIS_URL, else fail with a message stating the two supported options. This leaves exactly one valid redis.auth.password path: fully self-managed. Also skip the password-bootstrap hook when redis.auth.password is set — safe only because the guard eliminates the case that previously broke (a non-empty existingSecret pointing at a now-uncreated secret); noted in a comment. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ssword path The redis readiness init-container pulled REDISCLI_AUTH from the chart-managed Redis Secret whenever redis.auth.enabled. On the self-managed redis.auth.password path (existingSecret:"" + APPSMITH_REDIS_URL, the only path the new guard allows) no chart Secret exists — the bootstrap hook is skipped and Bitnami stores the password under its own <release>-redis Secret — so the secretKeyRef was unresolvable and wedged the pod in CreateContainerConfigError. Caught by the live upgrade test, not the render matrix (helm template can't see the missing Secret). Gate REDISCLI_AUTH on the same (not applicationConfig.APPSMITH_REDIS_URL) condition the main container already uses for its Redis env. The wait still works without auth: `redis-cli ping` against an auth-required server replies NOAUTH but exits 0. Default and BYO-secret paths keep REDISCLI_AUTH (URL unset there). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…n AGENTS.md Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. 🗂️ Base branches to auto review (2)
Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…riants in AGENTS.md" This reverts commit d279bea.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Builds on #41874.
redis.auth.passwordis a Bitnami subchart value that the Appsmith chart templates do not read on their own, so setting it currently misconfigures Redis silently — the password ends up split between the Redis server and the application, or is dropped entirely, and only surfaces as a runtime authentication failure.This change:
appsmith.validateRedisAuth) that fails fast with actionable guidance unlessredis.auth.passwordis used in the one supported, fully self-managed shape (redis.auth.existingSecret: ""plus a matchingapplicationConfig.APPSMITH_REDIS_URL).CreateContainerConfigError).deploy/helm/AGENTS.md.Verified by rendering the chart across the default, bring-your-own-secret, and self-managed combinations, and by a live install→upgrade test on a k3s cluster: the default path is unaffected, misconfigured upgrades now fail fast with migration guidance, and the self-managed path installs and reconnects cleanly.