External Redis without password is neither supported nor documented
Redis configuration fails on empty password.
We have an existing Redis instance without an instance password. It's very impractical for us to change the Redis instance, and we would rather configure GitLab to not attempt the authentication.
Reproducing the issue
Selected helm values for the release
global:
  redis:
    host: redis.k8s.censored.org
The secret map
apiVersion: v1
kind: Secret
metadata:
  namespace: gitlab-beta
  name: gitlab-prod-app-redis-secret
data:
  secret: ""
What the application generates (/srv/gitlab/config/resque.yml)
production:
  # Redis (single instance)
  url: redis://:@redis.k8s.censored.org:6379
This all results in
Redis::CommandError (ERR Client sent AUTH, but no password is set)
Happens everywhere GitLab uses Redis, which is in many places, including all HTTP requests to unicorn and whatever it is that sidekiq-all-in-1 does.
Proposed change
All templates that build the url as redis://:<%= File.read("/etc/gitlab/redis/password") %>@{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}
should instead check if the password is set and eventually omit the credentials (the user:pass@ part of the url).
That includes but is definitely not limited to:
charts/gitlab/charts/migrations/templates/configmap.yaml
charts/gitlab/charts/task-runner/templates/configmap.yaml
charts/gitlab/charts/mailroom/templates/configmap.yaml
This change would simplify migrating to the Helm chart from a different pre-existing deployment.
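A sketch of the conditional URL construction proposed above, as an added example that is not part of the original issue or the GitLab chart's code. The helper names (`redis_credentials`, `render_resque`, `render_with_password`) are hypothetical, the Helm `template` calls are replaced by plain Ruby values, and the password `s3cr3t@1` is a constructed sample.

```ruby
require 'erb'
require 'tempfile'

# Hypothetical helper (not from the GitLab chart): returns the credentials
# part of a Redis URL, or an empty string when no password is configured.
def redis_credentials(password_path)
  return '' unless File.file?(password_path)

  # Drop the trailing newline that a mounted secret file often carries.
  password = File.read(password_path).chomp
  return '' if password.strip.empty?

  # Percent-encode so characters such as "@", ":" or "/" cannot change
  # how the client parses the host part of the URL.
  ":#{ERB::Util.url_encode(password)}@"
end

# ERB fragment modelled on the template quoted in the issue. Host and port
# are ordinary Ruby values here (assumption) instead of Helm template calls.
RESQUE_TEMPLATE = <<~YAML
  production:
    url: redis://<%= redis_credentials(password_path) %><%= host %>:<%= port %>
YAML

def render_resque(password_path, host, port)
  ERB.new(RESQUE_TEMPLATE).result(binding)
end

# Writes a constructed password to a temporary file and renders the template,
# standing in for the secret mounted at /etc/gitlab/redis/password.
def render_with_password(password, host = 'redis.k8s.censored.org', port = 6379)
  Tempfile.create('redis-password') do |f|
    f.write(password)
    f.flush
    render_resque(f.path, host, port)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts render_with_password('')            # empty secret: no AUTH in the URL
  puts render_with_password("s3cr3t@1\n")  # constructed sample password
end
```

With an empty secret the rendered URL carries no `:@` prefix, so the Redis client never sends AUTH; with a non-empty secret the encoded password is placed before the host as before.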