Support Sentinel authentication through `requirepass`

Problem to solve

As of now, it is not possible to enforce client authentication at the Sentinel level, even if Redis auth is enabled. If we manually enable `requirepass` in `sentinel.conf`, GitLab won't start. Supporting this feature will help tighten Redis security.

ZD for reference.

Intended users

Proposal

Enable support for the `requirepass` option in `sentinel.conf`.

Further details

If an organization requires the Sentinel service to listen on external IPs, enabling this feature will block unauthenticated access to Redis nodes. Otherwise, anyone with access to the Sentinel IP and port will be able to interact with Redis without any authentication.
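
A configuration audit for the exposure described above, as an added example that is not part of the original issue or of GitLab's code: it parses a `sentinel.conf` body and flags a Sentinel that binds to a non-loopback address without `requirepass`, plus any monitored master that lacks `sentinel auth-pass` (only relevant when that Redis master requires a password). The sample config, master name, addresses and passwords are constructed placeholders, and treating a missing `bind` line as "all interfaces" is an assumption of the example.

```python
import ipaddress
import shlex

# Constructed sample sentinel.conf (master name, IPs and passwords are placeholders).
WEAK = """
port 26379
bind 0.0.0.0
sentinel monitor example-master 10.0.0.1 6379 2
sentinel auth-pass example-master redis-password-placeholder
"""
HARDENED = WEAK + "requirepass sentinel-password-placeholder\n"

def parse_conf(text):
    """Map each directive to the list of its argument lists."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted passwords
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def is_loopback(addr):
    addr = addr.lstrip("-")  # newer Redis versions allow a "-" prefix on bind addresses
    return addr != "*" and ipaddress.ip_address(addr).is_loopback

def audit_sentinel(text):
    """Return findings for a sentinel.conf body; an empty list means none."""
    conf = parse_conf(text)
    findings = []
    # Assumption of this example: no bind line is treated as all interfaces.
    binds = [a for args in conf.get("bind", []) for a in args] or ["*"]
    external = [b for b in binds if not is_loopback(b)]
    has_pass = any(args and args[0] for args in conf.get("requirepass", []))
    if external and not has_pass:
        findings.append("listens on %s without requirepass" % ", ".join(external))
    # Sentinel needs auth-pass to reach a password-protected Redis master.
    sub = conf.get("sentinel", [])
    with_auth = {a[1] for a in sub if len(a) > 2 and a[0] == "auth-pass"}
    for a in sub:
        if len(a) > 1 and a[0] == "monitor" and a[1] not in with_auth:
            findings.append("master %s has no sentinel auth-pass" % a[1])
    return findings

if __name__ == "__main__":
    for label, body in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_sentinel(body))
```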

Documentation

Redis Sentinel doc: https://redis.io/topics/sentinel#configuring-sentinel-instances-with-authentication

The GitLab doc suggests disabling `requirepass` on external Sentinel servers for now.

Availability & Testing

  • Unit test
  • Integration test

What does success look like, and how can we measure that?

GitLab will be able to connect to `requirepass`-enabled Sentinel servers and function normally. Also, there must be a setting in `gitlab.rb` to enable `requirepass` in the `sentinel.conf` of Omnibus-managed Redis/Sentinel servers.

Links / references