OT-CONTAINER-KIT / helm-charts

A repository that will contain helm charts with best and security practices.
https://ot-container-kit.github.io/helm-charts

When password is set, sentinel can't access redis cli #175

Open mrhovunping opened 11 months ago

mrhovunping commented 11 months ago

Does this issue reproduce with the latest release?

What operating system and processor architecture are you using (kubectl version)?

kubectl version Output
$ kubectl version

Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.21.9
WARNING: version difference between client (1.28) and server (1.21) exceeds the supported minor version skew of +/-1

What did you do?

Code secret Input
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: "redis-secret"
  annotations:
    argocd.argoproj.io/hook: PreSync
    argocd.argoproj.io/sync-wave: "-10"
spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  dataFrom:
    - extract:
        key: redis/redis-dev
Sentinel value.yml file Input
---
redisReplication:
  name: "redis-replication"
  clusterSize: 3
  image: quay.io/opstree/redis
  tag: v7.0.12
  imagePullPolicy: IfNotPresent
  redisSecret:
    secretName: redis-secret
    secretKey: password
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 100m
      memory: 128Mi
  ignoreAnnotations: []

redisExporter:
  enabled: true
  tag: "v1.45.0"
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 100m
      memory: 128Mi

storageSpec:
  volumeClaimTemplate:
    spec:
      storageClassName: local-path
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 1Gi
Replication value.yml file Input
---
redisSentinel:
  name: "redis"
  clusterSize: 3
  image: quay.io/opstree/redis-sentinel
  tag: v7.0.12
  imagePullPolicy: IfNotPresent
  redisSecret:
    secretName: redis-secret
    secretKey: password
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 100m
      memory: 128Mi
  ignoreAnnotations: []

redisSentinelConfig:
  redisReplicationName: "redis-replication"
  masterGroupName: "myMaster"
  redisPort: "6379"
  quorum: "2"
  parallelSyncs: "1"
  failoverTimeout: "60000"
  downAfterMilliseconds: "5000"

redisExporter:
  enabled: true
  tag: "v1.45.0"
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 100m
      memory: 128Mi

What did you expect to see?

Sentinel log Output
Sentinel is running without password which is not recommended
Running sentinel without TLS mode
ACL_MODE is not true, skipping ACL file modification
Starting  sentinel service .....
7:X 28 Nov 2023 10:52:28.282 * oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
7:X 28 Nov 2023 10:52:28.282 * Redis version=7.2.1, bits=64, commit=00000000, modified=0, pid=7, just started
7:X 28 Nov 2023 10:52:28.282 * Configuration loaded
7:X 28 Nov 2023 10:52:28.283 * monotonic clock: POSIX clock_gettime
7:X 28 Nov 2023 10:52:28.285 # Failed to write PID file: Permission denied
7:X 28 Nov 2023 10:52:28.285 * Running mode=sentinel, port=26379.
7:X 28 Nov 2023 10:52:28.285 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
7:X 28 Nov 2023 10:52:28.389 * Sentinel new configuration saved on disk
7:X 28 Nov 2023 10:52:28.389 * Sentinel ID is 8f6396b6aaa71b047d354bc6bd17a3642b7a911d
7:X 28 Nov 2023 10:52:28.389 # +monitor master myMaster 10.42.58.184 6379 quorum 2
7:X 28 Nov 2023 10:52:28.391 * +slave slave 10.42.252.231:6379 10.42.252.231 6379 @ myMaster 10.42.58.184 6379
7:X 28 Nov 2023 10:52:28.398 * Sentinel new configuration saved on disk
7:X 28 Nov 2023 10:52:28.398 * +slave slave 10.42.57.225:6379 10.42.57.225 6379 @ myMaster 10.42.58.184 6379
7:X 28 Nov 2023 10:52:28.473 * Sentinel new configuration saved on disk
7:X 28 Nov 2023 10:53:08.401 * +sentinel sentinel b60a9e330ccf502f658e1009eff9f1aab575f737 10.42.252.248 26379 @ myMaster 10.42.58.184 6379
7:X 28 Nov 2023 10:53:08.404 * Sentinel new configuration saved on disk
7:X 28 Nov 2023 10:53:54.208 * +sentinel sentinel a2b2be50ea5f14b92182e88683af0d4f02146349 10.42.58.161 26379 @ myMaster 10.42.58.184 6379
7:X 28 Nov 2023 10:53:54.210 * Sentinel new configuration saved on disk
Sentinel config file Output
port 26379
daemonize no
pidfile "/var/run/redis-sentinel.pid"
logfile ""
dir "/tmp"

acllog-max-len 128
sentinel deny-scripts-reconfig yes
sentinel resolve-hostnames no
sentinel announce-hostnames no
protected-mode no
sentinel monitor myMaster 10.42.58.184 6379 2
sentinel down-after-milliseconds myMaster 5000
masterauth T3BzdHJlZUAxMjM0Cg==

requirepass T3BzdHJlZUAxMjM0Cg==
sentinel failover-timeout myMaster 60000

latency-tracking-info-percentiles 50 99 99.9
user default on nopass sanitize-payload ~* &* +@all
sentinel myid a2b2be50ea5f14b92182e88683af0d4f02146349
sentinel config-epoch myMaster 0
sentinel leader-epoch myMaster 0
sentinel current-epoch 0

sentinel known-replica myMaster 10.42.252.231 6379

sentinel known-replica myMaster 10.42.57.225 6379

sentinel known-sentinel myMaster 10.42.57.233 26379 8f6396b6aaa71b047d354bc6bd17a3642b7a911d

sentinel known-sentinel myMaster 10.42.252.248 26379 b60a9e330ccf502f658e1009eff9f1aab575f737
Redis config file Output
bind 0.0.0.0 ::
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize no
supervised no
pidfile /var/run/redis.pid
masterauth T3BzdHJlZUAxMjM0Cg==

requirepass T3BzdHJlZUAxMjM0Cg==
protected-mode yes
save 900 1
save 300 10
save 60 10000
appendonly yes
appendfilename "appendonly.aof"
dir /data

What did you see instead?

Sentinel log Output
Running sentinel without TLS mode
ACL_MODE is not true, skipping ACL file modification
Starting  sentinel service .....
7:X 28 Nov 2023 08:31:51.811 * oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
7:X 28 Nov 2023 08:31:51.811 * Redis version=7.2.1, bits=64, commit=00000000, modified=0, pid=7, just started
7:X 28 Nov 2023 08:31:51.811 * Configuration loaded
7:X 28 Nov 2023 08:31:51.813 * monotonic clock: POSIX clock_gettime
7:X 28 Nov 2023 08:31:51.899 # Failed to write PID file: Permission denied
7:X 28 Nov 2023 08:31:51.899 * Running mode=sentinel, port=26379.
7:X 28 Nov 2023 08:31:51.903 * Sentinel new configuration saved on disk
7:X 28 Nov 2023 08:31:51.903 * Sentinel ID is c1239ddd311682335cc5af8ec198e4d7e6ea16ee
7:X 28 Nov 2023 08:31:51.903 # +monitor master myMaster 0.0.0.0 6379 quorum 2
7:X 28 Nov 2023 08:31:56.841 # +sdown master myMaster 0.0.0.0 6379
Sentinel config file Output
port 26379
daemonize no
pidfile "/var/run/redis-sentinel.pid"
logfile ""
dir "/tmp"

acllog-max-len 128
sentinel deny-scripts-reconfig yes
sentinel resolve-hostnames no
sentinel announce-hostnames no
masterauth "T3BzdHJlZUAxMjM0Cg=="
requirepass "T3BzdHJlZUAxMjM0Cg=="
protected-mode yes
sentinel monitor myMaster 0.0.0.0 6379 2
sentinel down-after-milliseconds myMaster 5000
sentinel failover-timeout myMaster 60000
latency-tracking-info-percentiles 50 99 99.9
user default on sanitize-payload #14afa4523a56381c0e955fa4d3740b063daae79287ccd209a26033c58e57a751 ~* &* +@all
sentinel myid 2ca0f97ebe033bf23fe25b220b8052a5ba446191
sentinel config-epoch myMaster 0
sentinel leader-epoch myMaster 0
sentinel current-epoch 0
Redis config file Output
bind 0.0.0.0 ::
tcp-backlog 511
timeout 0
tcp-keepalive 300
daemonize no
supervised no
pidfile /var/run/redis.pid
masterauth T3BzdHJlZUAxMjM0Cg==
requirepass T3BzdHJlZUAxMjM0Cg==
protected-mode yes
save 900 1
save 300 10
save 60 10000
appendonly yes
appendfilename "appendonly.aof"
dir /data
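The failing sentinel.conf above shows two things worth checking mechanically in any rendered Sentinel config: the monitored master has the address 0.0.0.0 (so Sentinel marks it +sdown five seconds later, as the log shows), and the password value is itself a base64 string that decodes to printable text with a trailing newline, a pattern usually produced when `echo ... | base64` output is stored as the secret. The following lint script is an added example, not part of the helm chart or the operator image; it uses a constructed sample built from the failing config, and the `sentinel auth-pass` check reflects the Redis Sentinel documentation, which uses that directive (not `masterauth`) for Sentinel's own authentication to the monitored master.

```python
import base64
import binascii

# Constructed sample: relevant lines of the failing sentinel.conf from the report.
FAILING_SENTINEL_CONF = """\
port 26379
protected-mode yes
masterauth "T3BzdHJlZUAxMjM0Cg=="
requirepass "T3BzdHJlZUAxMjM0Cg=="
sentinel monitor myMaster 0.0.0.0 6379 2
sentinel down-after-milliseconds myMaster 5000
"""


def parse_conf(text):
    """Return a list of (directive, args) pairs; 'sentinel X' counts as one directive."""
    entries = []
    for raw in text.splitlines():
        tokens = [t.strip('"') for t in raw.split()]
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "sentinel" and len(tokens) > 1:
            entries.append(("sentinel " + tokens[1], tokens[2:]))
        else:
            entries.append((tokens[0], tokens[1:]))
    return entries


def looks_double_encoded(secret):
    """Heuristic: the value is valid base64 whose decoding is printable text ending in '\\n'.
    That shape usually means `echo pw | base64` output was stored as the password itself."""
    try:
        decoded = base64.b64decode(secret, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return False
    return decoded.endswith("\n") and decoded[:-1].isprintable()


def lint_sentinel_conf(text):
    """Return human-readable findings for the symptoms seen in this issue."""
    entries = parse_conf(text)
    findings = []
    for directive, args in entries:
        # Master never discovered: the entrypoint fell back to 0.0.0.0, so Sentinel will +sdown it.
        if directive == "sentinel monitor" and len(args) >= 2 and args[1] in ("", "0.0.0.0"):
            findings.append(f"master {args[0]} has no real address ({args[1]}); expect +sdown")
        if directive in ("masterauth", "requirepass") and args and looks_double_encoded(args[0]):
            findings.append(f"{directive} value decodes as base64 text with a trailing newline")
    has_password = any(d in ("masterauth", "requirepass") for d, _ in entries)
    if has_password and not any(d == "sentinel auth-pass" for d, _ in entries):
        findings.append("password set but no 'sentinel auth-pass <master> <password>' line")
    return findings
```

Run it against the sentinel.conf copied out of the pod to tell a discovery failure apart from a plain authentication failure before changing chart values.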