Open dceravigupta opened 1 year ago
cc @weisisea perhaps you can answer?
@weisisea would you be able to help me out on this one?
Sorry for the late reply.
Envoy supports individual passwords for different clusters: https://github.com/envoyproxy/envoy/blob/dede92e6e5888cdf27320bf3b6bc9987657d6e22/test/extensions/filters/network/redis_proxy/redis_proxy_integration_test.cc#L238-L271
But I don't think Envoy currently supports different passwords for different endpoints in the same cluster. Envoy Redis filter authenticates the client on the downstream connection. The authentication is done locally at Envoy and the AUTH
commands aren't forwarded to upstream Redis nodes. Once the downstream connection is authenticated, the requests of the client can reach all upstream Redis nodes.
After reading the code a little more, I realized that the previous comment is related to the downstream authentication, instead of the upstream authentication, which the question is about.
Currently, an upstream connection pool has one password: https://github.com/envoyproxy/envoy/blob/dede92e6e5888cdf27320bf3b6bc9987657d6e22/source/extensions/filters/network/redis_proxy/conn_pool_impl.h#L183 https://github.com/envoyproxy/envoy/blob/dede92e6e5888cdf27320bf3b6bc9987657d6e22/source/extensions/filters/network/redis_proxy/conn_pool_impl.cc#L137-L138
The password is passed when creating an upstream client: https://github.com/envoyproxy/envoy/blob/dede92e6e5888cdf27320bf3b6bc9987657d6e22/source/extensions/filters/network/redis_proxy/conn_pool_impl.cc#L243-L244
During the upstream client initialization, the client sends an AUTH
command to the upstream Redis host:
https://github.com/envoyproxy/envoy/blob/dede92e6e5888cdf27320bf3b6bc9987657d6e22/source/extensions/filters/network/common/redis/client_impl.cc#L289-L293
To support per-endpoint password, I think we could modify the RedisProtocolOptions to contain a table containing mappings from endpoint to password. The ConnPool::InstanceImpl can then store the mapping table. When we create a connection to an upstream Redis host in the connection pool, we get the password for that Redis host from the mapping table and use it to initialize an upstream client.
Hi, is it possible to use different auth passwords for connecting to different redis endpoints as part of a single redis upstream clusters?
In the example config above, both redis instances i.e. abc.redis.net and xyz.redis.net have different auth passwords.