goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Support redis sentinel #1285

Open neumantm opened 3 years ago

neumantm commented 3 years ago

Is your feature request related to a problem? Please describe. I would like to deploy authentik on kubernetes with a separately configured distributed redis setup. Typically a distributed redis is setup using redis sentinel. As far as I know authentik currently does not support redis sentinel.

Describe the solution you'd like I'd like authentik to allow configuring redis sentinels and to use them.

Describe alternatives you've considered Using a non-distributed redis installation, but then the redis is not as fail-safe.

Additional context For the django part: The django-redis library recently added support for this. docs Celery also has support. docs The python redis library, too. docs Same for go-redis. docs

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

ToshY commented 2 years ago

This is still a desired feature 🤐

ck3mp commented 1 year ago

I require this too. For now I have deployed a HAProxy container with a service resource to auto pick the primary node and allow Authentik to write to Redis.

kashalls commented 10 months ago

Looking forward to having this implemented, it will be extremely helpful. I already started switching over from an other provider as this is another key feature I wanted (among other things).

PKizzle commented 10 months ago

@kashalls You might want to have a look at https://github.com/goauthentik/authentik/pull/7118 and test whether it works as expected. A pre-built Docker image is linked as well.

kashalls commented 10 months ago

> @kashalls You might want to have a look at #7118 and test whether it works as expected. A pre-built Docker image is linked as well.

@PKizzle What configuration changes do I need to make in order for sentinel support to be enabled?

So, after looking through the commit and figuring out what I actually needed to pass... Here's what I have.

I used your container, passed this environment variable: AUTHENTIK_REDIS__URL: "redis+sentinel://redis.database.svc.cluster.local:26379/?db=3&mastername=redis-master"

Log shows this:

{"event": "Redis Connection failed, retrying... (unknown command 'SELECT', with args beginning with: '3' )", "level": "info", "logger": "authentik.lib.config", "timestamp": 1697416356.665426, "redis_url": "redis+sentinel://redis.database.svc.cluster.local:26379/?db=3&mastername=redis-master"}

Feel free to view my configuration while I was testing this: home-cluster/authentik & home-cluster/redis

I did verify that the container can resolve the cluster service and ping it.
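The "unknown command 'SELECT'" line above is what you get when a client sends the database selection to the Sentinel process instead of to the master it names: Sentinel only speaks its own command set, and `db` has to be applied on the data connection that is opened after Sentinel reports the master's address. The following is an added example, not authentik's code and not the contents of PR #7118: it parses a URL of the shape kashalls passed (`redis+sentinel://host:port/?db=N&mastername=X`; treating the netloc as a comma-separated sentinel list with a default port of 26379 and the password in the userinfo are assumptions of this example), hands the sentinel list to redis-py's `Sentinel` client, and applies `db` on the master connection. It also includes the `INFO replication` role check that ck3mp's HAProxy approach performs on each node, parsed from the raw reply text as a proxy would see it. The `redis` package is imported only inside the connecting function, so the parser runs without a server.

```python
"""Resolve a Redis master through Sentinel and select the database on the
master rather than on the sentinel.

Added example for the discussion above; it is not authentik's code and does
not reproduce PR #7118. The URL shape is the one kashalls used; the default
sentinel port (26379), the comma-separated sentinel list and the password in
the URL userinfo are assumptions of this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

DEFAULT_SENTINEL_PORT = 26379  # assumption: Sentinel's conventional port


@dataclass
class SentinelConfig:
    sentinels: List[Tuple[str, int]]   # [(host, port), ...] of Sentinel processes
    master_name: str                   # the "mastername" Sentinel monitors
    db: int = 0                        # database to SELECT on the master
    password: Optional[str] = None     # password for the master/replicas


def parse_sentinel_url(url: str) -> SentinelConfig:
    """Parse redis+sentinel://[:pw@]host1[:port1][,host2[:port2]]/?db=N&mastername=X

    `db` is kept separately from the sentinel list: Sentinel refuses SELECT
    (the "unknown command 'SELECT'" error in the log), so it must be applied
    to the master connection, never to the sentinel connection.
    """
    parts = urlsplit(url)
    if parts.scheme != "redis+sentinel":
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")

    netloc = parts.netloc
    password = None
    if "@" in netloc:
        userinfo, netloc = netloc.rsplit("@", 1)
        # redis URLs carry the password after the colon: redis://:pw@host
        secret = userinfo.split(":", 1)[1] if ":" in userinfo else userinfo
        password = unquote(secret) or None

    sentinels: List[Tuple[str, int]] = []
    for hostport in netloc.split(","):
        host, sep, port = hostport.rpartition(":")
        if not sep:  # no port given (IPv6 literals are not handled here)
            host, port = port, str(DEFAULT_SENTINEL_PORT)
        if not host:
            raise ValueError(f"empty sentinel host in {hostport!r}")
        sentinels.append((host, int(port)))

    query = parse_qs(parts.query)
    master_name = query.get("mastername", ["mymaster"])[0]
    db = int(query.get("db", ["0"])[0])
    return SentinelConfig(sentinels, master_name, db, password)


def sentinel_master_client(cfg: SentinelConfig, socket_timeout: float = 0.5):
    """Return a redis.Redis bound to the current master via Sentinel.

    redis-py asks the sentinels `SENTINEL get-master-addr-by-name <name>`,
    opens the data connection to the reported address and issues SELECT
    there; after a failover the address is re-resolved on the next command.
    """
    from redis.sentinel import Sentinel  # lazy import: parsing needs no server

    sentinel = Sentinel(cfg.sentinels, socket_timeout=socket_timeout)
    return sentinel.master_for(
        cfg.master_name,
        db=cfg.db,                 # applied on the master, not the sentinel
        password=cfg.password,
        socket_timeout=socket_timeout,
    )


def role_from_info(info_replication: str) -> str:
    """Extract `role:` from a raw `INFO replication` reply.

    This is the check an HAProxy `tcp-check expect string role:master` does:
    only the master accepts writes; a replica answers with READONLY.
    """
    for line in info_replication.splitlines():
        if line.startswith("role:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no role field in INFO replication reply")


if __name__ == "__main__":
    cfg = parse_sentinel_url(
        "redis+sentinel://redis.database.svc.cluster.local:26379/?db=3&mastername=redis-master"
    )
    print(cfg)
    # Constructed sample reply, as a replica would return it:
    print(role_from_info("# Replication\r\nrole:slave\r\nmaster_host:10.0.0.1\r\n"))
```

Wiring `sentinel_master_client(cfg)` into an application gives a client that follows failovers, which is what the HAProxy and labelled-Service workarounds later in this thread emulate from outside the process.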

PKizzle commented 10 months ago

Thank you very much for your input. To be honest I have only tried connecting to the default 0 database so that might be causing the issue. I'll have a look at it.

PKizzle commented 10 months ago

I have fixed the issue. Please check again using the updated image on Docker Hub.

cardboardpig commented 10 months ago

does AUTHENTIK_REDIS__URL also work with the helm chart?

kashalls commented 10 months ago

> does AUTHENTIK_REDIS__URL also work with the helm chart?

Kind of. In its current state, overriding the image and passing it as an env works.

cardboardpig commented 10 months ago

Perhaps I am doing something wrong?

```yaml
apiVersion: apps/v1
kind: Deployment
<snip>
      containers:
        - name: authentik
          image: "ghcr.io/goauthentik/server:2023.8.3"
          imagePullPolicy: "IfNotPresent"
          args: ["server"]
          envFrom:
            - secretRef:
                name: authentik
            - configMapRef:
                name: authentik
<snip>
apiVersion: v1
kind: ConfigMap
metadata:
  name: authentik
data:
<snip>
  AUTHENTIK_REDIS__URL: "redis+sentinel://redis.redis:26379/?db=0"
```

{"event": "Redis Connection failed, retrying... (Error 111 connecting to localhost:6379. Connection refused.)", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698890681.8654897, "redis_url": "redis://:@localhost:6379/0"}

No other Redis variables are set/exist in the container via envFrom etc.

Edit: Ahh I found the current pull request for URL support. Ignore me! :sweat_smile:

PKizzle commented 10 months ago

Yeah, it is still a draft PR as I require more feedback on the various Redis configurations.

NeptuneHub commented 2 weeks ago

Hi, these days I encountered the same issue by installing authentik with the helm chart on a K3S 3-node cluster and trying to use it with redis sentinel. I have multiple errors like "trying to write on read only".

In the values.yaml of authentik I just passed host (of redis SVC), port and password

Is this fix still work in progress or do I need to pass some special configuration?

I'm also wondering if there is any alternative to deploy authentik in HA on a K3S/K8S cluster, because without redis in HA the whole application goes down when redis goes down.

Thanks.

kashalls commented 2 weeks ago

> Is this fix still work in progress or do I need to pass some special configuration?

I don't think he's been working on it as I have lost interest and just decided to use the authentik helm chart's redis server. Internally, the dependencies that are used for redis do not support redis sentinel mode and those related issues have stayed open without comment from the maintainers.

NeptuneHub commented 2 weeks ago

So this means that Authentik can't be run in high availability mode because it doesn't support redis in high availability mode? Or is there any alternative that I'm missing?

Actually I'm using integrated postgresql and integrated redis. I have a staging deployment with cloudnativepg for postgresql in HA but nothing for redis in HA because both redis with sentinel and redis cluster don't work.

kashalls commented 2 weeks ago

I haven't tried it but Redis Cluster should just work too. Redis Sentinel has leader elections and I don't think there is a way to label which redis node is the current leader in kubernetes. You could create a service that points to that label just like you would with cloudnative-pg.

cardboardpig commented 2 weeks ago

> So this means that Authentik can't be run in high availability mode because it doesn't support redis in high availability mode? Or is there any alternative that I'm missing?

You can use Redis behind HA-Proxy for high availability, or one of the Redis alternatives that support HA - I'm using Dragonfly. Though even behind HA-Proxy or using Dragonfly etc. the server and workers are very sensitive to loss of Redis connectivity when failing over after the primary Redis fails - my worker and server pods restart almost immediately despite the Redis primary target switching immediately.

> Actually I'm using integrated postgresql and integrated redis. I have a staging deployment with cloudnativepg for postgresql in HA but nothing for redis in HA because both redis with sentinel and redis cluster don't work.

If you have PGBouncer in front of your Postgres you'll need to use pool mode in Authentik - the necessary options to have it work with PGBouncer aren't yet exposed.