Revisit Redis password options

[DamianEdwards]

The Redis resource doesn't allow setting a password today, and this carries forward to deployment time too, i.e. Redis containers published from an AppHost have no password set. The resources for PostgreSQL, MSSQL, etc. do allow setting a password and do so by default.

We should revisit the default status of the Redis resource. As changing defaults has compatibility implications, we might want to consider doing it in stages, e.g.:

• in 8.1:
  • change the Redis resource to allow setting a password parameter (but don't set one by default in run mode)
  • by default, on publish a generated password expression is added in the manifest so that published Redis containers have a password set
• in 9.0:
  • change the Redis resource to behave more like the database resources, in that that a password parameter is used and a password is generated by default and used in local dev too

[Alirexaa]

Hey, @DamianEdwards can I take this?
Right now, there are several issues with Redis and one of those is about tests,I don't want to bring any conflict.

[DamianEdwards]

@Alirexaa to add the option to set a password via Parameter on the Redis resource? Please do!

[joperezr]

Per @eerhardt: we still want to look at this one, but it won't make it into 8.2 so moving to 9.0.

[eerhardt]

Moving out of 9.0 as this requires more work than simply adding some variables to the Redis container. We still want to do this, but it won't make it by 9.0.

[eerhardt]

Reopening as this change needed to be reverted for 9.1. See

• [WebToolsE2E][Aspire] Using ‘azd up’ to deploy aspire starter with redis project fails with error: generating bicep from manifest: argument 1 cannot contain connection strings, secured parameters, or secret outputs. Use environment variables instead. (dotnet/aspire#7429)
• Revert redis password change (dotnet/aspire#7518)

We will need to decide how to enable password protection in Redis containers in a future release.

[eerhardt]

After a bit of investigation, here's what I found. To set a password in the Redis container, there are 2 options (see Set password and other options via ENV variable (redis/docker-library-redis#46)):

1. Set via the command line with --requirepass <password>
2. Write the password into a config file, and mount it into the container

Doing this directly isn't secure. We tried taking approach (1) in Add Password To Redis (dotnet/aspire#4642), but this fails to deploy because azd (rightly) fails and says you shouldn't put secrets directly into a command line because the secret will be displayed in clear text.

The same problem exists if we just purely bind mount the config file. First azd only supports this with an experimental switch. And even then, it isn't secure because the file is written to an Azure Storage file share.

One option for taking the 2nd route is to write a config file into an ACA secret, and then mount that secret as a file. See https://learn.microsoft.com/en-us/azure/container-apps/manage-secrets?tabs=arm-template#secrets-volume-mounts. We could then pass that file as the conf file for the redis instance. However, this is specific for ACA and we would need to do something else at local run time. And potentially have something different for other environments.

The route I think we can go down that is secure and works is to use option (1), but pass the password via an environment variable, like we do everywhere else. Then we can set the environment variable via a secret in ACA, just like everything else.

To do this, we can use the solution in https://stackoverflow.com/a/72593084:

var redisPassword = ParameterResourceBuilderExtensions.CreateDefaultPasswordParameter(builder, "redis-pass");

var cache = builder.AddRedis("cache")
    .WithEntrypoint("/bin/sh")
    .WithArgs("-c", "redis-server --requirepass $REDIS_PASSWORD")
    .WithEnvironment(context =>
    {
        context.EnvironmentVariables["REDIS_PASSWORD"] = redisPassword;
    })

The password will get passed via an environment variable, and the call to /bin/sh will expand that environment variable when the container runs.

cc @Alirexaa @sebastienros

[Alirexaa]

@eerhardt, I tested your solution, but it did not work. Somehow, the password does not apply to Redis. You can check my branch and run Redis playground. You can connect to Redis without using the password.

[eerhardt]

@eerhardt, I tested your solution, but it did not work. Somehow, the password does not apply to Redis. You can check my branch and run Redis playground. You can connect to Redis without using the password.

The problem in your branch is that you are adding the redis command line options in separate args. The command/entrypoint being run is no longer the redis-server command. But instead the /bin/sh command. And that command only takes 2 args:

• -c
• redis-server --requirepass $REDIS_PASSWORD

The whole redis-server command + args needs to be passed on a single argument, which is the argument used for -c of /bin/sh.

Take this example to illustrate what is wrong:

When echo and foo are separate args, only echo is passed to /bin/sh -c and so a blank line is emitted. But when "echo foo" is passed as a single arg, then foo is emitted to the conosle.