fix(cli): add optional password setting for headless redis client (#19035) (#19039)

* chore: add optional password setting for headless redis client Signed-off-by: Rachel Sheikh <rsheikh@squareup.com> * fix: remove import cycle Signed-off-by: Rachel Sheikh <rsheikh@squareup.com> * fix: add shared SetOptionalRedisPasswordFromKubeConfig method Signed-off-by: Rachel Sheikh <rsheikh@squareup.com> * fix: export redis consts Signed-off-by: Rachel Sheikh <rsheikh@squareup.com> * test: add test cases for SetOptionalRedisPasswordFromKubeConfig() Signed-off-by: Rachel Sheikh <rsheikh@squareup.com> * chore: go mod tidy Signed-off-by: Rachel Sheikh <rsheikh@squareup.com> * fix: use require instead of assert Signed-off-by: Rachel Sheikh <rsheikh@squareup.com> * fix: Update common/common.go Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> Signed-off-by: Rachel Sheikh <sheikhrachel97@gmail.com> --------- Signed-off-by: Rachel Sheikh <rsheikh@squareup.com> Signed-off-by: Rachel Sheikh <sheikhrachel97@gmail.com> Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
2026-02-20 01:28:45 +01:00 · 2024-07-15 12:09:49 -07:00
parent 7fdddbe59b
commit c14143635c
6 changed files with 119 additions and 30 deletions
--- a/common/common.go
+++ b/common/common.go
@@ -1,15 +1,20 @@
 package common

 import (
-	"errors"
+	"context"
+	"fmt"
 	"os"
 	"path/filepath"
 	"strconv"
 	"time"

+	"github.com/pkg/errors"
+	"github.com/redis/go-redis/v9"
 	"github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
 )

 // Component names
@@ -414,3 +419,30 @@ const TokenVerificationError = "failed to verify the token"
 var TokenVerificationErr = errors.New(TokenVerificationError)

 var PermissionDeniedAPIError = status.Error(codes.PermissionDenied, "permission denied")
+
+// Redis password consts
+const (
+	DefaultRedisInitialPasswordSecretName = "argocd-redis"
+	DefaultRedisInitialPasswordKey        = "auth"
+)
+
+/*
+SetOptionalRedisPasswordFromKubeConfig sets the optional Redis password if it exists in the k8s namespace's secrets.
+
+We specify kubeClient as kubernetes.Interface to allow for mocking in tests, but this should be treated as a kubernetes.Clientset param.
+*/
+func SetOptionalRedisPasswordFromKubeConfig(ctx context.Context, kubeClient kubernetes.Interface, namespace string, redisOptions *redis.Options) error {
+	secret, err := kubeClient.CoreV1().Secrets(namespace).Get(ctx, DefaultRedisInitialPasswordSecretName, v1.GetOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to get secret %s/%s: %w", namespace, DefaultRedisInitialPasswordSecretName, err)
+	}
+	if secret == nil {
+		return fmt.Errorf("failed to get secret %s/%s: secret is nil", namespace, DefaultRedisInitialPasswordSecretName)
+	}
+	_, ok := secret.Data[DefaultRedisInitialPasswordKey]
+	if !ok {
+		return fmt.Errorf("secret %s/%s does not contain key %s", namespace, DefaultRedisInitialPasswordSecretName, DefaultRedisInitialPasswordKey)
+	}
+	redisOptions.Password = string(secret.Data[DefaultRedisInitialPasswordKey])
+	return nil
+}
--- a/common/common_test.go
+++ b/common/common_test.go
@@ -1,12 +1,18 @@
 package common

 import (
+	"context"
 	"fmt"
 	"os"
 	"testing"
 	"time"

+	"github.com/redis/go-redis/v9"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kubefake "k8s.io/client-go/kubernetes/fake"
 )

 // Test env var not set for EnvGRPCKeepAliveMin
@@ -44,3 +50,63 @@ func Test_GRPCKeepAliveMinIncorrectlySet(t *testing.T) {
 	grpcKeepAliveTime := GetGRPCKeepAliveTime()
 	assert.Equal(t, 2*grpcKeepAliveExpectedMin, grpcKeepAliveTime)
 }
+
+func TestSetOptionalRedisPasswordFromKubeConfig(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		name, namespace, expectedPassword, expectedErr string
+		secret                                         *corev1.Secret
+	}{
+		{
+			name:             "Secret exists with correct key",
+			namespace:        "default",
+			expectedPassword: "password123",
+			expectedErr:      "",
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Name: DefaultRedisInitialPasswordSecretName},
+				Data:       map[string][]byte{DefaultRedisInitialPasswordKey: []byte("password123")},
+			},
+		},
+		{
+			name:             "Secret does not exist",
+			namespace:        "default",
+			expectedPassword: "",
+			expectedErr:      fmt.Sprintf("failed to get secret default/%s", DefaultRedisInitialPasswordSecretName),
+			secret:           nil,
+		},
+		{
+			name:             "Secret exists without correct key",
+			namespace:        "default",
+			expectedPassword: "",
+			expectedErr:      fmt.Sprintf("secret default/%s does not contain key %s", DefaultRedisInitialPasswordSecretName, DefaultRedisInitialPasswordKey),
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Name: DefaultRedisInitialPasswordSecretName},
+				Data:       map[string][]byte{},
+			},
+		},
+	}
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			var (
+				ctx          = context.TODO()
+				kubeClient   = kubefake.NewSimpleClientset()
+				redisOptions = &redis.Options{}
+			)
+			if tc.secret != nil {
+				if _, err := kubeClient.CoreV1().Secrets(tc.namespace).Create(ctx, tc.secret, metav1.CreateOptions{}); err != nil {
+					t.Fatalf("Failed to create secret: %v", err)
+				}
+			}
+			err := SetOptionalRedisPasswordFromKubeConfig(ctx, kubeClient, tc.namespace, redisOptions)
+			if tc.expectedErr != "" {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tc.expectedErr)
+			} else {
+				require.NoError(t, err)
+			}
+			require.Equal(t, tc.expectedPassword, redisOptions.Password)
+		})
+	}
+}