Make authentication/SSL for redis sentinel optional

Change 4954e284b9 updated the redis sentinel driver to apply auth/ssl settings for redis sentinel, based on ones of redis, but this change broke the existing usage in kolla deployments, which require redis with authentication enabled and sentinel with authentication DISABLED. This restores the old behavior, which do not enable authentication and ssl for sentinel even when these for redis is enabled. Closes-Bug: #2056656 Change-Id: I3047c80359df3dad64be041db6f4a3a6180479d6
2024-03-11 01:20:01 +09:00 · 2024-03-11 01:20:01 +09:00 · 3bce8e1dca
parent 29f9043b7b
commit 3bce8e1dca
2 changed files with 41 additions and 1 deletions
--- a/releasenotes/notes/bug-2056656-f71dca8a61138f95.yaml
+++ b/releasenotes/notes/bug-2056656-f71dca8a61138f95.yaml
@ -0,0 +1,22 @@
+---
+features:
+  - |
+    The redis driver now supports the following options.
+
+    - ``sentinel_username``
+    - ``sentinel_parameters``
+    - ``sentinel_ssl``
+
+fixes:
+  - |
+    The redis driver no longer enables authentication for redis sentinel when
+    authentication is enabled in redis. This was the previous behavior before
+    6.0.0, and was already required by some deployment tools like kolla. Now
+    authentication for redis sentinel is controlled by a separate options
+    (``sentinel_username`` and ``sentinel_password``).
+
+  - |
+    The redis driver no longer enables SSL for redis sentinel when SSL is
+    enabled in redis, to restore the compatibility with older versions. Now
+    SSL for redis sentinel is controlled by the separate ``sentinel_ssl``
+    option.
--- a/tooz/drivers/redis.py
+++ b/tooz/drivers/redis.py
@ -267,6 +267,9 @@ class RedisDriver(coordination.CoordinationDriverCachedRunWatchers,
        'ssl_ca_certs',
        'sentinel',
        'sentinel_fallback',
+        'sentinel_username',
+        'sentinel_password',
+        'sentinel_ssl',
    ])
    """
    Keys that we allow to proxy from the coordinator configuration into the
@ -288,6 +291,7 @@ class RedisDriver(coordination.CoordinationDriverCachedRunWatchers,
        'retry_on_timeout',
        'socket_keepalive',
        'ssl',
+        'sentinel_ssl',
    ])

    #: Client arguments that are expected to be int convertible.
@ -474,9 +478,23 @@ return 1
            ]
            sentinel_hosts.insert(0, (kwargs.pop('host'), kwargs.pop('port')))
            sentinel_name = kwargs.pop('sentinel')
+            sentinel_kwargs = {}
+            # NOTE(tkajinam): Copy socket_* options, according to the logic
+            # in redis-py
+            for key in kwargs:
+                if key.startswith('socket_'):
+                    sentinel_kwargs[key] = kwargs[key]
+            if kwargs.pop('sentinel_ssl', False):
+                sentinel_kwargs['ssl'] = True
+                for key in ('ssl_certfile', 'ssl_keyfile', 'ssl_cafile'):
+                    if key in kwargs:
+                        sentinel_kwargs[key] = kwargs[key]
+            for key in ('username', 'password'):
+                if 'sentinel_' + key in kwargs:
+                    sentinel_kwargs[key] = kwargs.pop('sentinel_' + key)
            sentinel_server = sentinel.Sentinel(
                sentinel_hosts,
-                sentinel_kwargs=kwargs,
+                sentinel_kwargs=sentinel_kwargs,
                **kwargs)
            master_client = sentinel_server.master_for(sentinel_name)
            # The master_client is a redis.Redis using a