add ACL authentication support with auto-generated and existing secret options #14
base: main
…t options Signed-off-by: David Flanagan <[email protected]>
4196475 to
2787b1e
Pull Request Overview
This PR adds ACL authentication support to the Valkey Helm chart with three different configuration methods: auto-generated secrets, existing secrets, and inline configuration. It includes comprehensive validation logic and extensive test coverage to ensure only one authentication method is used at a time.
- Adds three authentication methods with priority-based selection and mutual exclusion validation
- Implements auto-generation of passwords and ACL configurations via Kubernetes secrets
- Provides comprehensive test coverage for all authentication scenarios and edge cases
Reviewed Changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| valkey/values.yaml | Added authentication configuration options with detailed comments |
| valkey/templates/secret.yaml | New template for generating authentication secrets |
| valkey/templates/init_config.yaml | Updated to handle different authentication methods |
| valkey/templates/deploy_valkey.yaml | Added auth volume mounts and validation |
| valkey/templates/_helpers.tpl | Added authentication configuration validation logic |
| valkey/templates/tests/auth.yaml | New test pods for authentication verification |
| valkey/tests/*.yaml | Comprehensive test suites for all components |
| Justfile | Development task automation |
| .github/workflows/test.yml | CI/CD pipeline for testing |
| valkey/.helmignore | Updated ignore patterns |

Need to check it firstly

@rawkode Please fix the password generation block, as suggested before

Co-authored-by: Copilot <[email protected]> Signed-off-by: David Flanagan <[email protected]>
… configs Co-authored-by: Copilot <[email protected]> Signed-off-by: David Flanagan <[email protected]>
Pull Request Overview
Copilot reviewed 14 out of 14 changed files in this pull request and generated 1 comment.
Signed-off-by: David Flanagan <[email protected]>
Co-authored-by: Copilot <[email protected]> Signed-off-by: David Flanagan <[email protected]>
Pull Request Overview
Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.
| {{- /* Check if aclConfig has actual content (not just comments/whitespace) */}} | ||
| {{- if .Values.auth.aclConfig }} | ||
| {{- $trimmed := .Values.auth.aclConfig | trim }} | ||
| {{- /* Use regex to check for any non-empty, non-comment line */}} |
Copilot AI, Oct 16, 2025
[nitpick] The regex pattern uses (?m) multiline flag but could be simplified. Consider using a more readable approach or add a comment explaining the regex logic for maintainability.
| {{- /* Use regex to check for any non-empty, non-comment line */}} | |
| {{- /* Use regex to check for any non-empty, non-comment line */}} | |
| {{- /* | |
| The regex pattern "(?m)^(\s*[^#\s].*)$" uses the multiline flag (?m) so that ^ and $ match the start/end of each line. | |
| It matches any line that is not just whitespace and does not start with a '#' (comment). | |
| This ensures aclConfig contains at least one meaningful, non-comment line. | |
| */}} |
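
Review bot: the explanatory comment says the pattern matches a line that "does not start with a '#'", but `\s*[^#\s]` tests the first non-whitespace character, so an indented `# ...` line is also treated as a comment; word it as "whose first non-whitespace character is not '#'". Because the pattern already skips leading whitespace, the comment should also say whether the check runs on `$trimmed` or on the raw `.Values.auth.aclConfig`, since the visible lines compute `$trimmed` but do not show it being used.
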
| # If password key exists in secret, test with it | ||
| if [ -f /valkey-auth/password ]; then | ||
| PASSWORD=$(cat /valkey-auth/password) |
Copilot AI, Oct 16, 2025
The USERNAME variable is used but never defined in this context. This appears to be a shell variable that should either be defined or the fallback logic should be clarified.
| PASSWORD=$(cat /valkey-auth/password) | |
| PASSWORD=$(cat /valkey-auth/password) | |
| # Extract the first username from the ACL file, fallback to "default" if not found | |
| USERNAME=$(awk '/^user / {print $2; exit}' /valkey-auth/users.acl) |
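
Review bot: the comment above the USERNAME line promises a fallback to "default", but the awk command has none: it leaves USERNAME empty when users.acl has no line starting with `user `, and it errors when the file is absent, while only /valkey-auth/password is guarded by the `-f` test. Add `USERNAME=${USERNAME:-default}` after the awk call and run awk only when /valkey-auth/users.acl exists.
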

@rawkode template needs to be fixed: https://github.com/valkey-io/valkey-helm/actions/runs/18554956365/job/53594604893?pr=14

Any update on this? This is a deal breaker for me (and I think for most users too). Thanks!

I need this as well, let's wait just a bit longer for @rawkode to fix this, otherwise I'll submit a PR that passes the checks.

@rawkode Thanks for the PR, excellent work!! Test units look really good! My 2c, I would rather not have auto-generated passwords. This introduces run-time dependencies and cannot be tested. Instead I would introduce an existingSecret/existingSecretKey under generateDefaultUser that would take precedence over the plaintext password. PS: I noticed there are RegEx gymnastics over aclConfig to detect if there is actual content or not. I would default it to "", and document the format as a values.yaml comment and/or README. Then it can be tested by Thoughts?

Here is a working copy, updated to main just now: I've made a PR to rawkode's repo, just ask for it if you want to merge my branch, in case @rawkode disappears.

Sorry, I've not had time to clean this up. Happy to see someone else push this forward 😍

Signed-off-by: Raven <[email protected]>

Amm, ok. I could try to do it by myself, or if @OnekO already had some fixes, maybe they should be made in another PR.

ah, waiting for this...

Hi all, I have updated this PR with fixes and a few changes. I'll push them here tomorrow.
This adds support for generating passwords or using a pre-existing secret, as well as test coverage for all changes.