Skip to content

feat: add ghproxy valkey/redis ACL support #433

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: add ghproxy valkey/redis ACL support #433

wants to merge 2 commits into from
+43 −4

Conversation

kairoaraujo
Copy link

add ghproxy support to valkey/redis using ACL (username and password)

when using --redis-address the user can pass the username and password if the redis server has auth

New parameters:
--redis-username=username
--redis-password=password

@linux-foundation-easycla Linux Foundation: EasyCLA
Copy link

linux-foundation-easycla bot commented Apr 17, 2025
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Apr 17, 2025
@k8s-ci-robot
Copy link
Contributor

Welcome @kairoaraujo!

It looks like this is your first PR to kubernetes-sigs/prow 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/prow has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot
Copy link
Contributor

Hi @kairoaraujo. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 17, 2025
@k8s-ci-robot k8s-ci-robot added the area/ghproxy Issues or PRs related to prow's ghproxy component label Apr 17, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kairoaraujo
Once this PR has been reviewed and has the lgtm label, please assign cjwagner for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Apr 17, 2025
@netlify Netlify
Copy link

netlify bot commented Apr 17, 2025
edited
Loading

Deploy Preview for k8s-prow ready!

Name Link
🔨 Latest commit 92f64ea
🔍 Latest deploy log https://app.netlify.com/sites/k8s-prow/deploys/6819be8037516b0008a764d3
😎 Deploy Preview https://deploy-preview-433--k8s-prow.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Apr 17, 2025
smg247
smg247 reviewed Apr 21, 2025
View reviewed changes
cmd/ghproxy/ghproxy.go Outdated
@@ -143,6 +145,8 @@ func flagOptions() *options {
flag.IntVar(&o.sizeGB, "cache-sizeGB", 0, "Cache size in GB per unique token if using a disk cache.")
flag.BoolVar(&o.diskCacheDisableAuthHeaderPartitioning, "legacy-disable-disk-cache-partitions-by-auth-header", true, "Whether to disable partitioning a disk cache by auth header. Disabling this will start a new cache at $cache_dir/$sha256sum_of_authorization_header for each unique authorization header. Bigger setups are advise to manually warm this up from an existing cache. This option will be removed and set to `false` in the future")
flag.StringVar(&o.redisAddress, "redis-address", "", "Redis address if using a redis cache e.g. localhost:6379.")
flag.StringVar(&o.redisUsername, "redis-usersname", "", "Redis username")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
flag.StringVar(&o.redisUsername, "redis-usersname", "", "Redis username")
flag.StringVar(&o.redisUsername, "redis-username", "", "Redis username")

cmd/ghproxy/ghproxy.go
@@ -143,6 +145,8 @@ func flagOptions() *options {
flag.IntVar(&o.sizeGB, "cache-sizeGB", 0, "Cache size in GB per unique token if using a disk cache.")
flag.BoolVar(&o.diskCacheDisableAuthHeaderPartitioning, "legacy-disable-disk-cache-partitions-by-auth-header", true, "Whether to disable partitioning a disk cache by auth header. Disabling this will start a new cache at $cache_dir/$sha256sum_of_authorization_header for each unique authorization header. Bigger setups are advise to manually warm this up from an existing cache. This option will be removed and set to `false` in the future")
flag.StringVar(&o.redisAddress, "redis-address", "", "Redis address if using a redis cache e.g. localhost:6379.")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would add some validation that states that redis-address must be supplied if either of the 2 new fields are

pkg/ghcache/ghcache.go Outdated
Comment on lines 542 to 551
var conn redis.Conn
var err error
if redisUsername != "" {
conn, err = redis.Dial("tcp", redisAddress, redis.DialUsername(redisUsername), redis.DialPassword(redisPassword))
} else if redisPassword != "" {
conn, err = redis.Dial("tcp", redisAddress, redis.DialPassword(redisPassword))
} else {
conn, err = redis.Dial("tcp", redisAddress)
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than creating the connection in three separate statements, can we just always pass the two new options? it seems like passing empty strings for either of the options would have the same result as not including them, but that should be verified.

@smg247
Copy link
Contributor

smg247 commented Apr 21, 2025

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 21, 2025
@petr-muller petr-muller requested a review from Copilot April 21, 2025 15:35
Copilot
Copilot AI reviewed Apr 21, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds ACL support for valkey/redis in ghproxy by enabling the use of a username and password when connecting to Redis.

  • Modified the NewRedisCache function in pkg/ghcache/ghcache.go to support ACL by conditionally passing the username and password.
  • Extended the ghproxy command-line options with redisUsername and redisPassword flags.
  • Noted a typographical error in the flag name for redisUsername.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
pkg/ghcache/ghcache.go Updated NewRedisCache to support ACL connection using username and password
cmd/ghproxy/ghproxy.go Added new flags for redis credentials; detected a typo in the username flag

petr-muller
petr-muller reviewed Apr 21, 2025
View reviewed changes
cmd/ghproxy/ghproxy.go Outdated
@@ -143,6 +145,8 @@ func flagOptions() *options {
flag.IntVar(&o.sizeGB, "cache-sizeGB", 0, "Cache size in GB per unique token if using a disk cache.")
flag.BoolVar(&o.diskCacheDisableAuthHeaderPartitioning, "legacy-disable-disk-cache-partitions-by-auth-header", true, "Whether to disable partitioning a disk cache by auth header. Disabling this will start a new cache at $cache_dir/$sha256sum_of_authorization_header for each unique authorization header. Bigger setups are advise to manually warm this up from an existing cache. This option will be removed and set to `false` in the future")
flag.StringVar(&o.redisAddress, "redis-address", "", "Redis address if using a redis cache e.g. localhost:6379.")
flag.StringVar(&o.redisUsername, "redis-usersname", "", "Redis username")
flag.StringVar(&o.redisPassword, "redis-password", "", "Redis password")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was not able to a full review but I see we add a sensitive value parameter.

  1. It should not be passed as a value; a typical pattern in Prow is to pass a path to a file with the secret as content
  2. Internally we should work with secrets through the agent. It handles reading the secret from the file, reloading (maybe not that useful here) and log censoring. Whatever needs the secret will fetch it from the agent.

@kairoaraujo
feat: add ghproxy valkey/redis ACL support
b6c8724 
add ghproxy support to valkey/redis using ACL (username and password)

when using --redis-address the user can pass the username and password
if the redis server has auth
--redis-username=username
--redis-password=password

Signed-off-by: Kairo Araujo <kairo@dearaujo.nl>
@kairoaraujo
fixup! feat: add ghproxy valkey/redis ACL support
92f64ea 
Signed-off-by: Kairo Araujo <kairo@dearaujo.nl>
@kairoaraujo kairoaraujo force-pushed the ghproxy-valkey-redis-credentials branch from ad8a96e to 92f64ea Compare May 6, 2025 07:47
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels May 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@petr-muller petr-muller petr-muller left review comments

@smg247 smg247 smg247 left review comments

Copilot code review Copilot Copilot left review comments

@alvaroaleman alvaroaleman Awaiting requested review from alvaroaleman

@michelle192837 michelle192837 Awaiting requested review from michelle192837

Assignees
No one assigned
Labels
area/ghproxy Issues or PRs related to prow's ghproxy component cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kairoaraujo @k8s-ci-robot @smg247 @petr-muller