(voxpupuli#527) Add masteruser parameter

Enable setting the masteruser parameter which was introduced in Redis 6+ to be able to connect using the new ACL rules.
mrsteffenjo · May 15, 2024 · 153655b · 153655b
1 parent ad3cd35
commit 153655b
Show file tree

Hide file tree

Showing 6 changed files with 66 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -33,6 +33,16 @@ class { 'redis':
 }
 ```
 
+With ACL authentication
+
+```puppet
+class { 'redis':
+  bind       => '10.0.1.1',
+  masterauth => 'secret',
+  masteruser => 'username',
+}
+```
+
 ### Slave node
 
 ```puppet

diff --git a/REFERENCE.md b/REFERENCE.md
@@ -122,6 +122,7 @@ The following parameters are available in the `redis` class:
 * [`manage_package`](#-redis--manage_package)
 * [`managed_by_cluster_manager`](#-redis--managed_by_cluster_manager)
 * [`masterauth`](#-redis--masterauth)
+* [`masteruser`](#-redis--masteruser)
 * [`maxclients`](#-redis--maxclients)
 * [`maxmemory`](#-redis--maxmemory)
 * [`maxmemory_policy`](#-redis--maxmemory_policy)
@@ -532,7 +533,15 @@ Default value: `false`
 
 Data type: `Optional[Variant[String[1], Sensitive[String[1]], Deferred]]`
 
-If the master is password protected (using the "requirepass" configuration
+If the master is password protected (using the "requirepass" configuration)
+
+Default value: `undef`
+
+##### <a name="-redis--masteruser"></a>`masteruser`
+
+Data type: `Optional[Variant[String[1], Sensitive[String[1]], Deferred]]`
+
+If the master is password protected and a user is defined (using the "user" configuration)
 
 Default value: `undef`
 
@@ -1953,6 +1962,7 @@ The following parameters are available in the `redis::instance` defined type:
 * [`managed_by_cluster_manager`](#-redis--instance--managed_by_cluster_manager)
 * [`manage_service_file`](#-redis--instance--manage_service_file)
 * [`masterauth`](#-redis--instance--masterauth)
+* [`masteruser`](#-redis--instance--masteruser)
 * [`maxclients`](#-redis--instance--maxclients)
 * [`maxmemory`](#-redis--instance--maxmemory)
 * [`maxmemory_policy`](#-redis--instance--maxmemory_policy)
@@ -2305,7 +2315,15 @@ Default value: `true`
 
 Data type: `Optional[Variant[String[1], Sensitive[String[1]], Deferred]]`
 
-If the master is password protected (using the "requirepass" configuration
+If the master is password protected (using the "requirepass" configuration)
+
+Default value: `$redis::masterauth`
+
+##### <a name="-redis--instance--masteruser"></a>`masteruser`
+
+Data type: `Optional[Variant[String[1], Sensitive[String[1]], Deferred]]`
+
+If the master is password protected and a user is defined (using the "user" configuration)
 
 Default value: `$redis::masterauth`
 

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -95,7 +95,9 @@
 # @param managed_by_cluster_manager
 #   Choose if redis will be managed by a cluster manager such as pacemaker or rgmanager
 # @param masterauth
-#   If the master is password protected (using the "requirepass" configuration
+#   If the master is password protected (using the "requirepass" configuration)
+# @param masteruser
+#   If the master is password protected and a user is defined (using the "user" configuration)
 # @param maxclients
 #   Set the max number of connected clients at the same time.
 # @param maxmemory
@@ -392,6 +394,7 @@
   Boolean $manage_package                                        = true,
   Boolean $manage_repo                                           = false,
   Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masterauth = undef,
+  Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masteruser = undef,
   Integer[1] $maxclients                                         = 10000,
   $maxmemory                                                     = undef,
   Optional[Redis::MemoryPolicy] $maxmemory_policy                = undef,

diff --git a/manifests/instance.pp b/manifests/instance.pp
@@ -74,7 +74,9 @@
 # @param manage_service_file
 #   Determine if the systemd service file should be managed
 # @param masterauth
-#   If the master is password protected (using the "requirepass" configuration
+#   If the master is password protected (using the "requirepass" configuration)
+# @param masteruser
+#   If the master is password protected and a user is defined (using the "user" configuration)
 # @param maxclients
 #   Set the max number of connected clients at the same time.
 # @param maxmemory
@@ -325,6 +327,7 @@
   Stdlib::Filemode $log_dir_mode                                 = $redis::log_dir_mode,
   Redis::LogLevel $log_level                                     = $redis::log_level,
   Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masterauth = $redis::masterauth,
+  Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masteruser = $redis::masterauth,
   Integer[1] $maxclients                                         = $redis::maxclients,
   Optional[Variant[Integer, String]] $maxmemory                  = $redis::maxmemory,
   Optional[Redis::MemoryPolicy] $maxmemory_policy                = $redis::maxmemory_policy,
@@ -526,6 +529,7 @@
     slaveof                       => $slaveof,
     replicaof                     => $replicaof,
     masterauth                    => $masterauth,
+    masteruser                    => $masteruser,
     slave_serve_stale_data        => $slave_serve_stale_data,
     slave_read_only               => $slave_read_only,
     repl_announce_ip              => $repl_announce_ip,

diff --git a/spec/classes/redis_spec.rb b/spec/classes/redis_spec.rb
@@ -523,6 +523,20 @@ class { 'redis':
         }
       end
 
+      describe 'with parameter masteruser' do
+        let(:params) do
+          {
+            masteruser: '_VALUE_'
+          }
+        end
+
+        it {
+          is_expected.to contain_file(config_file_orig).with(
+            'content' => %r{masteruser.*_VALUE_}
+          )
+        }
+      end
+
       describe 'with parameter maxclients' do
         let(:params) do
           {

diff --git a/templates/redis.conf.epp b/templates/redis.conf.epp
@@ -23,6 +23,7 @@
   Optional[String[1]]                                $slaveof,
   Optional[String[1]]                                $replicaof,
   Optional[Variant[String[1], Sensitive[String[1]]]] $masterauth,
+  Optional[Variant[String[1], Sensitive[String[1]]]] $masteruser,
   Boolean                                            $slave_serve_stale_data,
   Boolean                                            $slave_read_only,
   Optional[Stdlib::Host]                             $repl_announce_ip,
@@ -411,6 +412,18 @@ dir <%= $workdir %>
 # masterauth <master-password>
 <% if $masterauth { -%>masterauth <%= $masterauth %><% } -%>
 
+# However this is not enough if you are using Redis ACLs (for Redis version
+# 6 or greater), and the default user is not capable of running the PSYNC
+# command and/or other commands needed for replication. In this case it's
+# better to configure a special user to use with replication, and specify the
+# masteruser configuration as such:
+#
+# masteruser <username>
+<% if $masteruser { -%>masteruser <%= $masteruser %><% } -%>
+#
+# When masteruser is specified, the replica will authenticate against its
+# master using the new AUTH form: AUTH <username> <password>.
+
 # When a slave loses the connection with the master, or when the replication
 # is still in progress, the slave can act in two different ways:
 #