Support authentication and SSL for redis sentinel

This change allows enabling SSL and/or authentication for redis sentinel. Previously both of these were possible for only redis, and connections to redis sentinel servers were not protected. (cherry picked from commit 20e5964)
gnocchixyz · Aug 20, 2024 · 42c6045 · 42c6045
1 parent 0873cdf
commit 42c6045
Showing 1 changed file with 24 additions and 8 deletions.
diff --git a/gnocchi/common/redis.py b/gnocchi/common/redis.py
@@ -45,6 +45,9 @@
     'ssl_ca_certs',
     'sentinel',
     'sentinel_fallback',
+    'sentinel_username',
+    'sentinel_password',
+    'sentinel_ssl'
 ])
 """
 """
@@ -59,6 +62,7 @@
     'retry_on_timeout',
     'socket_keepalive',
     'ssl',
+    'sentinel_ssl'
 ])
 
 #: Client arguments that are expected to be int convertible.
@@ -167,19 +171,31 @@ def get_client(conf, scripts=None):
     if 'sentinel' in kwargs:
         sentinel_hosts = [
             _parse_sentinel(fallback)
-            for fallback in kwargs.get('sentinel_fallback', [])
+            for fallback in kwargs.pop('sentinel_fallback', [])
         ]
-        sentinel_hosts.insert(0, (kwargs['host'], kwargs['port']))
+        sentinel_hosts.insert(0, (kwargs.pop('host'), kwargs.pop('port')))
+        sentinel_name = kwargs.pop('sentinel')
+        sentinel_kwargs = {}
+        # NOTE(tkajinam): Copy socket_* options, according to the logic
+        # in redis-py
+        for key in kwargs:
+            if key.startswith('socket_'):
+                sentinel_kwargs[key] = kwargs[key]
+        if kwargs.pop('sentinel_ssl', False):
+            sentinel_kwargs['ssl'] = True
+            for key in ('ssl_certfile', 'ssl_keyfile', 'ssl_cafile'):
+                if key in kwargs:
+                    sentinel_kwargs[key] = kwargs[key]
+        for key in ('username', 'password'):
+            if 'sentinel_' + key in kwargs:
+                sentinel_kwargs[key] = kwargs.pop('sentinel_' + key)
         sentinel_server = sentinel.Sentinel(
             sentinel_hosts,
-            socket_timeout=kwargs.get('socket_timeout'))
-        sentinel_name = kwargs['sentinel']
-        del kwargs['sentinel']
-        if 'sentinel_fallback' in kwargs:
-            del kwargs['sentinel_fallback']
+            sentinel_kwargs=sentinel_kwargs,
+            **kwargs)
         # The client is a redis.StrictRedis using a
         # Sentinel managed connection pool.
-        client = sentinel_server.master_for(sentinel_name, **kwargs)
+        client = sentinel_server.master_for(sentinel_name)
     else:
         client = redis.StrictRedis(**kwargs)