redis_proxy: support multiple passwords (#22024)

When rotating passwords, we need to support multiple passwords for graceful deployment/rollout. This change adds support for multiple passwords in AUTH, for both old auth and new ACL based one. Signed-off-by: Suresh Kumar <sureshkumar.pp@gmail.com> Signed-off-by: Suresh Kumar <suresh.ponnusamy@freshworks.com> Mirrored from https://github.com/envoyproxy/envoy @ 8ef5da2cee7328d24f80aa816aad0f4f22d6f1e0
2 years ago · fb9cfa73fa
parent c460ae3d26
commit fb9cfa73fa
2 changed files with 23 additions and 2 deletions
--- a/envoy/extensions/filters/network/redis_proxy/v3/BUILD
+++ b/envoy/extensions/filters/network/redis_proxy/v3/BUILD
@ -6,6 +6,7 @@ licenses(["notice"])  # Apache 2

 api_proto_package(
    deps = [
+        "//envoy/annotations:pkg",
        "//envoy/config/core/v3:pkg",
        "@com_github_cncf_udpa//udpa/annotations:pkg",
    ],
--- a/envoy/extensions/filters/network/redis_proxy/v3/redis_proxy.proto
+++ b/envoy/extensions/filters/network/redis_proxy/v3/redis_proxy.proto
@ -7,6 +7,7 @@ import "envoy/config/core/v3/base.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";

+import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/status.proto";
@ -23,7 +24,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // Redis Proxy :ref:`configuration overview <config_network_filters_redis_proxy>`.
 // [#extension: envoy.filters.network.redis_proxy]

-// [#next-free-field: 9]
+// [#next-free-field: 10]
 message RedisProxy {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.filter.network.redis_proxy.v2.RedisProxy";
@ -259,7 +260,26 @@ message RedisProxy {
  // password is set, then a "NOAUTH Authentication required." error response will be sent to the
  // client. If an AUTH command is received when the password is not set, then an "ERR Client sent
  // AUTH, but no password is set" error will be returned.
-  config.core.v3.DataSource downstream_auth_password = 6 [(udpa.annotations.sensitive) = true];
+  //
+  // .. attention::
+  //   This field is deprecated. Use :ref:`downstream_auth_passwords
+  //   <envoy_v3_api_field_extensions.filters.network.redis_proxy.v3.RedisProxy.downstream_auth_passwords>`.
+  config.core.v3.DataSource downstream_auth_password = 6 [
+    deprecated = true,
+    (udpa.annotations.sensitive) = true,
+    (envoy.annotations.deprecated_at_minor_version) = "3.0"
+  ];
+
+  // Authenticate Redis client connections locally by forcing downstream clients to issue a `Redis
+  // AUTH command <https://redis.io/commands/auth>`_ with one of these passwords before enabling any other
+  // command. If an AUTH command's password matches one of these passwords, an "OK" response will be returned
+  // to the client. If the AUTH command password does not match, then an "ERR invalid
+  // password" error will be returned. If any other command is received before AUTH when the
+  // password(s) are set, then a "NOAUTH Authentication required." error response will be sent to the
+  // client. If an AUTH command is received when the password is not set, then an "ERR Client sent
+  // AUTH, but no password is set" error will be returned.
+  repeated config.core.v3.DataSource downstream_auth_passwords = 9
+      [(udpa.annotations.sensitive) = true];

  // List of faults to inject. Faults currently come in two flavors:
  // - Delay, which delays a request.