@lx1036 lx1036 commented Sep 20, 2025

Pull Request Description

In our k8s cluster, when we install components like redis, mysql and so on, a password must be enabled for security.

@gemini-code-assist

Summary of Changes

Hello @lx1036, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the security of the application's Redis integration within the Kubernetes environment. It introduces a robust mechanism to enable and manage Redis passwords via the Helm chart, ensuring that all dependent services can securely authenticate with Redis using credentials stored in a Kubernetes Secret. This change aligns with best practices for securing sensitive data in a production cluster.

Highlights

  • Redis Password Support: Introduced the capability to enable password protection for Redis instances managed by the Helm chart, enhancing security.
  • Deployment Updates: Modified gateway-plugin, gpu-optimizer, and metadata-service deployments to conditionally inject the REDIS_PASSWORD environment variable, sourcing it from a Kubernetes Secret.
  • Redis Container Configuration: Updated the Redis container definition to also conditionally use the REDIS_PASSWORD environment variable, ensuring the Redis server itself enforces password authentication.
  • Secret Management: Added logic to conditionally create a Kubernetes Secret named aibrix-redis to securely store the Redis password when enabled.
  • Helm Chart Values: Added new configuration parameters metadata.redis.enablePassword and metadata.redis.password to values.yaml, allowing users to easily enable and set the Redis password.
  • Resource Path Correction: Corrected the resource path for gateway-plugin deployment from .Values.gatewayPlugin.resources to .Values.gatewayPlugin.container.resources.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a valuable security enhancement by enabling password protection for Redis within the Helm chart. The implementation correctly propagates the Redis password to various components. My review includes suggestions to further improve security by changing how the password is managed in values.yaml and generated in the secret. I've also pointed out a couple of minor issues in the Helm templates to improve maintainability and correctness, such as fixing a cross-component value reference and an indentation error.

Comment on lines 57 to 66
{{- if .Values.metadata.redis.enablePassword }}
apiVersion: v1
kind: Secret
metadata:
name: aibrix-redis
namespace: {{ .Release.Namespace }}
type: Opaque
data:
redis-password: {{ .Values.metadata.redis.password }}
{{- end }}
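
Review bot: on the `redis-password:` line the Secret is always built from `.Values.metadata.redis.password`, which forces the credential into a values file or a `--set` argument, and from there into the stored Helm release. Consider an optional value that names an existing Secret (for example a hypothetical `metadata.redis.existingSecret`) and skipping this template when it is set, so the password can be provisioned outside the chart. The fixed `name: aibrix-redis` would also collide if two releases share a namespace; deriving the name from the release avoids that.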

high

To improve security and user experience, it's better to handle password encoding within the template. This change will take a plaintext password from values.yaml, base64 encode it, and fail the deployment if enablePassword is true but no password is provided. This complements the change I suggested for values.yaml.

{{- if .Values.metadata.redis.enablePassword }}
{{- if not .Values.metadata.redis.password -}}
{{- fail "A password is required when .Values.metadata.redis.enablePassword is true" -}}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: aibrix-redis
  namespace: {{ .Release.Namespace }}
type: Opaque
data:
  redis-password: {{ .Values.metadata.redis.password | b64enc }}
{{- end }}

Comment on lines 169 to 170
enablePassword: false
password: "YTFiMmMz"

high

Storing a default, weak, base64-encoded password in values.yaml is a security risk. It's better to leave this empty and require the user to provide a strong password when enablePassword is set to true. Also, for better user experience, the password should be stored in plaintext in values.yaml and be base64 encoded within the Secret template. I'll leave a corresponding suggestion on dist/chart/templates/metadata-service/redis.yaml.

    enablePassword: false
    # When enablePassword is true, a plaintext password must be provided.
    # It will be Base64 encoded automatically.
    password: ""

Comment on lines 36 to 37
value: "{{ .Values.gatewayPlugin.dependencies.redis.port }}"
{{- if .Values.metadata.redis.enablePassword }}

medium

There are a couple of issues here:

  1. The REDIS_PORT for the GPU optimizer should be sourced from its own configuration section in values.yaml (.Values.gpuOptimizer.dependencies.redis.port) instead of from the gatewayPlugin section. This coupling makes the chart less modular and harder to maintain.
  2. The indentation for the if block on line 37 is incorrect. It should be aligned with the - name: blocks (12 spaces) for consistency and readability.
              value: "{{ .Values.gpuOptimizer.dependencies.redis.port }}"
            {{- if .Values.metadata.redis.enablePassword }}

@lx1036 lx1036 force-pushed the feature/enable-redis-password branch 2 times, most recently from 96b9ffe to 6744184 Compare September 20, 2025 15:01
@googs1025
Collaborator

can you fix the DCO with git commit -s --amend

@googs1025 googs1025 self-assigned this Sep 20, 2025
value: "{{ $val }}"
{{- end }}
resources: {{ toYaml .Values.gatewayPlugin.resources | nindent 12 }}
resources: {{ toYaml .Values.gatewayPlugin.container.resources | nindent 12 }}
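
Review bot: the `resources:` line now reads only `.Values.gatewayPlugin.container.resources`, so any override a user still sets under `gatewayPlugin.resources` is ignored without an error and the pod runs with whatever the new key holds. Consider falling back to the old key when the new one is empty, or calling this out in the release notes, so existing resource limits are not dropped silently on upgrade.
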
Collaborator

good catch. thanks

@googs1025 googs1025 left a comment

This is a good improvement. Thanks.
plz fix DCO. other LGTM

@lx1036 lx1036 force-pushed the feature/enable-redis-password branch from 6744184 to 23bb205 Compare September 21, 2025 08:43

lx1036 commented Sep 21, 2025

> This is a good improvement. Thanks. plz fix DCO. other LGTM

I have fixed the DCO.

@googs1025
Collaborator

final ack for @Jeffwan

@Jeffwan Jeffwan merged commit fd8ddd8 into vllm-project:main Sep 21, 2025
4 checks passed
chethanuk pushed a commit to chethanuk/aibrix that referenced this pull request Sep 22, 2025