feat(gateway): Redis Cloud AuthN

.github/styles/base/Dictionary.txt

@@ -935,6 +935,7 @@ Valero
 Valero
 validator
 validators
+Valkey
 vararg
 vc
 viewport

app/_includes/plugins/redis-cloud-auth.md

@@ -0,0 +1,172 @@
+## Using cloud authentication with Redis {% new_in 3.13 %}
+
+Starting in {{site.base_gateway}} 3.13, you can authenticate with a cloud Redis provider for your Redis strategy. This allows you to seamlessly rotate credentials without relying on static passwords. 
+
+The following providers are supported:
+* AWS ElastiCache
+* Azure Managed Redis
+* Google Cloud Memorystore (with or without Valkey)
+
+Each provider also supports an instance and cluster configuration.
+
+{:.warning}
+> **Important:** {{site.base_gateway}} open source plugins do not support any Redis cloud provider cluster configurations.
+
+To configure cloud authentication with Redis, add the following parameters to your plugin configuration:
+
+{% navtabs "providers" %}
+{% navtab "AWS instance" %}
+
+You need a running Redis instance on an [AWS ElastiCache instance](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html) for Valkey 7.2 or later or ElastiCache for Redis OSS version 7.0 or later.
+
+```yaml
+config:
+  storage: redis
+  storage_config:
+    redis:
+      host: $INSTANCE_ADDRESS
+      username: $INSTANCE_USERNAME
+      port: 6379
+      cloud_authentication:
+        auth_provider: aws
+        aws_cache_name: $AWS_CACHE_NAME
+        aws_is_serverless: false
+        aws_region: $AWS_REGION
+        aws_access_key_id: $AWS_ACCESS_KEY_ID
+        aws_secret_access_key: $AWS_ACCESS_SECRET_KEY
+```
+
+Replace the following with your actual values:
+* `$INSTANCE_ADDRESS`: The ElastiCache instance address.
+* `$INSTANCE_USERNAME`: The ElastiCache username with [IAM Auth mode configured](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup).
+* `$AWS_CACHE_NAME`: Name of your AWS ElastiCache instance.
+* `$AWS_REGION`: Your AWS ElastiCache instance region.
+* `$AWS_ACCESS_KEY_ID`: (Optional) Your AWS access key ID. 
+* `$AWS_ACCESS_SECRET_KEY`: (Optional) Your AWS secret access key.
+{% endnavtab %}
+{% navtab "AWS cluster" %}
+
+You need a running Redis instance on an [AWS ElastiCache cluster](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html) for Valkey 7.2 or later or ElastiCache for Redis OSS version 7.0 or later.
+
+```yaml
+config:
+  storage: redis
+  storage_config:
+    redis:
+      cluster_nodes:
+      - ip: $CLUSTER_ADDRESS
+        port: 6379
+      username: $CLUSTER_USERNAME
+      port: 6379
+      cloud_authentication:
+        auth_provider: aws
+        aws_cache_name: $AWS_CACHE_NAME
+        aws_is_serverless: false
+        aws_region: $AWS_REGION 
+        aws_access_key_id: $AWS_ACCESS_KEY_ID
+        aws_secret_access_key: $AWS_ACCESS_SECRET_KEY 
+```
+
+Replace the following with your actual values:
+* `$CLUSTER_ADDRESS`: The ElastiCache cluster address.
+* `$CLUSTER_USERNAME`: The ElastiCache username with [IAM Auth mode configured](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup).
+* `$AWS_CACHE_NAME`: Name of your AWS ElastiCache cluster.
+* `$AWS_REGION`: Your AWS ElastiCache cluster region.
+* `$AWS_ACCESS_KEY_ID`: (Optional) Your AWS access key ID. 
+* `$AWS_ACCESS_SECRET_KEY`: (Optional) Your AWS secret access key.
+{% endnavtab %}
+{% navtab "Azure instance" %}
+
+You need a running Redis instance on an [Azure Managed Redis instance](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication) with Entra authentication configured.
+
+```yaml
+config:
+  storage: redis
+  storage_config:
+    redis:
+      host: $INSTANCE_ADDRESS
+      username: $INSTANCE_USERNAME
+      port: 6379
+      cloud_authentication:
+        auth_provider: azure
+        azure_client_id: $AZURE_CLIENT_ID
+        azure_client_secret: $AZURE_CLIENT_SECRET
+        azure_tenant_id: $AZURE_TENANT_ID
+```
+Replace the following with your actual values:
+* `$INSTANCE_ADDRESS`: The Azure Managed Redis instance address.
+* `$INSTANCE_USERNAME`: The object (principal) ID of the Principal/Identity with essential access.
+* `$AZURE_CLIENT_ID`: The client ID of the Principal/Identity.
+* `$AZURE_CLIENT_SECRET`: (Optional) The client secret of the Principal/Identity. 
+* `$AZURE_TENANT_ID`: (Optional) The tenant ID of the Principal/Identity.
+
+{% endnavtab %}
+{% navtab "Azure cluster" %}
+
+You need a running Redis instance on an [Azure Managed Redis cluster](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication) with Entra authentication configured.
+
+```yaml
+config:
+  storage: redis
+  storage_config:
+    redis:
+      cluster_nodes:
+      - ip: $CLUSTER_ADDRESS
+        port: 6379
+      username: $CLUSTER_USERNAME
+      port: 6379
+      cloud_authentication:
+        auth_provider: azure
+        azure_client_id: $AZURE_CLIENT_ID
+        azure_client_secret: $AZURE_CLIENT_SECRET
+        azure_tenant_id: $AZURE_TENANT_ID
+```
+Replace the following with your actual values:
+* `$CLUSTER_ADDRESS`: The Azure Managed Redis cluster address.
+* `$CLUSTER_USERNAME`: The object (principal) ID of the Principal/Identity with essential access.
+* `$AZURE_CLIENT_ID`: The client ID of the Principal/Identity.
+* `$AZURE_CLIENT_SECRET`: (Optional) The client secret of the Principal/Identity. 
+* `$AZURE_TENANT_ID`: (Optional) The tenant ID of the Principal/Identity.
+
+{% endnavtab %}
+{% navtab "GCP instance" %}
+
+You need a running Redis instance on an [Google Cloud Memorystore instance](https://cloud.google.com/memorystore/docs/cluster/about-iam-auth).
+
+```yaml
+config:
+  storage: redis
+  storage_config:
+    redis:
+      host: $INSTANCE_ADDRESS
+      port: 6379
+      cloud_authentication:
+        auth_provider: gcp
+        gcp_service_account_json: $GCP_SERVICE_ACCOUNT
+```
+Replace the following with your actual values:
+* `$INSTANCE_ADDRESS`: The Memorystore instance address.
+* `$GCP_SERVICE_ACCOUNT`: (Optional) The GCP service account JSON.
+{% endnavtab %}
+{% navtab "GCP cluster" %}
+
+You need a running Redis instance on an [Google Cloud Memorystore cluster](https://cloud.google.com/memorystore/docs/cluster/about-iam-auth).
+
+```yaml
+config:
+  storage: redis
+  storage_config:
+    redis:
+      cluster_nodes:
+      - ip: $CLUSTER_ADDRESS
+        port: 6379 
+      port: 6379
+      cloud_authentication:
+        auth_provider: gcp
+        gcp_service_account_json: $GCP_SERVICE_ACCOUNT
+```
+Replace the following with your actual values:
+* `$CLUSTER_ADDRESS`: The Memorystore cluster address.
+* `$GCP_SERVICE_ACCOUNT`: The GCP service account JSON.
+{% endnavtab %}
+{% endnavtabs %}

app/_kong_plugins/acme/examples/redis-aws-instance.yaml

@@ -0,0 +1,71 @@
+title: ACME with Redis storage and AWS ElastiCache instance auth
+description: |
+  Configure the ACME plugin with Redis as a storage backend using AWS ElastiCache instance auth
+
+weight: 860
+
+requirements:
+- A public IP and a resolvable DNS
+- '{{site.base_gateway}} accepts proxy traffic on port 80'
+- A running Redis instance on an [AWS ElastiCache instance](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html) for Valkey 7.2 or later or Elasticache for Redis OSS version 7.0 or later
+
+config:
+  account_email: ${email}
+  account_key:
+    key_id: ${key_id}
+    key_set: ${key_set}
+  domains:
+    - ${domain}
+  tos_accepted: true
+  storage: redis
+  storage_config:
+    redis:
+      host: ${instance_address}
+      username: ${instance_username}
+      port: 6379
+      cloud_authentication:
+        auth_provider: aws
+        aws_cache_name: ${aws_cache}
+        aws_is_serverless: false
+        aws_region: ${aws_region}
+        aws_access_key_id: ${aws_key_id}
+        aws_secret_access_key: ${aws_secret_key}
+
+variables:
+  email:
+    value: $EMAIL
+    description: The account identifier.
+  key_id:
+    value: $KEY_ID
+    description: The kid of a [Key](/gateway/entities/key/).
+  key_set:
+    value: $KEY_SET
+    description: The name of a [Key Set](/gateway/entities/key-set/) to associate the Key ID with.
+  domain:
+    value: $DOMAIN
+    description: An array of strings representing hosts.
+  instance_address:
+    value: $INSTANCE_ADDRESS
+    description: The ElastiCache instance address.
+  instance_username:
+    value: $INSTANCE_USERNAME
+    description: The ElastiCache username with [IAM Auth mode configured](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth-iam.html#auth-iam-setup).
+  aws_cache:
+    value: $AWS_CACHE_NAME
+    description: Name of your AWS ElastiCache instance.
+  aws_region:
+    value: $AWS_REGION 
+    description: Your AWS Elasticache instance region.
+  aws_key_id:
+    value: $AWS_ACCESS_KEY_ID 
+    description: (Optional) Your AWS access key ID. 
+  aws_secret_key:
+    value: $AWS_ACCESS_SECRET_KEY 
+    description: (Optional) Your AWS secret access key.
+
+tools:
+  - deck
+  - admin-api
+  - konnect-api
+  - kic
+  - terraform

app/_kong_plugins/acme/examples/redis-azure-instance.yaml

@@ -0,0 +1,66 @@
+title: ACME with Redis storage and Azure Managed Redis instance auth
+description: |
+  Configure the ACME plugin with Redis as a storage backend using Azure Managed Redis instance auth
+
+weight: 860
+
+requirements:
+- A public IP and a resolvable DNS
+- '{{site.base_gateway}} accepts proxy traffic on port 80'
+- A running Redis instance on an [Azure Managed Redis instance](https://learn.microsoft.com/en-us/azure/redis/entra-for-authentication) with Entra authentication configured
+
+config:
+  account_email: ${email}
+  account_key:
+    key_id: ${key_id}
+    key_set: ${key_set}
+  domains:
+    - ${domain}
+  tos_accepted: true
+  storage: redis
+  storage_config:
+    redis:
+      host: ${instance_address}
+      username: ${instance_username}
+      port: 6379
+      cloud_authentication:
+        auth_provider: azure
+        azure_client_id: ${azure_client_id}
+        azure_client_secret: ${azure_client_secret}
+        azure_tenant_id: ${azure_tenant_id}
+
+variables:
+  email:
+    value: $EMAIL
+    description: The account identifier.
+  key_id:
+    value: $KEY_ID
+    description: The kid of a [Key](/gateway/entities/key/).
+  key_set:
+    value: $KEY_SET
+    description: The name of a [Key Set](/gateway/entities/key-set/) to associate the Key ID with.
+  domain:
+    value: $DOMAIN
+    description: An array of strings representing hosts.
+  instance_address:
+    value: $INSTANCE_ADDRESS
+    description: The Azure Managed Redis instance address.
+  instance_username:
+    value: $INSTANCE_USERNAME
+    description: The object (principal) ID of the Principal/Identity with essential access.
+  azure_client_id:
+    value: $AZURE_CLIENT_ID
+    description: The client ID of the Principal/Identity. 
+  azure_client_secret:
+    value: $AZURE_CLIENT_SECRET
+    description: (Optional) The client secret of the Principal/Identity.
+  azure_tenant_id:
+    value: $AZURE_TENANT_ID
+    description: (Optional) The tenant ID of the Principal/Identity.
+
+tools:
+  - deck
+  - admin-api
+  - konnect-api
+  - kic
+  - terraform

app/_kong_plugins/acme/examples/redis-gcp-instance.yaml

@@ -0,0 +1,54 @@
+title: ACME with Redis storage and Google Cloud Memorystore instance auth
+description: |
+  Configure the ACME plugin with Redis as a storage backend using Google Cloud Memorystore instance auth
+
+weight: 860
+
+requirements:
+- A public IP and a resolvable DNS
+- '{{site.base_gateway}} accepts proxy traffic on port 80'
+- A running Redis instance on an [Google Cloud Memorystore instance](https://cloud.google.com/memorystore/docs/cluster/about-iam-auth)
+
+config:
+  account_email: ${email}
+  account_key:
+    key_id: ${key_id}
+    key_set: ${key_set}
+  domains:
+    - ${domain}
+  tos_accepted: true
+  storage: redis
+  storage_config:
+    redis:
+      host: ${instance_address}
+      port: 6379
+      cloud_authentication:
+        auth_provider: gcp
+        gcp_service_account_json: ${service_account}
+
+variables:
+  email:
+    value: $EMAIL
+    description: The account identifier.
+  key_id:
+    value: $KEY_ID
+    description: The kid of a [Key](/gateway/entities/key/).
+  key_set:
+    value: $KEY_SET
+    description: The name of a [Key Set](/gateway/entities/key-set/) to associate the Key ID with.
+  domain:
+    value: $DOMAIN
+    description: An array of strings representing hosts.
+  instance_address:
+    value: $INSTANCE_ADDRESS
+    description: The Memorystore instance address.
+  service_account:
+    value: $GCP_SERVICE_ACCOUNT
+    description: The GCP service account JSON.
+
+tools:
+  - deck
+  - admin-api
+  - konnect-api
+  - kic
+  - terraform

app/_kong_plugins/acme/index.md

@@ -221,3 +221,6 @@ You can see what certificates {{site.base_gateway}} is currently is aware of usi
 The ACME plugin supports external account binding (EAB) with the [`config.eab_kid`](/plugins/acme/reference/#schema--config-eab-kid) and [`config.eab_hmac_key`](/plugins/acme/reference/#schema--config-eab-hmac-key) values.
 
 If you're using [ZeroSSL](https://zerossl.com/), the provider's external account can be registered automatically, without specifying the KID or HMAC key.
+
+
+{% include plugins/redis-cloud-auth.md %}

app/_kong_plugins/ai-proxy-advanced/index.md

@@ -230,3 +230,5 @@ For example, load balancers with the following target combinations are supported
 ## Vector databases
 
 {% include_cached /plugins/ai-vector-db.md name=page.name %}
+
+{% include plugins/redis-cloud-auth.md %}

app/_kong_plugins/ai-rag-injector/index.md

@@ -488,4 +488,5 @@ Use the [Admin API](/plugins/ai-rag-injector/api/) to ingest content with metada
   ```bash
   POST /ai-rag-injector/{pluginID}/lookup_chunks
   {"prompt": "...", "collection": "finance-reports", "filters": {...}}
-  ```
+  ```
+{% include plugins/redis-cloud-auth.md %}