Skip to content

[DX-2178] docs: clarify Redis Sentinel with master password configuration #1124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
buger wants to merge 33 commits into
base: main
Choose a base branch
from
Open

[DX-2178] docs: clarify Redis Sentinel with master password configuration #1124

buger wants to merge 33 commits into from

Conversation

@buger
Copy link
Member

@buger buger commented Dec 5, 2025
edited by github-actions bot
Loading

User description

Summary

  • Add documentation clarifying that when using Redis Sentinel with a password-protected master Redis instance, both the sentinel_password and the master password must be configured
  • Add new section "Configuring Both Sentinel and Master Redis Passwords" with clear explanation
  • Add warning about common misconfiguration scenario
  • Add complete configuration examples for Gateway, Dashboard, and Pump with environment variable reference tables

Related

  • Jira: DX-2178

Test plan

  • Review the new documentation section for accuracy
  • Verify configuration examples are syntactically correct
  • Confirm environment variable names match the actual implementation

🤖 Generated with Claude Code

PR Type

Documentation

Description

  • Add section on dual-password Sentinel setups

  • Provide Gateway, Dashboard, Pump examples

  • Include env var reference tables

  • Add warning about common misconfiguration

Diagram Walkthrough

flowchart LR
  A["Redis Sentinel deployment with auth"] -- "Sentinel auth via sentinel_password" --> B["Tyk connects to Sentinel"]
  B -- "Master address resolved" --> C["Tyk connects to master Redis"]
  C -- "Master auth via password" --> D["Successful Redis connection"]
  B -- "Only sentinel_password set" --> E["Master auth fails"]
Loading

File Walkthrough
Relevant files
Documentation
redis-cluster-sentinel.mdx
Document dual-password Redis Sentinel configuration           

tyk-configuration-reference/redis-cluster-sentinel.mdx

  • Add new section on configuring both passwords
  • Provide JSON examples for Gateway, Dashboard, Pump
  • Add env var tables mapping fields to variables
  • Insert warning about partial configuration failure
 +80/-0   

@buger @claude
[DX-2178] docs: clarify Redis Sentinel with master password configura…
5d775c8 
…tion

Add documentation explaining that when using Redis Sentinel with a
password-protected master Redis instance, both the sentinel_password
and the master password must be configured.

Includes:
- New section "Configuring Both Sentinel and Master Redis Passwords"
- Warning about common misconfiguration
- Complete configuration examples for Gateway, Dashboard, and Pump
- Environment variable reference tables for each component

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@buger buger mentioned this pull request Dec 5, 2025
Draft
3 tasks
@github-actions
Copy link

github-actions bot commented Dec 5, 2025

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Env Var Names

Validate that the documented environment variable names (e.g., TYK_GW_STORAGE_SENTINELPASSWORD, TYK_DB_REDISSENTINELPASSWORD, TYK_PMP_ANALYTICSSTORAGECONFIG_SENTINELPASSWORD) exactly match the implementation; these are easy to get wrong due to naming conventions and prefixes.

 
| Field | Environment Variable | Description |
|-------|---------------------|-------------|
| `sentinel_password` | `TYK_GW_STORAGE_SENTINELPASSWORD` | Password for authenticating with Redis Sentinel nodes |
| `password` | `TYK_GW_STORAGE_PASSWORD` | Password for authenticating with the master Redis instance |

#### Dashboard Configuration Example (with both passwords)

```json
"redis_addrs": [
  "sentinel1:26379",
  "sentinel2:26379",
  "sentinel3:26379"
],
"redis_master_name": "mymaster",
"redis_sentinel_password": "your-sentinel-password",
"redis_password": "your-master-redis-password"
Field Environment Variable Description
redis_sentinel_password TYK_DB_REDISSENTINELPASSWORD Password for authenticating with Redis Sentinel nodes
redis_password TYK_DB_REDISPASSWORD Password for authenticating with the master Redis instance

Pump Configuration Example (with both passwords)

"analytics_storage_config": {
  "type": "redis",
  "addrs": [
    "sentinel1:26379",
    "sentinel2:26379",
    "sentinel3:26379"
  ],
  "master_name": "mymaster",
  "sentinel_password": "your-sentinel-password",
  "username": "",
  "password": "your-master-redis-password",
  "database": 0,
  "optimisation_max_idle": 100,
  "use_ssl": false
}
Field Environment Variable Description
sentinel_password TYK_PMP_ANALYTICSSTORAGECONFIG_SENTINELPASSWORD Password for authenticating with Redis Sentinel nodes
password TYK_PMP_ANALYTICSSTORAGECONFIG_PASSWORD Password for authenticating with the master Redis instance 

</details>

<details><summary><a href='https://github.com/TykTechnologies/tyk-docs/pull/1124/files#diff-a27e6804dd865628c5ae9681fca270e0d2ae83b6be4aa8d2a1f48edc77e156ffR295-R355'><strong>JSON Validity</strong></a>

Confirm the JSON snippets are syntactically valid in the real configs (trailing commas, enclosing braces); some examples appear as fragments and might be copied verbatim by users.
</summary>

```txt
```json
"storage": {
  "type": "redis",
  "addrs": [
    "sentinel1:26379",
    "sentinel2:26379",
    "sentinel3:26379"
  ],
  "master_name": "mymaster",
  "sentinel_password": "your-sentinel-password",
  "username": "",
  "password": "your-master-redis-password",
  "database": 0,
  "optimisation_max_idle": 2000,
  "optimisation_max_active": 4000,
  "use_ssl": false
}
Field Environment Variable Description
sentinel_password TYK_GW_STORAGE_SENTINELPASSWORD Password for authenticating with Redis Sentinel nodes
password TYK_GW_STORAGE_PASSWORD Password for authenticating with the master Redis instance

Dashboard Configuration Example (with both passwords)

"redis_addrs": [
  "sentinel1:26379",
  "sentinel2:26379",
  "sentinel3:26379"
],
"redis_master_name": "mymaster",
"redis_sentinel_password": "your-sentinel-password",
"redis_password": "your-master-redis-password"
Field Environment Variable Description
redis_sentinel_password TYK_DB_REDISSENTINELPASSWORD Password for authenticating with Redis Sentinel nodes
redis_password TYK_DB_REDISPASSWORD Password for authenticating with the master Redis instance

Pump Configuration Example (with both passwords)

"analytics_storage_config": {
  "type": "redis",
  "addrs": [
    "sentinel1:26379",
    "sentinel2:26379",
    "sentinel3:26379"
  ],
  "master_name": "mymaster",
  "sentinel_password": "your-sentinel-password",
  "username": "",
  "password": "your-master-redis-password",
  "database": 0,
  "optimisation_max_idle": 100,
  "use_ssl": false
}

</details>

<details><summary><a href='https://github.com/TykTechnologies/tyk-docs/pull/1124/files#diff-a27e6804dd865628c5ae9681fca270e0d2ae83b6be4aa8d2a1f48edc77e156ffR289-R361'><strong>Security Note</strong></a>

Consider adding a note discouraging hard-coded plaintext passwords in config files and pointing to secret management or environment variables, especially since examples show inline secrets.
</summary>

```txt
<Warning>
If you only configure the `sentinel_password` but your master Redis instance also requires authentication, Tyk will successfully connect to Sentinel but fail to authenticate with the master Redis instance. Make sure to configure both passwords when both are required.
</Warning>

#### Gateway Configuration Example (with both passwords)

```json
"storage": {
  "type": "redis",
  "addrs": [
    "sentinel1:26379",
    "sentinel2:26379",
    "sentinel3:26379"
  ],
  "master_name": "mymaster",
  "sentinel_password": "your-sentinel-password",
  "username": "",
  "password": "your-master-redis-password",
  "database": 0,
  "optimisation_max_idle": 2000,
  "optimisation_max_active": 4000,
  "use_ssl": false
}
Field Environment Variable Description
sentinel_password TYK_GW_STORAGE_SENTINELPASSWORD Password for authenticating with Redis Sentinel nodes
password TYK_GW_STORAGE_PASSWORD Password for authenticating with the master Redis instance

Dashboard Configuration Example (with both passwords)

"redis_addrs": [
  "sentinel1:26379",
  "sentinel2:26379",
  "sentinel3:26379"
],
"redis_master_name": "mymaster",
"redis_sentinel_password": "your-sentinel-password",
"redis_password": "your-master-redis-password"
Field Environment Variable Description
redis_sentinel_password TYK_DB_REDISSENTINELPASSWORD Password for authenticating with Redis Sentinel nodes
redis_password TYK_DB_REDISPASSWORD Password for authenticating with the master Redis instance

Pump Configuration Example (with both passwords)

"analytics_storage_config": {
  "type": "redis",
  "addrs": [
    "sentinel1:26379",
    "sentinel2:26379",
    "sentinel3:26379"
  ],
  "master_name": "mymaster",
  "sentinel_password": "your-sentinel-password",
  "username": "",
  "password": "your-master-redis-password",
  "database": 0,
  "optimisation_max_idle": 100,
  "use_ssl": false
}
Field Environment Variable Description
sentinel_password TYK_PMP_ANALYTICSSTORAGECONFIG_SENTINELPASSWORD Password for authenticating with Redis Sentinel nodes
password TYK_PMP_ANALYTICSSTORAGECONFIG_PASSWORD Password for authenticating with the master Redis instance 

</details>

</td></tr>
</table>

@github-actions
Copy link

github-actions bot commented Dec 5, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

CategorySuggestion                                                                                                                                    Impact
Possible issue
Fix incorrect env var names

Use the correct environment variable names that match existing Tyk configuration
conventions. For Gateway, the storage block env vars are
TYK_GW_STORAGE_SENTINEL_PASSWORD and TYK_GW_STORAGE_PASSWORD. Update the table to
prevent misconfiguration at deploy time.

tyk-configuration-reference/redis-cluster-sentinel.mdx [316-317]

-| `sentinel_password` | `TYK_GW_STORAGE_SENTINELPASSWORD` | Password for authenticating with Redis Sentinel nodes |
+| `sentinel_password` | `TYK_GW_STORAGE_SENTINEL_PASSWORD` | Password for authenticating with Redis Sentinel nodes |
 | `password` | `TYK_GW_STORAGE_PASSWORD` | Password for authenticating with the master Redis instance |
Suggestion importance[1-10]: 3

__

Why: The existing lines at 316-317 match, but the proposed env var TYK_GW_STORAGE_SENTINEL_PASSWORD change is speculative and not grounded in the diff; without evidence of a naming convention change in this PR, it's a low-confidence, minor improvement.

Low
Correct dashboard env var names

Correct Dashboard environment variable names to the snake-case convention used
across docs. Replace with TYK_DB_REDIS_SENTINEL_PASSWORD and TYK_DB_REDIS_PASSWORD
to avoid deployment failures.

tyk-configuration-reference/redis-cluster-sentinel.mdx [334-335]

-| `redis_sentinel_password` | `TYK_DB_REDISSENTINELPASSWORD` | Password for authenticating with Redis Sentinel nodes |
-| `redis_password` | `TYK_DB_REDISPASSWORD` | Password for authenticicating with the master Redis instance |
+| `redis_sentinel_password` | `TYK_DB_REDIS_SENTINEL_PASSWORD` | Password for authenticating with Redis Sentinel nodes |
+| `redis_password` | `TYK_DB_REDIS_PASSWORD` | Password for authenticating with the master Redis instance |
Suggestion importance[1-10]: 2

__

Why: Lines 334-335 match, but the suggestion proposes new snake-case env vars not present in the PR; this is likely incorrect and could mislead users, offering little validated benefit.

Low
Fix Pump env var naming

Align Pump env vars with the established naming convention. Use
TYK_PMP_ANALYTICS_STORAGE_CONFIG_SENTINEL_PASSWORD and
TYK_PMP_ANALYTICS_STORAGE_CONFIG_PASSWORD to match documented keys and prevent
misconfiguration.

tyk-configuration-reference/redis-cluster-sentinel.mdx [359-360]

-| `sentinel_password` | `TYK_PMP_ANALYTICSSTORAGECONFIG_SENTINELPASSWORD` | Password for authenticating with Redis Sentinel nodes |
-| `password` | `TYK_PMP_ANALYTICSSTORAGECONFIG_PASSWORD` | Password for authenticating with the master Redis instance |
+| `sentinel_password` | `TYK_PMP_ANALYTICS_STORAGE_CONFIG_SENTINEL_PASSWORD` | Password for authenticating with Redis Sentinel nodes |
+| `password` | `TYK_PMP_ANALYTICS_STORAGE_CONFIG_PASSWORD` | Password for authenticating with the master Redis instance |
Suggestion importance[1-10]: 2

__

Why: The existing code at 359-360 matches, but renaming env vars to a different convention is unsubstantiated by the PR and risks introducing wrong names; impact is low and likely incorrect.

Low

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Review effort 2/5

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@buger