feat: support per-tenant Valkey credentials via LOADER_CACHE_REDIS_USERNAME #1165

Open
nicacioliveira wants to merge 1 commit into main from feat/valkey-tenant-acl


@nicacioliveira nicacioliveira commented Apr 9, 2026

Summary

  • Reads LOADER_CACHE_REDIS_USERNAME and passes it as the ioredis username option for ACL-based authentication
  • Applied to all three client constructors: Sentinel, direct URL, and read replica
  • Completely backwards compatible: if the env var is absent, behavior is identical to today

How it works

When the deco operator provisions a site namespace, it creates a valkey-acl Secret injected into the pod with:

  • LOADER_CACHE_REDIS_USERNAME = site name (e.g. minha-loja)
  • LOADER_CACHE_REDIS_PASSWORD = random per-site password

The Valkey ACL for that user is restricted to ~minha-loja:* and ~lock:minha-loja:* — matching exactly the key prefixes already generated by utils.ts via DECO_SITE_NAME.

⚠️ Merge only after operator validation

This PR should be merged and deployed only after:

  1. feat: per-tenant Valkey ACL provisioning decocms/operator#3 is deployed and validated
  2. Valkey auth is enabled in production
  3. ACL provisioning is confirmed working end-to-end

Merging before that is safe (env var absent = no-op), but sites won't actually use per-tenant credentials until the operator is live.

🤖 Generated with Claude Code


Summary by cubic

Adds per-tenant Valkey ACL authentication via LOADER_CACHE_REDIS_USERNAME. If the env var is missing, behavior is unchanged.

  • New Features

    • Sets username on ioredis for Sentinel, direct, and read-replica clients.
  • Migration

    • Merge after decocms/operator#3 is deployed, Valkey auth is enabled, and ACL provisioning is validated.
    • Safe to merge earlier; without the env var this is a no-op.

Written for commit de8d680. Summary will update on new commits.

Summary by CodeRabbit

Release Notes

  • New Features
    • Added support for Redis username-based authentication configuration for enhanced connection security across all connection types.
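
The behaviour this PR describes, as an added example that is not the project's code: the username is attached only when the env var exists, and the ACL key patterns from the description decide which keys a site's user can touch. The function names, the site-name validation rule, the password handling and the sample keys are assumptions made for illustration.

```typescript
// Added example; function names, the validation rule and sample keys are assumptions.
type Env = Record<string, string | undefined>;

// Auth fields for an ioredis client. `username` is set only when
// LOADER_CACHE_REDIS_USERNAME exists, so unmigrated sites connect as before.
function authOptionsFromEnv(env: Env): { username?: string; password?: string } {
  const username = env["LOADER_CACHE_REDIS_USERNAME"];
  const password = env["LOADER_CACHE_REDIS_PASSWORD"];
  return {
    ...(username ? { username } : {}),
    ...(password ? { password } : {}),
  };
}

// Key patterns from the PR description for one site's ACL user.
// Assumed rule: the site name is interpolated into a glob, so it must not
// contain glob metacharacters, and `lock` is reserved because `~lock:*`
// would also cover every other site's `lock:<site>:*` keys.
function aclKeyPatterns(site: string): string[] {
  if (!/^[a-z0-9-]+$/.test(site) || site === "lock") {
    throw new Error(`unsafe site name for ACL pattern: ${site}`);
  }
  return [`~${site}:*`, `~lock:${site}:*`];
}

// Translate a key glob into an anchored RegExp. Only `*` and `?` are
// handled; everything else is matched literally.
function globToRegExp(glob: string): RegExp {
  const body = glob
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, "[\\s\\S]*")
    .replace(/\?/g, "[\\s\\S]");
  return new RegExp(`^${body}$`);
}

// True when `key` falls inside the key space granted to `site`.
function keyAllowed(site: string, key: string): boolean {
  return aclKeyPatterns(site).some((p) => globToRegExp(p.slice(1)).test(key));
}

// Constructed sample keys: own cache, own lock, look-alike prefix, other site's lock.
const sampleKeys = ["minha-loja:loader:abc", "lock:minha-loja:abc",
  "minha-loja2:loader:abc", "lock:outra-loja:abc"];
const visibleKeys = sampleKeys.filter((k) => keyAllowed("minha-loja", k));
console.log(authOptionsFromEnv({}), visibleKeys);
```

The `:` after the site name in each pattern is what keeps `minha-loja2:*` keys out of reach of the `minha-loja` user.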

…ERNAME

Reads LOADER_CACHE_REDIS_USERNAME and passes it as the ioredis username
option for ACL-based authentication. No-op when the env var is absent,
preserving existing behavior for sites not yet migrated.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

github-actions bot commented Apr 9, 2026

Tagging Options

Should a new tag be published when this PR is merged?

  • 👍 for Patch 1.195.2 update
  • 🎉 for Minor 1.196.0 update
  • 🚀 for Major 2.0.0 update

coderabbitai bot commented Apr 9, 2026

Walkthrough

Add support for Redis username authentication by introducing LOADER_CACHE_REDIS_USERNAME environment variable and conditionally including it in Redis client configurations for both standard and read-only connections.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Redis Authentication: runtime/caches/redis.ts | Adds conditional username parameter support to Redis client initialization in both createRedisClient() and createReadRedisClient() functions, sourced from the new LOADER_CACHE_REDIS_USERNAME environment variable. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested reviewers

  • guitavano
  • hugo-ccabral

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding support for per-tenant Valkey credentials through a new environment variable. It directly reflects the primary modification made to the Redis client initialization logic. |

@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
runtime/caches/redis.ts (1)

10-155: ⚠️ Potential issue | 🟡 Minor

CI is failing on formatting; run deno fmt for this file before merge.

The current diff is functionally fine, but formatting must be fixed to satisfy the pipeline gate.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@runtime/caches/redis.ts` around lines 10 - 155, The file's formatting is out
of date; run the Deno formatter to normalize whitespace and line breaks across
functions like activeCodec, ensureZstd, _compress, and _decompress and their
imports/const blocks. Fix by running `deno fmt` (or your editor's Deno format
command) on this file, then commit the formatted changes so the CI formatting
check passes. Ensure no other semantic changes are made.
📥 Commits

Reviewing files that changed from the base of the PR and between c7dbfc6 and de8d680.

📒 Files selected for processing (1)
  • runtime/caches/redis.ts

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 1 file
