feat(redis): Secrets credentials via volume mount

util/cache/cache.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"math"
 	"os"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -33,6 +34,8 @@ const (
 	envRedisSentinelPassword = "REDIS_SENTINEL_PASSWORD"
 	// envRedisSentinelUsername is an env variable name which stores redis sentinel username
 	envRedisSentinelUsername = "REDIS_SENTINEL_USERNAME"
+	// envRedisCredsFilePath is an env variable name which stores path to redis credentials file
+	envRedisCredsFilePath = "REDIS_CREDS_FILE_PATH"
 )
 
 const (
@@ -129,6 +132,54 @@ func getFlagVal[T any](cmd *cobra.Command, o Options, name string, getVal func(n
 	}
 }
 
+// loadRedisCreds loads Redis credentials either from file-based mounts or environment variables.
+// If a mount path is provided, Redis credentials are expected to be read only from the mounted files.
+// If no mount path is provided, the function falls back to reading credentials from environment variables.
+func loadRedisCreds(mountPath string, opt Options) (username, password, sentinelUsername, sentinelPassword string) {
+	if mountPath != "" {
+		log.Infof("Loading Redis credentials from file: %s", mountPath)
+		readAuthDetailsFromFile := func(filename string) string {
+			path := filepath.Join(mountPath, filename)
+			data, err := os.ReadFile(path)
+			if errors.Is(err, os.ErrNotExist) {
+				log.Infof("Redis credential file %s not found", path)
+				return ""
+			}
+			if err != nil {
+				log.Warnf("Failed to read Redis credential file %s: %v", path, err)
+				return ""
+			}
+			return strings.TrimSpace(string(data))
+		}
+		password = readAuthDetailsFromFile("auth")
+		username = readAuthDetailsFromFile("auth_username")
+		sentinelUsername = readAuthDetailsFromFile("sentinel_username")
+		sentinelPassword = readAuthDetailsFromFile("sentinel_auth")
+		return username, password, sentinelUsername, sentinelPassword
+	}
+	log.Info("Loading Redis credentials from environment variables")
+	username = os.Getenv(envRedisUsername)
+	password = os.Getenv(envRedisPassword)
+	sentinelUsername = os.Getenv(envRedisSentinelUsername)
+	sentinelPassword = os.Getenv(envRedisSentinelPassword)
+	if opt.FlagPrefix != "" {
+		pref := opt.getEnvPrefix()
+		if val := os.Getenv(pref + envRedisUsername); val != "" {
+			username = val
+		}
+		if val := os.Getenv(pref + envRedisPassword); val != "" {
+			password = val
+		}
+		if val := os.Getenv(pref + envRedisSentinelUsername); val != "" {
+			sentinelUsername = val
+		}
+		if val := os.Getenv(pref + envRedisSentinelPassword); val != "" {
+			sentinelPassword = val
+		}
+	}
+	return username, password, sentinelUsername, sentinelPassword
+}
+
 // AddCacheFlagsToCmd adds flags which control caching to the specified command
 func AddCacheFlagsToCmd(cmd *cobra.Command, opts ...Options) func() (*Cache, error) {
 	redisAddress := ""
@@ -206,25 +257,14 @@ func AddCacheFlagsToCmd(cmd *cobra.Command, opts ...Options) func() (*Cache, err
 				}
 			}
 		}
-		password := os.Getenv(envRedisPassword)
-		username := os.Getenv(envRedisUsername)
-		sentinelUsername := os.Getenv(envRedisSentinelUsername)
-		sentinelPassword := os.Getenv(envRedisSentinelPassword)
+		var password, username, sentinelUsername, sentinelPassword string
+		credsFilePath := os.Getenv(envRedisCredsFilePath)
 		if opt.FlagPrefix != "" {
-			if val := os.Getenv(opt.getEnvPrefix() + envRedisUsername); val != "" {
-				username = val
-			}
-			if val := os.Getenv(opt.getEnvPrefix() + envRedisPassword); val != "" {
-				password = val
-			}
-			if val := os.Getenv(opt.getEnvPrefix() + envRedisSentinelUsername); val != "" {
-				sentinelUsername = val
-			}
-			if val := os.Getenv(opt.getEnvPrefix() + envRedisSentinelPassword); val != "" {
-				sentinelPassword = val
+			if val := os.Getenv(opt.getEnvPrefix() + envRedisCredsFilePath); val != "" {
+				credsFilePath = val
 			}
 		}
-
+		username, password, sentinelUsername, sentinelPassword = loadRedisCreds(credsFilePath, opt)
 		maxRetries := env.ParseNumFromEnv(envRedisRetryCount, defaultRedisRetryCount, 0, math.MaxInt32)
 		compression, err := CompressionTypeFromString(compressionStr)
 		if err != nil {

util/cache/cache_test.go

@@ -1,6 +1,8 @@
 package cache
 
 import (
+	"os"
+	"path/filepath"
 	"testing"
 	"time"
 
@@ -87,3 +89,64 @@ func TestGenerateCacheKey(t *testing.T) {
 	testKey := cache.generateFullKey("testkey")
 	assert.Equal(t, "testkey|"+common.CacheVersion, testKey)
 }
+
+// Test loading Redis credentials from a file
+func TestLoadRedisCreds(t *testing.T) {
+	dir := t.TempDir()
+	// Helper to write a file
+	writeFile := func(name, content string) {
+		require.NoError(t, os.WriteFile(filepath.Join(dir, name), []byte(content), 0o400))
+	}
+	// Write all files
+	writeFile("auth", "mypassword\n")
+	writeFile("auth_username", "myuser")
+	writeFile("sentinel_username", "sentineluser")
+	writeFile("sentinel_auth", "sentinelpass")
+
+	username, password, sentinelUsername, sentinelPassword := loadRedisCreds(dir, Options{})
+	assert.Equal(t, "mypassword", password)
+	assert.Equal(t, "myuser", username)
+	assert.Equal(t, "sentineluser", sentinelUsername)
+	assert.Equal(t, "sentinelpass", sentinelPassword)
+}
+
+// Test loading Redis credentials from environment variables
+func TestLoadRedisCredsFromEnv(t *testing.T) {
+	// Set environment variables
+	t.Setenv(envRedisPassword, "mypassword")
+	t.Setenv(envRedisUsername, "myuser")
+	t.Setenv(envRedisSentinelUsername, "sentineluser")
+	t.Setenv(envRedisSentinelPassword, "sentinelpass")
+
+	username, password, sentinelUsername, sentinelPassword := loadRedisCreds("", Options{})
+	assert.Equal(t, "mypassword", password)
+	assert.Equal(t, "myuser", username)
+	assert.Equal(t, "sentineluser", sentinelUsername)
+	assert.Equal(t, "sentinelpass", sentinelPassword)
+}
+
+// Test loading Redis credentials from both environment variables and a file
+func TestLoadRedisCredsFromBothEnvAndFile(t *testing.T) {
+	// Set environment variables
+	t.Setenv(envRedisPassword, "mypassword")
+	t.Setenv(envRedisUsername, "myuser")
+	t.Setenv(envRedisSentinelUsername, "sentineluser")
+	t.Setenv(envRedisSentinelPassword, "sentinelpass")
+
+	dir := t.TempDir()
+	// Helper to write a file
+	writeFile := func(name, content string) {
+		require.NoError(t, os.WriteFile(filepath.Join(dir, name), []byte(content), 0o400))
+	}
+	// Write all files
+	writeFile("auth", "filepassword\n")
+	writeFile("auth_username", "fileuser")
+	writeFile("sentinel_username", "filesentineluser")
+	writeFile("sentinel_auth", "filesentinelpass")
+
+	username, password, sentinelUsername, sentinelPassword := loadRedisCreds(dir, Options{})
+	assert.Equal(t, "filepassword", password)
+	assert.Equal(t, "fileuser", username)
+	assert.Equal(t, "filesentineluser", sentinelUsername)
+	assert.Equal(t, "filesentinelpass", sentinelPassword)
+}