@Peter-Sh commented Dec 5, 2025

Experimental proof of concept support for setting password via env

Description

This is a proof-of-concept implementation of env vars for setting the password and showing a warning if an empty password is detected.

  • Provide the ability to set the password using the REDIS_PASSWORD or REDIS_PASSWORD_FILE variables.
    While it's possible to set the password using command line args or configuration files, setting it using env vars is a common and well-known pattern.
  • Use --include with a temporary config snippet if possible to avoid displaying the password in the process list.
    Fall back to --requirepass if tmp is not writable or when starting sentinel (it doesn't support the include arg).
  • Try to detect whether a password is already set (use some "heuristic" to detect whether there is already some security-related configuration) and show a big warning banner about an empty password (which no one would notice, as redis and modules output a lot of startup info into the terminal).

Open questions

  • Allowing only the password and no other config parameters to be set via env is a bit misleading
  • Make redis-cli (and other clients) use passwords from env or file
  • Everything that is marked TODO in debian/docker-entrypoint.sh (a lot of important stuff and edge cases)
  • Update documentation describing env vars and ways to set the password for older versions (using --include)
  • The banner is scrolled off the screen because of a lot of startup logs from redis and modules
  • Set password env variable priority or fail when both are set
  • Add tests

Related issues

#355
#46
#268
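
The password handling described in the pull request above, sketched as an added shell example; it is not the PR's debian/docker-entrypoint.sh. The function names and `REDIS_SNIPPET_DIR` are hypothetical, and failing when both variables are set is an assumption, since the description leaves that question open.

```shell
#!/bin/sh
# Added example; not the PR's debian/docker-entrypoint.sh.
# resolve_password, password_args and REDIS_SNIPPET_DIR are hypothetical names.

# Print the password taken from REDIS_PASSWORD or REDIS_PASSWORD_FILE.
# Assumption: both set is treated as an error (the PR lists this as open).
resolve_password() {
    if [ -n "${REDIS_PASSWORD:-}" ] && [ -n "${REDIS_PASSWORD_FILE:-}" ]; then
        echo "REDIS_PASSWORD and REDIS_PASSWORD_FILE are both set" >&2
        return 2
    fi
    if [ -n "${REDIS_PASSWORD_FILE:-}" ]; then
        [ -r "$REDIS_PASSWORD_FILE" ] || { echo "cannot read password file" >&2; return 1; }
        cat "$REDIS_PASSWORD_FILE"
    else
        printf '%s' "${REDIS_PASSWORD:-}"
    fi
}

# Print the extra redis arguments, one per line. $1 is "server" or "sentinel".
password_args() {
    pw=$(resolve_password) || return $?   # $(...) drops the file's trailing newline
    [ -n "$pw" ] || return 0              # empty: caller decides whether to warn
    dir=${REDIS_SNIPPET_DIR:-${TMPDIR:-/tmp}}
    if [ "$1" != "sentinel" ] &&
       snippet=$(umask 077; mktemp "$dir/redis-pass.XXXXXX" 2>/dev/null); then
        # Escape \ and " so the value survives redis.conf double-quote parsing.
        esc=$(printf '%s' "$pw" | sed 's/\\/\\\\/g; s/"/\\"/g')
        printf 'requirepass "%s"\n' "$esc" > "$snippet"
        printf '%s\n' --include "$snippet"
    else
        # Fallback: the password is visible in the process list.
        printf '%s\n' --requirepass "$pw"
    fi
}
```

The snippet file is left in place for the server to read; removing it after startup is up to the caller.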
