From 8ec6f51f3564a57d60d80c675f3ece14a5582831 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Steffen=20J=C3=B8rgensen?= Date: Wed, 15 May 2024 13:48:17 +0200 Subject: [PATCH] (#527) Add masteruser parameter Enable setting the masteruser parameter which was introduced in Redis 6+ to be able to connect using the new ACL rules. --- README.md | 10 ++++++++++ manifests/init.pp | 5 ++++- manifests/instance.pp | 6 +++++- spec/classes/redis_spec.rb | 14 ++++++++++++++ templates/redis.conf.epp | 13 +++++++++++++ 5 files changed, 46 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 32e6fa48..bf8d6c78 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,16 @@ class { 'redis': } ``` +With ACL authentication + +```puppet +class { 'redis': + bind => '10.0.1.1', + masterauth => 'secret', + masteruser => 'username', +} +``` + ### Slave node ```puppet diff --git a/manifests/init.pp b/manifests/init.pp index e48ed67c..f19f8d79 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -95,7 +95,9 @@ # @param managed_by_cluster_manager # Choose if redis will be managed by a cluster manager such as pacemaker or rgmanager # @param masterauth -# If the master is password protected (using the "requirepass" configuration +# If the master is password protected (using the "requirepass" configuration) +# @param masteruser +# If the master is password protected and a user is defined (using the "user" configuration) # @param maxclients # Set the max number of connected clients at the same time. # @param maxmemory @@ -392,6 +394,7 @@ Boolean $manage_package = true, Boolean $manage_repo = false, Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masterauth = undef, + Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masteruser = undef, Integer[1] $maxclients = 10000, $maxmemory = undef, Optional[Redis::MemoryPolicy] $maxmemory_policy = undef, diff --git a/manifests/instance.pp b/manifests/instance.pp index 3b18cfca..b8256b87 100644 --- a/manifests/instance.pp 
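Review bot: The new `@param masteruser` description in the first manifests/init.pp hunk is a sentence fragment that never says what the value is or that it is used together with `masterauth`. Wording such as `# ACL user name the replica presents to its master (Redis 6+); masterauth supplies that user's password` would tell an operator which credential goes where. The same text is repeated in the `@param` hunk of manifests/instance.pp. The parameter list these comments document lies outside the hunk.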
+++ b/manifests/instance.pp @@ -74,7 +74,9 @@ # @param manage_service_file # Determine if the systemd service file should be managed # @param masterauth -# If the master is password protected (using the "requirepass" configuration +# If the master is password protected (using the "requirepass" configuration) +# @param masteruser +# If the master is password protected and a user is defined (using the "user" configuration) # @param maxclients # Set the max number of connected clients at the same time. # @param maxmemory @@ -325,6 +327,7 @@ Stdlib::Filemode $log_dir_mode = $redis::log_dir_mode, Redis::LogLevel $log_level = $redis::log_level, Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masterauth = $redis::masterauth, + Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masteruser = $redis::masterauth, Integer[1] $maxclients = $redis::maxclients, Optional[Variant[Integer, String]] $maxmemory = $redis::maxmemory, Optional[Redis::MemoryPolicy] $maxmemory_policy = $redis::maxmemory_policy, @@ -526,6 +529,7 @@ slaveof => $slaveof, replicaof => $replicaof, masterauth => $masterauth, + masteruser => $masteruser, slave_serve_stale_data => $slave_serve_stale_data, slave_read_only => $slave_read_only, repl_announce_ip => $repl_announce_ip, diff --git a/spec/classes/redis_spec.rb b/spec/classes/redis_spec.rb index b0cae74a..fed3e39f 100644 --- a/spec/classes/redis_spec.rb +++ b/spec/classes/redis_spec.rb @@ -523,6 +523,20 @@ class { 'redis': } end + describe 'with parameter masteruser' do + let(:params) do + { + masteruser: '_VALUE_' + } + end + + it { + is_expected.to contain_file(config_file_orig).with( + 'content' => %r{masteruser.*_VALUE_} + ) + } + end + describe 'with parameter maxclients' do let(:params) do { diff --git a/templates/redis.conf.epp b/templates/redis.conf.epp index a14f7060..e9de5a0f 100644 --- a/templates/redis.conf.epp +++ b/templates/redis.conf.epp 
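Review bot: The default for the new parameter in the `@@ -325,6 +327,7 @@` hunk of manifests/instance.pp is `$redis::masterauth`, so an instance that does not set `masteruser` itself inherits the replication password as its user name. If that default is what reaches the template, the secret is written on the `masteruser` line of redis.conf and presented as the user name during AUTH, while the class-level `masteruser` is ignored. The line should read `Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masteruser = $redis::masteruser,`. The parameter list continues outside the hunk.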
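Review bot: The added example in spec/classes/redis_spec.rb matches `%r{masteruser.*_VALUE_}`, which accepts any text around the value on that line. Anchoring it as `'content' => %r{^masteruser _VALUE_$}` would fail when trailing characters are glued to the name or the directive is malformed. A second example that sets only `masterauth` and asserts that no `masteruser` directive is rendered would pin the parameter default in manifests/instance.pp, which the current example does not exercise.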
@@ -23,6 +23,7 @@ Optional[String[1]] $slaveof, Optional[String[1]] $replicaof, Optional[Variant[String[1], Sensitive[String[1]]]] $masterauth, + Optional[Variant[String[1], Sensitive[String[1]]]] $masteruser, Boolean $slave_serve_stale_data, Boolean $slave_read_only, Optional[Stdlib::Host] $repl_announce_ip, @@ -411,6 +412,18 @@ dir <%= $workdir %> # masterauth <% if $masterauth { -%>masterauth <%= $masterauth %><% } -%> +# However this is not enough if you are using Redis ACLs (for Redis version +# 6 or greater), and the default user is not capable of running the PSYNC +# command and/or other commands needed for replication. In this case it's +# better to configure a special user to use with replication, and specify the +# masteruser configuration as such: +# +# masteruser +<% if $masteruser { -%>masteruser <%= $masteruser %><% } -%> +# +# When masteruser is specified, the replica will authenticate against its +# master using the new AUTH form: AUTH . + # When a slave loses the connection with the master, or when the replication # is still in progress, the slave can act in two different ways: #
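Review bot: The `masteruser` line in the second hunk ends in `-%>` and is followed directly by a `#` comment line, so, if the lines are laid out as shown, the trimmed newline glues that `#` onto the rendered value (`masteruser NAME#`). Redis treats `#` as a comment only at the start of a line, so the replica would authenticate with a different user name than the one configured. The `masterauth` line above avoids this only because a blank line appears to follow it. Closing the block with `<% } %>` instead of `<% } -%>`, or adding an empty line after it, keeps the directive on its own line.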