Share ssl_* options with the Sentinel daemon connections on TLS URLs#445
Open
fatih-acar wants to merge 1 commit into
Open
Share ssl_* options with the Sentinel daemon connections on TLS URLs#445fatih-acar wants to merge 1 commit into
fatih-acar wants to merge 1 commit into
Conversation
The funneled ssl_* query options previously reached only the data-node connections, so a private CA passed as ?ssl_ca_certs= (or ?ssl_cert_reqs=none for unverified setups) left every Sentinel daemon connection verifying against the system trust store; discovery failed with MasterNotFoundError before a master could ever be resolved. On rediss+sentinel:// URLs the daemon connections now reuse the URL's ssl_* options, so one CA covers the whole topology. Plaintext daemons are unaffected. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR shares the funneled
ssl_*connection options with the Sentinel daemon connections onrediss+sentinel://URLs, so a single private CA covers the whole topology.Problem
parse_sentinel_urlfunnels the remaining query parameters through redis-py'sparse_urland applies them to the data-node connections only;sentinel_kwargscarries justsentinel_username/sentinel_passwordand the scheme-derivedssl=True. That means on a TLS topology with a private or self-signed CA:?ssl_ca_certs=/etc/redis/ca.pemconfigures the master connections, but every connection to a Sentinel daemon still verifies against the system trust store withssl_cert_reqs="required";MasterNotFoundErrorbefore a data connection is ever attempted — there is no way to make a private-CArediss+sentinel://URL work at all (the same applies to?ssl_cert_reqs=nonefor deliberately unverified setups).Reproduced against a real TLS Sentinel topology in Docker (master + 2 replicas + 3 Sentinels on TLS-only ports,
tls-replication yes, self-signed CA): every variant failed withMasterNotFoundError, with the daemon connection reprs showingssl_ca_certs=None, ssl_cert_reqs=required.Fix
When the scheme is
rediss+sentinel, the daemon connections now reuse the URL's funneledssl_*options (ssl_ca_certs,ssl_cert_reqs,ssl_check_hostname, ...). Plaintextredis+sentinel://URLs are unaffected —ssl_*options keep applying to the data nodes only, like any other redis-py option.With the fix, the same Docker topology passes end to end: CA-verified discovery and reads/writes, the
?ssl_cert_reqs=none&ssl_check_hostname=falseunverified variant, rejection when the CA is omitted (negative control), and a master SIGKILL failover under TLS (~3s, client follows the promotion).Notes
prefect-redis, whose Sentinel parser deliberately mirrors this module, hit exactly this in review testing and applied the same fix in Add Redis Sentinel support to prefect-redis PrefectHQ/prefect#22377 — this PR keeps the two convergent.pytest tests/test_sentinel_urls.py(34 passed) andprek run(ruff, pyright, loq) are green.🤖 Generated with Claude Code