Reapply Redis password (#7599)

This PR addresses the previous issue by changing the container entrypoint and providing the password from an environment variable.

* Revert "Revert redis password change (#7518)"

This reverts commit 6a9540c.

* checkout eventhubns.module.bicep and eventhubs aspire-manifest.json

* Set password from envs

* Add redis-command in single arg instead of multiple args

* Update playground manifest

* Address PR feedback

* Respond to PR feedback

* Change Redis password generation to exclude special characters.

SE.Redis doesn't support commas in the password when parsing the connection string.

* Fix ACA bug with HostAndPort

* Always display the port for HostAndPort

Fix #3838

---------

Co-authored-by: Eric Erhardt <[email protected]>

Author: Alirexaa

playground/AzureContainerApps/AzureContainerApps.AppHost/api.module.bicep

@@ -5,6 +5,9 @@ param api_containerport string
 
 param storage_outputs_blobendpoint string
 
+@secure()
+param cache_password_value string
+
 param account_outputs_connectionstring string
 
 @secure()
@@ -30,6 +33,10 @@ resource api 'Microsoft.App/containerApps@2024-03-01' = {
   properties: {
     configuration: {
       secrets: [
+        {
+          name: 'connectionstrings--cache'
+          value: 'cache:6379,password=${cache_password_value}'
+        }
         {
           name: 'value'
           value: secretparam_value
@@ -88,7 +95,7 @@ resource api 'Microsoft.App/containerApps@2024-03-01' = {
             }
             {
               name: 'ConnectionStrings__cache'
-              value: 'cache:6379'
+              secretRef: 'connectionstrings--cache'
             }
             {
               name: 'ConnectionStrings__account'

playground/AzureContainerApps/AzureContainerApps.AppHost/aspire-manifest.json

@@ -31,22 +31,23 @@
     },
     "cache": {
       "type": "container.v1",
-      "connectionString": "{cache.bindings.tcp.host}:{cache.bindings.tcp.port}",
+      "connectionString": "{cache.bindings.tcp.host}:{cache.bindings.tcp.port},password={cache-password.value}",
       "image": "docker.io/library/redis:7.4",
       "deployment": {
         "type": "azure.bicep.v0",
         "path": "cache.module.bicep",
         "params": {
           "cache_volumes_0_storage": "{cache.volumes.0.storage}",
+          "cache_password_value": "{cache-password.value}",
           "outputs_azure_container_registry_managed_identity_id": "{.outputs.AZURE_CONTAINER_REGISTRY_MANAGED_IDENTITY_ID}",
           "outputs_managed_identity_client_id": "{.outputs.MANAGED_IDENTITY_CLIENT_ID}",
           "outputs_azure_container_apps_environment_id": "{.outputs.AZURE_CONTAINER_APPS_ENVIRONMENT_ID}"
         }
       },
+      "entrypoint": "/bin/sh",
       "args": [
-        "--save",
-        "60",
-        "1"
+        "-c",
+        "redis-server --requirepass $REDIS_PASSWORD --save 60 1"
       ],
       "volumes": [
         {
@@ -55,6 +56,9 @@
           "readOnly": false
         }
       ],
+      "env": {
+        "REDIS_PASSWORD": "{cache-password.value}"
+      },
       "bindings": {
         "tcp": {
           "scheme": "tcp",
@@ -116,6 +120,7 @@
         "params": {
           "api_containerport": "{api.containerPort}",
           "storage_outputs_blobendpoint": "{storage.outputs.blobEndpoint}",
+          "cache_password_value": "{cache-password.value}",
           "account_outputs_connectionstring": "{account.outputs.connectionString}",
           "secretparam_value": "{secretparam.value}",
           "outputs_azure_container_registry_managed_identity_id": "{.outputs.AZURE_CONTAINER_REGISTRY_MANAGED_IDENTITY_ID}",
@@ -152,6 +157,22 @@
           "external": true
         }
       }
+    },
+    "cache-password": {
+      "type": "parameter.v0",
+      "value": "{cache-password.inputs.value}",
+      "inputs": {
+        "value": {
+          "type": "string",
+          "secret": true,
+          "default": {
+            "generate": {
+              "minLength": 22,
+              "special": false
+            }
+          }
+        }
+      }
     }
   }
 }

playground/AzureContainerApps/AzureContainerApps.AppHost/cache.module.bicep

@@ -3,6 +3,9 @@ param location string = resourceGroup().location
 
 param cache_volumes_0_storage string
 
+@secure()
+param cache_password_value string
+
 param outputs_azure_container_registry_managed_identity_id string
 
 param outputs_managed_identity_client_id string
@@ -14,6 +17,12 @@ resource cache 'Microsoft.App/containerApps@2024-03-01' = {
   location: location
   properties: {
     configuration: {
+      secrets: [
+        {
+          name: 'redis-password'
+          value: cache_password_value
+        }
+      ]
       activeRevisionsMode: 'Single'
       ingress: {
         external: false
@@ -27,12 +36,18 @@ resource cache 'Microsoft.App/containerApps@2024-03-01' = {
         {
           image: 'docker.io/library/redis:7.4'
           name: 'cache'
+          command: [
+            '/bin/sh'
+          ]
           args: [
-            '--save'
-            '60'
-            '1'
+            '-c'
+            'redis-server --requirepass \$REDIS_PASSWORD --save 60 1'
           ]
           env: [
+            {
+              name: 'REDIS_PASSWORD'
+              secretRef: 'redis-password'
+            }
             {
               name: 'AZURE_CLIENT_ID'
               value: outputs_managed_identity_client_id

playground/ProxylessEndToEnd/ProxylessEndToEnd.AppHost/aspire-manifest.json

@@ -3,8 +3,16 @@
   "resources": {
     "redis": {
       "type": "container.v0",
-      "connectionString": "{redis.bindings.tcp.host}:{redis.bindings.tcp.port}",
+      "connectionString": "{redis.bindings.tcp.host}:{redis.bindings.tcp.port},password={redis-password.value}",
       "image": "docker.io/library/redis:7.4",
+      "entrypoint": "/bin/sh",
+      "args": [
+        "-c",
+        "redis-server --requirepass $REDIS_PASSWORD"
+      ],
+      "env": {
+        "REDIS_PASSWORD": "{redis-password.value}"
+      },
       "bindings": {
         "tcp": {
           "scheme": "tcp",
@@ -59,6 +67,22 @@
           "port": 13456
         }
       }
+    },
+    "redis-password": {
+      "type": "parameter.v0",
+      "value": "{redis-password.inputs.value}",
+      "inputs": {
+        "value": {
+          "type": "string",
+          "secret": true,
+          "default": {
+            "generate": {
+              "minLength": 22,
+              "special": false
+            }
+          }
+        }
+      }
     }
   }
 }

playground/Redis/Redis.AppHost/Program.cs

@@ -12,6 +12,7 @@
     .WithDataVolume("valkey-data");
 
 builder.AddProject<Projects.Redis_ApiService>("apiservice")
+    .WithExternalHttpEndpoints()
     .WithReference(redis).WaitFor(redis)
     .WithReference(garnet).WaitFor(garnet)
     .WithReference(valkey).WaitFor(valkey);

playground/Redis/Redis.AppHost/aspire-manifest.json

@@ -3,12 +3,12 @@
   "resources": {
     "redis": {
       "type": "container.v0",
-      "connectionString": "{redis.bindings.tcp.host}:{redis.bindings.tcp.port}",
+      "connectionString": "{redis.bindings.tcp.host}:{redis.bindings.tcp.port},password={redis-password.value}",
       "image": "docker.io/library/redis:7.4",
+      "entrypoint": "/bin/sh",
       "args": [
-        "--save",
-        "60",
-        "1"
+        "-c",
+        "redis-server --requirepass $REDIS_PASSWORD --save 60 1"
       ],
       "volumes": [
         {
@@ -17,6 +17,9 @@
           "readOnly": false
         }
       ],
+      "env": {
+        "REDIS_PASSWORD": "{redis-password.value}"
+      },
       "bindings": {
         "tcp": {
           "scheme": "tcp",
@@ -96,12 +99,30 @@
         "http": {
           "scheme": "http",
           "protocol": "tcp",
-          "transport": "http"
+          "transport": "http",
+          "external": true
         },
         "https": {
           "scheme": "https",
           "protocol": "tcp",
-          "transport": "http"
+          "transport": "http",
+          "external": true
+        }
+      }
+    },
+    "redis-password": {
+      "type": "parameter.v0",
+      "value": "{redis-password.inputs.value}",
+      "inputs": {
+        "value": {
+          "type": "string",
+          "secret": true,
+          "default": {
+            "generate": {
+              "minLength": 22,
+              "special": false
+            }
+          }
         }
       }
     }

playground/TestShop/TestShop.AppHost/aspire-manifest.json

@@ -33,12 +33,12 @@
     },
     "basketcache": {
       "type": "container.v0",
-      "connectionString": "{basketcache.bindings.tcp.host}:{basketcache.bindings.tcp.port}",
+      "connectionString": "{basketcache.bindings.tcp.host}:{basketcache.bindings.tcp.port},password={basketcache-password.value}",
       "image": "docker.io/library/redis:7.4",
+      "entrypoint": "/bin/sh",
       "args": [
-        "--save",
-        "60",
-        "1"
+        "-c",
+        "redis-server --requirepass $REDIS_PASSWORD --save 60 1"
       ],
       "volumes": [
         {
@@ -47,6 +47,9 @@
           "readOnly": false
         }
       ],
+      "env": {
+        "REDIS_PASSWORD": "{basketcache-password.value}"
+      },
       "bindings": {
         "tcp": {
           "scheme": "tcp",
@@ -240,6 +243,22 @@
         }
       }
     },
+    "basketcache-password": {
+      "type": "parameter.v0",
+      "value": "{basketcache-password.inputs.value}",
+      "inputs": {
+        "value": {
+          "type": "string",
+          "secret": true,
+          "default": {
+            "generate": {
+              "minLength": 22,
+              "special": false
+            }
+          }
+        }
+      }
+    },
     "messaging-password": {
       "type": "parameter.v0",
       "value": "{messaging-password.inputs.value}",

src/Aspire.Hosting.Azure.AppContainers/AzureContainerAppsInfrastructure.cs

@@ -608,6 +608,7 @@ BicepValue<string> GetHostValue(string? prefix = null, string? suffix = null)
                     EndpointProperty.Url => GetHostValue($"{scheme}://", suffix: isHttpIngress ? null : $":{port}"),
                     EndpointProperty.Host or EndpointProperty.IPV4Host => GetHostValue(),
                     EndpointProperty.Port => port.ToString(CultureInfo.InvariantCulture),
+                    EndpointProperty.HostAndPort => GetHostValue(suffix: $":{port}"),
                     EndpointProperty.TargetPort => targetPort is null ? AllocateContainerPortParameter() : targetPort,
                     EndpointProperty.Scheme => scheme,
                     _ => throw new NotSupportedException(),