fix: apply TLS and auth config to Redis Sentinel connections (#1015)

* fix: apply TLS and auth config to Redis Sentinel connections

When using Redis Sentinel with TLS enabled, the client was failing
to connect to Sentinel nodes because the TLS configuration was not
being applied to the SentinelConnFunc. This caused "SSL wrong version
number" errors and connection resets.

This fix adds a sentinelDialFunc that properly applies:
- TLS configuration (when REDIS_TLS=true)
- Authentication settings (when REDIS_AUTH is set)
- Connection timeout settings

The fix mirrors the approach used for the main Redis connection
dial function, ensuring consistent configuration across both
Sentinel and data node connections.

Fixes connection to Redis Sentinel over TLS.
Signed-off-by: Stefan Kolesnikowicz <stefan@sandnetworks.com>
Signed-off-by: stekole <stefan@sandnetworks.com>

* fix: apply TLS and auth config to Redis Sentinel connections

When using Redis Sentinel with TLS enabled, the client was failing
to connect to Sentinel nodes because the TLS configuration was not
being applied to the SentinelConnFunc. This caused "SSL wrong version
number" errors and connection resets.

This fix adds a sentinelDialFunc that properly applies:
- TLS configuration (when REDIS_TLS=true)
- Authentication settings (when REDIS_AUTH is set)
- Connection timeout settings

The fix mirrors the approach used for the main Redis connection
dial function, ensuring consistent configuration across both
Sentinel and data node connections.

Fixes connection to Redis Sentinel over TLS.
Signed-off-by: Stefan Kolesnikowicz <stefan@sandnetworks.com>
Signed-off-by: stekole <stefan@sandnetworks.com>

* fix: apply TLS and auth config to Redis Sentinel connections

When using Redis Sentinel with TLS enabled, the client was failing
to connect to Sentinel nodes because the TLS configuration was not
being applied to the SentinelConnFunc. This caused "SSL wrong version
number" errors and connection resets.

This fix adds a sentinelDialFunc that properly applies:
- TLS configuration (when REDIS_TLS=true)
- Authentication settings (when REDIS_AUTH is set)
- Connection timeout settings

The fix mirrors the approach used for the main Redis connection
dial function, ensuring consistent configuration across both
Sentinel and data node connections.

Fixes connection to Redis Sentinel over TLS.
Signed-off-by: Stefan Kolesnikowicz <stefan@sandnetworks.com>
Signed-off-by: stekole <stefan@sandnetworks.com>

---------

Signed-off-by: Stefan Kolesnikowicz <stefan@sandnetworks.com>
Signed-off-by: stekole <stefan@sandnetworks.com>

Author: stekole

.gitignore

@@ -1,6 +1,7 @@
 cover.out
 
 bin/
+env/
 .idea/
 .vscode/
 vendor

README.md

@@ -1253,8 +1253,9 @@ As well Ratelimit supports TLS connections and authentication. These can be conf
 1. `REDIS_TLS` & `REDIS_PERSECOND_TLS`: set to `"true"` to enable a TLS connection for the specific connection type.
 1. `REDIS_TLS_CLIENT_CERT`, `REDIS_TLS_CLIENT_KEY`, and `REDIS_TLS_CACERT` to provides files to specify a TLS connection configuration to Redis server that requires client certificate verification. (This is effective when `REDIS_TLS` or `REDIS_PERSECOND_TLS` is set to to `"true"`).
 1. `REDIS_TLS_SKIP_HOSTNAME_VERIFICATION` set to `"true"` will skip hostname verification in environments where the certificate has an invalid hostname, such as GCP Memorystore.
-1. `REDIS_AUTH` & `REDIS_PERSECOND_AUTH`: set to `"password"` to enable password-only authentication to the redis host.
-1. `REDIS_AUTH` & `REDIS_PERSECOND_AUTH`: set to `"username:password"` to enable username-password authentication to the redis host.
+1. `REDIS_AUTH` & `REDIS_PERSECOND_AUTH`: set to `"password"` to enable password-only authentication to the Redis master/replica nodes.
+1. `REDIS_AUTH` & `REDIS_PERSECOND_AUTH`: set to `"username:password"` to enable username-password authentication to the Redis master/replica nodes.
+1. `REDIS_SENTINEL_AUTH` & `REDIS_PERSECOND_SENTINEL_AUTH`: set to `"password"` or `"username:password"` to enable authentication to Redis Sentinel nodes. This is separate from `REDIS_AUTH`/`REDIS_PERSECOND_AUTH` which authenticate to the Redis master/replica nodes. Only used when `REDIS_TYPE` or `REDIS_PERSECOND_TYPE` is set to `"sentinel"`. If not set, no authentication will be attempted when connecting to Sentinel nodes.
 1. `CACHE_KEY_PREFIX`: a string to prepend to all cache keys
 
 For controlling the behavior of cache key incrementation when any of them is already over the limit, you can use the following configuration:

src/redis/cache_impl.go

@@ -19,13 +19,13 @@ func NewRateLimiterCacheImplFromSettings(s settings.Settings, localCache *freeca
 	if s.RedisPerSecond {
 		perSecondPool = NewClientImpl(srv.Scope().Scope("redis_per_second_pool"), s.RedisPerSecondTls, s.RedisPerSecondAuth, s.RedisPerSecondSocketType,
 			s.RedisPerSecondType, s.RedisPerSecondUrl, s.RedisPerSecondPoolSize, s.RedisPerSecondPipelineWindow, s.RedisPerSecondPipelineLimit, s.RedisTlsConfig, s.RedisHealthCheckActiveConnection, srv, s.RedisPerSecondTimeout,
-			s.RedisPerSecondPoolOnEmptyBehavior, s.RedisPerSecondPoolOnEmptyWaitDuration)
+			s.RedisPerSecondPoolOnEmptyBehavior, s.RedisPerSecondPoolOnEmptyWaitDuration, s.RedisPerSecondSentinelAuth)
 		closer.Closers = append(closer.Closers, perSecondPool)
 	}
 
 	otherPool := NewClientImpl(srv.Scope().Scope("redis_pool"), s.RedisTls, s.RedisAuth, s.RedisSocketType, s.RedisType, s.RedisUrl, s.RedisPoolSize,
 		s.RedisPipelineWindow, s.RedisPipelineLimit, s.RedisTlsConfig, s.RedisHealthCheckActiveConnection, srv, s.RedisTimeout,
-		s.RedisPoolOnEmptyBehavior, s.RedisPoolOnEmptyWaitDuration)
+		s.RedisPoolOnEmptyBehavior, s.RedisPoolOnEmptyWaitDuration, s.RedisSentinelAuth)
 	closer.Closers = append(closer.Closers, otherPool)
 
 	return NewFixedRateLimitCacheImpl(

src/redis/driver_impl.go

@@ -72,7 +72,7 @@ func checkError(err error) {
 
 func NewClientImpl(scope stats.Scope, useTls bool, auth, redisSocketType, redisType, url string, poolSize int,
 	pipelineWindow time.Duration, pipelineLimit int, tlsConfig *tls.Config, healthCheckActiveConnection bool, srv server.Server,
-	timeout time.Duration, poolOnEmptyBehavior string, poolOnEmptyWaitDuration time.Duration,
+	timeout time.Duration, poolOnEmptyBehavior string, poolOnEmptyWaitDuration time.Duration, sentinelAuth string,
 ) Client {
 	maskedUrl := utils.MaskCredentialsInUrl(url)
 	logger.Warnf("connecting to redis on %s with pool size %d", maskedUrl, poolSize)
@@ -148,7 +148,29 @@ func NewClientImpl(scope stats.Scope, useTls bool, auth, redisSocketType, redisT
 		if len(urls) < 2 {
 			panic(RedisError("Expected master name and a list of urls for the sentinels, in the format: <redis master name>,<sentinel1>,...,<sentineln>"))
 		}
-		client, err = radix.NewSentinel(urls[0], urls[1:], radix.SentinelPoolFunc(poolFunc))
+		sentinelDialFunc := func(network, addr string) (radix.Conn, error) {
+			var dialOpts []radix.DialOpt
+			// Always set the dial timeout consistent with the main dial func
+			dialOpts = append(dialOpts, radix.DialTimeout(timeout))
+			if useTls {
+				logger.Warnf("enabling TLS to redis sentinel on %s", addr)
+				dialOpts = append(dialOpts, radix.DialUseTLS(tlsConfig))
+			}
+			// Use sentinelAuth for authenticating to Sentinel nodes, not auth
+			// auth is used for Redis master/replica authentication
+			if sentinelAuth != "" {
+				user, pass, found := strings.Cut(sentinelAuth, ":")
+				if found {
+					logger.Warnf("enabling authentication to redis sentinel on %s with user %s", addr, user)
+					dialOpts = append(dialOpts, radix.DialAuthUser(user, pass))
+				} else {
+					logger.Warnf("enabling authentication to redis sentinel on %s without user", addr)
+					dialOpts = append(dialOpts, radix.DialAuthPass(sentinelAuth))
+				}
+			}
+			return radix.Dial(network, addr, dialOpts...)
+		}
+		client, err = radix.NewSentinel(urls[0], urls[1:], radix.SentinelConnFunc(sentinelDialFunc), radix.SentinelPoolFunc(poolFunc))
 	default:
 		panic(RedisError("Unrecognized redis type " + redisType))
 	}

src/redis/fixed_cache_impl.go

@@ -42,7 +42,8 @@ func pipelineAppendtoGet(client Client, pipeline *Pipeline, key string, result *
 }
 
 func (this *fixedRateLimitCacheImpl) getHitsAddend(hitsAddend uint64, isCacheKeyOverlimit, isCacheKeyNearlimit,
-	isNearLimt bool) uint64 {
+	isNearLimt bool,
+) uint64 {
 	// If stopCacheKeyIncrementWhenOverlimit is false, then we always increment the cache key.
 	if !this.stopCacheKeyIncrementWhenOverlimit {
 		return hitsAddend

src/settings/settings.go

@@ -151,6 +151,14 @@ type Settings struct {
 	RedisPerSecondPoolSize   int    `envconfig:"REDIS_PERSECOND_POOL_SIZE" default:"10"`
 	RedisPerSecondAuth       string `envconfig:"REDIS_PERSECOND_AUTH" default:""`
 	RedisPerSecondTls        bool   `envconfig:"REDIS_PERSECOND_TLS" default:"false"`
+	// RedisSentinelAuth is the password for authenticating to Redis Sentinel nodes (not the Redis master/replica).
+	// This is separate from RedisAuth which is used for authenticating to the Redis master/replica nodes.
+	// If empty, no authentication will be attempted when connecting to Sentinel nodes.
+	RedisSentinelAuth string `envconfig:"REDIS_SENTINEL_AUTH" default:""`
+	// RedisPerSecondSentinelAuth is the password for authenticating to per-second Redis Sentinel nodes.
+	// This is separate from RedisPerSecondAuth which is used for authenticating to the Redis master/replica nodes.
+	// If empty, no authentication will be attempted when connecting to per-second Sentinel nodes.
+	RedisPerSecondSentinelAuth string `envconfig:"REDIS_PERSECOND_SENTINEL_AUTH" default:""`
 	// RedisPerSecondPipelineWindow sets the duration after which internal pipelines will be flushed for per second redis.
 	// See comments of RedisPipelineWindow for details.
 	RedisPerSecondPipelineWindow time.Duration `envconfig:"REDIS_PERSECOND_PIPELINE_WINDOW" default:"0"`

test/common/common.go

@@ -74,7 +74,8 @@ func NewRateLimitRequest(domain string, descriptors [][][2]string, hitsAddend ui
 }
 
 func NewRateLimitRequestWithPerDescriptorHitsAddend(domain string, descriptors [][][2]string,
-	hitsAddends []uint64) *pb.RateLimitRequest {
+	hitsAddends []uint64,
+) *pb.RateLimitRequest {
 	request := NewRateLimitRequest(domain, descriptors, 1)
 	for i, hitsAddend := range hitsAddends {
 		request.Descriptors[i].HitsAddend = &wrapperspb.UInt64Value{Value: hitsAddend}

test/redis/bench_test.go

@@ -44,7 +44,7 @@ func BenchmarkParallelDoLimit(b *testing.B) {
 		return func(b *testing.B) {
 			statsStore := gostats.NewStore(gostats.NewNullSink(), false)
 			sm := stats.NewMockStatManager(statsStore)
-			client := redis.NewClientImpl(statsStore, false, "", "tcp", "single", "127.0.0.1:6379", poolSize, pipelineWindow, pipelineLimit, nil, false, nil, 10*time.Second, "", 0)
+			client := redis.NewClientImpl(statsStore, false, "", "tcp", "single", "127.0.0.1:6379", poolSize, pipelineWindow, pipelineLimit, nil, false, nil, 10*time.Second, "", 0, "")
 			defer client.Close()
 
 			cache := redis.NewFixedRateLimitCacheImpl(client, nil, utils.NewTimeSourceImpl(), rand.New(utils.NewLockedSource(time.Now().Unix())), 10, nil, 0.8, "", sm, true)

test/redis/driver_impl_test.go

@@ -2,6 +2,7 @@ package redis_test
 
 import (
 	"fmt"
+	"strings"
 	"testing"
 	"time"
 
@@ -38,7 +39,7 @@ func testNewClientImpl(t *testing.T, pipelineWindow time.Duration, pipelineLimit
 		statsStore := stats.NewStore(stats.NewNullSink(), false)
 
 		mkRedisClient := func(auth, addr string) redis.Client {
-			return redis.NewClientImpl(statsStore, false, auth, "tcp", "single", addr, 1, pipelineWindow, pipelineLimit, nil, false, nil, 10*time.Second, "", 0)
+			return redis.NewClientImpl(statsStore, false, auth, "tcp", "single", addr, 1, pipelineWindow, pipelineLimit, nil, false, nil, 10*time.Second, "", 0, "")
 		}
 
 		t.Run("connection refused", func(t *testing.T) {
@@ -131,7 +132,7 @@ func TestDoCmd(t *testing.T) {
 	statsStore := stats.NewStore(stats.NewNullSink(), false)
 
 	mkRedisClient := func(addr string) redis.Client {
-		return redis.NewClientImpl(statsStore, false, "", "tcp", "single", addr, 1, 0, 0, nil, false, nil, 10*time.Second, "", 0)
+		return redis.NewClientImpl(statsStore, false, "", "tcp", "single", addr, 1, 0, 0, nil, false, nil, 10*time.Second, "", 0, "")
 	}
 
 	t.Run("SETGET ok", func(t *testing.T) {
@@ -176,7 +177,7 @@ func testPipeDo(t *testing.T, pipelineWindow time.Duration, pipelineLimit int) f
 		statsStore := stats.NewStore(stats.NewNullSink(), false)
 
 		mkRedisClient := func(addr string) redis.Client {
-			return redis.NewClientImpl(statsStore, false, "", "tcp", "single", addr, 1, pipelineWindow, pipelineLimit, nil, false, nil, 10*time.Second, "", 0)
+			return redis.NewClientImpl(statsStore, false, "", "tcp", "single", addr, 1, pipelineWindow, pipelineLimit, nil, false, nil, 10*time.Second, "", 0, "")
 		}
 
 		t.Run("SETGET ok", func(t *testing.T) {
@@ -238,7 +239,7 @@ func TestPoolOnEmptyBehavior(t *testing.T) {
 
 	// Helper to create client with specific on-empty behavior
 	mkRedisClientWithBehavior := func(addr, behavior string, waitDuration time.Duration) redis.Client {
-		return redis.NewClientImpl(statsStore, false, "", "tcp", "single", addr, 1, 0, 0, nil, false, nil, 10*time.Second, behavior, waitDuration)
+		return redis.NewClientImpl(statsStore, false, "", "tcp", "single", addr, 1, 0, 0, nil, false, nil, 10*time.Second, behavior, waitDuration, "")
 	}
 
 	t.Run("default behavior (empty string)", func(t *testing.T) {
@@ -379,3 +380,151 @@ func TestPoolOnEmptyBehavior(t *testing.T) {
 		assert.Equal(t, "value7", res)
 	})
 }
+
+func TestNewClientImplSentinel(t *testing.T) {
+	statsStore := stats.NewStore(stats.NewNullSink(), false)
+
+	mkSentinelClient := func(auth, sentinelAuth, url string, useTls bool, timeout time.Duration) redis.Client {
+		// Pass nil for tlsConfig - we can't test TLS without a real TLS server,
+		// but we can verify the code path is executed (logs will show TLS is enabled)
+		return redis.NewClientImpl(statsStore, useTls, auth, "tcp", "sentinel", url, 1, 0, 0, nil, false, nil, timeout, "", 0, sentinelAuth)
+	}
+
+	t.Run("invalid url format - missing sentinel addresses", func(t *testing.T) {
+		panicErr := expectPanicError(t, func() {
+			mkSentinelClient("", "", "mymaster", false, 10*time.Second)
+		})
+		assert.Contains(t, panicErr.Error(), "Expected master name and a list of urls for the sentinels")
+	})
+
+	t.Run("invalid url format - only master name", func(t *testing.T) {
+		panicErr := expectPanicError(t, func() {
+			mkSentinelClient("", "", "mymaster,", false, 10*time.Second)
+		})
+		// Empty sentinel address causes "missing address" error from radix
+		assert.True(t,
+			containsAny(panicErr.Error(), []string{"Expected master name", "missing address"}),
+			"Expected format validation error, got: %s", panicErr.Error())
+	})
+
+	t.Run("connection refused - sentinel not available", func(t *testing.T) {
+		// Use a port that's unlikely to have a sentinel running
+		url := "mymaster,localhost:12345"
+		panicErr := expectPanicError(t, func() {
+			mkSentinelClient("", "", url, false, 1*time.Second)
+		})
+		// Should fail with connection error or timeout
+		assert.NotNil(t, panicErr)
+		assert.True(t,
+			containsAny(panicErr.Error(), []string{"connection refused", "timeout", "no such host", "connect"}),
+			"Expected connection error, got: %s", panicErr.Error())
+	})
+
+	t.Run("sentinel auth password only", func(t *testing.T) {
+		// This will fail to connect, but we're testing that sentinelAuth parameter is accepted
+		// The log output will show "enabling authentication to redis sentinel" which confirms the code path
+		url := "mymaster,localhost:12345"
+		panicErr := expectPanicError(t, func() {
+			mkSentinelClient("", "sentinel-password", url, false, 1*time.Second)
+		})
+		// Should fail with connection error, not auth error (since we can't connect)
+		assert.NotNil(t, panicErr)
+		assert.True(t,
+			containsAny(panicErr.Error(), []string{"connection refused", "timeout", "no such host", "connect"}),
+			"Expected connection error, got: %s", panicErr.Error())
+	})
+
+	t.Run("sentinel auth user:password", func(t *testing.T) {
+		// This will fail to connect, but we're testing that sentinelAuth parameter with user:password format is accepted
+		// The log output will show "enabling authentication to redis sentinel on ... with user sentinel-user"
+		url := "mymaster,localhost:12345"
+		panicErr := expectPanicError(t, func() {
+			mkSentinelClient("", "sentinel-user:sentinel-pass", url, false, 1*time.Second)
+		})
+		// Should fail with connection error, not auth error (since we can't connect)
+		assert.NotNil(t, panicErr)
+		assert.True(t,
+			containsAny(panicErr.Error(), []string{"connection refused", "timeout", "no such host", "connect"}),
+			"Expected connection error, got: %s", panicErr.Error())
+	})
+
+	t.Run("sentinel with timeout", func(t *testing.T) {
+		// Test that timeout parameter is used
+		url := "mymaster,localhost:12345"
+		start := time.Now()
+		panicErr := expectPanicError(t, func() {
+			mkSentinelClient("", "", url, false, 500*time.Millisecond)
+		})
+		duration := time.Since(start)
+		assert.NotNil(t, panicErr)
+		// Timeout should be respected (with some tolerance)
+		assert.True(t, duration < 2*time.Second, "Timeout should be respected, took %v", duration)
+	})
+
+	t.Run("sentinel with multiple addresses", func(t *testing.T) {
+		// Test that multiple sentinel addresses are accepted in URL format
+		url := "mymaster,localhost:12345,localhost:12346,localhost:12347"
+		panicErr := expectPanicError(t, func() {
+			mkSentinelClient("", "", url, false, 1*time.Second)
+		})
+		// Should fail with connection error, not format error
+		assert.NotNil(t, panicErr)
+		assert.NotContains(t, panicErr.Error(), "Expected master name")
+		assert.True(t,
+			containsAny(panicErr.Error(), []string{"connection refused", "timeout", "no such host", "connect"}),
+			"Expected connection error, got: %s", panicErr.Error())
+	})
+
+	t.Run("sentinel with redis auth but no sentinel auth", func(t *testing.T) {
+		// Test that redis auth and sentinel auth are separate
+		// redisAuth is for master/replica, sentinelAuth is for sentinel nodes
+		url := "mymaster,localhost:12345"
+		panicErr := expectPanicError(t, func() {
+			mkSentinelClient("redis-password", "", url, false, 1*time.Second)
+		})
+		// Should fail with connection error (can't test auth without real sentinel)
+		assert.NotNil(t, panicErr)
+		assert.True(t,
+			containsAny(panicErr.Error(), []string{"connection refused", "timeout", "no such host", "connect"}),
+			"Expected connection error, got: %s", panicErr.Error())
+	})
+
+	t.Run("sentinel with TLS enabled", func(t *testing.T) {
+		// Test that TLS configuration is accepted (will fail to connect without real TLS server)
+		// The log output will show "enabling TLS to redis sentinel" which confirms the code path
+		url := "mymaster,localhost:12345"
+		panicErr := expectPanicError(t, func() {
+			mkSentinelClient("", "", url, true, 1*time.Second)
+		})
+		// Should fail with connection/TLS error (can't test TLS without real TLS server)
+		assert.NotNil(t, panicErr)
+		// Error could be connection refused, TLS handshake failure, or timeout
+		assert.True(t,
+			containsAny(panicErr.Error(), []string{"connection refused", "timeout", "no such host", "connect", "tls", "handshake"}),
+			"Expected connection/TLS error, got: %s", panicErr.Error())
+	})
+
+	t.Run("sentinel with TLS and sentinel auth", func(t *testing.T) {
+		// Test that both TLS and sentinel auth can be configured together
+		// The log output will show both TLS and auth messages
+		url := "mymaster,localhost:12345"
+		panicErr := expectPanicError(t, func() {
+			mkSentinelClient("redis-password", "sentinel-password", url, true, 1*time.Second)
+		})
+		// Should fail with connection/TLS error (can't test without real servers)
+		assert.NotNil(t, panicErr)
+		assert.True(t,
+			containsAny(panicErr.Error(), []string{"connection refused", "timeout", "no such host", "connect", "tls", "handshake"}),
+			"Expected connection/TLS error, got: %s", panicErr.Error())
+	})
+}
+
+// Helper function to check if error message contains any of the given strings
+func containsAny(s string, substrs []string) bool {
+	for _, substr := range substrs {
+		if strings.Contains(strings.ToLower(s), strings.ToLower(substr)) {
+			return true
+		}
+	}
+	return false
+}