Please implement secret for password

[schklom]

The title should be explicit enough: for security reasons, it would be better to use a secret.
Secrets don't require docker swarm, so why not allow this ?

A docker-compose would look like this:

version: "3.8"

services:
  redis:
    image: redis
    environment:
      REDIS_PASS_FILE: /run/secrets/redis_password
    secrets:
      - redis_password
    volumes:
      - /path_to_redis/redis:/data

secrets:
  redis_password:
    file: /path_to_secrets/redis_pass

A current hacky workaround is detailed here.

[tianon]

As mentioned in #46 (comment), I think the best solution here would be an "ACL file" (https://redis.io/topics/acl#using-an-external-acl-file) as a secret.

If you don't want to use ACLs and want instead to use the older requirepass functionality, I'd suggest putting your whole configuration file in a secret as the most secure way to implement this that doesn't end up with the secret in command-line arguments or an environment variable.

Either way, this isn't something we plan to implement additional behavior in the Docker image for, so if the provided solutions and workarounds are not sufficient for your use case, I'd suggest making a case upstream for Redis itself to include more file-related functionality.

[schklom]

Ok, too bad
Thanks for the detailed explanation :)

[ahgraber]

Any instruction on how to use ACL as a secret?

1. how do we set the password for default user in ACL and what are standard permissions?
2. how do we pass the ACL as a secret?
3. how do we tell redis to look for ACL in /run/secrets?

EDIT: I think I figured it out

users.acl:

user default on >SOME_STRONG_PASSWORD ~* &* +@all 

redis.conf (note: incomplete; these are just the modifications I found were required):

...
bind REDIS_CONTAINER_NAME
...
aclfile /run/secrets/ACL_SECRET_NAME
...

docker-compose.yml

secrets:
  ACL_SECRET_NAME:
    - ./users.acl

services:
  redis:
    image: redis:alpine
    container_name: redis
    secrets:
      - ACL_SECRET_NAME
    command: redis-server /usr/local/etc/redis/redis.conf
    volumes:
      - ./redis.conf:/usr/local/etc/redis/redis.conf