chore: set password on embedded Redis instance #41634

Open
wyattwalter wants to merge 1 commit into release from fix/redis-auth-embedded

Conversation

@wyattwalter
Contributor

@wyattwalter wyattwalter commented Mar 18, 2026

Summary

  • Generate a random password for the embedded Redis at first boot, same pattern as MongoDB/Postgres/Supervisor credentials
  • Backfill existing installs on next container startup (only when Redis URL points to localhost)
  • Write Redis config to a file instead of CLI args to keep the password out of the process list

Test plan

  • Fresh install: verify APPSMITH_REDIS_PASSWORD and updated APPSMITH_REDIS_URL appear in docker.env
  • Fresh install: verify redis-cli without -a <password> is rejected, with password works
  • Existing install: verify password is backfilled and Redis URL is updated on restart
  • Existing install with external Redis URL: verify URL is not modified
  • Verify Redis process list does not show the password

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Security Enhancements
    • Introduced automatic Redis password generation and secure management for local deployment environments.
    • Updated Redis connection strings to include password authentication for embedded Redis instances.
    • Enhanced Redis startup configuration with secure dynamic configuration files, preventing credential exposure in process listings.
    • Added automatic password backfilling for existing configurations to ensure consistent security.

Generate a random password for the embedded Redis when running locally,
following the same pattern used for MongoDB, Postgres, and Supervisor
credentials. Existing installs are backfilled on next startup.

The Redis server config is written to a file rather than passed via CLI
args to keep the password out of the process list.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@wyattwalter wyattwalter requested a review from sharat87 as a code owner March 18, 2026 21:05
@github-actions github-actions bot added the skip-changelog label (adding this label to a PR prevents it from being listed in the changelog) Mar 18, 2026
@coderabbitai
Contributor

coderabbitai bot commented Mar 18, 2026

Walkthrough

Introduces Redis password generation and management for Docker deployments. Generates a password during initial configuration, stores it in environment files, embeds it in Redis connection strings for localhost setups, and creates temporary Redis configuration files with restrictive permissions for local Redis instances.

Changes

Cohort / File(s) | Summary
Redis Password Generation & Configuration (deploy/docker/fs/opt/appsmith/entrypoint.sh, deploy/docker/fs/opt/appsmith/templates/supervisord/redis.conf) | Adds password generation logic during initial setup, a backfill mechanism for existing configs, and updates the Redis supervisor command to use a dynamic config file with the embedded password for localhost Redis.
Environment Variable Updates (deploy/docker/fs/opt/appsmith/templates/docker.env.sh) | Introduces the REDIS_PASSWORD environment variable and updates APPSMITH_REDIS_URL to include the password credentials in the connection string.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🔐 A password blooms for Redis in the night,
Embedded in the Docker's gentle flight,
With secrets safe and localhost held tight,
Configuration secured, permissions right! 🚀

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00%, which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title accurately summarizes the main change: adding password authentication to the embedded Redis instance, which aligns with the core objective of the pull request.
Description check | ✅ Passed | The PR description covers the key changes (password generation, backfill logic, config file approach) with a test plan demonstrating verification of the implementation.


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deploy/docker/fs/opt/appsmith/entrypoint.sh`:
- Around line 115-126: Treat empty APPSMITH_REDIS_PASSWORD as missing and when
backfilling a generated_appsmith_redis_password, preserve the existing
APPSMITH_REDIS_URL host/port/path/query instead of hardcoding 127.0.0.1:6379:
check for APPSMITH_REDIS_PASSWORD being unset or empty, generate
generated_appsmith_redis_password as you already do, append it to the env, then
parse current_redis_url (from the APPSMITH_REDIS_URL line) and inject the
password into that URL by inserting :<generated_appsmith_redis_password>@ after
the scheme (e.g. redis://) while keeping the original host/port/path/query
intact; update the APPSMITH_REDIS_URL line with the modified URL rather than
replacing it with a fixed host.


📥 Commits

Reviewing files that changed from the base of the PR and between 4d07d19 and d5eb57a.

📒 Files selected for processing (3)
  • deploy/docker/fs/opt/appsmith/entrypoint.sh
  • deploy/docker/fs/opt/appsmith/templates/docker.env.sh
  • deploy/docker/fs/opt/appsmith/templates/supervisord/redis.conf

Comment on lines +115 to +126
if ! grep -q "APPSMITH_REDIS_PASSWORD" "$ENV_PATH"; then
local generated_appsmith_redis_password=$(
tr -dc A-Za-z0-9 </dev/urandom | head -c 13
echo ''
)
echo $'\nAPPSMITH_REDIS_PASSWORD='"$generated_appsmith_redis_password" >> "$ENV_PATH"
# Update the Redis URL to include the password, but only for the embedded Redis.
local current_redis_url
current_redis_url=$(grep "^APPSMITH_REDIS_URL=" "$ENV_PATH" | tail -1 | cut -d= -f2-)
if [[ "$current_redis_url" == *"localhost"* || "$current_redis_url" == *"127.0.0.1"* ]]; then
sed -i "s|^APPSMITH_REDIS_URL=.*|APPSMITH_REDIS_URL=redis://:${generated_appsmith_redis_password}@127.0.0.1:6379|" "$ENV_PATH"
fi
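Review bot: the substring match `grep -q "APPSMITH_REDIS_PASSWORD" "$ENV_PATH"` on the first line fires on any line that merely contains that text, including a commented-out entry or an empty `APPSMITH_REDIS_PASSWORD=` line, so the backfill is skipped and the embedded Redis keeps running without a password while the URL carries no credential; anchor the pattern to a non-empty assignment, e.g. `grep -qE '^APPSMITH_REDIS_PASSWORD=.+' "$ENV_PATH"`. The `local generated_appsmith_redis_password=$(...)` form on the second line also masks the exit status of the substitution (the Shellcheck SC2155 warning below), so a failing `tr`/`head` would silently produce an empty password that is then written into docker.env and the URL; declare the variable first and assign on a separate line, and reject an empty result before appending it.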
Contributor


⚠️ Potential issue | 🟠 Major

Preserve existing localhost Redis URL details during backfill.

Line 125 rewrites to a fixed 127.0.0.1:6379 URL, which can break upgrades where local Redis used a custom port/path/query. Also, Line 115 should treat empty APPSMITH_REDIS_PASSWORD as missing.

Proposed fix
-    if ! grep -q "APPSMITH_REDIS_PASSWORD" "$ENV_PATH"; then
+    if ! grep -qE '^APPSMITH_REDIS_PASSWORD=.+$' "$ENV_PATH"; then
       local generated_appsmith_redis_password=$(
         tr -dc A-Za-z0-9 </dev/urandom | head -c 13
         echo ''
       )
       echo $'\nAPPSMITH_REDIS_PASSWORD='"$generated_appsmith_redis_password" >> "$ENV_PATH"
       # Update the Redis URL to include the password, but only for the embedded Redis.
       local current_redis_url
+      local redis_target
       current_redis_url=$(grep "^APPSMITH_REDIS_URL=" "$ENV_PATH" | tail -1 | cut -d= -f2-)
       if [[ "$current_redis_url" == *"localhost"* || "$current_redis_url" == *"127.0.0.1"* ]]; then
-        sed -i "s|^APPSMITH_REDIS_URL=.*|APPSMITH_REDIS_URL=redis://:${generated_appsmith_redis_password}@127.0.0.1:6379|" "$ENV_PATH"
+        redis_target="${current_redis_url#redis://}"  # strip scheme
+        redis_target="${redis_target#*@}"             # strip existing credentials if present
+        sed -i "s|^APPSMITH_REDIS_URL=.*|APPSMITH_REDIS_URL=redis://:${generated_appsmith_redis_password}@${redis_target}|" "$ENV_PATH"
       fi
     fi
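Review bot: the `+` line `redis_target="${current_redis_url#redis://}"` only strips the plain `redis://` scheme; a `rediss://` URL still passes the localhost/127.0.0.1 test two lines above, keeps its scheme inside `redis_target`, and the `sed` then writes `redis://:<password>@rediss://...`. Capture the scheme explicitly (e.g. `scheme="${current_redis_url%%://*}"`) and reuse it in the replacement, or restrict the branch to `redis://`. Separately, the new `grep -qE '^APPSMITH_REDIS_PASSWORD=.+$'` now treats an empty `APPSMITH_REDIS_PASSWORD=` as missing, but the unchanged `echo ... >> "$ENV_PATH"` appends a second key instead of replacing the empty line, leaving two definitions in docker.env; when the key already exists, update it in place with `sed -i`, as the URL update in the same hunk does.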
🧰 Tools
🪛 Shellcheck (0.11.0)

[warning] 116-116: Declare and assign separately to avoid masking return values.

(SC2155)

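As an added example (not Appsmith's entrypoint.sh and not CodeRabbit's suggestion), this is the backfill flow from the PR summary written so that it keeps the existing URL's scheme, host, port, path and query, as the review above asks. The docker.env layout, the `requirepass` directive in the generated config and the `is_embedded_redis` host check are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not Appsmith's entrypoint.sh. Shows the backfill step in a
# form that keeps the existing host, port, path and query of the Redis URL.
set -eu

# Same recipe as the PR: 13 alphanumeric characters from /dev/urandom.
# Alphanumerics need no URL encoding and are safe inside the sed replacement.
generate_redis_password() {
  tr -dc A-Za-z0-9 </dev/urandom | head -c 13
}

# is_embedded_redis URL: true only when the host is the container's own Redis.
is_embedded_redis() {
  host=${1#*://}; host=${host#*@}; host=${host%%[:/?]*}
  [ "$host" = localhost ] || [ "$host" = 127.0.0.1 ]
}

# inject_redis_password URL PASSWORD: prints URL with ":PASSWORD@" inserted
# after the scheme. Existing credentials are replaced; everything else is kept.
inject_redis_password() {
  url=$1; password=$2
  case "$url" in
    redis://*|rediss://*) ;;
    *) echo "unsupported Redis URL scheme: $url" >&2; return 1 ;;
  esac
  scheme=${url%%://*}             # redis or rediss (TLS)
  rest=${url#*://}                # host part plus optional path/query
  authority=${rest%%[/?]*}        # [user:pass@]host[:port]
  suffix=${rest#"$authority"}     # /db?query, possibly empty
  authority=${authority#*@}       # drop any existing user:pass@
  printf '%s://:%s@%s%s\n' "$scheme" "$password" "$authority" "$suffix"
}

# write_redis_conf PATH PASSWORD: a 0600 file keeps the password out of the
# redis-server command line and /proc/<pid>/cmdline. requirepass is assumed.
write_redis_conf() {
  ( umask 077; printf 'bind 127.0.0.1\nport 6379\nrequirepass %s\n' "$2" > "$1" )
}

# backfill_env ENV_FILE: mirrors the PR's flow on a docker.env-style file.
backfill_env() {
  env_file=$1
  grep -qE '^APPSMITH_REDIS_PASSWORD=.+' "$env_file" && return 0
  pw=$(generate_redis_password)
  printf 'APPSMITH_REDIS_PASSWORD=%s\n' "$pw" >> "$env_file"
  url=$(grep '^APPSMITH_REDIS_URL=' "$env_file" | tail -1 | cut -d= -f2-)
  is_embedded_redis "$url" || return 0
  new_url=$(inject_redis_password "$url" "$pw")
  sed -i "s|^APPSMITH_REDIS_URL=.*|APPSMITH_REDIS_URL=${new_url}|" "$env_file"
}
```

Running `backfill_env` against a file that only has `APPSMITH_REDIS_URL=redis://127.0.0.1:6380/1` adds a 13-character password and rewrites the URL to `redis://:<password>@127.0.0.1:6380/1`, leaving an external URL untouched.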

@wyattwalter
Contributor Author

/build-deploy-preview

@github-actions

Deploying Your Preview: https://github.com/appsmithorg/appsmith/actions/runs/23296377431.
Workflow: On demand build Docker image and deploy preview.
skip-tests: . env: .
PR: 41634.
recreate: .
base-image-tag: .

@github-actions

Deploy-Preview-URL: https://ce-41634.dp.appsmith.com
