support requirepass redis sentinel

[ORuteMa]

In my deployment, I am using a celery worker with Redis Sentinel configured as a broker, with both Redis and Sentinel having password authentication enabled. To configure the password in sentinel_kwargs, I encountered an error when I added it to the celery_broker_transport_options section. However, I was able to resolve the issue by using conf.getjson() to load the sentinel_kwargs configuration, and it now works without any issues.

Closes: #28010

[boring-cyborg]

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst)
Here are some useful points:

• Pay attention to the quality of your code (ruff, mypy and type annotations). Our pre-commits will help you with that.
• In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example DAG that shows how users should use it.
• Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
• Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
• Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
• Be sure to read the Airflow Coding style.
  Apache Airflow is a community-driven project and together we are making it better 🚀.
  In case of doubts contact the developers at:
  Mailing List: dev@airflow.apache.org
  Slack: https://s.apache.org/airflow-slack

[potiuk]

This is cool, this issue was raised by a few users.

@jonathanjuursema @dintorf @TomYork1986 - you were involved in related
#28010
#19510

Can you please help the community and verify if the fix solves the problems you raised?

That would boost our confidence up that we can merge this one.

[jonathanjuursema]

Most certainly! I'll try to make some time for this today, otherwise I'll block some time to test this in our organization next week! :)

[potiuk]

Most certainly! I'll try to make some time for this today, otherwise I'll block some time to test this in our organization next week! :)

Would be cool. I would hold on with merging that one then - but mark it for 2.6 so that we will come back to it (BTW. @ORuteMa can you please fix the static checks ?

[ORuteMa]

Most certainly! I'll try to make some time for this today, otherwise I'll block some time to test this in our organization next week! :)

Would be cool. I would hold on with merging that one then - but mark it for 2.6 so that we will come back to it (BTW. @ORuteMa can you please fix the static checks ?

Of course I can, I will fix it soon. After installing the pre-commit tool on my local machine, I encountered some network issues and couldn't finish the checks :(

[potiuk]

Approved the CI run now 🤞

[jonathanjuursema]

Hey!

I've set aside some time today to work on this, but I could not finish a test. We're deploying Airflow using the Docker container, and as far as I can tell this has not been built into an image yet. So I've used our current pipeline to build an image off of this branch, and use that image as the base for our own image.

I've also tried to look into how, using the changes in this PR, I'm supposed to correctly configure Redis Sentinel. In my original issue (comment link) I've talked over a few ways which I thought might work (leaning on some stuff I found externally as well).

Having said that, the test environment in our organisation is now up to date and I have that image built off of this branch. If you can tell me what the syntax is for configuring Sentinel I should be able to give it a go relatively quickly. In our case, the following apply:

• 3 sentinels (identified by hostname)
• 3 masters (identified by "master-name" via the sentinels)
• sentinels and masters require TLS (internal cert, so disabling SSL verification is ok, I'll figure out that later)
• sentinels are unauthenticated
• masters are protected by a password
• default user, database ID 0

We deploy everything in containers and use environment variables for configuration.

Hoping to hear from you!

[ORuteMa]

Hey!

I've set aside some time today to work on this, but I could not finish a test. We're deploying Airflow using the Docker container, and as far as I can tell this has not been built into an image yet. So I've used our current pipeline to build an image off of this branch, and use that image as the base for our own image.

I've also tried to look into how, using the changes in this PR, I'm supposed to correctly configure Redis Sentinel. In my original issue (comment link) I've talked over a few ways which I thought might work (leaning on some stuff I found externally as well).

Having said that, the test environment in our organisation is now up to date and I have that image built off of this branch. If you can tell me what the syntax is for configuring Sentinel I should be able to give it a go relatively quickly. In our case, the following apply:

• 3 sentinels (identified by hostname)
• 3 masters (identified by "master-name" via the sentinels)
• sentinels and masters require TLS (internal cert, so disabling SSL verification is ok, I'll figure out that later)
• sentinels are unauthenticated
• masters are protected by a password
• default user, database ID 0

We deploy everything in containers and use environment variables for configuration.

Hoping to hear from you!

Hi! Thanks for your work. I will share my config below. @jonathanjuursema

In my case, I configured the broker_url in the following format to include 3 authenticated sentinels: sentinel://:${authPass}@${host1}:${port};sentinel://:${authPass}@${host2}:${port};sentinel://:${authPass}@${host3}:${port}. I have kept celery_ssl_active as False and configured sentinel_kwargs={"password": "{master_password}"} in the [celery_broker_transport_options] section because my master is authenticated.

Regarding sentinel with TLS, I think it is supported, and you can find more details from celery/celery#6647. Therefore, in my PR, I have changed line 85 to support the URL of the sentinel:// prefix with SSL.

If you have the time, could you please test whether the sentinel works properly when SSL is enabled? My Redis deployment is only protected by a password, so I would like to ensure that the SSL configuration is functional.

[potiuk]

@jonathanjuursema - did you manage it to work? The build is green, but I am hesitating to merge that one, as I am not sure if this is general enough. Possibly also adding documentation describing how to use it (based on your experience and maybe with @ORuteMa review and help could alleviate some of the concerns? I am afraid in the current form it is a bit too difficult to discover how to do.

Would it be possible to add such docs (@ORuteMa and @jonathanjuursema maybe you can join forces on that one ?).

[jonathanjuursema]

Hey! I'm very sorry for not updating here. Unfortunately we have shifted priorities a while back. I was able to squeeze in some time for the previous quick test, but I haven't had sufficient time to dive into this again so far.

It's not worth much, but I still have this on my todo list to pick up whenever things calm down. Having said that, our org wants wants me to focus on other things for the time being - so I wouldn't wait for me. :( I'm sorry I can't be of more help at this moment.

[ORuteMa]

@jonathanjuursema - did you manage it to work? The build is green, but I am hesitating to merge that one, as I am not sure if this is general enough. Possibly also adding documentation describing how to use it (based on your experience and maybe with @ORuteMa review and help could alleviate some of the concerns? I am afraid in the current form it is a bit too difficult to discover how to do.

Would it be possible to add such docs (@ORuteMa and @jonathanjuursema maybe you can join forces on that one ?).

Maybe I should add some docs to describe sentinel_kwargs config item in [celery_broker_transport_options] section. It will be soon.

[potiuk]

Maybe I should add some docs to describe sentinel_kwargs config item in [celery_broker_transport_options] section. It will be soon.

Thank you. I will mark it as "Require changes" just to not merge it accidentally before.

[potiuk]

Waiting for some docs describing the new featture.

[ORuteMa]

@potiuk I have added some docs to describe sentinel_kwargs, I am not sure if version_added is appropriate. Thanks for your time~

[potiuk]

@potiuk I have added some docs to describe sentinel_kwargs, I am not sure if version_added is appropriate. Thanks for your time~

It should be 2.7.0 - we do not add features in patchlevel versions.

Also - one small request, can you mention that Redis sentinel is supported in https://airflow.apache.org/docs/apache-airflow/stable/core-concepts/executor/celery.html and maybe add an example configuration for it there? That's what I was looking for as "discoverabiliyt" by having just parameter decribing kwargs, it's not obvious that sentinel is supported and if we describe it in celery docs with example it might be much easier for people to find out

[ORuteMa]

@potiuk I have added some docs to describe sentinel_kwargs, I am not sure if version_added is appropriate. Thanks for your time~

It should be 2.7.0 - we do not add features in patchlevel versions.

Also - one small request, can you mention that Redis sentinel is supported in https://airflow.apache.org/docs/apache-airflow/stable/core-concepts/executor/celery.html and maybe add an example configuration for it there? That's what I was looking for as "discoverabiliyt" by having just parameter decribing kwargs, it's not obvious that sentinel is supported and if we describe it in celery docs with example it might be much easier for people to find out

Sure. I will add a example for sentinel.

[ORuteMa]

@potiuk Hi there,
I noticed that there might be some issues with the Providers tests, but I don't think my PR is related to them. Would it be possible for you to run the tests again to confirm?

Thank you for your time and help, and please let me know if there's anything I can do to assist.

[potiuk]

You should add them description in config.yml -> this is the source of truth for this defailt config but also it is used to generate documentation automatically, so the comment you added here, should be added in config.yml and then pre-commit should automatically add it above and you should not need to add it manually here.

[ORuteMa]

Actually, I don't add it manually. When I make modifications in config.yml and do a git commit, the pre-commit hook prevents my merge request and automatically generates this content in my git stage. Only after that, I can successfully commit without any pre-commit issues.

[potiuk]

The pre-commit prevents you doing it and modifes it and ask you to commit the changes it has done when it add.
You need to:

1. add changes to ,yml
2. commit and let pre-commit add it to the config
3. add the generated config changes it to the staging
4. commit again

[potiuk]

Ah ... stupid me. yes you re right! I missed that it is example generated from the other part. Sorry for the confusion.

[potiuk]

@potiuk Hi there, I noticed that there might be some issues with the Providers tests, but I don't think my PR is related to them. Would it be possible for you to run the tests again to confirm?

Yes. It's a problem with latest botocore which we are handling separately (it affecst a subset of prs that are changing common files like config,yml for example, so you are unlucky, but you should not bother, we can merge it even if we won't fix it in main.

[boring-cyborg]

Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions.