redis_sentinel: Add SSL/TLS, username/ACL, and Redis 7+ replica support #2939

Open
amendez-primer wants to merge 6 commits into DataDog:master from amendez-primer:fix/redis-sentinel-ssl-tls-support

@amendez-primer amendez-primer commented Mar 20, 2026

Summary

Modernizes the Redis Sentinel check to support TLS-enabled deployments, Redis 6+ ACLs, and Redis 7+ command changes.

Fixes #2938, #2395, #1586

Changes

1. SSL/TLS support (#2938)

The check previously created redis.StrictRedis connections without any SSL parameters, making it impossible to connect to TLS-enabled Sentinel instances (e.g. AWS ElastiCache, Azure Cache for Redis).

Added support for: ssl, ssl_certfile, ssl_keyfile, ssl_ca_certs, ssl_cert_reqs — matching the core redisdb integration.

2. Username / ACL support (#2395)

Redis 6+ introduced ACLs requiring a username parameter. Without it, AUTH fails with: AUTH <password> called without any password configured for the default user.

Added sentinel_username instance config option, passed through to StrictRedis(username=...).

3. Redis 7+ REPLICAS command (#1586)

Redis 7 removed the SENTINEL SLAVES subcommand in favor of SENTINEL REPLICAS. The check now uses sentinel_replicas() (redis-py 4.2+) with a fallback to sentinel_slaves() for older Redis versions.

4. Socket timeout

Added socket_timeout config option (default: 5s) to prevent the check from hanging indefinitely on unreachable sentinels.

Files changed

File | Change
redis_sentinel.py | SSL, username, timeout params in _load_config(); _get_sentinel_replicas() helper
conf.yaml.example | Documented all new config options
test_redis_sentinel.py | Tests for SSL, username, timeout config; updated mock for replicas
pyproject.toml | Bumped redis dep from 2.10.5 to >=4.5.0

Example config (Helm)

datadog:
  confd:
    redis_sentinel.yaml: |-
      instances:
        - sentinel_host: sentinel.example.com
          sentinel_port: 26379
          sentinel_username: default
          sentinel_password: secret
          ssl: true
          ssl_ca_certs: /etc/ssl/certs/ca.pem
          ssl_certfile: /etc/ssl/certs/client.pem
          ssl_keyfile: /etc/ssl/certs/client-key.pem
          socket_timeout: 10
          masters:
            - mymaster

Backward compatibility

  • All new options are optional with sensible defaults
  • Without ssl: true, behavior is identical to before
  • _get_sentinel_replicas() falls back to sentinel_slaves() if sentinel_replicas() is unavailable
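
The option mapping and replica fallback described in this pull request, as an added example that is not the code from the PR or from the Datadog repository. The config keys come from the Helm example above and the method names from the description; the function names and the `LegacyClient` stub are hypothetical. It assumes an unset `ssl_cert_reqs` falls through to redis-py's default of `"required"`.

```python
# Added illustration; not the code from this pull request.
DEFAULT_SOCKET_TIMEOUT = 5  # seconds, the default stated in the PR description
SSL_OPTIONS = ("ssl_certfile", "ssl_keyfile", "ssl_ca_certs", "ssl_cert_reqs")


def build_connection_kwargs(instance):
    """Map a redis_sentinel instance dict to redis.StrictRedis keyword arguments."""
    kwargs = {
        "host": instance["sentinel_host"],
        "port": int(instance["sentinel_port"]),
        "socket_timeout": float(instance.get("socket_timeout", DEFAULT_SOCKET_TIMEOUT)),
    }
    # Credentials are passed only when configured, so no-auth setups are unchanged.
    for option, kwarg in (("sentinel_username", "username"), ("sentinel_password", "password")):
        if instance.get(option) is not None:
            kwargs[kwarg] = instance[option]
    # TLS options are forwarded only when ssl is enabled (plain TCP otherwise).
    if instance.get("ssl", False):
        kwargs["ssl"] = True
        kwargs.update({k: instance[k] for k in SSL_OPTIONS if instance.get(k) is not None})
    return kwargs


def tls_warnings(instance):
    """Return review notes for settings that weaken the Sentinel connection."""
    notes = []
    if not instance.get("ssl", False):
        if instance.get("sentinel_password"):
            notes.append("sentinel_password is sent in cleartext without ssl: true")
        return notes
    # A YAML null or the string "none" both disable server certificate checks.
    if str(instance.get("ssl_cert_reqs", "required")).lower() == "none":
        notes.append("ssl_cert_reqs disables server certificate verification")
    return notes


def get_replicas(client, master_name):
    """Prefer sentinel_replicas(); fall back to sentinel_slaves() when it is missing."""
    method = getattr(client, "sentinel_replicas", None) or client.sentinel_slaves
    return method(master_name)


class LegacyClient:  # constructed stub: a client object without sentinel_replicas()
    def sentinel_slaves(self, master_name):
        return [{"name": "10.0.0.2:6379", "master": master_name}]
```

The resulting dictionary can be unpacked into `redis.StrictRedis(**kwargs)`; running `tls_warnings()` over each instance before deployment catches a password sent over plain TCP or a connection that encrypts without authenticating the server.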

Fixes DataDog#2938

The check previously created Redis connections without any SSL/TLS
parameters, making it impossible to connect to TLS-enabled Sentinel
instances. This adds support for ssl, ssl_certfile, ssl_keyfile,
ssl_ca_certs, and ssl_cert_reqs instance config options.
@amendez-primer amendez-primer requested a review from a team as a code owner March 20, 2026 02:34
- Add SSL/TLS connection params (ssl, ssl_certfile, ssl_keyfile,
  ssl_ca_certs, ssl_cert_reqs) to match the core redisdb integration
- Add username param for Redis 6+ ACL support (fixes DataDog#2395)
- Use sentinel_replicas() with fallback to sentinel_slaves() for
  Redis 7+ compatibility (fixes DataDog#1586)
- Add socket_timeout support to prevent hanging on unreachable sentinels

Fixes DataDog#2938, DataDog#2395, DataDog#1586
redis-py 4.2+ adds sentinel_replicas() needed for Redis 7+ compat.
Also requires username param support for Redis 6+ ACLs.
@amendez-primer amendez-primer changed the title redis_sentinel: Add SSL/TLS support for Sentinel connections redis_sentinel: Add SSL/TLS, username/ACL, and Redis 7+ replica support Mar 20, 2026

@lucia-sb lucia-sb left a comment

Hi! Could you run ddev test --fmt to fix the linting failures?
Thanks!!

Run ruff check --fix and ruff format to fix linting failures:
- Add trailing comma after **ssl_kwargs
- Remove extra blank lines between imports
@lucia-sb
@amendez-primer Could you make sure you’re using the latest version of ddev (14.4.0) when running the command? The formatting requirements can sometimes change between versions.

Successfully merging this pull request may close these issues.

redis_sentinel: No SSL/TLS support for Sentinel connections