add username for redis connection (#496)

* add redis_username parameter

* rebase

* add docuementation

* Update pyproject.toml version

* Update unit coverage badge

---------

Co-authored-by: Alessandro Mosca <a.mosca@octo.com>
Co-authored-by: GitHub Actions <actions@github.com>
Co-authored-by: moscaale <moscaale@users.noreply.github.com>

Author: 3 people

.github/badges/coverage-unit.json

@@ -1 +1 @@
-{"schemaVersion":1,"label":"unit coverage","message":"58.96%","color":"red"}
+{"schemaVersion":1,"label":"unit coverage","message":"58.95%","color":"red"}

Makefile

@@ -90,7 +90,7 @@ help:
 	done
 	@$(MAKE) .banner
 	@printf "┌─────────────────────────────────────────────────────────────────────────────────────────┐\n"
-	@printf "│                                   \033[1m🐳 Docker services\033[0m                                    │\n"
+	@printf "│                                   \033[1m🐳 Docker services\033[0m                                     │\n"
 	@printf "├─────────────────────────────────────────────────────────────────────────────────────────┤\n"
 	@printf "\n"
 	@printf " %-30s		%s\n" "Compose file:" "$(compose)"

api/helpers/_limiter.py

@@ -16,8 +16,9 @@ def __init__(self, redis: ConnectionPool, strategy: LimitingStrategy):
         self.connection_pool = redis
         self.redis_host = self.connection_pool.connection_kwargs.get("host", "localhost")
         self.redis_port = self.connection_pool.connection_kwargs.get("port", 6379)
+        self.redis_username = self.connection_pool.connection_kwargs.get("username", "")
         self.redis_password = self.connection_pool.connection_kwargs.get("password", "")
-        self.redis = storage.RedisStorage(uri=f"async+redis://:{self.redis_password}@{self.redis_host}:{self.redis_port}", connection_pool=self.connection_pool)  # fmt: off
+        self.redis = storage.RedisStorage(uri=f"async+redis://{self.redis_username}:{self.redis_password}@{self.redis_host}:{self.redis_port}", connection_pool=self.connection_pool)  # fmt: off
 
         if strategy == LimitingStrategy.MOVING_WINDOW:
             self.strategy = strategies.MovingWindowRateLimiter(storage=self.redis)

compose.example.yml

@@ -54,7 +54,7 @@ services:
       start_period: 60s
 
   redis:
-    image: redis/redis-stack-server:7.2.0-v11
+    image: redis/redis-stack-server:7.4.0-v7
     restart: always
     environment:
       REDIS_ARGS: "--dir /data --requirepass ${REDIS_PASSWORD:-changeme} --user ${REDIS_USER:-redis} on >password ~* allcommands --save 60 1 --appendonly yes"
@@ -67,6 +67,7 @@ services:
       interval: 4s
       timeout: 10s
       retries: 5
+      start_period: 60s
 
 volumes:
   postgres:

docs/docs/dependencies/redis.md

@@ -40,7 +40,7 @@ These metrics are used for monitoring and can be exposed via Prometheus when ena
 
 ### Prerequisites
 
-Redis Stack Server 7.2+ is required (includes the time-series module).
+Redis Stack Server 7.4+ is required (includes the time-series module).
 
 ### Configuration
 
@@ -52,10 +52,10 @@ Add a `redis` container in the `services` section of your `compose.yml` file:
 services:
   [...]
   redis:
-    image: redis/redis-stack-server:7.2.0-v11
+    image: redis/redis-stack-server:7.4.0-v7
     restart: always
     environment:
-      REDIS_ARGS: "--dir /data --requirepass ${REDIS_PASSWORD:-changeme} --user ${REDIS_USER:-redis} on >password ~* allcommands --save 60 1 --appendonly yes"
+      REDIS_ARGS: "--loadmodule /opt/redis-stack/lib/redistimeseries.so --dir /data --requirepass ${REDIS_PASSWORD:-changeme} --user ${REDIS_USER:-redis} on >password ~* allcommands --save 60 1 --appendonly yes"
     ports:
       - "${REDIS_PORT:-6379}:6379"
     volumes:
@@ -65,6 +65,7 @@ services:
       interval: 4s
       timeout: 10s
       retries: 5
+      start_period: 60s
 
 volumes:
   redis:
@@ -112,3 +113,32 @@ For more information about the configuration file, see [Configuration](../gettin
         ```
 
         Theses metrics are stored in Redis time-series module to determine request prioritisation. For more information about request prioritisation, see [request prioritisation documentation](../models/request_prioritisation.md).
+
+### Security
+
+We recommend securing your Redis instance by keeping the version up-to-date.
+For production environment, we also recommend :
+- enabling protected mode
+- deactivating default user
+- create specific users with limited permissions
+- logging to specific log files
+- disabling syslog
+- disabling dangerous commands (FLUSHALL, FLUSHDB, etc.)
+
+It can be done by configuring the `REDIS_ARGS` environment variable in the `docker-compose.yml` or with a redis.conf file.
+Also consider this security hardening for your docker compose service.
+
+```
+  redis:
+    [...]
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETGID
+      - SETUID
+    read_only: true
+    tmpfs:
+      - /tmp:noexec,nosuid,size=64M
+```

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "opengatellm"
-version = "0.2.8post1"
+version = "0.2.8post2"
 description = "OpenGateLLM project"
 requires-python = ">=3.12"
 license = { text = "MIT" }