fix: support passwordless Redis by conditionally building auth segment (#292)

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: Steffen911

charts/langfuse/README.md

@@ -208,8 +208,8 @@ Open source LLM engineering platform - LLM observability, metrics, evaluations,
 | redis.auth.database | int | `0` |  |
 | redis.auth.existingSecret | string | `""` | If you want to use an existing secret for the redis password, set the name of the secret here. (`redis.auth.password` will be ignored and picked up from this secret). |
 | redis.auth.existingSecretPasswordKey | string | `""` | The key in the existing secret that contains the password. |
-| redis.auth.password | string | `""` | Configure the password by value or existing secret reference. Use URL-encoded passwords or avoid special characters in the password. |
-| redis.auth.username | string | `"default"` | Username to use to connect to the redis database deployed with Langfuse. In case `redis.deploy` is set to `true`, the user will be created automatically. Set to null for an empty username in the connection string. |
+| redis.auth.password | string | `""` | Password for Redis authentication. Set to null to disable authentication (for passwordless Redis like AWS ElastiCache without auth). Use URL-encoded passwords or avoid special characters in the password. |
+| redis.auth.username | string | `"default"` | Username for Redis authentication. Set to null to omit username from connection string entirely. In case `redis.deploy` is set to `true`, the user will be created automatically. |
 | redis.cluster.enabled | bool | `false` | Set to `true` to enable Redis Cluster mode. When enabled, you must set `redis.deploy` to `false` and provide cluster nodes. |
 | redis.cluster.nodes | list | `[]` | List of Redis cluster nodes in the format "host:port". Example: ["redis-1:6379", "redis-2:6379", "redis-3:6379"] |
 | redis.deploy | bool | `true` | Enable valkey deployment (via Bitnami Helm Chart). If you want to use a Redis or Valkey server already deployed, set to false. |

charts/langfuse/templates/_helpers.tpl

@@ -341,7 +341,17 @@ Get value of a specific environment variable from additionalEnv if it exists
 - name: REDIS_TLS_ENABLED
   value: {{ .Values.redis.tls.enabled | quote }}
 - name: REDIS_CONNECTION_STRING
-  value: "{{ if .Values.redis.tls.enabled }}rediss{{ else }}redis{{ end }}://{{ .Values.redis.auth.username }}:$(REDIS_PASSWORD)@{{ include "langfuse.redis.hostname" . }}:{{ .Values.redis.port }}/{{ .Values.redis.auth.database }}"
+{{- $hasPassword := or .Values.redis.auth.existingSecret .Values.redis.auth.password }}
+{{- $hasUsername := .Values.redis.auth.username }}
+{{- $authPart := "" }}
+{{- if and $hasUsername $hasPassword }}
+  {{- $authPart = printf "%s:$(REDIS_PASSWORD)@" .Values.redis.auth.username }}
+{{- else if $hasPassword }}
+  {{- $authPart = ":$(REDIS_PASSWORD)@" }}
+{{- else if $hasUsername }}
+  {{- $authPart = printf "%s@" .Values.redis.auth.username }}
+{{- end }}
+  value: "{{ if .Values.redis.tls.enabled }}rediss{{ else }}redis{{ end }}://{{ $authPart }}{{ include "langfuse.redis.hostname" . }}:{{ .Values.redis.port }}/{{ .Values.redis.auth.database }}"
 {{- end }}
 {{- if .Values.redis.tls.enabled }}
 {{- if .Values.redis.tls.caPath }}

charts/langfuse/tests/redis-cluster_test.yaml

@@ -438,3 +438,113 @@ tests:
           content:
             name: REDIS_TLS_CA_PATH
         template: web/deployment.yaml
+
+  # =====================================================
+  # PASSWORDLESS REDIS TESTS (Issue #291, #273)
+  # =====================================================
+
+  - it: should handle standalone mode without authentication (null password and username)
+    values:
+      - ../values.lint.yaml
+    set:
+      redis.deploy: false
+      redis.host: "my-redis.example.com"
+      redis.port: 6379
+      redis.auth.password: null
+      redis.auth.username: null
+    asserts:
+      # Web deployment should have REDIS_CONNECTION_STRING without auth segment
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDIS_CONNECTION_STRING
+            value: "redis://my-redis.example.com:6379/0"
+        template: web/deployment.yaml
+      # Web deployment should NOT have REDIS_PASSWORD when password is null
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDIS_PASSWORD
+        template: web/deployment.yaml
+      # Worker deployment should have same connection string
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDIS_CONNECTION_STRING
+            value: "redis://my-redis.example.com:6379/0"
+        template: worker/deployment.yaml
+
+  - it: should handle standalone mode with username but no password (null password)
+    values:
+      - ../values.lint.yaml
+    set:
+      redis.deploy: false
+      redis.host: "my-redis.example.com"
+      redis.port: 6379
+      redis.auth.password: null
+      redis.auth.username: "default"
+    asserts:
+      # Web deployment should have REDIS_CONNECTION_STRING with username only
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDIS_CONNECTION_STRING
+            value: "redis://default@my-redis.example.com:6379/0"
+        template: web/deployment.yaml
+      # Web deployment should NOT have REDIS_PASSWORD when password is null
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDIS_PASSWORD
+        template: web/deployment.yaml
+
+  - it: should handle standalone mode with TLS but no authentication
+    values:
+      - ../values.lint.yaml
+    set:
+      redis.deploy: false
+      redis.host: "my-redis.example.com"
+      redis.port: 6380
+      redis.auth.password: null
+      redis.auth.username: null
+      redis.tls.enabled: true
+    asserts:
+      # Web deployment should have REDIS_CONNECTION_STRING with rediss:// and no auth
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDIS_CONNECTION_STRING
+            value: "rediss://my-redis.example.com:6380/0"
+        template: web/deployment.yaml
+      # Web deployment should have REDIS_TLS_ENABLED=true
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDIS_TLS_ENABLED
+            value: "true"
+        template: web/deployment.yaml
+
+  - it: should include password segment when password is set (existing behavior)
+    values:
+      - ../values.lint.yaml
+    set:
+      redis.deploy: false
+      redis.host: "my-redis.example.com"
+      redis.port: 6379
+      redis.auth.password: "testPassword123"
+      redis.auth.username: "default"
+    asserts:
+      # Web deployment should have REDIS_CONNECTION_STRING with full auth
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDIS_CONNECTION_STRING
+            value: "redis://default:$(REDIS_PASSWORD)@my-redis.example.com:6379/0"
+        template: web/deployment.yaml
+      # Web deployment should have REDIS_PASSWORD
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: REDIS_PASSWORD
+            value: "testPassword123"
+        template: web/deployment.yaml

charts/langfuse/values.yaml

@@ -475,9 +475,11 @@ redis:
 
   # Authentication configuration
   auth:
-    # -- Username to use to connect to the redis database deployed with Langfuse. In case `redis.deploy` is set to `true`, the user will be created automatically. Set to null for an empty username in the connection string.
+    # -- Username for Redis authentication. Set to null to omit username from connection string entirely.
+    # In case `redis.deploy` is set to `true`, the user will be created automatically.
     username: "default"
-    # -- Configure the password by value or existing secret reference. Use URL-encoded passwords or avoid special characters in the password.
+    # -- Password for Redis authentication. Set to null to disable authentication (for passwordless Redis like AWS ElastiCache without auth).
+    # Use URL-encoded passwords or avoid special characters in the password.
     password: ""
     # -- If you want to use an existing secret for the redis password, set the name of the secret here. (`redis.auth.password` will be ignored and picked up from this secret).
     existingSecret: ""