
Require authentication for Redis HA autoconfig#9

Merged
homerquan merged 1 commit into main from codex/propose-fix-for-redis-ha-vulnerability on May 18, 2026

Conversation

@homerquan

Collaborator

Motivation

  • The Redis HA helper previously started redis-server and Sentinel bound to 0.0.0.0 with protected-mode no and no default credentials, exposing the runtime persistence plane to network attackers.
  • The change prevents accidental unauthenticated listeners in Sentinel HA mode by enforcing an operator-provided password before bringing up Redis/Sentinel.

Description

  • Require MN_REDIS_PASSWORD (via REDIS_PASSWORD) before scripts/redis_ha.sh join will start Redis/Sentinel by adding require_join_credentials and refusing to run unauthenticated listeners.
  • Default the Sentinel client password to the Redis password when MN_REDIS_SENTINEL_PASSWORD is unset, and propagate that in scripts/start_cluster_node.sh when launching in Sentinel mode.
  • Always start Redis with --requirepass and --masterauth once credential validation passes and write Sentinel config entries requirepass and sentinel sentinel-pass (with safe quoting via redis_conf_quote).
  • Add unit-style shell tests exercising the join refusal and the authenticated startup path in tests/unit/redis_ha_scripts_test.exs and update README.md to document the HA helper password requirement.

Testing

  • Ran mix format successfully to update formatting.
  • Performed syntax checks with bash -n for scripts/redis_ha.sh, scripts/test_redis_sentinel_ha.sh, scripts/test_redis_sentinel_two_box_ha.sh, scripts/start_cluster_node.sh, and scripts/cluster_cli.sh, and they passed.
  • Executed manual smoke runs using fake redis-server/redis-cli wrappers to verify that join with MN_REDIS_PASSWORD=shared-secret starts Redis with --requirepass/--masterauth, generates a Sentinel config containing requirepass/sentinel sentinel-pass, and that sentinel receives the SENTINEL SET ... auth-pass command, all of which succeeded.
  • Verified that join without MN_REDIS_PASSWORD exits non-zero and does not start Redis/Sentinel, which also succeeded; mix test could not be run in this environment because fetching Hex/dependencies was blocked by network restrictions (HTTP 403).
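The credential gate, the config quoting helper and the Sentinel auth entries described above, as an added shell illustration. This is not the repository's scripts/redis_ha.sh: the function names echo the PR, but their bodies, the sentinel auth-pass entry and the join_redis_ha flow are assumptions.

```bash
#!/usr/bin/env bash
# Added illustration, not the project's scripts/redis_ha.sh. Function names echo
# the PR description; bodies, file layout and the join flow are assumed.

# Refuse to run a 'join' without an operator-provided Redis password.
# On success exports REDIS_PASSWORD and SENTINEL_PASSWORD (Sentinel falls back
# to the Redis password); on failure prints a reason and returns 1 so the
# caller never reaches the redis-server / redis-sentinel launch.
require_join_credentials() {
  REDIS_PASSWORD="${MN_REDIS_PASSWORD:-}"
  if [ -z "$REDIS_PASSWORD" ]; then
    echo "redis_ha: MN_REDIS_PASSWORD is required for 'join'; refusing to start unauthenticated Redis/Sentinel" >&2
    return 1
  fi
  SENTINEL_PASSWORD="${MN_REDIS_SENTINEL_PASSWORD:-$REDIS_PASSWORD}"
  export REDIS_PASSWORD SENTINEL_PASSWORD
}

# Double-quote a value for redis.conf / sentinel.conf, escaping backslash and
# double quote, so a password containing spaces or quotes cannot be split into
# extra directive arguments. Backslashes are escaped first so the quote escape
# added afterwards is not doubled.
redis_conf_quote() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# Emit the authentication directives for sentinel.conf: requirepass protects
# the Sentinel port itself, auth-pass is what Sentinel presents to the master,
# sentinel-pass is what Sentinels present to each other.
render_sentinel_auth() {
  master_name="$1"; redis_pw="$2"; sentinel_pw="$3"
  printf 'requirepass %s\n' "$(redis_conf_quote "$sentinel_pw")"
  printf 'sentinel auth-pass %s %s\n' "$master_name" "$(redis_conf_quote "$redis_pw")"
  printf 'sentinel sentinel-pass %s\n' "$(redis_conf_quote "$sentinel_pw")"
}

# Arguments always passed to redis-server once the gate has passed: requirepass
# for clients, masterauth so a replica can authenticate to its master.
redis_server_args() {
  printf '%s %s %s %s' --requirepass "$1" --masterauth "$1"
}

# Assumed shape of the join path: gate first, config second, launch last.
join_redis_ha() {
  require_join_credentials || return 1
  render_sentinel_auth "${1:-mymaster}" "$REDIS_PASSWORD" "$SENTINEL_PASSWORD" > "${2:-sentinel.conf}"
  # redis-server $(redis_server_args "$REDIS_PASSWORD") ...   (launch omitted here)
}
```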

Codex Task

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 343d65b048

Comment thread scripts/redis_ha.sh
REDIS_PASSWORD="${MN_REDIS_PASSWORD:-}"
SENTINEL_USERNAME="${MN_REDIS_SENTINEL_USERNAME:-}"
SENTINEL_PASSWORD="${MN_REDIS_SENTINEL_PASSWORD:-}"
SENTINEL_PASSWORD="${MN_REDIS_SENTINEL_PASSWORD:-$REDIS_PASSWORD}"
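Review bot: The `${MN_REDIS_SENTINEL_PASSWORD:-$REDIS_PASSWORD}` form on the last line substitutes the Redis password not only when MN_REDIS_SENTINEL_PASSWORD is unset but also when it is set to an empty string, so the description's "when MN_REDIS_SENTINEL_PASSWORD is unset" understates the fallback; if an explicitly empty value is meant to be honoured, use `${MN_REDIS_SENTINEL_PASSWORD-$REDIS_PASSWORD}`, otherwise document in README.md that an empty value is treated as unset. As rendered here SENTINEL_PASSWORD is also assigned twice on consecutive lines; if the first assignment is not the removed side of the diff it is dead and should be dropped.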

P2: Propagate the sentinel password fallback to runtime clients

When operators run scripts/redis_ha.sh join directly with only MN_REDIS_PASSWORD, this fallback makes the helper start Sentinel with requirepass using that password, but the Elixir Sentinel client still reads only MN_REDIS_SENTINEL_PASSWORD in lib/mirror_neuron/redis/sentinel.ex, and wrappers like scripts/cluster_cli.sh do not export the fallback added to start_cluster_node.sh. In that documented direct-helper/CLI path the runtime queries Sentinel unauthenticated and cannot resolve the primary, so the same fallback needs to live in shared runtime/client config or all Sentinel-mode wrappers.

@homerquan homerquan merged commit e109199 into main May 18, 2026
1 check failed
