fix: use REDISCLI_AUTH env var to avoid passing password via -a flag in Redis health checks #3618

Open. BearTS wants to merge 1 commit into 05-20-chore_expose_grpc_service_port_if_mentioned from 05-20-fix_reids_to_pass_the_secret_in_env

@BearTS BearTS commented May 20, 2026

Summary

Simplifies Redis health check commands by leveraging the REDISCLI_AUTH environment variable for automatic authentication, removing the need for conditional -a "$REDIS_PASSWORD" flags in liveness and readiness probes.

Changes

  • Added REDISCLI_AUTH environment variable to the Redis container, sourced from the same secret as REDIS_PASSWORD. When set, redis-cli automatically uses this variable for authentication without requiring the -a flag.
  • Replaced the conditional redis-cli probe commands (which branched on whether auth was enabled) with a single unconditional redis-cli ping. When auth is enabled, REDISCLI_AUTH handles it transparently; when auth is disabled, the variable is simply not set.

Type of change

  • Bug fix
  • Feature
  • Refactor
  • Documentation
  • Chore/CI

Affected areas

  • Core (Go)
  • Transports (HTTP)
  • Providers/Integrations
  • Plugins
  • UI (React)
  • Docs

How to test

Deploy the Bifrost Helm chart with Redis auth enabled and verify that the liveness and readiness probes succeed without errors:

helm upgrade --install bifrost ./helm-charts/bifrost \
  --set vectorStore.redis.auth.enabled=true \
  --set vectorStore.redis.auth.password=<your-password>

kubectl describe pod <redis-pod> | grep -A5 "Liveness\|Readiness"

Expected: probes report successful ping responses and the pod reaches Running state.

Breaking changes

  • Yes
  • No

Related issues

Security considerations

REDISCLI_AUTH is sourced from the same Kubernetes secret as REDIS_PASSWORD, so there is no change in how the password is stored or exposed. This approach avoids passing the password as a visible command-line argument, which is a minor security improvement.

Checklist

  • I read docs/contributing/README.md and followed the guidelines
  • I added/updated tests where appropriate
  • I updated documentation where needed
  • I verified builds succeed (Go and UI)
  • I verified the CI pipeline passes locally if applicable
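
The change described in this PR, as an added example that is not part of the PR or the Bifrost chart: a shell check that flags manifests where redis-cli receives the password on the command line (`-a` or `--pass`) instead of through REDISCLI_AUTH. Both manifests are constructed samples; the secret name `example-redis-secret` and all function names are assumptions.

```shell
#!/bin/sh
# Added example: both manifests are constructed samples, not the chart's template.
# The secret name example-redis-secret is a placeholder.
before_manifest() { cat <<'EOF'
env:
  - name: REDIS_PASSWORD
    valueFrom: {secretKeyRef: {name: example-redis-secret, key: password}}
livenessProbe:
  exec:
    command: ["sh", "-c", "redis-cli -a \"$REDIS_PASSWORD\" ping"]
EOF
}

after_manifest() { cat <<'EOF'
env:
  - name: REDIS_PASSWORD
    valueFrom: {secretKeyRef: {name: example-redis-secret, key: password}}
  - name: REDISCLI_AUTH
    valueFrom: {secretKeyRef: {name: example-redis-secret, key: password}}
livenessProbe:
  exec:
    command: ["redis-cli", "ping"]
EOF
}

# Print lines where redis-cli is given -a or --pass, in either shell-string
# or exec-array form. Exit status 0 means at least one such line was found.
argv_password_lines() {
  grep -nE 'redis-cli[^#]*[" ,](-a|--pass)[" ,]'
}

# Classify a manifest read from stdin.
audit_manifest() {
  manifest=$(cat)
  if printf '%s\n' "$manifest" | argv_password_lines >/dev/null; then
    echo "FAIL: password passed to redis-cli on the command line"
  elif printf '%s\n' "$manifest" | grep -q 'name: REDISCLI_AUTH'; then
    echo "OK: redis-cli authenticates via REDISCLI_AUTH"
  else
    echo "OK: no redis-cli password argument (auth disabled or not used)"
  fi
}

before_manifest | audit_manifest
after_manifest | audit_manifest
```

The same function can be fed the output of `helm template` to check a rendered chart before deployment.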


coderabbitai Bot commented May 20, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 2ffea79 and d82ba33.

📒 Files selected for processing (1)
  • helm-charts/bifrost/templates/redis-deployment.yaml
Walkthrough

The Redis Helm deployment template refactors authentication handling by introducing a REDISCLI_AUTH environment variable and simplifying health check probes. Rather than embedding password authentication within conditional shell commands, the new approach leverages environment variables that redis-cli recognizes natively, reducing probe complexity.

Changes

Redis Authentication and Health Checks

| Layer / File(s) | Summary |
| --- | --- |
| Redis authentication and health checks (helm-charts/bifrost/templates/redis-deployment.yaml) | REDISCLI_AUTH environment variable is populated from the Redis password secret. Liveness and readiness probes are updated from shell-based conditional commands with inline authentication to simplified redis-cli ping commands that rely on the REDISCLI_AUTH variable. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • akshaydeo

Poem

🐰 A Redis tale, both swift and bright,
No more passwords passed in sight,
Auth lives now in variables clean,
The simplest probes we've ever seen! 🔐


BearTS force-pushed the 05-20-chore_expose_grpc_service_port_if_mentioned branch from 5405e4c to 36a1311 (May 20, 2026 10:56)
BearTS force-pushed the 05-20-fix_reids_to_pass_the_secret_in_env branch from 4f16733 to 2ffea79 (May 20, 2026 10:56)
BearTS changed the title from "fix: reids to pass the secret in env" to "fix: use REDISCLI_AUTH env var to avoid passing password via -a flag in Redis health checks" (May 20, 2026)
BearTS marked this pull request as ready for review (May 20, 2026 10:59)
BearTS requested a review from a team as a code owner (May 20, 2026 10:59)
coderabbitai Bot requested a review from akshaydeo (May 20, 2026 11:00)

greptile-apps Bot commented May 20, 2026

Confidence Score: 5/5

This change is safe to merge — it is a targeted refactor of Helm probe commands with no functional regressions and a minor security improvement.

The only file touched is a Helm deployment template. The new REDISCLI_AUTH env var is correctly scoped inside the existing auth.enabled conditional, so it is never set when authentication is off. The unconditional redis-cli ping command works correctly in both auth and no-auth modes. No secrets management changes, no new Kubernetes resources, and no Go or UI code is affected.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| helm-charts/bifrost/templates/redis-deployment.yaml | Adds REDISCLI_AUTH env var (sourced from same secret as REDIS_PASSWORD) and simplifies liveness/readiness probe commands to unconditional redis-cli ping; logic is correct and the security improvement is valid. |

Reviews (3): Last reviewed commit: "fix: reids to pass the secret in env"

BearTS force-pushed the 05-20-chore_expose_grpc_service_port_if_mentioned branch from de7044b to 55c8715 (May 20, 2026 12:04)
BearTS force-pushed the 05-20-fix_reids_to_pass_the_secret_in_env branch from 77e78f9 to d82ba33 (May 20, 2026 12:04)