@yashisrani
Contributor

Fix: #104

Key Changes:

Store:

  • Updated pkg/store to support the REDIS_PASSWORD_FILE environment variable.
  • It now reads the password from the specified file path if REDIS_PASSWORD is not set.

Deployment:

  • Updated k8s/agentcube-router.yaml to mount the redis-auth secret to /etc/agentcube/secrets and configured the application to read the password from this location.

…tes secret integration

Signed-off-by: Yash Israni <118755067+yashisrani@users.noreply.github.com>
@volcano-sh-bot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gemini-code-assist
Contributor

Summary of Changes

Hello @yashisrani, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security and operational flexibility for managing Redis passwords within the application. By introducing the capability to load the Redis password from a file, it enables seamless integration with Kubernetes secrets, allowing sensitive credentials to be managed more securely and compliantly. The changes involve updates to both the application's core Redis connection logic and its Kubernetes deployment configuration to adopt this new, more secure method.

Highlights

  • Redis Password File Support: Implemented support for loading Redis passwords from a file via the REDIS_PASSWORD_FILE environment variable, enhancing security practices by avoiding direct password exposure in environment variables.
  • Kubernetes Secret Integration: Integrated Kubernetes secret management by updating the agentcube-router.yaml to define and mount a redis-auth secret, configuring the application to read the Redis password from the mounted file path /etc/agentcube/secrets/password.
  • Robust Password Loading Logic: Refactored the Redis connection logic in pkg/store/store_redis.go to prioritize REDIS_PASSWORD_FILE if REDIS_PASSWORD is not provided, including robust file reading, error handling, and trimming of potential whitespace/newlines from the file content.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a useful feature to load the Redis password from a file, which is great for Kubernetes integration with secrets. The implementation is mostly solid. I've pointed out a security concern with a hardcoded password in the example Kubernetes manifest, which should be addressed or at least documented for users. I also suggested a small improvement in the Go code to make the password trimming from the file more robust. Overall, good work.

Comment on lines +17 to +18
stringData:
password: "SuperSecretRedisPassword"
Contributor

security-high high

The Redis password is hardcoded in this Secret definition. While this may be convenient for local development or demonstration, it poses a significant security risk if used in production environments. It's strongly recommended to not check in plaintext secrets into version control. For production, secrets should be created out-of-band (e.g., via kubectl create secret or a CI/CD pipeline) or managed by a secrets management system like HashiCorp Vault. Consider adding a comment here to warn users about this.

Comment on lines 53 to 58
// Trim possible whitespace/newlines from the file content
redisPassword = string(data)
// Handle cases where the file might have trailing newlines
if len(redisPassword) > 0 && redisPassword[len(redisPassword)-1] == '\n' {
redisPassword = redisPassword[:len(redisPassword)-1]
}
Contributor

medium

The current implementation for trimming the password read from the file only handles a single trailing newline (\n). This is not robust enough as the file could contain other whitespace (like spaces, tabs, or carriage returns \r), or could have leading whitespace. Using strings.TrimSpace is a better approach as it handles all leading and trailing whitespace characters, making the password retrieval more reliable.

Note: You'll need to add "strings" to your imports for this change.

Suggested change
// Trim possible whitespace/newlines from the file content
redisPassword = string(data)
// Handle cases where the file might have trailing newlines
if len(redisPassword) > 0 && redisPassword[len(redisPassword)-1] == '\n' {
redisPassword = redisPassword[:len(redisPassword)-1]
}
// Trim possible whitespace/newlines from the file content
redisPassword = strings.TrimSpace(string(data))
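
The trimming difference raised in the review comment above, as an added example that is not part of the pull request or the project's code. `trimSingleNewline` and `resolveRedisPassword` are hypothetical names, the sample secret content is constructed, and an empty `REDIS_PASSWORD` is assumed to count as unset.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// trimSingleNewline mirrors the reviewed snippet: it drops at most one trailing '\n'.
func trimSingleNewline(s string) string {
	if len(s) > 0 && s[len(s)-1] == '\n' {
		return s[:len(s)-1]
	}
	return s
}

// resolveRedisPassword (hypothetical): non-empty REDIS_PASSWORD wins, else read REDIS_PASSWORD_FILE.
func resolveRedisPassword(getenv func(string) string) (string, error) {
	if pw := getenv("REDIS_PASSWORD"); pw != "" {
		return pw, nil
	}
	path := getenv("REDIS_PASSWORD_FILE")
	if path == "" {
		return "", errors.New("neither REDIS_PASSWORD nor REDIS_PASSWORD_FILE is set")
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("read REDIS_PASSWORD_FILE: %w", err)
	}
	pw := strings.TrimSpace(string(data))
	if pw == "" {
		return "", errors.New("REDIS_PASSWORD_FILE is empty after trimming")
	}
	return pw, nil
}

func main() {
	path := filepath.Join(os.TempDir(), "redis-password-example")
	// Constructed sample: a secret file saved with a Windows line ending.
	if err := os.WriteFile(path, []byte("s3cr3t\r\n"), 0o600); err != nil {
		panic(err)
	}
	defer os.Remove(path)
	env := map[string]string{"REDIS_PASSWORD": "", "REDIS_PASSWORD_FILE": path}
	pw, err := resolveRedisPassword(func(k string) string { return env[k] })
	fmt.Printf("TrimSpace: %q err=%v\n", pw, err)
	fmt.Printf("single-newline trim: %q\n", trimSingleNewline("s3cr3t\r\n"))
}
```

With the single-newline trim the stray `\r` stays in the value sent to Redis and authentication fails even though the file looks correct. `strings.TrimSpace` also strips leading and trailing spaces that are genuinely part of a password, so secrets with such characters need a narrower trim.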

@codecov-commenter
codecov-commenter commented Jan 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@c1cb5ac). Learn more about missing BASE report.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #117   +/-   ##
=======================================
  Coverage        ?   29.68%           
=======================================
  Files           ?       29           
  Lines           ?     2749           
  Branches        ?        0           
=======================================
  Hits            ?      816           
  Misses          ?     1799           
  Partials        ?      134           
Flag Coverage Δ
unittests 29.68% <ø> (?)

- name: REDIS_PASSWORD
value: ""
- name: REDIS_PASSWORD_FILE
value: "/etc/agentcube/secrets/password"
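Review bot: REDIS_PASSWORD is still declared with an empty value right next to REDIS_PASSWORD_FILE, while the description says the file is read only if REDIS_PASSWORD is not set. The loader therefore has to treat an empty string as unset; a presence check such as os.LookupEnv would see the variable as set and never read the file. Dropping the empty REDIS_PASSWORD entry from the manifest removes the ambiguity.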
Member

@yashisrani

Our intention is to use the downward API, FYI https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-a-container-environment-variable-with-data-from-a-single-secret

Do not store the passwd in the filesystem, which is not allowed from a security view

Signed-off-by: Yash Israni <118755067+yashisrani@users.noreply.github.com>
namespace: agentcube
type: Opaque
stringData:
password: "SuperSecretRedisPassword"
Member

Please wait until #99, adapt to helm chart too

@hzxuzhonghu
Member

@yashisrani We can move forward now with all the dependencies merged

Successfully merging this pull request may close these issues.

Router redis auth info handling