Replace KeyDb dependency with Valkey

omnibus/Gemfile.lock

@@ -10,10 +10,10 @@ GIT
 
 GIT
   remote: https://github.com/chef/omnibus-software.git
-  revision: 0cb128b237c26b5796370b761adbd499f71e5413
+  revision: d6fce7b6c5e6a9ba1f3a21eef2b2be8ee778391f
   branch: main
   specs:
-    omnibus-software (25.10.350)
+    omnibus-software (25.12.358)
       omnibus (>= 9.0.0)
 
 GIT

omnibus/config/software/server-complete.rb

@@ -31,7 +31,7 @@
 # the backend
 dependency "postgresql96-bin" # for upgrading 9.6 -> 13
 dependency "postgresql13"
-dependency "keydb" # dynamic routing controls
+dependency "valkey" # dynamic routing controls
 dependency "haproxy"
 dependency "opensearch" # used by search
 

omnibus/files/server-ctl-cookbooks/infra-server/recipes/redis_lb.rb

@@ -73,15 +73,23 @@
   owner 'root'
   group 'root'
   mode '0644'
-  variables(redis_data.to_hash)
+  variables(redis_data.to_hash.merge(
+    'password' => PrivateChef.credentials.get('redis_lb', 'password')
+  ))
 end
 
 # Define the redis_lb runit service.
 component_runit_service 'redis_lb'
 
-# Restart the redis_lb runit service.
+# Force restart the redis_lb service to apply config changes.
+# We need to stop then start to ensure the new config is loaded.
+runit_service 'redis_lb' do
+  action :stop
+  only_if { is_data_master? }
+end
+
 runit_service 'redis_lb' do
-  action :restart
+  action :start
   retries 10
   retry_delay 1
   only_if { is_data_master? }

omnibus/files/server-ctl-cookbooks/infra-server/templates/default/nginx/scripts/config.lua.erb

@@ -42,7 +42,8 @@ local function auth_not_required(err)
   -- conservatively try to determine if auth is not required.
   -- if auth isn't required, we can safely ignore an error from
   -- the AUTH command
-  return err == "ERR Client sent AUTH, but no password is set"
+  return err == "ERR Client sent AUTH, but no password is set" or
+         (err and string.find(err, "Redis is running in protected mode") ~= nil)
 end
 
 local function connect_redis()

omnibus/files/server-ctl-cookbooks/infra-server/templates/default/redis_lb.conf.erb

@@ -10,6 +10,16 @@ bind <%= @listen%> 0.0.0.0
 bind <%= @listen%>
 <% end %>
 
+
+<% if @password && !@password.to_s.empty? %>
+# Legacy password authentication
+requirepass <%= @password %>
+
+# ACL-based authentication (KeyDB/Valkey 7+)
+# Set password for the default user
+user default on ><%=  @password %> ~* &* +@all
+<% end %>
+
 tcp-keepalive <%= @keepalive %>
 timeout <%= @timeout %>
 loglevel <%= @loglevel %>

omnibus/files/server-ctl-cookbooks/infra-server/templates/default/sv-redis_lb-run.erb

@@ -1,4 +1,3 @@
 #!/bin/sh
 exec 2>&1
-exec /opt/<%= ChefUtils::Dist::Org::LEGACY_CONF_DIR %>/embedded/bin/veil-env-helper -f /etc/<%= ChefUtils::Dist::Org::LEGACY_CONF_DIR %>/private-<%= ChefUtils::Dist::Infra::SHORT %>-secrets.json -s REDIS_PASSWORD=redis_lb.password -- chpst -P -o 131071 -u <%= node["private_chef"]["user"]["username"] %> -U <%= node["private_chef"]["user"]["username"] %> -o 100000 env HOME="<%= node["private_chef"]["redis_lb"]["dir"] %>" /opt/<%= ChefUtils::Dist::Org::LEGACY_CONF_DIR %>/embedded/bin/keydb-server <%= File.join(node["private_chef"]["redis_lb"]["dir"], "etc", "redis.conf") %> --requirepass "${REDIS_PASSWORD}"
-
+exec /opt/<%= ChefUtils::Dist::Org::LEGACY_CONF_DIR %>/embedded/bin/veil-env-helper -f /etc/<%= ChefUtils::Dist::Org::LEGACY_CONF_DIR %>/private-<%= ChefUtils::Dist::Infra::SHORT %>-secrets.json -s REDIS_PASSWORD=redis_lb.password -- chpst -P -o 131071 -u <%= node["private_chef"]["user"]["username"] %> -U <%= node["private_chef"]["user"]["username"] %> -o 100000 env HOME="<%= node["private_chef"]["redis_lb"]["dir"] %>" /opt/<%= ChefUtils::Dist::Org::LEGACY_CONF_DIR %>/embedded/bin/valkey-server <%= File.join(node["private_chef"]["redis_lb"]["dir"], "etc", "redis.conf") %> --requirepass "${REDIS_PASSWORD}"

src/chef-server-ctl/bin/chef-server-ctl

@@ -296,10 +296,10 @@ Cleansing data in a remote Opensearch instance is not currently supported.
       # opscode-solr4 status is seen as elasticsearch status"
     end
 
-  # Overriding the service_list command to add the keyDB message.
+  # Overriding the service_list command to add the Valkey message.
   def service_list(*args)
     super(*args)
-    log "We are using keydb instead of redis underneath. All the functions are supposed to work the same because keydb is a fork of redis."
+    log "We are using Valkey instead of redis underneath. All the functions are supposed to work the same because Valkey is a fork of redis."
   end
 
     # Overriding reconfigure to skip license checking
@@ -322,7 +322,7 @@ Cleansing data in a remote Opensearch instance is not currently supported.
       mtls_enabled ? run_command(command) : :ok
 
       if status.success?
-        log "We are using keydb instead of redis underneath. All the functions are supposed to work the same because keydb is a fork of redis."
+        log "We are using Valkey instead of redis underneath. All the functions are supposed to work the same because Valkey is a fork of redis."
         log "#{display_name} Reconfigured!"
         exit! 0
       else

src/nginx/habitat/config/config.lua

@@ -54,7 +54,8 @@ local function auth_not_required(err)
   -- conservatively try to determine if auth is not required.
   -- if auth isn't required, we can safely ignore an error from
   -- the AUTH command
-  return err == "ERR Client sent AUTH, but no password is set"
+  return err == "ERR Client sent AUTH, but no password is set" or
+         (err and string.find(err, "Redis is running in protected mode") ~= nil)
 end
 
 local function connect_redis()