Enable Redis Authentication
Starting with Helm chart version 3.8.2, the bundled Redis instance is password-protected by default. The chart generates the password automatically, stores it in a Kubernetes Secret, and wires it into both Redis and Appsmith.
This page explains how to enable Redis authentication on existing deployments, including deployments running chart versions older than 3.8.2.
This page applies only to the bundled Redis subchart (redis.enabled: true). If you use an external Redis instance, see External Redis. For a Docker single-container deployment, use External Redis to run an authenticated instance.
The examples use the release name appsmith-ee. Substitute your own release name and namespace. The Secret name appsmith-redis-secret is a fixed default (set by redis.auth.existingSecret) and is not release-prefixed.
Upgrade an existing deployment to chart 3.8.2 or later
For most deployments, enabling Redis authentication is a standard chart upgrade. Redis stores only sessions and cache, so enabling authentication briefly logs users out and repopulates the cache with no data loss while the pods roll.
-
Remove any explicit
redis.auth.enabled: falsefrom yourvalues.yaml, or set it totrue. An explicitfalseoverrides the new default and leaves authentication disabled after the upgrade:redis:
auth:
enabled: true -
Update your local chart repository and upgrade:
helm repo update
helm upgrade -i appsmith-ee appsmith-ee/appsmith -n appsmith-ee -f values.yaml -
Verify that the Secret exists:
kubectl get secret appsmith-redis-secret -n appsmith-ee -
Verify that all pods are running and that Appsmith can reach Redis:
kubectl get pods -n appsmith-eeOptionally, test the authenticated connection directly:
kubectl exec -it appsmith-ee-redis-master-0 -n appsmith-ee -- \
sh -c 'REDISCLI_AUTH="<your-redis-password>" redis-cli ping'Replace
<your-redis-password>with the value from theappsmith-redis-secretSecret. The command should returnPONG.
Bring your own password
To control the password yourself, create the Secret before installing or upgrading:
kubectl create secret generic appsmith-redis-secret \
--from-literal=redis-password='<your-password>' \
-n appsmith-ee
To use a different Secret name or key, point the chart at it in values.yaml:
redis:
auth:
existingSecret: my-redis-secret
existingSecretPasswordKey: my-password-key
Self-manage the Redis password
To set the Redis password directly instead of letting the chart manage a Secret (for example, when migrating a deployment that already sets redis.auth.password), set all three values in values.yaml:
redis:
auth:
password: "<your-password>"
existingSecret: ""
applicationConfig:
APPSMITH_REDIS_URL: "redis://:<your-password>@<release-name>-redis-master.<namespace>.svc.cluster.local:6379"
existingSecret must be empty so the chart skips its bootstrap Secret, and APPSMITH_REDIS_URL must carry the same password. The chart rejects the install with an error if redis.auth.password is set without both.
This path stores the password in plaintext in two places: redis.auth.password and the APPSMITH_REDIS_URL in your values.yaml and the rendered ConfigMap. Prefer the chart-managed Secret (the default) or Bring your own password, and manage rotation through your secret manager (for example, Sealed Secrets or Vault).
Opt out
To keep the bundled Redis unauthenticated (for example, in an isolated development cluster), disable auth in values.yaml:
redis:
auth:
enabled: false
This restores the behavior of earlier chart versions: a passwordless Redis.
Air-gapped and restricted networks
The bootstrap Job pulls docker.io/alpine/kubectl:latest by default. If your cluster cannot reach Docker Hub, mirror the image to your private registry and override it in values.yaml:
redisAuth:
passwordInit:
image:
registry: registry.example.com
repository: mirrored/alpine-kubectl
tag: "1.33.1"
The default tag is latest. Pin a specific tag or digest for reproducible, supply-chain-safe deployments.
Enable auth on chart versions before 3.8.2
Chart versions older than 3.8.2 require manual configuration to enable Redis authentication:
-
Create the password Secret:
kubectl create secret generic appsmith-redis-secret \
--from-literal=redis-password='<your-password>' \
-n appsmith-ee -
Point the bundled Redis subchart at the Secret in
values.yaml:redis:
auth:
enabled: true
existingSecret: appsmith-redis-secret
existingSecretPasswordKey: redis-password -
Set the authenticated Redis URL explicitly:
applicationConfig:
APPSMITH_REDIS_URL: "redis://:<your-password>@<release-name>-redis-master.<namespace>.svc.cluster.local:6379"Replace
<release-name>and<namespace>with your Helm release name and namespace.cautionOn charts older than 3.8.2, the password set in
applicationConfigis stored in plaintext in the rendered ConfigMap and in yourvalues.yaml. Upgrading to chart 3.8.2 or later avoids this: the password is injected by Secret reference instead. Remove the manualAPPSMITH_REDIS_URLoverride after upgrading so the chart can manage the URL. -
Apply the changes:
helm upgrade -i appsmith-ee appsmith-ee/appsmith -n appsmith-ee -f values.yaml
Troubleshooting
Install fails with redis.auth.password is set, which is only supported on the self-managed path
Either unset redis.auth.password and use a Secret instead (see Bring your own password), or set the full self-managed configuration (see Self-manage the Redis password).
Appsmith logs show NOAUTH Authentication required or WRONGPASS
The password in the Secret doesn't match what Redis was started with, typically after editing the Secret manually. After changing the password, restart both Redis and Appsmith so they pick up the new value:
kubectl rollout restart statefulset appsmith-ee-redis-master -n appsmith-ee
kubectl rollout restart statefulset appsmith-ee -n appsmith-ee
The bootstrap Job pod shows ImagePullBackOff
Your cluster can't pull docker.io/alpine/kubectl. Mirror the image and override redisAuth.passwordInit.image as described in Air-gapped and restricted networks.
See also
- Helm Chart: Architecture and configuration reference for the Appsmith Helm chart.
- External Redis: Connect Appsmith to a Redis instance outside the cluster.
- Chart parameters reference: Full list of configurable Helm values.