Authentication and TLS¶
The standalone URL carries credentials (redis://user:pass@host), but the bare cluster /
sentinel seed lists cannot. Builders set them on every topology, mapping onto fred's config:
// ACL username + password on a cluster. Bare seed lists cannot encode credentials, so the
// builder is the only way to authenticate a cluster or sentinel topology.
let _broker = RedisBroker::cluster(["10.0.0.1:6379"]).credentials("worker", "s3cr3t");
For a password-only AUTH (the legacy requirepass form, no ACL user) use .password(...):
// Password-only AUTH (legacy requirepass, no ACL user) on a sentinel topology.
let _broker = RedisBroker::sentinel("mymaster", ["10.0.0.1:26379"]).password("s3cr3t");
Credentials set programmatically override any in a standalone URL.
TLS¶
TLS lives behind additive, off-by-default features that map onto fred's TLS backends - tls-rustls
(rustls with aws-lc-rs), tls-rustls-ring (rustls with ring), and tls-native-tls. With one
enabled, pass a TlsConfig (or any TlsConnector) on any topology; a standalone broker can also
use a rediss:// / valkeys:// URL:
// System trust roots, no client certificate. The same TlsConnector works on every topology.
let tls = TlsConnector::default_rustls()?;
let _broker = RedisBroker::cluster(["10.0.0.1:6379"]).tls(tls);
Further auth features¶
Two further auth features are off by default:
sentinel-authadds.sentinel_credentials(user, pass)/.sentinel_password(pass)for credentials that authenticate to the sentinels, distinct from the data-node credentials.credential-provideraccepts.credential_provider(provider), a callback that supplies and can rotate the username/password on eachAUTH/HELLO(IAM-style auth); it takes precedence over static credentials.
For full control (custom reconnection, performance, or TLS policy beyond these builders), build a
fred Pool yourself and wrap it with RedisBroker::from_pool.