kube/redis: implement optional cfg.password option

If set, this enables internal redis authentication scheme. Supports
secretRefs, as well as values passed directly.

Change-Id: Ie902b8d79fdc4aa83ad8ad123e79f0bc80c1251f
diff --git a/kube/redis.libsonnet b/kube/redis.libsonnet
index d272227..e596ac2 100644
--- a/kube/redis.libsonnet
+++ b/kube/redis.libsonnet
@@ -12,6 +12,7 @@
         appName: error "app name must be set",
         storageClassName: "waw-hdd-redundant-1",
         prefix: "", # if set, should be 'foo-'
+        password: null,
 
         image: "redis:5.0.4-alpine",
         resources: {
@@ -65,13 +66,16 @@
                             args: [
                                 "redis-server",
                                 "--appendonly", "yes",
-                            ],
+                            ] + (if cfg.password != null then ["--requirepass", "$(REDIS_PASSWORD)"] else []),
                             ports_: {
                                 client: { containerPort: 6379 },
                             },
                             volumeMounts_: {
                                 data: { mountPath: "/data" },
                             },
+                            env_: {
+                                [if cfg.password != null then "REDIS_PASSWORD"]: cfg.password,
+                            },
                             resources: cfg.resources,
                         },
                     },