
Redis proxy should support TLS (inbound and outbound) #454

@jannfis

Description

Is your feature request related to a problem? Please describe.

The Redis proxy introduced in #436 uses plain text connections only, for both incoming connections from the Argo CD components (server and repo-server) as well as when proxying connections to the local argocd-redis for certain keys. The Redis cache may contain sensitive data, and trusting the cluster's network isn't a good idea.

Describe the solution you'd like

  1. The Redis proxy component should be configurable to accept only TLS connections on its listening endpoint. The configuration would likely require the endpoint's TLS certificate and private key to be specified by the user, or the name of a Kubernetes TLS secret holding the appropriate certificate/key combination.
  2. The Redis proxy component should be configurable to use TLS when connecting to its upstream argocd-redis on the control plane. The configuration would likely require the CA certificate used to sign the upstream's TLS certificate to be specified by the user, or the name of a Kubernetes secret holding the CA certificate.

Completion Criteria:

  • Add cmd line parameters to argocd-agent agent/principal for redis tls config
    • Command line parameter to tell agent/principal that it should require tls for redis
    • Command line parameter which specifies the TLS certificate that agent/principal should use to validate the redis TLS connection
  • Change the default install manifests/scripts for argocd-agent, so that they now use TLS for redis
    • Adding redis tls config to the hack/dev-env scripts
      • This includes enabling redis on upstream argo cd which is installed to control-plane, autonomous-agent, and managed-agent vclusters for dev and E2E tests
    • Adding redis tls config to install/kubernetes (enabled by default)
    • Adding redis tls config to install/helm-repo (enabled by default)
  • From now on, the argocd-agent E2E tests would ONLY run on 'redis w/ TLS' configuration (that is, it is the 'happy path')
  • Update install documentation to ensure redis tls is enabled, and generating redis certificate (for k8s case only, openshift will have a separate configuration mechanism)
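The two configuration halves requested above (a listening endpoint that presents a certificate/key pair, and an upstream client that validates the server against a user-supplied CA) are easy to get subtly wrong, so here is an added, self-contained Go example that is not code from the argocd-agent project. It constructs a throwaway CA and a leaf certificate in memory (stand-ins for the Kubernetes TLS secret and CA secret the issue mentions), builds the server-side and client-side `tls.Config` the proxy would need, and then runs two loopback handshakes: one where the client trusts the issuing CA, and one where it trusts an unrelated CA and must be rejected. All names (`serverTLSConfig`, `clientTLSConfig`, `Handshake`, `Demo`, the `argocd-redis` hostname used for the SAN) are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA in memory. Constructed for this example only;
// in a real deployment this would come from a Kubernetes secret.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-redis-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newLeaf issues a server certificate for host, signed by the given CA.
// This plays the role of the certificate/key the proxy endpoint would present.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // SAN is what the client verifies ServerName against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serverTLSConfig is the inbound side (item 1): the listener presents cert and
// refuses anything below TLS 1.2.
func serverTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// clientTLSConfig is the outbound side (item 2): only the supplied CA is trusted
// (not the system roots), and ServerName pins the expected upstream hostname.
func clientTLSConfig(ca *x509.Certificate, serverName string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// Handshake performs one TLS handshake over loopback between the two configs
// and returns the first error seen on either side (nil on success).
func Handshake(srvCfg, cliCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer c.Close()
		srvErr <- c.(*tls.Conn).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		<-srvErr // server side fails too once the client aborts; drain it
		return err
	}
	conn.Close()
	return <-srvErr
}

// Demo wires the pieces together: a client trusting the issuing CA succeeds,
// a client trusting an unrelated CA is rejected at the handshake.
func Demo() (trustedOK bool, untrustedRejected bool, err error) {
	ca, caKey, err := newCA()
	if err != nil {
		return false, false, err
	}
	leaf, err := newLeaf(ca, caKey, "argocd-redis")
	if err != nil {
		return false, false, err
	}
	srv := serverTLSConfig(leaf)
	trustedOK = Handshake(srv, clientTLSConfig(ca, "argocd-redis")) == nil
	otherCA, _, err := newCA()
	if err != nil {
		return trustedOK, false, err
	}
	untrustedRejected = Handshake(srv, clientTLSConfig(otherCA, "argocd-redis")) != nil
	return trustedOK, untrustedRejected, nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Printf("trusted CA accepted: %v, unrelated CA rejected: %v, err: %v\n", ok, rejected, err)
}
```

The point worth taking from the second handshake is that the upstream check must fail closed: a `tls.Config` with an empty `RootCAs` falls back to the system trust store, so the CA option for the upstream connection should be required whenever Redis TLS is enabled rather than silently defaulted.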

Metadata
Labels

enhancement (New feature or request)
