feat: redis TLS encryption enabled by default for all connections

Assisted-by: Cursor
Signed-off-by: Rizwana777 <[email protected]>

Author: Rizwana777

Makefile

@@ -56,6 +56,18 @@ endif
 ifneq (${ARGOCD_AGENT_IN_CLUSTER},)
 	./hack/dev-env/restart-all.sh
 endif
+	@echo ""
+	@echo "Configuring Redis TLS (required for E2E)..."
+	./hack/dev-env/gen-redis-tls-certs.sh
+	@echo "Step 1: Enabling TLS on Redis servers (creates secrets)..."
+	./hack/dev-env/configure-redis-tls.sh vcluster-control-plane
+	./hack/dev-env/configure-redis-tls.sh vcluster-agent-managed
+	./hack/dev-env/configure-redis-tls.sh vcluster-agent-autonomous
+	@echo "Step 2: Configuring Argo CD components for Redis TLS..."
+	./hack/dev-env/configure-argocd-redis-tls.sh vcluster-control-plane
+	./hack/dev-env/configure-argocd-redis-tls.sh vcluster-agent-managed
+	./hack/dev-env/configure-argocd-redis-tls.sh vcluster-agent-autonomous
+	@echo " E2E environment ready with Redis TLS enabled (required)"
 
 .PHONY: teardown-e2e
 teardown-e2e:

agent/agent.go

@@ -16,8 +16,11 @@ package agent
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"net/http"
+	"os"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -317,7 +320,28 @@ func NewAgent(ctx context.Context, client *kube.KubernetesClient, namespace stri
 		connMap: map[string]connectionEntry{},
 	}
 
-	clusterCache, err := cluster.NewClusterCacheInstance(a.redisProxyMsgHandler.redisAddress, a.redisProxyMsgHandler.redisPassword, cacheutil.RedisCompressionGZip)
+	// Create TLS config for cluster cache Redis client (same as for Redis proxy)
+	var clusterCacheTLSConfig *tls.Config = nil
+	if a.redisProxyMsgHandler.redisTLSEnabled {
+		clusterCacheTLSConfig = &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		}
+		if a.redisProxyMsgHandler.redisTLSInsecure {
+			clusterCacheTLSConfig.InsecureSkipVerify = true
+		} else if a.redisProxyMsgHandler.redisTLSCAPath != "" {
+			caCertPEM, err := os.ReadFile(a.redisProxyMsgHandler.redisTLSCAPath)
+			if err != nil {
+				return nil, fmt.Errorf("failed to read CA certificate for cluster cache: %w", err)
+			}
+			certPool := x509.NewCertPool()
+			if !certPool.AppendCertsFromPEM(caCertPEM) {
+				return nil, fmt.Errorf("failed to parse CA certificate for cluster cache from %s", a.redisProxyMsgHandler.redisTLSCAPath)
+			}
+			clusterCacheTLSConfig.RootCAs = certPool
+		}
+	}
+
+	clusterCache, err := cluster.NewClusterCacheInstance(a.redisProxyMsgHandler.redisAddress, a.redisProxyMsgHandler.redisPassword, cacheutil.RedisCompressionGZip, clusterCacheTLSConfig)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create cluster cache instance: %v", err)
 	}

agent/inbound_redis.go

@@ -17,8 +17,10 @@ package agent
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
+	"os"
 	"strings"
 	"sync"
 	"time"
@@ -45,6 +47,11 @@ type redisProxyMsgHandler struct {
 
 	// connections maintains statistics about redis connections from principal
 	connections *connectionEntries
+
+	// Redis TLS configuration
+	redisTLSEnabled  bool
+	redisTLSCAPath   string
+	redisTLSInsecure bool
 }
 
 // connectionEntries maintains statistics about redis connections from principal
@@ -335,6 +342,35 @@ func stripNamespaceFromRedisKey(key string, logCtx *logrus.Entry) (string, error
 func (a *Agent) getRedisClientAndCache() (*redis.Client, *rediscache.Cache, error) {
 	var tlsConfig *tls.Config = nil
 
+	if a.redisProxyMsgHandler.redisTLSEnabled {
+		tlsConfig = &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		}
+
+		if a.redisProxyMsgHandler.redisTLSInsecure {
+			log().Warn("INSECURE: Not verifying Redis TLS certificate")
+			tlsConfig.InsecureSkipVerify = true
+		} else if a.redisProxyMsgHandler.redisTLSCAPath != "" {
+			// Load CA certificate from file
+			caCertPEM, err := os.ReadFile(a.redisProxyMsgHandler.redisTLSCAPath)
+			if err != nil {
+				return nil, nil, fmt.Errorf("failed to read CA certificate: %w", err)
+			}
+
+			// Create a new cert pool and add the CA cert
+			certPool := x509.NewCertPool()
+			if !certPool.AppendCertsFromPEM(caCertPEM) {
+				return nil, nil, fmt.Errorf("failed to parse CA certificate from %s", a.redisProxyMsgHandler.redisTLSCAPath)
+			}
+
+			tlsConfig.RootCAs = certPool
+			log().Debugf("Using CA certificate from %s for Redis TLS", a.redisProxyMsgHandler.redisTLSCAPath)
+		} else {
+			// No CA specified, will use system CAs
+			log().Warn("Redis TLS enabled but no CA certificate specified, using system CAs. This may fail with self-signed certificates.")
+		}
+	}
+
 	opts := &redis.Options{
 		Addr:       a.redisProxyMsgHandler.redisAddress,
 		Password:   a.redisProxyMsgHandler.redisPassword,

agent/options.go

@@ -107,3 +107,27 @@ func WithCacheRefreshInterval(interval time.Duration) AgentOption {
 		return nil
 	}
 }
+
+// WithRedisTLSEnabled enables or disables TLS for Redis connections
+func WithRedisTLSEnabled(enabled bool) AgentOption {
+	return func(o *Agent) error {
+		o.redisProxyMsgHandler.redisTLSEnabled = enabled
+		return nil
+	}
+}
+
+// WithRedisTLSCAPath sets the CA certificate path for Redis TLS
+func WithRedisTLSCAPath(caPath string) AgentOption {
+	return func(o *Agent) error {
+		o.redisProxyMsgHandler.redisTLSCAPath = caPath
+		return nil
+	}
+}
+
+// WithRedisTLSInsecure enables insecure Redis TLS (for testing only)
+func WithRedisTLSInsecure(insecure bool) AgentOption {
+	return func(o *Agent) error {
+		o.redisProxyMsgHandler.redisTLSInsecure = insecure
+		return nil
+	}
+}

agent/outbound_test.go

@@ -461,7 +461,7 @@ func Test_addClusterCacheInfoUpdateToQueue(t *testing.T) {
 	a.emitter = event.NewEventSource("principal")
 
 	// First populate the cache with dummy data
-	clusterMgr, err := cluster.NewManager(a.context, a.namespace, miniRedis.Addr(), "", cacheutil.RedisCompressionGZip, a.kubeClient.Clientset)
+	clusterMgr, err := cluster.NewManager(a.context, a.namespace, miniRedis.Addr(), "", cacheutil.RedisCompressionGZip, a.kubeClient.Clientset, nil)
 	require.NoError(t, err)
 	err = clusterMgr.MapCluster("test-agent", &v1alpha1.Cluster{
 		Name:   "test-cluster",

cmd/argocd-agent/agent.go

@@ -70,6 +70,11 @@ func NewAgentRunCommand() *cobra.Command {
 
 		// Time interval for agent to refresh cluster cache info in principal
 		cacheRefreshInterval time.Duration
+
+		// Redis TLS configuration
+		redisTLSEnabled  bool
+		redisTLSCAPath   string
+		redisTLSInsecure bool
 	)
 	command := &cobra.Command{
 		Use:   "agent",
@@ -176,6 +181,23 @@ func NewAgentRunCommand() *cobra.Command {
 			agentOpts = append(agentOpts, agent.WithRedisUsername(redisUsername))
 			agentOpts = append(agentOpts, agent.WithRedisPassword(redisPassword))
 
+			// Configure Redis TLS
+			agentOpts = append(agentOpts, agent.WithRedisTLSEnabled(redisTLSEnabled))
+			if redisTLSEnabled {
+				// Validate Redis TLS configuration - only one mode allowed
+				if redisTLSInsecure && redisTLSCAPath != "" {
+					cmdutil.Fatal("Only one Redis TLS mode can be specified: --redis-tls-insecure or --redis-tls-ca-path")
+				}
+
+				if redisTLSInsecure {
+					logrus.Warn("INSECURE: Not verifying Redis TLS certificate")
+					agentOpts = append(agentOpts, agent.WithRedisTLSInsecure(true))
+				} else if redisTLSCAPath != "" {
+					logrus.Infof("Loading Redis CA certificate from file %s", redisTLSCAPath)
+					agentOpts = append(agentOpts, agent.WithRedisTLSCAPath(redisTLSCAPath))
+				}
+			}
+
 			agentOpts = append(agentOpts, agent.WithEnableResourceProxy(enableResourceProxy))
 			agentOpts = append(agentOpts, agent.WithCacheRefreshInterval(cacheRefreshInterval))
 
@@ -216,6 +238,17 @@ func NewAgentRunCommand() *cobra.Command {
 		env.StringWithDefault("REDIS_PASSWORD", nil, ""),
 		"The password to connect to redis with")
 
+	// Redis TLS flags
+	command.Flags().BoolVar(&redisTLSEnabled, "redis-tls-enabled",
+		env.BoolWithDefault("ARGOCD_AGENT_REDIS_TLS_ENABLED", false),
+		"Enable TLS for Redis connections")
+	command.Flags().StringVar(&redisTLSCAPath, "redis-tls-ca-path",
+		env.StringWithDefault("ARGOCD_AGENT_REDIS_TLS_CA_PATH", nil, ""),
+		"Path to CA certificate for Redis TLS")
+	command.Flags().BoolVar(&redisTLSInsecure, "redis-tls-insecure",
+		env.BoolWithDefault("ARGOCD_AGENT_REDIS_TLS_INSECURE", false),
+		"INSECURE: Do not verify Redis TLS certificate")
+
 	command.Flags().StringVar(&logFormat, "log-format",
 		env.StringWithDefault("ARGOCD_PRINCIPAL_LOG_FORMAT", nil, "text"),
 		"The log format to use (one of: text, json)")

cmd/argocd-agent/principal.go

@@ -86,6 +86,15 @@ func NewPrincipalRunCommand() *cobra.Command {
 		redisPassword        string
 		redisCompressionType string
 		healthzPort          int
+
+		// Redis TLS configuration
+		redisTLSEnabled              bool
+		redisServerTLSCertPath       string
+		redisServerTLSKeyPath        string
+		redisServerTLSSecretName     string
+		redisUpstreamTLSCAPath       string
+		redisUpstreamTLSCASecretName string
+		redisUpstreamTLSInsecure     bool
 	)
 	var command = &cobra.Command{
 		Use:   "principal",
@@ -246,6 +255,38 @@ func NewPrincipalRunCommand() *cobra.Command {
 			opts = append(opts, principal.WithRedis(redisAddress, redisPassword, redisCompressionType))
 			opts = append(opts, principal.WithHealthzPort(healthzPort))
 
+			// Configure Redis TLS
+			opts = append(opts, principal.WithRedisTLSEnabled(redisTLSEnabled))
+			if redisTLSEnabled {
+				// Redis proxy server TLS (for incoming connections from Argo CD)
+				if redisServerTLSCertPath != "" && redisServerTLSKeyPath != "" {
+					logrus.Infof("Loading Redis proxy server TLS configuration from files cert=%s and key=%s", redisServerTLSCertPath, redisServerTLSKeyPath)
+					opts = append(opts, principal.WithRedisServerTLSFromPath(redisServerTLSCertPath, redisServerTLSKeyPath))
+				} else if (redisServerTLSCertPath != "" && redisServerTLSKeyPath == "") || (redisServerTLSCertPath == "" && redisServerTLSKeyPath != "") {
+					cmdutil.Fatal("Both --redis-server-tls-cert and --redis-server-tls-key have to be given")
+				} else {
+					logrus.Infof("Loading Redis proxy server TLS certificate from secret %s/%s", namespace, redisServerTLSSecretName)
+					opts = append(opts, principal.WithRedisServerTLSFromSecret(kubeConfig.Clientset, namespace, redisServerTLSSecretName))
+				}
+
+				// Validate upstream TLS configuration - insecure and CA path are mutually exclusive
+				if redisUpstreamTLSInsecure && redisUpstreamTLSCAPath != "" {
+					cmdutil.Fatal("Cannot specify both --redis-upstream-tls-insecure and --redis-upstream-ca-path")
+				}
+
+				// Redis upstream TLS (for connections to principal's argocd-redis)
+				if redisUpstreamTLSInsecure {
+					logrus.Warn("INSECURE: Not verifying upstream Redis TLS certificate")
+					opts = append(opts, principal.WithRedisUpstreamTLSInsecure(true))
+				} else if redisUpstreamTLSCAPath != "" {
+					logrus.Infof("Loading Redis upstream CA certificate from file %s", redisUpstreamTLSCAPath)
+					opts = append(opts, principal.WithRedisUpstreamTLSCAFromFile(redisUpstreamTLSCAPath))
+				} else {
+					logrus.Infof("Loading Redis upstream CA certificate from secret %s/%s", namespace, redisUpstreamTLSCASecretName)
+					opts = append(opts, principal.WithRedisUpstreamTLSCAFromSecret(kubeConfig.Clientset, namespace, redisUpstreamTLSCASecretName, "tls.crt"))
+				}
+			}
+
 			s, err := principal.NewServer(ctx, kubeConfig, namespace, opts...)
 			if err != nil {
 				cmdutil.Fatal("Could not create new server instance: %v", err)
@@ -375,6 +416,29 @@ func NewPrincipalRunCommand() *cobra.Command {
 		env.NumWithDefault("ARGOCD_PRINCIPAL_HEALTH_CHECK_PORT", cmdutil.ValidPort, 8003),
 		"Port the health check server will listen on")
 
+	// Redis TLS flags
+	command.Flags().BoolVar(&redisTLSEnabled, "redis-tls-enabled",
+		env.BoolWithDefault("ARGOCD_PRINCIPAL_REDIS_TLS_ENABLED", false),
+		"Enable TLS for Redis connections")
+	command.Flags().StringVar(&redisServerTLSCertPath, "redis-server-tls-cert",
+		env.StringWithDefault("ARGOCD_PRINCIPAL_REDIS_SERVER_TLS_CERT_PATH", nil, ""),
+		"Path to TLS certificate for Redis proxy server")
+	command.Flags().StringVar(&redisServerTLSKeyPath, "redis-server-tls-key",
+		env.StringWithDefault("ARGOCD_PRINCIPAL_REDIS_SERVER_TLS_KEY_PATH", nil, ""),
+		"Path to TLS private key for Redis proxy server")
+	command.Flags().StringVar(&redisServerTLSSecretName, "redis-server-tls-secret-name",
+		env.StringWithDefault("ARGOCD_PRINCIPAL_REDIS_SERVER_TLS_SECRET_NAME", nil, "argocd-redis-tls"),
+		"Secret name containing TLS certificate and key for Redis proxy server")
+	command.Flags().StringVar(&redisUpstreamTLSCAPath, "redis-upstream-ca-path",
+		env.StringWithDefault("ARGOCD_PRINCIPAL_REDIS_UPSTREAM_CA_PATH", nil, ""),
+		"Path to CA certificate for verifying upstream Redis TLS certificate")
+	command.Flags().StringVar(&redisUpstreamTLSCASecretName, "redis-upstream-ca-secret-name",
+		env.StringWithDefault("ARGOCD_PRINCIPAL_REDIS_UPSTREAM_CA_SECRET_NAME", nil, "argocd-redis-tls"),
+		"Secret name containing CA certificate for verifying upstream Redis TLS certificate")
+	command.Flags().BoolVar(&redisUpstreamTLSInsecure, "redis-upstream-tls-insecure",
+		env.BoolWithDefault("ARGOCD_PRINCIPAL_REDIS_UPSTREAM_TLS_INSECURE", false),
+		"INSECURE: Do not verify upstream Redis TLS certificate")
+
 	command.Flags().StringVar(&kubeConfig, "kubeconfig", "", "Path to a kubeconfig file to use")
 	command.Flags().StringVar(&kubeContext, "kubecontext", "", "Override the default kube context")