feat: redis TLS encryption enabled by default for all connections

Assisted-by: Cursor
Signed-off-by: Rizwana777 <[email protected]>

Author: Rizwana777

Makefile

@@ -59,14 +59,23 @@ endif
 	@echo ""
 	@echo "Configuring Redis TLS (required for E2E)..."
 	./hack/dev-env/gen-redis-tls-certs.sh
-	@echo "Step 1: Enabling TLS on Redis servers (creates secrets)..."
+	@echo ""
+	@echo "Configuring each cluster for Redis TLS (Redis + ArgoCD components together)"
+	@echo "Note: Redis and ArgoCD components are configured together per-cluster to avoid"
+	@echo "      connection errors during the transition period."
+	@echo ""
+	@echo "=== Control Plane ==="
 	./hack/dev-env/configure-redis-tls.sh vcluster-control-plane
-	./hack/dev-env/configure-redis-tls.sh vcluster-agent-managed
-	./hack/dev-env/configure-redis-tls.sh vcluster-agent-autonomous
-	@echo "Step 2: Configuring Argo CD components for Redis TLS..."
 	./hack/dev-env/configure-argocd-redis-tls.sh vcluster-control-plane
+	@echo ""
+	@echo "=== Agent Managed ==="
+	./hack/dev-env/configure-redis-tls.sh vcluster-agent-managed
 	./hack/dev-env/configure-argocd-redis-tls.sh vcluster-agent-managed
+	@echo ""
+	@echo "=== Agent Autonomous ==="
+	./hack/dev-env/configure-redis-tls.sh vcluster-agent-autonomous
 	./hack/dev-env/configure-argocd-redis-tls.sh vcluster-agent-autonomous
+	@echo ""
 	@echo " E2E environment ready with Redis TLS enabled (required)"
 
 .PHONY: teardown-e2e

agent/agent.go

@@ -327,6 +327,7 @@ func NewAgent(ctx context.Context, client *kube.KubernetesClient, namespace stri
 			MinVersion: tls.VersionTLS12,
 		}
 		if a.redisProxyMsgHandler.redisTLSInsecure {
+			log().Warn("INSECURE: Not verifying Redis TLS certificate for cluster cache")
 			clusterCacheTLSConfig.InsecureSkipVerify = true
 		} else if a.redisProxyMsgHandler.redisTLSCAPath != "" {
 			caCertPEM, err := os.ReadFile(a.redisProxyMsgHandler.redisTLSCAPath)
@@ -441,20 +442,22 @@ func (a *Agent) Start(ctx context.Context) error {
 
 	// Start the background process of periodic sync of cluster cache info.
 	// This will send periodic updates of Application, Resource and API counts to principal.
-	if a.mode == types.AgentModeManaged {
-		go func() {
-			ticker := time.NewTicker(a.cacheRefreshInterval)
-			defer ticker.Stop()
-			for {
-				select {
-				case <-ticker.C:
-					a.addClusterCacheInfoUpdateToQueue()
-				case <-a.context.Done():
-					return
-				}
+	// Both managed and autonomous agents need to send cluster cache info updates
+	go func() {
+		// Send initial update immediately on startup (don't wait for first ticker)
+		a.addClusterCacheInfoUpdateToQueue()
+
+		ticker := time.NewTicker(a.cacheRefreshInterval)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-ticker.C:
+				a.addClusterCacheInfoUpdateToQueue()
+			case <-a.context.Done():
+				return
 			}
-		}()
-	}
+		}
+	}()
 
 	if a.remote != nil {
 		a.remote.SetClientMode(a.mode)

cmd/argocd-agent/principal.go

@@ -468,7 +468,7 @@ func observer(interval time.Duration) {
 // The secret names where the certificates are stored in are hard-coded at the
 // moment.
 func getResourceProxyTLSConfigFromKube(kubeClient *kube.KubernetesClient, namespace, certName, caName string) (*tls.Config, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
 	proxyCert, err := tlsutil.TLSCertFromSecret(ctx, kubeClient.Clientset, namespace, certName)
 	if err != nil {