feat: redis TLS encryption enabled by default for all connections

Assisted-by: Cursor
Signed-off-by: Rizwana777 <rizwananaaz177@gmail.com>

Author: Rizwana777

Makefile

@@ -72,6 +72,7 @@ endif
 ifneq (${ARGOCD_AGENT_IN_CLUSTER},)
 	./hack/dev-env/restart-all.sh
 endif
+	./hack/dev-env/setup-e2e-enable-redis-tls.sh
 
 .PHONY: teardown-e2e
 teardown-e2e:

agent/agent.go

@@ -41,6 +41,7 @@ import (
 	"github.com/argoproj-labs/argocd-agent/internal/metrics"
 	"github.com/argoproj-labs/argocd-agent/internal/queue"
 	"github.com/argoproj-labs/argocd-agent/internal/resources"
+	"github.com/argoproj-labs/argocd-agent/internal/tlsutil"
 	"github.com/argoproj-labs/argocd-agent/internal/version"
 	"github.com/argoproj-labs/argocd-agent/pkg/client"
 	"github.com/argoproj-labs/argocd-agent/pkg/types"
@@ -171,6 +172,10 @@ func NewAgent(ctx context.Context, client *kube.KubernetesClient, namespace stri
 		return nil, fmt.Errorf("remote not defined")
 	}
 
+	if a.cacheRefreshInterval == 0 {
+		return nil, fmt.Errorf("cache refresh interval not set")
+	}
+
 	a.kubeClient = client
 
 	// Initial state of the agent is disconnected
@@ -330,7 +335,20 @@ func NewAgent(ctx context.Context, client *kube.KubernetesClient, namespace stri
 		connMap: map[string]connectionEntry{},
 	}
 
-	clusterCache, err := cluster.NewClusterCacheInstance(a.redisProxyMsgHandler.redisAddress, a.redisProxyMsgHandler.redisPassword, cacheutil.RedisCompressionGZip)
+	// Create TLS config for cluster cache Redis client (same as for Redis proxy)
+	clusterCacheTLSConfig, err := tlsutil.CreateRedisTLSConfig(
+		a.redisProxyMsgHandler.redisTLSEnabled,
+		a.redisProxyMsgHandler.redisAddress,
+		a.redisProxyMsgHandler.redisTLSInsecure,
+		a.redisProxyMsgHandler.redisTLSCA,
+		a.redisProxyMsgHandler.redisTLSCAPath,
+		"cluster cache",
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	clusterCache, err := cluster.NewClusterCacheInstance(a.redisProxyMsgHandler.redisAddress, a.redisProxyMsgHandler.redisPassword, cacheutil.RedisCompressionGZip, clusterCacheTLSConfig)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create cluster cache instance: %v", err)
 	}

agent/agent_test.go

@@ -19,6 +19,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"testing"
+	"time"
 
 	"github.com/sirupsen/logrus"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -34,14 +35,14 @@ func newAgent(t *testing.T, apps ...runtime.Object) (*Agent, *kube.KubernetesCli
 	kubec := fakekube.NewKubernetesFakeClientWithApps("argocd", apps...)
 	remote, err := client.NewRemote("127.0.0.1", 8080)
 	require.NoError(t, err)
-	agent, err := NewAgent(context.TODO(), kubec, "argocd", WithRemote(remote))
+	agent, err := NewAgent(context.TODO(), kubec, "argocd", WithRemote(remote), WithCacheRefreshInterval(10*time.Second))
 	require.NoError(t, err)
 	return agent, kubec
 }
 
 func Test_NewAgent(t *testing.T) {
 	kubec := fakekube.NewKubernetesFakeClientWithApps("agent")
-	agent, err := NewAgent(context.TODO(), kubec, "agent", WithRemote(&client.Remote{}))
+	agent, err := NewAgent(context.TODO(), kubec, "agent", WithRemote(&client.Remote{}), WithCacheRefreshInterval(10*time.Second))
 	require.NotNil(t, agent)
 	require.NoError(t, err)
 }

agent/filters_test.go

@@ -17,6 +17,7 @@ package agent
 import (
 	"context"
 	"testing"
+	"time"
 
 	"github.com/argoproj-labs/argocd-agent/internal/config"
 	"github.com/argoproj-labs/argocd-agent/pkg/client"
@@ -32,7 +33,7 @@ func TestDefaultAppFilterChain_SkipSyncLabel(t *testing.T) {
 	kubec := fakekube.NewKubernetesFakeClientWithApps("argocd")
 	remote, err := client.NewRemote("127.0.0.1", 8080)
 	require.NoError(t, err)
-	agent, err := NewAgent(context.TODO(), kubec, "argocd", WithRemote(remote))
+	agent, err := NewAgent(context.TODO(), kubec, "argocd", WithRemote(remote), WithCacheRefreshInterval(10*time.Second))
 	require.NoError(t, err)
 
 	filterChain := agent.DefaultAppFilterChain()
@@ -152,7 +153,8 @@ func TestDefaultAppFilterChain_NamespaceAndSkipSyncInteraction(t *testing.T) {
 	// Create agent with multiple allowed namespaces
 	agent, err := NewAgent(context.TODO(), kubec, "argocd",
 		WithRemote(remote),
-		WithAllowedNamespaces("argocd", "apps", "staging"))
+		WithAllowedNamespaces("argocd", "apps", "staging"),
+		WithCacheRefreshInterval(10*time.Second))
 	require.NoError(t, err)
 
 	filterChain := agent.DefaultAppFilterChain()
@@ -216,7 +218,7 @@ func TestDefaultAppFilterChain_ProcessChange(t *testing.T) {
 	kubec := fakekube.NewKubernetesFakeClientWithApps("argocd")
 	remote, err := client.NewRemote("127.0.0.1", 8080)
 	require.NoError(t, err)
-	agent, err := NewAgent(context.TODO(), kubec, "argocd", WithRemote(remote))
+	agent, err := NewAgent(context.TODO(), kubec, "argocd", WithRemote(remote), WithCacheRefreshInterval(10*time.Second))
 	require.NoError(t, err)
 
 	filterChain := agent.DefaultAppFilterChain()

agent/inbound_redis.go

@@ -16,7 +16,7 @@ package agent
 
 import (
 	"context"
-	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"strings"
@@ -25,6 +25,7 @@ import (
 
 	"github.com/argoproj-labs/argocd-agent/internal/event"
 	"github.com/argoproj-labs/argocd-agent/internal/logging/logfields"
+	"github.com/argoproj-labs/argocd-agent/internal/tlsutil"
 	rediscache "github.com/go-redis/cache/v9"
 	"github.com/redis/go-redis/v9"
 	"github.com/redis/go-redis/v9/maintnotifications"
@@ -45,6 +46,12 @@ type redisProxyMsgHandler struct {
 
 	// connections maintains statistics about redis connections from principal
 	connections *connectionEntries
+
+	// Redis TLS configuration
+	redisTLSEnabled  bool
+	redisTLSCAPath   string
+	redisTLSCA       *x509.CertPool // CA cert pool loaded from secret
+	redisTLSInsecure bool
 }
 
 // connectionEntries maintains statistics about redis connections from principal
@@ -333,7 +340,18 @@ func stripNamespaceFromRedisKey(key string, logCtx *logrus.Entry) (string, error
 }
 
 func (a *Agent) getRedisClientAndCache() (*redis.Client, *rediscache.Cache, error) {
-	var tlsConfig *tls.Config = nil
+	// Create TLS config for Redis client
+	tlsConfig, err := tlsutil.CreateRedisTLSConfig(
+		a.redisProxyMsgHandler.redisTLSEnabled,
+		a.redisProxyMsgHandler.redisAddress,
+		a.redisProxyMsgHandler.redisTLSInsecure,
+		a.redisProxyMsgHandler.redisTLSCA,
+		a.redisProxyMsgHandler.redisTLSCAPath,
+		"Redis client",
+	)
+	if err != nil {
+		return nil, nil, err
+	}
 
 	opts := &redis.Options{
 		Addr:       a.redisProxyMsgHandler.redisAddress,

agent/options.go

@@ -15,9 +15,13 @@
 package agent
 
 import (
+	"context"
 	"fmt"
 	"time"
 
+	"k8s.io/client-go/kubernetes"
+
+	"github.com/argoproj-labs/argocd-agent/internal/tlsutil"
 	"github.com/argoproj-labs/argocd-agent/pkg/client"
 	"github.com/argoproj-labs/argocd-agent/pkg/types"
 )
@@ -114,3 +118,39 @@ func WithHeartbeatInterval(interval time.Duration) AgentOption {
 		return nil
 	}
 }
+
+// WithRedisTLSEnabled enables or disables TLS for Redis connections
+func WithRedisTLSEnabled(enabled bool) AgentOption {
+	return func(o *Agent) error {
+		o.redisProxyMsgHandler.redisTLSEnabled = enabled
+		return nil
+	}
+}
+
+// WithRedisTLSCAPath sets the CA certificate path for Redis TLS
+func WithRedisTLSCAPath(caPath string) AgentOption {
+	return func(o *Agent) error {
+		o.redisProxyMsgHandler.redisTLSCAPath = caPath
+		return nil
+	}
+}
+
+// WithRedisTLSCAFromSecret loads the CA certificate from a Kubernetes secret for Redis TLS
+func WithRedisTLSCAFromSecret(kube kubernetes.Interface, namespace, name, field string) AgentOption {
+	return func(o *Agent) error {
+		pool, err := tlsutil.X509CertPoolFromSecret(context.Background(), kube, namespace, name, field)
+		if err != nil {
+			return err
+		}
+		o.redisProxyMsgHandler.redisTLSCA = pool
+		return nil
+	}
+}
+
+// WithRedisTLSInsecure enables insecure Redis TLS (for testing only)
+func WithRedisTLSInsecure(insecure bool) AgentOption {
+	return func(o *Agent) error {
+		o.redisProxyMsgHandler.redisTLSInsecure = insecure
+		return nil
+	}
+}

agent/outbound_test.go

@@ -3,6 +3,7 @@ package agent
 import (
 	"context"
 	"testing"
+	"time"
 
 	"github.com/alicebob/miniredis/v2"
 	"github.com/argoproj-labs/argocd-agent/internal/argocd/cluster"
@@ -454,14 +455,14 @@ func Test_addClusterCacheInfoUpdateToQueue(t *testing.T) {
 	remote, err := client.NewRemote("127.0.0.1", 8080)
 	require.NoError(t, err)
 
-	a, err := NewAgent(context.TODO(), kubec, "argocd", WithRemote(remote), WithRedisHost(miniRedis.Addr()))
+	a, err := NewAgent(context.TODO(), kubec, "argocd", WithRemote(remote), WithRedisHost(miniRedis.Addr()), WithCacheRefreshInterval(10*time.Second))
 	require.NoError(t, err)
 
 	a.remote.SetClientID("agent")
 	a.emitter = event.NewEventSource("principal")
 
 	// First populate the cache with dummy data
-	clusterMgr, err := cluster.NewManager(a.context, a.namespace, miniRedis.Addr(), "", cacheutil.RedisCompressionGZip, a.kubeClient.Clientset)
+	clusterMgr, err := cluster.NewManager(a.context, a.namespace, miniRedis.Addr(), "", cacheutil.RedisCompressionGZip, a.kubeClient.Clientset, nil)
 	require.NoError(t, err)
 	err = clusterMgr.MapCluster("test-agent", &v1alpha1.Cluster{
 		Name:   "test-cluster",

cmd/argocd-agent/agent.go

@@ -80,6 +80,11 @@ func NewAgentRunCommand() *cobra.Command {
 		// OpenTelemetry configuration
 		otlpAddress  string
 		otlpInsecure bool
+		// Redis TLS configuration
+		redisTLSEnabled      bool
+		redisTLSCAPath       string
+		redisTLSCASecretName string
+		redisTLSInsecure     bool
 	)
 	command := &cobra.Command{
 		Use:   "agent",
@@ -207,6 +212,40 @@ func NewAgentRunCommand() *cobra.Command {
 			agentOpts = append(agentOpts, agent.WithRedisUsername(redisUsername))
 			agentOpts = append(agentOpts, agent.WithRedisPassword(redisPassword))
 
+			// Configure Redis TLS
+			agentOpts = append(agentOpts, agent.WithRedisTLSEnabled(redisTLSEnabled))
+			if redisTLSEnabled {
+				// Validate Redis TLS configuration - only one mode can be specified
+				// This validation works for both CLI flags and environment variables
+				modesSet := 0
+				if redisTLSInsecure {
+					modesSet++
+				}
+				if redisTLSCAPath != "" {
+					modesSet++
+				}
+				// For secret name: count it if explicitly set (CLI) or if set to non-default value (env var)
+				// This allows the default secret name to be used as a fallback when no mode is explicitly specified
+				if c.Flags().Changed("redis-tls-ca-secret-name") || (redisTLSCASecretName != "" && redisTLSCASecretName != "argocd-redis-tls") {
+					modesSet++
+				}
+				if modesSet > 1 {
+					cmdutil.Fatal("Only one Redis TLS mode can be specified: --redis-tls-insecure, --redis-tls-ca-path, or --redis-tls-ca-secret-name")
+				}
+
+				// Redis TLS (for connections to agent's argocd-redis)
+				if redisTLSInsecure {
+					logrus.Warn("INSECURE: Not verifying Redis TLS certificate")
+					agentOpts = append(agentOpts, agent.WithRedisTLSInsecure(true))
+				} else if redisTLSCAPath != "" {
+					logrus.Infof("Loading Redis CA certificate from file %s", redisTLSCAPath)
+					agentOpts = append(agentOpts, agent.WithRedisTLSCAPath(redisTLSCAPath))
+				} else {
+					logrus.Infof("Loading Redis CA certificate from secret %s/%s", namespace, redisTLSCASecretName)
+					agentOpts = append(agentOpts, agent.WithRedisTLSCAFromSecret(kubeConfig.Clientset, namespace, redisTLSCASecretName, "ca.crt"))
+				}
+			}
+
 			agentOpts = append(agentOpts, agent.WithEnableResourceProxy(enableResourceProxy))
 			agentOpts = append(agentOpts, agent.WithCacheRefreshInterval(cacheRefreshInterval))
 			agentOpts = append(agentOpts, agent.WithHeartbeatInterval(heartbeatInterval))
@@ -248,6 +287,20 @@ func NewAgentRunCommand() *cobra.Command {
 		env.StringWithDefault("REDIS_PASSWORD", nil, ""),
 		"The password to connect to redis with")
 
+	// Redis TLS flags
+	command.Flags().BoolVar(&redisTLSEnabled, "redis-tls-enabled",
+		env.BoolWithDefault("ARGOCD_AGENT_REDIS_TLS_ENABLED", true),
+		"Enable TLS for Redis connections (enabled by default for security)")
+	command.Flags().StringVar(&redisTLSCAPath, "redis-tls-ca-path",
+		env.StringWithDefault("ARGOCD_AGENT_REDIS_TLS_CA_PATH", nil, ""),
+		"Path to CA certificate for Redis TLS (for local development)")
+	command.Flags().StringVar(&redisTLSCASecretName, "redis-tls-ca-secret-name",
+		env.StringWithDefault("ARGOCD_AGENT_REDIS_TLS_CA_SECRET_NAME", nil, "argocd-redis-tls"),
+		"Secret name containing CA certificate for Redis TLS (for production deployment)")
+	command.Flags().BoolVar(&redisTLSInsecure, "redis-tls-insecure",
+		env.BoolWithDefault("ARGOCD_AGENT_REDIS_TLS_INSECURE", false),
+		"INSECURE: Do not verify Redis TLS certificate")
+
 	command.Flags().StringVar(&logFormat, "log-format",
 		env.StringWithDefault("ARGOCD_PRINCIPAL_LOG_FORMAT", nil, "text"),
 		"The log format to use (one of: text, json)")