feat: redis TLS encryption enabled by default for all connections

Assisted-by: Cursor
Signed-off-by: Rizwana777 <[email protected]>

Author: Rizwana777

Makefile

@@ -59,14 +59,23 @@ endif
 	@echo ""
 	@echo "Configuring Redis TLS (required for E2E)..."
 	./hack/dev-env/gen-redis-tls-certs.sh
-	@echo "Step 1: Enabling TLS on Redis servers (creates secrets)..."
+	@echo ""
+	@echo "Configuring each cluster for Redis TLS (Redis + ArgoCD components together)"
+	@echo "Note: Redis and ArgoCD components are configured together per-cluster to avoid"
+	@echo "      connection errors during the transition period."
+	@echo ""
+	@echo "=== Control Plane ==="
 	./hack/dev-env/configure-redis-tls.sh vcluster-control-plane
-	./hack/dev-env/configure-redis-tls.sh vcluster-agent-managed
-	./hack/dev-env/configure-redis-tls.sh vcluster-agent-autonomous
-	@echo "Step 2: Configuring Argo CD components for Redis TLS..."
 	./hack/dev-env/configure-argocd-redis-tls.sh vcluster-control-plane
+	@echo ""
+	@echo "=== Agent Managed ==="
+	./hack/dev-env/configure-redis-tls.sh vcluster-agent-managed
 	./hack/dev-env/configure-argocd-redis-tls.sh vcluster-agent-managed
+	@echo ""
+	@echo "=== Agent Autonomous ==="
+	./hack/dev-env/configure-redis-tls.sh vcluster-agent-autonomous
 	./hack/dev-env/configure-argocd-redis-tls.sh vcluster-agent-autonomous
+	@echo ""
 	@echo " E2E environment ready with Redis TLS enabled (required)"
 
 .PHONY: teardown-e2e

agent/agent.go

@@ -142,10 +142,11 @@ type AgentOption func(*Agent) error
 // options.
 func NewAgent(ctx context.Context, client *kube.KubernetesClient, namespace string, opts ...AgentOption) (*Agent, error) {
 	a := &Agent{
-		version:      version.New("argocd-agent"),
-		deletions:    manager.NewDeletionTracker(),
-		sourceCache:  cache.NewSourceCache(),
-		inflightLogs: make(map[string]struct{}),
+		version:              version.New("argocd-agent"),
+		deletions:            manager.NewDeletionTracker(),
+		sourceCache:          cache.NewSourceCache(),
+		inflightLogs:         make(map[string]struct{}),
+		cacheRefreshInterval: 30 * time.Second, // Default interval, can be overridden via WithCacheRefreshInterval
 	}
 	a.infStopCh = make(chan struct{})
 	a.namespace = namespace
@@ -331,6 +332,7 @@ func NewAgent(ctx context.Context, client *kube.KubernetesClient, namespace stri
 			MinVersion: tls.VersionTLS12,
 		}
 		if a.redisProxyMsgHandler.redisTLSInsecure {
+			log().Warn("INSECURE: Not verifying Redis TLS certificate for cluster cache")
 			clusterCacheTLSConfig.InsecureSkipVerify = true
 		} else if a.redisProxyMsgHandler.redisTLSCAPath != "" {
 			caCertPEM, err := os.ReadFile(a.redisProxyMsgHandler.redisTLSCAPath)
@@ -445,20 +447,22 @@ func (a *Agent) Start(ctx context.Context) error {
 
 	// Start the background process of periodic sync of cluster cache info.
 	// This will send periodic updates of Application, Resource and API counts to principal.
-	if a.mode == types.AgentModeManaged {
-		go func() {
-			ticker := time.NewTicker(a.cacheRefreshInterval)
-			defer ticker.Stop()
-			for {
-				select {
-				case <-ticker.C:
-					a.addClusterCacheInfoUpdateToQueue()
-				case <-a.context.Done():
-					return
-				}
+	// Both managed and autonomous agents need to send cluster cache info updates
+	go func() {
+		// Send initial update immediately on startup (don't wait for first ticker)
+		a.addClusterCacheInfoUpdateToQueue()
+
+		ticker := time.NewTicker(a.cacheRefreshInterval)
+		defer ticker.Stop()
+		for {
+			select {
+			case <-ticker.C:
+				a.addClusterCacheInfoUpdateToQueue()
+			case <-a.context.Done():
+				return
 			}
-		}()
-	}
+		}
+	}()
 
 	if a.remote != nil {
 		a.remote.SetClientMode(a.mode)

cmd/argocd-agent/agent.go

@@ -240,8 +240,8 @@ func NewAgentRunCommand() *cobra.Command {
 
 	// Redis TLS flags
 	command.Flags().BoolVar(&redisTLSEnabled, "redis-tls-enabled",
-		env.BoolWithDefault("ARGOCD_AGENT_REDIS_TLS_ENABLED", false),
-		"Enable TLS for Redis connections")
+		env.BoolWithDefault("ARGOCD_AGENT_REDIS_TLS_ENABLED", true),
+		"Enable TLS for Redis connections (enabled by default for security)")
 	command.Flags().StringVar(&redisTLSCAPath, "redis-tls-ca-path",
 		env.StringWithDefault("ARGOCD_AGENT_REDIS_TLS_CA_PATH", nil, ""),
 		"Path to CA certificate for Redis TLS")

cmd/argocd-agent/principal.go

@@ -95,6 +95,7 @@ func NewPrincipalRunCommand() *cobra.Command {
 		redisUpstreamTLSCAPath       string
 		redisUpstreamTLSCASecretName string
 		redisUpstreamTLSInsecure     bool
+		informerSyncTimeout          time.Duration
 	)
 	var command = &cobra.Command{
 		Use:   "principal",
@@ -255,6 +256,10 @@ func NewPrincipalRunCommand() *cobra.Command {
 			opts = append(opts, principal.WithRedis(redisAddress, redisPassword, redisCompressionType))
 			opts = append(opts, principal.WithHealthzPort(healthzPort))
 
+			if informerSyncTimeout > 0 {
+				opts = append(opts, principal.WithInformerSyncTimeout(informerSyncTimeout))
+			}
+
 			// Configure Redis TLS
 			opts = append(opts, principal.WithRedisTLSEnabled(redisTLSEnabled))
 			if redisTLSEnabled {
@@ -269,9 +274,20 @@ func NewPrincipalRunCommand() *cobra.Command {
 					opts = append(opts, principal.WithRedisServerTLSFromSecret(kubeConfig.Clientset, namespace, redisServerTLSSecretName))
 				}
 
-				// Validate upstream TLS configuration - insecure and CA path are mutually exclusive
-				if redisUpstreamTLSInsecure && redisUpstreamTLSCAPath != "" {
-					cmdutil.Fatal("Cannot specify both --redis-upstream-tls-insecure and --redis-upstream-ca-path")
+				// Validate upstream TLS configuration - only one mode can be specified
+				modesSet := 0
+				if redisUpstreamTLSInsecure {
+					modesSet++
+				}
+				if redisUpstreamTLSCAPath != "" {
+					modesSet++
+				}
+				// Only count non-default secret name to allow default value
+				if redisUpstreamTLSCASecretName != "" && redisUpstreamTLSCASecretName != "argocd-redis-tls" {
+					modesSet++
+				}
+				if modesSet > 1 {
+					cmdutil.Fatal("Only one Redis upstream TLS mode can be specified: --redis-upstream-tls-insecure, --redis-upstream-ca-path, or --redis-upstream-ca-secret-name")
 				}
 
 				// Redis upstream TLS (for connections to principal's argocd-redis)
@@ -415,11 +431,14 @@ func NewPrincipalRunCommand() *cobra.Command {
 	command.Flags().IntVar(&healthzPort, "healthz-port",
 		env.NumWithDefault("ARGOCD_PRINCIPAL_HEALTH_CHECK_PORT", cmdutil.ValidPort, 8003),
 		"Port the health check server will listen on")
+	command.Flags().DurationVar(&informerSyncTimeout, "informer-sync-timeout",
+		env.DurationWithDefault("ARGOCD_PRINCIPAL_INFORMER_SYNC_TIMEOUT", nil, 0),
+		"Timeout for waiting for informers to sync on startup (0 = use default of 60s, increase for slow environments)")
 
 	// Redis TLS flags
 	command.Flags().BoolVar(&redisTLSEnabled, "redis-tls-enabled",
-		env.BoolWithDefault("ARGOCD_PRINCIPAL_REDIS_TLS_ENABLED", false),
-		"Enable TLS for Redis connections")
+		env.BoolWithDefault("ARGOCD_PRINCIPAL_REDIS_TLS_ENABLED", true),
+		"Enable TLS for Redis connections (enabled by default for security)")
 	command.Flags().StringVar(&redisServerTLSCertPath, "redis-server-tls-cert",
 		env.StringWithDefault("ARGOCD_PRINCIPAL_REDIS_SERVER_TLS_CERT_PATH", nil, ""),
 		"Path to TLS certificate for Redis proxy server")
@@ -468,7 +487,7 @@ func observer(interval time.Duration) {
 // The secret names where the certificates are stored in are hard-coded at the
 // moment.
 func getResourceProxyTLSConfigFromKube(kubeClient *kube.KubernetesClient, namespace, certName, caName string) (*tls.Config, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
 	proxyCert, err := tlsutil.TLSCertFromSecret(ctx, kubeClient.Clientset, namespace, certName)
 	if err != nil {

docs/configuration/agent/configuration.md

@@ -80,7 +80,7 @@ The recommended approach for production deployments is to use ConfigMap entries
 - **Description**: Skip verification of remote TLS certificate (INSECURE)
 - **Type**: Boolean
 - **Default**: `false`
-- **Security Warning**: Only use for development purposes
+**Security Warning**: Only use for development purposes
 - **Example**: `"false"`
 
 #### Root CA Secret Name