  1. OpenShift GitOps
  2. GITOPS-8090

Argo CD Agent: Redis proxy should support TLS (inbound and outbound) and be enabled by default


    • To Do
    • SECFLOWOTL-291 - Argo CD Agent: Redis proxy should support TLS (inbound and outbound) and be enabled by default
    • 50% To Do, 50% In Progress, 0% Done

      Epic Goal

      • See https://github.com/argoproj-labs/argocd-agent/issues/454 for details
      • As of this writing, when Argo CD communicates with Argo CD agent, and when Argo CD agent communicates with Redis, that communication is over a plaintext (non-TLS) connection.
      • Use of plaintext in this case enables the possibility of eavesdropping on (or even malicious modification of) Redis traffic.
        • Granted, an internal K8s cluster would generally be considered to be (at least partly) trusted, but this is about defense in depth.
      • Since Redis traffic often contains important data (credentials), it is beneficial to enable TLS on Redis.
      • This epic tracks enabling TLS on Redis, both in Argo CD agent and in gitops-operator/argocd-operator.
      • As discussed on Slack, this means changing the default Redis configuration for Argo CD agent.

              rh-ee-rnaaz Rizwana Naaz
              jgwest Jonathan West
              Scarlet