OpenShift GitOps / GITOPS-8836

Argo CD Agent: Redis proxy should support TLS (inbound and outbound) and be enabled by default


    • Feature
    • Resolution: Unresolved
    • GITOPS-8830 Multi-cluster GitOps - UMBRELLA - Post GA
    • 0% To Do, 100% In Progress, 0% Done

      Feature Overview

      Goals

      As of this writing, when Argo CD communicates with the Argo CD agent, and when the Argo CD agent communicates with Redis, that communication is over a plaintext (non-TLS) connection.

      Using plaintext in this case makes it possible to eavesdrop on (or even maliciously modify) Redis traffic.

      • Granted, an internal K8s cluster would generally be considered to be (at least partly) trusted, but this is about defense in depth.

      Since Redis traffic often contains important data (credentials), it is beneficial to enable TLS on Redis.

      Requirements

      | Requirements | Notes | IS MVP |
      | Redis TLS enabled by default in upstream Argo CD Agent | | |
      | Redis TLS enabled by default in OpenShift GitOps for Argo CD Agent installs | | |

      <links>

      Definition of Ready

      • The objectives of the feature are clearly defined and aligned with the business strategy.
      • All feature requirements have been clearly defined by Product Owners.
      • The feature has been broken down into epics.
      • The feature has been stack ranked.
      • Definition of the business outcome is in the Outcome Jira (which must have a parent Jira).

              rh-ee-rnaaz Rizwana Naaz
              jgwest Jonathan West