Skip to content

feat(redis): Allow loading credentials from a mounted file path #23487

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 387 commits into from
Closed

feat(redis): Allow loading credentials from a mounted file path #23487

wants to merge 387 commits into from

Conversation

@Mangaal
Copy link
Contributor

@Mangaal Mangaal commented Jun 19, 2025

Description

This PR introduces a more secure method for providing Redis credentials to Argo CD components by allowing them to be loaded from a specified file path. Currently, Redis credentials (password, username, sentinel credentials) are configured via environment variables (e.g., REDIS_PASSWORD). Storing secrets in environment variables is a common practice but can be less secure than using file-based secrets.

This change is backward-compatible. Existing setups using environment variables will continue to work without any modification

Proposed Change
This PR introduces a new mechanism to load Redis credentials from files:

  1. New Environment Variable: A new environment variable, REDIS_CREDS_FILE_PATH, is introduced. This variable should point to a directory where credential files are mounted.
  2. File-Based Credential Loading: When REDIS_CREDS_FILE_PATH is set, Argo CD will attempt to read credentials from the following files within that directory:
    • auth: The password for the main Redis connection.
    • auth_username: The username for the main Redis connection.
    • sentinel_auth: The password for Redis Sentinel connections.
    • sentinel_username: The username for Redis Sentinel connections.
  3. Fallback Logic: The implementation prioritises credentials loaded from the file path. If REDIS_CREDS_FILE_PATH is not set, or if a specific credential file does not exist, the system gracefully falls back to using the corresponding environment variables (REDIS_PASSWORD, REDIS_USERNAME, etc.). This ensures full backward compatibility.

Implementation Details

  1. A new struct redisCreds was added to hold the set of credentials.
  2. A new function loadRedisCredsFromFile(mountPath string) was created to handle the logic of reading the individual credential files from the specified mountPath. It is designed to be resilient to missing files, returning empty strings for any credential that cannot be read.
  3. The AddCacheFlagsToCmd function has been updated to incorporate this new logic. It first checks for the REDIS_CREDS_FILE_PATH environment variable. If present, it calls loadRedisCredsFromFile and then checks if any credentials still need to be populated from the environment variables.

How to Test This Change
Mount the Secret into your Argo CD pods (e.g., argocd-repo-server, argocd-application-controller) and set the new environment variable.

spec:
  template:
    spec:
      containers:
      - name: your-argocd-container
        env:
        - name: REDIS_CREDS_FILE_PATH
          value: "/etc/redis-creds"
        # IMPORTANT: Ensure the old env vars like REDIS_PASSWORD are NOT set
        # to verify the new mechanism is working.
        volumeMounts:
        - name: redis-creds-volume
          mountPath: "/etc/redis-creds"
          readOnly: true
      volumes:
      - name: redis-creds-volume
        secret:
          secretName: argocd-redis-creds

Related Issue

Fixes #20619

@Mangaal Mangaal requested a review from a team as a code owner June 19, 2025 11:15
@bunnyshell
Copy link

bunnyshell bot commented Jun 19, 2025
edited
Loading

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

  • 🚀 /bns:deploy to deploy the environment

anandf
anandf reviewed Jun 19, 2025
View reviewed changes
@Mangaal Mangaal changed the title feat(redis): Allow loading credentials from a mounted file path (wip)feat(redis): Allow loading credentials from a mounted file path Jun 19, 2025
@blakepettersson blakepettersson changed the title (wip)feat(redis): Allow loading credentials from a mounted file path feat(redis): Allow loading credentials from a mounted file path (wip) Jun 19, 2025
@Mangaal Mangaal changed the title feat(redis): Allow loading credentials from a mounted file path (wip) feat(redis): Allow loading credentials from a mounted file path Jun 19, 2025
anandf
anandf approved these changes Jun 19, 2025
View reviewed changes
Copy link
Member

@anandf anandf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@codecov
Copy link

codecov bot commented Jun 19, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 55.10204% with 22 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.36%. Comparing base (12d3f5d) to head (f62ac71).

Files with missing lines Patch % Lines
util/cache/cache.go 55.10% 17 Missing and 5 partials ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##           master   #23487   +/-   ##
=======================================
  Coverage   60.36%   60.36%           
=======================================
  Files         350      350           
  Lines       60036    60070   +34     
=======================================
+ Hits        36242    36264   +22     
- Misses      20877    20894   +17     
+ Partials     2917     2912    -5

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

ishitasequeira
ishitasequeira reviewed Jun 23, 2025
View reviewed changes
Copy link
Member

@ishitasequeira ishitasequeira left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall code looks good!! Can we add some documentation about the feature?

nitishfy
nitishfy reviewed Jun 25, 2025
View reviewed changes
nitishfy
nitishfy reviewed Jun 25, 2025
View reviewed changes
@Mangaal Mangaal requested a review from a team as a code owner June 30, 2025 05:45
@Mangaal Mangaal requested a review from ishitasequeira June 30, 2025 05:51
@Mangaal
Copy link
Contributor Author

Mangaal commented Jun 30, 2025

@ishitasequeira , I have added documentation for the new Redis credentials file-mount feature in the FAQ section.
Please have a look and let me know if any changes are needed.

@Mangaal Mangaal requested a review from nitishfy June 30, 2025 09:47
agaudreault
agaudreault requested changes Jul 4, 2025
View reviewed changes
docs/faq.md

| Variable Name | Description |
|-------------------------|-----------------------------------------------|
| `REDIS_CREDS_FILE_PATH` | Path to the directory containing credential files |
Copy link
Member

@agaudreault agaudreault Jul 4, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR should update the default kustomize manifests in manifests/ to use that variable and mount the argocd-redis secret

Copy link
Contributor Author

@Mangaal Mangaal Jul 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have updated the default kustomize manifests as well as the ha.

@Mangaal Mangaal requested a review from agaudreault July 16, 2025 12:07
@nmirasch
Copy link
Contributor

nmirasch commented Jul 21, 2025

LGTM

@nitishfy nitishfy mentioned this pull request Aug 1, 2025
Closed
6 tasks
dependabot bot and others added 11 commits September 10, 2025 14:22
@dependabot @Mangaal
chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.8.1 to 4.9.0 (
a2010f8 
argoproj#23774)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Mangaal <[email protected]>
@hanxiaop @Mangaal
fix(ui): account detail page crashes for accounts with empty capabili…
19054f4 
…ties (argoproj#23787)

Signed-off-by: xiaopeng <[email protected]>
Signed-off-by: Mangaal <[email protected]>
@Mangaal
update redis init.sh
a7962a2 
Signed-off-by: Mangaal <[email protected]>
@Mangaal
update redis ha overlay to update configmap
5510ccb 
Signed-off-by: Mangaal <[email protected]>
@Mangaal
update redis ha overlay to update configmap in kustomize yaml
8512dd8 
Signed-off-by: Mangaal <[email protected]>
@Mangaal
run make manifest-local
db9c46a 
Signed-off-by: Mangaal <[email protected]>
@warjiang @Mangaal
fix: typo err for GetConditions comment (argoproj#23807)
1dd3a45 
Signed-off-by: warjiang <[email protected]>
Signed-off-by: Mangaal <[email protected]>
@dependabot @Mangaal
chore(deps): bump library/registry from 1fc7de6 to 45fbac2 in /te…
7866233 
…st/container (argoproj#23800)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Mangaal <[email protected]>
@Mangaal
added a new config-map
f2338ee 
Signed-off-by: Mangaal <[email protected]>
@Mangaal
read redis image from redis container
c11e2f0 
Signed-off-by: Mangaal <[email protected]>
@crenshaw-dev @rumstead @Mangaal
fix(repo-server): support .argocd-source.yaml kustomize version (argo…
27042be 
…proj#23643) (argoproj#23644)

Signed-off-by: Michael Crenshaw <[email protected]>
Co-authored-by: rumstead <[email protected]>
Signed-off-by: Mangaal <[email protected]>
Aamir017 and others added 20 commits September 10, 2025 14:32
@Aamir017 @Mangaal
docs: clarify manifest-generate-paths annotation usage without webhoo…
109352e 
…ks (argoproj#24421)

Signed-off-by: Aamir017 <[email protected]>
Signed-off-by: Mangaal <[email protected]>
@gsalamin @Mangaal
docs: Use enabled in application example (argoproj#24448)
355031e 
Signed-off-by: Grégoire Salamin <[email protected]>
Signed-off-by: Mangaal <[email protected]>
@dependabot @Mangaal
chore(deps): bump softprops/action-gh-release from 2.3.2 to 2.3.3 (ar…
53e9e96 
…goproj#24445)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Mangaal <[email protected]>
@dependabot @Mangaal
chore(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0 (argoproj#2…
b65013a 
…4443)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Mangaal <[email protected]>
@dependabot @Mangaal
chore(deps): bump codecov/codecov-action from 5.5.0 to 5.5.1 (argopro…
fe7132a 
…j#24413)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Mangaal <[email protected]>
@FalseDev @Mangaal
docs: Fix cluster bootstrapping documentation (argoproj#24353)
611f13e 
Signed-off-by: Navaneethan <[email protected]>
Signed-off-by: Mangaal <[email protected]>
@Kelketek @Mangaal
docs: Change reference URL for HA manifests to stable. (argoproj#24049)
65c00c9 
Signed-off-by: Fox Danger Piacenti <[email protected]>
Signed-off-by: Mangaal <[email protected]>
@dependabot @Mangaal
chore(deps): bump github.com/prometheus/client_golang from 1.23.0 to …
c54f5f4 
…1.23.2 (argoproj#24442)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Mangaal <[email protected]>
@crenshaw-dev @Mangaal
chore(refactor): use contexts in hydration operations (argoproj#24431)
644d720 
Signed-off-by: Michael Crenshaw <[email protected]>
Signed-off-by: Mangaal <[email protected]>
@dependabot @Mangaal
chore(deps): bump golang.org/x/time from 0.12.0 to 0.13.0 (argoproj#2…
9222515 
…4441)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Mangaal <[email protected]>
@github-actions @Mangaal
[Bot] docs: Update Snyk report (argoproj#24437)
740ee44 
Signed-off-by: CI <[email protected]>
Co-authored-by: CI <[email protected]>
Signed-off-by: Mangaal <[email protected]>
@aborilov @Mangaal
fix: correct post-delete finalizer removal when cluster not found (ar…
7b1d47a 
…goproj#24415)

Signed-off-by: Pavel Aborilov <[email protected]>
Signed-off-by: Mangaal <[email protected]>
@crenshaw-dev @Mangaal
chore(refactor): simplify hydrator manifest generation (argoproj#24427)
1f8d637 
Signed-off-by: Michael Crenshaw <[email protected]>
Signed-off-by: Mangaal <[email protected]>
@nitishfy @agaudreault @Mangaal
fix: change the appset namespace to server namespace when generating …
b27a820 
…appset (argoproj#23900)

Signed-off-by: nitishfy <[email protected]>
Co-authored-by: Alexandre Gaudreault <[email protected]>
Signed-off-by: Mangaal <[email protected]>
@pjiang-dev @Mangaal
chore: bump k8s 1.34 (argoproj#24405)
c5b9d88 
Signed-off-by: Peter Jiang <[email protected]>
Signed-off-by: Mangaal <[email protected]>
@crenshaw-dev @Mangaal
feat(hydrator): parallelize repo-server calls (argoproj#24451) (argop…
59017cd 
…roj#24436)

Signed-off-by: Michael Crenshaw <[email protected]>
Signed-off-by: Mangaal <[email protected]>
@dependabot @Mangaal
chore(deps): bump golang.org/x/oauth2 from 0.30.0 to 0.31.0 (argoproj…
7f9eda0 
…#24444)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Mangaal <[email protected]>
@dependabot @Mangaal
chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0 (argoproj#2…
bc7fa19 
…4472)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Mangaal <[email protected]>
@FourFifthsCode @Mangaal
fix: RunResourceAction: error getting Lua resource action: built-in s…
d6ca70e 
…cript does not exist argoproj#24490  (argoproj#24491)

Signed-off-by: Codey Jenkins <[email protected]>
Signed-off-by: Mangaal <[email protected]>
@Mangaal
empty commit to trigger CI
eb7c25c 
Signed-off-by: Mangaal <[email protected]>
@Mangaal Mangaal force-pushed the secrets-via-volume-mount branch from 174b4a3 to eb7c25c Compare September 10, 2025 09:03
@Mangaal Mangaal requested a review from a team as a code owner September 10, 2025 09:03
@Mangaal
Copy link
Contributor Author

Mangaal commented Sep 17, 2025
edited
Loading

Closing this PR due to rebase issues. I’ve created a new PR with the same fix here: [#24597]. Please continue the discussion/review there.

@Mangaal Mangaal closed this Sep 17, 2025
@Mangaal Mangaal mentioned this pull request Sep 19, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ishitasequeira ishitasequeira Awaiting requested review from ishitasequeira

@nitishfy nitishfy Awaiting requested review from nitishfy

@agaudreault agaudreault Awaiting requested review from agaudreault

1 more reviewer

@anandf anandf anandf approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Read Secrets from Disk as well as from Env