@Mangaal Mangaal commented Sep 17, 2025

Description

This PR introduces a more secure method for providing Redis credentials to Argo CD components by allowing them to be loaded from a specified file path. Currently, Redis credentials (password, username, sentinel credentials) are configured via environment variables (e.g., REDIS_PASSWORD). Storing secrets in environment variables is a common practice but can be less secure than using file-based secrets.

This change is backward-compatible. Existing setups using environment variables will continue to work without any modification.

Proposed Change
This PR introduces a new mechanism to load Redis credentials from files:

  1. New Environment Variable: A new environment variable, REDIS_CREDS_FILE_PATH, is introduced. This variable should point to a directory where credential files are mounted.
  2. File-Based Credential Loading: When REDIS_CREDS_FILE_PATH is set, Argo CD will attempt to read credentials from the following files within that directory:
    • auth: The password for the main Redis connection.
    • auth_username: The username for the main Redis connection.
    • sentinel_auth: The password for Redis Sentinel connections.
    • sentinel_username: The username for Redis Sentinel connections.
  3. Fallback Logic: The implementation prioritises credentials loaded from the file path. If REDIS_CREDS_FILE_PATH is not set, or if a specific credential file does not exist, the system gracefully falls back to using the corresponding environment variables (REDIS_PASSWORD, REDIS_USERNAME, etc.). This ensures full backward compatibility.

Implementation Details

  1. A new struct redisCreds was added to hold the set of credentials.
  2. A new function loadRedisCredsFromFile(mountPath string) was created to handle the logic of reading the individual credential files from the specified mountPath. It is designed to be resilient to missing files, returning empty strings for any credential that cannot be read.
  3. The AddCacheFlagsToCmd function has been updated to incorporate this new logic. It first checks for the REDIS_CREDS_FILE_PATH environment variable. If present, it calls loadRedisCredsFromFile and then checks if any credentials still need to be populated from the environment variables.

How to Test This Change
Mount the Secret into your Argo CD pods (e.g., argocd-repo-server, argocd-application-controller) and set the new environment variable.

spec:
  template:
    spec:
      containers:
      - name: your-argocd-container
        env:
        - name: REDIS_CREDS_FILE_PATH
          value: "/etc/redis-creds"
        # IMPORTANT: Ensure the old env vars like REDIS_PASSWORD are NOT set
        # to verify the new mechanism is working.
        volumeMounts:
        - name: redis-creds-volume
          mountPath: "/etc/redis-creds"
          readOnly: true
      volumes:
      - name: redis-creds-volume
        secret:
          secretName: argocd-redis-creds

Related Issue

Fixes #20619
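
The file-then-env precedence described above, as an added Go example that is not the PR's own code: the redisCreds struct and loadRedisCredsFromFile mirror the names in the description, while resolveRedisCreds, the injected getenv, the whitespace trimming, and the REDIS_SENTINEL_PASSWORD / REDIS_SENTINEL_USERNAME variable names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// redisCreds holds the credential set the PR description lists.
type redisCreds struct{ Password, Username, SentinelPassword, SentinelUsername string }

// loadRedisCredsFromFile reads auth, auth_username, sentinel_auth and sentinel_username
// from the mounted secret directory, returning "" for any file that is missing or unreadable.
func loadRedisCredsFromFile(mountPath string) redisCreds {
	read := func(name string) string {
		b, err := os.ReadFile(filepath.Join(mountPath, name))
		if err != nil {
			return "" // the PR's "resilient to missing files" rule: absent file == not provided
		}
		return strings.TrimSpace(string(b)) // trimming a trailing newline is this example's choice
	}
	return redisCreds{Password: read("auth"), Username: read("auth_username"),
		SentinelPassword: read("sentinel_auth"), SentinelUsername: read("sentinel_username")}
}

// resolveRedisCreds applies the PR's precedence: file values win, anything still empty falls back
// to its env var. getenv is injected so this runs offline; the REDIS_SENTINEL_* names are assumed.
func resolveRedisCreds(getenv func(string) string) redisCreds {
	var c redisCreds
	if dir := getenv("REDIS_CREDS_FILE_PATH"); dir != "" {
		c = loadRedisCredsFromFile(dir)
	}
	for dst, env := range map[*string]string{&c.Password: "REDIS_PASSWORD", &c.Username: "REDIS_USERNAME",
		&c.SentinelPassword: "REDIS_SENTINEL_PASSWORD", &c.SentinelUsername: "REDIS_SENTINEL_USERNAME"} {
		if *dst == "" {
			*dst = getenv(env)
		}
	}
	return c
}

func main() { // constructed sample: only "auth" is mounted, so the username must come from env
	dir, _ := os.MkdirTemp("", "redis-creds")
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "auth"), []byte("file-pass\n"), 0o600)
	env := map[string]string{"REDIS_CREDS_FILE_PATH": dir, "REDIS_PASSWORD": "env-pass", "REDIS_USERNAME": "env-user"}
	c := resolveRedisCreds(func(k string) string { return env[k] })
	fmt.Println("password from file:", c.Password == "file-pass", "username from env:", c.Username == "env-user")
}
```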

@Mangaal Mangaal marked this pull request as ready for review September 17, 2025 10:44
@Mangaal Mangaal requested review from a team as code owners September 17, 2025 10:44
Signed-off-by: Mangaal <[email protected]>
(cherry picked from commit 19f73c4)
Signed-off-by: Mangaal <[email protected]>
(cherry picked from commit 56fdbba)
Signed-off-by: Mangaal <[email protected]>
(cherry picked from commit 6faea33)
Signed-off-by: Mangaal <[email protected]>
(cherry picked from commit f078ccc)
Signed-off-by: Mangaal <[email protected]>
(cherry picked from commit 0730071)
Signed-off-by: Mangaal <[email protected]>
(cherry picked from commit d8cb701)
Signed-off-by: Mangaal <[email protected]>
(cherry picked from commit 60055d0)
Signed-off-by: Mangaal <[email protected]>
(cherry picked from commit 11da147)
Signed-off-by: Mangaal <[email protected]>
(cherry picked from commit 9ae4d23)
Signed-off-by: Mangaal <[email protected]>
(cherry picked from commit 01bdb19)
Signed-off-by: Mangaal <[email protected]>
(cherry picked from commit 8aa326f)
…le mount

Signed-off-by: Mangaal <[email protected]>
(cherry picked from commit 3f2e7e8)
Signed-off-by: Mangaal <[email protected]>
(cherry picked from commit a7962a2)
Signed-off-by: Mangaal <[email protected]>
(cherry picked from commit 5510ccb)
Signed-off-by: Mangaal <[email protected]>
(cherry picked from commit f2338ee)
Signed-off-by: Mangaal <[email protected]>
(cherry picked from commit c11e2f0)
- Remove duplicate volumeMounts section

Signed-off-by: Mangaal <[email protected]>
@Mangaal Mangaal force-pushed the secrets-via-volume-mount-clean branch from 115d9b6 to 2026e39 Compare September 17, 2025 12:17
Mangaal commented Oct 16, 2025

Hi @dudinea, I have updated this PR to include only the required code changes for this feature. I will create a separate PR for the documentation and manifest updates.

@Mangaal Mangaal requested a review from dudinea October 17, 2025 17:03
@dudinea dudinea left a comment

Hi @Mangaal! Thank you for the changes you made to the PR!

This PR has been discussed on the last Contributors Experience Meeting: it has been decided to include this functionality for now without the changes in the provided Manifests, just argocd code + docs to allow interested people to use this functionality provided they know to add custom configuration to ArgoCD and Redis.

Could you re-add the relevant part of the FAQ that you wrote?

Please also see my new comment on the code.

After this is addressed I hope it would be possible to commit this feature.

Mangaal commented Oct 22, 2025

Hi @dudinea, I have added documentation explaining how to configure Argo CD components with file-based Redis authentication and have also addressed your previous review comments.
Please take another look when you get a chance.
Thanks again for your time and for reviewing this PR. It would be great if we could get it merged soon.

@Mangaal Mangaal requested a review from dudinea October 22, 2025 16:54
@dudinea dudinea left a comment

Hi! Please see the comments on the files. Otherwise LGTM.
Thanks!

@nitishfy nitishfy left a comment

Thank you! I've left some comments, PTAL.

The Redis password is stored in Kubernetes secret `argocd-redis` with key `auth` in the namespace where Argo CD is installed.
You can config your secret provider to generate Kubernetes secret accordingly.

### Using file-based Redis credentials via `REDIS_CREDS_FILE_PATH`
Also, I think we should find a better place to document this, probably in the operator-manual?

Mangaal commented Oct 27, 2025

Hi @dudinea, could you please take a look at my PR when you have a chance?

@Mangaal Mangaal requested a review from dudinea October 27, 2025 06:31
@nitishfy

Feel free to resolve the comments that you've addressed.

Successfully merging this pull request may close these issues.

Read Secrets from Disk as well as from Env