(#975) Hardening Redis server authn #977
base: master
@arielr-lt Is this Redis StatefulSet for Registry or for Argo?
@rohit-joy this is for the Registry, Argo does not use Redis
@arielr-lt Can you please separate the PRs? Please don't mix Argo files with Redis changes.
Oh gosh! I made that by mistake; I did not mean to do it like that. I will fix it.
@rohit-joy can you review/approve this PR? |
| effect: "NoSchedule" | ||
| containers: | ||
| - name: redis | ||
| image: redis:7.2-alpine # Official Redis image |
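Review bot: the `image: redis:7.2-alpine` line references a mutable tag, so the same manifest can resolve to different image contents as it moves between environments. Pin the image by digest (`redis:<tag>@sha256:<digest>`) when the version is set, so the image that was tested is the image that is promoted; the trailing `# Official Redis image` comment can carry the human-readable version.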
We should be on 8.x, the latest image. See docker-compose for reference.
I can get staging to Redis 8.x for an initial test and then deploy to sandbox and prod. How does that look, @rohit-joy @edgarf?
@arielr-lt that is great, please deploy first to sandbox.
Yeah, deploy to staging, sandbox, then prod. Just to ease everybody's mind about this, we already use 8.x on our end, so we know it works. So this testing should just be a Smoke test. We should try to quickly roll out all the way to prod.
@rohit-joy @mparsons-ce @jeannekitchens @excelsior @edgarf Redis has just been updated to
Adds the Redis hardening changes across every environment: each redis-configmap.yaml now includes a secret-sourced requirepass snippet, the StatefulSet mounts a redis-auth Secret to pass --requirepass to redis-server and authenticate its probes, and the environment’s external-secrets-operator.yaml defines the redis-auth ExternalSecret that pulls redis-password from the existing AWS Secrets Manager entry.
Contributes to: #975
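
One way the wiring described in the PR description can look, as an added example that is not taken from this PR's files. It assumes the password is injected through environment variables rather than a volume mount; the store name, store kind, and Secrets Manager entry name are placeholders.

```yaml
# Added example; values marked "placeholder" are assumptions, not taken from the PR.
apiVersion: external-secrets.io/v1beta1      # use the API version your operator serves
kind: ExternalSecret
metadata:
  name: redis-auth
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore                 # placeholder: may be a namespaced SecretStore
    name: aws-secrets-manager                # placeholder store name
  target:
    name: redis-auth                         # Kubernetes Secret the operator creates
  data:
    - secretKey: redis-password              # key inside the redis-auth Secret
      remoteRef:
        key: PLACEHOLDER-secrets-manager-entry   # placeholder AWS Secrets Manager entry
        property: redis-password             # JSON field read from that entry
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: redis
spec:
  serviceName: redis
  selector:
    matchLabels: {app: redis}
  template:
    metadata:
      labels: {app: redis}
    spec:
      containers:
        - name: redis
          image: redis:7.2-alpine            # tag as shown in the reviewed hunk
          env:
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef: {name: redis-auth, key: redis-password}
            - name: REDISCLI_AUTH            # redis-cli reads its password from this variable
              valueFrom:
                secretKeyRef: {name: redis-auth, key: redis-password}
          # Kubernetes expands $(REDIS_PASSWORD) from the env entries above
          args: ["redis-server", "--requirepass", "$(REDIS_PASSWORD)"]
          readinessProbe:
            exec:
              # Passes only when the authenticated PING returns PONG
              command: ["sh", "-c", "redis-cli ping | grep -q PONG"]
```

Because `--requirepass` is a command-line argument, the expanded password is visible in the process listing inside the container and on the node; loading `requirepass` from a configuration file that redis-server reads keeps it out of the argument list.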