Skip to content

(#975) Hardening Redis server authn #977

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
arielr-lt wants to merge 12 commits into from
Closed

(#975) Hardening Redis server authn #977

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
d5efa75
#971 - add Argo Workflows manifests
Jan 13, 2026
c37c9fb
add IP restrictions
Jan 13, 2026
7217734
add CE ip add
Jan 13, 2026
3342f77
adapting for staging namespace/environment
Jan 13, 2026
a642f1c
add documentation for triggering a dummy workflow using rest call
Jan 13, 2026
59e323c
adding Postman instructions to triggering a dummy argo workflow
Jan 13, 2026
9879c60
fix wf example
Jan 13, 2026
47283af
Hardening Redis authN #975
Jan 15, 2026
cd7519c
applied redis authN to prod and sandbox #975
Jan 15, 2026
66db76e
removing as this belongs to another PR
Jan 16, 2026
d4e9deb
upgrade Sandbox to redis 8.0
Jan 22, 2026
0a7314a
implement Redis most recent image in staging and production
Jan 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 25 additions & 0 deletions terraform/environments/eks/k8s-manifests-prod/external-secrets-operator.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,3 +15,28 @@ spec:
dataFrom:
- extract:
key: credreg-secrets-eks-production

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: redis-auth
namespace: credreg-prod
spec:
refreshInterval: 1h
secretStoreRef:
name: aws-secret-manager
kind: ClusterSecretStore
target:
name: redis-auth
creationPolicy: Owner
template:
data:
password: "{{ .redis_password }}"
redis-password.conf: |
requirepass {{ .redis_password }}
data:
- secretKey: redis_password
remoteRef:
key: credreg-secrets-eks-production
property: redis-password
8 changes: 4 additions & 4 deletions terraform/environments/eks/k8s-manifests-prod/redis-configmap.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,9 @@ data:
redis.conf: |
bind 0.0.0.0
port 6379
requirepass your_secure_password
appendonly yes
maxmemory 500mb
maxmemory-policy allkeys-lru
appendonly yes
maxmemory 500mb
maxmemory-policy allkeys-lru
tcp-keepalive 300
protected-mode yes
include /run/redis-auth/redis-password.conf
26 changes: 22 additions & 4 deletions terraform/environments/eks/k8s-manifests-prod/redis-deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,15 +26,24 @@ spec:
effect: "NoSchedule"
containers:
- name: redis
image: redis:7.2-alpine # Official Redis image
command: ["redis-server", "/usr/local/etc/redis/redis.conf"]
image: redis:8.0-alpine # Official Redis image
command:
- /bin/sh
- -c
- |
set -euo pipefail
PASS="$(cat /run/redis-auth/password)"
exec redis-server /usr/local/etc/redis/redis.conf --requirepass "$PASS"
ports:
- containerPort: 6379
volumeMounts:
- name: redis-data
mountPath: /data
- name: redis-config
mountPath: /usr/local/etc/redis
- name: redis-auth
mountPath: /run/redis-auth
readOnly: true
resources:
requests:
cpu: "100m"
Expand All @@ -44,18 +53,27 @@ spec:
memory: "1Gi"
livenessProbe:
exec:
command: ["redis-cli", "ping"]
command:
- /bin/sh
- -c
- redis-cli -a "$(cat /run/redis-auth/password)" ping
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
exec:
command: ["redis-cli", "ping"]
command:
- /bin/sh
- -c
- redis-cli -a "$(cat /run/redis-auth/password)" ping
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: redis-config
configMap:
name: redis-config
- name: redis-auth
secret:
secretName: redis-auth
volumeClaimTemplates:
- metadata:
name: redis-data
Expand Down
25 changes: 25 additions & 0 deletions terraform/environments/eks/k8s-manifests-sandbox/external-secrets-operator.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,3 +50,28 @@ spec:
dataFrom:
- extract:
key: credreg-secrets-eks-sandbox

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: redis-auth
namespace: credreg-sandbox
spec:
refreshInterval: 1h
secretStoreRef:
name: aws-secret-manager
kind: ClusterSecretStore
target:
name: redis-auth
creationPolicy: Owner
template:
data:
password: "{{ .redis_password }}"
redis-password.conf: |
requirepass {{ .redis_password }}
data:
- secretKey: redis_password
remoteRef:
key: credreg-secrets-eks-sandbox
property: redis-password
8 changes: 4 additions & 4 deletions terraform/environments/eks/k8s-manifests-sandbox/redis-configmap.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,9 @@ data:
redis.conf: |
bind 0.0.0.0
port 6379
requirepass your_secure_password
appendonly yes
maxmemory 500mb
maxmemory-policy allkeys-lru
appendonly yes
maxmemory 500mb
maxmemory-policy allkeys-lru
tcp-keepalive 300
protected-mode yes
include /run/redis-auth/redis-password.conf
26 changes: 22 additions & 4 deletions terraform/environments/eks/k8s-manifests-sandbox/redis-deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,15 +26,24 @@ spec:
effect: "NoSchedule"
containers:
- name: redis
image: redis:7.2-alpine # Official Redis image
command: ["redis-server", "/usr/local/etc/redis/redis.conf"]
image: redis:8.0-alpine # Official Redis image
command:
- /bin/sh
- -c
- |
set -euo pipefail
PASS="$(cat /run/redis-auth/password)"
exec redis-server /usr/local/etc/redis/redis.conf --requirepass "$PASS"
ports:
- containerPort: 6379
volumeMounts:
- name: redis-data
mountPath: /data
- name: redis-config
mountPath: /usr/local/etc/redis
- name: redis-auth
mountPath: /run/redis-auth
readOnly: true
resources:
requests:
cpu: "100m"
Expand All @@ -44,18 +53,27 @@ spec:
memory: "1Gi"
livenessProbe:
exec:
command: ["redis-cli", "ping"]
command:
- /bin/sh
- -c
- redis-cli -a "$(cat /run/redis-auth/password)" ping
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
exec:
command: ["redis-cli", "ping"]
command:
- /bin/sh
- -c
- redis-cli -a "$(cat /run/redis-auth/password)" ping
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: redis-config
configMap:
name: redis-config
- name: redis-auth
secret:
secretName: redis-auth
volumeClaimTemplates:
- metadata:
name: redis-data
Expand Down
25 changes: 25 additions & 0 deletions terraform/environments/eks/k8s-manifests-staging/external-secrets-operator.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,3 +50,28 @@ spec:
dataFrom:
- extract:
key: credreg-secrets-eks-staging

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: redis-auth
namespace: credreg-staging
spec:
refreshInterval: 1h
secretStoreRef:
name: aws-secret-manager
kind: ClusterSecretStore
target:
name: redis-auth
creationPolicy: Owner
template:
data:
password: "{{ .redis_password }}"
redis-password.conf: |
requirepass {{ .redis_password }}
data:
- secretKey: redis_password
remoteRef:
key: credreg-secrets-eks-staging
property: redis-password
2 changes: 1 addition & 1 deletion terraform/environments/eks/k8s-manifests-staging/redis-configmap.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,9 @@ data:
redis.conf: |
bind 0.0.0.0
port 6379
requirepass your_secure_password
appendonly yes
maxmemory 500mb
maxmemory-policy allkeys-lru
tcp-keepalive 300
protected-mode yes
include /run/redis-auth/redis-password.conf
26 changes: 22 additions & 4 deletions terraform/environments/eks/k8s-manifests-staging/redis-deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,15 +26,24 @@ spec:
effect: "NoSchedule"
containers:
- name: redis
image: redis:7.2-alpine # Official Redis image
command: ["redis-server", "/usr/local/etc/redis/redis.conf"]
image: redis:8.0-alpine # Official Redis image
command:
- /bin/sh
- -c
- |
set -euo pipefail
PASS="$(cat /run/redis-auth/password)"
exec redis-server /usr/local/etc/redis/redis.conf --requirepass "$PASS"
ports:
- containerPort: 6379
volumeMounts:
- name: redis-data
mountPath: /data
- name: redis-config
mountPath: /usr/local/etc/redis
- name: redis-auth
mountPath: /run/redis-auth
readOnly: true
resources:
requests:
cpu: "100m"
Expand All @@ -44,18 +53,27 @@ spec:
memory: "1Gi"
livenessProbe:
exec:
command: ["redis-cli", "ping"]
command:
- /bin/sh
- -c
- redis-cli -a "$(cat /run/redis-auth/password)" ping
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
exec:
command: ["redis-cli", "ping"]
command:
- /bin/sh
- -c
- redis-cli -a "$(cat /run/redis-auth/password)" ping
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: redis-config
configMap:
name: redis-config
- name: redis-auth
secret:
secretName: redis-auth
volumeClaimTemplates:
- metadata:
name: redis-data
Expand Down
Loading