Skip to content

feat: add Redis NetworkPolicy for agent and principal #574

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jannfis merged 4 commits into from
Oct 2, 2025
Merged

feat: add Redis NetworkPolicy for agent and principal #574

jannfis merged 4 commits into from
Oct 2, 2025

Conversation

@juanxiu
Copy link
Contributor

@juanxiu juanxiu commented Sep 20, 2025
edited
Loading

What does this PR do / why we need it:

This PR adds a NetworkPolicy to enable secure communication between ArgoCD Agent and Redis. Previously, agent pods were unable to connect to Redis due to network restrictions, causing connectivity issues in environments with strict network policies enabled. we have to allow egress traffic to Redis (port 6379/TCP) from both agent and principal pods.

The changes include:

  • Add Helm values and template for agent NetworkPolicy
  • Add kustomize manifest for agent NetworkPolicy
  • Add kustomize manifest for principal NetworkPolicy

Which issue(s) this PR fixes:

Fixes #566

How to test changes / Special notes to the reviewer:

Testing Steps:

  1. Template Validation:

    cd install/helm-repo/argocd-agent-agent
helm template argocd-agent-agent . --values values.yaml -s templates/agent-networkpolicy-redis.yaml | kubectl apply --dry-run=client -f -

  2. Deploy and Verify:

    helm install argocd-agent-agent . --values values.yaml
kubectl get networkpolicy -n <namespace>
kubectl describe networkpolicy allow-agent-to-redis -n <namespace>

  3. Connectivity Test:

    kubectl exec -it <agent-pod> -n <namespace> -- redis-cli -h argocd-redis ping

Special Notes:

  • NetworkPolicy only allows ingress traffic from agent pods to Redis
  • All ports are allowed (Redis default 6379 + any additional ports)
  • Policy is applied to pods matching app.kubernetes.io/name: argocd-redis label
  • Agent pods must have app.kubernetes.io/name: argocd-agent-agent label

Checklist

  • Documentation update is required by this PR (and has been updated) OR no documentation update is required.

@juanxiu
feat(helm): add NetworkPolicy for agent-redis connectivity
a379d22 
- Add NetworkPolicy template for secure agent to redis communication
- Configure pod selectors for argocd-agent-agent and argocd-redis
- Enable network policy by default in values.yaml

Signed-off-by: yeonsoo <[email protected]>
@jannfis
Copy link
Collaborator

jannfis commented Sep 21, 2025

Thanks! However, to fix #566, this change is not complete. The same goes for the principal, and there are kustomize manifests that need to be adapted for both, agent and principal.

@mikeshng
Copy link
Collaborator

mikeshng commented Sep 29, 2025

Thank you for trying to fix this issue @juanxiu ! Could you see @jannfis 's review comment please? Many thanks!

@juanxiu
feat: Add NetworkPolicy for Redis egress to agent and principal
cae1703 
- Add Helm values and template for agent NetworkPolicy
- Add kustomize manifest for agent NetworkPolicy
- Add kustomize manifest for principal NetworkPolicy

Signed-off-by: yeonsoo <[email protected]>
@juanxiu
Copy link
Contributor Author

juanxiu commented Oct 1, 2025

Thanks for the feedback! @jannfis @mikeshng I've added NetworkPolicy for the principal as well, and updated kustomize manifests for both agent and principal.

@juanxiu juanxiu changed the title feat(helm): add NetworkPolicy for agent-redis connectivity feat: add Redis NetworkPolicy for agent and principal Oct 1, 2025
@codecov-commenter
Copy link

codecov-commenter commented Oct 1, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 45.62%. Comparing base (0fa851d) to head (de585c0).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main     #574   +/-   ##
=======================================
  Coverage   45.62%   45.62%           
=======================================
  Files          90       90           
  Lines       12021    12021           
=======================================
  Hits         5485     5485           
  Misses       6091     6091           
  Partials      445      445

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@jannfis
Copy link
Collaborator

jannfis commented Oct 1, 2025

Thanks @juanxiu ! I just saw that the Helm policy type (Ingress) differs from the ones in Kustomize (Egress). Is there a reason for that? I think they really should be the same type. Ideally, given proper Helm values, the Helm and Kustomize results should be the same (or at least, very similar).

@juanxiu
Copy link
Contributor Author

juanxiu commented Oct 2, 2025

@jannfis Good catch! I've updated the Helm template to use Egress instead of Ingress, making it consistent with the kustomize manifests. Both now allow egress traffic from agent pods to Redis on port 6379/TCP.

jannfis
jannfis approved these changes Oct 2, 2025
View reviewed changes
Copy link
Collaborator

@jannfis jannfis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @juanxiu !

LGTM.

@jannfis jannfis merged commit 4e4ee60 into argoproj-labs:main Oct 2, 2025
15 checks passed
@bianbbc87 bianbbc87 mentioned this pull request Oct 16, 2025
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jannfis jannfis jannfis approved these changes

@jgwest jgwest Awaiting requested review from jgwest jgwest is a code owner

@chetan-rns chetan-rns Awaiting requested review from chetan-rns chetan-rns is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Missing NetworkPolicy for accessing Redis

4 participants

@juanxiu @jannfis @mikeshng @codecov-commenter