feat: initial tls support for valkey cluster #133

Merged: sandeepkunusoth merged 3 commits into valkey-io:main from sandeepkunusoth:initial_tls_version_vkc on Apr 20, 2026

sandeepkunusoth (Member) commented Apr 12, 2026

This PR adds initial TLS/SSL Support for Valkey Cluster #59.

Summary

This PR introduces initial TLS support for Valkey clusters (SERVER SIDE).


Changes

  • Adds TLS support for Valkey cluster nodes
  • Updates TLS configuration options in CRD for Certificate references.
  • Updates Valkey configuration to include tls-port, port 0, tls-cert-file, tls-key-file, tls-ca-cert-file
  • Fixed comments from old PR "Added Initial TLS support for ValkeyCluster" #91

Implementation

  • Added TLS configuration fields (TLSConfig and CertificateRef) types to ValkeyClusterSpec.
  • Mounts TLS secrets as volumes into Pod spec
  • Updates liveness, readiness scripts with TLS flags

Testing

  • Add e2e tests for TLS-enabled cluster creation

Next steps

  • This PR only supports using existing certificates in the cluster. We can either use cert manager to create certificate. This will be done as part of a separate PR.
  • cert hot reload during cert renewal

Checklist

Before submitting the PR make sure the following are checked:

  • This Pull Request is related to one issue.
  • Commit message explains what changed and why
  • Tests are added or updated.
  • Documentation files are updated.
  • I have run pre-commit locally (pre-commit run --all-files or hooks on commit)

Signed-off-by: Sandeep Kunusoth <sandeepkunsoth000@gmail.com>
Comment thread api/v1alpha1/valkeycluster_types.go

daanvinken (Contributor) left a comment

Should we have a watcher or use an annotation to make sure cert renewals roll the cluster?

sandeepkunusoth (Member, Author) commented Apr 16, 2026

> Should we have a watcher or use an annotation to make sure cert renewals roll the cluster?

We have added a watcher for secrets managed by cert-manager and a hash annotation to check changes in certs in our internal operator, and performed config set on TLS cert renewals. This can be added in next iterations, as this will be a separate enhancement.

We can also use tls-auto-reload-interval 86400 to automatically reload certs: https://valkey.io/topics/tls/#:~:text=tls%2Dauto%2Dreload%2Dinterval%2086400
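
The hash-annotation approach mentioned in the comment above, sketched as an added example that is not code from this PR or from the operator. The annotation key, the function names and the Secret data keys (`tls.crt`, `ca.crt`) are assumptions; the hash covers only the public certificate fields so that no digest of the private key is written to a pod annotation.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Hypothetical annotation key; the operator's real key (if any) is not on this page.
const tlsHashAnnotation = "example.invalid/tls-cert-hash"

// Public fields only: no digest of tls.key ends up in a pod annotation.
// A renewed certificate always changes tls.crt, so renewals are still detected.
var hashedKeys = []string{"ca.crt", "tls.crt"}

// certHash returns a stable SHA-256 over the public certificate fields.
// Each field is length-prefixed so adjacent values cannot run together.
func certHash(data map[string][]byte) string {
	h := sha256.New()
	for _, k := range hashedKeys {
		fmt.Fprintf(h, "%s:%d:", k, len(data[k]))
		h.Write(data[k])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// withCertHash returns a copy of the pod-template annotations carrying the
// current hash, and whether the stored hash was stale (pods must roll).
func withCertHash(annotations map[string]string, data map[string][]byte) (map[string]string, bool) {
	want := certHash(data)
	out := make(map[string]string, len(annotations)+1)
	for k, v := range annotations {
		out[k] = v
	}
	out[tlsHashAnnotation] = want
	return out, annotations[tlsHashAnnotation] != want
}

func main() {
	// Constructed sample values standing in for a TLS Secret's data.
	v1 := map[string][]byte{"tls.crt": []byte("cert-v1"), "tls.key": []byte("key-v1"), "ca.crt": []byte("ca")}
	v2 := map[string][]byte{"tls.crt": []byte("cert-v2"), "tls.key": []byte("key-v2"), "ca.crt": []byte("ca")}
	ann, _ := withCertHash(nil, v1)
	_, stale := withCertHash(ann, v2)
	fmt.Println("roll after renewal:", stale)
}
```

Because the hash sits on the pod template, a changed value alters the template and triggers a rollout; an operator that prefers in-place reload would compare the hash and issue the config update instead.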

Signed-off-by: sandeep kunusoth <31273507+sandeepkunusoth@users.noreply.github.com>
Comment thread internal/controller/valkeynode_controller.go Outdated
Comment thread internal/controller/valkeynode_controller.go Outdated
Comment thread internal/controller/utils.go
Signed-off-by: Sandeep Kunusoth <sandeepkunsoth000@gmail.com>
sandeepkunusoth changed the title from "initial tls support for valkey cluster" to "feat: initial tls support for valkey cluster" Apr 19, 2026
sandeepkunusoth requested a review from bjosv April 19, 2026 17:37

bjosv (Collaborator) left a comment

LGTM!

sandeepkunusoth merged commit 2b3718a into valkey-io:main Apr 20, 2026
7 checks passed

jdheyburn (Collaborator) commented

One thing missing from this PR is documentation, cc @sandeepkunusoth

jdheyburn pushed a commit that referenced this pull request Apr 22, 2026
…145)

## Description

The merge of #128 (proactive failovers) after #133 (TLS) introduced a
build-breaking call. #133 added a `cluster` parameter to
`getValkeyClusterState`, but #128's new call site at line 445 used the
old signature without it. This causes a compile error on current main.

## Testing

`go build ./...` passes.

Signed-off-by: Daan Vinken <daanvinken@tythus.com>