stacklok / toolhive / 23008849893
64%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 554
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 64.331% (+0.07%) from 64.264%
23008849893

push

github

web-flow 
Add TLS support for Redis connections (#4068)

* Add TLS support for Redis/Valkey connections

Add tlsEnabled field to RedisStorageConfig CRD, propagated through
RunConfig to the Redis FailoverClient. When enabled, the go-redis
client connects with TLS (min version 1.2), which is required when
the Redis/Valkey cluster has transit encryption enabled.

Changes span the full config pipeline: CRD → operator conversion →
RunConfig → runtime RedisConfig → redis.FailoverOptions.TLSConfig.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Regenerate swagger docs for tlsEnabled field

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Replace tlsEnabled with separate TLS configs for master and sentinel

Replace the simple tlsEnabled bool with structured TLS configuration
that supports separate settings for Redis master and Sentinel
connections. This is needed because:

- Sentinel emulators typically use self-signed certificates
- ElastiCache masters use Amazon CA certificates
- go-redis applies a single TLSConfig to both connection types

The new config allows:
- Per-connection TLS enable/disable
- Per-connection InsecureSkipVerify (for self-signed sentinel certs)
- Per-connection CA certificate via SecretKeyRef (CRD) or file path
  (RunConfig)

Uses a custom Dialer on FailoverOptions to apply the correct TLS
config based on whether the target address is a sentinel or master.

Example CRD usage:
  redis:
    tls:
      enabled: true
    sentinelTls:
      enabled: true
      insecureSkipVerify: true

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Mount Redis TLS CA certs as volumes in proxy pods

Wire caCertSecretRef through from the CRD to the proxy pod spec by
generating Secret-backed volumes in GenerateAuthServerVolumes. The
CA cert file paths are set in the RunConfig so the runner can read
them at startup.

Master CA cert mounts to /etc/toolhive/authserver/redis-tls/ca.crt
Sentinel CA cer... (continued)

132 of 173 new or added lines in 4 files covered. (76.3%)

9 existing lines in 3 files now uncovered.

48623 of 75582 relevant lines covered (64.33%)

72.52 hits per line

New Missed Lines in Diff

Lines Coverage File
3
83.26
 0.78% pkg/authserver/storage/redis.go
4
88.73
 -0.3% pkg/authserver/runner/embeddedauthserver.go
10
90.71
 -1.18% cmd/thv-operator/pkg/controllerutil/authserver.go
24
34.76
 -0.41% cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go

Uncovered Existing Lines

Lines Coverage File
2
71.43
 -1.68% pkg/vmcp/k8s/manager.go
3
80.31
 -0.26% pkg/transport/proxy/httpsse/http_proxy.go
4
80.53
 -0.88% pkg/transport/proxy/transparent/transparent_proxy.go
Jobs
ID Job ID Ran Files Coverage
1 23008849893.1 554
64.33
 GitHub Action Run
Source Files on build 23008849893