
(feat) TLS support for ValkeyCluster #59

@sandeepkunusoth

Summary

Add TLS support for Valkey nodes managed by valkey-operator, including:

  • Enable TLS for client traffic, replication traffic, and cluster bus.
  • Support both server-only TLS and mutual TLS (mTLS).
  • Optional mTLS (require client certs).
  • Existing clusters without TLS must behave unchanged (backwards compatible).
  • Update status conditions for missing/invalid TLS secrets.

Follow-ups (optional)

  • Auto-generate certificates via cert-manager
  • Certificate rotation automation

Proposed CRD Spec Changes

Add an optional spec.tls:

apiVersion: valkey.io/v1alpha1
kind: ValkeyCluster
metadata:
  name: valkeycluster-tls
spec:
  shards: 3
  replicas: 0
  tls:
    # Enable TLS
    enabled: false

    # Name of the Secret containing TLS keys (required when enabled=true)
    existingSecret: ""

    # Secret key name containing server public certificate (default=server.crt)
    cert: server.crt

    # Secret key name containing server private key (default=server.key)
    key: server.key

    # Secret key name containing Certificate Authority public certificate (default=ca.crt)
    ca: ca.crt

    # Require that clients authenticate with a certificate (mTLS)
    requireClientCertificate: false

    # Future mode: cert-manager issuerRef (optional, follow-up)
    issuerRef:
      name: my-issuer
      kind: ClusterIssuer

Validation

  • Backwards compatible: spec.tls omitted => current behavior.
  • If tls.enabled=true:
    • Must specify either existingSecret or issuerRef (not both).
    • If existingSecret is used:
      • Secret must contain keys: <cert>, <key>, <ca> (using the configured names).
  • Defaults:
    • cert=server.crt, key=server.key, ca=ca.crt
    • requireClientCertificate=false

Acceptance Criteria

Backwards compatibility

  • If spec.tls is omitted or tls.enabled=false, behavior is unchanged.

TLS (server-only)

  • With tls.enabled=true and requireClientCertificate=false, pods become Ready.
  • TLS client connections succeed (PING/SET/GET via TLS).
  • Replication + cluster bus use TLS (where applicable).

mTLS

  • With requireClientCertificate=true, clients without cert are rejected.
  • Clients with valid cert can connect and perform basic ops.

Status + validation

  • Missing/invalid secret surfaces a clear status condition + event.
  • Missing keys in secret surfaces which keys are missing.
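As an added example (not the operator's own code), a Go sketch of the Validation rules above and of the "surfaces which keys are missing" status check: the `TLSSpec`/`IssuerRef` types and the function names are hypothetical, and an `issuerRef` counts as set when its `name` is non-empty.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// IssuerRef and TLSSpec mirror the proposed spec.tls (hypothetical types, not the operator's API).
type IssuerRef struct{ Name, Kind string }
type TLSSpec struct {
	Enabled        bool
	ExistingSecret string
	Cert, Key, CA  string // Secret key names; "" means use the documented default
	IssuerRef      *IssuerRef
}

// ValidateTLSSpec applies the defaults and enforces the rules: nil or enabled=false is
// always valid (unchanged behaviour); enabled=true needs exactly one of existingSecret/issuerRef.
func ValidateTLSSpec(t *TLSSpec) error {
	if t == nil || !t.Enabled {
		return nil
	}
	for _, f := range []struct{ v *string; d string }{{&t.Cert, "server.crt"}, {&t.Key, "server.key"}, {&t.CA, "ca.crt"}} {
		if *f.v == "" {
			*f.v = f.d
		}
	}
	hasSecret, hasIssuer := t.ExistingSecret != "", t.IssuerRef != nil && t.IssuerRef.Name != ""
	if hasSecret == hasIssuer { // both set, or neither set
		return fmt.Errorf("spec.tls: exactly one of existingSecret or issuerRef is required when enabled=true")
	}
	return nil
}

// CheckSecret verifies the Secret carries the configured cert/key/ca entries; on failure it
// returns an error naming exactly which keys are missing (sorted) for the status condition/event.
func CheckSecret(t *TLSSpec, data map[string][]byte) error {
	var missing []string
	for _, k := range []string{t.Cert, t.Key, t.CA} {
		if len(data[k]) == 0 {
			missing = append(missing, k)
		}
	}
	if len(missing) == 0 {
		return nil
	}
	sort.Strings(missing)
	return fmt.Errorf("secret %q is missing keys: %s", t.ExistingSecret, strings.Join(missing, ", "))
}
```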

Follow-ups (optional)

  • cert-manager integration:
    • If issuerRef set, operator creates Certificate resources and waits for Secret.
  • Certificate rotation automation:
    • Controlled rolling restart when Secret changes (or documented behavior).

Contribution:

  • I’m willing to implement this feature.

Labels

  • enhancement (New feature or request)