fix(common/redis): stop unconditionally skipping TLS certificate verification (#4261)

JoshVanL · cicoyle · web-flow · commit bfbe59f5d252 · 2026-03-31T20:52:17.000Z
Signed-off-by: joshvanl &lt;me@joshvanl.dev&gt;
Co-authored-by: Cassie Coyle &lt;cassie.i.coyle@gmail.com&gt;
diff --git a/bindings/redis/metadata.yaml b/bindings/redis/metadata.yaml
@@ -89,10 +89,17 @@ metadata:
   - name: enableTLS
     type: bool
     required: false
-    description: | 
+    description: |
       If the Redis instance supports TLS; can be configured to be enabled or disabled.
     example: "true"
     default: "false"
+  - name: insecureSkipTLSVerify
+    type: bool
+    required: false
+    description: |
+      Skip TLS certificate verification (insecure). Only use for testing.
+    example: "false"
+    default: "false"
   - name: clientCert
     required: false
     description: Client certificate for Redis host. No Default. Can be secretKeyRef to use a secret reference
diff --git a/common/component/redis/redis_test.go b/common/component/redis/redis_test.go
@@ -112,6 +112,18 @@ func TestParseRedisMetadata(t *testing.T) {
 		assert.True(t, m.Failover)
 		assert.Equal(t, "master", m.SentinelMasterName)
 		assert.False(t, m.UseEntraID)
+		assert.False(t, m.InsecureSkipTLSVerify, "InsecureSkipTLSVerify should default to false when not set")
+	})
+
+	t.Run("insecureSkipTLSVerify is set to true", func(t *testing.T) {
+		fakeProperties := getFakeProperties()
+		fakeProperties["insecureSkipTLSVerify"] = "true"
+
+		m := &Settings{}
+		err := m.Decode(fakeProperties)
+
+		require.NoError(t, err)
+		assert.True(t, m.InsecureSkipTLSVerify)
 	})
 
 	// TODO: Refactor shared redis code to throw error for missing properties
diff --git a/common/component/redis/settings.go b/common/component/redis/settings.go
@@ -86,9 +86,14 @@ type Settings struct {
 	// Use Redis Sentinel for automatic failover.
 	Failover bool `mapstructure:"failover"`
 
-	// A flag to enables TLS by setting InsecureSkipVerify to true
+	// A flag to enable TLS for the Redis connection
 	EnableTLS bool `mapstructure:"enableTLS"`
 
+	// A flag to skip TLS certificate verification (insecure, use only for testing).
+	// Defaults to false. When EnableTLS is true and this is false, proper certificate
+	// verification is performed.
+	InsecureSkipTLSVerify bool `mapstructure:"insecureSkipTLSVerify"`
+
 	// Client certificate and key
 	ClientCert string `mapstructure:"clientCert"`
 	ClientKey  string `mapstructure:"clientKey"`
diff --git a/common/component/redis/v8client.go b/common/component/redis/v8client.go
@@ -351,7 +351,7 @@ func newV8FailoverClient(s *Settings) (RedisClient, error) {
 
 	if s.EnableTLS {
 		opts.TLSConfig = &tls.Config{
-			InsecureSkipVerify: s.EnableTLS, //nolint:gosec
+			InsecureSkipVerify: s.InsecureSkipTLSVerify, //nolint:gosec
 		}
 		err := s.SetCertificate(func(cert *tls.Certificate) {
 			opts.TLSConfig.Certificates = []tls.Certificate{*cert}
@@ -408,7 +408,7 @@ func newV8Client(s *Settings) (RedisClient, error) {
 		/* #nosec */
 		if s.EnableTLS {
 			options.TLSConfig = &tls.Config{
-				InsecureSkipVerify: s.EnableTLS,
+				InsecureSkipVerify: s.InsecureSkipTLSVerify,
 			}
 			err := s.SetCertificate(func(cert *tls.Certificate) {
 				options.TLSConfig.Certificates = []tls.Certificate{*cert}
@@ -448,7 +448,7 @@ func newV8Client(s *Settings) (RedisClient, error) {
 	/* #nosec */
 	if s.EnableTLS {
 		options.TLSConfig = &tls.Config{
-			InsecureSkipVerify: s.EnableTLS,
+			InsecureSkipVerify: s.InsecureSkipTLSVerify,
 		}
 		err := s.SetCertificate(func(cert *tls.Certificate) {
 			options.TLSConfig.Certificates = []tls.Certificate{*cert}
diff --git a/common/component/redis/v9client.go b/common/component/redis/v9client.go
@@ -352,7 +352,7 @@ func newV9FailoverClient(s *Settings) (RedisClient, error) {
 	/* #nosec */
 	if s.EnableTLS {
 		opts.TLSConfig = &tls.Config{
-			InsecureSkipVerify: s.EnableTLS,
+			InsecureSkipVerify: s.InsecureSkipTLSVerify,
 		}
 		err := s.SetCertificate(func(cert *tls.Certificate) {
 			opts.TLSConfig.Certificates = []tls.Certificate{*cert}
@@ -411,7 +411,7 @@ func newV9Client(s *Settings) (RedisClient, error) {
 		if s.EnableTLS {
 			/* #nosec */
 			options.TLSConfig = &tls.Config{
-				InsecureSkipVerify: s.EnableTLS,
+				InsecureSkipVerify: s.InsecureSkipTLSVerify,
 			}
 			err := s.SetCertificate(func(cert *tls.Certificate) {
 				options.TLSConfig.Certificates = []tls.Certificate{*cert}
@@ -451,7 +451,7 @@ func newV9Client(s *Settings) (RedisClient, error) {
 	if s.EnableTLS {
 		/* #nosec */
 		options.TLSConfig = &tls.Config{
-			InsecureSkipVerify: s.EnableTLS,
+			InsecureSkipVerify: s.InsecureSkipTLSVerify,
 		}
 		err := s.SetCertificate(func(cert *tls.Certificate) {
 			options.TLSConfig.Certificates = []tls.Certificate{*cert}
diff --git a/configuration/redis/metadata.yaml b/configuration/redis/metadata.yaml
@@ -77,10 +77,17 @@ metadata:
   - name: enableTLS
     type: bool
     required: false
-    description: | 
+    description: |
       If the Redis instance supports TLS; can be configured to be enabled or disabled.
     example: "true"
     default: "false"
+  - name: insecureSkipTLSVerify
+    type: bool
+    required: false
+    description: |
+      Skip TLS certificate verification (insecure). Only use for testing.
+    example: "false"
+    default: "false"
   - name: clientCert
     required: false
     description: Client certificate for Redis host. No Default. Can be secretKeyRef to use a secret reference
diff --git a/lock/redis/metadata.yaml b/lock/redis/metadata.yaml
@@ -173,6 +173,12 @@ metadata:
     description: "Whether to enable TLS encryption"
     example: "false"
     default: "false"
+  - name: insecureSkipTLSVerify
+    required: false
+    type: bool
+    description: "Skip TLS certificate verification (insecure). Only use for testing."
+    example: "false"
+    default: "false"
   - name: useEntraID
     required: false
     type: bool
diff --git a/pubsub/redis/metadata.yaml b/pubsub/redis/metadata.yaml
@@ -87,6 +87,13 @@ metadata:
     example: "false"
     type: bool
     default: "false"
+  - name: insecureSkipTLSVerify
+    required: false
+    description: |
+      Skip TLS certificate verification (insecure). Only use for testing.
+    example: "false"
+    type: bool
+    default: "false"
   - name: clientCert
     required: false
     description: Client certificate for Redis host. No Default. Can be secretKeyRef to use a secret reference
diff --git a/state/redis/metadata.yaml b/state/redis/metadata.yaml
@@ -85,6 +85,13 @@ metadata:
     description: If the Redis instance supports TLS with public certificates, can be configured to be enabled or disabled. Defaults to false.
     example: "false"
     type: bool
+  - name: insecureSkipTLSVerify
+    required: false
+    description: |
+      Skip TLS certificate verification (insecure). Only use for testing.
+    example: "false"
+    type: bool
+    default: "false"
   - name: clientCert
     required: false
     description: Client certificate for Redis host. No Default. Can be secretKeyRef to use a secret reference
