Conversation

@juanxiu
Contributor

@juanxiu juanxiu commented Sep 20, 2025

What does this PR do / why we need it:

This PR adds a NetworkPolicy to enable secure communication between ArgoCD Agent and Redis. Previously, agent pods were unable to connect to Redis due to network restrictions, causing connectivity issues in environments with strict network policies enabled. We have to allow egress traffic to Redis (port 6379/TCP) from both agent and principal pods.

The changes include:

  • Add Helm values and template for agent NetworkPolicy
  • Add kustomize manifest for agent NetworkPolicy
  • Add kustomize manifest for principal NetworkPolicy

Which issue(s) this PR fixes:

Fixes #566

How to test changes / Special notes to the reviewer:

Testing Steps:

  1. Template Validation:

    cd install/helm-repo/argocd-agent-agent
    helm template argocd-agent-agent . --values values.yaml -s templates/agent-networkpolicy-redis.yaml | kubectl apply --dry-run=client -f -

  2. Deploy and Verify:

    helm install argocd-agent-agent . --values values.yaml
    kubectl get networkpolicy -n <namespace>
    kubectl describe networkpolicy allow-agent-to-redis -n <namespace>

  3. Connectivity Test:

    kubectl exec -it <agent-pod> -n <namespace> -- redis-cli -h argocd-redis ping

Special Notes:

  • NetworkPolicy only allows ingress traffic from agent pods to Redis
  • All ports are allowed (Redis default 6379 + any additional ports)
  • Policy is applied to pods matching app.kubernetes.io/name: argocd-redis label
  • Agent pods must have app.kubernetes.io/name: argocd-agent-agent label

Checklist

  • Documentation update is required by this PR (and has been updated) OR no documentation update is required.

- Add NetworkPolicy template for secure agent to redis communication
- Configure pod selectors for argocd-agent-agent and argocd-redis
- Enable network policy by default in values.yaml

Signed-off-by: yeonsoo <[email protected]>
@jannfis
Collaborator

jannfis commented Sep 21, 2025

Thanks! However, to fix #566, this change is not complete. The same goes for the principal, and there are kustomize manifests that need to be adapted for both agent and principal.

@mikeshng
Collaborator

Thank you for trying to fix this issue @juanxiu! Could you see @jannfis's review comment please? Many thanks!

- Add Helm values and template for agent NetworkPolicy
- Add kustomize manifest for agent NetworkPolicy
- Add kustomize manifest for principal NetworkPolicy

Signed-off-by: yeonsoo <[email protected]>
@juanxiu
Contributor Author

juanxiu commented Oct 1, 2025

Thanks for the feedback! @jannfis @mikeshng I've added NetworkPolicy for the principal as well, and updated kustomize manifests for both agent and principal.

@juanxiu juanxiu changed the title from "feat(helm): add NetworkPolicy for agent-redis connectivity" to "feat: add Redis NetworkPolicy for agent and principal" on Oct 1, 2025
@codecov-commenter

codecov-commenter commented Oct 1, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 45.62%. Comparing base (0fa851d) to head (de585c0).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #574   +/-   ##
=======================================
  Coverage   45.62%   45.62%           
=======================================
  Files          90       90           
  Lines       12021    12021           
=======================================
  Hits         5485     5485           
  Misses       6091     6091           
  Partials      445      445           

@jannfis
Collaborator

jannfis commented Oct 1, 2025

Thanks @juanxiu! I just saw that the Helm policy type (Ingress) differs from the ones in Kustomize (Egress). Is there a reason for that? I think they really should be the same type. Ideally, given proper Helm values, the Helm and Kustomize results should be the same (or at least, very similar).

@juanxiu
Contributor Author

juanxiu commented Oct 2, 2025

@jannfis Good catch! I've updated the Helm template to use Egress instead of Ingress, making it consistent with the kustomize manifests. Both now allow egress traffic from agent pods to Redis on port 6379/TCP.
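To make the point raised in this thread checkable, that the Helm and kustomize renders should agree on the policy type (Egress) and on the single rule "agent pods to Redis on 6379/TCP" described in the PR, here is an added Python example; it is not part of the PR or of the argocd-agent project. The manifests are constructed dicts standing in for the rendered YAML: the label values follow the PR description, while the policy names and the exact egress-rule layout are assumptions.

```python
import copy

REDIS_PORT = 6379
AGENT_LABEL = {"app.kubernetes.io/name": "argocd-agent-agent"}
REDIS_LABEL = {"app.kubernetes.io/name": "argocd-redis"}

# Constructed stand-in for the Helm-rendered policy after the fix: agent pods may egress only to Redis 6379/TCP.
HELM_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-agent-to-redis"},
    "spec": {
        "podSelector": {"matchLabels": AGENT_LABEL},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"podSelector": {"matchLabels": REDIS_LABEL}}],
                    "ports": [{"protocol": "TCP", "port": REDIS_PORT}]}],
    },
}

# Constructed stand-in for the kustomize manifest: same spec, different name (assumed).
KUSTOMIZE_POLICY = copy.deepcopy(HELM_POLICY)
KUSTOMIZE_POLICY["metadata"]["name"] = "argocd-agent-redis-egress"

# Constructed stand-in for the earlier Helm draft: Ingress on the Redis pods, all ports allowed.
INGRESS_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "allow-agent-to-redis"},
    "spec": {"podSelector": {"matchLabels": REDIS_LABEL}, "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {"matchLabels": AGENT_LABEL}}]}]},
}

def check_egress_to_redis(policy):
    """List how `policy` deviates from 'agent pods may reach only Redis on 6379/TCP'."""
    problems, spec = [], policy.get("spec", {})
    if spec.get("policyTypes") != ["Egress"]:
        problems.append(f"policyTypes={spec.get('policyTypes')}, expected ['Egress']")
    if spec.get("podSelector", {}).get("matchLabels") != AGENT_LABEL:
        problems.append("podSelector must match the agent pods, not Redis")
    for rule in spec.get("egress") or [{}]:  # an empty rule list would deny all agent egress
        peers = [p.get("podSelector", {}).get("matchLabels") for p in rule.get("to", [])]
        if REDIS_LABEL not in peers:
            problems.append("egress rule does not target the Redis pods")
        ports = {(p.get("protocol", "TCP"), p.get("port")) for p in rule.get("ports", [])}
        if ports != {("TCP", REDIS_PORT)}:
            problems.append(f"ports={sorted(ports)}, expected only ('TCP', {REDIS_PORT})")
    return problems

def same_spec(a, b):
    """Helm and kustomize renders should agree on everything except metadata."""
    return a.get("spec") == b.get("spec")
```

Because NetworkPolicies are additive and an Egress-type policy restricts all outbound traffic of the selected pods, this check only covers the Redis rule; DNS and the agent's other outbound connections must be allowed by separate policies.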

Collaborator

@jannfis jannfis left a comment

Thank you @juanxiu!

LGTM.

@jannfis jannfis merged commit 4e4ee60 into argoproj-labs:main Oct 2, 2025
15 checks passed
Development

Successfully merging this pull request may close these issues.

Missing NetworkPolicy for accessing Redis

4 participants