From 1c2c285ba55f44d6f98b21a38413efd981a09a76 Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Sun, 21 Jun 2026 01:32:03 +0545
Subject: [PATCH 1/3] docs(redis): add TLS config and examples

Document tlsConfig field with enable, ca, cert, key, handshakeTimeout,
and insecureSkipVerify. Add examples for all four TLS variants:
system trust store, custom CA, mutual TLS, and insecure.
---
 canary-checker/docs/reference/1-redis.mdx | 70 ++++++++++++++++++++++-
 1 file changed, 69 insertions(+), 1 deletion(-)

diff --git a/canary-checker/docs/reference/1-redis.mdx b/canary-checker/docs/reference/1-redis.mdx
index f17580ea..4db3241c 100644
--- a/canary-checker/docs/reference/1-redis.mdx
+++ b/canary-checker/docs/reference/1-redis.mdx
@@ -12,6 +12,7 @@ The Redis check connects to a specified Redis database instance to check its ava
 
 ```yaml title="redis.yaml"  file=<rootDir>/modules/canary-checker/fixtures/datasources/redis_pass.yaml
 ```
+
 <HealthCheck name="redis" connection="url" rows={[
   {field: "url", description: "Redis connection URL", scheme: 'string'},
   {field: "connection", description: "Connection name e.g. connection://redis/prod", scheme: 'string'},
@@ -19,8 +20,75 @@ The Redis check connects to a specified Redis database instance to check its ava
   {field: "password", description: "Password for authentication", scheme: 'EnvVar'},
   {field: "db", description: "Database to be selected after connecting to the server", scheme: 'int'},
   {field: "addr", description: "Redis address (deprecated - use url instead)", scheme: 'string'},
-
+  {
+    field: 'tlsConfig',
+    description: 'TLS and mutual TLS configuration',
+    scheme: '[TLSConfig](#tls-config)'
+  },
 ]}/>
 
+## TLS Config
+
+The `tlsConfig` field enables TLS for the Redis connection. Set `enable: true` to use the system trust store. Use `tlsConfig.ca` to verify with a custom CA. Add `tlsConfig.cert` and `tlsConfig.key` for mutual TLS.
+
+<Fields
+  rows={[
+    {
+      field: 'enable',
+      description: 'Explicitly enable TLS when no other TLS field is set (e.g. for publicly-trusted servers that need no CA).',
+      scheme: 'bool'
+    },
+    {
+      field: 'ca',
+      description: 'PEM encoded CA certificate to verify the server certificate',
+      scheme: 'EnvVar'
+    },
+    {
+      field: 'cert',
+      description: 'PEM encoded client certificate for mutual TLS',
+      scheme: 'EnvVar'
+    },
+    {
+      field: 'key',
+      description: 'PEM encoded client private key for mutual TLS',
+      scheme: 'EnvVar'
+    },
+    {
+      field: 'handshakeTimeout',
+      description: 'TLS handshake timeout. Defaults to 10 seconds',
+      scheme: 'Duration'
+    },
+    {
+      field: 'insecureSkipVerify',
+      description: 'Skip verification of the server certificate chain and host name',
+      scheme: 'bool'
+    },
+  ]}
+/>
+
+## Examples
+
+### Redis with TLS (system trust store)
+
+```yaml title="redis-tls.yaml" file=<rootDir>/modules/canary-checker/fixtures/datasources/redis-tls.yaml
+
+```
+
+### Redis with custom CA
 
+```yaml title="redis-custom-ca.yaml" file=<rootDir>/modules/canary-checker/fixtures/datasources/redis-custom-ca.yaml
+
+```
+
+### Redis with mutual TLS
+
+```yaml title="redis-mtls.yaml" file=<rootDir>/modules/canary-checker/fixtures/datasources/redis-mtls.yaml
+
+```
+
+### Redis with insecure TLS (skip verification)
+
+```yaml title="redis-tls-insecure.yaml" file=<rootDir>/modules/canary-checker/fixtures/datasources/redis-tls-insecure.yaml
+
+```
 

From d5076e2772d9e3489eed58dced9f39e918bab37f Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Sun, 21 Jun 2026 01:32:22 +0545
Subject: [PATCH 2/3] docs(redis): note that native TLS connection strings are
 not supported

rediss://, ssl=true, and other Redis native TLS URL formats are not
supported. TLS must be configured via the tlsConfig field.
---
 canary-checker/docs/reference/1-redis.mdx | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/canary-checker/docs/reference/1-redis.mdx b/canary-checker/docs/reference/1-redis.mdx
index 4db3241c..aaec2be8 100644
--- a/canary-checker/docs/reference/1-redis.mdx
+++ b/canary-checker/docs/reference/1-redis.mdx
@@ -31,6 +31,11 @@ The Redis check connects to a specified Redis database instance to check its ava
 
 The `tlsConfig` field enables TLS for the Redis connection. Set `enable: true` to use the system trust store. Use `tlsConfig.ca` to verify with a custom CA. Add `tlsConfig.cert` and `tlsConfig.key` for mutual TLS.
 
+:::note
+Native Redis TLS connection string formats are **not** supported — e.g. `rediss://` scheme,
+`ssl=true`, or other query-string flags in the URL. TLS must be configured explicitly via `tlsConfig`.
+:::
+
 <Fields
   rows={[
     {

From f4c38fd248e18c0e362d8f2110319c2218b7d25e Mon Sep 17 00:00:00 2001
From: Aditya Thebe <contact@adityathebe.com>
Date: Mon, 22 Jun 2026 16:07:49 +0545
Subject: [PATCH 3/3] chore(submodules): bump canary-checker for redis TLS
 fixtures

PR #513 references four redis TLS fixture files
(redis-tls, redis-custom-ca, redis-mtls, redis-tls-insecure) via
file=<rootDir> imports in canary-checker/docs/reference/1-redis.mdx.
These fixtures were added upstream in canary-checker e9d20f4
("feat: redis TLS (#2987)"), but the submodule was pinned to 8cc042d
which predates them, so the Vercel/Netlify docusaurus build failed to
resolve the imports. Bump the submodule so the fixtures exist.
---
 modules/canary-checker | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/canary-checker b/modules/canary-checker
index 8cc042df..e9d20f4a 160000
--- a/modules/canary-checker
+++ b/modules/canary-checker
@@ -1 +1 @@
-Subproject commit 8cc042df1520b271314471f2b1c86a3edef234d2
+Subproject commit e9d20f4ace8e8884b2eb49d18106c92eb0211f75