flanksource · adityathebe · Jun 22, 2026 · Jun 20, 2026 · Jun 20, 2026 · Jun 22, 2026
diff --git a/canary-checker/docs/reference/1-redis.mdx b/canary-checker/docs/reference/1-redis.mdx
@@ -12,15 +12,88 @@ The Redis check connects to a specified Redis database instance to check its ava
 
 ```yaml title="redis.yaml"  file=<rootDir>/modules/canary-checker/fixtures/datasources/redis_pass.yaml
 ```
+
 <HealthCheck name="redis" connection="url" rows={[
   {field: "url", description: "Redis connection URL", scheme: 'string'},
   {field: "connection", description: "Connection name e.g. connection://redis/prod", scheme: 'string'},
   {field: "username", description: "Username for authentication", scheme: 'EnvVar'},
   {field: "password", description: "Password for authentication", scheme: 'EnvVar'},
   {field: "db", description: "Database to be selected after connecting to the server", scheme: 'int'},
   {field: "addr", description: "Redis address (deprecated - use url instead)", scheme: 'string'},
-
+  {
+    field: 'tlsConfig',
+    description: 'TLS and mutual TLS configuration',
+    scheme: '[TLSConfig](#tls-config)'
+  },
 ]}/>
 
+## TLS Config
+
+The `tlsConfig` field enables TLS for the Redis connection. Set `enable: true` to use the system trust store. Use `tlsConfig.ca` to verify with a custom CA. Add `tlsConfig.cert` and `tlsConfig.key` for mutual TLS.
+
+:::note
+Native Redis TLS connection string formats are **not** supported — e.g. `rediss://` scheme,
+`ssl=true`, or other query-string flags in the URL. TLS must be configured explicitly via `tlsConfig`.
+:::
+
+<Fields
+  rows={[
+    {
+      field: 'enable',
+      description: 'Explicitly enable TLS when no other TLS field is set (e.g. for publicly-trusted servers that need no CA).',
+      scheme: 'bool'
+    },
+    {
+      field: 'ca',
+      description: 'PEM encoded CA certificate to verify the server certificate',
+      scheme: 'EnvVar'
+    },
+    {
+      field: 'cert',
+      description: 'PEM encoded client certificate for mutual TLS',
+      scheme: 'EnvVar'
+    },
+    {
+      field: 'key',
+      description: 'PEM encoded client private key for mutual TLS',
+      scheme: 'EnvVar'
+    },
+    {
+      field: 'handshakeTimeout',
+      description: 'TLS handshake timeout. Defaults to 10 seconds',
+      scheme: 'Duration'
+    },
+    {
+      field: 'insecureSkipVerify',
+      description: 'Skip verification of the server certificate chain and host name',
+      scheme: 'bool'
+    },
+  ]}
+/>
+
+## Examples
+
+### Redis with TLS (system trust store)
+
+```yaml title="redis-tls.yaml" file=<rootDir>/modules/canary-checker/fixtures/datasources/redis-tls.yaml
+
+```
+
+### Redis with custom CA
 
+```yaml title="redis-custom-ca.yaml" file=<rootDir>/modules/canary-checker/fixtures/datasources/redis-custom-ca.yaml
+
+```
+
+### Redis with mutual TLS
+
+```yaml title="redis-mtls.yaml" file=<rootDir>/modules/canary-checker/fixtures/datasources/redis-mtls.yaml
+
+```
+
+### Redis with insecure TLS (skip verification)
+
+```yaml title="redis-tls-insecure.yaml" file=<rootDir>/modules/canary-checker/fixtures/datasources/redis-tls-insecure.yaml
+
+```
 
diff --git a/modules/canary-checker b/modules/canary-checker
+1 −1		api/v1/canary_types.go
+73 −0		api/v1/checks.go
+21 −0		api/v1/zz_generated.deepcopy.go
+28 −1		checks/redis.go
+252 −0		checks/redis_test.go
+148 −2		config/deploy/Canary.yml
+148 −2		config/deploy/manifests.yaml
+35 −0		config/schemas/canary.schema.json
+35 −0		config/schemas/component.schema.json
+39 −0		config/schemas/health_redis.schema.json
+35 −0		config/schemas/topology.schema.json
+4 −0		fixtures/datasources/kustomization.yaml
+15 −0		fixtures/datasources/redis-custom-ca.yaml
+28 −0		fixtures/datasources/redis-mtls.yaml
+11 −0		fixtures/datasources/redis-tls-insecure.yaml
+11 −0		fixtures/datasources/redis-tls.yaml
+34 −11		go.mod
+76 −27		go.sum
+1 −1		pkg/api.go
+16 −12		pkg/metrics/metrics.go
+161 −0		pkg/metrics/metrics_test.go
+13 −2		pkg/prometheus/prometheus.go