valkey-io · GilboaAWS · Mar 17, 2025 · Mar 18, 2025 · Mar 24, 2025 · Mar 24, 2025
@@ -113,6 +113,7 @@ default = [
     "connection-manager",
     "cluster",
     "cluster-async",
+    "tls-rustls-insecure",
 ]
 acl = []
 aio = [

@@ -123,6 +123,7 @@
     ProtocolVersion,
     ReadFrom,
     ServerCredentials,
+    TlsAdvancedConfiguration,
 )
 from glide.constants import (
     OK,
@@ -201,6 +202,7 @@
     "TJsonUniversalResponse",
     "TOK",
     "TResult",
+    "TlsAdvancedConfiguration",
     "TXInfoStreamFullResponse",
     "TXInfoStreamResponse",
     "FtAggregateResponse",

@@ -139,6 +139,21 @@ class PeriodicChecksStatus(Enum):
     """
 
 
+class TlsAdvancedConfiguration:
+    """
+    Represents advanced TLS configuration settings.
+
+    Attributes:
+        insecure (Optional[bool]): Indicates whether to bypass TLS certificate verification.
+            When set to True, the client will bypass certificate validation (for example, when connecting
+            to servers with self-signed or unauthorized certificates). This setting is useful for development
+            or testing environments, but should not be used in production due to security risks.
+    """
+
+    def __init__(self, insecure: Optional[bool] = None):
+        self.insecure = insecure
+
+
 class AdvancedBaseClientConfiguration:
     """
     Represents the advanced configuration settings for a base Glide client.
@@ -148,16 +163,33 @@ class AdvancedBaseClientConfiguration:
             This applies both during initial client creation and any reconnections that may occur during request processing.
             **Note**: A high connection timeout may lead to prolonged blocking of the entire command pipeline.
             If not explicitly set, a default value of 250 milliseconds will be used.
+        tls_config (Optional[TlsAdvancedConfiguration]): The advanced TLS configuration settings.
+            This allows for more granular control of TLS behavior, such as enabling an insecure mode
+            that bypasses certificate validation.
     """
 
-    def __init__(self, connection_timeout: Optional[int] = None):
+    def __init__(
+        self,
+        connection_timeout: Optional[int] = None,
+        tls_config: Optional[TlsAdvancedConfiguration] = None,
+    ):
         self.connection_timeout = connection_timeout
+        self.tls_config = tls_config
 
     def _create_a_protobuf_conn_request(
         self, request: ConnectionRequest
     ) -> ConnectionRequest:
         if self.connection_timeout:
             request.connection_timeout = self.connection_timeout
+
+        if self.tls_config and self.tls_config.insecure:
+            if request.tls_mode == TlsMode.SecureTls:
+                request.tls_mode = TlsMode.InsecureTls
+            else:
+                raise ValueError(
+                    "TLS is configured as insecure, but TLS isn't in use."
+                )
+
         return request
 
 
@@ -179,7 +211,8 @@ class BaseClientConfiguration:
                 ].
 
         use_tls (bool): True if communication with the cluster should use Transport Level Security.
-            Should match the TLS configuration of the server/cluster, otherwise the connection attempt will fail
+            Should match the TLS configuration of the server/cluster, otherwise the connection attempt will fail.
+            For advanced tls configuration, please use the AdvancedBaseClientConfiguration option.
         credentials (ServerCredentials): Credentials for authentication process.
             If none are set, the client will not authenticate itself with the server.
         read_from (ReadFrom): If not set, `PRIMARY` will be used.
@@ -291,9 +324,13 @@ class AdvancedGlideClientConfiguration(AdvancedBaseClientConfiguration):
     Represents the advanced configuration settings for a Standalone Glide client.
     """
 
-    def __init__(self, connection_timeout: Optional[int] = None):
+    def __init__(
+        self,
+        connection_timeout: Optional[int] = None,
+        tls_config: Optional[TlsAdvancedConfiguration] = None,
+    ):
 
-        super().__init__(connection_timeout)
+        super().__init__(connection_timeout, tls_config)
 
 
 class GlideClientConfiguration(BaseClientConfiguration):
@@ -311,6 +348,7 @@ class GlideClientConfiguration(BaseClientConfiguration):
                 ]
 
         use_tls (bool): True if communication with the cluster should use Transport Level Security.
+                For advanced tls configuration, please use the AdvancedGlideClientConfiguration option.
         credentials (ServerCredentials): Credentials for authentication process.
                 If none are set, the client will not authenticate itself with the server.
         read_from (ReadFrom): If not set, `PRIMARY` will be used.
@@ -461,8 +499,12 @@ class AdvancedGlideClusterClientConfiguration(AdvancedBaseClientConfiguration):
     Represents the advanced configuration settings for a Glide Cluster client.
     """
 
-    def __init__(self, connection_timeout: Optional[int] = None):
-        super().__init__(connection_timeout)
+    def __init__(
+        self,
+        connection_timeout: Optional[int] = None,
+        tls_config: Optional[TlsAdvancedConfiguration] = None,
+    ):
+        super().__init__(connection_timeout, tls_config)
 
 
 class GlideClusterClientConfiguration(BaseClientConfiguration):
@@ -479,6 +521,7 @@ class GlideClusterClientConfiguration(BaseClientConfiguration):
                 ]
 
         use_tls (bool): True if communication with the cluster should use Transport Level Security.
+                For advanced tls configuration, please use the AdvancedGlideClusterClientConfiguration option.
         credentials (ServerCredentials): Credentials for authentication process.
                 If none are set, the client will not authenticate itself with the server.
         read_from (ReadFrom): If not set, `PRIMARY` will be used.

@@ -14,6 +14,7 @@
     ProtocolVersion,
     ReadFrom,
     ServerCredentials,
+    TlsAdvancedConfiguration,
 )
 from glide.exceptions import ClosingError
 from glide.glide_client import GlideClient, GlideClusterClient, TGlideClient
@@ -260,9 +261,15 @@ async def create_client(
     client_az: Optional[str] = None,
     reconnect_strategy: Optional[BackoffStrategy] = None,
     valkey_cluster: Optional[ValkeyCluster] = None,
+    use_tls: Optional[bool] = None,
+    tls_insecure: Optional[bool] = None,
 ) -> Union[GlideClient, GlideClusterClient]:
     # Create async socket client
-    use_tls = request.config.getoption("--tls")
+    if use_tls is not None:
+        use_tls = use_tls
+    else:
+        use_tls = request.config.getoption("--tls")
+    tls_adv_conf = TlsAdvancedConfiguration(insecure=tls_insecure)
     if cluster_mode:
         valkey_cluster = valkey_cluster or pytest.valkey_cluster  # type: ignore
         assert type(valkey_cluster) is ValkeyCluster
@@ -280,15 +287,16 @@ async def create_client(
             inflight_requests_limit=inflight_requests_limit,
             read_from=read_from,
             client_az=client_az,
-            advanced_config=AdvancedGlideClusterClientConfiguration(connection_timeout),
+            advanced_config=AdvancedGlideClusterClientConfiguration(
+                connection_timeout, tls_config=tls_adv_conf
+            ),
         )
         return await GlideClusterClient.create(cluster_config)
     else:
-        assert type(pytest.standalone_cluster) is ValkeyCluster  # type: ignore
+        valkey_cluster = valkey_cluster or pytest.standalone_cluster  # type: ignore
+        assert type(valkey_cluster) is ValkeyCluster
         config = GlideClientConfiguration(
-            addresses=(
-                pytest.standalone_cluster.nodes_addr if addresses is None else addresses  # type: ignore
-            ),
+            addresses=(valkey_cluster.nodes_addr if addresses is None else addresses),
             use_tls=use_tls,
             credentials=credentials,
             database_id=database_id,
@@ -299,7 +307,9 @@ async def create_client(
             inflight_requests_limit=inflight_requests_limit,
             read_from=read_from,
             client_az=client_az,
-            advanced_config=AdvancedGlideClientConfiguration(connection_timeout),
+            advanced_config=AdvancedGlideClientConfiguration(
+                connection_timeout, tls_config=tls_adv_conf
+            ),
             reconnect_strategy=reconnect_strategy,
         )
         return await GlideClient.create(config)

@@ -1,5 +1,6 @@
 # Copyright Valkey GLIDE Project Contributors - SPDX Identifier: Apache-2.0
 
+import pytest
 from glide.config import (
     AdvancedGlideClientConfiguration,
     AdvancedGlideClusterClientConfiguration,
@@ -10,6 +11,7 @@
     PeriodicChecksManualInterval,
     PeriodicChecksStatus,
     ReadFrom,
+    TlsAdvancedConfiguration,
 )
 from glide.protobuf.connection_request_pb2 import ConnectionRequest
 from glide.protobuf.connection_request_pb2 import ReadFrom as ProtobufReadFrom
@@ -106,3 +108,43 @@ def test_connection_timeout_in_protobuf_request():
 
     assert isinstance(request, ConnectionRequest)
     assert request.connection_timeout == connection_timeout
+
+
+def test_tls_insecure_in_protobuf_request():
+    tls_conf = TlsAdvancedConfiguration(insecure=True)
+
+    config = GlideClientConfiguration(
+        [NodeAddress("127.0.0.1")],
+        use_tls=False,
+        advanced_config=AdvancedGlideClientConfiguration(tls_config=tls_conf),
+    )
+    with pytest.raises(ValueError):
+        config._create_a_protobuf_conn_request()
+
+    config = GlideClientConfiguration(
+        [NodeAddress("127.0.0.1")],
+        use_tls=True,
+        advanced_config=AdvancedGlideClientConfiguration(tls_config=tls_conf),
+    )
+    request = config._create_a_protobuf_conn_request()
+
+    assert isinstance(request, ConnectionRequest)
+    assert request.tls_mode is TlsMode.InsecureTls
+
+    config = GlideClusterClientConfiguration(
+        [NodeAddress("127.0.0.1")],
+        use_tls=False,
+        advanced_config=AdvancedGlideClusterClientConfiguration(tls_config=tls_conf),
+    )
+    with pytest.raises(ValueError):
+        config._create_a_protobuf_conn_request(cluster_mode=True)
+
+    config = GlideClusterClientConfiguration(
+        [NodeAddress("127.0.0.1")],
+        use_tls=True,
+        advanced_config=AdvancedGlideClusterClientConfiguration(tls_config=tls_conf),
+    )
+    request = config._create_a_protobuf_conn_request(cluster_mode=True)
+
+    assert isinstance(request, ConnectionRequest)
+    assert request.tls_mode is TlsMode.InsecureTls
@@ -0,0 +1,85 @@
+import asyncio
+from typing import AsyncGenerator
+
+import pytest
+from glide.config import ProtocolVersion
+from glide.glide_client import TGlideClient
+from tests.conftest import create_client
+from tests.utils.cluster import ValkeyCluster
+
+
+@pytest.fixture(scope="module")
+def event_loop():
+    """A module-scoped event loop for async tests in this file only."""
+    loop = asyncio.new_event_loop()
+    yield loop
+    loop.close()
+
+
+@pytest.fixture(scope="module", autouse=True)
+async def tls_clusters():
+    tls_valkey_cluster = ValkeyCluster(
+        tls=True, cluster_mode=True, shard_count=3, replica_count=0
+    )
+    tls_valkey_standalone = ValkeyCluster(
+        tls=True, cluster_mode=False, shard_count=1, replica_count=0
+    )
+
+    yield (tls_valkey_cluster, tls_valkey_standalone)
+
+    del tls_valkey_cluster
+    del tls_valkey_standalone
+
+
+@pytest.fixture
+def tls_insecure(request) -> bool:
+    # If the test has param'd tls_insecure, use it
+    # Otherwise default to False
+    return getattr(request, "param", False)
+
+
+@pytest.fixture(scope="function")
+async def glide_tls_client(
+    request,
+    tls_clusters,  # we get (cluster_mode=True, cluster_mode=False) ValkeyClusters as a tuple
+    cluster_mode: bool,  # this is coming from @pytest.mark.parametrize
+    protocol: ProtocolVersion,
+    tls_insecure: bool,
+) -> "AsyncGenerator[TGlideClient, None]":
+    """
+    Return a GlideClusterClient that connects to either the cluster or standalone,
+    depending on the cluster_mode param.
+    """
+    (tls_valkey_cluster, tls_valkey_standalone) = tls_clusters
+
+    if cluster_mode:
+        chosen_cluster = tls_valkey_cluster
+    else:
+        chosen_cluster = tls_valkey_standalone
+
+    client = await create_client(
+        request,
+        cluster_mode=cluster_mode,
+        valkey_cluster=chosen_cluster,
+        protocol=protocol,
+        use_tls=True,
+        tls_insecure=tls_insecure,
+    )
+    yield client
+    await client.close()
+
+
+@pytest.mark.asyncio
+class TestTls:
+    @pytest.mark.parametrize("cluster_mode", [True, False])
+    @pytest.mark.parametrize("protocol", [ProtocolVersion.RESP2, ProtocolVersion.RESP3])
+    @pytest.mark.parametrize("tls_insecure", [True], indirect=True)
+    async def test_tls_insecure(self, glide_tls_client: TGlideClient):
+        """
+        This test verifies that the Glide client can connect to a TLS-enabled Valkey instance while skipping
+        certificate validation. By parametrizing tls_insecure=True, we confirm that the client can successfully
+        ping the cluster without strict cert checks.
+        """
+        result = await glide_tls_client.ping()
+
+        assert result == b"PONG"