0xPolygonID · Strnadj · Nov 27, 2025 · Nov 27, 2025
@@ -64,6 +64,7 @@ ISSUER_CIRCUIT_PATH=./pkg/credentials/circuits
 # ISSUER_CACHE_PROVIDER could be either [redis | valkey]
 ISSUER_CACHE_PROVIDER=redis
 ISSUER_CACHE_URL=redis://@redis:6379/1
+ISSUER_CACHE_TLS=false
 
 
 ISSUER_KEY_STORE_TOKEN=<Key Store Vault Token>

@@ -2,6 +2,7 @@ package cache
 
 import (
 	"context"
+	"crypto/tls"
 	"time"
 
 	"github.com/valkey-io/valkey-go"
@@ -32,20 +33,29 @@ type Cache interface {
 func NewCacheClient(ctx context.Context, cfg config.Configuration) (Cache, error) {
 	var cachex Cache
 	if cfg.Cache.Provider == config.CacheProviderRedis {
-		rdb, err := redis.Open(ctx, cfg.Cache.Url)
+		rdb, err := redis.Open(ctx, cfg.Cache.Url, cfg.Cache.TLS)
 		if err != nil {
 			log.Error(ctx, "cannot connect to redis", "err", err, "host", cfg.Cache.Url)
 			return nil, err
 		}
 		cachex = NewRedisCache(rdb)
 	} else if cfg.Cache.Provider == config.CacheProviderValKey {
-		client, err := valkey.NewClient(valkey.ClientOption{InitAddress: []string{cfg.Cache.Url}})
+		opts := valkey.ClientOption{
+			InitAddress: []string{cfg.Cache.Url},
+		}
+
+		if cfg.Cache.TLS {
+			opts.TLSConfig = &tls.Config{}
+		}
+
+		client, err := valkey.NewClient(opts)
+
 		if err != nil {
 			log.Error(ctx, "cannot connect to valkey", "err", err, "host", cfg.Cache.Url)
 			return nil, err
 		}
-		cachex = NewValKeyCache(client)
 
+		cachex = NewValKeyCache(client)
 	}
 
 	return cachex, nil

@@ -83,6 +83,7 @@ type Database struct {
 type Cache struct {
 	Provider string `env:"ISSUER_CACHE_PROVIDER" envDefault:"redis"`
 	Url      string `env:"ISSUER_CACHE_URL"`
+	TLS			 bool   `env:"ISSUER_CACHE_TLS" envDefault:"false"`
 }
 
 // IPFS configurations

@@ -233,6 +233,13 @@ func TestLoadCacheProvider(t *testing.T) {
 	cfg, err := Load()
 	assert.NoError(t, err)
 	assert.Equal(t, "redis", cfg.Cache.Provider)
+	assert.Equal(t, false, cfg.Cache.TLS)
+
+	envVars["ISSUER_CACHE_TLS"] = "true"
+	loadEnvironmentVariables(t, envVars)
+	cfg, err = Load()
+	assert.NoError(t, err)
+	assert.Equal(t, true, cfg.Cache.TLS)
 
 	envVars["ISSUER_CACHE_URL"] = ""
 	loadEnvironmentVariables(t, envVars)
@@ -274,6 +281,7 @@ func initVariables(t *testing.T) envVarsT {
 		"ISSUER_MEDIA_TYPE_MANAGER_ENABLED":           "true",
 		"ISSUER_CACHE_PROVIDER":                       "redis",
 		"ISSUER_CACHE_URL":                            "redis://@localhost:6379/1",
+		"ISSUER_CACHE_TLS":                            "false",
 	}
 	return envVars
 }

@@ -3,6 +3,8 @@ package pubsub
 import (
 	"context"
 
+	"crypto/tls"
+
 	"github.com/valkey-io/valkey-go"
 
 	"github.com/polygonid/sh-id-platform/internal/config"
@@ -43,18 +45,28 @@ type Client interface {
 func NewPubSub(ctx context.Context, cfg config.Configuration) (Client, error) {
 	var ps Client
 	if cfg.Cache.Provider == config.CacheProviderRedis {
-		rdb, err := redis.Open(ctx, cfg.Cache.Url)
+		rdb, err := redis.Open(ctx, cfg.Cache.Url, cfg.Cache.TLS)
 		if err != nil {
 			log.Error(ctx, "cannot connect to redis", "err", err, "host", cfg.Cache.Url)
 			return nil, err
 		}
 		ps = NewRedis(rdb)
 	} else if cfg.Cache.Provider == config.CacheProviderValKey {
-		client, err := valkey.NewClient(valkey.ClientOption{InitAddress: []string{cfg.Cache.Url}})
+		opts := valkey.ClientOption{
+			InitAddress: []string{cfg.Cache.Url},
+		}
+
+		if cfg.Cache.TLS {
+			opts.TLSConfig = &tls.Config{}
+		}
+
+		client, err := valkey.NewClient(opts)
+
 		if err != nil {
 			log.Error(ctx, "cannot connect to valkey", "err", err, "host", cfg.Cache.Url)
 			return nil, err
 		}
+
 		ps = NewValKeyClient(client)
 	}
 

@@ -2,16 +2,24 @@ package redis
 
 import (
 	"context"
+	"crypto/tls"
 
 	"github.com/go-redis/redis/v8"
 )
 
 // Open opens a connection to redis and returns it
-func Open(ctx context.Context, url string) (*redis.Client, error) {
+func Open(ctx context.Context, url string, tlsEnabled bool) (*redis.Client, error) {
 	opts, err := redis.ParseURL(url)
 	if err != nil {
 		return nil, err
 	}
+
+	if tlsEnabled {
+		opts.TLSConfig = &tls.Config{
+			InsecureSkipVerify: false, // true only if you want to test self-signed certificates
+		}
+	}
+
 	rdb := redis.NewClient(opts)
 	if err := Status(ctx, rdb); err != nil {
 		return nil, err