From 16a6161ddd050a08046b559adad62aeb8f8cf87d Mon Sep 17 00:00:00 2001
From: Jessica Rodriguez
Date: Thu, 16 Jan 2025 09:23:02 -0500
Subject: [PATCH] Document TLS enabled if inMemoryDb.password is returned

---
 .../cloud.redhat.com/providers/inmemorydb/elasticache.go | 2 ++
 docs/providers/inmemorydb.md | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/controllers/cloud.redhat.com/providers/inmemorydb/elasticache.go b/controllers/cloud.redhat.com/providers/inmemorydb/elasticache.go
index bf2216b88..bb5fa6376 100644
--- a/controllers/cloud.redhat.com/providers/inmemorydb/elasticache.go
+++ b/controllers/cloud.redhat.com/providers/inmemorydb/elasticache.go
@@ -53,6 +53,8 @@ func (e *elasticache) Provide(app *crd.ClowdApp) error {
 )
 }
 
+ // ElastiCache and Terraform resources, via qontract-reconcile, guarantee that `db.auth_token` is provided
+ // only if in-transit encryption is enabled.
 passwd := string(secret.Data["db.auth_token"])
 if passwd != "" {
 creds.Password = &passwd
diff --git a/docs/providers/inmemorydb.md b/docs/providers/inmemorydb.md
index a27edc1fb..783be1540 100644
--- a/docs/providers/inmemorydb.md
+++ b/docs/providers/inmemorydb.md
@@ -39,7 +39,7 @@ ClowdEnv Config options available:
 In elasticache mode, the *In-Memory DB Provider* will search for a secret named
 `in-memory-db` inside the same namespace as the `ClowdApp` that requested it.
 The hostname and port will then be passed to the `cdappconfig.json` for use by
-the app.
+the app. If a password is provided, it is known that in-transit encryption is enabled, as per [ElastiCache requirements](https://docs.aws.amazon.com/AmazonElastiCache/latest/dg/auth.html#auth-using).
 
 ## Generated App Configuration
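Review bot: The comment added above `passwd := string(secret.Data["db.auth_token"])` states only one direction of the relationship, so a reader may treat password presence as the TLS signal in both directions. ElastiCache requires in-transit encryption for an auth token, but encryption can be enabled without one, so I would append `// The converse does not hold: an empty db.auth_token does not imply an unencrypted connection.` The guarantee also appears to cover only secrets produced through qontract-reconcile; the provider reads whichever `in-memory-db` secret exists in the namespace and nothing in the visible code checks the encryption setting, so the comment could say that a hand-created secret is outside the guarantee. `Provide` starts and ends outside this hunk.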