Dragonfly Instance Authentication

This guide provides step-by-step instructions for setting up Dragonfly with authentication. Currently, Dragonfly supports two types of authentication: password-based authentication and TLS client-certificate authentication. Both are described below.

Prerequisites

Password-based authentication

Password-based authentication is the simplest way to secure your Dragonfly instance. You store the password in a Kubernetes secret and point the Dragonfly resource at it; every client must then issue AUTH with that password before any other command is accepted, as the session below shows. Three caveats apply. The password "dragonfly" used here is a placeholder, so generate a long random value for a real deployment. A Kubernetes secret is only base64-encoded, so anyone with read access to secrets in the namespace can recover the password; restrict that access with RBAC. And without TLS the password and all data cross the network in clear text, so pair it with the TLS setup in the next section whenever traffic leaves a trusted network.

Create a secret

kubectl create secret generic dragonfly-auth --from-literal=password=dragonfly

Deploy Dragonfly with authentication

kubectl apply -f - <<EOF
apiVersion: dragonflydb.io/v1alpha1
kind: Dragonfly
metadata:
  name: dragonfly-auth
spec:
  authentication:
    passwordFromSecret:
      name: dragonfly-auth
      key: password
  replicas: 2
EOF

Check the status of the Dragonfly instance

kubectl describe dragonflies.dragonflydb.io dragonfly-auth

Connecting to Dragonfly

kubectl run -it --rm --restart=Never redis-cli --image=redis:7.0.10 -- redis-cli -h dragonfly-auth.default
If you don't see a command prompt, try pressing enter.
dragonfly-auth.default:6379> GET 1
(error) NOAUTH Authentication required.
dragonfly-auth.default:6379> AUTH dragonfly
OK
dragonfly-auth.default:6379> GET 1
(nil)
dragonfly-auth.default:6379> SET 1 2
OK
dragonfly-auth.default:6379> GET 1
"2"
dragonfly-auth.default:6379> exit
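The exchange redis-cli performs above (a command refused with NOAUTH, AUTH, then commands accepted) written out as an added example in Go, not code from this page or from the Dragonfly project, so it can double as a post-deployment check. It speaks RESP directly. The fake server, its WRONGPASS and ERR wording, and the in-memory pipe are constructed here so the check runs offline; against a real instance, dial the service and hand the net.Conn to CheckAuthEnforced instead of calling RunAgainstFake.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"strings"
)

// expect frames args as a RESP array of bulk strings (the wire form of the
// "AUTH dragonfly" typed into redis-cli above), sends it, and fails unless
// the reply line starts with wantPrefix.
func expect(conn io.Writer, r *bufio.Reader, wantPrefix string, args ...string) error {
	var b strings.Builder
	fmt.Fprintf(&b, "*%d\r\n", len(args))
	for _, a := range args {
		fmt.Fprintf(&b, "$%d\r\n%s\r\n", len(a), a)
	}
	if _, err := io.WriteString(conn, b.String()); err != nil {
		return err
	}
	line, err := r.ReadString('\n')
	if reply := strings.TrimRight(line, "\r\n"); err != nil || !strings.HasPrefix(reply, wantPrefix) {
		return fmt.Errorf("%s: want reply %q, got %q (%v)", args[0], wantPrefix, reply, err)
	}
	return nil
}

// CheckAuthEnforced is the check to run against a deployed instance: a command
// sent before AUTH must be refused with NOAUTH, AUTH with the secret's password
// must be accepted, and only then may commands succeed.
func CheckAuthEnforced(conn io.ReadWriter, password string) error {
	r := bufio.NewReader(conn)
	if err := expect(conn, r, "-NOAUTH", "PING"); err != nil {
		return err
	}
	if err := expect(conn, r, "+OK", "AUTH", password); err != nil {
		return err
	}
	return expect(conn, r, "+PONG", "PING")
}

// readCommand parses one inbound RESP array of bulk strings (the server's view
// of the framing above); Fscanf treats the CRLF line ends as plain newlines.
func readCommand(r *bufio.Reader) ([]string, error) {
	var n, l int
	if _, err := fmt.Fscanf(r, "*%d\n", &n); err != nil || n < 1 {
		return nil, fmt.Errorf("bad command header (%v)", err)
	}
	args := make([]string, n)
	for i := range args {
		if _, err := fmt.Fscanf(r, "$%d\n", &l); err != nil || l < 0 {
			return nil, fmt.Errorf("bad bulk header (%v)", err)
		}
		buf := make([]byte, l+2) // payload plus its trailing CRLF
		if _, err := io.ReadFull(r, buf); err != nil {
			return nil, err
		}
		args[i] = string(buf[:l])
	}
	return args, nil
}

// fakeServer is a constructed stand-in for a password-protected instance so the
// check can run offline. The NOAUTH text is the one shown above; the other
// replies are assumptions, not Dragonfly's exact wording.
func fakeServer(conn net.Conn, password string) {
	defer conn.Close()
	r, authed := bufio.NewReader(conn), false
	for {
		args, err := readCommand(r)
		if err != nil {
			return
		}
		switch {
		case len(args) == 2 && strings.EqualFold(args[0], "AUTH"):
			if authed = args[1] == password; authed {
				fmt.Fprint(conn, "+OK\r\n")
			} else {
				fmt.Fprint(conn, "-WRONGPASS invalid password\r\n")
			}
		case !authed:
			fmt.Fprint(conn, "-NOAUTH Authentication required.\r\n")
		case strings.EqualFold(args[0], "PING"):
			fmt.Fprint(conn, "+PONG\r\n")
		default:
			fmt.Fprint(conn, "-ERR unknown command\r\n")
		}
	}
}

// RunAgainstFake wires CheckAuthEnforced to the fake over an in-memory pipe.
func RunAgainstFake(serverPassword, clientPassword string) error {
	c, s := net.Pipe()
	defer c.Close()
	go fakeServer(s, serverPassword)
	return CheckAuthEnforced(c, clientPassword)
}

func main() { fmt.Println(RunAgainstFake("dragonfly", "dragonfly"), RunAgainstFake("dragonfly", "not-it")) }
```

The first step of CheckAuthEnforced is the one people skip: confirming that an unauthenticated command is actually refused. A deployment whose secret was never wired up still answers AUTH with OK, and only the NOAUTH probe tells the two cases apart.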

TLS-based authentication

TLS-based authentication is the stronger option. The instance presents a serving certificate, so clients can verify which server they are talking to, and the connection is encrypted, which removes the clear-text problem of password-only setups. On top of that, Dragonfly can be given one or more trusted CA certificates; a client must then present a certificate signed by one of those CAs, and a connection without a valid client certificate is refused at the TLS handshake, before any command is processed. This is mutual TLS. Two details matter in practice: the serving certificate's dnsNames must include the name clients connect to (here dragonfly-sample.default, or the full dragonfly-sample.default.svc.cluster.local), otherwise hostname verification fails in clients that perform it; and the walkthrough below issues everything from self-signed issuers, which is fine for a test cluster, while a production deployment should issue client certificates from a CA you control and the serving certificate from a CA your clients already trust.

Create a TLS secret for Dragonfly through cert-manager

Install cert-manager

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml

Create a self-signed issuer

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
spec:
  selfSigned: {}
EOF

Request a TLS certificate

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dragonfly-sample
spec:
  secretName: dragonfly-sample
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - dragonfly-sample
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  dnsNames:
    - dragonfly-sample.com
    - www.dragonfly-sample.com
  issuerRef:
    name: ca-issuer
    kind: Issuer
    group: cert-manager.io
EOF

Generate a client certificate signed by a client CA

With a SelfSigned issuer there is no separate CA: the certificate requested below is signed by its own key, and cert-manager writes that same certificate into the secret's ca.crt next to tls.crt and tls.key. That ca.crt is what the Dragonfly instance is told to trust in the next step, so exactly this one client certificate is accepted. For a deployment with several clients, create a CA Issuer backed by a CA certificate, have it sign each client certificate, and hand Dragonfly the CA's certificate instead.

Create a Client CA issuer

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: client-ca-issuer
spec:
  selfSigned: {}
EOF

Request a Client certificate

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dragonfly-client-ca
spec:
  secretName: dragonfly-client-ca
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - dragonfly-client-ca
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  dnsNames:
    - dragonfly-client-ca.com
    - www.dragonfly-client-ca.com
  usages:
    - client auth
  issuerRef:
    name: client-ca-issuer
    kind: Issuer
    group: cert-manager.io
EOF

Create a Dragonfly instance with TLS

kubectl apply -f - <<EOF
apiVersion: dragonflydb.io/v1alpha1
kind: Dragonfly
metadata:
  name: dragonfly-sample
spec:
  authentication:
    clientCaCertSecret:
      name: dragonfly-client-ca
      key: ca.crt
  replicas: 2
  tlsSecretRef:
    name: dragonfly-sample
EOF

Verify the Dragonfly instance is ready

kubectl describe dragonflies.dragonflydb.io dragonfly-sample

Connecting to Dragonfly With TLS

Only a client that presents a certificate signed by the trusted client CA can connect. The pod below mounts two secrets: dragonfly-sample, whose ca.crt is the instance's self-signed serving certificate and is passed as --cacert so redis-cli can verify the server, and dragonfly-client-ca, whose tls.crt and tls.key are the client certificate and key passed as --cert and --key. Run the negative test as well: drop the --cert and --key arguments, or point them at a certificate from any other issuer, and the connection should be refused. That failure is what proves the client-certificate requirement is enforced.

kubectl run -it --rm redis-cli --image=redis:7.0.10 --restart=Never --overrides='
{
  "spec": {
    "containers": [
      {
        "name": "redis-cli",
        "image": "redis:7.0.10",
        "tty": true,
        "stdin": true,
        "command": [
          "redis-cli",
          "-h",
          "dragonfly-sample.default",
          "--tls",
          "--cacert",
          "/etc/ssl/ca.crt",
          "--cert",
          "/etc/tls/tls.crt",
          "--key",
          "/etc/tls/tls.key"
        ],
        "volumeMounts": [
          {
            "name": "ca-certs",
            "mountPath": "/etc/ssl",
            "readOnly": true
          },
          {
            "name": "client-certs",
            "mountPath": "/etc/tls",
            "readOnly": true
          }
        ]
      }
    ],
    "volumes": [
      {
        "name": "ca-certs",
        "secret": {
          "secretName": "dragonfly-sample"
        }
      },
      {
        "name": "client-certs",
        "secret": {
          "secretName": "dragonfly-client-ca"
        }
      }
    ]
  }
}'
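An added example, not part of this page or of the Dragonfly project, that reproduces the trust model the manifests above set up and checks it end to end: a self-signed client cert that is also the trusted "CA" (what the SelfSigned issuer produces), no client certificate, and a certificate from an unrelated issuer. The in-process TLS server stands in for the Dragonfly instance; the names dragonfly-sample.default, dragonfly-client-ca.com and rogue.example are assumptions, and the +OK greeting is only a marker that the handshake was accepted, not Dragonfly's protocol. To run the same three probes against the real service, replace the pipe with tls.Dial to dragonfly-sample.default:6379 using the mounted ca.crt, tls.crt and tls.key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a certificate signed by its own key, which is what a
// cert-manager SelfSigned Issuer produces; cert-manager also copies that same
// certificate into the secret's ca.crt, so the "client CA" trusted above is
// exactly the one client certificate.
func selfSigned(dnsName string, eku x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(2160 * time.Hour), // 90d, as in the Certificate specs above
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// accepted connects the way the redis-cli pod above does (--cacert, plus
// --cert/--key when certs is non-empty) and reports whether the server let it
// in. The Read matters: under TLS 1.3 the client's handshake completes before
// the server has judged the client certificate, so a rejection surfaces only then.
func accepted(serverCfg *tls.Config, serverName string, serverCA *x509.Certificate, certs []tls.Certificate) bool {
	c, s := net.Pipe()
	go func() { // the server side: a failed handshake sends the client a TLS alert
		tc := tls.Server(s, serverCfg)
		defer tc.Close()
		if tc.Handshake() == nil {
			tc.Write([]byte("+OK\r\n"))
		}
	}()
	cfg := &tls.Config{RootCAs: x509.NewCertPool(), ServerName: serverName, Certificates: certs}
	cfg.RootCAs.AddCert(serverCA)
	conn := tls.Client(c, cfg)
	defer conn.Close()
	if conn.Handshake() != nil {
		return false
	}
	_, err := conn.Read(make([]byte, 5))
	return err == nil
}

// Demo runs the three checks worth making after applying the manifests above:
// the trusted client cert, no client cert, and a cert from an unrelated issuer.
func Demo() (trusted, noCert, untrusted bool) {
	const serverName = "dragonfly-sample.default" // must be among the serving cert's dnsNames
	serving := selfSigned(serverName, x509.ExtKeyUsageServerAuth)
	client := selfSigned("dragonfly-client-ca.com", x509.ExtKeyUsageClientAuth)
	rogue := selfSigned("rogue.example", x509.ExtKeyUsageClientAuth) // never added to the pool
	// Dragonfly side: serving cert from tlsSecretRef, trusted client CA from
	// clientCaCertSecret, and a client certificate is mandatory.
	pool := x509.NewCertPool()
	pool.AddCert(client.Leaf)
	srv := &tls.Config{
		Certificates: []tls.Certificate{serving},
		ClientCAs:    pool,
		ClientAuth:   tls.RequireAndVerifyClientCert,
	}
	trusted = accepted(srv, serverName, serving.Leaf, []tls.Certificate{client})
	noCert = accepted(srv, serverName, serving.Leaf, nil)
	untrusted = accepted(srv, serverName, serving.Leaf, []tls.Certificate{rogue})
	return
}

func main() { fmt.Println(Demo()) }
```

Only the first probe may succeed. If the no-certificate probe is accepted, the server is doing plain TLS rather than mutual TLS; if the rogue probe is accepted, the trusted pool is wider than intended. Note also what the self-signed shortcut implies: trusting a single leaf certificate means every client shares one identity, so revoking or rotating it is an all-or-nothing change.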