Dragonfly With Server TLS

This guide will walk you through setting up Dragonfly with TLS. With TLS enabled, you can have encrypted communication between your clients and the Dragonfly instance.

Prerequisites

  • A Kubernetes cluster with kubectl configured to access it.
  • Dragonfly Operator installed in your cluster.

Generate a Cert with Cert Manager

Cert Manager is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources. In this guide, we will use the self-signed issuer to generate a cert.

You can also skip this step and use a manually generated self-signed cert instead. The Operator only expects a secret to be present that contains the tls.crt and tls.key keys.

Install Cert Manager

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml

Create a self-signed issuer:

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
spec:
  selfSigned: {}
EOF

Request a certificate from the self-signed issuer:

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dragonfly-sample
spec:
  # Secret names are always required.
  secretName: dragonfly-sample
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - dragonfly-sample
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: example.com
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  # At least one of a DNS Name, URI, or IP address is required.
  dnsNames:
    - dragonfly-sample.com
    - www.dragonfly-sample.com
  # Issuer references are always required.
  issuerRef:
    name: ca-issuer
    kind: Issuer
    group: cert-manager.io
EOF
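The manual alternative mentioned above (a self-signed cert without Cert Manager), as an added example that is not part of the Dragonfly docs: a POSIX shell script that generates a throw-away CA and a server cert matching the Certificate spec (RSA 2048, 90-day validity, the same dnsNames), writes the Secret manifest the Operator expects, and checks the chain and SANs before you apply it. It assumes openssl and base64 are installed; the file paths, the secret layout and the extra dragonfly-sample.default SAN (the in-cluster name the redis-cli step later connects to) are our own choices.

```shell
#!/bin/sh
# Added example, not from the Dragonfly docs: build the "manually generated"
# TLS secret the Operator expects (tls.crt, tls.key), with ca.crt alongside for
# clients, and verify it before applying. Needs openssl and base64; file and
# secret names here are our own choice.
set -eu

# make_tls_secret DIR SECRET_NAME DNS_NAME...
# Writes ca.crt, tls.crt, tls.key and a Secret manifest (secret.yaml) into DIR.
make_tls_secret() {
  local dir="$1" name="$2" sans
  shift 2
  sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}   # DNS:a,DNS:b
  mkdir -p "$dir"
  # Throw-away CA, standing in for cert-manager's self-signed issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=$name/CN=$name-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server key and CSR; RSA 2048 matches the Certificate spec above.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/O=$name" \
    -keyout "$dir/tls.key" -out "$dir/tls.csr" 2>/dev/null
  # Sign for 90 days (duration: 2160h) with the SANs the clients will dial.
  printf 'subjectAltName=%s\n' "$sans" > "$dir/san.ext"
  openssl x509 -req -in "$dir/tls.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$dir/san.ext" -out "$dir/tls.crt" 2>/dev/null
  # Secret with the keys the Operator reads, plus ca.crt for the redis-cli step.
  {
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$name"
    printf 'type: kubernetes.io/tls\ndata:\n'
    for f in tls.crt tls.key ca.crt; do
      printf '  %s: %s\n' "$f" "$(base64 < "$dir/$f" | tr -d '\n')"
    done
  } > "$dir/secret.yaml"
}

# verify_tls_secret DIR DNS_NAME: the leaf chains to ca.crt and lists DNS_NAME
# as a SAN, so the name a client dials is actually covered by the cert.
verify_tls_secret() {
  openssl verify -CAfile "$1/ca.crt" "$1/tls.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/tls.crt" -noout -text > "$1/tls.txt" 2>/dev/null || return 1
  grep -qwF "DNS:$2" "$1/tls.txt"
}

# Usage: the two names from the Certificate above plus the in-cluster name the
# redis-cli step dials (dragonfly-sample.default); that third SAN is our addition.
# make_tls_secret ./tls dragonfly-sample dragonfly-sample.com www.dragonfly-sample.com dragonfly-sample.default
# verify_tls_secret ./tls dragonfly-sample.default && kubectl apply -f ./tls/secret.yaml
```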

Dragonfly Instance With TLS

With TLS enabled, Dragonfly supports two mechanisms for authenticating its clients: a password or a CA root certificate. Below, we use password authentication, so we first store the password in a secret:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: dragonfly-password
type: Opaque
stringData:
  password: dragonfly
EOF

Create a Dragonfly instance that references the TLS secret and at least one of the authentication mechanisms described above:

kubectl apply -f - <<EOF
apiVersion: dragonflydb.io/v1alpha1
kind: Dragonfly
metadata:
  name: dragonfly-sample
spec:
  authentication:
    passwordFromSecret:
      name: dragonfly-password
      key: password
  replicas: 2
  tlsSecretRef:
    name: dragonfly-sample
EOF

Check the status of the Dragonfly instance:

kubectl describe dragonflies.dragonflydb.io dragonfly-sample

Connecting to Dragonfly

Cert Manager stores the CA cert under the ca.crt key of the dragonfly-sample secret in the default namespace. We hand that CA to the client when connecting to Dragonfly; this is required because the self-signed cert is not trusted by default.

Create a redis-cli container with ca.crt mounted from that secret:

kubectl run -it --rm redis-cli --image=redis:7.0.10 --restart=Never --overrides='
{
  "spec": {
    "containers": [
      {
        "name": "redis-cli",
        "image": "redis:7.0.10",
        "tty": true,
        "stdin": true,
        "command": [
          "redis-cli",
          "-h",
          "dragonfly-sample.default",
          "-a",
          "dragonfly",
          "--tls",
          "--cacert",
          "/etc/ssl/ca.crt"
        ],
        "volumeMounts": [
          {
            "name": "ca-certs",
            "mountPath": "/etc/ssl",
            "readOnly": true
          }
        ]
      }
    ],
    "volumes": [
      {
        "name": "ca-certs",
        "secret": {
          "secretName": "dragonfly-sample",
          "items": [
            {
              "key": "ca.crt",
              "path": "ca.crt"
            }
          ]
        }
      }
    ]
  }
}'

You should see the redis-cli prompt and can run Redis commands over the TLS connection.