Dragonfly Instance Authentication

Dragonfly Instance Authentication

This guide provides step-by-step instructions for setting up Dragonfly with authentication. Currently, Dragonfly supports two types of authentication:

Password-based authentication through a secret
TLS-based authentication through a secret

Prerequisites

A Kubernetes cluster with Dragonfly installed

Password-based authentication

Password-based authentication is the simplest way to secure your Dragonfly instance. In this method, you can set a password for your Dragonfly instance through a secret. The password is then used to authenticate the clients.

Create a secret

kubectl create secret generic dragonfly-auth --from-literal=password=dragonfly

Deploy Dragonfly with authentication

kubectl apply -f - <<EOF
apiVersion: dragonflydb.io/v1alpha1
kind: Dragonfly
metadata:
  name: dragonfly-auth
spec:
    authentication:
      passwordFromSecret:
        name: dragonfly-auth
        key: password
    replicas: 2
EOF

Check the status of the Dragonfly instance

kubectl describe dragonflies.dragonflydb.io dragonfly-auth

Connecting to Dragonfly

kubectl run -it --rm --restart=Never redis-cli --image=redis:7.0.10 -- redis-cli -h dragonfly-auth.default
if you don't see a command prompt, try pressing enter.
dragonfly-auth.default:6379> GET 1
(error) NOAUTH Authentication required. 
dragonfly-auth.default:6379> AUTH dragonfly
OK
dragonfly-auth.default:6379> GET 1
(nil)
dragonfly-auth.default:6379> SET 1 2
OK
dragonfly-auth.default:6379> GET 1
"2"
dragonfly-auth.default:6379> exit

TLS-based authentication

TLS-based authentication is a more secure way to secure your Dragonfly instance. First, you need TLS configured on your Dragonfly instance. Then, you can specify a list of CA certificates that are trusted by the Dragonfly instance. The clients must present a certificate signed by one of the trusted CAs to connect to the Dragonfly instance.

Create a TLS secret for Dragonfly through cert-manager

Install cert-manager

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml

Create a self-signed certificate

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
spec:
  selfSigned: {}
EOF

Request a TLS certificate

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dragonfly-sample
spec:
  secretName: dragonfly-sample
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - dragonfly-sample
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  dnsNames:
    - dragonfly-sample.com
    - www.dragonfly-sample.com
  issuerRef:
    name: ca-issuer
    kind: Issuer
    group: cert-manager.io
EOF

Generate a client certificate signed by a client CA

Create a Client CA

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: client-ca-issuer
spec:
  selfSigned: {}
EOF

Request a Client certificate

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dragonfly-client-ca
spec:
    secretName: dragonfly-client-ca
    duration: 2160h # 90d
    renewBefore: 360h # 15d
    subject:
        organizations:
        - dragonfly-client-ca
    privateKey:
        algorithm: RSA
        encoding: PKCS1
        size: 2048
    dnsNames:
        - dragonfly-client-ca.com
        - www.dragonfly-client-ca.com
    usages:
        - client auth
    issuerRef:
        name: client-ca-issuer
        kind: Issuer
        group: cert-manager.io
EOF

Create a Dragonfly instance with TLS

kubectl apply -f - <<EOF
apiVersion: dragonflydb.io/v1alpha1
kind: Dragonfly
metadata:
  name: dragonfly-sample
spec:
    authentication:
      clientCaCertSecret:
        name: dragonfly-client-ca
        key: ca.crt
    replicas: 2
    tlsSecretRef:
      name: dragonfly-sample
EOF

Verify the Dragonfly instance is ready

kubectl describe dragonflies.dragonflydb.io dragonfly-sample

Connecting to Dragonfly With TLS

You should be able to connect to the Dragonfly instance only if you have a client certificate signed by the client CA.

kubectl run -it --rm redis-cli --image=redis:7.0.10 --restart=Never --overrides='
{
    "spec": {
        "containers": [
            {
                "name": "redis-cli",
                "image": "redis:7.0.10",
                "tty": true,
                "stdin": true,
                "command": [
                    "redis-cli",
                    "-h",
                    "dragonfly-sample.default",
                    "--tls",
                    "--cacert",
                    "/etc/ssl/ca.crt",
                    "--cert",
                    "/etc/tls/tls.crt",
                    "--key",
                    "/etc/tls/tls.key"
                ],
                "volumeMounts": [
                    {
                        "name": "ca-certs",
                        "mountPath": "/etc/ssl",
                        "readOnly": true
                    },
                    {
                        "name": "client-certs",
                        "mountPath": "/etc/tls",
                        "readOnly": true
                    }
                ]
            }
        ],
        "volumes": [
            {
                "name": "ca-certs",
                "secret": {
                    "secretName": "dragonfly-sample"
                }
            },
            {
                "name": "client-certs",
                "secret": {
                    "secretName": "dragonfly-client-ca"
                }
            }
        ]
    }
}'