
Dragonfly Instance Authentication

This guide provides step-by-step instructions for setting up Dragonfly with authentication. Currently, Dragonfly supports two types of authentication: password-based authentication and TLS-based (client certificate) authentication.

Prerequisites

Password-based authentication

Password-based authentication is the simplest way to secure your Dragonfly instance. You store the password in a Kubernetes Secret and reference that Secret from the Dragonfly resource; clients must then authenticate with the password (AUTH) before they can run commands.

Create a secret

kubectl create secret generic dragonfly-auth --from-literal=password=dragonfly

Deploy Dragonfly with authentication

kubectl apply -f - <<EOF
apiVersion: dragonflydb.io/v1alpha1
kind: Dragonfly
metadata:
  name: dragonfly-auth
spec:
  authentication:
    passwordFromSecret:
      name: dragonfly-auth
      key: password
  replicas: 2
EOF

Check the status of the Dragonfly instance

kubectl describe dragonflies.dragonflydb.io dragonfly-auth

Connecting to Dragonfly

kubectl run -it --rm --restart=Never redis-cli --image=redis:7.0.10 -- redis-cli -h dragonfly-auth.default
if you don't see a command prompt, try pressing enter.
dragonfly-auth.default:6379> GET 1
(error) NOAUTH Authentication required.
dragonfly-auth.default:6379> AUTH dragonfly
OK
dragonfly-auth.default:6379> GET 1
(nil)
dragonfly-auth.default:6379> SET 1 2
OK
dragonfly-auth.default:6379> GET 1
"2"
dragonfly-auth.default:6379> exit

TLS-based authentication

TLS-based authentication (mutual TLS) is the stronger option. First, TLS must be configured on the Dragonfly instance. Then you specify the CA certificates that the instance trusts; a client can only connect if it presents a certificate signed by one of those trusted CAs.

Create a TLS secret for Dragonfly through cert-manager

Install cert-manager

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml

Create a self-signed Issuer

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
spec:
  selfSigned: {}
EOF

Request a TLS certificate

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dragonfly-sample
spec:
  secretName: dragonfly-sample
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - dragonfly-sample
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  dnsNames:
    - dragonfly-sample.com
    - www.dragonfly-sample.com
  issuerRef:
    name: ca-issuer
    kind: Issuer
    group: cert-manager.io
EOF

Generate a client certificate signed by a client CA

Create a Client CA

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: client-ca-issuer
spec:
  selfSigned: {}
EOF

Request a Client certificate

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dragonfly-client-ca
spec:
  secretName: dragonfly-client-ca
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - dragonfly-client-ca
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  dnsNames:
    - dragonfly-client-ca.com
    - www.dragonfly-client-ca.com
  usages:
    - client auth
  issuerRef:
    name: client-ca-issuer
    kind: Issuer
    group: cert-manager.io
EOF

Create a Dragonfly instance with TLS

kubectl apply -f - <<EOF
apiVersion: dragonflydb.io/v1alpha1
kind: Dragonfly
metadata:
  name: dragonfly-sample
spec:
  authentication:
    clientCaCertSecret:
      name: dragonfly-client-ca
      key: ca.crt
  replicas: 2
  tlsSecretRef:
    name: dragonfly-sample
EOF

Verify the Dragonfly instance is ready

kubectl describe dragonflies.dragonflydb.io dragonfly-sample

Connecting to Dragonfly With TLS

You should be able to connect to the Dragonfly instance only if you present a client certificate signed by the client CA. The pod below mounts the server's TLS secret (for --cacert, to verify the server) and the client certificate secret (for --cert and --key).

kubectl run -it --rm redis-cli --image=redis:7.0.10 --restart=Never --overrides='
{
  "spec": {
    "containers": [
      {
        "name": "redis-cli",
        "image": "redis:7.0.10",
        "tty": true,
        "stdin": true,
        "command": [
          "redis-cli",
          "-h",
          "dragonfly-sample.default",
          "--tls",
          "--cacert",
          "/etc/ssl/ca.crt",
          "--cert",
          "/etc/tls/tls.crt",
          "--key",
          "/etc/tls/tls.key"
        ],
        "volumeMounts": [
          {
            "name": "ca-certs",
            "mountPath": "/etc/ssl",
            "readOnly": true
          },
          {
            "name": "client-certs",
            "mountPath": "/etc/tls",
            "readOnly": true
          }
        ]
      }
    ],
    "volumes": [
      {
        "name": "ca-certs",
        "secret": {
          "secretName": "dragonfly-sample"
        }
      },
      {
        "name": "client-certs",
        "secret": {
          "secretName": "dragonfly-client-ca"
        }
      }
    ]
  }
}'
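Before handing a client certificate to redis-cli, it is worth checking offline that it is what the clientCaCertSecret check will accept: it must chain to the CA in ca.crt and carry the client auth usage. The script below is an added example, not part of the Dragonfly docs; it assumes the openssl CLI is installed and builds a throwaway CA, a client certificate it signed, and an unrelated self-signed certificate, instead of reading the cluster secrets.

```shell
#!/bin/sh
# Added example (not from the Dragonfly docs): offline check of what a
# client-CA-based TLS setup enforces. Assumes the openssl CLI is installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fixtures: a throwaway "client CA", a client certificate it
# signed with the clientAuth EKU, and an unrelated self-signed certificate.
gen_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/ext.cnf"
  openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ext.cnf" \
    -out "$WORK/client.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
}

# check_client_cert CA_FILE CERT_FILE
# Returns 0 only if CERT_FILE chains to CA_FILE and is explicitly marked
# for TLS client authentication; anything else is rejected.
check_client_cert() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -text | grep -q 'TLS Web Client Authentication'
}

gen_fixtures
if check_client_cert "$WORK/ca.crt" "$WORK/client.crt"; then
  echo "client.crt: accepted (signed by the CA, client auth usage present)"
fi
if ! check_client_cert "$WORK/ca.crt" "$WORK/rogue.crt"; then
  echo "rogue.crt: rejected (not signed by the CA)"
fi
```

To run the same check against the real secrets, export them with `kubectl get secret dragonfly-client-ca -o jsonpath='{.data.ca\.crt}' | base64 -d` (and likewise `tls.crt`) and pass the two files to check_client_cert.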