Run Redis with TLS/SSL (Transport Encryption)
KubeDB supports providing TLS/SSL encryption for Redis. This tutorial will show you how to use KubeDB to run a Redis database with TLS/SSL encryption.
Before You Begin
First, you need a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with it. If you do not already have a cluster, you can create one by using kind.
Install cert-manager v1.0.0 or later in your cluster to manage your SSL/TLS certificates. Then install the KubeDB CLI on your workstation and the KubeDB operator in your cluster, following the steps here.
To keep things isolated, this tutorial uses a separate namespace called demo throughout.
$ kubectl create ns demo
namespace/demo created
Note: YAML files used in this tutorial are stored in docs/examples/redis folder in GitHub repository kubedb/docs.
Overview
KubeDB uses the following CRD fields to enable SSL/TLS encryption in Redis:
spec:
  tls:
    issuerRef
    certificate
Read about these fields in detail in the Redis concept guide.
Create Issuer/ClusterIssuer
We are going to create an example Issuer that will be used throughout this tutorial to enable SSL/TLS in Redis. Alternatively, you can follow this cert-manager tutorial to create your own Issuer.
- Start off by generating your CA certificate using openssl.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./ca.key -out ./ca.crt -subj "/CN=redis/O=kubedb"
- Now create a CA secret using the certificate files you have just generated.
kubectl create secret tls redis-ca \
  --cert=ca.crt \
  --key=ca.key \
  --namespace=demo
Now, create an Issuer using the CA secret you have just created. The YAML file looks like this:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: redis-ca-issuer
  namespace: demo
spec:
  ca:
    secretName: redis-ca
Apply the YAML file:
$ kubectl create -f https://github.com/kubedb/docs/raw/v2023.11.2/docs/examples/redis/tls/issuer.yaml
issuer.cert-manager.io/redis-ca-issuer created
TLS/SSL encryption in Redis Cluster
Below is the YAML for a Redis Cluster with TLS enabled.
apiVersion: kubedb.com/v1alpha2
kind: Redis
metadata:
  name: rd-tls
  namespace: demo
spec:
  version: "6.2.5"
  mode: Cluster
  cluster:
    master: 3
    replicas: 1
  tls:
    issuerRef:
      apiGroup: "cert-manager.io"
      kind: Issuer
      name: redis-ca-issuer
  storage:
    storageClassName: "standard"
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi
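The Overview lists the CRD fields that turn TLS on, and the manifest above is one concrete instance of them. The following script is an added example (not part of the KubeDB docs or code base): it audits Redis objects in the JSON form that `kubectl get redis -A -o json` returns and reports any object whose spec.tls.issuerRef does not point at a cert-manager Issuer or ClusterIssuer, which is the shape this page uses. The sample objects embedded below are constructed from the rd-tls manifest; the plaintext and bad-reference variants are constructed for illustration.

```python
"""Audit KubeDB Redis objects for the TLS configuration this page describes.

Added example, not KubeDB code. Input is the JSON form of Redis objects
(e.g. the `items` array of `kubectl get redis -A -o json`).
"""
import json

CERT_MANAGER_GROUP = "cert-manager.io"
ALLOWED_ISSUER_KINDS = ("Issuer", "ClusterIssuer")


def tls_findings(redis_obj):
    """Return a list of problems with spec.tls on one Redis object.

    An empty list means TLS is configured the way the Overview describes:
    spec.tls.issuerRef names a cert-manager Issuer or ClusterIssuer.
    """
    spec = redis_obj.get("spec") or {}
    tls = spec.get("tls")
    if not tls:
        # Without spec.tls the database is run without transport encryption.
        return ["spec.tls is missing: clients will connect in plaintext"]
    ref = tls.get("issuerRef") or {}
    findings = []
    if ref.get("apiGroup") != CERT_MANAGER_GROUP:
        findings.append(f"spec.tls.issuerRef.apiGroup must be {CERT_MANAGER_GROUP!r}")
    if ref.get("kind") not in ALLOWED_ISSUER_KINDS:
        findings.append("spec.tls.issuerRef.kind must be Issuer or ClusterIssuer")
    if not ref.get("name"):
        findings.append("spec.tls.issuerRef.name is empty")
    return findings


def audit(items):
    """Map 'namespace/name' -> findings for every Redis object in `items`."""
    return {
        f"{o['metadata']['namespace']}/{o['metadata']['name']}": tls_findings(o)
        for o in items
    }


# Constructed sample: the rd-tls object from this page, in JSON form.
RD_TLS = """{
  "apiVersion": "kubedb.com/v1alpha2", "kind": "Redis",
  "metadata": {"name": "rd-tls", "namespace": "demo"},
  "spec": {
    "version": "6.2.5", "mode": "Cluster",
    "cluster": {"master": 3, "replicas": 1},
    "tls": {"issuerRef": {"apiGroup": "cert-manager.io",
                           "kind": "Issuer", "name": "redis-ca-issuer"}}
  }
}"""

# Constructed sample: same object with spec.tls left out entirely.
RD_PLAIN = """{
  "apiVersion": "kubedb.com/v1alpha2", "kind": "Redis",
  "metadata": {"name": "rd-plain", "namespace": "demo"},
  "spec": {"version": "6.2.5", "mode": "Cluster",
           "cluster": {"master": 3, "replicas": 1}}
}"""

# Constructed sample: issuerRef points at the wrong kind of object.
RD_BAD_REF = """{
  "apiVersion": "kubedb.com/v1alpha2", "kind": "Redis",
  "metadata": {"name": "rd-badref", "namespace": "demo"},
  "spec": {"version": "6.2.5", "mode": "Cluster",
           "tls": {"issuerRef": {"apiGroup": "cert-manager.io",
                                 "kind": "Secret", "name": "redis-ca"}}}
}"""

if __name__ == "__main__":
    objects = [json.loads(s) for s in (RD_TLS, RD_PLAIN, RD_BAD_REF)]
    for name, findings in audit(objects).items():
        print(name, "OK" if not findings else findings)
```

In a real cluster, feed it the output of `kubectl get redis -A -o json | python3 -c 'import json,sys; ...'` or run it as a periodic job; an object that lands in the plaintext bucket is one whose clients can be observed on the wire.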
Deploy Redis Cluster
$ kubectl create -f https://github.com/kubedb/docs/raw/v2023.11.2/docs/examples/redis/tls/rd-cluster-ssl.yaml
redis.kubedb.com/rd-tls created
Now, wait until rd-tls has status Ready, i.e.,
$ watch kubectl get rd -n demo
Every 2.0s: kubectl get redis -n demo
NAME VERSION STATUS AGE
rd-tls 6.2.5 Ready 2m14s
Verify TLS/SSL in Redis Cluster
Now, verify that TLS has been set up as intended. First, inspect the client certificate secret that KubeDB created for the database:
$ kubectl describe secret -n demo rd-tls-client-cert
Name: rd-tls-client-cert
Namespace: demo
Labels: app.kubernetes.io/component=database
app.kubernetes.io/instance=rd-tls
app.kubernetes.io/managed-by=kubedb.com
app.kubernetes.io/name=redises.kubedb.com
Annotations: cert-manager.io/alt-names:
cert-manager.io/certificate-name: rd-tls-client-cert
cert-manager.io/common-name: default
cert-manager.io/ip-sans:
cert-manager.io/issuer-group: cert-manager.io
cert-manager.io/issuer-kind: Issuer
cert-manager.io/issuer-name: redis-ca-issuer
cert-manager.io/uri-sans:
Type: kubernetes.io/tls
Data
====
ca.crt: 1147 bytes
tls.crt: 1127 bytes
tls.key: 1679 bytes
Now, let's exec into a Redis container and find out the username to use when connecting with the Redis shell:
$ kubectl exec -it -n demo rd-tls-shard0-0 -c redis -- bash
root@rd-tls-shard0-0:/data# ls /certs
ca.crt client.crt client.key server.crt server.key
root@rd-tls-shard0-0:/data# apt-get update; apt-get install openssl;
...
root@rd-tls-shard0-0:/data# openssl x509 -in /certs/ca.crt -inform PEM -subject -nameopt RFC2253 -noout
subject=O=kubedb,CN=redis
Now we can connect to Redis from the container using the client certificate (subject CN=redis,O=kubedb) and write some data:
$ kubectl exec -it -n demo rd-tls-shard0-0 -c redis -- bash
# Trying to connect without tls certificates
root@rd-tls-0:/data# redis-cli
127.0.0.1:6379>
127.0.0.1:6379> set hello world
# Can not write data
Error: Connection reset by peer
# Trying to connect with tls certificates
root@rd-tls-0:/data# redis-cli --tls --cert "/certs/client.crt" --key "/certs/client.key" --cacert "/certs/ca.crt"
127.0.0.1:6379>
127.0.0.1:6379> set hello world
OK
127.0.0.1:6379> exit
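The redis-cli session above shows the two outcomes to expect: a plaintext connection is reset, and a connection that presents the client certificate and verifies the server against ca.crt succeeds. The following script is an added example (not from this page or KubeDB) that does the same from a client program: it builds a mutual-TLS context the way `--tls --cert --key --cacert` does, speaks a minimal RESP (the Redis wire protocol), and runs the SET/GET from the session. The host name rd-tls.demo.svc and the certificate paths are assumptions; use the service name that your server certificate's SANs actually cover, since hostname verification is left on.

```python
"""Mutual-TLS Redis check: what `redis-cli --tls --cert --key --cacert` does.

Added example, not KubeDB code. Assumed: Redis reachable at HOST:PORT and
the certificate files below (the paths the page shows inside the pod).
"""
import socket
import ssl

HOST = "rd-tls.demo.svc"          # assumed service name; must match server cert SANs
PORT = 6379
CA_FILE = "/certs/ca.crt"         # assumed paths, as listed in /certs on the page
CERT_FILE = "/certs/client.crt"
KEY_FILE = "/certs/client.key"


def encode_command(*parts):
    """Encode a command as a RESP array of bulk strings, e.g. SET hello world."""
    out = [f"*{len(parts)}\r\n".encode()]
    for p in parts:
        b = p.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)


def parse_reply(data):
    """Parse one simple-string, error, integer or bulk reply; return (value, rest)."""
    kind, body = data[:1], data[1:]
    line, _, rest = body.partition(b"\r\n")
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        raise RuntimeError(line.decode())          # e.g. -NOAUTH, -MOVED in cluster mode
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        n = int(line)
        if n == -1:
            return None, rest                     # null bulk string (missing key)
        return rest[:n].decode(), rest[n + 2:]
    raise ValueError(f"unsupported reply type {kind!r}")


def make_client_context(cafile, certfile, keyfile):
    """Mutual TLS: verify the server against our CA and present our client cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED           # refuse servers not signed by ca.crt
    ctx.check_hostname = True                     # the dialed name must be in the SANs
    ctx.load_cert_chain(certfile, keyfile)        # the CN of this cert is the Redis user
    return ctx


def redis_set_get(host, port, ctx, key, value):
    """Run SET key value; GET key over TLS and return (set_status, get_value)."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(encode_command("SET", key, value))
            status, _ = parse_reply(tls.recv(4096))
            tls.sendall(encode_command("GET", key))
            got, _ = parse_reply(tls.recv(4096))
            return status, got


def plaintext_is_refused(host, port):
    """True if a non-TLS client cannot complete a command (expected on a TLS-only port)."""
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            raw.sendall(encode_command("PING"))
            return raw.recv(64) != b"+PONG\r\n"
    except (ConnectionResetError, socket.timeout, OSError):
        return True


if __name__ == "__main__":
    ctx = make_client_context(CA_FILE, CERT_FILE, KEY_FILE)
    print("plaintext refused:", plaintext_is_refused(HOST, PORT))
    print("mutual TLS SET/GET:", redis_set_get(HOST, PORT, ctx, "hello", "world"))
```

Running it from inside the rd-tls-shard0-0 pod (where /certs is mounted) should report that plaintext is refused and that the TLS round trip returns ('OK', 'world'), matching the redis-cli session; a handshake failure with a certificate-verify error means the server certificate was not issued by the CA in ca.crt or its SANs do not cover the name you dialed.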
Cleaning up
To clean up the Kubernetes resources created by this tutorial, run:
$ kubectl patch -n demo redis/rd-tls -p '{"spec":{"terminationPolicy":"WipeOut"}}' --type="merge"
redis.kubedb.com/rd-tls patched
$ kubectl delete -n demo redis rd-tls
redis.kubedb.com "rd-tls" deleted
$ kubectl delete issuer -n demo redis-ca-issuer
issuer.cert-manager.io "redis-ca-issuer" deleted
Next Steps
- Detailed concepts of the Redis object.
- Backup and restore Redis databases using Stash.
- Monitor your Redis database with KubeDB using the out-of-the-box Prometheus operator.
- Monitor your Redis database with KubeDB using the out-of-the-box builtin Prometheus.