Merge pull request #228 from Kuadrant/sandbox-redis-tls-requirepass

new sandbox: secured redis

README.md

@@ -15,7 +15,7 @@ port, that implements the Envoy Rate Limit protocol (v3).
 - [**Getting started**](#getting-started)
 - [**How it works**](/doc/how-it-works.md)
 - [**Development**](#development)
-- [**Testing Environment**](limitador-server/docs/sandbox.md)
+- [**Testing Environment**](limitador-server/sandbox/README.md)
 - [**Kubernetes**](limitador-server/kubernetes/)
 - [**Contributing**](#contributing)
 - [**License**](#license)

doc/server/configuration.md

@@ -140,6 +140,32 @@ itself, providing accuracy over these, races tho can occur when multiple Limitad
 redis and using "stacked" limits (i.e. over different periods). Latency is also impacted, as it results in one
 additional hop to talk to redis and maintain the counters.
 
+**TLS Support**
+
+Connect to a redis instance using the `rediss://` URL scheme.
+
+To enable insecure mode, append `#insecure` at the end of the URL. For example:
+
+```
+limitador-server <LIMITS_FILE> redis rediss://127.0.0.1/#insecure"
+```
+
+**Authentication**
+
+To enable authentication, use the username and password properties of the URL scheme. For example:
+
+```
+limitador-server <LIMITS_FILE> redis redis://my-username:my-password@127.0.0.1"
+```
+
+when the username is omitted, redis assumes `default` user. For example:
+
+```
+limitador-server <LIMITS_FILE> redis redis://:my-password@127.0.0.1"
+```
+
+**Usage**
+
 ```
 Uses Redis to store counters
 
@@ -159,6 +185,32 @@ Limitador servers. This lowers the latency, but sacrifices some accuracy as it w
 coalesce counters updates to redis over time. See [this configuration](#redis_local_cache_enabled) option for more
 information.
 
+**TLS Support**
+
+Connect to a redis instance using the `rediss://` URL scheme.
+
+To enable insecure mode, append `#insecure` at the end of the URL. For example:
+
+```
+limitador-server <LIMITS_FILE> redis rediss://127.0.0.1/#insecure"
+```
+
+**Authentication**
+
+To enable authentication, use the username and password properties of the URL scheme. For example:
+
+```
+limitador-server <LIMITS_FILE> redis redis://my-username:my-password@127.0.0.1"
+```
+
+when the username is omitted, redis assumes `default` user. For example:
+
+```
+limitador-server <LIMITS_FILE> redis redis://:my-password@127.0.0.1"
+```
+
+**Usage**
+
 ```
 Uses Redis to store counters, with an in-memory cache
 

limitador-server/sandbox/.gitignore

@@ -0,0 +1,4 @@
+*.crt
+*.key
+*.pem
+*.csr

limitador-server/sandbox/Makefile

@@ -3,8 +3,7 @@ SHELL := /bin/bash
 MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST)))
 PROJECT_PATH := $(patsubst %/,%,$(dir $(MKFILE_PATH)))
 
-DOCKER_COMPOSE ?= $(shell which docker-compose 2>/dev/null)
-DOCKER ?= $(shell which docker 2>/dev/null || echo "docker")
+DOCKER ?= $(shell which docker 2> /dev/null || echo "docker")
 
 all: help
 
@@ -27,27 +26,56 @@ help: ## Display this help.
 ##@ Deployment Options
 
 deploy-in-memory: clean ## Counters are held in Limitador (ephemeral)
-	$(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-memory.yaml up
+	$(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-memory.yaml up
 
 deploy-redis: clean ## Uses Redis to store counters
-	$(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-redis.yaml up
+	$(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-redis.yaml up
+
+deploy-redis-tls: clean ## Uses Redis with TLS and password protected to store counters
+	$(MAKE) ca
+	$(MAKE) redis-client-certs
+	$(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-redis-tls.yaml up
 
 deploy-redis-cached: clean ## Uses Redis to store counters, with an in-memory cache
-	$(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-redis-cached.yaml up
+	$(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-redis-cached.yaml up
 
 deploy-disk: clean ## Uses disk to store counters
-	$(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-disk.yaml up
+	$(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-disk.yaml up
 
 deploy-infinispan: clean ## Uses Infinispan to store counters
-	$(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-infinispan.yaml up
+	$(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-infinispan.yaml up
 
 ##@ Helper targets
 
 build: ## Build "limitador-testing" image
 	$(DOCKER) build -t limitador-testing -f ../../Dockerfile ../../
 
-clean: ## clean all containers
-	- $(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-memory.yaml down --volumes --remove-orphans
-	- $(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-redis.yaml down --volumes --remove-orphans
-	- $(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-redis-cached.yaml down --volumes --remove-orphans
-	- $(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-infinispan.yaml down --volumes --remove-orphans
+ca: ## Create CA cert
+	openssl genrsa -out ca.key 2048
+	openssl req -batch -new -x509 -nodes -key ca.key -sha256 -days 1024 -out ca.crt
+
+redis-client-certs: ## Create CSR, then sign it with CA cert
+	openssl req -subj '/CN=redis'  -newkey rsa:4096 -nodes \
+			-sha256 \
+			-days 3650 \
+			-keyout redis.key \
+			-out redis.csr
+	chmod +r redis.key
+	openssl x509 -req -in redis.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out redis.crt -days 500 -sha256
+
+##@ Cleanning targets
+
+redis-clean-certs: ## Clean certs
+	- rm *.crt *.key *.pem *.csr
+
+clean-containers: ## clean containers
+	- $(DOCKER) compose down --volumes --remove-orphans
+	- $(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-memory.yaml down --volumes --remove-orphans
+	- $(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-redis.yaml down --volumes --remove-orphans
+	- $(DOCKER)_compose -f docker-compose-envoy.yaml -f docker-compose-limitador-redis-cached.yaml down --volumes --remove-orphans
+	- $(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-infinispan.yaml down --volumes --remove-orphans
+	- $(MAKE) cleancerts
+
+clean: ## clean all
+	- $(MAKE) clean-containers
+	- $(MAKE) redis-clean-certs

limitador-server/docs/sandbox.md → limitador-server/sandbox/README.md

@@ -2,8 +2,7 @@
 
 ### Requirements
 
-* *docker*
-* *docker-compose*
+* *docker* v24+
 
 ### Setup
 
@@ -22,6 +21,7 @@ Check out `make help` for all the targets.
 | ------------- | ----- | ----- |
 | In-memory configuration | `make deploy-in-memory` | Counters are held in Limitador (ephemeral) |
 | Redis | `make deploy-redis` | Uses Redis to store counters |
+| Redis Secured | `make deploy-redis-tls` | Uses Redis with TLS and password protected to store counters |
 | Redis Cached | `make deploy-redis-cached` | Uses Redis to store counters, with an in-memory cache |
 | Infinispan | `make deploy-infinispan` | Uses Infinispan to store counters |
 
@@ -61,8 +61,8 @@ The `LIMITADOR_IMAGE` environment variable overrides the default image. For exam
 make deploy-in-memory LIMITADOR_IMAGE=quay.io/kuadrant/limitador:latest
 ```
 
-### Tear Down
+### Clean env
 
 ```bash
-make tear-down
+make clean
 ```

limitador-server/sandbox/docker-compose-envoy.yaml

@@ -1,5 +1,5 @@
 ---
-version: '2.2'
+version: '3.8'
 services:
   envoy:
     image: envoyproxy/envoy:v1.20-latest

limitador-server/sandbox/docker-compose-limitador-disk.yaml

@@ -1,5 +1,5 @@
 ---
-version: '2.2'
+version: '3.8'
 services:
   limitador:
     image: ${LIMITADOR_IMAGE:-limitador-testing}

limitador-server/sandbox/docker-compose-limitador-infinispan.yaml

@@ -1,5 +1,5 @@
 ---
-version: '2.2'
+version: '3.8'
 services:
   limitador:
     image: ${LIMITADOR_IMAGE:-limitador-testing}

limitador-server/sandbox/docker-compose-limitador-memory.yaml

@@ -1,5 +1,5 @@
 ---
-version: '2.2'
+version: '3.8'
 services:
   limitador:
     image: ${LIMITADOR_IMAGE:-limitador-testing}

limitador-server/sandbox/docker-compose-limitador-redis-cached.yaml

@@ -1,5 +1,5 @@
 ---
-version: '2.2'
+version: '3.8'
 services:
   limitador:
     image: ${LIMITADOR_IMAGE:-limitador-testing}

limitador-server/sandbox/docker-compose-limitador-redis-tls.yaml

@@ -0,0 +1,42 @@
+---
+version: '3.8'
+services:
+  limitador:
+    image: ${LIMITADOR_IMAGE:-limitador-testing}
+    depends_on:
+      - envoy
+      - redis
+    command:
+      - limitador-server
+      - --rls-ip
+      - 0.0.0.0
+      - --rls-port
+      - "8081"
+      - --http-ip
+      - 0.0.0.0
+      - --http-port
+      - "8080"
+      - -vvv
+      - /opt/kuadrant/limits/limits.yaml
+      - redis
+      - rediss://:foobared@redis:6379/#insecure
+    expose:
+      - "8080"
+      - "8081"
+    ports:
+      - "18080:8080"
+    volumes:
+      - ./limits.yaml:/opt/kuadrant/limits/limits.yaml
+  redis:
+    image: redis:6.2
+    restart: always
+    ports:
+      - '6379:6379'
+    command:
+      - redis-server
+      - /usr/local/etc/redis/redis.conf
+    volumes:
+      - ./redis-tls/redis-config.conf:/usr/local/etc/redis/redis.conf
+      - ./redis.crt:/usr/local/etc/redis/certs/redis.crt
+      - ./redis.key:/usr/local/etc/redis/certs/redis.key
+      - ./ca.crt:/usr/local/etc/redis/certs/ca.crt

limitador-server/sandbox/docker-compose-limitador-redis.yaml

@@ -1,5 +1,5 @@
 ---
-version: '2.2'
+version: '3.8'
 services:
   limitador:
     image: ${LIMITADOR_IMAGE:-limitador-testing}

limitador-server/sandbox/redis-tls/README.md

@@ -0,0 +1,13 @@
+### Testing  redis security
+
+Execute bash shell in redis pod
+
+```
+docker compose -p sandbox exec redis /bin/bash
+```
+
+Connect to this Redis server with redis-cli:
+
+```
+root@e024a29b74ba:/data# redis-cli --tls --cacert /usr/local/etc/redis/certs/ca.crt -a foobared
+```

limitador-server/sandbox/redis-tls/redis-config.conf

@@ -0,0 +1,7 @@
+requirepass foobared
+port 0
+tls-port 6379
+tls-cert-file /usr/local/etc/redis/certs/redis.crt
+tls-key-file /usr/local/etc/redis/certs/redis.key
+tls-ca-cert-file /usr/local/etc/redis/certs/ca.crt
+tls-auth-clients no