From 6f6de1dc37c069078eed6ee3cefb68f8b953cdcb Mon Sep 17 00:00:00 2001
From: Eguzki Astiz Lezaun
Date: Fri, 1 Dec 2023 10:29:23 +0100
Subject: [PATCH 1/2] new sandbox: redis with tls and requirepass
---
 README.md | 2 +-
 doc/server/configuration.md | 52 +++++++++++++++++++
 limitador-server/sandbox/.gitignore | 4 ++
 limitador-server/sandbox/Makefile | 52 ++++++++++++++-----
 .../{docs/sandbox.md => sandbox/README.md} | 8 +--
 .../sandbox/docker-compose-envoy.yaml | 2 +-
 .../docker-compose-limitador-disk.yaml | 2 +-
 .../docker-compose-limitador-infinispan.yaml | 2 +-
 .../docker-compose-limitador-memory.yaml | 2 +-
 ...docker-compose-limitador-redis-cached.yaml | 2 +-
 .../docker-compose-limitador-redis-tls.yaml | 42 +++++++++++++++
 .../docker-compose-limitador-redis.yaml | 2 +-
 .../sandbox/redis-tls/redis-config.conf | 7 +++
 13 files changed, 156 insertions(+), 23 deletions(-)
 create mode 100644 limitador-server/sandbox/.gitignore
 rename limitador-server/{docs/sandbox.md => sandbox/README.md} (90%)
 create mode 100644 limitador-server/sandbox/docker-compose-limitador-redis-tls.yaml
 create mode 100644 limitador-server/sandbox/redis-tls/redis-config.conf
diff --git a/README.md b/README.md
index 4cdc7f04..68413592 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ port, that implements the Envoy Rate Limit protocol (v3).
 - [**Getting started**](#getting-started)
 - [**How it works**](/doc/how-it-works.md)
 - [**Development**](#development)
-- [**Testing Environment**](limitador-server/docs/sandbox.md)
+- [**Testing Environment**](limitador-server/sandbox/README.md)
 - [**Kubernetes**](limitador-server/kubernetes/)
 - [**Contributing**](#contributing)
 - [**License**](#license)
diff --git a/doc/server/configuration.md b/doc/server/configuration.md
index a79bad67..f76baf87 100644
--- a/doc/server/configuration.md
+++ b/doc/server/configuration.md
@@ -140,6 +140,32 @@ itself, providing accuracy over these, races tho can occur when multiple Limitad redis and using "stacked" limits (i.e. over different periods). Latency is also impacted, as it results in one additional hop to talk to redis and maintain the counters. +**TLS Support** + +Connect to a redis instance using the `rediss://` URL scheme. + +To enable insecure mode, append `#insecure` at the end of the URL. For example: + +``` +limitador-server redis rediss://127.0.0.1/#insecure" +``` + +**Authentication** + +To enable authentication, use the username and password properties of the URL scheme. For example: + +``` +limitador-server redis redis://my-username:my-password@127.0.0.1" +``` + +when the username is omitted, redis assumes `default` user. For example: + +``` +limitador-server redis redis://:my-password@127.0.0.1" +``` + +**Usage** + ``` Uses Redis to store counters @@ -159,6 +185,32 @@ Limitador servers. This lowers the latency, but sacrifices some accuracy as it w coalesce counters updates to redis over time. See [this configuration](#redis_local_cache_enabled) option for more information. +**TLS Support** + +Connect to a redis instance using the `rediss://` URL scheme. + +To enable insecure mode, append `#insecure` at the end of the URL. For example: + +``` +limitador-server redis rediss://127.0.0.1/#insecure" +``` + +**Authentication** + +To enable authentication, use the username and password properties of the URL scheme. For example: + +``` +limitador-server redis redis://my-username:my-password@127.0.0.1" +``` + +when the username is omitted, redis assumes `default` user. For example: + +``` +limitador-server redis redis://:my-password@127.0.0.1" +``` + +**Usage** + ``` Uses Redis to store counters, with an in-memory cache diff --git a/limitador-server/sandbox/.gitignore b/limitador-server/sandbox/.gitignore new file mode 100644 index 00000000..fc648bed --- /dev/null +++ b/limitador-server/sandbox/.gitignore 
@@ -0,0 +1,4 @@ +*.crt +*.key +*.pem +*.csr diff --git a/limitador-server/sandbox/Makefile b/limitador-server/sandbox/Makefile index 9061bb54..1fd82052 100644 --- a/limitador-server/sandbox/Makefile +++ b/limitador-server/sandbox/Makefile @@ -3,8 +3,7 @@ SHELL := /bin/bash MKFILE_PATH := $(abspath $(lastword $(MAKEFILE_LIST))) PROJECT_PATH := $(patsubst %/,%,$(dir $(MKFILE_PATH))) -DOCKER_COMPOSE ?= $(shell which docker-compose 2>/dev/null) -DOCKER ?= $(shell which docker 2>/dev/null || echo "docker") +DOCKER ?= $(shell which docker 2> /dev/null || echo "docker") all: help 
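Review bot: The new ignore list misses the serial file: `openssl x509 -req … -CAcreateserial` in the sandbox Makefile writes `ca.srl` next to `ca.crt`, so a `make deploy-redis-tls` run leaves an untracked artefact that a careless `git add .` picks up while the keys and certs stay hidden. Add `*.srl` to the list. The Makefile's `redis-clean-certs` target (`rm *.crt *.key *.pem *.csr`) has the same gap and should remove `*.srl` as well.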
@@ -27,27 +26,56 @@ help: ## Display this help. ##@ Deployment Options deploy-in-memory: clean ## Counters are held in Limitador (ephemeral) - $(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-memory.yaml up + $(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-memory.yaml up deploy-redis: clean ## Uses Redis to store counters - $(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-redis.yaml up + $(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-redis.yaml up + +deploy-redis-tls: clean ## Uses Redis with TLS and password protected to store counters + $(MAKE) ca + $(MAKE) redis-client-certs + $(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-redis-tls.yaml up deploy-redis-cached: clean ## Uses Redis to store counters, with an in-memory cache - $(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-redis-cached.yaml up + $(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-redis-cached.yaml up deploy-disk: clean ## Uses disk to store counters - $(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-disk.yaml up + $(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-disk.yaml up deploy-infinispan: clean ## Uses Infinispan to store counters - $(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-infinispan.yaml up + $(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-infinispan.yaml up ##@ Helper targets build: ## Build "limitador-testing" image $(DOCKER) build -t limitador-testing -f ../../Dockerfile ../../ -clean: ## clean all containers - - $(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-memory.yaml down --volumes --remove-orphans - - $(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-redis.yaml down --volumes --remove-orphans - - $(DOCKER_COMPOSE) -f 
docker-compose-envoy.yaml -f docker-compose-limitador-redis-cached.yaml down --volumes --remove-orphans - - $(DOCKER_COMPOSE) -f docker-compose-envoy.yaml -f docker-compose-limitador-infinispan.yaml down --volumes --remove-orphans +ca: ## Create CA cert + openssl genrsa -out ca.key 2048 + openssl req -batch -new -x509 -nodes -key ca.key -sha256 -days 1024 -out ca.crt + +redis-client-certs: ## Create CSR, then sign it with CA cert + openssl req -subj '/CN=redis' -newkey rsa:4096 -nodes \ + -sha256 \ + -days 3650 \ + -keyout redis.key \ + -out redis.csr + chmod +r redis.key + openssl x509 -req -in redis.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out redis.crt -days 500 -sha256 + +##@ Cleanning targets + +redis-clean-certs: ## Clean certs + - rm *.crt *.key *.pem *.csr + +clean-containers: ## clean containers + - $(DOCKER) compose down --volumes --remove-orphans + - $(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-memory.yaml down --volumes --remove-orphans + - $(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-redis.yaml down --volumes --remove-orphans + - $(DOCKER)_compose -f docker-compose-envoy.yaml -f docker-compose-limitador-redis-cached.yaml down --volumes --remove-orphans + - $(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-infinispan.yaml down --volumes --remove-orphans + - $(MAKE) cleancerts + +clean: ## clean all + - $(MAKE) clean-containers + - $(MAKE) redis-clean-certs diff --git a/limitador-server/docs/sandbox.md b/limitador-server/sandbox/README.md similarity index 90% rename from limitador-server/docs/sandbox.md rename to limitador-server/sandbox/README.md index f42dcfd8..2d4113a4 100644 --- a/limitador-server/docs/sandbox.md +++ b/limitador-server/sandbox/README.md @@ -2,8 +2,7 @@ ### Requirements -* *docker* -* *docker-compose* +* *docker* v24+ ### Setup 
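Review bot: In `clean-containers`, the redis-cached line reads `$(DOCKER)_compose -f …`, which expands to `docker_compose` and fails, and the leading `-` swallows that failure, so the redis-cached stack is never torn down; the same target also calls `$(MAKE) cleancerts`, which is not a target defined in this hunk (the certificate cleanup is `redis-clean-certs`, and `clean` already invokes it). Fix the first to `- $(DOCKER) compose -f docker-compose-envoy.yaml -f docker-compose-limitador-redis-cached.yaml down --volumes --remove-orphans` and drop the `cleancerts` line. Separately, `chmod +r redis.key` leaves the server's private key world-readable on the host; acceptable for a throwaway sandbox key that is regenerated on every `deploy-redis-tls` (it depends on `clean`), but say so in place: `# sandbox only: key must be readable by the uid running redis in the container`. The target name `redis-client-certs` is misleading since it produces the server certificate (`CN=redis`) that redis-config.conf serves; `redis-server-cert` would read correctly.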
@@ -22,6 +21,7 @@ Check out `make help` for all the targets. | ------------- | ----- | ----- | | In-memory configuration | `make deploy-in-memory` | Counters are held in Limitador (ephemeral) | | Redis | `make deploy-redis` | Uses Redis to store counters | +| Redis Secured | `make deploy-redis-tls` | Uses Redis with TLS and password protected to store counters | | Redis Cached | `make deploy-redis-cached` | Uses Redis to store counters, with an in-memory cache | | Infinispan | `make deploy-infinispan` | Uses Infinispan to store counters | @@ -61,8 +61,8 @@ The `LIMITADOR_IMAGE` environment variable overrides the default image. For exam make deploy-in-memory LIMITADOR_IMAGE=quay.io/kuadrant/limitador:latest ``` -### Tear Down +### Clean env ```bash -make tear-down +make clean ``` diff --git a/limitador-server/sandbox/docker-compose-envoy.yaml b/limitador-server/sandbox/docker-compose-envoy.yaml index 44cae511..c2305db8 100644 --- a/limitador-server/sandbox/docker-compose-envoy.yaml +++ b/limitador-server/sandbox/docker-compose-envoy.yaml @@ -1,5 +1,5 @@ --- -version: '2.2' +version: '3.8' services: envoy: image: envoyproxy/envoy:v1.20-latest diff --git a/limitador-server/sandbox/docker-compose-limitador-disk.yaml b/limitador-server/sandbox/docker-compose-limitador-disk.yaml index b6518b81..1ca6d6d9 100644 --- a/limitador-server/sandbox/docker-compose-limitador-disk.yaml +++ b/limitador-server/sandbox/docker-compose-limitador-disk.yaml @@ -1,5 +1,5 @@ --- -version: '2.2' +version: '3.8' services: limitador: image: ${LIMITADOR_IMAGE:-limitador-testing} diff --git a/limitador-server/sandbox/docker-compose-limitador-infinispan.yaml b/limitador-server/sandbox/docker-compose-limitador-infinispan.yaml index 1be9aeb1..1c3f2bb3 100644 --- a/limitador-server/sandbox/docker-compose-limitador-infinispan.yaml +++ b/limitador-server/sandbox/docker-compose-limitador-infinispan.yaml 
@@ -1,5 +1,5 @@ --- -version: '2.2' +version: '3.8' services: limitador: image: ${LIMITADOR_IMAGE:-limitador-testing} diff --git a/limitador-server/sandbox/docker-compose-limitador-memory.yaml b/limitador-server/sandbox/docker-compose-limitador-memory.yaml index e837d69b..65262026 100644 --- a/limitador-server/sandbox/docker-compose-limitador-memory.yaml +++ b/limitador-server/sandbox/docker-compose-limitador-memory.yaml @@ -1,5 +1,5 @@ --- -version: '2.2' +version: '3.8' services: limitador: image: ${LIMITADOR_IMAGE:-limitador-testing} diff --git a/limitador-server/sandbox/docker-compose-limitador-redis-cached.yaml b/limitador-server/sandbox/docker-compose-limitador-redis-cached.yaml index 4f105634..1a94c076 100644 --- a/limitador-server/sandbox/docker-compose-limitador-redis-cached.yaml +++ b/limitador-server/sandbox/docker-compose-limitador-redis-cached.yaml @@ -1,5 +1,5 @@ --- -version: '2.2' +version: '3.8' services: limitador: image: ${LIMITADOR_IMAGE:-limitador-testing} diff --git a/limitador-server/sandbox/docker-compose-limitador-redis-tls.yaml b/limitador-server/sandbox/docker-compose-limitador-redis-tls.yaml new file mode 100644 index 00000000..172cfbb3 --- /dev/null +++ b/limitador-server/sandbox/docker-compose-limitador-redis-tls.yaml 
@@ -0,0 +1,42 @@
+---
+version: '3.8'
+services:
+ limitador:
+ image: ${LIMITADOR_IMAGE:-limitador-testing}
+ depends_on:
+ - envoy
+ - redis
+ command:
+ - limitador-server
+ - --rls-ip
+ - 0.0.0.0
+ - --rls-port
+ - "8081"
+ - --http-ip
+ - 0.0.0.0
+ - --http-port
+ - "8080"
+ - -vvv
+ - /opt/kuadrant/limits/limits.yaml
+ - redis
+ - rediss://:foobared@redis:6379/#insecure
+ expose:
+ - "8080"
+ - "8081"
+ ports:
+ - "18080:8080"
+ volumes:
+ - ./limits.yaml:/opt/kuadrant/limits/limits.yaml
+ redis:
+ image: redis:6.2
+ restart: always
+ ports:
+ - '6379:6379'
+ command:
+ - redis-server
+ - /usr/local/etc/redis/redis.conf
+ volumes:
+ - ./redis-tls/redis-config.conf:/usr/local/etc/redis/redis.conf
+ - ./redis.crt:/usr/local/etc/redis/certs/redis.crt
+ - ./redis.key:/usr/local/etc/redis/certs/redis.key
+ - ./ca.crt:/usr/local/etc/redis/certs/ca.crt
diff --git a/limitador-server/sandbox/docker-compose-limitador-redis.yaml b/limitador-server/sandbox/docker-compose-limitador-redis.yaml
index bd33b149..3cd9a648 100644
--- a/limitador-server/sandbox/docker-compose-limitador-redis.yaml
+++ b/limitador-server/sandbox/docker-compose-limitador-redis.yaml
@@ -1,5 +1,5 @@
 ---
-version: '2.2'
+version: '3.8'
 services:
 limitador:
 image: ${LIMITADOR_IMAGE:-limitador-testing}
diff --git a/limitador-server/sandbox/redis-tls/redis-config.conf b/limitador-server/sandbox/redis-tls/redis-config.conf
new file mode 100644
index 00000000..b478e76e
--- /dev/null
+++ b/limitador-server/sandbox/redis-tls/redis-config.conf
@@ -0,0 +1,7 @@
+requirepass foobared
+port 0
+tls-port 6379
+tls-cert-file /usr/local/etc/redis/certs/redis.crt
+tls-key-file /usr/local/etc/redis/certs/redis.key
+tls-ca-cert-file /usr/local/etc/redis/certs/ca.crt
+tls-auth-clients no
From 1232300ea74bec1c4ee0636472894000b97770b9 Mon Sep 17 00:00:00 2001
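Review bot: The limitador URL `rediss://:foobared@redis:6379/#insecure` disables server certificate verification, so the client never checks the certificate this sandbox goes to the trouble of signing with `ca.crt`: the hop is encrypted, but the server is not authenticated and the password is sent to whatever answers on `redis:6379`. If `#insecure` is the only TLS knob the server exposes (the configuration.md hunk in this commit documents no CA option), that limitation belongs next to the URL, e.g. `# '#insecure' skips certificate verification: traffic is encrypted, the server is not authenticated`. The redis service also publishes `'6379:6379'` to the host although only limitador on the compose network needs it; using `expose:` instead of `ports:` keeps a well-known-password instance off the host interface. Passing the password inside the command line also leaves it visible in `docker inspect` and process listings, which is tolerable here only because it is a sandbox value.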
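Review bot: `requirepass foobared` is the well-known example password from the stock redis.conf, and `tls-auth-clients no` means no client certificate is requested, so that fixed password is the only thing authenticating a client to this instance; state that explicitly so nobody copies the file as a "secured" template, e.g. `# sandbox only: fixed well-known password, no client certificate authentication`. With client auth off, `tls-ca-cert-file` is not verifying anything about peers (as far as I recall Redis only insists on a CA file or dir being set when TLS is enabled), so a one-line comment should say it is there to satisfy startup, not to provide mutual TLS. Consider pinning `tls-protocols "TLSv1.2 TLSv1.3"` rather than relying on the image's default.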
From: Eguzki Astiz Lezaun
Date: Fri, 1 Dec 2023 11:31:42 +0100
Subject: [PATCH 2/2] limitador-server/sandbox/redis-tls/README.md
---
 limitador-server/sandbox/redis-tls/README.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 limitador-server/sandbox/redis-tls/README.md
diff --git a/limitador-server/sandbox/redis-tls/README.md b/limitador-server/sandbox/redis-tls/README.md
new file mode 100644
index 00000000..635626b5
--- /dev/null
+++ b/limitador-server/sandbox/redis-tls/README.md
@@ -0,0 +1,13 @@
+### Testing redis security
+
+Execute bash shell in redis pod
+
+```
+docker compose -p sandbox exec redis /bin/bash
+```
+
+Connect to this Redis server with redis-cli:
+
+```
+root@e024a29b74ba:/data# redis-cli --tls --cacert /usr/local/etc/redis/certs/ca.crt -a foobared
+```