| title | description |
|---|---|
Database Access with Redis Cluster |
How to configure Teleport Database Access with Redis Cluster. |
If you want to configure Redis Standalone, please read Database Access with Redis.
This guide will help you to:
- Install and configure Teleport.
- Configure mutual TLS authentication between Teleport and Redis Cluster.
- Connect to Redis through Teleport.
<ScopedBlock scope={["oss", "enterprise"]}>
<ScopedBlock scope={["cloud"]}>
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
- Redis version
6.0or newer. redis-cliversion6.2or newer installed and added to your system'sPATHenvironment variable.- A host where you will run the Teleport Database Service.
(!docs/pages/includes/tctl.mdx!)
(!docs/pages/includes/database-access/token.mdx!)
Install Teleport on the host where you will run the Teleport Database Service:
(!docs/pages/includes/install-linux.mdx!)
<ScopedBlock scope={["oss", "enterprise"]}>
Start the Teleport Database Service, pointing the --auth-server flag to the
address of your Teleport Proxy Service:
$ teleport db start \
--token=/tmp/token \
--auth-server=teleport.example.com:3080 \
--name=example-redis \
--protocol=redis \
--uri=rediss://redis.example.com:6379?mode=cluster \
--labels=env=dev
The --auth-server flag must point to the Teleport cluster's Proxy Service
endpoint because the Database Service always connects back to the cluster over a
reverse tunnel.
Start the Teleport Database Service, pointing the --auth-server flag to the
address of your Teleport Cloud tenant:
$ teleport db start \
--token=/tmp/token \
--auth-server=mytenant.teleport.sh:443 \
--name=example-redis \
--protocol=redis \
--uri=rediss://redis.example.com:6379?mode=cluster \
--labels=env=dev
(!docs/pages/includes/database-access/create-user.mdx!)
(!docs/pages/includes/database-access/redis-create-users.mdx!)
(!docs/pages/includes/database-access/tctl-auth-sign.mdx!)
We will show you how to use the tctl auth sign command below.
When connecting to Redis Cluster, sign certificates for each member
using their hostnames and IP addresses.
For example, if the first member is accessible at redis1.example.com with IP 10.0.0.1 and
the second at redis2.example.com with IP 10.0.0.2, run:
$ tctl auth sign --format=redis --host=redis1.example.com,10.0.0.1 --out=redis1 --ttl=2190h
$ tctl auth sign --format=redis --host=redis2.example.com,10.0.0.2 --out=redis2 --ttl=2190h
(!docs/pages/includes/database-access/ttl-note.mdx!)
The command will create three files:
server.caswith Teleport's certificate authorityserver.keywith a generated private keyserver.crtwith a generated user certificate
You will need these files to enable mutual TLS on your Redis server.
(!docs/pages/includes/database-access/rotation-note.mdx!)
Use the generated secrets to enable mutual TLS in your redis.conf configuration
file and restart the database:
tls-port 7001
port 0
cluster-enabled yes
tls-replication yes
tls-cluster yes
aclfile /path/to/users.acl
masterauth GENERATED_STRONG_PASSWORD
masteruser replica-user
tls-cert-file /usr/local/etc/redis/certs/server.crt
tls-key-file /usr/local/etc/redis/certs/server.key
tls-ca-cert-file /usr/local/etc/redis/certs/server.cas
tls-protocols "TLSv1.2 TLSv1.3"Once mutual TLS has been enabled, you will no longer be able to connect to
the cluster without providing a valid client certificate. You can use the
tls-auth-clients optional setting to allow connections
from clients that do not present a certificate.
See TLS Support in the Redis documentation for more details.
Use the following command to create the cluster. Please note redis-cli --cluster create accepts only IP addresses.
export REDISCLI_AUTH=STRONG_GENERATED_PASSWORD
export CERTS_DIR=/path/to/certs/
export IP1=10.0.0.1 # update with the real node 1 IP
export IP2=10.0.0.2 # update with the real node 2 IP
export IP3=10.0.0.3 # update with the real node 3 IP
export IP4=10.0.0.4 # update with the real node 4 IP
export IP5=10.0.0.5 # update with the real node 5 IP
export IP6=10.0.0.6 # update with the real node 6 IP
redis-cli --user alice --cluster-replicas 1 --tls --cluster-yes \
--cluster create ${IP1}:7001 ${IP2}:7002 ${IP3}:7003 ${IP4}:7004 ${IP5}:7005 ${IP6}:7006 \
--cacert ${CERTS_DIR}/server.cas --key ${CERTS_DIR}/server.key --cert ${CERTS_DIR}/server.crtTo enable Redis cluster mode in Teleport, add the mode=cluster parameter to the connection URI in
your Teleport Database Service config file.
databases:
- name: "redis-cluster"
uri: "rediss://redis.example.com:6379?mode=cluster"(!docs/pages/includes/database-access/redis-connect.mdx!)
Redis in cluster mode does not support the following commands. If one of the listed commands above is called Teleport
returns the ERR Teleport: command not supported error.
Teleport conducts additional processing on the following commands before communicating with Redis Cluster:
| Command | Description |
|---|---|
DBSIZE |
Sends the query to all nodes and returns the number of keys in the whole cluster. |
KEYS |
Sends the query to all nodes and returns a list of all keys in the whole cluster. |
MGET |
Translates the commands to multiple GETs and sends them to multiple nodes. Result is merged in Teleport and returned back to the client. If Teleport fails to fetch at least one key an error is returned. |
FLUSHDB |
Sends the query to all nodes. |
FLUSHALL |
Works the same as FLUSHDB. |
SCRIPT EXISTS |
Sends the query to all nodes. 1 is returned only if script exists on all nodes. |
SCRIPT LOAD |
Sends the script to all nodes. |
SCRIPT FLUSH |
Sends the query to all nodes. ASYNC parameter is ignored. |
(!docs/pages/includes/database-access/guides-next-steps.mdx!)