Setting Redis user and password in Docker environnement

docker
redis
Published

January 10, 2023

Summary

For several years, locally, I used redis without needing to use a password to secure access.

Recently, while migrating an application from a VM to Kubernetes, I ran into a problem with redis requiring a user and password.

In the VM, redis was configured without using a specific user but in the Kubernetes environment, it is required.

The redis cluster is shared by multiple applications; which requires access to namespaces to be secure.

So the question is: how to set up a secure redis user?

Approach to solution

Not being Devops, this solution can be totally trivial.

Option 1: Use the --requirepass option

Example:

version: '3.9'
services:
    redis:
        image: 'redis:5-alpine'
        command: redis-server --requirepass mypassword
        ports:
            - '6379:6379'

This option is the one that I found the most, but it does not correspond to my need.

It does not allow to define a user and a password.

Option 2: Create a configuration file to define the ACLs

This option meets my need in that I can have a specific user and password.

First you have to create the file redis.conf with the following content:

masterauth password

# @see: https://redis.io/docs/management/security/acl/
## Totally disable anonymous access
user default off
# Adds user "development" with the password "mypassword" and give the access to namespaces "myproject:*"
# `#89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8` corresponds to the SHA-256 password for the user.
user development on ~myproject:* &* +@all -@dangerous #89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8

In your docker-compose.yaml file, you should configure it like that:

version: '3.9'
services:
    redis:
        image: redis:5-alpine
        command: [ 'redis-server', '/redis.conf' ]
        ports:
            - "6379:6379"
        volumes:
            - /redis.conf:/redis.conf:rw

That’s all 🎉.

If you are a Symfony user, you can configure the DSN like the following:

# .env.local
REDIS_URL=redis://development:mypassword@127.0.0.1:6379