Skip to content

Added Redis ACL #823

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Oct 18, 2025
Merged

Added Redis ACL #823

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
c3f513d
Added Redis ACL
HiranmoyChowdhury Oct 16, 2025
b867cf5
as per review
HiranmoyChowdhury Oct 16, 2025
c8172e3
configuration added
HiranmoyChowdhury Oct 16, 2025
794bdfa
done
HiranmoyChowdhury Oct 16, 2025
70f1f54
Signed-off-by: HiranmoyChowdhury <[email protected]>
HiranmoyChowdhury Oct 17, 2025
f1350fa
change
HiranmoyChowdhury Oct 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions docs/examples/redis/reconfigure/acl/new-acl-secret.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
metadata:
name: new-acl-secret
namespace: demo
type: Opaque
stringData:
k1: "updatePass1"
k10: "pass10"
11 changes: 11 additions & 0 deletions docs/examples/redis/reconfigure/acl/old-acl-secret.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
apiVersion: v1
kind: Secret
metadata:
name: old-acl-secret
namespace: demo
type: Opaque
stringData:
k1: "pass1"
k2: "pass2"
k3: "pass3"
k4: "pass4"
18 changes: 18 additions & 0 deletions docs/examples/redis/reconfigure/acl/rd-ops.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: ops.kubedb.com/v1alpha1
kind: RedisOpsRequest
metadata:
name: rdops
namespace: demo
spec:
type: Reconfigure
databaseRef:
name: redis-instance
configuration:
auth:
syncACL:
- userName1 ${k1} +get ~mykeys:*
- userName10 ${k10} +get ~mykeys:*
deleteUsers:
- userName2
secretRef:
name: new-acl-secret
28 changes: 28 additions & 0 deletions docs/examples/redis/reconfigure/acl/redis.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
apiVersion: kubedb.com/v1
kind: Redis
metadata:
name: redis-instance
namespace: demo
spec:
version: 8.2.2
mode: Cluster
cluster:
shards: 3
replicas: 2
storageType: Durable
storage:
resources:
requests:
storage: 20M
storageClassName: "standard"
accessModes:
- ReadWriteOnce
deletionPolicy: WipeOut
acl:
secretRef:
name: old-acl-secret
rules:
- userName1 ${k1} allkeys +@string +@set -SADD
- userName2 ${k2} allkeys +@string +@set -SADD
- userName3 ${k3} allkeys +@string +@set -SADD
- userName4 ${k4} allkeys +@string +@set -SADD
141 changes: 141 additions & 0 deletions docs/guides/redis/configuration/acl.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,141 @@
---
title: Access Control Lists (ACL)
menu:
docs_{{ .version }}:
identifier: rd-configuration-acl
name: Access Control Lists (ACL)
parent: rd-configuration
weight: 40
menu_name: docs_{{ .version }}
section_menu_id: guides
---

> New to KubeDB? Please start [here](/docs/README.md).

# Using Access Control Lists (ACL) in Redis

KubeDB supports providing ACL configuration for Redis. This tutorial will show you how to use KubeDB to run Redis with ACL configuration.

## Before You Begin

- At first, you need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using [kind](https://kind.sigs.k8s.io/docs/user/quick-start/).

- Now, install KubeDB cli on your workstation and KubeDB operator in your cluster following the steps [here](/docs/setup/README.md).

- To keep things isolated, this tutorial uses a separate namespace called `demo` throughout this tutorial.

```bash
$ kubectl create ns demo
namespace/demo created

$ kubectl get ns demo
NAME STATUS AGE
demo Active 5s
```

> Note: YAML files used in this tutorial are stored in [docs/examples/redis](https://github.com/kubedb/docs/tree/{{< param "info.version" >}}/docs/examples/redis) folder in GitHub repository [kubedb/docs](https://github.com/kubedb/docs).

# Deploy Redis with ACL

This document explains how to configure ACL users during initial deployment so the operator provisions Redis/Valkey with the desired ACL entries.

## Overview

- Define ACL rules in the Redis CR under `spec.acl.rules`.
- Provide passwords via a Kubernetes Secret referenced by `spec.acl.secretRef`.
- The operator substitutes `${key}` placeholders from the referenced Secret and applies ACLs when provisioning Redis.

## Example Redis CR

Define users and reference a Secret that contains passwords:

```yaml
# Redis CR: deploy with ACL
apiVersion: kubedb.com/v1
kind: Redis
metadata:
name: redis-instance
namespace: demo
spec:
version: 8.2.2
mode: Cluster
cluster:
shards: 3
replicas: 2
storageType: Durable
storage:
resources:
requests:
storage: 20M
storageClassName: "standard"
accessModes:
- ReadWriteOnce
deletionPolicy: WipeOut
acl:
secretRef:
name: rd-user # Secret with password keys referenced below
rules:
- userName1 ${k1} allkeys +@string +@set -SADD
- userName2 ${k2} allkeys +@string +@set -SADD
- userName3 ${k3} allkeys +@string +@set -SADD
- userName4 ${k4} allkeys +@string +@set -SADD
```

## Secret with passwords

Create a Secret whose `stringData` keys match the variable names used in the ACL rules:

```yaml
# Secret: rd-user
apiVersion: v1
kind: Secret
metadata:
name: rd-user
namespace: demo
type: Opaque
stringData:
k1: "pass1"
k2: "pass2"
k3: "pass3"
k4: "pass4"
```

Apply both the Secret and the Redis CR:

```bash
kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/redis/reconfigure/acl/old-acl-secret.yaml
kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/redis/reconfigure/acl/redis.yaml
```

Wait until the Redis resource is Ready:

```bash
kubectl get rd -n demo
# expect: redis-instance 8.2.2 Ready
```

## Verify ACLs inside Redis

List ACL users from a Redis pod:

```bash
kubectl exec -it -n demo redis-instance-shard0-0 -c redis -- redis-cli acl list
1) "user userName1 on sanitize-payload #e6c3da5b206634d7f3f3586d747ffdb36b5c675757b380c6a5fe5c570c714349 ~* resetchannels -@all +@string +@set -sadd"
2) "user userName2 on sanitize-payload #1ba3d16e9881959f8c9a9762854f72c6e6321cdd44358a10a4e939033117eab9 ~* resetchannels -@all +@string +@set -sadd"
3) "user userName3 on sanitize-payload #3acb59306ef6e660cf832d1d34c4fba3d88d616f0bb5c2a9e0f82d18ef6fc167 ~* resetchannels -@all +@string +@set -sadd"
4) "user userName4 on sanitize-payload #a417b5dc3d06d15d91c6687e27fc1705ebc56b3b2d813abe03066e5643fe4e74 ~* resetchannels -@all +@string +@set -sadd"
5) "user default on sanitize-payload #b23f6deded0b32c4cac29a8846d8a21e3403a04961436bc686d9e59e3925371c ~* &* +@all"
```

You should see entries for userName1..userName4 and the default user. Each user line includes the hashed password, command categories and key patterns.

## Notes and tips

- Variable substitution: Use `${key}` in rules; the operator replaces these from the `spec.acl.secretRef` Secret.
- Secrets: Store passwords in a Secret referenced by `spec.acl.secretRef`. Use `stringData` during creation for convenience.
- Safety: For updates after deployment, use a `RedisOpsRequest` (Reconfigure) to sync ACL changes or delete users; this avoids manual pod edits.

## Next steps

If you need to modify or rotate ACL users later, see the reconfigure guide:
- [reconfigure acl](docs/guides/redis/reconfigure/acl.md)
Loading
Loading