How to Deploy RedisInsight in EKS and Access via Ingress Nginx
Let me introduce you “Redisinsight” first. Redis claim that Redisinsight is the best GUI for Redis.
It is available in several forms. As of Jan 13, 2023, you can have the GUI in these forms:
- Linux App Image
- Linux Debian Package
- Windows
- Mac OS Silicon
- Mac OS Intel
I am talking about Redisinsight-2. Apart from these, you can have the docker images to deploy and use as a Web App. Though I love the Desktop App it provides, I am more excited about the web version of RedisInsight.
Features that Attract Me
- Seamless Key Browsing like GUI File Managers
- CLI implementation
- Redis Search Support
- Redis Profiler and Memory Analyzer
- Client List — Get ideas about connected clients
- Slow Log
So, these tool is a good ones when managing or interacting with Redis. As I was mentioning my excitement about the Web Version of this tool, let me explain to you “Why”.
What type of problem it is solving for me?
I have worked on a project that involved Elasticache(Redis) and EKS. Elasticache is not accessible outside of the VPC. What can we do to access the Redis Instance?
- We could use an EC2 instance as a Bastion Server in the VPC.
- We could use an EC2 instance and make a proxy to access the Redis.
- We could follow this guide and use VPN too: https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/accessing-elasticache.html#access-from-outside-aws
- We could exec into a container of a POD and use Redis-CLI
- or other service integration.
There were situations when developers needed to access the keys and check or modify and test particular data and associated service behaviors. Developers are used to the default command line interface of redis-cli in their workstation and development system.
Thus finding Redisinsight seemed a great one for this specific need.
Also, we did choose Redisinsight due to the availability of the Redisinsight Web App and which is easily handled by developers for its simplicity and features.
How did I manage to install Redisinsight and provide access?
First of all, I tried to follow the documentation from this link: https://docs.redis.com/latest/ri/installing/install-k8s/
My special need involved:
- Deploy Redis Insight in EKS.
- Access Redis Insight via ingress-Nginx and have an endpoint with a valid HTTPS-enabled URL.
Let me give you my step-by-step solution to achieve the one I wanted to have.
First I created a separate namespace for RedisInsight. This is mostly to sort things in a good and clean manner.
apiVersion: v1
kind: Namespace
metadata:
name: redisinsight
labels:
name: redisinsightAfter that, I created the deployment.
apiVersion: apps/v1
kind: Deployment
metadata:
name: redisinsight
namespace: redisinsight
labels:
app: redisinsight
spec:
replicas: 1
selector:
matchLabels:
app: "redisinsight"
template:
metadata:
labels:
app: redisinsight
spec:
containers:
- name: redisinsight
image: redislabs/redisinsight:latest
imagePullPolicy: IfNotPresent
volumeMounts:
- name: db
mountPath: /db
ports:
- containerPort: 8001
name: http-port
volumes:
- name: db
emptyDir: {}For persistence, I could use PV with EFS. But I did focus on accessing RedisInsight at first.
This deployment did not fully work for me as it was giving
Are you behind a proxy? If so, please set the RedisInsight environment variables.So, I needed to change the deployment manifest adjusting some variables that suggest suiting my need.
apiVersion: apps/v1
kind: Deployment
metadata:
name: redisinsight
namespace: redisinsight
labels:
app: redisinsight
spec:
replicas: 1
selector:
matchLabels:
app: "redisinsight"
template:
metadata:
labels:
app: redisinsight
spec:
containers:
- name: redisinsight
image: redislabs/redisinsight:latest
imagePullPolicy: IfNotPresent
env:
- name: RILOGLEVEL
value: "DEBUG"
- name: RITRUSTEDORIGINS
value: "https://redisinsight.<DOMAIN>"
volumeMounts:
- name: db
mountPath: /db
ports:
- containerPort: 8001
name: http-port
volumes:
- name: db
emptyDir: {}There is a page from where I got the variables. https://docs.redis.com/latest/ri/installing/configurations/
My main goal was to deploy it in EKS and access it via ingress-Nginx, I did create a certificate through the “letsencrypt” and used it in ingress.
Certificate:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: redisinsight-cert
namespace: redisinsight
spec:
secretName: redisinsight-cert
dnsNames:
- redisinsight.<DOMAIN>
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuerIngress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: redisinsight
name: redisinsight-ingress
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 50m
nginx.org/server-snippets: "gzip on;"
certmanager.k8s.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/ssl-passthrough: 'true'
spec:
tls:
- hosts:
- redisinsight.<DOMAIN>
secretName: redisinsight-cert
rules:
- host: redisinsight.<DOMAIN>
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: redisinsight-service
port:
number: 80Using these manifest files, I could deploy Redisinsight and access the UI. But there is a concern about being publicly accessible. Of course, I do not want it to be fully open to the public.
With ease in mind, I have used Basic Auth with ingress-Nginx to restrict access a little bit.
How did I set up Basic Authentication with ingress-Nginx?
To achieve this I have
- created a secret having user and password hashed.
- use the secret and pass that to ingress-Nginx.
In regular Nginx setup, We have the option to create a file having a user and password in them. A widely used tool here is “htpasswd” from “apache2-utils” or “httpd-tools”.
I did use htpasswd too. But need to follow strict rules here.
- The user:password file should be named “auth”.
Command is:
htpasswd -c auth usernameIt will ask you to put in a password. After the file is populated, I could create the Kubernetes secret having this file.
kubectl create secret generic basic-auth-for-redisinsight --from-file=auth --namespace=redisinsightAnd then when created, needed to modify and add some annotations in Ingress.
...
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: basic-auth-for-redisinsight
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required !'
...Let me share my full manifest file to deploy Redisinsight.
---
apiVersion: v1
kind: Namespace
metadata:
name: redisinsight
labels:
name: redisinsight
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: redisinsight-cert
namespace: redisinsight
spec:
secretName: redisinsight-cert
dnsNames:
- redisinsight.fahadahammed.com
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: redisinsight
namespace: redisinsight
labels:
app: redisinsight
spec:
replicas: 1
selector:
matchLabels:
app: "redisinsight"
template:
metadata:
labels:
app: redisinsight
spec:
containers:
- name: redisinsight
image: redislabs/redisinsight:latest
imagePullPolicy: IfNotPresent
env:
- name: RILOGLEVEL
value: "DEBUG"
- name: RITRUSTEDORIGINS
value: "https://redisinsight.fahadahammed.com"
volumeMounts:
- name: db
mountPath: /db
ports:
- containerPort: 8001
name: http-port
volumes:
- name: db
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: redisinsight-service
namespace: redisinsight
spec:
type: ClusterIP
ports:
- port: 80
name: http-port
protocol: TCP
targetPort: 8001
selector:
app: redisinsight
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: redisinsight
name: redisinsight-ingress
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 50m
nginx.org/server-snippets: "gzip on;"
certmanager.k8s.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/ssl-passthrough: 'true'
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: basic-auth-for-redisinsight
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required !'
spec:
tls:
- hosts:
- redisinsight.fahadahammed.com
secretName: redisinsight-cert
rules:
- host: redisinsight.fahadahammed.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: redisinsight-service
port:
number: 80This Basic auth setup is better than not having any authentication mechanism.
This solution helped the developers a lot to control their need of using Redis in the project. I did enjoy this exploration.
If you have any questions regarding this, feel free to reach me at my LinkedIn.
Thanks for reading.
