This example demonstrates how to use TLS and MutualTLS for internal communications with Dgraph Alpha and, starting with Dgraph v20.11.0, Dgraph Zero as well.
On the deploy workstation, that is, the system you will use to create certificates and deploy the helm charts, you will need the dgraph binary. You can get this with:

```bash
## Install Dgraph
curl -sSf https://get.dgraph.io | bash
## Verify Version installed
dgraph version | awk -F: '/Dgraph version/{print $2}'
```
First you need to generate certificates and keys for the Dgraph Alpha service and the Dgraph Zero service. There's a script that can help automate creating the certificates and keys, as well as a helm values file secrets.yaml that can be used with the helm chart. See README.md.

You can run this locally with:

```bash
ln --symbolic ../../charts/dgraph/scripts/make_tls_secrets.sh make_tls_secrets.sh
## ./make_tls_secrets.sh --help for more information
./make_tls_secrets.sh \
  --release "my-release" \
  --client "dgraphuser" \
  --zero \
  --tls_dir ./examples/dgraph_tls
## Verify Dgraph Alpha Keys and Certificates
dgraph cert ls --dir ./examples/dgraph_tls/alpha
## Verify Dgraph Zero Keys and Certificates
dgraph cert ls --dir ./examples/dgraph_tls/zero
```
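Before deploying, it is worth confirming that the files in a generated TLS directory actually belong together, since a mismatched key or a server certificate without the right name only shows up later as a failed handshake. The script below is an added example (not part of the chart or of Dgraph itself): it checks that the server and client certificates chain to ca.crt, that the client key matches the client certificate, and that the host you will later pass as --tls_server_name (or use in the URL) is a SAN on the server certificate. It assumes the layout shown above (ca.crt, client.<name>.crt/.key) plus a server certificate named node.crt, which is the dgraph cert default but is an assumption here.

```bash
#!/usr/bin/env bash
# Added example, not part of the chart: sanity-check a TLS directory before
# deploying. Assumes the layout on this page (ca.crt, client.<name>.crt/.key)
# plus a server certificate named node.crt (dgraph cert's default; an assumption).

# verify_tls_dir DIR CLIENT SERVER_NAME -> returns 0 if every check passes
verify_tls_dir() {
  local dir="$1" client="$2" server_name="$3" rc=0
  local ca="$dir/ca.crt" node="$dir/node.crt"
  local ccrt="$dir/client.$client.crt" ckey="$dir/client.$client.key"
  local pub_crt pub_key f

  for f in "$ca" "$node" "$ccrt" "$ckey"; do
    [ -r "$f" ] || { echo "missing: $f"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return 1

  # Both the server cert and the client cert must chain to the CA that
  # clients pin with --cacert / --tls_cacert.
  openssl verify -CAfile "$ca" "$node" >/dev/null 2>&1 \
    || { echo "node.crt does not chain to ca.crt"; rc=1; }
  openssl verify -CAfile "$ca" "$ccrt" >/dev/null 2>&1 \
    || { echo "client.$client.crt does not chain to ca.crt"; rc=1; }

  # The private key handed to --key / --tls_key must belong to the client cert:
  # compare the public key embedded in the cert with the one derived from the key.
  pub_crt=$(openssl x509 -in "$ccrt" -noout -pubkey 2>/dev/null)
  pub_key=$(openssl pkey -in "$ckey" -pubout 2>/dev/null)
  [ -n "$pub_crt" ] && [ "$pub_crt" = "$pub_key" ] \
    || { echo "client.$client.key does not match client.$client.crt"; rc=1; }

  # The host used in the URL or as --tls_server_name must be a SAN on the
  # server cert, otherwise the handshake fails with a name mismatch.
  openssl x509 -in "$node" -noout -text 2>/dev/null \
    | grep -Eq "DNS:$server_name(,|[[:space:]]|$)" \
    || { echo "node.crt has no SAN for $server_name"; rc=1; }
  return "$rc"
}

# Usage against the directory generated on this page:
#   verify_tls_dir ./examples/dgraph_tls/alpha dgraphuser localhost
```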
With Dgraph TLS support, you can choose the type of authentication, such as whether MutualTLS is optional or explicitly required. For more information see Client Authentication Options.

You can set this value using the environment variable TLS_CLIENT_AUTH for use with helmfile. If this environment variable is not set, the default configuration will be VERIFYIFGIVEN. As an example:

```bash
export TLS_CLIENT_AUTH=REQUIREANDVERIFY
```
For TLS support on the Dgraph Alpha external ports, use the alpha_tls environment:

```bash
helmfile --environment "alpha_tls" apply
```

For securing internal and external ports on both Dgraph Zero and Dgraph Alpha (Dgraph v20.11.0 or greater), the zero_tls_internal environment can be used:

```bash
helmfile --environment "zero_tls_internal" apply
```
Here are some examples that can be used to test TLS and MutualTLS with client authentication.

The Dgraph Alpha service will be configured with either REQUEST or VERIFYIFGIVEN (default) for the TLS client authentication method.

Use port forwarding for Dgraph Alpha HTTPS to make it available on localhost using another terminal tab:

```bash
kubectl port-forward my-release-dgraph-alpha-0 8080:8080
```

Now test against localhost using curl:

```bash
curl --silent \
  --cacert ./examples/dgraph_tls/alpha/ca.crt \
  https://localhost:8080/state | jq
```

Use port forwarding for Dgraph Alpha GRPC to make it available on localhost using another terminal tab:

```bash
kubectl port-forward my-release-dgraph-alpha-0 9080:9080
```

Now test against localhost using dgraph increment:

```bash
dgraph increment \
  --tls_cacert ./examples/dgraph_tls/alpha/ca.crt \
  --tls_server_name localhost \
  --alpha localhost:9080
```
The Dgraph Alpha service will be configured with either REQUIREANY or REQUIREANDVERIFY for the TLS client authentication method.

Use port forwarding for Dgraph Alpha HTTPS to make it available on localhost using another terminal tab:

```bash
kubectl port-forward my-release-dgraph-alpha-0 8080:8080
```

Now test against localhost using curl:

```bash
curl --silent \
  --cacert ./examples/dgraph_tls/alpha/ca.crt \
  --cert ./examples/dgraph_tls/alpha/client.dgraphuser.crt \
  --key ./examples/dgraph_tls/alpha/client.dgraphuser.key \
  https://localhost:8080/state | jq
```

Use port forwarding for Dgraph Alpha GRPC to make it available on localhost using another terminal tab:

```bash
kubectl port-forward my-release-dgraph-alpha-0 9080:9080
```

Now test against localhost using dgraph increment:

```bash
dgraph increment \
  --tls_cacert ./examples/dgraph_tls/alpha/ca.crt \
  --tls_cert ./examples/dgraph_tls/alpha/client.dgraphuser.crt \
  --tls_key ./examples/dgraph_tls/alpha/client.dgraphuser.key \
  --tls_server_name localhost \
  --alpha localhost:9080
```
The Dgraph Zero service will be configured with either REQUIREANY or REQUIREANDVERIFY for the TLS client authentication method.

Use port forwarding for Dgraph Zero HTTPS to make it available on localhost using another terminal tab:

```bash
kubectl port-forward my-release-dgraph-zero-0 6080:6080
```

Now test against localhost using curl:

```bash
curl --silent \
  --cacert ./examples/dgraph_tls/zero/ca.crt \
  --cert ./examples/dgraph_tls/zero/client.dgraphuser.crt \
  --key ./examples/dgraph_tls/zero/client.dgraphuser.key \
  https://localhost:6080/state | jq
```