main.tf:
# Google Cloud provider. PROJECT_ID is a placeholder to replace before
# `terraform apply`; region and zone are set per resource below.
provider "google" {
project = "PROJECT_ID"
}
# Single e2-micro VM that runs startup.sh at boot (Docker, then Redis behind a
# hitch TLS frontend that requires client certificates).
resource "google_compute_instance" "test-redis" {
name = "test-redis"
machine_type = "e2-micro"
zone = "europe-central2-a"
boot_disk {
initialize_params {
# Image family rather than a pinned image: each fresh apply picks up the
# current debian-12 build.
image = "debian-12"
}
}
network_interface {
subnetwork = google_compute_subnetwork.test-redis.self_link
# An empty access_config assigns an ephemeral external IP. This is the
# address the clients (a.rb, a.py) connect to; it is not stable across
# stop/start, hence the `instances list` lookup in the run transcript.
# Exposure is bounded by the two firewall rules below: the IAP range on
# 22 and SOURCE_IP on 6379.
access_config {}
}
metadata = {
# OS Login: SSH access and sudo are governed by IAM instead of
# instance/project SSH-key metadata.
enable-oslogin = true
# startup.sh is inlined into metadata and executed as root on every boot.
startup-script = file("startup.sh")
}
# NOTE(review): no service_account or shielded_instance_config block is set;
# confirm which identity (if any) the VM ends up with and whether Shielded VM
# (secure boot, vTPM, integrity monitoring) should be enabled for it.
}
# Dedicated custom-mode VPC for the test VM. Besides the implied rules
# (egress allowed, ingress denied) only the two firewall rules defined in this
# file admit traffic into it.
resource "google_compute_network" "test-redis" {
name = "test-redis"
# No automatic per-region subnets; the single subnet is declared below.
auto_create_subnetworks = false
}
# The one subnet of the VPC; the VM's NIC attaches to it. The /20 range is
# private (RFC 1918) and the VM's internal IP (10.0.0.5 in the transcript)
# comes from it.
resource "google_compute_subnetwork" "test-redis" {
name = "test-redis"
ip_cidr_range = "10.0.0.0/20"
# Must be the region containing the instance zone (europe-central2-a).
region = "europe-central2"
network = google_compute_network.test-redis.self_link
}
# SSH ingress restricted to Google's IAP TCP-forwarding range, so port 22 is
# never open to the internet even though the VM has an external IP; the
# transcript's `gcloud compute ssh --tunnel-through-iap` relies on this.
# No target_tags/target_service_accounts, so the rule applies to every
# instance in the VPC (currently just test-redis).
resource "google_compute_firewall" "test-redis-ssh" {
name = "test-redis-ssh"
network = google_compute_network.test-redis.name
source_ranges = ["35.235.240.0/20"]
allow {
protocol = "tcp"
ports = [22]
}
}
# Redis/hitch ingress (6379) limited to the operator's address. SOURCE_IP is a
# placeholder to replace with a CIDR, e.g. a single address as "a.b.c.d/32".
# This is the outer layer only: hitch additionally requires a client
# certificate signed by the private root CA (client-verify = required in
# startup.sh).
resource "google_compute_firewall" "test-redis-redis" {
name = "test-redis-redis"
network = google_compute_network.test-redis.name
source_ranges = ["SOURCE_IP"]
allow {
protocol = "tcp"
ports = [6379]
}
}
startup.sh:
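#!/bin/sh
# GCE startup script (runs as root at boot, see main.tf metadata):
#   1. install Docker CE and the compose plugin from Docker's apt repository,
#   2. mint a private root CA plus a server and a client certificate,
#   3. start Redis behind a hitch TLS frontend that requires client
#      certificates, via docker compose.
# All paths are absolute: the original relied on the startup script's working
# directory being / (mkdir -p root/redis), which is not something to depend on.
# `-e` stops at the first failing step instead of running `docker compose up`
# against missing files; `-x` traces every command into the startup-script log.
set -eux

REDIS_DIR=/root/redis

# Docker's apt repository, pinned to its keyring via signed-by. The keyrings
# directory is created explicitly in case the image does not ship it.
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg \
  -o /etc/apt/keyrings/docker.asc
echo "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
  > /etc/apt/sources.list.d/docker.list
apt-get update
# docker-compose-plugin is named explicitly rather than relying on apt's
# Recommends, since `docker compose` is used at the end of this script.
apt-get install -y docker-ce docker-compose-plugin

# Certificates: a 10-year self-signed root, then a server and a client leaf
# signed by it (-CA/-CAkey) with the usr_cert extensions from the default
# openssl.cnf. The leaves carry only a CN and no subjectAltName, which is why
# the clients (a.rb, a.py) disable hostname verification.
# NOTE(review): the private keys are written with the default umask; consider
# `umask 077` before these commands once it is confirmed that the hitch
# container still reads /certs/server.key with that mode.
mkdir -p "$REDIS_DIR/certs"
cd "$REDIS_DIR/certs"
openssl req -x509 -subj /CN=root.yourdomain.com -days 3650 -noenc \
  -out root.crt -keyout root.key
openssl req -x509 -subj /CN=server.yourdomain.com -days 365 -noenc \
  -CA root.crt -CAkey root.key -extensions usr_cert \
  -out server.crt -keyout server.key
openssl req -x509 -subj /CN=client.yourdomain.com -days 365 -noenc \
  -CA root.crt -CAkey root.key -extensions usr_cert \
  -out client.crt -keyout client.key
# Combined key+cert PEM; not referenced by hitch.conf below, kept for parity
# with the original script.
cat server.key server.crt > server.yourdomain.com.crt
cd "$REDIS_DIR"

# hitch terminates TLS on 6379 and forwards plaintext to the redis service on
# the compose network. client-verify = required makes this mutual TLS: only
# holders of a certificate chaining to root.crt get through.
cat <<\END > hitch.conf
frontend = "[0.0.0.0]:6379"
backend = "[redis]:6379"
pem-file = {
  cert = "/certs/server.crt"
  private-key = "/certs/server.key"
}
client-verify = required
client-verify-ca = "/certs/root.crt"
user = "hitch"
group = "hitch"
log-level = 2
END

# redis publishes no host port; it is reachable only from hitch over the
# compose network. Only hitch's 6379 is published on the host (and reachable
# solely from SOURCE_IP per the firewall rule in main.tf).
# NOTE(review): ./redis.conf is bind-mounted but not written by this script;
# it must already exist in /root/redis, otherwise the mount yields a directory
# and redis-server cannot start. redis:5.0.14 is an old release line; pin a
# maintained one when this leaves the test stage.
cat <<\END > docker-compose.yml
services:
  redis:
    image: redis:5.0.14-alpine3.16
    command: redis-server /etc/redis.conf
    volumes:
      - ./redis.conf:/etc/redis.conf
  hitch:
    image: hitch:1
    ports:
      - 6379:6379
    volumes:
      - ./hitch.conf:/etc/hitch/hitch.conf
      - ./certs:/certs
END
docker compose up -d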
a.rb:
# Connects to the Redis instance behind hitch (mutual TLS on 6379) using the
# client certificate and private root CA copied from the VM, then prints the
# key list.
require 'redis'

# The VM's external IP (replace with the value from `gcloud compute instances
# list`). The server certificate carries only a CN and no subjectAltName, so
# hostname verification is switched off; trust rests on the peer certificate
# chaining to certs/root.crt.
# NOTE(review): presumably the chain is still verified against ca_file under
# the gem's default verify mode — confirm for the installed redis version.
REDIS_HOST = 'xx.xxx.xx.xxx'

tls_options = {
  cert: 'certs/client.crt',
  key: 'certs/client.key',
  ca_file: 'certs/root.crt',
  verify_hostname: false,
}

client = Redis.new(host: REDIS_HOST, ssl: true, ssl_params: tls_options)
p client.keys
a.py:
"""Connect to the Redis instance behind hitch (mutual TLS on 6379) and print
its key list, using the client certificate and private root CA copied from
the VM."""
import redis

# The VM's external IP (replace with the value from `gcloud compute instances
# list`). The server certificate carries only a CN and no subjectAltName, so
# hostname checking is left at the library default here; the commented-out
# flag is the knob to turn it on once the certificate has a matching SAN.
# NOTE(review): newer redis-py releases may check the hostname by default; if
# so this script will reject the CN-only certificate — confirm.
REDIS_HOST = 'xx.xxx.xx.xxx'

# Client certificate and key for mutual TLS, plus the private root that
# signed the server certificate.
TLS_OPTIONS = dict(
    ssl=True,
    ssl_certfile='certs/client.crt',
    ssl_keyfile='certs/client.key',
    ssl_ca_certs='certs/root.crt',
    # ssl_check_hostname=True,
)

client = redis.Redis(host=REDIS_HOST, **TLS_OPTIONS)
print(client.keys())
// replace PROJECT_ID, SOURCE_IP
$ docker run --rm -itv "$PWD:/app" -w /app google/cloud-sdk:457.0.0-alpine
/app # gcloud auth login --update-adc
/app # apk add terraform
/app # terraform init
/app # terraform apply; echo -e '\a'
/app # gcloud compute ssh test-redis \
--command 'sudo -i tar czf /tmp/certs.tar.gz -C redis certs' \
--tunnel-through-iap \
--zone europe-central2-a --project PROJECT_ID
/app # gcloud compute scp test-redis:/tmp/certs.tar.gz /tmp/certs.tar.gz \
--tunnel-through-iap \
--zone europe-central2-a --project PROJECT_ID
$ docker cp ...:/tmp/certs.tar.gz certs.tar.gz
$ tar xf certs.tar.gz
/app # gcloud compute instances list --project PROJECT_ID --filter name:redis
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
test-redis europe-central2-a e2-micro 10.0.0.5 xx.xxx.xx.xxx RUNNING
// replace the ip in a.rb, a.py
$ docker run --rm -itv "$PWD:/app" -w /app alpine:3.19
/app # apk add ruby python3 py3-redis
/app # gem install redis
/app # ruby a.rb
[]
/app # python a.py
[]