From 0e9570295ca3b46ef1aa7c0fe40f166aba26fa2a Mon Sep 17 00:00:00 2001 
From: Ubuntu
Date: Thu, 14 Nov 2024 06:33:31 +0000
Subject: [PATCH] promoting version 7.8.2-2
---
 .gitignore | 2 +-
 README.md | 24 +-
 active_active_database_readme.md | 6 +-
 admission-service.yaml | 1 -
 admission/README.md | 2 +-
 admission/webhook.yaml | 1 -
 bundle.yaml | 102 +++++-
 cluster_credentials.md | 2 +-
 ...redislabs.com_redisenterpriseacls_crd.yaml | 57 ++++
 crds/reaadb_crd.yaml | 14 +-
 crds/rec_crd.yaml | 40 ++-
 crds/redb_crd.yaml | 32 ++-
 crds/rerc_crd.yaml | 7 +
 helm/redis-enterprise-operator/.helmignore | 1 +
 helm/redis-enterprise-operator/Chart.yaml | 17 ++
 helm/redis-enterprise-operator/README.md | 149 ++++++++++
 .../templates/_helpers.tpl | 39 +++
 .../templates/admission-service.yaml | 15 +
 .../templates/jobs/install-crds.yaml | 97 +++++++
 .../templates/jobs/patch-namespace-label.yaml | 146 ++++++++++
 .../jobs/patch-webhook-configuration.yaml | 134 +++++++++
 .../templates/openshift/scc.yaml | 38 +++
 .../operator-environment-config.yaml | 9 +
 .../templates/operator.yaml | 161 +++++++++++
 .../templates/role.yaml | 197 ++++++++++++++
 .../templates/role_binding.yaml | 15 +
 .../templates/service_account.yaml | 8 +
 .../templates/webhook.yaml | 70 +++++
 helm/redis-enterprise-operator/values.yaml | 49 ++++
 log_collector/log_collector.py | 256 ++++++++----------
 .../log_collector_role_all_mode.yaml | 185 +++++++++++++
 .../log_collector_role_restricted_mode.yaml | 144 ++++++++++
 multi-namespace-redb/README.md | 2 +-
 multi-namespace-redb/operator.yaml | 5 +-
 openshift.bundle.yaml | 107 ++++++--
 openshift/OLM/README.md | 2 +-
 openshift/admission-service.yaml | 1 -
 openshift/operator_rhel.yaml | 7 +-
 openshift/rec_rhel.yaml | 2 +-
 openshift/role.yaml | 1 -
 openshift/role_binding.yaml | 1 -
 openshift/scc.yaml | 3 +-
 openshift/service_account.yaml | 1 -
 operator.yaml | 5 +-
 ...s_enterprise_active_active_database_api.md | 1 +
 redis_enterprise_cluster_api.md | 45 ++-
 redis_enterprise_database_api.md | 10 +-
 redis_enterprise_remote_cluster_api.md | 2 +
 redis_on_flash.md | 2 +-
 role.yaml | 1 -
 role_binding.yaml | 1 -
 service_account.yaml | 1 -
 setting_ingress_or_route_readme.md | 10 +-
 topics.md | 14 +-
 vault/README.md | 4 +
 55 files changed, 1970 insertions(+), 278 deletions(-)
 create mode 100644 crds/app.redislabs.com_redisenterpriseacls_crd.yaml
 create mode 100644 helm/redis-enterprise-operator/.helmignore
 create mode 100644 helm/redis-enterprise-operator/Chart.yaml
 create mode 100644 helm/redis-enterprise-operator/README.md
 create mode 100644 helm/redis-enterprise-operator/templates/_helpers.tpl
 create mode 100644 helm/redis-enterprise-operator/templates/admission-service.yaml
 create mode 100644 helm/redis-enterprise-operator/templates/jobs/install-crds.yaml
 create mode 100644 helm/redis-enterprise-operator/templates/jobs/patch-namespace-label.yaml
 create mode 100644 helm/redis-enterprise-operator/templates/jobs/patch-webhook-configuration.yaml
 create mode 100644 helm/redis-enterprise-operator/templates/openshift/scc.yaml
 create mode 100644 helm/redis-enterprise-operator/templates/operator-environment-config.yaml
 create mode 100644 helm/redis-enterprise-operator/templates/operator.yaml
 create mode 100644 helm/redis-enterprise-operator/templates/role.yaml
 create mode 100644 helm/redis-enterprise-operator/templates/role_binding.yaml
 create mode 100644 helm/redis-enterprise-operator/templates/service_account.yaml
 create mode 100644 helm/redis-enterprise-operator/templates/webhook.yaml
 create mode 100644 helm/redis-enterprise-operator/values.yaml
 create mode 100644 log_collector/log_collector_role_all_mode.yaml
 create mode 100644 log_collector/log_collector_role_restricted_mode.yaml
diff --git a/.gitignore b/.gitignore
index 485dee6..5c3bdbb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-.idea
+*bundle.yaml
diff --git a/README.md b/README.md
index 642e32e..f20caa1 100644
--- a/README.md
+++ b/README.md
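Review bot: The new rule `*bundle.yaml` matches `bundle.yaml` and `openshift.bundle.yaml`, both of which this same commit modifies as tracked files; git ignores only untracked paths, so the rule has no effect on them unless they are also removed from the index, and anyone regenerating the bundles will still see them as modified. If the intent is to stop committing generated bundles, that should be done explicitly in the same change; if they are meant to stay tracked as the published install manifests, the pattern is misleading. Dropping `.idea` at the same time also means IDE metadata is no longer excluded, which looks unrelated to the version promotion. A one-line comment above the pattern stating which generated files it is meant to exclude would make the intent clear to the next contributor.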
@@ -13,29 +13,31 @@ * [Supported K8S Distributions](#supported-k8s-distributions) This page describes how to deploy Redis Enterprise on Kubernetes using the Redis Enterprise Operator. The Redis Enterprise Operator supports two Custom Resource Definitions (CRDs): + * Redis Enterprise Cluster (REC): an API to create Redis Enterprise clusters. Note that only one cluster is supported per operator deployment. + * Redis Enterprise Database (REDB): an API to create Redis databases running on the Redis Enterprise cluster. -Note that the Redis Enterprise Operator is namespaced. -High level architecture and overview of the solution can be found [HERE](https://docs.redislabs.com/latest/platforms/kubernetes/). +Note that the Redis Enterprise operator is namespaced. +High level architecture and overview of the solution can be found [HERE](https://redis.io/docs/latest/operate/kubernetes/architecture/). ## Quick start guide -This content [has moved](https://docs.redis.com/latest/kubernetes/deployment/quick-start/) to the Redis Enterprise doc site, [docs.redis.com](https://docs.redis.com/latest/kubernetes/). +This content [has moved](https://redis.io/docs/latest/operate/kubernetes/deployment/quick-start/) to the Redis Enterprise doc site, [redis.io/docs](https://redis.io/docs/latest/operate/kubernetes/). ### Installation on OpenShift -This content [has moved](https://docs.redis.com/latest/kubernetes/deployment/openshift/openshift-cli/) to the Redis Enterprise doc site, [docs.redis.com](https://docs.redis.com/latest/kubernetes/). +This content [has moved](https://redis.io/docs/latest/operate/kubernetes/deployment/openshift/openshift-cli/) to the Redis Enterprise doc site, [redis.io/docs](https://redis.io/docs/latest/operate/kubernetes/). ### Installation on VMWare Tanzu - This content [has moved](https://docs.redis.com/latest/kubernetes/deployment/tanzu/) to the [Redis Enterprise docs site](https://docs.redis.com/latest/kubernetes/). 
+ This content [has moved](https://redis.io/docs/latest/operate/kubernetes/deployment/tanzu/) to the [Redis Enterprise docs site](https://redis.io/docs/latest/operate/kubernetes/). ## Configuration ### RedisEnterpriseCluster custom resource The operator deploys a `RedisEnterpriseCluster` with default configurations values, but those can be customized in the `RedisEnterpriseCluster` spec as follow: -Some examples [have moved](https://docs.redis.com/latest/kubernetes/reference/cluster-options/) to the Redis Enterprise doc site, [docs.redis.com](https://docs.redis.com/latest/kubernetes/). +Some examples [have moved](https://redis.io/docs/latest/operate/kubernetes/reference/cluster-options/) to the Redis Enterprise doc site, [redis.io/docs](https://redis.io/docs/latest/operate/kubernetes/). * Cluster username (Default is demo@redis.com) @@ -92,11 +94,11 @@ Some examples [have moved](https://docs.redis.com/latest/kubernetes/reference/cl ### Private Repositories -This content [has moved](https://docs.redis.com/latest/kubernetes/deployment/container-images/) to the Redis Enterprise doc site, [docs.redis.com](https://docs.redis.com/latest/kubernetes/). +This content [has moved](https://redis.io/docs/latest/operate/kubernetes/deployment/container-images/) to the Redis Enterprise doc site, [redis.io/docs](https://redis.io/docs/latest/operate/kubernetes/). ### Pull secrets -This content [has moved](https://docs.redis.com/latest/kubernetes/deployment/container-images/) to the Redis Enterprise doc site, [docs.redis.com](https://docs.redis.com/latest/kubernetes/). +This content [has moved](https://redis.io/docs/latest/operate/kubernetes/deployment/container-images/) to the Redis Enterprise doc site, [redis.io/docs](https://redis.io/docs/latest/operate/kubernetes/). ### Advanced Configuration 
@@ -107,13 +109,13 @@ This content [has moved](https://docs.redis.com/latest/kubernetes/deployment/con ## Connect to Redis Enterprise Software web console -This content [has moved](https://docs.redis.com/latest/kubernetes/re-clusters/connect-to-admin-console/) to the Redis Enterprise doc site, [docs.redis.com](https://docs.redis.com/latest/kubernetes/). +This content [has moved](https://redis.io/docs/latest/operate/kubernetes/re-clusters/connect-to-admin-console/) to the Redis Enterprise doc site, [redis.io/docs](https://redis.io/docs/latest/operate/kubernetes/). ## Upgrade -This content [has moved](https://docs.redis.com/latest/kubernetes/re-clusters/upgrade-redis-cluster/) to the Redis Enterprise doc site, [docs.redis.com](https://docs.redis.com/latest/kubernetes/). +This content [has moved](https://redis.io/docs/latest/operate/kubernetes/re-clusters/upgrade-redis-cluster/) to the Redis Enterprise doc site, [redis.io/docs](https://redis.io/docs/latest/operate/kubernetes/). ## Supported K8S Distributions -This content [has moved](https://docs.redis.com/latest/kubernetes/reference/supported_k8s_distributions/) to the Redis Enterprise doc site, [docs.redis.com](https://docs.redis.com/latest/kubernetes/). \ No newline at end of file +This content [has moved](https://redis.io/docs/latest/operate/kubernetes/reference/supported_k8s_distributions/) to the Redis Enterprise doc site, [redis.io/docs](https://redis.io/docs/latest/operate/kubernetes/). \ No newline at end of file diff --git a/active_active_database_readme.md b/active_active_database_readme.md index 424ccc2..99fc97f 100644 --- a/active_active_database_readme.md +++ b/active_active_database_readme.md 
@@ -729,11 +729,11 @@ upgrading modules with Active-Active databases is currently not supported via th ## Upgrade REC with Active-Active database Upgrading REC with REAADBs is supported. -Please follow [upgrade Redis Enterprise Cluster documentation](https://docs.redis.com/latest/kubernetes/re-clusters/upgrade-redis-cluster/). +Please follow [upgrade Redis Enterprise Cluster documentation](https://redis.io/docs/latest/operate/kubernetes/re-clusters/upgrade-redis-cluster/). Notes: - It is recommended to upgrade all of the participating clusters to the same operator version. -- [Optional] - Please view following documentation regarding upgrade the Active-Active database [here](https://docs.redis.com/latest/rs/installing-upgrading/upgrading/upgrade-active-active/) +- [Optional] - Please view following documentation regarding upgrade the Active-Active database [here](https://redis.io/docs/latest/operate/rs/installing-upgrading/upgrading/upgrade-active-active/) - In case you are upgrading from version with the Active-Active database controller as public preview you may remove the following flags from the environment variables: `ACTIVE_ACTIVE_DATABASE_CONTROLLER_ENABLED` and `REMOTE_CLUSTER_CONTROLLER_ENABLED`, and in case the alpha features flag is enabled only for the REC 'ingressOrRoutesSpec' field you may remove the: `ENABLE_ALPHA_FEATURES` as well.` ## Test your Active-Active database 
@@ -761,7 +761,7 @@ From the output fetch the redis 'targetPort': 3. Set a test key with SET foo bar in the first database. If your Active-Active deployment is working properly, when connected to your second database, GET foo should output bar. - to test externally you may use the instructions under 'Test your external access' [here](https://docs.redis.com/latest/kubernetes/re-databases/set-up-ingress-controller/) + to test externally you may use the instructions under 'Test your external access' [here](https://redis.io/docs/latest/operate/kubernetes/re-databases/set-up-ingress-controller/) ## Limitations diff --git a/admission-service.yaml b/admission-service.yaml index 46d923e..91007fe 100644 --- a/admission-service.yaml +++ b/admission-service.yaml @@ -1,4 +1,3 @@ ---- apiVersion: v1 kind: Service metadata: diff --git a/admission/README.md b/admission/README.md index 146019a..886958b 100644 --- a/admission/README.md +++ b/admission/README.md @@ -1,3 +1,3 @@ # Redis Enterprise admission controller -This content has moved to [docs.redis.com](https://docs.redis.com/latest/); see [Enable the admission controller](https://docs.redis.com/latest/kubernetes/deployment/quick-start/#enable-the-admission-controller). +This content has moved to [redis.io/docs](https://redis.io/docs/latest/); see [Enable the admission controller](https://redis.io/docs/latest/operate/kubernetes/deployment/quick-start/#enable-the-admission-controller). diff --git a/admission/webhook.yaml b/admission/webhook.yaml index 10274df..5262e1f 100644 --- a/admission/webhook.yaml +++ b/admission/webhook.yaml @@ -1,4 +1,3 @@ ---- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: diff --git a/bundle.yaml b/bundle.yaml index fe2adf6..9d91800 100644 --- a/bundle.yaml +++ b/bundle.yaml @@ -1,5 +1,4 @@ --- ---- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
@@ -173,7 +172,6 @@ rules: - delete - watch --- ---- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -188,7 +186,6 @@ subjects: - kind: ServiceAccount name: redis-enterprise-operator --- ---- apiVersion: v1 kind: ServiceAccount metadata: @@ -196,7 +193,6 @@ metadata: app: redis-enterprise name: redis-enterprise-operator --- ---- apiVersion: v1 kind: Service metadata: @@ -360,6 +356,26 @@ spec: field in the RedisEnterpriseCluster resource. type: boolean type: object + certificatesStatus: + description: Stores information about cluster certificates and their + update process. In Active-Active databases, this is used to detect + updates to the certificates, and trigger synchronization across the + participating clusters. + properties: + generation: + description: Generation stores the version of the cluster's Proxy + and Syncer certificate secrets. In Active-Active databases, when + a user updates the proxy or syncer certificate, a crdb-update + command needs to be triggered to avoid potential sync issues. + This helps the REAADB controller detect a change in a certificate + and trigger a crdb-update. The version of the cluster's Proxy + certificate secret. + format: int64 + type: integer + updateStatus: + description: The status of the cluster's certificates update + type: string + type: object ingressOrRouteMethodStatus: description: The ingressOrRouteSpec/ActiveActive spec method that exist type: string @@ -808,6 +824,10 @@ spec: cacheTTLSeconds: description: The maximum TTL of cached entries. type: integer + directoryTimeoutSeconds: + description: The connection timeout to the LDAP server when authenticating + a user, in seconds + type: integer enabledForControlPlane: description: Whether to enable LDAP for control plane access. Disabled by default. 
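Review bot: The `certificatesStatus.generation` description in the `@@ -360,6 +356,26 @@` hunk ends with a leftover sentence, `The version of the cluster's Proxy certificate secret.`, that contradicts its own opening sentence, which says the field covers both the Proxy and Syncer certificate secrets; one of the two statements should be removed. The same text is added to crds/rec_crd.yaml in the `@@ -147,6 +147,26 @@` hunk and, judging by the diffstat, presumably to openshift.bundle.yaml as well. Suggested wording: `Generation stores the version of the cluster's Proxy and Syncer certificate secrets. In Active-Active databases, a change in either certificate must trigger a crdb-update to avoid potential sync issues; this field lets the REAADB controller detect such a change.` This text is what `kubectl explain` shows users, so the contradiction is visible.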
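Review bot: `directoryTimeoutSeconds` in the `@@ -808,6 +824,10 @@` hunk is a bare `type: integer` with no `minimum` and no statement of the default, so a zero or negative timeout passes CRD validation and the schema gives no hint of what such values mean. Because this is the wait applied while authenticating a user against the LDAP directory, an unbounded or zero timeout affects control-plane and data-plane login behaviour, assuming the operator passes the value through unchecked. Adding `minimum: 1` (or documenting an explicit meaning for 0) and the default to the description would close that gap; the same applies to the matching crds/rec_crd.yaml hunk, and the validation-only copies at `@@ -8232,6 +8260,8 @@` and rec_crd `@@ -8019,6 +8051,8 @@` would need the same `minimum`.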
@@ -1078,7 +1098,7 @@ spec: on Kubernetes v1.25+. Future versions of the RedisEnterpriseCluster API will remove support for this field altogether. For migration instructions, see https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/ - \n Name of pod security policy to use on pods" + \n Name of pod security policy to use on pods" type: string podStartingPolicy: description: Mitigation setting for STS pods stuck in "ContainerCreating" @@ -6891,7 +6911,7 @@ spec: type: string required: - port - type: object + type: object httpGet: properties: host: @@ -7935,6 +7955,14 @@ spec: - version type: object type: array + certificatesStatus: + properties: + generation: + format: int64 + type: integer + updateStatus: + type: string + type: object ingressOrRouteMethodStatus: type: string managedAPIs: @@ -8232,6 +8260,8 @@ spec: type: string cacheTTLSeconds: type: integer + directoryTimeoutSeconds: + type: integer enabledForControlPlane: type: boolean enabledForDataPlane: @@ -14126,7 +14156,7 @@ spec: type: string required: - port - type: object + type: object httpGet: properties: host: 
@@ -15454,12 +15484,16 @@ spec: and it must not be below 1GB. type: string modulesList: - description: List of modules associated with database. - Note - For Active-Active databases this feature is currently in preview. For - this feature to take effect for Active-Active databases, set a boolean environment variable - with the name "ENABLE_ALPHA_FEATURES" to True. This variable can - be set via the redis-enterprise-operator pod spec, or through the - operator-environment-config Config Map. + description: List of modules associated with database. Note - For Active-Active + databases this feature is currently in preview. For this feature to + take effect for Active-Active databases, set a boolean environment + variable with the name "ENABLE_ALPHA_FEATURES" to True. This variable + can be set via the redis-enterprise-operator pod spec, or through + the operator-environment-config Config Map. Note - if you do not want + to upgrade to the latest version you must set upgradeSpec -> upgradeModulesToLatest + to false. if you specify a version and do not set the upgradeModulesToLatest + it can result errors in the operator. in addition, the option to specify + specific version is Deprecated and will be deleted in next releases. items: description: 'Redis Enterprise Module: https://redislabs.com/redis-enterprise/modules/' properties: @@ -15471,7 +15505,8 @@ spec: description: The module's name e.g "ft" for redissearch type: string version: - description: Module's semantic version e.g "1.6.12" - optional only in REDB, must be set in REAADB + description: DEPRECATED - Module's semantic version e.g "1.6.12" + - optional only in REDB, must be set in REAADB type: string required: - name 
@@ -15635,9 +15670,12 @@ spec: description: Specifications for DB upgrade. properties: upgradeModulesToLatest: - description: Upgrades the modules to the latest version that supportes the DB version during a DB upgrade action, to upgrade the DB version view the 'redisVersion' field. - Notes - All modules must be without specifing the version. - in addition, This field is currently not supported for Active-Active databases. + description: DEPRECATED Upgrades the modules to the latest version + that supports the DB version during a DB upgrade action, to upgrade + the DB version view the 'redisVersion' field. Notes - All modules + must be without specifying the version. in addition, This field + is currently not supported for Active-Active databases. The default + is true type: boolean required: - upgradeModulesToLatest @@ -15666,8 +15704,8 @@ spec: - participatingClusterName type: object memcachedSaslSecretName: - description: 'Credentials used for binary authentication in memcached databases. - The credentials should be saved as an opaque secret and the name of that secret should be configured using this field. + description: 'Credentials used for binary authentication in memcached databases. + The credentials should be saved as an opaque secret and the name of that secret should be configured using this field. For username, use ''username'' as the key and the actual username as the value. For password, use ''password'' as the key and the actual password as the value. Note that connections are not encrypted.' @@ -15883,6 +15921,10 @@ spec: observedGeneration: description: The most recent generation observed for this RERC. It corresponds to the RERC's generation, which is updated by the API Server. type: integer + internalObservedSecretResourceVersion: + description: The observed secret resource version. + Used for internal purposes only. + type: string type: object spec: properties: 
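Review bot: `upgradeModulesToLatest` is marked DEPRECATED in the new description, yet the hunk's context still lists it under `required:`, so anyone using `upgradeSpec` must set a field the schema tells them not to rely on. Either drop it from `required` in the same change, or state in the description that it stays mandatory until removal and name the replacement. The identical combination is in crds/redb_crd.yaml at `@@ -582,9 +587,12 @@`. The new `modulesList` text in the `@@ -15454,12 +15484,16 @@` hunk also has wording slips that will show in `kubectl explain`: `it can result errors in the operator` → `it can result in errors in the operator`, and `the option to specify specific version is Deprecated` → `the option to specify a specific version is deprecated`.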
@@ -15894,6 +15936,9 @@ spec: description: The database URL suffix, will be used for the active-active database replication endpoint and replication endpoint SNI. type: string + apiPort: + description: The port number of the cluster's URL used for connectivity/sync + type: integer recNamespace: description: The namespace of the REC that the RERC is pointing at type: string @@ -16011,6 +16056,13 @@ spec: - up - down type: string + clusterCertificatesGeneration: + description: Versions of the cluster's Proxy and Syncer certificates. + In Active-Active databases, these are used to detect updates to the + certificates, and trigger synchronization across the participating + clusters. . + format: int64 + type: integer secretsStatus: description: The status of the secrets items: @@ -16084,7 +16136,8 @@ spec: - participatingClusterName type: object alertSettings: - description: Settings for database alerts + description: Settings for database alerts. + Note - Alert settings are not supported for Active-Active database. properties: bdb_backup_delayed: description: Periodic backup has been delayed for longer than @@ -16543,7 +16596,9 @@ spec: for some databases, you must set redisUpgradePolicy on the cluster before. Possible values are 'major' or 'latest' When using upgrade - make sure to backup the database before. This value is used - only for database type 'redis' + only for database type 'redis'. + Note - Specifying Redis version is currently not + supported for Active-Active database. type: string upgradeSpec: description: Specifications for DB upgrade. @@ -16678,7 +16733,6 @@ spec: type: object type: object --- ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -16721,7 +16775,7 @@ spec: - configMapRef: name: "operator-environment-config" optional: true - image: redislabs/operator:7.4.6-2 + image: redislabs/operator:7.8.2-2 imagePullPolicy: Always livenessProbe: failureThreshold: 3 
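Review bot: `apiPort` in the RERC spec (`@@ -15894,6 +15936,9 @@`) is a bare `type: integer`; a port field should carry `minimum: 1` and `maximum: 65535` so that an invalid value is rejected at admission instead of surfacing later as a failed connection to the remote cluster, and the description should state the default used when the field is omitted. The same addition appears in crds/rerc_crd.yaml at `@@ -67,6 +71,9 @@`.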
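Review bot: The `clusterCertificatesGeneration` description in `@@ -16011,6 +16056,13 @@` ends with a stray ` .` after `clusters`, which is rendered verbatim by `kubectl explain`. The same text is added to crds/reaadb_crd.yaml at `@@ -98,6 +98,13 @@`. Suggested ending: `...and trigger synchronization across the participating clusters.`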
@@ -16769,7 +16823,7 @@ spec: - configMapRef: name: "operator-environment-config" optional: true - image: redislabs/operator:7.4.6-2 + image: redislabs/operator:7.8.2-2 imagePullPolicy: Always livenessProbe: failureThreshold: 3 diff --git a/cluster_credentials.md b/cluster_credentials.md index 6a85144..69e7396 100644 --- a/cluster_credentials.md +++ b/cluster_credentials.md @@ -1,3 +1,3 @@ # Management of the Redis Enterprise Cluster credentials -This content has moved to [docs.redis.com](https://docs.redis.com/latest/); see [Manage Redis Enterprise cluster (REC) credentials](https://docs.redis.com/latest/kubernetes/security/manage-rec-credentials/). \ No newline at end of file +This content has moved to [redis.io/docs](https://redis.io/docs/latest/operate/); see [Manage Redis Enterprise cluster (REC) credentials](https://redis.io/docs/latest/operate/kubernetes/security/manage-rec-credentials/). \ No newline at end of file diff --git a/crds/app.redislabs.com_redisenterpriseacls_crd.yaml b/crds/app.redislabs.com_redisenterpriseacls_crd.yaml new file mode 100644 index 0000000..d98b2ff --- /dev/null +++ b/crds/app.redislabs.com_redisenterpriseacls_crd.yaml 
@@ -0,0 +1,57 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: redisenterpriseacls.app.redislabs.com
+spec:
+ group: app.redislabs.com
+ names:
+ kind: RedisEnterpriseACL
+ listKind: RedisEnterpriseACLList
+ plural: redisenterpriseacls
+ singular: redisenterpriseacl
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: RedisEnterpriseACL represents an access control list definition
+ for a Redis database.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: RedisEnterpriseACLSpec defines the desired state of RedisEnterpriseACL
+ properties:
+ acl:
+ description: Redis ACL rule
+ type: string
+ type: object
+ status:
+ description: RedisEnterpriseACLStatus defines the observed state of RedisEnterpriseACL
+ properties:
+ max_version:
+ description: Maximum Redis database version that supports this ACL
+ type: string
+ min_version:
+ description: Minimum Redis database version that supports this ACL
+ type: string
+ uid:
+ description: The internal UID of the Redis ACL object defined in the
+ Redis Enterprise Cluster.
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/crds/reaadb_crd.yaml b/crds/reaadb_crd.yaml
index 0c8fd8a..059628b 100644
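Review bot: The `spec` object of the new RedisEnterpriseACL schema has no `required` list, so an object with an empty spec, or no `acl` at all, passes admission even though `acl` is the only thing the resource carries; `required: - acl` under `spec`, plus `minLength: 1` on `acl`, would reject it at the API server. The `acl` string is also documented only as `Redis ACL rule` — since the value is an access-control rule applied to databases, the description should say what syntax is expected and whether the operator validates it before applying it, which cannot be told from this file. The status field names `max_version` and `min_version` use snake_case while the other CRDs touched in this patch use camelCase (`observedGeneration`, `apiPort`), which is worth aligning before `v1alpha1` gains users.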
--- a/crds/reaadb_crd.yaml +++ b/crds/reaadb_crd.yaml @@ -98,6 +98,13 @@ spec: - up - down type: string + clusterCertificatesGeneration: + description: Versions of the cluster's Proxy and Syncer certificates. + In Active-Active databases, these are used to detect updates to the + certificates, and trigger synchronization across the participating + clusters. . + format: int64 + type: integer secretsStatus: description: The status of the secrets items: @@ -171,7 +178,8 @@ spec: - participatingClusterName type: object alertSettings: - description: Settings for database alerts + description: Settings for database alerts. + Note - Alert settings are not supported for Active-Active database. properties: bdb_backup_delayed: description: Periodic backup has been delayed for longer than @@ -630,7 +638,9 @@ spec: for some databases, you must set redisUpgradePolicy on the cluster before. Possible values are 'major' or 'latest' When using upgrade - make sure to backup the database before. This value is used - only for database type 'redis' + only for database type 'redis'. + Note - Specifying Redis version is currently not + supported for Active-Active database. type: string upgradeSpec: description: Specifications for DB upgrade. diff --git a/crds/rec_crd.yaml b/crds/rec_crd.yaml index 97858e8..9aff2ea 100644 --- a/crds/rec_crd.yaml +++ b/crds/rec_crd.yaml 
@@ -147,6 +147,26 @@ spec: field in the RedisEnterpriseCluster resource. type: boolean type: object + certificatesStatus: + description: Stores information about cluster certificates and their + update process. In Active-Active databases, this is used to detect + updates to the certificates, and trigger synchronization across the + participating clusters. + properties: + generation: + description: Generation stores the version of the cluster's Proxy + and Syncer certificate secrets. In Active-Active databases, when + a user updates the proxy or syncer certificate, a crdb-update + command needs to be triggered to avoid potential sync issues. + This helps the REAADB controller detect a change in a certificate + and trigger a crdb-update. The version of the cluster's Proxy + certificate secret. + format: int64 + type: integer + updateStatus: + description: The status of the cluster's certificates update + type: string + type: object ingressOrRouteMethodStatus: description: The ingressOrRouteSpec/ActiveActive spec method that exist type: string @@ -595,6 +615,10 @@ spec: cacheTTLSeconds: description: The maximum TTL of cached entries. type: integer + directoryTimeoutSeconds: + description: The connection timeout to the LDAP server when authenticating + a user, in seconds + type: integer enabledForControlPlane: description: Whether to enable LDAP for control plane access. Disabled by default. @@ -865,7 +889,7 @@ spec: on Kubernetes v1.25+. Future versions of the RedisEnterpriseCluster API will remove support for this field altogether. For migration instructions, see https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/ - \n Name of pod security policy to use on pods" + \n Name of pod security policy to use on pods" type: string podStartingPolicy: description: Mitigation setting for STS pods stuck in "ContainerCreating" @@ -6678,7 +6702,7 @@ spec: type: string required: - port - type: object + type: object httpGet: properties: host: 
@@ -7722,6 +7746,14 @@ spec: - version type: object type: array + certificatesStatus: + properties: + generation: + format: int64 + type: integer + updateStatus: + type: string + type: object ingressOrRouteMethodStatus: type: string managedAPIs: @@ -8019,6 +8051,8 @@ spec: type: string cacheTTLSeconds: type: integer + directoryTimeoutSeconds: + type: integer enabledForControlPlane: type: boolean enabledForDataPlane: @@ -13913,7 +13947,7 @@ spec: type: string required: - port - type: object + type: object httpGet: properties: host: diff --git a/crds/redb_crd.yaml b/crds/redb_crd.yaml index 68cf16f..4f20644 100644 --- a/crds/redb_crd.yaml +++ b/crds/redb_crd.yaml 
@@ -401,12 +401,16 @@ spec: and it must not be below 1GB. type: string modulesList: - description: List of modules associated with database. - Note - For Active-Active databases this feature is currently in preview. For - this feature to take effect for Active-Active databases, set a boolean environment variable - with the name "ENABLE_ALPHA_FEATURES" to True. This variable can - be set via the redis-enterprise-operator pod spec, or through the - operator-environment-config Config Map. + description: List of modules associated with database. Note - For Active-Active + databases this feature is currently in preview. For this feature to + take effect for Active-Active databases, set a boolean environment + variable with the name "ENABLE_ALPHA_FEATURES" to True. This variable + can be set via the redis-enterprise-operator pod spec, or through + the operator-environment-config Config Map. Note - if you do not want + to upgrade to the latest version you must set upgradeSpec -> upgradeModulesToLatest + to false. if you specify a version and do not set the upgradeModulesToLatest + it can result errors in the operator. in addition, the option to specify + specific version is Deprecated and will be deleted in next releases. items: description: 'Redis Enterprise Module: https://redislabs.com/redis-enterprise/modules/' properties: @@ -418,7 +422,8 @@ spec: description: The module's name e.g "ft" for redissearch type: string version: - description: Module's semantic version e.g "1.6.12" - optional only in REDB, must be set in REAADB + description: DEPRECATED - Module's semantic version e.g "1.6.12" + - optional only in REDB, must be set in REAADB type: string required: - name 
@@ -582,9 +587,12 @@ spec: description: Specifications for DB upgrade. properties: upgradeModulesToLatest: - description: Upgrades the modules to the latest version that supportes the DB version during a DB upgrade action, to upgrade the DB version view the 'redisVersion' field. - Notes - All modules must be without specifing the version. - in addition, This field is currently not supported for Active-Active databases. + description: DEPRECATED Upgrades the modules to the latest version + that supports the DB version during a DB upgrade action, to upgrade + the DB version view the 'redisVersion' field. Notes - All modules + must be without specifying the version. in addition, This field + is currently not supported for Active-Active databases. The default + is true type: boolean required: - upgradeModulesToLatest @@ -613,8 +621,8 @@ spec: - participatingClusterName type: object memcachedSaslSecretName: - description: 'Credentials used for binary authentication in memcached databases. - The credentials should be saved as an opaque secret and the name of that secret should be configured using this field. + description: 'Credentials used for binary authentication in memcached databases. + The credentials should be saved as an opaque secret and the name of that secret should be configured using this field. For username, use ''username'' as the key and the actual username as the value. For password, use ''password'' as the key and the actual password as the value. Note that connections are not encrypted.' diff --git a/crds/rerc_crd.yaml b/crds/rerc_crd.yaml index 344cef6..eab55df 100644 --- a/crds/rerc_crd.yaml +++ b/crds/rerc_crd.yaml 
@@ -56,6 +56,10 @@ spec: observedGeneration: description: The most recent generation observed for this RERC. It corresponds to the RERC's generation, which is updated by the API Server. type: integer + internalObservedSecretResourceVersion: + description: The observed secret resource version. + Used for internal purposes only. + type: string type: object spec: properties: @@ -67,6 +71,9 @@ spec: description: The database URL suffix, will be used for the active-active database replication endpoint and replication endpoint SNI. type: string + apiPort: + description: The port number of the cluster's URL used for connectivity/sync + type: integer recNamespace: description: The namespace of the REC that the RERC is pointing at type: string diff --git a/helm/redis-enterprise-operator/.helmignore b/helm/redis-enterprise-operator/.helmignore new file mode 100644 index 0000000..6b8c0ab --- /dev/null +++ b/helm/redis-enterprise-operator/.helmignore @@ -0,0 +1 @@ +.helmignore diff --git a/helm/redis-enterprise-operator/Chart.yaml b/helm/redis-enterprise-operator/Chart.yaml new file mode 100644 index 0000000..7ab18f2 --- /dev/null +++ b/helm/redis-enterprise-operator/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v2 +type: application + +name: redis-enterprise-operator +description: A Helm chart for Redis Enterprise Operator for Kubernetes + +version: 0.1.0 +appVersion: 7.8.2-2 + +home: https://redis.com +icon: https://redis.com/wp-content/themes/wpx/assets/images/logo-redis.svg +keywords: + - redis + - database +maintainers: + - name: Redis + url: https://redis.com/company/contact/ diff --git a/helm/redis-enterprise-operator/README.md b/helm/redis-enterprise-operator/README.md new file mode 100644 index 0000000..e5bb9ee --- /dev/null +++ b/helm/redis-enterprise-operator/README.md 
@@ -0,0 +1,149 @@ +# Redis Enterprise Operator Helm Chart + +Official Helm chart for installing, configuring and upgrading **Redis Enterprise Operator for Kubernetes**. + +[Redis Enterprise](https://redis.com/redis-enterprise-software/overview/) is a self-managed data platform that unlocks the full potential of Redis at enterprise scale - on premises or in the cloud. +[Redis Enterprise Operator for Kubernetes](https://redis.com/redis-enterprise-software/redis-enterprise-on-kubernetes/) provides a simple, Kubernetes-native way for deploying and managing Redis Enterprise on Kubernetes. + +## Prerequisites + +- Kubernetes 1.23+ + Supported Kubernetes versions can vary according to the Kubernetes distribution being used. + Please consult the [release notes](https://redis.io/docs/latest/operate/kubernetes/release-notes/) for detailed supported distributions information per operator version. +- Helm 3.10+ + +## Installing the Chart + +To install the chart: + +```sh +helm install [RELEASE_NAME] [PATH_TO_CHART] +``` + +The `[PATH_TO_CHART]` may be a path to the chart root directory, or a chart archive on the local filesystem. + +To install the chart on **OpenShift**, set the `openshift.mode=true` value: + +```sh +helm install [RELEASE_NAME] [PATH_TO_CHART] \ + --set openshift.mode=true +``` + +To create and select a namespace for the installation, specify the `--namespace` and `--create-namespace` flags: + +```sh +helm install [RELEASE_NAME] [PATH_TO_CHART] \ + --namespace [NAMESPACE] \ + --create-namespace +``` + +For example, to install the chart with release name "my-redis-enterprise" from within the chart's root directory: + +```sh +helm install my-redis-enterprise . \ + --namespace redis-enterprise \ + --create-namespace +``` + +Note: the chart installation includes several jobs that configure the CRDs and admission controller used by the operator. +These jobs run synchronously during the execution of `helm install` command, and may take around 1 minute to complete. 
+To view additional progress information during the `helm install` execution, use the `--debug` flag: + +```sh +helm install [RELEASE_NAME] [PATH_TO_CHART] \ + --debug +``` + +See [Configuration](#configuration) section below for various configuration options. +See [Creating a Redis Enterprise Cluster](#creating-a-redis-enterprise-cluster) section below for instructions for creating a Redis Enterprise Cluster. +See [helm install](https://helm.sh/docs/helm/helm_install/) and [Using Helm](https://helm.sh/docs/intro/using_helm/#helm-install-installing-a-package) for more information and options when installing charts. + +## Uninstalling the Chart + +Before uninstalling the chart, delete any custom resources managed by the Redis Enterprise Operator: + +```sh +kubectl delete redb +kubectl delete rerc +kubectl delete reaadb +kubectl delete rec +``` + +To uninstall a previously installed chart: + +```sh +helm uninstall [RELEASE_NAME] +``` + +This removes all the Kubernetes resources associated with the chart and deletes the release. + +See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for more information and options when uninstalling charts. + +## Creating a Redis Enterprise Cluster + +Once the chart is installed and the Redis Enterprise Operator is running, a Redis Enterprise Cluster can be created. +As of now, the Redis Enterprise Cluster is created directly via custom resources, and not via Helm. + +To create a Redis Enterprise Cluster: + +1. Validate that the `redis-enterprise-operator` pod is in `RUNNING` state: + +```sh +kubectl get pods -n [NAMESPACE] +``` + +2. Create a file for the `RedisEnterpriseCluster` custom resource: + +```yaml +apiVersion: app.redislabs.com/v1 +kind: RedisEnterpriseCluster +metadata: + name: rec +spec: + nodes: 3 +``` + +3. 
Apply the custom resource: + +```sh +kubectl apply -f rec.yaml -n [NAMESPACE] +``` + +See [Create a Redis Enterprise cluster](https://redis.io/docs/latest/operate/kubernetes/deployment/quick-start/#create-a-redis-enterprise-cluster-rec) and [Redis Enterprise Cluster API](https://github.com/RedisLabs/redis-enterprise-k8s-docs/blob/master/redis_enterprise_cluster_api.md) for more information and options for creating a Redis Enterprise Cluster. + +## Configuration + +The chart supports several configuration options that allows to customize the behavior and capabilities of the Redis Enterprise Operator. +For a list of configurable options and their descriptions, please refer to the `values.yaml` file at the root of the chart. + +To install the chart with a customized values file: + +```sh +helm install [RELEASE_NAME] [PATH_TO_CHART] \ + --values [PATH_TO_VALUES_FILE] +``` + +To install the chart with the default values files but with some specific values overriden: + +```sh +helm install [RELEASE_NAME] [PATH_TO_CHART] \ + --set key1=value1 \ + --set key2=value2 +``` + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing) for additional information on how to customize the chart installation. + +## Known Limitations + +This is a preliminary release of this Helm chart, and as of now some if its functionality is still limited: + +- The chart only installs the Redis Enterprise Operator, but doesn't create a Redis Enterprise Cluster. See [Creating a Redis Enterprise Cluster](#creating-a-redis-enterprise-cluster) section for instructions on how to directly create a Redis Enterprise Cluster. +- Several configuration options for the operator are still unsupported, including multiple REDB namespaces, rack-aware, and vault integration. These options can be enabled by following the relevant instructions in the [product documentation](https://redis.io/docs/latest/operate/kubernetes/). 
+- CRDs installed by the chart are not removed upon chart uninstallation. These could be manually removed when the chart is uninstalled and are no longer needed, using the following command: + ```sh + kubectl delete crds -l app=redis-enterprise + ``` +- Helm chart upgrades are not supported, nor migrations from a non-Helm deployment to a Helm deployment. +- Limited testing in advanced setups such as Active-Active configurations, airgapped deployments, IPv6/dual-stack environments. +- The chart is still unpublished in a "helm repo" or ArtifactHub, and thus can only be installed from a local source (chart directory/archive). +- While not really a limitation, please note that this chart also installs the [admission controller](https://redis.io/docs/latest/operate/kubernetes/deployment/quick-start/#enable-the-admission-controller) by default, and there's no option to disable it (as opposed to the non-Helm deployment). \ No newline at end of file diff --git a/helm/redis-enterprise-operator/templates/_helpers.tpl b/helm/redis-enterprise-operator/templates/_helpers.tpl new file mode 100644 index 0000000..b9754ae --- /dev/null +++ b/helm/redis-enterprise-operator/templates/_helpers.tpl 
@@ -0,0 +1,39 @@ +{{- define "redis-enterprise-operator.operator.image" }} +{{- if (.Values.global).azure }} +{{- with .Values.global.azure.images.operator }} +{{ .registry }}/{{ .image }}@{{ .digest }} +{{- end }} +{{- else }} +{{- $defaultRepository := ternary "registry.connect.redhat.com/redislabs/redis-enterprise-operator" "redislabs/operator-internal" .Values.openshift.mode }} +{{- $repository := default $defaultRepository .Values.operator.image.repository }} +{{ $repository }}:{{ .Values.operator.image.tag }} +{{- end }} +{{- end }} + +{{- define "redis-enterprise-operator.annotations" }} +{{- if ne .Values.versionAnnotations false -}} +redis.io/helm-chart-ver: {{ .Chart.Version }} +redis.io/operator-ver: {{ .Values.operator.image.tag }} +{{- end }} +{{- end }} + +{{/* +Evaluates to a TLS configuration for the admission webhook, either by retrieving an +existing configuration from the "admission-tls" Secret, or by generating a new one. +Returns a TLS configuration YAML object with a "cert" and "privateKey" keys. +*/}} +{{- define "redis-enterprise-operator.admissionTLSConfig" }} + {{- $tlsConfig := dict }} + {{- $secret := (lookup "v1" "Secret" .Release.Namespace "admission-tls") }} + {{- if $secret }} + {{ $tlsConfig = $secret.data }} + {{- else}} + {{ $cna := printf "admission.%s" .Release.Namespace }} + {{ $cnb := printf "admission.%s.svc" .Release.Namespace }} + {{ $cnc := printf "admission.%s.svc.cluster.local" .Release.Namespace }} + {{ $cert := genSelfSignedCert $cnb nil (list $cna $cnb $cnc) (int (mul 365 5)) }} + {{ $_ := set $tlsConfig "cert" ($cert.Cert | b64enc) }} + {{ $_ := set $tlsConfig "privateKey" ($cert.Key | b64enc) }} + {{- end }} + {{ $tlsConfig | toYaml | nindent 2 }} +{{- end }} diff --git a/helm/redis-enterprise-operator/templates/admission-service.yaml b/helm/redis-enterprise-operator/templates/admission-service.yaml new file mode 100644 index 0000000..0677dd4 --- /dev/null 
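Review bot: `redis-enterprise-operator.admissionTLSConfig` issues a self-signed certificate with a five-year lifetime (`int (mul 365 5)`) and otherwise copies whatever `admission-tls` Secret already exists, so there is no rotation path short of deleting that Secret, and the header comment does not say so. Because the helper depends on `lookup`, a client-side render (`helm template`, `--dry-run=client`) sees no Secret and generates a fresh key pair on every render, which will not match what an already running admission server serves. Suggested addition to the header comment: `NOTE: lookup returns nothing under helm template / --dry-run=client, so a new key pair is generated on each such render; the cert is self-signed for 5 years and is only replaced by deleting the admission-tls Secret.`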
+++ b/helm/redis-enterprise-operator/templates/admission-service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: admission + labels: + app: redis-enterprise + annotations: + {{- include "redis-enterprise-operator.annotations" . | nindent 4}} +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 8443 + selector: + name: redis-enterprise-operator diff --git a/helm/redis-enterprise-operator/templates/jobs/install-crds.yaml b/helm/redis-enterprise-operator/templates/jobs/install-crds.yaml new file mode 100644 index 0000000..4db62f4 --- /dev/null +++ b/helm/redis-enterprise-operator/templates/jobs/install-crds.yaml 
@@ -0,0 +1,97 @@ +apiVersion: batch/v1 +kind: Job +metadata: + namespace: {{ .Release.Namespace }} + name: redis-enterprise-crds + annotations: + "redis/operator-ver": {{ .Values.operator.image.tag }} + "redis/helm-chart-ver": {{ .Chart.Version }} + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-4" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + labels: + app: redis-enterprise +spec: + template: + metadata: + labels: + app: redis-enterprise + spec: + containers: + - name: gatekeeper-crds + image: {{ include "redis-enterprise-operator.operator.image" . | printf "%s" | trim }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" + command: + - crd-installer + args: + - "-action=applyCRD" + - "-crdPaths=/crds/rec_crd.yaml,/crds/redb_crd.yaml,/crds/reaadb_crd.yaml,/crds/rerc_crd.yaml" + resources: + limits: + cpu: 100m + memory: 100Mi + serviceAccountName: redis-enterprise-crds + restartPolicy: OnFailure + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: redis-enterprise-crds + annotations: + "redis/operator-ver": {{ .Values.operator.image.tag }} + "redis/helm-chart-ver": {{ .Chart.Version }} + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + labels: + app: redis-enterprise +rules: + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "get", "list", "watch", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: redis-enterprise-crds + annotations: + "redis/operator-ver": {{ .Values.operator.image.tag }} + "redis/helm-chart-ver": {{ .Chart.Version }} + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + labels: + app: redis-enterprise +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: redis-enterprise-crds +subjects: + - kind: ServiceAccount + name: redis-enterprise-crds + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: redis-enterprise-crds + namespace: {{ .Release.Namespace }} + annotations: + "redis/operator-ver": {{ .Values.operator.image.tag }} + "redis/helm-chart-ver": {{ .Chart.Version }} + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + labels: + app: redis-enterprise diff --git a/helm/redis-enterprise-operator/templates/jobs/patch-namespace-label.yaml b/helm/redis-enterprise-operator/templates/jobs/patch-namespace-label.yaml new file mode 100644 index 0000000..dc15c5a --- /dev/null +++ b/helm/redis-enterprise-operator/templates/jobs/patch-namespace-label.yaml 
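Review bot: The `hook-delete-policy` on the `redis-enterprise-crds` ClusterRole, ClusterRoleBinding and ServiceAccount is `hook-succeeded,before-hook-creation`, so if the Job fails the binding that grants cluster-wide `create`/`patch` on `customresourcedefinitions` stays in the cluster until the next install or upgrade; adding `hook-failed` to the policy on those three RBAC objects, `"helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation`, removes the grant either way while the Job itself can keep its current policy so its logs survive. The container's `securityContext` omits `readOnlyRootFilesystem: true`, which the operator containers in `templates/operator.yaml` set; the same applies to the Jobs in `patch-namespace-label.yaml` and `patch-webhook-configuration.yaml`. The commit's diffstat also lists a new `redisenterpriseacls` CRD file while `-crdPaths` names only the four existing CRDs — presumably intentional for this release, but worth confirming.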
@@ -0,0 +1,146 @@ +{{- if .Values.admission.limitToNamespace }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: redis-enterprise-namespace-labels + labels: + app: redis-enterprise + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade,post-delete + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- include "redis-enterprise-operator.annotations" . | nindent 4}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: redis-enterprise-namespace-labels + labels: + app: redis-enterprise + annotations: + "helm.sh/hook": post-install,post-upgrade,post-delete + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- include "redis-enterprise-operator.annotations" . | nindent 4}} +rules: +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: redis-enterprise-namespace-labels + labels: + app: redis-enterprise + annotations: + "helm.sh/hook": post-install,post-upgrade,post-delete + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- include "redis-enterprise-operator.annotations" . | nindent 4}} +subjects: +- kind: ServiceAccount + name: redis-enterprise-namespace-labels + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: redis-enterprise-namespace-labels + apiGroup: rbac.authorization.k8s.io + +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: redis-enterprise-namespace-labels + labels: + app: redis-enterprise + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- include "redis-enterprise-operator.annotations" . 
| nindent 4}} +spec: + backoffLimit: 6 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: redis-enterprise + spec: + containers: + - name: redis-enterprise-namespace-labels + resources: + limits: + cpu: 100m + memory: 100Mi + image: {{ include "redis-enterprise-operator.operator.image" . | printf "%s" | trim }} + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" + command: + - crd-installer + args: + - "-action=patchNamespace" + - -namespace={{ .Release.Namespace }} + restartPolicy: OnFailure + serviceAccountName: redis-enterprise-namespace-labels + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} +--- + +apiVersion: batch/v1 +kind: Job +metadata: + name: redis-enterprise-namespace-labels-cleanup + labels: + app: redis-enterprise + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- include "redis-enterprise-operator.annotations" . | nindent 4}} +spec: + backoffLimit: 6 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: redis-enterprise + spec: + containers: + - name: redis-enterprise-namespace-labels-cleanup + resources: + limits: + cpu: 100m + memory: 100Mi + image: {{ include "redis-enterprise-operator.operator.image" . | printf "%s" | trim }} + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" + command: + - crd-installer + args: + - "-action=unpatchNamespace" + - -namespace={{ .Release.Namespace }} + restartPolicy: OnFailure + serviceAccountName: redis-enterprise-namespace-labels + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} +{{- end }}{{- /* if limitToNamespace */ -}} 
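Review bot: The `redis-enterprise-namespace-labels` ClusterRole grants `patch` on every Namespace in the cluster, while both Jobs only ever pass `-namespace={{ .Release.Namespace }}`; scoping the rule with `resourceNames` keeps the hook account at least privilege: `resources: ["namespaces"]` / `resourceNames: [{{ .Release.Namespace | quote }}]` / `verbs: ["patch"]`. The ServiceAccount, ClusterRole and ClusterRoleBinding are also created on `post-delete` so the cleanup Job can run, but their `hook-delete-policy` lacks `hook-failed`, so a failed cleanup leaves the cluster-scoped binding behind.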
diff --git a/helm/redis-enterprise-operator/templates/jobs/patch-webhook-configuration.yaml b/helm/redis-enterprise-operator/templates/jobs/patch-webhook-configuration.yaml new file mode 100644 index 0000000..fd87030 --- /dev/null +++ b/helm/redis-enterprise-operator/templates/jobs/patch-webhook-configuration.yaml 
@@ -0,0 +1,134 @@ +{{- if not .Values.admission.setCABundle }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: redis-enterprise-admission-configuration + labels: + app: redis-enterprise + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- include "redis-enterprise-operator.annotations" . | nindent 4}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: redis-enterprise-admission-configuration + labels: + app: redis-enterprise + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- include "redis-enterprise-operator.annotations" . | nindent 4}} +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["patch", "get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: redis-enterprise-admission-configuration + labels: + app: redis-enterprise + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- include "redis-enterprise-operator.annotations" . | nindent 4}} +subjects: +- kind: ServiceAccount + name: redis-enterprise-admission-configuration + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: redis-enterprise-admission-configuration + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: redis-enterprise-admission-configuration + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- include "redis-enterprise-operator.annotations" . 
| nindent 4}} + labels: + app: redis-enterprise +rules: + - apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: [ "get"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: redis-enterprise-admission-configuration + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- include "redis-enterprise-operator.annotations" . | nindent 4}} + labels: + app: redis-enterprise +subjects: +- kind: ServiceAccount + name: redis-enterprise-admission-configuration +roleRef: + kind: Role + name: redis-enterprise-admission-configuration + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: redis-webhook-configuration + labels: + app: redis-enterprise + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- include "redis-enterprise-operator.annotations" . | nindent 4}} +spec: + backoffLimit: 6 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: redis-enterprise + spec: + containers: + - name: patch-admission-webhook-configuration + resources: + limits: + cpu: 100m + memory: 100Mi + image: {{ include "redis-enterprise-operator.operator.image" . | printf "%s" | trim }} + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" + command: + - crd-installer + args: + - -action=patchWebhook + - -webhookName=redis-enterprise-admission-{{ .Release.Namespace }} + - -namespace={{ .Release.Namespace }} + restartPolicy: OnFailure + serviceAccountName: redis-enterprise-admission-configuration + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} +{{- end }} \ No newline at end of file 
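Review bot: The `redis-webhook-configuration` Job passes `-webhookName=redis-enterprise-admission-{{ .Release.Namespace }}` unconditionally, but `templates/webhook.yaml` names the ValidatingWebhookConfiguration `redis-enterprise-admission` (no namespace suffix) when `admission.limitToNamespace` is false, so with `limitToNamespace=false` and `setCABundle=false` the patch targets an object that does not exist and the `caBundle` stays empty; deriving the name the same way fixes it: `- -webhookName=redis-enterprise-admission{{ if .Values.admission.limitToNamespace }}-{{ .Release.Namespace }}{{ end }}`. The ClusterRole grants `patch`/`get` on all `validatingwebhookconfigurations` and could be limited with `resourceNames` to that one name once it is computed consistently. The hook runs only on `post-install`, unlike the CRD Job which also runs on `pre-upgrade`; if that is deliberate because chart upgrades are unsupported, a comment saying so would help the next reader.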
diff --git a/helm/redis-enterprise-operator/templates/openshift/scc.yaml b/helm/redis-enterprise-operator/templates/openshift/scc.yaml new file mode 100644 index 0000000..db8d292 --- /dev/null +++ b/helm/redis-enterprise-operator/templates/openshift/scc.yaml @@ -0,0 +1,38 @@ +{{- if and .Values.openshift.mode .Values.openshift.scc.install -}} +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + name: redis-enterprise-scc-v2 + annotations: + kubernetes.io/description: redis-enterprise-scc-v2 is the minimal SCC needed to run Redis Enterprise nodes on Kubernetes. + It provides the same features as restricted-v2 SCC, but allows pods to enable the SYS_RESOURCE capability, + which is required by Redis Enterprise nodes to manage file descriptor limits and OOM scores for database shards. + Additionally, it requires pods to run as UID/GID 1001, which are the UID/GID used within the Redis Enterprise node containers. + {{- if .Values.openshift.scc.shared }} + helm.sh/resource-policy: keep + {{- end }} +allowedCapabilities: +- SYS_RESOURCE +allowHostDirVolumePlugin: false +allowHostIPC : false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +readOnlyRootFilesystem: false +runAsUser: + type: MustRunAs + uid: 1001 +fsGroup: + type: MustRunAs + ranges: + - min: 1001 + max: 1001 +seLinuxContext: + type: MustRunAs +seccompProfiles: +- runtime/default +supplementalGroups: + type: RunAsAny +{{- end -}} diff --git a/helm/redis-enterprise-operator/templates/operator-environment-config.yaml b/helm/redis-enterprise-operator/templates/operator-environment-config.yaml new file mode 100644 index 0000000..64ffa15 --- /dev/null +++ b/helm/redis-enterprise-operator/templates/operator-environment-config.yaml 
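Review bot: `allowHostIPC : false` has a space before the colon; YAML still parses the key as `allowHostIPC`, but next to its neighbours it reads as a typo, so write it `allowHostIPC: false`. The four-line `kubernetes.io/description` value is a plain multi-line scalar that YAML folds into one string, which works, though a `>-` block scalar would make that intent explicit to whoever edits it next.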
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ app: redis-enterprise
+ name: operator-environment-config
+ namespace: {{ $.Release.Namespace }}
+ annotations:
+ {{- include "redis-enterprise-operator.annotations" . | nindent 4}}
diff --git a/helm/redis-enterprise-operator/templates/operator.yaml b/helm/redis-enterprise-operator/templates/operator.yaml
new file mode 100644
index 0000000..c03deb1
--- /dev/null
+++ b/helm/redis-enterprise-operator/templates/operator.yaml
@@ -0,0 +1,161 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{- include "redis-enterprise-operator.annotations" . | nindent 8}} + labels: + app: redis-enterprise + name: redis-enterprise-operator +spec: + replicas: 1 + selector: + matchLabels: + name: redis-enterprise-operator + strategy: + type: Recreate + template: + metadata: + labels: + app: redis-enterprise + name: redis-enterprise-operator + spec: + containers: + - command: + - operator-root + - operator + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: redis-enterprise-operator + {{- if .Values.openshift.mode }} + - name: IS_OPENSHIFT + value: "true" + {{- end }} + {{- if (.Values.global).azure }} + {{- with .Values.global.azure.images }} + - name: DEFAULT_RS_IMAGE_REPOSITORY + value: {{ .rs.registry }}/{{ .rs.image }} + - name: DEFAULT_RIGGER_IMAGE_REPOSITORY + value: {{ .rigger.registry }}/{{ .rigger.image }} + - name: DEFAULT_BOOTSTRAPPER_IMAGE_REPOSITORY + value: {{ .operator.registry }}/{{ .operator.image }} + - name: DEFAULT_RS_IMAGE_DIGEST + value: {{ .rs.digest }} + - name: DEFAULT_RIGGER_IMAGE_DIGEST + value: {{ .rigger.digest }} + - name: DEFAULT_BOOTSTRAPPER_IMAGE_DIGEST + value: {{ .operator.digest }} + {{- end }} + {{- end }} + envFrom: + - configMapRef: + name: {{ "operator-environment-config" | quote }} + optional: true + image: {{ include "redis-enterprise-operator.operator.image" . 
| printf "%s" | trim }} + imagePullPolicy: Always + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 8080 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: redis-enterprise-operator + ports: + - containerPort: 8080 + resources: + limits: + cpu: 4000m + memory: 512Mi + requests: + cpu: 500m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + - command: + - operator-root + - admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + envFrom: + - configMapRef: + name: {{ "operator-environment-config" | quote }} + optional: true + image: {{ include "redis-enterprise-operator.operator.image" . | printf "%s" | trim }} + imagePullPolicy: Always + livenessProbe: + failureThreshold: 3 + httpGet: + path: /liveness + port: 8443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: admission + ports: + - containerPort: 8443 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 8443 + scheme: HTTPS + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: + cpu: 1000m + memory: 512Mi + requests: + cpu: 250m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + securityContext: + {{- if not .Values.openshift.mode}} + seccompProfile: + type: RuntimeDefault + {{- end }} + runAsNonRoot: true + serviceAccountName: redis-enterprise-operator + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} 
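Review bot: `include "redis-enterprise-operator.annotations" . | nindent 8` under `metadata.annotations` (itself indented at 2) renders the annotation keys eight spaces deep; YAML accepts the deeper indent, but every other template in this chart uses `nindent 4`, and `role.yaml`, `role_binding.yaml` and `service_account.yaml` repeat the `nindent 8` form — make them consistent: `{{- include "redis-enterprise-operator.annotations" . | nindent 4 }}`. The operator container has a liveness probe but no readiness probe, unlike the admission container, so the Deployment is considered ready as soon as that container starts; presumably acceptable for a single-replica `Recreate` rollout, but worth a comment on the container.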
diff --git a/helm/redis-enterprise-operator/templates/role.yaml b/helm/redis-enterprise-operator/templates/role.yaml new file mode 100644 index 0000000..febee46 --- /dev/null +++ b/helm/redis-enterprise-operator/templates/role.yaml 
@@ -0,0 +1,197 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + {{- include "redis-enterprise-operator.annotations" . | nindent 8}} + labels: + app: redis-enterprise + name: redis-enterprise-operator +rules: + - apiGroups: + - rbac.authorization.k8s.io + - "" + resources: + - roles + - serviceaccounts + - rolebindings + verbs: + - create + - get + - update + - patch + - delete + - apiGroups: + - app.redislabs.com + resources: + - redisenterpriseclusters + - redisenterpriseclusters/status + - redisenterpriseclusters/finalizers + - redisenterprisedatabases + - redisenterprisedatabases/status + - redisenterprisedatabases/finalizers + - redisenterpriseremoteclusters + - redisenterpriseremoteclusters/status + - redisenterpriseremoteclusters/finalizers + - redisenterpriseactiveactivedatabases + - redisenterpriseactiveactivedatabases/status + - redisenterpriseactiveactivedatabases/finalizers + verbs: + - delete + - get + - list + - patch + - create + - update + - watch + - apiGroups: + - "" + resources: + - secrets + verbs: + - update + - get + - create + - patch + - delete + - list + - watch + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - apps + resources: + - deployments + - statefulsets + - replicasets + verbs: + - create + - delete + - get + - patch + - update + - list + - watch + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - delete + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - update + - watch + - list + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete + - get + - update + - list + - watch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - update + - patch + - delete + - watch + - apiGroups: + - "" + resources: + - services + 
verbs: + - get + - list + - update + - patch + - create + - delete + - watch + - apiGroups: + - policy + resourceNames: + - redis-enterprise-psp + resources: + - podsecuritypolicies + verbs: + - use + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - create + - patch + - delete + - list + - update + - get + - watch + - apiGroups: + - networking.istio.io + resources: + - gateways + - virtualservices + verbs: + - get + - list + - update + - patch + - create + - delete + - watch + {{- if .Values.openshift.mode }} + - apiGroups: + - route.openshift.io + resources: + - routes + - routes/custom-host + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - security.openshift.io + resourceNames: + - nonroot + resources: + - securitycontextconstraints + verbs: + - use + {{- end }}{{/* if .Values.openshift.mode */}} diff --git a/helm/redis-enterprise-operator/templates/role_binding.yaml b/helm/redis-enterprise-operator/templates/role_binding.yaml new file mode 100644 index 0000000..06d4231 --- /dev/null +++ b/helm/redis-enterprise-operator/templates/role_binding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + {{- include "redis-enterprise-operator.annotations" . | nindent 8}} + labels: + app: redis-enterprise + name: redis-enterprise-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: redis-enterprise-operator +subjects: + - kind: ServiceAccount + name: redis-enterprise-operator diff --git a/helm/redis-enterprise-operator/templates/service_account.yaml b/helm/redis-enterprise-operator/templates/service_account.yaml new file mode 100644 index 0000000..0a1972c --- /dev/null +++ b/helm/redis-enterprise-operator/templates/service_account.yaml 
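Review bot: The rule granting `use` on the `redis-enterprise-psp` PodSecurityPolicy targets an API that was removed in Kubernetes 1.25, while the chart README states 1.23+; the rule is harmless on newer clusters but is dead configuration there and should either be gated on a values flag or carry a comment such as `# PodSecurityPolicy was removed in Kubernetes 1.25; this rule only matters on 1.23/1.24 clusters`. The first rule grants `create`/`update`/`patch`/`delete` on `roles`, `rolebindings` and `serviceaccounts` in the release namespace; RBAC escalation prevention bounds this to what the operator itself holds, but a why-comment naming what the operator creates with it would help reviewers. The `role_binding.yaml` hunk on the same line omits `namespace` on its ServiceAccount subject, which the RBAC authorizer resolves against the binding's own namespace — valid, just implicit.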
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ {{- include "redis-enterprise-operator.annotations" . | nindent 8}}
+ labels:
+ app: redis-enterprise
+ name: redis-enterprise-operator
diff --git a/helm/redis-enterprise-operator/templates/webhook.yaml b/helm/redis-enterprise-operator/templates/webhook.yaml
new file mode 100644
index 0000000..255fa9e
--- /dev/null
+++ b/helm/redis-enterprise-operator/templates/webhook.yaml
@@ -0,0 +1,70 @@ +{{- $admissionTLSConfig := dict }} + +{{- if .Values.admission.setCABundle }} +{{- $admissionTLSConfig = include "redis-enterprise-operator.admissionTLSConfig" . | fromYaml }} +{{- /* Skip secret creation if it was already created by the admission server */ -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace "admission-tls") }} +{{- if or (not $secret) (eq (dig "metadata" "labels" "app.kubernetes.io/managed-by" "" $secret) "Helm") }} +apiVersion: v1 +kind: Secret +metadata: + annotations: + {{- include "redis-enterprise-operator.annotations" . | nindent 4 }} + name: admission-tls + namespace: {{ .Release.Namespace }} +type: Opaque +data: + cert: {{ get $admissionTLSConfig "cert" }} + privateKey: {{ get $admissionTLSConfig "privateKey" }} + +--- +{{- end }}{{- /* if not $secret */ -}} +{{- end }}{{- /* if setCABundle */ -}} + +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + {{- include "redis-enterprise-operator.annotations" . 
| nindent 4}} + labels: + app: redis-enterprise + {{- if $.Values.admission.limitToNamespace }} + name: redis-enterprise-admission-{{ .Release.Namespace }} + {{- else }} + name: redis-enterprise-admission + {{- end }} +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: admission + path: /admission + namespace: {{ .Release.Namespace }} + {{- if $.Values.admission.setCABundle }} + caBundle: {{ get $admissionTLSConfig "cert" }} + {{- else }} + caBundle: "" # Fill in with BASE64 encoded signed cert + {{- end }} + failurePolicy: Fail + matchPolicy: Exact + name: redisenterprise.admission.redislabs + {{- if $.Values.admission.limitToNamespace }} + namespaceSelector: + matchLabels: + redis.io/redisenterprise.admission.enable: {{ .Release.Namespace }} + {{- end }} + rules: + - apiGroups: + - app.redislabs.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - redisenterprisedatabases + - redisenterpriseactiveactivedatabases + - redisenterpriseremoteclusters + sideEffects: None + timeoutSeconds: 30 diff --git a/helm/redis-enterprise-operator/values.yaml b/helm/redis-enterprise-operator/values.yaml new file mode 100644 index 0000000..3d34df6 --- /dev/null +++ b/helm/redis-enterprise-operator/values.yaml 
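Review bot: The webhook's `caBundle` is taken from a freshly generated `$admissionTLSConfig` even when an existing `admission-tls` secret that is not Helm-managed is found and deliberately left untouched, so unless the `admissionTLSConfig` helper in `_helpers.tpl` (outside this hunk) reuses the existing secret, the ValidatingWebhookConfiguration would trust a CA that does not match the certificate the admission server actually serves, and with `failurePolicy: Fail` every REDB/REAADB/RERC create or update would be rejected. Consider deriving the bundle from the looked-up secret when it exists, e.g. `{{- if $secret }}{{- $admissionTLSConfig = dict "cert" (index $secret.data "cert") "privateKey" (index $secret.data "privateKey") }}{{- end }}` before the Secret manifest, and add a comment stating what happens to the key material on `helm upgrade`. Separately, `admissionReviewVersions` lists only `v1beta1`; `admission.k8s.io/v1beta1` is deprecated, so list `- v1` first and keep `v1beta1` only as a fallback.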
@@ -0,0 +1,49 @@ +# This file includes the values that can be customized for the chart. +# +# For instructions how to override these default values, +# see https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing + +# Image pull secret to use for registry authentication +imagePullSecrets: null + +# Configuration options for the operator +operator: + + # Configuration options for the operator image + image: + + # Image repository for the operator image. + # Leave blank to use the default image repository, + # which is `redislabs/operator` for non-OpenShift deployments, + # and `registry.connect.redhat.com/redislabs/redis-enterprise-operator` for OpenShift deployments. + repository: "" + + # Image tag for the operator image. + # This typically represents the operator version. + tag: 7.8.2-2 + +# Configuration options for the admission webhook +admission: + + # Whether to create a new CA key and certificate for the admission webhook + setCABundle: true + + # Whether to deploy the admission webhook limited to objects in the installation namespace. + limitToNamespace: true + +# Configuration options for OpenShift +openshift: + + # Set to true if deploying to an OpenShift cluster + mode: false + + # Configuration options for the SecurityContextConstraints + scc: + + # Whether to install the SecurityContextConstraints object for Redis Enterprise + install: true + + # Whether to keep (avoid deleting) the SecurityContextConstraints object when uninstaling the chart. + # This can be useful if installing the chart multiple times in the cluster, such that the SCC + # can be shared between multiple chart installations. + shared: false diff --git a/log_collector/log_collector.py b/log_collector/log_collector.py index 31f6651..e7616bd 100644 --- a/log_collector/log_collector.py +++ b/log_collector/log_collector.py 
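Review bot: The `setCABundle` comment does not say what the chart does when it is `false`: the webhook template then emits `caBundle: ""` and creates no `admission-tls` secret, so the installer has to patch the ValidatingWebhookConfiguration afterwards, which is worth stating here, e.g. `# When false, no admission-tls secret is created and the webhook's caBundle is left empty and must be supplied manually.` The `imagePullSecrets: null` entry should also say what shape it accepts (a list of secret names or of `name:` objects), since the template consuming it is not in this hunk. Minor: `uninstaling` → `uninstalling` in the `scc.shared` comment.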
@@ -37,7 +37,7 @@ logger.setLevel(logging.INFO) LOGGER_FORMAT = '%(asctime)s - %(levelname)s - %(message)s' logging.basicConfig(format=LOGGER_FORMAT) -VERSION_LOG_COLLECTOR = "7.4.6-2" +VERSION_LOG_COLLECTOR = "7.8.2-2" TIME_FORMAT = time.strftime("%Y%m%d-%H%M%S") @@ -48,24 +48,36 @@ TIMEOUT = 180 -DEFAULT_K8S_CLI = "kubectl" +KUBECTL_K8S_CLI = "kubectl" OC_K8S_CLI = "oc" -OPERATOR_CUSTOM_RESOURCES = [ +OPERATOR_CUSTOM_RESOURCE_DEFINITION_NAMES = [ + "redisenterpriseclusters.app.redislabs.com", + "redisenterprisedatabases.app.redislabs.com", + "redisenterpriseremoteclusters.app.redislabs.com", + "redisenterpriseactiveactivedatabases.app.redislabs.com" +] + +# Resources that aren't created by the operator, +# and hence don't have the 'app: redis-enterprise' label. +# For these resources, we avoid using a label selector. +NON_LABELED_RESOURCES = [ "RedisEnterpriseCluster", "RedisEnterpriseDatabase", "RedisEnterpriseRemoteCluster", "RedisEnterpriseActiveActiveDatabase", -] - -NON_LABELED_RESOURCES = OPERATOR_CUSTOM_RESOURCES + [ "VolumeAttachment", "NetworkPolicy", ] -RESTRICTED_MODE_API_RESOURCES = NON_LABELED_RESOURCES + [ +RESTRICTED_MODE_API_RESOURCES = [ + "RedisEnterpriseCluster", + "RedisEnterpriseDatabase", + "RedisEnterpriseRemoteCluster", + "RedisEnterpriseActiveActiveDatabase", "StatefulSet", "Deployment", + "ReplicaSet", "Service", "ConfigMap", "Route", @@ -81,11 +93,9 @@ "Pod", "CustomResourceDefinition", "ValidatingWebhookConfiguration", - "NamespacedValidatingType", - "NamespacedValidatingRule", - "PodSecurityPolicy", "Namespace", - "Job" + "Job", + "NetworkPolicy", ] OLM_RESOURCES = [ @@ -99,12 +109,13 @@ "Node", "ResourceQuota", "CertificateSigningRequest", + "PodSecurityPolicy", "ClusterServiceVersion", "Subscription", "InstallPlan", "CatalogSource", - "ReplicaSet", "StorageClass", + "VolumeAttachment", "Gateway", "VirtualService", ] 
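Review bot: The four operator CR kinds are now spelled out twice, in `NON_LABELED_RESOURCES` and again in `RESTRICTED_MODE_API_RESOURCES`, where the removed `OPERATOR_CUSTOM_RESOURCES` constant used to hold them once; a kind added to one list later will silently be missed by the other. Keep a single source, e.g. `OPERATOR_CUSTOM_RESOURCE_KINDS = [...]` and `NON_LABELED_RESOURCES = OPERATOR_CUSTOM_RESOURCE_KINDS + ["VolumeAttachment", "NetworkPolicy"]`. The new comment above `NON_LABELED_RESOURCES` says these resources "aren't created by the operator", which does not explain why `VolumeAttachment` and `NetworkPolicy` are in the list next to the user-created CRs; a short reason per group would make the intent clear.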
@@ -157,49 +168,16 @@ def make_dir(directory): sys.exit() -def _filter_non_existing_namespaces(namespaces, k8s_cli): - """ - Filter non-existing namespaces from user's input - """ - return_code, out = run_shell_command( - "{} get ns -o=custom-columns=\"DATA:metadata.name\" --no-headers=true".format(k8s_cli)) - if return_code: - return [] - res = [] - existing_namespaces = set(out.split()) - for namespace in namespaces: - if namespace in existing_namespaces: - res.append(namespace) - else: - logger.warning("Namespace %s doesn't exist - Skipping", namespace) - return res - - def _get_namespaces_to_run_on(namespace, k8s_cli): - def _get_namespace_from_config(): + if not namespace: config_namespace = get_namespace_from_config(k8s_cli) if not config_namespace: return ["default"] return [config_namespace] - if not namespace: - return _get_namespace_from_config() - - if namespace == 'all': - return_code, out = run_shell_command( - "{} get ns -o=custom-columns=\"DATA:metadata.name\" --no-headers=true".format(k8s_cli)) - if return_code: - logger.warning("Failed to parse namespace list - will use namespace from config: %s", out) - return _get_namespace_from_config() - return out.split() - # comma separated string namespaces = namespace.split(',') - existing_namespaces = _filter_non_existing_namespaces(namespaces, k8s_cli) - if not existing_namespaces: - logger.warning("Input doesn't contain an existing namespace - will use namespace from config") - return _get_namespace_from_config() - return existing_namespaces + return namespaces # pylint: disable=R0913 
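Review bot: `namespace.split(',')` on the new side neither trims nor drops empty entries, so `-n "a, b"` yields `" b"` and a trailing comma yields `""`, and the removed existence filter (and the `all` value) is gone without any log line saying so, so a bad name now fails once per resource instead of once up front. Suggest `namespaces = [ns.strip() for ns in namespace.split(',') if ns.strip()]` and falling back to the kubeconfig namespace when that list ends up empty, as the removed code did. The function also has no docstring; something like `"""Resolve the --namespace argument to the namespaces to collect from; empty input means the kubeconfig's current namespace, or 'default' when none is set."""` would document the contract.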
@@ -288,36 +266,45 @@ def get_helm_output(namespace, cmd, helm_output_dir, file_name): file_handle.write(output) +def is_openshift(k8s_cli): + """ + Detect whether the target cluster is OpenShift. + The detection is based on a simple heuristic - + whether there are any API groups with "openshift" in them. + """ + api_versions_command = "{} api-versions".format(k8s_cli) + return_code, output = run_shell_command(api_versions_command) + if return_code: + logger.info("Failed to run cmd %s", api_versions_command) + return False + + return output is not None and "openshift" in output + + def detect_k8s_cli(k8s_cli_input=""): - "Check whether the kubernetes is openshift and use oc as needed" + """Choose k8s CLI (kubectl/oc) based on availability and target cluster""" + if k8s_cli_input and k8s_cli_input != "auto-detect": - logger.info("Using cli-client %s", k8s_cli_input) + logger.info("Using k8s CLI: %s", k8s_cli_input) return k8s_cli_input # auto detect mode - get_nodes_cmd = "{} get nodes -o json".format(DEFAULT_K8S_CLI) - return_code, output = run_shell_command(get_nodes_cmd) - if return_code: - logger.info("Failed to run cmd %s", get_nodes_cmd) - return DEFAULT_K8S_CLI + has_kubectl = run_shell_command_is_success("{} help".format(KUBECTL_K8S_CLI)) + has_oc = run_shell_command_is_success("{} help".format(OC_K8S_CLI)) + + # if both kubectl and oc are available, choose based on the cluster type + if has_kubectl and has_oc: + k8s_cli = OC_K8S_CLI if is_openshift(KUBECTL_K8S_CLI) else KUBECTL_K8S_CLI + elif has_kubectl: + k8s_cli = KUBECTL_K8S_CLI + elif has_oc: + k8s_cli = OC_K8S_CLI + else: + logger.error("No k8s CLI found - please install kubectl (or oc for OpenShift) and rerun") + sys.exit(1) - if output: - try: - parsed = json.loads("".join(output)) - if "items" in parsed and len(parsed["items"]) and \ - ("machine.openshift.io/machine" in parsed["items"][0]["metadata"]["annotations"] or - "node.openshift.io/os_id" in parsed["items"][0]["metadata"]["labels"]): - # 
this is an openshift - logger.info( - "Auto detected OpenShift, will use oc as cli tool " - "(this can be overriden using the --k8s_cli argument)") - return OC_K8S_CLI - except json.JSONDecodeError: - logger.exception( - "Failed to detect the relevant client for Kubernetes " - "(failed to parse kubectl command) will keep the default") - return DEFAULT_K8S_CLI - return DEFAULT_K8S_CLI + logger.info("Using k8s CLI: %s", k8s_cli) + return k8s_cli def detect_k8s_cli_version(k8s_cli): # noqa: C901 @@ -525,8 +512,6 @@ def run(results): if mode == MODE_ALL: api_resources = api_resources + ALL_ONLY_API_RESOURCES - collect_cluster_info(output_dir, k8s_cli) - processes = [] for namespace in namespaces: proc = Process(target=collect_from_ns, @@ -580,29 +565,6 @@ def get_selector(mode): return selector -def get_non_ready_rs_pod_names(namespace, k8s_cli, mode=MODE_RESTRICTED): - """ - get names of rs pods that are not ready - """ - pod_names = [] - selector = get_selector(mode) - rs_pods = get_pods(namespace, k8s_cli, selector=selector) - if not rs_pods: - logger.info("Namespace '%s': cannot find redis enterprise pods", namespace) - return [] - - for rs_pod in rs_pods: - pod_name = rs_pod['metadata']['name'] - if "status" in rs_pod and "containerStatuses" in rs_pod["status"]: - for container_status_entry in rs_pod["status"]["containerStatuses"]: - container_name = container_status_entry['name'] - is_ready = container_status_entry["ready"] - if container_name == RLEC_CONTAINER_NAME and not is_ready: - pod_names.append(pod_name) - - return pod_names - - def collect_pod_rs_logs(namespace, output_dir, k8s_cli, mode): """ get logs from rs pods that are not ready 
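Review bot: `is_openshift` returns False on any failure of `kubectl api-versions` but logs it only at INFO, so on a cluster where the caller lacks discovery access or the context is wrong, auto-detect silently picks `kubectl` against an OpenShift cluster; use `logger.warning("Failed to run cmd %s - assuming a non-OpenShift cluster", api_versions_command)` so the fallback is visible. The substring check `"openshift" in output` is a documented heuristic but matches any API group containing that word; anchoring on a known group such as `route.openshift.io` or `security.openshift.io` would be tighter. `detect_k8s_cli` now calls `sys.exit(1)` from inside a helper, and its docstring should state that `auto-detect` is treated like an empty input and that the process exits when neither CLI is found.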
@@ -615,7 +577,6 @@ def collect_pod_rs_logs(namespace, output_dir, k8s_cli, mode): "skipping rs pods logs collection", namespace) return make_dir(rs_pod_logs_dir) - # TODO restore usage of get_non_ready_rs_pod_names once RS bug is resolved (RED-51857) # pylint: disable=W0511 for rs_pod_name in rs_pod_names: pod_log_dir = os.path.join(rs_pod_logs_dir, rs_pod_name) make_dir(pod_log_dir) @@ -632,7 +593,7 @@ def collect_pod_rs_logs(namespace, output_dir, k8s_cli, mode): else: logger.info("Namespace '%s': " - "Collected rs logs from pod marked as not ready, pod name: %s", namespace, rs_pod_name) + "Collected rs logs from pod: %s", namespace, rs_pod_name) pod_config_dir = os.path.join(pod_log_dir, "config") make_dir(pod_config_dir) @@ -648,7 +609,7 @@ def collect_pod_rs_logs(namespace, output_dir, k8s_cli, mode): "to output directory, output:%s", out) else: - logger.info("Collected rs config from pod marked as not ready, pod name: %s", rs_pod_name) + logger.info("Collected rs config from pod: %s", rs_pod_name) def create_debug_info_package_on_pod(namespace, pod_name, attempt, k8s_cli): @@ -658,12 +619,13 @@ def create_debug_info_package_on_pod(namespace, pod_name, attempt, k8s_cli): and None otherwise. """ prog = "/opt/redislabs/bin/rladmin" - cmd = "{} -n {} exec {} -c {} {} cluster debug_info path /tmp" \ + cmd = "{} -n {} exec {} -c {} -- {} cluster debug_info path /tmp" \ .format(k8s_cli, namespace, pod_name, RLEC_CONTAINER_NAME, prog) return_code, out = run_shell_command(cmd) if return_code != 0 or "Downloading complete" not in out: - logger.warning("Failed running rladmin command in pod: %s (attempt %d)", - out.rstrip(), attempt) + logger.warning("Failed to collect debug_info from pod: %s. (Attempt %d) " + "If the issue persists, consider using the --skip_support_package flag " + "to skip collecting the debug info package.", pod_name, attempt) return None # get the debug file name 
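Review bot: The new warning in `create_debug_info_package_on_pod` drops the rladmin output (`out`) that the old message included, so when `debug_info` fails the collector log records only the pod name and attempt number, which makes the failure much harder to diagnose afterwards; keep it alongside the warning, e.g. `logger.debug("rladmin output for pod %s: %s", pod_name, out.rstrip() if out else out)`. Since `run_shell_command_with_retries` checks `out is not None`, `out` can apparently be None here, so the old `out.rstrip()` could itself have raised; the replacement avoids that, which deserves a one-line comment. The function continues outside the hunk.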
@@ -822,14 +784,6 @@ def collect_resources_list(namespace, output_dir, k8s_cli, mode): namespace=namespace) -def collect_cluster_info(output_dir, k8s_cli): - """ - Prints the output of kubectl cluster-info to a file - """ - collect_helper(output_dir, cmd="{} cluster-info".format(k8s_cli), - file_name="cluster_info", resource_name="cluster-info") - - def collect_events(namespace, output_dir, k8s_cli, mode=MODE_RESTRICTED): """ Prints the output of kubectl get events -o wide and @@ -931,7 +885,11 @@ def collect_api_resources(namespace, output_dir, k8s_cli, api_resources, selecto message = f"{message}, skip collecting empty log file" for resource in api_resources: if resource == "Namespace": - output = run_get_resource_yaml(namespace, resource, k8s_cli, resource_name=namespace) + output = run_get_resource_yaml(namespace, resource, k8s_cli, + resource_names=[namespace]) + elif resource == "CustomResourceDefinition": + output = run_get_resource_yaml(namespace, resource, k8s_cli, + resource_names=OPERATOR_CUSTOM_RESOURCE_DEFINITION_NAMES) elif resource in NON_LABELED_RESOURCES: output = run_get_resource_yaml(namespace, resource, k8s_cli) else: @@ -977,7 +935,11 @@ def collect_api_resources_description(namespace, output_dir, k8s_cli, api_resour message = f"{message}, skip collecting empty log file" for resource in api_resources: if resource == "Namespace": - output = describe_resource(namespace, resource, k8s_cli, resource_name=namespace) + output = describe_resource(namespace, resource, k8s_cli, + resource_names=[namespace]) + elif resource == "CustomResourceDefinition": + output = describe_resource(namespace, resource, k8s_cli, + resource_names=OPERATOR_CUSTOM_RESOURCE_DEFINITION_NAMES) elif resource in NON_LABELED_RESOURCES: output = describe_resource(namespace, resource, k8s_cli) else: 
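Review bot: Fetching all four CRDs in a single `kubectl get ... crd <a> <b> <c> <d>` call means a cluster where one of them is not installed (an older operator without the REAADB or RERC CRDs, or a partially removed install) gets a non-zero exit even though the others were printed; if `run_get_resource_yaml` treats that as a failed command (its error handling is outside this hunk) the whole CRD collection is lost, so consider a per-name loop or tolerating a NotFound in that path. The `Namespace` / `CustomResourceDefinition` / `NON_LABELED_RESOURCES` dispatch is now duplicated between `collect_api_resources` and `collect_api_resources_description` (second hunk); a small helper `_resource_names_for(resource, namespace)` returning `[namespace]`, `OPERATOR_CUSTOM_RESOURCE_DEFINITION_NAMES` or `None` would keep them in step. Both enclosing functions continue outside their hunks.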
@@ -1275,11 +1237,12 @@ def native_string(input_var): return input_var.decode('utf-8', 'replace') -def run_get_resource_yaml(namespace, resource_type, k8s_cli, selector="", resource_name=""): +def run_get_resource_yaml(namespace, resource_type, k8s_cli, selector="", resource_names=None): """ Runs kubectl get command with yaml format """ - cmd = "{} get -n {} {} {} {} -o yaml".format(k8s_cli, namespace, resource_type, resource_name, selector) + resource_name_args = " ".join(resource_names) if resource_names else "" + cmd = "{} get -n {} {} {} {} -o yaml".format(k8s_cli, namespace, resource_type, resource_name_args, selector) error_template = "Namespace '{}': Failed to get {} resource: {{}}.".format(namespace, resource_type) missing_resource_template = f"Namespace '{namespace}': Skip collecting information for {resource_type}. " \ f"Server has no resource of type {resource_type}" @@ -1296,7 +1259,15 @@ def handle_unsuccessful_cmd(out, error_template, missing_resource_template): logger.warning(error_template.format(out.rstrip())) -def run_shell_command_with_retries(cmd, retries, error_template, missing_resource_template=""): +def run_shell_command_is_success(args): + """ + Run a shell command, and returns whether the execution was successful (exit code 0). + """ + return_code, _ = run_shell_command(args) + return return_code == 0 + + +def run_shell_command_with_retries(args, retries, error_template, missing_resource_template=""): """ Run a shell command, retrying up to attempts. When the command fails with a non-zero exit code, the output is printed @@ -1305,7 +1276,7 @@ def run_shell_command_with_retries(cmd, retries, error_template, missing_resourc """ prev_out = None for _ in range(retries): - return_code, out = run_shell_command(cmd) + return_code, out = run_shell_command(args) if return_code == 0: return out if out is not None and out != prev_out: 
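Review bot: `run_shell_command_with_retries` renames its first parameter from `cmd` to `args`, which breaks any caller passing it by keyword, and the new name suggests an argv list although call sites still pass one shell string (`"{} help".format(KUBECTL_K8S_CLI)` in `detect_k8s_cli`); the new `run_shell_command_is_success` uses the same misleading name. Either keep `cmd`, or actually accept a list and hand it to the underlying process call without a shell, which would also remove the string-building in `run_get_resource_yaml` and `describe_resource` (next hunk) where `namespace`, `resource_names` and `selector` are joined into one command line. If the string form stays, the `run_get_resource_yaml` docstring should say that `resource_names` is a list of object names joined with spaces and that `None` means every object matching `selector`; `describe_resource` has the identical line and the same docstring gap. Both functions continue outside their hunks.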
@@ -1396,11 +1367,12 @@ def alarm_handler(_, __): return piped_process.returncode, native_string(output) -def describe_resource(namespace, resource_type, k8s_cli, selector="", resource_name=""): +def describe_resource(namespace, resource_type, k8s_cli, selector="", resource_names=None): """ Runs kubectl describe command """ - cmd = "{} describe -n {} {} {} {}".format(k8s_cli, namespace, resource_type, resource_name, selector) + resource_name_args = " ".join(resource_names) if resource_names else "" + cmd = "{} describe -n {} {} {} {}".format(k8s_cli, namespace, resource_type, resource_name_args, selector) error_template = "Namespace '{}': Failed to describe {} resource: {{}}.".format(namespace, resource_type) missing_resource_template = f"Namespace '{namespace}': Skip collecting description for {resource_type}. " \ f"Server has no resource of type {resource_type}" 
@@ -1420,40 +1392,44 @@ def check_not_negative(value): if __name__ == "__main__": # pylint: disable=locally-disabled, invalid-name - parser = argparse.ArgumentParser(description='Redis Enterprise' - ' K8s log collector') + parser = argparse.ArgumentParser(description='Redis Enterprise Log Collector for Kubernetes\n\n' + 'For additional details and usage instructions, see ' + 'https://redis.io/docs/latest/operate/kubernetes/logs/collect-logs/', + formatter_class=argparse.RawTextHelpFormatter) parser.add_argument('-n', '--namespace', action="store", type=str, - help="pass namespace name or comma separated list or 'all' " - "when left empty will use namespace from kube config") - parser.add_argument('-o', '--output_dir', action="store", type=str) + help="Sets the namespace(s) to collect from.\n" + "Can be set to a single namespace, or multiple namespaces (comma-separated).\n" + "When left empty, will use the current context's namespace from kubeconfig.") + parser.add_argument('-o', '--output_dir', action="store", type=str, + help="Sets the output directory.\n" + "Defaults to current working directory.") parser.add_argument('-a', '--logs_from_all_pods', action="store_true", - help="collect logs from all pods, not only the operator and pods run by the operator") + help="Collect logs from all pods in the selected namespace(s),\n" + "and otherwise collect only from the operator and pods run by the operator.") parser.add_argument('-t', '--timeout', action="store", type=check_not_negative, default=TIMEOUT, - help="time to wait for external commands to " - "finish execution " - "(default: 180s, specify 0 to not timeout) " - "(Linux only)") + help="Time to wait for external commands to finish execution (Linux only).\n" + "Default to 180s. Specify 0 to disable timeout.") parser.add_argument('--k8s_cli', action="store", type=str, - help="Which K8s cli client to use (kubectl/oc/auto-detect). " - "Defaults to auto-detect (chooses between \"kubectl\" and \"oc\"). 
" + help="The K8s cli client to use (kubectl/oc/auto-detect).\n" + "Defaults to auto-detect (chooses between 'kubectl' and 'oc').\n" "Full paths can also be used.") parser.add_argument('-m', '--mode', action="store", type=str, choices=[MODE_RESTRICTED, MODE_ALL], - help="Which mode to run the log collector. The options are:" - "1. restricted (default for clusters of version 6.2.18 and newer) - " - "collect only resources that are related to the operator," - " and has the label \"app=redis-enterprise\". " - "2. all - collect all resources") + help="Controls which resources are collected:\n" + "In 'restricted' mode, only resources associated with the operator " + "and have the label 'app=redis-enterprise' are collected.\n" + "In 'all' mode, all resources are collected.\n" + "Defaults to 'restricted' mode.") parser.add_argument('--collect_istio', action="store_true", - help="collect data from istio-system namespace to debug potential " - "problems related to istio ingress method") + help="Collect data from istio-system namespace to debug potential\n" + "problems related to istio ingress method.") parser.add_argument('--skip_support_package', action="store_true", - help="not collect RS support package") + help="Disable collection of RS support package from Redis Enterprise nodes.") parser.add_argument('--collect_empty_files', action="store_true", - help='collect empty log files for missing resources') + help='Collect empty log files for missing resources.') parser.add_argument('--helm_release_name', action="store", type=str, - help='collect resources related to helm release name') + help='Collect resources related to the given Helm release name.') parser.set_defaults(collect_istio=False) run(parser.parse_args()) diff --git a/log_collector/log_collector_role_all_mode.yaml b/log_collector/log_collector_role_all_mode.yaml new file mode 100644 index 0000000..c326d93 --- /dev/null +++ b/log_collector/log_collector_role_all_mode.yaml 
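Review bot: The new `--mode` help text says "Defaults to 'restricted' mode" and the `--output_dir` help says "Defaults to current working directory", but neither argument declares a `default=`, so both defaults are presumably resolved later in `run()` (the old `--mode` text tied the default to the cluster version). If the choice is still version-dependent the help should say so; otherwise `default=MODE_RESTRICTED` on `--mode` would make the help text and the parser agree, and the same applies to `--output_dir`. The `-n` help no longer mentions the removed `all` value, which is consistent with the `_get_namespaces_to_run_on` change.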
@@ -0,0 +1,185 @@ +# The minimal Role and ClusterRole required for running the log collector in 'all' mode. +# The roles should be bound to the user executing the log collector, in each of the namespaces to be collected. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: redis-enterprise-log-collector +rules: +- apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - get + - list +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create +- apiGroups: + - "" + resources: + - events + - services + - endpoints + - configmaps + - secrets + - resourcequotas + - limitranges + - persistentvolumeclaims + - replicationcontrollers + verbs: + - get + - list +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - get + - list +- apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - get + - list +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - get + - list +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - list +- apiGroups: + - app.redislabs.com + resources: + - "*" + verbs: + - get + - list +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - networkpolicies + verbs: + - get + - list +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list +- apiGroups: + - operators.coreos.com + resources: + - clusterserviceversions + - subscriptions + - installplans + - catalogsources + verbs: + - get + - list +- apiGroups: + - networking.istio.io + resources: + - gateways + - virtualservices + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: redis-enterprise-log-collector +rules: +- apiGroups: + - "" + resources: + - nodes + - persistentvolumes + verbs: + - get + - list +- apiGroups: + - "" + 
resources: + - namespaces + verbs: + - get +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + verbs: + - get + - list +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + resourceNames: + - redisenterpriseclusters.app.redislabs.com + - redisenterprisedatabases.app.redislabs.com + - redisenterpriseremoteclusters.app.redislabs.com + - redisenterpriseactiveactivedatabases.app.redislabs.com + verbs: + - get + - list +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - list +- apiGroups: + - storage.k8s.io + resources: + - volumeattachments + - storageclasses + verbs: + - get + - list +- apiGroups: + - policy + resources: + - podsecuritypolicy + verbs: + - get + - list +- apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - get + - list diff --git a/log_collector/log_collector_role_restricted_mode.yaml b/log_collector/log_collector_role_restricted_mode.yaml new file mode 100644 index 0000000..5bc5472 --- /dev/null +++ b/log_collector/log_collector_role_restricted_mode.yaml 
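Review bot: In the ClusterRole, `podsecuritypolicy` is not a valid RBAC resource name — RBAC resources are plural lowercase (`podsecuritypolicies`, as `role.yaml` already uses), so this rule grants nothing and the `PodSecurityPolicy` kind listed in `OLM_RESOURCES` would presumably be denied; change it to `- podsecuritypolicies`. The header calls these roles "minimal", yet the namespaced Role grants `get`/`list` on `secrets` and `create` on `pods/exec` — reading every secret in the namespace and running commands in any pod are the two most sensitive grants in the file — so state in the header which collector steps need them (`pods/exec` serves the `rladmin cluster debug_info` package, which `--skip_support_package` disables), so that an administrator can bind a narrower role when those steps are not wanted. The restricted-mode Role in the next file carries the same two grants and the same documentation gap.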
@@ -0,0 +1,144 @@ +# The minimal Role and ClusterRole required for running the log collector in 'restricted' mode. +# The roles should be bound to the user executing the log collector, in each of the namespaces to be collected. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: redis-enterprise-log-collector +rules: +- apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - get + - list +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create +- apiGroups: + - "" + resources: + - events + - services + - endpoints + - configmaps + - secrets + - resourcequotas + - limitranges + - persistentvolumeclaims + - replicationcontrollers + verbs: + - get + - list +- apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - get + - list +- apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - get + - list +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - get + - list +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - get + - list +- apiGroups: + - app.redislabs.com + resources: + - "*" + verbs: + - get + - list +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - networkpolicies + verbs: + - get + - list +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: redis-enterprise-log-collector +rules: +- apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - get + - list +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + verbs: + - get + - list +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + resourceNames: + - 
redisenterpriseclusters.app.redislabs.com + - redisenterprisedatabases.app.redislabs.com + - redisenterpriseremoteclusters.app.redislabs.com + - redisenterpriseactiveactivedatabases.app.redislabs.com + verbs: + - list + - get +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - list + - get diff --git a/multi-namespace-redb/README.md b/multi-namespace-redb/README.md index 0e29ef4..d44dc77 100644 --- a/multi-namespace-redb/README.md +++ b/multi-namespace-redb/README.md @@ -1,3 +1,3 @@ # Multi-Namespaced REDB -This content has moved to [docs.redis.com](https://docs.redis.com/latest/); see [Manage databases in multiple namespaces](https://docs.redis.com/latest/kubernetes/re-clusters/multi-namespace/). \ No newline at end of file +This content has moved to [redis.io/docs](https://redis.io/docs/latest/); see [Manage databases in multiple namespaces](https://redis.io/docs/latest/operate/kubernetes/re-clusters/multi-namespace/). \ No newline at end of file diff --git a/multi-namespace-redb/operator.yaml b/multi-namespace-redb/operator.yaml index 32076d8..f9ec62f 100644 --- a/multi-namespace-redb/operator.yaml +++ b/multi-namespace-redb/operator.yaml @@ -1,4 +1,3 @@ ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -41,7 +40,7 @@ spec: - configMapRef: name: "operator-environment-config" optional: true - image: redislabs/operator:7.4.6-2 + image: redislabs/operator:7.8.2-2 imagePullPolicy: Always livenessProbe: failureThreshold: 3 @@ -89,7 +88,7 @@ spec: - configMapRef: name: "operator-environment-config" optional: true - image: redislabs/operator:7.4.6-2 + image: redislabs/operator:7.8.2-2 imagePullPolicy: Always livenessProbe: failureThreshold: 3 diff --git a/openshift.bundle.yaml b/openshift.bundle.yaml index 2a1e11b..628bead 100644 --- a/openshift.bundle.yaml +++ b/openshift.bundle.yaml 
@@ -1,11 +1,10 @@ --- ---- apiVersion: security.openshift.io/v1 kind: SecurityContextConstraints metadata: name: redis-enterprise-scc-v2 annotations: - kubernetes.io/description: redis-enterprise-scc is the minimal SCC needed to run Redis Enterprise nodes on Kubernetes. It provides the same features as restricted-v2 SCC, but allows pods to enable the SYS_RESOURCE capability, which is required by Redis Enterprise nodes to manage file descriptor limits and OOM scores for database shards. Additionally, it requires pods to run as UID/GID 1001, which are the UID/GID used within the Redis Enterprise node containers. + kubernetes.io/description: redis-enterprise-scc-v2 is the minimal SCC needed to run Redis Enterprise nodes on Kubernetes. It provides the same features as restricted-v2 SCC, but allows pods to enable the SYS_RESOURCE capability, which is required by Redis Enterprise nodes to manage file descriptor limits and OOM scores for database shards. Additionally, it requires pods to run as UID/GID 1001, which are the UID/GID used within the Redis Enterprise node containers. allowedCapabilities: - SYS_RESOURCE allowHostDirVolumePlugin: false @@ -31,7 +30,6 @@ seccompProfiles: supplementalGroups: type: RunAsAny --- ---- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -226,7 +224,6 @@ rules: verbs: - use --- ---- apiVersion: v1 kind: ServiceAccount metadata: @@ -234,7 +231,6 @@ metadata: app: redis-enterprise name: redis-enterprise-operator --- ---- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -249,7 +245,6 @@ subjects: - kind: ServiceAccount name: redis-enterprise-operator --- ---- apiVersion: v1 kind: Service metadata: 
@@ -413,6 +408,26 @@ spec: field in the RedisEnterpriseCluster resource. type: boolean type: object + certificatesStatus: + description: Stores information about cluster certificates and their + update process. In Active-Active databases, this is used to detect + updates to the certificates, and trigger synchronization across the + participating clusters. + properties: + generation: + description: Generation stores the version of the cluster's Proxy + and Syncer certificate secrets. In Active-Active databases, when + a user updates the proxy or syncer certificate, a crdb-update + command needs to be triggered to avoid potential sync issues. + This helps the REAADB controller detect a change in a certificate + and trigger a crdb-update. The version of the cluster's Proxy + certificate secret. + format: int64 + type: integer + updateStatus: + description: The status of the cluster's certificates update + type: string + type: object ingressOrRouteMethodStatus: description: The ingressOrRouteSpec/ActiveActive spec method that exist type: string @@ -861,6 +876,10 @@ spec: cacheTTLSeconds: description: The maximum TTL of cached entries. type: integer + directoryTimeoutSeconds: + description: The connection timeout to the LDAP server when authenticating + a user, in seconds + type: integer enabledForControlPlane: description: Whether to enable LDAP for control plane access. Disabled by default. @@ -1131,7 +1150,7 @@ spec: on Kubernetes v1.25+. Future versions of the RedisEnterpriseCluster API will remove support for this field altogether. For migration instructions, see https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/ - \n Name of pod security policy to use on pods" + \n Name of pod security policy to use on pods" type: string podStartingPolicy: description: Mitigation setting for STS pods stuck in "ContainerCreating" @@ -6944,7 +6963,7 @@ spec: type: string required: - port - type: object + type: object httpGet: properties: host: 
@@ -7988,6 +8007,14 @@ spec: - version type: object type: array + certificatesStatus: + properties: + generation: + format: int64 + type: integer + updateStatus: + type: string + type: object ingressOrRouteMethodStatus: type: string managedAPIs: @@ -8285,6 +8312,8 @@ spec: type: string cacheTTLSeconds: type: integer + directoryTimeoutSeconds: + type: integer enabledForControlPlane: type: boolean enabledForDataPlane: @@ -14179,7 +14208,7 @@ spec: type: string required: - port - type: object + type: object httpGet: properties: host: @@ -15507,12 +15536,16 @@ spec: and it must not be below 1GB. type: string modulesList: - description: List of modules associated with database. - Note - For Active-Active databases this feature is currently in preview. For - this feature to take effect for Active-Active databases, set a boolean environment variable - with the name "ENABLE_ALPHA_FEATURES" to True. This variable can - be set via the redis-enterprise-operator pod spec, or through the - operator-environment-config Config Map. + description: List of modules associated with database. Note - For Active-Active + databases this feature is currently in preview. For this feature to + take effect for Active-Active databases, set a boolean environment + variable with the name "ENABLE_ALPHA_FEATURES" to True. This variable + can be set via the redis-enterprise-operator pod spec, or through + the operator-environment-config Config Map. Note - if you do not want + to upgrade to the latest version you must set upgradeSpec -> upgradeModulesToLatest + to false. if you specify a version and do not set the upgradeModulesToLatest + it can result errors in the operator. in addition, the option to specify + specific version is Deprecated and will be deleted in next releases. items: description: 'Redis Enterprise Module: https://redislabs.com/redis-enterprise/modules/' properties: 
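Review bot: The reworded `modulesList` description has a grammar slip that is now user-facing API documentation: "it can result errors in the operator" should read "it can result in errors in the operator", and "in addition, the option to specify specific version is Deprecated" should read "In addition, the option to specify a specific version is deprecated". The same paragraph is duplicated in redis_enterprise_database_api.md later in the patch and should be corrected there too.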
@@ -15524,7 +15557,8 @@ spec: description: The module's name e.g "ft" for redissearch type: string version: - description: Module's semantic version e.g "1.6.12" - optional only in REDB, must be set in REAADB + description: DEPRECATED - Module's semantic version e.g "1.6.12" + - optional only in REDB, must be set in REAADB type: string required: - name @@ -15688,9 +15722,12 @@ spec: description: Specifications for DB upgrade. properties: upgradeModulesToLatest: - description: Upgrades the modules to the latest version that supportes the DB version during a DB upgrade action, to upgrade the DB version view the 'redisVersion' field. - Notes - All modules must be without specifing the version. - in addition, This field is currently not supported for Active-Active databases. + description: DEPRECATED Upgrades the modules to the latest version + that supports the DB version during a DB upgrade action, to upgrade + the DB version view the 'redisVersion' field. Notes - All modules + must be without specifying the version. in addition, This field + is currently not supported for Active-Active databases. The default + is true type: boolean required: - upgradeModulesToLatest @@ -15719,8 +15756,8 @@ spec: - participatingClusterName type: object memcachedSaslSecretName: - description: 'Credentials used for binary authentication in memcached databases. - The credentials should be saved as an opaque secret and the name of that secret should be configured using this field. + description: 'Credentials used for binary authentication in memcached databases. + The credentials should be saved as an opaque secret and the name of that secret should be configured using this field. For username, use ''username'' as the key and the actual username as the value. For password, use ''password'' as the key and the actual password as the value. Note that connections are not encrypted.' 
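Review bot: `upgradeModulesToLatest` is now described as DEPRECATED with "The default is true", yet the schema lines right below still list it under `required:`, so the field cannot be omitted and the stated default can never apply. Either remove it from `required:` so the default is reachable, or drop "The default is true" from the description; as written the two contradict each other. redis_enterprise_database_api.md in this same patch shows the same inconsistency (Required = true, Default column empty, description says default true).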
@@ -15936,6 +15973,10 @@ spec: observedGeneration: description: The most recent generation observed for this RERC. It corresponds to the RERC's generation, which is updated by the API Server. type: integer + internalObservedSecretResourceVersion: + description: The observed secret resource version. + Used for internal purposes only. + type: string type: object spec: properties: @@ -15947,6 +15988,9 @@ spec: description: The database URL suffix, will be used for the active-active database replication endpoint and replication endpoint SNI. type: string + apiPort: + description: The port number of the cluster's URL used for connectivity/sync + type: integer recNamespace: description: The namespace of the REC that the RERC is pointing at type: string @@ -16064,6 +16108,13 @@ spec: - up - down type: string + clusterCertificatesGeneration: + description: Versions of the cluster's Proxy and Syncer certificates. + In Active-Active databases, these are used to detect updates to the + certificates, and trigger synchronization across the participating + clusters. . + format: int64 + type: integer secretsStatus: description: The status of the secrets items: @@ -16137,7 +16188,8 @@ spec: - participatingClusterName type: object alertSettings: - description: Settings for database alerts + description: Settings for database alerts. + Note - Alert settings are not supported for Active-Active database. properties: bdb_backup_delayed: description: Periodic backup has been delayed for longer than @@ -16596,7 +16648,9 @@ spec: for some databases, you must set redisUpgradePolicy on the cluster before. Possible values are 'major' or 'latest' When using upgrade - make sure to backup the database before. This value is used - only for database type 'redis' + only for database type 'redis'. + Note - Specifying Redis version is currently not + supported for Active-Active database. type: string upgradeSpec: description: Specifications for DB upgrade. 
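Review bot: `apiPort` is added to the RERC spec as an unconstrained `type: integer`, so values outside the TCP port range are accepted by the API server and only fail later when the operator tries to reach the remote cluster. Adding `minimum: 1` and `maximum: 65535` under the field would reject them at admission time; the description should also state which port is used when the field is omitted, since the sibling `apiFqdnUrl` description does not say. The RERC API markdown later in the patch documents the field without a default either.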
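Review bot: The `clusterCertificatesGeneration` description ends with a stray ". ." ("participating clusters. ."), which is then copied verbatim into redis_enterprise_active_active_database_api.md in this patch; change it to "participating clusters." in both places. It would also help readers to say that this value mirrors the REC's `status.certificatesStatus.generation` added earlier in the patch, since the two descriptions are otherwise near-identical and the relationship is only implied.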
@@ -16731,7 +16785,6 @@ spec: type: object type: object --- ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -16770,13 +16823,13 @@ spec: fieldPath: metadata.name - name: OPERATOR_NAME value: redis-enterprise-operator - - name: DEPLOY_RHEL + - name: IS_OPENSHIFT value: "true" envFrom: - configMapRef: name: "operator-environment-config" optional: true - image: registry.connect.redhat.com/redislabs/redis-enterprise-operator:7.4.6-2 + image: registry.connect.redhat.com/redislabs/redis-enterprise-operator:7.8.2-2 imagePullPolicy: Always livenessProbe: failureThreshold: 3 @@ -16824,7 +16877,7 @@ spec: - configMapRef: name: "operator-environment-config" optional: true - image: registry.connect.redhat.com/redislabs/redis-enterprise-operator:7.4.6-2 + image: registry.connect.redhat.com/redislabs/redis-enterprise-operator:7.8.2-2 imagePullPolicy: Always livenessProbe: failureThreshold: 3 diff --git a/openshift/OLM/README.md b/openshift/OLM/README.md index 72dd145..431496f 100644 --- a/openshift/OLM/README.md +++ b/openshift/OLM/README.md @@ -1,3 +1,3 @@ # Installing Redis Enterprise Operator on Openshift's OLM -This content has moved to [docs.redis.com](https://docs.redis.com/latest/); see [Deploy Redis Enterprise with OpenShift OperatorHub](https://docs.redis.com/latest/kubernetes/deployment/openshift/openshift-operatorhub/). \ No newline at end of file +This content has moved to [redis.io/docs](https://redis.io/docs/latest/); see [Deploy Redis Enterprise with OpenShift OperatorHub](https://redis.io/docs/latest/operate/kubernetes/deployment/openshift/openshift-operatorhub/). \ No newline at end of file diff --git a/openshift/admission-service.yaml b/openshift/admission-service.yaml index 46d923e..91007fe 100644 --- a/openshift/admission-service.yaml +++ b/openshift/admission-service.yaml @@ -1,4 +1,3 @@ ---- apiVersion: v1 kind: Service metadata: diff --git a/openshift/operator_rhel.yaml b/openshift/operator_rhel.yaml index 6908996..11db6ce 100644 
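Review bot: Renaming the `DEPLOY_RHEL` environment variable to `IS_OPENSHIFT` changes the operator's configuration contract and nothing in the diff documents it; a user who carries the old name in the optional `operator-environment-config` ConfigMap referenced just below would presumably keep setting a variable the operator no longer reads, with no error. A comment above the entry, `# Renamed from DEPLOY_RHEL in 7.8.2-2; check the release notes for whether the old name is still honoured`, or a changelog entry would make the break visible — the diff itself does not show whether the old name is still accepted. The same rename appears in openshift/operator_rhel.yaml in the next hunk. Separately, the operator image is referenced by a mutable tag together with `imagePullPolicy: Always`, so what actually runs can change without any manifest change; pinning by digest (`registry.connect.redhat.com/redislabs/redis-enterprise-operator:7.8.2-2@sha256:<digest>`, digest to be filled from the registry) would make the deployment reproducible and auditable.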
--- a/openshift/operator_rhel.yaml +++ b/openshift/operator_rhel.yaml @@ -1,4 +1,3 @@ ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -37,13 +36,13 @@ spec: fieldPath: metadata.name - name: OPERATOR_NAME value: redis-enterprise-operator - - name: DEPLOY_RHEL + - name: IS_OPENSHIFT value: "true" envFrom: - configMapRef: name: "operator-environment-config" optional: true - image: registry.connect.redhat.com/redislabs/redis-enterprise-operator:7.4.6-2 + image: registry.connect.redhat.com/redislabs/redis-enterprise-operator:7.8.2-2 imagePullPolicy: Always livenessProbe: failureThreshold: 3 @@ -91,7 +90,7 @@ spec: - configMapRef: name: "operator-environment-config" optional: true - image: registry.connect.redhat.com/redislabs/redis-enterprise-operator:7.4.6-2 + image: registry.connect.redhat.com/redislabs/redis-enterprise-operator:7.8.2-2 imagePullPolicy: Always livenessProbe: failureThreshold: 3 diff --git a/openshift/rec_rhel.yaml b/openshift/rec_rhel.yaml index 9c7588c..fcd4a22 100644 --- a/openshift/rec_rhel.yaml +++ b/openshift/rec_rhel.yaml @@ -9,7 +9,7 @@ spec: nodes: 3 redisEnterpriseImageSpec: repository: registry.connect.redhat.com/redislabs/redis-enterprise - versionTag: 7.4.6-22.rhel8-openshift + versionTag: 7.8.2-34.rhel8-openshift redisEnterpriseServicesRiggerImageSpec: repository: registry.connect.redhat.com/redislabs/services-manager bootstrapperImageSpec: diff --git a/openshift/role.yaml b/openshift/role.yaml index 4a0427a..fc0f499 100644 --- a/openshift/role.yaml +++ b/openshift/role.yaml @@ -1,4 +1,3 @@ ---- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/openshift/role_binding.yaml b/openshift/role_binding.yaml index dca673d..a203cd2 100644 --- a/openshift/role_binding.yaml +++ b/openshift/role_binding.yaml @@ -1,4 +1,3 @@ ---- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/openshift/scc.yaml b/openshift/scc.yaml index 5cb3727..515268e 100644 --- a/openshift/scc.yaml 
+++ b/openshift/scc.yaml @@ -1,10 +1,9 @@ ---- apiVersion: security.openshift.io/v1 kind: SecurityContextConstraints metadata: name: redis-enterprise-scc-v2 annotations: - kubernetes.io/description: redis-enterprise-scc is the minimal SCC needed to run Redis Enterprise nodes on Kubernetes. It provides the same features as restricted-v2 SCC, but allows pods to enable the SYS_RESOURCE capability, which is required by Redis Enterprise nodes to manage file descriptor limits and OOM scores for database shards. Additionally, it requires pods to run as UID/GID 1001, which are the UID/GID used within the Redis Enterprise node containers. + kubernetes.io/description: redis-enterprise-scc-v2 is the minimal SCC needed to run Redis Enterprise nodes on Kubernetes. It provides the same features as restricted-v2 SCC, but allows pods to enable the SYS_RESOURCE capability, which is required by Redis Enterprise nodes to manage file descriptor limits and OOM scores for database shards. Additionally, it requires pods to run as UID/GID 1001, which are the UID/GID used within the Redis Enterprise node containers. allowedCapabilities: - SYS_RESOURCE allowHostDirVolumePlugin: false diff --git a/openshift/service_account.yaml b/openshift/service_account.yaml index b2940cf..0bedf17 100644 --- a/openshift/service_account.yaml +++ b/openshift/service_account.yaml @@ -1,4 +1,3 @@ ---- apiVersion: v1 kind: ServiceAccount metadata: diff --git a/operator.yaml b/operator.yaml index 32076d8..f9ec62f 100644 --- a/operator.yaml +++ b/operator.yaml @@ -1,4 +1,3 @@ ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -41,7 +40,7 @@ spec: - configMapRef: name: "operator-environment-config" optional: true - image: redislabs/operator:7.4.6-2 + image: redislabs/operator:7.8.2-2 imagePullPolicy: Always livenessProbe: failureThreshold: 3 
@@ -89,7 +88,7 @@ spec: - configMapRef: name: "operator-environment-config" optional: true - image: redislabs/operator:7.4.6-2 + image: redislabs/operator:7.8.2-2 imagePullPolicy: Always livenessProbe: failureThreshold: 3 diff --git a/redis_enterprise_active_active_database_api.md b/redis_enterprise_active_active_database_api.md index 7e208b1..5c132bd 100644 --- a/redis_enterprise_active_active_database_api.md +++ b/redis_enterprise_active_active_database_api.md @@ -78,6 +78,7 @@ RedisEnterpriseActiveActiveDatabaseStatus defines the observed state of RedisEnt | redisEnterpriseCluster | The Redis Enterprise Cluster Object this Resource is associated with | string | | false | | secretsStatus | The status of the secrets | []*[SecretStatus](#secretstatus) | | false | | replicationStatus | The overall replication status | [ReplicationStatus](#replicationstatus) | | false | +| clusterCertificatesGeneration | Versions of the cluster's Proxy and Syncer certificates. In Active-Active databases, these are used to detect updates to the certificates, and trigger synchronization across the participating clusters. . | *int64 | | false | [Back to Table of Contents](#table-of-contents) ### SecretStatus diff --git a/redis_enterprise_cluster_api.md b/redis_enterprise_cluster_api.md index 1966873..6928e7a 100644 --- a/redis_enterprise_cluster_api.md +++ b/redis_enterprise_cluster_api.md @@ -9,6 +9,7 @@ This document describes the parameters for the Redis Enterprise Cluster custom r * [BundledDatabaseRedisVersions](#bundleddatabaseredisversions) * [BundledDatabaseVersions](#bundleddatabaseversions) * [ClusterCertificate](#clustercertificate) + * [ClusterCertificatesStatus](#clustercertificatesstatus) * [CmServer](#cmserver) * [ContainerTimezoneSpec](#containertimezonespec) * [CrdbCoordinator](#crdbcoordinator) 
@@ -46,6 +47,7 @@ This document describes the parameters for the Redis Enterprise Cluster custom r * [StatsArchiver](#statsarchiver) * [UpgradeSpec](#upgradespec) * [Enums](#enums) + * [CertificatesUpdateStatus](#certificatesupdatestatus) * [ClusterState](#clusterstate) * [IngressMethod](#ingressmethod) * [LDAPProtocol](#ldapprotocol) @@ -113,6 +115,15 @@ Customization options for the REC API service. | key | | string | | true | [Back to Table of Contents](#table-of-contents) +### ClusterCertificatesStatus +ClusterCertificatesStatus Stores information about cluster certificates and their update process. In Active-Active databases, this is used to detect updates to the certificates, and trigger synchronization across the participating clusters. + +| Field | Description | Scheme | Default Value | Required | +| ----- | ----------- | ------ | -------- | -------- | +| generation | Generation stores the version of the cluster's Proxy and Syncer certificate secrets. In Active-Active databases, when a user updates the proxy or syncer certificate, a crdb-update command needs to be triggered to avoid potential sync issues. This helps the REAADB controller detect a change in a certificate and trigger a crdb-update. The version of the cluster's Proxy certificate secret. | *int64 | | false | +| updateStatus | The status of the cluster's certificates update | [CertificatesUpdateStatus](#certificatesupdatestatus) | | false | +[Back to Table of Contents](#table-of-contents) + ### CmServer 
@@ -219,6 +230,7 @@ Address of an LDAP server. | cacheTTLSeconds | The maximum TTL of cached entries. | *int | | false | | authenticationQuery | Configuration of authentication queries, mapping between the username, provided to the cluster for authentication, and the LDAP Distinguished Name. | [LDAPAuthenticationQuery](#ldapauthenticationquery) | | true | | authorizationQuery | Configuration of authorization queries, mapping between a user's Distinguished Name and its group memberships. | [LDAPAuthorizationQuery](#ldapauthorizationquery) | | true | +| directoryTimeoutSeconds | The connection timeout to the LDAP server when authenticating a user, in seconds | *int | | false | [Back to Table of Contents](#table-of-contents) ### LicenseStatus @@ -430,6 +442,7 @@ RedisEnterpriseClusterStatus defines the observed state of RedisEnterpriseCluste | ingressOrRouteMethodStatus | The ingressOrRouteSpec/ActiveActive spec method that exist | [IngressMethod](#ingressmethod) | | false | | redisEnterpriseIPFamily | The chosen IP family of the cluster if was specified in REC spec. | v1.IPFamily | | false | | persistenceStatus | The status of the Persistent Volume Claims that are used for Redis Enterprise Cluster persistence. The status will correspond to the status of one or more of the PVCs (failed/resizing if one of them is in resize or failed to resize) | [PersistenceStatus](#persistencestatus) | | false | +| certificatesStatus | Stores information about cluster certificates and their update process. In Active-Active databases, this is used to detect updates to the certificates, and trigger synchronization across the participating clusters. | *[ClusterCertificatesStatus](#clustercertificatesstatus) | | false | [Back to Table of Contents](#table-of-contents) ### RedisEnterpriseServicesConfiguration 
@@ -530,23 +543,33 @@ Specification for upgrades of Redis Enterprise [Back to Table of Contents](#table-of-contents) ## Enums +### CertificatesUpdateStatus +CertificatesUpdateStatus stores the status of the cluster's certificates update + +| Value | Description | +| ----- | ----------- | +| "InProgress" | CertificatesUpdateStatusInProgress indicates that the certificates update is in progress | +| "Completed" | CertificatesUpdateStatusCompleted indicates that the certificates update has been completed | +[Back to Table of Contents](#table-of-contents) + ### ClusterState State of the Redis Enterprise Cluster | Value | Description | | ----- | ----------- | -| "PendingCreation" | ClusterPendingCreate means cluster is not created yet | +| "PendingCreation" | PendingCreation means cluster is not created yet | | "BootstrappingFirstPod" | Bootstrapping first pod | -| "Initializing" | ClusterInitializing means the cluster was created and nodes are in the process of joining the cluster | -| "RecoveryReset" | ClusterRecoveryReset resets the cluster by deleting all pods | -| "RecoveringFirstPod" | ClusterRecoveringFirstPod means the cluster entered cluster recovery | -| "Running" | ClusterRunning means the cluster's sub-resources have been created and are in running state | -| "Error" | ClusterError means the there was an error when starting creating/updating the one or more of the cluster's resources | -| "Invalid" | ClusterConfigurationInvalid means an invalid spec was applied | -| "InvalidUpgrade" | ClusterInvalidUpgrade means an upgrade is not possible at this time | -| "Upgrade" | ClusterUpgrade | -| "Deleting" | ClusterDeleting | -| "ClusterRecreating" | ClusterRecreating - similar to ClusterRecoveryReset - delete all pods before recreation of the cluster. 
| +| "Initializing" | Initializing means the cluster was created and nodes are in the process of joining the cluster | +| "RecoveryReset" | RecoveryReset resets the cluster by deleting all pods | +| "RecoveringFirstPod" | RecoveringFirstPod means the cluster entered cluster recovery | +| "Running" | Running means the cluster's sub-resources have been created and are in running state | +| "Error" | Error means the there was an error when starting creating/updating the one or more of the cluster's resources | +| "Invalid" | Invalid means an invalid spec was applied | +| "InvalidUpgrade" | InvalidUpgrade means an upgrade is not possible at this time | +| "Upgrade" | Upgrade | +| "Deleting" | Deleting | +| "ClusterRecreating" | ClusterRecreating - similar to RecoveryReset - delete all pods before recreation of the cluster. | +| "RunningRollingUpdate" | RunningRollingUpdate similar to Running state and the STS is during rolling-update | [Back to Table of Contents](#table-of-contents) ### IngressMethod diff --git a/redis_enterprise_database_api.md b/redis_enterprise_database_api.md index 2386239..9bf213f 100644 --- a/redis_enterprise_database_api.md +++ b/redis_enterprise_database_api.md 
@@ -96,7 +96,7 @@ Threshold for database alert | Field | Description | Scheme | Default Value | Required | | ----- | ----------- | ------ | -------- | -------- | -| upgradeModulesToLatest | Upgrades the modules to the latest version that supportes the DB version during a DB upgrade action, to upgrade the DB version view the 'redisVersion' field. Notes - All modules must be without specifing the version. in addition, This field is currently not supported for Active-Active databases. | *bool | | true | +| upgradeModulesToLatest | DEPRECATED Upgrades the modules to the latest version that supports the DB version during a DB upgrade action, to upgrade the DB version view the 'redisVersion' field. Notes - All modules must be without specifying the version. in addition, This field is currently not supported for Active-Active databases. The default is true | *bool | | true | [Back to Table of Contents](#table-of-contents) ### DbAlertsSettings @@ -126,7 +126,7 @@ Redis Enterprise Module: https://redislabs.com/redis-enterprise/modules/ | Field | Description | Scheme | Default Value | Required | | ----- | ----------- | ------ | -------- | -------- | | name | The module's name e.g "ft" for redissearch | string | | true | -| version | Module's semantic version e.g "1.6.12" - optional only in REDB, must be set in REAADB | string | | false | +| version | DEPRECATED - Module's semantic version e.g "1.6.12" - optional only in REDB, must be set in REAADB | string | | false | | config | Module command line arguments e.g. VKEY_MAX_ENTITY_COUNT 30 | string | | false | [Back to Table of Contents](#table-of-contents) 
@@ -208,9 +208,9 @@ RedisEnterpriseDatabaseSpec defines the desired state of RedisEnterpriseDatabase | tlsMode | Require SSL authenticated and encrypted connections to the database. enabled - all incoming connections to the Database must use SSL. disabled - no incoming connection to the Database should use SSL. replica_ssl - databases that replicate from this one need to use SSL. | string | disabled | false | | clientAuthenticationCertificates | The Secrets containing TLS Client Certificate to use for Authentication | []string | | false | | replicaSources | What databases to replicate from | [][ReplicaSource](#replicasource) | | false | -| alertSettings | Settings for database alerts | *[DbAlertsSettings](#dbalertssettings) | | false | +| alertSettings | Settings for database alerts. Note - Alert settings are not supported for Active-Active database. | *[DbAlertsSettings](#dbalertssettings) | | false | | backup | Target for automatic database backups. | *[BackupSpec](#backupspec) | | false | -| modulesList | List of modules associated with database. Note - For Active-Active databases this feature is currently in preview. For this feature to take effect for Active-Active databases, set a boolean environment variable with the name "ENABLE_ALPHA_FEATURES" to True. This variable can be set via the redis-enterprise-operator pod spec, or through the operator-environment-config Config Map. | *[][DbModule](#dbmodule) | | false | +| modulesList | List of modules associated with database. Note - For Active-Active databases this feature is currently in preview. For this feature to take effect for Active-Active databases, set a boolean environment variable with the name "ENABLE_ALPHA_FEATURES" to True. This variable can be set via the redis-enterprise-operator pod spec, or through the operator-environment-config Config Map. Note - if you do not want to upgrade to the latest version you must set upgradeSpec -> upgradeModulesToLatest to false. 
if you specify a version and do not set the upgradeModulesToLatest it can result errors in the operator. in addition, the option to specify specific version is Deprecated and will be deleted in next releases. | *[][DbModule](#dbmodule) | | false | | rolesPermissions | List of Redis Enteprise ACL and Role bindings to apply | [][RolePermission](#rolepermission) | | false | | defaultUser | Is connecting with a default user allowed? If disabled, the DatabaseSecret will not be created or updated | *bool | true | false | | ossCluster | OSS Cluster mode option. Note that not all client libraries support OSS cluster mode. | *bool | false | false | 
@@ -222,7 +222,7 @@ RedisEnterpriseDatabaseSpec defines the desired state of RedisEnterpriseDatabase | isRof | Whether it is an RoF database or not. Applicable only for databases of type "REDIS". Assumed to be false if left blank. | *bool | | false | | rofRamSize | The size of the RAM portion of an RoF database. Similarly to "memorySize" use formats like 100MB, 0.1GB It must be at least 10% of combined memory size (RAM+Flash), as specified by "memorySize". | string | | false | | memcachedSaslSecretName | Credentials used for binary authentication in memcached databases. The credentials should be saved as an opaque secret and the name of that secret should be configured using this field. For username, use 'username' as the key and the actual username as the value. For password, use 'password' as the key and the actual password as the value. Note that connections are not encrypted. | string | | false | -| redisVersion | Redis OSS version. Version can be specified via prefix, or via channels - for existing databases - Upgrade Redis OSS version. For new databases - the version which the database will be created with. If set to 'major' - will always upgrade to the most recent major Redis version. If set to 'latest' - will always upgrade to the most recent Redis version. Depends on 'redisUpgradePolicy' - if you want to set the value to 'latest' for some databases, you must set redisUpgradePolicy on the cluster before. Possible values are 'major' or 'latest' When using upgrade - make sure to backup the database before. This value is used only for database type 'redis' | string | | false | +| redisVersion | Redis OSS version. Version can be specified via prefix, or via channels - for existing databases - Upgrade Redis OSS version. For new databases - the version which the database will be created with. If set to 'major' - will always upgrade to the most recent major Redis version. If set to 'latest' - will always upgrade to the most recent Redis version. 
Depends on 'redisUpgradePolicy' - if you want to set the value to 'latest' for some databases, you must set redisUpgradePolicy on the cluster before. Possible values are 'major' or 'latest' When using upgrade - make sure to backup the database before. This value is used only for database type 'redis'. Note - Specifying Redis version is currently not supported for Active-Active database. | string | | false | | upgradeSpec | Specifications for DB upgrade. | *[DBUpgradeSpec](#dbupgradespec) | | false | | activeActive | Connection/ association to the Active-Active database. | *[ActiveActiveInfo](#activeactiveinfo) | | false | | resp3 | Whether this database supports RESP3 protocol. Note - Deleting this property after explicitly setting its value shall have no effect. Please view the corresponding field in RS doc for more info. | *bool | | false | diff --git a/redis_enterprise_remote_cluster_api.md b/redis_enterprise_remote_cluster_api.md index b5234be..f543e29 100644 --- a/redis_enterprise_remote_cluster_api.md +++ b/redis_enterprise_remote_cluster_api.md @@ -39,6 +39,7 @@ RedisEnterpriseRemoteClusterList contains a list of RedisEnterpriseRemoteCluster | recNamespace | The namespace of the REC that the RERC is pointing at | string | | true | | secretName | The name of the secret containing cluster credentials. Must be of the following format: "redis-enterprise-" | string | | false | | apiFqdnUrl | The URL of the cluster, will be used for the active-active database URL. | string | | true | +| apiPort | The port number of the cluster's URL used for connectivity/sync | *int | | false | | dbFqdnSuffix | The database URL suffix, will be used for the active-active database replication endpoint and replication endpoint SNI. | string | | false | [Back to Table of Contents](#table-of-contents) 
@@ -51,6 +52,7 @@ RedisEnterpriseRemoteClusterList contains a list of RedisEnterpriseRemoteCluster | status | The status of the remote cluster. | [RemoteClusterStatus](#remoteclusterstatus) | | false | | specStatus | Whether the desired specification is valid. | [SpecStatusName](#specstatusname) | | false | | observedGeneration | observedGeneration is the most recent generation observed for this RERC. It corresponds to the RERC's generation, which is updated by the API Server. | int64 | | false | +| internalObservedSecretResourceVersion | The observed secret resource version. Used for internal purposes only. | string | | false | [Back to Table of Contents](#table-of-contents) ## Enums diff --git a/redis_on_flash.md b/redis_on_flash.md index 05847a6..17ccd4b 100644 --- a/redis_on_flash.md +++ b/redis_on_flash.md @@ -1,3 +1,3 @@ # Deploying Redis on Flash on K8s using Redis Enterprise operator -This content has moved to [docs.redis.com](https://docs.redis.com/latest/). See [Use Auto Tiering on Kubernetes](https://docs.redis.com/latest/kubernetes/re-clusters/auto-tiering/). \ No newline at end of file +This content has moved to [redis.io/docs](https://redis.io/docs/latest/operate/). See [Use Auto Tiering on Kubernetes](https://redis.io/docs/latest/operate/kubernetes/re-clusters/auto-tiering/). \ No newline at end of file diff --git a/role.yaml b/role.yaml index 9e99e97..4bd1900 100644 --- a/role.yaml +++ b/role.yaml @@ -1,4 +1,3 @@ ---- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/role_binding.yaml b/role_binding.yaml index dca673d..a203cd2 100644 --- a/role_binding.yaml +++ b/role_binding.yaml @@ -1,4 +1,3 @@ ---- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/service_account.yaml b/service_account.yaml index b2940cf..0bedf17 100644 --- a/service_account.yaml +++ b/service_account.yaml @@ -1,4 +1,3 @@ ---- apiVersion: v1 kind: ServiceAccount metadata: 
diff --git a/setting_ingress_or_route_readme.md b/setting_ingress_or_route_readme.md index 9037a36..62d2e7a 100644 --- a/setting_ingress_or_route_readme.md +++ b/setting_ingress_or_route_readme.md @@ -28,8 +28,8 @@ By default, the operator creates a ClusterIP type service, which exposes a clust Install one of the supported ingresses, if not installed already on your K8s cluster: * [Nginx ingress controller installation guide](https://kubernetes.github.io/ingress-nginx/deploy/) * [HAProxy ingress getting started](https://haproxy-ingress.github.io/docs/getting-started/) - * Istio - follow the "Install and configure Istio for Redis Enterprise" [here](https://docs.redis.com/latest/kubernetes/re-databases/ingress_routing_with_istio/) - * [Openshift Routes](https://docs.redis.com/latest/kubernetes/re-databases/routes/) + * Istio - follow the "Install and configure Istio for Redis Enterprise" [here](https://redis.io/docs/latest/operate/kubernetes/networking/istio-ingress/) + * [Openshift Routes](https://redis.io/docs/latest/operate/kubernetes/networking/routes//) Warning - You’ll need to make sure `ssl-passthrough` is enabled. It’s enabled by default for HAProxy, but disabled by default for NGINX. See the [Nginx User Guide](https://kubernetes.github.io/ingress-nginx/user-guide/tls/#ssl-passthrough) for details. 
@@ -91,6 +91,6 @@ Notes: * For more info please view the REC custom resource definition or the API doc. For more information please view the following links: - - [Redis doc - set up ingress controller](https://docs.redis.com/latest/kubernetes/re-databases/set-up-ingress-controller/) - - [Redis doc - create aa database](https://docs.redis.com/latest/kubernetes/re-clusters/create-aa-database/) - - [Redis doc - Openshift Routes](https://docs.redis.com/latest/kubernetes/re-databases/routes/) + - [Redis doc - set up ingress controller](https://redis.io/docs/latest/operate/kubernetes/networking/ingressorroutespec/) + - [Redis doc - create aa database](https://redis.io/docs/latest/operate/kubernetes/active-active/) + - [Redis doc - Openshift Routes](https://redis.io/docs/latest/operate/kubernetes/networking/routes//) diff --git a/topics.md b/topics.md index 7be62f7..485439d 100644 --- a/topics.md +++ b/topics.md 
@@ -15,15 +15,15 @@ ## Guaranteed Quality of Service -This content has moved to [docs.redis.com](https://docs.redis.com/latest); see [Manage pod stability](https://docs.redis.com/latest/kubernetes/recommendations/pod-stability/). +This content has moved to [redis.io/docs](https://redis.io/docs/latest); see [Manage pod stability](https://redis.io/docs/latest/operate/kubernetes/recommendations/pod-stability/). ## Priority Class -This content has moved to [docs.redis.com](https://docs.redis.com/latest); see [Manage pod stability](https://docs.redis.com/latest/kubernetes/recommendations/pod-stability/). +This content has moved to [redis.io/docs](https://redis.io/docs/latest); see [Manage pod stability](https://redis.io/docs/latest/operate/kubernetes/recommendations/pod-stability/). ## Node Pool -This content has moved to [docs.redis.com](https://docs.redis.com); see [Control node selection](https://docs.redis.com/latest/kubernetes/recommendations/node-selection/). +This content has moved to [redis.io/docs](https://redis.io/docs); see [Control node selection](https://redis.io/docs/latest/operate/kubernetes/recommendations/node-selection/). ## K8s Out of Resource Handling recommendations 
@@ -31,11 +31,11 @@ We highly recommend reading [k8s documentation of out of resource administration
 ### Monitoring
-This content has moved to [docs.redis.com](https://docs.redis.com); see [Manage node resources](https://docs.redis.com/latest/kubernetes/recommendations/node-resources/).
+This content has moved to [redis.io/docs](https://redis.io/docs); see [Manage node resources](https://redis.io/docs/latest/operate/kubernetes/recommendations/node-resources/).
 ### Eviction Thresholds
-This content has moved to [docs.redis.com](https://docs.redis.com); see [Manage node resources](https://docs.redis.com/latest/kubernetes/recommendations/node-resources/).
+This content has moved to [redis.io/docs](https://redis.io/docs); see [Manage node resources](https://redis.io/docs/latest/operate/kubernetes/recommendations/node-resources/).
 ## Pod Security Policy (PSP)
@@ -69,11 +69,11 @@ SideCar containers- images that will run along side the redis enterprise contain
 ## Resource Limits and Quotas
-This content has moved to [docs.redis.com](https://docs.redis.com); see [Manage node resources](https://docs.redis.com/latest/kubernetes/recommendations/node-resources/).
+This content has moved to [redis.io/docs](https://redis.io/docs); see [Manage node resources](https://redis.io/docs/latest/operate/kubernetes/recommendations/node-resources/).
 ## Custom Resource Deletion
-This content [has moved](https://docs.redis.com/latest/kubernetes/re-clusters/delete_custom_resources/) to the Redis Enterprise doc site, [docs.redis.com](https://docs.redis.com/latest/kubernetes/).
+This content [has moved](https://redis.io/docs/latest/operate/kubernetes/delete_custom_resources/) to the Redis Enterprise doc site, [redis.io/docs](https://redis.io/docs/latest/operate/kubernetes/).
 ### REDB `redisVersion` field
 The ‘redisVersion’ field is used for specifying Redis OSS version on REDB.
diff --git a/vault/README.md b/vault/README.md
index b5d79e8..0cf1dfe 100644
--- a/vault/README.md
+++ b/vault/README.md
@@ -82,6 +82,7 @@ Hashicorp Vault and the Redis Enterprise Operator can be deployed in multiple sc
 VAULT_ROLE: "redis-enterprise-operator-"
 VAULT_AUTH_PATH:
 VAULT_NAMESPACE:
+ VAULT_CACHE_SECRET_EXPIRATION_SECONDS:
 ```
 * `VAULT_SERVER_FQDN`: Hashicorp Vault server Fully Qualified Domain Name (FQDN). If the Vault server is running with k8s,
it would typically be `.)`:
@@ -92,6 +93,9 @@ Hashicorp Vault and the Redis Enterprise Operator can be deployed in multiple sc
 * `VAULT_AUTH_PATH`: the path kubernetes auth is enabled in Hashicorp Vault, defaults to `kubernetes` - use no leading/trailing slashes.
* `VAULT_NAMESPACE`: supported in Hashicorp Vault enterprise.
> The full secret path would be: //
+ * `VAULT_CACHE_SECRET_EXPIRATION_SECONDS`: Defines the expiration duration of secrets that are fetched from Vault.
+ Secrets are cached in the operator for a period of X seconds (2 min by default).
+ Note - the REC credentials will be re-fetched directly from Vault in case of 'unauthorized' error via the RS API.
 4. Deploy the operator by applying the Redis Labs Kubernetes Operator Bundle as explained [here](../README.md) - steps 1,2 (steps 1-4 on OpenShift).
The Operator pod would not be ready before you save the admission controller secret to Vault: