Deployment with OpenShift CLI for Redis Enterprise for Kubernetes
Use these steps to set up a Redis Enterprise Software cluster with OpenShift.
Prerequisites
- OpenShift cluster with at least 3 nodes (each meeting the minimum requirements for a development installation)
- OpenShift CLI
Deploy the operator
-
Create a new project.
oc new-project <your-project-name>
-
Verify the newly created project.
oc project <your-project-name>
-
Get the deployment files.
git clone https://github.com/RedisLabs/redis-enterprise-k8s-docs
-
Deploy the OpenShift operator bundle.
Note:If you are using version 6.2.18-41 or earlier, you must apply the security context constraint before the operator bundle.oc apply -f openshift.bundle.yaml
Warning -Changes to theopenshift.bundle.yaml
file can cause unexpected results. -
Verify that your
redis-enterprise-operator
deployment is running.oc get deployment
A typical response looks like this:
NAME READY UP-TO-DATE AVAILABLE AGE redis-enterprise-operator 1/1 1 1 0m36s
Install security context constraint
The Redis Enterprise pods must run in OpenShift with privileges set in a Security Context Constraint. This grants the pod various rights, such as the ability to change system limits or run as a particular user.
-
Apply the file
scc.yaml
file.Warning -Do not edit this file.oc apply -f openshift/scc.yaml
You should receive the following response:
securitycontextconstraints.security.openshift.io "redis-enterprise-scc" configured
-
Provide the operator permissions for the pods.
oc adm policy add-scc-to-user redis-enterprise-scc \ system:serviceaccount:<my-project>:<rec>
If you are using version 6.2.18-41 or earlier, add additional permissions for your cluster.
oc adm policy add-scc-to-user redis-enterprise-scc \
system:serviceaccount:<my-project>:redis-enterprise-operator
You can check the name of your project using the oc project
command. To replace the project name, use oc edit project myproject
. Replace rec
with the name of your Redis Enterprise cluster, if different.
Create a Redis Enterprise cluster custom resource
-
Apply the
RedisEnterpriseCluster
resource file (rec_rhel.yaml).You can rename the file to
<your_cluster_name>.yaml
, but it is not required. Examples below use<rec_rhel>.yaml
. Options for Redis Enterprise clusters has more info about the Redis Enterprise cluster (REC) custom resource, or see the Redis Enterprise cluster API for a full list of options.Note:Each Redis Enterprise cluster requires at least 3 nodes. Single-node RECs are not supported. -
Apply the custom resource file to create your Redis Enterprise cluster.
oc apply -f <rec_rhel>.yaml
The operator typically creates the REC within a few minutes.
-
Check the cluster status.
oc get pod
You should receive a response similar to the following:
| NAME | READY | STATUS | RESTARTS | AGE | | -------------------------------- | ----- | ------- | -------- | --- | | rec-name-0 | 2/2 | Running | 0 | 1m | | rec-name-1 | 2/2 | Running | 0 | 1m | | rec-name-2 | 2/2 | Running | 0 | 1m | | rec-name-controller-x-x | 1/1 | Running | 0 | 1m | | Redis-enterprise-operator-x-x | 1/1 | Running | 0 | 5m |
Configure the admission controller
-
Verify the Kubernetes secret.
The operator creates a Kubernetes secret for the admission controller during deployment.
oc get secret admission-tls
The response will be similar to this:
NAME TYPE DATA AGE admission-tls Opaque 2 2m43s
-
Save the automatically generated certificate to a local environment variable.
CERT=`oc get secret admission-tls -o jsonpath='{.data.cert}'`
-
Create a patch file for the Kubernetes webhook using your own values for the namespace and webhook name.
sed '<your_namespace>' admission/webhook.yaml | oc create -f - cat > modified-webhook.yaml <<EOF webhooks: - name: <your.admission.webhook> clientConfig: caBundle: $CERT admissionReviewVersions: ["v1beta1"] EOF
-
Patch the validating webhook with the certificate.
oc patch ValidatingWebhookConfiguration \ redis-enterprise-admission --patch "$(cat modified-webhook.yaml)"
Limit the webhook to relevant namespaces
If not limited, the webhook intercepts requests from all namespaces. If you have several REC objects in your Kubernetes cluster, limit the webhook to the relevant namespaces. If you aren’t using multiple namespaces, skip this step.
-
Verify your namespace is labeled and the label is unique to this namespace, as shown in the next example.
apiVersion: v1 kind: Namespace metadata: labels: namespace-name: staging name: staging
-
Patch the webhook spec with the
namespaceSelector
field.cat > modified-webhook.yaml <<EOF webhooks: - name: redisenterprise.admission.redislabs namespaceSelector: matchLabels: namespace-name: staging EOF
-
Apply the patch.
oc patch ValidatingWebhookConfiguration \ redis-enterprise-admission --patch "$(cat modified-webhook.yaml)"
For releases before 6.4.2-4, use this command instead:
sh oc patch ValidatingWebhookConfiguration \ redb-admission --patch "$(cat modified-webhook.yaml)"
The 6.4.2-4 release introduces a new ValidatingWebhookConfiguration
to replace redb-admission
. See the 6.4.2-4 release notes.
Verify admission controller installation
Apply an invalid resource as shown below to force the admission controller to reject it. If it applies successfully, the admission controller is not installed correctly.
oc apply -f - << EOF
apiVersion: app.redislabs.com/v1alpha1
kind: RedisEnterpriseDatabase
metadata:
name: redis-enterprise-database
spec:
evictionPolicy: illegal
EOF
You should see this error from the admission controller webhook redisenterprise.admission.redislabs
.
Error from server: error when creating "STDIN": admission webhook "redisenterprise.admission.redislabs" denied the request: eviction_policy: u'illegal' is not one of [u'volatile-lru', u'volatile-ttl', u'volatile-random', u'allkeys-lru', u'allkeys-random', u'noeviction', u'volatile-lfu', u'allkeys-lfu']
Create a Redis Enterprise database custom resource
The operator uses the instructions in the Redis Enterprise database (REDB) custom resources to manage databases on the Redis Enterprise cluster.
-
Create a
RedisEnterpriseDatabase
custom resource.This example creates a test database. For production databases, see creating a database and database options.
cat << EOF > /tmp/redis-enterprise-database.yml apiVersion: app.redislabs.com/v1alpha1 kind: RedisEnterpriseDatabase metadata: name: redis-enterprise-database spec: memorySize: 100MB EOF
-
Apply the newly created REDB resource.
oc apply -f /tmp/redis-enterprise-database.yml