Use these steps to set up a Redis Enterprise Software cluster with OpenShift.

Prerequisites

To see which version of Redis Enterprise for Kubernetes supports your OpenShift version, see Supported Kubernetes distributions.

Deploy the operator

  1. Create a new project.

    oc new-project <your-project-name> 
    
  2. Verify the newly created project.

    oc project <your-project-name>
    
  3. Get the deployment files.

    git clone https://github.com/RedisLabs/redis-enterprise-k8s-docs
    
  4. Deploy the OpenShift operator bundle.

    Note:
    If you are using version 6.2.18-41 or earlier, you must apply the security context constraint before the operator bundle.
    oc apply -f openshift.bundle.yaml
    
    Warning -
    Changes to the openshift.bundle.yaml file can cause unexpected results.
  5. Verify that your redis-enterprise-operator deployment is running.

    oc get deployment
    

    A typical response looks like this:

    NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
    redis-enterprise-operator   1/1     1            1           0m36s
    
Warning -
DO NOT modify or delete the StatefulSet created during the deployment process. Doing so could destroy your Redis Enterprise cluster (REC).

Install security context constraint

The Redis Enterprise pods must run in OpenShift with privileges set in a Security Context Constraint. This grants the pod various rights, such as the ability to change system limits or run as a particular user.

  1. Apply the file scc.yaml file.

    Warning -
    Do not edit this file.
    oc apply -f openshift/scc.yaml
    

    You should receive the following response:

    securitycontextconstraints.security.openshift.io "redis-enterprise-scc-v2" configured
    

    Releases before 6.4.2-6 use the earlier version of the SCC, named redis-enterprise-scc.

  2. Provide the operator permissions for the pods.

    oc adm policy add-scc-to-user redis-enterprise-scc-v2 \
      system:serviceaccount:<my-project>:<rec>
    
Note:

If you are using version 6.2.18-41 or earlier, add additional permissions for your cluster.

oc adm policy add-scc-to-user redis-enterprise-scc-v2 \
system:serviceaccount:<my-project>:redis-enterprise-operator

You can check the name of your project using the oc project command. To replace the project name, use oc edit project myproject. Replace rec with the name of your Redis Enterprise cluster, if different.

Create a Redis Enterprise cluster custom resource

  1. Apply the RedisEnterpriseCluster resource file (rec_rhel.yaml).

    You can rename the file to <your_cluster_name>.yaml, but it is not required. Examples below use <rec_rhel>.yaml. Options for Redis Enterprise clusters has more info about the Redis Enterprise cluster (REC) custom resource, or see the Redis Enterprise cluster API for a full list of options.

    Note:
    Each Redis Enterprise cluster requires at least 3 nodes. Single-node RECs are not supported.
  2. Apply the custom resource file to create your Redis Enterprise cluster.

    oc apply -f <rec_rhel>.yaml
    

    The operator typically creates the REC within a few minutes.

  3. Check the cluster status.

    oc get pod
    

    You should receive a response similar to the following:

    | NAME                             | READY | STATUS  | RESTARTS | AGE |
    | -------------------------------- | ----- | ------- | -------- | --- |
    | rec-name-0              | 2/2   | Running | 0        | 1m  |
    | rec-name-1              | 2/2   | Running | 0        | 1m  |
    | rec-name-2              | 2/2   | Running | 0        | 1m  |
    | rec-name-controller-x-x | 1/1   | Running | 0        | 1m  |
    | Redis-enterprise-operator-x-x    | 1/1   | Running | 0        | 5m  |
    

Configure the admission controller

  1. Verify the admission-tls secret exists.

     kubectl get secret admission-tls
    

    The output should look similar to

     NAME            TYPE     DATA   AGE
     admission-tls   Opaque   2      2m43s
    
  2. Save the certificate to a local environment variable.

    CERT=`kubectl get secret admission-tls -o jsonpath='{.data.cert}'`
    
  3. Create a Kubernetes validating webhook, replacing <namespace> with the namespace where the REC was installed.

    The webhook.yaml template can be found in redis-enterprise-k8s-docs/admission

    sed 's/NAMESPACE_OF_SERVICE_ACCOUNT/<namespace>/g' webhook.yaml | kubectl create -f -
    
  4. Create a patch file for the Kubernetes validating webhook.

    cat > modified-webhook.yaml <<EOF
    webhooks:
    - name: redisenterprise.admission.redislabs
      clientConfig:
        caBundle: $CERT
      admissionReviewVersions: ["v1beta1"]
    EOF
    
  5. Patch the webhook with the certificate.

    kubectl patch ValidatingWebhookConfiguration \
      redis-enterprise-admission --patch "$(cat modified-webhook.yaml)"
    

Limit the webhook to relevant namespaces

If not limited, the webhook intercepts requests from all namespaces. If you have several REC objects in your Kubernetes cluster, limit the webhook to the relevant namespaces. If you aren’t using multiple namespaces, skip this step.

  1. Verify your namespace is labeled and the label is unique to this namespace, as shown in the next example.

    apiVersion: v1
    kind: Namespace
    metadata:
      labels:
        namespace-name: staging
    name: staging
    
  2. Patch the webhook spec with the namespaceSelector field.

    cat > modified-webhook.yaml <<EOF
    webhooks:
    - name: redisenterprise.admission.redislabs
      namespaceSelector:
        matchLabels:
          namespace-name: staging
    EOF
    
  3. Apply the patch.

    oc patch ValidatingWebhookConfiguration \
      redis-enterprise-admission --patch "$(cat modified-webhook.yaml)"
    
Note:

For releases before 6.4.2-4, use this command instead: sh oc patch ValidatingWebhookConfiguration \ redb-admission --patch "$(cat modified-webhook.yaml)"

The 6.4.2-4 release introduces a new ValidatingWebhookConfiguration to replace redb-admission. See the 6.4.2-4 release notes.

Verify admission controller installation

Apply an invalid resource as shown below to force the admission controller to reject it. If it applies successfully, the admission controller is not installed correctly.

  oc apply -f - << EOF
   apiVersion: app.redislabs.com/v1alpha1
   kind: RedisEnterpriseDatabase
   metadata:
     name: redis-enterprise-database
   spec:
    evictionPolicy: illegal
   EOF

You should see this error from the admission controller webhook redisenterprise.admission.redislabs.

Error from server: error when creating "STDIN": admission webhook "redisenterprise.admission.redislabs" denied the request: eviction_policy: u'illegal' is not one of [u'volatile-lru', u'volatile-ttl', u'volatile-random', u'allkeys-lru', u'allkeys-random', u'noeviction', u'volatile-lfu', u'allkeys-lfu']

Create a Redis Enterprise database custom resource

The operator uses the instructions in the Redis Enterprise database (REDB) custom resources to manage databases on the Redis Enterprise cluster.

  1. Create a RedisEnterpriseDatabase custom resource.

    This example creates a test database. For production databases, see creating a database and database options.

    cat << EOF > /tmp/redis-enterprise-database.yml
    apiVersion: app.redislabs.com/v1alpha1
    kind: RedisEnterpriseDatabase
    metadata:
      name: redis-enterprise-database
    spec:
      memorySize: 100MB
    EOF
    
  2. Apply the newly created REDB resource.

    oc apply -f /tmp/redis-enterprise-database.yml
    

More info