promoting version 7.2.4-12 (#271)
* promoting version 7.2.4-12

* Remove.

---------

Co-authored-by: Ubuntu <ubuntu@ip-172-31-48-195.eu-central-1.compute.internal>
alon-zada and Ubuntu authored Dec 14, 2023
1 parent 1cdfab5 commit 86513c1
Showing 27 changed files with 191 additions and 690 deletions.
11 changes: 11 additions & 0 deletions active_active_database_readme.md
Expand Up @@ -20,6 +20,7 @@ This document describes how to deploy an Active-Active database with Redis Enter
* [Update existing participating cluster (RERC) details](#update-existing-participating-cluster-rerc-details)
* [Update existing participating cluster (RERC) secret](#update-existing-participating-cluster-rerc-secret)
* [Active-Active database with Redis modules](#active-active-database-with-redis-modules)
* [Upgrade REC with Active-Active database](#upgrade-rec-with-active-active-database)
* [Test your Active-Active database](#test-your-active-active-database)
* [Limitations](#limitations)

Expand Down Expand Up @@ -725,6 +726,16 @@ To enable modules for Active-Active databases, set a boolean environment variabl
Important note:
upgrading modules with Active-Active databases is currently not supported via the operator, to upgrade please use the RS APIs directly and after the module has successfully upgraded update the module version on the REAADB custom resource.

## Upgrade REC with Active-Active database

Upgrading REC with REAADBs is supported.
Please follow [upgrade Redis Enterprise Cluster documentation](https://docs.redis.com/latest/kubernetes/re-clusters/upgrade-redis-cluster/).

Notes:
- It is recommended to upgrade all of the participating clusters to the same operator version.
- [Optional] - Please view following documentation regarding upgrade the Active-Active database [here](https://docs.redis.com/latest/rs/installing-upgrading/upgrading/upgrade-active-active/)
- In case you are upgrading from version with the Active-Active database controller as public preview you may remove the following flags from the environment variables: `ACTIVE_ACTIVE_DATABASE_CONTROLLER_ENABLED` and `REMOTE_CLUSTER_CONTROLLER_ENABLED`, and in case the alpha features flag is enabled only for the REC 'ingressOrRoutesSpec' field you may remove the: `ENABLE_ALPHA_FEATURES` as well.`

## Test your Active-Active database

The easiest way to test your Active-Active database is to set a key-value pair in one database and retrieve it from the other.
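Review bot: the third bullet of the new Notes list has two documentation defects. It ends with a stray backtick after "as well." that will render as an unclosed code span, and it spells the REC field 'ingressOrRoutesSpec' while the CRD description touched in this same commit (bundle.yaml: "The ingressOrRouteSpec/ActiveActive spec method that exist") uses ingressOrRouteSpec; use the CRD spelling so a reader checking their REC spec finds the right field. The sentence would also read more clearly as: "If you are upgrading from a version in which the Active-Active database controller was a public preview, you may remove `ACTIVE_ACTIVE_DATABASE_CONTROLLER_ENABLED` and `REMOTE_CLUSTER_CONTROLLER_ENABLED` from the environment variables; if `ENABLE_ALPHA_FEATURES` was enabled only for the REC ingressOrRouteSpec field, it may be removed as well." The second bullet ("regarding upgrade the Active-Active database") needs "upgrading".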
67 changes: 2 additions & 65 deletions admission/README.md
@@ -1,66 +1,3 @@
# Redis Enterprise Admission Controller
# Redis Enterprise admission controller

Redis Labs' Redis Enterprise Operator provides an installable admission control that can be used to verify RedisEnterpriseDatabase, RedisEnterpriseActiveActiveDatabase and RedisEnterpriseRemoteCluster resources on creation and modification for correctness. This prevents end users from creating syntatically valid but functionally invalid database configurations. The admission control leverages Kubernetes' built in [Dynamic Admission Control](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/).

## Hooking up the Admission controller directly with Kubernetes
**NOTE**: This only has to be done the first time setting up the redis enterprise operator, it can be skipped on update

1. Wait for the secret to be created

```shell script
kubectl get secret admission-tls
NAME TYPE DATA AGE
admission-tls Opaque 2 2m43s
```

2. Enable the Kubernetes webhook using the generated certificate stored in a kubernetes secret

**NOTE**: One must replace REPLACE_WITH_NAMESPACE in the following command with the namespace the REC was installed into.

```shell script
# save cert
CERT=`kubectl get secret admission-tls -o jsonpath='{.data.cert}'`
sed 's/NAMESPACE_OF_SERVICE_ACCOUNT/REPLACE_WITH_NAMESPACE/g' webhook.yaml | kubectl create -f -
# create patch file
cat > modified-webhook.yaml <<EOF
webhooks:
- name: redisenterprise.admission.redislabs
clientConfig:
caBundle: $CERT
admissionReviewVersions: ["v1beta1"]
EOF
# patch webhook with caBundle
kubectl patch ValidatingWebhookConfiguration redis-enterprise-admission --patch "$(cat modified-webhook.yaml)"
```
## Verifying Installation
In order to verify that the all the components of the Admission Controller are installed correctly, we will try to apply an invalid resource that should force the admission controller to reject it. If it applies succesfully, it means the admission controller has not been hooked up correctly.
```shell script
$ kubectl apply -f - << EOF
apiVersion: app.redislabs.com/v1alpha1
kind: RedisEnterpriseDatabase
metadata:
name: redis-enterprise-database
labels:
app: redis-enterprise
spec:
evictionPolicy: illegal
defaultUser: false
EOF
```

This must fail with an error output by the admission webhook redisenterprise.admission.redislabs that is being denied because 'illegal' is not a valid eviction policy.

```shell script
Error from server: error when creating "STDIN": admission webhook "redisenterprise.admission.redislabs" denied the request: eviction_policy: u'illegal' is not one of [u'volatile-lru', u'volatile-ttl', u'volatile-random', u'allkeys-lru', u'allkeys-random', u'noeviction', u'volatile-lfu', u'allkeys-lfu']
```

## Upgrading from previous version

In Redis Enterprise Operator versions 6.4.X and above, the admission webhook has been renamed from `redb-admission` to `redis-enterprise-admission`.
The reason for that is to reflect that the updated admission webhook now verifies multiple resources beyond RedisEnterpriseDatabase, including RedisEnterpriseActiveActiveDatabase and RedisEnterpriseRemoteCluster resources as well. The previous version only verified RedisEnterpriseDatabases.

If you're using version 6.4.X or above, make sure to delete the old `redb-admission` ValidatingWebhookConfiguration and apply the updated webhook.
This content has moved to [docs.redis.com](https://docs.redis.com/latest/); see [Enable the admission controller](https://docs.redis.com/latest/kubernetes/deployment/quick-start/#enable-the-admission-controller).
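Review bot: two pieces of guidance are dropped here with only a link to the quick-start "Enable the admission controller" section in their place: the "Upgrading from previous version" note (webhook renamed from `redb-admission` to `redis-enterprise-admission` in 6.4.X and above; delete the old `redb-admission` ValidatingWebhookConfiguration) and the "Verifying Installation" check (an REDB with `evictionPolicy: illegal` must be rejected by the webhook redisenterprise.admission.redislabs). Confirm that the linked page covers both the old-webhook cleanup and the rejection test, or keep a one-line pointer to each here, since the rejection test was the only in-repo way to confirm the validating webhook is actually enforcing.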
2 changes: 1 addition & 1 deletion admission/webhook.yaml
Expand Up @@ -17,7 +17,7 @@ webhooks:
resources: ["redisenterprisedatabases", "redisenterpriseactiveactivedatabases", "redisenterpriseremoteclusters"]
clientConfig:
service:
namespace: NAMESPACE_OF_SERVICE_ACCOUNT
namespace: OPERATOR_NAMESPACE
name: admission
path: /admission
caBundle: "" # Fill in with BASE64 encoded signed cert
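Review bot: the placeholder is renamed from NAMESPACE_OF_SERVICE_ACCOUNT to OPERATOR_NAMESPACE, but the README removed in this same commit was the only place documenting the substitution (`sed 's/NAMESPACE_OF_SERVICE_ACCOUNT/REPLACE_WITH_NAMESPACE/g' webhook.yaml`) and the step that fills `caBundle: ""` from the `admission-tls` secret. Nothing in the repo now tells a reader to replace OPERATOR_NAMESPACE; either add a short comment at the top of webhook.yaml stating the substitution, or check that the linked docs page uses the new placeholder name rather than the old one.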
27 changes: 25 additions & 2 deletions bundle.yaml
Expand Up @@ -245,6 +245,8 @@ spec:
ingressOrRouteMethodStatus:
description: The ingressOrRouteSpec/ActiveActive spec method that exist
type: string
redisEnterpriseIPFamily:
type: string
spec:
description: RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster
properties:
Expand Down Expand Up @@ -365,6 +367,14 @@ spec:
true. Note that this field is cleared automatically after the cluster
is recovered
type: boolean
redisEnterpriseIPFamily:
description: Reserved, future use, only for use if instructed by Redis.
IPFamily dictates what IP family to choose for pods' internal
and external communication.
type: string
enum:
- IPv4
- IPv6
containerTimezone:
description: Container timezone configuration. While the default timezone
on all containers is UTC, this setting can be used to set the timezone
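Review bot: the enum restricting redisEnterpriseIPFamily to IPv4/IPv6 is the right kind of input validation for a field that feeds pod networking, but the description "Reserved, future use, only for use if instructed by Redis" does not say whether the value may change after the cluster is created or what a change does to running pods. Since the description states the field "dictates what IP family to choose for pods' internal and external communication", add one sentence on whether it is immutable after creation and, if not, what a change triggers.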
Expand Down Expand Up @@ -7769,6 +7779,8 @@ spec:
ldap:
type: boolean
type: object
redisEnterpriseIPFamily:
type: string
spec:
properties:
activeActive:
Expand Down Expand Up @@ -7848,6 +7860,11 @@ spec:
type: string
clusterRecovery:
type: boolean
redisEnterpriseIPFamily:
type: string
enum:
- IPv4
- IPv6
containerTimezone:
properties:
propagateHost:
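Review bot: this second copy of the REC schema keeps the IPv4/IPv6 enum but omits the "Reserved, future use" description that the earlier spec hunk carries, and the two status-side copies of redisEnterpriseIPFamily in this file have no description at all; add the same description to each so `kubectl explain` output is consistent across schema versions. The matching hunks in crds/rec_crd.yaml have the same gap.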
Expand Down Expand Up @@ -14854,6 +14871,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: redisenterprisedatabases.app.redislabs.com
labels:
app: redis-enterprise
spec:
group: app.redislabs.com
names:
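Review bot: `labels: app: redis-enterprise` is added to the redisenterprisedatabases CRD metadata here and in crds/redb_crd.yaml, but none of the REC CRD hunks in this diff add the label. If the label is intended for a selector (for example to find operator-owned CRDs), apply it uniformly to the other CRDs in the bundle or note in the commit message why only the REDB CRD receives it.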
Expand Down Expand Up @@ -16462,7 +16481,7 @@ spec:
serviceAccountName: redis-enterprise-operator
containers:
- name: redis-enterprise-operator
image: redislabs/operator:7.2.4-7
image: redislabs/operator:7.2.4-12
command:
- operator-root
- operator
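Review bot: both the operator and admission containers in this file move from redislabs/operator:7.2.4-7 to 7.2.4-12 by tag only. For a bundle that users apply directly, consider publishing the image digest alongside the tag (for example in the release notes) so deployments can pin `image: redislabs/operator@sha256:<digest>` and verify they run the image this commit was tested against, since a tag can be re-pointed after release.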
Expand Down Expand Up @@ -16512,7 +16531,7 @@ spec:
drop:
- ALL
- name: admission
image: redislabs/operator:7.2.4-7
image: redislabs/operator:7.2.4-12
command:
- operator-root
- admission
Expand All @@ -16532,6 +16551,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
resources:
limits:
cpu: 1000m
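Review bot: the new POD_NAME env var on the admission container is not mentioned in the commit message ("promoting version 7.2.4-12" / "Remove."), so a reader cannot tell what the admission server does with its own pod name or whether 7.2.4-12 requires it; add a line to the commit message or a comment next to the env entry, and make sure any other manifest that deploys the admission container receives the same addition.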
79 changes: 1 addition & 78 deletions cluster_credentials.md
@@ -1,80 +1,3 @@
# Management of the Redis Enterprise Cluster credentials
## Background
When the operator creates a Redis Enterprise Cluster (REC) it generates random credentials that are used by the operator to perform operations on the Redis Enterprise Cluster using the cluster APIs.
The credentials are saved in a K8s secret (or Vault, see [README](vault/README.md)). When a K8s secret is used, the secret name default to the name of the Redis Enterprise Cluster.
## Using the Redis Enterprise Cluster Credentials
The credentials can be used to access the Redis Enterprise Cluster UI or API. Make sure connectivity is configured to the cluster pods using an appropriate service (or by a solution such as kubectl port forwarding). To inspect the random username and password created by the operator, use kubectl:
```
$ kubectl get secret rec -o jsonpath='{.data}'
map[password:MVUyTjd1Mm0= username:ZGVtb0ByZWRpc2xhYnMuY29t]
$ echo MVUyTjd1Mm0= | base64 --decode
```
> Note - other utilities to view secrets are available

## Changing the Redis Enterprise Cluster Credentials
### Replacing the password
Please follow the following steps:
1. Take note of the current password, see above
2. Exec into a Redis Enterprise Cluster node pod using the following command:
```
kubectl exec -it <Redis Enterprise Cluster resource name>-0 bash
```
3. Within the pod console, run a command to add the new password as supported for the existing user, replace with the existing credentials and the new password:
```
REC_USER="`cat /opt/redislabs/credentials/username`"; REC_PASSWORD="`cat /opt/redislabs/credentials/password`";curl -k --request POST --url https://localhost:9443/v1/users/password -u "$REC_USER:$REC_PASSWORD" --header 'Content-Type: application/json' --data "{\"username\":\"$REC_USER\",\"old_password\":\"$REC_PASSWORD\", \"new_password\":\"<NEW PASSWORD>\"}"
```
4. Update the cluster credential secret: using the commands ran outside of the Redis Enterprise Cluster node pod:
> Note: For Vault users, see the instruction described [below](./cluster_credentials.md#creds_with_vault) and proceed to the next step.
a. Save the existing username to a text file (replace <current username> with actual).
```
echo -n "<current username>" > username
```
b. Save the new password to a text file (replace <new password> with actual).
```
echo -n "<new password>" > password
```
c. Update the secret:
```
kubectl create secret generic <cluster secret name> --from-file=./username --from-file=./password --dry-run -o yaml | kubectl apply -f -
```
5. Wait 5 minutes to make sure all components have read the new password from the updated secret
6. in case this cluster is participating in Active-Active database via REAADB follow the instructions [here](active_active_database_readme.md) under `Update existing participating cluster (RERC) secret`.
7. Exec into a Redis Enterprise Cluster node pod (see above) and run the following command to remove the previous password so only the new one applies. Important: replace OLD PASSWORD with the one being replaced, see step 1 above.
```
REC_USER="`cat /opt/redislabs/credentials/username`"; REC_PASSWORD="`cat /opt/redislabs/credentials/password`";curl -k --request DELETE --url https://localhost:9443/v1/users/password -u "$REC_USER:$REC_PASSWORD" --header 'Content-Type: application/json' --data "{\"username\":\"$REC_USER\",\"old_password\":\"<OLD PASSWORD\"}"
```
> Note: the username to be used with the K8s secret is the email displayed on the Redis Enterprise UI
> Note: this procedure is only supported for version 6.0.20-5 or above
### Replacing the password and the username
Please follow the following steps:
1. Log into the Redis Enterprise Cluster UI using the credentials as explained above.
2. Add another admin user, choose a password
3. Set the new username with the Redis Enterprise Cluster spec (username field)
4. Update the cluster credential secret:
> Note: For Vault users, see the instruction described [below](#creds_with_vault) and proceed to the next step.
a. Save the new username to a text file (replace <new username> with actual).
```
echo -n "<new username>" > username
```
b. Save the new password to a text file (replace <new password> with actual).
```
echo -n "<new password>" > password
```
c. Update the secret:
```
kubectl create secret generic <cluster secret name> --from-file=./username --from-file=./password --dry-run -o yaml | kubectl apply -f -
```
> Note: the username to be used with the K8s secret is the email displayed on the Redis Enterprise UI
5. Wait 5 minutes to make sure all components have read the new password from the updated secret
6. in case this cluster is participating in Active-Active database via REAADB follow the instructions [here](active_active_database_readme.md) under `Update existing participating cluster (RERC) secret`.
7. Delete the previous admin user using the Redis Enterprise Cluster UI
> Note: this procedure is only supported for version 6.0.20-5 or above
> Note: the operator might log errors in the time period between updating the username in the REC spec and the secret update
<a name="creds_with_vault"></a>
### Updating the credentials secret in Vault
For users who store secrets in Vault, update the Vault secret containing the Redis Enterprise Cluster's credentials with the following key-value pairs: username:<desired_username>, password:<desired_password>.
For more information about Vault integration with the Redis Enterprise Cluster see [README](vault/README.md#deployment_rec).
This content has moved to [docs.redis.com](https://docs.redis.com/latest/); see [Manage Redis Enterprise cluster (REC) credentials](https://docs.redis.com/latest/kubernetes/security/manage-rec-credentials/).
17 changes: 17 additions & 0 deletions crds/rec_crd.yaml
Expand Up @@ -150,6 +150,8 @@ spec:
ingressOrRouteMethodStatus:
description: The ingressOrRouteSpec/ActiveActive spec method that exist
type: string
redisEnterpriseIPFamily:
type: string
spec:
description: RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster
properties:
Expand Down Expand Up @@ -270,6 +272,14 @@ spec:
true. Note that this field is cleared automatically after the cluster
is recovered
type: boolean
redisEnterpriseIPFamily:
description: Reserved, future use, only for use if instructed by Redis.
IPFamily dictates what IP family to choose for pods' internal
and external communication.
type: string
enum:
- IPv4
- IPv6
containerTimezone:
description: Container timezone configuration. While the default timezone
on all containers is UTC, this setting can be used to set the timezone
Expand Down Expand Up @@ -7674,6 +7684,8 @@ spec:
ldap:
type: boolean
type: object
redisEnterpriseIPFamily:
type: string
spec:
properties:
activeActive:
Expand Down Expand Up @@ -7753,6 +7765,11 @@ spec:
type: string
clusterRecovery:
type: boolean
redisEnterpriseIPFamily:
type: string
enum:
- IPv4
- IPv6
containerTimezone:
properties:
propagateHost:
2 changes: 2 additions & 0 deletions crds/redb_crd.yaml
Expand Up @@ -2,6 +2,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: redisenterprisedatabases.app.redislabs.com
labels:
app: redis-enterprise
spec:
group: app.redislabs.com
names: