DB ENDPOINT SUFFIX - used to set the db host ingress. Creates a host name, so it should be unique if more than one db is created on the cluster with the same name.
string
true
ingressAnnotations
Used for ingress controllers such as ha-proxy or nginx in GKE
AuditingConfig defines the audit listener connection parameters.

| Field | Description | Scheme | Default Value | Required |
|---|---|---|---|---|
| auditProtocol | Protocol used to send audit notifications. Valid values: "TCP" or "local". For production systems, use "TCP". "local" is for development/testing only. | string | | true |
| auditAddress | TCP/IP address or file path where audit notifications will be sent. For the TCP protocol: IP address of the audit listener. For the local protocol: file path for audit output (development/testing only). | string | | true |
| auditPort | Port number where audit notifications will be sent (TCP protocol only). | *int | | false |
| auditReconnectInterval | Interval in seconds between attempts to reconnect to the audit listener. | *int | 1 | false |
| auditReconnectMaxAttempts | Maximum number of attempts to reconnect to the audit listener. Set to 0 for infinite attempts. | | | |
Cluster-wide default policy for database connection auditing. When set to true, connection auditing will be enabled by default for all new databases. Existing databases are not affected and can override this setting individually.
If needed, add proxy details in a secret. This is the name of the proxy secret; the secret can contain the following keys: proxy-url, proxy-username, proxy-password (the URL includes the proxy port).
string
false
s3Target
S3-compatible storage target for call home data upload. When enabled, call home data will be uploaded to this S3 target only. Before using this feature, please coordinate with Redis.
Interval between call home reports (e.g., "1h", "30m"). Passed as --interval flag to the call home client binary. If not specified, the CALL_HOME_CLIENT_INTERVAL environment variable is used, or the default value of 24h. Changing defaults is not recommended.
string
false
cronExpression
Cron expression for scheduling the call home CronJob (e.g., "0 */6 * * *"). If not specified, the CALL_HOME_CLIENT_CRON_SCHEDULE environment variable is used, or the default value of "0 23 * * *" (23:00 UTC daily). Changing defaults is not recommended.
S3 bucket name. Required when S3Target is enabled.
string
false
region
AWS region for the S3 bucket (e.g., "us-east-1").
string
false
prefix
S3 object key prefix/subfolder for uploaded files (e.g., "reports/2025"). If specified, files will be uploaded to s3://bucket/prefix/filename.
string
false
credentialsSecretName
Name of the Kubernetes secret containing S3 credentials. The secret must contain keys "access-key" and "secret-key". Optional keys: "session-token" (for AWS STS), "ca-cert" (for custom CA). The credentials must have s3:PutObject permission on the target bucket.
ClusterCertificatesStatus stores information about cluster certificates and their update process. In Active-Active databases, this is used to detect updates to the certificates and trigger synchronization across the participating clusters.

| Field | Description | Scheme | Default Value | Required |
|---|---|---|---|---|
| generation | Generation stores the version of the cluster's Proxy and Syncer certificate secrets. This generation counter is automatically incremented when proxy or syncer certificates are updated. In Active-Active databases (REAADB), the operator monitors this field to detect certificate changes and automatically triggers a CRDB force update (equivalent to 'crdb-cli crdb update --force'), which synchronizes the certificate changes to all participating clusters, eliminating the need for manual intervention to maintain sync. | | | |
Used to set the timezone across all Redis Enterprise containers. You can either propagate the host's timezone to RS pods or set it manually via timezoneName.

| Field | Description | Scheme | Default Value | Required |
|---|---|---|---|---|
| propagateHost | Indicates that the container timezone should be in sync with the host. This option mounts a hostPath volume onto RS pods, which could be restricted in some systems. | | | |
| Field | Description | Scheme | Default Value | Required |
|---|---|---|---|---|
| | The repository (name) of the container image to be deployed. | string | | true |
| versionTag | The tag of the container image to be deployed. | string | | true |
| digestHash | The digest hash of the container image to pull. When specified, the container image is pulled according to the digest hash instead of the image tag. The versionTag field must also be specified with the image tag matching this digest hash. Note: This field is only supported for OLM deployments. | string | | false |
| imagePullPolicy | The image pull policy to be applied to the container image. One of Always, Never, IfNotPresent. | | | |
DB ENDPOINT SUFFIX - used to set the db host ingress. Creates a host name, so it should be unique if more than one db is created on the cluster with the same name.
string
true
ingressAnnotations
Additional annotations to set on ingress resources created by the operator
Configuration for a template query. Mutually exclusive with the 'query' field. The substring '%u' will be replaced with the username, e.g., 'cn=%u,ou=dev,dc=example,dc=com'.
*string
false
query
Configuration for a search query. Mutually exclusive with the 'template' field. The substring '%u' in the query filter will be replaced with the username.
Configuration for an attribute query. Mutually exclusive with the 'query' field. Holds the name of an attribute of the LDAP user entity that contains a list of the groups that the user belongs to. e.g., 'memberOf'.
*string
false
query
Configuration for a search query. Mutually exclusive with the 'attribute' field. The substring '%D' in the query filter will be replaced with the user's Distinguished Name.
The Distinguished Name of the entry at which to start the search, e.g., 'ou=dev,dc=example,dc=com'.
string
true
filter
An RFC-4515 string representation of the filter to apply in the search. For an authentication query, the substring '%u' will be replaced with the username, e.g., '(cn=%u)'. For an authorization query, the substring '%D' will be replaced with the user's Distinguished Name, e.g., '(members=%D)'.
string
true
scope
The search scope for an LDAP query. One of: BaseObject, SingleLevel, WholeSubtree
Name of a secret within the same namespace, holding the credentials used to communicate with the LDAP server for authentication queries. The secret must have a key named 'dn' with the Distinguished Name of the user to execute the query, and 'password' with its password. If left blank, credentials-based authentication is disabled.
*string
false
caCertificateSecretName
Name of a secret within the same namespace, holding a PEM-encoded CA certificate for validating the TLS connection to the LDAP server. The secret must have a key named 'cert' with the certificate data. This field is applicable only when the protocol is LDAPS or STARTTLS.
*string
false
enabledForControlPlane
Whether to enable LDAP for control plane access. Disabled by default.
bool
false
enabledForDataPlane
Whether to enable LDAP for data plane access. Disabled by default.
bool
false
cacheTTLSeconds
The maximum TTL of cached entries.
*int
false
authenticationQuery
Configuration of authentication queries, mapping between the username, provided to the cluster for authentication, and the LDAP Distinguished Name.
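The LDAP query fields above are string templates: '%u' stands for the username in a 'template' DN or an authentication 'filter', and '%D' for the user's Distinguished Name in an authorization 'filter'. The script below is an added example (not operator or Redis Enterprise Software code) that renders those templates the way a reviewer would want to see them before enabling LDAP on a cluster. The page does not say whether or how RS escapes the substituted values; the RFC 4514 (DN) and RFC 4515 (filter) escaping here is this example's own defensive choice, and the sample usernames and DNs are constructed.

```python
"""Render LDAP 'template' and 'filter' strings with the '%u' / '%D' placeholders.

Added example, not part of the operator. Escaping is applied client-side here
as an assumption; the page does not state what Redis Enterprise does itself.
"""
from typing import Optional

# Search scopes listed on the page for the 'scope' field.
SCOPES = {"BaseObject", "SingleLevel", "WholeSubtree"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value placed inside a search filter."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a', '(' -> '\28'
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value placed inside a DN (an RDN value)."""
    specials = set(',+"\\<>;')
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in specials:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:                   # leading '#'
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def render_template(template: str, username: str) -> str:
    """Authentication query via 'template': '%u' becomes the (DN-escaped) username."""
    return template.replace("%u", escape_dn_value(username))


def render_filter(filter_str: str, username: Optional[str] = None,
                  user_dn: Optional[str] = None) -> str:
    """Search-query filter: '%u' -> username (authentication), '%D' -> user DN (authorization)."""
    rendered = filter_str
    if "%u" in rendered:
        if username is None:
            raise ValueError("filter uses %u but no username was supplied")
        rendered = rendered.replace("%u", escape_filter_value(username))
    if "%D" in rendered:
        if user_dn is None:
            raise ValueError("filter uses %D but no DN was supplied")
        rendered = rendered.replace("%D", escape_filter_value(user_dn))
    return rendered


def validate_query(base: str, filter_str: str, scope: str) -> dict:
    """Check the three search-query fields the page lists (base, filter, scope)."""
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {sorted(SCOPES)}, got {scope!r}")
    if not base:
        raise ValueError("base DN is required")
    if not (filter_str.startswith("(") and filter_str.endswith(")")):
        raise ValueError("filter must be a parenthesised RFC 4515 filter, e.g. '(cn=%u)'")
    return {"base": base, "filter": filter_str, "scope": scope}


if __name__ == "__main__":
    # Constructed sample values, using the shapes the page gives as examples.
    print(render_template("cn=%u,ou=dev,dc=example,dc=com", "alice"))
    print(render_filter("(cn=%u)", username="a*b("))          # special chars escaped
    print(render_filter("(members=%D)", user_dn="cn=alice,ou=dev,dc=example,dc=com"))
    print(validate_query("ou=dev,dc=example,dc=com", "(cn=%u)", "WholeSubtree"))
```

Rendering the query with a username that contains filter metacharacters, as the second call does, shows why escaping matters at whichever layer performs the substitution: the rendered filter stays a single equality assertion instead of being reshaped by the input.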
Indicates cluster APIs that are being managed by the operator. This only applies to cluster APIs which are optionally managed by the operator, such as cluster LDAP configuration. Most other APIs are automatically managed by the operator and are not listed here.

| Field | Description | Scheme | Default Value | Required |
|---|---|---|---|---|
| ldap | Indicates whether cluster LDAP configuration is managed by the operator. When this is enabled, the operator will reconcile the cluster LDAP configuration according to the '.spec.ldap' field in the RedisEnterpriseCluster resource. | | | |
An API object that represents the cluster's OCSP configuration.

| Field | Description | Scheme | Default Value | Required |
|---|---|---|---|---|
| ocspFunctionality | Whether to enable/disable the OCSP mechanism for the cluster. | *bool | | false |
| queryFrequency | Determines the interval (in seconds) at which the control plane polls the OCSP responder for a new status for the server certificate. Minimum value is 60. Maximum value is 86400. | *int | | false |
| responseTimeout | Determines the time interval (in seconds) for which the request waits for a response from the OCSP responder. Minimum value is 1. Maximum value is 60. | *int | | false |
| recoveryFrequency | Determines the interval (in seconds) at which the control plane polls the OCSP responder for a new status for the server certificate when the current staple is invalid. Minimum value is 60. Maximum value is 86400. | *int | | false |
| recoveryMaxTries | Determines the maximum number of OCSP recovery attempts. After the maximum number of tries has passed, the control plane reverts to the regular frequency. Minimum value is 1. Maximum value is 100. | | | |
Configuration for LoadBalancer services created to assign public IPs for Redis Enterprise cluster nodes.

| Field | Description | Scheme | Default Value | Required |
|---|---|---|---|---|
| serviceAnnotations | Additional annotations to set on LoadBalancer services created for Redis Enterprise cluster nodes. These annotations are merged with global service annotations from spec.services.servicesAnnotations. | map[string]string | | false |
| externalTrafficPolicy | ExternalTrafficPolicy specifies the externalTrafficPolicy for LoadBalancer services created for Redis Enterprise cluster nodes. Choose "Local" to configure the LoadBalancer to only route traffic to the single worker node hosting the Redis Enterprise cluster node for that service. Choose "Cluster" to route traffic to any worker node, providing more stable behavior during failovers but with increased overhead due to the additional hop. Defaults to "Local" when podCIDRs is configured, and "Cluster" otherwise. | | | |
Cluster-level configuration for OSS cluster mode databases.

| Field | Description | Scheme | Default Value | Required |
|---|---|---|---|---|
| externalAccessType | Specifies the mechanism for enabling external access to OSS cluster databases. When unset or set to "Disabled", external access is not allowed for any OSS cluster databases. When set to a specific mechanism (e.g., "LoadBalancer"), that mechanism is used to provide external access. Note: Individual databases must still enable external access via their ossClusterSettings.enableExternalAccess field. | | | |
A list of Kubernetes pod CIDR ranges from which pod IPs are allocated. Supports both IPv4 (e.g., "10.30.0.0/16") and IPv6 addresses. This field should only be configured when OSS cluster databases need to be accessed from both internal and external clients. When configured, internal communication can reach pods directly using their pod IPs, bypassing the external access mechanism (e.g., load balancer services) for improved performance. IMPORTANT: For this feature to work correctly, the entire data path must preserve the client source IP address. This is required because the Redis server uses the client's source IP to construct the CLUSTER SHARDS/SLOTS response - returning pod IPs for internal clients (matching podCIDRs) or load balancer addresses for external clients. On cloud platforms, this typically requires configuring the load balancer to preserve source IPs.
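The podCIDRs rule above is a source-IP decision: a client whose preserved source address falls inside a pod CIDR is told pod IPs, anyone else is told the load balancer address. The script below is an added example (not Redis server or operator code; the real decision is made inside Redis Enterprise when it answers CLUSTER SHARDS/SLOTS) that reproduces that classification for IPv4 and IPv6 and makes the failure mode visible: when the data path does not preserve the client source IP, an internal client arrives with a node or load balancer address, is classified as external, and is sent through the external path. All addresses are constructed (RFC 5737 documentation ranges and a ULA prefix).

```python
"""Classify OSS cluster clients by source IP against the configured podCIDRs.

Added example, not operator or Redis Enterprise code. Endpoints and client
addresses are constructed sample values.
"""
import ipaddress


def parse_pod_cidrs(cidrs):
    """Parse the podCIDRs list; mixed IPv4/IPv6 entries are allowed."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_internal_client(client_ip: str, networks) -> bool:
    """A client is internal when its (preserved) source IP is inside any pod CIDR."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net for net in networks)


def advertised_endpoint(client_ip: str, networks, pod_endpoint: str, external_endpoint: str) -> str:
    """Return the pod endpoint for internal clients and the load balancer endpoint otherwise."""
    return pod_endpoint if is_internal_client(client_ip, networks) else external_endpoint


def classify_clients(client_ips, networks, pod_endpoint, external_endpoint):
    """Map each client source IP to the endpoint it would be told about."""
    return {ip: advertised_endpoint(ip, networks, pod_endpoint, external_endpoint)
            for ip in client_ips}


# Constructed configuration: one IPv4 and one IPv6 pod CIDR, as the field allows.
POD_CIDRS = parse_pod_cidrs(["10.30.0.0/16", "fd00:1234::/64"])
POD_ENDPOINT = "10.30.4.7:12000"        # constructed pod IP of the shard
EXTERNAL_ENDPOINT = "203.0.113.10:12000"  # constructed load balancer address

# Constructed clients: a pod, an IPv6 pod, an external client, and an internal
# client whose source IP was rewritten to a node address (source IP not preserved).
SAMPLE_CLIENTS = ["10.30.4.7", "fd00:1234::a", "198.51.100.7", "192.0.2.5"]

if __name__ == "__main__":
    for ip, endpoint in classify_clients(SAMPLE_CLIENTS, POD_CIDRS, POD_ENDPOINT, EXTERNAL_ENDPOINT).items():
        where = "internal" if is_internal_client(ip, POD_CIDRS) else "external"
        print(f"{ip:>16}  {where:8}  -> {endpoint}")
```

The last sample client is the case the page's IMPORTANT note warns about: its real address is inside the pod CIDR, but because the path rewrote the source IP to 192.0.2.5 it is classified as external and receives the load balancer address, so the direct-pod optimisation silently stops applying.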
| Field | Description | Scheme | Default Value | Required |
|---|---|---|---|---|
| | Secret name to use for the cluster's API certificate. The secret must have the following keys: a key named 'certificate'/'cert'/'tls.crt' with the certificate in PEM format; a key named 'key'/'tls.key' with the private key; and optionally a key named 'ca.crt' containing the public certificate of the root CA. If 'ca.crt' is present, the root CA certificate is appended to the certificate provided in the 'tls.crt' (or equivalent) key to form a full certificate chain; otherwise, the certificate in 'tls.crt' must include the full certificate chain inline. 'ca.crt' is typically populated by cert-manager when it has access to the root certificate; otherwise it can be added manually. If left blank, a cluster-provided certificate will be used. | string | | false |
| cmCertificateSecretName | Secret name to use for the cluster's CM (Cluster Manager) certificate. The secret must have the following keys: a key named 'certificate'/'cert'/'tls.crt' with the certificate in PEM format; a key named 'key'/'tls.key' with the private key; and optionally a key named 'ca.crt' containing the public certificate of the root CA. If 'ca.crt' is present, the root CA certificate is appended to the certificate provided in the 'tls.crt' (or equivalent) key to form a full certificate chain; otherwise, the certificate in 'tls.crt' must include the full certificate chain inline. 'ca.crt' is typically populated by cert-manager when it has access to the root certificate; otherwise it can be added manually. If left blank, a cluster-provided certificate will be used. | string | | false |
| metricsExporterCertificateSecretName | Secret name to use for the cluster's Metrics Exporter certificate. The secret must have the following keys: a key named 'certificate'/'cert'/'tls.crt' with the certificate in PEM format; a key named 'key'/'tls.key' with the private key; and optionally a key named 'ca.crt' containing the public certificate of the root CA. If 'ca.crt' is present, the root CA certificate is appended to the certificate provided in the 'tls.crt' (or equivalent) key to form a full certificate chain; otherwise, the certificate in 'tls.crt' must include the full certificate chain inline. 'ca.crt' is typically populated by cert-manager when it has access to the root certificate; otherwise it can be added manually. If left blank, a cluster-provided certificate will be used. | string | | false |
| proxyCertificateSecretName | Secret name to use for the cluster's Proxy certificate. The secret must have the following keys: a key named 'certificate'/'cert'/'tls.crt' with the certificate in PEM format; a key named 'key'/'tls.key' with the private key; and optionally a key named 'ca.crt' containing the public certificate of the root CA. If 'ca.crt' is present, the root CA certificate is appended to the certificate provided in the 'tls.crt' (or equivalent) key to form a full certificate chain; otherwise, the certificate in 'tls.crt' must include the full certificate chain inline. 'ca.crt' is typically populated by cert-manager when it has access to the root certificate; otherwise it can be added manually. If left blank, a cluster-provided certificate will be used. Note: For Active-Active databases (REAADB), certificate updates are automatically reconciled. When you update this secret, the operator detects the change and automatically executes a CRDB force update (equivalent to 'crdb-cli crdb update --force'), which synchronizes the certificate changes to all participating clusters, eliminating the need for manual intervention. | string | | false |
| syncerCertificateSecretName | Secret name to use for the cluster's Syncer certificate. The secret must have the following keys: a key named 'certificate'/'cert'/'tls.crt' with the certificate in PEM format; a key named 'key'/'tls.key' with the private key; and optionally a key named 'ca.crt' containing the public certificate of the root CA. If 'ca.crt' is present, the root CA certificate is appended to the certificate provided in the 'tls.crt' (or equivalent) key to form a full certificate chain; otherwise, the certificate in 'tls.crt' must include the full certificate chain inline. 'ca.crt' is typically populated by cert-manager when it has access to the root certificate; otherwise it can be added manually. If left blank, a cluster-provided certificate will be used. Note: For Active-Active databases (REAADB), certificate updates are automatically reconciled. When you update this secret, the operator detects the change and automatically executes a CRDB force update (equivalent to 'crdb-cli crdb update --force'), which synchronizes the certificate changes to all participating clusters, eliminating the need for manual intervention. | string | | false |
| ldapClientCertificateSecretName | Secret name to use for the cluster's LDAP client certificate. The secret must have the following keys: a key named 'certificate'/'cert'/'tls.crt' with the certificate in PEM format; a key named 'key'/'tls.key' with the private key; and optionally a key named 'ca.crt' containing the public certificate of the root CA. If 'ca.crt' is present, the root CA certificate is appended to the certificate provided in the 'tls.crt' (or equivalent) key to form a full certificate chain; otherwise, the certificate in 'tls.crt' must include the full certificate chain inline. 'ca.crt' is typically populated by cert-manager when it has access to the root certificate; otherwise it can be added manually. If left blank, LDAP client certificate authentication will be disabled. | string | | false |
| dpInternodeEncryptionCertificateSecretName | Secret name to use for the cluster's Data Plane Internode Encryption (DPINE) certificate. The secret must have the following keys: a key named 'certificate'/'cert'/'tls.crt' with the certificate in PEM format; a key named 'key'/'tls.key' with the private key; and optionally a key named 'ca.crt' containing the public certificate of the root CA. If 'ca.crt' is present, the root CA certificate is appended to the certificate provided in the 'tls.crt' (or equivalent) key to form a full certificate chain; otherwise, the certificate in 'tls.crt' must include the full certificate chain inline. 'ca.crt' is typically populated by cert-manager when it has access to the root certificate; otherwise it can be added manually. If left blank, a cluster-provided certificate will be used. | string | | false |
| cpInternodeEncryptionCertificateSecretName | Secret name to use for the cluster's Control Plane Internode Encryption (CPINE) certificate. The secret must have the following keys: a key named 'certificate'/'cert'/'tls.crt' with the certificate in PEM format; a key named 'key'/'tls.key' with the private key; and optionally a key named 'ca.crt' containing the public certificate of the root CA. If 'ca.crt' is present, the root CA certificate is appended to the certificate provided in the 'tls.crt' (or equivalent) key to form a full certificate chain; otherwise, the certificate in 'tls.crt' must include the full certificate chain inline. 'ca.crt' is typically populated by cert-manager when it has access to the root certificate; otherwise it can be added manually. If left blank, a cluster-provided certificate will be used. | string | | false |
| ssoServiceCertificateSecretName | Secret name to use for the SSO Service Provider (SP) certificate. This certificate is used by the cluster to sign SAML requests and encrypt SAML responses, and it must be configured as part of the SSO setup before SSO can be enabled for the cluster. The secret must have the following keys: a key named 'certificate'/'cert'/'tls.crt' with the certificate in PEM format; a key named 'key'/'tls.key' with the private key; and optionally a key named 'ca.crt' containing the public certificate of the root CA. If 'ca.crt' is present, the root CA certificate is appended to the certificate provided in the 'tls.crt' (or equivalent) key to form a full certificate chain; otherwise, the certificate in 'tls.crt' must include the full certificate chain inline. 'ca.crt' is typically populated by cert-manager when it has access to the root certificate; otherwise it can be added manually. | string | | false |
| ssoIssuerCertificateSecretName | Secret name to use for the SSO Identity Provider (IdP) certificate. This is the public certificate from your SAML Identity Provider used to verify SAML assertions. The secret must contain a single field named 'certificate'/'cert'/'tls.cert' (no 'key' field is needed for the IdP certificate). This certificate must be configured as part of the SSO setup before SSO can be enabled for the cluster. Note: While IdP metadata XML may contain the certificate, Redis Enterprise Server does not use it from there, so the certificate must be provided separately via this secret. | | | |
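Every TLS secret in the table above follows the same key layout: one of 'certificate'/'cert'/'tls.crt' for the certificate, one of 'key'/'tls.key' for the private key, and an optional 'ca.crt' that is appended to the leaf to form the chain; the IdP secret is the exception, holding a certificate only. The script below is an added example (not operator code) that applies those rules to secret contents and reports how many PEM blocks the resulting chain holds, which is the quickest way to spot a secret that has neither 'ca.crt' nor an inline chain before the cluster loads it. Secret contents are modelled as a dict of already-decoded strings (a Kubernetes Secret stores them base64-encoded under .data), and the PEM bodies are constructed placeholders, not real certificates.

```python
"""Resolve certificate secrets laid out as the page describes.

Added example, not operator code. Call with the decoded values of a
Kubernetes Secret's .data; the PEM bodies below are constructed placeholders.
"""
import re

CERT_KEYS = ("certificate", "cert", "tls.crt")      # accepted certificate key names
KEY_KEYS = ("key", "tls.key")                         # accepted private key names
IDP_CERT_KEYS = ("certificate", "cert", "tls.cert")   # IdP secret: certificate only
CA_KEY = "ca.crt"                                     # optional root CA

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def _first_present(data: dict, names) -> str:
    """Return the first key from `names` that exists in `data` with a non-empty value."""
    for name in names:
        if data.get(name):
            return name
    return None


def resolve_tls_secret(data: dict) -> dict:
    """Build what the cluster would load from a TLS secret.

    Returns the certificate chain (leaf first, then ca.crt if present), the
    private key, the number of PEM certificate blocks in the chain and whether
    ca.crt was appended. Raises ValueError when a mandatory key is missing.
    """
    cert_key = _first_present(data, CERT_KEYS)
    key_key = _first_present(data, KEY_KEYS)
    if cert_key is None:
        raise ValueError(f"no certificate: expected one of {CERT_KEYS}")
    if key_key is None:
        raise ValueError(f"no private key: expected one of {KEY_KEYS}")
    chain = data[cert_key].strip()
    ca_appended = bool(data.get(CA_KEY))
    if ca_appended:
        # ca.crt present: the root CA is appended after the leaf to form the chain
        chain = chain + "\n" + data[CA_KEY].strip()
    pem_blocks = len(_PEM_BLOCK.findall(chain))
    if pem_blocks == 0:
        raise ValueError(f"'{cert_key}' holds no PEM certificate block")
    return {
        "cert_key": cert_key,
        "key_key": key_key,
        "chain": chain,
        "key": data[key_key],
        "pem_blocks": pem_blocks,       # 1 means: no ca.crt and no inline chain
        "ca_appended": ca_appended,
    }


def resolve_idp_secret(data: dict) -> str:
    """IdP (issuer) secret: a single certificate field, no private key."""
    cert_key = _first_present(data, IDP_CERT_KEYS)
    if cert_key is None:
        raise ValueError(f"no certificate: expected one of {IDP_CERT_KEYS}")
    return data[cert_key]


# Constructed sample secrets (placeholder PEM bodies, not real certificates).
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-LEAF\n-----END CERTIFICATE-----"
ROOT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-ROOT\n-----END CERTIFICATE-----"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END PRIVATE KEY-----"

CERT_MANAGER_LAYOUT = {"tls.crt": LEAF_PEM, "tls.key": KEY_PEM, "ca.crt": ROOT_PEM}
INLINE_CHAIN_LAYOUT = {"certificate": LEAF_PEM + "\n" + ROOT_PEM, "key": KEY_PEM}
LEAF_ONLY_LAYOUT = {"tls.crt": LEAF_PEM, "tls.key": KEY_PEM}
IDP_ONLY_LAYOUT = {"cert": ROOT_PEM}

if __name__ == "__main__":
    for name, secret in [("cert-manager layout", CERT_MANAGER_LAYOUT),
                         ("inline chain", INLINE_CHAIN_LAYOUT),
                         ("leaf only", LEAF_ONLY_LAYOUT)]:
        r = resolve_tls_secret(secret)
        print(f"{name}: certificate from {r['cert_key']!r}, "
              f"{r['pem_blocks']} PEM block(s), ca.crt appended={r['ca_appended']}")
    print("IdP certificate loaded:", resolve_idp_secret(IDP_ONLY_LAYOUT).splitlines()[0])
```

A result with one PEM block and no 'ca.crt' is worth a second look before the secret is referenced from the REC: it only works when the leaf is signed directly by a root that every peer already trusts.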
ADVANCED USAGE USE AT YOUR OWN RISK - specify pod attributes that are required for the statefulset - Redis Enterprise pods. Pod attributes managed by the operator might override these settings. Also make sure the attributes are supported by the K8s version running on the cluster - the operator does not validate that.
Name or path of the Kubernetes secret or Vault secret containing the cluster license. When left blank, the license is read from the "license" field. Cannot specify non-empty values in both "license" and "licenseSecretName" fields. The license must be stored under the key "license".
Node selector for scheduling pods on specific nodes. This applies to all pods managed by the operator: Redis Enterprise nodes, Services Rigger, and Call Home Client.
*map[string]string
false
redisEnterpriseImageSpec
Container image specification for Redis Enterprise.
Additional sidecar containers to add to each Redis Enterprise pod.
[]v1.Container
empty
false
extraLabels
Additional labels applied to resources created by the operator (Services, Secrets, StatefulSet, etc.). Note that PersistentVolumeClaims are only labeled with extra labels specified during cluster creation. Modifying this field after cluster creation does not affect existing PersistentVolumeClaims.
map[string]string
empty
false
podAntiAffinity
Custom anti-affinity rules for Redis Enterprise pods. If specified, this overrides the default anti-affinity rules which place Redis Enterprise pods on separate nodes.
*v1.PodAntiAffinity
false
antiAffinityAdditionalTopologyKeys
Additional topology keys for anti-affinity rules to support installation across different zones or vCenters.
[]string
false
activeActive
Ingress connectivity configuration for Active-Active databases. This field is deprecated, use ingressOrRouteSpec instead; cannot be used simultaneously with ingressOrRouteSpec.
Forces IPv4 networking by setting the ENFORCE_IPV4 environment variable.
*bool
false
false
clusterRecovery
Initiates cluster recovery when set to true. This field is automatically cleared after recovery completes.
*bool
false
rackAwarenessNodeLabel
Node label that specifies rack ID for creating a rack-aware cluster. Requires the label to exist on all nodes and the operator to have cluster role permissions to list nodes.
string
false
priorityClassName
Priority class name for pods managed by the operator.
Name or path of the secret containing cluster credentials. Defaults to the cluster name if left blank. For Kubernetes secrets (default): Can be customized to any valid secret name, or left blank to use the cluster name. The secret can be pre-created with 'username' and 'password' fields, or otherwise it will be automatically created with a default username and auto-generated password. On running clusters, this field can be changed to point to a different existing secret. The new secret must exist, contain valid 'username' and 'password' fields, and the credentials must work with the RS cluster. For Vault secrets: Can be customized with the path of the secret within Vault. The secret must be pre-created in Vault before REC creation.
string
false
clusterCredentialSecretType
Type of secret for cluster credentials (vault or kubernetes). Defaults to kubernetes if left blank.
string
false
clusterCredentialSecretRole
Vault role for cluster credentials. Used only when ClusterCredentialSecretType is vault. Defaults to "redis-enterprise-rec" if blank.
string
false
vaultCASecret
Name of the Kubernetes secret containing Vault's CA certificate. Defaults to "vault-ca-cert".
string
false
redisEnterpriseServicesConfiguration
Configuration for optional Redis Enterprise services. Note: Disabling the CM Server service removes the cluster's UI Service from the Kubernetes cluster. The saslauthd entry is deprecated and will be removed.
Cluster-wide internode encryption (INE) policy for new databases. Can be overridden for specific databases using the same setting in RedisEnterpriseDatabase.
Termination grace period in seconds for Redis Enterprise pods. Pods should not be forcefully terminated as clean shutdown prevents data loss. The default value is intentionally large (1 year). For pure caching configurations where data loss is acceptable, a shorter value may be used.
*int64
31536000
false
redisOnFlashSpec
Redis Flex (previously known as Redis on Flash) configuration. When provided, the cluster can create Redis Flex databases.
Private key encryption. Possible values: true/false
*bool
false
redisEnterpriseIPFamily
When the operator is running in a dual-stack environment (both IPv4 and IPv6 network interfaces are available), specifies the IP family of the network interface that will be used by the Redis Enterprise cluster, as well as services created by the operator (API, UI, Prometheus services).
v1.IPFamily
false
containerTimezone
Container timezone configuration. While the default timezone on all containers is UTC, this setting can be used to set the timezone on services rigger/bootstrapper/RS containers. Currently the only supported value is to propagate the host timezone to all containers.
Access configurations for the Redis Enterprise cluster and databases. At most one of ingressOrRouteSpec or activeActive fields can be set at the same time.
ADVANCED USAGE: use carefully. Add environment variables to RS StatefulSet's containers.
[]v1.EnvVar
false
resp3Default
Whether databases will turn on RESP3 compatibility upon database upgrade. Note - Deleting this property after explicitly setting its value shall have no effect. Please view the corresponding field in RS doc for more info.
List of user-defined modules to be downloaded and installed during cluster bootstrap. The modules on the list will be downloaded on cluster creation, upgrade, scale-out and recovery, and installed on all nodes. Alpha feature - use only if instructed. Note that changing this field for a running cluster will trigger a rolling update.
Cluster-level configuration for auditing database connection and authentication events. Includes both the audit listener connection parameters and the default policy for new databases.
Versions of open source databases bundled by Redis Enterprise Software. Note that in order to use a specific version, it must be supported by the 'upgradePolicy' ('major' or 'latest', according to the desired version, major/minor).
Indicates cluster APIs that are being managed by the operator. This only applies to cluster APIs which are optionally-managed by the operator, such as cluster LDAP configuration. Most other APIs are automatically managed by the operator, and are not listed here.
The chosen IP family of the cluster, if it was specified in the REC spec.
v1.IPFamily
false
persistenceStatus
The status of the Persistent Volume Claims that are used for Redis Enterprise cluster persistence. The status will correspond to the status of one or more of the PVCs (failed/resizing if one of them is in resize or failed to resize)
Stores information about cluster certificates and their update process. In Active-Active databases, this is used to detect updates to the certificates, and trigger synchronization across the participating clusters.
The name of the secret containing cluster credentials currently in use by the cluster. This field tracks the current credential secret name and is updated when the secret name changes.
Resource limits management settings for Redis Enterprise node containers.

| Field | Description | Scheme | Default Value | Required |
|---|---|---|---|---|
| allowAutoAdjustment | Allows Redis Enterprise to automatically adjust resource limits (such as max open file descriptors) for its data plane processes. When enabled, the SYS_RESOURCE capability is added to Redis Enterprise pods and their allowPrivilegeEscalation field is set. Disabled by default. | | | |
Base address used to construct Service Provider (SP) URLs, such as the ACS URL and SLO URL. Format: [scheme://]host[:port]. Examples:

- "https://redis-ui.example.com:9443" (recommended - explicit scheme)
- "redis-ui.example.com:9443" (defaults to https://)
- "http://redis-ui.example.com:9443" (NOT recommended for production)

If the scheme is not specified, the operator automatically prepends "https://". WARNING: Using "http://" is NOT recommended for production environments, as it transmits sensitive SAML assertions in plaintext. Only use "http://" for testing/development purposes.

If set, this value is used to construct the SP URLs. If unset, the base address is automatically determined from the REC Cluster Manager UI service:

- If the UI service type is LoadBalancer (configured via spec.uiServiceType), the load balancer address is used.
- Otherwise, the cluster-internal DNS name is used (e.g., rec-ui.svc.cluster.local).
- The port defaults to 8443 if not specified.

Usage guidelines:

- For LoadBalancer services: leave this field blank to use the default REC UI service, or set it explicitly to the LoadBalancer address for custom services.
- For Ingress: set this to the ingress hostname and port (typically 443), e.g., "https://redis-ui.example.com:443".
Name of a secret in the same namespace that contains the Identity Provider (IdP) metadata XML. The secret must contain a key named 'idp_metadata' with the IdP metadata XML content. The XML can be plain text or base64-encoded; the operator handles encoding as needed. Obtain this metadata from your SAML Identity Provider (for example, Okta or Azure AD). This is the recommended configuration method, as it's less error-prone. Either idpMetadataSecretName or issuer must be specified. If both are provided, idpMetadataSecretName takes precedence and issuer is ignored.
string
false
issuer
Manual Identity Provider (IdP) configuration. Use this when IdP metadata XML is unavailable. Either idpMetadataSecretName or issuer must be specified. If both are provided, idpMetadataSecretName takes precedence and issuer is ignored.
Name of a secret where the operator stores the Service Provider (SP) metadata XML. The operator creates this secret with a key named 'sp_metadata' that contains the base64-encoded SP metadata XML. Upload this metadata to your Identity Provider. If not specified, the Service Provider metadata isn't stored in a K8s secret, but can still be obtained directly from the cluster's UI and/or API. Note: This secret is only created when the cluster is configured to use Kubernetes secrets (spec.clusterCredentialSecretType is unset or set to "kubernetes"). When using Vault secrets, the operator does not create this secret. Users can obtain the SP metadata directly from the Redis Enterprise Server API endpoint: GET /v1/cluster/sso/saml/metadata/sp and store it in Vault themselves if needed.
Enables SSO for Cluster Manager authentication. SSO requires the following configuration:

- Service Provider certificate (spec.certificates.ssoServiceCertificateSecretName)
- Identity Provider certificate (spec.certificates.ssoIssuerCertificateSecretName)
- IdP metadata or manual issuer configuration (spec.sso.saml.idpMetadataSecretName or spec.sso.saml.issuer)
- Base address for Service Provider URLs (auto-determined from the UI service or set via spec.sso.saml.serviceProvider.baseAddress)
bool
true
enforceSSO
Enforces SSO-only authentication for the Cluster Manager. When true, local username/password authentication is disabled for non-admin users. When false (default), both SSO and local authentication are available.
bool
false
saml
SAML-based SSO configuration. Currently, SAML is the only supported SSO protocol.
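Two of the SSO rules above are easy to get wrong when writing the REC by hand: the base address format ("[scheme://]host[:port]", with https:// prepended when the scheme is missing and http:// discouraged because SAML assertions would travel in plaintext) and the list of prerequisites that must all be in place before SSO is enabled. The script below is an added example (not operator code) that normalises a base address the way the description specifies and lists which prerequisites a spec is still missing. One assumption is labelled in the code: the page gives the 8443 default port for the auto-determined address, and this example also applies it to an explicit address written without a port. The sample specs are constructed.

```python
"""Normalise spec.sso.saml.serviceProvider.baseAddress and check SSO prerequisites.

Added example, not operator code. Spec values are plain dicts mirroring the
field paths named on the page; sample specs are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_SCHEME = "https"
# The page states 8443 as the default for the auto-determined address; applying
# it to an explicit address without a port is this example's assumption.
DEFAULT_PORT = 8443


def normalize_base_address(raw: str, default_port: int = DEFAULT_PORT) -> dict:
    """Parse '[scheme://]host[:port]' into scheme, host, port, a rendered URL and a plaintext flag."""
    value = raw.strip()
    if not value:
        raise ValueError("base address is empty")
    if "://" not in value:
        value = f"{DEFAULT_SCHEME}://{value}"   # operator prepends https:// when no scheme is given
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if parts.hostname is None:
        raise ValueError("no host in base address")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("base address must not contain a path, query or fragment")
    host = parts.hostname
    if ":" in host:                      # IPv6 literal: keep the brackets when rendering
        host = f"[{host}]"
    port = parts.port if parts.port is not None else default_port
    return {
        "scheme": parts.scheme,
        "host": host,
        "port": port,
        "url": f"{parts.scheme}://{host}:{port}",
        "plaintext": parts.scheme == "http",   # http carries SAML assertions unencrypted
    }


def sso_config_issues(spec: dict) -> list:
    """Return the SSO prerequisites the spec is still missing (empty list means ready)."""
    certs = spec.get("certificates", {})
    saml = spec.get("sso", {}).get("saml", {})
    issues = []
    if not certs.get("ssoServiceCertificateSecretName"):
        issues.append("certificates.ssoServiceCertificateSecretName is not set")
    if not certs.get("ssoIssuerCertificateSecretName"):
        issues.append("certificates.ssoIssuerCertificateSecretName is not set")
    if not saml.get("idpMetadataSecretName") and not saml.get("issuer"):
        issues.append("neither sso.saml.idpMetadataSecretName nor sso.saml.issuer is set")
    base = saml.get("serviceProvider", {}).get("baseAddress")
    if base:  # when unset, the operator derives the address from the UI service
        try:
            if normalize_base_address(base)["plaintext"]:
                issues.append("sso.saml.serviceProvider.baseAddress uses http:// (plaintext SAML)")
        except ValueError as exc:
            issues.append(f"sso.saml.serviceProvider.baseAddress is invalid: {exc}")
    return issues


# Constructed sample specs: secret names are placeholders.
READY_SPEC = {
    "certificates": {"ssoServiceCertificateSecretName": "sso-sp-cert",
                     "ssoIssuerCertificateSecretName": "sso-idp-cert"},
    "sso": {"saml": {"idpMetadataSecretName": "idp-metadata",
                     "serviceProvider": {"baseAddress": "redis-ui.example.com:9443"}}},
}
PLAINTEXT_SPEC = {
    "certificates": dict(READY_SPEC["certificates"]),
    "sso": {"saml": {"issuer": {"placeholder": "manual IdP config"},
                     "serviceProvider": {"baseAddress": "http://redis-ui.example.com:9443"}}},
}

if __name__ == "__main__":
    for addr in ["https://redis-ui.example.com:9443", "redis-ui.example.com:9443",
                 "redis-ui.example.com", "http://redis-ui.example.com:9443"]:
        print(f"{addr:40} -> {normalize_base_address(addr)['url']}")
    print("ready spec issues:", sso_config_issues(READY_SPEC))
    print("plaintext spec issues:", sso_config_issues(PLAINTEXT_SPEC))
    print("empty spec issues:", sso_config_issues({}))
```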
Policy for enabling read-only root filesystem for Redis Enterprise containers. Note that certain filesystem paths remain writable through mounted volumes to ensure proper functionality.
Customization options for operator-managed service resources created for Redis Enterprise clusters and databases.

| Field | Description | Scheme | Default Value | Required |
|---|---|---|---|---|
| servicesAnnotations | Global additional annotations to set on service resources created by the operator. The specified annotations will not override annotations that already exist and didn't originate from the operator. | | | |
Service types for access to databases. Should be a comma-separated list. The possible values are cluster_ip, headless and load_balancer.
string
cluster_ip,headless
false
serviceNaming
Used to determine how to name the services created automatically when a database is created. When bdb_name is used, the database name will also be used for the service name. When redis-port is used, the service will be named redis-
string
bdb_name
false
extraEnvVars
[]v1.EnvVar
false
servicesRiggerAdditionalPodSpecAttributes
ADVANCED USAGE USE AT YOUR OWN RISK - specify pod attributes that are required for the rigger deployment pod. Pod attributes managed by the operator might override these settings (Containers, serviceAccountName, ImagePullSecrets, nodeSelector, PriorityClassName, PodSecurityContext). podTolerations are merged with tolerations defined here. Also make sure the attributes are supported by the K8s version running on the cluster - the operator does not validate that.
DatabaseServicePortPolicy instructs how to determine the service ports for REDB services. Defaults to DatabasePortForward if not specified otherwise. Note: regardless of whether this flag is set, if an REDB/REAADB is configured with databaseServicePort, that is the port exposed by the Service. Options:

- DatabasePortForward - The service port will be the same as the database port.
- RedisDefaultPort - The service port will be the default Redis port (6379).
Grace period in seconds between node failure and when the high availability mechanism starts relocating shards. Set to 0 to not affect cluster configuration.
OssClusterExternalAccessType specifies the mechanism used to provide external access to OSS cluster databases. This is a cluster-level control that determines whether external access is allowed and which mechanism to use. Individual databases must still opt in to external access via their ossClusterSettings.enableExternalAccess field.

| Value | Description |
|---|---|
| "LoadBalancer" | OssClusterExternalAccessLoadBalancer uses LoadBalancer services per REC pod to provide external access |
| "Disabled" | OssClusterExternalAccessDisabled explicitly disables external access for OSS cluster databases |