diff --git a/active_active_database_readme.md b/active_active_database_readme.md index 2794470..5443e2a 100644 --- a/active_active_database_readme.md +++ b/active_active_database_readme.md @@ -754,6 +754,7 @@ From the output fetch the redis 'targetPort': ## Limitations + ### No migration from the previous AA method migrating Active-Active database with non-operator managed Active-Active database is currently not supported. diff --git a/admission/GESHER.md b/admission/GESHER.md deleted file mode 100644 index b8ae20d..0000000 --- a/admission/GESHER.md +++ /dev/null 
@@ -1,254 +0,0 @@ -# Admission Control with Gesher Installation for Redis Enterprise Operator - -## Gesher Background - -Gesher is an operator that enables Kubernetes administrator to delegate the ability to setup webhook validating admission controllers to users for running within their own namespace. - -Gesher is configured by two custom resources. - -1) A cluster-scoped **NamespacedValidatingType** that defines what Kubernetes resources and operations Gesher is allowed to Proxy -2) A namespace-scoped **NamespacedValidatingRule** that is a namespaced equivalent to Kubernetes **ValidatingWebhookConfiguration** but only effects resources within its same namespace. - -### Choosing Traditional Cluster or Gesher's Delegated installation methods. - -Redis provides two methods for integrating admission control into one's system, what we refer to as *cluster* and *delegated* configurations. - -*Cluster* configuration integrates admission via the standard Kubernetes **ValidatingWebhookConfiguration** resource. This is a cluster-scoped kubernetes resource that can only be configured by a cluster administrator. - -*Delegated* configuration integrates admission via the open source [Gesher admission proxy operator](https://github.com/redislabs/gesher). Gesher enables an administrator to setup an operator that delegates the ability to setup admission control on namespaced objects to users with the appropriate RBAC permissions within the same namespace as the object. Instead of requiring a cluster-scoped resource that can impact all resources on a machine, Gesher's namespaced-scoped custom resources only impact resources within the same namespace. This avoids the needs for administrator intervention for every namespaced operator that will be deployed. - -We recommend using *Cluster* configuration when the cluster administrator is the one installing and managing the operator, as well as in clusters where one only expects a single operator to be used. 
- -*Delegated* configuration is meant for cases where the cluster administrator expects multiple namespaced operators to be used without their direct knowledge or intervention. - -If the cluster administrator involvement will always be required, using Gesher just adds complexity without any significant gain. - -## Installing Gesher - -## Gesher Bundle Installation - -Install the Gesher bundle into its own namespace: - -This must be done by the Kubernetes cluster administrator. - -**NOTE**: One must replace REPLACE_WITH_GESHER_NAMESPACE in the following command with the proper namespace -**NOTE**: If one is using openshift, one should replace `gesher.bundle.yaml` with `gesher.openshift.bundle.yaml` - -```shell script -sed 's/NAMESPACE_OF_SERVICE_ACCOUNT/REPLACE_WITH_GESHER_NAMESPACE/g' gesher.bundle.yaml | kubectl create -f - -``` - -This will deploy the admission proxy, and via an included **NamespacedValidatingType** custom resource, allow forwarding of REDB admission requests. However, until a **NamespacedValidatingRule** is installed into a namespace, admission is not setup. - -## Individual Yaml Installation - -1. Create, and switch to, a dedicated namespace for the Gesher Admission proxy - - If installing using Cluster Admission Controller method, skip this, and other steps related to Gesher, to step 11. - - ```shell script - kubectl create namespace gesher - kubectl config set-context --current --namespace=gesher - ``` - -2. ServiceAccount for the Gesher Admission proxy to run as - - ```shell script - kubectl apply -f gesher/service_account.yaml - ``` - -3. namespaced Role that allows the Gesher Admission proxy to function as an operator in its namespace. - - ```shell script - kubectl apply -f gesher/role.yaml - ``` - -4. Cluster Role that allows controlling the Kubernetes cluster's Admission webhook configuration, and the CRDs of the Gesher operator - - ```shell script - kubectl apply -f gesher/cluster_role.yaml - ``` - -5. 
Binding namespaced Role, and the Cluster Role to the service account of the Gesher Admission proxy - - NOTE: One must replace REPLACE_WITH_NAMESPACE in the following command with the namespace Gesher is being installed to, from above. - - ```shell script - kubectl apply -f gesher/role_binding.yaml - kubectl apply -f gesher/cluster_role_binding.yaml - ``` - -6. Kubernetes Service that is used to access the Gesher Admission Control HTTP proxy - - ```shell script - kubectl apply -f gesher/service.yaml - ``` - -8. Deployment for the Gesher operator - - **Note:** if one is using openshift, one should replace `operator.yaml` with `operator.openshift.yaml` - - ```shell script - kubectl apply -f gesher/operator.yaml - ``` - -9. NamespacedValidatingType and NamespacedValidatingRule CRDs - - **NamespacedValidatingTypes** and **NamespacedValidatingRules** are Custom Resource Definition that allow creating resources of the corresponding type. - - **NamespacedValidatingTypes** resources allow the Kubernetes cluster administrator to specify which resources _can_ be proxied by the Gesher Admission Controller proxy. Having a resource of this type is required - but not sufficient - to forward Admission requests to a namespaced Admission Controller. - A resource of this type will be created in the next step, to allow Admission Control of Redis Enterprise Database resources. - - **NamespacedValidatingRules** functions as the 'implementation' to **NamespacedValidatingTypes** 'interface'. A resource of this type represents a namespaced Admission Controller, and will usually be created in the same namespace as the Admission Controller, and possibly, the operator for the CRDs being admission controlled. - A resource of this type, that will register the Admission Controller for Redis Enterprise Database resources, will be created in the last step. 
- - ```shell script - kubectl apply -f gesher/crds/app.redislabs.com_namespacedvalidatingtype_crd.yaml - kubectl apply -f gesher/crds/app.redislabs.com_namespacedvalidatingrule_crd.yaml - ``` - -10. **NamespacedValidatingType** Custom Resource - - This is the Custom resource, mentioned in the previous step, that allows forwarding of Admission Control requests for Redis Enterprise Database resources. - - ```shell script - kubectl apply -f gesher/type.yaml - ``` - -## Verifying Gesher installation - -One can verify that gesher is running correctly by verifying that the **ValidatingWebhookConfiguration** it creates to point at itself has been created and has the appropriate data corresponding to the **NamespacedValidatingType** that was loaded - -```shell script -$ kubectl get ValidatingWebhookConfiguration -NAME CREATED AT -proxy.webhook.gesher 2020-10-05T16:18:21Z -``` - -and - -```shell script -$ kubectl get -o yaml ValidatingWebhookConfiguration proxy.webhook.gesher -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: proxy.webhook.gesher - -webhooks: -- admissionReviewVersions: - - v1beta1 - clientConfig: - caBundle: - service: - name: gesher - namespace: automation-1 - path: /proxy - port: 443 - failurePolicy: Fail - matchPolicy: Exact - name: proxy.webhook.gesher - namespaceSelector: {} - objectSelector: {} - rules: - - apiGroups: - - app.redislabs.com - apiVersions: - - v1alpha1 - operations: - - '*' - resources: - - redisenterprisedatabases - scope: Namespaced - sideEffects: Unknown - timeoutSeconds: 30 -``` - -## Installing Admission Controller - -Installing the admission controller with gesher is similiar to the traditional installation. It is a 2 step process - -1. Installing the admission controller via a single bundle or individual yaml files -2. Hooking up the admission webhook via gesher - -## Admission Control via Bundle Installation - -1. 
Install the Admission Controller via a bundle into the same namespace the REC was installed into. - -```shell script -kubectl create -f admission.bundle.yaml -``` - -## Individual Yaml Installation - -1. namespaced Role that allows creation and reading of Secrets - - ```shell script - kubectl apply -f role.yaml - ``` - -2. ServiceAccount for admission controller to run as - - ```shell script - kubectl apply -f service_account.yaml - ``` - -3. Binding namespaced Role to the service account - - ```shell script - kubectl apply -f role_binding.yaml - ``` - -4. Kubernetes Service that is used to access the Admission Control HTTP Server - - ```shell script - kubectl apply -f service.yaml - ``` - -5. TLS Key generator + Admission Controller HTTP Server - - ```shell script - kubectl apply -f deployment.yaml - ``` - -## Hooking up the Admission controller with Gesher - -**NOTE**: This only has to be done the first time setting up the admission controller, it can be skipped on update - -1. Wait for the secret to be created - - ```shell script - kubectl get secret admission-tls - NAME TYPE DATA AGE - admission-tls Opaque 2 2m43s - ``` - -2. Enable the gesher rule using the generated certificate - - ```shell script - # save cert - CERT=`kubectl get secret admission-tls -o jsonpath='{.data.cert}'` - sed -e "s#CERTIFICATE_PLACEHOLDER#${CERT}#g" gesher/rule.yaml | kubectl create -f - - ``` - -## Verifying Installation - -In order to verify that the all the components of the Admission Controller are installed correctly, we will try to apply an invalid resource that should force the admission controller to reject it. If it applies succesfully, it means the admission controller has not been hooked up correctly. 
- -```shell script -$ kubectl apply -f - << EOF -apiVersion: app.redislabs.com/v1alpha1 -kind: RedisEnterpriseDatabase -metadata: - name: redis-enterprise-database - labels: - app: redis-enterprise -spec: - evictionPolicy: illegal -EOF -``` - -This must fail with an error output by the admission webhook proxy.webhook.gesher that is being denied because 'illegal' is not a valid eviction policy. - -```shell script -Error from server: error when creating "STDIN": admission webhook "proxy.webhook.gesher" denied the request: proxied webhook webhook denied the request: eviction_policy: u'illegal' is not one of [u'volatile-lru', u'volatile-ttl', u'volatile-random', u'allkeys-lru', u'allkeys-random', u'noeviction', u'volatile-lfu', u'allkeys-lfu'] -``` diff --git a/admission/README.md b/admission/README.md index d3929a7..62c39c5 100644 --- a/admission/README.md +++ b/admission/README.md @@ -2,8 +2,6 @@ Redis Labs' Redis Enterprise Operator provides an installable admission control that can be used to verify RedisEnterpriseDatabase, RedisEnterpriseActiveActiveDatabase and RedisEnterpriseRemoteCluster resources on creation and modification for correctness. This prevents end users from creating syntatically valid but functionally invalid database configurations. The admission control leverages Kubernetes' built in [Dynamic Admission Control](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). -**Note:** Redis Labs' Redis Enterprise Operator can also be installed through the [Gesher Admission Proxy](GESHER.md) - ## Hooking up the Admission controller directly with Kubernetes **NOTE**: This only has to be done the first time setting up the redis enterprise operator, it can be skipped on update diff --git a/admission/gesher/cluster_role.yaml b/admission/gesher/cluster_role.yaml deleted file mode 100644 index 5829db5..0000000 --- a/admission/gesher/cluster_role.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: gesher -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - app.redislabs.com - resources: - - namespacedvalidatingtypes - - namespacedvalidatingtypes/status - - namespacedvalidatingrules - - namespacedvalidatingrules/status - verbs: ["*"] diff --git a/admission/gesher/cluster_role_binding.yaml b/admission/gesher/cluster_role_binding.yaml deleted file mode 100644 index db8d383..0000000 --- a/admission/gesher/cluster_role_binding.yaml +++ /dev/null @@ -1,14 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gesher - labels: - app: redis-enterprise -subjects: -- kind: ServiceAccount - name: gesher - namespace: NAMESPACE_OF_SERVICE_ACCOUNT -roleRef: - kind: ClusterRole - name: gesher - apiGroup: rbac.authorization.k8s.io diff --git a/admission/gesher/crds/app.redislabs.com_namespacedvalidatingrule_crd.yaml b/admission/gesher/crds/app.redislabs.com_namespacedvalidatingrule_crd.yaml deleted file mode 100644 index 2d60e24..0000000 --- a/admission/gesher/crds/app.redislabs.com_namespacedvalidatingrule_crd.yaml +++ /dev/null 
@@ -1,154 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: namespacedvalidatingrules.app.redislabs.com - labels: - app: redis-enterprise -spec: - group: app.redislabs.com - names: - kind: NamespacedValidatingRule - listKind: NamespacedValidatingRuleList - plural: namespacedvalidatingrules - singular: namespacedvalidatingrule - scope: Namespaced - versions: - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - properties: - webhooks: - items: - properties: - admissionReviewVersions: - items: - type: string - type: array - clientConfig: - properties: - caBundle: - format: byte - type: string - service: - properties: - name: - type: string - namespace: - type: string - path: - type: string - port: - format: int32 - type: integer - required: - - name - - namespace - type: object - url: - type: string - type: object - failurePolicy: - type: string - matchPolicy: - type: string - name: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - objectSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - rules: - items: - properties: - apiGroups: - items: - type: string - type: array - apiVersions: - items: - type: string - type: array - operations: - items: - type: string - type: array - resources: - items: - type: string - type: array - scope: 
- type: string - type: object - type: array - sideEffects: - type: string - timeoutSeconds: - format: int32 - type: integer - required: - - clientConfig - - name - type: object - type: array - type: object - status: - properties: - observedGeneration: - format: int64 - type: integer - type: object - type: object \ No newline at end of file diff --git a/admission/gesher/crds/app.redislabs.com_namespacedvalidatingtype_crd.yaml b/admission/gesher/crds/app.redislabs.com_namespacedvalidatingtype_crd.yaml deleted file mode 100644 index 37f4c32..0000000 --- a/admission/gesher/crds/app.redislabs.com_namespacedvalidatingtype_crd.yaml +++ /dev/null @@ -1,62 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: namespacedvalidatingtypes.app.redislabs.com - labels: - app: redis-enterprise -spec: - group: app.redislabs.com - names: - kind: NamespacedValidatingType - listKind: NamespacedValidatingTypeList - plural: namespacedvalidatingtypes - singular: namespacedvalidatingtype - scope: Cluster - versions: - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - properties: - types: - items: - properties: - apiGroups: - items: - type: string - type: array - apiVersions: - items: - type: string - type: array - operations: - items: - type: string - type: array - resources: - items: - type: string - type: array - scope: - type: string - type: object - type: array - type: object - status: - properties: - observedGeneration: - format: int64 - type: integer - type: object - type: object \ No newline at end of file diff --git a/admission/gesher/operator.openshift.yaml b/admission/gesher/operator.openshift.yaml deleted file mode 100644 index 9fdfde0..0000000 --- a/admission/gesher/operator.openshift.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gesher -spec: - replicas: 1 - selector: - matchLabels: - name: gesher - template: - metadata: - labels: - name: gesher - spec: - serviceAccountName: gesher - volumes: - - name: certs - emptyDir: - medium: Memory - containers: - - name: gesher - volumeMounts: - - mountPath: /certs - name: certs - image: redislabs/gesher:0.6 - command: - - "/manager" - args: - - "--namespace" - - "$(POD_NAMESPACE)" - imagePullPolicy: Always - env: - - name: WATCH_NAMESPACE - value: "" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: OPERATOR_NAME - value: "gesher" - resources: - limits: - cpu: 4000m - memory: 512Mi - requests: - cpu: 500m - memory: 256Mi - diff --git a/admission/gesher/operator.yaml b/admission/gesher/operator.yaml deleted file mode 100644 index bb5f7e0..0000000 --- a/admission/gesher/operator.yaml +++ /dev/null @@ -1,57 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gesher -spec: - replicas: 1 - selector: - matchLabels: - name: gesher - template: - metadata: - labels: - name: gesher - app: redis-enterprise - spec: - securityContext: - runAsUser: 1001 - runAsGroup: 1001 - fsGroup: 1001 - serviceAccountName: gesher - volumes: - - name: certs - emptyDir: - medium: Memory - containers: - - name: gesher - volumeMounts: - - mountPath: /certs - name: certs - image: redislabs/gesher:0.6 - command: - - "/manager" - args: - - "--namespace" - - "$(POD_NAMESPACE)" - imagePullPolicy: Always - env: - - name: WATCH_NAMESPACE - value: "" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: OPERATOR_NAME - value: "gesher" - resources: - limits: - cpu: 4000m - memory: 512Mi - requests: - cpu: 500m - memory: 256Mi - 
diff --git a/admission/gesher/role.yaml b/admission/gesher/role.yaml deleted file mode 100644 index 149ca7b..0000000 --- a/admission/gesher/role.yaml +++ /dev/null @@ -1,63 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: gesher - labels: - app: redis-enterprise -rules: -- apiGroups: - - "" - resources: - - pods - - services - - services/finalizers - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - apps - resources: - - deployments - - daemonsets - - replicasets - - statefulsets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create -- apiGroups: - - apps - resourceNames: - - gesher - resources: - - deployments/finalizers - verbs: - - update -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - resourceNames: - - redis-enterprise-psp - verbs: - - use - diff --git a/admission/gesher/role_binding.yaml b/admission/gesher/role_binding.yaml deleted file mode 100644 index 34d9fdd..0000000 --- a/admission/gesher/role_binding.yaml +++ /dev/null @@ -1,13 +0,0 @@ -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gesher - labels: - app: redis-enterprise -subjects: -- kind: ServiceAccount - name: gesher -roleRef: - kind: Role - name: gesher - apiGroup: rbac.authorization.k8s.io diff --git a/admission/gesher/rule.yaml b/admission/gesher/rule.yaml deleted file mode 100644 index 04f8611..0000000 --- a/admission/gesher/rule.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: app.redislabs.com/v1alpha1 -kind: NamespacedValidatingRule -metadata: - name: redb -spec: - webhooks: - - name: "redb-admission" - failurePolicy: Fail - timeoutSeconds: 25 - matchPolicy: Exact - sideEffects: None - clientConfig: - service: - name: "admission" - port: 443 - path: "/admission" - caBundle: CERTIFICATE_PLACEHOLDER - rules: - - apiGroups: ["app.redislabs.com"] - apiVersions: ["v1alpha1"] - resources: ["redisenterprisedatabases"] - operations: ["*"] - admissionReviewVersions: ["v1"] - diff --git a/admission/gesher/service.yaml b/admission/gesher/service.yaml deleted file mode 100644 index 9758160..0000000 --- a/admission/gesher/service.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: gesher - labels: - app: redis-enterprise -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 8443 - selector: - name: gesher diff --git a/admission/gesher/service_account.yaml b/admission/gesher/service_account.yaml deleted file mode 100644 index accbef5..0000000 --- a/admission/gesher/service_account.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: gesher - labels: - app: redis-enterprise diff --git a/admission/gesher/type.yaml b/admission/gesher/type.yaml deleted file mode 100644 index eabeadb..0000000 --- a/admission/gesher/type.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: app.redislabs.com/v1alpha1 -kind: NamespacedValidatingType -metadata: - name: redb -spec: - types: - - operations: ["*"] - apiGroups: ["app.redislabs.com"] - apiVersions: ["v1alpha1"] - resources: ["redisenterprisedatabases"] diff --git a/bundle.yaml b/bundle.yaml index 94752c4..bf1f7d2 100644 --- a/bundle.yaml +++ b/bundle.yaml @@ -219,6 +219,8 @@ spec: properties: dbType: type: string + major: + type: boolean version: type: string required: 
@@ -240,6 +242,9 @@ spec: field in the RedisEnterpriseCluster resource. type: boolean type: object + ingressOrRouteMethodStatus: + description: The ingressOrRouteSpec/ActiveActive spec method that exist + type: string spec: description: RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster properties: @@ -7033,9 +7038,13 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true + bigStoreDriver: + type: string + enum: + - rocksdb + - speedb required: - enabled - - flashStorageEngine - storageClassName type: object upgradeSpec: @@ -7746,11 +7755,15 @@ spec: type: string version: type: string + major: + type: boolean required: - dbType - version type: object type: array + ingressOrRouteMethodStatus: + type: string managedAPIs: properties: ldap: @@ -14221,9 +14234,13 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true + bigStoreDriver: + type: string + enum: + - rocksdb + - speedb required: - enabled - - flashStorageEngine - storageClassName type: object upgradeSpec: @@ -16438,10 +16455,14 @@ spec: name: redis-enterprise-operator app: redis-enterprise spec: + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true serviceAccountName: redis-enterprise-operator containers: - name: redis-enterprise-operator - image: redislabs/operator:6.4.2-8 + image: redislabs/operator:7.2.4-2 command: - operator-root - operator @@ -16483,8 +16504,15 @@ spec: path: /healthz port: 8080 scheme: HTTP + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL - name: admission - image: redislabs/operator:6.4.2-8 + image: redislabs/operator:7.2.4-2 command: - operator-root - admission 
@@ -16530,4 +16558,11 @@ spec: path: /liveness port: 8443 scheme: HTTPS + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL --- diff --git a/crds/rec_crd.yaml b/crds/rec_crd.yaml index 4b18ce0..4e87258 100644 --- a/crds/rec_crd.yaml +++ b/crds/rec_crd.yaml @@ -124,6 +124,8 @@ spec: properties: dbType: type: string + major: + type: boolean version: type: string required: @@ -145,6 +147,9 @@ spec: field in the RedisEnterpriseCluster resource. type: boolean type: object + ingressOrRouteMethodStatus: + description: The ingressOrRouteSpec/ActiveActive spec method that exist + type: string spec: description: RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster properties: @@ -6938,9 +6943,13 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true + bigStoreDriver: + type: string + enum: + - rocksdb + - speedb required: - enabled - - flashStorageEngine - storageClassName type: object upgradeSpec: @@ -7651,11 +7660,15 @@ spec: type: string version: type: string + major: + type: boolean required: - dbType - version type: object type: array + ingressOrRouteMethodStatus: + type: string managedAPIs: properties: ldap: @@ -14126,9 +14139,13 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true + bigStoreDriver: + type: string + enum: + - rocksdb + - speedb required: - enabled - - flashStorageEngine - storageClassName type: object upgradeSpec: diff --git a/gesher.bundle.yaml b/gesher.bundle.yaml deleted file mode 100644 index c5080ec..0000000 --- a/gesher.bundle.yaml +++ /dev/null 
@@ -1,428 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: gesher - labels: - app: redis-enterprise ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: gesher -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - app.redislabs.com - resources: - - namespacedvalidatingtypes - - namespacedvalidatingtypes/status - - namespacedvalidatingrules - - namespacedvalidatingrules/status - verbs: ["*"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: gesher - labels: - app: redis-enterprise -rules: -- apiGroups: - - "" - resources: - - pods - - services - - services/finalizers - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - apps - resources: - - deployments - - daemonsets - - replicasets - - statefulsets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create -- apiGroups: - - apps - resourceNames: - - gesher - resources: - - deployments/finalizers - verbs: - - update -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - resourceNames: - - redis-enterprise-psp - verbs: - - use - ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gesher - labels: - app: redis-enterprise -subjects: -- kind: ServiceAccount - name: gesher -roleRef: - kind: Role - name: gesher - apiGroup: rbac.authorization.k8s.io ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gesher - labels: - app: redis-enterprise -subjects: -- kind: ServiceAccount - name: gesher - namespace: NAMESPACE_OF_SERVICE_ACCOUNT -roleRef: - kind: ClusterRole - name: gesher - 
apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: Service -metadata: - name: gesher - labels: - app: redis-enterprise -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 8443 - selector: - name: gesher ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: namespacedvalidatingrules.app.redislabs.com - labels: - app: redis-enterprise -spec: - group: app.redislabs.com - names: - kind: NamespacedValidatingRule - listKind: NamespacedValidatingRuleList - plural: namespacedvalidatingrules - singular: namespacedvalidatingrule - scope: Namespaced - versions: - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - properties: - webhooks: - items: - properties: - admissionReviewVersions: - items: - type: string - type: array - clientConfig: - properties: - caBundle: - format: byte - type: string - service: - properties: - name: - type: string - namespace: - type: string - path: - type: string - port: - format: int32 - type: integer - required: - - name - - namespace - type: object - url: - type: string - type: object - failurePolicy: - type: string - matchPolicy: - type: string - name: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - objectSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - rules: - items: - properties: - 
apiGroups: - items: - type: string - type: array - apiVersions: - items: - type: string - type: array - operations: - items: - type: string - type: array - resources: - items: - type: string - type: array - scope: - type: string - type: object - type: array - sideEffects: - type: string - timeoutSeconds: - format: int32 - type: integer - required: - - clientConfig - - name - type: object - type: array - type: object - status: - properties: - observedGeneration: - format: int64 - type: integer - type: object - type: object ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: namespacedvalidatingtypes.app.redislabs.com - labels: - app: redis-enterprise -spec: - group: app.redislabs.com - names: - kind: NamespacedValidatingType - listKind: NamespacedValidatingTypeList - plural: namespacedvalidatingtypes - singular: namespacedvalidatingtype - scope: Cluster - versions: - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - properties: - types: - items: - properties: - apiGroups: - items: - type: string - type: array - apiVersions: - items: - type: string - type: array - operations: - items: - type: string - type: array - resources: - items: - type: string - type: array - scope: - type: string - type: object - type: array - type: object - status: - properties: - observedGeneration: - format: int64 - type: integer - type: object - type: object ---- -apiVersion: app.redislabs.com/v1alpha1 -kind: NamespacedValidatingType -metadata: - name: redb -spec: - types: - - operations: ["*"] - apiGroups: ["app.redislabs.com"] - apiVersions: ["v1alpha1"] - resources: ["redisenterprisedatabases"] ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gesher -spec: - replicas: 1 - selector: - matchLabels: - name: gesher - template: - metadata: - labels: - name: gesher - app: 
redis-enterprise - spec: - securityContext: - runAsUser: 1001 - runAsGroup: 1001 - fsGroup: 1001 - serviceAccountName: gesher - volumes: - - name: certs - emptyDir: - medium: Memory - containers: - - name: gesher - volumeMounts: - - mountPath: /certs - name: certs - image: redislabs/gesher:0.6 - command: - - "/manager" - args: - - "--namespace" - - "$(POD_NAMESPACE)" - imagePullPolicy: Always - env: - - name: WATCH_NAMESPACE - value: "" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: OPERATOR_NAME - value: "gesher" - resources: - limits: - cpu: 4000m - memory: 512Mi - requests: - cpu: 500m - memory: 256Mi - ---- diff --git a/gesher.openshift.bundle.yaml b/gesher.openshift.bundle.yaml deleted file mode 100644 index 3fbc43c..0000000 --- a/gesher.openshift.bundle.yaml +++ /dev/null 
@@ -1,423 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: gesher - labels: - app: redis-enterprise ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: gesher -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - app.redislabs.com - resources: - - namespacedvalidatingtypes - - namespacedvalidatingtypes/status - - namespacedvalidatingrules - - namespacedvalidatingrules/status - verbs: ["*"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: gesher - labels: - app: redis-enterprise -rules: -- apiGroups: - - "" - resources: - - pods - - services - - services/finalizers - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - apps - resources: - - deployments - - daemonsets - - replicasets - - statefulsets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create -- apiGroups: - - apps - resourceNames: - - gesher - resources: - - deployments/finalizers - verbs: - - update -- apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - resourceNames: - - redis-enterprise-psp - verbs: - - use - ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gesher - labels: - app: redis-enterprise -subjects: -- kind: ServiceAccount - name: gesher -roleRef: - kind: Role - name: gesher - apiGroup: rbac.authorization.k8s.io ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: gesher - labels: - app: redis-enterprise -subjects: -- kind: ServiceAccount - name: gesher - namespace: NAMESPACE_OF_SERVICE_ACCOUNT -roleRef: - kind: ClusterRole - name: gesher - 
apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: Service -metadata: - name: gesher - labels: - app: redis-enterprise -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 8443 - selector: - name: gesher ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: namespacedvalidatingrules.app.redislabs.com - labels: - app: redis-enterprise -spec: - group: app.redislabs.com - names: - kind: NamespacedValidatingRule - listKind: NamespacedValidatingRuleList - plural: namespacedvalidatingrules - singular: namespacedvalidatingrule - scope: Namespaced - versions: - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - properties: - webhooks: - items: - properties: - admissionReviewVersions: - items: - type: string - type: array - clientConfig: - properties: - caBundle: - format: byte - type: string - service: - properties: - name: - type: string - namespace: - type: string - path: - type: string - port: - format: int32 - type: integer - required: - - name - - namespace - type: object - url: - type: string - type: object - failurePolicy: - type: string - matchPolicy: - type: string - name: - type: string - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - objectSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - rules: - items: - properties: - 
apiGroups: - items: - type: string - type: array - apiVersions: - items: - type: string - type: array - operations: - items: - type: string - type: array - resources: - items: - type: string - type: array - scope: - type: string - type: object - type: array - sideEffects: - type: string - timeoutSeconds: - format: int32 - type: integer - required: - - clientConfig - - name - type: object - type: array - type: object - status: - properties: - observedGeneration: - format: int64 - type: integer - type: object - type: object ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: namespacedvalidatingtypes.app.redislabs.com - labels: - app: redis-enterprise -spec: - group: app.redislabs.com - names: - kind: NamespacedValidatingType - listKind: NamespacedValidatingTypeList - plural: namespacedvalidatingtypes - singular: namespacedvalidatingtype - scope: Cluster - versions: - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - properties: - types: - items: - properties: - apiGroups: - items: - type: string - type: array - apiVersions: - items: - type: string - type: array - operations: - items: - type: string - type: array - resources: - items: - type: string - type: array - scope: - type: string - type: object - type: array - type: object - status: - properties: - observedGeneration: - format: int64 - type: integer - type: object - type: object ---- -apiVersion: app.redislabs.com/v1alpha1 -kind: NamespacedValidatingType -metadata: - name: redb -spec: - types: - - operations: ["*"] - apiGroups: ["app.redislabs.com"] - apiVersions: ["v1alpha1"] - resources: ["redisenterprisedatabases"] ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gesher -spec: - replicas: 1 - selector: - matchLabels: - name: gesher - template: - metadata: - labels: - name: gesher - spec: - 
serviceAccountName: gesher - volumes: - - name: certs - emptyDir: - medium: Memory - containers: - - name: gesher - volumeMounts: - - mountPath: /certs - name: certs - image: redislabs/gesher:0.6 - command: - - "/manager" - args: - - "--namespace" - - "$(POD_NAMESPACE)" - imagePullPolicy: Always - env: - - name: WATCH_NAMESPACE - value: "" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: OPERATOR_NAME - value: "gesher" - resources: - limits: - cpu: 4000m - memory: 512Mi - requests: - cpu: 500m - memory: 256Mi - ---- diff --git a/log_collector/log_collector.py b/log_collector/log_collector.py index 91563e7..1352c76 100644 --- a/log_collector/log_collector.py +++ b/log_collector/log_collector.py @@ -36,7 +36,7 @@ logger.setLevel(logging.INFO) LOGGER_FORMAT = '%(asctime)s - %(levelname)s - %(message)s' logging.basicConfig(format=LOGGER_FORMAT) -VERSION_LOG_COLLECTOR = "6.4.2-8" +VERSION_LOG_COLLECTOR = "7.2.4-2" TIME_FORMAT = time.strftime("%Y%m%d-%H%M%S") @@ -82,6 +82,13 @@ "Namespace" ] +OLM_RESOURCES = [ + "Role", + "RoleBinding", + "Service", + "Endpoints", +] + ALL_ONLY_API_RESOURCES = [ "Node", "ResourceQuota", @@ -109,6 +116,7 @@ MISSING_RESOURCE = "no resources found in" UNRECOGNIZED_RESOURCE = "error: the server doesn't have a resource type" +OLM_LABEL = "operators.coreos.com/redis-enterprise-operator-cert.%s" def set_file_logger(output_dir): 
@@ -192,6 +200,14 @@ def _get_namespace_from_config(): # pylint: disable=R0913 +def collect_k8s_version_info(ns_output_dir, k8s_cli): + """ + Collects kubectl/oc version and cluster's k8s version + """ + cmd = f"{k8s_cli} version -o yaml" + collect_helper(ns_output_dir, cmd, "Version.yaml", "Version") + + def collect_from_ns(namespace, output_dir, api_resources, logs_from_all_pods=False, k8s_cli_input="", mode=MODE_RESTRICTED, skip_support_package=False, collect_empty_files=False): "Collect the context of a specific namespace. Typically runs in parallel processes." @@ -205,14 +221,16 @@ def collect_from_ns(namespace, output_dir, api_resources, logs_from_all_pods=Fal selector = "" if mode == MODE_RESTRICTED: selector = '--selector="{}"'.format(OPERATOR_LABEL) - + collect_k8s_version_info(ns_output_dir, k8s_cli) collect_connectivity_check(namespace, ns_output_dir, k8s_cli) get_redis_enterprise_debug_info(namespace, ns_output_dir, k8s_cli, mode, skip_support_package, k8s_cli_version) collect_pod_rs_logs(namespace, ns_output_dir, k8s_cli, mode) collect_resources_list(namespace, ns_output_dir, k8s_cli, mode) collect_events(namespace, ns_output_dir, k8s_cli, mode) collect_api_resources(namespace, ns_output_dir, k8s_cli, api_resources, selector, collect_empty_files) + collect_olm_auto_generated_resources(namespace, ns_output_dir, k8s_cli) collect_api_resources_description(namespace, ns_output_dir, k8s_cli, api_resources, selector, collect_empty_files) + collect_olm_auto_generated_resources_description(namespace, ns_output_dir, k8s_cli) collect_pods_logs(namespace, ns_output_dir, k8s_cli, logs_from_all_pods) 
@@ -783,6 +801,61 @@ def check_empty_yaml_file(out): return False +def detect_if_olm_deployed(namespace, k8s_cli): + """ + detect if operator was deployed using OLM + """ + cmd = f"{k8s_cli} get operators/redis-enterprise-operator-cert.{namespace} -n {namespace}" + code, _ = run_shell_command(cmd) + return code == 0 + + +def collect_olm_auto_generated_resources(namespace, ns_output_dir, k8s_cli): + """ + Creates file for each of the OLM autogenerated resources and aggregate them in their own folder + with the output of kubectl get -o yaml + """ + if not detect_if_olm_deployed(namespace, k8s_cli): + return + olm_output_dir = os.path.join(ns_output_dir, "OLM") + make_dir(olm_output_dir) + selector = f"--selector={OLM_LABEL % namespace}" + logger.info("Namespace '%s': Collecting OLM autogenerated resources", namespace) + resources_out = OrderedDict() + for resource in OLM_RESOURCES: + output = run_get_resource_yaml(namespace, resource, k8s_cli, selector) + if output: + resources_out[resource] = output + logger.info("Namespace '%s': + Collected %s", namespace, resource) + for entry, out in resources_out.items(): + with open(os.path.join(olm_output_dir, + "{}.yaml".format(entry)), "w+", encoding='UTF-8') as file_handle: + file_handle.write(out) + + +def collect_olm_auto_generated_resources_description(namespace, ns_output_dir, k8s_cli): + """ + Creates file for each of the OLM autogenerated resources and aggregate them in their own folder + with the output of kubectl get -o yaml + """ + if not detect_if_olm_deployed(namespace, k8s_cli): + return + olm_output_dir = os.path.join(ns_output_dir, "OLM") + make_dir(olm_output_dir) + selector = f"--selector={OLM_LABEL % namespace}" + logger.info("Namespace '%s': Collecting OLM autogenerated resources description", namespace) + resources_out = OrderedDict() + for resource in OLM_RESOURCES: + output = describe_resource(namespace, resource, k8s_cli, selector) + if output: + resources_out[resource] = output + 
logger.info("Namespace '%s': + Collected %s", namespace, resource) + for entry, out in resources_out.items(): + with open(os.path.join(olm_output_dir, + "{}.txt".format(entry)), "w+", encoding='UTF-8') as file_handle: + file_handle.write(out) + + def collect_api_resources(namespace, output_dir, k8s_cli, api_resources, selector="", collect_empty_files=False): """ Creates file for each of the API resources @@ -906,6 +979,9 @@ def collect_pv_by_pvc_names(namespace, k8s_cli, collect_func, retries): error_template = "Namespace '{}': Failed to get {} resource: {{}}.".format(namespace, "PersistentVolumeClaim") volumes_names = get_pv_names(k8s_cli, namespace, error_template) for volume in volumes_names: + if volume == "": + logger.info('skipping nameless pvc') + continue cmd = "{} {} -n {} {} --field-selector=metadata.name={} -o yaml".format(k8s_cli, collect_func, namespace, "PersistentVolume", @@ -927,6 +1003,9 @@ def collect_pv_by_pvc_name_description(namespace, k8s_cli, retries): error_template = "Namespace '{}': Failed to get {} resource: {{}}.".format(namespace, "PersistentVolumeClaim") volumes_names = get_pv_names(k8s_cli, namespace, error_template) for volume in volumes_names: + if volume == "": + logger.info('skipping nameless pvc') + continue # get the PV name and then run with describe cmd = "{} get -n {} {} --field-selector=metadata.name={} -o=name".format(k8s_cli, namespace, "PersistentVolume", volume) diff --git a/multi-namespace-redb/operator.yaml b/multi-namespace-redb/operator.yaml index 3c5ad59..3da9bc4 100644 --- a/multi-namespace-redb/operator.yaml +++ b/multi-namespace-redb/operator.yaml @@ -17,10 +17,14 @@ spec: name: redis-enterprise-operator app: redis-enterprise spec: + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true serviceAccountName: redis-enterprise-operator containers: - name: redis-enterprise-operator - image: redislabs/operator:6.4.2-8 + image: redislabs/operator:7.2.4-2 command: - operator-root - operator 
@@ -62,8 +66,15 @@ spec: path: /healthz port: 8080 scheme: HTTP + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL - name: admission - image: redislabs/operator:6.4.2-8 + image: redislabs/operator:7.2.4-2 command: - operator-root - admission @@ -108,4 +119,11 @@ spec: httpGet: path: /liveness port: 8443 - scheme: HTTPS \ No newline at end of file + scheme: HTTPS + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/openshift.bundle.yaml b/openshift.bundle.yaml index 5d8f8e3..382e461 100644 --- a/openshift.bundle.yaml +++ b/openshift.bundle.yaml @@ -261,6 +261,8 @@ spec: properties: dbType: type: string + major: + type: boolean version: type: string required: @@ -282,6 +284,9 @@ spec: field in the RedisEnterpriseCluster resource. type: boolean type: object + ingressOrRouteMethodStatus: + description: The ingressOrRouteSpec/ActiveActive spec method that exist + type: string spec: description: RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster properties: @@ -7075,9 +7080,13 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true + bigStoreDriver: + type: string + enum: + - rocksdb + - speedb required: - enabled - - flashStorageEngine - storageClassName type: object upgradeSpec: @@ -7788,11 +7797,15 @@ spec: type: string version: type: string + major: + type: boolean required: - dbType - version type: object type: array + ingressOrRouteMethodStatus: + type: string managedAPIs: properties: ldap: 
@@ -14263,9 +14276,13 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true + bigStoreDriver: + type: string + enum: + - rocksdb + - speedb required: - enabled - - flashStorageEngine - storageClassName type: object upgradeSpec: @@ -16480,12 +16497,19 @@ spec: name: redis-enterprise-operator app: redis-enterprise spec: + securityContext: + runAsNonRoot: true serviceAccountName: redis-enterprise-operator containers: - name: redis-enterprise-operator - image: registry.connect.redhat.com/redislabs/redis-enterprise-operator:6.4.2-8 + image: registry.connect.redhat.com/redislabs/redis-enterprise-operator:7.2.4-2 securityContext: - runAsUser: 1001 + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL command: - operator-root - operator @@ -16530,7 +16554,14 @@ spec: port: 8080 scheme: HTTP - name: admission - image: registry.connect.redhat.com/redislabs/redis-enterprise-operator:6.4.2-8 + image: registry.connect.redhat.com/redislabs/redis-enterprise-operator:7.2.4-2 + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL command: - operator-root - admission diff --git a/openshift/operator_rhel.yaml b/openshift/operator_rhel.yaml index ee200d4..51772ef 100644 --- a/openshift/operator_rhel.yaml +++ b/openshift/operator_rhel.yaml 
@@ -17,12 +17,19 @@ spec: name: redis-enterprise-operator app: redis-enterprise spec: + securityContext: + runAsNonRoot: true serviceAccountName: redis-enterprise-operator containers: - name: redis-enterprise-operator - image: registry.connect.redhat.com/redislabs/redis-enterprise-operator:6.4.2-8 + image: registry.connect.redhat.com/redislabs/redis-enterprise-operator:7.2.4-2 securityContext: - runAsUser: 1001 + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL command: - operator-root - operator @@ -67,7 +74,14 @@ spec: port: 8080 scheme: HTTP - name: admission - image: registry.connect.redhat.com/redislabs/redis-enterprise-operator:6.4.2-8 + image: registry.connect.redhat.com/redislabs/redis-enterprise-operator:7.2.4-2 + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL command: - operator-root - admission diff --git a/openshift/rec_rhel.yaml b/openshift/rec_rhel.yaml index 50f6cfb..0774d57 100644 --- a/openshift/rec_rhel.yaml +++ b/openshift/rec_rhel.yaml @@ -9,7 +9,7 @@ spec: nodes: 3 redisEnterpriseImageSpec: repository: registry.connect.redhat.com/redislabs/redis-enterprise - versionTag: 6.4.2-94.rhel8-openshift + versionTag: 7.2.4-52.rhel8-openshift redisEnterpriseServicesRiggerImageSpec: repository: registry.connect.redhat.com/redislabs/services-manager bootstrapperImageSpec: diff --git a/operator.yaml b/operator.yaml index 3c5ad59..3da9bc4 100644 --- a/operator.yaml +++ b/operator.yaml @@ -17,10 +17,14 @@ spec: name: redis-enterprise-operator app: redis-enterprise spec: + securityContext: + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true serviceAccountName: redis-enterprise-operator containers: - name: redis-enterprise-operator - image: redislabs/operator:6.4.2-8 + image: redislabs/operator:7.2.4-2 command: - operator-root - operator 
@@ -62,8 +66,15 @@ spec: path: /healthz port: 8080 scheme: HTTP + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL - name: admission - image: redislabs/operator:6.4.2-8 + image: redislabs/operator:7.2.4-2 command: - operator-root - admission @@ -108,4 +119,11 @@ spec: httpGet: path: /liveness port: 8443 - scheme: HTTPS \ No newline at end of file + scheme: HTTPS + securityContext: + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/redis_enterprise_cluster_api.md b/redis_enterprise_cluster_api.md index 3160a92..016be5a 100644 --- a/redis_enterprise_cluster_api.md +++ b/redis_enterprise_cluster_api.md @@ -78,6 +78,7 @@ Customization options for the REC API service. | Field | Description | Scheme | Default Value | Required | | ----- | ----------- | ------ | -------- | -------- | | version | | string | | true | +| major | | bool | | true | [Back to Table of Contents](#table-of-contents) ### BundledDatabaseVersions @@ -87,6 +88,7 @@ Customization options for the REC API service. | ----- | ----------- | ------ | -------- | -------- | | dbType | | string | | true | | version | | string | | true | +| major | | bool | | false | [Back to Table of Contents](#table-of-contents) ### ClusterCertificate 
@@ -372,7 +374,7 @@ RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster | clusterCredentialSecretType | Type of Secret to use for ClusterCredential: vault, kubernetes,... If left blank, will default to kubernetes secrets | string | | true | | clusterCredentialSecretRole | Used only if ClusterCredentialSecretType is vault, to define vault role to be used. If blank, defaults to "redis-enterprise-rec" | string | | true | | vaultCASecret | K8s secret name containing Vault's CA cert - defaults to "vault-ca-cert" | string | | false | -| redisEnterpriseServicesConfiguration | RS Cluster optional services settings. Note that when disabling the CM Server service, the cluster's UI Service will be removed from the k8s cluster | *[RedisEnterpriseServicesConfiguration](#redisenterpriseservicesconfiguration) | | false | +| redisEnterpriseServicesConfiguration | RS Cluster optional services settings. Notes: When disabling the CM Server service, the cluster's UI Service will be removed from the k8s cluster. Also the saslauthd entry is deprecated and will be removed (the service was already removed from the cluster and is always disabled). | *[RedisEnterpriseServicesConfiguration](#redisenterpriseservicesconfiguration) | | false | | dataInternodeEncryption | Internode encryption (INE) cluster wide policy. An optional boolean setting. Specifies if INE should be on/off for new created REDBs. May be overridden for specific REDB via similar setting, please view the similar setting for REDB for more info. | *bool | | false | | redisUpgradePolicy | Redis upgrade policy to be set on the Redis Enterprise Cluster. Possible values: major/latest This value is used by the cluster to choose the Redis version of the database when an upgrade is performed. The Redis Enterprise Cluster includes multiple versions of OSS Redis that can be used for databases. | string | | false | | certificates | RS Cluster Certificates. Used to modify the certificates used by the cluster. 
See the "RSClusterCertificates" struct described above to see the supported certificates. | *[RSClusterCertificates](#rsclustercertificates) | | false | @@ -400,6 +402,7 @@ RedisEnterpriseClusterStatus defines the observed state of RedisEnterpriseCluste | bundledDatabaseVersions | Versions of open source databases bundled by Redis Enterprise Software - please note that in order to use a specific version it should be supported by the ‘upgradePolicy’ - ‘major’ or ‘latest’ according to the desired version (major/minor) | []*[BundledDatabaseVersions](#bundleddatabaseversions) | | false | | ocspStatus | An API object that represents the cluster's OCSP status | *[OcspStatus](#ocspstatus) | | false | | managedAPIs | Indicates cluster APIs that are being managed by the operator. This only applies to cluster APIs which are optionally-managed by the operator, such as cluster LDAP configuration. Most other APIs are automatically managed by the operator, and are not listed here. | *[ManagedAPIs](#managedapis) | | false | +| ingressOrRouteMethodStatus | The ingressOrRouteSpec/ActiveActive spec method that exist | [IngressMethod](#ingressmethod) | | false | [Back to Table of Contents](#table-of-contents) ### RedisEnterpriseServicesConfiguration 
@@ -422,9 +425,10 @@ RedisOnFlashSpec contains all the parameters needed to configure in order to ena | Field | Description | Scheme | Default Value | Required | | ----- | ----------- | ------ | -------- | -------- | | enabled | Indicates whether RoF is turned on or not. | bool | | true | -| flashStorageEngine | The type of DB engine used on flash. Currently the only supported value is "rocksdb", but this will change in the future. | [RedisOnFlashsStorageEngine](#redisonflashsstorageengine) | | true | +| flashStorageEngine | The type of DB engine used on flash. This field is DEPRECATED, if you wish to change the driver from RocksDB to Speedb use bigStoreDriver | [RedisOnFlashsStorageEngine](#redisonflashsstorageengine) | | false | | storageClassName | Used to identify the storage class name of the corresponding volume claim template. | string | | true | | flashDiskSize | Required flash disk size. | resource.Quantity | | false | +| bigStoreDriver | Used to change the bigstore_driver when REC is up and running. | [RedisOnFlashsStorageEngine](#redisonflashsstorageengine) | | false | [Back to Table of Contents](#table-of-contents) ### Saslauthd @@ -552,6 +556,7 @@ The search scope for an LDAP query. | Value | Description | | ----- | ----------- | | "rocksdb" | | +| "speedb" | | [Back to Table of Contents](#table-of-contents) ### ServiceType
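Review bot: the deletions of admission/GESHER.md (`@@ -1,254 +0,0 @@`) and gesher.openshift.bundle.yaml (`@@ -1,423 +0,0 @@`) remove the only documentation of the *delegated* admission method, but nothing in the patch tells users who deployed it what to do; add a changelog or admission README entry stating that the Gesher path is no longer supported and whether the `gesher` Deployment, the `redb` NamespacedValidatingType and any NamespacedValidatingRule objects should be removed and replaced by the cluster-scoped ValidatingWebhookConfiguration method before upgrading to 7.2.4-2.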
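Review bot: in the `@@ -783,6 +801,61 @@` hunk of log_collector.py, collect_olm_auto_generated_resources_description has a copy-pasted docstring ("with the output of kubectl get -o yaml") although it writes `describe_resource` output to `.txt` files, and the two functions are otherwise line-for-line duplicates that each call detect_if_olm_deployed, so every namespace runs the `{k8s_cli} get operators/redis-enterprise-operator-cert.{namespace}` command twice. Suggest one helper parameterised by the collector function and file extension, with the OLM check done once in collect_from_ns and passed in. detect_if_olm_deployed also treats any non-zero exit as "not OLM", which conflates "Operator CRD absent" with transient kubectl or auth failures; logging the command output at debug level on failure would make a missing OLM folder in a support bundle explainable.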
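Review bot: the `if volume == "":` guards added in the `@@ -906,6 +979,9 @@` and `@@ -927,6 +1003,9 @@` hunks are duplicated and the message "skipping nameless pvc" is misleading: the loop iterates PersistentVolume names returned by get_pv_names for the namespace's PVCs, so an empty entry is a PVC that is not yet bound to a PV, not a PVC without a name. Filtering empty names once inside get_pv_names, or logging "PVC has no bound PersistentVolume" together with the namespace, would remove the duplication and make the log line accurate.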
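Review bot: in the `@@ -17,10 +17,14 @@` hunks of operator.yaml and multi-namespace-redb/operator.yaml, `runAsNonRoot: true` is set at pod level without a `runAsUser`, so the kubelet can only satisfy it if the image's USER is a numeric UID; if redislabs/operator:7.2.4-2 declares a named user the pod is rejected at start with "container has runAsNonRoot and image has non-numeric user". Either confirm the image sets a numeric USER or add `runAsUser` (dropping `runAsUser: 1001` in the OpenShift manifests is fine, since the SCC assigns the UID there). Separately, `seccompProfile: RuntimeDefault` is added only in these two files and not in openshift/operator_rhel.yaml or openshift.bundle.yaml; note whether that difference is intentional so the manifests do not drift further.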
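Review bot: the `@@ -62,8 +66,15 @@` and `@@ -108,4 +119,11 @@` hunks set `readOnlyRootFilesystem: true` on both the operator and admission containers, which is the right hardening but needs a check that neither process writes to its root filesystem at runtime (generated TLS material for the admission endpoint on port 8443, temp files, caches); anything that does will now fail after the upgrade, and the fix is an `emptyDir` mount for that path rather than relaxing the setting. Listing the verified writable paths (or "none") in the PR description would let reviewers confirm this.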
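Review bot: in the openshift.bundle.yaml hunks `@@ -261,6 +261,8 @@`, `@@ -282,6 +284,9 @@` and `@@ -7788,11 +7797,15 @@`, the new `major` boolean carries no description in the CRD or in either API table, and the documentation marks it `true` under Required in the first table but `false` under BundledDatabaseVersions while the CRD `required:` list at `@@ -7788` omits it; add a one-line description of what `major` means and align the Required flags with the CRD. The `ingressOrRouteMethodStatus` description "The ingressOrRouteSpec/ActiveActive spec method that exist" is ungrammatical and does not say which values to expect; since the API doc types it as IngressMethod, the CRD could carry a matching `enum` and a description such as "The ingress method currently in effect from ingressOrRouteSpec or the Active-Active spec".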
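Review bot: the `@@ -7075,9 +7080,13 @@` and `@@ -14263,9 +14276,13 @@` CRD hunks add `bigStoreDriver` (enum rocksdb/speedb) and drop `flashStorageEngine` from `required:`, and the `@@ -422,9 +425,10 @@` doc hunk marks `flashStorageEngine` deprecated, but nothing states which field wins when both are set to different values, or whether changing `bigStoreDriver` on a running REC is applied in place or triggers a rolling restart. Add that to the `bigStoreDriver` description, and consider rejecting conflicting values in the admission webhook (or via an OpenAPI validation rule) rather than leaving the precedence implicit.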