部署管道
了解如何部署 RDI 管道
以下部分介绍了在创建所需配置后如何部署管道。
设置 secret
在部署管道之前,您必须为
源数据库和目标数据库。每个密钥都有一个相应的属性名称,该
您可以将redis-di set-secretcommand (VM 部署) 或kubectl create secret generic(K8s 部署)来设置属性的值。然后,您可以引用这些属性
在config.yaml使用语法”${PROPERTY_NAME}"
(示例 config.yaml 文件显示了正在使用的这些属性)。
下表显示了每个密钥的属性名称。请注意, source 和 target 需要 username 和 password,但另一个 密钥仅与 TLS/mTLS 连接相关。
| 属性名称 | 描述 |
|---|---|
SOURCE_DB_USERNAME |
源数据库的用户名 |
SOURCE_DB_PASSWORD |
源数据库的密码 |
SOURCE_DB_CACERT |
(仅适用于 TLS)源数据库信任证书 |
SOURCE_DB_KEY |
(仅适用于 mTLS)源数据库私有密钥 |
SOURCE_DB_CERT |
(仅适用于 mTLS)源数据库公钥 |
SOURCE_DB_KEY_PASSWORD |
(仅适用于 mTLS)源数据库私钥密码 |
TARGET_DB_USERNAME |
目标数据库的用户名 |
TARGET_DB_PASSWORD |
目标数据库的密码 |
TARGET_DB_CACERT |
(仅适用于 TLS)目标数据库信任证书 |
TARGET_DB_KEY |
(仅适用于 mTLS)目标数据库私有密钥 |
TARGET_DB_CERT |
(仅适用于 mTLS)目标数据库公钥 |
TARGET_DB_KEY_PASSWORD |
(仅适用于 mTLS)目标数据库私钥密码 |
设置 VM 部署的密钥
用redis-di set-secret为 VM 部署设置 secret。例如,您将使用
将源数据库用户名设置为myUserName:
redis-di set-secret SOURCE_DB_USERNAME myUserName
Set secrets for K8s/Helm deployment
Use
kubectl create secret generic
to set secrets for a K8s/Helm deployment. The general pattern of the commands is:
kubectl create secret generic <DB> \
--namespace=rdi \
--from-literal=<SECRET-NAME>=<SECRET-VALUE>
Where <DB> is either source-db for source secrets or target-db for target secrets.
If you use TLS or mTLS for either the source or target databases, you also need to create the source-db-ssl and/or target-db-ssl K8s secrets that contain the certificates used to establish secure connections. The general pattern of the commands is:
kubectl create secret generic <DB>-ssl \
--namespace=rdi \
--from-file=<FILE-NAME>=<FILE-PATH>
When you create these secrets, ensure that all certificates and keys are in PEM format. The only exception to this is that for PostgreSQL, the private key in the source-db-ssl secret (the client.key file) must be in DER format. If you have a key in PEM format, you must convert it to DER before creating the source-db-ssl secret using the command:
openssl pkcs8 -topk8 -inform PEM -outform DER -in /path/to/myclient.key -out /path/to/myclient.pk8 -nocrypt
This command assumes that the private key is not encrypted. See the openssl documentation to learn how to convert an encrypted private key.
The specific command lines for source secrets are as follows:
# Without source TLS
# Create or update source-db secret
kubectl create secret generic source-db --namespace=rdi \
--from-literal=SOURCE_DB_USERNAME=yourUsername \
--from-literal=SOURCE_DB_PASSWORD=yourPassword \
--save-config --dry-run=client -o yaml | kubectl apply -f -
# With source TLS
# Create of update source-db secret
kubectl create secret generic source-db --namespace=rdi \
--from-literal=SOURCE_DB_USERNAME=yourUsername \
--from-literal=SOURCE_DB_PASSWORD=yourPassword \
--from-literal=SOURCE_DB_CACERT=/etc/certificates/source_db/ca.crt \
--save-config --dry-run=client -o yaml | kubectl apply -f -
# Create or update source-db-ssl secret
kubectl create secret generic source-db-ssl --namespace=rdi \
--from-file=ca.crt=/path/to/myca.crt \
--save-config --dry-run=client -o yaml | kubectl apply -f -
# With source mTLS
# Create or update source-db secret
kubectl create secret generic source-db --namespace=rdi \
--from-literal=SOURCE_DB_USERNAME=yourUsername \
--from-literal=SOURCE_DB_PASSWORD=yourPassword \
--from-literal=SOURCE_DB_CACERT=/etc/certificates/source_db/ca.crt \
--from-literal=SOURCE_DB_CERT=/etc/certificates/source_db/client.crt \
--from-literal=SOURCE_DB_KEY=/etc/certificates/source_db/client.key \
--from-literal=SOURCE_DB_KEY_PASSWORD=yourKeyPassword \ # add this only if SOURCE_DB_KEY is password-protected
--save-config --dry-run=client -o yaml | kubectl apply -f -
# Create or update source-db-ssl secret
kubectl create secret generic source-db-ssl --namespace=rdi \
--from-file=ca.crt=/path/to/myca.crt \
--from-file=client.crt=/path/to/myclient.crt \
--from-file=client.key=/path/to/myclient.key \
--save-config --dry-run=client -o yaml | kubectl apply -f -
The corresponding command lines for target secrets are:
# Without target TLS
# Create or update target-db secret
kubectl create secret generic target-db --namespace=rdi \
--from-literal=TARGET_DB_USERNAME=yourUsername \
--from-literal=TARGET_DB_PASSWORD=yourPassword \
--save-config --dry-run=client -o yaml | kubectl apply -f -
# With target TLS
# Create of update target-db secret
kubectl create secret generic target-db --namespace=rdi \
--from-literal=TARGET_DB_USERNAME=yourUsername \
--from-literal=TARGET_DB_PASSWORD=yourPassword \
--from-literal=TARGET_DB_CACERT=/etc/certificates/target_db/ca.crt \
--save-config --dry-run=client -o yaml | kubectl apply -f -
# Create or update target-db-ssl secret
kubectl create secret generic target-db-ssl --namespace=rdi \
--from-file=ca.crt=/path/to/myca.crt \
--save-config --dry-run=client -o yaml | kubectl apply -f -
# With target mTLS
# Create or update target-db secret
kubectl create secret generic target-db --namespace=rdi \
--from-literal=TARGET_DB_USERNAME=yourUsername \
--from-literal=TARGET_DB_PASSWORD=yourPassword \
--from-literal=TARGET_DB_CACERT=/etc/certificates/target_db/ca.crt \
--from-literal=TARGET_DB_CERT=/etc/certificates/target_db/client.crt \
--from-literal=TARGET_DB_KEY=/etc/certificates/target_db/client.key \
--from-literal=TARGET_DB_KEY_PASSWORD=yourKeyPassword \ # add this only if TARGET_DB_KEY is password-protected
--save-config --dry-run=client -o yaml | kubectl apply -f -
# Create or update target-db-ssl secret
kubectl create secret generic target-db-ssl --namespace=rdi \
--from-file=ca.crt=/path/to/myca.crt \
--from-file=client.crt=/path/to/myclient.crt \
--from-file=client.key=/path/to/myclient.key \
--save-config --dry-run=client -o yaml | kubectl apply -f -
Note that the certificate paths contained in the secrets SOURCE_DB_CACERT, SOURCE_DB_CERT, and SOURCE_DB_KEY (for the source database) and TARGET_DB_CACERT, TARGET_DB_CERT, and TARGET_DB_KEY (for the target database) are internal to RDI, so you must use the values shown in the example above. You should only change the certificate paths when you create the source-db-ssl and target-db-ssl secrets.
Deploy a pipeline
When you have created your configuration, including the jobs, they are
ready to deploy. Use Redis Insight
to configure and deploy pipelines for both VM and K8s installations.
For VM installations, you can also use the
redis-di deploy
command to deploy a pipeline:
redis-di deploy --dir <path to pipeline folder>
On this page