管理多个命名空间中的数据库

Redis Enterprise for Kubernetes 允许您部署到 Kubernetes 集群中的多个命名空间。本文将介绍如何配置 Redis Enterprise 集群以连接到多个命名空间中的数据库

适用于 Kubernetes 的 Redis Enterprise

多个 Redis Enterprise 数据库资源 (REDB) 可以与单个 Redis Enterprise 集群资源 (REC) 相关联,即使它们位于不同的命名空间中。

要了解有关设计多命名空间 Redis Enterprise 集群的更多信息,请参阅灵活的部署选项

警告:
多命名空间安装不支持主动-主动数据库 (REAADB)。目前,多命名空间部署仅支持使用 REDB 资源创建的数据库。

先决条件

在配置多命名空间部署之前,您必须有一个正在运行的 Redis Enterprise 集群 (REC)。有关更多信息,请参阅 部署 部分。

为托管命名空间创建角色和角色绑定

作员和 RedisEnterpriseCluster (REC) 资源都需要访问 REC 将管理的每个命名空间。对于每个托管命名空间,创建一个role.yamlrole_binding.yaml文件,如以下示例所示。

注意:
每次升级时都需要重新应用这些费用。

取代<rec-namespace>替换为 REC 所在的命名空间。 取代<service-account-name>替换为您自己的值(默认为 REC 名称)。

role.yaml例:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: redb-role
  labels:
    app: redis-enterprise
rules:
  - apiGroups:
      - app.redislabs.com
    resources: ["redisenterpriseclusters", "redisenterpriseclusters/status", "redisenterpriseclusters/finalizers",
                "redisenterprisedatabases", "redisenterprisedatabases/status", "redisenterprisedatabases/finalizers",
                "redisenterpriseremoteclusters", "redisenterpriseremoteclusters/status",
                "redisenterpriseremoteclusters/finalizers",
                "redisenterpriseactiveactivedatabases", "redisenterpriseactiveactivedatabases/status",
                "redisenterpriseactiveactivedatabases/finalizers"]
    verbs: ["delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["update", "get", "read", "list", "listallnamespaces", "watch", "watchlist",
            "watchlistallnamespaces", "create","patch","replace","delete","deletecollection"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]

role_binding.yaml example:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: redb-role
  labels:
    app: redis-enterprise
subjects:
- kind: ServiceAccount
  name: redis-enterprise-operator
  namespace: <rec-namespace>
- kind: ServiceAccount
  name: <service-account-name>
  namespace: <rec-namespace>
roleRef:
  kind: Role
  name: redb-role
  apiGroup: rbac.authorization.k8s.io

Apply the files, replacing <managed-namespace> with your own values:

kubectl apply -f role.yaml -n <managed-namespace>
kubectl apply -f role_binding.yaml -n <managed-namespace>
Note:
If the REC is configured to watch a namespace without setting the role and role binding permissions, or a namespace that is not yet created, the operator will fail and halt normal operations.

Update Redis Enterprise operator ConfigMap

There are two methods of updating the operator ConfigMap (operator-environment-config) to specify which namespaces to manage.

  • Method 1: Configure the operator to watch for a namespace label and add this label to managed namespaces (available in versions 6.4.2-4 or later).
  • Method 2: Configure the operator with an explicit list of namespaces to manage.

You can create this ConfigMap manually before deployment, or it will be created automatically after the operator was deployed.

Method 1: Namespace label (available in versions 6.4.2-4 or later)

  1. Create the cluster_role_binding.yaml and cluster_role.yaml files. Replace the <rec-namespace> with the namespace the Redis Enterprise cluster (REC) resides in.

operator_cluster_role.yaml example:

  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: redis-enterprise-operator-consumer-ns
    labels:
      app: redis-enterprise
  rules:
    - apiGroups: [""]
      resources: ["namespaces"]
      verbs: ["list", "watch"]

operator_cluster_role_binding.yaml example:

  kind: ClusterRoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: redis-enterprise-operator-consumer-ns
    labels:
      app: redis-enterprise
  subjects:
  - kind: ServiceAccount
    name: redis-enterprise-operator
    namespace: <rec-namespace>
  roleRef:
    kind: ClusterRole
    name: redis-enterprise-operator-consumer-ns
    apiGroup: rbac.authorization.k8s.io
  1. Apply the files.
kubectl apply -f operator_cluster_role.yaml
kubectl apply -f operator_cluster_role_binding.yaml
  1. Patch the ConfigMap in the REC namespace (<rec-namespace>) to identify the managed namespaces with your label (<label-name>).
 kubectl patch ConfigMap/operator-environment-config \
-n <rec-namespace> \
--type merge \
-p '{"data": {"REDB_NAMESPACES_LABEL": "<label-name>"}}'
  1. For each managed namespace, apply the same label. Replace <managed-namespace> with the namespace the REC will manage. Replace <label-name> with the value used in the previous step. If you specify a value for <label-value>, both the label name and value in managed namespaces must match to be detected by the operator. If the <label-value> is empty, only the label name needs to match on managed namespaces and the value is disregarded.
kubectl label namespace <managed-namespace> <label-name>=<label-value>
Note:
The operator restarts when it detects a namespace label was added or removed.

Method 2: Explicit namespace list

Patch the operator-environment-config in the REC namespace with a new environment variable (REDB_NAMESPACES).

kubectl patch ConfigMap/operator-environment-config \ 
-n <rec-namespace> \
--type merge \
-p '{"data":{"REDB_NAMESPACES": "<comma,separated,list,of,namespaces,to,watch"}}'
Warning:
Only configure the operator to watch a namespace after the namespace is created and configured with the role/role_binding as explained above. If configured to watch a namespace without setting those permissions or a namespace that is not created yet, the operator will fail and not perform normal operations.
RATE THIS PAGE
Back to top ↑