Install the Operator on OpenShift using Command Line
Configure the CLIโ
From a terminal login to the OpenShift cluster and ensure that the oc
and kubectl
commands connect to the correct OpenShift cluster.
Ensure the Operator package is visibleโ
Run the following command.
kubectl get packagemanifests aerospike-kubernetes-operator-rhmp -n openshift-marketplace
You will see output similar to:
NAME CATALOG AGE
aerospike-kubernetes-operator-rhmp Red Hat Marketplace 22d
Create the Operator subscriptionโ
Create a file aerospike-kubernetes-operator.yaml
with the following contents:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: aerospike-kubernetes-operator-rhmp
namespace: openshift-operators
spec:
channel: alpha
installPlanApproval: Automatic
name: aerospike-kubernetes-operator-rhmp
source: redhat-marketplace
sourceNamespace: openshift-marketplace
startingCSV: aerospike-kubernetes-operator.v2.0.0
We recommend setting spec.installPlanApproval
to Automatic in the aerospike-kubernetes-operator.yaml
file. This setting automatically upgrades the operator whenever upgrades are available.
Create this subscription using the following command:
kubectl apply -f aerospike-kubernetes-operator.yaml
Verify the Operator is Runningโ
Verify that the Operator's CSV is in the Succeeded
phase.
$ kubectl get csv -n openshift-operators aerospike-kubernetes-operator.v2.0.0
You will see output similar to the following:
NAME DISPLAY VERSION REPLACES PHASE
aerospike-kubernetes-operator.v2.0.0 Aerospike Kubernetes Operator 2.0.0 Succeeded
Check Operator Logsโ
The Operator runs as two replicas by default, for higher availability. Run the following command to follow the logs for the Operator pods.
kubectl -n openshift-operators logs -f deployment/aerospike-operator-controller-manager manager
Sample output:
2022-01-15T19:09:58.058Z INFO controller-runtime.metrics metrics server is starting to listen {"addr": "127.0.0.1:8080"}
2022-01-15T19:09:58.062Z INFO setup Init aerospike-server config schemas
2022-01-15T19:09:58.071Z DEBUG schema-map Config schema added {"version": "4.7.0"}
2022-01-15T19:09:58.072Z INFO aerospikecluster-resource Registering mutating webhook to the webhook server
2022-01-15T19:09:58.073Z INFO controller-runtime.webhook registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikecluster"}
2022-01-15T19:09:58.073Z INFO controller-runtime.builder skip registering a mutating webhook, admission.Defaulter interface is not implemented {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeCluster"}
2022-01-15T19:09:58.073Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeCluster", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikecluster"}
2022-01-15T19:09:58.073Z INFO controller-runtime.webhook registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikecluster"}
2022-01-15T19:09:58.074Z INFO setup Starting manager
I1015 19:09:58.074722 1 leaderelection.go:243] attempting to acquire leader lease aerospike/96242fdf.aerospike.com...
Grant permissions to the target namespacesโ
The Operator is installed in the openshift-operators
namespace. It needs additional service accounts configured
for the Kubernetes namespaces where the Aerospike clusters will be created.
The procedure to use the namespace aerospike
is as follows:
Create the namespaceโ
Create the Kubernetes namespace if not already created:
kubectl create namespace aerospike
Create a service accountโ
kubectl -n aerospike create serviceaccount aerospike-operator-controller-manager
Update the operator's ClusterRoleBindingโ
Next, add this service account to the Operator's ClusterRoleBinding
. To do this, run the following command:
kubectl edit clusterrolebindings.rbac.authorization.k8s.io $(kubectl get clusterrolebindings.rbac.authorization.k8s.io | grep aerospike-kubernetes-operator | grep -v -- "-opera-" | cut -f 1 -d " ")
This command launches an editor. Append the following lines to the subjects
section:
# A new entry for aerospike.
# Replace aerospike with your namespace
- kind: ServiceAccount
name: aerospike-operator-controller-manager
namespace: aerospike
Save and ensure that the changes are applied.
Here is a full example of the Operator's ClusterRoleBinding targeting the aerospike
namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: "2022-01-16T10:48:36Z"
labels:
olm.owner: aerospike-kubernetes-operator.v2.1.0
olm.owner.kind: ClusterServiceVersion
olm.owner.namespace: test
operators.coreos.com/aerospike-kubernetes-operator.test: ""
name: aerospike-kubernetes-operator.v2.1.0-74b946466d
resourceVersion: "51841234"
uid: be546dd5-b21e-4cc3-8a07-e2fe5fe5274c
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: aerospike-kubernetes-operator.v2.1.0-74b946466d
subjects:
- kind: ServiceAccount
name: aerospike-operator-controller-manager
namespace: operators
# New entry
- kind: ServiceAccount
name: aerospike-operator-controller-manager
namespace: aerospike
OpenShift Security Context Constraints (SCC)โ
On OpenShift clusters, administrators can use security context constraints (SCCs) to control permissions for pods. These permissions control which actions a pod can perform, and which resources it can access. You can use SCCs to define a set of conditions that a pod must run with, in order to be accepted into the system. See OpenShift SC Guide for details. In order to run Aerospike Enterprise Server clusters on OpenShift, the Aerospike pods need to be granted access to some of the SCC on clusters
SCC anyuid
(required)โ
Aerospike Enterprise Server images are designed to run as some non-root (any) UID. On OpenShift this requires Aerospike Pods to be allowed to run with any UID requiring anyuid
SCC.
This SCC should be granted to the Operator's service account for the aerospike
namespace using the following command:
oc adm policy add-scc-to-user anyuid system:serviceaccount:aerospike:aerospike-operator-controller-manager
SCC hostnetwork
(optional)โ
This SCC allows using host networking and host ports.
This SCC should be granted to the Operator's service account for the aerospike
namespace using the following command:
oc adm policy add-scc-to-user hostnetwork system:serviceaccount:aerospike:aerospike-operator-controller-manager
SCC privileged
(optional)โ
This SCC allows access to all privileged and host features and the ability to run as any user, any group, any FSGroup, and with any SELinux context.
For example, this is required to run Index on Flash
storage configuration with Aerospike primary index stored on SSD devices.
This SCC should be granted to the Operator's service account for the aerospike
namespace using the following command:
oc adm policy add-scc-to-user privileged system:serviceaccount:aerospike:aerospike-operator-controller-manager