Skip to main content
Loading
Version: Operator 2.0.0

Install the Operator on OpenShift using Command Line

Configure the CLIโ€‹

From a terminal login to the OpenShift cluster and ensure that the oc and kubectl commands connect to the correct OpenShift cluster.

Ensure the Operator package is visibleโ€‹

Run the following command.

kubectl get packagemanifests aerospike-kubernetes-operator-rhmp -n openshift-marketplace

You will see output similar to:

NAME                                 CATALOG               AGE
aerospike-kubernetes-operator-rhmp Red Hat Marketplace 22d

Create the Operator subscriptionโ€‹

Create a file aerospike-kubernetes-operator.yaml with the following contents:

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: aerospike-kubernetes-operator-rhmp
namespace: openshift-operators
spec:
channel: alpha
installPlanApproval: Automatic
name: aerospike-kubernetes-operator-rhmp
source: redhat-marketplace
sourceNamespace: openshift-marketplace
startingCSV: aerospike-kubernetes-operator.v2.0.0

tip

We recommend setting spec.installPlanApproval to Automatic in the aerospike-kubernetes-operator.yaml file. This setting automatically upgrades the operator whenever upgrades are available.

Create this subscription using the following command:

kubectl apply -f aerospike-kubernetes-operator.yaml

Verify the Operator is Runningโ€‹

Verify that the Operator's CSV is in the Succeeded phase.

$ kubectl get csv -n openshift-operators aerospike-kubernetes-operator.v2.0.0

You will see output similar to the following:

NAME                                   DISPLAY                         VERSION   REPLACES   PHASE
aerospike-kubernetes-operator.v2.0.0 Aerospike Kubernetes Operator 2.0.0 Succeeded

Check Operator Logsโ€‹

The Operator runs as two replicas by default, for higher availability. Run the following command to follow the logs for the Operator pods.

kubectl -n openshift-operators logs -f deployment/aerospike-operator-controller-manager manager

Sample output:

2022-01-15T19:09:58.058Z    INFO    controller-runtime.metrics  metrics server is starting to listen    {"addr": "127.0.0.1:8080"}
2022-01-15T19:09:58.062Z INFO setup Init aerospike-server config schemas

2022-01-15T19:09:58.071Z DEBUG schema-map Config schema added {"version": "4.7.0"}
2022-01-15T19:09:58.072Z INFO aerospikecluster-resource Registering mutating webhook to the webhook server
2022-01-15T19:09:58.073Z INFO controller-runtime.webhook registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikecluster"}
2022-01-15T19:09:58.073Z INFO controller-runtime.builder skip registering a mutating webhook, admission.Defaulter interface is not implemented {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeCluster"}
2022-01-15T19:09:58.073Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeCluster", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikecluster"}
2022-01-15T19:09:58.073Z INFO controller-runtime.webhook registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikecluster"}
2022-01-15T19:09:58.074Z INFO setup Starting manager
I1015 19:09:58.074722 1 leaderelection.go:243] attempting to acquire leader lease aerospike/96242fdf.aerospike.com...

Grant permissions to the target namespacesโ€‹

The Operator is installed in the openshift-operators namespace. It needs additional service accounts configured for the Kubernetes namespaces where the Aerospike clusters will be created.

The procedure to use the namespace aerospike is as follows:

Create the namespaceโ€‹

Create the Kubernetes namespace if not already created:

kubectl create namespace aerospike

Create a service accountโ€‹

kubectl -n aerospike create  serviceaccount aerospike-operator-controller-manager

Update the operator's ClusterRoleBindingโ€‹

Next, add this service account to the Operator's ClusterRoleBinding. To do this, run the following command:

kubectl edit clusterrolebindings.rbac.authorization.k8s.io $(kubectl get clusterrolebindings.rbac.authorization.k8s.io  | grep aerospike-kubernetes-operator | grep -v -- "-opera-" | cut -f 1 -d " ")

This command launches an editor. Append the following lines to the subjects section:

  # A new entry for aerospike.
# Replace aerospike with your namespace
- kind: ServiceAccount
name: aerospike-operator-controller-manager
namespace: aerospike

Save and ensure that the changes are applied.

Here is a full example of the Operator's ClusterRoleBinding targeting the aerospike namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: "2022-01-16T10:48:36Z"
labels:
olm.owner: aerospike-kubernetes-operator.v2.1.0
olm.owner.kind: ClusterServiceVersion
olm.owner.namespace: test
operators.coreos.com/aerospike-kubernetes-operator.test: ""
name: aerospike-kubernetes-operator.v2.1.0-74b946466d
resourceVersion: "51841234"
uid: be546dd5-b21e-4cc3-8a07-e2fe5fe5274c
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: aerospike-kubernetes-operator.v2.1.0-74b946466d
subjects:
- kind: ServiceAccount
name: aerospike-operator-controller-manager
namespace: operators

# New entry
- kind: ServiceAccount
name: aerospike-operator-controller-manager
namespace: aerospike

OpenShift Security Context Constraints (SCC)โ€‹

On OpenShift clusters, administrators can use security context constraints (SCCs) to control permissions for pods. These permissions control which actions a pod can perform, and which resources it can access. You can use SCCs to define a set of conditions that a pod must run with, in order to be accepted into the system. See OpenShift SC Guide for details. In order to run Aerospike Enterprise Server clusters on OpenShift, the Aerospike pods need to be granted access to some of the SCC on clusters

SCC anyuid (required)โ€‹

Aerospike Enterprise Server images are designed to run as some non-root (any) UID. On OpenShift this requires Aerospike Pods to be allowed to run with any UID requiring anyuid SCC.

This SCC should be granted to the Operator's service account for the aerospike namespace using the following command:

oc adm policy add-scc-to-user anyuid system:serviceaccount:aerospike:aerospike-operator-controller-manager

SCC hostnetwork (optional)โ€‹

This SCC allows using host networking and host ports.

This SCC should be granted to the AKO service account for the aerospike namespace using the following command:

oc adm policy add-scc-to-user hostnetwork system:serviceaccount:aerospike:aerospike-operator-controller-manager

SCC privileged (optional)โ€‹

This SCC allows access to all privileged and host features and the ability to run as any user, any group, any FSGroup, and with any SELinux context. For example, this is required to run Index on Flash storage configuration with Aerospike primary index stored on SSD devices.

This SCC should be granted to the Operator's service account for the aerospike namespace using the following command:

oc adm policy add-scc-to-user privileged system:serviceaccount:aerospike:aerospike-operator-controller-manager