Version: Operator 3.2.2

Install the Aerospike Kubernetes Operator Using Helm

Helm charts are groups of YAML files that describe Kubernetes resources and their current configurations. If you plan to use Helm charts to deploy Aerospike clusters, you also need to use Helm to install the Operator on your Kubernetes deployment.

Requirements

You first need an existing Kubernetes cluster with kubectl configured to use that cluster. See the Requirements page for Kubernetes version and other requirements.

Before installing the Operator, you must install cert-manager. The Operator uses admission webhooks, which needs TLS certificates issued by cert-manager. Follow the official cert-manager instructions to install cert-manager on your Kubernetes cluster.

note

For Kubernetes version 1.23 or later, Pod Security Admission (PSA) is enabled by default. Make sure the namespace where the Aerospike Operator is installed has either baseline or privileged Pod Security Standard level set. The restricted level is not supported by Aerospike. The default Pod Security Standard level in Kubernetes 1.23 is privileged. For more details, see Apply Pod Security Standards

Get the Helm Charts

To get the Helm charts for the Operator, clone the aerospike/aerospike-kubernetes-operator repository.

git clone https://github.com/aerospike/aerospike-kubernetes-operator.git
cd aerospike-kubernetes-operator
git checkout 3.2.2

Deploy the Aerospike Kubernetes Operator

The charts are in the helm-charts directory. Use this command to deploy the Operator:

helm install aerospike-kubernetes-operator helm-charts/aerospike-kubernetes-operator --set watchNamespaces="aerospike"

Check Operator Logs

The Operator runs as two replicas by default, for higher availability. Run the following command to follow the logs for the Operator pods.

kubectl -n <release-namespace> logs -f deployment/aerospike-kubernetes-operator manager

Output:

2023-08-01T09:07:02Z    INFO    setup   legacy OLM < 0.17 directory is present - initializing webhook server
2023-08-01T09:07:03Z    INFO    controller-runtime.metrics  Metrics server is starting to listen    {"addr": "127.0.0.1:8080"}
2023-08-01T09:07:03Z    INFO    setup   Init aerospike-server config schemas
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "4.3.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "4.5.2"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "5.6.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "4.5.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "5.2.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "5.4.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "4.0.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "4.7.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "6.0.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "5.7.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "4.1.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "5.1.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "4.5.1"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "4.6.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "5.0.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "6.1.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "6.2.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "6.4.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "6.3.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "4.2.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "4.5.3"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "5.5.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "5.3.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "4.3.1"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "4.4.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "4.8.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "4.9.0"}
2023-08-01T09:07:03Z    DEBUG   schema-map  Config schema added {"version": "7.0.0"}
2023-08-01T09:07:03Z    INFO    aerospikecluster-resource   Registering mutating webhook to the webhook server
2023-08-01T09:07:03Z    INFO    controller-runtime.webhook  Registering webhook {"path": "/mutate-asdb-aerospike-com-v1-aerospikecluster"}
2023-08-01T09:07:03Z    INFO    controller-runtime.builder  skip registering a mutating webhook, object does not implement admission.Defaulter or WithDefaulter wasn't called   {"GVK": "asdb.aerospike.com/v1, Kind=AerospikeCluster"}
2023-08-01T09:07:03Z    INFO    controller-runtime.builder  Registering a validating webhook    {"GVK": "asdb.aerospike.com/v1, Kind=AerospikeCluster", "path": "/validate-asdb-aerospike-com-v1-aerospikecluster"}
2023-08-01T09:07:03Z    INFO    controller-runtime.webhook  Registering webhook {"path": "/validate-asdb-aerospike-com-v1-aerospikecluster"}
2023-08-01T09:07:03Z    INFO    setup   Starting manager
2023-08-01T09:07:03Z    INFO    controller-runtime.webhook.webhooks Starting webhook server
2023-08-01T09:07:03Z    INFO    Starting server {"path": "/metrics", "kind": "metrics", "addr": "127.0.0.1:8080"}
2023-08-01T09:07:03Z    INFO    controller-runtime.certwatcher  Updated current TLS certificate
2023-08-01T09:07:03Z    INFO    Starting server {"kind": "health probe", "addr": "[::]:8081"}
I0801 09:07:03.213295       1 leaderelection.go:248] attempting to acquire leader lease operators/96242fdf.aerospike.com...
2023-08-01T09:07:03Z    INFO    controller-runtime.webhook  Serving webhook server  {"host": "", "port": 9443}
2023-08-01T09:07:03Z    INFO    controller-runtime.certwatcher  Starting certificate watcher

Grant permissions to the target namespaces

The Operator is installed in the <release-namespace> namespace. Grant additional permissions (by configuring ServiceAccounts and RoleBindings/ClusterRoleBindings) for the target Kubernetes namespace where the Aerospike clusters are created.

There are two ways to grant permission for the target namespaces:

Using kubectl
Using akoctl plugin

Using kubectl

The procedure to use the namespace aerospike is as follows:

Create the namespace

Create the Kubernetes namespace if not already created:

kubectl create namespace aerospike

Create a service account

kubectl -n aerospike create serviceaccount aerospike-operator-controller-manager

Create RoleBinding/ClusterRoleBinding for Aerospike cluster

Next, create a RoleBinding or ClusterRoleBinding as per requirement to attach this service account to ClusterRole aerospike-cluster. This ClusterRole is created as part of Operator installation and grants Aerospike cluster permission to service account.

For using Kubernetes native Pod only network to connect to Aerospike cluster create RoleBinding:

kubectl -n aerospike create rolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager

For connecting to Aerospike cluster from outside Kubernetes create ClusterRoleBinding:

kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager

tip

For attaching multiple service accounts of different namespaces in one go, add multiple --serviceaccount params in above command

Example: To attach service accounts of aerospike and aerospike1 namespace

kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager --serviceaccount=aerospike1:aerospike-operator-controller-manager

If the required ClusterRoleBinding already exists in cluster, edit it to attach new service account:

kubectl edit clusterrolebinding aerospike-cluster

This command launches an editor. Append the following lines to the subjects section:

  # A new entry for aerospike.
  # Replace aerospike with your namespace
- kind: ServiceAccount
  name: aerospike-operator-controller-manager
  namespace: aerospike

Save and ensure that the changes are applied.

Using akoctl plugin

For instructions on installing the akoctl plugin, see akoctl installation.

The procedure to use the namespace aerospike is as follows:

For using Kubernetes native Pod only network to connect to Aerospike cluster grant namespace scope permission:

kubectl akoctl auth create -n aerospike --cluster-scope=false

For connecting to Aerospike cluster from outside Kubernetes grant cluster scope permission:

kubectl akoctl auth create -n aerospike

tip

For granting permission of multiple namespaces in one go, specify comma separated namespace list in -n param

Example: To grant permission for aerospike and aerospike1 namespace

kubectl akoctl auth create -n aerospike,aerospike1

Configurations

Name	Description	Default
`replicas`	Number of operator replicas	`2`
`operatorImage.repository`	Operator image repository	`aerospike/aerospike-kubernetes-operator`
`operatorImage.tag`	Operator image tag	`3.2.2`
`operatorImage.pullPolicy`	Image pull policy	`IfNotPresent`
`imagePullSecrets`	Secrets containing credentials to pull Operator image from a private registry	`{}` (nil)
`rbac.create`	Set this to `true` to let helm chart automatically create RBAC resources necessary for operator	`true`
`rbac.serviceAccountName`	If `rbac.create=false`, provide a service account name to be used with the operator deployment	`default`
`healthPort`	Health port	`8081`
`metricsPort`	Metrics port	`8080`
`certs.create`	Set this to `true` to let helm chart automatically create certificates using `cert-manager`	`true`
`certs.webhookServerCertSecretName`	Kubernetes secret name which contains webhook server certificates	`webhook-server-cert`
`watchNamespaces`	Namespaces to watch. Operator will watch for `AerospikeCluster` custom resources in these namespaces.	`default`
`aerospikeKubernetesInitRegistry`	Registry used to pull aerospike-init image	`docker.io`
`resources`	Resource requests and limits for the operator pods	`requests.cpu: 10m`, `requests.memory: 64Mi` , `limits.cpu: 200m`, `limits.memory: 256Mi`
`affinity`	Affinity rules for the operator deployment	`{}` (nil)
`extraEnv`	Extra environment variables that will be passed into the operator pods	`{}` (nil)
`nodeSelector`	Node selectors for scheduling the operator pods based on node labels	`{}` (nil)
`tolerations`	Tolerations for scheduling the operator pods based on node taints	`{}` (nil)
`annotations`	Annotations for the operator deployment	`{}` (nil)
`labels`	Labels for the operator deployment	`{}` (nil)
`podAnnotations`	Annotations for the operator pods	`{}` (nil)
`podLabels`	Labels for the operator pods	`{}` (nil)
`metricsService.labels`	Labels for the operator's metrics service	`{}` (nil)
`metricsService.annotations`	Annotations for the operator's metrics service	`{}` (nil)
`metricsService.port`	Operator's metrics service port	`8443`
`metricsService.type`	Operator's metrics service type	`ClusterIP`
`webhookService.labels`	Labels for the operator's webhook service	`{}` (nil)
`webhookService.annotations`	Annotations for the operator's webhook service	`{}` (nil)
`webhookService.port`	Operator's webhook service port	`443`
`webhookService.targetPort`	Operator's webhook target port	`9443`
`webhookService.type`	Operator's webhook service type	`ClusterIP`
`podSecurityContext`	Security context for the operator pods	`{}` (nil)
`securityContex.allowPrivilegeEscalationt`	Set `allowPrivilegeEscalationt` in Security context for the operator container	`false`
`livenessProbe`	Liveliness probe for operator container	`initialDelaySeconds: 15`, `periodSeconds: 20`, `timeoutSeconds: 1`, `successThreshold: 1`, `failureThreshold: 3`
`readinessProbe`	Readiness probe for the operator container	`initialDelaySeconds: 5`, `periodSeconds: 10`, `timeoutSeconds: 1`, `successThreshold: 1`, `failureThreshold: 3`
`kubeRBACProxy.image.repository`	Kube RBAC Proxy image repository container	`gcr.io/kubebuilder/kube-rbac-proxy`
`kubeRBACProxy.image.tag`	Kube RBAC Proxy image tag	`v0.15.0`
`kubeRBACProxy.image.pullPolicy`	Kube RBAC Proxy image pull policy	`IfNotPresent`
`kubeRBACProxy.port`	Kube RBAC proxy listening port	`8443`
`kubeRBACProxy.resources`	Kube RBAC Proxy container resource	`requests.cpu: 5m`, `requests.memory: 64Mi` , `limits.cpu: 500m`, `limits.memory: 128Mi`

Requirements​

Get the Helm Charts​

Deploy the Aerospike Kubernetes Operator​

Check Operator Logs​

Grant permissions to the target namespaces​

Using kubectl​

Create the namespace​

Create a service account​

Create RoleBinding/ClusterRoleBinding for Aerospike cluster​

Using akoctl plugin​

Configurations​