# Use Helm to create an Aerospike Cluster on Kubernetes

This page describes how to use AKO to deploy an Aerospike Database Enterprise Edition (EE) cluster using Helm.

## Prerequisites

Before deploying your Aerospike cluster using Helm, you need to install Aerospike Kubernetes Operator (AKO). You can [use Helm to install AKO](https://aerospike.com/docs/kubernetes/4.3.x/install/helm) on your Kubernetes cluster.

In Kubernetes 1.23 and later, Pod Security Admission (PSA) is enabled by default. Make sure the namespace where the Aerospike cluster is installed has either `baseline` or `privileged` Pod Security Standard level set. The `restricted` level is not supported by Aerospike. The default Pod Security Standard level in Kubernetes 1.23 is `privileged`. For more details, see [Apply Pod Security Standards](https://kubernetes.io/docs/tutorials/security/ns-level-pss/).

## Deploy Aerospike Database with AKO

1.  Create the namespace.
    
    ::: note
    If you have already created and granted AKO permissions for a namespace, you can skip this step and go directly to storage configuration.
    :::
    
    Aerospike recommends deploying Aerospike clusters in at least one dedicated namespace called `aerospike`, rather than in AKO’s own namespace. If this is the first cluster you are launching, create this namespace and grant AKO access to it.
    
    You can use the `kubectl` or `akoctl` tools to grant permissions for the `aerospike` namespace.
    
    Using `kubectl`:
    
    1.  Create the Kubernetes namespace if it doesn’t already exist.
        
        ```plaintext
        kubectl create namespace aerospike
        ```
        
    2.  Create a service account.
        
        ```plaintext
        kubectl -n aerospike create serviceaccount aerospike-operator-controller-manager
        ```
        
    3.  Create a RoleBinding or ClusterRoleBinding to attach this service account to the `aerospike-cluster` ClusterRole. This ClusterRole is created as part of AKO installation and grants Aerospike cluster permissions to the service account.
        
        -   For using the Kubernetes native pod-only network to connect to the Aerospike cluster:
            
            1.  Create a RoleBinding with the following command:
                
                ```plaintext
                kubectl -n aerospike create rolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager
                ```
                
        -   For connecting to the Aerospike cluster from outside Kubernetes:
            
            1.  Create a ClusterRoleBinding with the following command:
                
                ```plaintext
                kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager
                ```
                
                Add multiple `--serviceaccount` parameters to the previous command to attach multiple service accounts of different namespaces at one time.
                
                Example: To attach service accounts of the aerospike and aerospike1 namespaces:
                
                ```plaintext
                kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager --serviceaccount=aerospike1:aerospike-operator-controller-manager
                ```
                
            2.  If the required ClusterRoleBinding already exists in the cluster, edit it to attach a new service account.
                
                ```plaintext
                kubectl edit clusterrolebinding aerospike-cluster
                ```
                
            3.  The `kubectl edit` command launches an editor. Append the following lines to the `subjects` section:
                
                ```plaintext
                - kind: ServiceAccount
                  name: aerospike-operator-controller-manager
                  namespace: aerospike
                ```
                
            4.  Save and ensure that the changes are applied.
                
    
    To use `akoctl` instead, first install the plugin; see [akoctl installation](https://aerospike.com/docs/kubernetes/manage/akoctl/#install-akoctl-with-krew-plugin-manager).
    
    -   For using the Kubernetes native pod-only network to connect to the Aerospike cluster, grant namespace scope permissions:
        
        ```plaintext
        kubectl akoctl auth create -n aerospike --cluster-scope=false
        ```
        
    -   For connecting to the Aerospike cluster from outside Kubernetes, grant cluster scope permissions:
        
        ```plaintext
        kubectl akoctl auth create -n aerospike
        ```
        
        To grant permissions for multiple namespaces at the same time, specify a comma-separated namespace list with the `-n` flag.
        
        ```plaintext
        kubectl akoctl auth create -n aerospike,aerospike1
        ```
        
    
2.  Configure persistent storage.
    
    AKO utilizes dynamically-provisioned storage classes. This architecture enables Aerospike Database pods to associate distinct storage volumes with each individual service.
    
    Persistent storage on the pods supports a variety of storage class provisioners. [Sample storage class files](https://github.com/aerospike/aerospike-kubernetes-operator/tree/v4.3.0/config/samples/storage) are available for download in the AKO GitHub repository. Apply the appropriate sample storage class for your Kubernetes environment:
    
    -   Amazon Elastic Kubernetes Service (EKS): `kubectl apply -f eks_ssd_storage_class.yaml`
    -   Google Compute Engine (GCE): `kubectl apply -f gce_ssd_storage_class.yaml`
    -   Microk8s: `kubectl apply -f microk8s_filesystem_storage_class.yaml`
    
    See [Storage Provisioning](https://aerospike.com/docs/kubernetes/4.3.x/manage/storage/storage-provisioning) for more details on configuring persistent storage.
    
3.  Add the Helm repository to get the Helm charts.
    
    ```bash
    helm repo add aerospike https://aerospike.github.io/aerospike-kubernetes-enterprise
    
    helm repo update
    ```
    
    This URL is a Helm chart repository. Helm reads the `index.yaml` at this location internally. If you open it in a browser you may see a 404. Go to `https://aerospike.github.io/aerospike-kubernetes-enterprise/index.yaml` to inspect the YAML manually.
    
4.  Deploy the cluster. Choose “dev” or “production” mode for your deployment.
    
    #### Deploy in “dev” mode
    
    “Dev” mode creates a minimal Aerospike cluster with security disabled. Use this for testing only, not in production.
    
    Create a Secret containing the Aerospike feature-key file `features.conf`.
    
    ```bash
    kubectl -n aerospike create secret generic aerospike-secret --from-file=PATH_TO_FEATURES_CONF_DIRECTORY
    ```
    
    #### Default values in “dev” mode
    
    These values are set as defaults when the cluster is deployed in “dev” mode (`devMode=true`).
    
    ```yaml
    aerospikeConfig:
      service:
        feature-key-file: /etc/aerospike/secrets/features.conf
      network:
        service:
          port: 3000
        fabric:
          port: 3001
        heartbeat:
          port: 3002
      namespaces:
        - name: test
          replication-factor: 2
          storage-engine:
            type: memory
            data-size: 1073741824
    podSpec:
      multiPodPerHost: true
    storage:
      volumes:
      - name: aerospike-config-secret
        source:
          secret:
            secretName: aerospike-secret
        aerospike:
          path: /etc/aerospike/secrets
    validationPolicy:
      skipWorkDirValidate: true
    ```
    
    Install the chart.
    
    ```bash
    helm install aerospike aerospike/aerospike-cluster -n aerospike --set devMode=true
    ```
    
    ::: tip
    This command assumes a few defaults and deploys an Aerospike cluster in “dev” mode with no data persistence. For other configurations, create a custom YAML file with your required settings and apply it with `helm install`.
    :::
    
    #### Deploy in “production” mode
    
    #### Create Secrets
    
    Create Secrets to set up features like the feature-key file (`features.conf`), Aerospike authentication, TLS, and the cluster admin password. See the [Manage TLS Certificates](https://aerospike.com/docs/kubernetes/4.3.x/manage/security/certificates) section for more details.
    
    The [example Secrets directory](https://github.com/aerospike/aerospike-kubernetes-operator/tree/v4.3.0/config/samples/secrets) includes a collection of example files such as TLS certificates and security credentials. Download these files into a local folder called `secrets`, then apply them as a Kubernetes Secret:
    
    ```shell
    kubectl -n aerospike create secret generic aerospike-secret --from-file=secrets
    ```
    
    Next, create a Secret containing the password for the Aerospike cluster admin. Replace the example password `admin123` with your own value:
    
    ```shell
    kubectl -n aerospike create secret generic auth-secret --from-literal=password='admin123'
    ```
    
    This is an example of a custom user-defined `values.yaml` file not using “dev” mode (installed with `devMode=false`).
    
    ```yaml
    ## Aerospike cluster size
    replicas: 3

    ## Aerospike Database Docker image
    image:
      repository: aerospike/aerospike-server-enterprise
      tag: 8.1.1.0

    ## Aerospike access control configuration
    aerospikeAccessControl:
      users:
        - name: admin
          secretName: auth-secret
          roles:
            - sys-admin
            - user-admin

    ## Aerospike Configuration
    aerospikeConfig:
      service:
        feature-key-file: /etc/aerospike/secret/features.conf
      security: {}
      network:
        service:
          port: 3000
        heartbeat:
          port: 3002
        fabric:
          port: 3001
      namespaces:
        - name: test
          replication-factor: 2
          storage-engine:
            type: device
            devices:
              - /test/dev/xvdf
        - name: testMem
          replication-factor: 1
          storage-engine:
            type: memory
            data-size: 1073741824

    ## Network policy
    aerospikeNetworkPolicy: {}

    ## Pod spec
    podSpec:
      multiPodPerHost: true

    ## Rack configuration
    rackConfig:
      namespaces:
        - test
      racks:
        - id: 1
          # Change to the zone for your k8s cluster.
          zone: us-central1-c
        - id: 2
          # Change to the zone for your k8s cluster.
          zone: us-central1-c

    ## Storage configuration
    storage:
      filesystemVolumePolicy:
        cascadeDelete: true
        initMethod: deleteFiles
      blockVolumePolicy:
        cascadeDelete: true
      volumes:
        - name: workdir
          aerospike:
            path: /opt/aerospike
          source:
            persistentVolume:
              storageClass: ssd
              volumeMode: Filesystem
              size: 1Gi
        - name: ns
          aerospike:
            path: /test/dev/xvdf
          source:
            persistentVolume:
              storageClass: ssd
              volumeMode: Block
              size: 5Gi
        - name: aerospike-config-secret
          source:
            secret:
              secretName: aerospike-secret
          aerospike:
            path: /etc/aerospike/secret

    ## Validation policy
    validationPolicy:
      skipWorkDirValidate: false

    ## seedsFinderServices defines service, such as loadbalancer, to connect to Aerospike
    seedsFinderServices: {}

    ## operatorClientCert defines certificates to connect to Aerospike
    operatorClientCert: {}

    ## Dev Mode
    devMode: false
    ```
    
    Install the chart with custom values. Replace _`PATH_TO_CUSTOM_YAML_FILE`_ with the path to your custom configuration file.
    
    ```bash
    helm install aerospike aerospike/aerospike-cluster -n aerospike -f PATH_TO_CUSTOM_YAML_FILE
    ```
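
The ClusterRoleBinding created in step 1 grants the `aerospike-cluster` ClusterRole cluster-wide, and its `subjects` list grows each time another namespace is attached. The shell functions below are an added example, not part of the Aerospike documentation or AKO: they list the binding's subjects and flag any entry that is not the `aerospike-operator-controller-manager` service account in a namespace you expect. The function names, `EXPECTED_SA`, `SAMPLE_SUBJECTS`, and the `default/ci-runner` and `alice` entries are constructed for illustration.

```shell
# Added example: audit the subjects of the aerospike-cluster ClusterRoleBinding.

# Service account name used throughout this page.
EXPECTED_SA="aerospike-operator-controller-manager"

# Constructed sample of list_binding_subjects output, for an offline dry run.
SAMPLE_SUBJECTS='ServiceAccount aerospike/aerospike-operator-controller-manager
ServiceAccount default/ci-runner
User /alice'

# Print the binding's subjects as "Kind namespace/name" lines.
# Needs kubectl access to the cluster; $1 is the binding name.
list_binding_subjects() {
  kubectl get clusterrolebinding "${1:-aerospike-cluster}" \
    -o jsonpath='{range .subjects[*]}{.kind}{" "}{.namespace}{"/"}{.name}{"\n"}{end}'
}

# Read "Kind namespace/name" lines on stdin and print every subject that is
# not the expected service account in an allowed namespace.
# $1 is a comma-separated list of allowed namespaces.
# Exit status is 1 when at least one unexpected subject was printed.
unexpected_subjects() (
  allowed=",$1,"
  rc=0
  while read -r kind ref; do
    [ -n "$kind" ] || continue
    ns=${ref%%/*}      # text before the first "/"
    name=${ref#*/}     # text after the first "/"
    ok=no
    if [ "$kind" = "ServiceAccount" ] && [ "$name" = "$EXPECTED_SA" ]; then
      case "$allowed" in *",$ns,"*) ok=yes ;; esac
    fi
    if [ "$ok" = no ]; then
      echo "$kind $ref"
      rc=1
    fi
  done
  exit "$rc"
)

# Usage against a live cluster:
#   list_binding_subjects | unexpected_subjects aerospike,aerospike1
# Offline dry run with the constructed sample:
#   printf '%s\n' "$SAMPLE_SUBJECTS" | unexpected_subjects aerospike
```
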
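
For the `auth-secret` step above, `--from-literal` places the password on the command line, where it is recorded in shell history and visible in the process list. The following added example (not from the Aerospike documentation) writes a random password to a private temporary file and creates the same Secret with `--from-file=password=...`; the function names and the `KUBECTL` override variable are assumptions made here.

```shell
# Added example: create auth-secret without a password on the command line.

# Write a random alphanumeric password to file $1 with no trailing newline.
# --from-file stores the file bytes exactly, so a trailing newline would
# become part of the password. $2 is the length (default 32).
write_random_password() (
  umask 077                      # file readable by the current user only
  len=${2:-32}
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len" > "$1"
)

# Create the Secret named auth-secret in the aerospike namespace, with the
# key "password" that the values file on this page refers to.
# Set KUBECTL=echo to print the command instead of running it.
# $1 is the password length (default 32).
create_auth_secret() (
  tmp=$(mktemp) || exit 1
  trap 'rm -f "$tmp"' EXIT       # remove the plaintext file on any exit
  write_random_password "$tmp" "${1:-32}" || exit 1
  ${KUBECTL:-kubectl} create secret generic auth-secret -n aerospike \
    --from-file=password="$tmp"
)

# Usage:
#   create_auth_secret            # against the current kubectl context
#   KUBECTL=echo create_auth_secret 24   # dry run, prints the command
```

The generated password exists only in the Secret afterwards; read it back with `kubectl -n aerospike get secret auth-secret -o jsonpath='{.data.password}' | base64 -d` when you need to log in as `admin`.
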
    

## Configuration reference

For more details on these configurations, see the Aerospike [Cluster Configuration Settings](https://aerospike.com/docs/kubernetes/4.3.x/reference/config-reference).

| Name | Description | Default |
| --- | --- | --- |
| `replicas` | Aerospike cluster size. | `3` |
| `image.repository` | Aerospike Database container image repository. | `aerospike/aerospike-server-enterprise` |
| `image.tag` | Aerospike Database container image tag. | `8.1.1.0` |
| `imagePullSecrets` | Secrets containing credentials to pull Aerospike container image from a private registry. | `{}` (nil) |
| `customLabels` | Custom labels to add on the Aerospike cluster resource. | `{}` (nil) |
| `aerospikeAccessControl` | Aerospike access control configuration. Define users and roles to be created on the cluster. | `{}` (nil) |
| `aerospikeConfig` | Aerospike configuration. | `{}` (nil) |
| `aerospikeNetworkPolicy` | Network policy (client access configuration). | `{}` (nil) |
| `commonName` | Base string for naming pods, services, stateful sets, and so forth. | Release name truncated to 63 characters without hyphens |
| `podSpec` | Aerospike pod spec configuration. | `{}` (nil) |
| `rackConfig` | Aerospike rack configuration. | `{}` (nil) |
| `storage` | Aerospike pod storage configuration. | `{}` (nil) |
| `validationPolicy` | Validation policy. | `{}` (nil) |
| `operatorClientCert` | Client certificates to connect to Aerospike. | `{}` (nil) |
| `seedsFinderServices` | Service, such as loadbalancer, for Aerospike cluster discovery. | `{}` (nil) |
| `devMode` | Deploy Aerospike cluster in dev mode. | `false` |