Use Helm to Create an Aerospike Cluster on Kubernetes
Follow these instructions to use the Operator to deploy the Aerospike cluster using Helm.
Requirementsโ
Before deploying your Aerospike cluster using Helm, you must use Helm to install the Aerospike Kubernetes Operator on your cluster.
For Kubernetes 1.23 or later, Pod Security Admission (PSA) is enabled by default. Make sure the namespace where the Aerospike cluster is deployed has either baseline
or privileged
Pod Security Standard level set.
The restricted
level is not supported by Aerospike. The default Pod Security Standard level in Kubernetes 1.23 is privileged
.
For more details, see Apply Pod Security Standards
1. Prepare the namespaceโ
We recommend that you use at least one namespace called aerospike
for Aerospike clusters instead of Aerospike Kubernetes Operator's (AKO) namespace for your clusters.
If this is the first cluster to be launched, create and provide access for the AKO to use this namespace.
For Kubernetes 1.23 or later, Pod Security Admission (PSA) is enabled by default. Make sure the namespace where the Aerospike cluster is deployed has either baseline
or privileged
Pod Security Standard level set.
The restricted
level is not supported by Aerospike. The default Pod Security Standard level in Kubernetes 1.23 is privileged
.
For more details, see Apply Pod Security Standards
There are two ways to grant permission for the target namespaces:
Using kubectlโ
The procedure to use the namespace aerospike
is as follows:
Create the namespaceโ
Create the Kubernetes namespace if not already created:
kubectl create namespace aerospike
Create a service accountโ
kubectl -n aerospike create serviceaccount aerospike-operator-controller-manager
Create RoleBinding/ClusterRoleBinding for Aerospike clusterโ
Next, create a RoleBinding or ClusterRoleBinding as per requirement to attach this service account to ClusterRole aerospike-cluster
.
This ClusterRole is created as part of Operator installation and grants Aerospike cluster permission to service account.
- For using Kubernetes native Pod only network to connect to Aerospike cluster create RoleBinding:
kubectl -n aerospike create rolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager
- For connecting to Aerospike cluster from outside Kubernetes create ClusterRoleBinding:
kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager
For attaching multiple service accounts of different namespaces in one go, add multiple --serviceaccount
params in above command
Example: To attach service accounts of aerospike and aerospike1 namespace
kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager --serviceaccount=aerospike1:aerospike-operator-controller-manager
If the required ClusterRoleBinding already exists in cluster, edit it to attach new service account:
kubectl edit clusterrolebinding aerospike-cluster
This command launches an editor. Append the following lines to the subjects section:
# A new entry for aerospike.
# Replace aerospike with your namespace
- kind: ServiceAccount
name: aerospike-operator-controller-manager
namespace: aerospike
Save and ensure that the changes are applied.
Using akoctl pluginโ
For instructions on installing the akoctl
plugin, see akoctl installation.
The procedure to use the namespace aerospike
is as follows:
- For using Kubernetes native Pod only network to connect to Aerospike cluster grant namespace scope permission:
kubectl akoctl auth create -n aerospike --cluster-scope=false
- For connecting to Aerospike cluster from outside Kubernetes grant cluster scope permission:
kubectl akoctl auth create -n aerospike
For granting permission of multiple namespaces in one go, specify comma separated namespace list in -n
param
Example: To grant permission for aerospike and aerospike1 namespace
kubectl akoctl auth create -n aerospike,aerospike1
2. Configure persistent storageโ
The AKO uses dynamically-provisioned storage classes that automatically provision storage as needed. Aerospike Database pods may have different storage volumes associated with each service. Persistent storage on the pods uses storage class provisioners that are set up in the storage class file.
Apply one of the following sample storage classes based on your Kubernetes environment:
- Amazon Elastic Kubernetes Service (EKS):
kubectl apply -f eks_ssd_storage_class.yaml
- Google Compute Engine (GCE):
kubectl apply -f gce_ssd_storage_class.yaml
- Microk8s:
kubectl apply -f microk8s_filesystem_storage_class.yaml
See Storage Provisioning for more details on configuring persistent storage.
3. Get the Helm chartsโ
To get the Helm charts, clone the aerospike/aerospike-kubernetes-operator
repository.
git clone https://github.com/aerospike/aerospike-kubernetes-operator.git
The charts are in the helm-charts
folder of this repository.
Go to this folder and ensure you have the right version of the files with git checkout <AKO version>
.
cd aerospike-kubernetes-operator
cd helm-charts
git checkout 3.2.2
4. Deploy the clusterโ
Deploy in "dev" modeโ
"Dev" mode creates a minimal Aerospike cluster with security disabled. Use this for testing only, not in production.
Create a Secret containing the Aerospike feature-key file features.conf
.
kubectl create secret generic aerospike-secret --from-file=[path to your features.conf file]
Default values in "dev" modeโ
These values are set as defaults when the cluster is deployed in "dev" mode (devMode=true
).
aerospikeConfig:
service:
feature-key-file: /etc/aerospike/secrets/features.conf
network:
service:
port: 3000
fabric:
port: 3001
heartbeat:
port: 3002
namespaces:
- name: test
replication-factor: 2
storage-engine:
type: memory
data-size: 1073741824
podSpec:
multiPodPerHost: true
storage:
volumes:
- name: aerospike-config-secret
source:
secret:
secretName: aerospike-secret
aerospike:
path: /etc/aerospike/secrets
validationPolicy:
skipWorkDirValidate: true
skipXdrDlogFileValidate: true
Install the chart.
helm install aerospike helm-charts/aerospike-cluster --set devMode=true
This command assumes few defaults, and deploys an Aerospike cluster in "dev" mode with no data persistence. We recommend you create a custom YAML file with your required configurations, and apply it with helm install
.
Deploy in "production" mode (devMode=false
)โ
Create Secretsโ
Create Secrets to set up features like the feature-key file (features.conf
), Aerospike authentication, TLS, and the cluster admin password. See the Manage TLS Certificates section for more details.
The example Secrets directory includes a collection of example TLS certificates, security credentials, and more.
Download these files into a local folder called secrets
, then apply them as a Kubernetes Secret:
kubectl -n aerospike create secret generic aerospike-secret --from-file=secrets
Next, create a Secret containing the password for the Aerospike cluster admin:
kubectl -n aerospike create secret generic auth-secret --from-literal=password='admin123'
This is an example of a custom user-defined values.yaml
file not using "dev" mode (installed with devMode=false
).
## Aerospike cluster size
replicas: 3
## Aerospike server docker image
image:
repository: aerospike/aerospike-server-enterprise
tag: 7.0.0.0
## Aerospike access control configuration
aerospikeAccessControl:
users:
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin
## Aerospike Configuration
aerospikeConfig:
service:
feature-key-file: /etc/aerospike/secret/features.conf
security: {}
network:
service:
port: 3000
heartbeat:
port: 3002
fabric:
port: 3001
namespaces:
- name: test
replication-factor: 2
storage-engine:
type: device
devices:
- /test/dev/xvdf
- name: testMem
replication-factor: 1
storage-engine:
type: memory
data-size: 1073741824
## Network policy
aerospikeNetworkPolicy: {}
## Pod spec
podSpec:
multiPodPerHost: true
## Rack configuration
rackConfig:
namespaces:
- test
racks:
- id: 1
# Change to the zone for your k8s cluster.
zone: us-central1-c
- id: 2
# Change to the zone for your k8s cluster.
zone: us-central1-c
## Storage configuration
storage:
filesystemVolumePolicy:
cascadeDelete: true
initMethod: deleteFiles
blockVolumePolicy:
cascadeDelete: true
volumes:
- name: workdir
aerospike:
path: /opt/aerospike
source:
persistentVolume:
storageClass: ssd
volumeMode: Filesystem
size: 1Gi
- name: ns
aerospike:
path: /test/dev/xvdf
source:
persistentVolume:
storageClass: ssd
volumeMode: Block
size: 5Gi
- name: aerospike-config-secret
source:
secret:
secretName: aerospike-secret
aerospike:
path: /etc/aerospike/secret
## Validation policy
validationPolicy:
skipWorkDirValidate: false
skipXdrDlogFileValidate: false
## seedsFinderServices defines service (e.g. loadbalancer) to connect to Aerospike
seedsFinderServices: {}
## operatorClientCert defines certificates to connect to Aerospike
operatorClientCert: {}
## Dev Mode
devMode: false
Install the chart with custom values.
helm install aerospike helm-charts/aerospike-cluster/ -f [custom YAML file]
Configurationsโ
For more details on these configurations, see the Aerospike Cluster Configuration Settings.
Name | Description | Default |
---|---|---|
replicas | Aerospike cluster size. | 3 |
image.repository | Aerospike Server container image repository. | aerospike/aerospike-server-enterprise |
image.tag | Aerospike Server container image tag. | 7.0.0.0 |
imagePullSecrets | Secrets containing credentials to pull Aerospike container image from a private registry. | {} (nil) |
customLabels | Custom labels to add on the Aerospike cluster resource | {} (nil) |
aerospikeAccessControl | Aerospike access control configuration. Define users and roles to be created on the cluster. | {} (nil) |
aerospikeConfig | Aerospike configuration. | {} (nil) |
aerospikeNetworkPolicy | Network policy (client access configuration). | {} (nil) |
commonName | Base string for naming pods, services, stateful sets, and so forth. | Release name truncated to 63 characters without hyphens |
podSpec | Aerospike pod spec configuration. | {} (nil) |
rackConfig | Aerospike rack configuration. | {} (nil) |
storage | Aerospike pod storage configuration. | {} (nil) |
validationPolicy | Validation policy. | {} (nil) |
operatorClientCert | Client certificates to connect to Aerospike. | {} (nil) |
seedsFinderServices | Service (e.g. loadbalancer) for Aerospike cluster discovery. | {} (nil) |
devMode | Deploy Aerospike cluster in dev mode. | false |