Version: Operator 4.0.0

Install the Aerospike Kubernetes Operator Using Helm

Overview

This page describes how to use Helm charts to install the Aerospike Kubernetes Operator (AKO).

Helm charts are groups of YAML files that describe Kubernetes resources and their current configurations. If you plan to use Helm charts to deploy Aerospike clusters, you also need to use Helm to install the AKO on your Kubernetes deployment.

Requirements

  1. Install kubectl.
  2. You need a running Kubernetes cluster.
  3. Install cert-manager. AKO uses admission webhooks, which need TLS certificates issued by cert-manager.
  4. Install Helm.
Note:

In Kubernetes 1.23 and later, Pod Security Admission (PSA) is enabled by default. Make sure the namespace where the AKO is installed has either baseline or privileged Pod Security Standard level set. The restricted level is not supported by Aerospike. The default Pod Security Standard level in Kubernetes 1.23 is privileged. For more details, see Apply Pod Security Standards.

Install AKO

  1. Add the Helm repository to get the AKO Helm charts.

    helm repo add aerospike https://aerospike.github.io/aerospike-kubernetes-enterprise

    If the Helm repository is already added, update the index:

    helm repo update
  2. Install AKO on your Kubernetes cluster.

    helm install aerospike-kubernetes-operator aerospike/aerospike-kubernetes-operator --version=4.0.0 --set watchNamespaces="aerospike"

Check AKO logs

AKO runs as two replicas by default for higher availability. Run the following command to follow the logs for the AKO pods.

    kubectl -n <release-namespace> logs -f deployment/aerospike-kubernetes-operator manager

Sample output:

2025-02-04T07:59:36Z    INFO    setup   Initializing webhook certificate watcher using provided certificates    {"webhook-cert-path": "/tmp/k8s-webhook-server/serving-certs", "webhook-cert-name": "tls.crt", "webhook-cert-key": "tls.key"}
2025-02-04T07:59:36Z INFO controller-runtime.certwatcher Updated current TLS certificate
2025-02-04T07:59:36Z INFO setup Init aerospike-server config schemas
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "6.3.0"}
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "6.4.0"}
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "7.0.0"}
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "7.1.0"}
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "7.2.0"}
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "6.0.0"}
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "6.1.0"}
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "6.2.0"}
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "8.0.0"}
2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1, Kind=AerospikeCluster", "path": "/mutate-asdb-aerospike-com-v1-aerospikecluster"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1-aerospikecluster"}
2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1, Kind=AerospikeCluster", "path": "/validate-asdb-aerospike-com-v1-aerospikecluster"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1-aerospikecluster"}
2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackupService", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackupservice"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackupservice"}
2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackupService", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackupservice"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackupservice"}
2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackup", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackup"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackup"}
2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackup", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackup"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackup"}
2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeRestore", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikerestore"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikerestore"}
2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeRestore", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikerestore"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikerestore"}
2025-02-04T07:59:36Z INFO setup Adding webhook certificate watcher to manager
2025-02-04T07:59:36Z INFO setup Starting manager
2025-02-04T07:59:36Z INFO controller-runtime.metrics Starting metrics server
2025-02-04T07:59:36Z INFO setup disabling http/2
2025-02-04T07:59:36Z INFO starting server {"name": "health probe", "addr": "[::]:8081"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Starting webhook server
2025-02-04T07:59:36Z INFO setup disabling http/2
2025-02-04T07:59:36Z INFO controller-runtime.webhook Serving webhook server {"host": "", "port": 9443}

Grant permissions to the target namespaces

AKO is installed in the <release-namespace> namespace. Grant additional permissions by configuring ServiceAccounts and RoleBindings or ClusterRoleBindings for the target Kubernetes namespace where the Aerospike clusters are created.

You can use the kubectl or akoctl tools to grant permissions for the aerospike namespace.

  1. Create the Kubernetes namespace if not already created.

    kubectl create namespace aerospike
  2. Create a service account.

    kubectl -n aerospike create serviceaccount aerospike-operator-controller-manager
  3. Create a RoleBinding or ClusterRoleBinding to attach this service account to the aerospike-cluster ClusterRole. This ClusterRole is created as part of AKO installation and grants Aerospike cluster permissions to the service account.

    • For using the Kubernetes native, pod-only network to connect to the Aerospike cluster, create a RoleBinding with the following command:

      kubectl -n aerospike create rolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager
    • For connecting to the Aerospike cluster from outside Kubernetes, create a ClusterRoleBinding with the following command:

      kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager
      Tip:

      For attaching multiple service accounts of different namespaces at one time, add multiple --serviceaccount parameters to the previous command.

      Example: To attach service accounts of the aerospike and aerospike1 namespaces:

      kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager --serviceaccount=aerospike1:aerospike-operator-controller-manager
  4. If the required ClusterRoleBinding already exists in the cluster, edit it to attach a new service account.

    kubectl edit clusterrolebinding aerospike-cluster
  5. The kubectl edit command launches an editor. Append the following lines to the subjects section:

    # A new entry for aerospike.
    # Replace aerospike with your namespace
    - kind: ServiceAccount
      name: aerospike-operator-controller-manager
      namespace: aerospike
  6. Save and ensure that the changes are applied.
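
To confirm that the bindings created in steps 3 to 5 grant the aerospike-cluster ClusterRole only to the intended service accounts, the following added example (not part of the original page or of AKO) audits the JSON printed by `kubectl get rolebindings,clusterrolebindings -A -o json`. The `audit_bindings` function, its parameters, and the embedded sample data are assumptions made for illustration.

```python
import json

ROLE = "aerospike-cluster"                         # ClusterRole created by the AKO install
SA_NAME = "aerospike-operator-controller-manager"  # service account from step 2

# Constructed sample, shaped like the output of
#   kubectl get rolebindings,clusterrolebindings -A -o json
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "RoleBinding",
  "metadata": {"name": "aerospike-cluster", "namespace": "aerospike"},
  "roleRef": {"kind": "ClusterRole", "name": "aerospike-cluster"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "aerospike",
                "name": "aerospike-operator-controller-manager"}]},
 {"kind": "ClusterRoleBinding",
  "metadata": {"name": "aerospike-cluster"},
  "roleRef": {"kind": "ClusterRole", "name": "aerospike-cluster"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "aerospike1",
                "name": "aerospike-operator-controller-manager"},
               {"kind": "ServiceAccount", "namespace": "dev", "name": "default"}]},
 {"kind": "ClusterRoleBinding",
  "metadata": {"name": "unrelated"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]}
]}
""")


def audit_bindings(doc, expected_namespaces, allow_cluster_wide=False):
    """Return (binding, subject, problem) tuples for grants of ROLE that
    fall outside what the procedure on this page sets up."""
    findings = []
    for item in doc.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != ROLE:
            continue                                # binding is for some other role
        kind = item["kind"]
        binding = f'{kind}/{item["metadata"]["name"]}'
        cluster_wide = kind == "ClusterRoleBinding"
        for s in item.get("subjects") or []:        # subjects may be absent or null
            subject = f'{s.get("kind")}:{s.get("namespace", "-")}/{s.get("name")}'
            if s.get("kind") != "ServiceAccount" or s.get("name") != SA_NAME:
                findings.append((binding, subject, "unexpected subject"))
            elif s.get("namespace") not in expected_namespaces:
                findings.append((binding, subject, "namespace not expected"))
            elif cluster_wide and not allow_cluster_wide:
                findings.append((binding, subject, "cluster-wide grant"))
    return findings
```

Pass the set of namespaces you listed in watchNamespaces as `expected_namespaces`, and set `allow_cluster_wide=True` only when clients connect to the Aerospike cluster from outside Kubernetes.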

Configuration reference

| Name | Description | Default |
|------|-------------|---------|
| replicas | Number of AKO replicas | 2 |
| operatorImage.repository | AKO image repository | aerospike/aerospike-kubernetes-operator |
| operatorImage.tag | AKO image tag | 4.0.0 |
| operatorImage.pullPolicy | Image pull policy | IfNotPresent |
| imagePullSecrets | Secrets containing credentials to pull AKO image from a private registry | {} (nil) |
| rbac.create | Set this to true to let the Helm chart automatically create RBAC resources necessary for AKO | true |
| rbac.serviceAccountName | If rbac.create=false, provide a service account name to be used with the AKO deployment | default |
| healthPort | Health port | 8081 |
| metricsPort | Metrics port | 8080 |
| certs.create | Set this to true to let the Helm chart automatically create certificates using cert-manager | true |
| certs.webhookServerCertSecretName | Kubernetes secret name that contains webhook server certificates | webhook-server-cert |
| watchNamespaces | Namespaces to watch. AKO watches for AerospikeCluster custom resources in these namespaces. | default |
| aerospikeKubernetesInitRegistry | Registry used to pull aerospike-init image | docker.io |
| resources | Resource requests and limits for the AKO pods | requests.cpu: 10m, requests.memory: 64Mi, limits.cpu: 200m, limits.memory: 256Mi |
| affinity | Affinity rules for the AKO deployment | {} (nil) |
| extraEnv | Extra environment variables that are passed into the AKO pods | {} (nil) |
| nodeSelector | Node selectors for scheduling the AKO pods based on node labels | {} (nil) |
| tolerations | Tolerations for scheduling the AKO pods based on node taints | {} (nil) |
| annotations | Annotations for the AKO deployment | {} (nil) |
| labels | Labels for the AKO deployment | {} (nil) |
| podAnnotations | Annotations for the AKO pods | {} (nil) |
| podLabels | Labels for the AKO pods | {} (nil) |
| metricsService.labels | Labels for the AKO metrics service | {} (nil) |
| metricsService.annotations | Annotations for the AKO metrics service | {} (nil) |
| metricsService.port | The AKO metrics service port | 8443 |
| metricsService.type | The AKO metrics service type | ClusterIP |
| webhookService.labels | Labels for the AKO webhook service | {} (nil) |
| webhookService.annotations | Annotations for the AKO webhook service | {} (nil) |
| webhookService.port | The AKO webhook service port | 443 |
| webhookService.targetPort | The AKO webhook target port | 9443 |
| webhookService.type | The AKO webhook service type | ClusterIP |
| podSecurityContext | Security context for the AKO pods | {} (nil) |
| securityContext.allowPrivilegeEscalation | Set allowPrivilegeEscalation in the security context for the AKO container | false |
| livenessProbe | Liveness probe for the AKO container | initialDelaySeconds: 15, periodSeconds: 20, timeoutSeconds: 1, successThreshold: 1, failureThreshold: 3 |
| readinessProbe | Readiness probe for the AKO container | initialDelaySeconds: 5, periodSeconds: 10, timeoutSeconds: 1, successThreshold: 1, failureThreshold: 3 |