Install the Aerospike Kubernetes Operator on Red Hat OpenShift
Aerospike Kubernetes Operator (AKO) is a Red Hat Marketplace certified operator. It is available through the Red Hat certified operators catalog.
Install AKO
You can install AKO on your OpenShift cluster using any of the following methods:
- Web Console
- Command Line
This is the procedure to install AKO on Red Hat OpenShift using the web console.
Launch the OpenShift web console.
Using the Administrator view, navigate to Operators > OperatorHub.
Search for Aerospike.
Select the Marketplace version of the Aerospike Kubernetes Operator as shown in the following image.
A dialog appears describing the Operator as shown in the following image. Click Install to install the Operator.
Configure the Operator installation using the following image as an example.
Select openshift-operators as the namespace.
Select Automatic for Upgrade Approval to automatically upgrade the Operator whenever upgrades are available.
After a successful installation, a message similar to the following appears.
Select View Operator to verify the Operator details. The details should be similar to the following example.
From a terminal, log in to the OpenShift cluster and ensure that the oc and kubectl commands connect to the correct OpenShift cluster.
This is the procedure to install AKO on Red Hat OpenShift using the command line tools.
From a terminal, log in to the OpenShift cluster and ensure that the oc and kubectl commands connect to the correct OpenShift cluster.
Tip: The following instructions also work with the OpenShift command line tool oc.
Ensure the AKO package is visible by running the following command.
kubectl get packagemanifests aerospike-kubernetes-operator-rhmp -n openshift-marketplace
You will see output similar to the following:
NAME CATALOG AGE
aerospike-kubernetes-operator-rhmp Red Hat Marketplace 22d
Create a subscription file aerospike-kubernetes-operator.yaml with the following contents:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: aerospike-kubernetes-operator-rhmp
  namespace: openshift-operators
spec:
  channel: stable
  installPlanApproval: Automatic # Automatically upgrades AKO whenever upgrades are available
  name: aerospike-kubernetes-operator-rhmp
  source: redhat-marketplace
  sourceNamespace: openshift-marketplace
  startingCSV: aerospike-kubernetes-operator-rhmp.v4.0.0
Create this subscription using the following command:
kubectl apply -f aerospike-kubernetes-operator.yaml
Verify that AKO's CSV is in the Succeeded phase with the following command:
kubectl get csv -n openshift-operators aerospike-kubernetes-operator-rhmp.v4.0.0
Check that the output is similar to the following:
NAME DISPLAY VERSION REPLACES PHASE
aerospike-kubernetes-operator-rhmp.v4.0.0 Aerospike Kubernetes Operator 4.0.0 Succeeded
Check AKO logs
AKO runs as two replicas by default for higher availability. Run the following command to follow the logs for the AKO pods.
kubectl -n openshift-operators logs -f deployment/aerospike-operator-controller-manager manager
Sample output:
2025-02-04T07:59:36Z INFO setup Initializing webhook certificate watcher using provided certificates {"webhook-cert-path": "/tmp/k8s-webhook-server/serving-certs", "webhook-cert-name": "tls.crt", "webhook-cert-key": "tls.key"}
2025-02-04T07:59:36Z INFO controller-runtime.certwatcher Updated current TLS certificate
2025-02-04T07:59:36Z INFO setup Init aerospike-server config schemas
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "6.3.0"}
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "6.4.0"}
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "7.0.0"}
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "7.1.0"}
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "7.2.0"}
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "6.0.0"}
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "6.1.0"}
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "6.2.0"}
2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "8.0.0"}
2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1, Kind=AerospikeCluster", "path": "/mutate-asdb-aerospike-com-v1-aerospikecluster"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1-aerospikecluster"}
2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1, Kind=AerospikeCluster", "path": "/validate-asdb-aerospike-com-v1-aerospikecluster"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1-aerospikecluster"}
2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackupService", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackupservice"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackupservice"}
2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackupService", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackupservice"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackupservice"}
2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackup", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackup"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackup"}
2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackup", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackup"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackup"}
2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeRestore", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikerestore"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikerestore"}
2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeRestore", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikerestore"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikerestore"}
2025-02-04T07:59:36Z INFO setup Adding webhook certificate watcher to manager
2025-02-04T07:59:36Z INFO setup Starting manager
2025-02-04T07:59:36Z INFO controller-runtime.metrics Starting metrics server
2025-02-04T07:59:36Z INFO setup disabling http/2
2025-02-04T07:59:36Z INFO starting server {"name": "health probe", "addr": "[::]:8081"}
2025-02-04T07:59:36Z INFO controller-runtime.webhook Starting webhook server
2025-02-04T07:59:36Z INFO setup disabling http/2
2025-02-04T07:59:36Z INFO controller-runtime.webhook Serving webhook server {"host": "", "port": 9443}
Grant permissions to the target namespaces
AKO is installed in the openshift-operators namespace.
Grant additional permissions by configuring ServiceAccounts and RoleBindings or ClusterRoleBindings for the target Kubernetes namespace where the Aerospike clusters are created.
You can use the kubectl or akoctl tools to grant permissions for the aerospike namespace.
- kubectl
- akoctl
Create the Kubernetes namespace if not already created.
kubectl create namespace aerospike
Create a service account.
kubectl -n aerospike create serviceaccount aerospike-operator-controller-manager
Create a RoleBinding or ClusterRoleBinding to attach this service account to the aerospike-cluster ClusterRole. This ClusterRole is created as part of AKO installation and grants Aerospike cluster permissions to the service account.
For using the Kubernetes native, pod-only network to connect to the Aerospike cluster, create a RoleBinding with the following command:
kubectl -n aerospike create rolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager
For connecting to the Aerospike cluster from outside Kubernetes, create a ClusterRoleBinding with the following command:
kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager
Tip: For attaching multiple service accounts of different namespaces at one time, add multiple --serviceaccount parameters to the previous command.
Example: To attach service accounts of the aerospike and aerospike1 namespaces:
kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager --serviceaccount=aerospike1:aerospike-operator-controller-manager
If the required ClusterRoleBinding already exists in the cluster, edit it to attach a new service account.
kubectl edit clusterrolebinding aerospike-cluster
The kubectl edit command launches an editor. Append the following lines to the subjects section:
# A new entry for aerospike.
# Replace aerospike with your namespace
- kind: ServiceAccount
  name: aerospike-operator-controller-manager
  namespace: aerospike
Save and ensure that the changes are applied.
For instructions on installing the akoctl plugin, see akoctl installation.
For using the Kubernetes native, pod-only network to connect to the Aerospike cluster, grant namespace scope permissions:
kubectl akoctl auth create -n aerospike --cluster-scope=false
For connecting to the Aerospike cluster from outside Kubernetes, grant cluster scope permissions:
kubectl akoctl auth create -n aerospike
To grant permissions for multiple namespaces at the same time, specify a comma-separated namespace list with the -n flag.
kubectl akoctl auth create -n aerospike,aerospike1
OpenShift Security Context Constraints (SCC)
On OpenShift clusters, administrators can use security context constraints (SCCs) to control permissions for pods. These permissions control which actions a pod can perform and which resources it can access. You can use SCCs to define a set of conditions that a pod must run with in order to be accepted into the system. In order to run Aerospike Database Enterprise Edition clusters on OpenShift, the Aerospike pods need to be granted access to some of the cluster SCCs.
The following SCCs are commonly used in most Aerospike deployments. See the OpenShift SCC Guide for additional details.
SCC anyuid (required)
Aerospike Database Enterprise Edition images are designed to run as some non-root (any) UID.
On OpenShift, this requires Aerospike pods to be allowed to run with any UID, requiring the anyuid SCC.
Grant this SCC to the Aerospike cluster service account for the aerospike namespace using the following command:
oc adm policy add-scc-to-user anyuid system:serviceaccount:aerospike:aerospike-operator-controller-manager
SCC hostnetwork (optional)
This SCC allows using host networking and host ports.
Grant this SCC to the Aerospike cluster service account for the aerospike namespace using the following command:
oc adm policy add-scc-to-user hostnetwork system:serviceaccount:aerospike:aerospike-operator-controller-manager
SCC privileged (optional)
This SCC allows access to all privileged and host features and the ability to run as any user, any group, any FSGroup, and with any SELinux context.
This is required to run Index on Flash storage configuration with Aerospike primary index stored on SSD devices.
Grant this SCC to the Aerospike cluster service account for the aerospike namespace using the following command:
oc adm policy add-scc-to-user privileged system:serviceaccount:aerospike:aerospike-operator-controller-manager
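An added example, not part of the Aerospike documentation: an offline audit of the grants made in the permissions and SCC sections above, run over RoleBinding and ClusterRoleBinding objects exported as JSON. It assumes SCC grants are recorded as bindings to ClusterRoles named system:openshift:scc:<name>, as recent OpenShift 4 releases do (grants stored only in an SCC's users field are not read); the helper names and the sample bindings are constructed for illustration.

```python
SA = "aerospike-operator-controller-manager"  # service account name used on the page
SCC_ROLE_PREFIX = "system:openshift:scc:"     # assumption: SCC grants are stored as RBAC bindings
NOTES = {"hostnetwork": "optional: host networking and host ports",
         "privileged": "optional: needed only for Index on Flash"}

def is_subject(binding, namespace):
    """True if the binding names the AKO service account of `namespace`."""
    wanted = {("ServiceAccount", SA, namespace),
              ("User", f"system:serviceaccount:{namespace}:{SA}", None)}
    return any((s.get("kind"), s.get("name"), s.get("namespace")) in wanted
               for s in binding.get("subjects") or [])  # subjects may be missing or null

def audit(items, namespace):
    """Report the aerospike-cluster scope and SCCs held by one target namespace."""
    out = {"aerospike_cluster_scope": None, "sccs": [], "review": []}
    for b in items:
        if not is_subject(b, namespace):
            continue
        role = b["roleRef"]["name"]
        if role == "aerospike-cluster" and b["kind"] == "ClusterRoleBinding":
            out["aerospike_cluster_scope"] = "cluster"
            out["review"].append("aerospike-cluster bound cluster-wide (only for access from outside Kubernetes)")
        elif role == "aerospike-cluster":
            out["aerospike_cluster_scope"] = out["aerospike_cluster_scope"] or "namespace"
        elif role.startswith(SCC_ROLE_PREFIX):
            scc = role[len(SCC_ROLE_PREFIX):]
            out["sccs"].append(scc)
            if scc in NOTES:
                out["review"].append(f"SCC {scc} granted ({NOTES[scc]})")
    if "anyuid" not in out["sccs"]:
        out["review"].append("SCC anyuid (required) is not granted")
    return out

# Constructed sample, shaped like the items of `kubectl get ... -o json` output.
def binding(kind, role, *subjects):
    return {"kind": kind, "roleRef": {"kind": "ClusterRole", "name": role}, "subjects": list(subjects)}
def sa_subject(ns):
    return {"kind": "ServiceAccount", "name": SA, "namespace": ns}
SAMPLE = [
    binding("ClusterRoleBinding", "aerospike-cluster", sa_subject("aerospike1")),
    binding("RoleBinding", "aerospike-cluster", sa_subject("aerospike")),
    binding("ClusterRoleBinding", SCC_ROLE_PREFIX + "anyuid", sa_subject("aerospike"), sa_subject("aerospike1")),
    binding("ClusterRoleBinding", SCC_ROLE_PREFIX + "privileged",
            {"kind": "User", "name": f"system:serviceaccount:aerospike1:{SA}"}),
]

if __name__ == "__main__":
    print(audit(SAMPLE, "aerospike1"))
```

To run it against a cluster, load the items arrays from kubectl get rolebindings -A -o json and kubectl get clusterrolebindings -o json and pass the combined list to audit().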