promoting version 7.2.4-12 (#271)

* promoting version 7.2.4-12

* Remove.

---------

Co-authored-by: Ubuntu <[email protected]>

active_active_database_readme.md

@@ -20,6 +20,7 @@ This document describes how to deploy an Active-Active database with Redis Enter
   * [Update existing participating cluster (RERC) details](#update-existing-participating-cluster-rerc-details)
   * [Update existing participating cluster (RERC) secret](#update-existing-participating-cluster-rerc-secret)
   * [Active-Active database with Redis modules](#active-active-database-with-redis-modules)
+  * [Upgrade REC with Active-Active database](#upgrade-rec-with-active-active-database)
   * [Test your Active-Active database](#test-your-active-active-database)
   * [Limitations](#limitations)
 
@@ -725,6 +726,16 @@ To enable modules for Active-Active databases, set a boolean environment variabl
 Important note:
 upgrading modules with Active-Active databases is currently not supported via the operator, to upgrade please use the RS APIs directly and after the module has successfully upgraded update the module version on the REAADB custom resource.
 
+## Upgrade REC with Active-Active database
+
+Upgrading REC with REAADBs  is supported.
+Please follow [upgrade Redis Enterprise Cluster documentation](https://docs.redis.com/latest/kubernetes/re-clusters/upgrade-redis-cluster/).
+
+Notes:
+- It is recommended to upgrade all of the participating clusters to the same operator version.
+- [Optional] - Please view following documentation regarding upgrade the Active-Active database  [here](https://docs.redis.com/latest/rs/installing-upgrading/upgrading/upgrade-active-active/)
+- In case you are upgrading from version with the Active-Active database controller as public preview you may remove the following flags from the environment variables: `ACTIVE_ACTIVE_DATABASE_CONTROLLER_ENABLED` and `REMOTE_CLUSTER_CONTROLLER_ENABLED`, and in case the alpha features flag is enabled only for the REC 'ingressOrRoutesSpec' field you may remove the: `ENABLE_ALPHA_FEATURES` as well.`
+
 ## Test your Active-Active database
 
 The easiest way to test your Active-Active database is to set a key-value pair in one database and retrieve it from the other.

admission/README.md

@@ -1,66 +1,3 @@
-# Redis Enterprise Admission Controller
+# Redis Enterprise admission controller
 
-Redis Labs' Redis Enterprise Operator provides an installable admission control that can be used to verify RedisEnterpriseDatabase, RedisEnterpriseActiveActiveDatabase and RedisEnterpriseRemoteCluster resources on creation and modification for correctness.  This prevents end users from creating syntatically valid but functionally invalid database configurations.  The admission control leverages Kubernetes' built in [Dynamic Admission Control](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/).
-
-## Hooking up the Admission controller directly with Kubernetes
-**NOTE**: This only has to be done the first time setting up the redis enterprise operator, it can be skipped on update
-
-1. Wait for the secret to be created
-
-    ```shell script
-    kubectl get secret admission-tls
-    NAME            TYPE     DATA   AGE
-    admission-tls   Opaque   2      2m43s
-    ```
-
-2. Enable the Kubernetes webhook using the generated certificate stored in a kubernetes secret
-
-      **NOTE**: One must replace REPLACE_WITH_NAMESPACE in the following command with the namespace the REC was installed into.
-
-      ```shell script
-      # save cert
-      CERT=`kubectl get secret admission-tls -o jsonpath='{.data.cert}'`
-      sed 's/NAMESPACE_OF_SERVICE_ACCOUNT/REPLACE_WITH_NAMESPACE/g' webhook.yaml | kubectl create -f -
-
-      # create patch file
-      cat > modified-webhook.yaml <<EOF
-      webhooks:
-      - name: redisenterprise.admission.redislabs
-        clientConfig:
-          caBundle: $CERT
-        admissionReviewVersions: ["v1beta1"]
-      EOF
-      # patch webhook with caBundle
-      kubectl patch ValidatingWebhookConfiguration redis-enterprise-admission --patch "$(cat modified-webhook.yaml)"
-      ```
-          
-## Verifying Installation
-
-In order to verify that the all the components of the Admission Controller are installed correctly, we will try to apply an invalid resource that should force the admission controller to reject it.  If it applies succesfully, it means the admission controller has not been hooked up correctly.
-
-```shell script
-$ kubectl apply -f - << EOF
-apiVersion: app.redislabs.com/v1alpha1
-kind: RedisEnterpriseDatabase
-metadata:
-  name: redis-enterprise-database
-  labels:
-    app: redis-enterprise
-spec:
-  evictionPolicy: illegal
-  defaultUser: false
-EOF
-```
-
-This must fail with an error output by the admission webhook redisenterprise.admission.redislabs that is being denied because 'illegal' is not a valid eviction policy.
-
-```shell script
-Error from server: error when creating "STDIN": admission webhook "redisenterprise.admission.redislabs" denied the request: eviction_policy: u'illegal' is not one of [u'volatile-lru', u'volatile-ttl', u'volatile-random', u'allkeys-lru', u'allkeys-random', u'noeviction', u'volatile-lfu', u'allkeys-lfu']
-```
-
-## Upgrading from previous version
-
-In Redis Enterprise Operator versions 6.4.X and above, the admission webhook has been renamed from `redb-admission` to `redis-enterprise-admission`.
-The reason for that is to reflect that the updated admission webhook now verifies multiple resources beyond RedisEnterpriseDatabase, including RedisEnterpriseActiveActiveDatabase and RedisEnterpriseRemoteCluster resources as well. The previous version only verified RedisEnterpriseDatabases.
-
-If you're using version 6.4.X or above, make sure to delete the old `redb-admission` ValidatingWebhookConfiguration and apply the updated webhook. 
+This content has moved to [docs.redis.com](https://docs.redis.com/latest/); see [Enable the admission controller](https://docs.redis.com/latest/kubernetes/deployment/quick-start/#enable-the-admission-controller).

admission/webhook.yaml

@@ -17,7 +17,7 @@ webhooks:
     resources:   ["redisenterprisedatabases", "redisenterpriseactiveactivedatabases", "redisenterpriseremoteclusters"]
   clientConfig:
     service:
-      namespace: NAMESPACE_OF_SERVICE_ACCOUNT
+      namespace: OPERATOR_NAMESPACE
       name: admission
       path: /admission
     caBundle: "" # Fill in with BASE64 encoded signed cert

bundle.yaml

@@ -245,6 +245,8 @@ spec:
               ingressOrRouteMethodStatus:
                 description: The ingressOrRouteSpec/ActiveActive spec method that exist
                 type: string
+              redisEnterpriseIPFamily:
+                type: string
           spec:
             description: RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster
             properties:
@@ -365,6 +367,14 @@ spec:
                   true. Note that this field is cleared automatically after the cluster
                   is recovered
                 type: boolean
+              redisEnterpriseIPFamily:
+                description: Reserved, future use, only for use if instructed by Redis.
+                  IPFamily dictates what IP family to choose for pods' internal
+                  and external communication.
+                type: string
+                enum:
+                  - IPv4
+                  - IPv6
               containerTimezone:
                 description: Container timezone configuration. While the default timezone
                   on all containers is UTC, this setting can be used to set the timezone
@@ -7769,6 +7779,8 @@ spec:
                   ldap:
                     type: boolean
                 type: object
+              redisEnterpriseIPFamily:
+                type: string
           spec:
             properties:
               activeActive:
@@ -7848,6 +7860,11 @@ spec:
                 type: string
               clusterRecovery:
                 type: boolean
+              redisEnterpriseIPFamily:
+                type: string
+                enum:
+                  - IPv4
+                  - IPv6
               containerTimezone:
                 properties:
                   propagateHost:
@@ -14854,6 +14871,8 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   name: redisenterprisedatabases.app.redislabs.com
+  labels:
+    app: redis-enterprise
 spec:
   group: app.redislabs.com
   names:
@@ -16462,7 +16481,7 @@ spec:
       serviceAccountName: redis-enterprise-operator
       containers:
         - name: redis-enterprise-operator
-          image: redislabs/operator:7.2.4-7
+          image: redislabs/operator:7.2.4-12
           command:
           - operator-root
           - operator
@@ -16512,7 +16531,7 @@ spec:
               drop:
               - ALL
         - name: admission
-          image: redislabs/operator:7.2.4-7
+          image: redislabs/operator:7.2.4-12
           command:
           - operator-root
           - admission
@@ -16532,6 +16551,10 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
           resources:
             limits:
               cpu: 1000m

cluster_credentials.md

@@ -1,80 +1,3 @@
 # Management of the Redis Enterprise Cluster credentials
-## Background
-When the operator creates a Redis Enterprise Cluster (REC) it generates random credentials that are used by the operator to perform operations on the Redis Enterprise Cluster using the cluster APIs.
-The credentials are saved in a K8s secret (or Vault, see [README](vault/README.md)). When a K8s secret is used, the secret name default to the name of the Redis Enterprise Cluster.
-## Using the Redis Enterprise Cluster Credentials
-The credentials can be used to access the Redis Enterprise Cluster UI or API. Make sure connectivity is configured to the cluster pods using an appropriate service (or by a solution such as kubectl port forwarding). To inspect the random username and password created by the operator, use kubectl:
-``` 
-$ kubectl get secret rec -o jsonpath='{.data}'
-map[password:MVUyTjd1Mm0= username:ZGVtb0ByZWRpc2xhYnMuY29t]
-$ echo MVUyTjd1Mm0= | base64 --decode
-```
-> Note - other utilities to view secrets are available
 
-## Changing the Redis Enterprise Cluster Credentials
-### Replacing the password
-Please follow the following steps:
-1. Take note of the current password, see above
-2. Exec into a Redis Enterprise Cluster node pod using the following command:
-    ```
-    kubectl exec -it <Redis Enterprise Cluster resource name>-0 bash
-    ```
-3. Within the pod console, run a command to add the new password as supported for the existing user, replace with the existing credentials and the new password:
-    ```
-    REC_USER="`cat /opt/redislabs/credentials/username`"; REC_PASSWORD="`cat /opt/redislabs/credentials/password`";curl -k --request POST --url https://localhost:9443/v1/users/password -u "$REC_USER:$REC_PASSWORD" --header 'Content-Type: application/json' --data "{\"username\":\"$REC_USER\",\"old_password\":\"$REC_PASSWORD\", \"new_password\":\"<NEW PASSWORD>\"}"
-    ```
-4. Update the cluster credential secret: using the commands ran outside of the Redis Enterprise Cluster node pod:
-    > Note: For Vault users, see the instruction described [below](./cluster_credentials.md#creds_with_vault) and proceed to the next step.
-
-    a. Save the existing username to a text file (replace <current username> with actual).
-    ```
-    echo -n "<current username>" > username
-    ```
-    b. Save the new password to a text file (replace <new password> with actual).
-    ```
-    echo -n "<new password>" > password
-    ```
-    c. Update the secret:
-    ```
-    kubectl create secret generic <cluster secret name> --from-file=./username --from-file=./password --dry-run -o yaml | kubectl apply -f -
-    ```
-5. Wait 5 minutes to make sure all components have read the new password from the updated secret
-6. in case this cluster is participating in Active-Active database via REAADB follow the instructions [here](active_active_database_readme.md) under `Update existing participating cluster (RERC) secret`.
-7. Exec into a Redis Enterprise Cluster node pod (see above) and run the following command to remove the previous password so only the new one applies. Important: replace OLD PASSWORD with the one being replaced, see step 1 above.
-    ```
-    REC_USER="`cat /opt/redislabs/credentials/username`"; REC_PASSWORD="`cat /opt/redislabs/credentials/password`";curl -k --request DELETE --url https://localhost:9443/v1/users/password -u "$REC_USER:$REC_PASSWORD" --header 'Content-Type: application/json' --data "{\"username\":\"$REC_USER\",\"old_password\":\"<OLD PASSWORD\"}"
-    ```
-    > Note: the username to be used with the K8s secret is the email displayed on the Redis Enterprise UI
-
-    > Note: this procedure is only supported for version 6.0.20-5 or above
-### Replacing the password and the username
-Please follow the following steps:
-1. Log into the Redis Enterprise Cluster UI using the credentials as explained above.
-2. Add another admin user, choose a password
-3. Set the new username with the Redis Enterprise Cluster spec (username field)
-4. Update the cluster credential secret:
-    > Note: For Vault users, see the instruction described [below](#creds_with_vault) and proceed to the next step.
-    
-    a. Save the new username to a text file (replace <new username> with actual).
-    ```
-    echo -n "<new username>" > username
-    ```
-    b. Save the new password to a text file (replace <new password> with actual).
-    ```
-    echo -n "<new password>" > password
-    ```
-    c. Update the secret:
-    ```
-    kubectl create secret generic <cluster secret name> --from-file=./username --from-file=./password --dry-run -o yaml | kubectl apply -f -
-    ```
-    > Note: the username to be used with the K8s secret is the email displayed on the Redis Enterprise UI
-5. Wait 5 minutes to make sure all components have read the new password from the updated secret
-6. in case this cluster is participating in Active-Active database via REAADB follow the instructions [here](active_active_database_readme.md) under `Update existing participating cluster (RERC) secret`.
-7. Delete the previous admin user using the Redis Enterprise Cluster UI
-   > Note: this procedure is only supported for version 6.0.20-5 or above
-   > Note: the operator might log errors in the time period between updating the username in the REC spec and the secret update
-
-<a name="creds_with_vault"></a>
-### Updating the credentials secret in Vault
-For users who store secrets in Vault, update the Vault secret containing the Redis Enterprise Cluster's credentials with the following key-value pairs: username:<desired_username>, password:<desired_password>.
-For more information about Vault integration with the Redis Enterprise Cluster see [README](vault/README.md#deployment_rec).
+This content has moved to [docs.redis.com](https://docs.redis.com/latest/); see [Manage Redis Enterprise cluster (REC) credentials](https://docs.redis.com/latest/kubernetes/security/manage-rec-credentials/).

crds/rec_crd.yaml

@@ -150,6 +150,8 @@ spec:
               ingressOrRouteMethodStatus:
                 description: The ingressOrRouteSpec/ActiveActive spec method that exist
                 type: string
+              redisEnterpriseIPFamily:
+                type: string
           spec:
             description: RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster
             properties:
@@ -270,6 +272,14 @@ spec:
                   true. Note that this field is cleared automatically after the cluster
                   is recovered
                 type: boolean
+              redisEnterpriseIPFamily:
+                description: Reserved, future use, only for use if instructed by Redis.
+                  IPFamily dictates what IP family to choose for pods' internal
+                  and external communication.
+                type: string
+                enum:
+                  - IPv4
+                  - IPv6
               containerTimezone:
                 description: Container timezone configuration. While the default timezone
                   on all containers is UTC, this setting can be used to set the timezone
@@ -7674,6 +7684,8 @@ spec:
                   ldap:
                     type: boolean
                 type: object
+              redisEnterpriseIPFamily:
+                type: string
           spec:
             properties:
               activeActive:
@@ -7753,6 +7765,11 @@ spec:
                 type: string
               clusterRecovery:
                 type: boolean
+              redisEnterpriseIPFamily:
+                type: string
+                enum:
+                  - IPv4
+                  - IPv6
               containerTimezone:
                 properties:
                   propagateHost:

crds/redb_crd.yaml

@@ -2,6 +2,8 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   name: redisenterprisedatabases.app.redislabs.com
+  labels:
+    app: redis-enterprise
 spec:
   group: app.redislabs.com
   names: