Merge pull request #193 from RedisLabs/6.2.4-1

promoting version 6.2.4-1

README.md

@@ -10,7 +10,7 @@
   * [Private Repositories](#private-repositories)
   * [Pull Secrets](#pull-secrets)
   * [Advanced Configuration](#advanced-configuration)
-* [Connect to Redis Enterprise Software web console](#Connect-to-Redis-Enterprise-Software-web-console)
+* [Connect to Redis Enterprise Software web console](#How-to-connect-to-Redis-Enterprise-Software-web-console?)
 * [Upgrade](#upgrade)
 * [Supported K8S Distributions](#supported-k8s-distributions)
 
@@ -32,9 +32,9 @@ High level architecture and overview of the solution can be found [HERE](https:/
 The following are the images and tags for this release:
 | Component | k8s | Openshift |
 | --- | --- | --- |
-| Redis Enterprise | `redislabs/redis:6.0.20-97` | `redislabs/redis:6.0.20-97.rhel7-openshift` |
-| Operator | `redislabs/operator:6.0.20-12` | `redislabs/operator:6.0.20-12` |
-| Services Rigger | `redislabs/k8s-controller:6.0.20-12` | `redislabs/k8s-controller:6.0.20-12` |
+| Redis Enterprise | `redislabs/redis:6.2.4-55` | `redislabs/redis:6.2.4-55.rhel7-openshift` |
+| Operator | `redislabs/operator:6.2.4-1` | `redislabs/operator:6.2.4-1` |
+| Services Rigger | `redislabs/k8s-controller:6.2.4-1` | `redislabs/k8s-controller:6.2.4-1` |
 > * RedHat certified images are available on [Redhat Catalog](https://access.redhat.com/containers/#/product/71f6d1bb3408bd0d) </br>
 
 
@@ -104,22 +104,23 @@ This is the fastest way to get up and running with a new Redis Enterprise on Kub
 5. Redis Enterprise Database (REDB) Admission Controller:
     The Admission Controlller is recommended for use. It uses the Redis Enterprise Cluster to dynamically validate that REDB resources as configured by the operator are valid.
     Steps to configure the Admission Controller:
+   > **Note:** Redis Labs' Redis Enterprise Operator can also be installed through the [Gesher Admission Proxy](admission/GESHER.md)
     * Wait for the secret to be created:
-    ```shell script
-        kubectl get secret admission-tls
-        NAME            TYPE     DATA   AGE
-        admission-tls   Opaque   2      2m43s
-   ```
+        ```shell script
+            kubectl get secret admission-tls
+            NAME            TYPE     DATA   AGE
+            admission-tls   Opaque   2      2m43s
+       ```
     * Enable the Kubernetes webhook using the generated certificate
    
          **NOTE**: One must replace REPLACE_WITH_NAMESPACE in the following command with the namespace the REC was installed into.
    
          ```shell script
          # save cert
          CERT=`kubectl get secret admission-tls -o jsonpath='{.data.cert}'`
+         # create patch file
          sed 's/NAMESPACE_OF_SERVICE_ACCOUNT/REPLACE_WITH_NAMESPACE/g' admission/webhook.yaml | kubectl create -f -
    
-         # create patch file
          cat > modified-webhook.yaml <<EOF
          webhooks:
          - name: redb.admission.redislabs
@@ -129,8 +130,35 @@ This is the fastest way to get up and running with a new Redis Enterprise on Kub
          EOF
          # patch webhook with caBundle
          kubectl patch ValidatingWebhookConfiguration redb-admission --patch "$(cat modified-webhook.yaml)"
-         ```
-     * Verify the installation
+        ```
+   
+   * Limiting the webhook to the relevant namespaces:    
+    Unless limited, webhooks will intercept requests from all namespaces.<br>
+    In case you have several REC objects on your K8S cluster you need to limit the webhook to the relevant namespace.  
+    This is done by adding a `namespaceSelector` to the webhook spec that targets a label found on the namespace.<br>
+    First, make sure you have such a relevant label on the namespace and that it is unique for this namespace. e.g.
+     ```
+     apiVersion: v1
+     kind: Namespace
+     metadata:
+       labels:
+         namespace-name: staging
+       name: staging
+      ```
+        Then patch the webhook with a namespaceSelector. See this example:
+     ```
+        cat > modified-webhook.yaml <<EOF
+        webhooks:
+        - name: redb.admission.redislabs
+          namespaceSelector:
+            matchLabels:
+              namespace-name: staging
+        EOF
+     
+        # apply the patch:
+        kubectl patch ValidatingWebhookConfiguration redb-admission --patch "$(cat modified-webhook.yaml)"
+        ```
+    * Verify the installation
         In order to verify that the all the components of the Admission Controller are installed correctly, we will try to apply an invalid resource that should force the admission controller to reject it.  If it applies succesfully, it means the admission controller has not been hooked up correctly.
         
         ```shell script
@@ -149,7 +177,7 @@ This is the fastest way to get up and running with a new Redis Enterprise on Kub
         ```shell script
         Error from server: error when creating "STDIN": admission webhook "redb.admission.redislabs" denied the request: eviction_policy: u'illegal' is not one of [u'volatile-lru', u'volatile-ttl', u'volatile-random', u'allkeys-lru', u'allkeys-random', u'noeviction', u'volatile-lfu', u'allkeys-lfu']
         ```
-       > Note: procedure to enable admission is documented with further detail [here](admission/README.md
+       > Note: procedure to enable admission is documented with further detail [here](admission/README.md).
 
 6. Redis Enterprise Database custom resource - `RedisEnterpriseDatabase`
 
@@ -303,7 +331,7 @@ The operator deploys a `RedisEnterpriseCluster` with default configurations valu
     redisEnterpriseImageSpec:
       imagePullPolicy:  IfNotPresent
       repository:       redislabs/redis
-      versionTag:       6.0.20-97
+      versionTag:       6.2.4-55
   ```
 
 * Persistence
@@ -405,21 +433,21 @@ For example:
   redisEnterpriseImageSpec:
     imagePullPolicy:  IfNotPresent
     repository:       harbor.corp.local/redisenterprise/redis
-    versionTag:       6.0.20-97
+    versionTag:       6.2.4-55
 ```
 
 ```yaml
   redisEnterpriseServicesRiggerImageSpec:
     imagePullPolicy:  IfNotPresent
     repository:       harbor.corp.local/redisenterprise/k8s-controller
-    versionTag:       6.0.20-12
+    versionTag:       6.2.4-1
 ```
 
 ```yaml
   bootstrapperImageSpec:
     imagePullPolicy:  IfNotPresent
     repository:       harbor.corp.local/redisenterprise/operator
-    versionTag:       6.0.20-12
+    versionTag:       6.2.4-1
 ```
 
 In Operator Deployment spec (operator.yaml):
@@ -431,7 +459,7 @@ spec:
     spec:
       containers:
         - name: redis-enterprise-operator
-          image: harbor.corp.local/redisenterprise/operator:6.0.20-12
+          image: harbor.corp.local/redisenterprise/operator:6.2.4-1
 ```
 
 Image specification follow the [K8s Container schema](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#container-v1-core).
@@ -490,17 +518,18 @@ First, extract the username and password from the secret:
     kubectl config set-context --current --namespace=<namespace>
 ```
 ![Alt text](./images/web_console_1.png?raw=true)
-2. List the secrets via the command:
+2. List the secrets:
 ```bash
     kubectl get secret
 ```
 ![Alt text](./images/web_console_2.png?raw=true)
-3. Run the command below to view the secret with the credentials , replace the <cluster name> with the name of your Redis Enterprise Cluster:
+3. Run the `kubectl get secret` command to view the secret with the credentials (replace the <cluster name> with the name of your Redis Enterprise Cluster):
 ```bash
     kubectl get secret <cluster name> -o yaml
 ```
 ![Alt text](./images/web_console_3.png?raw=true)
-4. Extract the username and password via the commands below, replace the <cluster name> with the name of your Redis Enterprise Cluster:
+4. Extract the username and password (replace the <cluster name> with the name of your Redis Enterprise Cluster):
+
 ```bash
     kubectl get secret <cluster name> -o jsonpath='{.data.username}' | base64 --decode
     kubectl get secret <cluster name> -o jsonpath='{.data.password}' | base64 --decode
@@ -521,13 +550,13 @@ Note: the default port is 8443.
     kubectl port-forward service/<cluster name>-ui <local port>:<service port>
 ```
 ![Alt text](./images/web_console_6.png?raw=true)
-3. View the web console from the web browser on your local machine: 
+3. In the web browser on the local machine to see the Redis Enterprise web console go to:
 https://localhost:<local port>
 Don't forget to replace the <local port> with the one used in the previous command.
 ![Alt text](./images/web_console_7.png?raw=true)
 
 Method 2: load balancer
-<note> Configuring a load balancer service for the UI will create an external IP address, widely available (when set on cloud providers which support external load balancers). Use with caution. </note>
+> <note> Configuring a load balancer service for the UI will create an external IP address, widely available (when set on cloud providers which support external load balancers). Use with caution. </note>
 1. Run the command below to set the UI service type as load balancer, replace the <cluster name> with the name of your Redis Enterprise Cluster:
 ```bash
     kubectl patch rec <cluster name> --type merge --patch "{\"spec\":{\"uiServiceType\":\"LoadBalancer\"}}"
@@ -539,7 +568,7 @@ Method 2: load balancer
 ```
 Note: the default port is 8443.
 ![Alt text](./images/web_console_9.png?raw=true)
-3. In the web browser on the local machine to see the Redis Enterprise web console go to:
+3. View the web console from the web browser on your local machine:
 https://<external IP>:<service port>
 Don't forget to replace the <external IP> and <service port> with the values from the previous step.
 ![Alt text](./images/web_console_10.png?raw=true)
@@ -553,7 +582,7 @@ Note: in the  examples above the Redis Enterprise Cluster name is: 'rec' and the
 The Operator automates and simplifies the upgrade process.  
 The Redis Enterprise Cluster Software, and the Redis Enterprise Operator for Kubernetes versions are tightly coupled and should be upgraded together.  
 It is recommended to use the bundle.yaml to upgrade, as it loads all the relevant CRD documents for this version. If the updated CRDs are not loaded, the operator might fail.
-There are two ways to upgrade - either set 'autoUpgradeRedisEnterprise' within the Redis Enterprise Cluster Spec to instruct the operator to automatically upgrade to the compatible version, or specify the correct Redis Enterprise image manually using the versionTag attribute. The Redis Enterprise Version compatible with this release is 6.0.20-97
+There are two ways to upgrade - either set 'autoUpgradeRedisEnterprise' within the Redis Enterprise Cluster Spec to instruct the operator to automatically upgrade to the compatible version, or specify the correct Redis Enterprise image manually using the versionTag attribute. The Redis Enterprise Version compatible with this release is 6.2.4-55
 
 ```yaml
   autoUpgradeRedisEnterprise: true
@@ -562,39 +591,44 @@ There are two ways to upgrade - either set 'autoUpgradeRedisEnterprise' within t
 Alternatively:
 ```yaml
   RedisEnterpriseImageSpec:
-    versionTag: redislabs/redis:6.0.20-97
+    versionTag: redislabs/redis:6.2.4-55
 ```
 
 ## Supported K8S Distributions
 Each release of the Redis Enterprise Operator deployment is thoroughly tested against a set of Kubernetes distributions. The table below lists these, along with the current release's support status. "Supported", as well as "deprecated" support status indicates the current release has been tested in this environment and supported by RedisLabs. "Deprecated" also indicates that support will be dropped in a coming future release. "No longer supported" indicates that support has been dropped for this distribution. Any distribution that isn't explicitly listed is not supported for production workloads by RedisLabs.
 Supported versions (platforms/versions that are not listed are not supported): 
 | Distribution                    | Support Status |
 |---------------------------------|----------------|
-| Openshift 3.11 (K8s 1.11)       | supported      |
-| OpenShift 4.5  (K8s 1.18)       | supported      |
+| Openshift 3.11 (K8s 1.11)       | deprecated     |
 | OpenShift 4.6  (K8s 1.19)       | supported      |
 | OpenShift 4.7  (K8s 1.20)       | supported      |
-| KOPS vanilla 1.15               | deprecated     |
-| KOPS vanilla 1.16               | supported      |
-| KOPS vanilla 1.17               | supported      |
+| OpenShift 4.8  (K8s 1.21)       | supported      |
+| KOPS vanilla 1.16               | deprecated     |
+| KOPS vanilla 1.17               | deprecated     |
 | KOPS vanilla 1.18               | supported      |
 | KOPS vanilla 1.19               | supported      |
 | KOPS vanilla 1.20               | supported      |
-| GKE 1.17*                       | deprecated     |
+| KOPS vanilla 1.21               | supported      |
 | GKE 1.18                        | supported      |
 | GKE 1.19                        | supported      |
 | GKE 1.20                        | supported      |
+| GKE 1.21                        | supported      |
 | Rancher 2.4 (K8s 1.17)          | supported      |
 | Rancher 2.4 (K8s 1.18)          | supported      |
 | Rancher 2.5 (K8s 1.17)          | supported      |
 | Rancher 2.5 (K8s 1.18)          | supported      |
-| Rancher 2.5 (K8s 1.19).         | supported      |
-| VMWare TKGIE** 1.7 (K8s 1.16)   | deprecated     |
-| VMWare TKGIE** 1.8 (K8s 1.17)   | deprecated     |
-| VMWare TKGIE*** 1.10 (K8s 1.19) | supported      |
+| Rancher 2.5 (K8s 1.19)          | supported      |
+| Rancher 2.5 (K8s 1.20)          | supported      |
+| VMWare TKGIE* 1.7 (K8s 1.16)    | deprecated     |
+| VMWare TKGIE* 1.8 (K8s 1.17)    | deprecated     |
+| VMWare TKGIE** 1.10 (K8s 1.19)  | supported      |
 | AKS 1.18                        | supported      |
+| AKS 1.19                        | supported      |
+| AKS 1.20                        | supported      |
 | EKS 1.18                        | supported      |
+| EKS 1.19                        | supported      |
+| EKS 1.20                        | supported      |
+| EKS 1.21                        | supported      |
 
-\* No longer supported by Google
-\*\* No longer supported by VMware
-\*\*\* Tanzu Kubernetes Grid Integrated Edition
+\* No longer supported by VMware
+\*\* Tanzu Kubernetes Grid Integrated Edition

admission/gesher/role.yaml

@@ -52,7 +52,7 @@ rules:
   - deployments/finalizers
   verbs:
   - update
-- apiGroups: ["extensions"]
+- apiGroups: ["policy"]
   resources: ["podsecuritypolicies"]
   resourceNames:
   - redis-enterprise-psp