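Install on Kubernetes
Learn how to install RDI on Kubernetes
This guide explains how to install RDI on Kubernetes (K8s) using the RDI Helm chart. You can also install RDI on VMs.
The installation creates the following K8s objects:
- A K8s namespace named rdi.
- Deployments for the RDI operator, metrics exporter, and API server.
- A service account, along with a role and role binding, for the RDI operator.
- A ConfigMap for the different components, containing the RDI Redis database details.
- Secrets containing the RDI Redis database credentials and TLS certificates.
You can use this installation on OpenShift and other K8s distributions, including cloud providers' managed K8s clusters.
You can pull the RDI images from Docker Hub or from your own private image registry.
Before you install
Complete the following steps before running Helm:
- Create the RDI database on your Redis Enterprise cluster.
- Create a user for the RDI database if you do not want to use the default password (see Access control for more information).
- Download the RDI Helm chart tar file from the download center.
- If you want to use a private image registry, prepare it with the RDI images.
Create the RDI database
RDI uses a database on your Redis Enterprise cluster to store its state information. This requires Redis Enterprise v6.4 or later.
- Use the Redis console to create a database with 250MB of RAM, with one primary and one replica.
- If you are deploying RDI for a production environment, secure this database with a password and TLS.
- Set the database's eviction policy to noeviction and set data persistence to AOF - fsync every 1 sec.
- Make sure that the RDI database is not clustered. RDI will not work correctly if the RDI database is clustered, but the target database can be clustered.
You should then provide the details of this database in the values.yaml file as described below.
Use a private image registry
Add the RDI images from Docker Hub to your local registry.
The example below shows how to specify the registry and image pull secret in the Helm chart's values.yaml file: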
global:
  imagePullSecrets: []
  # - name: "image-pull-secret"
  image:
    registry: docker.io
    repository: redis
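To pull images from a local registry, you must provide the image pull secret and, in some cases, also set permissions. Follow the links below to learn how to use a private registry with: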
- Rancher
- OpenShift
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Azure Kubernetes Service (AKS)
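Install the RDI Helm chart
- Scaffold the default values.yaml file from the chart into a local rdi-values.yaml file:
  helm show values rdi-<rdi-tag>.tar.gz > rdi-values.yaml
- Open the rdi-values.yaml file you just created and set the appropriate values for your installation (see The values.yaml file below for the full set of available values).
- Start the installation:
  helm install rdi rdi-<rdi-tag>.tar.gz -f rdi-values.yaml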
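The values.yaml file
The annotated values.yaml file below describes the values you can set for the RDI Helm installation.
At a minimum, you must set the values of RDI_REDIS_HOST and RDI_REDIS_PORT in the global.rdiSysConfig section, and RDI_REDIS_PASSWORD and JWT_SECRET_KEY in global.rdiSysSecret, to enable basic connectivity with the RDI database. RDI uses the value in JWT_SECRET_KEY to encrypt the JSON web tokens (JWT) used by the RDI API. Best practice is to generate a value containing 32 random bytes of data (equivalent to 256 bits) and then encode this value as ASCII characters. Use the following command to generate the random key from the urandom special file: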
head -c 32 /dev/urandom | base64
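The following pre-flight check is an added example, not part of the RDI chart or the original page: it verifies that rdi-values.yaml has the minimum settings listed above before you run helm install. The function names gen_jwt_key, values_get and check_rdi_values are hypothetical, and the line-based parsing assumes each setting sits on its own "KEY: value" line, as in the chart's default file.

```shell
#!/bin/sh
# Added example: pre-flight check for rdi-values.yaml (not part of the RDI chart).

# Generate a JWT_SECRET_KEY the way the page describes: 32 random bytes, base64.
gen_jwt_key() {
    head -c 32 /dev/urandom | base64
}

# Print the value of the first uncommented "KEY: value" line, without quotes.
# Commented-out chart defaults ("# KEY: ...") do not match and yield "".
values_get() {  # $1 = values file, $2 = key name
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
        sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print one line per problem; return 1 if a required setting is missing or weak.
check_rdi_values() {  # $1 = path to rdi-values.yaml
    rc=0
    for key in RDI_REDIS_HOST RDI_REDIS_PORT RDI_REDIS_PASSWORD JWT_SECRET_KEY; do
        if [ -z "$(values_get "$1" "$key")" ]; then
            echo "MISSING $key"
            rc=1
        fi
    done
    jwt=$(values_get "$1" JWT_SECRET_KEY)
    if [ -n "$jwt" ]; then
        # Assumes the key is base64, as produced by the page's command.
        n=$(printf '%s' "$jwt" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
        if [ "$n" -lt 32 ]; then
            echo "WEAK JWT_SECRET_KEY ($n bytes decoded, want at least 32)"
            rc=1
        fi
    fi
    if [ "$(values_get "$1" RDI_REDIS_SSL)" = "true" ]; then
        # The chart comments say to uncomment RDI_REDIS_CACERT for TLS.
        if [ -z "$(values_get "$1" RDI_REDIS_CACERT)" ]; then
            echo "MISSING RDI_REDIS_CACERT (RDI_REDIS_SSL is true)"
            rc=1
        fi
    else
        echo "WARN RDI_REDIS_SSL is not true (use TLS for production)"
    fi
    return "$rc"
}
```

Source the file and run check_rdi_values rdi-values.yaml; a non-zero return means a required setting is still commented out, empty, or too short.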
The full values.yaml file is shown below:
# Default RDI values in YAML format.
# Variables to template configuration.
global:
  # Set this property when using a private image repository.
  # Provide an array of image pull secrets.
  # Example:
  # imagePullSecrets:
  #   - name: pullSecret1
  #   - name: pullSecret2
  imagePullSecrets:
    - name: docker-config-jfrog
  # DO NOT modify this value.
  vmMode: false
  # Indicates whether the deployment is intended for an OpenShift environment.
  openShift: false
  image:
    # Overrides the image tag for all RDI components.
    # tag: 0.0.0
    # If using a private repository, update the default values accordingly.
    # Docker registry.
    registry: docker.io
    # Docker image repository.
    repository: redis
  # Configuration for the RDI ConfigMap.
  rdiSysConfig:
    # Log level for all RDI components. Valid options: DEBUG, INFO, ERROR.
    # If specific component log levels are not set, this value will be used.
    RDI_LOG_LEVEL: INFO
    # Log level for the RDI API. Valid options: DEBUG, INFO, ERROR.
    # If not set, RDI_LOG_LEVEL will be used.
    # RDI_LOG_LEVEL_API: INFO
    # Log level for the RDI Operator. Valid options: DEBUG, INFO, ERROR.
    # If not set, RDI_LOG_LEVEL will be used.
    # RDI_LOG_LEVEL_OPERATOR: INFO
    # Log level for the RDI processor. Valid options: DEBUG, INFO, ERROR.
    # If not set, RDI_LOG_LEVEL will be used.
    # RDI_LOG_LEVEL_PROCESSOR: INFO
    # Specifies whether the RDI is configured to use TLS.
    RDI_REDIS_SSL: false
    # RDI_IMAGE_REPO: redis
    # This value must be set to the same tag as global.image.tag.
    # RDI_IMAGE_TAG: ""
    # If using a private repository, set this value to the same secret name as in global.imagePullSecrets.
    # RDI_IMAGE_PULL_SECRET: []
    # The service IP of the RDI database.
    # RDI_REDIS_HOST: ""
    # The port for the RDI database.
    # RDI_REDIS_PORT: ""
    # Enable authentication for the RDI API.
    # RDI_API_AUTH_ENABLED: "1"
    # Specifies whether the API Collector should be deployed.
    # RDI_API_COLLECTOR_ENABLED: "0"
  # Configuration for the RDI Secret.
  rdiSysSecret:
    # Username and password for RDI database.
    # If using the default password, keep the username as an empty string.
    # RDI_REDIS_USERNAME: ""
    # RDI_REDIS_PASSWORD: ""
    # Uncomment this property when using a TLS connection from RDI to its Redis database.
    # DO NOT modify this value.
    # RDI_REDIS_CACERT: /etc/certificates/rdi_db/cacert
    # Uncomment these properties when using an mTLS connection from RDI to its Redis database.
    # DO NOT modify these values.
    # RDI_REDIS_CERT: /etc/certificates/rdi_db/cert
    # RDI_REDIS_KEY: /etc/certificates/rdi_db/key
    # The passphrase used to get the private key stored in the secret store when using mTLS.
    # RDI_REDIS_KEY_PASSPHRASE: ""
    # The key used to encrypt the JWT token used by RDI API. Best practice is for this
    # to contain 32 random bytes encoded as ASCII characters (equivalent to 256 bits of
    # data). See `The values.yaml file` section above to learn how to generate the key.
    # JWT_SECRET_KEY: ""
  rdiDbSSLSecret:
    # Set to `true` when using a TLS connection from RDI to its Redis database.
    enabled: false
    # The content of the CA certificate PEM file.
    # Uncomment and set this property when using a TLS connection from RDI to its Redis database.
    # cacert: ""
    # The content of the certificate PEM file.
    # Uncomment and set this property when using an mTLS connection from RDI to its Redis database.
    # cert: ""
    # The content of the private key PEM file.
    # Uncomment and set this property when using an mTLS connection from RDI to its Redis database.
    # key: ""
  # Container default security context.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    allowPrivilegeEscalation: false
# Set `isOpenshift` to `true` if deploying on OpenShift.
reloader:
  reloader:
    isOpenshift: false
    deployment:
      containerSecurityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
      securityContext:
        runAsUser: null
# Configuration of the RDI Operator.
operator:
  image:
    name: rdi-operator
    # Specify an imagePullPolicy.
    # ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    pullPolicy: IfNotPresent
  # Extra optional options for liveness probe.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
  liveness:
    failureThreshold: 6
    periodSeconds: 10
  # Extra optional options for readiness probe.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
  readiness:
    failureThreshold: 6
    periodSeconds: 30
  # Extra optional options for startup probe.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
  startup:
    failureThreshold: 60
    periodSeconds: 5
fluentd:
  image:
    name: rdi-fluentd
    # Specify an imagePullPolicy.
    # ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    pullPolicy: IfNotPresent
  rdiLogsHostPath: "/opt/rdi/logs"
  podLogsHostPath: "/var/log/pods"
  logrotateMinutes: "5"
rdiMetricsExporter:
  image:
    name: rdi-monitor
    # Specify an imagePullPolicy.
    # ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    pullPolicy: IfNotPresent
  # The RDI metrics service is set to ClusterIP, allowing access only from within the cluster.
  # ref: http://kubernetes.io/docs/user-guide/services/
  service:
    protocol: TCP
    port: 9121
    targetPort: 9121
    type: ClusterIP
  # Configure extra options for liveness probe.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  liveness:
    failureThreshold: 6
    periodSeconds: 10
  # Configure extra options for readiness probe.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  readiness:
    failureThreshold: 6
    periodSeconds: 30
  # Configure extra options for startupProbe.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  startup:
    failureThreshold: 60
    periodSeconds: 5
  # Configuration for the ServiceMonitor, which is used to scrape metrics from the RDI metrics service.
  serviceMonitor:
    # Set to `true` to activate the ServiceMonitor.
    enabled: false
    # The endpoint from which Prometheus will scrape metrics.
    path: /metrics
# Configuration of the RDI API.
apiServer:
  image:
    name: rdi-api
    # Specify an imagePullPolicy.
    # ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    pullPolicy: IfNotPresent
  # The RDI API service is set to ClusterIP, allowing access only from within the cluster.
  # ref: http://kubernetes.io/docs/user-guide/services/
  service:
    type: ClusterIP
    name: rdi-api
    port: 8080
    targetPort: 8081
  # Configure extra options for liveness probe.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  liveness:
    failureThreshold: 6
    periodSeconds: 10
  # Configure extra options for readiness probe.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  readiness:
    failureThreshold: 6
    periodSeconds: 30
  # Configure extra options for startupProbe.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  startup:
    failureThreshold: 60
    periodSeconds: 5
# Expose the RDI API service to be accessed from outside the cluster.
# ref: http://kubernetes.io/docs/user-guide/services/
ingress:
  # When `enabled` is set to `true`, RDI API Ingress will be created.
  enabled: false
  # ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
  # className: ""
  # Ingress resources configure routes based on the requested host.
  # The optional Host field defines the hosts for routing. If omitted, it matches all hosts.
  # Example:
  # hosts:
  #   - example.com
  #   - another-example.com
  # Annotations to be added to the IngressClass resource.
  # Example:
  # annotations:
  #   kubernetes.io/ingress.class: "nginx"
  #   nginx.ingress.kubernetes.io/rewrite-target: /
  tls:
    # Specifies whether the Ingress should be configured to use TLS.
    enabled: false
    # When `enabled` is set to `true`, set this property to the content of the crt file.
    # crt: ""
    # When `enabled` is set to `true`, set this property to the content of the key file.
    # key: ""
# When `openShift` is set to `true`, Route will be created automatically.
# Route exposes RDI API outside the cluster.
route:
  tls:
    # Specifies whether the Route should be configured to use TLS.
    enabled: false
    # When `enabled` is set to `true`, set this property to the content of the crt file.
    # crt: ""
    # When `enabled` is set to `true`, set this property to the content of the key file.
    # key: ""
collectorSourceMetricsExporter:
  # The collector-source metrics service is set to ClusterIP, allowing access only from within the cluster.
  # ref: http://kubernetes.io/docs/user-guide/services/
  service:
    type: ClusterIP
    port: 9092
    targetPort: 19000
  # Configuration for the ServiceMonitor, which is used to scrape metrics from the collector-source metrics service.
  serviceMonitor:
    # Set to `true` to activate the ServiceMonitor.
    enabled: false
    # The endpoint from which Prometheus will scrape metrics.
    path: /metrics
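Check the installation
To verify the status of the K8s deployment, run the following command:
helm list -n monitoring -n rdi
The output looks like the following. Check that <logical_chart_name> is listed.
NAME                  NAMESPACE  REVISION  UPDATED                        STATUS    CHART      APP VERSION
<logical_chart_name>  rdi        1         2024-10-10 16:53... +0300 IDT  deployed  rdi-1.0.0
Also, check that the following pods have the status Running:
kubectl get pod -n rdi
NAME                                READY  STATUS   RESTARTS  AGE
rdi-api-<id>                        1/1    Running  0         29m
rdi-metric-<id>                     1/1    Running  0         29m
rdi-operator-<id>                   1/1    Running  0         29m
<logical_chart_name>-reloader-<id>  1/1    Running  0         29m
collector-api-<id>                  1/1    Running  0         29m
You can verify that the RDI API works by adding a server in Redis Insight.
Using an ingress controller
If you want to expose the RDI API service through the K8s Ingress resource, you must make sure that a suitable ingress controller is available in your K8s cluster. Follow the documentation of your cloud provider or of your ingress controller to install the controller correctly.
Using the nginx ingress controller on AKS
On AKS, if you want to use the open source nginx ingress controller rather than the AKS application routing add-on, follow Create an unmanaged ingress controller in the AKS documentation.
In particular, make sure that one or both of the following Helm chart values are set:
- controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz
- controller.service.externalTrafficPolicy=Local
Prepare your source database
You must also configure your source database to use the CDC connector. See the Prepare source databases section to learn how to do this.
Deploy a pipeline
When the Helm installation is complete and you have prepared the source database for CDC, you are ready to start using RDI. See the guides for more information, including how to configure and deploy an RDI pipeline. You can also configure and deploy a pipeline using Redis Insight.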