{ "id": "openshift-cli", "title": "Deployment with OpenShift CLI for Redis Enterprise for Kubernetes", "url": "https://redis.io/docs/latest/operate/kubernetes/8.0.18/deployment/openshift/openshift-cli/", "summary": "Redis Enterprise for Kubernetes and cluster can be installed via CLI tools OpenShift", "content": "\nUse these steps to set up a Redis Enterprise Software cluster with OpenShift.\n\n## Prerequisites\n\n- [OpenShift cluster](https://docs.openshift.com/container-platform/4.8/installing/index.html) with at least 3 nodes (each meeting the [minimum requirements for a development installation](https://redis.io/docs/latest/operate/rs/installing-upgrading/install/plan-deployment/hardware-requirements))\n- [OpenShift CLI](https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/getting-started-cli.html)\n\nTo see which version of Redis Enterprise for Kubernetes supports your OpenShift version, see [Supported Kubernetes distributions](https://redis.io/docs/latest/operate/kubernetes/reference/supported_k8s_distributions).\n\n\nIf you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment](https://redis.io/docs/latest/operate/kubernetes/security/allow-resource-adjustment). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment.\n\n\n## Deploy the operator\n\n1. Create a new project.\n\n ```sh\n oc new-project \u003cyour-project-name\u003e \n ```\n\n1. Verify the newly created project. \n\n ```sh\n oc project \u003cyour-project-name\u003e\n ```\n\n1. Get the deployment files.\n\n ```sh\n git clone https://github.com/RedisLabs/redis-enterprise-k8s-docs\n ```\n\n1. Deploy the OpenShift operator bundle.\n\n If you are using version 6.2.18-41 or earlier, you must [apply the security context constraint](#install-security-context-constraint) before the operator bundle.\n\n ```sh\n oc apply -f openshift.bundle.yaml\n ```\n\n \nChanges to the `openshift.bundle.yaml` file can cause unexpected results.\n \n\n1. Verify that your `redis-enterprise-operator` deployment is running.\n\n ```sh\n oc get deployment\n ```\n\n A typical response looks like this:\n\n ```sh\n NAME READY UP-TO-DATE AVAILABLE AGE\n redis-enterprise-operator 1/1 1 1 0m36s\n ```\n\n \nDO NOT modify or delete the StatefulSet created during the deployment process. Doing so could destroy your Redis Enterprise cluster (REC).\n \n\n## Security context constraints\n\nVersions 7.22.0-6 and later run in without permissions to [allow automatic resource adjustment](https://redis.io/docs/latest/operate/kubernetes/security/allow-resource-adjustment). If you use the recommended default security constraints, remove the existing `redis-enterprise-scc-v2` SCC and unbind it from the REC service account after upgrading.\n\n## Create a Redis Enterprise cluster custom resource\n\n1. Apply the `RedisEnterpriseCluster` resource file ([rec_rhel.yaml](https://github.com/RedisLabs/redis-enterprise-k8s-docs/blob/master/openshift/rec_rhel.yaml)).\n\n You can rename the file to `\u003cyour_cluster_name\u003e.yaml`, but it is not required. Examples below use `\u003crec_rhel\u003e.yaml`. [Options for Redis Enterprise clusters](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_cluster_api) has more info about the Redis Enterprise cluster (REC) custom resource, or see the [Redis Enterprise cluster API](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_cluster_api) for a full list of options.\n\n \nIf you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment](https://redis.io/docs/latest/operate/kubernetes/security/allow-resource-adjustment). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment.\n \n\n The REC name cannot be changed after cluster creation.\n\n \nEach Redis Enterprise cluster requires at least 3 nodes. Single-node RECs are not supported.\n \n\n2. Apply the custom resource file to create your Redis Enterprise cluster.\n\n \nIf you enabled automatic resource adjustment in your configuration, this step will trigger the operator to apply elevated capabilities. Ensure your security context allows it.\n \n\n ```sh\n oc apply -f \u003crec_rhel\u003e.yaml\n ```\n\n The operator typically creates the REC within a few minutes.\n\n1. Check the cluster status.\n\n ```sh\n oc get pod\n ```\n\n You should receive a response similar to the following:\n\n ```sh\n NAME | READY | STATUS | RESTARTS | AGE |\n | -------------------------------- | ----- | ------- | -------- | --- |\n | rec-name-0 | 2/2 | Running | 0 | 1m |\n | rec-name-1 | 2/2 | Running | 0 | 1m |\n | rec-name-2 | 2/2 | Running | 0 | 1m |\n | rec-name-controller-x-x | 1/1 | Running | 0 | 1m |\n | Redis-enterprise-operator-x-x | 1/1 | Running | 0 | 5m |\n ```\n\n## Configure the admission controller\n\n1. Verify the `admission-tls` secret exists.\n\n ```sh\n kubectl get secret admission-tls\n ```\n \n The output should look similar to\n \n ```sh\n NAME TYPE DATA AGE\n admission-tls Opaque 2 2m43s\n ```\n\n1. Save the certificate to a local environment variable.\n\n ```sh\n CERT=`kubectl get secret admission-tls -o jsonpath='{.data.cert}'`\n ```\n\n1. Create a Kubernetes validating webhook, replacing `\u003cnamespace\u003e` with the namespace where the REC was installed.\n\n The `webhook.yaml` template can be found in [redis-enterprise-k8s-docs/admission](https://github.com/RedisLabs/redis-enterprise-k8s-docs/tree/master/admission)\n\n ```sh\n sed 's/OPERATOR_NAMESPACE/\u003cnamespace\u003e/g' webhook.yaml | kubectl create -f -\n ```\n\n1. Create a patch file for the Kubernetes validating webhook.\n\n ```sh\n cat \u003e modified-webhook.yaml \u003c\u003cEOF\n webhooks:\n - name: redisenterprise.admission.redislabs\n clientConfig:\n caBundle: $CERT\n EOF\n ```\n\n1. Patch the webhook with the certificate.\n\n ```sh\n kubectl patch ValidatingWebhookConfiguration \\\n redis-enterprise-admission --patch \"$(cat modified-webhook.yaml)\"\n ```\n\n\n### Limit the webhook to relevant namespaces\n\nIf not limited, the webhook intercepts requests from all namespaces. If you have several REC objects in your Kubernetes cluster, limit the webhook to the relevant namespaces. If you aren't using multiple namespaces, skip this step.\n\n1. Verify your namespace is labeled and the label is unique to this namespace, as shown in the next example.\n\n ```sh\n apiVersion: v1\n kind: Namespace\n metadata:\n labels:\n namespace-name: staging\n name: staging\n ```\n\n1. Patch the webhook spec with the `namespaceSelector` field.\n\n ```sh\n cat \u003e modified-webhook.yaml \u003c\u003cEOF\n webhooks:\n - name: redisenterprise.admission.redislabs\n namespaceSelector:\n matchLabels:\n namespace-name: staging\n EOF\n ```\n\n1. Apply the patch.\n\n ```sh\n oc patch ValidatingWebhookConfiguration \\\n redis-enterprise-admission --patch \"$(cat modified-webhook.yaml)\"\n ```\n\n \nFor releases before 6.4.2-4, use this command instead:\n\n```sh\noc patch ValidatingWebhookConfiguration \\\n redb-admission --patch \"$(cat modified-webhook.yaml)\"\n```\n\nThe 6.4.2-4 release introduces a new `ValidatingWebhookConfiguration` to replace `redb-admission`. See the [6.4.2-4 release notes](https://redis.io/docs/latest/operate/kubernetes/release-notes/previous-releases/).\n \n\n### Verify admission controller installation\n\nApply an invalid resource as shown below to force the admission controller to reject it. If it applies successfully, the admission controller is not installed correctly.\n\n```sh\noc apply -f - \u003c\u003c EOF\napiVersion: app.redislabs.com/v1alpha1\nkind: RedisEnterpriseDatabase\nmetadata:\n name: redis-enterprise-database\nspec:\n evictionPolicy: illegal\nEOF\n```\n\nYou should see this error from the admission controller webhook `redisenterprise.admission.redislabs`.\n \n```sh\nError from server: error when creating \"STDIN\": admission webhook \"redisenterprise.admission.redislabs\" denied the request: eviction_policy: u'illegal' is not one of [u'volatile-lru', u'volatile-ttl', u'volatile-random', u'allkeys-lru', u'allkeys-random', u'noeviction', u'volatile-lfu', u'allkeys-lfu']\n```\n\n## Create a Redis Enterprise database custom resource\n\nThe operator uses the instructions in the Redis Enterprise database (REDB) custom resources to manage databases on the Redis Enterprise cluster.\n\n1. Create a `RedisEnterpriseDatabase` custom resource.\n\n This example creates a test database. For production databases, see [create a database](https://redis.io/docs/latest/operate/kubernetes/re-databases/db-controller.md#create-a-database) and [RedisEnterpriseDatabase API reference](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_database_api).\n\n ```sh\n cat \u003c\u003c EOF \u003e /tmp/redis-enterprise-database.yml\n apiVersion: app.redislabs.com/v1alpha1\n kind: RedisEnterpriseDatabase\n metadata:\n name: redis-enterprise-database\n spec:\n memorySize: 100MB\n EOF\n ```\n\n1. Apply the newly created REDB resource.\n\n ```sh\n oc apply -f /tmp/redis-enterprise-database.yml\n ```\n\n## More info\n\n- [Redis Enterprise cluster API](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_cluster_api)\n- [Redis Enterprise database API](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_database_api)\n", "tags": ["docs","operate","kubernetes"], "last_updated": "2026-06-04T14:49:57+01:00" }