{
  "id": "vault",
  "title": "Integrate HashiCorp Vault with Redis Enterprise for Kubernetes",
  "url": "https://redis.io/docs/latest/operate/kubernetes/8.0/security/vault/",
  "summary": "Configure HashiCorp Vault as the centralized secret management system for Redis Enterprise for Kubernetes.",
  "content": "\nYou can configure HashiCorp Vault as the centralized secret management system for the Redis Enterprise Kubernetes operator, replacing the default Kubernetes secrets. This integration provides enhanced security, centralized secret management, and advanced features like secret rotation and audit logging.\n\n## What secrets are managed by Vault?\n\nWhen Vault integration is enabled, all secrets referenced in Redis Enterprise custom resources are retrieved from Vault instead of Kubernetes secrets, including:\n\n| **Category** | **Secret Type** | **API Field** | **Description** |\n|---|---|---|---|\n| **Cluster secrets** |  |  |  |\n|  | [Cluster credentials](https://redis.io/docs/latest/operate/kubernetes/deployment/quick-start) | [`clusterCredentialSecretName`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec) | Authentication credentials for cluster access |\n|  | [License](https://redis.io/docs/latest/operate/kubernetes/deployment/quick-start#install-the-license) | [`licenseSecretName`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec) | Redis Enterprise license key |\n|  | [API certificate](https://redis.io/docs/latest/operate/kubernetes/security/manage-rec-certificates) | [`apiCertificateSecretName`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec) | TLS certificate for API server |\n|  | [Cluster manager certificate](https://redis.io/docs/latest/operate/kubernetes/security/manage-rec-certificates) | [`cmCertificateSecretName`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec) | TLS certificate for cluster manager |\n|  | [Metrics exporter certificate](https://redis.io/docs/latest/operate/kubernetes/re-clusters/connect-prometheus-operator) | 
[`metricsExporterCertificateSecretName`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec) | TLS certificate for metrics exporter |\n|  | [Proxy certificate](https://redis.io/docs/latest/operate/kubernetes/security/manage-rec-certificates) | [`proxyCertificateSecretName`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec) | TLS certificate for proxy |\n|  | [Syncer certificate](https://redis.io/docs/latest/operate/kubernetes/active-active) | [`syncerCertificateSecretName`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec) | TLS certificate for Active-Active syncer |\n|  | [LDAP client certificate](https://redis.io/docs/latest/operate/kubernetes/security/ldap) | [`ldapClientCertificateSecretName`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec) | TLS certificate for LDAP client authentication |\n|  | [User-defined module credentials](https://redis.io/docs/latest/operate/kubernetes/re-databases/modules) | [`credentialsSecret`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_cluster_api#specuserdefinedmodulessourcehttps) | Credentials for downloading user-defined modules from authenticated repositories |\n| **Database secrets** |  |  |  |\n|  | [Database passwords](https://redis.io/docs/latest/operate/kubernetes/networking/database-connectivity/#credentials-and-secrets-management) | Various | Passwords for Redis databases |\n|  | [Replica source client TLS key](https://redis.io/docs/latest/operate/kubernetes/re-databases/replica-redb) | [`clientKeySecret`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec) | Client TLS key for cross-cluster replication |\n|  | [Replica source server 
certificate](https://redis.io/docs/latest/operate/kubernetes/re-databases/replica-redb) | [`serverCertSecret`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec) | Server certificate for cross-cluster replication |\n|  | [S3 backup credentials](https://redis.io/docs/latest/operate/kubernetes/re-databases) | [`awsSecretName`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec) | AWS S3 storage credentials for database backups |\n|  | [SFTP backup credentials](https://redis.io/docs/latest/operate/kubernetes/re-databases) | [`sftpSecretName`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec) | SFTP storage credentials for database backups |\n|  | [Swift backup credentials](https://redis.io/docs/latest/operate/kubernetes/re-databases) | [`swiftSecretName`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec) | Swift storage credentials for database backups |\n|  | [Azure Blob backup credentials](https://redis.io/docs/latest/operate/kubernetes/re-databases) | [`absSecretName`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec) | Azure Blob storage credentials for database backups |\n|  | [Google Cloud backup credentials](https://redis.io/docs/latest/operate/kubernetes/re-databases) | [`gcsSecretName`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec) | Google Cloud storage credentials for database backups |\n|  | [Client authentication certificates](https://redis.io/docs/latest/operate/kubernetes/security/add-client-certificates) | Various | TLS client certificates for authentication |\n| **Other secrets** |  |  |  |\n|  | [Remote cluster 
secrets](https://redis.io/docs/latest/operate/kubernetes/active-active) | [`secretName`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_remote_cluster_api#redisenterpriseremoteclusterspec) | Credentials for Redis Enterprise Remote Cluster (RERC) configurations |\n|  | [Active-Active database secrets](https://redis.io/docs/latest/operate/kubernetes/active-active) | [`globalConfigurations`](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_active_active_database_api#redisenterpriseactiveactivedatabasespec) | All secret names specified in REAADB global configurations |\n\n\nFor complete details on supported secrets, see the [`RedisEnterpriseCluster` API reference](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_cluster_api) and [`RedisEnterpriseDatabase` API reference](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_database_api).\n\n### Secret path structure\n\nVault secrets follow a hierarchical path structure:\n```\n\u003cVAULT_SECRET_ROOT\u003e/\u003cVAULT_SECRET_PREFIX\u003e/\u003csecret-name\u003e\n```\n\nDefault example:\n```\nsecret/data/redisenterprise-redis-ns/my-cluster\nsecret/data/redisenterprise-redis-ns/my-database-password\nsecret/data/redisenterprise-redis-ns/tls-certificates\n```\n\n\nWhen using OpenShift, replace `kubectl` commands with `oc` throughout this guide.\n\n\n## Prerequisites\n\nBefore integrating Redis Enterprise operator with HashiCorp Vault, ensure you have the following components properly configured:\n\nHashiCorp Vault Requirements:\n\n- Vault instance: HashiCorp Vault v1.15.2+ with TLS and network connectivity to your Kubernetes cluster\n- Authentication method: Configure Kubernetes authentication method in Vault (see [HashiCorp's Kubernetes Auth documentation](https://developer.hashicorp.com/vault/docs/auth/kubernetes))\n- Secret engine: Enable and configure KV version 2 secret engine\n  - Default mount path: 
`secret/` (configurable)\n  - Used to store all Redis Enterprise secrets\n  - Supports versioning and metadata\n\nKubernetes Requirements:\n\n- Vault Agent Injector: Deploy the HashiCorp Vault Agent Injector\n  - Enables automatic secret injection into pods\n  - See [Vault Agent Injector tutorial](https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-sidecar)\n- Network access: Ensure Kubernetes cluster can reach Vault\n  - Configure appropriate network policies and firewall rules\n  - Vault typically runs on port 8200 (HTTPS)\n- Service accounts: Proper RBAC configuration for operator service accounts\n\nVault editions:\n\nThis guide supports both Vault Community and Enterprise editions:\n\n- Vault Community: Use all commands without `-namespace` flags or `VAULT_NAMESPACE` parameters\n- Vault Enterprise: Supports namespaces for logical isolation and multi-tenancy (separate from Kubernetes namespaces)\n\nMinimum token TTL:\n\nConfigure Vault token policies with minimum TTL of 1 hour:\n- Prevents frequent token renewal overhead\n- Ensures stable operation during maintenance windows\n- See [Vault token management](https://developer.hashicorp.com/vault/tutorials/tokens/token-management)\n\n### Deployment scenarios\n\nThis guide covers the most common deployment scenario with the following assumptions:\n\n- Vault Enterprise with namespace support (adapt for Community Edition by removing namespace parameters)\n- Multiple Redis Enterprise clusters in the same Kubernetes cluster\n- Namespace isolation using Kubernetes namespace suffixes for Vault configurations\n- Production security with proper RBAC and network policies\n\n\nMulti-cluster considerations: When deploying across multiple Kubernetes clusters with identical namespace names, additional prefixing may be required to avoid Vault path conflicts.\n\n\n## Configure the operator\n\n1. 
Configure Vault policies and roles\n\n   Create a policy that grants the Redis Enterprise operator read access to secrets:\n\n   ```bash\n   vault policy write -namespace=\u003cVAULT_NAMESPACE\u003e redisenterprise-\u003cK8S_NAMESPACE\u003e - \u003c\u003cEOF\n   path \"secret/data/redisenterprise-\u003cK8S_NAMESPACE\u003e/*\" {\n     capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]\n   }\n   path \"secret/metadata/redisenterprise-\u003cK8S_NAMESPACE\u003e/*\" {\n     capabilities = [\"list\"]\n   }\n   EOF\n   ```\n\n   Parameter explanation:\n   - `\u003cVAULT_NAMESPACE\u003e`: Your Vault Enterprise namespace (omit for Community Edition)\n   - `\u003cK8S_NAMESPACE\u003e`: Kubernetes namespace where Redis Enterprise operator is deployed\n\n   Configure a Vault role that binds the operator's service account to the policy:\n\n   ```bash\n   vault write -namespace=\u003cVAULT_NAMESPACE\u003e auth/\u003cAUTH_PATH\u003e/role/redis-enterprise-operator-\u003cK8S_NAMESPACE\u003e \\\n           bound_service_account_names=\"redis-enterprise-operator\" \\\n           bound_service_account_namespaces=\u003cK8S_NAMESPACE\u003e \\\n           policies=redisenterprise-\u003cK8S_NAMESPACE\u003e\n   ```\n\n   Parameter explanation:\n   - `\u003cAUTH_PATH\u003e`: Kubernetes auth method path in Vault (default: `kubernetes`)\n   - Role name includes namespace for multi-tenant isolation\n\n2. 
Configure operator environment\n\n   Create a ConfigMap with Vault configuration for the Redis Enterprise operator:\n\n   ```yaml\n   # operator-environment-config.yaml\n   apiVersion: v1\n   kind: ConfigMap\n   metadata:\n     name: operator-environment-config\n     namespace: \u003cK8S_NAMESPACE\u003e\n   data:\n     CREDENTIAL_TYPE: \"vault\"\n     VAULT_SERVER_FQDN: \"\u003cVAULT_FQDN\u003e\"\n     VAULT_SERVICE_PORT_HTTPS: \"8200\"\n     VAULT_SECRET_ROOT: \"secret\"\n     VAULT_SECRET_PREFIX: \"redisenterprise-\u003cK8S_NAMESPACE\u003e\"\n     VAULT_ROLE: \"redis-enterprise-operator-\u003cK8S_NAMESPACE\u003e\"\n     VAULT_AUTH_PATH: \"\u003cAUTH_PATH\u003e\"\n     VAULT_NAMESPACE: \"\u003cVAULT_NAMESPACE\u003e\"\n     VAULT_CACHE_SECRET_EXPIRATION_SECONDS: \"120\"\n   ```\n\n   Apply the configuration:\n\n   ```bash\n   kubectl apply -f operator-environment-config.yaml\n   ```\n\n   Configuration parameters:\n\n   | Parameter | Description | Default | Required |\n   |-----------|-------------|---------|----------|\n   | `CREDENTIAL_TYPE` | Must be set to `\"vault\"` to enable Vault integration | - | Yes |\n   | `VAULT_SERVER_FQDN` | Vault server hostname (e.g., `vault.vault-ns.svc.cluster.local`) | - | Yes |\n   | `VAULT_SERVICE_PORT_HTTPS` | Vault HTTPS port | `8200` | Yes |\n   | `VAULT_SECRET_ROOT` | KV-v2 secret engine mount path | `secret` | Yes |\n   | `VAULT_SECRET_PREFIX` | Prefix for all Redis Enterprise secrets | `redisenterprise` | Yes |\n   | `VAULT_ROLE` | Vault role for operator authentication | `redis-enterprise-operator` | Yes |\n   | `VAULT_AUTH_PATH` | Kubernetes auth method path | `kubernetes` | Yes |\n   | `VAULT_NAMESPACE` | Vault Enterprise namespace | - | Enterprise only |\n   | `VAULT_CACHE_SECRET_EXPIRATION_SECONDS` | Secret cache duration | `120` | No |\n\n   Secret path construction: Secrets are stored at `\u003cVAULT_SECRET_ROOT\u003e/data/\u003cVAULT_SECRET_PREFIX\u003e/\u003csecret-name\u003e`\n\n   \u003cbr\u003e\n\n3. 
Deploy the operator\n\n   Deploy the Redis Enterprise operator following the [standard installation guide](https://redis.io/docs/latest/operate/kubernetes/deployment).\n\n   \n   The operator pod will not be ready until the admission controller secret is stored in Vault (covered in the next step).\n   \n\n   \u003cbr\u003e\n\n4. Configure admission controller secret\n\n   Generate and store the admission controller TLS certificate in Vault:\n\n   ```bash\n   kubectl exec -it $(kubectl get pod -l name=redis-enterprise-operator -o jsonpath='{.items[0].metadata.name}') \\\n     -c redis-enterprise-operator -- /usr/local/bin/generate-tls -infer | tail -4 \u003e output.json\n   ```\n\n   Copy the certificate file to Vault (if Vault is running in Kubernetes):\n\n   ```bash\n   kubectl cp output.json vault-0:/tmp -n vault\n   ```\n\n   Store the certificate in Vault:\n\n   ```bash\n   vault kv put -namespace=\u003cVAULT_NAMESPACE\u003e \u003cVAULT_SECRET_ROOT\u003e/redisenterprise-\u003cK8S_NAMESPACE\u003e/admission-tls @output.json\n   ```\n\n   \n   Once the operator is running with Vault integration, proceed to create Redis Enterprise clusters. Do not create clusters before completing this setup.\n   \n\n   \u003cbr\u003e\n\n5. Create Vault CA certificate secret\n\n   Create a Kubernetes secret containing the Certificate Authority certificate used by your Vault instance:\n\n   ```bash\n   kubectl create secret generic vault-ca-cert \\\n           --namespace \u003cK8S_NAMESPACE\u003e \\\n           --from-file=vault.ca=\u003cvault-ca-cert-file-path\u003e\n   ```\n\n   \n   The Vault server certificate must be signed by the Certificate Authority provided in this secret.\n   \n\n## Create Redis Enterprise clusters\n\n1. 
Generate cluster credentials\n\n   Unlike standard deployments, Vault integration requires manually creating cluster credentials:\n\n   ```bash\n   # Generate a secure random password\n   openssl rand -base64 32\n   ```\n\n   Store credentials in Vault:\n\n   ```bash\n   vault kv put -namespace=\u003cVAULT_NAMESPACE\u003e \\\n     \u003cVAULT_SECRET_ROOT\u003e/redisenterprise-\u003cK8S_NAMESPACE\u003e/\u003cREC_NAME\u003e \\\n     username=\u003cYOUR_USERNAME\u003e \\\n     password=\u003cYOUR_PASSWORD\u003e\n   ```\n\n   \n   - The username field in the REC spec is ignored when using Vault\n   - The username from the Vault secret takes precedence\n   - Use strong, unique passwords for each cluster\n   \n\n   \u003cbr\u003e\n\n2. Create cluster service account role\n\n   Configure a Vault role for the Redis Enterprise cluster's service account:\n\n   ```bash\n   vault write -namespace=\u003cVAULT_NAMESPACE\u003e \\\n     auth/\u003cAUTH_PATH\u003e/role/redis-enterprise-rec-\u003cK8S_NAMESPACE\u003e \\\n     bound_service_account_names=\u003cREC_NAME\u003e \\\n     bound_service_account_namespaces=\u003cK8S_NAMESPACE\u003e \\\n     policies=redisenterprise-\u003cK8S_NAMESPACE\u003e\n   ```\n\n   \u003cbr\u003e\n\n3. 
Deploy Redis Enterprise cluster\n\n   Create the `RedisEnterpriseCluster` resource with Vault configuration:\n\n   ```yaml\n   apiVersion: app.redislabs.com/v1\n   kind: RedisEnterpriseCluster\n   metadata:\n     name: rec\n     namespace: \u003cK8S_NAMESPACE\u003e\n     labels:\n       app: redis-enterprise\n   spec:\n     nodes: 3\n     clusterCredentialSecretName: rec\n     clusterCredentialSecretType: vault\n     clusterCredentialSecretRole: redis-enterprise-rec-\u003cK8S_NAMESPACE\u003e\n     vaultCASecret: vault-ca-cert\n     podAnnotations:\n       vault.hashicorp.com/auth-path: auth/\u003cAUTH_PATH\u003e\n       vault.hashicorp.com/namespace: \u003cVAULT_NAMESPACE\u003e\n   ```\n\n   Apply the configuration:\n\n   ```bash\n   kubectl apply -f redis-enterprise-cluster.yaml\n   ```\n\n   Key configuration fields:\n\n   | Field | Description | Example |\n   |-------|-------------|---------|\n   | `clusterCredentialSecretName` | Path of the secret in Vault containing cluster credentials. Can be customized during cluster creation but cannot be changed afterward. The secret must be pre-created in Vault. | `rec` |\n   | `clusterCredentialSecretType` | Must be set to `vault` | `vault` |\n   | `clusterCredentialSecretRole` | Vault role for cluster authentication | `redis-enterprise-rec-\u003cK8S_NAMESPACE\u003e` |\n   | `vaultCASecret` | Kubernetes secret containing Vault's CA certificate | `vault-ca-cert` |\n   | `podAnnotations` | Vault agent annotations for pod-level configuration | See example above |\n\n## Create Redis Enterprise databases\n\nTo create a Redis Enterprise database (REDB) with Vault integration:\n\n1. Create database password in Vault:\n   ```bash\n   vault kv put -namespace=\u003cVAULT_NAMESPACE\u003e \\\n     \u003cVAULT_SECRET_ROOT\u003e/redisenterprise-\u003cK8S_NAMESPACE\u003e/redb-\u003cDATABASE_NAME\u003e \\\n     password=\u003cDATABASE_PASSWORD\u003e\n   ```\n\n   \u003cbr\u003e\n\n2. 
Create the REDB custom resource:\n   Follow the standard [database creation process](https://redis.io/docs/latest/operate/kubernetes/re-databases). The REC configuration automatically enables Vault integration for all databases.\n\n   \u003cbr\u003e\n\n3. Configure additional secrets (optional):\n   Store additional REDB secrets in the path `redisenterprise-\u003cK8S_NAMESPACE\u003e/`. Secrets must comply with the [REDB secrets schema](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_database_api).\n\n\nWhen using the Redis Enterprise Vault plugin, set `defaultUser: false` and associate users through ACL bindings to the REDB.\n\n\nFor complete field documentation, see the [Redis Enterprise database API reference](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_database_api).\n\n### Redis Enterprise Remote Cluster secrets\n\nThe `secretName` field is supported and should be stored in HashiCorp Vault when the Redis Enterprise cluster uses Vault as a secret source.\n\n### Redis Enterprise Active-Active database secrets\n\nREAADB resources include REDB specifications in the `globalConfigurations` field. 
All secret names specified in these configurations are supported and should be stored in HashiCorp Vault when the Redis Enterprise cluster uses Vault as a secret source.\n\n## Manage secrets\n\n\nComplete field documentation is available in the [`RedisEnterpriseCluster` API reference](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_cluster_api) and [`RedisEnterpriseDatabase` API reference](https://redis.io/docs/latest/operate/kubernetes/reference/api/redis_enterprise_database_api).\n\n\n### Redis Enterprise cluster secrets\n\n#### Example REC configuration with all certificates\n\n```yaml\napiVersion: app.redislabs.com/v1\nkind: RedisEnterpriseCluster\nmetadata:\n  name: rec\n  labels:\n    app: redis-enterprise\nspec:\n  nodes: 3\n  licenseSecretName: \u003cVAULT_SECRET_NAME\u003e\n  clusterCredentialSecretName: \u003cVAULT_SECRET_NAME\u003e\n  certificates:\n    apiCertificateSecretName: \u003cVAULT_SECRET_NAME\u003e\n    cmCertificateSecretName: \u003cVAULT_SECRET_NAME\u003e\n    metricsExporterCertificateSecretName: \u003cVAULT_SECRET_NAME\u003e\n    proxyCertificateSecretName: \u003cVAULT_SECRET_NAME\u003e\n    syncerCertificateSecretName: \u003cVAULT_SECRET_NAME\u003e\n    ldapClientCertificateSecretName: \u003cVAULT_SECRET_NAME\u003e\n  # Vault configuration\n  clusterCredentialSecretType: vault\n  clusterCredentialSecretRole: redis-enterprise-rec-\u003cK8S_NAMESPACE\u003e\n  vaultCASecret: vault-ca-cert\n  podAnnotations:\n    vault.hashicorp.com/auth-path: auth/\u003cAUTH_PATH\u003e\n    vault.hashicorp.com/namespace: \u003cVAULT_NAMESPACE\u003e\n```\n\nYou can also update certificates using `kubectl patch`:\n\n```bash\nkubectl patch rec rec --type merge --patch '{\"spec\": {\"certificates\": {\"apiCertificateSecretName\": \"\u003cVAULT_SECRET_NAME\u003e\"}}}'\n```\n\n### Database secrets\n\n#### Database passwords\nStore database passwords in Vault using the database name as the secret key:\n\n```bash\nvault kv put 
-namespace=\u003cVAULT_NAMESPACE\u003e \\\n  \u003cVAULT_SECRET_ROOT\u003e/redisenterprise-\u003cK8S_NAMESPACE\u003e/\u003cDATABASE_NAME\u003e \\\n  password=\u003cDATABASE_PASSWORD\u003e\n```\n\n#### Backup storage credentials\nStore backup storage credentials for Redis Enterprise databases:\n\n```bash\nvault kv put -namespace=\u003cVAULT_NAMESPACE\u003e \\\n  \u003cVAULT_SECRET_ROOT\u003e/redisenterprise-\u003cK8S_NAMESPACE\u003e/\u003cBACKUP_SECRET_NAME\u003e \\\n  AWS_ACCESS_KEY_ID=\u003caccess_key\u003e \\\n  AWS_SECRET_ACCESS_KEY=\u003csecret_key\u003e\n```\n\n#### TLS certificates\nStore TLS certificates for database connections:\n\n```bash\nvault kv put -namespace=\u003cVAULT_NAMESPACE\u003e \\\n  \u003cVAULT_SECRET_ROOT\u003e/redisenterprise-\u003cK8S_NAMESPACE\u003e/\u003cCERT_SECRET_NAME\u003e \\\n  tls.crt=\u003ccertificate_content\u003e \\\n  tls.key=\u003cprivate_key_content\u003e\n```\n\n### User-defined module credentials\n\nStore credentials for downloading user-defined modules from authenticated repositories:\n\n```bash\nvault kv put -namespace=\u003cVAULT_NAMESPACE\u003e \\\n  \u003cVAULT_SECRET_ROOT\u003e/redisenterprise-\u003cK8S_NAMESPACE\u003e/\u003cMODULE_CREDENTIALS_SECRET_NAME\u003e \\\n  username=\u003crepository_username\u003e \\\n  password=\u003crepository_password\u003e\n```\n\nReference this secret in your REC specification's `userDefinedModules` section. See [Configure modules](https://redis.io/docs/latest/operate/kubernetes/re-databases/modules) for details.\n\n## Troubleshooting\n\n### Common Issues and Solutions\n\n#### Operator pod not ready\n\nSymptoms: Operator pod remains in `Pending` or `CrashLoopBackOff` state\n\nCauses and solutions:\n\n1. Missing admission controller secret:\n   ```bash\n   # Check if admission-tls secret exists in Vault\n   vault kv get -namespace=\u003cVAULT_NAMESPACE\u003e \u003cVAULT_SECRET_ROOT\u003e/redisenterprise-\u003cK8S_NAMESPACE\u003e/admission-tls\n   ```\n\n2. 
Vault CA certificate issues:\n   ```bash\n   # Verify vault-ca-cert secret exists\n   kubectl get secret vault-ca-cert -n \u003cK8S_NAMESPACE\u003e\n\n   # Check certificate content\n   kubectl get secret vault-ca-cert -n \u003cK8S_NAMESPACE\u003e -o jsonpath='{.data.vault\\.ca}' | base64 -d\n   ```\n\n3. Network connectivity:\n   ```bash\n   # Test Vault connectivity from operator pod\n   kubectl exec -it \u003coperator-pod\u003e -c redis-enterprise-operator -- \\\n     curl -k https://\u003cVAULT_FQDN\u003e:8200/v1/sys/health\n   ```\n\n#### Authentication failures\n\nSymptoms: `Failed to authenticate with Vault` errors in operator logs\n\nSolutions:\n\n1. Verify Vault role configuration:\n   ```bash\n   vault read -namespace=\u003cVAULT_NAMESPACE\u003e auth/\u003cAUTH_PATH\u003e/role/redis-enterprise-operator-\u003cK8S_NAMESPACE\u003e\n   ```\n\n2. Check service account token:\n   ```bash\n   # Verify service account exists\n   kubectl get serviceaccount redis-enterprise-operator -n \u003cK8S_NAMESPACE\u003e\n\n   # Check token mount\n   kubectl describe pod \u003coperator-pod\u003e -n \u003cK8S_NAMESPACE\u003e | grep -A5 \"Mounts:\"\n   ```\n\n#### Secret retrieval failures\n\nSymptoms: `Failed to read Vault secret` errors\n\nSolutions:\n\n1. Verify secret exists:\n   ```bash\n   vault kv get -namespace=\u003cVAULT_NAMESPACE\u003e \u003cVAULT_SECRET_ROOT\u003e/redisenterprise-\u003cK8S_NAMESPACE\u003e/\u003csecret-name\u003e\n   ```\n\n2. Check policy permissions:\n   ```bash\n   vault policy read -namespace=\u003cVAULT_NAMESPACE\u003e redisenterprise-\u003cK8S_NAMESPACE\u003e\n   ```\n\n3. 
Validate secret format:\n   ```bash\n   # Cluster credentials must have 'username' and 'password' keys\n   vault kv get -format=json -namespace=\u003cVAULT_NAMESPACE\u003e \u003cVAULT_SECRET_ROOT\u003e/redisenterprise-\u003cK8S_NAMESPACE\u003e/\u003ccluster-name\u003e\n   ```\n\n### Debugging commands\n\nCheck operator logs:\n```bash\nkubectl logs -f deployment/redis-enterprise-operator -n \u003cK8S_NAMESPACE\u003e -c redis-enterprise-operator\n```\n\nVerify Vault configuration:\n```bash\nkubectl get configmap operator-environment-config -n \u003cK8S_NAMESPACE\u003e -o yaml\n```\n\nInspect the service account token the operator presents to Vault for Kubernetes authentication:\n```bash\n# Read the projected service account token from inside the operator pod\nkubectl exec -it \u003coperator-pod\u003e -n \u003cK8S_NAMESPACE\u003e -c redis-enterprise-operator -- \\\n  cat /var/run/secrets/kubernetes.io/serviceaccount/token\n```\n",
  "tags": ["docs","operate","kubernetes"],
  "last_updated": "2026-06-04T14:49:57+01:00"
}
