Can't load more users into Redis kubernetes deployment #693

Open
dgaddsec opened this issue Apr 22, 2024 · 1 comment
@dgaddsec

dgaddsec commented Apr 22, 2024

Expected behaviour

Deploy Spotahome Redis into my cluster with more than the default users created during deployment.

Actual behaviour

Redis is deployed correctly, but it has only the default and pinger users.

Steps to reproduce the behaviour

I used Spotahome Redis operator in my Kubernetes deployment. I have my own operator written in C#. It is deployed correctly in general.
I have prepared a secret that contains ACL commands that should add 3 users.
I mount it as a file that is accessible through the Redis pod.
I set the aclfile property in the customConfig property.

Please find below my main .yaml template for RedisFailover:

apiVersion: databases.spotahome.com/v1
kind: RedisFailover
metadata:
  name: redis
  namespace: default
  labels:
    ...
spec:
  redis:
    image: redis:7.2.4-alpine
    imagePullPolicy: IfNotPresent
    replicas: 3
    resources:
      ...
    affinity:
      ...
    podAnnotations:
      ...
    extraVolumes:
    - name: redis-users-volume
      secret:
        secretName: redis-users-list
        optional: false
    extraVolumeMounts:
    - name: redis-users-volume
      mountPath: /etc/redis
      readOnly: true
    customConfig:
      - "slowlog-log-slower-than 9500" # works
      - "aclfile ./etc/redis/users.acl" # doesn't work
  sentinel:
    ...

Here is a RedisFailover Describe result:

image

And below is a screenshot from the Redis pod shell console showing:

  • successfully mounting the secret into a file with the correct content
  • loaded users in acl
  • config values of aclfile and slowlog-log-slower-than
  • result from the unsuccessful try of setting aclfile config
    image

An interesting point is that slowlog-log-slower-than is set correctly (9500 is not a default value), while aclfile is not.

Environment

Redis version
redis_version:7.2.4

Kubectl version
Client Version: v1.29.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.24.11+vmware.1-fips.1

Question

How can I set up more users?

@jammerwhitey

I've been trying to do this as well, but it doesn't seem to work using just customConfig. I suspect the aclfile is in conflict with /redis/redis.conf that is used for redis startup because the redis.conf has an acl defined for the pinger user (can't have acl's defined in both files).

Possible Workaround, effectively combining redis.conf and aclfile:

  • Make a copy of the /redis/redis.conf and add the full list of acl's you want as the secret.
  • Write a copy of the updated redis.conf in /etc/redis using the extraVolumes.
  • Use a startup command that references that new redis.conf:
    command: ['/bin/sh', '-c', "redis-server /etc/redis/redis.conf"]

So far this looks like it's working. If there is a new version of the operator released, this approach would possibly break. But hopefully changes can be made so a customConfig and aclfile can be used. I think a separate aclfile is preferred.

I don't think the same approach will work on the Sentinel though as that conf gets rewritten as the master/leader changes, etc.

I'd be interested to hear if anyone has a different experience or has another option that can work.
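
The workaround in the comment above amounts to folding the extra ACL users into the redis.conf that Redis is started with. The merge step, as an added example (not the operator's code and not written by either commenter): the function name, file names and sample users are assumptions. It drops any aclfile directive from the base file, because Redis refuses a configuration that sets aclfile while redis.conf also defines users, and it rejects an ACL line that redefines a user the base file already has.

```shell
#!/bin/sh
# merge_redis_conf BASE_CONF USERS_ACL   (hypothetical helper, not part of the operator)
# Prints BASE_CONF without any "aclfile" directive, followed by the "user" lines
# from USERS_ACL. Returns non-zero if USERS_ACL contains a non-user line or
# names a user that is already defined (for example the operator's pinger user).
merge_redis_conf() {
    base=$1 users=$2
    [ -r "$base" ] && [ -r "$users" ] || { echo "unreadable input" >&2; return 1; }
    awk '
        # First file (base conf): drop aclfile, remember the users it defines.
        FILENAME == ARGV[1] {
            if (tolower($1) == "aclfile") next
            if (tolower($1) == "user") seen[$2] = 1
            print; next
        }
        # Second file (ACL lines): skip blank lines and comments.
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) != "user" || NF < 2 {
            print "line " FNR ": not an ACL user line" > "/dev/stderr"; bad = 1; next
        }
        # ACL user names are case-sensitive, so compare them exactly.
        ($2 in seen) { print "duplicate user: " $2 > "/dev/stderr"; bad = 1; next }
        { seen[$2] = 1; print }
        END { exit bad + 0 }
    ' "$base" "$users"
}

# Demo on constructed input; every name and password below is made up.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'port 6379' 'aclfile /etc/redis/users.acl' \
        'user pinger on >constructed-pw +ping' > "$d/base.conf"
    printf '%s\n' '# application users' \
        'user app1 on >constructed-pw1 ~app1:* +@read' \
        'user app2 on >constructed-pw2 ~* +@all' > "$d/users.acl"
    # The merged file holds passwords: create it readable by the owner only,
    # and report the number of users rather than echoing the secrets.
    ( umask 077; merge_redis_conf "$d/base.conf" "$d/users.acl" > "$d/redis.conf" ) &&
        grep -c '^user ' "$d/redis.conf"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

Because output is streamed before a duplicate is detected, write to a temporary file and use it only when the function returns 0.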
