Skip to content

K8s: configure role permissions #1817

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

K8s: configure role permissions #1817

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0770b4d
configure role permissions
kaitlynmichael Jul 7, 2025
39e6fa5
Apply suggestions from code review
kaitlynmichael Jul 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
87 changes: 84 additions & 3 deletions content/operate/kubernetes/active-active/global-config.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,6 @@ The [REAADB API reference]({{<relref "/operate/kubernetes/reference/redis_enterp

This section edits the secrets under the REAADB `.spec.globalConfigurations` section. For more information and all available fields, see the [REAADB API reference]({{<relref "/operate/kubernetes/reference/redis_enterprise_active_active_database_api">}}).


1. On an existing participating cluster, generate a YAML file containing the database secret with the relevant data.

This example shoes a secret named `my-db-secret` with the password `my-password` encoded in base 64.
Expand Down Expand Up @@ -87,7 +86,7 @@ This section edits the secrets under the REAADB `.spec.globalConfigurations` sec

1. On each other participating cluster, check the secret status.

``sh
```sh
kubectl get reaadb <reaadb-name> -o=jsonpath='{.status.secretsStatus}'
```

Expand All @@ -103,4 +102,86 @@ This section edits the secrets under the REAADB `.spec.globalConfigurations` sec
kubectl apply -f <db-secret-file>
```

1. Repeat the previous two steps on every participating cluster.
1. Repeat the previous two steps on every participating cluster.

## Configure role permissions

You can configure role-based access control (RBAC) permissions for Active-Active databases using the `rolesPermissions` field in the REAADB `.spec.globalConfigurations` section. The role permissions configuration is propagated across all participating clusters, but the underlying roles and Redis ACLs must be manually created on each cluster.

{{<note>}}You must manually create the specified roles and Redis ACLs on all participating clusters before configuring role permissions. The operator only propagates the role permissions configuration—it does not create the underlying roles and ACLs. If roles or ACLs are missing on any cluster, the operator will log errors and dispatch an Event associated with the REAADB object until they are manually created.{{</note>}}

### Prerequisites

Before configuring role permissions:

1. Manually create the required roles and Redis ACLs on all participating clusters using the Redis Enterprise admin console or REST API.
2. Ensure role and ACL names match exactly across all clusters (names are case-sensitive).
3. Verify that roles and ACLs are properly configured on each cluster.

{{<warning>}}The operator does not automatically create or synchronize roles and ACLs across clusters. You are responsible for manually creating identical roles and ACLs on each participating cluster.{{</warning>}}

### Add role permissions to REAADB

1. Create or update your REAADB custom resource to include `rolesPermissions` in the global configurations.

Example REAADB with role permissions:

```yaml
apiVersion: app.redislabs.com/v1alpha1
kind: RedisEnterpriseActiveActiveDatabase
metadata:
name: reaadb-boeing
spec:
globalConfigurations:
databaseSecretName: <my-secret>
memorySize: 200MB
shardCount: 3
rolesPermissions:
- role: <role-name>
acl: <acl-name>
type: redis-enterprise
participatingClusters:
- name: rerc-ohare
- name: rerc-reagan
```

Replace `<role-name>` and `<acl-name>` with the exact names of your Redis Enterprise role and ACL.

2. Apply the REAADB custom resource:

```sh
kubectl apply -f <reaadb-file>
```

Alternatively, patch an existing REAADB to add role permissions:

```sh
kubectl patch reaadb <reaadb-name> --type merge --patch \
'{"spec": {"globalConfigurations": {"rolesPermissions": [{"role": "<role-name>", "acl": "<acl-name>", "type": "redis-enterprise"}]}}}'
```

3. Verify the REAADB status shows `active` and `Valid`:

```sh
kubectl get reaadb <reaadb-name>

NAME STATUS SPEC STATUS GLOBAL CONFIGURATIONS REDB LINKED REDBS
reaadb-boeing active Valid
```

4. Check the operator logs to confirm role permissions are applied:

```sh
kubectl logs -l name=redis-enterprise-operator
```


### Troubleshooting role permissions

If you encounter issues with role permissions:

- **Missing role or ACL errors**: Manually create the specified roles and ACLs on all participating clusters with exact name matches. The operator cannot create these automatically.
- **Permission propagation failures**: Verify that the roles and ACLs are properly configured and accessible on each cluster. Remember that you must manually create identical roles and ACLs on every participating cluster.
- **Case sensitivity issues**: Verify that role and ACL names match exactly, including capitalization, across all clusters.

For more details on the `rolesPermissions` field structure, see the [REAADB API reference]({{<relref "/operate/kubernetes/reference/redis_enterprise_active_active_database_api#specglobalconfigurationsrolespermissions">}}).