Merge branch 'release-rs-gilboa' into DOC-5680

Author: rrelledge

config.toml

@@ -55,7 +55,7 @@ rdi_redis_gears_version = "1.2.6"
 rdi_debezium_server_version = "2.3.0.Final"
 rdi_db_types = "cassandra|mysql|oracle|postgresql|sqlserver"
 rdi_cli_latest = "latest"
-rdi_current_version = "1.14.0"
+rdi_current_version = "1.14.1"
 
 [params.clientsConfig]
 "Python"={quickstartSlug="redis-py"}

content/develop/ai/langcache/_index.md

@@ -33,8 +33,8 @@ Using LangCache as a semantic caching service has the following benefits:
 
 - **Lower LLM costs**:  Reduce costly LLM calls by easily storing the most frequently-requested responses.
 - **Faster AI app responses**: Get faster AI responses by retrieving previously-stored requests from memory.
-- **Simpler Deployments**: Access our managed service using a REST API with automated embedding generation, configurable controls, and no database management required.
-- **Advanced cache management**: Manage data access and privacy, eviction protocols, and monitor usage and cache hit rates.
+- **Simpler deployments**: Access our managed service using a REST API with automated embedding generation, configurable controls, and no database management required.
+- **Advanced cache management**: Manage data access, privacy, and eviction protocols. Monitor usage and cache hit rates.
 
 LangCache works well for the following use cases:
 

content/develop/data-types/streams.md

@@ -981,6 +981,5 @@ A few remarks:
 
 ## Learn more
 
-* The [Redis Streams Tutorial]({{< relref "/develop/data-types/streams" >}}) explains Redis streams with many examples.
 * [Redis Streams Explained](https://www.youtube.com/watch?v=Z8qcpXyMAiA) is an entertaining introduction to streams in Redis.
 * [Redis University's RU202](https://university.redis.com/courses/ru202/) is a free, online course dedicated to Redis Streams.

content/embeds/rdi-supported-source-versions.md

@@ -1,6 +1,6 @@
 | Database | Versions | AWS RDS  Versions | GCP SQL Versions |
 | :-- | :-- | :-- | :-- |
-| Oracle | 12c, 19c, 21c | 19c, 21c | - |
+| Oracle | 19c, 21c | 19c, 21c | - |
 | MariaDB | 10.5, 11.4.3 | 10.4 to 10.11, 11.4.3 | - |
 | MongoDB | 6.0, 7.0, 8.0 | - | - |
 | MySQL | 5.7, 8.0.x, 8.2 | 8.0.x | 8.0 |

content/integrate/redis-data-integration/data-pipelines/deploy.md

@@ -52,7 +52,9 @@ secrets are only relevant for TLS/mTLS connections.
 {{< note >}}When creating secrets for TLS or mTLS, ensure that all certificates and keys are in `PEM` format. The only exception to this is that for PostgreSQL, the private key `SOURCE_DB_KEY` secret must be in `DER` format. If you have a key in `PEM` format, you must convert it to `DER` before creating the `SOURCE_DB_KEY` secret using the command:
 
 ```bash
-openssl pkcs8 -topk8 -inform PEM -outform DER -in /path/to/myclient.pem -out /path/to/myclient.pk8 -nocrypt
+openssl pkcs8 -topk8 -inform PEM -outform DER \
+    -in /path/to/myclient.pem \
+    -out /path/to/myclient.pk8 -nocrypt
 ```
 
 This command assumes that the private key is not encrypted. See the [`openssl` documentation](https://docs.openssl.org/master/) to learn how to convert an encrypted private key.

content/integrate/redis-data-integration/data-pipelines/prepare-dbs/oracle.md

@@ -233,7 +233,7 @@ exit;
 | SELECT ANY TABLE         | Enables the connector to read any table. Optionally, rather than granting SELECT permission on all tables, you can grant the SELECT privilege for specific tables only.                                                                                                                                                                                                                                |
 | SELECT_CATALOG_ROLE      | Enables the connector to read the data dictionary, which is needed by Oracle LogMiner sessions.                                                                                                                                                                                                                                                                                                        |
 | EXECUTE_CATALOG_ROLE     | Enables the connector to write the data dictionary into the Oracle redo logs, which is needed to track schema changes.                                                                                                                                                                                                                                                                                 |
-| SELECT ANY TRANSACTION   | Enables the snapshot process to perform a Flashback snapshot query against any transaction so that the connector can read past changes from LogMiner. When FLASHBACK ANY TABLE is granted, this should also be granted. This grant is optional for Oracle 12c and later. In those later releases, the connector obtains the required privileges through the EXECUTE_CATALOG_ROLE and LOGMINING grants. |
+| SELECT ANY TRANSACTION   | Enables the snapshot process to perform a Flashback snapshot query against any transaction so that the connector can read past changes from LogMiner. When FLASHBACK ANY TABLE is granted, this should also be granted. This grant is optional for Oracle 19c and later. In those later releases, the connector obtains the required privileges through the EXECUTE_CATALOG_ROLE and LOGMINING grants. |
 | LOGMINING                | This role was added in newer versions of Oracle as a way to grant full access to Oracle LogMiner and its packages. On older versions of Oracle that don’t have this role, you can ignore this grant.                                                                                                                                                                                                   |
 | CREATE TABLE             | Enables the connector to create its flush table in its default tablespace. The flush table allows the connector to explicitly control flushing of the LGWR internal buffers to disk.                                                                                                                                                                                                                   |
 | LOCK ANY TABLE           | Enables the connector to lock tables during schema snapshot. If snapshot locks are explicitly disabled via configuration, this grant can be safely ignored.                                                                                                                                                                                                                                            |

content/integrate/redis-data-integration/data-pipelines/prepare-dbs/spanner.md

@@ -60,9 +60,9 @@ for more details, including additional configuration options and dialect-specifi
 
 ## 3. Create a service account
 
-To allow RDI to access the Spanner instance, you'll need to create a service account with the 
-appropriate permissions. This service account will then be provided to RDI as a secret for 
-authentication.
+To allow RDI to access the Spanner instance, you'll need to create a service account with the
+appropriate permissions. By default, RDI uses Google Cloud Workload Identity authentication. In this case RDI will assume the [service account is assigned to the GKE cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#enable_on_clusters_and_node_pools). Alternatively, you can provide the
+service account credentials as a Kubernetes secret (see step 4 for details).
 
 1. Create the service account
 
@@ -109,25 +109,42 @@ authentication.
         --project=YOUR_PROJECT_ID
     ```
 
-## 4. Set up secrets for Kubernetes deployment
+### Authentication methods
 
-Before deploying the RDI pipeline, you need to configure the necessary secrets for both the source 
-and target databases. Instructions for setting up the target database secrets are available in the 
+RDI supports two authentication methods for accessing Spanner:
+
+1. **Workload Identity (default)**: The service account is assigned to the GKE cluster, and RDI
+   automatically uses the cluster's identity to authenticate. This is the recommended approach
+   as it's more secure and doesn't require managing credential files.
+
+2. **Service account credentials file**: You provide the service account key file as a Kubernetes
+   secret. This method requires setting `use_credentials_file: true` in your RDI configuration.
+
+## 4. Set up secrets for Kubernetes deployment (optional)
+
+Before deploying the RDI pipeline, you need to configure the necessary secrets for the target
+database. Instructions for setting up the target database secrets are available in the
 [RDI deployment guide]({{< relref "/integrate/redis-data-integration/data-pipelines/deploy#set-secrets-for-k8shelm-deployment-using-kubectl-command" >}}).
 
-In addition to the target database secrets, you'll also need to create a Spanner-specific secret 
-named `source-db-credentials`. This secret should contain the service account key file generated 
-during the Spanner setup phase. Use the command below to create it:
+**Optional**: If you prefer to use a service account credentials file instead of Workload Identity
+authentication, you'll need to create a Spanner-specific secret named `source-db-credentials`.
+This secret should contain the service account key file generated during the Spanner setup phase.
+Use the command below to create it:
 
 ```bash
 kubectl create secret generic source-db-credentials --namespace=rdi \
 --from-file=gcp-service-account.json=~/spanner-reader-account.json \
 --save-config --dry-run=client -o yaml | kubectl apply -f -
 ```
 
-Be sure to adjust the file path (`~/spanner-reader-account.json`) if your service account key is 
+Be sure to adjust the file path (`~/spanner-reader-account.json`) if your service account key is
 stored elsewhere.
 
+{{< note >}}
+If you create the `source-db-credentials` secret, you must also set `use_credentials_file: true`
+in your RDI configuration to use the credentials file instead of Workload Identity authentication.
+{{< /note >}}
+
 ## 5. Configure RDI for Spanner
 
 When configuring your RDI pipeline for Spanner, use the following example configuration in your 
@@ -142,6 +159,7 @@ sources:
       project_id: your-project-id
       instance_id: your-spanner-instance
       database_id: your-spanner-database
+      # use_credentials_file: false  # Default: uses Workload Identity. Set to true to use service account credentials file instead
       change_streams:
         change_stream_all:
           {}

content/integrate/redis-data-integration/installation/install-k8s.md

@@ -213,6 +213,48 @@ also use mTLS, you must set the client certificate and private key contents in
 Please see [these docs]({{< relref "/integrate/redis-data-integration/data-pipelines/prepare-dbs/spanner#6-additional-kubernetes-configuration" >}}) if this RDI installation is for use with GCP Spanner.
 {{< /note >}}
 
+If you are deploying to [OpenShift](https://docs.openshift.com/), you must
+set `global.openshift` to `true`:
+
+```yaml
+global:
+  # Indicates whether the deployment is intended for an OpenShift environment.
+  openShift: true
+```
+
+You should also set `global.securityContext.runAsUser` and
+`global.securityContext.runAsGroup` to the appropriate values for your
+OpenShift environment.
+
+```yaml
+global:
+  # Container default security context.
+  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+  securityContext:
+    runAsNonRoot: true
+    # On OpenShift, user and group 1000 are usually not allowed.
+    # If using OpenShift, set runAsUser and runAsGroup to values in your project's user and group ranges.
+    # You can examine the latter via `oc get projects <rid-project-name> -o yaml | grep "openshift.io/sa.scc"`
+    runAsUser: 1000701234
+    runAsGroup: 1000701234
+    allowPrivilegeEscalation: false
+```
+
+{{< warning >}}The default OpenShift Security Context Constraints (SCCs)
+will not allow RDI to run if `global.securityContext.runAsUser`
+and `global.securityContext.runAsGroup` have their default values of `1000`.
+You must edit your `rdi-values.yaml` file to ensure these values are
+in the valid range for your OpenShift environment.
+
+Use the following [OpenShift CLI](https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/cli_tools/openshift-cli-oc) command
+to find the user and group ranges for your project:
+
+```bash
+oc get projects <rid-project-name> -o yaml | grep "openshift.io/sa.scc"
+```
+{{< /warning >}}
+
+
 ## Check the installation
 
 To verify the status of the K8s deployment, run the following command:

content/integrate/redis-data-integration/release-notes/rdi-1-14-1.md

@@ -0,0 +1,36 @@
+---
+Title: Redis Data Integration release notes 1.14.1 (August 2025)
+alwaysopen: false
+categories:
+- docs
+- operate
+- rs
+description: |
+  New RDI API v2 with enhanced pipeline management.
+  Improved Oracle RAC support with configuration scaffolding.
+  Enhanced metrics and monitoring capabilities.
+  Better TLS/mTLS support across components.
+linkTitle: 1.14.1 (August 2025)
+toc: 'true'
+weight: 977
+---
+
+{{< note >}}This maintenance release replaces the 1.14.0 release.{{< /note >}}
+
+RDI’s mission is to help Redis customers sync Redis Enterprise with live data from their slow disk-based databases to:
+
+- Meet the required speed and scale of read queries and provide an excellent and predictable user experience.
+- Save resources and time when building pipelines and coding data transformations.
+- Reduce the total cost of ownership by saving money on expensive database read replicas.
+
+RDI keeps the Redis cache up to date with changes in the primary database, using a [_Change Data Capture (CDC)_](https://en.wikipedia.org/wiki/Change_data_capture) mechanism.
+It also lets you _transform_ the data from relational tables into convenient and fast data structures that match your app's requirements. You specify the transformations using a configuration system, so no coding is required.
+
+## What's New in 1.14.1
+
+- Support for Google Cloud Workload Identity authentication when a service account is assigned to the GKE cluster
+- Fixed RDI API job validation that was incorrectly failing when schemas are not explicitly specified in source configuration, even though the configuration was valid
+
+## Limitations
+
+RDI can write data to a Redis Active-Active database. However, it doesn't support writing data to two or more Active-Active replicas. Writing data from RDI to several Active-Active replicas could easily harm data integrity as RDI is not synchronous with the source database commits.

content/operate/rs/7.4/databases/auto-tiering/storage-engine.md

@@ -15,8 +15,9 @@ url: '/operate/rs/7.4/databases/auto-tiering/storage-engine/'
 
 Redis Enterprise Auto Tiering supports two storage engines:
 
-* [Speedb](https://www.speedb.io/) (default, recommended)
-* [RocksDB](https://rocksdb.org/)
+- Speedb: Redis proprietary storage engine. The default and recommended storage engine as of Redis Enterprise Software version 7.2.4.
+
+- [RocksDB](https://rocksdb.org/): Used up to Redis version 6.2. Deprecated for later Redis versions.
 
 {{<warning>}}Switching between storage engines requires guidance by Redis Support or your Account Manager.{{</warning>}}