Skip to content

K8s: add more secrets and connectivity info #1918

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Aug 21, 2025
Merged

K8s: add more secrets and connectivity info #1918

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
22560a8
Add Kubernetes configuration secrets documentation
mich-elle-luna Jul 31, 2025
fcefc04
Update content/operate/kubernetes/security/configuration-secrets.md
mich-elle-luna Aug 5, 2025
4493ba7
add database connectivity info
kaitlynmichael Aug 11, 2025
ec6e8de
reduce duplicated info
kaitlynmichael Aug 11, 2025
4d2aba5
copy edit
kaitlynmichael Aug 11, 2025
cf8f2e8
reduce duplication
kaitlynmichael Aug 18, 2025
4588bbe
Apply suggestions from code review
kaitlynmichael Aug 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 6 additions & 12 deletions content/operate/kubernetes/networking/_index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,12 @@ weight: 40

Configure networking and external access for your Redis Enterprise deployment on Kubernetes. By default, Kubernetes doesn't allow external access to your Redis databases. Redis Enterprise for Kubernetes provides several methods to route external traffic to your clusters and databases.

## Database connectivity

Connect applications to your Redis Enterprise databases:

- [Database connectivity]({{< relref "/operate/kubernetes/networking/database-connectivity" >}}) - Comprehensive guide to in-cluster and external database access, service discovery, and credentials management

## External routing methods

Choose the appropriate method for your environment to enable external access:
Expand All @@ -27,18 +33,6 @@ For Active-Active databases, configure automatic ingress creation:

- [REC external routing]({{< relref "/operate/kubernetes/networking/ingressorroutespec" >}}) - Use `ingressOrRouteSpec` field in RedisEnterpriseCluster (REC) for automatic ingress creation

## External routing using Redis Enterprise for Kubernetes

Every time a RedisEnterpriseDatabase (REDB), Redis Enterprise Active-Active database (REAADB), or Redis Enterprise cluster (REC) is created, the Redis Enterprise operator automatically creates a [service](https://kubernetes.io/docs/concepts/services-networking/service/) to allow requests to be routed to that resource.

Redis Enterprise supports three [types of services](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types) for accessing databases: `ClusterIP`, `headless`, or `LoadBalancer`.

By default, the operator creates a `ClusterIP` type service, which exposes a cluster-internal IP and that can only be accessed from within the K8s cluster. For requests to be routed from outside the K8s cluster, you need an [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) (or [route](https://docs.openshift.com/container-platform/4.12/networking/routes/route-configuration.html) if you are using OpenShift). See [kubernetes.io](https://kubernetes.io/docs/) for more details on [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) and [Ingress controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/).

- To use NGINX or HAProxy Ingress controllers, see [Ingress routing]({{< relref "/operate/kubernetes/networking/ingress" >}}).
- To use OpenShift routes, see [OpenShift routes]({{< relref "/operate/kubernetes/networking/routes" >}}).
- To use Istio as an Ingress controller, see [Istio Ingress routing]({{< relref "/operate/kubernetes/networking/istio-ingress" >}})

## `ingressOrRouteSpec` for Active-Active databases

Versions 6.4.2 or later of Redis Enterprise for Kubernetes include a feature for ingress configuration. The `ingressOrRouteSpec` field is available in the RedisEnterpriseCluster spec to automatically create an Ingress (or route) for the API service and databases (REAADB) on that REC. See [REC external routing]({{< relref "/operate/kubernetes/networking/ingressorroutespec" >}}) for more details.
Expand Down
294 changes: 294 additions & 0 deletions content/operate/kubernetes/networking/database-connectivity.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,294 @@
---
Title: Database connectivity
alwaysopen: false
categories:
- docs
- operate
- kubernetes
description: Connect applications to Redis Enterprise databases in Kubernetes clusters with in-cluster and external access patterns.
linkTitle: Database connectivity
weight: 1
---

Connecting applications to Redis Enterprise databases in Kubernetes involves understanding service discovery, credentials management, and access patterns. This guide covers the essential connectivity aspects unique to Kubernetes deployments.

## Service types and access patterns

When you create a RedisEnterpriseDatabase (REDB), the Redis Enterprise operator automatically creates Kubernetes services to route traffic to your database. Understanding these service types is crucial for proper connectivity.

### Default service creation

By default, the operator creates two services for each database:

- ClusterIP service - Provides a stable cluster-internal IP address
- Headless service - Enables direct pod-to-pod communication and service discovery

Both services are created in the same namespace as your database and follow predictable naming conventions.

### Service types

Redis Enterprise supports three service types for database access:

| Service Type | Access Scope | Use Case |
|--------------|--------------|----------|
| `ClusterIP` | Cluster-internal only | Applications running within the same Kubernetes cluster |
| `headless` | Cluster-internal only | Direct pod access, service discovery, StatefulSet scenarios |
| `LoadBalancer` | External access | Applications outside the Kubernetes cluster |

To configure the service type, use the `databaseServiceType` field in your REC's `servicesRiggerSpec`.

## In-cluster database access

For applications running within your Kubernetes cluster, use the automatically created services to connect to your databases.

### Retrieve connection information

Database connection details are stored in a Kubernetes secret maintained by the database controller. This secret contains:

- Database port (`port`)
- Service names (`service_names`)
- Database password (`password`)

1. Get the secret name from your database resource:

```sh
kubectl get redb <database-name> -o jsonpath="{.spec.databaseSecretName}"
```

The secret name typically follows the pattern `redb-<database-name>`.

2. Retrieve the database port:

```sh
kubectl get secret redb-<database-name> -o jsonpath="{.data.port}" | base64 --decode
```

3. Get available service names:

```sh
kubectl get secret redb-<database-name> -o jsonpath="{.data.service_names}" | base64 --decode
```

4. Retrieve the database password:

```sh
kubectl get secret redb-<database-name> -o jsonpath="{.data.password}" | base64 --decode
```

### Service naming and DNS resolution

Services follow standard Kubernetes DNS naming conventions:

- Service FQDN: `<service-name>.<namespace>.svc.cluster.local`
- Short name: `<service-name>` (within the same namespace)

For a database named `mydb` in namespace `production`, the service names would be:
- ClusterIP service: `mydb.production.svc.cluster.local`
- Headless service: `mydb-headless.production.svc.cluster.local`

### Connect from within the cluster

Use any service name from the `service_names` list to connect:

```sh
redis-cli -h <service-name> -p <port>
```

Then authenticate with the retrieved password:

```sh
auth <password>
```

## External database access

To access databases from outside the Kubernetes cluster, you need to configure external routing. Currently supported methods for external access are ingress controllers or OpenShift routes.

### Ingress controllers

Redis Enterprise for Kubernetes only supports the following ingress controllers for external database access:

- NGINX Ingress - Supports SSL passthrough for Redis connections
- HAProxy Ingress - Built-in SSL passthrough support
- Istio Gateway - Service mesh integration with advanced traffic management

See [Ingress routing]({{< relref "/operate/kubernetes/networking/ingress" >}}) for detailed configuration steps.

### OpenShift routes

OpenShift users can leverage routes for external access:

```yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: redis-route
spec:
to:
kind: Service
name: <database-service-name>
port:
targetPort: redis
tls:
termination: passthrough
```
See [OpenShift routes]({{< relref "/operate/kubernetes/networking/routes" >}}) for complete setup instructions.
## Service ports and configuration
### Default port behavior
- Redis Enterprise databases use dynamic port allocation
- Port numbers are assigned automatically during database creation
- The actual port is stored in the database secret
### Custom port configuration
You can specify custom ports using the `databasePort` field in your REDB specification:

```yaml
apiVersion: app.redislabs.com/v1alpha1
kind: RedisEnterpriseDatabase
metadata:
name: mydb
spec:
memorySize: 256MB
databasePort: 6379
```

Custom ports replace the default service port and are reflected in the database secret.

## Credentials and secrets management

### Database secrets structure

Each database has an associated Kubernetes secret containing connection details:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: redb-<database-name>
type: Opaque
data:
port: <base64-encoded-port>
service_names: <base64-encoded-service-list>
password: <base64-encoded-password>
```

### Using secrets in applications

Reference database secrets in your application deployments:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-app
spec:
template:
spec:
containers:
- name: app
image: my-app:latest
env:
- name: REDIS_HOST
value: "<service-name>"
- name: REDIS_PORT
valueFrom:
secretKeyRef:
name: redb-<database-name>
key: port
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: redb-<database-name>
key: password
```

### Default user configuration

By default, databases create a default user with full access. You can disable this behavior:

```yaml
apiVersion: app.redislabs.com/v1alpha1
kind: RedisEnterpriseDatabase
metadata:
name: mydb
spec:
memorySize: 256MB
defaultUser: false
```

When `defaultUser` is disabled, the database secret is not created, and you must configure custom authentication.

## Connection examples
Copy link
Collaborator

@dwdougherty dwdougherty Aug 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems like it might be a good use case for the multitab control. Up to you.

Copy link
Contributor

@kaitlynmichael kaitlynmichael Aug 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea! I'll create a ticket to identify uses in my docs for this. https://redislabs.atlassian.net/browse/DOC-5614


### Python application

```python
import redis
import base64
import os
# Read from Kubernetes secret (mounted as environment variables)
host = os.getenv('REDIS_HOST')
port = int(os.getenv('REDIS_PORT'))
password = os.getenv('REDIS_PASSWORD')
# Create Redis connection
r = redis.Redis(host=host, port=port, password=password, decode_responses=True)
# Test connection
r.ping()
```

### Node.js application

```javascript
const redis = require('redis');
const client = redis.createClient({
host: process.env.REDIS_HOST,
port: process.env.REDIS_PORT,
password: process.env.REDIS_PASSWORD
});
client.on('connect', () => {
console.log('Connected to Redis');
});
```

## Troubleshooting connectivity

### Common issues

1. Connection refused - Verify service names and ports from the database secret
2. Authentication failed - Check password encoding and special characters
3. DNS resolution - Ensure applications use correct service FQDNs
4. Network policies - Verify Kubernetes network policies allow traffic

### Debugging steps

1. Verify service creation:
```sh
kubectl get services -l app=redis-enterprise
```

2. Check service endpoints:
```sh
kubectl get endpoints <service-name>
```

3. Test connectivity from within cluster:
```sh
kubectl run redis-test --image=redis:latest -it --rm -- redis-cli -h <service-name> -p <port>
```

## Related topics

- [Ingress routing]({{< relref "/operate/kubernetes/networking/ingress" >}}) - Configure external access with ingress controllers
- [OpenShift routes]({{< relref "/operate/kubernetes/networking/routes" >}}) - External access using OpenShift routes
- [Database controller]({{< relref "/operate/kubernetes/re-databases/db-controller" >}}) - Database lifecycle management
- [Security]({{< relref "/operate/kubernetes/security" >}}) - TLS configuration and access control
1 change: 1 addition & 0 deletions content/operate/kubernetes/re-databases/_index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ Explore advanced database features and configurations:

Connect applications to your Redis Enterprise databases:

- [Database connectivity]({{< relref "/operate/kubernetes/networking/database-connectivity" >}}) - Comprehensive guide to in-cluster and external database access, service discovery, and credentials management
- [Networking]({{< relref "/operate/kubernetes/networking" >}}) - Configure ingress, routes, and service exposure for database access
- [Security]({{< relref "/operate/kubernetes/security" >}}) - Set up TLS, authentication, and access control for secure database connections

Expand Down
58 changes: 7 additions & 51 deletions content/operate/kubernetes/re-databases/db-controller.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,57 +108,13 @@ kubectl delete redb mydb

## Connect to a database

After the database controller creates a database, the services for accessing the database are created in the same namespace. By default there are two services, one 'ClusterIP' service and one 'headless' service.
Connection information for the database is stored in a Kubernetes [secret](https://kubernetes.io/docs/concepts/configuration/secret/) maintained by the database controller. This secret contains:
After the database controller creates a database, services for accessing the database are automatically created in the same namespace. Connection information is stored in a Kubernetes [secret](https://kubernetes.io/docs/concepts/configuration/secret/) maintained by the database controller.

- The database port (`port`)
- A comma separated list of service names (`service_names`)
- The database password for authenticating (`password`)
For comprehensive information about connecting to your database, including:

The name of that secret is stored in the database custom resource.
- Service types and access patterns
- Retrieving connection information from secrets
- In-cluster and external access methods
- Connection examples and troubleshooting

{{<note>}}
Use these steps to connect to your database from within your K8s cluster. To access your database from outside the K8s cluster, set up the [Ingress]({{< relref "/operate/kubernetes/networking/ingress" >}}) controller or use OpenShift routes.
{{</note>}}

1. Retrieve the secret name.

```sh
kubectl get redb mydb -o jsonpath="{.spec.databaseSecretName}"
```

The database secret name usually takes the form of `redb-<database_name>`, so in our example it will be `redb-mydb`.

1. Retrieve and decode the password.

```sh
kubectl get secret redb-mydb -o jsonpath="{.data.password}" | base64 --decode
```

1. Retrieve and decode the port number.

```sh
kubectl get secret redb-mydb -o jsonpath="{.data.port}" | base64 --decode
```

1. Retrieve and decode the service_names.

```sh
kubectl get secret redb-mydb -o jsonpath="{.data.service_names}" | base64 --decode
```

You'll need to pick just one service listed here to use for connecting.

1. From a pod within your cluster, use `redis-cli` to connect to your database.

```sh
redis-cli -h <service_name> -p <port>
```

1. Enter the password you retrieved from the secret.

```sh
auth <password>
```

You are now connected to your database!
See [Database connectivity]({{< relref "/operate/kubernetes/networking/database-connectivity" >}}).
Loading