diff --git a/content/commands/cluster-migration.md b/content/commands/cluster-migration.md index 844ce677b7..e8b2bbe40c 100644 --- a/content/commands/cluster-migration.md +++ b/content/commands/cluster-migration.md @@ -41,7 +41,7 @@ arguments: type: pure-token name: status token: STATUS - type: block + type: oneof name: subcommand type: oneof arity: -4 @@ -68,8 +68,8 @@ linkTitle: CLUSTER MIGRATION railroad_diagram: /images/railroad/cluster-migration.svg since: 8.4.0 summary: Start, monitor, and cancel atomic slot migration tasks. -syntax_fmt: "CLUSTER MIGRATION | STATUS\_" +syntax_fmt: "CLUSTER MIGRATION |\n STATUS\_<[ID\_task-id] | [ALL]>>" title: CLUSTER MIGRATION --- diff --git a/content/commands/cluster-slot-stats.md b/content/commands/cluster-slot-stats.md index 3883ef0603..146353d586 100644 --- a/content/commands/cluster-slot-stats.md +++ b/content/commands/cluster-slot-stats.md @@ -105,9 +105,14 @@ The command reports on the following statistics: * `KEY-COUNT`: Number of keys stored in the slot. * `CPU-USEC`: CPU time (in microseconds) spent handling the slot. +* `MEMORY-BYTES`: Number of bytes allocated by the slot. * `NETWORK-BYTES-IN`: Total inbound network traffic (in bytes) received by the slot. * `NETWORK-BYTES-OUT`: Total outbound network traffic (in bytes) sent from the slot. +{{< note>}} +`MEMORY-BYTES` requires that you set `cluster-slot-stats-enabled` to `yes` in your `redis.conf` file. +{{< /note >}} + ## Redis Enterprise and Redis Cloud compatibility | Redis
Enterprise | Redis
Cloud | Notes | diff --git a/content/develop/ai/search-and-query/indexing/_index.md b/content/develop/ai/search-and-query/indexing/_index.md index 59d72cce7e..9525cc2adf 100644 --- a/content/develop/ai/search-and-query/indexing/_index.md +++ b/content/develop/ai/search-and-query/indexing/_index.md @@ -29,7 +29,7 @@ The result of each JSONPath expression is indexed and associated with a logical You can use these attributes in queries. {{% alert title="Note" color="info" %}} -Note: `attribute` is optional for [`FT.CREATE`]({{< relref "commands/ft.create/" >}}). +`attribute` is optional for [`FT.CREATE`]({{< relref "commands/ft.create/" >}}). {{% /alert %}} Use the following syntax to create a JSON index: diff --git a/content/develop/tools/cli.md b/content/develop/tools/cli.md index e976413881..65c59a8d23 100644 --- a/content/develop/tools/cli.md +++ b/content/develop/tools/cli.md @@ -64,6 +64,8 @@ even on the terminal with the `--raw` option: You can force human readable output when writing to a file or in pipe to other commands by using `--no-raw`. +For complete command line usage, see [below](#usage). + ## String quoting and escaping When `redis-cli` parses a command, whitespace characters automatically delimit the arguments. 
@@ -964,3 +966,128 @@ minutes the output stabilizes to the following figures: 140500 Gets/sec | Hits: 135947 (96.76%) | Misses: 4553 (3.24%) With 500MB there is sufficient space for the key quantity (10 million) and distribution (80-20 style). + +## Usage + +``` +Usage: redis-cli [OPTIONS] [cmd [arg [arg ...]]] + -h Server hostname (default: 127.0.0.1). + -p Server port (default: 6379). + -t Server connection timeout in seconds (decimals allowed). + Default timeout is 0, meaning no limit, depending on the OS. + -s Server socket (overrides hostname and port). + -a Password to use when connecting to the server. + You can also use the REDISCLI_AUTH environment + variable to pass this password more safely + (if both are used, this argument takes precedence). + --user Used to send ACL style 'AUTH username pass'. Needs -a. + --pass Alias of -a for consistency with the new --user option. + --askpass Force user to input password with mask from STDIN. + If this argument is used, '-a' and REDISCLI_AUTH + environment variable will be ignored. + -u Server URI on format redis://user:password@host:port/dbnum + User, password and dbnum are optional. For authentication + without a username, use username 'default'. For TLS, use + the scheme 'rediss'. + -r Execute specified command N times. + -i When -r is used, waits seconds per command. + It is possible to specify sub-second times like -i 0.1. + This interval is also used in --scan and --stat per cycle. + and in --bigkeys, --memkeys, --keystats, and --hotkeys per 100 cycles. + -n Database number. + -2 Start session in RESP2 protocol mode. + -3 Start session in RESP3 protocol mode. + -x Read last argument from STDIN (see example below). + -X Read argument from STDIN (see example below). + -d Delimiter between response bulks for raw formatting (default: \n). + -D Delimiter between responses for raw formatting (default: \n). + -c Enable cluster mode (follow -ASK and -MOVED redirections). 
+ -e Return exit error code when command execution fails. + -4 Prefer IPv4 over IPv6 on DNS lookup. + -6 Prefer IPv6 over IPv4 on DNS lookup. + --raw Use raw formatting for replies (default when STDOUT is + not a tty). + --no-raw Force formatted output even when STDOUT is not a tty. + --quoted-input Force input to be handled as quoted strings. + --csv Output in CSV format. + --json Output in JSON format (default RESP3, use -2 if you want to use with RESP2). + --quoted-json Same as --json, but produce ASCII-safe quoted strings, not Unicode. + --show-pushes Whether to print RESP3 PUSH messages. Enabled by default when + STDOUT is a tty but can be overridden with --show-pushes no. + --stat Print rolling stats about server: mem, clients, ... + --latency Enter a special mode continuously sampling latency. + If you use this mode in an interactive session it runs + forever displaying real-time stats. Otherwise if --raw or + --csv is specified, or if you redirect the output to a non + TTY, it samples the latency for 1 second (you can use + -i to change the interval), then produces a single output + and exits. + --latency-history Like --latency but tracking latency changes over time. + Default time interval is 15 sec. Change it using -i. + --latency-dist Shows latency as a spectrum, requires xterm 256 colors. + Default time interval is 1 sec. Change it using -i. + --lru-test Simulate a cache workload with an 80-20 distribution. + --replica Simulate a replica showing commands received from the master. + --rdb Transfer an RDB dump from remote server to local file. + Use filename of "-" to write to stdout. + --functions-rdb Like --rdb but only get the functions (not the keys) + when getting the RDB dump file. + --pipe Transfer raw Redis protocol from stdin to server. + --pipe-timeout In --pipe mode, abort with error if after sending all data. + no reply is received within seconds. + Default timeout: 30. Use 0 to wait forever. 
+ --bigkeys Sample Redis keys looking for keys with many elements (complexity). + --memkeys Sample Redis keys looking for keys consuming a lot of memory. + --memkeys-samples Sample Redis keys looking for keys consuming a lot of memory. + And define number of key elements to sample + --keystats Sample Redis keys looking for keys memory size and length (combine bigkeys and memkeys). + --keystats-samples Sample Redis keys looking for keys memory size and length. + And define number of key elements to sample (only for memory usage). + --cursor Start the scan at the cursor (usually after a Ctrl-C). + Optionally used with --keystats and --keystats-samples. + --top To display top key sizes (default: 10). + Optionally used with --keystats and --keystats-samples. + --hotkeys Sample Redis keys looking for hot keys. + only works when maxmemory-policy is *lfu. + --scan List all keys using the SCAN command. + --pattern Keys pattern when using the --scan, --bigkeys, --memkeys, + --keystats or --hotkeys options (default: *). + --count Count option when using the --scan, --bigkeys, --memkeys, + --keystats or --hotkeys (default: 10). + --quoted-pattern Same as --pattern, but the specified string can be + quoted, in order to pass an otherwise non binary-safe string. + --intrinsic-latency Run a test to measure intrinsic system latency. + The test will run for the specified amount of seconds. + --eval Send an EVAL command using the Lua script at . + --ldb Used with --eval enable the Redis Lua debugger. + --ldb-sync-mode Like --ldb but uses the synchronous Lua debugger, in + this mode the server is blocked and script changes are + not rolled back from the server memory. + --cluster [args...] [opts...] + Cluster Manager command and arguments (see below). + --verbose Verbose mode. + --no-auth-warning Don't show warning message when using password on command + line interface. + --help Output this help and exit. + --version Output version and exit. 
+ +Cluster Manager Commands: + Use --cluster help to list all available cluster manager commands. + +Examples: + redis-cli -u redis://default:PASSWORD@localhost:6379/0 + cat /etc/passwd | redis-cli -x set mypasswd + redis-cli -D "" --raw dump key > key.dump && redis-cli -X dump_tag restore key2 0 dump_tag replace < key.dump + redis-cli -r 100 lpush mylist x + redis-cli -r 100 -i 1 info | grep used_memory_human: + redis-cli --quoted-input set '"null-\x00-separated"' value + redis-cli --eval myscript.lua key1 key2 , arg1 arg2 arg3 + redis-cli --scan --pattern '*:12345*' + redis-cli --scan --pattern '*:12345*' --count 100 + + (Note: when using --eval the comma separates KEYS[] from ARGV[] items) + +When no command is given, redis-cli starts in interactive mode. +Type "help" in interactive mode for information on available commands +and settings. +``` \ No newline at end of file diff --git a/content/embeds/k8s/openshift_rec.md b/content/embeds/k8s/openshift_rec.md index ca18746c11..815a5e544a 100644 --- a/content/embeds/k8s/openshift_rec.md +++ b/content/embeds/k8s/openshift_rec.md @@ -27,7 +27,7 @@ spec: redisEnterpriseImageSpec: repository: registry.connect.redhat.com/redislabs/redis-enterprise - versionTag: 8.0.2-17 + versionTag: 8.0.6-50 redisEnterpriseServicesRiggerImageSpec: repository: registry.connect.redhat.com/redislabs/services-manager bootstrapperImageSpec: diff --git a/content/embeds/k8s/openshift_role.md b/content/embeds/k8s/openshift_role.md index 3584d68974..ed4e6925ad 100644 --- a/content/embeds/k8s/openshift_role.md +++ b/content/embeds/k8s/openshift_role.md @@ -8,10 +8,8 @@ metadata: rules: - apiGroups: - rbac.authorization.k8s.io - - "" resources: - roles - - serviceaccounts - rolebindings verbs: - create @@ -19,6 +17,16 @@ rules: - update - patch - delete + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - update + - patch + - delete - apiGroups: - app.redislabs.com resources: 
diff --git a/content/embeds/k8s/role.md b/content/embeds/k8s/role.md index 74063d03a8..bed109ae99 100644 --- a/content/embeds/k8s/role.md +++ b/content/embeds/k8s/role.md @@ -8,10 +8,8 @@ metadata: rules: - apiGroups: - rbac.authorization.k8s.io - - "" resources: - roles - - serviceaccounts - rolebindings verbs: - create @@ -19,6 +17,16 @@ rules: - update - patch - delete + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - update + - patch + - delete - apiGroups: - app.redislabs.com resources: diff --git a/content/operate/kubernetes/7.22/re-clusters/auto-tiering.md b/content/operate/kubernetes/7.22/re-clusters/auto-tiering.md index aceefadd56..bb8dddba94 100644 --- a/content/operate/kubernetes/7.22/re-clusters/auto-tiering.md +++ b/content/operate/kubernetes/7.22/re-clusters/auto-tiering.md @@ -11,6 +11,10 @@ weight: 16 url: '/operate/kubernetes/7.22/re-clusters/auto-tiering/' --- +{{}} +This page applies to Redis Enterprise for Kubernetes version 7.22.2-22. If you use version 8.0.2-2 or later, see [Redis Flex](https://redis.io/docs/latest/operate/kubernetes/re-clusters/redis-flex). +{{}} + ## Prerequisites Redis Enterprise Software for Kubernetes supports using Auto Tiering (previously known as Redis on Flash), which extends your node memory to use both RAM and flash storage. SSDs (solid state drives) can store infrequently used (warm) values while your keys and frequently used (hot) values are still stored in RAM. This improves performance and lowers costs for large datasets. diff --git a/content/operate/kubernetes/deployment/helm.md b/content/operate/kubernetes/deployment/helm.md index a1411d6bc2..0ce8d30aca 100644 --- a/content/operate/kubernetes/deployment/helm.md +++ b/content/operate/kubernetes/deployment/helm.md 
@@ -149,6 +149,10 @@ The upgrade process automatically updates the operator and its components, inclu After you upgrade the operator, you might need to upgrade your Redis Enterprise clusters, depending on the Redis software version bundled with the operator. For detailed information about the upgrade process, see [Redis Enterprise for Kubernetes upgrade documentation](https://redis.io/docs/latest/operate/kubernetes/upgrade/). +{{< note >}} +If your databases use user-defined modules (custom non-bundled modules), you must take additional steps during the upgrade process. See [Upgrade with user-defined modules]({{< relref "/operate/kubernetes/upgrade/upgrade-redis-cluster#user-defined-modules" >}}) for details. +{{< /note >}} + For more information and options when upgrading charts, see [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/). ## Uninstall diff --git a/content/operate/kubernetes/deployment/quick-start.md b/content/operate/kubernetes/deployment/quick-start.md index 74d7fe557a..d2a21c0c3b 100644 --- a/content/operate/kubernetes/deployment/quick-start.md +++ b/content/operate/kubernetes/deployment/quick-start.md 
@@ -263,6 +263,12 @@ The operator bundle includes a webhook file. The webhook will intercept requests Error from server: error when creating "STDIN": admission webhook "redisenterprise.admission.redislabs" denied the request: eviction_policy: u'illegal' is not one of [u'volatile-lru', u'volatile-ttl', u'volatile-random', u'allkeys-lru', u'allkeys-random', u'noeviction', u'volatile-lfu', u'allkeys-lfu'] ``` +## Add user-defined modules (optional) + +If you plan to create databases that use user-defined modules (custom non-bundled modules), you must add them to the REC custom resource before creating the databases. + +See [User-defined modules]({{< relref "/operate/kubernetes/re-databases/modules#user-defined-modules" >}}) for detailed instructions on adding and configuring custom modules. + ## Create a Redis Enterprise Database (REDB) You can create multiple databases within the same namespace as your REC or in other namespaces. diff --git a/content/operate/kubernetes/re-clusters/cluster-recovery.md b/content/operate/kubernetes/re-clusters/cluster-recovery.md index baadfc25a4..de221fc32e 100644 --- a/content/operate/kubernetes/re-clusters/cluster-recovery.md +++ b/content/operate/kubernetes/re-clusters/cluster-recovery.md 
@@ -24,6 +24,10 @@ The Redis Enterprise for Kubernetes automates these recovery steps: {{}}Redis Enterprise for Kubernetes 7.2.4-2 introduces a new limitation. You cannot recover or upgrade your cluster if there are databases with old module versions or manually uploaded modules. See the [Redis Enterprise Software 7.2.4 known limitations]({{< relref "/operate/rs/release-notes/rs-7-2-4-releases/rs-7-2-4-52#cluster-recovery-with-manually-uploaded-modules" >}}) for more details.{{}} +{{< note >}} +If your cluster uses user-defined modules, the recovery process doesn't block on module validation errors (such as URL or credential issues). The cluster can recover successfully, and you can resolve any module configuration issues after recovery is complete. See [User-defined modules]({{< relref "/operate/kubernetes/re-databases/modules#user-defined-modules" >}}) for more information. +{{< /note >}} + ## Prerequisites - For cluster recovery, the cluster must be [deployed with persistence]({{< relref "/operate/kubernetes/recommendations/persistent-volumes" >}}). diff --git a/content/operate/kubernetes/re-clusters/redis-flex.md b/content/operate/kubernetes/re-clusters/redis-flex.md index 76709bcb82..b8616a44a8 100644 --- a/content/operate/kubernetes/re-clusters/redis-flex.md +++ b/content/operate/kubernetes/re-clusters/redis-flex.md 
@@ -10,84 +10,152 @@ linkTitle: Redis Flex weight: 16 --- -## Prerequisites +{{}} +This page applies to Redis Enterprise for Kubernetes version 8.0.2-2 and later. If you use version 7.22.2-22 or earlier, see [Auto Tiering](https://redis.io/docs/latest/operate/kubernetes/7.22/re-clusters/auto-tiering/). +{{}} + +## Overview + +[Redis Flex]({{< relref "/operate/rs/databases/flash" >}}) (previously known as Redis on Flash) extends your node memory to use both RAM and flash storage. Solid state drives (SSDs) store infrequently used (warm) values, while RAM stores your keys and frequently used (hot) values. This approach improves performance and lowers costs for large datasets. -Redis Enterprise Software for Kubernetes supports using Redis Flex (previously known as Redis on Flash), which extends your node memory to use both RAM and flash storage. SSDs (solid state drives) can store infrequently used (warm) values while your keys and frequently used (hot) values are still stored in RAM. This improves performance and lowers costs for large datasets. +Redis Flex provides automatic RAM management and improved performance compared to Auto Tiering. {{}} -NVMe (non-volatile memory express) SSDs are strongly recommended to achieve the best performance. +For best performance, use NVMe (non-volatile memory express) SSDs. {{}} + +## Redis Flex vs Auto Tiering + {{}} Redis Flex is not supported for [Active-Active databases]({{< relref "/operate/kubernetes/active-active" >}}). {{}} Before creating your Redis clusters or databases, these SSDs must be: -- [locally attached to worker nodes in your Kubernetes cluster](https://kubernetes.io/docs/concepts/storage/volumes/#local) -- formatted and mounted on the nodes that will run Redis Enterprise pods -- dedicated to Redis Flex and not shared with other parts of the database, (e.g. 
durability, binaries) -- [provisioned as local persistent volumes](https://kubernetes.io/docs/concepts/storage/volumes/#local) - - You can use a [local volume provisioner](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner/blob/master/README.md) to do this [dynamically](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#dynamic) -- a [StorageClass](https://kubernetes.io/docs/concepts/storage/storage-classes/#local) resource with a unique name -For more information on node storage, see [Node persistent and ephemeral storage]({{< relref "/operate/rs/installing-upgrading/install/plan-deployment/persistent-ephemeral-storage" >}}). +The earlier implementation of Redis Flex is called Auto Tiering, which is available in Redis versions earlier than 8.0. -## Create a Redis Enterprise cluster +The operator automatically selects the appropriate implementation based on your Redis version: -To deploy a Redis Enterprise cluster (REC) with Redis Flex, you'll need to specify the following in the `redisOnFlashSpec` section of your [REC custom resource]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}): +- **Versions 7.22.2-22 and earlier:** Auto Tiering +- **Versions 8.0.2-2 and later:** Redis Flex -- enable Redis Flex (`enabled: true`) -- flash storage driver (`bigStoreDriver`) - - `rocksdb` or `speedb`(default) -- storage class name (`storageClassName`) -- minimal flash disk size (`flashDiskSize`) +Redis Flex differs from Auto Tiering in the following ways: -{{}} Clusters upgraded to version 7.2.4-2 from an earlier version will change the `bigStoreDriver` (previously called `flashStorageEngine`) to the new default `speedb`, regardless of previous configuration. {{}} +**Redis Flex (8.0.2-2 and later)** -{{}}Switching between storage engines (`speedb` and `rocksdb`) requires guidance by Redis Support or your Account Manager.{{}} +- Storage engine: Speedb only +- RAM management: Automatic. 
Redis manages RAM allocation internally. +- Configuration: `rofRamSize` isn't validated with minimum ratio requirements. +- Redis versions: Redis 8.0 and later -{{}}PVC expansion is not supported when using Redis Flex. Do not enable `enablePersistentVolumeResize` in the REC `persistentSpec` if you are using `redisOnFlashSpec` as this will result in conflicts. {{}} +**Auto Tiering ( 7.22.2-22 and earlier)** -Here is an example of an REC custom resource with these attributes: +- Storage engine: RocksDB or Speedb +- RAM management: Manual. Requires explicit `rofRamSize` configuration. +- Validation: `rofRamSize` must be at least 10% of `memorySize` and can't exceed `memorySize`. +- Redis versions: Redis versions earlier than 8.0 -```YAML +The operator doesn't support Redis 7.4 preview for Redis Flex. Redis 7.4 databases use Auto Tiering regardless of cluster policy. To use Redis Flex, upgrade to Redis 8.0 or later. + +## Prerequisites + +Before you create your Redis clusters or databases, ensure that your SSDs meet the following requirements: + +- [Locally attached to worker nodes in your Kubernetes cluster](https://kubernetes.io/docs/concepts/storage/volumes/#local) +- Formatted and mounted on the nodes that run Redis Enterprise pods +- Dedicated to Redis Flex and not shared with other parts of the database (for example, durability or binaries) +- [Provisioned as local persistent volumes](https://kubernetes.io/docs/concepts/storage/volumes/#local) + - You can use a [local volume provisioner](https://github.com/kubernetes-sigs/sig-storage-local-static-provisioner/blob/master/README.md) to provision volumes [dynamically](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#dynamic). 
+- Configured with a [StorageClass](https://kubernetes.io/docs/concepts/storage/storage-classes/#local) resource that has a unique name + +For more information about node storage, see [Node persistent and ephemeral storage]({{< relref "/operate/rs/installing-upgrading/install/plan-deployment/persistent-ephemeral-storage" >}}). + +## Create a Redis Enterprise cluster + +To deploy a Redis Enterprise cluster (REC) with Redis Flex, specify the following fields in the `redisOnFlashSpec` section of your [REC custom resource]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#specredisonflashspec" >}}): + +- `enabled: true` - Enables Redis Flex +- `bigStoreDriver: speedb` - Sets the flash storage driver +- `storageClassName` - Specifies the storage class name +- `flashDiskSize` - Sets the minimum flash disk size + +{{}} +Redis Flex doesn't support PVC expansion. Do not enable `enablePersistentVolumeResize` in the REC `persistentSpec` if you use `redisOnFlashSpec`. Enabling both will cause conflicts. +{{}} + +The following example shows a Redis Enterprise cluster custom resource with these fields: + +```yaml apiVersion: app.redislabs.com/v1 kind: RedisEnterpriseCluster metadata: name: "rec" + labels: + app: redis-enterprise spec: - nodes: 3 redisOnFlashSpec: enabled: true - bigStoreDriver: speedb + bigStoreDriver: speedb # Only 'speedb' is suitable for Redis Flex storageClassName: local-scsi flashDiskSize: 100G ``` -### Create a Redis Enterprise database +{{}} + +- Set the `enabled` field to `true`. +- Use `bigStoreDriver: speedb` for Redis Flex support on Redis 8.0 and later. +- The `flashStorageEngine` field is deprecated. Use `bigStoreDriver` instead. + +{{}} -By default, any new database will use RAM only. 
To create a Redis Enterprise database (REDB) that can use flash storage, specify the following in the `redisEnterpriseCluster` section of the REDB custom resource definition: +## Create a Redis Enterprise database -- `isRof: true` enables Redis Flex -- `rofRamSize` defines the RAM capacity for the database +By default, new databases use RAM only. To create a Redis Enterprise database (REDB) that uses Redis Flex and takes advantage of locally attached SSDs, set `isRof` to `true`. -Below is an example REDB custom resource: +Specify the following fields in the REDB custom resource: + +- `isRof: true` - Enables Redis Flex +- `redisVersion` - Set to `"8.0"` or later +- `memorySize` - Defines the total combined memory size (RAM + flash) +- `rofRamSize` - (Optional) Defines the RAM capacity for the database + +The following example shows a REDB custom resource: ```YAML apiVersion: app.redislabs.com/v1alpha1 kind: RedisEnterpriseDatabase metadata: - name: autoteiring-redb + name: redis-flex-db spec: redisEnterpriseCluster: name: rec isRof: true + redisVersion: "8.0" memorySize: 2GB rofRamSize: 0.5GB ``` {{< note >}} -This example defines both `memorySize` and `rofRamSize`. When using Redis Flex, `memorySize` refers to the total combined memory size (RAM + flash) allocated for the database. `rofRamSize` specifies only the RAM capacity for the database. `rofRamSize` must be at least 10% of `memorySize`. +Redis Flex automatically manages RAM allocation. You can specify `rofRamSize`, but it isn't subject to the 10% minimum ratio requirement that applies to Auto Tiering. The operator doesn't validate or enforce minimum RAM ratios for Redis 8.0 and later databases. {{< /note >}} + +## Upgrade from Auto Tiering to Redis Flex + +When you upgrade a database from a Redis version earlier than 8.0 to Redis 8.0 or later, Redis Server automatically migrates the database from Auto Tiering to Redis Flex. The operator detects this migration and makes the following changes: + +1. 
Stops validating the `rofRamSize` ratio requirement. +2. Stops reconciling the `bigstore_ram_size` field to avoid configuration drift. +3. Continues to preserve the database configuration. + +### Example upgrade scenario + +The following example shows how to upgrade a database from Auto Tiering to Redis Flex: + +1. Create a database on Redis 7.2 with `rofRamSize: 200MB`. +2. Upgrade the database to Redis 8.0 by updating `spec.redisVersion` to `"8.0"`. +3. Redis Server automatically converts the database to Redis Flex. +4. The operator detects the conversion and adapts its reconciliation behavior. +5. Redis now manages the `rofRamSize` field automatically. You can keep the field in the spec for backward compatibility. diff --git a/content/operate/kubernetes/re-databases/modules.md b/content/operate/kubernetes/re-databases/modules.md index 2e47ac19ac..54ea333bba 100644 --- a/content/operate/kubernetes/re-databases/modules.md +++ b/content/operate/kubernetes/re-databases/modules.md 
@@ -10,93 +10,341 @@ linkTitle: Configure modules weight: 15 --- -Redis Enterprise modules extend Redis functionality with additional data types, commands, and capabilities. The Redis Enterprise operator supports deploying databases with modules through the `RedisEnterpriseDatabase` (REDB) and `RedisEnterpriseActiveActiveDatabase` (REAADB) custom resources. +Redis Enterprise modules extend Redis functionality with additional data types, commands, and capabilities. Redis Enterprise versions 8.0.2 and later include several bundled modules that are automatically enabled for compatible database types. You can also add user-defined modules for additional functionality. ## Prerequisites -Before you begin, verify that you have: +Before you begin, verify the following: - [Redis Enterprise operator deployed]({{< relref "/operate/kubernetes/deployment/quick-start" >}}) in your Kubernetes cluster -- [Redis Enterprise Cluster (REC)]({{< relref "/operate/kubernetes/re-clusters" >}}) running and in a healthy state -- Modules uploaded to the Redis Enterprise cluster (see [Check available modules](#check-available-modules)) +- [Redis Enterprise cluster (REC)]({{< relref "/operate/kubernetes/re-clusters" >}}) running and in a healthy state -## Available modules +## Bundled modules -Redis Enterprise includes several built-in modules: +Redis Enterprise includes several bundled modules that extend Redis functionality with additional data types, commands, and capabilities. Starting with Redis Enterprise version 8.0.2, these modules are automatically included and immediately available for use. 
-| Module | Name | Description | -|--------|------|-------------| -| **[RediSearch]({{< relref "/develop/ai/search-and-query/" >}})** | `search` | Full-text search and secondary indexing | -| **[RedisJSON]({{< relref "/develop/data-types/json" >}})** | `ReJSON` | JSON data type support | -| **[RedisTimeSeries]({{< relref "/develop/data-types/timeseries" >}})** | `timeseries` | Time series data structures | -| **[RedisBloom]({{< relref "/develop/data-types/probabilistic" >}})** | `bf` | Probabilistic data structures (Bloom filters, etc.) | +### Available bundled modules -### Check available modules +| Module | Name | Description | Capabilities | +|--------|------|-------------|--------------| +| **[RediSearch]({{< relref "/develop/ai/search-and-query/" >}})** | `search` | Full-text search and secondary indexing | Query, aggregation, full-text search, vector similarity search | +| **[RedisJSON]({{< relref "/develop/data-types/json" >}})** | `ReJSON` | JSON data type support | Store, update, and query JSON documents | +| **[RedisTimeSeries]({{< relref "/develop/data-types/timeseries" >}})** | `timeseries` | Time series data structures | Ingest and query time series data with downsampling and aggregation | +| **[RedisBloom]({{< relref "/develop/data-types/probabilistic" >}})** | `bf` | Probabilistic data structures | Bloom filters, Cuckoo filters, Count-Min Sketch, Top-K | -Before configuring databases with modules, check which modules are available in your cluster: +{{< note >}} +When configuring databases with modules, use the `NAME` field (for example, `search` or `ReJSON`) instead of the `DISPLAY_NAME` field. +{{< /note >}} + +### Automatic enablement in Redis 8 and later + +For databases created with or upgraded to Redis version 8 or later, bundled modules are automatically enabled based on the database type. You don't need to specify them in the `spec.moduleList` field unless you want to use a specific version. 
+ +{{}} + +For databases using Redis versions earlier than 8, explicitly specify bundled modules in the `spec.moduleList` field when you create the database. + +### Check available module versions + +To see which bundled module versions are available in your cluster, run the following command: ```bash kubectl get rec -o jsonpath='{.status.modules}' | jq ``` -This command shows the modules installed in the cluster along with their available versions. +This command displays all modules (both bundled and user-defined) installed in the cluster and their available versions. + +### Bundled vs. user-defined modules + +The following table shows the key differences between bundled and user-defined modules: + +| Aspect | Bundled modules | User-defined modules | +|--------|----------------|---------------------| +| **Installation** | Pre-installed with Redis Enterprise | Must be added to the REC spec | +| **Availability** | Immediately available | Available after you add them to the REC | +| **Versions** | Bundled with the Redis Enterprise version | Specified by URL in the REC spec | +| **Examples** | RediSearch, RedisJSON, RedisTimeSeries, RedisBloom | RedisGears, custom modules | +| **Redis 8 and later behavior** | Automatically enabled for compatible database types | Must be explicitly specified | + +## User-defined modules + +User-defined modules are custom Redis modules that extend Redis functionality beyond the bundled modules. User-defined modules can include third-party modules like RedisGears or custom in-house modules developed for specific use cases. + +**Limitations:** + +- **Active-Active databases**: User-defined modules are not supported with Active-Active databases. Only bundled modules (RediSearch, RedisJSON, RedisTimeSeries, RedisBloom) can be used with Active-Active databases. + +- **Redis on Flash**: User-defined modules are fully supported with Redis on Flash databases. 
+ +### Add user-defined modules to the REC + +To use user-defined modules with your databases, first add them to the Redis Enterprise cluster (REC) custom resource. This enables the operator to validate the modules and make them available for database creation. + +{{< warning >}} +Add user-defined modules to the REC **before** you create any databases that use them. The admission controller validates that modules exist in the REC before allowing REDB creation. +{{< /warning >}} + +1. Edit your REC custom resource: + + ```sh + kubectl edit rec + ``` + +2. Add the `userDefinedModules` section to the `spec`: + + ```yaml + spec: + userDefinedModules: + - name: "custom-module" + source: + https: + url: "https://modules.company.com/custom-module-v1.0.zip" + credentialsSecret: "module-repo-creds" + ``` + +3. If your module repository requires authentication, create a secret with your credentials: + + ```sh + kubectl create secret generic module-repo-creds \ + --from-literal=username= \ + --from-literal=password= + ``` + +### Module naming requirements + +The `name` field in the REC spec must match either the `module_name` or `display_name` value from the module's manifest file (`module.json` inside the module zip file). This enables the operator to validate the module. + +For example, if your module manifest contains the following: + +```json +{ + "module_name": "rg", + "display_name": "RedisGears", + "semantic_version": "1.2.5" +} +``` + +You can use either `"rg"` or `"RedisGears"` as the `name` value in your REC spec. + +{{< note >}} +If the names don't match, the operator can't validate the module. This can lead to preventable errors during database creation or upgrades. +{{< /note >}} + +### Edit user-defined modules + +To modify the user-defined modules list, complete the following steps: + +1. Edit the REC custom resource: + + ```sh + kubectl edit rec + ``` + +1. Update the `userDefinedModules` section: + - **Add new modules**: Append them to the list. 
+ - **Update module URLs**: Change the `url` field for existing modules. + - **Update credentials**: Change the `credentialsSecret` reference. + +1. Save your changes. The operator validates and applies the updates. + +{{< warning >}} +Don't remove modules that are currently in use by any database. The operator rejects the change and puts the REC into an error state. +{{< /warning >}} {{< note >}} -Use the `NAME` field instead of the `DISPLAY_NAME` field when configuring databases with modules. +Changes to the `userDefinedModules` list trigger a rolling restart of the Redis Enterprise cluster pods. Plan module updates during a maintenance window to minimize potential impact on your databases. {{< /note >}} -## Install additional modules +### Verify user-defined modules + +After you add user-defined modules to the REC, verify that they're available: + +```sh +kubectl get rec -o jsonpath='{.spec.userDefinedModules}' | jq +``` + +You can also check the REC status for validation errors: + +```sh +kubectl describe rec +``` + +Look for events or status messages related to module validation in the output. + +## Upgrade with modules + +The upgrade process differs depending on whether you use bundled modules or user-defined modules. + +### Module version selection + +When multiple versions of a module are available in the cluster, Redis Enterprise selects the appropriate version based on the `compatible_redis_version` field in the module's manifest file (`module.json`). This field must match the Redis OSS version that the database is using. + +For example, if your database uses Redis 7.2, Redis Enterprise selects the module version whose `compatible_redis_version` is `7.2`. If no matching version is found, the module cannot be loaded. + +### Upgrade with bundled modules -If you need to install additional modules or specific versions, upload them using the Redis Enterprise API. 
See [Upload module v2]({{< relref "/operate/rs/references/rest-api/requests/modules/#post-module-v2" >}}) for more information. +For databases using bundled modules (RediSearch, RedisJSON, RedisTimeSeries, RedisBloom): -## Module configuration +- **Redis 8 and later**: Bundled modules are automatically enabled and upgraded when you upgrade the database to Redis version 8 or later. You don't need to take any additional action. The module version is automatically selected based on the database's Redis version. -Each module in the [`modulesList`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api#specmoduleslist" >}}) supports the following fields: +- **Redis versions earlier than 8**: Bundled modules are upgraded automatically when you upgrade the Redis Enterprise cluster. The bundled module versions are tied to the Redis Enterprise version, and the appropriate version is selected based on the database's Redis version. -- **name** (required): The module name (for example, "search", "ReJSON") -- **version** (optional): Specific module version. For Active-Active databases, if specified for one participating cluster, it must be specified for all participating clusters. If omitted, modules will auto-update. -- **config** (optional): Module-specific configuration parameters +### Upgrade with user-defined modules -For detailed module configuration options and parameters, see [Redis modules]({{< relref "/develop/reference/modules" >}}). +For databases using user-defined modules, you must take additional steps during cluster upgrades: -## Upgrade considerations +1. Set `autoUpgradeRedisEnterprise` to `false` in your REC spec before upgrading. -When upgrading Redis Enterprise clusters or the operator with modules, follow these guidelines: +1. Add or update the `userDefinedModules` list in the REC spec with the new module versions before or during the cluster upgrade. 
Ensure that the new module versions include a `compatible_redis_version` field that matches the Redis version your databases will use after the upgrade. -#### Pre-upgrade planning +1. After the cluster upgrade completes, you can re-enable `autoUpgradeRedisEnterprise` if desired. -- **Check module compatibility**: Verify that your current module versions are compatible with the target Redis Enterprise version. Check each module's [`min_redis_version`](https://redis.io/docs/latest/operate/rs/references/rest-api/objects/module/) requirement. -- **Review module dependencies**: Some modules may have specific version requirements or dependencies -- **Document current configurations**: Record all module versions and configurations before upgrading -- **Test in non-production**: Always test module upgrades in a development or staging environment first +For detailed upgrade instructions, see the following: -#### Module version management during upgrades +- [Upgrade a Redis Enterprise cluster (REC)]({{< relref "/operate/kubernetes/upgrade/upgrade-redis-cluster" >}}) +- [Upgrade Redis Enterprise on OpenShift]({{< relref "/operate/kubernetes/upgrade/openshift-cli" >}}) -- **Upload required modules**: Ensure all necessary module versions are uploaded to the cluster before upgrading -- **Version consistency**: For Active-Active databases, ensure module versions are consistent across all participating clusters. If you specify a version for one cluster, specify the same version for all clusters. Omit versions to allow auto-updates. -- **Compatibility requirements**: Consult the Redis Enterprise documentation for module compatibility matrices and verify each module's [`min_redis_version`](https://redis.io/docs/latest/operate/rs/references/rest-api/objects/module/) requirement +## Troubleshooting -#### Upgrade sequence +This section covers common issues you might encounter when working with user-defined modules. -1. 
**Upload new module versions** (if required) to the cluster before upgrading Redis Enterprise -2. **Upgrade the Redis Enterprise cluster** following standard upgrade procedures -3. **Verify module functionality** after the cluster upgrade completes -4. **Update database configurations** if new module versions require configuration changes +### Module validation errors -#### Post-upgrade verification +Module validation errors occur when the operator can't validate a user-defined module. Common causes include incorrect URLs, authentication failures, or invalid module manifests. -- **Check module status**: Verify all modules are loaded correctly: `kubectl get rec -o jsonpath='{.status.modules}'` -- **Test module functionality**: Validate that module-specific commands and features work as expected -- **Monitor performance**: Watch for any performance changes after the upgrade -- **Update documentation**: Record the new module versions and any configuration changes +**Symptoms:** -For detailed upgrade procedures, see [Upgrade Redis Enterprise clusters]({{< relref "/operate/kubernetes/upgrade/upgrade-redis-cluster" >}}). +- REC status shows validation errors +- Events indicate module download or validation failures +- Databases fail to create with module-related errors + +**Diagnosis:** + +Check the REC status for validation errors: + +```sh +kubectl describe rec +``` + +Look for error messages related to modules in the Events section. + +**Resolution:** + +1. **Verify the module URL is accessible:** + + ```sh + curl -I + ``` + +2. **Check credentials secret exists and has correct values:** + + ```sh + kubectl get secret -o yaml + ``` + +3. **Verify the module manifest (`module.json`) is valid:** + + Download the module zip file and check that it contains a valid `module.json` file with required fields: `module_name`, `display_name`, `semantic_version`, `commands`, and `compatible_redis_version`. + +4. 
**Ensure the `name` field in the REC spec matches the module manifest:** + + The `name` must match either `module_name` or `display_name` from the module's `module.json` file. See [Module naming requirements](#module-naming-requirements) for details. + +### Bootstrap failures + +Bootstrap failures occur when the Redis Enterprise cluster fails to start due to module-related issues. + +**Symptoms:** + +- REC pods fail to reach Running state +- Operator logs show module-related errors during bootstrap +- Cluster remains in a non-ready state + +**Diagnosis:** + +Check the operator logs: + +```sh +kubectl logs -l name=redis-enterprise-operator -n +``` + +Check the REC pod logs: + +```sh +kubectl logs -n +``` + +**Resolution:** + +1. **Remove problematic modules from the REC spec:** + + Edit the REC and remove or comment out the problematic module from the `userDefinedModules` list: + + ```sh + kubectl edit rec + ``` + +2. **Wait for the cluster to recover:** + + ```sh + kubectl get rec -w + ``` + +3. **Fix the module configuration and re-add it:** + + After the cluster is running, correct the module URL, credentials, or manifest issues, then add the module back to the REC spec. + +### Module not found errors + +Module not found errors occur when you try to create a database that uses a module that isn't defined in the REC. + +**Symptoms:** + +- REDB creation fails with admission webhook errors +- Error message indicates the module is not found in the REC +- Database remains in a pending or failed state + +**Diagnosis:** + +Check the REDB creation error: + +```sh +kubectl describe redb +``` + +Verify which modules are defined in the REC: + +```sh +kubectl get rec -o jsonpath='{.spec.userDefinedModules}' | jq +``` + +**Resolution:** + +1. **Add the missing module to the REC:** + + See [Add user-defined modules to the REC](#add-user-defined-modules-to-the-rec) for detailed instructions. + +2. 
**Wait for the module to be validated:** + + ```sh + kubectl describe rec + ``` + + Look for successful validation in the Events section. + +3. **Retry database creation:** + + After the module is available in the REC, the database creation should succeed automatically, or you can delete and recreate the REDB. ## Related information -- [Database controller]({{< relref "/operate/kubernetes/re-databases/db-controller" >}}) - Learn how to create and manage Redis Enterprise databases -- [Active-Active databases]({{< relref "/operate/kubernetes/active-active" >}}) - Set up globally distributed Active-Active databases -- [Database connectivity]({{< relref "/operate/kubernetes/networking/database-connectivity" >}}) - Connect applications to your Redis Enterprise databases +- [Redis modules documentation]({{< relref "/develop/reference/modules" >}}) - Official Redis modules documentation - [REDB API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}) - Complete API specification for REDB resources - [REAADB API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_active_active_database_api" >}}) - API reference for Active-Active databases -- [Redis modules documentation](https://redis.io/docs/latest/develop/reference/modules/) - Official Redis modules documentation + +### Redis Software documentation + +- [Add modules to a cluster]({{< relref "/operate/oss_and_stack/stack-with-enterprise/install/add-module-to-cluster" >}}) - Install module packages on Redis Enterprise Software clusters +- [Enable modules for a database]({{< relref "/operate/oss_and_stack/stack-with-enterprise/install/add-module-to-database" >}}) - Add modules to databases in Redis Enterprise Software +- [Upgrade modules]({{< relref "/operate/oss_and_stack/stack-with-enterprise/install/upgrade-module" >}}) - Upgrade module versions in Redis Enterprise Software +- [Module lifecycle]({{< relref 
"/operate/oss_and_stack/stack-with-enterprise/modules-lifecycle" >}}) - Module versioning and end-of-life schedule diff --git a/content/operate/kubernetes/reference/api/redis_enterprise_active_active_database_api.md b/content/operate/kubernetes/reference/api/redis_enterprise_active_active_database_api.md index 9ba26f3b56..9e371b868e 100644 --- a/content/operate/kubernetes/reference/api/redis_enterprise_active_active_database_api.md +++ b/content/operate/kubernetes/reference/api/redis_enterprise_active_active_database_api.md @@ -171,7 +171,14 @@ The Active-Active database global configurations, contains the global properties alertSettings object - Settings for database alerts. Note - Alert settings are not supported for Active-Active database.
+ Settings for database alerts.
+ + false + + auditing + object + + Database auditing configuration.
false @@ -323,6 +330,16 @@ The Active-Active database global configurations, contains the global properties Whether this database supports RESP3 protocol. Note - Deleting this property after explicitly setting its value shall have no effect. Please view the corresponding field in RS doc for more info.
false + + rofRamRatio + integer + + RAM allocation ratio for Redis Flex (v2) databases as a percentage of total data size. Valid range 0-100. When omitted, RS uses the default value of 50%. Controls how much RAM is allocated per unit of data (e.g., 30% means 3MB RAM per 10MB data). RAM grows proportionally with data until rofRamSize limit is reached (if specified). Only applicable when isRof=true and Redis version >= 8.0 (BigStore v2 - Redis Flex).
+
+ Minimum: 0
+ Maximum: 100
+ + false rofRamSize string @@ -422,7 +439,7 @@ Connection/ association to the Active-Active database. ### spec.globalConfigurations.alertSettings [↩ Parent](#specglobalconfigurations) -Settings for database alerts. Note - Alert settings are not supported for Active-Active database. +Settings for database alerts. @@ -1022,6 +1039,31 @@ Dataset size has reached the threshold value [% of the memory limit]
+### spec.globalConfigurations.auditing +[↩ Parent](#specglobalconfigurations) + +Database auditing configuration. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
dbConnsAuditingboolean + Enables auditing of database connection and authentication events. When enabled, connection, authentication, and disconnection events are tracked and sent to the configured audit listener (configured at the cluster level). The cluster-level auditing configuration must be set before enabling this on a database.
+
false
+ + ### spec.globalConfigurations.backup [↩ Parent](#specglobalconfigurations) diff --git a/content/operate/kubernetes/reference/api/redis_enterprise_cluster_api.md b/content/operate/kubernetes/reference/api/redis_enterprise_cluster_api.md index 4cc62e587a..4c3c0f626f 100644 --- a/content/operate/kubernetes/reference/api/redis_enterprise_cluster_api.md +++ b/content/operate/kubernetes/reference/api/redis_enterprise_cluster_api.md @@ -96,6 +96,13 @@ RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster Additional antiAffinity terms in order to support installation on different zones/vcenters
false + + auditing + object + + Cluster-level configuration for auditing database connection and authentication events. Includes both the audit listener connection parameters and the default policy for new databases.
+ + false backup object @@ -128,7 +135,7 @@ RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster clusterCredentialSecretName string - Secret Name/Path to use for Cluster Credentials. To be used only if ClusterCredentialSecretType is vault. If left blank, will use cluster name.
+ Name or path of the secret containing cluster credentials. Defaults to the cluster name if left blank. For Kubernetes secrets (default): Must be set to the cluster name or left blank. The secret can be pre-created with 'username' and 'password' fields, or otherwise it will be automatically created with a default username and auto-generated password. For Vault secrets: Can be customized with the path of the secret within Vault. The secret must be pre-created in Vault before REC creation.
false @@ -165,7 +172,7 @@ RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster createServiceAccount boolean - Whether to create service account
+ Creates a service account for Redis Enterprise.
false @@ -214,7 +221,7 @@ RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster ingressOrRouteSpec object - Access configurations for the Redis Enterprise Cluster and Databases. At most one of ingressOrRouteSpec or activeActive fields can be set at the same time.
+ Access configurations for the Redis Enterprise cluster and databases. At most one of ingressOrRouteSpec or activeActive fields can be set at the same time.
false @@ -265,7 +272,7 @@ RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster persistentSpec object - Specification for Redis Enterprise Cluster persistence
+ Persistent storage configuration for Redis Enterprise cluster.
false @@ -395,14 +402,14 @@ RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster redisOnFlashSpec object - Stores configurations specific to redis on flash. If provided, the cluster will be capable of creating redis on flash databases.
+ Auto Tiering (Redis on Flash) configuration. When provided, the cluster can create Auto Tiering databases.
false redisUpgradePolicy enum - Redis upgrade policy to be set on the Redis Enterprise Cluster. Possible values: major/latest This value is used by the cluster to choose the Redis version of the database when an upgrade is performed. The Redis Enterprise Cluster includes multiple versions of OSS Redis that can be used for databases.
+ Redis upgrade policy to be set on the Redis Enterprise cluster. Possible values: major/latest This value is used by the cluster to choose the Redis version of the database when an upgrade is performed. The Redis Enterprise cluster includes multiple versions of OSS Redis that can be used for databases.

Enum: major, latest
@@ -425,7 +432,7 @@ RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster serviceAccountName string - Name of the service account to use
+ Name of the service account to use for Redis Enterprise.
false @@ -456,18 +463,25 @@ RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster Slave high availability mechanism configuration.
false + + sso + object + + Cluster-level SSO configuration for authentication to the Cluster Manager UI.
+ + false uiAnnotations map[string]string - Annotations for Redis Enterprise UI service. This annotations will override the overlapping global annotations set under spec.services.servicesAnnotations The specified annotations will not override annotations that already exist and didn't originate from the operator, except for the 'redis.io/last-keys' annotation which is reserved.
+ Additional annotations for the Redis Enterprise UI service. These annotations override overlapping global annotations set under spec.services.servicesAnnotations. The specified annotations will not override annotations that already exist and didn't originate from the operator, except for the 'redis.io/last-keys' annotation which is reserved.
false uiServiceType enum - Type of service used to expose Redis Enterprise UI (https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types)
+ Service type for exposing the Redis Enterprise UI (https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types).

Enum: ClusterIP, NodePort, LoadBalancer, ExternalName
@@ -476,7 +490,7 @@ RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster upgradeSpec object - Specification for upgrades of Redis Enterprise
+ Redis Enterprise upgrade configuration
false @@ -486,6 +500,13 @@ RedisEnterpriseClusterSpec defines the desired state of RedisEnterpriseCluster The configuration of the usage meter.
false + + userDefinedModules + []object + + List of user-defined modules to be downloaded and installed during cluster bootstrap The modules on the list will be downloaded on cluster creation, upgrade, scale-out and recovery and installed on all nodes. Note that changing this field for a running cluster will trigger a rolling update.
+ + false username string @@ -559,6 +580,93 @@ Specification for ActiveActive setup. At most one of ingressOrRouteSpec or activ +### spec.auditing +[↩ Parent](#spec) + +Cluster-level configuration for auditing database connection and authentication events. Includes both the audit listener connection parameters and the default policy for new databases. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
configobject + Configuration for the audit listener connection
+
false
dbConnsAuditingboolean + Cluster-wide default policy for database connection auditing. When set to true, connection auditing will be enabled by default for all new databases. Existing databases are not affected and can override this setting individually.
+
false
+ + +### spec.auditing.config +[↩ Parent](#specauditing) + +Configuration for the audit listener connection + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
auditAddressstring + TCP/IP address or file path where audit notifications will be sent. For TCP protocol: IP address of the audit listener. For local protocol: file path for audit output (development/testing only).
+
true
auditProtocolenum + Protocol used to send audit notifications. Valid values: "TCP" or "local". For production systems, use "TCP". "local" is for development/testing only.
+
+ Enum: TCP, local
+
true
auditPortinteger + Port number where audit notifications will be sent (TCP protocol only).
+
false
auditReconnectIntervalinteger + Interval in seconds between attempts to reconnect to the audit listener.
+
false
auditReconnectMaxAttemptsinteger + Maximum number of attempts to reconnect to the audit listener. Set to 0 for infinite attempts.
+
false
+ + ### spec.backup [↩ Parent](#spec) @@ -744,55 +852,70 @@ RS Cluster Certificates. Used to modify the certificates used by the cluster. Se apiCertificateSecretName string - Secret name to use for cluster's API certificate. If left blank, a cluster-provided certificate will be used.
+ Secret name to use for cluster's API certificate. The secret must contain the following structure - A key 'name' with the value 'api'. - A key 'certificate' with the value of the certificate in PEM format. - A key 'key' with the value of the private key. If left blank, a cluster-provided certificate will be used.
false cmCertificateSecretName string - Secret name to use for cluster's CM (Cluster Manager) certificate. If left blank, a cluster-provided certificate will be used.
+ Secret name to use for cluster's CM (Cluster Manager) certificate. The secret must contain the following structure - A key 'name' with the value 'cm'. - A key 'certificate' with the value of the certificate in PEM format. - A key 'key' with the value of the private key. If left blank, a cluster-provided certificate will be used.
false cpInternodeEncryptionCertificateSecretName string - Secret name to use for control plane internode encryption certificate. If left blank, a cluster-provided certificate will be used.
+ Secret name to use for cluster's Control Plane Internode Encryption (CPINE) certificate. The secret must contain the following structure - A key 'name' with the value 'ccs_internode_encryption'. - A key 'certificate' with the value of the certificate in PEM format. - A key 'key' with the value of the private key. If left blank, a cluster-provided certificate will be used.
false dpInternodeEncryptionCertificateSecretName string - Secret name to use for data plane internode encryption certificate. If left blank, a cluster-provided certificate will be used.
+ Secret name to use for cluster's Data Plane Internode Encryption (DPINE) certificate. The secret must contain the following structure - A key 'name' with the value 'data_internode_encryption'. - A key 'certificate' with the value of the certificate in PEM format. - A key 'key' with the value of the private key. If left blank, a cluster-provided certificate will be used.
false ldapClientCertificateSecretName string - Secret name to use for cluster's LDAP client certificate. If left blank, LDAP client certificate authentication will be disabled.
+ + Secret name to use for cluster's LDAP client certificate. The secret must contain the following structure - A key 'name' with the value 'ldap_client'. - A key 'certificate' with the value of the certificate in PEM format. - A key 'key' with the value of the private key. If left blank, LDAP client certificate authentication will be disabled.
false metricsExporterCertificateSecretName string - Secret name to use for cluster's Metrics Exporter certificate. If left blank, a cluster-provided certificate will be used.
+ Secret name to use for cluster's Metrics Exporter certificate. The secret must contain the following structure - A key 'name' with the value 'metrics_exporter'. - A key 'certificate' with the value of the certificate in PEM format. - A key 'key' with the value of the private key. If left blank, a cluster-provided certificate will be used.
false proxyCertificateSecretName string - Secret name to use for cluster's Proxy certificate. If left blank, a cluster-provided certificate will be used.
+ Secret name to use for cluster's Proxy certificate. The secret must contain the following structure - A key 'name' with the value 'proxy'. - A key 'certificate' with the value of the certificate in PEM format. - A key 'key' with the value of the private key. If left blank, a cluster-provided certificate will be used.
+ + false + + ssoIssuerCertificateSecretName + string + + Secret name to use for the SSO Identity Provider (IdP) certificate. This is the public certificate from your SAML Identity Provider used to verify SAML assertions. The secret must contain 'name' and 'certificate' fields (no 'key' field needed for IdP cert). This is optional - if using IdP metadata XML, the IdP certificate is included in the metadata.
+ + false + + ssoServiceCertificateSecretName + string + + Secret name to use for cluster's SSO service certificate. Used for SAML-based SSO authentication to the Cluster Manager. The secret must contain 'name', 'certificate', and 'key' fields (same format as other cluster certificates). If left blank, SSO will not be configured.
false syncerCertificateSecretName string - Secret name to use for cluster's Syncer certificate. If left blank, a cluster-provided certificate will be used.
+ Secret name to use for cluster's Syncer certificate. The secret must contain the following structure - A key 'name' with the value 'syncer'. - A key 'certificate' with the value of the certificate in PEM format. - A key 'key' with the value of the private key. If left blank, a cluster-provided certificate will be used.
false @@ -905,7 +1028,7 @@ HostAlias holds the mapping between IP and hostnames that will be injected as an ### spec.ingressOrRouteSpec [↩ Parent](#spec) -Access configurations for the Redis Enterprise Cluster and Databases. At most one of ingressOrRouteSpec or activeActive fields can be set at the same time. +Access configurations for the Redis Enterprise cluster and databases. At most one of ingressOrRouteSpec or activeActive fields can be set at the same time. @@ -1276,7 +1399,7 @@ An API object that represents the cluster's OCSP configuration. To enable OCSP, ### spec.persistentSpec [↩ Parent](#spec) -Specification for Redis Enterprise Cluster persistence +Persistent storage configuration for Redis Enterprise cluster.
@@ -1369,14 +1492,14 @@ Mitigation setting for STS pods stuck in "ContainerCreating" @@ -2269,7 +2392,7 @@ Compute resource requirements for Services Rigger pod ### spec.redisOnFlashSpec [↩ Parent](#spec) -Stores configurations specific to redis on flash. If provided, the cluster will be capable of creating redis on flash databases. +Auto Tiering (Redis on Flash) configuration. When provided, the cluster can create Auto Tiering databases.
enabled boolean - Whether to detect and attempt to mitigate pod startup issues
+ Enables detection and mitigation of pod startup issues.
true
startingThresholdSeconds integer - Time in seconds to wait for a pod to be stuck while starting up before action is taken. If set to 0, will be treated as if disabled.
+ Time in seconds to wait before taking action on a pod stuck during startup. Set to 0 to disable.

Format: int32
@@ -2348,7 +2471,7 @@ The security configuration that will be applied to RS pods. @@ -2383,7 +2506,7 @@ Policy controlling whether to enable read-only root filesystem for the Redis Ent ### spec.securityContext.resourceLimits [↩ Parent](#specsecuritycontext) -Settings pertaining to resource limits management by the Redis Enterprise Node container. +Settings pertaining to resource limits management by the Redis Enterprise node container.
resourceLimits object - Settings pertaining to resource limits management by the Redis Enterprise Node container.
+ Settings pertaining to resource limits management by the Redis Enterprise node container.
false
@@ -3242,7 +3365,7 @@ Slave high availability mechanism configuration. @@ -3251,10 +3374,159 @@ Slave high availability mechanism configuration.
slaveHAGracePeriod integer - Time in seconds between when a node fails, and when slave high availability mechanism starts relocating shards. If set to 0, will not affect cluster configuration.
+ Grace period in seconds between node failure and when the high availability mechanism starts relocating shards. Set to 0 to not affect cluster configuration.

Format: int32
+### spec.sso +[↩ Parent](#spec) + +Cluster-level SSO configuration for authentication to the Cluster Manager UI. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
enabledboolean + Enables SSO for Cluster Manager authentication. SSO requires the following configuration - Service Provider certificate (spec.certificates.ssoServiceCertificateSecretName), Identity Provider certificate (spec.certificates.ssoIssuerCertificateSecretName), IdP metadata or manual issuer configuration (spec.sso.saml.idpMetadataSecretName or spec.sso.saml.issuer), and Base address for Service Provider URLs (auto-determined from UI service or set via spec.sso.saml.serviceProvider.baseAddress).
+
true
samlobject + SAML-based SSO configuration. Currently,SAML is the only supported SSO protocol.
+
true
enforceSSOboolean + Enforces SSO-only authentication for the Cluster Manager. When true, local username/password authentication is disabled for non-admin users. When false (default), both SSO and local authentication are available.
+
false
+ + +### spec.sso.saml +[↩ Parent](#specsso) + +SAML-based SSO configuration. Currently,SAML is the only supported SSO protocol. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
idpMetadataSecretNamestring + Name of a secret in the same namespace that contains the Identity Provider (IdP) metadata XML. The secret must contain a key named 'idp_metadata' with the IdP metadata XML content. The XML can be plain text or base64-encoded; the operator handles encoding as needed. Obtain this metadata from your SAML Identity Provider (e.g., Okta or Azure AD). This is the recommended configuration method, as it's less error-prone. Either idpMetadataSecretName or issuer must be specified. If both are provided, idpMetadataSecretName takes precedence and issuer is ignored.
+
false
issuerobject + Manual Identity Provider (IdP) configuration. Use this when IdP metadata XML is unavailable. Either idpMetadataSecretName or issuer must be specified. If both are provided, idpMetadataSecretName takes precedence and issuer is ignored.
+
false
serviceProviderobject + Service Provider (SP) configuration.
+
false
spMetadataSecretNamestring + Name of a secret where the operator stores the Service Provider (SP) metadata XML. The operator creates this secret with a key named 'sp_metadata' that contains the base64-encoded SP metadata XML. Upload this metadata to your Identity Provider. If not specified, defaults to "-sso-sp-metadata". If not specified, the Service Provider metadata isn't stored in a K8s secret, but can still be obtained directly from the cluster's UI and/or API. Note: This secret is only created when the cluster is configured to use Kubernetes secrets (spec.clusterCredentialSecretType is unset or set to "kubernetes"). When using Vault secrets, the operator does not create this secret. Users can obtain the SP metadata directly from the Redis Enterprise Server API endpoint: GET /v1/cluster/sso/saml/metadata/sp and store it in Vault themselves if needed.
+
false
+ + +### spec.sso.saml.issuer +[↩ Parent](#specssosaml) + +Manual Identity Provider (IdP) configuration. Use this when IdP metadata XML is unavailable. Either idpMetadataSecretName or issuer must be specified. If both are provided, idpMetadataSecretName takes precedence and issuer is ignored. + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
entityIDstring + Identity Provider entity ID (issuer identifier). Example: "urn:sso:example:idp" or "https://idp.example.com".
+
true
loginURLstring + Identity Provider SSO login URL where SAML authentication requests are sent. Example: "https://idp.example.com/sso/saml".
+
true
logoutURLstring + Identity Provider single logout URL where SAML logout requests are sent.
+
false
+ + +### spec.sso.saml.serviceProvider +[↩ Parent](#specssosaml) + +Service Provider (SP) configuration. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
baseAddressstring + Base address used to construct Service Provider (SP) URLs, such as the ACS URL and SLO URL. Format: [://][:]. Examples: "https://redis-ui.example.com:9443" (recommended - explicit scheme), "redis-ui.example.com:9443" (defaults to https://), "http://redis-ui.example.com:9443" (NOT recommended for production). If the scheme is not specified, the operator automatically prepends "https://". WARNING: Using "http://" is NOT recommended for production environments as it transmits sensitive SAML assertions in plaintext. Only use "http://" for testing/development purposes. If set, this value is used to construct the SP URLs. If unset, the base address is automatically determined from the REC Cluster Manager UI service: - If the UI service type is LoadBalancer (configured via spec.uiServiceType), the load balancer address is used. - Otherwise, the cluster-internal DNS name is used (e.g., rec-ui.svc.cluster.local). - The port defaults to 8443 if not specified. Usage guidelines: - For LoadBalancer services: Leave this field blank to use the default REC UI service, or set it explicitly to the LoadBalancer address for custom services. - For Ingress: Set this to the ingress hostname and port (typically 443), e.g., "https://redis-ui.example.com:443".
+
false
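Review bot: The `spMetadataSecretName` description in the `spec.sso.saml` table gives two incompatible behaviours for the unset case: it first says "If not specified, defaults to "-sso-sp-metadata"" and then, in the next sentence, "If not specified, the Service Provider metadata isn't stored in a K8s secret". Keep whichever matches the operator, because readers need to know whether a secret holding SP metadata appears in the namespace by default. The quoted default name also begins with a bare hyphen, which reads like a dropped prefix placeholder, and the `baseAddress` format string `[://][:]` has the same look; both are worth checking in the rendered page. The sentence "Currently,SAML is the only supported SSO protocol" is missing a space after the comma.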
+ + ### spec.upgradeSpec [↩ Parent](#spec) -Specification for upgrades of Redis Enterprise +Redis Enterprise upgrade configuration @@ -3269,7 +3541,7 @@ Specification for upgrades of Redis Enterprise @@ -3459,6 +3731,134 @@ ResourceClaim references one entry in PodSpec.ResourceClaims.
autoUpgradeRedisEnterprise boolean - Whether to upgrade Redis Enterprise automatically when operator is upgraded
+ Enables automatic Redis Enterprise upgrades when the operator is upgraded.
true
+### spec.userDefinedModules[] +[↩ Parent](#spec) + +UserDefinedModule represents a user-defined Redis module to be downloaded and installed during bootstrap + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
namestring + Name of the module
+
true
sourceobject + Source location for downloading the module
+
true
+ + +### spec.userDefinedModules[].source +[↩ Parent](#specuserdefinedmodules) + +Source location for downloading the module + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
httpobject + HTTP source configuration for downloading the module via HTTP
+
false
httpsobject + HTTPS source configuration for downloading the module via HTTPS
+
false
+ + +### spec.userDefinedModules[].source.http +[↩ Parent](#specuserdefinedmodulessource) + +HTTP source configuration for downloading the module via HTTP + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
urlstring + URL to download the module from (must use http:// scheme)
+
true
credentialsSecretstring + Name of the Kubernetes secret containing credentials for downloading the module, if needed. The secret must contain 'username' and 'password' keys.
+
false
+ + +### spec.userDefinedModules[].source.https +[↩ Parent](#specuserdefinedmodulessource) + +HTTPS source configuration for downloading the module via HTTPS + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
urlstring + URL to download the module from (must use https:// scheme)
+
true
credentialsSecretstring + Name of the Kubernetes secret containing credentials for downloading the module, if needed. The secret must contain 'username' and 'password' keys.
+
false
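Review bot: In the `spec.userDefinedModules[].source.http` table, `credentialsSecret` is offered next to a URL that "must use http:// scheme", so the `username` and `password` from that secret, and the module binary itself, travel unencrypted. The `baseAddress` description added earlier in this file carries an explicit warning about `http://`; this section should carry an equivalent one, or state that credentials are not accepted for the `http` source. The `source` table also marks both `http` and `https` as not required without saying whether exactly one must be set, and none of the three tables documents a checksum or signature field for verifying the downloaded module, which is worth stating either way.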
+ + ### spec.volumes[] [↩ Parent](#spec) @@ -3747,7 +4147,7 @@ Volume represents a named volume in a pod that may be accessed by any container persistenceStatus object - The status of the Persistent Volume Claims that are used for Redis Enterprise Cluster persistence. The status will correspond to the status of one or more of the PVCs (failed/resizing if one of them is in resize or failed to resize)
+ The status of the Persistent Volume Claims that are used for Redis Enterprise cluster persistence. The status will correspond to the status of one or more of the PVCs (failed/resizing if one of them is in resize or failed to resize)
false @@ -4078,7 +4478,7 @@ An API object that represents the cluster's OCSP status ### status.persistenceStatus [↩ Parent](#status) -The status of the Persistent Volume Claims that are used for Redis Enterprise Cluster persistence. The status will correspond to the status of one or more of the PVCs (failed/resizing if one of them is in resize or failed to resize) +The status of the Persistent Volume Claims that are used for Redis Enterprise cluster persistence. The status will correspond to the status of one or more of the PVCs (failed/resizing if one of them is in resize or failed to resize) diff --git a/content/operate/kubernetes/reference/api/redis_enterprise_database_api.md b/content/operate/kubernetes/reference/api/redis_enterprise_database_api.md index 3ccb0ea0bb..3d3d075310 100644 --- a/content/operate/kubernetes/reference/api/redis_enterprise_database_api.md +++ b/content/operate/kubernetes/reference/api/redis_enterprise_database_api.md @@ -96,6 +96,13 @@ RedisEnterpriseDatabaseSpec defines the desired state of RedisEnterpriseDatabase Settings for database alerts
+ + + + + @@ -245,6 +252,16 @@ RedisEnterpriseDatabaseSpec defines the desired state of RedisEnterpriseDatabase Whether this database supports RESP3 protocol. Note - Deleting this property after explicitly setting its value shall have no effect. Please view the corresponding field in RS doc for more info.
+ + + + + @@ -841,6 +858,34 @@ Dataset size has reached the threshold value [% of the memory limit] expected fi
false
auditingobject + Database auditing configuration.
+
false
backup object false
rofRamRatiointeger + RAM allocation ratio for Redis Flex (v2) databases as a percentage of total data size. Valid range 0-100. When omitted, RS uses the default value of 50%. Controls how much RAM is allocated per unit of data (e.g., 30% means 3MB RAM per 10MB data). RAM grows proportionally with data until rofRamSize limit is reached (if specified). Only applicable when isRof=true and Redis version >= 8.0 (BigStore v2 - Redis Flex).
+
+ Minimum: 0
+ Maximum: 100
+
false
rofRamSize string
+### spec.auditing +[↩ Parent](#spec) + +Database auditing configuration. + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
dbConnsAuditingboolean + Enables auditing of database connection and authentication events. +When enabled, connection, authentication, and disconnection events are tracked and sent +to the configured audit listener (configured at the cluster level). +The cluster-level auditing configuration must be set before enabling this on a database.
+
false
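Review bot: The `dbConnsAuditing` description says the cluster-level auditing configuration "must be set before enabling this on a database" but does not say what happens when it is not set: whether the operator rejects the database spec, or accepts it and no events reach a listener. For an audit control the silent case is the one that matters, so name the outcome and link the cluster-level field that configures the audit listener.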
+ + ### spec.backup [↩ Parent](#spec) @@ -1379,6 +1424,13 @@ RedisEnterpriseDatabaseStatus defines the observed state of RedisEnterpriseDatab Information on the database's periodic backup
false + + bigstoreVersion + integer + + BigStore version for Redis on Flash databases (1 for Auto Tiering, 2 for Redis Flex). Read-only field populated from RS.
+ + false createdTime string diff --git a/content/operate/kubernetes/reference/supported_k8s_distributions.md b/content/operate/kubernetes/reference/supported_k8s_distributions.md index fa915032a4..0bce64a920 100644 --- a/content/operate/kubernetes/reference/supported_k8s_distributions.md +++ b/content/operate/kubernetes/reference/supported_k8s_distributions.md 
@@ -29,30 +29,29 @@ Any distribution not listed below is not supported for production workloads. For details on this platform, see the Kubernetes [documentation](https://kubernetes.io/docs/home/supported-doc-versions/). {{}} -| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| Redis operator | **8.0.2-2** | **7.22.2-21** | **7.22.0-15** | **7.22.0-7** | **7.8.6-1** | **7.8.4-9** | **7.8.4-8** | **7.8.2-6** | **7.4.6-2** | **7.4.2-12** | **7.4.2-2** | **7.2.4-12** | **7.2.4-7** | **7.2.4-2** | **6.4.2-8** | **6.4.2-6** | **6.4.2-5** | **6.4.2-4** | **6.2.18-41** | **6.2.18-3** | **6.2.12-1** | ****6.2.10-4**5** | **6.2.10-34** | **6.2.10-4** | **6.2.8-15** | **6.2.8-11** | **6.2.8-2** | **6.2.4-1** | -| | October 2025 | October 2025 | July 2025 | April 2025 | March 2025 | March 2025 | Feb 2025 | Nov 2024 | July 2024 | May 2024 | March 2024 | Dec 2023 | Oct 2023 | Aug 2023 | July 2023 | June 2023 | April 2023 | March 2023 | Jan 2023 | Nov 2022 | Sept 2022 | July 2022 | May 2022 | March 2022 | Jan 2022 | Jan 2022 | Nov 2021 | Sept 2021 | -| **Community K8s** | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.34 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.33 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.32 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.31 | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.30 | | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.29 | | | | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | -| 1.28 | | | | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | -| 1.27 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.26 | | | | | | | | | :warning: | :warning: | :warning: | | | | | | | | | | | | | | | | | | -| 1.25 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 
-| 1.24 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.23 | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | -| 1.22 | | | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | -| 1.21 | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | -| 1.20 | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | -| 1.19 | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | -| 1.18 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.17 | | | | | | | | | | | | | | | | | | | | | | | | | | | | :warning: | -| 1.16 | | | | | | | | | | | | | | | | | | | | | | | | | | | | :warning: | +| Redis operator | **8.0.6-6** | **8.0.2-2** | **7.22.2-21** | **7.22.0-15** | **7.22.0-7** | **7.8.6-1** | **7.8.4-9** | **7.8.4-8** | **7.8.2-6** | **7.4.6-2** | **7.4.2-12** | **7.4.2-2** | **7.2.4-12** | **7.2.4-7** | **7.2.4-2** | **6.4.2-8** | **6.4.2-6** | **6.4.2-5** | **6.4.2-4** | **6.2.18-41** | **6.2.18-3** | **6.2.12-1** | ****6.2.10-4**5** | **6.2.10-34** | **6.2.10-4** | **6.2.8-15** | **6.2.8-11** | **6.2.8-2** | **6.2.4-1** | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| | December 2025 | October 2025 | October 2025 | July 2025 | April 2025 | March 2025 | March 2025 | Feb 2025 | Nov 2024 | July 2024 | May 2024 | March 2024 | Dec 2023 | Oct 2023 | Aug 2023 | July 2023 | June 2023 | April 2023 | March 2023 | Jan 2023 | Nov 2022 | Sept 2022 | July 2022 | May 2022 | March 2022 | Jan 2022 | Jan 2022 | Nov 2021 | Sept 2021 | +| **Community K8s** | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.34 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.33 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.32 | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.31 | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.30 | | | 
:warning: | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.29 | | | | | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | +| 1.28 | | | | | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | +| 1.27 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.26 | | | | | | | | | | :warning: | :warning: | :warning: | | | | | | | | | | | | | | | | | | +| 1.25 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.24 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.23 | | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | +| 1.22 | | | | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | +| 1.21 | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | +| 1.20 | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | +| 1.19 | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | +| 1.18 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.17 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | :warning: | +| 1.16 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | :warning: | {{}} 
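Review bot: The new `Redis operator` header row of the Community K8s table still carries the malformed cell `****6.2.10-4**5**`, copied unchanged from the removed row; the same column in the other platform tables in this patch reads `**6.2.10-45**`. Since the row is being rewritten anyway, fix the bold markers here so the version renders as 6.2.10-45.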
@@ -61,28 +60,27 @@ For details on this platform, see the Kubernetes [documentation](https://kuberne For details on this platform, see the [OpenShift documentation](https://docs.openshift.com/container-platform/4.13/welcome/index.html). {{}} -| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| Redis operator | **8.0.2-2** | **7.22.2-21** | **7.22.0-15** | **7.22.0-7** | **7.8.6-1** | **7.8.4-9** | **7.8.4-8** | **7.8.2-6** | **7.4.6-2** | **7.4.2-12** | **7.4.2-2** | **7.2.4-12** | **7.2.4-7** | **7.2.4-2** | **6.4.2-8** | **6.4.2-6** | **6.4.2-5** | **6.4.2-4** | **6.2.18-41** | **6.2.18-3** | **6.2.12-1** | **6.2.10-45** | **6.2.10-34** | **6.2.10-4** | **6.2.8-15** | **6.2.8-11** | **6.2.8-2** | **6.2.4-1** | -| | October 2025 | October 2025 | July 2025 | April 2025 | March 2025 | March 2025 | Feb 2025 | Nov 2024 | July 2024 | May 2024 | March 2024 | Dec 2023 | Oct 2023 | Aug 2023 | July 2023 | June 2023 | April 2023 | March 2023 | Jan 2023 | Nov 2022 | Sept 2022 | July 2022 | May 2022 | March 2022 | Jan 2022 | Jan 2022 | Nov 2021 | Sept 2021 | -| **OpenShift** | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 4.20 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 4.19 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 4.18 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 4.17 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 4.16 | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 4.15 | | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | -| 4.14 | | | | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | -| 4.13 | | | | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | -| 4.12 | | | | | | | | | | | :warning: | | | | | | | | | | | | | | | | | | -| 4.11 | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | 
| | | | | -| 4.10 | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | | | -| 4.9 | | | | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | :warning: | | | | | | | | | -| 4.8 | | | | | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | :warning: | :warning: | | | | | | | -| 4.7 | | | | | | | | | | | | | | | | | | | | | :warning: | :warning: | :warning: | | | | | | -| 4.6 | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | -| 4.5 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 3.11 | | | | | | | | | | | | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | :warning: | +| Redis operator | **8.0.6-6** | **8.0.2-2** | **7.22.2-21** | **7.22.0-15** | **7.22.0-7** | **7.8.6-1** | **7.8.4-9** | **7.8.4-8** | **7.8.2-6** | **7.4.6-2** | **7.4.2-12** | **7.4.2-2** | **7.2.4-12** | **7.2.4-7** | **7.2.4-2** | **6.4.2-8** | **6.4.2-6** | **6.4.2-5** | **6.4.2-4** | **6.2.18-41** | **6.2.18-3** | **6.2.12-1** | **6.2.10-45** | **6.2.10-34** | **6.2.10-4** | **6.2.8-15** | **6.2.8-11** | **6.2.8-2** | **6.2.4-1** | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| | December 2025 | October 2025 | October 2025 | July 2025 | April 2025 | March 2025 | March 2025 | Feb 2025 | Nov 2024 | July 2024 | May 2024 | March 2024 | Dec 2023 | Oct 2023 | Aug 2023 | July 2023 | June 2023 | April 2023 | March 2023 | Jan 2023 | Nov 2022 | Sept 2022 | July 2022 | May 2022 | March 2022 | Jan 2022 | Jan 2022 | Nov 2021 | Sept 2021 | +| **OpenShift** | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 4.20 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 4.19 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 4.18 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 4.17 | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 4.16 
| | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 4.15 | | | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | +| 4.14 | | | | | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | +| 4.13 | | | | | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | +| 4.12 | | | | | | | | | | | | :warning: | | | | | | | | | | | | | | | | | | +| 4.11 | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | | | | | | +| 4.10 | | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | | | +| 4.9 | | | | | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | :warning: | | | | | | | | | +| 4.8 | | | | | | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | :warning: | :warning: | | | | | | | +| 4.7 | | | | | | | | | | | | | | | | | | | | | | :warning: | :warning: | :warning: | | | | | | +| 4.6 | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | +| 4.5 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 3.11 | | | | | | | | | | | | | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | :warning: | {{}} 
@@ -90,28 +88,28 @@ For details on this platform, see the [OpenShift documentation](https://docs.ope For details on this platform, see the [EKS documentation](https://docs.aws.amazon.com/eks/?icmpid=docs_homepage_containers). -{{}}| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| Redis operator | **8.0.2-2** | **7.22.2-21** | **7.22.0-15** | **7.22.0-7** | **7.8.6-1** | **7.8.4-9** | **7.8.4-8** | **7.8.2-6** | **7.4.6-2** | **7.4.2-12** | **7.4.2-2** | **7.2.4-12** | **7.2.4-7** | **7.2.4-2** | **6.4.2-8** | **6.4.2-6** | **6.4.2-5** | **6.4.2-4** | **6.2.18-41** | **6.2.18-3** | **6.2.12-1** | **6.2.10-45** | **6.2.10-34** | **6.2.10-4** | **6.2.8-15** | **6.2.8-11** | **6.2.8-2** | **6.2.4-1** | -| | October 2025 | October 2025 | July 2025 | April 2025 | March 2025 | March 2025 | Feb 2025 | Nov 2024 | July 2024 | May 2024 | March 2024 | Dec 2023 | Oct 2023 | Aug 2023 | July 2023 | June 2023 | April 2023 | March 2023 | Jan 2023 | Nov 2022 | Sept 2022 | July 2022 | May 2022 | March 2022 | Jan 2022 | Jan 2022 | Nov 2021 | Sept 2021 | -| **Amazon EKS** | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.34 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.33 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.32 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.31 | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.30 | | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.29 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.28 | | | | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | -| 1.27 | | | | | | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | -| 1.26 | | | | | | | | | :warning: | | | | | | | | | | | | | | | | | | | | -| 1.25 | | | | | | | | | | :warning: | :warning: | | | | 
| | | | | | | | | | | | | | -| 1.24 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.23 | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | | | -| 1.22 | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | -| 1.21 | | | | | | | | | | | | | | | | | | | :warning: | :warning: | :warning: | | | | | | | | -| 1.20 | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | -| 1.19 | | | | | | | | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | -| 1.18 | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | +{{}} +| Redis operator | **8.0.6-6** | **8.0.2-2** | **7.22.2-21** | **7.22.0-15** | **7.22.0-7** | **7.8.6-1** | **7.8.4-9** | **7.8.4-8** | **7.8.2-6** | **7.4.6-2** | **7.4.2-12** | **7.4.2-2** | **7.2.4-12** | **7.2.4-7** | **7.2.4-2** | **6.4.2-8** | **6.4.2-6** | **6.4.2-5** | **6.4.2-4** | **6.2.18-41** | **6.2.18-3** | **6.2.12-1** | **6.2.10-45** | **6.2.10-34** | **6.2.10-4** | **6.2.8-15** | **6.2.8-11** | **6.2.8-2** | **6.2.4-1** | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| | December 2025 | October 2025 | October 2025 | July 2025 | April 2025 | March 2025 | March 2025 | Feb 2025 | Nov 2024 | July 2024 | May 2024 | March 2024 | Dec 2023 | Oct 2023 | Aug 2023 | July 2023 | June 2023 | April 2023 | March 2023 | Jan 2023 | Nov 2022 | Sept 2022 | July 2022 | May 2022 | March 2022 | Jan 2022 | Jan 2022 | Nov 2021 | Sept 2021 | +| **Amazon EKS** | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.34 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.33 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.32 | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.31 | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.30 | | | :warning: | :warning: | | | | | | | | | | | | | | | | 
| | | | | | | | | | +| 1.29 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.28 | | | | | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | +| 1.27 | | | | | | | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | +| 1.26 | | | | | | | | | | :warning: | | | | | | | | | | | | | | | | | | | | +| 1.25 | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | | | | | | +| 1.24 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.23 | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | | | +| 1.22 | | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | +| 1.21 | | | | | | | | | | | | | | | | | | | | :warning: | :warning: | :warning: | | | | | | | | +| 1.20 | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | +| 1.19 | | | | | | | | | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | +| 1.18 | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | {{}} 
@@ -120,28 +118,27 @@ For details on this platform, see the [EKS documentation](https://docs.aws.amazo For details on this platform, see the [AKS documentation](https://learn.microsoft.com/en-us/azure/aks/). {{}} -| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| Redis operator | **8.0.2-2** | **7.22.2-21** | **7.22.0-15** | **7.22.0-7** | **7.8.6-1** | **7.8.4-9** | **7.8.4-8** | **7.8.2-6** | **7.4.6-2** | **7.4.2-12** | **7.4.2-2** | **7.2.4-12** | **7.2.4-7** | **7.2.4-2** | **6.4.2-8** | **6.4.2-6** | **6.4.2-5** | **6.4.2-4** | **6.2.18-41** | **6.2.18-3** | **6.2.12-1** | **6.2.10-45** | **6.2.10-34** | **6.2.10-4** | **6.2.8-15** | **6.2.8-11** | **6.2.8-2** | **6.2.4-1** | -| | October 2025 | October 2025 | July 2025 | April 2025 | March 2025 | March 2025 | Feb 2025 | Nov 2024 | July 2024 | May 2024 | March 2024 | Dec 2023 | Oct 2023 | Aug 2023 | July 2023 | June 2023 | April 2023 | March 2023 | Jan 2023 | Nov 2022 | Sept 2022 | July 2022 | May 2022 | March 2022 | Jan 2022 | Jan 2022 | Nov 2021 | Sept 2021 | -| **Azure AKS** | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.34 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.33 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.32 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.31 | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.30 | | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.29 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.28 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.27 | | | | | | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | -| 1.26 | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | | | | | | -| 1.25 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.24 | 
| | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.23 | | | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | -| 1.22 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.21 | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | -| 1.20 | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | -| 1.19 | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | -| 1.18 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| Redis operator | **8.0.6-6** | **8.0.2-2** | **7.22.2-21** | **7.22.0-15** | **7.22.0-7** | **7.8.6-1** | **7.8.4-9** | **7.8.4-8** | **7.8.2-6** | **7.4.6-2** | **7.4.2-12** | **7.4.2-2** | **7.2.4-12** | **7.2.4-7** | **7.2.4-2** | **6.4.2-8** | **6.4.2-6** | **6.4.2-5** | **6.4.2-4** | **6.2.18-41** | **6.2.18-3** | **6.2.12-1** | **6.2.10-45** | **6.2.10-34** | **6.2.10-4** | **6.2.8-15** | **6.2.8-11** | **6.2.8-2** | **6.2.4-1** | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| | December 2025 | October 2025 | October 2025 | July 2025 | April 2025 | March 2025 | March 2025 | Feb 2025 | Nov 2024 | July 2024 | May 2024 | March 2024 | Dec 2023 | Oct 2023 | Aug 2023 | July 2023 | June 2023 | April 2023 | March 2023 | Jan 2023 | Nov 2022 | Sept 2022 | July 2022 | May 2022 | March 2022 | Jan 2022 | Jan 2022 | Nov 2021 | Sept 2021 | +| **Azure AKS** | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.34 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.33 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.32 | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.31 | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.30 | | | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.29 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.28 | | | | | | | | | | 
| | | | | | | | | | | | | | | | | | | | +| 1.27 | | | | | | | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | +| 1.26 | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | | | | | | +| 1.25 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.24 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.23 | | | | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | +| 1.22 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.21 | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | +| 1.20 | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | +| 1.19 | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | +| 1.18 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | {{}} 
@@ -150,29 +147,27 @@ For details on this platform, see the [AKS documentation](https://learn.microsof For details on this platform, see the [GKE documentation](https://cloud.google.com/kubernetes-engine/docs). {{}} -| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| Redis operator | **8.0.2-2** | **7.22.2-21** | **7.22.0-15** | **7.22.0-7** | **7.8.6-1** | **7.8.4-9** | **7.8.4-8** | **7.8.2-6** | **7.4.6-2** | **7.4.2-12** | **7.4.2-2** | **7.2.4-12** | **7.2.4-7** | **7.2.4-2** | **6.4.2-8** | **6.4.2-6** | **6.4.2-5** | **6.4.2-4** | **6.2.18-41** | **6.2.18-3** | **6.2.12-1** | **6.2.10-45** | **6.2.10-34** | **6.2.10-4** | **6.2.8-15** | **6.2.8-11** | **6.2.8-2** | **6.2.4-1** | -| | October 2025 | October 2025 | July 2025 | April 2025 | March 2025 | March 2025 | Feb 2025 | Nov 2024 | July 2024 | May 2024 | March 2024 | Dec 2023 | Oct 2023 | Aug 2023 | July 2023 | June 2023 | April 2023 | March 2023 | Jan 2023 | Nov 2022 | Sept 2022 | July 2022 | May 2022 | March 2022 | Jan 2022 | Jan 2022 | Nov 2021 | Sept 2021 | -| **Google GKE** | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.34 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.33 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.32 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.31 | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.30 | | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.29 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.28 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.27 | | | | | | | | | :warning: | | | | | | | | | | | | | | | | | | | | -| 1.26 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.25 | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | | | | | | -| 1.24 | | | | | | | | | | | | | | 
| | | | | | | | | | | | | | | -| 1.23 | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | | | -| 1.22 | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | -| 1.21 | | | | | | | | | | | | | | | | | | | :warning: | :warning: | :warning: | | | | | | | | -| 1.20 | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | -| 1.19 | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | -| 1.18 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - +| Redis operator | **8.0.6-6** | **8.0.2-2** | **7.22.2-21** | **7.22.0-15** | **7.22.0-7** | **7.8.6-1** | **7.8.4-9** | **7.8.4-8** | **7.8.2-6** | **7.4.6-2** | **7.4.2-12** | **7.4.2-2** | **7.2.4-12** | **7.2.4-7** | **7.2.4-2** | **6.4.2-8** | **6.4.2-6** | **6.4.2-5** | **6.4.2-4** | **6.2.18-41** | **6.2.18-3** | **6.2.12-1** | **6.2.10-45** | **6.2.10-34** | **6.2.10-4** | **6.2.8-15** | **6.2.8-11** | **6.2.8-2** | **6.2.4-1** | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| | December 2025 | October 2025 | October 2025 | July 2025 | April 2025 | March 2025 | March 2025 | Feb 2025 | Nov 2024 | July 2024 | May 2024 | March 2024 | Dec 2023 | Oct 2023 | Aug 2023 | July 2023 | June 2023 | April 2023 | March 2023 | Jan 2023 | Nov 2022 | Sept 2022 | July 2022 | May 2022 | March 2022 | Jan 2022 | Jan 2022 | Nov 2021 | Sept 2021 | +| **Google GKE** | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.34 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.33 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.32 | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.31 | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.30 | | | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.29 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.28 | 
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.27 | | | | | | | | | | :warning: | | | | | | | | | | | | | | | | | | | | +| 1.26 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.25 | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | | | | | | +| 1.24 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.23 | | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | | | +| 1.22 | | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | +| 1.21 | | | | | | | | | | | | | | | | | | | | :warning: | :warning: | :warning: | | | | | | | | +| 1.20 | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | +| 1.19 | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | +| 1.18 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | {{}} ## Rancher 
@@ -180,37 +175,36 @@ For details on this platform, see the [GKE documentation](https://cloud.google.c For details on this platform, see the [Rancher documentation](https://ranchermanager.docs.rancher.com/). {{}} -| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| Redis operator | **8.0.2-2** | **7.22.2-21** | **7.22.0-15** | **7.22.0-7** | **7.8.6-1** | **7.8.4-9** | **7.8.4-8** | **7.8.2-6** | **7.4.6-2** | **7.4.2-12** | **7.4.2-2** | **7.2.4-12** | **7.2.4-7** | **7.2.4-2** | **6.4.2-8** | **6.4.2-6** | **6.4.2-5** | **6.4.2-4** | **6.2.18-41** | **6.2.18-3** | **6.2.12-1** | **6.2.10-45** | **6.2.10-34** | **6.2.10-4** | **6.2.8-15** | **6.2.8-11** | **6.2.8-2** | **6.2.4-1** | -| | October 2025 | October 2025 | July 2025 | April 2025 | March 2025 | March 2025 | Feb 2025 | Nov 2024 | July 2024 | May 2024 | March 2024 | Dec 2023 | Oct 2023 | Aug 2023 | July 2023 | June 2023 | April 2023 | March 2023 | Jan 2023 | Nov 2022 | Sept 2022 | July 2022 | May 2022 | March 2022 | Jan 2022 | Jan 2022 | Nov 2021 | Sept 2021 | -| **RKE2** | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.34 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.33 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.32 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.31 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.30 | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.29 | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.28 | | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.27 | | | | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | -| 1.26 | | | | | | :warning: | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | -| 1.25 | | | | | | | | | :warning: | | | | | | | | | | | | | | | | | | | | -| 1.24 | | | 
| | | | | | | | :warning: | | | | | | | | | | | | | | | | | | -| 1.23 | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | | | -| 1.24 | | | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | | | -| 1.23 | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | -| **Rancher** | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.22 | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | -| 1.21 | | | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | -| 1.20 | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | -| 1.19 | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | -| 1.18 | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | -| 1.20 | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | -| 1.19 | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | -| 1.18 | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | -| 1.17 | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | -| 1.18 | | | | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | -| 1.17 | | | | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | +| Redis operator | **8.0.6-6** | **8.0.2-2** | **7.22.2-21** | **7.22.0-15** | **7.22.0-7** | **7.8.6-1** | **7.8.4-9** | **7.8.4-8** | **7.8.2-6** | **7.4.6-2** | **7.4.2-12** | **7.4.2-2** | **7.2.4-12** | **7.2.4-7** | **7.2.4-2** | **6.4.2-8** | **6.4.2-6** | **6.4.2-5** | **6.4.2-4** | **6.2.18-41** | **6.2.18-3** | **6.2.12-1** | **6.2.10-45** | **6.2.10-34** | **6.2.10-4** | **6.2.8-15** | **6.2.8-11** | **6.2.8-2** | **6.2.4-1** | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| | December 2025 | October 2025 | October 2025 | July 2025 | April 2025 | March 2025 | March 2025 | Feb 2025 | Nov 2024 | July 2024 | May 2024 | March 
2024 | Dec 2023 | Oct 2023 | Aug 2023 | July 2023 | June 2023 | April 2023 | March 2023 | Jan 2023 | Nov 2022 | Sept 2022 | July 2022 | May 2022 | March 2022 | Jan 2022 | Jan 2022 | Nov 2021 | Sept 2021 | +| **RKE2** | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.34 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.33 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.32 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.31 | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.30 | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.29 | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.28 | | | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.27 | | | | | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | +| 1.26 | | | | | | | :warning: | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | +| 1.25 | | | | | | | | | | :warning: | | | | | | | | | | | | | | | | | | | | +| 1.24 | | | | | | | | | | | | :warning: | | | | | | | | | | | | | | | | | | +| 1.23 | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | | | +| 1.24 | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | | | +| 1.23 | | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | +| **Rancher** | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.22 | | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | | | +| 1.21 | | | | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | | | | | +| 1.20 | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | +| 1.19 | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | +| 1.18 | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | +| 1.20 | | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | +| 1.19 
| | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | +| 1.18 | | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | +| 1.17 | | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | +| 1.18 | | | | | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | +| 1.17 | | | | | | | | | | | | | | | | | | | | | | | | | | | | :warning: | | {{}} 
@@ -219,27 +213,27 @@ For details on this platform, see the [Rancher documentation](https://rancherman For details on this platform, see the [TKGI documentation](https://docs.vmware.com/en/VMware-Tanzu-Kubernetes-Grid-Integrated-Edition/index.html). {{}} -| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| -| Redis operator | **8.0.2-2** | **7.22.2-21** | **7.22.0-15** | **7.22.0-7** | **7.8.6-1** | **7.8.4-9** | **7.8.4-8** | **7.8.2-6** | **7.4.6-2** | **7.4.2-12** | **7.4.2-2** | **7.2.4-12** | **7.2.4-7** | **7.2.4-2** | **6.4.2-8** | **6.4.2-6** | **6.4.2-5** | **6.4.2-4** | **6.2.18-41** | **6.2.18-3** | **6.2.12-1** | **6.2.10-45** | **6.2.10-34** | **6.2.10-4** | **6.2.8-15** | **6.2.8-11** | **6.2.8-2** | **6.2.4-1** | -| | October 2025 | October 2025 | July 2025 | April 2025 | March 2025 | March 2025 | Feb 2025 | Nov 2024 | July 2024 | May 2024 | March 2024 | Dec 2023 | Oct 2023 | Aug 2023 | July 2023 | June 2023 | April 2023 | March 2023 | Jan 2023 | Nov 2022 | Sept 2022 | July 2022 | May 2022 | March 2022 | Jan 2022 | Jan 2022 | Nov 2021 | Sept 2021 | -| **VMware TKGI** | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.22 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.21 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.20 | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.19 | | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.18 | | | | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | | | | -| 1.17 | | | | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | | | | -| 1.16 | | | | | | | | | :warning: | | | | | | | | | | | | | | | | | | | | -| 1.15 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.14 | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | | | 
-| 1.13 | | | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | -| 1.12 | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | | -| 1.11 | | | | | | | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | -| 1.10 | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | -| 1.09 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| 1.08 | | | | | | | | | | | | | | | | | | | | | | | | | | | | :warning: | -| 1.07 | | | | | | | | | | | | | | | | | | | | | | | | | | | | :warning: | +| Redis operator | **8.0.6-6** | **8.0.2-2** | **7.22.2-21** | **7.22.0-15** | **7.22.0-7** | **7.8.6-1** | **7.8.4-9** | **7.8.4-8** | **7.8.2-6** | **7.4.6-2** | **7.4.2-12** | **7.4.2-2** | **7.2.4-12** | **7.2.4-7** | **7.2.4-2** | **6.4.2-8** | **6.4.2-6** | **6.4.2-5** | **6.4.2-4** | **6.2.18-41** | **6.2.18-3** | **6.2.12-1** | **6.2.10-45** | **6.2.10-34** | **6.2.10-4** | **6.2.8-15** | **6.2.8-11** | **6.2.8-2** | **6.2.4-1** | +|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| +| | December 2025 | October 2025 | October 2025 | July 2025 | April 2025 | March 2025 | March 2025 | Feb 2025 | Nov 2024 | July 2024 | May 2024 | March 2024 | Dec 2023 | Oct 2023 | Aug 2023 | July 2023 | June 2023 | April 2023 | March 2023 | Jan 2023 | Nov 2022 | Sept 2022 | July 2022 | May 2022 | March 2022 | Jan 2022 | Jan 2022 | Nov 2021 | Sept 2021 | +| **VMware TKGI** | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.23 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.22 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.21 | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.20 | | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.19 | | | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.18 | | | | | :warning: | :warning: | | | | | | | 
| | | | | | | | | | | | | | | | | +| 1.17 | | | | | :warning: | :warning: | | | | | | | | | | | | | | | | | | | | | | | | +| 1.16 | | | | | | | | | | :warning: | | | | | | | | | | | | | | | | | | | | +| 1.15 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.14 | | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | | | +| 1.13 | | | | | | | | | | | | | | | | :warning: | :warning: | :warning: | :warning: | | | | | | | | | | | +| 1.12 | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | | +| 1.11 | | | | | | | | | | | | | | | | | | | | | | :warning: | :warning: | | | | | | | +| 1.10 | | | | | | | | | | | | | | | | | | | | | | | :warning: | | | | | | | +| 1.09 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| 1.08 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | :warning: | +| 1.07 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | :warning: | {{}} @@ -248,14 +242,11 @@ For details on this platform, see the [TKGI documentation](https://docs.vmware.c For details on this platform, see the [VKS documentation](https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vsphere-supervisor-services-and-standalone-components/latest/release-notes/vmware-tanzu-kubernetes-grid-service-release-notes.html). -| | | | +| Redis operator | **8.0.6-6** | **8.0.2-2** | |---|---|---| -| | | | -| Redis operator | **8.0.2-2** | - | -| | October 2025 | - | +| | December 2025 | October 2025 | | **VMware VKS** | | | -| 1.32 | | - | - +| 1.32 | | | ## VMware Tanzu Kubernetes Grid (TKG) diff --git a/content/operate/kubernetes/release-notes/8-0-2-releases/_index.md b/content/operate/kubernetes/release-notes/8-0-2-releases/_index.md index 216e271515..c212c51081 100644 --- a/content/operate/kubernetes/release-notes/8-0-2-releases/_index.md +++ b/content/operate/kubernetes/release-notes/8-0-2-releases/_index.md 
@@ -8,7 +8,7 @@ description: Releases with support for Redis Enterprise Software 8.0.2 hideListLinks: true linkTitle: 8.0.2 releases title: Redis Enterprise for Kubernetes 8.0.2 release notes -weight: 1 +weight: 2 --- Redis Enterprise for Kubernetes 8.0.2 includes bug fixes, enhancements, and support for Redis Enterprise Software 8.0.2. The latest release is 8.0.2-2 with support for Redis Enterprise Software version 8.0.2. diff --git a/content/operate/kubernetes/release-notes/8-0-6-releases/8-0-6-8-december2025.md b/content/operate/kubernetes/release-notes/8-0-6-releases/8-0-6-8-december2025.md new file mode 100644 index 0000000000..77d82b7d42 --- /dev/null +++ b/content/operate/kubernetes/release-notes/8-0-6-releases/8-0-6-8-december2025.md 
@@ -0,0 +1,159 @@ +--- +alwaysopen: false +categories: +- docs +- operate +- kubernetes +description: Maintenance release including support for Redis Software 8.0.6-54, enhancements, and bug fixes. +hideListLinks: true +linkTitle: 8.0.6-8 (December 2025) +title: Redis Enterprise for Kubernetes 8.0.6-8 (December 2025) release notes +weight: 1 +--- + +Redis Enterprise for Kuberntes 8.0.6-8 is a feature release that supports Redis Software [8.0.6-54]({{< relref "/operate/rs/release-notes/rs-8-0-releases/rs-8-0-6-54/" >}}), and includes enhancements, supported distribution updates and bug fixes. + +## Highlights + +- Support for external module repositories (custom modueles) +- Support for Redis Software [8.0.6-54]({{< relref "/operate/rs/release-notes/rs-8-0-releases/rs-8-0-6-54/" >}}) +- SAML 2.0 single sign-on (SSO) authentication support for the cluster manager UI + +## Enhancements + +API support has been added for the following features: + +- Database connection auditing +- REAADB alerts +- User-defined modules +- Redis Software [8.0.6-54]({{< relref "/operate/rs/release-notes/rs-8-0-releases/rs-8-0-6-54/" >}}) +- User-defined certificates for [internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) +- SAML 2.0 single sign-on (SSO) authentication +- Redis Flex + +See [API changes](#api-changes) for details. + +## Resolved issues + +- Removed 'InsecureRequestWarning: Unverified HTTPS request is being made to host localhost' message that appeared when running the healthcheck script +- Fixed bug that blocked image spec updates during active REC upgrades. +- Fixed slow reaction time by services rigger to node failures. +- Security patches + +## API changes + +| **CRD** | **Field** | **Change** | **Description** | +|---|---|---|---| +| REAADB | `spec.globalConfigurations.auditing` | Added | Enable database connection auditing. 
| +| REAADB | `spec.globalConfigurations.alertSettings` | Added | Configure alert settings for the active-active database. | +| REAADB | `spec.globalConfigurations.rofRamRatio` | Added | RAM allocation ratio for Redis Flex (v2) databases as a percentage of total data size. Valid range: 0-100. Default: 50% when omitted. Controls how much RAM is allocated per unit of data (for example, 30% means 3MB RAM per 10MB data). RAM grows proportionally with data until `rofRamSize` limit is reached (if specified). Only applicable when `isRof=true` and Redis version 8.0 or later (BigStore v2 - Redis Flex). | +| REC | `spec.auditing` | Added | Cluster-level configuration for auditing database connection and authentication events. Includes both the audit listener connection parameters and the default policy for new databases. | +| REC | `spec.sso` | Added | Cluster-level SSO configuration for authentication to the cluster manager UI. | +| REC | `spec.userDefinedModules` | Added | List of user-defined modules to be downloaded and installed during cluster bootstrap. The modules on the list will be downloaded on cluster creation, upgrade, scale-out, and recovery and installed on all nodes. Changing this field for a running cluster will trigger a rolling update. | +| REC | `spec.certificates.ssoServiceCertificateSecretName` | Added | Secret name for the cluster's SSO service certificate. Used for SAML-based SSO authentication to the cluster manager. The secret must contain `name`, `certificate`, and `key` fields (same format as other cluster certificates). If left blank, SSO will not be configured. | +| REC | `spec.certificates.ssoIssuerCertificateSecretName` | Added | Secret name for the SSO Identity Provider (IdP) certificate. This is the public certificate from your SAML Identity Provider used to verify SAML assertions. The secret must contain `name` and `certificate` fields (no `key` field needed for IdP certificate). 
This is optional - if using IdP metadata XML, the IdP certificate is included in the metadata. | +| REDB | `spec.auditing` | Added | Database-level auditing configuration. | +| REDB | `spec.rofRamRatio` | Added | RAM allocation ratio for Redis Flex (v2) databases as a percentage of total data size. Valid range: 0-100. Default: 50% when omitted. Controls how much RAM is allocated per unit of data (for example, 30% means 3MB RAM per 10MB data). RAM grows proportionally with data until `rofRamSize` limit is reached (if specified). Only applicable when `isRof=true` and Redis version 8.0 or later (BigStore v2 - Redis Flex). | +| REDB | `status.bigstoreVersion` | Added | BigStore version for Redis on Flash databases (1 for Auto Tiering, 2 for Redis Flex). Read-only field populated from Redis Software. | + + +## Supported distributions + +The following table shows supported distributions at the time of this release. You can also find this list in [Supported Kubernetes distributions]({{< relref "/operate/kubernetes/reference/supported_k8s_distributions" >}}). + + **Supported** – This distribution is supported for this version of Redis Enterprise Software for Kubernetes. + +:warning: **Deprecated** – This distribution is still supported for this version of Redis Enterprise Software for Kubernetes, but support will be removed in a future release. + + **End of life** – Support for this distribution ended. + +Any distribution not listed in the table is not supported for production workloads. 
+ +| Kubernetes version | **1.29** | **1.30** | **1.31** | **1.32** | **1.33** | **1.34** | +|---|---|---|---|---|---|---| +| **Community K8s** | | | | :warning: | | | +| **Amazon EKS** | | | | :warning: | | | +| **Azure EKS** | | | | :warning: | | | +| **Google GKE** | | | | :warning: | | | +| **Rancher REK2** | | | :warning: | | | | +| **VMware TKG 2.5** | | | | | | | +| **VMware VKS** | | | | | | | +| | | | | | | | +| **OpenShift** | **4.16** | **4.17** | **4.18** | **4.19** | **4.20** | | +| --- | --- | --- | --- | --- | --- | --- | +| | | :warning: | | | | | +| | | | | | | | +| **VMware TKGI** | **1.20** | **1.21** | **1.22** | **1.23** | | | +| --- | --- | --- | --- | --- | --- | --- | +| | | :warning: | | | | | + +## Downloads + +- **Redis Enterprise**: `redislabs/redis:8.0.6-54` +- **Operator**: `redislabs/operator:8.0.6-8` +- **Services Rigger**: `redislabs/k8s-controller:8.0.6-8` +- **Callhome client**: `redislabs/re-call-home-client:8.0.6-8` +- **Redis Enterprise operator bundle**: `8.0.6-8.0` + +## Known limitations + +### New limitations + +- **SSO configuration doesn't work with IPv6 or dual stack (IPv4/IPv6) clusters.** + +### Existing limitations + +- **Only upgrades from 7.4.2-2 and later are supported.** If you are using an earlier version, install 7.4.2-2 before upgrading to 8.0.6-8. + +- **Custom certificate upload is not supported for internode encryption (RED-173229).** Internode communication between cluster nodes continues to use default self-signed certificates and cannot be configured with customer-provided certificates. + +- **Missing endpoint for admission endpoint (rare) (RED-119469)** Restart the operator pod. 
+ +- **The REDB "redisVersion" field can't be used for memcached databases(RED-119152)** + +- **When modifying the database suffix for an Active-Active database, while the service-rigger is in a terminating state, the services-rigger will delete and create the ingress or route resources in a loop (RED-107687)** Wait until the services rigger pod has finished to terminate it. + +- **REAADB changes might fail with "gateway timeout" errors, mostly on OpenShift (RED-103048)** Retry the operation. + +- **Creating two databases with the same name directly on Redis Enterprise software will cause the service to be deleted and the database will not be available (RED-99997)** Avoid duplicating database names. Database creation via K8s has validation in place to prevent this. + +- **Installing the operator bundle produces warning: `Warning: would violate PodSecurity "restricted: v1.24"` (RED-97381)** Ignore the warning. This issue is documented as benign on official Red Hat documentation. + +- **RERC resources must have a unique name (RED-96302)** The string "rec-name"/"rec-namespace" must be different from all other participating clusters in the Active-Active database. + +- **Admission is not blocking REAADB with `shardCount` which exceeds license quota (RED-96301)** Fix the problems with the REAADB and reapply. + +- **Active-Active controller only supports global database options. Configuration specific to location is not supported (RED-86490)** + +- **Active-Active setup removal might keep services or routes undeleted (RED-77752)** Delete services or routes manually if you encounter this problem. + +- **`autoUpgrade` set to `true` can cause unexpected bdb upgrades when `redisUpgradePolicy` is set to `true` (RED-72351)** Contact support if your deployment is impacted. 
+ +- **Following the previous quick start guide version causes issues with creating an REDB due to unrecognized memory field name (RED-69515)** The workaround is to use the newer (current) revision of Deploy Redis Enterprise Software for Kubernetes. + +- **PVC size issues when using decimal value in spec (RED-62132)** Make sure you use integer values for the PVC size. + +- **REC might report error states on initial startup (RED-61707)** There is no workaround at this time except to ignore the errors. + +- **Hashicorp Vault integration - no support for Gesher (RED-55080)** There is no workaround for this issue. Gesher support has been deprecated. + +- **REC clusters fail to start on Kubernetes clusters with unsynchronized clocks (RED-47254)** When REC clusters are deployed on Kubernetes clusters without synchronized clocks, the REC cluster does not start correctly. The fix is to use NTP to synchronize the underlying K8s nodes. + +- **Deleting an OpenShift project with an REC deployed may hang (RED-47192)** When an REC cluster is deployed in a project (namespace) and has REDB resources, the REDB resources must be deleted first before the REC can be deleted. Therefore, until the REDB resources are deleted, the project deletion will hang. The fix is to delete the REDB resources first and the REC second. Then, you can delete the project. + +- **Clusters must be named 'rec' in OLM-based deployments (RED-39825)** In OLM-deployed operators, the deployment of the cluster will fail if the name is not "rec". When the operator is deployed via the OLM, the security context constraints (scc) are bound to a specific service account name (namely, "rec"). The workaround is to name the cluster "rec". + +- **Readiness probe incorrect on failures (RED-39300)** STS Readiness probe does not mark a node as "not ready" when running `rladmin status` on node failure. 
+ +- **Internal DNS and Kubernetes DNS may have conflicts (RED-37462)** DNS conflicts are possible between the cluster `mdns_server` and the K8s DNS. This only impacts DNS resolution from within cluster nodes for Kubernetes DNS names. + +- **K8s-based 5.4.10 clusters seem to negatively affect existing 5.4.6 clusters (RED-37233)** Upgrade clusters to latest version. + +- **Node CPU usage is reported instead of pod CPU usage (RED-36884)** In Kubernetes, the reported node CPU usage is the usage of the Kubernetes worker node hosting the REC pod. + +- **An unreachable cluster has status running (RED-32805)** When a cluster is in an unreachable state, the state remains `running` instead of triggering an error. + +- **Long cluster names cause routes to be rejected (RED-25871)** A cluster name longer than 20 characters will result in a rejected route configuration because the host part of the domain name exceeds 63 characters. The workaround is to limit the cluster name to 20 characters or fewer. + +- **Cluster CR (REC) errors are not reported after invalid updates (RED-25542)** A cluster CR specification error is not reported if two or more invalid CR resources are updated in sequence. + diff --git a/content/operate/kubernetes/release-notes/8-0-6-releases/_index.md b/content/operate/kubernetes/release-notes/8-0-6-releases/_index.md new file mode 100644 index 0000000000..43afd7251b --- /dev/null +++ b/content/operate/kubernetes/release-notes/8-0-6-releases/_index.md 
@@ -0,0 +1,76 @@ +--- +alwaysopen: false +categories: +- docs +- operate +- kubernetes +description: Releases with support for Redis Enterprise Software 8.0.6 +hideListLinks: true +linkTitle: 8.0.6 releases +title: Redis Enterprise for Kubernetes 8.0.6 release notes +weight: 1 +--- + +Redis Enterprise for Kubernetes 8.0.6 includes bug fixes, enhancements, and support for Redis Enterprise Software 8.0.6. The latest release is 8.0.6-8 with support for Redis Enterprise Software version 8.0.6-54. + +## Detailed release notes + +{{}} + +## Known limitations + +- **SSO configuration doesn't work with IPv6 or dual stack (IPv4/IPv6) clusters.** + +- **Only upgrades from 7.4.2-2 and later are supported.** If you are using an earlier version, install 7.4.2-2 before upgrading to 8.0.6-8. + +- **Custom certificate upload is not supported for internode encryption (RED-173229).** Internode communication between cluster nodes continues to use default self-signed certificates and cannot be configured with customer-provided certificates. + +- **Missing endpoint for admission endpoint (rare) (RED-119469)** Restart the operator pod. + +- **The REDB "redisVersion" field can't be used for memcached databases(RED-119152)** + +- **When modifying the database suffix for an Active-Active database, while the service-rigger is in a terminating state, the services-rigger will delete and create the ingress or route resources in a loop (RED-107687)** Wait until the services rigger pod has finished to terminate it. + +- **REAADB changes might fail with "gateway timeout" errors, mostly on OpenShift (RED-103048)** Retry the operation. + +- **Creating two databases with the same name directly on Redis Enterprise software will cause the service to be deleted and the database will not be available (RED-99997)** Avoid duplicating database names. Database creation via K8s has validation in place to prevent this. 
+ +- **Installing the operator bundle produces warning: `Warning: would violate PodSecurity "restricted: v1.24"` (RED-97381)** Ignore the warning. This issue is documented as benign on official Red Hat documentation. + +- **RERC resources must have a unique name (RED-96302)** The string "rec-name"/"rec-namespace" must be different from all other participating clusters in the Active-Active database. + +- **Admission is not blocking REAADB with `shardCount` which exceeds license quota (RED-96301)** Fix the problems with the REAADB and reapply. + +- **Active-Active controller only supports global database options. Configuration specific to location is not supported (RED-86490)** + +- **Active-Active setup removal might keep services or routes undeleted (RED-77752)** Delete services or routes manually if you encounter this problem. + +- **`autoUpgrade` set to `true` can cause unexpected bdb upgrades when `redisUpgradePolicy` is set to `true` (RED-72351)** Contact support if your deployment is impacted. + +- **Following the previous quick start guide version causes issues with creating an REDB due to unrecognized memory field name (RED-69515)** The workaround is to use the newer (current) revision of Deploy Redis Enterprise Software for Kubernetes. + +- **PVC size issues when using decimal value in spec (RED-62132)** Make sure you use integer values for the PVC size. + +- **REC might report error states on initial startup (RED-61707)** There is no workaround at this time except to ignore the errors. + +- **Hashicorp Vault integration - no support for Gesher (RED-55080)** There is no workaround for this issue. Gesher support has been deprecated. + +- **REC clusters fail to start on Kubernetes clusters with unsynchronized clocks (RED-47254)** When REC clusters are deployed on Kubernetes clusters without synchronized clocks, the REC cluster does not start correctly. The fix is to use NTP to synchronize the underlying K8s nodes. 
+ +- **Deleting an OpenShift project with an REC deployed may hang (RED-47192)** When an REC cluster is deployed in a project (namespace) and has REDB resources, the REDB resources must be deleted first before the REC can be deleted. Therefore, until the REDB resources are deleted, the project deletion will hang. The fix is to delete the REDB resources first and the REC second. Then, you can delete the project. + +- **Clusters must be named 'rec' in OLM-based deployments (RED-39825)** In OLM-deployed operators, the deployment of the cluster will fail if the name is not "rec". When the operator is deployed via the OLM, the security context constraints (scc) are bound to a specific service account name (namely, "rec"). The workaround is to name the cluster "rec". + +- **Readiness probe incorrect on failures (RED-39300)** STS Readiness probe does not mark a node as "not ready" when running `rladmin status` on node failure. + +- **Internal DNS and Kubernetes DNS may have conflicts (RED-37462)** DNS conflicts are possible between the cluster `mdns_server` and the K8s DNS. This only impacts DNS resolution from within cluster nodes for Kubernetes DNS names. + +- **K8s-based 5.4.10 clusters seem to negatively affect existing 5.4.6 clusters (RED-37233)** Upgrade clusters to latest version. + +- **Node CPU usage is reported instead of pod CPU usage (RED-36884)** In Kubernetes, the reported node CPU usage is the usage of the Kubernetes worker node hosting the REC pod. + +- **An unreachable cluster has status running (RED-32805)** When a cluster is in an unreachable state, the state remains `running` instead of triggering an error. + +- **Long cluster names cause routes to be rejected (RED-25871)** A cluster name longer than 20 characters will result in a rejected route configuration because the host part of the domain name exceeds 63 characters. The workaround is to limit the cluster name to 20 characters or fewer. 
+ +- **Cluster CR (REC) errors are not reported after invalid updates (RED-25542)** A cluster CR specification error is not reported if two or more invalid CR resources are updated in sequence. diff --git a/content/operate/kubernetes/security/sso.md b/content/operate/kubernetes/security/sso.md index 7683656a0c..e765cd6768 100644 --- a/content/operate/kubernetes/security/sso.md +++ b/content/operate/kubernetes/security/sso.md @@ -10,8 +10,10 @@ linkTitle: Enable SSO weight: 94 --- + Redis Enterprise Software supports SAML 2.0 single sign-on (SSO) for the Cluster Manager UI with both IdP-initiated and SP-initiated authentication. User accounts are automatically created on first sign-in using just-in-time (JIT) provisioning. + ## IdP requirements Your identity provider must support: 
@@ -29,15 +31,26 @@ To enable SSO for your Redis Enterprise cluster (REC), follow these steps to con Before enabling SSO, ensure you have: -1. A SAML 2.0-compatible identity provider (such as Okta, Azure AD, or similar) -2. Admin access to your identity provider -3. A TLS certificate and private key for the Service Provider (SP) + +1. An existing Redis Enterprise cluster (REC) deployed in Kubernetes + +2. **External access to the Cluster Manager UI** - The Cluster Manager UI must be accessible externally via a LoadBalancer service or Ingress so users can access it from their browser and the identity provider can redirect back after authentication. See [Connect to the admin console]({{< relref "/operate/kubernetes/re-clusters/connect-to-admin-console.md" >}}) for configuration options. + +3. A SAML 2.0-compatible identity provider (such as Okta, Azure AD, or similar) + +4. Admin access to your identity provider + +5. A TLS certificate and private key for the service provider (SP) + +{{}} +SSO requires external access to the Cluster Manager UI. Port forwarding is not sufficient for SSO authentication because the identity provider needs to redirect users back to the UI after authentication. You must configure either a LoadBalancer service (via `spec.uiServiceType: LoadBalancer`) or an Ingress controller. +{{}} ### Step 1: Upload Service Provider certificate and private key The Service Provider certificate is used by the cluster to sign SAML requests and encrypt SAML responses. -1. Create a secret with your Service Provider certificate and private key: +1. Create a secret with your service provider certificate and private key: ```sh kubectl -n create secret generic sso-service-cert \ 
@@ -54,7 +67,7 @@ The Service Provider certificate is used by the cluster to sign SAML requests an Replace the `` in the command above with your own values. -2. Configure the Service Provider certificate in the `RedisEnterpriseCluster` custom resource: +2. Configure the service provider certificate in the `RedisEnterpriseCluster` custom resource: ```yaml apiVersion: app.redislabs.com/v1 @@ -80,7 +93,7 @@ The Service Provider certificate is used by the cluster to sign SAML requests an #### Configure Service Provider base address (optional) -The base address is used to construct Service Provider URLs, such as the Assertion Consumer Service (ACS) URL and Single Logout (SLO) URL. +The base address is used to construct service provider URLs, such as the Assertion Consumer Service (ACS) URL and Single Logout (SLO) URL. If not specified, the base address is automatically determined from the REC Cluster Manager UI service: - If the UI service type is `LoadBalancer` (configured via `spec.uiServiceType`), the load balancer address is used. @@ -114,7 +127,7 @@ Using `http://` is NOT recommended for production environments as it transmits s ### Step 2: Download Service Provider metadata -After applying the configuration, retrieve the Service Provider metadata to use when configuring your identity provider. +After applying the configuration, retrieve the service provider metadata to use when configuring your identity provider. #### Option A: Retrieve from Kubernetes secret 
@@ -317,19 +330,6 @@ Finally, activate SSO by enabling it in the `RedisEnterpriseCluster` custom reso 3. Test SSO by accessing the Cluster Manager UI and clicking **Sign in with SSO**. -#### Enforce SSO (optional) - -By default, both SSO and local username/password authentication are available. To enforce SSO-only authentication for non-admin users, set `enforceSSO` to `true`: - -```yaml -spec: - sso: - enabled: true - enforceSSO: true -``` - -When `enforceSSO` is set to `true`, local username/password authentication is disabled for non-admin users. - ## Complete example Here's a complete example of a `RedisEnterpriseCluster` resource with SSO enabled: @@ -363,6 +363,5 @@ After enabling SSO: 1. Configure users in your identity provider with matching email addresses 2. Set up the `redisRoleMapping` attribute in your identity provider to assign appropriate roles for new users 3. Test both IdP-initiated and SP-initiated SSO flows -4. Consider enforcing SSO to disable local authentication for non-admin users For more information about Redis Enterprise Software security, see [Access control]({{< relref "/operate/rs/security/access-control/" >}}). diff --git a/content/operate/kubernetes/upgrade/openshift-cli.md b/content/operate/kubernetes/upgrade/openshift-cli.md index aa895a6039..8474ff8857 100644 --- a/content/operate/kubernetes/upgrade/openshift-cli.md +++ b/content/operate/kubernetes/upgrade/openshift-cli.md 
@@ -35,6 +35,16 @@ Your Redis Enterprise clusters must be running version 7.4.2-2 or later before u Your Redis databases must be running version 7.2 or later before upgrading your cluster version. See [upgrade databases](#upgrade-databases) for detailed steps. You can find your database version in the [REDB `spec.redisVersion` field]({{}}). +#### User-defined modules + +If your databases use user-defined modules (custom non-bundled modules): + +- Set `autoUpgradeRedisEnterprise: false` in the REC custom resource before upgrading the operator. +- Define the user-defined modules in the REC custom resource before upgrading the database. +- See [Edit `redisEnterpriseImageSpec`](#edit-redisenterpriseimagespec) for more details. + +For more information about user-defined modules, see [User-defined modules]({{< relref "/operate/kubernetes/re-databases/modules#user-defined-modules" >}}). + #### RHEL9-compatible modules Upgrading to Redis operator versions 7.8.2-6 and later involves migrating your Redis Enterprise nodes to RHEL9 from either Ubuntu 18 or RHEL8. If your databases use modules, you need to manually install modules compatible with RHEL9. @@ -81,6 +91,8 @@ For detailed Helm upgrade instructions, see [Upgrade the chart]({{}}If your databases use user-defined modules, set `autoUpgradeRedisEnterprise: false` in the REC custom resource before upgrading the operator.{{}} + ### Download the bundle Make sure you pull the correct version of the bundle. You can find the version tags 
@@ -188,6 +200,24 @@ After the operator upgrade is complete, you can upgrade Redis Enterprise cluster versionTag: ``` +1. Define any user-defined modules used by databases in the cluster. + + ```YAML + spec: + userDefinedModules: + - name: "custom-module" + source: + https: + url: "https://modules.company.com/search-v2.1.zip" + credentialsSecret: "module-repo-creds" + ``` + + The `name` field must match the `display_name` or `module_name` that appears in the module manifest (for example, "redisgears"). This enables the operator to run validation on the user-defined module. If these names don't match, the operator can't run validation on the user-defined module and preventable errors may occur. + + {{< note >}} +Adding or modifying the `userDefinedModules` list triggers a rolling restart of the Redis Enterprise cluster pods in addition to the rolling upgrade for the version change. + {{< /note >}} + 1. Save the changes to apply. ### Reapply roles and role bindings 
@@ -224,6 +254,10 @@ For Active-Active databases, the `redis.Version` change only needs to be applied If your REAADB uses supported modules, keep the existing `moduleList` version numbers unchanged when upgrading `redisVersion`. The database will automatically use the module versions that are bundled with the new Redis version, regardless of what versions are specified in `moduleList`. After the upgrade is complete, you can optionally change the old version numbers from `moduleList`, but this change has no functional impact. +#### Upgrade with user-defined modules + +If a user-defined module is used by any database in the cluster, the module must be defined in the REC custom resource before upgrading the database. See [Add user-defined modules to the REC]({{< relref "/operate/kubernetes/re-databases/modules#add-user-defined-modules-to-the-rec" >}}) for detailed instructions. + #### General upgrade notes Note that if your cluster [`redisUpgradePolicy`]({{}}) or your database [`redisVersion`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api#redisversion" >}}) are set to `major`, you won't be able to upgrade those databases to minor versions. See [Redis upgrade policy]({{< relref "/operate/rs/installing-upgrading/upgrading#redis-upgrade-policy" >}}) for more details. @@ -251,5 +285,3 @@ curl -sfk -u : -X POST -H "Content-Type: application ``` After updating the database with the Redis Software API, update the REDB custom resource to reflect the change. - - diff --git a/content/operate/kubernetes/upgrade/upgrade-olm.md b/content/operate/kubernetes/upgrade/upgrade-olm.md index d595170e76..6ad6ac3ec4 100644 --- a/content/operate/kubernetes/upgrade/upgrade-olm.md +++ b/content/operate/kubernetes/upgrade/upgrade-olm.md 
@@ -35,23 +35,15 @@ Your Redis Enterprise clusters must be running version 7.4.2-2 or later before u Your Redis databases must be running version 7.2 or later before upgrading your cluster version. See [upgrade databases](#upgrade-databases) for detailed steps. You can find your database version in the [REDB `spec.redisVersion` field]({{}}). -#### RHEL9-compatible modules +### User-defined modules -Upgrading to Redis operator version 7.8.2-6 or later involves migrating your Redis Enterprise nodes to RHEL9 from either Ubuntu 18 or RHEL8. If your databases use modules, you need to manually install modules compatible with RHEL9. +If your databases use user-defined modules (custom non-bundled modules): -To see which modules you have installed, run: +- Set `autoUpgradeRedisEnterprise: false` in the REC custom resource before upgrading the operator. +- Define the user-defined modules in the REC custom resource before upgrading the database. +- See [Edit `redisEnterpriseImageSpec`](#edit-redisenterpriseimagespec) for more details. -```sh -curl -k -u : -X GET https://localhost:9443/v1/modules | jq -r 'map([.module_name, .semantic_version, (.platforms | keys)]) | .[] | .[0] as $name | .[1] as $version | .[2][] | $name + "-" + $version + "-" + .' | sort -``` - -To see which modules are currently in use, run: - -```sh -curl -k -u : -X GET https://localhost:9443/v1/bdbs | jq -r '.[].module_list | map(.module_name + "-" + .semantic_version) | .[]' -``` - -See [Upgrade modules]({{}}) for details on how to upgrade modules with the `rladmin` tool. +For more information about user-defined modules, see [User-defined modules]({{< relref "/operate/kubernetes/re-databases/modules#user-defined-modules" >}}). ### Valid license 
@@ -111,6 +103,24 @@ After the operator upgrade is complete, you can upgrade Redis Enterprise cluster versionTag: ``` +1. Define any user-defined modules used by databases in the cluster. + + ```YAML + spec: + userDefinedModules: + - name: "custom-module" + source: + https: + url: "https://modules.company.com/search-v2.1.zip" + credentialsSecret: "module-repo-creds" + ``` + + The `name` field must match the `display_name` or `module_name` that appears in the module manifest (for example, "redisgears"). This enables the operator to run validation on the user-defined module. If these names don't match, the operator can't run validation on the user-defined module and preventable errors may occur. + + {{< note >}} +Adding or modifying the `userDefinedModules` list triggers a rolling restart of the Redis Enterprise cluster pods in addition to the rolling upgrade for the version change. + {{< /note >}} + 1. Save the changes to apply. ### Reapply roles and role bindings diff --git a/content/operate/kubernetes/upgrade/upgrade-redis-cluster.md b/content/operate/kubernetes/upgrade/upgrade-redis-cluster.md index abf87c8a4e..30b2363ec5 100644 --- a/content/operate/kubernetes/upgrade/upgrade-redis-cluster.md +++ b/content/operate/kubernetes/upgrade/upgrade-redis-cluster.md 
@@ -35,23 +35,15 @@ Check the [Redis Enterprise for Kubernetes release notes]({{}}). -### Module compatibility +### User-defined modules -Some Redis Enterprise operator versions may require specific module versions or involve changes to the underlying operating system. If your databases use modules, check the release notes for your target version to determine if you need to manually install updated modules. +If your databases use user-defined modules (custom non-bundled modules): -To see which modules you have installed, run: +- Set `autoUpgradeRedisEnterprise: false` in the REC custom resource before upgrading the operator. +- Define the user-defined modules in the REC custom resource before upgrading the database. +- See [Edit `redisEnterpriseImageSpec`](#edit-redisenterpriseimagespec-in-the-rec-spec) for more details. -```sh -curl -k -u : -X GET https://localhost:9443/v1/modules | jq -r 'map([.module_name, .semantic_version, (.platforms | keys)]) | .[] | .[0] as $name | .[1] as $version | .[2][] | $name + "-" + $version + "-" + .' | sort -``` - -To see which modules are currently in use, run: - -```sh -curl -k -u : -X GET https://localhost:9443/v1/bdbs | jq -r '.[].module_list | map(.module_name + "-" + .semantic_version) | .[]' -``` - -See [Upgrade modules]({{}}) for details on how to upgrade modules with the `rladmin` tool. +For more information about user-defined modules, see [User-defined modules]({{< relref "/operate/kubernetes/re-databases/modules#user-defined-modules" >}}). ### Valid license @@ -86,6 +78,8 @@ For detailed Helm upgrade instructions, see [Upgrade the chart]({{}}If your databases use user-defined modules, set `autoUpgradeRedisEnterprise: false` in the REC custom resource before upgrading the operator.{{}} + ### Download the bundle Make sure you pull the correct version of the bundle. You can find the version tags 
@@ -164,11 +158,9 @@ Before beginning the upgrade of the Redis Enterprise cluster, check the [Redis E After the operator upgrade is complete, you can upgrade Redis Enterprise cluster (REC). -### Upgrade an REC with an Active-Active database - -We recommend upgrading all participating clusters to the same operator version. - -If you are upgrading from a preview version of the Active-Active controller, you can remove the following environment variables: `ACTIVE_ACTIVE_DATABASE_CONTROLLER_ENABLED`, `REMOTE_CLUSTER_CONTROLLER_ENABLED`, and `ENABLE_ALPHA_FEATURES`. +{{}} +For Active-Active databases, we recommend upgrading all participating clusters to the same operator version. +{{}} ### Edit `redisEnterpriseImageSpec` in the REC spec @@ -188,6 +180,24 @@ If you are upgrading from a preview version of the Active-Active controller, you versionTag: ``` +1. Define any user-defined modules used by databases in the cluster. + + ```YAML + spec: + userDefinedModules: + - name: "custom-module" + source: + https: + url: "https://modules.company.com/search-v2.1.zip" + credentialsSecret: "module-repo-creds" + ``` + + The `name` field must match the `display_name` or `module_name` that appears in the module manifest (for example, "redisgears"). This enables the operator to run validation on the user-defined module. If these names don't match, the operator can't run validation on the user-defined module and preventable errors may occur. + + {{< note >}} +Adding or modifying the `userDefinedModules` list triggers a rolling restart of the Redis Enterprise cluster pods in addition to the rolling upgrade for the version change. + {{< /note >}} + 1. Save the changes to apply. ### Reapply roles and role bindings 
@@ -214,17 +224,25 @@ To see the status of the current rolling upgrade, run: kubectl rollout status sts ``` -### Upgrade databases +## Upgrade databases After the cluster is upgraded, you can upgrade your databases. +### Upgrade REDB + To upgrade your REDB, specify your new database version in the `spec.redisVersion` field in the REDB or REAADB custom resources. Supported database versions for operator versions include "7.2", "7.4", "8.0", and "8.2" (note this value is a string). +### Upgrade REAADB + For Active-Active databases, the `redis.Version` change only needs to be applied on one participating cluster and will automatically propagate to all other participating clusters. All participating clusters must be running operator version 8.0.2-2 or later. If your REAADB uses supported modules, keep the existing `moduleList` version numbers unchanged when upgrading `redisVersion`. The database will automatically use the module versions that are bundled with the new Redis version, regardless of what versions are specified in `moduleList`. After the upgrade is complete, you can optionally change the old version numbers from `moduleList`, but this change has no functional impact. -#### General upgrade notes +### Upgrade with user-defined modules + +If a user-defined module is used by any database in the cluster, the module must be defined in the REC custom resource before upgrading the database. See [Add user-defined modules to the REC]({{< relref "/operate/kubernetes/re-databases/modules#add-user-defined-modules-to-the-rec" >}}) for detailed instructions. + +### Upgrade policy Note that if your cluster [`redisUpgradePolicy`]({{}}) or your database [`redisVersion`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api#redisversion" >}}) are set to `major`, you won't be able to upgrade those databases to minor versions. See [Redis upgrade policy]({{< relref "/operate/rs/installing-upgrading/upgrading#redis-upgrade-policy" >}}) for more details. 
@@ -232,6 +250,30 @@ Note that if your cluster [`redisUpgradePolicy`]({{ -o jsonpath='{.spec.autoUpgradeRedisEnterprise}' + ``` + +1. **Verify modules are defined in the REC**: Ensure all user-defined modules are listed in the REC `userDefinedModules` section before upgrading. + + ```sh + kubectl get rec -o jsonpath='{.spec.userDefinedModules}' | jq + ``` + +1. **Check module validation errors**: Review the REC status for module validation errors. + + ```sh + kubectl describe rec + ``` + +For more information about user-defined modules, see [User-defined modules]({{< relref "/operate/kubernetes/re-databases/modules#user-defined-modules" >}}). + ### Invalid module version If the operator logs show an event related to an unsupported module, download the updated module locally, and install it using the `v2/modules` API endpoint. diff --git a/content/operate/oss_and_stack/stack-with-enterprise/install/_index.md b/content/operate/oss_and_stack/stack-with-enterprise/install/_index.md index 19b3e97d6d..85927dfe33 100644 --- a/content/operate/oss_and_stack/stack-with-enterprise/install/_index.md +++ b/content/operate/oss_and_stack/stack-with-enterprise/install/_index.md 
@@ -11,7 +11,7 @@ linkTitle: Install and upgrade modules weight: 4 --- -Several modules that provide additional Redis capabilities, such as search and query, JSON, time series, and probabilistic data structures, come packaged with [Redis Enterprise Software]({{< relref "/operate/rs" >}}). As of version 8.0, Redis Enterprise Software includes four feature sets, compatible with different Redis database versions. +Several modules that provide additional Redis capabilities, such as search and query, JSON, time series, and probabilistic data structures, come packaged with [Redis Enterprise Software]({{< relref "/operate/rs" >}}). As of version 8.0, Redis Enterprise Software includes multiple feature sets, compatible with different Redis database versions. However, if you want to use additional modules or upgrade a module to a more recent version, you need to: diff --git a/content/operate/oss_and_stack/stack-with-enterprise/install/add-module-to-cluster.md b/content/operate/oss_and_stack/stack-with-enterprise/install/add-module-to-cluster.md index a02c7bf2b1..eae69275e6 100644 --- a/content/operate/oss_and_stack/stack-with-enterprise/install/add-module-to-cluster.md +++ b/content/operate/oss_and_stack/stack-with-enterprise/install/add-module-to-cluster.md 
@@ -10,7 +10,7 @@ linkTitle: Install on a cluster weight: 10 --- -[Redis Enterprise Software]({{< relref "/operate/rs" >}}) comes packaged with several modules that provide additional Redis capabilities such as [search and query]({{}}), [JSON]({{}}), [time series]({{}}), and [probabilistic data structures]({{}}). As of version 8.0, Redis Enterprise Software includes four feature sets, compatible with different Redis database versions. You can view the installed modules, their versions, and their minimum compatible Redis database versions from **Cluster > Modules** in the Cluster Manager UI. +[Redis Enterprise Software]({{< relref "/operate/rs" >}}) comes packaged with several modules that provide additional Redis capabilities such as [search and query]({{}}), [JSON]({{}}), [time series]({{}}), and [probabilistic data structures]({{}}). As of version 8.0, Redis Enterprise Software includes multiple feature sets, compatible with different Redis database versions. You can view the installed modules, their versions, and their minimum compatible Redis database versions from **Cluster > Modules** in the Cluster Manager UI. To use other modules or upgrade an existing module to a more recent version, you need to install the new module package on your cluster. 
@@ -18,6 +18,20 @@ To use other modules or upgrade an existing module to a more recent version, you Some module versions are not supported or recommended for use with Redis Enterprise Software. {{}} +## Module package requirements + +The module must be packaged as a `.zip` file containing: + +- **module.json**: A metadata file with module information including: + - `module_name`: The actual module name + - `version`: Numeric version + - `semantic_version`: Semantic version string (for example, "1.0.0") + - `min_redis_version`: Minimum compatible Redis version + - `commands`: List of commands the module provides + - `capabilities`: List of module capabilities + +- **Module binary**: The compiled `.so` file for the target platform + ## Get packaged modules To install or upgrade a module on a [Redis Enterprise Software]({{< relref "/operate/rs" >}}) cluster, you need a module package. 
@@ -26,6 +40,237 @@ To install or upgrade a module on a [Redis Enterprise Software]({{< relref "/ope - For custom-packaged modules, download a [custom-packaged module](https://redislabs.com/community/redis-modules-hub/) from the developer. +- User-defined modules are downloaded automatically if you [add them during bootstrapping](#bootstrap-user-defined-module). + +## Add user-defined modules during bootstrapping (Redis Software v8.0.6 and later) {#bootstrap-user-defined-module} + +As of Redis Enterprise Software version 8.0.6, you can include `user_defined_modules` in REST API requests to [initiate boostrap operations]({{}}) such as `create_cluster`, `join_cluster`, or `recover_cluster`. Each node in the cluster independently downloads and installs the specified modules during its bootstrap process. + +`user_defined_modules` has the following JSON schema: + +```json +{ + "user_defined_modules": [ + { + "name": "string (required)", + "location": { + "location_type": "http | https (required)", + "url": "string (required)", + "credentials": { + "username": "string (optional)", + "password": "string (optional)" + } + } + } + ] +} +``` + +### Best practices + +- Use `https` instead of `http` for secure module downloads. + +- Include version numbers in module URLs. + +- Use the same `user_defined_modules` configuration for all nodes in a cluster. + +- If using authenticated downloads, ensure credentials are properly secured. + +- Ensure modules are compatible with the Redis database version running on your cluster. + +- Verify modules work correctly before deploying to production environments. 
+ +### Example requests + +{{< multitabs id="bootstrap-modules" + tab1="Create cluster" + tab2="Join cluster" + tab3="Recover cluster" >}} + +The following example creates a cluster with multiple modules: + + +```sh +POST /v1/bootstrap/create_cluster +{ + "action": "create_cluster", + "credentials": { + "username": "admin@example.com", + "password": "your-secure-password" + }, + "cluster": { + "name": "my-cluster.example.com" + }, + "user_defined_modules": [ + { + "name": "ModuleA", + "location": { + "location_type": "https", + "url": "https://private-repo.example.com/enterprise-module-2.0.0.zip", + "credentials": { + "username": "download-user", + "password": "download-password" + } + } + }, + { + "name": "ModuleB", + "location": { + "location_type": "https", + "url": "https://modules.example.com/module-b-2.5.0.zip" + } + }, + { + "name": "ModuleC", + "location": { + "location_type": "http", + "url": "http://internal-server.local/module-c-1.2.0.zip" + } + } + ] +} +``` + +-tab-sep- + +The following example joins a node to a cluster with multiple modules: + +```sh +POST /v1/bootstrap/join_cluster +{ + "action": "join_cluster", + "credentials": { + "username": "admin@example.com", + "password": "your-secure-password" + }, + "cluster": { + "name": "my-cluster.example.com", + "nodes": ["192.168.1.10", "192.168.1.11"] + }, + "user_defined_modules": [ + { + "name": "ModuleA", + "location": { + "location_type": "https", + "url": "https://private-repo.example.com/enterprise-module-2.0.0.zip", + "credentials": { + "username": "download-user", + "password": "download-password" + } + } + }, + { + "name": "ModuleB", + "location": { + "location_type": "https", + "url": "https://modules.example.com/module-b-2.5.0.zip" + } + }, + { + "name": "ModuleC", + "location": { + "location_type": "http", + "url": "http://internal-server.local/module-c-1.2.0.zip" + } + } + ] +} +``` + +-tab-sep- + +The following example recovers a cluster with multiple modules: + +```sh +POST 
/v1/bootstrap/recover_cluster +{ + "action": "recover_cluster", + "recovery_filename": "/path/to/backup.rdb", + "credentials": { + "username": "admin@example.com", + "password": "your-secure-password" + }, + "user_defined_modules": [ + { + "name": "ModuleA", + "location": { + "location_type": "https", + "url": "https://private-repo.example.com/enterprise-module-2.0.0.zip", + "credentials": { + "username": "download-user", + "password": "download-password" + } + } + }, + { + "name": "ModuleB", + "location": { + "location_type": "https", + "url": "https://modules.example.com/module-b-2.5.0.zip" + } + }, + { + "name": "ModuleC", + "location": { + "location_type": "http", + "url": "http://internal-server.local/module-c-1.2.0.zip" + } + } + ] +} +``` + +{{< /multitabs >}} + +### Troubleshooting + +#### Error handling + +Download failures do not fail the bootstrap process. If a module fails to download or install, a warning is logged and the bootstrap process continues with the remaining modules. + +Warnings are recorded in the bootstrap status with: +- `warning_type`: `"module_download_failed"` +- `message`: Error description +- `details`: `{"module_name": ""}` + +#### Module download failed + +Check the bootstrap logs for detailed error messages: + +``` +Failed to download and install custom module '': +``` + +Common causes: +- Invalid URL +- Network connectivity issues +- Authentication failures +- Module package format issues + +#### Module compatibility errors + +After processing user-defined modules, the system validates that all custom modules are compatible with existing databases in the cluster. This validation: + +1. Checks which custom modules are used by existing databases. + +1. Verifies that compatible module versions are available on the node. + +1. Fails the bootstrap process if incompatible modules are detected. + +If the bootstrap process fails with an `incompatible_modules` error: + +1. Verify the module version is compatible with existing databases. 
+ +1. Ensure the module binary exists and is accessible. + +#### Missing module.json + +If you see `"module.json missing"` errors: + +1. Verify the zip file contains a valid `module.json` at the root level. + +1. Verify the JSON is properly formatted. + ## Add a user-defined module to a cluster (Redis Software v8.0.x and later) {#add-user-defined-module-to-cluster} To add a custom module to a cluster running Redis Enterprise Software version 8.0.x or later, use the following REST API requests: diff --git a/content/operate/rc/langcache/create-service.md b/content/operate/rc/langcache/create-service.md index 24b96a2489..16dfdb7cb8 100644 --- a/content/operate/rc/langcache/create-service.md +++ b/content/operate/rc/langcache/create-service.md 
@@ -32,19 +32,39 @@ LangCache does not support the following databases during public preview: From the [Redis Cloud console](https://cloud.redis.io/), select **LangCache** from the left-hand menu. -When you access the LangCache page for the first time, you will see a page with an introduction to LangCache. Select **Let's create a service** to create your first service. +If you have not already created a LangCache service, you'll see a page with an introduction to LangCache. Otherwise, select **New service** to go to the LangCache introduction page. -{{The Let's create a service button.}} +{{The New service button.}} -If you have already created a LangCache service, select **New service** to create another one. +From here: -{{The New service button.}} +- Select **Quick create** to create a LangCache service with default settings using your Free 30MB database. If you haven't created a Free database yet, Redis Cloud will create one and set up the LangCache service for you. + + {{The Quick create button.}} + + After Redis Cloud creates your LangCache service, a window containing your LangCache service key will appear. Select **Copy** to copy the key to your clipboard. + + {{The LangCache service key window. Use the Copy button to save the service key to the clipboard.}} + + {{}} +This is the only time the value of the user key is available. Save it to a secure location before closing the dialog box.

-This takes you to the **Create LangCache service** page. The page is divided into the following sections: +If you lose the service key value, you will need to [generate a new service key]({{< relref "/operate/rc/langcache/view-edit-cache#replace-service-api-key" >}}) to be able to use the LangCache API. + {{
}} + + After your cache is created, you can [use the LangCache API]({{< relref "/operate/rc/langcache/use-langcache" >}}) from your client app. + + You can also [view and edit the cache]({{< relref "/operate/rc/langcache/view-edit-cache" >}}) and [monitor the cache's performance]({{< relref "/operate/rc/langcache/monitor-cache" >}}). + +- If you want to customize your LangCache service, select **Create custom service**. -1. The [General settings](#general-settings) section defines basic properties of your service. -1. The [Embedding settings](#embedding-settings) section defines the embedding model used by your service. -1. The [Attributes settings](#attributes-settings) section allows you to define attributes for your service. + {{The Create custom service button.}} + + This takes you to the **Create LangCache service** page. The page is divided into the following sections: + + 1. The [General settings](#general-settings) section defines basic properties of your service. + 1. The [Embedding settings](#embedding-settings) section defines the embedding model used by your service. + 1. The [Attributes settings](#attributes-settings) section allows you to define attributes for your service. ### General settings 
@@ -57,7 +77,7 @@ The **General settings** section defines basic properties of your service. | **Service name** | Enter a name for your LangCache service. We recommend you use a name that describes your service's purpose. | | **Select database** | Select the Redis Cloud database to use for this service from the list. | | **TTL** | The time to live (TTL) for cache entries, in milliseconds. Default: `No expiration` - items in the cache will remain until manually removed. | -| **User** | The [database access user]({{< relref "/operate/rc/security/access-control/data-access-control/role-based-access-control" >}}) to use for this service. LangCache only supports the [`default` user]({{< relref "/operate/rc/security/access-control/data-access-control/default-user" >}}) during public preview. | +| **User for this service** | The [database access user]({{< relref "/operate/rc/security/access-control/data-access-control/role-based-access-control" >}}) to use for this service. LangCache only supports the [`default` user]({{< relref "/operate/rc/security/access-control/data-access-control/default-user" >}}) during public preview. | ### Embedding settings @@ -65,11 +85,14 @@ The **Embedding settings** section defines the embedding model used by your serv {{The Embedding settings section.}} +Required settings depend on the embedding provider you select. + | Setting name |Description| |:----------------------|:----------| -| **Embedding Provider** | The embedding provider to use for your service. Select between `Redis` and `OpenAI`. | -| **Embedding provider API key** | Enter your embedding provider's API key if not using the default Redis embedding provider. | -| **Model** | Select the embedding model to use for your service. | +| **Embedding Provider** | The embedding provider to use for your service. Select between `Redis`, `OpenAI`, and `Bring your own`.
Any embedding provider you use must support the [OpenAI embeddings API](https://platform.openai.com/docs/api-reference/embeddings). | +| **Embedding provider API key** | Enter your embedding provider's API key *(`OpenAI` and `Bring your own` embedding providers only)* | +| **Embedding provider URL** | Enter your embedding provider's API URL *(`Bring your own` embedding provider only)* | +| **Model** | Select or enter the embedding model to use for your service. | | **Similarity threshold** | Set the minimum similarity score required to consider a cached response a match. Range: `0.5` to `1.0`. Default: `0.85`

A higher value means more precise matches, but if it's too high, you will compromise on the number of matches and may lose relevant matches. A lower value means more matches, but may include less relevant matches. We recommend starting between `0.8` and `0.9` and then fine-tuning based on your results. | ### Attributes settings @@ -78,7 +101,7 @@ Attributes provide powerful scoping capabilities for your LangCache operations. The **Attributes settings** section allows you to define attributes for your service. It is collapsed by default. -{{The Attributes settings section, expanded.}} +{{The Attributes settings section.}} LangCache allows you to define up to 5 custom attributes that align with your specific use case. To add a new attribute: @@ -92,7 +115,7 @@ LangCache allows you to define up to 5 custom attributes that align with your sp After you save your custom attribute, it will appear in the list of custom attributes. Use the **Delete** button to remove it. -{{Select the Delete button to delete the selected attribute.}} +{{Select the Delete button to delete the selected attribute.}} You can also select **Add attribute** again to add an additional attribute. diff --git a/content/operate/rc/langcache/monitor-cache.md b/content/operate/rc/langcache/monitor-cache.md index a250230751..0970200652 100644 --- a/content/operate/rc/langcache/monitor-cache.md +++ b/content/operate/rc/langcache/monitor-cache.md 
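Review bot: In the Embedding settings table of `create-service.md` (hunk `@@ -65,11 +85,14 @@`), the new **Embedding provider URL** row does not say which URL schemes are accepted, although the API key entered in the row above is used with that endpoint for `Bring your own` providers. State whether the URL must be `https://` and whether it has to be reachable from Redis Cloud, so readers do not point the service at a plaintext or internal-only endpoint. The two new parenthetical descriptions also end without a period, unlike the other rows in the table.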
@@ -17,7 +17,7 @@ You can monitor a LangCache service's performance from the **Metrics** tab of th The **Metrics** tab provides a series of graphs showing performance data for your LangCache service. -You can switch between daily and weekly stats using the **Day** and **Week** buttons at the top of the page. Each graph also includes minimum, average, maximum, and latest values. +You can switch between hourly, daily, and weekly stats using the **Hour**, **Day**, and **Week** buttons at the top of the page. Each graph also includes minimum, average, maximum, and latest values. ## LangCache metrics reference @@ -48,8 +48,4 @@ High cache latency may indicate one of the following: - Inefficient embedding generation from the embedding provider - Large cache requiring longer comparison times - Network latency between the cache and embedding provider -- Resource constraints - -### Cache items - -The total number of entries stores in your cache. Each item includes the query string, embedding, response, and other metadata. \ No newline at end of file +- Resource constraints \ No newline at end of file diff --git a/content/operate/rc/langcache/view-edit-cache.md b/content/operate/rc/langcache/view-edit-cache.md index a60b66ec40..836bd45335 100644 --- a/content/operate/rc/langcache/view-edit-cache.md +++ b/content/operate/rc/langcache/view-edit-cache.md 
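Review bot: In `monitor-cache.md`, the last hunk (`@@ -48,8 +48,4 @@`) still leaves `- Resource constraints` as the final line with `\ No newline at end of file`. Add the trailing newline while this line is being touched, and check that nothing else links to the removed `### Cache items` heading.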
@@ -37,7 +37,7 @@ The **Connectivity** section provides the connection details for your LangCache |:----------------------|:----------| | **API Key** | The Bearer token for your LangCache API requests. | | **Cache ID** | The unique ID of your LangCache service. | -| **API Base URL** | The base URL for LangCache API requests. | +| **URL List** | A list of base URLs for LangCache API requests. Use the closest URL for the best performance. | Select the **Copy** button next to the Cache ID and API Base URL to copy them to the clipboard. If you lost the API key value or need to rotate the key, you can [generate a new service API key](#replace-service-api-key) at any time. @@ -51,7 +51,7 @@ To generate a new service key: 1. Select **Generate key**. - {{The Replace Key button.}} + {{The Generate Key button.}} 1. A confirmation dialog will appear. Select **Confirm** to confirm. diff --git a/content/operate/rc/security/aws-privatelink.md b/content/operate/rc/security/aws-privatelink.md index a01d77d28c..e8bda10c64 100644 --- a/content/operate/rc/security/aws-privatelink.md +++ b/content/operate/rc/security/aws-privatelink.md 
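Review bot: In `view-edit-cache.md` (hunk `@@ -37,7 +37,7 @@`), the table row is renamed to **URL List**, but the unchanged sentence directly below it still reads "Select the **Copy** button next to the Cache ID and API Base URL". Update that sentence to the new label, and say how the Copy button works for a list of URLs (one button per URL or one for the whole list).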
@@ -130,7 +130,7 @@ Follow the guide to [create a VPC resource endpoint in the AWS console](https:// - **Type**: Select **Resources**. - **Resource configurations**: Select the configuration with the same Resource Configuration ID as the one shown in the Redis Cloud console. - **VPC**: Select your VPC from the list. -- **Addtional settings**: Select **Enable private DNS name** and set **Private DNS Preference** to **Verified domains only** or **Verified domains and specified domains**. +- **Additional settings**: Select **Enable private DNS name** and set **Private DNS Preference** to **Verified domains only** or **Verified domains and specified domains**. - **Subnets**: Select the subnets to create endpoint network resources in. - **Security groups**: Select any security groups you want to associate with the resource endpoint, including the security group that allows access to the necessary ports, as described in the [prerequisites](#prerequisites) diff --git a/content/operate/rs/references/rest-api/objects/bootstrap/_index.md b/content/operate/rs/references/rest-api/objects/bootstrap/_index.md index df3331d459..8123bc2c93 100644 --- a/content/operate/rs/references/rest-api/objects/bootstrap/_index.md +++ b/content/operate/rs/references/rest-api/objects/bootstrap/_index.md 
@@ -39,5 +39,7 @@ A bootstrap configuration object. | recovery_filename | string | Name of backup file to recover from | | required_version | string | This node can only join the cluster if all nodes in the cluster have a version greater than the required_version (deprecated as of Redis Enterprise Software v7.8.6) | | retry_time | integer | Max waiting time between retries (in seconds) | +| user_defined_modules | array of [user_defined_module]({{< relref "/operate/rs/references/rest-api/objects/bootstrap/user_defined_module" >}}) objects | List of custom modules to download and install during bootstrap. Each node downloads and installs the modules independently. | +| witness_disk | object | An API object that represents the Witness Disk bootstrap configuration | diff --git a/content/operate/rs/references/rest-api/objects/bootstrap/user_defined_module.md b/content/operate/rs/references/rest-api/objects/bootstrap/user_defined_module.md new file mode 100644 index 0000000000..0fc38d6cfb --- /dev/null +++ b/content/operate/rs/references/rest-api/objects/bootstrap/user_defined_module.md @@ -0,0 +1,40 @@ +--- +Title: user_defined_module object +alwaysopen: false +categories: +- docs +- operate +- rs +description: An object for user-defined module configuration during bootstrap +hideListLinks: true +linkTitle: user_defined_module +weight: $weight +--- + +A user-defined module configuration object for bootstrap operations. + +| Name | Type/Value | Description | +|------|------------|-------------| +| name | string | Module name for presentation and logging purposes (required) | +| location | object | Information on where to download the module from (required)
{{}}{ + "location_type": "http | https", + "url": "string", + "credentials": { + "username": "string", + "password": "string" + } +}{{}}
**location_type**: The type of location, either `http` or `https` (required)
**url**: The URL to download the module zip file from (required)
**credentials**: Optional credentials for downloads that require basic authentication | + +## Module package requirements + +The module must be packaged as a `.zip` file containing: + +- **module.json**: A metadata file with module information including: + - `module_name`: The actual module name + - `version`: Numeric version + - `semantic_version`: Semantic version string (for example, "1.0.0") + - `min_redis_version`: Minimum compatible Redis version + - `commands`: List of commands the module provides + - `capabilities`: List of module capabilities + +- **Module binary**: The compiled `.so` file for the target platform diff --git a/content/operate/rs/references/rest-api/objects/certificates.md b/content/operate/rs/references/rest-api/objects/certificates.md index 6d24c0fc75..45290379ab 100644 --- a/content/operate/rs/references/rest-api/objects/certificates.md +++ b/content/operate/rs/references/rest-api/objects/certificates.md @@ -14,6 +14,6 @@ An API object that represents a certificate used by a Redis Enterprise Software | Name | Type/Value | Description | |------|------------|-------------| -| name | `cm`
`api`
`mtls_trusted_ca`
`proxy`
`metrics_exporter`
`syncer`
`ldap_client`
`ccs_internode_encryption`
`data_internode_encryption` | Certificate type.
See the [certificates table]({{< relref "/operate/rs/security/certificates" >}}) for the list of cluster certificates and their descriptions. | +| name | "cm"
"api"
"mtls_trusted_ca"
"proxy"
"metrics_exporter"
"syncer"
"ldap_client"
"ccs_internode_encryption"
"data_internode_encryption"
"sso_service"
"sso_issuer" | Certificate type.
See the [certificates table]({{< relref "/operate/rs/security/certificates" >}}) for the list of cluster certificates and their descriptions. | | certificate | string | The certificate in PEM format | | key | string | The private key in PEM format | diff --git a/content/operate/rs/references/rest-api/objects/crdb/database_config.md b/content/operate/rs/references/rest-api/objects/crdb/database_config.md index 8a290ccc07..431609ba3b 100644 --- a/content/operate/rs/references/rest-api/objects/crdb/database_config.md +++ b/content/operate/rs/references/rest-api/objects/crdb/database_config.md @@ -19,6 +19,7 @@ An object that represents the database configuration. | authentication_redis_pass | string | Redis AUTH password (deprecated as of Redis Enterprise v7.2, replaced with multiple passwords feature in version 6.0.X) | | bigstore | boolean (default: false) | Database driver is Auto Tiering | | bigstore_ram_size | integer (default: 0) | Memory size of RAM size | +| cert | string | Optional PEM-encoded server certificate for the underlying database instance | | data_persistence | 'disabled'
'snapshot'
**'aof'** | Database on-disk persistence policy. For snapshot persistence, a [snapshot_policy]({{< relref "/operate/rs/references/rest-api/objects/bdb/snapshot_policy" >}}) must be provided | | enforce_client_authentication | **'enabled'**
'disabled' | Require authentication of client certificates for SSL connections to the database. If enabled, a certificate should be provided in either `authentication_ssl_client_certs` or `authentication_ssl_crdt_certs` | | max_aof_file_size | integer | Maximum AOF file size in bytes | @@ -29,6 +30,7 @@ An object that represents the database configuration. | oss_cluster_api_preferred_ip_type | 'internal'
'external' | Indicates preferred IP type in OSS cluster API | | oss_sharding | boolean (default: false) | An alternative to `shard_key_regex` for using the common case of the OSS shard hashing policy | | port | integer | TCP port for database access | +| private_key | string | Optional PEM-encoded private key matching the certificate for the underlying database instance | | proxy_policy | 'single'
'all-master-shards'
'all-nodes' | The policy used for proxy binding to the endpoint | | rack_aware | boolean (default: false) | Require the database to be always replicated across multiple racks | | replication | boolean (default: true) | Database replication | diff --git a/content/operate/rs/references/rest-api/objects/sso.md b/content/operate/rs/references/rest-api/objects/sso.md new file mode 100644 index 0000000000..01ff6591ca --- /dev/null +++ b/content/operate/rs/references/rest-api/objects/sso.md @@ -0,0 +1,28 @@ +--- +Title: SSO object +alwaysopen: false +categories: +- docs +- operate +- rs +description: An object for single sign-on (SSO) configuration +linkTitle: sso +weight: $weight +--- + +An API object that represents single sign-on (SSO) configuration in the cluster. + +| Name | Type/Value | Description | +|------|------------|-------------| +| control_plane | boolean (default: false) | If `true`, enables single sign-on (SSO) for the control plane. | +| enforce_control_plane | boolean (default: false) | If `true`, enforce SSO login for the control plane for non-admin users. If `false`, all users can still login using their local username and password if SSO is down. | +| protocol | "saml2" | SSO protocol to use. | +| issuer | complex object | Issuer related configuration.
Contains the following fields:
**id**: Unique ID of the issuer side (example: "urn:sso:example:idp")
**login_url**: SSO login URL (example: "https://idp.example.com/sso/saml")
**logout_url**: SSO logout URL (example: "https://idp.example.com/sso/slo")
**metadata**: Base64 encoded IdP metadata (read-only) | +| service | complex object | Service related configuration.
For SAML2 service configuration:
{{}}{ + "address": "string", + "saml2": { + "entity_id": "string", + "acs_url": "string", + "slo_url": "string" + } +}{{}}
**address**: External service address used for SSO. By default, the cluster name with the Cluster Manager port is used.
**acs_url**: Assertion Consumer Service URL (read-only)
**slo_url**: Single Logout URL (read-only)
**entity_id**: Service entity ID (read-only) | diff --git a/content/operate/rs/references/rest-api/objects/user.md b/content/operate/rs/references/rest-api/objects/user.md index 62278759e1..2240cf52bd 100644 --- a/content/operate/rs/references/rest-api/objects/user.md +++ b/content/operate/rs/references/rest-api/objects/user.md @@ -15,7 +15,7 @@ weight: $weight | uid | integer | User's unique ID | | account_id | integer | SM account ID | | action_uid | string | Action UID. If it exists, progress can be tracked by the `GET /actions/{uid}` API request (read-only) | -| auth_method | **'regular'**
'certificate'
'entraid' | User's authentication method | +| auth_method | **'regular'**
'certificate'
'entraid'
'sso' | User's authentication method | | bdbs_email_alerts | complex object | UIDs of databases that user will receive alerts for | | certificate_subject_line | string | The certificate’s subject line as defined by RFC2253. Used for certificate-based authentication users only. | | cluster_email_alerts | boolean | Activate cluster email alerts for a user | diff --git a/content/operate/rs/references/rest-api/permissions.md b/content/operate/rs/references/rest-api/permissions.md index 639a9cba4e..f5cea0d3a0 100644 --- a/content/operate/rs/references/rest-api/permissions.md +++ b/content/operate/rs/references/rest-api/permissions.md 
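Review bot: In `bootstrap/_index.md` (hunk `@@ -39,5 +39,7 @@`), `witness_disk` is typed as a bare `object` with no link or field list, while `user_defined_modules` on the line above links to its own object page. Link to or add a `witness_disk` object reference so readers can see which fields it takes.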
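Review bot: In the new `user_defined_module.md`, the `location` row allows a `location_type` of `http` together with `credentials` for basic authentication, which sends the username and password unencrypted. Either document that `credentials` is only accepted with `https`, or add a note recommending `https` whenever `credentials` is set. The page also does not say whether the downloaded zip is verified (checksum or signature) before the `.so` is installed on each node; document the behaviour either way.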
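Review bot: In `crdb/database_config.md`, the new `private_key` row does not say whether the key is write-only or is returned when the database configuration is read back. Document that, and state in the `cert` row whether `cert` and `private_key` have to be supplied together, since each is marked optional on its own.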
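Review bot: In the new `sso.md`, the `enforce_control_plane` description leaves the `false` case ambiguous: "all users can still login using their local username and password if SSO is down" does not say whether local login is also allowed while SSO is up, nor how admin users are treated when the value is `true`. Spell out both cases and use "log in" for the verb. In the `service` row, `acs_url`, `slo_url` and `entity_id` are listed at the same level as `address`, while the JSON above nests them under `saml2`; list them as `saml2.entity_id`, `saml2.acs_url` and `saml2.slo_url`, in the JSON's order.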
@@ -34,12 +34,12 @@ Available management roles include: | Role | Permissions | |------|-------------| | none | No permissions | -| admin | [add_cluster_module](#add_cluster_module), [cancel_cluster_action](#cancel_cluster_action), [cancel_node_action](#cancel_node_action), [config_ldap](#config_ldap), [config_ocsp](#config_ocsp), [create_bdb](#create_bdb), [create_crdb](#create_crdb), [create_ldap_mapping](#create_ldap_mapping), [create_new_user](#create_new_user), [create_redis_acl](#create_redis_acl), [create_role](#create_role), [delete_bdb](#delete_bdb), [delete_cluster_module](#delete_cluster_module), [delete_crdb](#delete_crdb), [delete_ldap_mapping](#delete_ldap_mapping), [delete_redis_acl](#delete_redis_acl), [delete_role](#delete_role), [delete_user](#delete_user), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [install_new_license](#install_new_license), [manage_cluster_modules](#manage_cluster_modules), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [start_cluster_action](#start_cluster_action), [start_node_action](#start_node_action), [test_ocsp_status](#test_ocsp_status), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_cluster](#update_cluster), [update_crdb](#update_crdb), [update_ldap_mapping](#update_ldap_mapping), [update_node](#update_node), [update_proxy](#update_proxy), [update_redis_acl](#update_redis_acl), [update_role](#update_role), [update_user](#update_user), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), 
[view_all_bdbs_info](#view_all_bdbs_info), [view_all_ldap_mappings_info](#view_all_ldap_mappings_info), [view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_all_users_info](#view_all_users_info), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_ldap_config](#view_ldap_config), [view_ldap_mapping_info](#view_ldap_mapping_info), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_ocsp_config](#view_ocsp_config), [view_ocsp_status](#view_ocsp_status), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action), [view_user_info](#view_user_info) | -| 
cluster_member | [create_bdb](#create_bdb), [create_crdb](#create_crdb), [delete_bdb](#delete_bdb), [delete_crdb](#delete_crdb), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_crdb](#update_crdb), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), 
[view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) | -| cluster_viewer | [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), 
[view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) | -| db_member | [create_bdb](#create_bdb), [create_crdb](#create_crdb), [delete_bdb](#delete_bdb), [delete_crdb](#delete_crdb), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_crdb](#update_crdb), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), 
[view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) | -| db_viewer | [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), 
[view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) | -| user_manager | [config_ldap](#config_ldap), [create_ldap_mapping](#create_ldap_mapping), [create_new_user](#create_new_user), [create_role](#create_role), [create_redis_acl](#create_redis_acl), [delete_ldap_mapping](#delete_ldap_mapping), [delete_redis_acl](#delete_redis_acl), [delete_role](#delete_role), [delete_user](#delete_user), [install_new_license](#install_new_license), [update_ldap_mapping](#update_ldap_mapping), [update_proxy](#update_proxy), [update_role](#update_role), [update_redis_acl](#update_redis_acl), [update_user](#update_user), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_ldap_mappings_info](#view_all_ldap_mappings_info), [view_all_nodes_alerts](view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_all_users_info](#view_all_users_info), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), 
[view_endpoint_stats](#view_endpoint_stats), [view_ldap_config](#view_ldap_config), [view_ldap_mapping_info](#view_ldap_mapping_info), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action), [view_user_info](#view_user_info) +| admin | [add_cluster_module](#add_cluster_module), [cancel_cluster_action](#cancel_cluster_action), [cancel_node_action](#cancel_node_action), [config_ldap](#config_ldap), [config_ocsp](#config_ocsp), [config_sso](#config_sso), [create_bdb](#create_bdb), [create_crdb](#create_crdb), [create_ldap_mapping](#create_ldap_mapping), [create_new_user](#create_new_user), [create_redis_acl](#create_redis_acl), [create_role](#create_role), [delete_bdb](#delete_bdb), [delete_cluster_module](#delete_cluster_module), [delete_crdb](#delete_crdb), [delete_ldap_mapping](#delete_ldap_mapping), [delete_redis_acl](#delete_redis_acl), [delete_role](#delete_role), [delete_user](#delete_user), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [install_new_license](#install_new_license), [manage_cluster_modules](#manage_cluster_modules), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), 
[start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [start_cluster_action](#start_cluster_action), [start_node_action](#start_node_action), [test_ocsp_status](#test_ocsp_status), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_cluster](#update_cluster), [update_crdb](#update_crdb), [update_ldap_mapping](#update_ldap_mapping), [update_node](#update_node), [update_proxy](#update_proxy), [update_redis_acl](#update_redis_acl), [update_role](#update_role), [update_user](#update_user), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_ldap_mappings_info](#view_all_ldap_mappings_info), [view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_all_users_info](#view_all_users_info), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_ldap_config](#view_ldap_config), [view_ldap_mapping_info](#view_ldap_mapping_info), [view_license](#view_license), 
[view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_ocsp_config](#view_ocsp_config), [view_ocsp_status](#view_ocsp_status), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action), [view_user_info](#view_user_info) | +| cluster_member | [create_bdb](#create_bdb), [create_crdb](#create_crdb), [delete_bdb](#delete_bdb), [delete_crdb](#delete_crdb), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_crdb](#update_crdb), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), 
[view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) | +| cluster_viewer | [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), 
[view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) | +| db_member | [create_bdb](#create_bdb), [create_crdb](#create_crdb), [delete_bdb](#delete_bdb), [delete_crdb](#delete_crdb), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_crdb](#update_crdb), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), 
[view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) | +| db_viewer | [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), 
[view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) | +| user_manager | [config_ldap](#config_ldap), [create_ldap_mapping](#create_ldap_mapping), [create_new_user](#create_new_user), [create_role](#create_role), [create_redis_acl](#create_redis_acl), [delete_ldap_mapping](#delete_ldap_mapping), [delete_redis_acl](#delete_redis_acl), [delete_role](#delete_role), [delete_user](#delete_user), [install_new_license](#install_new_license), [update_ldap_mapping](#update_ldap_mapping), [update_proxy](#update_proxy), [update_role](#update_role), [update_redis_acl](#update_redis_acl), [update_user](#update_user), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_ldap_mappings_info](#view_all_ldap_mappings_info), [view_all_nodes_alerts](view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), 
[view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_all_users_info](#view_all_users_info), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_ldap_config](#view_ldap_config), [view_ldap_mapping_info](#view_ldap_mapping_info), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action), [view_user_info](#view_user_info) | ## Roles list per permission @@ -51,6 +51,7 @@ Available management roles include: | cancel_node_action | admin | | config_ldap | admin
user_manager | | config_ocsp | admin | +| config_sso | admin | | create_bdb | admin
cluster_member
db_member | | create_crdb | admin
cluster_member
db_member | | create_ldap_mapping | admin
user_manager | @@ -135,6 +136,7 @@ Available management roles include: | view_redis_pass | admin
cluster_member
db_member
user_manager | | view_role_info | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager | | view_shard_stats | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager | +| view_sso | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager | | view_status_of_all_node_actions | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager | | view_status_of_cluster_action | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager | | view_status_of_node_action | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager | diff --git a/content/operate/rs/references/rest-api/requests/cluster/sso.md b/content/operate/rs/references/rest-api/requests/cluster/sso.md new file mode 100644 index 0000000000..49093f0dfe --- /dev/null +++ b/content/operate/rs/references/rest-api/requests/cluster/sso.md @@ -0,0 +1,331 @@ +--- +Title: Single sign-on requests +alwaysopen: false +categories: +- docs +- operate +- rs +description: Single sign-on (SSO) configuration requests +headerRange: '[1-2]' +linkTitle: sso +toc: 'true' +weight: $weight +--- + +| Method | Path | Description | +|--------|------|-------------| +| [GET](#get-cluster-sso) | `/v1/cluster/sso` | Get SSO configuration | +| [PUT](#put-cluster-sso) | `/v1/cluster/sso` | Set or update SSO configuration | +| [DELETE](#delete-cluster-sso) | `/v1/cluster/sso` | Clear SSO configuration | +| [GET](#get-cluster-sso-saml-metadata) | `/v1/cluster/sso/saml/metadata/sp` | Get SAML service provider metadata | +| [POST](#post-cluster-sso-saml-metadata) | `/v1/cluster/sso/saml/metadata/idp` | Upload SAML identity provider metadata | + +## Get SSO configuration {#get-cluster-sso} + + GET /v1/cluster/sso + +Get the single sign-on configuration as JSON. + +#### Required permissions + +| Permission name | Roles | +|-----------------|-------| +| [view_sso]({{< relref "/operate/rs/references/rest-api/permissions#view_sso" >}}) | admin
user_manager | + +### Request {#get-request} + +#### Example HTTP request + + GET /v1/cluster/sso + +#### Request headers + +| Key | Value | Description | +|-----|-------|-------------| +| Host | cnm.cluster.fqdn | Domain name | +| Accept | application/json | Accepted media type | + +### Response {#get-response} + +Returns an [SSO object]({{< relref "/operate/rs/references/rest-api/objects/sso" >}}). + +#### Example JSON body + +```json +{ + "control_plane": true, + "protocol": "saml2", + "enforce_control_plane": false, + "issuer": { + "id": "urn:sso:example:idp", + "login_url": "https://idp.example.com/sso/saml", + "logout_url": "https://idp.example.com/sso/slo", + "metadata": "" + }, + "service": { + "address": "https://hostname:port", + "saml2": { + "entity_id": "https://cnm.cluster.fqdn/sp", + "acs_url": "https://cnm.cluster.fqdn/v1/cluster/sso/saml/acs", + "slo_url": "https://cnm.cluster.fqdn/v1/cluster/sso/saml/slo" + } + } +} +``` + +### Status codes {#get-status-codes} + +| Code | Description | +|------|-------------| +| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success | + +## Update SSO configuration {#put-cluster-sso} + + PUT /v1/cluster/sso + +Set or update the cluster single sign-on configuration. + +#### Required permissions + +| Permission name | Roles | +|-----------------|-------| +| [config_sso]({{< relref "/operate/rs/references/rest-api/permissions#config_sso" >}}) | admin
user_manager | + +### Request {#put-request} + +#### Example HTTP request + + PUT /v1/cluster/sso + +#### Example JSON body + +```json +{ + "control_plane": false, + "protocol": "saml2", + "enforce_control_plane": false, + "issuer": { + "id": "urn:sso:example:idp", + "login_url": "https://idp.example.com/sso/saml", + "logout_url": "https://idp.example.com/sso/slo" + }, + "service": { + "address": "https://hostname:port" + } +} +``` + +#### Request headers + +| Key | Value | Description | +|-----|-------|-------------| +| Host | cnm.cluster.fqdn | Domain name | +| Accept | application/json | Accepted media type | + +#### Request body + +Include an [SSO object]({{< relref "/operate/rs/references/rest-api/objects/sso" >}}) with updated fields in the request body. + +### Response {#put-response} + +Returns a status code. If an error occurs, the response body can include an error code and message with more details. + +### Error codes {#put-error-codes} + +Possible `error_code` values: + +| Code | Description | +|------|-------------| +| missing_param | A required parameter is missing while SSO is being enabled | +| missing_certificate | SSO certificate is not found while SSO is being enabled | + +### Status codes {#put-status-codes} + +| Code | Description | +|------|-------------| +| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success, SSO config has been set | +| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Bad or missing configuration parameters | +| [406 Not Acceptable](https://www.rfc-editor.org/rfc/rfc9110.html#name-406-not-acceptable) | Missing required certificate | + +## Delete SSO configuration {#delete-cluster-sso} + + DELETE /v1/cluster/sso + +Clear the single sign-on configuration. + +#### Required permissions + +| Permission name | Roles | +|-----------------|-------| +| [config_sso]({{< relref "/operate/rs/references/rest-api/permissions#config_sso" >}}) | admin
user_manager | + +### Request {#delete-request} + +#### Example HTTP request + + DELETE /v1/cluster/sso + +#### Request headers + +| Key | Value | Description | +|-----|-------|-------------| +| Host | cnm.cluster.fqdn | Domain name | +| Accept | application/json | Accepted media type | + +### Response {#delete-response} + +Returns a status code. + +### Error codes {#delete-error-codes} + +Possible `error_code` values: + +| Code | Description | +|------|-------------| +| delete_certificate_error | An error occurred during SSO certificate deletion | + +### Status codes {#delete-status-codes} + +| Code | Description | +|------|-------------| +| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success | +| [500 Internal Server Error](https://www.rfc-editor.org/rfc/rfc9110.html#name-500-internal-server-error) | Error during deletion | + +## Get SAML service provider metadata {#get-cluster-sso-saml-metadata} + + GET /v1/cluster/sso/saml/metadata/sp + +Generates and returns the SAML2 service provider metadata XML. + +#### Required permissions + +| Permission name | Roles | +|-----------------|-------| +| [view_sso]({{< relref "/operate/rs/references/rest-api/permissions#view_sso" >}}) | admin
user_manager | + +### Request {#get-metadata-request} + +#### Example HTTP request + + GET /v1/cluster/sso/saml/metadata/sp + +#### Request headers + +| Key | Value | Description | +|-----|-------|-------------| +| Host | cnm.cluster.fqdn | Domain name | +| Accept | application/samlmetadata+xml | Accepted media type | + +### Response {#get-metadata-response} + +Returns SAML2 service provider metadata as XML. + +#### Example response body + +```xml + + + ... + +``` + +### Error codes {#get-metadata-error-codes} + +Possible `error_code` values: + +| Code | Description | +|------|-------------| +| missing_certificate | Service certificate is missing | +| saml_metadata_generation_error | An error occurred while generating the XML metadata | + +### Status codes {#get-metadata-status-codes} + +| Code | Description | +|------|-------------| +| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success | +| [406 Not Acceptable](https://www.rfc-editor.org/rfc/rfc9110.html#name-406-not-acceptable) | Missing required service certificate | +| [500 Internal Server Error](https://www.rfc-editor.org/rfc/rfc9110.html#name-500-internal-server-error) | Unexpected error when generating metadata | + +## Upload SAML identity provider metadata {#post-cluster-sso-saml-metadata} + + POST /v1/cluster/sso/saml/metadata/idp + +Uploads and validates the SAML2 identity provider metadata XML. + +#### Required permissions + +| Permission name | Roles | +|-----------------|-------| +| [config_sso]({{< relref "/operate/rs/references/rest-api/permissions#config_sso" >}}) | admin
user_manager | + +### Request {#post-metadata-request} + +#### Example HTTP request + + POST /v1/cluster/sso/saml/metadata/idp + +#### Example JSON body + +```json +{ + "idp_metadata": "YWp3cjkwcHR1eWF3MHJ0eTkwYXc0eXQwOW4..." +} +``` + +#### Request headers + +| Key | Value | Description | +|-----|-------|-------------| +| Host | cnm.cluster.fqdn | Domain name | +| Accept | application/json | Accepted media type | + +#### Request body + +| Name | Type/Value | Description | +|------|------------|-------------| +| idp_metadata | string | Base64-encoded SAML2 identity provider metadata XML | + +### Response {#post-metadata-response} + +Returns an [SSO object]({{< relref "/operate/rs/references/rest-api/objects/sso" >}}) with the updated configuration. + +#### Example JSON body + +```json +{ + "control_plane": true, + "protocol": "saml2", + "enforce_control_plane": false, + "issuer": { + "id": "urn:sso:example:idp", + "login_url": "https://idp.example.com/sso/saml", + "logout_url": "https://idp.example.com/sso/slo" + }, + "service": { + "saml2": { + "entity_id": "https://cnm.cluster.fqdn/sp", + "acs_url": "https://cnm.cluster.fqdn/v1/cluster/sso/saml/acs", + "slo_url": "https://cnm.cluster.fqdn/v1/cluster/sso/saml/slo" + } + } +} +``` + +### Error codes {#post-metadata-error-codes} + +Possible `error_code` values: + +| Code | Description | +|------|-------------| +| saml_metadata_validation_error | IdP metadata failed configuration validation checks | +| saml_metadata_parsing_error | IdP metadata is not a valid base64-encoded XML | +| missing_certificate | SSO certificate is not found while SSO is being enabled | + +### Status codes {#post-metadata-status-codes} + +| Code | Description | +|------|-------------| +| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success | +| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Bad or missing parameters | +| [406 Not 
Acceptable](https://www.rfc-editor.org/rfc/rfc9110.html#name-406-not-acceptable) | Missing required service certificate | diff --git a/content/operate/rs/references/rest-api/requests/migrations/_index.md b/content/operate/rs/references/rest-api/requests/migrations/_index.md index 4d1b791287..ade34ab4f0 100644 --- a/content/operate/rs/references/rest-api/requests/migrations/_index.md +++ b/content/operate/rs/references/rest-api/requests/migrations/_index.md @@ -58,12 +58,26 @@ Returns a JSON array with all data required by the migration orchestrator. #### Example response body ```json -"migration": { - "status": "foo", - "lag": 123, - "run_id": "5", - "flush_counter": 2, - "source_shards": [{"replication_id": "1", "replication_offset": 2}] +{ + "migration": { + "status": "string", + "lag": 0, + "rdb_size": 0, + "rdb_transferred": 0, + "run_id": "string", + "flush_counter": 0, + "source_shards": [ + { + "replication_id": "string", + "replication_offset": 0 + } + ], + "error": { + "error_code": "string", + "message": "string", + "timestamp": "2019-08-24T14:15:22Z" + } + } } ``` diff --git a/content/operate/rs/release-notes/rs-8-0-releases/_index.md b/content/operate/rs/release-notes/rs-8-0-releases/_index.md index 3a9befbaf1..3753f7f009 100644 --- a/content/operate/rs/release-notes/rs-8-0-releases/_index.md +++ b/content/operate/rs/release-notes/rs-8-0-releases/_index.md 
@@ -195,7 +195,11 @@ The following table provides a snapshot of supported platforms as of this Redis ## Known issues -- RS131972: Creating an ACL that contains a line break in the Cluster Manager UI can cause shard migration to fail due to ACL errors. +- RS180550: You cannot set up SSO when the Cluster Manager UI is exposed through an IPv6-based load balancer or gateway. + + As a workaround, use an IPv4-based address for the SSO service base address, or register a DNS name that resolves to the IPv6 address. + +- RS131972: Creating an ACL that contains a line break in the Cluster Manager UI can cause shard migration to fail due to ACL errors. This issue was fixed in Redis Enterprise Software version 8.0.6. - RS155734: Endpoint availability metrics do not work as expected due to a calculation error. diff --git a/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-6-54.md b/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-6-54.md new file mode 100644 index 0000000000..bc536ce1b5 --- /dev/null +++ b/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-6-54.md 
@@ -0,0 +1,421 @@ +--- +Title: Redis Enterprise Software release notes 8.0.6-54 (December 2025) +alwaysopen: false +categories: +- docs +- operate +- rs +compatibleOSSVersion: Redis 8.2.1, 8.0.2, 7.4.3, 7.2.7, 6.2.13 +description: Single sign-on for the Cluster Manager UI. Error reports for Replica Of migration status. Automatically download and install user-defined modules during bootstrapping. +linkTitle: 8.0.6-54 (December 2025) +weight: 88 +--- + +​[​Redis Enterprise Software version 8.0.6](https://redis.io/downloads/#Redis_Software) is now available! This release includes API enhancements that warranted a new minor version instead of a maintenance release for version 8.0.2. However, you can upgrade from 8.0.2 to 8.0.6 without issue. + +## Highlights + +This version offers: + +- Single sign-on for the Cluster Manager UI + +- Error reports for Replica Of migration status + +- Automatically download and install user-defined modules during bootstrapping + +## New in this release + +### New features + +#### Single sign-on for the Cluster Manager UI {#sso} + +Redis Enterprise Software now supports IdP-initiated and SP-initiated single sign-on (SSO) with SAML (Security Assertion Markup Language) 2.0 for the Cluster Manager UI. + +When SSO is activated: + +- Users can sign in to the Redis Enterprise Software Cluster Manager UI using their identity provider (IdP) instead of usernames and passwords. + +- Optionally, you can enforce SSO for the cluster, which means non-admin users can no longer sign in with their previous usernames and passwords and must use SSO instead. + +- With just-in-time (JIT) user provisioning, Redis Enterprise Software automatically creates a user account the first time a new user signs in with SSO. + +For more information and setup instructions, see [SAML single sign-on]({{}}). + +Known limitation: You cannot change the default service provider address using the Cluster Manager UI. You can only change this address using a REST API request. 
+ +### Enhancements + +- Added error report to Replica Of [migration status]({{}}) REST API responses. + +- Added support for automatically downloading and installing user-defined modules during bootstrap operations. You can now specify `user_defined_modules` in [bootstrap requests]({{}}) for `create_cluster`, `join_cluster`, and `recover_cluster` actions. See [Add user-defined modules during bootstrapping]({{}}) for details. + +- Added `cert` and `private_key` fields to the [CRDB database config object]({{}}) for an optional PEM-encoded server certificate for the underlying database instance. + +### Redis database versions + +Redis Enterprise Software version 8.0.6 includes five Redis database versions: 8.2.1, 8.0.2, 7.4.3, 7.2.7, and 6.2.13. + +The [default Redis database version]({{}}) is 8.2. + +### Redis feature sets + +Redis Enterprise Software includes multiple feature sets, compatible with different Redis database versions. + +The following table shows which Redis modules are compatible with each Redis database version included in this release. + +| Redis database version | Compatible Redis modules | +|------------------------|--------------------------| +| 8.2 | RediSearch 8.2
RedisJSON 8.2
RedisTimeSeries 8.2
RedisBloom 8.2
See [What's new in Redis 8.2]({{}}) and [Redis Open Source 8.2 release notes]({{}}) | +| 8.0 | RediSearch 8.0
RedisJSON 8.0
RedisTimeSeries 8.0
RedisBloom 8.0
See [What's new in Redis 8.0]({{}}) and [Redis Open Source 8.0 release notes]({{}}) | +| 7.4 | [RediSearch 2.10]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisearch/redisearch-2.10-release-notes.md" >}})
[RedisJSON 2.8]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisjson/redisjson-2.8-release-notes.md" >}})
[RedisTimeSeries 1.12]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redistimeseries/redistimeseries-1.12-release-notes.md" >}})
[RedisBloom 2.8]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisbloom/redisbloom-2.8-release-notes.md" >}}) | +| 7.2 | [RediSearch 2.8]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisearch/redisearch-2.8-release-notes.md" >}})
[RedisJSON 2.6]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisjson/redisjson-2.6-release-notes.md" >}})
[RedisTimeSeries 1.10]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redistimeseries/redistimeseries-1.10-release-notes.md" >}})
[RedisBloom 2.6]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisbloom/redisbloom-2.6-release-notes.md" >}}) | +| 6.2 | [RediSearch 2.6]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisearch/redisearch-2.6-release-notes.md" >}})
[RedisJSON 2.4]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisjson/redisjson-2.4-release-notes.md" >}})
[RedisTimeSeries 1.8]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redistimeseries/redistimeseries-1.8-release-notes.md" >}})
[RedisBloom 2.4]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisbloom/redisbloom-2.4-release-notes.md" >}}) | + +### Resolved issues + +- RS131972: Fixed an issue where creating an ACL that contains a line break in the Cluster Manager UI could cause shard migration to fail due to ACL errors. + +- RS140424: Fixed an issue where configuration changes initiated topology updates even if the topology did not change. + +- RS144636: Improved support package generation to collect available database information even when some data collection steps fail. + +- RS162503: Fixed an issue where force-removed Active-Active database instances could not be re-added as participating members without purging. + +- RS155782: Improved logs and added validation to ensure operations are properly queued and prevent stuck state machines. + +- RS167151: Improved reliability of node removal operations by increasing retry attempts for failover and reshard operations. + +- RS167280: Fixed an issue where a subset of shards on a restarted node could fail to start due to temporary connection issues. + +- RS172813: Improved logging for Active-Active database failover scenarios to provide better visibility into data recovery processes. + +- RS173195: Fixed an issue where cluster operations could fail when attempting to communicate with unreachable nodes. + +- RS174154: Fixed an issue where EntraID authentication service was not properly enabled despite being configured and running. + +- RS174819: Fixed an issue where duplicate syncers could spawn on the same node. + +- RS176400: Fixed an issue where Google Cloud Storage backup locations could be set to the incorrect type when configured in the Cluster Manager UI. + +- RS165983: Fixed an issue where an incorrect value was printed for `region_name` in the event log. + +## Version changes + +### Supported platforms + +The following table provides a snapshot of supported platforms as of this Redis Enterprise Software release. 
See the [supported platforms reference]({{< relref "/operate/rs/references/supported-platforms" >}}) for more details about operating system compatibility. + + Supported – The platform is supported for this version of Redis Enterprise Software and Redis Stack modules. + +:warning: Deprecation warning – The platform is still supported for this version of Redis Enterprise Software, but support will be removed in a future release. + +| Redis Software
major versions | 8.0 | 7.22 | 7.8 | 7.4 | 7.2 | 6.4 | 6.2 | +|---------------------------------|:-----:|:-----:|:-----:|:-----:|:-----:|:-----:|:-----:| +| **Release date** | Oct 2025 | May 2025 | Nov 2024 | Feb 2024 | Aug 2023 | Feb 2023 | Aug 2021 | +| [**End-of-life date**]({{< relref "/operate/rs/installing-upgrading/product-lifecycle#endoflife-schedule" >}}) | Determined after
next major release | Oct 2027 | May 2027 | Nov 2026 | Feb 2026 | Aug 2025 | Feb 2025 | +| **Platforms** | | | | | | | | +| RHEL 9 &
compatible distros[1](#table-note-1) | | | | | – | – | – | +| RHEL 9
FIPS mode[5](#table-note-5) | | | | – | – | – | – | +| RHEL 8 &
compatible distros[1](#table-note-1) | | | | | | | | +| RHEL 7 &
compatible distros[1](#table-note-1) | – | – | – | – | :warning: | | | +| Ubuntu 22.04[2](#table-note-2) | | | | – | – | – | – | +| Ubuntu 20.04[2](#table-note-2) | | | | | | | – | +| Ubuntu 18.04[2](#table-note-2) | – | – | – | :warning: | :warning: | | | +| Ubuntu 16.04[2](#table-note-2) | – | – | – | – | :warning: | | | +| Amazon Linux 2 | | | | | | | – | +| Amazon Linux 1 | – | – | – | – | | | | +| Kubernetes[3](#table-note-3) | | | | | | | | +| Docker[4](#table-note-4) | | | | | | | | + +1. The RHEL-compatible distributions CentOS, CentOS Stream, Alma, and Rocky are supported if they have full RHEL compatibility. Oracle Linux running the Red Hat Compatible Kernel (RHCK) is supported, but the Unbreakable Enterprise Kernel (UEK) is not supported. + +2. The server version of Ubuntu is recommended for production installations. The desktop version is only recommended for development deployments. + +3. See the [Redis Enterprise for Kubernetes documentation]({{< relref "/operate/kubernetes/reference/supported_k8s_distributions" >}}) for details about support per version and Kubernetes distribution. + +4. [Docker images]({{< relref "/operate/rs/installing-upgrading/quickstarts/docker-quickstart" >}}) of Redis Enterprise Software are certified for development and testing only. + +5. Supported only if [FIPS was enabled during RHEL installation](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/switching-rhel-to-fips-mode_security-hardening#proc_installing-the-system-with-fips-mode-enabled_switching-rhel-to-fips-mode) to ensure FIPS compliance. 
+ +## Downloads + +The following table shows the SHA256 checksums for the available packages: + +| Package | SHA256 checksum (8.0.6-54 December release) | +|---------|---------------------------------------| +| Ubuntu 20 | 70ef3f95bc8bc16e988e8f5572a3956d2ab3068a7d069ce03578ca2a30431301 | +| Ubuntu 22 (amd64) | 576653f63613be103fcf8e1cd7760f6373bbc12a698ab59a12b452ea8f967fd4 | +| Ubuntu 22 (arm64) | 422635cdf0231a59aa9bb2e27c9fca8a13e1ea145ccd002159e66085d6b271e2 | +| Red Hat Enterprise Linux (RHEL) 8 | fa744961e7075a506b6456a9bb70b19e02b31f172ea6c9ef2154f80dfb5c1dcb | +| Red Hat Enterprise Linux (RHEL) 9 | 9c4c24ee3086ad8d595dc6fea2865b6520f07f8f589c214efae5229040727ac8 | +| Amazon Linux 2 | 8bd6008bc9036b675d57f3995f5a4725e264db86c981f940cada4529b001d3f7 | + +## Known issues + +- RS180550: You cannot set up SSO when the Cluster Manager UI is exposed through an IPv6-based load balancer or gateway. + + As a workaround, use an IPv4-based address for the SSO service base address, or register a DNS name that resolves to the IPv6 address. + +- RS155734: Endpoint availability metrics do not work as expected due to a calculation error. + +## Known limitations + +#### Cannot change SP address for SSO in the Cluster Manager UI + +You cannot change the default service provider address using the Cluster Manager UI. You can only change this address using a REST API request. + +#### Rolling upgrade limitation for clusters with custom or deprecated modules + +Due to module handling changes introduced in Redis Enterprise Software version 8.0, upgrading a cluster that contains custom or deprecated modules, such as RedisGraph and RedisGears v2, can become stuck when adding a new node to the cluster during a rolling upgrade. + +#### Module commands limitation during Active-Active database upgrades to Redis 8.0 + +When upgrading an Active-Active database to Redis version 8.0, you cannot use module commands until all Active-Active database instances have been upgraded. 
Currently, these commands are not blocked automatically. + +#### Redis 8.0 database cannot be created with flash + +You cannot create a Redis 8.0 database with flash storage enabled. Create a Redis 8.0 database with RAM-only storage instead, or use Redis 8.2 for flash-enabled (Redis Flex) databases. + +#### Cluster Manager UI limitations + +The following legacy UI features are not yet available in the new Cluster Manager UI: + +- Purge an Active-Active instance. + + Use [`crdb-cli crdb purge-instance`]({{< relref "/operate/rs/references/cli-utilities/crdb-cli/crdb/purge-instance" >}}) instead. + +- Search and export the log. + +## Security + +#### Redis Open Source security fixes compatibility + +As part of Redis's commitment to security, Redis Enterprise Software implements the latest [security fixes](https://github.com/redis/redis/releases) available with [Redis Open Source](https://github.com/redis/redis). Redis Enterprise Software has already included the fixes for the relevant CVEs. + +Some CVEs announced for Redis Open Source do not affect Redis Enterprise Software due to different or additional functionality available in Redis Enterprise Software that is not available in Redis Open Source. + +Redis Enterprise Software 8.0.6-54 supports Redis Open Source 8.2, 8.0, 7.4, 7.2, and 6.2. Below is the list of Redis Open Source CVEs and other security vulnerabilities fixed by version. + +Redis 8.2.x: + +- RedisBloom: Restore invalid filter. + +- (CVE-2025-62507) A user can run the `XACKDEL` command with multiple IDs and trigger a stack buffer overflow, which can potentially lead to remote code execution. + +- The `HGETEX` command can lead to a buffer overflow. + +- Integer overflow in `hllPatLen`. + +- RedisBloom: Cuckoo filter counter overflow. + +- RedisBloom: Invalid Bloom filters can cause arbitrary memory reads and writes. + +- RedisBloom: Reachable assert in `TopK_Create` + +- RedisBloom: Out-of-bounds access with empty Bloom chains. 
+ +- RedisBloom: Division by zero in Cuckoo filter insertion. + +- (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. + +- (CVE-2025-46819) An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and lead to subsequent denial of service. + +- (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. + +- (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution. + +Redis 8.0.x: + +- RedisBloom: Restore invalid filter. + +- The `HGETEX` command can lead to a buffer overflow. + +- Integer overflow in `hllPatLen`. + +- RedisBloom: Cuckoo filter counter overflow. + +- RedisBloom: Invalid Bloom filters can cause arbitrary memory reads and writes. + +- RedisBloom: Reachable assert in `TopK_Create` + +- RedisBloom: Out-of-bounds access with empty Bloom chains. + +- RedisBloom: Division by zero in Cuckoo filter insertion. + +- (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. + +- (CVE-2025-46819) An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and lead to subsequent denial of service. + +- (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. + +- (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution. + +Redis 7.4.x: + +- RedisBloom: Restore invalid filter. 
+ +- Integer overflow in `hllPatLen`. + +- RedisBloom: Cuckoo filter counter overflow. + +- RedisBloom: Invalid Bloom filters can cause arbitrary memory reads and writes. + +- RedisBloom: Reachable assert in `TopK_Create` + +- RedisBloom: Out-of-bounds access with empty Bloom chains. + +- RedisBloom: Division by zero in Cuckoo filter insertion. + +- (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. + +- (CVE-2025-46819) An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and lead to subsequent denial of service. + +- (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. + +- (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution. + +- (CVE-2025-32023) An authenticated user can use a specially crafted string to trigger a stack/heap out-of-bounds write on HyperLogLog operations, which can lead to remote code execution. + +- (CVE-2025-21605) An unauthenticated client can cause unlimited growth of output buffers until the server runs out of memory or is terminated, which can lead to denial-of-service. + +Redis 7.2.x: + +- RedisBloom: Restore invalid filter. + +- Integer overflow in `hllPatLen`. + +- RedisBloom: Cuckoo filter counter overflow. + +- RedisBloom: Invalid Bloom filters can cause arbitrary memory reads and writes. + +- RedisBloom: Reachable assert in `TopK_Create` + +- RedisBloom: Out-of-bounds access with empty Bloom chains. + +- RedisBloom: Division by zero in Cuckoo filter insertion. 
+ +- (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. + +- (CVE-2025-46819) An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and lead to subsequent denial of service. + +- (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. + +- (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution. + +- (CVE-2025-32023) An authenticated user can use a specially crafted string to trigger a stack/heap out-of-bounds write on HyperLogLog operations, which can lead to remote code execution. + +- (CVE-2025-21605) An unauthenticated client can cause unlimited growth of output buffers until the server runs out of memory or is terminated, which can lead to denial-of-service. + +- (CVE-2024-31449) An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. + +- (CVE-2024-31228) An authenticated user can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST`, and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crashes. + +- (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory buffers, which can result in incorrect accounting of buffer sizes and lead to heap overflow and potential remote code execution. 
+ +- (CVE-2023-41053) Redis does not correctly identify keys accessed by `SORT_RO` and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. (Redis 7.2.1) + +Redis 7.0.x: + +- (CVE-2024-31449) An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. + +- (CVE-2024-31228) An authenticated user can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST`, and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crashes. + +- (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory buffers, which can result in incorrect accounting of buffer sizes and lead to heap overflow and potential remote code execution. + +- (CVE-2023-41053) Redis does not correctly identify keys accessed by `SORT_RO` and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. (Redis 7.0.13) + +- (CVE-2023-36824) Extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption, and potentially remote code execution. Specifically: using `COMMAND GETKEYS*` and validation of key names in ACL rules. (Redis 7.0.12) + +- (CVE-2023-28856) Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access. (Redis 7.0.11) + +- (CVE-2023-28425) Specially crafted `MSETNX` commands can lead to assertion and denial-of-service. 
(Redis 7.0.10) + +- (CVE-2023-25155) Specially crafted `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 7.0.9) + +- (CVE-2023-22458) Integer overflow in the Redis `HRANDFIELD` and `ZRANDMEMBER` commands can lead to denial-of-service. (Redis 7.0.8) + +- (CVE-2022-36021) String matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis can cause it to hang and consume 100% CPU time. (Redis 7.0.9) + +- (CVE-2022-35977) Integer overflow in the Redis `SETRANGE` and `SORT`/`SORT_RO` commands can drive Redis to OOM panic. (Redis 7.0.8) + +- (CVE-2022-35951) Executing an `XAUTOCLAIM` command on a stream key in a specific state, with a specially crafted `COUNT` argument, may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. The problem affects Redis versions 7.0.0 or newer. (Redis 7.0.5) + +- (CVE-2022-31144) A specially crafted `XAUTOCLAIM` command on a stream key in a specific state may result in heap overflow and potentially remote code execution. The problem affects Redis versions 7.0.0 or newer. (Redis 7.0.4) + +- (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 7.0.12) + +- (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result in a crash of the `redis-server` process. This issue affects all versions of Redis. 
(Redis 7.0.0) + +- (CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. (Redis 7.0.0) + +Redis 6.2.x: + +- RedisBloom: Restore invalid filter. + +- Integer overflow in `hllPatLen`. + +- RedisBloom: Cuckoo filter counter overflow. + +- RedisBloom: Invalid Bloom filters can cause arbitrary memory reads and writes. + +- RedisBloom: Reachable assert in `TopK_Create` + +- RedisBloom: Out-of-bounds access with empty Bloom chains. + +- RedisBloom: Division by zero in Cuckoo filter insertion. + +- (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. + +- (CVE-2025-46819) An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and lead to subsequent denial of service. + +- (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. + +- (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution. + +- (CVE-2025-32023) An authenticated user can use a specially crafted string to trigger a stack/heap out-of-bounds write on HyperLogLog operations, which can lead to remote code execution. + +- (CVE-2025-21605) An unauthenticated client can cause unlimited growth of output buffers until the server runs out of memory or is terminated, which can lead to denial-of-service. + +- (CVE-2024-31449) An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. 
+ +- (CVE-2024-31228) An authenticated user can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST`, and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crashes. + +- (CVE-2023-28856) Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access. (Redis 6.2.12) + +- (CVE-2023-25155) Specially crafted `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 6.2.11) + +- (CVE-2023-22458) Integer overflow in the Redis `HRANDFIELD` and `ZRANDMEMBER` commands can lead to denial-of-service. (Redis 6.2.9) + +- (CVE-2022-36021) String matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis can cause it to hang and consume 100% CPU time. (Redis 6.2.11) + +- (CVE-2022-35977) Integer overflow in the Redis `SETRANGE` and `SORT`/`SORT_RO` commands can drive Redis to OOM panic. (Redis 6.2.9) + +- (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 6.2.13) + +- (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result in a crash of the `redis-server` process. This issue affects all versions of Redis. 
(Redis 6.2.7) + +- (CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. (Redis 6.2.7) + +- (CVE-2021-41099) Integer to heap buffer overflow handling certain string commands and network payloads, when `proto-max-bulk-len` is manually configured to a non-default, very large value. (Redis 6.2.6) + +- (CVE-2021-32762) Integer to heap buffer overflow issue in `redis-cli` and `redis-sentinel` parsing large multi-bulk replies on some older and less common platforms. (Redis 6.2.6) + +- (CVE-2021-32761) An integer overflow bug in Redis version 2.2 or newer can be exploited using the `BITFIELD` command to corrupt the heap and potentially result with remote code execution. (Redis 6.2.5) + +- (CVE-2021-32687) Integer to heap buffer overflow with intsets, when `set-max-intset-entries` is manually configured to a non-default, very large value. (Redis 6.2.6) + +- (CVE-2021-32675) Denial Of Service when processing RESP request payloads with a large number of elements on many connections. (Redis 6.2.6) + +- (CVE-2021-32672) Random heap reading issue with Lua Debugger. (Redis 6.2.6) + +- (CVE-2021-32628) Integer to heap buffer overflow handling ziplist-encoded data types, when configuring a large, non-default value for `hash-max-ziplist-entries`, `hash-max-ziplist-value`, `zset-max-ziplist-entries` or `zset-max-ziplist-value`. (Redis 6.2.6) + +- (CVE-2021-32627) Integer to heap buffer overflow issue with streams, when configuring a non-default, large value for `proto-max-bulk-len` and `client-query-buffer-limit`. (Redis 6.2.6) + +- (CVE-2021-32626) Specially crafted Lua scripts may result with Heap buffer overflow. (Redis 6.2.6) + +- (CVE-2021-32625) An integer overflow bug in Redis version 6.0 or newer can be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution. 
This is a result of an incomplete fix by CVE-2021-29477. (Redis 6.2.4) + +- (CVE-2021-29478) An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration value, creating a large set key that consists of integer values and using the COPY command to duplicate it. The integer overflow bug exists in all versions of Redis starting with 2.6, where it could result with a corrupted RDB or DUMP payload, but not exploited through COPY (which did not exist before 6.2). (Redis 6.2.3) + +- (CVE-2021-29477) An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. The integer overflow bug exists in all versions of Redis starting with 6.0. (Redis 6.2.3) diff --git a/content/operate/rs/security/_index.md b/content/operate/rs/security/_index.md index 9e128f82be..c4ce2bc129 100644 --- a/content/operate/rs/security/_index.md +++ b/content/operate/rs/security/_index.md @@ -19,6 +19,7 @@ Redis Enterprise Software provides various features to secure your Redis Enterpr | [Password expiration]({{}}) | [Create roles]({{}}) | [Configure cipher suites]({{}}) | [Update certificates]({{}}) | | [Default database access]({{}}) | [Redis ACLs]({{}}) | [Encrypt private keys on disk]({{}}) | [Enable OCSP stapling]({{}}) | | [Rotate user passwords]({{}}) | [Integrate with LDAP]({{}}) | [Internode encryption]({{}}) | [Audit database connections]({{}}) | +| [Single sign-on (SSO)]({{}}) | | | | ## Recommended security practices diff --git a/content/operate/rs/security/access-control/create-users.md b/content/operate/rs/security/access-control/create-users.md index 2c1b87f603..24a8e88e60 100644 --- a/content/operate/rs/security/access-control/create-users.md +++ b/content/operate/rs/security/access-control/create-users.md 
@@ -30,6 +30,10 @@ To add a user to the cluster: {{Create user panel with fields for username, email, password, and alerts.}} + {{< note >}} +To use [single sign-on (SSO)]({{< relref "/operate/rs/security/access-control/saml-sso" >}}), users must have email addresses. + {{< /note >}} + 1. Select the **Alerts** the user should receive by email: - **Receive alerts for databases** - The alerts that are enabled for the selected databases will be sent to the user. Choose **All databases** or **Customize** to select the individual databases to send alerts for. diff --git a/content/operate/rs/security/access-control/saml-sso.md b/content/operate/rs/security/access-control/saml-sso.md new file mode 100644 index 0000000000..48363490bb --- /dev/null +++ b/content/operate/rs/security/access-control/saml-sso.md 
@@ -0,0 +1,443 @@ +--- +Title: SAML single sign-on +alwaysopen: false +categories: +- docs +- operate +- rs +description: Set up single sign-on with SAML for the Redis Enterprise Software Cluster Manager UI. +hideListLinks: true +linkTitle: SAML SSO +weight: 60 +--- + + +Redis Enterprise Software supports both [IdP-initiated](#idp-initiated-sso) and [SP-initiated](#sp-initiated-sso) [single sign-on (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) with [SAML (Security Assertion Markup Language)](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) for the Cluster Manager UI. Redis Enterprise Software uses SAML 2.0, which is the latest SAML version and an industry standard. + +You cannot use [SCIM (System for Cross-domain Identity Management)](https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management) to provision Redis Enterprise Software users. However, Redis Enterprise Software supports just-in-time (JIT) user provisioning, which means Redis Enterprise Software automatically creates a user account the first time a new user signs in with SSO. + +## SSO overview + +When single sign-on is activated, users can sign in to the Redis Enterprise Software Cluster Manager UI using their [identity provider (IdP)](https://en.wikipedia.org/wiki/Identity_provider) instead of usernames and passwords. If [SSO is enforced](#enforce-sso), non-admin users can no longer sign in with their previous usernames and passwords and must use SSO instead. + +Before users can sign in to the Cluster Manager UI with SSO, the identity provider admin needs to set up these users on the IdP side with matching email addresses. + +With just-in-time (JIT) user provisioning, Redis Enterprise Software automatically creates user accounts for new users assigned to the SAML application in your identity provider when they sign in to the Cluster Manager UI for the first time. 
For these users, you must configure the `redisRoleMapping` attribute in your identity provider to assign appropriate roles for [role-based access control]({{}}) during account creation. + +### IdP-initiated SSO + +With IdP-initiated single sign-on, you can select the Redis Enterprise Software application after you sign in to your [identity provider (IdP)](https://en.wikipedia.org/wiki/Identity_provider). This redirects you to the Redis Enterprise Software Cluster Manager UI and signs you in. + +### SP-initiated SSO + +You can also initiate single sign-on from the Redis Enterprise Software Cluster Manager UI. This process is known as [service provider (SP)](https://en.wikipedia.org/wiki/Service_provider)-initiated single sign-on. + +On the Redis Enterprise Software Cluster Manager UI's sign-in screen, click **Sign in with SSO**. + +- If you already have an active SSO session with your identity provider, this signs you in. + +- Otherwise, the SSO flow redirects you to your identity provider's sign in screen. Enter your IdP user credentials to sign in. This redirects you back to the Redis Enterprise Software Cluster Manager UI and automatically signs you in. + +Authentication requests expire after 3 minutes. + +## IdP requirements + +You can use any identity provider to integrate with Redis Enterprise Software as long as it supports the following: + +- [SAML](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) 2.0 protocol. + +- Signed SAML responses since Redis Enterprise Software will not accept any unsigned SAML responses. + +- HTTP-Redirect binding for SP-initiated SSO. + +- HTTP-POST binding for SAML assertions. + +## Set up SAML SSO + +To set up SAML single sign-on for a Redis Enterprise Software cluster: + +1. [Upload the service provider certificate and private key](#upload-sp-certificate). + +1. [Download the service provider metadata](#download-sp-metadata). + +1. 
[Set up a SAML app](#set-up-app) to integrate Redis Enterprise Software with your identity provider. + +1. [Download identity provider metadata](#download-idp-metadata). + +1. [Configure SAML identity provider in Redis Enterprise Software](#configure-idp-metadata). + +1. [Assign the SAML app to existing users](#assign-saml-app-to-existing-users). + +1. [Activate SSO](#activate-sso). + +### Upload SP certificate + +1. Create a service provider certificate for Redis Enterprise Software. See [Create certificates ]({{}}) for instructions. + +1. Upload the service provider certificate and key to the Redis Enterprise Software cluster: + + {{< multitabs id="upload-sp-cert" + tab1="Cluster Manager UI" + tab2="REST API" >}} + +1. Sign in to the Redis Enterprise Software Cluster Manager UI using admin credentials. + +1. Go to **Access Control > Single Sign-On**. + + The single sign-on configuration screen. + +1. In the **Service Provider (Redis) metadata** section, find **Service-provider's public certificate + private key** and click **Upload**. + +1. Enter or upload the private key and certificate for your service provider. + +1. Click **Upload** to save. + +-tab-sep- + +To upload a certificate using the REST API, use an [update cluster certificates]({{}}) request. + +```sh +PUT https://:/v1/cluster/certificates +{ + "certificates": [ + { + "name": "", + "certificate": "sso_service", + "key": "" + } + ] +} +``` + + {{< /multitabs >}} + +### Download SP metadata + +You need to download the service provider metadata for Redis Enterprise Software and use it to configure the SAML integration app for your identity provider. + +{{< multitabs id="download-sp-metadata" +tab1="Cluster Manager UI" +tab2="REST API" >}} + +To download the service provider's metadata using the Cluster Manager UI: + +1. Go to **Access Control > Single Sign-On**. + +1. 
In the **Service Provider (Redis) metadata** section, click the following buttons to download the service provider files needed to set up a SAML app: + + 1. **Public certificate** + + 1. **Metadata file** + + The service provider Redis metadata section. + +1. Optionally copy the following values for future SAML app setup in the identity provider. You can also find these values in the service provider's metadata file. + + 1. **SP entity ID**: `https:///sp` + + 1. **Assertion Consumer Service (ACS)**: `https://:8443/cluster/sso/saml/acs` + + 1. **Single Logout Service**: `https://:8443/cluster/sso/saml/slo` + +-tab-sep- + +To download the service provider's metadata using the REST API, use a [get SAML service provider metadata]({{}}) request. + +```sh +GET https://:/v1/cluster/sso/saml/metadata/sp +``` + +{{< /multitabs >}} + +Here's an abridged example of the service provider metadata XML: + +```xml + + ... + + ... + + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + + + Redis Cluster Enterprise - + Redis Cluster Enterprise SSO + + + + + + + +``` + +See [Metadata for the OASIS Security +Assertion Markup Language (SAML) +V2.0](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) for more information about the metadata fields. + +{{< note >}} +Redis Enterprise Software metadata expiration time is equivalent to the SSO service certificate's expiration time. The service provider metadata will only change if the service address used for the Assertion Consumer Service (ACS) and the single logout (SLO) URL is modified. +{{< /note >}} + +### Set up SAML app {#set-up-app} + +Set up a SAML app to integrate Redis Enterprise Software with your identity provider: + +1. Sign in to your identity provider's admin console. + +1. Create or add a SAML integration app for the service provider Redis Enterprise Software. For detailed setup instructions, see your identity provider's documentation. + +1. Configure the SAML app with the service provider metadata. 
+ + - Some identity providers let you upload the XML file directly. + + - Others require you to manually configure the service provider app with specific metadata fields, such as: + + | Setting | Value | Description | + |---------|-------|-------------| + | Audience URI (SP Entity ID) | `https://:8443/sp` | Unique URL that identifies the Redis Enterprise Software service provider.

Copy the **SP entity ID** from the **Access Control > Single Sign-On** page in the Cluster Manager UI or `EntityDescriptor`'s `entityID` in the metadata XML. | + | Single sign-on URL | `https://:8443/cluster/sso/saml/acs` | The service provider endpoint where the identity provider sends a SAML assertion that authenticates a user.

Copy the **Assertion Consumer Service (ACS)** from the **Access Control > Single Sign-On** page in the Cluster Manager UI or `AssertionConsumerService`'s `Location` in the metadata XML. | + | Name ID format | EmailAddress | | + | Application username | Email | | + +1. For the signature certificate, upload the Service Provider (Redis) public certificate. + +1. Enable signed requests. + +1. Optionally, you can enable single log-out (SLO) to allow users to automatically sign out of the the identity provider when they sign out of the Redis Enterprise Software Cluster Manager UI. Copy the **Single Logout Service** from the **Access Control > Single Sign-On** page in the Cluster Manager UI (`https://:8443/cluster/sso/saml/slo`) and configure it in the SAML app. + + {{< note >}} +Redis Enterprise Software only supports SP-initiated logout, where the user logs out from the Redis Enterprise Software Cluster Manager UI. IdP-initiated logout requests are not supported. + {{< /note >}} + +1. Set up your SAML service provider app so the SAML assertion contains the following attributes: + + | Attribute name (case-sensitive) | Description | + |-------------------------------------------|-------------| + | firstName | User's first name | + | lastName | User's last name | + | email | User's email address (used as the username in the Redis Enterprise Software Cluster Manager UI) | + | redisRoleMapping | String array that includes the role UID for role-based access control in Redis Enterprise Software. Only used for just-in-time (JIT) user provisioning. If a user already exists in Redis Enterprise Software, this attribute is ignored and their existing roles are preserved. | + + {{}} +To confirm the identity provider's SAML assertions contain the required attributes, you can use a SAML-tracer web developer tool to inspect them. + {{}} + +1. 
Set up any additional configuration required by your identity provider to ensure you can configure the `redisRoleMapping` attribute for SAML users. + + If your identity provider lets you configure custom attributes with workflows or group rules, you can set up automation to configure the `redisRoleMapping` field automatically instead of manually. + +### Download IdP metadata + +After you create the SAML app in your identity provider, retrieve the following information: + +| Setting | Description | +|---------|-------------| +| Issuer (IdP entity ID) | The unique entity ID for the identity provider | +| IdP server URL | The identity provider's HTTPS URL for SAML SSO | +| Single logout URL | The URL used to sign out of the identity provider and connected apps (optional) | +| Assertion signing certificate | Public SHA-256 certificate used to validate SAML assertions from the identity provider | + +You will use this certificate and metadata to configure the identity provider metadata in Redis Enterprise Software. To find these metadata values, see your identity provider's documentation. + +### Configure IdP metadata in Redis Enterprise Software {#configure-idp-metadata} + +After you set up the SAML integration app, you need to configure the identity provider metadata in your Redis Enterprise Software cluster. + +{{< multitabs id="configure-idp-metadata" +tab1="Cluster Manager UI" +tab2="REST API" >}} + +1. Sign in to the Redis Enterprise Software Cluster Manager UI using admin credentials. + +1. Go to **Access Control > Single Sign-On**. + +1. In the **Identity Provider metadata** section, click **Edit**. + +1. Enter the **Identity Provider metadata** settings. + + The identity provider metadata dialog. + +1. Click **Save**. + +-tab-sep- + +1. Upload your SAML app's assertion signing certificate using an [update cluster certificates]({{}}) REST API request. 
+ + ```sh + PUT https://:/v1/cluster/certificates + { + "certificates": [ + { + "name": "", + "certificate": "sso_issuer", + "key": "" + } + ] + } + ``` + +1. Configure the identity provider metadata using an [update SSO configuration]({{}}) REST API request. + + ```sh + PUT https://:/v1/cluster/sso + { + "protocol": "saml2", + "issuer": { + "id": "urn:sso:example:idp", + "login_url": "https://idp.example.com/sso/saml", + "logout_url": "https://idp.example.com/sso/slo" + } + } + ``` + +{{< /multitabs >}} + +### Assign SAML app to existing users + +In the identity provider's admin console: + +1. Create user profiles in the identity provider for existing Redis Enterprise Software users. Make sure each user's email address matches in the identity provider and Redis Enterprise Software. + + {{}} +You do not need to configure the `redisRoleMapping` attribute for existing Redis Enterprise Software users. Their current roles will be preserved, and the `redisRoleMapping` attribute is ignored if provided. + {{}} + +2. Assign the new SAML integration app to each user. + +See your identity provider's documentation for detailed instructions. + +### Activate SSO {#activate-sso} + +After you finish the required SAML SSO configuration between your identity provider and Redis Enterprise Software cluster, you can activate SSO. + +{{< multitabs id="activate-sso" +tab1="Cluster Manager UI" +tab2="REST API" >}} + +To activate single sign-on using the Cluster Manager UI: + +1. Go to **Access Control > Single Sign-On**. + +1. Click **Activate SSO**. + +-tab-sep- + +To activate single sign-on using the REST API, use an [update SSO configuration]({{}}) request. + +```sh +PUT https://:/v1/cluster/sso +{ + "control_plane": true +} +``` + +{{< /multitabs >}} + +## Add new users with JIT provisioning + +After single sign-on is activated for Redis Enterprise Software, you can create new Redis Enterprise Software users on the identity provider side using just-in-time (JIT) provisioning. + +1. 
In the identity provider's admin console, create a new user profile with a valid email address. See your identity provider's documentation for detailed instructions. + +1. Configure the `redisRoleMapping` and assign a Redis Enterprise Software role UID to the user. + + {{}} +To see a list of available role UIDs in your cluster, use a REST API request to [get all roles]({{}}): + +```sh +GET https://:/v1/roles +``` + {{}} + +1. Assign the new SAML integration app to the user. + +1. Redis Enterprise Software will create a new user with the mapped role the first time the new user signs in to the Cluster Manager UI using SSO. + + +## Enforce SSO + +If SSO is enforced for the cluster, non-admin users can no longer sign in with their previous usernames and passwords and must use SSO instead. + +{{< multitabs id="enforce-sso" +tab1="Cluster Manager UI" +tab2="REST API" >}} + +To enforce single sign-on using the Cluster Manager UI: + +1. Go to **Access Control > Single Sign-On**. + +1. Find **Fallback behavior** and click **Edit**. + +1. Select **Enforce SSO-only login**. + + Enforce SSO-only login is selected. + +1. Click **Save**. + +-tab-sep- + +To enforce single sign-on using the REST API, use an [update SSO configuration]({{}}) request. + +```sh +PUT https://:/v1/cluster/sso +{ + "enforce_control_plane": true +} +``` + +{{< /multitabs >}} + +## Update configuration {#update-config} + +If you change certain metadata or configuration settings after you set up SSO, such as the assertion signing certificate, remember to do the following: + +1. [Update the SAML SSO configuration](#configure-idp-metadata) with the new values. + +1. [Download the updated service provider metadata](#download-sp) and use it to update the Redis Enterprise Software service provider app. + +### Change SP address + +If your deployment's default service provider address is not accessible to external identity providers, you can change it to an external hostname. 
+ +{{}} +If you change the service address, the existing SSO integration will break because the metadata file, SP login and logout URLs, and entity ID will change to match the new address. You must update the service provider configuration on the identity provider's side after this change. +{{}} + +To change the service provider address, use an [update SSO configuration]({{}}) REST API request: + +```sh +PUT https://:/v1/cluster/sso +{ + "service": { + "address": "https://" + } +} +``` + +## Deactivate SSO + +{{< multitabs id="deactivate-sso" +tab1="Cluster Manager UI" +tab2="REST API" >}} + +To deactivate single sign-on using the Cluster Manager UI: + +1. Go to **Access Control > Single Sign-On**. + +1. Click **Deactivate SSO**. + +1. Click **Confirm**. + +-tab-sep- + +To deactivate single sign-on using the REST API, use an [update SSO configuration]({{}}) request. + +```sh +PUT https://:/v1/cluster/sso +{ + "control_plane": false +} +``` + +{{< /multitabs >}} diff --git a/content/operate/rs/security/certificates/_index.md b/content/operate/rs/security/certificates/_index.md index 7bb5c12c06..e7f700453d 100644 --- a/content/operate/rs/security/certificates/_index.md +++ b/content/operate/rs/security/certificates/_index.md 
@@ -29,9 +29,11 @@ Here's the list of supported certificates that create secure, encrypted connecti | `metrics_exporter` | | Sends Redis Enterprise metrics to external [monitoring tools]({{< relref "/operate/rs/monitoring/" >}}) over a secure connection. | | `mtls_trusted_ca` | :x: | Required to enable certificate-based authentication for secure, passwordless access to the REST API. | | `proxy` | | Creates secure, encrypted connections between clients and databases. | +| `sso_issuer` | :x: | Identity provider certificate for [single sign-on (SSO)]({{< relref "/operate/rs/security/access-control/saml-sso" >}}). | +| `sso_service` | :x: | Service provider certificate for [single sign-on (SSO)]({{< relref "/operate/rs/security/access-control/saml-sso" >}}). | | `syncer` | | For [Active-Active]({{< relref "/operate/rs/databases/active-active/" >}}) or [Replica Of]({{< relref "/operate/rs/databases/import-export/replica-of/" >}}) databases, encrypts data during the synchronization of participating clusters. | -Certificates that are not autogenerated are optional unless you want to use certain features. For example, you must provide your own `ldap_client` certificate to enable [LDAP authentication]({{}}) or an `mtls_trusted_ca` certificate to enable certificate-based authentication. +Certificates that are not autogenerated are optional unless you want to use certain features. For example, you must provide your own `ldap_client` certificate to enable [LDAP authentication]({{}}), an `mtls_trusted_ca` certificate to enable certificate-based authentication, or `sso_issuer` and `sso_service` certificates for [single sign-on (SSO)]({{}}). ## Accept self-signed certificates to access the Cluster Manager UI diff --git a/content/operate/rs/security/encryption/internode-encryption.md b/content/operate/rs/security/encryption/internode-encryption.md index 41ec34c033..bade69b083 100644 --- a/content/operate/rs/security/encryption/internode-encryption.md 
+++ b/content/operate/rs/security/encryption/internode-encryption.md @@ -137,6 +137,8 @@ Customer-provided internode encryption certificates must meet the following requ - Certificates must use an RSA key. Using other key types, such as ECDSA or EdDSA, might prevent internode encryption from working. +- Certificates must be created with the TLS Web Client Authentication attribute enabled. + ### Upload customer-provided certificates You can upload either: diff --git a/static/images/railroad/cluster-migration.svg b/static/images/railroad/cluster-migration.svg index d11b847be3..febec5c814 100644 --- a/static/images/railroad/cluster-migration.svg +++ b/static/images/railroad/cluster-migration.svg @@ -1,4 +1,4 @@ - + - + CLUSTER MIGRATION - - -IMPORT -start-slot -end-slot - -CANCEL - - -ID -task-id -ALL - -STATUS - - - -ID -task-id - - -ALL \ No newline at end of file + + +IMPORT + + +start-slot +end-slot + + +CANCEL + + +ID +task-id +ALL + +STATUS + + + + +ID +task-id + + +ALL \ No newline at end of file diff --git a/static/images/railroad/ft.hybrid.svg b/static/images/railroad/ft.hybrid.svg new file mode 100644 index 0000000000..2010cb4a50 --- /dev/null +++ b/static/images/railroad/ft.hybrid.svg 
@@ -0,0 +1,254 @@ + + + + + + + + +FT.HYBRID +index + +SEARCH +query + + + +SCORER +scorer + + + +YIELD_SCORE_AS +yield_score_as + +VSIM +field +vector + + + + +KNN +count + +K +k + + + +EF_RUNTIME +ef_runtime + + + +YIELD_SCORE_AS +yield_score_as + +RANGE +count + +RADIUS +radius + + + +EPSILON +epsilon + + + +YIELD_SCORE_AS +yield_score_as + + + +FILTER +filter + + + +COMBINE + + +RRF +count + + + +CONSTANT +constant + + + +WINDOW +window + + + +YIELD_SCORE_AS +yield_score_as + +LINEAR +count + + + + +ALPHA +alpha + +BETA +beta + + + +WINDOW +window + + + +YIELD_SCORE_AS +yield_score_as + + + +LIMIT +offset +num + + + + + +SORTBY +sortby + + + +ASC +DESC +NOSORT + + + +PARAMS +nargs + + +name +value + + + + +TIMEOUT +timeout + + + +FORMAT +format + + + + +LOAD +count + +field + + + +LOAD * + + + +GROUPBY +nproperties + +property + + + + + +REDUCE + +COUNT +COUNT_DISTINCT +COUNT_DISTINCTISH +SUM +MIN +MAX +AVG +STDDEV +QUANTILE +TOLIST +FIRST_VALUE +RANDOM_SAMPLE +nargs + +arg + + + + +AS +name + + + + + + +APPLY +expression + +AS +name + + + + +FILTER +filter \ No newline at end of file diff --git a/static/images/rc/button-access-management-user-key-create.png b/static/images/rc/button-access-management-user-key-create.png index d5ca94a7ed..18f59510d0 100644 Binary files a/static/images/rc/button-access-management-user-key-create.png and b/static/images/rc/button-access-management-user-key-create.png differ diff --git a/static/images/rc/langcache-add-attribute.png b/static/images/rc/langcache-add-attribute.png index bb8b2fd060..f3fb24d246 100644 Binary files a/static/images/rc/langcache-add-attribute.png and b/static/images/rc/langcache-add-attribute.png differ diff --git a/static/images/rc/langcache-attribute-settings.png b/static/images/rc/langcache-attribute-settings.png index 150038c267..eb9aeb0508 100644 Binary files a/static/images/rc/langcache-attribute-settings.png and b/static/images/rc/langcache-attribute-settings.png differ 
diff --git a/static/images/rc/langcache-custom-attributes.png b/static/images/rc/langcache-custom-attributes.png index e11dee8542..503fb6cc6b 100644 Binary files a/static/images/rc/langcache-custom-attributes.png and b/static/images/rc/langcache-custom-attributes.png differ diff --git a/static/images/rc/langcache-custom-service.png b/static/images/rc/langcache-custom-service.png new file mode 100644 index 0000000000..81a2928a23 Binary files /dev/null and b/static/images/rc/langcache-custom-service.png differ diff --git a/static/images/rc/langcache-embedding-settings.png b/static/images/rc/langcache-embedding-settings.png index 4d5b9c7e59..e5d0f58400 100644 Binary files a/static/images/rc/langcache-embedding-settings.png and b/static/images/rc/langcache-embedding-settings.png differ diff --git a/static/images/rc/langcache-general-settings.png b/static/images/rc/langcache-general-settings.png index 45ede217a1..6d38f0a3da 100644 Binary files a/static/images/rc/langcache-general-settings.png and b/static/images/rc/langcache-general-settings.png differ diff --git a/static/images/rc/langcache-metrics.png b/static/images/rc/langcache-metrics.png index 8d662be82f..9e7a089407 100644 Binary files a/static/images/rc/langcache-metrics.png and b/static/images/rc/langcache-metrics.png differ diff --git a/static/images/rc/langcache-new-service.png b/static/images/rc/langcache-new-service.png index 303b07d215..5e97b2298e 100644 Binary files a/static/images/rc/langcache-new-service.png and b/static/images/rc/langcache-new-service.png differ diff --git a/static/images/rc/langcache-quick-create.png b/static/images/rc/langcache-quick-create.png new file mode 100644 index 0000000000..f39ed118cb Binary files /dev/null and b/static/images/rc/langcache-quick-create.png differ 
diff --git a/static/images/rc/langcache-replace-key.png b/static/images/rc/langcache-replace-key.png index ada2f37e1c..b3e69cab65 100644 Binary files a/static/images/rc/langcache-replace-key.png and b/static/images/rc/langcache-replace-key.png differ diff --git a/static/images/rc/langcache-service-key.png b/static/images/rc/langcache-service-key.png index 29e645f24e..6188b7e960 100644 Binary files a/static/images/rc/langcache-service-key.png and b/static/images/rc/langcache-service-key.png differ diff --git a/static/images/rc/langcache-service-list.png b/static/images/rc/langcache-service-list.png index 84242e00e7..5cf6076015 100644 Binary files a/static/images/rc/langcache-service-list.png and b/static/images/rc/langcache-service-list.png differ diff --git a/static/images/rc/langcache-view-actions.png b/static/images/rc/langcache-view-actions.png index f9927b8905..a472747948 100644 Binary files a/static/images/rc/langcache-view-actions.png and b/static/images/rc/langcache-view-actions.png differ diff --git a/static/images/rc/langcache-view-attributes.png b/static/images/rc/langcache-view-attributes.png index 8658320897..0efca57e92 100644 Binary files a/static/images/rc/langcache-view-attributes.png and b/static/images/rc/langcache-view-attributes.png differ diff --git a/static/images/rc/langcache-view-connectivity.png b/static/images/rc/langcache-view-connectivity.png index 2ee3d143d4..2b36f20a26 100644 Binary files a/static/images/rc/langcache-view-connectivity.png and b/static/images/rc/langcache-view-connectivity.png differ diff --git a/static/images/rc/langcache-view-general.png b/static/images/rc/langcache-view-general.png index 1e2ccc40e8..889896176f 100644 Binary files a/static/images/rc/langcache-view-general.png and b/static/images/rc/langcache-view-general.png differ 
diff --git a/static/images/rs/screenshots/access-control/sso/edit-idp-metadata.png b/static/images/rs/screenshots/access-control/sso/edit-idp-metadata.png new file mode 100644 index 0000000000..a19c5055f1 Binary files /dev/null and b/static/images/rs/screenshots/access-control/sso/edit-idp-metadata.png differ diff --git a/static/images/rs/screenshots/access-control/sso/enforce-sso.png b/static/images/rs/screenshots/access-control/sso/enforce-sso.png new file mode 100644 index 0000000000..086971027f Binary files /dev/null and b/static/images/rs/screenshots/access-control/sso/enforce-sso.png differ diff --git a/static/images/rs/screenshots/access-control/sso/sp-metadata-after-cert-upload.png b/static/images/rs/screenshots/access-control/sso/sp-metadata-after-cert-upload.png new file mode 100644 index 0000000000..3cb0adee82 Binary files /dev/null and b/static/images/rs/screenshots/access-control/sso/sp-metadata-after-cert-upload.png differ diff --git a/static/images/rs/screenshots/access-control/sso/sso-before-config.png b/static/images/rs/screenshots/access-control/sso/sso-before-config.png new file mode 100644 index 0000000000..d4267bffe8 Binary files /dev/null and b/static/images/rs/screenshots/access-control/sso/sso-before-config.png differ
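Review bot: The SP entity ID is written two ways in the SAML SSO page. The "Service Provider (Redis) metadata" step lists **SP entity ID** as `https:///sp` with no port, while the "Set up SAML app" table gives Audience URI (SP Entity ID) as `https://:8443/sp`. The entity ID has to match exactly on both sides, so please pick the form that `EntityDescriptor`'s `entityID` in the metadata XML actually contains and use it in both places. In the same section, the single log-out step reads "sign out of the the identity provider"; drop the duplicated word.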
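Review bot: In the REST API tab of "Configure IdP metadata in Redis Enterprise Software", the `PUT /v1/cluster/certificates` example puts `sso_issuer` in the `certificate` field and leaves `name` empty, but the certificates table changed in this same patch lists `sso_issuer` as the certificate name. The two values look swapped; suggest `"name": "sso_issuer"` with a placeholder for the PEM text in `certificate`. The example also carries a `key` field, yet the "Download IdP metadata" table describes the assertion signing certificate as public, so either drop `key` from this request or say explicitly that it stays empty, so that no one reads the example as asking for the identity provider's private key.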
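Review bot: The new requirement in content/operate/rs/security/encryption/internode-encryption.md, "Certificates must be created with the TLS Web Client Authentication attribute enabled", does not say which certificate field it refers to. "TLS Web Client Authentication" is the display name of the `clientAuth` value of the X.509 Extended Key Usage extension, so naming the extension (for example "the Extended Key Usage extension must include TLS Web Client Authentication") would tell readers where to set it and how to check an existing certificate. It would also help to state whether TLS Web Server Authentication is required alongside it, since the bullet above only covers the key type.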