Installing the Vertica DB operator

The custom resource definition (CRD), DB operator, and admission controller work together to maintain the state of your environment and automate tasks:.

The custom resource definition (CRD), VerticaDB operator, and admission controller work together to maintain the state of your environment and automate tasks:

The CRD extends the Kubernetes API to provide custom objects. It serves as a blueprint for custom resource (CR) instances that specify the desired state of your environment.
The VerticaDB operator is a custom controller that monitors CR instances to maintain the desired state of VerticaDB objects. You can deploy one VerticaDB operator per namespace, and the operator monitors only the VerticaDB objects within that namespace.
The admission controller is a webhook that queries a REST endpoint to verify changes to mutable states in a CR instance.

Prerequisites

Kubernetes 1.21.1 and higher
Helm 3.5.0 and higher
kubectl command line tool

Installation options

Vertica provides two separate options to install the VerticaDB operator and admission controller:

OperatorHub.io
Helm charts. Helm chart installations include operator logging levels and log rotation policy. For details, see Helm chart parameters.

Note

Each install option has its own workflow that is incompatible with the other option. For example, you cannot install the VerticaDB operator with the Helm charts, and then deploy an operator in the same environment using OperatorHub.io.

OperatorHub.io

OperatorHub.io is a registry that allows vendors to share Kubernetes operators. Each vendor must adhere to packaging guidelines to simplify user adoption.

To install the VerticaDB operator from OperatorHub.io, navigate to the Vertica operator page and follow the install instructions.

Helm charts

Vertica packages VerticaDB operator and admission controller in a Helm chart. Vertica on Kubernetes allows one operator instance per namespace.

Important

Vertica recommends that you use Kubernetes 1.21.1 or later. Earlier versions require that you add the kubernetes.io/metadata.name=namespace-name label to each namespace that contains an operator.

Configuring TLS for the admission controller

Before you can install the VerticaDB Helm chart, you must configure TLS for the admission controller. The admission controller uses a webhook that requires TLS certificates for data encryption. Choose one of the following data encryption options:

cert-manager to generate and manage certificates. For environments that use a self-signed certificate authority (CA), Vertica recommends using cert-manager.
Custom certificates

By default, the custom resource uses cert-manager unless you provide custom certificates. You cannot install the VerticaDB operator Helm chart if you do not install cert-manager or provide custom certificates.

Installing cert-manager

cert-manager is available as a YAML manifest in a GitHub repository.

Use kubectl to install cert-manager:

$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml

Installation might take a few minutes.

Verify the cert-manager installation:

$ kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-7dd5854bb4-skks7              1/1     Running   5          12d
cert-manager-cainjector-64c949654c-9nm2z   1/1     Running   5          12d
cert-manager-webhook-6bdffc7c9d-b7r2p      1/1     Running   5          12d

For additional details about cert-manager install verification, see the cert-manager documentation.

Defining custom certificates

Custom certificates require a TLS key that sets the Subjective Alternative Name (SAN) using the admission controller webhook's fully-qualified domain name (FDQN). You can set the SAN in a configuration file with the following format:

[alt_names]
DNS.1 = verticadb-operator-webhook-service.namespace.svc
DNS.2 = verticadb-operator-webhook-service.namespace.svc.cluster.local

For more information about TLS and Vertica, see TLS protocol.

When you install the VerticaDB operator and admission controller Helm chart, you can pass parameters to customize the Helm chart. Conceal custom certificates in a Secret before you pass them as parameters. The following command creates a Secret that stores the TLS key, TLS certificate, and CA certificate:

$ kubectl create secret generic tls-secret --from-file=tls.key=/path/to/tls.key --from-file=tls.crt=/path/to/tls.crt --from-file=ca.crt=/path/to/ca.crt

Use tls-secret when you install the VerticaDB operator and admission controller Helm chart. For a detailed example, see Helm chart parameters.

Granting operator privileges

You must have cluster administrator privileges to install the operator Helm chart. In some circumstances, you might want to authorize a user with lesser privileges to install the operator in a specific namespace. You can grant these operator privileges with a preconfigured Kubernetes service account.

Vertica leverages Kubernetes RBAC to authorize service accounts with the privileges to perform operator actions. You can grant operator privileges to a Role resource type, then define a RoleBinding resource type that associates that Role with a service account. Any user can pass the service account name to the helm install command with the serviceAccountOverride parameter and install the operator.

The following steps use a YAML file, default-rbac.yaml. This sample file defines a ServiceAccount, Roles, and RoleBindings to grant the required privileges to the service account. It is available in the vertica-kubernetes GitHub repository:

Apply default-rbac.yaml to the namespace:

$ kubectl apply -n namespace -f https://github.com/vertica/vertica-kubernetes/releases/download/v1.4.0/default-rbac.yaml

Verify the changes with kubectl get:

Service account:

$ kubectl get serviceaccounts
NAME                                    SECRETS   AGE
default                                 1         71m
verticadb-operator-controller-manager   1         69m

Roles in the correct namespace:

$ kubectl get roles -n namespace
NAME                                      CREATED AT
verticadb-operator-leader-election-role   2022-04-14T16:26:53Z
verticadb-operator-manager-role           2022-04-14T16:26:53Z

RoleBindings in the correct namespace:

$ kubectl get rolebinding -n namespace
NAME                                             ROLE                                           AGE
verticadb-operator-leader-election-rolebinding   Role/verticadb-operator-leader-election-role   73m
verticadb-operator-manager-rolebinding           Role/verticadb-operator-manager-role           73m

Installing the helm chart

Before you can install the Helm chart, you must configure TLS for the admission controller with one of the following options:

Installing cert-manager
Defining Custom Certificates

The following install steps use custom certificates:

Add the Vertica helm charts to you repository. The following command installs the CRD Helm chart and names it vertica-charts for future reference:
```
$ helm repo add vertica-charts https://vertica.github.io/charts
```
Update your Helm repository to ensure that you are using the latest version of your repository:
```
$ helm repo update vertica-charts
```
Install the operator Helm chart. The following examples demonstrate the most common Helm chart configurations. For details about the Helm chart options and parameters, see Helm chart parameters.

Note
Each of the following commands include the --create-namespace option to create the provided namespace if it does not exist. If you do not provide the namespace during install, Helm installs the operator in the current namespace that is defined in the kubectl configuration file.

Enter one of the following commands to customize your Helm chart installation:
- Default configuration. The following command requires cluster administrator privileges:
```
$ helm install operator-name --namespace namespace --create-namespace vertica-charts/verticadb-operator
```
- Custom certificates. Pass custom certificates with the webhook.caBundle and webhook.tlsSecret. The following command requires cluster administrator privileges, and uses the tls-secret Secret created in Defining Custom Certificates:
```
$ helm install operator-name --namespace namespace --create-namespace vertica-charts/verticadb-operator \
    --set webhook.caBundle=$(cat /path/to/root.pem | base64 --wrap 0) \
    --set webhook.tlsSecret=tls-secret
```
- Service account override. Use service accounts to allow users without cluster administrator privileges to install the operator. Pass the service account with the serviceAccountNameOverride parameter:
```
$ helm install operator-name --namespace namespace --create-namespace vertica-charts/verticadb-operator \
    --set serviceAccountNameOverride=service-account-name
```
  For details, see Granting Operator Installation Privileges.
- Do not install the admission controller webhook. Deploying the webhook requires cluster-scoped privileges that are not required to install the operator. If you use a service account that is granted the privileges required to install the operator but not the webhook, provide the service account with serviceAccountNameOverride, and set webhook.enable to false to deploy only the operator:
```
$ helm install operator-name --namespace namespace --create-namespace vertica-charts/verticadb-operator \
    --set serviceAccountNameOverride=service-account-name
    --set webhook.enable=false
```
  Caution
  Webhooks prevent invalid state changes to the custom resource. Running Vertica on Kubernetes without webhook validations might result in invalid state transitions.

For additional details about helm install, see the official documentation.

Installing the Vertica DB operator

Prerequisites

Installation options

Note

OperatorHub.io

Helm charts

Important

Configuring TLS for the admission controller

Installing cert-manager

Defining custom certificates

Granting operator privileges

Installing the helm chart

Note

Caution