Manage Redis Services Using the Declarative Cluster API in KubeBlocks

This guide provides step-by-step instructions for exposing Redis services managed by KubeBlocks, both externally and internally. You'll learn to configure external access using cloud provider LoadBalancer services, manage internal services, and properly disable external exposure when no longer needed.

Prerequisites

Before proceeding, ensure the following:

Environment Setup:
- A Kubernetes cluster is up and running.
- The kubectl CLI tool is configured to communicate with your cluster.
- KubeBlocks CLI and KubeBlocks Operator are installed. Follow the installation instructions here.
Namespace Preparation: To keep resources isolated, create a dedicated namespace for this tutorial:

kubectl create ns demo
namespace/demo created

Deploy a Redis Replication Cluster

KubeBlocks uses a declarative approach for managing Redis Replication Clusters. Below is an example configuration for deploying a Redis Replication Cluster with two components, redis and redis sentinel.

Apply the following YAML configuration to deploy the cluster:

apiVersion: apps.kubeblocks.io/v1
kind: Cluster
metadata:
  name: redis-replication
  namespace: demo
spec:
  terminationPolicy: Delete
  clusterDef: redis
  topology: replication
  componentSpecs:
    - name: redis
      serviceVersion: "7.2.4"
      disableExporter: false
      replicas: 2
      resources:
        limits:
          cpu: '0.5'
          memory: 0.5Gi
        requests:
          cpu: '0.5'
          memory: 0.5Gi
      volumeClaimTemplates:
        - name: data
          spec:
            storageClassName: ""
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 20Gi
    - name: redis-sentinel
      replicas: 3
      resources:
        limits:
          cpu: '0.5'
          memory: 0.5Gi
        requests:
          cpu: '0.5'
          memory: 0.5Gi
      volumeClaimTemplates:
        - name: data
          spec:
            storageClassName: ""
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 20Gi

Verifying the Deployment

Monitor the cluster status until it transitions to the Running state:

kubectl get cluster redis-replication -n demo -w

Expected Output:

NAME                CLUSTER-DEFINITION   TERMINATION-POLICY   STATUS    AGE
redis-replication   redis                Delete               Running   3m49s

Check the pod status and roles:

kubectl get pods -l app.kubernetes.io/instance=redis-replication -L  kubeblocks.io/role -n demo

Expected Output:

NAME                                 READY   STATUS    RESTARTS   AGE     ROLE
redis-replication-redis-0            3/3     Running   0          3m38s   primary
redis-replication-redis-1            3/3     Running   0          3m16s   secondary
redis-replication-redis-sentinel-0   2/2     Running   0          4m35s
redis-replication-redis-sentinel-1   2/2     Running   0          4m17s
redis-replication-redis-sentinel-2   2/2     Running   0          3m59s

Once the cluster status becomes Running, your Redis cluster is ready for use.

TIP

If you are creating the cluster for the very first time, it may take some time to pull images before running.

View Network Services

List the Services created for the Redis cluster:

kubectl get service -l app.kubernetes.io/instance=redis-replication -n demo

Example Services:

NAME                                              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)     AGE
redis-replication-redis-redis                     ClusterIP   10.96.102.140   <none>        6379/TCP    31s
redis-replication-redis-sentinel-redis-sentinel   ClusterIP   10.96.157.4     <none>        26379/TCP   51s

Expose Redis Service

External service addresses enable public internet access to Redis, while internal service addresses restrict access to the user's VPC.

Service Types Comparison

Type	Use Case	Cloud Cost	Security
ClusterIP	Internal service communication	Free	Highest
NodePort	Development/testing	Low	Moderate
LoadBalancer	Production external access	High	Managed via security groups

Option 1: Using OpsRequest

To expose the Redis service externally using a LoadBalancer, create an OpsRequest resource:

apiVersion: operations.kubeblocks.io/v1alpha1
kind: OpsRequest
metadata:
  name: redis-replication-expose-enable-ops
  namespace: demo
spec:
  type: Expose
  clusterName: redis-replication
  expose:
  - componentName: redis
    services:
    - name: internet
      # Determines how the Service is exposed. Defaults to 'ClusterIP'.
      # Valid options are 'ClusterIP', 'NodePort', and 'LoadBalancer'.
      serviceType: LoadBalancer
      # Contains cloud provider related parameters if ServiceType is LoadBalancer.
      # Following is an example for AWS EKS
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: nlb
        service.beta.kubernetes.io/aws-load-balancer-internal: "false"  # or "true" for an internal VPC IP
      # Specifies a role to target with the service.
      # If specified, the service will only be exposed to pods with the matching
      # role.
      roleSelector: primary
    switch: Enable

Wait for the OpsRequest to complete:

kubectl get ops redis-replication-expose-enable-ops -n demo

Example Output:

NAME                                  TYPE     CLUSTER             STATUS    PROGRESS   AGE
redis-replication-expose-enable-ops   Expose   redis-replication   Succeed   1/1        31s

Option 2: Using Cluster API

Alternatively, update the spec.services section in the Cluster resource to include a LoadBalancer service:

apiVersion: apps.kubeblocks.io/v1
kind: Cluster
metadata:
  name: redis-replication
  namespace: demo
spec:
  terminationPolicy: Delete
  clusterDef: redis
  topology: replication
  # expose a external service
  services:
    - annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: nlb  # Use Network Load Balancer
        service.beta.kubernetes.io/aws-load-balancer-internal: "false"  # or "true" for an internal VPC IP
      componentSelector: redis
      name: redis-internet
      serviceName: redis-internet
      roleSelector: primary
      spec:
        ipFamilyPolicy: PreferDualStack
        ports:
          - name: redis
            port: 6379
            protocol: TCP
            targetPort: redis
        type: LoadBalancer
  componentSpecs:
  ...

The YAML configuration above adds a new external service under the services section. This LoadBalancer service includes annotations for AWS Network Load Balancer (NLB).

NOTE

Cloud Provider Annotations

When using a LoadBalancer service, you must include the appropriate annotations specific to your cloud provider. Below is a list of commonly used annotations for different cloud providers:

service.beta.kubernetes.io/aws-load-balancer-type: nlb  # Use Network Load Balancer
service.beta.kubernetes.io/aws-load-balancer-internal: "true"  # Use "false" for internet-facing LoadBalancer

Azure

service.beta.kubernetes.io/azure-load-balancer-internal: "true" # Use "false" for internet-facing LoadBalancer

networking.gke.io/load-balancer-type: "Internal"  # Restricts the LoadBalancer to internal VPC access only. Defaults to internet-facing if not specified.
cloud.google.com/l4-rbs: "enabled" # Optimization for internet-facing LoadBalancer

Alibaba Cloud

service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: "internet"  # Use "intranet" for internal-facing LoadBalancer

NOTE

The service.beta.kubernetes.io/aws-load-balancer-internal annotation controls whether the LoadBalancer is internal or internet-facing. Note that this annotation cannot be modified dynamically after service creation.

  service.beta.kubernetes.io/aws-load-balancer-internal: "false"  # Use "true" for internal VPC IPs

If you change this annotation from "false" to "true" after the Service is created, the annotation may update in the Service object, but the LoadBalancer will still retain its public IP.

To properly modify this behavior:

First, delete the existing LoadBalancer service.
Recreate the service with the updated annotation (service.beta.kubernetes.io/aws-load-balancer-internal: "true").
Wait for the new LoadBalancer to be provisioned with the correct internal or external IP.

Wait for the Cluster status to transition to Running using the following command:

kubectl get cluster redis-replication -n demo -w

NAME         CLUSTER-DEFINITION   TERMINATION-POLICY   STATUS    AGE
redis-replication   redis           Delete               Running   18m

Verify the Exposed Service

Check the service details to confirm the LoadBalancer service is created:

kubectl get service -l app.kubernetes.io/instance=redis-replication -n demo

Example Output:

NAME                               TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)             AGE
redis-replication-redis-internet   LoadBalancer   172.20.60.24   <EXTERNAL-IP> 6379:31243/TCP      1m

Wait for DNS Propagation

The LoadBalancer DNS name may take 2-5 minutes to become resolvable. Verify the resolution status:

nslookup <EXTERNAL-IP>  # replace <EXTERNAL-IP> with the real IP from previous output.

Connect to Redis Externally

Retrieve Credentials

KubeBlocks automatically creates a Secret containing the Redis default credentials. Retrieve the Redis default credentials:

NAME=`kubectl get secrets -n demo redis-replication-redis-account-default -o jsonpath='{.data.username}' | base64 -d`
PASSWD=`kubectl get secrets -n demo redis-replication-redis-account-default -o jsonpath='{.data.password}' | base64 -d`

Connect Using Redis Client

You can now connect to the Redis database externally (e.g., from your laptop or EC2):

redis-cli -h <EXTERNAL_IP> -a ${PASSWD}

Disable External Exposure

Option 1: Using OpsRequest

To disable external access, create an OpsRequest:

apiVersion: operations.kubeblocks.io/v1alpha1
kind: OpsRequest
metadata:
  name: redis-replication-expose-disable-ops
  namespace: demo
spec:
  clusterName: redis-replication
  expose:
  - componentName: redis
    services:
    - name: internet
      roleSelector: primary
      serviceType: LoadBalancer
    switch: Disable
  preConditionDeadlineSeconds: 0
  type: Expose

Wait for the OpsRequest to complete:

kubectl get ops redis-replication-expose-disable-ops -n demo

Example Output:

NAME                                   TYPE     CLUSTER      STATUS    PROGRESS   AGE
redis-replication-expose-disable-ops   Expose   redis-replication   Succeed   1/1        12s

Option 2: Using Cluster API

Alternatively, remove the spec.services field from the Cluster resource:

kubectl patch cluster redis-replication -n demo --type=json -p='[
  {
    "op": "remove",
    "path": "/spec/services"
  }
]'

Monitor the cluster status until it is Running:

kubectl get cluster redis-replication -n demo -w

NAME                CLUSTER-DEFINITION   TERMINATION-POLICY   STATUS    AGE
redis-replication   redis           Delete               Running   23m

Verify Service Removal

Ensure that the 'redis-replication-redis-internet' Service is removed:

kubectl get service -l app.kubernetes.io/instance=redis-replication -n demo

Expected Result: The 'redis-replication-redis-internet' Service should be removed.

Cleanup

To remove all created resources, delete the Redis cluster along with its namespace:

kubectl delete cluster redis-replication -n demo
kubectl delete ns demo

Summary

This guide demonstrated how to:

Expose a Redis service externally or internally using KubeBlocks.
Configure LoadBalancer services with cloud provider-specific annotations.
Manage external access by enabling or disabling services via OpsRequest or direct updates to the Cluster API.

KubeBlocks provides flexibility and simplicity for managing MySQL services in Kubernetes environments. simplicity for managing Redis services in Kubernetes environments.