restatedev/restate-operator

Restate Operator

A Kubernetes operator that creates Restate clusters. Supported features:

  • Online volume expansion
  • Network security via NetworkPolicy
  • Manage credentials using EKS Pod Identity
  • Manage security groups using Security Groups for Pods
  • Sign requests using private keys from Secrets or CSI Secret Store

Usage

Installing

helm install restate-operator oci://ghcr.io/restatedev/restate-operator-helm --namespace restate-operator --create-namespace

Creating a cluster

The operator watches RestateCluster objects, which are not namespaced. A Namespace with the same name as the RestateCluster will be created, in which a StatefulSet, Service, and NetworkPolicies are created.

An example RestateCluster:

apiVersion: restate.dev/v1
kind: RestateCluster
metadata:
  name: restate-test
spec:
  compute:
    image: restatedev/restate:0.8.0
  storage:
    storageRequestBytes: 2147483648 # 2 GiB

For the full schema as a Pkl template see crd/RestateCluster.pkl.

EKS Pod Identity

EKS Pod Identity is a convenient way to share a single AWS role among many Restate clusters, where the AWS identities contain tags detailing their Kubernetes identity. This can be useful for access control, e.g. 'Restate clusters in namespace my-cluster may call this Lambda'.

This operator can create objects for the AWS ACK EKS controller such that pod identity associations are created for each RestateCluster. To enable this functionality, the operator must be started with knowledge of the EKS cluster name, by setting awsPodIdentityAssociationCluster in the Helm chart. If this option is set, the ACK CRDs must be installed or the operator will fail to start. You may then provide awsPodIdentityAssociationRoleArn in the RestateCluster spec.
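
The access-control rule quoted above ('Restate clusters in namespace my-cluster may call this Lambda') can be written as an IAM permissions policy on the shared role, conditioned on the session tags that EKS Pod Identity attaches to the credentials. This is an added example, not part of the operator's repository. The region, account ID, function name and EKS cluster name are constructed placeholders, and the namespace value is the RestateCluster name, since the operator creates a Namespace with that name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConstructedExampleRestateNamespaceMayInvoke",
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-handler",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/eks-cluster-name": "example-eks-cluster",
          "aws:PrincipalTag/kubernetes-namespace": "my-cluster"
        }
      }
    }
  ]
}
```

Pinning eks-cluster-name as well as kubernetes-namespace keeps a namespace of the same name in a different EKS cluster from satisfying the condition when the role is shared across clusters.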

EKS Security Groups for Pods

EKS Security Groups for Pods allows you to isolate pods into separate AWS Security Groups, a powerful security primitive that can help you limit Restate to public IP access, as well as obtain VPC flow logs.

The operator can create SecurityGroupPolicy objects which put Restate pods into a set of Security Groups. If this CRD is installed, you may provide awsPodSecurityGroups in the RestateCluster spec.

Releasing

  1. Update the version in charts/restate-operator/Chart.yaml and the version in Cargo.{toml,lock}, e.g. to 0.0.2
  2. Push a new tag v0.0.2
  3. Accept the draft release once the workflow finishes