Production Install
This guide installs Bloodraven for production. For a quick first run, use Getting Started or the Playground instead.
Prerequisites
- Kubernetes 1.27 or newer.
- Helm 3.
- Nodes labelled by site as described in Placement Contract.
- A tested StorageClass for MySQL PVCs.
- external-dns and the `externaldns.k8s.io/v1alpha1` `DNSEndpoint` CRD.
- cert-manager when using `spec.tls.issuerRef`.
- Prometheus and Grafana if you want the shipped monitoring path.
- Object storage or PVC storage for backups.
- Dragonfly v1.38.0+ image access if you enable `spec.dragonfly` for cache/session co-management.
Namespace layout
| Namespace | Contains |
|---|---|
| bloodraven | Operator Deployment, RBAC, metrics Service |
| orders | MysqlFailoverGroup, MySQL pods, app-facing Services, backup Jobs |
| monitoring | Prometheus, Grafana, alert rules, dashboard ConfigMaps |
Install CRDs
GitOps users should choose one owner for CRDs. Do not let both Helm and a separate CRD application race to own the same files.
```shell
helm upgrade --install bloodraven bloodraven/bloodraven \
  --namespace bloodraven \
  --create-namespace
```
Helm installs CRDs from the chart's crds/ directory on first install. If CRDs are managed separately:
```shell
kubectl apply -f https://raw.githubusercontent.com/ShipStream/bloodraven/main/config/crd/bases/shipstream.io_mysqlfailovergroups.yaml
kubectl apply -f https://raw.githubusercontent.com/ShipStream/bloodraven/main/config/crd/bases/shipstream.io_mysqlbackups.yaml
kubectl apply -f https://raw.githubusercontent.com/ShipStream/bloodraven/main/config/crd/bases/shipstream.io_mysqlbackupverifications.yaml
```
Then install the operator chart after the platform CRD app has applied the CRDs. Helm does not upgrade CRDs in crds/; apply CRD updates explicitly during upgrades.
Helm values
```yaml
image:
  repository: ghcr.io/shipstream/bloodraven
  tag: "0.1.6"
  pullPolicy: IfNotPresent
replicaCount: 1
leaderElection:
  enabled: true
metrics:
  service:
    enabled: true
  serviceMonitor:
    enabled: true
    interval: 30s
    scrapeTimeout: 10s
    labels:
      release: kube-prometheus-stack
grafanaDashboards:
  enabled: true
  namespace: monitoring
  folder: Bloodraven
auxiliary:
  service:
    enabled: false
  wsAllowedOrigins: "https://dashboard.example.com"
```
Apply:
```shell
helm upgrade --install bloodraven bloodraven/bloodraven \
  --namespace bloodraven \
  --create-namespace \
  --values bloodraven-values.yaml
```
NetworkPolicy recommendations
Allow only these paths:
| Source | Destination | Port | Why |
|---|---|---|---|
| Operator | Kubernetes API | 443 | Reconcile CRDs, Services, Events, Jobs |
| Operator | MySQL pods | 3306 | Health, promotion, user management |
| Operator | Dragonfly Services | 6379, admin port 9999 by default | Optional Dragonfly observation, replication wiring, promotion, and snapshot upgrade |
| MySQL sidecar | Kubernetes API | 443 | Lease and fencing coordination |
| Prometheus | Operator metrics Service | 8080 | Metrics scraping |
| Applications | Primary and replica Services | 3306 | Data plane |
| Applications | Active Dragonfly Service | 6379 | Optional Redis-compatible cache/session data plane |
| Backup Jobs | S3 endpoint | 443 | Backup artifacts |
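The following NetworkPolicy is an added example of how the operator rows of the table above can be expressed for the `bloodraven` namespace; it is not shipped with the Bloodraven chart. It assumes the operator pods carry the label `app.kubernetes.io/name: bloodraven`, MySQL pods in `orders` carry `app.kubernetes.io/name: mysql`, Prometheus pods in `monitoring` carry `app.kubernetes.io/name: prometheus`, and `10.0.0.1/32` is a placeholder for your API server address. It also adds an egress rule to cluster DNS, which the table does not list but which a default-deny egress policy would otherwise block.

```yaml
# Added example, not part of the Bloodraven docs or chart.
# Assumptions (adjust to your cluster):
#   - operator pods carry label app.kubernetes.io/name=bloodraven
#   - MySQL pods in the orders namespace carry label app.kubernetes.io/name=mysql
#   - Prometheus pods in the monitoring namespace carry label app.kubernetes.io/name=prometheus
#   - 10.0.0.1/32 is a placeholder for the API server address
#     (look it up with: kubectl get endpoints kubernetes -n default)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: bloodraven-operator
  namespace: bloodraven
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: bloodraven
  # Selecting both types turns everything not listed below into a deny.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Prometheus -> operator metrics Service (8080)
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Operator -> Kubernetes API (443); the API server is not a selectable
    # pod, so an ipBlock is used here
    - to:
        - ipBlock:
            cidr: 10.0.0.1/32
      ports:
        - protocol: TCP
          port: 443
    # Operator -> MySQL pods in the orders namespace (3306)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: orders
          podSelector:
            matchLabels:
              app.kubernetes.io/name: mysql
      ports:
        - protocol: TCP
          port: 3306
    # Cluster DNS (not in the table above; required to resolve Service names
    # once egress is default-deny)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

If `spec.dragonfly` is enabled, add a further egress rule from the operator to the Dragonfly Services on 6379 and the admin port (9999 by default). Check the port reported by `kubectl get endpoints kubernetes -n default` before relying on 443 for the API server rule, and write matching policies in `orders` and `monitoring` for the sidecar, application and backup rows, since a NetworkPolicy only governs pods in its own namespace.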
Post-install verification
```shell
kubectl rollout status deployment/bloodraven -n bloodraven
kubectl get crd mysqlfailovergroups.shipstream.io mysqlbackups.shipstream.io mysqlbackupverifications.shipstream.io
kubectl get service -n bloodraven
kubectl auth can-i list mysqlfailovergroups.shipstream.io --as=system:serviceaccount:bloodraven:bloodraven
```
Before production traffic
- Complete Production Hardening.
- Create per-role credentials with Credentials and TLS.
- Configure Prometheus and Grafana.
- Configure S3 backups or PVC backups.
- If using Dragonfly, configure application Redis clients to use `<group>-dragonfly` and validate `status.dragonfly.phase=Ready`.
- Run a planned failover in a staging environment.