Introduction
Radar Collector collects Redis metrics from configured deployments and sends them to the Radar server via gRPC.
Supported Deployment Types
- Standalone Redis instances
- Redis Enterprise clusters (REST API integration)
- Redis Cluster (OSS) with automatic node discovery
- Redis Sentinel
Features
- Monitor multiple Redis deployments from a single collector
- YAML configuration with environment variable expansion
- Offline collection mode with configurable data redaction
- gRPC communication with API key authentication
- Configuration validation and connection testing
- Signal handling for graceful shutdown (SIGINT, SIGTERM)
- Configurable logging levels with JSON output option
Quick Start
- Install the radar-collector binary
- Configure your Redis deployments
- Validate your configuration
- Run the radar-collector
Architecture
Single-binary design with:
- Configuration layer - YAML parsing with environment variable expansion
- Collection layer - Per-deployment type collectors
- gRPC layer - Communication with Radar server
- Redaction layer - Privacy controls for sensitive data
Installation
Download the radar-collector binary for your platform from the releases page.
Binary Installation
# Download binary (replace VERSION and PLATFORM)
curl -LO https://github.com/redis-field-engineering/radar-collector/releases/download/VERSION/radar-collector-PLATFORM
# Make executable
chmod +x radar-collector-PLATFORM
mv radar-collector-PLATFORM /usr/local/bin/radar-collector
# Verify installation
radar-collector --version
Docker
Pull the Docker image:
docker pull ghcr.io/redis-field-engineering/radar-collector:latest
Run with configuration file:
docker run -v /path/to/config.yml:/config.yml ghcr.io/redis-field-engineering/radar-collector:latest --config /config.yml
Next Steps
Configuration
Radar Collector uses a YAML configuration file. Default location is radar-collector.yml in the current directory. Use --config to specify a different file.
Basic Example
collector:
id: radar-collector-001
collection_interval: 60s
server:
grpc_url: https://grpc.radar.redis.io:443 # Production Radar gRPC endpoint
api_key: ${RADAR_API_KEY}
deployments:
- id: redis-local
name: Local Redis
type: standalone
redis_url: redis://localhost:6379
Configuration Sections
collector
Collector settings:
id- Unique collector identifier (required)collection_interval- How often to collect (default: 60s)output_directory- Directory for offline collections (default: current directory)redaction_level- Default redaction level:none,credentials,all(default: all)
server
Server connection:
grpc_url- Radar server gRPC endpoint (required)api_key- Authentication key (required)timeout- Request timeout (default: 30s)
deployments
List of Redis deployments to monitor. Each deployment needs:
id- Unique identifier (required)name- Display name (required)type- Deployment type (required)
Type-specific fields vary. See Deployment Types for details.
Environment Variables
Use ${VAR} or ${VAR:-default} syntax:
server:
api_key: ${RADAR_API_KEY}
grpc_url: ${RADAR_SERVER:-https://grpc.radar.redis.io:443}
Further Reading
- Deployment Types - Configure Standalone, Enterprise, Cluster, Sentinel
- Credentials & Security - Authentication and TLS
- Configuration Schema - Complete reference
Deployment Types
Radar Collector supports multiple Redis deployment types. Each type has specific configuration requirements.
Standalone Deployments
Monitor single Redis instances.
Configuration
deployments:
- id: "cache-01"
name: "cache-server"
type: "standalone"
redis_url: "redis://redis.example.com:6379"
credentials:
password: "${REDIS_PASSWORD}" # Optional
For TLS connections:
deployments:
- id: "cache-tls-01"
name: "cache-server-tls"
type: "standalone"
redis_url: "rediss://redis.example.com:6380" # rediss:// for TLS
credentials:
password: "${REDIS_PASSWORD}"
Environment Variables
# When only one standalone deployment exists
export REDIS_HOST=localhost
export REDIS_PORT=6379
export REDIS_PASSWORD=mypassword
Data Collected
- Server info (version, uptime, memory)
- Configuration settings
- Client connections
- Replication status
- Persistence info (RDB/AOF)
- Performance metrics
Enterprise Deployments
Monitor Redis Enterprise clusters via REST API.
Configuration
deployments:
- id: "ent-prod"
name: "production-enterprise"
type: "enterprise" # Case-insensitive
rest_api:
host: "enterprise.example.com"
port: 9443
use_tls: true
insecure: false # Set true for self-signed certs
enterprise_admin_url: "https://enterprise.example.com:8443" # Optional UI URL
enterprise:
db_endpoint: "external_ip" # Options: external_ip, internal_ip, dns (default: external_ip)
credentials:
rest_api:
basic_auth: "admin@redis.local:${ENTERPRISE_PASSWORD}"
Fields Explained
rest_api section (top-level, required):
host: REST API hostname or IP addressport: REST API port (typically 9443)use_tls: Whether to use HTTPS (typically true for production)insecure: Set totrueto skip certificate verification for self-signed certificatesenterprise_admin_url: Optional UI URL for reference only (not used for data collection)
enterprise section (top-level, optional):
db_endpoint: How to report database endpoints -external_ip(default),internal_ip, ordns
credentials.rest_api (required):
basic_auth: Authentication inusername:passwordformat (e.g.,"admin@cluster.local:password123")
Alternative Configuration (Compatibility)
For backward compatibility, enterprise_api is also supported as an alias for rest_api in the credentials section:
deployments:
- id: "ent-prod"
name: "production-enterprise"
type: "enterprise"
rest_api:
host: "enterprise.example.com"
port: 9443
use_tls: true
insecure: true
credentials:
enterprise_api: # Alternative to rest_api (both work)
basic_auth: "admin@redis.local:${ENTERPRISE_PASSWORD}"
Environment Variables
# Override by deployment ID (uses uppercased ID with underscores)
export RADAR_ENTERPRISE_ENT_PROD_REST_API_URL=https://new-url:9443
export RADAR_ENTERPRISE_ENT_PROD_USERNAME=admin@redis.local
export RADAR_ENTERPRISE_ENT_PROD_PASSWORD=newpassword
export RADAR_ENTERPRISE_ENT_PROD_INSECURE=true
Data Collected
- Cluster topology and nodes
- Database configurations
- License information
- Memory and storage metrics
- Replication status
- Module information
Cluster Deployments
Monitor Redis OSS clusters with automatic node discovery.
Configuration
deployments:
- id: "cluster-01"
name: "main-cluster"
type: "cluster" # Case-insensitive
redis_urls:
- "cluster1.example.com:7000"
- "cluster2.example.com:7000"
- "cluster3.example.com:7000"
credentials:
password: "${CLUSTER_PASSWORD}" # Optional
Note: The collector automatically discovers all cluster nodes from the seed nodes specified in redis_urls.
Discovery
- Connects to seed nodes
- Runs
CLUSTER NODESto discover topology - Collects from all discovered nodes
- Handles node failures gracefully
Data Collected
- Full cluster topology
- Slot distribution
- Node roles (master/replica)
- Node health status
- Per-node metrics (memory, clients, ops)
- Cluster-wide statistics
Sentinel Deployments
Monitor Redis high-availability setups with Sentinel.
Configuration
deployments:
- id: "sentinel-01"
name: "ha-redis"
type: "sentinel" # Case-insensitive
master_name: "mymaster"
sentinel_urls:
- "sentinel1.example.com:26379"
- "sentinel2.example.com:26379"
- "sentinel3.example.com:26379"
credentials:
password: "${REDIS_PASSWORD}" # Redis instance password
sentinel_password: "${SENTINEL_PASSWORD}" # Sentinel password (if different)
Discovery
- Connects to Sentinels
- Discovers monitored masters
- Finds replicas for each master
- Handles Sentinel failures with fallback
Data Collected
- Sentinel instances and status
- Monitored masters
- Replica information
- Failover history
- Quorum configuration
- Master/replica Redis metrics
Multiple Deployments
Monitor multiple deployments of different types:
collector:
id: radar-collector-001
server:
grpc_url: https://grpc.radar.redis.io:443 # Production Radar gRPC endpoint
api_key: ${RADAR_API_KEY}
deployments:
# Enterprise cluster
- id: ent-01
name: enterprise-prod
type: enterprise
rest_api:
host: enterprise.local
port: 9443
use_tls: true
insecure: true # For self-signed certs
enterprise:
db_endpoint: external_ip
credentials:
rest_api:
basic_auth: "admin@redis.local:${ENT_PASSWORD}"
# Standalone cache
- id: cache-01
name: session-cache
type: standalone
redis_url: redis://cache.local:6379
credentials:
password: ${CACHE_PASSWORD}
# Redis Cluster
- id: cluster-01
name: data-cluster
type: cluster
redis_urls:
- node1.local:7000
- node2.local:7000
- node3.local:7000
credentials:
password: ${CLUSTER_PASSWORD}
# Sentinel HA
- id: sentinel-01
name: ha-redis
type: sentinel
master_name: mymaster
sentinel_urls:
- sentinel1.local:26379
- sentinel2.local:26379
credentials:
password: ${REDIS_PASSWORD}
Collection Behavior
All deployments are collected concurrently. Individual deployment failures don't stop other collections. Failed collections are retried with exponential backoff (default: 3 attempts).
Validation
# Validate specific deployment
radar-collector validate --deployment enterprise-prod
# Test collection
radar-collector test --deployment session-cache
# Validate all
radar-collector --validate
Credentials & Security
Configure Redis credentials to allow Radar Collector to collect monitoring data. The collector requires read-only access to Redis instances and supports various authentication methods.
Future Authentication Support
Planned authentication methods for future deployment types:
AWS ElastiCache (Planned)
- IAM role-based authentication
- AUTH token support
Redis Standalone Credentials
For standalone Redis instances, you can configure authentication in several ways.
Method 1: URL-based Authentication
Include credentials directly in the Redis URL:
deployments:
- id: "redis-prod"
name: "Production Redis"
deployment_type: "standalone"
redis_url: "redis://username:password@localhost:6379"
Method 2: Separate Credentials
Use the credentials section for better security:
deployments:
- id: "redis-prod"
name: "Production Redis"
deployment_type: "standalone"
redis_url: "redis://localhost:6379"
credentials:
username: "radar-collector"
password: "${REDIS_PASSWORD}"
Method 3: Environment Variables in URL
Combine URL format with environment variable expansion:
deployments:
- id: "redis-prod"
name: "Production Redis"
deployment_type: "standalone"
redis_url: "redis://${REDIS_USER}:${REDIS_PASSWORD}@${REDIS_HOST}:6379"
Redis ACL Setup
Creating a Monitoring User
For Redis instances with ACL support (Redis 6+), create a dedicated monitoring user:
# Connect to Redis
redis-cli
# Create user with read-only permissions
ACL SETUSER radar-collector on >${SECURE_PASSWORD} \
+info +ping +config|get +client|list +memory|usage +latency \
+@read ~* &*
# Verify the user
ACL LIST
Or without a password (not recommended for production):
ACL SETUSER radar-collector on nopass \
+info +ping +config|get +client|list +memory|usage +latency \
+@read ~* &*
Required Permissions
The radar-collector user needs these Redis permissions:
| Command Category | Commands | Purpose |
|---|---|---|
| Server Info | +info, +ping | Basic server information and health |
| Configuration | +config|get | Redis configuration settings |
| Client Info | +client|list | Active connection information |
| Memory | +memory|usage | Memory usage statistics |
| Performance | +latency | Latency monitoring data |
| Data Access | +@read, ~* | Read access to all keys for sampling |
| Pub/Sub | &* | Access to all pub/sub channels |
Minimal ACL Rule
For the most restrictive setup:
ACL SETUSER radar-collector on >${PASSWORD} \
+info +ping +config|get +client|list +memory|usage +latency \
+@read ~* &*
TLS/SSL Configuration
For secure connections, use rediss:// URLs:
deployments:
- id: "redis-tls"
name: "Redis with TLS"
deployment_type: "standalone"
redis_url: "rediss://username:password@localhost:6380"
Environment Variables
Store sensitive information in environment variables:
# Set environment variables
export REDIS_PASSWORD="your-secure-password"
export REDIS_HOST="redis.example.com"
export REDIS_PORT="6379"
Reference them in configuration:
deployments:
- id: "redis-prod"
name: "Production Redis"
deployment_type: "standalone"
redis_url: "redis://radar-collector:${REDIS_PASSWORD}@${REDIS_HOST}:${REDIS_PORT}"
- id: "redis-replica"
name: "Redis Replica"
deployment_type: "standalone"
redis_url: "redis://${REDIS_HOST_REPLICA}:6379"
credentials:
username: "radar-collector"
password: "${REDIS_REPLICA_PASSWORD}"
Testing Credentials
Validate your credentials using the validation command:
# Test all deployments
radar-collector validate
# Test specific deployment
radar-collector validate --deployment-id redis-prod
# Test with connection attempts
radar-collector validate --test-connections
Security Best Practices
- Use dedicated monitoring users - Don't use admin credentials
- Apply least privilege - Only grant necessary permissions
- Use environment variables - Don't hardcode credentials in config files
- Enable TLS - Use
rediss://URLs for encrypted connections - Rotate credentials - Regularly update passwords and API keys
- Monitor access - Review Redis logs for authentication events
Redis Enterprise Credentials
Redis Enterprise deployments use REST API basic authentication:
deployments:
- id: "ent-01"
name: "production-enterprise"
type: "enterprise"
rest_api:
host: "enterprise.example.com"
port: 9443
use_tls: true
insecure: false # Set true for self-signed certificates
credentials:
rest_api:
basic_auth: "admin@cluster.local:${ENTERPRISE_PASSWORD}"
Key points:
- Authentication uses
username:passwordformat in thebasic_authfield - Typically uses admin-level credentials for cluster API access
- Supports self-signed certificates with
insecure: true - Uses port 9443 for REST API access
Enterprise data access: create Data ACL, Role, and User
You can grant the collector read-only access in Redis Enterprise using either the REST API or the Admin UI.
Option A — REST API
- Create a Redis ACL (Data ACL)
curl -X POST "https://<your-cluster-host>:9443/v1/redis_acls" \
-H "Content-Type: application/json" \
-u "<admin-user>:<admin-password>" \
-d '{
"name": "radar-collector-acl",
"acl": "+@read +info +ping +config|get +client|list +memory +latency"
}'
- Save the
uidfrom the response (call itACL_UID).
- Create a Role and then assign the ACL to each database you want monitored
# Create role
curl -X POST "https://<your-cluster-host>:9443/v1/roles" \
-H "Content-Type: application/json" \
-u "<admin-user>:<admin-password>" \
-d '{
"name": "radar-collector-role",
"management": "cluster_member"
}'
# Save the role uid from the response (ROLE_UID), then for each database:
# Replace <BDB_ID> with the database id/uid on your cluster
curl -X PUT "https://<your-cluster-host>:9443/v1/bdbs/<BDB_ID>" \
-H "Content-Type: application/json" \
-u "<admin-user>:<admin-password>" \
-d '{
"roles_permissions": [
{ "role_uid": ROLE_UID, "redis_acl_uid": ACL_UID }
]
}'
- Create the collector user and assign the role
curl -X POST "https://<your-cluster-host>:9443/v1/users" \
-H "Content-Type: application/json" \
-u "<admin-user>:<admin-password>" \
-d '{
"email": "radar-collector@cluster.local",
"password": "<secure-password>",
"name": "radar-collector",
"role_uids": [ ROLE_UID ]
}'
Option B — Admin UI
- Create a new Redis ACL
- Navigate: Access Control → Roles → Data ACLs → Add Redis ACL
- Name:
radar-collector-acl - ACL Rule:
+@read +info +ping +config|get +client|list +memory +latency
- Create a role and assign the ACL to databases
- Navigate: Access Control → Roles → Create Role
- Name:
radar-collector-role - Management:
cluster_member - For each database to monitor: Database → Configuration → Security → Assign
radar-collector-acltoradar-collector-role
- Create a user and give it the role
- Navigate: Access Control → Users → Add User
- Email:
radar-collector@cluster.local - Password:
<secure-password> - Name:
radar-collector - Assign role:
radar-collector-role
Using the created credentials
Use the created user credentials for Radar Enterprise collection:
# REST API basic auth in your collector configuration
credentials:
rest_api:
basic_auth: "radar-collector@cluster.local:<secure-password>"
Notes:
- The Data ACL grants read-only access used by the collector to collect metrics.
- Apply the role+ACL to every database you want the collector to monitor.
- For clusters with self-signed certs, set
use_tls: trueandinsecure: truein the Enterprise rest_api config.
Running the Collector
The radar-collector supports multiple operational modes:
Continuous Mode (Production)
Standard production mode - continuously collects metrics and submits to server.
# Default configuration file (radar-collector.yml)
./radar-collector
# Custom configuration
./radar-collector --config /etc/radar/production.yml
# With debug logging
RUST_LOG=debug ./radar-collector
Behavior:
- Collects from all configured deployments at specified intervals
- Automatically submits data to Radar server via gRPC
- Runs continuously until stopped with SIGTERM/SIGINT
- Gracefully completes current collection before shutdown
Use when:
- Running in production environments
- Deployed as systemd service or Kubernetes pod
- Continuous monitoring is required
Offline Mode
Collect data to local files for manual inspection before submission.
Collect to File
# Auto-generated filename (includes hostname, version, timestamp)
./radar-collector --once --output-file
# Creates: radar-collection-hostname-v0.1.0-20251014-120000.json
# Custom path
./radar-collector --once --output-file /var/lib/radar/collection.json
# With specific redaction level
./radar-collector --once --output-file --redact credentials
Redaction Levels
all (default) - Maximum privacy:
- Passwords →
***REDACTED*** - API keys →
***REDACTED*** - Hostnames →
host-a1b2c3d4.domain.com(deterministic hash) - IP addresses →
192.xxx.xxx.xxx(first octet only) - Port numbers →
6xxx(first digit only)
credentials - Moderate privacy:
- Passwords →
***REDACTED*** - API keys →
***REDACTED*** - Hostnames, IPs, ports → visible
none - No redaction (debug only):
- All data visible in plaintext
- Only use in isolated, secure environments
Submit Collected Data
# Submit previously collected file
./radar-collector submit --file radar-collection-hostname-v0.1.0-20251014-120000.json
# With custom server config
./radar-collector --config production.yml submit --file collection.json
Use when:
- Air-gapped environments requiring manual file transfer
- Security reviews needed before cloud submission
- Compliance workflows require approval process
- Local debugging and analysis
Test Mode
Test single deployment without affecting production monitoring.
# Collect and submit once
./radar-collector test --deployment redis-prod
# Collect without submitting (dry run)
./radar-collector test --deployment redis-prod --dry-run
# With debug output
RUST_LOG=debug ./radar-collector test --deployment enterprise-cluster
Behavior:
- Collects from specified deployment once
- Shows collected data (in dry-run mode)
- Exits after single collection
- Does not affect other deployments
Use when:
- Testing new deployment configuration
- Verifying connectivity before production
- Debugging collection issues
- Validating data format
Validation Mode
Validate configuration and test connectivity without collecting data.
# Validate all deployments
./radar-collector --validate
# Validate specific deployment
./radar-collector validate --deployment redis-prod
Use when:
- First-time configuration setup
- Troubleshooting connection issues
- Verifying credentials
- Pre-deployment checks
Additional Options
Logging Levels
Control log verbosity with RUST_LOG:
# Info (default) - standard operational messages
RUST_LOG=info ./radar-collector
# Debug - detailed operational information
RUST_LOG=debug ./radar-collector
# Trace - very verbose, includes all data
RUST_LOG=trace ./radar-collector
Graceful Shutdown
The radar-collector handles SIGTERM and SIGINT signals gracefully:
- Receives shutdown signal
- Stops scheduling new collections
- Completes current collection in progress
- Exits cleanly
# Send graceful shutdown signal
kill -TERM <pid>
# Or use Ctrl+C
^C
Running in Production
For production deployments, see:
- Linux Deployment - Systemd service setup
- Kubernetes Deployment - Container orchestration
Validation & Testing
Validate Configuration
# Check configuration syntax
./radar-collector --validate
# Test specific deployment
./radar-collector validate --deployment redis-prod
Test Collection
# Dry run - collect without submitting
./radar-collector test --deployment redis-prod --dry-run
# Single collection with submission
./radar-collector test --deployment redis-prod
# Debug output
RUST_LOG=debug ./radar-collector test --deployment redis-prod
Recommended Workflow
-
Validate configuration
./radar-collector --validate -
Test single deployment
./radar-collector test --deployment redis-prod --dry-run -
Run radar-collector
./radar-collector
Deployment
Deploy Radar Collector as a systemd service or in Kubernetes.
Deployment Methods
- Linux Deployment - Systemd service
- Kubernetes Deployment - Container orchestration
Network Requirements
- Access to Radar server gRPC endpoint
- Access to all monitored Redis instances
- DNS resolution for hostnames
Security
- Store API keys in environment variables or secrets
- Use dedicated Redis monitoring users with minimal permissions
- Run radar-collector as non-root user
Resource Usage
- CPU: ~0.1 core per 10 deployments
- Memory: ~50MB base + ~10MB per deployment
- Network: Minimal (<1KB per collection)
Linux Deployment
Deploy Radar Collector as a systemd service.
Installation
1. Create User and Directories
sudo useradd --system --no-create-home --shell /usr/sbin/nologin radar-collector
sudo mkdir -p /opt/radar-collector /etc/radar-collector
sudo chown radar-collector:radar-collector /opt/radar-collector
2. Install Binary
sudo cp target/release/radar-collector /opt/radar-collector/
sudo chmod +x /opt/radar-collector/radar-collector
sudo chown radar-collector:radar-collector /opt/radar-collector/radar-collector
3. Create Configuration
sudo vi /etc/radar-collector/config.yml
collector:
id: radar-collector-001
server:
grpc_url: ${RADAR_SERVER_URL}
api_key: ${RADAR_API_KEY}
deployments:
- id: redis-prod
name: Production Redis
type: standalone
redis_url: ${REDIS_URL}
4. Create Environment File
sudo vi /etc/radar-collector/environment
RADAR_SERVER_URL=http://localhost:50051
RADAR_API_KEY=your-api-key
REDIS_URL=redis://localhost:6379
RUST_LOG=info
Set permissions:
sudo chmod 600 /etc/radar-collector/environment
sudo chmod 640 /etc/radar-collector/config.yml
5. Create Systemd Service
sudo vi /etc/systemd/system/radar-collector.service
[Unit]
Description=Radar Collector
After=network.target
[Service]
Type=simple
User=radar-collector
Group=radar-collector
WorkingDirectory=/opt/radar-collector
ExecStart=/opt/radar-collector/radar-collector --config /etc/radar-collector/config.yml
Restart=always
RestartSec=10
EnvironmentFile=/etc/radar-collector/environment
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=multi-user.target
6. Start Service
sudo systemctl daemon-reload
sudo systemctl enable radar-collector
sudo systemctl start radar-collector
sudo systemctl status radar-collector
Service Management
# View logs
sudo journalctl -u radar-collector -f
# Restart after config changes
sudo systemctl restart radar-collector
# Stop service
sudo systemctl stop radar-collector
Kubernetes Deployment
Deploy Radar Collector in Kubernetes using Deployments, ConfigMaps, and Secrets for scalable monitoring.
Prerequisites
- Kubernetes cluster (1.19+)
kubectlconfigured to access your cluster- Container image of Radar Collector
Quick Start
1. Create Namespace
# namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: radar-collector
labels:
name: radar-collector
kubectl apply -f namespace.yaml
2. Create Secrets
Store sensitive configuration in Kubernetes Secrets:
# secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: radar-collector-secrets
namespace: radar-collector
type: Opaque
stringData:
api-key: "your-radar-api-key"
redis-password: "your-redis-password"
kubectl apply -f secrets.yaml
3. Create ConfigMap
Store the collector configuration:
# configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: radar-collector-config
namespace: radar-collector
data:
config.yml: |
collector:
id: "radar-collector-k8s-${HOSTNAME}"
hostname: "${HOSTNAME}"
collection_interval: "30s"
server:
grpc_url: "https://api.radar.com:443"
api_key: "${RADAR_API_KEY}"
deployments:
- id: "redis-production"
name: "Production Redis"
deployment_type: "standalone"
redis_url: "redis://radar-collector:${REDIS_PASSWORD}@redis.production.svc.cluster.local:6379"
collection:
interval: "30s"
retry_on_failure: true
max_retries: 3
kubectl apply -f configmap.yaml
4. Create Deployment
Deploy the Radar Collector:
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: radar-collector
namespace: radar-collector
labels:
app: radar-collector
spec:
replicas: 1
selector:
matchLabels:
app: radar-collector
template:
metadata:
labels:
app: radar-collector
spec:
serviceAccountName: radar-collector
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- name: radar-collector
image: radar-collector:latest # Replace with your image
imagePullPolicy: Always
# Command and arguments
command: ["/app/radar-collector"]
args: ["--config", "/etc/radar-collector/config.yml"]
# Environment variables
env:
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: RADAR_API_KEY
valueFrom:
secretKeyRef:
name: radar-collector-secrets
key: api-key
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: radar-collector-secrets
key: redis-password
- name: RUST_LOG
value: "info"
# Volume mounts
volumeMounts:
- name: config
mountPath: /etc/radar-collector
readOnly: true
# Resource limits
resources:
requests:
memory: "64Mi"
cpu: "100m"
limits:
memory: "256Mi"
cpu: "500m"
# Health checks
livenessProbe:
exec:
command:
- /app/radar-collector
- validate
- --config
- /etc/radar-collector/config.yml
initialDelaySeconds: 30
periodSeconds: 60
timeoutSeconds: 10
readinessProbe:
exec:
command:
- /app/radar-collector
- validate
- --config
- /etc/radar-collector/config.yml
- --test-connections
initialDelaySeconds: 10
periodSeconds: 30
timeoutSeconds: 15
volumes:
- name: config
configMap:
name: radar-collector-config
# Restart policy
restartPolicy: Always
# Node selection (optional)
nodeSelector:
kubernetes.io/os: linux
5. Create ServiceAccount and RBAC
Create service account with minimal permissions:
# rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: radar-collector
namespace: radar-collector
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: radar-collector
namespace: radar-collector
rules:
- apiGroups: [""]
resources: ["configmaps", "secrets"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: radar-collector
namespace: radar-collector
subjects:
- kind: ServiceAccount
name: radar-collector
namespace: radar-collector
roleRef:
kind: Role
name: radar-collector
apiGroup: rbac.authorization.k8s.io
kubectl apply -f rbac.yaml
kubectl apply -f deployment.yaml
Advanced Configuration
Multi-Environment Setup
Deploy different collectors for different environments:
# production-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: radar-collector-production
namespace: radar-collector
spec:
replicas: 1
selector:
matchLabels:
app: radar-collector
environment: production
template:
metadata:
labels:
app: radar-collector
environment: production
spec:
containers:
- name: radar-collector
image: radar-collector:latest
env:
- name: ENVIRONMENT
value: "production"
volumeMounts:
- name: config
mountPath: /etc/radar-collector
volumes:
- name: config
configMap:
name: radar-collector-config-production
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: radar-collector-staging
namespace: radar-collector
spec:
replicas: 1
selector:
matchLabels:
app: radar-collector
environment: staging
template:
metadata:
labels:
app: radar-collector
environment: staging
spec:
containers:
- name: radar-collector
image: radar-collector:latest
env:
- name: ENVIRONMENT
value: "staging"
volumeMounts:
- name: config
mountPath: /etc/radar-collector
volumes:
- name: config
configMap:
name: radar-collector-config-staging
Horizontal Pod Autoscaler
Auto-scale based on CPU usage:
# hpa.yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: radar-collector-hpa
namespace: radar-collector
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: radar-collector
minReplicas: 1
maxReplicas: 3
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: 80
Network Policies
Restrict network access:
# network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: radar-collector-netpol
namespace: radar-collector
spec:
podSelector:
matchLabels:
app: radar-collector
policyTypes:
- Egress
egress:
# Allow DNS resolution
- to: []
ports:
- protocol: UDP
port: 53
# Allow HTTPS to Radar server
- to: []
ports:
- protocol: TCP
port: 443
# Allow Redis connections
- to: []
ports:
- protocol: TCP
port: 6379
- protocol: TCP
port: 6380
Container Image
Dockerfile
Create a secure container image:
# Dockerfile
FROM rust:1.88-slim as builder
WORKDIR /app
COPY . .
RUN cargo build --release
FROM debian:bookworm-slim
# Install CA certificates and create user
RUN apt-get update && \
apt-get install -y ca-certificates && \
rm -rf /var/lib/apt/lists/* && \
groupadd -r radar-collector && \
useradd -r -g radar-collector radar-collector
# Copy binary
COPY --from=builder /app/target/release/radar-collector /app/radar-collector
# Set ownership and permissions
RUN chown radar-collector:radar-collector /app/radar-collector
# Switch to non-root user
USER radar-collector
# Expose metrics port (if implemented)
EXPOSE 8080
ENTRYPOINT ["/app/radar-collector"]
Build and Push
# Build image
docker build -t radar-collector:latest .
# Tag for registry
docker tag radar-collector:latest your-registry.com/radar-collector:latest
# Push to registry
docker push your-registry.com/radar-collector:latest
Management and Operations
View Logs
# View logs from all radar-collector pods
kubectl logs -n radar-collector -l app=radar-collector -f
# View logs from specific pod
kubectl logs -n radar-collector <pod-name> -f
# View previous container logs (after restart)
kubectl logs -n radar-collector <pod-name> --previous
Update Configuration
# Update ConfigMap
kubectl apply -f configmap.yaml
# Restart deployment to pick up changes
kubectl rollout restart deployment/radar-collector -n radar-collector
# Check rollout status
kubectl rollout status deployment/radar-collector -n radar-collector
Scale Deployment
# Scale to 3 replicas
kubectl scale deployment/radar-collector --replicas=3 -n radar-collector
# Auto-scale based on CPU
kubectl autoscale deployment/radar-collector --cpu-percent=70 --min=1 --max=5 -n radar-collector
Monitoring and Alerting
Pod Monitoring
# servicemonitor.yaml (for Prometheus Operator)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: radar-collector
namespace: radar-collector
spec:
selector:
matchLabels:
app: radar-collector
endpoints:
- port: metrics
interval: 30s
path: /metrics
Alerting Rules
# alerts.yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: radar-collector-alerts
namespace: radar-collector
spec:
groups:
- name: radar-collector
rules:
- alert: RadarCollectorDown
expr: up{job="radar-collector"} == 0
for: 5m
labels:
severity: critical
annotations:
summary: "Radar Collector is down"
description: "Radar Collector has been down for more than 5 minutes"
Troubleshooting
Common Issues
Pod won't start:
# Check pod status
kubectl get pods -n radar-collector
# Describe pod for events
kubectl describe pod <pod-name> -n radar-collector
# Check logs
kubectl logs <pod-name> -n radar-collector
Configuration issues:
# Validate ConfigMap
kubectl get configmap radar-collector-config -n radar-collector -o yaml
# Test configuration in pod
kubectl exec -it <pod-name> -n radar-collector -- /app/radar-collector validate --config /etc/radar-collector/config.yml
Network connectivity:
# Test from within pod
kubectl exec -it <pod-name> -n radar-collector -- /bin/sh
# Inside pod:
curl -v https://api.radar.com
redis-cli -u redis://user:pass@redis.example.com:6379 ping
Health Checks
Monitor deployment health:
# Check deployment status
kubectl get deployment radar-collector -n radar-collector
# Check pod health
kubectl get pods -n radar-collector -l app=radar-collector
# Check recent events
kubectl get events -n radar-collector --sort-by='.lastTimestamp'
Troubleshooting
Diagnosis Steps
- Validate configuration:
radar-collector --validate - Enable debug logging:
RUST_LOG=debug radar-collector - Test connectivity with curl/redis-cli
- Check error messages for diagnostic hints
Common Issues
Enterprise REST API Connection Failed
Symptoms:
Error: failed to connect to localhost:9443
Solutions:
-
Use actual hostname, not "localhost"
credentials: rest_api: url: "https://enterprise.example.com:9443" # Correct -
Verify port 9443 (REST API), not 8443 (Admin UI)
-
For self-signed certificates:
credentials: rest_api: insecure: true # Skip certificate validation
Test connectivity:
curl -k -u admin@redis.local:password https://enterprise.example.com:9443/v1/cluster
Authentication Failed
Symptoms:
Error: Missing access token
Error: gRPC error: Unauthenticated
Solution:
Set API key via environment variable or config:
export ACCESS_KEY=your-api-key
Or in config:
server:
api_key: your-api-key
Configuration Validation Failed
Symptoms:
Error: missing field `type`
Solution:
Check YAML syntax and required fields:
# Validate configuration
radar-collector --validate
# Test specific deployment
radar-collector validate --deployment redis-prod
Debug Logging
# Info level (default)
RUST_LOG=info radar-collector
# Debug level
RUST_LOG=debug radar-collector
# Trace level (very verbose)
RUST_LOG=trace radar-collector
Testing Connectivity
Enterprise
curl -k https://enterprise.example.com:9443/v1/cluster
Redis Standalone/Cluster
redis-cli -h host -p port ping
Getting Help
Include this information when reporting issues:
- Collector version:
radar-collector --version - Validation output:
radar-collector --validate - Debug logs:
RUST_LOG=debug radar-collector 2>&1 | head -100 - Connection test results
Configuration Schema
Complete reference for Radar Collector configuration.
Top-Level Configuration
server: # Required - Server configuration
grpc_endpoint: string # Required - gRPC server endpoint
api_key: string # Required - API key for authentication
collection_interval: integer # Optional - Seconds between collections (default: 60)
deployments: array # Required - List of deployments to monitor
Server Configuration
The server section configures connection to the Radar server:
server:
grpc_endpoint: "http://localhost:50051" # gRPC endpoint
api_key: "your-api-key" # Authentication key
The api_key is automatically set as the ACCESS_KEY environment variable for gRPC authentication.
Deployment Configuration
Each deployment in the deployments array must specify a type and type-specific fields.
Common Fields
| Field | Type | Required | Description |
|---|---|---|---|
name | string | ✅ | Deployment name (must be unique) |
type | string | ✅ | Deployment type (case-insensitive) |
Standalone Configuration
deployments:
- id: string # Required - Unique deployment ID
name: string # Required - Unique name
type: "standalone" # Required
redis_url: string # Required - Redis connection URL
credentials: # Optional - Authentication
password: string # Optional - Redis password
Example:
deployments:
- id: "cache-01"
name: "cache-server"
type: "standalone"
redis_url: "redis://redis.example.com:6379"
credentials:
password: "${REDIS_PASSWORD}"
For TLS:
deployments:
- id: "cache-tls-01"
name: "cache-server-tls"
type: "standalone"
redis_url: "rediss://redis.example.com:6380" # rediss:// for TLS
credentials:
password: "${REDIS_PASSWORD}"
Enterprise Configuration
deployments:
- id: string # Required - Unique deployment ID
name: string # Required - Unique name
type: "enterprise" # Required
rest_api: # Required - REST API configuration
host: string # Required - REST API hostname
port: integer # Required - REST API port (typically 9443)
use_tls: boolean # Required - Use HTTPS (typically true)
insecure: boolean # Optional - Skip cert verification (default: false)
enterprise_admin_url: string # Optional - Admin UI URL for reference
enterprise: # Optional - Enterprise options
db_endpoint: string # Optional - Database endpoint style (external_ip, internal_ip, dns)
credentials: # Required - Authentication
rest_api: # Can also use 'enterprise_api' for compatibility
basic_auth: string # Required - "username:password" format
Note: Both rest_api and enterprise_api field names are supported in the credentials section for backward compatibility.
Example:
deployments:
- id: "ent-prod"
name: "production-enterprise"
type: "enterprise"
rest_api:
host: "enterprise.example.com"
port: 9443
use_tls: true
insecure: true # For self-signed certificates
enterprise_admin_url: "https://enterprise.example.com:8443" # Optional UI reference
enterprise:
db_endpoint: "external_ip"
credentials:
rest_api: # or 'enterprise_api'
basic_auth: "admin@redis.local:${ENTERPRISE_PASSWORD}"
Cluster Configuration
deployments:
- id: string # Required - Unique deployment ID
name: string # Required - Unique name
type: "cluster" # Required
redis_urls: array<string> # Required - Seed nodes for discovery
credentials: # Optional - Authentication
username: string # Optional - Cluster username
password: string # Optional - Cluster password
Example:
deployments:
- id: "cluster-01"
name: "main-cluster"
type: "cluster"
redis_urls:
- "node1.example.com:7000"
- "node2.example.com:7000"
- "node3.example.com:7000"
credentials:
password: "${CLUSTER_PASSWORD}"
Sentinel Configuration
deployments:
- id: string # Required - Unique deployment ID
name: string # Required - Unique name
type: "sentinel" # Required
master_name: string # Required - Name of master in Sentinel
sentinel_urls: array<string> # Required - Sentinel endpoints
credentials: # Optional - Authentication
password: string # Optional - Redis password
sentinel_password: string # Optional - Sentinel password (if different)
Example:
deployments:
- id: "sentinel-01"
name: "ha-redis"
type: "sentinel"
master_name: "mymaster"
sentinel_urls:
- "sentinel1.example.com:26379"
- "sentinel2.example.com:26379"
- "sentinel3.example.com:26379"
credentials:
password: "${REDIS_PASSWORD}"
sentinel_password: "${SENTINEL_PASSWORD}"
Complete Example
# Collector configuration
collector:
id: "radar-collector-001"
collection_interval: "60s"
# Server configuration
server:
grpc_url: "https://grpc.radar.redis.io:443" # Production Radar gRPC endpoint
api_key: "${RADAR_API_KEY}"
# Deployment configurations
deployments:
# Enterprise cluster
- id: "ent-01"
name: "enterprise-production"
type: "enterprise"
rest_api:
host: "cluster.redis.local"
port: 9443
use_tls: true
insecure: false
enterprise_admin_url: "https://cluster.redis.local:8443" # Optional
enterprise:
db_endpoint: "external_ip"
credentials:
rest_api: # or enterprise_api
basic_auth: "admin@redis.local:${ENT_PASSWORD}"
# Standalone instance
- id: "cache-01"
name: "session-cache"
type: "standalone"
redis_url: "redis://cache.redis.local:6379"
credentials:
password: "${CACHE_PASSWORD}"
# Redis Cluster
- id: "cluster-01"
name: "data-cluster"
type: "cluster"
redis_urls:
- "cluster1.redis.local:7000"
- "cluster2.redis.local:7000"
- "cluster3.redis.local:7000"
credentials:
password: "${CLUSTER_PASSWORD}"
# Sentinel HA
- id: "sentinel-01"
name: "ha-master"
type: "sentinel"
master_name: "mymaster"
sentinel_urls:
- "sentinel1.redis.local:26379"
- "sentinel2.redis.local:26379"
- "sentinel3.redis.local:26379"
credentials:
password: "${REDIS_PASSWORD}"
Environment Variable Expansion
Configuration values can reference environment variables:
${VAR}- Value must be set${VAR:-default}- Use default if not set
Example:
server:
grpc_url: "${RADAR_SERVER:-https://grpc.radar.redis.io:443}"
api_key: "${RADAR_API_KEY}"
deployments:
- id: "redis-01"
name: "redis"
type: "standalone"
redis_url: "${REDIS_URL:-redis://localhost:6379}"
credentials:
password: "${REDIS_PASSWORD}"
Environment Variable Overrides
Configuration can be overridden using environment variables:
Global Settings
export GRPC_ENDPOINT=https://grpc.radar.redis.io:443
export COLLECTION_INTERVAL=30
export RADAR_API_KEY=your-api-key # For authentication
Per-Deployment Settings
For Enterprise deployments (using the id field):
# For deployment with id: "ent-01"
export RADAR_ENTERPRISE_ENT_01_REST_API_URL=https://new-url:9443
export RADAR_ENTERPRISE_ENT_01_USERNAME=newuser
export RADAR_ENTERPRISE_ENT_01_PASSWORD=newpass
export RADAR_ENTERPRISE_ENT_01_INSECURE=true
For single Standalone deployment:
export REDIS_HOST=redis.example.com
export REDIS_PORT=6379
export REDIS_PASSWORD=secret
Authentication
The radar-collector requires authentication with the Radar server:
-
Via configuration:
server: api_key: "your-api-key" # Automatically sets ACCESS_KEY -
Via environment variable:
export ACCESS_KEY=your-api-key
The radar-collector will automatically set the ACCESS_KEY environment variable from the config's api_key field if not already set.
Validation
Validate your configuration:
# Validate entire configuration
radar-collector --validate
# Validate specific deployment
radar-collector validate --deployment enterprise-production
# Test collection from deployment
radar-collector test --deployment session-cache
# Dry run (collect but don't submit)
radar-collector --dry-run
Migration from Legacy Formats
Old Format (pre-v2)
# Old format
grpc_endpoint: "http://localhost:50051"
deployments:
- name: "enterprise"
type: "enterprise"
rest_api_url: "https://host:9443"
username: "admin"
password: "pass"
New Format (v2+)
# New format
server:
grpc_endpoint: "http://localhost:50051"
api_key: "your-key"
deployments:
- name: "enterprise"
type: "enterprise" # Now case-insensitive
id: "ent-01"
credentials:
rest_api: # or enterprise_api for compatibility
url: "https://host:9443"
username: "admin"
password: "pass"
insecure: true # For self-signed certs
Removed Fields
These fields are no longer supported:
send_interval- Removed for simplicitymax_batch_size- Removed for simplicityauto_discover- Not implemented
Command Line Reference
Synopsis
radar-collector [OPTIONS] [COMMAND]
Global Options
| Option | Environment | Description | Default |
|---|---|---|---|
-c, --config <PATH> | - | Configuration file path | radar-collector.yml |
--json-logs | - | Enable JSON formatted logs | false |
-l, --log-level <LEVEL> | RUST_LOG | Log level: trace, debug, info, warn, error | info |
--once | - | Run once and exit | false |
--dry-run | - | Collect but don't submit | false |
--validate | - | Validate config and exit | false |
--output-file [PATH] | - | Write collection to file (offline mode). Auto-generates filename if PATH not specified | - |
--output-dir <DIR> | - | Override default output directory for offline collections | - |
--redact <LEVEL> | - | Redaction level: none, credentials, all | all |
Subcommands
validate
Validate a specific deployment configuration and test connectivity.
# Validate specific deployment
radar-collector validate --deployment my-redis
# With custom config
radar-collector --config custom.yml validate --deployment production
Options:
-d, --deployment <NAME>- Name of deployment to validate (required)
test
Test collection from a specific deployment (full collection).
# Test specific deployment
radar-collector test --deployment my-redis
# Test with debug logging
radar-collector --log-level debug test --deployment my-redis
Options:
-d, --deployment <NAME>- Name of deployment to test (required)
submit
Submit a previously collected offline data file to the server.
# Submit offline collection file
radar-collector submit --file /path/to/collection.json
# With custom config for server settings
radar-collector --config custom.yml submit --file collection.json
Options:
-f, --file <PATH>- Path to offline collection JSON file (required)
Usage Examples
Basic Operation
# Run with default config
radar-collector
# Run with custom config
radar-collector --config /etc/radar/config.yml
# Run once and exit
radar-collector --once
# Dry run (no submission)
radar-collector --dry-run
Offline Collection
# Collect to auto-generated file with full redaction
radar-collector --once --output-file
# Collect to specific file
radar-collector --once --output-file /path/to/collection.json
# Collect with custom output directory
radar-collector --once --output-file --output-dir /var/lib/radar
# Collect with credentials-only redaction
radar-collector --once --output-file --redact credentials
# Collect with no redaction (debug only)
radar-collector --once --output-file --redact none
# Submit previously collected file
radar-collector submit --file radar-collection-hostname-v0.1.0-20251014-120000.json
Validation
# Validate entire configuration
radar-collector --validate
# Validate specific deployment
radar-collector validate --deployment redis-production
Debugging
# Enable debug logging
radar-collector --log-level debug
# JSON formatted logs
radar-collector --json-logs
# Test collection without submission
radar-collector --dry-run --once
Environment Variables
Authentication
ACCESS_KEY- API key for gRPC authentication
Configuration Overrides
Global settings:
GRPC_ENDPOINT- Override gRPC server endpointCOLLECTION_INTERVAL- Override collection interval (seconds)
Per-deployment overrides (by deployment ID):
# Enterprise deployment with ID "ent-01"
export ENT_01_REST_API_URL=https://enterprise:9443
export ENT_01_USERNAME=admin
export ENT_01_PASSWORD=secret
export ENT_01_INSECURE=true
# Standalone defaults (when only one exists)
export REDIS_HOST=localhost
export REDIS_PORT=6379
export REDIS_PASSWORD=mypassword
Logging
RUST_LOG- Control log verbosityerror- Errors onlywarn- Warnings and errorsinfo- Standard operation (default)debug- Detailed operationstrace- All data including responses
Example:
RUST_LOG=debug radar-collector
RUST_LOG=radar_collector=debug,tonic=warn radar-collector
Exit Codes
0- Success1- Error (configuration, connection, or runtime error)
Signal Handling
The radar-collector handles the following signals gracefully:
SIGINT(Ctrl+C) - Graceful shutdownSIGTERM- Graceful shutdown
During shutdown:
- Current collection completes
- Pending submissions are sent
- Connections are closed
- Final metrics are logged