diff --git a/clusters/cl01tl/manifests/blocky/ConfigMap-blocky-valkey-init-scripts.yaml b/clusters/cl01tl/manifests/blocky/ConfigMap-blocky-valkey-init-scripts.yaml
index de5d0d775..82ca10232 100644
--- a/clusters/cl01tl/manifests/blocky/ConfigMap-blocky-valkey-init-scripts.yaml
+++ b/clusters/cl01tl/manifests/blocky/ConfigMap-blocky-valkey-init-scripts.yaml
@@ -46,35 +46,6 @@ data:
 echo "bind * -::*"
 echo "dir /data"
 } >>"$VALKEY_CONFIG"
- # Replica mode configuration
- log "Configuring replication mode"
-
- # Use POD_INDEX from Kubernetes metadata
- POD_INDEX=${POD_INDEX:-0}
- IS_MASTER=false
-
- # Check if this is pod-0 (master)
- if [ "$POD_INDEX" = "0" ]; then
- IS_MASTER=true
- log "This pod (index $POD_INDEX) is configured as MASTER"
- else
- log "This pod (index $POD_INDEX) is configured as REPLICA"
- fi
-
- # Configure replica settings
- if [ "$IS_MASTER" = "false" ]; then
- MASTER_HOST="blocky-valkey-0.blocky-valkey-headless.blocky.svc.cluster.local"
- MASTER_PORT="6379"
-
- log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT"
-
- {
- echo ""
- echo "# Replica Configuration"
- echo "replicaof $MASTER_HOST $MASTER_PORT"
- echo "replica-announce-ip blocky-valkey-$POD_INDEX.blocky-valkey-headless.blocky.svc.cluster.local"
- } >>"$VALKEY_CONFIG"
- fi
 # Append extra configs if present
 if [ -f /usr/local/etc/valkey/valkey.conf ]; then
diff --git a/clusters/cl01tl/manifests/blocky/Deployment-blocky-valkey.yaml b/clusters/cl01tl/manifests/blocky/Deployment-blocky-valkey.yaml
new file mode 100644
index 000000000..c872f033c
--- /dev/null
+++ b/clusters/cl01tl/manifests/blocky/Deployment-blocky-valkey.yaml
@@ -0,0 +1,113 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: blocky-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: blocky
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ replicas: 1
+ strategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: blocky
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: blocky
+ annotations:
+ checksum/initconfig: 2d752b6b5c2e159b0111a667752e1fca
+ spec:
+ automountServiceAccountToken: false
+ serviceAccountName: blocky-valkey
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsUser: 1000
+ initContainers:
+ - name: blocky-valkey-init
+ image: docker.io/valkey/valkey:9.0.3
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ command: ["/scripts/init.sh"]
+ volumeMounts:
+ - name: valkey-data
+ mountPath: /data
+ - name: scripts
+ mountPath: /scripts
+ containers:
+ - name: blocky-valkey
+ image: docker.io/valkey/valkey:9.0.3
+ imagePullPolicy: IfNotPresent
+ command: ["valkey-server"]
+ args: ["/data/conf/valkey.conf"]
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ env:
+ - name: VALKEY_LOGLEVEL
+ value: "notice"
+ ports:
+ - name: tcp
+ containerPort: 6379
+ protocol: TCP
+ startupProbe:
+ exec:
+ command: ["sh", "-c", "valkey-cli ping"]
+ livenessProbe:
+ exec:
+ command: ["sh", "-c", "valkey-cli ping"]
+ resources:
+ requests:
+ cpu: 10m
+ memory: 128Mi
+ volumeMounts:
+ - name: valkey-data
+ mountPath: /data
+ - name: metrics
+ image: ghcr.io/oliver006/redis_exporter:v1.81.0
+ imagePullPolicy: "IfNotPresent"
+ ports:
+ - name: metrics
+ containerPort: 9121
+ startupProbe:
+ tcpSocket:
+ port: metrics
+ livenessProbe:
+ tcpSocket:
+ port: metrics
+ readinessProbe:
+ httpGet:
+ path: /
+ port: metrics
+ resources:
+ requests:
+ cpu: 10m
+ memory: 64M
+ env:
+ - name: REDIS_ALIAS
+ value: blocky-valkey
+ volumes:
+ - name: scripts
+ configMap:
+ name: blocky-valkey-init-scripts
+ defaultMode: 0555
+ - name: valkey-data
+ persistentVolumeClaim:
+ claimName: blocky-valkey
diff --git a/clusters/cl01tl/manifests/blocky/PersistentVolumeClaim-blocky-valkey.yaml b/clusters/cl01tl/manifests/blocky/PersistentVolumeClaim-blocky-valkey.yaml
new file mode 100644
index 000000000..9e6b14414
--- /dev/null
+++ b/clusters/cl01tl/manifests/blocky/PersistentVolumeClaim-blocky-valkey.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: blocky-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: blocky
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ accessModes:
+ - ReadWriteOnce
+ volumeMode: Filesystem
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: ceph-block
diff --git a/clusters/cl01tl/manifests/blocky/Service-blocky-valkey.yaml b/clusters/cl01tl/manifests/blocky/Service-blocky-valkey.yaml
index 981739fc6..b3e22cd7e 100644
--- a/clusters/cl01tl/manifests/blocky/Service-blocky-valkey.yaml
+++ b/clusters/cl01tl/manifests/blocky/Service-blocky-valkey.yaml
@@ -19,4 +19,3 @@ spec:
 selector:
 app.kubernetes.io/name: valkey
 app.kubernetes.io/instance: blocky
- statefulset.kubernetes.io/pod-name: blocky-valkey-0
diff --git a/clusters/cl01tl/manifests/directus/ConfigMap-directus-valkey-init-scripts.yaml b/clusters/cl01tl/manifests/directus/ConfigMap-directus-valkey-init-scripts.yaml
index e68e6c723..0a32a8443 100644
--- a/clusters/cl01tl/manifests/directus/ConfigMap-directus-valkey-init-scripts.yaml
+++ b/clusters/cl01tl/manifests/directus/ConfigMap-directus-valkey-init-scripts.yaml
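Review bot: `strategy.type: RollingUpdate` with `replicas: 1` and the `ReadWriteOnce` PVC `blocky-valkey` added in the next file means a rollout starts the replacement pod while the old one still holds the volume; if it lands on another node it likely stays Pending on the volume attach, and on the same node two valkey-server processes would open the same `/data`. Since this workload cannot run two copies at once, `strategy: {type: Recreate}` is the safe setting for this Deployment. The `metrics` sidecar also lacks the `securityContext` (dropped capabilities, `readOnlyRootFilesystem`, `runAsNonRoot`) that the init and valkey containers carry. Both points apply equally to the new Deployments `gitea-valkey-renovate` and `grafana-operator-valkey-remote-cache` further down.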
@@ -23,6 +23,28 @@ data:
 log() {
 echo "$(date) $1" | tee -a "$LOGFILE" >&2
 }
+ # Function to get password for a user
+ # Usage: get_user_password [password_key]
+ # Returns: password via stdout, exits with error if not found
+ get_user_password() {
+ username="$1"
+ password_key="${2:-$username}"
+ password=""
+ # Try to get password from existing secret first (priority)
+ if [ -f "/valkey-users-secret/$password_key" ]; then
+ password=$(cat "/valkey-users-secret/$password_key")
+ log "Using password from existing secret for user $username"
+ elif [ -f "/valkey-auth-secret/${username}-password" ]; then
+ # Fallback to inline password
+ password=$(cat "/valkey-auth-secret/${username}-password")
+ log "Using inline password for user $username"
+ else
+ log "ERROR: No password found for user $username"
+ return 1
+ fi
+
+ echo "$password"
+ }
 # Clean old log if requested
 if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
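Review bot: `echo "$password"` at the end of `get_user_password` hands the secret to the shell builtin `echo`, which under `/bin/sh` in the valkey image (presumably dash, confirm) interprets backslash escapes and treats a leading `-n`/`-e` as an option, so a password containing such sequences is returned altered; `printf '%s\n' "$password"` returns it byte-for-byte. The same defect is in `PASSHASH=$(echo -n "$PASSWORD" | sha256sum | cut -f 1 -d " ")` in the next hunk, where a mangled password yields a hash the real password never matches and every client, including the replica's `masterauth`, is locked out; `printf '%s' "$PASSWORD" | sha256sum` is the portable form. The Usage comment could also state that the caller's `$(...)` strips trailing newlines, so passwords ending in a newline are not supported.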
@@ -46,6 +68,37 @@ data:
 echo "bind * -::*"
 echo "dir /data"
 } >>"$VALKEY_CONFIG"
+ # Create secure directory for ACL file
+ log "Creating /etc/valkey directory for ACL file"
+ mkdir -p /etc/valkey
+
+ # Set aclfile path in valkey.conf
+ echo "aclfile /etc/valkey/users.acl" >>"$VALKEY_CONFIG"
+
+ # Remove or reset existing ACL file if present (it may be read-only from previous run)
+ log "Preparing ACL file at /etc/valkey/users.acl"
+ if [ -f /etc/valkey/users.acl ]; then
+ log "Removing existing read-only users.acl file"
+ chmod 0600 /etc/valkey/users.acl
+ rm -f /etc/valkey/users.acl
+ fi
+
+ # Create ACL file with secure permissions
+ touch /etc/valkey/users.acl
+ chmod 0600 /etc/valkey/users.acl
+ # Generate ACL entries for each user
+ log "Generating ACL entries for users"
+
+ # User: default
+ PASSWORD=$(get_user_password "default" "default") || exit 1
+
+ # Hash the password and write ACL entry
+ PASSHASH=$(echo -n "$PASSWORD" | sha256sum | cut -f 1 -d " ")
+ echo "user default on #$PASSHASH ~* &* +@all" >> /etc/valkey/users.acl
+
+ # Set final permissions
+ chmod 0400 /etc/valkey/users.acl
+ log "ACL file created with 0400 permissions"
 # Replica mode configuration
 log "Configuring replication mode"
@@ -73,7 +126,16 @@ data:
 echo "# Replica Configuration"
 echo "replicaof $MASTER_HOST $MASTER_PORT"
 echo "replica-announce-ip directus-valkey-$POD_INDEX.directus-valkey-headless.directus.svc.cluster.local"
+ echo ""
+ echo "# Master authentication"
 } >>"$VALKEY_CONFIG"
+ # Get the password for the replication user
+ REPL_PASSWORD=$(get_user_password "default" "default") || exit 1
+
+ # Write masterauth configuration
+ echo "masterauth $REPL_PASSWORD" >>"$VALKEY_CONFIG"
+ echo "masteruser default" >>"$VALKEY_CONFIG"
+ log "Configured masterauth with user default"
 fi
 # Append extra configs if present
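Review bot: `echo "masterauth $REPL_PASSWORD" >>"$VALKEY_CONFIG"` in the second hunk writes the plaintext password into `/data/conf/valkey.conf`, a file on the persistent `/data` volume created with the init container's default umask, while the first hunk takes care to keep the same secret only as a SHA-256 hash in a 0400 file on the in-memory `/etc/valkey` volume. Anyone with access to the PVC or a backup of it reads the credential directly. Consider `chmod 0600 "$VALKEY_CONFIG"` immediately after the write, or keeping credentials off `/data` by writing `masterauth`/`masteruser` to a file under `/etc/valkey` and referencing it with an `include` line in valkey.conf. The `if [ "$IS_MASTER" = "false" ]` guard that encloses this block starts outside the hunk, so the write is replica-only.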
diff --git a/clusters/cl01tl/manifests/directus/Pod-directus-valkey-test-auth-existing.yaml b/clusters/cl01tl/manifests/directus/Pod-directus-valkey-test-auth-existing.yaml
new file mode 100644
index 000000000..a12f9d93c
--- /dev/null
+++ b/clusters/cl01tl/manifests/directus/Pod-directus-valkey-test-auth-existing.yaml
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: directus-valkey-test-auth-existing
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: directus
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ restartPolicy: Never
+ containers:
+ - name: test-auth
+ image: "valkey/valkey:9.0.3"
+ command:
+ - sh
+ - -c
+ - |
+ set -e
+ echo "Testing authentication with usersExistingSecret..."
+ TLS_FLAGS=""
+
+ # Test basic connection (no auth - will fail if auth is properly configured)
+ PING_RESULT=$(valkey-cli -h directus-valkey -p 6379 $TLS_FLAGS PING 2>&1 || true)
+ if [ "$PING_RESULT" = "PONG" ]; then
+ echo "✗ Authentication test failed: server allows unauthenticated access"
+ exit 1
+ fi
+
+ echo "✓ Authentication is enforced (unauthenticated access denied)"
+ echo "✓ Received expected error: $PING_RESULT"
+ echo "⚠ Manual verification recommended for usersExistingSecret configuration"
+ exit 0
+ volumeMounts:
+ - name: valkey-users-secret
+ mountPath: /valkey-users-secret
+ readOnly: true
+ volumes:
+ - name: valkey-users-secret
+ secret:
+ secretName: directus-valkey-config
diff --git a/clusters/cl01tl/manifests/directus/StatefulSet-directus-valkey.yaml b/clusters/cl01tl/manifests/directus/StatefulSet-directus-valkey.yaml
index 7268cad64..63dd76bc6 100644
--- a/clusters/cl01tl/manifests/directus/StatefulSet-directus-valkey.yaml
+++ b/clusters/cl01tl/manifests/directus/StatefulSet-directus-valkey.yaml
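Review bot: The test passes whenever `valkey-cli` returns anything other than `PONG`, so a wrong host, a DNS failure, a refused connection or a crashed server all print "Authentication is enforced" and exit 0; the check should require the actual auth error, e.g. `case "$PING_RESULT" in *NOAUTH*) ;; *) echo "unexpected reply: $PING_RESULT"; exit 1 ;; esac`. The `valkey-users-secret` volume is mounted but never read, so the script never proves that the stored password authenticates — either use it for a second, authenticated PING or drop the mount so the test pod no longer receives the secret. Unlike the workload pods, this container also runs with no `securityContext` (no `runAsNonRoot`, no dropped capabilities).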
@@ -32,7 +32,7 @@ spec:
 app.kubernetes.io/name: valkey
 app.kubernetes.io/instance: directus
 annotations:
- checksum/initconfig: "1a02492c8a38ab0baf1fc607dedf1a27"
+ checksum/initconfig: "6307ecb287c2f05dc09ba3cf7cdfd155"
 spec:
 automountServiceAccountToken: false
 serviceAccountName: directus-valkey
@@ -62,6 +62,11 @@ spec:
 mountPath: /data
 - name: scripts
 mountPath: /scripts
+ - name: valkey-acl
+ mountPath: /etc/valkey
+ - name: valkey-users-secret
+ mountPath: /valkey-users-secret
+ readOnly: true
 containers:
 - name: directus-valkey
 image: docker.io/valkey/valkey:9.0.3
@@ -99,6 +104,8 @@ spec:
 volumeMounts:
 - name: valkey-data
 mountPath: /data
+ - name: valkey-acl
+ mountPath: /etc/valkey
 - name: metrics
 image: ghcr.io/oliver006/redis_exporter:v1.81.0
 imagePullPolicy: "IfNotPresent"
@@ -127,3 +134,10 @@ spec:
 configMap:
 name: directus-valkey-init-scripts
 defaultMode: 0555
+ - name: valkey-acl
+ emptyDir:
+ medium: Memory
+ - name: valkey-users-secret
+ secret:
+ secretName: directus-valkey-config
+ defaultMode: 0400
diff --git a/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-valkey-renovate-init-scripts.yaml b/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-valkey-renovate-init-scripts.yaml
new file mode 100644
index 000000000..08d86c3c4
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/ConfigMap-gitea-valkey-renovate-init-scripts.yaml
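Review bot: Only `checksum/initconfig` drives pod restarts, but the ACL file is generated once by the init container from the `directus-valkey-config` secret mounted at `/valkey-users-secret`; rotating the password in that secret therefore changes nothing in running pods until they happen to restart, and a pod restarted after the rotation would presumably present the new `masterauth` to a master still holding the old hash. Consider a `checksum/users-secret` annotation on the pod template (or a reloader) so a secret change rolls the StatefulSet. The `valkey-acl` mount in the `directus-valkey` container could also be `readOnly: true` to match the 0400 intent of the init script, unless the server is expected to run `ACL SAVE`.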
@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: gitea-valkey-renovate-init-scripts
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+data:
+ init.sh: |-
+ #!/bin/sh
+ set -eu
+
+ # Default config paths
+ VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf}
+
+ LOGFILE="/data/init.log"
+ DATA_DIR="/data/conf"
+
+ # Logging function (outputs to stderr and file)
+ log() {
+ echo "$(date) $1" | tee -a "$LOGFILE" >&2
+ }
+
+ # Clean old log if requested
+ if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
+ rm -f "$LOGFILE"
+ fi
+
+ if [ -f "$LOGFILE" ]; then
+ log "Detected restart of this instance ($HOSTNAME)"
+ fi
+
+ log "Creating configuration in $DATA_DIR..."
+ mkdir -p "$DATA_DIR"
+ rm -f "$VALKEY_CONFIG"
+
+
+ # Base valkey.conf
+ log "Generating base valkey.conf"
+ {
+ echo "port 6379"
+ echo "protected-mode no"
+ echo "bind * -::*"
+ echo "dir /data"
+ } >>"$VALKEY_CONFIG"
+
+ # Append extra configs if present
+ if [ -f /usr/local/etc/valkey/valkey.conf ]; then
+ log "Appending /usr/local/etc/valkey/valkey.conf"
+ cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG"
+ fi
+ if [ -d /extravalkeyconfigs ]; then
+ log "Appending files in /extravalkeyconfigs/"
+ cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG"
+ fi
diff --git a/clusters/cl01tl/manifests/gitea/Deployment-gitea-valkey-renovate.yaml b/clusters/cl01tl/manifests/gitea/Deployment-gitea-valkey-renovate.yaml
new file mode 100644
index 000000000..42e2908cc
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/Deployment-gitea-valkey-renovate.yaml
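Review bot: The generated config sets `protected-mode no` and `bind * -::*` with no `aclfile` or `requirepass`, so this instance accepts unauthenticated commands from any pod that can reach port 6379; the directus instance in this same commit gets an ACL file, so the chart supports it. If renovate cannot be given credentials, state that choice in a comment at the top of `init.sh` and pair it with a NetworkPolicy that limits ingress to the renovate pods. Separately, `cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG"` fails under `set -e` when the directory exists but is empty (the glob stays literal), aborting init; `for f in /extravalkeyconfigs/*; do [ -f "$f" ] && cat "$f"; done >>"$VALKEY_CONFIG"` avoids that. The identical script appears in the two grafana-operator ConfigMaps below.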
@@ -0,0 +1,113 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gitea-valkey-renovate + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-renovate + app.kubernetes.io/instance: gitea + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + strategy: + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/name: valkey-renovate + app.kubernetes.io/instance: gitea + template: + metadata: + labels: + app.kubernetes.io/name: valkey-renovate + app.kubernetes.io/instance: gitea + annotations: + checksum/initconfig: f77fc408ed818f9e2bd789f0e95a4172 + spec: + automountServiceAccountToken: false + serviceAccountName: gitea-valkey-renovate + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 1000 + initContainers: + - name: gitea-valkey-renovate-init + image: docker.io/valkey/valkey:9.0.3 + imagePullPolicy: IfNotPresent + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + command: ["/scripts/init.sh"] + volumeMounts: + - name: valkey-data + mountPath: /data + - name: scripts + mountPath: /scripts + containers: + - name: gitea-valkey-renovate + image: docker.io/valkey/valkey:9.0.3 + imagePullPolicy: IfNotPresent + command: ["valkey-server"] + args: ["/data/conf/valkey.conf"] + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + env: + - name: VALKEY_LOGLEVEL + value: "notice" + ports: + - name: tcp + containerPort: 6379 + protocol: TCP + startupProbe: + exec: + command: ["sh", "-c", "valkey-cli ping"] + livenessProbe: + exec: + command: ["sh", "-c", "valkey-cli ping"] + resources: + requests: + cpu: 10m + memory: 128Mi + volumeMounts: + - name: valkey-data + mountPath: /data + - name: metrics + image: ghcr.io/oliver006/redis_exporter:v1.81.0 + imagePullPolicy: "IfNotPresent" + ports: + - name: metrics + containerPort: 9121 + startupProbe: + 
tcpSocket: + port: metrics + livenessProbe: + tcpSocket: + port: metrics + readinessProbe: + httpGet: + path: / + port: metrics + resources: + requests: + cpu: 10m + memory: 64M + env: + - name: REDIS_ALIAS + value: gitea-valkey-renovate + volumes: + - name: scripts + configMap: + name: gitea-valkey-renovate-init-scripts + defaultMode: 0555 + - name: valkey-data + persistentVolumeClaim: + claimName: gitea-valkey-renovate diff --git a/clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-valkey-renovate.yaml b/clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-valkey-renovate.yaml new file mode 100644 index 000000000..a273a5925 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-valkey-renovate.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: gitea-valkey-renovate + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-renovate + app.kubernetes.io/instance: gitea + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 1Gi + storageClassName: ceph-block diff --git a/clusters/cl01tl/manifests/gitea/PodMonitor-gitea-valkey-renovate.yaml b/clusters/cl01tl/manifests/gitea/PodMonitor-gitea-valkey-renovate.yaml new file mode 100644 index 000000000..31de7bcf1 --- /dev/null +++ b/clusters/cl01tl/manifests/gitea/PodMonitor-gitea-valkey-renovate.yaml 
@@ -0,0 +1,23 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: gitea-valkey-renovate
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: valkey
+ app.kubernetes.io/component: podmonitor
+spec:
+ podMetricsEndpoints:
+ - port: metrics
+ interval: 30s
+ namespaceSelector:
+ matchNames:
+ - gitea
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
diff --git a/clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-valkey-renovate.yaml b/clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-valkey-renovate.yaml
new file mode 100644
index 000000000..1ed65d3ec
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-valkey-renovate.yaml
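Review bot: This PodMonitor and the ServiceMonitor `gitea-valkey-renovate` added further down both select the `metrics` port on the same pods, so Prometheus scrapes each exporter twice every 30s and stores two series sets that differ only in their `job`/`service`/`pod` labels. The PrometheusRule for this instance filters on `service="gitea-valkey-renovate-metrics"`, a label that (with default relabeling, confirm) only the ServiceMonitor-scraped series carry, so the PodMonitor series feed no alert. Keep one of the two — the ServiceMonitor, given the rules — or add a comment explaining why both are wanted. This looks chart-generated, so the fix may belong in the chart values rather than in this rendered file.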
@@ -0,0 +1,47 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: gitea-valkey-renovate
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: valkey
+spec:
+ groups:
+ - name: gitea-valkey-renovate
+ rules:
+ - alert: ValkeyDown
+ annotations:
+ description: Valkey instance {{ $labels.instance }} is down.
+ summary: Valkey instance {{ $labels.instance }} down
+ expr: |
+ redis_up{service="gitea-valkey-renovate-metrics"} == 0
+ for: 2m
+ labels:
+ severity: error
+ - alert: ValkeyMemoryHigh
+ annotations:
+ description: |
+ Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory.
+ summary: Valkey instance {{ $labels.instance }} is using too much memory
+ expr: |
+ redis_memory_used_bytes{service="gitea-valkey-renovate-metrics"} * 100
+ /
+ redis_memory_max_bytes{service="gitea-valkey-renovate-metrics"}
+ > 90 <= 100
+ for: 2m
+ labels:
+ severity: error
+ - alert: ValkeyKeyEviction
+ annotations:
+ description: |
+ Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes.
+ summary: Valkey instance {{ $labels.instance }} has evicted keys
+ expr: |
+ increase(redis_evicted_keys_total{service="gitea-valkey-renovate-metrics"}[5m]) > 0
+ for: 1s
+ labels:
+ severity: error
diff --git a/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate-metrics.yaml b/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate-metrics.yaml
new file mode 100644
index 000000000..f9bde3047
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate-metrics.yaml
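Review bot: `ValkeyMemoryHigh` divides by `redis_memory_max_bytes`, and the init script for this instance writes no `maxmemory`, so unless one arrives through `/extravalkeyconfigs` the denominator is 0, the ratio is `+Inf`, and the `> 90 <= 100` bound discards it — the alert can never fire. `ValkeyKeyEviction` likewise depends on an eviction policy that only takes effect once `maxmemory` is set. Either add `maxmemory`/`maxmemory-policy` to the init script for this cache or drop the two rules here, and add a comment above the group stating the dependency. The same applies to `PrometheusRule-grafana-operator-valkey-unified-alerting` near the end of this diff.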
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea-valkey-renovate-metrics
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: metrics
+ app.kubernetes.io/part-of: valkey
+ annotations:
+spec:
+ type: ClusterIP
+ ports:
+ - name: metrics
+ port: 9121
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
diff --git a/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate.yaml b/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate.yaml
new file mode 100644
index 000000000..2fe593bb2
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea-valkey-renovate
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: primary
+spec:
+ type: ClusterIP
+ ports:
+ - port: 6379
+ targetPort: tcp
+ protocol: TCP
+ name: tcp
+ selector:
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
diff --git a/clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-valkey-renovate.yaml b/clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-valkey-renovate.yaml
new file mode 100644
index 000000000..fe9bd8cbd
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-valkey-renovate.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gitea-valkey-renovate
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+automountServiceAccountToken: false
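Review bot: `annotations:` under `metadata` in the metrics Service has no value, which YAML parses as `null`; the API server tolerates it, but yamllint's `empty-values` flags it and it reads as an unfinished edit — write `annotations: {}` or drop the key. Minor: the two Services list the port fields in different orders (`name` first in the metrics Service, `port` first in the primary one); one order would keep the rendered files diffable.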
diff --git a/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-valkey-renovate.yaml b/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-valkey-renovate.yaml
new file mode 100644
index 000000000..42a557a65
--- /dev/null
+++ b/clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-valkey-renovate.yaml
@@ -0,0 +1,24 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: gitea-valkey-renovate
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: valkey
+ app.kubernetes.io/component: service-monitor
+spec:
+ endpoints:
+ - port: metrics
+ interval: 30s
+ namespaceSelector:
+ matchNames:
+ - gitea
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: valkey-renovate
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/component: metrics
diff --git a/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-valkey.yaml b/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-valkey.yaml
index ae394dac4..1f5e28e71 100644
--- a/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-valkey.yaml
+++ b/clusters/cl01tl/manifests/gitea/StatefulSet-gitea-valkey.yaml
@@ -25,7 +25,7 @@ spec:
 storageClassName: "ceph-block"
 resources:
 requests:
- storage: "1Gi"
+ storage: "10Gi"
 template:
 metadata:
 labels:
@@ -94,8 +94,8 @@ spec:
 command: ["sh", "-c", "valkey-cli ping"]
 resources:
 requests:
- cpu: 10m
- memory: 128Mi
+ cpu: 20m
+ memory: 256Mi
 volumeMounts:
 - name: valkey-data
 mountPath: /data
diff --git a/clusters/cl01tl/manifests/grafana-operator/ConfigMap-grafana-operator-valkey-remote-cache-init-scripts.yaml b/clusters/cl01tl/manifests/grafana-operator/ConfigMap-grafana-operator-valkey-remote-cache-init-scripts.yaml
new file mode 100644
index 000000000..812146530
--- /dev/null
+++ b/clusters/cl01tl/manifests/grafana-operator/ConfigMap-grafana-operator-valkey-remote-cache-init-scripts.yaml
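Review bot: `storage: "10Gi"` at line 25 of the StatefulSet sits, judging by the `storageClassName`/`resources`/`requests` context and the `template:` that follows it, inside `volumeClaimTemplates`, and the apps API rejects updates to that field on an existing StatefulSet (only `replicas`, `template`, `updateStrategy` and a few others are mutable), so applying this change will fail with a Forbidden error. To grow the volume, expand the bound PVC directly (if the `ceph-block` class allows expansion) and recreate the StatefulSet with `--cascade=orphan` so the template matches. A comment next to the field noting that it only applies to newly created claims would save the next person the same round trip.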
@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-operator-valkey-remote-cache-init-scripts
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey-remote-cache
+ app.kubernetes.io/instance: grafana-operator
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+data:
+ init.sh: |-
+ #!/bin/sh
+ set -eu
+
+ # Default config paths
+ VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf}
+
+ LOGFILE="/data/init.log"
+ DATA_DIR="/data/conf"
+
+ # Logging function (outputs to stderr and file)
+ log() {
+ echo "$(date) $1" | tee -a "$LOGFILE" >&2
+ }
+
+ # Clean old log if requested
+ if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
+ rm -f "$LOGFILE"
+ fi
+
+ if [ -f "$LOGFILE" ]; then
+ log "Detected restart of this instance ($HOSTNAME)"
+ fi
+
+ log "Creating configuration in $DATA_DIR..."
+ mkdir -p "$DATA_DIR"
+ rm -f "$VALKEY_CONFIG"
+
+
+ # Base valkey.conf
+ log "Generating base valkey.conf"
+ {
+ echo "port 6379"
+ echo "protected-mode no"
+ echo "bind * -::*"
+ echo "dir /data"
+ } >>"$VALKEY_CONFIG"
+
+ # Append extra configs if present
+ if [ -f /usr/local/etc/valkey/valkey.conf ]; then
+ log "Appending /usr/local/etc/valkey/valkey.conf"
+ cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG"
+ fi
+ if [ -d /extravalkeyconfigs ]; then
+ log "Appending files in /extravalkeyconfigs/"
+ cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG"
+ fi
diff --git a/clusters/cl01tl/manifests/grafana-operator/ConfigMap-grafana-operator-valkey-unified-alerting-init-scripts.yaml b/clusters/cl01tl/manifests/grafana-operator/ConfigMap-grafana-operator-valkey-unified-alerting-init-scripts.yaml
new file mode 100644
index 000000000..e5f33a88f
--- /dev/null
+++ b/clusters/cl01tl/manifests/grafana-operator/ConfigMap-grafana-operator-valkey-unified-alerting-init-scripts.yaml
@@ -0,0 +1,87 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: grafana-operator-valkey-unified-alerting-init-scripts + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-unified-alerting + app.kubernetes.io/instance: grafana-operator + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm +data: + init.sh: |- + #!/bin/sh + set -eu + + # Default config paths + VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf} + + LOGFILE="/data/init.log" + DATA_DIR="/data/conf" + + # Logging function (outputs to stderr and file) + log() { + echo "$(date) $1" | tee -a "$LOGFILE" >&2 + } + + # Clean old log if requested + if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then + rm -f "$LOGFILE" + fi + + if [ -f "$LOGFILE" ]; then + log "Detected restart of this instance ($HOSTNAME)" + fi + + log "Creating configuration in $DATA_DIR..." + mkdir -p "$DATA_DIR" + rm -f "$VALKEY_CONFIG" + + + # Base valkey.conf + log "Generating base valkey.conf" + { + echo "port 6379" + echo "protected-mode no" + echo "bind * -::*" + echo "dir /data" + } >>"$VALKEY_CONFIG" + # Replica mode configuration + log "Configuring replication mode" + + # Use POD_INDEX from Kubernetes metadata + POD_INDEX=${POD_INDEX:-0} + IS_MASTER=false + + # Check if this is pod-0 (master) + if [ "$POD_INDEX" = "0" ]; then + IS_MASTER=true + log "This pod (index $POD_INDEX) is configured as MASTER" + else + log "This pod (index $POD_INDEX) is configured as REPLICA" + fi + + # Configure replica settings + if [ "$IS_MASTER" = "false" ]; then + MASTER_HOST="grafana-operator-valkey-unified-alerting-0.grafana-operator-valkey-unified-alerting-headless.grafana-operator.svc.cluster.local" + MASTER_PORT="6379" + + log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT" + + { + echo "" + echo "# Replica Configuration" + echo "replicaof $MASTER_HOST $MASTER_PORT" + echo "replica-announce-ip 
grafana-operator-valkey-unified-alerting-$POD_INDEX.grafana-operator-valkey-unified-alerting-headless.grafana-operator.svc.cluster.local" + } >>"$VALKEY_CONFIG" + fi + + # Append extra configs if present + if [ -f /usr/local/etc/valkey/valkey.conf ]; then + log "Appending /usr/local/etc/valkey/valkey.conf" + cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG" + fi + if [ -d /extravalkeyconfigs ]; then + log "Appending files in /extravalkeyconfigs/" + cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG" + fi diff --git a/clusters/cl01tl/manifests/grafana-operator/Deployment-grafana-operator-valkey-remote-cache.yaml b/clusters/cl01tl/manifests/grafana-operator/Deployment-grafana-operator-valkey-remote-cache.yaml new file mode 100644 index 000000000..b37d9e3df --- /dev/null +++ b/clusters/cl01tl/manifests/grafana-operator/Deployment-grafana-operator-valkey-remote-cache.yaml 
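Review bot: `POD_INDEX=${POD_INDEX:-0}` makes every pod a master when the variable is absent, so a StatefulSet that does not inject `POD_INDEX` (the StatefulSet for this instance is not in this chunk) silently ends up with two independent writers instead of failing fast; fail closed with `POD_INDEX=${POD_INDEX:?POD_INDEX must be set}` or derive it from the ordinal in `${HOSTNAME##*-}`. The replica also connects to the master without `masterauth`, which is consistent with the unauthenticated `protected-mode no` base config this script writes but differs from the directus instance hardened in this same commit. A comment at the top of the replica block stating where the ordinal is expected to come from would help the next reader.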
@@ -0,0 +1,113 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grafana-operator-valkey-remote-cache + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-remote-cache + app.kubernetes.io/instance: grafana-operator + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + strategy: + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/name: valkey-remote-cache + app.kubernetes.io/instance: grafana-operator + template: + metadata: + labels: + app.kubernetes.io/name: valkey-remote-cache + app.kubernetes.io/instance: grafana-operator + annotations: + checksum/initconfig: d790dfe3185267fe6c217c9572cfa9fb + spec: + automountServiceAccountToken: false + serviceAccountName: grafana-operator-valkey-remote-cache + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 1000 + initContainers: + - name: grafana-operator-valkey-remote-cache-init + image: docker.io/valkey/valkey:9.0.3 + imagePullPolicy: IfNotPresent + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + command: ["/scripts/init.sh"] + volumeMounts: + - name: valkey-data + mountPath: /data + - name: scripts + mountPath: /scripts + containers: + - name: grafana-operator-valkey-remote-cache + image: docker.io/valkey/valkey:9.0.3 + imagePullPolicy: IfNotPresent + command: ["valkey-server"] + args: ["/data/conf/valkey.conf"] + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + env: + - name: VALKEY_LOGLEVEL + value: "notice" + ports: + - name: tcp + containerPort: 6379 + protocol: TCP + startupProbe: + exec: + command: ["sh", "-c", "valkey-cli ping"] + livenessProbe: + exec: + command: ["sh", "-c", "valkey-cli ping"] + resources: + requests: + cpu: 10m + memory: 128Mi + volumeMounts: + - name: valkey-data + mountPath: /data + - name: metrics + image: 
ghcr.io/oliver006/redis_exporter:v1.81.0 + imagePullPolicy: "IfNotPresent" + ports: + - name: metrics + containerPort: 9121 + startupProbe: + tcpSocket: + port: metrics + livenessProbe: + tcpSocket: + port: metrics + readinessProbe: + httpGet: + path: / + port: metrics + resources: + requests: + cpu: 10m + memory: 64M + env: + - name: REDIS_ALIAS + value: grafana-operator-valkey-remote-cache + volumes: + - name: scripts + configMap: + name: grafana-operator-valkey-remote-cache-init-scripts + defaultMode: 0555 + - name: valkey-data + persistentVolumeClaim: + claimName: grafana-operator-valkey-remote-cache diff --git a/clusters/cl01tl/manifests/grafana-operator/PersistentVolumeClaim-grafana-operator-valkey-remote-cache.yaml b/clusters/cl01tl/manifests/grafana-operator/PersistentVolumeClaim-grafana-operator-valkey-remote-cache.yaml new file mode 100644 index 000000000..d8239d96f --- /dev/null +++ b/clusters/cl01tl/manifests/grafana-operator/PersistentVolumeClaim-grafana-operator-valkey-remote-cache.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: grafana-operator-valkey-remote-cache + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-remote-cache + app.kubernetes.io/instance: grafana-operator + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 1Gi + storageClassName: ceph-block diff --git a/clusters/cl01tl/manifests/grafana-operator/PodMonitor-grafana-operator-valkey.yaml b/clusters/cl01tl/manifests/grafana-operator/PodMonitor-grafana-operator-valkey-remote-cache.yaml similarity index 78% rename from clusters/cl01tl/manifests/grafana-operator/PodMonitor-grafana-operator-valkey.yaml rename to clusters/cl01tl/manifests/grafana-operator/PodMonitor-grafana-operator-valkey-remote-cache.yaml index eea2a1838..c39ca3174 100644 
--- a/clusters/cl01tl/manifests/grafana-operator/PodMonitor-grafana-operator-valkey.yaml
+++ b/clusters/cl01tl/manifests/grafana-operator/PodMonitor-grafana-operator-valkey-remote-cache.yaml
@@ -1,10 +1,10 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
- name: grafana-operator-valkey
+ name: grafana-operator-valkey-remote-cache
 labels:
 helm.sh/chart: valkey-0.9.3
- app.kubernetes.io/name: valkey
+ app.kubernetes.io/name: valkey-remote-cache
 app.kubernetes.io/instance: grafana-operator
 app.kubernetes.io/version: "9.0.3"
 app.kubernetes.io/managed-by: Helm
@@ -19,5 +19,5 @@ spec:
 - grafana-operator
 selector:
 matchLabels:
- app.kubernetes.io/name: valkey
+ app.kubernetes.io/name: valkey-remote-cache
 app.kubernetes.io/instance: grafana-operator
diff --git a/clusters/cl01tl/manifests/grafana-operator/PodMonitor-grafana-operator-valkey-unified-alerting.yaml b/clusters/cl01tl/manifests/grafana-operator/PodMonitor-grafana-operator-valkey-unified-alerting.yaml
new file mode 100644
index 000000000..78761545c
--- /dev/null
+++ b/clusters/cl01tl/manifests/grafana-operator/PodMonitor-grafana-operator-valkey-unified-alerting.yaml
@@ -0,0 +1,23 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: grafana-operator-valkey-unified-alerting
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey-unified-alerting
+ app.kubernetes.io/instance: grafana-operator
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: valkey
+ app.kubernetes.io/component: podmonitor
+spec:
+ podMetricsEndpoints:
+ - port: metrics
+ interval: 30s
+ namespaceSelector:
+ matchNames:
+ - grafana-operator
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: valkey-unified-alerting
+ app.kubernetes.io/instance: grafana-operator
diff --git a/clusters/cl01tl/manifests/grafana-operator/PrometheusRule-grafana-operator-valkey.yaml b/clusters/cl01tl/manifests/grafana-operator/PrometheusRule-grafana-operator-valkey-remote-cache.yaml
similarity index 81%
rename from clusters/cl01tl/manifests/grafana-operator/PrometheusRule-grafana-operator-valkey.yaml
rename to clusters/cl01tl/manifests/grafana-operator/PrometheusRule-grafana-operator-valkey-remote-cache.yaml
index 4512521ef..aa2071643 100644
--- a/clusters/cl01tl/manifests/grafana-operator/PrometheusRule-grafana-operator-valkey.yaml
+++ b/clusters/cl01tl/manifests/grafana-operator/PrometheusRule-grafana-operator-valkey-remote-cache.yaml
@@ -1,24 +1,24 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
- name: grafana-operator-valkey
+ name: grafana-operator-valkey-remote-cache
 labels:
 helm.sh/chart: valkey-0.9.3
- app.kubernetes.io/name: valkey
+ app.kubernetes.io/name: valkey-remote-cache
 app.kubernetes.io/instance: grafana-operator
 app.kubernetes.io/version: "9.0.3"
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/part-of: valkey
 spec:
 groups:
- - name: grafana-operator-valkey
+ - name: grafana-operator-valkey-remote-cache
 rules:
 - alert: ValkeyDown
 annotations:
 description: Valkey instance {{ $labels.instance }} is down.
 summary: Valkey instance {{ $labels.instance }} down
 expr: |
- redis_up{service="grafana-operator-valkey-metrics"} == 0
+ redis_up{service="grafana-operator-valkey-remote-cache-metrics"} == 0
 for: 2m
 labels:
 severity: error
@@ -28,9 +28,9 @@ spec: Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory. summary: Valkey instance {{ $labels.instance }} is using too much memory expr: | - redis_memory_used_bytes{service="grafana-operator-valkey-metrics"} * 100 + redis_memory_used_bytes{service="grafana-operator-valkey-remote-cache-metrics"} * 100 / - redis_memory_max_bytes{service="grafana-operator-valkey-metrics"} + redis_memory_max_bytes{service="grafana-operator-valkey-remote-cache-metrics"} > 90 <= 100 for: 2m labels: @@ -41,7 +41,7 @@ spec: Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes. summary: Valkey instance {{ $labels.instance }} has evicted keys expr: | - increase(redis_evicted_keys_total{service="grafana-operator-valkey-metrics"}[5m]) > 0 + increase(redis_evicted_keys_total{service="grafana-operator-valkey-remote-cache-metrics"}[5m]) > 0 for: 1s labels: severity: error diff --git a/clusters/cl01tl/manifests/grafana-operator/PrometheusRule-grafana-operator-valkey-unified-alerting.yaml b/clusters/cl01tl/manifests/grafana-operator/PrometheusRule-grafana-operator-valkey-unified-alerting.yaml new file mode 100644 index 000000000..77a59738a --- /dev/null +++ b/clusters/cl01tl/manifests/grafana-operator/PrometheusRule-grafana-operator-valkey-unified-alerting.yaml 
@@ -0,0 +1,47 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: grafana-operator-valkey-unified-alerting + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-unified-alerting + app.kubernetes.io/instance: grafana-operator + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: valkey +spec: + groups: + - name: grafana-operator-valkey-unified-alerting + rules: + - alert: ValkeyDown + annotations: + description: Valkey instance {{ $labels.instance }} is down. + summary: Valkey instance {{ $labels.instance }} down + expr: | + redis_up{service="grafana-operator-valkey-unified-alerting-metrics"} == 0 + for: 2m + labels: + severity: error + - alert: ValkeyMemoryHigh + annotations: + description: | + Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory. + summary: Valkey instance {{ $labels.instance }} is using too much memory + expr: | + redis_memory_used_bytes{service="grafana-operator-valkey-unified-alerting-metrics"} * 100 + / + redis_memory_max_bytes{service="grafana-operator-valkey-unified-alerting-metrics"} + > 90 <= 100 + for: 2m + labels: + severity: error + - alert: ValkeyKeyEviction + annotations: + description: | + Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes. + summary: Valkey instance {{ $labels.instance }} has evicted keys + expr: | + increase(redis_evicted_keys_total{service="grafana-operator-valkey-unified-alerting-metrics"}[5m]) > 0 + for: 1s + labels: + severity: error diff --git a/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-remote-cache-metrics.yaml b/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-remote-cache-metrics.yaml new file mode 100644 index 000000000..71e3c3bb6 --- /dev/null +++ b/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-remote-cache-metrics.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + name: grafana-operator-valkey-remote-cache-metrics + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-remote-cache + app.kubernetes.io/instance: grafana-operator + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: metrics + app.kubernetes.io/part-of: valkey + annotations: +spec: + type: ClusterIP + ports: + - name: metrics + port: 9121 + protocol: TCP + targetPort: metrics + selector: + app.kubernetes.io/name: valkey-remote-cache + app.kubernetes.io/instance: grafana-operator diff --git a/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-remote-cache.yaml b/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-remote-cache.yaml new file mode 100644 index 000000000..86f7da52b --- /dev/null +++ b/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-remote-cache.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + name: grafana-operator-valkey-remote-cache + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-remote-cache + app.kubernetes.io/instance: grafana-operator + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: primary +spec: + type: ClusterIP + ports: + - port: 6379 + targetPort: tcp + protocol: TCP + name: tcp + selector: + app.kubernetes.io/name: valkey-remote-cache + app.kubernetes.io/instance: grafana-operator 
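Review bot: `annotations:` in the new remote-cache metrics Service has no value and therefore parses as `null` rather than an empty mapping; most consumers tolerate it, but yamllint (`empty-values`) flags it and some validators and GitOps diff views show it as a perpetual change. Write `annotations: {}` or drop the key entirely. The unified-alerting metrics Service added in a later hunk carries the same empty key.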
diff --git a/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-headless.yaml b/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting-headless.yaml similarity index 74% rename from clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-headless.yaml rename to clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting-headless.yaml index 9214ad1d8..b26d55a10 100644 --- a/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-headless.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting-headless.yaml @@ -1,10 +1,10 @@ apiVersion: v1 kind: Service metadata: - name: grafana-operator-valkey-headless + name: grafana-operator-valkey-unified-alerting-headless labels: helm.sh/chart: valkey-0.9.3 - app.kubernetes.io/name: valkey + app.kubernetes.io/name: valkey-unified-alerting app.kubernetes.io/instance: grafana-operator app.kubernetes.io/version: "9.0.3" app.kubernetes.io/managed-by: Helm @@ -19,5 +19,5 @@ spec: targetPort: tcp protocol: TCP selector: - app.kubernetes.io/name: valkey + app.kubernetes.io/name: valkey-unified-alerting app.kubernetes.io/instance: grafana-operator diff --git a/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting-metrics.yaml b/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting-metrics.yaml new file mode 100644 index 000000000..9b13b781e --- /dev/null +++ b/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting-metrics.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + name: grafana-operator-valkey-unified-alerting-metrics + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-unified-alerting + app.kubernetes.io/instance: grafana-operator + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: metrics + app.kubernetes.io/part-of: valkey + annotations: +spec: + type: ClusterIP + ports: + - name: metrics + port: 9121 + protocol: TCP + targetPort: metrics + selector: + app.kubernetes.io/name: valkey-unified-alerting + app.kubernetes.io/instance: grafana-operator diff --git a/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-read.yaml b/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting-read.yaml similarity index 72% rename from clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-read.yaml rename to clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting-read.yaml index 2a8cc988a..2131774f1 100644 --- a/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-read.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting-read.yaml @@ -1,10 +1,10 @@ apiVersion: v1 kind: Service metadata: - name: grafana-operator-valkey-read + name: grafana-operator-valkey-unified-alerting-read labels: helm.sh/chart: valkey-0.9.3 - app.kubernetes.io/name: valkey + app.kubernetes.io/name: valkey-unified-alerting app.kubernetes.io/instance: grafana-operator app.kubernetes.io/version: "9.0.3" app.kubernetes.io/managed-by: Helm @@ -17,5 +17,5 @@ spec: targetPort: tcp protocol: TCP selector: - app.kubernetes.io/name: valkey + app.kubernetes.io/name: valkey-unified-alerting app.kubernetes.io/instance: grafana-operator 
diff --git a/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey.yaml b/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting.yaml similarity index 73% rename from clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey.yaml rename to clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting.yaml index 11b8f39a3..03663b4b5 100644 --- a/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting.yaml @@ -1,10 +1,10 @@ apiVersion: v1 kind: Service metadata: - name: grafana-operator-valkey + name: grafana-operator-valkey-unified-alerting labels: helm.sh/chart: valkey-0.9.3 - app.kubernetes.io/name: valkey + app.kubernetes.io/name: valkey-unified-alerting app.kubernetes.io/instance: grafana-operator app.kubernetes.io/version: "9.0.3" app.kubernetes.io/managed-by: Helm @@ -17,6 +17,6 @@ spec: protocol: TCP name: tcp selector: - app.kubernetes.io/name: valkey + app.kubernetes.io/name: valkey-unified-alerting app.kubernetes.io/instance: grafana-operator - statefulset.kubernetes.io/pod-name: grafana-operator-valkey-0 + statefulset.kubernetes.io/pod-name: grafana-operator-valkey-unified-alerting-0 diff --git a/clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator-valkey-remote-cache.yaml b/clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator-valkey-remote-cache.yaml new file mode 100644 index 000000000..9c8f4382c --- /dev/null +++ b/clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator-valkey-remote-cache.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: grafana-operator-valkey-remote-cache + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-remote-cache + app.kubernetes.io/instance: grafana-operator + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false diff --git a/clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator-valkey-unified-alerting.yaml b/clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator-valkey-unified-alerting.yaml new file mode 100644 index 000000000..d4b183f4a --- /dev/null +++ b/clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator-valkey-unified-alerting.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: grafana-operator-valkey-unified-alerting + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-unified-alerting + app.kubernetes.io/instance: grafana-operator + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false diff --git a/clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator-valkey.yaml b/clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator-valkey-remote-cache.yaml similarity index 79% rename from clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator-valkey.yaml rename to clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator-valkey-remote-cache.yaml index ce2795dd6..b5b260e05 100644 --- a/clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator-valkey.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator-valkey-remote-cache.yaml 
@@ -1,10 +1,10 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: - name: grafana-operator-valkey + name: grafana-operator-valkey-remote-cache labels: helm.sh/chart: valkey-0.9.3 - app.kubernetes.io/name: valkey + app.kubernetes.io/name: valkey-remote-cache app.kubernetes.io/instance: grafana-operator app.kubernetes.io/version: "9.0.3" app.kubernetes.io/managed-by: Helm @@ -19,6 +19,6 @@ spec: - grafana-operator selector: matchLabels: - app.kubernetes.io/name: valkey + app.kubernetes.io/name: valkey-remote-cache app.kubernetes.io/instance: grafana-operator app.kubernetes.io/component: metrics diff --git a/clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator-valkey-unified-alerting.yaml b/clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator-valkey-unified-alerting.yaml new file mode 100644 index 000000000..6d4007809 --- /dev/null +++ b/clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator-valkey-unified-alerting.yaml @@ -0,0 +1,24 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: grafana-operator-valkey-unified-alerting + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-unified-alerting + app.kubernetes.io/instance: grafana-operator + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: valkey + app.kubernetes.io/component: service-monitor +spec: + endpoints: + - port: metrics + interval: 30s + namespaceSelector: + matchNames: + - grafana-operator + selector: + matchLabels: + app.kubernetes.io/name: valkey-unified-alerting + app.kubernetes.io/instance: grafana-operator + app.kubernetes.io/component: metrics 
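Review bot: The new ServiceMonitor selects the `-metrics` Service whose own selector matches exactly the pods that the PodMonitor added earlier in this commit (PodMonitor-grafana-operator-valkey-unified-alerting) already scrapes on port `metrics` at the same 30s interval, so each Valkey pod appears to be scraped twice and every exporter metric exists as two series differing only in `job`/`service` labels. The PrometheusRule for this instance filters on `service="…-metrics"`, which as far as I can tell only the ServiceMonitor-scraped series carry, so the PodMonitor adds scrape load and cardinality without feeding any alert. Keep one of the two; the renamed remote-cache PodMonitor/ServiceMonitor pair has the same overlap.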
diff --git a/clusters/cl01tl/manifests/grafana-operator/StatefulSet-grafana-operator-valkey.yaml b/clusters/cl01tl/manifests/grafana-operator/StatefulSet-grafana-operator-valkey-unified-alerting.yaml similarity index 83% rename from clusters/cl01tl/manifests/grafana-operator/StatefulSet-grafana-operator-valkey.yaml rename to clusters/cl01tl/manifests/grafana-operator/StatefulSet-grafana-operator-valkey-unified-alerting.yaml index 23433e188..7a9b19a28 100644 --- a/clusters/cl01tl/manifests/grafana-operator/StatefulSet-grafana-operator-valkey.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/StatefulSet-grafana-operator-valkey-unified-alerting.yaml @@ -1,20 +1,20 @@ apiVersion: apps/v1 kind: StatefulSet metadata: - name: grafana-operator-valkey + name: grafana-operator-valkey-unified-alerting labels: helm.sh/chart: valkey-0.9.3 - app.kubernetes.io/name: valkey + app.kubernetes.io/name: valkey-unified-alerting app.kubernetes.io/instance: grafana-operator app.kubernetes.io/version: "9.0.3" app.kubernetes.io/managed-by: Helm spec: - serviceName: grafana-operator-valkey-headless + serviceName: grafana-operator-valkey-unified-alerting-headless replicas: 3 podManagementPolicy: OrderedReady selector: matchLabels: - app.kubernetes.io/name: valkey + app.kubernetes.io/name: valkey-unified-alerting app.kubernetes.io/instance: grafana-operator volumeClaimTemplates: - metadata: 
@@ -29,19 +29,19 @@ spec: template: metadata: labels: - app.kubernetes.io/name: valkey + app.kubernetes.io/name: valkey-unified-alerting app.kubernetes.io/instance: grafana-operator annotations: - checksum/initconfig: "4e54d550c2f6ca49dbd7140e4d7a0cdc" + checksum/initconfig: "cc97af05b1fa8109e641f83996efbf01" spec: automountServiceAccountToken: false - serviceAccountName: grafana-operator-valkey + serviceAccountName: grafana-operator-valkey-unified-alerting securityContext: fsGroup: 1000 runAsGroup: 1000 runAsUser: 1000 initContainers: - - name: grafana-operator-valkey-init + - name: grafana-operator-valkey-unified-alerting-init image: docker.io/valkey/valkey:9.0.3 imagePullPolicy: IfNotPresent securityContext: @@ -63,7 +63,7 @@ spec: - name: scripts mountPath: /scripts containers: - - name: grafana-operator-valkey + - name: grafana-operator-valkey-unified-alerting image: docker.io/valkey/valkey:9.0.3 imagePullPolicy: IfNotPresent command: ["valkey-server"] @@ -121,9 +121,9 @@ spec: memory: 64M env: - name: REDIS_ALIAS - value: grafana-operator-valkey + value: grafana-operator-valkey-unified-alerting volumes: - name: scripts configMap: - name: grafana-operator-valkey-init-scripts + name: grafana-operator-valkey-unified-alerting-init-scripts defaultMode: 0555 diff --git a/clusters/cl01tl/manifests/kube-prometheus-stack/StatefulSet-kube-prometheus-stack-valkey.yaml b/clusters/cl01tl/manifests/kube-prometheus-stack/StatefulSet-kube-prometheus-stack-valkey.yaml index 0a18d1990..0c0e84e24 100644 --- a/clusters/cl01tl/manifests/kube-prometheus-stack/StatefulSet-kube-prometheus-stack-valkey.yaml +++ b/clusters/cl01tl/manifests/kube-prometheus-stack/StatefulSet-kube-prometheus-stack-valkey.yaml @@ -25,7 +25,7 @@ spec: storageClassName: "ceph-block" resources: requests: - storage: "1Gi" + storage: "10Gi" template: metadata: labels: 
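Review bot: The `storage: "10Gi"` change in the kube-prometheus-stack-valkey hunk edits `volumeClaimTemplates` of a StatefulSet that already exists, and the API server rejects updates to that field (only `replicas`, `template`, `updateStrategy`, `minReadySeconds`, `persistentVolumeClaimRetentionPolicy` and `ordinals` may change), so the sync will fail rather than resize anything. Even when the object is recreated, existing PVCs keep their current size; if the storage class allows volume expansion, patch each PVC's `spec.resources.requests.storage` and recreate the StatefulSet with orphaned pods so the template matches. The enclosing `spec` continues outside the hunk.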
diff --git a/clusters/cl01tl/manifests/grafana-operator/ConfigMap-grafana-operator-valkey-init-scripts.yaml b/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-valkey-hookshot-init-scripts.yaml similarity index 83% rename from clusters/cl01tl/manifests/grafana-operator/ConfigMap-grafana-operator-valkey-init-scripts.yaml rename to clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-valkey-hookshot-init-scripts.yaml index 691907c4d..7a4770739 100644 --- a/clusters/cl01tl/manifests/grafana-operator/ConfigMap-grafana-operator-valkey-init-scripts.yaml +++ b/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-valkey-hookshot-init-scripts.yaml @@ -1,11 +1,11 @@ apiVersion: v1 kind: ConfigMap metadata: - name: grafana-operator-valkey-init-scripts + name: matrix-synapse-valkey-hookshot-init-scripts labels: helm.sh/chart: valkey-0.9.3 - app.kubernetes.io/name: valkey - app.kubernetes.io/instance: grafana-operator + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/version: "9.0.3" app.kubernetes.io/managed-by: Helm data: @@ -63,7 +63,7 @@ data: # Configure replica settings if [ "$IS_MASTER" = "false" ]; then - MASTER_HOST="grafana-operator-valkey-0.grafana-operator-valkey-headless.grafana-operator.svc.cluster.local" + MASTER_HOST="matrix-synapse-valkey-hookshot-0.matrix-synapse-valkey-hookshot-headless.matrix-synapse.svc.cluster.local" MASTER_PORT="6379" log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT" @@ -72,7 +72,7 @@ data: echo "" echo "# Replica Configuration" echo "replicaof $MASTER_HOST $MASTER_PORT" - echo "replica-announce-ip grafana-operator-valkey-$POD_INDEX.grafana-operator-valkey-headless.grafana-operator.svc.cluster.local" + echo "replica-announce-ip matrix-synapse-valkey-hookshot-$POD_INDEX.matrix-synapse-valkey-hookshot-headless.matrix-synapse.svc.cluster.local" } >>"$VALKEY_CONFIG" fi 
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-valkey-init-scripts.yaml b/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-valkey-init-scripts.yaml new file mode 100644 index 000000000..108ef20f0 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-valkey-init-scripts.yaml 
@@ -0,0 +1,149 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: matrix-synapse-valkey-init-scripts + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm +data: + init.sh: |- + #!/bin/sh + set -eu + + # Default config paths + VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf} + + LOGFILE="/data/init.log" + DATA_DIR="/data/conf" + + # Logging function (outputs to stderr and file) + log() { + echo "$(date) $1" | tee -a "$LOGFILE" >&2 + } + # Function to get password for a user + # Usage: get_user_password [password_key] + # Returns: password via stdout, exits with error if not found + get_user_password() { + username="$1" + password_key="${2:-$username}" + password="" + # Try to get password from existing secret first (priority) + if [ -f "/valkey-users-secret/$password_key" ]; then + password=$(cat "/valkey-users-secret/$password_key") + log "Using password from existing secret for user $username" + elif [ -f "/valkey-auth-secret/${username}-password" ]; then + # Fallback to inline password + password=$(cat "/valkey-auth-secret/${username}-password") + log "Using inline password for user $username" + else + log "ERROR: No password found for user $username" + return 1 + fi + + echo "$password" + } + + # Clean old log if requested + if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then + rm -f "$LOGFILE" + fi + + if [ -f "$LOGFILE" ]; then + log "Detected restart of this instance ($HOSTNAME)" + fi + + log "Creating configuration in $DATA_DIR..." 
+ mkdir -p "$DATA_DIR" + rm -f "$VALKEY_CONFIG" + + + # Base valkey.conf + log "Generating base valkey.conf" + { + echo "port 6379" + echo "protected-mode no" + echo "bind * -::*" + echo "dir /data" + } >>"$VALKEY_CONFIG" + # Create secure directory for ACL file + log "Creating /etc/valkey directory for ACL file" + mkdir -p /etc/valkey + + # Set aclfile path in valkey.conf + echo "aclfile /etc/valkey/users.acl" >>"$VALKEY_CONFIG" + + # Remove or reset existing ACL file if present (it may be read-only from previous run) + log "Preparing ACL file at /etc/valkey/users.acl" + if [ -f /etc/valkey/users.acl ]; then + log "Removing existing read-only users.acl file" + chmod 0600 /etc/valkey/users.acl + rm -f /etc/valkey/users.acl + fi + + # Create ACL file with secure permissions + touch /etc/valkey/users.acl + chmod 0600 /etc/valkey/users.acl + # Generate ACL entries for each user + log "Generating ACL entries for users" + + # User: default + PASSWORD=$(get_user_password "default" "default") || exit 1 + + # Hash the password and write ACL entry + PASSHASH=$(echo -n "$PASSWORD" | sha256sum | cut -f 1 -d " ") + echo "user default on #$PASSHASH ~* &* +@all" >> /etc/valkey/users.acl + + # Set final permissions + chmod 0400 /etc/valkey/users.acl + log "ACL file created with 0400 permissions" + # Replica mode configuration + log "Configuring replication mode" + + # Use POD_INDEX from Kubernetes metadata + POD_INDEX=${POD_INDEX:-0} + IS_MASTER=false + + # Check if this is pod-0 (master) + if [ "$POD_INDEX" = "0" ]; then + IS_MASTER=true + log "This pod (index $POD_INDEX) is configured as MASTER" + else + log "This pod (index $POD_INDEX) is configured as REPLICA" + fi + + # Configure replica settings + if [ "$IS_MASTER" = "false" ]; then + MASTER_HOST="matrix-synapse-valkey-0.matrix-synapse-valkey-headless.matrix-synapse.svc.cluster.local" + MASTER_PORT="6379" + + log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT" + + { + echo "" + echo "# Replica 
Configuration" + echo "replicaof $MASTER_HOST $MASTER_PORT" + echo "replica-announce-ip matrix-synapse-valkey-$POD_INDEX.matrix-synapse-valkey-headless.matrix-synapse.svc.cluster.local" + echo "" + echo "# Master authentication" + } >>"$VALKEY_CONFIG" + # Get the password for the replication user + REPL_PASSWORD=$(get_user_password "default" "default") || exit 1 + + # Write masterauth configuration + echo "masterauth $REPL_PASSWORD" >>"$VALKEY_CONFIG" + echo "masteruser default" >>"$VALKEY_CONFIG" + log "Configured masterauth with user default" + fi + + # Append extra configs if present + if [ -f /usr/local/etc/valkey/valkey.conf ]; then + log "Appending /usr/local/etc/valkey/valkey.conf" + cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG" + fi + if [ -d /extravalkeyconfigs ]; then + log "Appending files in /extravalkeyconfigs/" + cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG" + fi diff --git a/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse.yaml b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse.yaml index 1c83771db..baa98db5e 100644 --- a/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse.yaml +++ b/clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse.yaml @@ -22,7 +22,7 @@ spec: metadata: annotations: checksum/config: 13648c05f49095027336c9a2d1d30591025cdab4497a14542805b397fa3b92c8 - checksum/secrets: 0d6f055de2a4b62cd5b9ae50f578d73c68253aee28c9641318b06c0940e0c7ac + checksum/secrets: 5c93bb9068a23109958239ac9b72c1876b9f5ecfbf8d078c294fd171be2259ab labels: app.kubernetes.io/name: matrix-synapse app.kubernetes.io/instance: matrix-synapse @@ -71,7 +71,7 @@ spec: - name: REDIS_PASSWORD valueFrom: secretKeyRef: - name: matrix-synapse-redis-secret + name: matrix-synapse-valkey-secret key: password image: "ghcr.io/element-hq/synapse:v1.148.0" imagePullPolicy: IfNotPresent 
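Review bot: The ACL hash in this new init script is computed with `echo -n "$PASSWORD" | sha256sum`, but the script runs under `#!/bin/sh`, where `echo` may interpret backslash escapes (dash does so unconditionally) and `-n` is not portable, so a password containing a backslash or leading `-` hashes to something other than what the client will send; use `PASSHASH=$(printf '%s' "$PASSWORD" | sha256sum | cut -f 1 -d " ")`, and `printf` for the `echo "masterauth $REPL_PASSWORD"` line for the same reason. That `masterauth` line also writes the clear-text password into `$VALKEY_CONFIG` on the /data volume under the default umask, while users.acl is carefully set to 0400; add `umask 077` right after `set -eu` so the generated config and init.log are owner-only too. With `set -e`, `cat /extravalkeyconfigs/*` aborts the init when the directory exists but is empty, since the unexpanded glob is passed literally; guarding with a nullglob-style loop or `ls -A` check would make that branch safe.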
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-redis-secret.yaml b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-valkey-secret.yaml similarity index 61% rename from clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-redis-secret.yaml rename to clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-valkey-secret.yaml index 9951a58f3..69fe60ce8 100644 --- a/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-redis-secret.yaml +++ b/clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-valkey-secret.yaml @@ -1,10 +1,10 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: matrix-synapse-redis-secret + name: matrix-synapse-valkey-secret namespace: matrix-synapse labels: - app.kubernetes.io/name: matrix-synapse-redis-secret + app.kubernetes.io/name: matrix-synapse-valkey-secret app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/part-of: matrix-synapse spec: @@ -12,6 +12,13 @@ spec: kind: ClusterSecretStore name: vault data: + - secretKey: default + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /cl01tl/matrix-synapse/redis + metadataPolicy: None + property: password - secretKey: password remoteRef: conversionStrategy: Default diff --git a/clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-valkey-test-auth-existing.yaml b/clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-valkey-test-auth-existing.yaml new file mode 100644 index 000000000..c9107c86b --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-valkey-test-auth-existing.yaml 
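Review bot: The new `default` entry still reads `/cl01tl/matrix-synapse/redis` while every other object in this commit was renamed from redis to valkey, and it appears to map to the same vault `password` property as the existing `password` entry (that entry's remoteRef is cut off by the hunk). If reusing the old vault path is intentional, a short comment such as `# vault path kept as /redis; secret holds the Valkey default-user password under both keys` above the entry would stop the next rename from "fixing" it.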
@@ -0,0 +1,45 @@ +apiVersion: v1 +kind: Pod +metadata: + name: matrix-synapse-valkey-test-auth-existing + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + restartPolicy: Never + containers: + - name: test-auth + image: "valkey/valkey:9.0.3" + command: + - sh + - -c + - | + set -e + echo "Testing authentication with usersExistingSecret..." + TLS_FLAGS="" + + # Test basic connection (no auth - will fail if auth is properly configured) + PING_RESULT=$(valkey-cli -h matrix-synapse-valkey -p 6379 $TLS_FLAGS PING 2>&1 || true) + if [ "$PING_RESULT" = "PONG" ]; then + echo "✗ Authentication test failed: server allows unauthenticated access" + exit 1 + fi + + echo "✓ Authentication is enforced (unauthenticated access denied)" + echo "✓ Received expected error: $PING_RESULT" + echo "⚠ Manual verification recommended for usersExistingSecret configuration" + exit 0 + volumeMounts: + - name: valkey-users-secret + mountPath: /valkey-users-secret + readOnly: true + volumes: + - name: valkey-users-secret + secret: + secretName: matrix-synapse-valkey-secret diff --git a/clusters/cl01tl/manifests/matrix-synapse/PodMonitor-matrix-synapse-valkey-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/PodMonitor-matrix-synapse-valkey-hookshot.yaml new file mode 100644 index 000000000..fa0024771 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/PodMonitor-matrix-synapse-valkey-hookshot.yaml 
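Review bot: The test passes on any reply that is not `PONG`, so an unreachable or crashed server (`Could not connect to …`) is reported as "authentication is enforced"; match the expected denial explicitly, e.g. replace the `if` block with `case "$PING_RESULT" in *NOAUTH*) ;; *) echo "✗ Unexpected reply: $PING_RESULT"; exit 1;; esac`. The `valkey-users-secret` volume is mounted into the test pod but the script never reads it, so the password is exposed to one more pod for no benefit; either drop the mount or use it for the authenticated PING that the closing message leaves to manual verification. The container also lacks the `securityContext` (drop ALL, readOnlyRootFilesystem, runAsNonRoot) and the `docker.io/` image prefix used by the workload containers elsewhere in this commit; and since this is a rendered manifest, the `helm.sh/hook` annotations only take effect if the tool applying it understands Helm hooks, otherwise the pod is simply created once and left behind.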
@@ -0,0 +1,23 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: matrix-synapse-valkey-hookshot + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: valkey + app.kubernetes.io/component: podmonitor +spec: + podMetricsEndpoints: + - port: metrics + interval: 30s + namespaceSelector: + matchNames: + - matrix-synapse + selector: + matchLabels: + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse diff --git a/clusters/cl01tl/manifests/matrix-synapse/PodMonitor-matrix-synapse-valkey.yaml b/clusters/cl01tl/manifests/matrix-synapse/PodMonitor-matrix-synapse-valkey.yaml new file mode 100644 index 000000000..9689b876e --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/PodMonitor-matrix-synapse-valkey.yaml @@ -0,0 +1,23 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: matrix-synapse-valkey + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: valkey + app.kubernetes.io/component: podmonitor +spec: + podMetricsEndpoints: + - port: metrics + interval: 30s + namespaceSelector: + matchNames: + - matrix-synapse + selector: + matchLabels: + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: matrix-synapse diff --git a/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-valkey-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-valkey-hookshot.yaml new file mode 100644 index 000000000..2fa44091a --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-valkey-hookshot.yaml 
@@ -0,0 +1,47 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: matrix-synapse-valkey-hookshot + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: valkey +spec: + groups: + - name: matrix-synapse-valkey-hookshot + rules: + - alert: ValkeyDown + annotations: + description: Valkey instance {{ $labels.instance }} is down. + summary: Valkey instance {{ $labels.instance }} down + expr: | + redis_up{service="matrix-synapse-valkey-hookshot-metrics"} == 0 + for: 2m + labels: + severity: error + - alert: ValkeyMemoryHigh + annotations: + description: | + Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory. + summary: Valkey instance {{ $labels.instance }} is using too much memory + expr: | + redis_memory_used_bytes{service="matrix-synapse-valkey-hookshot-metrics"} * 100 + / + redis_memory_max_bytes{service="matrix-synapse-valkey-hookshot-metrics"} + > 90 <= 100 + for: 2m + labels: + severity: error + - alert: ValkeyKeyEviction + annotations: + description: | + Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes. + summary: Valkey instance {{ $labels.instance }} has evicted keys + expr: | + increase(redis_evicted_keys_total{service="matrix-synapse-valkey-hookshot-metrics"}[5m]) > 0 + for: 1s + labels: + severity: error diff --git a/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-valkey.yaml b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-valkey.yaml new file mode 100644 index 000000000..827743cc4 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-valkey.yaml 
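Review bot: Every `expr` in this new rule filters on `service="matrix-synapse-valkey-hookshot-metrics"`, a target label that prometheus-operator attaches for ServiceMonitor scrapes; the only monitor this commit adds for these pods is a PodMonitor, whose series carry `namespace`/`pod`/`container` but, as far as I know, no `service`, so unless a ServiceMonitor and `-metrics` Service for this instance exist outside the diff none of the three alerts can ever fire. PrometheusRule-matrix-synapse-valkey in the next hunk has the same dependency. Either add the ServiceMonitor/Service pair as was done for grafana-operator here, or select on labels the PodMonitor does provide, e.g. `redis_up{namespace="matrix-synapse", pod=~"matrix-synapse-valkey-hookshot-.*"} == 0`.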
@@ -0,0 +1,47 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: matrix-synapse-valkey + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: valkey +spec: + groups: + - name: matrix-synapse-valkey + rules: + - alert: ValkeyDown + annotations: + description: Valkey instance {{ $labels.instance }} is down. + summary: Valkey instance {{ $labels.instance }} down + expr: | + redis_up{service="matrix-synapse-valkey-metrics"} == 0 + for: 2m + labels: + severity: error + - alert: ValkeyMemoryHigh + annotations: + description: | + Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory. + summary: Valkey instance {{ $labels.instance }} is using too much memory + expr: | + redis_memory_used_bytes{service="matrix-synapse-valkey-metrics"} * 100 + / + redis_memory_max_bytes{service="matrix-synapse-valkey-metrics"} + > 90 <= 100 + for: 2m + labels: + severity: error + - alert: ValkeyKeyEviction + annotations: + description: | + Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes. + summary: Valkey instance {{ $labels.instance }} has evicted keys + expr: | + increase(redis_evicted_keys_total{service="matrix-synapse-valkey-metrics"}[5m]) > 0 + for: 1s + labels: + severity: error diff --git a/clusters/cl01tl/manifests/matrix-synapse/RedisReplication-redis-replication-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/RedisReplication-redis-replication-hookshot.yaml deleted file mode 100644 index 1b7c8410d..000000000 --- a/clusters/cl01tl/manifests/matrix-synapse/RedisReplication-redis-replication-hookshot.yaml +++ /dev/null 
@@ -1,44 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
- name: redis-replication-hookshot
- namespace: matrix-synapse
- labels:
- helm.sh/chart: redis-replication-hookshot-1.1.0
- app.kubernetes.io/version: "1.1.0"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: redis-replication-hookshot
- app.kubernetes.io/instance: matrix-synapse
- app.kubernetes.io/part-of: matrix-synapse
-spec:
- clusterSize: 3
- podSecurityContext:
- fsGroup: 1000
- runAsUser: 1000
- kubernetesConfig:
- image: "quay.io/opstree/redis:v8.4.2"
- imagePullPolicy: IfNotPresent
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- storage:
- volumeClaimTemplate:
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 1Gi
- storageClassName: ceph-block
- redisExporter:
- enabled: true
- image: "quay.io/opstree/redis-exporter:v1.81.0"
- sentinel:
- image: "quay.io/opstree/redis-sentinel:v8.4.2"
- imagePullPolicy: IfNotPresent
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- size: 3
diff --git a/clusters/cl01tl/manifests/matrix-synapse/RedisReplication-redis-replication-matrix-synapse.yaml b/clusters/cl01tl/manifests/matrix-synapse/RedisReplication-redis-replication-matrix-synapse.yaml
deleted file mode 100644
index 45f26ea85..000000000
--- a/clusters/cl01tl/manifests/matrix-synapse/RedisReplication-redis-replication-matrix-synapse.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
- name: redis-replication-matrix-synapse
- namespace: matrix-synapse
- labels:
- helm.sh/chart: redis-replication-matrix-synapse-1.1.0
- app.kubernetes.io/version: "1.1.0"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: redis-replication-matrix-synapse
- app.kubernetes.io/instance: matrix-synapse
- app.kubernetes.io/part-of: matrix-synapse
-spec:
- clusterSize: 3
- podSecurityContext:
- fsGroup: 1000
- runAsUser: 1000
- kubernetesConfig:
- image: "quay.io/opstree/redis:v8.4.2"
- imagePullPolicy: IfNotPresent
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- redisSecret:
- name: matrix-synapse-redis-secret
- key: password
- storage:
- volumeClaimTemplate:
- spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 1Gi
- storageClassName: ceph-block
- redisExporter:
- enabled: true
- image: "quay.io/opstree/redis-exporter:v1.81.0"
- sentinel:
- image: "quay.io/opstree/redis-sentinel:v8.4.2"
- imagePullPolicy: IfNotPresent
- redisSecret:
- name: matrix-synapse-redis-secret
- key: password
- resources:
- requests:
- cpu: 10m
- memory: 32Mi
- size: 3
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Secret-matrix-synapse.yaml b/clusters/cl01tl/manifests/matrix-synapse/Secret-matrix-synapse.yaml
index c3dec3f2d..c346ddf78 100644
--- a/clusters/cl01tl/manifests/matrix-synapse/Secret-matrix-synapse.yaml
+++ b/clusters/cl01tl/manifests/matrix-synapse/Secret-matrix-synapse.yaml
@@ -9,4 +9,4 @@ metadata: app.kubernetes.io/version: "1.148.0" app.kubernetes.io/managed-by: Helm stringData: - config.yaml: "## Registration ##\n\nregistration_shared_secret: \"default\"\n\n## API Configuration ##\n\n## Database configuration ##\n\ndatabase:\n name: \"psycopg2\"\n args:\n user: \"app\"\n password: \"@@POSTGRES_PASSWORD@@\"\n database: \"app\"\n host: \"matrix-synapse-postgresql-18-cluster-rw\"\n port: 5432\n sslmode: \"prefer\"\n cp_min: 5\n cp_max: 10\n \n\n## Redis configuration ##\n\nredis:\n enabled: true\n host: \"redis-replication-matrix-synapse-master\"\n port: 6379\n password: \"@@REDIS_PASSWORD@@\"\n" + config.yaml: "## Registration ##\n\nregistration_shared_secret: \"default\"\n\n## API Configuration ##\n\n## Database configuration ##\n\ndatabase:\n name: \"psycopg2\"\n args:\n user: \"app\"\n password: \"@@POSTGRES_PASSWORD@@\"\n database: \"app\"\n host: \"matrix-synapse-postgresql-18-cluster-rw\"\n port: 5432\n sslmode: \"prefer\"\n cp_min: 5\n cp_max: 10\n \n\n## Redis configuration ##\n\nredis:\n enabled: true\n host: \"matrix-synapse-valkey\"\n port: 6379\n password: \"@@REDIS_PASSWORD@@\"\n" diff --git a/clusters/cl01tl/manifests/blocky/Service-blocky-valkey-headless.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-headless.yaml similarity index 76% rename from clusters/cl01tl/manifests/blocky/Service-blocky-valkey-headless.yaml rename to clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-headless.yaml index cb80c52b4..9eabbb6b0 100644 --- a/clusters/cl01tl/manifests/blocky/Service-blocky-valkey-headless.yaml +++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-headless.yaml 
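Review bot: The `redis.host` change to `matrix-synapse-valkey` points Synapse at a StatefulSet that, elsewhere in this commit, mounts `matrix-synapse-valkey-secret` and an ACL volume, so the server presumably now requires a password for the `default` user; the value substituted for `@@REDIS_PASSWORD@@` therefore has to be the same `default` entry that secret holds, or Synapse will fail with NOAUTH after the cut-over, and nothing in this file records that coupling. A comment next to the `redis:` block naming the secret and key the placeholder must be filled from would make it visible. As a point of style, `config.yaml` is kept as one escaped double-quoted line, which buries a one-word host change inside a long string; a `|` block scalar would keep each key on its own line and make this kind of change reviewable in the diff.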
@@ -1,11 +1,11 @@ apiVersion: v1 kind: Service metadata: - name: blocky-valkey-headless + name: matrix-synapse-valkey-headless labels: helm.sh/chart: valkey-0.9.3 app.kubernetes.io/name: valkey - app.kubernetes.io/instance: blocky + app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/version: "9.0.3" app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: headless @@ -20,4 +20,4 @@ spec: protocol: TCP selector: app.kubernetes.io/name: valkey - app.kubernetes.io/instance: blocky + app.kubernetes.io/instance: matrix-synapse diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-headless.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-headless.yaml new file mode 100644 index 000000000..9f1d3debe --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-headless.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + name: matrix-synapse-valkey-hookshot-headless + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: headless +spec: + type: ClusterIP + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: tcp + port: 6379 + targetPort: tcp + protocol: TCP + selector: + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-metrics.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-metrics.yaml new file mode 100644 index 000000000..af1fa4d47 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-metrics.yaml 
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: matrix-synapse-valkey-hookshot-metrics
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: metrics
+ app.kubernetes.io/part-of: valkey
+ annotations:
+spec:
+ type: ClusterIP
+ ports:
+ - name: metrics
+ port: 9121
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-read.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-read.yaml
new file mode 100644
index 000000000..2e525b069
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-read.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: matrix-synapse-valkey-hookshot-read
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: read
+spec:
+ type: ClusterIP
+ ports:
+ - name: tcp
+ port: 6379
+ targetPort: tcp
+ protocol: TCP
+ selector:
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot.yaml
new file mode 100644
index 000000000..fc17f171c
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot.yaml
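Review bot: `annotations:` in the metrics Service metadata is a bare key with no value, which YAML parses as null rather than as an empty mapping; the API server tolerates it, but yamllint flags it and it reads as an unfinished edit. Drop the line or write `annotations: {}`, matching the read Service further down this line, which simply omits the key.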
@@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: matrix-synapse-valkey-hookshot + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: primary +spec: + type: ClusterIP + ports: + - port: 6379 + targetPort: tcp + protocol: TCP + name: tcp + selector: + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse + statefulset.kubernetes.io/pod-name: matrix-synapse-valkey-hookshot-0 diff --git a/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-metrics.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-metrics.yaml similarity index 76% rename from clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-metrics.yaml rename to clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-metrics.yaml index 643d4dacb..e2bb599a4 100644 --- a/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-metrics.yaml +++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-metrics.yaml @@ -1,11 +1,11 @@ apiVersion: v1 kind: Service metadata: - name: grafana-operator-valkey-metrics + name: matrix-synapse-valkey-metrics labels: helm.sh/chart: valkey-0.9.3 app.kubernetes.io/name: valkey - app.kubernetes.io/instance: grafana-operator + app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/version: "9.0.3" app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: metrics @@ -20,4 +20,4 @@ spec: targetPort: metrics selector: app.kubernetes.io/name: valkey - app.kubernetes.io/instance: grafana-operator + app.kubernetes.io/instance: matrix-synapse 
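Review bot: The `matrix-synapse-valkey-hookshot` Service pins traffic to one pod through `statefulset.kubernetes.io/pod-name: matrix-synapse-valkey-hookshot-0`, so the "primary" endpoint has no failover: when pod-0 is unavailable the Service has no endpoints even though the StatefulSet runs `replicas: 3`. That is the expected shape for a static replicaof topology driven by the pod index, but a comment on the selector, e.g. `# pod-0 is the fixed primary; there is no automatic promotion`, would stop a reader from assuming sentinel-style failover. The same selector pattern appears in Service-matrix-synapse-valkey.yaml on the next line.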
diff --git a/clusters/cl01tl/manifests/blocky/Service-blocky-valkey-read.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-read.yaml similarity index 75% rename from clusters/cl01tl/manifests/blocky/Service-blocky-valkey-read.yaml rename to clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-read.yaml index 9f76c0c7e..224661c98 100644 --- a/clusters/cl01tl/manifests/blocky/Service-blocky-valkey-read.yaml +++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-read.yaml @@ -1,11 +1,11 @@ apiVersion: v1 kind: Service metadata: - name: blocky-valkey-read + name: matrix-synapse-valkey-read labels: helm.sh/chart: valkey-0.9.3 app.kubernetes.io/name: valkey - app.kubernetes.io/instance: blocky + app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/version: "9.0.3" app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: read @@ -18,4 +18,4 @@ spec: protocol: TCP selector: app.kubernetes.io/name: valkey - app.kubernetes.io/instance: blocky + app.kubernetes.io/instance: matrix-synapse diff --git a/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey.yaml b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey.yaml new file mode 100644 index 000000000..542727392 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: matrix-synapse-valkey + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: primary +spec: + type: ClusterIP + ports: + - port: 6379 + targetPort: tcp + protocol: TCP + name: tcp + selector: + app.kubernetes.io/name: valkey + app.kubernetes.io/instance: matrix-synapse + statefulset.kubernetes.io/pod-name: matrix-synapse-valkey-0 
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-valkey-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-valkey-hookshot.yaml new file mode 100644 index 000000000..b0c6ae391 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-valkey-hookshot.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: matrix-synapse-valkey-hookshot + labels: + helm.sh/chart: valkey-0.9.3 + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse + app.kubernetes.io/version: "9.0.3" + app.kubernetes.io/managed-by: Helm +automountServiceAccountToken: false diff --git a/clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator-valkey.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-valkey.yaml similarity index 74% rename from clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator-valkey.yaml rename to clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-valkey.yaml index 050fce6bf..81f45a1f7 100644 --- a/clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator-valkey.yaml +++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-valkey.yaml @@ -1,11 +1,11 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: grafana-operator-valkey + name: matrix-synapse-valkey labels: helm.sh/chart: valkey-0.9.3 app.kubernetes.io/name: valkey - app.kubernetes.io/instance: grafana-operator + app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/version: "9.0.3" app.kubernetes.io/managed-by: Helm automountServiceAccountToken: false diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-valkey-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-valkey-hookshot.yaml new file mode 100644 index 000000000..032a23ce1 --- /dev/null 
+++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-valkey-hookshot.yaml
@@ -0,0 +1,24 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: matrix-synapse-valkey-hookshot
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: valkey
+ app.kubernetes.io/component: service-monitor
+spec:
+ endpoints:
+ - port: metrics
+ interval: 30s
+ namespaceSelector:
+ matchNames:
+ - matrix-synapse
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: valkey-hookshot
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/component: metrics
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-valkey.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-valkey.yaml
new file mode 100644
index 000000000..c0c3a5ba2
--- /dev/null
+++ b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-valkey.yaml
@@ -0,0 +1,24 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: matrix-synapse-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: valkey
+ app.kubernetes.io/component: service-monitor
+spec:
+ endpoints:
+ - port: metrics
+ interval: 30s
+ namespaceSelector:
+ matchNames:
+ - matrix-synapse
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/component: metrics
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-redis-replication-hookshot.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-redis-replication-hookshot.yaml
deleted file mode 100644
index 3cc0b5b5b..000000000
--- a/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-redis-replication-hookshot.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: redis-replication-hookshot
- namespace: matrix-synapse
- labels:
- helm.sh/chart: redis-replication-hookshot-1.1.0
- app.kubernetes.io/version: "1.1.0"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: redis-replication-hookshot
- app.kubernetes.io/instance: matrix-synapse
- app.kubernetes.io/part-of: matrix-synapse
-spec:
- selector:
- matchLabels:
- app: redis-replication-hookshot
- redis_setup_type: replication
- role: replication
- endpoints:
- - port: redis-exporter
- interval: 30s
- scrapeTimeout: 10s
diff --git a/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-redis-replication-matrix-synapse.yaml b/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-redis-replication-matrix-synapse.yaml
deleted file mode 100644
index dde1078d2..000000000
--- a/clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-redis-replication-matrix-synapse.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: redis-replication-matrix-synapse
- namespace: matrix-synapse
- labels:
- helm.sh/chart: redis-replication-matrix-synapse-1.1.0
- app.kubernetes.io/version: "1.1.0"
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: redis-replication-matrix-synapse
- app.kubernetes.io/instance: matrix-synapse
- app.kubernetes.io/part-of: matrix-synapse
-spec:
- selector:
- matchLabels:
- app: redis-replication-matrix-synapse
- redis_setup_type: replication
- role: replication
- endpoints:
- - port: redis-exporter
- interval: 30s
- scrapeTimeout: 10s
diff --git a/clusters/cl01tl/manifests/blocky/StatefulSet-blocky-valkey.yaml b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey-hookshot.yaml similarity index 81% rename from clusters/cl01tl/manifests/blocky/StatefulSet-blocky-valkey.yaml rename to clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey-hookshot.yaml index 89c18df2e..ca1c84ec6 100644 --- a/clusters/cl01tl/manifests/blocky/StatefulSet-blocky-valkey.yaml +++ b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey-hookshot.yaml @@ -1,21 +1,21 @@ apiVersion: apps/v1 kind: StatefulSet metadata: - name: blocky-valkey + name: matrix-synapse-valkey-hookshot labels: helm.sh/chart: valkey-0.9.3 - app.kubernetes.io/name: valkey - app.kubernetes.io/instance: blocky + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/version: "9.0.3" app.kubernetes.io/managed-by: Helm spec: - serviceName: blocky-valkey-headless + serviceName: matrix-synapse-valkey-hookshot-headless replicas: 3 podManagementPolicy: OrderedReady selector: matchLabels: - app.kubernetes.io/name: valkey - app.kubernetes.io/instance: blocky + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse volumeClaimTemplates: - metadata: name: valkey-data 
@@ -29,19 +29,19 @@ spec: template: metadata: labels: - app.kubernetes.io/name: valkey - app.kubernetes.io/instance: blocky + app.kubernetes.io/name: valkey-hookshot + app.kubernetes.io/instance: matrix-synapse annotations: - checksum/initconfig: "b997c0967aeeee370412add1d41691a1" + checksum/initconfig: "be330f0cfd3ac6b10c6beb9aa42e308a" spec: automountServiceAccountToken: false - serviceAccountName: blocky-valkey + serviceAccountName: matrix-synapse-valkey-hookshot securityContext: fsGroup: 1000 runAsGroup: 1000 runAsUser: 1000 initContainers: - - name: blocky-valkey-init + - name: matrix-synapse-valkey-hookshot-init image: docker.io/valkey/valkey:9.0.3 imagePullPolicy: IfNotPresent securityContext: @@ -63,7 +63,7 @@ spec: - name: scripts mountPath: /scripts containers: - - name: blocky-valkey + - name: matrix-synapse-valkey-hookshot image: docker.io/valkey/valkey:9.0.3 imagePullPolicy: IfNotPresent command: ["valkey-server"] @@ -121,9 +121,9 @@ spec: memory: 64M env: - name: REDIS_ALIAS - value: blocky-valkey + value: matrix-synapse-valkey-hookshot volumes: - name: scripts configMap: - name: blocky-valkey-init-scripts + name: matrix-synapse-valkey-hookshot-init-scripts defaultMode: 0555 diff --git a/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey.yaml b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey.yaml new file mode 100644 index 000000000..370359002 --- /dev/null +++ b/clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey.yaml 
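Review bot: This StatefulSet receives only name changes and keeps `replicas: 3`, so unlike StatefulSet-matrix-synapse-valkey.yaml added later in the same commit it gets no `valkey-acl` or `valkey-users-secret` volumes, and the hookshot instance presumably keeps running without an ACL file or password. The deleted RedisReplication-redis-replication-hookshot.yaml had no `redisSecret` either, so this is not a regression, but an unauthenticated store reachable by anything that can open its ClusterIP Service deserves an explicit comment near `serviceAccountName`, e.g. `# hookshot valkey intentionally runs without ACL auth; limit reachability with a NetworkPolicy`. The `checksum/initconfig` bump implies the hookshot init ConfigMap changed as well, but that file is outside this chunk, so whether replication is still configured for the three pods cannot be confirmed here.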
@@ -0,0 +1,143 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: matrix-synapse-valkey
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ serviceName: matrix-synapse-valkey-headless
+ replicas: 3
+ podManagementPolicy: OrderedReady
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
+ volumeClaimTemplates:
+ - metadata:
+ name: valkey-data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: "ceph-block"
+ resources:
+ requests:
+ storage: "1Gi"
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: matrix-synapse
+ annotations:
+ checksum/initconfig: "fb8ae470a9464112ac420b4e06117ac5"
+ spec:
+ automountServiceAccountToken: false
+ serviceAccountName: matrix-synapse-valkey
+ securityContext:
+ fsGroup: 1000
+ runAsGroup: 1000
+ runAsUser: 1000
+ initContainers:
+ - name: matrix-synapse-valkey-init
+ image: docker.io/valkey/valkey:9.0.3
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ command: ["/scripts/init.sh"]
+ env:
+ - name: POD_INDEX
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.labels['apps.kubernetes.io/pod-index']
+ volumeMounts:
+ - name: valkey-data
+ mountPath: /data
+ - name: scripts
+ mountPath: /scripts
+ - name: valkey-acl
+ mountPath: /etc/valkey
+ - name: valkey-users-secret
+ mountPath: /valkey-users-secret
+ readOnly: true
+ containers:
+ - name: matrix-synapse-valkey
+ image: docker.io/valkey/valkey:9.0.3
+ imagePullPolicy: IfNotPresent
+ command: ["valkey-server"]
+ args: ["/data/conf/valkey.conf"]
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ env:
+ - name: POD_INDEX
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.labels['apps.kubernetes.io/pod-index']
+ - name: VALKEY_LOGLEVEL
+ value: "notice"
+ ports:
+ - name: tcp
+ containerPort: 6379
+ protocol: TCP
+ startupProbe:
+ exec:
+ command: ["sh", "-c", "valkey-cli ping"]
+ livenessProbe:
+ exec:
+ command: ["sh", "-c", "valkey-cli ping"]
+ resources:
+ requests:
+ cpu: 10m
+ memory: 128Mi
+ volumeMounts:
+ - name: valkey-data
+ mountPath: /data
+ - name: valkey-acl
+ mountPath: /etc/valkey
+ - name: metrics
+ image: ghcr.io/oliver006/redis_exporter:v1.81.0
+ imagePullPolicy: "IfNotPresent"
+ ports:
+ - name: metrics
+ containerPort: 9121
+ startupProbe:
+ tcpSocket:
+ port: metrics
+ livenessProbe:
+ tcpSocket:
+ port: metrics
+ readinessProbe:
+ httpGet:
+ path: /
+ port: metrics
+ resources:
+ requests:
+ cpu: 10m
+ memory: 64M
+ env:
+ - name: REDIS_ALIAS
+ value: matrix-synapse-valkey
+ volumes:
+ - name: scripts
+ configMap:
+ name: matrix-synapse-valkey-init-scripts
+ defaultMode: 0555
+ - name: valkey-acl
+ emptyDir:
+ medium: Memory
+ - name: valkey-users-secret
+ secret:
+ secretName: matrix-synapse-valkey-secret
+ defaultMode: 0400
diff --git a/clusters/cl01tl/manifests/postiz/ConfigMap-postiz-valkey-init-scripts.yaml b/clusters/cl01tl/manifests/postiz/ConfigMap-postiz-valkey-init-scripts.yaml
index b372da398..8024a54a7 100644
--- a/clusters/cl01tl/manifests/postiz/ConfigMap-postiz-valkey-init-scripts.yaml
+++ b/clusters/cl01tl/manifests/postiz/ConfigMap-postiz-valkey-init-scripts.yaml
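Review bot: The startup and liveness probes run `valkey-cli ping` with no credentials, yet this StatefulSet mounts `valkey-users-secret` and an ACL volume, so once the `default` user carries a password the reply is a NOAUTH error rather than `PONG`; whether that counts as a probe failure depends only on valkey-cli's exit status, so the probe either restarts every pod or passes without proving the server can serve a command. Read the password from the mounted secret and pass it through the environment variable valkey-cli honours (`REDISCLI_AUTH`, kept for redis-cli compatibility) rather than as a `-a` argument visible in `ps`, and assert on the reply: `command: ["sh", "-c", "REDISCLI_AUTH=$(cat /valkey-users-secret/default) valkey-cli ping | grep -q PONG"]`, which also needs the `valkey-users-secret` mount on the main container. Separately, `POD_INDEX` comes from `metadata.labels['apps.kubernetes.io/pod-index']`, a label the control plane only sets on Kubernetes 1.28 and later; on an older cluster the fieldRef appears to resolve to an empty value, and if the init script defaults an unset index to 0 every replica would start as a primary. A comment next to the fieldRef recording the minimum cluster version would make that dependency visible.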
@@ -23,6 +23,28 @@ data: log() { echo "$(date) $1" | tee -a "$LOGFILE" >&2 } + # Function to get password for a user + # Usage: get_user_password [password_key] + # Returns: password via stdout, exits with error if not found + get_user_password() { + username="$1" + password_key="${2:-$username}" + password="" + # Try to get password from existing secret first (priority) + if [ -f "/valkey-users-secret/$password_key" ]; then + password=$(cat "/valkey-users-secret/$password_key") + log "Using password from existing secret for user $username" + elif [ -f "/valkey-auth-secret/${username}-password" ]; then + # Fallback to inline password + password=$(cat "/valkey-auth-secret/${username}-password") + log "Using inline password for user $username" + else + log "ERROR: No password found for user $username" + return 1 + fi + + echo "$password" + } # Clean old log if requested if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then 
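Review bot: The header comment on `get_user_password` documents only `[password_key]`, but the function reads `$1` as the username and `$2` as an optional key that defaults to it, so the usage line should read `# Usage: get_user_password <username> [password_key]`. The `log` calls print only the username and never the secret, which is the right choice; a one-line `# never log the password itself` above the first `log` would keep a future edit from changing that. `get_user_password` is called further down the same script, outside this hunk.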
@@ -46,6 +68,37 @@ data: echo "bind * -::*" echo "dir /data" } >>"$VALKEY_CONFIG" + # Create secure directory for ACL file + log "Creating /etc/valkey directory for ACL file" + mkdir -p /etc/valkey + + # Set aclfile path in valkey.conf + echo "aclfile /etc/valkey/users.acl" >>"$VALKEY_CONFIG" + + # Remove or reset existing ACL file if present (it may be read-only from previous run) + log "Preparing ACL file at /etc/valkey/users.acl" + if [ -f /etc/valkey/users.acl ]; then + log "Removing existing read-only users.acl file" + chmod 0600 /etc/valkey/users.acl + rm -f /etc/valkey/users.acl + fi + + # Create ACL file with secure permissions + touch /etc/valkey/users.acl + chmod 0600 /etc/valkey/users.acl + # Generate ACL entries for each user + log "Generating ACL entries for users" + + # User: default + PASSWORD=$(get_user_password "default" "default") || exit 1 + + # Hash the password and write ACL entry + PASSHASH=$(echo -n "$PASSWORD" | sha256sum | cut -f 1 -d " ") + echo "user default on #$PASSHASH ~* &* +@all" >> /etc/valkey/users.acl + + # Set final permissions + chmod 0400 /etc/valkey/users.acl + log "ACL file created with 0400 permissions" # Replica mode configuration log "Configuring replication mode" @@ -73,7 +126,16 @@ data: echo "# Replica Configuration" echo "replicaof $MASTER_HOST $MASTER_PORT" echo "replica-announce-ip postiz-valkey-$POD_INDEX.postiz-valkey-headless.postiz.svc.cluster.local" + echo "" + echo "# Master authentication" } >>"$VALKEY_CONFIG" + # Get the password for the replication user + REPL_PASSWORD=$(get_user_password "default" "default") || exit 1 + + # Write masterauth configuration + echo "masterauth $REPL_PASSWORD" >>"$VALKEY_CONFIG" + echo "masteruser default" >>"$VALKEY_CONFIG" + log "Configured masterauth with user default" fi # Append extra configs if present 
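Review bot: `PASSHASH=$(echo -n "$PASSWORD" | sha256sum | cut -f 1 -d " ")` relies on non-portable `echo` behaviour: if `/bin/sh` in the valkey image is dash, `echo` interprets backslash escapes in its arguments, so a password containing `\n`, `\t` or `\\` is hashed as a different byte string from the one clients send and the `default` user can no longer authenticate. Use `PASSHASH=$(printf '%s' "$PASSWORD" | sha256sum | cut -f 1 -d " ")` instead. The replica branch also writes `masterauth $REPL_PASSWORD` in clear text into `$VALKEY_CONFIG`, which the StatefulSet reads from `/data/conf/valkey.conf` on the persistent volume; since the ACL file holds only the SHA-256 hash, this config is the one plaintext copy on durable storage and should be tightened with `chmod 0600 "$VALKEY_CONFIG"` once it is complete, with a comment saying why. A password containing whitespace would additionally need quoting on that `masterauth` line.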
diff --git a/clusters/cl01tl/manifests/postiz/Pod-postiz-valkey-test-auth-existing.yaml b/clusters/cl01tl/manifests/postiz/Pod-postiz-valkey-test-auth-existing.yaml
new file mode 100644
index 000000000..6a86bb9a3
--- /dev/null
+++ b/clusters/cl01tl/manifests/postiz/Pod-postiz-valkey-test-auth-existing.yaml
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: postiz-valkey-test-auth-existing
+ labels:
+ helm.sh/chart: valkey-0.9.3
+ app.kubernetes.io/name: valkey
+ app.kubernetes.io/instance: postiz
+ app.kubernetes.io/version: "9.0.3"
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ restartPolicy: Never
+ containers:
+ - name: test-auth
+ image: "valkey/valkey:9.0.3"
+ command:
+ - sh
+ - -c
+ - |
+ set -e
+ echo "Testing authentication with usersExistingSecret..."
+ TLS_FLAGS=""
+
+ # Test basic connection (no auth - will fail if auth is properly configured)
+ PING_RESULT=$(valkey-cli -h postiz-valkey -p 6379 $TLS_FLAGS PING 2>&1 || true)
+ if [ "$PING_RESULT" = "PONG" ]; then
+ echo "✗ Authentication test failed: server allows unauthenticated access"
+ exit 1
+ fi
+
+ echo "✓ Authentication is enforced (unauthenticated access denied)"
+ echo "✓ Received expected error: $PING_RESULT"
+ echo "⚠ Manual verification recommended for usersExistingSecret configuration"
+ exit 0
+ volumeMounts:
+ - name: valkey-users-secret
+ mountPath: /valkey-users-secret
+ readOnly: true
+ volumes:
+ - name: valkey-users-secret
+ secret:
+ secretName: postiz-valkey-config
diff --git a/clusters/cl01tl/manifests/postiz/StatefulSet-postiz-valkey.yaml b/clusters/cl01tl/manifests/postiz/StatefulSet-postiz-valkey.yaml
index ca3920cca..309471ffe 100644
--- a/clusters/cl01tl/manifests/postiz/StatefulSet-postiz-valkey.yaml
+++ b/clusters/cl01tl/manifests/postiz/StatefulSet-postiz-valkey.yaml
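Review bot: The test only asserts that an unauthenticated `PING` does not return `PONG`, so it also passes when the server is unreachable or down, since any error text satisfies the check, and the `valkey-users-secret` volume it mounts is never read. With the secret already in the pod, add a positive check that the stored `default` password actually works: `AUTH_RESULT=$(REDISCLI_AUTH="$(cat /valkey-users-secret/default)" valkey-cli -h postiz-valkey -p 6379 PING 2>&1 || true)` followed by `[ "$AUTH_RESULT" = "PONG" ] || { echo "✗ Authenticated PING failed: $AUTH_RESULT"; exit 1; }`, passing the password via the environment so it stays out of the process list. `TLS_FLAGS=""` is assigned but never populated and can be removed, and the "manual verification recommended" line becomes unnecessary once the authenticated check exists.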
@@ -32,7 +32,7 @@ spec: app.kubernetes.io/name: valkey app.kubernetes.io/instance: postiz annotations: - checksum/initconfig: "8ebc9d0805e0ac2e6000ec208f86483c" + checksum/initconfig: "fe93fb7000602d0fb3b36b111a77c4a3" spec: automountServiceAccountToken: false serviceAccountName: postiz-valkey @@ -62,6 +62,11 @@ spec: mountPath: /data - name: scripts mountPath: /scripts + - name: valkey-acl + mountPath: /etc/valkey + - name: valkey-users-secret + mountPath: /valkey-users-secret + readOnly: true containers: - name: postiz-valkey image: docker.io/valkey/valkey:9.0.3 @@ -99,6 +104,8 @@ spec: volumeMounts: - name: valkey-data mountPath: /data + - name: valkey-acl + mountPath: /etc/valkey - name: metrics image: ghcr.io/oliver006/redis_exporter:v1.81.0 imagePullPolicy: "IfNotPresent" @@ -127,3 +134,10 @@ spec: configMap: name: postiz-valkey-init-scripts defaultMode: 0555 + - name: valkey-acl + emptyDir: + medium: Memory + - name: valkey-users-secret + secret: + secretName: postiz-valkey-config + defaultMode: 0400 diff --git a/clusters/cl01tl/manifests/tubearchivist/StatefulSet-tubearchivist-valkey.yaml b/clusters/cl01tl/manifests/tubearchivist/StatefulSet-tubearchivist-valkey.yaml index 8881e8104..9c89e6e1f 100644 --- a/clusters/cl01tl/manifests/tubearchivist/StatefulSet-tubearchivist-valkey.yaml +++ b/clusters/cl01tl/manifests/tubearchivist/StatefulSet-tubearchivist-valkey.yaml @@ -25,7 +25,7 @@ spec: storageClassName: "ceph-block" resources: requests: - storage: "1Gi" + storage: "10Gi" template: metadata: labels: @@ -94,8 +94,8 @@ spec: command: ["sh", "-c", "valkey-cli ping"] resources: requests: - cpu: 10m - memory: 128Mi + cpu: 100m + memory: 1Gi volumeMounts: - name: valkey-data mountPath: /data
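Review bot: The main `postiz-valkey` container mounts `valkey-acl` at `/etc/valkey` without `readOnly: true`, although the init container finishes by setting the ACL file to 0400 and the server only needs to read it at startup; a read-only mount would keep a compromised server process from rewriting its own ACLs, and `ACL SAVE` would presumably already fail against a 0400 file owned by the same uid with all capabilities dropped, so nothing is lost. The same applies to the `valkey-acl` mount on the main container in StatefulSet-matrix-synapse-valkey.yaml earlier in this diff. A comment on the volume, e.g. `# in-memory only: holds the ACL file generated by the init container from valkey-users-secret`, would also explain why `medium: Memory` is used for it.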