Automated Manifest Update (#4478)

This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #4478
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
This commit was merged in pull request #4478.
2026-03-06 06:27:10 +00:00
committed by Alex Lebens
parent 7d2c0c912a
commit 896fb526b3
69 changed files with 1902 additions and 246 deletions


@@ -23,6 +23,28 @@ data:
log() {
echo "$(date) $1" | tee -a "$LOGFILE" >&2
}
# Function to get password for a user
# Usage: get_user_password <username> [password_key]
# Returns: password via stdout, exits with error if not found
get_user_password() {
username="$1"
password_key="${2:-$username}"
password=""
# Try to get password from existing secret first (priority)
if [ -f "/valkey-users-secret/$password_key" ]; then
password=$(cat "/valkey-users-secret/$password_key")
log "Using password from existing secret for user $username"
elif [ -f "/valkey-auth-secret/${username}-password" ]; then
# Fallback to inline password
password=$(cat "/valkey-auth-secret/${username}-password")
log "Using inline password for user $username"
else
log "ERROR: No password found for user $username"
return 1
fi
echo "$password"
}
# Clean old log if requested
if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
@@ -46,6 +68,37 @@ data:
echo "bind * -::*"
echo "dir /data"
} >>"$VALKEY_CONFIG"
# Create secure directory for ACL file
log "Creating /etc/valkey directory for ACL file"
mkdir -p /etc/valkey
# Set aclfile path in valkey.conf
echo "aclfile /etc/valkey/users.acl" >>"$VALKEY_CONFIG"
# Remove or reset existing ACL file if present (it may be read-only from previous run)
log "Preparing ACL file at /etc/valkey/users.acl"
if [ -f /etc/valkey/users.acl ]; then
log "Removing existing read-only users.acl file"
chmod 0600 /etc/valkey/users.acl
rm -f /etc/valkey/users.acl
fi
# Create ACL file with secure permissions
touch /etc/valkey/users.acl
chmod 0600 /etc/valkey/users.acl
# Generate ACL entries for each user
log "Generating ACL entries for users"
# User: default
PASSWORD=$(get_user_password "default" "default") || exit 1
# Hash the password and write ACL entry
PASSHASH=$(echo -n "$PASSWORD" | sha256sum | cut -f 1 -d " ")
echo "user default on #$PASSHASH ~* &* +@all" >> /etc/valkey/users.acl
# Set final permissions
chmod 0400 /etc/valkey/users.acl
log "ACL file created with 0400 permissions"
# Replica mode configuration
log "Configuring replication mode"
@@ -73,7 +126,16 @@ data:
echo "# Replica Configuration"
echo "replicaof $MASTER_HOST $MASTER_PORT"
echo "replica-announce-ip directus-valkey-$POD_INDEX.directus-valkey-headless.directus.svc.cluster.local"
echo ""
echo "# Master authentication"
} >>"$VALKEY_CONFIG"
# Get the password for the replication user
REPL_PASSWORD=$(get_user_password "default" "default") || exit 1
# Write masterauth configuration
echo "masterauth $REPL_PASSWORD" >>"$VALKEY_CONFIG"
echo "masteruser default" >>"$VALKEY_CONFIG"
log "Configured masterauth with user default"
fi
# Append extra configs if present
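Review bot: The third hunk stores the replication password in cleartext via `echo "masterauth $REPL_PASSWORD" >>"$VALKEY_CONFIG"`, whereas `/etc/valkey/users.acl` holds only a SHA-256 digest and is set to 0400; nothing in the visible lines restricts the mode of `$VALKEY_CONFIG`, so the secret is only as protected as that file's location and default permissions. Setting `umask 077` before the config is first written, or running `chmod 0600 "$VALKEY_CONFIG"` after the `masterauth` line, would cover it. In the second hunk, `echo -n "$PASSWORD" | sha256sum` depends on the shell's `echo`: if the script runs under a shell whose `echo` expands backslash escapes (dash does), a password containing a backslash sequence is hashed to a value no client can match, and `printf '%s' "$PASSWORD" | sha256sum | cut -f 1 -d " "` avoids that. This file is rendered from the chart, so the change belongs in the chart template; the script starts and continues outside these hunks.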


@@ -0,0 +1,45 @@
apiVersion: v1
kind: Pod
metadata:
name: directus-valkey-test-auth-existing
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: directus
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
restartPolicy: Never
containers:
- name: test-auth
image: "valkey/valkey:9.0.3"
command:
- sh
- -c
- |
set -e
echo "Testing authentication with usersExistingSecret..."
TLS_FLAGS=""
# Test basic connection (no auth - will fail if auth is properly configured)
PING_RESULT=$(valkey-cli -h directus-valkey -p 6379 $TLS_FLAGS PING 2>&1 || true)
if [ "$PING_RESULT" = "PONG" ]; then
echo "✗ Authentication test failed: server allows unauthenticated access"
exit 1
fi
echo "✓ Authentication is enforced (unauthenticated access denied)"
echo "✓ Received expected error: $PING_RESULT"
echo "⚠ Manual verification recommended for usersExistingSecret configuration"
exit 0
volumeMounts:
- name: valkey-users-secret
mountPath: /valkey-users-secret
readOnly: true
volumes:
- name: valkey-users-secret
secret:
secretName: directus-valkey-config
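Review bot: The test passes on any reply other than `PONG`, because `valkey-cli ... PING 2>&1 || true` discards the exit status, so a refused connection, a DNS failure or a timeout is reported as "Authentication is enforced". Requiring the auth error explicitly, for example `case "$PING_RESULT" in *NOAUTH*) ;; *) echo "unexpected reply: $PING_RESULT"; exit 1 ;; esac`, would make the pass condition match the message. The pod also mounts the `directus-valkey-config` secret at `/valkey-users-secret` although the visible script never reads it; either drop the mount or use it for an authenticated `PING`, so the credentials are not exposed to a pod that does not need them. This manifest is rendered from the chart, so the fix belongs in the chart's test template.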


@@ -32,7 +32,7 @@ spec:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: directus
annotations:
checksum/initconfig: "1a02492c8a38ab0baf1fc607dedf1a27"
checksum/initconfig: "6307ecb287c2f05dc09ba3cf7cdfd155"
spec:
automountServiceAccountToken: false
serviceAccountName: directus-valkey
@@ -62,6 +62,11 @@ spec:
mountPath: /data
- name: scripts
mountPath: /scripts
- name: valkey-acl
mountPath: /etc/valkey
- name: valkey-users-secret
mountPath: /valkey-users-secret
readOnly: true
containers:
- name: directus-valkey
image: docker.io/valkey/valkey:9.0.3
@@ -99,6 +104,8 @@ spec:
volumeMounts:
- name: valkey-data
mountPath: /data
- name: valkey-acl
mountPath: /etc/valkey
- name: metrics
image: ghcr.io/oliver006/redis_exporter:v1.81.0
imagePullPolicy: "IfNotPresent"
@@ -127,3 +134,10 @@ spec:
configMap:
name: directus-valkey-init-scripts
defaultMode: 0555
- name: valkey-acl
emptyDir:
medium: Memory
- name: valkey-users-secret
secret:
secretName: directus-valkey-config
defaultMode: 0400
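Review bot: The `valkey-acl` mount added to the `directus-valkey` container at `/etc/valkey` is writable, although the init script is what generates `users.acl` and then sets it to 0400. Unless the server is expected to rewrite the file (for instance through `ACL SAVE`), adding `readOnly: true` to that container's mount would stop a compromised server process from replacing the ACL file in the shared directory. The `emptyDir` with `medium: Memory` also has no `sizeLimit`; a small one would bound how much it can count against the pod's memory. Both changes would have to be made in the chart or its values, since this manifest is rendered output.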