alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 2 Actions Activity

Automated Manifest Update (#4478)

Browse Source 
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #4478
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
This commit was merged in pull request #4478.
This commit is contained in:
gitea-bot
2026-03-06 06:27:10 +00:00
committed by Alex Lebens
parent 7d2c0c912a
commit 896fb526b3
69 changed files with 1902 additions and 246 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
clusters/cl01tl/manifests/blocky/ConfigMap-blocky-valkey-init-scripts.yaml
View File

@@ -46,35 +46,6 @@ data:
echo "bind * -::*" echo "bind * -::*"
echo "dir /data" echo "dir /data"
} >>"$VALKEY_CONFIG" } >>"$VALKEY_CONFIG"
# Replica mode configuration
log "Configuring replication mode"
# Use POD_INDEX from Kubernetes metadata
POD_INDEX=${POD_INDEX:-0}
IS_MASTER=false
# Check if this is pod-0 (master)
if [ "$POD_INDEX" = "0" ]; then
IS_MASTER=true
log "This pod (index $POD_INDEX) is configured as MASTER"
else
log "This pod (index $POD_INDEX) is configured as REPLICA"
fi
# Configure replica settings
if [ "$IS_MASTER" = "false" ]; then
MASTER_HOST="blocky-valkey-0.blocky-valkey-headless.blocky.svc.cluster.local"
MASTER_PORT="6379"
log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT"
{
echo ""
echo "# Replica Configuration"
echo "replicaof $MASTER_HOST $MASTER_PORT"
echo "replica-announce-ip blocky-valkey-$POD_INDEX.blocky-valkey-headless.blocky.svc.cluster.local"
} >>"$VALKEY_CONFIG"
fi
# Append extra configs if present # Append extra configs if present
if [ -f /usr/local/etc/valkey/valkey.conf ]; then if [ -f /usr/local/etc/valkey/valkey.conf ]; then

113
clusters/cl01tl/manifests/blocky/Deployment-blocky-valkey.yaml Normal file
View File

@@ -0,0 +1,113 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: blocky-valkey
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: blocky
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
strategy:
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: blocky
template:
metadata:
labels:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: blocky
annotations:
checksum/initconfig: 2d752b6b5c2e159b0111a667752e1fca
spec:
automountServiceAccountToken: false
serviceAccountName: blocky-valkey
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsUser: 1000
initContainers:
- name: blocky-valkey-init
image: docker.io/valkey/valkey:9.0.3
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
command: ["/scripts/init.sh"]
volumeMounts:
- name: valkey-data
mountPath: /data
- name: scripts
mountPath: /scripts
containers:
- name: blocky-valkey
image: docker.io/valkey/valkey:9.0.3
imagePullPolicy: IfNotPresent
command: ["valkey-server"]
args: ["/data/conf/valkey.conf"]
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
env:
- name: VALKEY_LOGLEVEL
value: "notice"
ports:
- name: tcp
containerPort: 6379
protocol: TCP
startupProbe:
exec:
command: ["sh", "-c", "valkey-cli ping"]
livenessProbe:
exec:
command: ["sh", "-c", "valkey-cli ping"]
resources:
requests:
cpu: 10m
memory: 128Mi
volumeMounts:
- name: valkey-data
mountPath: /data
- name: metrics
image: ghcr.io/oliver006/redis_exporter:v1.81.0
imagePullPolicy: "IfNotPresent"
ports:
- name: metrics
containerPort: 9121
startupProbe:
tcpSocket:
port: metrics
livenessProbe:
tcpSocket:
port: metrics
readinessProbe:
httpGet:
path: /
port: metrics
resources:
requests:
cpu: 10m
memory: 64M
env:
- name: REDIS_ALIAS
value: blocky-valkey
volumes:
- name: scripts
configMap:
name: blocky-valkey-init-scripts
defaultMode: 0555
- name: valkey-data
persistentVolumeClaim:
claimName: blocky-valkey

18
clusters/cl01tl/manifests/blocky/PersistentVolumeClaim-blocky-valkey.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: blocky-valkey
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: blocky
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi
storageClassName: ceph-block

1
clusters/cl01tl/manifests/blocky/Service-blocky-valkey.yaml
View File

@@ -19,4 +19,3 @@ spec:
selector: selector:
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey
app.kubernetes.io/instance: blocky app.kubernetes.io/instance: blocky
statefulset.kubernetes.io/pod-name: blocky-valkey-0

62
clusters/cl01tl/manifests/directus/ConfigMap-directus-valkey-init-scripts.yaml
View File

@@ -23,6 +23,28 @@ data:
log() { log() {
echo "$(date) $1" | tee -a "$LOGFILE" >&2 echo "$(date) $1" | tee -a "$LOGFILE" >&2
} }
# Function to get password for a user
# Usage: get_user_password <username> [password_key]
# Returns: password via stdout, exits with error if not found
get_user_password() {
username="$1"
password_key="${2:-$username}"
password=""
# Try to get password from existing secret first (priority)
if [ -f "/valkey-users-secret/$password_key" ]; then
password=$(cat "/valkey-users-secret/$password_key")
log "Using password from existing secret for user $username"
elif [ -f "/valkey-auth-secret/${username}-password" ]; then
# Fallback to inline password
password=$(cat "/valkey-auth-secret/${username}-password")
log "Using inline password for user $username"
else
log "ERROR: No password found for user $username"
return 1
fi
echo "$password"
}
# Clean old log if requested # Clean old log if requested
if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
@@ -46,6 +68,37 @@ data:
echo "bind * -::*" echo "bind * -::*"
echo "dir /data" echo "dir /data"
} >>"$VALKEY_CONFIG" } >>"$VALKEY_CONFIG"
# Create secure directory for ACL file
log "Creating /etc/valkey directory for ACL file"
mkdir -p /etc/valkey
# Set aclfile path in valkey.conf
echo "aclfile /etc/valkey/users.acl" >>"$VALKEY_CONFIG"
# Remove or reset existing ACL file if present (it may be read-only from previous run)
log "Preparing ACL file at /etc/valkey/users.acl"
if [ -f /etc/valkey/users.acl ]; then
log "Removing existing read-only users.acl file"
chmod 0600 /etc/valkey/users.acl
rm -f /etc/valkey/users.acl
fi
# Create ACL file with secure permissions
touch /etc/valkey/users.acl
chmod 0600 /etc/valkey/users.acl
# Generate ACL entries for each user
log "Generating ACL entries for users"
# User: default
PASSWORD=$(get_user_password "default" "default") || exit 1
# Hash the password and write ACL entry
PASSHASH=$(echo -n "$PASSWORD" | sha256sum | cut -f 1 -d " ")
echo "user default on #$PASSHASH ~* &* +@all" >> /etc/valkey/users.acl
# Set final permissions
chmod 0400 /etc/valkey/users.acl
log "ACL file created with 0400 permissions"
# Replica mode configuration # Replica mode configuration
log "Configuring replication mode" log "Configuring replication mode"
@@ -73,7 +126,16 @@ data:
echo "# Replica Configuration" echo "# Replica Configuration"
echo "replicaof $MASTER_HOST $MASTER_PORT" echo "replicaof $MASTER_HOST $MASTER_PORT"
echo "replica-announce-ip directus-valkey-$POD_INDEX.directus-valkey-headless.directus.svc.cluster.local" echo "replica-announce-ip directus-valkey-$POD_INDEX.directus-valkey-headless.directus.svc.cluster.local"
echo ""
echo "# Master authentication"
} >>"$VALKEY_CONFIG" } >>"$VALKEY_CONFIG"
# Get the password for the replication user
REPL_PASSWORD=$(get_user_password "default" "default") || exit 1
# Write masterauth configuration
echo "masterauth $REPL_PASSWORD" >>"$VALKEY_CONFIG"
echo "masteruser default" >>"$VALKEY_CONFIG"
log "Configured masterauth with user default"
fi fi
# Append extra configs if present # Append extra configs if present

45
clusters/cl01tl/manifests/directus/Pod-directus-valkey-test-auth-existing.yaml Normal file
View File

@@ -0,0 +1,45 @@
apiVersion: v1
kind: Pod
metadata:
name: directus-valkey-test-auth-existing
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: directus
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
restartPolicy: Never
containers:
- name: test-auth
image: "valkey/valkey:9.0.3"
command:
- sh
- -c
- |
set -e
echo "Testing authentication with usersExistingSecret..."
TLS_FLAGS=""
# Test basic connection (no auth - will fail if auth is properly configured)
PING_RESULT=$(valkey-cli -h directus-valkey -p 6379 $TLS_FLAGS PING 2>&1 || true)
if [ "$PING_RESULT" = "PONG" ]; then
echo "✗ Authentication test failed: server allows unauthenticated access"
exit 1
fi
echo "✓ Authentication is enforced (unauthenticated access denied)"
echo "✓ Received expected error: $PING_RESULT"
echo "⚠ Manual verification recommended for usersExistingSecret configuration"
exit 0
volumeMounts:
- name: valkey-users-secret
mountPath: /valkey-users-secret
readOnly: true
volumes:
- name: valkey-users-secret
secret:
secretName: directus-valkey-config

16
clusters/cl01tl/manifests/directus/StatefulSet-directus-valkey.yaml
View File

@@ -32,7 +32,7 @@ spec:
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey
app.kubernetes.io/instance: directus app.kubernetes.io/instance: directus
annotations: annotations:
checksum/initconfig: "1a02492c8a38ab0baf1fc607dedf1a27" checksum/initconfig: "6307ecb287c2f05dc09ba3cf7cdfd155"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
serviceAccountName: directus-valkey serviceAccountName: directus-valkey
@@ -62,6 +62,11 @@ spec:
mountPath: /data mountPath: /data
- name: scripts - name: scripts
mountPath: /scripts mountPath: /scripts
- name: valkey-acl
mountPath: /etc/valkey
- name: valkey-users-secret
mountPath: /valkey-users-secret
readOnly: true
containers: containers:
- name: directus-valkey - name: directus-valkey
image: docker.io/valkey/valkey:9.0.3 image: docker.io/valkey/valkey:9.0.3
@@ -99,6 +104,8 @@ spec:
volumeMounts: volumeMounts:
- name: valkey-data - name: valkey-data
mountPath: /data mountPath: /data
- name: valkey-acl
mountPath: /etc/valkey
- name: metrics - name: metrics
image: ghcr.io/oliver006/redis_exporter:v1.81.0 image: ghcr.io/oliver006/redis_exporter:v1.81.0
imagePullPolicy: "IfNotPresent" imagePullPolicy: "IfNotPresent"
@@ -127,3 +134,10 @@ spec:
configMap: configMap:
name: directus-valkey-init-scripts name: directus-valkey-init-scripts
defaultMode: 0555 defaultMode: 0555
- name: valkey-acl
emptyDir:
medium: Memory
- name: valkey-users-secret
secret:
secretName: directus-valkey-config
defaultMode: 0400

58
clusters/cl01tl/manifests/gitea/ConfigMap-gitea-valkey-renovate-init-scripts.yaml Normal file
View File

@@ -0,0 +1,58 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: gitea-valkey-renovate-init-scripts
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-renovate
app.kubernetes.io/instance: gitea
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
data:
init.sh: |-
#!/bin/sh
set -eu
# Default config paths
VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf}
LOGFILE="/data/init.log"
DATA_DIR="/data/conf"
# Logging function (outputs to stderr and file)
log() {
echo "$(date) $1" | tee -a "$LOGFILE" >&2
}
# Clean old log if requested
if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
rm -f "$LOGFILE"
fi
if [ -f "$LOGFILE" ]; then
log "Detected restart of this instance ($HOSTNAME)"
fi
log "Creating configuration in $DATA_DIR..."
mkdir -p "$DATA_DIR"
rm -f "$VALKEY_CONFIG"
# Base valkey.conf
log "Generating base valkey.conf"
{
echo "port 6379"
echo "protected-mode no"
echo "bind * -::*"
echo "dir /data"
} >>"$VALKEY_CONFIG"
# Append extra configs if present
if [ -f /usr/local/etc/valkey/valkey.conf ]; then
log "Appending /usr/local/etc/valkey/valkey.conf"
cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG"
fi
if [ -d /extravalkeyconfigs ]; then
log "Appending files in /extravalkeyconfigs/"
cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG"
fi

113
clusters/cl01tl/manifests/gitea/Deployment-gitea-valkey-renovate.yaml Normal file
View File

@@ -0,0 +1,113 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea-valkey-renovate
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-renovate
app.kubernetes.io/instance: gitea
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
strategy:
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/name: valkey-renovate
app.kubernetes.io/instance: gitea
template:
metadata:
labels:
app.kubernetes.io/name: valkey-renovate
app.kubernetes.io/instance: gitea
annotations:
checksum/initconfig: f77fc408ed818f9e2bd789f0e95a4172
spec:
automountServiceAccountToken: false
serviceAccountName: gitea-valkey-renovate
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsUser: 1000
initContainers:
- name: gitea-valkey-renovate-init
image: docker.io/valkey/valkey:9.0.3
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
command: ["/scripts/init.sh"]
volumeMounts:
- name: valkey-data
mountPath: /data
- name: scripts
mountPath: /scripts
containers:
- name: gitea-valkey-renovate
image: docker.io/valkey/valkey:9.0.3
imagePullPolicy: IfNotPresent
command: ["valkey-server"]
args: ["/data/conf/valkey.conf"]
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
env:
- name: VALKEY_LOGLEVEL
value: "notice"
ports:
- name: tcp
containerPort: 6379
protocol: TCP
startupProbe:
exec:
command: ["sh", "-c", "valkey-cli ping"]
livenessProbe:
exec:
command: ["sh", "-c", "valkey-cli ping"]
resources:
requests:
cpu: 10m
memory: 128Mi
volumeMounts:
- name: valkey-data
mountPath: /data
- name: metrics
image: ghcr.io/oliver006/redis_exporter:v1.81.0
imagePullPolicy: "IfNotPresent"
ports:
- name: metrics
containerPort: 9121
startupProbe:
tcpSocket:
port: metrics
livenessProbe:
tcpSocket:
port: metrics
readinessProbe:
httpGet:
path: /
port: metrics
resources:
requests:
cpu: 10m
memory: 64M
env:
- name: REDIS_ALIAS
value: gitea-valkey-renovate
volumes:
- name: scripts
configMap:
name: gitea-valkey-renovate-init-scripts
defaultMode: 0555
- name: valkey-data
persistentVolumeClaim:
claimName: gitea-valkey-renovate

18
clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-valkey-renovate.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea-valkey-renovate
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-renovate
app.kubernetes.io/instance: gitea
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi
storageClassName: ceph-block

23
clusters/cl01tl/manifests/gitea/PodMonitor-gitea-valkey-renovate.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: gitea-valkey-renovate
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-renovate
app.kubernetes.io/instance: gitea
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: valkey
app.kubernetes.io/component: podmonitor
spec:
podMetricsEndpoints:
- port: metrics
interval: 30s
namespaceSelector:
matchNames:
- gitea
selector:
matchLabels:
app.kubernetes.io/name: valkey-renovate
app.kubernetes.io/instance: gitea

47
clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-valkey-renovate.yaml Normal file
View File

@@ -0,0 +1,47 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: gitea-valkey-renovate
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-renovate
app.kubernetes.io/instance: gitea
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: valkey
spec:
groups:
- name: gitea-valkey-renovate
rules:
- alert: ValkeyDown
annotations:
description: Valkey instance {{ $labels.instance }} is down.
summary: Valkey instance {{ $labels.instance }} down
expr: |
redis_up{service="gitea-valkey-renovate-metrics"} == 0
for: 2m
labels:
severity: error
- alert: ValkeyMemoryHigh
annotations:
description: |
Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory.
summary: Valkey instance {{ $labels.instance }} is using too much memory
expr: |
redis_memory_used_bytes{service="gitea-valkey-renovate-metrics"} * 100
/
redis_memory_max_bytes{service="gitea-valkey-renovate-metrics"}
> 90 <= 100
for: 2m
labels:
severity: error
- alert: ValkeyKeyEviction
annotations:
description: |
Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes.
summary: Valkey instance {{ $labels.instance }} has evicted keys
expr: |
increase(redis_evicted_keys_total{service="gitea-valkey-renovate-metrics"}[5m]) > 0
for: 1s
labels:
severity: error

23
clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate-metrics.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: v1
kind: Service
metadata:
name: gitea-valkey-renovate-metrics
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-renovate
app.kubernetes.io/instance: gitea
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: metrics
app.kubernetes.io/part-of: valkey
annotations:
spec:
type: ClusterIP
ports:
- name: metrics
port: 9121
protocol: TCP
targetPort: metrics
selector:
app.kubernetes.io/name: valkey-renovate
app.kubernetes.io/instance: gitea

21
clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: v1
kind: Service
metadata:
name: gitea-valkey-renovate
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-renovate
app.kubernetes.io/instance: gitea
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: primary
spec:
type: ClusterIP
ports:
- port: 6379
targetPort: tcp
protocol: TCP
name: tcp
selector:
app.kubernetes.io/name: valkey-renovate
app.kubernetes.io/instance: gitea

11
clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-valkey-renovate.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: gitea-valkey-renovate
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-renovate
app.kubernetes.io/instance: gitea
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
automountServiceAccountToken: false

24
clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-valkey-renovate.yaml Normal file
View File

@@ -0,0 +1,24 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: gitea-valkey-renovate
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-renovate
app.kubernetes.io/instance: gitea
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: valkey
app.kubernetes.io/component: service-monitor
spec:
endpoints:
- port: metrics
interval: 30s
namespaceSelector:
matchNames:
- gitea
selector:
matchLabels:
app.kubernetes.io/name: valkey-renovate
app.kubernetes.io/instance: gitea
app.kubernetes.io/component: metrics

6
clusters/cl01tl/manifests/gitea/StatefulSet-gitea-valkey.yaml
View File

@@ -25,7 +25,7 @@ spec:
storageClassName: "ceph-block" storageClassName: "ceph-block"
resources: resources:
requests: requests:
storage: "1Gi" storage: "10Gi"
template: template:
metadata: metadata:
labels: labels:
@@ -94,8 +94,8 @@ spec:
command: ["sh", "-c", "valkey-cli ping"] command: ["sh", "-c", "valkey-cli ping"]
resources: resources:
requests: requests:
cpu: 10m cpu: 20m
memory: 128Mi memory: 256Mi
volumeMounts: volumeMounts:
- name: valkey-data - name: valkey-data
mountPath: /data mountPath: /data

58
clusters/cl01tl/manifests/grafana-operator/ConfigMap-grafana-operator-valkey-remote-cache-init-scripts.yaml Normal file
View File

@@ -0,0 +1,58 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: grafana-operator-valkey-remote-cache-init-scripts
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-remote-cache
app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
data:
init.sh: |-
#!/bin/sh
set -eu
# Default config paths
VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf}
LOGFILE="/data/init.log"
DATA_DIR="/data/conf"
# Logging function (outputs to stderr and file)
log() {
echo "$(date) $1" | tee -a "$LOGFILE" >&2
}
# Clean old log if requested
if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
rm -f "$LOGFILE"
fi
if [ -f "$LOGFILE" ]; then
log "Detected restart of this instance ($HOSTNAME)"
fi
log "Creating configuration in $DATA_DIR..."
mkdir -p "$DATA_DIR"
rm -f "$VALKEY_CONFIG"
# Base valkey.conf
log "Generating base valkey.conf"
{
echo "port 6379"
echo "protected-mode no"
echo "bind * -::*"
echo "dir /data"
} >>"$VALKEY_CONFIG"
# Append extra configs if present
if [ -f /usr/local/etc/valkey/valkey.conf ]; then
log "Appending /usr/local/etc/valkey/valkey.conf"
cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG"
fi
if [ -d /extravalkeyconfigs ]; then
log "Appending files in /extravalkeyconfigs/"
cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG"
fi

87
clusters/cl01tl/manifests/grafana-operator/ConfigMap-grafana-operator-valkey-unified-alerting-init-scripts.yaml Normal file
View File

@@ -0,0 +1,87 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: grafana-operator-valkey-unified-alerting-init-scripts
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
data:
init.sh: |-
#!/bin/sh
set -eu
# Default config paths
VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf}
LOGFILE="/data/init.log"
DATA_DIR="/data/conf"
# Logging function (outputs to stderr and file)
log() {
echo "$(date) $1" | tee -a "$LOGFILE" >&2
}
# Clean old log if requested
if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
rm -f "$LOGFILE"
fi
if [ -f "$LOGFILE" ]; then
log "Detected restart of this instance ($HOSTNAME)"
fi
log "Creating configuration in $DATA_DIR..."
mkdir -p "$DATA_DIR"
rm -f "$VALKEY_CONFIG"
# Base valkey.conf
log "Generating base valkey.conf"
{
echo "port 6379"
echo "protected-mode no"
echo "bind * -::*"
echo "dir /data"
} >>"$VALKEY_CONFIG"
# Replica mode configuration
log "Configuring replication mode"
# Use POD_INDEX from Kubernetes metadata
POD_INDEX=${POD_INDEX:-0}
IS_MASTER=false
# Check if this is pod-0 (master)
if [ "$POD_INDEX" = "0" ]; then
IS_MASTER=true
log "This pod (index $POD_INDEX) is configured as MASTER"
else
log "This pod (index $POD_INDEX) is configured as REPLICA"
fi
# Configure replica settings
if [ "$IS_MASTER" = "false" ]; then
MASTER_HOST="grafana-operator-valkey-unified-alerting-0.grafana-operator-valkey-unified-alerting-headless.grafana-operator.svc.cluster.local"
MASTER_PORT="6379"
log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT"
{
echo ""
echo "# Replica Configuration"
echo "replicaof $MASTER_HOST $MASTER_PORT"
echo "replica-announce-ip grafana-operator-valkey-unified-alerting-$POD_INDEX.grafana-operator-valkey-unified-alerting-headless.grafana-operator.svc.cluster.local"
} >>"$VALKEY_CONFIG"
fi
# Append extra configs if present
if [ -f /usr/local/etc/valkey/valkey.conf ]; then
log "Appending /usr/local/etc/valkey/valkey.conf"
cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG"
fi
if [ -d /extravalkeyconfigs ]; then
log "Appending files in /extravalkeyconfigs/"
cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG"
fi

113
clusters/cl01tl/manifests/grafana-operator/Deployment-grafana-operator-valkey-remote-cache.yaml Normal file
View File

@@ -0,0 +1,113 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: grafana-operator-valkey-remote-cache
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-remote-cache
app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
strategy:
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/name: valkey-remote-cache
app.kubernetes.io/instance: grafana-operator
template:
metadata:
labels:
app.kubernetes.io/name: valkey-remote-cache
app.kubernetes.io/instance: grafana-operator
annotations:
checksum/initconfig: d790dfe3185267fe6c217c9572cfa9fb
spec:
automountServiceAccountToken: false
serviceAccountName: grafana-operator-valkey-remote-cache
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsUser: 1000
initContainers:
- name: grafana-operator-valkey-remote-cache-init
image: docker.io/valkey/valkey:9.0.3
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
command: ["/scripts/init.sh"]
volumeMounts:
- name: valkey-data
mountPath: /data
- name: scripts
mountPath: /scripts
containers:
- name: grafana-operator-valkey-remote-cache
image: docker.io/valkey/valkey:9.0.3
imagePullPolicy: IfNotPresent
command: ["valkey-server"]
args: ["/data/conf/valkey.conf"]
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
env:
- name: VALKEY_LOGLEVEL
value: "notice"
ports:
- name: tcp
containerPort: 6379
protocol: TCP
startupProbe:
exec:
command: ["sh", "-c", "valkey-cli ping"]
livenessProbe:
exec:
command: ["sh", "-c", "valkey-cli ping"]
resources:
requests:
cpu: 10m
memory: 128Mi
volumeMounts:
- name: valkey-data
mountPath: /data
- name: metrics
image: ghcr.io/oliver006/redis_exporter:v1.81.0
imagePullPolicy: "IfNotPresent"
ports:
- name: metrics
containerPort: 9121
startupProbe:
tcpSocket:
port: metrics
livenessProbe:
tcpSocket:
port: metrics
readinessProbe:
httpGet:
path: /
port: metrics
resources:
requests:
cpu: 10m
memory: 64M
env:
- name: REDIS_ALIAS
value: grafana-operator-valkey-remote-cache
volumes:
- name: scripts
configMap:
name: grafana-operator-valkey-remote-cache-init-scripts
defaultMode: 0555
- name: valkey-data
persistentVolumeClaim:
claimName: grafana-operator-valkey-remote-cache

18
clusters/cl01tl/manifests/grafana-operator/PersistentVolumeClaim-grafana-operator-valkey-remote-cache.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: grafana-operator-valkey-remote-cache
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-remote-cache
app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi
storageClassName: ceph-block

6
clusters/cl01tl/manifests/grafana-operator/PodMonitor-grafana-operator-valkey.yaml → clusters/cl01tl/manifests/grafana-operator/PodMonitor-grafana-operator-valkey-remote-cache.yaml
View File

@@ -1,10 +1,10 @@
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: PodMonitor kind: PodMonitor
metadata: metadata:
name: grafana-operator-valkey name: grafana-operator-valkey-remote-cache
labels: labels:
helm.sh/chart: valkey-0.9.3 helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-remote-cache
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3" app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
@@ -19,5 +19,5 @@ spec:
- grafana-operator - grafana-operator
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-remote-cache
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: grafana-operator

23
clusters/cl01tl/manifests/grafana-operator/PodMonitor-grafana-operator-valkey-unified-alerting.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: grafana-operator-valkey-unified-alerting
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: valkey
app.kubernetes.io/component: podmonitor
spec:
podMetricsEndpoints:
- port: metrics
interval: 30s
namespaceSelector:
matchNames:
- grafana-operator
selector:
matchLabels:
app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator

14
clusters/cl01tl/manifests/grafana-operator/PrometheusRule-grafana-operator-valkey.yaml → clusters/cl01tl/manifests/grafana-operator/PrometheusRule-grafana-operator-valkey-remote-cache.yaml
View File

@@ -1,24 +1,24 @@
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule kind: PrometheusRule
metadata: metadata:
name: grafana-operator-valkey name: grafana-operator-valkey-remote-cache
labels: labels:
helm.sh/chart: valkey-0.9.3 helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-remote-cache
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3" app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: valkey app.kubernetes.io/part-of: valkey
spec: spec:
groups: groups:
- name: grafana-operator-valkey - name: grafana-operator-valkey-remote-cache
rules: rules:
- alert: ValkeyDown - alert: ValkeyDown
annotations: annotations:
description: Valkey instance {{ $labels.instance }} is down. description: Valkey instance {{ $labels.instance }} is down.
summary: Valkey instance {{ $labels.instance }} down summary: Valkey instance {{ $labels.instance }} down
expr: | expr: |
redis_up{service="grafana-operator-valkey-metrics"} == 0 redis_up{service="grafana-operator-valkey-remote-cache-metrics"} == 0
for: 2m for: 2m
labels: labels:
severity: error severity: error
@@ -28,9 +28,9 @@ spec:
Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory. Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory.
summary: Valkey instance {{ $labels.instance }} is using too much memory summary: Valkey instance {{ $labels.instance }} is using too much memory
expr: | expr: |
redis_memory_used_bytes{service="grafana-operator-valkey-metrics"} * 100 redis_memory_used_bytes{service="grafana-operator-valkey-remote-cache-metrics"} * 100
/ /
redis_memory_max_bytes{service="grafana-operator-valkey-metrics"} redis_memory_max_bytes{service="grafana-operator-valkey-remote-cache-metrics"}
> 90 <= 100 > 90 <= 100
for: 2m for: 2m
labels: labels:
@@ -41,7 +41,7 @@ spec:
Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes. Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes.
summary: Valkey instance {{ $labels.instance }} has evicted keys summary: Valkey instance {{ $labels.instance }} has evicted keys
expr: | expr: |
increase(redis_evicted_keys_total{service="grafana-operator-valkey-metrics"}[5m]) > 0 increase(redis_evicted_keys_total{service="grafana-operator-valkey-remote-cache-metrics"}[5m]) > 0
for: 1s for: 1s
labels: labels:
severity: error severity: error

47
clusters/cl01tl/manifests/grafana-operator/PrometheusRule-grafana-operator-valkey-unified-alerting.yaml Normal file
View File

@@ -0,0 +1,47 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: grafana-operator-valkey-unified-alerting
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: valkey
spec:
groups:
- name: grafana-operator-valkey-unified-alerting
rules:
- alert: ValkeyDown
annotations:
description: Valkey instance {{ $labels.instance }} is down.
summary: Valkey instance {{ $labels.instance }} down
expr: |
redis_up{service="grafana-operator-valkey-unified-alerting-metrics"} == 0
for: 2m
labels:
severity: error
- alert: ValkeyMemoryHigh
annotations:
description: |
Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory.
summary: Valkey instance {{ $labels.instance }} is using too much memory
expr: |
redis_memory_used_bytes{service="grafana-operator-valkey-unified-alerting-metrics"} * 100
/
redis_memory_max_bytes{service="grafana-operator-valkey-unified-alerting-metrics"}
> 90 <= 100
for: 2m
labels:
severity: error
- alert: ValkeyKeyEviction
annotations:
description: |
Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes.
summary: Valkey instance {{ $labels.instance }} has evicted keys
expr: |
increase(redis_evicted_keys_total{service="grafana-operator-valkey-unified-alerting-metrics"}[5m]) > 0
for: 1s
labels:
severity: error

23
clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-remote-cache-metrics.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: v1
kind: Service
metadata:
name: grafana-operator-valkey-remote-cache-metrics
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-remote-cache
app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: metrics
app.kubernetes.io/part-of: valkey
annotations:
spec:
type: ClusterIP
ports:
- name: metrics
port: 9121
protocol: TCP
targetPort: metrics
selector:
app.kubernetes.io/name: valkey-remote-cache
app.kubernetes.io/instance: grafana-operator

21
clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-remote-cache.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: v1
kind: Service
metadata:
name: grafana-operator-valkey-remote-cache
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-remote-cache
app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: primary
spec:
type: ClusterIP
ports:
- port: 6379
targetPort: tcp
protocol: TCP
name: tcp
selector:
app.kubernetes.io/name: valkey-remote-cache
app.kubernetes.io/instance: grafana-operator

6
clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-headless.yaml → clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting-headless.yaml
View File

@@ -1,10 +1,10 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: grafana-operator-valkey-headless name: grafana-operator-valkey-unified-alerting-headless
labels: labels:
helm.sh/chart: valkey-0.9.3 helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3" app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
@@ -19,5 +19,5 @@ spec:
targetPort: tcp targetPort: tcp
protocol: TCP protocol: TCP
selector: selector:
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: grafana-operator

23
clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting-metrics.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: v1
kind: Service
metadata:
name: grafana-operator-valkey-unified-alerting-metrics
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: metrics
app.kubernetes.io/part-of: valkey
annotations:
spec:
type: ClusterIP
ports:
- name: metrics
port: 9121
protocol: TCP
targetPort: metrics
selector:
app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator

6
clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-read.yaml → clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting-read.yaml
View File

@@ -1,10 +1,10 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: grafana-operator-valkey-read name: grafana-operator-valkey-unified-alerting-read
labels: labels:
helm.sh/chart: valkey-0.9.3 helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3" app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
@@ -17,5 +17,5 @@ spec:
targetPort: tcp targetPort: tcp
protocol: TCP protocol: TCP
selector: selector:
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: grafana-operator

8
clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey.yaml → clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting.yaml
View File

@@ -1,10 +1,10 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: grafana-operator-valkey name: grafana-operator-valkey-unified-alerting
labels: labels:
helm.sh/chart: valkey-0.9.3 helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3" app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
@@ -17,6 +17,6 @@ spec:
protocol: TCP protocol: TCP
name: tcp name: tcp
selector: selector:
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: grafana-operator
statefulset.kubernetes.io/pod-name: grafana-operator-valkey-0 statefulset.kubernetes.io/pod-name: grafana-operator-valkey-unified-alerting-0

11
clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator-valkey-remote-cache.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: grafana-operator-valkey-remote-cache
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-remote-cache
app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
automountServiceAccountToken: false

11
clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator-valkey-unified-alerting.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: grafana-operator-valkey-unified-alerting
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
automountServiceAccountToken: false

6
clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator-valkey.yaml → clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator-valkey-remote-cache.yaml
View File

@@ -1,10 +1,10 @@
apiVersion: monitoring.coreos.com/v1 apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor kind: ServiceMonitor
metadata: metadata:
name: grafana-operator-valkey name: grafana-operator-valkey-remote-cache
labels: labels:
helm.sh/chart: valkey-0.9.3 helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-remote-cache
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3" app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
@@ -19,6 +19,6 @@ spec:
- grafana-operator - grafana-operator
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-remote-cache
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/component: metrics app.kubernetes.io/component: metrics

24
clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator-valkey-unified-alerting.yaml Normal file
View File

@@ -0,0 +1,24 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: grafana-operator-valkey-unified-alerting
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: valkey
app.kubernetes.io/component: service-monitor
spec:
endpoints:
- port: metrics
interval: 30s
namespaceSelector:
matchNames:
- grafana-operator
selector:
matchLabels:
app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/component: metrics

22
clusters/cl01tl/manifests/grafana-operator/StatefulSet-grafana-operator-valkey.yaml → clusters/cl01tl/manifests/grafana-operator/StatefulSet-grafana-operator-valkey-unified-alerting.yaml
View File

@@ -1,20 +1,20 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
metadata: metadata:
name: grafana-operator-valkey name: grafana-operator-valkey-unified-alerting
labels: labels:
helm.sh/chart: valkey-0.9.3 helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: grafana-operator
app.kubernetes.io/version: "9.0.3" app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
spec: spec:
serviceName: grafana-operator-valkey-headless serviceName: grafana-operator-valkey-unified-alerting-headless
replicas: 3 replicas: 3
podManagementPolicy: OrderedReady podManagementPolicy: OrderedReady
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: grafana-operator
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - metadata:
@@ -29,19 +29,19 @@ spec:
template: template:
metadata: metadata:
labels: labels:
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-unified-alerting
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: grafana-operator
annotations: annotations:
checksum/initconfig: "4e54d550c2f6ca49dbd7140e4d7a0cdc" checksum/initconfig: "cc97af05b1fa8109e641f83996efbf01"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
serviceAccountName: grafana-operator-valkey serviceAccountName: grafana-operator-valkey-unified-alerting
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
runAsGroup: 1000 runAsGroup: 1000
runAsUser: 1000 runAsUser: 1000
initContainers: initContainers:
- name: grafana-operator-valkey-init - name: grafana-operator-valkey-unified-alerting-init
image: docker.io/valkey/valkey:9.0.3 image: docker.io/valkey/valkey:9.0.3
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
securityContext: securityContext:
@@ -63,7 +63,7 @@ spec:
- name: scripts - name: scripts
mountPath: /scripts mountPath: /scripts
containers: containers:
- name: grafana-operator-valkey - name: grafana-operator-valkey-unified-alerting
image: docker.io/valkey/valkey:9.0.3 image: docker.io/valkey/valkey:9.0.3
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: ["valkey-server"] command: ["valkey-server"]
@@ -121,9 +121,9 @@ spec:
memory: 64M memory: 64M
env: env:
- name: REDIS_ALIAS - name: REDIS_ALIAS
value: grafana-operator-valkey value: grafana-operator-valkey-unified-alerting
volumes: volumes:
- name: scripts - name: scripts
configMap: configMap:
name: grafana-operator-valkey-init-scripts name: grafana-operator-valkey-unified-alerting-init-scripts
defaultMode: 0555 defaultMode: 0555

2
clusters/cl01tl/manifests/kube-prometheus-stack/StatefulSet-kube-prometheus-stack-valkey.yaml
View File

@@ -25,7 +25,7 @@ spec:
storageClassName: "ceph-block" storageClassName: "ceph-block"
resources: resources:
requests: requests:
storage: "1Gi" storage: "10Gi"
template: template:
metadata: metadata:
labels: labels:

10
clusters/cl01tl/manifests/grafana-operator/ConfigMap-grafana-operator-valkey-init-scripts.yaml → clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-valkey-hookshot-init-scripts.yaml
View File

@@ -1,11 +1,11 @@
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: grafana-operator-valkey-init-scripts name: matrix-synapse-valkey-hookshot-init-scripts
labels: labels:
helm.sh/chart: valkey-0.9.3 helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3" app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
data: data:
@@ -63,7 +63,7 @@ data:
# Configure replica settings # Configure replica settings
if [ "$IS_MASTER" = "false" ]; then if [ "$IS_MASTER" = "false" ]; then
MASTER_HOST="grafana-operator-valkey-0.grafana-operator-valkey-headless.grafana-operator.svc.cluster.local" MASTER_HOST="matrix-synapse-valkey-hookshot-0.matrix-synapse-valkey-hookshot-headless.matrix-synapse.svc.cluster.local"
MASTER_PORT="6379" MASTER_PORT="6379"
log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT" log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT"
@@ -72,7 +72,7 @@ data:
echo "" echo ""
echo "# Replica Configuration" echo "# Replica Configuration"
echo "replicaof $MASTER_HOST $MASTER_PORT" echo "replicaof $MASTER_HOST $MASTER_PORT"
echo "replica-announce-ip grafana-operator-valkey-$POD_INDEX.grafana-operator-valkey-headless.grafana-operator.svc.cluster.local" echo "replica-announce-ip matrix-synapse-valkey-hookshot-$POD_INDEX.matrix-synapse-valkey-hookshot-headless.matrix-synapse.svc.cluster.local"
} >>"$VALKEY_CONFIG" } >>"$VALKEY_CONFIG"
fi fi

149
clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-valkey-init-scripts.yaml Normal file
View File

@@ -0,0 +1,149 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: matrix-synapse-valkey-init-scripts
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
data:
init.sh: |-
#!/bin/sh
set -eu
# Default config paths
VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf}
LOGFILE="/data/init.log"
DATA_DIR="/data/conf"
# Logging function (outputs to stderr and file)
log() {
echo "$(date) $1" | tee -a "$LOGFILE" >&2
}
# Function to get password for a user
# Usage: get_user_password <username> [password_key]
# Returns: password via stdout, exits with error if not found
get_user_password() {
username="$1"
password_key="${2:-$username}"
password=""
# Try to get password from existing secret first (priority)
if [ -f "/valkey-users-secret/$password_key" ]; then
password=$(cat "/valkey-users-secret/$password_key")
log "Using password from existing secret for user $username"
elif [ -f "/valkey-auth-secret/${username}-password" ]; then
# Fallback to inline password
password=$(cat "/valkey-auth-secret/${username}-password")
log "Using inline password for user $username"
else
log "ERROR: No password found for user $username"
return 1
fi
echo "$password"
}
# Clean old log if requested
if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
rm -f "$LOGFILE"
fi
if [ -f "$LOGFILE" ]; then
log "Detected restart of this instance ($HOSTNAME)"
fi
log "Creating configuration in $DATA_DIR..."
mkdir -p "$DATA_DIR"
rm -f "$VALKEY_CONFIG"
# Base valkey.conf
log "Generating base valkey.conf"
{
echo "port 6379"
echo "protected-mode no"
echo "bind * -::*"
echo "dir /data"
} >>"$VALKEY_CONFIG"
# Create secure directory for ACL file
log "Creating /etc/valkey directory for ACL file"
mkdir -p /etc/valkey
# Set aclfile path in valkey.conf
echo "aclfile /etc/valkey/users.acl" >>"$VALKEY_CONFIG"
# Remove or reset existing ACL file if present (it may be read-only from previous run)
log "Preparing ACL file at /etc/valkey/users.acl"
if [ -f /etc/valkey/users.acl ]; then
log "Removing existing read-only users.acl file"
chmod 0600 /etc/valkey/users.acl
rm -f /etc/valkey/users.acl
fi
# Create ACL file with secure permissions
touch /etc/valkey/users.acl
chmod 0600 /etc/valkey/users.acl
# Generate ACL entries for each user
log "Generating ACL entries for users"
# User: default
PASSWORD=$(get_user_password "default" "default") || exit 1
# Hash the password and write ACL entry
PASSHASH=$(echo -n "$PASSWORD" | sha256sum | cut -f 1 -d " ")
echo "user default on #$PASSHASH ~* &* +@all" >> /etc/valkey/users.acl
# Set final permissions
chmod 0400 /etc/valkey/users.acl
log "ACL file created with 0400 permissions"
# Replica mode configuration
log "Configuring replication mode"
# Use POD_INDEX from Kubernetes metadata
POD_INDEX=${POD_INDEX:-0}
IS_MASTER=false
# Check if this is pod-0 (master)
if [ "$POD_INDEX" = "0" ]; then
IS_MASTER=true
log "This pod (index $POD_INDEX) is configured as MASTER"
else
log "This pod (index $POD_INDEX) is configured as REPLICA"
fi
# Configure replica settings
if [ "$IS_MASTER" = "false" ]; then
MASTER_HOST="matrix-synapse-valkey-0.matrix-synapse-valkey-headless.matrix-synapse.svc.cluster.local"
MASTER_PORT="6379"
log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT"
{
echo ""
echo "# Replica Configuration"
echo "replicaof $MASTER_HOST $MASTER_PORT"
echo "replica-announce-ip matrix-synapse-valkey-$POD_INDEX.matrix-synapse-valkey-headless.matrix-synapse.svc.cluster.local"
echo ""
echo "# Master authentication"
} >>"$VALKEY_CONFIG"
# Get the password for the replication user
REPL_PASSWORD=$(get_user_password "default" "default") || exit 1
# Write masterauth configuration
echo "masterauth $REPL_PASSWORD" >>"$VALKEY_CONFIG"
echo "masteruser default" >>"$VALKEY_CONFIG"
log "Configured masterauth with user default"
fi
# Append extra configs if present
if [ -f /usr/local/etc/valkey/valkey.conf ]; then
log "Appending /usr/local/etc/valkey/valkey.conf"
cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG"
fi
if [ -d /extravalkeyconfigs ]; then
log "Appending files in /extravalkeyconfigs/"
cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG"
fi

4
clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse.yaml
View File

@@ -22,7 +22,7 @@ spec:
metadata: metadata:
annotations: annotations:
checksum/config: 13648c05f49095027336c9a2d1d30591025cdab4497a14542805b397fa3b92c8 checksum/config: 13648c05f49095027336c9a2d1d30591025cdab4497a14542805b397fa3b92c8
checksum/secrets: 0d6f055de2a4b62cd5b9ae50f578d73c68253aee28c9641318b06c0940e0c7ac checksum/secrets: 5c93bb9068a23109958239ac9b72c1876b9f5ecfbf8d078c294fd171be2259ab
labels: labels:
app.kubernetes.io/name: matrix-synapse app.kubernetes.io/name: matrix-synapse
app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/instance: matrix-synapse
@@ -71,7 +71,7 @@ spec:
- name: REDIS_PASSWORD - name: REDIS_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: matrix-synapse-redis-secret name: matrix-synapse-valkey-secret
key: password key: password
image: "ghcr.io/element-hq/synapse:v1.148.0" image: "ghcr.io/element-hq/synapse:v1.148.0"
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent

11
clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-redis-secret.yaml → clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-valkey-secret.yaml
View File

@@ -1,10 +1,10 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: matrix-synapse-redis-secret name: matrix-synapse-valkey-secret
namespace: matrix-synapse namespace: matrix-synapse
labels: labels:
app.kubernetes.io/name: matrix-synapse-redis-secret app.kubernetes.io/name: matrix-synapse-valkey-secret
app.kubernetes.io/instance: matrix-synapse app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/part-of: matrix-synapse app.kubernetes.io/part-of: matrix-synapse
spec: spec:
@@ -12,6 +12,13 @@ spec:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: vault
data: data:
- secretKey: default
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/matrix-synapse/redis
metadataPolicy: None
property: password
- secretKey: password - secretKey: password
remoteRef: remoteRef:
conversionStrategy: Default conversionStrategy: Default

45
clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-valkey-test-auth-existing.yaml Normal file
View File

@@ -0,0 +1,45 @@
apiVersion: v1
kind: Pod
metadata:
name: matrix-synapse-valkey-test-auth-existing
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
restartPolicy: Never
containers:
- name: test-auth
image: "valkey/valkey:9.0.3"
command:
- sh
- -c
- |
set -e
echo "Testing authentication with usersExistingSecret..."
TLS_FLAGS=""
# Test basic connection (no auth - will fail if auth is properly configured)
PING_RESULT=$(valkey-cli -h matrix-synapse-valkey -p 6379 $TLS_FLAGS PING 2>&1 || true)
if [ "$PING_RESULT" = "PONG" ]; then
echo "✗ Authentication test failed: server allows unauthenticated access"
exit 1
fi
echo "✓ Authentication is enforced (unauthenticated access denied)"
echo "✓ Received expected error: $PING_RESULT"
echo "⚠ Manual verification recommended for usersExistingSecret configuration"
exit 0
volumeMounts:
- name: valkey-users-secret
mountPath: /valkey-users-secret
readOnly: true
volumes:
- name: valkey-users-secret
secret:
secretName: matrix-synapse-valkey-secret

23
clusters/cl01tl/manifests/matrix-synapse/PodMonitor-matrix-synapse-valkey-hookshot.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: matrix-synapse-valkey-hookshot
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: valkey
app.kubernetes.io/component: podmonitor
spec:
podMetricsEndpoints:
- port: metrics
interval: 30s
namespaceSelector:
matchNames:
- matrix-synapse
selector:
matchLabels:
app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: matrix-synapse

23
clusters/cl01tl/manifests/matrix-synapse/PodMonitor-matrix-synapse-valkey.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: matrix-synapse-valkey
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: valkey
app.kubernetes.io/component: podmonitor
spec:
podMetricsEndpoints:
- port: metrics
interval: 30s
namespaceSelector:
matchNames:
- matrix-synapse
selector:
matchLabels:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: matrix-synapse

47
clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-valkey-hookshot.yaml Normal file
View File

@@ -0,0 +1,47 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: matrix-synapse-valkey-hookshot
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: valkey
spec:
groups:
- name: matrix-synapse-valkey-hookshot
rules:
- alert: ValkeyDown
annotations:
description: Valkey instance {{ $labels.instance }} is down.
summary: Valkey instance {{ $labels.instance }} down
expr: |
redis_up{service="matrix-synapse-valkey-hookshot-metrics"} == 0
for: 2m
labels:
severity: error
- alert: ValkeyMemoryHigh
annotations:
description: |
Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory.
summary: Valkey instance {{ $labels.instance }} is using too much memory
expr: |
redis_memory_used_bytes{service="matrix-synapse-valkey-hookshot-metrics"} * 100
/
redis_memory_max_bytes{service="matrix-synapse-valkey-hookshot-metrics"}
> 90 <= 100
for: 2m
labels:
severity: error
- alert: ValkeyKeyEviction
annotations:
description: |
Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes.
summary: Valkey instance {{ $labels.instance }} has evicted keys
expr: |
increase(redis_evicted_keys_total{service="matrix-synapse-valkey-hookshot-metrics"}[5m]) > 0
for: 1s
labels:
severity: error

47
clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-valkey.yaml Normal file
View File

@@ -0,0 +1,47 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: matrix-synapse-valkey
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: valkey
spec:
groups:
- name: matrix-synapse-valkey
rules:
- alert: ValkeyDown
annotations:
description: Valkey instance {{ $labels.instance }} is down.
summary: Valkey instance {{ $labels.instance }} down
expr: |
redis_up{service="matrix-synapse-valkey-metrics"} == 0
for: 2m
labels:
severity: error
- alert: ValkeyMemoryHigh
annotations:
description: |
Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory.
summary: Valkey instance {{ $labels.instance }} is using too much memory
expr: |
redis_memory_used_bytes{service="matrix-synapse-valkey-metrics"} * 100
/
redis_memory_max_bytes{service="matrix-synapse-valkey-metrics"}
> 90 <= 100
for: 2m
labels:
severity: error
- alert: ValkeyKeyEviction
annotations:
description: |
Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes.
summary: Valkey instance {{ $labels.instance }} has evicted keys
expr: |
increase(redis_evicted_keys_total{service="matrix-synapse-valkey-metrics"}[5m]) > 0
for: 1s
labels:
severity: error

44
clusters/cl01tl/manifests/matrix-synapse/RedisReplication-redis-replication-hookshot.yaml
View File

@@ -1,44 +0,0 @@
apiVersion: redis.redis.opstreelabs.in/v1beta2
kind: RedisReplication
metadata:
name: redis-replication-hookshot
namespace: matrix-synapse
labels:
helm.sh/chart: redis-replication-hookshot-1.1.0
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: redis-replication-hookshot
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/part-of: matrix-synapse
spec:
clusterSize: 3
podSecurityContext:
fsGroup: 1000
runAsUser: 1000
kubernetesConfig:
image: "quay.io/opstree/redis:v8.4.2"
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 10m
memory: 32Mi
storage:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: ceph-block
redisExporter:
enabled: true
image: "quay.io/opstree/redis-exporter:v1.81.0"
sentinel:
image: "quay.io/opstree/redis-sentinel:v8.4.2"
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 10m
memory: 32Mi
size: 3

50
clusters/cl01tl/manifests/matrix-synapse/RedisReplication-redis-replication-matrix-synapse.yaml
View File

@@ -1,50 +0,0 @@
apiVersion: redis.redis.opstreelabs.in/v1beta2
kind: RedisReplication
metadata:
name: redis-replication-matrix-synapse
namespace: matrix-synapse
labels:
helm.sh/chart: redis-replication-matrix-synapse-1.1.0
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: redis-replication-matrix-synapse
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/part-of: matrix-synapse
spec:
clusterSize: 3
podSecurityContext:
fsGroup: 1000
runAsUser: 1000
kubernetesConfig:
image: "quay.io/opstree/redis:v8.4.2"
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 10m
memory: 32Mi
redisSecret:
name: matrix-synapse-redis-secret
key: password
storage:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: ceph-block
redisExporter:
enabled: true
image: "quay.io/opstree/redis-exporter:v1.81.0"
sentinel:
image: "quay.io/opstree/redis-sentinel:v8.4.2"
imagePullPolicy: IfNotPresent
redisSecret:
name: matrix-synapse-redis-secret
key: password
resources:
requests:
cpu: 10m
memory: 32Mi
size: 3

2
clusters/cl01tl/manifests/matrix-synapse/Secret-matrix-synapse.yaml
View File

@@ -9,4 +9,4 @@ metadata:
app.kubernetes.io/version: "1.148.0" app.kubernetes.io/version: "1.148.0"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
stringData: stringData:
config.yaml: "## Registration ##\n\nregistration_shared_secret: \"default\"\n\n## API Configuration ##\n\n## Database configuration ##\n\ndatabase:\n name: \"psycopg2\"\n args:\n user: \"app\"\n password: \"@@POSTGRES_PASSWORD@@\"\n database: \"app\"\n host: \"matrix-synapse-postgresql-18-cluster-rw\"\n port: 5432\n sslmode: \"prefer\"\n cp_min: 5\n cp_max: 10\n \n\n## Redis configuration ##\n\nredis:\n enabled: true\n host: \"redis-replication-matrix-synapse-master\"\n port: 6379\n password: \"@@REDIS_PASSWORD@@\"\n" config.yaml: "## Registration ##\n\nregistration_shared_secret: \"default\"\n\n## API Configuration ##\n\n## Database configuration ##\n\ndatabase:\n name: \"psycopg2\"\n args:\n user: \"app\"\n password: \"@@POSTGRES_PASSWORD@@\"\n database: \"app\"\n host: \"matrix-synapse-postgresql-18-cluster-rw\"\n port: 5432\n sslmode: \"prefer\"\n cp_min: 5\n cp_max: 10\n \n\n## Redis configuration ##\n\nredis:\n enabled: true\n host: \"matrix-synapse-valkey\"\n port: 6379\n password: \"@@REDIS_PASSWORD@@\"\n"

6
clusters/cl01tl/manifests/blocky/Service-blocky-valkey-headless.yaml → clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-headless.yaml
View File

@@ -1,11 +1,11 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: blocky-valkey-headless name: matrix-synapse-valkey-headless
labels: labels:
helm.sh/chart: valkey-0.9.3 helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey
app.kubernetes.io/instance: blocky app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3" app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: headless app.kubernetes.io/component: headless
@@ -20,4 +20,4 @@ spec:
protocol: TCP protocol: TCP
selector: selector:
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey
app.kubernetes.io/instance: blocky app.kubernetes.io/instance: matrix-synapse

23
clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-headless.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: v1
kind: Service
metadata:
name: matrix-synapse-valkey-hookshot-headless
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: headless
spec:
type: ClusterIP
clusterIP: None
publishNotReadyAddresses: true
ports:
- name: tcp
port: 6379
targetPort: tcp
protocol: TCP
selector:
app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: matrix-synapse

23
clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-metrics.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: v1
kind: Service
metadata:
name: matrix-synapse-valkey-hookshot-metrics
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: metrics
app.kubernetes.io/part-of: valkey
annotations:
spec:
type: ClusterIP
ports:
- name: metrics
port: 9121
protocol: TCP
targetPort: metrics
selector:
app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: matrix-synapse

21
clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-read.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: v1
kind: Service
metadata:
name: matrix-synapse-valkey-hookshot-read
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: read
spec:
type: ClusterIP
ports:
- name: tcp
port: 6379
targetPort: tcp
protocol: TCP
selector:
app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: matrix-synapse

22
clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot.yaml Normal file
View File

@@ -0,0 +1,22 @@
apiVersion: v1
kind: Service
metadata:
name: matrix-synapse-valkey-hookshot
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: primary
spec:
type: ClusterIP
ports:
- port: 6379
targetPort: tcp
protocol: TCP
name: tcp
selector:
app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: matrix-synapse
statefulset.kubernetes.io/pod-name: matrix-synapse-valkey-hookshot-0

6
clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-metrics.yaml → clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-metrics.yaml
View File

@@ -1,11 +1,11 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: grafana-operator-valkey-metrics name: matrix-synapse-valkey-metrics
labels: labels:
helm.sh/chart: valkey-0.9.3 helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3" app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: metrics app.kubernetes.io/component: metrics
@@ -20,4 +20,4 @@ spec:
targetPort: metrics targetPort: metrics
selector: selector:
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: matrix-synapse

6
clusters/cl01tl/manifests/blocky/Service-blocky-valkey-read.yaml → clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-read.yaml
View File

@@ -1,11 +1,11 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: blocky-valkey-read name: matrix-synapse-valkey-read
labels: labels:
helm.sh/chart: valkey-0.9.3 helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey
app.kubernetes.io/instance: blocky app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3" app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: read app.kubernetes.io/component: read
@@ -18,4 +18,4 @@ spec:
protocol: TCP protocol: TCP
selector: selector:
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey
app.kubernetes.io/instance: blocky app.kubernetes.io/instance: matrix-synapse

22
clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey.yaml Normal file
View File

@@ -0,0 +1,22 @@
apiVersion: v1
kind: Service
metadata:
name: matrix-synapse-valkey
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: primary
spec:
type: ClusterIP
ports:
- port: 6379
targetPort: tcp
protocol: TCP
name: tcp
selector:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: matrix-synapse
statefulset.kubernetes.io/pod-name: matrix-synapse-valkey-0

11
clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-valkey-hookshot.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: matrix-synapse-valkey-hookshot
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
automountServiceAccountToken: false

4
clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator-valkey.yaml → clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-valkey.yaml
View File

@@ -1,11 +1,11 @@
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: grafana-operator-valkey name: matrix-synapse-valkey
labels: labels:
helm.sh/chart: valkey-0.9.3 helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey
app.kubernetes.io/instance: grafana-operator app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3" app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
automountServiceAccountToken: false automountServiceAccountToken: false

24
clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-valkey-hookshot.yaml Normal file
View File

@@ -0,0 +1,24 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: matrix-synapse-valkey-hookshot
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: valkey
app.kubernetes.io/component: service-monitor
spec:
endpoints:
- port: metrics
interval: 30s
namespaceSelector:
matchNames:
- matrix-synapse
selector:
matchLabels:
app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/component: metrics

24
clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-valkey.yaml Normal file
View File

@@ -0,0 +1,24 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: matrix-synapse-valkey
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: valkey
app.kubernetes.io/component: service-monitor
spec:
endpoints:
- port: metrics
interval: 30s
namespaceSelector:
matchNames:
- matrix-synapse
selector:
matchLabels:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/component: metrics

22
clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-redis-replication-hookshot.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: redis-replication-hookshot
namespace: matrix-synapse
labels:
helm.sh/chart: redis-replication-hookshot-1.1.0
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: redis-replication-hookshot
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/part-of: matrix-synapse
spec:
selector:
matchLabels:
app: redis-replication-hookshot
redis_setup_type: replication
role: replication
endpoints:
- port: redis-exporter
interval: 30s
scrapeTimeout: 10s

22
clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-redis-replication-matrix-synapse.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: redis-replication-matrix-synapse
namespace: matrix-synapse
labels:
helm.sh/chart: redis-replication-matrix-synapse-1.1.0
app.kubernetes.io/version: "1.1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: redis-replication-matrix-synapse
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/part-of: matrix-synapse
spec:
selector:
matchLabels:
app: redis-replication-matrix-synapse
redis_setup_type: replication
role: replication
endpoints:
- port: redis-exporter
interval: 30s
scrapeTimeout: 10s

28
clusters/cl01tl/manifests/blocky/StatefulSet-blocky-valkey.yaml → clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey-hookshot.yaml
View File

@@ -1,21 +1,21 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
metadata: metadata:
name: blocky-valkey name: matrix-synapse-valkey-hookshot
labels: labels:
helm.sh/chart: valkey-0.9.3 helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: blocky app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3" app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
spec: spec:
serviceName: blocky-valkey-headless serviceName: matrix-synapse-valkey-hookshot-headless
replicas: 3 replicas: 3
podManagementPolicy: OrderedReady podManagementPolicy: OrderedReady
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: blocky app.kubernetes.io/instance: matrix-synapse
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - metadata:
name: valkey-data name: valkey-data
@@ -29,19 +29,19 @@ spec:
template: template:
metadata: metadata:
labels: labels:
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey-hookshot
app.kubernetes.io/instance: blocky app.kubernetes.io/instance: matrix-synapse
annotations: annotations:
checksum/initconfig: "b997c0967aeeee370412add1d41691a1" checksum/initconfig: "be330f0cfd3ac6b10c6beb9aa42e308a"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
serviceAccountName: blocky-valkey serviceAccountName: matrix-synapse-valkey-hookshot
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
runAsGroup: 1000 runAsGroup: 1000
runAsUser: 1000 runAsUser: 1000
initContainers: initContainers:
- name: blocky-valkey-init - name: matrix-synapse-valkey-hookshot-init
image: docker.io/valkey/valkey:9.0.3 image: docker.io/valkey/valkey:9.0.3
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
securityContext: securityContext:
@@ -63,7 +63,7 @@ spec:
- name: scripts - name: scripts
mountPath: /scripts mountPath: /scripts
containers: containers:
- name: blocky-valkey - name: matrix-synapse-valkey-hookshot
image: docker.io/valkey/valkey:9.0.3 image: docker.io/valkey/valkey:9.0.3
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: ["valkey-server"] command: ["valkey-server"]
@@ -121,9 +121,9 @@ spec:
memory: 64M memory: 64M
env: env:
- name: REDIS_ALIAS - name: REDIS_ALIAS
value: blocky-valkey value: matrix-synapse-valkey-hookshot
volumes: volumes:
- name: scripts - name: scripts
configMap: configMap:
name: blocky-valkey-init-scripts name: matrix-synapse-valkey-hookshot-init-scripts
defaultMode: 0555 defaultMode: 0555

143
clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey.yaml Normal file
View File

@@ -0,0 +1,143 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: matrix-synapse-valkey
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: matrix-synapse
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
spec:
serviceName: matrix-synapse-valkey-headless
replicas: 3
podManagementPolicy: OrderedReady
selector:
matchLabels:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: matrix-synapse
volumeClaimTemplates:
- metadata:
name: valkey-data
spec:
accessModes:
- ReadWriteOnce
storageClassName: "ceph-block"
resources:
requests:
storage: "1Gi"
template:
metadata:
labels:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: matrix-synapse
annotations:
checksum/initconfig: "fb8ae470a9464112ac420b4e06117ac5"
spec:
automountServiceAccountToken: false
serviceAccountName: matrix-synapse-valkey
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsUser: 1000
initContainers:
- name: matrix-synapse-valkey-init
image: docker.io/valkey/valkey:9.0.3
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
command: ["/scripts/init.sh"]
env:
- name: POD_INDEX
valueFrom:
fieldRef:
fieldPath: metadata.labels['apps.kubernetes.io/pod-index']
volumeMounts:
- name: valkey-data
mountPath: /data
- name: scripts
mountPath: /scripts
- name: valkey-acl
mountPath: /etc/valkey
- name: valkey-users-secret
mountPath: /valkey-users-secret
readOnly: true
containers:
- name: matrix-synapse-valkey
image: docker.io/valkey/valkey:9.0.3
imagePullPolicy: IfNotPresent
command: ["valkey-server"]
args: ["/data/conf/valkey.conf"]
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
env:
- name: POD_INDEX
valueFrom:
fieldRef:
fieldPath: metadata.labels['apps.kubernetes.io/pod-index']
- name: VALKEY_LOGLEVEL
value: "notice"
ports:
- name: tcp
containerPort: 6379
protocol: TCP
startupProbe:
exec:
command: ["sh", "-c", "valkey-cli ping"]
livenessProbe:
exec:
command: ["sh", "-c", "valkey-cli ping"]
resources:
requests:
cpu: 10m
memory: 128Mi
volumeMounts:
- name: valkey-data
mountPath: /data
- name: valkey-acl
mountPath: /etc/valkey
- name: metrics
image: ghcr.io/oliver006/redis_exporter:v1.81.0
imagePullPolicy: "IfNotPresent"
ports:
- name: metrics
containerPort: 9121
startupProbe:
tcpSocket:
port: metrics
livenessProbe:
tcpSocket:
port: metrics
readinessProbe:
httpGet:
path: /
port: metrics
resources:
requests:
cpu: 10m
memory: 64M
env:
- name: REDIS_ALIAS
value: matrix-synapse-valkey
volumes:
- name: scripts
configMap:
name: matrix-synapse-valkey-init-scripts
defaultMode: 0555
- name: valkey-acl
emptyDir:
medium: Memory
- name: valkey-users-secret
secret:
secretName: matrix-synapse-valkey-secret
defaultMode: 0400

62
clusters/cl01tl/manifests/postiz/ConfigMap-postiz-valkey-init-scripts.yaml
View File

@@ -23,6 +23,28 @@ data:
log() { log() {
echo "$(date) $1" | tee -a "$LOGFILE" >&2 echo "$(date) $1" | tee -a "$LOGFILE" >&2
} }
# Function to get password for a user
# Usage: get_user_password <username> [password_key]
# Returns: password via stdout, exits with error if not found
get_user_password() {
username="$1"
password_key="${2:-$username}"
password=""
# Try to get password from existing secret first (priority)
if [ -f "/valkey-users-secret/$password_key" ]; then
password=$(cat "/valkey-users-secret/$password_key")
log "Using password from existing secret for user $username"
elif [ -f "/valkey-auth-secret/${username}-password" ]; then
# Fallback to inline password
password=$(cat "/valkey-auth-secret/${username}-password")
log "Using inline password for user $username"
else
log "ERROR: No password found for user $username"
return 1
fi
echo "$password"
}
# Clean old log if requested # Clean old log if requested
if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
@@ -46,6 +68,37 @@ data:
echo "bind * -::*" echo "bind * -::*"
echo "dir /data" echo "dir /data"
} >>"$VALKEY_CONFIG" } >>"$VALKEY_CONFIG"
# Create secure directory for ACL file
log "Creating /etc/valkey directory for ACL file"
mkdir -p /etc/valkey
# Set aclfile path in valkey.conf
echo "aclfile /etc/valkey/users.acl" >>"$VALKEY_CONFIG"
# Remove or reset existing ACL file if present (it may be read-only from previous run)
log "Preparing ACL file at /etc/valkey/users.acl"
if [ -f /etc/valkey/users.acl ]; then
log "Removing existing read-only users.acl file"
chmod 0600 /etc/valkey/users.acl
rm -f /etc/valkey/users.acl
fi
# Create ACL file with secure permissions
touch /etc/valkey/users.acl
chmod 0600 /etc/valkey/users.acl
# Generate ACL entries for each user
log "Generating ACL entries for users"
# User: default
PASSWORD=$(get_user_password "default" "default") || exit 1
# Hash the password and write ACL entry
PASSHASH=$(echo -n "$PASSWORD" | sha256sum | cut -f 1 -d " ")
echo "user default on #$PASSHASH ~* &* +@all" >> /etc/valkey/users.acl
# Set final permissions
chmod 0400 /etc/valkey/users.acl
log "ACL file created with 0400 permissions"
# Replica mode configuration # Replica mode configuration
log "Configuring replication mode" log "Configuring replication mode"
@@ -73,7 +126,16 @@ data:
echo "# Replica Configuration" echo "# Replica Configuration"
echo "replicaof $MASTER_HOST $MASTER_PORT" echo "replicaof $MASTER_HOST $MASTER_PORT"
echo "replica-announce-ip postiz-valkey-$POD_INDEX.postiz-valkey-headless.postiz.svc.cluster.local" echo "replica-announce-ip postiz-valkey-$POD_INDEX.postiz-valkey-headless.postiz.svc.cluster.local"
echo ""
echo "# Master authentication"
} >>"$VALKEY_CONFIG" } >>"$VALKEY_CONFIG"
# Get the password for the replication user
REPL_PASSWORD=$(get_user_password "default" "default") || exit 1
# Write masterauth configuration
echo "masterauth $REPL_PASSWORD" >>"$VALKEY_CONFIG"
echo "masteruser default" >>"$VALKEY_CONFIG"
log "Configured masterauth with user default"
fi fi
# Append extra configs if present # Append extra configs if present

45
clusters/cl01tl/manifests/postiz/Pod-postiz-valkey-test-auth-existing.yaml Normal file
View File

@@ -0,0 +1,45 @@
apiVersion: v1
kind: Pod
metadata:
name: postiz-valkey-test-auth-existing
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: postiz
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
restartPolicy: Never
containers:
- name: test-auth
image: "valkey/valkey:9.0.3"
command:
- sh
- -c
- |
set -e
echo "Testing authentication with usersExistingSecret..."
TLS_FLAGS=""
# Test basic connection (no auth - will fail if auth is properly configured)
PING_RESULT=$(valkey-cli -h postiz-valkey -p 6379 $TLS_FLAGS PING 2>&1 || true)
if [ "$PING_RESULT" = "PONG" ]; then
echo "✗ Authentication test failed: server allows unauthenticated access"
exit 1
fi
echo "✓ Authentication is enforced (unauthenticated access denied)"
echo "✓ Received expected error: $PING_RESULT"
echo "⚠ Manual verification recommended for usersExistingSecret configuration"
exit 0
volumeMounts:
- name: valkey-users-secret
mountPath: /valkey-users-secret
readOnly: true
volumes:
- name: valkey-users-secret
secret:
secretName: postiz-valkey-config

16
clusters/cl01tl/manifests/postiz/StatefulSet-postiz-valkey.yaml
View File

@@ -32,7 +32,7 @@ spec:
app.kubernetes.io/name: valkey app.kubernetes.io/name: valkey
app.kubernetes.io/instance: postiz app.kubernetes.io/instance: postiz
annotations: annotations:
checksum/initconfig: "8ebc9d0805e0ac2e6000ec208f86483c" checksum/initconfig: "fe93fb7000602d0fb3b36b111a77c4a3"
spec: spec:
automountServiceAccountToken: false automountServiceAccountToken: false
serviceAccountName: postiz-valkey serviceAccountName: postiz-valkey
@@ -62,6 +62,11 @@ spec:
mountPath: /data mountPath: /data
- name: scripts - name: scripts
mountPath: /scripts mountPath: /scripts
- name: valkey-acl
mountPath: /etc/valkey
- name: valkey-users-secret
mountPath: /valkey-users-secret
readOnly: true
containers: containers:
- name: postiz-valkey - name: postiz-valkey
image: docker.io/valkey/valkey:9.0.3 image: docker.io/valkey/valkey:9.0.3
@@ -99,6 +104,8 @@ spec:
volumeMounts: volumeMounts:
- name: valkey-data - name: valkey-data
mountPath: /data mountPath: /data
- name: valkey-acl
mountPath: /etc/valkey
- name: metrics - name: metrics
image: ghcr.io/oliver006/redis_exporter:v1.81.0 image: ghcr.io/oliver006/redis_exporter:v1.81.0
imagePullPolicy: "IfNotPresent" imagePullPolicy: "IfNotPresent"
@@ -127,3 +134,10 @@ spec:
configMap: configMap:
name: postiz-valkey-init-scripts name: postiz-valkey-init-scripts
defaultMode: 0555 defaultMode: 0555
- name: valkey-acl
emptyDir:
medium: Memory
- name: valkey-users-secret
secret:
secretName: postiz-valkey-config
defaultMode: 0400

6
clusters/cl01tl/manifests/tubearchivist/StatefulSet-tubearchivist-valkey.yaml
View File

@@ -25,7 +25,7 @@ spec:
storageClassName: "ceph-block" storageClassName: "ceph-block"
resources: resources:
requests: requests:
storage: "1Gi" storage: "10Gi"
template: template:
metadata: metadata:
labels: labels:
@@ -94,8 +94,8 @@ spec:
command: ["sh", "-c", "valkey-cli ping"] command: ["sh", "-c", "valkey-cli ping"]
resources: resources:
requests: requests:
cpu: 10m cpu: 100m
memory: 128Mi memory: 1Gi
volumeMounts: volumeMounts:
- name: valkey-data - name: valkey-data
mountPath: /data mountPath: /data