clusters/cl01tl/manifests/blocky/ConfigMap-blocky-valkey-init-scripts.yaml

@@ -46,35 +46,6 @@ data:
       echo "bind * -::*"
       echo "dir /data"
     } >>"$VALKEY_CONFIG"
-    # Replica mode configuration
-    log "Configuring replication mode"
-
-    # Use POD_INDEX from Kubernetes metadata
-    POD_INDEX=${POD_INDEX:-0}
-    IS_MASTER=false
-
-    # Check if this is pod-0 (master)
-    if [ "$POD_INDEX" = "0" ]; then
-      IS_MASTER=true
-      log "This pod (index $POD_INDEX) is configured as MASTER"
-    else
-      log "This pod (index $POD_INDEX) is configured as REPLICA"
-    fi
-
-    # Configure replica settings
-    if [ "$IS_MASTER" = "false" ]; then
-      MASTER_HOST="blocky-valkey-0.blocky-valkey-headless.blocky.svc.cluster.local"
-      MASTER_PORT="6379"
-
-      log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT"
-
-      {
-        echo ""
-        echo "# Replica Configuration"
-        echo "replicaof $MASTER_HOST $MASTER_PORT"
-        echo "replica-announce-ip blocky-valkey-$POD_INDEX.blocky-valkey-headless.blocky.svc.cluster.local"
-      } >>"$VALKEY_CONFIG"
-    fi
 
     # Append extra configs if present
     if [ -f /usr/local/etc/valkey/valkey.conf ]; then

clusters/cl01tl/manifests/blocky/Deployment-blocky-valkey.yaml

@@ -0,0 +1,113 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: blocky-valkey
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey
+    app.kubernetes.io/instance: blocky
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: valkey
+      app.kubernetes.io/instance: blocky
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: valkey
+        app.kubernetes.io/instance: blocky
+      annotations:
+        checksum/initconfig: 2d752b6b5c2e159b0111a667752e1fca
+    spec:
+      automountServiceAccountToken: false
+      serviceAccountName: blocky-valkey
+      securityContext:
+        fsGroup: 1000
+        runAsGroup: 1000
+        runAsUser: 1000
+      initContainers:
+        - name: blocky-valkey-init
+          image: docker.io/valkey/valkey:9.0.3
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+          command: ["/scripts/init.sh"]
+          volumeMounts:
+            - name: valkey-data
+              mountPath: /data
+            - name: scripts
+              mountPath: /scripts
+      containers:
+        - name: blocky-valkey
+          image: docker.io/valkey/valkey:9.0.3
+          imagePullPolicy: IfNotPresent
+          command: ["valkey-server"]
+          args: ["/data/conf/valkey.conf"]
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+          env:
+            - name: VALKEY_LOGLEVEL
+              value: "notice"
+          ports:
+            - name: tcp
+              containerPort: 6379
+              protocol: TCP
+          startupProbe:
+            exec:
+              command: ["sh", "-c", "valkey-cli ping"]
+          livenessProbe:
+            exec:
+              command: ["sh", "-c", "valkey-cli ping"]
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+          volumeMounts:
+            - name: valkey-data
+              mountPath: /data
+        - name: metrics
+          image: ghcr.io/oliver006/redis_exporter:v1.81.0
+          imagePullPolicy: "IfNotPresent"
+          ports:
+            - name: metrics
+              containerPort: 9121
+          startupProbe:
+            tcpSocket:
+              port: metrics
+          livenessProbe:
+            tcpSocket:
+              port: metrics
+          readinessProbe:
+            httpGet:
+              path: /
+              port: metrics
+          resources:
+            requests:
+              cpu: 10m
+              memory: 64M
+          env:
+            - name: REDIS_ALIAS
+              value: blocky-valkey
+      volumes:
+        - name: scripts
+          configMap:
+            name: blocky-valkey-init-scripts
+            defaultMode: 0555
+        - name: valkey-data
+          persistentVolumeClaim:
+            claimName: blocky-valkey

clusters/cl01tl/manifests/blocky/PersistentVolumeClaim-blocky-valkey.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: blocky-valkey
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey
+    app.kubernetes.io/instance: blocky
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: ceph-block

clusters/cl01tl/manifests/blocky/Service-blocky-valkey.yaml

@@ -19,4 +19,3 @@ spec:
   selector:
     app.kubernetes.io/name: valkey
     app.kubernetes.io/instance: blocky
-    statefulset.kubernetes.io/pod-name: blocky-valkey-0

clusters/cl01tl/manifests/directus/ConfigMap-directus-valkey-init-scripts.yaml

@@ -23,6 +23,28 @@ data:
     log() {
       echo "$(date) $1" | tee -a "$LOGFILE" >&2
     }
+    # Function to get password for a user
+    # Usage: get_user_password <username> [password_key]
+    # Returns: password via stdout, exits with error if not found
+    get_user_password() {
+      username="$1"
+      password_key="${2:-$username}"
+      password=""
+      # Try to get password from existing secret first (priority)
+      if [ -f "/valkey-users-secret/$password_key" ]; then
+        password=$(cat "/valkey-users-secret/$password_key")
+        log "Using password from existing secret for user $username"
+      elif [ -f "/valkey-auth-secret/${username}-password" ]; then
+        # Fallback to inline password
+        password=$(cat "/valkey-auth-secret/${username}-password")
+        log "Using inline password for user $username"
+      else
+        log "ERROR: No password found for user $username"
+        return 1
+      fi
+
+      echo "$password"
+    }
 
     # Clean old log if requested
     if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
@@ -46,6 +68,37 @@ data:
       echo "bind * -::*"
       echo "dir /data"
     } >>"$VALKEY_CONFIG"
+    # Create secure directory for ACL file
+    log "Creating /etc/valkey directory for ACL file"
+    mkdir -p /etc/valkey
+
+    # Set aclfile path in valkey.conf
+    echo "aclfile /etc/valkey/users.acl" >>"$VALKEY_CONFIG"
+
+    # Remove or reset existing ACL file if present (it may be read-only from previous run)
+    log "Preparing ACL file at /etc/valkey/users.acl"
+    if [ -f /etc/valkey/users.acl ]; then
+      log "Removing existing read-only users.acl file"
+      chmod 0600 /etc/valkey/users.acl
+      rm -f /etc/valkey/users.acl
+    fi
+
+    # Create ACL file with secure permissions
+    touch /etc/valkey/users.acl
+    chmod 0600 /etc/valkey/users.acl
+    # Generate ACL entries for each user
+    log "Generating ACL entries for users"
+
+    # User: default
+    PASSWORD=$(get_user_password "default" "default") || exit 1
+
+    # Hash the password and write ACL entry
+    PASSHASH=$(echo -n "$PASSWORD" | sha256sum | cut -f 1 -d " ")
+    echo "user default on #$PASSHASH ~* &* +@all" >> /etc/valkey/users.acl
+
+    # Set final permissions
+    chmod 0400 /etc/valkey/users.acl
+    log "ACL file created with 0400 permissions"
     # Replica mode configuration
     log "Configuring replication mode"
 
@@ -73,7 +126,16 @@ data:
         echo "# Replica Configuration"
         echo "replicaof $MASTER_HOST $MASTER_PORT"
         echo "replica-announce-ip directus-valkey-$POD_INDEX.directus-valkey-headless.directus.svc.cluster.local"
+        echo ""
+        echo "# Master authentication"
       } >>"$VALKEY_CONFIG"
+      # Get the password for the replication user
+      REPL_PASSWORD=$(get_user_password "default" "default") || exit 1
+
+      # Write masterauth configuration
+      echo "masterauth $REPL_PASSWORD" >>"$VALKEY_CONFIG"
+      echo "masteruser default" >>"$VALKEY_CONFIG"
+      log "Configured masterauth with user default"
     fi
 
     # Append extra configs if present

clusters/cl01tl/manifests/directus/Pod-directus-valkey-test-auth-existing.yaml

@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: directus-valkey-test-auth-existing
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey
+    app.kubernetes.io/instance: directus
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  restartPolicy: Never
+  containers:
+    - name: test-auth
+      image: "valkey/valkey:9.0.3"
+      command:
+        - sh
+        - -c
+        - |
+          set -e
+          echo "Testing authentication with usersExistingSecret..."
+          TLS_FLAGS=""
+
+          # Test basic connection (no auth - will fail if auth is properly configured)
+          PING_RESULT=$(valkey-cli -h directus-valkey -p 6379 $TLS_FLAGS PING 2>&1 || true)
+          if [ "$PING_RESULT" = "PONG" ]; then
+            echo "✗ Authentication test failed: server allows unauthenticated access"
+            exit 1
+          fi
+
+          echo "✓ Authentication is enforced (unauthenticated access denied)"
+          echo "✓ Received expected error: $PING_RESULT"
+          echo "⚠ Manual verification recommended for usersExistingSecret configuration"
+          exit 0
+      volumeMounts:
+        - name: valkey-users-secret
+          mountPath: /valkey-users-secret
+          readOnly: true
+  volumes:
+    - name: valkey-users-secret
+      secret:
+        secretName: directus-valkey-config

clusters/cl01tl/manifests/directus/StatefulSet-directus-valkey.yaml

@@ -32,7 +32,7 @@ spec:
         app.kubernetes.io/name: valkey
         app.kubernetes.io/instance: directus
       annotations:
-        checksum/initconfig: "1a02492c8a38ab0baf1fc607dedf1a27"
+        checksum/initconfig: "6307ecb287c2f05dc09ba3cf7cdfd155"
     spec:
       automountServiceAccountToken: false
       serviceAccountName: directus-valkey
@@ -62,6 +62,11 @@ spec:
               mountPath: /data
             - name: scripts
               mountPath: /scripts
+            - name: valkey-acl
+              mountPath: /etc/valkey
+            - name: valkey-users-secret
+              mountPath: /valkey-users-secret
+              readOnly: true
       containers:
         - name: directus-valkey
           image: docker.io/valkey/valkey:9.0.3
@@ -99,6 +104,8 @@ spec:
           volumeMounts:
             - name: valkey-data
               mountPath: /data
+            - name: valkey-acl
+              mountPath: /etc/valkey
         - name: metrics
           image: ghcr.io/oliver006/redis_exporter:v1.81.0
           imagePullPolicy: "IfNotPresent"
@@ -127,3 +134,10 @@ spec:
           configMap:
             name: directus-valkey-init-scripts
             defaultMode: 0555
+        - name: valkey-acl
+          emptyDir:
+            medium: Memory
+        - name: valkey-users-secret
+          secret:
+            secretName: directus-valkey-config
+            defaultMode: 0400

clusters/cl01tl/manifests/gitea/ConfigMap-gitea-valkey-renovate-init-scripts.yaml

@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gitea-valkey-renovate-init-scripts
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-renovate
+    app.kubernetes.io/instance: gitea
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+data:
+  init.sh: |-
+    #!/bin/sh
+    set -eu
+
+    # Default config paths
+    VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf}
+
+    LOGFILE="/data/init.log"
+    DATA_DIR="/data/conf"
+
+    # Logging function (outputs to stderr and file)
+    log() {
+      echo "$(date) $1" | tee -a "$LOGFILE" >&2
+    }
+
+    # Clean old log if requested
+    if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
+      rm -f "$LOGFILE"
+    fi
+
+    if [ -f "$LOGFILE" ]; then
+      log "Detected restart of this instance ($HOSTNAME)"
+    fi
+
+    log "Creating configuration in $DATA_DIR..."
+    mkdir -p "$DATA_DIR"
+    rm -f "$VALKEY_CONFIG"
+
+
+    # Base valkey.conf
+    log "Generating base valkey.conf"
+    {
+      echo "port 6379"
+      echo "protected-mode no"
+      echo "bind * -::*"
+      echo "dir /data"
+    } >>"$VALKEY_CONFIG"
+
+    # Append extra configs if present
+    if [ -f /usr/local/etc/valkey/valkey.conf ]; then
+      log "Appending /usr/local/etc/valkey/valkey.conf"
+      cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG"
+    fi
+    if [ -d /extravalkeyconfigs ]; then
+      log "Appending files in /extravalkeyconfigs/"
+      cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG"
+    fi

clusters/cl01tl/manifests/gitea/Deployment-gitea-valkey-renovate.yaml

@@ -0,0 +1,113 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea-valkey-renovate
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-renovate
+    app.kubernetes.io/instance: gitea
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: valkey-renovate
+      app.kubernetes.io/instance: gitea
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: valkey-renovate
+        app.kubernetes.io/instance: gitea
+      annotations:
+        checksum/initconfig: f77fc408ed818f9e2bd789f0e95a4172
+    spec:
+      automountServiceAccountToken: false
+      serviceAccountName: gitea-valkey-renovate
+      securityContext:
+        fsGroup: 1000
+        runAsGroup: 1000
+        runAsUser: 1000
+      initContainers:
+        - name: gitea-valkey-renovate-init
+          image: docker.io/valkey/valkey:9.0.3
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+          command: ["/scripts/init.sh"]
+          volumeMounts:
+            - name: valkey-data
+              mountPath: /data
+            - name: scripts
+              mountPath: /scripts
+      containers:
+        - name: gitea-valkey-renovate
+          image: docker.io/valkey/valkey:9.0.3
+          imagePullPolicy: IfNotPresent
+          command: ["valkey-server"]
+          args: ["/data/conf/valkey.conf"]
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+          env:
+            - name: VALKEY_LOGLEVEL
+              value: "notice"
+          ports:
+            - name: tcp
+              containerPort: 6379
+              protocol: TCP
+          startupProbe:
+            exec:
+              command: ["sh", "-c", "valkey-cli ping"]
+          livenessProbe:
+            exec:
+              command: ["sh", "-c", "valkey-cli ping"]
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+          volumeMounts:
+            - name: valkey-data
+              mountPath: /data
+        - name: metrics
+          image: ghcr.io/oliver006/redis_exporter:v1.81.0
+          imagePullPolicy: "IfNotPresent"
+          ports:
+            - name: metrics
+              containerPort: 9121
+          startupProbe:
+            tcpSocket:
+              port: metrics
+          livenessProbe:
+            tcpSocket:
+              port: metrics
+          readinessProbe:
+            httpGet:
+              path: /
+              port: metrics
+          resources:
+            requests:
+              cpu: 10m
+              memory: 64M
+          env:
+            - name: REDIS_ALIAS
+              value: gitea-valkey-renovate
+      volumes:
+        - name: scripts
+          configMap:
+            name: gitea-valkey-renovate-init-scripts
+            defaultMode: 0555
+        - name: valkey-data
+          persistentVolumeClaim:
+            claimName: gitea-valkey-renovate

clusters/cl01tl/manifests/gitea/PersistentVolumeClaim-gitea-valkey-renovate.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-valkey-renovate
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-renovate
+    app.kubernetes.io/instance: gitea
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: ceph-block

clusters/cl01tl/manifests/gitea/PodMonitor-gitea-valkey-renovate.yaml

@@ -0,0 +1,23 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: gitea-valkey-renovate
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-renovate
+    app.kubernetes.io/instance: gitea
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: valkey
+    app.kubernetes.io/component: podmonitor
+spec:
+  podMetricsEndpoints:
+    - port: metrics
+      interval: 30s
+  namespaceSelector:
+    matchNames:
+      - gitea
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: valkey-renovate
+      app.kubernetes.io/instance: gitea

clusters/cl01tl/manifests/gitea/PrometheusRule-gitea-valkey-renovate.yaml

@@ -0,0 +1,47 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: gitea-valkey-renovate
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-renovate
+    app.kubernetes.io/instance: gitea
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: valkey
+spec:
+  groups:
+    - name: gitea-valkey-renovate
+      rules:
+        - alert: ValkeyDown
+          annotations:
+            description: Valkey instance {{ $labels.instance }} is down.
+            summary: Valkey instance {{ $labels.instance }} down
+          expr: |
+            redis_up{service="gitea-valkey-renovate-metrics"} == 0
+          for: 2m
+          labels:
+            severity: error
+        - alert: ValkeyMemoryHigh
+          annotations:
+            description: |
+              Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory.
+            summary: Valkey instance {{ $labels.instance }} is using too much memory
+          expr: |
+            redis_memory_used_bytes{service="gitea-valkey-renovate-metrics"} * 100
+            /
+            redis_memory_max_bytes{service="gitea-valkey-renovate-metrics"}
+            > 90 <= 100
+          for: 2m
+          labels:
+            severity: error
+        - alert: ValkeyKeyEviction
+          annotations:
+            description: |
+              Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes.
+            summary: Valkey instance {{ $labels.instance }} has evicted keys
+          expr: |
+            increase(redis_evicted_keys_total{service="gitea-valkey-renovate-metrics"}[5m]) > 0
+          for: 1s
+          labels:
+            severity: error

clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate-metrics.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-valkey-renovate-metrics
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-renovate
+    app.kubernetes.io/instance: gitea
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: valkey
+  annotations:
+spec:
+  type: ClusterIP
+  ports:
+    - name: metrics
+      port: 9121
+      protocol: TCP
+      targetPort: metrics
+  selector:
+    app.kubernetes.io/name: valkey-renovate
+    app.kubernetes.io/instance: gitea

clusters/cl01tl/manifests/gitea/Service-gitea-valkey-renovate.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-valkey-renovate
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-renovate
+    app.kubernetes.io/instance: gitea
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: primary
+spec:
+  type: ClusterIP
+  ports:
+    - port: 6379
+      targetPort: tcp
+      protocol: TCP
+      name: tcp
+  selector:
+    app.kubernetes.io/name: valkey-renovate
+    app.kubernetes.io/instance: gitea

clusters/cl01tl/manifests/gitea/ServiceAccount-gitea-valkey-renovate.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gitea-valkey-renovate
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-renovate
+    app.kubernetes.io/instance: gitea
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+automountServiceAccountToken: false

clusters/cl01tl/manifests/gitea/ServiceMonitor-gitea-valkey-renovate.yaml

@@ -0,0 +1,24 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: gitea-valkey-renovate
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-renovate
+    app.kubernetes.io/instance: gitea
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: valkey
+    app.kubernetes.io/component: service-monitor
+spec:
+  endpoints:
+    - port: metrics
+      interval: 30s
+  namespaceSelector:
+    matchNames:
+      - gitea
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: valkey-renovate
+      app.kubernetes.io/instance: gitea
+      app.kubernetes.io/component: metrics

clusters/cl01tl/manifests/gitea/StatefulSet-gitea-valkey.yaml

@@ -25,7 +25,7 @@ spec:
         storageClassName: "ceph-block"
         resources:
           requests:
-            storage: "1Gi"
+            storage: "10Gi"
   template:
     metadata:
       labels:
@@ -94,8 +94,8 @@ spec:
               command: ["sh", "-c", "valkey-cli ping"]
           resources:
             requests:
-              cpu: 10m
-              memory: 128Mi
+              cpu: 20m
+              memory: 256Mi
           volumeMounts:
             - name: valkey-data
               mountPath: /data

clusters/cl01tl/manifests/grafana-operator/ConfigMap-grafana-operator-valkey-remote-cache-init-scripts.yaml

@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-operator-valkey-remote-cache-init-scripts
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-remote-cache
+    app.kubernetes.io/instance: grafana-operator
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+data:
+  init.sh: |-
+    #!/bin/sh
+    set -eu
+
+    # Default config paths
+    VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf}
+
+    LOGFILE="/data/init.log"
+    DATA_DIR="/data/conf"
+
+    # Logging function (outputs to stderr and file)
+    log() {
+      echo "$(date) $1" | tee -a "$LOGFILE" >&2
+    }
+
+    # Clean old log if requested
+    if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
+      rm -f "$LOGFILE"
+    fi
+
+    if [ -f "$LOGFILE" ]; then
+      log "Detected restart of this instance ($HOSTNAME)"
+    fi
+
+    log "Creating configuration in $DATA_DIR..."
+    mkdir -p "$DATA_DIR"
+    rm -f "$VALKEY_CONFIG"
+
+
+    # Base valkey.conf
+    log "Generating base valkey.conf"
+    {
+      echo "port 6379"
+      echo "protected-mode no"
+      echo "bind * -::*"
+      echo "dir /data"
+    } >>"$VALKEY_CONFIG"
+
+    # Append extra configs if present
+    if [ -f /usr/local/etc/valkey/valkey.conf ]; then
+      log "Appending /usr/local/etc/valkey/valkey.conf"
+      cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG"
+    fi
+    if [ -d /extravalkeyconfigs ]; then
+      log "Appending files in /extravalkeyconfigs/"
+      cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG"
+    fi

clusters/cl01tl/manifests/grafana-operator/ConfigMap-grafana-operator-valkey-unified-alerting-init-scripts.yaml

@@ -0,0 +1,87 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grafana-operator-valkey-unified-alerting-init-scripts
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-unified-alerting
+    app.kubernetes.io/instance: grafana-operator
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+data:
+  init.sh: |-
+    #!/bin/sh
+    set -eu
+
+    # Default config paths
+    VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf}
+
+    LOGFILE="/data/init.log"
+    DATA_DIR="/data/conf"
+
+    # Logging function (outputs to stderr and file)
+    log() {
+      echo "$(date) $1" | tee -a "$LOGFILE" >&2
+    }
+
+    # Clean old log if requested
+    if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
+      rm -f "$LOGFILE"
+    fi
+
+    if [ -f "$LOGFILE" ]; then
+      log "Detected restart of this instance ($HOSTNAME)"
+    fi
+
+    log "Creating configuration in $DATA_DIR..."
+    mkdir -p "$DATA_DIR"
+    rm -f "$VALKEY_CONFIG"
+
+
+    # Base valkey.conf
+    log "Generating base valkey.conf"
+    {
+      echo "port 6379"
+      echo "protected-mode no"
+      echo "bind * -::*"
+      echo "dir /data"
+    } >>"$VALKEY_CONFIG"
+    # Replica mode configuration
+    log "Configuring replication mode"
+
+    # Use POD_INDEX from Kubernetes metadata
+    POD_INDEX=${POD_INDEX:-0}
+    IS_MASTER=false
+
+    # Check if this is pod-0 (master)
+    if [ "$POD_INDEX" = "0" ]; then
+      IS_MASTER=true
+      log "This pod (index $POD_INDEX) is configured as MASTER"
+    else
+      log "This pod (index $POD_INDEX) is configured as REPLICA"
+    fi
+
+    # Configure replica settings
+    if [ "$IS_MASTER" = "false" ]; then
+      MASTER_HOST="grafana-operator-valkey-unified-alerting-0.grafana-operator-valkey-unified-alerting-headless.grafana-operator.svc.cluster.local"
+      MASTER_PORT="6379"
+
+      log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT"
+
+      {
+        echo ""
+        echo "# Replica Configuration"
+        echo "replicaof $MASTER_HOST $MASTER_PORT"
+        echo "replica-announce-ip grafana-operator-valkey-unified-alerting-$POD_INDEX.grafana-operator-valkey-unified-alerting-headless.grafana-operator.svc.cluster.local"
+      } >>"$VALKEY_CONFIG"
+    fi
+
+    # Append extra configs if present
+    if [ -f /usr/local/etc/valkey/valkey.conf ]; then
+      log "Appending /usr/local/etc/valkey/valkey.conf"
+      cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG"
+    fi
+    if [ -d /extravalkeyconfigs ]; then
+      log "Appending files in /extravalkeyconfigs/"
+      cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG"
+    fi

clusters/cl01tl/manifests/grafana-operator/Deployment-grafana-operator-valkey-remote-cache.yaml

@@ -0,0 +1,113 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: grafana-operator-valkey-remote-cache
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-remote-cache
+    app.kubernetes.io/instance: grafana-operator
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: valkey-remote-cache
+      app.kubernetes.io/instance: grafana-operator
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: valkey-remote-cache
+        app.kubernetes.io/instance: grafana-operator
+      annotations:
+        checksum/initconfig: d790dfe3185267fe6c217c9572cfa9fb
+    spec:
+      automountServiceAccountToken: false
+      serviceAccountName: grafana-operator-valkey-remote-cache
+      securityContext:
+        fsGroup: 1000
+        runAsGroup: 1000
+        runAsUser: 1000
+      initContainers:
+        - name: grafana-operator-valkey-remote-cache-init
+          image: docker.io/valkey/valkey:9.0.3
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+          command: ["/scripts/init.sh"]
+          volumeMounts:
+            - name: valkey-data
+              mountPath: /data
+            - name: scripts
+              mountPath: /scripts
+      containers:
+        - name: grafana-operator-valkey-remote-cache
+          image: docker.io/valkey/valkey:9.0.3
+          imagePullPolicy: IfNotPresent
+          command: ["valkey-server"]
+          args: ["/data/conf/valkey.conf"]
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+          env:
+            - name: VALKEY_LOGLEVEL
+              value: "notice"
+          ports:
+            - name: tcp
+              containerPort: 6379
+              protocol: TCP
+          startupProbe:
+            exec:
+              command: ["sh", "-c", "valkey-cli ping"]
+          livenessProbe:
+            exec:
+              command: ["sh", "-c", "valkey-cli ping"]
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+          volumeMounts:
+            - name: valkey-data
+              mountPath: /data
+        - name: metrics
+          image: ghcr.io/oliver006/redis_exporter:v1.81.0
+          imagePullPolicy: "IfNotPresent"
+          ports:
+            - name: metrics
+              containerPort: 9121
+          startupProbe:
+            tcpSocket:
+              port: metrics
+          livenessProbe:
+            tcpSocket:
+              port: metrics
+          readinessProbe:
+            httpGet:
+              path: /
+              port: metrics
+          resources:
+            requests:
+              cpu: 10m
+              memory: 64M
+          env:
+            - name: REDIS_ALIAS
+              value: grafana-operator-valkey-remote-cache
+      volumes:
+        - name: scripts
+          configMap:
+            name: grafana-operator-valkey-remote-cache-init-scripts
+            defaultMode: 0555
+        - name: valkey-data
+          persistentVolumeClaim:
+            claimName: grafana-operator-valkey-remote-cache

clusters/cl01tl/manifests/grafana-operator/PersistentVolumeClaim-grafana-operator-valkey-remote-cache.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: grafana-operator-valkey-remote-cache
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-remote-cache
+    app.kubernetes.io/instance: grafana-operator
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: ceph-block

clusters/cl01tl/manifests/grafana-operator/PodMonitor-grafana-operator-valkey-remote-cache.yaml

@@ -1,10 +1,10 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
-  name: grafana-operator-valkey
+  name: grafana-operator-valkey-remote-cache
   labels:
     helm.sh/chart: valkey-0.9.3
-    app.kubernetes.io/name: valkey
+    app.kubernetes.io/name: valkey-remote-cache
     app.kubernetes.io/instance: grafana-operator
     app.kubernetes.io/version: "9.0.3"
     app.kubernetes.io/managed-by: Helm
@@ -19,5 +19,5 @@ spec:
       - grafana-operator
   selector:
     matchLabels:
-      app.kubernetes.io/name: valkey
+      app.kubernetes.io/name: valkey-remote-cache
       app.kubernetes.io/instance: grafana-operator

clusters/cl01tl/manifests/grafana-operator/PodMonitor-grafana-operator-valkey-unified-alerting.yaml

@@ -0,0 +1,23 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: grafana-operator-valkey-unified-alerting
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-unified-alerting
+    app.kubernetes.io/instance: grafana-operator
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: valkey
+    app.kubernetes.io/component: podmonitor
+spec:
+  podMetricsEndpoints:
+    - port: metrics
+      interval: 30s
+  namespaceSelector:
+    matchNames:
+      - grafana-operator
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: valkey-unified-alerting
+      app.kubernetes.io/instance: grafana-operator

clusters/cl01tl/manifests/grafana-operator/PrometheusRule-grafana-operator-valkey-remote-cache.yaml

@@ -1,24 +1,24 @@
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
-  name: grafana-operator-valkey
+  name: grafana-operator-valkey-remote-cache
   labels:
     helm.sh/chart: valkey-0.9.3
-    app.kubernetes.io/name: valkey
+    app.kubernetes.io/name: valkey-remote-cache
     app.kubernetes.io/instance: grafana-operator
     app.kubernetes.io/version: "9.0.3"
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/part-of: valkey
 spec:
   groups:
-    - name: grafana-operator-valkey
+    - name: grafana-operator-valkey-remote-cache
       rules:
         - alert: ValkeyDown
           annotations:
             description: Valkey instance {{ $labels.instance }} is down.
             summary: Valkey instance {{ $labels.instance }} down
           expr: |
-            redis_up{service="grafana-operator-valkey-metrics"} == 0
+            redis_up{service="grafana-operator-valkey-remote-cache-metrics"} == 0
           for: 2m
           labels:
             severity: error
@@ -28,9 +28,9 @@ spec:
               Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory.
             summary: Valkey instance {{ $labels.instance }} is using too much memory
           expr: |
-            redis_memory_used_bytes{service="grafana-operator-valkey-metrics"} * 100
+            redis_memory_used_bytes{service="grafana-operator-valkey-remote-cache-metrics"} * 100
             /
-            redis_memory_max_bytes{service="grafana-operator-valkey-metrics"}
+            redis_memory_max_bytes{service="grafana-operator-valkey-remote-cache-metrics"}
             > 90 <= 100
           for: 2m
           labels:
@@ -41,7 +41,7 @@ spec:
               Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes.
             summary: Valkey instance {{ $labels.instance }} has evicted keys
           expr: |
-            increase(redis_evicted_keys_total{service="grafana-operator-valkey-metrics"}[5m]) > 0
+            increase(redis_evicted_keys_total{service="grafana-operator-valkey-remote-cache-metrics"}[5m]) > 0
           for: 1s
           labels:
             severity: error

clusters/cl01tl/manifests/grafana-operator/PrometheusRule-grafana-operator-valkey-unified-alerting.yaml

@@ -0,0 +1,47 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: grafana-operator-valkey-unified-alerting
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-unified-alerting
+    app.kubernetes.io/instance: grafana-operator
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: valkey
+spec:
+  groups:
+    - name: grafana-operator-valkey-unified-alerting
+      rules:
+        - alert: ValkeyDown
+          annotations:
+            description: Valkey instance {{ $labels.instance }} is down.
+            summary: Valkey instance {{ $labels.instance }} down
+          expr: |
+            redis_up{service="grafana-operator-valkey-unified-alerting-metrics"} == 0
+          for: 2m
+          labels:
+            severity: error
+        - alert: ValkeyMemoryHigh
+          annotations:
+            description: |
+              Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory.
+            summary: Valkey instance {{ $labels.instance }} is using too much memory
+          expr: |
+            redis_memory_used_bytes{service="grafana-operator-valkey-unified-alerting-metrics"} * 100
+            /
+            redis_memory_max_bytes{service="grafana-operator-valkey-unified-alerting-metrics"}
+            > 90 <= 100
+          for: 2m
+          labels:
+            severity: error
+        - alert: ValkeyKeyEviction
+          annotations:
+            description: |
+              Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes.
+            summary: Valkey instance {{ $labels.instance }} has evicted keys
+          expr: |
+            increase(redis_evicted_keys_total{service="grafana-operator-valkey-unified-alerting-metrics"}[5m]) > 0
+          for: 1s
+          labels:
+            severity: error

clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-remote-cache-metrics.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: grafana-operator-valkey-remote-cache-metrics
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-remote-cache
+    app.kubernetes.io/instance: grafana-operator
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: valkey
+  annotations:
+spec:
+  type: ClusterIP
+  ports:
+    - name: metrics
+      port: 9121
+      protocol: TCP
+      targetPort: metrics
+  selector:
+    app.kubernetes.io/name: valkey-remote-cache
+    app.kubernetes.io/instance: grafana-operator

clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-remote-cache.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: grafana-operator-valkey-remote-cache
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-remote-cache
+    app.kubernetes.io/instance: grafana-operator
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: primary
+spec:
+  type: ClusterIP
+  ports:
+    - port: 6379
+      targetPort: tcp
+      protocol: TCP
+      name: tcp
+  selector:
+    app.kubernetes.io/name: valkey-remote-cache
+    app.kubernetes.io/instance: grafana-operator

clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting-headless.yaml

@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: grafana-operator-valkey-headless
+  name: grafana-operator-valkey-unified-alerting-headless
   labels:
     helm.sh/chart: valkey-0.9.3
-    app.kubernetes.io/name: valkey
+    app.kubernetes.io/name: valkey-unified-alerting
     app.kubernetes.io/instance: grafana-operator
     app.kubernetes.io/version: "9.0.3"
     app.kubernetes.io/managed-by: Helm
@@ -19,5 +19,5 @@ spec:
       targetPort: tcp
       protocol: TCP
   selector:
-    app.kubernetes.io/name: valkey
+    app.kubernetes.io/name: valkey-unified-alerting
     app.kubernetes.io/instance: grafana-operator

clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting-metrics.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: grafana-operator-valkey-unified-alerting-metrics
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-unified-alerting
+    app.kubernetes.io/instance: grafana-operator
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: valkey
+  annotations:
+spec:
+  type: ClusterIP
+  ports:
+    - name: metrics
+      port: 9121
+      protocol: TCP
+      targetPort: metrics
+  selector:
+    app.kubernetes.io/name: valkey-unified-alerting
+    app.kubernetes.io/instance: grafana-operator

clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting-read.yaml

@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: grafana-operator-valkey-read
+  name: grafana-operator-valkey-unified-alerting-read
   labels:
     helm.sh/chart: valkey-0.9.3
-    app.kubernetes.io/name: valkey
+    app.kubernetes.io/name: valkey-unified-alerting
     app.kubernetes.io/instance: grafana-operator
     app.kubernetes.io/version: "9.0.3"
     app.kubernetes.io/managed-by: Helm
@@ -17,5 +17,5 @@ spec:
       targetPort: tcp
       protocol: TCP
   selector:
-    app.kubernetes.io/name: valkey
+    app.kubernetes.io/name: valkey-unified-alerting
     app.kubernetes.io/instance: grafana-operator

clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-valkey-unified-alerting.yaml

@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: grafana-operator-valkey
+  name: grafana-operator-valkey-unified-alerting
   labels:
     helm.sh/chart: valkey-0.9.3
-    app.kubernetes.io/name: valkey
+    app.kubernetes.io/name: valkey-unified-alerting
     app.kubernetes.io/instance: grafana-operator
     app.kubernetes.io/version: "9.0.3"
     app.kubernetes.io/managed-by: Helm
@@ -17,6 +17,6 @@ spec:
       protocol: TCP
       name: tcp
   selector:
-    app.kubernetes.io/name: valkey
+    app.kubernetes.io/name: valkey-unified-alerting
     app.kubernetes.io/instance: grafana-operator
-    statefulset.kubernetes.io/pod-name: grafana-operator-valkey-0
+    statefulset.kubernetes.io/pod-name: grafana-operator-valkey-unified-alerting-0

clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator-valkey-remote-cache.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: grafana-operator-valkey-remote-cache
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-remote-cache
+    app.kubernetes.io/instance: grafana-operator
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+automountServiceAccountToken: false

clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator-valkey-unified-alerting.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: grafana-operator-valkey-unified-alerting
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-unified-alerting
+    app.kubernetes.io/instance: grafana-operator
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+automountServiceAccountToken: false

clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator-valkey-remote-cache.yaml

@@ -1,10 +1,10 @@
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
-  name: grafana-operator-valkey
+  name: grafana-operator-valkey-remote-cache
   labels:
     helm.sh/chart: valkey-0.9.3
-    app.kubernetes.io/name: valkey
+    app.kubernetes.io/name: valkey-remote-cache
     app.kubernetes.io/instance: grafana-operator
     app.kubernetes.io/version: "9.0.3"
     app.kubernetes.io/managed-by: Helm
@@ -19,6 +19,6 @@ spec:
       - grafana-operator
   selector:
     matchLabels:
-      app.kubernetes.io/name: valkey
+      app.kubernetes.io/name: valkey-remote-cache
       app.kubernetes.io/instance: grafana-operator
       app.kubernetes.io/component: metrics

clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator-valkey-unified-alerting.yaml

@@ -0,0 +1,24 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: grafana-operator-valkey-unified-alerting
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-unified-alerting
+    app.kubernetes.io/instance: grafana-operator
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: valkey
+    app.kubernetes.io/component: service-monitor
+spec:
+  endpoints:
+    - port: metrics
+      interval: 30s
+  namespaceSelector:
+    matchNames:
+      - grafana-operator
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: valkey-unified-alerting
+      app.kubernetes.io/instance: grafana-operator
+      app.kubernetes.io/component: metrics

clusters/cl01tl/manifests/grafana-operator/StatefulSet-grafana-operator-valkey-unified-alerting.yaml

@@ -1,20 +1,20 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-  name: grafana-operator-valkey
+  name: grafana-operator-valkey-unified-alerting
   labels:
     helm.sh/chart: valkey-0.9.3
-    app.kubernetes.io/name: valkey
+    app.kubernetes.io/name: valkey-unified-alerting
     app.kubernetes.io/instance: grafana-operator
     app.kubernetes.io/version: "9.0.3"
     app.kubernetes.io/managed-by: Helm
 spec:
-  serviceName: grafana-operator-valkey-headless
+  serviceName: grafana-operator-valkey-unified-alerting-headless
   replicas: 3
   podManagementPolicy: OrderedReady
   selector:
     matchLabels:
-      app.kubernetes.io/name: valkey
+      app.kubernetes.io/name: valkey-unified-alerting
       app.kubernetes.io/instance: grafana-operator
   volumeClaimTemplates:
     - metadata:
@@ -29,19 +29,19 @@ spec:
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: valkey
+        app.kubernetes.io/name: valkey-unified-alerting
         app.kubernetes.io/instance: grafana-operator
       annotations:
-        checksum/initconfig: "4e54d550c2f6ca49dbd7140e4d7a0cdc"
+        checksum/initconfig: "cc97af05b1fa8109e641f83996efbf01"
     spec:
       automountServiceAccountToken: false
-      serviceAccountName: grafana-operator-valkey
+      serviceAccountName: grafana-operator-valkey-unified-alerting
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
         runAsUser: 1000
       initContainers:
-        - name: grafana-operator-valkey-init
+        - name: grafana-operator-valkey-unified-alerting-init
           image: docker.io/valkey/valkey:9.0.3
           imagePullPolicy: IfNotPresent
           securityContext:
@@ -63,7 +63,7 @@ spec:
             - name: scripts
               mountPath: /scripts
       containers:
-        - name: grafana-operator-valkey
+        - name: grafana-operator-valkey-unified-alerting
           image: docker.io/valkey/valkey:9.0.3
           imagePullPolicy: IfNotPresent
           command: ["valkey-server"]
@@ -121,9 +121,9 @@ spec:
               memory: 64M
           env:
             - name: REDIS_ALIAS
-              value: grafana-operator-valkey
+              value: grafana-operator-valkey-unified-alerting
       volumes:
         - name: scripts
           configMap:
-            name: grafana-operator-valkey-init-scripts
+            name: grafana-operator-valkey-unified-alerting-init-scripts
             defaultMode: 0555

clusters/cl01tl/manifests/kube-prometheus-stack/StatefulSet-kube-prometheus-stack-valkey.yaml

@@ -25,7 +25,7 @@ spec:
         storageClassName: "ceph-block"
         resources:
           requests:
-            storage: "1Gi"
+            storage: "10Gi"
   template:
     metadata:
       labels:

clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-valkey-hookshot-init-scripts.yaml

@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: grafana-operator-valkey-init-scripts
+  name: matrix-synapse-valkey-hookshot-init-scripts
   labels:
     helm.sh/chart: valkey-0.9.3
-    app.kubernetes.io/name: valkey
-    app.kubernetes.io/instance: grafana-operator
+    app.kubernetes.io/name: valkey-hookshot
+    app.kubernetes.io/instance: matrix-synapse
     app.kubernetes.io/version: "9.0.3"
     app.kubernetes.io/managed-by: Helm
 data:
@@ -63,7 +63,7 @@ data:
 
     # Configure replica settings
     if [ "$IS_MASTER" = "false" ]; then
-      MASTER_HOST="grafana-operator-valkey-0.grafana-operator-valkey-headless.grafana-operator.svc.cluster.local"
+      MASTER_HOST="matrix-synapse-valkey-hookshot-0.matrix-synapse-valkey-hookshot-headless.matrix-synapse.svc.cluster.local"
       MASTER_PORT="6379"
 
       log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT"
@@ -72,7 +72,7 @@ data:
         echo ""
         echo "# Replica Configuration"
         echo "replicaof $MASTER_HOST $MASTER_PORT"
-        echo "replica-announce-ip grafana-operator-valkey-$POD_INDEX.grafana-operator-valkey-headless.grafana-operator.svc.cluster.local"
+        echo "replica-announce-ip matrix-synapse-valkey-hookshot-$POD_INDEX.matrix-synapse-valkey-hookshot-headless.matrix-synapse.svc.cluster.local"
       } >>"$VALKEY_CONFIG"
     fi
 

clusters/cl01tl/manifests/matrix-synapse/ConfigMap-matrix-synapse-valkey-init-scripts.yaml

@@ -0,0 +1,149 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: matrix-synapse-valkey-init-scripts
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+data:
+  init.sh: |-
+    #!/bin/sh
+    set -eu
+
+    # Default config paths
+    VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf}
+
+    LOGFILE="/data/init.log"
+    DATA_DIR="/data/conf"
+
+    # Logging function (outputs to stderr and file)
+    log() {
+      echo "$(date) $1" | tee -a "$LOGFILE" >&2
+    }
+    # Function to get password for a user
+    # Usage: get_user_password <username> [password_key]
+    # Returns: password via stdout, exits with error if not found
+    get_user_password() {
+      username="$1"
+      password_key="${2:-$username}"
+      password=""
+      # Try to get password from existing secret first (priority)
+      if [ -f "/valkey-users-secret/$password_key" ]; then
+        password=$(cat "/valkey-users-secret/$password_key")
+        log "Using password from existing secret for user $username"
+      elif [ -f "/valkey-auth-secret/${username}-password" ]; then
+        # Fallback to inline password
+        password=$(cat "/valkey-auth-secret/${username}-password")
+        log "Using inline password for user $username"
+      else
+        log "ERROR: No password found for user $username"
+        return 1
+      fi
+
+      echo "$password"
+    }
+
+    # Clean old log if requested
+    if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
+      rm -f "$LOGFILE"
+    fi
+
+    if [ -f "$LOGFILE" ]; then
+      log "Detected restart of this instance ($HOSTNAME)"
+    fi
+
+    log "Creating configuration in $DATA_DIR..."
+    mkdir -p "$DATA_DIR"
+    rm -f "$VALKEY_CONFIG"
+
+
+    # Base valkey.conf
+    log "Generating base valkey.conf"
+    {
+      echo "port 6379"
+      echo "protected-mode no"
+      echo "bind * -::*"
+      echo "dir /data"
+    } >>"$VALKEY_CONFIG"
+    # Create secure directory for ACL file
+    log "Creating /etc/valkey directory for ACL file"
+    mkdir -p /etc/valkey
+
+    # Set aclfile path in valkey.conf
+    echo "aclfile /etc/valkey/users.acl" >>"$VALKEY_CONFIG"
+
+    # Remove or reset existing ACL file if present (it may be read-only from previous run)
+    log "Preparing ACL file at /etc/valkey/users.acl"
+    if [ -f /etc/valkey/users.acl ]; then
+      log "Removing existing read-only users.acl file"
+      chmod 0600 /etc/valkey/users.acl
+      rm -f /etc/valkey/users.acl
+    fi
+
+    # Create ACL file with secure permissions
+    touch /etc/valkey/users.acl
+    chmod 0600 /etc/valkey/users.acl
+    # Generate ACL entries for each user
+    log "Generating ACL entries for users"
+
+    # User: default
+    PASSWORD=$(get_user_password "default" "default") || exit 1
+
+    # Hash the password and write ACL entry
+    PASSHASH=$(echo -n "$PASSWORD" | sha256sum | cut -f 1 -d " ")
+    echo "user default on #$PASSHASH ~* &* +@all" >> /etc/valkey/users.acl
+
+    # Set final permissions
+    chmod 0400 /etc/valkey/users.acl
+    log "ACL file created with 0400 permissions"
+    # Replica mode configuration
+    log "Configuring replication mode"
+
+    # Use POD_INDEX from Kubernetes metadata
+    POD_INDEX=${POD_INDEX:-0}
+    IS_MASTER=false
+
+    # Check if this is pod-0 (master)
+    if [ "$POD_INDEX" = "0" ]; then
+      IS_MASTER=true
+      log "This pod (index $POD_INDEX) is configured as MASTER"
+    else
+      log "This pod (index $POD_INDEX) is configured as REPLICA"
+    fi
+
+    # Configure replica settings
+    if [ "$IS_MASTER" = "false" ]; then
+      MASTER_HOST="matrix-synapse-valkey-0.matrix-synapse-valkey-headless.matrix-synapse.svc.cluster.local"
+      MASTER_PORT="6379"
+
+      log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT"
+
+      {
+        echo ""
+        echo "# Replica Configuration"
+        echo "replicaof $MASTER_HOST $MASTER_PORT"
+        echo "replica-announce-ip matrix-synapse-valkey-$POD_INDEX.matrix-synapse-valkey-headless.matrix-synapse.svc.cluster.local"
+        echo ""
+        echo "# Master authentication"
+      } >>"$VALKEY_CONFIG"
+      # Get the password for the replication user
+      REPL_PASSWORD=$(get_user_password "default" "default") || exit 1
+
+      # Write masterauth configuration
+      echo "masterauth $REPL_PASSWORD" >>"$VALKEY_CONFIG"
+      echo "masteruser default" >>"$VALKEY_CONFIG"
+      log "Configured masterauth with user default"
+    fi
+
+    # Append extra configs if present
+    if [ -f /usr/local/etc/valkey/valkey.conf ]; then
+      log "Appending /usr/local/etc/valkey/valkey.conf"
+      cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG"
+    fi
+    if [ -d /extravalkeyconfigs ]; then
+      log "Appending files in /extravalkeyconfigs/"
+      cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG"
+    fi

clusters/cl01tl/manifests/matrix-synapse/Deployment-matrix-synapse.yaml

@@ -22,7 +22,7 @@ spec:
     metadata:
       annotations:
         checksum/config: 13648c05f49095027336c9a2d1d30591025cdab4497a14542805b397fa3b92c8
-        checksum/secrets: 0d6f055de2a4b62cd5b9ae50f578d73c68253aee28c9641318b06c0940e0c7ac
+        checksum/secrets: 5c93bb9068a23109958239ac9b72c1876b9f5ecfbf8d078c294fd171be2259ab
       labels:
         app.kubernetes.io/name: matrix-synapse
         app.kubernetes.io/instance: matrix-synapse
@@ -71,7 +71,7 @@ spec:
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: matrix-synapse-redis-secret
+                  name: matrix-synapse-valkey-secret
                   key: password
           image: "ghcr.io/element-hq/synapse:v1.148.0"
           imagePullPolicy: IfNotPresent

clusters/cl01tl/manifests/matrix-synapse/ExternalSecret-matrix-synapse-valkey-secret.yaml

@@ -1,10 +1,10 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: matrix-synapse-redis-secret
+  name: matrix-synapse-valkey-secret
   namespace: matrix-synapse
   labels:
-    app.kubernetes.io/name: matrix-synapse-redis-secret
+    app.kubernetes.io/name: matrix-synapse-valkey-secret
     app.kubernetes.io/instance: matrix-synapse
     app.kubernetes.io/part-of: matrix-synapse
 spec:
@@ -12,6 +12,13 @@ spec:
     kind: ClusterSecretStore
     name: vault
   data:
+    - secretKey: default
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/matrix-synapse/redis
+        metadataPolicy: None
+        property: password
     - secretKey: password
       remoteRef:
         conversionStrategy: Default

clusters/cl01tl/manifests/matrix-synapse/Pod-matrix-synapse-valkey-test-auth-existing.yaml

@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: matrix-synapse-valkey-test-auth-existing
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  restartPolicy: Never
+  containers:
+    - name: test-auth
+      image: "valkey/valkey:9.0.3"
+      command:
+        - sh
+        - -c
+        - |
+          set -e
+          echo "Testing authentication with usersExistingSecret..."
+          TLS_FLAGS=""
+
+          # Test basic connection (no auth - will fail if auth is properly configured)
+          PING_RESULT=$(valkey-cli -h matrix-synapse-valkey -p 6379 $TLS_FLAGS PING 2>&1 || true)
+          if [ "$PING_RESULT" = "PONG" ]; then
+            echo "✗ Authentication test failed: server allows unauthenticated access"
+            exit 1
+          fi
+
+          echo "✓ Authentication is enforced (unauthenticated access denied)"
+          echo "✓ Received expected error: $PING_RESULT"
+          echo "⚠ Manual verification recommended for usersExistingSecret configuration"
+          exit 0
+      volumeMounts:
+        - name: valkey-users-secret
+          mountPath: /valkey-users-secret
+          readOnly: true
+  volumes:
+    - name: valkey-users-secret
+      secret:
+        secretName: matrix-synapse-valkey-secret

clusters/cl01tl/manifests/matrix-synapse/PodMonitor-matrix-synapse-valkey-hookshot.yaml

@@ -0,0 +1,23 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: matrix-synapse-valkey-hookshot
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-hookshot
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: valkey
+    app.kubernetes.io/component: podmonitor
+spec:
+  podMetricsEndpoints:
+    - port: metrics
+      interval: 30s
+  namespaceSelector:
+    matchNames:
+      - matrix-synapse
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: valkey-hookshot
+      app.kubernetes.io/instance: matrix-synapse

clusters/cl01tl/manifests/matrix-synapse/PodMonitor-matrix-synapse-valkey.yaml

@@ -0,0 +1,23 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: matrix-synapse-valkey
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: valkey
+    app.kubernetes.io/component: podmonitor
+spec:
+  podMetricsEndpoints:
+    - port: metrics
+      interval: 30s
+  namespaceSelector:
+    matchNames:
+      - matrix-synapse
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: valkey
+      app.kubernetes.io/instance: matrix-synapse

clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-valkey-hookshot.yaml

@@ -0,0 +1,47 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: matrix-synapse-valkey-hookshot
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-hookshot
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: valkey
+spec:
+  groups:
+    - name: matrix-synapse-valkey-hookshot
+      rules:
+        - alert: ValkeyDown
+          annotations:
+            description: Valkey instance {{ $labels.instance }} is down.
+            summary: Valkey instance {{ $labels.instance }} down
+          expr: |
+            redis_up{service="matrix-synapse-valkey-hookshot-metrics"} == 0
+          for: 2m
+          labels:
+            severity: error
+        - alert: ValkeyMemoryHigh
+          annotations:
+            description: |
+              Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory.
+            summary: Valkey instance {{ $labels.instance }} is using too much memory
+          expr: |
+            redis_memory_used_bytes{service="matrix-synapse-valkey-hookshot-metrics"} * 100
+            /
+            redis_memory_max_bytes{service="matrix-synapse-valkey-hookshot-metrics"}
+            > 90 <= 100
+          for: 2m
+          labels:
+            severity: error
+        - alert: ValkeyKeyEviction
+          annotations:
+            description: |
+              Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes.
+            summary: Valkey instance {{ $labels.instance }} has evicted keys
+          expr: |
+            increase(redis_evicted_keys_total{service="matrix-synapse-valkey-hookshot-metrics"}[5m]) > 0
+          for: 1s
+          labels:
+            severity: error

clusters/cl01tl/manifests/matrix-synapse/PrometheusRule-matrix-synapse-valkey.yaml

@@ -0,0 +1,47 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: matrix-synapse-valkey
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: valkey
+spec:
+  groups:
+    - name: matrix-synapse-valkey
+      rules:
+        - alert: ValkeyDown
+          annotations:
+            description: Valkey instance {{ $labels.instance }} is down.
+            summary: Valkey instance {{ $labels.instance }} down
+          expr: |
+            redis_up{service="matrix-synapse-valkey-metrics"} == 0
+          for: 2m
+          labels:
+            severity: error
+        - alert: ValkeyMemoryHigh
+          annotations:
+            description: |
+              Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory.
+            summary: Valkey instance {{ $labels.instance }} is using too much memory
+          expr: |
+            redis_memory_used_bytes{service="matrix-synapse-valkey-metrics"} * 100
+            /
+            redis_memory_max_bytes{service="matrix-synapse-valkey-metrics"}
+            > 90 <= 100
+          for: 2m
+          labels:
+            severity: error
+        - alert: ValkeyKeyEviction
+          annotations:
+            description: |
+              Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes.
+            summary: Valkey instance {{ $labels.instance }} has evicted keys
+          expr: |
+            increase(redis_evicted_keys_total{service="matrix-synapse-valkey-metrics"}[5m]) > 0
+          for: 1s
+          labels:
+            severity: error

clusters/cl01tl/manifests/matrix-synapse/RedisReplication-redis-replication-hookshot.yaml

@@ -1,44 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-hookshot
-  namespace: matrix-synapse
-  labels:
-    helm.sh/chart: redis-replication-hookshot-1.1.0
-    app.kubernetes.io/version: "1.1.0"
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: redis-replication-hookshot
-    app.kubernetes.io/instance: matrix-synapse
-    app.kubernetes.io/part-of: matrix-synapse
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    fsGroup: 1000
-    runAsUser: 1000
-  kubernetesConfig:
-    image: "quay.io/opstree/redis:v8.4.2"
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 10m
-        memory: 32Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
-        storageClassName: ceph-block
-  redisExporter:
-    enabled: true
-    image: "quay.io/opstree/redis-exporter:v1.81.0"
-  sentinel:
-    image: "quay.io/opstree/redis-sentinel:v8.4.2"
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 10m
-        memory: 32Mi
-    size: 3

clusters/cl01tl/manifests/matrix-synapse/RedisReplication-redis-replication-matrix-synapse.yaml

@@ -1,50 +0,0 @@
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisReplication
-metadata:
-  name: redis-replication-matrix-synapse
-  namespace: matrix-synapse
-  labels:
-    helm.sh/chart: redis-replication-matrix-synapse-1.1.0
-    app.kubernetes.io/version: "1.1.0"
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: redis-replication-matrix-synapse
-    app.kubernetes.io/instance: matrix-synapse
-    app.kubernetes.io/part-of: matrix-synapse
-spec:
-  clusterSize: 3
-  podSecurityContext:
-    fsGroup: 1000
-    runAsUser: 1000
-  kubernetesConfig:
-    image: "quay.io/opstree/redis:v8.4.2"
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 10m
-        memory: 32Mi
-    redisSecret:
-      name: matrix-synapse-redis-secret
-      key: password
-  storage:
-    volumeClaimTemplate:
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
-        storageClassName: ceph-block
-  redisExporter:
-    enabled: true
-    image: "quay.io/opstree/redis-exporter:v1.81.0"
-  sentinel:
-    image: "quay.io/opstree/redis-sentinel:v8.4.2"
-    imagePullPolicy: IfNotPresent
-    redisSecret:
-      name: matrix-synapse-redis-secret
-      key: password
-    resources:
-      requests:
-        cpu: 10m
-        memory: 32Mi
-    size: 3

clusters/cl01tl/manifests/matrix-synapse/Secret-matrix-synapse.yaml

@@ -9,4 +9,4 @@ metadata:
     app.kubernetes.io/version: "1.148.0"
     app.kubernetes.io/managed-by: Helm
 stringData:
-  config.yaml: "## Registration ##\n\nregistration_shared_secret: \"default\"\n\n## API Configuration ##\n\n## Database configuration ##\n\ndatabase:\n  name: \"psycopg2\"\n  args:\n    user: \"app\"\n    password: \"@@POSTGRES_PASSWORD@@\"\n    database: \"app\"\n    host: \"matrix-synapse-postgresql-18-cluster-rw\"\n    port: 5432\n    sslmode: \"prefer\"\n    cp_min: 5\n    cp_max: 10\n    \n\n## Redis configuration ##\n\nredis:\n  enabled: true\n  host: \"redis-replication-matrix-synapse-master\"\n  port: 6379\n  password: \"@@REDIS_PASSWORD@@\"\n"
+  config.yaml: "## Registration ##\n\nregistration_shared_secret: \"default\"\n\n## API Configuration ##\n\n## Database configuration ##\n\ndatabase:\n  name: \"psycopg2\"\n  args:\n    user: \"app\"\n    password: \"@@POSTGRES_PASSWORD@@\"\n    database: \"app\"\n    host: \"matrix-synapse-postgresql-18-cluster-rw\"\n    port: 5432\n    sslmode: \"prefer\"\n    cp_min: 5\n    cp_max: 10\n    \n\n## Redis configuration ##\n\nredis:\n  enabled: true\n  host: \"matrix-synapse-valkey\"\n  port: 6379\n  password: \"@@REDIS_PASSWORD@@\"\n"

clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-headless.yaml

@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: blocky-valkey-headless
+  name: matrix-synapse-valkey-headless
   labels:
     helm.sh/chart: valkey-0.9.3
     app.kubernetes.io/name: valkey
-    app.kubernetes.io/instance: blocky
+    app.kubernetes.io/instance: matrix-synapse
     app.kubernetes.io/version: "9.0.3"
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: headless
@@ -20,4 +20,4 @@ spec:
       protocol: TCP
   selector:
     app.kubernetes.io/name: valkey
-    app.kubernetes.io/instance: blocky
+    app.kubernetes.io/instance: matrix-synapse

clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-headless.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix-synapse-valkey-hookshot-headless
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-hookshot
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: headless
+spec:
+  type: ClusterIP
+  clusterIP: None
+  publishNotReadyAddresses: true
+  ports:
+    - name: tcp
+      port: 6379
+      targetPort: tcp
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: valkey-hookshot
+    app.kubernetes.io/instance: matrix-synapse

clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-metrics.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix-synapse-valkey-hookshot-metrics
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-hookshot
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: valkey
+  annotations:
+spec:
+  type: ClusterIP
+  ports:
+    - name: metrics
+      port: 9121
+      protocol: TCP
+      targetPort: metrics
+  selector:
+    app.kubernetes.io/name: valkey-hookshot
+    app.kubernetes.io/instance: matrix-synapse

clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot-read.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix-synapse-valkey-hookshot-read
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-hookshot
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: read
+spec:
+  type: ClusterIP
+  ports:
+    - name: tcp
+      port: 6379
+      targetPort: tcp
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: valkey-hookshot
+    app.kubernetes.io/instance: matrix-synapse

clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-hookshot.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix-synapse-valkey-hookshot
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-hookshot
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: primary
+spec:
+  type: ClusterIP
+  ports:
+    - port: 6379
+      targetPort: tcp
+      protocol: TCP
+      name: tcp
+  selector:
+    app.kubernetes.io/name: valkey-hookshot
+    app.kubernetes.io/instance: matrix-synapse
+    statefulset.kubernetes.io/pod-name: matrix-synapse-valkey-hookshot-0

clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-metrics.yaml

@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: grafana-operator-valkey-metrics
+  name: matrix-synapse-valkey-metrics
   labels:
     helm.sh/chart: valkey-0.9.3
     app.kubernetes.io/name: valkey
-    app.kubernetes.io/instance: grafana-operator
+    app.kubernetes.io/instance: matrix-synapse
     app.kubernetes.io/version: "9.0.3"
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: metrics
@@ -20,4 +20,4 @@ spec:
       targetPort: metrics
   selector:
     app.kubernetes.io/name: valkey
-    app.kubernetes.io/instance: grafana-operator
+    app.kubernetes.io/instance: matrix-synapse

clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey-read.yaml

@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: blocky-valkey-read
+  name: matrix-synapse-valkey-read
   labels:
     helm.sh/chart: valkey-0.9.3
     app.kubernetes.io/name: valkey
-    app.kubernetes.io/instance: blocky
+    app.kubernetes.io/instance: matrix-synapse
     app.kubernetes.io/version: "9.0.3"
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/component: read
@@ -18,4 +18,4 @@ spec:
       protocol: TCP
   selector:
     app.kubernetes.io/name: valkey
-    app.kubernetes.io/instance: blocky
+    app.kubernetes.io/instance: matrix-synapse

clusters/cl01tl/manifests/matrix-synapse/Service-matrix-synapse-valkey.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix-synapse-valkey
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: primary
+spec:
+  type: ClusterIP
+  ports:
+    - port: 6379
+      targetPort: tcp
+      protocol: TCP
+      name: tcp
+  selector:
+    app.kubernetes.io/name: valkey
+    app.kubernetes.io/instance: matrix-synapse
+    statefulset.kubernetes.io/pod-name: matrix-synapse-valkey-0

clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-valkey-hookshot.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: matrix-synapse-valkey-hookshot
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-hookshot
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+automountServiceAccountToken: false

clusters/cl01tl/manifests/matrix-synapse/ServiceAccount-matrix-synapse-valkey.yaml

@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: grafana-operator-valkey
+  name: matrix-synapse-valkey
   labels:
     helm.sh/chart: valkey-0.9.3
     app.kubernetes.io/name: valkey
-    app.kubernetes.io/instance: grafana-operator
+    app.kubernetes.io/instance: matrix-synapse
     app.kubernetes.io/version: "9.0.3"
     app.kubernetes.io/managed-by: Helm
 automountServiceAccountToken: false

clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-valkey-hookshot.yaml

@@ -0,0 +1,24 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: matrix-synapse-valkey-hookshot
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey-hookshot
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: valkey
+    app.kubernetes.io/component: service-monitor
+spec:
+  endpoints:
+    - port: metrics
+      interval: 30s
+  namespaceSelector:
+    matchNames:
+      - matrix-synapse
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: valkey-hookshot
+      app.kubernetes.io/instance: matrix-synapse
+      app.kubernetes.io/component: metrics

clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-matrix-synapse-valkey.yaml

@@ -0,0 +1,24 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: matrix-synapse-valkey
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: valkey
+    app.kubernetes.io/component: service-monitor
+spec:
+  endpoints:
+    - port: metrics
+      interval: 30s
+  namespaceSelector:
+    matchNames:
+      - matrix-synapse
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: valkey
+      app.kubernetes.io/instance: matrix-synapse
+      app.kubernetes.io/component: metrics

clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-redis-replication-hookshot.yaml

@@ -1,22 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-hookshot
-  namespace: matrix-synapse
-  labels:
-    helm.sh/chart: redis-replication-hookshot-1.1.0
-    app.kubernetes.io/version: "1.1.0"
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: redis-replication-hookshot
-    app.kubernetes.io/instance: matrix-synapse
-    app.kubernetes.io/part-of: matrix-synapse
-spec:
-  selector:
-    matchLabels:
-      app: redis-replication-hookshot
-      redis_setup_type: replication
-      role: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/manifests/matrix-synapse/ServiceMonitor-redis-replication-matrix-synapse.yaml

@@ -1,22 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: redis-replication-matrix-synapse
-  namespace: matrix-synapse
-  labels:
-    helm.sh/chart: redis-replication-matrix-synapse-1.1.0
-    app.kubernetes.io/version: "1.1.0"
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: redis-replication-matrix-synapse
-    app.kubernetes.io/instance: matrix-synapse
-    app.kubernetes.io/part-of: matrix-synapse
-spec:
-  selector:
-    matchLabels:
-      app: redis-replication-matrix-synapse
-      redis_setup_type: replication
-      role: replication
-  endpoints:
-    - port: redis-exporter
-      interval: 30s
-      scrapeTimeout: 10s

clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey-hookshot.yaml

@@ -1,21 +1,21 @@
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
-  name: blocky-valkey
+  name: matrix-synapse-valkey-hookshot
   labels:
     helm.sh/chart: valkey-0.9.3
-    app.kubernetes.io/name: valkey
-    app.kubernetes.io/instance: blocky
+    app.kubernetes.io/name: valkey-hookshot
+    app.kubernetes.io/instance: matrix-synapse
     app.kubernetes.io/version: "9.0.3"
     app.kubernetes.io/managed-by: Helm
 spec:
-  serviceName: blocky-valkey-headless
+  serviceName: matrix-synapse-valkey-hookshot-headless
   replicas: 3
   podManagementPolicy: OrderedReady
   selector:
     matchLabels:
-      app.kubernetes.io/name: valkey
-      app.kubernetes.io/instance: blocky
+      app.kubernetes.io/name: valkey-hookshot
+      app.kubernetes.io/instance: matrix-synapse
   volumeClaimTemplates:
     - metadata:
         name: valkey-data
@@ -29,19 +29,19 @@ spec:
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: valkey
-        app.kubernetes.io/instance: blocky
+        app.kubernetes.io/name: valkey-hookshot
+        app.kubernetes.io/instance: matrix-synapse
       annotations:
-        checksum/initconfig: "b997c0967aeeee370412add1d41691a1"
+        checksum/initconfig: "be330f0cfd3ac6b10c6beb9aa42e308a"
     spec:
       automountServiceAccountToken: false
-      serviceAccountName: blocky-valkey
+      serviceAccountName: matrix-synapse-valkey-hookshot
       securityContext:
         fsGroup: 1000
         runAsGroup: 1000
         runAsUser: 1000
       initContainers:
-        - name: blocky-valkey-init
+        - name: matrix-synapse-valkey-hookshot-init
           image: docker.io/valkey/valkey:9.0.3
           imagePullPolicy: IfNotPresent
           securityContext:
@@ -63,7 +63,7 @@ spec:
             - name: scripts
               mountPath: /scripts
       containers:
-        - name: blocky-valkey
+        - name: matrix-synapse-valkey-hookshot
           image: docker.io/valkey/valkey:9.0.3
           imagePullPolicy: IfNotPresent
           command: ["valkey-server"]
@@ -121,9 +121,9 @@ spec:
               memory: 64M
           env:
             - name: REDIS_ALIAS
-              value: blocky-valkey
+              value: matrix-synapse-valkey-hookshot
       volumes:
         - name: scripts
           configMap:
-            name: blocky-valkey-init-scripts
+            name: matrix-synapse-valkey-hookshot-init-scripts
             defaultMode: 0555

clusters/cl01tl/manifests/matrix-synapse/StatefulSet-matrix-synapse-valkey.yaml

@@ -0,0 +1,143 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: matrix-synapse-valkey
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey
+    app.kubernetes.io/instance: matrix-synapse
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  serviceName: matrix-synapse-valkey-headless
+  replicas: 3
+  podManagementPolicy: OrderedReady
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: valkey
+      app.kubernetes.io/instance: matrix-synapse
+  volumeClaimTemplates:
+    - metadata:
+        name: valkey-data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        storageClassName: "ceph-block"
+        resources:
+          requests:
+            storage: "1Gi"
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: valkey
+        app.kubernetes.io/instance: matrix-synapse
+      annotations:
+        checksum/initconfig: "fb8ae470a9464112ac420b4e06117ac5"
+    spec:
+      automountServiceAccountToken: false
+      serviceAccountName: matrix-synapse-valkey
+      securityContext:
+        fsGroup: 1000
+        runAsGroup: 1000
+        runAsUser: 1000
+      initContainers:
+        - name: matrix-synapse-valkey-init
+          image: docker.io/valkey/valkey:9.0.3
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+          command: ["/scripts/init.sh"]
+          env:
+            - name: POD_INDEX
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.labels['apps.kubernetes.io/pod-index']
+          volumeMounts:
+            - name: valkey-data
+              mountPath: /data
+            - name: scripts
+              mountPath: /scripts
+            - name: valkey-acl
+              mountPath: /etc/valkey
+            - name: valkey-users-secret
+              mountPath: /valkey-users-secret
+              readOnly: true
+      containers:
+        - name: matrix-synapse-valkey
+          image: docker.io/valkey/valkey:9.0.3
+          imagePullPolicy: IfNotPresent
+          command: ["valkey-server"]
+          args: ["/data/conf/valkey.conf"]
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+          env:
+            - name: POD_INDEX
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.labels['apps.kubernetes.io/pod-index']
+            - name: VALKEY_LOGLEVEL
+              value: "notice"
+          ports:
+            - name: tcp
+              containerPort: 6379
+              protocol: TCP
+          startupProbe:
+            exec:
+              command: ["sh", "-c", "valkey-cli ping"]
+          livenessProbe:
+            exec:
+              command: ["sh", "-c", "valkey-cli ping"]
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+          volumeMounts:
+            - name: valkey-data
+              mountPath: /data
+            - name: valkey-acl
+              mountPath: /etc/valkey
+        - name: metrics
+          image: ghcr.io/oliver006/redis_exporter:v1.81.0
+          imagePullPolicy: "IfNotPresent"
+          ports:
+            - name: metrics
+              containerPort: 9121
+          startupProbe:
+            tcpSocket:
+              port: metrics
+          livenessProbe:
+            tcpSocket:
+              port: metrics
+          readinessProbe:
+            httpGet:
+              path: /
+              port: metrics
+          resources:
+            requests:
+              cpu: 10m
+              memory: 64M
+          env:
+            - name: REDIS_ALIAS
+              value: matrix-synapse-valkey
+      volumes:
+        - name: scripts
+          configMap:
+            name: matrix-synapse-valkey-init-scripts
+            defaultMode: 0555
+        - name: valkey-acl
+          emptyDir:
+            medium: Memory
+        - name: valkey-users-secret
+          secret:
+            secretName: matrix-synapse-valkey-secret
+            defaultMode: 0400

clusters/cl01tl/manifests/postiz/ConfigMap-postiz-valkey-init-scripts.yaml

@@ -23,6 +23,28 @@ data:
     log() {
       echo "$(date) $1" | tee -a "$LOGFILE" >&2
     }
+    # Function to get password for a user
+    # Usage: get_user_password <username> [password_key]
+    # Returns: password via stdout, exits with error if not found
+    get_user_password() {
+      username="$1"
+      password_key="${2:-$username}"
+      password=""
+      # Try to get password from existing secret first (priority)
+      if [ -f "/valkey-users-secret/$password_key" ]; then
+        password=$(cat "/valkey-users-secret/$password_key")
+        log "Using password from existing secret for user $username"
+      elif [ -f "/valkey-auth-secret/${username}-password" ]; then
+        # Fallback to inline password
+        password=$(cat "/valkey-auth-secret/${username}-password")
+        log "Using inline password for user $username"
+      else
+        log "ERROR: No password found for user $username"
+        return 1
+      fi
+
+      echo "$password"
+    }
 
     # Clean old log if requested
     if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
@@ -46,6 +68,37 @@ data:
       echo "bind * -::*"
       echo "dir /data"
     } >>"$VALKEY_CONFIG"
+    # Create secure directory for ACL file
+    log "Creating /etc/valkey directory for ACL file"
+    mkdir -p /etc/valkey
+
+    # Set aclfile path in valkey.conf
+    echo "aclfile /etc/valkey/users.acl" >>"$VALKEY_CONFIG"
+
+    # Remove or reset existing ACL file if present (it may be read-only from previous run)
+    log "Preparing ACL file at /etc/valkey/users.acl"
+    if [ -f /etc/valkey/users.acl ]; then
+      log "Removing existing read-only users.acl file"
+      chmod 0600 /etc/valkey/users.acl
+      rm -f /etc/valkey/users.acl
+    fi
+
+    # Create ACL file with secure permissions
+    touch /etc/valkey/users.acl
+    chmod 0600 /etc/valkey/users.acl
+    # Generate ACL entries for each user
+    log "Generating ACL entries for users"
+
+    # User: default
+    PASSWORD=$(get_user_password "default" "default") || exit 1
+
+    # Hash the password and write ACL entry
+    PASSHASH=$(echo -n "$PASSWORD" | sha256sum | cut -f 1 -d " ")
+    echo "user default on #$PASSHASH ~* &* +@all" >> /etc/valkey/users.acl
+
+    # Set final permissions
+    chmod 0400 /etc/valkey/users.acl
+    log "ACL file created with 0400 permissions"
     # Replica mode configuration
     log "Configuring replication mode"
 
@@ -73,7 +126,16 @@ data:
         echo "# Replica Configuration"
         echo "replicaof $MASTER_HOST $MASTER_PORT"
         echo "replica-announce-ip postiz-valkey-$POD_INDEX.postiz-valkey-headless.postiz.svc.cluster.local"
+        echo ""
+        echo "# Master authentication"
       } >>"$VALKEY_CONFIG"
+      # Get the password for the replication user
+      REPL_PASSWORD=$(get_user_password "default" "default") || exit 1
+
+      # Write masterauth configuration
+      echo "masterauth $REPL_PASSWORD" >>"$VALKEY_CONFIG"
+      echo "masteruser default" >>"$VALKEY_CONFIG"
+      log "Configured masterauth with user default"
     fi
 
     # Append extra configs if present

clusters/cl01tl/manifests/postiz/Pod-postiz-valkey-test-auth-existing.yaml

@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: postiz-valkey-test-auth-existing
+  labels:
+    helm.sh/chart: valkey-0.9.3
+    app.kubernetes.io/name: valkey
+    app.kubernetes.io/instance: postiz
+    app.kubernetes.io/version: "9.0.3"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  restartPolicy: Never
+  containers:
+    - name: test-auth
+      image: "valkey/valkey:9.0.3"
+      command:
+        - sh
+        - -c
+        - |
+          set -e
+          echo "Testing authentication with usersExistingSecret..."
+          TLS_FLAGS=""
+
+          # Test basic connection (no auth - will fail if auth is properly configured)
+          PING_RESULT=$(valkey-cli -h postiz-valkey -p 6379 $TLS_FLAGS PING 2>&1 || true)
+          if [ "$PING_RESULT" = "PONG" ]; then
+            echo "✗ Authentication test failed: server allows unauthenticated access"
+            exit 1
+          fi
+
+          echo "✓ Authentication is enforced (unauthenticated access denied)"
+          echo "✓ Received expected error: $PING_RESULT"
+          echo "⚠ Manual verification recommended for usersExistingSecret configuration"
+          exit 0
+      volumeMounts:
+        - name: valkey-users-secret
+          mountPath: /valkey-users-secret
+          readOnly: true
+  volumes:
+    - name: valkey-users-secret
+      secret:
+        secretName: postiz-valkey-config

clusters/cl01tl/manifests/postiz/StatefulSet-postiz-valkey.yaml

@@ -32,7 +32,7 @@ spec:
         app.kubernetes.io/name: valkey
         app.kubernetes.io/instance: postiz
       annotations:
-        checksum/initconfig: "8ebc9d0805e0ac2e6000ec208f86483c"
+        checksum/initconfig: "fe93fb7000602d0fb3b36b111a77c4a3"
     spec:
       automountServiceAccountToken: false
       serviceAccountName: postiz-valkey
@@ -62,6 +62,11 @@ spec:
               mountPath: /data
             - name: scripts
               mountPath: /scripts
+            - name: valkey-acl
+              mountPath: /etc/valkey
+            - name: valkey-users-secret
+              mountPath: /valkey-users-secret
+              readOnly: true
       containers:
         - name: postiz-valkey
           image: docker.io/valkey/valkey:9.0.3
@@ -99,6 +104,8 @@ spec:
           volumeMounts:
             - name: valkey-data
               mountPath: /data
+            - name: valkey-acl
+              mountPath: /etc/valkey
         - name: metrics
           image: ghcr.io/oliver006/redis_exporter:v1.81.0
           imagePullPolicy: "IfNotPresent"
@@ -127,3 +134,10 @@ spec:
           configMap:
             name: postiz-valkey-init-scripts
             defaultMode: 0555
+        - name: valkey-acl
+          emptyDir:
+            medium: Memory
+        - name: valkey-users-secret
+          secret:
+            secretName: postiz-valkey-config
+            defaultMode: 0400

clusters/cl01tl/manifests/tubearchivist/StatefulSet-tubearchivist-valkey.yaml

@@ -25,7 +25,7 @@ spec:
         storageClassName: "ceph-block"
         resources:
           requests:
-            storage: "1Gi"
+            storage: "10Gi"
   template:
     metadata:
       labels:
@@ -94,8 +94,8 @@ spec:
               command: ["sh", "-c", "valkey-cli ping"]
           resources:
             requests:
-              cpu: 10m
-              memory: 128Mi
+              cpu: 100m
+              memory: 1Gi
           volumeMounts:
             - name: valkey-data
               mountPath: /data