From 77e9dbf709360387b6c1af560ee2ad70cd4b17b4 Mon Sep 17 00:00:00 2001 From: Thibault Cordier Date: Thu, 19 Dec 2024 14:54:48 +0100 Subject: [PATCH 1/5] Create a new config for standalone sentinel --- .../redis/templates/cilium-networkpolicy.yaml | 75 +++ .../redis/templates/scripts-configmap.yaml | 9 +- .../sentinel/standalone-statefulset.yaml | 525 ++++++++++++++++++ bitnami/redis/values.yaml | 21 + 4 files changed, 629 insertions(+), 1 deletion(-) create mode 100644 bitnami/redis/templates/cilium-networkpolicy.yaml create mode 100644 bitnami/redis/templates/sentinel/standalone-statefulset.yaml diff --git a/bitnami/redis/templates/cilium-networkpolicy.yaml b/bitnami/redis/templates/cilium-networkpolicy.yaml new file mode 100644 index 00000000000000..2f1aa7994f3e37 --- /dev/null +++ b/bitnami/redis/templates/cilium-networkpolicy.yaml 
@@ -0,0 +1,75 @@ +{{- if .Values.ciliumNetworkPolicy.enabled }} +apiVersion: cilium.io/v2 +{{- if .Values.ciliumNetworkPolicy.acrossNamespaces }} +kind: CiliumClusterwideNetworkPolicy +{{- else }} +kind: CiliumNetworkPolicy +{{- end}} +metadata: + {{- if .Values.ciliumNetworkPolicy.acrossNamespaces }} + name: {{ .Release.Namespace }}-redis-bitnami-policy + {{- else }} + name: {{ .Release.Name }}-redis-bitnami-policy + {{- end}} +spec: + endpointSelector: + matchLabels: + app.kubernetes.io/instance: {{ .Release.Name }} + io.kubernetes.pod.namespace: {{ .Release.Namespace }} + egress: + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: UDP + # Allow outbound connections to other cluster pods on sentinel port and redis port + - toEndpoints: + - matchLabels: + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: node + toPorts: + - ports: + - port: "26379" + protocol: TCP + - port: "6379" + protocol: TCP + # Allow outbound connections to other cluster pods on sentinel port (for standalone sentinel) + - toEndpoints: + - matchLabels: + app: redis-replication + {{- if .Values.ciliumNetworkPolicy.onlyBackend }} + io.kubernetes.pod.namespace: {{ .Release.Namespace }} + {{- end}} + toPorts: + - ports: + - port: "26379" + protocol: TCP + {{- if .Values.ciliumNetworkPolicy.additionalEgress }} + {{- toYaml .Values.ciliumNetworkPolicy.additionalEgress | nindent 4 }} + {{- end }} + ingress: + - fromEndpoints: + - matchLabels: + app.kubernetes.io/name: prometheus + io.kubernetes.pod.namespace: {{ .Values.ciliumNetworkPolicy.monitoringNamespace }} + toPorts: + - ports: + - port: {{ .Values.metrics.containerPorts.http | quote }} + protocol: TCP + - fromEndpoints: + - matchLabels: + app.kubernetes.io/instance: {{ .Release.Name }} + toPorts: + - ports: + - port: "26379" + protocol: TCP + - port: "6379" + protocol: TCP + {{- if 
.Values.ciliumNetworkPolicy.additionalIngress }} + {{- toYaml .Values.ciliumNetworkPolicy.additionalIngress | nindent 4 }} + {{- end }} + +{{- end }} \ No newline at end of file diff --git a/bitnami/redis/templates/scripts-configmap.yaml b/bitnami/redis/templates/scripts-configmap.yaml index d1d277b58e3104..a03ea758e2d99d 100644 --- a/bitnami/redis/templates/scripts-configmap.yaml +++ b/bitnami/redis/templates/scripts-configmap.yaml @@ -335,7 +335,7 @@ data: sentinel_info_command="{{- if and .Values.auth.enabled .Values.auth.sentinel }}REDISCLI_AUTH="\$REDIS_PASSWORD" {{ end }}timeout {{ .Values.sentinel.getMasterTimeout }} redis-cli -h $REDIS_SERVICE -p $SENTINEL_SERVICE_PORT sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}" fi info "about to run the command: $sentinel_info_command" - retry_while "eval $sentinel_info_command" 2 5 + retry_while "eval $sentinel_info_command" 2 10 } [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" @@ -354,6 +354,7 @@ data: REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]} REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]} else + echo "Failed to get master info from sentinel, failback from persisted configuration" REDIS_MASTER_HOST="$master_in_persisted_conf" REDIS_MASTER_PORT_NUMBER="$REDISPORT" fi @@ -362,6 +363,8 @@ data: else export REDIS_REPLICATION_MODE="replica" fi + echo "REDIS_REPLICATION_MODE=$REDIS_REPLICATION_MODE" + echo "REDIS_MASTER_HOST=$REDIS_MASTER_HOST" {{- if or .Values.sentinel.masterService.enabled .Values.sentinel.service.createMaster }} if [[ "${REDIS_REPLICATION_MODE}" == "master" ]]; then @@ -393,6 +396,10 @@ data: exit 1 fi + if [[ "$REDIS_SENTINEL_STANDALONE" == "true" ]]; then + REDIS_MASTER_HOST={{ template "common.names.fullname" . }}-node-0.$HEADLESS_SERVICE + fi + sentinel_conf_set "sentinel monitor" "{{ .Values.sentinel.masterSet }} "$REDIS_MASTER_HOST" "$REDIS_MASTER_PORT_NUMBER" {{ .Values.sentinel.quorum }}" add_known_sentinel() { 
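Review bot: The Sentinel and Redis ports are hard-coded as `"26379"` and `"6379"` in both the egress and ingress rules of this policy, while the new StatefulSet in the same series reads the Sentinel port from `.Values.sentinel.containerPorts.sentinel`; once a Cilium policy selects these pods every unlisted port is denied, so a deployment with a non-default container port is silently cut off. Render the ports from values, e.g. `- port: {{ .Values.sentinel.containerPorts.sentinel | quote }}`, and the same for the Redis data port from the chart's Redis containerPorts value. The Prometheus ingress rule is emitted unconditionally; wrap it in the chart's metrics flag (`{{- if .Values.metrics.enabled }}`, assuming that is its name) so the exporter port is not opened when nothing listens on it, and guard the `io.kubernetes.pod.namespace` label against an empty `monitoringNamespace`, which would render a null matchLabel value. The egress rule keyed on the unrelated label `app: redis-replication` matches any pod in any namespace carrying that label unless `onlyBackend` is set; if it is meant for the standalone Sentinel pods, select them by the release's own `app.kubernetes.io/instance` label instead. DNS egress allows only UDP/53; add an entry for `protocol: TCP` on port 53 or large responses that fall back to TCP will fail under this policy.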
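Review bot: The new fallback message uses a bare `echo` and the word "failback" while the surrounding script logs through the `info` helper (`info "about to run the command: ..."` a few lines above); use the same helper and the intended word, e.g. `warn "Failed to get master info from sentinel, falling back to persisted configuration"` (or `info` if the script defines no `warn`). A failed Sentinel lookup is the one path on which this script can adopt a stale master from the persisted configuration, so the message deserves a visible log level rather than plain stdout. The enclosing function starts outside this hunk.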
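Review bot: In standalone mode the new block unconditionally overwrites `REDIS_MASTER_HOST` with `<fullname>-node-0.$HEADLESS_SERVICE` right before `sentinel_conf_set "sentinel monitor" ...`, discarding whatever master address was derived earlier in the script (outside this hunk), so after a failover the standalone Sentinel is told to monitor a pod that is now a replica; as far as I know Sentinel treats a monitored master that reports `role:slave` as unreachable and eventually triggers another failover against it. Restrict the override to the case where discovery produced nothing, e.g. `if [[ "$REDIS_SENTINEL_STANDALONE" == "true" && -z "$REDIS_MASTER_HOST" ]]; then`, or reuse the persisted-configuration fallback the node script already has. `$HEADLESS_SERVICE` is assumed to be set earlier in this script and `$REDIS_MASTER_PORT_NUMBER` is left untouched by the override — both worth confirming in the full file. The enclosing function starts outside this hunk.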
diff --git a/bitnami/redis/templates/sentinel/standalone-statefulset.yaml b/bitnami/redis/templates/sentinel/standalone-statefulset.yaml new file mode 100644 index 00000000000000..aed3a90c3040b7 --- /dev/null +++ b/bitnami/redis/templates/sentinel/standalone-statefulset.yaml 
@@ -0,0 +1,525 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if or .Release.IsUpgrade (ne .Values.sentinel.service.type "NodePort") .Values.sentinel.service.nodePorts.redis -}} +# Add a condition to enable standalone sentinel +{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled .Values.sentinel.standalone.enabled }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ printf "%s-node-standalone" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: node + {{- if or .Values.commonAnnotations .Values.sentinel.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.sentinel.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.sentinel.standalone.replicaCount }} + revisionHistoryLimit: {{ .Values.replica.revisionHistoryLimit }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.replica.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: sentinel + serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) 
}} + {{- if .Values.replica.updateStrategy }} + updateStrategy: {{- toYaml .Values.replica.updateStrategy | nindent 4 }} + {{- end }} + {{- if and .Values.replica.minReadySeconds (semverCompare ">= 1.23-0" (include "common.capabilities.kubeVersion" .)) }} + minReadySeconds: {{ .Values.replica.minReadySeconds }} + {{- end }} + {{- if .Values.replica.podManagementPolicy }} + podManagementPolicy: {{ .Values.replica.podManagementPolicy | quote }} + {{- end }} + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: sentinel + {{- if .Values.sentinel.masterService.enabled }} + app.kubernetes.io/role: slave + {{- end }} + annotations: + {{- if (include "redis.createConfigmap" .) }} + checksum/configmap: {{ pick ( include (print $.Template.BasePath "/configmap.yaml") . | fromYaml ) "data" | toYaml | sha256sum }} + {{- end }} + checksum/health: {{ pick ( include (print $.Template.BasePath "/health-configmap.yaml") . | fromYaml ) "data" | toYaml | sha256sum }} + checksum/scripts: {{ pick ( include (print $.Template.BasePath "/scripts-configmap.yaml") . | fromYaml ) "data" | toYaml | sha256sum }} + checksum/secret: {{ pick ( include (print $.Template.BasePath "/secret.yaml") . | fromYaml ) "data" | toYaml | sha256sum }} + {{- if .Values.replica.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + spec: + {{- if .Values.sentinel.extraPodSpec }} + {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.extraPodSpec "context" $) | nindent 6 }} + {{- end }} + {{- include "redis.imagePullSecrets" . 
| nindent 6 }} + automountServiceAccountToken: {{ .Values.replica.automountServiceAccountToken }} + {{- if .Values.replica.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.replica.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.replica.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "redis.serviceAccountName" . }} + {{- if .Values.replica.priorityClassName }} + priorityClassName: {{ .Values.replica.priorityClassName | quote }} + {{- end }} + {{- if .Values.replica.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.replica.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.replica.podAffinityPreset "component" "node" "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.replica.podAntiAffinityPreset "component" "node" "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.replica.nodeAffinityPreset.type "key" .Values.replica.nodeAffinityPreset.key "values" .Values.replica.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.replica.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.replica.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.replica.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.replica.topologySpreadConstraints 
"context" $) | nindent 8 }} + {{- end }} + {{- if .Values.replica.shareProcessNamespace }} + shareProcessNamespace: {{ .Values.replica.shareProcessNamespace }} + {{- end }} + {{- if .Values.replica.schedulerName }} + schedulerName: {{ .Values.replica.schedulerName | quote }} + {{- end }} + {{- if .Values.replica.dnsPolicy }} + dnsPolicy: {{ .Values.replica.dnsPolicy }} + {{- end }} + {{- if .Values.replica.dnsConfig }} + dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.replica.dnsConfig "context" $) | nindent 8 }} + {{- end }} + enableServiceLinks: {{ .Values.sentinel.enableServiceLinks }} + terminationGracePeriodSeconds: {{ .Values.sentinel.terminationGracePeriodSeconds }} + containers: + - name: sentinel + image: {{ template "redis.sentinel.image" . }} + imagePullPolicy: {{ .Values.sentinel.image.pullPolicy | quote }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.sentinel.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.lifecycleHooks "context" $) | nindent 12 }} + {{- else }} + lifecycle: + preStop: + exec: + command: + - /bin/bash + - -c + - /opt/bitnami/scripts/start-scripts/prestop-sentinel.sh + {{- end }} + {{- end }} + {{- if .Values.sentinel.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.sentinel.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.sentinel.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | 
nindent 12 }} + {{- else if .Values.sentinel.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.args "context" $) | nindent 12 }} + {{- else }} + args: + - -c + - /opt/bitnami/scripts/start-scripts/start-sentinel.sh + {{- end }} + env: + - name: REDIS_SENTINEL_STANDALONE + value: "true" + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.sentinel.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- if .Values.auth.enabled }} + {{- if .Values.auth.usePasswordFiles }} + - name: REDIS_PASSWORD_FILE + value: "/opt/bitnami/redis/secrets/redis-password" + {{- else }} + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "redis.secretName" . }} + key: {{ template "redis.secretPasswordKey" . }} + {{- end }} + {{- else }} + - name: ALLOW_EMPTY_PASSWORD + value: "yes" + {{- end }} + - name: REDIS_SENTINEL_TLS_ENABLED + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: REDIS_SENTINEL_TLS_PORT_NUMBER + value: {{ .Values.sentinel.containerPorts.sentinel | quote }} + - name: REDIS_SENTINEL_TLS_AUTH_CLIENTS + value: {{ ternary "yes" "no" .Values.tls.authClients | quote }} + - name: REDIS_SENTINEL_TLS_CERT_FILE + value: {{ template "redis.tlsCert" . }} + - name: REDIS_SENTINEL_TLS_KEY_FILE + value: {{ template "redis.tlsCertKey" . }} + - name: REDIS_SENTINEL_TLS_CA_FILE + value: {{ template "redis.tlsCACert" . }} + {{- if .Values.tls.dhParamsFilename }} + - name: REDIS_SENTINEL_TLS_DH_PARAMS_FILE + value: {{ template "redis.tlsDHParams" . 
}} + {{- end }} + {{- else }} + - name: REDIS_SENTINEL_PORT + value: {{ .Values.sentinel.containerPorts.sentinel | quote }} + {{- end }} + {{- if .Values.sentinel.externalMaster.enabled }} + - name: REDIS_EXTERNAL_MASTER_HOST + value: {{ .Values.sentinel.externalMaster.host | quote }} + - name: REDIS_EXTERNAL_MASTER_PORT + value: {{ .Values.sentinel.externalMaster.port | quote }} + {{- end }} + {{- if .Values.sentinel.extraEnvVars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.extraEnvVars "context" $ ) | nindent 12 }} + {{- end }} + {{- if or .Values.sentinel.extraEnvVarsCM .Values.sentinel.extraEnvVarsSecret }} + envFrom: + {{- if .Values.sentinel.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.sentinel.extraEnvVarsCM }} + {{- end }} + {{- if .Values.sentinel.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.sentinel.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: redis-sentinel + containerPort: {{ .Values.sentinel.containerPorts.sentinel }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.sentinel.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.sentinel.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.sentinel.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - sh + - -c + - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + {{- end }} + {{- if .Values.sentinel.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.sentinel.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.sentinel.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.sentinel.livenessProbe.periodSeconds }} + timeoutSeconds: {{ 
.Values.sentinel.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.sentinel.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.sentinel.livenessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }} + {{- end }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.sentinel.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.sentinel.readinessProbe.enabled }} + readinessProbe: + initialDelaySeconds: {{ .Values.sentinel.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.sentinel.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.sentinel.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.sentinel.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.sentinel.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/ping_sentinel.sh {{ .Values.sentinel.readinessProbe.timeoutSeconds }} + {{- end }} + {{- end }} + {{- if .Values.sentinel.resources }} + resources: {{- toYaml .Values.sentinel.resources | nindent 12 }} + {{- else if ne .Values.sentinel.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.sentinel.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: start-scripts + mountPath: /opt/bitnami/scripts/start-scripts + - name: health + mountPath: /health + {{- if or .Values.sentinel.masterService.enabled .Values.sentinel.service.createMaster}} + - name: kubectl-shared + mountPath: /etc/shared + {{- end }} + - name: sentinel-data + mountPath: /opt/bitnami/redis-sentinel/etc + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + mountPath: /opt/bitnami/redis/secrets/ + {{- end }} + - name: redis-data 
+ mountPath: {{ .Values.replica.persistence.path }} + {{- if .Values.replica.persistence.subPath }} + subPath: {{ .Values.replica.persistence.subPath }} + {{- else if .Values.replica.persistence.subPathExpr }} + subPathExpr: {{ .Values.replica.persistence.subPathExpr }} + {{- end }} + - name: config + mountPath: /opt/bitnami/redis-sentinel/mounted-etc + {{- if .Values.tls.enabled }} + - name: redis-certificates + mountPath: /opt/bitnami/redis/certs + readOnly: true + {{- end }} + {{- if .Values.sentinel.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.extraVolumeMounts "context" $ ) | nindent 12 }} + {{- end }} + {{- if or .Values.sentinel.masterService.enabled .Values.sentinel.service.createMaster }} + - name: kubectl-shared + image: {{ template "redis.kubectl.image" . }} + imagePullPolicy: {{ .Values.kubectl.image.pullPolicy | quote }} + command: {{- toYaml .Values.kubectl.command | nindent 12 }} + {{- if .Values.kubectl.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.kubectl.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + - name: kubectl-shared + mountPath: /etc/shared + - name: kubectl-scripts + mountPath: /opt/bitnami/scripts/kubectl-scripts + {{- if .Values.kubectl.resources }} + resources: {{- toYaml .Values.kubectl.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.replica.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.replica.sidecars "context" $) | nindent 8 }} + {{- end }} + {{- $needsVolumePermissions := and .Values.volumePermissions.enabled .Values.replica.persistence.enabled .Values.replica.podSecurityContext.enabled .Values.replica.containerSecurityContext.enabled }} + {{- if or .Values.replica.initContainers $needsVolumePermissions .Values.sysctl.enabled }} + initContainers: + {{- if .Values.replica.initContainers }} + {{- include 
"common.tplvalues.render" (dict "value" .Values.replica.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if $needsVolumePermissions }} + - name: volume-permissions + image: {{ include "redis.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -ec + - | + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` {{ .Values.replica.persistence.path }} + {{- else }} + chown -R {{ .Values.replica.containerSecurityContext.runAsUser }}:{{ .Values.replica.podSecurityContext.fsGroup }} {{ .Values.replica.persistence.path }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.extraEnvVars }} + env: + {{- include "common.tplvalues.render" (dict "value" .Values.volumePermissions.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: redis-data + mountPath: {{ .Values.replica.persistence.path }} + {{- if .Values.replica.persistence.subPath }} + subPath: {{ .Values.replica.persistence.subPath }} + {{- else if .Values.replica.persistence.subPathExpr }} + subPathExpr: {{ .Values.replica.persistence.subPathExpr }} + {{- end }} + {{- end }} + {{- if .Values.sysctl.enabled 
}} + - name: init-sysctl + image: {{ include "redis.sysctl.image" . }} + imagePullPolicy: {{ default "" .Values.sysctl.image.pullPolicy | quote }} + securityContext: + privileged: true + runAsUser: 0 + {{- if .Values.sysctl.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.sysctl.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sysctl.resources }} + resources: {{- toYaml .Values.sysctl.resources | nindent 12 }} + {{- else if ne .Values.sysctl.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.sysctl.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.sysctl.mountHostSys }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: host-sys + mountPath: /host-sys + {{- end }} + {{- end }} + {{- end }} + volumes: + - name: start-scripts + configMap: + name: {{ printf "%s-scripts" (include "common.names.fullname" .) }} + defaultMode: 0755 + - name: health + configMap: + name: {{ printf "%s-health" (include "common.names.fullname" .) }} + defaultMode: 0755 + {{- if or .Values.sentinel.masterService.enabled .Values.sentinel.service.createMaster}} + - name: kubectl-shared + emptyDir: {} + - name: kubectl-scripts + configMap: + name: {{ printf "%s-kubectl-scripts" (include "common.names.fullname" .) }} + defaultMode: 0755 + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: redis-password + {{ if .Values.auth.usePasswordFileFromSecret }} + secret: + secretName: {{ template "redis.secretName" . }} + items: + - key: {{ template "redis.secretPasswordKey" . }} + path: redis-password + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + - name: config + configMap: + name: {{ include "redis.configmapName" . 
}} + {{- if .Values.sysctl.mountHostSys }} + - name: host-sys + hostPath: + path: /sys + {{- end }} + {{- if not .Values.sentinel.persistence.enabled }} + - name: sentinel-data + {{- if or .Values.sentinel.persistence.medium .Values.sentinel.persistence.sizeLimit }} + emptyDir: + {{- if .Values.sentinel.persistence.medium }} + medium: {{ .Values.sentinel.persistence.medium | quote }} + {{- end }} + {{- if .Values.sentinel.persistence.sizeLimit }} + sizeLimit: {{ .Values.sentinel.persistence.sizeLimit | quote }} + {{- end }} + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + - name: empty-dir + {{- if or .Values.sentinel.persistence.medium .Values.sentinel.persistence.sizeLimit }} + emptyDir: + {{- if .Values.sentinel.persistence.medium }} + medium: {{ .Values.sentinel.persistence.medium | quote }} + {{- end }} + {{- if .Values.sentinel.persistence.sizeLimit }} + sizeLimit: {{ .Values.sentinel.persistence.sizeLimit | quote }} + {{- end }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.replica.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.replica.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.sentinel.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: redis-certificates + secret: + secretName: {{ include "redis.tlsSecretName" . 
}} + defaultMode: 256 + {{- end }} + {{- if not .Values.replica.persistence.enabled }} + - name: redis-data + {{- if or .Values.replica.persistence.medium .Values.replica.persistence.sizeLimit }} + emptyDir: + {{- if .Values.replica.persistence.medium }} + medium: {{ .Values.replica.persistence.medium | quote }} + {{- end }} + {{- if .Values.replica.persistence.sizeLimit }} + sizeLimit: {{ .Values.replica.persistence.sizeLimit | quote }} + {{- end }} + {{- else }} + emptyDir: {} + {{- end }} + {{- else if .Values.replica.persistence.existingClaim }} + - name: redis-data + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.replica.persistence.existingClaim .) }} + {{- else }} + {{- if .Values.sentinel.persistentVolumeClaimRetentionPolicy.enabled }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ .Values.sentinel.persistentVolumeClaimRetentionPolicy.whenDeleted }} + whenScaled: {{ .Values.sentinel.persistentVolumeClaimRetentionPolicy.whenScaled }} + {{- end }} + volumeClaimTemplates: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: redis-data + labels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 10 }} + app.kubernetes.io/component: node + {{- if .Values.replica.persistence.annotations }} + annotations: {{- toYaml .Values.replica.persistence.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.replica.persistence.accessModes }} + - {{ . 
| quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.replica.persistence.size | quote }} + {{- if .Values.replica.persistence.selector }} + selector: {{- include "common.tplvalues.render" ( dict "value" .Values.replica.persistence.selector "context" $) | nindent 10 }} + {{- end }} + {{- include "common.storage.class" (dict "persistence" .Values.replica.persistence "global" .Values.global) | nindent 8 }} + {{- if .Values.sentinel.persistence.enabled }} + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: sentinel-data + {{- $claimLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.sentinel.persistence.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.matchLabels" ( dict "customLabels" $claimLabels "context" $ ) | nindent 10 }} + app.kubernetes.io/component: node + {{- if .Values.sentinel.persistence.annotations }} + annotations: {{- toYaml .Values.sentinel.persistence.annotations | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.sentinel.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.sentinel.persistence.size | quote }} + {{- if .Values.sentinel.persistence.selector }} + selector: {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.persistence.selector "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.sentinel.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.persistence.dataSource "context" $) | nindent 10 }} + {{- end }} + {{- include "common.storage.class" (dict "persistence" .Values.sentinel.persistence "global" .Values.global) | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} diff --git a/bitnami/redis/values.yaml b/bitnami/redis/values.yaml index c9d8370250095a..5e3b4648b9eb6c 100644 --- a/bitnami/redis/values.yaml +++ b/bitnami/redis/values.yaml 
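Review bot: This StatefulSet runs only the Sentinel container (plus the optional kubectl sidecar), yet it carries over the `init-sysctl` init container with `privileged: true`, `runAsUser: 0` and the `hostPath: /sys` volume, and the `volume-permissions` init container that `chown -R`s `{{ .Values.replica.persistence.path }}`; both exist to tune the kernel and prepare the data volume for the Redis server and have no purpose in a Sentinel-only pod, so drop the `{{- if .Values.sysctl.enabled }}` block, the `host-sys` volume and the `$needsVolumePermissions` branch here rather than widening the release's privileged footprint. The top-level gate `{{- if or .Release.IsUpgrade (ne .Values.sentinel.service.type "NodePort") .Values.sentinel.service.nodePorts.redis -}}` looks copied from the replica StatefulSet and silently skips rendering on a fresh install that uses a NodePort Sentinel service without a fixed port; if that is not intended, the inner `{{- if and (eq .Values.architecture "replication") ... }}` is the only condition needed. The StatefulSet and PVC metadata carry `app.kubernetes.io/component: node` while the selector and pod template use `component: sentinel` and the affinity presets are computed for `"component" "node"`; pick one value, and confirm that the `{{ fullname }}-headless` Service selects `component: sentinel` pods, otherwise the `-node-standalone-N.<headless>` names will not resolve. `sentinel.standalone.enabled` and `sentinel.standalone.replicaCount` are read here but never declared in `values.yaml` by this series (its diffstat is the blank line plus the commented block), and Helm aborts with `nil pointer evaluating interface {}.enabled` when `.Values.sentinel.standalone` is absent, i.e. for every user with Sentinel enabled.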
@@ -1153,6 +1153,7 @@ sentinel: ## @param sentinel.image.pullSecrets Redis® Sentinel image pull secrets ## @param sentinel.image.debug Enable image debug mode ## + image: registry: docker.io repository: bitnami/redis-sentinel @@ -2268,3 +2269,23 @@ useExternalDNS: suffix: "" annotationKey: external-dns.alpha.kubernetes.io/ additionalAnnotations: {} + + +# ciliumNetworkPolicy: +# enabled: true +# monitoringNamespace: "tools-observe" +# acrossNamespaces: true +# additionalIngress: +# - fromEndpoints: +# - matchLabels: +# app: myapp +# io.kubernetes.pod.namespace: customer-xxxx +# toPorts: +# - ports: +# - port: "6379" +# protocol: TCP +# - ports: +# - port: "26379" +# protocol: TCP +# # Règles egress additionnelles +# additionalEgress: {} \ No newline at end of file From a0453b4756617e82eff1cec12f6c77f36928260e Mon Sep 17 00:00:00 2001 From: Thibault Cordier Date: Thu, 19 Dec 2024 18:08:50 +0100 Subject: [PATCH 2/5] Rename cilium policy --- bitnami/redis/templates/cilium-networkpolicy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/redis/templates/cilium-networkpolicy.yaml b/bitnami/redis/templates/cilium-networkpolicy.yaml index 2f1aa7994f3e37..322037b0bccc2c 100644 --- a/bitnami/redis/templates/cilium-networkpolicy.yaml +++ b/bitnami/redis/templates/cilium-networkpolicy.yaml @@ -7,7 +7,7 @@ kind: CiliumNetworkPolicy {{- end}} metadata: {{- if .Values.ciliumNetworkPolicy.acrossNamespaces }} - name: {{ .Release.Namespace }}-redis-bitnami-policy + name: {{ .Release.Namespace }}-bitnami-policy {{- else }} name: {{ .Release.Name }}-redis-bitnami-policy {{- end}} From 2977fc9001c8bfeeaea034a3f10d1f2d76b81035 Mon Sep 17 00:00:00 2001 From: Thibault Cordier Date: Thu, 26 Dec 2024 17:13:51 +0100 Subject: [PATCH 3/5] Remove redis-data PVC for standalone sentinel --- .../sentinel/standalone-statefulset.yaml | 53 +------------------ 1 file changed, 1 insertion(+), 52 deletions(-) 
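Review bot: The `ciliumNetworkPolicy` block is added only as a comment, but `templates/cilium-networkpolicy.yaml` evaluates `.Values.ciliumNetworkPolicy.enabled` on every render; with the key absent Helm aborts with `nil pointer evaluating interface {}.enabled`, so the chart cannot be rendered at all until users define the key themselves. Declare real, documented defaults instead, in the `## @param` style the rest of this file uses (visible in the hunk above), with the feature off and the cross-namespace variant off, and give `additionalIngress`/`additionalEgress` list defaults since the template splices them into a rule list with `toYaml` (the commented `additionalEgress: {}` would render a map inside that list). The same gap exists for `sentinel.standalone.enabled` and `sentinel.standalone.replicaCount`, which the new StatefulSet reads but this series never adds under `sentinel:`. The inline comment `# Règles egress additionnelles` should be English like the rest of the file (`# Additional egress rules`), and since the example grants a `customer-xxxx` namespace direct access to the Redis port, keep such rules as opt-in examples in the docs rather than as defaults.
```yaml
## @param ciliumNetworkPolicy.enabled Create a Cilium network policy restricting traffic to and from the release pods
## @param ciliumNetworkPolicy.acrossNamespaces Render a CiliumClusterwideNetworkPolicy instead of a namespaced CiliumNetworkPolicy
## @param ciliumNetworkPolicy.onlyBackend Restrict the standalone-sentinel egress rule to the release namespace
## @param ciliumNetworkPolicy.monitoringNamespace Namespace of the Prometheus pods allowed to scrape the metrics port
## @param ciliumNetworkPolicy.additionalIngress Extra ingress rules appended to the policy
## @param ciliumNetworkPolicy.additionalEgress Extra egress rules appended to the policy
##
ciliumNetworkPolicy:
  enabled: false
  acrossNamespaces: false
  onlyBackend: true
  monitoringNamespace: ""
  additionalIngress: []
  additionalEgress: []
```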
diff --git a/bitnami/redis/templates/sentinel/standalone-statefulset.yaml b/bitnami/redis/templates/sentinel/standalone-statefulset.yaml index aed3a90c3040b7..4add0d938b1323 100644 --- a/bitnami/redis/templates/sentinel/standalone-statefulset.yaml +++ b/bitnami/redis/templates/sentinel/standalone-statefulset.yaml @@ -266,13 +266,6 @@ spec: - name: redis-password mountPath: /opt/bitnami/redis/secrets/ {{- end }} - - name: redis-data - mountPath: {{ .Values.replica.persistence.path }} - {{- if .Values.replica.persistence.subPath }} - subPath: {{ .Values.replica.persistence.subPath }} - {{- else if .Values.replica.persistence.subPathExpr }} - subPathExpr: {{ .Values.replica.persistence.subPathExpr }} - {{- end }} - name: config mountPath: /opt/bitnami/redis-sentinel/mounted-etc {{- if .Values.tls.enabled }} @@ -340,13 +333,6 @@ spec: - name: empty-dir mountPath: /tmp subPath: tmp-dir - - name: redis-data - mountPath: {{ .Values.replica.persistence.path }} - {{- if .Values.replica.persistence.subPath }} - subPath: {{ .Values.replica.persistence.subPath }} - {{- else if .Values.replica.persistence.subPathExpr }} - subPathExpr: {{ .Values.replica.persistence.subPathExpr }} - {{- end }} {{- end }} {{- if .Values.sysctl.enabled }} - name: init-sysctl 
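Review bot: The `redis-data` mount is removed from the `volume-permissions` init container here, but its command still runs `chown -R ... {{ .Values.replica.persistence.path }}` (just above this hunk, outside it) and the container is still rendered whenever `$needsVolumePermissions` is true, so with `volumePermissions.enabled` set it now chowns a path that is most likely absent from the os-shell image and, under `bash -ec`, fails and blocks the pod from starting. Since this Sentinel-only pod no longer has a Redis data volume, remove the whole `{{- if $needsVolumePermissions }}` init container from this template (and the `$needsVolumePermissions` definition that still keys off `.Values.replica.persistence.enabled`) rather than just its mount; if the `sentinel-data` volume needs a permissions fix, that container should target `/opt/bitnami/redis-sentinel/etc` instead. The enclosing `initContainers:` block starts outside this hunk.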
@@ -448,23 +434,7 @@ spec: secretName: {{ include "redis.tlsSecretName" . }} defaultMode: 256 {{- end }} - {{- if not .Values.replica.persistence.enabled }} - - name: redis-data - {{- if or .Values.replica.persistence.medium .Values.replica.persistence.sizeLimit }} - emptyDir: - {{- if .Values.replica.persistence.medium }} - medium: {{ .Values.replica.persistence.medium | quote }} - {{- end }} - {{- if .Values.replica.persistence.sizeLimit }} - sizeLimit: {{ .Values.replica.persistence.sizeLimit | quote }} - {{- end }} - {{- else }} - emptyDir: {} - {{- end }} - {{- else if .Values.replica.persistence.existingClaim }} - - name: redis-data - persistentVolumeClaim: - claimName: {{ printf "%s" (tpl .Values.replica.persistence.existingClaim .) }} + {{- else }} {{- if .Values.sentinel.persistentVolumeClaimRetentionPolicy.enabled }} persistentVolumeClaimRetentionPolicy: 
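Review bot: Removing the `{{- if not .Values.replica.persistence.enabled }} ... {{- else if ... }}` chain while leaving a bare `{{- else }}` binds that `else` to the next open conditional, which as far as I can trace the nesting is the `{{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled .Values.sentinel.standalone.enabled }}` at the top of the file; the follow-up "Remove Extra end" commit, which has to drop one `{{- end }}` to make the template balance, is consistent with that reading. If so, `persistentVolumeClaimRetentionPolicy:` and `volumeClaimTemplates:` are emitted as a dangling fragment when standalone mode is disabled and never emitted when it is enabled, so no `sentinel-data` PVC is ever created and with `sentinel.persistence.enabled: true` the pod references a volume defined nowhere. Drop the `{{- else }}` and the matching `{{- end }}` so the retention policy and `volumeClaimTemplates` sit directly under the StatefulSet `spec`, guarded only by `{{- if .Values.sentinel.persistence.enabled }}`, and compare `helm template` output for both values of that flag. The enclosing `spec:` starts outside this hunk.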
@@ -472,27 +442,6 @@ spec:
 whenScaled: {{ .Values.sentinel.persistentVolumeClaimRetentionPolicy.whenScaled }}
 {{- end }}
 volumeClaimTemplates:
- - apiVersion: v1
- kind: PersistentVolumeClaim
- metadata:
- name: redis-data
- labels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 10 }}
- app.kubernetes.io/component: node
- {{- if .Values.replica.persistence.annotations }}
- annotations: {{- toYaml .Values.replica.persistence.annotations | nindent 10 }}
- {{- end }}
- spec:
- accessModes:
- {{- range .Values.replica.persistence.accessModes }}
- - {{ . | quote }}
- {{- end }}
- resources:
- requests:
- storage: {{ .Values.replica.persistence.size | quote }}
- {{- if .Values.replica.persistence.selector }}
- selector: {{- include "common.tplvalues.render" ( dict "value" .Values.replica.persistence.selector "context" $) | nindent 10 }}
- {{- end }}
- {{- include "common.storage.class" (dict "persistence" .Values.replica.persistence "global" .Values.global) | nindent 8 }}
 {{- if .Values.sentinel.persistence.enabled }}
 - apiVersion: v1
 kind: PersistentVolumeClaim
From 51a675245536019f5fa16c9ea58bd19c672fc0e3 Mon Sep 17 00:00:00 2001
From: Thibault Cordier
Date: Thu, 26 Dec 2024 17:33:58 +0100
Subject: [PATCH 4/5] Remove Extra end
---
bitnami/redis/Chart.lock | 6 +++---
bitnami/redis/Chart.yaml | 2 +-
.../redis/templates/sentinel/standalone-statefulset.yaml | 1 -
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/bitnami/redis/Chart.lock b/bitnami/redis/Chart.lock
index e824dbbba3ee2b..a3f4e509b365d8 100644
--- a/bitnami/redis/Chart.lock
+++ b/bitnami/redis/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
- repository: oci://registry-1.docker.io/bitnamicharts
+ repository: file://../common
 version: 2.28.0
-digest: sha256:5b30f0fa07bb89b01c55fd6258c8ce22a611b13623d4ad83e8fdd1d4490adc74
-generated: "2024-12-10T17:25:56.439817+01:00"
+digest: sha256:849f060b6c093a01d629c0276ad0623ba5111dd297147dfe233a15cf03929bee
+generated: "2024-12-26T17:30:12.224836557+01:00"
diff --git a/bitnami/redis/Chart.yaml b/bitnami/redis/Chart.yaml
index 61e62c5d09857b..1f05058b24ab2c 100644
--- a/bitnami/redis/Chart.yaml
+++ b/bitnami/redis/Chart.yaml
@@ -19,7 +19,7 @@ apiVersion: v2
 appVersion: 7.4.1
 dependencies:
 - name: common
- repository: oci://registry-1.docker.io/bitnamicharts
+ repository: "file://../common"
 tags:
 - bitnami-common
 version: 2.x.x
diff --git a/bitnami/redis/templates/sentinel/standalone-statefulset.yaml b/bitnami/redis/templates/sentinel/standalone-statefulset.yaml
index 4add0d938b1323..aadc4c8e4c937b 100644
--- a/bitnami/redis/templates/sentinel/standalone-statefulset.yaml
+++ b/bitnami/redis/templates/sentinel/standalone-statefulset.yaml
@@ -471,4 +471,3 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
-{{- end }}
From 6334469bbaa5fcc90c98965f97bd35973bed5072 Mon Sep 17 00:00:00 2001
From: Thibault Cordier
Date: Tue, 31 Dec 2024 09:38:45 +0100
Subject: [PATCH 5/5] fix(redis): improve sentinel script and logging
- Fix printf commands by removing trailing quotes
- Add more detailed logging in standalone mode:
* Log when standalone mode is enabled
* Log each node iteration for both sentinel and redis checks
- Use replicaCount from values for node iteration
- Keep failback behavior when sentinel info is not found
---
.../redis/templates/scripts-configmap.yaml | 41 ++++++++++++++++++-
1 file changed, 39 insertions(+), 2 deletions(-)
diff --git a/bitnami/redis/templates/scripts-configmap.yaml b/bitnami/redis/templates/scripts-configmap.yaml
index a03ea758e2d99d..1773f74cfb0412 100644
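Review bot: `repository` for the `common` dependency in the Chart.yaml hunk is repointed from the pinned OCI registry to the relative path `file://../common`, and the Chart.lock hunk above it regenerates the lock digest against that local copy. Anyone running `helm dependency update` outside this monorepo can no longer resolve the dependency, and the chart stops pinning the registry-published, digest-verified `common` artifact; this reads as a local-development leftover unrelated to the standalone-sentinel change. Restore `repository: oci://registry-1.docker.io/bitnamicharts` and the previous lock entry before merge.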
--- a/bitnami/redis/templates/scripts-configmap.yaml
+++ b/bitnami/redis/templates/scripts-configmap.yaml
@@ -397,7 +397,44 @@ data:
 fi
 if [[ "$REDIS_SENTINEL_STANDALONE" == "true" ]]; then
- REDIS_MASTER_HOST={{ template "common.names.fullname" . }}-node-0.$HEADLESS_SERVICE
+ info "Standalone mode enabled, searching for master..."
+ master_found=false
+
+ # Try sentinel sidecars on statefulset pods
+ for node in $(seq 0 $(( {{ .Values.replica.replicaCount }} - 1 ))); do
+ info "Iterating over node-$node sentinel sidecar"
+ if timeout 5 redis-cli -h {{ template "common.names.fullname" . }}-node-$node.$HEADLESS_SERVICE -p {{ .Values.sentinel.containerPorts.sentinel }} ping > /dev/null 2>&1; then
+ existing_master=$(redis-cli -h {{ template "common.names.fullname" . }}-node-$node.$HEADLESS_SERVICE -p {{ .Values.sentinel.containerPorts.sentinel }} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }} | head -n 1)
+ if [[ -n "$existing_master" ]]; then
+ REDIS_MASTER_HOST="$existing_master"
+ info "Found existing master at $REDIS_MASTER_HOST"
+ master_found=true
+ break
+ fi
+ fi
+ done
+
+ # If no sentinel found, try Redis nodes directly
+ if [[ "$master_found" == "false" ]]; then
+ for node in $(seq 0 $(( {{ .Values.replica.replicaCount }} - 1 ))); do
+ info "Iterating over node-$node redis node"
+ if timeout 5 redis-cli -h {{ template "common.names.fullname" . }}-node-$node.$HEADLESS_SERVICE -p $REDIS_MASTER_PORT_NUMBER ping > /dev/null 2>&1; then
+ role=$(redis-cli -h {{ template "common.names.fullname" . }}-node-$node.$HEADLESS_SERVICE -p $REDIS_MASTER_PORT_NUMBER info replication | grep "^role:" | cut -d: -f2 | tr -d '[:space:]')
+ if [[ "$role" == "master" ]]; then
+ REDIS_MASTER_HOST={{ template "common.names.fullname" . }}-node-$node.$HEADLESS_SERVICE
+ info "Found active master at node-$node"
+ master_found=true
+ break
+ fi
+ fi
+ done
+ fi
+
+ # Fallback to node-0 if nothing found
+ if [[ "$master_found" == "false" ]]; then
+ REDIS_MASTER_HOST={{ template "common.names.fullname" . }}-node-0.$HEADLESS_SERVICE
+ info "No active master found, falling back to node-0"
+ fi
 fi
 sentinel_conf_set "sentinel monitor" "{{ .Values.sentinel.masterSet }} "$REDIS_MASTER_HOST" "$REDIS_MASTER_PORT_NUMBER" {{ .Values.sentinel.quorum }}"
@@ -420,7 +457,7 @@ data:
 }
 # Add available hosts on the network as known replicas & sentinels
- for node in $(seq 0 $(({{ .Values.replica.replicaCount }}-1))); do
+ for node in $(seq 0 $(( {{ .Values.replica.replicaCount }} - 1 ))); do
 hostname="{{ template "common.names.fullname" . }}-node-$node"
 ip="$(getent hosts "$hostname.$HEADLESS_SERVICE" | awk '{ print $1 }')"
 add_known_sentinel "$hostname" "$ip"
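Review bot: `existing_master` on the sentinel-probe line takes the first line of whatever `redis-cli … sentinel get-master-addr-by-name …` prints and only checks that it is non-empty, so an error reply (for instance when the sentinel rejects the command or requires authentication) can become `REDIS_MASTER_HOST` and is then written verbatim into the `sentinel monitor` line below; reject anything that is not a single token, e.g. `if [[ -n "$existing_master" && "$existing_master" != *[[:space:]]* ]]; then`. The `timeout 5` guards only the `ping` in each loop; the `get-master-addr-by-name` and `info replication` calls that follow run unbounded, so prefix them with the same `timeout 5`. Both probes pass only `-h`/`-p`, so in a deployment with TLS or a sentinel password they presumably fail and the script falls silently back to node-0 — worth confirming against how the rest of this script builds its redis-cli invocations, which is outside the hunk.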