diff --git a/charts/gitops-runtime/Chart.yaml b/charts/gitops-runtime/Chart.yaml index 5f7ef9f5..3be70536 100644 --- a/charts/gitops-runtime/Chart.yaml +++ b/charts/gitops-runtime/Chart.yaml @@ -40,3 +40,7 @@ dependencies: - name: cf-common repository: oci://quay.io/codefresh/charts version: 0.27.0 +- name: redis-ha + version: 4.33.4 + repository: https://dandydeveloper.github.io/charts/ + condition: redis-ha.enabled diff --git a/charts/gitops-runtime/README.md b/charts/gitops-runtime/README.md index 70d98d61..0e0c6a2a 100644 --- a/charts/gitops-runtime/README.md +++ b/charts/gitops-runtime/README.md @@ -360,6 +360,22 @@ gitops-operator: tag: vX.Y.Z ``` +### To 0.24.x + +#### Affected values + +- `.Values.redis`/`.Values.redis-ha`/`.Values.redis-secret-init` were added + +```yaml +# Enabled standalone Redis (single Deployment with 1 replica) +redis: + enabled: true + +# Enabled Redis High Availability (StatefulSet with Proxy) +redis-ha: + enabled: false +``` + ## Values | Key | Type | Default | Description | 
@@ -395,14 +411,14 @@ gitops-operator: | app-proxy.image-enrichment.serviceAccount.name | string | `"codefresh-image-enrichment-sa"` | Name of the service account to create or the name of the existing one to use | | app-proxy.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.image.repository | string | `"quay.io/codefresh/cap-app-proxy"` | | -| app-proxy.image.tag | string | `"1.3706.0"` | | +| app-proxy.image.tag | string | `"1.3772.0"` | | | app-proxy.imagePullSecrets | list | `[]` | | | app-proxy.initContainer.command[0] | string | `"./init.sh"` | | | app-proxy.initContainer.env | object | `{}` | | | app-proxy.initContainer.extraVolumeMounts | list | `[]` | Extra volume mounts for init container | | app-proxy.initContainer.image.pullPolicy | string | `"IfNotPresent"` | | | app-proxy.initContainer.image.repository | string | `"quay.io/codefresh/cap-app-proxy-init"` | | -| app-proxy.initContainer.image.tag | string | `"1.3706.0"` | | +| app-proxy.initContainer.image.tag | string | `"1.3772.0"` | | | app-proxy.initContainer.resources.limits | object | `{}` | | | app-proxy.initContainer.resources.requests.cpu | string | `"0.2"` | | | app-proxy.initContainer.resources.requests.memory | string | `"256Mi"` | | 
@@ -470,8 +486,8 @@ gitops-operator: | argo-cd.crds.install | bool | `true` | | | argo-cd.enabled | bool | `true` | | | argo-cd.fullnameOverride | string | `"argo-cd"` | | -| argo-events.configs.jetstream.versions[0].configReloaderImage | string | `"natsio/nats-server-config-reloader:0.18.2"` | | -| argo-events.configs.jetstream.versions[0].metricsExporterImage | string | `"natsio/prometheus-nats-exporter:0.16.0"` | | +| argo-events.configs.jetstream.versions[0].configReloaderImage | string | `"natsio/nats-server-config-reloader:0.19.1"` | | +| argo-events.configs.jetstream.versions[0].metricsExporterImage | string | `"natsio/prometheus-nats-exporter:0.17.3"` | | | argo-events.configs.jetstream.versions[0].natsImage | string | `"nats:2.11.4"` | | | argo-events.configs.jetstream.versions[0].startCommand | string | `"/nats-server"` | | | argo-events.configs.jetstream.versions[0].version | string | `"latest"` | | 
@@ -491,10 +507,10 @@ gitops-operator: | argo-workflows.mainContainer.resources.requests.ephemeral-storage | string | `"10Mi"` | | | argo-workflows.server.authModes | list | `["client"]` | auth-mode needs to be set to client to be able to see workflow logs from Codefresh UI | | argo-workflows.server.baseHref | string | `"/workflows/"` | Do not change. Workflows UI is only accessed through internal router, changing this values will break routing to workflows native UI from Codefresh. | -| cf-argocd-extras | object | `{"eventReporter":{"affinity":{},"container":{"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"v0.5.14"}},"enabled":true,"nodeSelector":{},"pdb":{"enabled":false,"maxUnavailable":"","minAvailable":"50%"},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"serviceMonitor":{"main":{"enabled":false}},"tolerations":[]},"sourcesServer":{"affinity":{},"container":{"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"v0.5.14"}},"enabled":true,"hpa":{"enabled":false,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"nodeSelector":{},"pdb":{"enabled":false,"maxUnavailable":"","minAvailable":"50%"},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"tolerations":[]}}` | Codefresh extra services for ArgoCD | +| cf-argocd-extras | object | 
`{"eventReporter":{"affinity":{},"container":{"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"1556733"}},"enabled":true,"nodeSelector":{},"pdb":{"enabled":false,"maxUnavailable":"","minAvailable":"50%"},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"serviceMonitor":{"main":{"enabled":false}},"tolerations":[]},"sourcesServer":{"affinity":{},"container":{"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"1556733"}},"enabled":true,"hpa":{"enabled":false,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"nodeSelector":{},"pdb":{"enabled":false,"maxUnavailable":"","minAvailable":"50%"},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"tolerations":[]}}` | Codefresh extra services for ArgoCD | | cf-argocd-extras.eventReporter.pdb.enabled | bool | `false` | Enable PDB for event-reporter | | cf-argocd-extras.eventReporter.serviceMonitor.main.enabled | bool | `false` | Enable ServiceMonitor for event reporter | -| cf-argocd-extras.sourcesServer | object | `{"affinity":{},"container":{"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"v0.5.14"}},"enabled":true,"hpa":{"enabled":false,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"nodeSelector":{},"pdb":{"enabled":false,"maxUnavailable":"","minAvailable":"50%"},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"tolerations":[]}` | Sources server configuration | +| cf-argocd-extras.sourcesServer | object | `{"affinity":{},"container":{"image":{"registry":"quay.io","repository":"codefresh/cf-argocd-extras","tag":"1556733"}},"enabled":true,"hpa":{"enabled":false,"maxReplicas":10,"minReplicas":1,"targetCPUUtilizationPercentage":70},"nodeSelector":{},"pdb":{"enabled":false,"maxUnavailable":"","minAvailable":"50%"},"resources":{"requests":{"cpu":"100m","memory":"128Mi"}},"tolerations":[]}` | Sources server configuration | | cf-argocd-extras.sourcesServer.hpa.enabled | bool | 
`false` | Enable HPA for sources server | | cf-argocd-extras.sourcesServer.pdb.enabled | bool | `false` | Enable PDB for sources server | | codefreshWorkflowLogStoreCM | object | `{"enabled":true,"endpoint":"gitops-workflow-logs.codefresh.io","insecure":false}` | Argo workflows logs storage on Codefresh platform settings. Don't change unless instructed by Codefresh support. | @@ -560,10 +576,11 @@ gitops-operator: | gitops-operator.crds.install | bool | `true` | Whether or not to install CRDs | | gitops-operator.crds.keep | bool | `false` | Keep CRDs if gitops runtime release is uninstalled | | gitops-operator.enabled | bool | `true` | | +| gitops-operator.env.GITOPS_OPERATOR_VERSION | string | `"0.11.1"` | | | gitops-operator.fullnameOverride | string | `""` | | | gitops-operator.image.registry | string | `"quay.io"` | defaults | | gitops-operator.image.repository | string | `"codefresh/codefresh-gitops-operator"` | | -| gitops-operator.image.tag | string | `"v0.11.1"` | | +| gitops-operator.image.tag | string | `"18fcd09"` | | | gitops-operator.imagePullSecrets | list | `[]` | | | gitops-operator.nameOverride | string | `""` | | | gitops-operator.nodeSelector | object | `{}` | | 
@@ -593,7 +610,7 @@ gitops-operator: | global.codefresh.userToken | object | `{"secretKeyRef":{},"token":""}` | User token. Used for runtime registration against the patform. One of token (for plain text value) or secretKeyRef must be provided. | | global.codefresh.userToken.secretKeyRef | object | `{}` | User token that references an existing secret containing the token. | | global.codefresh.userToken.token | string | `""` | User token in plain text. The chart creates and manages the secret for this token. | -| global.external-argo-cd | object | `{"auth":{"password":"","passwordSecretKeyRef":{"key":"password","name":"argocd-initial-admin-secret"},"token":"","tokenSecretKeyRef":{},"type":"password","username":"admin"},"redis":{"port":6379,"svc":"argocd-redis"},"repoServer":{"port":8081,"svc":"argocd-repo-server"},"server":{"port":80,"rootpath":"","svc":"argocd-server"}}` | Configuration for external ArgoCD Should be used when `argo-cd.enabled` is set to false | +| global.external-argo-cd | object | `{"auth":{"password":"","passwordSecretKeyRef":{"key":"password","name":"argocd-initial-admin-secret"},"token":"","tokenSecretKeyRef":{},"type":"password","username":"admin"},"repoServer":{"port":8081,"svc":"argocd-repo-server"},"server":{"port":80,"rootpath":"","svc":"argocd-server"}}` | Configuration for external ArgoCD Should be used when `argo-cd.enabled` is set to false | | global.external-argo-cd.auth | object | `{"password":"","passwordSecretKeyRef":{"key":"password","name":"argocd-initial-admin-secret"},"token":"","tokenSecretKeyRef":{},"type":"password","username":"admin"}` | How GitOps Runtime should authenticate with ArgoCD | | global.external-argo-cd.auth.password | string | `""` | ArgoCD password in plain text | | global.external-argo-cd.auth.passwordSecretKeyRef | object | `{"key":"password","name":"argocd-initial-admin-secret"}` | ArgoCD password referenced by an existing secret | 
@@ -601,8 +618,6 @@ gitops-operator: | global.external-argo-cd.auth.tokenSecretKeyRef | object | `{}` | ArgoCD token referenced by an existing secret | | global.external-argo-cd.auth.type | string | `"password"` | Authentication type. Can be password or token | | global.external-argo-cd.auth.username | string | `"admin"` | ArgoCD username in plain text | -| global.external-argo-cd.redis.port | int | `6379` | Port of the ArgoCD Redis | -| global.external-argo-cd.redis.svc | string | `"argocd-redis"` | Service name of the ArgoCD Redis | | global.external-argo-cd.repoServer.port | int | `8081` | Port of the ArgoCD repo server | | global.external-argo-cd.repoServer.svc | string | `"argocd-repo-server"` | Service name of the ArgoCD repo server | | global.external-argo-cd.server | object | `{"port":80,"rootpath":"","svc":"argocd-server"}` | ArgoCD server settings | @@ -649,7 +664,7 @@ gitops-operator: | internal-router.fullnameOverride | string | `"internal-router"` | | | internal-router.image.pullPolicy | string | `"IfNotPresent"` | | | internal-router.image.repository | string | `"docker.io/nginxinc/nginx-unprivileged"` | | -| internal-router.image.tag | string | `"1.28-alpine3.21"` | | +| internal-router.image.tag | string | `"1.29-alpine3.22"` | | | internal-router.imagePullSecrets | list | `[]` | | | internal-router.ipv6 | object | `{"enabled":false}` | For ipv6 enabled clusters switch ipv6 enabled to true | | internal-router.nameOverride | string | `""` | | 
@@ -673,7 +688,46 @@ gitops-operator: | internal-router.serviceAccount.create | bool | `true` | | | internal-router.serviceAccount.name | string | `""` | | | internal-router.tolerations | list | `[]` | | -| sealed-secrets | object | `{"fullnameOverride":"sealed-secrets-controller","image":{"registry":"quay.io","repository":"codefresh/sealed-secrets-controller","tag":"0.29.0"},"keyrenewperiod":"720h","resources":{"limits":{"cpu":"500m","memory":"1Gi"},"requests":{"cpu":"200m","memory":"512Mi"}}}` | --------------------------------------------------------------------------------------------------------------------- | +| redis | object | `{"affinity":{},"enabled":true,"env":{},"envFrom":[],"extraArgs":[],"image":{"registry":"public.ecr.aws","repository":"docker/library/redis","tag":"8.2.1-alpine"},"imagePullSecrets":[],"livenessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15},"metrics":{"enabled":true,"env":{},"envFrom":[],"image":{"registry":"ghcr.io","repository":"oliver006/redis_exporter","tag":"v1.72.1"},"livenessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15},"readinessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15},"resources":{},"serviceMonitor":{"enabled":false}},"nodeSelector":{},"pdb":{"annotations":{},"enabled":false,"labels":{},"maxUnavailable":"","minAvailable":1},"podAnnotations":{},"podLabels":{},"podSecurityContext":{},"readinessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15},"resources":{},"securityContext":{},"service":{"annotations":{},"labels":{},"ports":{"metrics":{"port":9121,"targetPort":9121},"redis":{"port":6379,"targetPort":6379}},"type":"ClusterIP"},"serviceAccount":{"annotations":{},"create":true,"name":""},"tolerations"
:[],"topologySpreadConstraints":[]}` | Enable standalone redis deployment Will be replaced by redis-ha subchart when `redis-ha.enabled=true` | +| redis-ha.additionalAffinities | object | `{}` | Additional affinities to add to the Redis server pods. | +| redis-ha.affinity | string | `""` | Assign custom [affinity] rules to the Redis pods. | +| redis-ha.auth | bool | `true` | Configures redis-ha with AUTH | +| redis-ha.containerSecurityContext | object | See [values.yaml] | Redis HA statefulset container-level security context | +| redis-ha.enabled | bool | `false` | Enables the Redis HA subchart and disables the custom Redis single node deployment | +| redis-ha.existingSecret | string | `"gitops-runtime-redis"` | Existing Secret to use for redis-ha authentication. By default the redis-secret-init Job is generating this Secret. | +| redis-ha.exporter.enabled | bool | `false` | Enable Prometheus redis-exporter sidecar | +| redis-ha.exporter.image | string | `"ghcr.io/oliver006/redis_exporter"` | Repository to use for the redis-exporter | +| redis-ha.exporter.tag | string | `"v1.69.0"` | Tag to use for the redis-exporter | +| redis-ha.fullnameOverride | string | `"redis-ha"` | Full name of the Redis HA Resources | +| redis-ha.haproxy.additionalAffinities | object | `{}` | Additional affinities to add to the haproxy pods. | +| redis-ha.haproxy.affinity | string | `""` | Assign custom [affinity] rules to the haproxy pods. | +| redis-ha.haproxy.containerSecurityContext | object | See [values.yaml] | HAProxy container-level security context | +| redis-ha.haproxy.enabled | bool | `true` | Enabled HAProxy LoadBalancing/Proxy | +| redis-ha.haproxy.hardAntiAffinity | bool | `true` | Whether the haproxy pods should be forced to run on separate nodes. | +| redis-ha.haproxy.metrics.enabled | bool | `true` | HAProxy enable prometheus metric scraping | +| redis-ha.haproxy.tolerations | list | `[]` | [Tolerations] for use with node taints for haproxy pods. 
| +| redis-ha.hardAntiAffinity | bool | `true` | Whether the Redis server pods should be forced to run on separate nodes. | +| redis-ha.image.repository | string | `"public.ecr.aws/docker/library/redis"` | Redis repository | +| redis-ha.image.tag | string | `"8.2.1-alpine"` | Redis tag | +| redis-ha.persistentVolume.enabled | bool | `false` | Configures persistence on Redis nodes | +| redis-ha.redis.config | object | See [values.yaml] | Any valid redis config options in this section will be applied to each server (see `redis-ha` chart) | +| redis-ha.redis.config.save | string | `'""'` | Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled | +| redis-ha.redis.masterGroupName | string | `"gitops-runtime"` | Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated | +| redis-ha.tolerations | list | `[]` | [Tolerations] for use with node taints for Redis pods. | +| redis-ha.topologySpreadConstraints | object | `{"enabled":false,"maxSkew":"","topologyKey":"","whenUnsatisfiable":""}` | Assign custom [TopologySpreadConstraints] rules to the Redis pods. 
| +| redis-ha.topologySpreadConstraints.enabled | bool | `false` | Enable Redis HA topology spread constraints | +| redis-ha.topologySpreadConstraints.maxSkew | string | `""` (defaults to `1`) | Max skew of pods tolerated | +| redis-ha.topologySpreadConstraints.topologyKey | string | `""` (defaults to `topology.kubernetes.io/zone`) | Topology key for spread | +| redis-ha.topologySpreadConstraints.whenUnsatisfiable | string | `""` (defaults to `ScheduleAnyway`) | Enforcement policy, hard or soft | +| redis-secret-init | object | `{"affinity":{},"image":{"registry":"docker.io","repository":"alpine/kubectl","tag":"1.34.1"},"nodeSelector":{},"tolerations":[]}` | Enable hook job to create redis secret | +| redis.image | object | `{"registry":"public.ecr.aws","repository":"docker/library/redis","tag":"8.2.1-alpine"}` | Redis image | +| redis.metrics | object | `{"enabled":true,"env":{},"envFrom":[],"image":{"registry":"ghcr.io","repository":"oliver006/redis_exporter","tag":"v1.72.1"},"livenessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15},"readinessProbe":{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15},"resources":{},"serviceMonitor":{"enabled":false}}` | Enable metrics sidecar | +| redis.metrics.serviceMonitor | object | `{"enabled":false}` | Enable a prometheus ServiceMonitor | +| redis.pdb | object | `{"annotations":{},"enabled":false,"labels":{},"maxUnavailable":"","minAvailable":1}` | Enabled Pod Disruption Budget for redis | +| redis.readinessProbe | object | `{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15}` | Probes configuration | +| redis.service | object | `{"annotations":{},"labels":{},"ports":{"metrics":{"port":9121,"targetPort":9121},"redis":{"port":6379,"targetPort":6379}},"type":"ClusterIP"}` | Service configuration | +| 
redis.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | Create ServiceAccount for redis | +| sealed-secrets | object | `{"fullnameOverride":"sealed-secrets-controller","image":{"registry":"quay.io","repository":"codefresh/sealed-secrets-controller","tag":"0.32.0"},"keyrenewperiod":"720h","resources":{"limits":{"cpu":"500m","memory":"1Gi"},"requests":{"cpu":"200m","memory":"512Mi"}}}` | --------------------------------------------------------------------------------------------------------------------- | | tunnel-client | object | `{"affinity":{},"enabled":true,"libraryMode":true,"nodeSelector":{},"tolerations":[],"tunnelServer":{"host":"register-tunnels.cf-cd.com","subdomainHost":"tunnels.cf-cd.com"}}` | Tunnel based runtime. Not supported for on-prem platform. In on-prem use ingress based runtimes. | | tunnel-client.enabled | bool | `true` | Will only be used if global.runtime.ingress.enabled = false | | tunnel-client.libraryMode | bool | `true` | Do not change this value! Breaks chart logic | diff --git a/charts/gitops-runtime/README.md.gotmpl b/charts/gitops-runtime/README.md.gotmpl index 837a55c8..43e1919c 100644 --- a/charts/gitops-runtime/README.md.gotmpl +++ b/charts/gitops-runtime/README.md.gotmpl @@ -364,4 +364,20 @@ gitops-operator: tag: vX.Y.Z ``` +### To 0.24.x + +#### Affected values + +- `.Values.redis`/`.Values.redis-ha`/`.Values.redis-secret-init` were added + +```yaml +# Enabled standalone Redis (single Deployment with 1 replica) +redis: + enabled: true + +# Enabled Redis High Availability (StatefulSet with Proxy) +redis-ha: + enabled: false +``` + {{ template "chart.valuesSection" . }} diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml index f59f769e..c0f19ee1 100644 
--- a/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml @@ -217,6 +217,13 @@ LEADER_ID: fieldRef: fieldPath: metadata.name {{- end }} +CACHE_HOST: {{ (splitList ":" (include "codefresh-gitops-runtime.argocd.redis.url" .) | first) }} +CACHE_PORT: {{ (splitList ":" (include "codefresh-gitops-runtime.argocd.redis.url" .) | last) }} +CACHE_PASSWORD: + valueFrom: + secretKeyRef: + name: gitops-runtime-redis + key: auth {{ include "codefresh-gitops-runtime.get-proxy-env-vars" . }} {{- end -}} diff --git a/charts/gitops-runtime/templates/_components/cf-argocd-extras/_default-values.tpl b/charts/gitops-runtime/templates/_components/cf-argocd-extras/_default-values.tpl index 37d145e2..9df788f0 100644 --- a/charts/gitops-runtime/templates/_components/cf-argocd-extras/_default-values.tpl +++ b/charts/gitops-runtime/templates/_components/cf-argocd-extras/_default-values.tpl @@ -148,29 +148,29 @@ eventReporter: REDISDB: valueFrom: configMapKeyRef: - name: argocd-cmd-params-cm + name: event-reporter-cmd-params-cm key: redis.db optional: true REDIS_COMPRESSION: valueFrom: configMapKeyRef: - name: argocd-cmd-params-cm + name: event-reporter-cmd-params-cm key: redis.compression optional: true REDIS_PASSWORD: valueFrom: secretKeyRef: - name: argocd-redis + name: gitops-runtime-redis key: auth REDIS_SERVER: valueFrom: configMapKeyRef: - name: argocd-cmd-params-cm + name: event-reporter-cmd-params-cm key: redis.server REDIS_USERNAME: valueFrom: secretKeyRef: - name: argocd-redis + name: event-reporter-cmd-params-cm key: redis-username optional: true REPO_SERVER: 
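Review bot: The new `CACHE_PASSWORD` entry hard-codes the secret name `gitops-runtime-redis`, while the README in this same commit exposes `redis-ha.existingSecret` (default `"gitops-runtime-redis"`) as a user-settable value, so an override leaves app-proxy reading a secret that does not exist. The same literal is repeated in both `_default-values.tpl` hunks (`REDIS_PASSWORD`), in `redis/deployment.yaml` and in the `redis-secret-init` Job, which also creates that fixed name, so either the name should come from one helper that every consumer and the Job share, or `redis-ha.existingSecret` should be documented as not overridable. A minimal consumer-side form is `name: {{ index .Values "redis-ha" "existingSecret" | default "gitops-runtime-redis" }}`, but the Job must follow the same rule or the override still breaks. The enclosing define starts before this hunk.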
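Review bot: `REDIS_USERNAME` keeps a `secretKeyRef` but now names `event-reporter-cmd-params-cm`, which by its suffix and by the sibling `REDISDB`/`REDIS_SERVER` entries is the ConfigMap introduced for this component, not a Secret; with `optional: true` the mismatch is silent and the username is simply never injected. If the value is meant to live in that ConfigMap, change the selector line to `configMapKeyRef:` (keeping `name`, `key: redis-username` and `optional: true`); if it is meant to stay in a Secret, the `name` should point at that secret instead. The `sourcesServer` hunk has the identical change with `sources-server-cmd-params-cm`. Whether that ConfigMap actually carries a `redis-username` key is not visible in this diff.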
@@ -427,29 +427,29 @@ sourcesServer: REDISDB: valueFrom: configMapKeyRef: - name: argocd-cmd-params-cm + name: sources-server-cmd-params-cm key: redis.db optional: true REDIS_COMPRESSION: valueFrom: configMapKeyRef: - name: argocd-cmd-params-cm + name: sources-server-cmd-params-cm key: redis.compression optional: true REDIS_PASSWORD: valueFrom: secretKeyRef: - name: argocd-redis + name: gitops-runtime-redis key: auth REDIS_SERVER: valueFrom: configMapKeyRef: - name: argocd-cmd-params-cm + name: sources-server-cmd-params-cm key: redis.server REDIS_USERNAME: valueFrom: secretKeyRef: - name: argocd-redis + name: sources-server-cmd-params-cm key: redis-username optional: true REPO_SERVER: diff --git a/charts/gitops-runtime/templates/_helpers.tpl b/charts/gitops-runtime/templates/_helpers.tpl index 1b66f710..68eadb0e 100644 --- a/charts/gitops-runtime/templates/_helpers.tpl +++ b/charts/gitops-runtime/templates/_helpers.tpl 
@@ -330,18 +330,18 @@ Determine argocd server password. Determine argocd redis url */}} {{- define "codefresh-gitops-runtime.argocd.redis.url" -}} -{{- $argoCDValues := (get .Values "argo-cd") }} -{{- if and (index .Values "argo-cd" "enabled") }} - {{- $serviceName := include "codefresh-gitops-runtime.argocd.redis.servicename" . }} - {{- $port := include "codefresh-gitops-runtime.argocd.redis.serviceport" . }} - {{- printf "%s:%s" $serviceName $port }} -{{- else if and (index .Values "global" "external-argo-cd" "redis") }} - {{- $redis := (index .Values "global" "external-argo-cd" "redis") }} - {{- $svc := required "ArgoCD is not enabled and .Values.global.external-argo-cd.redis.svc is not set" $redis.svc }} - {{- $port := required "ArgoCD is not enabled and .Values.global.external-argo-cd.redis.port is not set" $redis.port }} - {{- printf "%s:%v" $svc $port }} +{{- if and (index .Values "redis-ha" "enabled") (index .Values "redis-ha" "haproxy" "enabled") }} + {{- $redisHa := (index .Values "redis-ha") -}} + {{- $redisHaContext := dict "Chart" (dict "Name" "redis-ha") "Release" .Release "Values" $redisHa -}} + {{- $serverName := printf "%s-haproxy" (include "redis-ha.fullname" $redisHaContext) | trunc 63 | trimSuffix "-" -}} + {{- $port := $redisHa.haproxy.servicePort -}} + {{- printf "%s:%v" $serverName $port }} +{{- else if .Values.redis.enabled }} + {{- $serviceName := include "redis.fullname" . }} + {{- $port := .Values.redis.service.ports.redis.port }} + {{- printf "%s:%v" $serviceName $port }} {{- else }} - {{- fail "ArgoCD is not enabled and .Values.global.external-argo-cd.redis is not set" }} + {{- fail "ERROR: .Values.redis or .Values.redis-ha must be enabled!" }} {{- end }} {{- end}} 
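Review bot: The first branch requires both `redis-ha.enabled` and `redis-ha.haproxy.enabled`, so a deployment with HA on and HAProxy off falls through to the `.Values.redis.enabled` branch (default `true`) and the URL resolves to the standalone `redis` Service, yet `redis/deployment.yaml` in this commit only renders that Deployment when `redis-ha.enabled` is false, so consumers would point at a Service with no backend. Adding an explicit branch between the two, `{{- else if (index .Values "redis-ha" "enabled") }}` followed by `{{- fail "ERROR: redis-ha.haproxy.enabled must be true when redis-ha.enabled is true" }}`, turns that silent misconfiguration into a render-time error (or that branch could compute the redis-ha master Service address if HAProxy-less HA is meant to be supported). Dropping the `global.external-argo-cd.redis` path means an external-ArgoCD install now always needs one of the in-chart Redis options; the README removes those values but the `To 0.24.x` section does not say so explicitly.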
@@ -536,3 +536,75 @@ NO_PROXY: {{ .Values.global.noProxy | quote }} {{- printf "%s" $eventBusName }} {{- end }} + +{{- define "codefresh-gitops-runtime.image.name" -}} + {{/* Restoring root $ context */}} + {{- $ := .context -}} + + {{- $registryName := .image.registry -}} + {{- $repositoryName := .image.repository -}} + {{- $imageTag := .image.tag | toString -}} + {{- $imageDigest := .image.digest }} + + {{- if $.Values.global -}} + {{- if $.Values.global.imageRegistry -}} + {{ $registryName = $.Values.global.imageRegistry }} + {{- end -}} + {{- end -}} + + {{- if $registryName -}} + {{- if $imageDigest }} + {{- printf "%s/%s:%s@%s" $registryName $repositoryName $imageTag $imageDigest -}} + {{- else }} + {{- printf "%s/%s:%s" $registryName $repositoryName $imageTag -}} + {{- end }} + {{- else }} + {{- if $imageDigest }} + {{- printf "%s:%s@%s" $repositoryName $imageTag $imageDigest -}} + {{- else }} + {{- printf "%s:%s" $repositoryName $imageTag -}} + {{- end }} + {{- end }} +{{- end }} + +{{- define "codefresh-gitops-runtime.env-vars"}} +{{- $ := .context }} + {{- if .Values }} + {{- if not (kindIs "map" .Values) }} + {{ fail "ERROR: env block must be a map"}} + {{- end }} + {{- end }} + {{- $env := .Values }} + {{- $templatedEnv := include "codefresh-gitops-runtime.tplrender" (dict "Values" $env "context" $) | fromYaml }} + {{- range $name, $val := $templatedEnv }} + {{- if or (kindIs "string" $val) (kindIs "bool" $val) (kindIs "int" $val) (kindIs "float64" $val) }} +- name: {{ $name }} + value: {{ $val | quote }} + {{- else if kindIs "map" $val}} + {{- if hasKey $val "valueFrom" }} + {{- if or (hasKey $val.valueFrom "secretKeyRef") (hasKey $val.valueFrom "configMapKeyRef") (hasKey $val.valueFrom "fieldRef") }} +- name: {{ $name }} +{{- $val | toYaml | nindent 2 }} + {{- else}} + {{ fail "ERROR: Only secretKeyRef/configMapKeyRef/fieldRef are supported for valueFrom block for environment variables!" 
}} + {{- end}} + {{- else }} + {{ fail "ERROR: Cannot generate environment variables only strings and valueFrom are supported!"}} + {{- end }} + {{- else }} + {{ fail "ERROR: Only maps and string/int/bool are supported for environment variables!"}} + {{- end }} + {{- end }} +{{- end }} + +{{- define "codefresh-gitops-runtime.tplrender" -}} + {{- $tpl := .Values -}} + {{- if not (typeIs "string" $tpl) -}} + {{- $tpl = toYaml $tpl -}} + {{- end -}} + {{- if contains "{{" $tpl -}} + {{- tpl $tpl .context }} + {{- else -}} + {{- $tpl -}} + {{- end -}} +{{- end -}} diff --git a/charts/gitops-runtime/templates/app-proxy/deployment.yaml b/charts/gitops-runtime/templates/app-proxy/deployment.yaml index 0dab28dc..d9d2e9ab 100644 --- a/charts/gitops-runtime/templates/app-proxy/deployment.yaml +++ b/charts/gitops-runtime/templates/app-proxy/deployment.yaml @@ -3,6 +3,8 @@ {{- $_ := set $appProxyContext "Values" (deepCopy (get .Values "app-proxy")) }} {{- $_ := set $appProxyContext.Values "global" (deepCopy (get .Values "global")) }} {{- $_ := set $appProxyContext.Values "argo-cd" (get .Values "argo-cd") }} +{{- $_ := set $appProxyContext.Values "redis" (get .Values "redis") }} +{{- $_ := set $appProxyContext.Values "redis-ha" (get .Values "redis-ha") }} {{/* Merge environment variables with the ones in _app-proxy-env.yaml */}} {{- $mainContainerMergedValues := mergeOverwrite $appProxyContext.Values.env (include "codefresh-gitops-runtime.app-proxy.calculated-env-vars" . | fromYaml) }} diff --git a/charts/gitops-runtime/templates/hooks/pre-install/redis-secret-init/job.yaml b/charts/gitops-runtime/templates/hooks/pre-install/redis-secret-init/job.yaml new file mode 100644 index 00000000..b35bb953 --- /dev/null +++ b/charts/gitops-runtime/templates/hooks/pre-install/redis-secret-init/job.yaml 
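Review bot: `codefresh-gitops-runtime.image.name` always emits `:<tag>` before an optional `@<digest>`, so a digest-only image (no `tag`) renders as `repo:@sha256:...`, which is not a valid reference; and because Sprig's `toString` on a nil value does not yield an empty string (it renders `<nil>`, worth confirming), the no-tag case cannot even be detected with `if $imageTag` as written. Building the reference incrementally and appending each part only when it is set makes both `repo@digest` and `repo:tag@digest` valid and keeps the current output for every call that passes a tag. The `env-vars` and `tplrender` defines in this hunk are unaffected.
```yaml
{{- define "codefresh-gitops-runtime.image.name" -}}
  {{/* Restoring root $ context */}}
  {{- $ := .context -}}

  {{- $registryName := .image.registry -}}
  {{- $repositoryName := .image.repository -}}
  {{- $imageTag := .image.tag | default "" | toString -}}
  {{- $imageDigest := .image.digest | default "" | toString -}}

  {{/* … unchanged: global.imageRegistry override of $registryName … */}}

  {{- $ref := $repositoryName -}}
  {{- if $registryName -}}
    {{- $ref = printf "%s/%s" $registryName $repositoryName -}}
  {{- end -}}
  {{- if $imageTag -}}
    {{- $ref = printf "%s:%s" $ref $imageTag -}}
  {{- end -}}
  {{- if $imageDigest -}}
    {{- $ref = printf "%s@%s" $ref $imageDigest -}}
  {{- end -}}
  {{- $ref -}}
{{- end }}
```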
@@ -0,0 +1,37 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: redis-secret-init + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation + helm.sh/hook-weight: "10" +spec: + backoffLimit: 0 + ttlSecondsAfterFinished: 300 + template: + spec: + serviceAccountName: redis-secret-init + restartPolicy: Never + containers: + - name: redis-secret-init + image: {{ include "codefresh-gitops-runtime.image.name" (dict "image" (index .Values "redis-secret-init" "image") "context" .) }} + imagePullPolicy: {{ index .Values "redis-secret-init" "image" "pullPolicy" | default "IfNotPresent" }} + command: ["sh", "-c"] + args: + - | + PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c16) + if kubectl get secret gitops-runtime-redis -o jsonpath="{.data.auth}" &> /dev/null; then + echo "Secret gitops-runtime-redis already exists, skipping creation" + exit 0 + fi + kubectl create secret generic gitops-runtime-redis --from-literal=auth=$PASSWORD --dry-run=client -o yaml | kubectl apply -f - + {{- with (index .Values "redis-secret-init" "nodeSelector") | default .Values.global.nodeSelector }} + nodeSelector: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with (index .Values "redis-secret-init" "tolerations") | default .Values.global.tolerations }} + tolerations: {{ toYaml . | nindent 6 }} + {{- end }} + {{- with (index .Values "redis-secret-init" "affinity") }} + affinity: {{ toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/gitops-runtime/templates/hooks/pre-install/redis-secret-init/rbac.yaml b/charts/gitops-runtime/templates/hooks/pre-install/redis-secret-init/rbac.yaml new file mode 100644 index 00000000..9b331b4c --- /dev/null +++ b/charts/gitops-runtime/templates/hooks/pre-install/redis-secret-init/rbac.yaml 
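Review bot: The existence check uses `&> /dev/null`, which is a bash extension: a strictly POSIX `sh` parses it as `kubectl … &` followed by a bare `> /dev/null`, so the `if` would test the redirect's exit status (always 0) and the Job would skip creation every time; busybox ash in the `alpine/kubectl` image probably accepts it, but `if kubectl get secret gitops-runtime-redis >/dev/null 2>&1; then` is unambiguous. The generated password is also passed on the command line via `--from-literal=auth=$PASSWORD`, where it is visible in the pod's process list; `printf '%s' "$PASSWORD" | kubectl create secret generic gitops-runtime-redis --from-file=auth=/dev/stdin` keeps it off argv. The script has no `set -e`, so if the generation pipeline fails the secret is created with an empty `auth`; a `[ -n "$PASSWORD" ] || exit 1` guard after the assignment prevents that. The hook pod also declares no `securityContext`, unlike the Redis Deployment in this commit which takes one from values.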
@@ -0,0 +1,51 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: redis-secret-init + namespace: {{ .Release.Namespace }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed + helm.sh/hook-weight: "-10" +rules: + - apiGroups: + - "" + resources: + - secrets + resourceNames: + - gitops-runtime-redis + verbs: + - get + - apiGroups: + - "" + resources: + - secrets + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: redis-secret-init + namespace: {{ .Release.Namespace }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed + helm.sh/hook-weight: "-10" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: redis-secret-init +subjects: +- kind: ServiceAccount + name: redis-secret-init + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: redis-secret-init + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed + helm.sh/hook-weight: "-10" diff --git a/charts/gitops-runtime/templates/redis/_helpers.tpl b/charts/gitops-runtime/templates/redis/_helpers.tpl new file mode 100644 index 00000000..15d65e70 --- /dev/null +++ b/charts/gitops-runtime/templates/redis/_helpers.tpl 
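Review bot: The second rule grants `create` on every Secret in the release namespace; that is unavoidable because `resourceNames` cannot restrict `create`, but it deserves a comment so the next reader does not try to narrow it, e.g. `# create cannot be scoped by resourceNames; the Role is hook-scoped and removed once the Job succeeds`. The Job in this commit applies the secret with `kubectl apply -f -`, which needs `patch` when the object already exists, and that verb is not granted here, so the exists-check in the Job script is load-bearing for RBAC as well as for idempotence; worth noting next to the `get` rule. The three resources here use `hook-failed` in their delete policy while the Job does not, which may be deliberate (keep the failed Job for debugging) but is worth a comment either way.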
@@ -0,0 +1,48 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "redis.fullname" -}} +{{- print "redis" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "redis.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "redis.labels" -}} +helm.sh/chart: {{ include "redis.chart" . }} +{{ include "redis.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/part-of: redis +codefresh.io/internal: "true" +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "redis.selectorLabels" -}} +app.kubernetes.io/name: redis +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "redis.serviceAccountName" -}} +{{- if .Values.redis.serviceAccount.create }} +{{- default (include "redis.fullname" .) .Values.redis.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.redis.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/gitops-runtime/templates/redis/deployment.yaml b/charts/gitops-runtime/templates/redis/deployment.yaml new file mode 100644 index 00000000..174e4460 --- /dev/null +++ b/charts/gitops-runtime/templates/redis/deployment.yaml 
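Review bot: The header comment on `redis.fullname` (truncation at 63 chars, release name containing the chart name) describes a template the body does not implement; the define is a fixed `print "redis"`, so the comment misleads anyone who later expects `fullnameOverride` semantics. Replace it with `{{/* Fixed name for the in-chart Redis resources; must match app.kubernetes.io/name in redis.selectorLabels */}}`. Since these defines live in the parent chart's templates, `redis.chart` reads the parent's `.Chart.Name`/`.Chart.Version`, so `helm.sh/chart` on the Redis resources will carry the gitops-runtime chart identity rather than a Redis one; if that is intended, a one-line comment saying so would stop it being "fixed" later.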
@@ -0,0 +1,156 @@
+{{- $redisHa := index .Values "redis-ha" }}
+{{- if and .Values.redis.enabled (not $redisHa.enabled) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "redis.fullname" . }}
+ labels:
+ {{- include "redis.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "redis.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.redis.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "redis.selectorLabels" . | nindent 8 }}
+ {{- with .Values.redis.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.redis.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "redis.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.redis.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ include "redis.fullname" . }}
+ securityContext:
+ {{- toYaml .Values.redis.securityContext | nindent 12 }}
+ image: {{ include "codefresh-gitops-runtime.image.name" (dict "image" .Values.redis.image "context" .) }}
+ imagePullPolicy: {{ .Values.redis.image.pullPolicy | default "IfNotPresent" }}
+ args:
+ {{- with .Values.redis.extraArgs }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ - --save
+ - ""
+ - --appendonly
+ - "no"
+ - --requirepass $(REDIS_PASSWORD)
+ env:
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: gitops-runtime-redis
+ key: auth
+ {{- include "codefresh-gitops-runtime.env-vars" (dict "Values" .Values.redis.env "context" .) | nindent 8 }}
+ {{- with .Values.redis.envFrom }}
+ {{- toYaml . 
| nindent 8 }}
+ {{- end }}
+ {{- if .Values.redis.livenessProbe.enabled }}
+ livenessProbe:
+ initialDelaySeconds: {{ .Values.redis.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.redis.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.redis.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.redis.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.redis.livenessProbe.failureThreshold }}
+ exec:
+ command:
+ - sh
+ - -c
+ - /health/redis_liveness.sh
+ {{- end }}
+ {{- if .Values.redis.readinessProbe.enabled }}
+ readinessProbe:
+ initialDelaySeconds: {{ .Values.redis.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.redis.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.redis.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.redis.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.redis.readinessProbe.failureThreshold }}
+ exec:
+ command:
+ - sh
+ - -c
+ - /health/redis_readiness.sh
+ {{- end }}
+ ports:
+ - name: redis
+ containerPort: {{ .Values.redis.service.ports.redis.targetPort }}
+ protocol: TCP
+ resources:
+ {{- toYaml .Values.redis.resources | nindent 10 }}
+ volumeMounts:
+ - mountPath: /health
+ name: health
+ {{- if .Values.redis.metrics.enabled }}
+ - name: metrics
+ image: {{ include "codefresh-gitops-runtime.image.name" (dict "image" .Values.redis.metrics.image "context" .) }}
+ imagePullPolicy: {{ .Values.redis.metrics.image.pullPolicy | default "IfNotPresent" }}
+ env:
+ - name: REDIS_ADDR
+ value: {{ printf "redis://localhost:%v" .Values.redis.service.ports.redis.targetPort }}
+ - name: REDIS_EXPORTER_WEB_LISTEN_ADDRESS
+ value: {{ printf "0.0.0.0:%v" .Values.redis.service.ports.metrics.targetPort }}
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: gitops-runtime-redis
+ key: auth
+ {{- include "codefresh-gitops-runtime.env-vars" (dict "Values" .Values.redis.metrics.env "context" .) 
| nindent 8 }}
+ {{- with .Values.redis.metrics.envFrom }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ ports:
+ - name: metrics
+ containerPort: {{ .Values.redis.service.ports.metrics.targetPort }}
+ {{- if .Values.redis.metrics.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: {{ .Values.redis.service.ports.metrics.targetPort }}
+ initialDelaySeconds: {{ .Values.redis.metrics.livenessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.redis.metrics.livenessProbe.timeoutSeconds }}
+ periodSeconds: {{ .Values.redis.metrics.livenessProbe.periodSeconds }}
+ successThreshold: {{ .Values.redis.metrics.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.redis.metrics.livenessProbe.failureThreshold }}
+ {{- end }}
+ {{- if .Values.redis.metrics.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: /metrics
+ port: {{ .Values.redis.service.ports.metrics.targetPort }}
+ initialDelaySeconds: {{ .Values.redis.metrics.readinessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.redis.metrics.readinessProbe.timeoutSeconds }}
+ periodSeconds: {{ .Values.redis.metrics.readinessProbe.periodSeconds }}
+ successThreshold: {{ .Values.redis.metrics.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.redis.metrics.readinessProbe.failureThreshold }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.redis.metrics.resources | nindent 10 }}
+ {{- end }}
+ {{- with .Values.redis.nodeSelector | default .Values.global.nodeSelector }}
+ nodeSelector: {{ toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.redis.tolerations | default .Values.global.tolerations }}
+ tolerations: {{ toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with .Values.redis.affinity }}
+ affinity: {{ toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.redis.topologySpreadConstraints }}
+ topologySpreadConstraints: {{- include "codefresh-gitops-runtime.tplrender" (dict "Values" . "context" .) 
| nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: health
+ configMap:
+ name: {{ include "redis.fullname" . }}-health
+ defaultMode: 493
+{{- end }}
diff --git a/charts/gitops-runtime/templates/redis/health-configmap.yaml b/charts/gitops-runtime/templates/redis/health-configmap.yaml
new file mode 100644
index 00000000..8d5fb71a
--- /dev/null
+++ b/charts/gitops-runtime/templates/redis/health-configmap.yaml
@@ -0,0 +1,37 @@
+{{- $redisHa := index .Values "redis-ha" }}
+{{- if and .Values.redis.enabled (not $redisHa.enabled) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "redis.fullname" . }}-health
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "redis.labels" . | nindent 4 }}
+data:
+ redis_liveness.sh: |
+ response=$(
+ redis-cli \
+ -a "${REDIS_PASSWORD}" --no-auth-warning \
+ -h localhost \
+ -p {{ .Values.redis.service.ports.redis.targetPort }} \
+ ping
+ )
+ if [ "$response" != "PONG" ] && [ "${response:0:7}" != "LOADING" ] ; then
+ echo "$response"
+ exit 1
+ fi
+ echo "response=$response"
+ redis_readiness.sh: |
+ response=$(
+ redis-cli \
+ -a "${REDIS_PASSWORD}" --no-auth-warning \
+ -h localhost \
+ -p {{ .Values.redis.service.ports.redis.targetPort }} \
+ ping
+ )
+ if [ "$response" != "PONG" ] ; then
+ echo "$response"
+ exit 1
+ fi
+ echo "response=$response"
+{{- end }}
diff --git a/charts/gitops-runtime/templates/redis/pdb.yaml b/charts/gitops-runtime/templates/redis/pdb.yaml
new file mode 100644
index 00000000..67a5d0fc
--- /dev/null
+++ b/charts/gitops-runtime/templates/redis/pdb.yaml
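Review bot: The pod spec sets `serviceAccountName` but never turns off token mounting, so the redis and exporter containers receive an API token neither of them uses; add `automountServiceAccountToken: false` beside `serviceAccountName` (this also covers `serviceAccount.create: false`, where the helper falls back to the namespace `default` account). `--requirepass $(REDIS_PASSWORD)` is expanded by the kubelet, so the password ends up in the redis process's argument list rather than only in the Secret; if that is an accepted trade-off, record it in a comment on the `args:` line, otherwise a config file projected from the Secret keeps it out of the arguments. The exporter sidecar gets no `securityContext` at all, unlike the redis container; rendering a `metrics.securityContext` value there would close that gap. `defaultMode: 493` would read better with `# 0755: the probe scripts are executed directly by sh -c`, since the decimal form hides the intent.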
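Review bot: Both probe scripts hand the password to `redis-cli -a`, so it appears in the argument list of every probe invocation; `redis-cli` also reads the `REDISCLI_AUTH` environment variable, and `REDISCLI_AUTH="${REDIS_PASSWORD}" redis-cli --no-auth-warning -h localhost -p … ping` performs the same check without that exposure. `${response:0:7}` is a bash-style substring expansion while the probes run under `sh -c`; busybox ash in the alpine image accepts it only when built with its bash-compatibility option, so `case "$response" in LOADING*) ;; *) echo "$response"; exit 1 ;; esac` is the portable form. The readiness script deliberately rejects `LOADING` (the pod is not ready until the dataset is loaded); a one-line comment saying so would stop someone "aligning" it with the liveness script later.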
@@ -0,0 +1,28 @@
+{{- $redisHa := index .Values "redis-ha" }}
+{{- if and .Values.redis.enabled (not $redisHa.enabled) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "redis.labels" . | nindent 4 }}
+ {{- with .Values.redis.pdb.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.redis.pdb.annotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+spec:
+ {{- with .Values.redis.pdb.maxUnavailable }}
+ maxUnavailable: {{ . }}
+ {{- else }}
+ minAvailable: {{ .Values.redis.pdb.minAvailable | default 1 }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "redis.selectorLabels" . | nindent 6 }}
+{{- end }}
diff --git a/charts/gitops-runtime/templates/redis/service.yaml b/charts/gitops-runtime/templates/redis/service.yaml
new file mode 100644
index 00000000..30b73631
--- /dev/null
+++ b/charts/gitops-runtime/templates/redis/service.yaml
@@ -0,0 +1,29 @@
+{{- $redisHa := index .Values "redis-ha" }}
+{{- if and .Values.redis.enabled (not $redisHa.enabled) }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "redis.labels" . | nindent 4 }}
+ {{- with .Values.redis.service.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.redis.service.annotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+spec:
+ ports:
+ - name: redis
+ port: {{ .Values.redis.service.ports.redis.port }}
+ targetPort: redis
+ - name: metrics
+ port: {{ .Values.redis.service.ports.metrics.port }}
+ targetPort: metrics
+ selector:
+ {{- include "redis.selectorLabels" . | nindent 4 }}
+{{- end }}
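Review bot: The render guard on the second line ignores `.Values.redis.pdb.enabled`, so a PodDisruptionBudget with `minAvailable: 1` is created for every standalone install even though `values.yaml` defaults `pdb.enabled` to `false`; with `replicas: 1` in the Deployment that PDB forbids voluntary eviction of the only redis pod and will stall node drains. Change the guard to `{{- if and .Values.redis.enabled .Values.redis.pdb.enabled (not $redisHa.enabled) }}` and add a test that no PDB document is rendered by default.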
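Review bot: The `metrics` Service port is rendered unconditionally, while the exporter sidecar in the Deployment is wrapped in `{{- if .Values.redis.metrics.enabled }}`, so with metrics disabled the Service advertises a port that no container backs. Wrap the second port entry in the same `{{- if .Values.redis.metrics.enabled }} … {{- end }}`. `.Values.redis.service.type` is declared in `values.yaml` but `spec.type` is never rendered here; either add `type: {{ .Values.redis.service.type }}` under `spec:` or drop the value so it does not look configurable.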
diff --git a/charts/gitops-runtime/templates/redis/serviceaccount.yaml b/charts/gitops-runtime/templates/redis/serviceaccount.yaml
new file mode 100644
index 00000000..4bb1af29
--- /dev/null
+++ b/charts/gitops-runtime/templates/redis/serviceaccount.yaml
@@ -0,0 +1,16 @@
+{{- $redisHa := index .Values "redis-ha" }}
+{{- if and .Values.redis.enabled .Values.redis.serviceAccount.create (not $redisHa.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "redis.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ {{- with .Values.redis.serviceAccount.annotations }}
+ annotations:
+ {{- range $key, $value := . }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ labels:
+ {{- include "redis.labels" . | nindent 4 }}
+{{- end }}
diff --git a/charts/gitops-runtime/templates/redis/servicemonitor.yaml b/charts/gitops-runtime/templates/redis/servicemonitor.yaml
new file mode 100644
index 00000000..b51c93e7
--- /dev/null
+++ b/charts/gitops-runtime/templates/redis/servicemonitor.yaml
@@ -0,0 +1,36 @@
+{{- $redisHa := index .Values "redis-ha" }}
+{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.redis.enabled (not $redisHa.enabled) .Values.redis.metrics.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "redis.labels" . | nindent 4 }}
+ {{- with .Values.redis.metrics.serviceMonitor.selector }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.redis.metrics.serviceMonitor.additionalLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.redis.metrics.serviceMonitor.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ endpoints:
+ - port: {{ .Values.redis.service.ports.metrics.port }}
+ {{- with .Values.redis.metrics.serviceMonitor.interval }}
+ interval: {{ . }}
+ {{- end }}
+ path: /metrics
+ {{- with .Values.redis.metrics.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ . }}
+ {{- end }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ {{- include "redis.selectorLabels" . | nindent 6 }}
+{{- end }}
diff --git a/charts/gitops-runtime/tests/cf-argocd-extras_test.yaml b/charts/gitops-runtime/tests/cf-argocd-extras_test.yaml
index 1e31b2e9..ae226a5b 100644
--- a/charts/gitops-runtime/tests/cf-argocd-extras_test.yaml
+++ b/charts/gitops-runtime/tests/cf-argocd-extras_test.yaml
@@ -14,7 +14,7 @@ tests:
 value: argo-cd-server:80
 - equal:
 path: data["redis.server"]
- value: argo-cd-redis:6379
+ value: redis:6379
 - equal:
 path: data["repo.server"]
 value: argo-cd-repo-server:8081
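Review bot: The guard on the second line checks `serviceMonitor.enabled` but not `.Values.redis.metrics.enabled`, so disabling the exporter sidecar while leaving the ServiceMonitor on yields a scrape target that never answers; add `.Values.redis.metrics.enabled` to the `and`. Merging `serviceMonitor.selector` into `metadata.labels` follows the Prometheus Operator convention, but none of `selector`, `additionalLabels`, `annotations`, `interval` or `scrapeTimeout` exist under `redis.metrics.serviceMonitor` in `values.yaml`, so they are invisible to helm-docs and to anyone reading the defaults; listing them there with empty defaults makes them discoverable. `- port: {{ .Values.redis.service.ports.metrics.port }}` passes a number where the ServiceMonitor endpoint expects the Service port *name*; `port: metrics` matches the Service defined in this commit and survives a port-number change.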
@@ -123,26 +123,24 @@ tests: values: - ./values/mandatory-values-ingress.yaml set: - argo-cd: - redis-ha: - enabled: true + redis-ha: + enabled: true asserts: - equal: path: data["redis.server"] - value: RELEASE-NAME-redis-ha-haproxy:6379 + value: redis-ha-haproxy:6379 - it: Event-Reporter ConfigMap should have valid redis-ha url template: cf-argocd-extras/event-reporter/configmap.yaml values: - ./values/mandatory-values-ingress.yaml set: - argo-cd: - redis-ha: - enabled: true + redis-ha: + enabled: true asserts: - equal: path: data["redis.server"] - value: RELEASE-NAME-redis-ha-haproxy:6379 + value: redis-ha-haproxy:6379 - it: Sources-Server should have an OPTIONAL codefresh-tls-certs volume and volumeMount by default template: cf-argocd-extras/sources-server/deployment.yaml diff --git a/charts/gitops-runtime/tests/external_argocd_test.yaml b/charts/gitops-runtime/tests/external_argocd_test.yaml index a8bee393..f09b48f2 100644 --- a/charts/gitops-runtime/tests/external_argocd_test.yaml +++ b/charts/gitops-runtime/tests/external_argocd_test.yaml @@ -253,7 +253,7 @@ tests: asserts: - equal: path: data["redis.server"] - value: my-argocd-redis:6379 + value: redis:6379 - it: event-reporter ConfigMap should have valid Sources Server address template: cf-argocd-extras/event-reporter/configmap.yaml @@ -379,7 +379,7 @@ tests: asserts: - equal: path: data["redis.server"] - value: my-argocd-redis:6379 + value: redis:6379 - it: sources-server ConfigMap should have valid Repo Server URL template: cf-argocd-extras/sources-server/configmap.yaml 
@@ -490,17 +490,6 @@ tests: - failedTemplate: errorMessage: "ArgoCD is not enabled and .Values.global.external-argo-cd.auth.password or .Values.global.external-argo-cd.auth.passwordSecretKeyRef is not set" - - it: should require ArgoCd redis address if it's not provided - template: cf-argocd-extras/sources-server/deployment.yaml - values: - - ./values/mandatory-values-ingress.yaml - - ./values/external-argocd-values.yaml - set: - global.external-argo-cd.redis: null - asserts: - - failedTemplate: - errorMessage: "ArgoCD is not enabled and .Values.global.external-argo-cd.redis is not set" - - it: should require ArgoCd repoServer address if it's not provided template: cf-argocd-extras/sources-server/deployment.yaml values: diff --git a/charts/gitops-runtime/tests/redis_test.yaml b/charts/gitops-runtime/tests/redis_test.yaml new file mode 100644 index 00000000..89341135 --- /dev/null +++ b/charts/gitops-runtime/tests/redis_test.yaml 
@@ -0,0 +1,72 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: redis tests
+templates:
+ - cf-argocd-extras/**/*.yaml
+ - app-proxy/deployment.yaml
+ - redis/**
+ - charts/redis-ha/**
+tests:
+ - it: Standalone Redis Deployment should be created by default
+ template: redis/deployment.yaml
+ values:
+ - ./values/mandatory-values-ingress.yaml
+ asserts:
+ - containsDocument:
+ kind: Deployment
+ apiVersion: apps/v1
+ name: redis
+
+ - it: Redis HA StatefulSet should be created when redis-ha.enabled is true
+ template: charts/redis-ha/templates/redis-ha-statefulset.yaml
+ values:
+ - ./values/mandatory-values-ingress.yaml
+ set:
+ redis-ha.enabled: true
+ asserts:
+ - containsDocument:
+ kind: StatefulSet
+ apiVersion: apps/v1
+ name: redis-ha-server
+ - containsDocument:
+ kind: Deployment
+ apiVersion: apps/v1
+ name: redis
+ not: true
+
+ - it: App-Proxy should have CACHE_ environment variables (standalone Redis)
+ template: app-proxy/deployment.yaml
+ values:
+ - ./values/mandatory-values-ingress.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].env[?(@.name=="CACHE_HOST")].value
+ value: redis
+ - equal:
+ path: spec.template.spec.containers[0].env[?(@.name=="CACHE_PORT")].value
+ value: "6379"
+ - equal:
+ path: spec.template.spec.containers[0].env[?(@.name=="CACHE_PASSWORD")].valueFrom
+ value:
+ secretKeyRef:
+ name: gitops-runtime-redis
+ key: auth
+
+ - it: App-Proxy should have CACHE_ environment variables (Redis HA)
+ template: app-proxy/deployment.yaml
+ values:
+ - ./values/mandatory-values-ingress.yaml
+ set:
+ redis-ha.enabled: true
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].env[?(@.name=="CACHE_HOST")].value
+ value: redis-ha-haproxy
+ - equal:
+ path: spec.template.spec.containers[0].env[?(@.name=="CACHE_PORT")].value
+ value: "6379"
+ - equal:
+ path: 
spec.template.spec.containers[0].env[?(@.name=="CACHE_PASSWORD")].valueFrom
+ value:
+ secretKeyRef:
+ name: gitops-runtime-redis
+ key: auth
diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml
index ef41f14d..0b47df0e 100644
--- a/charts/gitops-runtime/values.yaml
+++ b/charts/gitops-runtime/values.yaml
@@ -144,11 +144,6 @@ global:
 # e.g.
 # rootpath: '/argocd'
 rootpath: ''
- redis:
- # -- Service name of the ArgoCD Redis
- svc: argocd-redis
- # -- Port of the ArgoCD Redis
- port: 6379
 repoServer:
 # -- Service name of the ArgoCD repo server
 svc: argocd-repo-server
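Review bot: The negated `containsDocument` in the "Redis HA StatefulSet" test is evaluated against the test-level `template: charts/redis-ha/templates/redis-ha-statefulset.yaml`, where a `Deployment` named `redis` can never appear, so it passes without proving that `redis/deployment.yaml` renders nothing when `redis-ha.enabled` is true. Give that assert its own target, `template: redis/deployment.yaml` with `hasDocuments: count: 0`, or move it into a separate test case. The hook RBAC has no coverage either; an assert that the Role's first rule carries `resourceNames: [gitops-runtime-redis]` would catch a later edit that silently widens the `get` grant.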
@@ -804,3 +799,194 @@ cf-argocd-extras:
 enabled: false
 minAvailable: "50%"
 maxUnavailable: ""
+
+# -- Enable hook job to create redis secret
+redis-secret-init:
+ image:
+ registry: docker.io
+ repository: alpine/kubectl
+ tag: 1.34.1
+ nodeSelector: {}
+ tolerations: []
+ affinity: {}
+
+# -- Enable standalone redis deployment
+# Will be replaced by redis-ha subchart when `redis-ha.enabled=true`
+redis:
+ enabled: true
+ # -- Redis image
+ image:
+ registry: public.ecr.aws
+ repository: docker/library/redis
+ tag: 8.2.1-alpine
+ podAnnotations: {}
+ podLabels: {}
+ imagePullSecrets: []
+ podSecurityContext: {}
+ securityContext: {}
+ env: {}
+ envFrom: []
+ extraArgs: []
+ # -- Probes configuration
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 15
+ timeoutSeconds: 15
+ successThreshold: 1
+ failureThreshold: 5
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 15
+ timeoutSeconds: 15
+ successThreshold: 1
+ failureThreshold: 5
+ # -- Service configuration
+ service:
+ type: ClusterIP
+ labels: {}
+ annotations: {}
+ ports:
+ redis:
+ port: 6379
+ targetPort: 6379
+ metrics:
+ port: 9121
+ targetPort: 9121
+ resources: {}
+ # -- Enable metrics sidecar
+ metrics:
+ enabled: true
+ image:
+ registry: ghcr.io
+ repository: oliver006/redis_exporter
+ tag: v1.72.1
+ env: {}
+ envFrom: []
+ resources: {}
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 15
+ timeoutSeconds: 15
+ successThreshold: 1
+ failureThreshold: 5
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 15
+ timeoutSeconds: 15
+ successThreshold: 1
+ failureThreshold: 5
+ # -- Enable a prometheus ServiceMonitor
+ serviceMonitor:
+ enabled: false
+ nodeSelector: {}
+ tolerations: []
+ affinity: {}
+ topologySpreadConstraints: []
+ # -- Enabled Pod Disruption Budget for redis
+ pdb:
+ enabled: false
+ labels: {}
+ annotations: {}
+ minAvailable: 1
+ maxUnavailable: ""
+ # -- Create ServiceAccount for 
redis
+ serviceAccount:
+ create: true
+ name: ""
+ annotations: {}
+
+## Redis-HA subchart replaces custom redis deployment when `redis-ha.enabled=true`
+# Ref: https://github.com/DandyDeveloper/charts/blob/master/charts/redis-ha/values.yaml
+redis-ha:
+ # -- Enables the Redis HA subchart and disables the custom Redis single node deployment
+ enabled: false
+ # -- Full name of the Redis HA Resources
+ fullnameOverride: "redis-ha"
+ ## Redis image
+ image:
+ # -- Redis repository
+ repository: public.ecr.aws/docker/library/redis
+ # -- Redis tag
+ tag: 8.2.1-alpine
+ ## Prometheus redis-exporter sidecar
+ exporter:
+ # -- Enable Prometheus redis-exporter sidecar
+ enabled: false
+ # -- Repository to use for the redis-exporter
+ image: ghcr.io/oliver006/redis_exporter
+ # -- Tag to use for the redis-exporter
+ tag: v1.69.0
+ persistentVolume:
+ # -- Configures persistence on Redis nodes
+ enabled: false
+ ## Redis specific configuration options
+ redis:
+ # -- Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated
+ masterGroupName: gitops-runtime
+ # -- Any valid redis config options in this section will be applied to each server (see `redis-ha` chart)
+ # @default -- See [values.yaml]
+ config:
+ # -- Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled
+ # @default -- `'""'`
+ save: '""'
+ ## Enables a HA Proxy for better LoadBalancing / Sentinel Master support. Automatically proxies to Redis master.
+ haproxy:
+ # -- Enabled HAProxy LoadBalancing/Proxy
+ enabled: true
+ metrics:
+ # -- HAProxy enable prometheus metric scraping
+ enabled: true
+ # -- Whether the haproxy pods should be forced to run on separate nodes.
+ hardAntiAffinity: true
+ # -- Additional affinities to add to the haproxy pods.
+ additionalAffinities: {}
+ # -- Assign custom [affinity] rules to the haproxy pods. 
+ affinity: |
+
+ # -- [Tolerations] for use with node taints for haproxy pods.
+ tolerations: []
+ # -- HAProxy container-level security context
+ # @default -- See [values.yaml]
+ containerSecurityContext:
+ readOnlyRootFilesystem: true
+
+ # -- Configures redis-ha with AUTH
+ auth: true
+ # -- Existing Secret to use for redis-ha authentication.
+ # By default the redis-secret-init Job is generating this Secret.
+ existingSecret: gitops-runtime-redis
+
+ # -- Whether the Redis server pods should be forced to run on separate nodes.
+ hardAntiAffinity: true
+
+ # -- Additional affinities to add to the Redis server pods.
+ additionalAffinities: {}
+
+ # -- Assign custom [affinity] rules to the Redis pods.
+ affinity: |
+
+ # -- [Tolerations] for use with node taints for Redis pods.
+ tolerations: []
+
+ # -- Assign custom [TopologySpreadConstraints] rules to the Redis pods.
+ ## https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
+ topologySpreadConstraints:
+ # -- Enable Redis HA topology spread constraints
+ enabled: false
+ # -- Max skew of pods tolerated
+ # @default -- `""` (defaults to `1`)
+ maxSkew: ""
+ # -- Topology key for spread
+ # @default -- `""` (defaults to `topology.kubernetes.io/zone`)
+ topologyKey: ""
+ # -- Enforcement policy, hard or soft
+ # @default -- `""` (defaults to `ScheduleAnyway`)
+ whenUnsatisfiable: ""
+ # -- Redis HA statefulset container-level security context
+ # @default -- See [values.yaml]
+ containerSecurityContext:
+ readOnlyRootFilesystem: true
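Review bot: `redis.podSecurityContext` and `redis.securityContext` default to `{}`, so the standalone redis container runs with no hardening at all, while `redis-ha` in the same hunk sets `containerSecurityContext.readOnlyRootFilesystem: true`; since the Deployment starts redis with `--save ""` and `--appendonly no`, nothing is written to the root filesystem and a restrictive container default is safe here. A default along the lines below brings the two modes in line (the uid is the one the official redis image creates for its `redis` user — confirm it against the pinned tag before relying on `runAsNonRoot`). The exporter tags also differ between modes (`v1.72.1` under `redis.metrics.image`, `v1.69.0` under `redis-ha.exporter`); pinning both to one version avoids tracking advisories for two releases of the same component. `# -- Enable hook job to create redis secret` on `redis-secret-init` reads as though there were an `enabled` switch, but the map holds only image and scheduling settings, so `# -- Settings for the pre-install/pre-upgrade hook Job that creates the redis Secret` describes it better.
```yaml
redis:
  # … unchanged: enabled, image, podAnnotations, podLabels, imagePullSecrets …
  podSecurityContext: {}
  securityContext:
    runAsNonRoot: true
    runAsUser: 999  # "redis" user of the official image — confirm for the pinned tag
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
        - ALL
  # … unchanged: env, envFrom, extraArgs, probes, service, metrics, pdb, serviceAccount …
```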