diff --git a/ansible/group_vars/all/misc.yml b/ansible/group_vars/all/misc.yml index 528669fe1..450faf0d1 100644 --- a/ansible/group_vars/all/misc.yml +++ b/ansible/group_vars/all/misc.yml @@ -3,9 +3,9 @@ ANIT_AFFINITY_NODEPOOL_ENABLE: true ANIT_AFFINITY_NODEPOOL_TOPOLOGY_KEY: "cloud.ionos.com/nodepool-name" -EXTERNAL_SECRETS_OPERATOR: false +EXTERNAL_SECRETS_OPERATOR: true +EXTERNAL_SECRETS_POSTFIX: "-source" EXTERNAL_SECRETS_K8S_STORE: k8s-store -EXTERNAL_SECRETS_POSTFIX: "" EXTERNAL_SECRETS_REFRESH_INTERVAL: "1m" EXTERNAL_SECRETS_NAMESPACE: external-secrets EXTERNAL_SECRETS_TOKEN_SECRET: external-secrets-k8s-store-token diff --git a/ansible/group_vars/develop/external-secrets.yml b/ansible/group_vars/develop/external-secrets.yml deleted file mode 100644 index b13eb364c..000000000 --- a/ansible/group_vars/develop/external-secrets.yml +++ /dev/null @@ -1,2 +0,0 @@ -EXTERNAL_SECRETS_OPERATOR: true -EXTERNAL_SECRETS_POSTFIX: "-source" \ No newline at end of file diff --git a/ansible/playbook_rollout.yml b/ansible/playbook_rollout.yml index 3eadf1f24..c60e72289 100644 --- a/ansible/playbook_rollout.yml +++ b/ansible/playbook_rollout.yml @@ -9,6 +9,7 @@ roles: - role: sys - role: pre_deployment + - role: external-secrets - role: dof_mongo - role: dof_postgresql - role: dof_rabbitmq diff --git a/ansible/roles/session-valkey/README.md b/ansible/roles/session-valkey/README.md new file mode 100644 index 000000000..572e6ea79 --- /dev/null +++ b/ansible/roles/session-valkey/README.md @@ -0,0 +1,3 @@ +session-valkey-password(1pwd) -> session-valkey-password(secret) -> session-valkey-auth(externalsecret) -> session-valkey-auth(secret) + -> session-valkey-auth(externalsecret) -> session-valkey-sentinel-config(secret) + -> session-valkey-auth(externalsecret) -> session-valkey-exporter-config(secret) \ No newline at end of file diff --git a/ansible/roles/session-valkey/defaults/main.yaml b/ansible/roles/session-valkey/defaults/main.yaml index 696516413..b7099444d 100644 
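Review bot: The new `- role: external-secrets` entry in playbook_rollout.yml is unconditional, while the tasks that consume it in roles/session-valkey/tasks/main.yml are gated with `when: EXTERNAL_SECRETS_OPERATOR`; an inventory group that sets the flag back to false would still get the operator rolled out. Gating the role the same way keeps the switch meaningful: `- role: external-secrets` followed by `  when: EXTERNAL_SECRETS_OPERATOR`. The roles list continues outside the hunk.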
--- a/ansible/roles/session-valkey/defaults/main.yaml +++ b/ansible/roles/session-valkey/defaults/main.yaml @@ -1,2 +1,5 @@ -SESSION_VALKEY_CHART_VERSION: 3.0.22 +SESSION_VALKEY_CHART_VERSION: 2.1.2 + +SESSION_VALKEY_IMAGE_VERSION: 8.1.3 +SESSION_VALKEY_REDIS_EXPORTER_IMAGE_VERSION: v1.74.0 SESSION_VALKEY_REPLICAS: 3 diff --git a/ansible/roles/session-valkey/tasks/main.yml b/ansible/roles/session-valkey/tasks/main.yml index f613b311d..6bcad11b4 100644 --- a/ansible/roles/session-valkey/tasks/main.yml +++ b/ansible/roles/session-valkey/tasks/main.yml @@ -7,11 +7,39 @@ tags: - 1password +- name: External Secret session-valkey-config + kubernetes.core.k8s: + kubeconfig: ~/.kube/config + namespace: "{{ NAMESPACE }}" + template: es-valkey-config.yml.j2 + when: EXTERNAL_SECRETS_OPERATOR + tags: + - 1password + +- name: External Secret session-valkey-sentinel-config + kubernetes.core.k8s: + kubeconfig: ~/.kube/config + namespace: "{{ NAMESPACE }}" + template: es-valkey-sentinel-config.yml.j2 + when: EXTERNAL_SECRETS_OPERATOR + tags: + - 1password + +- name: External Secret session-valkey-exporter + kubernetes.core.k8s: + kubeconfig: ~/.kube/config + namespace: "{{ NAMESPACE }}" + template: es-valkey-exporter.yml.j2 + when: EXTERNAL_SECRETS_OPERATOR + tags: + - 1password + - name: Install valkey sentinel kubernetes.core.helm: - chart_ref: oci://docker.io/bitnamicharts/valkey + chart_repo_url: "https://groundhog2k.github.io/helm-charts/" + chart_ref: valkey chart_version: '{{ SESSION_VALKEY_CHART_VERSION }}' - release_name: session-valkey + release_name: session release_namespace: '{{ NAMESPACE }}' release_state: present create_namespace: yes @@ -19,4 +47,4 @@ update_repo_cache: no values: "{{ lookup('template', 'values.yml.j2') | from_yaml }}" tags: - - helm + - helm \ No newline at end of file 
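Review bot: The new version values `SESSION_VALKEY_IMAGE_VERSION: 8.1.3` and `SESSION_VALKEY_CHART_VERSION: 2.1.2` are left unquoted; they parse as strings today only because they contain two dots, and a future bump to a two-component tag such as `8.2` would silently become a float. Quoting them, `SESSION_VALKEY_IMAGE_VERSION: "8.1.3"` and likewise for the chart and exporter versions, matches how values.yml.j2 already quotes the rendered `tag`.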
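Review bot: The three new ExternalSecret tasks are skipped when `EXTERNAL_SECRETS_OPERATOR` is false, but values.yml.j2 in this same commit references `session-valkey-config`, `session-valkey-sentinel-config` and `session-valkey-exporter` unconditionally, so with the flag off the chart is installed against Secrets that were never created. Either drop the `when:` guards (the flag is now true in group_vars/all) or make the values template emit those keys only when the flag is set. Changing `release_name` from `session-valkey` to `session` together with the chart source means Helm treats this as a new release, and nothing in the commit uninstalls the old `session-valkey` release, so the migration path should be confirmed before rollout. The three tasks differ only in name and template and could be one task with a `loop:`, as below. The 1password task at the top of the hunk starts outside it.
```yaml
- name: External Secrets for session-valkey
  kubernetes.core.k8s:
    kubeconfig: ~/.kube/config
    namespace: "{{ NAMESPACE }}"
    template: "es-{{ item }}.yml.j2"
  loop:
    - valkey-config
    - valkey-sentinel-config
    - valkey-exporter
  when: EXTERNAL_SECRETS_OPERATOR
  tags:
    - 1password
# … unchanged: Install valkey sentinel task …
```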
diff --git a/ansible/roles/session-valkey/templates/es-valkey-config.yml.j2 b/ansible/roles/session-valkey/templates/es-valkey-config.yml.j2
new file mode 100644
index 000000000..997279c7c
--- /dev/null
+++ b/ansible/roles/session-valkey/templates/es-valkey-config.yml.j2
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: session-valkey-config
+ namespace: {{ NAMESPACE }}
+ labels:
+ app: session-valkey
+spec:
+ refreshInterval: {{ EXTERNAL_SECRETS_REFRESH_INTERVAL }}
+ secretStoreRef:
+ kind: SecretStore
+ name: {{ EXTERNAL_SECRETS_K8S_STORE }}
+ target:
+ name: session-valkey-config
+ template:
+ engineVersion: v2
+ data:
+ valkey-auth.conf: |
+ requirepass "{% raw %}{{ .SESSION_VALKEY__SENTINEL_PASSWORD }}{% endraw %}"
+ masterauth "{% raw %}{{ .SESSION_VALKEY__SENTINEL_PASSWORD }}{% endraw %}"
+ dataFrom:
+ - extract:
+ key: session-valkey-password
diff --git a/ansible/roles/session-valkey/templates/es-valkey-exporter.yml.j2 b/ansible/roles/session-valkey/templates/es-valkey-exporter.yml.j2
new file mode 100644
index 000000000..e2d0076f0
--- /dev/null
+++ b/ansible/roles/session-valkey/templates/es-valkey-exporter.yml.j2
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: session-valkey-exporter
+ namespace: {{ NAMESPACE }}
+ labels:
+ app: session-valkey
+spec:
+ refreshInterval: {{ EXTERNAL_SECRETS_REFRESH_INTERVAL }}
+ secretStoreRef:
+ kind: SecretStore
+ name: {{ EXTERNAL_SECRETS_K8S_STORE }}
+ target:
+ name: session-valkey-exporter
+ template:
+ engineVersion: v2
+ data:
+ REDIS_PASSWORD: "{% raw %}{{ .SESSION_VALKEY__SENTINEL_PASSWORD }}{% endraw %}"
+ dataFrom:
+ - extract:
+ key: session-valkey-password
diff --git a/ansible/roles/session-valkey/templates/es-valkey-sentinel-config.yml.j2 b/ansible/roles/session-valkey/templates/es-valkey-sentinel-config.yml.j2
new file mode 100644
index 000000000..4e2b60f19
--- /dev/null
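Review bot: The `dataFrom` lookup `key: session-valkey-password` ignores `EXTERNAL_SECRETS_POSTFIX`, which this commit sets to `-source` for every group; if that postfix is what the 1password-created source Secret is named with, the ExternalSecret never resolves, so confirm the source Secret's name or use `key: session-valkey-password{{ EXTERNAL_SECRETS_POSTFIX }}`. The same applies to es-valkey-exporter.yml.j2 and es-valkey-sentinel-config.yml.j2 in this commit. `apiVersion: external-secrets.io/v1beta1` is the older API version; recent operator releases serve `external-secrets.io/v1`, so check which one the deployed operator accepts. The README added in this commit describes the target as `session-valkey-auth`, which does not match the `session-valkey-config` target created here. The three templates differ only in the target name and the `data` block, and a single template driven by a variable would avoid keeping the store, refresh interval and extract key in sync by hand.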
+++ b/ansible/roles/session-valkey/templates/es-valkey-sentinel-config.yml.j2
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: session-valkey-sentinel-config
+ namespace: {{ NAMESPACE }}
+ labels:
+ app: session-valkey
+spec:
+ refreshInterval: {{ EXTERNAL_SECRETS_REFRESH_INTERVAL }}
+ secretStoreRef:
+ kind: SecretStore
+ name: {{ EXTERNAL_SECRETS_K8S_STORE }}
+ target:
+ name: session-valkey-sentinel-config
+ template:
+ engineVersion: v2
+ data:
+ sentinel-auth.conf: |
+ sentinel auth-pass myprimary "{% raw %}{{ .SESSION_VALKEY__SENTINEL_PASSWORD }}{% endraw %}"
+ dataFrom:
+ - extract:
+ key: session-valkey-password
diff --git a/ansible/roles/session-valkey/templates/values.yml.j2 b/ansible/roles/session-valkey/templates/values.yml.j2
index e30d97d42..b29ca8b96 100644
--- a/ansible/roles/session-valkey/templates/values.yml.j2
+++ b/ansible/roles/session-valkey/templates/values.yml.j2
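Review bot: The master group name is hard-coded twice: `sentinel auth-pass myprimary "..."` here and `haMode.masterGroupName: myprimary` in values.yml.j2, and the two must stay identical or sentinel authentication against the primary silently breaks. Carrying it in one role default (a name such as `SESSION_VALKEY_MASTER_GROUP_NAME`, to be chosen) and rendering `sentinel auth-pass {{ SESSION_VALKEY_MASTER_GROUP_NAME }} "..."` here and `masterGroupName: "{{ SESSION_VALKEY_MASTER_GROUP_NAME }}"` in the values template removes the coupling.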
@@ -1,54 +1,59 @@ -global: - defaultStorageClass: "{{ SC_DEFAULT_STORAGE_CLASS_NAME }}" -replica: - replicaCount: {{ SESSION_VALKEY_REPLICAS }} - pdb: - create: false - resources: - limits: - cpu: "{{ SESSION_VALKEY_CPU_LIMITS|default('1000m', true) }}" - memory: "{{ SESSION_VALKEY_MEMORY_LIMITS|default('4Gi', true) }}" - requests: - cpu: "{{ SESSION_VALKEY_CPU_REQUESTS|default('100m', true) }}" - memory: "{{ SESSION_VALKEY_MEMORY_REQUESTS|default('1Gi', true) }}" -primary: - pdb: - create: false - readinessProbe: - timeoutSeconds: 5 - resources: - limits: - cpu: "{{ SESSION_VALKEY_CPU_LIMITS|default('1000m', true) }}" - memory: "{{ SESSION_VALKEY_MEMORY_LIMITS|default('4Gi', true) }}" - requests: - cpu: "{{ SESSION_VALKEY_CPU_REQUESTS|default('100m', true) }}" - memory: "{{ SESSION_VALKEY_MEMORY_REQUESTS|default('1Gi', true) }}" -auth: - existingSecret: session-valkey-password - existingSecretPasswordKey: SESSION_VALKEY__SENTINEL_PASSWORD - usePasswordFiles: false -sentinel: +storage: + className: "{{ SC_DEFAULT_STORAGE_CLASS_NAME }}" + +haMode: enabled: true - readinessProbe: - timeoutSeconds: 5 + replicas: {{ SESSION_VALKEY_REPLICAS }} + masterGroupName: myprimary + +image: + registry: "docker.io" + repository: "valkey/valkey" + tag: "{{ SESSION_VALKEY_IMAGE_VERSION }}" + +resources: + limits: + cpu: "{{ SESSION_VALKEY_CPU_LIMITS|default('1000m', true) }}" + memory: "{{ SESSION_VALKEY_MEMORY_LIMITS|default('4Gi', true) }}" + requests: + cpu: "{{ SESSION_VALKEY_CPU_REQUESTS|default('100m', true) }}" + memory: "{{ SESSION_VALKEY_MEMORY_REQUESTS|default('1Gi', true) }}" + +sentinelResources: + limits: + cpu: "{{ SESSION_VALKEY_SENTINEL_CPU_LIMITS|default('150m', true) }}" + memory: "{{ SESSION_VALKEY_SENTINEL_MEMORY_LIMITS|default('192Mi', true) }}" + requests: + cpu: "{{ SESSION_VALKEY_SENTINEL_CPU_REQUESTS|default('100m', true) }}" + memory: "{{ SESSION_VALKEY_SENTINEL_MEMORY_REQUESTS|default('128Mi', true) }}" + +extraSecretValkeyConfigs: "session-valkey-config" 
+extraSecretSentinelConfigs: "session-valkey-sentinel-config" + metrics: enabled: true - podMonitor: - enabled: true - extraArgs: - check-key-groups: '\(jwt\):.+' + exporter: + image: + registry: "docker.io" + repository: "oliver006/redis_exporter" + tag: "{{ SESSION_VALKEY_REDIS_EXPORTER_IMAGE_VERSION }}" + resources: + limits: + cpu: "{{ SESSION_VALKEY_EXPORTER_CPU_LIMITS|default('150m', true) }}" + memory: "{{ SESSION_VALKEY_EXPORTER_MEMORY_LIMITS|default('192Mi', true) }}" + requests: + cpu: "{{ SESSION_VALKEY_EXPORTER_CPU_REQUESTS|default('100m', true) }}" + memory: "{{ SESSION_VALKEY_EXPORTER_MEMORY_REQUESTS|default('128Mi', true) }}" + args: + - --check-key-groups=(jwt):.+ + extraExporterEnvSecrets: + - "session-valkey-exporter" serviceMonitor: - enabled: true - metricRelabelings: - - sourceLabels: [ __name__ ] - regex: redis_key_group_count - action: replace - targetLabel: longterm - replacement: "true" -# OPS-6762 still up to debate if we will enable this -networkPolicy: - enabled: false -serviceAccount: - create: false -# https://github.com/bitnami/charts/issues/9689 -useHostnames: false + interval: 30s + extraEndpointParameters: + metricRelabelings: + - sourceLabels: [ __name__ ] + regex: redis_key_group_count + action: replace + targetLabel: longterm + replacement: "true" \ No newline at end of file
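Review bot: The removed `serviceMonitor` block carried `enabled: true`, but the new `metrics.serviceMonitor` stanza only sets `interval` and `extraEndpointParameters`; unless the groundhog2k chart enables the ServiceMonitor by default, Prometheus scraping of this release stops silently after the migration, so add `enabled: true` under `serviceMonitor`. The exporter argument also changed from `'\(jwt\):.+'` to `--check-key-groups=(jwt):.+`, which drops the backslash escaping and hands the exporter a different pattern; if that is intentional, the `redis_key_group_count` relabeling should be re-checked against the resulting group name. Settings dropped with the bitnami chart (`pdb.create: false`, `serviceAccount.create: false`, `networkPolicy`) have no counterpart in the new values, so the new chart's defaults for those should be confirmed. The new file also ends without a trailing newline.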