hpi-schul-cloud · Loki-Afro · Jul 25, 2025 · Jul 25, 2025 · Jul 25, 2025 · Aug 6, 2025
diff --git a/ansible/group_vars/all/misc.yml b/ansible/group_vars/all/misc.yml
@@ -3,9 +3,9 @@ ANIT_AFFINITY_NODEPOOL_ENABLE: true
 ANIT_AFFINITY_NODEPOOL_TOPOLOGY_KEY: "cloud.ionos.com/nodepool-name"
 
 
-EXTERNAL_SECRETS_OPERATOR: false
+EXTERNAL_SECRETS_OPERATOR: true
+EXTERNAL_SECRETS_POSTFIX: "-source"
 EXTERNAL_SECRETS_K8S_STORE: k8s-store
-EXTERNAL_SECRETS_POSTFIX: ""
 EXTERNAL_SECRETS_REFRESH_INTERVAL: "1m"
 EXTERNAL_SECRETS_NAMESPACE: external-secrets
 EXTERNAL_SECRETS_TOKEN_SECRET: external-secrets-k8s-store-token

diff --git a/ansible/group_vars/develop/external-secrets.yml b/ansible/group_vars/develop/external-secrets.yml
diff --git a/ansible/playbook_rollout.yml b/ansible/playbook_rollout.yml
@@ -9,6 +9,7 @@
   roles:
     - role: sys
     - role: pre_deployment
+    - role: external-secrets
     - role: dof_mongo
     - role: dof_postgresql
     - role: dof_rabbitmq

diff --git a/ansible/roles/session-valkey/README.md b/ansible/roles/session-valkey/README.md
@@ -0,0 +1,3 @@
+session-valkey-password(1pwd) -> session-valkey-password(secret) -> session-valkey-auth(externalsecret) -> session-valkey-auth(secret)
+                                                             -> session-valkey-auth(externalsecret) -> session-valkey-sentinel-config(secret)
+                                                             -> session-valkey-auth(externalsecret) -> session-valkey-exporter-config(secret)
diff --git a/ansible/roles/session-valkey/defaults/main.yaml b/ansible/roles/session-valkey/defaults/main.yaml
@@ -1,2 +1,5 @@
-SESSION_VALKEY_CHART_VERSION: 3.0.22
+SESSION_VALKEY_CHART_VERSION: 2.1.2
+
+SESSION_VALKEY_IMAGE_VERSION: 8.1.3
+SESSION_VALKEY_REDIS_EXPORTER_IMAGE_VERSION: v1.74.0
 SESSION_VALKEY_REPLICAS: 3
diff --git a/ansible/roles/session-valkey/tasks/main.yml b/ansible/roles/session-valkey/tasks/main.yml
@@ -7,16 +7,44 @@
   tags:
     - 1password
 
+- name: External Secret session-valkey-config
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: es-valkey-config.yml.j2
+  when: EXTERNAL_SECRETS_OPERATOR
+  tags:
+    - 1password
+
+- name: External Secret session-valkey-sentinel-config
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: es-valkey-sentinel-config.yml.j2
+  when: EXTERNAL_SECRETS_OPERATOR
+  tags:
+    - 1password
+
+- name: External Secret session-valkey-exporter
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: es-valkey-exporter.yml.j2
+  when: EXTERNAL_SECRETS_OPERATOR
+  tags:
+    - 1password
+
 - name: Install valkey sentinel
   kubernetes.core.helm:
-    chart_ref: oci://docker.io/bitnamicharts/valkey
+    chart_repo_url: "https://groundhog2k.github.io/helm-charts/"
+    chart_ref: valkey
     chart_version: '{{ SESSION_VALKEY_CHART_VERSION }}'
-    release_name: session-valkey
+    release_name: session
     release_namespace: '{{ NAMESPACE }}'
     release_state: present
     create_namespace: yes
     kubeconfig: ~/.kube/config
     update_repo_cache: no
     values: "{{ lookup('template', 'values.yml.j2') | from_yaml }}"
   tags:
-    - helm
+    - helm
diff --git a/ansible/roles/session-valkey/templates/es-valkey-config.yml.j2 b/ansible/roles/session-valkey/templates/es-valkey-config.yml.j2
@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: session-valkey-config
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: session-valkey
+spec:
+  refreshInterval: {{ EXTERNAL_SECRETS_REFRESH_INTERVAL }}
+  secretStoreRef:
+    kind: SecretStore
+    name: {{ EXTERNAL_SECRETS_K8S_STORE }}
+  target:
+    name: session-valkey-config
+    template:
+      engineVersion: v2
+      data:
+        valkey-auth.conf: |
+          requirepass "{% raw %}{{ .SESSION_VALKEY__SENTINEL_PASSWORD }}{% endraw %}"
+          masterauth "{% raw %}{{ .SESSION_VALKEY__SENTINEL_PASSWORD }}{% endraw %}"
+  dataFrom:
+    - extract:
+        key: session-valkey-password
diff --git a/ansible/roles/session-valkey/templates/es-valkey-exporter.yml.j2 b/ansible/roles/session-valkey/templates/es-valkey-exporter.yml.j2
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: session-valkey-exporter
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: session-valkey
+spec:
+  refreshInterval: {{ EXTERNAL_SECRETS_REFRESH_INTERVAL }}
+  secretStoreRef:
+    kind: SecretStore
+    name: {{ EXTERNAL_SECRETS_K8S_STORE }}
+  target:
+    name: session-valkey-exporter
+    template:
+      engineVersion: v2
+      data:
+        REDIS_PASSWORD: "{% raw %}{{ .SESSION_VALKEY__SENTINEL_PASSWORD }}{% endraw %}"
+  dataFrom:
+    - extract:
+        key: session-valkey-password
diff --git a/ansible/roles/session-valkey/templates/es-valkey-sentinel-config.yml.j2 b/ansible/roles/session-valkey/templates/es-valkey-sentinel-config.yml.j2
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: session-valkey-sentinel-config
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: session-valkey
+spec:
+  refreshInterval: {{ EXTERNAL_SECRETS_REFRESH_INTERVAL }}
+  secretStoreRef:
+    kind: SecretStore
+    name: {{ EXTERNAL_SECRETS_K8S_STORE }}
+  target:
+    name: session-valkey-sentinel-config
+    template:
+      engineVersion: v2
+      data:
+        sentinel-auth.conf: |
+          sentinel auth-pass myprimary "{% raw %}{{ .SESSION_VALKEY__SENTINEL_PASSWORD }}{% endraw %}"
+  dataFrom:
+    - extract:
+        key: session-valkey-password
diff --git a/ansible/roles/session-valkey/templates/values.yml.j2 b/ansible/roles/session-valkey/templates/values.yml.j2
@@ -1,54 +1,59 @@
-global:
-  defaultStorageClass: "{{ SC_DEFAULT_STORAGE_CLASS_NAME }}"
-replica:
-  replicaCount: {{ SESSION_VALKEY_REPLICAS }}
-  pdb:
-    create: false
-  resources:
-    limits:
-      cpu: "{{ SESSION_VALKEY_CPU_LIMITS|default('1000m', true) }}"
-      memory: "{{ SESSION_VALKEY_MEMORY_LIMITS|default('4Gi', true) }}"
-    requests:
-      cpu: "{{ SESSION_VALKEY_CPU_REQUESTS|default('100m', true) }}"
-      memory: "{{ SESSION_VALKEY_MEMORY_REQUESTS|default('1Gi', true) }}"
-primary:
-  pdb:
-    create: false
-  readinessProbe:
-    timeoutSeconds: 5
-  resources:
-    limits:
-      cpu: "{{ SESSION_VALKEY_CPU_LIMITS|default('1000m', true) }}"
-      memory: "{{ SESSION_VALKEY_MEMORY_LIMITS|default('4Gi', true) }}"
-    requests:
-      cpu: "{{ SESSION_VALKEY_CPU_REQUESTS|default('100m', true) }}"
-      memory: "{{ SESSION_VALKEY_MEMORY_REQUESTS|default('1Gi', true) }}"
-auth:
-  existingSecret: session-valkey-password
-  existingSecretPasswordKey: SESSION_VALKEY__SENTINEL_PASSWORD
-  usePasswordFiles: false
-sentinel:
+storage:
+  className: "{{ SC_DEFAULT_STORAGE_CLASS_NAME }}"
+
+haMode:
   enabled: true
-  readinessProbe:
-    timeoutSeconds: 5
+  replicas: {{ SESSION_VALKEY_REPLICAS }}
+  masterGroupName: myprimary
+
+image:
+  registry: "docker.io"
+  repository: "valkey/valkey"
+  tag: "{{ SESSION_VALKEY_IMAGE_VERSION }}"
+
+resources:
+  limits:
+    cpu: "{{ SESSION_VALKEY_CPU_LIMITS|default('1000m', true) }}"
+    memory: "{{ SESSION_VALKEY_MEMORY_LIMITS|default('4Gi', true) }}"
+  requests:
+    cpu: "{{ SESSION_VALKEY_CPU_REQUESTS|default('100m', true) }}"
+    memory: "{{ SESSION_VALKEY_MEMORY_REQUESTS|default('1Gi', true) }}"
+
+sentinelResources:
+  limits:
+    cpu: "{{ SESSION_VALKEY_SENTINEL_CPU_LIMITS|default('150m', true) }}"
+    memory: "{{ SESSION_VALKEY_SENTINEL_MEMORY_LIMITS|default('192Mi', true) }}"
+  requests:
+    cpu: "{{ SESSION_VALKEY_SENTINEL_CPU_REQUESTS|default('100m', true) }}"
+    memory: "{{ SESSION_VALKEY_SENTINEL_MEMORY_REQUESTS|default('128Mi', true) }}"
+
+extraSecretValkeyConfigs: "session-valkey-config"
+extraSecretSentinelConfigs: "session-valkey-sentinel-config"
+
 metrics:
   enabled: true
-  podMonitor:
-    enabled: true
-  extraArgs:
-    check-key-groups: '\(jwt\):.+'
+  exporter:
+    image:
+      registry: "docker.io"
+      repository: "oliver006/redis_exporter"
+      tag: "{{ SESSION_VALKEY_REDIS_EXPORTER_IMAGE_VERSION }}"
+    resources:
+        limits:
+            cpu: "{{ SESSION_VALKEY_EXPORTER_CPU_LIMITS|default('150m', true) }}"
+            memory: "{{ SESSION_VALKEY_EXPORTER_MEMORY_LIMITS|default('192Mi', true) }}"
+        requests:
+            cpu: "{{ SESSION_VALKEY_EXPORTER_CPU_REQUESTS|default('100m', true) }}"
+            memory: "{{ SESSION_VALKEY_EXPORTER_MEMORY_REQUESTS|default('128Mi', true) }}"
+    args:
+      - --check-key-groups=(jwt):.+
+    extraExporterEnvSecrets:
+      - "session-valkey-exporter"
   serviceMonitor:
-    enabled: true
-    metricRelabelings:
-        - sourceLabels: [ __name__ ]
-          regex: redis_key_group_count
-          action: replace
-          targetLabel: longterm
-          replacement: "true"   
-# OPS-6762 still up to debate if we will enable this
-networkPolicy:
-  enabled: false
-serviceAccount:
-  create: false
-# https://github.com/bitnami/charts/issues/9689
-useHostnames: false
+    interval: 30s
+    extraEndpointParameters:
+      metricRelabelings:
+          - sourceLabels: [ __name__ ]
+            regex: redis_key_group_count
+            action: replace
+            targetLabel: longterm
+            replacement: "true"