BC-10251 replace bitnami valkey (#73)

Author: Loki-Afro

ansible/roles/tldraw-valkey/defaults/main.yaml

@@ -1,2 +1,5 @@
-TLDRAW_VALKEY_CHART_VERSION: 3.0.22
+# https://github.com/groundhog2k/helm-charts/blob/master/charts/valkey/RELEASENOTES.md
+TLDRAW_VALKEY_CHART_VERSION: 2.2.1
+TLDRAW_VALKEY_IMAGE_VERSION: 9.0.0
+TLDRAW_VALKEY_REDIS_EXPORTER_IMAGE_VERSION: v1.80.0
 TLDRAW_VALKEY_REPLICAS: 3

ansible/roles/tldraw-valkey/tasks/main.yml

@@ -7,70 +7,44 @@
     tags:
       - 1password
 
+  - name: External Secret tldraw-valkey-config
+    kubernetes.core.k8s:
+      kubeconfig: ~/.kube/config
+      namespace: "{{ NAMESPACE }}"
+      template: es-valkey-config.yml.j2
+    when: EXTERNAL_SECRETS_OPERATOR
+    tags:
+      - 1password
+
+  - name: External Secret tldraw-valkey-sentinel-config
+    kubernetes.core.k8s:
+      kubeconfig: ~/.kube/config
+      namespace: "{{ NAMESPACE }}"
+      template: es-valkey-sentinel-config.yml.j2
+    when: EXTERNAL_SECRETS_OPERATOR
+    tags:
+      - 1password
+
+  - name: External Secret tldraw-valkey-exporter
+    kubernetes.core.k8s:
+      kubeconfig: ~/.kube/config
+      namespace: "{{ NAMESPACE }}"
+      template: es-valkey-exporter.yml.j2
+    when: EXTERNAL_SECRETS_OPERATOR
+    tags:
+      - 1password
+
   - name: Install valkey sentinel
     kubernetes.core.helm:
-      chart_ref: oci://docker.io/bitnamicharts/valkey
-      chart_version: "{{ TLDRAW_VALKEY_CHART_VERSION }}"
+      chart_repo_url: "https://groundhog2k.github.io/helm-charts/"
+      chart_ref: valkey
+      chart_version: '{{ TLDRAW_VALKEY_CHART_VERSION }}'
       release_name: tldraw-valkey
-      release_namespace: "{{ NAMESPACE }}"
+      release_namespace: '{{ NAMESPACE }}'
       release_state: present
       create_namespace: yes
       kubeconfig: ~/.kube/config
       update_repo_cache: no
-      values:
-        global:
-          defaultStorageClass: "{{ SC_DEFAULT_STORAGE_CLASS_NAME }}"
-          security:
-            allowInsecureImages: true
-        image:
-          repository: "bitnamilegacy/valkey"
-        replica:
-          replicaCount: "{{ TLDRAW_VALKEY_REPLICAS }}"
-          pdb:
-            create: false
-          resources:
-            limits:
-              cpu: "{{ TLDRAW_VALKEY_CPU_LIMITS|default('1000m', true) }}"
-              memory: "{{ TLDRAW_VALKEY_MEMORY_LIMITS|default('4Gi', true) }}"
-            requests:
-              cpu: "{{ TLDRAW_VALKEY_CPU_REQUESTS|default('100m', true) }}"
-              memory: "{{ TLDRAW_VALKEY_MEMORY_REQUESTS|default('1Gi', true) }}"
-        primary:
-          pdb:
-            create: false
-          readinessProbe:
-            timeoutSeconds: 5
-          resources:
-            limits:
-              cpu: "{{ TLDRAW_VALKEY_CPU_LIMITS|default('1000m', true) }}"
-              memory: "{{ TLDRAW_VALKEY_MEMORY_LIMITS|default('4Gi', true) }}"
-            requests:
-              cpu: "{{ TLDRAW_VALKEY_CPU_REQUESTS|default('100m', true) }}"
-              memory: "{{ TLDRAW_VALKEY_MEMORY_REQUESTS|default('1Gi', true) }}"
-        auth:
-          existingSecret: tldraw-valkey-password
-          existingSecretPasswordKey: REDIS_SENTINEL_PASSWORD
-          usePasswordFiles: false
-        sentinel:
-          enabled: true
-          image:
-            repository: "bitnamilegacy/valkey-sentinel"
-          readinessProbe:
-            timeoutSeconds: 5
-        metrics:
-          enabled: true
-          image:
-            repository: "bitnamilegacy/redis-exporter"
-          podMonitor:
-            enabled: true
-          serviceMonitor:
-            enabled: true
-        # OPS-6762 still up to debate if we will enable this
-        networkPolicy:
-          enabled: false
-        serviceAccount:
-          create: false
-        # https://github.com/bitnami/charts/issues/9689
-        useHostnames: false
+      values: "{{ lookup('template', 'values.yml.j2') | from_yaml }}"
     tags:
       - helm

ansible/roles/tldraw-valkey/templates/es-valkey-config.yml.j2

@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: tldraw-valkey-config
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: tldraw-valkey
+spec:
+  refreshInterval: {{ EXTERNAL_SECRETS_REFRESH_INTERVAL }}
+  secretStoreRef:
+    kind: SecretStore
+    name: {{ EXTERNAL_SECRETS_K8S_STORE }}
+  target:
+    name: tldraw-valkey-config
+    template:
+      engineVersion: v2
+      data:
+        valkey-auth.conf: |
+          requirepass "{% raw %}{{ .REDIS_SENTINEL_PASSWORD }}{% endraw %}"
+          masterauth "{% raw %}{{ .REDIS_SENTINEL_PASSWORD }}{% endraw %}"
+  dataFrom:
+    - extract:
+        key: tldraw-valkey-password

ansible/roles/tldraw-valkey/templates/es-valkey-exporter.yml.j2

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: tldraw-valkey-exporter
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: tldraw-valkey
+spec:
+  refreshInterval: {{ EXTERNAL_SECRETS_REFRESH_INTERVAL }}
+  secretStoreRef:
+    kind: SecretStore
+    name: {{ EXTERNAL_SECRETS_K8S_STORE }}
+  target:
+    name: tldraw-valkey-exporter
+    template:
+      engineVersion: v2
+      data:
+        REDIS_PASSWORD: "{% raw %}{{ .REDIS_SENTINEL_PASSWORD }}{% endraw %}"
+  dataFrom:
+    - extract:
+        key: tldraw-valkey-password

ansible/roles/tldraw-valkey/templates/es-valkey-sentinel-config.yml.j2

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: tldraw-valkey-sentinel-config
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: tldraw-valkey
+spec:
+  refreshInterval: {{ EXTERNAL_SECRETS_REFRESH_INTERVAL }}
+  secretStoreRef:
+    kind: SecretStore
+    name: {{ EXTERNAL_SECRETS_K8S_STORE }}
+  target:
+    name: tldraw-valkey-sentinel-config
+    template:
+      engineVersion: v2
+      data:
+        sentinel-auth.conf: |
+          sentinel auth-pass myprimary "{% raw %}{{ .REDIS_SENTINEL_PASSWORD }}{% endraw %}"
+  dataFrom:
+    - extract:
+        key: tldraw-valkey-password

ansible/roles/tldraw-valkey/templates/values.yml.j2

@@ -0,0 +1,59 @@
+storage:
+  className: "{{ SC_DEFAULT_STORAGE_CLASS_NAME }}"
+
+haMode:
+  enabled: true
+  replicas: {{ TLDRAW_VALKEY_REPLICAS }}
+  masterGroupName: myprimary
+
+image:
+  registry: "docker.io"
+  repository: "valkey/valkey"
+  tag: "{{ TLDRAW_VALKEY_IMAGE_VERSION }}"
+
+resources:
+  limits:
+    cpu: "{{ TLDRAW_VALKEY_CPU_LIMITS|default('1000m', true) }}"
+    memory: "{{ TLDRAW_VALKEY_MEMORY_LIMITS|default('4Gi', true) }}"
+  requests:
+    cpu: "{{ TLDRAW_VALKEY_CPU_REQUESTS|default('100m', true) }}"
+    memory: "{{ TLDRAW_VALKEY_MEMORY_REQUESTS|default('1Gi', true) }}"
+
+sentinelResources:
+  limits:
+    cpu: "{{ TLDRAW_VALKEY_SENTINEL_CPU_LIMITS|default('150m', true) }}"
+    memory: "{{ TLDRAW_VALKEY_SENTINEL_MEMORY_LIMITS|default('192Mi', true) }}"
+  requests:
+    cpu: "{{ TLDRAW_VALKEY_SENTINEL_CPU_REQUESTS|default('100m', true) }}"
+    memory: "{{ TLDRAW_VALKEY_SENTINEL_MEMORY_REQUESTS|default('128Mi', true) }}"
+
+extraSecretValkeyConfigs: "tldraw-valkey-config"
+extraSecretSentinelConfigs: "tldraw-valkey-sentinel-config"
+
+metrics:
+  enabled: true
+  exporter:
+    image:
+      registry: "docker.io"
+      repository: "oliver006/redis_exporter"
+      tag: "{{ TLDRAW_VALKEY_REDIS_EXPORTER_IMAGE_VERSION }}"
+    resources:
+        limits:
+            cpu: "{{ TLDRAW_VALKEY_EXPORTER_CPU_LIMITS|default('150m', true) }}"
+            memory: "{{ TLDRAW_VALKEY_EXPORTER_MEMORY_LIMITS|default('192Mi', true) }}"
+        requests:
+            cpu: "{{ TLDRAW_VALKEY_EXPORTER_CPU_REQUESTS|default('100m', true) }}"
+            memory: "{{ TLDRAW_VALKEY_EXPORTER_MEMORY_REQUESTS|default('128Mi', true) }}"
+    args:
+      - --check-key-groups=(jwt):.+
+    extraExporterEnvSecrets:
+      - "tldraw-valkey-exporter"
+  serviceMonitor:
+    interval: 30s
+    extraEndpointParameters:
+      metricRelabelings:
+          - sourceLabels: [ __name__ ]
+            regex: redis_key_group_count
+            action: replace
+            targetLabel: longterm
+            replacement: "true"