fix: Switch to official redis image (#10173)

Author: adskyiproger

.github/workflows/deploy-dependencies.yml

@@ -45,5 +45,4 @@ jobs:
             -f environments/${ENV}/dependencies/values.yaml \
             --create-namespace \
             --set hostname=${{ vars.DOMAIN }} \
-            --set storage_type=host_path \
             --atomic

.github/workflows/deploy-opencrvs.yml

@@ -84,6 +84,19 @@ jobs:
           --set hostname=${{ vars.DOMAIN }} \
           --create-namespace \
           --atomic
+      - name: Copy secrets from dependencies into application namespace
+        # Only redis secret for now needs to be copied
+        run: |
+          secrets=(
+            "redis-opencrvs-users"
+          )
+          for secret in "${secrets[@]}"; do
+            kubectl get secret $secret -n opencrvs-deps-e2e -o yaml \
+            | sed "s#namespace: opencrvs-deps-e2e#namespace: opencrvs-${ENV}#" \
+            | grep -vE 'resourceVersion|uid|creationTimestamp' \
+            | kubectl apply -n opencrvs-${ENV} -f - \
+            || echo "Secret $secret doesn't exist in opencrvs-deps-e2e namespace"
+          done
       - name: "FIXME: temporary remove data-migration job due to issues"
         run: |
           kubectl delete job -n "opencrvs-${ENV}" --ignore-not-found=true data-migration || true

.github/workflows/k8s-reset-data.yml

@@ -12,6 +12,7 @@ on:
         type: choice
         options:
           - demo
+          - dev
   workflow_call:
     inputs:
       environment:

.github/workflows/k8s-seed-data.yml

@@ -10,6 +10,7 @@ on:
           type: choice
           options:
             - demo
+            - dev
     workflow_call:
       inputs:
         environment:

charts/dependencies/templates/redis-secrets.yaml

@@ -63,4 +63,17 @@ data:
   {{- end }}
 
 {{- end }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: redis-opencrvs-conf
+data:
+  redis.conf: |
+    bind 0.0.0.0
+    protected-mode yes
+    port 6379
+
+    # path to ACL file (from the Secret mount)
+    aclfile /usr/local/etc/redis/users.acl
 {{- end }}

charts/dependencies/templates/redis.yaml

@@ -30,42 +30,40 @@ spec:
       labels:
         app: redis
     spec:
+      securityContext:
+        runAsUser: 999
+        runAsGroup: 999
+        fsGroup: 999
       containers:
-        # FIXME: https://github.com/opencrvs/opencrvs-core/issues/10173
-        - image: public.ecr.aws/bitnami/redis:8.2
+        - image: redis:8
+          command: ["redis-server", "/usr/local/etc/redis/redis.conf"]
           name: redis
+          {{- if .Values.redis.env }}
           env:
-          {{- if eq .Values.redis.auth_mode "acl" }}
-            - name: REDIS_ACLFILE
-              value: /opt/bitnami/redis/mounted-etc/users.acl
-            - name: REDIS_PASSWORD
-              value: "false"
-          {{- else if eq .Values.redis.auth_mode "password" }}
-            - name: REDIS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: redis-opencrvs-users
-                  key: DEFAULT_REDIS_PASSWORD
-          {{- else }}
-            - name: ALLOW_EMPTY_PASSWORD
-              value: "yes"
-          {{- end }}
-
           {{- include "render-env-vars" (dict "service_name" "redis" "Values" .Values) }}
+          {{- end }}
           ports:
             - containerPort: 6379
               protocol: TCP
           {{- if eq .Values.redis.auth_mode "acl" }}
           volumeMounts:
-            - name: redis-opencrvs-acl
-              mountPath: /opt/bitnami/redis/mounted-etc
-              # subPath: redis-acl.conf
+            - name: redis-conf
+              mountPath: /usr/local/etc/redis/redis.conf
+              subPath: redis.conf
+              readOnly: true
+            - name: redis-acl
+              mountPath: /usr/local/etc/redis/users.acl
+              subPath: users.acl
+              readOnly: true
           {{- end }}
       restartPolicy: Always
       volumes:
-        {{- if eq .Values.redis.auth_mode "acl" }}
-        - name: redis-opencrvs-acl
+      {{- if eq .Values.redis.auth_mode "acl" }}
+        - name: redis-acl
           secret:
             secretName: redis-opencrvs-acl
-        {{- end }}
+        - name: redis-conf
+          configMap:
+            name: redis-opencrvs-conf
+      {{- end }}
 {{- end }}

environments/dev/dependencies/values.yaml

@@ -17,3 +17,6 @@ postgres:
 
 monitoring:
   enabled: true
+
+redis:
+  auth_mode: acl

environments/dev/opencrvs-services/values.yaml

@@ -31,7 +31,7 @@ mongodb:
   host: mongodb-0.mongodb.opencrvs-deps-dev.svc.cluster.local
 
 redis:
-  auth_mode: disabled
+  auth_mode: use_secret
   host: redis-0.redis.opencrvs-deps-dev.svc.cluster.local
 
 postgres: