ghp/helm-charts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GHP publish

Browse Source
This commit is contained in:
ace
2021-01-17 04:09:41 +03:00
commit 9fe2c2adf2
457 changed files with 40068 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

136
nextcloud/charts/redis/templates/NOTES.txt Normal file
View File

@ -0,0 +1,136 @@
** Please be patient while the chart is being deployed **
{{- if contains .Values.master.service.type "LoadBalancer" }}
{{- if not .Values.usePassword }}
{{ if and (not .Values.networkPolicy.enabled) (.Values.networkPolicy.allowExternal) }}
-------------------------------------------------------------------------------
WARNING
By specifying "master.service.type=LoadBalancer" and "usePassword=false" you have
most likely exposed the Redis service externally without any authentication
mechanism.
For security reasons, we strongly suggest that you switch to "ClusterIP" or
"NodePort". As alternative, you can also switch to "usePassword=true"
providing a valid password on "password" parameter.
-------------------------------------------------------------------------------
{{- end }}
{{- end }}
{{- end }}
{{- if and .Values.sentinel.enabled (not .Values.cluster.enabled)}}
-------------------------------------------------------------------------------
WARNING
Using redis sentinel without a cluster is not supported. A single pod with
standalone redis has been deployed.
To deploy redis sentinel, please use the values "cluster.enabled=true" and
"sentinel.enabled=true".
-------------------------------------------------------------------------------
{{- end }}
{{- if .Values.cluster.enabled }}
{{- if .Values.sentinel.enabled }}
Redis can be accessed via port {{ .Values.sentinel.service.redisPort }} on the following DNS name from within your cluster:
{{ template "redis.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read only operations
For read/write operations, first access the Redis Sentinel cluster, which is available in port {{ .Values.sentinel.service.sentinelPort }} using the same domain name above.
{{- else }}
Redis can be accessed via port {{ .Values.redisPort }} on the following DNS names from within your cluster:
{{ template "redis.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read/write operations
{{ template "redis.fullname" . }}-slave.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read-only operations
{{- end }}
{{- else }}
Redis can be accessed via port {{ .Values.redisPort }} on the following DNS name from within your cluster:
{{ template "redis.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
{{- end }}
{{ if .Values.usePassword }}
To get your password run:
export REDIS_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "redis.secretName" . }} -o jsonpath="{.data.redis-password}" | base64 --decode)
{{- end }}
To connect to your Redis server:
1. Run a Redis pod that you can use as a client:
{{- if .Values.tls.enabled }}
kubectl run --namespace {{ .Release.Namespace }} {{ template "redis.fullname" . }}-client --restart='Never' --env REDIS_PASSWORD=$REDIS_PASSWORD --image {{ template "redis.image" . }} --command -- sleep infinity
Copy your TLS certificates to the pod:
kubectl cp --namespace {{ .Release.Namespace }} /path/to/client.cert {{ template "redis.fullname" . }}-client:/tmp/client.cert
kubectl cp --namespace {{ .Release.Namespace }} /path/to/client.key {{ template "redis.fullname" . }}-client:/tmp/client.key
kubectl cp --namespace {{ .Release.Namespace }} /path/to/CA.cert {{ template "redis.fullname" . }}-client:/tmp/CA.cert
Use the following command to attach to the pod:
kubectl exec --tty -i {{ template "redis.fullname" . }}-client \
{{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}--labels="{{ template "redis.fullname" . }}-client=true" \{{- end }}
--namespace {{ .Release.Namespace }} -- bash
{{- else }}
kubectl run --namespace {{ .Release.Namespace }} {{ template "redis.fullname" . }}-client --rm --tty -i --restart='Never' \
{{ if .Values.usePassword }} --env REDIS_PASSWORD=$REDIS_PASSWORD \{{ end }}
{{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}--labels="{{ template "redis.fullname" . }}-client=true" \{{- end }}
--image {{ template "redis.image" . }} -- bash
{{- end }}
2. Connect using the Redis CLI:
{{- if .Values.cluster.enabled }}
{{- if .Values.sentinel.enabled }}
redis-cli -h {{ template "redis.fullname" . }} -p {{ .Values.sentinel.service.redisPort }}{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} # Read only operations
redis-cli -h {{ template "redis.fullname" . }} -p {{ .Values.sentinel.service.sentinelPort }}{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }} # Sentinel access
{{- else }}
redis-cli -h {{ template "redis.fullname" . }}-master{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }}
redis-cli -h {{ template "redis.fullname" . }}-slave{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }}
{{- end }}
{{- else }}
redis-cli -h {{ template "redis.fullname" . }}-master{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }}
{{- end }}
{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
Note: Since NetworkPolicy is enabled, only pods with label
{{ template "redis.fullname" . }}-client=true"
will be able to connect to redis.
{{- else -}}
To connect to your database from outside the cluster execute the following commands:
{{- if contains "NodePort" .Values.master.service.type }}
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "redis.fullname" . }}-master)
redis-cli -h $NODE_IP -p $NODE_PORT {{- if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }}
{{- else if contains "LoadBalancer" .Values.master.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "redis.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "redis.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
redis-cli -h $SERVICE_IP -p {{ .Values.master.service.port }} {{- if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }}
{{- else if contains "ClusterIP" .Values.master.service.type }}
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "redis.fullname" . }}-master {{ .Values.redisPort }}:{{ .Values.redisPort }} &
redis-cli -h 127.0.0.1 -p {{ .Values.redisPort }} {{- if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }}{{ if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }}
{{- end }}
{{- end }}
{{ include "redis.checkRollingTags" . }}
{{- include "redis.validateValues" . }}

421
nextcloud/charts/redis/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,421 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "redis.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Expand the chart plus release name (used by the chart label)
*/}}
{{- define "redis.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "redis.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for networkpolicy.
*/}}
{{- define "networkPolicy.apiVersion" -}}
{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiGroup for PodSecurityPolicy.
*/}}
{{- define "podSecurityPolicy.apiGroup" -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "policy" -}}
{{- else -}}
{{- print "extensions" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for PodSecurityPolicy.
*/}}
{{- define "podSecurityPolicy.apiVersion" -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "policy/v1beta1" -}}
{{- else -}}
{{- print "extensions/v1beta1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Redis image name
*/}}
{{- define "redis.image" -}}
{{- $registryName := .Values.image.registry -}}
{{- $repositoryName := .Values.image.repository -}}
{{- $tag := .Values.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Redis Sentinel image name
*/}}
{{- define "sentinel.image" -}}
{{- $registryName := .Values.sentinel.image.registry -}}
{{- $repositoryName := .Values.sentinel.image.repository -}}
{{- $tag := .Values.sentinel.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper image name (for the metrics image)
*/}}
{{- define "redis.metrics.image" -}}
{{- $registryName := .Values.metrics.image.registry -}}
{{- $repositoryName := .Values.metrics.image.repository -}}
{{- $tag := .Values.metrics.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper image name (for the init container volume-permissions image)
*/}}
{{- define "redis.volumePermissions.image" -}}
{{- $registryName := .Values.volumePermissions.image.registry -}}
{{- $repositoryName := .Values.volumePermissions.image.repository -}}
{{- $tag := .Values.volumePermissions.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the path to the cert file.
*/}}
{{- define "redis.tlsCert" -}}
{{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/redis/certs/%s" -}}
{{- end -}}
{{/*
Return the path to the cert key file.
*/}}
{{- define "redis.tlsCertKey" -}}
{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/redis/certs/%s" -}}
{{- end -}}
{{/*
Return the path to the CA cert file.
*/}}
{{- define "redis.tlsCACert" -}}
{{- required "Certificate CA filename is required when TLS in enabled" .Values.tls.certCAFilename | printf "/opt/bitnami/redis/certs/%s" -}}
{{- end -}}
{{/*
Return the path to the DH params file.
*/}}
{{- define "redis.tlsDHParams" -}}
{{- if .Values.tls.dhParamsFilename -}}
{{- printf "/opt/bitnami/redis/certs/%s" .Values.tls.dhParamsFilename -}}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "redis.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "redis.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Get the password secret.
*/}}
{{- define "redis.secretName" -}}
{{- if .Values.existingSecret -}}
{{- printf "%s" .Values.existingSecret -}}
{{- else -}}
{{- printf "%s" (include "redis.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Get the password key to be retrieved from Redis secret.
*/}}
{{- define "redis.secretPasswordKey" -}}
{{- if and .Values.existingSecret .Values.existingSecretPasswordKey -}}
{{- printf "%s" .Values.existingSecretPasswordKey -}}
{{- else -}}
{{- printf "redis-password" -}}
{{- end -}}
{{- end -}}
{{/*
Return Redis password
*/}}
{{- define "redis.password" -}}
{{- if not (empty .Values.global.redis.password) }}
{{- .Values.global.redis.password -}}
{{- else if not (empty .Values.password) -}}
{{- .Values.password -}}
{{- else -}}
{{- randAlphaNum 10 -}}
{{- end -}}
{{- end -}}
{{/*
Return sysctl image
*/}}
{{- define "redis.sysctl.image" -}}
{{- $registryName := default "docker.io" .Values.sysctlImage.registry -}}
{{- $repositoryName := .Values.sysctlImage.repository -}}
{{- $tag := default "buster" .Values.sysctlImage.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "redis.imagePullSecrets" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
Also, we can not use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.sysctlImage.pullSecrets .Values.volumePermissions.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.metrics.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.sysctlImage.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.volumePermissions.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.sysctlImage.pullSecrets .Values.volumePermissions.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.metrics.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.sysctlImage.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.volumePermissions.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- end -}}
{{/* Check if there are rolling tags in the images */}}
{{- define "redis.checkRollingTags" -}}
{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}
{{- if and (contains "bitnami/" .Values.sentinel.image.repository) (not (.Values.sentinel.image.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .Values.sentinel.image.repository }}:{{ .Values.sentinel.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}
{{- end -}}
{{/*
Return the proper Storage Class for master
*/}}
{{- define "redis.master.storageClass" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
*/}}
{{- if .Values.global -}}
{{- if .Values.global.storageClass -}}
{{- if (eq "-" .Values.global.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.global.storageClass -}}
{{- end -}}
{{- else -}}
{{- if .Values.master.persistence.storageClass -}}
{{- if (eq "-" .Values.master.persistence.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.master.persistence.storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- else -}}
{{- if .Values.master.persistence.storageClass -}}
{{- if (eq "-" .Values.master.persistence.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.master.persistence.storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Storage Class for slave
*/}}
{{- define "redis.slave.storageClass" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
*/}}
{{- if .Values.global -}}
{{- if .Values.global.storageClass -}}
{{- if (eq "-" .Values.global.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.global.storageClass -}}
{{- end -}}
{{- else -}}
{{- if .Values.slave.persistence.storageClass -}}
{{- if (eq "-" .Values.slave.persistence.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.slave.persistence.storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- else -}}
{{- if .Values.slave.persistence.storageClass -}}
{{- if (eq "-" .Values.slave.persistence.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.slave.persistence.storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Compile all warnings into a single message, and call fail.
*/}}
{{- define "redis.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "redis.validateValues.spreadConstraints" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}
{{/* Validate values of Redis - spreadConstrainsts K8s version */}}
{{- define "redis.validateValues.spreadConstraints" -}}
{{- if and (semverCompare "<1.16-0" .Capabilities.KubeVersion.GitVersion) .Values.slave.spreadConstraints -}}
redis: spreadConstraints
Pod Topology Spread Constraints are only available on K8s >= 1.16
Find more information at https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
{{- end -}}
{{- end -}}
{{/*
Renders a value that contains template.
Usage:
{{ include "redis.tplValue" (dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "redis.tplValue" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}

349
nextcloud/charts/redis/templates/configmap-scripts.yaml Normal file
View File

@ -0,0 +1,349 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "redis.fullname" . }}-scripts
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
{{- if and .Values.cluster.enabled .Values.sentinel.enabled }}
start-node.sh: |
#!/bin/bash
is_boolean_yes() {
local -r bool="${1:-}"
# comparison is performed without regard to the case of alphabetic characters
shopt -s nocasematch
if [[ "$bool" = 1 || "$bool" =~ ^(yes|true)$ ]]; then
true
else
false
fi
}
export REDIS_REPLICATION_MODE="slave"
if [[ $HOSTNAME =~ (.*)-([0-9]+)$ ]]; then
if [[ ${BASH_REMATCH[2]} == "0" ]]; then
if [[ ! -f /data/redisboot.lock ]]; then
export REDIS_REPLICATION_MODE="master"
else
if is_boolean_yes "$REDIS_TLS_ENABLED"; then
sentinel_info_command="redis-cli -a $REDIS_PASSWORD -h {{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} -p {{ .Values.sentinel.port }} --tls --cert ${REDIS_TLS_CERT_FILE} --key ${REDIS_TLS_KEY_FILE} --cacert ${REDIS_TLS_CA_FILE} info"
else
sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h {{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} -p {{ .Values.sentinel.port }} info"
fi
if [[ ! ($($sentinel_info_command)) ]]; then
export REDIS_REPLICATION_MODE="master"
rm /data/redisboot.lock
fi
fi
fi
fi
{{- if (eq (.Values.securityContext.runAsUser | int) 0) }}
useradd redis
chown -R redis {{ .Values.slave.persistence.path }}
{{- end }}
if [[ -n $REDIS_PASSWORD_FILE ]]; then
password_aux=`cat ${REDIS_PASSWORD_FILE}`
export REDIS_PASSWORD=$password_aux
fi
if [[ -n $REDIS_MASTER_PASSWORD_FILE ]]; then
password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}`
export REDIS_MASTER_PASSWORD=$password_aux
fi
if [[ "$REDIS_REPLICATION_MODE" == "master" ]]; then
echo "I am master"
if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then
cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf
fi
else
if [[ ! -f /opt/bitnami/redis/etc/replica.conf ]];then
cp /opt/bitnami/redis/mounted-etc/replica.conf /opt/bitnami/redis/etc/replica.conf
fi
if is_boolean_yes "$REDIS_TLS_ENABLED"; then
sentinel_info_command="redis-cli -a $REDIS_PASSWORD -h {{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} -p {{ .Values.sentinel.port }} --tls --cert ${REDIS_TLS_CERT_FILE} --key ${REDIS_TLS_KEY_FILE} --cacert ${REDIS_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}"
else
sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h {{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} -p {{ .Values.sentinel.port }} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}"
fi
REDIS_SENTINEL_INFO=($($sentinel_info_command))
REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]}
REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]}
fi
if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then
cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf
fi
{{- if .Values.tls.enabled }}
ARGS=("--port" "0")
ARGS+=("--tls-port" "${REDIS_TLS_PORT}")
ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}")
ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}")
ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}")
ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}")
ARGS+=("--tls-replication" "yes")
{{- if .Values.tls.dhParamsFilename }}
ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}")
{{- end }}
{{- else }}
ARGS=("--port" "${REDIS_PORT}")
{{- end }}
if [[ "$REDIS_REPLICATION_MODE" == "slave" ]]; then
ARGS+=("--slaveof" "${REDIS_MASTER_HOST}" "${REDIS_MASTER_PORT_NUMBER}")
fi
{{- if .Values.usePassword }}
ARGS+=("--requirepass" "${REDIS_PASSWORD}")
ARGS+=("--masterauth" "${REDIS_MASTER_PASSWORD}")
{{- else }}
ARGS+=("--protected-mode" "no")
{{- end }}
if [[ "$REDIS_REPLICATION_MODE" == "master" ]]; then
ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf")
else
ARGS+=("--include" "/opt/bitnami/redis/etc/replica.conf")
fi
ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf")
{{- if .Values.slave.extraFlags }}
{{- range .Values.slave.extraFlags }}
ARGS+=({{ . | quote }})
{{- end }}
{{- end }}
touch /data/redisboot.lock
{{- if .Values.slave.command }}
exec {{ .Values.slave.command }} "${ARGS[@]}"
{{- else }}
exec redis-server "${ARGS[@]}"
{{- end }}
start-sentinel.sh: |
#!/bin/bash
replace_in_file() {
local filename="${1:?filename is required}"
local match_regex="${2:?match regex is required}"
local substitute_regex="${3:?substitute regex is required}"
local posix_regex=${4:-true}
local result
# We should avoid using 'sed in-place' substitutions
# 1) They are not compatible with files mounted from ConfigMap(s)
# 2) We found incompatibility issues with Debian10 and "in-place" substitutions
del=$'\001' # Use a non-printable character as a 'sed' delimiter to avoid issues
if [[ $posix_regex = true ]]; then
result="$(sed -E "s${del}${match_regex}${del}${substitute_regex}${del}g" "$filename")"
else
result="$(sed "s${del}${match_regex}${del}${substitute_regex}${del}g" "$filename")"
fi
echo "$result" > "$filename"
}
sentinel_conf_set() {
local -r key="${1:?missing key}"
local value="${2:-}"
# Sanitize inputs
value="${value//\\/\\\\}"
value="${value//&/\\&}"
value="${value//\?/\\?}"
[[ "$value" = "" ]] && value="\"$value\""
replace_in_file "/opt/bitnami/redis-sentinel/etc/sentinel.conf" "^#*\s*${key} .*" "${key} ${value}" false
}
is_boolean_yes() {
local -r bool="${1:-}"
# comparison is performed without regard to the case of alphabetic characters
shopt -s nocasematch
if [[ "$bool" = 1 || "$bool" =~ ^(yes|true)$ ]]; then
true
else
false
fi
}
if [[ -n $REDIS_PASSWORD_FILE ]]; then
password_aux=`cat ${REDIS_PASSWORD_FILE}`
export REDIS_PASSWORD=$password_aux
fi
if [[ ! -f /opt/bitnami/redis-sentinel/etc/sentinel.conf ]]; then
cp /opt/bitnami/redis-sentinel/mounted-etc/sentinel.conf /opt/bitnami/redis-sentinel/etc/sentinel.conf
{{- if .Values.usePassword }}
printf "\nsentinel auth-pass {{ .Values.sentinel.masterSet }} $REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf
{{- if .Values.sentinel.usePassword }}
printf "\nrequirepass $REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf
{{- end }}
{{- end }}
{{- if .Values.sentinel.staticID }}
printf "\nsentinel myid $(echo $HOSTNAME | openssl sha1 | awk '{ print $2 }')" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf
{{- end }}
fi
export REDIS_REPLICATION_MODE="slave"
if [[ $HOSTNAME =~ (.*)-([0-9]+)$ ]]; then
if [[ ${BASH_REMATCH[2]} == "0" ]]; then
if [[ ! -f /data/sentinelboot.lock ]]; then
export REDIS_REPLICATION_MODE="master"
else
if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then
sentinel_info_command="redis-cli -a $REDIS_PASSWORD -h {{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} -p {{ .Values.sentinel.port }} --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} info"
else
sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h {{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} -p {{ .Values.sentinel.port }} info"
fi
if [[ ! ($($sentinel_info_command)) ]]; then
export REDIS_REPLICATION_MODE="master"
rm /data/sentinelboot.lock
fi
fi
fi
fi
if [[ "$REDIS_REPLICATION_MODE" == "master" ]]; then
sentinel_conf_set "sentinel monitor" "{{ .Values.sentinel.masterSet }} {{ template "redis.fullname" . }}-node-0.{{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} {{ .Values.redisPort }} {{ .Values.sentinel.quorum }}"
else
if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then
sentinel_info_command="redis-cli -a $REDIS_PASSWORD -h {{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} -p {{ .Values.sentinel.port }} --tls --cert ${REDIS_SENTINEL_TLS_CERT_FILE} --key ${REDIS_SENTINEL_TLS_KEY_FILE} --cacert ${REDIS_SENTINEL_TLS_CA_FILE} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}"
else
sentinel_info_command="redis-cli {{- if .Values.usePassword }} -a $REDIS_PASSWORD {{- end }} -h {{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} -p {{ .Values.sentinel.port }} sentinel get-master-addr-by-name {{ .Values.sentinel.masterSet }}"
fi
REDIS_SENTINEL_INFO=($($sentinel_info_command))
REDIS_MASTER_HOST=${REDIS_SENTINEL_INFO[0]}
REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]}
sentinel_conf_set "sentinel monitor" "{{ .Values.sentinel.masterSet }} "$REDIS_MASTER_HOST" "$REDIS_MASTER_PORT_NUMBER" {{ .Values.sentinel.quorum }}"
fi
{{- if .Values.tls.enabled }}
ARGS=("--port" "0")
ARGS+=("--tls-port" "${REDIS_SENTINEL_TLS_PORT_NUMBER}")
ARGS+=("--tls-cert-file" "${REDIS_SENTINEL_TLS_CERT_FILE}")
ARGS+=("--tls-key-file" "${REDIS_SENTINEL_TLS_KEY_FILE}")
ARGS+=("--tls-ca-cert-file" "${REDIS_SENTINEL_TLS_CA_FILE}")
ARGS+=("--tls-replication" "yes")
ARGS+=("--tls-auth-clients" "${REDIS_SENTINEL_TLS_AUTH_CLIENTS}")
{{- if .Values.tls.dhParamsFilename }}
ARGS+=("--tls-dh-params-file" "${REDIS_SENTINEL_TLS_DH_PARAMS_FILE}")
{{- end }}
{{- end }}
touch /data/sentinelboot.lock
exec redis-server /opt/bitnami/redis-sentinel/etc/sentinel.conf --sentinel {{- if .Values.tls.enabled }} "${ARGS[@]}" {{- end }}
{{- else }}
start-master.sh: |
#!/bin/bash
{{- if (eq (.Values.securityContext.runAsUser | int) 0) }}
useradd redis
chown -R redis {{ .Values.master.persistence.path }}
{{- end }}
if [[ -n $REDIS_PASSWORD_FILE ]]; then
password_aux=`cat ${REDIS_PASSWORD_FILE}`
export REDIS_PASSWORD=$password_aux
fi
if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then
cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf
fi
if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then
cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf
fi
{{- if .Values.tls.enabled }}
ARGS=("--port" "0")
ARGS+=("--tls-port" "${REDIS_TLS_PORT}")
ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}")
ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}")
ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}")
ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}")
{{- if .Values.tls.dhParamsFilename }}
ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}")
{{- end }}
{{- else }}
ARGS=("--port" "${REDIS_PORT}")
{{- end }}
{{- if .Values.usePassword }}
ARGS+=("--requirepass" "${REDIS_PASSWORD}")
ARGS+=("--masterauth" "${REDIS_PASSWORD}")
{{- else }}
ARGS+=("--protected-mode" "no")
{{- end }}
ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf")
ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf")
{{- if .Values.master.extraFlags }}
{{- range .Values.master.extraFlags }}
ARGS+=({{ . | quote }})
{{- end }}
{{- end }}
{{- if .Values.master.preExecCmds }}
{{ .Values.master.preExecCmds | nindent 4}}
{{- end }}
{{- if .Values.master.command }}
exec {{ .Values.master.command }} "${ARGS[@]}"
{{- else }}
exec redis-server "${ARGS[@]}"
{{- end }}
{{- if .Values.cluster.enabled }}
start-slave.sh: |
#!/bin/bash
{{- if (eq (.Values.securityContext.runAsUser | int) 0) }}
useradd redis
chown -R redis {{ .Values.slave.persistence.path }}
{{- end }}
if [[ -n $REDIS_PASSWORD_FILE ]]; then
password_aux=`cat ${REDIS_PASSWORD_FILE}`
export REDIS_PASSWORD=$password_aux
fi
if [[ -n $REDIS_MASTER_PASSWORD_FILE ]]; then
password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}`
export REDIS_MASTER_PASSWORD=$password_aux
fi
if [[ ! -f /opt/bitnami/redis/etc/replica.conf ]];then
cp /opt/bitnami/redis/mounted-etc/replica.conf /opt/bitnami/redis/etc/replica.conf
fi
if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then
cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf
fi
{{- if .Values.tls.enabled }}
ARGS=("--port" "0")
ARGS+=("--tls-port" "${REDIS_TLS_PORT}")
ARGS+=("--tls-cert-file" "${REDIS_TLS_CERT_FILE}")
ARGS+=("--tls-key-file" "${REDIS_TLS_KEY_FILE}")
ARGS+=("--tls-ca-cert-file" "${REDIS_TLS_CA_FILE}")
ARGS+=("--tls-auth-clients" "${REDIS_TLS_AUTH_CLIENTS}")
ARGS+=("--tls-replication" "yes")
{{- if .Values.tls.dhParamsFilename }}
ARGS+=("--tls-dh-params-file" "${REDIS_TLS_DH_PARAMS_FILE}")
{{- end }}
{{- else }}
ARGS=("--port" "${REDIS_PORT}")
{{- end }}
ARGS+=("--slaveof" "${REDIS_MASTER_HOST}" "${REDIS_MASTER_PORT_NUMBER}")
{{- if .Values.usePassword }}
ARGS+=("--requirepass" "${REDIS_PASSWORD}")
ARGS+=("--masterauth" "${REDIS_MASTER_PASSWORD}")
{{- else }}
ARGS+=("--protected-mode" "no")
{{- end }}
ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf")
ARGS+=("--include" "/opt/bitnami/redis/etc/replica.conf")
{{- if .Values.slave.extraFlags }}
{{- range .Values.slave.extraFlags }}
ARGS+=({{ . | quote }})
{{- end }}
{{- end }}
{{- if .Values.slave.preExecCmds }}
{{ .Values.slave.preExecCmds | nindent 4}}
{{- end }}
{{- if .Values.slave.command }}
exec {{ .Values.slave.command }} "${ARGS[@]}"
{{- else }}
exec redis-server "${ARGS[@]}"
{{- end }}
{{- end }}
{{- end -}}

53
nextcloud/charts/redis/templates/configmap.yaml Normal file
View File

@ -0,0 +1,53 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "redis.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
redis.conf: |-
{{- if .Values.configmap }}
# User-supplied configuration:
{{- tpl .Values.configmap . | nindent 4 }}
{{- end }}
master.conf: |-
dir {{ .Values.master.persistence.path }}
{{- if .Values.master.configmap }}
# User-supplied master configuration:
{{- tpl .Values.master.configmap . | nindent 4 }}
{{- end }}
{{- if .Values.master.disableCommands }}
{{- range .Values.master.disableCommands }}
rename-command {{ . }} ""
{{- end }}
{{- end }}
replica.conf: |-
dir {{ .Values.slave.persistence.path }}
slave-read-only yes
{{- if .Values.slave.configmap }}
# User-supplied slave configuration:
{{- tpl .Values.slave.configmap . | nindent 4 }}
{{- end }}
{{- if .Values.slave.disableCommands }}
{{- range .Values.slave.disableCommands }}
rename-command {{ . }} ""
{{- end }}
{{- end }}
{{- if .Values.sentinel.enabled }}
sentinel.conf: |-
dir "/tmp"
bind 0.0.0.0
port {{ .Values.sentinel.port }}
sentinel monitor {{ .Values.sentinel.masterSet }} {{ template "redis.fullname" . }}-master-0.{{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} {{ .Values.redisPort }} {{ .Values.sentinel.quorum }}
sentinel down-after-milliseconds {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.downAfterMilliseconds }}
sentinel failover-timeout {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.failoverTimeout }}
sentinel parallel-syncs {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.parallelSyncs }}
{{- if .Values.sentinel.configmap }}
# User-supplied sentinel configuration:
{{- tpl .Values.sentinel.configmap . | nindent 4 }}
{{- end }}
{{- end }}

25
nextcloud/charts/redis/templates/headless-svc.yaml Normal file
View File

@ -0,0 +1,25 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "redis.fullname" . }}-headless
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: ClusterIP
clusterIP: None
ports:
- name: redis
port: {{ .Values.redisPort }}
targetPort: redis
{{- if .Values.sentinel.enabled }}
- name: redis-sentinel
port: {{ .Values.sentinel.port }}
targetPort: redis-sentinel
{{- end }}
selector:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}

201
nextcloud/charts/redis/templates/health-configmap.yaml Normal file
View File

@ -0,0 +1,201 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "redis.fullname" . }}-health
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
ping_readiness_local.sh: |-
#!/bin/bash
{{- if .Values.usePasswordFile }}
password_aux=`cat ${REDIS_PASSWORD_FILE}`
export REDIS_PASSWORD=$password_aux
{{- end }}
{{- if .Values.usePassword }}
no_auth_warning=$([[ "$(redis-cli --version)" =~ (redis-cli 5.*) ]] && echo --no-auth-warning)
{{- end }}
response=$(
timeout -s 3 $1 \
redis-cli \
{{- if .Values.usePassword }}
-a $REDIS_PASSWORD $no_auth_warning \
{{- end }}
-h localhost \
{{- if .Values.tls.enabled }}
-p $REDIS_TLS_PORT \
--tls \
--cacert {{ template "redis.tlsCACert" . }} \
{{- if .Values.tls.authClients }}
--cert {{ template "redis.tlsCert" . }} \
--key {{ template "redis.tlsCertKey" . }} \
{{- end }}
{{- else }}
-p $REDIS_PORT \
{{- end }}
ping
)
if [ "$response" != "PONG" ]; then
echo "$response"
exit 1
fi
ping_liveness_local.sh: |-
#!/bin/bash
{{- if .Values.usePasswordFile }}
password_aux=`cat ${REDIS_PASSWORD_FILE}`
export REDIS_PASSWORD=$password_aux
{{- end }}
{{- if .Values.usePassword }}
no_auth_warning=$([[ "$(redis-cli --version)" =~ (redis-cli 5.*) ]] && echo --no-auth-warning)
{{- end }}
response=$(
timeout -s 3 $1 \
redis-cli \
{{- if .Values.usePassword }}
-a $REDIS_PASSWORD $no_auth_warning \
{{- end }}
-h localhost \
{{- if .Values.tls.enabled }}
-p $REDIS_TLS_PORT \
--tls \
--cacert {{ template "redis.tlsCACert" . }} \
{{- if .Values.tls.authClients }}
--cert {{ template "redis.tlsCert" . }} \
--key {{ template "redis.tlsCertKey" . }} \
{{- end }}
{{- else }}
-p $REDIS_PORT \
{{- end }}
ping
)
if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then
echo "$response"
exit 1
fi
{{- if .Values.sentinel.enabled }}
ping_sentinel.sh: |-
#!/bin/bash
{{- if .Values.usePasswordFile }}
password_aux=`cat ${REDIS_PASSWORD_FILE}`
export REDIS_PASSWORD=$password_aux
{{- end }}
{{- if .Values.usePassword }}
no_auth_warning=$([[ "$(redis-cli --version)" =~ (redis-cli 5.*) ]] && echo --no-auth-warning)
{{- end }}
response=$(
timeout -s 3 $1 \
redis-cli \
{{- if .Values.usePassword }}
-a $REDIS_PASSWORD $no_auth_warning \
{{- end }}
-h localhost \
{{- if .Values.tls.enabled }}
-p $REDIS_SENTINEL_TLS_PORT_NUMBER \
--tls \
--cacert {{ template "redis.tlsCACert" . }} \
{{- if .Values.tls.authClients }}
--cert {{ template "redis.tlsCert" . }} \
--key {{ template "redis.tlsCertKey" . }} \
{{- end }}
{{- else }}
-p $REDIS_SENTINEL_PORT \
{{- end }}
ping
)
if [ "$response" != "PONG" ]; then
echo "$response"
exit 1
fi
parse_sentinels.awk: |-
/ip/ {FOUND_IP=1}
/port/ {FOUND_PORT=1}
/runid/ {FOUND_RUNID=1}
!/ip|port|runid/ {
if (FOUND_IP==1) {
IP=$1; FOUND_IP=0;
}
else if (FOUND_PORT==1) {
PORT=$1;
FOUND_PORT=0;
} else if (FOUND_RUNID==1) {
printf "\nsentinel known-sentinel {{ .Values.sentinel.masterSet }} %s %s %s", IP, PORT, $0; FOUND_RUNID=0;
}
}
{{- end }}
ping_readiness_master.sh: |-
#!/bin/bash
{{- if .Values.usePasswordFile }}
password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}`
export REDIS_MASTER_PASSWORD=$password_aux
{{- end }}
{{- if .Values.usePassword }}
no_auth_warning=$([[ "$(redis-cli --version)" =~ (redis-cli 5.*) ]] && echo --no-auth-warning)
{{- end }}
response=$(
timeout -s 3 $1 \
redis-cli \
{{- if .Values.usePassword }}
-a $REDIS_MASTER_PASSWORD $no_auth_warning \
{{- end }}
-h $REDIS_MASTER_HOST \
-p $REDIS_MASTER_PORT_NUMBER \
{{- if .Values.tls.enabled }}
--tls \
--cacert {{ template "redis.tlsCACert" . }} \
{{- if .Values.tls.authClients }}
--cert {{ template "redis.tlsCert" . }} \
--key {{ template "redis.tlsCertKey" . }} \
{{- end }}
{{- end }}
ping
)
if [ "$response" != "PONG" ]; then
echo "$response"
exit 1
fi
ping_liveness_master.sh: |-
#!/bin/bash
{{- if .Values.usePasswordFile }}
password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}`
export REDIS_MASTER_PASSWORD=$password_aux
{{- end }}
{{- if .Values.usePassword }}
no_auth_warning=$([[ "$(redis-cli --version)" =~ (redis-cli 5.*) ]] && echo --no-auth-warning)
{{- end }}
response=$(
timeout -s 3 $1 \
redis-cli \
{{- if .Values.usePassword }}
-a $REDIS_MASTER_PASSWORD $no_auth_warning \
{{- end }}
-h $REDIS_MASTER_HOST \
-p $REDIS_MASTER_PORT_NUMBER \
{{- if .Values.tls.enabled }}
--tls \
--cacert {{ template "redis.tlsCACert" . }} \
{{- if .Values.tls.authClients }}
--cert {{ template "redis.tlsCert" . }} \
--key {{ template "redis.tlsCertKey" . }} \
{{- end }}
{{- end }}
ping
)
if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then
echo "$response"
exit 1
fi
ping_readiness_local_and_master.sh: |-
script_dir="$(dirname "$0")"
exit_status=0
"$script_dir/ping_readiness_local.sh" $1 || exit_status=$?
"$script_dir/ping_readiness_master.sh" $1 || exit_status=$?
exit $exit_status
ping_liveness_local_and_master.sh: |-
script_dir="$(dirname "$0")"
exit_status=0
"$script_dir/ping_liveness_local.sh" $1 || exit_status=$?
"$script_dir/ping_liveness_master.sh" $1 || exit_status=$?
exit $exit_status

33
nextcloud/charts/redis/templates/metrics-prometheus.yaml Normal file
View File

@ -0,0 +1,33 @@
{{- if and (.Values.metrics.enabled) (.Values.metrics.serviceMonitor.enabled) }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "redis.fullname" . }}
{{- if .Values.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.metrics.serviceMonitor.namespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- range $key, $value := .Values.metrics.serviceMonitor.selector }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
endpoints:
- port: metrics
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
selector:
matchLabels:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
app.kubernetes.io/component: "metrics"
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
{{- end -}}

31
nextcloud/charts/redis/templates/metrics-svc.yaml Normal file
View File

@ -0,0 +1,31 @@
{{- if .Values.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "redis.fullname" . }}-metrics
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
app.kubernetes.io/component: "metrics"
{{- if .Values.metrics.service.labels -}}
{{- toYaml .Values.metrics.service.labels | nindent 4 }}
{{- end -}}
{{- if .Values.metrics.service.annotations }}
annotations: {{- toYaml .Values.metrics.service.annotations | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.metrics.service.type }}
{{ if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }}
{{- end }}
ports:
- name: metrics
port: 9121
targetPort: metrics
selector:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
{{- end }}

74
nextcloud/charts/redis/templates/networkpolicy.yaml Normal file
View File

@ -0,0 +1,74 @@
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ template "networkPolicy.apiVersion" . }}
metadata:
name: {{ template "redis.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
podSelector:
matchLabels:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
{{- if .Values.cluster.enabled }}
policyTypes:
- Ingress
- Egress
egress:
# Allow dns resolution
- ports:
- port: 53
protocol: UDP
# Allow outbound connections to other cluster pods
- ports:
- port: {{ .Values.redisPort }}
{{- if .Values.sentinel.enabled }}
- port: {{ .Values.sentinel.port }}
{{- end }}
to:
- podSelector:
matchLabels:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
{{- end }}
ingress:
# Allow inbound connections
- ports:
- port: {{ .Values.redisPort }}
{{- if .Values.sentinel.enabled }}
- port: {{ .Values.sentinel.port }}
{{- end }}
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
{{ template "redis.fullname" . }}-client: "true"
- podSelector:
matchLabels:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
{{- if .Values.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.metrics.enabled }}
# Allow prometheus scrapes for metrics
- ports:
- port: 9121
{{- end }}
{{- end }}

21
nextcloud/charts/redis/templates/pdb.yaml Normal file
View File

@ -0,0 +1,21 @@
{{- if .Values.podDisruptionBudget.enabled }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ template "redis.fullname" . }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
spec:
{{- if .Values.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}
selector:
matchLabels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
{{- end }}

25
nextcloud/charts/redis/templates/prometheusrule.yaml Normal file
View File

@ -0,0 +1,25 @@
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "redis.fullname" . }}
{{- if .Values.metrics.prometheusRule.namespace }}
namespace: {{ .Values.metrics.prometheusRule.namespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
{{- with .Values.metrics.prometheusRule.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- with .Values.metrics.prometheusRule.rules }}
groups:
- name: {{ template "redis.name" $ }}
rules: {{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- end }}

43
nextcloud/charts/redis/templates/psp.yaml Normal file
View File

@ -0,0 +1,43 @@
{{- if .Values.podSecurityPolicy.create }}
apiVersion: {{ template "podSecurityPolicy.apiVersion" . }}
kind: PodSecurityPolicy
metadata:
name: {{ template "redis.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
allowPrivilegeEscalation: false
fsGroup:
rule: 'MustRunAs'
ranges:
- min: {{ .Values.securityContext.fsGroup }}
max: {{ .Values.securityContext.fsGroup }}
hostIPC: false
hostNetwork: false
hostPID: false
privileged: false
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
rule: 'MustRunAs'
ranges:
- min: {{ .Values.securityContext.runAsUser }}
max: {{ .Values.securityContext.runAsUser }}
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: {{ .Values.securityContext.runAsUser }}
max: {{ .Values.securityContext.runAsUser }}
volumes:
- 'configMap'
- 'secret'
- 'emptyDir'
- 'persistentVolumeClaim'
{{- end }}

346
nextcloud/charts/redis/templates/redis-master-statefulset.yaml Normal file
View File

@ -0,0 +1,346 @@
{{- if or (not .Values.cluster.enabled) (not .Values.sentinel.enabled) }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "redis.fullname" . }}-master
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
selector:
matchLabels:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
role: master
serviceName: {{ template "redis.fullname" . }}-headless
template:
metadata:
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
role: master
{{- if .Values.master.podLabels }}
{{- toYaml .Values.master.podLabels | nindent 8 }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.podLabels }}
{{- toYaml .Values.metrics.podLabels | nindent 8 }}
{{- end }}
annotations:
checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }}
checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
{{- if .Values.master.podAnnotations }}
{{- toYaml .Values.master.podAnnotations | nindent 8 }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }}
{{- toYaml .Values.metrics.podAnnotations | nindent 8 }}
{{- end }}
spec:
{{- include "redis.imagePullSecrets" . | nindent 6 }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- if .Values.securityContext.sysctls }}
sysctls: {{- toYaml .Values.securityContext.sysctls | nindent 8 }}
{{- end }}
{{- end }}
serviceAccountName: {{ template "redis.serviceAccountName" . }}
{{- if .Values.master.priorityClassName }}
priorityClassName: "{{ .Values.master.priorityClassName }}"
{{- end }}
{{- with .Values.master.affinity }}
affinity: {{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.master.nodeSelector }}
nodeSelector: {{- toYaml .Values.master.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.master.tolerations }}
tolerations: {{- toYaml .Values.master.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.master.shareProcessNamespace }}
shareProcessNamespace: {{ .Values.master.shareProcessNamespace }}
{{- end }}
{{- if .Values.master.schedulerName }}
schedulerName: {{ .Values.master.schedulerName }}
{{- end }}
containers:
- name: {{ template "redis.name" . }}
image: {{ template "redis.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- end }}
command:
- /bin/bash
- -c
- /opt/bitnami/scripts/start-scripts/start-master.sh
env:
- name: REDIS_REPLICATION_MODE
value: master
{{- if .Values.usePassword }}
{{- if .Values.usePasswordFile }}
- name: REDIS_PASSWORD_FILE
value: "/opt/bitnami/redis/secrets/redis-password"
{{- else }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "redis.secretName" . }}
key: {{ template "redis.secretPasswordKey" . }}
{{- end }}
{{- else }}
- name: ALLOW_EMPTY_PASSWORD
value: "yes"
{{- end }}
- name: REDIS_TLS_ENABLED
value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
{{- if .Values.tls.enabled }}
- name: REDIS_TLS_PORT
value: {{ .Values.redisPort | quote }}
- name: REDIS_TLS_AUTH_CLIENTS
value: {{ ternary "yes" "no" .Values.tls.authClients | quote }}
- name: REDIS_TLS_CERT_FILE
value: {{ template "redis.tlsCert" . }}
- name: REDIS_TLS_KEY_FILE
value: {{ template "redis.tlsCertKey" . }}
- name: REDIS_TLS_CA_FILE
value: {{ template "redis.tlsCACert" . }}
{{- if .Values.tls.dhParamsFilename }}
- name: REDIS_TLS_DH_PARAMS_FILE
value: {{ template "redis.tlsDHParams" . }}
{{- end }}
{{- else }}
- name: REDIS_PORT
value: {{ .Values.redisPort | quote }}
{{- end }}
{{- if .Values.master.extraEnvVars }}
{{- include "redis.tplValue" (dict "value" .Values.master.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- if or .Values.master.extraEnvVarsCM .Values.master.extraEnvVarsSecret }}
envFrom:
{{- if .Values.master.extraEnvVarsCM }}
- configMapRef:
name: {{ .Values.master.extraEnvVarsCM }}
{{- end }}
{{- if .Values.master.extraEnvVarsSecret }}
- secretRef:
name: {{ .Values.master.extraEnvVarsSecret }}
{{- end }}
{{- end }}
ports:
- name: redis
containerPort: {{ .Values.redisPort }}
{{- if .Values.master.livenessProbe.enabled }}
livenessProbe:
initialDelaySeconds: {{ .Values.master.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.master.livenessProbe.periodSeconds }}
# One second longer than command timeout should prevent generation of zombie processes.
timeoutSeconds: {{ add1 .Values.master.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.master.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.master.livenessProbe.failureThreshold }}
exec:
command:
- sh
- -c
- /health/ping_liveness_local.sh {{ .Values.master.livenessProbe.timeoutSeconds }}
{{- else if .Values.master.customLivenessProbe }}
livenessProbe: {{- toYaml .Values.master.customLivenessProbe | nindent 12 }}
{{- end }}
{{- if .Values.master.readinessProbe.enabled}}
readinessProbe:
initialDelaySeconds: {{ .Values.master.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.master.readinessProbe.periodSeconds }}
timeoutSeconds: {{ add1 .Values.master.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.master.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.master.readinessProbe.failureThreshold }}
exec:
command:
- sh
- -c
- /health/ping_readiness_local.sh {{ .Values.master.readinessProbe.timeoutSeconds }}
{{- else if .Values.master.customReadinessProbe }}
readinessProbe: {{- toYaml .Values.master.customReadinessProbe | nindent 12 }}
{{- end }}
resources: {{- toYaml .Values.master.resources | nindent 12 }}
volumeMounts:
- name: start-scripts
mountPath: /opt/bitnami/scripts/start-scripts
- name: health
mountPath: /health
{{- if .Values.usePasswordFile }}
- name: redis-password
mountPath: /opt/bitnami/redis/secrets/
{{- end }}
- name: redis-data
mountPath: {{ .Values.master.persistence.path }}
subPath: {{ .Values.master.persistence.subPath }}
- name: config
mountPath: /opt/bitnami/redis/mounted-etc
- name: redis-tmp-conf
mountPath: /opt/bitnami/redis/etc/
{{- if .Values.tls.enabled }}
- name: redis-certificates
mountPath: /opt/bitnami/redis/certs
readOnly: true
{{- end }}
{{- if .Values.metrics.enabled }}
- name: metrics
image: {{ template "redis.metrics.image" . }}
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
command:
- /bin/bash
- -c
- |
if [[ -f '/secrets/redis-password' ]]; then
export REDIS_PASSWORD=$(cat /secrets/redis-password)
fi
redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }}
env:
- name: REDIS_ALIAS
value: {{ template "redis.fullname" . }}
{{- if and .Values.usePassword (not .Values.usePasswordFile) }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "redis.secretName" . }}
key: {{ template "redis.secretPasswordKey" . }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE
value: {{ template "redis.tlsCertKey" . }}
- name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE
value: {{ template "redis.tlsCert" . }}
{{- end }}
volumeMounts:
{{- if .Values.usePasswordFile }}
- name: redis-password
mountPath: /secrets/
{{- end }}
{{- if .Values.tls.enabled }}
- name: redis-certificates
mountPath: /opt/bitnami/redis/certs
readOnly: true
{{- end }}
ports:
- name: metrics
containerPort: 9121
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- end }}
{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (and ( and .Values.master.persistence.enabled (not .Values.persistence.existingClaim) ) .Values.securityContext.enabled) }}
{{- if or $needsVolumePermissions .Values.sysctlImage.enabled }}
initContainers:
{{- if $needsVolumePermissions }}
- name: volume-permissions
image: "{{ template "redis.volumePermissions.image" . }}"
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
command: ["/bin/chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}", "{{ .Values.master.persistence.path }}"]
securityContext:
runAsUser: 0
resources: {{- toYaml .Values.volumePermissions.resources | nindent 10 }}
volumeMounts:
- name: redis-data
mountPath: {{ .Values.master.persistence.path }}
subPath: {{ .Values.master.persistence.subPath }}
{{- end }}
{{- if .Values.sysctlImage.enabled }}
- name: init-sysctl
image: {{ template "redis.sysctl.image" . }}
imagePullPolicy: {{ default "" .Values.sysctlImage.pullPolicy | quote }}
resources: {{- toYaml .Values.sysctlImage.resources | nindent 10 }}
{{- if .Values.sysctlImage.mountHostSys }}
volumeMounts:
- name: host-sys
mountPath: /host-sys
{{- end }}
command: {{- toYaml .Values.sysctlImage.command | nindent 10 }}
securityContext:
privileged: true
runAsUser: 0
{{- end }}
{{- end }}
volumes:
- name: start-scripts
configMap:
name: {{ include "redis.fullname" . }}-scripts
defaultMode: 0755
- name: health
configMap:
name: {{ template "redis.fullname" . }}-health
defaultMode: 0755
{{- if .Values.usePasswordFile }}
- name: redis-password
secret:
secretName: {{ template "redis.secretName" . }}
items:
- key: {{ template "redis.secretPasswordKey" . }}
path: redis-password
{{- end }}
- name: config
configMap:
name: {{ template "redis.fullname" . }}
{{- if not .Values.master.persistence.enabled }}
- name: "redis-data"
emptyDir: {}
{{- else }}
{{- if .Values.persistence.existingClaim }}
- name: "redis-data"
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim }}
{{- end }}
{{- end }}
{{- if .Values.sysctlImage.mountHostSys }}
- name: host-sys
hostPath:
path: /sys
{{- end }}
- name: redis-tmp-conf
emptyDir: {}
{{- if .Values.tls.enabled }}
- name: redis-certificates
secret:
secretName: {{ required "A secret containing the certificates for the TLS traffic is required when TLS in enabled" .Values.tls.certificatesSecret }}
defaultMode: 256
{{- end }}
{{- if and .Values.master.persistence.enabled (not .Values.persistence.existingClaim) }}
volumeClaimTemplates:
- metadata:
name: redis-data
labels:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
component: master
spec:
accessModes:
{{- range .Values.master.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.master.persistence.size | quote }}
{{ include "redis.master.storageClass" . }}
selector:
{{- if .Values.master.persistence.matchLabels }}
matchLabels: {{- toYaml .Values.master.persistence.matchLabels | nindent 12 }}
{{- end -}}
{{- if .Values.master.persistence.matchExpressions }}
matchExpressions: {{- toYaml .Values.master.persistence.matchExpressions | nindent 12 }}
{{- end -}}
{{- end }}
updateStrategy:
type: {{ .Values.master.statefulset.updateStrategy }}
{{- if .Values.master.statefulset.rollingUpdatePartition }}
{{- if (eq "Recreate" .Values.master.statefulset.updateStrategy) }}
rollingUpdate: null
{{- else }}
rollingUpdate:
partition: {{ .Values.master.statefulset.rollingUpdatePartition }}
{{- end }}
{{- end }}
{{- end }}

40
nextcloud/charts/redis/templates/redis-master-svc.yaml Normal file
View File

@ -0,0 +1,40 @@
{{- if not .Values.sentinel.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "redis.fullname" . }}-master
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.master.service.labels -}}
{{- toYaml .Values.master.service.labels | nindent 4 }}
{{- end -}}
{{- if .Values.master.service.annotations }}
annotations: {{- toYaml .Values.master.service.annotations | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.master.service.type }}
{{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.master.service.loadBalancerIP }}
{{- end }}
{{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- with .Values.master.service.loadBalancerSourceRanges }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
ports:
- name: redis
port: {{ .Values.master.service.port }}
targetPort: redis
{{- if .Values.master.service.nodePort }}
nodePort: {{ .Values.master.service.nodePort }}
{{- end }}
selector:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
role: master
{{- end }}

450
nextcloud/charts/redis/templates/redis-node-statefulset.yaml Normal file
View File

@ -0,0 +1,450 @@
{{- if and .Values.cluster.enabled .Values.sentinel.enabled }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "redis.fullname" . }}-node
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
{{- if .Values.slave.updateStrategy }}
strategy: {{- toYaml .Values.slave.updateStrategy | nindent 4 }}
{{- end }}
replicas: {{ .Values.cluster.slaveCount }}
serviceName: {{ template "redis.fullname" . }}-headless
selector:
matchLabels:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
role: node
template:
metadata:
labels:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
chart: {{ template "redis.chart" . }}
role: node
{{- if .Values.slave.podLabels }}
{{- toYaml .Values.slave.podLabels | nindent 8 }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.podLabels }}
{{- toYaml .Values.metrics.podLabels | nindent 8 }}
{{- end }}
annotations:
checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }}
checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
{{- if .Values.slave.podAnnotations }}
{{- toYaml .Values.slave.podAnnotations | nindent 8 }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }}
{{- toYaml .Values.metrics.podAnnotations | nindent 8 }}
{{- end }}
spec:
{{- include "redis.imagePullSecrets" . | nindent 6 }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- if .Values.securityContext.sysctls }}
sysctls: {{- toYaml .Values.securityContext.sysctls | nindent 8 }}
{{- end }}
{{- end }}
serviceAccountName: {{ template "redis.serviceAccountName" . }}
{{- if .Values.slave.priorityClassName }}
priorityClassName: "{{ .Values.slave.priorityClassName }}"
{{- end }}
{{- if .Values.slave.nodeSelector }}
nodeSelector: {{- toYaml .Values.slave.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.slave.tolerations }}
tolerations: {{- toYaml .Values.slave.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.slave.schedulerName }}
schedulerName: {{ .Values.slave.schedulerName }}
{{- end }}
{{- if .Values.master.spreadConstraints }}
topologySpreadConstraints: {{- toYaml .Values.master.spreadConstraints | nindent 8 }}
{{- end }}
{{- with .Values.slave.affinity }}
affinity: {{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
containers:
- name: {{ template "redis.name" . }}
image: {{ template "redis.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- end }}
command:
- /bin/bash
- -c
- /opt/bitnami/scripts/start-scripts/start-node.sh
env:
- name: REDIS_MASTER_PORT_NUMBER
value: {{ .Values.redisPort | quote }}
{{- if .Values.usePassword }}
{{- if .Values.usePasswordFile }}
- name: REDIS_PASSWORD_FILE
value: "/opt/bitnami/redis/secrets/redis-password"
- name: REDIS_MASTER_PASSWORD_FILE
value: "/opt/bitnami/redis/secrets/redis-password"
{{- else }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "redis.secretName" . }}
key: {{ template "redis.secretPasswordKey" . }}
- name: REDIS_MASTER_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "redis.secretName" . }}
key: {{ template "redis.secretPasswordKey" . }}
{{- end }}
{{- else }}
- name: ALLOW_EMPTY_PASSWORD
value: "yes"
{{- end }}
- name: REDIS_TLS_ENABLED
value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
{{- if .Values.tls.enabled }}
- name: REDIS_TLS_PORT
value: {{ .Values.redisPort | quote }}
- name: REDIS_TLS_AUTH_CLIENTS
value: {{ ternary "yes" "no" .Values.tls.authClients | quote }}
- name: REDIS_TLS_CERT_FILE
value: {{ template "redis.tlsCert" . }}
- name: REDIS_TLS_KEY_FILE
value: {{ template "redis.tlsCertKey" . }}
- name: REDIS_TLS_CA_FILE
value: {{ template "redis.tlsCACert" . }}
{{- if .Values.tls.dhParamsFilename }}
- name: REDIS_TLS_DH_PARAMS_FILE
value: {{ template "redis.tlsDHParams" . }}
{{- end }}
{{- else }}
- name: REDIS_PORT
value: {{ .Values.redisPort | quote }}
{{- end }}
- name: REDIS_DATA_DIR
value: {{ .Values.slave.persistence.path }}
ports:
- name: redis
containerPort: {{ .Values.redisPort }}
{{- if .Values.slave.livenessProbe.enabled }}
livenessProbe:
initialDelaySeconds: {{ .Values.slave.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.slave.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.slave.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.slave.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.slave.livenessProbe.failureThreshold}}
exec:
command:
- sh
- -c
{{- if .Values.sentinel.enabled }}
- /health/ping_liveness_local.sh {{ .Values.slave.livenessProbe.timeoutSeconds }}
{{- else }}
- /health/ping_liveness_local_and_master.sh {{ .Values.slave.livenessProbe.timeoutSeconds }}
{{- end }}
{{- else if .Values.slave.customLivenessProbe }}
livenessProbe: {{- toYaml .Values.slave.customLivenessProbe | nindent 12 }}
{{- end }}
{{- if .Values.slave.readinessProbe.enabled }}
readinessProbe:
initialDelaySeconds: {{ .Values.slave.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.slave.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.slave.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.slave.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.slave.readinessProbe.failureThreshold }}
exec:
command:
- sh
- -c
{{- if .Values.sentinel.enabled }}
- /health/ping_readiness_local.sh {{ .Values.slave.livenessProbe.timeoutSeconds }}
{{- else }}
- /health/ping_readiness_local_and_master.sh {{ .Values.slave.livenessProbe.timeoutSeconds }}
{{- end }}
{{- else if .Values.slave.customReadinessProbe }}
readinessProbe: {{- toYaml .Values.slave.customReadinessProbe | nindent 12 }}
{{- end }}
resources: {{- toYaml .Values.slave.resources | nindent 12 }}
volumeMounts:
- name: start-scripts
mountPath: /opt/bitnami/scripts/start-scripts
- name: health
mountPath: /health
{{- if .Values.usePasswordFile }}
- name: redis-password
mountPath: /opt/bitnami/redis/secrets/
{{- end }}
- name: redis-data
mountPath: /data
- name: config
mountPath: /opt/bitnami/redis/mounted-etc
- name: redis-tmp-conf
mountPath: /opt/bitnami/redis/etc
{{- if .Values.tls.enabled }}
- name: redis-certificates
mountPath: /opt/bitnami/redis/certs
readOnly: true
{{- end }}
{{- if and .Values.cluster.enabled .Values.sentinel.enabled }}
- name: sentinel
image: {{ template "sentinel.image" . }}
imagePullPolicy: {{ .Values.sentinel.image.pullPolicy | quote }}
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- end }}
command:
- /bin/bash
- -c
- /opt/bitnami/scripts/start-scripts/start-sentinel.sh
env:
{{- if .Values.usePassword }}
{{- if .Values.usePasswordFile }}
- name: REDIS_PASSWORD_FILE
value: "/opt/bitnami/redis/secrets/redis-password"
{{- else }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "redis.secretName" . }}
key: {{ template "redis.secretPasswordKey" . }}
{{- end }}
{{- else }}
- name: ALLOW_EMPTY_PASSWORD
value: "yes"
{{- end }}
- name: REDIS_SENTINEL_TLS_ENABLED
value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
{{- if .Values.tls.enabled }}
- name: REDIS_SENTINEL_TLS_PORT_NUMBER
value: {{ .Values.sentinel.port | quote }}
- name: REDIS_SENTINEL_TLS_AUTH_CLIENTS
value: {{ ternary "yes" "no" .Values.tls.authClients | quote }}
- name: REDIS_SENTINEL_TLS_CERT_FILE
value: {{ template "redis.tlsCert" . }}
- name: REDIS_SENTINEL_TLS_KEY_FILE
value: {{ template "redis.tlsCertKey" . }}
- name: REDIS_SENTINEL_TLS_CA_FILE
value: {{ template "redis.tlsCACert" . }}
{{- if .Values.tls.dhParamsFilename }}
- name: REDIS_SENTINEL_TLS_DH_PARAMS_FILE
value: {{ template "redis.dhParams" . }}
{{- end }}
{{- else }}
- name: REDIS_SENTINEL_PORT
value: {{ .Values.sentinel.port | quote }}
{{- end }}
ports:
- name: redis-sentinel
containerPort: {{ .Values.sentinel.port }}
{{- if .Values.sentinel.livenessProbe.enabled }}
livenessProbe:
initialDelaySeconds: {{ .Values.sentinel.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.sentinel.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.sentinel.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.sentinel.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.sentinel.livenessProbe.failureThreshold }}
exec:
command:
- sh
- -c
- /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }}
{{- else if .Values.sentinel.customLivenessProbe }}
livenessProbe: {{- toYaml .Values.sentinel.customLivenessProbe | nindent 12 }}
{{- end }}
{{- if .Values.sentinel.readinessProbe.enabled}}
readinessProbe:
initialDelaySeconds: {{ .Values.sentinel.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.sentinel.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.sentinel.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.sentinel.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.sentinel.readinessProbe.failureThreshold }}
exec:
command:
- sh
- -c
- /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }}
{{- else if .Values.sentinel.customReadinessProbe }}
readinessProbe: {{- toYaml .Values.sentinel.customReadinessProbe | nindent 12 }}
{{- end }}
resources: {{- toYaml .Values.sentinel.resources | nindent 12 }}
volumeMounts:
- name: start-scripts
mountPath: /opt/bitnami/scripts/start-scripts
- name: health
mountPath: /health
{{- if .Values.usePasswordFile }}
- name: redis-password
mountPath: /opt/bitnami/redis/secrets/
{{- end }}
- name: redis-data
mountPath: {{ .Values.master.persistence.path }}
subPath: {{ .Values.master.persistence.subPath }}
- name: config
mountPath: /opt/bitnami/redis-sentinel/mounted-etc
- name: sentinel-tmp-conf
mountPath: /opt/bitnami/redis-sentinel/etc
{{- if .Values.tls.enabled }}
- name: redis-certificates
mountPath: /opt/bitnami/redis/certs
readOnly: true
{{- end }}
{{- end }}
{{- if .Values.metrics.enabled }}
- name: metrics
image: {{ template "redis.metrics.image" . }}
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
command:
- /bin/bash
- -c
- |
if [[ -f '/secrets/redis-password' ]]; then
export REDIS_PASSWORD=$(cat /secrets/redis-password)
fi
redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }}
env:
- name: REDIS_ALIAS
value: {{ template "redis.fullname" . }}
{{- if and .Values.usePassword (not .Values.usePasswordFile) }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "redis.secretName" . }}
key: {{ template "redis.secretPasswordKey" . }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE
value: {{ template "redis.tlsCertKey" . }}
- name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE
value: {{ template "redis.tlsCert" . }}
{{- end }}
volumeMounts:
{{- if .Values.usePasswordFile }}
- name: redis-password
mountPath: /secrets/
{{- end }}
{{- if .Values.tls.enabled }}
- name: redis-certificates
mountPath: /opt/bitnami/redis/certs
readOnly: true
{{- end }}
ports:
- name: metrics
containerPort: 9121
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- end }}
{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (and .Values.slave.persistence.enabled .Values.securityContext.enabled) }}
{{- if or $needsVolumePermissions .Values.sysctlImage.enabled }}
initContainers:
{{- if $needsVolumePermissions }}
- name: volume-permissions
image: {{ template "redis.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
command: ["/bin/chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}", "{{ .Values.slave.persistence.path }}"]
securityContext:
runAsUser: 0
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
volumeMounts:
- name: redis-data
mountPath: {{ .Values.slave.persistence.path }}
subPath: {{ .Values.slave.persistence.subPath }}
{{- end }}
{{- if .Values.sysctlImage.enabled }}
- name: init-sysctl
image: {{ template "redis.sysctl.image" . }}
imagePullPolicy: {{ default "" .Values.sysctlImage.pullPolicy | quote }}
resources: {{- toYaml .Values.sysctlImage.resources | nindent 12 }}
{{- if .Values.sysctlImage.mountHostSys }}
volumeMounts:
- name: host-sys
mountPath: /host-sys
{{- end }}
command: {{- toYaml .Values.sysctlImage.command | nindent 12 }}
securityContext:
privileged: true
runAsUser: 0
{{- end }}
{{- end }}
volumes:
- name: start-scripts
configMap:
name: {{ include "redis.fullname" . }}-scripts
defaultMode: 0755
- name: health
configMap:
name: {{ template "redis.fullname" . }}-health
defaultMode: 0755
{{- if .Values.usePasswordFile }}
- name: redis-password
secret:
secretName: {{ template "redis.secretName" . }}
items:
- key: {{ template "redis.secretPasswordKey" . }}
path: redis-password
{{- end }}
- name: config
configMap:
name: {{ template "redis.fullname" . }}
{{- if .Values.sysctlImage.mountHostSys }}
- name: host-sys
hostPath:
path: /sys
{{- end }}
- name: sentinel-tmp-conf
emptyDir: {}
- name: redis-tmp-conf
emptyDir: {}
{{- if .Values.tls.enabled }}
- name: redis-certificates
secret:
secretName: {{ required "A secret containing the certificates for the TLS traffic is required when TLS in enabled" .Values.tls.certificatesSecret }}
defaultMode: 256
{{- end }}
{{- if not .Values.slave.persistence.enabled }}
- name: redis-data
emptyDir: {}
{{- else }}
volumeClaimTemplates:
- metadata:
name: redis-data
labels:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
component: slave
spec:
accessModes:
{{- range .Values.slave.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.slave.persistence.size | quote }}
{{ include "redis.slave.storageClass" . }}
selector:
{{- if .Values.slave.persistence.matchLabels }}
matchLabels: {{- toYaml .Values.slave.persistence.matchLabels | nindent 12 }}
{{- end -}}
{{- if .Values.slave.persistence.matchExpressions }}
matchExpressions: {{- toYaml .Values.slave.persistence.matchExpressions | nindent 12 }}
{{- end -}}
{{- end }}
updateStrategy:
type: {{ .Values.slave.statefulset.updateStrategy }}
{{- if .Values.slave.statefulset.rollingUpdatePartition }}
{{- if (eq "Recreate" .Values.slave.statefulset.updateStrategy) }}
rollingUpdate: null
{{- else }}
rollingUpdate:
partition: {{ .Values.slave.statefulset.rollingUpdatePartition }}
{{- end }}
{{- end }}
{{- end }}

22
nextcloud/charts/redis/templates/redis-role.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "redis.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
{{- if .Values.podSecurityPolicy.create }}
- apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: [{{ template "redis.fullname" . }}]
{{- end -}}
{{- if .Values.rbac.role.rules }}
{{- toYaml .Values.rbac.role.rules | nindent 2 }}
{{- end -}}
{{- end -}}

19
nextcloud/charts/redis/templates/redis-rolebinding.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "redis.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "redis.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "redis.serviceAccountName" . }}
{{- end -}}

12
nextcloud/charts/redis/templates/redis-serviceaccount.yaml Normal file
View File

@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "redis.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- end -}}

354
nextcloud/charts/redis/templates/redis-slave-statefulset.yaml Normal file
View File

@ -0,0 +1,354 @@
{{- if and .Values.cluster.enabled (not .Values.sentinel.enabled) }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "redis.fullname" . }}-slave
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
{{- if .Values.slave.updateStrategy }}
strategy: {{- toYaml .Values.slave.updateStrategy | nindent 4 }}
{{- end }}
replicas: {{ .Values.cluster.slaveCount }}
serviceName: {{ template "redis.fullname" . }}-headless
selector:
matchLabels:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
role: slave
template:
metadata:
labels:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
chart: {{ template "redis.chart" . }}
role: slave
{{- if .Values.slave.podLabels }}
{{- toYaml .Values.slave.podLabels | nindent 8 }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.podLabels }}
{{- toYaml .Values.metrics.podLabels | nindent 8 }}
{{- end }}
annotations:
checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }}
checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
{{- if .Values.slave.podAnnotations }}
{{- toYaml .Values.slave.podAnnotations | nindent 8 }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }}
{{- toYaml .Values.metrics.podAnnotations | nindent 8 }}
{{- end }}
spec:
{{- include "redis.imagePullSecrets" . | nindent 6 }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- if .Values.securityContext.sysctls }}
sysctls: {{- toYaml .Values.securityContext.sysctls | nindent 8 }}
{{- end }}
{{- end }}
serviceAccountName: {{ template "redis.serviceAccountName" . }}
{{- if .Values.slave.priorityClassName }}
priorityClassName: "{{ .Values.slave.priorityClassName }}"
{{- end }}
{{- if .Values.slave.nodeSelector }}
nodeSelector: {{- toYaml .Values.slave.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.slave.tolerations }}
tolerations: {{- toYaml .Values.slave.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.slave.shareProcessNamespace }}
shareProcessNamespace: {{ .Values.slave.shareProcessNamespace }}
{{- end }}
{{- if .Values.slave.schedulerName }}
schedulerName: {{ .Values.slave.schedulerName }}
{{- end }}
{{- if .Values.master.spreadConstraints }}
topologySpreadConstraints: {{- toYaml .Values.master.spreadConstraints | nindent 8 }}
{{- end }}
{{- with .Values.slave.affinity }}
affinity: {{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
containers:
- name: {{ template "redis.name" . }}
image: {{ template "redis.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- end }}
command:
- /bin/bash
- -c
- /opt/bitnami/scripts/start-scripts/start-slave.sh
env:
- name: REDIS_REPLICATION_MODE
value: slave
- name: REDIS_MASTER_HOST
value: {{ template "redis.fullname" . }}-master-0.{{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
- name: REDIS_MASTER_PORT_NUMBER
value: {{ .Values.redisPort | quote }}
{{- if .Values.usePassword }}
{{- if .Values.usePasswordFile }}
- name: REDIS_PASSWORD_FILE
value: "/opt/bitnami/redis/secrets/redis-password"
- name: REDIS_MASTER_PASSWORD_FILE
value: "/opt/bitnami/redis/secrets/redis-password"
{{- else }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "redis.secretName" . }}
key: {{ template "redis.secretPasswordKey" . }}
- name: REDIS_MASTER_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "redis.secretName" . }}
key: {{ template "redis.secretPasswordKey" . }}
{{- end }}
{{- else }}
- name: ALLOW_EMPTY_PASSWORD
value: "yes"
{{- end }}
- name: REDIS_TLS_ENABLED
value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
{{- if .Values.tls.enabled }}
- name: REDIS_TLS_PORT
value: {{ .Values.redisPort | quote }}
- name: REDIS_TLS_AUTH_CLIENTS
value: {{ ternary "yes" "no" .Values.tls.authClients | quote }}
- name: REDIS_TLS_CERT_FILE
value: {{ template "redis.tlsCert" . }}
- name: REDIS_TLS_KEY_FILE
value: {{ template "redis.tlsCertKey" . }}
- name: REDIS_TLS_CA_FILE
value: {{ template "redis.tlsCACert" . }}
{{- if .Values.tls.dhParamsFilename }}
- name: REDIS_TLS_DH_PARAMS_FILE
value: {{ template "redis.tlsDHParams" . }}
{{- end }}
{{- else }}
- name: REDIS_PORT
value: {{ .Values.redisPort | quote }}
{{- end }}
{{- if .Values.slave.extraEnvVars }}
{{- include "redis.tplValue" (dict "value" .Values.slave.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- if or .Values.slave.extraEnvVarsCM .Values.slave.extraEnvVarsSecret }}
envFrom:
{{- if .Values.slave.extraEnvVarsCM }}
- configMapRef:
name: {{ .Values.slave.extraEnvVarsCM }}
{{- end }}
{{- if .Values.slave.extraEnvVarsSecret }}
- secretRef:
name: {{ .Values.slave.extraEnvVarsSecret }}
{{- end }}
{{- end }}
ports:
- name: redis
containerPort: {{ .Values.redisPort }}
{{- if .Values.slave.livenessProbe.enabled }}
livenessProbe:
initialDelaySeconds: {{ .Values.slave.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.slave.livenessProbe.periodSeconds }}
timeoutSeconds: {{ add1 .Values.slave.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.slave.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.slave.livenessProbe.failureThreshold}}
exec:
command:
- sh
- -c
- /health/ping_liveness_local_and_master.sh {{ .Values.slave.livenessProbe.timeoutSeconds }}
{{- else if .Values.slave.customLivenessProbe }}
livenessProbe: {{- toYaml .Values.slave.customLivenessProbe | nindent 12 }}
{{- end }}
{{- if .Values.slave.readinessProbe.enabled }}
readinessProbe:
initialDelaySeconds: {{ .Values.slave.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.slave.readinessProbe.periodSeconds }}
timeoutSeconds: {{ add1 .Values.slave.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.slave.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.slave.readinessProbe.failureThreshold }}
exec:
command:
- sh
- -c
- /health/ping_readiness_local_and_master.sh {{ .Values.slave.readinessProbe.timeoutSeconds }}
{{- else if .Values.slave.customReadinessProbe }}
readinessProbe: {{- toYaml .Values.slave.customReadinessProbe | nindent 12 }}
{{- end }}
resources: {{- toYaml .Values.slave.resources | nindent 12 }}
volumeMounts:
- name: start-scripts
mountPath: /opt/bitnami/scripts/start-scripts
- name: health
mountPath: /health
{{- if .Values.usePasswordFile }}
- name: redis-password
mountPath: /opt/bitnami/redis/secrets/
{{- end }}
- name: redis-data
mountPath: /data
- name: config
mountPath: /opt/bitnami/redis/mounted-etc
- name: redis-tmp-conf
mountPath: /opt/bitnami/redis/etc
{{- if .Values.tls.enabled }}
- name: redis-certificates
mountPath: /opt/bitnami/redis/certs
readOnly: true
{{- end }}
{{- if .Values.metrics.enabled }}
- name: metrics
image: {{ template "redis.metrics.image" . }}
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
command:
- /bin/bash
- -c
- |
if [[ -f '/secrets/redis-password' ]]; then
export REDIS_PASSWORD=$(cat /secrets/redis-password)
fi
redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }}
env:
- name: REDIS_ALIAS
value: {{ template "redis.fullname" . }}
{{- if and .Values.usePassword (not .Values.usePasswordFile) }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "redis.secretName" . }}
key: {{ template "redis.secretPasswordKey" . }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE
value: {{ template "redis.tlsCertKey" . }}
- name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE
value: {{ template "redis.tlsCert" . }}
{{- end }}
volumeMounts:
{{- if .Values.usePasswordFile }}
- name: redis-password
mountPath: /secrets/
{{- end }}
{{- if .Values.tls.enabled }}
- name: redis-certificates
mountPath: /opt/bitnami/redis/certs
readOnly: true
{{- end }}
ports:
- name: metrics
containerPort: 9121
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- end }}
{{- $needsVolumePermissions := and .Values.volumePermissions.enabled (and .Values.slave.persistence.enabled .Values.securityContext.enabled) }}
{{- if or $needsVolumePermissions .Values.sysctlImage.enabled }}
initContainers:
{{- if $needsVolumePermissions }}
- name: volume-permissions
image: {{ template "redis.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
command: ["/bin/chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}", "{{ .Values.slave.persistence.path }}"]
securityContext:
runAsUser: 0
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
volumeMounts:
- name: redis-data
mountPath: {{ .Values.slave.persistence.path }}
subPath: {{ .Values.slave.persistence.subPath }}
{{- end }}
{{- if .Values.sysctlImage.enabled }}
- name: init-sysctl
image: {{ template "redis.sysctl.image" . }}
imagePullPolicy: {{ default "" .Values.sysctlImage.pullPolicy | quote }}
resources: {{- toYaml .Values.sysctlImage.resources | nindent 12 }}
{{- if .Values.sysctlImage.mountHostSys }}
volumeMounts:
- name: host-sys
mountPath: /host-sys
{{- end }}
command: {{- toYaml .Values.sysctlImage.command | nindent 12 }}
securityContext:
privileged: true
runAsUser: 0
{{- end }}
{{- end }}
volumes:
- name: start-scripts
configMap:
name: {{ include "redis.fullname" . }}-scripts
defaultMode: 0755
- name: health
configMap:
name: {{ template "redis.fullname" . }}-health
defaultMode: 0755
{{- if .Values.usePasswordFile }}
- name: redis-password
secret:
secretName: {{ template "redis.secretName" . }}
items:
- key: {{ template "redis.secretPasswordKey" . }}
path: redis-password
{{- end }}
- name: config
configMap:
name: {{ template "redis.fullname" . }}
{{- if .Values.sysctlImage.mountHostSys }}
- name: host-sys
hostPath:
path: /sys
{{- end }}
- name: redis-tmp-conf
emptyDir: {}
{{- if .Values.tls.enabled }}
- name: redis-certificates
secret:
secretName: {{ required "A secret containing the certificates for the TLS traffic is required when TLS in enabled" .Values.tls.certificatesSecret }}
defaultMode: 256
{{- end }}
{{- if not .Values.slave.persistence.enabled }}
- name: redis-data
emptyDir: {}
{{- else }}
volumeClaimTemplates:
- metadata:
name: redis-data
labels:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
component: slave
spec:
accessModes:
{{- range .Values.slave.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.slave.persistence.size | quote }}
{{ include "redis.slave.storageClass" . }}
selector:
{{- if .Values.slave.persistence.matchLabels }}
matchLabels: {{- toYaml .Values.slave.persistence.matchLabels | nindent 12 }}
{{- end -}}
{{- if .Values.slave.persistence.matchExpressions }}
matchExpressions: {{- toYaml .Values.slave.persistence.matchExpressions | nindent 12 }}
{{- end -}}
{{- end }}
updateStrategy:
type: {{ .Values.slave.statefulset.updateStrategy }}
{{- if .Values.slave.statefulset.rollingUpdatePartition }}
{{- if (eq "Recreate" .Values.slave.statefulset.updateStrategy) }}
rollingUpdate: null
{{- else }}
rollingUpdate:
partition: {{ .Values.slave.statefulset.rollingUpdatePartition }}
{{- end }}
{{- end }}
{{- end }}

40
nextcloud/charts/redis/templates/redis-slave-svc.yaml Normal file
View File

@ -0,0 +1,40 @@
{{- if and .Values.cluster.enabled (not .Values.sentinel.enabled) }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "redis.fullname" . }}-slave
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.slave.service.labels -}}
{{- toYaml .Values.slave.service.labels | nindent 4 }}
{{- end -}}
{{- if .Values.slave.service.annotations }}
annotations: {{- toYaml .Values.slave.service.annotations | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.slave.service.type }}
{{- if and (eq .Values.slave.service.type "LoadBalancer") .Values.slave.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.slave.service.loadBalancerIP }}
{{- end }}
{{- if and (eq .Values.slave.service.type "LoadBalancer") .Values.slave.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- with .Values.slave.service.loadBalancerSourceRanges }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
ports:
- name: redis
port: {{ .Values.slave.service.port }}
targetPort: redis
{{- if .Values.slave.service.nodePort }}
nodePort: {{ .Values.slave.service.nodePort }}
{{- end }}
selector:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
role: slave
{{- end }}

40
nextcloud/charts/redis/templates/redis-with-sentinel-svc.yaml Normal file
View File

@ -0,0 +1,40 @@
{{- if .Values.sentinel.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "redis.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.sentinel.service.labels }}
{{- toYaml .Values.sentinel.service.labels | nindent 4 }}
{{- end }}
{{- if .Values.sentinel.service.annotations }}
annotations: {{- toYaml .Values.sentinel.service.annotations | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.sentinel.service.type }}
{{ if eq .Values.sentinel.service.type "LoadBalancer" -}} {{ if .Values.sentinel.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.sentinel.service.loadBalancerIP }}
{{ end -}}
{{- end -}}
ports:
- name: redis
port: {{ .Values.sentinel.service.redisPort }}
targetPort: redis
{{- if .Values.sentinel.service.redisNodePort }}
nodePort: {{ .Values.sentinel.service.redisNodePort }}
{{- end }}
- name: redis-sentinel
port: {{ .Values.sentinel.service.sentinelPort }}
targetPort: redis-sentinel
{{- if .Values.sentinel.service.sentinelNodePort }}
nodePort: {{ .Values.sentinel.service.sentinelNodePort }}
{{- end }}
selector:
app: {{ template "redis.name" . }}
release: {{ .Release.Name }}
{{- end }}

15
nextcloud/charts/redis/templates/secret.yaml Normal file
View File

@ -0,0 +1,15 @@
{{- if and .Values.usePassword (not .Values.existingSecret) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "redis.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ template "redis.name" . }}
chart: {{ template "redis.chart" . }}
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
type: Opaque
data:
redis-password: {{ include "redis.password" . | b64enc | quote }}
{{- end -}}