- _helpers.tpl: required guard on image.tag — silent empty deploys can no longer happen; helm fails fast with a clear message. - configmap-nginx: HTTPS fastcgi param uses if_not_empty, so PHP only sees HTTPS when X-Forwarded-Proto is actually present. - deployment-app: add startupProbe with 100s budget so first-boot cache warmup doesn't trip liveness. - deployment-horizon: failureThreshold=5 on the horizon:status probe; transient Valkey blips no longer cause restart loops. - job-migrate: mount oauth-keys so seeders that touch Passport clients don't silently fail. - statefulset-valkey: replace separate password Secret with a requirePassword toggle that reads REDIS_PASSWORD from the main chart Secret (same Secret app/horizon/scheduler already mount). Liveness probe authenticates with the password when set. - values-us-prod: enable valkey.requirePassword. - README: add REDIS_PASSWORD to bootstrap procedure. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
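{{- if .Values.valkey.enabled }}
# Valkey cache/queue backend for the chart: a ClusterIP Service plus a
# single-replica StatefulSet with one persistent volume mounted at /data.
# Both objects are rendered only when .Values.valkey.enabled is set.
apiVersion: v1
kind: Service
metadata:
  name: {{ include "ezscale-website.redisHost" . }}
  labels:
    {{- include "ezscale-website.labels" . | nindent 4 }}
    app.kubernetes.io/component: valkey
spec:
  # ClusterIP keeps the port off any external load balancer, but this
  # template defines no NetworkPolicy, so the password (when enabled) is the
  # only access control visible here.
  # NOTE(review): confirm whether a NetworkPolicy elsewhere in the chart
  # limits which pods may reach port 6379.
  type: ClusterIP
  ports:
    - port: 6379
      targetPort: redis
      name: redis
  selector:
    {{- include "ezscale-website.selectorLabels" . | nindent 4 }}
    app.kubernetes.io/component: valkey
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: {{ include "ezscale-website.redisHost" . }}
  labels:
    {{- include "ezscale-website.labels" . | nindent 4 }}
    app.kubernetes.io/component: valkey
spec:
  serviceName: {{ include "ezscale-website.redisHost" . }}
  replicas: 1
  selector:
    matchLabels:
      {{- include "ezscale-website.selectorLabels" . | nindent 6 }}
      app.kubernetes.io/component: valkey
  template:
    metadata:
      labels:
        {{- include "ezscale-website.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/component: valkey
    spec:
      containers:
        - name: valkey
          image: {{ .Values.valkey.image }}
          # When requirePassword is true, REDIS_PASSWORD is sourced from the
          # main chart Secret (same Secret the app/horizon/scheduler pods read
          # via envFrom). Local dev can put it in secret.values; prod
          # bootstraps it manually per the chart README.
          command:
            - valkey-server
            - --appendonly
            - "yes"
            - --maxmemory
            - {{ .Values.valkey.maxmemory | quote }}
            - --maxmemory-policy
            - allkeys-lru
            {{- if .Values.valkey.requirePassword }}
            # Kubernetes substitutes $(REDIS_PASSWORD) before the container
            # starts, so the password becomes part of the valkey-server
            # command line and is readable by anything that can list
            # processes in this pod. Loading requirepass from a mounted
            # config file would keep it out of argv.
            # NOTE(review): an empty REDIS_PASSWORD value would presumably
            # leave authentication disabled without any error; verify the
            # bootstrap procedure rejects an empty value.
            - --requirepass
            - $(REDIS_PASSWORD)
            {{- end }}
          {{- if .Values.valkey.requirePassword }}
          env:
            # A missing Secret or key blocks container start, so a forgotten
            # bootstrap step does not silently run the server without a
            # password.
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "ezscale-website.secretName" . }}
                  key: REDIS_PASSWORD
          {{- end }}
          ports:
            - name: redis
              containerPort: 6379
          volumeMounts:
            - name: data
              mountPath: /data
          livenessProbe:
            exec:
              {{- if .Values.valkey.requirePassword }}
              # The password is handed to valkey-cli through the
              # REDISCLI_AUTH environment variable rather than -a, so the
              # probe (run every periodSeconds) does not put it on the
              # valkey-cli command line. The shell expands $REDIS_PASSWORD
              # from the container environment at probe time.
              command: ["sh", "-c", "REDISCLI_AUTH=\"$REDIS_PASSWORD\" valkey-cli ping"]
              {{- else }}
              command: ["valkey-cli", "ping"]
              {{- end }}
            initialDelaySeconds: 10
            periodSeconds: 10
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: {{ .Values.valkey.storage.storageClassName }}
        resources:
          requests:
            storage: {{ .Values.valkey.storage.size }}
{{- end }}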