refactor: change dragonfly to valkey (#556)

kubernetes/mydata/immich/app/netpol.yaml

@@ -71,12 +71,12 @@ specs:
             rules:
               dns:
                 - matchName: "immich-postgres-rw.mydata.svc.cluster.local."
-                - matchName: "immich-dragonfly.mydata.svc.cluster.local."
+                - matchName: "immich-valkey.mydata.svc.cluster.local."
       - toEndpoints:
           - matchLabels:
               cnpg.io/cluster: immich-postgres
           - matchLabels:
-              app.kubernetes.io/name: immich-dragonfly
+              app.kubernetes.io/name: immich-valkey
         toPorts:
           - ports:
               - protocol: TCP

kubernetes/mydata/immich/app/release.yaml

@@ -44,13 +44,18 @@ spec:
               IMMICH_PORT: &p1 3001
               IMMICH_MEDIA_LOCATION: &data-dir /data
               IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning:3003
-              REDIS_HOSTNAME: immich-dragonfly
               DB_VECTOR_EXTENSION: pgvector
               DB_URL:
                 valueFrom:
                   secretKeyRef:
                     name: *s
                     key: DB_URL
+              REDIS_HOSTNAME: immich-valkey
+              REDIS_USERNAME:
+                valueFrom:
+                  secretKeyRef:
+                    name: *s
+                    key: REDIS_USERNAME
               REDIS_PASSWORD:
                 valueFrom:
                   secretKeyRef:
@@ -95,7 +100,7 @@ spec:
               IMMICH_WORKERS_EXCLUDE: api
               IMMICH_MEDIA_LOCATION: *data-dir
               IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning:3003
-              REDIS_HOSTNAME: immich-dragonfly
+              REDIS_HOSTNAME: immich-valkey
               DB_VECTOR_EXTENSION: pgvector
               DB_URL:
                 valueFrom:

kubernetes/mydata/immich/app/secret.yaml

@@ -15,13 +15,18 @@ spec:
         jmesPath:
           - path: DB_URL
             objectAlias: DB_URL
+          - path: REDIS_USERNAME
+            objectAlias: REDIS_USERNAME
           - path: REDIS_PASSWORD
             objectAlias: REDIS_PASSWORD
+
   secretObjects:
     - secretName: *name
       type: Opaque
       data:
         - key: DB_URL
           objectName: DB_URL
+        - key: REDIS_USERNAME
+          objectName: REDIS_USERNAME
         - key: REDIS_PASSWORD
           objectName: REDIS_PASSWORD

kubernetes/mydata/immich/deps/netpol.yaml

@@ -21,7 +21,7 @@ specs:
   # allow redis connection from immich
   - endpointSelector:
       matchLabels:
-        app.kubernetes.io/name: immich-dragonfly
+        app.kubernetes.io/name: immich-valkey
     ingress:
       - fromEndpoints: *immich
         toPorts:

kubernetes/mydata/immich/deps/dragonfly-secret.yaml → kubernetes/mydata/immich/deps/valkey-secret.yaml

@@ -4,20 +4,12 @@ apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
   namespace: mydata
-  name: &name immich-dragonfly-secret
+  name: immich-valkey-secret
 spec:
   provider: aws
   parameters:
     region: us-west-2
     objects: |
       - objectType: ssmparameter
-        objectName: /amethyst/immich-dragonfly
-        jmesPath:
-          - path: DFLY_PASSWORD
-            objectAlias: DFLY_PASSWORD
-  secretObjects:
-    - secretName: *name
-      type: Opaque
-      data:
-        - key: DFLY_PASSWORD
-          objectName: DFLY_PASSWORD
+        objectName: /amethyst/immich-valkey
+        objectAlias: users.acl

kubernetes/mydata/immich/deps/dragonfly.yaml → kubernetes/mydata/immich/deps/valkey.yaml

@@ -4,7 +4,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   namespace: mydata
-  name: immich-dragonfly
+  name: immich-valkey
 spec:
   chart:
     spec:
@@ -23,7 +23,7 @@ spec:
         replicas: 1
         strategy: RollingUpdate
         annotations:
-          secret.reloader.stakater.com/reload: &s immich-dragonfly-secret
+          secret.reloader.stakater.com/reload: &s immich-valkey-secret
         pod:
           automountServiceAccountToken: false
           securityContext:
@@ -39,18 +39,10 @@ spec:
         containers:
           main:
             image:
-              repository: ghcr.io/dragonflydb/dragonfly
-              tag: v1.26.1
+              repository: valkey/valkey
+              tag: 8.0.2-alpine
             args:
-              # https://github.com/immich-app/immich/issues/2542
-              - --default_lua_flags=allow-undeclared-keys
-              - --dir=/data
-            env:
-              DFLY_requirepass:
-                valueFrom:
-                  secretKeyRef:
-                    name: *s
-                    key: DFLY_PASSWORD
+              - /config/valkey.conf
             resources:
               requests:
                 cpu: 100m
@@ -75,10 +67,27 @@ spec:
     serviceAccount:
       create: true
       annotations:
-        eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-immich-dragonfly
+        eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-immich-valkey
         eks.amazonaws.com/audience: sts.amazonaws.com
 
+    configMaps:
+      config:
+        enabled: true
+        data:
+          valkey.conf: |
+            bind * -::*
+            aclfile /secret/users.acl
+            # ACL example:
+            # user default off
+            # user {username} {permissions} {access-patterns} {on or off} >{plaintext-password}
+
     persistence:
+      config:
+        type: configMap
+        name: immich-valkey-config
+        globalMounts:
+          - path: /config
+            readOnly: true
       secret:
         type: custom
         volumeSpec:
@@ -87,6 +96,9 @@ spec:
             readOnly: true
             volumeAttributes:
               secretProviderClass: *s
+        globalMounts:
+          - path: /secret
+            readOnly: true
 
     service:
       main:

kubernetes/mydata/immich/kustomization.yaml

@@ -8,8 +8,8 @@ resources:
   - app/pvc.yaml
   - app/secret.yaml
   - app/netpol.yaml
-  - deps/dragonfly-secret.yaml
-  - deps/dragonfly.yaml
+  - deps/valkey-secret.yaml
+  - deps/valkey.yaml
   - deps/postgres-secret.yaml
   - deps/postgres.yaml
   - deps/netpol.yaml

kubernetes/mydata/nextcloud/app/config.yaml

@@ -23,7 +23,7 @@ data:
   php-config.ini: |
     ; -- Redis session handler
     session.save_handler = redis
-    session.save_path = "tcp://${_REDIS_HOST}:${REDIS_HOST_PORT}?auth=${REDIS_HOST_PASSWORD}"
+    session.save_path = "tcp://${_REDIS_HOST}:${REDIS_HOST_PORT}?auth[username]=${REDIS_HOST_USERNAME}&auth[password]=${REDIS_HOST_PASSWORD}"
     redis.session.locking_enabled = 1
     redis.session.lock_retries = -1
     redis.session.lock_wait_time = 10000
@@ -51,6 +51,7 @@ data:
       'redis' => [
         'host' => getenv('_REDIS_HOST'),
         'port' => getenv('REDIS_HOST_PORT') ?: 6379,
+        'user' => getenv('REDIS_HOST_USERNAME'),
         'password' => getenv('REDIS_HOST_PASSWORD')
       ],
 

kubernetes/mydata/nextcloud/app/netpol.yaml

@@ -33,12 +33,12 @@ specs:
             rules:
               dns:
                 - matchName: "nextcloud-postgres-rw.mydata.svc.cluster.local."
-                - matchName: "nextcloud-dragonfly.mydata.svc.cluster.local."
+                - matchName: "nextcloud-valkey.mydata.svc.cluster.local."
       - toEndpoints:
           - matchLabels:
               cnpg.io/cluster: nextcloud-postgres
           - matchLabels:
-              app.kubernetes.io/name: nextcloud-dragonfly
+              app.kubernetes.io/name: nextcloud-valkey
         toPorts:
           - ports:
               - protocol: TCP

kubernetes/mydata/nextcloud/app/release.yaml

@@ -64,8 +64,13 @@ spec:
                     name: *s
                     key: POSTGRES_PASSWORD
               #! the underscore is intended to by pass the annoying entrypoint.sh
-              _REDIS_HOST: nextcloud-dragonfly
+              _REDIS_HOST: nextcloud-valkey
               REDIS_HOST_PORT: 6379
+              REDIS_HOST_USERNAME:
+                valueFrom:
+                  secretKeyRef:
+                    name: *s
+                    key: REDIS_HOST_USERNAME
               REDIS_HOST_PASSWORD:
                 valueFrom:
                   secretKeyRef:

kubernetes/mydata/nextcloud/app/secret.yaml

@@ -21,6 +21,8 @@ spec:
             objectAlias: POSTGRES_USER
           - path: POSTGRES_PASSWORD
             objectAlias: POSTGRES_PASSWORD
+          - path: REDIS_HOST_USERNAME
+            objectAlias: REDIS_HOST_USERNAME
           - path: REDIS_HOST_PASSWORD
             objectAlias: REDIS_HOST_PASSWORD
   secretObjects:
@@ -35,5 +37,7 @@ spec:
           objectName: POSTGRES_USER
         - key: POSTGRES_PASSWORD
           objectName: POSTGRES_PASSWORD
+        - key: REDIS_HOST_USERNAME
+          objectName: REDIS_HOST_USERNAME
         - key: REDIS_HOST_PASSWORD
           objectName: REDIS_HOST_PASSWORD

kubernetes/mydata/nextcloud/deps/netpol.yaml

@@ -21,7 +21,7 @@ specs:
   # allow redis connection from nextcloud
   - endpointSelector:
       matchLabels:
-        app.kubernetes.io/name: nextcloud-dragonfly
+        app.kubernetes.io/name: nextcloud-valkey
     ingress:
       - fromEndpoints: *nextcloud
         toPorts:

kubernetes/mydata/nextcloud/deps/dragonfly-secret.yaml → kubernetes/mydata/nextcloud/deps/valkey-secret.yaml

@@ -4,20 +4,12 @@ apiVersion: secrets-store.csi.x-k8s.io/v1
 kind: SecretProviderClass
 metadata:
   namespace: mydata
-  name: &name nextcloud-dragonfly-secret
+  name: nextcloud-valkey-secret
 spec:
   provider: aws
   parameters:
     region: us-west-2
     objects: |
       - objectType: ssmparameter
-        objectName: /amethyst/nextcloud-dragonfly
-        jmesPath:
-          - path: DFLY_PASSWORD
-            objectAlias: DFLY_PASSWORD
-  secretObjects:
-    - secretName: *name
-      type: Opaque
-      data:
-        - key: DFLY_PASSWORD
-          objectName: DFLY_PASSWORD
+        objectName: /amethyst/nextcloud-valkey
+        objectAlias: users.acl

kubernetes/mydata/nextcloud/deps/dragonfly.yaml → kubernetes/mydata/nextcloud/deps/valkey.yaml

@@ -4,7 +4,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   namespace: mydata
-  name: nextcloud-dragonfly
+  name: nextcloud-valkey
 spec:
   chart:
     spec:
@@ -23,7 +23,7 @@ spec:
         replicas: 1
         strategy: RollingUpdate
         annotations:
-          secret.reloader.stakater.com/reload: &s nextcloud-dragonfly-secret
+          secret.reloader.stakater.com/reload: &s nextcloud-valkey-secret
         pod:
           automountServiceAccountToken: false
           securityContext:
@@ -39,27 +39,20 @@ spec:
         containers:
           main:
             image:
-              repository: ghcr.io/dragonflydb/dragonfly
-              tag: v1.26.1
+              repository: valkey/valkey
+              tag: 8.0.2-alpine
             args:
-              - --default_lua_flags=allow-undeclared-keys
-              - --dir=/data
-            env:
-              DFLY_requirepass:
-                valueFrom:
-                  secretKeyRef:
-                    name: *s
-                    key: DFLY_PASSWORD
+              - /config/valkey.conf
             resources:
               requests:
                 cpu: 100m
             probes:
               startup:
-                enabled: false
-              liveness:
-                enabled: false
+                enabled: true
               readiness:
-                enabled: false
+                enabled: true
+              liveness:
+                enabled: true
             securityContext:
               runAsNonRoot: true
               runAsUser: 65534
@@ -74,10 +67,27 @@ spec:
     serviceAccount:
       create: true
       annotations:
-        eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-nextcloud-dragonfly
+        eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-nextcloud-valkey
         eks.amazonaws.com/audience: sts.amazonaws.com
 
+    configMaps:
+      config:
+        enabled: true
+        data:
+          valkey.conf: |
+            bind * -::*
+            aclfile /secret/users.acl
+            # ACL example:
+            # user default off
+            # user {username} {permissions} {access-patterns} {on or off} >{plaintext-password}
+
     persistence:
+      config:
+        type: configMap
+        name: nextcloud-valkey-config
+        globalMounts:
+          - path: /config
+            readOnly: true
       secret:
         type: custom
         volumeSpec:
@@ -86,6 +96,9 @@ spec:
             readOnly: true
             volumeAttributes:
               secretProviderClass: *s
+        globalMounts:
+          - path: /secret
+            readOnly: true
 
     service:
       main:
@@ -94,5 +107,5 @@ spec:
         ports:
           redis:
             primary: true
-            protocol: TCP
             port: 6379
+            protocol: TCP

kubernetes/mydata/nextcloud/kustomization.yaml

@@ -20,6 +20,6 @@ resources:
   - deps/postgres-secret.yaml
   - deps/postgres-secret-holder.yaml
   - deps/postgres-sa.yaml
-  - deps/dragonfly.yaml
-  - deps/dragonfly-secret.yaml
+  - deps/valkey.yaml
+  - deps/valkey-secret.yaml
   - deps/netpol.yaml