From 4e81f90b639fba9de8d66a3e9b6b9d7bf60b969a Mon Sep 17 00:00:00 2001 From: Timtor Date: Wed, 29 Jan 2025 16:28:38 +0700 Subject: [PATCH] refactor: change dragonfly to valkey (#556) --- kubernetes/mydata/immich/app/netpol.yaml | 4 +- kubernetes/mydata/immich/app/release.yaml | 9 +++- kubernetes/mydata/immich/app/secret.yaml | 5 ++ kubernetes/mydata/immich/deps/netpol.yaml | 2 +- ...agonfly-secret.yaml => valkey-secret.yaml} | 14 ++---- .../deps/{dragonfly.yaml => valkey.yaml} | 40 +++++++++------ kubernetes/mydata/immich/kustomization.yaml | 4 +- kubernetes/mydata/nextcloud/app/config.yaml | 3 +- kubernetes/mydata/nextcloud/app/netpol.yaml | 4 +- kubernetes/mydata/nextcloud/app/release.yaml | 7 ++- kubernetes/mydata/nextcloud/app/secret.yaml | 4 ++ kubernetes/mydata/nextcloud/deps/netpol.yaml | 2 +- ...agonfly-secret.yaml => valkey-secret.yaml} | 14 ++---- .../deps/{dragonfly.yaml => valkey.yaml} | 49 ++++++++++++------- .../mydata/nextcloud/kustomization.yaml | 4 +- terraform/aws/kubernetes-irsa.tf | 36 +++++++------- 16 files changed, 115 insertions(+), 86 deletions(-) rename kubernetes/mydata/immich/deps/{dragonfly-secret.yaml => valkey-secret.yaml} (54%) rename kubernetes/mydata/immich/deps/{dragonfly.yaml => valkey.yaml} (74%) rename kubernetes/mydata/nextcloud/deps/{dragonfly-secret.yaml => valkey-secret.yaml} (53%) rename kubernetes/mydata/nextcloud/deps/{dragonfly.yaml => valkey.yaml} (70%) diff --git a/kubernetes/mydata/immich/app/netpol.yaml b/kubernetes/mydata/immich/app/netpol.yaml index a148d6c0..945ff455 100644 --- a/kubernetes/mydata/immich/app/netpol.yaml +++ b/kubernetes/mydata/immich/app/netpol.yaml 
@@ -71,12 +71,12 @@ specs: rules: dns: - matchName: "immich-postgres-rw.mydata.svc.cluster.local." - - matchName: "immich-dragonfly.mydata.svc.cluster.local." + - matchName: "immich-valkey.mydata.svc.cluster.local." - toEndpoints: - matchLabels: cnpg.io/cluster: immich-postgres - matchLabels: - app.kubernetes.io/name: immich-dragonfly + app.kubernetes.io/name: immich-valkey toPorts: - ports: - protocol: TCP diff --git a/kubernetes/mydata/immich/app/release.yaml b/kubernetes/mydata/immich/app/release.yaml index 36d6b18a..63270c26 100644 --- a/kubernetes/mydata/immich/app/release.yaml +++ b/kubernetes/mydata/immich/app/release.yaml @@ -44,13 +44,18 @@ spec: IMMICH_PORT: &p1 3001 IMMICH_MEDIA_LOCATION: &data-dir /data IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning:3003 - REDIS_HOSTNAME: immich-dragonfly DB_VECTOR_EXTENSION: pgvector DB_URL: valueFrom: secretKeyRef: name: *s key: DB_URL + REDIS_HOSTNAME: immich-valkey + REDIS_USERNAME: + valueFrom: + secretKeyRef: + name: *s + key: REDIS_USERNAME REDIS_PASSWORD: valueFrom: secretKeyRef: @@ -95,7 +100,7 @@ spec: IMMICH_WORKERS_EXCLUDE: api IMMICH_MEDIA_LOCATION: *data-dir IMMICH_MACHINE_LEARNING_URL: http://immich-machine-learning:3003 - REDIS_HOSTNAME: immich-dragonfly + REDIS_HOSTNAME: immich-valkey DB_VECTOR_EXTENSION: pgvector DB_URL: valueFrom: diff --git a/kubernetes/mydata/immich/app/secret.yaml b/kubernetes/mydata/immich/app/secret.yaml index b6db18dc..57f33fe0 100644 --- a/kubernetes/mydata/immich/app/secret.yaml +++ b/kubernetes/mydata/immich/app/secret.yaml @@ -15,13 +15,18 @@ spec: jmesPath: - path: DB_URL objectAlias: DB_URL + - path: REDIS_USERNAME + objectAlias: REDIS_USERNAME - path: REDIS_PASSWORD objectAlias: REDIS_PASSWORD + secretObjects: - secretName: *name type: Opaque data: - key: DB_URL objectName: DB_URL + - key: REDIS_USERNAME + objectName: REDIS_USERNAME - key: REDIS_PASSWORD objectName: REDIS_PASSWORD 
diff --git a/kubernetes/mydata/immich/deps/netpol.yaml b/kubernetes/mydata/immich/deps/netpol.yaml index 7cfb2650..75dd63ec 100644 --- a/kubernetes/mydata/immich/deps/netpol.yaml +++ b/kubernetes/mydata/immich/deps/netpol.yaml @@ -21,7 +21,7 @@ specs: # allow redis connection from immich - endpointSelector: matchLabels: - app.kubernetes.io/name: immich-dragonfly + app.kubernetes.io/name: immich-valkey ingress: - fromEndpoints: *immich toPorts: diff --git a/kubernetes/mydata/immich/deps/dragonfly-secret.yaml b/kubernetes/mydata/immich/deps/valkey-secret.yaml similarity index 54% rename from kubernetes/mydata/immich/deps/dragonfly-secret.yaml rename to kubernetes/mydata/immich/deps/valkey-secret.yaml index add62e09..929c9757 100644 --- a/kubernetes/mydata/immich/deps/dragonfly-secret.yaml +++ b/kubernetes/mydata/immich/deps/valkey-secret.yaml @@ -4,20 +4,12 @@ apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: namespace: mydata - name: &name immich-dragonfly-secret + name: immich-valkey-secret spec: provider: aws parameters: region: us-west-2 objects: | - objectType: ssmparameter - objectName: /amethyst/immich-dragonfly - jmesPath: - - path: DFLY_PASSWORD - objectAlias: DFLY_PASSWORD - secretObjects: - - secretName: *name - type: Opaque - data: - - key: DFLY_PASSWORD - objectName: DFLY_PASSWORD + objectName: /amethyst/immich-valkey + objectAlias: users.acl diff --git a/kubernetes/mydata/immich/deps/dragonfly.yaml b/kubernetes/mydata/immich/deps/valkey.yaml similarity index 74% rename from kubernetes/mydata/immich/deps/dragonfly.yaml rename to kubernetes/mydata/immich/deps/valkey.yaml index 8430647e..e1184530 100644 --- a/kubernetes/mydata/immich/deps/dragonfly.yaml +++ b/kubernetes/mydata/immich/deps/valkey.yaml @@ -4,7 +4,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: namespace: mydata - name: immich-dragonfly + name: immich-valkey spec: chart: spec: 
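Review bot: The rewritten `objects` entry for `/amethyst/immich-valkey` drops `objectType: ssmparameter` together with the jmesPath block, yet the new objectName is a parameter path rather than an ARN, and the AWS Secrets Store CSI provider relies on objectType to tell SSM from Secrets Manager for non-ARN names, so the mount is likely to fail to resolve the object (confirm against the provider version in the cluster). Keep the type line: `- objectName: /amethyst/immich-valkey` / `objectType: ssmparameter` / `objectAlias: users.acl`. The same omission is in kubernetes/mydata/nextcloud/deps/valkey-secret.yaml. Removing `secretObjects` also means no Kubernetes Secret named immich-valkey-secret is synced any more; only the CSI file mount remains, which suits the aclfile use but matters for anything still referencing that Secret name.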
@@ -23,7 +23,7 @@ spec: replicas: 1 strategy: RollingUpdate annotations: - secret.reloader.stakater.com/reload: &s immich-dragonfly-secret + secret.reloader.stakater.com/reload: &s immich-valkey-secret pod: automountServiceAccountToken: false securityContext: @@ -39,18 +39,10 @@ spec: containers: main: image: - repository: ghcr.io/dragonflydb/dragonfly - tag: v1.26.1 + repository: valkey/valkey + tag: 8.0.2-alpine args: - # https://github.com/immich-app/immich/issues/2542 - - --default_lua_flags=allow-undeclared-keys - - --dir=/data - env: - DFLY_requirepass: - valueFrom: - secretKeyRef: - name: *s - key: DFLY_PASSWORD + - /config/valkey.conf resources: requests: cpu: 100m @@ -75,10 +67,27 @@ spec: serviceAccount: create: true annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-immich-dragonfly + eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-immich-valkey eks.amazonaws.com/audience: sts.amazonaws.com + configMaps: + config: + enabled: true + data: + valkey.conf: | + bind * -::* + aclfile /secret/users.acl + # ACL example: + # user default off + # user {username} {permissions} {access-patterns} {on or off} >{plaintext-password} + persistence: + config: + type: configMap + name: immich-valkey-config + globalMounts: + - path: /config + readOnly: true secret: type: custom volumeSpec: @@ -87,6 +96,9 @@ spec: readOnly: true volumeAttributes: secretProviderClass: *s + globalMounts: + - path: /secret + readOnly: true service: main: diff --git a/kubernetes/mydata/immich/kustomization.yaml b/kubernetes/mydata/immich/kustomization.yaml index d913c68b..fb630ecd 100644 --- a/kubernetes/mydata/immich/kustomization.yaml +++ b/kubernetes/mydata/immich/kustomization.yaml @@ -8,8 +8,8 @@ resources: - app/pvc.yaml - app/secret.yaml - app/netpol.yaml - - deps/dragonfly-secret.yaml - - deps/dragonfly.yaml + - deps/valkey-secret.yaml + - deps/valkey.yaml - deps/postgres-secret.yaml - deps/postgres.yaml - deps/netpol.yaml 
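Review bot: The `secret.reloader.stakater.com/reload: &s immich-valkey-secret` annotation now names a Secret that nothing appears to create: the companion valkey-secret.yaml change removed the `secretObjects` sync, so `immich-valkey-secret` exists only as a SecretProviderClass (which is what the remaining `secretProviderClass: *s` reference needs) and Reloader has nothing to watch. Since Valkey reads `aclfile` only at startup or on `ACL LOAD`, a rotated ACL in SSM will not take effect until the pod is restarted by hand. Either keep a `secretObjects` entry in valkey-secret.yaml that syncs `users.acl` into a Secret of that name so the annotation fires again, or drop the annotation and note the manual restart in a comment. The same applies to kubernetes/mydata/nextcloud/deps/valkey.yaml.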
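Review bot: The removed `--dir=/data` argument has no counterpart in the new `/config/valkey.conf`, which sets only `bind` and `aclfile`, so Valkey falls back to its defaults of periodic RDB snapshots into the working directory with `stop-writes-on-bgsave-error yes`. If that directory is not writable at runtime (no writable volume is visible in this hunk and the securityContext block is outside it), the first failed snapshot makes the instance reject writes and clients only see MISCONF errors. For a cache/queue role add `save ""` to valkey.conf to disable snapshots explicitly, or add `dir /data` with a writable mount if persistence is intended. The `valkey/valkey:8.0.2-alpine` image is pinned by tag only; a digest pin would make the rollout reproducible. Same points for kubernetes/mydata/nextcloud/deps/valkey.yaml.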
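Review bot: With `DFLY_requirepass` gone, the ACL file fetched from SSM is the only authentication on port 6379, and the in-file `user default off` line is a comment, not configuration, so whether the default user is actually disabled depends entirely on the SSM parameter content; protected-mode should not be relied on here given the explicit `bind * -::*` and version-dependent behaviour. Worth stating the requirement in the comment, e.g. `# users.acl MUST contain 'user default off'; an enabled passwordless default user grants full access to every peer the netpol admits`. The example also shows `>{plaintext-password}`, but Valkey ACL files accept `#<sha256-hex>` for the credential, so the SSM parameter and the mounted file need not hold the plaintext secret at all and the comment could recommend that form. Redis-compatible servers refuse to mix `user` directives in the main config with `aclfile`, so this has to live in the SSM-held file rather than valkey.conf. Same for kubernetes/mydata/nextcloud/deps/valkey.yaml.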
diff --git a/kubernetes/mydata/nextcloud/app/config.yaml b/kubernetes/mydata/nextcloud/app/config.yaml index a01a8885..0ee7e19b 100644 --- a/kubernetes/mydata/nextcloud/app/config.yaml +++ b/kubernetes/mydata/nextcloud/app/config.yaml @@ -23,7 +23,7 @@ data: php-config.ini: | ; -- Redis session handler session.save_handler = redis - session.save_path = "tcp://${_REDIS_HOST}:${REDIS_HOST_PORT}?auth=${REDIS_HOST_PASSWORD}" + session.save_path = "tcp://${_REDIS_HOST}:${REDIS_HOST_PORT}?auth[username]=${REDIS_HOST_USERNAME}&auth[password]=${REDIS_HOST_PASSWORD}" redis.session.locking_enabled = 1 redis.session.lock_retries = -1 redis.session.lock_wait_time = 10000 @@ -51,6 +51,7 @@ data: 'redis' => [ 'host' => getenv('_REDIS_HOST'), 'port' => getenv('REDIS_HOST_PORT') ?: 6379, + 'user' => getenv('REDIS_HOST_USERNAME'), 'password' => getenv('REDIS_HOST_PASSWORD') ], diff --git a/kubernetes/mydata/nextcloud/app/netpol.yaml b/kubernetes/mydata/nextcloud/app/netpol.yaml index 2ce708b7..4fc6ac1b 100644 --- a/kubernetes/mydata/nextcloud/app/netpol.yaml +++ b/kubernetes/mydata/nextcloud/app/netpol.yaml @@ -33,12 +33,12 @@ specs: rules: dns: - matchName: "nextcloud-postgres-rw.mydata.svc.cluster.local." - - matchName: "nextcloud-dragonfly.mydata.svc.cluster.local." + - matchName: "nextcloud-valkey.mydata.svc.cluster.local." - toEndpoints: - matchLabels: cnpg.io/cluster: nextcloud-postgres - matchLabels: - app.kubernetes.io/name: nextcloud-dragonfly + app.kubernetes.io/name: nextcloud-valkey toPorts: - ports: - protocol: TCP diff --git a/kubernetes/mydata/nextcloud/app/release.yaml b/kubernetes/mydata/nextcloud/app/release.yaml index d70c685f..08becce5 100644 --- a/kubernetes/mydata/nextcloud/app/release.yaml +++ b/kubernetes/mydata/nextcloud/app/release.yaml 
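Review bot: The new `session.save_path` builds a URL query from two secret values substituted verbatim, so a username or password containing `&`, `#`, `%`, `?`, `=` or `/` would break or silently truncate the parse, and phpredis documents the session `auth` parameter as URL-encoded. Either constrain the character set when the secret is generated or URL-encode the values before they are substituted, and say so in the `; -- Redis session handler` comment. Also confirm that the phpredis build in the image accepts the `auth[username]`/`auth[password]` key names: the `Redis::auth()` array form I know uses `user`/`pass` keys (or a positional pair), so the session handler may need `auth[user]=…&auth[pass]=…` instead. The config.php addition in the second hunk, `'user' => getenv('REDIS_HOST_USERNAME')`, matches Nextcloud's redis config key.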
@@ -64,8 +64,13 @@ spec: name: *s key: POSTGRES_PASSWORD #! the underscore is intended to by pass the annoying entrypoint.sh - _REDIS_HOST: nextcloud-dragonfly + _REDIS_HOST: nextcloud-valkey REDIS_HOST_PORT: 6379 + REDIS_HOST_USERNAME: + valueFrom: + secretKeyRef: + name: *s + key: REDIS_HOST_USERNAME REDIS_HOST_PASSWORD: valueFrom: secretKeyRef: diff --git a/kubernetes/mydata/nextcloud/app/secret.yaml b/kubernetes/mydata/nextcloud/app/secret.yaml index d70a5767..64a54a0f 100644 --- a/kubernetes/mydata/nextcloud/app/secret.yaml +++ b/kubernetes/mydata/nextcloud/app/secret.yaml @@ -21,6 +21,8 @@ spec: objectAlias: POSTGRES_USER - path: POSTGRES_PASSWORD objectAlias: POSTGRES_PASSWORD + - path: REDIS_HOST_USERNAME + objectAlias: REDIS_HOST_USERNAME - path: REDIS_HOST_PASSWORD objectAlias: REDIS_HOST_PASSWORD secretObjects: @@ -35,5 +37,7 @@ spec: objectName: POSTGRES_USER - key: POSTGRES_PASSWORD objectName: POSTGRES_PASSWORD + - key: REDIS_HOST_USERNAME + objectName: REDIS_HOST_USERNAME - key: REDIS_HOST_PASSWORD objectName: REDIS_HOST_PASSWORD diff --git a/kubernetes/mydata/nextcloud/deps/netpol.yaml b/kubernetes/mydata/nextcloud/deps/netpol.yaml index 7f742fa9..2ae22de4 100644 --- a/kubernetes/mydata/nextcloud/deps/netpol.yaml +++ b/kubernetes/mydata/nextcloud/deps/netpol.yaml @@ -21,7 +21,7 @@ specs: # allow redis connection from nextcloud - endpointSelector: matchLabels: - app.kubernetes.io/name: nextcloud-dragonfly + app.kubernetes.io/name: nextcloud-valkey ingress: - fromEndpoints: *nextcloud toPorts: diff --git a/kubernetes/mydata/nextcloud/deps/dragonfly-secret.yaml b/kubernetes/mydata/nextcloud/deps/valkey-secret.yaml similarity index 53% rename from kubernetes/mydata/nextcloud/deps/dragonfly-secret.yaml rename to kubernetes/mydata/nextcloud/deps/valkey-secret.yaml index ac1ccf8c..bdb82dee 100644 --- a/kubernetes/mydata/nextcloud/deps/dragonfly-secret.yaml +++ b/kubernetes/mydata/nextcloud/deps/valkey-secret.yaml 
@@ -4,20 +4,12 @@ apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: namespace: mydata - name: &name nextcloud-dragonfly-secret + name: nextcloud-valkey-secret spec: provider: aws parameters: region: us-west-2 objects: | - objectType: ssmparameter - objectName: /amethyst/nextcloud-dragonfly - jmesPath: - - path: DFLY_PASSWORD - objectAlias: DFLY_PASSWORD - secretObjects: - - secretName: *name - type: Opaque - data: - - key: DFLY_PASSWORD - objectName: DFLY_PASSWORD + objectName: /amethyst/nextcloud-valkey + objectAlias: users.acl diff --git a/kubernetes/mydata/nextcloud/deps/dragonfly.yaml b/kubernetes/mydata/nextcloud/deps/valkey.yaml similarity index 70% rename from kubernetes/mydata/nextcloud/deps/dragonfly.yaml rename to kubernetes/mydata/nextcloud/deps/valkey.yaml index c7500196..163b548f 100644 --- a/kubernetes/mydata/nextcloud/deps/dragonfly.yaml +++ b/kubernetes/mydata/nextcloud/deps/valkey.yaml @@ -4,7 +4,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: namespace: mydata - name: nextcloud-dragonfly + name: nextcloud-valkey spec: chart: spec: @@ -23,7 +23,7 @@ spec: replicas: 1 strategy: RollingUpdate annotations: - secret.reloader.stakater.com/reload: &s nextcloud-dragonfly-secret + secret.reloader.stakater.com/reload: &s nextcloud-valkey-secret pod: automountServiceAccountToken: false securityContext: @@ -39,27 +39,20 @@ spec: containers: main: image: - repository: ghcr.io/dragonflydb/dragonfly - tag: v1.26.1 + repository: valkey/valkey + tag: 8.0.2-alpine args: - - --default_lua_flags=allow-undeclared-keys - - --dir=/data - env: - DFLY_requirepass: - valueFrom: - secretKeyRef: - name: *s - key: DFLY_PASSWORD + - /config/valkey.conf resources: requests: cpu: 100m probes: startup: - enabled: false - liveness: - enabled: false + enabled: true readiness: - enabled: false + enabled: true + liveness: + enabled: true securityContext: runAsNonRoot: true runAsUser: 65534 
@@ -74,10 +67,27 @@ spec: serviceAccount: create: true annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-nextcloud-dragonfly + eks.amazonaws.com/role-arn: arn:aws:iam::262264826613:role/amethyst-nextcloud-valkey eks.amazonaws.com/audience: sts.amazonaws.com + configMaps: + config: + enabled: true + data: + valkey.conf: | + bind * -::* + aclfile /secret/users.acl + # ACL example: + # user default off + # user {username} {permissions} {access-patterns} {on or off} >{plaintext-password} + persistence: + config: + type: configMap + name: nextcloud-valkey-config + globalMounts: + - path: /config + readOnly: true secret: type: custom volumeSpec: @@ -86,6 +96,9 @@ spec: readOnly: true volumeAttributes: secretProviderClass: *s + globalMounts: + - path: /secret + readOnly: true service: main: @@ -94,5 +107,5 @@ spec: ports: redis: primary: true - protocol: TCP port: 6379 + protocol: TCP diff --git a/kubernetes/mydata/nextcloud/kustomization.yaml b/kubernetes/mydata/nextcloud/kustomization.yaml index 824afdc3..f54c3b9a 100644 --- a/kubernetes/mydata/nextcloud/kustomization.yaml +++ b/kubernetes/mydata/nextcloud/kustomization.yaml @@ -20,6 +20,6 @@ resources: - deps/postgres-secret.yaml - deps/postgres-secret-holder.yaml - deps/postgres-sa.yaml - - deps/dragonfly.yaml - - deps/dragonfly-secret.yaml + - deps/valkey.yaml + - deps/valkey-secret.yaml - deps/netpol.yaml diff --git a/terraform/aws/kubernetes-irsa.tf b/terraform/aws/kubernetes-irsa.tf index c6d9560a..a75c0923 100644 --- a/terraform/aws/kubernetes-irsa.tf +++ b/terraform/aws/kubernetes-irsa.tf 
@@ -731,8 +731,8 @@ resource "aws_iam_role_policy_attachment" "nextcloud-postgres-secret-holder" { policy_arn = aws_iam_policy.nextcloud-postgres-secret-holder.arn } -resource "aws_iam_role" "nextcloud-dragonfly" { - name = "${local.project}-nextcloud-dragonfly" +resource "aws_iam_role" "nextcloud-valkey" { + name = "${local.project}-nextcloud-valkey" assume_role_policy = jsonencode({ "Version" : "2012-10-17", "Statement" : [ @@ -744,7 +744,7 @@ resource "aws_iam_role" "nextcloud-dragonfly" { "Action" : "sts:AssumeRoleWithWebIdentity", "Condition" : { "StringEquals" : { - "${aws_iam_openid_connect_provider.kubernetes-oidc.url}:sub" : "system:serviceaccount:mydata:nextcloud-dragonfly", + "${aws_iam_openid_connect_provider.kubernetes-oidc.url}:sub" : "system:serviceaccount:mydata:nextcloud-valkey", "${aws_iam_openid_connect_provider.kubernetes-oidc.url}:aud" : "sts.amazonaws.com" } } @@ -753,8 +753,8 @@ resource "aws_iam_role" "nextcloud-dragonfly" { }) } -resource "aws_iam_policy" "nextcloud-dragonfly" { - name = "${local.project}-nextcloud-dragonfly" +resource "aws_iam_policy" "nextcloud-valkey" { + name = "${local.project}-nextcloud-valkey" policy = jsonencode({ "Version" : "2012-10-17", "Statement" : [ @@ -762,16 +762,16 @@ resource "aws_iam_policy" "nextcloud-dragonfly" { "Action" : "ssm:GetParameters", "Effect" : "Allow", "Resource" : [ - "arn:aws:ssm:${data.aws_region.main.name}:${data.aws_caller_identity.main.account_id}:parameter/amethyst/nextcloud-dragonfly" + "arn:aws:ssm:${data.aws_region.main.name}:${data.aws_caller_identity.main.account_id}:parameter/amethyst/nextcloud-valkey" ] } ] }) } -resource "aws_iam_role_policy_attachment" "nextcloud-dragonfly" { - role = aws_iam_role.nextcloud-dragonfly.name - policy_arn = aws_iam_policy.nextcloud-dragonfly.arn +resource "aws_iam_role_policy_attachment" "nextcloud-valkey" { + role = aws_iam_role.nextcloud-valkey.name + policy_arn = aws_iam_policy.nextcloud-valkey.arn } resource "aws_iam_role" "vaultwarden" { 
@@ -1075,8 +1075,8 @@ resource "aws_iam_role_policy_attachment" "immich-postgres-secret-holder" { policy_arn = aws_iam_policy.immich-postgres-secret-holder.arn } -resource "aws_iam_role" "immich-dragonfly" { - name = "${local.project}-immich-dragonfly" +resource "aws_iam_role" "immich-valkey" { + name = "${local.project}-immich-valkey" assume_role_policy = jsonencode({ "Version" : "2012-10-17", "Statement" : [ @@ -1088,7 +1088,7 @@ resource "aws_iam_role" "immich-dragonfly" { "Action" : "sts:AssumeRoleWithWebIdentity", "Condition" : { "StringEquals" : { - "${aws_iam_openid_connect_provider.kubernetes-oidc.url}:sub" : "system:serviceaccount:mydata:immich-dragonfly", + "${aws_iam_openid_connect_provider.kubernetes-oidc.url}:sub" : "system:serviceaccount:mydata:immich-valkey", "${aws_iam_openid_connect_provider.kubernetes-oidc.url}:aud" : "sts.amazonaws.com" } } @@ -1097,8 +1097,8 @@ resource "aws_iam_role" "immich-dragonfly" { }) } -resource "aws_iam_policy" "immich-dragonfly" { - name = "${local.project}-immich-dragonfly" +resource "aws_iam_policy" "immich-valkey" { + name = "${local.project}-immich-valkey" policy = jsonencode({ "Version" : "2012-10-17", "Statement" : [ @@ -1106,16 +1106,16 @@ resource "aws_iam_policy" "immich-dragonfly" { "Action" : "ssm:GetParameters", "Effect" : "Allow", "Resource" : [ - "arn:aws:ssm:${data.aws_region.main.name}:${data.aws_caller_identity.main.account_id}:parameter/amethyst/immich-dragonfly" + "arn:aws:ssm:${data.aws_region.main.name}:${data.aws_caller_identity.main.account_id}:parameter/amethyst/immich-valkey" ] } ] }) } -resource "aws_iam_role_policy_attachment" "immich-dragonfly" { - role = aws_iam_role.immich-dragonfly.name - policy_arn = aws_iam_policy.immich-dragonfly.arn +resource "aws_iam_role_policy_attachment" "immich-valkey" { + role = aws_iam_role.immich-valkey.name + policy_arn = aws_iam_policy.immich-valkey.arn } resource "aws_iam_role" "miniflux" {