diff --git a/apps/components/kustomization.yaml b/apps/components/kustomization.yaml
index 413c01e99..3a37d4c58 100644
--- a/apps/components/kustomization.yaml
+++ b/apps/components/kustomization.yaml
@@ -10,5 +10,6 @@ resources:
   - rabbitmq-cluster.yaml
   - memcached.yaml
   - postgres-db.yaml
+  - nautobot-redis.yaml
   - nautobot.yaml
   - keystone.yaml
diff --git a/apps/components/nautobot-redis.yaml b/apps/components/nautobot-redis.yaml
new file mode 100644
index 000000000..b3aef3bb3
--- /dev/null
+++ b/apps/components/nautobot-redis.yaml
@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nautobot-redis
+spec:
+  project: understack
+  source:
+    repoURL: https://github.com/rackerlabs/understack.git
+    path: components/08-nautobot-redis/
+    targetRevision: HEAD
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: nautobot
+  syncPolicy:
+    automated:
+      selfHeal: true
diff --git a/components/01-secrets/README.md b/components/01-secrets/README.md
index 58eb7ff34..ee65d9e9f 100644
--- a/components/01-secrets/README.md
+++ b/components/01-secrets/README.md
@@ -48,7 +48,6 @@ kubectl --namespace nautobot \
   --dry-run \
   -o yaml \
   --type Opaque \
-  --from-literal=NAUTOBOT_REDIS_PASSWORD="$(./scripts/pwgen.sh)" \
   --from-literal=NAUTOBOT_SECRET_KEY="$(./scripts/pwgen.sh)" \
   --from-literal=NAUTOBOT_SUPERUSER_API_TOKEN="$(./scripts/pwgen.sh)" \
   --from-literal=NAUTOBOT_SUPERUSER_PASSWORD="$(./scripts/pwgen.sh)" \
@@ -59,7 +58,7 @@ kubectl --namespace nautobot \
   --dry-run \
   -o yaml \
   --type Opaque \
-  --from-literal=redis-password="$(yq e '.data.NAUTOBOT_REDIS_PASSWORD' secret-nautobot-env.yaml | base64 -d)" \
+  --from-literal=redis-password="$(./scripts/pwgen.sh)" \
   > secret-nautobot-redis.yaml
 ```
diff --git a/components/08-nautobot-redis/kustomization.yaml b/components/08-nautobot-redis/kustomization.yaml
new file mode 100644
index 000000000..178ea0c64
--- /dev/null
+++ b/components/08-nautobot-redis/kustomization.yaml
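Review bot: The new Application's `syncPolicy.automated` sets `selfHeal: true` but not `prune: true`, so anything that later drops out of the chart render lingers in the `nautobot` namespace; the sibling Applications presumably make the same choice, but it deserves an explicit decision here because this chart is being swapped in for objects that another Application still owns. Those objects keep their names (`nautobot-redis-master`, `nautobot-redis-headless`, the three ConfigMaps), yet the StatefulSet removed from nautobot-helm_2.0.5-plus-password-ref.yaml selected on `app.kubernetes.io/instance: nautobot`, and a release named `nautobot-redis` will presumably stamp `app.kubernetes.io/instance: nautobot-redis` instead; `spec.selector` on a StatefulSet is immutable, so the first sync of this Application fails on that object unless the nautobot Application has pruned it (or it is deleted by hand) first. Until that happens Argo CD will also report the objects as shared between the two Applications. The existing `redis-data` claim for ordinal 0 survives deletion of the old StatefulSet and, with the same StatefulSet name and (presumably) the same claim template name, should re-attach — a sentence in the commit message describing the cut-over order would save the operator a surprise.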
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+helmGlobals:
+  chartHome: ../../charts/
+helmCharts:
+- name: redis
+  includeCRDs: true
+  namespace: nautobot
+  valuesFile: values.yaml
+  releaseName: nautobot-redis
+  version: 18.12.1
+  repo: https://charts.bitnami.com/bitnami
diff --git a/components/08-nautobot-redis/values.yaml b/components/08-nautobot-redis/values.yaml
new file mode 100644
index 000000000..7e9692413
--- /dev/null
+++ b/components/08-nautobot-redis/values.yaml
@@ -0,0 +1,3 @@
+auth:
+  existingSecret: nautobot-redis
+  existingSecretPasswordKey: redis-password
diff --git a/components/09-nautobot/kustomization.yaml b/components/09-nautobot/kustomization.yaml
index ee5db1072..425b52865 100644
--- a/components/09-nautobot/kustomization.yaml
+++ b/components/09-nautobot/kustomization.yaml
@@ -2,9 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 
-# the redis chart that Nautobot brings doesn't create this serviceaccount
 resources:
-  - redis-sa.yaml
 # the hack for the helm chart rendered this manually from the branch with
 # the following command:
 # helm template -n nautobot nautobot ./ -f values.yaml > nautobot-helm_2.0.5-plus-password-ref.yaml
diff --git a/components/09-nautobot/nautobot-helm_2.0.5-plus-password-ref.yaml b/components/09-nautobot/nautobot-helm_2.0.5-plus-password-ref.yaml
index 74ea8ddc7..45c18e349 100644
--- a/components/09-nautobot/nautobot-helm_2.0.5-plus-password-ref.yaml
+++ b/components/09-nautobot/nautobot-helm_2.0.5-plus-password-ref.yaml
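Review bot: The `helmCharts` entry is written flush (`- name: redis` in the same column as `helmCharts:`) while `apps/components/kustomization.yaml` in this same commit indents its list items (`  - nautobot-redis.yaml`); pick one sequence style for the repository's kustomizations. Pinning `version: 18.12.1` is right, but with `repo:` pointing at the public Bitnami index the chart is fetched into `chartHome: ../../charts/` at build time, so every render depends on that index still serving 18.12.1; committing the pulled chart under `charts/` (or recording its digest) would make the render reproducible and independent of the upstream index. If Argo CD is not already building the other components with `--enable-helm` in its kustomize build options, this Application will need that too — presumably the sibling components already rely on it.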
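Review bot: values.yaml sets only `auth`, so the chart's `architecture` is left at the Bitnami default, which is `replication` (a master StatefulSet plus replica pods, each with its own claim); the rendering this commit deletes from nautobot-helm_2.0.5-plus-password-ref.yaml ran a single `nautobot-redis-master` StatefulSet with `replicas: 1` and no replica StatefulSet. Nautobot is pointed at `nautobot-redis-master` only, so replicas would add pods and storage that nothing reads; `architecture: standalone` at the top level of this file keeps the previous footprint — confirm against the chart's values before merging. It is also worth stating `master.persistence.size` explicitly (the removed claim requested `"8Gi"`) so a chart-default change cannot silently alter the volume request on the next re-render.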
@@ -13,175 +13,6 @@ metadata: app.kubernetes.io/version: "2.0.5" automountServiceAccountToken: false --- -# Source: nautobot/charts/redis/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: nautobot-redis-configuration - namespace: "nautobot" - labels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.9.0 -data: - redis.conf: |- - # User-supplied common configuration: - # Enable AOF https://redis.io/topics/persistence#append-only-file - appendonly yes - # Disable RDB persistence, AOF persistence already enabled. - save "" - # End of common configuration - master.conf: |- - dir /data - # User-supplied master configuration: - # End of master configuration - replica.conf: |- - dir /data - # User-supplied replica configuration: - rename-command FLUSHDB "" - rename-command FLUSHALL "" - # End of replica configuration ---- -# Source: nautobot/charts/redis/templates/health-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: nautobot-redis-health - namespace: "nautobot" - labels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.9.0 -data: - ping_readiness_local.sh: |- - #!/bin/bash - - [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" - [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" - response=$( - timeout -s 15 $1 \ - redis-cli \ - -h localhost \ - -p $REDIS_PORT \ - ping - ) - if [ "$?" 
-eq "124" ]; then - echo "Timed out" - exit 1 - fi - if [ "$response" != "PONG" ]; then - echo "$response" - exit 1 - fi - ping_liveness_local.sh: |- - #!/bin/bash - - [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" - [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" - response=$( - timeout -s 15 $1 \ - redis-cli \ - -h localhost \ - -p $REDIS_PORT \ - ping - ) - if [ "$?" -eq "124" ]; then - echo "Timed out" - exit 1 - fi - responseFirstWord=$(echo $response | head -n1 | awk '{print $1;}') - if [ "$response" != "PONG" ] && [ "$responseFirstWord" != "LOADING" ] && [ "$responseFirstWord" != "MASTERDOWN" ]; then - echo "$response" - exit 1 - fi - ping_readiness_master.sh: |- - #!/bin/bash - - [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" - [[ -n "$REDIS_MASTER_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" - response=$( - timeout -s 15 $1 \ - redis-cli \ - -h $REDIS_MASTER_HOST \ - -p $REDIS_MASTER_PORT_NUMBER \ - ping - ) - if [ "$?" -eq "124" ]; then - echo "Timed out" - exit 1 - fi - if [ "$response" != "PONG" ]; then - echo "$response" - exit 1 - fi - ping_liveness_master.sh: |- - #!/bin/bash - - [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" - [[ -n "$REDIS_MASTER_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" - response=$( - timeout -s 15 $1 \ - redis-cli \ - -h $REDIS_MASTER_HOST \ - -p $REDIS_MASTER_PORT_NUMBER \ - ping - ) - if [ "$?" -eq "124" ]; then - echo "Timed out" - exit 1 - fi - responseFirstWord=$(echo $response | head -n1 | awk '{print $1;}') - if [ "$response" != "PONG" ] && [ "$responseFirstWord" != "LOADING" ]; then - echo "$response" - exit 1 - fi - ping_readiness_local_and_master.sh: |- - script_dir="$(dirname "$0")" - exit_status=0 - "$script_dir/ping_readiness_local.sh" $1 || exit_status=$? 
- "$script_dir/ping_readiness_master.sh" $1 || exit_status=$? - exit $exit_status - ping_liveness_local_and_master.sh: |- - script_dir="$(dirname "$0")" - exit_status=0 - "$script_dir/ping_liveness_local.sh" $1 || exit_status=$? - "$script_dir/ping_liveness_master.sh" $1 || exit_status=$? - exit $exit_status ---- -# Source: nautobot/charts/redis/templates/scripts-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: nautobot-redis-scripts - namespace: "nautobot" - labels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.9.0 -data: - start-master.sh: | - #!/bin/bash - - [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" - if [[ -f /opt/bitnami/redis/mounted-etc/master.conf ]];then - cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf - fi - if [[ -f /opt/bitnami/redis/mounted-etc/redis.conf ]];then - cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf - fi - ARGS=("--port" "${REDIS_PORT}") - ARGS+=("--requirepass" "${REDIS_PASSWORD}") - ARGS+=("--masterauth" "${REDIS_PASSWORD}") - ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") - ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf") - exec redis-server "${ARGS[@]}" ---- # Source: nautobot/templates/configmap.yaml apiVersion: v1 kind: ConfigMap 
@@ -363,58 +194,6 @@ data: } } --- -# Source: nautobot/charts/redis/templates/headless-svc.yaml -apiVersion: v1 -kind: Service -metadata: - name: nautobot-redis-headless - namespace: "nautobot" - labels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.9.0 - annotations: - -spec: - type: ClusterIP - clusterIP: None - ports: - - name: tcp-redis - port: 6379 - targetPort: redis - selector: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/name: redis ---- -# Source: nautobot/charts/redis/templates/master/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: nautobot-redis-master - namespace: "nautobot" - labels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.9.0 - app.kubernetes.io/component: master -spec: - type: ClusterIP - internalTrafficPolicy: Cluster - sessionAffinity: None - ports: - - name: tcp-redis - port: 6379 - targetPort: redis - nodePort: null - selector: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/name: redis - app.kubernetes.io/component: master ---- # Source: nautobot/templates/service.yaml apiVersion: v1 kind: Service @@ -525,6 +304,11 @@ spec: secretKeyRef: name: nautobot-pguser-nautobot key: password + - name: NAUTOBOT_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: nautobot-redis + key: redis-password envFrom: - configMapRef: name: nautobot-env @@ -631,6 +415,11 @@ spec: secretKeyRef: name: nautobot-pguser-nautobot key: password + - name: NAUTOBOT_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: nautobot-redis + key: redis-password envFrom: - configMapRef: name: nautobot-env 
@@ -727,6 +516,11 @@ spec: secretKeyRef: name: nautobot-pguser-nautobot key: password + - name: NAUTOBOT_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: nautobot-redis + key: redis-password envFrom: - configMapRef: name: nautobot-env @@ -773,6 +567,11 @@ spec: secretKeyRef: name: nautobot-pguser-nautobot key: password + - name: NAUTOBOT_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: nautobot-redis + key: redis-password envFrom: - configMapRef: name: nautobot-env 
@@ -827,181 +626,6 @@ spec: configMap: name: nautobot-config --- -# Source: nautobot/charts/redis/templates/master/application.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: nautobot-redis-master - namespace: "nautobot" - labels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.9.0 - app.kubernetes.io/component: master -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/name: redis - app.kubernetes.io/component: master - serviceName: nautobot-redis-headless - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.9.0 - app.kubernetes.io/component: master - annotations: - checksum/configmap: e888d0f18b05c7bd70a8c6ee0ee303f66b2775fd57390463254884461a8cdf6c - checksum/health: aff24913d801436ea469d8d374b2ddb3ec4c43ee7ab24663d5f8ff1a1b6991a9 - checksum/scripts: 560c33ff34d845009b51830c332aa05fa211444d1877d3526d3599be7543aaa5 - checksum/secret: 27ae699f02090654b5f07831cdb0fbfa2dfd0aa3a232d4b0006457aaf361b679 - spec: - - securityContext: - fsGroup: 1001 - fsGroupChangePolicy: Always - seccompProfile: - type: RuntimeDefault - supplementalGroups: [] - sysctls: [] - serviceAccountName: nautobot-redis-master - automountServiceAccountToken: false - affinity: - podAffinity: - - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/name: redis - app.kubernetes.io/component: master - topologyKey: kubernetes.io/hostname - weight: 1 - nodeAffinity: - - enableServiceLinks: true - terminationGracePeriodSeconds: 30 - containers: - - name: redis - image: 
docker.io/bitnami/redis:7.2.4-debian-11-r2 - imagePullPolicy: "Always" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 0 - runAsNonRoot: true - runAsUser: 1001 - seccompProfile: - type: RuntimeDefault - command: - - /bin/bash - args: - - -c - - /opt/bitnami/scripts/start-scripts/start-master.sh - env: - - name: BITNAMI_DEBUG - value: "false" - - name: REDIS_REPLICATION_MODE - value: master - - name: ALLOW_EMPTY_PASSWORD - value: "no" - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: nautobot-redis - key: redis-password - - name: REDIS_TLS_ENABLED - value: "no" - - name: REDIS_PORT - value: "6379" - ports: - - name: redis - containerPort: 6379 - livenessProbe: - initialDelaySeconds: 20 - periodSeconds: 5 - # One second longer than command timeout should prevent generation of zombie processes. - timeoutSeconds: 6 - successThreshold: 1 - failureThreshold: 5 - exec: - command: - - sh - - -c - - /health/ping_liveness_local.sh 5 - readinessProbe: - initialDelaySeconds: 20 - periodSeconds: 5 - timeoutSeconds: 2 - successThreshold: 1 - failureThreshold: 5 - exec: - command: - - sh - - -c - - /health/ping_readiness_local.sh 1 - resources: - limits: {} - requests: {} - volumeMounts: - - name: start-scripts - mountPath: /opt/bitnami/scripts/start-scripts - - name: health - mountPath: /health - - name: redis-data - mountPath: /data - - name: config - mountPath: /opt/bitnami/redis/mounted-etc - - name: redis-tmp-conf - mountPath: /opt/bitnami/redis/etc/ - - name: tmp - mountPath: /tmp - volumes: - - name: start-scripts - configMap: - name: nautobot-redis-scripts - defaultMode: 0755 - - name: health - configMap: - name: nautobot-redis-health - defaultMode: 0755 - - name: config - configMap: - name: nautobot-redis-configuration - - name: redis-tmp-conf - emptyDir: {} - - name: tmp - emptyDir: {} - volumeClaimTemplates: - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: 
redis-data - labels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/name: redis - app.kubernetes.io/component: master - spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "8Gi" ---- # Source: nautobot/templates/tests/test-connection.yaml apiVersion: v1 kind: Pod diff --git a/components/09-nautobot/redis-sa.yaml b/components/09-nautobot/redis-sa.yaml deleted file mode 100644 index cd8dc8c00..000000000 --- a/components/09-nautobot/redis-sa.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nautobot-redis-master diff --git a/components/09-nautobot/values.yaml b/components/09-nautobot/values.yaml index 70eefddef..3267f79d9 100644 --- a/components/09-nautobot/values.yaml +++ b/components/09-nautobot/values.yaml @@ -12,6 +12,11 @@ nautobot: existingSecret: "nautobot-pguser-nautobot" existingSecretPasswordKey: "password" + redis: + host: "nautobot-redis-master" + existingSecret: "nautobot-redis" + existingSecretPasswordKey: "redis-password" + celery: replicaCount: 1 @@ -19,6 +24,4 @@ postgresql: enabled: false redis: - enabled: true - auth: - password: "change-me" + enabled: false
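Review bot: `redis.host: "nautobot-redis-master"` is a bare service name, so it resolves only because the nautobot-redis Application is pinned to the same `namespace: nautobot`; a comment such as `# served by components/08-nautobot-redis (release nautobot-redis); use the FQDN if the namespaces ever diverge` would make that coupling visible to the next reader. The hand-edited render in nautobot-helm_2.0.5-plus-password-ref.yaml now has to stay in step with these values: with `redis.enabled: false` the `helm template` command quoted in components/09-nautobot/kustomization.yaml should drop the subchart objects and, presumably, emit the `NAUTOBOT_REDIS_PASSWORD` references from `existingSecret` by itself, so regenerating that file instead of editing it by hand would let a reviewer verify the two hunks agree.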