From 82dbc9c9e1e7e041d549c22125896d765cda3243 Mon Sep 17 00:00:00 2001
From: Doug Goldstein
Date: Sat, 3 Feb 2024 20:56:51 -0600
Subject: [PATCH] feat: separate out Redis from the Nautobot deploy

The Nautobot chart shouldn't deploy its own copy of Redis so break that out. This simplifies secret handling of the Redis password by the Nautobot chart as well. The service account is properly created by the Redis chart as well so that can be removed.
---
 apps/components/kustomization.yaml | 1 +
 apps/components/nautobot-redis.yaml | 16 +
 components/01-secrets/README.md | 3 +-
 .../08-nautobot-redis/kustomization.yaml | 14 +
 components/08-nautobot-redis/values.yaml | 3 +
 components/09-nautobot/kustomization.yaml | 2 -
 ...nautobot-helm_2.0.5-plus-password-ref.yaml | 416 +----------------
 components/09-nautobot/redis-sa.yaml | 5 -
 components/09-nautobot/values.yaml | 9 +-
 9 files changed, 61 insertions(+), 408 deletions(-)
 create mode 100644 apps/components/nautobot-redis.yaml
 create mode 100644 components/08-nautobot-redis/kustomization.yaml
 create mode 100644 components/08-nautobot-redis/values.yaml
 delete mode 100644 components/09-nautobot/redis-sa.yaml
diff --git a/apps/components/kustomization.yaml b/apps/components/kustomization.yaml
index 413c01e99..3a37d4c58 100644
--- a/apps/components/kustomization.yaml
+++ b/apps/components/kustomization.yaml
@@ -10,5 +10,6 @@ resources:
 - rabbitmq-cluster.yaml
 - memcached.yaml
 - postgres-db.yaml
+ - nautobot-redis.yaml
 - nautobot.yaml
 - keystone.yaml
diff --git a/apps/components/nautobot-redis.yaml b/apps/components/nautobot-redis.yaml
new file mode 100644
index 000000000..b3aef3bb3
--- /dev/null
+++ b/apps/components/nautobot-redis.yaml
@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: nautobot-redis
+spec:
+ project: understack
+ source:
+ repoURL: https://github.com/rackerlabs/understack.git
+ path: components/08-nautobot-redis/
+ targetRevision: HEAD
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: nautobot
+ syncPolicy:
+ automated:
+ selfHeal: true
diff --git a/components/01-secrets/README.md b/components/01-secrets/README.md
index 58eb7ff34..ee65d9e9f 100644
--- a/components/01-secrets/README.md
+++ b/components/01-secrets/README.md
@@ -48,7 +48,6 @@ kubectl --namespace nautobot \
 --dry-run \
 -o yaml \
 --type Opaque \
- --from-literal=NAUTOBOT_REDIS_PASSWORD="$(./scripts/pwgen.sh)" \
 --from-literal=NAUTOBOT_SECRET_KEY="$(./scripts/pwgen.sh)" \
 --from-literal=NAUTOBOT_SUPERUSER_API_TOKEN="$(./scripts/pwgen.sh)" \
 --from-literal=NAUTOBOT_SUPERUSER_PASSWORD="$(./scripts/pwgen.sh)" \
@@ -59,7 +58,7 @@ kubectl --namespace nautobot \
 --dry-run \
 -o yaml \
 --type Opaque \
- --from-literal=redis-password="$(yq e '.data.NAUTOBOT_REDIS_PASSWORD' secret-nautobot-env.yaml | base64 -d)" \
+ --from-literal=redis-password="$(./scripts/pwgen.sh)" \
 > secret-nautobot-redis.yaml
 ```
diff --git a/components/08-nautobot-redis/kustomization.yaml b/components/08-nautobot-redis/kustomization.yaml
new file mode 100644
index 000000000..178ea0c64
--- /dev/null
+++ b/components/08-nautobot-redis/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+helmGlobals:
+ chartHome: ../../charts/
+helmCharts:
+- name: redis
+ includeCRDs: true
+ namespace: nautobot
+ valuesFile: values.yaml
+ releaseName: nautobot-redis
+ version: 18.12.1
+ repo: https://charts.bitnami.com/bitnami
diff --git a/components/08-nautobot-redis/values.yaml b/components/08-nautobot-redis/values.yaml
new file mode 100644
index 000000000..7e9692413
--- /dev/null
+++ b/components/08-nautobot-redis/values.yaml
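Review bot: `targetRevision: HEAD` together with `automated.selfHeal: true` makes this Application roll out whatever lands on the repository's default branch, with no pin to a reviewed revision; if the sibling Applications listed in apps/components/kustomization.yaml pin a branch or tag, this one should match them, and if tracking HEAD is intended a comment such as `targetRevision: HEAD  # intentionally tracks the default branch` would make that explicit. `automated` also omits `prune`, so resources later dropped from components/08-nautobot-redis stay in the cluster until removed by hand. Nothing orders this Application before `nautobot`, which now points at the `nautobot-redis-master` Service; if the repo relies on Argo CD sync waves for ordering, an `argocd.argoproj.io/sync-wave` annotation here would record that dependency.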
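Review bot: `version: 18.12.1` in the 08-nautobot-redis kustomization is a newer Redis chart than the rendered copy being removed from components/09-nautobot, whose labels read `helm.sh/chart: redis-18.9.0`, so the commit also upgrades Redis as a side effect the message does not mention; a comment such as `version: 18.12.1  # was redis-18.9.0 when bundled by the nautobot chart` would record that. The `helmCharts` sequence is written flush (`- name: redis` at the key's indent) while the other sequences in this commit are indented, which yamllint's indentation rule will flag unless one style is chosen repo-wide. `includeCRDs: true` looks copied from another component; as far as I know the bitnami redis chart ships no CRDs, so the key can be dropped to avoid implying otherwise.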
@@ -0,0 +1,3 @@
+auth:
+ existingSecret: nautobot-redis
+ existingSecretPasswordKey: redis-password
diff --git a/components/09-nautobot/kustomization.yaml b/components/09-nautobot/kustomization.yaml
index ee5db1072..425b52865 100644
--- a/components/09-nautobot/kustomization.yaml
+++ b/components/09-nautobot/kustomization.yaml
@@ -2,9 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-# the redis chart that Nautobot brings doesn't create this serviceaccount
 resources:
- - redis-sa.yaml
 # the hack for the helm chart rendered this manually from the branch with
 # the following command:
 # helm template -n nautobot nautobot ./ -f values.yaml > nautobot-helm_2.0.5-plus-password-ref.yaml
diff --git a/components/09-nautobot/nautobot-helm_2.0.5-plus-password-ref.yaml b/components/09-nautobot/nautobot-helm_2.0.5-plus-password-ref.yaml
index 74ea8ddc7..45c18e349 100644
--- a/components/09-nautobot/nautobot-helm_2.0.5-plus-password-ref.yaml
+++ b/components/09-nautobot/nautobot-helm_2.0.5-plus-password-ref.yaml
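Review bot: values.yaml sets only `auth.existingSecret` and `auth.existingSecretPasswordKey`, so every other chart default applies, including the topology; the bitnami redis chart defaults, if I recall correctly, to `architecture: replication` (a master plus replicas), whereas the manifest being removed from components/09-nautobot rendered a single master StatefulSet with `REDIS_REPLICATION_MODE: master`. If one instance is what is wanted, add `architecture: standalone` so the new deployment matches the footprint being replaced, and state it in a comment either way so the next reader knows it was a choice. The file also lacks the `---` document start that the sibling kustomization.yaml in this commit uses.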
@@ -13,175 +13,6 @@ metadata: app.kubernetes.io/version: "2.0.5" automountServiceAccountToken: false --- -# Source: nautobot/charts/redis/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: nautobot-redis-configuration - namespace: "nautobot" - labels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.9.0 -data: - redis.conf: |- - # User-supplied common configuration: - # Enable AOF https://redis.io/topics/persistence#append-only-file - appendonly yes - # Disable RDB persistence, AOF persistence already enabled. - save "" - # End of common configuration - master.conf: |- - dir /data - # User-supplied master configuration: - # End of master configuration - replica.conf: |- - dir /data - # User-supplied replica configuration: - rename-command FLUSHDB "" - rename-command FLUSHALL "" - # End of replica configuration ---- -# Source: nautobot/charts/redis/templates/health-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: nautobot-redis-health - namespace: "nautobot" - labels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.9.0 -data: - ping_readiness_local.sh: |- - #!/bin/bash - - [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" - [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" - response=$( - timeout -s 15 $1 \ - redis-cli \ - -h localhost \ - -p $REDIS_PORT \ - ping - ) - if [ "$?" 
-eq "124" ]; then - echo "Timed out" - exit 1 - fi - if [ "$response" != "PONG" ]; then - echo "$response" - exit 1 - fi - ping_liveness_local.sh: |- - #!/bin/bash - - [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" - [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD" - response=$( - timeout -s 15 $1 \ - redis-cli \ - -h localhost \ - -p $REDIS_PORT \ - ping - ) - if [ "$?" -eq "124" ]; then - echo "Timed out" - exit 1 - fi - responseFirstWord=$(echo $response | head -n1 | awk '{print $1;}') - if [ "$response" != "PONG" ] && [ "$responseFirstWord" != "LOADING" ] && [ "$responseFirstWord" != "MASTERDOWN" ]; then - echo "$response" - exit 1 - fi - ping_readiness_master.sh: |- - #!/bin/bash - - [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" - [[ -n "$REDIS_MASTER_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" - response=$( - timeout -s 15 $1 \ - redis-cli \ - -h $REDIS_MASTER_HOST \ - -p $REDIS_MASTER_PORT_NUMBER \ - ping - ) - if [ "$?" -eq "124" ]; then - echo "Timed out" - exit 1 - fi - if [ "$response" != "PONG" ]; then - echo "$response" - exit 1 - fi - ping_liveness_master.sh: |- - #!/bin/bash - - [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")" - [[ -n "$REDIS_MASTER_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_MASTER_PASSWORD" - response=$( - timeout -s 15 $1 \ - redis-cli \ - -h $REDIS_MASTER_HOST \ - -p $REDIS_MASTER_PORT_NUMBER \ - ping - ) - if [ "$?" -eq "124" ]; then - echo "Timed out" - exit 1 - fi - responseFirstWord=$(echo $response | head -n1 | awk '{print $1;}') - if [ "$response" != "PONG" ] && [ "$responseFirstWord" != "LOADING" ]; then - echo "$response" - exit 1 - fi - ping_readiness_local_and_master.sh: |- - script_dir="$(dirname "$0")" - exit_status=0 - "$script_dir/ping_readiness_local.sh" $1 || exit_status=$? 
- "$script_dir/ping_readiness_master.sh" $1 || exit_status=$? - exit $exit_status - ping_liveness_local_and_master.sh: |- - script_dir="$(dirname "$0")" - exit_status=0 - "$script_dir/ping_liveness_local.sh" $1 || exit_status=$? - "$script_dir/ping_liveness_master.sh" $1 || exit_status=$? - exit $exit_status ---- -# Source: nautobot/charts/redis/templates/scripts-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: nautobot-redis-scripts - namespace: "nautobot" - labels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.9.0 -data: - start-master.sh: | - #!/bin/bash - - [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")" - if [[ -f /opt/bitnami/redis/mounted-etc/master.conf ]];then - cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf - fi - if [[ -f /opt/bitnami/redis/mounted-etc/redis.conf ]];then - cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf - fi - ARGS=("--port" "${REDIS_PORT}") - ARGS+=("--requirepass" "${REDIS_PASSWORD}") - ARGS+=("--masterauth" "${REDIS_PASSWORD}") - ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf") - ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf") - exec redis-server "${ARGS[@]}" ---- # Source: nautobot/templates/configmap.yaml apiVersion: v1 kind: ConfigMap 
@@ -363,58 +194,6 @@ data: } } --- -# Source: nautobot/charts/redis/templates/headless-svc.yaml -apiVersion: v1 -kind: Service -metadata: - name: nautobot-redis-headless - namespace: "nautobot" - labels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.9.0 - annotations: - -spec: - type: ClusterIP - clusterIP: None - ports: - - name: tcp-redis - port: 6379 - targetPort: redis - selector: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/name: redis ---- -# Source: nautobot/charts/redis/templates/master/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: nautobot-redis-master - namespace: "nautobot" - labels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.9.0 - app.kubernetes.io/component: master -spec: - type: ClusterIP - internalTrafficPolicy: Cluster - sessionAffinity: None - ports: - - name: tcp-redis - port: 6379 - targetPort: redis - nodePort: null - selector: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/name: redis - app.kubernetes.io/component: master ---- # Source: nautobot/templates/service.yaml apiVersion: v1 kind: Service @@ -525,6 +304,11 @@ spec: secretKeyRef: name: nautobot-pguser-nautobot key: password + - name: NAUTOBOT_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: nautobot-redis + key: redis-password envFrom: - configMapRef: name: nautobot-env @@ -631,6 +415,11 @@ spec: secretKeyRef: name: nautobot-pguser-nautobot key: password + - name: NAUTOBOT_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: nautobot-redis + key: redis-password envFrom: - configMapRef: name: nautobot-env 
@@ -727,6 +516,11 @@ spec: secretKeyRef: name: nautobot-pguser-nautobot key: password + - name: NAUTOBOT_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: nautobot-redis + key: redis-password envFrom: - configMapRef: name: nautobot-env @@ -773,6 +567,11 @@ spec: secretKeyRef: name: nautobot-pguser-nautobot key: password + - name: NAUTOBOT_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: nautobot-redis + key: redis-password envFrom: - configMapRef: name: nautobot-env 
@@ -827,181 +626,6 @@ spec: configMap: name: nautobot-config --- -# Source: nautobot/charts/redis/templates/master/application.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: nautobot-redis-master - namespace: "nautobot" - labels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.9.0 - app.kubernetes.io/component: master -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/name: redis - app.kubernetes.io/component: master - serviceName: nautobot-redis-headless - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.9.0 - app.kubernetes.io/component: master - annotations: - checksum/configmap: e888d0f18b05c7bd70a8c6ee0ee303f66b2775fd57390463254884461a8cdf6c - checksum/health: aff24913d801436ea469d8d374b2ddb3ec4c43ee7ab24663d5f8ff1a1b6991a9 - checksum/scripts: 560c33ff34d845009b51830c332aa05fa211444d1877d3526d3599be7543aaa5 - checksum/secret: 27ae699f02090654b5f07831cdb0fbfa2dfd0aa3a232d4b0006457aaf361b679 - spec: - - securityContext: - fsGroup: 1001 - fsGroupChangePolicy: Always - seccompProfile: - type: RuntimeDefault - supplementalGroups: [] - sysctls: [] - serviceAccountName: nautobot-redis-master - automountServiceAccountToken: false - affinity: - podAffinity: - - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/name: redis - app.kubernetes.io/component: master - topologyKey: kubernetes.io/hostname - weight: 1 - nodeAffinity: - - enableServiceLinks: true - terminationGracePeriodSeconds: 30 - containers: - - name: redis - image: 
docker.io/bitnami/redis:7.2.4-debian-11-r2 - imagePullPolicy: "Always" - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 0 - runAsNonRoot: true - runAsUser: 1001 - seccompProfile: - type: RuntimeDefault - command: - - /bin/bash - args: - - -c - - /opt/bitnami/scripts/start-scripts/start-master.sh - env: - - name: BITNAMI_DEBUG - value: "false" - - name: REDIS_REPLICATION_MODE - value: master - - name: ALLOW_EMPTY_PASSWORD - value: "no" - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: nautobot-redis - key: redis-password - - name: REDIS_TLS_ENABLED - value: "no" - - name: REDIS_PORT - value: "6379" - ports: - - name: redis - containerPort: 6379 - livenessProbe: - initialDelaySeconds: 20 - periodSeconds: 5 - # One second longer than command timeout should prevent generation of zombie processes. - timeoutSeconds: 6 - successThreshold: 1 - failureThreshold: 5 - exec: - command: - - sh - - -c - - /health/ping_liveness_local.sh 5 - readinessProbe: - initialDelaySeconds: 20 - periodSeconds: 5 - timeoutSeconds: 2 - successThreshold: 1 - failureThreshold: 5 - exec: - command: - - sh - - -c - - /health/ping_readiness_local.sh 1 - resources: - limits: {} - requests: {} - volumeMounts: - - name: start-scripts - mountPath: /opt/bitnami/scripts/start-scripts - - name: health - mountPath: /health - - name: redis-data - mountPath: /data - - name: config - mountPath: /opt/bitnami/redis/mounted-etc - - name: redis-tmp-conf - mountPath: /opt/bitnami/redis/etc/ - - name: tmp - mountPath: /tmp - volumes: - - name: start-scripts - configMap: - name: nautobot-redis-scripts - defaultMode: 0755 - - name: health - configMap: - name: nautobot-redis-health - defaultMode: 0755 - - name: config - configMap: - name: nautobot-redis-configuration - - name: redis-tmp-conf - emptyDir: {} - - name: tmp - emptyDir: {} - volumeClaimTemplates: - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: 
redis-data - labels: - app.kubernetes.io/instance: nautobot - app.kubernetes.io/name: redis - app.kubernetes.io/component: master - spec: - accessModes: - - "ReadWriteOnce" - resources: - requests: - storage: "8Gi" ---- # Source: nautobot/templates/tests/test-connection.yaml apiVersion: v1 kind: Pod
diff --git a/components/09-nautobot/redis-sa.yaml b/components/09-nautobot/redis-sa.yaml
deleted file mode 100644
index cd8dc8c00..000000000
--- a/components/09-nautobot/redis-sa.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: nautobot-redis-master
diff --git a/components/09-nautobot/values.yaml b/components/09-nautobot/values.yaml
index 70eefddef..3267f79d9 100644
--- a/components/09-nautobot/values.yaml
+++ b/components/09-nautobot/values.yaml
@@ -12,6 +12,11 @@ nautobot:
 existingSecret: "nautobot-pguser-nautobot"
 existingSecretPasswordKey: "password"
+ redis:
+ host: "nautobot-redis-master"
+ existingSecret: "nautobot-redis"
+ existingSecretPasswordKey: "redis-password"
+
 celery:
 replicaCount: 1
@@ -19,6 +24,4 @@ postgresql:
 enabled: false
 redis:
- enabled: true
- auth:
- password: "change-me"
+ enabled: false
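Review bot: `host: "nautobot-redis-master"` in the values.yaml hunk hard-codes the Service name that components/08-nautobot-redis derives from `releaseName: nautobot-redis`, and nothing ties the two together, so renaming that release would silently break Nautobot's cache connection; a comment such as `host: "nautobot-redis-master"  # <releaseName>-master Service created by components/08-nautobot-redis` keeps the coupling visible. With `redis.enabled: false` the chart no longer manages the Redis credentials, so the `nautobot-redis` Secret referenced here and in 08-nautobot-redis/values.yaml must exist before either Application syncs; the README change covers generating it, but a pointer from this stanza to components/01-secrets would help. Since the comment in 09-nautobot/kustomization.yaml says nautobot-helm_2.0.5-plus-password-ref.yaml is rendered from this file, it is worth confirming in the PR that the rendered manifest was regenerated from exactly these values rather than edited by hand.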