Merge branch 'master' into feature/redis-ha_introduce_helm-docs

DandyDeveloper · Nov 5, 2024 · 1837572 · 1837572
2 parents b598c55 + 57f2386
commit 1837572
Show file tree

Hide file tree

Showing 11 changed files with 449 additions and 282 deletions.
diff --git a/charts/redis-ha/Chart.yaml b/charts/redis-ha/Chart.yaml
@@ -5,7 +5,7 @@ keywords:
 - redis
 - keyvalue
 - database
-version: 4.26.7
+version: 4.29.0
 appVersion: 7.2.4
 description: This Helm chart provides a highly available Redis implementation with a master/slave configuration and uses Sentinel sidecars for failover management
 icon: https://upload.wikimedia.org/wikipedia/en/thumb/6/6b/Redis_Logo.svg/1200px-Redis_Logo.svg.png

diff --git a/charts/redis-ha/README.md b/charts/redis-ha/README.md
diff --git a/charts/redis-ha/templates/_configs.tpl b/charts/redis-ha/templates/_configs.tpl
@@ -643,11 +643,12 @@
       {{- end}}
         ping
     )
-    if [ "$response" != "PONG" ] && [ "${response:0:7}" != "LOADING" ] ; then
-      echo "$response"
-      exit 1
-    fi
     echo "response=$response"
+    case $response in
+      PONG|LOADING*) ;;
+      *) exit 1 ;;
+    esac
+    exit 0
 {{- end }}
 
 {{- define "redis_readiness.sh" }}
@@ -668,10 +669,39 @@
         ping
     )
     if [ "$response" != "PONG" ] ; then
-      echo "$response"
+      echo "ping=$response"
+      exit 1
+    fi
+
+    response=$(
+      redis-cli \
+      {{- if .Values.auth }}
+        -a "${AUTH}" --no-auth-warning \
+      {{- end }}
+        -h localhost \
+      {{- if ne (int .Values.redis.port) 0 }}
+        -p {{ .Values.redis.port }} \
+      {{- else }}
+        -p {{ .Values.redis.tlsPort }} ${TLS_CLIENT_OPTION} \
+      {{- end}}
+        role
+    )
+    role=$( echo "$response" | sed "1!d" )
+    if [ "$role" = "master" ]; then
+      echo "role=$role"
+      exit 0
+    elif [ "$role" = "slave" ]; then
+      repl=$( echo "$response" | sed "4!d" )
+      echo "role=$role; repl=$repl"
+      if [ "$repl" = "connected" ]; then
+        exit 0
+      else
+        exit 1
+      fi
+    else
+      echo "role=$role"
       exit 1
     fi
-    echo "response=$response"
 {{- end }}
 
 {{- define "sentinel_liveness.sh" }}

diff --git a/charts/redis-ha/templates/_helpers.tpl b/charts/redis-ha/templates/_helpers.tpl
@@ -92,3 +92,39 @@ Return the appropriate apiVersion for poddisruptionbudget.
 {{- print "policy/v1beta1" -}}
 {{- end -}}
 {{- end -}}
+
+{{/* 
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+
+{{- if (((.context.Values.global).compatibility).openshift) -}}
+  {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "compatibility.isOpenshift" .context)) -}}
+    {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+    {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+    {{- if not .secContext.seLinuxOptions -}}
+    {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+    {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{/* Remove fields that are disregarded when running the container in privileged mode */}}
+{{- if $adaptedContext.privileged -}}
+  {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/charts/redis-ha/templates/redis-ha-network-policy.yaml b/charts/redis-ha/templates/redis-ha-network-policy.yaml
@@ -35,13 +35,6 @@ spec:
           protocol: TCP
         - port: {{ .Values.sentinel.port }}
           protocol: TCP
-    - to:
-      - namespaceSelector: {}
-      ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
 {{-  range $rule := .Values.networkPolicy.egressRules }}
     - to:
 {{ (tpl (toYaml $rule.selectors) $) | indent 7 }}

diff --git a/charts/redis-ha/templates/redis-ha-serviceaccount.yaml b/charts/redis-ha/templates/redis-ha-serviceaccount.yaml
@@ -12,6 +12,10 @@ metadata:
     {{- range $key, $value := .Values.extraLabels }}
     {{ $key }}: {{ $value | quote }}
     {{- end }}
+{{- if .Values.serviceAccount.annotations }}
+  annotations:
+{{ toYaml .Values.serviceAccount.annotations | indent 4 }}
+{{- end }}
 {{- if or .Values.auth .Values.sentinel.auth }}
 secrets:
 {{- end }}

diff --git a/charts/redis-ha/templates/redis-ha-statefulset.yaml b/charts/redis-ha/templates/redis-ha-statefulset.yaml
@@ -24,6 +24,9 @@ spec:
   podManagementPolicy: {{ .Values.podManagementPolicy }}
   updateStrategy:
     type: {{ .Values.redis.updateStrategy.type }}
+  {{- if .Values.redis.minReadySeconds }}
+  minReadySeconds: {{ .Values.redis.minReadySeconds }}
+  {{- end }}
   template:
     metadata:
       annotations:
@@ -105,7 +108,7 @@ spec:
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
       {{- end }}
-      securityContext: {{ toYaml .Values.securityContext | nindent 8 }}
+      securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.securityContext "context" $) | nindent 8 }}
       serviceAccountName: {{ template "redis-ha.serviceAccountName" . }}
       automountServiceAccountToken: {{ .Values.serviceAccount.automountToken }}
       initContainers:
@@ -120,12 +123,12 @@ spec:
           mountPath: /host-sys
         {{- end }}
         command: {{ toYaml .Values.sysctlImage.command | nindent 10 }}
-        securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }}        
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
       {{- end }}
 {{- if and .Values.hostPath.path .Values.hostPath.chown }}
       - name: hostpath-chown
         image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
-        securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }}        
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
         command:
         - chown
         - "{{ .Values.containerSecurityContext.runAsUser }}"
@@ -143,7 +146,7 @@ spec:
         - sh
         args:
         - /readonly-config/init.sh
-        securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }}        
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
         env:
 {{- $replicas := int (toString .Values.replicas) -}}
 {{- range $i := until $replicas }}
@@ -231,7 +234,7 @@ spec:
            && if test -s /data/dump.rdb; \
               then cp -v /data/dump.rdb /data/dump.rdb_orig; fi \
            && mv -v /data/dump.rdb_ /data/dump.rdb"
-        securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }}        
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
         envFrom:
         - secretRef:
           {{- if .Values.restore.existingSecret }}
@@ -262,7 +265,7 @@ spec:
         {{- else }}
           - /data/conf/redis.conf
         {{- end }}
-        securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }}        
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
         {{- if .Values.auth }}
         env:
         - name: AUTH
@@ -279,6 +282,7 @@ spec:
         envFrom:
 {{ toYaml .Values.redis.envFrom | indent 10 }}
         {{- end }}
+        {{- if .Values.redis.livenessProbe.enabled }}
         livenessProbe:
           initialDelaySeconds: {{ .Values.redis.livenessProbe.initialDelaySeconds }}
           periodSeconds: {{ .Values.redis.livenessProbe.periodSeconds }}
@@ -290,6 +294,8 @@ spec:
               - sh
               - -c
               - /health/redis_liveness.sh
+        {{- end }}
+        {{- if .Values.redis.readinessProbe.enabled }}
         readinessProbe:
           initialDelaySeconds: {{ .Values.redis.readinessProbe.initialDelaySeconds }}
           periodSeconds: {{ .Values.redis.readinessProbe.periodSeconds }}
@@ -301,6 +307,20 @@ spec:
               - sh
               - -c
               - /health/redis_readiness.sh
+        {{- end }}
+        {{- if .Values.redis.startupProbe.enabled }}
+        startupProbe:
+          initialDelaySeconds: {{ .Values.redis.startupProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.redis.startupProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.redis.startupProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.redis.startupProbe.successThreshold }}
+          failureThreshold: {{ .Values.redis.startupProbe.failureThreshold }}
+          exec:
+            command:
+              - sh
+              - -c
+              - /health/redis_readiness.sh
+        {{- end }}
         resources:
 {{ toYaml .Values.redis.resources | indent 10 }}
         ports:
@@ -333,10 +353,18 @@ spec:
         image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         command:
+        {{- if .Values.sentinel.customCommand }}
+{{ toYaml .Values.sentinel.customCommand | indent 10 }}
+        {{- else }}
           - redis-sentinel
+        {{- end }}
         args:
+        {{- if .Values.sentinel.customArgs }}
+{{ toYaml .Values.sentinel.customArgs | indent 10 }}
+        {{- else }}
           - /data/conf/sentinel.conf
-        securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }}        
+        {{- end }}
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
 {{- if or .Values.auth .Values.sentinel.auth}}
         env:
   {{- if .Values.auth }}
@@ -362,6 +390,7 @@ spec:
               key: {{ .Values.sentinel.authKey }}
   {{- end }}
 {{- end }}
+        {{- if .Values.sentinel.livenessProbe.enabled }}
         livenessProbe:
           initialDelaySeconds: {{ .Values.sentinel.livenessProbe.initialDelaySeconds }}
           periodSeconds: {{ .Values.sentinel.livenessProbe.periodSeconds }}
@@ -373,6 +402,8 @@ spec:
               - sh
               - -c
               - /health/sentinel_liveness.sh
+        {{- end }}
+        {{- if .Values.sentinel.readinessProbe.enabled }}
         readinessProbe:
           initialDelaySeconds: {{ .Values.sentinel.readinessProbe.initialDelaySeconds }}
           periodSeconds: {{ .Values.sentinel.readinessProbe.periodSeconds }}
@@ -384,6 +415,20 @@ spec:
               - sh
               - -c
               - /health/sentinel_liveness.sh
+        {{- end }}
+        {{- if .Values.sentinel.startupProbe.enabled }}
+        startupProbe:
+          initialDelaySeconds: {{ .Values.sentinel.startupProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.sentinel.startupProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.sentinel.startupProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.sentinel.startupProbe.successThreshold }}
+          failureThreshold: {{ .Values.sentinel.startupProbe.failureThreshold }}
+          exec:
+            command:
+              - sh
+              - -c
+              - /health/sentinel_liveness.sh
+        {{- end }}
         resources:
 {{ toYaml .Values.sentinel.resources | indent 10 }}
         ports:
@@ -417,7 +462,7 @@ spec:
           - sh
         args:
           - /readonly-config/fix-split-brain.sh
-        securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }}        
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
         env:
 {{- $replicas := int (toString .Values.replicas) -}}
 {{- range $i := until $replicas }}
@@ -467,7 +512,7 @@ spec:
         {{- range $key, $value := .Values.exporter.extraArgs }}
           - --{{ $key }}={{ $value }}
         {{- end }}
-        securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }}        
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
         env:
           - name: REDIS_ADDR
           {{- if .Values.exporter.sslEnabled }}
@@ -520,9 +565,9 @@ spec:
 {{- if .Values.extraContainers }}
 {{- toYaml .Values.extraContainers | nindent 6 }}
 {{- end -}}
-{{- if .Values.priorityClassName }}
-      priorityClassName: {{ .Values.priorityClassName }}
-{{- end }}
+      {{- with .Values.priorityClassName | default .Values.global.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
       volumes:
       - name: config
         configMap:
@@ -558,7 +603,9 @@ spec:
 {{- end -}}
 {{- if .Values.persistentVolume.enabled }}
   volumeClaimTemplates:
-  - metadata:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
       name: data
       annotations:
       {{- range $key, $value := .Values.persistentVolume.annotations }}

diff --git a/charts/redis-ha/templates/redis-haproxy-deployment.yaml b/charts/redis-ha/templates/redis-haproxy-deployment.yaml
@@ -49,7 +49,8 @@ spec:
       {{- else }}
       serviceAccountName: {{ .Values.haproxy.serviceAccountName }}
       {{- end }}
-      securityContext: {{ toYaml .Values.haproxy.securityContext | nindent 8 }}
+      securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.haproxy.securityContext "context" $) | nindent 8 }}
+      automountServiceAccountToken: {{ .Values.haproxy.serviceAccount.automountToken }}
       nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 8 }}
       tolerations:
@@ -102,7 +103,7 @@ spec:
         - sh
         args:
         - /readonly/haproxy_init.sh
-        securityContext: {{ toYaml .Values.haproxy.containerSecurityContext | nindent 10 }}
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.haproxy.containerSecurityContext "context" $) | nindent 10 }}
         volumeMounts:
         - name: config-volume
           mountPath: /readonly
@@ -116,7 +117,7 @@ spec:
       - name: haproxy
         image: {{ .Values.haproxy.image.repository }}:{{ .Values.haproxy.image.tag }}
         imagePullPolicy: {{ .Values.haproxy.image.pullPolicy }}
-        securityContext: {{ toYaml .Values.haproxy.containerSecurityContext | nindent 10 }}
+        securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.haproxy.containerSecurityContext "context" $) | nindent 10 }}
     {{- if or .Values.auth .Values.sentinel.auth}}
         env:
       {{- if .Values.auth }}
@@ -178,9 +179,9 @@ spec:
 {{- end }}
         lifecycle:
 {{ toYaml .Values.haproxy.lifecycle | indent 10 }}
-{{- if .Values.haproxy.priorityClassName }}
-      priorityClassName: {{ .Values.haproxy.priorityClassName }}
-{{- end }}
+      {{- with .Values.haproxy.priorityClassName | default .Values.global.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
       volumes:
 {{- if .Values.haproxy.tls.enabled }}
       - name: pemfile

diff --git a/charts/redis-ha/templates/tests/test-redis-ha-configmap.yaml b/charts/redis-ha/templates/tests/test-redis-ha-configmap.yaml
@@ -21,7 +21,7 @@ spec:
       mountPath: /readonly-config
       readOnly: true
     resources: {{ toYaml .Values.configmapTest.resources | nindent 6 }}
-    securityContext: {{ toYaml .Values.containerSecurityContext | nindent 6 }}
+    securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 6 }}
   {{- if .Values.imagePullSecrets }}
   imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 4 }}
   {{- end }}

diff --git a/charts/redis-ha/templates/tests/test-redis-ha-pod.yaml b/charts/redis-ha/templates/tests/test-redis-ha-pod.yaml
@@ -21,7 +21,7 @@ spec:
       - -c
       - redis-cli -h {{ template "redis-ha.fullname" . }}-haproxy -p {{ .Values.redis.port }} info server
     resources: {{ toYaml .Values.haproxy.tests.resources | nindent 6 }}
-    securityContext: {{ toYaml .Values.containerSecurityContext | nindent 6 }}
+    securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 6 }}
   {{- if .Values.imagePullSecrets }}
   imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 4 }}
   {{- end }}