diff --git a/charts/redis-ha/Chart.yaml b/charts/redis-ha/Chart.yaml
index 53e1430..6ee9c06 100644
--- a/charts/redis-ha/Chart.yaml
+++ b/charts/redis-ha/Chart.yaml
@@ -5,7 +5,7 @@ keywords:
 - redis
 - keyvalue
 - database
-version: 4.26.7
+version: 4.29.0
 appVersion: 7.2.4
 description: This Helm chart provides a highly available Redis implementation with a master/slave configuration and uses Sentinel sidecars for failover management
 icon: https://upload.wikimedia.org/wikipedia/en/thumb/6/6b/Redis_Logo.svg/1200px-Redis_Logo.svg.png
diff --git a/charts/redis-ha/README.md b/charts/redis-ha/README.md
index cdf4bd4..685031f 100644
--- a/charts/redis-ha/README.md
+++ b/charts/redis-ha/README.md
@@ -58,250 +58,240 @@ The command removes all the Kubernetes components associated with the chart and
 The following table lists the configurable parameters of the Redis chart and their default values.
-### General parameters
-
-| Parameter | Description | Type | Default |
-|-----|------|---------|-------------|
-| `additionalAffinities` | Additional affinities to add to the Redis server pods. | object | `{}` |
-| `affinity` | Override all other affinity settings for the Redis server pods with a string. | string | `""` |
-| `auth` | Configures redis with AUTH (requirepass & masterauth conf params) | bool | `false` |
-| `authKey` | Defines the key holding the redis password in existing secret. | string | `"auth"` |
-| `configmap.labels` | Custom labels for the redis configmap | object | `{}` |
-| `configmapTest.image.repository` | Repository of the configmap shellcheck test image. | string | `"koalaman/shellcheck"` |
-| `configmapTest.image.tag` | Tag of the configmap shellcheck test image. | string | `"v0.5.0"` |
-| `configmapTest.resources` | Resources for the ConfigMap test pod | object | `{}` |
-| `containerSecurityContext` | Security context to be added to the Redis containers. | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}` |
-| `emptyDir` | Configuration of `emptyDir`, used only if persistentVolume is disabled and no hostPath specified | object | `{}` |
-| `existingSecret` | An existing secret containing a key defined by `authKey` that configures `requirepass` and `masterauth` in the conf parameters (Requires `auth: enabled`, cannot be used in conjunction with `.Values.redisPassword`) | string | `nil` |
-| `extraContainers` | Extra containers to include in StatefulSet | list | `[]` |
-| `extraInitContainers` | Extra init containers to include in StatefulSet | list | `[]` |
-| `extraLabels` | Labels added here are applied to all created resources | object | `{}` |
-| `extraVolumes` | Extra volumes to include in StatefulSet | list | `[]` |
-| `hardAntiAffinity` | Whether the Redis server pods should be forced to run on separate nodes. | bool | `true` |
-| `hostPath.chown` | if chown is true, an init-container with root permissions is launched to change the owner of the hostPath folder to the user defined in the security context | bool | `true` |
-| `hostPath.path` | Use this path on the host for data storage. path is evaluated as template so placeholders are replaced | string | `""` |
-| `image.pullPolicy` | Redis image pull policy | string | `"IfNotPresent"` |
-| `image.repository` | Redis image repository | string | `"public.ecr.aws/docker/library/redis"` |
-| `image.tag` | Redis image tag | string | `"7.2.4-alpine"` |
-| `imagePullSecrets` | Reference to one or more secrets to be used when pulling redis images | list | `[]` |
-| `init.resources` | Extra init resources | object | `{}` |
-| `labels` | Custom labels for the redis pod | object | `{}` |
-| `networkPolicy.annotations` | Annotations for NetworkPolicy | object | `{}` |
-| `networkPolicy.egressRules` | user can define egress rules too, uses the same structure as ingressRules | list | `[]` |
-| `networkPolicy.enabled` | whether NetworkPolicy for Redis StatefulSets should be created. when enabled, inter-Redis connectivity is created | bool | `false` |
-| `networkPolicy.ingressRules` | User defined ingress rules that Redis should permit into. Uses the format defined in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors | list | `[]` |
-| `networkPolicy.labels` | Labels for NetworkPolicy | object | `{}` |
-| `nodeSelector` | Node labels for pod assignment | object | `{}` |
-| `persistentVolume.accessModes` | Persistent volume access modes | list | `["ReadWriteOnce"]` |
-| `persistentVolume.annotations` | Annotations for the volume | object | `{}` |
-| `persistentVolume.enabled` | Enable persistent volume | bool | `true` |
-| `persistentVolume.labels` | Labels for the volume | object | `{}` |
-| `persistentVolume.size` | Persistent volume size | string | `"10Gi"` |
-| `persistentVolume.storageClass` | redis-ha data Persistent Volume Storage Class | string | `nil` |
-| `podDisruptionBudget` | Pod Disruption Budget rules | object | `{}` |
-| `podManagementPolicy` | The statefulset pod management policy | string | `"OrderedReady"` |
-| `priorityClassName` | Kubernetes priorityClass name for the redis-ha-server pod | string | `""` |
-| `rbac.create` | Create and use RBAC resources | bool | `true` |
-| `redis.annotations` | Annotations for the redis statefulset | object | `{}` |
-| `redis.authClients` | It is possible to disable client side certificates authentication when "authClients" is set to "no" | string | `""` |
-| `redis.config` | Any valid redis config options in this section will be applied to each server, For multi-value configs use list instead of string (for example loadmodule) (see below) | object | see values.yaml |
-| `redis.customArgs` | Allows overriding the redis container arguments | list | `[]` |
-| `redis.customCommand` | Allows overriding the redis container command | list | `[]` |
-| `redis.customConfig` | Allows for custom redis.conf files to be applied. If this is used then `redis.config` is ignored | string | `nil` |
-| `redis.disableCommands` | Array with commands to disable | list | `["FLUSHDB","FLUSHALL"]` |
-| `redis.envFrom` | Load environment variables from ConfigMap/Secret | list | `[]` |
-| `redis.extraVolumeMounts` | additional volumeMounts for Redis container | list | `[]` |
-| `redis.lifecycle` | Container Lifecycle Hooks for redis container Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ | object | see values.yaml |
-| `redis.livenessProbe.failureThreshold` | Failure threshold for liveness probe | int | `5` |
-| `redis.livenessProbe.initialDelaySeconds` | Initial delay in seconds for liveness probe | int | `30` |
-| `redis.livenessProbe.periodSeconds` | Period in seconds after which liveness probe will be repeated | int | `15` |
-| `redis.livenessProbe.successThreshold` | Success threshold for liveness probe | int | `1` |
-| `redis.livenessProbe.timeoutSeconds` | Timeout seconds for liveness probe | int | `15` |
-| `redis.masterGroupName` | Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated | string | `"mymaster"` |
-| `redis.port` | Port to access the redis service | int | `6379` |
-| `redis.readinessProbe.failureThreshold` | Failure threshold for readiness probe | int | `5` |
-| `redis.readinessProbe.initialDelaySeconds` | Initial delay in seconds for readiness probe | int | `30` |
-| `redis.readinessProbe.periodSeconds` | Period in seconds after which readiness probe will be repeated | int | `15` |
-| `redis.readinessProbe.successThreshold` | Success threshold for readiness probe | int | `1` |
-| `redis.readinessProbe.timeoutSeconds` | Timeout seconds for readiness probe | int | `15` |
-| `redis.resources` | CPU/Memory for master/slave nodes resource requests/limits | object | `{}` |
-| `redis.terminationGracePeriodSeconds` | Increase terminationGracePeriodSeconds to allow writing large RDB snapshots. (k8s default is 30s) ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination-forced | int | `60` |
-| `redis.tlsPort` | TLS Port to access the redis service | int | `nil` |
-| `redis.tlsReplication` | Configures redis with tls-replication parameter, if true sets "tls-replication yes" in redis.conf | bool | `nil` |
-| `redis.updateStrategy` | Update strategy for Redis StatefulSet | object | `{"type":"RollingUpdate"}` |
-| `redisPassword` | A password that configures a `requirepass` and `masterauth` in the conf parameters (Requires `auth: enabled`) | string | `nil` |
-| `replicas` | Number of redis master/slave | int | `3` |
-| `restore.existingSecret` | Set existingSecret to true to use secret specified in existingSecret above | bool | `false` |
-| `restore.s3.access_key` | Restore init container - AWS AWS_ACCESS_KEY_ID to access restore.s3.source | string | `""` |
-| `restore.s3.region` | Restore init container - AWS AWS_REGION to access restore.s3.source | string | `""` |
-| `restore.s3.secret_key` | Restore init container - AWS AWS_SECRET_ACCESS_KEY to access restore.s3.source | string | `""` |
-| `restore.s3.source` | Restore init container - AWS S3 location of dump - i.e. s3://bucket/dump.rdb | string | `""` |
-| `restore.ssh.key` | Restore init container - SSH private key to scp restore.ssh.source to init container. Key should be in one line separated with \n. i.e. `-----BEGIN RSA PRIVATE KEY-----\n...\n...\n-----END RSA PRIVATE KEY-----` | string | `""` |
-| `restore.ssh.source` | Restore init container - SSH scp location of dump - i.e. user@server:/path/dump.rdb | string | `""` |
-| `restore.timeout` | Timeout for the restore | int | `600` |
-| `ro_replicas` | Comma separated list of slaves which never get promoted to be master. Count starts with 0. Allowed values 1-9. i.e. 3,4 - 3th and 4th redis slave never make it to be master, where master is index 0. | string | `""` |
-| `schedulerName` | Use an alternate scheduler, e.g. "stork". ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ | string | `""` |
-| `securityContext` | Security context to be added to the Redis StatefulSet. | object | `{"fsGroup":1000,"runAsNonRoot":true,"runAsUser":1000}` |
-| `serviceAccount.automountToken` | opt in/out of automounting API credentials into container. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ | bool | `false` |
-| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | bool | `true` |
-| `serviceAccount.name` | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the redis-ha.fullname template | string | `""` |
-| `serviceLabels` | Custom labels for redis service | object | `{}` |
-| `splitBrainDetection.interval` | Interval between redis sentinel and server split brain checks (in seconds) | int | `60` |
-| `splitBrainDetection.resources` | splitBrainDetection resources | object | `{}` |
-| `sysctlImage.command` | sysctlImage command to execute | list | `[]` |
-| `sysctlImage.enabled` | Enable an init container to modify Kernel settings | bool | `false` |
-| `sysctlImage.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | bool | `false` |
-| `sysctlImage.pullPolicy` | sysctlImage Init container pull policy | string | `"Always"` |
-| `sysctlImage.registry` | sysctlImage Init container registry | string | `"public.ecr.aws/docker/library"` |
-| `sysctlImage.repository` | sysctlImage Init container name | string | `"busybox"` |
-| `sysctlImage.resources` | sysctlImage resources | object | `{}` |
-| `sysctlImage.tag` | sysctlImage Init container tag | string | `"1.34.1"` |
-| `tls.caCertFile` | Name of CA certificate file | string | `"ca.crt"` |
-| `tls.certFile` | Name of certificate file | string | `"redis.crt"` |
-| `tls.dhParamsFile` | Name of Diffie-Hellman (DH) key exchange parameters file | string | `nil` |
-| `tls.keyFile` | Name of key file | string | `"redis.key"` |
-| `topologySpreadConstraints.enabled` | Enable topology spread constraints | bool | `false` |
-| `topologySpreadConstraints.maxSkew` | Max skew of pods tolerated | string | `""` |
-| `topologySpreadConstraints.topologyKey` | Topology key for spread constraints | string | `""` |
-| `topologySpreadConstraints.whenUnsatisfiable` | Enforcement policy, hard or soft | string | `""` |
-
-### Redis Sentinel parameters
-
-| Parameter | Description | Type | Default |
-|-----|------|---------|-------------|
-| `sentinel.auth` | Enables or disables sentinel AUTH (Requires `sentinel.password` to be set) | bool | `false` |
-| `sentinel.authClients` | It is possible to disable client side certificates authentication when "authClients" is set to "no" | string | `""` |
-| `sentinel.authKey` | The key holding the sentinel password in an existing secret. | string | `"sentinel-password"` |
-| `sentinel.config` | Valid sentinel config options in this section will be applied as config options to each sentinel (see below) | object | see values.yaml |
-| `sentinel.customConfig` | Allows for custom sentinel.conf files to be applied. If this is used then `sentinel.config` is ignored | string | `""` |
-| `sentinel.existingSecret` | An existing secret containing a key defined by `sentinel.authKey` that configures `requirepass` in the conf parameters (Requires `sentinel.auth: enabled`, cannot be used in conjunction with `.Values.sentinel.password`) | string | `""` |
-| `sentinel.extraVolumeMounts` | additional volumeMounts for Sentinel container | list | `[]` |
-| `sentinel.lifecycle` | Container Lifecycle Hooks for sentinel container. Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ | object | `{}` |
-| `sentinel.livenessProbe.failureThreshold` | Failure threshold for liveness probe | int | `5` |
-| `sentinel.livenessProbe.initialDelaySeconds` | Initial delay in seconds for liveness probe | int | `30` |
-| `sentinel.livenessProbe.periodSeconds` | Period in seconds after which liveness probe will be repeated | int | `15` |
-| `sentinel.livenessProbe.successThreshold` | Success threshold for liveness probe | int | `1` |
-| `sentinel.livenessProbe.timeoutSeconds` | Timeout seconds for liveness probe | int | `15` |
-| `sentinel.password` | A password that configures a `requirepass` in the conf parameters (Requires `sentinel.auth: enabled`) | string | `nil` |
-| `sentinel.port` | Port to access the sentinel service | int | `26379` |
-| `sentinel.quorum` | Minimum number of servers necessary to maintain quorum | int | `2` |
-| `sentinel.readinessProbe.failureThreshold` | Failure threshold for readiness probe | int | `5` |
-| `sentinel.readinessProbe.initialDelaySeconds` | Initial delay in seconds for readiness probe | int | `30` |
-| `sentinel.readinessProbe.periodSeconds` | Period in seconds after which readiness probe will be repeated | int | `15` |
-| `sentinel.readinessProbe.successThreshold` | Success threshold for readiness probe | int | `3` |
-| `sentinel.readinessProbe.timeoutSeconds` | Timeout seconds for readiness probe | int | `15` |
-| `sentinel.resources` | CPU/Memory for sentinel node resource requests/limits | object | `{}` |
-| `sentinel.tlsPort` | TLS Port to access the sentinel service | int | `nil` |
-| `sentinel.tlsReplication` | Configures sentinel with tls-replication parameter, if true sets "tls-replication yes" in sentinel.conf | bool | `nil` |
-
-### HAProxy parameters
-
-| Parameter | Description | Type | Default |
-|-----|------|---------|-------------|
-| `haproxy.IPv6.enabled` | Enable HAProxy parameters to bind and consume IPv6 addresses. Enabled by default. | bool | `true` |
-| `haproxy.additionalAffinities` | Additional affinities to add to the haproxy pods. | object | `{}` |
-| `haproxy.affinity` | Override all other affinity settings for the haproxy pods with a string. | string | `""` |
-| `haproxy.annotations` | HAProxy template annotations | object | `{}` |
-| `haproxy.checkFall` | haproxy.cfg `check fall` setting | int | `1` |
-| `haproxy.checkInterval` | haproxy.cfg `check inter` setting | string | `"1s"` |
-| `haproxy.containerPort` | Modify HAProxy deployment container port | int | `6379` |
-| `haproxy.containerSecurityContext` | Security context to be added to the HAProxy containers. | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` |
-| `haproxy.customConfig` | Allows for custom config-haproxy.cfg file to be applied. If this is used then default config will be overwriten | string | `nil` |
-| `haproxy.deploymentStrategy` | Deployment strategy for the haproxy deployment | object | `{"type":"RollingUpdate"}` |
-| `haproxy.emptyDir` | Configuration of `emptyDir` | object | `{}` |
-| `haproxy.enabled` | Enabled HAProxy LoadBalancing/Proxy | bool | `false` |
-| `haproxy.extraConfig` | Allows to place any additional configuration section to add to the default config-haproxy.cfg | string | `nil` |
-| `haproxy.hardAntiAffinity` | Whether the haproxy pods should be forced to run on separate nodes. | bool | `true` |
-| `haproxy.image.pullPolicy` | HAProxy Image PullPolicy | string | `"IfNotPresent"` |
-| `haproxy.image.repository` | HAProxy Image Repository | string | `"public.ecr.aws/docker/library/haproxy"` |
-| `haproxy.image.tag` | HAProxy Image Tag | string | `"2.9.4-alpine"` |
-| `haproxy.imagePullSecrets` | Reference to one or more secrets to be used when pulling images ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | list | `[]` |
-| `haproxy.init.resources` | Extra init resources | object | `{}` |
-| `haproxy.labels` | Custom labels for the haproxy pod | object | `{}` |
-| `haproxy.lifecycle` | Container lifecycle hooks. Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ | object | `{}` |
-| `haproxy.metrics.enabled` | HAProxy enable prometheus metric scraping | bool | `false` |
-| `haproxy.metrics.port` | HAProxy prometheus metrics scraping port | int | `9101` |
-| `haproxy.metrics.portName` | HAProxy metrics scraping port name | string | `"http-exporter-port"` |
-| `haproxy.metrics.scrapePath` | HAProxy prometheus metrics scraping path | string | `"/metrics"` |
-| `haproxy.metrics.serviceMonitor.enabled` | When set true then use a ServiceMonitor to configure scraping | bool | `false` |
-| `haproxy.metrics.serviceMonitor.endpointAdditionalProperties` | Set additional properties for the ServiceMonitor endpoints such as relabeling, scrapeTimeout, tlsConfig, and more. | object | `{}` |
-| `haproxy.metrics.serviceMonitor.interval` | Set how frequently Prometheus should scrape | string | `""` |
-| `haproxy.metrics.serviceMonitor.labels` | Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator | object | `{}` |
-| `haproxy.metrics.serviceMonitor.namespace` | Set the namespace the ServiceMonitor should be deployed | string | `.Release.Namespace` |
-| `haproxy.metrics.serviceMonitor.telemetryPath` | Set path to redis-exporter telemtery-path | string | `""` |
-| `haproxy.metrics.serviceMonitor.timeout` | Set timeout for scrape | string | `""` |
-| `haproxy.networkPolicy.annotations` | Annotations for Haproxy NetworkPolicy | object | `{}` |
-| `haproxy.networkPolicy.egressRules` | user can define egress rules too, uses the same structure as ingressRules | list | `[]` |
-| `haproxy.networkPolicy.enabled` | whether NetworkPolicy for Haproxy should be created | bool | `false` |
-| `haproxy.networkPolicy.ingressRules` | user defined ingress rules that Haproxy should permit into. uses the format defined in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors | list | `[]` |
-| `haproxy.networkPolicy.labels` | Labels for Haproxy NetworkPolicy | object | `{}` |
-| `haproxy.podDisruptionBudget` | Pod Disruption Budget ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ | object | `{}` |
-| `haproxy.priorityClassName` | Kubernetes priorityClass name for the haproxy pod | string | `""` |
-| `haproxy.readOnly.enabled` | Enable if you want a dedicated port in haproxy for redis-slaves | bool | `false` |
-| `haproxy.readOnly.port` | Port for the read-only redis-slaves | int | `6380` |
-| `haproxy.replicas` | Number of HAProxy instances | int | `3` |
-| `haproxy.resources` | HAProxy resources | object | `{}` |
-| `haproxy.securityContext` | Security context to be added to the HAProxy deployment. | object | `{"fsGroup":99,"runAsNonRoot":true,"runAsUser":99}` |
-| `haproxy.service.annotations` | HAProxy service annotations | string | `nil` |
-| `haproxy.service.externalIPs` | HAProxy external IPs | object | `{}` |
-| `haproxy.service.externalTrafficPolicy` | HAProxy service externalTrafficPolicy value (haproxy.service.type must be LoadBalancer) | string | `nil` |
-| `haproxy.service.labels` | HAProxy service labels | object | `{}` |
-| `haproxy.service.loadBalancerIP` | HAProxy service loadbalancer IP | string | `nil` |
-| `haproxy.service.loadBalancerSourceRanges` | List of CIDR's allowed to connect to LoadBalancer | list | `[]` |
-| `haproxy.service.nodePort` | HAProxy service nodePort value (haproxy.service.type must be NodePort) | int | `nil` |
-| `haproxy.service.type` | HAProxy service type "ClusterIP", "LoadBalancer" or "NodePort" | string | `"ClusterIP"` |
-| `haproxy.serviceAccount.create` | Specifies whether a ServiceAccount should be created | bool | `true` |
-| `haproxy.serviceAccountName` | HAProxy serviceAccountName | string | `"redis-sa"` |
-| `haproxy.servicePort` | Modify HAProxy service port | int | `6379` |
-| `haproxy.stickyBalancing` | HAProxy sticky load balancing to Redis nodes. Helps with connections shutdown. | bool | `false` |
-| `haproxy.tests.resources` | Pod resources for the tests against HAProxy. | object | `{}` |
-| `haproxy.timeout.check` | haproxy.cfg `timeout check` setting | string | `"2s"` |
-| `haproxy.timeout.client` | haproxy.cfg `timeout client` setting | string | `"330s"` |
-| `haproxy.timeout.connect` | haproxy.cfg `timeout connect` setting | string | `"4s"` |
-| `haproxy.timeout.server` | haproxy.cfg `timeout server` setting | string | `"330s"` |
-| `haproxy.tls.certMountPath` | Path to mount the secret that contains the certificates. haproxy | string | `"/tmp/"` |
-| `haproxy.tls.enabled` | If "true" this will enable TLS termination on haproxy | bool | `false` |
-| `haproxy.tls.keyName` | Key file name | string | `nil` |
-| `haproxy.tls.secretName` | Secret containing the .pem file | string | `""` |
-
-### Prometheus exporter parameters
-
-| Parameter | Description | Type | Default |
-|-----|------|---------|-------------|
-| `exporter.address` | Address/Host for Redis instance. Exists to circumvent issues with IPv6 dns resolution that occurs on certain environments | string | `"localhost"` |
-| `exporter.enabled` | If `true`, the prometheus exporter sidecar is enabled | bool | `false` |
-| `exporter.extraArgs` | Additional args for redis exporter | object | `{}` |
-| `exporter.image` | Exporter image | string | `"oliver006/redis_exporter"` |
-| `exporter.livenessProbe.httpGet.path` | Exporter liveness probe httpGet path | string | `"/metrics"` |
-| `exporter.livenessProbe.httpGet.port` | Exporter liveness probe httpGet port | int | `9121` |
-| `exporter.livenessProbe.initialDelaySeconds` | Initial delay in seconds for liveness probe of exporter | int | `15` |
-| `exporter.livenessProbe.periodSeconds` | Period in seconds after which liveness probe will be repeated | int | `15` |
-| `exporter.livenessProbe.timeoutSeconds` | Timeout seconds for liveness probe of exporter | int | `3` |
-| `exporter.port` | Exporter port | int | `9121` |
-| `exporter.portName` | Exporter port name | string | `"exporter-port"` |
-| `exporter.pullPolicy` | Exporter image pullPolicy | string | `"IfNotPresent"` |
-| `exporter.readinessProbe.httpGet.path` | Exporter readiness probe httpGet path | string | `"/metrics"` |
-| `exporter.readinessProbe.httpGet.port` | Exporter readiness probe httpGet port | int | `9121` |
-| `exporter.readinessProbe.initialDelaySeconds` | Initial delay in seconds for readiness probe of exporter | int | `15` |
-| `exporter.readinessProbe.periodSeconds` | Period in seconds after which readiness probe will be repeated | int | `15` |
-| `exporter.readinessProbe.successThreshold` | Success threshold for readiness probe of exporter | int | `2` |
-| `exporter.readinessProbe.timeoutSeconds` | Timeout seconds for readiness probe of exporter | int | `3` |
-| `exporter.resources` | cpu/memory resource limits/requests | object | `{}` |
-| `exporter.scrapePath` | Exporter scrape path | string | `"/metrics"` |
-| `exporter.script` | A custom custom Lua script that will be mounted to exporter for collection of custom metrics. Creates a ConfigMap and sets env var `REDIS_EXPORTER_SCRIPT`. | string | `""` |
-| `exporter.serviceMonitor.enabled` | When set true then use a ServiceMonitor to configure scraping | bool | `false` |
-| `exporter.serviceMonitor.endpointAdditionalProperties` | Set additional properties for the ServiceMonitor endpoints such as relabeling, scrapeTimeout, tlsConfig, and more. | object | `{}` |
-| `exporter.serviceMonitor.interval` | Set how frequently Prometheus should scrape | string | `""` |
-| `exporter.serviceMonitor.labels` | Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator | object | `{}` |
-| `exporter.serviceMonitor.namespace` | Set the namespace the ServiceMonitor should be deployed | string | `.Release.Namespace` |
-| `exporter.serviceMonitor.telemetryPath` | Set path to redis-exporter telemtery-path | string | `""` |
-| `exporter.serviceMonitor.timeout` | Set timeout for scrape | string | `""` |
-| `exporter.tag` | Exporter image tag | string | `"v1.57.0"` |
-| `prometheusRule.additionalLabels` | Additional labels to be set in metadata. | object | `{}` |
-| `prometheusRule.enabled` | If true, creates a Prometheus Operator PrometheusRule. | bool | `false` |
-| `prometheusRule.interval` | How often rules in the group are evaluated (falls back to `global.evaluation_interval` if not set). | string | `"10s"` |
-| `prometheusRule.namespace` | Namespace which Prometheus is running in. | string | `nil` |
-| `prometheusRule.rules` | Rules spec template (see https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#rule). | list | `[]` |
+| Parameter | Description | Default |
+|:--------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------|
+| `global.priorityClassName`| Default priority class for all components (HAProxy Deployment and Redis StatefulSet) | `""` |
+| `global.compatibility.openshift.adaptSecurityContext`| Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `"auto"` |
+| `image.repository` | Redis image repository | `redis` |
+| `image.tag` | Redis image tag | `6.2.5-alpine` |
+| `image.pullPolicy` | Redis image pull policy | `IfNotPresent` |
+| `imagePullSecrets` | Reference to one or more secrets to be used when pulling redis images | [] |
+| `tag` | Redis tag | `6.2.5-alpine` |
+| `replicas` | Number of redis master/slave pods | `3` |
+| `podManagementPolicy` | The statefulset pod management policy | `OrderedReady` |
+| `ro_replicas` | Comma separated list of slaves which never get promoted to be master. Count starts with 0. Allowed values 1-9. i.e. 3,4 - 3th and 4th redis slave never make it to be master, where master is index 0. | ``|
+| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
+| `serviceAccount.name` | The name of the ServiceAccount to create | Generated using the redis-ha.fullname template |
+| `serviceAccount.automountToken` | Opt in/out of automounting API credentials into container | `false` |
+| `serviceAccount.annotations` | Specifies annotations that should be applied to the service account | `{}` |
+| `serviceAnnotations` | Annotations to set on Redis HA service | `null` |
+| `serviceLabels` | Labels to set on Redis HA service | `{}` |
+| `rbac.create` | Create and use RBAC resources | `true` |
+| `redis.port` | Port to access the redis service | `6379` |
+| `redis.customCommand` | Allows overriding the redis container command | `[]` |
+| `redis.customArgs` | Allows overriding the redis container arguments | `[]` |
+| `redis.envFrom` | Load environment variables from ConfigMap/Secret |``|
+| `redis.tlsPort` | TLS Port to access the redis service |``|
+| `redis.tlsReplication` | Configures redis with tls-replication parameter, if true sets "tls-replication yes" in redis.conf |``|
+| `redis.authClients` | It is possible to disable client side certificates authentication when "authClients" is set to "no" |``|
+| `redis.livenessProbe.enabled` | Whether to enable the liveness probe | `30` |
+| `redis.livenessProbe.initialDelaySeconds` | Initial delay in seconds for liveness probe | `30` |
+| `redis.livenessProbe.periodSeconds` | Period in seconds after which liveness probe will be repeated | `15` |
+| `redis.livenessProbe.timeoutSeconds` | Timeout seconds for liveness probe | `15` |
+| `redis.livenessProbe.successThreshold` | Success threshold for liveness probe | `1` |
+| `redis.livenessProbe.failureThreshold` | Failure threshold for liveness probe | `5` |
+| `redis.readinessProbe.enabled` | Whether to enable the readiness probe | `30` |
+| `redis.readinessProbe.initialDelaySeconds` | Initial delay in seconds for readiness probe | `30` |
+| `redis.readinessProbe.periodSeconds` | Period in seconds after which readiness probe will be repeated | `15` |
+| `redis.readinessProbe.timeoutSeconds` | Timeout seconds for readiness probe | `15` |
+| `redis.readinessProbe.successThreshold` | Success threshold for readiness probe | `1` |
+| `redis.readinessProbe.failureThreshold` | Failure threshold for readiness probe | `5` |
+| `redis.startupProbe.enabled` | Whether to enable the startup probe | `30` |
+| `redis.startupProbe.initialDelaySeconds` | Initial delay in seconds for startup probe | `30` |
+| `redis.startupProbe.periodSeconds` | Period in seconds after which startup probe will be repeated | `15` |
+| `redis.startupProbe.timeoutSeconds` | Timeout seconds for startup probe | `15` |
+| `redis.startupProbe.successThreshold` | Success threshold for startup probe | `1` |
+| `redis.startupProbe.failureThreshold` | Failure threshold for startup probe | `5` |
+| `redis.masterGroupName` | Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated | `mymaster` |
+| `redis.disableCommands` | Array with commands to disable | `["FLUSHDB","FLUSHALL"]` |
+| `redis.config` | Any valid redis config options in this section will be applied to each server, For multi-value configs use list instead of string (for example loadmodule) (see below) | see values.yaml |
+| `redis.customConfig` | Allows for custom redis.conf files to be applied. If this is used then `redis.config` is ignored |``|
+| `redis.resources` | CPU/Memory for master/slave nodes resource requests/limits | `{}` |
+| `redis.lifecycle` | Container Lifecycle Hooks for redis container | see values.yaml |
+| `redis.annotations` | Annotations for the redis statefulset | `{}` |
+| `redis.updateStategy.type`| Update strategy for redis statefulSet | `RollingUpdate` |
+| `redis.minReadySeconds` | an optional field that specifies the minimum number of seconds for which a newly created Pod should be running and ready without any of its containers crashing, for it to be considered available. | ``|
+| `redis.extraVolumeMounts` | Extra volume mounts for Redis container | `[]` |
+| `sentinel.port` | Port to access the sentinel service | `26379` |
+| `sentinel.bind` | Configure the 'bind' directive to bind to a list of network interfaces | `` |
+| `sentinel.tlsPort` | TLS Port to access the sentinel service |``|
+| `sentinel.tlsReplication` | Configures sentinel with tls-replication parameter, if true sets "tls-replication yes" in sentinel.conf |``|
+| `sentinel.authClients` | It is possible to disable client side certificates authentication when "authClients" is set to "no" |``|
+| `sentinel.livenessProbe.enabled` | Whether to enable the liveness probe | `30` |
+| `sentinel.livenessProbe.initialDelaySeconds` | Initial delay in seconds for liveness probe | `30` |
+| `sentinel.livenessProbe.periodSeconds` | Period in seconds after which liveness probe will be repeated | `15` |
+| `sentinel.livenessProbe.timeoutSeconds` | Timeout seconds for liveness probe | `15` |
+| `sentinel.livenessProbe.successThreshold` | Success threshold for liveness probe | `1` |
+| `sentinel.livenessProbe.failureThreshold` | Failure threshold for liveness probe | `5` |
+| `sentinel.readinessProbe.enabled` | Whether to enable the liveness probe | `30` |
+| `sentinel.readinessProbe.initialDelaySeconds` | Initial delay in seconds for readiness probe | `30` |
+| `sentinel.readinessProbe.periodSeconds` | Period in seconds after which readiness probe will be repeated | `15` |
+| `sentinel.readinessProbe.timeoutSeconds` | Timeout seconds for readiness probe | `15` |
+| `sentinel.readinessProbe.successThreshold` | Success threshold for readiness probe | `3` |
+| `sentinel.readinessProbe.failureThreshold` | Failure threshold for readiness probe | `5` |
+| `sentinel.startupProbe.enabled` | Whether to enable the liveness probe | `30` |
+| `sentinel.startupProbe.initialDelaySeconds` | Initial delay in seconds for startup probe | `30` |
+| `sentinel.startupProbe.periodSeconds` | Period in seconds after which startup probe will be repeated | `15` |
+| `sentinel.startupProbe.timeoutSeconds` | Timeout seconds for startup probe | `15` |
+| `sentinel.startupProbe.successThreshold` | Success threshold for startup probe | `3` |
+| `sentinel.startupProbe.failureThreshold` | Failure threshold for startup probe | `5` |
+| `sentinel.auth` | Enables or disables sentinel AUTH (Requires `sentinel.password` to be set) | `false` |
+| `sentinel.password` | A password that configures a `requirepass` in the conf parameters (Requires `sentinel.auth: enabled`) |``|
+| `sentinel.existingSecret` | An existing secret containing a key defined by `sentinel.authKey` that configures `requirepass` in the conf parameters (Requires `sentinel.auth: enabled`, cannot be used in conjunction with `.Values.sentinel.password`) |``|
+| `sentinel.authKey` | The key holding the sentinel password in an existing secret. | `sentinel-password` |
+| `sentinel.customCommand` | Allows overriding the sentinel container command | `[]` |
+| `sentinel.customArgs` | Allows overriding the sentinel container arguments | `[]` |
+| `sentinel.quorum` | Minimum number of servers necessary to maintain quorum | `2` |
+| `sentinel.config` | Valid sentinel config options in this section will be applied as config options to each sentinel (see below) | see values.yaml |
+| `sentinel.customConfig` | Allows for custom sentinel.conf files to be applied. If this is used then `sentinel.config` is ignored |``|
+| `sentinel.resources` | CPU/Memory for sentinel node resource requests/limits | `{}` |
+| `sentinel.lifecycle` | Container Lifecycle Hooks for sentinel container | `{}` |
+| `sentinel.extraVolumeMounts` | Extra volume mounts for Sentinel container | `[]` |
+| `init.resources` | CPU/Memory for init Container node resource requests/limits | `{}` |
+| `auth` | Enables or disables redis AUTH (Requires `redisPassword` to be set) | `false` |
+| `redisPassword` | A password that configures a `requirepass` and `masterauth` in the conf parameters (Requires `auth: enabled`) |``|
+| `authKey` | The key holding the redis password in an existing secret. | `auth` |
+| `existingSecret` | An existing secret containing a key defined by `authKey` that configures `requirepass` and `masterauth` in the conf parameters (Requires `auth: enabled`, cannot be used in conjunction with `.Values.redisPassword`) |``|
+| `nodeSelector` | Node labels for pod assignment | `{}` |
+| `tolerations` | Toleration labels for pod assignment | `[]` |
+| `hardAntiAffinity` | Whether the Redis server pods should be forced to run on separate nodes. | `true` |
+| `additionalAffinities` | Additional affinities to add to the Redis server pods. | `{}` |
+| `securityContext` | Security context to be added to the Redis StatefulSet. 
| `{runAsUser: 1000, fsGroup: 1000, runAsNonRoot: true}` | +| `containerSecurityContext` | Security context to be added to the Redis containers. | `{ runAsNonRoot: true, allowPrivilegeEscalation: false, seccompProfile: { type: RuntimeDefault }, capabilities: { drop: [ "ALL" ] }` | +| `affinity` | Override all other affinity settings with a string. | `""` | +| `labels` | Labels for the Redis pod. | `{}` | +| `configmap.labels` | Labels for the Redis configmap. | `{}` | +| `configmapTest.image.repository` | Repository of the configmap shellcheck test image. | `koalaman/shellcheck` | +| `configmapTest.image.tag` | Tag of the configmap shellcheck test image. | `v0.5.0` | +| `configmapTest.resources` | Resources for the ConfigMap tests. | `{}` | +| `persistentVolume.size` | Size for the volume | 10Gi | +| `persistentVolume.annotations` | Annotations for the volume | `{}` | +| `persistentVolume.labels` | Labels for the volume | `{}` | +| `emptyDir` | Configuration of `emptyDir`, used only if persistentVolume is disabled and no hostPath specified | `{}` | +| `exporter.enabled` | If `true`, the prometheus exporter sidecar is enabled | `false` | +| `exporter.image` | Exporter image | `oliver006/redis_exporter` | +| `exporter.tag` | Exporter tag | `v1.27.0` | +| `exporter.port` | Exporter port | `9121` | +| `exporter.portName` | Exporter port name | `exporter-port` | +| `exporter.address` | Redis instance Hostname/Address Exists to circumvent some issues with issues in IPv6 hostname resolution | `localhost` | +| `exporter.annotations` | Prometheus scrape annotations | `{prometheus.io/path: /metrics, prometheus.io/port: "9121", prometheus.io/scrape: "true"}` | +| `exporter.extraArgs` | Additional args for the exporter | `{}` | +| `exporter.script` | A custom custom Lua script that will be mounted to exporter for collection of custom metrics. Creates a ConfigMap and sets env var `REDIS_EXPORTER_SCRIPT`. 
| | +| `exporter.serviceMonitor.enabled` | Use servicemonitor from prometheus operator | `false` | +| `exporter.serviceMonitor.namespace` | Namespace the service monitor is created in | `default` | +| `exporter.serviceMonitor.interval` | Scrape interval, If not set, the Prometheus default scrape interval is used | `nil` | +| `exporter.serviceMonitor.telemetryPath` | Path to redis-exporter telemetry-path | `/metrics` | +| `exporter.serviceMonitor.labels` | Labels for the servicemonitor passed to Prometheus Operator | `{}` | +| `exporter.serviceMonitor.timeout` | How long until a scrape request times out. If not set, the Prometheus default scape timeout is used | `nil` | +| `exporter.serviceMonitor.endpointAdditionalProperties` | Set additional properties for the ServiceMonitor endpoints such as relabeling, scrapeTimeout, tlsConfig, and more. | `{}` | +| `haproxy.enabled` | Enabled HAProxy LoadBalancing/Proxy | `false` | +| `haproxy.replicas` | Number of HAProxy instances | `3` | +| `haproxy.servicePort` | Modify HAProxy service port | `6379` | +| `haproxy.containerPort` | Modify HAProxy deployment container port | `6379` +| `haproxy.image.repository`| HAProxy Image Repository | `haproxy` | +| `haproxy.image.tag` | HAProxy Image Tag | `2.4.2` | +| `haproxy.image.pullPolicy`| HAProxy Image PullPolicy | `IfNotPresent` | +| `haproxy.imagePullSecrets`| Reference to one or more secrets to be used when pulling haproxy images | [] | +| `haproxy.tls.enabled` | If "true" this will enable TLS termination on haproxy | `false` +| `haproxy.tls.secretName` | Secret containing the .pem file | `""` +| `haproxy.tls.certMountPath` | Path to mount the secret that contains the certificates. haproxy | `false` +| `haproxy.tls.secretName` | Secret containing the .pem file | `""` +| `haproxy.annotations` | HAProxy template annotations | `{}` | +| `haproxy.customConfig` | Allows for custom config-haproxy.cfg file to be applied. 
If this is used then default config will be overwriten |``| +| `haproxy.extraConfig` | Allows to place any additional configuration section to add to the default config-haproxy.cfg |``| +| `haproxy.resources` | HAProxy resources | `{}` | +| `haproxy.emptyDir` | Configuration of `emptyDir` | `{}` | +| `haproxy.labels` | Labels for the HAProxy pod | `{}` | +| `haproxy.serviceAccountName`| HAProxy serviceAccountName | `default` +| `haproxy.serviceAccount.automountToken` | Opt in/out of automounting API credentials into container | `false` | +| `haproxy.service.type` | HAProxy service type "ClusterIP", "LoadBalancer" or "NodePort" | `ClusterIP` | +| `haproxy.service.nodePort` | HAProxy service nodePort value (haproxy.service.type must be NodePort) | not set | +| `haproxy.image.serviceAccountName`| HAProxy serviceAccountName | `default` +| `haproxy.service.externalTrafficPolicy`| HAProxy service externalTrafficPolicy value (haproxy.service.type must be LoadBalancer) | not set | +| `haproxy.service.annotations` | HAProxy service annotations | `{}` | +| `haproxy.service.labels` | HAProxy service labels | `{}` | +| `haproxy.service.loadBalancerIP` | HAProxy service loadbalancer IP | not set | +| `haproxy.service.externalIPs` | HAProxy external IPs | `{}` | +| `haproxy.stickyBalancing` | HAProxy sticky load balancing to Redis nodes. Helps with connections shutdown. 
| `false` | +| `haproxy.hapreadport.enable` | Enable a read only port for redis slaves | `false` | +| `haproxy.hapreadport.port` | Haproxy port for read only redis slaves | `6380` | +| `haproxy.metrics.enabled` | HAProxy enable prometheus metric scraping | `false` | +| `haproxy.metrics.port` | HAProxy prometheus metrics scraping port | `9101` | +| `haproxy.metrics.portName` | HAProxy metrics scraping port name | `http-exporter-port` | +| `haproxy.metrics.scrapePath` | HAProxy prometheus metrics scraping port | `/metrics` | +| `haproxy.metrics.serviceMonitor.enabled` | Use servicemonitor from prometheus operator for HAProxy metrics | `false` | +| `haproxy.metrics.serviceMonitor.namespace` | Namespace the service monitor for HAProxy metrics is created in | `default` | +| `haproxy.metrics.serviceMonitor.interval` | Scrape interval, If not set, the Prometheus default scrape interval is used | `nil` | +| `haproxy.metrics.serviceMonitor.telemetryPath` | Path to HAProxy metrics telemetry-path | `/metrics` | +| `haproxy.metrics.serviceMonitor.labels` | Labels for the HAProxy metrics servicemonitor passed to Prometheus Operator | `{}` | +| `haproxy.metrics.serviceMonitor.timeout` | How long until a scrape request times out. If not set, the Prometheus default scape timeout is used | `nil` | +| `haproxy.metrics.serviceMonitor.endpointAdditionalProperties` | Set additional properties for the ServiceMonitor endpoints such as relabeling, scrapeTimeout, tlsConfig, and more. 
| `{}` | +| `haproxy.init.resources` | Extra init resources | `{}` | +| `haproxy.timeout.connect` | haproxy.cfg `timeout connect` setting | `4s` | +| `haproxy.timeout.server` | haproxy.cfg `timeout server` setting | `30s` | +| `haproxy.timeout.client` | haproxy.cfg `timeout client` setting | `30s` | +| `haproxy.timeout.check` | haproxy.cfg `timeout check` setting | `2s` | +| `haproxy.checkInterval` | haproxy.cfg `check inter` setting | `1s` | +| `haproxy.checkFall` | haproxy.cfg `check fall` setting | `1` | +| `haproxy.priorityClassName` | priorityClassName for `haproxy` deployment | not set | +| `haproxy.securityContext` | Security context to be added to the HAProxy deployment. | `{runAsUser: 99, fsGroup: 99, runAsNonRoot: true}` | +| `haproxy.containerSecurityContext` | Security context to be added to the HAProxy containers. | `{ runAsNonRoot: true, allowPrivilegeEscalation: false, seccompProfile: { type: RuntimeDefault }, capabilities: { drop: [ "ALL" ] }` | +| `haproxy.hardAntiAffinity` | Whether the haproxy pods should be forced to run on separate nodes. | `true` | +| `haproxy.affinity` | Override all other haproxy affinity settings with a string. | `""` | +| `haproxy.additionalAffinities` | Additional affinities to add to the haproxy server pods. | `{}` | +| `haproxy.tests.resources` | Pod resources for the tests against HAProxy. | `{}` | +| `haproxy.IPv6.enabled` | Disables certain binding options to support non-IPv6 environments. 
| `true` | +| `networkPolicy.enabled` | Create NetworkPolicy for Haproxy pods |`false`| +| `networkPolicy.labels` | Labels for Haproxy NetworkPolicy |`{}`| +| `networkPolicy.annotations` | Annotations for Haproxy NetworkPolicy |`{}`| +| `networkPolicy.ingressRules[].selectors` | Label selector query to define resources for this ingress rule |`[]`| +| `networkPolicy.ingressRules[].ports` | The destination ports for the ingress rule |`[{port: redis.port, protocol: TCP}, {port: sentinel.port, protocol: TCP}]`| +| `networkPolicy.egressRules[].selectors` | Label selector query to define resources for this egress rule |`[]`| +| `networkPolicy.egressRules[].ports` | The destination ports for the egress rule |``| +| `podDisruptionBudget` | Pod Disruption Budget rules | `{}` | +| `nameOverride` | Override the chart name | `""` | +| `fullnameOverride` | Fully override the release name and chart name | `""` | +| `priorityClassName` | priorityClassName for `redis-ha-statefulset` | not set | +| `hostPath.path` | Use this path on the host for data storage | not set | +| `hostPath.chown` | Run an init-container as root to set ownership on the hostPath | `true` | +| `sysctlImage.enabled` | Enable an init container to modify Kernel settings | `false` | +| `sysctlImage.command` | sysctlImage command to execute | [] | +| `sysctlImage.registry` | sysctlImage Init container registry | `docker.io` | +| `sysctlImage.repository` | sysctlImage Init container name | `busybox` | +| `sysctlImage.tag` | sysctlImage Init container tag | `1.31.1` | +| `sysctlImage.pullPolicy` | sysctlImage Init container pull policy | `Always` | +| `sysctlImage.mountHostSys`| Mount the host `/sys` folder to `/host-sys` | `false` | +| `sysctlImage.resources` | sysctlImage resources | `{}` | +| `schedulerName` | Alternate scheduler name | `nil` | +| `tls.secretName` | The name of secret if you want to use your own TLS certificates. 
The secret should contains keys named by "tls.certFile" - the certificate, "tls.keyFile" - the private key, "tls.caCertFile" - the certificate of CA and "tls.dhParamsFile" - the dh parameter file | ``| +| `tls.certFile` | Name of certificate file | `redis.crt` | +| `tls.keyFile` | Name of key file | `redis.key` | +| `tls.dhParamsFile` | Name of Diffie-Hellman (DH) key exchange parameters file |`` | +| `tls.caCertFile` | Name of CA certificate file | `ca.crt` | +| `restore.s3.source` | Restore init container - AWS S3 location of dump - i.e. s3://bucket/dump.rdb | `false` | +| `restore.existingSecret` | Set to true to use existingSecret for the AWS S3 or SSH credentials | `false` | +| `topologySpreadConstraints.enabled` | Enable topology spread constraints |`false`| +| `topologySpreadConstraints.maxSkew` | Max skew of pods tolerated |`1`| +| `topologySpreadConstraints.topologyKey` | Topology key for spread |`topology.kubernetes.io/zone`| +| `topologySpreadConstraints.whenUnsatisfiable` | Enforcement policy, hard or soft |`ScheduleAnyway`| +| `restore.s3.access_key` | Restore init container - AWS AWS_ACCESS_KEY_ID to access restore.s3.source |``| +| `restore.s3.secret_key` | Restore init container - AWS AWS_SECRET_ACCESS_KEY to access restore.s3.source |``| +| `restore.s3.region` | Restore init container - AWS AWS_REGION to access restore.s3.source |``| +| `restore.ssh.source` | Restore init container - SSH scp location of dump - i.e. user@server:/path/dump.rdb | `false` | +| `restore.ssh.key` | Restore init container - SSH private key to scp restore.ssh.source to init container. Key should be in one line separated with \n. i.e. 
-----BEGIN RSA PRIVATE KEY-----\n...\n...\n-----END RSA PRIVATE KEY----- |`` | +| `extraContainers` | Extra containers to include in StatefulSet |`[]`| +| `extraInitContainers` | Extra init containers to include in StatefulSet |`[]`| +| `extraVolumes` | Extra volumes to include in StatefulSet |`[]`| +| `extraLabels` | Labels that should be applied to all created resources |`{}`| +| `networkPolicy.enabled` | Create NetworkPolicy for Redis StatefulSet pods |`false`| +| `networkPolicy.labels` | Labels for NetworkPolicy |`{}`| +| `networkPolicy.annotations` | Annotations for NetworkPolicy |`{}`| +| `networkPolicy.ingressRules[].selectors` | Label selector query to define resources for this ingress rule |`[]`| +| `networkPolicy.ingressRules[].ports` | The destination ports for the ingress rule |`[{port: redis.port, protocol: TCP}, {port: sentinel.port, protocol: TCP}]`| +| `networkPolicy.egressRules[].selectors` | Label selector query to define resources for this egress rule |`[]`| +| `networkPolicy.egressRules[].ports` | The destination ports for the egress rule |``| +| `splitBrainDetection.interval` | Interval between redis sentinel and server split brain checks (in seconds) |`60`| +| `splitBrainDetection.resources` | splitBrainDetection resources |`{}`| Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, diff --git a/charts/redis-ha/templates/_configs.tpl b/charts/redis-ha/templates/_configs.tpl index 459e78a..40c507c 100644 --- a/charts/redis-ha/templates/_configs.tpl +++ b/charts/redis-ha/templates/_configs.tpl @@ -643,11 +643,12 @@ {{- end}} ping ) - if [ "$response" != "PONG" ] && [ "${response:0:7}" != "LOADING" ] ; then - echo "$response" - exit 1 - fi echo "response=$response" + case $response in + PONG|LOADING*) ;; + *) exit 1 ;; + esac + exit 0 {{- end }} {{- define "redis_readiness.sh" }} 
@@ -668,10 +669,39 @@ ping ) if [ "$response" != "PONG" ] ; then - echo "$response" + echo "ping=$response" + exit 1 + fi + + response=$( + redis-cli \ + {{- if .Values.auth }} + -a "${AUTH}" --no-auth-warning \ + {{- end }} + -h localhost \ + {{- if ne (int .Values.redis.port) 0 }} + -p {{ .Values.redis.port }} \ + {{- else }} + -p {{ .Values.redis.tlsPort }} ${TLS_CLIENT_OPTION} \ + {{- end}} + role + ) + role=$( echo "$response" | sed "1!d" ) + if [ "$role" = "master" ]; then + echo "role=$role" + exit 0 + elif [ "$role" = "slave" ]; then + repl=$( echo "$response" | sed "4!d" ) + echo "role=$role; repl=$repl" + if [ "$repl" = "connected" ]; then + exit 0 + else + exit 1 + fi + else + echo "role=$role" exit 1 fi - echo "response=$response" {{- end }} {{- define "sentinel_liveness.sh" }} diff --git a/charts/redis-ha/templates/_helpers.tpl b/charts/redis-ha/templates/_helpers.tpl index ebae05b..047e05f 100644 --- a/charts/redis-ha/templates/_helpers.tpl +++ b/charts/redis-ha/templates/_helpers.tpl 
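Review bot: The replica branch of the readiness check fails for any link state other than `connected`, which includes the state reported while a replica is still performing its initial full synchronisation, and the statefulset hunk `@@ -301,6 +307,20 @@` in this diff wires the same `/health/redis_readiness.sh` into the new startupProbe. A startup probe that fails `failureThreshold` times restarts the container, so a replica whose initial sync outlasts `failureThreshold * periodSeconds` (30 s with the `redis.startupProbe` defaults added to values.yaml here) would be restarted before it can ever become ready; consider a dedicated startup script that only checks for `PONG`, or document that `redis.startupProbe.failureThreshold` must cover the worst-case sync time. The script reads line 4 of the `role` reply as the link state without saying so; a comment such as `# role reply for a replica: slave / master host / master port / link state / offset` above the `sed "4!d"` would make that assumption visible. The start of the `redis_readiness.sh` script body lies outside the hunk.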
@@ -92,3 +92,39 @@ Return the appropriate apiVersion for poddisruptionbudget.
 {{- print "policy/v1beta1" -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+
+{{- if (((.context.Values.global).compatibility).openshift) -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "compatibility.isOpenshift" .context)) -}}
+ {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .secContext.seLinuxOptions -}}
+ {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{/* Remove fields that are disregarded when running the container in privileged mode */}}
+{{- if $adaptedContext.privileged -}}
+ {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
\ No newline at end of file
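Review bot: The usage comment on the first helper names `common.compatibility.isOpenshift`, but the template is defined as `compatibility.isOpenshift`; anyone copying the documented include gets a template-not-found error, so the comment should read `{{- include "compatibility.isOpenshift" . -}}`. The OpenShift branch strips `fsGroup`, `runAsUser` and `runAsGroup` while leaving `runAsNonRoot` in place, which is what keeps the non-root guarantee; the header comment would be clearer if it stated that only the numeric IDs are dropped and that any `adaptSecurityContext` value other than `force` or `auto` leaves the context untouched. The file also ends without a trailing newline (`\ No newline at end of file`).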
diff --git a/charts/redis-ha/templates/redis-ha-network-policy.yaml b/charts/redis-ha/templates/redis-ha-network-policy.yaml index 176d91b..8f688ca 100644 --- a/charts/redis-ha/templates/redis-ha-network-policy.yaml +++ b/charts/redis-ha/templates/redis-ha-network-policy.yaml @@ -35,13 +35,6 @@ spec: protocol: TCP - port: {{ .Values.sentinel.port }} protocol: TCP - - to: - - namespaceSelector: {} - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP {{- range $rule := .Values.networkPolicy.egressRules }} - to: {{ (tpl (toYaml $rule.selectors) $) | indent 7 }} diff --git a/charts/redis-ha/templates/redis-ha-serviceaccount.yaml b/charts/redis-ha/templates/redis-ha-serviceaccount.yaml index e8894c1..9e1b21e 100644 --- a/charts/redis-ha/templates/redis-ha-serviceaccount.yaml +++ b/charts/redis-ha/templates/redis-ha-serviceaccount.yaml @@ -12,6 +12,10 @@ metadata: {{- range $key, $value := .Values.extraLabels }} {{ $key }}: {{ $value | quote }} {{- end }} +{{- if .Values.serviceAccount.annotations }} + annotations: +{{ toYaml .Values.serviceAccount.annotations | indent 4 }} +{{- end }} {{- if or .Values.auth .Values.sentinel.auth }} secrets: {{- end }} diff --git a/charts/redis-ha/templates/redis-ha-statefulset.yaml b/charts/redis-ha/templates/redis-ha-statefulset.yaml index 610358c..8f247e6 100644 --- a/charts/redis-ha/templates/redis-ha-statefulset.yaml +++ b/charts/redis-ha/templates/redis-ha-statefulset.yaml @@ -24,6 +24,9 @@ spec: podManagementPolicy: {{ .Values.podManagementPolicy }} updateStrategy: type: {{ .Values.redis.updateStrategy.type }} + {{- if .Values.redis.minReadySeconds }} + minReadySeconds: {{ .Values.redis.minReadySeconds }} + {{- end }} template: metadata: annotations: 
@@ -105,7 +108,7 @@ spec: {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} {{- end }} - securityContext: {{ toYaml .Values.securityContext | nindent 8 }} + securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.securityContext "context" $) | nindent 8 }} serviceAccountName: {{ template "redis-ha.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.serviceAccount.automountToken }} initContainers: @@ -120,12 +123,12 @@ spec: mountPath: /host-sys {{- end }} command: {{ toYaml .Values.sysctlImage.command | nindent 10 }} - securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }} + securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }} {{- end }} {{- if and .Values.hostPath.path .Values.hostPath.chown }} - name: hostpath-chown image: {{ .Values.image.repository }}:{{ .Values.image.tag }} - securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }} + securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }} command: - chown - "{{ .Values.containerSecurityContext.runAsUser }}" @@ -143,7 +146,7 @@ spec: - sh args: - /readonly-config/init.sh - securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }} + securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }} env: {{- $replicas := int (toString .Values.replicas) -}} {{- range $i := until $replicas }} 
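Review bot: In the `hostpath-chown` init container of hunk `@@ -120,12 +123,12 @@` the `chown` argument still expands `.Values.containerSecurityContext.runAsUser` directly, while the securityContext on the line above it is now rendered through `compatibility.renderSecurityContext`, which drops `runAsUser` when the OpenShift adaptation is active (`adaptSecurityContext` set to `force`, or `auto` on a cluster exposing `security.openshift.io/v1`). In that configuration the hostPath is chowned to the configured UID (1000 per the README defaults) while the Redis container runs under whatever UID the SCC assigns, so the ownership fix may no longer match the process owner; either skip the chown when the context was adapted or derive the owner from the rendered context. The pod spec and the init container list begin outside the hunk.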
@@ -231,7 +234,7 @@ spec: && if test -s /data/dump.rdb; \ then cp -v /data/dump.rdb /data/dump.rdb_orig; fi \ && mv -v /data/dump.rdb_ /data/dump.rdb" - securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }} + securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }} envFrom: - secretRef: {{- if .Values.restore.existingSecret }} @@ -262,7 +265,7 @@ spec: {{- else }} - /data/conf/redis.conf {{- end }} - securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }} + securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }} {{- if .Values.auth }} env: - name: AUTH @@ -279,6 +282,7 @@ spec: envFrom: {{ toYaml .Values.redis.envFrom | indent 10 }} {{- end }} + {{- if .Values.redis.livenessProbe.enabled }} livenessProbe: initialDelaySeconds: {{ .Values.redis.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.redis.livenessProbe.periodSeconds }} @@ -290,6 +294,8 @@ spec: - sh - -c - /health/redis_liveness.sh + {{- end }} + {{- if .Values.redis.readinessProbe.enabled }} readinessProbe: initialDelaySeconds: {{ .Values.redis.readinessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.redis.readinessProbe.periodSeconds }} @@ -301,6 +307,20 @@ spec: - sh - -c - /health/redis_readiness.sh + {{- end }} + {{- if .Values.redis.startupProbe.enabled }} + startupProbe: + initialDelaySeconds: {{ .Values.redis.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.redis.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.redis.startupProbe.timeoutSeconds }} + successThreshold: {{ .Values.redis.startupProbe.successThreshold }} + failureThreshold: {{ .Values.redis.startupProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/redis_readiness.sh + {{- end }} resources: {{ toYaml .Values.redis.resources | indent 10 }} ports: 
@@ -333,10 +353,18 @@ spec: image: {{ .Values.image.repository }}:{{ .Values.image.tag }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: + {{- if .Values.sentinel.customCommand }} +{{ toYaml .Values.sentinel.customCommand | indent 10 }} + {{- else }} - redis-sentinel + {{- end }} args: + {{- if .Values.sentinel.customArgs }} +{{ toYaml .Values.sentinel.customArgs | indent 10 }} + {{- else }} - /data/conf/sentinel.conf - securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }} + {{- end }} + securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }} {{- if or .Values.auth .Values.sentinel.auth}} env: {{- if .Values.auth }} @@ -362,6 +390,7 @@ spec: key: {{ .Values.sentinel.authKey }} {{- end }} {{- end }} + {{- if .Values.sentinel.livenessProbe.enabled }} livenessProbe: initialDelaySeconds: {{ .Values.sentinel.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.sentinel.livenessProbe.periodSeconds }} @@ -373,6 +402,8 @@ spec: - sh - -c - /health/sentinel_liveness.sh + {{- end }} + {{- if .Values.sentinel.readinessProbe.enabled }} readinessProbe: initialDelaySeconds: {{ .Values.sentinel.readinessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.sentinel.readinessProbe.periodSeconds }} @@ -384,6 +415,20 @@ spec: - sh - -c - /health/sentinel_liveness.sh + {{- end }} + {{- if .Values.sentinel.startupProbe.enabled }} + startupProbe: + initialDelaySeconds: {{ .Values.sentinel.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.sentinel.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.sentinel.startupProbe.timeoutSeconds }} + successThreshold: {{ .Values.sentinel.startupProbe.successThreshold }} + failureThreshold: {{ .Values.sentinel.startupProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/sentinel_liveness.sh + {{- end }} resources: {{ toYaml .Values.sentinel.resources | indent 10 }} ports: 
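Review bot: The new `{{- if .Values.sentinel.startupProbe.enabled }}` guard in hunk `@@ -384,6 +415,20 @@` dereferences a nested key that must exist in values.yaml; the values.yaml hunks visible in this diff add `enabled: true` under `sentinel.livenessProbe` and `sentinel.readinessProbe` but no `sentinel.startupProbe` block is visible here, and if it is not defined further down that file `helm template` fails with a nil-pointer error on `.enabled`. Writing the condition as `{{- if (.Values.sentinel.startupProbe).enabled }}`, the same nil-tolerant form the new `compatibility.renderSecurityContext` helper uses, avoids the hard failure for users whose values files predate this change. The sentinel container definition starts outside the hunk.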
@@ -417,7 +462,7 @@ spec: - sh args: - /readonly-config/fix-split-brain.sh - securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }} + securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }} env: {{- $replicas := int (toString .Values.replicas) -}} {{- range $i := until $replicas }} @@ -467,7 +512,7 @@ spec: {{- range $key, $value := .Values.exporter.extraArgs }} - --{{ $key }}={{ $value }} {{- end }} - securityContext: {{ toYaml .Values.containerSecurityContext | nindent 10 }} + securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }} env: - name: REDIS_ADDR {{- if .Values.exporter.sslEnabled }} @@ -520,9 +565,9 @@ spec: {{- if .Values.extraContainers }} {{- toYaml .Values.extraContainers | nindent 6 }} {{- end -}} -{{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} -{{- end }} + {{- with .Values.priorityClassName | default .Values.global.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} volumes: - name: config configMap: @@ -558,7 +603,9 @@ spec: {{- end -}} {{- if .Values.persistentVolume.enabled }} volumeClaimTemplates: - - metadata: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: name: data annotations: {{- range $key, $value := .Values.persistentVolume.annotations }} diff --git a/charts/redis-ha/templates/redis-haproxy-deployment.yaml b/charts/redis-ha/templates/redis-haproxy-deployment.yaml index f67f6d9..f868612 100644 --- a/charts/redis-ha/templates/redis-haproxy-deployment.yaml +++ b/charts/redis-ha/templates/redis-haproxy-deployment.yaml 
@@ -49,7 +49,8 @@ spec: {{- else }} serviceAccountName: {{ .Values.haproxy.serviceAccountName }} {{- end }} - securityContext: {{ toYaml .Values.haproxy.securityContext | nindent 8 }} + securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.haproxy.securityContext "context" $) | nindent 8 }} + automountServiceAccountToken: {{ .Values.haproxy.serviceAccount.automountToken }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} tolerations: @@ -102,7 +103,7 @@ spec: - sh args: - /readonly/haproxy_init.sh - securityContext: {{ toYaml .Values.haproxy.containerSecurityContext | nindent 10 }} + securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.haproxy.containerSecurityContext "context" $) | nindent 10 }} volumeMounts: - name: config-volume mountPath: /readonly @@ -116,7 +117,7 @@ spec: - name: haproxy image: {{ .Values.haproxy.image.repository }}:{{ .Values.haproxy.image.tag }} imagePullPolicy: {{ .Values.haproxy.image.pullPolicy }} - securityContext: {{ toYaml .Values.haproxy.containerSecurityContext | nindent 10 }} + securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.haproxy.containerSecurityContext "context" $) | nindent 10 }} {{- if or .Values.auth .Values.sentinel.auth}} env: {{- if .Values.auth }} @@ -178,9 +179,9 @@ spec: {{- end }} lifecycle: {{ toYaml .Values.haproxy.lifecycle | indent 10 }} -{{- if .Values.haproxy.priorityClassName }} - priorityClassName: {{ .Values.haproxy.priorityClassName }} -{{- end }} + {{- with .Values.haproxy.priorityClassName | default .Values.global.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} volumes: {{- if .Values.haproxy.tls.enabled }} - name: pemfile diff --git a/charts/redis-ha/templates/tests/test-redis-ha-configmap.yaml b/charts/redis-ha/templates/tests/test-redis-ha-configmap.yaml index d85f033..fbf31ad 100644 --- a/charts/redis-ha/templates/tests/test-redis-ha-configmap.yaml 
+++ b/charts/redis-ha/templates/tests/test-redis-ha-configmap.yaml @@ -21,7 +21,7 @@ spec: mountPath: /readonly-config readOnly: true resources: {{ toYaml .Values.configmapTest.resources | nindent 6 }} - securityContext: {{ toYaml .Values.containerSecurityContext | nindent 6 }} + securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 6 }} {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 4 }} {{- end }} diff --git a/charts/redis-ha/templates/tests/test-redis-ha-pod.yaml b/charts/redis-ha/templates/tests/test-redis-ha-pod.yaml index d8b92f9..ac0c84e 100644 --- a/charts/redis-ha/templates/tests/test-redis-ha-pod.yaml +++ b/charts/redis-ha/templates/tests/test-redis-ha-pod.yaml @@ -21,7 +21,7 @@ spec: - -c - redis-cli -h {{ template "redis-ha.fullname" . }}-haproxy -p {{ .Values.redis.port }} info server resources: {{ toYaml .Values.haproxy.tests.resources | nindent 6 }} - securityContext: {{ toYaml .Values.containerSecurityContext | nindent 6 }} + securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 6 }} {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 4 }} {{- end }} diff --git a/charts/redis-ha/values.yaml b/charts/redis-ha/values.yaml index 21a98e6..23e7ff2 100644 --- a/charts/redis-ha/values.yaml +++ b/charts/redis-ha/values.yaml @@ -1,3 +1,11 @@ +## Globally shared configuration +global: + # -- Default priority class for all components + priorityClassName: "" + compatibility: + openshift: + adaptSecurityContext: auto + ## Configure resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## 
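Review bot: `adaptSecurityContext: auto` is introduced in the values.yaml hunk `@@ -1,3 +1,11 @@` without a comment naming its accepted values, yet it is the knob that decides whether `runAsUser`, `runAsGroup` and `fsGroup` are stripped from every securityContext in the chart. Following the helm-docs style used on the sibling `priorityClassName` key, add `# -- Adapt securityContexts for OpenShift: "auto" (only when the security.openshift.io/v1 API is present), "force" (always); any other value leaves them unchanged` above it. The `priorityClassName` comment could also say that the global value is only a fallback used when the component-level `priorityClassName` is empty, which is how the statefulset and haproxy templates consume it.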
@@ -68,6 +76,8 @@ serviceAccount:
 # -- opt in/out of automounting API credentials into container.
 # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
 automountToken: false
+ # Annotations to be added to the service account for the redis statefulset
+ annotations: {}

 ## Enables a HA Proxy for better LoadBalancing / Sentinel Master support. Automatically proxies to Redis master.
 ## Recommend for externally exposed Redis clusters.
@@ -165,6 +175,8 @@ haproxy:
 serviceAccount:
 # -- Specifies whether a ServiceAccount should be created
 create: true
+ automountToken: false
+
 ## Official HAProxy embedded prometheus metrics settings.
 ## Ref: https://github.com/haproxy/haproxy/tree/master/contrib/prometheus-exporter
 ##
@@ -359,8 +371,10 @@ redis:
 # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination-forced
 terminationGracePeriodSeconds: 60

- # liveness probe parameters for redis container
+ # -- Liveness probe parameters for redis container
 livenessProbe:
+ # -- Enable the Liveness Probe
+ enabled: true
 # -- Initial delay in seconds for liveness probe
 initialDelaySeconds: 30
 # -- Period in seconds after which liveness probe will be repeated
@@ -372,7 +386,10 @@ redis:
 # -- Failure threshold for liveness probe
 failureThreshold: 5

+ # -- Readiness probe parameters for redis container
 readinessProbe:
+ # -- Enable the Readiness Probe
+ enabled: true
 # -- Initial delay in seconds for readiness probe
 initialDelaySeconds: 30
 # -- Period in seconds after which readiness probe will be repeated
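Review bot: `automountToken: false` added under `haproxy.serviceAccount` in the second hunk carries no `# --` comment, while the same key on the redis ServiceAccount in the first hunk is documented (`# -- opt in/out of automounting API credentials into container.` plus the upstream reference). Copy that pair of lines above the new key, adjusted to `# -- opt in/out of automounting API credentials into the haproxy containers.`, so helm-docs picks it up and the README table stays complete. In the first hunk, `# Annotations to be added to the service account for the redis statefulset` should likewise start with `# --`, which is the prefix the rest of this file uses for documented parameters.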
@@ -384,6 +401,21 @@ redis:
 # -- Failure threshold for readiness probe
 failureThreshold: 5

+ # -- Startup probe parameters for redis container
+ startupProbe:
+ # -- Enable Startup Probe
+ enabled: true
+ # -- Initial delay in seconds for startup probe
+ initialDelaySeconds: 5
+ # -- Period in seconds after which startup probe will be repeated
+ periodSeconds: 10
+ # -- Timeout seconds for startup probe
+ timeoutSeconds: 15
+ # -- Success threshold for startup probe
+ successThreshold: 1
+ # -- Failure threshold for startup probe
+ failureThreshold: 3
+
 # -- Array with commands to disable
 disableCommands:
 - FLUSHDB
@@ -477,8 +509,12 @@ sentinel:
 # -- The key holding the sentinel password in an existing secret.
 authKey: sentinel-password

+ customCommand: []
+ customArgs: []
+
 # liveness probe parameters for sentinel container
 livenessProbe:
+ enabled: true
 # -- Initial delay in seconds for liveness probe
 initialDelaySeconds: 30
 # -- Period in seconds after which liveness probe will be repeated
@@ -492,6 +528,7 @@ sentinel:

 # readiness probe parameters for sentinel container
 readinessProbe:
+ enabled: true
 # -- Initial delay in seconds for readiness probe
 initialDelaySeconds: 30
 # -- Period in seconds after which readiness probe will be repeated
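Review bot: The new redis `startupProbe` defaults in the first hunk (`initialDelaySeconds: 5`, `periodSeconds: 10`, `failureThreshold: 3`) give a container roughly 35 seconds to pass before the kubelet kills it, and with `enabled: true` existing releases pick this up on upgrade. A replica loading a large RDB/AOF at start, the very case a startup probe exists to protect, can exceed that window and fall into a restart loop; the liveness probe in this same file already waits 30 s and tolerates `failureThreshold: 5`, so a larger `failureThreshold` here (or at least a note of the ~35 s budget in the `# -- Failure threshold for startup probe` comment) would be consistent. `timeoutSeconds: 15` is also longer than `periodSeconds: 10`, which Kubernetes accepts but which is unusual enough to deserve a comment or a value no larger than the period. The sentinel `startupProbe` added further down in values.yaml uses the same numbers and the same remarks apply there.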
@@ -503,8 +540,24 @@ sentinel:
 # -- Failure threshold for readiness probe
 failureThreshold: 5

- # -- Minimum number of servers necessary to maintain quorum
+ # -- Startup probe parameters for redis container
+ startupProbe:
+ # -- Enable Startup Probe
+ enabled: true
+ # -- Initial delay in seconds for startup probe
+ initialDelaySeconds: 5
+ # -- Period in seconds after which startup probe will be repeated
+ periodSeconds: 10
+ # -- Timeout seconds for startup probe
+ timeoutSeconds: 15
+ # -- Success threshold for startup probe
+ successThreshold: 1
+ # -- Failure threshold for startup probe
+ failureThreshold: 3
+
+ # -- Minimum number of nodes expected to be live.
 quorum: 2
+
 # -- Valid sentinel config options in this section will be applied as config options to each sentinel (see below)
 # @default -- see values.yaml
 config:
@@ -914,7 +967,20 @@ networkPolicy:
 # protocol: TCP

 # -- user can define egress rules too, uses the same structure as ingressRules
- egressRules: []
+ egressRules:
+ - selectors:
+ # -- Allow all destinations for DNS traffic
+ - namespaceSelector: {}
+ - ipBlock:
+ # Cloud Provider often uses the local link local range to host managed DNS resolvers.
+ # We need to allow this range to ensure that the Redis pods can resolve DNS.
+ # Example architecture for GCP Cloud DNS: https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-dns#architecture
+ cidr: 169.254.0.0/16
+ ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP

 splitBrainDetection:
 # -- Interval between redis sentinel and server split brain checks (in seconds)
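Review bot: The header `# -- Startup probe parameters for redis container` on the new sentinel `startupProbe` in the first hunk is copied from the redis section and should read `# -- Startup probe parameters for sentinel container`, matching the sibling `# liveness probe parameters for sentinel container`. The rewritten `quorum` comment, `# -- Minimum number of nodes expected to be live.`, is also misleading: in Redis Sentinel the quorum is the number of Sentinels that must agree the master is unreachable before a failover is authorised, not a count of live nodes, so `# -- Number of sentinels that must agree the master is unreachable before a failover is started.` describes the value that is actually rendered into the sentinel config.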
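Review bot: Changing the `egressRules` default from `[]` to a DNS-only rule set in the networkPolicy hunk is a behaviour change for anyone with `networkPolicy.enabled` set, and nothing in the hunk or its comment says so: if the template lists Egress in `policyTypes` whenever `egressRules` is non-empty (the template is not in this part of the diff, so this is inferred), replica-to-master synchronisation and sentinel-to-redis traffic are now denied until the user adds rules, while previously egress was unrestricted. The `# -- user can define egress rules too` comment should state the consequence, e.g. `# -- Egress rules; the default allows DNS only, so when networkPolicy is enabled add rules for the redis and sentinel ports and any other destinations the pods need.` On the rule itself, `namespaceSelector: {}` with no `podSelector` permits port 53 to every pod in every namespace, and the `169.254.0.0/16` allowance covers the whole link-local range, which on cloud providers also hosts instance-metadata endpoints; the `ports:` restriction to 53 is what keeps that allowance narrow, and a one-line comment saying so would stop a later edit from widening it casually.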