[charts/csm-authorization]: CSM Authorization v2 (#459)
* add proxy-server sa

* [csm-authorization]: Add Vault configuration to storage-service (#350)

* Add Storage and CSMRole CRD into Authorization helm chart. (#305)

* add crds

* change group name

* Revert "change group name"

This reverts commit de262a3.

* vault updates

* vault agent updates

* remove vault configs

* revert to vault client

* configure vault certs

* finish updates

* revert values

* revert values

* revert values

---------

Co-authored-by: Luna Xu <[email protected]>

* customize namespace (#352)

* Update role-service for gitops (#356)

* pass in storage service to role service

* remove duplicate

* add tenant crd (#351)

* add event watch (#396)

* add csmtenants access to proxy-server (#403)

* add csmtenants access to proxy-server

* add csmtenants access to proxy-server

* remove storage service (#411)

* Use default openshift ingress (#414)

* use default openshift ingress

* update comments

* update crds for storage, role, and tenant (#415)

* [KRV-21812] Storage capacity poll interval (#416)

* [KRV-21812] Added storagePollInterval param

* [KRV-21812] Rename param

* [KRV-21812] Move param in config map

* [KRV-21812] Comment

* [KRV-21812] Capitalize parameter

* Sreekb/krv 17923 gitops (#419)

Helm chart update to deploy Redis with sentinels.

* add vault role to values (#422)

* Add snapshot policy and storage service compatibility (#423)

* Add snapshots create policy

* Add clusterroles for storage service

* Add leaderelection arg

* Address PR comments

* Address PR comments

* chart/csm-authorization support authorization-controller deployment in cluster (#429)

* add support for authorization-controller deployment in cluster

* add support for authorization-controller deployment in cluster

* add password to redis commander (#430)

* fix rebase

* address PR comments

---------

Co-authored-by: Luna Xu <[email protected]>
Co-authored-by: shaynafinocchiaro <[email protected]>
Co-authored-by: alikdell <[email protected]>
Co-authored-by: EvgenyUglov <[email protected]>
Co-authored-by: Bharath Sreekanth <[email protected]>
Co-authored-by: Fernando Alfaro Campos <[email protected]>
7 people committed Aug 8, 2024
1 parent 53812b5 commit 63d7919
Showing 20 changed files with 3,740 additions and 107 deletions.
4 changes: 2 additions & 2 deletions charts/csm-authorization/charts/redis/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
name: redis
description: A Helm chart for Redis
name: redis-csm
description: Helm Chart for Redis with Sentinels
type: application
version: 0.1.0
appVersion: 0.1.0
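--- /dev/null
+++ b/charts/csm-authorization/charts/redis/templates/_helpers.tpl
@@ -0,0 +1,9 @@
+{{/*
+Namespace for all resources to be installed into
+If not defined in values file then the helm release namespace is used
+By default this is not set so the helm release namespace will be used
+*/}}
+
+{{- define "custom.namespace" -}}
+{{ .Values.namespace | default .Release.Namespace }}
+{{- end -}}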
2,292 changes: 2,292 additions & 0 deletions charts/csm-authorization/charts/redis/templates/redis-cm.yaml


@@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
metadata:
name: redis-csm-secret
namespace: {{ include "custom.namespace" . }}
type: kubernetes.io/basic-auth
stringData:
password: K@ravi123!
commander_user: dev
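Review bot: The Secret in this hunk ships a fixed credential, `password: K@ravi123!`, inside the chart template itself, so every installation gets the same Redis password and the value is now in git history; redis.yaml also wires that same key into HTTP_PASSWORD for the redis-commander UI, so the exposure is not limited to the Redis port. Both values should come from values or an existing Secret rather than be hard-coded, e.g. `password: {{ required "redis.password must be set" .Values.redis.password | quote }}` and `commander_user: {{ .Values.redis.commanderUser | default "dev" | quote }}`. If a generated fallback is preferred, note that `randAlphaNum` re-rolls on every `helm upgrade` and the `checksum/secret` annotation would then restart every Redis and Sentinel pod, so it needs a `lookup` guard that reuses the existing Secret. The file header for this section is not shown; the path is inferred from the `/redis-secret.yaml` checksum reference in the sibling templates.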
199 changes: 118 additions & 81 deletions charts/csm-authorization/charts/redis/templates/redis.yaml
@@ -1,24 +1,77 @@
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.redis.name }}
namespace: {{ include "custom.namespace" . }}
spec:
type:
clusterIP: None
selector:
app: {{ .Values.redis.name }}
ports:
- protocol: TCP
port: 6379
targetPort: 6379
name: {{ .Values.redis.name }}
---
apiVersion: apps/v1
kind: Deployment
kind: StatefulSet
metadata:
name: redis-primary
name: {{ .Values.redis.name }}
namespace: {{ include "custom.namespace" . }}
labels:
app: redis
spec:
serviceName: {{ .Values.redis.name }}
replicas: {{ .Values.redis.replicas }}
selector:
matchLabels:
app: redis
role: primary
tier: backend
replicas: 1
app: {{ .Values.redis.name }}
template:
metadata:
labels:
app: redis
role: primary
tier: backend
app: {{ .Values.redis.name }}
annotations:
checksum/secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }}
spec:
initContainers:
- name: config
image: {{ .Values.redis.images.redis }}
env:
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: redis-csm-secret
key: password

command: [ "sh", "-c" ]
args:
- |
cp /csm-auth-redis-cm/redis.conf /etc/redis/redis.conf
echo "masterauth $REDIS_PASSWORD" >> /etc/redis/redis.conf
echo "requirepass $REDIS_PASSWORD" >> /etc/redis/redis.conf
echo "Finding master..."
MASTER_FDQN=`hostname -f | sed -e 's/{{ .Values.redis.name }}-[0-9]\./{{ .Values.redis.name }}-0./'`
echo "Master at " $MASTER_FQDN
if [ "$(redis-cli -h sentinel -p 5000 ping)" != "PONG" ]; then
echo "No sentinel found..."
if [ "$(hostname)" = "{{ .Values.redis.name }}-0" ]; then
echo "This is Redis master, not updating redis.conf..."
else
echo "This is Redis replica, updating redis.conf..."
echo "replicaof $MASTER_FDQN 6379" >> /etc/redis/redis.conf
fi
else
echo "Sentinel found, finding master..."
MASTER="$(redis-cli -h sentinel -p 5000 sentinel get-master-addr-by-name mymaster | grep -E '(^redis-csm-\d{1,})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')"
echo "replicaof $MASTER_FDQN 6379" >> /etc/redis/redis.conf
fi
volumeMounts:
- name: redis-primary-volume
mountPath: /data
- name: configmap
mountPath: /csm-auth-redis-cm/
- name: config
mountPath: /etc/redis/
containers:
- name: primary
image: {{ .Values.images.redis.image }}
Expand All @@ -30,85 +83,82 @@ spec:
memory: 100Mi
ports:
- containerPort: 6379
name: {{ .Values.redis.name }}
volumeMounts:
- name: redis-primary-volume
mountPath: /data
volumes:
- name: redis-primary-volume
persistentVolumeClaim:
claimName: redis-primary-pv-claim
---
{{- if not (.Values.storageClass) }}
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: csm-authorization-local-storage
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer

---
apiVersion: v1
kind: PersistentVolume
metadata:
name: csm-authorization-redis
spec:
capacity:
storage: 8Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Recycle
storageClassName: csm-authorization-local-storage
hostPath:
path: /csm-authorization/redis
{{- end}}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: redis-primary-pv-claim
namespace: {{ include "custom.namespace" . }}
labels:
app: redis-primary
spec:
accessModes:
- ReadWriteOnce
{{- if (.Values.storageClass) }}
storageClassName: {{.Values.storageClass }}
{{ else }}
storageClassName: csm-authorization-local-storage
{{- end}}
resources:
requests:
storage: 8Gi
mountPath: /data
- name: configmap
mountPath: /csm-auth-redis-cm/
- name: config
mountPath: /etc/redis/
volumes:
- name: redis-primary-volume
emptyDir: {}
- name: config
emptyDir: {}
- name: configmap
configMap:
name: redis-csm-cm
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis-commander
name: {{ .Values.redis.rediscommander }}
namespace: {{ include "custom.namespace" . }}
spec:
replicas: 1
selector:
matchLabels:
app: redis-commander
app: {{ .Values.redis.rediscommander }}
template:
metadata:
labels:
app: redis-commander
app: {{ .Values.redis.rediscommander }}
tier: backend
annotations:
checksum/secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }}
spec:
containers:
- name: redis-commander
image: {{ .Values.images.commander.image }}
imagePullPolicy: IfNotPresent
env:
- name: REDIS_HOSTS
value: "rbac:redis.{{ include "custom.namespace" . }}.svc.cluster.local:6379"
{{- $str := "" -}}
{{- $ns := include "custom.namespace" . -}}
{{- $replicas := .Values.redis.replicas | int }}
{{- $sentinel := .Values.redis.sentinel }}
{{- range $i, $e := until $replicas }}
{{- if $i }}
{{- $str = print $str "," -}}
{{- end }}
{{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}}
{{- end }}
- name: SENTINELS
value: {{ $str | quote }}
- name: K8S_SIGTERM
value: "1"
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: redis-csm-secret
key: password
- name: SENTINEL_PASSWORD
valueFrom:
secretKeyRef:
name: redis-csm-secret
key: password
- name: HTTP_PASSWORD
valueFrom:
secretKeyRef:
name: redis-csm-secret
key: password
- name: HTTP_USER
valueFrom:
secretKeyRef:
name: redis-csm-secret
key: commander_user
ports:
- name: redis-commander
- name: {{ .Values.redis.rediscommander }}
containerPort: 8081
livenessProbe:
httpGet:
Expand All @@ -131,24 +181,11 @@ spec:
apiVersion: v1
kind: Service
metadata:
name: redis
namespace: {{ include "custom.namespace" . }}
spec:
selector:
app: redis
ports:
- protocol: TCP
port: 6379
targetPort: 6379
---
apiVersion: v1
kind: Service
metadata:
name: redis-commander
name: {{ .Values.redis.rediscommander }}
namespace: {{ include "custom.namespace" . }}
spec:
selector:
app: redis-commander
app: {{ .Values.redis.rediscommander }}
ports:
- protocol: TCP
port: 8081
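Review bot: In the StatefulSet init container, the sentinel branch computes `MASTER` from `sentinel get-master-addr-by-name` but the next line still writes `replicaof $MASTER_FDQN 6379`, so after a failover a restarted pod replicates from pod-0 regardless of which node is master, and a restarted pod-0 ends up with `replicaof` pointing at its own address. That line should be `echo "replicaof $MASTER 6379" >> /etc/redis/redis.conf`, and the grep that extracts the address hard-codes `redis-csm-` where `{{ .Values.redis.name }}-` is used everywhere else (likewise `-h sentinel` should be `{{ .Values.redis.sentinel }}`, or the probe never finds a Sentinel under a non-default name). Separately, `echo "Master at " $MASTER_FQDN` reads a variable that is never assigned (`MASTER_FDQN` is the one set on the line above), so that log line is always empty. The data volume on the StatefulSet side appears to be `emptyDir: {}` rather than the earlier PVC, which means a simultaneous restart of all replicas loses the authorization state; if that is intentional it deserves a comment in values.yaml.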
111 changes: 111 additions & 0 deletions charts/csm-authorization/charts/redis/templates/sentinel.yaml
@@ -0,0 +1,111 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ .Values.redis.sentinel }}
spec:
serviceName: {{ .Values.redis.sentinel }}
replicas: {{ .Values.redis.replicas }}
selector:
matchLabels:
app: {{ .Values.redis.sentinel }}
template:
metadata:
labels:
app: {{ .Values.redis.sentinel }}
annotations:
checksum/secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }}
spec:
initContainers:
- name: config
image: {{ .Values.redis.images.redis }}
command: [ "sh", "-c" ]
env:
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: redis-csm-secret
key: password
args:
- |
replicas=$( expr {{ .Values.redis.replicas | int }} - 1)
for i in $(seq 0 $replicas)
do
node=$( echo "{{ .Values.redis.name }}-$i.{{ .Values.redis.name }}" )
nodes=$( echo "$nodes*$node" )
done
loop=$(echo $nodes | sed -e "s/"*"/\n/g")
for i in $loop
do
echo "Finding master at $i"
MASTER=$(redis-cli --no-auth-warning --raw -h $i -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2)
if [ "$MASTER" = "" ]; then
echo "Master not found..."
echo "Sleeping 5 seconds for pods to come up..."
sleep 5
MASTER=
else
echo "Master found at $MASTER..."
break
fi
done
echo "sentinel monitor mymaster $MASTER 6379 2" >> /tmp/master
echo "port 5000
sentinel resolve-hostnames yes
sentinel announce-hostnames yes
$(cat /tmp/master)
sentinel down-after-milliseconds mymaster 5000
sentinel failover-timeout mymaster 60000
sentinel parallel-syncs mymaster 2
sentinel auth-pass mymaster $REDIS_PASSWORD
" > /etc/redis/sentinel.conf
cat /etc/redis/sentinel.conf
volumeMounts:
- name: redis-config
mountPath: /etc/redis/
containers:
- name: sentinel
image: {{ .Values.redis.images.redis }}
command: ["redis-sentinel"]
args: ["/etc/redis/sentinel.conf"]
ports:
- containerPort: 5000
name: {{ .Values.redis.sentinel }}
volumeMounts:
- name: redis-config
mountPath: /etc/redis/
- name: data
mountPath: /data
volumes:
- name: redis-config
emptyDir: {}
- name: data
emptyDir : {}
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.redis.sentinel }}
spec:
clusterIP: None
ports:
- port: 5000
targetPort: 5000
name: sentinel
selector:
app: sentinel
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.redis.sentinel }}-svc
spec:
type: NodePort
ports:
- port: 5000
targetPort: 5000
nodePort: 32003
name: {{ .Values.redis.sentinel }}-svc
selector:
app: {{ .Values.redis.sentinel }}
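Review bot: The second Service at the end of this file exposes Sentinel on `nodePort: 32003` on every node, while the sentinel.conf written by the init container has no `requirepass`, so anyone who can reach a node port can issue `SENTINEL FAILOVER` or `SENTINEL SET` against the authorization service's Redis; the redis-commander deployment already passes a SENTINEL_PASSWORD from the same Secret, which suggests an authenticated Sentinel was the intent. Add `requirepass $REDIS_PASSWORD` (and, on Redis 6.2+, `sentinel sentinel-pass $REDIS_PASSWORD` for sentinel-to-sentinel auth) to the heredoc, update the unauthenticated `redis-cli -h sentinel -p 5000` probes in redis.yaml to match, and either drop the NodePort Service or gate it behind a values flag. The `-a $REDIS_PASSWORD` on the `redis-cli info replication` call also places the password in process arguments visible to `ps`; setting `REDISCLI_AUTH` via `env` avoids that. Finally, the headless Service selects the literal `app: sentinel` while the pods are labelled `app: {{ .Values.redis.sentinel }}`, so StatefulSet pod DNS only works when the value happens to be `sentinel`, and none of the three objects here set `namespace: {{ include "custom.namespace" . }}` as redis.yaml does.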
