[charts/csm-authorization]: CSM Authorization v2 (#459)

* add proxy-server sa * [csm-authorization]: Add Vault configuration to storage-service (#350) * Add Storage and CSMRole CRD into Authorization helm chart. (#305) * add crds * change group name * Revert "change group name" This reverts commit de262a3. * vault updates * vault agent updates * remove vault configs * revert to vautl client * configure vault certs * finish updates * revert values * revert values * revert values --------- Co-authored-by: Luna Xu <10015938+xuluna@users.noreply.github.com> * customize namespace (#352) * Update role-service for gitops (#356) * pass in storage service to role service * remove duplicate * add tenant crd (#351) * add event watch (#396) * add csmtenants access to proxy-server (#403) * add csmtenants access to proxy-server * add csmtenants access to proxy-server * remove storage service (#411) * Use default openshift ingress (#414) * use default openshift ingress * update comments * update crds for storage, role, and tenant (#415) * [KRV-21812] Storage capacity poll interval (#416) * [KRV-21812] Added storagePollInterval param * [KRV-21812] Rename param * [KRV-21812] Move param in config map * [KRV-21812] Comment * [KRV-21812] Capitalize parameter * Sreekb/krv 17923 gitops (#419) Helm chart update to deploy Redis with sentinels. * add vault role to values (#422) * Add snapshot policy and storage service compatibility (#423) * Add snapshots create policy * Add clusterroles for storage service * Add leaderelection arg * Address PR comments * Address PR comments * chart/csm-authorization support authorization-controller deployment in cluster (#429) * add support for authorization-controller deployment in cluster * add support for authorization-controller deployment in cluster * add password to redis commander (#430) * fix rebase * address PR comments --------- Co-authored-by: Luna Xu <10015938+xuluna@users.noreply.github.com> Co-authored-by: shaynafinocchiaro <shayna_finocchiaro@dell.com> Co-authored-by: alikdell <52920355+alikdell@users.noreply.github.com> Co-authored-by: EvgenyUglov <63835199+EvgenyUglov@users.noreply.github.com> Co-authored-by: Bharath Sreekanth <93715158+bharathsreekanth@users.noreply.github.com> Co-authored-by: Fernando Alfaro Campos <falfarocampos@outlook.com>
dell · Aug 8, 2024 · 63d7919 · 63d7919
1 parent 53812b5
commit 63d7919
Show file tree

Hide file tree

Showing 20 changed files with 3,740 additions and 107 deletions.
diff --git a/charts/csm-authorization/charts/redis/Chart.yaml b/charts/csm-authorization/charts/redis/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-name: redis
-description: A Helm chart for Redis
+name: redis-csm
+description: Helm Chart for Redis with Sentinels
 type: application
 version: 0.1.0
 appVersion: 0.1.0
diff --git a/charts/csm-authorization/charts/redis/templates/_helpers.tpl b/charts/csm-authorization/charts/redis/templates/_helpers.tpl
@@ -0,0 +1,9 @@
+{{/*
+Namespace for all resources to be installed into
+If not defined in values file then the helm release namespace is used
+By default this is not set so the helm release namespace will be used
+*/}}
+
+{{- define "custom.namespace" -}}
+	{{ .Values.namespace | default .Release.Namespace }}
+{{- end -}}
diff --git a/charts/csm-authorization/charts/redis/templates/redis-cm.yaml b/charts/csm-authorization/charts/redis/templates/redis-cm.yaml
diff --git a/charts/csm-authorization/charts/redis/templates/redis-secret.yaml b/charts/csm-authorization/charts/redis/templates/redis-secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: redis-csm-secret
+  namespace: {{ include "custom.namespace" . }}
+type: kubernetes.io/basic-auth
+stringData:
+  password: K@ravi123!
+  commander_user: dev
diff --git a/charts/csm-authorization/charts/redis/templates/redis.yaml b/charts/csm-authorization/charts/redis/templates/redis.yaml
@@ -1,24 +1,77 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.redis.name }}
+  namespace: {{ include "custom.namespace" . }}
+spec:
+  type:
+  clusterIP: None
+  selector:
+    app: {{ .Values.redis.name }}
+  ports:
+  - protocol: TCP
+    port: 6379
+    targetPort: 6379
+    name: {{ .Values.redis.name }}
+---
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
-  name: redis-primary
+  name: {{ .Values.redis.name }}
   namespace: {{ include "custom.namespace" . }}
-  labels:
-    app: redis
 spec:
+  serviceName: {{ .Values.redis.name }}
+  replicas: {{ .Values.redis.replicas }}
   selector:
     matchLabels:
-      app: redis
-      role: primary
-      tier: backend
-  replicas: 1
+      app: {{ .Values.redis.name }}
   template:
     metadata:
       labels:
-        app: redis
-        role: primary
-        tier: backend
+        app: {{ .Values.redis.name }}
+      annotations:
+        checksum/secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }}
     spec:
+      initContainers:
+      - name: config
+        image: {{ .Values.redis.images.redis }}
+        env:
+          - name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: redis-csm-secret
+                key: password
+
+        command: [ "sh", "-c" ]
+        args:
+          - |
+            cp /csm-auth-redis-cm/redis.conf /etc/redis/redis.conf
+            echo "masterauth $REDIS_PASSWORD" >> /etc/redis/redis.conf
+            echo "requirepass $REDIS_PASSWORD" >> /etc/redis/redis.conf
+
+            echo "Finding master..."
+            MASTER_FDQN=`hostname  -f | sed -e 's/{{ .Values.redis.name }}-[0-9]\./{{ .Values.redis.name }}-0./'`
+            echo "Master at " $MASTER_FQDN
+            if [ "$(redis-cli -h sentinel -p 5000 ping)" != "PONG" ]; then
+              echo "No sentinel found..."
+              if [ "$(hostname)" = "{{ .Values.redis.name }}-0" ]; then
+                echo "This is Redis master, not updating redis.conf..."
+              else
+                echo "This is Redis replica, updating redis.conf..."
+                echo "replicaof $MASTER_FDQN 6379" >> /etc/redis/redis.conf
+              fi
+            else
+              echo "Sentinel found, finding master..."
+              MASTER="$(redis-cli -h sentinel -p 5000 sentinel get-master-addr-by-name mymaster | grep -E '(^redis-csm-\d{1,})|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')"
+              echo "replicaof $MASTER_FDQN 6379" >> /etc/redis/redis.conf
+            fi
+        volumeMounts:
+        - name: redis-primary-volume
+          mountPath: /data
+        - name: configmap
+          mountPath: /csm-auth-redis-cm/
+        - name: config
+          mountPath: /etc/redis/
       containers:
       - name: primary
         image: {{ .Values.images.redis.image }}
@@ -30,85 +83,82 @@ spec:
             memory: 100Mi
         ports:
         - containerPort: 6379
+          name: {{ .Values.redis.name }}
         volumeMounts:
-          - name: redis-primary-volume
-            mountPath: /data
-      volumes:
         - name: redis-primary-volume
-          persistentVolumeClaim:
-            claimName: redis-primary-pv-claim
----
-{{- if not (.Values.storageClass) }}
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: csm-authorization-local-storage
-provisioner: kubernetes.io/no-provisioner
-volumeBindingMode: WaitForFirstConsumer
-
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: csm-authorization-redis
-spec:
-  capacity:
-    storage: 8Gi
-  volumeMode: Filesystem
-  accessModes:
-  - ReadWriteOnce
-  persistentVolumeReclaimPolicy: Recycle
-  storageClassName: csm-authorization-local-storage
-  hostPath:
-    path: /csm-authorization/redis
-{{- end}}
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: redis-primary-pv-claim
-  namespace: {{ include "custom.namespace" . }}
-  labels:
-    app: redis-primary
-spec:
-  accessModes:
-    - ReadWriteOnce
-  {{- if (.Values.storageClass) }}
-  storageClassName: {{.Values.storageClass }}
-  {{ else }}
-  storageClassName: csm-authorization-local-storage
-  {{- end}}
-  resources:
-    requests:
-      storage: 8Gi
+          mountPath: /data
+        - name: configmap
+          mountPath: /csm-auth-redis-cm/
+        - name: config
+          mountPath: /etc/redis/
+      volumes:
+      - name: redis-primary-volume
+        emptyDir: {}
+      - name: config
+        emptyDir: {}
+      - name: configmap
+        configMap:
+          name: redis-csm-cm
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: redis-commander
+  name: {{ .Values.redis.rediscommander }}
   namespace: {{ include "custom.namespace" . }}
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: redis-commander
+      app: {{ .Values.redis.rediscommander }}
   template:
     metadata:
       labels:
-        app: redis-commander
+        app: {{ .Values.redis.rediscommander }}
         tier: backend
+      annotations:
+        checksum/secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }}
     spec:
       containers:
       - name: redis-commander
         image: {{ .Values.images.commander.image }}
         imagePullPolicy: IfNotPresent
         env:
-        - name: REDIS_HOSTS
-          value: "rbac:redis.{{ include "custom.namespace" . }}.svc.cluster.local:6379"
+          {{- $str := "" -}}
+          {{- $ns := include "custom.namespace" . -}}
+          {{- $replicas := .Values.redis.replicas | int }}
+          {{- $sentinel := .Values.redis.sentinel }}
+          {{- range $i, $e := until $replicas }}
+          {{- if $i }}
+          {{- $str = print $str "," -}}
+          {{- end }}
+          {{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}}
+          {{- end }}
+        - name: SENTINELS
+          value: {{ $str | quote }}
         - name: K8S_SIGTERM
           value: "1"
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: redis-csm-secret
+              key: password
+        - name: SENTINEL_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: redis-csm-secret
+              key: password
+        - name: HTTP_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: redis-csm-secret
+              key: password
+        - name: HTTP_USER
+          valueFrom:
+            secretKeyRef:
+              name: redis-csm-secret
+              key: commander_user
         ports:
-        - name: redis-commander
+        - name: {{ .Values.redis.rediscommander }}
           containerPort: 8081
         livenessProbe:
           httpGet:
@@ -131,24 +181,11 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: redis
-  namespace: {{ include "custom.namespace" . }}
-spec:
-  selector:
-    app: redis
-  ports:
-  - protocol: TCP
-    port: 6379
-    targetPort: 6379
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: redis-commander
+  name: {{ .Values.redis.rediscommander }}
   namespace: {{ include "custom.namespace" . }}
 spec:
   selector:
-    app: redis-commander
+    app: {{ .Values.redis.rediscommander }}
   ports:
   - protocol: TCP
     port: 8081

diff --git a/charts/csm-authorization/charts/redis/templates/sentinel.yaml b/charts/csm-authorization/charts/redis/templates/sentinel.yaml
@@ -0,0 +1,111 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ .Values.redis.sentinel }}
+spec:
+  serviceName: {{ .Values.redis.sentinel }}
+  replicas: {{ .Values.redis.replicas }}
+  selector:
+    matchLabels:
+      app: {{ .Values.redis.sentinel }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.redis.sentinel }}
+      annotations:
+        checksum/secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }}
+    spec:
+      initContainers:
+      - name: config
+        image: {{ .Values.redis.images.redis }}
+        command: [ "sh", "-c" ]
+        env:
+          - name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: redis-csm-secret
+                key: password
+        args:         
+          - |         
+            replicas=$( expr {{ .Values.redis.replicas | int }} - 1)          
+            for i in $(seq 0 $replicas)
+            do               
+                node=$( echo "{{ .Values.redis.name }}-$i.{{ .Values.redis.name }}" )
+                nodes=$( echo "$nodes*$node" )
+            done            
+            loop=$(echo $nodes | sed -e "s/"*"/\n/g")
+           
+            for i in $loop
+            do                
+                echo "Finding master at $i"
+                MASTER=$(redis-cli --no-auth-warning --raw -h $i -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2)
+                if [ "$MASTER" = "" ]; then
+                    echo "Master not found..."
+                    echo "Sleeping 5 seconds for pods to come up..."
+                    sleep 5
+                    MASTER=
+                else
+                    echo "Master found at $MASTER..."
+                    break
+                fi
+            done
+
+            echo "sentinel monitor mymaster $MASTER 6379 2" >> /tmp/master
+            echo "port 5000
+            sentinel resolve-hostnames yes
+            sentinel announce-hostnames yes
+            $(cat /tmp/master)
+            sentinel down-after-milliseconds mymaster 5000
+            sentinel failover-timeout mymaster 60000
+            sentinel parallel-syncs mymaster 2
+            sentinel auth-pass mymaster $REDIS_PASSWORD
+            " > /etc/redis/sentinel.conf
+            cat /etc/redis/sentinel.conf
+        volumeMounts:
+        - name: redis-config
+          mountPath: /etc/redis/
+      containers:
+      - name: sentinel
+        image: {{ .Values.redis.images.redis }}
+        command: ["redis-sentinel"]
+        args: ["/etc/redis/sentinel.conf"]
+        ports:
+        - containerPort: 5000
+          name: {{ .Values.redis.sentinel }}
+        volumeMounts:
+        - name: redis-config
+          mountPath: /etc/redis/
+        - name: data
+          mountPath: /data
+      volumes:
+      - name: redis-config
+        emptyDir: {}
+      - name: data
+        emptyDir : {}  
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.redis.sentinel }}
+spec:
+  clusterIP: None
+  ports:
+  - port: 5000
+    targetPort: 5000
+    name: sentinel
+  selector:
+    app: sentinel
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.redis.sentinel }}-svc
+spec: 
+ type: NodePort
+ ports:
+ - port: 5000
+   targetPort: 5000
+   nodePort: 32003
+   name: {{ .Values.redis.sentinel }}-svc
+ selector:
+   app: {{ .Values.redis.sentinel }}