From e993ca6b47ebed0635872bc83745099e0ed082b8 Mon Sep 17 00:00:00 2001
From: Kyle Rockman
Date: Mon, 2 Jun 2025 13:36:19 -0500
Subject: [PATCH 1/4] convert redis to be a statefulset
---
 .../opslevel/templates/redis/deployment.yaml | 46 -----------
 .../templates/redis/serviceaccount.yaml | 13 ++++
 .../opslevel/templates/redis/statefulset.yaml | 78 +++++++++++++++++++
 charts/opslevel/values.yaml | 11 ++-
 4 files changed, 101 insertions(+), 47 deletions(-)
 delete mode 100644 charts/opslevel/templates/redis/deployment.yaml
 create mode 100644 charts/opslevel/templates/redis/serviceaccount.yaml
 create mode 100644 charts/opslevel/templates/redis/statefulset.yaml
diff --git a/charts/opslevel/templates/redis/deployment.yaml b/charts/opslevel/templates/redis/deployment.yaml
deleted file mode 100644
index 0231480..0000000
--- a/charts/opslevel/templates/redis/deployment.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-{{- if eq .Values.redis.external false }}
-apiVersion: apps/v1 # API version
-kind: Deployment
-metadata:
- name: redis
- labels:
- app.kubernetes.io/component: app
- app.kubernetes.io/part-of: redis
-spec:
- replicas: 1
- strategy:
- type: Recreate
- selector:
- matchLabels:
- app.kubernetes.io/component: app
- app.kubernetes.io/part-of: redis
- revisionHistoryLimit: 3
- template:
- metadata:
- labels:
- app.kubernetes.io/component: app
- app.kubernetes.io/part-of: redis
- annotations:
- checksum/secret: {{ include (print $.Template.BasePath "/redis/secret.yaml") . | sha256sum }}
-{{- with .Values.redis.pod.annotations }}
-{{ toYaml . | indent 8 }}
-{{- end }}
- spec:
- {{- template "opslevel.pullSecrets" . }}
- {{- template "global.nodeSelector" . }}
- priorityClassName: {{ .Values.priorityClasses.normal }}
- {{- with .Values.redis.securityContext }}
- securityContext:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- containers:
- - name: master
- image: {{ template "redis.image" . }}
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 6379
- {{- with .Values.redis.resources }}
- resources:
- {{- toYaml . | nindent 12 }}
- {{- end }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/opslevel/templates/redis/serviceaccount.yaml b/charts/opslevel/templates/redis/serviceaccount.yaml
new file mode 100644
index 0000000..30af308
--- /dev/null
+++ b/charts/opslevel/templates/redis/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.redis.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: '{{ .Values.redis.serviceAccount.name }}'
+ labels:
+ app.kubernetes.io/component: serviceAccount
+ app.kubernetes.io/part-of: redis
+{{- with .Values.redis.serviceAccount.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
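Review bot: The ServiceAccount added here has no `automountServiceAccountToken: false`, and because the StatefulSet in this series selects it via `serviceAccountName`, every redis pod gets a projected API token it has no reason to use; add `automountServiceAccountToken: false` as a top-level field next to `metadata:` (or the same field in the StatefulSet pod spec) so a compromised cache container does not hold a cluster credential. The template is also gated only on `.Values.redis.serviceAccount.create`, while the StatefulSet is gated on `eq .Values.redis.external false`, so a release configured for external redis still creates an unused account; `{{- if and (eq .Values.redis.external false) .Values.redis.serviceAccount.create }}` keeps the two consistent. Minor: the label value `serviceAccount` is camelCase where the sibling templates use lowercase component values such as `app`.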
diff --git a/charts/opslevel/templates/redis/statefulset.yaml b/charts/opslevel/templates/redis/statefulset.yaml
new file mode 100644
index 0000000..de9a4d9
--- /dev/null
+++ b/charts/opslevel/templates/redis/statefulset.yaml
@@ -0,0 +1,78 @@
+{{- if eq .Values.redis.external false }}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: redis
+ labels:
+ app.kubernetes.io/component: app
+ app.kubernetes.io/part-of: redis
+spec:
+ replicas: 1
+ serviceName: redis
+ revisionHistoryLimit: 3
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: app
+ app.kubernetes.io/part-of: redis
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: app
+ app.kubernetes.io/part-of: redis
+ annotations:
+ checksum/secret: {{ include (print $.Template.BasePath "/redis/secret.yaml") . | sha256sum }}
+{{- with .Values.redis.pod.annotations }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+ spec:
+ {{- template "opslevel.pullSecrets" . }}
+ {{- template "global.nodeSelector" . }}
+ serviceAccountName: "{{ .Values.redis.serviceAccount.name }}"
+ priorityClassName: {{ .Values.priorityClasses.high }}
+ {{- with .Values.redis.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ subdomain: redis
+ containers:
+ - name: redis
+ image: {{ template "redis.image" . }}
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ ports:
+ - containerPort: 6379
+ {{- with .Values.redis.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
+ volumes:
+ - name: empty-dir
+ emptyDir: {}
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ {{- if .Values.redis.storageClass }}
+ storageClassName: '{{ .Values.redis.storageClass }}'
+ {{- end }}
+ resources:
+ requests:
+ storage: '{{ .Values.redis.storageSize }}'
\ No newline at end of file
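Review bot: The container securityContext in this hunk sets `runAsNonRoot: true` and `readOnlyRootFilesystem: true`, but the pod-level context rendered from `.Values.redis.securityContext` carries no `fsGroup`, so the `data` claim mounted at `/data` is writable by the non-root process only if the storage provisioner happens to chown it; on a plain hostPath/local volume that is not guaranteed and persistence would fail, which is presumably what patch 4 in this series ("use defaults that work on vanilla k8s") reacts to. Adding `fsGroup: <REDIS_IMAGE_UID>` to the pod-level defaults (patch 3 uses `runAsUser: 1000`) keeps the hardening portable instead of dropping it. `runAsNonRoot: true` without a `runAsUser` also relies on the image declaring a numeric USER — the kubelet refuses to start a container it cannot verify as non-root — so a comment on that line such as `# requires redis.image to declare a numeric non-root USER, or set runAsUser` would save a debugging round.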
diff --git a/charts/opslevel/values.yaml b/charts/opslevel/values.yaml
index 926c752..08329eb 100644
--- a/charts/opslevel/values.yaml
+++ b/charts/opslevel/values.yaml
@@ -180,7 +180,16 @@ redis:
 resources: *resourcesMedium
 pod:
 annotations: {}
- securityContext: {}
+ serviceAccount:
+ create: true
+ name: redis
+ annotations: {}
+ securityContext:
+ fsGroupChangePolicy: Always
+ supplementalGroups: []
+ sysctls: []
+ storageClass: ""
+ storageSize: "8Gi"
 secret:
 create: true
 name: "opslevel-redis"
From 7f05d7f162030031b8468bee8cb20a928b1def6e Mon Sep 17 00:00:00 2001
From: Kyle Rockman
Date: Mon, 2 Jun 2025 13:51:28 -0500
Subject: [PATCH 2/4] fix helm syntax
---
 charts/opslevel/templates/redis/statefulset.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/charts/opslevel/templates/redis/statefulset.yaml b/charts/opslevel/templates/redis/statefulset.yaml
index de9a4d9..e988053 100644
--- a/charts/opslevel/templates/redis/statefulset.yaml
+++ b/charts/opslevel/templates/redis/statefulset.yaml
@@ -75,4 +75,5 @@ spec:
 {{- end }}
 resources:
 requests:
- storage: '{{ .Values.redis.storageSize }}'
\ No newline at end of file
+ storage: '{{ .Values.redis.storageSize }}'
+{{- end }}
From bdf75120b189be7cba687024aa7ebe6f98e53ddb Mon Sep 17 00:00:00 2001
From: Kyle Rockman
Date: Mon, 2 Jun 2025 14:18:59 -0500
Subject: [PATCH 3/4] more tweaks
---
 Taskfile.yml | 20 +++++++++++++++++++
 charts/opslevel/Chart.yaml | 2 +-
 .../opslevel/templates/redis/statefulset.yaml | 11 +++-------
 charts/opslevel/values.yaml | 10 ++++++++++
 4 files changed, 34 insertions(+), 9 deletions(-)
diff --git a/Taskfile.yml b/Taskfile.yml
index 0a768d8..e6d16f3 100644
--- a/Taskfile.yml
+++ b/Taskfile.yml
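Review bot: `fsGroupChangePolicy: Always` in the new pod-level `securityContext` default has no effect on its own — the policy only describes how an `fsGroup` ownership change is applied, and no `fsGroup` is set — so the defaults look like they hand the data volume to the redis user when they do not; either add `fsGroup: <REDIS_IMAGE_UID>` next to it or drop the key. `supplementalGroups: []` and `sysctls: []` are likewise empty no-ops that only add noise to the rendered `toYaml`. A comment above the key such as `# rendered into spec.template.spec.securityContext of the redis StatefulSet (pod level: fsGroup, sysctls, ...)` would tell users which context this configures.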
@@ -22,6 +22,26 @@ tasks:
 - task: setup
 - task: lint-self-hosted
+ internal-release:
+ desc: Workflow that releases the self-hosted helm chart for internal use
+ deps:
+ - setup
+ cmds:
+ - task: package-self-hosted
+ - task: lint-self-hosted
+ - task: publish-self-hosted
+ vars: { REPLICATED_CHANNEL: 'Helm-Unstable' }
+
+ public-release:
+ desc: Workflow that releases the self-hosted helm chart to customers
+ deps:
+ - setup
+ cmds:
+ - task: package-self-hosted
+ - task: lint-self-hosted
+ - task: publish-self-hosted
+ vars: { REPLICATED_CHANNEL: 'Helm' }
+
 release-self-hosted:
 desc: Workflow that packages, lints and releases the self-hosted helm chart
 deps:
diff --git a/charts/opslevel/Chart.yaml b/charts/opslevel/Chart.yaml
index 083bea7..0200b55 100644
--- a/charts/opslevel/Chart.yaml
+++ b/charts/opslevel/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: "v2"
 name: "opslevel"
 type: "application"
-version: "2025.5.23"
+version: "2025.6.2"
 appVersion: "2025.5.22"
 description: "The OpsLevel internal developer portal helps your team ship fast without risking your software standards."
 home: "https://www.opslevel.com/"
diff --git a/charts/opslevel/templates/redis/statefulset.yaml b/charts/opslevel/templates/redis/statefulset.yaml
index e988053..a621441 100644
--- a/charts/opslevel/templates/redis/statefulset.yaml
+++ b/charts/opslevel/templates/redis/statefulset.yaml
@@ -40,15 +40,10 @@ spec:
 - name: redis
 image: {{ template "redis.image" . }}
 imagePullPolicy: IfNotPresent
+ {{- with .Values.redis.pod.securityContext }}
 securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 ports:
 - containerPort: 6379
 {{- with .Values.redis.resources }}
diff --git a/charts/opslevel/values.yaml b/charts/opslevel/values.yaml
index 08329eb..9fdb1b5 100644
--- a/charts/opslevel/values.yaml
+++ b/charts/opslevel/values.yaml
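Review bot: `internal-release` and `public-release` are identical apart from the `REPLICATED_CHANNEL` handed to `publish-self-hosted`, and `release-self-hosted` just below (its body runs past the hunk) appears to repeat the same package/lint/publish sequence; a single task taking `REPLICATED_CHANNEL` as a var, with the non-customer channel as the default, called by two one-line wrappers would keep the three step lists from drifting. The `vars: { REPLICATED_CHANNEL: 'Helm' }` flow mappings are fine for a single key, but switch to block style if more vars are added, to match the rest of the file.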
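Review bot: The container's securityContext is now rendered from `.Values.redis.pod.securityContext`, while the pod-level context a few lines above this hunk comes from `.Values.redis.securityContext` — the names are inverted relative to what they configure, so a user placing `fsGroup` under `pod.securityContext` gets an API validation error for an unknown container field. Renaming the values to `redis.containerSecurityContext` / `redis.podSecurityContext` (keeping the old keys as fallbacks) or at least a comment in values.yaml stating the mapping would prevent that. Note also that `{{- with }}` renders nothing for an empty map, so `securityContext: {}` in values silently removes all hardening rather than failing; the `containers:` list this entry belongs to starts just above the hunk.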
@@ -180,6 +180,16 @@ redis:
 resources: *resourcesMedium
 pod:
 annotations: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccount:
 create: true
 name: redis
From 76fdf6907228a91061bc3aa075a0cb94298fb158 Mon Sep 17 00:00:00 2001
From: Kyle Rockman
Date: Mon, 2 Jun 2025 15:34:24 -0500
Subject: [PATCH 4/4] use defaults that work on vanilla k8s
---
 charts/opslevel/Chart.yaml | 2 +-
 charts/opslevel/values.yaml | 28 ++++++++++++++--------------
 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/charts/opslevel/Chart.yaml b/charts/opslevel/Chart.yaml
index 0200b55..6cb3ad3 100644
--- a/charts/opslevel/Chart.yaml
+++ b/charts/opslevel/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: "v2"
 name: "opslevel"
 type: "application"
-version: "2025.6.2"
+version: "2025.6.3"
 appVersion: "2025.5.22"
 description: "The OpsLevel internal developer portal helps your team ship fast without risking your software standards."
 home: "https://www.opslevel.com/"
diff --git a/charts/opslevel/values.yaml b/charts/opslevel/values.yaml
index 9fdb1b5..b5360ee 100644
--- a/charts/opslevel/values.yaml
+++ b/charts/opslevel/values.yaml
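Review bot: `runAsUser: 1000` is now a hard default for the container, but nothing sets `fsGroup` on the pod-level `redis.securityContext` a few lines below (outside this hunk), so the `data` volume is writable by UID 1000 only where the provisioner chowns it; pair it with `fsGroup: 1000` there, or document that the image's UID must own the volume. This key is also named `pod.securityContext` although the template applies it to the container; a comment above `securityContext:` such as `# securityContext of the redis *container*; pod-level settings (fsGroup, sysctls) live in redis.securityContext` would avoid misconfiguration.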
@@ -180,24 +180,24 @@ redis:
 resources: *resourcesMedium
 pod:
 annotations: {}
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 1000
- seccompProfile:
- type: RuntimeDefault
+ securityContext: {}
+# allowPrivilegeEscalation: false
+# capabilities:
+# drop:
+# - ALL
+# readOnlyRootFilesystem: true
+# runAsNonRoot: true
+# runAsUser: 1000
+# seccompProfile:
+# type: RuntimeDefault
 serviceAccount:
 create: true
 name: redis
 annotations: {}
- securityContext:
- fsGroupChangePolicy: Always
- supplementalGroups: []
- sysctls: []
+ securityContext: {}
+# fsGroupChangePolicy: Always
+# supplementalGroups: []
+# sysctls: []
 storageClass: ""
 storageSize: "8Gi"
 secret:
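Review bot: Replacing `pod.securityContext` with `{}` removes all of the container hardening at once, although `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `seccompProfile.type: RuntimeDefault` do not depend on the image's UID or on volume ownership and work on a vanilla cluster; only `runAsNonRoot`, `runAsUser` and `readOnlyRootFilesystem` needed to become opt-in, assuming the breakage behind this commit was the UID/volume mismatch, which is inferred from the subject line. Because the template wraps the value in `{{- with }}`, an empty map renders no `securityContext` at all, so the chart default is now a container running as whatever user the image declares, with the runtime's default capability set and privilege escalation allowed. Keeping the portable subset as the default and leaving the UID-dependent keys commented, as below, preserves most of the posture; the commented lines in this hunk also sit at column 0 inside a nested mapping, which parses but reads as top-level keys.
```yaml
  pod:
    annotations: {}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
      # opt-in: these need the data volume to be owned by the chosen UID
      # (set fsGroup in redis.securityContext to match runAsUser)
      # readOnlyRootFilesystem: true
      # runAsNonRoot: true
      # runAsUser: 1000
  # … unchanged: serviceAccount, securityContext, storageClass, storageSize …
```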