diff --git a/kubernetes/apps/postgres-db/deployment.yaml b/kubernetes/apps/postgres-db/deployment.yaml
index bc185cc2..ae44a980 100644
--- a/kubernetes/apps/postgres-db/deployment.yaml
+++ b/kubernetes/apps/postgres-db/deployment.yaml
@@ -3,7 +3,7 @@ kind: Deployment
 metadata:
 name: postgres
 spec:
- replicas: 1
+ replicas: 3
 selector:
 matchLabels:
 app: postgres
diff --git a/kubernetes/apps/redis-db/deployment.yaml b/kubernetes/apps/redis-db/deployment.yaml
index 21adc895..eeb85a4e 100644
--- a/kubernetes/apps/redis-db/deployment.yaml
+++ b/kubernetes/apps/redis-db/deployment.yaml
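Review bot: `replicas: 3` on a `Deployment` named `postgres` starts three pods from one template with no per-replica identity or storage, so each pod is either an independent database or an extra writer on the same data directory. The pod template and its volumes lie outside this hunk, so which of the two applies cannot be confirmed from here. If replication is intended it needs a StatefulSet with `volumeClaimTemplates` (or an operator) plus configured streaming replication; otherwise keep `replicas: 1`.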
@@ -1,27 +1,79 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: redis-stack
+ labels:
+ app.kubernetes.io/name: argocd-redis
+ app.kubernetes.io/part-of: argocd
+ app.kubernetes.io/component: redis
+ name: argocd-redis
 spec:
- replicas: 1
 selector:
 matchLabels:
- app: redis-stack
+ app.kubernetes.io/name: argocd-redis
 template:
 metadata:
 labels:
- app: redis-stack
+ app.kubernetes.io/name: argocd-redis
 spec:
+ initContainers:
+ - command:
+ - argocd
+ - admin
+ - redis-initial-password
+ image: quay.io/argoproj/argocd:latest
+ imagePullPolicy: IfNotPresent
+ name: secret-init
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 999
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: argocd-redis
 containers:
- - name: redis-stack
- image: redis/redis-stack:latest
+ - name: redis
+ image: redis:7.0.15-alpine
+ imagePullPolicy: Always
+ args:
+ - "--save"
+ - ""
+ - "--appendonly"
+ - "no"
+ - --requirepass $(REDIS_PASSWORD)
+ env:
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: auth
+ name: argocd-redis
 ports:
 - containerPort: 6379
- - containerPort: 8001
- volumeMounts:
- - mountPath: /data
- name: redis-data
- volumes:
- - name: redis-data
- persistentVolumeClaim:
- claimName: redis-pvc
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: argocd-redis
+ topologyKey: kubernetes.io/hostname
+ - weight: 5
+ podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/part-of: argocd
+ topologyKey: kubernetes.io/hostname
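Review bot: The `secret-init` init container runs `quay.io/argoproj/argocd:latest` with `imagePullPolicy: IfNotPresent`, so the build that executes under the `argocd-redis` service account is whatever each node cached first and can differ from node to node. It should be pinned the way the `redis:7.0.15-alpine` container is, preferably by digest: `image: quay.io/argoproj/argocd:<pinned-version>@sha256:<digest>` (placeholders; use the release that matches the cluster's Argo CD). Separately, `--requirepass $(REDIS_PASSWORD)` is expanded into the container's argument list, so the password is readable from the process command line inside the pod; a short comment saying the value must only ever come from the `argocd-redis` Secret would keep a literal from being pasted there later.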
diff --git a/kubernetes/apps/redis-db/network-policy.yaml b/kubernetes/apps/redis-db/network-policy.yaml
new file mode 100644
index 00000000..b3e44e53
--- /dev/null
+++ b/kubernetes/apps/redis-db/network-policy.yaml
@@ -0,0 +1,24 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: argocd-redis-network-policy
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: argocd-redis
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: argocd-server
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: argocd-repo-server
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: argocd-application-controller
+ ports:
+ - protocol: TCP
+ port: 6379
diff --git a/kubernetes/apps/redis-db/persistant-vol-claim.yaml b/kubernetes/apps/redis-db/persistant-vol-claim.yaml
deleted file mode 100644
index 671986fe..00000000
--- a/kubernetes/apps/redis-db/persistant-vol-claim.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: redis-pvc
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 1Gi
diff --git a/kubernetes/apps/redis-db/persistant-vol.yaml b/kubernetes/apps/redis-db/persistant-vol.yaml
deleted file mode 100644
index d1f027b9..00000000
--- a/kubernetes/apps/redis-db/persistant-vol.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: redis-pv
-spec:
- capacity:
- storage: 5Gi
- accessModes:
- - ReadWriteOnce
- hostPath:
- path: /mnt/storage/redis
diff --git a/kubernetes/apps/redis-db/redis-insight/deployment.yaml b/kubernetes/apps/redis-db/redis-insight/deployment.yaml
new file mode 100644
index 00000000..b9a7f18d
--- /dev/null
+++ b/kubernetes/apps/redis-db/redis-insight/deployment.yaml
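Review bot: Each `from` peer in `network-policy.yaml` is a bare `podSelector`, which matches only pods in the namespace the policy itself is created in, and the manifest sets no `metadata.namespace`. If this app is synced into a different namespace from `argocd-server`, `argocd-repo-server` and `argocd-application-controller`, every client is denied, and the usual reaction is to loosen the policy. Either record the expectation with a comment such as `# peers must run in the same namespace as this policy`, or add a `namespaceSelector` to each peer. The policy also lists only `Ingress` under `policyTypes`, so outbound traffic from the Redis pod stays unrestricted, and it has effect only where the cluster's CNI enforces NetworkPolicy.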
@@ -0,0 +1,30 @@
+# Redis Insight deployment with name 'redisinsight'
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: redisinsight #deployment name
+ labels:
+ app: redisinsight #deployment label
+spec:
+ replicas: 1 #a single replica pod
+ selector:
+ matchLabels:
+ app: redisinsight #which pods is the deployment managing, as defined by the pod template
+ template: #pod template
+ metadata:
+ labels:
+ app: redisinsight #label for pod/s
+ spec:
+ containers:
+ - name: redisinsight #Container name (DNS_LABEL, unique)
+ image: redis/redisinsight:latest #repo/image
+ imagePullPolicy: IfNotPresent #Installs the latest Redis Insight version
+ volumeMounts:
+ - name: redisinsight #Pod volumes to mount into the container's filesystem. Cannot be updated.
+ mountPath: /data
+ ports:
+ - containerPort: 5540 #exposed container port and protocol
+ protocol: TCP
+ volumes:
+ - name: redisinsight
+ emptyDir: {} # node-ephemeral volume https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
diff --git a/kubernetes/apps/redis-db/redis-insight/service.yaml b/kubernetes/apps/redis-db/redis-insight/service.yaml
new file mode 100644
index 00000000..d7c74bfe
--- /dev/null
+++ b/kubernetes/apps/redis-db/redis-insight/service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: redisinsight-svc
+spec:
+ type: LoadBalancer
+ ports:
+ - port: 80
+ targetPort: 5540
+ selector:
+ app: redisinsight
diff --git a/kubernetes/apps/redis-db/role-binding.yaml b/kubernetes/apps/redis-db/role-binding.yaml
new file mode 100644
index 00000000..87b902a1
--- /dev/null
+++ b/kubernetes/apps/redis-db/role-binding.yaml
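Review bot: The `redisinsight` container in `redis-insight/deployment.yaml` has no `securityContext`, while both Redis containers added in this commit drop all capabilities and forbid privilege escalation; the same baseline belongs on this pod, which is the one placed behind a LoadBalancer Service. The image is also `redis/redisinsight:latest` with `imagePullPolicy: IfNotPresent`, so the inline comment `#Installs the latest Redis Insight version` is inaccurate: a node reuses whatever it has cached and does not re-pull. Pin a release tag or digest and correct that comment. The settings below are a subset of what the Redis containers already use; confirm the image starts under them before also adding `readOnlyRootFilesystem` or `runAsNonRoot`.

```yaml
      containers:
        - name: redisinsight
          # placeholder tag: pin a released version or digest
          image: redis/redisinsight:<pinned-version>
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: imagePullPolicy, volumeMounts, ports …
```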
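Review bot: `type: LoadBalancer` with `port: 80` in `redis-insight/service.yaml` publishes the Redis Insight console outside the cluster over plain HTTP, and nothing in this commit puts authentication, TLS or a source-range restriction in front of it. An administration console for the databases should be `type: ClusterIP` and reached through `kubectl port-forward` or an authenticated ingress. If an external address really is required, limit it with `loadBalancerSourceRanges` and terminate TLS before traffic reaches the pod.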
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/component: redis
+ app.kubernetes.io/name: argocd-redis
+ app.kubernetes.io/part-of: argocd
+ name: argocd-redis
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: argocd-redis
+subjects:
+ - kind: ServiceAccount
+ name: argocd-redis
diff --git a/kubernetes/apps/redis-db/role.yaml b/kubernetes/apps/redis-db/role.yaml
new file mode 100644
index 00000000..bba553ca
--- /dev/null
+++ b/kubernetes/apps/redis-db/role.yaml
@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/component: redis
+ app.kubernetes.io/name: argocd-redis
+ app.kubernetes.io/part-of: argocd
+ name: argocd-redis
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ resourceNames:
+ - argocd-redis
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
diff --git a/kubernetes/apps/redis-db/service-account.yaml b/kubernetes/apps/redis-db/service-account.yaml
new file mode 100644
index 00000000..5b2e34ce
--- /dev/null
+++ b/kubernetes/apps/redis-db/service-account.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/component: redis
+ app.kubernetes.io/name: argocd-redis
+ app.kubernetes.io/part-of: argocd
+ name: argocd-redis
diff --git a/kubernetes/apps/redis-db/service.yaml b/kubernetes/apps/redis-db/service.yaml
index 8d34b027..fef2c2b3 100644
--- a/kubernetes/apps/redis-db/service.yaml
+++ b/kubernetes/apps/redis-db/service.yaml
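Review bot: The second rule in `role.yaml` grants `create` on `secrets` with no `resourceNames`; Kubernetes cannot restrict `create` by resource name, so the `argocd-redis` service account may create any Secret in its namespace. Because `serviceAccountName: argocd-redis` is set for the whole pod in the Deployment, the long-running `redis` container carries the same token as the one-shot `secret-init` container. Document this on the rule, for example `# create cannot be scoped by resourceNames; presumably needed only by the secret-init container`. If the `argocd-redis` Secret can be provisioned another way, dropping the `create` rule leaves the account with the single named `get`.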
@@ -1,17 +1,16 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: redis-stack
+ labels:
+ app.kubernetes.io/name: argocd-redis
+ app.kubernetes.io/part-of: argocd
+ app.kubernetes.io/component: redis
+ name: argocd-redis
 spec:
- selector:
- app: redis
 ports:
- - name: redis-port
- protocol: TCP
+ - name: tcp-redis
 port: 6379
 targetPort: 6379
- - name: ui-port
- protocol: TCP
- port: 8001
- targetPort: 8001
- type: LoadBalancer
+ selector:
+ app.kubernetes.io/name: argocd-redis
+type: LoadBalancer
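Review bot: The added `type: LoadBalancer` line carries no indentation in this diff, unlike the `selector:` line above it, so it appears to sit at the document root rather than under `spec`; there it is an unknown field that strict validation rejects and lenient clients drop, leaving the Service at its default type. Re-indenting it would publish Redis port 6379 on an external address, which contradicts the NetworkPolicy added in this commit that admits only the three Argo CD components. Delete the line, or state the intent explicitly with `type: ClusterIP` nested under `spec`. Indentation elsewhere in this rendering is collapsed, so confirm the column against the file itself.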