diff --git a/kubernetes/ansible/roles/sunbird-monitoring/defaults/main.yml b/kubernetes/ansible/roles/sunbird-monitoring/defaults/main.yml
index cf89a47542ff418b273b6ecae09d9ddf9f9a967d..b8aaa5bd922b34dbe54365176d2eb86d1cd2ce98 100644
--- a/kubernetes/ansible/roles/sunbird-monitoring/defaults/main.yml
+++ b/kubernetes/ansible/roles/sunbird-monitoring/defaults/main.yml
@@ -13,6 +13,7 @@ monitoring_stack:
- prometheus-redis-exporter
- processing-kafka-exporter
- json-path-exporter
+ - oauth2-proxy
# Variable to add additional charts in monitoring.
# eg:
diff --git a/kubernetes/ansible/roles/sunbird-monitoring/templates/oauth2-proxy.yaml b/kubernetes/ansible/roles/sunbird-monitoring/templates/oauth2-proxy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..fd2f50c010a2003b77eb50eb25cbe4376510403f
--- /dev/null
+++ b/kubernetes/ansible/roles/sunbird-monitoring/templates/oauth2-proxy.yaml
@@ -0,0 +1,23 @@
+# Oauth client configuration specifics
+config:
+ # OAuth client ID
+ clientID: "{{ grafana_google_oauth_client_id }}"
+ # OAuth client secret
+ clientSecret: "{{ grafana_google_oauth_client_secret }}"
+ # Create a new secret with the following command
+ # openssl rand -base64 32 | head -c 32 | base64
+ cookieSecret: "{{ cookie_secret }}"
+ # Default configuration, to be overridden
+ configFile: |-
+ redirect_url = "https://{{ domain_name }}/oauth3/callback"
+extraArgs:
+ proxy-prefix: /oauth3
+authenticatedEmailsFile:
+ enabled: true
+ # New line seperated email ids for ansible variable.
+ # eg:
+ # grafana_login_whitelisted_emails: |-
+ # user1@gmail.com
+ # user2@mycompany.com
+ restricted_access: |-
+{{ grafana_login_whitelisted_emails | indent( width=4, indentfirst=True) }}
diff --git a/kubernetes/ansible/roles/sunbird-monitoring/templates/prometheus-operator.yaml b/kubernetes/ansible/roles/sunbird-monitoring/templates/prometheus-operator.yaml
index 4b6432c183abbd280c73f24f7b4faf2f84e5c2f8..e94458f6f7e04fdb9f0ad989c4c651b2bd8a31b2 100644
--- a/kubernetes/ansible/roles/sunbird-monitoring/templates/prometheus-operator.yaml
+++ b/kubernetes/ansible/roles/sunbird-monitoring/templates/prometheus-operator.yaml
@@ -273,7 +273,14 @@ grafana:
pullPolicy: IfNotPresent
env:
GF_SERVER_ROOT_URL: http://grafana.local.com/grafana
- adminPassword: {{ (grafana_admin_password| default('prom-operator'))}}
+ GF_AUTH_ANONYMOUS_ENABLED: "true"
+ GF_AUTH_ANONYMOUS_ORG_ROLE: "Viewer"
+ GF_AUTH_ANONYMOUS_ORG_ROLE: "Viewer"
+ GF_AUTH_PROXY_ENABLED: "true"
+ GF_AUTH_DISABLE_LOGIN_FORM: "true"
+ GF_AUTH_PROXY_HEADER_NAME: "{{ grafana_admin_user_http_header | default('X-SUNBIRDAUTH-USER') }}"
+ GF_AUTH_PROXY_header_property: "username"
+ GF_AUTH_PROXY_auto_sign_up: "false"
{% if grafana_data_sources is defined and grafana_data_sources %}
additionalDataSources: {{ (grafana_data_sources) | to_json}}
{% endif %}
diff --git a/kubernetes/helm_charts/logging/oauth2-proxy/.helmignore b/kubernetes/helm_charts/common_charts/oauth2-proxy/.helmignore
similarity index 100%
rename from kubernetes/helm_charts/logging/oauth2-proxy/.helmignore
rename to kubernetes/helm_charts/common_charts/oauth2-proxy/.helmignore
diff --git a/kubernetes/helm_charts/logging/oauth2-proxy/Chart.yaml b/kubernetes/helm_charts/common_charts/oauth2-proxy/Chart.yaml
similarity index 100%
rename from kubernetes/helm_charts/logging/oauth2-proxy/Chart.yaml
rename to kubernetes/helm_charts/common_charts/oauth2-proxy/Chart.yaml
diff --git a/kubernetes/helm_charts/logging/oauth2-proxy/README.md b/kubernetes/helm_charts/common_charts/oauth2-proxy/README.md
similarity index 100%
rename from kubernetes/helm_charts/logging/oauth2-proxy/README.md
rename to kubernetes/helm_charts/common_charts/oauth2-proxy/README.md
diff --git a/kubernetes/helm_charts/logging/oauth2-proxy/templates/NOTES.txt b/kubernetes/helm_charts/common_charts/oauth2-proxy/templates/NOTES.txt
similarity index 100%
rename from kubernetes/helm_charts/logging/oauth2-proxy/templates/NOTES.txt
rename to kubernetes/helm_charts/common_charts/oauth2-proxy/templates/NOTES.txt
diff --git a/kubernetes/helm_charts/logging/oauth2-proxy/templates/_helpers.tpl b/kubernetes/helm_charts/common_charts/oauth2-proxy/templates/_helpers.tpl
similarity index 100%
rename from kubernetes/helm_charts/logging/oauth2-proxy/templates/_helpers.tpl
rename to kubernetes/helm_charts/common_charts/oauth2-proxy/templates/_helpers.tpl
diff --git a/kubernetes/helm_charts/logging/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml b/kubernetes/helm_charts/common_charts/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
similarity index 100%
rename from kubernetes/helm_charts/logging/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
rename to kubernetes/helm_charts/common_charts/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
diff --git a/kubernetes/helm_charts/logging/oauth2-proxy/templates/configmap-htpasswd-file.yaml b/kubernetes/helm_charts/common_charts/oauth2-proxy/templates/configmap-htpasswd-file.yaml
similarity index 100%
rename from kubernetes/helm_charts/logging/oauth2-proxy/templates/configmap-htpasswd-file.yaml
rename to kubernetes/helm_charts/common_charts/oauth2-proxy/templates/configmap-htpasswd-file.yaml
diff --git a/kubernetes/helm_charts/logging/oauth2-proxy/templates/configmap.yaml b/kubernetes/helm_charts/common_charts/oauth2-proxy/templates/configmap.yaml
similarity index 100%
rename from kubernetes/helm_charts/logging/oauth2-proxy/templates/configmap.yaml
rename to kubernetes/helm_charts/common_charts/oauth2-proxy/templates/configmap.yaml
diff --git a/kubernetes/helm_charts/logging/oauth2-proxy/templates/deployment.yaml b/kubernetes/helm_charts/common_charts/oauth2-proxy/templates/deployment.yaml
similarity index 100%
rename from kubernetes/helm_charts/logging/oauth2-proxy/templates/deployment.yaml
rename to kubernetes/helm_charts/common_charts/oauth2-proxy/templates/deployment.yaml
diff --git a/kubernetes/helm_charts/logging/oauth2-proxy/templates/google-secret.yaml b/kubernetes/helm_charts/common_charts/oauth2-proxy/templates/google-secret.yaml
similarity index 100%
rename from kubernetes/helm_charts/logging/oauth2-proxy/templates/google-secret.yaml
rename to kubernetes/helm_charts/common_charts/oauth2-proxy/templates/google-secret.yaml
diff --git a/kubernetes/helm_charts/logging/oauth2-proxy/templates/ingress.yaml b/kubernetes/helm_charts/common_charts/oauth2-proxy/templates/ingress.yaml
similarity index 100%
rename from kubernetes/helm_charts/logging/oauth2-proxy/templates/ingress.yaml
rename to kubernetes/helm_charts/common_charts/oauth2-proxy/templates/ingress.yaml
diff --git a/kubernetes/helm_charts/logging/oauth2-proxy/templates/poddisruptionbudget.yaml b/kubernetes/helm_charts/common_charts/oauth2-proxy/templates/poddisruptionbudget.yaml
similarity index 100%
rename from kubernetes/helm_charts/logging/oauth2-proxy/templates/poddisruptionbudget.yaml
rename to kubernetes/helm_charts/common_charts/oauth2-proxy/templates/poddisruptionbudget.yaml
diff --git a/kubernetes/helm_charts/logging/oauth2-proxy/templates/secret.yaml b/kubernetes/helm_charts/common_charts/oauth2-proxy/templates/secret.yaml
similarity index 100%
rename from kubernetes/helm_charts/logging/oauth2-proxy/templates/secret.yaml
rename to kubernetes/helm_charts/common_charts/oauth2-proxy/templates/secret.yaml
diff --git a/kubernetes/helm_charts/logging/oauth2-proxy/templates/service.yaml b/kubernetes/helm_charts/common_charts/oauth2-proxy/templates/service.yaml
similarity index 100%
rename from kubernetes/helm_charts/logging/oauth2-proxy/templates/service.yaml
rename to kubernetes/helm_charts/common_charts/oauth2-proxy/templates/service.yaml
diff --git a/kubernetes/helm_charts/logging/oauth2-proxy/values.yaml b/kubernetes/helm_charts/common_charts/oauth2-proxy/values.yaml
similarity index 98%
rename from kubernetes/helm_charts/logging/oauth2-proxy/values.yaml
rename to kubernetes/helm_charts/common_charts/oauth2-proxy/values.yaml
index 3ce4c2da69640b6bcef179abc1a2350a93bf5c19..eb7049c92b3ae17dd939ab35feefa19430c7f94f 100644
--- a/kubernetes/helm_charts/logging/oauth2-proxy/values.yaml
+++ b/kubernetes/helm_charts/common_charts/oauth2-proxy/values.yaml
@@ -30,8 +30,8 @@ config:
alphaConfigFile: {}
image:
- repository: "quay.io/pusher/oauth2_proxy"
- tag: "v5.1.0"
+ repository: "quay.io/oauth2-proxy/oauth2-proxy"
+ tag: "v7.1.3"
pullPolicy: "IfNotPresent"
# Optionally specify an array of imagePullSecrets.
diff --git a/kubernetes/helm_charts/core/nginx-private-ingress/templates/configmap.yaml b/kubernetes/helm_charts/core/nginx-private-ingress/templates/configmap.yaml
index 522767d8cebb67007296c1256f577eb27d8e8c85..00d3333c9ba744ff704adffe760745e6f4917f31 100644
--- a/kubernetes/helm_charts/core/nginx-private-ingress/templates/configmap.yaml
+++ b/kubernetes/helm_charts/core/nginx-private-ingress/templates/configmap.yaml
@@ -51,6 +51,12 @@ data:
proxy_pass $target;
}
location /grafana/ {
+ auth_basic "Restricted";
+ auth_basic_user_file /etc/nginx/.htpasswd;
+ proxy_set_header Authorization "";
+ proxy_set_header Host $host;
+ proxy_set_header {{ .Values.grafana_admin_user_http_header }} admin;
+ proxy_set_header X-Real-IP $remote_addr;
set $target http://prometheus-operator-grafana.monitoring.svc.cluster.local;
rewrite ^/grafana/(.*) /$1 break;
proxy_pass $target;
diff --git a/kubernetes/helm_charts/core/nginx-private-ingress/templates/deployment.yaml b/kubernetes/helm_charts/core/nginx-private-ingress/templates/deployment.yaml
index 5cfab46c8354860da3e484c34455c0a89d59cd54..f876dc850b4eb2401f9c8390e452bad44848953d 100644
--- a/kubernetes/helm_charts/core/nginx-private-ingress/templates/deployment.yaml
+++ b/kubernetes/helm_charts/core/nginx-private-ingress/templates/deployment.yaml
@@ -27,11 +27,18 @@ spec:
ports:
- containerPort: 80
volumeMounts:
+ - mountPath: /etc/nginx/.htpasswd
+ name: htpasswd
+ subPath: htpasswd
- mountPath: /etc/nginx/nginx.conf
name: config-volume
subPath: nginx.conf
readOnly: true
volumes:
+ - name: htpasswd
+ secret:
+ defaultMode: 420
+ secretName: htpasswd
- name: config-volume
configMap:
name: nginx-private-ingress.conf
diff --git a/kubernetes/helm_charts/core/nginx-private-ingress/templates/secrets.yaml b/kubernetes/helm_charts/core/nginx-private-ingress/templates/secrets.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ce5a5a9dfcb81fed91ab61f2294e2c1887f8e29a
--- /dev/null
+++ b/kubernetes/helm_charts/core/nginx-private-ingress/templates/secrets.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: htpasswd
+ namespace: {{ .Values.namespace }}
+type: Opaque
+data:
+ htpasswd: |-
+ {{ .Values.grafana_htpasswd | b64enc }}
diff --git a/kubernetes/helm_charts/core/nginx-private-ingress/values.j2 b/kubernetes/helm_charts/core/nginx-private-ingress/values.j2
index 52db8e9159249076c4906b2372a231f2b077d78a..396a408ee829ce1f7967df8ae2f9a282965c45a0 100644
--- a/kubernetes/helm_charts/core/nginx-private-ingress/values.j2
+++ b/kubernetes/helm_charts/core/nginx-private-ingress/values.j2
@@ -7,6 +7,14 @@ replicaCount: {{nginx_private_ingress_replicacount|default(1)}}
nginx_private_ingress_type: {{ nginx_private_ingress_type | default('LoadBalancer') }}
kube_dns_ip: {{kube_dns_ip}}
+# Grafana access htpasswd
+# You can generate one at
+# https://wtools.io/generate-htpasswd-online
+grafana_htpasswd: {{ grafana_nginx_private_htpasswd | default("") }}
+
+# http header to be passed for admin user access.
+grafana_admin_user_http_header: {{ grafana_admin_user_http_header | default("X-SUNBIRDAUTH-USER") }}
+
annotations: {{nginx_private_ingress_annotations|to_json}}
{% if private_ingressgateway_ip is defined and private_ingressgateway_ip %}
diff --git a/kubernetes/helm_charts/core/nginx-public-ingress/values.j2 b/kubernetes/helm_charts/core/nginx-public-ingress/values.j2
index c88848895190b9d2f17c8da61c8b7c2eb9eb3f61..22395c90436cbe913193aafbc4524ff1c7850413 100644
--- a/kubernetes/helm_charts/core/nginx-public-ingress/values.j2
+++ b/kubernetes/helm_charts/core/nginx-public-ingress/values.j2
@@ -428,8 +428,34 @@ proxyconfig: |-
proxy_pass $target;
}
{% endif %}
+ location /oauth3 {
+ set $target http://oauth2-proxy.monitoring.svc.cluster.local;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Auth-Request-Redirect $request_uri;
+ proxy_set_header X-Request-ID $sb_request_id;
+ proxy_pass $target;
+ }
+ location = /oauth3/auth {
+ set $target http://oauth2-proxy.monitoring.svc.cluster.local;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header Content-Length "";
+ proxy_pass_request_body off;
+ proxy_set_header X-Request-ID $sb_request_id;
+ proxy_pass $target;
+ }
location /grafana/ {
+ auth_request /oauth3/auth;
+ error_page 401 = /oauth3/sign_in;
+ auth_request_set $target http://prometheus-operator-grafana.monitoring.svc.cluster.local;
include /etc/nginx/defaults.d/compression.conf;
+ proxy_set_header Connection "";
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
set $target http://prometheus-operator-grafana.monitoring.svc.cluster.local;
rewrite ^/grafana/(.*) /$1 break;
proxy_pass $target;
diff --git a/kubernetes/helm_charts/logging/oauth2-proxy b/kubernetes/helm_charts/logging/oauth2-proxy
new file mode 120000
index 0000000000000000000000000000000000000000..19ad46367f75cdbe36b25725668b509ed231231d
--- /dev/null
+++ b/kubernetes/helm_charts/logging/oauth2-proxy
@@ -0,0 +1 @@
+../common_charts/oauth2-proxy
\ No newline at end of file
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/.helmignore b/kubernetes/helm_charts/monitoring/oauth2-proxy/.helmignore
new file mode 100644
index 0000000000000000000000000000000000000000..825c0077915747f915c8e96a104c8dcb7ff88845
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+
+OWNERS
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/Chart.lock b/kubernetes/helm_charts/monitoring/oauth2-proxy/Chart.lock
new file mode 100644
index 0000000000000000000000000000000000000000..361ad6eb5b352350e496aad325737a761bb8a3f6
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: redis
+ repository: https://charts.bitnami.com/bitnami
+ version: 10.6.19
+digest: sha256:9967a7f9f35d93e0c3ac69e4cfbea4ea8d38cfd12a7ad416dd81256800eb040f
+generated: "2021-05-14T12:07:28.273068+02:00"
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/Chart.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/Chart.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a7c5a2da0b16928a94ba2c1e74dc52a7c1b1615f
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/Chart.yaml
@@ -0,0 +1,34 @@
+apiVersion: v2
+appVersion: 7.1.3
+dependencies:
+- alias: redis
+ condition: redis.enabled
+ name: redis
+ repository: https://charts.bitnami.com/bitnami
+ version: ~10.6.0
+description: A reverse proxy that provides authentication with Google, Github or other providers
+home: https://oauth2-proxy.github.io/oauth2-proxy/
+keywords:
+- kubernetes
+- oauth
+- oauth2
+- authentication
+- google
+- github
+- redis
+kubeVersion: '>=1.9.0-0'
+maintainers:
+- email: cedric@desaintmartin.fr
+ name: desaintmartin
+- name: tlawrie
+- email: nicholas.meves@gmail.com
+ name: NickMeves
+- email: joel.speed@hotmail.co.uk
+ name: JoelSpeed
+- email: pierluigi.lenoci@gmail.com
+ name: pierluigilenoci
+name: oauth2-proxy
+sources:
+- https://github.com/oauth2-proxy/oauth2-proxy
+- https://github.com/oauth2-proxy/manifests
+version: 4.1.1
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/README.md b/kubernetes/helm_charts/monitoring/oauth2-proxy/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..4b8472715717ccd2b0da5d0348c3cf96cae7b797
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/README.md
@@ -0,0 +1,213 @@
+# oauth2-proxy
+
+[oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group.
+
+## TL;DR;
+
+```console
+$ helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
+$ helm install my-release oauth2-proxy/oauth2-proxy
+```
+
+## Introduction
+
+This chart bootstraps an oauth2-proxy deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```console
+$ helm install my-release oauth2-proxy/oauth2-proxy
+```
+
+The command deploys oauth2-proxy on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```console
+$ helm uninstall my-release
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Upgrading an existing Release to a new major version
+
+A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
+incompatible breaking change needing manual actions.
+
+### To 1.0.0
+
+This version upgrades oauth2-proxy to v4.0.0. Please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400) in order to upgrade.
+
+### To 2.0.0
+
+Version 2.0.0 of this chart introduces support for Kubernetes v1.16.x by way of addressing the deprecation of the Deployment object apiVersion `apps/v1beta2`. See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information.
+
+Due to [this issue](https://github.com/helm/helm/issues/6583) there may be errors performing a `helm upgrade` of this chart from versions earlier than 2.0.0.
+
+### To 3.0.0
+
+Version 3.0.0 introduces support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart. This is a breaking change since the service account is enabled by default. To disable this behaviour set `serviceAccount.enabled` to `false`
+
+### To 4.0.0
+
+Version 4.0.0 adds support for the new Ingress apiVersion **networking.k8s.io/v1**.
+Therefore the `ingress.extraPaths` parameter needs to be updated to the new format.
+See the [v1.22 API deprecations guide](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122) for more information.
+
+For the same reason `service.port` was renamed to `service.portNumber`.
+
+## Configuration
+
+The following table lists the configurable parameters of the oauth2-proxy chart and their default values.
+
+Parameter | Description | Default
+--- | --- | ---
+`affinity` | node/pod affinities | None
+`authenticatedEmailsFile.enabled` | Enables authorize individual email addresses | `false`
+`authenticatedEmailsFile.persistence` | Defines how the email addresses file will be projected, via a configmap or secret | `configmap`
+`authenticatedEmailsFile.template` | Name of the configmap or secret that is handled outside of that chart | `""`
+`authenticatedEmailsFile.restrictedUserAccessKey` | The key of the configmap or secret that holds the email addresses list | `""`
+`authenticatedEmailsFile.restricted_access` | [email addresses](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#email-authentication) list config | `""`
+`authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil`
+`config.clientID` | oauth client ID | `""`
+`config.clientSecret` | oauth client secret | `""`
+`config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` | `""`
+`config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret.yaml) for the required values | `nil`
+`config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""`
+`config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil`
+`config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""`
+`config.google.adminEmail` | user impersonated by the google service account | `""`
+`config.google.serviceAccountJson` | google service account json contents | `""`
+`config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. See [google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil`
+`extraArgs` | key:value list of extra arguments to give the binary | `{}`
+`extraEnv` | key:value list of extra environment variables to give the binary | `[]`
+`extraVolumes` | list of extra volumes | `[]`
+`extraVolumeMounts` | list of extra volumeMounts | `[]`
+`htpasswdFile.enabled` | enable htpasswd-file option | `false`
+`htpasswdFile.entries` | list of [SHA encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#command-line-options) | `{}`
+`htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""`
+`httpScheme` | `http` or `https`. `name` used for port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. | `http`
+`image.pullPolicy` | Image pull policy | `IfNotPresent`
+`image.repository` | Image repository | `quay.io/oauth2-proxy/oauth2-proxy`
+`image.tag` | Image tag | `v7.1.3`
+`imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods)
+`ingress.enabled` | Enable Ingress | `false`
+`ingress.path` | Ingress accepted path | `/`
+`ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific`
+`ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). | `[]`
+`ingress.annotations` | Ingress annotations | `nil`
+`ingress.hosts` | Ingress accepted hostnames | `nil`
+`ingress.tls` | Ingress TLS configuration | `nil`
+`livenessProbe.enabled` | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true`
+`livenessProbe.initialDelaySeconds` | number of seconds | 0
+`livenessProbe.timeoutSeconds` | number of seconds | 1
+`nodeSelector` | node labels for pod assignment | `{}`
+`podAnnotations` | annotations to add to each pod | `{}`
+`podLabels` | additional labesl to add to each pod | `{}`
+`podDisruptionBudget.enabled`| Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true
+`podDisruptionBudget.minAvailable`| minAvailable parameter for PodDisruptionBudget | 1
+`podSecurityContext` | Kubernetes security context to apply to pod | `{}`
+`priorityClassName` | priorityClassName | `nil`
+`readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true`
+`readinessProbe.initialDelaySeconds` | number of seconds | 0
+`readinessProbe.timeoutSeconds` | number of seconds | 1
+`readinessProbe.periodSeconds` | number of seconds | 10
+`readinessProbe.successThreshold` | number of successes | 1
+`replicaCount` | desired number of pods | `1`
+`resources` | pod resource requests & limits | `{}`
+`service.portNumber` | port number for the service | `80`
+`service.type` | type of service | `ClusterIP`
+`service.clusterIP` | cluster ip address | `nil`
+`service.loadBalancerIP` | ip of load balancer | `nil`
+`service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil`
+`serviceAccount.enabled` | create a service account | `true`
+`serviceAccount.name` | the service account name | ``
+`serviceAccount.annotations` | (optional) annotations for the service account | `{}`
+`tolerations` | list of node taints to tolerate | `[]`
+`securityContext.enabled` | enable Kubernetes security context on container | `false`
+`securityContext.runAsNonRoot` | make sure that the container runs as a non-root user | `true`
+`proxyVarsAsSecrets` | choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true`
+`sessionStorage.type` | Session storage type which can be one of the following: cookie or redis | `cookie`
+`sessionStorage.redis.existingSecret` | existing Kubernetes secret to use for redis-password and redis-sentinel-password | `""`
+`sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations | `nil`
+`sessionStorage.redis.clientType` | Allows the user to select which type of client will be used for redis instance. Possible options are: `sentinel`, `cluster` or `standalone` | `standalone`
+`sessionStorage.redis.standalone.connectionUrl` | URL of redis standalone server for redis session storage (e.g. redis://HOST[:PORT]). Automatically generated if not set. | `""`
+`sessionStorage.redis.cluster.connectionUrls` | List of Redis cluster connection URLs (e.g. redis://HOST[:PORT]) | `[]`
+`sessionStorage.redis.sentinel.password` | Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` | `nil`
+`sessionStorage.redis.sentinel.masterName` | Redis sentinel master name | `nil`
+`sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. redis://HOST[:PORT]) | `[]`
+`redis.enabled` | Enable the redis subchart deployment | `false`
+`checkDeprecation` | Enable deprecation checks | `true`
+`metrics.enabled` | Enable Prometheus metrics endpoint | `true`
+`metrics.port` | Serve Prometheus metrics on this port | `44180`
+`metrics.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false`
+`metrics.servicemonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""`
+`metrics.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default`
+`metrics.servicemonitor.interval` | Prometheus scrape interval | `60s`
+`metrics.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s`
+`metrics.servicemonitor.labels` | Add custom labels to the ServiceMonitor resource| `{}`
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+```console
+$ helm install my-release oauth2-proxy/oauth2-proxy \
+ --set=image.tag=v0.0.2,resources.limits.cpu=200m
+```
+
+Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
+
+```console
+$ helm install my-release oauth2-proxy/oauth2-proxy -f values.yaml
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
+
+## TLS Configuration
+
+See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls).
+Use ```values.yaml``` like:
+
+```yaml
+...
+extraArgs:
+ tls-cert-file: /path/to/cert.pem
+ tls-key-file: /path/to/cert.key
+
+extraVolumes:
+ - name: ssl-cert
+ secret:
+ secretName: my-ssl-secret
+
+extraVolumeMounts:
+ - mountPath: /path/to/
+ name: ssl-cert
+...
+```
+
+With a secret called `my-ssl-secret`:
+
+```yaml
+...
+data:
+ cert.pem: AB..==
+ cert.key: CD..==
+```
+
+## Extra environment variable templating
+The extraEnv value supports the tpl function which evaluate strings as templates inside the deployment template.
+This is useful to pass a template string as a value to the chart's extra environment variables and to render external configuration environment values
+
+
+```yaml
+...
+tplValue: "This is a test value for the tpl function"
+extraEnv:
+ - name: TEST_ENV_VAR_1
+ value: test_value_1
+ - name: TEST_ENV_VAR_2
+ value: '{{ .Values.tplValue }}'
+```
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/.helmignore b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/.helmignore
new file mode 100644
index 0000000000000000000000000000000000000000..f0c13194444163d1cba5c67d9e79231a62bc8f44
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/Chart.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/Chart.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d8cf6634600747b3bbcd04807b91d106c8493b22
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+appVersion: 6.0.5
+description: Open source, advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets.
+home: http://redis.io/
+icon: https://bitnami.com/assets/stacks/redis/img/redis-stack-220x234.png
+keywords:
+- redis
+- keyvalue
+- database
+maintainers:
+- email: containers@bitnami.com
+ name: Bitnami
+- email: cedric@desaintmartin.fr
+ name: desaintmartin
+name: redis
+sources:
+- https://github.com/bitnami/bitnami-docker-redis
+version: 10.6.19
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/README.md b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..fa2ee908d107d13663104a8d4f8aa666a5f3205e
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/README.md
@@ -0,0 +1,515 @@
+# Redis
+
+[Redis](http://redis.io/) is an advanced key-value cache and store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets, sorted sets, bitmaps and hyperloglogs.
+
+## TL;DR;
+
+```bash
+# Testing configuration
+$ helm repo add bitnami https://charts.bitnami.com/bitnami
+$ helm install my-release bitnami/redis
+```
+
+```bash
+# Production configuration
+$ helm repo add bitnami https://charts.bitnami.com/bitnami
+$ helm install my-release bitnami/redis --values values-production.yaml
+```
+
+## Introduction
+
+This chart bootstraps a [Redis](https://github.com/bitnami/bitnami-docker-redis) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/).
+
+### Choose between Redis Helm Chart and Redis Cluster Helm Chart
+
+You can choose any of the two Redis Helm charts for deploying a Redis cluster.
+While [Redis Helm Chart](https://github.com/bitnami/charts/tree/master/bitnami/redis) will deploy a master-slave cluster using Redis Sentinel, the [Redis Cluster Helm Chart](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) will deploy a Redis Cluster topology with sharding.
+The main features of each chart are the following:
+
+| Redis | Redis Cluster |
+|-----------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
+| Supports multiple databases | Supports only one database. Better if you have a big dataset |
+| Single write point (single master) | Multiple write points (multiple masters) |
+|  |  |
+
+## Prerequisites
+
+- Kubernetes 1.12+
+- Helm 2.12+ or Helm 3.0-beta3+
+- PV provisioner support in the underlying infrastructure
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```bash
+$ helm install my-release bitnami/redis
+```
+
+The command deploys Redis on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
+
+> **Tip**: List all releases using `helm list`
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```bash
+$ helm delete my-release
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Parameters
+
+The following table lists the configurable parameters of the Redis chart and their default values.
+
+| Parameter | Description | Default |
+|-----------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
+| `global.imageRegistry` | Global Docker image registry | `nil` |
+| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
+| `global.storageClass` | Global storage class for dynamic provisioning | `nil` |
+| `global.redis.password` | Redis password (overrides `password`) | `nil` |
+| `image.registry` | Redis Image registry | `docker.io` |
+| `image.repository` | Redis Image name | `bitnami/redis` |
+| `image.tag` | Redis Image tag | `{TAG_NAME}` |
+| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `image.pullSecrets` | Specify docker-registry secret names as an array | `nil` |
+| `nameOverride` | String to partially override redis.fullname template with a string (will prepend the release name) | `nil` |
+| `fullnameOverride` | String to fully override redis.fullname template with a string | `nil` |
+| `cluster.enabled` | Use master-slave topology | `true` |
+| `cluster.slaveCount` | Number of slaves | `2` |
+| `existingSecret` | Name of existing secret object (for password authentication) | `nil` |
+| `existingSecretPasswordKey` | Name of key containing password to be retrieved from the existing secret | `nil` |
+| `usePassword` | Use password | `true` |
+| `usePasswordFile` | Mount passwords as files instead of environment variables | `false` |
+| `password` | Redis password (ignored if existingSecret set) | Randomly generated |
+| `configmap` | Additional common Redis node configuration (this value is evaluated as a template) | See values.yaml |
+| `clusterDomain` | Kubernetes DNS Domain name to use | `cluster.local` |
+| `networkPolicy.enabled` | Enable NetworkPolicy | `false` |
+| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
+| `networkPolicy.ingressNSMatchLabels` | Allow connections from other namespaces | `{}` |
+| `networkPolicy.ingressNSPodMatchLabels` | For other namespaces match by pod labels and namespace labels | `{}` |
+| `securityContext.enabled` | Enable security context (both redis master and slave pods) | `true` |
+| `securityContext.fsGroup` | Group ID for the container (both redis master and slave pods) | `1001` |
+| `securityContext.runAsUser` | User ID for the container (both redis master and slave pods) | `1001` |
+| `securityContext.sysctls` | Set namespaced sysctls for the container (both redis master and slave pods) | `nil` |
+| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` |
+| `serviceAccount.name` | The name of the ServiceAccount to create | Generated using the fullname template |
+| `rbac.create` | Specifies whether RBAC resources should be created | `false` |
+| `rbac.role.rules` | Rules to create | `[]` |
+| `metrics.enabled` | Start a side-car prometheus exporter | `false` |
+| `metrics.image.registry` | Redis exporter image registry | `docker.io` |
+| `metrics.image.repository` | Redis exporter image name | `bitnami/redis-exporter` |
+| `metrics.image.tag` | Redis exporter image tag | `{TAG_NAME}` |
+| `metrics.image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `nil` |
+| `metrics.extraArgs` | Extra arguments for the binary; possible values [here](https://github.com/oliver006/redis_exporter#flags) | {} |
+| `metrics.podLabels` | Additional labels for Metrics exporter pod | {} |
+| `metrics.podAnnotations` | Additional annotations for Metrics exporter pod | {} |
+| `metrics.resources` | Exporter resource requests/limit | Memory: `256Mi`, CPU: `100m` |
+| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` |
+| `metrics.serviceMonitor.namespace` | Optional namespace which Prometheus is running in | `nil` |
+| `metrics.serviceMonitor.interval` | How frequently to scrape metrics (use by default, falling back to Prometheus' default) | `nil` |
+| `metrics.serviceMonitor.selector` | Default to kube-prometheus install (CoreOS recommended), but should be set according to Prometheus install | `{ prometheus: kube-prometheus }` |
+| `metrics.service.type` | Kubernetes Service type (redis metrics) | `ClusterIP` |
+| `metrics.service.annotations` | Annotations for the services to monitor (redis master and redis slave service) | {} |
+| `metrics.service.labels` | Additional labels for the metrics service | {} |
+| `metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` |
+| `metrics.priorityClassName` | Metrics exporter pod priorityClassName | {} |
+| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` |
+| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` |
+| `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | Same namespace as redis |
+| `metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be created, check values for an example. | `[]` |
+| `persistence.existingClaim` | Provide an existing PersistentVolumeClaim | `nil` |
+| `master.persistence.enabled` | Use a PVC to persist data (master node) | `true` |
+| `master.persistence.path` | Path to mount the volume at, to use other images | `/data` |
+| `master.persistence.subPath` | Subdirectory of the volume to mount at | `""` |
+| `master.persistence.storageClass` | Storage class of backing PVC | `generic` |
+| `master.persistence.accessModes` | Persistent Volume Access Modes | `[ReadWriteOnce]` |
+| `master.persistence.size` | Size of data volume | `8Gi` |
+| `master.persistence.matchLabels` | matchLabels persistent volume selector | `{}` |
+| `master.persistence.matchExpressions` | matchExpressions persistent volume selector | `{}` |
+| `master.statefulset.updateStrategy` | Update strategy for StatefulSet | onDelete |
+| `master.statefulset.rollingUpdatePartition` | Partition update strategy | `nil` |
+| `master.podLabels` | Additional labels for Redis master pod | {} |
+| `master.podAnnotations` | Additional annotations for Redis master pod | {} |
+| `redisPort` | Redis port (in both master and slaves) | `6379` |
+| `master.command` | Redis master entrypoint string. The command `redis-server` is executed if this is not provided. | `/run.sh` |
+| `master.configmap` | Additional Redis configuration for the master nodes (this value is evaluated as a template) | `nil` |
+| `master.disableCommands` | Array of Redis commands to disable (master) | `["FLUSHDB", "FLUSHALL"]` |
+| `master.extraFlags` | Redis master additional command line flags | [] |
+| `master.nodeSelector` | Redis master Node labels for pod assignment | {"beta.kubernetes.io/arch": "amd64"} |
+| `master.tolerations` | Toleration labels for Redis master pod assignment | [] |
+| `master.affinity` | Affinity settings for Redis master pod assignment | {} |
+| `master.schedulerName` | Name of an alternate scheduler | `nil` |
+| `master.service.type` | Kubernetes Service type (redis master) | `ClusterIP` |
+| `master.service.port` | Kubernetes Service port (redis master) | `6379` |
+| `master.service.nodePort` | Kubernetes Service nodePort (redis master) | `nil` |
+| `master.service.annotations` | annotations for redis master service | {} |
+| `master.service.labels` | Additional labels for redis master service | {} |
+| `master.service.loadBalancerIP` | loadBalancerIP if redis master service type is `LoadBalancer` | `nil` |
+| `master.service.loadBalancerSourceRanges` | loadBalancerSourceRanges if redis master service type is `LoadBalancer` | `nil` |
+| `master.resources` | Redis master CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `100m` |
+| `master.livenessProbe.enabled` | Turn on and off liveness probe (redis master pod) | `true` |
+| `master.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated (redis master pod) | `30` |
+| `master.livenessProbe.periodSeconds` | How often to perform the probe (redis master pod) | `30` |
+| `master.livenessProbe.timeoutSeconds` | When the probe times out (redis master pod) | `5` |
+| `master.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis master pod) | `1` |
+| `master.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `5` |
+| `master.readinessProbe.enabled` | Turn on and off readiness probe (redis master pod) | `true` |
+| `master.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated (redis master pod) | `5` |
+| `master.readinessProbe.periodSeconds` | How often to perform the probe (redis master pod) | `10` |
+| `master.readinessProbe.timeoutSeconds` | When the probe times out (redis master pod) | `1` |
+| `master.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis master pod) | `1` |
+| `master.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `5` |
+| `master.priorityClassName` | Redis Master pod priorityClassName | {} |
+| `volumePermissions.enabled` | Enable init container that changes volume permissions in the registry (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` |
+| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
+| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` |
+| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` |
+| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` |
+| `volumePermissions.resources ` | Init container volume-permissions CPU/Memory resource requests/limits | {} |
+| `slave.service.type` | Kubernetes Service type (redis slave) | `ClusterIP` |
+| `slave.service.nodePort` | Kubernetes Service nodePort (redis slave) | `nil` |
+| `slave.service.annotations` | annotations for redis slave service | {} |
+| `slave.service.labels` | Additional labels for redis slave service | {} |
+| `slave.service.port` | Kubernetes Service port (redis slave) | `6379` |
+| `slave.service.loadBalancerIP` | LoadBalancerIP if Redis slave service type is `LoadBalancer` | `nil` |
+| `slave.service.loadBalancerSourceRanges` | loadBalancerSourceRanges if Redis slave service type is `LoadBalancer` | `nil` |
+| `slave.command` | Redis slave entrypoint array. The docker image's ENTRYPOINT is used if this is not provided. | `/run.sh` |
+| `slave.configmap` | Additional Redis configuration for the slave nodes (this value is evaluated as a template) | `nil` |
+| `slave.disableCommands` | Array of Redis commands to disable (slave) | `[FLUSHDB, FLUSHALL]` |
+| `slave.extraFlags` | Redis slave additional command line flags | `[]` |
+| `slave.livenessProbe.enabled` | Turn on and off liveness probe (redis slave pod) | `true` |
+| `slave.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated (redis slave pod) | `30` |
+| `slave.livenessProbe.periodSeconds` | How often to perform the probe (redis slave pod) | `10` |
+| `slave.livenessProbe.timeoutSeconds` | When the probe times out (redis slave pod) | `5` |
+| `slave.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis slave pod) | `1` |
+| `slave.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `5` |
+| `slave.readinessProbe.enabled` | Turn on and off slave.readiness probe (redis slave pod) | `true` |
+| `slave.readinessProbe.initialDelaySeconds` | Delay before slave.readiness probe is initiated (redis slave pod) | `5` |
+| `slave.readinessProbe.periodSeconds` | How often to perform the probe (redis slave pod) | `10` |
+| `slave.readinessProbe.timeoutSeconds` | When the probe times out (redis slave pod) | `10` |
+| `slave.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis slave pod) | `1` |
+| `slave.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. (redis slave pod) | `5` |
+| `slave.persistence.enabled` | Use a PVC to persist data (slave node) | `true` |
+| `slave.persistence.path` | Path to mount the volume at, to use other images | `/data` |
+| `slave.persistence.subPath` | Subdirectory of the volume to mount at | `""` |
+| `slave.persistence.storageClass` | Storage class of backing PVC | `generic` |
+| `slave.persistence.accessModes` | Persistent Volume Access Modes | `[ReadWriteOnce]` |
+| `slave.persistence.size` | Size of data volume | `8Gi` |
+| `slave.persistence.matchLabels` | matchLabels persistent volume selector | `{}` |
+| `slave.persistence.matchExpressions` | matchExpressions persistent volume selector | `{}` |
+| `slave.statefulset.updateStrategy` | Update strategy for StatefulSet | onDelete |
+| `slave.statefulset.rollingUpdatePartition` | Partition update strategy | `nil` |
+| `slave.podLabels` | Additional labels for Redis slave pod | `master.podLabels` |
+| `slave.podAnnotations` | Additional annotations for Redis slave pod | `master.podAnnotations` |
+| `slave.schedulerName` | Name of an alternate scheduler | `nil` |
+| `slave.resources` | Redis slave CPU/Memory resource requests/limits | `{}` |
+| `slave.affinity` | Enable node/pod affinity for slaves | {} |
+| `slave.spreadConstraints` | [Topology Spread Constraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) for Redis slave pod | {} |
+| `slave.priorityClassName` | Redis Slave pod priorityClassName | {} |
+| `sentinel.enabled` | Enable sentinel containers | `false` |
+| `sentinel.usePassword` | Use password for sentinel containers | `true` |
+| `sentinel.masterSet` | Name of the sentinel master set | `mymaster` |
+| `sentinel.initialCheckTimeout` | Timeout for querying the redis sentinel service for the active sentinel list | `5` |
+| `sentinel.quorum` | Quorum for electing a new master | `2` |
+| `sentinel.downAfterMilliseconds` | Timeout for detecting a Redis node is down | `60000` |
+| `sentinel.failoverTimeout` | Timeout for performing a election failover | `18000` |
+| `sentinel.parallelSyncs` | Number of parallel syncs in the cluster | `1` |
+| `sentinel.port` | Redis Sentinel port | `26379` |
+| `sentinel.configmap` | Additional Redis configuration for the sentinel nodes (this value is evaluated as a template) | `nil` |
+| `sentinel.staticID` | Enable static IDs for sentinel replicas (If disabled IDs will be randomly generated on startup) | `false` |
+| `sentinel.service.type` | Kubernetes Service type (redis sentinel) | `ClusterIP` |
+| `sentinel.service.nodePort` | Kubernetes Service nodePort (redis sentinel) | `nil` |
+| `sentinel.service.annotations` | annotations for redis sentinel service | {} |
+| `sentinel.service.labels` | Additional labels for redis sentinel service | {} |
+| `sentinel.service.redisPort` | Kubernetes Service port for Redis read only operations | `6379` |
+| `sentinel.service.sentinelPort` | Kubernetes Service port for Redis sentinel | `26379` |
+| `sentinel.service.redisNodePort` | Kubernetes Service node port for Redis read only operations | `` |
+| `sentinel.service.sentinelNodePort` | Kubernetes Service node port for Redis sentinel | `` |
+| `sentinel.service.loadBalancerIP` | LoadBalancerIP if Redis sentinel service type is `LoadBalancer` | `nil` |
+| `sentinel.livenessProbe.enabled` | Turn on and off liveness probe (redis sentinel pod) | `true` |
+| `sentinel.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated (redis sentinel pod) | `5` |
+| `sentinel.livenessProbe.periodSeconds` | How often to perform the probe (redis sentinel container) | `5` |
+| `sentinel.livenessProbe.timeoutSeconds` | When the probe times out (redis sentinel container) | `5` |
+| `sentinel.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis sentinel container) | `1` |
+| `sentinel.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `5` |
+| `sentinel.readinessProbe.enabled` | Turn on and off sentinel.readiness probe (redis sentinel pod) | `true` |
+| `sentinel.readinessProbe.initialDelaySeconds` | Delay before sentinel.readiness probe is initiated (redis sentinel pod) | `5` |
+| `sentinel.readinessProbe.periodSeconds` | How often to perform the probe (redis sentinel pod) | `5` |
+| `sentinel.readinessProbe.timeoutSeconds` | When the probe times out (redis sentinel container) | `1` |
+| `sentinel.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed (redis sentinel container) | `1` |
+| `sentinel.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. (redis sentinel container) | `5` |
+| `sentinel.resources` | Redis sentinel CPU/Memory resource requests/limits | `{}` |
+| `sentinel.image.registry` | Redis Sentinel Image registry | `docker.io` |
+| `sentinel.image.repository` | Redis Sentinel Image name | `bitnami/redis-sentinel` |
+| `sentinel.image.tag` | Redis Sentinel Image tag | `{TAG_NAME}` |
+| `sentinel.image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `sentinel.image.pullSecrets` | Specify docker-registry secret names as an array | `nil` |
+| `sysctlImage.enabled` | Enable an init container to modify Kernel settings | `false` |
+| `sysctlImage.command` | sysctlImage command to execute | [] |
+| `sysctlImage.registry` | sysctlImage Init container registry | `docker.io` |
+| `sysctlImage.repository` | sysctlImage Init container name | `bitnami/minideb` |
+| `sysctlImage.tag` | sysctlImage Init container tag | `buster` |
+| `sysctlImage.pullPolicy` | sysctlImage Init container pull policy | `Always` |
+| `sysctlImage.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | `false` |
+| `sysctlImage.resources` | sysctlImage Init container CPU/Memory resource requests/limits | {} |
+| `podSecurityPolicy.create` | Specifies whether a PodSecurityPolicy should be created | `false` |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+```bash
+$ helm install my-release \
+ --set password=secretpassword \
+ bitnami/redis
+```
+
+The above command sets the Redis server password to `secretpassword`.
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+
+```bash
+$ helm install my-release -f values.yaml bitnami/redis
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
+
+> **Note for minikube users**: Current versions of minikube (v0.24.1 at the time of writing) provision `hostPath` persistent volumes that are only writable by root. Using chart defaults cause pod failure for the Redis pod as it attempts to write to the `/bitnami` directory. Consider installing Redis with `--set persistence.enabled=false`. See minikube issue [1990](https://github.com/kubernetes/minikube/issues/1990) for more information.
+
+## Configuration and installation details
+
+### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
+
+It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
+
+Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
+
+### Production configuration
+
+This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one.
+
+- Number of slaves:
+```diff
+- cluster.slaveCount: 2
++ cluster.slaveCount: 3
+```
+
+- Enable NetworkPolicy:
+```diff
+- networkPolicy.enabled: false
++ networkPolicy.enabled: true
+```
+
+- Start a side-car prometheus exporter:
+```diff
+- metrics.enabled: false
++ metrics.enabled: true
+```
+
+### Change Redis version
+
+To modify the Redis version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/redis/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters.
+
+### Cluster topologies
+
+#### Default: Master-Slave
+
+When installing the chart with `cluster.enabled=true`, it will deploy a Redis master StatefulSet (only one master node allowed) and a Redis slave StatefulSet. The slaves will be read-replicas of the master. Two services will be exposed:
+
+ - Redis Master service: Points to the master, where read-write operations can be performed
+ - Redis Slave service: Points to the slaves, where only read operations are allowed.
+
+In case the master crashes, the slaves will wait until the master node is respawned again by the Kubernetes Controller Manager.
+
+#### Master-Slave with Sentinel
+
+When installing the chart with `cluster.enabled=true` and `sentinel.enabled=true`, it will deploy a Redis master StatefulSet (only one master allowed) and a Redis slave StatefulSet. In this case, the pods will contain en extra container with Redis Sentinel. This container will form a cluster of Redis Sentinel nodes, which will promote a new master in case the actual one fails. In addition to this, only one service is exposed:
+
+ - Redis service: Exposes port 6379 for Redis read-only operations and port 26379 for accesing Redis Sentinel.
+
+For read-only operations, access the service using port 6379. For write operations, it's necessary to access the Redis Sentinel cluster and query the current master using the command below (using redis-cli or similar:
+
+```
+SENTINEL get-master-addr-by-name <name of your MasterSet. Example: mymaster>
+```
+This command will return the address of the current master, which can be accessed from inside the cluster.
+
+In case the current master crashes, the Sentinel containers will elect a new master node.
+
+### Using password file
+To use a password file for Redis you need to create a secret containing the password.
+
+> *NOTE*: It is important that the file with the password must be called `redis-password`
+
+And then deploy the Helm Chart using the secret name as parameter:
+
+```console
+usePassword=true
+usePasswordFile=true
+existingSecret=redis-password-file
+sentinels.enabled=true
+metrics.enabled=true
+```
+
+### Metrics
+
+The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9121) is exposed in the service. Metrics can be scraped from within the cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). If metrics are to be scraped from outside the cluster, the Kubernetes API proxy can be utilized to access the endpoint.
+
+### Host Kernel Settings
+Redis may require some changes in the kernel of the host machine to work as expected, in particular increasing the `somaxconn` value and disabling transparent huge pages.
+To do so, you can set up a privileged initContainer with the `sysctlImage` config values, for example:
+```
+sysctlImage:
+ enabled: true
+ mountHostSys: true
+ command:
+ - /bin/sh
+ - -c
+ - |-
+ install_packages procps
+ sysctl -w net.core.somaxconn=10000
+ echo never > /host-sys/kernel/mm/transparent_hugepage/enabled
+```
+
+Alternatively, for Kubernetes 1.12+ you can set `securityContext.sysctls` which will configure sysctls for master and slave pods. Example:
+
+```yaml
+securityContext:
+ sysctls:
+ - name: net.core.somaxconn
+ value: "10000"
+```
+
+Note that this will not disable transparent huge tables.
+
+## Persistence
+
+By default, the chart mounts a [Persistent Volume](http://kubernetes.io/docs/user-guide/persistent-volumes/) at the `/data` path. The volume is created using dynamic volume provisioning. If a Persistent Volume Claim already exists, specify it during installation.
+
+### Existing PersistentVolumeClaim
+
+1. Create the PersistentVolume
+2. Create the PersistentVolumeClaim
+3. Install the chart
+
+```bash
+$ helm install my-release --set persistence.existingClaim=PVC_NAME bitnami/redis
+```
+
+## NetworkPolicy
+
+To enable network policy for Redis, install
+[a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin),
+and set `networkPolicy.enabled` to `true`.
+
+For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting
+the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace:
+
+ kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
+
+With NetworkPolicy enabled, only pods with the generated client label will be
+able to connect to Redis. This label will be displayed in the output
+after a successful install.
+
+With `networkPolicy.ingressNSMatchLabels` pods from other namespaces can connect to redis. Set `networkPolicy.ingressNSPodMatchLabels` to match pod labels in matched namespace. For example, for a namespace labeled `redis=external` and pods in that namespace labeled `redis-client=true` the fields should be set:
+
+```
+networkPolicy:
+ enabled: true
+ ingressNSMatchLabels:
+ redis: external
+ ingressNSPodMatchLabels:
+ redis-client: true
+```
+
+## Upgrading an existing Release to a new major version
+
+A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
+incompatible breaking change needing manual actions.
+
+### To 10.0.0
+
+For releases with `usePassword: true`, the value `sentinel.usePassword` controls whether the password authentication also applies to the sentinel port. This defaults to `true` for a secure configuration, however it is possible to disable to account for the following cases:
+* Using a version of redis-sentinel prior to `5.0.1` where the authentication feature was introduced.
+* Where redis clients need to be updated to support sentinel authentication.
+
+If using a master/slave topology, or with `usePassword: false`, no action is required.
+
+### To 8.0.18
+
+For releases with `metrics.enabled: true` the default tag for the exporter image is now `v1.x.x`. This introduces many changes including metrics names. You'll want to use [this dashboard](https://github.com/oliver006/redis_exporter/blob/master/contrib/grafana_prometheus_redis_dashboard.json) now. Please see the [redis_exporter github page](https://github.com/oliver006/redis_exporter#upgrading-from-0x-to-1x) for more details.
+
+### To 7.0.0
+
+This version causes a change in the Redis Master StatefulSet definition, so the command helm upgrade would not work out of the box. As an alternative, one of the following could be done:
+
+ - Recommended: Create a clone of the Redis Master PVC (for example, using projects like [this one](https://github.com/edseymour/pvc-transfer)). Then launch a fresh release reusing this cloned PVC.
+
+ ```
+ helm install my-release bitnami/redis --set persistence.existingClaim=<NEW PVC>
+ ```
+
+ - Alternative (not recommended, do at your own risk): `helm delete --purge` does not remove the PVC assigned to the Redis Master StatefulSet. As a consequence, the following commands can be done to upgrade the release
+
+ ```
+ helm delete --purge <RELEASE>
+ helm install <RELEASE> bitnami/redis
+ ```
+
+Previous versions of the chart were not using persistence in the slaves, so this upgrade would add it to them. Another important change is that no values are inherited from master to slaves. For example, in 6.0.0 `slaves.readinessProbe.periodSeconds`, if empty, would be set to `master.readinessProbe.periodSeconds`. This approach lacked transparency and was difficult to maintain. From now on, all the slave parameters must be configured just as it is done with the masters.
+
+Some values have changed as well:
+
+ - `master.port` and `slave.port` have been changed to `redisPort` (same value for both master and slaves)
+ - `master.securityContext` and `slave.securityContext` have been changed to `securityContext`(same values for both master and slaves)
+
+By default, the upgrade will not change the cluster topology. In case you want to use Redis Sentinel, you must explicitly set `sentinel.enabled` to `true`.
+
+### To 6.0.0
+
+Previous versions of the chart were using an init-container to change the permissions of the volumes. This was done in case the `securityContext` directive in the template was not enough for that (for example, with cephFS). In this new version of the chart, this container is disabled by default (which should not affect most of the deployments). If your installation still requires that init container, execute `helm upgrade` with the `--set volumePermissions.enabled=true`.
+
+### To 5.0.0
+
+The default image in this release may be switched out for any image containing the `redis-server`
+and `redis-cli` binaries. If `redis-server` is not the default image ENTRYPOINT, `master.command`
+must be specified.
+
+#### Breaking changes
+- `master.args` and `slave.args` are removed. Use `master.command` or `slave.command` instead in order to override the image entrypoint, or `master.extraFlags` to pass additional flags to `redis-server`.
+- `disableCommands` is now interpreted as an array of strings instead of a string of comma separated values.
+- `master.persistence.path` now defaults to `/data`.
+
+### 4.0.0
+
+This version removes the `chart` label from the `spec.selector.matchLabels`
+which is immutable since `StatefulSet apps/v1beta2`. It has been inadvertently
+added, causing any subsequent upgrade to fail. See https://github.com/helm/charts/issues/7726.
+
+It also fixes https://github.com/helm/charts/issues/7726 where a deployment `extensions/v1beta1` can not be upgraded if `spec.selector` is not explicitly set.
+
+Finally, it fixes https://github.com/helm/charts/issues/7803 by removing mutable labels in `spec.VolumeClaimTemplate.metadata.labels` so that it is upgradable.
+
+In order to upgrade, delete the Redis StatefulSet before upgrading:
+```bash
+$ kubectl delete statefulsets.apps --cascade=false my-release-redis-master
+```
+And edit the Redis slave (and metrics if enabled) deployment:
+```bash
+kubectl patch deployments my-release-redis-slave --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]'
+kubectl patch deployments my-release-redis-metrics --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]'
+```
+
+## Notable changes
+
+### 9.0.0
+The metrics exporter has been changed from a separate deployment to a sidecar container, due to the latest changes in the Redis exporter code. Check the [official page](https://github.com/oliver006/redis_exporter/) for more information. The metrics container image was changed from oliver006/redis_exporter to bitnami/redis-exporter (Bitnami's maintained package of oliver006/redis_exporter).
+
+### 7.0.0
+In order to improve the performance in case of slave failure, we added persistence to the read-only slaves. That means that we moved from Deployment to StatefulSets. This should not affect upgrades from previous versions of the chart, as the deployments did not contain any persistence at all.
+
+This version also allows enabling Redis Sentinel containers inside of the Redis Pods (feature disabled by default). In case the master crashes, a new Redis node will be elected as master. In order to query the current master (no redis master service is exposed), you need to query first the Sentinel cluster. Find more information [in this section](#master-slave-with-sentinel).
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/ci/extra-flags-values.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/ci/extra-flags-values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..71132f76e1963675cdb204915f9849e778e0f241
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/ci/extra-flags-values.yaml
@@ -0,0 +1,11 @@
+master:
+ extraFlags:
+ - --maxmemory-policy allkeys-lru
+ persistence:
+ enabled: false
+slave:
+ extraFlags:
+ - --maxmemory-policy allkeys-lru
+ persistence:
+ enabled: false
+usePassword: false
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/ci/production-sentinel-values.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/ci/production-sentinel-values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..afa5c485cbd2c7b5c0c4cf11c0a4b60ccf78993a
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/ci/production-sentinel-values.yaml
@@ -0,0 +1,682 @@
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry and imagePullSecrets
+##
+global:
+ # imageRegistry: myRegistryName
+ # imagePullSecrets:
+ # - myRegistryKeySecretName
+ # storageClass: myStorageClass
+ redis: {}
+
+## Bitnami Redis image version
+## ref: https://hub.docker.com/r/bitnami/redis/tags/
+##
+image:
+ registry: docker.io
+ repository: bitnami/redis
+ ## Bitnami Redis image tag
+ ## ref: https://github.com/bitnami/bitnami-docker-redis#supported-tags-and-respective-dockerfile-links
+ ##
+ tag: 5.0.9-debian-10-r0
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+
+## String to partially override redis.fullname template (will maintain the release name)
+##
+# nameOverride:
+
+## String to fully override redis.fullname template
+##
+# fullnameOverride:
+
+## Cluster settings
+cluster:
+ enabled: true
+ slaveCount: 3
+
+## Use redis sentinel in the redis pod. This will disable the master and slave services and
+## create one redis service with ports to the sentinel and the redis instances
+sentinel:
+ enabled: true
+ ## Require password authentication on the sentinel itself
+ ## ref: https://redis.io/topics/sentinel
+ usePassword: true
+ ## Bitnami Redis Sentintel image version
+ ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/redis-sentinel
+ ## Bitnami Redis image tag
+ ## ref: https://github.com/bitnami/bitnami-docker-redis-sentinel#supported-tags-and-respective-dockerfile-links
+ ##
+ tag: 5.0.9-debian-10-r0
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ masterSet: mymaster
+ initialCheckTimeout: 5
+ quorum: 2
+ downAfterMilliseconds: 60000
+ failoverTimeout: 18000
+ parallelSyncs: 1
+ port: 26379
+ ## Additional Redis configuration for the sentinel nodes
+ ## ref: https://redis.io/topics/config
+ ##
+ configmap:
+ ## Enable or disable static sentinel IDs for each replicas
+ ## If disabled each sentinel will generate a random id at startup
+ ## If enabled, each replicas will have a constant ID on each start-up
+ ##
+ staticID: false
+ ## Configure extra options for Redis Sentinel liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 5
+ customLivenessProbe: {}
+ customReadinessProbe: {}
+ ## Redis Sentinel resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 100m
+ ## Redis Sentinel Service properties
+ service:
+ ## Redis Sentinel Service type
+ type: ClusterIP
+ sentinelPort: 26379
+ redisPort: 6379
+
+ ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ # sentinelNodePort:
+ # redisNodePort:
+
+ ## Provide any additional annotations which may be required. This can be used to
+ ## set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ labels: {}
+ loadBalancerIP:
+
+## Specifies the Kubernetes Cluster's Domain Name.
+##
+clusterDomain: cluster.local
+
+networkPolicy:
+ ## Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## client label will have network access to the port Redis is listening
+ ## on. When true, Redis will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ # allowExternal: true
+
+ ## Allow connections from other namespacess. Just set label for namespace and set label for pods (optional).
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
+
+serviceAccount:
+ ## Specifies whether a ServiceAccount should be created
+ ##
+ create: false
+ ## The name of the ServiceAccount to use.
+ ## If not set and create is true, a name is generated using the fullname template
+ name:
+
+rbac:
+ ## Specifies whether RBAC resources should be created
+ ##
+ create: false
+
+ role:
+ ## Rules to create. It follows the role specification
+ # rules:
+ # - apiGroups:
+ # - extensions
+ # resources:
+ # - podsecuritypolicies
+ # verbs:
+ # - use
+ # resourceNames:
+ # - gce.unprivileged
+ rules: []
+
+## Redis pod Security Context
+securityContext:
+ enabled: true
+ fsGroup: 1001
+ runAsUser: 1001
+ ## sysctl settings for master and slave pods
+ ##
+ ## Uncomment the setting below to increase the net.core.somaxconn value
+ ##
+ # sysctls:
+ # - name: net.core.somaxconn
+ # value: "10000"
+
+## Use password authentication
+usePassword: true
+## Redis password (both master and slave)
+## Defaults to a random 10-character alphanumeric string if not set and usePassword is true
+## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run
+##
+password:
+## Use existing secret (ignores previous password)
+# existingSecret:
+## Password key to be retrieved from Redis secret
+##
+# existingSecretPasswordKey:
+
+## Mount secrets as files instead of environment variables
+usePasswordFile: false
+
+## Persist data to a persistent volume (Redis Master)
+persistence:
+ ## A manually managed Persistent Volume and Claim
+ ## Requires persistence.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ existingClaim:
+
+# Redis port
+redisPort: 6379
+
+##
+## Redis Master parameters
+##
+master:
+ ## Redis command arguments
+ ##
+ ## Can be used to specify command line arguments, for example:
+ ##
+ command: "/run.sh"
+ ## Additional Redis configuration for the master nodes
+ ## ref: https://redis.io/topics/config
+ ##
+ configmap:
+ ## Redis additional command line flags
+ ##
+ ## Can be used to specify command line flags, for example:
+ ##
+ ## extraFlags:
+ ## - "--maxmemory-policy volatile-ttl"
+ ## - "--repl-backlog-size 1024mb"
+ extraFlags: []
+ ## Comma-separated list of Redis commands to disable
+ ##
+ ## Can be used to disable Redis commands for security reasons.
+ ## Commands will be completely disabled by renaming each to an empty string.
+ ## ref: https://redis.io/topics/security#disabling-of-specific-commands
+ ##
+ disableCommands:
+ - FLUSHDB
+ - FLUSHALL
+
+ ## Redis Master additional pod labels and annotations
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ podLabels: {}
+ podAnnotations: {}
+
+ ## Redis Master resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 100m
+ ## Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ # schedulerName:
+
+ ## Configure extra options for Redis Master liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 5
+
+ ## Configure custom probes for images other images like
+ ## rhscl/redis-32-rhel7 rhscl/redis-5-rhel7
+ ## Only used if readinessProbe.enabled: false / livenessProbe.enabled: false
+ ##
+ # customLivenessProbe:
+ # tcpSocket:
+ # port: 6379
+ # initialDelaySeconds: 10
+ # periodSeconds: 5
+ # customReadinessProbe:
+ # initialDelaySeconds: 30
+ # periodSeconds: 10
+ # timeoutSeconds: 5
+ # exec:
+ # command:
+ # - "container-entrypoint"
+ # - "bash"
+ # - "-c"
+ # - "redis-cli set liveness-probe \"`date`\" | grep OK"
+ customLivenessProbe: {}
+ customReadinessProbe: {}
+
+ ## Redis Master Node selectors and tolerations for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
+ ##
+ # nodeSelector: {"beta.kubernetes.io/arch": "amd64"}
+ # tolerations: []
+ ## Redis Master pod/node affinity/anti-affinity
+ ##
+ affinity: {}
+
+ ## Redis Master Service properties
+ service:
+ ## Redis Master Service type
+ type: ClusterIP
+ port: 6379
+
+ ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ # nodePort:
+
+ ## Provide any additional annotations which may be required. This can be used to
+ ## set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ labels: {}
+ loadBalancerIP:
+ # loadBalancerSourceRanges: ["10.0.0.0/8"]
+
+ ## Enable persistence using Persistent Volume Claims
+ ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ persistence:
+ enabled: true
+ ## The path the volume will be mounted at, useful when using different
+ ## Redis images.
+ path: /data
+ ## The subdirectory of the volume to mount to, useful in dev environments
+ ## and one PV for multiple services.
+ subPath: ""
+ ## redis data Persistent Volume Storage Class
+ ## If defined, storageClassName: <storageClass>
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ # storageClass: "-"
+ accessModes:
+ - ReadWriteOnce
+ size: 8Gi
+ ## Persistent Volume selectors
+ ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector
+ matchLabels: {}
+ matchExpressions: {}
+
+ ## Update strategy, can be set to RollingUpdate or onDelete by default.
+ ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ statefulset:
+ updateStrategy: RollingUpdate
+ ## Partition update strategy
+ ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
+ # rollingUpdatePartition:
+
+ ## Redis Master pod priorityClassName
+ ##
+ priorityClassName: {}
+
+##
+## Redis Slave properties
+## Note: service.type is a mandatory parameter
+## The rest of the parameters are either optional or, if undefined, will inherit those declared in Redis Master
+##
+slave:
+ ## Slave Service properties
+ service:
+ ## Redis Slave Service type
+ type: ClusterIP
+ ## Redis port
+ port: 6379
+ ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ # nodePort:
+
+ ## Provide any additional annotations which may be required. This can be used to
+ ## set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ labels: {}
+ loadBalancerIP:
+ # loadBalancerSourceRanges: ["10.0.0.0/8"]
+
+ ## Redis slave port
+ port: 6379
+ ## Can be used to specify command line arguments, for example:
+ ##
+ command: "/run.sh"
+ ## Additional Redis configuration for the slave nodes
+ ## ref: https://redis.io/topics/config
+ ##
+ configmap:
+ ## Redis extra flags
+ extraFlags: []
+ ## List of Redis commands to disable
+ disableCommands:
+ - FLUSHDB
+ - FLUSHALL
+
+ ## Redis Slave pod/node affinity/anti-affinity
+ ##
+ affinity: {}
+
+ ## Configure extra options for Redis Slave liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 10
+ successThreshold: 1
+ failureThreshold: 5
+
+ ## Configure custom probes for images other images like
+ ## rhscl/redis-32-rhel7 rhscl/redis-5-rhel7
+ ## Only used if readinessProbe.enabled: false / livenessProbe.enabled: false
+ ##
+ # customLivenessProbe:
+ # tcpSocket:
+ # port: 6379
+ # initialDelaySeconds: 10
+ # periodSeconds: 5
+ # customReadinessProbe:
+ # initialDelaySeconds: 30
+ # periodSeconds: 10
+ # timeoutSeconds: 5
+ # exec:
+ # command:
+ # - "container-entrypoint"
+ # - "bash"
+ # - "-c"
+ # - "redis-cli set liveness-probe \"`date`\" | grep OK"
+ customLivenessProbe: {}
+ customReadinessProbe: {}
+
+ ## Redis slave Resource
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 100m
+
+ ## Redis slave selectors and tolerations for pod assignment
+ # nodeSelector: {"beta.kubernetes.io/arch": "amd64"}
+ # tolerations: []
+
+ ## Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ # schedulerName:
+
+ ## Redis slave pod Annotation and Labels
+ podLabels: {}
+ podAnnotations: {}
+
+ ## Redis slave pod priorityClassName
+ # priorityClassName: {}
+
+ ## Enable persistence using Persistent Volume Claims
+ ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ persistence:
+ enabled: true
+ ## The path the volume will be mounted at, useful when using different
+ ## Redis images.
+ path: /data
+ ## The subdirectory of the volume to mount to, useful in dev environments
+ ## and one PV for multiple services.
+ subPath: ""
+ ## redis data Persistent Volume Storage Class
+ ## If defined, storageClassName: <storageClass>
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ # storageClass: "-"
+ accessModes:
+ - ReadWriteOnce
+ size: 8Gi
+ ## Persistent Volume selectors
+ ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector
+ matchLabels: {}
+ matchExpressions: {}
+
+ ## Update strategy, can be set to RollingUpdate or onDelete by default.
+ ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ statefulset:
+ updateStrategy: RollingUpdate
+ ## Partition update strategy
+ ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
+ # rollingUpdatePartition:
+
+## Prometheus Exporter / Metrics
+##
+metrics:
+ enabled: true
+
+ image:
+ registry: docker.io
+ repository: bitnami/redis-exporter
+ tag: 1.5.3-debian-10-r14
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+
+ ## Metrics exporter resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ # resources: {}
+
+ ## Extra arguments for Metrics exporter, for example:
+ ## extraArgs:
+ ## check-keys: myKey,myOtherKey
+ # extraArgs: {}
+
+ ## Metrics exporter pod Annotation and Labels
+ podAnnotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9121"
+ # podLabels: {}
+
+ # Enable this if you're using https://github.com/coreos/prometheus-operator
+ serviceMonitor:
+ enabled: false
+ ## Specify a namespace if needed
+ # namespace: monitoring
+ # fallback to the prometheus default unless specified
+ # interval: 10s
+ ## Defaults to what's used if you follow CoreOS [Prometheus Install Instructions](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#tldr)
+ ## [Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-operator-1)
+ ## [Kube Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#exporters)
+ selector:
+ prometheus: kube-prometheus
+
+ ## Custom PrometheusRule to be defined
+ ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
+ ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
+ prometheusRule:
+ enabled: false
+ additionalLabels: {}
+ namespace: ""
+ ## Redis prometheus rules
+ ## These are just examples rules, please adapt them to your needs.
+ ## Make sure to constraint the rules to the current postgresql service.
+ # rules:
+ # - alert: RedisDown
+ # expr: redis_up{service="{{ template "redis.fullname" . }}-metrics"} == 0
+ # for: 2m
+ # labels:
+ # severity: error
+ # annotations:
+ # summary: Redis instance {{ "{{ $labels.instance }}" }} down
+ # description: Redis instance {{ "{{ $labels.instance }}" }} is down
+ # - alert: RedisMemoryHigh
+ # expr: >
+ # redis_memory_used_bytes{service="{{ template "redis.fullname" . }}-metrics"} * 100
+ # /
+ # redis_memory_max_bytes{service="{{ template "redis.fullname" . }}-metrics"}
+ # > 90 =< 100
+ # for: 2m
+ # labels:
+ # severity: error
+ # annotations:
+ # summary: Redis instance {{ "{{ $labels.instance }}" }} is using too much memory
+ # description: |
+ # Redis instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory.
+ # - alert: RedisKeyEviction
+ # expr: |
+ # increase(redis_evicted_keys_total{service="{{ template "redis.fullname" . }}-metrics"}[5m]) > 0
+ # for: 1s
+ # labels:
+ # severity: error
+ # annotations:
+ # summary: Redis instance {{ "{{ $labels.instance }}" }} has evicted keys
+ # description: |
+ # Redis instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes.
+ rules: []
+
+ ## Metrics exporter pod priorityClassName
+ # priorityClassName: {}
+ service:
+ type: ClusterIP
+ ## Use serviceLoadBalancerIP to request a specific static IP,
+ ## otherwise leave blank
+ # loadBalancerIP:
+ annotations: {}
+ labels: {}
+
+##
+## Init containers parameters:
+## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup
+##
+volumePermissions:
+ enabled: false
+ image:
+ registry: docker.io
+ repository: bitnami/minideb
+ tag: buster
+ pullPolicy: Always
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ resources: {}
+ # resources:
+ # requests:
+ # memory: 128Mi
+ # cpu: 100m
+
+## Redis config file
+## ref: https://redis.io/topics/config
+##
+configmap: |-
+ # Enable AOF https://redis.io/topics/persistence#append-only-file
+ appendonly yes
+ # Disable RDB persistence, AOF persistence already enabled.
+ save ""
+
+## Sysctl InitContainer
+## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings)
+sysctlImage:
+ enabled: false
+ command: []
+ registry: docker.io
+ repository: bitnami/minideb
+ tag: buster
+ pullPolicy: Always
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ mountHostSys: false
+ resources: {}
+ # resources:
+ # requests:
+ # memory: 128Mi
+ # cpu: 100m
+
+## PodSecurityPolicy configuration
+## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+##
+podSecurityPolicy:
+ ## Specifies whether a PodSecurityPolicy should be created
+ ##
+ create: false
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/img/redis-cluster-topology.png b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/img/redis-cluster-topology.png
new file mode 100644
index 0000000000000000000000000000000000000000..f0a02a9f8835381302731c9cb000b2835a45e7c9
Binary files /dev/null and b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/img/redis-cluster-topology.png differ
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/img/redis-topology.png b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/img/redis-topology.png
new file mode 100644
index 0000000000000000000000000000000000000000..3f5280febe6761d34d6a70fba1190fbe09208997
Binary files /dev/null and b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/img/redis-topology.png differ
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/NOTES.txt b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/NOTES.txt
new file mode 100644
index 0000000000000000000000000000000000000000..35a0c4a16bf2585c332a768244f55a4ca61c773e
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/NOTES.txt
@@ -0,0 +1,106 @@
+** Please be patient while the chart is being deployed **
+
+{{- if contains .Values.master.service.type "LoadBalancer" }}
+{{- if not .Values.usePassword }}
+{{ if and (not .Values.networkPolicy.enabled) (.Values.networkPolicy.allowExternal) }}
+
+-------------------------------------------------------------------------------
+ WARNING
+
+ By specifying "master.service.type=LoadBalancer" and "usePassword=false" you have
+ most likely exposed the Redis service externally without any authentication
+ mechanism.
+
+ For security reasons, we strongly suggest that you switch to "ClusterIP" or
+ "NodePort". As alternative, you can also switch to "usePassword=true"
+ providing a valid password on "password" parameter.
+
+-------------------------------------------------------------------------------
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.cluster.enabled }}
+{{- if .Values.sentinel.enabled }}
+Redis can be accessed via port {{ .Values.sentinel.service.redisPort }} on the following DNS name from within your cluster:
+
+{{ template "redis.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read only operations
+
+For read/write operations, first access the Redis Sentinel cluster, which is available in port {{ .Values.sentinel.service.sentinelPort }} using the same domain name above.
+
+{{- else }}
+Redis can be accessed via port {{ .Values.redisPort }} on the following DNS names from within your cluster:
+
+{{ template "redis.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read/write operations
+{{ template "redis.fullname" . }}-slave.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read-only operations
+{{- end }}
+
+{{- else }}
+Redis can be accessed via port {{ .Values.redisPort }} on the following DNS name from within your cluster:
+
+{{ template "redis.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
+
+{{- end }}
+
+{{ if .Values.usePassword }}
+To get your password run:
+
+ export REDIS_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "redis.secretName" . }} -o jsonpath="{.data.redis-password}" | base64 --decode)
+{{- end }}
+
+To connect to your Redis server:
+
+1. Run a Redis pod that you can use as a client:
+
+ kubectl run --namespace {{ .Release.Namespace }} {{ template "redis.fullname" . }}-client --rm --tty -i --restart='Never' \
+ {{ if .Values.usePassword }} --env REDIS_PASSWORD=$REDIS_PASSWORD \{{ end }}
+ {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}--labels="{{ template "redis.fullname" . }}-client=true" \{{- end }}
+ --image {{ template "redis.image" . }} -- bash
+
+2. Connect using the Redis CLI:
+
+{{- if .Values.cluster.enabled }}
+ {{- if .Values.sentinel.enabled }}
+ redis-cli -h {{ template "redis.fullname" . }} -p {{ .Values.sentinel.service.redisPort }}{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} # Read only operations
+ redis-cli -h {{ template "redis.fullname" . }} -p {{ .Values.sentinel.service.sentinelPort }}{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }} # Sentinel access
+ {{- else }}
+ redis-cli -h {{ template "redis.fullname" . }}-master{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }}
+ redis-cli -h {{ template "redis.fullname" . }}-slave{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }}
+ {{- end }}
+{{- else }}
+ redis-cli -h {{ template "redis.fullname" . }}-master{{ if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }}
+{{- end }}
+
+{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
+Note: Since NetworkPolicy is enabled, only pods with label
+{{ template "redis.fullname" . }}-client=true"
+will be able to connect to redis.
+{{- else -}}
+
+To connect to your database from outside the cluster execute the following commands:
+
+{{- if contains "NodePort" .Values.master.service.type }}
+
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "redis.fullname" . }}-master)
+ redis-cli -h $NODE_IP -p $NODE_PORT {{- if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }}
+
+{{- else if contains "LoadBalancer" .Values.master.service.type }}
+
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "redis.fullname" . }}'
+
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "redis.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+ redis-cli -h $SERVICE_IP -p {{ .Values.master.service.port }} {{- if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }}
+
+{{- else if contains "ClusterIP" .Values.master.service.type }}
+
+ kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "redis.fullname" . }}-master {{ .Values.redisPort }}:{{ .Values.redisPort }} &
+ redis-cli -h 127.0.0.1 -p {{ .Values.redisPort }} {{- if .Values.usePassword }} -a $REDIS_PASSWORD{{ end }}
+
+{{- end }}
+{{- end }}
+
+{{ include "redis.checkRollingTags" . }}
+
+{{- include "redis.validateValues" . }}
\ No newline at end of file
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/_helpers.tpl b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/_helpers.tpl
new file mode 100644
index 0000000000000000000000000000000000000000..47f52a33457559bea21ccc5988d0db00a571222d
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/_helpers.tpl
@@ -0,0 +1,378 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "redis.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Expand the chart plus release name (used by the chart label)
+*/}}
+{{- define "redis.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "redis.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for networkpolicy.
+*/}}
+{{- define "networkPolicy.apiVersion" -}}
+{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- print "extensions/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiGroup for PodSecurityPolicy.
+*/}}
+{{- define "podSecurityPolicy.apiGroup" -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- print "policy" -}}
+{{- else -}}
+{{- print "extensions" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for PodSecurityPolicy.
+*/}}
+{{- define "podSecurityPolicy.apiVersion" -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- print "policy/v1beta1" -}}
+{{- else -}}
+{{- print "extensions/v1beta1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper Redis image name
+*/}}
+{{- define "redis.image" -}}
+{{- $registryName := .Values.image.registry -}}
+{{- $repositoryName := .Values.image.repository -}}
+{{- $tag := .Values.image.tag | toString -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
+Also, we can't use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+ {{- if .Values.global.imageRegistry }}
+ {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
+ {{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+ {{- end -}}
+{{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper Redis Sentinel image name
+*/}}
+{{- define "sentinel.image" -}}
+{{- $registryName := .Values.sentinel.image.registry -}}
+{{- $repositoryName := .Values.sentinel.image.repository -}}
+{{- $tag := .Values.sentinel.image.tag | toString -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
+Also, we can't use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+ {{- if .Values.global.imageRegistry }}
+ {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
+ {{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+ {{- end -}}
+{{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper image name (for the metrics image)
+*/}}
+{{- define "redis.metrics.image" -}}
+{{- $registryName := .Values.metrics.image.registry -}}
+{{- $repositoryName := .Values.metrics.image.repository -}}
+{{- $tag := .Values.metrics.image.tag | toString -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
+Also, we can't use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+ {{- if .Values.global.imageRegistry }}
+ {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
+ {{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+ {{- end -}}
+{{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper image name (for the init container volume-permissions image)
+*/}}
+{{- define "redis.volumePermissions.image" -}}
+{{- $registryName := .Values.volumePermissions.image.registry -}}
+{{- $repositoryName := .Values.volumePermissions.image.repository -}}
+{{- $tag := .Values.volumePermissions.image.tag | toString -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
+Also, we can't use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+ {{- if .Values.global.imageRegistry }}
+ {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
+ {{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+ {{- end -}}
+{{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "redis.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "redis.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the password secret.
+*/}}
+{{- define "redis.secretName" -}}
+{{- if .Values.existingSecret -}}
+{{- printf "%s" .Values.existingSecret -}}
+{{- else -}}
+{{- printf "%s" (include "redis.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the password key to be retrieved from Redis secret.
+*/}}
+{{- define "redis.secretPasswordKey" -}}
+{{- if and .Values.existingSecret .Values.existingSecretPasswordKey -}}
+{{- printf "%s" .Values.existingSecretPasswordKey -}}
+{{- else -}}
+{{- printf "redis-password" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return Redis password
+*/}}
+{{- define "redis.password" -}}
+{{- if not (empty .Values.global.redis.password) }}
+ {{- .Values.global.redis.password -}}
+{{- else if not (empty .Values.password) -}}
+ {{- .Values.password -}}
+{{- else -}}
+ {{- randAlphaNum 10 -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return sysctl image
+*/}}
+{{- define "redis.sysctl.image" -}}
+{{- $registryName := default "docker.io" .Values.sysctlImage.registry -}}
+{{- $repositoryName := .Values.sysctlImage.repository -}}
+{{- $tag := default "buster" .Values.sysctlImage.tag | toString -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
+Also, we can't use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+ {{- if .Values.global.imageRegistry }}
+ {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
+ {{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+ {{- end -}}
+{{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "redis.imagePullSecrets" -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
+Also, we can not use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.sysctlImage.pullSecrets .Values.volumePermissions.image.pullSecrets }}
+imagePullSecrets:
+{{- range .Values.image.pullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- range .Values.metrics.image.pullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- range .Values.sysctlImage.pullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- range .Values.volumePermissions.image.pullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end -}}
+{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.sysctlImage.pullSecrets .Values.volumePermissions.image.pullSecrets }}
+imagePullSecrets:
+{{- range .Values.image.pullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- range .Values.metrics.image.pullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- range .Values.sysctlImage.pullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- range .Values.volumePermissions.image.pullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/* Check if there are rolling tags in the images */}}
+{{- define "redis.checkRollingTags" -}}
+{{- if and (contains "bitnami/" .Values.image.repository) (not (.Values.image.tag | toString | regexFind "-r\\d+$|sha256:")) }}
+WARNING: Rolling tag detected ({{ .Values.image.repository }}:{{ .Values.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
+{{- end }}
+{{- if and (contains "bitnami/" .Values.sentinel.image.repository) (not (.Values.sentinel.image.tag | toString | regexFind "-r\\d+$|sha256:")) }}
+WARNING: Rolling tag detected ({{ .Values.sentinel.image.repository }}:{{ .Values.sentinel.image.tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
+{{- end }}
+{{- end -}}
+
+{{/*
+Return the proper Storage Class for master
+*/}}
+{{- define "redis.master.storageClass" -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
+*/}}
+{{- if .Values.global -}}
+ {{- if .Values.global.storageClass -}}
+ {{- if (eq "-" .Values.global.storageClass) -}}
+ {{- printf "storageClassName: \"\"" -}}
+ {{- else }}
+ {{- printf "storageClassName: %s" .Values.global.storageClass -}}
+ {{- end -}}
+ {{- else -}}
+ {{- if .Values.master.persistence.storageClass -}}
+ {{- if (eq "-" .Values.master.persistence.storageClass) -}}
+ {{- printf "storageClassName: \"\"" -}}
+ {{- else }}
+ {{- printf "storageClassName: %s" .Values.master.persistence.storageClass -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- else -}}
+ {{- if .Values.master.persistence.storageClass -}}
+ {{- if (eq "-" .Values.master.persistence.storageClass) -}}
+ {{- printf "storageClassName: \"\"" -}}
+ {{- else }}
+ {{- printf "storageClassName: %s" .Values.master.persistence.storageClass -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper Storage Class for slave
+*/}}
+{{- define "redis.slave.storageClass" -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
+*/}}
+{{- if .Values.global -}}
+ {{- if .Values.global.storageClass -}}
+ {{- if (eq "-" .Values.global.storageClass) -}}
+ {{- printf "storageClassName: \"\"" -}}
+ {{- else }}
+ {{- printf "storageClassName: %s" .Values.global.storageClass -}}
+ {{- end -}}
+ {{- else -}}
+ {{- if .Values.slave.persistence.storageClass -}}
+ {{- if (eq "-" .Values.slave.persistence.storageClass) -}}
+ {{- printf "storageClassName: \"\"" -}}
+ {{- else }}
+ {{- printf "storageClassName: %s" .Values.slave.persistence.storageClass -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- else -}}
+ {{- if .Values.slave.persistence.storageClass -}}
+ {{- if (eq "-" .Values.slave.persistence.storageClass) -}}
+ {{- printf "storageClassName: \"\"" -}}
+ {{- else }}
+ {{- printf "storageClassName: %s" .Values.slave.persistence.storageClass -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Compile all warnings into a single message, and call fail.
+*/}}
+{{- define "redis.validateValues" -}}
+{{- $messages := list -}}
+{{- $messages := append $messages (include "redis.validateValues.spreadConstraints" .) -}}
+{{- $messages := without $messages "" -}}
+{{- $message := join "\n" $messages -}}
+
+{{- if $message -}}
+{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Validate values of Redis - spreadConstrainsts K8s version */}}
+{{- define "redis.validateValues.spreadConstraints" -}}
+{{- if and (semverCompare "<1.16-0" .Capabilities.KubeVersion.GitVersion) .Values.slave.spreadConstraints -}}
+redis: spreadConstraints
+ Pod Topology Spread Constraints are only available on K8s >= 1.16
+ Find more information at https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/configmap.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/configmap.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..092fb948e80a9f91ca4f3aaa6d6e90289ba46a0d
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/configmap.yaml
@@ -0,0 +1,53 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+data:
+ redis.conf: |-
+{{- if .Values.configmap }}
+ # User-supplied configuration:
+{{- tpl .Values.configmap . | nindent 4 }}
+{{- end }}
+ master.conf: |-
+ dir {{ .Values.master.persistence.path }}
+{{- if .Values.master.configmap }}
+ # User-supplied master configuration:
+{{- tpl .Values.master.configmap . | nindent 4 }}
+{{- end }}
+{{- if .Values.master.disableCommands }}
+{{- range .Values.master.disableCommands }}
+ rename-command {{ . }} ""
+{{- end }}
+{{- end }}
+ replica.conf: |-
+ dir {{ .Values.slave.persistence.path }}
+ slave-read-only yes
+{{- if .Values.slave.configmap }}
+ # User-supplied slave configuration:
+{{- tpl .Values.slave.configmap . | nindent 4 }}
+{{- end }}
+{{- if .Values.slave.disableCommands }}
+{{- range .Values.slave.disableCommands }}
+ rename-command {{ . }} ""
+{{- end }}
+{{- end }}
+{{- if .Values.sentinel.enabled }}
+ sentinel.conf: |-
+ dir "/tmp"
+ bind 0.0.0.0
+ port {{ .Values.sentinel.port }}
+ sentinel monitor {{ .Values.sentinel.masterSet }} {{ template "redis.fullname" . }}-master-0.{{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} {{ .Values.redisPort }} {{ .Values.sentinel.quorum }}
+ sentinel down-after-milliseconds {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.downAfterMilliseconds }}
+ sentinel failover-timeout {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.failoverTimeout }}
+ sentinel parallel-syncs {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.parallelSyncs }}
+{{- if .Values.sentinel.configmap }}
+ # User-supplied sentinel configuration:
+{{- tpl .Values.sentinel.configmap . | nindent 4 }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/headless-svc.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/headless-svc.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..549a05d3ca05078de2425ed4bb41a40dc2a5e0ba
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/headless-svc.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "redis.fullname" . }}-headless
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: ClusterIP
+ clusterIP: None
+ ports:
+ - name: redis
+ port: {{ .Values.redisPort }}
+ targetPort: redis
+ {{- if .Values.sentinel.enabled }}
+ - name: redis-sentinel
+ port: {{ .Values.sentinel.port }}
+ targetPort: redis-sentinel
+ {{- end }}
+ selector:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/health-configmap.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/health-configmap.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..faa45176e3cabc2f8531ce13d4fe498050f1feb8
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/health-configmap.yaml
@@ -0,0 +1,155 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "redis.fullname" . }}-health
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+data:
+ ping_readiness_local.sh: |-
+ #!/bin/bash
+{{- if .Values.usePasswordFile }}
+ password_aux=`cat ${REDIS_PASSWORD_FILE}`
+ export REDIS_PASSWORD=$password_aux
+{{- end }}
+{{- if .Values.usePassword }}
+ no_auth_warning=$([[ "$(redis-cli --version)" =~ (redis-cli 5.*) ]] && echo --no-auth-warning)
+{{- end }}
+ response=$(
+ timeout -s 3 $1 \
+ redis-cli \
+{{- if .Values.usePassword }}
+ -a $REDIS_PASSWORD $no_auth_warning \
+{{- end }}
+ -h localhost \
+ -p $REDIS_PORT \
+ ping
+ )
+ if [ "$response" != "PONG" ]; then
+ echo "$response"
+ exit 1
+ fi
+ ping_liveness_local.sh: |-
+ #!/bin/bash
+{{- if .Values.usePasswordFile }}
+ password_aux=`cat ${REDIS_PASSWORD_FILE}`
+ export REDIS_PASSWORD=$password_aux
+{{- end }}
+{{- if .Values.usePassword }}
+ no_auth_warning=$([[ "$(redis-cli --version)" =~ (redis-cli 5.*) ]] && echo --no-auth-warning)
+{{- end }}
+ response=$(
+ timeout -s 3 $1 \
+ redis-cli \
+{{- if .Values.usePassword }}
+ -a $REDIS_PASSWORD $no_auth_warning \
+{{- end }}
+ -h localhost \
+ -p $REDIS_PORT \
+ ping
+ )
+ if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then
+ echo "$response"
+ exit 1
+ fi
+{{- if .Values.sentinel.enabled }}
+ ping_sentinel.sh: |-
+ #!/bin/bash
+{{- if .Values.usePasswordFile }}
+ password_aux=`cat ${REDIS_PASSWORD_FILE}`
+ export REDIS_PASSWORD=$password_aux
+{{- end }}
+{{- if .Values.usePassword }}
+ no_auth_warning=$([[ "$(redis-cli --version)" =~ (redis-cli 5.*) ]] && echo --no-auth-warning)
+{{- end }}
+ response=$(
+ timeout -s 3 $1 \
+ redis-cli \
+{{- if .Values.usePassword }}
+ -a $REDIS_PASSWORD $no_auth_warning \
+{{- end }}
+ -h localhost \
+ -p $REDIS_SENTINEL_PORT \
+ ping
+ )
+ if [ "$response" != "PONG" ]; then
+ echo "$response"
+ exit 1
+ fi
+ parse_sentinels.awk: |-
+ /ip/ {FOUND_IP=1}
+ /port/ {FOUND_PORT=1}
+ /runid/ {FOUND_RUNID=1}
+ !/ip|port|runid/ {
+ if (FOUND_IP==1) {
+ IP=$1; FOUND_IP=0;
+ }
+ else if (FOUND_PORT==1) {
+ PORT=$1;
+ FOUND_PORT=0;
+ } else if (FOUND_RUNID==1) {
+ printf "\nsentinel known-sentinel {{ .Values.sentinel.masterSet }} %s %s %s", IP, PORT, $0; FOUND_RUNID=0;
+ }
+ }
+{{- end }}
+ ping_readiness_master.sh: |-
+ #!/bin/bash
+{{- if .Values.usePasswordFile }}
+ password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}`
+ export REDIS_MASTER_PASSWORD=$password_aux
+{{- end }}
+{{- if .Values.usePassword }}
+ no_auth_warning=$([[ "$(redis-cli --version)" =~ (redis-cli 5.*) ]] && echo --no-auth-warning)
+{{- end }}
+ response=$(
+ timeout -s 3 $1 \
+ redis-cli \
+{{- if .Values.usePassword }}
+ -a $REDIS_MASTER_PASSWORD $no_auth_warning \
+{{- end }}
+ -h $REDIS_MASTER_HOST \
+ -p $REDIS_MASTER_PORT_NUMBER \
+ ping
+ )
+ if [ "$response" != "PONG" ]; then
+ echo "$response"
+ exit 1
+ fi
+ ping_liveness_master.sh: |-
+ #!/bin/bash
+{{- if .Values.usePasswordFile }}
+ password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}`
+ export REDIS_MASTER_PASSWORD=$password_aux
+{{- end }}
+{{- if .Values.usePassword }}
+ no_auth_warning=$([[ "$(redis-cli --version)" =~ (redis-cli 5.*) ]] && echo --no-auth-warning)
+{{- end }}
+ response=$(
+ timeout -s 3 $1 \
+ redis-cli \
+{{- if .Values.usePassword }}
+ -a $REDIS_MASTER_PASSWORD $no_auth_warning \
+{{- end }}
+ -h $REDIS_MASTER_HOST \
+ -p $REDIS_MASTER_PORT_NUMBER \
+ ping
+ )
+ if [ "$response" != "PONG" ] && [ "$response" != "LOADING Redis is loading the dataset in memory" ]; then
+ echo "$response"
+ exit 1
+ fi
+ ping_readiness_local_and_master.sh: |-
+ script_dir="$(dirname "$0")"
+ exit_status=0
+ "$script_dir/ping_readiness_local.sh" $1 || exit_status=$?
+ "$script_dir/ping_readiness_master.sh" $1 || exit_status=$?
+ exit $exit_status
+ ping_liveness_local_and_master.sh: |-
+ script_dir="$(dirname "$0")"
+ exit_status=0
+ "$script_dir/ping_liveness_local.sh" $1 || exit_status=$?
+ "$script_dir/ping_liveness_master.sh" $1 || exit_status=$?
+ exit $exit_status
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/metrics-prometheus.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/metrics-prometheus.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..551059acdbc1bbce3eea995f466db5f8cfa3cd9d
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/metrics-prometheus.yaml
@@ -0,0 +1,33 @@
+{{- if and (.Values.metrics.enabled) (.Values.metrics.serviceMonitor.enabled) }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "redis.fullname" . }}
+ {{- if .Values.metrics.serviceMonitor.namespace }}
+ namespace: {{ .Values.metrics.serviceMonitor.namespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- range $key, $value := .Values.metrics.serviceMonitor.selector }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ endpoints:
+ - port: metrics
+ {{- if .Values.metrics.serviceMonitor.interval }}
+ interval: {{ .Values.metrics.serviceMonitor.interval }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ app.kubernetes.io/component: "metrics"
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+{{- end -}}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/metrics-svc.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/metrics-svc.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f30e1fd87361002a604577ce1757ce396c18f4c0
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/metrics-svc.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "redis.fullname" . }}-metrics
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ app.kubernetes.io/component: "metrics"
+ {{- if .Values.metrics.service.labels -}}
+ {{- toYaml .Values.metrics.service.labels | nindent 4 }}
+ {{- end -}}
+ {{- if .Values.metrics.service.annotations }}
+ annotations: {{- toYaml .Values.metrics.service.annotations | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.metrics.service.type }}
+ {{ if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }}
+ {{- end }}
+ ports:
+ - name: metrics
+ port: 9121
+ targetPort: metrics
+ selector:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/networkpolicy.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/networkpolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c56a9d3ee722d4bcec01dce26251d271c4359eff
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/networkpolicy.yaml
@@ -0,0 +1,74 @@
+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ template "networkPolicy.apiVersion" . }}
+metadata:
+ name: {{ template "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ {{- if .Values.cluster.enabled }}
+ policyTypes:
+ - Ingress
+ - Egress
+ egress:
+ # Allow dns resolution
+ - ports:
+ - port: 53
+ protocol: UDP
+ # Allow outbound connections to other cluster pods
+ - ports:
+ - port: {{ .Values.redisPort }}
+ {{- if .Values.sentinel.enabled }}
+ - port: {{ .Values.sentinel.port }}
+ {{- end }}
+ to:
+ - podSelector:
+ matchLabels:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ {{- end }}
+ ingress:
+ # Allow inbound connections
+ - ports:
+ - port: {{ .Values.redisPort }}
+ {{- if .Values.sentinel.enabled }}
+ - port: {{ .Values.sentinel.port }}
+ {{- end }}
+ {{- if not .Values.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels:
+ {{ template "redis.fullname" . }}-client: "true"
+ - podSelector:
+ matchLabels:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ {{- if .Values.networkPolicy.ingressNSMatchLabels }}
+ - namespaceSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
+ podSelector:
+ matchLabels:
+ {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
+ {{ $key | quote }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.metrics.enabled }}
+ # Allow prometheus scrapes for metrics
+ - ports:
+ - port: 9121
+ {{- end }}
+{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/prometheusrule.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/prometheusrule.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..9076a97dbc22bda6d64b908db17f74026ad6607d
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/prometheusrule.yaml
@@ -0,0 +1,25 @@
+{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ template "redis.fullname" . }}
+ {{- if .Values.metrics.prometheusRule.namespace }}
+ namespace: {{ .Values.metrics.prometheusRule.namespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name | quote }}
+ heritage: {{ .Release.Service | quote }}
+{{- with .Values.metrics.prometheusRule.additionalLabels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+spec:
+{{- with .Values.metrics.prometheusRule.rules }}
+ groups:
+ - name: {{ template "redis.name" $ }}
+ rules: {{- tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/psp.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/psp.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..08e0840853ce2f18a4dc12a13980032364e8751d
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/psp.yaml
@@ -0,0 +1,43 @@
+{{- if .Values.podSecurityPolicy.create }}
+apiVersion: {{ template "podSecurityPolicy.apiVersion" . }}
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+spec:
+ allowPrivilegeEscalation: false
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.securityContext.fsGroup }}
+ max: {{ .Values.securityContext.fsGroup }}
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ privileged: false
+ readOnlyRootFilesystem: false
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.securityContext.runAsUser }}
+ max: {{ .Values.securityContext.runAsUser }}
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: {{ .Values.securityContext.runAsUser }}
+ max: {{ .Values.securityContext.runAsUser }}
+ volumes:
+ - 'configMap'
+ - 'secret'
+ - 'emptyDir'
+ - 'persistentVolumeClaim'
+{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-master-statefulset.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-master-statefulset.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2bfd5b36b60fa14f0b59831d0dbd943b0ee3ec42
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-master-statefulset.yaml
@@ -0,0 +1,416 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ template "redis.fullname" . }}-master
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ role: master
+ serviceName: {{ template "redis.fullname" . }}-headless
+ template:
+ metadata:
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ role: master
+ {{- if .Values.master.podLabels }}
+ {{- toYaml .Values.master.podLabels | nindent 8 }}
+ {{- end }}
+ {{- if and .Values.metrics.enabled .Values.metrics.podLabels }}
+ {{- toYaml .Values.metrics.podLabels | nindent 8 }}
+ {{- end }}
+ annotations:
+ checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }}
+ checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+ {{- if .Values.master.podAnnotations }}
+ {{- toYaml .Values.master.podAnnotations | nindent 8 }}
+ {{- end }}
+ {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }}
+ {{- toYaml .Values.metrics.podAnnotations | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include "redis.imagePullSecrets" . | nindent 6 }}
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- if .Values.securityContext.sysctls }}
+ sysctls: {{- toYaml .Values.securityContext.sysctls | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ serviceAccountName: {{ template "redis.serviceAccountName" . }}
+ {{- if .Values.master.priorityClassName }}
+ priorityClassName: "{{ .Values.master.priorityClassName }}"
+ {{- end }}
+ {{- with .Values.master.affinity }}
+ affinity: {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- if .Values.master.nodeSelector }}
+ nodeSelector: {{- toYaml .Values.master.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- if .Values.master.tolerations }}
+ tolerations: {{- toYaml .Values.master.tolerations | nindent 8 }}
+ {{- end }}
+ {{- if .Values.master.schedulerName }}
+ schedulerName: {{ .Values.master.schedulerName }}
+ {{- end }}
+ containers:
+ - name: {{ template "redis.name" . }}
+ image: {{ template "redis.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ {{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - |
+ {{- if (eq (.Values.securityContext.runAsUser | int) 0) }}
+ useradd redis
+ chown -R redis {{ .Values.master.persistence.path }}
+ {{- end }}
+ if [[ -n $REDIS_PASSWORD_FILE ]]; then
+ password_aux=`cat ${REDIS_PASSWORD_FILE}`
+ export REDIS_PASSWORD=$password_aux
+ fi
+ if [[ ! -f /opt/bitnami/redis/etc/master.conf ]];then
+ cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf
+ fi
+ if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then
+ cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf
+ fi
+ ARGS=("--port" "${REDIS_PORT}")
+ {{- if .Values.usePassword }}
+ ARGS+=("--requirepass" "${REDIS_PASSWORD}")
+ ARGS+=("--masterauth" "${REDIS_PASSWORD}")
+ {{- else }}
+ ARGS+=("--protected-mode" "no")
+ {{- end }}
+ ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf")
+ ARGS+=("--include" "/opt/bitnami/redis/etc/master.conf")
+ {{- if .Values.master.extraFlags }}
+ {{- range .Values.master.extraFlags }}
+ ARGS+=({{ . | quote }})
+ {{- end }}
+ {{- end }}
+ {{- if .Values.master.command }}
+ {{ .Values.master.command }} ${ARGS[@]}
+ {{- else }}
+ redis-server "${ARGS[@]}"
+ {{- end }}
+ env:
+ - name: REDIS_REPLICATION_MODE
+ value: master
+ {{- if .Values.usePassword }}
+ {{- if .Values.usePasswordFile }}
+ - name: REDIS_PASSWORD_FILE
+ value: "/opt/bitnami/redis/secrets/redis-password"
+ {{- else }}
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "redis.secretName" . }}
+ key: {{ template "redis.secretPasswordKey" . }}
+ {{- end }}
+ {{- else }}
+ - name: ALLOW_EMPTY_PASSWORD
+ value: "yes"
+ {{- end }}
+ - name: REDIS_PORT
+ value: {{ .Values.redisPort | quote }}
+ ports:
+ - name: redis
+ containerPort: {{ .Values.redisPort }}
+ {{- if .Values.master.livenessProbe.enabled }}
+ livenessProbe:
+ initialDelaySeconds: {{ .Values.master.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.master.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.master.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.master.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.master.livenessProbe.failureThreshold }}
+ exec:
+ command:
+ - sh
+ - -c
+ - /health/ping_liveness_local.sh {{ .Values.master.livenessProbe.timeoutSeconds }}
+ {{- else if .Values.master.customLivenessProbe }}
+ livenessProbe: {{- toYaml .Values.master.customLivenessProbe | nindent 12 }}
+ {{- end }}
+ {{- if .Values.master.readinessProbe.enabled}}
+ readinessProbe:
+ initialDelaySeconds: {{ .Values.master.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.master.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.master.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.master.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.master.readinessProbe.failureThreshold }}
+ exec:
+ command:
+ - sh
+ - -c
+ - /health/ping_readiness_local.sh {{ .Values.master.livenessProbe.timeoutSeconds }}
+ {{- else if .Values.master.customReadinessProbe }}
+ readinessProbe: {{- toYaml .Values.master.customReadinessProbe | nindent 12 }}
+ {{- end }}
+ resources: {{- toYaml .Values.master.resources | nindent 12 }}
+ volumeMounts:
+ - name: health
+ mountPath: /health
+ {{- if .Values.usePasswordFile }}
+ - name: redis-password
+ mountPath: /opt/bitnami/redis/secrets/
+ {{- end }}
+ - name: redis-data
+ mountPath: {{ .Values.master.persistence.path }}
+ subPath: {{ .Values.master.persistence.subPath }}
+ - name: config
+ mountPath: /opt/bitnami/redis/mounted-etc
+ - name: redis-tmp-conf
+ mountPath: /opt/bitnami/redis/etc/
+ {{- if and .Values.cluster.enabled .Values.sentinel.enabled }}
+ - name: sentinel
+ image: "{{ template "sentinel.image" . }}"
+ imagePullPolicy: {{ .Values.sentinel.image.pullPolicy | quote }}
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ {{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - |
+ if [[ -n $REDIS_PASSWORD_FILE ]]; then
+ password_aux=`cat ${REDIS_PASSWORD_FILE}`
+ export REDIS_PASSWORD=$password_aux
+ fi
+ if [[ ! -f /opt/bitnami/redis-sentinel/etc/sentinel.conf ]];then
+ cp /opt/bitnami/redis-sentinel/mounted-etc/sentinel.conf /opt/bitnami/redis-sentinel/etc/sentinel.conf
+ {{- if .Values.usePassword }}
+ printf "\nsentinel auth-pass {{ .Values.sentinel.masterSet }} $REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf
+ {{- if .Values.sentinel.usePassword }}
+ printf "\nrequirepass $REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf
+ {{- end }}
+ {{- end }}
+ {{- if .Values.sentinel.staticID }}
+ printf "\nsentinel myid $(echo $HOSTNAME | openssl sha1 | awk '{ print $2 }')" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf
+ {{- end }}
+ fi
+ echo "Getting information about current running sentinels"
+ # Get information from existing sentinels
+ existing_sentinels=$(timeout -s 3 {{ .Values.sentinel.initialCheckTimeout }} redis-cli --raw -h {{ template "redis.fullname" . }} -a "$REDIS_PASSWORD" -p {{ .Values.sentinel.service.sentinelPort }} SENTINEL sentinels {{ .Values.sentinel.masterSet }})
+ echo "$existing_sentinels" | awk -f /health/parse_sentinels.awk | tee -a /opt/bitnami/redis-sentinel/etc/sentinel.conf
+
+ redis-server /opt/bitnami/redis-sentinel/etc/sentinel.conf --sentinel
+ env:
+ {{- if .Values.usePassword }}
+ {{- if .Values.usePasswordFile }}
+ - name: REDIS_PASSWORD_FILE
+ value: "/opt/bitnami/redis/secrets/redis-password"
+ {{- else }}
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "redis.secretName" . }}
+ key: {{ template "redis.secretPasswordKey" . }}
+ {{- end }}
+ {{- else }}
+ - name: ALLOW_EMPTY_PASSWORD
+ value: "yes"
+ {{- end }}
+ - name: REDIS_SENTINEL_PORT
+ value: {{ .Values.sentinel.port | quote }}
+ ports:
+ - name: redis-sentinel
+ containerPort: {{ .Values.sentinel.port }}
+ {{- if .Values.sentinel.livenessProbe.enabled }}
+ livenessProbe:
+ initialDelaySeconds: {{ .Values.sentinel.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.sentinel.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.sentinel.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.sentinel.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.sentinel.livenessProbe.failureThreshold }}
+ exec:
+ command:
+ - sh
+ - -c
+ - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }}
+ {{- else if .Values.sentinel.customLivenessProbe }}
+ livenessProbe: {{- toYaml .Values.sentinel.customLivenessProbe | nindent 12 }}
+ {{- end }}
+ {{- if .Values.sentinel.readinessProbe.enabled}}
+ readinessProbe:
+ initialDelaySeconds: {{ .Values.sentinel.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.sentinel.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.sentinel.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.sentinel.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.sentinel.readinessProbe.failureThreshold }}
+ exec:
+ command:
+ - sh
+ - -c
+ - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }}
+ {{- else if .Values.sentinel.customReadinessProbe }}
+ readinessProbe: {{- toYaml .Values.sentinel.customReadinessProbe | nindent 12 }}
+ {{- end }}
+ resources: {{- toYaml .Values.sentinel.resources | nindent 12 }}
+ volumeMounts:
+ - name: health
+ mountPath: /health
+ {{- if .Values.usePasswordFile }}
+ - name: redis-password
+ mountPath: /opt/bitnami/redis/secrets/
+ {{- end }}
+ - name: redis-data
+ mountPath: {{ .Values.master.persistence.path }}
+ subPath: {{ .Values.master.persistence.subPath }}
+ - name: config
+ mountPath: /opt/bitnami/redis-sentinel/mounted-etc
+ - name: sentinel-tmp-conf
+ mountPath: /opt/bitnami/redis-sentinel/etc/
+ {{- end }}
+ {{- if .Values.metrics.enabled }}
+ - name: metrics
+ image: {{ template "redis.metrics.image" . }}
+ imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
+ command:
+ - /bin/bash
+ - -c
+ - |
+ if [[ -f '/secrets/redis-password' ]]; then
+ export REDIS_PASSWORD=$(cat /secrets/redis-password)
+ fi
+ redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }}
+ env:
+ - name: REDIS_ALIAS
+ value: {{ template "redis.fullname" . }}
+ {{- if and .Values.usePassword (not .Values.usePasswordFile) }}
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "redis.secretName" . }}
+ key: {{ template "redis.secretPasswordKey" . }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.usePasswordFile }}
+ - name: redis-password
+ mountPath: /secrets/
+ {{- end }}
+ ports:
+ - name: metrics
+ containerPort: 9121
+ resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
+ {{- end }}
+ {{- $needsVolumePermissions := and .Values.volumePermissions.enabled (and ( and .Values.master.persistence.enabled (not .Values.persistence.existingClaim) ) .Values.securityContext.enabled) }}
+ {{- if or $needsVolumePermissions .Values.sysctlImage.enabled }}
+ initContainers:
+ {{- if $needsVolumePermissions }}
+ - name: volume-permissions
+ image: "{{ template "redis.volumePermissions.image" . }}"
+ imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+ command: ["/bin/chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}", "{{ .Values.master.persistence.path }}"]
+ securityContext:
+ runAsUser: 0
+ resources: {{- toYaml .Values.volumePermissions.resources | nindent 10 }}
+ volumeMounts:
+ - name: redis-data
+ mountPath: {{ .Values.master.persistence.path }}
+ subPath: {{ .Values.master.persistence.subPath }}
+ {{- end }}
+ {{- if .Values.sysctlImage.enabled }}
+ - name: init-sysctl
+ image: {{ template "redis.sysctl.image" . }}
+ imagePullPolicy: {{ default "" .Values.sysctlImage.pullPolicy | quote }}
+ resources: {{- toYaml .Values.sysctlImage.resources | nindent 10 }}
+ {{- if .Values.sysctlImage.mountHostSys }}
+ volumeMounts:
+ - name: host-sys
+ mountPath: /host-sys
+ {{- end }}
+ command: {{- toYaml .Values.sysctlImage.command | nindent 10 }}
+ securityContext:
+ privileged: true
+ runAsUser: 0
+ {{- end }}
+ {{- end }}
+ volumes:
+ - name: health
+ configMap:
+ name: {{ template "redis.fullname" . }}-health
+ defaultMode: 0755
+ {{- if .Values.usePasswordFile }}
+ - name: redis-password
+ secret:
+ secretName: {{ template "redis.secretName" . }}
+ items:
+ - key: {{ template "redis.secretPasswordKey" . }}
+ path: redis-password
+ {{- end }}
+ - name: config
+ configMap:
+ name: {{ template "redis.fullname" . }}
+ {{- if not .Values.master.persistence.enabled }}
+ - name: "redis-data"
+ emptyDir: {}
+ {{- else }}
+ {{- if .Values.persistence.existingClaim }}
+ - name: "redis-data"
+ persistentVolumeClaim:
+ claimName: {{ .Values.persistence.existingClaim }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.sysctlImage.mountHostSys }}
+ - name: host-sys
+ hostPath:
+ path: /sys
+ {{- end }}
+ - name: redis-tmp-conf
+ emptyDir: {}
+ {{- if and .Values.cluster.enabled .Values.sentinel.enabled }}
+ - name: sentinel-tmp-conf
+ emptyDir: {}
+ {{- end }}
+ {{- if and .Values.master.persistence.enabled (not .Values.persistence.existingClaim) }}
+ volumeClaimTemplates:
+ - metadata:
+ name: redis-data
+ labels:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ component: master
+ spec:
+ accessModes:
+ {{- range .Values.master.persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.master.persistence.size | quote }}
+ {{ include "redis.master.storageClass" . }}
+ selector:
+ {{- if .Values.master.persistence.matchLabels }}
+ matchLabels: {{- toYaml .Values.master.persistence.matchLabels | nindent 12 }}
+ {{- end -}}
+ {{- if .Values.master.persistence.matchExpressions }}
+ matchExpressions: {{- toYaml .Values.master.persistence.matchExpressions | nindent 12 }}
+ {{- end -}}
+ {{- end }}
+ updateStrategy:
+ type: {{ .Values.master.statefulset.updateStrategy }}
+ {{- if .Values.master.statefulset.rollingUpdatePartition }}
+ {{- if (eq "Recreate" .Values.master.statefulset.updateStrategy) }}
+ rollingUpdate: null
+ {{- else }}
+ rollingUpdate:
+ partition: {{ .Values.master.statefulset.rollingUpdatePartition }}
+ {{- end }}
+ {{- end }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-master-svc.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-master-svc.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..09eab2a5d859b1de9ffdd56827a69e4510709751
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-master-svc.yaml
@@ -0,0 +1,40 @@
+{{- if not .Values.sentinel.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "redis.fullname" . }}-master
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- if .Values.master.service.labels -}}
+ {{- toYaml .Values.master.service.labels | nindent 4 }}
+ {{- end -}}
+{{- if .Values.master.service.annotations }}
+ annotations: {{- toYaml .Values.master.service.annotations | nindent 4 }}
+{{- end }}
+spec:
+ type: {{ .Values.master.service.type }}
+ {{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.master.service.loadBalancerIP }}
+ {{- end }}
+ {{- if and (eq .Values.master.service.type "LoadBalancer") .Values.master.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+ {{- with .Values.master.service.loadBalancerSourceRanges }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+ {{- end }}
+ ports:
+ - name: redis
+ port: {{ .Values.master.service.port }}
+ targetPort: redis
+ {{- if .Values.master.service.nodePort }}
+ nodePort: {{ .Values.master.service.nodePort }}
+ {{- end }}
+ selector:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ role: master
+{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-role.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-role.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c7412682f911c125559764d273ff4e8944464161
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-role.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+{{- if .Values.podSecurityPolicy.create }}
+ - apiGroups: ['{{ template "podSecurityPolicy.apiGroup" . }}']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: [{{ template "redis.fullname" . }}]
+{{- end -}}
+{{- if .Values.rbac.role.rules }}
+{{- toYaml .Values.rbac.role.rules | nindent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-rolebinding.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-rolebinding.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3657f1454a67e587da391e2ab99e16e44753bc54
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-rolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "redis.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "redis.serviceAccountName" . }}
+{{- end -}}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-serviceaccount.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-serviceaccount.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..5c9707f2328970d86dac45a2bbe90a84be4b00ea
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "redis.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+{{- end -}}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-slave-statefulset.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-slave-statefulset.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2d0b3b63281eefdaaae638f741243d29670d8f0f
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-slave-statefulset.yaml
@@ -0,0 +1,435 @@
+{{- if .Values.cluster.enabled }}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ template "redis.fullname" . }}-slave
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+{{- if .Values.slave.updateStrategy }}
+ strategy: {{- toYaml .Values.slave.updateStrategy | nindent 4 }}
+{{- end }}
+ replicas: {{ .Values.cluster.slaveCount }}
+ serviceName: {{ template "redis.fullname" . }}-headless
+ selector:
+ matchLabels:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ role: slave
+ template:
+ metadata:
+ labels:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ chart: {{ template "redis.chart" . }}
+ role: slave
+ {{- if .Values.slave.podLabels }}
+ {{- toYaml .Values.slave.podLabels | nindent 8 }}
+ {{- end }}
+ {{- if and .Values.metrics.enabled .Values.metrics.podLabels }}
+ {{- toYaml .Values.metrics.podLabels | nindent 8 }}
+ {{- end }}
+ annotations:
+ checksum/health: {{ include (print $.Template.BasePath "/health-configmap.yaml") . | sha256sum }}
+ checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+ {{- if .Values.slave.podAnnotations }}
+ {{- toYaml .Values.slave.podAnnotations | nindent 8 }}
+ {{- end }}
+ {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }}
+ {{- toYaml .Values.metrics.podAnnotations | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include "redis.imagePullSecrets" . | nindent 6 }}
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ fsGroup: {{ .Values.securityContext.fsGroup }}
+ {{- if .Values.securityContext.sysctls }}
+ sysctls: {{- toYaml .Values.securityContext.sysctls | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ serviceAccountName: {{ template "redis.serviceAccountName" . }}
+ {{- if .Values.slave.priorityClassName }}
+ priorityClassName: "{{ .Values.slave.priorityClassName }}"
+ {{- end }}
+ {{- if .Values.slave.nodeSelector }}
+ nodeSelector: {{- toYaml .Values.slave.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- if .Values.slave.tolerations }}
+ tolerations: {{- toYaml .Values.slave.tolerations | nindent 8 }}
+ {{- end }}
+ {{- if .Values.slave.schedulerName }}
+ schedulerName: {{ .Values.slave.schedulerName }}
+ {{- end }}
+ {{- if .Values.master.spreadConstraints }}
+ topologySpreadConstraints: {{- toYaml .Values.master.spreadConstraints | nindent 8 }}
+ {{- end }}
+ {{- with .Values.slave.affinity }}
+ affinity: {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redis.name" . }}
+ image: {{ template "redis.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ {{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - |
+ {{- if (eq (.Values.securityContext.runAsUser | int) 0) }}
+ useradd redis
+ chown -R redis {{ .Values.slave.persistence.path }}
+ {{- end }}
+ if [[ -n $REDIS_PASSWORD_FILE ]]; then
+ password_aux=`cat ${REDIS_PASSWORD_FILE}`
+ export REDIS_PASSWORD=$password_aux
+ fi
+ if [[ -n $REDIS_MASTER_PASSWORD_FILE ]]; then
+ password_aux=`cat ${REDIS_MASTER_PASSWORD_FILE}`
+ export REDIS_MASTER_PASSWORD=$password_aux
+ fi
+ if [[ ! -f /opt/bitnami/redis/etc/replica.conf ]];then
+ cp /opt/bitnami/redis/mounted-etc/replica.conf /opt/bitnami/redis/etc/replica.conf
+ fi
+ if [[ ! -f /opt/bitnami/redis/etc/redis.conf ]];then
+ cp /opt/bitnami/redis/mounted-etc/redis.conf /opt/bitnami/redis/etc/redis.conf
+ fi
+ ARGS=("--port" "${REDIS_PORT}")
+ ARGS+=("--slaveof" "${REDIS_MASTER_HOST}" "${REDIS_MASTER_PORT_NUMBER}")
+ {{- if .Values.usePassword }}
+ ARGS+=("--requirepass" "${REDIS_PASSWORD}")
+ ARGS+=("--masterauth" "${REDIS_MASTER_PASSWORD}")
+ {{- else }}
+ ARGS+=("--protected-mode" "no")
+ {{- end }}
+ ARGS+=("--include" "/opt/bitnami/redis/etc/redis.conf")
+ ARGS+=("--include" "/opt/bitnami/redis/etc/replica.conf")
+ {{- if .Values.slave.extraFlags }}
+ {{- range .Values.slave.extraFlags }}
+ ARGS+=({{ . | quote }})
+ {{- end }}
+ {{- end }}
+ {{- if .Values.slave.command }}
+ {{ .Values.slave.command }} "${ARGS[@]}"
+ {{- else }}
+ redis-server "${ARGS[@]}"
+ {{- end }}
+ env:
+ - name: REDIS_REPLICATION_MODE
+ value: slave
+ - name: REDIS_MASTER_HOST
+ value: {{ template "redis.fullname" . }}-master-0.{{ template "redis.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
+ - name: REDIS_PORT
+ value: {{ .Values.redisPort | quote }}
+ - name: REDIS_MASTER_PORT_NUMBER
+ value: {{ .Values.redisPort | quote }}
+ {{- if .Values.usePassword }}
+ {{- if .Values.usePasswordFile }}
+ - name: REDIS_PASSWORD_FILE
+ value: "/opt/bitnami/redis/secrets/redis-password"
+ - name: REDIS_MASTER_PASSWORD_FILE
+ value: "/opt/bitnami/redis/secrets/redis-password"
+ {{- else }}
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "redis.secretName" . }}
+ key: {{ template "redis.secretPasswordKey" . }}
+ - name: REDIS_MASTER_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "redis.secretName" . }}
+ key: {{ template "redis.secretPasswordKey" . }}
+ {{- end }}
+ {{- else }}
+ - name: ALLOW_EMPTY_PASSWORD
+ value: "yes"
+ {{- end }}
+ ports:
+ - name: redis
+ containerPort: {{ .Values.redisPort }}
+ {{- if .Values.slave.livenessProbe.enabled }}
+ livenessProbe:
+ initialDelaySeconds: {{ .Values.slave.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.slave.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.slave.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.slave.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.slave.livenessProbe.failureThreshold}}
+ exec:
+ command:
+ - sh
+ - -c
+ {{- if .Values.sentinel.enabled }}
+ - /health/ping_liveness_local.sh {{ .Values.slave.livenessProbe.timeoutSeconds }}
+ {{- else }}
+ - /health/ping_liveness_local_and_master.sh {{ .Values.slave.livenessProbe.timeoutSeconds }}
+ {{- end }}
+ {{- else if .Values.slave.customLivenessProbe }}
+ livenessProbe: {{- toYaml .Values.slave.customLivenessProbe | nindent 12 }}
+ {{- end }}
+ {{- if .Values.slave.readinessProbe.enabled }}
+ readinessProbe:
+ initialDelaySeconds: {{ .Values.slave.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.slave.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.slave.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.slave.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.slave.readinessProbe.failureThreshold }}
+ exec:
+ command:
+ - sh
+ - -c
+ {{- if .Values.sentinel.enabled }}
+ - /health/ping_readiness_local.sh {{ .Values.slave.livenessProbe.timeoutSeconds }}
+ {{- else }}
+ - /health/ping_readiness_local_and_master.sh {{ .Values.slave.livenessProbe.timeoutSeconds }}
+ {{- end }}
+ {{- else if .Values.slave.customReadinessProbe }}
+ readinessProbe: {{- toYaml .Values.slave.customReadinessProbe | nindent 12 }}
+ {{- end }}
+ resources: {{- toYaml .Values.slave.resources | nindent 12 }}
+ volumeMounts:
+ - name: health
+ mountPath: /health
+ {{- if .Values.usePasswordFile }}
+ - name: redis-password
+ mountPath: /opt/bitnami/redis/secrets/
+ {{- end }}
+ - name: redis-data
+ mountPath: /data
+ - name: config
+ mountPath: /opt/bitnami/redis/mounted-etc
+ - name: redis-tmp-conf
+ mountPath: /opt/bitnami/redis/etc
+ {{- if and .Values.cluster.enabled .Values.sentinel.enabled }}
+ - name: sentinel
+ image: {{ template "sentinel.image" . }}
+ imagePullPolicy: {{ .Values.sentinel.image.pullPolicy | quote }}
+ {{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ {{- end }}
+ command:
+ - /bin/bash
+ - -c
+ - |
+ if [[ -n $REDIS_PASSWORD_FILE ]]; then
+ password_aux=`cat ${REDIS_PASSWORD_FILE}`
+ export REDIS_PASSWORD=$password_aux
+ fi
+ if [[ ! -f /opt/bitnami/redis-sentinel/etc/sentinel.conf ]];then
+ cp /opt/bitnami/redis-sentinel/mounted-etc/sentinel.conf /opt/bitnami/redis-sentinel/etc/sentinel.conf
+ {{- if .Values.usePassword }}
+ printf "\nsentinel auth-pass {{ .Values.sentinel.masterSet }} $REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf
+ {{- if .Values.sentinel.usePassword }}
+ printf "\nrequirepass $REDIS_PASSWORD" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf
+ {{- end }}
+ {{- end }}
+ {{- if .Values.sentinel.staticID }}
+ printf "\nsentinel myid $(echo $HOSTNAME | openssl sha1 | awk '{ print $2 }')" >> /opt/bitnami/redis-sentinel/etc/sentinel.conf
+ {{- end }}
+ fi
+
+ redis-server /opt/bitnami/redis-sentinel/etc/sentinel.conf --sentinel
+ env:
+ {{- if .Values.usePassword }}
+ {{- if .Values.usePasswordFile }}
+ - name: REDIS_PASSWORD_FILE
+ value: "/opt/bitnami/redis/secrets/redis-password"
+ {{- else }}
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "redis.secretName" . }}
+ key: {{ template "redis.secretPasswordKey" . }}
+ {{- end }}
+ {{- else }}
+ - name: ALLOW_EMPTY_PASSWORD
+ value: "yes"
+ {{- end }}
+ - name: REDIS_SENTINEL_PORT
+ value: {{ .Values.sentinel.port | quote }}
+ ports:
+ - name: redis-sentinel
+ containerPort: {{ .Values.sentinel.port }}
+ {{- if .Values.sentinel.livenessProbe.enabled }}
+ livenessProbe:
+ initialDelaySeconds: {{ .Values.sentinel.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.sentinel.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.sentinel.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.sentinel.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.sentinel.livenessProbe.failureThreshold }}
+ exec:
+ command:
+ - sh
+ - -c
+ - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }}
+ {{- else if .Values.sentinel.customLivenessProbe }}
+ livenessProbe: {{- toYaml .Values.sentinel.customLivenessProbe | nindent 12 }}
+ {{- end }}
+ {{- if .Values.sentinel.readinessProbe.enabled}}
+ readinessProbe:
+ initialDelaySeconds: {{ .Values.sentinel.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.sentinel.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.sentinel.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.sentinel.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.sentinel.readinessProbe.failureThreshold }}
+ exec:
+ command:
+ - sh
+ - -c
+ - /health/ping_sentinel.sh {{ .Values.sentinel.livenessProbe.timeoutSeconds }}
+ {{- else if .Values.sentinel.customReadinessProbe }}
+ readinessProbe: {{- toYaml .Values.sentinel.customReadinessProbe | nindent 12 }}
+ {{- end }}
+ resources: {{- toYaml .Values.sentinel.resources | nindent 12 }}
+ volumeMounts:
+ - name: health
+ mountPath: /health
+ {{- if .Values.usePasswordFile }}
+ - name: redis-password
+ mountPath: /opt/bitnami/redis/secrets/
+ {{- end }}
+ - name: redis-data
+ mountPath: {{ .Values.master.persistence.path }}
+ subPath: {{ .Values.master.persistence.subPath }}
+ - name: config
+ mountPath: /opt/bitnami/redis-sentinel/mounted-etc
+ - name: sentinel-tmp-conf
+ mountPath: /opt/bitnami/redis-sentinel/etc
+ {{- end }}
+ {{- if .Values.metrics.enabled }}
+ - name: metrics
+ image: {{ template "redis.metrics.image" . }}
+ imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
+ command:
+ - /bin/bash
+ - -c
+ - |
+ if [[ -f '/secrets/redis-password' ]]; then
+ export REDIS_PASSWORD=$(cat /secrets/redis-password)
+ fi
+ redis_exporter{{- range $key, $value := .Values.metrics.extraArgs }} --{{ $key }}={{ $value }}{{- end }}
+ env:
+ - name: REDIS_ALIAS
+ value: {{ template "redis.fullname" . }}
+ {{- if and .Values.usePassword (not .Values.usePasswordFile) }}
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "redis.secretName" . }}
+ key: {{ template "redis.secretPasswordKey" . }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.usePasswordFile }}
+ - name: redis-password
+ mountPath: /secrets/
+ {{- end }}
+ ports:
+ - name: metrics
+ containerPort: 9121
+ resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
+ {{- end }}
+ {{- $needsVolumePermissions := and .Values.volumePermissions.enabled (and .Values.slave.persistence.enabled .Values.securityContext.enabled) }}
+ {{- if or $needsVolumePermissions .Values.sysctlImage.enabled }}
+ initContainers:
+ {{- if $needsVolumePermissions }}
+ - name: volume-permissions
+ image: {{ template "redis.volumePermissions.image" . }}
+ imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+ command: ["/bin/chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}", "{{ .Values.slave.persistence.path }}"]
+ securityContext:
+ runAsUser: 0
+ resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
+ volumeMounts:
+ - name: redis-data
+ mountPath: {{ .Values.slave.persistence.path }}
+ subPath: {{ .Values.slave.persistence.subPath }}
+ {{- end }}
+ {{- if .Values.sysctlImage.enabled }}
+ - name: init-sysctl
+ image: {{ template "redis.sysctl.image" . }}
+ imagePullPolicy: {{ default "" .Values.sysctlImage.pullPolicy | quote }}
+ resources: {{- toYaml .Values.sysctlImage.resources | nindent 12 }}
+ {{- if .Values.sysctlImage.mountHostSys }}
+ volumeMounts:
+ - name: host-sys
+ mountPath: /host-sys
+ {{- end }}
+ command: {{- toYaml .Values.sysctlImage.command | nindent 12 }}
+ securityContext:
+ privileged: true
+ runAsUser: 0
+ {{- end }}
+ {{- end }}
+ volumes:
+ - name: health
+ configMap:
+ name: {{ template "redis.fullname" . }}-health
+ defaultMode: 0755
+ {{- if .Values.usePasswordFile }}
+ - name: redis-password
+ secret:
+ secretName: {{ template "redis.secretName" . }}
+ items:
+ - key: {{ template "redis.secretPasswordKey" . }}
+ path: redis-password
+ {{- end }}
+ - name: config
+ configMap:
+ name: {{ template "redis.fullname" . }}
+ {{- if .Values.sysctlImage.mountHostSys }}
+ - name: host-sys
+ hostPath:
+ path: /sys
+ {{- end }}
+ - name: sentinel-tmp-conf
+ emptyDir: {}
+ - name: redis-tmp-conf
+ emptyDir: {}
+ {{- if not .Values.slave.persistence.enabled }}
+ - name: redis-data
+ emptyDir: {}
+ {{- else }}
+ volumeClaimTemplates:
+ - metadata:
+ name: redis-data
+ labels:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ component: slave
+ spec:
+ accessModes:
+ {{- range .Values.slave.persistence.accessModes }}
+ - {{ . | quote }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.slave.persistence.size | quote }}
+ {{ include "redis.slave.storageClass" . }}
+ selector:
+ {{- if .Values.slave.persistence.matchLabels }}
+ matchLabels: {{- toYaml .Values.slave.persistence.matchLabels | nindent 12 }}
+ {{- end -}}
+ {{- if .Values.slave.persistence.matchExpressions }}
+ matchExpressions: {{- toYaml .Values.slave.persistence.matchExpressions | nindent 12 }}
+ {{- end -}}
+ {{- end }}
+ updateStrategy:
+ type: {{ .Values.slave.statefulset.updateStrategy }}
+ {{- if .Values.slave.statefulset.rollingUpdatePartition }}
+ {{- if (eq "Recreate" .Values.slave.statefulset.updateStrategy) }}
+ rollingUpdate: null
+ {{- else }}
+ rollingUpdate:
+ partition: {{ .Values.slave.statefulset.rollingUpdatePartition }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-slave-svc.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-slave-svc.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..dab36c344667713ad3a7c0c3abb83a8b0ec00a7a
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-slave-svc.yaml
@@ -0,0 +1,40 @@
+{{- if and .Values.cluster.enabled (not .Values.sentinel.enabled) }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "redis.fullname" . }}-slave
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- if .Values.slave.service.labels -}}
+ {{- toYaml .Values.slave.service.labels | nindent 4 }}
+ {{- end -}}
+{{- if .Values.slave.service.annotations }}
+ annotations: {{- toYaml .Values.slave.service.annotations | nindent 4 }}
+{{- end }}
+spec:
+ type: {{ .Values.slave.service.type }}
+ {{- if and (eq .Values.slave.service.type "LoadBalancer") .Values.slave.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.slave.service.loadBalancerIP }}
+ {{- end }}
+ {{- if and (eq .Values.slave.service.type "LoadBalancer") .Values.slave.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+ {{- with .Values.slave.service.loadBalancerSourceRanges }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ ports:
+ - name: redis
+ port: {{ .Values.slave.service.port }}
+ targetPort: redis
+ {{- if .Values.slave.service.nodePort }}
+ nodePort: {{ .Values.slave.service.nodePort }}
+ {{- end }}
+ selector:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+ role: slave
+{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-with-sentinel-svc.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-with-sentinel-svc.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f5873736a0c40f31975444adfca4d10f44774446
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/redis-with-sentinel-svc.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.sentinel.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- if .Values.sentinel.service.labels }}
+ {{- toYaml .Values.sentinel.service.labels | nindent 4 }}
+ {{- end }}
+{{- if .Values.sentinel.service.annotations }}
+ annotations: {{- toYaml .Values.sentinel.service.annotations | nindent 4 }}
+{{- end }}
+spec:
+ type: {{ .Values.sentinel.service.type }}
+ {{ if eq .Values.sentinel.service.type "LoadBalancer" -}} {{ if .Values.sentinel.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.sentinel.service.loadBalancerIP }}
+ {{ end -}}
+ {{- end -}}
+ ports:
+ - name: redis
+ port: {{ .Values.sentinel.service.redisPort }}
+ targetPort: redis
+ {{- if .Values.sentinel.service.redisNodePort }}
+ nodePort: {{ .Values.sentinel.service.redisNodePort }}
+ {{- end }}
+ - name: redis-sentinel
+ port: {{ .Values.sentinel.service.sentinelPort }}
+ targetPort: redis-sentinel
+ {{- if .Values.sentinel.service.sentinelNodePort }}
+ nodePort: {{ .Values.sentinel.service.sentinelNodePort }}
+ {{- end }}
+ selector:
+ app: {{ template "redis.name" . }}
+ release: {{ .Release.Name }}
+{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/secret.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4c39ffdcd65d98058801362d819d31da442c5db9
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/templates/secret.yaml
@@ -0,0 +1,15 @@
+{{- if and .Values.usePassword (not .Values.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "redis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "redis.name" . }}
+ chart: {{ template "redis.chart" . }}
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+ redis-password: {{ include "redis.password" . | b64enc | quote }}
+{{- end -}}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/values-production.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/values-production.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..31ac6aebd345edd0bddf83a5bd3f8ce953fb7e41
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/values-production.yaml
@@ -0,0 +1,690 @@
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry and imagePullSecrets
+##
+global:
+ # imageRegistry: myRegistryName
+ # imagePullSecrets:
+ # - myRegistryKeySecretName
+ # storageClass: myStorageClass
+ redis: {}
+
+## Bitnami Redis image version
+## ref: https://hub.docker.com/r/bitnami/redis/tags/
+##
+image:
+ registry: docker.io
+ repository: bitnami/redis
+ ## Bitnami Redis image tag
+ ## ref: https://github.com/bitnami/bitnami-docker-redis#supported-tags-and-respective-dockerfile-links
+ ##
+ tag: 6.0.5-debian-10-r0
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+
+## String to partially override redis.fullname template (will maintain the release name)
+##
+# nameOverride:
+
+## String to fully override redis.fullname template
+##
+# fullnameOverride:
+
+## Cluster settings
+cluster:
+ enabled: true
+ slaveCount: 3
+
+## Use redis sentinel in the redis pod. This will disable the master and slave services and
+## create one redis service with ports to the sentinel and the redis instances
+sentinel:
+ enabled: false
+ ## Require password authentication on the sentinel itself
+ ## ref: https://redis.io/topics/sentinel
+ usePassword: true
+ ## Bitnami Redis Sentintel image version
+ ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/redis-sentinel
+ ## Bitnami Redis image tag
+ ## ref: https://github.com/bitnami/bitnami-docker-redis-sentinel#supported-tags-and-respective-dockerfile-links
+ ##
+ tag: 6.0.4-debian-10-r11
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ masterSet: mymaster
+ initialCheckTimeout: 5
+ quorum: 2
+ downAfterMilliseconds: 60000
+ failoverTimeout: 18000
+ parallelSyncs: 1
+ port: 26379
+ ## Additional Redis configuration for the sentinel nodes
+ ## ref: https://redis.io/topics/config
+ ##
+ configmap:
+ ## Enable or disable static sentinel IDs for each replicas
+ ## If disabled each sentinel will generate a random id at startup
+ ## If enabled, each replicas will have a constant ID on each start-up
+ ##
+ staticID: false
+ ## Configure extra options for Redis Sentinel liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 5
+ customLivenessProbe: {}
+ customReadinessProbe: {}
+ ## Redis Sentinel resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 100m
+ ## Redis Sentinel Service properties
+ service:
+ ## Redis Sentinel Service type
+ type: ClusterIP
+ sentinelPort: 26379
+ redisPort: 6379
+
+ ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ # sentinelNodePort:
+ # redisNodePort:
+
+ ## Provide any additional annotations which may be required. This can be used to
+ ## set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ labels: {}
+ loadBalancerIP:
+
+## Specifies the Kubernetes Cluster's Domain Name.
+##
+clusterDomain: cluster.local
+
+networkPolicy:
+ ## Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## client label will have network access to the port Redis is listening
+ ## on. When true, Redis will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ # allowExternal: true
+
+ ## Allow connections from other namespacess. Just set label for namespace and set label for pods (optional).
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
+
+serviceAccount:
+ ## Specifies whether a ServiceAccount should be created
+ ##
+ create: false
+ ## The name of the ServiceAccount to use.
+ ## If not set and create is true, a name is generated using the fullname template
+ name:
+
+rbac:
+ ## Specifies whether RBAC resources should be created
+ ##
+ create: false
+
+ role:
+ ## Rules to create. It follows the role specification
+ # rules:
+ # - apiGroups:
+ # - extensions
+ # resources:
+ # - podsecuritypolicies
+ # verbs:
+ # - use
+ # resourceNames:
+ # - gce.unprivileged
+ rules: []
+
+## Redis pod Security Context
+securityContext:
+ enabled: true
+ fsGroup: 1001
+ runAsUser: 1001
+ ## sysctl settings for master and slave pods
+ ##
+ ## Uncomment the setting below to increase the net.core.somaxconn value
+ ##
+ # sysctls:
+ # - name: net.core.somaxconn
+ # value: "10000"
+
+## Use password authentication
+usePassword: true
+## Redis password (both master and slave)
+## Defaults to a random 10-character alphanumeric string if not set and usePassword is true
+## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run
+##
+password:
+## Use existing secret (ignores previous password)
+# existingSecret:
+## Password key to be retrieved from Redis secret
+##
+# existingSecretPasswordKey:
+
+## Mount secrets as files instead of environment variables
+usePasswordFile: false
+
+## Persist data to a persistent volume (Redis Master)
+persistence:
+ ## A manually managed Persistent Volume and Claim
+ ## Requires persistence.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ existingClaim:
+
+# Redis port
+redisPort: 6379
+
+##
+## Redis Master parameters
+##
+master:
+ ## Redis command arguments
+ ##
+ ## Can be used to specify command line arguments, for example:
+ ##
+ command: "/run.sh"
+ ## Additional Redis configuration for the master nodes
+ ## ref: https://redis.io/topics/config
+ ##
+ configmap:
+ ## Redis additional command line flags
+ ##
+ ## Can be used to specify command line flags, for example:
+ ##
+ ## extraFlags:
+ ## - "--maxmemory-policy volatile-ttl"
+ ## - "--repl-backlog-size 1024mb"
+ extraFlags: []
+ ## Comma-separated list of Redis commands to disable
+ ##
+ ## Can be used to disable Redis commands for security reasons.
+ ## Commands will be completely disabled by renaming each to an empty string.
+ ## ref: https://redis.io/topics/security#disabling-of-specific-commands
+ ##
+ disableCommands:
+ - FLUSHDB
+ - FLUSHALL
+
+ ## Redis Master additional pod labels and annotations
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ podLabels: {}
+ podAnnotations: {}
+
+ ## Redis Master resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 100m
+ ## Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ # schedulerName:
+
+ ## Configure extra options for Redis Master liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 5
+
+ ## Configure custom probes for images other images like
+ ## rhscl/redis-32-rhel7 rhscl/redis-5-rhel7
+ ## Only used if readinessProbe.enabled: false / livenessProbe.enabled: false
+ ##
+ # customLivenessProbe:
+ # tcpSocket:
+ # port: 6379
+ # initialDelaySeconds: 10
+ # periodSeconds: 5
+ # customReadinessProbe:
+ # initialDelaySeconds: 30
+ # periodSeconds: 10
+ # timeoutSeconds: 5
+ # exec:
+ # command:
+ # - "container-entrypoint"
+ # - "bash"
+ # - "-c"
+ # - "redis-cli set liveness-probe \"`date`\" | grep OK"
+ customLivenessProbe: {}
+ customReadinessProbe: {}
+
+ ## Redis Master Node selectors and tolerations for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
+ ##
+ # nodeSelector: {"beta.kubernetes.io/arch": "amd64"}
+ # tolerations: []
+ ## Redis Master pod/node affinity/anti-affinity
+ ##
+ affinity: {}
+
+ ## Redis Master Service properties
+ service:
+ ## Redis Master Service type
+ type: ClusterIP
+ port: 6379
+
+ ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ # nodePort:
+
+ ## Provide any additional annotations which may be required. This can be used to
+ ## set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ labels: {}
+ loadBalancerIP:
+ # loadBalancerSourceRanges: ["10.0.0.0/8"]
+
+ ## Enable persistence using Persistent Volume Claims
+ ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ persistence:
+ enabled: true
+ ## The path the volume will be mounted at, useful when using different
+ ## Redis images.
+ path: /data
+ ## The subdirectory of the volume to mount to, useful in dev environments
+ ## and one PV for multiple services.
+ subPath: ""
+ ## redis data Persistent Volume Storage Class
+ ## If defined, storageClassName: <storageClass>
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ # storageClass: "-"
+ accessModes:
+ - ReadWriteOnce
+ size: 8Gi
+ ## Persistent Volume selectors
+ ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector
+ matchLabels: {}
+ matchExpressions: {}
+
+ ## Update strategy, can be set to RollingUpdate or onDelete by default.
+ ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ statefulset:
+ updateStrategy: RollingUpdate
+ ## Partition update strategy
+ ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
+ # rollingUpdatePartition:
+
+ ## Redis Master pod priorityClassName
+ ##
+ priorityClassName: {}
+
+##
+## Redis Slave properties
+## Note: service.type is a mandatory parameter
+## The rest of the parameters are either optional or, if undefined, will inherit those declared in Redis Master
+##
+slave:
+ ## Slave Service properties
+ service:
+ ## Redis Slave Service type
+ type: ClusterIP
+ ## Redis port
+ port: 6379
+ ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ # nodePort:
+
+ ## Provide any additional annotations which may be required. This can be used to
+ ## set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ labels: {}
+ loadBalancerIP:
+ # loadBalancerSourceRanges: ["10.0.0.0/8"]
+
+ ## Redis slave port
+ port: 6379
+ ## Can be used to specify command line arguments, for example:
+ ##
+ command: "/run.sh"
+ ## Additional Redis configuration for the slave nodes
+ ## ref: https://redis.io/topics/config
+ ##
+ configmap:
+ ## Redis extra flags
+ extraFlags: []
+ ## List of Redis commands to disable
+ disableCommands:
+ - FLUSHDB
+ - FLUSHALL
+
+ ## Redis Slave pod/node affinity/anti-affinity
+ ##
+ affinity: {}
+
+ ## Kubernetes Spread Constraints for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+ ##
+ # - maxSkew: 1
+ # topologyKey: node
+ # whenUnsatisfiable: DoNotSchedule
+ spreadConstraints: {}
+
+ ## Configure extra options for Redis Slave liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 10
+ successThreshold: 1
+ failureThreshold: 5
+
+ ## Configure custom probes for images other images like
+ ## rhscl/redis-32-rhel7 rhscl/redis-5-rhel7
+ ## Only used if readinessProbe.enabled: false / livenessProbe.enabled: false
+ ##
+ # customLivenessProbe:
+ # tcpSocket:
+ # port: 6379
+ # initialDelaySeconds: 10
+ # periodSeconds: 5
+ # customReadinessProbe:
+ # initialDelaySeconds: 30
+ # periodSeconds: 10
+ # timeoutSeconds: 5
+ # exec:
+ # command:
+ # - "container-entrypoint"
+ # - "bash"
+ # - "-c"
+ # - "redis-cli set liveness-probe \"`date`\" | grep OK"
+ customLivenessProbe: {}
+ customReadinessProbe: {}
+
+ ## Redis slave Resource
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 100m
+
+ ## Redis slave selectors and tolerations for pod assignment
+ # nodeSelector: {"beta.kubernetes.io/arch": "amd64"}
+ # tolerations: []
+
+ ## Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ # schedulerName:
+
+ ## Redis slave pod Annotation and Labels
+ podLabels: {}
+ podAnnotations: {}
+
+ ## Redis slave pod priorityClassName
+ # priorityClassName: {}
+
+ ## Enable persistence using Persistent Volume Claims
+ ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ persistence:
+ enabled: true
+ ## The path the volume will be mounted at, useful when using different
+ ## Redis images.
+ path: /data
+ ## The subdirectory of the volume to mount to, useful in dev environments
+ ## and one PV for multiple services.
+ subPath: ""
+ ## redis data Persistent Volume Storage Class
+ ## If defined, storageClassName: <storageClass>
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ # storageClass: "-"
+ accessModes:
+ - ReadWriteOnce
+ size: 8Gi
+ ## Persistent Volume selectors
+ ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector
+ matchLabels: {}
+ matchExpressions: {}
+
+ ## Update strategy, can be set to RollingUpdate or onDelete by default.
+ ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ statefulset:
+ updateStrategy: RollingUpdate
+ ## Partition update strategy
+ ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
+ # rollingUpdatePartition:
+
+## Prometheus Exporter / Metrics
+##
+metrics:
+ enabled: true
+
+ image:
+ registry: docker.io
+ repository: bitnami/redis-exporter
+ tag: 1.6.1-debian-10-r27
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+
+ ## Metrics exporter resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ # resources: {}
+
+ ## Extra arguments for Metrics exporter, for example:
+ ## extraArgs:
+ ## check-keys: myKey,myOtherKey
+ # extraArgs: {}
+
+ ## Metrics exporter pod Annotation and Labels
+ podAnnotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9121"
+ # podLabels: {}
+
+ # Enable this if you're using https://github.com/coreos/prometheus-operator
+ serviceMonitor:
+ enabled: false
+ ## Specify a namespace if needed
+ # namespace: monitoring
+ # fallback to the prometheus default unless specified
+ # interval: 10s
+ ## Defaults to what's used if you follow CoreOS [Prometheus Install Instructions](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#tldr)
+ ## [Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-operator-1)
+ ## [Kube Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#exporters)
+ selector:
+ prometheus: kube-prometheus
+
+ ## Custom PrometheusRule to be defined
+ ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
+ ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
+ prometheusRule:
+ enabled: false
+ additionalLabels: {}
+ namespace: ""
+ ## Redis prometheus rules
+ ## These are just examples rules, please adapt them to your needs.
+ ## Make sure to constraint the rules to the current postgresql service.
+ # rules:
+ # - alert: RedisDown
+ # expr: redis_up{service="{{ template "redis.fullname" . }}-metrics"} == 0
+ # for: 2m
+ # labels:
+ # severity: error
+ # annotations:
+ # summary: Redis instance {{ "{{ $labels.instance }}" }} down
+ # description: Redis instance {{ "{{ $labels.instance }}" }} is down
+ # - alert: RedisMemoryHigh
+ # expr: >
+ # redis_memory_used_bytes{service="{{ template "redis.fullname" . }}-metrics"} * 100
+ # /
+ # redis_memory_max_bytes{service="{{ template "redis.fullname" . }}-metrics"}
+ # > 90 =< 100
+ # for: 2m
+ # labels:
+ # severity: error
+ # annotations:
+ # summary: Redis instance {{ "{{ $labels.instance }}" }} is using too much memory
+ # description: |
+ # Redis instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory.
+ # - alert: RedisKeyEviction
+ # expr: |
+ # increase(redis_evicted_keys_total{service="{{ template "redis.fullname" . }}-metrics"}[5m]) > 0
+ # for: 1s
+ # labels:
+ # severity: error
+ # annotations:
+ # summary: Redis instance {{ "{{ $labels.instance }}" }} has evicted keys
+ # description: |
+ # Redis instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes.
+ rules: []
+
+ ## Metrics exporter pod priorityClassName
+ # priorityClassName: {}
+ service:
+ type: ClusterIP
+ ## Use serviceLoadBalancerIP to request a specific static IP,
+ ## otherwise leave blank
+ # loadBalancerIP:
+ annotations: {}
+ labels: {}
+
+##
+## Init containers parameters:
+## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup
+##
+volumePermissions:
+ enabled: false
+ image:
+ registry: docker.io
+ repository: bitnami/minideb
+ tag: buster
+ pullPolicy: Always
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ resources: {}
+ # resources:
+ # requests:
+ # memory: 128Mi
+ # cpu: 100m
+
+## Redis config file
+## ref: https://redis.io/topics/config
+##
+configmap: |-
+ # Enable AOF https://redis.io/topics/persistence#append-only-file
+ appendonly yes
+ # Disable RDB persistence, AOF persistence already enabled.
+ save ""
+
+## Sysctl InitContainer
+## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings)
+sysctlImage:
+ enabled: false
+ command: []
+ registry: docker.io
+ repository: bitnami/minideb
+ tag: buster
+ pullPolicy: Always
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ mountHostSys: false
+ resources: {}
+ # resources:
+ # requests:
+ # memory: 128Mi
+ # cpu: 100m
+
+## PodSecurityPolicy configuration
+## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+##
+podSecurityPolicy:
+ ## Specifies whether a PodSecurityPolicy should be created
+ ##
+ create: false
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/values.schema.json b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/values.schema.json
new file mode 100644
index 0000000000000000000000000000000000000000..2138e451e424b49df526d6f8359ed3691b44ed47
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/values.schema.json
@@ -0,0 +1,168 @@
+{
+ "$schema": "http://json-schema.org/schema#",
+ "type": "object",
+ "properties": {
+ "usePassword": {
+ "type": "boolean",
+ "title": "Use password authentication",
+ "form": true
+ },
+ "password": {
+ "type": "string",
+ "title": "Password",
+ "form": true,
+ "description": "Defaults to a random 10-character alphanumeric string if not set",
+ "hidden": {
+ "condition": false,
+ "value": "usePassword"
+ }
+ },
+ "cluster": {
+ "type": "object",
+ "title": "Cluster Settings",
+ "form": true,
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "form": true,
+ "title": "Enable master-slave",
+ "description": "Enable master-slave architecture"
+ },
+ "slaveCount": {
+ "type": "integer",
+ "title": "Slave Replicas",
+ "form": true,
+ "hidden": {
+ "condition": false,
+ "value": "cluster.enabled"
+ }
+ }
+ }
+ },
+ "master": {
+ "type": "object",
+ "title": "Master replicas settings",
+ "form": true,
+ "properties": {
+ "persistence": {
+ "type": "object",
+ "title": "Persistence for master replicas",
+ "form": true,
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "form": true,
+ "title": "Enable persistence",
+ "description": "Enable persistence using Persistent Volume Claims"
+ },
+ "size": {
+ "type": "string",
+ "title": "Persistent Volume Size",
+ "form": true,
+ "render": "slider",
+ "sliderMin": 1,
+ "sliderMax": 100,
+ "sliderUnit": "Gi",
+ "hidden": {
+ "condition": false,
+ "value": "master.persistence.enabled"
+ }
+ },
+ "matchLabels": {
+ "type": "object",
+ "title": "Persistent Match Labels Selector"
+ },
+ "matchExpressions": {
+ "type": "object",
+ "title": "Persistent Match Expressions Selector"
+ }
+ }
+ }
+ }
+ },
+ "slave": {
+ "type": "object",
+ "title": "Slave replicas settings",
+ "form": true,
+ "hidden": {
+ "condition": false,
+ "value": "cluster.enabled"
+ },
+ "properties": {
+ "persistence": {
+ "type": "object",
+ "title": "Persistence for slave replicas",
+ "form": true,
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "form": true,
+ "title": "Enable persistence",
+ "description": "Enable persistence using Persistent Volume Claims"
+ },
+ "size": {
+ "type": "string",
+ "title": "Persistent Volume Size",
+ "form": true,
+ "render": "slider",
+ "sliderMin": 1,
+ "sliderMax": 100,
+ "sliderUnit": "Gi",
+ "hidden": {
+ "condition": false,
+ "value": "slave.persistence.enabled"
+ }
+ },
+ "matchLabels": {
+ "type": "object",
+ "title": "Persistent Match Labels Selector"
+ },
+ "matchExpressions": {
+ "type": "object",
+ "title": "Persistent Match Expressions Selector"
+ }
+ }
+ }
+ }
+ },
+ "volumePermissions": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "form": true,
+ "title": "Enable Init Containers",
+ "description": "Use an init container to set required folder permissions on the data volume before mounting it in the final destination"
+ }
+ }
+ },
+ "metrics": {
+ "type": "object",
+ "form": true,
+ "title": "Prometheus metrics details",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "title": "Create Prometheus metrics exporter",
+ "description": "Create a side-car container to expose Prometheus metrics",
+ "form": true
+ },
+ "serviceMonitor": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "title": "Create Prometheus Operator ServiceMonitor",
+ "description": "Create a ServiceMonitor to track metrics using Prometheus Operator",
+ "form": true,
+ "hidden": {
+ "condition": false,
+ "value": "metrics.enabled"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/values.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..29cb7459c017404883ebb654eecea42d26729b64
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/charts/redis/values.yaml
@@ -0,0 +1,690 @@
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry and imagePullSecrets
+##
+global:
+ # imageRegistry: myRegistryName
+ # imagePullSecrets:
+ # - myRegistryKeySecretName
+ # storageClass: myStorageClass
+ redis: {}
+
+## Bitnami Redis image version
+## ref: https://hub.docker.com/r/bitnami/redis/tags/
+##
+image:
+ registry: docker.io
+ repository: bitnami/redis
+ ## Bitnami Redis image tag
+ ## ref: https://github.com/bitnami/bitnami-docker-redis#supported-tags-and-respective-dockerfile-links
+ ##
+ tag: 6.0.5-debian-10-r0
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+
+## String to partially override redis.fullname template (will maintain the release name)
+##
+# nameOverride:
+
+## String to fully override redis.fullname template
+##
+# fullnameOverride:
+
+## Cluster settings
+cluster:
+ enabled: true
+ slaveCount: 2
+
+## Use redis sentinel in the redis pod. This will disable the master and slave services and
+## create one redis service with ports to the sentinel and the redis instances
+sentinel:
+ enabled: false
+ ## Require password authentication on the sentinel itself
+ ## ref: https://redis.io/topics/sentinel
+ usePassword: true
+ ## Bitnami Redis Sentintel image version
+ ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/redis-sentinel
+ ## Bitnami Redis image tag
+ ## ref: https://github.com/bitnami/bitnami-docker-redis-sentinel#supported-tags-and-respective-dockerfile-links
+ ##
+ tag: 6.0.4-debian-10-r11
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ masterSet: mymaster
+ initialCheckTimeout: 5
+ quorum: 2
+ downAfterMilliseconds: 60000
+ failoverTimeout: 18000
+ parallelSyncs: 1
+ port: 26379
+ ## Additional Redis configuration for the sentinel nodes
+ ## ref: https://redis.io/topics/config
+ ##
+ configmap:
+ ## Enable or disable static sentinel IDs for each replicas
+ ## If disabled each sentinel will generate a random id at startup
+ ## If enabled, each replicas will have a constant ID on each start-up
+ ##
+ staticID: false
+ ## Configure extra options for Redis Sentinel liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 5
+ customLivenessProbe: {}
+ customReadinessProbe: {}
+ ## Redis Sentinel resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 100m
+ ## Redis Sentinel Service properties
+ service:
+ ## Redis Sentinel Service type
+ type: ClusterIP
+ sentinelPort: 26379
+ redisPort: 6379
+
+ ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ # sentinelNodePort:
+ # redisNodePort:
+
+ ## Provide any additional annotations which may be required. This can be used to
+ ## set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ labels: {}
+ loadBalancerIP:
+
+## Specifies the Kubernetes Cluster's Domain Name.
+##
+clusterDomain: cluster.local
+
+networkPolicy:
+ ## Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: false
+
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## client label will have network access to the port Redis is listening
+ ## on. When true, Redis will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ # allowExternal: true
+
+ ## Allow connections from other namespacess. Just set label for namespace and set label for pods (optional).
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
+
+serviceAccount:
+ ## Specifies whether a ServiceAccount should be created
+ ##
+ create: false
+ ## The name of the ServiceAccount to use.
+ ## If not set and create is true, a name is generated using the fullname template
+ name:
+
+rbac:
+ ## Specifies whether RBAC resources should be created
+ ##
+ create: false
+
+ role:
+ ## Rules to create. It follows the role specification
+ # rules:
+ # - apiGroups:
+ # - extensions
+ # resources:
+ # - podsecuritypolicies
+ # verbs:
+ # - use
+ # resourceNames:
+ # - gce.unprivileged
+ rules: []
+
+## Redis pod Security Context
+securityContext:
+ enabled: true
+ fsGroup: 1001
+ runAsUser: 1001
+ ## sysctl settings for master and slave pods
+ ##
+ ## Uncomment the setting below to increase the net.core.somaxconn value
+ ##
+ # sysctls:
+ # - name: net.core.somaxconn
+ # value: "10000"
+
+## Use password authentication
+usePassword: true
+## Redis password (both master and slave)
+## Defaults to a random 10-character alphanumeric string if not set and usePassword is true
+## ref: https://github.com/bitnami/bitnami-docker-redis#setting-the-server-password-on-first-run
+##
+password: ""
+## Use existing secret (ignores previous password)
+# existingSecret:
+## Password key to be retrieved from Redis secret
+##
+# existingSecretPasswordKey:
+
+## Mount secrets as files instead of environment variables
+usePasswordFile: false
+
+## Persist data to a persistent volume (Redis Master)
+persistence:
+ ## A manually managed Persistent Volume and Claim
+ ## Requires persistence.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ existingClaim:
+
+# Redis port
+redisPort: 6379
+
+##
+## Redis Master parameters
+##
+master:
+ ## Redis command arguments
+ ##
+ ## Can be used to specify command line arguments, for example:
+ ##
+ command: "/run.sh"
+ ## Additional Redis configuration for the master nodes
+ ## ref: https://redis.io/topics/config
+ ##
+ configmap:
+ ## Redis additional command line flags
+ ##
+ ## Can be used to specify command line flags, for example:
+ ##
+ ## extraFlags:
+ ## - "--maxmemory-policy volatile-ttl"
+ ## - "--repl-backlog-size 1024mb"
+ extraFlags: []
+ ## Comma-separated list of Redis commands to disable
+ ##
+ ## Can be used to disable Redis commands for security reasons.
+ ## Commands will be completely disabled by renaming each to an empty string.
+ ## ref: https://redis.io/topics/security#disabling-of-specific-commands
+ ##
+ disableCommands:
+ - FLUSHDB
+ - FLUSHALL
+
+ ## Redis Master additional pod labels and annotations
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ podLabels: {}
+ podAnnotations: {}
+
+ ## Redis Master resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 100m
+ ## Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ # schedulerName:
+
+ ## Configure extra options for Redis Master liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 5
+
+ ## Configure custom probes for images other images like
+ ## rhscl/redis-32-rhel7 rhscl/redis-5-rhel7
+ ## Only used if readinessProbe.enabled: false / livenessProbe.enabled: false
+ ##
+ # customLivenessProbe:
+ # tcpSocket:
+ # port: 6379
+ # initialDelaySeconds: 10
+ # periodSeconds: 5
+ # customReadinessProbe:
+ # initialDelaySeconds: 30
+ # periodSeconds: 10
+ # timeoutSeconds: 5
+ # exec:
+ # command:
+ # - "container-entrypoint"
+ # - "bash"
+ # - "-c"
+ # - "redis-cli set liveness-probe \"`date`\" | grep OK"
+ customLivenessProbe: {}
+ customReadinessProbe: {}
+
+ ## Redis Master Node selectors and tolerations for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
+ ##
+ # nodeSelector: {"beta.kubernetes.io/arch": "amd64"}
+ # tolerations: []
+ ## Redis Master pod/node affinity/anti-affinity
+ ##
+ affinity: {}
+
+ ## Redis Master Service properties
+ service:
+ ## Redis Master Service type
+ type: ClusterIP
+ port: 6379
+
+ ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ # nodePort:
+
+ ## Provide any additional annotations which may be required. This can be used to
+ ## set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ labels: {}
+ loadBalancerIP:
+ # loadBalancerSourceRanges: ["10.0.0.0/8"]
+
+ ## Enable persistence using Persistent Volume Claims
+ ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ persistence:
+ enabled: true
+ ## The path the volume will be mounted at, useful when using different
+ ## Redis images.
+ path: /data
+ ## The subdirectory of the volume to mount to, useful in dev environments
+ ## and one PV for multiple services.
+ subPath: ""
+ ## redis data Persistent Volume Storage Class
+ ## If defined, storageClassName: <storageClass>
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ # storageClass: "-"
+ accessModes:
+ - ReadWriteOnce
+ size: 8Gi
+ ## Persistent Volume selectors
+ ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector
+ matchLabels: {}
+ matchExpressions: {}
+
+ ## Update strategy, can be set to RollingUpdate or onDelete by default.
+ ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ statefulset:
+ updateStrategy: RollingUpdate
+ ## Partition update strategy
+ ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
+ # rollingUpdatePartition:
+
+ ## Redis Master pod priorityClassName
+ ##
+ priorityClassName: {}
+
+##
+## Redis Slave properties
+## Note: service.type is a mandatory parameter
+## The rest of the parameters are either optional or, if undefined, will inherit those declared in Redis Master
+##
+slave:
+ ## Slave Service properties
+ service:
+ ## Redis Slave Service type
+ type: ClusterIP
+ ## Redis port
+ port: 6379
+ ## Specify the nodePort value for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ # nodePort:
+
+ ## Provide any additional annotations which may be required. This can be used to
+ ## set the LoadBalancer service type to internal only.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ annotations: {}
+ labels: {}
+ loadBalancerIP:
+ # loadBalancerSourceRanges: ["10.0.0.0/8"]
+
+ ## Redis slave port
+ port: 6379
+ ## Can be used to specify command line arguments, for example:
+ ##
+ command: "/run.sh"
+ ## Additional Redis configuration for the slave nodes
+ ## ref: https://redis.io/topics/config
+ ##
+ configmap:
+ ## Redis extra flags
+ extraFlags: []
+ ## List of Redis commands to disable
+ disableCommands:
+ - FLUSHDB
+ - FLUSHALL
+
+ ## Redis Slave pod/node affinity/anti-affinity
+ ##
+ affinity: {}
+
+ ## Kubernetes Spread Constraints for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+ ##
+ # - maxSkew: 1
+ # topologyKey: node
+ # whenUnsatisfiable: DoNotSchedule
+ spreadConstraints: {}
+
+ ## Configure extra options for Redis Slave liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 10
+ successThreshold: 1
+ failureThreshold: 5
+
+ ## Configure custom probes for images other images like
+ ## rhscl/redis-32-rhel7 rhscl/redis-5-rhel7
+ ## Only used if readinessProbe.enabled: false / livenessProbe.enabled: false
+ ##
+ # customLivenessProbe:
+ # tcpSocket:
+ # port: 6379
+ # initialDelaySeconds: 10
+ # periodSeconds: 5
+ # customReadinessProbe:
+ # initialDelaySeconds: 30
+ # periodSeconds: 10
+ # timeoutSeconds: 5
+ # exec:
+ # command:
+ # - "container-entrypoint"
+ # - "bash"
+ # - "-c"
+ # - "redis-cli set liveness-probe \"`date`\" | grep OK"
+ customLivenessProbe: {}
+ customReadinessProbe: {}
+
+ ## Redis slave Resource
+ # resources:
+ # requests:
+ # memory: 256Mi
+ # cpu: 100m
+
+ ## Redis slave selectors and tolerations for pod assignment
+ # nodeSelector: {"beta.kubernetes.io/arch": "amd64"}
+ # tolerations: []
+
+ ## Use an alternate scheduler, e.g. "stork".
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ # schedulerName:
+
+ ## Redis slave pod Annotation and Labels
+ podLabels: {}
+ podAnnotations: {}
+
+ ## Redis slave pod priorityClassName
+ # priorityClassName: {}
+
+ ## Enable persistence using Persistent Volume Claims
+ ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ persistence:
+ enabled: true
+ ## The path the volume will be mounted at, useful when using different
+ ## Redis images.
+ path: /data
+ ## The subdirectory of the volume to mount to, useful in dev environments
+ ## and one PV for multiple services.
+ subPath: ""
+ ## redis data Persistent Volume Storage Class
+ ## If defined, storageClassName: <storageClass>
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ # storageClass: "-"
+ accessModes:
+ - ReadWriteOnce
+ size: 8Gi
+ ## Persistent Volume selectors
+ ## https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector
+ matchLabels: {}
+ matchExpressions: {}
+
+ ## Update strategy, can be set to RollingUpdate or onDelete by default.
+ ## https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
+ statefulset:
+ updateStrategy: RollingUpdate
+ ## Partition update strategy
+ ## https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
+ # rollingUpdatePartition:
+
+## Prometheus Exporter / Metrics
+##
+metrics:
+ enabled: false
+
+ image:
+ registry: docker.io
+ repository: bitnami/redis-exporter
+ tag: 1.6.1-debian-10-r27
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+
+ ## Metrics exporter resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ # resources: {}
+
+ ## Extra arguments for Metrics exporter, for example:
+ ## extraArgs:
+ ## check-keys: myKey,myOtherKey
+ # extraArgs: {}
+
+ ## Metrics exporter pod Annotation and Labels
+ podAnnotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9121"
+ # podLabels: {}
+
+ # Enable this if you're using https://github.com/coreos/prometheus-operator
+ serviceMonitor:
+ enabled: false
+ ## Specify a namespace if needed
+ # namespace: monitoring
+ # fallback to the prometheus default unless specified
+ # interval: 10s
+ ## Defaults to what's used if you follow CoreOS [Prometheus Install Instructions](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#tldr)
+ ## [Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-operator-1)
+ ## [Kube Prometheus Selector Label](https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#exporters)
+ selector:
+ prometheus: kube-prometheus
+
+ ## Custom PrometheusRule to be defined
+ ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
+ ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
+ prometheusRule:
+ enabled: false
+ additionalLabels: {}
+ namespace: ""
+ ## Redis prometheus rules
+ ## These are just examples rules, please adapt them to your needs.
+ ## Make sure to constraint the rules to the current postgresql service.
+ # rules:
+ # - alert: RedisDown
+ # expr: redis_up{service="{{ template "redis.fullname" . }}-metrics"} == 0
+ # for: 2m
+ # labels:
+ # severity: error
+ # annotations:
+ # summary: Redis instance {{ "{{ $labels.instance }}" }} down
+ # description: Redis instance {{ "{{ $labels.instance }}" }} is down
+ # - alert: RedisMemoryHigh
+ # expr: >
+ # redis_memory_used_bytes{service="{{ template "redis.fullname" . }}-metrics"} * 100
+ # /
+ # redis_memory_max_bytes{service="{{ template "redis.fullname" . }}-metrics"}
+ # > 90 =< 100
+ # for: 2m
+ # labels:
+ # severity: error
+ # annotations:
+ # summary: Redis instance {{ "{{ $labels.instance }}" }} is using too much memory
+ # description: |
+ # Redis instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory.
+ # - alert: RedisKeyEviction
+ # expr: |
+ # increase(redis_evicted_keys_total{service="{{ template "redis.fullname" . }}-metrics"}[5m]) > 0
+ # for: 1s
+ # labels:
+ # severity: error
+ # annotations:
+ # summary: Redis instance {{ "{{ $labels.instance }}" }} has evicted keys
+ # description: |
+ # Redis instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes.
+ rules: []
+
+ ## Metrics exporter pod priorityClassName
+ # priorityClassName: {}
+ service:
+ type: ClusterIP
+ ## Use serviceLoadBalancerIP to request a specific static IP,
+ ## otherwise leave blank
+ # loadBalancerIP:
+ annotations: {}
+ labels: {}
+
+##
+## Init containers parameters:
+## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup
+##
+volumePermissions:
+ enabled: false
+ image:
+ registry: docker.io
+ repository: bitnami/minideb
+ tag: buster
+ pullPolicy: Always
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ resources: {}
+ # resources:
+ # requests:
+ # memory: 128Mi
+ # cpu: 100m
+
+## Redis config file
+## ref: https://redis.io/topics/config
+##
+configmap: |-
+ # Enable AOF https://redis.io/topics/persistence#append-only-file
+ appendonly yes
+ # Disable RDB persistence, AOF persistence already enabled.
+ save ""
+
+## Sysctl InitContainer
+## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings)
+sysctlImage:
+ enabled: false
+ command: []
+ registry: docker.io
+ repository: bitnami/minideb
+ tag: buster
+ pullPolicy: Always
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+ mountHostSys: false
+ resources: {}
+ # resources:
+ # requests:
+ # memory: 128Mi
+ # cpu: 100m
+
+## PodSecurityPolicy configuration
+## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+##
+podSecurityPolicy:
+ ## Specifies whether a PodSecurityPolicy should be created
+ ##
+ create: false
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/default-values.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/default-values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..fc2ba605adaef469587377fc0574f0b4b938aa4d
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/default-values.yaml
@@ -0,0 +1 @@
+# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/extra-env-tpl-values.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/extra-env-tpl-values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..357dba9153f0d30d654778917883261a4e205f22
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/extra-env-tpl-values.yaml
@@ -0,0 +1,6 @@
+tplValue: "This is a test value for the template function"
+extraEnv:
+ - name: TEST_ENV_VAR_1
+ value: test_value_1
+ - name: TEST_ENV_VAR_2
+ value: '{{ .Values.tplValue }}'
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/ingress-extra-paths-values.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/ingress-extra-paths-values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8d8c7df3ef84ecb54321febcf110fc0c3ac4f92a
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/ingress-extra-paths-values.yaml
@@ -0,0 +1,9 @@
+ingress:
+ extraPaths:
+ - path: /*
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: ssl-redirect
+ port:
+ name: use-annotation
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/pdb-values.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/pdb-values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..25b16272a77ae7d92ce1d8c74aff7235d5ac5d02
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/pdb-values.yaml
@@ -0,0 +1 @@
+replicaCount: 2 # Enables PodDisruptionBudget which is disabled when replicaCount is 1
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/pod-security-context-values.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/pod-security-context-values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b7c8cea546a546826d3b85cb427ae8010a708bc8
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/pod-security-context-values.yaml
@@ -0,0 +1,4 @@
+# Allocate a FSGroup that owns the pod’s volumes via podSecurityContext
+---
+podSecurityContext:
+ fsGroup: 2000
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/redis-standalone-values.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/redis-standalone-values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..89221817586f05e5cbbbac2b4817d0bac0bb6119
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/ci/redis-standalone-values.yaml
@@ -0,0 +1,9 @@
+sessionStorage:
+ type: redis
+ redis:
+ clientType: "standalone"
+ password: "foo"
+redis:
+ # provision an instance of the redis sub-chart
+ enabled: true
+ password: "foo"
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/NOTES.txt b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/NOTES.txt
new file mode 100644
index 0000000000000000000000000000000000000000..10d2de847d4a65fe383910355195c54dc9199eef
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/NOTES.txt
@@ -0,0 +1,3 @@
+To verify that oauth2-proxy has started, run:
+
+ kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "oauth2-proxy.fullname" . }}"
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/_helpers.tpl b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/_helpers.tpl
new file mode 100644
index 0000000000000000000000000000000000000000..a063d9ddad12acbd05e52b89a64bd6f24c048996
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/_helpers.tpl
@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "oauth2-proxy.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "oauth2-proxy.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "oauth2-proxy.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Get the secret name.
+*/}}
+{{- define "oauth2-proxy.secretName" -}}
+{{- if .Values.config.existingSecret -}}
+{{- printf "%s" .Values.config.existingSecret -}}
+{{- else -}}
+{{- printf "%s" (include "oauth2-proxy.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "oauth2-proxy.serviceAccountName" -}}
+{{- if .Values.serviceAccount.enabled -}}
+ {{ default (include "oauth2-proxy.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+
+{{- define "oauth2-proxy.redisStandaloneUrl" -}}
+{{- if .Values.sessionStorage.redis.standalone.connectionUrl -}}
+{{ .Values.sessionStorage.redis.standalone.connectionUrl }}
+{{- else -}}
+{{- printf "redis://%s-redis-master:6379" (include "oauth2-proxy.fullname" .) -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..980580c18e7badc2c518d766725c484ab7dec7d5
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.authenticatedEmailsFile.enabled }}
+{{- if and (.Values.authenticatedEmailsFile.restricted_access) (eq .Values.authenticatedEmailsFile.persistence "configmap") }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ chart: {{ template "oauth2-proxy.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+{{- if .Values.authenticatedEmailsFile.annotations }}
+ annotations:
+{{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }}
+{{- end }}
+ name: {{ template "oauth2-proxy.fullname" . }}-accesslist
+data:
+ {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | quote }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/configmap-htpasswd-file.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/configmap-htpasswd-file.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c40b63716ba8f553e6d0beb63c53098286f17b53
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/configmap-htpasswd-file.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.htpasswdFile.enabled (not .Values.htpasswdFile.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ chart: {{ template "oauth2-proxy.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
+type: Opaque
+stringData:
+ users.txt: |-
+ {{- range $entries := .Values.htpasswdFile.entries }}
+ {{ $entries }}
+ {{- end -}}
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/configmap.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/configmap.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..bf5f517c9acdeefa7a10bb5ec882e2c88749e96a
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/configmap.yaml
@@ -0,0 +1,15 @@
+{{- if not .Values.config.existingConfig }}
+{{- if .Values.config.configFile }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ chart: {{ template "oauth2-proxy.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: {{ template "oauth2-proxy.fullname" . }}
+data:
+ oauth2_proxy.cfg: {{ .Values.config.configFile | quote }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/deployment.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/deployment.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d6e93973ec85f4e90af26d2f63de0e3d2b8f175e
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/deployment.yaml
@@ -0,0 +1,269 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ chart: {{ template "oauth2-proxy.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: {{ template "oauth2-proxy.fullname" . }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ template "oauth2-proxy.name" . }}
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }}
+ checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+ checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }}
+ checksum/redis-secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }}
+{{- if .Values.htpasswdFile.enabled }}
+ checksum/htpasswd: {{ include (print $.Template.BasePath "/configmap-htpasswd-file.yaml") . | sha256sum }}
+{{- end }}
+ {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+ {{- end }}
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ release: "{{ .Release.Name }}"
+ {{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels | indent 8 }}
+ {{- end }}
+ spec:
+ {{- if .Values.priorityClassName }}
+ priorityClassName: "{{ .Values.priorityClassName }}"
+ {{- end }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ - --http-address=0.0.0.0:4180
+ {{- if .Values.metrics.enabled }}
+ - --metrics-address=0.0.0.0:44180
+ {{- end }}
+ {{- if .Values.config.cookieName }}
+ - --cookie-name={{ .Values.config.cookieName }}
+ {{- end }}
+ {{- range $key, $value := .Values.extraArgs }}
+ {{- if $value }}
+ - --{{ $key }}={{ $value }}
+ {{- else }}
+ - --{{ $key }}
+ {{- end }}
+ {{- end }}
+ {{- if or .Values.config.existingConfig .Values.config.configFile }}
+ - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
+ {{- end }}
+ {{- if .Values.authenticatedEmailsFile.enabled }}
+ {{- if .Values.authenticatedEmailsFile.template }}
+ - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }}
+ {{- else }}
+ - --authenticated-emails-file=/etc/oauth2-proxy/authenticated-emails-list
+ {{- end }}
+ {{- end }}
+ {{- with .Values.config.google }}
+ {{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
+ - --google-admin-email={{ .adminEmail }}
+ - --google-service-account-json=/google/service-account.json
+ {{- end }}
+ {{- end }}
+ {{- if .Values.htpasswdFile.enabled }}
+ - --htpasswd-file=/etc/oauth2_proxy/htpasswd/users.txt
+ {{- end }}
+ env:
+ {{- if .Values.proxyVarsAsSecrets }}
+ - name: OAUTH2_PROXY_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "oauth2-proxy.secretName" . }}
+ key: client-id
+ - name: OAUTH2_PROXY_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "oauth2-proxy.secretName" . }}
+ key: client-secret
+ - name: OAUTH2_PROXY_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "oauth2-proxy.secretName" . }}
+ key: cookie-secret
+ {{- end }}
+ {{- if eq (default "cookie" .Values.sessionStorage.type) "redis" }}
+ - name: OAUTH2_PROXY_SESSION_STORE_TYPE
+ value: "redis"
+ {{- if .Values.sessionStorage.redis.password }}
+ - name: OAUTH2_PROXY_REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ if .Values.sessionStorage.redis.existingSecret }} {{ .Values.sessionStorage.redis.existingSecret }}{{ else }} {{ template "oauth2-proxy.fullname" . }}-redis-access{{ end }}
+ key: redis-password
+ {{- end }}
+ {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }}
+ - name: OAUTH2_PROXY_REDIS_CONNECTION_URL
+ value: {{ include "oauth2-proxy.redisStandaloneUrl" . }}
+ {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }}
+ - name: OAUTH2_PROXY_REDIS_USE_CLUSTER
+ value: "true"
+ - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS
+ value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }}
+ {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }}
+ - name: OAUTH2_PROXY_REDIS_USE_SENTINEL
+ value: "true"
+ - name: OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME
+ value: {{ .Values.sessionStorage.redis.sentinel.masterName }}
+ - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS
+ value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }}
+ {{- if .Values.sessionStorage.redis.sentinel.password }}
+ - name: OAUTH2_PROXY_REDIS_SENTINEL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ if .Values.sessionStorage.redis.existingSecret }} {{ .Values.sessionStorage.redis.existingSecret }}{{ else }} {{ template "oauth2-proxy.fullname" . }}-redis-access{{ end }}
+ key: redis-sentinel-password
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.extraEnv }}
+{{ tpl (toYaml .Values.extraEnv) . | indent 8 }}
+ {{- end }}
+ ports:
+ - containerPort: 4180
+ name: {{ .Values.httpScheme }}
+ protocol: TCP
+{{- if .Values.metrics.enabled }}
+ - containerPort: 44180
+ protocol: TCP
+ name: metrics
+{{- end }}
+{{- if .Values.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: {{ .Values.httpScheme }}
+ scheme: {{ .Values.httpScheme | upper }}
+ initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+{{- end }}
+{{- if .Values.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: {{ .Values.httpScheme }}
+ scheme: {{ .Values.httpScheme | upper }}
+ initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.readinessProbe.successThreshold }}
+ periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+{{- end }}
+ resources:
+{{ toYaml .Values.resources | indent 10 }}
+ volumeMounts:
+{{- with .Values.config.google }}
+{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
+ - name: google-secret
+ mountPath: /google
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- if or .Values.config.existingConfig .Values.config.configFile }}
+ - mountPath: /etc/oauth2_proxy
+ name: configmain
+{{- end }}
+{{- if .Values.authenticatedEmailsFile.enabled }}
+ - mountPath: /etc/oauth2-proxy
+ name: configaccesslist
+ readOnly: true
+{{- end }}
+{{- if .Values.htpasswdFile.enabled }}
+ - mountPath: /etc/oauth2_proxy/htpasswd
+ name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
+ readOnly: true
+{{- end }}
+{{- if ne (len .Values.extraVolumeMounts) 0 }}
+{{ toYaml .Values.extraVolumeMounts | indent 8 }}
+{{- end }}
+{{- if .Values.securityContext.enabled }}
+ securityContext:
+ runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
+{{- end}}
+ volumes:
+{{- with .Values.config.google }}
+{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
+ - name: google-secret
+ secret:
+ secretName: {{ if .existingSecret }}{{ .existingSecret }}{{ else }} {{ template "oauth2-proxy.secretName" $ }}{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.htpasswdFile.enabled }}
+ - name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
+ secret:
+ secretName: {{ if .Values.htpasswdFile.existingSecret }}{{ .Values.htpasswdFile.existingSecret }}{{ else }} {{ template "oauth2-proxy.fullname" . }}-htpasswd-file {{ end }}
+{{- end }}
+
+{{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "secret") }}
+ - name: configaccesslist
+ secret:
+ items:
+ - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}
+{{- if .Values.authenticatedEmailsFile.template }}
+ path: {{ .Values.authenticatedEmailsFile.template }}
+{{- else }}
+ path: authenticated-emails-list
+{{- end }}
+{{- if .Values.authenticatedEmailsFile.template }}
+ secretName: {{ .Values.authenticatedEmailsFile.template }}
+{{- else }}
+ secretName: {{ template "oauth2-proxy.fullname" . }}-accesslist
+{{- end }}
+{{- end }}
+
+{{- if or .Values.config.existingConfig .Values.config.configFile }}
+ - configMap:
+ defaultMode: 420
+ name: {{ if .Values.config.existingConfig }}{{ .Values.config.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}{{ end }}
+ name: configmain
+{{- end }}
+{{- if ne (len .Values.extraVolumes) 0 }}
+{{ toYaml .Values.extraVolumes | indent 6 }}
+{{- end }}
+{{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "configmap") }}
+ - configMap:
+{{- if .Values.authenticatedEmailsFile.template }}
+ name: {{ .Values.authenticatedEmailsFile.template }}
+{{- else }}
+ name: {{ template "oauth2-proxy.fullname" . }}-accesslist
+{{- end }}
+ items:
+ - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}
+{{- if .Values.authenticatedEmailsFile.template }}
+ path: {{ .Values.authenticatedEmailsFile.template }}
+{{- else }}
+ path: authenticated-emails-list
+{{- end }}
+ name: configaccesslist
+{{- end }}
+
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+ {{- end }}
+ {{- if .Values.affinity }}
+ affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+ {{- end }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/deprecation.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/deprecation.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0385e03670bffb7239b53e1b4ab1a318e3b24272
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/deprecation.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.checkDeprecation }}
+ {{- if .Values.service.port }}
+ {{ fail "`service.port` does no longer exist. It has been renamed to `service.portNumber`" }}
+ {{- end }}
+ {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" -}}
+ {{- range .Values.ingress.extraPaths }}
+ {{- if or (.backend.serviceName) (.backend.servicePort) }}
+ {{ fail "Please update the format of your `ingress.extraPaths` to the new ingress apiVersion `networking.k8s.io/v1` format" }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/google-secret.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/google-secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0e785b1860ac0456d65413b58fbce6268fff3497
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/google-secret.yaml
@@ -0,0 +1,14 @@
+{{- if and .Values.config.google (not .Values.config.google.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ chart: {{ template "oauth2-proxy.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: {{ template "oauth2-proxy.fullname" . }}-google
+type: Opaque
+data:
+ service-account.json: {{ .serviceAccountJson }}
+{{- end -}}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/ingress.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/ingress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..07a7f9824fa895816f0c7f6b6e9e120bccd84122
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/ingress.yaml
@@ -0,0 +1,56 @@
+{{- if .Values.ingress.enabled -}}
+{{- $serviceName := include "oauth2-proxy.fullname" . -}}
+{{- $servicePort := .Values.service.portNumber -}}
+{{- $ingressPath := .Values.ingress.path -}}
+{{- $ingressPathType := .Values.ingress.pathType -}}
+{{- $extraPaths := .Values.ingress.extraPaths -}}
+{{- $apiV1 := false -}}
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
+apiVersion: networking.k8s.io/v1
+{{- $apiV1 = true -}}
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ chart: {{ template "oauth2-proxy.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: {{ template "oauth2-proxy.fullname" . }}
+{{- with .Values.ingress.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+ rules:
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host | quote }}
+ http:
+ paths:
+{{- if $extraPaths }}
+{{ toYaml $extraPaths | indent 10 }}
+{{- end }}
+ {{- if $apiV1 }}
+ - path: {{ $ingressPath }}
+ pathType: {{ $ingressPathType }}
+ backend:
+ service:
+ name: {{ $serviceName }}
+ port:
+ number: {{ $servicePort }}
+ {{- else }}
+ - path: {{ $ingressPath }}
+ backend:
+ serviceName: {{ $serviceName }}
+ servicePort: {{ $servicePort }}
+ {{- end }}
+ {{- end -}}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/poddisruptionbudget.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a837fb31abf1765cb36e7474d0a82625dd1584d8
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/poddisruptionbudget.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.podDisruptionBudget.enabled (gt (.Values.replicaCount | int) 1) }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ chart: {{ template "oauth2-proxy.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: {{ template "oauth2-proxy.fullname" . }}
+spec:
+ selector:
+ matchLabels:
+ app: {{ template "oauth2-proxy.name" . }}
+ release: {{ .Release.Name }}
+ minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/redis-secret.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/redis-secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..9ac3431eede6bc555b76cde7624956213168c565
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/redis-secret.yaml
@@ -0,0 +1,15 @@
+{{- if and (eq .Values.sessionStorage.type "redis") (not .Values.sessionStorage.redis.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ chart: {{ template "oauth2-proxy.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: {{ template "oauth2-proxy.fullname" . }}-redis-access
+type: Opaque
+data:
+ redis-password: {{ .Values.sessionStorage.redis.password | b64enc | quote }}
+ redis-sentinel-password: {{ .Values.sessionStorage.redis.sentinel.password | b64enc | quote }}
+{{- end -}}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/secret-authenticated-emails-file.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/secret-authenticated-emails-file.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c6ef2bd17c3374e6c488514b8584d28c9ca165a4
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/secret-authenticated-emails-file.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.authenticatedEmailsFile.enabled }}
+{{- if and (.Values.authenticatedEmailsFile.restricted_access) (eq .Values.authenticatedEmailsFile.persistence "secret") }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ chart: {{ template "oauth2-proxy.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+{{- if .Values.authenticatedEmailsFile.annotations }}
+ annotations:
+{{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }}
+{{- end }}
+ name: {{ template "oauth2-proxy.fullname" . }}-accesslist
+data:
+ {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/secret.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..89134fa0d1265cd26b49313c148f9e1a76ce1c99
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/secret.yaml
@@ -0,0 +1,16 @@
+{{- if and (not .Values.config.existingSecret) (.Values.proxyVarsAsSecrets) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ chart: {{ template "oauth2-proxy.chart" . }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: {{ template "oauth2-proxy.fullname" . }}
+type: Opaque
+data:
+ cookie-secret: {{ .Values.config.cookieSecret | b64enc | quote }}
+ client-secret: {{ .Values.config.clientSecret | b64enc | quote }}
+ client-id: {{ .Values.config.clientID | b64enc | quote }}
+{{- end -}}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/service.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/service.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..689e5f19c4e8c087324501688389ffca4815f50e
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/service.yaml
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ chart: {{ template "oauth2-proxy.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ name: {{ template "oauth2-proxy.fullname" . }}
+{{- if .Values.service.annotations }}
+ annotations:
+{{ toYaml .Values.service.annotations | indent 4 }}
+{{- end }}
+spec:
+{{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }}
+ type: ClusterIP
+ {{- if .Values.service.clusterIP }}
+ clusterIP: {{ .Values.service.clusterIP }}
+ {{end}}
+{{- else if eq .Values.service.type "LoadBalancer" }}
+ type: {{ .Values.service.type }}
+ {{- if .Values.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+ {{- end }}
+ {{- if .Values.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }}
+ {{- end -}}
+{{- else }}
+ type: {{ .Values.service.type }}
+{{- end }}
+ ports:
+ - port: {{ .Values.service.portNumber }}
+ targetPort: {{ .Values.httpScheme }}
+ protocol: TCP
+ name: {{ .Values.httpScheme }}
+ {{- if and .Values.metrics.enabled .Values.metrics.port }}
+ - port: {{ .Values.metrics.port }}
+ protocol: TCP
+ targetPort: metrics
+ name: metrics
+ {{- end }}
+ selector:
+ app: {{ template "oauth2-proxy.name" . }}
+ release: {{ .Release.Name }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/serviceaccount.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/serviceaccount.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a534666f78f81d1ebc20f264ef74da7256a2ba06
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if or .Values.serviceAccount.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ chart: {{ template "oauth2-proxy.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ name: {{ template "oauth2-proxy.serviceAccountName" . }}
+{{- end -}}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/servicemonitor.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/servicemonitor.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a9796a8aff5fbc5430d379dac04ff394d00b23aa
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/templates/servicemonitor.yaml
@@ -0,0 +1,34 @@
+{{- if and .Values.metrics.enabled .Values.metrics.servicemonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "oauth2-proxy.fullname" . }}
+{{- if .Values.metrics.servicemonitor.namespace }}
+ namespace: {{ .Values.metrics.servicemonitor.namespace }}
+{{- else }}
+ namespace: {{ .Release.Namespace | quote }}
+{{- end }}
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ chart: {{ template "oauth2-proxy.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ prometheus: {{ .Values.metrics.servicemonitor.prometheusInstance }}
+{{- if .Values.metrics.servicemonitor.labels }}
+{{ toYaml .Values.metrics.servicemonitor.labels | indent 4}}
+{{- end }}
+spec:
+ jobLabel: {{ template "oauth2-proxy.fullname" . }}
+ selector:
+ matchLabels:
+ app: {{ template "oauth2-proxy.name" . }}
+ release: {{ .Release.Name }}
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ endpoints:
+ - port: metrics
+ path: "/metrics"
+ interval: {{ .Values.metrics.servicemonitor.interval }}
+ scrapeTimeout: {{ .Values.metrics.servicemonitor.scrapeTimeout }}
+{{- end }}
diff --git a/kubernetes/helm_charts/monitoring/oauth2-proxy/values.yaml b/kubernetes/helm_charts/monitoring/oauth2-proxy/values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e37778118d6a1c8f0e88cb6a6695f1d7dbeeb6f7
--- /dev/null
+++ b/kubernetes/helm_charts/monitoring/oauth2-proxy/values.yaml
@@ -0,0 +1,256 @@
+# Oauth client configuration specifics
+config:
+ # OAuth client ID
+ clientID: "XXXXXXX"
+ # OAuth client secret
+ clientSecret: "XXXXXXXX"
+ # Create a new secret with the following command
+ # openssl rand -base64 32 | head -c 32 | base64
+ # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields)
+ # Example:
+ # existingSecret: secret
+ cookieSecret: "XXXXXXXXXXXXXXXX"
+ # The name of the cookie that oauth2-proxy will create
+ # If left empty, it will default to the release name
+ cookieName: ""
+ google: {}
+ # adminEmail: xxxx
+ # serviceAccountJson: xxxx
+ # Alternatively, use an existing secret (see google-secret.yaml for required fields)
+ # Example:
+ # existingSecret: google-secret
+ # Default configuration, to be overridden
+ configFile: |-
+ email_domains = [ "*" ]
+ upstreams = [ "file:///dev/null" ]
+ # Custom configuration file: oauth2_proxy.cfg
+ # configFile: |-
+ # pass_basic_auth = false
+ # pass_access_token = true
+ # Use an existing config map (see configmap.yaml for required fields)
+ # Example:
+ # existingConfig: config
+
+image:
+ repository: "quay.io/oauth2-proxy/oauth2-proxy"
+ tag: "v7.1.3"
+ pullPolicy: "IfNotPresent"
+
+# Optionally specify an array of imagePullSecrets.
+# Secrets must be manually created in the namespace.
+# ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
+# imagePullSecrets:
+ # - name: myRegistryKeySecretName
+
+extraArgs: {}
+extraEnv: []
+
+# To authorize individual email addresses
+# That is part of extraArgs but since this needs special treatment we need to do a separate section
+authenticatedEmailsFile:
+ enabled: false
+ # Defines how the email addresses file will be projected, via a configmap or secret
+ persistence: configmap
+ # template is the name of the configmap what contains the email user list but has been configured without this chart.
+ # It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service.
+ # Be aware the value name in the extern config map in data needs to be named to "restricted_user_access" or to the
+ # provided value in restrictedUserAccessKey field.
+ template: ""
+ # The configmap/secret key under which the list of email access is stored
+ # Defaults to "restricted_user_access" if not filled-in, but can be overridden to allow flexibility
+ restrictedUserAccessKey: ""
+ # One email per line
+ # example:
+ # restricted_access: |-
+ # name1@domain
+ # name2@domain
+ # If you override the config with restricted_access it will configure a user list within this chart what takes care of the
+ # config map resource.
+ restricted_access: ""
+ annotations: {}
+ # helm.sh/resource-policy: keep
+
+service:
+ type: ClusterIP
+ # when service.type is ClusterIP ...
+ # clusterIP: 192.0.2.20
+ # when service.type is LoadBalancer ...
+ # loadBalancerIP: 198.51.100.40
+ # loadBalancerSourceRanges: 203.0.113.0/24
+ portNumber: 80
+ annotations: {}
+ # foo.io/bar: "true"
+
+## Create or use ServiceAccount
+serviceAccount:
+ ## Specifies whether a ServiceAccount should be created
+ enabled: true
+ ## The name of the ServiceAccount to use.
+ ## If not set and create is true, a name is generated using the fullname template
+ name:
+ annotations: {}
+
+ingress:
+ enabled: false
+ path: /
+ # Only used if API capabilities (networking.k8s.io/v1) allow it
+ pathType: ImplementationSpecific
+ # Used to create an Ingress record.
+ # hosts:
+ # - chart-example.local
+ # Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
+ # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1)
+ # extraPaths:
+ # - path: /*
+ # pathType: ImplementationSpecific
+ # backend:
+ # service:
+ # name: ssl-redirect
+ # port:
+ # name: use-annotation
+ # annotations:
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ # tls:
+ # Secrets must be manually created in the namespace.
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources: {}
+ # limits:
+ # cpu: 100m
+ # memory: 300Mi
+ # requests:
+ # cpu: 100m
+ # memory: 300Mi
+
+extraVolumes: []
+ # - name: ca-bundle-cert
+ # secret:
+ # secretName: <secret-name>
+
+extraVolumeMounts: []
+ # - mountPath: /etc/ssl/certs/
+ # name: ca-bundle-cert
+
+priorityClassName: ""
+
+# Affinity for pod assignment
+# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+# affinity: {}
+
+# Tolerations for pod assignment
+# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+tolerations: []
+
+# Node labels for pod assignment
+# Ref: https://kubernetes.io/docs/user-guide/node-selection/
+nodeSelector: {}
+
+# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables
+proxyVarsAsSecrets: true
+
+# Configure Kubernetes liveness and readiness probes.
+# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
+# Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks
+livenessProbe:
+ enabled: true
+ initialDelaySeconds: 0
+ timeoutSeconds: 1
+
+readinessProbe:
+ enabled: true
+ initialDelaySeconds: 0
+ timeoutSeconds: 1
+ periodSeconds: 10
+ successThreshold: 1
+
+# Configure Kubernetes security context for container
+# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+securityContext:
+ enabled: false
+ runAsNonRoot: true
+
+podAnnotations: {}
+podLabels: {}
+replicaCount: 1
+
+## PodDisruptionBudget settings
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+podDisruptionBudget:
+ enabled: true
+ minAvailable: 1
+
+# Configure Kubernetes security context for pod
+# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+podSecurityContext: {}
+
+# whether to use http or https
+httpScheme: http
+
+# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption.
+# Alternatively supply an existing secret which contains the required information.
+htpasswdFile:
+ enabled: false
+ existingSecret: ""
+ entries: {}
+ # One row for each user
+ # example:
+ # entries:
+ # - testuser:{SHA}EWhzdhgoYJWy0z2gyzhRYlN9DSiv
+
+# Configure the session storage type, between cookie and redis
+sessionStorage:
+ # Can be one of the supported session storage cookie/redis
+ type: cookie
+ redis:
+ # Secret name that holds the redis-password and redis-sentinel-password values
+ existingSecret: ""
+ password: ""
+ # Can be one of sentinel/cluster/standalone
+ clientType: "standalone"
+ standalone:
+ # If empty and sessionStorage type is redis, will automatically be generated.
+ connectionUrl: ""
+ cluster:
+ # connectionUrls: ["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]
+ connectionUrls: []
+ sentinel:
+ password: ""
+ masterName: ""
+ # connectionUrls: ["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]
+ connectionUrls: []
+
+# Enables and configure the automatic deployment of the redis subchart
+redis:
+ # provision an instance of the redis sub-chart
+ enabled: false
+ # Redis specific helm chart settings, please see:
+ # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
+ # redisPort: 6379
+ # cluster:
+ # enabled: false
+ # slaveCount: 1
+
+# Enables apiVersion deprecation checks
+checkDeprecation: true
+
+metrics:
+ # Enable Prometheus metrics endpoint
+ enabled: true
+ # Serve Prometheus metrics on this port
+ port: 44180
+ servicemonitor:
+ # Enable Prometheus Operator ServiceMonitor
+ enabled: false
+ # Define the namespace where to deploy the ServiceMonitor resource
+ namespace: ""
+ # Prometheus Instance definition
+ prometheusInstance: default
+ # Prometheus scrape interval
+ interval: 60s
+ # Prometheus scrape timeout
+ scrapeTimeout: 30s
+ # Add custom labels to the ServiceMonitor resource
+ labels: {}
diff --git a/private_repo/ansible/inventory/dev/Core/common.yml b/private_repo/ansible/inventory/dev/Core/common.yml
index c5a433d4dae3b97086c599e17f92cc525884e924..c56485fbf5683bc41e2a7b7b612e9c7a7446e6a0 100644
--- a/private_repo/ansible/inventory/dev/Core/common.yml
+++ b/private_repo/ansible/inventory/dev/Core/common.yml
@@ -225,3 +225,23 @@ kong_consumers:
- username: api-admin
groups: "{{ kong_all_consumer_groups }}"
state: present
+
+## Grafana oauth
+
+# Grafana access htpasswd
+# You can generate one at
+# https://wtools.io/generate-htpasswd-online
+# admin:{{ grafana_admin_password }}
+# eg: grafana_nginx_private_htpasswd: admin:$apr1$mf3whl$79CIvrwS7B2EZsEhKhH8w0
+grafana_nginx_private_htpasswd: ""
+grafana_admin_user_http_header: "X-privateSecretHeader-Auth"
+
+grafana_google_oauth_client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com"
+grafana_google_oauth_client_secret: "xxxxxxxxxxxxxxxxxxxxxxxx"
+
+# New line sperated list of users.
+# For example:
+# grafana_login_whitelisted_emails: |-
+# user1@gmail.com
+# user2@yahoo.com
+grafana_login_whitelisted_emails: ""