fix(deploy): replace Dragonfly CRD with plain Valkey deployment

Tenant SA lacks dragonflydb.io CRD permissions. Use a standard Valkey Deployment+Service instead. Also re-enable CNPG (created via kubectl), migrate job, and add seccompProfile to migrate pod.
2026-02-22 10:53:33 +01:00
parent f48a29c433
commit e092a8d054
3 changed files with 61 additions and 7 deletions
--- a/backend/deploy/helm/templates/dragonfly.yaml
+++ b/backend/deploy/helm/templates/dragonfly.yaml
@@ -1,13 +1,65 @@
 {{- if .Values.dragonfly.enabled -}}
-apiVersion: dragonflydb.io/v1alpha1
-kind: Dragonfly
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.dragonfly.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "marktvogt-backend.labels" . | nindent 4 }}
+    app.kubernetes.io/component: cache
+spec:
+  replicas: {{ .Values.dragonfly.replicas }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ .Values.dragonfly.name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ .Values.dragonfly.name }}
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 999
+        fsGroup: 999
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: valkey
+          image: valkey/valkey:8-alpine
+          ports:
+            - containerPort: 6379
+              protocol: TCP
+          resources:
+            {{- toYaml .Values.dragonfly.resources | nindent 12 }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop:
+                - ALL
+          volumeMounts:
+            - name: data
+              mountPath: /data
+            - name: tmp
+              mountPath: /tmp
+      volumes:
+        - name: data
+          emptyDir: {}
+        - name: tmp
+          emptyDir: {}
+---
+apiVersion: v1
+kind: Service
 metadata:
  name: {{ .Values.dragonfly.name }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "marktvogt-backend.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.dragonfly.replicas }}
-  resources:
-    {{- toYaml .Values.dragonfly.resources | nindent 4 }}
+  selector:
+    app.kubernetes.io/name: {{ .Values.dragonfly.name }}
+  ports:
+    - port: 6379
+      targetPort: 6379
+      protocol: TCP
 {{- end }}
--- a/backend/deploy/helm/templates/migrate-job.yaml
+++ b/backend/deploy/helm/templates/migrate-job.yaml
@@ -25,6 +25,8 @@ spec:
        runAsNonRoot: true
        runAsUser: 65534
        fsGroup: 65534
+        seccompProfile:
+          type: RuntimeDefault
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
--- a/backend/deploy/helm/values.yaml
+++ b/backend/deploy/helm/values.yaml
@@ -98,7 +98,7 @@ postgres:
 # DragonflyDB (Redis-compatible) — replaces Valkey in production
 # Access is restricted via NetworkPolicy; no auth required
 dragonfly:
-  enabled: false
+  enabled: true
  name: marktvogt-cache
  replicas: 1
  resources:
@@ -111,7 +111,7 @@ dragonfly:

 # Migration job (Helm pre-install/pre-upgrade hook)
 migrate:
-  enabled: false
+  enabled: true

 networkPolicy:
  enabled: false