From e092a8d054ec68e669e682ffd482d28ad3f54995 Mon Sep 17 00:00:00 2001
From: vikingowl
Date: Sun, 22 Feb 2026 10:53:33 +0100
Subject: [PATCH] fix(deploy): replace Dragonfly CRD with plain Valkey deployment

Tenant SA lacks dragonflydb.io CRD permissions. Use a standard Valkey Deployment+Service instead. Also re-enable CNPG (created via kubectl), migrate job, and add seccompProfile to migrate pod.

---
 backend/deploy/helm/templates/dragonfly.yaml | 62 +++++++++++++++++--
 .../deploy/helm/templates/migrate-job.yaml | 2 +
 backend/deploy/helm/values.yaml | 4 +-
 3 files changed, 61 insertions(+), 7 deletions(-)

diff --git a/backend/deploy/helm/templates/dragonfly.yaml b/backend/deploy/helm/templates/dragonfly.yaml
index 847dc88..1a3ca8b 100644
--- a/backend/deploy/helm/templates/dragonfly.yaml
+++ b/backend/deploy/helm/templates/dragonfly.yaml
@@ -1,13 +1,65 @@
 {{- if .Values.dragonfly.enabled -}}
-apiVersion: dragonflydb.io/v1alpha1
-kind: Dragonfly
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Values.dragonfly.name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "marktvogt-backend.labels" . | nindent 4 }}
+ app.kubernetes.io/component: cache
+spec:
+ replicas: {{ .Values.dragonfly.replicas }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ .Values.dragonfly.name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ .Values.dragonfly.name }}
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 999
+ fsGroup: 999
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: valkey
+ image: valkey/valkey:8-alpine
+ ports:
+ - containerPort: 6379
+ protocol: TCP
+ resources:
+ {{- toYaml .Values.dragonfly.resources | nindent 12 }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ - name: tmp
+ mountPath: /tmp
+ volumes:
+ - name: data
+ emptyDir: {}
+ - name: tmp
+ emptyDir: {}
+---
+apiVersion: v1
+kind: Service
 metadata:
 name: {{ .Values.dragonfly.name }}
 namespace: {{ .Release.Namespace }}
 labels:
 {{- include "marktvogt-backend.labels" . | nindent 4 }}
 spec:
- replicas: {{ .Values.dragonfly.replicas }}
- resources:
- {{- toYaml .Values.dragonfly.resources | nindent 4 }}
+ selector:
+ app.kubernetes.io/name: {{ .Values.dragonfly.name }}
+ ports:
+ - port: 6379
+ targetPort: 6379
+ protocol: TCP
 {{- end }}
diff --git a/backend/deploy/helm/templates/migrate-job.yaml b/backend/deploy/helm/templates/migrate-job.yaml
index 1a6609d..8682514 100644
--- a/backend/deploy/helm/templates/migrate-job.yaml
+++ b/backend/deploy/helm/templates/migrate-job.yaml
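Review bot: The new container line `image: valkey/valkey:8-alpine` is hard-coded in the template and pinned only to a floating tag, so each rollout can pull a different image than the one that was reviewed; source it from values and pin it by digest, e.g. `image: {{ .Values.dragonfly.image }}` backed by a new `dragonfly.image` value of the form `valkey/valkey:8-alpine@sha256:<DIGEST-PLACEHOLDER>`. `replicas: {{ .Values.dragonfly.replicas }}` also changes meaning here: on the removed Dragonfly CR it presumably described a replicated set, whereas on a Deployment whose data lives in `emptyDir` it produces independent caches that the Service round-robins across, so values above 1 should be rejected or documented. The `runAsUser: 999` / `fsGroup: 999` pair assumes the uid the valkey image runs as, which the hunk does not establish — worth confirming against the image. The Service metadata also lacks the `app.kubernetes.io/component: cache` label the Deployment sets, so selecting both objects by component is inconsistent.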
@@ -25,6 +25,8 @@ spec:
 runAsNonRoot: true
 runAsUser: 65534
 fsGroup: 65534
+ seccompProfile:
+ type: RuntimeDefault
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
diff --git a/backend/deploy/helm/values.yaml b/backend/deploy/helm/values.yaml
index 19ccc6c..f0d0781 100644
--- a/backend/deploy/helm/values.yaml
+++ b/backend/deploy/helm/values.yaml
@@ -98,7 +98,7 @@ postgres:
 # DragonflyDB (Redis-compatible) — replaces Valkey in production
 # Access is restricted via NetworkPolicy; no auth required
 dragonfly:
- enabled: false
+ enabled: true
 name: marktvogt-cache
 replicas: 1
 resources:
@@ -111,7 +111,7 @@ dragonfly:
 # Migration job (Helm pre-install/pre-upgrade hook)
 migrate:
- enabled: false
+ enabled: true
 networkPolicy:
 enabled: false
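Review bot: Flipping `dragonfly.enabled` to `true` in the first values.yaml hunk brings up a cache that the comment two lines above describes as "no auth required" because access is restricted via NetworkPolicy, yet the context of the second hunk still shows `networkPolicy:` with `enabled: false`, so the unauthenticated Valkey Service from dragonfly.yaml becomes reachable by any pod in the cluster. Either enable the policy in the same change (`networkPolicy:` / `  enabled: true`) or require a password on the server until it is, and reword the comment so it no longer claims a restriction that is off by default. The comment header also still says "DragonflyDB (Redis-compatible) — replaces Valkey" while the template now deploys Valkey itself, which will confuse the next reader. The description mentions re-enabling CNPG, but the diffstat lists only these three files with the two `enabled` flips above, so that part of the change does not appear to be in this patch.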