feat: deploy redis for git (#336)

- deploy redis/sentinel ha cluster for git - update redis to 7 (required for almalinux 9) - enable requirepass/masterauth Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/336
2025-07-05 15:51:28 +10:00 · 2025-07-05 15:51:28 +10:00 · b976f2063a
commit b976f2063a
parent 93049707e7
5 changed files with 75 additions and 3 deletions
--- a/hieradata/roles/infra/db/redis.yaml
+++ b/hieradata/roles/infra/db/redis.yaml
@ -18,8 +18,8 @@ hiera_include:
 redisha::manage_repo: false
 redisha::redisha_members_lookup: true
 redisha::redisha_members_role: roles::infra::db::redis
-#redisha::redis::requirepass: "%{hiera('redisha::masterauth')}"
-#redisha::redis::masterauth: "%{hiera('redisha::masterauth')}"
+redisha::redis::requirepass: "%{hiera('redisha::masterauth')}"
+redisha::redis::masterauth: "%{hiera('redisha::masterauth')}"
 redisha::sentinel::master_name: "%{facts.country}-%{facts.region}"
 redisha::sentinel::requirepass: "%{hiera('redisha::masterauth')}"
 redisha::sentinel::auth_pass: "%{hiera('redisha::masterauth')}"
--- a/hieradata/roles/infra/git/redis.eyaml
+++ b/hieradata/roles/infra/git/redis.eyaml
@ -0,0 +1,2 @@
+---
+redisha::masterauth: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAV8znsSGAbPpPUhAcyOIWFltVyAcx3yVcIvC+JFndkkuVBT1813GSURrXIreXSilvJEHlwRC03A9NhjWJSsHBIS12uUb+7ap95oh2JJ7OHmeWSVD1GDDRpTQAgDEOikAnioRNJfQ83jUa11nJrsavt46hSq8vDq+rZ2P8ugiNk59mNX5vgYthCPXcEJd7UmpLZhgxZ8+42l4TKo7QpqKRcIMteJXk1NvyYfYGnGTZhknuyHM3xPGauGjKzamMlTzD9dGnn2K0/Q7I4PUyT24ZEG3kNVyDlVHTYcKnIT5q8qvmJdDQfZwOETF3SrzcqhQ2nqFvmI19sCTsQVmveb/2ITBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC9KML3vzwF4vGZdtiu++jmgDAWPZspCckgoXPkgNRMePov3pXSlKUAGxwmdsuIM75rJMxlSTiil2lzMMBWXmUofys=]
--- a/hieradata/roles/infra/git/redis.yaml
+++ b/hieradata/roles/infra/git/redis.yaml
@ -0,0 +1,60 @@
+---
+# additional altnames
+profiles::pki::vault::alt_names:
+  - "gitea-redis-replica-%{facts.environment}.main.unkin.net"
+  - "gitea-redis-replica-%{facts.environment}.service.consul"
+  - "gitea-redis-replica-%{facts.environment}.query.consul"
+  - "gitea-redis-replica-%{facts.environment}.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::ssh::sign::principals:
+  - "gitea-redis-replica-%{facts.environment}.main.unkin.net"
+  - "gitea-redis-replica-%{facts.environment}.service.consul"
+  - "gitea-redis-replica-%{facts.environment}.query.consul"
+
+hiera_include:
+  - redisha
+
+redisha::manage_repo: false
+redisha::redisha_members_lookup: true
+redisha::redisha_members_role: roles::infra::git::redis
+redisha::redis::requirepass: "%{hiera('redisha::masterauth')}"
+redisha::redis::masterauth: "%{hiera('redisha::masterauth')}"
+redisha::sentinel::master_name: "%{facts.country}-%{facts.region}"
+redisha::sentinel::requirepass: "%{hiera('redisha::masterauth')}"
+redisha::sentinel::auth_pass: "%{hiera('redisha::masterauth')}"
+redisha::tools::requirepass: "%{hiera('redisha::masterauth')}"
+
+sudo::configs:
+  consul:
+    priority: 20
+    content: |
+      consul ALL=(ALL) NOPASSWD: /usr/local/sbin/sentineladm info
+consul::services:
+  gitea-redis-replica:
+    service_name: "gitea-redis-replica-%{facts.environment}"
+    address: "%{facts.networking.ip}"
+    port: 6379
+    checks:
+      - id: 'redis-replica_tcp_check'
+        name: 'Redis Replica TCP Check'
+        tcp: "%{facts.networking.ip}:6379"
+        interval: '10s'
+        timeout: '1s'
+  gitea-redis-master:
+    service_name: "gitea-redis-master-%{facts.environment}"
+    address: "%{facts.networking.ip}"
+    port: 6379
+    checks:
+      - id: 'redis-master_tcp_check'
+        name: "Redis Master Check"
+        args:
+          - '/usr/local/bin/check_redis_master'
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: "gitea-redis-replica-%{facts.environment}"
+    disposition: write
+  - resource: service
+    segment: "gitea-redis-master-%{facts.environment}"
+    disposition: write
--- a/modules/redisha/manifests/params.pp
+++ b/modules/redisha/manifests/params.pp
@ -9,7 +9,7 @@ class redisha::params (
  Optional[String] $requirepass = undef,

  # redis
-  Optional[String] $dnf_module_stream  = '6',
+  Optional[String] $dnf_module_stream  = '7',
  Integer[1] $databases = 16,
  Optional[Variant[String, Sensitive[String], Deferred]] $masterauth = $redisha::params::requirepass,

--- a/site/roles/manifests/infra/git/redis.pp
+++ b/site/roles/manifests/infra/git/redis.pp
@ -0,0 +1,10 @@
+# a role to deploy a redis cluster for gitea
+class roles::infra::git::redis {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+  }
+}