feat: add dragonfly

kubernetes/main/apps/database/dragonfly/app/helmrelease.yaml

@@ -0,0 +1,102 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: &app dragonfly-operator
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.1.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    controllers:
+      dragonfly-operator:
+        strategy: RollingUpdate
+        containers:
+          app:
+            image:
+              repository: ghcr.io/dragonflydb/operator
+              tag: v1.1.2
+            command: ["/manager"]
+            args:
+              - --health-probe-bind-address=:8081
+              - --metrics-bind-address=:8080
+            probes:
+              liveness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /healthz
+                    port: &port 8081
+                  initialDelaySeconds: 15
+                  periodSeconds: 20
+                  timeoutSeconds: 1
+                  failureThreshold: 3
+              readiness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /readyz
+                    port: *port
+                  initialDelaySeconds: 5
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+                  failureThreshold: 3
+            resources:
+              requests:
+                cpu: 10m
+              limits:
+                memory: 128Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+        seccompProfile: { type: RuntimeDefault }
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: *app
+    service:
+      app:
+        controller: *app
+        ports:
+          http:
+            port: *port
+          metrics:
+            port: 8080
+    serviceMonitor:
+      app:
+        serviceName: *app
+        endpoints:
+          - port: metrics
+            scheme: http
+            path: /metrics
+            interval: 1m
+            scrapeTimeout: 10s
+    serviceAccount:
+      create: true
+      name: *app

kubernetes/main/apps/database/dragonfly/app/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # renovate: datasource=github-releases depName=dragonflydb/dragonfly-operator
+  - https://raw.githubusercontent.com/dragonflydb/dragonfly-operator/v1.1.2/manifests/crd.yaml
+  - ./helmrelease.yaml
+  - ./rbac.yaml

kubernetes/main/apps/database/dragonfly/app/rbac.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dragonfly-operator
+rules:
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
+  - apiGroups: [""]
+    resources: ["pods", "services"]
+    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["statefulsets"]
+    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+  - apiGroups: ["dragonflydb.io"]
+    resources: ["dragonflies"]
+    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+  - apiGroups: ["dragonflydb.io"]
+    resources: ["dragonflies/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["dragonflydb.io"]
+    resources: ["dragonflies/status"]
+    verbs: ["get", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dragonfly-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: dragonfly-operator
+subjects:
+  - kind: ServiceAccount
+    name: dragonfly-operator
+    namespace: database

kubernetes/main/apps/database/dragonfly/cluster/cluster.yaml

@@ -0,0 +1,29 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/dragonflydb.io/dragonfly_v1alpha1.json
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+  name: dragonfly
+spec:
+  image: ghcr.io/dragonflydb/dragonfly:v1.18.1
+  replicas: 3
+  env:
+    - name: MAX_MEMORY
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+          divisor: 1Mi
+  args:
+    - --maxmemory=$(MAX_MEMORY)Mi
+    - --proactor_threads=2
+    - --cluster_mode=emulated
+    - --lock_on_hashtags
+  authentication:
+    passwordFromSecret:
+      name: dragonfly-secret
+      key: password
+  resources:
+    requests:
+      cpu: 100m
+    limits:
+      memory: 512Mi

kubernetes/main/apps/database/dragonfly/cluster/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./cluster.yaml
+  - ./podmonitor.yaml

kubernetes/main/apps/database/dragonfly/cluster/podmonitor.yaml

@@ -0,0 +1,13 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/podmonitor_v1.json
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: dragonfly
+spec:
+  selector:
+    matchLabels:
+      app: dragonfly
+  podTargetLabels: ["app"]
+  podMetricsEndpoints:
+    - port: admin

kubernetes/main/apps/database/dragonfly/ks.yaml

@@ -0,0 +1,66 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app dragonfly-operator
+  namespace: flux-system
+spec:
+  targetNamespace: database
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/main/apps/database/dragonfly/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app dragonfly-secret-store
+  namespace: flux-system
+spec:
+  targetNamespace: database
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/main/apps/database/dragonfly/secret-store
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app dragonfly-cluster
+  namespace: flux-system
+spec:
+  targetNamespace: database
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: dragonfly-operator
+    - name: dragonfly-secret-store
+  path: ./kubernetes/main/apps/database/dragonfly/cluster
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/main/apps/database/dragonfly/secret-store/clustersecretstore.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: dragonfly-secret-store
+spec:
+  provider:
+    kubernetes:
+      remoteNamespace: database
+      auth:
+        serviceAccount:
+          name: dragonfly-secret-manager
+          namespace: database
+      server:
+        caProvider:
+          type: ConfigMap
+          name: kube-root-ca.crt
+          namespace: security
+          key: ca.crt

kubernetes/main/apps/database/dragonfly/secret-store/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./clustersecretstore.yaml
+  - ./rbac.yaml
+  - ./secret.sops.yaml

kubernetes/main/apps/database/dragonfly/secret-store/rbac.yaml

@@ -0,0 +1,39 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dragonfly-secret-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: dragonfly-secret-manager-role
+rules:
+  - apiGroups: [""]
+    resources:
+      - secrets
+    resourceNames:
+      - dragonfly-secret
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - selfsubjectrulesreviews
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: dragonfly-secret-manager-binding
+subjects:
+  - kind: ServiceAccount
+    name: dragonfly-secret-manager
+    namespace: database
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: dragonfly-secret-manager-role

kubernetes/main/apps/database/dragonfly/secret-store/secret.sops.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: dragonfly-secret
+type: kubernetes.io/basic-auth
+stringData:
+    username: ENC[AES256_GCM,data:q1syECEHzlku,iv:Ft/Kwi788xSLcbZFzzvs0oEWBgtM3+wRhM+fzFFXaGI=,tag:AksZsqPTrAEtBt5ONBYMhA==,type:str]
+    password: ENC[AES256_GCM,data:z/mvnn+uDdyuMP8w/e3b30HcMv/uDtQvcExLzW8B2jlQbNX9Us5Ob+M/E8sjGxG4Y2kuMishO9PQgfq+6MDnBw==,iv:m51Tw9yYPrnlUPubqGtCU+LyylaGjrXkiGCcJzK2IfY=,tag:x4de+pR0Qd6BL5JVwzsfdA==,type:str]
+    host: ENC[AES256_GCM,data:3jlG9CbloDNLUPLFdUXutDJE61727bShQ74Jrj7XTJrZhihq,iv:MD6c0FsKWNyJHBAQy1ZI/62k0h+TNL990jXimrTZNEc=,tag:u4EZpKa4ZJ98TsB86Xni0g==,type:str]
+    port: ENC[AES256_GCM,data:3Ew/JA==,iv:Nlsqd0OCqi2rJLD6gIRf+p5JQu2zVz0ygZ2zNaQw03I=,tag:0Ixm2b8UHlBtUHIwOICXCA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ve9kzacrwq7l9l0emvs326uk6t576d75r596e083r2tq6xu28qcsacy3s7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGT1B3NzU2bTF6SE1OMVN0
+            MHIvOUFuK081UFBrMWxQYllSRGoxZlpHeVU4CmtpRkovcUhXdis0WndYTTFsZkUx
+            b3Y1YndEWG0yMDRkSWJKU2hweDVnY0UKLS0tIFpWZ3M2R3lLSURTK0dnMlpaNURE
+            dHFnSm1OeHdzVElYdC8yNkpFV3I5QVUKuAfcF2UIgxBcGT0ULdOTL9MHm6kynVDO
+            Nr1TRBfWBga7eNfeffniTHunS+ag+w3swhGCt6w6heSJyyZz3Y8hNQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-19T14:21:05Z"
+    mac: ENC[AES256_GCM,data:z766h9nNYXqV5WcDhVxwOrwYfo8kMG/kyQNdqwUWbFZprcEe9k4MCedAIkrJzRKVoxS1tYvYb8AWjhlCMIg9sGpdLk5+aUbcLsAiTUOicAq+nuhySfKTFApHhyVKopGB9XHX8V6H5xi7MmvhK+0P0NVVY4CLBuLGhLdVmtvrwzY=,iv:CX/ri2UdqbJryyeitybkWUvJaBDGPaUhV+GOq+pQyPo=,tag:AhusS/dEINZYScE9SkDR2w==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

kubernetes/main/apps/database/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./namespace.yaml
+  - ./dragonfly/ks.yaml

kubernetes/main/apps/database/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: database
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled