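---
# Redis cache for the bakery-ia namespace: a single TLS-only replica backed by
# a ReadWriteOnce PVC. Three documents: Deployment, Service, PersistentVolumeClaim.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
  namespace: bakery-ia
  labels:
    app.kubernetes.io/name: redis
    app.kubernetes.io/component: cache
    app.kubernetes.io/part-of: bakery-ia
spec:
  replicas: 1
  # Recreate: the data volume is ReadWriteOnce, so a rolling update can leave
  # the new pod stuck waiting for a volume the old pod still holds.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: redis
      app.kubernetes.io/component: cache
  template:
    metadata:
      labels:
        app.kubernetes.io/name: redis
        app.kubernetes.io/component: cache
    spec:
      securityContext:
        fsGroup: 999  # redis group; gives gid 999 write access to /data
      initContainers:
        # Copies the TLS material from the read-only secret mount into an
        # emptyDir so it can be given the ownership and modes redis expects.
        # Runs as root only because chown needs it; nothing else should.
        - name: fix-tls-permissions
          image: busybox:latest  # TODO: pin to a fixed tag or @sha256 digest
          securityContext:
            runAsUser: 0
            allowPrivilegeEscalation: false
          command: ['sh', '-c']
          args:
            - |
              # Fail the init container on the first failing command; without
              # this the trailing `ls` masks a failed cp/chmod/chown.
              set -eu
              cp /tls-source/* /tls/
              chmod 600 /tls/redis-key.pem
              chmod 644 /tls/redis-cert.pem /tls/ca-cert.pem
              chown 999:999 /tls/*
              ls -la /tls/
          volumeMounts:
            - name: tls-certs-source
              mountPath: /tls-source
              readOnly: true
            - name: tls-certs-writable
              mountPath: /tls
      containers:
        - name: redis
          image: redis:7.4-alpine
          # Start directly as the redis user (uid 999) instead of letting the
          # image entrypoint drop privileges from root. /tls is chowned to
          # 999:999 by the init container; /data relies on fsGroup above
          # (verify the cluster's storage driver honours fsGroup).
          securityContext:
            runAsNonRoot: true
            runAsUser: 999
            runAsGroup: 999
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - containerPort: 6379
              name: redis
          env:
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: redis-secrets
                  key: REDIS_PASSWORD
            # Read by redis-cli in the probes, so the password is not passed as
            # a `-a` argument (which shows up in the process list and pod spec).
            - name: REDISCLI_AUTH
              valueFrom:
                secretKeyRef:
                  name: redis-secrets
                  key: REDIS_PASSWORD
          # NOTE: $(REDIS_PASSWORD) is expanded by the kubelet, so the password
          # is still visible in redis-server's argv. Rendering a config file
          # from the secret and passing it to redis-server would avoid that.
          command:
            - redis-server
            - --appendonly
            - "yes"
            - --requirepass
            - $(REDIS_PASSWORD)
            # Equal to the container memory limit; redis' own overhead and the
            # fork for AOF rewrite can push the pod past it -- consider headroom.
            - --maxmemory
            - "512mb"
            - --databases
            - "16"
            # TLS on 6379, plaintext port disabled.
            - --tls-port
            - "6379"
            - --port
            - "0"
            - --tls-cert-file
            - /tls/redis-cert.pem
            - --tls-key-file
            - /tls/redis-key.pem
            - --tls-ca-cert-file
            - /tls/ca-cert.pem
            # Clients are not required to present a certificate; they
            # authenticate with the password only (no mutual TLS).
            - --tls-auth-clients
            - "no"
          volumeMounts:
            - name: redis-data
              mountPath: /data
            - name: tls-certs-writable
              mountPath: /tls
          resources:
            requests:
              memory: "256Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          # Probes authenticate via REDISCLI_AUTH from the environment.
          livenessProbe:
            exec:
              command:
                - redis-cli
                - --tls
                - --cert
                - /tls/redis-cert.pem
                - --key
                - /tls/redis-key.pem
                - --cacert
                - /tls/ca-cert.pem
                - ping
            initialDelaySeconds: 30
            timeoutSeconds: 5
            periodSeconds: 10
            failureThreshold: 3
          readinessProbe:
            exec:
              command:
                - redis-cli
                - --tls
                - --cert
                - /tls/redis-cert.pem
                - --key
                - /tls/redis-key.pem
                - --cacert
                - /tls/ca-cert.pem
                - ping
            initialDelaySeconds: 5
            # 1s must cover a TLS handshake plus AUTH; raise if readiness flaps
            # under load.
            timeoutSeconds: 1
            periodSeconds: 5
            failureThreshold: 3
      volumes:
        - name: redis-data
          persistentVolumeClaim:
            claimName: redis-pvc
        # Read-only source; the init container copies it into the emptyDir.
        - name: tls-certs-source
          secret:
            secretName: redis-tls-secret
        - name: tls-certs-writable
          emptyDir: {}
---
# ClusterIP service in front of the single redis pod; TLS terminates in redis.
apiVersion: v1
kind: Service
metadata:
  name: redis-service
  namespace: bakery-ia
  labels:
    app.kubernetes.io/name: redis
    app.kubernetes.io/component: cache
spec:
  type: ClusterIP
  ports:
    - port: 6379
      targetPort: 6379
      protocol: TCP
      name: redis
  selector:
    app.kubernetes.io/name: redis
    app.kubernetes.io/component: cache
---
# Persistent storage for the AOF data under /data.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: redis-pvc
  namespace: bakery-ia
  labels:
    app.kubernetes.io/name: redis
    app.kubernetes.io/component: cache
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi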