openova/platform/valkey/blueprint.yaml
e3mrah 1ca37ea7f8
fix(bp-valkey): default auth.enabled=false to match bp-newapi passwordless REDIS_CONN_STRING (Closes #2003) (#2007)
Pre-1.0.2 bp-valkey shipped `valkey.auth.enabled: true` (bitnami default)
while bp-newapi's REDIS_CONN_STRING default was the passwordless URL
`redis://valkey-primary.valkey.svc.cluster.local:6379`. On every
freshly-franchised Sovereign the newapi Pod CrashLoopBackOff'd 45x on
the Redis ping probe with `NOAUTH Authentication required` — caught
on t38 sandbox walk 2026-05-20. This is the Pillar-4 verifier-killing
bug for the Sandbox + qwen-code + MCP end-user DoD (#1986).

Approach A (simpler, this PR): flip bp-valkey's default to
`auth.enabled: false` so the upstream bitnami chart exports
`ALLOW_EMPTY_PASSWORD=yes` to the Valkey container. Verified via
`helm template` — the render now contains:

    - name: ALLOW_EMPTY_PASSWORD
      value: "yes"

Other in-cluster consumers tolerate the change:
  - products/catalyst sme-services (auth.yaml + gateway.yaml) read
    VALKEY_PASSWORD via `secretKeyRef ... optional: true` and fall
    back to the no-auth connect path in
    core/services/shared/db/valkey.go when the value is empty.
  - products/catalyst projector wraps the password Secret mount in
    `{{- with .Values.services.projector.valkey.passwordSecret }}`
    so an absent Secret simply skips the password env var.

Approach B (deferred): make bp-newapi mirror the bp-valkey
auto-generated password Secret into the newapi namespace and template
it into REDIS_CONN_STRING. Larger scope, tracked under #2003 follow-up.

Changes:
  - platform/valkey/chart/values.yaml — auth.enabled: true → false
  - platform/valkey/chart/Chart.yaml — version 1.0.1 → 1.0.2
  - platform/valkey/blueprint.yaml — spec.version + configSchema default
  - clusters/_template/bootstrap-kit/17-valkey.yaml — chart pin 1.0.1 → 1.0.2

Verified:
  - `helm dependency build` succeeds (bitnami/valkey 5.5.1 unchanged)
  - `helm template` renders `ALLOW_EMPTY_PASSWORD=yes` on the Pod
  - tests/observability-toggle.sh — all 4 cases PASS

Closes #2003
Refs #1986

Co-authored-by: hatiyildiz <catalyst@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 02:26:56 +04:00


apiVersion: catalyst.openova.io/v1alpha1
kind: Blueprint
metadata:
  name: bp-valkey
  labels:
    catalyst.openova.io/section: pts-4-1-data-services
spec:
  version: 1.0.2
  card:
    title: Valkey
    summary: |
      Redis-compatible in-memory cache (BSD-3 fork of Redis 7.2.4 under
      Linux Foundation governance). Bootstrap-kit slot 17 — used by
      Catalyst control-plane services for ephemeral session/state, and
      by Application-tier Apps that need a Redis wire-protocol cache.
      Replication via REPLICAOF (per-Application choice — see
      docs/SRE.md §2.5).
    icon: valkey.svg
    category: data
    visibility: unlisted # mandatory infra, auto-installed by bootstrap kit
  configSchema:
    type: object
    properties:
      architecture:
        type: string
        enum: [standalone, replication]
        default: replication
        description: |
          Standalone (single primary, no replicas) or replication (one
          primary + N replicas). Solo Sovereigns use replication with
          replicaCount: 0 to keep the StatefulSet shape stable while
          paying for only one pod.
      auth:
        type: object
        properties:
          enabled:
            type: boolean
            default: false
            description: |
              Enforce password auth on the Valkey wire protocol.
              Default false (TBD-V12 #2003) — matches bp-newapi's
              passwordless REDIS_CONN_STRING contract; flipping true
              requires every consumer chart (bp-newapi, catalyst
              sme-services, projector) to wire the bp-valkey-
              generated password into their connection strings.
      metrics:
        type: object
        properties:
          enabled:
            type: boolean
            default: false
            description: |
              Sidecar Prometheus exporter (redis-exporter) on each pod.
              Cluster overlays flip true once kube-prometheus-stack
              reconciles (issue #182).
          serviceMonitor:
            type: object
            properties:
              enabled:
                type: boolean
                default: false
                description: |
                  monitoring.coreos.com/v1 ServiceMonitor — requires the
                  Prometheus Operator CRDs from kube-prometheus-stack.
  placementSchema:
    modes: [single-region, active-active, active-hotstandby]
    default: single-region # Valkey replication is per-Application
  manifests:
    chart: ./chart
  # Valkey is a self-contained cache — only needs Flux Ready. The Flux HR
  # at clusters/_template/bootstrap-kit/17-valkey.yaml encodes this
  # dependsOn. Declared here for documentation parity; the
  # blueprint-controller does not yet reconcile this field.
  depends:
    - blueprint: bp-flux
      version: ^1.0
  upgrades:
    from: ["0.x"]
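The NOAUTH mismatch the commit message describes, and the consumer-wiring caveat in the auth.enabled description above, as an added preflight check (example code, not part of this commit or the bp-valkey chart). It assumes the bitnami convention the commit cites: the container enforces a password unless it is rendered with ALLOW_EMPTY_PASSWORD=yes, and a consumer supplies its password inside the redis:// URL; the env lists and the Secret name below are constructed.

```python
from urllib.parse import urlparse

# Constructed sample envs: the Valkey container as rendered pre-1.0.2
# (auth.enabled: true, password via secretKeyRef) and in 1.0.2
# (auth.enabled: false, ALLOW_EMPTY_PASSWORD=yes). Secret name is assumed.
VALKEY_ENV_AUTH_ON = [
    {"name": "VALKEY_PASSWORD",
     "valueFrom": {"secretKeyRef": {"name": "valkey", "key": "valkey-password"}}},
]
VALKEY_ENV_AUTH_OFF = [{"name": "ALLOW_EMPTY_PASSWORD", "value": "yes"}]
# bp-newapi's default REDIS_CONN_STRING, as quoted in the commit message.
NEWAPI_CONN_STRING = "redis://valkey-primary.valkey.svc.cluster.local:6379"


def server_requires_auth(env):
    """True when the rendered Valkey Pod answers unauthenticated commands with NOAUTH."""
    by_name = {e["name"]: e for e in env}
    allow_empty = by_name.get("ALLOW_EMPTY_PASSWORD", {}).get("value", "")
    if allow_empty.strip().lower() == "yes":
        return False
    # A password env (literal or secretKeyRef) means the server will demand AUTH.
    return "VALKEY_PASSWORD" in by_name


def conn_string_has_password(url):
    """True when a redis:// or rediss:// URL carries a non-empty password."""
    parsed = urlparse(url)
    if parsed.scheme not in ("redis", "rediss"):
        raise ValueError(f"not a Redis wire-protocol URL: {url!r}")
    return bool(parsed.password)


def check_consumer(env, url):
    """Classify a server/consumer pairing:
    'noauth'          server demands AUTH, URL has none -> ping probe fails, CrashLoop
    'unused-password' URL carries a secret the server never checks
    'ok'              both sides agree"""
    requires, has_pw = server_requires_auth(env), conn_string_has_password(url)
    if requires and not has_pw:
        return "noauth"
    if has_pw and not requires:
        return "unused-password"
    return "ok"


if __name__ == "__main__":
    print("pre-1.0.2:", check_consumer(VALKEY_ENV_AUTH_ON, NEWAPI_CONN_STRING))
    print("1.0.2:", check_consumer(VALKEY_ENV_AUTH_OFF, NEWAPI_CONN_STRING))
```

Run it against the env list of the rendered Valkey Pod and each consumer's connection string after `helm template` to catch the mismatch before the bootstrap kit ships it.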