feat(helm): add CDC PVC, Redis auth, and miroir.config template

Implements P8.7: Helm values for CDC PVC, Redis, ESO integration. Changes: - Add miroir.config template that generates miroir.yaml from Helm values - Add miroir.secretName helper for secret name resolution - Add miroir.redisSecretName helper for Redis secret name resolution - Add redis.auth section to values.yaml (enabled: true, existingSecret option) - Update redis-deployment.yaml to support auth with password from secret The miroir.config template now properly sets taskStore.url to point at the Redis service when redis.enabled=true, meeting the acceptance criteria for P8.7. Note: Redis auth password is passed via MIROIR_REDIS_PASSWORD env var in the deployment. The Rust code will need to be updated to use this env var when constructing the Redis connection string. Closes: miroir-qjt.7
2026-05-25 03:29:02 -04:00 · 2026-05-25 03:29:02 -04:00 · cbf0ba12b8
commit cbf0ba12b8
parent 0b266bf37e
3 changed files with 125 additions and 2 deletions
--- a/charts/miroir/templates/_helpers.tpl
+++ b/charts/miroir/templates/_helpers.tpl
@ -55,6 +55,17 @@ Redis enabled
 {{- eq .Values.miroir.taskStore.backend "redis" }}
 {{- end }}

+{{/*
+Redis secret name
+*/}}
+{{- define "miroir.redisSecretName" -}}
+{{- if .Values.redis.auth.existingSecret }}
+{{- .Values.redis.auth.existingSecret }}
+{{- else }}
+{{- printf "%s-redis-secret" (include "miroir.fullname" .) }}
+{{- end }}
+{{- end }}
+
 {{/*
 CDC PVC enabled — only rendered when cdc.buffer.primary=="pvc" or cdc.buffer.overflow=="pvc" (plan §13.13)
 */}}
@ -73,6 +84,104 @@ Service Account Name
 {{- end }}
 {{- end }}

+{{/*
+Secret name
+*/}}
+{{- define "miroir.secretName" -}}
+{{- if .Values.miroir.existingSecret }}
+{{- .Values.miroir.existingSecret }}
+{{- else }}
+{{- printf "%s-miroir-secret" (include "miroir.fullname" .) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Miroir config (miroir.yaml)
+*/}}
+{{- define "miroir.config" -}}
+# Miroir configuration (plan §4)
+shards: {{ .Values.miroir.shards }}
+replication_factor: {{ .Values.miroir.replicationFactor }}
+replica_groups: {{ .Values.miroir.replicaGroups }}
+
+nodes: []
+task_store:
+  backend: {{ .Values.miroir.taskStore.backend | quote }}
+  path: {{ .Values.miroir.taskStore.path | quote }}
+  {{- if and (eq (include "miroir.redisEnabled" .) "true") .Values.redis.enabled }}
+  url: {{ printf "redis://%s-redis:6379" (include "miroir.fullname" .) | quote }}
+  {{- else if .Values.miroir.taskStore.url }}
+  url: {{ .Values.miroir.taskStore.url | quote }}
+  {{- end }}
+
+admin:
+  enabled: true
+
+health:
+  interval_ms: 5000
+  timeout_ms: 2000
+  unhealthy_threshold: 3
+  recovery_threshold: 2
+
+scatter:
+  node_timeout_ms: 5000
+  retry_on_timeout: true
+  unavailable_shard_policy: {{ .Values.miroir.scatter.unavailableShardPolicy | quote }}
+
+rebalancer:
+  auto_rebalance_on_recovery: true
+  max_concurrent_migrations: 4
+  migration_timeout_s: 3600
+
+server:
+  port: 7700
+  bind: "0.0.0.0"
+  max_body_bytes: 104857600
+  max_concurrent_requests: 500
+  request_timeout_ms: 30000
+
+connection_pool_per_node:
+  max_idle: 32
+  max_total: 128
+  idle_timeout_s: 60
+
+task_registry:
+  cache_size: 10000
+  redis_pool_max: 50
+  ttl_seconds: 604800
+  prune_interval_s: 300
+  prune_batch_size: 10000
+
+{{- if .Values.miroir.cdc.enabled }}
+cdc:
+  enabled: true
+  emit_ttl_deletes: {{ .Values.miroir.cdc.emit_ttl_deletes }}
+  emit_internal_writes: {{ .Values.miroir.cdc.emit_internal_writes }}
+  sinks:
+{{- if .Values.miroir.cdc.sinks }}
+{{ toYaml .Values.miroir.cdc.sinks | indent 4 }}
+{{- else }}
+  []
+{{- end }}
+  buffer:
+    primary: {{ .Values.miroir.cdc.buffer.primary | quote }}
+    memory_bytes: {{ .Values.miroir.cdc.buffer.memory_bytes }}
+    overflow: {{ .Values.miroir.cdc.buffer.overflow | quote }}
+    {{- if eq .Values.miroir.cdc.buffer.primary "redis" }}
+    redis_bytes: {{ .Values.miroir.cdc.buffer.redis_bytes }}
+    {{- end }}
+{{- end }}
+
+peer_discovery:
+  service_name: "miroir-headless"
+  refresh_interval_s: 15
+
+leader_election:
+  enabled: true
+  lease_ttl_s: 10
+  renew_interval_s: 3
+{{- end }}
+
 {{/*
 Validate values at render time (cross-field checks that JSON Schema cannot express).
 */}}
--- a/charts/miroir/templates/redis-deployment.yaml
+++ b/charts/miroir/templates/redis-deployment.yaml
@ -28,6 +28,18 @@ spec:
        - name: redis
          containerPort: 6379
          protocol: TCP
+        {{- if .Values.redis.auth.enabled }}
+        command:
+          - redis-server
+          - --requirepass
+          - $(REDIS_PASSWORD)
+        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ include "miroir.redisSecretName" . }}
+              key: redis-password
+        {{- end }}
        {{- with .Values.redis.resources }}
        resources:
          {{- toYaml . | nindent 10 }}
@ -44,7 +56,6 @@ spec:
          claimName: {{ include "miroir.fullname" . }}-redis
      {{- end }}
 ---
-{{- if and (include "miroir.redisEnabled" .) .Values.redis.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@ -62,7 +73,6 @@ spec:
  selector:
    {{- include "miroir.selectorLabels" . | nindent 4 }}
    app: redis
-{{- end }}
 ---
 {{- if and (include "miroir.redisEnabled" .) .Values.redis.enabled .Values.redis.persistence.enabled }}
 apiVersion: v1
--- a/charts/miroir/values.yaml
+++ b/charts/miroir/values.yaml
@ -194,6 +194,10 @@ redis:
    repository: redis
    tag: 7-alpine
    pullPolicy: IfNotPresent
+  auth:
+    enabled: true
+    existingSecret: ""
+    # Password comes from K8s Secret `miroir-redis-secrets` / ESO
  resources:
    limits:
      cpu: 500m