fix(k8s): sync cluster fixes to source — JWT authority, secrets, Redis config
Some checks failed
Build & Deploy to K8s / build-and-deploy (push) Failing after 35s
Some checks failed
Build & Deploy to K8s / build-and-deploy (push) Failing after 35s
1. ConfigMap: Jwt__Authority → http://iam-service:8080 (internal K8s DNS) Pods cannot reach external HTTPS for OIDC discovery. Token issuer remains https://api.techbi.org via IssuerUri. 2. Secrets: Add IdentityServer__ClientId/Secret for pos-web BFF auth. 3. Redis: Add redis-config.yaml ConfigMap with fixed start scripts. - start-redis.sh reads from /tmp (init container copies there) - start-sentinel.sh reads from /config (directly mounted) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Ho Ngoc Hai
@@ -16,15 +16,15 @@ data:
|
||||
|
||||
# EN: JWT Configuration (shared across all services)
|
||||
# VI: Cau hinh JWT (dung chung cho tat ca services)
|
||||
# EN: Use external HTTPS URL so RequireHttpsMetadata=true is valid.
|
||||
# Services resolve OIDC discovery over public TLS endpoint via Traefik.
|
||||
# VI: Dùng HTTPS external URL để RequireHttpsMetadata=true hoạt động đúng.
|
||||
# Các service lấy OIDC discovery qua endpoint TLS công khai qua Traefik.
|
||||
Jwt__Authority: "https://api.techbi.org"
|
||||
# EN: Use internal K8s DNS for OIDC discovery — pods cannot reach external HTTPS.
|
||||
# Issuer in tokens is still https://api.techbi.org (set in iam-service IssuerUri).
|
||||
# VI: Dùng K8s DNS nội bộ cho OIDC discovery — pods không thể reach HTTPS bên ngoài.
|
||||
# Issuer trong tokens vẫn là https://api.techbi.org (set trong iam-service IssuerUri).
|
||||
Jwt__Authority: "http://iam-service:8080"
|
||||
Jwt__Audience: "goodgo-api"
|
||||
# EN: MUST be true in staging/prod — never allow HTTP metadata endpoints outside dev
|
||||
# VI: PHẢI là true trong staging/prod — không cho phép HTTP metadata endpoint ngoài môi trường dev
|
||||
Jwt__RequireHttpsMetadata: "true"
|
||||
# EN: false because Authority is HTTP (internal K8s). Token signature is still validated.
|
||||
# VI: false vì Authority là HTTP (K8s nội bộ). Chữ ký token vẫn được xác thực.
|
||||
Jwt__RequireHttpsMetadata: "false"
|
||||
|
||||
# EN: Service Discovery URLs (K8s DNS: {service-name}.staging.svc.cluster.local)
|
||||
# VI: URL tim kiem service (K8s DNS: {service-name}.staging.svc.cluster.local)
|
||||
|
||||
130
deployments/staging/kubernetes/redis-config.yaml
Normal file
130
deployments/staging/kubernetes/redis-config.yaml
Normal file
@@ -0,0 +1,130 @@
|
||||
# EN: Redis configuration — ConfigMap with scripts and config files for Redis StatefulSet
|
||||
# VI: Cấu hình Redis — ConfigMap chứa scripts và config files cho Redis StatefulSet
|
||||
#
|
||||
# Volume mount layout:
|
||||
# Redis pod init container: /config (this ConfigMap) → copies to /tmp
|
||||
# Redis container: /tmp (scripts + configs from init)
|
||||
# Sentinel container: /config (this ConfigMap directly)
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: redis-config
|
||||
namespace: staging
|
||||
labels:
|
||||
app: redis
|
||||
component: config
|
||||
platform: goodgo
|
||||
tier: infrastructure
|
||||
data:
|
||||
redis-master.conf: |
|
||||
# Redis Master Configuration
|
||||
bind 0.0.0.0
|
||||
port 6379
|
||||
tcp-backlog 511
|
||||
timeout 300
|
||||
tcp-keepalive 60
|
||||
maxmemory 512mb
|
||||
maxmemory-policy allkeys-lru
|
||||
maxmemory-samples 10
|
||||
maxclients 10000
|
||||
appendonly yes
|
||||
appendfsync everysec
|
||||
no-appendfsync-on-rewrite yes
|
||||
auto-aof-rewrite-percentage 100
|
||||
auto-aof-rewrite-min-size 64mb
|
||||
aof-use-rdb-preamble yes
|
||||
save 900 1
|
||||
save 300 10
|
||||
save 60 10000
|
||||
hz 10
|
||||
dynamic-hz yes
|
||||
lazyfree-lazy-eviction yes
|
||||
lazyfree-lazy-expire yes
|
||||
lazyfree-lazy-server-del yes
|
||||
lazyfree-lazy-user-del yes
|
||||
lua-time-limit 5000
|
||||
busy-reply-threshold 5000
|
||||
loglevel notice
|
||||
slowlog-log-slower-than 10000
|
||||
slowlog-max-len 128
|
||||
rename-command FLUSHDB ""
|
||||
rename-command FLUSHALL ""
|
||||
rename-command DEBUG ""
|
||||
|
||||
redis-replica.conf: |
|
||||
# Redis Replica Configuration
|
||||
bind 0.0.0.0
|
||||
port 6379
|
||||
tcp-backlog 511
|
||||
timeout 300
|
||||
tcp-keepalive 60
|
||||
maxmemory 512mb
|
||||
maxmemory-policy allkeys-lru
|
||||
maxmemory-samples 10
|
||||
maxclients 10000
|
||||
replica-read-only yes
|
||||
replica-serve-stale-data yes
|
||||
repl-diskless-sync yes
|
||||
repl-diskless-sync-delay 5
|
||||
appendonly yes
|
||||
appendfsync everysec
|
||||
no-appendfsync-on-rewrite yes
|
||||
save 900 1
|
||||
save 300 10
|
||||
hz 10
|
||||
dynamic-hz yes
|
||||
lazyfree-lazy-eviction yes
|
||||
lazyfree-lazy-expire yes
|
||||
lazyfree-lazy-server-del yes
|
||||
lazyfree-lazy-user-del yes
|
||||
lua-time-limit 5000
|
||||
busy-reply-threshold 5000
|
||||
loglevel notice
|
||||
slowlog-log-slower-than 10000
|
||||
slowlog-max-len 128
|
||||
rename-command FLUSHDB ""
|
||||
rename-command FLUSHALL ""
|
||||
rename-command DEBUG ""
|
||||
|
||||
sentinel.conf: |
|
||||
# Redis Sentinel Configuration
|
||||
port 26379
|
||||
sentinel monitor redis-master redis-0.redis-headless.staging.svc.cluster.local 6379 2
|
||||
sentinel down-after-milliseconds redis-master 5000
|
||||
sentinel failover-timeout redis-master 10000
|
||||
sentinel parallel-syncs redis-master 1
|
||||
sentinel resolve-hostnames yes
|
||||
sentinel announce-hostnames yes
|
||||
|
||||
# EN: Redis init container copies all files to /tmp; redis container reads from /tmp
|
||||
# VI: Redis init container copy tất cả files sang /tmp; redis container đọc từ /tmp
|
||||
start-redis.sh: |
|
||||
#!/bin/sh
|
||||
set -e
|
||||
HOSTNAME=$(hostname)
|
||||
INDEX="${HOSTNAME##*-}"
|
||||
# Config files already in /tmp from init container
|
||||
if [ "$INDEX" = "0" ]; then
|
||||
cp /tmp/redis-master.conf /tmp/redis.conf
|
||||
else
|
||||
cp /tmp/redis-replica.conf /tmp/redis.conf
|
||||
echo "replicaof redis-0.redis-headless.staging.svc.cluster.local 6379" >> /tmp/redis.conf
|
||||
echo "masterauth ${REDIS_PASSWORD}" >> /tmp/redis.conf
|
||||
fi
|
||||
echo "requirepass ${REDIS_PASSWORD}" >> /tmp/redis.conf
|
||||
echo "masterauth ${REDIS_PASSWORD}" >> /tmp/redis.conf
|
||||
exec redis-server /tmp/redis.conf
|
||||
|
||||
# EN: Sentinel has /config mounted directly (no init container)
|
||||
# VI: Sentinel mount /config trực tiếp (không có init container)
|
||||
start-sentinel.sh: |
|
||||
#!/bin/sh
|
||||
set -e
|
||||
cp /config/sentinel.conf /tmp/sentinel-run.conf
|
||||
echo "sentinel auth-pass redis-master ${REDIS_PASSWORD}" >> /tmp/sentinel-run.conf
|
||||
# Wait for Redis master to be ready
|
||||
until redis-cli -h redis-0.redis-headless.staging.svc.cluster.local -p 6379 -a "${REDIS_PASSWORD}" ping 2>/dev/null; do
|
||||
echo "Waiting for Redis master..."
|
||||
sleep 2
|
||||
done
|
||||
exec redis-sentinel /tmp/sentinel-run.conf
|
||||
@@ -63,6 +63,11 @@ stringData:
|
||||
# VI: IdentityServer Issuer
|
||||
IdentityServer__IssuerUri: "https://api.techbi.org"
|
||||
|
||||
# EN: BFF Client credentials (used by pos-web to obtain tokens from IdentityServer)
|
||||
# VI: Thông tin xác thực BFF Client (pos-web dùng để lấy token từ IdentityServer)
|
||||
IdentityServer__ClientId: "bff-client"
|
||||
IdentityServer__ClientSecret: "PLACEHOLDER-bff-client-secret"
|
||||
|
||||
# EN: PostgreSQL Connection Strings (per-service databases)
|
||||
# VI: Chuoi ket noi PostgreSQL (database rieng cho tung service)
|
||||
# Format: Host=ip;Port=port;Database=db;Username=user;Password=pass;SSL Mode=Prefer
|
||||
|
||||
Reference in New Issue
Block a user