apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
  namespace: honeydue
  labels:
    app.kubernetes.io/name: redis
    app.kubernetes.io/part-of: honeydue
spec:
  replicas: 1
  strategy:
    type: Recreate  # ReadWriteOnce PVC — can't attach to two pods
  selector:
    matchLabels:
      app.kubernetes.io/name: redis
  template:
    metadata:
      labels:
        app.kubernetes.io/name: redis
        app.kubernetes.io/part-of: honeydue
    spec:
      serviceAccountName: redis
      nodeSelector:
        honeydue/redis: "true"
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
        runAsGroup: 999
        fsGroup: 999
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: redis
          image: redis:7-alpine
          command:
            - sh
            - -c
            - |
              # allkeys-lru: under memory pressure, evict the least-recently-used key.
              # honeyDue uses Redis as a cache + asynq queue. The cache layer falls
              # through to DB on miss, so eviction is graceful. asynq keys with TTLs
              # would be evicted only after older cache entries are gone.
              ARGS="--appendonly yes --appendfsync everysec --maxmemory 256mb --maxmemory-policy allkeys-lru"
              if [ -n "$REDIS_PASSWORD" ]; then
                ARGS="$ARGS --requirepass $REDIS_PASSWORD"
              fi
              exec redis-server $ARGS
          ports:
            - containerPort: 6379
              protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          env:
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: honeydue-secrets
                  key: REDIS_PASSWORD
                  optional: true
          volumeMounts:
            - name: redis-data
              mountPath: /data
            - name: tmp
              mountPath: /tmp
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          readinessProbe:
            exec:
              command:
                - sh
                - -c
                - |
                  if [ -n "$REDIS_PASSWORD" ]; then
                    redis-cli -a "$REDIS_PASSWORD" ping 2>/dev/null | grep -q PONG
                  else
                    redis-cli ping | grep -q PONG
                  fi
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
          livenessProbe:
            exec:
              command:
                - sh
                - -c
                - |
                  if [ -n "$REDIS_PASSWORD" ]; then
                    redis-cli -a "$REDIS_PASSWORD" ping 2>/dev/null | grep -q PONG
                  else
                    redis-cli ping | grep -q PONG
                  fi
            initialDelaySeconds: 15
            periodSeconds: 20
            timeoutSeconds: 5
      volumes:
        - name: redis-data
          persistentVolumeClaim:
            claimName: redis-data
        - name: tmp
          emptyDir:
            medium: Memory
            sizeLimit: 64Mi