fix: delete redis from bitnami and provide own templates (#1267)

* fix: remove bitnami redis and provide own templates

* fix: update integration tests redis image for docker-compose 

* fix: update entrypoint.sh shell script with the fallback for docker

* test: test new version of SC4SNMP-UI backend

* chore: add changelog

Author: omrozowicz-splunk

CHANGELOG.md

@@ -3,6 +3,11 @@
 ## Unreleased
 
 ### Changed
+- **Redis Migration**: Replaced Bitnami Redis chart with custom Kubernetes manifests
+  - Updated to official Redis image version 8.2.2 (addresses security vulnerabilities)
+  - Added authentication support (password or Kubernetes Secret)
+  - Implemented automatic data migration from Bitnami deployments (PVC reuse)
+  - Enabled AOF persistence by default for data durability
 - add CounterBasedGauge64 and ZeroBasedCounter64 as metrics types
 
 ### Fixes

charts/splunk-connect-for-snmp/Chart.lock

@@ -2,11 +2,8 @@ dependencies:
 - name: mongodb
   repository: https://charts.bitnami.com/bitnami
   version: 15.6.26
-- name: redis
-  repository: https://charts.bitnami.com/bitnami
-  version: 20.2.2
 - name: mibserver
   repository: https://pysnmp.github.io/mibs/charts/
   version: 1.15.25
-digest: sha256:b7c83eee7395cbc67d21833ab21da52d1d43481c798e52d0a9a7f0a7c3fe05b4
-generated: "2025-08-13T13:56:57.099109+02:00"
+digest: sha256:747fcedec83bf0d80600166a021b35436d8d2ea877b60e9a43044ed2140cf1c5
+generated: "2025-10-13T12:15:04.255986+02:00"

charts/splunk-connect-for-snmp/Chart.yaml

@@ -25,9 +25,6 @@ dependencies:
   - name: mongodb
     version: ~15.6.0
     repository: https://charts.bitnami.com/bitnami
-  - name: redis
-    version: ~20.2.0
-    repository: https://charts.bitnami.com/bitnami
   - name: mibserver
     version: ~1.15
     repository: https://pysnmp.github.io/mibs/charts/

charts/splunk-connect-for-snmp/templates/_helpers.tpl

@@ -14,22 +14,6 @@
 {{- end }}
 {{- end }}
 
-{{- define "splunk-connect-for-snmp.celery_url" -}}
-{{- if and ( eq .Values.redis.architecture "replication" ) .Values.redis.sentinel.enabled  }}
-{{- printf "redis://%s-redis:6379/0" .Release.Name }}
-{{- else }}
-{{- printf "redis://%s-redis-master:6379/0" .Release.Name }}
-{{- end }}
-{{- end }}
-
-{{- define "splunk-connect-for-snmp.redis_url" -}}
-{{- if and ( eq .Values.redis.architecture "replication" ) .Values.redis.sentinel.enabled  }}
-{{- printf "redis://%s-redis:6379/1" .Release.Name }}
-{{- else }}
-{{- printf "redis://%s-redis-master:6379/1" .Release.Name }}
-{{- end }}
-{{- end }}
-
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

charts/splunk-connect-for-snmp/templates/inventory/job.yaml

@@ -30,12 +30,28 @@ spec:
           env:
           - name: CONFIG_PATH
             value: /app/config/config.yaml
-          - name: REDIS_URL
-            value: {{ include "splunk-connect-for-snmp.redis_url" . }}
+        {{- if .Values.redis.auth.enabled }}
+          - name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                {{- if .Values.redis.auth.existingSecret }}
+                name: {{ .Values.redis.auth.existingSecret }}
+                key: {{ .Values.redis.auth.existingSecretPasswordKey | default "password" }}
+                {{- else }}
+                name: {{ .Release.Name }}-redis-secret
+                key: password
+                {{- end }}
+          {{- end }}
+          - name: REDIS_HOST
+            value: {{ .Release.Name }}-redis
+          - name: REDIS_PORT
+            value: "6379"
+          - name: REDIS_DB
+            value: "1"
+          - name: CELERY_DB
+            value: "0"
           - name: INVENTORY_PATH
             value: /app/inventory/inventory.csv
-          - name: CELERY_BROKER_URL
-            value: {{ include "splunk-connect-for-snmp.celery_url" . }}
           - name: MONGO_URI
             value: {{ include "splunk-connect-for-snmp.mongo_uri" . }}
           - name: MIB_SOURCES

charts/splunk-connect-for-snmp/templates/redis/redis-config.yaml

@@ -0,0 +1,37 @@
+{{- if eq .Values.redis.architecture "standalone" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-redis-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}-redis
+data:
+  redis.conf: |
+    # Data directory
+    dir /data
+
+    # Persistence - RDB
+    save 900 1
+    save 300 10
+    save 60 10000
+
+    # Persistence - AOF
+    {{- if .Values.redis.persistence.aof.enabled }}
+    appendonly yes
+    appendfsync {{ .Values.redis.persistence.aof.fsync }}
+    {{- else }}
+    appendonly no
+    {{- end }}
+
+    # Logging
+    loglevel notice
+
+    # Memory
+    maxmemory-policy noeviction
+
+    # Network
+    bind 0.0.0.0
+    protected-mode no
+    port 6379
+{{- end }}

charts/splunk-connect-for-snmp/templates/redis/redis-secret.yaml

@@ -0,0 +1,10 @@
+{{- if and .Values.redis.auth.enabled (not .Values.redis.auth.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-redis-secret
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  password: {{ .Values.redis.auth.password | b64enc }}
+{{- end }}

charts/splunk-connect-for-snmp/templates/redis/redis-standalone-service.yaml

@@ -0,0 +1,15 @@
+{{- if eq .Values.redis.architecture "standalone" }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-redis
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  ports:
+  - port: 6379
+    targetPort: 6379
+    name: redis
+  selector:
+    app: {{ .Release.Name }}-redis
+{{- end }}

charts/splunk-connect-for-snmp/templates/redis/redis-standalone-statefulset.yaml

@@ -0,0 +1,159 @@
+{{- if eq .Values.redis.architecture "standalone" }}
+{{- $bitnamiPVC := printf "redis-data-%s-redis-master-0" .Release.Name }}
+{{- $existingPVC := lookup "v1" "PersistentVolumeClaim" .Release.Namespace $bitnamiPVC }}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ .Release.Name }}-redis
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}-redis
+spec:
+  serviceName: {{ .Release.Name }}-redis
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-redis
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-redis
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/redis/redis-config.yaml") . | sha256sum }}
+    spec:
+      {{- with .Values.redis.podSecurityContext }}
+      securityContext:
+        runAsUser: {{ .runAsUser }}
+        fsGroup: {{ .fsGroup }}
+      {{- end }}
+      initContainers:
+      - name: fix-permissions
+        image: {{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}
+        imagePullPolicy: {{ .Values.redis.image.pullPolicy }}
+        command:
+        - sh
+        - -c
+        - |
+          echo "=== Redis Init: Fixing Permissions ==="
+          echo "Current ownership:"
+          ls -ln /data
+          echo ""
+          echo "Fixing ownership to {{ .Values.redis.podSecurityContext.runAsUser }}:{{ .Values.redis.podSecurityContext.fsGroup }}..."
+          chown -R {{ .Values.redis.podSecurityContext.runAsUser }}:{{ .Values.redis.podSecurityContext.fsGroup }} /data
+          chmod -R 755 /data
+          echo ""
+          echo "New ownership:"
+          ls -ln /data
+          echo "=== Permissions Fixed ==="
+        volumeMounts:
+        - name: redis-data
+          mountPath: /data
+        securityContext:
+          runAsUser: 0  # Must run as root to chown
+      containers:
+      - name: redis
+        image: {{ .Values.redis.image.repository }}:{{ .Values.redis.image.tag }}
+        imagePullPolicy: {{ .Values.redis.image.pullPolicy }}
+        ports:
+        - containerPort: 6379
+          name: redis
+        command:
+        - sh
+        - -c
+        args:
+        - |
+          # Copy config to writable location
+          cp /etc/redis/redis.conf /tmp/redis.conf
+
+          {{- if .Values.redis.auth.enabled }}
+          # Append password at runtime
+          echo "requirepass $REDIS_PASSWORD" >> /tmp/redis.conf
+          {{- end }}
+
+          # Start Redis
+          exec redis-server /tmp/redis.conf
+        {{- if .Values.redis.auth.enabled }}
+        env:
+          - name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                {{- if .Values.redis.auth.existingSecret }}
+                name: {{ .Values.redis.auth.existingSecret }}
+                key: {{ .Values.redis.auth.existingSecretPasswordKey | default "password" }}
+                {{- else }}
+                name: {{ .Release.Name }}-redis-secret
+                key: password
+                {{- end }}
+        {{- end }}
+        volumeMounts:
+        - name: redis-data
+          mountPath: /data
+        - name: redis-config
+          mountPath: /etc/redis
+        resources:
+          {{- toYaml .Values.redis.resources | nindent 10 }}
+        livenessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              {{- if .Values.redis.auth.enabled }}
+              redis-cli -a "$REDIS_PASSWORD" ping
+              {{- else }}
+              redis-cli ping
+              {{- end }}
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - |
+              {{- if .Values.redis.auth.enabled }}
+              redis-cli -a "$REDIS_PASSWORD" ping
+              {{- else }}
+              redis-cli ping
+              {{- end }}
+          initialDelaySeconds: 5
+          periodSeconds: 5
+      {{- if and .Values.redis.storage.enabled $existingPVC }}
+      # Reuse existing Bitnami PVC
+      volumes:
+      - name: redis-data
+        persistentVolumeClaim:
+          claimName: {{ $bitnamiPVC }}
+      - name: redis-config
+        configMap:
+          name: {{ .Release.Name }}-redis-config
+      {{- else if .Values.redis.storage.enabled }}
+      # Storage enabled but no existing PVC - use volumeClaimTemplates below
+      volumes:
+      - name: redis-config
+        configMap:
+          name: {{ .Release.Name }}-redis-config
+      {{- else }}
+      # Storage disabled - use emptyDir (ephemeral)
+      volumes:
+      - name: redis-data
+        emptyDir: {}
+      - name: redis-config
+        configMap:
+          name: {{ .Release.Name }}-redis-config
+      {{- end }}
+  {{- if and .Values.redis.storage.enabled (not $existingPVC) }}
+  # No existing PVC found, create new one via volumeClaimTemplates
+  volumeClaimTemplates:
+  - metadata:
+      name: redis-data
+    spec:
+      accessModes: {{ toYaml .Values.redis.storage.accessModes | nindent 8 }}
+      {{- if .Values.redis.storage.storageClassName }}
+      storageClassName: {{ .Values.redis.storage.storageClassName }}
+      {{- end }}
+      resources:
+        requests:
+          storage: {{ .Values.redis.storage.size }}
+  {{- end }}
+{{- end }}

charts/splunk-connect-for-snmp/templates/scheduler/deployment.yaml

@@ -45,10 +45,26 @@ spec:
           env:
             - name: CONFIG_PATH
               value: /app/config/config.yaml
-            - name: REDIS_URL
-              value: {{ include "splunk-connect-for-snmp.redis_url" . }}
-            - name: CELERY_BROKER_URL
-              value: {{ include "splunk-connect-for-snmp.celery_url" . }}
+            {{- if .Values.redis.auth.enabled }}
+            - name: REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.redis.auth.existingSecret }}
+                  name: {{ .Values.redis.auth.existingSecret }}
+                  key: {{ .Values.redis.auth.existingSecretPasswordKey | default "password" }}
+                  {{- else }}
+                  name: {{ .Release.Name }}-redis-secret
+                  key: password
+                  {{- end }}
+            {{- end }}
+            - name: REDIS_HOST
+              value: {{ .Release.Name }}-redis
+            - name: REDIS_PORT
+              value: "6379"
+            - name: REDIS_DB
+              value: "1"
+            - name: CELERY_DB
+              value: "0"
             - name: MONGO_URI
               value: {{ include "splunk-connect-for-snmp.mongo_uri" . }}
             - name: MIB_SOURCES