From 71e9378bbd5d04743d506e9c18fccfeb1a1c1d2b Mon Sep 17 00:00:00 2001 From: Tanguy Herbron Date: Thu, 22 May 2025 23:11:41 +0200 Subject: [PATCH] feat(pvc): Rework PVC permissions and split redis deployment --- manifests/deployment.yaml | 46 +++++++++++++++++++++++++++++++++--- manifests/pvc.yaml | 4 +--- manifests/redis-service.yaml | 4 ++-- 3 files changed, 46 insertions(+), 8 deletions(-) diff --git a/manifests/deployment.yaml b/manifests/deployment.yaml index 7ec1cd0..3ddd01a 100644 --- a/manifests/deployment.yaml +++ b/manifests/deployment.yaml @@ -33,6 +33,7 @@ spec: runAsUser: 991 runAsGroup: 991 fsGroup: 991 + fsGroupChangePolicy: "OnRootMismatch" containers: - name: mastodon-web image: ghcr.io/mastodon/mastodon:v4.3.7 @@ -215,6 +216,48 @@ spec: volumeMounts: - mountPath: "/mastodon/public/system" name: mastodon-data + volumes: + - name: mastodon-data + persistentVolumeClaim: + claimName: mastodon-pvc +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis + namespace: mastodon +spec: + replicas: 1 + selector: + matchLabels: + app: redis + template: + metadata: + labels: + app: redis + spec: + affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: cnpg.io/cluster + operator: In + values: + - mastodon-db + - key: cnpg.io/instanceRole + operator: In + values: + - primary + topologyKey: "kubernetes.io/hostname" + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" + containers: - name: redis image: redis:7.4.2 ports: @@ -223,9 +266,6 @@ spec: - mountPath: "/data" name: redis-data volumes: - - name: mastodon-data - persistentVolumeClaim: - claimName: mastodon-pvc - name: redis-data persistentVolumeClaim: claimName: redis-pvc diff --git a/manifests/pvc.yaml b/manifests/pvc.yaml index 1e711e8..a2aa092 100644 --- a/manifests/pvc.yaml +++ b/manifests/pvc.yaml 
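Review bot: The new `fsGroupChangePolicy: "OnRootMismatch"` line in the Mastodon pod `securityContext` should carry a comment recording its trade-off. With this policy Kubernetes compares only the volume's root directory with `fsGroup: 991` and skips the recursive ownership change when that matches, so files deeper in `mastodon-data` that were written or restored under another UID/GID are no longer corrected at mount time. I would add `# OnRootMismatch: only the volume root is checked against fsGroup; re-own restored data manually` above the new line. The pod spec starts and ends outside this hunk.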
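Review bot: The new `redis` Deployment sets only user and group IDs in its pod `securityContext`; nothing prevents privilege escalation, no capabilities are dropped and no seccomp profile is selected for a container that is now reached over the pod network. I would add `runAsNonRoot: true` and a `RuntimeDefault` seccomp profile at pod level plus a container-level `securityContext` on `redis`, as sketched below; the container definition continues in the following hunk. The Deployment also declares no `strategy`, so it uses the default rolling update, and with one replica on `redis-pvc` (declared `ReadWriteOnce` in `manifests/pvc.yaml`) `strategy: {type: Recreate}` avoids a rollout in which the old and the new pod both need the volume. `redis:7.4.2` is a mutable tag, so pinning the image by digest is worth considering.

```yaml
      securityContext:
        # … unchanged: runAsUser, runAsGroup, fsGroup, fsGroupChangePolicy …
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: redis
          # … unchanged: image, ports, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
```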
@@ -14,14 +14,12 @@ spec: storage: 50Gi storageClassName: redundant-storage-class --- + apiVersion: v1 kind: PersistentVolumeClaim metadata: name: redis-pvc namespace: mastodon - labels: - recurring-job.longhorn.io/source: enabled - recurring-job-group.longhorn.io/standard-pvc: enabled spec: accessModes: - ReadWriteOnce diff --git a/manifests/redis-service.yaml b/manifests/redis-service.yaml index 9603b99..8190425 100644 --- a/manifests/redis-service.yaml +++ b/manifests/redis-service.yaml @@ -4,7 +4,7 @@ metadata: name: redis-svc namespace: mastodon labels: - app.kubernetes.io/name: mastodon + app.kubernetes.io/name: redis spec: ports: - name: http @@ -12,4 +12,4 @@ spec: protocol: TCP targetPort: 6379 selector: - app: mastodon + app: redis
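Review bot: With the selector in `manifests/redis-service.yaml` switched to `app: redis`, every connection to Redis now goes through `redis-svc` over the pod network, and nothing in this patch limits who may connect to port 6379. No Redis authentication is visible in the hunks for the `redis` container either, so unless a NetworkPolicy already exists elsewhere in the repository, any workload that can reach the Service can read and modify Mastodon's Redis data. I would ship a NetworkPolicy with this change that admits ingress to `app: redis` only from the Mastodon pods. In the sketch below the policy name is a suggestion, and the `app: mastodon` label is taken from the old selector and should be checked against the Mastodon pod template.

```yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: redis-ingress  # suggested name
  namespace: mastodon
spec:
  podSelector:
    matchLabels:
      app: redis
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: mastodon
      ports:
        - protocol: TCP
          port: 6379
```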