An open source, in-memory data structure store used as a database, cache, and message broker.
- Kubernetes 1.24+
- Helm 3.2.0+
- PV provisioner support in the underlying infrastructure (if persistence is enabled)
Add the CloudPirates repository:
To install the chart with the release name my-redis:
helm install my-redis oci://registry-1.docker.io/cloudpirates/redisTo install with custom values:
helm install my-redis oci://registry-1.docker.io/cloudpirates/redis -f my-values.yamlOr install directly from the local chart:
helm install my-redis ./charts/redis- Get the Redis connection details:
# Get password
kubectl get secret my-redis -o jsonpath="{.data.redis-password}" | base64 -d
# Get full connection URI
kubectl get secret my-redis -o jsonpath="{.data.uri}" | base64 -d
# Get individual connection fields
kubectl get secret my-redis -o jsonpath="{.data.host}" | base64 -d
kubectl get secret my-redis -o jsonpath="{.data.port}" | base64 -d
kubectl get secret my-redis -o jsonpath="{.data.username}" | base64 -d- Connect to Redis from inside the cluster:
kubectl run redis-client --rm --tty -i --restart='Never' \
--image redis:8.2.0 -- bash
# Inside the pod:
redis-cli -h my-redis -a $REDIS_PASSWORDThis Helm chart is cryptographically signed with Cosign to ensure authenticity and prevent tampering.
Public Key:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5U+rM2d3hDjgP5T3cLShuuQIU9vR
Z4/G+Nug6q5vRa+C3qUA1wXjbaJFAfcIrv5VjmYAYOj13shnPpp3Zh4fnQ==
-----END PUBLIC KEY-----
To verify the helm chart before installation, copy the public key to the file cosign.pub and run cosign:
cosign verify --key cosign.pub registry-1.docker.io/cloudpirates/redis:<version>| Parameter | Description | Default |
|---|---|---|
global.imageRegistry |
Global Docker image registry override | "" |
global.imagePullSecrets |
Global Docker registry secret names | [] |
| Parameter | Description | Default |
|---|---|---|
image.registry |
Redis image registry | docker.io |
image.repository |
Redis image repository | redis |
image.tag |
Redis image tag | 8.4.0@sha256:43355efd22490e31ca14b9d569367d05121e2be61fd8e47937563ae2a80952ae |
image.pullPolicy |
Image pull policy | Always |
| Parameter | Description | Default |
|---|---|---|
nameOverride |
String to partially override redis.fullname | "" |
fullnameOverride |
String to fully override redis.fullname | "" |
namespaceOverride |
String to override the namespace for all resources | "" |
clusterDomain |
Kubernetes cluster domain | cluster.local |
commonLabels |
Labels to add to all deployed objects | {} |
commonAnnotations |
Annotations to add to all deployed objects | {} |
architecture |
Redis architecture. standalone: Single instance, cluster: Multi-master cluster, replication: Master-replica (use sentinel.enabled to control automatic failover) |
standalone |
replicaCount |
Number of Redis instances (when architecture=replication|cluster). As cluster or replication with Sentinel: total instances. Replication without Sentinel: 1 master + (n-1) replicas |
3 |
clusterReplicaCount |
Number of replicas to be created for each master when architecture=cluster. |
0 |
revisionHistoryLimit |
Number of revisions to keep in history for rollback (set to 0 for unlimited) | 10 |
| Parameter | Description | Default |
|---|---|---|
podLabels |
Map of labels to add to the pods | {} |
podAnnotations |
Map of annotations to add to the pods | {} |
| Parameter | Description | Default |
|---|---|---|
service.annotations |
Kubernetes service annotations | {} |
service.type |
Kubernetes service type | ClusterIP |
service.port |
Redis service port | 6379 |
service.nodePort |
NodePort value for NodePort and LoadBalancer service types | "" |
service.clusterPort |
Redis cluster service port | 16379 |
| Parameter | Description | Default |
|---|---|---|
auth.enabled |
Enable Redis authentication | true |
auth.sentinel |
Enable authentication for Redis sentinels | true |
auth.password |
Redis password (if empty, random password will be generated) | "" |
auth.existingSecret |
Name of existing secret containing Redis password | "" |
auth.existingSecretPasswordKey |
Key in existing secret containing Redis password | "" |
auth.acl.enabled |
Enable custom ACL rules from a secret file | false |
auth.acl.existingSecret |
Name of existing secret containing ACL rules | "" |
auth.acl.existingSecretACLKey |
Key in existing secret containing ACL rules | "" |
auth.acl.existingFilePath |
Path to existing ACL file injected by Vault Agent Injector (mutually exclusive with existingSecret) | "" |
When auth.enabled is true and no auth.existingSecret or auth.acl.enabled is set, the chart creates a Secret containing full connection details:
| Key | Description |
|---|---|
redis-password |
The Redis password (base64 encoded) |
host |
The Redis service hostname: <fullname>.<namespace>.svc (base64 encoded) |
port |
The Redis service port (base64 encoded). Uses tls.port when TLS is enabled |
username |
The Redis username: default (base64 encoded) |
uri |
Full connection URI: redis://default:<password>@<host>:<port> (base64 encoded). Uses rediss:// scheme when TLS is enabled |
Redis ACL (Access Control List) allows fine-grained access control with user-specific permissions. When ACL is enabled, all users including the 'default' user must be explicitly configured in the ACL file.
Using Kubernetes Secret (existingSecret):
auth:
acl:
enabled: true
existingSecret: "my-redis-acl"
existingSecretACLKey: "users.acl"Using Vault Agent Injector (existingFilePath):
auth:
acl:
enabled: true
existingFilePath: "/vault/secrets/redis-acl"ACL File Format Example:
user default >masterpassword ~* +@all
user readonly >readonlypassword ~* +@read
user sentinel >sentinelpassword ~* +client +info +ping +publish +subscribe +psubscribe +multi +exec +slaveof +config|rewrite +config|get +config|set
Notes:
existingSecretandexistingFilePathare mutually exclusive- When using
existingFilePath, no volume mounting is performed - the file must be available at the specified path - The ACL file must contain at least a 'default' user
- For Sentinel deployments, include a 'sentinel' user or the 'default' user password will be used
| Parameter | Description | Default |
|---|---|---|
tls.enabled |
Enable TLS/SSL for Redis connections | false |
tls.existingSecret |
Name of an existing secret containing TLS certificates (expected keys: tls.crt, tls.key, ca.crt) | "" |
tls.certFilename |
Server certificate filename in the secret | tls.crt |
tls.certKeyFilename |
Server certificate key filename in the secret | tls.key |
tls.certCAFilename |
CA certificate filename in the secret | ca.crt |
tls.port |
TLS port for Redis | 6380 |
tls.authClients |
Require clients to authenticate with a valid client certificate | true |
tls.client.existingSecret |
Name of an existing secret containing client TLS certificates (expected keys: tls.crt, tls.key). Used for probes. | "" |
tls.client.certFilename |
Client certificate filename in the secret | tls.crt |
tls.client.certKeyFilename |
Client certificate key filename in the secret | tls.key |
| Parameter | Description | Default |
|---|---|---|
config.mountPath |
Redis configuration mount path | /usr/local/etc/redis |
config.content |
Custom Redis configuration as string | See values.yaml |
config.existingConfigmap |
Name of existing ConfigMap to use | "" |
config.existingConfigmapKey |
Key in existing ConfigMap | "" |
| Parameter | Description | Default |
|---|---|---|
metrics.enabled |
Start a sidecar Prometheus exporter to expose Redis metrics | false |
metrics.image.registry |
Redis exporter image registry | docker.io |
metrics.image.repository |
Redis exporter image repository | oliver006/redis_exporter |
metrics.image.tag |
Redis exporter image tag | v1.80.1-alpine |
metrics.image.pullPolicy |
Redis exporter image pull policy | Always |
metrics.resources.requests.cpu |
CPU request for the metrics container | 50m |
metrics.resources.requests.memory |
Memory request for the metrics container | 64Mi |
metrics.resources.limits.cpu |
CPU limit for the metrics container | nil |
metrics.resources.limits.memory |
Memory limit for the metrics container | 64Mi |
metrics.extraArgs |
Extra arguments for Redis exporter (e.g. --redis.addr, --web.listen-address) |
[] |
metrics.service.type |
Metrics service type | ClusterIP |
metrics.service.port |
Metrics service port | 9121 |
metrics.service.annotations |
Additional custom annotations for Metrics service | {} |
metrics.service.loadBalancerIP |
LoadBalancer IP if metrics service type is LoadBalancer |
"" |
metrics.service.loadBalancerSourceRanges |
Addresses allowed when metrics service is LoadBalancer |
[] |
metrics.service.clusterIP |
Static clusterIP or None for headless services when metrics service type is ClusterIP |
"" |
metrics.service.nodePort |
NodePort value for LoadBalancer and NodePort service types | "" |
metrics.serviceMonitor.enabled |
Create ServiceMonitor resource(s) for scraping metrics using Prometheus Operator | false |
metrics.serviceMonitor.namespace |
Namespace in which to create ServiceMonitor resource(s) | "" |
metrics.serviceMonitor.interval |
Interval at which metrics should be scraped | 30s |
metrics.serviceMonitor.scrapeTimeout |
Timeout after which the scrape is ended | "" |
metrics.serviceMonitor.relabelings |
Additional relabeling of metrics | [] |
metrics.serviceMonitor.metricRelabelings |
Additional metric relabeling of metrics | [] |
metrics.serviceMonitor.honorLabels |
Honor metrics labels | false |
metrics.serviceMonitor.selector |
Prometheus instance selector labels | {} |
metrics.serviceMonitor.annotations |
Additional custom annotations for the ServiceMonitor | {} |
metrics.serviceMonitor.namespaceSelector |
Namespace selector for ServiceMonitor | {} |
| Parameter | Description | Default |
|---|---|---|
pdb.enabled |
Enable Pod Disruption Budget | false |
pdb.minAvailable |
Minimum number/percentage of pods that should remain scheduled | 1 |
pdb.maxUnavailable |
Maximum number/percentage of pods that may be made unavailable | "" |
| Parameter | Description | Default |
|---|---|---|
persistence.enabled |
Enable persistent storage | true |
persistence.storageClass |
Storage class for persistent volume | "" |
persistence.accessMode |
Access mode for persistent volume | ReadWriteOnce |
persistence.size |
Size of persistent volume | 8Gi |
persistence.mountPath |
Mount path for Redis data | /data |
persistence.annotations |
Annotations for persistent volume claims | {} |
persistence.existingClaim |
The name of an existing PVC to use for persistence | "" |
persistence.subPath |
The subdirectory of the volume to mount to | "" |
| Parameter | Description | Default |
|---|---|---|
persistentVolumeClaimRetentionPolicy.enabled |
Enable Persistent volume retention policy for the StatefulSet | false |
persistentVolumeClaimRetentionPolicy.whenDeleted |
Volume retention behavior that applies when the StatefulSet is deleted | "Retain" |
persistentVolumeClaimRetentionPolicy.whenScaled |
Volume retention behavior when the replica count of the StatefulSet is reduced | "Retain" |
| Parameter | Description | Default |
|---|---|---|
resources.limits.memory |
Memory limit | 256Mi |
resources.requests.cpu |
CPU request | 50m |
resources.requests.memory |
Memory request | 128Mi |
| Parameter | Description | Default |
|---|---|---|
nodeSelector |
Node selector for pod assignment | {} |
priorityClassName |
Priority class for pod eviction | "" |
tolerations |
Tolerations for pod assignment | [] |
affinity |
Affinity rules for pod assignment | {} |
terminationGracePeriodSeconds |
Seconds Kubernetes waits for pod to terminate gracefully (recommended: 60 for Sentinel) | 30 |
topologySpreadConstraints |
Topology spread constraints for pod assignment | [] |
| Parameter | Description | Default |
|---|---|---|
containerSecurityContext.runAsUser |
User ID to run the container | 999 |
containerSecurityContext.runAsGroup |
Group ID to run the container | 999 |
containerSecurityContext.runAsNonRoot |
Run as non-root user | true |
containerSecurityContext.privileged |
Set container's privileged mode | false |
containerSecurityContext.allowPrivilegeEscalation |
Allow privilege escalation | false |
containerSecurityContext.readOnlyRootFilesystem |
Read-only root filesystem | true |
containerSecurityContext.capabilities.drop |
Linux capabilities to be dropped | ["ALL"] |
containerSecurityContext.seccompProfile.type |
Seccomp profile for the container | RuntimeDefault |
podSecurityContext.fsGroup |
Pod's Security Context fsGroup | 999 |
| Parameter | Description | Default |
|---|---|---|
livenessProbe.enabled |
Enable liveness probe | true |
livenessProbe.initialDelaySeconds |
Initial delay before starting probes | 30 |
livenessProbe.periodSeconds |
How often to perform the probe | 10 |
livenessProbe.timeoutSeconds |
Timeout for each probe attempt | 5 |
livenessProbe.failureThreshold |
Number of failures before pod is restarted | 6 |
livenessProbe.successThreshold |
Number of successes to mark probe as successful | 1 |
| Parameter | Description | Default |
|---|---|---|
readinessProbe.enabled |
Enable readiness probe | true |
readinessProbe.initialDelaySeconds |
Initial delay before starting probes | 5 |
readinessProbe.periodSeconds |
How often to perform the probe | 10 |
readinessProbe.timeoutSeconds |
Timeout for each probe attempt | 5 |
readinessProbe.failureThreshold |
Number of failures before pod is marked unready | 6 |
readinessProbe.successThreshold |
Number of successes to mark probe as successful | 1 |
Redis Sentinel provides high availability for Redis through automatic failover. When enabled in replication mode, Sentinel monitors the master and replicas, and promotes a replica to master if the current master becomes unavailable. When disabled with replication mode, pod-0 is always the master.
| Parameter | Description | Default |
|---|---|---|
sentinel.enabled |
Enable Redis Sentinel for high availability. When disabled, pod-0 is master (manual failover) | false |
sentinel.image.registry |
Redis Sentinel image registry | docker.io |
sentinel.image.repository |
Redis Sentinel image repository | redis |
sentinel.image.tag |
Redis Sentinel image tag | 8.4.0 |
sentinel.image.pullPolicy |
Sentinel image pull policy | Always |
sentinel.config.announceHostnames |
Use the hostnames instead of the IP in "announce-ip" commands | true |
sentinel.masterName |
Name of the master server | mymaster |
sentinel.quorum |
Number of Sentinels needed to agree on master failure | 2 |
sentinel.downAfterMilliseconds |
Time in ms after master is declared down | 30000 |
sentinel.failoverTimeout |
Timeout for failover in ms | 180000 |
sentinel.parallelSyncs |
Number of replicas to reconfigure during failover | 1 |
sentinel.loglevel |
Sentinel log level (debug, verbose, notice, warning). When 'debug', full config is logged | notice |
sentinel.port |
Sentinel port | 26379 |
sentinel.service.type |
Kubernetes service type for Sentinel | ClusterIP |
sentinel.service.port |
Sentinel service port | 26379 |
sentinel.resources.limits.memory |
Memory limit for Sentinel pods | 128Mi |
sentinel.resources.requests.cpu |
CPU request for Sentinel pods | 25m |
sentinel.resources.requests.memory |
Memory request for Sentinel pods | 64Mi |
sentinel.extraVolumeMounts |
Additional volume mounts for Sentinel container | [] |
sentinel.redisShutdownWaitFailover |
Whether Redis waits for Sentinel failover before shutdown (zero-downtime upgrades) | true |
sentinel.preStop.enabled |
Enable preStop hook for Sentinel container (waits for failover before terminating) | true |
sentinel.livenessProbe.enabled |
Enable liveness probe | true |
sentinel.livenessProbe.initialDelaySeconds |
Initial delay before starting probes | 30 |
sentinel.livenessProbe.periodSeconds |
How often to perform the probe | 10 |
sentinel.livenessProbe.timeoutSeconds |
Timeout for each probe attempt | 5 |
sentinel.livenessProbe.failureThreshold |
Number of failures before pod is restarted | 6 |
sentinel.livenessProbe.successThreshold |
Number of successes to mark probe as successful | 1 |
sentinel.readinessProbe.enabled |
Enable readiness probe | true |
sentinel.readinessProbe.initialDelaySeconds |
Initial delay before starting probes | 5 |
sentinel.readinessProbe.periodSeconds |
How often to perform the probe | 10 |
sentinel.readinessProbe.timeoutSeconds |
Timeout for each probe attempt | 5 |
sentinel.readinessProbe.failureThreshold |
Number of failures before pod is marked unready | 6 |
sentinel.readinessProbe.successThreshold |
Number of successes to mark probe as successful | 1 |
| Parameter | Description | Default |
|---|---|---|
serviceAccount.annotations |
Additional custom annotations for the ServiceAccount | {} |
serviceAccount.automountServiceAccountToken |
Automount service account token inside the Redis pods | false |
serviceAccount.create |
Enable the creation of a ServiceAccount | false |
serviceAccount.name |
Name of the ServiceAccount to use. If not set and serviceAccount.create is true, a name is generated using the fullname template. |
"" |
| Parameter | Description | Default |
|---|---|---|
extraEnvVars |
Additional environment variables to set | [] |
extraVolumes |
Additional volumes to add to the pod | [] |
extraVolumeMounts |
Additional volume mounts for Redis container | [] |
extraObjects |
A list of additional Kubernetes objects to deploy alongside the release | [] |
extraPorts |
Additional ports to be exposed by Services and StatefulSet | [] |
| Parameter | Description | Default |
|---|---|---|
customScripts.postStart.enabled |
Enable postStart lifecycle hook | false |
customScripts.postStart.command |
Command to execute in postStart hook | [] |
customScripts.preStop.enabled |
Enable preStop lifecycle hook (overrides default Sentinel preStop hook) | false |
customScripts.preStop.command |
Command to execute in preStop hook | [] |
| Parameter | Description | Default |
|---|---|---|
clusterInitJob.resources |
Resource limits and requests for clusterInit Job | {} |
clusterInitJob.resources.limits.memory |
Memory limit for clusterInit Job | 128Mi |
clusterInitJob.resources.requests.cpu |
CPU request for clusterInit Job | 10m |
clusterInitJob.resources.requests.memory |
Memory request for clusterInit Job | 64Mi |
You can use the extraObjects array to deploy additional Kubernetes resources (such as NetworkPolicies, ConfigMaps, etc.) alongside the release. This is useful for customizing your deployment with extra manifests that are not covered by the default chart options.
Helm templating is supported in any field, but all template expressions must be quoted. For example, to use the release namespace, write namespace: "{{ .Release.Namespace }}".
Example: Deploy a NetworkPolicy with templating
extraObjects:
- apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dns
namespace: "{{ .Release.Namespace }}"
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
- ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCPAll objects in extraObjects will be rendered and deployed with the release. You can use any valid Kubernetes manifest, and reference Helm values or built-in objects as needed (just remember to quote template expressions).
helm install my-redis ./charts/redis# values-external-secret.yaml
auth:
enabled: true
existingSecret: "redis-credentials"
existingSecretPasswordKey: "password"Deploy Redis with master-replica architecture and Sentinel for automatic failover:
# values-ha.yaml
architecture: replication
replicaCount: 2
sentinel:
enabled: true
quorum: 2
downAfterMilliseconds: 30000
failoverTimeout: 180000
redisShutdownWaitFailover: true # Redis waits for failover before shutdown
preStop:
enabled: true # Sentinel waits for failover before terminating
# Required for graceful failover during helm upgrades
terminationGracePeriodSeconds: 60
auth:
enabled: truehelm install my-redis ./charts/redis -f values-ha.yamlAfter deployment, you'll have:
- 1 Redis master instance
- 2 Redis replica instances
- 3 Redis Sentinel instances (for monitoring and failover)
Connecting to Redis with Sentinel:
# Get the Redis password
REDIS_PASSWORD=$(kubectl get secret my-redis -o jsonpath="{.data.redis-password}" | base64 -d)
# Connect to Sentinel to discover the current master
kubectl run redis-client --rm --tty -i --restart='Never' \
--image redis:8.2.1 -- bash
# Inside the pod:
redis-cli -h my-redis-sentinel -p 26379 sentinel get-master-addr-by-name mymaster
# Connect to the current master (address from previous command)
redis-cli -h <master-ip> -p 6379 -a $REDIS_PASSWORDDeploy Redis with replication but without Sentinel for scenarios where automatic failover is not needed:
architecture: replication
replicaCount: 3 # 1 master + 2 replicas
sentinel:
enabled: false
auth:
enabled: trueAfter deployment, you'll have:
- 1 Redis master instance (pod-0, always the master)
- 2 Redis replica instances (pod-1, pod-2)
- No automatic failover (manual intervention required if master fails)
Key differences from Sentinel mode:
- Pod-0 is always the master, other pods are always replicas
- No automatic failover - if the master fails, manual intervention is required
- Simpler setup with fewer components
- Lower resource usage (no Sentinel containers)
Deploy Redis Cluster with 6 nodes - 3 master and 3 replicas for automated failover:
# values-cluster.yaml
architecture: cluster
replicaCount: 6
clusterReplicaCount: 1helm install my-redis ./charts/redis -f values-cluster.yamlKey differences with replication
- Redis Cluster supports single database only
- Data is automatically divided across multiple nodes for improved performance
- With cluster-aware client, user can connect to any node (directly or via service) and requests will be automatically redirected, based on MOVED response
To upgrade your Redis installation:
helm upgrade my-redis cloudpirates/redisTo uninstall/delete the Redis deployment:
helm delete my-redisFor issues related to this Helm chart, please check: