fix: right-size service memory after PVE RAM upgrade (142→272GB)

- MySQL InnoDB: 2Gi/4Gi → 3Gi/6Gi (was at 97% of limit) - Redis HAProxy: 16Mi/16Mi → 32Mi/64Mi (OOMKilled) - Plotting-book: 64Mi/64Mi → 128Mi/256Mi (OOMKilled) - Tandoor: 256Mi/256Mi → 384Mi/512Mi (60 OOM restarts), re-enabled - Navidrome: 128Mi/128Mi → 256Mi/384Mi - Matrix: add explicit 256Mi/512Mi resources - Trading-bot workers: 64Mi/64Mi → 128Mi/256Mi, re-enabled - Tier 3-edge defaults: 96Mi/192Mi → 128Mi/256Mi - Fallback tier defaults: 128Mi/128Mi → 128Mi/192Mi, max 2→4Gi - Mailserver: disable rspamd-redis, fix Roundcube IPv6/IMAP, bump dovecot connections
2026-04-05 23:02:50 +03:00 · 2026-04-05 23:02:50 +03:00 · 4da8f0242f
commit 4da8f0242f
parent 825adc4a67
10 changed files with 113 additions and 98 deletions
--- a/stacks/redis/modules/redis/main.tf
+++ b/stacks/redis/modules/redis/main.tf
@ -109,9 +109,9 @@ resource "helm_release" "redis" {
      enabled = false
    }

-    # Use the existing service name so clients don't need changes
-    # Sentinel-enabled Bitnami chart creates a headless service
-    # and a regular service pointing at the master
+    # Disable the Helm chart's ClusterIP service — we manage our own
+    # that points to HAProxy (master-only routing). The headless service
+    # is still needed for StatefulSet pod DNS resolution.
    nameOverride = "redis"
  })]
 }
@ -209,10 +209,10 @@ resource "kubernetes_deployment" "haproxy" {
          resources {
            requests = {
              cpu    = "10m"
-              memory = "16Mi"
+              memory = "32Mi"
            }
            limits = {
-              memory = "16Mi"
+              memory = "64Mi"
            }
          }
          liveness_probe {
@ -236,28 +236,24 @@ resource "kubernetes_deployment" "haproxy" {
  depends_on = [helm_release.redis]
 }

-resource "kubernetes_service" "redis" {
-  metadata {
-    name      = "redis"
-    namespace = kubernetes_namespace.redis.metadata[0].name
-  }
-  spec {
-    selector = {
-      app = "redis-haproxy"
-    }
-    port {
-      name        = "tcp-redis"
-      port        = 6379
-      target_port = 6379
-    }
-    port {
-      name        = "tcp-sentinel"
-      port        = 26379
-      target_port = 26379
-    }
+# The Helm chart creates a `redis` Service that selects all nodes (master + replica),
+# causing READONLY errors when clients hit the replica. We patch it post-Helm to
+# route through HAProxy instead, which health-checks and routes only to the master.
+# This runs on every apply to ensure the Helm chart's service is always corrected.
+resource "null_resource" "patch_redis_service" {
+  triggers = {
+    always = timestamp()
  }

-  depends_on = [kubernetes_deployment.haproxy]
+  provisioner "local-exec" {
+    command = <<-EOT
+      kubectl --kubeconfig=${abspath("${path.module}/../../../../config")} \
+        patch svc redis -n redis --type='json' \
+        -p='[{"op":"replace","path":"/spec/selector","value":{"app":"redis-haproxy"}}]'
+    EOT
+  }
+
+  depends_on = [helm_release.redis, kubernetes_deployment.haproxy]
 }

 module "nfs_backup" {