From a8da2e3790e87ded7892e3bc3fc8babfc38e6df5 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Sun, 1 Mar 2026 17:13:25 +0000
Subject: [PATCH] [ci skip] redis: pin service to master pod to fix read-only
 errors

The Bitnami Redis Sentinel chart's service selects all nodes (master + replicas).
Clients using plain redis:// URLs (paperless-ngx, etc.) randomly hit read-only
replicas, causing write failures. Pin the service to redis-node-0 (master).
---
 stacks/platform/modules/redis/main.tf | 30 +++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/stacks/platform/modules/redis/main.tf b/stacks/platform/modules/redis/main.tf
index ef36d70a..60c13a75 100644
--- a/stacks/platform/modules/redis/main.tf
+++ b/stacks/platform/modules/redis/main.tf
@@ -109,6 +109,36 @@ resource "helm_release" "redis" {
   })]
 }
 
+# Override the Helm-managed service to pin to master pod
+# Sentinel clients can use the headless service for discovery,
+# but simple redis:// clients (paperless-ngx, etc.) need to hit the master
+resource "kubernetes_service" "redis" {
+  metadata {
+    name      = "redis"
+    namespace = kubernetes_namespace.redis.metadata[0].name
+  }
+  spec {
+    selector = {
+      "app.kubernetes.io/component"          = "node"
+      "app.kubernetes.io/instance"           = "redis"
+      "app.kubernetes.io/name"               = "redis"
+      "statefulset.kubernetes.io/pod-name"   = "redis-node-0"
+    }
+    port {
+      name        = "tcp-redis"
+      port        = 6379
+      target_port = 6379
+    }
+    port {
+      name        = "tcp-sentinel"
+      port        = 26379
+      target_port = 26379
+    }
+  }
+
+  depends_on = [helm_release.redis]
+}
+
 # Hourly backup: copy RDB snapshot from master to NFS
 resource "kubernetes_cron_job_v1" "redis-backup" {
   metadata {