From 085c9841b032388e9df773bcbdaf0968199fa04a Mon Sep 17 00:00:00 2001
From: Kochetkov S
Date: Thu, 23 Apr 2026 14:04:39 +0300
Subject: [PATCH] attachments
---
 apps/attachments/base/deployment.yaml | 100 +++++++------------
 apps/attachments/base/kustomization.yaml | 2 +-
 apps/attachments/base/serviceaccount.yaml | 5 +
 apps/attachments/yc-k8s-test/postgresql.yaml | 23 +++--
 4 files changed, 58 insertions(+), 72 deletions(-)
 create mode 100644 apps/attachments/base/serviceaccount.yaml
diff --git a/apps/attachments/base/deployment.yaml b/apps/attachments/base/deployment.yaml
index 21d4bc3..817c6c7 100644
--- a/apps/attachments/base/deployment.yaml
+++ b/apps/attachments/base/deployment.yaml
@@ -15,11 +15,48 @@ spec:
 metadata:
 labels:
 app: attachments
+ annotations:
+ traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+ vault.hashicorp.com/agent-init-first: "true"
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/auth-path: auth/kubernetes
+ vault.hashicorp.com/role: attachments
+ vault.hashicorp.com/agent-inject-secret-attachments-db: secrets/data/postgresql/apps/attachments
+ vault.hashicorp.com/agent-inject-template-attachments-db: |-
+ {{- with secret "secrets/data/postgresql/apps/attachments" -}}
+ DATABASE_HOST=postgresql.attachments.svc.cluster.local
+ DATABASE_PORT=5432
+ DATABASE_NAME=attachments_db
+ DATABASE_USER={{ index .Data.data "username" }}
+ DATABASE_PASSWORD={{ index .Data.data "password" }}
+ DATABASE_SSL_MODE=disable
+ {{- end -}}
+ vault.hashicorp.com/agent-inject-secret-attachments-s3: secrets/data/minio/apps/attachments
+ vault.hashicorp.com/agent-inject-template-attachments-s3: |-
+ {{- with secret "secrets/data/minio/apps/attachments" -}}
+ YANDEX_S3_ENDPOINT_URL=minio.minio:9000
+ YANDEX_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
+ YANDEX_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
+ YANDEX_S3_USE_SSL=false
+ YANDEX_S3_REGION=ru-central
+ YANDEX_S3_VERIFY=false
+ BUCKET_NAME=attachments
+ {{- end -}}
 spec:
+ serviceAccountName: attachments-vault
 containers:
 - name: attachments
 image: cr.yandex/crp3ccidau046kdj8g9q/attachments:feature_6238c882
 imagePullPolicy: IfNotPresent
+ command: ["/bin/bash", "-ec"]
+ args:
+ - |
+ set -a
+ [ -f /vault/secrets/attachments-db ] && . /vault/secrets/attachments-db
+ [ -f /vault/secrets/attachments-s3 ] && . /vault/secrets/attachments-s3
+ set +a
+ exec /opt/attachments/entrypoint.sh
 ports:
 - name: http
 containerPort: 8000
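Review bot: The startup wrapper in `args` sources the rendered Vault files with `.`, so the secret contents are executed by bash rather than read as data: a generated password containing `$`, a backtick, `;`, `#` or whitespace is mangled or run, and anyone able to write those Vault paths can run commands in the container. Quote the interpolated values in both templates (for example `DATABASE_PASSWORD='{{ index .Data.data "password" }}'` when the value cannot contain `'`), or have the entrypoint parse the file as key=value data instead of sourcing it. The `[ -f … ] &&` guards also make a missing file fail open, since under `bash -e` a false test inside an `&&` list does not abort, so the container starts with no DATABASE_*/YANDEX_S3_* variables at all; with `agent-init-first` and `agent-pre-populate-only` set the files are mandatory, so drop the guards (`. /vault/secrets/attachments-db`) and let a missing file fail the start. Note also that `YANDEX_S3_USE_SSL=false`, `YANDEX_S3_VERIFY=false` and the fixed database host are now baked into the base annotation text, which any overlay can only change by replacing the whole template string. The Deployment `spec:` continues past the end of the hunk.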
@@ -29,68 +66,5 @@ spec:
 value: "10"
 - name: API_ADDRESS
 value: 0.0.0.0:8000
- - name: YANDEX_S3_ENDPOINT_URL
- valueFrom:
- secretKeyRef:
- name: s3-secret
- key: endpoint
- - name: YANDEX_S3_ACCESS_KEY_ID
- valueFrom:
- secretKeyRef:
- name: s3-secret
- key: login
- - name: YANDEX_S3_SECRET_ACCESS_KEY
- valueFrom:
- secretKeyRef:
- name: s3-secret
- key: password
- - name: YANDEX_S3_USE_SSL
- valueFrom:
- secretKeyRef:
- name: s3-secret
- key: use_ssl
- - name: YANDEX_S3_REGION
- valueFrom:
- secretKeyRef:
- name: s3-secret
- key: region
- - name: YANDEX_S3_VERIFY
- valueFrom:
- secretKeyRef:
- name: s3-secret
- key: verify
- - name: BUCKET_NAME
- valueFrom:
- secretKeyRef:
- name: s3-secret
- key: bucket
- - name: DATABASE_SSL_MODE
- value: disable
- - name: DATABASE_HOST
- valueFrom:
- secretKeyRef:
- name: postgresql-secrets
- key: hostname
- - name: DATABASE_PORT
- valueFrom:
- secretKeyRef:
- name: postgresql-secrets
- key: port
- - name: DATABASE_NAME
- valueFrom:
- secretKeyRef:
- name: postgresql-secrets
- key: database
- - name: DATABASE_USER
- valueFrom:
- secretKeyRef:
- name: postgresql-secrets
- key: username
- - name: DATABASE_PASSWORD
- valueFrom:
- secretKeyRef:
- name: postgresql-secrets
- key: password
 imagePullSecrets:
 - name: regcred
-
diff --git a/apps/attachments/base/kustomization.yaml b/apps/attachments/base/kustomization.yaml
index 548fc42..2487bc6 100644
--- a/apps/attachments/base/kustomization.yaml
+++ b/apps/attachments/base/kustomization.yaml
@@ -4,6 +4,6 @@ kind: Kustomization
 namespace: attachments
 resources:
 - namespace.yaml
+ - serviceaccount.yaml
 - deployment.yaml
 - service.yaml
-
diff --git a/apps/attachments/base/serviceaccount.yaml b/apps/attachments/base/serviceaccount.yaml
new file mode 100644
index 0000000..d766ce1
--- /dev/null
+++ b/apps/attachments/base/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: attachments-vault
+ namespace: attachments
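Review bot: The new ServiceAccount `attachments-vault` is the identity the Vault agent presents at `auth/kubernetes`, but the deployment annotation binds to Vault role `attachments`; that role must list `attachments-vault` in namespace `attachments` as a bound service account, which this patch cannot show, so please confirm it before merging. A comment on the manifest naming that dependency would save the next reader a trip to Vault, e.g. `# Identity for the Vault agent injector (Vault role "attachments"); must be a bound SA of that role`. The manifest leaves `automountServiceAccountToken` unset, which is required here because the agent authenticates with the pod's token, but be aware the application container then holds the same token.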
diff --git a/apps/attachments/yc-k8s-test/postgresql.yaml b/apps/attachments/yc-k8s-test/postgresql.yaml
index d4819d0..bfca739 100644
--- a/apps/attachments/yc-k8s-test/postgresql.yaml
+++ b/apps/attachments/yc-k8s-test/postgresql.yaml
@@ -9,7 +9,7 @@ spec:
 chart:
 spec:
 chart: postgresql-contour
- version: "17.0.2"
+ version: "17.0.7"
 sourceRef:
 kind: HelmRepository
 name: yc-oci-charts
@@ -44,7 +44,7 @@ spec:
 image:
 registry: cr.yandex/crp3ccidau046kdj8g9q
 repository: contour/postgresql
- tag: 17.0.2
+ tag: 17.0.7
 pullPolicy: Always
 metrics:
 enabled: false
@@ -61,7 +61,7 @@ spec:
 command:
 - /bin/sh
 - -c
- - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+ - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
 initialDelaySeconds: 30
 periodSeconds: 10
 timeoutSeconds: 5
@@ -72,7 +72,7 @@ spec:
 command:
 - /bin/sh
 - -c
- - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+ - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
 initialDelaySeconds: 5
 periodSeconds: 10
 timeoutSeconds: 5
@@ -83,7 +83,7 @@ spec:
 command:
 - /bin/sh
 - -c
- - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+ - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
 initialDelaySeconds: 30
 periodSeconds: 10
 timeoutSeconds: 5
@@ -98,13 +98,20 @@ spec:
 effect: NoSchedule
 contour:
 enabled: true
- adminUser: ""
- adminPasswordSecretKey: ""
+ adminUser: "postgres"
 sharedPreloadLibraries: "pg_stat_statements"
+ vault:
+ enabled: true
+ role: postgresql
+ authPath: auth/kubernetes
+ secretPath: secrets/data/postgresql/admin
+ secretKey: postgres-password
+ usersSecretPath: secrets/data/postgresql/users
 databases:
 - name: attachments_db
 user: attachments
+ passwordKey: attachments
 extensions: []
 restoreFromDump: false
 s3-proxy:
- endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
\ No newline at end of file
+ endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
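Review bot: The attachments database password is now expected at two different Vault locations that nothing in this patch keeps in sync: the chart reads it from `usersSecretPath: secrets/data/postgresql/users` under key `attachments` (`passwordKey: attachments`), while the application deployment renders `DATABASE_PASSWORD` from `secrets/data/postgresql/apps/attachments` key `password`. If those two secrets are maintained by hand, rotating one silently breaks the application's login, so either point both consumers at a single path or record the coupling next to the `vault:` block, e.g. `# users/attachments must equal apps/attachments "password" consumed by the app Deployment`. The switch to `adminUser: "postgres"` together with `secretPath: secrets/data/postgresql/admin` presumably makes the chart manage the superuser credential itself; that is a larger change than the version bump in the subject suggests and deserves a line in the commit message. The enclosing `spec:` mapping of the last hunk starts outside it.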