diff --git a/apps/message-hub/base/deployment.yaml b/apps/message-hub/base/deployment.yaml
index 67d2806..90bee88 100644
--- a/apps/message-hub/base/deployment.yaml
+++ b/apps/message-hub/base/deployment.yaml
@@ -17,11 +17,56 @@ spec: labels: app: message-hub service: message-hub + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: message-hub + vault.hashicorp.com/agent-inject-secret-message-hub-db: secrets/data/postgresql/apps/message-hub + vault.hashicorp.com/agent-inject-template-message-hub-db: |- + {{- with secret "secrets/data/postgresql/apps/message-hub" -}} + DB_USERNAME={{ index .Data.data "username" }} + DB_PASSWORD={{ index .Data.data "password" }} + DB_DATABASE=pm_db + DB_HOST=postgresql.pm.svc.cluster.local + DB_PORT=5432 + {{- end -}} + vault.hashicorp.com/agent-inject-secret-message-hub-s3: secrets/data/minio/apps/message-hub + vault.hashicorp.com/agent-inject-template-message-hub-s3: |- + {{- with secret "secrets/data/minio/apps/message-hub" -}} + S3_HOST={{ index .Data.data.client "endpoint" }} + S3_LOGIN={{ index .Data.data "access_key" }} + S3_PASSWORD={{ index .Data.data "secret_key" }} + {{- $buckets := index .Data.data "buckets" -}} + S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}rfi{{- end -}} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-message-hub-kafka: secrets/data/kafka/apps/message-hub + vault.hashicorp.com/agent-inject-template-message-hub-kafka: |- + {{- with secret "secrets/data/kafka/apps/message-hub" -}} + KAFKA_USERNAME={{ index .Data.data "username" }} + KAFKA_PASSWORD={{ index .Data.data "password" }} + KAFKA_HOST=kafka-kafka-contour-controller-headless.kafka.svc.cluster.local + KAFKA_PORT=9094 + KAFKA_SECURITY_PROTOCOL={{ index .Data.data.auth "security_protocol" }} + KAFKA_SASL_MECHANISM={{ index .Data.data.auth "sasl_mechanism" }} + {{- end -}} spec: + serviceAccountName: message-hub-vault containers: - name: message-hub image: 
cr.yandex/crp3ccidau046kdj8g9q/message-hub:production_24425472 imagePullPolicy: IfNotPresent + command: ["/bin/bash", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/message-hub-db ] && . /vault/secrets/message-hub-db + [ -f /vault/secrets/message-hub-s3 ] && . /vault/secrets/message-hub-s3 + [ -f /vault/secrets/message-hub-kafka ] && . /vault/secrets/message-hub-kafka + set +a + exec /opt/entrypoint.sh ports: - name: http containerPort: 8000 @@ -34,8 +79,7 @@ spec: - name: SETTINGS_MAX_RETRIES value: "1" - name: SETTINGS_TOPICS - value: '{"planning": "pm", "assets": "assets_broadcast", "project_entity": - "issues_broadcast"}' + value: '{"planning": "pm", "assets": "assets_broadcast", "project_entity": "issues_broadcast"}' - name: SETTINGS_PDF_CONVERTER_HOST value: http://export-project-service.django.svc.cluster.local:8000 - name: SAREX_BASE_HOST 
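Review bot: The rendered files are sourced by bash (`. /vault/secrets/message-hub-db` under `set -a`), but the templates write the Vault values unquoted (`DB_PASSWORD={{ index .Data.data "password" }}`), so a password containing a space, `;`, `$`, backticks or quotes is mis-parsed or executed as shell when the container starts; single-quoting each value in the template (`DB_PASSWORD='{{ index .Data.data "password" }}'`) covers everything except a literal `'`, which still needs escaping. The `[ -f … ] &&` guards also mean a missing rendered file is skipped silently rather than stopping under `-e`, so the app would start with unset credentials; dropping the guard, or appending `|| exit 1`, makes that failure visible. The Kafka template takes KAFKA_SECURITY_PROTOCOL from Vault, while the later hunk of this file removes KAFKA_SSL_CAFILE with no replacement, so if the stored protocol is an SSL variant the client now has to trust the broker certificate from the system store — confirm that is intended. The same template and wrapper pattern is repeated in apps/pm/base/backend-deployment.yaml and apps/pm/base/celery-deployment.yaml.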
@@ -44,73 +88,6 @@ spec: value: redis.pm.svc.cluster.local - name: CACHE_PORT value: "6379" - - name: KAFKA_SECURITY_PROTOCOL - value: SSL - - name: KAFKA_SASL_MECHANISM - value: SCRAM-SHA-512 - - name: KAFKA_SSL_CAFILE - value: /usr/local/share/ca-certificates/kafka.crt - - name: KAFKA_USERNAME - valueFrom: - secretKeyRef: - key: username - name: kafka-secret - - name: KAFKA_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: kafka-secret - - name: KAFKA_PORT - valueFrom: - secretKeyRef: - key: port - name: kafka-secret - - name: KAFKA_HOST - valueFrom: - secretKeyRef: - key: hostname - name: kafka-secret - - name: DB_USERNAME - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: DB_DATABASE - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: DB_PORT - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: S3_LOGIN - valueFrom: - secretKeyRef: - key: username - name: s3-secret - - name: S3_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: s3-secret - - name: S3_BUCKET - valueFrom: - secretKeyRef: - key: bucket - name: s3-secret - - name: S3_HOST - valueFrom: - secretKeyRef: - key: host - name: s3-secret - resources: requests: cpu: "1" diff --git a/apps/message-hub/base/kustomization.yaml b/apps/message-hub/base/kustomization.yaml index 1340b66..8ae7d0c 100644 --- a/apps/message-hub/base/kustomization.yaml +++ b/apps/message-hub/base/kustomization.yaml @@ -4,5 +4,6 @@ kind: Kustomization namespace: message-hub resources: - namespace.yaml + - serviceaccount.yaml - deployment.yaml - service.yaml diff --git a/apps/message-hub/base/serviceaccount.yaml b/apps/message-hub/base/serviceaccount.yaml new file mode 100644 index 0000000..c5f9269 --- /dev/null +++ b/apps/message-hub/base/serviceaccount.yaml 
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: message-hub-vault
+ namespace: message-hub
diff --git a/apps/pm/base/backend-deployment.yaml b/apps/pm/base/backend-deployment.yaml
index 19d1e7a..d60f234 100644
--- a/apps/pm/base/backend-deployment.yaml
+++ b/apps/pm/base/backend-deployment.yaml
@@ -17,11 +17,56 @@ spec: labels: app: backend service: api + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: pm + vault.hashicorp.com/agent-inject-secret-pm-db: secrets/data/postgresql/apps/pm + vault.hashicorp.com/agent-inject-template-pm-db: |- + {{- with secret "secrets/data/postgresql/apps/pm" -}} + DB_USERNAME={{ index .Data.data "username" }} + DB_PASSWORD={{ index .Data.data "password" }} + DB_DATABASE=pm_db + DB_HOST=postgresql.pm.svc.cluster.local + DB_PORT=5432 + {{- end -}} + vault.hashicorp.com/agent-inject-secret-pm-rabbitmq: secrets/data/rabbitmq/apps/pm + vault.hashicorp.com/agent-inject-template-pm-rabbitmq: |- + {{- with secret "secrets/data/rabbitmq/apps/pm" -}} + CELERY_RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local + CELERY_RABBITMQ_PORT=5672 + CELERY_RABBITMQ_USER={{ index .Data.data "username" }} + CELERY_RABBITMQ_PASSWORD={{ index .Data.data "password" }} + CELERY_RABBITMQ_VHOST={{ index .Data.data "vhost" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-pm-s3: secrets/data/minio/apps/pm + vault.hashicorp.com/agent-inject-template-pm-s3: |- + {{- with secret "secrets/data/minio/apps/pm" -}} + S3_HOST={{ index .Data.data.client "endpoint" }} + S3_LOGIN={{ index .Data.data "access_key" }} + S3_PASSWORD={{ index .Data.data "secret_key" }} + {{- $buckets := index .Data.data "buckets" -}} + S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}pm-bucket{{- end -}} + S3_VERIFY=False + {{- end -}} spec: + serviceAccountName: pm-vault containers: - name: api image: cr.yandex/crp3ccidau046kdj8g9q/pm-backend:production_0843a55d imagePullPolicy: IfNotPresent + command: ["/bin/bash", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/pm-db ] && . 
/vault/secrets/pm-db + [ -f /vault/secrets/pm-rabbitmq ] && . /vault/secrets/pm-rabbitmq + [ -f /vault/secrets/pm-s3 ] && . /vault/secrets/pm-s3 + set +a + exec /opt/sarex/entrypoint.sh ports: - name: http containerPort: 8000 @@ -53,67 +98,6 @@ spec: value: C.UTF-8 - name: PYTHONUTF8 value: "1" - - name: DB_USERNAME - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: username - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: password - - name: DB_DATABASE - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: database - - name: DB_HOST - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: hostname - - name: DB_PORT - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: port - - name: S3_HOST - valueFrom: - secretKeyRef: - name: s3-secrets - key: endpoint - - name: S3_LOGIN - valueFrom: - secretKeyRef: - name: s3-secrets - key: login - - name: S3_PASSWORD - valueFrom: - secretKeyRef: - name: s3-secrets - key: password - - name: S3_BUCKET - valueFrom: - secretKeyRef: - name: s3-secrets - key: bucket - -# - name: CACHE_HOST -# valueFrom: -# secretKeyRef: -# name: cache-secret-pm -# key: host -# - name: CACHE_PORT -# valueFrom: -# secretKeyRef: -# name: cache-secret-pm -# key: port -# - name: CACHE_PASSWORD -# valueFrom: -# secretKeyRef: -# name: cache-secret-pm -# key: password - name: CACHE_SSL value: "False" - name: CACHE_SSL_CA_CERTS 
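Review bot: `S3_VERIFY=False` is hard-coded inside the Vault secret template for pm-s3, which presumably disables TLS certificate verification for the S3 client as a side effect of loading credentials; a verification setting belongs in the container `env` where it is visible and reviewable, and if it is only needed for the test cluster it should be an overlay patch rather than part of base. If it has to stay here, add a comment above the annotation stating why, e.g. `# S3_VERIFY=False: <reason> — remove once the endpoint presents a trusted certificate`. The same line appears in the celery-deployment hunk of this commit.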
@@ -121,71 +105,9 @@ spec: - name: CACHE_ENABLE value: "False" - name: CLICKHOUSE_ENABLE - value: 'False' + value: "False" - name: KAFKA_ENABLE - value: 'False' -# - name: KAFKA_BOOTSTRAP_SERVERS -# valueFrom: -# secretKeyRef: -# name: ya-kafka-secret-pm -# key: bootstrap_servers -# - name: KAFKA_SECURITY_PROTOCOL -# valueFrom: -# secretKeyRef: -# name: ya-kafka-secret-pm -# key: security_protocol -# - name: KAFKA_SASL_MECHANISM -# valueFrom: -# secretKeyRef: -# name: ya-kafka-secret-pm -# key: sasl_mechanism -# - name: KAFKA_SASL_PLAIN_USERNAME -# valueFrom: -# secretKeyRef: -# name: ya-kafka-secret-pm -# key: sasl_username -# - name: KAFKA_SASL_PLAIN_PASSWORD -# valueFrom: -# secretKeyRef: -# name: ya-kafka-secret-pm -# key: sasl_password -# - name: KAFKA_SSL_CAFILE -# valueFrom: -# secretKeyRef: -# name: ya-kafka-secret-pm -# key: ssl_cafile -# - name: KAFKA_TOPICS -# valueFrom: -# secretKeyRef: -# name: ya-kafka-secret-pm -# key: topics - - - name: CELERY_RABBITMQ_HOST - valueFrom: - secretKeyRef: - name: rabbitmq-secrets - key: hostname - - name: CELERY_RABBITMQ_PORT - valueFrom: - secretKeyRef: - name: rabbitmq-secrets - key: port - - name: CELERY_RABBITMQ_USER - valueFrom: - secretKeyRef: - name: rabbitmq-secrets - key: username - - name: CELERY_RABBITMQ_PASSWORD - valueFrom: - secretKeyRef: - name: rabbitmq-secrets - key: password - - name: CELERY_RABBITMQ_VHOST - valueFrom: - secretKeyRef: - name: rabbitmq-secrets - key: vhost - + value: "False" - name: AUTH_PUBLIC_TOKEN_URL value: "https://lk.sarex.io/api/token/public/" - name: SERVER_HOST diff --git a/apps/pm/base/celery-deployment.yaml b/apps/pm/base/celery-deployment.yaml index 6226a6d..fe0bfa2 100644 --- a/apps/pm/base/celery-deployment.yaml +++ b/apps/pm/base/celery-deployment.yaml 
@@ -17,25 +17,56 @@ spec: labels: app: celery service: celery + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: pm + vault.hashicorp.com/agent-inject-secret-pm-db: secrets/data/postgresql/apps/pm + vault.hashicorp.com/agent-inject-template-pm-db: |- + {{- with secret "secrets/data/postgresql/apps/pm" -}} + DB_USERNAME={{ index .Data.data "username" }} + DB_PASSWORD={{ index .Data.data "password" }} + DB_DATABASE=pm_db + DB_HOST=postgresql.pm.svc.cluster.local + DB_PORT=5432 + {{- end -}} + vault.hashicorp.com/agent-inject-secret-pm-rabbitmq: secrets/data/rabbitmq/apps/pm + vault.hashicorp.com/agent-inject-template-pm-rabbitmq: |- + {{- with secret "secrets/data/rabbitmq/apps/pm" -}} + CELERY_RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local + CELERY_RABBITMQ_PORT=5672 + CELERY_RABBITMQ_USER={{ index .Data.data "username" }} + CELERY_RABBITMQ_PASSWORD={{ index .Data.data "password" }} + CELERY_RABBITMQ_VHOST={{ index .Data.data "vhost" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-pm-s3: secrets/data/minio/apps/pm + vault.hashicorp.com/agent-inject-template-pm-s3: |- + {{- with secret "secrets/data/minio/apps/pm" -}} + S3_HOST={{ index .Data.data.client "endpoint" }} + S3_LOGIN={{ index .Data.data "access_key" }} + S3_PASSWORD={{ index .Data.data "secret_key" }} + {{- $buckets := index .Data.data "buckets" -}} + S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}pm-bucket{{- end -}} + S3_VERIFY=False + {{- end -}} spec: + serviceAccountName: pm-vault containers: - name: celery image: cr.yandex/crp3ccidau046kdj8g9q/pm-backend:production_0843a55d imagePullPolicy: IfNotPresent - command: - - celery - - "-A" - - config - - worker - - "-B" - - "-l" - - info - - "-E" - - "-Q" - - pm - 
- "-n" - - default_worker.%h - - "--concurrency=2" + command: ["/bin/bash", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/pm-db ] && . /vault/secrets/pm-db + [ -f /vault/secrets/pm-rabbitmq ] && . /vault/secrets/pm-rabbitmq + [ -f /vault/secrets/pm-s3 ] && . /vault/secrets/pm-s3 + set +a + exec celery -A config worker -B -l info -E -Q pm -n default_worker.%h --concurrency=2 ports: - name: http containerPort: 8000 @@ -67,67 +98,6 @@ spec: value: C.UTF-8 - name: PYTHONUTF8 value: "1" - - name: DB_USERNAME - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: username - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: password - - name: DB_DATABASE - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: database - - name: DB_HOST - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: hostname - - name: DB_PORT - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: port - - name: S3_HOST - valueFrom: - secretKeyRef: - name: s3-secrets - key: endpoint - - name: S3_LOGIN - valueFrom: - secretKeyRef: - name: s3-secrets - key: login - - name: S3_PASSWORD - valueFrom: - secretKeyRef: - name: s3-secrets - key: password - - name: S3_BUCKET - valueFrom: - secretKeyRef: - name: s3-secrets - key: bucket - -# - name: CACHE_HOST -# valueFrom: -# secretKeyRef: -# name: cache-secret-pm -# key: host -# - name: CACHE_PORT -# valueFrom: -# secretKeyRef: -# name: cache-secret-pm -# key: port -# - name: CACHE_PASSWORD -# valueFrom: -# secretKeyRef: -# name: cache-secret-pm -# key: password - name: CACHE_SSL value: "False" - name: CACHE_SSL_CA_CERTS 
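Review bot: The Vault annotations and the sourcing wrapper are copied verbatim from backend-deployment.yaml (same role `pm`, same three secret paths and templates), so the two pod templates will drift as soon as one is edited; a Kustomize patch or component holding the shared annotations, applied to both deployments, would keep a single copy. Replacing the exec-form `command` list with `bash -ec` also makes the worker depend on bash being present in the image and on word splitting of the flattened `celery … --concurrency=2` line; that is fine for these fixed arguments, but a comment above `args` would explain the indirection, e.g. `# shell wrapper only to source /vault/secrets/* before exec`.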
@@ -135,71 +105,9 @@ spec: - name: CACHE_ENABLE value: "False" - name: CLICKHOUSE_ENABLE - value: 'False' + value: "False" - name: KAFKA_ENABLE - value: 'False' -# - name: KAFKA_BOOTSTRAP_SERVERS -# valueFrom: -# secretKeyRef: -# name: ya-kafka-secret-pm -# key: bootstrap_servers -# - name: KAFKA_SECURITY_PROTOCOL -# valueFrom: -# secretKeyRef: -# name: ya-kafka-secret-pm -# key: security_protocol -# - name: KAFKA_SASL_MECHANISM -# valueFrom: -# secretKeyRef: -# name: ya-kafka-secret-pm -# key: sasl_mechanism -# - name: KAFKA_SASL_PLAIN_USERNAME -# valueFrom: -# secretKeyRef: -# name: ya-kafka-secret-pm -# key: sasl_username -# - name: KAFKA_SASL_PLAIN_PASSWORD -# valueFrom: -# secretKeyRef: -# name: ya-kafka-secret-pm -# key: sasl_password -# - name: KAFKA_SSL_CAFILE -# valueFrom: -# secretKeyRef: -# name: ya-kafka-secret-pm -# key: ssl_cafile -# - name: KAFKA_TOPICS -# valueFrom: -# secretKeyRef: -# name: ya-kafka-secret-pm -# key: topics - - - name: CELERY_RABBITMQ_HOST - valueFrom: - secretKeyRef: - name: rabbitmq-secrets - key: hostname - - name: CELERY_RABBITMQ_PORT - valueFrom: - secretKeyRef: - name: rabbitmq-secrets - key: port - - name: CELERY_RABBITMQ_USER - valueFrom: - secretKeyRef: - name: rabbitmq-secrets - key: username - - name: CELERY_RABBITMQ_PASSWORD - valueFrom: - secretKeyRef: - name: rabbitmq-secrets - key: password - - name: CELERY_RABBITMQ_VHOST - valueFrom: - secretKeyRef: - name: rabbitmq-secrets - key: vhost - + value: "False" - name: AUTH_PUBLIC_TOKEN_URL value: "https://lk.sarex.io/api/token/public/" - name: SERVER_HOST diff --git a/apps/pm/base/kustomization.yaml b/apps/pm/base/kustomization.yaml index 9a1ef5b..d742c1d 100644 --- a/apps/pm/base/kustomization.yaml +++ b/apps/pm/base/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: pm resources: - namespace.yaml + - serviceaccount.yaml - backend-deployment.yaml - backend-service.yaml - celery-deployment.yaml 
diff --git a/apps/pm/base/serviceaccount.yaml b/apps/pm/base/serviceaccount.yaml new file mode 100644 index 0000000..e6e28dc --- /dev/null +++ b/apps/pm/base/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pm-vault + namespace: pm diff --git a/apps/pm/yc-k8s-test/postgresql.yaml b/apps/pm/yc-k8s-test/postgresql.yaml index c7ec8be..cd20a78 100644 --- a/apps/pm/yc-k8s-test/postgresql.yaml +++ b/apps/pm/yc-k8s-test/postgresql.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: postgresql-contour - version: "17.0.2" + version: "17.0.7" sourceRef: kind: HelmRepository name: yc-oci-charts @@ -44,7 +44,7 @@ spec: image: registry: cr.yandex/crp3ccidau046kdj8g9q repository: contour/postgresql - tag: 17.0.2 + tag: 17.0.7 pullPolicy: Always metrics: enabled: false @@ -61,7 +61,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 @@ -72,7 +72,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 @@ -83,7 +83,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 
@@ -101,12 +101,19 @@ spec: effect: NoSchedule contour: enabled: true - adminUser: "" - adminPasswordSecretKey: "" + adminUser: "postgres" sharedPreloadLibraries: "pg_stat_statements,ltree" + vault: + enabled: true + role: postgresql + authPath: auth/kubernetes + secretPath: secrets/data/postgresql/admin + secretKey: postgres-password + usersSecretPath: secrets/data/postgresql/users databases: - name: pm_db user: pm + passwordKey: pm extensions: [] restoreFromDump: false s3-proxy:
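Review bot: The pm user's password is now read by the chart from `secrets/data/postgresql/users` (key `pm`), while the application pods in this commit read it from `secrets/data/postgresql/apps/pm`; unless those are the same Vault entry, nothing keeps the two in sync and rotating one breaks authentication for the other with no signal in this repo. A comment on `passwordKey: pm` naming the path the application side reads, e.g. `# must match the password stored at secrets/data/postgresql/apps/pm`, would at least make the coupling visible; a single path consumed by both would remove it. The message-hub deployment in this commit also connects to `pm_db` with credentials from `secrets/data/postgresql/apps/message-hub`, yet `databases` only declares user `pm`, so either that secret holds the `pm` credentials or the message-hub role is created outside this chart — worth confirming.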