From 26550c547bdf8643dbdf527816f0ba09650d3d7c Mon Sep 17 00:00:00 2001
From: Kochetkov S
Date: Wed, 22 Apr 2026 17:28:37 +0300
Subject: [PATCH] issues + flows vault

---
 apps/flows/base/backend-deployment.yaml | 144 +++++++------------
 apps/flows/base/celery-deployment.yaml | 150 +++++++-------------
 apps/flows/base/kustomization.yaml | 1 +
 apps/flows/base/serviceaccount.yaml | 5 +
 apps/flows/yc-k8s-test/postgresql.yaml | 26 ++--
 apps/issues/base/backend-deployment.yaml | 154 +++++++++------------
 apps/issues/base/celery-deployment.yaml | 154 +++++++++------------
 apps/issues/base/kustomization.yaml | 1 +
 apps/issues/base/production-configmap.yaml | 2 +-
 apps/issues/base/serviceaccount.yaml | 5 +
 apps/issues/yc-k8s-test/postgresql.yaml | 34 +++--
 11 files changed, 283 insertions(+), 393 deletions(-)
 create mode 100644 apps/flows/base/serviceaccount.yaml
 create mode 100644 apps/issues/base/serviceaccount.yaml

diff --git a/apps/flows/base/backend-deployment.yaml b/apps/flows/base/backend-deployment.yaml
index 36bea7d..cac8801 100644
--- a/apps/flows/base/backend-deployment.yaml
+++ b/apps/flows/base/backend-deployment.yaml
@@ -17,26 +17,68 @@ spec: labels: app: backend service: backend + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: flows + vault.hashicorp.com/agent-inject-secret-flows-postgresql: secrets/data/postgresql/apps/flows + vault.hashicorp.com/agent-inject-template-flows-postgresql: |- + {{- with secret "secrets/data/postgresql/apps/flows" -}} + PG_DB=flows_db + PG_LOGIN={{ index .Data.data "username" }} + PG_HOST=postgresql.flows.svc.cluster.local + PG_PORT=5432 + PG_PASSWORD={{ index .Data.data "password" }} + DOCUMENTATION_PG_HOST=postgresql.flows.svc.cluster.local + DOCUMENTATION_PG_PORT=5432 + DOCUMENTATION_PG_DATABASE=flows_db + DOCUMENTATION_PG_USERNAME={{ index .Data.data "username" }} + DOCUMENTATION_PG_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-flows-rabbitmq: secrets/data/rabbitmq/apps/flows + vault.hashicorp.com/agent-inject-template-flows-rabbitmq: |- + {{- with secret "secrets/data/rabbitmq/apps/flows" -}} + RABBITMQ_USERNAME={{ index .Data.data "username" }} + RABBITMQ_PASSWORD={{ index .Data.data "password" }} + RABBITMQ_VHOST={{ index .Data.data "vhost" }} + RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local + RABBITMQ_PORT=5672 + ADMIN_PANEL_SECRET_KEY=rabbitmq.rabbitmq:5672 + {{- end -}} + vault.hashicorp.com/agent-inject-secret-flows-django-auth: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-flows-django-auth: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + DJANGO_TOKEN={{ index .Data.data "key" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-flows-jwt-public: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-flows-jwt-public: |- + {{- with secret 
"secrets/data/vault/common/rsa_keys" -}} + {{ index .Data.data "public_key" }} + {{- end -}} spec: + serviceAccountName: flows-vault containers: - name: backend image: cr.yandex/crp3ccidau046kdj8g9q/flows-backend:production_2a439111 imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/flows-postgresql ] && . /vault/secrets/flows-postgresql + [ -f /vault/secrets/flows-rabbitmq ] && . /vault/secrets/flows-rabbitmq + [ -f /vault/secrets/flows-django-auth ] && . /vault/secrets/flows-django-auth + [ -f /vault/secrets/flows-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/flows-jwt-public)" + set +a + exec /opt/entrypoint.sh ports: - name: http containerPort: 8000 protocol: TCP env: - - name: ADMIN_PANEL_SECRET_KEY - valueFrom: - secretKeyRef: - key: key - name: admin-secret - - name: JWT_PUBLIC_KEY - valueFrom: - secretKeyRef: - key: public_key - name: jwt-secret - name: LOG_LEVEL value: DEBUG - name: BASE_HOST @@ -73,32 +115,6 @@ spec: value: https://srx.wb.ru/flows/api/v1 - name: SMTP_HOST value: mail.rwb.ru - - - name: DOCUMENTATION_PG_HOST - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret-documentations - - name: DOCUMENTATION_PG_PORT - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret-documentations - - name: DOCUMENTATION_PG_DATABASE - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret-documentations - - name: DOCUMENTATION_PG_USERNAME - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret-documentations - - name: DOCUMENTATION_PG_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret-documentations - name: CHECKLIST_HOST value: http://checklists-backend-service.checklists.svc.cluster.local:80 - name: SMTP_PORT 
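Review bot: `ADMIN_PANEL_SECRET_KEY=rabbitmq.rabbitmq:5672` in the flows-rabbitmq template replaces the value that was previously read from the `admin-secret` Secret with a fixed, guessable host:port string, so whatever the admin panel signs or protects with this key is now protected by a public constant. It should be sourced from Vault like the neighbouring values, e.g. `ADMIN_PANEL_SECRET_KEY={{ index .Data.data "admin_panel_secret_key" }}` under a KV key written for it, and the `rabbitmq.rabbitmq:5672` literal dropped. Separately, the rendered files are executed by `. /vault/secrets/...` in the container command, so a password containing whitespace, `$`, backticks or `;` is word-split or executed by the shell rather than assigned; single-quoting the templated values (`PG_PASSWORD='{{ index .Data.data "password" }}'`) covers everything except a literal `'`, which should then be excluded when the password is generated. The Deployment spec this hunk patches starts before and continues after the hunk.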
@@ -113,62 +129,6 @@ spec: value: "60" - name: DOCUMENTATION_TIMEOUT value: "60" - - name: DJANGO_TOKEN - valueFrom: - secretKeyRef: - key: token - name: django-secret - - name: PG_DB - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: PG_LOGIN - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: PG_HOST - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: PG_PORT - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: PG_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: RABBITMQ_USERNAME - valueFrom: - secretKeyRef: - key: username - name: rabbitmq-secret - - name: RABBITMQ_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: rabbitmq-secret - - name: RABBITMQ_VHOST - valueFrom: - secretKeyRef: - key: vhost - name: rabbitmq-secret - - name: RABBITMQ_HOST - valueFrom: - secretKeyRef: - key: hostname - name: rabbitmq-secret - - name: RABBITMQ_PORT - valueFrom: - secretKeyRef: - key: port - name: rabbitmq-secret - resources: requests: cpu: "1" diff --git a/apps/flows/base/celery-deployment.yaml b/apps/flows/base/celery-deployment.yaml index 7eba7cb..2aa719e 100644 --- a/apps/flows/base/celery-deployment.yaml +++ b/apps/flows/base/celery-deployment.yaml 
@@ -17,36 +17,68 @@ spec: labels: app: celery service: celery + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: flows + vault.hashicorp.com/agent-inject-secret-flows-postgresql: secrets/data/postgresql/apps/flows + vault.hashicorp.com/agent-inject-template-flows-postgresql: |- + {{- with secret "secrets/data/postgresql/apps/flows" -}} + PG_DB=flows_db + PG_LOGIN={{ index .Data.data "username" }} + PG_HOST=postgresql.flows.svc.cluster.local + PG_PORT=5432 + PG_PASSWORD={{ index .Data.data "password" }} + DOCUMENTATION_PG_HOST=postgresql.flows.svc.cluster.local + DOCUMENTATION_PG_PORT=5432 + DOCUMENTATION_PG_DATABASE=flows_db + DOCUMENTATION_PG_USERNAME={{ index .Data.data "username" }} + DOCUMENTATION_PG_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-flows-rabbitmq: secrets/data/rabbitmq/apps/flows + vault.hashicorp.com/agent-inject-template-flows-rabbitmq: |- + {{- with secret "secrets/data/rabbitmq/apps/flows" -}} + RABBITMQ_USERNAME={{ index .Data.data "username" }} + RABBITMQ_PASSWORD={{ index .Data.data "password" }} + RABBITMQ_VHOST={{ index .Data.data "vhost" }} + RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local + RABBITMQ_PORT=5672 + ADMIN_PANEL_SECRET_KEY=rabbitmq.rabbitmq:5672 + {{- end -}} + vault.hashicorp.com/agent-inject-secret-flows-django-auth: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-flows-django-auth: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + DJANGO_TOKEN={{ index .Data.data "key" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-flows-jwt-public: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-flows-jwt-public: |- + {{- with secret 
"secrets/data/vault/common/rsa_keys" -}} + {{ index .Data.data "public_key" }} + {{- end -}} spec: + serviceAccountName: flows-vault containers: - name: celery image: cr.yandex/crp3ccidau046kdj8g9q/flows-backend_worker:production_2a439111 imagePullPolicy: IfNotPresent - command: - - uv + command: ["/bin/sh", "-ec"] args: - - run - - celery - - -A - - config - - worker - - -l - - info + - | + set -a + [ -f /vault/secrets/flows-postgresql ] && . /vault/secrets/flows-postgresql + [ -f /vault/secrets/flows-rabbitmq ] && . /vault/secrets/flows-rabbitmq + [ -f /vault/secrets/flows-django-auth ] && . /vault/secrets/flows-django-auth + [ -f /vault/secrets/flows-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/flows-jwt-public)" + set +a + exec uv run celery -A config worker -l info ports: - name: http containerPort: 8000 protocol: TCP env: - - name: ADMIN_PANEL_SECRET_KEY - valueFrom: - secretKeyRef: - key: key - name: admin-secret - - name: JWT_PUBLIC_KEY - valueFrom: - secretKeyRef: - key: public_key - name: jwt-secret - name: LOG_LEVEL value: DEBUG - name: BASE_HOST @@ -83,31 +115,6 @@ spec: value: https://srx.wb.ru/flows/api/v1 - name: SMTP_HOST value: mail.rwb.ru - - name: DOCUMENTATION_PG_HOST - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret-documentations - - name: DOCUMENTATION_PG_PORT - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret-documentations - - name: DOCUMENTATION_PG_DATABASE - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret-documentations - - name: DOCUMENTATION_PG_USERNAME - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret-documentations - - name: DOCUMENTATION_PG_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret-documentations - name: CHECKLIST_HOST value: http://checklists-backend-service.checklists.svc.cluster.local:80 - name: SMTP_PORT 
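Review bot: The worker carries the same hard-coded `ADMIN_PANEL_SECRET_KEY=rabbitmq.rabbitmq:5672` and an annotation block that is a byte-for-byte copy of backend-deployment.yaml's, so the two will drift the next time a KV key is renamed; a single Kustomize patch applied to both Deployments keeps the Vault templates in one place. `vault.hashicorp.com/agent-pre-populate-only: "true"` renders the files once in the init container and leaves no sidecar to re-render, so a password rotated in Vault only takes effect on pod restart — worth recording next to the annotation, `# pre-populate-only: secrets are fetched once at start; rotate by restarting the pod`. `traffic.sidecar.istio.io/excludeOutboundPorts: "8200"` takes the agent's Vault traffic out of the mesh, so the service-account token and the secrets travel with whatever TLS the injector's Vault address configures; nothing in this manifest sets a CA or `tls-skip-verify`, so verify the address is https. The Deployment spec continues outside this hunk.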
@@ -122,61 +129,6 @@ spec: value: "60" - name: DOCUMENTATION_TIMEOUT value: "60" - - name: DJANGO_TOKEN - valueFrom: - secretKeyRef: - key: token - name: django-secret - - name: PG_DB - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: PG_LOGIN - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: PG_HOST - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: PG_PORT - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: PG_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: RABBITMQ_USERNAME - valueFrom: - secretKeyRef: - key: username - name: rabbitmq-secret - - name: RABBITMQ_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: rabbitmq-secret - - name: RABBITMQ_VHOST - valueFrom: - secretKeyRef: - key: vhost - name: rabbitmq-secret - - name: RABBITMQ_HOST - valueFrom: - secretKeyRef: - key: hostname - name: rabbitmq-secret - - name: RABBITMQ_PORT - valueFrom: - secretKeyRef: - key: port - name: rabbitmq-secret resources: requests: cpu: "1" diff --git a/apps/flows/base/kustomization.yaml b/apps/flows/base/kustomization.yaml index e197b54..2f070b6 100644 --- a/apps/flows/base/kustomization.yaml +++ b/apps/flows/base/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: flows resources: - namespace.yaml + - serviceaccount.yaml - backend-deployment.yaml - celery-deployment.yaml - frontend-deployment.yaml diff --git a/apps/flows/base/serviceaccount.yaml b/apps/flows/base/serviceaccount.yaml new file mode 100644 index 0000000..90ea5b2 --- /dev/null +++ b/apps/flows/base/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: flows-vault + namespace: flows diff --git a/apps/flows/yc-k8s-test/postgresql.yaml b/apps/flows/yc-k8s-test/postgresql.yaml index b47f5c9..8be70b2 100644 --- a/apps/flows/yc-k8s-test/postgresql.yaml +++ b/apps/flows/yc-k8s-test/postgresql.yaml 
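Review bot: `flows-vault` is created with nothing that ties it to the Vault side; the only thing that stops another pod from assuming role `flows` is the role's bound service account name and namespace, which this repo does not record. Add a comment so the expectation survives the next Vault change, `# Vault role "flows" must bind bound_service_account_names=flows-vault, bound_service_account_namespaces=flows`. Token automount has to stay on for this SA (the agent init container presents the projected token), so keep it free of any RoleBinding beyond what the agent needs.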
@@ -9,7 +9,7 @@ spec: chart: spec: chart: postgresql-contour - version: "17.0.2" + version: "17.0.7" sourceRef: kind: HelmRepository name: yc-oci-charts @@ -44,7 +44,7 @@ spec: image: registry: cr.yandex/crp3ccidau046kdj8g9q repository: contour/postgresql - tag: 17.0.2 + tag: 17.0.7 pullPolicy: Always metrics: enabled: false @@ -61,7 +61,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 @@ -72,7 +72,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 @@ -83,12 +83,15 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 6 + resources: + requests: + memory: 512Mi nodeSelector: dedicated: db tolerations: @@ -98,12 +101,19 @@ spec: effect: NoSchedule contour: enabled: true - adminUser: "" - adminPasswordSecretKey: "" - sharedPreloadLibraries: "pg_stat_statements" + adminUser: "postgres" + sharedPreloadLibraries: "pg_stat_statements,uuid-ossp,ltree,postgis" + vault: + enabled: true + role: postgresql + authPath: auth/kubernetes + secretPath: secrets/data/postgresql/admin + secretKey: postgres-password + usersSecretPath: secrets/data/postgresql/users databases: - name: flows_db user: flows + passwordKey: flow extensions: [] restoreFromDump: false s3-proxy: diff --git a/apps/issues/base/backend-deployment.yaml b/apps/issues/base/backend-deployment.yaml index f1b1bf0..5a03d73 100644 --- a/apps/issues/base/backend-deployment.yaml +++ b/apps/issues/base/backend-deployment.yaml 
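Review bot: `passwordKey: flow` under the `flows` database user does not match the user name, whereas the parallel change in apps/issues uses `passwordKey: issues` for user `issues`; if the chart looks the key up in `usersSecretPath` this is either a typo or an undocumented naming rule, so change it to `passwordKey: flows` or add `# key name in usersSecretPath, intentionally "flow"`. Both the flows and issues releases read the same `secrets/data/postgresql/admin` and `secrets/data/postgresql/users` paths under the one Vault role `postgresql`, so a compromised DB pod in either namespace can read every application's DB password; per-app paths (for example `secrets/data/postgresql/apps/flows/admin`) and one role per namespace would contain that. `sharedPreloadLibraries: "pg_stat_statements,uuid-ossp,ltree,postgis"` also names the PostGIS module as `postgis`, while PostGIS 3 ships it as `postgis-3`; if the chart passes the string through unchanged the server will refuse to start, so check this against a running pod.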
@@ -17,7 +17,57 @@ spec: labels: app: backend service: backend + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: issues + vault.hashicorp.com/agent-inject-secret-issues-db: secrets/data/postgresql/apps/issues + vault.hashicorp.com/agent-inject-template-issues-db: |- + {{- with secret "secrets/data/postgresql/apps/issues" -}} + DATABASE_PORT=5432 + DATABASE_HOST=postgresql.issues.svc.cluster.local + DATABASE_USER={{ index .Data.data "username" }} + DATABASE_PASSWORD={{ index .Data.data "password" }} + DATABASE_NAME=issues_db + {{- end -}} + vault.hashicorp.com/agent-inject-secret-issues-rabbitmq: secrets/data/rabbitmq/apps/issues + vault.hashicorp.com/agent-inject-template-issues-rabbitmq: |- + {{- with secret "secrets/data/rabbitmq/apps/issues" -}} + RABBITMQ_VHOST={{ index .Data.data "vhost" }} + RABBITMQ_USERNAME={{ index .Data.data "username" }} + RABBITMQ_HOSTNAME=rabbitmq.rabbitmq.svc.cluster.local + RABBITMQ_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-issues-s3: secrets/data/minio/admin + vault.hashicorp.com/agent-inject-template-issues-s3: |- + {{- with secret "secrets/data/minio/admin" -}} + YC_S3_ACCESS_KEY_ID={{ index .Data.data "rootUser" }} + YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "rootPassword" }} + YC_S3_BUCKET_NAME=rfi + YC_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech + {{- end -}} + vault.hashicorp.com/agent-inject-secret-issues-django-auth: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-issues-django-auth: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + DJANGO_TOKEN={{ index .Data.data "key" }} + SAREX_USERNAME={{ index .Data.data "username" }} + SAREX_PASSWORD={{ index .Data.data 
"password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-issues-jwt-private: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-issues-jwt-private: |- + {{- with secret "secrets/data/vault/common/rsa_keys" -}} + {{ index .Data.data "private_key" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-issues-jwt-public: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-issues-jwt-public: |- + {{- with secret "secrets/data/vault/common/rsa_keys" -}} + {{ index .Data.data "public_key" }} + {{- end -}} spec: + serviceAccountName: issues-vault volumes: - name: production-configmap configMap: @@ -30,6 +80,18 @@ spec: - name: backend image: cr.yandex/crp3ccidau046kdj8g9q/issues:production_17c438aa imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/issues-db ] && . /vault/secrets/issues-db + [ -f /vault/secrets/issues-rabbitmq ] && . /vault/secrets/issues-rabbitmq + [ -f /vault/secrets/issues-s3 ] && . /vault/secrets/issues-s3 + [ -f /vault/secrets/issues-django-auth ] && . /vault/secrets/issues-django-auth + [ -f /vault/secrets/issues-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/issues-jwt-private)" + [ -f /vault/secrets/issues-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/issues-jwt-public)" + set +a + exec /src/entrypoint.sh ports: - name: http containerPort: 8000 
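Review bot: The `issues-s3` template hands the application MinIO's `rootUser`/`rootPassword` from `secrets/data/minio/admin`, so the issues backend (and anything that can read its environment) holds full administrative control of the object store instead of credentials scoped to bucket `rfi`; a MinIO user with a bucket policy, stored at an app path such as `secrets/data/minio/apps/issues`, is the least-privilege equivalent of the `s3-secret` it replaces. The JWT private key is read from `secrets/data/vault/common/rsa_keys`, the same path from which apps/flows reads only `public_key`; KV policies are per path, so the `flows` role is necessarily granted the signing key too — put the public key in its own entry so `flows` can be denied `rsa_keys`. The old `DJANGO_BASIC_AUTH` env var is removed further down without a counterpart in any template (only `DJANGO_TOKEN` is set), so confirm the settings no longer read it. The Deployment spec continues outside this hunk.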
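Review bot: `[ -f /vault/secrets/issues-db ] && . /vault/secrets/issues-db` and its siblings skip silently when the agent has not rendered a file, and `set -e` does not catch that because the failing test is on the left of `&&`, so the app starts with unset credentials instead of failing; with `agent-init-first` a missing file is an error, so source unguarded (`. /vault/secrets/issues-db`) and let `-e` abort the start. `export JWT_PRIVATE_KEY="$(cat /vault/secrets/issues-jwt-private)"` also copies the signing key into the process environment, where every child process and anything with the same UID (via `/proc/<pid>/environ`) can read it; since the key is already a file under `/vault/secrets`, exporting the path (`JWT_PRIVATE_KEY_FILE=/vault/secrets/issues-jwt-private`) and reading it in settings is safer if the application can be changed. The sourced files are executed as shell, so a value containing `$`, backticks, `;` or whitespace is expanded or split rather than assigned — quote the templated values in the annotations.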
@@ -61,98 +123,6 @@ spec: value: config.settings.production - name: API_ADDRESS value: "8000" - - name: YC_S3_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: username - name: s3-secret - - name: YC_S3_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: password - name: s3-secret - - name: YC_S3_BUCKET_NAME - valueFrom: - secretKeyRef: - key: bucket - name: s3-secret - - name: YC_S3_ENDPOINT_URL - valueFrom: - secretKeyRef: - key: host - name: s3-secret - - name: DJANGO_BASIC_AUTH - valueFrom: - secretKeyRef: - key: key - name: django-auth - - name: SAREX_USERNAME - valueFrom: - secretKeyRef: - key: username - name: sarex-auth - - name: SAREX_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: sarex-auth - - name: DATABASE_PORT - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: DATABASE_HOST - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: DATABASE_USER - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: DATABASE_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: DATABASE_NAME - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: RABBITMQ_VHOST - valueFrom: - secretKeyRef: - key: vhost - name: rabbitmq-secret - - name: RABBITMQ_USERNAME - valueFrom: - secretKeyRef: - key: username - name: rabbitmq-secret - - name: RABBITMQ_HOSTNAME - valueFrom: - secretKeyRef: - key: host - name: rabbitmq-secret - - name: RABBITMQ_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: rabbitmq-secret - - name: JWT_PRIVATE_KEY - valueFrom: - secretKeyRef: - key: ssh_private.key - name: backend-secret - - name: JWT_PUBLIC_KEY - valueFrom: - secretKeyRef: - key: ssh_public.key - name: backend-secret - - resources: requests: cpu: "1" diff --git a/apps/issues/base/celery-deployment.yaml b/apps/issues/base/celery-deployment.yaml index b2b7bfb..188e09b 100644 --- a/apps/issues/base/celery-deployment.yaml 
+++ b/apps/issues/base/celery-deployment.yaml 
@@ -17,7 +17,57 @@ spec: labels: app: celery service: celery + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: issues + vault.hashicorp.com/agent-inject-secret-issues-db: secrets/data/postgresql/apps/issues + vault.hashicorp.com/agent-inject-template-issues-db: |- + {{- with secret "secrets/data/postgresql/apps/issues" -}} + DATABASE_PORT=5432 + DATABASE_HOST=postgresql.issues.svc.cluster.local + DATABASE_USER={{ index .Data.data "username" }} + DATABASE_PASSWORD={{ index .Data.data "password" }} + DATABASE_NAME=issues_db + {{- end -}} + vault.hashicorp.com/agent-inject-secret-issues-rabbitmq: secrets/data/rabbitmq/apps/issues + vault.hashicorp.com/agent-inject-template-issues-rabbitmq: |- + {{- with secret "secrets/data/rabbitmq/apps/issues" -}} + RABBITMQ_VHOST={{ index .Data.data "vhost" }} + RABBITMQ_USERNAME={{ index .Data.data "username" }} + RABBITMQ_HOSTNAME=rabbitmq.rabbitmq.svc.cluster.local + RABBITMQ_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-issues-s3: secrets/data/minio/admin + vault.hashicorp.com/agent-inject-template-issues-s3: |- + {{- with secret "secrets/data/minio/admin" -}} + YC_S3_ACCESS_KEY_ID={{ index .Data.data "rootUser" }} + YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "rootPassword" }} + YC_S3_BUCKET_NAME=rfi + YC_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech + {{- end -}} + vault.hashicorp.com/agent-inject-secret-issues-django-auth: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-issues-django-auth: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + DJANGO_TOKEN={{ index .Data.data "key" }} + SAREX_USERNAME={{ index .Data.data "username" }} + SAREX_PASSWORD={{ index .Data.data "password" 
}} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-issues-jwt-private: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-issues-jwt-private: |- + {{- with secret "secrets/data/vault/common/rsa_keys" -}} + {{ index .Data.data "private_key" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-issues-jwt-public: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-issues-jwt-public: |- + {{- with secret "secrets/data/vault/common/rsa_keys" -}} + {{ index .Data.data "public_key" }} + {{- end -}} spec: + serviceAccountName: issues-vault volumes: - name: production-configmap configMap: @@ -30,8 +80,18 @@ spec: - name: celery image: cr.yandex/crp3ccidau046kdj8g9q/issues:production_17c438aa imagePullPolicy: IfNotPresent - command: ["celery", "-A", "config", "worker", "-l", "info", "-E"] - + command: ["/bin/sh", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/issues-db ] && . /vault/secrets/issues-db + [ -f /vault/secrets/issues-rabbitmq ] && . /vault/secrets/issues-rabbitmq + [ -f /vault/secrets/issues-s3 ] && . /vault/secrets/issues-s3 + [ -f /vault/secrets/issues-django-auth ] && . /vault/secrets/issues-django-auth + [ -f /vault/secrets/issues-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/issues-jwt-private)" + [ -f /vault/secrets/issues-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/issues-jwt-public)" + set +a + exec celery -A config worker -l info -E ports: - name: http containerPort: 8000 
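Review bot: The worker sources the same six files as the backend, including the MinIO root credentials and the JWT signing key, so a worker compromised through a task ends with object-store admin and token-forging capability; unless a task actually signs tokens or administers buckets, drop `issues-jwt-private` here and scope `issues-s3` to a bucket user. The annotation block is an exact copy of backend-deployment.yaml's, so keep it in one Kustomize patch applied to both Deployments. The guarded `[ -f … ] && . …` lines skip silently when a file is missing and `set -e` does not see it, so sourcing unguarded (`. /vault/secrets/issues-db`) turns a missing secret into a startup failure rather than a worker running without credentials. The Deployment spec continues outside this hunk.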
@@ -63,96 +123,6 @@ spec: value: config.settings.production - name: API_ADDRESS value: "8000" - - name: YC_S3_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: username - name: s3-secret - - name: YC_S3_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: password - name: s3-secret - - name: YC_S3_BUCKET_NAME - valueFrom: - secretKeyRef: - key: bucket - name: s3-secret - - name: YC_S3_ENDPOINT_URL - valueFrom: - secretKeyRef: - key: host - name: s3-secret - - name: DJANGO_BASIC_AUTH - valueFrom: - secretKeyRef: - key: key - name: django-auth - - name: SAREX_USERNAME - valueFrom: - secretKeyRef: - key: username - name: sarex-auth - - name: SAREX_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: sarex-auth - - name: DATABASE_PORT - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: DATABASE_HOST - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: DATABASE_USER - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: DATABASE_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: DATABASE_NAME - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: RABBITMQ_VHOST - valueFrom: - secretKeyRef: - key: vhost - name: rabbitmq-secret - - name: RABBITMQ_USERNAME - valueFrom: - secretKeyRef: - key: username - name: rabbitmq-secret - - name: RABBITMQ_HOSTNAME - valueFrom: - secretKeyRef: - key: host - name: rabbitmq-secret - - name: RABBITMQ_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: rabbitmq-secret - - name: JWT_PRIVATE_KEY - valueFrom: - secretKeyRef: - key: ssh_private.key - name: backend-secret - - name: JWT_PUBLIC_KEY - valueFrom: - secretKeyRef: - key: ssh_public.key - name: backend-secret resources: requests: cpu: "1" diff --git a/apps/issues/base/kustomization.yaml b/apps/issues/base/kustomization.yaml index 3ece763..2b1272a 100644 --- a/apps/issues/base/kustomization.yaml 
+++ b/apps/issues/base/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: issues resources: - namespace.yaml + - serviceaccount.yaml - backend-deployment.yaml - celery-deployment.yaml - frontend-deployment.yaml diff --git a/apps/issues/base/production-configmap.yaml b/apps/issues/base/production-configmap.yaml index c9ddd72..ff13300 100644 --- a/apps/issues/base/production-configmap.yaml +++ b/apps/issues/base/production-configmap.yaml @@ -21,7 +21,7 @@ data: SECRET_KEY = "FromToMuchLoveOfLiving" # Delete after Test # ----------------------------------------------------------------------------- - DJANGO_TOKEN="aGFnZW4wMTM6emVhbG90MDk2" + DJANGO_TOKEN = os.getenv("DJANGO_TOKEN", "aGFnZW4wMTM6emVhbG90MDk2") # ALLOWED HOSTS START # ----------------------------------------------------------------------------- diff --git a/apps/issues/base/serviceaccount.yaml b/apps/issues/base/serviceaccount.yaml new file mode 100644 index 0000000..30a477e --- /dev/null +++ b/apps/issues/base/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: issues-vault + namespace: issues diff --git a/apps/issues/yc-k8s-test/postgresql.yaml b/apps/issues/yc-k8s-test/postgresql.yaml index 2a7a590..108809f 100644 --- a/apps/issues/yc-k8s-test/postgresql.yaml +++ b/apps/issues/yc-k8s-test/postgresql.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: postgresql-contour - version: "17.0.2" + version: "17.0.7" sourceRef: kind: HelmRepository name: yc-oci-charts @@ -44,7 +44,7 @@ spec: image: registry: cr.yandex/crp3ccidau046kdj8g9q repository: contour/postgresql - tag: 17.0.2 + tag: 17.0.7 pullPolicy: Always metrics: enabled: false @@ -61,7 +61,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 
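Review bot: `os.getenv("DJANGO_TOKEN", "aGFnZW4wMTM6emVhbG90MDk2")` keeps the base64 credential committed in the ConfigMap as a live fallback, so a pod whose Vault file was not rendered silently runs with the checked-in token, and the value stays in git history regardless; read it with no default, `DJANGO_TOKEN = os.environ["DJANGO_TOKEN"]`, so a missing injection fails at import, and rotate the old token since it has been committed. `SECRET_KEY = "FromToMuchLoveOfLiving"` two lines above is still a literal in the same file and the `# Delete after Test` comment suggests both were meant to go; it can be moved into the same `django_auth` template. The settings module continues outside this hunk.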
@@ -72,7 +72,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 @@ -83,12 +83,15 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 6 + resources: + requests: + memory: 512Mi nodeSelector: dedicated: db tolerations: @@ -98,13 +101,26 @@ spec: effect: NoSchedule contour: enabled: true - adminUser: "" - adminPasswordSecretKey: "" - sharedPreloadLibraries: "pg_stat_statements" + adminUser: "postgres" + sharedPreloadLibraries: "pg_stat_statements,uuid-ossp,ltree,postgis" + vault: + enabled: true + role: postgresql + authPath: auth/kubernetes + secretPath: secrets/data/postgresql/admin + secretKey: postgres-password + usersSecretPath: secrets/data/postgresql/users databases: - name: issues_db user: issues - extensions: [] + passwordKey: issues + extensions: + - ltree + - pg_stat_statements + - pg_trgm + - postgis + - timescaledb + - uuid-ossp restoreFromDump: false s3-proxy: endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
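Review bot: `extensions` now lists `timescaledb`, but `sharedPreloadLibraries` was extended only with `uuid-ossp,ltree,postgis`; TimescaleDB has to be in `shared_preload_libraries` for `CREATE EXTENSION timescaledb` to succeed, so unless the chart adds it the extension step will fail at first start — add it to the string or drop it from the list. This release also shares `secrets/data/postgresql/admin`, `secrets/data/postgresql/users` and the `postgresql` Vault role with apps/flows, so each namespace's DB pod can read the other's application password; per-namespace paths and roles would contain a compromise. The probes now run `pg_isready -U "postgres"` to match `adminUser: "postgres"`, which is consistent, but a one-line comment on `adminUser` noting that the probes depend on it would stop the two drifting again.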