issues + flows vault

2026-04-22 17:28:37 +03:00 · 2026-04-22 17:28:37 +03:00 · 26550c547b
commit 26550c547b
parent d42884a8a4
11 changed files with 283 additions and 393 deletions
--- a/apps/flows/base/backend-deployment.yaml
+++ b/apps/flows/base/backend-deployment.yaml
@ -17,26 +17,68 @@ spec:
      labels:
        app: backend
        service: backend
      annotations:
        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/auth-path: auth/kubernetes
        vault.hashicorp.com/role: flows
        vault.hashicorp.com/agent-inject-secret-flows-postgresql: secrets/data/postgresql/apps/flows
        vault.hashicorp.com/agent-inject-template-flows-postgresql: |-
          {{- with secret "secrets/data/postgresql/apps/flows" -}}
          PG_DB=flows_db
          PG_LOGIN={{ index .Data.data "username" }}
          PG_HOST=postgresql.flows.svc.cluster.local
          PG_PORT=5432
          PG_PASSWORD={{ index .Data.data "password" }}
          DOCUMENTATION_PG_HOST=postgresql.flows.svc.cluster.local
          DOCUMENTATION_PG_PORT=5432
          DOCUMENTATION_PG_DATABASE=flows_db
          DOCUMENTATION_PG_USERNAME={{ index .Data.data "username" }}
          DOCUMENTATION_PG_PASSWORD={{ index .Data.data "password" }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-flows-rabbitmq: secrets/data/rabbitmq/apps/flows
        vault.hashicorp.com/agent-inject-template-flows-rabbitmq: |-
          {{- with secret "secrets/data/rabbitmq/apps/flows" -}}
          RABBITMQ_USERNAME={{ index .Data.data "username" }}
          RABBITMQ_PASSWORD={{ index .Data.data "password" }}
          RABBITMQ_VHOST={{ index .Data.data "vhost" }}
          RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
          RABBITMQ_PORT=5672
          ADMIN_PANEL_SECRET_KEY=rabbitmq.rabbitmq:5672
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-flows-django-auth: secrets/data/vault/common/django_auth
        vault.hashicorp.com/agent-inject-template-flows-django-auth: |-
          {{- with secret "secrets/data/vault/common/django_auth" -}}
          DJANGO_TOKEN={{ index .Data.data "key" }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-flows-jwt-public: secrets/data/vault/common/rsa_keys
        vault.hashicorp.com/agent-inject-template-flows-jwt-public: |-
          {{- with secret "secrets/data/vault/common/rsa_keys" -}}
          {{ index .Data.data "public_key" }}
          {{- end -}}
    spec:
      serviceAccountName: flows-vault
      containers:
        - name: backend
          image: cr.yandex/crp3ccidau046kdj8g9q/flows-backend:production_2a439111
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-ec"]
          args:
            - |
              set -a
              [ -f /vault/secrets/flows-postgresql ] && . /vault/secrets/flows-postgresql
              [ -f /vault/secrets/flows-rabbitmq ] && . /vault/secrets/flows-rabbitmq
              [ -f /vault/secrets/flows-django-auth ] && . /vault/secrets/flows-django-auth
              [ -f /vault/secrets/flows-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/flows-jwt-public)"
              set +a
              exec /opt/entrypoint.sh
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
          env:
            - name: ADMIN_PANEL_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  key: key
                  name: admin-secret
            - name: JWT_PUBLIC_KEY
              valueFrom:
                secretKeyRef:
                  key: public_key
                  name: jwt-secret
            - name: LOG_LEVEL
              value: DEBUG
            - name: BASE_HOST
@ -73,32 +115,6 @@ spec:
              value: https://srx.wb.ru/flows/api/v1
            - name: SMTP_HOST
              value: mail.rwb.ru
            - name: DOCUMENTATION_PG_HOST
              valueFrom:
                secretKeyRef:
                  key: hostname
                  name: postgresql-secret-documentations
            - name: DOCUMENTATION_PG_PORT
              valueFrom:
                secretKeyRef:
                  key: port
                  name: postgresql-secret-documentations
            - name: DOCUMENTATION_PG_DATABASE
              valueFrom:
                secretKeyRef:
                  key: database
                  name: postgresql-secret-documentations
            - name: DOCUMENTATION_PG_USERNAME
              valueFrom:
                secretKeyRef:
                  key: username
                  name: postgresql-secret-documentations
            - name: DOCUMENTATION_PG_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: postgresql-secret-documentations
            - name: CHECKLIST_HOST
              value: http://checklists-backend-service.checklists.svc.cluster.local:80
            - name: SMTP_PORT
@ -113,62 +129,6 @@ spec:
              value: "60"
            - name: DOCUMENTATION_TIMEOUT
              value: "60"
            - name: DJANGO_TOKEN
              valueFrom:
                secretKeyRef:
                  key: token
                  name: django-secret
            - name: PG_DB
              valueFrom:
                secretKeyRef:
                  key: database
                  name: postgresql-secret
            - name: PG_LOGIN
              valueFrom:
                secretKeyRef:
                  key: username
                  name: postgresql-secret
            - name: PG_HOST
              valueFrom:
                secretKeyRef:
                  key: hostname
                  name: postgresql-secret
            - name: PG_PORT
              valueFrom:
                secretKeyRef:
                  key: port
                  name: postgresql-secret
            - name: PG_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: postgresql-secret
            - name: RABBITMQ_USERNAME
              valueFrom:
                secretKeyRef:
                  key: username
                  name: rabbitmq-secret
            - name: RABBITMQ_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: rabbitmq-secret
            - name: RABBITMQ_VHOST
              valueFrom:
                secretKeyRef:
                  key: vhost
                  name: rabbitmq-secret
            - name: RABBITMQ_HOST
              valueFrom:
                secretKeyRef:
                  key: hostname
                  name: rabbitmq-secret
            - name: RABBITMQ_PORT
              valueFrom:
                secretKeyRef:
                  key: port
                  name: rabbitmq-secret
          resources:
            requests:
              cpu: "1"
--- a/apps/flows/base/celery-deployment.yaml
+++ b/apps/flows/base/celery-deployment.yaml
@ -17,36 +17,68 @@ spec:
      labels:
        app: celery
        service: celery
      annotations:
        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/auth-path: auth/kubernetes
        vault.hashicorp.com/role: flows
        vault.hashicorp.com/agent-inject-secret-flows-postgresql: secrets/data/postgresql/apps/flows
        vault.hashicorp.com/agent-inject-template-flows-postgresql: |-
          {{- with secret "secrets/data/postgresql/apps/flows" -}}
          PG_DB=flows_db
          PG_LOGIN={{ index .Data.data "username" }}
          PG_HOST=postgresql.flows.svc.cluster.local
          PG_PORT=5432
          PG_PASSWORD={{ index .Data.data "password" }}
          DOCUMENTATION_PG_HOST=postgresql.flows.svc.cluster.local
          DOCUMENTATION_PG_PORT=5432
          DOCUMENTATION_PG_DATABASE=flows_db
          DOCUMENTATION_PG_USERNAME={{ index .Data.data "username" }}
          DOCUMENTATION_PG_PASSWORD={{ index .Data.data "password" }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-flows-rabbitmq: secrets/data/rabbitmq/apps/flows
        vault.hashicorp.com/agent-inject-template-flows-rabbitmq: |-
          {{- with secret "secrets/data/rabbitmq/apps/flows" -}}
          RABBITMQ_USERNAME={{ index .Data.data "username" }}
          RABBITMQ_PASSWORD={{ index .Data.data "password" }}
          RABBITMQ_VHOST={{ index .Data.data "vhost" }}
          RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
          RABBITMQ_PORT=5672
          ADMIN_PANEL_SECRET_KEY=rabbitmq.rabbitmq:5672
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-flows-django-auth: secrets/data/vault/common/django_auth
        vault.hashicorp.com/agent-inject-template-flows-django-auth: |-
          {{- with secret "secrets/data/vault/common/django_auth" -}}
          DJANGO_TOKEN={{ index .Data.data "key" }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-flows-jwt-public: secrets/data/vault/common/rsa_keys
        vault.hashicorp.com/agent-inject-template-flows-jwt-public: |-
          {{- with secret "secrets/data/vault/common/rsa_keys" -}}
          {{ index .Data.data "public_key" }}
          {{- end -}}
    spec:
      serviceAccountName: flows-vault
      containers:
        - name: celery
          image: cr.yandex/crp3ccidau046kdj8g9q/flows-backend_worker:production_2a439111
          imagePullPolicy: IfNotPresent
-          command:
+          command: ["/bin/sh", "-ec"]
            - uv
          args:
-            - run
+            - |
-            - celery
+              set -a
-            - -A
+              [ -f /vault/secrets/flows-postgresql ] && . /vault/secrets/flows-postgresql
-            - config
+              [ -f /vault/secrets/flows-rabbitmq ] && . /vault/secrets/flows-rabbitmq
-            - worker
+              [ -f /vault/secrets/flows-django-auth ] && . /vault/secrets/flows-django-auth
-            - -l
+              [ -f /vault/secrets/flows-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/flows-jwt-public)"
-            - info
+              set +a
              exec uv run celery -A config worker -l info
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
          env:
            - name: ADMIN_PANEL_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  key: key
                  name: admin-secret
            - name: JWT_PUBLIC_KEY
              valueFrom:
                secretKeyRef:
                  key: public_key
                  name: jwt-secret
            - name: LOG_LEVEL
              value: DEBUG
            - name: BASE_HOST
@ -83,31 +115,6 @@ spec:
              value: https://srx.wb.ru/flows/api/v1
            - name: SMTP_HOST
              value: mail.rwb.ru
            - name: DOCUMENTATION_PG_HOST
              valueFrom:
                secretKeyRef:
                  key: hostname
                  name: postgresql-secret-documentations
            - name: DOCUMENTATION_PG_PORT
              valueFrom:
                secretKeyRef:
                  key: port
                  name: postgresql-secret-documentations
            - name: DOCUMENTATION_PG_DATABASE
              valueFrom:
                secretKeyRef:
                  key: database
                  name: postgresql-secret-documentations
            - name: DOCUMENTATION_PG_USERNAME
              valueFrom:
                secretKeyRef:
                  key: username
                  name: postgresql-secret-documentations
            - name: DOCUMENTATION_PG_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: postgresql-secret-documentations
            - name: CHECKLIST_HOST
              value: http://checklists-backend-service.checklists.svc.cluster.local:80
            - name: SMTP_PORT
@ -122,61 +129,6 @@ spec:
              value: "60"
            - name: DOCUMENTATION_TIMEOUT
              value: "60"
            - name: DJANGO_TOKEN
              valueFrom:
                secretKeyRef:
                  key: token
                  name: django-secret
            - name: PG_DB
              valueFrom:
                secretKeyRef:
                  key: database
                  name: postgresql-secret
            - name: PG_LOGIN
              valueFrom:
                secretKeyRef:
                  key: username
                  name: postgresql-secret
            - name: PG_HOST
              valueFrom:
                secretKeyRef:
                  key: hostname
                  name: postgresql-secret
            - name: PG_PORT
              valueFrom:
                secretKeyRef:
                  key: port
                  name: postgresql-secret
            - name: PG_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: postgresql-secret
            - name: RABBITMQ_USERNAME
              valueFrom:
                secretKeyRef:
                  key: username
                  name: rabbitmq-secret
            - name: RABBITMQ_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: rabbitmq-secret
            - name: RABBITMQ_VHOST
              valueFrom:
                secretKeyRef:
                  key: vhost
                  name: rabbitmq-secret
            - name: RABBITMQ_HOST
              valueFrom:
                secretKeyRef:
                  key: hostname
                  name: rabbitmq-secret
            - name: RABBITMQ_PORT
              valueFrom:
                secretKeyRef:
                  key: port
                  name: rabbitmq-secret
          resources:
            requests:
              cpu: "1"
--- a/apps/flows/base/kustomization.yaml
+++ b/apps/flows/base/kustomization.yaml
@ -4,6 +4,7 @@ kind: Kustomization
 namespace: flows
 resources:
  - namespace.yaml
  - serviceaccount.yaml
  - backend-deployment.yaml
  - celery-deployment.yaml
  - frontend-deployment.yaml
--- a/apps/flows/base/serviceaccount.yaml
+++ b/apps/flows/base/serviceaccount.yaml
@ -0,0 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: flows-vault
  namespace: flows
--- a/apps/flows/yc-k8s-test/postgresql.yaml
+++ b/apps/flows/yc-k8s-test/postgresql.yaml
@ -9,7 +9,7 @@ spec:
  chart:
    spec:
      chart: postgresql-contour
-      version: "17.0.2"
+      version: "17.0.7"
      sourceRef:
        kind: HelmRepository
        name: yc-oci-charts
@ -44,7 +44,7 @@ spec:
    image:
      registry: cr.yandex/crp3ccidau046kdj8g9q
      repository: contour/postgresql
-      tag: 17.0.2
+      tag: 17.0.7
      pullPolicy: Always
    metrics:
      enabled: false
@ -61,7 +61,7 @@ spec:
          command:
            - /bin/sh
            - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
        initialDelaySeconds: 30
        periodSeconds: 10
        timeoutSeconds: 5
@ -72,7 +72,7 @@ spec:
          command:
            - /bin/sh
            - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
        initialDelaySeconds: 5
        periodSeconds: 10
        timeoutSeconds: 5
@ -83,12 +83,15 @@ spec:
          command:
            - /bin/sh
            - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
        initialDelaySeconds: 30
        periodSeconds: 10
        timeoutSeconds: 5
        successThreshold: 1
        failureThreshold: 6
      resources:
        requests:
          memory: 512Mi
      nodeSelector:
        dedicated: db
      tolerations:
@ -98,12 +101,19 @@ spec:
          effect: NoSchedule
    contour:
      enabled: true
-      adminUser: ""
+      adminUser: "postgres"
-      adminPasswordSecretKey: ""
+      sharedPreloadLibraries: "pg_stat_statements,uuid-ossp,ltree,postgis"
-      sharedPreloadLibraries: "pg_stat_statements"
+      vault:
        enabled: true
        role: postgresql
        authPath: auth/kubernetes
        secretPath: secrets/data/postgresql/admin
        secretKey: postgres-password
        usersSecretPath: secrets/data/postgresql/users
      databases:
        - name: flows_db
          user: flows
          passwordKey: flow
          extensions: []
          restoreFromDump: false
      s3-proxy:
--- a/apps/issues/base/backend-deployment.yaml
+++ b/apps/issues/base/backend-deployment.yaml
@ -17,7 +17,57 @@ spec:
      labels:
        app: backend
        service: backend
      annotations:
        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/auth-path: auth/kubernetes
        vault.hashicorp.com/role: issues
        vault.hashicorp.com/agent-inject-secret-issues-db: secrets/data/postgresql/apps/issues
        vault.hashicorp.com/agent-inject-template-issues-db: |-
          {{- with secret "secrets/data/postgresql/apps/issues" -}}
          DATABASE_PORT=5432
          DATABASE_HOST=postgresql.issues.svc.cluster.local
          DATABASE_USER={{ index .Data.data "username" }}
          DATABASE_PASSWORD={{ index .Data.data "password" }}
          DATABASE_NAME=issues_db
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-issues-rabbitmq: secrets/data/rabbitmq/apps/issues
        vault.hashicorp.com/agent-inject-template-issues-rabbitmq: |-
          {{- with secret "secrets/data/rabbitmq/apps/issues" -}}
          RABBITMQ_VHOST={{ index .Data.data "vhost" }}
          RABBITMQ_USERNAME={{ index .Data.data "username" }}
          RABBITMQ_HOSTNAME=rabbitmq.rabbitmq.svc.cluster.local
          RABBITMQ_PASSWORD={{ index .Data.data "password" }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-issues-s3: secrets/data/minio/admin
        vault.hashicorp.com/agent-inject-template-issues-s3: |-
          {{- with secret "secrets/data/minio/admin" -}}
          YC_S3_ACCESS_KEY_ID={{ index .Data.data "rootUser" }}
          YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "rootPassword" }}
          YC_S3_BUCKET_NAME=rfi
          YC_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-issues-django-auth: secrets/data/vault/common/django_auth
        vault.hashicorp.com/agent-inject-template-issues-django-auth: |-
          {{- with secret "secrets/data/vault/common/django_auth" -}}
          DJANGO_TOKEN={{ index .Data.data "key" }}
          SAREX_USERNAME={{ index .Data.data "username" }}
          SAREX_PASSWORD={{ index .Data.data "password" }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-issues-jwt-private: secrets/data/vault/common/rsa_keys
        vault.hashicorp.com/agent-inject-template-issues-jwt-private: |-
          {{- with secret "secrets/data/vault/common/rsa_keys" -}}
          {{ index .Data.data "private_key" }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-issues-jwt-public: secrets/data/vault/common/rsa_keys
        vault.hashicorp.com/agent-inject-template-issues-jwt-public: |-
          {{- with secret "secrets/data/vault/common/rsa_keys" -}}
          {{ index .Data.data "public_key" }}
          {{- end -}}
    spec:
      serviceAccountName: issues-vault
      volumes:
        - name: production-configmap
          configMap:
@ -30,6 +80,18 @@ spec:
        - name: backend
          image: cr.yandex/crp3ccidau046kdj8g9q/issues:production_17c438aa
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-ec"]
          args:
            - |
              set -a
              [ -f /vault/secrets/issues-db ] && . /vault/secrets/issues-db
              [ -f /vault/secrets/issues-rabbitmq ] && . /vault/secrets/issues-rabbitmq
              [ -f /vault/secrets/issues-s3 ] && . /vault/secrets/issues-s3
              [ -f /vault/secrets/issues-django-auth ] && . /vault/secrets/issues-django-auth
              [ -f /vault/secrets/issues-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/issues-jwt-private)"
              [ -f /vault/secrets/issues-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/issues-jwt-public)"
              set +a
              exec /src/entrypoint.sh
          ports:
            - name: http
              containerPort: 8000
@ -61,98 +123,6 @@ spec:
              value: config.settings.production
            - name: API_ADDRESS
              value: "8000"
            - name: YC_S3_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  key: username
                  name: s3-secret
            - name: YC_S3_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  key: password
                  name: s3-secret
            - name: YC_S3_BUCKET_NAME
              valueFrom:
                secretKeyRef:
                  key: bucket
                  name: s3-secret
            - name: YC_S3_ENDPOINT_URL
              valueFrom:
                secretKeyRef:
                  key: host
                  name: s3-secret
            - name: DJANGO_BASIC_AUTH
              valueFrom:
                secretKeyRef:
                  key: key
                  name: django-auth
            - name: SAREX_USERNAME
              valueFrom:
                secretKeyRef:
                  key: username
                  name: sarex-auth
            - name: SAREX_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: sarex-auth
            - name: DATABASE_PORT
              valueFrom:
                secretKeyRef:
                  key: port
                  name: postgresql-secret
            - name: DATABASE_HOST
              valueFrom:
                secretKeyRef:
                  key: hostname
                  name: postgresql-secret
            - name: DATABASE_USER
              valueFrom:
                secretKeyRef:
                  key: username
                  name: postgresql-secret
            - name: DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: postgresql-secret
            - name: DATABASE_NAME
              valueFrom:
                secretKeyRef:
                  key: database
                  name: postgresql-secret
            - name: RABBITMQ_VHOST
              valueFrom:
                secretKeyRef:
                  key: vhost
                  name: rabbitmq-secret
            - name: RABBITMQ_USERNAME
              valueFrom:
                secretKeyRef:
                  key: username
                  name: rabbitmq-secret
            - name: RABBITMQ_HOSTNAME
              valueFrom:
                secretKeyRef:
                  key: host
                  name: rabbitmq-secret
            - name: RABBITMQ_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: rabbitmq-secret
            - name: JWT_PRIVATE_KEY
              valueFrom:
                secretKeyRef:
                  key: ssh_private.key
                  name: backend-secret
            - name: JWT_PUBLIC_KEY
              valueFrom:
                secretKeyRef:
                  key: ssh_public.key
                  name: backend-secret
          resources:
            requests:
              cpu: "1"
--- a/apps/issues/base/celery-deployment.yaml
+++ b/apps/issues/base/celery-deployment.yaml
@ -17,7 +17,57 @@ spec:
      labels:
        app: celery
        service: celery
      annotations:
        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-pre-populate-only: "true"
        vault.hashicorp.com/auth-path: auth/kubernetes
        vault.hashicorp.com/role: issues
        vault.hashicorp.com/agent-inject-secret-issues-db: secrets/data/postgresql/apps/issues
        vault.hashicorp.com/agent-inject-template-issues-db: |-
          {{- with secret "secrets/data/postgresql/apps/issues" -}}
          DATABASE_PORT=5432
          DATABASE_HOST=postgresql.issues.svc.cluster.local
          DATABASE_USER={{ index .Data.data "username" }}
          DATABASE_PASSWORD={{ index .Data.data "password" }}
          DATABASE_NAME=issues_db
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-issues-rabbitmq: secrets/data/rabbitmq/apps/issues
        vault.hashicorp.com/agent-inject-template-issues-rabbitmq: |-
          {{- with secret "secrets/data/rabbitmq/apps/issues" -}}
          RABBITMQ_VHOST={{ index .Data.data "vhost" }}
          RABBITMQ_USERNAME={{ index .Data.data "username" }}
          RABBITMQ_HOSTNAME=rabbitmq.rabbitmq.svc.cluster.local
          RABBITMQ_PASSWORD={{ index .Data.data "password" }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-issues-s3: secrets/data/minio/admin
        vault.hashicorp.com/agent-inject-template-issues-s3: |-
          {{- with secret "secrets/data/minio/admin" -}}
          YC_S3_ACCESS_KEY_ID={{ index .Data.data "rootUser" }}
          YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "rootPassword" }}
          YC_S3_BUCKET_NAME=rfi
          YC_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-issues-django-auth: secrets/data/vault/common/django_auth
        vault.hashicorp.com/agent-inject-template-issues-django-auth: |-
          {{- with secret "secrets/data/vault/common/django_auth" -}}
          DJANGO_TOKEN={{ index .Data.data "key" }}
          SAREX_USERNAME={{ index .Data.data "username" }}
          SAREX_PASSWORD={{ index .Data.data "password" }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-issues-jwt-private: secrets/data/vault/common/rsa_keys
        vault.hashicorp.com/agent-inject-template-issues-jwt-private: |-
          {{- with secret "secrets/data/vault/common/rsa_keys" -}}
          {{ index .Data.data "private_key" }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-issues-jwt-public: secrets/data/vault/common/rsa_keys
        vault.hashicorp.com/agent-inject-template-issues-jwt-public: |-
          {{- with secret "secrets/data/vault/common/rsa_keys" -}}
          {{ index .Data.data "public_key" }}
          {{- end -}}
    spec:
      serviceAccountName: issues-vault
      volumes:
        - name: production-configmap
          configMap:
@ -30,8 +80,18 @@ spec:
        - name: celery
          image: cr.yandex/crp3ccidau046kdj8g9q/issues:production_17c438aa
          imagePullPolicy: IfNotPresent
-          command: ["celery", "-A", "config", "worker", "-l", "info", "-E"]
+          command: ["/bin/sh", "-ec"]
-
+          args:
            - |
              set -a
              [ -f /vault/secrets/issues-db ] && . /vault/secrets/issues-db
              [ -f /vault/secrets/issues-rabbitmq ] && . /vault/secrets/issues-rabbitmq
              [ -f /vault/secrets/issues-s3 ] && . /vault/secrets/issues-s3
              [ -f /vault/secrets/issues-django-auth ] && . /vault/secrets/issues-django-auth
              [ -f /vault/secrets/issues-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/issues-jwt-private)"
              [ -f /vault/secrets/issues-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/issues-jwt-public)"
              set +a
              exec celery -A config worker -l info -E
          ports:
            - name: http
              containerPort: 8000
@ -63,96 +123,6 @@ spec:
              value: config.settings.production
            - name: API_ADDRESS
              value: "8000"
            - name: YC_S3_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  key: username
                  name: s3-secret
            - name: YC_S3_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  key: password
                  name: s3-secret
            - name: YC_S3_BUCKET_NAME
              valueFrom:
                secretKeyRef:
                  key: bucket
                  name: s3-secret
            - name: YC_S3_ENDPOINT_URL
              valueFrom:
                secretKeyRef:
                  key: host
                  name: s3-secret
            - name: DJANGO_BASIC_AUTH
              valueFrom:
                secretKeyRef:
                  key: key
                  name: django-auth
            - name: SAREX_USERNAME
              valueFrom:
                secretKeyRef:
                  key: username
                  name: sarex-auth
            - name: SAREX_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: sarex-auth
            - name: DATABASE_PORT
              valueFrom:
                secretKeyRef:
                  key: port
                  name: postgresql-secret
            - name: DATABASE_HOST
              valueFrom:
                secretKeyRef:
                  key: hostname
                  name: postgresql-secret
            - name: DATABASE_USER
              valueFrom:
                secretKeyRef:
                  key: username
                  name: postgresql-secret
            - name: DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: postgresql-secret
            - name: DATABASE_NAME
              valueFrom:
                secretKeyRef:
                  key: database
                  name: postgresql-secret
            - name: RABBITMQ_VHOST
              valueFrom:
                secretKeyRef:
                  key: vhost
                  name: rabbitmq-secret
            - name: RABBITMQ_USERNAME
              valueFrom:
                secretKeyRef:
                  key: username
                  name: rabbitmq-secret
            - name: RABBITMQ_HOSTNAME
              valueFrom:
                secretKeyRef:
                  key: host
                  name: rabbitmq-secret
            - name: RABBITMQ_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: rabbitmq-secret
            - name: JWT_PRIVATE_KEY
              valueFrom:
                secretKeyRef:
                  key: ssh_private.key
                  name: backend-secret
            - name: JWT_PUBLIC_KEY
              valueFrom:
                secretKeyRef:
                  key: ssh_public.key
                  name: backend-secret
          resources:
            requests:
              cpu: "1"
--- a/apps/issues/base/kustomization.yaml
+++ b/apps/issues/base/kustomization.yaml
@ -4,6 +4,7 @@ kind: Kustomization
 namespace: issues
 resources:
  - namespace.yaml
  - serviceaccount.yaml
  - backend-deployment.yaml
  - celery-deployment.yaml
  - frontend-deployment.yaml
--- a/apps/issues/base/production-configmap.yaml
+++ b/apps/issues/base/production-configmap.yaml
@ -21,7 +21,7 @@ data:
    SECRET_KEY = "FromToMuchLoveOfLiving"  # Delete after Test
    # -----------------------------------------------------------------------------
-    DJANGO_TOKEN="aGFnZW4wMTM6emVhbG90MDk2"
+    DJANGO_TOKEN = os.getenv("DJANGO_TOKEN", "aGFnZW4wMTM6emVhbG90MDk2")
    # ALLOWED HOSTS START
    # -----------------------------------------------------------------------------
--- a/apps/issues/base/serviceaccount.yaml
+++ b/apps/issues/base/serviceaccount.yaml
@ -0,0 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: issues-vault
  namespace: issues
--- a/apps/issues/yc-k8s-test/postgresql.yaml
+++ b/apps/issues/yc-k8s-test/postgresql.yaml
@ -9,7 +9,7 @@ spec:
  chart:
    spec:
      chart: postgresql-contour
-      version: "17.0.2"
+      version: "17.0.7"
      sourceRef:
        kind: HelmRepository
        name: yc-oci-charts
@ -44,7 +44,7 @@ spec:
    image:
      registry: cr.yandex/crp3ccidau046kdj8g9q
      repository: contour/postgresql
-      tag: 17.0.2
+      tag: 17.0.7
      pullPolicy: Always
    metrics:
      enabled: false
@ -61,7 +61,7 @@ spec:
          command:
            - /bin/sh
            - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
        initialDelaySeconds: 30
        periodSeconds: 10
        timeoutSeconds: 5
@ -72,7 +72,7 @@ spec:
          command:
            - /bin/sh
            - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
        initialDelaySeconds: 5
        periodSeconds: 10
        timeoutSeconds: 5
@ -83,12 +83,15 @@ spec:
          command:
            - /bin/sh
            - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
        initialDelaySeconds: 30
        periodSeconds: 10
        timeoutSeconds: 5
        successThreshold: 1
        failureThreshold: 6
      resources:
        requests:
          memory: 512Mi
      nodeSelector:
        dedicated: db
      tolerations:
@ -98,13 +101,26 @@ spec:
          effect: NoSchedule
    contour:
      enabled: true
-      adminUser: ""
+      adminUser: "postgres"
-      adminPasswordSecretKey: ""
+      sharedPreloadLibraries: "pg_stat_statements,uuid-ossp,ltree,postgis"
-      sharedPreloadLibraries: "pg_stat_statements"
+      vault:
        enabled: true
        role: postgresql
        authPath: auth/kubernetes
        secretPath: secrets/data/postgresql/admin
        secretKey: postgres-password
        usersSecretPath: secrets/data/postgresql/users
      databases:
        - name: issues_db
          user: issues
-          extensions: []
+          passwordKey: issues
          extensions:
            - ltree
            - pg_stat_statements
            - pg_trgm
            - postgis
            - timescaledb
            - uuid-ossp
          restoreFromDump: false
      s3-proxy:
        endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"