From 5ab8fe0fe36c8e7b1e041628108b007978b1244d Mon Sep 17 00:00:00 2001
From: Kochetkov S
Date: Thu, 23 Apr 2026 13:51:46 +0300
Subject: [PATCH] drwaings/measurements/comparisons/cross-section
---
apps/drawings/base/deployment.yaml | 43 ++++++++++++----------
apps/drawings/base/kustomization.yaml | 1 +
apps/drawings/base/serviceaccount.yaml | 5 +++
apps/drawings/yc-k8s-test/postgresql.yaml | 23 ++++++++----
apps/measurements/base/deployment.yaml | 25 ++++++++++---
apps/measurements/base/kustomization.yaml | 1 +
apps/measurements/base/serviceaccount.yaml | 5 +++
7 files changed, 70 insertions(+), 33 deletions(-)
create mode 100644 apps/drawings/base/serviceaccount.yaml
create mode 100644 apps/measurements/base/serviceaccount.yaml
diff --git a/apps/drawings/base/deployment.yaml b/apps/drawings/base/deployment.yaml
index 8b1a26d..3425999 100644
--- a/apps/drawings/base/deployment.yaml
+++ b/apps/drawings/base/deployment.yaml
@@ -15,11 +15,34 @@ spec: metadata: labels: app: backend + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: drawings + vault.hashicorp.com/agent-inject-secret-drawings-db: secrets/data/postgresql/apps/drawings + vault.hashicorp.com/agent-inject-template-drawings-db: |- + {{- with secret "secrets/data/postgresql/apps/drawings" -}} + POSTGRES_ADDRESS=postgresql.drawings.svc.cluster.local + POSTGRES_DB=drawings_db + POSTGRES_USER={{ index .Data.data "username" }} + POSTGRES_PASSWORD={{ index .Data.data "password" }} + {{- end -}} spec: + serviceAccountName: drawings-vault containers: - name: backend image: cr.yandex/crp3ccidau046kdj8g9q/drawings-api:015e68e1b2a3dcc13f0b405e1f761b154a825d24 imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/drawings-db ] && . /vault/secrets/drawings-db + set +a + exec ./entrypoint.sh ports: - name: http containerPort: 8080
@@ -31,25 +54,5 @@ spec: value: 0.0.0.0:8000 - name: ENABLE_SSL value: "0" - - name: POSTGRES_ADDRESS - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: host - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: database - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: username - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: password imagePullSecrets: - name: regcred
diff --git a/apps/drawings/base/kustomization.yaml b/apps/drawings/base/kustomization.yaml
index 49b3cd3..73f51c2 100644
--- a/apps/drawings/base/kustomization.yaml
+++ b/apps/drawings/base/kustomization.yaml
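Review bot: The new args source `/vault/secrets/drawings-db` with `.`, but the injected template writes `POSTGRES_USER={{ index .Data.data "username" }}` and `POSTGRES_PASSWORD={{ index .Data.data "password" }}` unquoted, so a password containing whitespace, `$`, `;`, backticks or quotes is mis-parsed or executed by the shell instead of being exported. Wrap the values in single quotes in the template (e.g. `POSTGRES_PASSWORD='{{ index .Data.data "password" }}'`, escaping any embedded `'` — consul-template's `replaceAll` can do this if the agent version ships it) or guarantee the generated password uses a safe character set. Separately, under `set -e` the `[ -f … ] && . …` form does not abort when the file is missing, so a failed injection only shows up later as a connection error; with agent-init-first and agent-pre-populate-only set, an unconditional `. /vault/secrets/drawings-db` fails fast with a clearer message. The measurements deployment hunk further down has the same unquoted interpolation inside its JSON string, where a `"` or `\` in the secret also breaks the value. The now-unreferenced postgresql-secrets Secret is not deleted by this commit and should be removed from the namespace once the rollout is verified.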
@@ -4,5 +4,6 @@ kind: Kustomization namespace: drawings resources: - namespace.yaml + - serviceaccount.yaml - deployment.yaml - service.yaml
diff --git a/apps/drawings/base/serviceaccount.yaml b/apps/drawings/base/serviceaccount.yaml
new file mode 100644
index 0000000..5578239
--- /dev/null
+++ b/apps/drawings/base/serviceaccount.yaml
@@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: drawings-vault + namespace: drawings
diff --git a/apps/drawings/yc-k8s-test/postgresql.yaml b/apps/drawings/yc-k8s-test/postgresql.yaml
index 9c84f6b..560da07 100644
--- a/apps/drawings/yc-k8s-test/postgresql.yaml
+++ b/apps/drawings/yc-k8s-test/postgresql.yaml
@@ -9,7 +9,7 @@ spec: chart: spec: chart: postgresql-contour - version: "17.0.2" + version: "17.0.7" sourceRef: kind: HelmRepository name: yc-oci-charts
@@ -44,7 +44,7 @@ spec: image: registry: cr.yandex/crp3ccidau046kdj8g9q repository: contour/postgresql - tag: 17.0.2 + tag: 17.0.7 pullPolicy: Always metrics: enabled: false
@@ -61,7 +61,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5
@@ -72,7 +72,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5
@@ -83,7 +83,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5
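Review bot: The new ServiceAccount drawings-vault is the identity the Vault agent logs in with, but nothing in this commit constrains the Vault Kubernetes-auth role `drawings` to it; unless that role's bound service-account names and namespaces are limited to `drawings-vault` in `drawings` on the Vault side (not visible here), other workloads could authenticate as this role and read `secrets/data/postgresql/apps/drawings`. Please confirm the binding in the Vault configuration and record the intent on the manifest, e.g. `# Used only by the Vault agent init container; Vault role "drawings" is bound to this SA/namespace.` The same applies to measurements-vault at the end of the patch.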
@@ -101,13 +101,20 @@ spec: effect: NoSchedule contour: enabled: true - adminUser: "" - adminPasswordSecretKey: "" + adminUser: "postgres" sharedPreloadLibraries: "pg_stat_statements,uuid-ossp" + vault: + enabled: true + role: postgresql + authPath: auth/kubernetes + secretPath: secrets/data/postgresql/admin + secretKey: postgres-password + usersSecretPath: secrets/data/postgresql/users databases: - name: drawings_db user: drawings + passwordKey: drawings extensions: [] restoreFromDump: false s3-proxy: - endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
\ No newline at end of file
+ endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
diff --git a/apps/measurements/base/deployment.yaml b/apps/measurements/base/deployment.yaml
index 24fcd2f..03f9a26 100644
--- a/apps/measurements/base/deployment.yaml
+++ b/apps/measurements/base/deployment.yaml
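Review bot: The drawings database password now has to exist at two Vault paths that nothing in this commit keeps in sync: the chart is pointed at `usersSecretPath: secrets/data/postgresql/users` with `passwordKey: drawings`, while the drawings deployment template reads `secrets/data/postgresql/apps/drawings` (keys `username`/`password`). Unless the chart itself populates the apps/ path (I cannot see the chart), rotating one without the other silently breaks application logins; either point both consumers at one path or state the contract in a comment above `usersSecretPath`, e.g. `# key "drawings" must match secrets/data/postgresql/apps/drawings:password consumed by the drawings Deployment`. `adminUser: "postgres"` also makes the chart run its administration as the superuser role rather than a dedicated admin account; if that is intended, a one-line comment saying so would save the next reader the question.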
@@ -15,11 +15,31 @@ spec: metadata: labels: app: measurements + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: measurements + vault.hashicorp.com/agent-inject-secret-measurements-s3: secrets/data/minio/apps/measurements + vault.hashicorp.com/agent-inject-template-measurements-s3: |- + {{- with secret "secrets/data/minio/apps/measurements" -}} + S3_JSON_SETTINGS='{"host":"{{ index .Data.data.client "endpoint" }}","login":"{{ index .Data.data "access_key" }}","password":"{{ index .Data.data "secret_key" }}","verify":false,"buckets":["measurements"]}' + {{- end -}} spec: + serviceAccountName: measurements-vault containers: - name: measurements image: cr.yandex/crp3ccidau046kdj8g9q/measurements:production_a5bb3e84 imagePullPolicy: IfNotPresent + command: ["/bin/bash", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/measurements-s3 ] && . /vault/secrets/measurements-s3 + set +a + exec /opt/entrypoint.sh ports: - name: http containerPort: 8000
@@ -27,11 +47,6 @@ spec: env: - name: TRACING_USE value: "false" - - name: S3_JSON_SETTINGS - valueFrom: - secretKeyRef: - name: s3-secrets - key: json resources: requests: cpu: 500m
diff --git a/apps/measurements/base/kustomization.yaml b/apps/measurements/base/kustomization.yaml
index 6b5ad5b..d379532 100644
--- a/apps/measurements/base/kustomization.yaml
+++ b/apps/measurements/base/kustomization.yaml
@@ -4,5 +4,6 @@ kind: Kustomization namespace: measurements resources: - namespace.yaml + - serviceaccount.yaml - deployment.yaml - service.yaml
diff --git a/apps/measurements/base/serviceaccount.yaml b/apps/measurements/base/serviceaccount.yaml
new file mode 100644
index 0000000..eed4acc
--- /dev/null
+++ b/apps/measurements/base/serviceaccount.yaml
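Review bot: The injected S3_JSON_SETTINGS hard-codes `"verify":false`, which disables TLS certificate verification for the object-store client, so the access key and secret key are presented to whatever answers at the endpoint; whether the previous s3-secrets value carried the same flag is not visible, but baking it into the base deployment makes it the default for every overlay. If the MinIO endpoint has a cluster-trusted certificate, set `"verify":true`; otherwise trust the CA explicitly rather than disabling verification. `index .Data.data.client "endpoint"` also assumes the secret holds a nested `client` map while the other keys are read flat, and `command: ["/bin/bash", "-ec"]` assumes bash is present in the image (the drawings deployment uses /bin/sh); both are worth confirming against the secret layout and the image.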
@@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: measurements-vault + namespace: measurements