From 820b5a96feb4d5f90643092a9a2efcaefe52a94a Mon Sep 17 00:00:00 2001 From: Kochetkov S Date: Wed, 22 Apr 2026 15:36:22 +0300 Subject: [PATCH] inspections + workspaces vault --- apps/inspections/base/backend-deployment.yaml | 83 +++++++++---------- apps/inspections/base/kustomization.yaml | 1 + apps/inspections/base/serviceaccount.yaml | 5 ++ apps/workspaces/base/backend-deployment.yaml | 60 +++++++------- apps/workspaces/base/kustomization.yaml | 1 + apps/workspaces/base/serviceaccount.yaml | 5 ++ .../workspaces/yc-k8s-test/kustomization.yaml | 2 +- 7 files changed, 81 insertions(+), 76 deletions(-) create mode 100644 apps/inspections/base/serviceaccount.yaml create mode 100644 apps/workspaces/base/serviceaccount.yaml diff --git a/apps/inspections/base/backend-deployment.yaml b/apps/inspections/base/backend-deployment.yaml index 7dc94a0..c9b3dda 100644 --- a/apps/inspections/base/backend-deployment.yaml +++ b/apps/inspections/base/backend-deployment.yaml 
@@ -15,11 +15,49 @@ spec: metadata: labels: app: inspections-backend + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: inspections + vault.hashicorp.com/agent-inject-secret-inspections-db: secrets/data/postgresql/apps/inspections + vault.hashicorp.com/agent-inject-template-inspections-db: |- + {{- with secret "secrets/data/postgresql/apps/inspections" -}} + DATABASE_HOST=postgresql.inspections.svc.cluster.local + DATABASE_PORT=5432 + DATABASE_NAME=inspections_db + DATABASE_USER={{ index .Data.data "username" }} + DATABASE_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-inspections-kafka: secrets/data/kafka/apps/inspections + vault.hashicorp.com/agent-inject-template-inspections-kafka: |- + {{- with secret "secrets/data/kafka/apps/inspections" -}} + KAFKA_HOST={{ index .Data.data.auth "bootstrap_servers" }} + KAFKA_USERNAME={{ index .Data.data "username" }} + KAFKA_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-inspections-django-auth: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-inspections-django-auth: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + SAREX_BACKEND_AUTH={{ index .Data.data "key" }} + {{- end -}} spec: + serviceAccountName: inspections-vault containers: - name: inspections-backend image: cr.yandex/crp3ccidau046kdj8g9q/sarex-inspections:production_1a33f6f4 imagePullPolicy: IfNotPresent + command: ["/bin/bash", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/inspections-db ] && . /vault/secrets/inspections-db + [ -f /vault/secrets/inspections-kafka ] && . /vault/secrets/inspections-kafka + [ -f /vault/secrets/inspections-django-auth ] && . 
/vault/secrets/inspections-django-auth + set +a + exec ./entrypoint.sh ports: - name: http containerPort: 8000 @@ -73,51 +111,6 @@ spec: value: http://mailer-service.mailer:8000 - name: MAILER_TIMEOUT value: "30" - - name: DATABASE_USER - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: DATABASE_PORT - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: DATABASE_NAME - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: DATABASE_HOST - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: DATABASE_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: KAFKA_HOST - valueFrom: - secretKeyRef: - key: host - name: kafka-secret - - name: KAFKA_USERNAME - valueFrom: - secretKeyRef: - key: username - name: kafka-secret - - name: KAFKA_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: kafka-secret - - name: SAREX_BACKEND_AUTH - valueFrom: - secretKeyRef: - key: key - name: sarex-backend-auth-secret resources: requests: diff --git a/apps/inspections/base/kustomization.yaml b/apps/inspections/base/kustomization.yaml index 501546d..2b4238a 100644 --- a/apps/inspections/base/kustomization.yaml +++ b/apps/inspections/base/kustomization.yaml @@ -4,5 +4,6 @@ kind: Kustomization namespace: inspections resources: - namespace.yaml + - serviceaccount.yaml - backend-deployment.yaml - backend-service.yaml diff --git a/apps/inspections/base/serviceaccount.yaml b/apps/inspections/base/serviceaccount.yaml new file mode 100644 index 0000000..b9f482d --- /dev/null +++ b/apps/inspections/base/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: inspections-vault + namespace: inspections diff --git a/apps/workspaces/base/backend-deployment.yaml b/apps/workspaces/base/backend-deployment.yaml index 33cd497..a3d52e4 100644 --- a/apps/workspaces/base/backend-deployment.yaml 
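Review bot: The rendered secret files are sourced into the shell (`set -a` then `. /vault/secrets/...`) but the template lines write the values unquoted, e.g. `DATABASE_PASSWORD={{ index .Data.data "password" }}`, so a password containing a space, `$`, backtick, `#` or a quote is word-split or expanded by the shell and the container either starts with a mangled credential or dies with an unrelated-looking error. Single-quote the secret-bearing values in the templates, `DATABASE_PASSWORD='{{ index .Data.data "password" }}'` (likewise username, the Kafka values and SAREX_BACKEND_AUTH), accepting that a value containing a single quote would still need escaping. The `[ -f ... ] && . ...` guards also mean a missing render is silently skipped rather than failing the pod: with agent-init-first and agent-pre-populate-only the files are expected to exist before the app container runs, so `. /vault/secrets/inspections-db` without the guard would surface the problem at startup instead of at the first DB connection. The same two points apply to the workspaces backend-deployment hunk further down. The container spec continues outside the hunk.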
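Review bot: The new ServiceAccount carries no comment tying it to the Vault side of the setup: the deployment annotation `vault.hashicorp.com/role: inspections` only works if the Kubernetes-auth role in Vault is bound to this account name and namespace, and nothing in the repo records that coupling. A comment above `name:` such as `# Pod identity used by the Vault agent injector; the Vault Kubernetes-auth role "inspections" must be bound to this name and namespace` would let the next reader find the other half. The new workspaces serviceaccount.yaml has the same gap.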
+++ b/apps/workspaces/base/backend-deployment.yaml @@ -15,11 +15,41 @@ spec: metadata: labels: app: workspaces-api + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: workspaces + vault.hashicorp.com/agent-inject-secret-workspaces-db: secrets/data/postgresql/apps/workspaces + vault.hashicorp.com/agent-inject-template-workspaces-db: |- + {{- with secret "secrets/data/postgresql/apps/workspaces" -}} + POSTGRES_ADDRESS=postgresql.workspaces.svc.cluster.local + POSTGRES_PORT=5432 + POSTGRES_DB=workspaces_db + POSTGRES_USER={{ index .Data.data "username" }} + POSTGRES_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-workspaces-django-auth: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-workspaces-django-auth: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + DJANGO_BASIC_AUTH={{ index .Data.data "key" }} + {{- end -}} spec: + serviceAccountName: workspaces-vault containers: - name: workspaces-api image: cr.yandex/crp3ccidau046kdj8g9q/workspaces:prod_4961b1f1 imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/workspaces-db ] && . /vault/secrets/workspaces-db + [ -f /vault/secrets/workspaces-django-auth ] && . /vault/secrets/workspaces-django-auth + set +a + exec /api ports: - name: http containerPort: 8000 
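Review bot: The non-secret connection settings `POSTGRES_ADDRESS=postgresql.workspaces.svc.cluster.local`, `POSTGRES_PORT=5432` and `POSTGRES_DB=workspaces_db` now live inside the base annotation template, whereas before they were read from the per-namespace `postgresql-secret`; an overlay such as `yc-k8s-test` can only change them by replacing the whole multi-line annotation, which is easy to get wrong. If those values are expected to differ between environments, keep them as plain `env` entries in the base (overlays patch those cleanly) and leave only username and password to the Vault template; if they are identical everywhere, a comment saying so next to the template would save the next reader the question. The inspections deployment hunk above takes the same approach. The interpreter also differs between the two deployments (`/bin/sh` here, `/bin/bash` for inspections) although both scripts are plain POSIX shell; worth aligning unless one image lacks the other shell.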
@@ -51,36 +81,6 @@ spec: value: http://backend.django.svc.cluster.local:8000 - name: DJANGO_ORIGINATOR value: docs_prod - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: POSTGRES_PORT - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: POSTGRES_ADDRESS - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: DJANGO_BASIC_AUTH - valueFrom: - secretKeyRef: - key: key - name: django-auth resources: requests: diff --git a/apps/workspaces/base/kustomization.yaml b/apps/workspaces/base/kustomization.yaml index 363c25f..6ebeaba 100644 --- a/apps/workspaces/base/kustomization.yaml +++ b/apps/workspaces/base/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: workspaces resources: - namespace.yaml + - serviceaccount.yaml - backend-deployment.yaml - backend-service.yaml - frontend-deployment.yaml diff --git a/apps/workspaces/base/serviceaccount.yaml b/apps/workspaces/base/serviceaccount.yaml new file mode 100644 index 0000000..8855786 --- /dev/null +++ b/apps/workspaces/base/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: workspaces-vault + namespace: workspaces diff --git a/apps/workspaces/yc-k8s-test/kustomization.yaml b/apps/workspaces/yc-k8s-test/kustomization.yaml index 79e4c45..00b5299 100644 --- a/apps/workspaces/yc-k8s-test/kustomization.yaml +++ b/apps/workspaces/yc-k8s-test/kustomization.yaml @@ -8,4 +8,4 @@ patches: - path: replicas.yaml target: kind: Deployment - name: comparisons + name: workspaces-api