From 86858bd7b4c02f7c125a9cc4fd89b951dd1b0c3f Mon Sep 17 00:00:00 2001
From: Kochetkov S
Date: Tue, 2 Jun 2026 16:14:45 +0300
Subject: [PATCH] Add Vault to yc-ecp
---
clusters/yc-ecp/helm-repositories.yaml | 12 ++++
.../yc-ecp/infrastructure/kustomization.yaml | 13 +++++
.../yc-ecp/infrastructure/patches/vault.yaml | 12 ++++
.../yc-ecp/infrastructure/vault-istio.yaml | 57 +++++++++++++++++++
clusters/yc-ecp/kustomization.yaml | 6 ++
5 files changed, 100 insertions(+)
create mode 100644 clusters/yc-ecp/helm-repositories.yaml
create mode 100644 clusters/yc-ecp/infrastructure/kustomization.yaml
create mode 100644 clusters/yc-ecp/infrastructure/patches/vault.yaml
create mode 100644 clusters/yc-ecp/infrastructure/vault-istio.yaml
create mode 100644 clusters/yc-ecp/kustomization.yaml
diff --git a/clusters/yc-ecp/helm-repositories.yaml b/clusters/yc-ecp/helm-repositories.yaml
new file mode 100644
index 0000000..bbdeea6
--- /dev/null
+++ b/clusters/yc-ecp/helm-repositories.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: yc-oci-charts
+ namespace: flux-system
+spec:
+ type: oci
+ interval: 10m0s
+ url: oci://cr.yandex/crp3ccidau046kdj8g9q/charts
+ secretRef:
+ name: yc-cr-auth
diff --git a/clusters/yc-ecp/infrastructure/kustomization.yaml b/clusters/yc-ecp/infrastructure/kustomization.yaml
new file mode 100644
index 0000000..9a4f017
--- /dev/null
+++ b/clusters/yc-ecp/infrastructure/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../infrastructure/vault
+ - ./vault-istio.yaml
+patches:
+ - path: ./patches/vault.yaml
+ target:
+ group: helm.toolkit.fluxcd.io
+ version: v2
+ kind: HelmRelease
+ name: vault
+ namespace: vault
diff --git a/clusters/yc-ecp/infrastructure/patches/vault.yaml b/clusters/yc-ecp/infrastructure/patches/vault.yaml
new file mode 100644
index 0000000..ab7e936
--- /dev/null
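Review bot: The OCI HelmRepository authenticates to cr.yandex via `yc-cr-auth` but configures no artifact verification, so any chart version that lands in that registry path, whether pushed by mistake or by someone holding the push credential, is reconciled as-is. If the charts are signed, add `verify:` / `provider: cosign` (with a `secretRef` to the public key, or keyless identity matchers) under `spec` so Flux refuses unsigned or mis-signed chart versions. The `yc-cr-auth` secret is referenced but not created in this commit; presumably it is provisioned out of band in flux-system, which is worth confirming so the source does not sit NotReady after bootstrap.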
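Review bot: The `target:` selector under `patches` duplicates the apiVersion, kind, name and namespace that patches/vault.yaml already carries; for a strategic-merge patch kustomize derives the target from those fields, so the six `target` lines can be dropped, leaving `patches: - path: ./patches/vault.yaml`. Keeping both means two places to update if the HelmRelease is ever renamed or moved. Note also that this kustomization mixes the out-of-view `infrastructure/vault` base with Istio objects in the `gateway` and `istio-system` namespaces, so the Flux Kustomization that applies this directory needs apply rights in all three namespaces rather than a single-namespace service account.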
+++ b/clusters/yc-ecp/infrastructure/patches/vault.yaml
@@ -0,0 +1,12 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: vault
+ namespace: vault
+spec:
+ interval: 5m
+ timeout: 10m
+ values:
+ server:
+ dataStorage:
+ storageClass: yc-network-hdd
diff --git a/clusters/yc-ecp/infrastructure/vault-istio.yaml b/clusters/yc-ecp/infrastructure/vault-istio.yaml
new file mode 100644
index 0000000..a44300f
--- /dev/null
+++ b/clusters/yc-ecp/infrastructure/vault-istio.yaml
@@ -0,0 +1,57 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: vault-cert
+ namespace: istio-system
+spec:
+ dnsNames:
+ - vault.158-160-200-60.nip.io
+ issuerRef:
+ kind: ClusterIssuer
+ name: letsencrypt-prod
+ secretName: vault-tls
+---
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: vault-gateway
+ namespace: gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - vault.158-160-200-60.nip.io
+ port:
+ name: http
+ number: 80
+ protocol: HTTP
+ - hosts:
+ - vault.158-160-200-60.nip.io
+ port:
+ name: https
+ number: 443
+ protocol: HTTPS
+ tls:
+ credentialName: vault-tls
+ mode: SIMPLE
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: vault-virt-service
+ namespace: vault
+spec:
+ gateways:
+ - gateway/vault-gateway
+ hosts:
+ - vault.158-160-200-60.nip.io
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: vault-vault-contour.vault.svc.cluster.local
+ port:
+ number: 8200
diff --git a/clusters/yc-ecp/kustomization.yaml b/clusters/yc-ecp/kustomization.yaml
new file mode 100644
index 0000000..a8384a3
--- /dev/null
+++ b/clusters/yc-ecp/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./flux-system
+ - ./helm-repositories.yaml
+ - ./infrastructure
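Review bot: The patch pins Vault's data volume to `yc-network-hdd` but says nothing about audit storage; if the out-of-view base does not enable it, Vault runs without a persistent audit device, which is the first artefact an incident responder will ask for. Consider adding `auditStorage:` / `enabled: true` / `storageClass: yc-network-hdd` next to `dataStorage` so audit logs survive pod restarts (the file audit device itself still has to be enabled inside Vault after initialisation). `server.dataStorage` only takes effect for the standalone or raft HA modes of the chart, so check that the base selects one of those rather than an external storage backend, otherwise this override is silently inert.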
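Review bot: The Gateway serves the Vault host on port 80 as plain HTTP with no redirect, so the UI and API, including `X-Vault-Token` headers, are usable over cleartext; add `tls:` / `httpsRedirect: true` under the port-80 server, or drop that server entirely and keep only 443. The Certificate writes `vault-tls` into `istio-system`, but Istio loads `credentialName` from the namespace where the ingress-gateway pods run, which here may be `gateway` (the namespace the Gateway object sits in) — confirm which namespace hosts the `istio: ingressgateway` workload, otherwise the HTTPS listener will fail to find the secret. The VirtualService exposes every path (`prefix: /`) of Vault, including `/v1/sys/*`, to the internet on a nip.io hostname; an AuthorizationPolicy on the gateway or a source-IP restriction would narrow that surface. The destination `vault-vault-contour.vault.svc.cluster.local` does not match any Service the upstream Vault chart creates by default (`vault`, `vault-active`, `vault-ui`), so it should be checked against what the base release actually renders.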