diff --git a/apps/cde/base/cde-flowscallback.yaml b/apps/cde/base/cde-flowscallback.yaml index b9faab5..2de773c 100644 --- a/apps/cde/base/cde-flowscallback.yaml +++ b/apps/cde/base/cde-flowscallback.yaml @@ -17,10 +17,25 @@ spec: labels: app: cde-flowscallback service: cde-flowscallback + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: cde + vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde + vault.hashicorp.com/agent-inject-template-cde-env: |- + {{- with secret "secrets/data/vault/apps/cde" -}} + {{- range $k, $v := .Data.data }} + {{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }} + {{- end }} + {{- end -}} spec: + serviceAccountName: cde-vault containers: - name: cde-flowscallback - image: cr.yandex/crp3ccidau046kdj8g9q/flowscallback-worker:prod_3.1.2 + image: cr.yandex/crp3ccidau046kdj8g9q/flowscallback-worker:prod_9f3c1d2a imagePullPolicy: IfNotPresent ports: - name: http diff --git a/apps/cde/base/cde-splitpdf.yaml b/apps/cde/base/cde-splitpdf.yaml index 09bcce6..1dfae0f 100644 --- a/apps/cde/base/cde-splitpdf.yaml +++ b/apps/cde/base/cde-splitpdf.yaml 
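Review bot: The annotations added in apps/cde/base/cde-flowscallback.yaml give this pod the Vault role `cde` and a template that ranges over every key under `secrets/data/vault/apps/cde`. The same role, path and `serviceAccountName: cde-vault` are repeated in the other seven deployment hunks (cde-splitpdf, cde-worker-copy, cde-worker-create-versions, cde-worker-markings, cde-worker-sign, cde-worker-update-bundles, cde). Every workload therefore receives every secret in that path, so a compromise of any one worker exposes what all the others need, including any signing material for cde-worker-sign if it lives under that path. Consider one service account and Vault role per workload with a narrower path, or at least a template that names only the keys this container reads instead of `range $k, $v := .Data.data`. The Vault-side definition of role `cde` is not visible in this diff; it should be bound to `cde-vault` in namespace `cde` only.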
@@ -17,10 +17,25 @@ spec: labels: app: cde-splitpdf service: cde-splitpdf + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: cde + vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde + vault.hashicorp.com/agent-inject-template-cde-env: |- + {{- with secret "secrets/data/vault/apps/cde" -}} + {{- range $k, $v := .Data.data }} + {{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }} + {{- end }} + {{- end -}} spec: + serviceAccountName: cde-vault containers: - name: cde-splitpdf - image: cr.yandex/crp3ccidau046kdj8g9q/splitpdf-worker:prod_3.1.2 + image: cr.yandex/crp3ccidau046kdj8g9q/splitpdf-worker:prod_9f3c1d2a imagePullPolicy: IfNotPresent ports: - name: http diff --git a/apps/cde/base/cde-worker-copy.yaml b/apps/cde/base/cde-worker-copy.yaml index caaf637..bc9fe94 100644 --- a/apps/cde/base/cde-worker-copy.yaml +++ b/apps/cde/base/cde-worker-copy.yaml 
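Review bot: The template line `{{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }}` in apps/cde/base/cde-splitpdf.yaml calls `replace`, which to my knowledge is not a built-in of the consul-template engine that Vault Agent uses. The built-in is `replaceAll`, so the line would read `{{ $k }}={{ replaceAll "\n" "\\n" (printf "%v" $v) }}`. With `agent-init-first` and `agent-pre-populate-only` both set, a template that fails to render would leave the init container failing and the pod unable to start, so please confirm rendering on a test pod before merge. Values are also written unquoted, so a secret containing spaces, `#`, quotes or `$` is only safe if the consumer parses the file as data rather than sourcing it in a shell; the consumer is outside this hunk. The same template appears in the other seven deployment hunks.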
@@ -17,10 +17,25 @@ spec: labels: app: cde-worker-copy service: cde-worker-copy + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: cde + vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde + vault.hashicorp.com/agent-inject-template-cde-env: |- + {{- with secret "secrets/data/vault/apps/cde" -}} + {{- range $k, $v := .Data.data }} + {{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }} + {{- end }} + {{- end -}} spec: + serviceAccountName: cde-vault containers: - name: cde-worker-copy - image: cr.yandex/crp3ccidau046kdj8g9q/copy-worker:preprod_fd483601 + image: cr.yandex/crp3ccidau046kdj8g9q/copy-worker:prod_9f3c1d2a imagePullPolicy: IfNotPresent ports: - name: http diff --git a/apps/cde/base/cde-worker-create-versions.yaml b/apps/cde/base/cde-worker-create-versions.yaml index 62deccd..b488c21 100644 --- a/apps/cde/base/cde-worker-create-versions.yaml +++ b/apps/cde/base/cde-worker-create-versions.yaml 
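Review bot: The new `image: cr.yandex/crp3ccidau046kdj8g9q/copy-worker:prod_9f3c1d2a` line in apps/cde/base/cde-worker-copy.yaml references a mutable tag. With `imagePullPolicy: IfNotPresent`, a node that has already cached that tag keeps running the cached content if the tag is re-pushed, so different nodes can run different code under one name. Pinning the digest makes the deployed artifact verifiable, e.g. `image: cr.yandex/crp3ccidau046kdj8g9q/copy-worker:prod_9f3c1d2a@sha256:<digest-placeholder>`; the same applies to the image lines in the other seven deployment hunks. This commit also combines the image promotion (several services move from `preprod_*` tags) with the Vault injection change, and splitting the two would make either one easier to roll back.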
@@ -17,10 +17,25 @@ spec: labels: app: cde-worker-create-versions service: cde-worker-create-versions + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: cde + vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde + vault.hashicorp.com/agent-inject-template-cde-env: |- + {{- with secret "secrets/data/vault/apps/cde" -}} + {{- range $k, $v := .Data.data }} + {{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }} + {{- end }} + {{- end -}} spec: + serviceAccountName: cde-vault containers: - name: cde-worker-create-versions - image: cr.yandex/crp3ccidau046kdj8g9q/createversions-worker:preprod_ec474ae7 + image: cr.yandex/crp3ccidau046kdj8g9q/createversions-worker:prod_9f3c1d2a imagePullPolicy: IfNotPresent ports: - name: http diff --git a/apps/cde/base/cde-worker-markings.yaml b/apps/cde/base/cde-worker-markings.yaml index 5d2a206..3fc7833 100644 --- a/apps/cde/base/cde-worker-markings.yaml +++ b/apps/cde/base/cde-worker-markings.yaml 
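Review bot: `vault.hashicorp.com/agent-pre-populate-only: "true"` in apps/cde/base/cde-worker-create-versions.yaml means the secrets file is rendered once by the init container and no agent sidecar runs afterwards, so a value rotated in Vault does not reach a running pod until the pod is restarted. That is a reasonable trade-off for static KV values, but it deserves a comment next to the annotation, for example `# rendered once at pod start; restart the deployment after rotating secrets/data/vault/apps/cde`. The hunk does not show how the container reads the rendered `cde-env` file, since the container spec continues outside the hunk, so confirm the entrypoint actually loads it. The other seven deployment hunks carry the same annotation.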
@@ -17,10 +17,25 @@ spec: labels: app: cde-worker-markings service: cde-worker-markings + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: cde + vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde + vault.hashicorp.com/agent-inject-template-cde-env: |- + {{- with secret "secrets/data/vault/apps/cde" -}} + {{- range $k, $v := .Data.data }} + {{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }} + {{- end }} + {{- end -}} spec: + serviceAccountName: cde-vault containers: - name: cde-worker-markings - image: cr.yandex/crp3ccidau046kdj8g9q/markings-worker:preprod_eb50f30e + image: cr.yandex/crp3ccidau046kdj8g9q/markings-worker:prod_9f3c1d2a imagePullPolicy: IfNotPresent ports: - name: http diff --git a/apps/cde/base/cde-worker-sign.yaml b/apps/cde/base/cde-worker-sign.yaml index 2e08972..635a251 100644 --- a/apps/cde/base/cde-worker-sign.yaml +++ b/apps/cde/base/cde-worker-sign.yaml 
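Review bot: `traffic.sidecar.istio.io/excludeOutboundPorts: "8200"` in apps/cde/base/cde-worker-markings.yaml exempts outbound traffic to port 8200 from the Istio sidecar for any destination, from every container in the pod, for the pod's whole lifetime. The exclusion is presumably there so the Vault init container can reach Vault before the proxy is up. It also means that traffic gets no mesh mTLS or egress policy, so the connection has to be protected by Vault's own TLS; the Vault address and CA settings are not visible in this diff. If the Vault endpoint has a stable address, `traffic.sidecar.istio.io/excludeOutboundIPRanges` limited to that address would be narrower than a port-wide exclusion. The same annotation is added in the other seven deployment hunks.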
@@ -17,10 +17,25 @@ spec: labels: app: cde-worker-sign service: cde-worker-sign + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: cde + vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde + vault.hashicorp.com/agent-inject-template-cde-env: |- + {{- with secret "secrets/data/vault/apps/cde" -}} + {{- range $k, $v := .Data.data }} + {{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }} + {{- end }} + {{- end -}} spec: + serviceAccountName: cde-vault containers: - name: cde-worker-sign - image: cr.yandex/crp3ccidau046kdj8g9q/sign-worker:preprod_fd483601 + image: cr.yandex/crp3ccidau046kdj8g9q/sign-worker:prod_9f3c1d2a imagePullPolicy: IfNotPresent ports: - name: http diff --git a/apps/cde/base/cde-worker-update-bundles.yaml b/apps/cde/base/cde-worker-update-bundles.yaml index 4421daa..525f436 100644 --- a/apps/cde/base/cde-worker-update-bundles.yaml +++ b/apps/cde/base/cde-worker-update-bundles.yaml 
@@ -17,10 +17,25 @@ spec: labels: app: cde-worker-update-bundles service: cde-worker-update-bundles + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: cde + vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde + vault.hashicorp.com/agent-inject-template-cde-env: |- + {{- with secret "secrets/data/vault/apps/cde" -}} + {{- range $k, $v := .Data.data }} + {{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }} + {{- end }} + {{- end -}} spec: + serviceAccountName: cde-vault containers: - name: cde-worker-update-bundles - image: cr.yandex/crp3ccidau046kdj8g9q/updatebundles-worker:prod_3.1.2 + image: cr.yandex/crp3ccidau046kdj8g9q/updatebundles-worker:prod_9f3c1d2a imagePullPolicy: IfNotPresent ports: - name: http diff --git a/apps/cde/base/cde.yaml b/apps/cde/base/cde.yaml index 776f550..b43dc84 100644 --- a/apps/cde/base/cde.yaml +++ b/apps/cde/base/cde.yaml 
@@ -17,10 +17,25 @@ spec: labels: app: cde service: cde + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: cde + vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde + vault.hashicorp.com/agent-inject-template-cde-env: |- + {{- with secret "secrets/data/vault/apps/cde" -}} + {{- range $k, $v := .Data.data }} + {{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }} + {{- end }} + {{- end -}} spec: + serviceAccountName: cde-vault containers: - name: api - image: cr.yandex/crp3ccidau046kdj8g9q/cde:preprod_ec474ae7 + image: cr.yandex/crp3ccidau046kdj8g9q/cde:prod_9f3c1d2a imagePullPolicy: IfNotPresent ports: - name: http diff --git a/apps/cde/base/kustomization.yaml b/apps/cde/base/kustomization.yaml index 18d33e8..9c18fbf 100644 --- a/apps/cde/base/kustomization.yaml +++ b/apps/cde/base/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: cde resources: - namespace.yaml + - serviceaccount.yaml - cde.yaml - cde-splitpdf.yaml - backend-service.yaml @@ -12,4 +13,4 @@ resources: - cde-worker-create-versions.yaml - cde-worker-markings.yaml - cde-worker-sign.yaml - - cde-worker-update-bundles.yaml \ No newline at end of file + - cde-worker-update-bundles.yaml diff --git a/apps/cde/base/serviceaccount.yaml b/apps/cde/base/serviceaccount.yaml new file mode 100644 index 0000000..ebb471d --- /dev/null +++ b/apps/cde/base/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cde-vault + namespace: cde