vault + eav

This commit is contained in:
Kochetkov S 2026-04-22 12:57:28 +03:00
parent e083128be5
commit a4242bf82d
5 changed files with 66 additions and 62 deletions


@ -14,7 +14,42 @@ spec:
metadata:
labels:
app: backend
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: eav
vault.hashicorp.com/agent-inject-secret-eav-db: secrets/data/postgresql/apps/eav
vault.hashicorp.com/agent-inject-template-eav-db: |-
{{- with secret "secrets/data/postgresql/apps/eav" -}}
DJANGO_POSTGRES_HOST=postgresql.eav.svc.cluster.local
DJANGO_POSTGRES_PORT=5432
DJANGO_POSTGRES_DATABASE=eav_db
DJANGO_POSTGRES_USER={{ index .Data.data "username" }}
DJANGO_POSTGRES_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-eav-s3: secrets/data/minio/apps/eav
vault.hashicorp.com/agent-inject-template-eav-s3: |-
{{- with secret "secrets/data/minio/apps/eav" -}}
YC_S3_ENDPOINT_URL={{ index .Data.data.client "endpoint" }}
YC_S3_BUCKET_NAME=eav
YC_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-eav-jwt-private: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-eav-jwt-private: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "private_key" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-eav-jwt-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-eav-jwt-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec:
serviceAccountName: eav-vault
volumes:
- name: django-configmap
configMap:
@ -28,6 +63,16 @@ spec:
- name: backend
image: cr.yandex/crp3ccidau046kdj8g9q/eav:prod_0fb73247
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/eav-db ] && . /vault/secrets/eav-db
[ -f /vault/secrets/eav-s3 ] && . /vault/secrets/eav-s3
[ -f /vault/secrets/eav-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/eav-jwt-private)"
[ -f /vault/secrets/eav-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/eav-jwt-public)"
set +a
exec /server/entrypoint.sh
ports:
- name: http
@ -41,60 +86,6 @@ spec:
value: sarex
- name: DJANGO_SETTINGS_MODULE
value: config.settings.production
- name: DJANGO_POSTGRES_DATABASE
value: eav_db
- name: YC_S3_ENDPOINT_URL
value: http://minio-svc.minio.svc.cluster.local:9000
- name: YC_S3_BUCKET_NAME
value: eav
- name: DJANGO_POSTGRES_HOST
valueFrom:
secretKeyRef:
name: postgresql-secret
key: hostname
- name: DJANGO_POSTGRES_USER
valueFrom:
secretKeyRef:
name: postgresql-secret
key: username
- name: DJANGO_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: postgresql-secret
key: password
- name: DJANGO_POSTGRES_PORT
valueFrom:
secretKeyRef:
name: postgresql-secret
key: port
- name: JWT_PRIVATE_KEY
valueFrom:
secretKeyRef:
name: backend-secret
key: ssh_private.key
- name: JWT_PUBLIC_KEY
valueFrom:
secretKeyRef:
name: backend-secret
key: ssh_public.key
- name: YC_S3_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: s3-secret
key: username
- name: YC_S3_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: s3-secret
key: password
resources:
requests:
@ -123,4 +114,4 @@ spec:
failureThreshold: 20
imagePullSecrets:
- name: regcred
- name: regcred
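Review bot: The prologue `[ -f /vault/secrets/eav-db ] && . /vault/secrets/eav-db` (and the eav-s3 line) sources files whose values the templates above interpolate unquoted, so a database or S3 secret containing `$`, backticks, `;`, `#` or whitespace is mangled or executed by `sh` rather than assigned — the `secretKeyRef` injection this replaces had no shell parsing step. Single-quote the templated values, e.g. `DJANGO_POSTGRES_PASSWORD='{{ index .Data.data "password" }}'` and `YC_S3_SECRET_ACCESS_KEY='{{ index .Data.data "secret_key" }}'`, accepting that a `'` inside a secret still needs escaping. The `[ -f … ] &&` guards also turn a missing secret file into a silent start with no credentials; since `agent-init-first` and `agent-pre-populate-only` make the init container block until the files exist, dropping the guards (`. /vault/secrets/eav-db`) lets `set -e` fail the container instead. Note as well that `excludeOutboundPorts: "8200"` takes the agent's Vault traffic out of the Istio sidecar, so mesh mTLS no longer covers it and the agent must be given an https Vault address itself — that annotation is not in this hunk, so this is worth confirming.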


@ -4,6 +4,7 @@ kind: Kustomization
namespace: eav
resources:
- namespace.yaml
- serviceaccount.yaml
- backend-deployment.yaml
- backend-service.yaml
- django-configmap.yaml


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: eav-vault
namespace: eav
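Review bot: The new `eav-vault` ServiceAccount is shared by the backend container, not just the Vault agent, so the token that proves identity to Vault is also automounted into the application process; if the backend does not need the Kubernetes API, it is worth checking whether `automountServiceAccountToken: false` is viable here — newer vault-k8s injectors project their own token volume for the agent, but whether the version in use does is not visible in this commit. The Vault-side binding of role `eav` to this SA and the `eav` namespace is not part of the commit either, so a one-line comment such as `# Identity for the Vault agent; bound to Vault role "eav" (auth/kubernetes)` would document that dependency for the next reader.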


@ -8,4 +8,4 @@ patches:
- path: replicas.yaml
target:
kind: Deployment
name: comparisons
name: backend


@ -61,7 +61,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
@ -72,7 +72,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
@ -83,7 +83,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
@ -101,13 +101,20 @@ spec:
effect: NoSchedule
contour:
enabled: true
adminUser: ""
adminPasswordSecretKey: ""
adminUser: "postgres"
sharedPreloadLibraries: "pg_stat_statements,uuid-ossp,ltree,postgis"
vault:
enabled: true
role: postgresql
authPath: auth/kubernetes
secretPath: secrets/data/postgresql/admin
secretKey: postgres-password
usersSecretPath: secrets/data/postgresql/users
databases:
- name: eav_db
user: eav
passwordKey: eav
extensions: []
restoreFromDump: false
s3-proxy:
endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
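Review bot: The chart's `vault` block reads the application password from `usersSecretPath: secrets/data/postgresql/users` under `passwordKey: eav`, while the backend deployment in this same commit reads `secrets/data/postgresql/apps/eav` with keys `username`/`password`; unless the chart also writes the latter path (not visible here), the two copies of the `eav` credential can drift on rotation and the backend would fail to authenticate. Pointing both at one path, or adding a comment stating which copy is authoritative, would avoid that. Separately, the probes now run `pg_isready -U "postgres"`; pg_isready does not authenticate so that is harmless, but with `adminPasswordSecretKey` removed the admin credential now comes solely from `secrets/data/postgresql/admin` / `postgres-password`, so that key must exist in Vault before the chart is applied.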