git push

apps/bim/base/backend-deployment.yaml

@@ -15,11 +15,50 @@ spec:
     metadata:
       labels:
         app: backend
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: bim
+        vault.hashicorp.com/agent-inject-secret-bim-postgresql: secrets/data/postgresql/apps/bim
+        vault.hashicorp.com/agent-inject-template-bim-postgresql: |-
+          {{- with secret "secrets/data/postgresql/apps/bim" -}}
+          POSTGRES_ADDRESS=postgresql.bim.svc.cluster.local
+          POSTGRES_ADDRESS_2=postgresql.bim.svc.cluster.local
+          POSTGRES_ADDRESS_3=postgresql.bim.svc.cluster.local
+          POSTGRES_ADDRESS_4=postgresql.bim.svc.cluster.local
+          POSTGRES_PORT=5432
+          POSTGRES_PORT_2=5432
+          POSTGRES_PORT_3=5432
+          POSTGRES_PORT_4=5432
+          POSTGRES_DB=bim_db
+          POSTGRES_DB_2=bim_db
+          POSTGRES_DB_3=bim_db
+          POSTGRES_DB_4=bim_db
+          POSTGRES_USER={{ index .Data.data "username" }}
+          POSTGRES_USER_2={{ index .Data.data "username" }}
+          POSTGRES_USER_3={{ index .Data.data "username" }}
+          POSTGRES_USER_4={{ index .Data.data "username" }}
+          POSTGRES_PASSWORD={{ index .Data.data "password" }}
+          POSTGRES_PASSWORD_2={{ index .Data.data "password" }}
+          POSTGRES_PASSWORD_3={{ index .Data.data "password" }}
+          POSTGRES_PASSWORD_4={{ index .Data.data "password" }}
+          {{- end -}}
     spec:
+      serviceAccountName: bim-vault
       containers:
         - name: backend
           image: cr.yandex/crp3ccidau046kdj8g9q/bim-backend-v2:donstroi1
           imagePullPolicy: IfNotPresent
+          command: ["/bin/sh", "-ec"]
+          args:
+            - |
+              set -a
+              [ -f /vault/secrets/bim-postgresql ] && . /vault/secrets/bim-postgresql
+              set +a
+              exec /app/entrypoint_api.sh
           ports:
             - name: http
               containerPort: 8000
@@ -47,107 +86,6 @@ spec:
               value: "0"
             - name: ENABLE_SSL
               value: "0"
-            - name: POSTGRES_PORT_4
-              valueFrom:
-                secretKeyRef:
-                  key: port
-                  name: postgresql-secret
-            - name: POSTGRES_PORT_2
-              valueFrom:
-                secretKeyRef:
-                  key: port
-                  name: postgresql-secret
-            - name: POSTGRES_PORT
-              valueFrom:
-                secretKeyRef:
-                  key: port
-                  name: postgresql-secret
-            - name: POSTGRES_PORT_3
-              valueFrom:
-                secretKeyRef:
-                  key: port
-                  name: postgresql-secret
-            - name: POSTGRES_DB_2
-              valueFrom:
-                secretKeyRef:
-                  key: database
-                  name: postgresql-secret
-            - name: POSTGRES_DB_3
-              valueFrom:
-                secretKeyRef:
-                  key: database
-                  name: postgresql-secret
-            - name: POSTGRES_DB_4
-              valueFrom:
-                secretKeyRef:
-                  key: database
-                  name: postgresql-secret
-            - name: POSTGRES_DB
-              valueFrom:
-                secretKeyRef:
-                  key: database
-                  name: postgresql-secret
-            - name: POSTGRES_ADDRESS_2
-              valueFrom:
-                secretKeyRef:
-                  key: hostname
-                  name: postgresql-secret
-            - name: POSTGRES_ADDRESS
-              valueFrom:
-                secretKeyRef:
-                  key: hostname
-                  name: postgresql-secret
-            - name: POSTGRES_ADDRESS_3
-              valueFrom:
-                secretKeyRef:
-                  key: hostname
-                  name: postgresql-secret
-            - name: POSTGRES_ADDRESS_4
-              valueFrom:
-                secretKeyRef:
-                  key: hostname
-                  name: postgresql-secret
-            - name: POSTGRES_USER
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: postgresql-secret
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: postgresql-secret
-            - name: POSTGRES_USER_2
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: postgresql-secret
-            - name: POSTGRES_PASSWORD_2
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: postgresql-secret
-            - name: POSTGRES_USER_3
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: postgresql-secret
-            - name: POSTGRES_PASSWORD_3
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: postgresql-secret
-            - name: POSTGRES_USER_4
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: postgresql-secret
-            - name: POSTGRES_PASSWORD_4
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: postgresql-secret
-
           resources:
             requests:
               cpu: 100m

apps/bim/yc-k8s-test/postgresql.yaml

@@ -114,7 +114,12 @@ spec:
         - name: bim_db
           user: bim
           passwordKey: bim
-          extensions: []
+          extensions: 
+            - pg_stat_statements
+            - ltree
+            - timescaledb
+            - uuid-ossp
+            - pg_partman
           restoreFromDump: false
       s3-proxy:
         endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"

apps/django/base/backend-deployment.yaml

@@ -73,6 +73,11 @@ spec:
           {{- with secret "secrets/data/vault/common/rsa_keys" -}}
           {{ index .Data.data "public_key" }}
           {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-django-common: secrets/data/vault/common/django_auth
+        vault.hashicorp.com/agent-inject-template-django-common: |-
+          {{- with secret "secrets/data/vault/common/django_auth" -}}
+          ZITADEL_ACCESS_TOKEN={{ index .Data.data "django_zitadel_access_token" }}
+          {{- end -}}
     spec:
       serviceAccountName: django-vault
       volumes:
@@ -95,6 +100,7 @@ spec:
               [ -f /vault/secrets/django-rabbitmq ] && . /vault/secrets/django-rabbitmq
               [ -f /vault/secrets/django-s3 ] && . /vault/secrets/django-s3
               [ -f /vault/secrets/django-kafka ] && . /vault/secrets/django-kafka
+              [ -f /vault/secrets/django-common ] && . /vault/secrets/django-common
               [ -f /vault/secrets/django-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/django-jwt-private)"
               [ -f /vault/secrets/django-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/django-jwt-public)"
               set +a
@@ -176,11 +182,6 @@ spec:
               value: "1"
             - name: ZITADEL_HOST
               value: https://zitadel-srx.wb.ru
-            - name: ZITADEL_ACCESS_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  key: access_token
-                  name: zitadel-secret
             - name: SERVER_KAFKA_ENABLED
               value: "False"
             - name: KAFKA_TOPICS

apps/django/base/celery-deployment.yaml

@@ -73,6 +73,11 @@ spec:
           {{- with secret "secrets/data/vault/common/rsa_keys" -}}
           {{ index .Data.data "public_key" }}
           {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-django-common: secrets/data/vault/common/django_auth
+        vault.hashicorp.com/agent-inject-template-django-common: |-
+          {{- with secret "secrets/data/vault/common/django_auth" -}}
+          ZITADEL_ACCESS_TOKEN={{ index .Data.data "django_zitadel_access_token" }}
+          {{- end -}}
     spec:
       serviceAccountName: django-vault
       volumes:
@@ -95,6 +100,7 @@ spec:
               [ -f /vault/secrets/django-rabbitmq ] && . /vault/secrets/django-rabbitmq
               [ -f /vault/secrets/django-s3 ] && . /vault/secrets/django-s3
               [ -f /vault/secrets/django-kafka ] && . /vault/secrets/django-kafka
+              [ -f /vault/secrets/django-common ] && . /vault/secrets/django-common
               [ -f /vault/secrets/django-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/django-jwt-private)"
               [ -f /vault/secrets/django-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/django-jwt-public)"
               set +a
@@ -177,11 +183,6 @@ spec:
               value: "1"
             - name: ZITADEL_HOST
               value: https://zitadel-srx.wb.ru
-            - name: ZITADEL_ACCESS_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  key: access_token
-                  name: zitadel-secret
             - name: SERVER_KAFKA_ENABLED
               value: "False"
             - name: KAFKA_TOPICS

apps/django/yc-k8s-test/postgresql.yaml

@@ -114,7 +114,8 @@ spec:
         - name: sarex_db
           user: sarex
           passwordKey: sarex
-          extensions: []
+          extensions:
+            - pg_stat_statements
           restoreFromDump: false
       s3-proxy:
         endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"

apps/documentations/base/api-deployment.yaml

@@ -17,34 +17,68 @@ spec:
       labels:
         app: documentations-api
         service: documentations-api
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: documentations
+        vault.hashicorp.com/agent-inject-secret-documentations-postgresql: secrets/data/postgresql/apps/documentations
+        vault.hashicorp.com/agent-inject-template-documentations-postgresql: |-
+          {{- with secret "secrets/data/postgresql/apps/documentations" -}}
+          POSTGRES_ADDRESS=postgresql.documentations.svc.cluster.local
+          POSTGRES_PORT=5432
+          POSTGRES_DB=documentations_db
+          POSTGRES_USER={{ index .Data.data "username" }}
+          POSTGRES_PASSWORD={{ index .Data.data "password" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-documentations-common: secrets/data/vault/common/django_auth
+        vault.hashicorp.com/agent-inject-template-documentations-common: |-
+          {{- with secret "secrets/data/vault/common/django_auth" -}}
+          DJANGO_BASIC_AUTH={{ index .Data.data "key" }}
+          DJANGO_BASIC_AUTH_FOR_GET_USER={{ index .Data.data "key" }}
+          DOCUMENT_PUBLIC_LINK_JWT_SECRET={{ index .Data.data "documentations_public_link_jwt_secret" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-documentations-s3-account-json: secrets/data/vault/common/django_auth
+        vault.hashicorp.com/agent-inject-template-documentations-s3-account-json: |-
+          {{- with secret "secrets/data/vault/common/django_auth" -}}
+          {{ index .Data.data "documentations_s3_service_account_json" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-documentations-zitadel-account-json: secrets/data/vault/common/django_auth
+        vault.hashicorp.com/agent-inject-template-documentations-zitadel-account-json: |-
+          {{- with secret "secrets/data/vault/common/django_auth" -}}
+          {{ index .Data.data "documentations_zitadel_account_json" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-documentations-rsa-public: secrets/data/vault/common/rsa_keys
+        vault.hashicorp.com/agent-inject-template-documentations-rsa-public: |-
+          {{- with secret "secrets/data/vault/common/rsa_keys" -}}
+          {{ index .Data.data "public_key" }}
+          {{- end -}}
     spec:
-      volumes:
-        - name: documentations-yc-s3-secret
-          secret:
-            defaultMode: 420
-            secretName: documentations-yc-s3
-        - name: zitadel-account
-          secret:
-            defaultMode: 420
-            secretName: zitadel-account
+      serviceAccountName: documentations-vault
       containers:
         - name: documentations-api
           image: cr.yandex/crp3ccidau046kdj8g9q/documentations:prod_a9990430
           imagePullPolicy: IfNotPresent
+          command: ["/bin/sh", "-ec"]
+          args:
+            - |
+              set -a
+              [ -f /vault/secrets/documentations-postgresql ] && . /vault/secrets/documentations-postgresql
+              [ -f /vault/secrets/documentations-common ] && . /vault/secrets/documentations-common
+              [ -f /vault/secrets/documentations-rsa-public ] && export PUBLIC_KEY="$(cat /vault/secrets/documentations-rsa-public)"
+              set +a
+              exec /app/entrypoint.sh
           ports:
             - name: http
               containerPort: 8000
               protocol: TCP
           env:
-            - name: PUBLIC_KEY
-              valueFrom:
-                secretKeyRef:
-                  key: key
-                  name: public-key
             - name: POSTGRES_POOL_SIZE
               value: "20"
             - name: ZITADEL_ACCOUNT
-              value: /etc/sarex/zitadel/zitadel-account.json
+              value: /vault/secrets/documentations-zitadel-account-json
             - name: ZITADEL_DOMAIN
               value: zitadel-srx.wb.ru
             - name: USE_ZITADEL
@@ -57,11 +91,6 @@ spec:
               value: 0.0.0.0:8080
             - name: API_ADDRESS_FILE
               value: 0.0.0.0:8080
-            - name: DOCUMENT_PUBLIC_LINK_JWT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  key: secret
-                  name: yc-jwt-secret
             - name: DOCUMENT_PUBLIC_LINK_JWT_EXPIRATION_MINUTES
               value: "5"
             - name: ENABLE_SQL_QUERY
@@ -111,7 +140,7 @@ spec:
             - name: WORKFLOWS_IMAGES_VERSION
               value: master
             - name: S3_SERVICE_ACCOUNT
-              value: /etc/sarex/yc-s3-storage/yc-s3-service-account.json
+              value: /vault/secrets/documentations-s3-account-json
             - name: READ_WRITE_TIMEOUT_FILE_STREAM
               value: 6h
             - name: CACHE_DEFAULT_EXPIRATION
@@ -135,54 +164,10 @@ spec:
             - name: VALKEY_PORT
               value: "6379"
       
-            - name: POSTGRES_DB
-              valueFrom:
-                secretKeyRef:
-                  key: database
-                  name: postgresql-secret
-            - name: POSTGRES_ADDRESS
-              valueFrom:
-                secretKeyRef:
-                  key: hostname
-                  name: postgresql-secret
-            - name: POSTGRES_PORT
-              valueFrom:
-                secretKeyRef:
-                  key: port
-                  name: postgresql-secret
-            - name: POSTGRES_USER
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: postgresql-secret
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: postgresql-secret
-            - name: DJANGO_BASIC_AUTH
-              valueFrom:
-                secretKeyRef:
-                  key: key
-                  name: django-auth
-            - name: DJANGO_BASIC_AUTH_FOR_GET_USER
-              valueFrom:
-                secretKeyRef:
-                  key: key
-                  name: django-auth
-
-
           resources:
             requests:
               cpu: "1"
               memory: 1Gi
-          volumeMounts:
-            - mountPath: /etc/sarex/yc-s3-storage
-              name: documentations-yc-s3-secret
-              readOnly: true
-            - mountPath: /etc/sarex/zitadel
-              name: zitadel-account
-              readOnly: true
 
       imagePullSecrets:
         - name: regcred

apps/documentations/base/filestream-deployment.yaml

@@ -17,34 +17,68 @@ spec:
       labels:
         app: documentations-filestream
         service: documentations-filestream
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: documentations
+        vault.hashicorp.com/agent-inject-secret-documentations-postgresql: secrets/data/postgresql/apps/documentations
+        vault.hashicorp.com/agent-inject-template-documentations-postgresql: |-
+          {{- with secret "secrets/data/postgresql/apps/documentations" -}}
+          POSTGRES_ADDRESS=postgresql.documentations.svc.cluster.local
+          POSTGRES_PORT=5432
+          POSTGRES_DB=documentations_db
+          POSTGRES_USER={{ index .Data.data "username" }}
+          POSTGRES_PASSWORD={{ index .Data.data "password" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-documentations-common: secrets/data/vault/common/django_auth
+        vault.hashicorp.com/agent-inject-template-documentations-common: |-
+          {{- with secret "secrets/data/vault/common/django_auth" -}}
+          DJANGO_BASIC_AUTH={{ index .Data.data "key" }}
+          DJANGO_BASIC_AUTH_FOR_GET_USER={{ index .Data.data "key" }}
+          DOCUMENT_PUBLIC_LINK_JWT_SECRET={{ index .Data.data "documentations_public_link_jwt_secret" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-documentations-s3-account-json: secrets/data/vault/common/django_auth
+        vault.hashicorp.com/agent-inject-template-documentations-s3-account-json: |-
+          {{- with secret "secrets/data/vault/common/django_auth" -}}
+          {{ index .Data.data "documentations_s3_service_account_json" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-documentations-zitadel-account-json: secrets/data/vault/common/django_auth
+        vault.hashicorp.com/agent-inject-template-documentations-zitadel-account-json: |-
+          {{- with secret "secrets/data/vault/common/django_auth" -}}
+          {{ index .Data.data "documentations_zitadel_account_json" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-documentations-rsa-public: secrets/data/vault/common/rsa_keys
+        vault.hashicorp.com/agent-inject-template-documentations-rsa-public: |-
+          {{- with secret "secrets/data/vault/common/rsa_keys" -}}
+          {{ index .Data.data "public_key" }}
+          {{- end -}}
     spec:
-      volumes:
-        - name: documentations-yc-s3-secret
-          secret:
-            defaultMode: 420
-            secretName: documentations-yc-s3
-        - name: zitadel-account
-          secret:
-            defaultMode: 420
-            secretName: zitadel-account
+      serviceAccountName: documentations-vault
       containers:
         - name: documentations-filestream
           image: cr.yandex/crp3ccidau046kdj8g9q/documentations-api-files:prod_a9990430
           imagePullPolicy: IfNotPresent
+          command: ["/bin/sh", "-ec"]
+          args:
+            - |
+              set -a
+              [ -f /vault/secrets/documentations-postgresql ] && . /vault/secrets/documentations-postgresql
+              [ -f /vault/secrets/documentations-common ] && . /vault/secrets/documentations-common
+              [ -f /vault/secrets/documentations-rsa-public ] && export PUBLIC_KEY="$(cat /vault/secrets/documentations-rsa-public)"
+              set +a
+              exec /app/file_entrypoint.sh
           ports:
             - name: http
               containerPort: 8000
               protocol: TCP
           env:
-            - name: PUBLIC_KEY
-              valueFrom:
-                secretKeyRef:
-                  key: key
-                  name: public-key
             - name: POSTGRES_POOL_SIZE
               value: "20"
             - name: ZITADEL_ACCOUNT
-              value: /etc/sarex/zitadel/zitadel-account.json
+              value: /vault/secrets/documentations-zitadel-account-json
             - name: ZITADEL_DOMAIN
               value: zitadel-srx.wb.ru
             - name: USE_ZITADEL
@@ -57,11 +91,6 @@ spec:
               value: 0.0.0.0:8080
             - name: API_ADDRESS_FILE
               value: 0.0.0.0:8080
-            - name: DOCUMENT_PUBLIC_LINK_JWT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  key: secret
-                  name: yc-jwt-secret
             - name: DOCUMENT_PUBLIC_LINK_JWT_EXPIRATION_MINUTES
               value: "5"
             - name: ENABLE_SQL_QUERY
@@ -111,7 +140,7 @@ spec:
             - name: WORKFLOWS_IMAGES_VERSION
               value: master
             - name: S3_SERVICE_ACCOUNT
-              value: /etc/sarex/yc-s3-storage/yc-s3-service-account.json
+              value: /vault/secrets/documentations-s3-account-json
             - name: READ_WRITE_TIMEOUT_FILE_STREAM
               value: 6h
             - name: CACHE_DEFAULT_EXPIRATION
@@ -135,54 +164,10 @@ spec:
             - name: VALKEY_PORT
               value: "6379"
       
-            - name: POSTGRES_DB
-              valueFrom:
-                secretKeyRef:
-                  key: database
-                  name: postgresql-secret
-            - name: POSTGRES_ADDRESS
-              valueFrom:
-                secretKeyRef:
-                  key: hostname
-                  name: postgresql-secret
-            - name: POSTGRES_PORT
-              valueFrom:
-                secretKeyRef:
-                  key: port
-                  name: postgresql-secret
-            - name: POSTGRES_USER
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: postgresql-secret
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: postgresql-secret
-            - name: DJANGO_BASIC_AUTH
-              valueFrom:
-                secretKeyRef:
-                  key: key
-                  name: django-auth
-            - name: DJANGO_BASIC_AUTH_FOR_GET_USER
-              valueFrom:
-                secretKeyRef:
-                  key: key
-                  name: django-auth
-
-
           resources:
             requests:
               cpu: "1"
               memory: 1Gi
-          volumeMounts:
-            - mountPath: /etc/sarex/yc-s3-storage
-              name: documentations-yc-s3-secret
-              readOnly: true
-            - mountPath: /etc/sarex/zitadel
-              name: zitadel-account
-              readOnly: true
 
       imagePullSecrets:
         - name: regcred

apps/documentations/base/pdm-deployment.yaml

@@ -17,20 +17,53 @@ spec:
       labels:
         app: pdm-api
         service: pdm-api
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: documentations
+        vault.hashicorp.com/agent-inject-secret-documentations-postgresql: secrets/data/postgresql/apps/documentations
+        vault.hashicorp.com/agent-inject-template-documentations-postgresql: |-
+          {{- with secret "secrets/data/postgresql/apps/documentations" -}}
+          POSTGRES_ADDRESS=postgresql.documentations.svc.cluster.local
+          POSTGRES_PORT=5432
+          POSTGRES_DB=documentations_db
+          POSTGRES_USER={{ index .Data.data "username" }}
+          POSTGRES_PASSWORD={{ index .Data.data "password" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-documentations-common: secrets/data/vault/common/django_auth
+        vault.hashicorp.com/agent-inject-template-documentations-common: |-
+          {{- with secret "secrets/data/vault/common/django_auth" -}}
+          DJANGO_BASIC_AUTH={{ index .Data.data "key" }}
+          RELEASES_TOKEN={{ index .Data.data "documentations_releases_token" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-documentations-s3-account-json: secrets/data/vault/common/django_auth
+        vault.hashicorp.com/agent-inject-template-documentations-s3-account-json: |-
+          {{- with secret "secrets/data/vault/common/django_auth" -}}
+          {{ index .Data.data "documentations_s3_service_account_json" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-documentations-rsa-public: secrets/data/vault/common/rsa_keys
+        vault.hashicorp.com/agent-inject-template-documentations-rsa-public: |-
+          {{- with secret "secrets/data/vault/common/rsa_keys" -}}
+          {{ index .Data.data "public_key" }}
+          {{- end -}}
     spec:
-      volumes:
-        - name: documentations-yc-s3-secret
-          secret:
-            defaultMode: 420
-            secretName: documentations-yc-s3
-        - name: zitadel-account
-          secret:
-            defaultMode: 420
-            secretName: zitadel-account
+      serviceAccountName: documentations-vault
       containers:
         - name: pdm-api
           image: cr.yandex/crp3ccidau046kdj8g9q/pdmv2:prod_38958427
           imagePullPolicy: IfNotPresent
+          command: ["/bin/sh", "-ec"]
+          args:
+            - |
+              set -a
+              [ -f /vault/secrets/documentations-postgresql ] && . /vault/secrets/documentations-postgresql
+              [ -f /vault/secrets/documentations-common ] && . /vault/secrets/documentations-common
+              [ -f /vault/secrets/documentations-rsa-public ] && export PUBLIC_KEY="$(cat /vault/secrets/documentations-rsa-public)"
+              set +a
+              exec ./httpserver
           ports:
             - name: http
               containerPort: 8080
@@ -38,50 +71,10 @@ spec:
           env:
             - name: USE_EXPERIMENTAL
               value: "true"
-            - name: RELEASES_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  key: key
-                  name: releases-token
-            - name: POSTGRES_USER
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: postgresql-secret
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: postgresql-secret
-            - name: POSTGRES_ADDRESS
-              valueFrom:
-                secretKeyRef:
-                  key: hostname
-                  name: postgresql-secret
-            - name: POSTGRES_DB
-              valueFrom:
-                secretKeyRef:
-                  key: database
-                  name: postgresql-secret
-            - name: POSTGRES_PORT
-              valueFrom:
-                secretKeyRef:
-                  key: port
-                  name: postgresql-secret
             - name: POSTGRES_POOL_SIZE
               value: "20"
             - name: TRANSMITTALS_BASE_URL
               value: mock
-            - name: DJANGO_BASIC_AUTH
-              valueFrom:
-                secretKeyRef:
-                  key: key
-                  name: django-auth
-            - name: PUBLIC_KEY
-              valueFrom:
-                secretKeyRef:
-                  key: key
-                  name: public-key
             - name: API_ADDRESS
               value: 0.0.0.0:8080
             - name: API_ADDRESS_FILE
@@ -152,7 +145,7 @@ spec:
             - name: RESOURCES_URL
               value: http://resources-service.resources.svc.cluster.local:8000
             - name: S3_SERVICE_ACCOUNT
-              value: /etc/sarex/yc-s3-storage/yc-s3-service-account.json
+              value: /vault/secrets/documentations-s3-account-json
             - name: STATES_URL
               value: http://workspaces-service.workspaces.svc.cluster.local:8000/
             - name: SUBSCRIPTIONS_URL
@@ -179,20 +172,10 @@ spec:
               value: v1
             - name: WORKSPACE_URL
               value: http://workspaces-service.workspaces.svc.cluster.local:8000/
-
-
-
           resources:
             requests:
               cpu: "1"
               memory: 1Gi
-          volumeMounts:
-            - mountPath: /etc/sarex/yc-s3-storage
-              name: documentations-yc-s3-secret
-              readOnly: true
-            - mountPath: /etc/sarex/zitadel
-              name: zitadel-account
-              readOnly: true
 
       imagePullSecrets:
         - name: regcred

apps/documentations/yc-k8s-test/postgresql.yaml

@@ -114,7 +114,11 @@ spec:
         - name: documentations_db
           user: documentations
           passwordKey: documentations
-          extensions: []
+          extensions: 
+            - pg_stat_statements
+            - ltree
+            - timescaledb
+            - uuid-ossp
           restoreFromDump: false
       s3-proxy:
         endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"

apps/subscriptions/yc-k8s-test/postgresql.yaml

@@ -114,7 +114,8 @@ spec:
         - name: subscriptions_db
           user: subscriptions
           passwordKey: subscriptions
-          extensions: []
+          extensions: 
+            - postgis
           restoreFromDump: false
       s3-proxy:
         endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"