From b5abe99f8eba8174ba3d1eaaec06627517928cbd Mon Sep 17 00:00:00 2001 From: Kochetkov S Date: Thu, 23 Apr 2026 17:50:43 +0300 Subject: [PATCH] git push --- apps/bim/base/backend-deployment.yaml | 140 +++++------------- apps/bim/yc-k8s-test/postgresql.yaml | 7 +- apps/django/base/backend-deployment.yaml | 11 +- apps/django/base/celery-deployment.yaml | 11 +- apps/django/yc-k8s-test/postgresql.yaml | 3 +- apps/documentations/base/api-deployment.yaml | 115 +++++++------- .../base/filestream-deployment.yaml | 115 +++++++------- apps/documentations/base/pdm-deployment.yaml | 103 ++++++------- .../yc-k8s-test/postgresql.yaml | 6 +- .../subscriptions/yc-k8s-test/postgresql.yaml | 3 +- 10 files changed, 209 insertions(+), 305 deletions(-) diff --git a/apps/bim/base/backend-deployment.yaml b/apps/bim/base/backend-deployment.yaml index eaffa99..c5d9d78 100644 --- a/apps/bim/base/backend-deployment.yaml +++ b/apps/bim/base/backend-deployment.yaml 
@@ -15,11 +15,50 @@ spec: metadata: labels: app: backend + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: bim + vault.hashicorp.com/agent-inject-secret-bim-postgresql: secrets/data/postgresql/apps/bim + vault.hashicorp.com/agent-inject-template-bim-postgresql: |- + {{- with secret "secrets/data/postgresql/apps/bim" -}} + POSTGRES_ADDRESS=postgresql.bim.svc.cluster.local + POSTGRES_ADDRESS_2=postgresql.bim.svc.cluster.local + POSTGRES_ADDRESS_3=postgresql.bim.svc.cluster.local + POSTGRES_ADDRESS_4=postgresql.bim.svc.cluster.local + POSTGRES_PORT=5432 + POSTGRES_PORT_2=5432 + POSTGRES_PORT_3=5432 + POSTGRES_PORT_4=5432 + POSTGRES_DB=bim_db + POSTGRES_DB_2=bim_db + POSTGRES_DB_3=bim_db + POSTGRES_DB_4=bim_db + POSTGRES_USER={{ index .Data.data "username" }} + POSTGRES_USER_2={{ index .Data.data "username" }} + POSTGRES_USER_3={{ index .Data.data "username" }} + POSTGRES_USER_4={{ index .Data.data "username" }} + POSTGRES_PASSWORD={{ index .Data.data "password" }} + POSTGRES_PASSWORD_2={{ index .Data.data "password" }} + POSTGRES_PASSWORD_3={{ index .Data.data "password" }} + POSTGRES_PASSWORD_4={{ index .Data.data "password" }} + {{- end -}} spec: + serviceAccountName: bim-vault containers: - name: backend image: cr.yandex/crp3ccidau046kdj8g9q/bim-backend-v2:donstroi1 imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/bim-postgresql ] && . /vault/secrets/bim-postgresql + set +a + exec /app/entrypoint_api.sh ports: - name: http containerPort: 8000 
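Review bot: The rendered file is sourced by `/bin/sh`, but the template writes every value unquoted (`POSTGRES_PASSWORD={{ index .Data.data "password" }}`), so a password containing a space, `$`, `;`, a backtick or a quote is word-split or evaluated by the shell instead of being assigned verbatim, and under `set -e` that can abort the wrapper before `exec`. Single-quote each templated value, e.g. `POSTGRES_PASSWORD='{{ index .Data.data "password" | replaceAll "'" "'\\''" }}'`, and do the same for the user and the `_2`…`_4` copies (`replaceAll` is a consul-template function; confirm your Vault Agent version ships it). The `[ -f … ] &&` guard also means a missing render would start the backend with no database credentials at all now that the `postgresql-secret` env entries are gone; `agent-init-first` with `agent-pre-populate-only` should normally block the pod until the file exists, but `. /vault/secrets/bim-postgresql || exit 1` makes the failure explicit rather than relying on that.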
@@ -47,107 +86,6 @@ spec: value: "0" - name: ENABLE_SSL value: "0" - - name: POSTGRES_PORT_4 - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: POSTGRES_PORT_2 - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: POSTGRES_PORT - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: POSTGRES_PORT_3 - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: POSTGRES_DB_2 - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: POSTGRES_DB_3 - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: POSTGRES_DB_4 - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: POSTGRES_ADDRESS_2 - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: POSTGRES_ADDRESS - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: POSTGRES_ADDRESS_3 - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: POSTGRES_ADDRESS_4 - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: POSTGRES_USER_2 - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: POSTGRES_PASSWORD_2 - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: POSTGRES_USER_3 - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: POSTGRES_PASSWORD_3 - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: POSTGRES_USER_4 - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: POSTGRES_PASSWORD_4 - valueFrom: - secretKeyRef: - key: password - name: 
postgresql-secret - resources: requests: cpu: 100m diff --git a/apps/bim/yc-k8s-test/postgresql.yaml b/apps/bim/yc-k8s-test/postgresql.yaml index ada45d6..6fe5c13 100644 --- a/apps/bim/yc-k8s-test/postgresql.yaml +++ b/apps/bim/yc-k8s-test/postgresql.yaml @@ -114,7 +114,12 @@ spec: - name: bim_db user: bim passwordKey: bim - extensions: [] + extensions: + - pg_stat_statements + - ltree + - timescaledb + - uuid-ossp + - pg_partman restoreFromDump: false s3-proxy: endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local" diff --git a/apps/django/base/backend-deployment.yaml b/apps/django/base/backend-deployment.yaml index a1ef24d..4847a99 100644 --- a/apps/django/base/backend-deployment.yaml +++ b/apps/django/base/backend-deployment.yaml @@ -73,6 +73,11 @@ spec: {{- with secret "secrets/data/vault/common/rsa_keys" -}} {{ index .Data.data "public_key" }} {{- end -}} + vault.hashicorp.com/agent-inject-secret-django-common: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-django-common: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + ZITADEL_ACCESS_TOKEN={{ index .Data.data "django_zitadel_access_token" }} + {{- end -}} spec: serviceAccountName: django-vault volumes: @@ -95,6 +100,7 @@ spec: [ -f /vault/secrets/django-rabbitmq ] && . /vault/secrets/django-rabbitmq [ -f /vault/secrets/django-s3 ] && . /vault/secrets/django-s3 [ -f /vault/secrets/django-kafka ] && . /vault/secrets/django-kafka + [ -f /vault/secrets/django-common ] && . /vault/secrets/django-common [ -f /vault/secrets/django-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/django-jwt-private)" [ -f /vault/secrets/django-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/django-jwt-public)" set +a 
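Review bot: `secrets/data/vault/common/django_auth` is read here by the `django` role for `django_zitadel_access_token`, and the same KV entry is what the documentations deployments in this patch render their S3 service-account JSON, Zitadel account JSON, basic-auth key, releases token and public-link JWT secret from; a KV read policy is granted per path, not per key, so every role allowed to read this path can fetch all of those values. Unless the `django` and `documentations` policies are intended to be equivalent, split the entry into per-consumer paths (for example `secrets/data/vault/django/zitadel` and `secrets/data/vault/documentations/auth`) and scope each role to its own. The Vault policies are not part of this diff, so treat this as a point to confirm rather than a confirmed over-grant.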
@@ -176,11 +182,6 @@ spec: value: "1" - name: ZITADEL_HOST value: https://zitadel-srx.wb.ru - - name: ZITADEL_ACCESS_TOKEN - valueFrom: - secretKeyRef: - key: access_token - name: zitadel-secret - name: SERVER_KAFKA_ENABLED value: "False" - name: KAFKA_TOPICS diff --git a/apps/django/base/celery-deployment.yaml b/apps/django/base/celery-deployment.yaml index 32e1b3c..e04f62c 100644 --- a/apps/django/base/celery-deployment.yaml +++ b/apps/django/base/celery-deployment.yaml @@ -73,6 +73,11 @@ spec: {{- with secret "secrets/data/vault/common/rsa_keys" -}} {{ index .Data.data "public_key" }} {{- end -}} + vault.hashicorp.com/agent-inject-secret-django-common: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-django-common: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + ZITADEL_ACCESS_TOKEN={{ index .Data.data "django_zitadel_access_token" }} + {{- end -}} spec: serviceAccountName: django-vault volumes: @@ -95,6 +100,7 @@ spec: [ -f /vault/secrets/django-rabbitmq ] && . /vault/secrets/django-rabbitmq [ -f /vault/secrets/django-s3 ] && . /vault/secrets/django-s3 [ -f /vault/secrets/django-kafka ] && . /vault/secrets/django-kafka + [ -f /vault/secrets/django-common ] && . /vault/secrets/django-common [ -f /vault/secrets/django-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/django-jwt-private)" [ -f /vault/secrets/django-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/django-jwt-public)" set +a @@ -177,11 +183,6 @@ spec: value: "1" - name: ZITADEL_HOST value: https://zitadel-srx.wb.ru - - name: ZITADEL_ACCESS_TOKEN - valueFrom: - secretKeyRef: - key: access_token - name: zitadel-secret - name: SERVER_KAFKA_ENABLED value: "False" - name: KAFKA_TOPICS diff --git a/apps/django/yc-k8s-test/postgresql.yaml b/apps/django/yc-k8s-test/postgresql.yaml index 03d2563..27cb706 100644 --- a/apps/django/yc-k8s-test/postgresql.yaml +++ b/apps/django/yc-k8s-test/postgresql.yaml 
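Review bot: After this change nothing in backend-deployment.yaml or celery-deployment.yaml references the `zitadel-secret` Kubernetes Secret, but the object itself is not removed here; if it is managed in this repo it should be deleted in the same change, otherwise the old token stays in etcd readable to anyone with `get secrets` in the namespace, and since the value was previously exposed that way it is worth rotating in Zitadel once the Vault path is live. The same applies to `postgresql-secret`, `django-auth`, `public-key`, `yc-jwt-secret` and `releases-token`, which the other deployments in this patch stop using. As a style point, the whole `vault.hashicorp.com/*` annotation block and the `set -a` wrapper are now copied verbatim between the backend and celery deployments; a shared Kustomize patch or component would keep the two from drifting.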
@@ -114,7 +114,8 @@ spec: - name: sarex_db user: sarex passwordKey: sarex - extensions: [] + extensions: + - pg_stat_statements restoreFromDump: false s3-proxy: endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local" diff --git a/apps/documentations/base/api-deployment.yaml b/apps/documentations/base/api-deployment.yaml index 7aa3014..c0af844 100644 --- a/apps/documentations/base/api-deployment.yaml +++ b/apps/documentations/base/api-deployment.yaml 
@@ -17,34 +17,68 @@ spec: labels: app: documentations-api service: documentations-api + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: documentations + vault.hashicorp.com/agent-inject-secret-documentations-postgresql: secrets/data/postgresql/apps/documentations + vault.hashicorp.com/agent-inject-template-documentations-postgresql: |- + {{- with secret "secrets/data/postgresql/apps/documentations" -}} + POSTGRES_ADDRESS=postgresql.documentations.svc.cluster.local + POSTGRES_PORT=5432 + POSTGRES_DB=documentations_db + POSTGRES_USER={{ index .Data.data "username" }} + POSTGRES_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-documentations-common: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-documentations-common: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + DJANGO_BASIC_AUTH={{ index .Data.data "key" }} + DJANGO_BASIC_AUTH_FOR_GET_USER={{ index .Data.data "key" }} + DOCUMENT_PUBLIC_LINK_JWT_SECRET={{ index .Data.data "documentations_public_link_jwt_secret" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-documentations-s3-account-json: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-documentations-s3-account-json: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + {{ index .Data.data "documentations_s3_service_account_json" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-documentations-zitadel-account-json: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-documentations-zitadel-account-json: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + {{ index .Data.data "documentations_zitadel_account_json" }} + 
{{- end -}} + vault.hashicorp.com/agent-inject-secret-documentations-rsa-public: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-documentations-rsa-public: |- + {{- with secret "secrets/data/vault/common/rsa_keys" -}} + {{ index .Data.data "public_key" }} + {{- end -}} spec: - volumes: - - name: documentations-yc-s3-secret - secret: - defaultMode: 420 - secretName: documentations-yc-s3 - - name: zitadel-account - secret: - defaultMode: 420 - secretName: zitadel-account + serviceAccountName: documentations-vault containers: - name: documentations-api image: cr.yandex/crp3ccidau046kdj8g9q/documentations:prod_a9990430 imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/documentations-postgresql ] && . /vault/secrets/documentations-postgresql + [ -f /vault/secrets/documentations-common ] && . /vault/secrets/documentations-common + [ -f /vault/secrets/documentations-rsa-public ] && export PUBLIC_KEY="$(cat /vault/secrets/documentations-rsa-public)" + set +a + exec /app/entrypoint.sh ports: - name: http containerPort: 8000 protocol: TCP env: - - name: PUBLIC_KEY - valueFrom: - secretKeyRef: - key: key - name: public-key - name: POSTGRES_POOL_SIZE value: "20" - name: ZITADEL_ACCOUNT - value: /etc/sarex/zitadel/zitadel-account.json + value: /vault/secrets/documentations-zitadel-account-json - name: ZITADEL_DOMAIN value: zitadel-srx.wb.ru - name: USE_ZITADEL @@ -57,11 +91,6 @@ spec: value: 0.0.0.0:8080 - name: API_ADDRESS_FILE value: 0.0.0.0:8080 - - name: DOCUMENT_PUBLIC_LINK_JWT_SECRET - valueFrom: - secretKeyRef: - key: secret - name: yc-jwt-secret - name: DOCUMENT_PUBLIC_LINK_JWT_EXPIRATION_MINUTES value: "5" - name: ENABLE_SQL_QUERY 
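Review bot: `/vault/secrets/documentations-s3-account-json` and `…-zitadel-account-json` are full service-account credentials, and with the injector's defaults they are rendered with 0644 permissions onto a volume that the injector mounts into every container of the pod, so if the Istio sidecar is injected before the Vault agent the `istio-proxy` container receives them as well. Limit the mount to the app container with `vault.hashicorp.com/agent-inject-containers: "documentations-api"` (supported by recent vault-k8s releases; check the version you run) and tighten the files with `vault.hashicorp.com/agent-inject-perms-documentations-s3-account-json: "0400"` plus the same for the Zitadel JSON, setting `vault.hashicorp.com/agent-run-as-user` to the UID the application runs as so it can still read them. The previous `secret` volumes were mounted `readOnly: true`; `/vault/secrets` is a writable emptyDir, which is harmless here but is a change worth noting in the manifest.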
@@ -111,7 +140,7 @@ spec: - name: WORKFLOWS_IMAGES_VERSION value: master - name: S3_SERVICE_ACCOUNT - value: /etc/sarex/yc-s3-storage/yc-s3-service-account.json + value: /vault/secrets/documentations-s3-account-json - name: READ_WRITE_TIMEOUT_FILE_STREAM value: 6h - name: CACHE_DEFAULT_EXPIRATION @@ -135,54 +164,10 @@ spec: - name: VALKEY_PORT value: "6379" - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: POSTGRES_ADDRESS - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: POSTGRES_PORT - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: DJANGO_BASIC_AUTH - valueFrom: - secretKeyRef: - key: key - name: django-auth - - name: DJANGO_BASIC_AUTH_FOR_GET_USER - valueFrom: - secretKeyRef: - key: key - name: django-auth - - resources: requests: cpu: "1" memory: 1Gi - volumeMounts: - - mountPath: /etc/sarex/yc-s3-storage - name: documentations-yc-s3-secret - readOnly: true - - mountPath: /etc/sarex/zitadel - name: zitadel-account - readOnly: true imagePullSecrets: - name: regcred diff --git a/apps/documentations/base/filestream-deployment.yaml b/apps/documentations/base/filestream-deployment.yaml index 13c5b2d..8c89626 100644 --- a/apps/documentations/base/filestream-deployment.yaml +++ b/apps/documentations/base/filestream-deployment.yaml 
@@ -17,34 +17,68 @@ spec: labels: app: documentations-filestream service: documentations-filestream + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: documentations + vault.hashicorp.com/agent-inject-secret-documentations-postgresql: secrets/data/postgresql/apps/documentations + vault.hashicorp.com/agent-inject-template-documentations-postgresql: |- + {{- with secret "secrets/data/postgresql/apps/documentations" -}} + POSTGRES_ADDRESS=postgresql.documentations.svc.cluster.local + POSTGRES_PORT=5432 + POSTGRES_DB=documentations_db + POSTGRES_USER={{ index .Data.data "username" }} + POSTGRES_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-documentations-common: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-documentations-common: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + DJANGO_BASIC_AUTH={{ index .Data.data "key" }} + DJANGO_BASIC_AUTH_FOR_GET_USER={{ index .Data.data "key" }} + DOCUMENT_PUBLIC_LINK_JWT_SECRET={{ index .Data.data "documentations_public_link_jwt_secret" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-documentations-s3-account-json: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-documentations-s3-account-json: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + {{ index .Data.data "documentations_s3_service_account_json" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-documentations-zitadel-account-json: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-documentations-zitadel-account-json: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + {{ index .Data.data 
"documentations_zitadel_account_json" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-documentations-rsa-public: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-documentations-rsa-public: |- + {{- with secret "secrets/data/vault/common/rsa_keys" -}} + {{ index .Data.data "public_key" }} + {{- end -}} spec: - volumes: - - name: documentations-yc-s3-secret - secret: - defaultMode: 420 - secretName: documentations-yc-s3 - - name: zitadel-account - secret: - defaultMode: 420 - secretName: zitadel-account + serviceAccountName: documentations-vault containers: - name: documentations-filestream image: cr.yandex/crp3ccidau046kdj8g9q/documentations-api-files:prod_a9990430 imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/documentations-postgresql ] && . /vault/secrets/documentations-postgresql + [ -f /vault/secrets/documentations-common ] && . /vault/secrets/documentations-common + [ -f /vault/secrets/documentations-rsa-public ] && export PUBLIC_KEY="$(cat /vault/secrets/documentations-rsa-public)" + set +a + exec /app/file_entrypoint.sh ports: - name: http containerPort: 8000 protocol: TCP env: - - name: PUBLIC_KEY - valueFrom: - secretKeyRef: - key: key - name: public-key - name: POSTGRES_POOL_SIZE value: "20" - name: ZITADEL_ACCOUNT - value: /etc/sarex/zitadel/zitadel-account.json + value: /vault/secrets/documentations-zitadel-account-json - name: ZITADEL_DOMAIN value: zitadel-srx.wb.ru - name: USE_ZITADEL @@ -57,11 +91,6 @@ spec: value: 0.0.0.0:8080 - name: API_ADDRESS_FILE value: 0.0.0.0:8080 - - name: DOCUMENT_PUBLIC_LINK_JWT_SECRET - valueFrom: - secretKeyRef: - key: secret - name: yc-jwt-secret - name: DOCUMENT_PUBLIC_LINK_JWT_EXPIRATION_MINUTES value: "5" - name: ENABLE_SQL_QUERY 
@@ -111,7 +140,7 @@ spec: - name: WORKFLOWS_IMAGES_VERSION value: master - name: S3_SERVICE_ACCOUNT - value: /etc/sarex/yc-s3-storage/yc-s3-service-account.json + value: /vault/secrets/documentations-s3-account-json - name: READ_WRITE_TIMEOUT_FILE_STREAM value: 6h - name: CACHE_DEFAULT_EXPIRATION @@ -135,54 +164,10 @@ spec: - name: VALKEY_PORT value: "6379" - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: POSTGRES_ADDRESS - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: POSTGRES_PORT - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: DJANGO_BASIC_AUTH - valueFrom: - secretKeyRef: - key: key - name: django-auth - - name: DJANGO_BASIC_AUTH_FOR_GET_USER - valueFrom: - secretKeyRef: - key: key - name: django-auth - - resources: requests: cpu: "1" memory: 1Gi - volumeMounts: - - mountPath: /etc/sarex/yc-s3-storage - name: documentations-yc-s3-secret - readOnly: true - - mountPath: /etc/sarex/zitadel - name: zitadel-account - readOnly: true imagePullSecrets: - name: regcred diff --git a/apps/documentations/base/pdm-deployment.yaml b/apps/documentations/base/pdm-deployment.yaml index 368a298..d2c9fb3 100644 --- a/apps/documentations/base/pdm-deployment.yaml +++ b/apps/documentations/base/pdm-deployment.yaml 
@@ -17,20 +17,53 @@ spec: labels: app: pdm-api service: pdm-api + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: documentations + vault.hashicorp.com/agent-inject-secret-documentations-postgresql: secrets/data/postgresql/apps/documentations + vault.hashicorp.com/agent-inject-template-documentations-postgresql: |- + {{- with secret "secrets/data/postgresql/apps/documentations" -}} + POSTGRES_ADDRESS=postgresql.documentations.svc.cluster.local + POSTGRES_PORT=5432 + POSTGRES_DB=documentations_db + POSTGRES_USER={{ index .Data.data "username" }} + POSTGRES_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-documentations-common: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-documentations-common: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + DJANGO_BASIC_AUTH={{ index .Data.data "key" }} + RELEASES_TOKEN={{ index .Data.data "documentations_releases_token" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-documentations-s3-account-json: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-documentations-s3-account-json: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + {{ index .Data.data "documentations_s3_service_account_json" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-documentations-rsa-public: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-documentations-rsa-public: |- + {{- with secret "secrets/data/vault/common/rsa_keys" -}} + {{ index .Data.data "public_key" }} + {{- end -}} spec: - volumes: - - name: documentations-yc-s3-secret - secret: - defaultMode: 420 - secretName: documentations-yc-s3 - - name: zitadel-account - 
secret: - defaultMode: 420 - secretName: zitadel-account + serviceAccountName: documentations-vault containers: - name: pdm-api image: cr.yandex/crp3ccidau046kdj8g9q/pdmv2:prod_38958427 imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/documentations-postgresql ] && . /vault/secrets/documentations-postgresql + [ -f /vault/secrets/documentations-common ] && . /vault/secrets/documentations-common + [ -f /vault/secrets/documentations-rsa-public ] && export PUBLIC_KEY="$(cat /vault/secrets/documentations-rsa-public)" + set +a + exec ./httpserver ports: - name: http containerPort: 8080 @@ -38,50 +71,10 @@ spec: env: - name: USE_EXPERIMENTAL value: "true" - - name: RELEASES_TOKEN - valueFrom: - secretKeyRef: - key: key - name: releases-token - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: POSTGRES_ADDRESS - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: POSTGRES_PORT - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - name: POSTGRES_POOL_SIZE value: "20" - name: TRANSMITTALS_BASE_URL value: mock - - name: DJANGO_BASIC_AUTH - valueFrom: - secretKeyRef: - key: key - name: django-auth - - name: PUBLIC_KEY - valueFrom: - secretKeyRef: - key: key - name: public-key - name: API_ADDRESS value: 0.0.0.0:8080 - name: API_ADDRESS_FILE @@ -152,7 +145,7 @@ spec: - name: RESOURCES_URL value: http://resources-service.resources.svc.cluster.local:8000 - name: S3_SERVICE_ACCOUNT - value: /etc/sarex/yc-s3-storage/yc-s3-service-account.json + value: /vault/secrets/documentations-s3-account-json - name: STATES_URL value: http://workspaces-service.workspaces.svc.cluster.local:8000/ - name: SUBSCRIPTIONS_URL 
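Review bot: `exec ./httpserver` resolves against whatever working directory the image declares, and overriding `command` does not change it, so a future change to the image's `WORKDIR` or a `workingDir` set on the container makes the wrapper fail at its last line after every secret has already been loaded. Use the absolute path the image's Dockerfile installs the binary at (`exec /app/httpserver`, or wherever it actually lives — not visible from this diff) or set `workingDir` explicitly on the container. Unlike api- and filestream-deployment, this template removes the `zitadel-account` volume without rendering a replacement JSON; if `pdm-api` reads a `ZITADEL_ACCOUNT` path (not shown in this hunk) it now points at a file that no longer exists.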
@@ -179,20 +172,10 @@ spec: value: v1 - name: WORKSPACE_URL value: http://workspaces-service.workspaces.svc.cluster.local:8000/ - - - resources: requests: cpu: "1" memory: 1Gi - volumeMounts: - - mountPath: /etc/sarex/yc-s3-storage - name: documentations-yc-s3-secret - readOnly: true - - mountPath: /etc/sarex/zitadel - name: zitadel-account - readOnly: true imagePullSecrets: - name: regcred diff --git a/apps/documentations/yc-k8s-test/postgresql.yaml b/apps/documentations/yc-k8s-test/postgresql.yaml index 524424e..0276966 100644 --- a/apps/documentations/yc-k8s-test/postgresql.yaml +++ b/apps/documentations/yc-k8s-test/postgresql.yaml @@ -114,7 +114,11 @@ spec: - name: documentations_db user: documentations passwordKey: documentations - extensions: [] + extensions: + - pg_stat_statements + - ltree + - timescaledb + - uuid-ossp restoreFromDump: false s3-proxy: endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local" diff --git a/apps/subscriptions/yc-k8s-test/postgresql.yaml b/apps/subscriptions/yc-k8s-test/postgresql.yaml index dd25dfe..1983b33 100644 --- a/apps/subscriptions/yc-k8s-test/postgresql.yaml +++ b/apps/subscriptions/yc-k8s-test/postgresql.yaml @@ -114,7 +114,8 @@ spec: - name: subscriptions_db user: subscriptions passwordKey: subscriptions - extensions: [] + extensions: + - postgis restoreFromDump: false s3-proxy: endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"