sarex/iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

git push

Browse Source
This commit is contained in:
Kochetkov S 2026-04-23 17:50:43 +03:00
parent d8b9b59f48
commit b5abe99f8e
10 changed files with 209 additions and 305 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

140
apps/bim/base/backend-deployment.yaml
View File

@ -15,11 +15,50 @@ spec:
metadata: metadata:
labels: labels:
app: backend app: backend
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: bim
vault.hashicorp.com/agent-inject-secret-bim-postgresql: secrets/data/postgresql/apps/bim
vault.hashicorp.com/agent-inject-template-bim-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/bim" -}}
POSTGRES_ADDRESS=postgresql.bim.svc.cluster.local
POSTGRES_ADDRESS_2=postgresql.bim.svc.cluster.local
POSTGRES_ADDRESS_3=postgresql.bim.svc.cluster.local
POSTGRES_ADDRESS_4=postgresql.bim.svc.cluster.local
POSTGRES_PORT=5432
POSTGRES_PORT_2=5432
POSTGRES_PORT_3=5432
POSTGRES_PORT_4=5432
POSTGRES_DB=bim_db
POSTGRES_DB_2=bim_db
POSTGRES_DB_3=bim_db
POSTGRES_DB_4=bim_db
POSTGRES_USER={{ index .Data.data "username" }}
POSTGRES_USER_2={{ index .Data.data "username" }}
POSTGRES_USER_3={{ index .Data.data "username" }}
POSTGRES_USER_4={{ index .Data.data "username" }}
POSTGRES_PASSWORD={{ index .Data.data "password" }}
POSTGRES_PASSWORD_2={{ index .Data.data "password" }}
POSTGRES_PASSWORD_3={{ index .Data.data "password" }}
POSTGRES_PASSWORD_4={{ index .Data.data "password" }}
{{- end -}}
spec: spec:
serviceAccountName: bim-vault
containers: containers:
- name: backend - name: backend
image: cr.yandex/crp3ccidau046kdj8g9q/bim-backend-v2:donstroi1 image: cr.yandex/crp3ccidau046kdj8g9q/bim-backend-v2:donstroi1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/bim-postgresql ] && . /vault/secrets/bim-postgresql
set +a
exec /app/entrypoint_api.sh
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@ -47,107 +86,6 @@ spec:
value: "0" value: "0"
- name: ENABLE_SSL - name: ENABLE_SSL
value: "0" value: "0"
- name: POSTGRES_PORT_4
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: POSTGRES_PORT_2
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: POSTGRES_PORT_3
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: POSTGRES_DB_2
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: POSTGRES_DB_3
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: POSTGRES_DB_4
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: POSTGRES_ADDRESS_2
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: POSTGRES_ADDRESS
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: POSTGRES_ADDRESS_3
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: POSTGRES_ADDRESS_4
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: POSTGRES_USER_2
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: POSTGRES_PASSWORD_2
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: POSTGRES_USER_3
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: POSTGRES_PASSWORD_3
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: POSTGRES_USER_4
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: POSTGRES_PASSWORD_4
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
resources: resources:
requests: requests:
cpu: 100m cpu: 100m

7
apps/bim/yc-k8s-test/postgresql.yaml
View File

@ -114,7 +114,12 @@ spec:
- name: bim_db - name: bim_db
user: bim user: bim
passwordKey: bim passwordKey: bim
extensions: [] extensions:
- pg_stat_statements
- ltree
- timescaledb
- uuid-ossp
- pg_partman
restoreFromDump: false restoreFromDump: false
s3-proxy: s3-proxy:
endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local" endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"

11
apps/django/base/backend-deployment.yaml
View File

@ -73,6 +73,11 @@ spec:
{{- with secret "secrets/data/vault/common/rsa_keys" -}} {{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }} {{ index .Data.data "public_key" }}
{{- end -}} {{- end -}}
vault.hashicorp.com/agent-inject-secret-django-common: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-django-common: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
ZITADEL_ACCESS_TOKEN={{ index .Data.data "django_zitadel_access_token" }}
{{- end -}}
spec: spec:
serviceAccountName: django-vault serviceAccountName: django-vault
volumes: volumes:
@ -95,6 +100,7 @@ spec:
[ -f /vault/secrets/django-rabbitmq ] && . /vault/secrets/django-rabbitmq [ -f /vault/secrets/django-rabbitmq ] && . /vault/secrets/django-rabbitmq
[ -f /vault/secrets/django-s3 ] && . /vault/secrets/django-s3 [ -f /vault/secrets/django-s3 ] && . /vault/secrets/django-s3
[ -f /vault/secrets/django-kafka ] && . /vault/secrets/django-kafka [ -f /vault/secrets/django-kafka ] && . /vault/secrets/django-kafka
[ -f /vault/secrets/django-common ] && . /vault/secrets/django-common
[ -f /vault/secrets/django-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/django-jwt-private)" [ -f /vault/secrets/django-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/django-jwt-private)"
[ -f /vault/secrets/django-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/django-jwt-public)" [ -f /vault/secrets/django-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/django-jwt-public)"
set +a set +a
@ -176,11 +182,6 @@ spec:
value: "1" value: "1"
- name: ZITADEL_HOST - name: ZITADEL_HOST
value: https://zitadel-srx.wb.ru value: https://zitadel-srx.wb.ru
- name: ZITADEL_ACCESS_TOKEN
valueFrom:
secretKeyRef:
key: access_token
name: zitadel-secret
- name: SERVER_KAFKA_ENABLED - name: SERVER_KAFKA_ENABLED
value: "False" value: "False"
- name: KAFKA_TOPICS - name: KAFKA_TOPICS

11
apps/django/base/celery-deployment.yaml
View File

@ -73,6 +73,11 @@ spec:
{{- with secret "secrets/data/vault/common/rsa_keys" -}} {{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }} {{ index .Data.data "public_key" }}
{{- end -}} {{- end -}}
vault.hashicorp.com/agent-inject-secret-django-common: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-django-common: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
ZITADEL_ACCESS_TOKEN={{ index .Data.data "django_zitadel_access_token" }}
{{- end -}}
spec: spec:
serviceAccountName: django-vault serviceAccountName: django-vault
volumes: volumes:
@ -95,6 +100,7 @@ spec:
[ -f /vault/secrets/django-rabbitmq ] && . /vault/secrets/django-rabbitmq [ -f /vault/secrets/django-rabbitmq ] && . /vault/secrets/django-rabbitmq
[ -f /vault/secrets/django-s3 ] && . /vault/secrets/django-s3 [ -f /vault/secrets/django-s3 ] && . /vault/secrets/django-s3
[ -f /vault/secrets/django-kafka ] && . /vault/secrets/django-kafka [ -f /vault/secrets/django-kafka ] && . /vault/secrets/django-kafka
[ -f /vault/secrets/django-common ] && . /vault/secrets/django-common
[ -f /vault/secrets/django-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/django-jwt-private)" [ -f /vault/secrets/django-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/django-jwt-private)"
[ -f /vault/secrets/django-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/django-jwt-public)" [ -f /vault/secrets/django-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/django-jwt-public)"
set +a set +a
@ -177,11 +183,6 @@ spec:
value: "1" value: "1"
- name: ZITADEL_HOST - name: ZITADEL_HOST
value: https://zitadel-srx.wb.ru value: https://zitadel-srx.wb.ru
- name: ZITADEL_ACCESS_TOKEN
valueFrom:
secretKeyRef:
key: access_token
name: zitadel-secret
- name: SERVER_KAFKA_ENABLED - name: SERVER_KAFKA_ENABLED
value: "False" value: "False"
- name: KAFKA_TOPICS - name: KAFKA_TOPICS

3
apps/django/yc-k8s-test/postgresql.yaml
View File

@ -114,7 +114,8 @@ spec:
- name: sarex_db - name: sarex_db
user: sarex user: sarex
passwordKey: sarex passwordKey: sarex
extensions: [] extensions:
- pg_stat_statements
restoreFromDump: false restoreFromDump: false
s3-proxy: s3-proxy:
endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local" endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"

115
apps/documentations/base/api-deployment.yaml
View File

@ -17,34 +17,68 @@ spec:
labels: labels:
app: documentations-api app: documentations-api
service: documentations-api service: documentations-api
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: documentations
vault.hashicorp.com/agent-inject-secret-documentations-postgresql: secrets/data/postgresql/apps/documentations
vault.hashicorp.com/agent-inject-template-documentations-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/documentations" -}}
POSTGRES_ADDRESS=postgresql.documentations.svc.cluster.local
POSTGRES_PORT=5432
POSTGRES_DB=documentations_db
POSTGRES_USER={{ index .Data.data "username" }}
POSTGRES_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-common: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-documentations-common: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
DJANGO_BASIC_AUTH={{ index .Data.data "key" }}
DJANGO_BASIC_AUTH_FOR_GET_USER={{ index .Data.data "key" }}
DOCUMENT_PUBLIC_LINK_JWT_SECRET={{ index .Data.data "documentations_public_link_jwt_secret" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-s3-account-json: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-documentations-s3-account-json: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
{{ index .Data.data "documentations_s3_service_account_json" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-zitadel-account-json: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-documentations-zitadel-account-json: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
{{ index .Data.data "documentations_zitadel_account_json" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-rsa-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-documentations-rsa-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec: spec:
volumes: serviceAccountName: documentations-vault
- name: documentations-yc-s3-secret
secret:
defaultMode: 420
secretName: documentations-yc-s3
- name: zitadel-account
secret:
defaultMode: 420
secretName: zitadel-account
containers: containers:
- name: documentations-api - name: documentations-api
image: cr.yandex/crp3ccidau046kdj8g9q/documentations:prod_a9990430 image: cr.yandex/crp3ccidau046kdj8g9q/documentations:prod_a9990430
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/documentations-postgresql ] && . /vault/secrets/documentations-postgresql
[ -f /vault/secrets/documentations-common ] && . /vault/secrets/documentations-common
[ -f /vault/secrets/documentations-rsa-public ] && export PUBLIC_KEY="$(cat /vault/secrets/documentations-rsa-public)"
set +a
exec /app/entrypoint.sh
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
protocol: TCP protocol: TCP
env: env:
- name: PUBLIC_KEY
valueFrom:
secretKeyRef:
key: key
name: public-key
- name: POSTGRES_POOL_SIZE - name: POSTGRES_POOL_SIZE
value: "20" value: "20"
- name: ZITADEL_ACCOUNT - name: ZITADEL_ACCOUNT
value: /etc/sarex/zitadel/zitadel-account.json value: /vault/secrets/documentations-zitadel-account-json
- name: ZITADEL_DOMAIN - name: ZITADEL_DOMAIN
value: zitadel-srx.wb.ru value: zitadel-srx.wb.ru
- name: USE_ZITADEL - name: USE_ZITADEL
@ -57,11 +91,6 @@ spec:
value: 0.0.0.0:8080 value: 0.0.0.0:8080
- name: API_ADDRESS_FILE - name: API_ADDRESS_FILE
value: 0.0.0.0:8080 value: 0.0.0.0:8080
- name: DOCUMENT_PUBLIC_LINK_JWT_SECRET
valueFrom:
secretKeyRef:
key: secret
name: yc-jwt-secret
- name: DOCUMENT_PUBLIC_LINK_JWT_EXPIRATION_MINUTES - name: DOCUMENT_PUBLIC_LINK_JWT_EXPIRATION_MINUTES
value: "5" value: "5"
- name: ENABLE_SQL_QUERY - name: ENABLE_SQL_QUERY
@ -111,7 +140,7 @@ spec:
- name: WORKFLOWS_IMAGES_VERSION - name: WORKFLOWS_IMAGES_VERSION
value: master value: master
- name: S3_SERVICE_ACCOUNT - name: S3_SERVICE_ACCOUNT
value: /etc/sarex/yc-s3-storage/yc-s3-service-account.json value: /vault/secrets/documentations-s3-account-json
- name: READ_WRITE_TIMEOUT_FILE_STREAM - name: READ_WRITE_TIMEOUT_FILE_STREAM
value: 6h value: 6h
- name: CACHE_DEFAULT_EXPIRATION - name: CACHE_DEFAULT_EXPIRATION
@ -135,54 +164,10 @@ spec:
- name: VALKEY_PORT - name: VALKEY_PORT
value: "6379" value: "6379"
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: POSTGRES_ADDRESS
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: DJANGO_BASIC_AUTH
valueFrom:
secretKeyRef:
key: key
name: django-auth
- name: DJANGO_BASIC_AUTH_FOR_GET_USER
valueFrom:
secretKeyRef:
key: key
name: django-auth
resources: resources:
requests: requests:
cpu: "1" cpu: "1"
memory: 1Gi memory: 1Gi
volumeMounts:
- mountPath: /etc/sarex/yc-s3-storage
name: documentations-yc-s3-secret
readOnly: true
- mountPath: /etc/sarex/zitadel
name: zitadel-account
readOnly: true
imagePullSecrets: imagePullSecrets:
- name: regcred - name: regcred

115
apps/documentations/base/filestream-deployment.yaml
View File

@ -17,34 +17,68 @@ spec:
labels: labels:
app: documentations-filestream app: documentations-filestream
service: documentations-filestream service: documentations-filestream
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: documentations
vault.hashicorp.com/agent-inject-secret-documentations-postgresql: secrets/data/postgresql/apps/documentations
vault.hashicorp.com/agent-inject-template-documentations-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/documentations" -}}
POSTGRES_ADDRESS=postgresql.documentations.svc.cluster.local
POSTGRES_PORT=5432
POSTGRES_DB=documentations_db
POSTGRES_USER={{ index .Data.data "username" }}
POSTGRES_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-common: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-documentations-common: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
DJANGO_BASIC_AUTH={{ index .Data.data "key" }}
DJANGO_BASIC_AUTH_FOR_GET_USER={{ index .Data.data "key" }}
DOCUMENT_PUBLIC_LINK_JWT_SECRET={{ index .Data.data "documentations_public_link_jwt_secret" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-s3-account-json: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-documentations-s3-account-json: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
{{ index .Data.data "documentations_s3_service_account_json" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-zitadel-account-json: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-documentations-zitadel-account-json: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
{{ index .Data.data "documentations_zitadel_account_json" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-rsa-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-documentations-rsa-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec: spec:
volumes: serviceAccountName: documentations-vault
- name: documentations-yc-s3-secret
secret:
defaultMode: 420
secretName: documentations-yc-s3
- name: zitadel-account
secret:
defaultMode: 420
secretName: zitadel-account
containers: containers:
- name: documentations-filestream - name: documentations-filestream
image: cr.yandex/crp3ccidau046kdj8g9q/documentations-api-files:prod_a9990430 image: cr.yandex/crp3ccidau046kdj8g9q/documentations-api-files:prod_a9990430
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/documentations-postgresql ] && . /vault/secrets/documentations-postgresql
[ -f /vault/secrets/documentations-common ] && . /vault/secrets/documentations-common
[ -f /vault/secrets/documentations-rsa-public ] && export PUBLIC_KEY="$(cat /vault/secrets/documentations-rsa-public)"
set +a
exec /app/file_entrypoint.sh
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
protocol: TCP protocol: TCP
env: env:
- name: PUBLIC_KEY
valueFrom:
secretKeyRef:
key: key
name: public-key
- name: POSTGRES_POOL_SIZE - name: POSTGRES_POOL_SIZE
value: "20" value: "20"
- name: ZITADEL_ACCOUNT - name: ZITADEL_ACCOUNT
value: /etc/sarex/zitadel/zitadel-account.json value: /vault/secrets/documentations-zitadel-account-json
- name: ZITADEL_DOMAIN - name: ZITADEL_DOMAIN
value: zitadel-srx.wb.ru value: zitadel-srx.wb.ru
- name: USE_ZITADEL - name: USE_ZITADEL
@ -57,11 +91,6 @@ spec:
value: 0.0.0.0:8080 value: 0.0.0.0:8080
- name: API_ADDRESS_FILE - name: API_ADDRESS_FILE
value: 0.0.0.0:8080 value: 0.0.0.0:8080
- name: DOCUMENT_PUBLIC_LINK_JWT_SECRET
valueFrom:
secretKeyRef:
key: secret
name: yc-jwt-secret
- name: DOCUMENT_PUBLIC_LINK_JWT_EXPIRATION_MINUTES - name: DOCUMENT_PUBLIC_LINK_JWT_EXPIRATION_MINUTES
value: "5" value: "5"
- name: ENABLE_SQL_QUERY - name: ENABLE_SQL_QUERY
@ -111,7 +140,7 @@ spec:
- name: WORKFLOWS_IMAGES_VERSION - name: WORKFLOWS_IMAGES_VERSION
value: master value: master
- name: S3_SERVICE_ACCOUNT - name: S3_SERVICE_ACCOUNT
value: /etc/sarex/yc-s3-storage/yc-s3-service-account.json value: /vault/secrets/documentations-s3-account-json
- name: READ_WRITE_TIMEOUT_FILE_STREAM - name: READ_WRITE_TIMEOUT_FILE_STREAM
value: 6h value: 6h
- name: CACHE_DEFAULT_EXPIRATION - name: CACHE_DEFAULT_EXPIRATION
@ -135,54 +164,10 @@ spec:
- name: VALKEY_PORT - name: VALKEY_PORT
value: "6379" value: "6379"
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: POSTGRES_ADDRESS
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: DJANGO_BASIC_AUTH
valueFrom:
secretKeyRef:
key: key
name: django-auth
- name: DJANGO_BASIC_AUTH_FOR_GET_USER
valueFrom:
secretKeyRef:
key: key
name: django-auth
resources: resources:
requests: requests:
cpu: "1" cpu: "1"
memory: 1Gi memory: 1Gi
volumeMounts:
- mountPath: /etc/sarex/yc-s3-storage
name: documentations-yc-s3-secret
readOnly: true
- mountPath: /etc/sarex/zitadel
name: zitadel-account
readOnly: true
imagePullSecrets: imagePullSecrets:
- name: regcred - name: regcred

103
apps/documentations/base/pdm-deployment.yaml
View File

@ -17,20 +17,53 @@ spec:
labels: labels:
app: pdm-api app: pdm-api
service: pdm-api service: pdm-api
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: documentations
vault.hashicorp.com/agent-inject-secret-documentations-postgresql: secrets/data/postgresql/apps/documentations
vault.hashicorp.com/agent-inject-template-documentations-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/documentations" -}}
POSTGRES_ADDRESS=postgresql.documentations.svc.cluster.local
POSTGRES_PORT=5432
POSTGRES_DB=documentations_db
POSTGRES_USER={{ index .Data.data "username" }}
POSTGRES_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-common: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-documentations-common: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
DJANGO_BASIC_AUTH={{ index .Data.data "key" }}
RELEASES_TOKEN={{ index .Data.data "documentations_releases_token" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-s3-account-json: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-documentations-s3-account-json: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
{{ index .Data.data "documentations_s3_service_account_json" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-rsa-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-documentations-rsa-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec: spec:
volumes: serviceAccountName: documentations-vault
- name: documentations-yc-s3-secret
secret:
defaultMode: 420
secretName: documentations-yc-s3
- name: zitadel-account
secret:
defaultMode: 420
secretName: zitadel-account
containers: containers:
- name: pdm-api - name: pdm-api
image: cr.yandex/crp3ccidau046kdj8g9q/pdmv2:prod_38958427 image: cr.yandex/crp3ccidau046kdj8g9q/pdmv2:prod_38958427
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/documentations-postgresql ] && . /vault/secrets/documentations-postgresql
[ -f /vault/secrets/documentations-common ] && . /vault/secrets/documentations-common
[ -f /vault/secrets/documentations-rsa-public ] && export PUBLIC_KEY="$(cat /vault/secrets/documentations-rsa-public)"
set +a
exec ./httpserver
ports: ports:
- name: http - name: http
containerPort: 8080 containerPort: 8080
@ -38,50 +71,10 @@ spec:
env: env:
- name: USE_EXPERIMENTAL - name: USE_EXPERIMENTAL
value: "true" value: "true"
- name: RELEASES_TOKEN
valueFrom:
secretKeyRef:
key: key
name: releases-token
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: POSTGRES_ADDRESS
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: POSTGRES_POOL_SIZE - name: POSTGRES_POOL_SIZE
value: "20" value: "20"
- name: TRANSMITTALS_BASE_URL - name: TRANSMITTALS_BASE_URL
value: mock value: mock
- name: DJANGO_BASIC_AUTH
valueFrom:
secretKeyRef:
key: key
name: django-auth
- name: PUBLIC_KEY
valueFrom:
secretKeyRef:
key: key
name: public-key
- name: API_ADDRESS - name: API_ADDRESS
value: 0.0.0.0:8080 value: 0.0.0.0:8080
- name: API_ADDRESS_FILE - name: API_ADDRESS_FILE
@ -152,7 +145,7 @@ spec:
- name: RESOURCES_URL - name: RESOURCES_URL
value: http://resources-service.resources.svc.cluster.local:8000 value: http://resources-service.resources.svc.cluster.local:8000
- name: S3_SERVICE_ACCOUNT - name: S3_SERVICE_ACCOUNT
value: /etc/sarex/yc-s3-storage/yc-s3-service-account.json value: /vault/secrets/documentations-s3-account-json
- name: STATES_URL - name: STATES_URL
value: http://workspaces-service.workspaces.svc.cluster.local:8000/ value: http://workspaces-service.workspaces.svc.cluster.local:8000/
- name: SUBSCRIPTIONS_URL - name: SUBSCRIPTIONS_URL
@ -179,20 +172,10 @@ spec:
value: v1 value: v1
- name: WORKSPACE_URL - name: WORKSPACE_URL
value: http://workspaces-service.workspaces.svc.cluster.local:8000/ value: http://workspaces-service.workspaces.svc.cluster.local:8000/
resources: resources:
requests: requests:
cpu: "1" cpu: "1"
memory: 1Gi memory: 1Gi
volumeMounts:
- mountPath: /etc/sarex/yc-s3-storage
name: documentations-yc-s3-secret
readOnly: true
- mountPath: /etc/sarex/zitadel
name: zitadel-account
readOnly: true
imagePullSecrets: imagePullSecrets:
- name: regcred - name: regcred

6
apps/documentations/yc-k8s-test/postgresql.yaml
View File

@ -114,7 +114,11 @@ spec:
- name: documentations_db - name: documentations_db
user: documentations user: documentations
passwordKey: documentations passwordKey: documentations
extensions: [] extensions:
- pg_stat_statements
- ltree
- timescaledb
- uuid-ossp
restoreFromDump: false restoreFromDump: false
s3-proxy: s3-proxy:
endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local" endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"

3
apps/subscriptions/yc-k8s-test/postgresql.yaml
View File

@ -114,7 +114,8 @@ spec:
- name: subscriptions_db - name: subscriptions_db
user: subscriptions user: subscriptions
passwordKey: subscriptions passwordKey: subscriptions
extensions: [] extensions:
- postgis
restoreFromDump: false restoreFromDump: false
s3-proxy: s3-proxy:
endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local" endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"