From b6c5c0c0e0edbf3b7fe041c623c15e9f10c5636b Mon Sep 17 00:00:00 2001 From: Kochetkov S Date: Thu, 23 Apr 2026 17:16:28 +0300 Subject: [PATCH] a lot of new services --- apps/bim/base/kustomization.yaml | 1 + apps/bim/base/serviceaccount.yaml | 5 + apps/bim/yc-k8s-test/kustomization.yaml | 2 +- apps/bim/yc-k8s-test/postgresql.yaml | 23 ++- apps/django/base/backend-deployment.yaml | 185 +++++++---------- apps/django/base/celery-deployment.yaml | 186 +++++++----------- apps/django/base/kustomization.yaml | 1 + apps/django/base/serviceaccount.yaml | 5 + apps/django/yc-k8s-test/postgresql.yaml | 24 ++- apps/documentations/base/kustomization.yaml | 1 + apps/documentations/base/serviceaccount.yaml | 5 + .../yc-k8s-test/postgresql.yaml | 24 ++- apps/processing/base/api-deployment.yaml | 2 +- apps/processing/base/engine-low.yaml | 2 +- apps/processing/base/engine.yaml | 4 +- apps/processing/base/kustomization.yaml | 1 + apps/processing/base/serviceaccount.yaml | 5 + apps/processing/yc-k8s-test/postgresql.yaml | 24 ++- .../base/backend-deployment.yaml | 78 ++++---- apps/subscriptions/base/kustomization.yaml | 1 + apps/subscriptions/base/serviceaccount.yaml | 5 + .../subscriptions/yc-k8s-test/postgresql.yaml | 24 ++- 22 files changed, 289 insertions(+), 319 deletions(-) create mode 100644 apps/bim/base/serviceaccount.yaml create mode 100644 apps/django/base/serviceaccount.yaml create mode 100644 apps/documentations/base/serviceaccount.yaml create mode 100644 apps/processing/base/serviceaccount.yaml create mode 100644 apps/subscriptions/base/serviceaccount.yaml diff --git a/apps/bim/base/kustomization.yaml b/apps/bim/base/kustomization.yaml index 7bb3454..f47e36a 100644 --- a/apps/bim/base/kustomization.yaml +++ b/apps/bim/base/kustomization.yaml @@ -4,5 +4,6 @@ kind: Kustomization namespace: bim resources: - namespace.yaml + - serviceaccount.yaml - backend-deployment.yaml - backend-service.yaml 
diff --git a/apps/bim/base/serviceaccount.yaml b/apps/bim/base/serviceaccount.yaml new file mode 100644 index 0000000..ae3568c --- /dev/null +++ b/apps/bim/base/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bim-vault + namespace: bim diff --git a/apps/bim/yc-k8s-test/kustomization.yaml b/apps/bim/yc-k8s-test/kustomization.yaml index 79e4c45..050d882 100644 --- a/apps/bim/yc-k8s-test/kustomization.yaml +++ b/apps/bim/yc-k8s-test/kustomization.yaml @@ -8,4 +8,4 @@ patches: - path: replicas.yaml target: kind: Deployment - name: comparisons + name: backend diff --git a/apps/bim/yc-k8s-test/postgresql.yaml b/apps/bim/yc-k8s-test/postgresql.yaml index 0b8eea0..ada45d6 100644 --- a/apps/bim/yc-k8s-test/postgresql.yaml +++ b/apps/bim/yc-k8s-test/postgresql.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: postgresql-contour - version: "17.0.2" + version: "17.0.7" sourceRef: kind: HelmRepository name: yc-oci-charts @@ -44,7 +44,7 @@ spec: image: registry: cr.yandex/crp3ccidau046kdj8g9q repository: contour/postgresql - tag: 13.0.7 + tag: 17.0.7 pullPolicy: Always metrics: enabled: false @@ -61,7 +61,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 @@ -72,7 +72,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 @@ -83,7 +83,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 
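Review bot: `bim-vault` is created and listed in the base kustomization, but no manifest in this commit sets `serviceAccountName: bim-vault` (bim's backend-deployment.yaml is not in the diffstat), so the account is unused until a later change; the same holds for `documentations-vault` and `processing-vault`. If the Vault `auth/kubernetes` roles are already bound to these names the binding is inert but harmless; if the bim, documentations and processing Deployments were meant to be converted here, that part is missing. A one-line comment in each new file, `# ServiceAccount for pods that authenticate to Vault via auth/kubernetes`, would record the intent until a workload references it.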
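Review bot: In the `@@ -44` hunk the bim PostgreSQL image tag moves from `13.0.7` to `17.0.7`, whereas the other four instances go `17.0.2` → `17.0.7`; if the leading component is the PostgreSQL major version this is an in-place 13→17 upgrade on an existing data volume, which the server will refuse to start on without `pg_upgrade` or a dump/restore, and `restoreFromDump: false` in the same file suggests no restore is planned. If the tag only tracks the chart version, as the other files suggest, then `13.0.7` was a stale outlier and the bump is fine, but the commit message should say which case applies. With `pullPolicy: Always` and a moving tag, pinning by digest would make such jumps explicit in review.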
@@ -101,13 +101,20 @@ spec: effect: NoSchedule contour: enabled: true - adminUser: "" - adminPasswordSecretKey: "" + adminUser: "postgres" sharedPreloadLibraries: "pg_stat_statements,uuid-ossp,ltree,pg_partman" + vault: + enabled: true + role: postgresql + authPath: auth/kubernetes + secretPath: secrets/data/postgresql/admin + secretKey: postgres-password + usersSecretPath: secrets/data/postgresql/users databases: - name: bim_db user: bim + passwordKey: bim extensions: [] restoreFromDump: false s3-proxy: - endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local" \ No newline at end of file + endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local" diff --git a/apps/django/base/backend-deployment.yaml b/apps/django/base/backend-deployment.yaml index 0d417aa..a1ef24d 100644 --- a/apps/django/base/backend-deployment.yaml +++ b/apps/django/base/backend-deployment.yaml 
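Review bot: Every PostgreSQL instance in this commit authenticates to Vault with the same role (`role: postgresql`) and reads the same admin secret (`secrets/data/postgresql/admin`) and users secret (`secrets/data/postgresql/users`), so a compromise of any one database pod in `bim`, `django`, `documentations`, `processing` or `subscriptions` yields the superuser password shared by all five; the identical block appears in each app's `yc-k8s-test/postgresql.yaml`. A per-instance role and path such as `secrets/data/postgresql/<app>/admin`, bound only to that namespace's service account, limits the blast radius to one database; whether the `postgresql` role is in fact bound to all five namespaces cannot be seen in this diff. Note also that for django and subscriptions the application reads its password from `secrets/data/postgresql/apps/<app>` while the chart provisions the role from key `<app>` under `.../users`, two copies that must be kept identical by hand, so a comment next to `passwordKey:` stating that contract, e.g. `# must equal .password in secrets/data/postgresql/apps/bim`, would help the next rotation.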
@@ -17,7 +17,64 @@ spec: labels: app: backend service: backend + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: django + vault.hashicorp.com/agent-inject-secret-django-postgresql: secrets/data/postgresql/apps/django + vault.hashicorp.com/agent-inject-template-django-postgresql: |- + {{- with secret "secrets/data/postgresql/apps/django" -}} + DJANGO_POSTGRES_HOST=postgresql.django.svc.cluster.local + DJANGO_POSTGRES_PORTS=5432 + DJANGO_POSTGRES_DATABASE=sarex_db + DJANGO_POSTGRES_USER={{ index .Data.data "username" }} + DJANGO_POSTGRES_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-django-rabbitmq: secrets/data/rabbitmq/apps/django + vault.hashicorp.com/agent-inject-template-django-rabbitmq: |- + {{- with secret "secrets/data/rabbitmq/apps/django" -}} + CELERY_RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local + CELERY_RABBITMQ_USER={{ index .Data.data "username" }} + CELERY_RABBITMQ_PASSWORD={{ index .Data.data "password" }} + CELERY_RABBITMQ_VHOST={{ index .Data.data "vhost" }} + DJANGO_RABBIT_HOSTNAME=rabbitmq.rabbitmq.svc.cluster.local + DJANGO_RABBIT_USER={{ index .Data.data "username" }} + DJANGO_RABBIT_PASS={{ index .Data.data "password" }} + DJANGO_RABBIT_VHOST={{ index .Data.data "vhost" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-django-s3: secrets/data/minio/apps/django + vault.hashicorp.com/agent-inject-template-django-s3: |- + {{- with secret "secrets/data/minio/apps/django" -}} + AWS_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech + S3_HOST=https://minio.contour.infra.sarex.tech + S3_BUCKET=rfi + S3_LOGIN={{ index .Data.data "access_key" }} + S3_PASSWORD={{ index .Data.data "secret_key" }} + {{- end -}} + 
vault.hashicorp.com/agent-inject-secret-django-kafka: secrets/data/kafka/apps/django + vault.hashicorp.com/agent-inject-template-django-kafka: |- + {{- with secret "secrets/data/kafka/apps/django" -}} + KAFKA_BOOTSTRAP_SERVERS=["{{ index .Data.data.auth "bootstrap_servers" }}"] + KAFKA_SECURITY_PROTOCOL={{ index .Data.data.auth "security_protocol" }} + KAFKA_SASL_MECHANISM={{ index .Data.data.auth "sasl_mechanism" }} + KAFKA_SASL_PLAIN_USERNAME={{ index .Data.data "username" }} + KAFKA_SASL_PLAIN_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-django-jwt-private: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-django-jwt-private: |- + {{- with secret "secrets/data/vault/common/rsa_keys" -}} + {{ index .Data.data "private_key" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-django-jwt-public: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-django-jwt-public: |- + {{- with secret "secrets/data/vault/common/rsa_keys" -}} + {{ index .Data.data "public_key" }} + {{- end -}} spec: + serviceAccountName: django-vault volumes: - name: django-configmap configMap: @@ -30,6 +87,18 @@ spec: - name: backend image: cr.yandex/crp3ccidau046kdj8g9q/backend:production_a96dead0 imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/django-postgresql ] && . /vault/secrets/django-postgresql + [ -f /vault/secrets/django-rabbitmq ] && . /vault/secrets/django-rabbitmq + [ -f /vault/secrets/django-s3 ] && . /vault/secrets/django-s3 + [ -f /vault/secrets/django-kafka ] && . /vault/secrets/django-kafka + [ -f /vault/secrets/django-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/django-jwt-private)" + [ -f /vault/secrets/django-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/django-jwt-public)" + set +a + exec /opt/sarex/entrypoint.sh ports: - name: http containerPort: 8000 
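Review bot: The `agent-inject-template-*` annotations render unquoted shell assignments (`DJANGO_POSTGRES_PASSWORD={{ index .Data.data "password" }}`) that the container later executes with `. /vault/secrets/django-postgresql`, so a credential containing a space, `$`, backtick, `;` or a quote is truncated, expanded or run as a command instead of assigned. Single-quote each interpolated value, e.g. `DJANGO_POSTGRES_PASSWORD='{{ index .Data.data "password" }}'`, and keep generated passwords free of `'`; the same templates are in celery-deployment.yaml and, with other keys, in subscriptions/base/backend-deployment.yaml. The `traffic.sidecar.istio.io` annotation suggests an Istio sidecar is injected, in which case the injector's `/vault/secrets` volume, including the rendered RSA private key, is presumably mounted into `istio-proxy` as well unless `vault.hashicorp.com/agent-inject-containers` restricts it to `backend`; worth confirming, and `vault.hashicorp.com/agent-inject-perms-django-jwt-private` can tighten the key file's mode. The Pod template this annotates begins before the hunk.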
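Review bot: Each `[ -f /vault/secrets/<name> ] && . /vault/secrets/<name>` line in the new `args` skips silently when the file is absent, and under `sh -e` a failing left side of `&&` does not abort, so a pod whose Vault init agent rendered nothing (wrong role, missing KV path) starts the app without database, broker, S3 or JWT settings instead of failing fast. With `agent-init-first` and `agent-pre-populate-only` the files are guaranteed to exist once the init agent succeeds, so the guards only hide misconfiguration; source them unconditionally, `. /vault/secrets/django-postgresql`, and let `set -e` fail the container. The same pattern is repeated in celery-deployment.yaml and subscriptions/base/backend-deployment.yaml. Setting `command` also discards any CMD the image defined; that `/opt/sarex/entrypoint.sh` is the image's original ENTRYPOINT cannot be confirmed from the diff.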
@@ -116,124 +185,8 @@ spec: value: "False" - name: KAFKA_TOPICS value: '{"planning": "message-hub-stage", "ams-sync": "ams-sync"}' - - name: KAFKA_BOOTSTRAP_SERVERS - value: '["wb-prod-kafka-bootstrap.kafka.svc.cluster.local:9093"]' - - name: KAFKA_SECURITY_PROTOCOL - value: SSL - - name: KAFKA_SASL_PLAIN_USERNAME - valueFrom: - secretKeyRef: - key: username - name: kafka-secret - - name: KAFKA_SASL_PLAIN_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: kafka-secret - - name: KAFKA_SASL_MECHANISM - value: SCRAM-SHA-512 - name: KAFKA_SSL_CAFILE value: /usr/local/share/ca-certificates/kafka.crt - - name: AWS_S3_ENDPOINT_URL - valueFrom: - secretKeyRef: - key: host - name: s3-secret - - name: S3_HOST - valueFrom: - secretKeyRef: - key: host - name: s3-secret - - name: CELERY_RABBITMQ_HOST - valueFrom: - secretKeyRef: - key: host - name: rabbitmq-secret - - name: CELERY_RABBITMQ_USER - valueFrom: - secretKeyRef: - key: username - name: rabbitmq-secret - - name: CELERY_RABBITMQ_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: rabbitmq-secret - - name: CELERY_RABBITMQ_VHOST - valueFrom: - secretKeyRef: - key: vhost - name: rabbitmq-secret - - name: DJANGO_POSTGRES_HOST - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: DJANGO_POSTGRES_PORTS - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: DJANGO_POSTGRES_USER - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: DJANGO_POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: DJANGO_POSTGRES_DATABASE - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: DJANGO_RABBIT_HOSTNAME - valueFrom: - secretKeyRef: - key: host - name: rabbitmq-secret - - name: DJANGO_RABBIT_USER - valueFrom: - secretKeyRef: - key: username - name: rabbitmq-secret - - name: DJANGO_RABBIT_PASS - valueFrom: - secretKeyRef: - key: password - name: rabbitmq-secret - - name: 
DJANGO_RABBIT_VHOST - valueFrom: - secretKeyRef: - key: vhost - name: rabbitmq-secret - - name: JWT_PRIVATE_KEY - valueFrom: - secretKeyRef: - key: ssh_private.key - name: backend-secret - - name: JWT_PUBLIC_KEY - valueFrom: - secretKeyRef: - key: ssh_public.key - name: backend-secret - - name: S3_BUCKET - valueFrom: - secretKeyRef: - key: bucket - name: s3-secret - - name: S3_LOGIN - valueFrom: - secretKeyRef: - key: username - name: s3-secret - - name: S3_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: s3-secret - name: KC_USE_REDIRECT_LOGOUT value: "False" diff --git a/apps/django/base/celery-deployment.yaml b/apps/django/base/celery-deployment.yaml index fde3700..32e1b3c 100644 --- a/apps/django/base/celery-deployment.yaml +++ b/apps/django/base/celery-deployment.yaml 
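Review bot: After this hunk the Deployment no longer references `kafka-secret`, `s3-secret`, `rabbitmq-secret`, `postgresql-secret` or `backend-secret`, but the commit does not remove those Secret objects (none is in the diffstat), so the old credentials, including the JWT signing key stored under `ssh_private.key`, stay readable to anyone with secret access in the `django` namespace. If nothing else consumes them, delete them in the same change and rotate the values they held; if they are managed elsewhere, a sentence in the commit message saying so would help. `KAFKA_SECURITY_PROTOCOL` and `KAFKA_SASL_MECHANISM` were fixed values here (`SSL`, `SCRAM-SHA-512`) and are now read from `.Data.data.auth` in the Vault template, so the KV entry must carry `security_protocol` and `sasl_mechanism` or the variables render empty; the same applies to the matching hunk in celery-deployment.yaml.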
@@ -17,7 +17,64 @@ spec: labels: app: celery service: celery + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: django + vault.hashicorp.com/agent-inject-secret-django-postgresql: secrets/data/postgresql/apps/django + vault.hashicorp.com/agent-inject-template-django-postgresql: |- + {{- with secret "secrets/data/postgresql/apps/django" -}} + DJANGO_POSTGRES_HOST=postgresql.django.svc.cluster.local + DJANGO_POSTGRES_PORTS=5432 + DJANGO_POSTGRES_DATABASE=sarex_db + DJANGO_POSTGRES_USER={{ index .Data.data "username" }} + DJANGO_POSTGRES_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-django-rabbitmq: secrets/data/rabbitmq/apps/django + vault.hashicorp.com/agent-inject-template-django-rabbitmq: |- + {{- with secret "secrets/data/rabbitmq/apps/django" -}} + CELERY_RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local + CELERY_RABBITMQ_USER={{ index .Data.data "username" }} + CELERY_RABBITMQ_PASSWORD={{ index .Data.data "password" }} + CELERY_RABBITMQ_VHOST={{ index .Data.data "vhost" }} + DJANGO_RABBIT_HOSTNAME=rabbitmq.rabbitmq.svc.cluster.local + DJANGO_RABBIT_USER={{ index .Data.data "username" }} + DJANGO_RABBIT_PASS={{ index .Data.data "password" }} + DJANGO_RABBIT_VHOST={{ index .Data.data "vhost" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-django-s3: secrets/data/minio/apps/django + vault.hashicorp.com/agent-inject-template-django-s3: |- + {{- with secret "secrets/data/minio/apps/django" -}} + AWS_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech + S3_HOST=https://minio.contour.infra.sarex.tech + S3_BUCKET=rfi + S3_LOGIN={{ index .Data.data "access_key" }} + S3_PASSWORD={{ index .Data.data "secret_key" }} + {{- end -}} + 
vault.hashicorp.com/agent-inject-secret-django-kafka: secrets/data/kafka/apps/django + vault.hashicorp.com/agent-inject-template-django-kafka: |- + {{- with secret "secrets/data/kafka/apps/django" -}} + KAFKA_BOOTSTRAP_SERVERS=["{{ index .Data.data.auth "bootstrap_servers" }}"] + KAFKA_SECURITY_PROTOCOL={{ index .Data.data.auth "security_protocol" }} + KAFKA_SASL_MECHANISM={{ index .Data.data.auth "sasl_mechanism" }} + KAFKA_SASL_PLAIN_USERNAME={{ index .Data.data "username" }} + KAFKA_SASL_PLAIN_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-django-jwt-private: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-django-jwt-private: |- + {{- with secret "secrets/data/vault/common/rsa_keys" -}} + {{ index .Data.data "private_key" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-django-jwt-public: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-django-jwt-public: |- + {{- with secret "secrets/data/vault/common/rsa_keys" -}} + {{ index .Data.data "public_key" }} + {{- end -}} spec: + serviceAccountName: django-vault volumes: - name: django-configmap configMap: 
@@ -30,7 +87,18 @@ spec: - name: celery image: cr.yandex/crp3ccidau046kdj8g9q/backend:production_a96dead0 imagePullPolicy: IfNotPresent - command: ["celery", "-A", "config", "worker", "-B", "-l", "info", "-E", "-Q", "default", "-n", "default_worker.%h", "--concurrency=2"] + command: ["/bin/sh", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/django-postgresql ] && . /vault/secrets/django-postgresql + [ -f /vault/secrets/django-rabbitmq ] && . /vault/secrets/django-rabbitmq + [ -f /vault/secrets/django-s3 ] && . /vault/secrets/django-s3 + [ -f /vault/secrets/django-kafka ] && . /vault/secrets/django-kafka + [ -f /vault/secrets/django-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/django-jwt-private)" + [ -f /vault/secrets/django-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/django-jwt-public)" + set +a + exec celery -A config worker -B -l info -E -Q default -n default_worker.%h --concurrency=2 ports: - name: http 
@@ -118,124 +186,8 @@ spec: value: "False" - name: KAFKA_TOPICS value: '{"planning": "message-hub-stage", "ams-sync": "ams-sync"}' - - name: KAFKA_BOOTSTRAP_SERVERS - value: '["wb-prod-kafka-bootstrap.kafka.svc.cluster.local:9093"]' - - name: KAFKA_SECURITY_PROTOCOL - value: SSL - - name: KAFKA_SASL_PLAIN_USERNAME - valueFrom: - secretKeyRef: - key: username - name: kafka-secret - - name: KAFKA_SASL_PLAIN_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: kafka-secret - - name: KAFKA_SASL_MECHANISM - value: SCRAM-SHA-512 - name: KAFKA_SSL_CAFILE value: /usr/local/share/ca-certificates/kafka.crt - - name: AWS_S3_ENDPOINT_URL - valueFrom: - secretKeyRef: - key: host - name: s3-secret - - name: S3_HOST - valueFrom: - secretKeyRef: - key: host - name: s3-secret - - name: CELERY_RABBITMQ_HOST - valueFrom: - secretKeyRef: - key: host - name: rabbitmq-secret - - name: CELERY_RABBITMQ_USER - valueFrom: - secretKeyRef: - key: username - name: rabbitmq-secret - - name: CELERY_RABBITMQ_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: rabbitmq-secret - - name: CELERY_RABBITMQ_VHOST - valueFrom: - secretKeyRef: - key: vhost - name: rabbitmq-secret - - name: DJANGO_POSTGRES_HOST - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: DJANGO_POSTGRES_PORTS - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: DJANGO_POSTGRES_USER - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: DJANGO_POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: DJANGO_POSTGRES_DATABASE - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: DJANGO_RABBIT_HOSTNAME - valueFrom: - secretKeyRef: - key: host - name: rabbitmq-secret - - name: DJANGO_RABBIT_USER - valueFrom: - secretKeyRef: - key: username - name: rabbitmq-secret - - name: DJANGO_RABBIT_PASS - valueFrom: - secretKeyRef: - key: password - name: rabbitmq-secret - - name: 
DJANGO_RABBIT_VHOST - valueFrom: - secretKeyRef: - key: vhost - name: rabbitmq-secret - - name: JWT_PRIVATE_KEY - valueFrom: - secretKeyRef: - key: ssh_private.key - name: backend-secret - - name: JWT_PUBLIC_KEY - valueFrom: - secretKeyRef: - key: ssh_public.key - name: backend-secret - - name: S3_BUCKET - valueFrom: - secretKeyRef: - key: bucket - name: s3-secret - - name: S3_LOGIN - valueFrom: - secretKeyRef: - key: username - name: s3-secret - - name: S3_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: s3-secret - name: KC_USE_REDIRECT_LOGOUT value: "False" resources: diff --git a/apps/django/base/kustomization.yaml b/apps/django/base/kustomization.yaml index 3d5e168..9bebc20 100644 --- a/apps/django/base/kustomization.yaml +++ b/apps/django/base/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: django resources: - namespace.yaml + - serviceaccount.yaml - backend-deployment.yaml - celery-deployment.yaml - frontend-deployment.yaml diff --git a/apps/django/base/serviceaccount.yaml b/apps/django/base/serviceaccount.yaml new file mode 100644 index 0000000..5222954 --- /dev/null +++ b/apps/django/base/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: django-vault + namespace: django diff --git a/apps/django/yc-k8s-test/postgresql.yaml b/apps/django/yc-k8s-test/postgresql.yaml index ffb1a1b..03d2563 100644 --- a/apps/django/yc-k8s-test/postgresql.yaml +++ b/apps/django/yc-k8s-test/postgresql.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: postgresql-contour - version: "17.0.2" + version: "17.0.7" sourceRef: kind: HelmRepository name: yc-oci-charts @@ -44,7 +44,7 @@ spec: image: registry: cr.yandex/crp3ccidau046kdj8g9q repository: contour/postgresql - tag: 17.0.2 + tag: 17.0.7 pullPolicy: Always metrics: enabled: false 
@@ -61,7 +61,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 @@ -72,7 +72,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 @@ -83,12 +83,15 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 6 + resources: + requests: + memory: 512Mi nodeSelector: dedicated: db tolerations: @@ -98,12 +101,19 @@ spec: effect: NoSchedule contour: enabled: true - adminUser: "" - adminPasswordSecretKey: "" + adminUser: "postgres" sharedPreloadLibraries: "pg_stat_statements" + vault: + enabled: true + role: postgresql + authPath: auth/kubernetes + secretPath: secrets/data/postgresql/admin + secretKey: postgres-password + usersSecretPath: secrets/data/postgresql/users databases: - name: sarex_db user: sarex + passwordKey: sarex extensions: [] restoreFromDump: false s3-proxy: diff --git a/apps/documentations/base/kustomization.yaml b/apps/documentations/base/kustomization.yaml index 342acc4..2f212c2 100644 --- a/apps/documentations/base/kustomization.yaml +++ b/apps/documentations/base/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: documentations resources: - namespace.yaml + - serviceaccount.yaml - api-deployment.yaml - pdm-deployment.yaml - filestream-deployment.yaml diff --git a/apps/documentations/base/serviceaccount.yaml b/apps/documentations/base/serviceaccount.yaml new file mode 100644 index 0000000..ba21e50 --- /dev/null +++ b/apps/documentations/base/serviceaccount.yaml 
@@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: documentations-vault + namespace: documentations diff --git a/apps/documentations/yc-k8s-test/postgresql.yaml b/apps/documentations/yc-k8s-test/postgresql.yaml index ec3b708..524424e 100644 --- a/apps/documentations/yc-k8s-test/postgresql.yaml +++ b/apps/documentations/yc-k8s-test/postgresql.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: postgresql-contour - version: "17.0.2" + version: "17.0.7" sourceRef: kind: HelmRepository name: yc-oci-charts @@ -44,7 +44,7 @@ spec: image: registry: cr.yandex/crp3ccidau046kdj8g9q repository: contour/postgresql - tag: 17.0.2 + tag: 17.0.7 pullPolicy: Always metrics: enabled: false @@ -61,7 +61,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 @@ -72,7 +72,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 @@ -83,12 +83,15 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 6 + resources: + requests: + memory: 512Mi nodeSelector: dedicated: db tolerations: 
@@ -98,12 +101,19 @@ spec: effect: NoSchedule contour: enabled: true - adminUser: "" - adminPasswordSecretKey: "" + adminUser: "postgres" sharedPreloadLibraries: "pg_stat_statements,ltree,timescaledb,uuid-ossp" + vault: + enabled: true + role: postgresql + authPath: auth/kubernetes + secretPath: secrets/data/postgresql/admin + secretKey: postgres-password + usersSecretPath: secrets/data/postgresql/users databases: - name: documentations_db user: documentations + passwordKey: documentations extensions: [] restoreFromDump: false s3-proxy: diff --git a/apps/processing/base/api-deployment.yaml b/apps/processing/base/api-deployment.yaml index 8ac0f41..2a546ba 100644 --- a/apps/processing/base/api-deployment.yaml +++ b/apps/processing/base/api-deployment.yaml @@ -20,7 +20,7 @@ spec: spec: containers: - name: workflows-api - image: cr.yandex/crp3ccidau046kdj8g9q/workflows-api:prod_9ae8865a + image: cr.yandex/crp3ccidau046kdj8g9q/workflows-api_prod:075fc0 imagePullPolicy: IfNotPresent ports: - name: http diff --git a/apps/processing/base/engine-low.yaml b/apps/processing/base/engine-low.yaml index 7d66b95..a90365f 100644 --- a/apps/processing/base/engine-low.yaml +++ b/apps/processing/base/engine-low.yaml @@ -33,7 +33,7 @@ spec: secretName: smtp-secret containers: - name: engine-low - image: cr.yandex/crp3ccidau046kdj8g9q/workflows-engine:prod_b6e15fda + image: cr.yandex/crp3ccidau046kdj8g9q/workflows-endigne_prod:075fc0 imagePullPolicy: IfNotPresent ports: diff --git a/apps/processing/base/engine.yaml b/apps/processing/base/engine.yaml index 610263b..5e3e965 100644 --- a/apps/processing/base/engine.yaml +++ b/apps/processing/base/engine.yaml @@ -35,7 +35,7 @@ spec: containers: - name: engine - image: cr.yandex/crp3ccidau046kdj8g9q/workflows-engine:prod_b6e15fda + image: cr.yandex/crp3ccidau046kdj8g9q/workflows-endigne_prod:075fc0 imagePullPolicy: IfNotPresent ports: 
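Review bot: The engine images are renamed to `workflows-endigne_prod:075fc0` in both engine-low.yaml and engine.yaml while the API image follows the `workflows-api_prod` pattern; `endigne` reads as a misspelling of `engine`, and unless a repository with exactly that name exists in the registry both Deployments will fail with ImagePullBackOff on rollout. Please confirm against the registry or change both lines to `image: cr.yandex/crp3ccidau046kdj8g9q/workflows-engine_prod:075fc0`. The new six-character tags are mutable references, and with the surrounding `imagePullPolicy: IfNotPresent` a node that already holds a layer set for `075fc0` may keep running it after the tag is moved, so pinning by digest is worth considering.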
@@ -239,4 +239,4 @@ spec: memory: 1Gi imagePullSecrets: - - name: regcred \ No newline at end of file + - name: regcred diff --git a/apps/processing/base/kustomization.yaml b/apps/processing/base/kustomization.yaml index aeeb0d0..9b0fc07 100644 --- a/apps/processing/base/kustomization.yaml +++ b/apps/processing/base/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: processing resources: - namespace.yaml + - serviceaccount.yaml - api-deployment.yaml - engine-low.yaml - engine.yaml diff --git a/apps/processing/base/serviceaccount.yaml b/apps/processing/base/serviceaccount.yaml new file mode 100644 index 0000000..c336a7f --- /dev/null +++ b/apps/processing/base/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: processing-vault + namespace: processing diff --git a/apps/processing/yc-k8s-test/postgresql.yaml b/apps/processing/yc-k8s-test/postgresql.yaml index 0483f00..fa6ec66 100644 --- a/apps/processing/yc-k8s-test/postgresql.yaml +++ b/apps/processing/yc-k8s-test/postgresql.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: postgresql-contour - version: "17.0.2" + version: "17.0.7" sourceRef: kind: HelmRepository name: yc-oci-charts @@ -44,7 +44,7 @@ spec: image: registry: cr.yandex/crp3ccidau046kdj8g9q repository: contour/postgresql - tag: 17.0.2 + tag: 17.0.7 pullPolicy: Always metrics: enabled: false @@ -61,7 +61,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 @@ -72,7 +72,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 
@@ -83,12 +83,15 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 6 + resources: + requests: + memory: 512Mi nodeSelector: dedicated: db tolerations: @@ -98,12 +101,19 @@ spec: effect: NoSchedule contour: enabled: true - adminUser: "" - adminPasswordSecretKey: "" + adminUser: "postgres" sharedPreloadLibraries: "pg_stat_statements" + vault: + enabled: true + role: postgresql + authPath: auth/kubernetes + secretPath: secrets/data/postgresql/admin + secretKey: postgres-password + usersSecretPath: secrets/data/postgresql/users databases: - name: workflow_db user: workflow + passwordKey: workflow extensions: - uuid-ossp restoreFromDump: false diff --git a/apps/subscriptions/base/backend-deployment.yaml b/apps/subscriptions/base/backend-deployment.yaml index e1373ee..140fab0 100644 --- a/apps/subscriptions/base/backend-deployment.yaml +++ b/apps/subscriptions/base/backend-deployment.yaml 
@@ -15,41 +15,49 @@ spec: metadata: labels: app: sarex-subscriptions + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: subscriptions + vault.hashicorp.com/agent-inject-secret-subscriptions-postgresql: secrets/data/postgresql/apps/subscriptions + vault.hashicorp.com/agent-inject-template-subscriptions-postgresql: |- + {{- with secret "secrets/data/postgresql/apps/subscriptions" -}} + DATABASE_HOST=postgresql.subscriptions.svc.cluster.local + DATABASE_PORT=5432 + DATABASE_NAME=subscriptions_db + DATABASE_USER={{ index .Data.data "username" }} + DATABASE_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-subscriptions-minio: secrets/data/minio/apps/subscriptions + vault.hashicorp.com/agent-inject-template-subscriptions-minio: |- + {{- with secret "secrets/data/minio/apps/subscriptions" -}} + YC_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }} + YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }} + YC_S3_BUCKET_NAME=subscriptions + YC_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech + {{- end -}} spec: + serviceAccountName: subscriptions-vault containers: - name: subscriptions image: cr.yandex/crp3ccidau046kdj8g9q/subscriptions:prod_a50928e1 imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/subscriptions-postgresql ] && . /vault/secrets/subscriptions-postgresql + [ -f /vault/secrets/subscriptions-minio ] && . 
/vault/secrets/subscriptions-minio + set +a + exec /server/entrypoint.sh ports: - name: http containerPort: 8000 protocol: TCP env: - - name: DATABASE_HOST - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: DATABASE_PORT - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: DATABASE_NAME - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: DATABASE_USER - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: DATABASE_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - name: API_ADDRESS value: "8000" - name: SYSTEM_LOG_HOST @@ -66,26 +74,6 @@ spec: value: mail.rwb.ru - name: SMTP_EMAIL_PORT value: "465" - - name: YC_S3_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - key: username - name: s3-secret - - name: YC_S3_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - key: password - name: s3-secret - - name: YC_S3_BUCKET_NAME - valueFrom: - secretKeyRef: - key: bucket - name: s3-secret - - name: YC_S3_ENDPOINT_URL - valueFrom: - secretKeyRef: - key: host - name: s3-secret resources: requests: cpu: "1" diff --git a/apps/subscriptions/base/kustomization.yaml b/apps/subscriptions/base/kustomization.yaml index 7195a48..b4539be 100644 --- a/apps/subscriptions/base/kustomization.yaml +++ b/apps/subscriptions/base/kustomization.yaml @@ -4,5 +4,6 @@ kind: Kustomization namespace: subscriptions resources: - namespace.yaml + - serviceaccount.yaml - backend-deployment.yaml - backend-service.yaml diff --git a/apps/subscriptions/base/serviceaccount.yaml b/apps/subscriptions/base/serviceaccount.yaml new file mode 100644 index 0000000..e2d9400 --- /dev/null +++ b/apps/subscriptions/base/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: subscriptions-vault + namespace: subscriptions 
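Review bot: The rendered templates hard-code environment-specific, non-secret settings in `base/` — `DATABASE_HOST=postgresql.subscriptions.svc.cluster.local`, `DATABASE_NAME=subscriptions_db`, `YC_S3_BUCKET_NAME=subscriptions`, `YC_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech` — that previously came from per-environment Secrets (`postgresql-secret`, `s3-secret`), so the `yc-k8s-test` overlay can no longer vary them without patching a multi-line annotation string. Consider keeping those values as plain `env:` entries, which the overlay can override, and injecting only `DATABASE_USER`, `DATABASE_PASSWORD` and the two S3 keys from Vault; the django base Deployments have the same layout. The Deployment `spec` continues past the hunk.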
diff --git a/apps/subscriptions/yc-k8s-test/postgresql.yaml b/apps/subscriptions/yc-k8s-test/postgresql.yaml index 543ef06..dd25dfe 100644 --- a/apps/subscriptions/yc-k8s-test/postgresql.yaml +++ b/apps/subscriptions/yc-k8s-test/postgresql.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: postgresql-contour - version: "17.0.2" + version: "17.0.7" sourceRef: kind: HelmRepository name: yc-oci-charts @@ -44,7 +44,7 @@ spec: image: registry: cr.yandex/crp3ccidau046kdj8g9q repository: contour/postgresql - tag: 17.0.2 + tag: 17.0.7 pullPolicy: Always metrics: enabled: false @@ -61,7 +61,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 @@ -72,7 +72,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 @@ -83,12 +83,15 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 6 + resources: + requests: + memory: 512Mi nodeSelector: dedicated: db tolerations: @@ -98,12 +101,19 @@ spec: effect: NoSchedule contour: enabled: true - adminUser: "" - adminPasswordSecretKey: "" + adminUser: "postgres" sharedPreloadLibraries: "postgis" + vault: + enabled: true + role: postgresql + authPath: auth/kubernetes + secretPath: secrets/data/postgresql/admin + secretKey: postgres-password + usersSecretPath: secrets/data/postgresql/users databases: - name: subscriptions_db user: subscriptions + passwordKey: subscriptions extensions: [] restoreFromDump: false s3-proxy: