From db2293b30b4bc20b9a687105225126f0ae1b1803 Mon Sep 17 00:00:00 2001
From: Kochetkov S <kochetkov.s@sarex.io>
Date: Thu, 16 Apr 2026 12:15:38 +0300
Subject: [PATCH] add vault support

---
 .../infrastructure/patches/postgresql.yaml     | 18 ++++++++++++------
 .../postgresql/base/helmrelease.yaml           |  2 +-
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/clusters/yc-k8s-test/infrastructure/patches/postgresql.yaml b/clusters/yc-k8s-test/infrastructure/patches/postgresql.yaml
index 0251052..0bc0301 100644
--- a/clusters/yc-k8s-test/infrastructure/patches/postgresql.yaml
+++ b/clusters/yc-k8s-test/infrastructure/patches/postgresql.yaml
@@ -36,13 +36,14 @@ spec:
     image:
       registry: cr.yandex/crp3ccidau046kdj8g9q
       repository: contour/postgresql
-      tag: 17.0.2
+      tag: 17.0.3
       pullPolicy: Always
     metrics:
       enabled: false
       prometheusRule:
         enabled: false
     primary:
+      automountServiceAccountToken: true
       containerSecurityContext:
         readOnlyRootFilesystem: false
       persistence:
@@ -53,7 +54,7 @@ spec:
           command:
             - /bin/sh
             - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
         initialDelaySeconds: 30
         periodSeconds: 10
         timeoutSeconds: 5
@@ -64,7 +65,7 @@ spec:
           command:
             - /bin/sh
             - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
         initialDelaySeconds: 5
         periodSeconds: 10
         timeoutSeconds: 5
@@ -75,7 +76,7 @@ spec:
           command:
             - /bin/sh
             - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
         initialDelaySeconds: 30
         periodSeconds: 10
         timeoutSeconds: 5
@@ -90,8 +91,13 @@ spec:
           effect: NoSchedule
     contour:
       enabled: true
-      adminUser: ""
-      adminPasswordSecretKey: ""
+      adminUser: "postgres"
+      vault:
+        enabled: true
+        role: postgresql
+        authPath: auth/kubernetes
+        secretPath: secrets/data/postgresql/admin
+        secretKey: postgres-password
       sharedPreloadLibraries: "timescaledb,pg_stat_statements"
       databases:
         - name: attachments_db
diff --git a/infrastructure/postgresql/base/helmrelease.yaml b/infrastructure/postgresql/base/helmrelease.yaml
index 6bd1520..ee38f60 100644
--- a/infrastructure/postgresql/base/helmrelease.yaml
+++ b/infrastructure/postgresql/base/helmrelease.yaml
@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: postgresql-contour
-      version: "17.0.2"
+      version: "17.0.3"
       sourceRef:
         kind: HelmRepository
         name: yc-oci-charts