diff --git a/apps/transmittal/base/backend-deployment.yaml b/apps/transmittal/base/backend-deployment.yaml index e966c08..9603bd8 100644 --- a/apps/transmittal/base/backend-deployment.yaml +++ b/apps/transmittal/base/backend-deployment.yaml 
@@ -17,12 +17,70 @@ spec: labels: app: backend service: backend - + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: transmittal + vault.hashicorp.com/agent-inject-secret-transmittal-db: secrets/data/postgresql/apps/transmittal + vault.hashicorp.com/agent-inject-template-transmittal-db: |- + {{- with secret "secrets/data/postgresql/apps/transmittal" -}} + TRANSMITTAL_SERVICE_DATABASE__USER={{ index .Data.data "username" }} + TRANSMITTAL_SERVICE_DATABASE__PASSWORD={{ index .Data.data "password" }} + TRANSMITTAL_SERVICE_DATABASE__HOST=postgresql.transmittal.svc.cluster.local + TRANSMITTAL_SERVICE_DATABASE__PORT=5432 + TRANSMITTAL_SERVICE_DATABASE__NAME=transmittal_db + {{- end -}} + vault.hashicorp.com/agent-inject-secret-transmittal-rabbitmq: secrets/data/rabbitmq/apps/transmittal + vault.hashicorp.com/agent-inject-template-transmittal-rabbitmq: |- + {{- with secret "secrets/data/rabbitmq/apps/transmittal" -}} + TRANSMITTAL_SERVICE_RABBITMQ__USER={{ index .Data.data "username" }} + TRANSMITTAL_SERVICE_RABBITMQ__PASSWORD={{ index .Data.data "password" }} + TRANSMITTAL_SERVICE_RABBITMQ__VHOST={{ index .Data.data "vhost" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-transmittal-s3: secrets/data/minio/apps/transmittal + vault.hashicorp.com/agent-inject-template-transmittal-s3: |- + {{- with secret "secrets/data/minio/apps/transmittal" -}} + TRANSMITTAL_SERVICE_S3_CLIENT__ACCESS_KEY={{ index .Data.data "access_key" }} + TRANSMITTAL_SERVICE_S3_CLIENT__SECRET_KEY={{ index .Data.data "secret_key" }} + {{- $buckets := index .Data.data "buckets" -}} + TRANSMITTAL_SERVICE_S3_CLIENT__DEFAULT_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}transmittal-storage{{- end -}} + {{- end -}} + 
vault.hashicorp.com/agent-inject-secret-transmittal-django-auth: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-transmittal-django-auth: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + TRANSMITTAL_SERVICE_SAREX_BACKEND_REPOSITORY__BASIC_AUTH_ENCODED={{ index .Data.data "key" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-transmittal-public-key: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-transmittal-public-key: |- + {{- with secret "secrets/data/vault/common/rsa_keys" -}} + TRANSMITTAL_SERVICE_AUTH__PUBLIC_KEY={{ printf "%q" (index .Data.data "public_key") }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-transmittal-mailgun: secrets/data/vault/apps/transmittal + vault.hashicorp.com/agent-inject-template-transmittal-mailgun: |- + {{- with secret "secrets/data/vault/apps/transmittal" -}} + TRANSMITTAL_SERVICE_MAILGUN__API_KEY={{ index .Data.data "TRANSMITTAL_SERVICE_MAILGUN__API_KEY" }} + {{- end -}} spec: + serviceAccountName: transmittal-vault containers: - name: backend image: cr.yandex/crp3ccidau046kdj8g9q/transmittal-api:prod_a9d879ae imagePullPolicy: IfNotPresent + command: ["/bin/bash", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/transmittal-db ] && . /vault/secrets/transmittal-db + [ -f /vault/secrets/transmittal-rabbitmq ] && . /vault/secrets/transmittal-rabbitmq + [ -f /vault/secrets/transmittal-s3 ] && . /vault/secrets/transmittal-s3 + [ -f /vault/secrets/transmittal-django-auth ] && . /vault/secrets/transmittal-django-auth + [ -f /vault/secrets/transmittal-public-key ] && . /vault/secrets/transmittal-public-key + [ -f /vault/secrets/transmittal-mailgun ] && . /vault/secrets/transmittal-mailgun + set +a + exec scripts/entrypoint.sh ports: - name: http containerPort: 8000 
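Review bot: The rendered secret files are sourced by `bash -ec` with `set -a`, but every value except `public_key` is written unquoted (`TRANSMITTAL_SERVICE_DATABASE__PASSWORD={{ index .Data.data "password" }}`), so a password or API key containing a space, `$`, backtick, `;`, `#` or quote is word-split, expanded or executed by the shell instead of being passed through — a Vault-stored value becomes shell input. Wrapping each value in single quotes with embedded quotes escaped is the safe form, e.g. `TRANSMITTAL_SERVICE_DATABASE__PASSWORD='{{ index .Data.data "password" | replaceAll "'" "'\\''" }}'`, applied to every templated value in these annotations; `printf "%q"` as used for the public key is not sufficient on its own, since bash still expands `$` and backticks inside double quotes and passes Go's `\n` escapes through literally, so whether the PEM reaches the app intact should be confirmed. Separately, `[ -f /vault/secrets/transmittal-db ] && . /vault/secrets/transmittal-db` under `set -e` silently skips a missing file, so a mistyped template name starts the service without that credential rather than failing fast; since `agent-pre-populate-only` guarantees the files exist before this container runs, the guards can be dropped or replaced with an explicit `|| exit 1`.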
@@ -75,16 +133,8 @@ spec: - name: TRANSMITTAL_SERVICE_UVICORN__NUM_WORKERS value: "2" - name: TRANSMITTAL_SERVICE_UVICORN__ROOT_PATH - - name: TRANSMITTAL_SERVICE_DATABASE__HOST - value: sarex-vpsql-01.xc.wb.ru - - name: TRANSMITTAL_SERVICE_DATABASE__PORT - value: "5432" - - name: TRANSMITTAL_SERVICE_DATABASE__NAME - value: transmittal_db - name: TRANSMITTAL_SERVICE_DATABASE__ENABLE_SSL value: "false" - - name: TRANSMITTAL_SERVICE_RABBITMQ__VHOST - value: transmitalls - name: TRANSMITTAL_SERVICE_RABBITMQ__HOST value: rabbitmq.rabbitmq.svc.cluster.local - name: TRANSMITTAL_SERVICE_RABBITMQ__PORT @@ -123,10 +173,8 @@ spec: value: ru-central1 - name: TRANSMITTAL_SERVICE_S3_CLIENT__VERIFY value: "true" - - name: TRANSMITTAL_SERVICE_S3_CLIENT__DEFAULT_BUCKET - value: transmittal-storage - name: TRANSMITTAL_SERVICE_S3_CLIENT__ENDPOINT - value: 10.49.10.90:9000 + value: minio.minio.svc.cluster.local:9000 - name: TRANSMITTAL_SERVICE_S3_CLIENT__USE_SSL value: "false" - name: TRANSMITTAL_SERVICE_HTML_TO_PDF_CONVERTER__BASE_URL 
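Review bot: `TRANSMITTAL_SERVICE_S3_CLIENT__USE_SSL` stays `"false"` while the endpoint moves to `minio.minio.svc.cluster.local:9000`, so the MinIO access key and secret key now fetched from Vault are sent in cleartext to that service unless the Istio mesh enforces mTLS on the MinIO side, which this diff cannot show; the same applies to `TRANSMITTAL_SERVICE_DATABASE__ENABLE_SSL: "false"` in the preceding hunk now that the database host is in-cluster and the `YC-PG-CERTIFICATE` secret is gone. With SSL off, `TRANSMITTAL_SERVICE_S3_CLIENT__VERIFY: "true"` has no effect. Either enable TLS on these client settings or document the reliance on mesh mTLS next to them, e.g. `# plaintext in-cluster; transport encryption relies on Istio mTLS to minio.minio (verify PeerAuthentication is STRICT)`.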
@@ -155,58 +203,6 @@ spec: value: "15" - name: TRANSMITTAL_SERVICE_MAILGUN__EMAIL value: hello@wb.io - - name: TRANSMITTAL_SERVICE_DATABASE__USER - valueFrom: - secretKeyRef: - key: username - name: postgres-secret - - name: TRANSMITTAL_SERVICE_DATABASE__PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgres-secret - - name: YC-PG-CERTIFICATE - valueFrom: - secretKeyRef: - key: certificate - name: postgres-secret - - name: TRANSMITTAL_SERVICE_AUTH__PUBLIC_KEY - valueFrom: - secretKeyRef: - key: key - name: public-key - - name: TRANSMITTAL_SERVICE_SAREX_BACKEND_REPOSITORY__BASIC_AUTH_ENCODED - valueFrom: - secretKeyRef: - key: key - name: django-auth - - name: TRANSMITTAL_SERVICE_S3_CLIENT__ACCESS_KEY - valueFrom: - secretKeyRef: - key: access_key - name: s3-secret - - name: TRANSMITTAL_SERVICE_S3_CLIENT__SECRET_KEY - valueFrom: - secretKeyRef: - key: secret_key - name: s3-secret - - name: TRANSMITTAL_SERVICE_RABBITMQ__USER - valueFrom: - secretKeyRef: - key: username - name: rabbitmq-cred - - name: TRANSMITTAL_SERVICE_RABBITMQ__PASSWORD - valueFrom: - secretKeyRef: - key: password - name: rabbitmq-cred - - name: TRANSMITTAL_SERVICE_MAILGUN__API_KEY - valueFrom: - secretKeyRef: - key: api_key - name: mailgun-cred - - resources: requests: cpu: "1" diff --git a/apps/transmittal/base/kustomization.yaml b/apps/transmittal/base/kustomization.yaml index 44a8cfe..0356b25 100644 --- a/apps/transmittal/base/kustomization.yaml +++ b/apps/transmittal/base/kustomization.yaml @@ -4,8 +4,9 @@ kind: Kustomization namespace: transmittal resources: - namespace.yaml + - serviceaccount.yaml - backend-deployment.yaml - - celery-deployment.yaml + - worker-deployment.yaml - frontend-deployment.yaml - backend-service.yaml - frontend-service.yaml diff --git a/apps/transmittal/base/serviceaccount.yaml b/apps/transmittal/base/serviceaccount.yaml new file mode 100644 index 0000000..cb9d042 --- /dev/null +++ b/apps/transmittal/base/serviceaccount.yaml 
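Review bot: The Kubernetes Secrets the deployments stop referencing (`postgres-secret`, `public-key`, `django-auth`, `s3-secret`, `rabbitmq-cred`, `mailgun-cred`) are not removed from this kustomization or anywhere else visible in the diff, so if they exist in the `transmittal` namespace they keep holding live copies of credentials that Vault is now the source of truth for. They should be deleted once the rollout is confirmed, and the values rotated in Vault since they were readable to anything with `get secrets` in the namespace. Similarly, `celery-deployment.yaml` is dropped from `resources` but its deletion is not shown here; if the file remains, it should be removed so it is not applied by other tooling.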
@@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: transmittal-vault + namespace: transmittal diff --git a/apps/transmittal/base/worker-deployment.yaml b/apps/transmittal/base/worker-deployment.yaml index e3a451e..d3a5de0 100644 --- a/apps/transmittal/base/worker-deployment.yaml +++ b/apps/transmittal/base/worker-deployment.yaml 
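Review bot: `transmittal-vault` is the identity both the backend and worker use to log in as Vault role `transmittal` (via `auth/kubernetes`), but nothing in the manifest records that the role must be pinned to this exact subject; if the Vault role's `bound_service_account_names`/`bound_service_account_namespaces` are wider than `transmittal-vault`/`transmittal`, any other service account token in the cluster could obtain these database, RabbitMQ, MinIO and Mailgun credentials. Add a comment above `metadata:` stating that constraint, e.g. `# Identity for Vault auth/kubernetes role "transmittal"; the role must bind exactly this SA and namespace.` Because both deployments share one SA and one role, they also share one audit identity in Vault; that is acceptable if the worker genuinely needs every secret in these templates (it appears to, given the email tasks), but it should be a deliberate choice noted in the same comment.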
@@ -17,19 +17,70 @@ spec: labels: app: worker service: worker + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: transmittal + vault.hashicorp.com/agent-inject-secret-transmittal-db: secrets/data/postgresql/apps/transmittal + vault.hashicorp.com/agent-inject-template-transmittal-db: |- + {{- with secret "secrets/data/postgresql/apps/transmittal" -}} + TRANSMITTAL_SERVICE_DATABASE__USER={{ index .Data.data "username" }} + TRANSMITTAL_SERVICE_DATABASE__PASSWORD={{ index .Data.data "password" }} + TRANSMITTAL_SERVICE_DATABASE__HOST=postgresql.transmittal.svc.cluster.local + TRANSMITTAL_SERVICE_DATABASE__PORT=5432 + TRANSMITTAL_SERVICE_DATABASE__NAME=transmittal_db + {{- end -}} + vault.hashicorp.com/agent-inject-secret-transmittal-rabbitmq: secrets/data/rabbitmq/apps/transmittal + vault.hashicorp.com/agent-inject-template-transmittal-rabbitmq: |- + {{- with secret "secrets/data/rabbitmq/apps/transmittal" -}} + TRANSMITTAL_SERVICE_RABBITMQ__USER={{ index .Data.data "username" }} + TRANSMITTAL_SERVICE_RABBITMQ__PASSWORD={{ index .Data.data "password" }} + TRANSMITTAL_SERVICE_RABBITMQ__VHOST={{ index .Data.data "vhost" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-transmittal-s3: secrets/data/minio/apps/transmittal + vault.hashicorp.com/agent-inject-template-transmittal-s3: |- + {{- with secret "secrets/data/minio/apps/transmittal" -}} + TRANSMITTAL_SERVICE_S3_CLIENT__ACCESS_KEY={{ index .Data.data "access_key" }} + TRANSMITTAL_SERVICE_S3_CLIENT__SECRET_KEY={{ index .Data.data "secret_key" }} + {{- $buckets := index .Data.data "buckets" -}} + TRANSMITTAL_SERVICE_S3_CLIENT__DEFAULT_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}transmittal-storage{{- end -}} + {{- end -}} + 
vault.hashicorp.com/agent-inject-secret-transmittal-django-auth: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-transmittal-django-auth: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + TRANSMITTAL_SERVICE_SAREX_BACKEND_REPOSITORY__BASIC_AUTH_ENCODED={{ index .Data.data "key" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-transmittal-public-key: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-transmittal-public-key: |- + {{- with secret "secrets/data/vault/common/rsa_keys" -}} + TRANSMITTAL_SERVICE_AUTH__PUBLIC_KEY={{ printf "%q" (index .Data.data "public_key") }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-transmittal-mailgun: secrets/data/vault/apps/transmittal + vault.hashicorp.com/agent-inject-template-transmittal-mailgun: |- + {{- with secret "secrets/data/vault/apps/transmittal" -}} + TRANSMITTAL_SERVICE_MAILGUN__API_KEY={{ index .Data.data "TRANSMITTAL_SERVICE_MAILGUN__API_KEY" }} + {{- end -}} spec: + serviceAccountName: transmittal-vault containers: - name: worker image: cr.yandex/crp3ccidau046kdj8g9q/transmittal-api:prod_a9d879ae imagePullPolicy: IfNotPresent - command: - - taskiq - - worker - - --no-parse - - transmittal_service.tasks.broker:broker - - transmittal_service.tasks.transmittal.tasks - - transmittal_service.tasks.email.tasks - + command: ["/bin/bash", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/transmittal-db ] && . /vault/secrets/transmittal-db + [ -f /vault/secrets/transmittal-rabbitmq ] && . /vault/secrets/transmittal-rabbitmq + [ -f /vault/secrets/transmittal-s3 ] && . /vault/secrets/transmittal-s3 + [ -f /vault/secrets/transmittal-django-auth ] && . /vault/secrets/transmittal-django-auth + [ -f /vault/secrets/transmittal-public-key ] && . /vault/secrets/transmittal-public-key + [ -f /vault/secrets/transmittal-mailgun ] && . 
/vault/secrets/transmittal-mailgun + set +a + exec taskiq worker --no-parse transmittal_service.tasks.broker:broker transmittal_service.tasks.transmittal.tasks transmittal_service.tasks.email.tasks ports: - name: http containerPort: 8000 @@ -82,16 +133,8 @@ spec: - name: TRANSMITTAL_SERVICE_UVICORN__NUM_WORKERS value: "2" - name: TRANSMITTAL_SERVICE_UVICORN__ROOT_PATH - - name: TRANSMITTAL_SERVICE_DATABASE__HOST - value: sarex-vpsql-01.xc.wb.ru - - name: TRANSMITTAL_SERVICE_DATABASE__PORT - value: "5432" - - name: TRANSMITTAL_SERVICE_DATABASE__NAME - value: transmittal_db - name: TRANSMITTAL_SERVICE_DATABASE__ENABLE_SSL value: "false" - - name: TRANSMITTAL_SERVICE_RABBITMQ__VHOST - value: transmitalls - name: TRANSMITTAL_SERVICE_RABBITMQ__HOST value: rabbitmq.rabbitmq.svc.cluster.local - name: TRANSMITTAL_SERVICE_RABBITMQ__PORT @@ -130,10 +173,8 @@ spec: value: ru-central1 - name: TRANSMITTAL_SERVICE_S3_CLIENT__VERIFY value: "true" - - name: TRANSMITTAL_SERVICE_S3_CLIENT__DEFAULT_BUCKET - value: transmittal-storage - name: TRANSMITTAL_SERVICE_S3_CLIENT__ENDPOINT - value: 10.49.10.90:9000 + value: minio.minio.svc.cluster.local:9000 - name: TRANSMITTAL_SERVICE_S3_CLIENT__USE_SSL value: "false" - name: TRANSMITTAL_SERVICE_HTML_TO_PDF_CONVERTER__BASE_URL 
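Review bot: `traffic.sidecar.istio.io/excludeOutboundPorts: "8200"` takes the Vault connection out of the Istio sidecar, so the agent's own transport is all that protects the Kubernetes SA token and the returned secrets in flight; the diff does not show the injector's `VAULT_ADDR`/CA settings, so confirm the agent is configured for HTTPS to Vault and note it inline, e.g. `# 8200 bypasses the sidecar: vault-agent must talk TLS to Vault itself`. With `vault.hashicorp.com/agent-pre-populate-only: "true"` there is no sidecar to re-render templates, so a rotated database or MinIO credential in Vault is not picked up until the pod is restarted; that is fine for an init-only design but worth a one-line comment so a rotation runbook includes a rollout. Finally, this annotation block and the bash preamble are a byte-for-byte copy of the backend deployment's; a Kustomize patch or component applied to both deployments would keep the two from drifting, which matters here because a fix to the secret quoting in one file and not the other would leave one workload exposed.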
@@ -162,57 +203,6 @@ spec: value: "15" - name: TRANSMITTAL_SERVICE_MAILGUN__EMAIL value: hello@wb.io - - name: TRANSMITTAL_SERVICE_DATABASE__USER - valueFrom: - secretKeyRef: - key: username - name: postgres-secret - - name: TRANSMITTAL_SERVICE_DATABASE__PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgres-secret - - name: YC-PG-CERTIFICATE - valueFrom: - secretKeyRef: - key: certificate - name: postgres-secret - - name: TRANSMITTAL_SERVICE_AUTH__PUBLIC_KEY - valueFrom: - secretKeyRef: - key: key - name: public-key - - name: TRANSMITTAL_SERVICE_SAREX_BACKEND_REPOSITORY__BASIC_AUTH_ENCODED - valueFrom: - secretKeyRef: - key: key - name: django-auth - - name: TRANSMITTAL_SERVICE_S3_CLIENT__ACCESS_KEY - valueFrom: - secretKeyRef: - key: access_key - name: s3-secret - - name: TRANSMITTAL_SERVICE_S3_CLIENT__SECRET_KEY - valueFrom: - secretKeyRef: - key: secret_key - name: s3-secret - - name: TRANSMITTAL_SERVICE_RABBITMQ__USER - valueFrom: - secretKeyRef: - key: username - name: rabbitmq-cred - - name: TRANSMITTAL_SERVICE_RABBITMQ__PASSWORD - valueFrom: - secretKeyRef: - key: password - name: rabbitmq-cred - - name: TRANSMITTAL_SERVICE_MAILGUN__API_KEY - valueFrom: - secretKeyRef: - key: api_key - name: mailgun-cred - resources: requests: cpu: "1"