diff --git a/clusters/yc-infra-prod/infrastructure/kustomization.yaml b/clusters/yc-infra-prod/infrastructure/kustomization.yaml
index 3968212..4609694 100644
--- a/clusters/yc-infra-prod/infrastructure/kustomization.yaml
+++ b/clusters/yc-infra-prod/infrastructure/kustomization.yaml
@@ -1,10 +1,34 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - ../../../infrastructure/argo-workflows + - ../../../infrastructure/argo-events + - ../../../infrastructure/postgresql - ../../../infrastructure/vault-unseal - ../../../infrastructure/vault - ../../../infrastructure/yc-pg-dumper patches: + - path: ./patches/argo-workflows.yaml + target: + group: helm.toolkit.fluxcd.io + version: v2 + kind: HelmRelease + name: argo-workflows + namespace: argo + - path: ./patches/argo-events.yaml + target: + group: helm.toolkit.fluxcd.io + version: v2 + kind: HelmRelease + name: argo-events + namespace: argo + - path: ./patches/postgresql.yaml + target: + group: helm.toolkit.fluxcd.io + version: v2 + kind: HelmRelease + name: postgresql + namespace: postgresql - path: ./patches/vault-unseal.yaml target: group: helm.toolkit.fluxcd.io
diff --git a/clusters/yc-infra-prod/infrastructure/patches/argo-events.yaml b/clusters/yc-infra-prod/infrastructure/patches/argo-events.yaml
new file mode 100644
index 0000000..88657c0
--- /dev/null
+++ b/clusters/yc-infra-prod/infrastructure/patches/argo-events.yaml
@@ -0,0 +1,41 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: argo-events
+ namespace: argo
+spec:
+ values:
+ global:
+ podAnnotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/auth-path: "auth/kubernetes"
+ vault.hashicorp.com/role: "argo-events"
+ vault.hashicorp.com/agent-inject-secret-argo-events-secret: "secrets/data/yc-infra-prod/infra/argo_events/argo_events_secret"
+ controller:
+ podAnnotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/auth-path: "auth/kubernetes"
+ vault.hashicorp.com/role: "argo-events"
+ vault.hashicorp.com/agent-inject-secret-argo-events-secret: "secrets/data/yc-infra-prod/infra/argo_events/argo_events_secret"
+ nodeSelector:
+ dedicated: sts
+ tolerations:
+ - key: dedicated
+ operator: Equal
+ value: sts
+ effect: NoSchedule
+ resources:
+ requests:
+ cpu: 250m
+ memory: 512Mi
+ extraObjects:
+ - apiVersion: argoproj.io/v1alpha1
+ kind: EventBus
+ metadata:
+ name: default
+ spec:
+ jetstream:
+ version: "2.10.10"
+ replicas: 3
diff --git a/clusters/yc-infra-prod/infrastructure/patches/argo-workflows.yaml b/clusters/yc-infra-prod/infrastructure/patches/argo-workflows.yaml
new file mode 100644
index 0000000..7fa71f3
--- /dev/null
+++ b/clusters/yc-infra-prod/infrastructure/patches/argo-workflows.yaml
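Review bot: `global.podAnnotations` and `controller.podAnnotations` carry the same five Vault annotations, so the controller copy only adds a second place that has to be kept in sync; assuming the chart's `global` block already reaches the controller pod, keep one copy and drop the other. The `EventBus` added under `extraObjects` has no `resources`, `nodeSelector` or `tolerations`, so its three JetStream replicas will not land on the `dedicated=sts` pool the controller is pinned to and run with no memory bound — if that is intended, say so with `# EventBus/JetStream pods deliberately stay on the general node pool`. Note also that an `agent-inject-secret-…` annotation without a matching `agent-inject-template-…` renders the full Vault response in the agent's default format rather than a single value, which the consumer has to parse.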
@@ -0,0 +1,49 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: argo-workflows
+ namespace: argo
+spec:
+ values:
+ controller:
+ workflowNamespaces:
+ - argo
+ podAnnotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/auth-path: "auth/kubernetes"
+ vault.hashicorp.com/role: "argo-workflows"
+ vault.hashicorp.com/agent-inject-secret-argo-workflows-secret: "secrets/data/yc-infra-prod/infra/argo_workflows/argo_workflows_secret"
+ nodeSelector:
+ kubernetes.io/os: linux
+ dedicated: sts
+ tolerations:
+ - key: dedicated
+ operator: Equal
+ value: sts
+ effect: NoSchedule
+ resources:
+ requests:
+ cpu: 250m
+ memory: 512Mi
+ server:
+ authModes:
+ - server
+ podAnnotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/auth-path: "auth/kubernetes"
+ vault.hashicorp.com/role: "argo-workflows"
+ vault.hashicorp.com/agent-inject-secret-argo-workflows-secret: "secrets/data/yc-infra-prod/infra/argo_workflows/argo_workflows_secret"
+ nodeSelector:
+ kubernetes.io/os: linux
+ dedicated: sts
+ tolerations:
+ - key: dedicated
+ operator: Equal
+ value: sts
+ effect: NoSchedule
+ resources:
+ requests:
+ cpu: 250m
+ memory: 512Mi
diff --git a/clusters/yc-infra-prod/infrastructure/patches/postgresql.yaml b/clusters/yc-infra-prod/infrastructure/patches/postgresql.yaml
new file mode 100644
index 0000000..3a01831
--- /dev/null
+++ b/clusters/yc-infra-prod/infrastructure/patches/postgresql.yaml
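Review bot: `server.authModes: [server]` puts the Argo Server in server auth mode, where every caller that can reach its endpoint acts with the server's own service account and no user identity is attached to requests; together with `workflowNamespaces: [argo]` this gives any client able to reach the service full workflow submission rights in `argo`. If the UI/API is not exposed beyond the cluster and that is the accepted trust boundary, record it next to the key, e.g. `# server mode: no per-user auth; endpoint must stay cluster-internal`; otherwise prefer `sso` or `client` mode. The five Vault annotations are also repeated verbatim between `controller` and `server`; a single shared value would keep the two from drifting.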
@@ -0,0 +1,82 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: postgresql
+ namespace: postgresql
+spec:
+ chart:
+ spec:
+ version: "13.0.8"
+ values:
+ global:
+ security:
+ allowInsecureImages: true
+ image:
+ registry: cr.yandex/crp3ccidau046kdj8g9q
+ repository: contour/postgresql
+ tag: "13.0.8"
+ pullPolicy: IfNotPresent
+ postgresqlSharedPreloadLibraries: "timescaledb,pg_stat_statements"
+ primary:
+ extendedConfiguration: |-
+ fsync = off
+ full_page_writes = off
+ synchronous_commit = off
+ shared_buffers = 8GB
+ effective_cache_size = 18GB
+ work_mem = 256MB
+ maintenance_work_mem = 2GB
+ temp_buffers = 256MB
+ max_wal_size = 32GB
+ checkpoint_timeout = 1h
+ checkpoint_completion_target = 0.9
+ wal_level = minimal
+ max_wal_senders = 0
+ archive_mode = off
+ random_page_cost = 1.1
+ resources:
+ requests:
+ cpu: "6"
+ memory: 25Gi
+ limits:
+ cpu: "6"
+ memory: 25Gi
+ nodeSelector:
+ dedicated: sts
+ tolerations:
+ - key: dedicated
+ operator: Equal
+ value: sts
+ effect: NoSchedule
+ persistence:
+ storageClass: database-storage
+ size: 500Gi
+ contour:
+ enabled: true
+ vault:
+ enabled: true
+ role: postgresql-contour
+ authPath: auth/kubernetes
+ secretPath: secrets/data/yc-infra-prod/infra/postgresql_contour/postgresql_contour_secret
+ secretKey: postgres-password
+ usersSecretPath: secrets/data/yc-infra-prod/infra/postgresql_contour/postgresql_users_secret
+ sharedPreloadLibraries: "timescaledb,pg_stat_statements"
+ "s3-proxy":
+ endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
+ databases:
+ - name: sanitizer
+ user: sanitizer
+ passwordKey: sanitizer
+ extensions:
+ - ltree
+ - pg_stat_statements
+ - postgis
+ - timescaledb
+ - uuid-ossp
+ - pg_trgm
+ - btree_gin
+ - btree_gist
+ - hstore
+ - pg_partman
+ - vector
+ restoreFromDump: false
diff --git a/infrastructure/argo-events/base/helmrelease.yaml b/infrastructure/argo-events/base/helmrelease.yaml
new file mode 100644
index 0000000..c98cc11
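Review bot: The `primary.extendedConfiguration` block turns off `fsync`, `full_page_writes` and `synchronous_commit` and sets `wal_level = minimal` with `archive_mode = off` and `max_wal_senders = 0`, in a file under `clusters/yc-infra-prod`. With `fsync` off a node crash or power loss can leave the data directory corrupt rather than merely losing the last commits, and `wal_level = minimal` rules out streaming replication and WAL-based point-in-time recovery, so the only recovery path is whatever dump schedule exists outside this file (presumably the `yc-pg-dumper` resource listed in the cluster kustomization). If this is a deliberate throughput trade-off for a database that can be rebuilt from dumps, state it above the block, e.g. `# crash-unsafe tuning: no replication/PITR, data is rebuilt from dumps`; otherwise keep at least `fsync = on` and `full_page_writes = on`. `global.security.allowInsecureImages: true` is needed for the custom `cr.yandex` image but also disables the chart's image-origin check, so the pinned `tag` should stay pinned.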
--- /dev/null
+++ b/infrastructure/argo-events/base/helmrelease.yaml
@@ -0,0 +1,26 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: argo-events
+ namespace: argo
+spec:
+ interval: 10m
+ dependsOn:
+ - name: argo-workflows
+ namespace: argo
+ chart:
+ spec:
+ chart: argo-events-infra
+ version: "2.4.15"
+ sourceRef:
+ kind: HelmRepository
+ name: yc-oci-charts
+ namespace: flux-system
+ interval: 10m
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ remediation:
+ retries: 3
diff --git a/infrastructure/argo-events/base/kustomization.yaml b/infrastructure/argo-events/base/kustomization.yaml
new file mode 100644
index 0000000..82eb9cf
--- /dev/null
+++ b/infrastructure/argo-events/base/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: argo
+resources:
+ - helmrelease.yaml
diff --git a/infrastructure/argo-events/kustomization.yaml b/infrastructure/argo-events/kustomization.yaml
new file mode 100644
index 0000000..85dcd9d
--- /dev/null
+++ b/infrastructure/argo-events/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - base
diff --git a/infrastructure/argo-workflows/base/helmrelease.yaml b/infrastructure/argo-workflows/base/helmrelease.yaml
new file mode 100644
index 0000000..e014bd6
--- /dev/null
+++ b/infrastructure/argo-workflows/base/helmrelease.yaml
@@ -0,0 +1,23 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: argo-workflows
+ namespace: argo
+spec:
+ interval: 10m
+ chart:
+ spec:
+ chart: argo-workflows-infra
+ version: "0.45.12"
+ sourceRef:
+ kind: HelmRepository
+ name: yc-oci-charts
+ namespace: flux-system
+ interval: 10m
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ remediation:
+ retries: 3
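Review bot: Both new HelmReleases on this line (`argo-events` here and `argo-workflows` further down) leave the CRD policy at Flux's default, which creates CRDs on install but skips them on upgrade; the cluster patch for argo-events already instantiates an `EventBus` from the chart, so a later `version` bump that changes the EventBus or Workflow CRDs would update the chart but not the CRDs. If the `*-infra` charts ship their CRDs, add `crds: CreateReplace` under both `install:` and `upgrade:` in each release; if the CRDs are managed elsewhere, a comment naming where would save the next reader the question. Pinning `version` and sourcing both charts from the single `yc-oci-charts` repository is the right shape for a prod cluster.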
diff --git a/infrastructure/argo-workflows/base/kustomization.yaml b/infrastructure/argo-workflows/base/kustomization.yaml
new file mode 100644
index 0000000..76b6595
--- /dev/null
+++ b/infrastructure/argo-workflows/base/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: argo
+resources:
+ - namespace.yaml
+ - helmrelease.yaml
diff --git a/infrastructure/argo-workflows/base/namespace.yaml b/infrastructure/argo-workflows/base/namespace.yaml
new file mode 100644
index 0000000..325701d
--- /dev/null
+++ b/infrastructure/argo-workflows/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: argo
diff --git a/infrastructure/argo-workflows/kustomization.yaml b/infrastructure/argo-workflows/kustomization.yaml
new file mode 100644
index 0000000..85dcd9d
--- /dev/null
+++ b/infrastructure/argo-workflows/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - base
diff --git a/infrastructure/postgresql/base/kustomization.yaml b/infrastructure/postgresql/base/kustomization.yaml
index ad2777d..f26a436 100644
--- a/infrastructure/postgresql/base/kustomization.yaml
+++ b/infrastructure/postgresql/base/kustomization.yaml
@@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: postgresql resources: + - namespace.yaml - helmrelease.yaml
diff --git a/infrastructure/postgresql/base/namespace.yaml b/infrastructure/postgresql/base/namespace.yaml
new file mode 100644
index 0000000..a6bb64a
--- /dev/null
+++ b/infrastructure/postgresql/base/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: postgresql
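Review bot: The two new `Namespace` objects (`argo` and `postgresql`) are created without any labels, while the argo HelmReleases added on the previous line still set `install.createNamespace: true`, so the `argo` namespace now has two owners. Since the repo manages these namespaces explicitly, this is the place to set the Pod Security Admission level, e.g. `pod-security.kubernetes.io/enforce: baseline` with a matching `warn` label, given that pods in both namespaces receive Vault-injected secrets; whether `baseline` is compatible with the Vault agent init container and with workflow pods would need checking first. Either way, drop `createNamespace: true` from the HelmReleases or add a comment in the base kustomization saying why both are kept.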