Add infra Argo and PostgreSQL contour releases

2026-06-11 11:14:13 +03:00 · 2026-06-11 11:14:13 +03:00 · f3bdf28bd8
commit f3bdf28bd8
parent 7ed0c6ef0c
13 changed files with 273 additions and 0 deletions
--- a/clusters/yc-infra-prod/infrastructure/kustomization.yaml
+++ b/clusters/yc-infra-prod/infrastructure/kustomization.yaml
@ -1,10 +1,34 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - ../../../infrastructure/argo-workflows
+  - ../../../infrastructure/argo-events
+  - ../../../infrastructure/postgresql
  - ../../../infrastructure/vault-unseal
  - ../../../infrastructure/vault
  - ../../../infrastructure/yc-pg-dumper
 patches:
+  - path: ./patches/argo-workflows.yaml
+    target:
+      group: helm.toolkit.fluxcd.io
+      version: v2
+      kind: HelmRelease
+      name: argo-workflows
+      namespace: argo
+  - path: ./patches/argo-events.yaml
+    target:
+      group: helm.toolkit.fluxcd.io
+      version: v2
+      kind: HelmRelease
+      name: argo-events
+      namespace: argo
+  - path: ./patches/postgresql.yaml
+    target:
+      group: helm.toolkit.fluxcd.io
+      version: v2
+      kind: HelmRelease
+      name: postgresql
+      namespace: postgresql
  - path: ./patches/vault-unseal.yaml
    target:
      group: helm.toolkit.fluxcd.io
--- a/clusters/yc-infra-prod/infrastructure/patches/argo-events.yaml
+++ b/clusters/yc-infra-prod/infrastructure/patches/argo-events.yaml
@ -0,0 +1,41 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: argo-events
+  namespace: argo
+spec:
+  values:
+    global:
+      podAnnotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: "auth/kubernetes"
+        vault.hashicorp.com/role: "argo-events"
+        vault.hashicorp.com/agent-inject-secret-argo-events-secret: "secrets/data/yc-infra-prod/infra/argo_events/argo_events_secret"
+    controller:
+      podAnnotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: "auth/kubernetes"
+        vault.hashicorp.com/role: "argo-events"
+        vault.hashicorp.com/agent-inject-secret-argo-events-secret: "secrets/data/yc-infra-prod/infra/argo_events/argo_events_secret"
+      nodeSelector:
+        dedicated: sts
+      tolerations:
+        - key: dedicated
+          operator: Equal
+          value: sts
+          effect: NoSchedule
+      resources:
+        requests:
+          cpu: 250m
+          memory: 512Mi
+    extraObjects:
+      - apiVersion: argoproj.io/v1alpha1
+        kind: EventBus
+        metadata:
+          name: default
+        spec:
+          jetstream:
+            version: "2.10.10"
+            replicas: 3
--- a/clusters/yc-infra-prod/infrastructure/patches/argo-workflows.yaml
+++ b/clusters/yc-infra-prod/infrastructure/patches/argo-workflows.yaml
@ -0,0 +1,49 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: argo-workflows
+  namespace: argo
+spec:
+  values:
+    controller:
+      workflowNamespaces:
+        - argo
+      podAnnotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: "auth/kubernetes"
+        vault.hashicorp.com/role: "argo-workflows"
+        vault.hashicorp.com/agent-inject-secret-argo-workflows-secret: "secrets/data/yc-infra-prod/infra/argo_workflows/argo_workflows_secret"
+      nodeSelector:
+        kubernetes.io/os: linux
+        dedicated: sts
+      tolerations:
+        - key: dedicated
+          operator: Equal
+          value: sts
+          effect: NoSchedule
+      resources:
+        requests:
+          cpu: 250m
+          memory: 512Mi
+    server:
+      authModes:
+        - server
+      podAnnotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: "auth/kubernetes"
+        vault.hashicorp.com/role: "argo-workflows"
+        vault.hashicorp.com/agent-inject-secret-argo-workflows-secret: "secrets/data/yc-infra-prod/infra/argo_workflows/argo_workflows_secret"
+      nodeSelector:
+        kubernetes.io/os: linux
+        dedicated: sts
+      tolerations:
+        - key: dedicated
+          operator: Equal
+          value: sts
+          effect: NoSchedule
+      resources:
+        requests:
+          cpu: 250m
+          memory: 512Mi
--- a/clusters/yc-infra-prod/infrastructure/patches/postgresql.yaml
+++ b/clusters/yc-infra-prod/infrastructure/patches/postgresql.yaml
@ -0,0 +1,82 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: postgresql
+  namespace: postgresql
+spec:
+  chart:
+    spec:
+      version: "13.0.8"
+  values:
+    global:
+      security:
+        allowInsecureImages: true
+    image:
+      registry: cr.yandex/crp3ccidau046kdj8g9q
+      repository: contour/postgresql
+      tag: "13.0.8"
+      pullPolicy: IfNotPresent
+    postgresqlSharedPreloadLibraries: "timescaledb,pg_stat_statements"
+    primary:
+      extendedConfiguration: |-
+        fsync = off
+        full_page_writes = off
+        synchronous_commit = off
+        shared_buffers = 8GB
+        effective_cache_size = 18GB
+        work_mem = 256MB
+        maintenance_work_mem = 2GB
+        temp_buffers = 256MB
+        max_wal_size = 32GB
+        checkpoint_timeout = 1h
+        checkpoint_completion_target = 0.9
+        wal_level = minimal
+        max_wal_senders = 0
+        archive_mode = off
+        random_page_cost = 1.1
+      resources:
+        requests:
+          cpu: "6"
+          memory: 25Gi
+        limits:
+          cpu: "6"
+          memory: 25Gi
+      nodeSelector:
+        dedicated: sts
+      tolerations:
+        - key: dedicated
+          operator: Equal
+          value: sts
+          effect: NoSchedule
+      persistence:
+        storageClass: database-storage
+        size: 500Gi
+    contour:
+      enabled: true
+      vault:
+        enabled: true
+        role: postgresql-contour
+        authPath: auth/kubernetes
+        secretPath: secrets/data/yc-infra-prod/infra/postgresql_contour/postgresql_contour_secret
+        secretKey: postgres-password
+        usersSecretPath: secrets/data/yc-infra-prod/infra/postgresql_contour/postgresql_users_secret
+      sharedPreloadLibraries: "timescaledb,pg_stat_statements"
+      "s3-proxy":
+        endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
+      databases:
+        - name: sanitizer
+          user: sanitizer
+          passwordKey: sanitizer
+          extensions:
+            - ltree
+            - pg_stat_statements
+            - postgis
+            - timescaledb
+            - uuid-ossp
+            - pg_trgm
+            - btree_gin
+            - btree_gist
+            - hstore
+            - pg_partman
+            - vector
+          restoreFromDump: false
--- a/infrastructure/argo-events/base/helmrelease.yaml
+++ b/infrastructure/argo-events/base/helmrelease.yaml
@ -0,0 +1,26 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: argo-events
+  namespace: argo
+spec:
+  interval: 10m
+  dependsOn:
+    - name: argo-workflows
+      namespace: argo
+  chart:
+    spec:
+      chart: argo-events-infra
+      version: "2.4.15"
+      sourceRef:
+        kind: HelmRepository
+        name: yc-oci-charts
+        namespace: flux-system
+      interval: 10m
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
--- a/infrastructure/argo-events/base/kustomization.yaml
+++ b/infrastructure/argo-events/base/kustomization.yaml
@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: argo
+resources:
+  - helmrelease.yaml
--- a/infrastructure/argo-events/kustomization.yaml
+++ b/infrastructure/argo-events/kustomization.yaml
@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - base
--- a/infrastructure/argo-workflows/base/helmrelease.yaml
+++ b/infrastructure/argo-workflows/base/helmrelease.yaml
@ -0,0 +1,23 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: argo-workflows
+  namespace: argo
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: argo-workflows-infra
+      version: "0.45.12"
+      sourceRef:
+        kind: HelmRepository
+        name: yc-oci-charts
+        namespace: flux-system
+      interval: 10m
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
--- a/infrastructure/argo-workflows/base/kustomization.yaml
+++ b/infrastructure/argo-workflows/base/kustomization.yaml
@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: argo
+resources:
+  - namespace.yaml
+  - helmrelease.yaml
--- a/infrastructure/argo-workflows/base/namespace.yaml
+++ b/infrastructure/argo-workflows/base/namespace.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: argo
--- a/infrastructure/argo-workflows/kustomization.yaml
+++ b/infrastructure/argo-workflows/kustomization.yaml
@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - base
--- a/infrastructure/postgresql/base/kustomization.yaml
+++ b/infrastructure/postgresql/base/kustomization.yaml
@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: postgresql
 resources:
+  - namespace.yaml
  - helmrelease.yaml
--- a/infrastructure/postgresql/base/namespace.yaml
+++ b/infrastructure/postgresql/base/namespace.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: postgresql