diff --git a/apps/django/base/django-configmap.yaml b/apps/django/base/django-configmap.yaml index 58d0bce..395a0d7 100644 --- a/apps/django/base/django-configmap.yaml +++ b/apps/django/base/django-configmap.yaml @@ -5,11 +5,52 @@ metadata: namespace: django data: production.py: | + import ast import os from .base import * from logging.handlers import SysLogHandler from datetime import timedelta + def _load_env_file(path): + try: + with open(path, "r", encoding="utf-8") as f: + for raw_line in f: + line = raw_line.strip() + if not line or line.startswith("#") or "=" not in line: + continue + key, value = line.split("=", 1) + key = key.strip() + value = value.strip() + if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'): + try: + value = ast.literal_eval(value) + except (ValueError, SyntaxError): + value = value[1:-1] + if key and key not in os.environ: + os.environ[key] = value + except FileNotFoundError: + pass + + def _read_secret_file(path, default=""): + try: + with open(path, "r", encoding="utf-8") as f: + return f.read().strip() + except FileNotFoundError: + return default + + # Fallback for manage.py launched via `kubectl exec` (outside entrypoint), + # so Django can still read DB/JWT values from Vault-injected files. + _load_env_file("/vault/secrets/django-postgresql") + _load_env_file("/vault/secrets/django-rabbitmq") + _load_env_file("/vault/secrets/django-s3") + _load_env_file("/vault/secrets/django-kafka") + _load_env_file("/vault/secrets/django-common") + + if not os.environ.get("JWT_PRIVATE_KEY"): + os.environ["JWT_PRIVATE_KEY"] = _read_secret_file("/vault/secrets/django-jwt-private") + if not os.environ.get("JWT_PUBLIC_KEY"): + os.environ["JWT_PUBLIC_KEY"] = _read_secret_file("/vault/secrets/django-jwt-public") + ALLOWED_HOSTS = ["*"] FILE_UPLOAD_PERMISSIONS = 0o644 DEBUG = False 
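Review bot: `_load_env_file` can put a non-string into `os.environ`: when a quoted value is a valid literal that is not a `str` (e.g. `"a", "b"` parses as a tuple), `ast.literal_eval` returns that object and `os.environ[key] = value` raises TypeError instead of taking the strip-the-quotes fallback; replace the assignment with `parsed = ast.literal_eval(value)` / `value = parsed if isinstance(parsed, str) else value[1:-1]`. The JWT fallback also fails silently: `_read_secret_file(..., default="")` yields an empty string when the Vault file is absent, so a pod with no key material imports settings cleanly and only breaks when a token is signed or verified, whereas the previous `.replace` on `None` aborted at startup. Add an explicit check after the two fallbacks, `if not os.environ["JWT_PRIVATE_KEY"] or not os.environ["JWT_PUBLIC_KEY"]: raise RuntimeError("JWT key material not configured")`, so a misconfigured pod never serves traffic. Note also that `strip()` plus the unquoting step alter secret values that legitimately begin or end with quotes or whitespace — presumably not the case for Vault-generated passwords, but worth confirming against the injector templates.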
@@ -109,8 +150,8 @@ data: 'BLACKLIST_AFTER_ROTATION': True, 'UPDATE_LAST_LOGIN': False, 'ALGORITHM': 'RS512', - 'SIGNING_KEY': os.environ.get("JWT_PRIVATE_KEY").replace("\\n", "\n"), - 'VERIFYING_KEY': os.environ.get("JWT_PUBLIC_KEY").replace("\\n", "\n"), + 'SIGNING_KEY': os.environ.get("JWT_PRIVATE_KEY", "").replace("\\n", "\n"), + 'VERIFYING_KEY': os.environ.get("JWT_PUBLIC_KEY", "").replace("\\n", "\n"), 'AUDIENCE': None, 'ISSUER': os.environ.get('SIMPLE_JWT_ISSUER', 'default_issuer'), 'AUTH_HEADER_TYPES': ('Bearer',), @@ -278,4 +319,3 @@ data: }, "sso_logout_redirect": True } - diff --git a/apps/system-log/base/backend-deployment.yaml b/apps/system-log/base/backend-deployment.yaml index 011d128..e6c8092 100644 --- a/apps/system-log/base/backend-deployment.yaml +++ b/apps/system-log/base/backend-deployment.yaml 
@@ -17,11 +17,45 @@ spec: labels: app: api service: api + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: system-log + vault.hashicorp.com/agent-inject-secret-system-log-postgresql: secrets/data/postgresql/apps/system-log + vault.hashicorp.com/agent-inject-template-system-log-postgresql: |- + {{- with secret "secrets/data/postgresql/apps/system-log" -}} + POSTGRES_ADDRESS=postgresql.system-log.svc.cluster.local + POSTGRES_PORT=5432 + POSTGRES_DB=system_log_db + POSTGRES_USER={{ index .Data.data "username" }} + POSTGRES_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-system-log-kafka: secrets/data/kafka/apps/system-log + vault.hashicorp.com/agent-inject-template-system-log-kafka: |- + {{- with secret "secrets/data/kafka/apps/system-log" -}} + KAFKA_USERNAME={{ index .Data.data "username" }} + KAFKA_PASSWORD={{ index .Data.data "password" }} + KAFKA_BROKERS={{ index .Data.data.auth "bootstrap_servers" }} + {{- $topics := index .Data.data "topics" -}} + KAFKA_TOPIC={{- if gt (len $topics) 0 -}}{{ index (index $topics 0) "name" }}{{- else -}}system-log.events{{- end -}} + {{- end -}} spec: + serviceAccountName: system-log-vault containers: - name: api - image: cr.yandex/crp3ccidau046kdj8g9q/system-log:prod_6ed1b27e + image: cr.yandex/crp3ccidau046kdj8g9q/system-log_prod:075fc0 imagePullPolicy: IfNotPresent + command: ["/bin/bash", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/system-log-postgresql ] && . /vault/secrets/system-log-postgresql + [ -f /vault/secrets/system-log-kafka ] && . /vault/secrets/system-log-kafka + set +a + exec /app ports: - name: http containerPort: 8000 
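Review bot: The rendered files are sourced by bash (`set -a; . /vault/secrets/...`), but the template writes `POSTGRES_PASSWORD={{ index .Data.data "password" }}` and `KAFKA_PASSWORD=...` unquoted, so a password containing a space, `$`, backtick, `;` or a quote is truncated, expanded or executed as a command at container start — whoever can write that Vault key can run code in the pod. Single-quote the values in the template and escape embedded quotes, e.g. `POSTGRES_PASSWORD='{{ index .Data.data "password" | replaceAll "'" "'\\''" }}'` (consul-template provides `replaceAll`; confirm the injector version here exposes it). The new Kafka template also emits nothing in place of the `KAFKA_PEM_CERT` (`ca.crt`) variable that the secretKeyRef block removed in the next hunk used to provide, so unless the image now trusts the broker CA another way, TLS to Kafka will presumably fail. `agent-pre-populate-only: "true"` renders the files once in an init container, so a rotated Vault password only reaches the app after a pod restart — fine if intended, but worth a comment on the annotation.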
@@ -57,56 +91,6 @@ spec: value: "/tmp" - name: DJANGO_HOST value: http://backend.django.svc.cluster.local:8000 - - name: POSTGRES_ADDRESS - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: POSTGRES_PORT - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: KAFKA_USERNAME - valueFrom: - secretKeyRef: - key: username - name: kafka-secret - - name: KAFKA_BROKERS - valueFrom: - secretKeyRef: - key: host - name: kafka-secret - - name: KAFKA_TOPIC - valueFrom: - secretKeyRef: - key: topic - name: kafka-secret - - name: KAFKA_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: kafka-secret - - name: KAFKA_PEM_CERT - valueFrom: - secretKeyRef: - key: ca.crt - name: kafka-secret resources: requests: diff --git a/apps/system-log/base/kustomization.yaml b/apps/system-log/base/kustomization.yaml index 91b2b1b..c0cac04 100644 --- a/apps/system-log/base/kustomization.yaml +++ b/apps/system-log/base/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: system-log resources: - namespace.yaml + - serviceaccount.yaml - backend-deployment.yaml - backend-service.yaml - worker-deployment.yaml diff --git a/apps/system-log/base/worker-deployment.yaml b/apps/system-log/base/worker-deployment.yaml index 46ffedf..186f702 100644 --- a/apps/system-log/base/worker-deployment.yaml +++ b/apps/system-log/base/worker-deployment.yaml 
@@ -17,11 +17,42 @@ spec: labels: app: worker service: worker + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: system-log + vault.hashicorp.com/agent-inject-secret-system-log-postgresql: secrets/data/postgresql/apps/system-log + vault.hashicorp.com/agent-inject-template-system-log-postgresql: |- + {{- with secret "secrets/data/postgresql/apps/system-log" -}} + POSTGRES_ADDRESS=postgresql.system-log.svc.cluster.local + POSTGRES_PORT=5432 + POSTGRES_DB=system_log_db + POSTGRES_USER={{ index .Data.data "username" }} + POSTGRES_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-system-log-django-auth: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-system-log-django-auth: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + SUPER_USERNAME={{ index .Data.data "username" }} + SUPER_PASSWORD={{ index .Data.data "password" }} + {{- end -}} spec: + serviceAccountName: system-log-vault containers: - name: worker - image: cr.yandex/crp3ccidau046kdj8g9q/system_log_worker:de6a0147d285afa273e85c0f074c8b6049d03a32 + image: cr.yandex/crp3ccidau046kdj8g9q/system-log-worker_prod:075fc0 imagePullPolicy: IfNotPresent + command: ["/bin/bash", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/system-log-postgresql ] && . /vault/secrets/system-log-postgresql + [ -f /vault/secrets/system-log-django-auth ] && . /vault/secrets/system-log-django-auth + set +a + exec /app ports: - name: http containerPort: 8000 
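Review bot: `SUPER_PASSWORD={{ index .Data.data "password" }}` is sourced by bash unquoted, so a Django superuser password containing shell metacharacters (`$`, backtick, `;`, space, quote) is mangled or executed when the worker starts; quote it in the template, e.g. `SUPER_PASSWORD='{{ index .Data.data "password" | replaceAll "'" "'\\''" }}'`, and do the same for `POSTGRES_PASSWORD`. The worker and the backend share the single Vault role `system-log`, so the policy that lets the worker read `secrets/data/vault/common/django_auth` also lets the backend pod (which does not reference that secret) read the superuser credential — split the role or policy if the backend is not meant to hold it. The `common/` path name suggests these credentials are shared across applications; if so, a compromise of this worker exposes more than system-log, which deserves a comment next to the annotation.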
@@ -47,41 +78,6 @@ spec: value: "0" - name: DJANGO_HOST value: http://backend.django.svc.cluster.local:8000 - - name: POSTGRES_ADDRESS - valueFrom: - secretKeyRef: - key: hostname - name: postgresql-secret - - name: POSTGRES_PORT - valueFrom: - secretKeyRef: - key: port - name: postgresql-secret - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - key: database - name: postgresql-secret - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - key: username - name: postgresql-secret - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: postgresql-secret - - name: SUPER_USERNAME - valueFrom: - secretKeyRef: - key: username - name: superuser - - name: SUPER_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: superuser resources: requests: diff --git a/apps/system-log/yc-k8s-test/postgresql.yaml b/apps/system-log/yc-k8s-test/postgresql.yaml index d5659e4..34998e9 100644 --- a/apps/system-log/yc-k8s-test/postgresql.yaml +++ b/apps/system-log/yc-k8s-test/postgresql.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: postgresql-contour - version: "17.0.2" + version: "17.0.7" sourceRef: kind: HelmRepository name: yc-oci-charts @@ -44,7 +44,7 @@ spec: image: registry: cr.yandex/crp3ccidau046kdj8g9q repository: contour/postgresql - tag: 17.0.2 + tag: 17.0.7 pullPolicy: Always metrics: enabled: false @@ -61,7 +61,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 @@ -72,7 +72,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 
@@ -83,12 +83,15 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 6 + resources: + requests: + memory: 512Mi nodeSelector: dedicated: db tolerations: @@ -98,12 +101,19 @@ spec: effect: NoSchedule contour: enabled: true - adminUser: "" - adminPasswordSecretKey: "" + adminUser: "postgres" sharedPreloadLibraries: "ltree,pg_stat_statements,timescaledb" + vault: + enabled: true + role: postgresql + authPath: auth/kubernetes + secretPath: secrets/data/postgresql/admin + secretKey: postgres-password + usersSecretPath: secrets/data/postgresql/users databases: - name: system_log_db user: system_log + passwordKey: system-log extensions: [] restoreFromDump: false s3-proxy:
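Review bot: The database-side credential (`usersSecretPath: secrets/data/postgresql/users`, `passwordKey: system-log`) and the application-side credential (`secrets/data/postgresql/apps/system-log`, keys `username`/`password`, read by the backend and worker templates) live at two different Vault paths, and nothing in this change ties them together, so a rotation or typo in one breaks the app silently. If the chart does not derive one from the other, add a comment next to `passwordKey: system-log` such as `# must stay in sync with secrets/data/postgresql/apps/system-log (consumed by backend/worker)`, or better, point both sides at the same secret. Separately, `resources.requests.memory: 512Mi` is set without a matching limit, so the pod runs with Burstable QoS on the dedicated `db` node — presumably intended, but a limit keeps one runaway query from evicting its neighbours.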