sarex/iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: sarex:master
Branches Tags
sarex:master
sarex:argocd-helm-master
sarex:helm
sarex:helm-master
sarex:3.9.0
..
compare: sarex:argocd-helm-master
Branches Tags
sarex:master
sarex:argocd-helm-master
sarex:helm
sarex:helm-master
sarex:3.9.0

3 Commits
master ... argocd-hel

Author SHA1 Message Date
emelinda
3ec6a853c9 Add Redis applications to ArgoCD using universal-chart Helm configuration across multiple namespaces (django, pm, documentations); update kustomization references. 2026-04-29 17:35:19 +03:00
emelinda
0359c0deca Add frontend applications to ArgoCD using universal-chart Helm configuration across multiple namespaces. 2026-04-24 14:42:45 +03:00
emelinda
137df85ef7 Migrate frontend deployments and services to HelmRelease configuration using universal-chart across multiple namespaces. 2026-04-24 14:18:33 +03:00
601 changed files with 3000 additions and 78896 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -2,5 +2,3 @@
.claude .claude
CLAUDE.md CLAUDE.md
.env .env
tmp

344
README.md
View File

@ -1,349 +1,7 @@
# FluxCD v2 Monorepooo # FluxCD v2 Monorepo
Репозиторий Infrastructure as Code, управляемый [FluxCD v2](https://fluxcd.io/) с использованием Kustomize-оверлеев и Helm-релизов. Репозиторий Infrastructure as Code, управляемый [FluxCD v2](https://fluxcd.io/) с использованием Kustomize-оверлеев и Helm-релизов.
## Карта инфраструктуры и межсервисных маршрутов
Диаграмма ниже показывает инфраструктурные компоненты кластера, их зависимости и типовые маршруты вызовов между бизнес-сервисами.
```mermaid
flowchart LR
%% ===== Внешний контур =====
User([👤 Пользователь<br/>Web / Mobile]):::ext
Admin([🛡 Администратор<br/>kubectl / flux]):::ext
LE([🔐 Let's Encrypt<br/>ACME v2]):::ext
GitRepo([📦 Git Repository<br/>FluxCD source]):::ext
OCI([🐳 OCI Registry<br/>cr.yandex]):::ext
%% ===== GitOps =====
subgraph GITOPS["⚙️ GitOps Control Plane"]
direction TB
FluxSource[source-controller]:::flux
FluxKust[kustomize-controller]:::flux
FluxHelm[helm-controller]:::flux
FluxNotif[notification-controller]:::flux
FluxSource --> FluxKust
FluxSource --> FluxHelm
FluxKust --> FluxNotif
FluxHelm --> FluxNotif
end
%% ===== Edge / Service Mesh =====
subgraph EDGE["🌐 Edge & Service Mesh — istio-system"]
direction TB
Gateway["Istio Gateway<br/>:443 / :80<br/>LoadBalancer"]:::mesh
Pilot["istiod / Pilot<br/>xDS :15010/:15012"]:::mesh
Base[Istio Base<br/>CRDs + RBAC]:::mesh
Cert["cert-manager<br/>v1.x"]:::mesh
IssuerProd[ClusterIssuer<br/>letsencrypt-prod]:::mesh
IssuerIstio[ClusterIssuer<br/>letsencrypt-istio]:::mesh
Pilot -->|sidecar inject| Gateway
Base --> Pilot
Cert --> IssuerProd
Cert --> IssuerIstio
IssuerIstio -. TLS cert .-> Gateway
end
%% ===== Платформа =====
subgraph PLATFORM["🛠 Платформа"]
direction TB
Dashboard["K8s Dashboard<br/>UI :8443"]:::platform
LPP["local-path-provisioner<br/>StorageClass: local-path"]:::platform
Vault["HashiCorp Vault<br/>:8200 KV/Transit"]:::platform
S3Proxy["S3 Proxy<br/>S3 API gateway"]:::platform
end
%% ===== Identity =====
subgraph IDENTITY["🪪 Identity & SSO"]
direction TB
Zitadel["Zitadel<br/>OIDC :8080"]:::identity
Keycloak["Keycloak<br/>OIDC/SAML :8080"]:::identity
OpenLDAP["OpenLDAP<br/>:389 / :636"]:::identity
Keycloak -- "LDAP federation" --> OpenLDAP
end
%% ===== Данные =====
subgraph DATA["🗄 Хранилища данных"]
direction TB
PG[("PostgreSQL<br/>:5432<br/>HA primary/replica")]:::data
Redis[("Redis<br/>:6379<br/>cache + pub/sub")]:::data
MinIO[("MinIO<br/>S3 :9000<br/>console :9001")]:::data
end
%% ===== Messaging =====
subgraph MSG["📨 Messaging"]
direction TB
Kafka[["Kafka<br/>:9092 / :9093 SASL<br/>3 brokers"]]:::msg
ZK[["ZooKeeper / KRaft<br/>:2181"]]:::msg
RMQ[["RabbitMQ<br/>:5672 / mgmt :15672"]]:::msg
Kafka --- ZK
end
%% ===== BPM =====
subgraph BPM["🔧 BPM"]
direction TB
Camunda["Camunda Platform<br/>REST :8080 / Tasklist"]:::app
Operate["Camunda Operate<br/>UI :8081"]:::app
end
%% ===== Бизнес-сервисы (каждый в своём namespace) =====
subgraph APPS["💼 Бизнес-сервисы — namespaces"]
direction LR
CI["ns: control-interface"]:::app
Django["ns: django"]:::app
EAV["ns: eav"]:::app
Workspaces["ns: workspaces"]:::app
Projects["ns: projects"]:::app
PM["ns: pm"]:::app
Contracts["ns: contracts"]:::app
Resources["ns: resources"]:::app
Subs["ns: subscriptions"]:::app
SysLog["ns: system-log"]:::app
MsgHub["ns: message-hub"]:::app
FaaS["ns: faas"]:::app
Flows["ns: flows"]:::app
Docs["ns: documentations"]:::app
DocLink["ns: document-link"]:::app
Attach["ns: attachments"]:::app
Transmittal["ns: transmittal"]:::app
CDE["ns: cde"]:::app
Drawings["ns: drawings"]:::app
BIM["ns: bim"]:::app
Stamp["ns: stamp-verification"]:::app
Inspect["ns: inspections"]:::app
Checklists["ns: checklists"]:::app
Remarks["ns: remarks"]:::app
Issues["ns: issues"]:::app
RFI["ns: rfi"]:::app
Reviews["ns: reviews"]:::app
Prescr["ns: prescriptions"]:::app
Compare["ns: comparisons"]:::app
Measure["ns: measurements"]:::app
Mapper["ns: mapper"]:::app
XSection["ns: cross-section"]:::app
Process["ns: processing"]:::app
Notes["ns: notes"]:::app
end
%% ===== GitOps потоки =====
Admin ==>|git push| GitRepo
GitRepo ==>|pull/poll| FluxSource
OCI ==>|OCI charts| FluxSource
FluxKust ==>|apply manifests| EDGE
FluxKust ==>|apply manifests| PLATFORM
FluxKust ==>|apply manifests| IDENTITY
FluxHelm ==>|HelmRelease| DATA
FluxHelm ==>|HelmRelease| MSG
FluxHelm ==>|HelmRelease| BPM
FluxHelm ==>|HelmRelease| APPS
%% ===== Внешний трафик =====
User ==>|HTTPS 443| Gateway
LE -. ACME HTTP-01 .-> Cert
Gateway ==>|VirtualService<br/>mTLS| CI
Gateway ==>|/api| Django
Gateway ==>|/bim| BIM
Gateway ==>|/cde| CDE
Gateway ==>|/docs| Docs
Gateway ==>|/pm| PM
Gateway ==>|VirtualService| Camunda
Gateway ==>|VirtualService| Operate
Gateway ==>|/auth| Keycloak
Gateway ==>|/oauth| Zitadel
Gateway ==>|/dashboard| Dashboard
Gateway ==>|/minio| MinIO
Admin -.->|kubectl| Dashboard
%% ===== Frontend → backend (через control-interface) =====
CI -- "API gateway" --> Django
CI -- "API gateway" --> PM
CI -- "API gateway" --> Projects
CI -- "API gateway" --> Workspaces
%% ===== Подключения к данным =====
Django -- "JDBC/ORM" --> PG
EAV -- "JDBC" --> PG
PM -- "JDBC" --> PG
Contracts -- "JDBC" --> PG
Resources -- "JDBC" --> PG
Projects -- "JDBC" --> PG
Workspaces -- "JDBC" --> PG
Subs -- "JDBC" --> PG
SysLog -- "JDBC" --> PG
Docs -- "JDBC" --> PG
DocLink -- "JDBC" --> PG
CDE -- "JDBC" --> PG
BIM -- "JDBC" --> PG
Drawings -- "JDBC" --> PG
Inspect -- "JDBC" --> PG
Checklists -- "JDBC" --> PG
Issues -- "JDBC" --> PG
Remarks -- "JDBC" --> PG
RFI -- "JDBC" --> PG
Reviews -- "JDBC" --> PG
Prescr -- "JDBC" --> PG
Compare -- "JDBC" --> PG
Measure -- "JDBC" --> PG
Mapper -- "JDBC" --> PG
XSection -- "JDBC" --> PG
Notes -- "JDBC" --> PG
Stamp -- "JDBC" --> PG
Transmittal -- "JDBC" --> PG
Camunda -- "JDBC" --> PG
Operate -- "JDBC" --> PG
Zitadel -- "JDBC" --> PG
Keycloak -- "JDBC" --> PG
%% ===== Redis (общий кэш / sessions) =====
Django -- "session/cache" --> Redis
CI -- "session" --> Redis
PM -- "cache" --> Redis
Workspaces -- "cache" --> Redis
Subs -- "pub/sub realtime" --> Redis
MsgHub -- "pub/sub" --> Redis
Flows -- "state" --> Redis
FaaS -- "queue" --> Redis
Camunda -- "cache" --> Redis
Keycloak -- "session" --> Redis
%% ===== S3 / объектное хранилище =====
Attach -- "PUT/GET" --> S3Proxy
Docs -- "filestream" --> S3Proxy
BIM -- "IFC/RVT" --> S3Proxy
Drawings -- "DWG/PDF" --> S3Proxy
CDE -- "files" --> S3Proxy
Compare -- "rendered diff" --> S3Proxy
Stamp -- "signed PDF" --> S3Proxy
Transmittal -- "bundles" --> S3Proxy
Process -- "raw + результаты" --> S3Proxy
Mapper -- "tiles" --> S3Proxy
Measure -- "snapshots" --> S3Proxy
XSection -- "профили" --> S3Proxy
S3Proxy -- "S3 API" --> MinIO
%% ===== Vault (secrets) =====
Django -. "kv" .-> Vault
Camunda -. "approle" .-> Vault
Keycloak -. "kv" .-> Vault
Zitadel -. "kv" .-> Vault
FaaS -. "approle" .-> Vault
Flows -. "approle" .-> Vault
%% ===== Storage / PVC =====
PG -.->|PVC| LPP
Redis -.->|PVC| LPP
Kafka -.->|PVC| LPP
ZK -.->|PVC| LPP
RMQ -.->|PVC| LPP
MinIO -.->|PVC| LPP
Vault -.->|PVC| LPP
%% ===== Kafka (event bus) =====
SysLog -- "consume audit.*" --> Kafka
MsgHub -- "produce notify.*" --> Kafka
Subs -- "consume notify.*" --> Kafka
Flows -- "produce/consume flows.*" --> Kafka
Camunda -- "produce bpm.events" --> Kafka
Operate -- "consume zeebe-records" --> Kafka
BIM -- "produce bim.processed" --> Kafka
Drawings -- "produce drawings.uploaded" --> Kafka
Process -- "consume processing.jobs" --> Kafka
Compare -- "consume drawings.uploaded" --> Kafka
Inspect -- "produce inspect.events" --> Kafka
Issues -- "consume inspect.events" --> Kafka
Remarks -- "produce remarks.events" --> Kafka
Reviews -- "consume remarks.events" --> Kafka
%% ===== RabbitMQ (work queues) =====
FaaS -- "consume tasks.*" --> RMQ
Flows -- "publish tasks.*" --> RMQ
Process -- "publish jobs" --> RMQ
Mapper -- "consume tile.jobs" --> RMQ
XSection -- "consume xs.jobs" --> RMQ
Stamp -- "consume sign.jobs" --> RMQ
Camunda -- "consume bpm.tasks" --> RMQ
%% ===== Межсервисные REST маршруты =====
PM -- "REST" --> Projects
PM -- "REST" --> Contracts
PM -- "REST" --> Resources
Projects -- "REST" --> Workspaces
Contracts -- "REST" --> Resources
Inspect -- "REST" --> Checklists
Inspect -- "REST" --> Issues
Issues -- "REST" --> Remarks
Reviews -- "REST" --> RFI
Reviews -- "REST" --> Prescr
RFI -- "REST" --> DocLink
DocLink --> Docs
DocLink --> CDE
CDE -- "REST" --> Docs
CDE -- "REST" --> Drawings
CDE -- "REST" --> BIM
Transmittal -- "REST" --> CDE
Transmittal -- "REST" --> Docs
Drawings -- "REST" --> Compare
Drawings -- "REST" --> Stamp
Measure -- "REST" --> Mapper
Mapper -- "REST" --> XSection
XSection --> Process
BIM -- "REST" --> Process
Notes -- "REST" --> DocLink
Flows -- "trigger" --> FaaS
Flows -- "start" --> Camunda
Camunda -- "callback" --> Flows
EAV -- "schemas" --> Django
MsgHub -- "deliver email/push" --> Subs
%% ===== AuthN / AuthZ =====
Django -. "OIDC validate" .-> Keycloak
CI -. "OIDC login" .-> Keycloak
PM -. "JWT" .-> Keycloak
Camunda -. "JWT" .-> Zitadel
Operate -. "OIDC" .-> Zitadel
Dashboard -. "OIDC" .-> Keycloak
BIM -. "JWT" .-> Keycloak
CDE -. "JWT" .-> Keycloak
Docs -. "JWT" .-> Keycloak
%% ===== Service mesh sidecar metrics =====
CI -. "envoy" .-> Pilot
Django -. "envoy" .-> Pilot
Camunda -. "envoy" .-> Pilot
BIM -. "envoy" .-> Pilot
Flows -. "envoy" .-> Pilot
%% ===== Стили =====
classDef ext fill:#1f2937,stroke:#9ca3af,stroke-width:2px,color:#f9fafb
classDef flux fill:#6366f1,stroke:#3730a3,stroke-width:2px,color:#fff
classDef mesh fill:#7c3aed,stroke:#4c1d95,stroke-width:2px,color:#fff
classDef platform fill:#0ea5e9,stroke:#075985,stroke-width:2px,color:#fff
classDef identity fill:#f59e0b,stroke:#92400e,stroke-width:2px,color:#fff
classDef data fill:#10b981,stroke:#065f46,stroke-width:2px,color:#fff
classDef msg fill:#ef4444,stroke:#991b1b,stroke-width:2px,color:#fff
classDef app fill:#ec4899,stroke:#9d174d,stroke-width:2px,color:#fff
style GITOPS fill:#e0e7ff,stroke:#6366f1,stroke-width:2px
style EDGE fill:#ede9fe,stroke:#7c3aed,stroke-width:2px
style PLATFORM fill:#e0f2fe,stroke:#0ea5e9,stroke-width:2px
style IDENTITY fill:#fef3c7,stroke:#f59e0b,stroke-width:2px
style DATA fill:#d1fae5,stroke:#10b981,stroke-width:2px
style MSG fill:#fee2e2,stroke:#ef4444,stroke-width:2px
style BPM fill:#fce7f3,stroke:#ec4899,stroke-width:2px
style APPS fill:#fce7f3,stroke:#ec4899,stroke-width:2px
```
📂 **Подробные диаграммы по каждому бизнес-сервису:** [`docs/apps/`](./docs/apps/README.md)
**Легенда:**
- 🟪 **Edge / Mesh** — терминация TLS, маршрутизация и mTLS между сервисами (Istio + cert-manager)
- 🟦 **Платформа** — служебные компоненты (storage, secrets, S3 proxy, dashboard)
- 🟧 **Identity** — единый вход и федерация пользователей (Zitadel, Keycloak, OpenLDAP)
- 🟩 **Данные** — постоянные хранилища (PostgreSQL, Redis, MinIO)
- 🟥 **Messaging** — асинхронный обмен (Kafka, RabbitMQ)
- 🟪 **Бизнес-сервисы** — прикладная логика (Camunda, бизнес-приложения)
## Структура репозитория ## Структура репозитория
``` ```

204
apps/ams-sync/base/helmrelease.yaml
View File

@ -1,204 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: ams-sync
namespace: ams-sync
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/ams-sync:ugok
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: ams-sync
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8000
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: ams-sync
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
labels:
monitoring: prometheus
envs:
- name: AMS_SYNC_TOPIC
value:
_default: "ams-sync"
- name: ENVIRONMENT
value:
_default: "PRODUCTION"
- name: HOST_ORGANIZATION_ID
value:
_default: "368536846176636704"
- name: ALERT_ENABLED
value:
_default: "False"
- name: USER_SERVER_HOST
value:
_default: "https://sarex.ugok.lan"
- name: AUTH_HOST
value:
_default: "https://sarex.ugok.lan"
- name: VERIFY_USERS
value:
_default: "True"
- name: KAFKA_SECURITY_PROTOCOL
value:
_default: "SSL"
- name: KAFKA_SASL_MECHANISM
value:
_default: "SCRAM-SHA-512"
secretEnvs:
- name: TELEGRAM_TOKEN
secretName:
_default: "telegram-secret"
secretKey: "telegram-token"
- name: TELEGRAM_GROUP_ID
secretName:
_default: "telegram-secret"
secretKey: "telegram-group-id"
- name: ZITADEL_HOST
secretName:
_default: "zitadel-token-secret"
secretKey: "zitadel-host"
- name: ZITADEL_SERVICE_ACCESS_TOKEN
secretName:
_default: "zitadel-token-secret"
secretKey: "zitadel-access-token"
- name: KAFKA_BOOTSTRAP_SERVERS
secretName:
_default: "ams-kafka-secret"
secretKey: "kafka-bootstrap-servers"
- name: KAFKA_SASL_PLAIN_USERNAME
secretName:
_default: "ams-kafka-secret"
secretKey: "kafka-username"
- name: KAFKA_SASL_PLAIN_PASSWORD
secretName:
_default: "ams-kafka-secret"
secretKey: "kafka-password"
- name: KAFKA_SSL_CAFILE
secretName:
_default: "ams-kafka-secret"
secretKey: "kafka-ca-file"
- name: AUTH_ADMIN_USERNAME
secretName:
_default: "auth-secret"
secretKey: "admin-username"
- name: AUTH_ADMIN_PASSWORD
secretName:
_default: "auth-secret"
secretKey: "admin-password"
- name: USER_DB_NAME
secretName:
_default: "user-db-secret"
secretKey: "user-db-name"
- name: USER_DB_USER
secretName:
_default: "user-db-secret"
secretKey: "user-db-user"
- name: USER_DB_PASSWORD
secretName:
_default: "user-db-secret"
secretKey: "user-db-password"
- name: USER_DB_HOST
secretName:
_default: "user-db-secret"
secretKey: "user-db-host"
- name: USER_DB_PORT
secretName:
_default: "user-db-secret"
secretKey: "user-db-port"
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/ams-sync/base/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: ams-sync
resources:
- helmrelease.yaml

220
apps/ams-sync/brusnika-stage/backend.yaml
View File

@ -1,220 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: ams-sync
namespace: ams-sync
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/ams-sync:ugok
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: ams-sync
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8000
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: ams-sync
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
volumes:
_default:
- name: kafka-cert
mountPath:
_default: /etc/ca-certificates/Yandex/YandexInternalRootCA.crt
subPath:
_default: YandexInternalRootCA.crt
readOnly:
_default: true
configMap:
name:
_default: kafka-cert
items:
- key: YandexInternalRootCA.crt
path:
_default: YandexInternalRootCA.crt
labels:
monitoring: prometheus
envs:
- name: AMS_SYNC_TOPIC
value:
_default: "ams-sync"
- name: ENVIRONMENT
value:
_default: "PRODUCTION"
- name: HOST_ORGANIZATION_ID
value:
_default: "368536846176636704"
- name: ALERT_ENABLED
value:
_default: "False"
- name: USER_SERVER_HOST
value:
_default: "https://sarex.ugok.lan"
- name: AUTH_HOST
value:
_default: "https://sarex.ugok.lan"
- name: VERIFY_USERS
value:
_default: "True"
- name: KAFKA_SECURITY_PROTOCOL
value:
_default: "SSL"
- name: KAFKA_SASL_MECHANISM
value:
_default: "SCRAM-SHA-512"
secretEnvs:
- name: TELEGRAM_TOKEN
secretName:
_default: "telegram-secret"
secretKey: "telegram-token"
- name: TELEGRAM_GROUP_ID
secretName:
_default: "telegram-secret"
secretKey: "telegram-group-id"
- name: ZITADEL_HOST
secretName:
_default: "zitadel-token-secret"
secretKey: "zitadel-host"
- name: ZITADEL_SERVICE_ACCESS_TOKEN
secretName:
_default: "zitadel-token-secret"
secretKey: "zitadel-access-token"
- name: KAFKA_BOOTSTRAP_SERVERS
secretName:
_default: "ams-kafka-secret"
secretKey: "kafka-bootstrap-servers"
- name: KAFKA_SASL_PLAIN_USERNAME
secretName:
_default: "ams-kafka-secret"
secretKey: "kafka-username"
- name: KAFKA_SASL_PLAIN_PASSWORD
secretName:
_default: "ams-kafka-secret"
secretKey: "kafka-password"
- name: KAFKA_SSL_CAFILE
secretName:
_default: "ams-kafka-secret"
secretKey: "kafka-ca-file"
- name: AUTH_ADMIN_USERNAME
secretName:
_default: "auth-secret"
secretKey: "admin-username"
- name: AUTH_ADMIN_PASSWORD
secretName:
_default: "auth-secret"
secretKey: "admin-password"
- name: USER_DB_NAME
secretName:
_default: "user-db-secret"
secretKey: "user-db-name"
- name: USER_DB_USER
secretName:
_default: "user-db-secret"
secretKey: "user-db-user"
- name: USER_DB_PASSWORD
secretName:
_default: "user-db-secret"
secretKey: "user-db-password"
- name: USER_DB_HOST
secretName:
_default: "user-db-secret"
secretKey: "user-db-host"
- name: USER_DB_PORT
secretName:
_default: "user-db-secret"
secretKey: "user-db-port"
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/ams-sync/brusnika-stage/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: ams-sync
resources:
- backend.yaml

70
apps/attachments/base/deployment.yaml Normal file
View File

@ -0,0 +1,70 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: attachments
namespace: attachments
labels:
app: attachments
spec:
replicas: 1
selector:
matchLabels:
app: attachments
template:
metadata:
labels:
app: attachments
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: attachments
vault.hashicorp.com/agent-inject-secret-attachments-db: secrets/data/postgresql/apps/attachments
vault.hashicorp.com/agent-inject-template-attachments-db: |-
{{- with secret "secrets/data/postgresql/apps/attachments" -}}
DATABASE_HOST=postgresql.attachments.svc.cluster.local
DATABASE_PORT=5432
DATABASE_NAME=attachments_db
DATABASE_USER={{ index .Data.data "username" }}
DATABASE_PASSWORD={{ index .Data.data "password" }}
DATABASE_SSL_MODE=disable
{{- end -}}
vault.hashicorp.com/agent-inject-secret-attachments-s3: secrets/data/minio/apps/attachments
vault.hashicorp.com/agent-inject-template-attachments-s3: |-
{{- with secret "secrets/data/minio/apps/attachments" -}}
YANDEX_S3_ENDPOINT_URL=minio.minio:9000
YANDEX_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
YANDEX_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
YANDEX_S3_USE_SSL=false
YANDEX_S3_REGION=ru-central
YANDEX_S3_VERIFY=false
BUCKET_NAME=attachments
{{- end -}}
spec:
serviceAccountName: attachments-vault
containers:
- name: attachments
image: cr.yandex/crp3ccidau046kdj8g9q/attachments:feature_6238c882
imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/attachments-db ] && . /vault/secrets/attachments-db
[ -f /vault/secrets/attachments-s3 ] && . /vault/secrets/attachments-s3
set +a
exec /opt/attachments/entrypoint.sh
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: POSTGRES_POOL_SIZE
value: "10"
- name: API_ADDRESS
value: 0.0.0.0:8000
imagePullSecrets:
- name: regcred

110
apps/attachments/base/helmrelease.yaml
View File

@ -1,110 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: attachments
namespace: attachments
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.9"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
attachments:
enabled: true
serviceAccount:
enabled:
_default: true
name:
_default: attachments-vault
deployment:
enabled: true
name:
_default: attachments
replicaCount:
_default: 1
port:
_default: 8000
command:
_default: ["/bin/bash", "-ec"]
args:
_default:
- |
set -a
[ -f /vault/secrets/attachments-db ] && . /vault/secrets/attachments-db
[ -f /vault/secrets/attachments-s3 ] && . /vault/secrets/attachments-s3
set +a
exec /opt/attachments/entrypoint.sh
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/attachments:feature_6238c882
pullPolicy:
_default: IfNotPresent
service:
enabled: true
name:
_default: attachments-service
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
envs:
- name: POSTGRES_POOL_SIZE
value:
_default: "10"
- name: API_ADDRESS
value:
_default: 0.0.0.0:8000
podAnnotations:
_default:
traffic.sidecar.istio.io/excludeOutboundPorts: "4317,4318,9411,8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: attachments
vault.hashicorp.com/agent-inject-secret-attachments-db: secrets/data/postgresql/apps/attachments
vault.hashicorp.com/agent-inject-template-attachments-db: |-
{{- with secret "secrets/data/postgresql/apps/attachments" -}}
DATABASE_HOST=postgresql.attachments.svc.cluster.local
DATABASE_PORT=5432
DATABASE_NAME=attachments_db
DATABASE_USER={{ index .Data.data "username" }}
DATABASE_PASSWORD={{ index .Data.data "password" }}
DATABASE_SSL_MODE=disable
{{- end -}}
vault.hashicorp.com/agent-inject-secret-attachments-s3: secrets/data/minio/apps/attachments
vault.hashicorp.com/agent-inject-template-attachments-s3: |-
{{- with secret "secrets/data/minio/apps/attachments" -}}
YANDEX_S3_ENDPOINT_URL=minio.minio:9000
YANDEX_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
YANDEX_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
YANDEX_S3_USE_SSL=false
YANDEX_S3_REGION=ru-central
YANDEX_S3_VERIFY=false
BUCKET_NAME=attachments
{{- end -}}

5
apps/attachments/base/kustomization.yaml
View File

@ -3,4 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: attachments namespace: attachments
resources: resources:
- helmrelease.yaml - namespace.yaml
- serviceaccount.yaml
- deployment.yaml
- service.yaml

2
apps/transmittal/base/namespace.yaml → apps/attachments/base/namespace.yaml
View File

@ -2,6 +2,6 @@
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: transmittal name: attachments
labels: labels:
istio-injection: enabled istio-injection: enabled

9
apps/transmittal/base/backend-service.yaml → apps/attachments/base/service.yaml
View File

@ -2,14 +2,13 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: backend-svc name: attachments-service
namespace: transmittal namespace: attachments
spec: spec:
type: ClusterIP type: ClusterIP
selector: selector:
app: backend app: attachments
ports: ports:
- name: http - port: 8000
port: 80
targetPort: 8000 targetPort: 8000
protocol: TCP protocol: TCP

5
apps/attachments/base/serviceaccount.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: attachments-vault
namespace: attachments

142
apps/attachments/brusnika-prod/backend.yaml
View File

@ -1,142 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: attachments
namespace: attachments
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/attachments:production_6dbb4dce
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: attachments
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8000
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: attachments-service
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
labels:
monitoring: prometheus
envs:
- name: POSTGRES_POOL_SIZE
value:
_default: "10"
- name: API_ADDRESS
value:
_default: "0.0.0.0:8000"
- name: YANDEX_S3_ACCOUNT_PATH
value:
_default: "/etc/sarex/yc-s3-storage/yc-s3-service-account.json"
- name: BUCKET_NAME
value:
_default: "attachments-storage"
- name: DATABASE_SSL_MODE
value:
_default: "disable"
- name: YANDEX_S3_VERIFY
value:
_default: "false"
secretEnvs:
- name: DATABASE_HOST
secretName:
_default: "postgres-secret"
secretKey: "host"
- name: DATABASE_PORT
secretName:
_default: "postgres-secret"
secretKey: "port"
- name: DATABASE_NAME
secretName:
_default: "postgres-secret"
secretKey: "database"
- name: DATABASE_USER
secretName:
_default: "postgres-secret"
secretKey: "username"
- name: DATABASE_PASSWORD
secretName:
_default: "postgres-secret"
secretKey: "password"
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/attachments/brusnika-prod/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: attachments
resources:
- backend.yaml

142
apps/attachments/brusnika-stage/backend.yaml
View File

@ -1,142 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: attachments
namespace: attachments
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/attachments:production_6dbb4dce
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: attachments
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8000
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: attachments-service
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
labels:
monitoring: prometheus
envs:
- name: POSTGRES_POOL_SIZE
value:
_default: "10"
- name: API_ADDRESS
value:
_default: "0.0.0.0:8000"
- name: YANDEX_S3_ACCOUNT_PATH
value:
_default: "/etc/sarex/yc-s3-storage/yc-s3-service-account.json"
- name: BUCKET_NAME
value:
_default: "attachments-storage"
- name: DATABASE_SSL_MODE
value:
_default: "disable"
- name: YANDEX_S3_VERIFY
value:
_default: "false"
secretEnvs:
- name: DATABASE_HOST
secretName:
_default: "postgres-secret"
secretKey: "host"
- name: DATABASE_PORT
secretName:
_default: "postgres-secret"
secretKey: "port"
- name: DATABASE_NAME
secretName:
_default: "postgres-secret"
secretKey: "database"
- name: DATABASE_USER
secretName:
_default: "postgres-secret"
secretKey: "username"
- name: DATABASE_PASSWORD
secretName:
_default: "postgres-secret"
secretKey: "password"
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/attachments/brusnika-stage/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: attachments
resources:
- backend.yaml

10
apps/attachments/yc-k8s-test/kustomization.yaml
View File

@ -4,8 +4,8 @@ kind: Kustomization
resources: resources:
- ../base - ../base
- postgresql.yaml - postgresql.yaml
patches: [] patches:
# - path: replicas.yaml - path: replicas.yaml
# target: target:
# kind: HelmRelease kind: Deployment
# name: attachments name: attachments

4
apps/attachments/yc-k8s-test/postgresql.yaml
View File

@ -89,10 +89,6 @@ spec:
timeoutSeconds: 5 timeoutSeconds: 5
successThreshold: 1 successThreshold: 1
failureThreshold: 6 failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
nodeSelector: nodeSelector:
dedicated: db dedicated: db
tolerations: tolerations:

11
apps/attachments/yc-k8s-test/replicas.yaml
View File

@ -1,13 +1,8 @@
--- ---
apiVersion: helm.toolkit.fluxcd.io/v2 apiVersion: apps/v1
kind: HelmRelease kind: Deployment
metadata: metadata:
name: attachments name: attachments
namespace: attachments namespace: attachments
spec: spec:
values: replicas: 1
services:
attachments:
deployment:
replicaCount:
_default: 2

33
apps/auth-flow/base/deployment.yaml
View File

@ -1,33 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend
namespace: auth-flow
labels:
app: frontend
spec:
replicas: 1
selector:
matchLabels:
app: frontend
template:
metadata:
labels:
app: frontend
version: stable
spec:
containers:
- name: frontend
image: cr.yandex/crp3ccidau046kdj8g9q/auth-flow-frontend:production_48bec2ff
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
resources:
requests:
cpu: 25m
memory: 100Mi
imagePullSecrets:
- name: regcred

8
apps/auth-flow/base/kustomization.yaml
View File

@ -1,8 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: auth-flow
resources:
- namespace.yaml
- deployment.yaml
- service.yaml

7
apps/auth-flow/base/namespace.yaml
View File

@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: auth-flow
labels:
istio-injection: enabled

15
apps/auth-flow/base/service.yaml
View File

@ -1,15 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: frontend-svc
namespace: reviews
spec:
type: ClusterIP
selector:
app: frontend
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP

92
apps/auth-flow/brusnika-prod/helmrelease.yaml
View File

@ -1,92 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: frontend
namespace: auth-flow
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
frontend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/auth-flow-frontend:production_48bec2ff
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: frontend
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 80
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: frontend-service
type:
_default: ClusterIP
port:
_default: 80
targetPort:
_default: 80
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/auth-flow/brusnika-prod/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: auth-flow
resources:
- helmrelease.yaml

92
apps/auth-flow/brusnika-stage/helmrelease.yaml
View File

@ -1,92 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: frontend
namespace: auth-flow
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
frontend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/auth-flow-frontend:production_48bec2ff
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: frontend
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 80
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: frontend-service
type:
_default: ClusterIP
port:
_default: 80
targetPort:
_default: 80
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/auth-flow/brusnika-stage/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: auth-flow
resources:
- helmrelease.yaml

10
apps/auth-flow/yc-k8s-test/kustomization.yaml
View File

@ -1,10 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
patches: []
# - path: replicas.yaml
# target:
# kind: Deployment
# name: frontend

8
apps/auth-flow/yc-k8s-test/replicas.yaml
View File

@ -1,8 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend
namespace: reviews
spec:
replicas: 1

6
apps/bim/base/backend-deployment.yaml
View File

@ -50,7 +50,7 @@ spec:
serviceAccountName: bim-vault serviceAccountName: bim-vault
containers: containers:
- name: backend - name: backend
image: cr.yandex/crp3ccidau046kdj8g9q/bim-api:contour_3d704fef image: cr.yandex/crp3ccidau046kdj8g9q/bim-backend-v2:donstroi1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"] command: ["/bin/sh", "-ec"]
args: args:
@ -58,7 +58,7 @@ spec:
set -a set -a
[ -f /vault/secrets/bim-postgresql ] && . /vault/secrets/bim-postgresql [ -f /vault/secrets/bim-postgresql ] && . /vault/secrets/bim-postgresql
set +a set +a
exec ./httpserver exec ./entrypoint.sh
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@ -88,7 +88,7 @@ spec:
value: "0" value: "0"
resources: resources:
requests: requests:
cpu: 25m cpu: 100m
memory: 100Mi memory: 100Mi
livenessProbe: livenessProbe:
httpGet: httpGet:

4
apps/bim/base/backend-service.yaml
View File

@ -2,7 +2,7 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: backend-svc name: backend-service
namespace: bim namespace: bim
spec: spec:
type: ClusterIP type: ClusterIP
@ -10,6 +10,6 @@ spec:
app: backend app: backend
ports: ports:
- name: http - name: http
port: 80 port: 8000
targetPort: 8000 targetPort: 8000
protocol: TCP protocol: TCP

229
apps/bim/brusnika-prod/backend.yaml
View File

@ -1,229 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: backend
namespace: bim
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/bim-backend-v2:prod_b0bd750b
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: backend
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8000
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: backend-service
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
labels:
monitoring: prometheus
envs:
- name: LAST_MASTER_BIM
value:
_default: "100000"
- name: LAST_SLAVE_1_BIM
value:
_default: "100000"
- name: LAST_MASTER_BIM_V3
value:
_default: "100000"
- name: LAST_SLAVE_1_BIM_V3
value:
_default: "100000"
- name: DB_CERT_PATH_3
value:
_default: "/root/yandex_pg.pem"
- name: DB_CERT_PATH_4
value:
_default: "/root/yandex_pg.pem"
- name: POSTGRES_ADDRESS_3
value:
_default: "postgres-service"
- name: POSTGRES_ADDRESS_4
value:
_default: "postgres-service"
- name: POSTGRES_PORT_3
value:
_default: "5432"
- name: POSTGRES_PORT_4
value:
_default: "5432"
- name: POSTGRES_DB_3
value:
_default: "bimapidb"
- name: POSTGRES_DB_4
value:
_default: "bimapidb"
- name: DB_CERT_PATH_2
value:
_default: "/root/yandex_pg.pem"
- name: POSTGRES_ADDRESS_2
value:
_default: "postgres-service"
- name: POSTGRES_PORT_2
value:
_default: "5432"
- name: POSTGRES_DB_2
value:
_default: "bimapidb"
- name: POSTGRES_ADDRESS
value:
_default: "postgres-service"
- name: POSTGRES_PORT
value:
_default: "5432"
- name: POSTGRES_DB
value:
_default: "bimapidb"
- name: POSTGRES_POOL_SIZE
value:
_default: "30"
- name: API_ADDRESS
value:
_default: "0.0.0.0:8000"
- name: DJANGO_HOST
value:
_default: "http://backend.django.svc.cluster.local:8000"
- name: ENABLE_SQL_QUERY
value:
_default: "0"
- name: ENABLE_SSL
value:
_default: "0"
secretEnvs:
- name: POSTGRES_USER
secretName:
_default: "postgres-secret"
secretKey: "username"
- name: POSTGRES_PASSWORD
secretName:
_default: "postgres-secret"
secretKey: "password"
- name: POSTGRES_USER_4
secretName:
_default: "postgres-secret"
secretKey: "username"
- name: POSTGRES_PASSWORD_4
secretName:
_default: "postgres-secret"
secretKey: "password"
- name: POSTGRES_USER_2
secretName:
_default: "postgres-secret"
secretKey: "username"
- name: POSTGRES_PASSWORD_2
secretName:
_default: "postgres-secret"
secretKey: "password"
- name: POSTGRES_USER_3
secretName:
_default: "postgres-secret"
secretKey: "username"
- name: POSTGRES_PASSWORD_3
secretName:
_default: "postgres-secret"
secretKey: "password"
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/bim/brusnika-prod/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: bim
resources:
- backend.yaml

229
apps/bim/brusnika-stage/backend.yaml
View File

@ -1,229 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: backend
namespace: bim
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/bim-backend-v2:prod_b0bd750b
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: backend
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8000
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: backend-service
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
labels:
monitoring: prometheus
envs:
- name: LAST_MASTER_BIM
value:
_default: "100000"
- name: LAST_SLAVE_1_BIM
value:
_default: "100000"
- name: LAST_MASTER_BIM_V3
value:
_default: "100000"
- name: LAST_SLAVE_1_BIM_V3
value:
_default: "100000"
- name: DB_CERT_PATH_3
value:
_default: "/root/yandex_pg.pem"
- name: DB_CERT_PATH_4
value:
_default: "/root/yandex_pg.pem"
- name: POSTGRES_ADDRESS_3
value:
_default: "postgres-service"
- name: POSTGRES_ADDRESS_4
value:
_default: "postgres-service"
- name: POSTGRES_PORT_3
value:
_default: "5432"
- name: POSTGRES_PORT_4
value:
_default: "5432"
- name: POSTGRES_DB_3
value:
_default: "bimapidb"
- name: POSTGRES_DB_4
value:
_default: "bimapidb"
- name: DB_CERT_PATH_2
value:
_default: "/root/yandex_pg.pem"
- name: POSTGRES_ADDRESS_2
value:
_default: "postgres-service"
- name: POSTGRES_PORT_2
value:
_default: "5432"
- name: POSTGRES_DB_2
value:
_default: "bimapidb"
- name: POSTGRES_ADDRESS
value:
_default: "postgres-service"
- name: POSTGRES_PORT
value:
_default: "5432"
- name: POSTGRES_DB
value:
_default: "bimapidb"
- name: POSTGRES_POOL_SIZE
value:
_default: "30"
- name: API_ADDRESS
value:
_default: "0.0.0.0:8000"
- name: DJANGO_HOST
value:
_default: "http://backend.django.svc.cluster.local:8000"
- name: ENABLE_SQL_QUERY
value:
_default: "0"
- name: ENABLE_SSL
value:
_default: "0"
secretEnvs:
- name: POSTGRES_USER
secretName:
_default: "postgres-secret"
secretKey: "username"
- name: POSTGRES_PASSWORD
secretName:
_default: "postgres-secret"
secretKey: "password"
- name: POSTGRES_USER_4
secretName:
_default: "postgres-secret"
secretKey: "username"
- name: POSTGRES_PASSWORD_4
secretName:
_default: "postgres-secret"
secretKey: "password"
- name: POSTGRES_USER_2
secretName:
_default: "postgres-secret"
secretKey: "username"
- name: POSTGRES_PASSWORD_2
secretName:
_default: "postgres-secret"
secretKey: "password"
- name: POSTGRES_USER_3
secretName:
_default: "postgres-secret"
secretKey: "username"
- name: POSTGRES_PASSWORD_3
secretName:
_default: "postgres-secret"
secretKey: "password"
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/bim/brusnika-stage/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: bim
resources:
- backend.yaml

3
apps/bim/yc-k8s-test/postgresql.yaml
View File

@ -92,8 +92,7 @@ spec:
failureThreshold: 6 failureThreshold: 6
resources: resources:
requests: requests:
cpu: 50m memory: 512Mi
memory: 128Mi
nodeSelector: nodeSelector:
dedicated: db dedicated: db
tolerations: tolerations:

32
apps/cde/base/cde-flowscallback.yaml
View File

@ -17,34 +17,11 @@ spec:
labels: labels:
app: cde-flowscallback app: cde-flowscallback
service: cde-flowscallback service: cde-flowscallback
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: cde
vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
vault.hashicorp.com/agent-inject-template-cde-env: |-
{{- with secret "secrets/data/vault/apps/cde" -}}
{{- range $k, $v := .Data.data }}
export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
{{- end }}
{{- end -}}
spec: spec:
serviceAccountName: cde-vault
containers: containers:
- name: cde-flowscallback - name: cde-flowscallback
image: cr.yandex/crp3ccidau046kdj8g9q/flowscallback-worker:prod_9f3c1d2a image: cr.yandex/crp3ccidau046kdj8g9q/flowscallback-worker:prod_3.1.2
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -lc
args:
- |
set -e
source /vault/secrets/cde-env
exec /worker
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@ -52,9 +29,12 @@ spec:
env: env:
- name: S3_IS_CONTOUR - name: S3_IS_CONTOUR
value: "true" value: "true"
envFrom:
- secretRef:
name: cde-secret
resources: resources:
requests: requests:
cpu: "25m" cpu: "1"
memory: 128Mi memory: 1Gi
imagePullSecrets: imagePullSecrets:
- name: regcred - name: regcred

32
apps/cde/base/cde-splitpdf.yaml
View File

@ -17,34 +17,11 @@ spec:
labels: labels:
app: cde-splitpdf app: cde-splitpdf
service: cde-splitpdf service: cde-splitpdf
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: cde
vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
vault.hashicorp.com/agent-inject-template-cde-env: |-
{{- with secret "secrets/data/vault/apps/cde" -}}
{{- range $k, $v := .Data.data }}
export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
{{- end }}
{{- end -}}
spec: spec:
serviceAccountName: cde-vault
containers: containers:
- name: cde-splitpdf - name: cde-splitpdf
image: cr.yandex/crp3ccidau046kdj8g9q/splitpdf-worker:prod_9f3c1d2a image: cr.yandex/crp3ccidau046kdj8g9q/splitpdf-worker:prod_3.1.2
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -lc
args:
- |
set -e
source /vault/secrets/cde-env
exec /worker
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@ -52,9 +29,12 @@ spec:
env: env:
- name: S3_IS_CONTOUR - name: S3_IS_CONTOUR
value: "true" value: "true"
envFrom:
- secretRef:
name: cde-secret
resources: resources:
requests: requests:
cpu: "25m" cpu: "1"
memory: 128Mi memory: 1Gi
imagePullSecrets: imagePullSecrets:
- name: regcred - name: regcred

32
apps/cde/base/cde-worker-copy.yaml
View File

@ -17,34 +17,11 @@ spec:
labels: labels:
app: cde-worker-copy app: cde-worker-copy
service: cde-worker-copy service: cde-worker-copy
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: cde
vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
vault.hashicorp.com/agent-inject-template-cde-env: |-
{{- with secret "secrets/data/vault/apps/cde" -}}
{{- range $k, $v := .Data.data }}
export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
{{- end }}
{{- end -}}
spec: spec:
serviceAccountName: cde-vault
containers: containers:
- name: cde-worker-copy - name: cde-worker-copy
image: cr.yandex/crp3ccidau046kdj8g9q/copy-worker:prod_9f3c1d2a image: cr.yandex/crp3ccidau046kdj8g9q/copy-worker:preprod_fd483601
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -lc
args:
- |
set -e
source /vault/secrets/cde-env
exec /worker
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@ -52,9 +29,12 @@ spec:
env: env:
- name: S3_IS_CONTOUR - name: S3_IS_CONTOUR
value: "true" value: "true"
envFrom:
- secretRef:
name: cde-secret
resources: resources:
requests: requests:
cpu: "25m" cpu: "1"
memory: 128Mi memory: 1Gi
imagePullSecrets: imagePullSecrets:
- name: regcred - name: regcred

32
apps/cde/base/cde-worker-create-versions.yaml
View File

@ -17,34 +17,11 @@ spec:
labels: labels:
app: cde-worker-create-versions app: cde-worker-create-versions
service: cde-worker-create-versions service: cde-worker-create-versions
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: cde
vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
vault.hashicorp.com/agent-inject-template-cde-env: |-
{{- with secret "secrets/data/vault/apps/cde" -}}
{{- range $k, $v := .Data.data }}
export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
{{- end }}
{{- end -}}
spec: spec:
serviceAccountName: cde-vault
containers: containers:
- name: cde-worker-create-versions - name: cde-worker-create-versions
image: cr.yandex/crp3ccidau046kdj8g9q/createversions-worker:prod_9f3c1d2a image: cr.yandex/crp3ccidau046kdj8g9q/createversions-worker:preprod_ec474ae7
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -lc
args:
- |
set -e
source /vault/secrets/cde-env
exec /worker
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@ -52,9 +29,12 @@ spec:
env: env:
- name: S3_IS_CONTOUR - name: S3_IS_CONTOUR
value: "true" value: "true"
envFrom:
- secretRef:
name: cde-secret
resources: resources:
requests: requests:
cpu: "25m" cpu: "1"
memory: 128Mi memory: 1Gi
imagePullSecrets: imagePullSecrets:
- name: regcred - name: regcred

32
apps/cde/base/cde-worker-markings.yaml
View File

@ -17,34 +17,11 @@ spec:
labels: labels:
app: cde-worker-markings app: cde-worker-markings
service: cde-worker-markings service: cde-worker-markings
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: cde
vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
vault.hashicorp.com/agent-inject-template-cde-env: |-
{{- with secret "secrets/data/vault/apps/cde" -}}
{{- range $k, $v := .Data.data }}
export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
{{- end }}
{{- end -}}
spec: spec:
serviceAccountName: cde-vault
containers: containers:
- name: cde-worker-markings - name: cde-worker-markings
image: cr.yandex/crp3ccidau046kdj8g9q/markings-worker:prod_9f3c1d2a image: cr.yandex/crp3ccidau046kdj8g9q/markings-worker:preprod_eb50f30e
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -lc
args:
- |
set -e
source /vault/secrets/cde-env
exec /worker
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@ -52,9 +29,12 @@ spec:
env: env:
- name: S3_IS_CONTOUR - name: S3_IS_CONTOUR
value: "true" value: "true"
envFrom:
- secretRef:
name: cde-secret
resources: resources:
requests: requests:
cpu: "25m" cpu: "1"
memory: 128Mi memory: 1Gi
imagePullSecrets: imagePullSecrets:
- name: regcred - name: regcred

32
apps/cde/base/cde-worker-sign.yaml
View File

@ -17,34 +17,11 @@ spec:
labels: labels:
app: cde-worker-sign app: cde-worker-sign
service: cde-worker-sign service: cde-worker-sign
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: cde
vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
vault.hashicorp.com/agent-inject-template-cde-env: |-
{{- with secret "secrets/data/vault/apps/cde" -}}
{{- range $k, $v := .Data.data }}
export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
{{- end }}
{{- end -}}
spec: spec:
serviceAccountName: cde-vault
containers: containers:
- name: cde-worker-sign - name: cde-worker-sign
image: cr.yandex/crp3ccidau046kdj8g9q/sign-worker:prod_9f3c1d2a image: cr.yandex/crp3ccidau046kdj8g9q/sign-worker:preprod_fd483601
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -lc
args:
- |
set -e
source /vault/secrets/cde-env
exec /worker
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@ -52,9 +29,12 @@ spec:
env: env:
- name: S3_IS_CONTOUR - name: S3_IS_CONTOUR
value: "true" value: "true"
envFrom:
- secretRef:
name: cde-secret
resources: resources:
requests: requests:
cpu: "25m" cpu: "1"
memory: 128Mi memory: 1Gi
imagePullSecrets: imagePullSecrets:
- name: regcred - name: regcred

32
apps/cde/base/cde-worker-update-bundles.yaml
View File

@ -17,34 +17,11 @@ spec:
labels: labels:
app: cde-worker-update-bundles app: cde-worker-update-bundles
service: cde-worker-update-bundles service: cde-worker-update-bundles
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: cde
vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
vault.hashicorp.com/agent-inject-template-cde-env: |-
{{- with secret "secrets/data/vault/apps/cde" -}}
{{- range $k, $v := .Data.data }}
export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
{{- end }}
{{- end -}}
spec: spec:
serviceAccountName: cde-vault
containers: containers:
- name: cde-worker-update-bundles - name: cde-worker-update-bundles
image: cr.yandex/crp3ccidau046kdj8g9q/updatebundles-worker:prod_9f3c1d2a image: cr.yandex/crp3ccidau046kdj8g9q/updatebundles-worker:prod_3.1.2
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -lc
args:
- |
set -e
source /vault/secrets/cde-env
exec /worker
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@ -52,9 +29,12 @@ spec:
env: env:
- name: S3_IS_CONTOUR - name: S3_IS_CONTOUR
value: "true" value: "true"
envFrom:
- secretRef:
name: cde-secret
resources: resources:
requests: requests:
cpu: "25m" cpu: "1"
memory: 128Mi memory: 1Gi
imagePullSecrets: imagePullSecrets:
- name: regcred - name: regcred

32
apps/cde/base/cde.yaml
View File

@ -17,34 +17,11 @@ spec:
labels: labels:
app: cde app: cde
service: cde service: cde
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: cde
vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
vault.hashicorp.com/agent-inject-template-cde-env: |-
{{- with secret "secrets/data/vault/apps/cde" -}}
{{- range $k, $v := .Data.data }}
export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
{{- end }}
{{- end -}}
spec: spec:
serviceAccountName: cde-vault
containers: containers:
- name: api - name: api
image: cr.yandex/crp3ccidau046kdj8g9q/cde:prod_9f3c1d2a image: cr.yandex/crp3ccidau046kdj8g9q/cde:preprod_ec474ae7
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -lc
args:
- |
set -e
source /vault/secrets/cde-env
exec /http
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@ -52,9 +29,12 @@ spec:
env: env:
- name: S3_IS_CONTOUR - name: S3_IS_CONTOUR
value: "true" value: "true"
envFrom:
- secretRef:
name: cde-secret
resources: resources:
requests: requests:
cpu: "25m" cpu: "1"
memory: 128Mi memory: 1Gi
imagePullSecrets: imagePullSecrets:
- name: regcred - name: regcred

1
apps/cde/base/kustomization.yaml
View File

@ -4,7 +4,6 @@ kind: Kustomization
namespace: cde namespace: cde
resources: resources:
- namespace.yaml - namespace.yaml
- serviceaccount.yaml
- cde.yaml - cde.yaml
- cde-splitpdf.yaml - cde-splitpdf.yaml
- backend-service.yaml - backend-service.yaml

5
apps/cde/base/serviceaccount.yaml
View File

@ -1,5 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: cde-vault
namespace: cde

612
apps/cde/brusnika-prod/helmrelease.yaml
View File

@ -1,612 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cde
namespace: orchestrator
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
cde:
enabled: true
deployment:
enabled: true
name:
_default: cde
replicaCount:
_default: 1
port:
_default: 8080
probes:
liveness:
enabled:
_default: true
type:
_default: tcpSocket
tcpSocket:
port:
_default: 8080
initialDelaySeconds:
_default: 15
periodSeconds:
_default: 10
readiness:
enabled:
_default: true
type:
_default: tcpSocket
tcpSocket:
port:
_default: 8080
initialDelaySeconds:
_default: 15
periodSeconds:
_default: 10
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/orchestrator:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: true
name:
_default: cde
type:
_default: ClusterIP
portName:
_default: http
port:
_default: 8080
targetPort:
_default: http
serviceAccount:
enabled:
_default: true
name:
_default: cde
automountServiceAccountToken:
_default: true
secretEnvs: &cde_secret_envs
- name: ENVIRONMENT
secretName:
_default: cde-secret
secretKey:
_default: ENVIRONMENT
- name: LOG_LEVEL
secretName:
_default: cde-secret
secretKey:
_default: LOG_LEVEL
- name: ZEEBE_GATEWAY
secretName:
_default: cde-secret
secretKey:
_default: ZEEBE_GATEWAY
- name: DATABASE_URL
secretName:
_default: cde-secret
secretKey:
_default: DATABASE_URL
- name: S3_ENDPOINT_URL
secretName:
_default: cde-secret
secretKey:
_default: S3_ENDPOINT_URL
- name: S3_ACCESS_KEY_ID
secretName:
_default: cde-secret
secretKey:
_default: S3_ACCESS_KEY_ID
- name: S3_SECRET_ACCESS_KEY
secretName:
_default: cde-secret
secretKey:
_default: S3_SECRET_ACCESS_KEY
- name: PUBLIC_KEY
secretName:
_default: cde-secret
secretKey:
_default: PUBLIC_KEY
- name: PDM_URL
secretName:
_default: cde-secret
secretKey:
_default: PDM_URL
- name: FLOWS_URL
secretName:
_default: cde-secret
secretKey:
_default: FLOWS_URL
- name: USERNAME
secretName:
_default: cde-secret
secretKey:
_default: USERNAME
- name: PASSWORD
secretName:
_default: cde-secret
secretKey:
_default: PASSWORD
- name: CAMUNDA_PROCESS_DEFINITION_ID
secretName:
_default: cde-secret
secretKey:
_default: CAMUNDA_PROCESS_DEFINITION_ID
- name: OPERATE_URL
secretName:
_default: cde-secret
secretKey:
_default: OPERATE_URL
- name: CAMUNDA_KEYCLOAK_URL
secretName:
_default: cde-secret
secretKey:
_default: CAMUNDA_KEYCLOAK_URL
- name: CAMUNDA_CLIENT_ID
secretName:
_default: cde-secret
secretKey:
_default: CAMUNDA_CLIENT_ID
- name: CAMUNDA_CLIENT_SECRET
secretName:
_default: cde-secret
secretKey:
_default: CAMUNDA_CLIENT_SECRET
- name: WORKFLOWS_HOST
secretName:
_default: cde-secret
secretKey:
_default: WORKFLOWS_HOST
- name: WORKSPACES_URL
secretName:
_default: cde-secret
secretKey:
_default: WORKSPACES_URL
- name: AUTH_HOST
secretName:
_default: cde-secret
secretKey:
_default: AUTH_HOST
- name: TELEGRAM_ALERT_GROUP_ID
secretName:
_default: cde-secret
secretKey:
_default: TELEGRAM_ALERT_GROUP_ID
- name: TELEGRAM_TOKEN
secretName:
_default: cde-secret
secretKey:
_default: TELEGRAM_TOKEN
- name: IS_CONTOUR
secretName:
_default: cde-secret
secretKey:
_default: IS_CONTOUR
- name: AMQP_HOST
secretName:
_default: cde-secret
secretKey:
_default: AMQP_HOST
- name: AMQP_PORT
secretName:
_default: cde-secret
secretKey:
_default: AMQP_PORT
- name: AMQP_USER
secretName:
_default: cde-secret
secretKey:
_default: AMQP_USER
- name: AMQP_PASSWORD
secretName:
_default: cde-secret
secretKey:
_default: AMQP_PASSWORD
- name: AMQP_PATH_API
secretName:
_default: cde-secret
secretKey:
_default: AMQP_PATH_API
cde-worker-copy:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-copy
replicaCount:
_default: 1
preprod: 2
production: 2
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/copy-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs
cde-worker-copyv2:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-copyv2
replicaCount:
_default: 1
preprod: 2
production: 2
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/copyv2-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs
cde-worker-markings:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-markings
replicaCount:
_default: 1
preprod: 2
production: 2
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/markings-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs
cde-worker-markingsv2:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-markingsv2
replicaCount:
_default: 1
preprod: 2
production: 2
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/markingsv2-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs
cde-worker-sign:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-sign
replicaCount:
_default: 1
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/sign-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
cde-worker-signv2:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-signv2
replicaCount:
_default: 1
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/signv2-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs
cde-flowscallback:
enabled: true
deployment:
enabled: true
name:
_default: cde-flowscallback
replicaCount:
_default: 1
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/flowscallback-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs
cde-splitpdf:
enabled: true
deployment:
enabled: true
name:
_default: cde-splitpdf
replicaCount:
_default: 1
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/splitpdf-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
cde-worker-update-bundles:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-update-bundles
replicaCount:
_default: 1
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/updatebundles-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: true
production: true
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
cde-worker-create-versions:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-create-versions
replicaCount:
_default: 1
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/createversions-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: true
production: true
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs
cde-worker-create-versionsv2:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-create-versionsv2
replicaCount:
_default: 1
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/createversionsv2-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: true
production: true
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs
cde-worker-alert:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-alert
replicaCount:
_default: 1
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/orchestrator:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs

6
apps/cde/brusnika-prod/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: contracts
resources:
- helmrelease.yaml

612
apps/cde/brusnika-stage/helmrelease.yaml
View File

@ -1,612 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cde
namespace: orchestrator
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
cde:
enabled: true
deployment:
enabled: true
name:
_default: cde
replicaCount:
_default: 1
port:
_default: 8080
probes:
liveness:
enabled:
_default: true
type:
_default: tcpSocket
tcpSocket:
port:
_default: 8080
initialDelaySeconds:
_default: 15
periodSeconds:
_default: 10
readiness:
enabled:
_default: true
type:
_default: tcpSocket
tcpSocket:
port:
_default: 8080
initialDelaySeconds:
_default: 15
periodSeconds:
_default: 10
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/orchestrator:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: true
name:
_default: cde
type:
_default: ClusterIP
portName:
_default: http
port:
_default: 8080
targetPort:
_default: http
serviceAccount:
enabled:
_default: true
name:
_default: cde
automountServiceAccountToken:
_default: true
secretEnvs: &cde_secret_envs
- name: ENVIRONMENT
secretName:
_default: cde-secret
secretKey:
_default: ENVIRONMENT
- name: LOG_LEVEL
secretName:
_default: cde-secret
secretKey:
_default: LOG_LEVEL
- name: ZEEBE_GATEWAY
secretName:
_default: cde-secret
secretKey:
_default: ZEEBE_GATEWAY
- name: DATABASE_URL
secretName:
_default: cde-secret
secretKey:
_default: DATABASE_URL
- name: S3_ENDPOINT_URL
secretName:
_default: cde-secret
secretKey:
_default: S3_ENDPOINT_URL
- name: S3_ACCESS_KEY_ID
secretName:
_default: cde-secret
secretKey:
_default: S3_ACCESS_KEY_ID
- name: S3_SECRET_ACCESS_KEY
secretName:
_default: cde-secret
secretKey:
_default: S3_SECRET_ACCESS_KEY
- name: PUBLIC_KEY
secretName:
_default: cde-secret
secretKey:
_default: PUBLIC_KEY
- name: PDM_URL
secretName:
_default: cde-secret
secretKey:
_default: PDM_URL
- name: FLOWS_URL
secretName:
_default: cde-secret
secretKey:
_default: FLOWS_URL
- name: USERNAME
secretName:
_default: cde-secret
secretKey:
_default: USERNAME
- name: PASSWORD
secretName:
_default: cde-secret
secretKey:
_default: PASSWORD
- name: CAMUNDA_PROCESS_DEFINITION_ID
secretName:
_default: cde-secret
secretKey:
_default: CAMUNDA_PROCESS_DEFINITION_ID
- name: OPERATE_URL
secretName:
_default: cde-secret
secretKey:
_default: OPERATE_URL
- name: CAMUNDA_KEYCLOAK_URL
secretName:
_default: cde-secret
secretKey:
_default: CAMUNDA_KEYCLOAK_URL
- name: CAMUNDA_CLIENT_ID
secretName:
_default: cde-secret
secretKey:
_default: CAMUNDA_CLIENT_ID
- name: CAMUNDA_CLIENT_SECRET
secretName:
_default: cde-secret
secretKey:
_default: CAMUNDA_CLIENT_SECRET
- name: WORKFLOWS_HOST
secretName:
_default: cde-secret
secretKey:
_default: WORKFLOWS_HOST
- name: WORKSPACES_URL
secretName:
_default: cde-secret
secretKey:
_default: WORKSPACES_URL
- name: AUTH_HOST
secretName:
_default: cde-secret
secretKey:
_default: AUTH_HOST
- name: TELEGRAM_ALERT_GROUP_ID
secretName:
_default: cde-secret
secretKey:
_default: TELEGRAM_ALERT_GROUP_ID
- name: TELEGRAM_TOKEN
secretName:
_default: cde-secret
secretKey:
_default: TELEGRAM_TOKEN
- name: IS_CONTOUR
secretName:
_default: cde-secret
secretKey:
_default: IS_CONTOUR
- name: AMQP_HOST
secretName:
_default: cde-secret
secretKey:
_default: AMQP_HOST
- name: AMQP_PORT
secretName:
_default: cde-secret
secretKey:
_default: AMQP_PORT
- name: AMQP_USER
secretName:
_default: cde-secret
secretKey:
_default: AMQP_USER
- name: AMQP_PASSWORD
secretName:
_default: cde-secret
secretKey:
_default: AMQP_PASSWORD
- name: AMQP_PATH_API
secretName:
_default: cde-secret
secretKey:
_default: AMQP_PATH_API
cde-worker-copy:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-copy
replicaCount:
_default: 1
preprod: 2
production: 2
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/copy-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs
cde-worker-copyv2:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-copyv2
replicaCount:
_default: 1
preprod: 2
production: 2
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/copyv2-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs
cde-worker-markings:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-markings
replicaCount:
_default: 1
preprod: 2
production: 2
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/markings-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs
cde-worker-markingsv2:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-markingsv2
replicaCount:
_default: 1
preprod: 2
production: 2
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/markingsv2-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs
cde-worker-sign:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-sign
replicaCount:
_default: 1
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/sign-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
cde-worker-signv2:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-signv2
replicaCount:
_default: 1
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/signv2-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs
cde-flowscallback:
enabled: true
deployment:
enabled: true
name:
_default: cde-flowscallback
replicaCount:
_default: 1
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/flowscallback-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs
cde-splitpdf:
enabled: true
deployment:
enabled: true
name:
_default: cde-splitpdf
replicaCount:
_default: 1
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/splitpdf-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
cde-worker-update-bundles:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-update-bundles
replicaCount:
_default: 1
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/updatebundles-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: true
production: true
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
cde-worker-create-versions:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-create-versions
replicaCount:
_default: 1
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/createversions-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: true
production: true
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs
cde-worker-create-versionsv2:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-create-versionsv2
replicaCount:
_default: 1
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/createversionsv2-worker:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: true
production: true
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs
cde-worker-alert:
enabled: true
deployment:
enabled: true
name:
_default: cde-worker-alert
replicaCount:
_default: 1
port:
_default: 8080
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/orchestrator:latest
pullPolicy:
_default: Always
imagePullSecrets:
enabled:
_default: false
stage: true
preprod: true
production: false
name:
_default: dockerhub
service:
enabled: false
serviceAccount:
enabled:
_default: false
name:
_default: cde
secretEnvs: *cde_secret_envs

6
apps/cde/brusnika-stage/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: contracts
resources:
- helmrelease.yaml

66
apps/checklists/base/backend-deployment.yaml
View File

@ -17,41 +17,11 @@ spec:
labels: labels:
app: checklists-backend app: checklists-backend
service: checklists-backend service: checklists-backend
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: checklists
vault.hashicorp.com/agent-inject-secret-checklists-db: secrets/data/postgresql/apps/checklists
vault.hashicorp.com/agent-inject-template-checklists-db: |-
{{- with secret "secrets/data/postgresql/apps/checklists" -}}
DATABASE_HOST=postgresql.checklists.svc.cluster.local
DATABASE_PORT=5432
DATABASE_NAME=checklists_db
DATABASE_USER={{ index .Data.data "username" }}
DATABASE_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-checklists-jwt-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-checklists-jwt-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec: spec:
serviceAccountName: checklists-vault
containers: containers:
- name: api - name: api
image: cr.yandex/crp3ccidau046kdj8g9q/checklists-backend:production_68f242cd image: cr.yandex/crp3ccidau046kdj8g9q/checklists-backend:production_68f242cd
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/checklists-db ] && . /vault/secrets/checklists-db
[ -f /vault/secrets/checklists-jwt-public ] && export JWT_AUTH_PUBLIC_KEY="$(cat /vault/secrets/checklists-jwt-public)"
set +a
exec ./entrypoint.sh
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@ -64,17 +34,47 @@ spec:
- name: HTTP_APP_ROOT_PATH - name: HTTP_APP_ROOT_PATH
value: /checklists value: /checklists
- name: HTTP_APP_WORKERS - name: HTTP_APP_WORKERS
value: "1" value: "8"
- name: HTTP_APP_ADMIN_ENABLE - name: HTTP_APP_ADMIN_ENABLE
value: "true" value: "true"
- name: JWT_AUTH_ENABLE - name: JWT_AUTH_ENABLE
value: "true" value: "true"
- name: DEBUG - name: DEBUG
value: "false" value: "false"
- name: DATABASE_USER
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: DATABASE_NAME
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: DATABASE_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: DATABASE_HOST
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: JWT_AUTH_PUBLIC_KEY
valueFrom:
secretKeyRef:
key: public-key
name: jwt-secret
resources: resources:
requests: requests:
cpu: "25m" cpu: "1"
memory: 128Mi memory: 1Gi
imagePullSecrets: imagePullSecrets:
- name: regcred - name: regcred

4
apps/checklists/base/backend-service.yaml
View File

@ -3,11 +3,11 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: rfi-backend-api-svc name: rfi-backend-api-svc
namespace: checklists namespace: rfi
spec: spec:
type: ClusterIP type: ClusterIP
selector: selector:
app: checklists-backend app: rfi-backend-api
ports: ports:
- name: http - name: http
port: 80 port: 80

1
apps/checklists/base/kustomization.yaml
View File

@ -4,6 +4,5 @@ kind: Kustomization
namespace: checklists namespace: checklists
resources: resources:
- namespace.yaml - namespace.yaml
- serviceaccount.yaml
- backend-deployment.yaml - backend-deployment.yaml
- backend-service.yaml - backend-service.yaml

5
apps/checklists/base/serviceaccount.yaml
View File

@ -1,5 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: checklists-vault
namespace: checklists

151
apps/checklists/brusnika-prod/backend.yaml
View File

@ -1,151 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: backend
namespace: checklist
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/checklists-backend:preprod_b1980fc6
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: backend
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8000
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: backend-service
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
labels:
monitoring: prometheus
envs:
- name: HTTP_APP_HOST
value:
_default: "0.0.0.0"
- name: HTTP_APP_PORT
value:
_default: "8000"
- name: HTTP_APP_ROOT_PATH
value:
_default: "/checklists"
- name: HTTP_APP_WORKERS
value:
_default: "8"
- name: HTTP_APP_ADMIN_ENABLE
value:
_default: "true"
- name: JWT_AUTH_ENABLE
value:
_default: "true"
- name: DEBUG
value:
_default: "false"
secretEnvs:
- name: DATABASE_HOST
secretName:
_default: "checklists-postgresql-secret"
secretKey: "hostname"
- name: DATABASE_PORT
secretName:
_default: "checklists-postgresql-secret"
secretKey: "port"
- name: DATABASE_NAME
secretName:
_default: "checklists-postgresql-secret"
secretKey: "database"
- name: DATABASE_USER
secretName:
_default: "checklists-postgresql-secret"
secretKey: "username"
- name: DATABASE_PASSWORD
secretName:
_default: "checklists-postgresql-secret"
secretKey: "password"
- name: JWT_AUTH_PUBLIC_KEY
secretName:
_default: "checklists-public-key"
secretKey: "key"
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/checklists/brusnika-prod/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: checklist
resources:
- backend.yaml

151
apps/checklists/brusnika-stage/backend.yaml
View File

@ -1,151 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: backend
namespace: checklist
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/checklists-backend:preprod_b1980fc6
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: backend
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8000
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: backend-service
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
labels:
monitoring: prometheus
envs:
- name: HTTP_APP_HOST
value:
_default: "0.0.0.0"
- name: HTTP_APP_PORT
value:
_default: "8000"
- name: HTTP_APP_ROOT_PATH
value:
_default: "/checklists"
- name: HTTP_APP_WORKERS
value:
_default: "8"
- name: HTTP_APP_ADMIN_ENABLE
value:
_default: "true"
- name: JWT_AUTH_ENABLE
value:
_default: "true"
- name: DEBUG
value:
_default: "false"
secretEnvs:
- name: DATABASE_HOST
secretName:
_default: "checklists-postgresql-secret"
secretKey: "hostname"
- name: DATABASE_PORT
secretName:
_default: "checklists-postgresql-secret"
secretKey: "port"
- name: DATABASE_NAME
secretName:
_default: "checklists-postgresql-secret"
secretKey: "database"
- name: DATABASE_USER
secretName:
_default: "checklists-postgresql-secret"
secretKey: "username"
- name: DATABASE_PASSWORD
secretName:
_default: "checklists-postgresql-secret"
secretKey: "password"
- name: JWT_AUTH_PUBLIC_KEY
secretName:
_default: "checklists-public-key"
secretKey: "key"
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/checklists/brusnika-stage/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: checklist
resources:
- backend.yaml

27
apps/checklists/yc-k8s-test/postgresql.yaml
View File

@ -9,7 +9,7 @@ spec:
chart: chart:
spec: spec:
chart: postgresql-contour chart: postgresql-contour
version: "17.0.7" version: "17.0.2"
sourceRef: sourceRef:
kind: HelmRepository kind: HelmRepository
name: yc-oci-charts name: yc-oci-charts
@ -44,7 +44,7 @@ spec:
image: image:
registry: cr.yandex/crp3ccidau046kdj8g9q registry: cr.yandex/crp3ccidau046kdj8g9q
repository: contour/postgresql repository: contour/postgresql
tag: 17.0.7 tag: 17.0.2
pullPolicy: Always pullPolicy: Always
metrics: metrics:
enabled: false enabled: false
@ -61,7 +61,7 @@ spec:
command: command:
- /bin/sh - /bin/sh
- -c - -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30 initialDelaySeconds: 30
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 5 timeoutSeconds: 5
@ -72,7 +72,7 @@ spec:
command: command:
- /bin/sh - /bin/sh
- -c - -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 5 timeoutSeconds: 5
@ -83,16 +83,12 @@ spec:
command: command:
- /bin/sh - /bin/sh
- -c - -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30 initialDelaySeconds: 30
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 5 timeoutSeconds: 5
successThreshold: 1 successThreshold: 1
failureThreshold: 6 failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
nodeSelector: nodeSelector:
dedicated: db dedicated: db
tolerations: tolerations:
@ -102,19 +98,12 @@ spec:
effect: NoSchedule effect: NoSchedule
contour: contour:
enabled: true enabled: true
adminUser: "postgres" adminUser: ""
sharedPreloadLibraries: "pg_stat_statements,uuid-ossp" adminPasswordSecretKey: ""
vault: sharedPreloadLibraries: "pg_stat_statements"
enabled: true
role: postgresql
authPath: auth/kubernetes
secretPath: secrets/data/postgresql/admin
secretKey: postgres-password
usersSecretPath: secrets/data/postgresql/users
databases: databases:
- name: checklists_db - name: checklists_db
user: checklists user: checklists
passwordKey: checklists
extensions: [] extensions: []
restoreFromDump: false restoreFromDump: false
s3-proxy: s3-proxy:

2
apps/comparisons/base/backend-deployment.yaml
View File

@ -111,7 +111,7 @@ spec:
value: /etc/app/tasks-execution-config.json value: /etc/app/tasks-execution-config.json
resources: resources:
requests: requests:
cpu: 25m cpu: 100m
memory: 100Mi memory: 100Mi
volumeMounts: volumeMounts:
- name: tasks-execution-config - name: tasks-execution-config

57
apps/comparisons/base/frontend-deployment.yaml
View File

@ -1,57 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend
namespace: comparisons
labels:
app: frontend
spec:
replicas: 1
selector:
matchLabels:
app: frontend
template:
metadata:
labels:
app: frontend
spec:
volumes:
- name: nginx-configmap
configMap:
name: nginx-configmap
items:
- key: nginx.conf
path: nginx.conf
containers:
- name: frontend
image: cr.yandex/crp3ccidau046kdj8g9q/comparisons-frontend:prod_6dc6e0c2
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
resources:
requests:
cpu: 25m
memory: 100Mi
volumeMounts:
- name: nginx-configmap
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
livenessProbe:
httpGet:
path: /ping
port: 80
initialDelaySeconds: 10
periodSeconds: 10
failureThreshold: 10
readinessProbe:
httpGet:
path: /ping
port: 80
initialDelaySeconds: 10
periodSeconds: 10
failureThreshold: 20
imagePullSecrets:
- name: regcred

112
apps/comparisons/base/frontend-helmrelease.yaml Normal file
View File

@ -0,0 +1,112 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: comparisons-frontend
namespace: comparisons
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
frontend:
enabled: true
deployment:
enabled: true
name:
_default: frontend
replicaCount:
_default: 1
port:
_default: 80
resources:
requests:
memory:
_default: 100Mi
cpu:
_default: 100m
probes:
liveness:
enabled:
_default: true
type:
_default: httpGet
httpGet:
path:
_default: /ping
port:
_default: 80
initialDelaySeconds:
_default: 10
periodSeconds:
_default: 10
failureThreshold:
_default: 10
readiness:
enabled:
_default: true
type:
_default: httpGet
httpGet:
path:
_default: /ping
port:
_default: 80
initialDelaySeconds:
_default: 10
periodSeconds:
_default: 10
failureThreshold:
_default: 20
volumes:
_default:
- name: nginx-configmap
mountPath:
_default: /etc/nginx/nginx.conf
subPath:
_default: nginx.conf
configMap:
name:
_default: nginx-configmap
items:
- key: nginx.conf
path:
_default: nginx.conf
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/comparisons-frontend:prod_6dc6e0c2
pullPolicy:
_default: IfNotPresent
service:
enabled: true
name:
_default: frontend-service
type:
_default: ClusterIP
port:
_default: 80
targetPort:
_default: 80
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred

15
apps/comparisons/base/frontend-service.yaml
View File

@ -1,15 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: frontend-service
namespace: comparisons
spec:
type: ClusterIP
selector:
app: frontend
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP

3
apps/comparisons/base/kustomization.yaml
View File

@ -7,7 +7,6 @@ resources:
- serviceaccount.yaml - serviceaccount.yaml
- backend-deployment.yaml - backend-deployment.yaml
- backend-service.yaml - backend-service.yaml
- frontend-deployment.yaml - frontend-helmrelease.yaml
- frontend-service.yaml
- nginx-configmap.yaml - nginx-configmap.yaml
- tasks-execution-config.yaml - tasks-execution-config.yaml

123
apps/comparisons/brusnika-prod/backend.yaml
View File

@ -1,123 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: drawings-api
namespace: drawings
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/drawings-api:015e68e1b2a3dcc13f0b405e1f761b154a825d24
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: drawings-api
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8000
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: drawings-api-service
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
labels:
monitoring: prometheus
envs:
- name: POSTGRES_ADDRESS
value:
_default: "postgres-service:5432"
- name: POSTGRES_DB
value:
_default: "drawings"
- name: POSTGRES_POOL_SIZE
value:
_default: "3"
- name: API_ADDRESS
value:
_default: "0.0.0.0:8080"
- name: ENABLE_SSL
value:
_default: "0"
secretEnvs:
- name: POSTGRES_USER
secretName:
_default: "postgres-secret"
secretKey: "username"
- name: POSTGRES_PASSWORD
secretName:
_default: "postgres-secret"
secretKey: "password"
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/comparisons/brusnika-prod/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: drawings
resources:
- backend.yaml

123
apps/comparisons/brusnika-stage/backend.yaml
View File

@ -1,123 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: drawings-api
namespace: drawings
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/drawings-api:015e68e1b2a3dcc13f0b405e1f761b154a825d24
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: drawings-api
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8000
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: drawings-api-service
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
labels:
monitoring: prometheus
envs:
- name: POSTGRES_ADDRESS
value:
_default: "192.168.2.45:5432"
- name: POSTGRES_DB
value:
_default: "drawings"
- name: POSTGRES_POOL_SIZE
value:
_default: "3"
- name: API_ADDRESS
value:
_default: "0.0.0.0:8080"
- name: ENABLE_SSL
value:
_default: "0"
secretEnvs:
- name: POSTGRES_USER
secretName:
_default: "postgres-secret"
secretKey: "username"
- name: POSTGRES_PASSWORD
secretName:
_default: "postgres-secret"
secretKey: "password"
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/comparisons/brusnika-stage/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: drawings
resources:
- backend.yaml

3
apps/comparisons/yc-k8s-test/postgresql.yaml
View File

@ -91,8 +91,7 @@ spec:
failureThreshold: 6 failureThreshold: 6
resources: resources:
requests: requests:
cpu: 50m memory: 512Mi
memory: 128Mi
nodeSelector: nodeSelector:
dedicated: db dedicated: db
tolerations: tolerations:

103
apps/contracts/brusnika-prod/helmrelease.yaml
View File

@ -1,103 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: backend
namespace: contracts
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/contracts:prod_d3bbd9fc
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: backend
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8080
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: backend-service
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
labels:
monitoring: prometheus
secretEnvs:
- name: DB_URL
secretName:
_default: "ya-pg-secret"
secretKey: "db_url"
- name: PUBLIC_KEY
secretName:
_default: "public-key"
secretKey: "key"
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/contracts/brusnika-prod/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: contracts
resources:
- helmrelease.yaml

103
apps/contracts/brusnika-stage/helmrelease.yaml
View File

@ -1,103 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: backend
namespace: contracts
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/contracts:prod_d3bbd9fc
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: backend
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8080
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: backend-service
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
labels:
monitoring: prometheus
secretEnvs:
- name: DB_URL
secretName:
_default: "ya-pg-secret"
secretKey: "db_url"
- name: PUBLIC_KEY
secretName:
_default: "public-key"
secretKey: "key"
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/contracts/brusnika-stage/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: contracts
resources:
- helmrelease.yaml

3
apps/contracts/yc-k8s-test/postgresql.yaml
View File

@ -58,8 +58,7 @@ spec:
size: 20Gi size: 20Gi
resources: resources:
requests: requests:
cpu: 50m memory: 512Mi
memory: 128Mi
customLivenessProbe: customLivenessProbe:
exec: exec:
command: command:

4
apps/control-interface/base/service.yaml
View File

@ -2,13 +2,13 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: frontend-svc name: srx-admin-svc
namespace: control-interface namespace: control-interface
spec: spec:
type: ClusterIP type: ClusterIP
selector: selector:
app: srx-admin app: srx-admin
ports: ports:
- port: 80 - port: 8080
targetPort: 80 targetPort: 80
protocol: TCP protocol: TCP

92
apps/control-interface/brusnika-prod/helmrelease.yaml
View File

@ -1,92 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: srx-admin
namespace: django
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
frontend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/srx-admin:prod_feb59026
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: srx-admin
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 80
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: srx-admin-svc
type:
_default: ClusterIP
port:
_default: 8080
targetPort:
_default: 80
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/control-interface/brusnika-prod/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: django
resources:
- helmrelease.yaml

92
apps/control-interface/brusnika-stage/helmrelease.yaml
View File

@ -1,92 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: srx-admin
namespace: django
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
frontend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/srx-admin:prod_feb59026
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: srx-admin
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 80
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: srx-admin-svc
type:
_default: ClusterIP
port:
_default: 8080
targetPort:
_default: 80
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/control-interface/brusnika-stage/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: django
resources:
- helmrelease.yaml

46
apps/cross-section/base/deployment.yaml
View File

@ -1,46 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cross-section-static
namespace: cross-section
labels:
app: cross-section-static
spec:
replicas: 2
selector:
matchLabels:
app: cross-section-static
template:
metadata:
labels:
app: cross-section-static
spec:
containers:
- name: frontend
image: cr.yandex/crp3ccidau046kdj8g9q/cross-section-app:production_e09e648b
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
livenessProbe:
httpGet:
path: /ping
port: 80
initialDelaySeconds: 10
periodSeconds: 10
failureThreshold: 10
readinessProbe:
httpGet:
path: /ping
port: 80
initialDelaySeconds: 10
periodSeconds: 10
failureThreshold: 20
resources:
requests:
cpu: 25m
memory: 100Mi
imagePullSecrets:
- name: regcred

98
apps/cross-section/base/frontend-helmrelease.yaml Normal file
View File

@ -0,0 +1,98 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cross-section-frontend
namespace: cross-section
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
static:
enabled: true
deployment:
enabled: true
name:
_default: cross-section-static
replicaCount:
_default: 2
port:
_default: 80
resources:
requests:
memory:
_default: 100Mi
cpu:
_default: 100m
probes:
liveness:
enabled:
_default: true
type:
_default: httpGet
httpGet:
path:
_default: /ping
port:
_default: 80
initialDelaySeconds:
_default: 10
periodSeconds:
_default: 10
failureThreshold:
_default: 10
readiness:
enabled:
_default: true
type:
_default: httpGet
httpGet:
path:
_default: /ping
port:
_default: 80
initialDelaySeconds:
_default: 10
periodSeconds:
_default: 10
failureThreshold:
_default: 20
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/cross-section-app:production_e09e648b
pullPolicy:
_default: IfNotPresent
service:
enabled: true
name:
_default: cross-section-static
type:
_default: ClusterIP
port:
_default: 80
targetPort:
_default: 80
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred

3
apps/cross-section/base/kustomization.yaml
View File

@ -4,5 +4,4 @@ kind: Kustomization
namespace: cross-section namespace: cross-section
resources: resources:
- namespace.yaml - namespace.yaml
- deployment.yaml - frontend-helmrelease.yaml
- service.yaml

15
apps/cross-section/base/service.yaml
View File

@ -1,15 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: cross-section-static
namespace: cross-section
spec:
type: ClusterIP
selector:
app: cross-section-static
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP

101
apps/cross-section/brusnika-prod/backend.yaml
View File

@ -1,101 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: measurements
namespace: measurements
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
driftDetection:
mode: enabled
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/documentations:prod_5904312b
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: measurements
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8080
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: measurements-service
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
labels:
monitoring: prometheus
secretEnvs:
- name: S3_JSON_SETTINGS
secretName:
_default: "s3-json-settings"
secretKey: "S3_JSON_SETTINGS"
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/cross-section/brusnika-prod/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: measurements
resources:
- backend.yaml

101
apps/cross-section/brusnika-stage/backend.yaml
View File

@ -1,101 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: measurements
namespace: measurements
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
driftDetection:
mode: enabled
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/documentations:prod_5904312b
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: measurements
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8080
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: measurements-service
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
labels:
monitoring: prometheus
secretEnvs:
- name: S3_JSON_SETTINGS
secretName:
_default: "s3-json-settings"
secretKey: "S3_JSON_SETTINGS"
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

6
apps/cross-section/brusnika-stage/kustomization.yaml
View File

@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: measurements
resources:
- backend.yaml

18
apps/django/base/backend-deployment.yaml
View File

@ -50,7 +50,7 @@ spec:
{{- with secret "secrets/data/minio/apps/django" -}} {{- with secret "secrets/data/minio/apps/django" -}}
AWS_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech AWS_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech
S3_HOST=https://minio.contour.infra.sarex.tech S3_HOST=https://minio.contour.infra.sarex.tech
{{- $buckets := index .Data.data "buckets" }} {{- $buckets := index .Data.data "buckets" -}}
S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}django{{- end -}} S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}django{{- end -}}
S3_LOGIN={{ index .Data.data "access_key" }} S3_LOGIN={{ index .Data.data "access_key" }}
S3_PASSWORD={{ index .Data.data "secret_key" }} S3_PASSWORD={{ index .Data.data "secret_key" }}
@ -127,11 +127,11 @@ spec:
- name: DJANGO_SETTINGS_MODULE - name: DJANGO_SETTINGS_MODULE
value: config.settings.production value: config.settings.production
- name: CELERY_REDIS_HOST - name: CELERY_REDIS_HOST
value: redis value: redis-service
- name: CELERY_REDIS_PORT - name: CELERY_REDIS_PORT
value: "6379" value: "6379"
- name: DJANGO_REDIS_HOST - name: DJANGO_REDIS_HOST
value: redis value: redis-service
- name: DJANGO_REDIS_PORT - name: DJANGO_REDIS_PORT
value: "6379" value: "6379"
- name: BIMV2_INTERNAL_HOST - name: BIMV2_INTERNAL_HOST
@ -149,13 +149,13 @@ spec:
- name: MEASUREMENTS_USE_MEASUREMENTS - name: MEASUREMENTS_USE_MEASUREMENTS
value: "1" value: "1"
- name: SERVER_API_HOST - name: SERVER_API_HOST
value: https://sarex.contour.infra.sarex.tech value: https://wb.sarex.io
- name: SERVER_HOST - name: SERVER_HOST
value: https://sarex.contour.infra.sarex.tech value: https://wb.sarex.io
- name: WORKFLOWS_HOST - name: WORKFLOWS_HOST
value: https://sarex.contour.infra.sarex.tech value: https://wb.sarex.io
- name: WORKFLOWS_BASE_HOST - name: WORKFLOWS_BASE_HOST
value: https://sarex.contour.infra.sarex.tech value: https://wb.sarex.io
- name: WORKFLOWS_USE - name: WORKFLOWS_USE
value: "1" value: "1"
- name: SERVER_S3_STREAM_IMPORT - name: SERVER_S3_STREAM_IMPORT
@ -203,8 +203,8 @@ spec:
resources: resources:
requests: requests:
cpu: "25m" cpu: "1"
memory: 128Mi memory: 1Gi
volumeMounts: volumeMounts:
- name: django-configmap - name: django-configmap
mountPath: /opt/sarex/config/settings/production.py mountPath: /opt/sarex/config/settings/production.py

10
apps/django/base/celery-deployment.yaml
View File

@ -50,7 +50,7 @@ spec:
{{- with secret "secrets/data/minio/apps/django" -}} {{- with secret "secrets/data/minio/apps/django" -}}
AWS_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech AWS_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech
S3_HOST=https://minio.contour.infra.sarex.tech S3_HOST=https://minio.contour.infra.sarex.tech
{{- $buckets := index .Data.data "buckets" }} {{- $buckets := index .Data.data "buckets" -}}
S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}django{{- end -}} S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}django{{- end -}}
S3_LOGIN={{ index .Data.data "access_key" }} S3_LOGIN={{ index .Data.data "access_key" }}
S3_PASSWORD={{ index .Data.data "secret_key" }} S3_PASSWORD={{ index .Data.data "secret_key" }}
@ -121,11 +121,11 @@ spec:
- name: DJANGO_SETTINGS_MODULE - name: DJANGO_SETTINGS_MODULE
value: config.settings.production value: config.settings.production
- name: CELERY_REDIS_HOST - name: CELERY_REDIS_HOST
value: redis value: redis-service
- name: CELERY_REDIS_PORT - name: CELERY_REDIS_PORT
value: "6379" value: "6379"
- name: DJANGO_REDIS_HOST - name: DJANGO_REDIS_HOST
value: redis value: redis-service
- name: DJANGO_REDIS_PORT - name: DJANGO_REDIS_PORT
value: "6379" value: "6379"
- name: BIMV2_INTERNAL_HOST - name: BIMV2_INTERNAL_HOST
@ -194,8 +194,8 @@ spec:
value: "False" value: "False"
resources: resources:
requests: requests:
cpu: "25m" cpu: "1"
memory: 128Mi memory: 1Gi
volumeMounts: volumeMounts:
- name: django-configmap - name: django-configmap
mountPath: /opt/sarex/config/settings/production.py mountPath: /opt/sarex/config/settings/production.py

52
apps/django/base/django-configmap.yaml
View File

@ -5,57 +5,16 @@ metadata:
namespace: django namespace: django
data: data:
production.py: | production.py: |
import ast
import os import os
from .base import * from .base import *
from logging.handlers import SysLogHandler from logging.handlers import SysLogHandler
from datetime import timedelta from datetime import timedelta
def _load_env_file(path):
try:
with open(path, "r", encoding="utf-8") as f:
for raw_line in f:
line = raw_line.strip()
if not line or line.startswith("#") or "=" not in line:
continue
key, value = line.split("=", 1)
key = key.strip()
value = value.strip()
if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
try:
value = ast.literal_eval(value)
except (ValueError, SyntaxError):
value = value[1:-1]
if key and key not in os.environ:
os.environ[key] = value
except FileNotFoundError:
pass
def _read_secret_file(path, default=""):
try:
with open(path, "r", encoding="utf-8") as f:
return f.read().strip()
except FileNotFoundError:
return default
# Fallback for manage.py launched via `kubectl exec` (outside entrypoint),
# so Django can still read DB/JWT values from Vault-injected files.
_load_env_file("/vault/secrets/django-postgresql")
_load_env_file("/vault/secrets/django-rabbitmq")
_load_env_file("/vault/secrets/django-s3")
_load_env_file("/vault/secrets/django-kafka")
_load_env_file("/vault/secrets/django-common")
if not os.environ.get("JWT_PRIVATE_KEY"):
os.environ["JWT_PRIVATE_KEY"] = _read_secret_file("/vault/secrets/django-jwt-private")
if not os.environ.get("JWT_PUBLIC_KEY"):
os.environ["JWT_PUBLIC_KEY"] = _read_secret_file("/vault/secrets/django-jwt-public")
ALLOWED_HOSTS = ["*"] ALLOWED_HOSTS = ["*"]
FILE_UPLOAD_PERMISSIONS = 0o644 FILE_UPLOAD_PERMISSIONS = 0o644
DEBUG = False DEBUG = False
CSRF_COOKIE_SECURE = True CSRF_COOKIE_SECURE = True
CSRF_TRUSTED_ORIGINS = ["https://sarex.contour.infra.sarex.tech", "http://sarex.contour.infra.sarex.tech"] CSRF_TRUSTED_ORIGINS = ["https://lk.srx.wb.ru:30443", "https://lk.srx.wb.ru"]
SESSION_COOKIE_SECURE = True SESSION_COOKIE_SECURE = True
SECURE_SSL_REDIRECT = False SECURE_SSL_REDIRECT = False
@ -87,7 +46,7 @@ data:
'Bearer', 'Bearer',
) )
HOST = "https://sarex.contour.infra.sarex.tech" HOST = "https://wb.sarex.io"
POSTGRES_DATABASE = os.environ.get('DJANGO_POSTGRES_DATABASE') POSTGRES_DATABASE = os.environ.get('DJANGO_POSTGRES_DATABASE')
POSTGRES_USER = os.environ.get('DJANGO_POSTGRES_USER') POSTGRES_USER = os.environ.get('DJANGO_POSTGRES_USER')
@ -150,8 +109,8 @@ data:
'BLACKLIST_AFTER_ROTATION': True, 'BLACKLIST_AFTER_ROTATION': True,
'UPDATE_LAST_LOGIN': False, 'UPDATE_LAST_LOGIN': False,
'ALGORITHM': 'RS512', 'ALGORITHM': 'RS512',
'SIGNING_KEY': os.environ.get("JWT_PRIVATE_KEY", "").replace("\\n", "\n"), 'SIGNING_KEY': os.environ.get("JWT_PRIVATE_KEY").replace("\\n", "\n"),
'VERIFYING_KEY': os.environ.get("JWT_PUBLIC_KEY", "").replace("\\n", "\n"), 'VERIFYING_KEY': os.environ.get("JWT_PUBLIC_KEY").replace("\\n", "\n"),
'AUDIENCE': None, 'AUDIENCE': None,
'ISSUER': os.environ.get('SIMPLE_JWT_ISSUER', 'default_issuer'), 'ISSUER': os.environ.get('SIMPLE_JWT_ISSUER', 'default_issuer'),
'AUTH_HEADER_TYPES': ('Bearer',), 'AUTH_HEADER_TYPES': ('Bearer',),
@ -310,7 +269,7 @@ data:
DEBUG=True DEBUG=True
WEB_APP_AUTH_MODE='jwt-session-based' #WEB_APP_AUTH_MODE='jwt-session-based'
SAREX_MODULES_SETTINGS = { SAREX_MODULES_SETTINGS = {
@ -319,3 +278,4 @@ data:
}, },
"sso_logout_redirect": True "sso_logout_redirect": True
} }

44
apps/django/base/frontend-deployment.yaml
View File

@ -1,44 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend
namespace: django
labels:
app: frontend
spec:
replicas: 1
selector:
matchLabels:
app: frontend
template:
metadata:
labels:
app: frontend
spec:
volumes:
- name: nginx-configmap
configMap:
name: nginx-configmap
items:
- key: nginx.conf
path: nginx.conf
defaultMode: 420
containers:
- name: frontend
image: cr.yandex/crp3ccidau046kdj8g9q/sarex-frontend-dev:contour_0b579274
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
resources:
requests:
cpu: 25m
memory: 100Mi
volumeMounts:
- name: nginx-configmap
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
imagePullSecrets:
- name: regcred

96
apps/django/brusnika-prod/sarex-frontend.yaml → apps/django/base/frontend-helmrelease.yaml
View File

@ -1,12 +1,11 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2 apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease kind: HelmRelease
metadata: metadata:
name: frontend name: django-frontend
namespace: django namespace: django
spec: spec:
interval: 10m interval: 10m
chart: chart:
spec: spec:
chart: universal-chart chart: universal-chart
@ -16,74 +15,32 @@ spec:
name: yc-oci-charts name: yc-oci-charts
namespace: flux-system namespace: flux-system
interval: 10m interval: 10m
install: install:
remediation: remediation:
retries: 3 retries: 3
upgrade: upgrade:
remediation: remediation:
retries: 3 retries: 3
values: values:
global: global:
env: _default env: _default
services: services:
frontend: frontend:
enabled: true enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/sarex-frontend-dev:contour_5.16.3
pullPolicy:
_default: IfNotPresent
deployment: deployment:
enabled: true enabled: true
name: name:
_default: frontend _default: frontend
replicaCount: replicaCount:
_default: 1 _default: 1
stage: 1
preprod: 3
production: 3
port: port:
_default: 80 _default: 80
resources:
probes: requests:
liveness: memory:
enabled: false _default: 100Mi
readiness: cpu:
enabled: false _default: 100m
service:
enabled: true
name:
_default: frontend-service
type:
_default: ClusterIP
port:
_default: 80
targetPort:
_default: 80
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
volumes: volumes:
_default: _default:
- name: nginx-configmap - name: nginx-configmap
@ -91,19 +48,34 @@ spec:
_default: /etc/nginx/nginx.conf _default: /etc/nginx/nginx.conf
subPath: subPath:
_default: nginx.conf _default: nginx.conf
readOnly:
_default: true
configMap: configMap:
name: name:
_default: nginx-configmap _default: nginx-configmap
items: items:
- key: nginx.conf - key: nginx.conf
path: nginx.conf path:
defaultMode: 420 _default: nginx.conf
defaultMode:
_default: 420
image:
commitSha: "" name:
gitlabUri: "" _default: cr.yandex/crp3ccidau046kdj8g9q/sarex-frontend-dev:contour_0b579274
gitlabJobUrl: "" pullPolicy:
owner: "" _default: IfNotPresent
service:
enabled: true
name:
_default: frontend-svc
type:
_default: ClusterIP
port:
_default: 80
targetPort:
_default: 80
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred

15
apps/django/base/frontend-service.yaml
View File

@ -1,15 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: frontend-svc
namespace: django
spec:
type: ClusterIP
selector:
app: frontend
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP

3
apps/django/base/kustomization.yaml
View File

@ -7,9 +7,8 @@ resources:
- serviceaccount.yaml - serviceaccount.yaml
- backend-deployment.yaml - backend-deployment.yaml
- celery-deployment.yaml - celery-deployment.yaml
- frontend-deployment.yaml
- backend-service.yaml - backend-service.yaml
- frontend-service.yaml - frontend-helmrelease.yaml
- django-configmap.yaml - django-configmap.yaml
- srx-admin-deployment.yaml - srx-admin-deployment.yaml
- srx-admin-service.yaml - srx-admin-service.yaml

17
apps/django/base/nginx-configmap.yaml
View File

@ -80,19 +80,10 @@ data:
# } # }
location ~^/workspaces-v2/(.+).js { location ~^/workspaces-v2/(.+).js {
proxy_http_version 1.1;
proxy_set_header Connection "";
rewrite /workspaces-v2/(.+) /$1 break; rewrite /workspaces-v2/(.+) /$1 break;
proxy_pass http://frontend-svc.workspaces.svc.cluster.local:80; proxy_pass http://frontend-svc.workspaces.svc.cluster.local:80;
} }
location ~^/workspaces-v2/(.+)\.wasm$ {
proxy_http_version 1.1;
proxy_set_header Connection "";
rewrite ^/workspaces-v2/(.+) /$1 break;
proxy_pass http://frontend-svc.workspaces.svc.cluster.local:80;
}
location @index { location @index {
add_header Cache-Control 'no-cache, must-revalidate, proxy-revalidate, max-age=0'; add_header Cache-Control 'no-cache, must-revalidate, proxy-revalidate, max-age=0';
if_modified_since off; if_modified_since off;
@ -100,10 +91,10 @@ data:
try_files /static/index.html =404; try_files /static/index.html =404;
} }
# location ~^/workflows/(.+).js { location ~^/workflows/(.+).js {
# rewrite /workflows/(.+) /$1 break; rewrite /workflows/(.+) /$1 break;
# proxy_pass http://frontend-svc.processing.svc.cluster.local:80; proxy_pass http://frontend-svc.processing.svc.cluster.local:80;
# } }
location /service-worker.js { location /service-worker.js {
try_files /static/$uri @index; try_files /static/$uri @index;
} }

2
apps/django/base/srx-admin-deployment.yaml
View File

@ -26,7 +26,7 @@ spec:
protocol: TCP protocol: TCP
resources: resources:
requests: requests:
cpu: 25m cpu: 100m
memory: 100Mi memory: 100Mi
imagePullSecrets: imagePullSecrets:
- name: regcred - name: regcred

406
apps/django/brusnika-prod/celery.yaml
View File

@ -1,406 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: celery
namespace: django
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/backend:production_8f05291e
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: celery
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8000
command:
_default:
- celery
- -A
- config
- worker
- -B
- -l
- info
- -E
- -Q
- default
- -n
- default_worker.%h
- --concurrency=2
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: celery
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
volumes:
_default:
- name: uwsgi-configmap
mountPath:
_default: /opt/sarex/uwsgi.ini
subPath:
_default: uwsgi.ini
readOnly:
_default: true
configMap:
name:
_default: uwsgi-configmap
items:
- key: uwsgi.ini
path:
_default: uwsgi.ini
- name: django-configmap
mountPath:
_default: /opt/sarex/config/settings/production.py
subPath:
_default: production.py
readOnly:
_default: true
configMap:
name:
_default: django-configmap
items:
- key: production.py
path:
_default: production.py
labels:
monitoring: prometheus
envs:
- name: SERVER_SUPERSET_HOST
value:
_default: "https://superset.cde.brusnika.ru"
- name: GK_ENCRYPTION_KEY
value:
_default: "zfDjuszywHSbAhY8KJQbESbpUYN74XTs"
- name: ALLOWED_HOSTS
value:
_default: "*"
- name: SERVER_USE_CHANGELOG
value:
_default: "0"
- name: SERVER_ZITADEL_ENABLED
value:
_default: "False"
- name: DJANGO_SETTINGS_MODULE
value:
_default: "config.settings.production"
- name: CELERY_REDIS_HOST
value:
_default: "redis-service"
- name: CELERY_REDIS_PORT
value:
_default: "6379"
- name: DJANGO_REDIS_HOST
value:
_default: "redis-service"
- name: DJANGO_REDIS_PORT
value:
_default: "6379"
- name: BIMV2_INTERNAL_HOST
value:
_default: "http://bim-backend-v2-service.bim-api"
- name: BIMV2_TIMEOUT
value:
_default: "60"
- name: JWT_KID
value:
_default: "1"
- name: PDM_SYNC
value:
_default: "1"
- name: KC_SYNC_ENABLE
value:
_default: "0"
- name: MEASUREMENTS_HOST
value:
_default: "http://measurements-service.measurements.svc.cluster.local:8000/api"
- name: MEASUREMENTS_USE_MEASUREMENTS
value:
_default: "1"
- name: SERVER_API_HOST
value:
_default: "https://cde.brusnika.ru"
- name: SERVER_HOST
value:
_default: "https://cde.brusnika.ru"
- name: WORKFLOWS_HOST
value:
_default: "https://cde.brusnika.ru"
- name: WORKFLOWS_BASE_HOST
value:
_default: "https://cde.brusnika.ru"
- name: WORKFLOWS_USE
value:
_default: "1"
- name: SERVER_S3_STREAM_IMPORT
value:
_default: "1"
- name: SERVER_SAVE_DIFF_DEM
value:
_default: "1"
- name: SERVER_USE_CLICKHOUSE
value:
_default: "0"
- name: SERVER_USE_CREATE_COMPARED_GEOTIFF_TASK
value:
_default: "0"
- name: SERVER_USE_DJANGO_STORAGE
value:
_default: "1"
- name: SERVER_USE_METASHAPE
value:
_default: "0"
- name: SERVER_CHANGELOG_MODE_SYSTEM_LOG
value:
_default: "1"
- name: SERVER_CHANGELOG_MODE
value:
_default: "0"
- name: SERVER_DJANGO_URLS
value:
_default: "1"
- name: CHECK_IMPORT_HASH
value:
_default: "1"
- name: EAV_ENABLE
value:
_default: "1"
- name: SERVER_CHECK_IMPORT_HASH
value:
_default: "1"
- name: SERVER_CHUNKED_PATH
value:
_default: "/tmp/chunked_uploads/%Y/%m/%d"
- name: SERVER_HIDE_USER_SCROLL_PERMISSIONS
value:
_default: "0"
- name: SERVER_USE_WRORKFLOW_STATUS
value:
_default: "1"
- name: S3_HOST
value:
_default: "http://minio-svc.minio.svc.cluster.local:9000"
- name: KC_USE_REDIRECT_LOGOUT
value:
_default: "True"
secretEnvs:
- name: SERVER_SUPERSET_JWT_SECRET
secretName:
_default: "jwt-secret-superset"
secretKey: "jwt_secret"
- name: KC_CLIENT_ID
secretName:
_default: "gatekeeper-secret"
secretKey: "client_id"
- name: KC_CLIENT_SECRET
secretName:
_default: "gatekeeper-secret"
secretKey: "client_secret"
- name: AWS_S3_ENDPOINT_URL
secretName:
_default: "s3-secret"
secretKey: "endpoint"
- name: CELERY_RABBITMQ_HOST
secretName:
_default: "rabbitmq-secret"
secretKey: "host"
- name: CELERY_RABBITMQ_USER
secretName:
_default: "rabbitmq-secret"
secretKey: "username"
- name: CELERY_RABBITMQ_PASSWORD
secretName:
_default: "rabbitmq-secret"
secretKey: "password"
- name: CELERY_RABBITMQ_VHOST
secretName:
_default: "rabbitmq-secret"
secretKey: "vhost"
- name: DJANGO_POSTGRES_HOST
secretName:
_default: "postgres-secret"
secretKey: "host"
- name: DJANGO_POSTGRES_PORTS
secretName:
_default: "postgres-secret"
secretKey: "port"
- name: DJANGO_POSTGRES_USER
secretName:
_default: "postgres-secret"
secretKey: "username"
- name: DJANGO_POSTGRES_PASSWORD
secretName:
_default: "postgres-secret"
secretKey: "password"
- name: DJANGO_POSTGRES_DATABASE
secretName:
_default: "postgres-secret"
secretKey: "database"
- name: DJANGO_RABBIT_HOSTNAME
secretName:
_default: "rabbitmq-secret"
secretKey: "host"
- name: DJANGO_RABBIT_USER
secretName:
_default: "rabbitmq-secret"
secretKey: "username"
- name: DJANGO_RABBIT_PASS
secretName:
_default: "rabbitmq-secret"
secretKey: "password"
- name: DJANGO_RABBIT_VHOST
secretName:
_default: "rabbitmq-secret"
secretKey: "vhost"
- name: JWT_PRIVATE_KEY
secretName:
_default: "backend-secret"
secretKey: "ssh_private.key"
- name: JWT_PUBLIC_KEY
secretName:
_default: "backend-secret"
secretKey: "ssh_public.key"
- name: S3_BUCKET
secretName:
_default: "sarex-media-storage-secret"
secretKey: "bucket"
- name: S3_LOGIN
secretName:
_default: "sarex-media-storage-secret"
secretKey: "login"
- name: S3_PASSWORD
secretName:
_default: "sarex-media-storage-secret"
secretKey: "password"
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

94
apps/django/brusnika-prod/export-project.yaml
View File

@ -1,94 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: export-project
namespace: django
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/export-project:prod_37a48176
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: export-project
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8000
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: export-project-service
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
labels:
monitoring: prometheus
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

10
apps/django/brusnika-prod/kustomization.yaml
View File

@ -1,10 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: django
resources:
- sarex-frontend.yaml
- sarex-backend.yaml
- celery.yaml
- export-project.yaml
- s3-proxy.yaml

113
apps/django/brusnika-prod/s3-proxy.yaml
View File

@ -1,113 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: s3-proxy
namespace: django
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
backend:
enabled: true
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/export-project:prod_37a48176
pullPolicy:
_default: IfNotPresent
deployment:
enabled: true
name:
_default: s3-proxy
replicaCount:
_default: 1
stage: 1
preprod: 3
production: 3
port:
_default: 8000
probes:
liveness:
enabled: false
readiness:
enabled: false
service:
enabled: true
name:
_default: s3-proxy-service
type:
_default: ClusterIP
port:
_default: 80
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
labels:
monitoring: prometheus
envs:
- name: AWS_API_ENDPOINT
value:
_default: "http://minio-svc.minio.svc.cluster.local:9000"
- name: APP_PORT
value:
_default: "8000"
secretEnvs:
- name: AWS_ACCESS_KEY_ID
secretName:
_default: "sarex-media-storage-secret"
secretKey: "login"
- name: AWS_SECRET_ACCESS_KEY
secretName:
_default: "sarex-media-storage-secret"
secretKey: "password"
- name: AWS_S3_BUCKET
secretName:
_default: "sarex-media-storage-secret"
secretKey: "bucket"
commitSha: ""
gitlabUri: ""
gitlabJobUrl: ""
owner: ""

Some files were not shown because too many files have changed in this diff Show More