rfi + comparisons

This commit is contained in:
Kochetkov S 2026-04-22 14:17:54 +03:00
parent 43db3d16e8
commit 08814ab8ff
10 changed files with 171 additions and 215 deletions


@ -15,7 +15,29 @@ spec:
metadata:
labels:
app: backend
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: comparisons
vault.hashicorp.com/agent-inject-secret-comparisons-db: secrets/data/postgresql/apps/comparisons
vault.hashicorp.com/agent-inject-template-comparisons-db: |-
{{- with secret "secrets/data/postgresql/apps/comparisons" -}}
POSTGRES_ADDRESS=postgresql.comparisons.svc.cluster.local
POSTGRES_PORT=5432
POSTGRES_DB=comparisons_db
POSTGRES_USER={{ index .Data.data "username" }}
POSTGRES_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-comparisons-jwt-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-comparisons-jwt-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec:
serviceAccountName: comparisons-vault
volumes:
- name: tasks-execution-config
configMap:
@ -27,6 +49,14 @@ spec:
- name: backend
image: cr.yandex/crp3ccidau046kdj8g9q/comparisons:prod_863df9f0
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/comparisons-db ] && . /vault/secrets/comparisons-db
[ -f /vault/secrets/comparisons-jwt-public ] && export AUTH_PUBLIC_KEY="$(cat /vault/secrets/comparisons-jwt-public)"
set +a
exec /app/entrypoint.sh
ports:
- name: http
containerPort: 8000
@ -70,36 +100,6 @@ spec:
value: "0"
- name: WORKFLOWS_CONFIG_FILEPATH
value: /etc/app/tasks-execution-config.json
- name: POSTGRES_ADDRESS
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: host
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: port
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: database
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: password
- name: AUTH_PUBLIC_KEY
valueFrom:
secretKeyRef:
name: auth-public-key
key: public_key
resources:
requests:
cpu: 100m
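Review bot: The agent template writes the secret unquoted, `POSTGRES_PASSWORD={{ index .Data.data "password" }}`, and the container then executes that file as shell with `. /vault/secrets/comparisons-db` under `set -e`, so a password containing whitespace, `$`, a backtick, `;` or `#` is word-split, expanded or run as a command instead of being assigned. Single-quoting the rendered value, `POSTGRES_PASSWORD='{{ index .Data.data "password" }}'`, closes that for everything except a literal `'` in the password, which still has to be escaped in the template (and the same applies to `POSTGRES_USER`). Separately, the `[ -f … ] &&` guard in front of each `.` exempts the source from `set -e`, so a missing file silently starts the app with no database credentials now that the `secretKeyRef` fallbacks are removed; with `agent-init-first` and `agent-pre-populate-only` set the file is always expected, so an unguarded `. /vault/secrets/comparisons-db` fails fast instead. The rfi backend and celery deployments later on this page source their `rfi-db`, `rfi-s3`, `rfi-rabbitmq` and `rfi-django-auth` files the same way and have the same two issues.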


@ -4,6 +4,7 @@ kind: Kustomization
namespace: comparisons
resources:
- namespace.yaml
- serviceaccount.yaml
- backend-deployment.yaml
- backend-service.yaml
- frontend-deployment.yaml


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: comparisons-vault
namespace: comparisons


@ -8,4 +8,4 @@ patches:
- path: replicas.yaml
target:
kind: Deployment
name: comparisons
name: backend


@ -9,7 +9,7 @@ spec:
chart:
spec:
chart: postgresql-contour
version: "17.0.2"
version: "17.0.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
@ -44,7 +44,7 @@ spec:
image:
registry: cr.yandex/crp3ccidau046kdj8g9q
repository: contour/postgresql
tag: 17.0.2
tag: 17.0.7
pullPolicy: Always
metrics:
enabled: false
@ -61,7 +61,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
@ -72,7 +72,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
@ -83,7 +83,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
@ -101,13 +101,20 @@ spec:
effect: NoSchedule
contour:
enabled: true
adminUser: ""
adminPasswordSecretKey: ""
adminUser: "postgres"
sharedPreloadLibraries: "pg_stat_statements,uuid-ossp"
vault:
enabled: true
role: postgresql
authPath: auth/kubernetes
secretPath: secrets/data/postgresql/admin
secretKey: postgres-password
usersSecretPath: secrets/data/postgresql/users
databases:
- name: comparisons_db
user: comparisons
passwordKey: comparisons
extensions: []
restoreFromDump: false
s3-proxy:
endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
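Review bot: The new `vault:` block points this instance at `secretPath: secrets/data/postgresql/admin`, `secretKey: postgres-password` and `usersSecretPath: secrets/data/postgresql/users` under role `postgresql`, and the rfi HelmRelease later on this page uses exactly the same paths and role, so two separately-namespaced database clusters share one admin password and one users secret; compromise of either instance exposes the other's superuser, and the two cannot be rotated independently. Per-instance paths (for example `secretPath: secrets/data/postgresql/comparisons/admin`, a constructed example that must match the Vault layout) and a role scoped per namespace keep the blast radius to one cluster. Also, `sharedPreloadLibraries: "pg_stat_statements,uuid-ossp"` is paired with `extensions: []`; preloading a library does not create the extension, so `uuid-ossp` functions will presumably still need a `CREATE EXTENSION` (whether the chart's `extensions` list does that is not visible here — worth confirming, and the rfi instance preloads only `pg_stat_statements`).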


@ -17,11 +17,61 @@ spec:
labels:
app: rfi-backend-api
service: api
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: rfi
vault.hashicorp.com/agent-inject-secret-rfi-db: secrets/data/postgresql/apps/rfi
vault.hashicorp.com/agent-inject-template-rfi-db: |-
{{- with secret "secrets/data/postgresql/apps/rfi" -}}
DB_HOST=postgresql.rfi.svc.cluster.local
DB_PORT=5432
DB_NAME=rfi_db
DB_USER={{ index .Data.data "username" }}
DB_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-rfi-s3: secrets/data/minio/apps/rfi
vault.hashicorp.com/agent-inject-template-rfi-s3: |-
{{- with secret "secrets/data/minio/apps/rfi" -}}
YC_S3_ENDPOINT_URL={{ index .Data.data.client "endpoint" }}
YC_S3_BUCKET_NAME=rfi
YC_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-rfi-rabbitmq: secrets/data/rabbitmq/apps/rfi
vault.hashicorp.com/agent-inject-template-rfi-rabbitmq: |-
{{- with secret "secrets/data/rabbitmq/apps/rfi" -}}
RABBITMQ_VHOST={{ index .Data.data "vhost" }}
RABBITMQ_USERNAME={{ index .Data.data "username" }}
RABBITMQ_PASSWORD={{ index .Data.data "password" }}
RABBITMQ_PORT=5672
RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
{{- end -}}
vault.hashicorp.com/agent-inject-secret-rfi-django-auth: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-rfi-django-auth: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
DJANGO_SECRET_KEY={{ index .Data.data "key" }}
SAREX_BACKEND_AUTH={{ index .Data.data "key" }}
{{- end -}}
spec:
serviceAccountName: rfi-vault
containers:
- name: api
image: cr.yandex/crp3ccidau046kdj8g9q/rfi-backend:production_d1e2e80d
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/rfi-db ] && . /vault/secrets/rfi-db
[ -f /vault/secrets/rfi-s3 ] && . /vault/secrets/rfi-s3
[ -f /vault/secrets/rfi-rabbitmq ] && . /vault/secrets/rfi-rabbitmq
[ -f /vault/secrets/rfi-django-auth ] && . /vault/secrets/rfi-django-auth
set +a
exec ./entrypoint.sh
ports:
- name: http
containerPort: 8000
@ -41,86 +91,6 @@ spec:
value: http://eav-service.eav.svc.cluster.local:8000
- name: GATEWAY_URL
value: http://pdm-api.documentations.svc.cluster.local:8080
- name: DJANGO_SECRET_KEY
valueFrom:
secretKeyRef:
name: django-secret
key: django_secret_key
- name: DB_HOST
valueFrom:
secretKeyRef:
name: postgresql-secret
key: hostname
- name: DB_PORT
valueFrom:
secretKeyRef:
name: postgresql-secret
key: port
- name: DB_NAME
valueFrom:
secretKeyRef:
name: postgresql-secret
key: database
- name: DB_USER
valueFrom:
secretKeyRef:
name: postgresql-secret
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: postgresql-secret
key: password
- name: SAREX_BACKEND_AUTH
valueFrom:
secretKeyRef:
name: django-secret
key: token
- name: YC_S3_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: s3-secret
key: username
- name: YC_S3_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: s3-secret
key: password
- name: YC_S3_BUCKET_NAME
valueFrom:
secretKeyRef:
name: s3-secret
key: bucket
- name: YC_S3_ENDPOINT_URL
valueFrom:
secretKeyRef:
name: s3-secret
key: hostname
- name: RABBITMQ_VHOST
valueFrom:
secretKeyRef:
name: rabbitmq-secret
key: vhost
- name: RABBITMQ_USERNAME
valueFrom:
secretKeyRef:
name: rabbitmq-secret
key: username
- name: RABBITMQ_PASSWORD
valueFrom:
secretKeyRef:
name: rabbitmq-secret
key: password
- name: RABBITMQ_PORT
valueFrom:
secretKeyRef:
name: rabbitmq-secret
key: port
- name: RABBITMQ_HOST
valueFrom:
secretKeyRef:
name: rabbitmq-secret
key: hostname
resources:
requests:
cpu: "1"
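Review bot: In the `rfi-django-auth` template both `DJANGO_SECRET_KEY` and `SAREX_BACKEND_AUTH` render `{{ index .Data.data "key" }}`, whereas the removed env block drew them from two distinct keys (`django_secret_key` and `token` of `django-secret`), so Django's signing secret now doubles as the inter-service auth token. Any leak of the bearer token then also compromises session and CSRF signing, and neither value can be rotated without the other. Keeping them as separate fields, e.g. `SAREX_BACKEND_AUTH={{ index .Data.data "token" }}` with a `token` entry stored beside `key` (a constructed name — match whatever the secret holds), restores the previous separation; the celery deployment on this page has the same two lines. One more thing to confirm: `YC_S3_ENDPOINT_URL={{ index .Data.data.client "endpoint" }}` assumes a nested `client` map unlike the sibling `access_key`/`secret_key` lookups, and with `agent-init-first` a template error here keeps the pod from ever starting.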


@ -17,21 +17,61 @@ spec:
labels:
app: celery
service: celery
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: rfi
vault.hashicorp.com/agent-inject-secret-rfi-db: secrets/data/postgresql/apps/rfi
vault.hashicorp.com/agent-inject-template-rfi-db: |-
{{- with secret "secrets/data/postgresql/apps/rfi" -}}
DB_HOST=postgresql.rfi.svc.cluster.local
DB_PORT=5432
DB_NAME=rfi_db
DB_USER={{ index .Data.data "username" }}
DB_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-rfi-s3: secrets/data/minio/apps/rfi
vault.hashicorp.com/agent-inject-template-rfi-s3: |-
{{- with secret "secrets/data/minio/apps/rfi" -}}
YC_S3_ENDPOINT_URL={{ index .Data.data.client "endpoint" }}
YC_S3_BUCKET_NAME=rfi
YC_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-rfi-rabbitmq: secrets/data/rabbitmq/apps/rfi
vault.hashicorp.com/agent-inject-template-rfi-rabbitmq: |-
{{- with secret "secrets/data/rabbitmq/apps/rfi" -}}
RABBITMQ_VHOST={{ index .Data.data "vhost" }}
RABBITMQ_USERNAME={{ index .Data.data "username" }}
RABBITMQ_PASSWORD={{ index .Data.data "password" }}
RABBITMQ_PORT=5672
RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
{{- end -}}
vault.hashicorp.com/agent-inject-secret-rfi-django-auth: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-rfi-django-auth: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
DJANGO_SECRET_KEY={{ index .Data.data "key" }}
SAREX_BACKEND_AUTH={{ index .Data.data "key" }}
{{- end -}}
spec:
serviceAccountName: rfi-vault
containers:
- name: celery
image: cr.yandex/crp3ccidau046kdj8g9q/rfi-backend:dev4
imagePullPolicy: IfNotPresent
command:
- uv
command: ["/bin/sh", "-ec"]
args:
- run
- celery
- -A
- config
- worker
- -l
- info
- |
set -a
[ -f /vault/secrets/rfi-db ] && . /vault/secrets/rfi-db
[ -f /vault/secrets/rfi-s3 ] && . /vault/secrets/rfi-s3
[ -f /vault/secrets/rfi-rabbitmq ] && . /vault/secrets/rfi-rabbitmq
[ -f /vault/secrets/rfi-django-auth ] && . /vault/secrets/rfi-django-auth
set +a
exec uv run celery -A config worker -l info
ports:
- name: http
containerPort: 8000
@ -51,86 +91,6 @@ spec:
value: http://eav-service.eav.svc.cluster.local:8000
- name: GATEWAY_URL
value: http://pdm-api.documentations.svc.cluster.local:8080
- name: DJANGO_SECRET_KEY
valueFrom:
secretKeyRef:
name: django-secret
key: django_secret_key
- name: DB_HOST
valueFrom:
secretKeyRef:
name: postgresql-secret
key: hostname
- name: DB_PORT
valueFrom:
secretKeyRef:
name: postgresql-secret
key: port
- name: DB_NAME
valueFrom:
secretKeyRef:
name: postgresql-secret
key: database
- name: DB_USER
valueFrom:
secretKeyRef:
name: postgresql-secret
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: postgresql-secret
key: password
- name: SAREX_BACKEND_AUTH
valueFrom:
secretKeyRef:
name: django-secret
key: token
- name: YC_S3_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: s3-secret
key: username
- name: YC_S3_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: s3-secret
key: password
- name: YC_S3_BUCKET_NAME
valueFrom:
secretKeyRef:
name: s3-secret
key: bucket
- name: YC_S3_ENDPOINT_URL
valueFrom:
secretKeyRef:
name: s3-secret
key: hostname
- name: RABBITMQ_VHOST
valueFrom:
secretKeyRef:
name: rabbitmq-secret
key: vhost
- name: RABBITMQ_USERNAME
valueFrom:
secretKeyRef:
name: rabbitmq-secret
key: username
- name: RABBITMQ_PASSWORD
valueFrom:
secretKeyRef:
name: rabbitmq-secret
key: password
- name: RABBITMQ_PORT
valueFrom:
secretKeyRef:
name: rabbitmq-secret
key: port
- name: RABBITMQ_HOST
valueFrom:
secretKeyRef:
name: rabbitmq-secret
key: hostname
resources:
requests:
cpu: "1"


@ -4,6 +4,7 @@ kind: Kustomization
namespace: rfi
resources:
- namespace.yaml
- serviceaccount.yaml
- backend-deployment.yaml
- celery-deployment.yaml
- frontend-deployment.yaml


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: rfi-vault
namespace: rfi


@ -9,7 +9,7 @@ spec:
chart:
spec:
chart: postgresql-contour
version: "17.0.2"
version: "17.0.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
@ -44,7 +44,7 @@ spec:
image:
registry: cr.yandex/crp3ccidau046kdj8g9q
repository: contour/postgresql
tag: 17.0.2
tag: 17.0.7
pullPolicy: Always
metrics:
enabled: false
@ -61,7 +61,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
@ -72,7 +72,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
@ -83,7 +83,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
@ -98,12 +98,19 @@ spec:
effect: NoSchedule
contour:
enabled: true
adminUser: ""
adminPasswordSecretKey: ""
adminUser: "postgres"
sharedPreloadLibraries: "pg_stat_statements"
vault:
enabled: true
role: postgresql
authPath: auth/kubernetes
secretPath: secrets/data/postgresql/admin
secretKey: postgres-password
usersSecretPath: secrets/data/postgresql/users
databases:
- name: rfi_db
user: rfi
passwordKey: rfi
extensions: []
restoreFromDump: false
s3-proxy: