From 08814ab8ffd51fbfc5d37167fceaf9ce00d61ef9 Mon Sep 17 00:00:00 2001
From: Kochetkov S
Date: Wed, 22 Apr 2026 14:17:54 +0300
Subject: [PATCH] rfi + comparisons

---
 apps/comparisons/base/backend-deployment.yaml | 60 ++++----
 apps/comparisons/base/kustomization.yaml | 1 +
 apps/comparisons/base/serviceaccount.yaml | 5 +
 .../yc-k8s-test/kustomization.yaml | 2 +-
 apps/comparisons/yc-k8s-test/postgresql.yaml | 23 ++-
 apps/rfi/base/backend-deployment.yaml | 130 +++++++----------
 apps/rfi/base/celery-deployment.yaml | 138 +++++++-----------
 apps/rfi/base/kustomization.yaml | 1 +
 apps/rfi/base/serviceaccount.yaml | 5 +
 apps/rfi/yc-k8s-test/postgresql.yaml | 21 ++-
 10 files changed, 171 insertions(+), 215 deletions(-)
 create mode 100644 apps/comparisons/base/serviceaccount.yaml
 create mode 100644 apps/rfi/base/serviceaccount.yaml

diff --git a/apps/comparisons/base/backend-deployment.yaml b/apps/comparisons/base/backend-deployment.yaml
index 302b75c..e935f33 100644
--- a/apps/comparisons/base/backend-deployment.yaml
+++ b/apps/comparisons/base/backend-deployment.yaml
@@ -15,7 +15,29 @@ spec: metadata: labels: app: backend + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: comparisons + vault.hashicorp.com/agent-inject-secret-comparisons-db: secrets/data/postgresql/apps/comparisons + vault.hashicorp.com/agent-inject-template-comparisons-db: |- + {{- with secret "secrets/data/postgresql/apps/comparisons" -}} + POSTGRES_ADDRESS=postgresql.comparisons.svc.cluster.local + POSTGRES_PORT=5432 + POSTGRES_DB=comparisons_db + POSTGRES_USER={{ index .Data.data "username" }} + POSTGRES_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-comparisons-jwt-public: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-comparisons-jwt-public: |- + {{- with secret "secrets/data/vault/common/rsa_keys" -}} + {{ index .Data.data "public_key" }} + {{- end -}} spec: + serviceAccountName: comparisons-vault volumes: - name: tasks-execution-config configMap: @@ -27,6 +49,14 @@ spec: - name: backend image: cr.yandex/crp3ccidau046kdj8g9q/comparisons:prod_863df9f0 imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/comparisons-db ] && . /vault/secrets/comparisons-db + [ -f /vault/secrets/comparisons-jwt-public ] && export AUTH_PUBLIC_KEY="$(cat /vault/secrets/comparisons-jwt-public)" + set +a + exec /app/entrypoint.sh ports: - name: http containerPort: 8000 
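Review bot: The rendered secret files are sourced by `sh` in the container command, but the template writes `POSTGRES_PASSWORD={{ index .Data.data "password" }}` unquoted, so a password containing a space, `$`, a backquote or a quote is word-split or expanded when `. /vault/secrets/comparisons-db` runs. Single-quote the values in the template, e.g. `POSTGRES_PASSWORD='{{ index .Data.data "password" | replaceAll "'" "'\\''" }}'`, and apply the same to the rfi-db, rfi-s3, rfi-rabbitmq and rfi-django-auth templates in the rfi backend and celery hunks. Separately, the JWT public key is read from `secrets/data/vault/common/rsa_keys`; if that path also holds the private key, the `comparisons` Vault role must be granted read on the whole path and can therefore read the private key too, so consider publishing the public key under its own path. A comment on the annotations would also help: with `agent-pre-populate-only: "true"` there is no sidecar, so rotated credentials are only picked up on pod restart.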
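Review bot: The `[ -f /vault/secrets/comparisons-db ] && . /vault/secrets/comparisons-db` guard means a missing render is not an error under `set -e` (a failing left side of an `&&` list is exempt), so the container goes on to `exec /app/entrypoint.sh` with no database credentials and fails later, further from the cause. If the files are always expected (the injector runs as an init container per `agent-init-first: "true"`), drop the guards and source directly, `. /vault/secrets/comparisons-db`, which aborts the script when the file is absent; if the guard is intentional for runs without the injector, add a comment saying so and print a warning in the else branch. The same pattern appears in the rfi backend and celery commands.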
@@ -70,36 +100,6 @@ spec: value: "0" - name: WORKFLOWS_CONFIG_FILEPATH value: /etc/app/tasks-execution-config.json - - name: POSTGRES_ADDRESS - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: host - - name: POSTGRES_PORT - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: port - - name: POSTGRES_DB - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: database - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: username - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: password - - name: AUTH_PUBLIC_KEY - valueFrom: - secretKeyRef: - name: auth-public-key - key: public_key resources: requests: cpu: 100m diff --git a/apps/comparisons/base/kustomization.yaml b/apps/comparisons/base/kustomization.yaml index abc95ab..0ab9d12 100644 --- a/apps/comparisons/base/kustomization.yaml +++ b/apps/comparisons/base/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: comparisons resources: - namespace.yaml + - serviceaccount.yaml - backend-deployment.yaml - backend-service.yaml - frontend-deployment.yaml diff --git a/apps/comparisons/base/serviceaccount.yaml b/apps/comparisons/base/serviceaccount.yaml new file mode 100644 index 0000000..0a78f2c --- /dev/null +++ b/apps/comparisons/base/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: comparisons-vault + namespace: comparisons diff --git a/apps/comparisons/yc-k8s-test/kustomization.yaml b/apps/comparisons/yc-k8s-test/kustomization.yaml index 79e4c45..050d882 100644 --- a/apps/comparisons/yc-k8s-test/kustomization.yaml +++ b/apps/comparisons/yc-k8s-test/kustomization.yaml @@ -8,4 +8,4 @@ patches: - path: replicas.yaml target: kind: Deployment - name: comparisons + name: backend diff --git a/apps/comparisons/yc-k8s-test/postgresql.yaml b/apps/comparisons/yc-k8s-test/postgresql.yaml index 163ed2f..8fad84a 100644 --- a/apps/comparisons/yc-k8s-test/postgresql.yaml 
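Review bot: The new `comparisons-vault` ServiceAccount carries no comment tying it to the Vault side of the setup, and its only consumer (`vault.hashicorp.com/role: comparisons` via `auth/kubernetes`) is not visible from this file. Add `# Identity used by the Vault agent injector; must match the kubernetes-auth role "comparisons" bound to this SA and namespace` above `metadata:`. Keep that role's service-account and namespace bindings restricted to this SA and `comparisons` rather than a wildcard, since any pod that can run as this SA can read every path the role's policy grants. The same applies to `rfi-vault` in apps/rfi/base/serviceaccount.yaml.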
+++ b/apps/comparisons/yc-k8s-test/postgresql.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: postgresql-contour - version: "17.0.2" + version: "17.0.7" sourceRef: kind: HelmRepository name: yc-oci-charts @@ -44,7 +44,7 @@ spec: image: registry: cr.yandex/crp3ccidau046kdj8g9q repository: contour/postgresql - tag: 17.0.2 + tag: 17.0.7 pullPolicy: Always metrics: enabled: false @@ -61,7 +61,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 @@ -72,7 +72,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 @@ -83,7 +83,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 @@ -101,13 +101,20 @@ spec: effect: NoSchedule contour: enabled: true - adminUser: "" - adminPasswordSecretKey: "" + adminUser: "postgres" sharedPreloadLibraries: "pg_stat_statements,uuid-ossp" + vault: + enabled: true + role: postgresql + authPath: auth/kubernetes + secretPath: secrets/data/postgresql/admin + secretKey: postgres-password + usersSecretPath: secrets/data/postgresql/users databases: - name: comparisons_db user: comparisons + passwordKey: comparisons extensions: [] restoreFromDump: false s3-proxy: - endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local" \ No newline at end of file + endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local" diff --git a/apps/rfi/base/backend-deployment.yaml b/apps/rfi/base/backend-deployment.yaml index 94d81f9..b6921fb 100644 --- a/apps/rfi/base/backend-deployment.yaml +++ b/apps/rfi/base/backend-deployment.yaml 
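Review bot: The chart is told to manage the app user's password from `secrets/data/postgresql/users` (key `comparisons` via `passwordKey`), while the backend's injector template reads `secrets/data/postgresql/apps/comparisons` (keys `username`/`password`); nothing in this commit shows what keeps the two paths in sync, so if the chart seeds or rotates the password only at `usersSecretPath`, the application will authenticate with a stale value. Confirm which side owns the password and point both at the same path, or add a comment above `vault:` naming the job that copies it. Both database instances also share `role: postgresql` and the admin secret `secrets/data/postgresql/admin` / `postgres-password` (this hunk and the matching one in apps/rfi/yc-k8s-test/postgresql.yaml), so a leak of one instance's superuser password is a leak of both; per-instance admin secrets and roles would narrow that. The admin password previously came from `adminPasswordSecretKey`, which is removed here, so confirm that chart 17.0.7 reads it from `secretKey` when `vault.enabled` is true.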
@@ -17,11 +17,61 @@ spec: labels: app: rfi-backend-api service: api + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: rfi + vault.hashicorp.com/agent-inject-secret-rfi-db: secrets/data/postgresql/apps/rfi + vault.hashicorp.com/agent-inject-template-rfi-db: |- + {{- with secret "secrets/data/postgresql/apps/rfi" -}} + DB_HOST=postgresql.rfi.svc.cluster.local + DB_PORT=5432 + DB_NAME=rfi_db + DB_USER={{ index .Data.data "username" }} + DB_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-rfi-s3: secrets/data/minio/apps/rfi + vault.hashicorp.com/agent-inject-template-rfi-s3: |- + {{- with secret "secrets/data/minio/apps/rfi" -}} + YC_S3_ENDPOINT_URL={{ index .Data.data.client "endpoint" }} + YC_S3_BUCKET_NAME=rfi + YC_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }} + YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-rfi-rabbitmq: secrets/data/rabbitmq/apps/rfi + vault.hashicorp.com/agent-inject-template-rfi-rabbitmq: |- + {{- with secret "secrets/data/rabbitmq/apps/rfi" -}} + RABBITMQ_VHOST={{ index .Data.data "vhost" }} + RABBITMQ_USERNAME={{ index .Data.data "username" }} + RABBITMQ_PASSWORD={{ index .Data.data "password" }} + RABBITMQ_PORT=5672 + RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local + {{- end -}} + vault.hashicorp.com/agent-inject-secret-rfi-django-auth: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-rfi-django-auth: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + DJANGO_SECRET_KEY={{ index .Data.data "key" }} + SAREX_BACKEND_AUTH={{ index .Data.data "key" }} + {{- end -}} spec: + serviceAccountName: rfi-vault containers: - name: api image: 
cr.yandex/crp3ccidau046kdj8g9q/rfi-backend:production_d1e2e80d imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/rfi-db ] && . /vault/secrets/rfi-db + [ -f /vault/secrets/rfi-s3 ] && . /vault/secrets/rfi-s3 + [ -f /vault/secrets/rfi-rabbitmq ] && . /vault/secrets/rfi-rabbitmq + [ -f /vault/secrets/rfi-django-auth ] && . /vault/secrets/rfi-django-auth + set +a + exec ./entrypoint.sh ports: - name: http containerPort: 8000 
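Review bot: `DJANGO_SECRET_KEY` and `SAREX_BACKEND_AUTH` are now rendered from the same value, `{{ index .Data.data "key" }}` of `secrets/data/vault/common/django_auth`, whereas the removed env block took them from two different keys (`django_secret_key` and `token` of `django-secret`). Django's SECRET_KEY signs sessions, CSRF and password-reset tokens, so handing it to every service that presents `SAREX_BACKEND_AUTH` lets any of them forge those; keep the two values separate, e.g. `SAREX_BACKEND_AUTH={{ index .Data.data "token" }}` with a distinct entry in that secret (`token` here is a placeholder for whatever key name is stored). The same template is repeated in the celery hunk and needs the same change. If unifying the value was deliberate, a comment on the template explaining why would help the next reader, since the diff reads as an accidental merge.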
@@ -41,86 +91,6 @@ spec: value: http://eav-service.eav.svc.cluster.local:8000 - name: GATEWAY_URL value: http://pdm-api.documentations.svc.cluster.local:8080 - - name: DJANGO_SECRET_KEY - valueFrom: - secretKeyRef: - name: django-secret - key: django_secret_key - - name: DB_HOST - valueFrom: - secretKeyRef: - name: postgresql-secret - key: hostname - - name: DB_PORT - valueFrom: - secretKeyRef: - name: postgresql-secret - key: port - - name: DB_NAME - valueFrom: - secretKeyRef: - name: postgresql-secret - key: database - - name: DB_USER - valueFrom: - secretKeyRef: - name: postgresql-secret - key: username - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: postgresql-secret - key: password - - name: SAREX_BACKEND_AUTH - valueFrom: - secretKeyRef: - name: django-secret - key: token - - name: YC_S3_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: s3-secret - key: username - - name: YC_S3_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: s3-secret - key: password - - name: YC_S3_BUCKET_NAME - valueFrom: - secretKeyRef: - name: s3-secret - key: bucket - - name: YC_S3_ENDPOINT_URL - valueFrom: - secretKeyRef: - name: s3-secret - key: hostname - - name: RABBITMQ_VHOST - valueFrom: - secretKeyRef: - name: rabbitmq-secret - key: vhost - - name: RABBITMQ_USERNAME - valueFrom: - secretKeyRef: - name: rabbitmq-secret - key: username - - name: RABBITMQ_PASSWORD - valueFrom: - secretKeyRef: - name: rabbitmq-secret - key: password - - name: RABBITMQ_PORT - valueFrom: - secretKeyRef: - name: rabbitmq-secret - key: port - - name: RABBITMQ_HOST - valueFrom: - secretKeyRef: - name: rabbitmq-secret - key: hostname resources: requests: cpu: "1" diff --git a/apps/rfi/base/celery-deployment.yaml b/apps/rfi/base/celery-deployment.yaml index 9231b9f..580206d 100644 --- a/apps/rfi/base/celery-deployment.yaml +++ b/apps/rfi/base/celery-deployment.yaml 
@@ -17,21 +17,61 @@ spec: labels: app: celery service: celery + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: rfi + vault.hashicorp.com/agent-inject-secret-rfi-db: secrets/data/postgresql/apps/rfi + vault.hashicorp.com/agent-inject-template-rfi-db: |- + {{- with secret "secrets/data/postgresql/apps/rfi" -}} + DB_HOST=postgresql.rfi.svc.cluster.local + DB_PORT=5432 + DB_NAME=rfi_db + DB_USER={{ index .Data.data "username" }} + DB_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-rfi-s3: secrets/data/minio/apps/rfi + vault.hashicorp.com/agent-inject-template-rfi-s3: |- + {{- with secret "secrets/data/minio/apps/rfi" -}} + YC_S3_ENDPOINT_URL={{ index .Data.data.client "endpoint" }} + YC_S3_BUCKET_NAME=rfi + YC_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }} + YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-rfi-rabbitmq: secrets/data/rabbitmq/apps/rfi + vault.hashicorp.com/agent-inject-template-rfi-rabbitmq: |- + {{- with secret "secrets/data/rabbitmq/apps/rfi" -}} + RABBITMQ_VHOST={{ index .Data.data "vhost" }} + RABBITMQ_USERNAME={{ index .Data.data "username" }} + RABBITMQ_PASSWORD={{ index .Data.data "password" }} + RABBITMQ_PORT=5672 + RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local + {{- end -}} + vault.hashicorp.com/agent-inject-secret-rfi-django-auth: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-rfi-django-auth: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + DJANGO_SECRET_KEY={{ index .Data.data "key" }} + SAREX_BACKEND_AUTH={{ index .Data.data "key" }} + {{- end -}} spec: + serviceAccountName: rfi-vault containers: - name: celery image: 
cr.yandex/crp3ccidau046kdj8g9q/rfi-backend:dev4 imagePullPolicy: IfNotPresent - command: - - uv + command: ["/bin/sh", "-ec"] args: - - run - - celery - - -A - - config - - worker - - -l - - info + - | + set -a + [ -f /vault/secrets/rfi-db ] && . /vault/secrets/rfi-db + [ -f /vault/secrets/rfi-s3 ] && . /vault/secrets/rfi-s3 + [ -f /vault/secrets/rfi-rabbitmq ] && . /vault/secrets/rfi-rabbitmq + [ -f /vault/secrets/rfi-django-auth ] && . /vault/secrets/rfi-django-auth + set +a + exec uv run celery -A config worker -l info ports: - name: http containerPort: 8000 
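Review bot: The vault annotation block and the sourcing preamble are copied verbatim from apps/rfi/base/backend-deployment.yaml, so the two will drift the first time one of them is edited (the shared Django/auth key value is already a change that must land in both). A kustomize patch applied to both Deployments, or a shared component, would keep a single copy; at minimum add `# Keep in sync with backend-deployment.yaml` above `annotations:`. The container spec this hunk touches continues past the hunk.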
@@ -51,86 +91,6 @@ spec: value: http://eav-service.eav.svc.cluster.local:8000 - name: GATEWAY_URL value: http://pdm-api.documentations.svc.cluster.local:8080 - - name: DJANGO_SECRET_KEY - valueFrom: - secretKeyRef: - name: django-secret - key: django_secret_key - - name: DB_HOST - valueFrom: - secretKeyRef: - name: postgresql-secret - key: hostname - - name: DB_PORT - valueFrom: - secretKeyRef: - name: postgresql-secret - key: port - - name: DB_NAME - valueFrom: - secretKeyRef: - name: postgresql-secret - key: database - - name: DB_USER - valueFrom: - secretKeyRef: - name: postgresql-secret - key: username - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: postgresql-secret - key: password - - name: SAREX_BACKEND_AUTH - valueFrom: - secretKeyRef: - name: django-secret - key: token - - name: YC_S3_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: s3-secret - key: username - - name: YC_S3_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: s3-secret - key: password - - name: YC_S3_BUCKET_NAME - valueFrom: - secretKeyRef: - name: s3-secret - key: bucket - - name: YC_S3_ENDPOINT_URL - valueFrom: - secretKeyRef: - name: s3-secret - key: hostname - - name: RABBITMQ_VHOST - valueFrom: - secretKeyRef: - name: rabbitmq-secret - key: vhost - - name: RABBITMQ_USERNAME - valueFrom: - secretKeyRef: - name: rabbitmq-secret - key: username - - name: RABBITMQ_PASSWORD - valueFrom: - secretKeyRef: - name: rabbitmq-secret - key: password - - name: RABBITMQ_PORT - valueFrom: - secretKeyRef: - name: rabbitmq-secret - key: port - - name: RABBITMQ_HOST - valueFrom: - secretKeyRef: - name: rabbitmq-secret - key: hostname resources: requests: cpu: "1" diff --git a/apps/rfi/base/kustomization.yaml b/apps/rfi/base/kustomization.yaml index fdeeb4e..5da1ac4 100644 --- a/apps/rfi/base/kustomization.yaml +++ b/apps/rfi/base/kustomization.yaml 
@@ -4,6 +4,7 @@ kind: Kustomization namespace: rfi resources: - namespace.yaml + - serviceaccount.yaml - backend-deployment.yaml - celery-deployment.yaml - frontend-deployment.yaml diff --git a/apps/rfi/base/serviceaccount.yaml b/apps/rfi/base/serviceaccount.yaml new file mode 100644 index 0000000..f598354 --- /dev/null +++ b/apps/rfi/base/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rfi-vault + namespace: rfi diff --git a/apps/rfi/yc-k8s-test/postgresql.yaml b/apps/rfi/yc-k8s-test/postgresql.yaml index 6e52a7b..19a555d 100644 --- a/apps/rfi/yc-k8s-test/postgresql.yaml +++ b/apps/rfi/yc-k8s-test/postgresql.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: postgresql-contour - version: "17.0.2" + version: "17.0.7" sourceRef: kind: HelmRepository name: yc-oci-charts @@ -44,7 +44,7 @@ spec: image: registry: cr.yandex/crp3ccidau046kdj8g9q repository: contour/postgresql - tag: 17.0.2 + tag: 17.0.7 pullPolicy: Always metrics: enabled: false @@ -61,7 +61,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 @@ -72,7 +72,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 @@ -83,7 +83,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 
@@ -98,12 +98,19 @@ spec: effect: NoSchedule contour: enabled: true - adminUser: "" - adminPasswordSecretKey: "" + adminUser: "postgres" sharedPreloadLibraries: "pg_stat_statements" + vault: + enabled: true + role: postgresql + authPath: auth/kubernetes + secretPath: secrets/data/postgresql/admin + secretKey: postgres-password + usersSecretPath: secrets/data/postgresql/users databases: - name: rfi_db user: rfi + passwordKey: rfi extensions: [] restoreFromDump: false s3-proxy: