diff --git a/apps/checklists/base/backend-deployment.yaml b/apps/checklists/base/backend-deployment.yaml
index 44d91b7..b8fecc2 100644
--- a/apps/checklists/base/backend-deployment.yaml
+++ b/apps/checklists/base/backend-deployment.yaml
@@ -17,11 +17,41 @@ spec:
 labels:
 app: checklists-backend
 service: checklists-backend
+ annotations:
+ traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+ vault.hashicorp.com/agent-init-first: "true"
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/auth-path: auth/kubernetes
+ vault.hashicorp.com/role: checklists
+ vault.hashicorp.com/agent-inject-secret-checklists-db: secrets/data/postgresql/apps/checklists
+ vault.hashicorp.com/agent-inject-template-checklists-db: |-
+ {{- with secret "secrets/data/postgresql/apps/checklists" -}}
+ DATABASE_HOST=postgresql.checklists.svc.cluster.local
+ DATABASE_PORT=5432
+ DATABASE_NAME=checklists_db
+ DATABASE_USER={{ index .Data.data "username" }}
+ DATABASE_PASSWORD={{ index .Data.data "password" }}
+ {{- end -}}
+ vault.hashicorp.com/agent-inject-secret-checklists-jwt-public: secrets/data/vault/common/rsa_keys
+ vault.hashicorp.com/agent-inject-template-checklists-jwt-public: |-
+ {{- with secret "secrets/data/vault/common/rsa_keys" -}}
+ {{ index .Data.data "public_key" }}
+ {{- end -}}
 spec:
+ serviceAccountName: checklists-vault
 containers:
 - name: api
 image: cr.yandex/crp3ccidau046kdj8g9q/checklists-backend:production_68f242cd
 imagePullPolicy: IfNotPresent
+ command: ["/bin/bash", "-ec"]
+ args:
+ - |
+ set -a
+ [ -f /vault/secrets/checklists-db ] && . /vault/secrets/checklists-db
+ [ -f /vault/secrets/checklists-jwt-public ] && export JWT_AUTH_PUBLIC_KEY="$(cat /vault/secrets/checklists-jwt-public)"
+ set +a
+ exec ./entrypoint.sh
 ports:
 - name: http
 containerPort: 8000
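Review bot: The two `[ -f … ] && …` guards in the added `args` script let the container start with no database credentials and no JWT key when the Vault agent did not render the files, so a secret-delivery failure shows up later as an application error instead of a failed pod start; with `agent-init-first` and `agent-pre-populate-only` both set the files are expected to exist, so source them unconditionally and let `bash -e` abort: `. /vault/secrets/checklists-db` and `export JWT_AUTH_PUBLIC_KEY="$(cat /vault/secrets/checklists-jwt-public)"`. The rendered env file is sourced as shell, but `DATABASE_PASSWORD={{ index .Data.data "password" }}` is written unquoted, so a password containing whitespace, `#`, `$` or quote characters is truncated or misparsed at startup; single-quoting the value in the template, `DATABASE_PASSWORD='{{ index .Data.data "password" }}'`, covers everything except a literal `'`, which the secret should then avoid. `agent-pre-populate-only` renders the secrets once by the init container, so a rotation in Vault takes effect only on a pod restart — worth a comment above the annotation block so operators do not expect live reload. The container spec continues outside the hunk.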
@@ -41,36 +71,6 @@ spec:
 value: "true"
 - name: DEBUG
 value: "false"
- - name: DATABASE_USER
- valueFrom:
- secretKeyRef:
- key: username
- name: postgresql-secret
- - name: DATABASE_PASSWORD
- valueFrom:
- secretKeyRef:
- key: password
- name: postgresql-secret
- - name: DATABASE_NAME
- valueFrom:
- secretKeyRef:
- key: database
- name: postgresql-secret
- - name: DATABASE_PORT
- valueFrom:
- secretKeyRef:
- key: port
- name: postgresql-secret
- - name: DATABASE_HOST
- valueFrom:
- secretKeyRef:
- key: hostname
- name: postgresql-secret
- - name: JWT_AUTH_PUBLIC_KEY
- valueFrom:
- secretKeyRef:
- key: public-key
- name: jwt-secret
 resources:
 requests:
diff --git a/apps/checklists/base/kustomization.yaml b/apps/checklists/base/kustomization.yaml
index d88ae04..c3f2f24 100644
--- a/apps/checklists/base/kustomization.yaml
+++ b/apps/checklists/base/kustomization.yaml
@@ -4,5 +4,6 @@ kind: Kustomization
 namespace: checklists
 resources:
 - namespace.yaml
+ - serviceaccount.yaml
 - backend-deployment.yaml
 - backend-service.yaml
diff --git a/apps/checklists/base/serviceaccount.yaml b/apps/checklists/base/serviceaccount.yaml
new file mode 100644
index 0000000..b9b74e1
--- /dev/null
+++ b/apps/checklists/base/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: checklists-vault
+ namespace: checklists
diff --git a/apps/checklists/yc-k8s-test/postgresql.yaml b/apps/checklists/yc-k8s-test/postgresql.yaml
index 2df906f..4fa5e36 100644
--- a/apps/checklists/yc-k8s-test/postgresql.yaml
+++ b/apps/checklists/yc-k8s-test/postgresql.yaml
@@ -2,14 +2,14 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
 name: postgresql
- namespace: checklists
+ namespace: checklists
 spec:
 interval: 5m
 timeout: 2h
 chart:
 spec:
 chart: postgresql-contour
- version: "17.0.2"
+ version: "17.0.7"
 sourceRef:
 kind: HelmRepository
 name: yc-oci-charts
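Review bot: The new `serviceaccount.yaml` carries no comment saying what the account is for, and its name is the only link to the `vault.hashicorp.com/role: checklists` annotation on the backend deployment; the Vault side binds its Kubernetes auth role to this exact account and namespace, so a rename here silently stops secret injection rather than failing at apply time. A comment above `metadata` such as `# Identity used by the Vault agent injector for auth/kubernetes login; bound to Vault role "checklists"` would make that coupling visible to the next editor. The agent init container presumably logs in with this account's automounted token, so `automountServiceAccountToken` should stay at its default unless a projected token volume is added alongside — confirm against the injector configuration.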
@@ -44,7 +44,7 @@ spec:
 image:
 registry: cr.yandex/crp3ccidau046kdj8g9q
 repository: contour/postgresql
- tag: 17.0.2
+ tag: 17.0.7
 pullPolicy: Always
 metrics:
 enabled: false
@@ -61,7 +61,7 @@ spec:
 command:
 - /bin/sh
 - -c
- - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+ - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
 initialDelaySeconds: 30
 periodSeconds: 10
 timeoutSeconds: 5
@@ -72,7 +72,7 @@ spec:
 command:
 - /bin/sh
 - -c
- - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+ - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
 initialDelaySeconds: 5
 periodSeconds: 10
 timeoutSeconds: 5
@@ -83,7 +83,7 @@ spec:
 command:
 - /bin/sh
 - -c
- - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+ - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
 initialDelaySeconds: 30
 periodSeconds: 10
 timeoutSeconds: 5
@@ -98,12 +98,19 @@ spec:
 effect: NoSchedule
 contour:
 enabled: true
- adminUser: ""
- adminPasswordSecretKey: ""
- sharedPreloadLibraries: "pg_stat_statements"
+ adminUser: "postgres"
+ sharedPreloadLibraries: "pg_stat_statements,uuid-ossp"
+ vault:
+ enabled: true
+ role: postgresql
+ authPath: auth/kubernetes
+ secretPath: secrets/data/postgresql/admin
+ secretKey: postgres-password
+ usersSecretPath: secrets/data/postgresql/users
 databases:
 - name: checklists_db
 user: checklists
+ passwordKey: checklists
 extensions: []
 restoreFromDump: false
 s3-proxy:
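Review bot: Adding `uuid-ossp` to `sharedPreloadLibraries` is harmless but does not make its functions available — it is a SQL extension that needs `CREATE EXTENSION "uuid-ossp"` inside `checklists_db`, and only `pg_stat_statements` actually requires preloading; the `extensions: []` entry on the `checklists_db` database two lines below is the likely place for it, if the chart takes extension names there (`extensions: ["uuid-ossp"]`), after which the preload entry can be dropped. The same credential is now sourced from two Vault paths: the chart provisions user `checklists` from `secrets/data/postgresql/users` via `passwordKey: checklists`, while the backend deployment reads `secrets/data/postgresql/apps/checklists`; if these are distinct KV entries a rotation must update both in step, so either point both sides at one path or record the pairing in a comment next to `usersSecretPath`. The three probe hunks switching to `-U "postgres"` are consistent with the new `adminUser: "postgres"`; `pg_isready` does not authenticate, so the user name there only affects what the server may log. `s3-proxy:` starts a section that continues outside the hunk.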