sarex/iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

issues + flows vault

Browse Source
This commit is contained in:
Kochetkov S 2026-04-22 17:28:37 +03:00
parent d42884a8a4
commit 26550c547b
11 changed files with 283 additions and 393 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

144
apps/flows/base/backend-deployment.yaml
View File

@ -17,26 +17,68 @@ spec:
labels:
app: backend
service: backend
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: flows
vault.hashicorp.com/agent-inject-secret-flows-postgresql: secrets/data/postgresql/apps/flows
vault.hashicorp.com/agent-inject-template-flows-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/flows" -}}
PG_DB=flows_db
PG_LOGIN={{ index .Data.data "username" }}
PG_HOST=postgresql.flows.svc.cluster.local
PG_PORT=5432
PG_PASSWORD={{ index .Data.data "password" }}
DOCUMENTATION_PG_HOST=postgresql.flows.svc.cluster.local
DOCUMENTATION_PG_PORT=5432
DOCUMENTATION_PG_DATABASE=flows_db
DOCUMENTATION_PG_USERNAME={{ index .Data.data "username" }}
DOCUMENTATION_PG_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-flows-rabbitmq: secrets/data/rabbitmq/apps/flows
vault.hashicorp.com/agent-inject-template-flows-rabbitmq: |-
{{- with secret "secrets/data/rabbitmq/apps/flows" -}}
RABBITMQ_USERNAME={{ index .Data.data "username" }}
RABBITMQ_PASSWORD={{ index .Data.data "password" }}
RABBITMQ_VHOST={{ index .Data.data "vhost" }}
RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
RABBITMQ_PORT=5672
ADMIN_PANEL_SECRET_KEY=rabbitmq.rabbitmq:5672
{{- end -}}
vault.hashicorp.com/agent-inject-secret-flows-django-auth: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-flows-django-auth: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
DJANGO_TOKEN={{ index .Data.data "key" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-flows-jwt-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-flows-jwt-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec:
serviceAccountName: flows-vault
containers:
- name: backend
image: cr.yandex/crp3ccidau046kdj8g9q/flows-backend:production_2a439111
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/flows-postgresql ] && . /vault/secrets/flows-postgresql
[ -f /vault/secrets/flows-rabbitmq ] && . /vault/secrets/flows-rabbitmq
[ -f /vault/secrets/flows-django-auth ] && . /vault/secrets/flows-django-auth
[ -f /vault/secrets/flows-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/flows-jwt-public)"
set +a
exec /opt/entrypoint.sh
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: ADMIN_PANEL_SECRET_KEY
valueFrom:
secretKeyRef:
key: key
name: admin-secret
- name: JWT_PUBLIC_KEY
valueFrom:
secretKeyRef:
key: public_key
name: jwt-secret
- name: LOG_LEVEL
value: DEBUG
- name: BASE_HOST
@ -73,32 +115,6 @@ spec:
value: https://srx.wb.ru/flows/api/v1
- name: SMTP_HOST
value: mail.rwb.ru
- name: DOCUMENTATION_PG_HOST
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret-documentations
- name: DOCUMENTATION_PG_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret-documentations
- name: DOCUMENTATION_PG_DATABASE
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret-documentations
- name: DOCUMENTATION_PG_USERNAME
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret-documentations
- name: DOCUMENTATION_PG_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret-documentations
- name: CHECKLIST_HOST
value: http://checklists-backend-service.checklists.svc.cluster.local:80
- name: SMTP_PORT
@ -113,62 +129,6 @@ spec:
value: "60"
- name: DOCUMENTATION_TIMEOUT
value: "60"
- name: DJANGO_TOKEN
valueFrom:
secretKeyRef:
key: token
name: django-secret
- name: PG_DB
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: PG_LOGIN
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: PG_HOST
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: PG_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: PG_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: RABBITMQ_USERNAME
valueFrom:
secretKeyRef:
key: username
name: rabbitmq-secret
- name: RABBITMQ_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: rabbitmq-secret
- name: RABBITMQ_VHOST
valueFrom:
secretKeyRef:
key: vhost
name: rabbitmq-secret
- name: RABBITMQ_HOST
valueFrom:
secretKeyRef:
key: hostname
name: rabbitmq-secret
- name: RABBITMQ_PORT
valueFrom:
secretKeyRef:
key: port
name: rabbitmq-secret
resources:
requests:
cpu: "1"

150
apps/flows/base/celery-deployment.yaml
View File

@ -17,36 +17,68 @@ spec:
labels:
app: celery
service: celery
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: flows
vault.hashicorp.com/agent-inject-secret-flows-postgresql: secrets/data/postgresql/apps/flows
vault.hashicorp.com/agent-inject-template-flows-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/flows" -}}
PG_DB=flows_db
PG_LOGIN={{ index .Data.data "username" }}
PG_HOST=postgresql.flows.svc.cluster.local
PG_PORT=5432
PG_PASSWORD={{ index .Data.data "password" }}
DOCUMENTATION_PG_HOST=postgresql.flows.svc.cluster.local
DOCUMENTATION_PG_PORT=5432
DOCUMENTATION_PG_DATABASE=flows_db
DOCUMENTATION_PG_USERNAME={{ index .Data.data "username" }}
DOCUMENTATION_PG_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-flows-rabbitmq: secrets/data/rabbitmq/apps/flows
vault.hashicorp.com/agent-inject-template-flows-rabbitmq: |-
{{- with secret "secrets/data/rabbitmq/apps/flows" -}}
RABBITMQ_USERNAME={{ index .Data.data "username" }}
RABBITMQ_PASSWORD={{ index .Data.data "password" }}
RABBITMQ_VHOST={{ index .Data.data "vhost" }}
RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
RABBITMQ_PORT=5672
ADMIN_PANEL_SECRET_KEY=rabbitmq.rabbitmq:5672
{{- end -}}
vault.hashicorp.com/agent-inject-secret-flows-django-auth: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-flows-django-auth: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
DJANGO_TOKEN={{ index .Data.data "key" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-flows-jwt-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-flows-jwt-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec:
serviceAccountName: flows-vault
containers:
- name: celery
image: cr.yandex/crp3ccidau046kdj8g9q/flows-backend_worker:production_2a439111
imagePullPolicy: IfNotPresent
command:
- uv
command: ["/bin/sh", "-ec"]
args:
- run
- celery
- -A
- config
- worker
- -l
- info
- |
set -a
[ -f /vault/secrets/flows-postgresql ] && . /vault/secrets/flows-postgresql
[ -f /vault/secrets/flows-rabbitmq ] && . /vault/secrets/flows-rabbitmq
[ -f /vault/secrets/flows-django-auth ] && . /vault/secrets/flows-django-auth
[ -f /vault/secrets/flows-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/flows-jwt-public)"
set +a
exec uv run celery -A config worker -l info
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: ADMIN_PANEL_SECRET_KEY
valueFrom:
secretKeyRef:
key: key
name: admin-secret
- name: JWT_PUBLIC_KEY
valueFrom:
secretKeyRef:
key: public_key
name: jwt-secret
- name: LOG_LEVEL
value: DEBUG
- name: BASE_HOST
@ -83,31 +115,6 @@ spec:
value: https://srx.wb.ru/flows/api/v1
- name: SMTP_HOST
value: mail.rwb.ru
- name: DOCUMENTATION_PG_HOST
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret-documentations
- name: DOCUMENTATION_PG_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret-documentations
- name: DOCUMENTATION_PG_DATABASE
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret-documentations
- name: DOCUMENTATION_PG_USERNAME
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret-documentations
- name: DOCUMENTATION_PG_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret-documentations
- name: CHECKLIST_HOST
value: http://checklists-backend-service.checklists.svc.cluster.local:80
- name: SMTP_PORT
@ -122,61 +129,6 @@ spec:
value: "60"
- name: DOCUMENTATION_TIMEOUT
value: "60"
- name: DJANGO_TOKEN
valueFrom:
secretKeyRef:
key: token
name: django-secret
- name: PG_DB
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: PG_LOGIN
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: PG_HOST
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: PG_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: PG_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: RABBITMQ_USERNAME
valueFrom:
secretKeyRef:
key: username
name: rabbitmq-secret
- name: RABBITMQ_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: rabbitmq-secret
- name: RABBITMQ_VHOST
valueFrom:
secretKeyRef:
key: vhost
name: rabbitmq-secret
- name: RABBITMQ_HOST
valueFrom:
secretKeyRef:
key: hostname
name: rabbitmq-secret
- name: RABBITMQ_PORT
valueFrom:
secretKeyRef:
key: port
name: rabbitmq-secret
resources:
requests:
cpu: "1"

1
apps/flows/base/kustomization.yaml
View File

@ -4,6 +4,7 @@ kind: Kustomization
namespace: flows
resources:
- namespace.yaml
- serviceaccount.yaml
- backend-deployment.yaml
- celery-deployment.yaml
- frontend-deployment.yaml

5
apps/flows/base/serviceaccount.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: flows-vault
namespace: flows

26
apps/flows/yc-k8s-test/postgresql.yaml
View File

@ -9,7 +9,7 @@ spec:
chart:
spec:
chart: postgresql-contour
version: "17.0.2"
version: "17.0.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
@ -44,7 +44,7 @@ spec:
image:
registry: cr.yandex/crp3ccidau046kdj8g9q
repository: contour/postgresql
tag: 17.0.2
tag: 17.0.7
pullPolicy: Always
metrics:
enabled: false
@ -61,7 +61,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
@ -72,7 +72,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
@ -83,12 +83,15 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
resources:
requests:
memory: 512Mi
nodeSelector:
dedicated: db
tolerations:
@ -98,12 +101,19 @@ spec:
effect: NoSchedule
contour:
enabled: true
adminUser: ""
adminPasswordSecretKey: ""
sharedPreloadLibraries: "pg_stat_statements"
adminUser: "postgres"
sharedPreloadLibraries: "pg_stat_statements,uuid-ossp,ltree,postgis"
vault:
enabled: true
role: postgresql
authPath: auth/kubernetes
secretPath: secrets/data/postgresql/admin
secretKey: postgres-password
usersSecretPath: secrets/data/postgresql/users
databases:
- name: flows_db
user: flows
passwordKey: flow
extensions: []
restoreFromDump: false
s3-proxy:

154
apps/issues/base/backend-deployment.yaml
View File

@ -17,7 +17,57 @@ spec:
labels:
app: backend
service: backend
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: issues
vault.hashicorp.com/agent-inject-secret-issues-db: secrets/data/postgresql/apps/issues
vault.hashicorp.com/agent-inject-template-issues-db: |-
{{- with secret "secrets/data/postgresql/apps/issues" -}}
DATABASE_PORT=5432
DATABASE_HOST=postgresql.issues.svc.cluster.local
DATABASE_USER={{ index .Data.data "username" }}
DATABASE_PASSWORD={{ index .Data.data "password" }}
DATABASE_NAME=issues_db
{{- end -}}
vault.hashicorp.com/agent-inject-secret-issues-rabbitmq: secrets/data/rabbitmq/apps/issues
vault.hashicorp.com/agent-inject-template-issues-rabbitmq: |-
{{- with secret "secrets/data/rabbitmq/apps/issues" -}}
RABBITMQ_VHOST={{ index .Data.data "vhost" }}
RABBITMQ_USERNAME={{ index .Data.data "username" }}
RABBITMQ_HOSTNAME=rabbitmq.rabbitmq.svc.cluster.local
RABBITMQ_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-issues-s3: secrets/data/minio/admin
vault.hashicorp.com/agent-inject-template-issues-s3: |-
{{- with secret "secrets/data/minio/admin" -}}
YC_S3_ACCESS_KEY_ID={{ index .Data.data "rootUser" }}
YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "rootPassword" }}
YC_S3_BUCKET_NAME=rfi
YC_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech
{{- end -}}
vault.hashicorp.com/agent-inject-secret-issues-django-auth: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-issues-django-auth: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
DJANGO_TOKEN={{ index .Data.data "key" }}
SAREX_USERNAME={{ index .Data.data "username" }}
SAREX_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-issues-jwt-private: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-issues-jwt-private: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "private_key" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-issues-jwt-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-issues-jwt-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec:
serviceAccountName: issues-vault
volumes:
- name: production-configmap
configMap:
@ -30,6 +80,18 @@ spec:
- name: backend
image: cr.yandex/crp3ccidau046kdj8g9q/issues:production_17c438aa
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/issues-db ] && . /vault/secrets/issues-db
[ -f /vault/secrets/issues-rabbitmq ] && . /vault/secrets/issues-rabbitmq
[ -f /vault/secrets/issues-s3 ] && . /vault/secrets/issues-s3
[ -f /vault/secrets/issues-django-auth ] && . /vault/secrets/issues-django-auth
[ -f /vault/secrets/issues-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/issues-jwt-private)"
[ -f /vault/secrets/issues-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/issues-jwt-public)"
set +a
exec /src/entrypoint.sh
ports:
- name: http
containerPort: 8000
@ -61,98 +123,6 @@ spec:
value: config.settings.production
- name: API_ADDRESS
value: "8000"
- name: YC_S3_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
key: username
name: s3-secret
- name: YC_S3_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
key: password
name: s3-secret
- name: YC_S3_BUCKET_NAME
valueFrom:
secretKeyRef:
key: bucket
name: s3-secret
- name: YC_S3_ENDPOINT_URL
valueFrom:
secretKeyRef:
key: host
name: s3-secret
- name: DJANGO_BASIC_AUTH
valueFrom:
secretKeyRef:
key: key
name: django-auth
- name: SAREX_USERNAME
valueFrom:
secretKeyRef:
key: username
name: sarex-auth
- name: SAREX_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: sarex-auth
- name: DATABASE_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: DATABASE_HOST
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: DATABASE_USER
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: DATABASE_NAME
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: RABBITMQ_VHOST
valueFrom:
secretKeyRef:
key: vhost
name: rabbitmq-secret
- name: RABBITMQ_USERNAME
valueFrom:
secretKeyRef:
key: username
name: rabbitmq-secret
- name: RABBITMQ_HOSTNAME
valueFrom:
secretKeyRef:
key: host
name: rabbitmq-secret
- name: RABBITMQ_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: rabbitmq-secret
- name: JWT_PRIVATE_KEY
valueFrom:
secretKeyRef:
key: ssh_private.key
name: backend-secret
- name: JWT_PUBLIC_KEY
valueFrom:
secretKeyRef:
key: ssh_public.key
name: backend-secret
resources:
requests:
cpu: "1"

154
apps/issues/base/celery-deployment.yaml
View File

@ -17,7 +17,57 @@ spec:
labels:
app: celery
service: celery
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: issues
vault.hashicorp.com/agent-inject-secret-issues-db: secrets/data/postgresql/apps/issues
vault.hashicorp.com/agent-inject-template-issues-db: |-
{{- with secret "secrets/data/postgresql/apps/issues" -}}
DATABASE_PORT=5432
DATABASE_HOST=postgresql.issues.svc.cluster.local
DATABASE_USER={{ index .Data.data "username" }}
DATABASE_PASSWORD={{ index .Data.data "password" }}
DATABASE_NAME=issues_db
{{- end -}}
vault.hashicorp.com/agent-inject-secret-issues-rabbitmq: secrets/data/rabbitmq/apps/issues
vault.hashicorp.com/agent-inject-template-issues-rabbitmq: |-
{{- with secret "secrets/data/rabbitmq/apps/issues" -}}
RABBITMQ_VHOST={{ index .Data.data "vhost" }}
RABBITMQ_USERNAME={{ index .Data.data "username" }}
RABBITMQ_HOSTNAME=rabbitmq.rabbitmq.svc.cluster.local
RABBITMQ_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-issues-s3: secrets/data/minio/admin
vault.hashicorp.com/agent-inject-template-issues-s3: |-
{{- with secret "secrets/data/minio/admin" -}}
YC_S3_ACCESS_KEY_ID={{ index .Data.data "rootUser" }}
YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "rootPassword" }}
YC_S3_BUCKET_NAME=rfi
YC_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech
{{- end -}}
vault.hashicorp.com/agent-inject-secret-issues-django-auth: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-issues-django-auth: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
DJANGO_TOKEN={{ index .Data.data "key" }}
SAREX_USERNAME={{ index .Data.data "username" }}
SAREX_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-issues-jwt-private: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-issues-jwt-private: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "private_key" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-issues-jwt-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-issues-jwt-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec:
serviceAccountName: issues-vault
volumes:
- name: production-configmap
configMap:
@ -30,8 +80,18 @@ spec:
- name: celery
image: cr.yandex/crp3ccidau046kdj8g9q/issues:production_17c438aa
imagePullPolicy: IfNotPresent
command: ["celery", "-A", "config", "worker", "-l", "info", "-E"]
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/issues-db ] && . /vault/secrets/issues-db
[ -f /vault/secrets/issues-rabbitmq ] && . /vault/secrets/issues-rabbitmq
[ -f /vault/secrets/issues-s3 ] && . /vault/secrets/issues-s3
[ -f /vault/secrets/issues-django-auth ] && . /vault/secrets/issues-django-auth
[ -f /vault/secrets/issues-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/issues-jwt-private)"
[ -f /vault/secrets/issues-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/issues-jwt-public)"
set +a
exec celery -A config worker -l info -E
ports:
- name: http
containerPort: 8000
@ -63,96 +123,6 @@ spec:
value: config.settings.production
- name: API_ADDRESS
value: "8000"
- name: YC_S3_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
key: username
name: s3-secret
- name: YC_S3_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
key: password
name: s3-secret
- name: YC_S3_BUCKET_NAME
valueFrom:
secretKeyRef:
key: bucket
name: s3-secret
- name: YC_S3_ENDPOINT_URL
valueFrom:
secretKeyRef:
key: host
name: s3-secret
- name: DJANGO_BASIC_AUTH
valueFrom:
secretKeyRef:
key: key
name: django-auth
- name: SAREX_USERNAME
valueFrom:
secretKeyRef:
key: username
name: sarex-auth
- name: SAREX_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: sarex-auth
- name: DATABASE_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: DATABASE_HOST
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: DATABASE_USER
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: DATABASE_NAME
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: RABBITMQ_VHOST
valueFrom:
secretKeyRef:
key: vhost
name: rabbitmq-secret
- name: RABBITMQ_USERNAME
valueFrom:
secretKeyRef:
key: username
name: rabbitmq-secret
- name: RABBITMQ_HOSTNAME
valueFrom:
secretKeyRef:
key: host
name: rabbitmq-secret
- name: RABBITMQ_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: rabbitmq-secret
- name: JWT_PRIVATE_KEY
valueFrom:
secretKeyRef:
key: ssh_private.key
name: backend-secret
- name: JWT_PUBLIC_KEY
valueFrom:
secretKeyRef:
key: ssh_public.key
name: backend-secret
resources:
requests:
cpu: "1"

1
apps/issues/base/kustomization.yaml
View File

@ -4,6 +4,7 @@ kind: Kustomization
namespace: issues
resources:
- namespace.yaml
- serviceaccount.yaml
- backend-deployment.yaml
- celery-deployment.yaml
- frontend-deployment.yaml

2
apps/issues/base/production-configmap.yaml
View File

@ -21,7 +21,7 @@ data:
SECRET_KEY = "FromToMuchLoveOfLiving" # Delete after Test
# -----------------------------------------------------------------------------
DJANGO_TOKEN="aGFnZW4wMTM6emVhbG90MDk2"
DJANGO_TOKEN = os.getenv("DJANGO_TOKEN", "aGFnZW4wMTM6emVhbG90MDk2")
# ALLOWED HOSTS START
# -----------------------------------------------------------------------------

5
apps/issues/base/serviceaccount.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: issues-vault
namespace: issues

34
apps/issues/yc-k8s-test/postgresql.yaml
View File

@ -9,7 +9,7 @@ spec:
chart:
spec:
chart: postgresql-contour
version: "17.0.2"
version: "17.0.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
@ -44,7 +44,7 @@ spec:
image:
registry: cr.yandex/crp3ccidau046kdj8g9q
repository: contour/postgresql
tag: 17.0.2
tag: 17.0.7
pullPolicy: Always
metrics:
enabled: false
@ -61,7 +61,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
@ -72,7 +72,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
@ -83,12 +83,15 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
resources:
requests:
memory: 512Mi
nodeSelector:
dedicated: db
tolerations:
@ -98,13 +101,26 @@ spec:
effect: NoSchedule
contour:
enabled: true
adminUser: ""
adminPasswordSecretKey: ""
sharedPreloadLibraries: "pg_stat_statements"
adminUser: "postgres"
sharedPreloadLibraries: "pg_stat_statements,uuid-ossp,ltree,postgis"
vault:
enabled: true
role: postgresql
authPath: auth/kubernetes
secretPath: secrets/data/postgresql/admin
secretKey: postgres-password
usersSecretPath: secrets/data/postgresql/users
databases:
- name: issues_db
user: issues
extensions: []
passwordKey: issues
extensions:
- ltree
- pg_stat_statements
- pg_trgm
- postgis
- timescaledb
- uuid-ossp
restoreFromDump: false
s3-proxy:
endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"