Merge branch 'master' of ssh://158-160-253-227.nip.io:2222/infra/iac

apps/checklists/base/backend-deployment.yaml

@@ -0,0 +1,80 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: checklists-backend
+  namespace: checklists
+  labels:
+    app: checklists-backend
+    service: api
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: checklists-backend
+  template:
+    metadata:
+      labels:
+        app: checklists-backend
+        service: checklists-backend
+    spec:
+      containers:
+        - name: api
+          image: cr.yandex/crp3ccidau046kdj8g9q/checklists-backend:production_68f242cd
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          env:
+            - name: HTTP_APP_HOST
+              value: 0.0.0.0
+            - name: HTTP_APP_PORT
+              value: "8000"
+            - name: HTTP_APP_ROOT_PATH
+              value: /checklists
+            - name: HTTP_APP_WORKERS
+              value: "8"
+            - name: HTTP_APP_ADMIN_ENABLE
+              value: "true"
+            - name: JWT_AUTH_ENABLE
+              value: "true"
+            - name: DEBUG
+              value: "false"
+            - name: DATABASE_USER
+              valueFrom:
+                secretKeyRef:
+                  key: username
+                  name: postgresql-secret
+            - name: DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: postgresql-secret
+            - name: DATABASE_NAME
+              valueFrom:
+                secretKeyRef:
+                  key: database
+                  name: postgresql-secret
+            - name: DATABASE_PORT
+              valueFrom:
+                secretKeyRef:
+                  key: port
+                  name: postgresql-secret
+            - name: DATABASE_HOST
+              valueFrom:
+                secretKeyRef:
+                  key: hostname
+                  name: postgresql-secret
+            - name: JWT_AUTH_PUBLIC_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: public-key
+                  name: jwt-secret
+
+          resources:
+            requests:
+              cpu: "1"
+              memory: 1Gi
+      imagePullSecrets:
+        - name: regcred

apps/checklists/base/backend-service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rfi-backend-api-svc
+  namespace: rfi
+spec:
+  type: ClusterIP
+  selector:
+    app: rfi-backend-api
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8000
+      protocol: TCP

apps/checklists/base/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: checklists
+resources:
+  - namespace.yaml
+  - backend-deployment.yaml 
+  - backend-service.yaml

apps/checklists/base/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: checklists
+  labels:
+    istio-injection: enabled

apps/checklists/yc-k8s-test/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../base
+  - postgresql.yaml
+patches: []

apps/checklists/yc-k8s-test/postgresql.yaml

@@ -0,0 +1,110 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: postgresql
+  namespace:  checklists
+spec:
+  interval: 5m
+  timeout: 2h
+  chart:
+    spec:
+      chart: postgresql-contour
+      version: "17.0.2"
+      sourceRef:
+        kind: HelmRepository
+        name: yc-oci-charts
+        namespace: flux-system
+
+  install:
+    timeout: 2h
+    remediation:
+      retries: 3
+
+  upgrade:
+    timeout: 2h
+    remediation:
+      retries: 3
+
+  values:
+    global:
+      security:
+        allowInsecureImages: true
+      defaultStorageClass: local-path
+      postgresql:
+        auth:
+          username: ""
+          database: ""
+          secretKeys:
+            userPasswordKey: "postgres-password"
+    auth:
+      username: ""
+      database: ""
+      secretKeys:
+        userPasswordKey: "postgres-password"
+    image:
+      registry: cr.yandex/crp3ccidau046kdj8g9q
+      repository: contour/postgresql
+      tag: 17.0.2
+      pullPolicy: Always
+    metrics:
+      enabled: false
+      prometheusRule:
+        enabled: false
+    primary:
+      containerSecurityContext:
+        readOnlyRootFilesystem: false
+      persistence:
+        storageClass: local-path
+        size: 20Gi
+      customLivenessProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 30
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      customReadinessProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 5
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      customStartupProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 30
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      nodeSelector:
+        dedicated: db
+      tolerations:
+        - key: dedicated
+          operator: Equal
+          value: db
+          effect: NoSchedule
+    contour:
+      enabled: true
+      adminUser: ""
+      adminPasswordSecretKey: ""
+      sharedPreloadLibraries: "pg_stat_statements"
+      databases:
+        - name: checklists_db
+          user: checklists
+          extensions: []
+          restoreFromDump: false
+      s3-proxy:
+        endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"

apps/comparisons/yc-k8s-test/postgresql.yaml

@@ -89,6 +89,9 @@ spec:
         timeoutSeconds: 5
         successThreshold: 1
         failureThreshold: 6
+      resources:
+        requests:
+          memory: 512Mi
       nodeSelector:
         dedicated: db
       tolerations:

apps/contracts/base/deployment.yaml

@@ -31,7 +31,7 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: postgresql-secrets
-                  key: db_url
+                  key: url
             - name: PUBLIC_KEY
               valueFrom:
                 secretKeyRef:

apps/contracts/base/kustomization.yaml

@@ -4,5 +4,5 @@ kind: Kustomization
 namespace: contracts
 resources:
   - namespace.yaml
-#  - deployment.yaml
+  - deployment.yaml
   - service.yaml

apps/contracts/yc-k8s-test/kustomization.yaml

@@ -3,9 +3,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../base
-#  - postgresql.yaml
+  - postgresql.yaml
-patches:
+patches: []
-  - path: replicas.yaml
+#  - path: replicas.yaml
-    target:
+#    target:
-      kind: Deployment
+#      kind: Deployment
-      name: backend
+#      name: backend

apps/contracts/yc-k8s-test/postgresql.yaml

@@ -56,6 +56,9 @@ spec:
       persistence:
         storageClass: local-path
         size: 20Gi
+      resources:
+        requests:
+          memory: 512Mi
       customLivenessProbe:
         exec:
           command:

apps/drawings/yc-k8s-test/postgresql.yaml

@@ -89,6 +89,9 @@ spec:
         timeoutSeconds: 5
         successThreshold: 1
         failureThreshold: 6
+      resources:
+        requests:
+          memory: 512Mi
       nodeSelector:
         dedicated: db
       tolerations:

apps/inspections/base/backend-deployment.yaml

@@ -0,0 +1,127 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: inspections-backend
+  namespace: inspections
+  labels:
+    app: inspections-backend
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: inspections-backend
+  template:
+    metadata:
+      labels:
+        app: inspections-backend
+    spec:
+      containers:
+        - name: inspections-backend
+          image: cr.yandex/crp3ccidau046kdj8g9q/sarex-inspections:production_1a33f6f4
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          env:
+            - name: DEBUG
+              value: "false"
+            - name: SERVICE_URL
+              value: https://srx.wb.ru
+            - name: HTTP_APP_HOST
+              value: 0.0.0.0
+            - name: HTTP_APP_PORT
+              value: "8000"
+            - name: HTTP_APP_ROOT_PATH
+              value: /inspections
+            - name: HTTP_APP_WORKERS
+              value: "3"
+            - name: HTTP_APP_ADMIN_ENABLE
+              value: "true"
+            - name: KAFKA_SSL_CAFILE
+              value: /usr/local/share/ca-certificates/Yandex/YandexInternalRootCA.crt
+            - name: KAFKA_EAV_ASSETS_TOPIC
+              value: assets_broadcast
+            - name: JWT_AUTH_ENABLE
+              value: "true"
+            - name: NOTIFICATIONS_ENABLE
+              value: "true"
+            - name: NOTIFICATIONS_EMAIL_FROM
+              value: hello@sarex.io
+            - name: SAREX_BACKEND_URL
+              value: https://srx.wb.ru
+            - name: SAREX_BACKEND_TIMEOUT
+              value: "30"
+            - name: EAV_URL
+              value: http://eav-service.eav
+            - name: EAV_TIMEOUT
+              value: "30"
+            - name: WORKFLOWS_URL
+              value: http://workflows-service.processing-prod
+            - name: WORKFLOWS_TIMEOUT
+              value: "30"
+            - name: WORKFLOWS_EMAIL_DOCKER_IMAGE
+              value: cr.yandex/crp3ccidau046kdj8g9q/notification:email
+            - name: MOBILE_APP_CURRENT_VERSION
+              value: 1.0.0
+            - name: MOBILE_APP_RECOMMENDED_VERSION
+              value: 1.0.0
+            - name: MOBILE_APP_REQUIRED_VERSION
+              value: 1.0.0
+            - name: MAILER_URL
+              value: http://mailer-service.mailer:8000
+            - name: MAILER_TIMEOUT
+              value: "30"
+            - name: DATABASE_USER
+              valueFrom:
+                secretKeyRef:
+                  key: username
+                  name: postgresql-secret
+            - name: DATABASE_PORT
+              valueFrom:
+                secretKeyRef:
+                  key: port
+                  name: postgresql-secret
+            - name: DATABASE_NAME
+              valueFrom:
+                secretKeyRef:
+                  key: database
+                  name: postgresql-secret
+            - name: DATABASE_HOST
+              valueFrom:
+                secretKeyRef:
+                  key: hostname
+                  name: postgresql-secret
+            - name: DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: postgresql-secret
+            - name: KAFKA_HOST
+              valueFrom:
+                secretKeyRef:
+                  key: host
+                  name: kafka-secret
+            - name: KAFKA_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key: username
+                  name: kafka-secret
+            - name: KAFKA_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: kafka-secret
+            - name: SAREX_BACKEND_AUTH
+              valueFrom:
+                secretKeyRef:
+                  key: key
+                  name: sarex-backend-auth-secret
+
+          resources:
+            requests:
+              cpu: "1"
+              memory: 1Gi
+      imagePullSecrets:
+        - name: regcred

apps/inspections/base/backend-service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rfi-backend-api-svc
+  namespace: rfi
+spec:
+  type: ClusterIP
+  selector:
+    app: rfi-backend-api
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8000
+      protocol: TCP

apps/inspections/base/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: inspections
+resources:
+  - namespace.yaml
+  - backend-deployment.yaml
+  - backend-service.yaml

apps/inspections/base/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: inspections
+  labels:
+    istio-injection: enabled

apps/inspections/yc-k8s-test/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../base
+  - postgresql.yaml
+patches: []

apps/inspections/yc-k8s-test/postgresql.yaml

@@ -0,0 +1,110 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: postgresql
+  namespace: inspections
+spec:
+  interval: 5m
+  timeout: 2h
+  chart:
+    spec:
+      chart: postgresql-contour
+      version: "17.0.2"
+      sourceRef:
+        kind: HelmRepository
+        name: yc-oci-charts
+        namespace: flux-system
+
+  install:
+    timeout: 2h
+    remediation:
+      retries: 3
+
+  upgrade:
+    timeout: 2h
+    remediation:
+      retries: 3
+
+  values:
+    global:
+      security:
+        allowInsecureImages: true
+      defaultStorageClass: local-path
+      postgresql:
+        auth:
+          username: ""
+          database: ""
+          secretKeys:
+            userPasswordKey: "postgres-password"
+    auth:
+      username: ""
+      database: ""
+      secretKeys:
+        userPasswordKey: "postgres-password"
+    image:
+      registry: cr.yandex/crp3ccidau046kdj8g9q
+      repository: contour/postgresql
+      tag: 17.0.2
+      pullPolicy: Always
+    metrics:
+      enabled: false
+      prometheusRule:
+        enabled: false
+    primary:
+      containerSecurityContext:
+        readOnlyRootFilesystem: false
+      persistence:
+        storageClass: local-path
+        size: 20Gi
+      customLivenessProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 30
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      customReadinessProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 5
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      customStartupProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 30
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      nodeSelector:
+        dedicated: db
+      tolerations:
+        - key: dedicated
+          operator: Equal
+          value: db
+          effect: NoSchedule
+    contour:
+      enabled: true
+      adminUser: ""
+      adminPasswordSecretKey: ""
+      sharedPreloadLibraries: "postgis"
+      databases:
+        - name: inspections_db
+          user: inspections
+          extensions: []
+          restoreFromDump: false
+      s3-proxy:
+        endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"

apps/notes/base/backend-deployment.yaml

@@ -0,0 +1,85 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backend
+  namespace: notes
+  labels:
+    app: backend
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: backend
+  template:
+    metadata:
+      labels:
+        app: backend
+        service: main
+    spec:
+      containers:
+        - name: main
+          image: cr.yandex/crp3ccidau046kdj8g9q/notes-backend:production_81366854
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          env:
+            - name: PG_SSL_MODE
+              value: verify-full
+            - name: DJANGO_HOST
+              value: https://lk.sarex.io
+            - name: BASE_HOST
+              value: https://api.sarex.io/notes
+            - name: TIMEOUT
+              value: "120"
+            - name: FAAS_SERVICE
+              value: https://api.sarex.io/lambdas
+            - name: WORKSPACE_URL
+              value: https://api.sarex.io/workspaces/api/v1
+            - name: WORKFLOW_HOST
+              value: https://api.sarex.io/workflows/api/v1
+            - name: WORKFLOW_TAG
+              value: stable
+            - name: RESOURCE_URL
+              value: https://api.sarex.io/resources/api/v1
+            - name: SYNC_RESOURCE_ID
+              value: "0"
+            - name: ENABLE_ND
+              value: "0"
+            - name: ATTACHMENT_HOST
+              value: http://attachments-service.attachments.svc.cluster.local:80/api/v1
+            - name: PG_PORT
+              value: "5432"
+            - name: PG_DB
+              valueFrom:
+                secretKeyRef:
+                  name: postgresql-secrets
+                  key: database
+            - name: PG_LOGIN
+              valueFrom:
+                secretKeyRef:
+                  name: postgresql-secrets
+                  key: username
+            - name: PG_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: postgresql-secrets
+                  key: password
+            - name: PG_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: postgresql-secrets
+                  key: hostname
+            - name: DJANGO_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: django-secret
+                  key: token
+          resources:
+            requests:
+              cpu: "1"
+              memory: 512Mi
+      imagePullSecrets:
+        - name: regcred

apps/notes/base/backend-service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: backend-service
+  namespace: notes
+spec:
+  type: ClusterIP
+  selector:
+    app: backend
+  ports:
+    - name: http
+      port: 8000
+      targetPort: 8000
+      protocol: TCP

apps/notes/base/frontend-deployment.yaml

@@ -0,0 +1,58 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: frontend
+  namespace: notes
+  labels:
+    app: frontend
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: frontend
+  template:
+    metadata:
+      labels:
+        app: frontend
+        service: frontend
+    spec:
+      volumes:
+        - name: nginx-configmap
+          configMap:
+            name: nginx-configmap
+            items:
+              - key: nginx.conf
+                path: nginx.conf
+      containers:
+        - name: frontend
+          image: cr.yandex/crp3ccidau046kdj8g9q/notes-frontend:production_0cb0909f
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          resources:
+            requests:
+              cpu: 100m
+              memory: 100Mi
+          volumeMounts:
+            - name: nginx-configmap
+              mountPath: /etc/nginx/nginx.conf
+              subPath: nginx.conf
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: 80
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            failureThreshold: 10
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: 80
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            failureThreshold: 20
+      imagePullSecrets:
+        - name: regcred

apps/notes/base/frontend-service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend-service
+  namespace: notes
+spec:
+  type: ClusterIP
+  selector:
+    app: frontend
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+      protocol: TCP

apps/notes/base/kustomization.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: notes
+resources:
+  - namespace.yaml
+  - backend-deployment.yaml
+  - backend-service.yaml
+  - frontend-deployment.yaml
+  - frontend-service.yaml
+  - nginx-configmap.yaml

apps/notes/base/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: notes
+  labels:
+    istio-injection: enabled

apps/notes/base/nginx-configmap.yaml

@@ -0,0 +1,47 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-configmap
+  namespace: notes
+data:
+  nginx.conf: |
+    user  nginx;
+    worker_processes  auto;
+
+    error_log  stderr warn;
+    pid        /var/run/nginx.pid;
+
+    events {
+        worker_connections  1024;
+    }
+
+    http {
+        include       /etc/nginx/mime.types;
+        default_type  application/octet-stream;
+
+        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                          '$status $body_bytes_sent "$http_referer" '
+                          '"$http_user_agent" "$http_x_forwarded_for"';
+
+        access_log  /dev/stdout  main;
+
+        sendfile        on;
+
+        keepalive_timeout  65;
+
+        gzip  on;
+
+        server {
+            client_header_buffer_size 16k;
+            large_client_header_buffers 4 16k;
+            listen       80;
+            server_name  localhost;
+            root /dist;
+            expires off;
+
+            location = /ping {
+                return 200 '{"result": "ok"}';
+            }
+        }
+    }

apps/notes/yc-k8s-test/kustomization.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../base
+  - postgresql.yaml
+patches: []
+#  - path: replicas.yaml
+#    target:
+#      kind: Deployment
+#      name: backend

apps/notes/yc-k8s-test/postgresql.yaml

@@ -0,0 +1,113 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: postgresql
+  namespace: notes
+spec:
+  interval: 5m
+  timeout: 2h
+  chart:
+    spec:
+      chart: postgresql-contour
+      version: "17.0.2"
+      sourceRef:
+        kind: HelmRepository
+        name: yc-oci-charts
+        namespace: flux-system
+
+  install:
+    timeout: 2h
+    remediation:
+      retries: 3
+
+  upgrade:
+    timeout: 2h
+    remediation:
+      retries: 3
+
+  values:
+    global:
+      security:
+        allowInsecureImages: true
+      defaultStorageClass: local-path
+      postgresql:
+        auth:
+          username: ""
+          database: ""
+          secretKeys:
+            userPasswordKey: "postgres-password"
+    auth:
+      username: ""
+      database: ""
+      secretKeys:
+        userPasswordKey: "postgres-password"
+    image:
+      registry: cr.yandex/crp3ccidau046kdj8g9q
+      repository: contour/postgresql
+      tag: 17.0.2
+      pullPolicy: Always
+    metrics:
+      enabled: false
+      prometheusRule:
+        enabled: false
+    primary:
+      containerSecurityContext:
+        readOnlyRootFilesystem: false
+      persistence:
+        storageClass: local-path
+        size: 20Gi
+      resources:
+        requests:
+          memory: 512Mi
+      customLivenessProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 30
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      customReadinessProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 5
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      customStartupProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 30
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      nodeSelector:
+        dedicated: db
+      tolerations:
+        - key: dedicated
+          operator: Equal
+          value: db
+          effect: NoSchedule
+    contour:
+      enabled: true
+      adminUser: ""
+      adminPasswordSecretKey: ""
+      sharedPreloadLibraries: "pg_stat_statements"
+      databases:
+        - name: notes_db
+          user: notes
+          extensions: []
+          restoreFromDump: false
+      s3-proxy:
+        endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"

apps/notes/yc-k8s-test/replicas.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backend
+  namespace: notes
+spec:
+  replicas: 2

apps/pm/base/backend-configmap.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: backend-configmap
+  namespace: pm
+data:
+  uwsgi.ini: |
+    [uwsgi]
+    log-format = {"time": "%(time)", "method": "%(method)", "uri": "%(uri)", "status": "%(status)", "size": "%(size)", "addr": "%(addr)", "user": "%(user)", "proto": "%(proto)", "user_agent": "%(uagent)", "referer": "%(referer)", "trace_id": "%(trace_id)", "span_id": "%(span_id)"}
+    module                 = config.wsgi:application
+    DJANGO_SETTINGS_MODULE = config.settings.base
+    http                   = 0.0.0.0:8000
+    processes              = 8
+    master                 = true
+    vacuum                 = true
+    enable-threads         = true
+    buffer-size            = 65535
+    stats                  = :3031
+    stats-http             = true
+    memory-report          = true
+    lazy-apps              = true
+    listen                 = 1024
+    disable-write-exception= 0
+    harakiri               = 300
+    socket-timeout         = 300
+    chunked-input-timeout  = 300
+    http-timeout           = 300
+    worker-reload-mercy    = 240
+    mule-reload-mercy      = 240

apps/pm/base/backend-deployment.yaml

@@ -0,0 +1,210 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backend
+  namespace: pm
+  labels:
+    app: backend
+    service: api
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: backend
+  template:
+    metadata:
+      labels:
+        app: backend
+        service: api
+    spec:
+      containers:
+        - name: api
+          image: cr.yandex/crp3ccidau046kdj8g9q/pm-backend:production_0843a55d
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          env:
+            - name: USERS_INTERNAL_HOST
+              value: http://backend-service.sarex.svc.cluster.local:8000
+            - name: CELERY_REDIS_HOST
+              value: redis.pm.svc.cluster.local
+            - name: RESOURCES_INTERNAL_HOST
+              value: http://sarex-resources-service.resources
+            - name: EAV_HOST
+              value: http://eav-service.eav
+            - name: EAV_API_PREFIX
+              value: /api/v0
+            - name: EAV_API_PREFIX_V1
+              value: /api/v1
+            - name: TRACING_INSECURE
+              value: "False"
+            - name: SERVER_ENABLE_SYNC_RESOURCES
+              value: "True"
+            - name: SERVER_DELETED_TASK_MAX_AGE_DAYS
+              value: "1"
+            - name: SERVER_EXPIRED_TASK_NOTIFICATION_HOUR
+              value: "17"
+            - name: LANG
+              value: C.UTF-8
+            - name: LC_ALL
+              value: C.UTF-8
+            - name: PYTHONUTF8
+              value: "1"
+            - name: DB_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: postgresql-secrets
+                  key: username
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: postgresql-secrets
+                  key: password
+            - name: DB_DATABASE
+              valueFrom:
+                secretKeyRef:
+                  name: postgresql-secrets
+                  key: database
+            - name: DB_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: postgresql-secrets
+                  key: hostname
+            - name: DB_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: postgresql-secrets
+                  key: port
+            - name: S3_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: s3-secrets
+                  key: endpoint
+            - name: S3_LOGIN
+              valueFrom:
+                secretKeyRef:
+                  name: s3-secrets
+                  key: login
+            - name: S3_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: s3-secrets
+                  key: password
+            - name: S3_BUCKET
+              valueFrom:
+                secretKeyRef:
+                  name: s3-secrets
+                  key: bucket
+
+#            - name: CACHE_HOST
+#              valueFrom:
+#                secretKeyRef:
+#                  name: cache-secret-pm
+#                  key: host
+#            - name: CACHE_PORT
+#              valueFrom:
+#                secretKeyRef:
+#                  name: cache-secret-pm
+#                  key: port
+#            - name: CACHE_PASSWORD
+#              valueFrom:
+#                secretKeyRef:
+#                  name: cache-secret-pm
+#                  key: password
+            - name: CACHE_SSL
+              value: "False"
+            - name: CACHE_SSL_CA_CERTS
+              value: ""
+            - name: CACHE_ENABLE
+              value: "False"
+            - name: CLICKHOUSE_ENABLE
+              value: 'False'
+            - name: KAFKA_ENABLE
+              value: 'False'
+#            - name: KAFKA_BOOTSTRAP_SERVERS
+#              valueFrom:
+#                secretKeyRef:
+#                  name: ya-kafka-secret-pm
+#                  key: bootstrap_servers
+#            - name: KAFKA_SECURITY_PROTOCOL
+#              valueFrom:
+#                secretKeyRef:
+#                  name: ya-kafka-secret-pm
+#                  key: security_protocol
+#            - name: KAFKA_SASL_MECHANISM
+#              valueFrom:
+#                secretKeyRef:
+#                  name: ya-kafka-secret-pm
+#                  key: sasl_mechanism
+#            - name: KAFKA_SASL_PLAIN_USERNAME
+#              valueFrom:
+#                secretKeyRef:
+#                  name: ya-kafka-secret-pm
+#                  key: sasl_username
+#            - name: KAFKA_SASL_PLAIN_PASSWORD
+#              valueFrom:
+#                secretKeyRef:
+#                  name: ya-kafka-secret-pm
+#                  key: sasl_password
+#            - name: KAFKA_SSL_CAFILE
+#              valueFrom:
+#                secretKeyRef:
+#                  name: ya-kafka-secret-pm
+#                  key: ssl_cafile
+#            - name: KAFKA_TOPICS
+#              valueFrom:
+#                secretKeyRef:
+#                  name: ya-kafka-secret-pm
+#                  key: topics
+
+            - name: CELERY_RABBITMQ_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: rabbitmq-secrets
+                  key: hostname
+            - name: CELERY_RABBITMQ_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: rabbitmq-secrets
+                  key: port
+            - name: CELERY_RABBITMQ_USER
+              valueFrom:
+                secretKeyRef:
+                  name: rabbitmq-secrets
+                  key: username
+            - name: CELERY_RABBITMQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: rabbitmq-secrets
+                  key: password
+            - name: CELERY_RABBITMQ_VHOST
+              valueFrom:
+                secretKeyRef:
+                  name: rabbitmq-secrets
+                  key: vhost
+
+            - name: AUTH_PUBLIC_TOKEN_URL
+              value: "https://lk.sarex.io/api/token/public/"
+            - name: SERVER_HOST
+              value: "https://lk.sarex.io"
+            - name: SERVER_API_HOST
+              value: "https://api.sarex.io"
+            - name: SERVER_DEBUG
+              value: "False"
+            - name: SERVER_ALLOWED_HOSTS
+              value: '["*"]'
+            - name: SERVER_USE_OTEL
+              value: "False"
+            - name: SERVER_VERIFY_SSL
+              value: "False"
+            - name: SERVER_LOG_LEVEL
+              value: "INFO"
+          resources:
+            requests:
+              cpu: "1"
+              memory: 1Gi
+      imagePullSecrets:
+        - name: regcred

apps/pm/base/backend-service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: backend-service
+  namespace: pm
+spec:
+  type: ClusterIP
+  selector:
+    app: backend
+  ports:
+    - name: http
+      port: 8000
+      targetPort: 8000
+      protocol: TCP

apps/pm/base/celery-deployment.yaml

@@ -0,0 +1,223 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: celery
+  namespace: pm
+  labels:
+    app: celery
+    service: celery
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: celery
+  template:
+    metadata:
+      labels:
+        app: celery
+        service: celery
+    spec:
+      containers:
+        - name: celery
+          image: cr.yandex/crp3ccidau046kdj8g9q/pm-backend:production_0843a55d
+          imagePullPolicy: IfNotPresent
+          command:
+            - celery
+            - "-A"
+            - config
+            - worker
+            - "-B"
+            - "-l"
+            - info
+            - "-E"
+            - "-Q"
+            - pm
+            - "-n"
+            - default_worker.%h
+            - "--concurrency=2"
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          env:
+            - name: USERS_INTERNAL_HOST
+              value: http://backend-service.sarex.svc.cluster.local:8000
+            - name: CELERY_REDIS_HOST
+              value: redis.pm.svc.cluster.local
+            - name: RESOURCES_INTERNAL_HOST
+              value: http://sarex-resources-service.resources
+            - name: EAV_HOST
+              value: http://eav-service.eav
+            - name: EAV_API_PREFIX
+              value: /api/v0
+            - name: EAV_API_PREFIX_V1
+              value: /api/v1
+            - name: TRACING_INSECURE
+              value: "False"
+            - name: SERVER_ENABLE_SYNC_RESOURCES
+              value: "True"
+            - name: SERVER_DELETED_TASK_MAX_AGE_DAYS
+              value: "1"
+            - name: SERVER_EXPIRED_TASK_NOTIFICATION_HOUR
+              value: "17"
+            - name: LANG
+              value: C.UTF-8
+            - name: LC_ALL
+              value: C.UTF-8
+            - name: PYTHONUTF8
+              value: "1"
+            - name: DB_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: postgresql-secrets
+                  key: username
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: postgresql-secrets
+                  key: password
+            - name: DB_DATABASE
+              valueFrom:
+                secretKeyRef:
+                  name: postgresql-secrets
+                  key: database
+            - name: DB_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: postgresql-secrets
+                  key: hostname
+            - name: DB_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: postgresql-secrets
+                  key: port
+            - name: S3_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: s3-secrets
+                  key: endpoint
+            - name: S3_LOGIN
+              valueFrom:
+                secretKeyRef:
+                  name: s3-secrets
+                  key: login
+            - name: S3_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: s3-secrets
+                  key: password
+            - name: S3_BUCKET
+              valueFrom:
+                secretKeyRef:
+                  name: s3-secrets
+                  key: bucket
+
+#            - name: CACHE_HOST
+#              valueFrom:
+#                secretKeyRef:
+#                  name: cache-secret-pm
+#                  key: host
+#            - name: CACHE_PORT
+#              valueFrom:
+#                secretKeyRef:
+#                  name: cache-secret-pm
+#                  key: port
+#            - name: CACHE_PASSWORD
+#              valueFrom:
+#                secretKeyRef:
+#                  name: cache-secret-pm
+#                  key: password
+            - name: CACHE_SSL
+              value: "False"
+            - name: CACHE_SSL_CA_CERTS
+              value: ""
+            - name: CACHE_ENABLE
+              value: "False"
+            - name: CLICKHOUSE_ENABLE
+              value: 'False'
+            - name: KAFKA_ENABLE
+              value: 'False'
+#            - name: KAFKA_BOOTSTRAP_SERVERS
+#              valueFrom:
+#                secretKeyRef:
+#                  name: ya-kafka-secret-pm
+#                  key: bootstrap_servers
+#            - name: KAFKA_SECURITY_PROTOCOL
+#              valueFrom:
+#                secretKeyRef:
+#                  name: ya-kafka-secret-pm
+#                  key: security_protocol
+#            - name: KAFKA_SASL_MECHANISM
+#              valueFrom:
+#                secretKeyRef:
+#                  name: ya-kafka-secret-pm
+#                  key: sasl_mechanism
+#            - name: KAFKA_SASL_PLAIN_USERNAME
+#              valueFrom:
+#                secretKeyRef:
+#                  name: ya-kafka-secret-pm
+#                  key: sasl_username
+#            - name: KAFKA_SASL_PLAIN_PASSWORD
+#              valueFrom:
+#                secretKeyRef:
+#                  name: ya-kafka-secret-pm
+#                  key: sasl_password
+#            - name: KAFKA_SSL_CAFILE
+#              valueFrom:
+#                secretKeyRef:
+#                  name: ya-kafka-secret-pm
+#                  key: ssl_cafile
+#            - name: KAFKA_TOPICS
+#              valueFrom:
+#                secretKeyRef:
+#                  name: ya-kafka-secret-pm
+#                  key: topics
+
+            - name: CELERY_RABBITMQ_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: rabbitmq-secrets
+                  key: hostname
+            - name: CELERY_RABBITMQ_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: rabbitmq-secrets
+                  key: port
+            - name: CELERY_RABBITMQ_USER
+              valueFrom:
+                secretKeyRef:
+                  name: rabbitmq-secrets
+                  key: username
+            - name: CELERY_RABBITMQ_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: rabbitmq-secrets
+                  key: password
+            - name: CELERY_RABBITMQ_VHOST
+              valueFrom:
+                secretKeyRef:
+                  name: rabbitmq-secrets
+                  key: vhost
+
+            - name: AUTH_PUBLIC_TOKEN_URL
+              value: "https://lk.sarex.io/api/token/public/"
+            - name: SERVER_HOST
+              value: "https://lk.sarex.io"
+            - name: SERVER_API_HOST
+              value: "https://api.sarex.io"
+            - name: SERVER_DEBUG
+              value: "False"
+            - name: SERVER_ALLOWED_HOSTS
+              value: '["*"]'
+            - name: SERVER_USE_OTEL
+              value: "False"
+            - name: SERVER_VERIFY_SSL
+              value: "False"
+            - name: SERVER_LOG_LEVEL
+              value: "INFO"
+          resources:
+            requests:
+              memory: 1Gi
+      imagePullSecrets:
+        - name: regcred

apps/pm/base/kustomization.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: pm
+resources:
+  - namespace.yaml
+  - backend-deployment.yaml
+  - backend-service.yaml
+  - celery-deployment.yaml
+  - backend-configmap.yaml

apps/pm/base/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: pm
+  labels:
+    istio-injection: enabled

apps/pm/yc-k8s-test/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../base
+  - postgresql.yaml
+  - redis-deployment.yaml
+  - redis-service.yaml
+patches: []

apps/pm/yc-k8s-test/postgresql.yaml

@@ -0,0 +1,113 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: postgresql
+  namespace: pm
+spec:
+  interval: 5m
+  timeout: 2h
+  chart:
+    spec:
+      chart: postgresql-contour
+      version: "17.0.2"
+      sourceRef:
+        kind: HelmRepository
+        name: yc-oci-charts
+        namespace: flux-system
+
+  install:
+    timeout: 2h
+    remediation:
+      retries: 3
+
+  upgrade:
+    timeout: 2h
+    remediation:
+      retries: 3
+
+  values:
+    global:
+      security:
+        allowInsecureImages: true
+      defaultStorageClass: local-path
+      postgresql:
+        auth:
+          username: ""
+          database: ""
+          secretKeys:
+            userPasswordKey: "postgres-password"
+    auth:
+      username: ""
+      database: ""
+      secretKeys:
+        userPasswordKey: "postgres-password"
+    image:
+      registry: cr.yandex/crp3ccidau046kdj8g9q
+      repository: contour/postgresql
+      tag: 17.0.2
+      pullPolicy: Always
+    metrics:
+      enabled: false
+      prometheusRule:
+        enabled: false
+    primary:
+      containerSecurityContext:
+        readOnlyRootFilesystem: false
+      persistence:
+        storageClass: local-path
+        size: 20Gi
+      customLivenessProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 30
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      customReadinessProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 5
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      customStartupProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 30
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      resources:
+        requests:
+          memory: 512Mi
+      nodeSelector:
+        dedicated: db
+      tolerations:
+        - key: dedicated
+          operator: Equal
+          value: db
+          effect: NoSchedule
+    contour:
+      enabled: true
+      adminUser: ""
+      adminPasswordSecretKey: ""
+      sharedPreloadLibraries: "pg_stat_statements,ltree"
+      databases:
+        - name: pm_db
+          user: pm
+          extensions: []
+          restoreFromDump: false
+      s3-proxy:
+        endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"

apps/pm/yc-k8s-test/redis-deployment.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: redis
+  namespace: pm
+  labels:
+    app: redis
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+        - name: redis
+          image: cr.yandex/crp3ccidau046kdj8g9q/redis:latest
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 6379
+              protocol: TCP
+      imagePullSecrets:
+        - name: regcred

apps/pm/yc-k8s-test/redis-service.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  namespace: pm
+spec:
+  selector:
+    app: redis
+  ports:
+    - port: 6379
+      targetPort: 6379
+      protocol: TCP

apps/remarks/base/deployment.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: frontend
+  namespace: remarks
+  labels:
+    app: frontend
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: frontend
+  template:
+    metadata:
+      labels:
+        app: frontend
+        version: stable
+    spec:
+      containers:
+        - name: frontend
+          image: cr.yandex/crp3ccidau046kdj8g9q/remarks-frontend:wb_002f8896
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          resources:
+            requests:
+              cpu: 100m
+              memory: 100Mi
+      imagePullSecrets:
+        - name: regcred

apps/remarks/base/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: remarks
+resources:
+  - namespace.yaml
+  - deployment.yaml
+  - service.yaml

apps/remarks/base/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: remarks
+  labels:
+    istio-injection: enabled

apps/remarks/base/service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend-service
+  namespace: remarks
+spec:
+  type: ClusterIP
+  selector:
+    app: frontend
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+      protocol: TCP

apps/remarks/yc-k8s-test/kustomization.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../base
+patches: []
+#  - path: replicas.yaml
+#    target:
+#      kind: Deployment
+#      name: frontend

apps/remarks/yc-k8s-test/replicas.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: frontend
+  namespace: remarks
+spec:
+  replicas: 1

apps/subscriptions/base/backend-deployment.yaml

@@ -0,0 +1,94 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sarex-subscriptions
+  namespace: subscriptions
+  labels:
+    app: sarex-subscriptions
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: sarex-subscriptions
+  template:
+    metadata:
+      labels:
+        app: sarex-subscriptions
+    spec:
+      containers:
+        - name: subscriptions
+          image: cr.yandex/crp3ccidau046kdj8g9q/subscriptions:prod_a50928e1
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          env:
+            - name: DATABASE_HOST
+              valueFrom:
+                secretKeyRef:
+                  key: hostname
+                  name: postgresql-secret
+            - name: DATABASE_PORT
+              valueFrom:
+                secretKeyRef:
+                  key: port
+                  name: postgresql-secret
+            - name: DATABASE_NAME
+              valueFrom:
+                secretKeyRef:
+                  key: database
+                  name: postgresql-secret
+            - name: DATABASE_USER
+              valueFrom:
+                secretKeyRef:
+                  key: username
+                  name: postgresql-secret
+            - name: DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: postgresql-secret
+            - name: API_ADDRESS
+              value: "8000"
+            - name: SYSTEM_LOG_HOST
+              value: http://api-service.system-log
+            - name: USER_SERVICE_HOST
+              value: http://backend.django.svc.cluster.local:8000
+            - name: IS_USE_TELEGRAM
+              value: "false"
+            - name: IS_MAILGUN_USE
+              value: "0"
+            - name: SMTP_EMAIL_FROM
+              value: sarex@rwb.ru
+            - name: SMTP_EMAIL_HOST
+              value: mail.rwb.ru
+            - name: SMTP_EMAIL_PORT
+              value: "465"
+            - name: YC_S3_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  key: username
+                  name: s3-secret
+            - name: YC_S3_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: s3-secret
+            - name: YC_S3_BUCKET_NAME
+              valueFrom:
+                secretKeyRef:
+                  key: bucket
+                  name: s3-secret
+            - name: YC_S3_ENDPOINT_URL
+              valueFrom:
+                secretKeyRef:
+                  key: host
+                  name: s3-secret
+          resources:
+            requests:
+              cpu: "1"
+              memory: 1Gi
+      imagePullSecrets:
+        - name: regcred

apps/subscriptions/base/backend-service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rfi-backend-api-svc
+  namespace: rfi
+spec:
+  type: ClusterIP
+  selector:
+    app: rfi-backend-api
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8000
+      protocol: TCP

apps/subscriptions/base/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: subscriptions
+resources:
+  - namespace.yaml
+  - backend-deployment.yaml
+  - backend-service.yaml

apps/subscriptions/base/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: subscriptions
+  labels:
+    istio-injection: enabled

apps/subscriptions/yc-k8s-test/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../base
+  - postgresql.yaml
+patches: []

apps/subscriptions/yc-k8s-test/postgresql.yaml

@@ -0,0 +1,110 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: postgresql
+  namespace: subscriptions
+spec:
+  interval: 5m
+  timeout: 2h
+  chart:
+    spec:
+      chart: postgresql-contour
+      version: "17.0.2"
+      sourceRef:
+        kind: HelmRepository
+        name: yc-oci-charts
+        namespace: flux-system
+
+  install:
+    timeout: 2h
+    remediation:
+      retries: 3
+
+  upgrade:
+    timeout: 2h
+    remediation:
+      retries: 3
+
+  values:
+    global:
+      security:
+        allowInsecureImages: true
+      defaultStorageClass: local-path
+      postgresql:
+        auth:
+          username: ""
+          database: ""
+          secretKeys:
+            userPasswordKey: "postgres-password"
+    auth:
+      username: ""
+      database: ""
+      secretKeys:
+        userPasswordKey: "postgres-password"
+    image:
+      registry: cr.yandex/crp3ccidau046kdj8g9q
+      repository: contour/postgresql
+      tag: 17.0.2
+      pullPolicy: Always
+    metrics:
+      enabled: false
+      prometheusRule:
+        enabled: false
+    primary:
+      containerSecurityContext:
+        readOnlyRootFilesystem: false
+      persistence:
+        storageClass: local-path
+        size: 20Gi
+      customLivenessProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 30
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      customReadinessProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 5
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      customStartupProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 30
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      nodeSelector:
+        dedicated: db
+      tolerations:
+        - key: dedicated
+          operator: Equal
+          value: db
+          effect: NoSchedule
+    contour:
+      enabled: true
+      adminUser: ""
+      adminPasswordSecretKey: ""
+      sharedPreloadLibraries: "postgis"
+      databases:
+        - name: subscriptions_db
+          user: subscriptions
+          extensions: []
+          restoreFromDump: false
+      s3-proxy:
+        endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"

apps/system-log/base/backend-deployment.yaml

@@ -0,0 +1,116 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: api
+  namespace: system-log
+  labels:
+    app: api
+    service: api
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: api
+  template:
+    metadata:
+      labels:
+        app: api
+        service: api
+    spec:
+      containers:
+        - name: api
+          image: cr.yandex/crp3ccidau046kdj8g9q/system-log:prod_6ed1b27e
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          env:
+            - name: KAFKA_ENABLE
+              value: "0"
+            - name: KAFKA_USE_SSL
+              value: "0"
+            - name: KAFKA_ENABLE_LOGGING
+              value: "0"
+            - name: APP_NAME
+              value: system_log
+            - name: APP_VERSION
+              value: 0.0.1
+            - name: LOG_LEVEL
+              value: INFO
+            - name: HTTP_HOST
+              value: 0.0.0.0
+            - name: HTTP_PORT
+              value: "8000"
+            - name: NAMESPACE
+              value: system-log
+            - name: POSTGRES_POOL_SIZE
+              value: "3"
+            - name: ENABLE_SSL
+              value: "0"
+            - name: KAFKA_GROUP
+              value: system-log-stage
+            - name: KAFKA_CLIENT_ID
+              value: system-log-stage
+            - name: KAFKA_PEM_PATH
+              value: "/tmp"
+            - name: DJANGO_HOST
+              value: http://backend.django.svc.cluster.local:8000
+            - name: POSTGRES_ADDRESS
+              valueFrom:
+                secretKeyRef:
+                  key: hostname
+                  name: postgresql-secret
+            - name: POSTGRES_PORT
+              valueFrom:
+                secretKeyRef:
+                  key: port
+                  name: postgresql-secret
+            - name: POSTGRES_DB
+              valueFrom:
+                secretKeyRef:
+                  key: database
+                  name: postgresql-secret
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  key: username
+                  name: postgresql-secret
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: postgresql-secret
+            - name: KAFKA_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key: username
+                  name: kafka-secret
+            - name: KAFKA_BROKERS
+              valueFrom:
+                secretKeyRef:
+                  key: host
+                  name: kafka-secret
+            - name: KAFKA_TOPIC
+              valueFrom:
+                secretKeyRef:
+                  key: topic
+                  name: kafka-secret
+            - name: KAFKA_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: kafka-secret
+            - name: KAFKA_PEM_CERT
+              valueFrom:
+                secretKeyRef:
+                  key: ca.crt
+                  name: kafka-secret
+
+          resources:
+            requests:
+              cpu: "1"
+              memory: 1Gi
+      imagePullSecrets:
+        - name: regcred

apps/system-log/base/backend-service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: rfi-backend-api-svc
+  namespace: system-log
+spec:
+  type: ClusterIP
+  selector:
+    app: rfi-backend-api
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8000
+      protocol: TCP

apps/system-log/base/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: system-log
+resources:
+  - namespace.yaml
+  - backend-deployment.yaml
+  - backend-service.yaml
+  - worker-deployment.yaml

apps/system-log/base/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: system-log
+  labels:
+    istio-injection: enabled

apps/system-log/base/worker-deployment.yaml

@@ -0,0 +1,91 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: worker
+  namespace: system-log
+  labels:
+    app: worker
+    service: worker
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: worker
+  template:
+    metadata:
+      labels:
+        app: worker
+        service: worker
+    spec:
+      containers:
+        - name: worker
+          image: cr.yandex/crp3ccidau046kdj8g9q/system_log_worker:de6a0147d285afa273e85c0f074c8b6049d03a32
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          env:
+            - name: APP_NAME
+              value: system_log
+            - name: APP_VERSION
+              value: 0.0.1
+            - name: LOG_LEVEL
+              value: INFO
+            - name: HTTP_HOST
+              value: 0.0.0.0
+            - name: HTTP_PORT
+              value: "8000"
+            - name: NAMESPACE
+              value: sarex-system-log
+            - name: DOCUMENTATIONS_URL
+              value: http://documentations-api.documentations.svc.cluster.local:8080
+            - name: POSTGRES_POOL_SIZE
+              value: "3"
+            - name: ENABLE_SSL
+              value: "0"
+            - name: DJANGO_HOST
+              value: http://backend.django.svc.cluster.local:8000
+            - name: POSTGRES_ADDRESS
+              valueFrom:
+                secretKeyRef:
+                  key: hostname
+                  name: postgresql-secret
+            - name: POSTGRES_PORT
+              valueFrom:
+                secretKeyRef:
+                  key: port
+                  name: postgresql-secret
+            - name: POSTGRES_DB
+              valueFrom:
+                secretKeyRef:
+                  key: database
+                  name: postgresql-secret
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  key: username
+                  name: postgresql-secret
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: postgresql-secret
+            - name: SUPER_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key: username
+                  name: superuser
+            - name: SUPER_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: superuser
+
+          resources:
+            requests:
+              cpu: "1"
+              memory: 1Gi
+      imagePullSecrets:
+        - name: regcred

apps/system-log/yc-k8s-test/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../base
+  - postgresql.yaml
+patches: []

apps/system-log/yc-k8s-test/postgresql.yaml

@@ -0,0 +1,110 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: postgresql
+  namespace: system-log
+spec:
+  interval: 5m
+  timeout: 2h
+  chart:
+    spec:
+      chart: postgresql-contour
+      version: "17.0.2"
+      sourceRef:
+        kind: HelmRepository
+        name: yc-oci-charts
+        namespace: flux-system
+
+  install:
+    timeout: 2h
+    remediation:
+      retries: 3
+
+  upgrade:
+    timeout: 2h
+    remediation:
+      retries: 3
+
+  values:
+    global:
+      security:
+        allowInsecureImages: true
+      defaultStorageClass: local-path
+      postgresql:
+        auth:
+          username: ""
+          database: ""
+          secretKeys:
+            userPasswordKey: "postgres-password"
+    auth:
+      username: ""
+      database: ""
+      secretKeys:
+        userPasswordKey: "postgres-password"
+    image:
+      registry: cr.yandex/crp3ccidau046kdj8g9q
+      repository: contour/postgresql
+      tag: 17.0.2
+      pullPolicy: Always
+    metrics:
+      enabled: false
+      prometheusRule:
+        enabled: false
+    primary:
+      containerSecurityContext:
+        readOnlyRootFilesystem: false
+      persistence:
+        storageClass: local-path
+        size: 20Gi
+      customLivenessProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 30
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      customReadinessProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 5
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      customStartupProbe:
+        exec:
+          command:
+            - /bin/sh
+            - -c
+            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+        initialDelaySeconds: 30
+        periodSeconds: 10
+        timeoutSeconds: 5
+        successThreshold: 1
+        failureThreshold: 6
+      nodeSelector:
+        dedicated: db
+      tolerations:
+        - key: dedicated
+          operator: Equal
+          value: db
+          effect: NoSchedule
+    contour:
+      enabled: true
+      adminUser: ""
+      adminPasswordSecretKey: ""
+      sharedPreloadLibraries: "ltree,pg_stat_statements,timescaledb"
+      databases:
+        - name: system_log_db
+          user: system_log
+          extensions: []
+          restoreFromDump: false
+      s3-proxy:
+        endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"

clusters/yc-k8s-test/kustomization.yaml

@@ -16,4 +16,11 @@ resources:
   - ../../apps/drawings/yc-k8s-test
   - ../../apps/comparisons/yc-k8s-test
   - ../../apps/contracts/yc-k8s-test
-  - ../../apps/rfi/yc-k8s-test
+  - ../../apps/rfi/yc-k8s-test
+  - ../../apps/checklists/yc-k8s-test
+  - ../../apps/subscriptions/yc-k8s-test
+  - ../../apps/inspections/yc-k8s-test
+  - ../../apps/system-log/yc-k8s-test
+  - ../../apps/remarks/yc-k8s-test
+  - ../../apps/notes/yc-k8s-test
+  - ../../apps/pm/yc-k8s-test