Update PM app backend and Celery deployments: add environment variables, configure secrets, update resource requests, and modify image version

emelinda 2026-04-17 14:21:20 +03:00
parent c08493c4df
commit 5c401a37d1
3 changed files with 574 additions and 126 deletions


@ -6,97 +6,318 @@ metadata:
namespace: pm namespace: pm
labels: labels:
app: backend app: backend
service: api
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app: backend app: backend
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 5
maxUnavailable: 5
template: template:
metadata: metadata:
labels: labels:
app: backend app: backend
monitoring: prometheus service: api
spec: spec:
affinity: volumes:
podAntiAffinity: - name: ch-cert
requiredDuringSchedulingIgnoredDuringExecution: configMap:
- labelSelector: name: ch-cert
matchExpressions: items:
- key: app - key: CA.pem
operator: In path: RootCA.crt
values: defaultMode: 420
- backend
topologyKey: kubernetes.io/hostname
containers: containers:
- name: backend - name: api
image: cr.yandex/crp3ccidau046kdj8g9q/pm-backend:production_c54c2123 image: cr.yandex/crp3ccidau046kdj8g9q/pm-backend:production_0843a55d
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
protocol: TCP protocol: TCP
env: env:
- name: K8S_POD_UID
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.uid
- name: K8S_POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: OTEL_RESOURCE_ATTRIBUTES
value: >-
k8s.pod.uid=$(K8S_POD_UID),k8s.pod.name=$(K8S_POD_NAME),k8s.namespace.name=$(K8S_NAMESPACE)
- name: USERS_INTERNAL_HOST - name: USERS_INTERNAL_HOST
value: http://backend.django.svc.cluster.local:8000 value: http://backend-service.sarex.svc.cluster.local:8000
- name: CELERY_REDIS_HOST
value: redis-service.pm.svc.cluster.local
- name: RESOURCES_INTERNAL_HOST - name: RESOURCES_INTERNAL_HOST
value: http://resources-service.resources.svc.cluster.local:8000 value: http://sarex-resources-service.resources
- name: EAV_HOST - name: EAV_HOST
value: http://eav-service.eav.svc.cluster.local:8000 value: http://eav-service.eav
- name: EAV_API_PREFIX - name: EAV_API_PREFIX
value: /api/v0 value: /api/v0
- name: EAV_API_PREFIX_V1 - name: EAV_API_PREFIX_V1
value: /api/v1 value: /api/v1
- name: TRACING_ENDPOINT
value: signoz-otel-collector-external.signoz.svc.cluster.local:4317
- name: TRACING_INSECURE
value: "True"
- name: SERVER_ENABLE_SYNC_RESOURCES
value: "True"
- name: SERVER_DELETED_TASK_MAX_AGE_DAYS
value: "1"
- name: SERVER_EXPIRED_TASK_NOTIFICATION_HOUR
value: "17"
- name: LANG
value: C.UTF-8
- name: LC_ALL
value: C.UTF-8
- name: PYTHONUTF8
value: "1"
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: password
- name: DB_DATABASE
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: database
- name: DB_HOST
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: host
- name: DB_PORT
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: port
- name: S3_HOST
valueFrom:
secretKeyRef:
name: ya-s3-secret-pm
key: host
- name: S3_LOGIN
valueFrom:
secretKeyRef:
name: ya-s3-secret-pm
key: login
- name: S3_PASSWORD
valueFrom:
secretKeyRef:
name: ya-s3-secret-pm
key: password
- name: S3_BUCKET
valueFrom:
secretKeyRef:
name: ya-s3-secret-pm
key: bucket
- name: CACHE_HOST
valueFrom:
secretKeyRef:
name: cache-secret-pm
key: host
- name: CACHE_PORT
valueFrom:
secretKeyRef:
name: cache-secret-pm
key: port
- name: CACHE_PASSWORD
valueFrom:
secretKeyRef:
name: cache-secret-pm
key: password
- name: CACHE_SSL
valueFrom:
secretKeyRef:
name: cache-secret-pm
key: ssl
- name: CACHE_SSL_CA_CERTS
valueFrom:
secretKeyRef:
name: cache-secret-pm
key: ssl_ca_certs
- name: CACHE_ENABLE
valueFrom:
secretKeyRef:
name: cache-secret-pm
key: enable
- name: CLICKHOUSE_HOST
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: host
- name: CLICKHOUSE_PORT
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: port
- name: CLICKHOUSE_USER
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: user
- name: CLICKHOUSE_PASSWORD
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: password
- name: CLICKHOUSE_DATABASE
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: database
- name: CLICKHOUSE_TABLE
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: table
- name: CLICKHOUSE_SECURE
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: secure
- name: CLICKHOUSE_VERIFY
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: verify
- name: CLICKHOUSE_CERT
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: cert
- name: CLICKHOUSE_ENABLE
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: enable
- name: KAFKA_ENABLE
valueFrom:
secretKeyRef:
name: ya-kafka-secret-pm
key: enable
- name: KAFKA_BOOTSTRAP_SERVERS
valueFrom:
secretKeyRef:
name: ya-kafka-secret-pm
key: bootstrap_servers
- name: KAFKA_SECURITY_PROTOCOL
valueFrom:
secretKeyRef:
name: ya-kafka-secret-pm
key: security_protocol
- name: KAFKA_SASL_MECHANISM
valueFrom:
secretKeyRef:
name: ya-kafka-secret-pm
key: sasl_mechanism
- name: KAFKA_SASL_PLAIN_USERNAME
valueFrom:
secretKeyRef:
name: ya-kafka-secret-pm
key: sasl_username
- name: KAFKA_SASL_PLAIN_PASSWORD
valueFrom:
secretKeyRef:
name: ya-kafka-secret-pm
key: sasl_password
- name: KAFKA_SSL_CAFILE
valueFrom:
secretKeyRef:
name: ya-kafka-secret-pm
key: ssl_cafile
- name: KAFKA_TOPICS
valueFrom:
secretKeyRef:
name: ya-kafka-secret-pm
key: topics
- name: CELERY_RABBITMQ_HOST
valueFrom:
secretKeyRef:
name: rabbit-secret-pm
key: host
- name: CELERY_RABBITMQ_PORT
valueFrom:
secretKeyRef:
name: rabbit-secret-pm
key: port
- name: CELERY_RABBITMQ_USER
valueFrom:
secretKeyRef:
name: rabbit-secret-pm
key: user
- name: CELERY_RABBITMQ_PASSWORD
valueFrom:
secretKeyRef:
name: rabbit-secret-pm
key: password
- name: CELERY_RABBITMQ_VHOST
valueFrom:
secretKeyRef:
name: rabbit-secret-pm
key: vhost
- name: AUTH_PUBLIC_TOKEN_URL
valueFrom:
secretKeyRef:
name: server-secret-pm
key: auth_public_token_url
- name: SERVER_HOST
valueFrom:
secretKeyRef:
name: server-secret-pm
key: server_host
- name: SERVER_API_HOST
valueFrom:
secretKeyRef:
name: server-secret-pm
key: server_api_host
- name: SERVER_DEBUG
valueFrom:
secretKeyRef:
name: server-secret-pm
key: server_debug
- name: SERVER_ALLOWED_HOSTS
valueFrom:
secretKeyRef:
name: server-secret-pm
key: server_allowed_hosts
- name: SERVER_USE_OTEL
valueFrom:
secretKeyRef:
name: server-secret-pm
key: server_use_otel
- name: SERVER_VERIFY_SSL
valueFrom:
secretKeyRef:
name: server-secret-pm
key: server_verify_ssl
- name: SERVER_LOG_LEVEL
valueFrom:
secretKeyRef:
name: server-secret-pm
key: server_log_level
resources: resources:
requests: requests:
cpu: 100m cpu: "1"
memory: 256Mi memory: 1Gi
volumeMounts: volumeMounts:
- name: uwsgi-configmap - name: ch-cert
mountPath: /opt/sarex/uwsgi.ini readOnly: true
subPath: uwsgi.ini mountPath: /root/clickhouse
- name: env-file
mountPath: /opt/sarex/.env
subPath: .env
- name: tmp-volume
mountPath: /tmp
- name: kafka-cert-volume
mountPath: /usr/local/share/ca-certificates
livenessProbe:
httpGet:
path: /ping
port: 8000
initialDelaySeconds: 10
periodSeconds: 60
failureThreshold: 10
readinessProbe:
httpGet:
path: /ping
port: 8000
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 20
volumes:
- name: tmp-volume
emptyDir: {}
- name: uwsgi-configmap
configMap:
name: backend-configmap
defaultMode: 420
items:
- key: uwsgi.ini
path: uwsgi.ini
- name: env-file
secret:
secretName: sarex-env
defaultMode: 420
- name: kafka-cert-volume
configMap:
name: kafka-cert
defaultMode: 420
imagePullSecrets: imagePullSecrets:
- name: regcred - name: regcred
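Review bot: The `livenessProbe` and `readinessProbe` blocks on `/ping` appear only on the old side at the end of this section, so the renamed `api` container seems to ship with no probes while the added strategy sets `maxUnavailable: 5` on a Deployment with `replicas: 1`. Without a readiness probe a new pod counts as ready as soon as its container starts, and that strategy lets the rollout take down the only serving pod first. I would keep the two `httpGet` probes (path `/ping`, port `8000`) under the renamed container and set `maxUnavailable: 0`. Separately, `TRACING_INSECURE` is hard-coded to `"True"` for a collector in the `signoz` namespace; if that flag disables TLS on the trace export, as the name suggests, add a comment such as `# plaintext OTLP inside the cluster; spans must not carry credentials or personal data` or point it at a TLS endpoint. The old/new side assignment here is inferred from the page layout, which has lost its +/- markers.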


@ -6,101 +6,330 @@ metadata:
namespace: pm namespace: pm
labels: labels:
app: celery app: celery
service: celery
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app: celery app: celery
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 5
maxUnavailable: 5
template: template:
metadata: metadata:
labels: labels:
app: celery app: celery
monitoring: prometheus service: celery
spec: spec:
affinity: volumes:
podAntiAffinity: - name: ch-cert
requiredDuringSchedulingIgnoredDuringExecution: configMap:
- labelSelector: name: ch-cert
matchExpressions: items:
- key: app - key: CA.pem
operator: In path: RootCA.crt
values: defaultMode: 420
- backend
topologyKey: kubernetes.io/hostname
containers: containers:
- name: celery - name: celery
image: cr.yandex/crp3ccidau046kdj8g9q/pm-backend:production_c54c2123 image: cr.yandex/crp3ccidau046kdj8g9q/pm-backend:production_0843a55d
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: command:
- celery - celery
- -A - "-A"
- config - config
- worker - worker
- -B - "-B"
- -l - "-l"
- info - info
- -E - "-E"
- -Q - "-Q"
- pm - pm
- -n - "-n"
- default_worker.%h - default_worker.%h
- --concurrency=2 - "--concurrency=2"
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
protocol: TCP protocol: TCP
env: env:
- name: PLANNING_HOST - name: K8S_POD_UID
value: http://backend-service.pm.svc.cluster.local:8000/api/pm/msp valueFrom:
- name: PLANNING_USE fieldRef:
value: "True" apiVersion: v1
fieldPath: metadata.uid
- name: K8S_POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: K8S_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: OTEL_RESOURCE_ATTRIBUTES
value: >-
k8s.pod.uid=$(K8S_POD_UID),k8s.pod.name=$(K8S_POD_NAME),k8s.namespace.name=$(K8S_NAMESPACE)
- name: USERS_INTERNAL_HOST - name: USERS_INTERNAL_HOST
value: http://backend.django.svc.cluster.local:8000 value: http://backend-service.sarex.svc.cluster.local:8000
- name: CELERY_REDIS_HOST
value: redis-service.pm.svc.cluster.local
- name: RESOURCES_INTERNAL_HOST - name: RESOURCES_INTERNAL_HOST
value: http://resources-service.resources.svc.cluster.local:8000 value: http://sarex-resources-service.resources
- name: EAV_HOST - name: EAV_HOST
value: http://eav-service.eav.svc.cluster.local:8000 value: http://eav-service.eav
- name: EAV_API_PREFIX - name: EAV_API_PREFIX
value: /api/v0 value: /api/v0
- name: EAV_API_PREFIX_V1 - name: EAV_API_PREFIX_V1
value: /api/v1 value: /api/v1
- name: TRACING_ENDPOINT
value: signoz-otel-collector-external.signoz.svc.cluster.local:4317
- name: TRACING_INSECURE
value: "True"
- name: SERVER_ENABLE_SYNC_RESOURCES
value: "True"
- name: SERVER_DELETED_TASK_MAX_AGE_DAYS
value: "1"
- name: SERVER_EXPIRED_TASK_NOTIFICATION_HOUR
value: "17"
- name: LANG
value: C.UTF-8
- name: LC_ALL
value: C.UTF-8
- name: PYTHONUTF8
value: "1"
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: password
- name: DB_DATABASE
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: database
- name: DB_HOST
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: host
- name: DB_PORT
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: port
- name: S3_HOST
valueFrom:
secretKeyRef:
name: ya-s3-secret-pm
key: host
- name: S3_LOGIN
valueFrom:
secretKeyRef:
name: ya-s3-secret-pm
key: login
- name: S3_PASSWORD
valueFrom:
secretKeyRef:
name: ya-s3-secret-pm
key: password
- name: S3_BUCKET
valueFrom:
secretKeyRef:
name: ya-s3-secret-pm
key: bucket
- name: CACHE_HOST
valueFrom:
secretKeyRef:
name: cache-secret-pm
key: host
- name: CACHE_PORT
valueFrom:
secretKeyRef:
name: cache-secret-pm
key: port
- name: CACHE_PASSWORD
valueFrom:
secretKeyRef:
name: cache-secret-pm
key: password
- name: CACHE_SSL
valueFrom:
secretKeyRef:
name: cache-secret-pm
key: ssl
- name: CACHE_SSL_CA_CERTS
valueFrom:
secretKeyRef:
name: cache-secret-pm
key: ssl_ca_certs
- name: CACHE_ENABLE
valueFrom:
secretKeyRef:
name: cache-secret-pm
key: enable
- name: CLICKHOUSE_HOST
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: host
- name: CLICKHOUSE_PORT
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: port
- name: CLICKHOUSE_USER
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: user
- name: CLICKHOUSE_PASSWORD
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: password
- name: CLICKHOUSE_DATABASE
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: database
- name: CLICKHOUSE_TABLE
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: table
- name: CLICKHOUSE_SECURE
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: secure
- name: CLICKHOUSE_VERIFY
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: verify
- name: CLICKHOUSE_CERT
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: cert
- name: CLICKHOUSE_ENABLE
valueFrom:
secretKeyRef:
name: clickhouse-secret-pm
key: enable
- name: KAFKA_ENABLE
valueFrom:
secretKeyRef:
name: ya-kafka-secret-pm
key: enable
- name: KAFKA_BOOTSTRAP_SERVERS
valueFrom:
secretKeyRef:
name: ya-kafka-secret-pm
key: bootstrap_servers
- name: KAFKA_SECURITY_PROTOCOL
valueFrom:
secretKeyRef:
name: ya-kafka-secret-pm
key: security_protocol
- name: KAFKA_SASL_MECHANISM
valueFrom:
secretKeyRef:
name: ya-kafka-secret-pm
key: sasl_mechanism
- name: KAFKA_SASL_PLAIN_USERNAME
valueFrom:
secretKeyRef:
name: ya-kafka-secret-pm
key: sasl_username
- name: KAFKA_SASL_PLAIN_PASSWORD
valueFrom:
secretKeyRef:
name: ya-kafka-secret-pm
key: sasl_password
- name: KAFKA_SSL_CAFILE
valueFrom:
secretKeyRef:
name: ya-kafka-secret-pm
key: ssl_cafile
- name: KAFKA_TOPICS
valueFrom:
secretKeyRef:
name: ya-kafka-secret-pm
key: topics
- name: CELERY_RABBITMQ_HOST
valueFrom:
secretKeyRef:
name: rabbit-secret-pm
key: host
- name: CELERY_RABBITMQ_PORT
valueFrom:
secretKeyRef:
name: rabbit-secret-pm
key: port
- name: CELERY_RABBITMQ_USER
valueFrom:
secretKeyRef:
name: rabbit-secret-pm
key: user
- name: CELERY_RABBITMQ_PASSWORD
valueFrom:
secretKeyRef:
name: rabbit-secret-pm
key: password
- name: CELERY_RABBITMQ_VHOST
valueFrom:
secretKeyRef:
name: rabbit-secret-pm
key: vhost
- name: AUTH_PUBLIC_TOKEN_URL
valueFrom:
secretKeyRef:
name: server-secret-pm
key: auth_public_token_url
- name: SERVER_HOST
valueFrom:
secretKeyRef:
name: server-secret-pm
key: server_host
- name: SERVER_API_HOST
valueFrom:
secretKeyRef:
name: server-secret-pm
key: server_api_host
- name: SERVER_DEBUG
valueFrom:
secretKeyRef:
name: server-secret-pm
key: server_debug
- name: SERVER_ALLOWED_HOSTS
valueFrom:
secretKeyRef:
name: server-secret-pm
key: server_allowed_hosts
- name: SERVER_USE_OTEL
valueFrom:
secretKeyRef:
name: server-secret-pm
key: server_use_otel
- name: SERVER_VERIFY_SSL
valueFrom:
secretKeyRef:
name: server-secret-pm
key: server_verify_ssl
- name: SERVER_LOG_LEVEL
valueFrom:
secretKeyRef:
name: server-secret-pm
key: server_log_level
resources: resources:
requests: requests:
cpu: 100m memory: 1Gi
memory: 256Mi
volumeMounts: volumeMounts:
- name: uwsgi-configmap
mountPath: /opt/sarex/uwsgi.ini
subPath: uwsgi.ini
- name: env-file
mountPath: /opt/sarex/.env
subPath: .env
- name: tmp-volume - name: tmp-volume
mountPath: /tmp mountPath: /tmp
- name: kafka-cert-volume
mountPath: /usr/local/share/ca-certificates
volumes:
- name: tmp-volume
emptyDir: {}
- name: uwsgi-configmap
configMap:
name: backend-configmap
defaultMode: 420
items:
- key: uwsgi.ini
path: uwsgi.ini
- name: env-file
secret:
secretName: sarex-env
defaultMode: 420
- name: kafka-cert-volume
configMap:
name: kafka-cert
defaultMode: 420
imagePullSecrets: imagePullSecrets:
- name: regcred - name: regcred
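Review bot: The new side still mounts `tmp-volume` at `/tmp` under `volumeMounts`, but the only volume the new pod spec defines is `ch-cert`; the `volumes:` list that declared `tmp-volume` as `emptyDir: {}` appears only on the old side at the end of the section. If that reading of the layout is right, the API server will reject the Deployment because the mount names a volume that does not exist. Either add `- name: tmp-volume` with `emptyDir: {}` to the new `volumes:` list or drop the mount. `ch-cert` is in turn defined but never mounted in this container, unlike the backend section where it is mounted read-only at `/root/clickhouse`, so if `CLICKHOUSE_CERT` holds a path under that mount it will not resolve in the worker. The resources block also appears to lose its `cpu` request and sets no `limits`, which leaves a worker that holds every backing-service credential unbounded on the node.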


@ -7,6 +7,4 @@ resources:
# - backend-deployment.yaml # - backend-deployment.yaml
- backend-service.yaml - backend-service.yaml
# - celery-deployment.yaml # - celery-deployment.yaml
# - redis-deployment.yaml
# - redis-service.yaml
- backend-configmap.yaml - backend-configmap.yaml