From bc8698b5dba7e38e6cee54c44c8675735b69f499 Mon Sep 17 00:00:00 2001 From: emelinda Date: Fri, 24 Apr 2026 17:21:56 +0300 Subject: [PATCH 1/3] Migrate `attachments` app to HelmRelease: replace Deployment and Service with HelmRelease and update kustomization configuration. --- apps/attachments/base/deployment.yaml | 70 -------------- apps/attachments/base/helmrelease.yaml | 111 +++++++++++++++++++++++ apps/attachments/base/kustomization.yaml | 3 +- apps/attachments/base/service.yaml | 14 --- 4 files changed, 112 insertions(+), 86 deletions(-) delete mode 100644 apps/attachments/base/deployment.yaml create mode 100644 apps/attachments/base/helmrelease.yaml delete mode 100644 apps/attachments/base/service.yaml diff --git a/apps/attachments/base/deployment.yaml b/apps/attachments/base/deployment.yaml deleted file mode 100644 index 817c6c7..0000000 --- a/apps/attachments/base/deployment.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: attachments - namespace: attachments - labels: - app: attachments -spec: - replicas: 1 - selector: - matchLabels: - app: attachments - template: - metadata: - labels: - app: attachments - annotations: - traffic.sidecar.istio.io/excludeOutboundPorts: "8200" - vault.hashicorp.com/agent-init-first: "true" - vault.hashicorp.com/agent-inject: "true" - vault.hashicorp.com/agent-pre-populate-only: "true" - vault.hashicorp.com/auth-path: auth/kubernetes - vault.hashicorp.com/role: attachments - vault.hashicorp.com/agent-inject-secret-attachments-db: secrets/data/postgresql/apps/attachments - vault.hashicorp.com/agent-inject-template-attachments-db: |- - {{- with secret "secrets/data/postgresql/apps/attachments" -}} - DATABASE_HOST=postgresql.attachments.svc.cluster.local - DATABASE_PORT=5432 - DATABASE_NAME=attachments_db - DATABASE_USER={{ index .Data.data "username" }} - DATABASE_PASSWORD={{ index .Data.data "password" }} - DATABASE_SSL_MODE=disable - {{- end -}} - vault.hashicorp.com/agent-inject-secret-attachments-s3: secrets/data/minio/apps/attachments - vault.hashicorp.com/agent-inject-template-attachments-s3: |- - {{- with secret "secrets/data/minio/apps/attachments" -}} - YANDEX_S3_ENDPOINT_URL=minio.minio:9000 - YANDEX_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }} - YANDEX_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }} - YANDEX_S3_USE_SSL=false - YANDEX_S3_REGION=ru-central - YANDEX_S3_VERIFY=false - BUCKET_NAME=attachments - {{- end -}} - spec: - serviceAccountName: attachments-vault - containers: - - name: attachments - image: cr.yandex/crp3ccidau046kdj8g9q/attachments:feature_6238c882 - imagePullPolicy: IfNotPresent - command: ["/bin/bash", "-ec"] - args: - - | - set -a - [ -f /vault/secrets/attachments-db ] && . /vault/secrets/attachments-db - [ -f /vault/secrets/attachments-s3 ] && . 
/vault/secrets/attachments-s3 - set +a - exec /opt/attachments/entrypoint.sh - ports: - - name: http - containerPort: 8000 - protocol: TCP - env: - - name: POSTGRES_POOL_SIZE - value: "10" - - name: API_ADDRESS - value: 0.0.0.0:8000 - imagePullSecrets: - - name: regcred diff --git a/apps/attachments/base/helmrelease.yaml b/apps/attachments/base/helmrelease.yaml new file mode 100644 index 0000000..5294201 --- /dev/null +++ b/apps/attachments/base/helmrelease.yaml 
@@ -0,0 +1,111 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: attachments + namespace: attachments +spec: + interval: 10m + chart: + spec: + chart: universal-chart + version: "0.1.8" + sourceRef: + kind: HelmRepository + name: yc-oci-charts + namespace: flux-system + interval: 10m + install: + remediation: + retries: 3 + upgrade: + remediation: + retries: 3 + values: + global: + env: _default + services: + attachments: + enabled: true + serviceAccount: + # Не создаём SA — используем существующий из base/serviceaccount.yaml. + name: + _default: attachments-vault + deployment: + enabled: true + name: + _default: attachments + replicaCount: + _default: 1 + port: + _default: 8000 + command: + _default: ["/bin/bash", "-ec"] + args: + _default: + - | + set -a + [ -f /vault/secrets/attachments-db ] && . /vault/secrets/attachments-db + [ -f /vault/secrets/attachments-s3 ] && . /vault/secrets/attachments-s3 + set +a + exec /opt/attachments/entrypoint.sh + image: + name: + _default: cr.yandex/crp3ccidau046kdj8g9q/attachments:feature_6238c882 + pullPolicy: + _default: IfNotPresent + service: + enabled: true + name: + _default: attachments-service + type: + _default: ClusterIP + port: + _default: 8000 + targetPort: + _default: 8000 + portName: + _default: http + imagePullSecrets: + enabled: + _default: true + name: + _default: regcred + envs: + - name: POSTGRES_POOL_SIZE + value: + _default: "10" + - name: API_ADDRESS + value: + _default: 0.0.0.0:8000 + podAnnotations: + _default: + # Порт Vault 8200 добавлен к дефолтным портам трейсинга — иначе + # чарт перезатрёт их одиночным "8200" и SigNoz перестанет ходить. 
+ traffic.sidecar.istio.io/excludeOutboundPorts: "4317,4318,9411,8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: attachments + vault.hashicorp.com/agent-inject-secret-attachments-db: secrets/data/postgresql/apps/attachments + vault.hashicorp.com/agent-inject-template-attachments-db: |- + {{- with secret "secrets/data/postgresql/apps/attachments" -}} + DATABASE_HOST=postgresql.attachments.svc.cluster.local + DATABASE_PORT=5432 + DATABASE_NAME=attachments_db + DATABASE_USER={{ index .Data.data "username" }} + DATABASE_PASSWORD={{ index .Data.data "password" }} + DATABASE_SSL_MODE=disable + {{- end -}} + vault.hashicorp.com/agent-inject-secret-attachments-s3: secrets/data/minio/apps/attachments + vault.hashicorp.com/agent-inject-template-attachments-s3: |- + {{- with secret "secrets/data/minio/apps/attachments" -}} + YANDEX_S3_ENDPOINT_URL=minio.minio:9000 + YANDEX_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }} + YANDEX_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }} + YANDEX_S3_USE_SSL=false + YANDEX_S3_REGION=ru-central + YANDEX_S3_VERIFY=false + BUCKET_NAME=attachments + {{- end -}} diff --git a/apps/attachments/base/kustomization.yaml b/apps/attachments/base/kustomization.yaml index 2487bc6..119e803 100644 --- a/apps/attachments/base/kustomization.yaml +++ b/apps/attachments/base/kustomization.yaml @@ -5,5 +5,4 @@ namespace: attachments resources: - namespace.yaml - serviceaccount.yaml - - deployment.yaml - - service.yaml + - helmrelease.yaml diff --git a/apps/attachments/base/service.yaml b/apps/attachments/base/service.yaml deleted file mode 100644 index 90823b9..0000000 --- a/apps/attachments/base/service.yaml +++ /dev/null 
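Review bot: The two Vault templates under `podAnnotations` render secret values unquoted (`DATABASE_PASSWORD={{ index .Data.data "password" }}`) into files that the container `args` then source with `. /vault/secrets/attachments-db` under `set -a`, so bash parses each value instead of reading it literally. A password or key containing whitespace, `$`, a backtick or a quote would be split or expanded by the shell rather than exported as stored in Vault. Quoting the rendered values, e.g. `DATABASE_PASSWORD='{{ index .Data.data "password" }}'` (and likewise for `username`, `access_key` and `secret_key`), removes most of that risk, though it still assumes the secrets contain no single quote. Separately, the same templates keep `DATABASE_SSL_MODE=disable`, `YANDEX_S3_USE_SSL=false` and `YANDEX_S3_VERIFY=false`, so these credentials are protected in transit only if the mesh sidecar covers ports 5432 and 9000, which this file does not show. A comment next to those lines stating that assumption would make the choice reviewable.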
@@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: attachments-service - namespace: attachments -spec: - type: ClusterIP - selector: - app: attachments - ports: - - port: 8000 - targetPort: 8000 - protocol: TCP From 82c501dc71c9618ad3d9aa97196e50561237685b Mon Sep 17 00:00:00 2001 From: emelinda Date: Fri, 24 Apr 2026 17:24:23 +0300 Subject: [PATCH 2/3] Migrate `attachments` app to HelmRelease: update replicas and kustomization configuration --- apps/attachments/yc-k8s-test/kustomization.yaml | 2 +- apps/attachments/yc-k8s-test/replicas.yaml | 11 ++++++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/apps/attachments/yc-k8s-test/kustomization.yaml b/apps/attachments/yc-k8s-test/kustomization.yaml index c643c00..2e6e31b 100644 --- a/apps/attachments/yc-k8s-test/kustomization.yaml +++ b/apps/attachments/yc-k8s-test/kustomization.yaml @@ -7,5 +7,5 @@ resources: patches: - path: replicas.yaml target: - kind: Deployment + kind: HelmRelease name: attachments diff --git a/apps/attachments/yc-k8s-test/replicas.yaml b/apps/attachments/yc-k8s-test/replicas.yaml index 264fcf4..02e55f7 100644 --- a/apps/attachments/yc-k8s-test/replicas.yaml +++ b/apps/attachments/yc-k8s-test/replicas.yaml @@ -1,8 +1,13 @@ --- -apiVersion: apps/v1 -kind: Deployment +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease metadata: name: attachments namespace: attachments spec: - replicas: 1 + values: + services: + attachments: + deployment: + replicaCount: + _default: 1 From fc728939d1c03b8d431d8383531fdc462f9c0edb Mon Sep 17 00:00:00 2001 From: emelinda Date: Fri, 24 Apr 2026 17:26:39 +0300 Subject: [PATCH 3/3] Remove unused ServiceAccount from `attachments` app and update HelmRelease configuration --- apps/attachments/base/helmrelease.yaml | 3 ++- apps/attachments/base/kustomization.yaml | 1 - apps/attachments/base/serviceaccount.yaml | 5 ----- 3 files changed, 2 insertions(+), 7 deletions(-) delete mode 100644 apps/attachments/base/serviceaccount.yaml 
diff --git a/apps/attachments/base/helmrelease.yaml b/apps/attachments/base/helmrelease.yaml index 5294201..840db71 100644 --- a/apps/attachments/base/helmrelease.yaml +++ b/apps/attachments/base/helmrelease.yaml @@ -28,7 +28,8 @@ spec: attachments: enabled: true serviceAccount: - # Не создаём SA — используем существующий из base/serviceaccount.yaml. + enabled: + _default: true name: _default: attachments-vault deployment: diff --git a/apps/attachments/base/kustomization.yaml b/apps/attachments/base/kustomization.yaml index 119e803..9cb4143 100644 --- a/apps/attachments/base/kustomization.yaml +++ b/apps/attachments/base/kustomization.yaml @@ -4,5 +4,4 @@ kind: Kustomization namespace: attachments resources: - namespace.yaml - - serviceaccount.yaml - helmrelease.yaml diff --git a/apps/attachments/base/serviceaccount.yaml b/apps/attachments/base/serviceaccount.yaml deleted file mode 100644 index d766ce1..0000000 --- a/apps/attachments/base/serviceaccount.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: attachments-vault - namespace: attachments
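Review bot: Setting `serviceAccount.enabled._default: true` moves ownership of `attachments-vault` from the kustomize-managed manifest (deleted in this same patch) to the chart, and nothing in the hunk shows what the chart renders for it. The pod's Vault annotations from the first patch (`vault.hashicorp.com/role: attachments`, `auth-path: auth/kubernetes`) presumably rely on a role bound to this ServiceAccount name and namespace, so it is worth confirming that the chart creates it under exactly this name with token mounting left enabled. If the old object still exists when Helm reconciles, the upgrade may be rejected for missing Helm ownership metadata until Flux prunes it; `retries: 3` may or may not absorb that. The removed comment could be replaced with `# SA is created by the chart; the name must match the Vault role's bound service account.` so the coupling stays documented. The `serviceAccount` mapping continues outside the hunk.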