sarex/iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

inspections + workspaces vault

Browse Source
This commit is contained in:
Kochetkov S 2026-04-22 15:36:22 +03:00
parent 67483099f6
commit 820b5a96fe
7 changed files with 81 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
apps/inspections/base/backend-deployment.yaml
View File

@ -15,11 +15,49 @@ spec:
metadata: metadata:
labels: labels:
app: inspections-backend app: inspections-backend
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: inspections
vault.hashicorp.com/agent-inject-secret-inspections-db: secrets/data/postgresql/apps/inspections
vault.hashicorp.com/agent-inject-template-inspections-db: |-
{{- with secret "secrets/data/postgresql/apps/inspections" -}}
DATABASE_HOST=postgresql.inspections.svc.cluster.local
DATABASE_PORT=5432
DATABASE_NAME=inspections_db
DATABASE_USER={{ index .Data.data "username" }}
DATABASE_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-inspections-kafka: secrets/data/kafka/apps/inspections
vault.hashicorp.com/agent-inject-template-inspections-kafka: |-
{{- with secret "secrets/data/kafka/apps/inspections" -}}
KAFKA_HOST={{ index .Data.data.auth "bootstrap_servers" }}
KAFKA_USERNAME={{ index .Data.data "username" }}
KAFKA_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-inspections-django-auth: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-inspections-django-auth: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
SAREX_BACKEND_AUTH={{ index .Data.data "key" }}
{{- end -}}
spec: spec:
serviceAccountName: inspections-vault
containers: containers:
- name: inspections-backend - name: inspections-backend
image: cr.yandex/crp3ccidau046kdj8g9q/sarex-inspections:production_1a33f6f4 image: cr.yandex/crp3ccidau046kdj8g9q/sarex-inspections:production_1a33f6f4
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/inspections-db ] && . /vault/secrets/inspections-db
[ -f /vault/secrets/inspections-kafka ] && . /vault/secrets/inspections-kafka
[ -f /vault/secrets/inspections-django-auth ] && . /vault/secrets/inspections-django-auth
set +a
exec ./entrypoint.sh
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@ -73,51 +111,6 @@ spec:
value: http://mailer-service.mailer:8000 value: http://mailer-service.mailer:8000
- name: MAILER_TIMEOUT - name: MAILER_TIMEOUT
value: "30" value: "30"
- name: DATABASE_USER
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: DATABASE_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: DATABASE_NAME
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: DATABASE_HOST
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: KAFKA_HOST
valueFrom:
secretKeyRef:
key: host
name: kafka-secret
- name: KAFKA_USERNAME
valueFrom:
secretKeyRef:
key: username
name: kafka-secret
- name: KAFKA_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: kafka-secret
- name: SAREX_BACKEND_AUTH
valueFrom:
secretKeyRef:
key: key
name: sarex-backend-auth-secret
resources: resources:
requests: requests:

1
apps/inspections/base/kustomization.yaml
View File

@ -4,5 +4,6 @@ kind: Kustomization
namespace: inspections namespace: inspections
resources: resources:
- namespace.yaml - namespace.yaml
- serviceaccount.yaml
- backend-deployment.yaml - backend-deployment.yaml
- backend-service.yaml - backend-service.yaml

5
apps/inspections/base/serviceaccount.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: inspections-vault
namespace: inspections

60
apps/workspaces/base/backend-deployment.yaml
View File

@ -15,11 +15,41 @@ spec:
metadata: metadata:
labels: labels:
app: workspaces-api app: workspaces-api
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: workspaces
vault.hashicorp.com/agent-inject-secret-workspaces-db: secrets/data/postgresql/apps/workspaces
vault.hashicorp.com/agent-inject-template-workspaces-db: |-
{{- with secret "secrets/data/postgresql/apps/workspaces" -}}
POSTGRES_ADDRESS=postgresql.workspaces.svc.cluster.local
POSTGRES_PORT=5432
POSTGRES_DB=workspaces_db
POSTGRES_USER={{ index .Data.data "username" }}
POSTGRES_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-workspaces-django-auth: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-workspaces-django-auth: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
DJANGO_BASIC_AUTH={{ index .Data.data "key" }}
{{- end -}}
spec: spec:
serviceAccountName: workspaces-vault
containers: containers:
- name: workspaces-api - name: workspaces-api
image: cr.yandex/crp3ccidau046kdj8g9q/workspaces:prod_4961b1f1 image: cr.yandex/crp3ccidau046kdj8g9q/workspaces:prod_4961b1f1
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/workspaces-db ] && . /vault/secrets/workspaces-db
[ -f /vault/secrets/workspaces-django-auth ] && . /vault/secrets/workspaces-django-auth
set +a
exec /api
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@ -51,36 +81,6 @@ spec:
value: http://backend.django.svc.cluster.local:8000 value: http://backend.django.svc.cluster.local:8000
- name: DJANGO_ORIGINATOR - name: DJANGO_ORIGINATOR
value: docs_prod value: docs_prod
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: POSTGRES_ADDRESS
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: DJANGO_BASIC_AUTH
valueFrom:
secretKeyRef:
key: key
name: django-auth
resources: resources:
requests: requests:

1
apps/workspaces/base/kustomization.yaml
View File

@ -4,6 +4,7 @@ kind: Kustomization
namespace: workspaces namespace: workspaces
resources: resources:
- namespace.yaml - namespace.yaml
- serviceaccount.yaml
- backend-deployment.yaml - backend-deployment.yaml
- backend-service.yaml - backend-service.yaml
- frontend-deployment.yaml - frontend-deployment.yaml

5
apps/workspaces/base/serviceaccount.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: workspaces-vault
namespace: workspaces

2
apps/workspaces/yc-k8s-test/kustomization.yaml
View File

@ -8,4 +8,4 @@ patches:
- path: replicas.yaml - path: replicas.yaml
target: target:
kind: Deployment kind: Deployment
name: comparisons name: workspaces-api