From 8a897b9ceed624452a71c04a56e175c1fc8627b4 Mon Sep 17 00:00:00 2001
From: Kochetkov S
Date: Wed, 22 Apr 2026 13:48:08 +0300
Subject: [PATCH] vault + resources

---
 apps/resources/base/backend-deployment.yaml | 100 ++++++++----------
 apps/resources/base/kustomization.yaml | 1 +
 apps/resources/base/serviceaccount.yaml | 5 +
 apps/resources/yc-k8s-test/kustomization.yaml | 2 +-
 apps/resources/yc-k8s-test/postgresql.yaml | 23 ++--
 5 files changed, 66 insertions(+), 65 deletions(-)
 create mode 100644 apps/resources/base/serviceaccount.yaml

diff --git a/apps/resources/base/backend-deployment.yaml b/apps/resources/base/backend-deployment.yaml
index 4b763e5..adff2d6 100644
--- a/apps/resources/base/backend-deployment.yaml
+++ b/apps/resources/base/backend-deployment.yaml
@@ -14,7 +14,32 @@ spec:
 metadata:
 labels:
 app: backend
+ annotations:
+ traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+ vault.hashicorp.com/agent-init-first: "true"
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/auth-path: auth/kubernetes
+ vault.hashicorp.com/role: resources
+ vault.hashicorp.com/agent-inject-secret-resources-db: secrets/data/postgresql/apps/resources
+ vault.hashicorp.com/agent-inject-template-resources-db: |-
+ {{- with secret "secrets/data/postgresql/apps/resources" -}}
+ DATABASE_HOST=postgresql.resources.svc.cluster.local
+ DATABASE_PORT=5432
+ DATABASE_NAME=resources_db
+ DATABASE_USER={{ index .Data.data "username" }}
+ DATABASE_PASSWORD={{ index .Data.data "password" }}
+ {{- end -}}
+ vault.hashicorp.com/agent-inject-secret-resources-s3: secrets/data/minio/apps/resources
+ vault.hashicorp.com/agent-inject-template-resources-s3: |-
+ {{- with secret "secrets/data/minio/apps/resources" -}}
+ YC_S3_ENDPOINT_URL={{ index .Data.data.client "endpoint" }}
+ YC_S3_BUCKET_NAME=resources
+ YC_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
+ YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
+ {{- end -}}
 spec:
+ serviceAccountName: resources-vault
 volumes:
 - name: django-configmap
 configMap:
@@ -28,6 +53,14 @@ spec:
 - name: backend
 image: cr.yandex/crp3ccidau046kdj8g9q/sarex-resources:prod_d642ef88
 imagePullPolicy: IfNotPresent
+ command: ["/bin/sh", "-ec"]
+ args:
+ - |
+ set -a
+ [ -f /vault/secrets/resources-db ] && . /vault/secrets/resources-db
+ [ -f /vault/secrets/resources-s3 ] && . /vault/secrets/resources-s3
+ set +a
+ exec /server/entrypoint.sh
 ports:
 - name: http
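Review bot: The `agent-inject-template-resources-db` and `agent-inject-template-resources-s3` templates write the secret values unquoted (`DATABASE_PASSWORD={{ index .Data.data "password" }}`, `YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}`), and the rendered files are then sourced with `.` by the container's shell wrapper in the next hunk, so any value containing whitespace, `$`, `;`, `#` or quotes changes how the shell parses that line instead of landing verbatim in the variable. Wrapping each templated value in single quotes, e.g. `DATABASE_PASSWORD='{{ index .Data.data "password" }}'`, stops the shell from interpreting anything except a literal `'`; a credential that may itself contain `'` would still need escaping in the template, so it is worth stating in a comment which characters the Vault-side generator is allowed to produce. `agent-pre-populate-only: "true"` also means, as far as I understand the injector, that the files are rendered once by the init container and never refreshed, so a rotated credential reaches this pod only on restart — a one-line comment on that annotation would make the intent explicit. Finally, `excludeOutboundPorts: "8200"` takes the agent's Vault traffic out of the Istio sidecar, so that hop is not covered by mesh mTLS; I cannot see the agent's Vault address here, so please confirm it is an `https://` endpoint.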
@@ -39,51 +72,6 @@ spec:
 value: config.settings.production
 - name: API_ADDRESS
 value: "8000"
- - name: DATABASE_NAME
- valueFrom:
- secretKeyRef:
- key: database
- name: postgresql-secret
- - name: DATABASE_HOST
- valueFrom:
- secretKeyRef:
- key: hostname
- name: postgresql-secret
- - name: DATABASE_USER
- valueFrom:
- secretKeyRef:
- key: username
- name: postgresql-secret
- - name: DATABASE_PORT
- valueFrom:
- secretKeyRef:
- key: port
- name: postgresql-secret
- - name: DATABASE_PASSWORD
- valueFrom:
- secretKeyRef:
- key: password
- name: postgresql-secret
- - name: YC_S3_ACCESS_KEY_ID
- valueFrom:
- secretKeyRef:
- key: username
- name: s3-secret
- - name: YC_S3_ENDPOINT_URL
- valueFrom:
- secretKeyRef:
- key: host
- name: s3-secret
- - name: YC_S3_SECRET_ACCESS_KEY
- valueFrom:
- secretKeyRef:
- key: password
- name: s3-secret
- - name: YC_S3_BUCKET_NAME
- valueFrom:
- secretKeyRef:
- key: bucket
- name: s3-secret
 resources:
@@ -97,20 +85,20 @@ spec:
 subPath: production.py
 livenessProbe:
- httpGet:
- path: /ping
+ tcpSocket:
 port: 8000
- initialDelaySeconds: 10
- periodSeconds: 60
- failureThreshold: 10
+ initialDelaySeconds: 20
+ periodSeconds: 30
+ timeoutSeconds: 3
+ failureThreshold: 5
 readinessProbe:
- httpGet:
- path: /ping
+ tcpSocket:
 port: 8000
- initialDelaySeconds: 5
- periodSeconds: 5
- failureThreshold: 20
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 3
+ failureThreshold: 6
 imagePullSecrets:
- - name: regcred
\ No newline at end of file
+ - name: regcred
diff --git a/apps/resources/base/kustomization.yaml b/apps/resources/base/kustomization.yaml
index 149f532..0ccff81 100644
--- a/apps/resources/base/kustomization.yaml
+++ b/apps/resources/base/kustomization.yaml
@@ -4,6 +4,7 @@ kind: Kustomization
 namespace: resources
 resources:
 - namespace.yaml
+ - serviceaccount.yaml
 - backend-deployment.yaml
 - backend-service.yaml
 - django-configmap.yaml
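Review bot: Replacing the `httpGet` `/ping` probes with `tcpSocket` on port 8000 in the `@@ -97,20 +85,20 @@` hunk makes readiness pass as soon as the socket accepts, so a pod whose process is listening but cannot reach the database or S3 is still put behind the Service. That gap is wider after this commit than before: the shell wrapper added earlier in the file uses `[ -f /vault/secrets/resources-db ] && . /vault/secrets/resources-db`, which under `sh -e` silently continues when the file is absent, so the app can come up with no `DATABASE_*` variables at all and a TCP check will never notice. If `/ping` was dropped because it now depends on the backend being fully configured, that is exactly what readiness should observe; I would keep `httpGet` with `path: /ping` for the readiness probe and use `tcpSocket` only for liveness, where the lighter check is reasonable. The added `timeoutSeconds: 3` on both probes is a good change. The container spec these probes belong to starts before this hunk.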
diff --git a/apps/resources/base/serviceaccount.yaml b/apps/resources/base/serviceaccount.yaml
new file mode 100644
index 0000000..79827d3
--- /dev/null
+++ b/apps/resources/base/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: resources-vault
+ namespace: resources
diff --git a/apps/resources/yc-k8s-test/kustomization.yaml b/apps/resources/yc-k8s-test/kustomization.yaml
index 79e4c45..050d882 100644
--- a/apps/resources/yc-k8s-test/kustomization.yaml
+++ b/apps/resources/yc-k8s-test/kustomization.yaml
@@ -8,4 +8,4 @@ patches:
 - path: replicas.yaml
 target:
 kind: Deployment
- name: comparisons
+ name: backend
diff --git a/apps/resources/yc-k8s-test/postgresql.yaml b/apps/resources/yc-k8s-test/postgresql.yaml
index 432f999..8d4e3b7 100644
--- a/apps/resources/yc-k8s-test/postgresql.yaml
+++ b/apps/resources/yc-k8s-test/postgresql.yaml
@@ -9,7 +9,7 @@ spec:
 chart:
 spec:
 chart: postgresql-contour
- version: "17.0.2"
+ version: "17.0.7"
 sourceRef:
 kind: HelmRepository
 name: yc-oci-charts
@@ -44,7 +44,7 @@ spec:
 image:
 registry: cr.yandex/crp3ccidau046kdj8g9q
 repository: contour/postgresql
- tag: 17.0.2
+ tag: 17.0.7
 pullPolicy: Always
 metrics:
 enabled: false
@@ -61,7 +61,7 @@ spec:
 command:
 - /bin/sh
 - -c
- - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+ - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
 initialDelaySeconds: 30
 periodSeconds: 10
 timeoutSeconds: 5
@@ -72,7 +72,7 @@ spec:
 command:
 - /bin/sh
 - -c
- - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+ - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
 initialDelaySeconds: 5
 periodSeconds: 10
 timeoutSeconds: 5
@@ -83,7 +83,7 @@ spec:
 command:
 - /bin/sh
 - -c
- - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+ - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
 initialDelaySeconds: 30
 periodSeconds: 10
 timeoutSeconds: 5
@@ -101,13 +101,20 @@ spec:
 effect: NoSchedule
 contour:
 enabled: true
- adminUser: ""
- adminPasswordSecretKey: ""
+ adminUser: "postgres"
 sharedPreloadLibraries: "pg_stat_statements,uuid-ossp,ltree,postgis"
+ vault:
+ enabled: true
+ role: postgresql
+ authPath: auth/kubernetes
+ secretPath: secrets/data/postgresql/admin
+ secretKey: postgres-password
+ usersSecretPath: secrets/data/postgresql/users
 databases:
 - name: resources_db
 user: resources
+ passwordKey: resources
 extensions: []
 restoreFromDump: false
 s3-proxy:
- endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
\ No newline at end of file
+ endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
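Review bot: The chart is now pointed at `usersSecretPath: secrets/data/postgresql/users` with `passwordKey: resources` for the `resources` database user, while the backend deployment in this same commit renders `DATABASE_USER`/`DATABASE_PASSWORD` from `secrets/data/postgresql/apps/resources`; nothing on the page ties those two Vault paths together, so please confirm they hold the same credential, otherwise the app will authenticate with a different password than the one the chart provisions. A comment next to `usersSecretPath` naming the consumer path (`# must match the agent-inject-secret-resources-db path in base/backend-deployment.yaml`) would keep the two from drifting. The `pg_isready -U "postgres"` change in the three probes earlier in this file presumably tracks the new `adminUser: "postgres"`; pg_isready only reports whether the server accepts connections and does not need a valid user to do so, but a short note on `adminUser` that the probe commands mirror it would help the next reader. With the `DATABASE_*` and `YC_S3_*` `secretKeyRef` entries deleted from the deployment, the `postgresql-secret` and `s3-secret` Secrets may now be unreferenced; I cannot see where they are created, so it is worth checking whether they can be retired rather than left holding live credentials.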