vault + resources

apps/resources/base/backend-deployment.yaml

@@ -14,7 +14,32 @@ spec:
     metadata:
       labels:
         app: backend
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: resources
+        vault.hashicorp.com/agent-inject-secret-resources-db: secrets/data/postgresql/apps/resources
+        vault.hashicorp.com/agent-inject-template-resources-db: |-
+          {{- with secret "secrets/data/postgresql/apps/resources" -}}
+          DATABASE_HOST=postgresql.resources.svc.cluster.local
+          DATABASE_PORT=5432
+          DATABASE_NAME=resources_db
+          DATABASE_USER={{ index .Data.data "username" }}
+          DATABASE_PASSWORD={{ index .Data.data "password" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-resources-s3: secrets/data/minio/apps/resources
+        vault.hashicorp.com/agent-inject-template-resources-s3: |-
+          {{- with secret "secrets/data/minio/apps/resources" -}}
+          YC_S3_ENDPOINT_URL={{ index .Data.data.client "endpoint" }}
+          YC_S3_BUCKET_NAME=resources
+          YC_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
+          YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
+          {{- end -}}
     spec:
+      serviceAccountName: resources-vault
       volumes:
         - name: django-configmap
           configMap:
@@ -28,6 +53,14 @@ spec:
         - name: backend
           image: cr.yandex/crp3ccidau046kdj8g9q/sarex-resources:prod_d642ef88
           imagePullPolicy: IfNotPresent
+          command: ["/bin/sh", "-ec"]
+          args:
+            - |
+              set -a
+              [ -f /vault/secrets/resources-db ] && . /vault/secrets/resources-db
+              [ -f /vault/secrets/resources-s3 ] && . /vault/secrets/resources-s3
+              set +a
+              exec /server/entrypoint.sh
 
           ports:
             - name: http
@@ -39,51 +72,6 @@ spec:
               value: config.settings.production
             - name: API_ADDRESS
               value: "8000"
-            - name: DATABASE_NAME
-              valueFrom:
-                secretKeyRef:
-                  key: database
-                  name: postgresql-secret
-            - name: DATABASE_HOST
-              valueFrom:
-                secretKeyRef:
-                  key: hostname
-                  name: postgresql-secret
-            - name: DATABASE_USER
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: postgresql-secret
-            - name: DATABASE_PORT
-              valueFrom:
-                secretKeyRef:
-                  key: port
-                  name: postgresql-secret
-            - name: DATABASE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: postgresql-secret
-            - name: YC_S3_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: s3-secret
-            - name: YC_S3_ENDPOINT_URL
-              valueFrom:
-                secretKeyRef:
-                  key: host
-                  name: s3-secret
-            - name: YC_S3_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: s3-secret
-            - name: YC_S3_BUCKET_NAME
-              valueFrom:
-                secretKeyRef:
-                  key: bucket
-                  name: s3-secret
 
 
           resources:
@@ -97,20 +85,20 @@ spec:
               subPath: production.py
 
           livenessProbe:
-            httpGet:
+            tcpSocket:
-              path: /ping
               port: 8000
-            initialDelaySeconds: 10
+            initialDelaySeconds: 20
-            periodSeconds: 60
+            periodSeconds: 30
-            failureThreshold: 10
+            timeoutSeconds: 3
+            failureThreshold: 5
 
           readinessProbe:
-            httpGet:
+            tcpSocket:
-              path: /ping
               port: 8000
-            initialDelaySeconds: 5
+            initialDelaySeconds: 10
-            periodSeconds: 5
+            periodSeconds: 10
-            failureThreshold: 20
+            timeoutSeconds: 3
+            failureThreshold: 6
 
       imagePullSecrets:
-        - name: regcred
+        - name: regcred

apps/resources/base/kustomization.yaml

@@ -4,6 +4,7 @@ kind: Kustomization
 namespace: resources
 resources:
   - namespace.yaml
+  - serviceaccount.yaml
   - backend-deployment.yaml
   - backend-service.yaml
   - django-configmap.yaml

apps/resources/base/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: resources-vault
+  namespace: resources

apps/resources/yc-k8s-test/kustomization.yaml

@@ -8,4 +8,4 @@ patches:
   - path: replicas.yaml
     target:
       kind: Deployment
-      name: comparisons
+      name: backend

apps/resources/yc-k8s-test/postgresql.yaml

@@ -9,7 +9,7 @@ spec:
   chart:
     spec:
       chart: postgresql-contour
-      version: "17.0.2"
+      version: "17.0.7"
       sourceRef:
         kind: HelmRepository
         name: yc-oci-charts
@@ -44,7 +44,7 @@ spec:
     image:
       registry: cr.yandex/crp3ccidau046kdj8g9q
       repository: contour/postgresql
-      tag: 17.0.2
+      tag: 17.0.7
       pullPolicy: Always
     metrics:
       enabled: false
@@ -61,7 +61,7 @@ spec:
           command:
             - /bin/sh
             - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
         initialDelaySeconds: 30
         periodSeconds: 10
         timeoutSeconds: 5
@@ -72,7 +72,7 @@ spec:
           command:
             - /bin/sh
             - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
         initialDelaySeconds: 5
         periodSeconds: 10
         timeoutSeconds: 5
@@ -83,7 +83,7 @@ spec:
           command:
             - /bin/sh
             - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
         initialDelaySeconds: 30
         periodSeconds: 10
         timeoutSeconds: 5
@@ -101,13 +101,20 @@ spec:
           effect: NoSchedule
     contour:
       enabled: true
-      adminUser: ""
+      adminUser: "postgres"
-      adminPasswordSecretKey: ""
       sharedPreloadLibraries: "pg_stat_statements,uuid-ossp,ltree,postgis"
+      vault:
+        enabled: true
+        role: postgresql
+        authPath: auth/kubernetes
+        secretPath: secrets/data/postgresql/admin
+        secretKey: postgres-password
+        usersSecretPath: secrets/data/postgresql/users
       databases:
         - name: resources_db
           user: resources
+          passwordKey: resources
           extensions: []
           restoreFromDump: false
       s3-proxy:
-        endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
+        endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"