vault + resources

Kochetkov S 2026-04-22 13:48:08 +03:00
parent 0ee1fc7dd6
commit 8a897b9cee
5 changed files with 66 additions and 65 deletions


@ -14,7 +14,32 @@ spec:
metadata:
labels:
app: backend
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: resources
vault.hashicorp.com/agent-inject-secret-resources-db: secrets/data/postgresql/apps/resources
vault.hashicorp.com/agent-inject-template-resources-db: |-
{{- with secret "secrets/data/postgresql/apps/resources" -}}
DATABASE_HOST=postgresql.resources.svc.cluster.local
DATABASE_PORT=5432
DATABASE_NAME=resources_db
DATABASE_USER={{ index .Data.data "username" }}
DATABASE_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-resources-s3: secrets/data/minio/apps/resources
vault.hashicorp.com/agent-inject-template-resources-s3: |-
{{- with secret "secrets/data/minio/apps/resources" -}}
YC_S3_ENDPOINT_URL={{ index .Data.data.client "endpoint" }}
YC_S3_BUCKET_NAME=resources
YC_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
{{- end -}}
spec:
serviceAccountName: resources-vault
volumes:
- name: django-configmap
configMap:
@ -28,6 +53,14 @@ spec:
- name: backend
image: cr.yandex/crp3ccidau046kdj8g9q/sarex-resources:prod_d642ef88
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/resources-db ] && . /vault/secrets/resources-db
[ -f /vault/secrets/resources-s3 ] && . /vault/secrets/resources-s3
set +a
exec /server/entrypoint.sh
ports:
- name: http
@ -39,51 +72,6 @@ spec:
value: config.settings.production
- name: API_ADDRESS
value: "8000"
- name: DATABASE_NAME
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: DATABASE_HOST
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: DATABASE_USER
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: DATABASE_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: YC_S3_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
key: username
name: s3-secret
- name: YC_S3_ENDPOINT_URL
valueFrom:
secretKeyRef:
key: host
name: s3-secret
- name: YC_S3_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
key: password
name: s3-secret
- name: YC_S3_BUCKET_NAME
valueFrom:
secretKeyRef:
key: bucket
name: s3-secret
resources:
@ -97,20 +85,20 @@ spec:
subPath: production.py
livenessProbe:
httpGet:
path: /ping
tcpSocket:
port: 8000
initialDelaySeconds: 10
periodSeconds: 60
failureThreshold: 10
initialDelaySeconds: 20
periodSeconds: 30
timeoutSeconds: 3
failureThreshold: 5
readinessProbe:
httpGet:
path: /ping
tcpSocket:
port: 8000
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 20
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 3
failureThreshold: 6
imagePullSecrets:
- name: regcred
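Review bot: The startup script in the second hunk (the `args` block) sources `/vault/secrets/resources-db` and `/vault/secrets/resources-s3` only when the file exists, and a failing `[ -f … ]` at the head of an `&&` list does not trip `set -e`, so a pod whose agent init rendered nothing still execs the entrypoint with no DATABASE_* or YC_S3_* variables at all, now that the `secretKeyRef` entries are dropped in the third hunk. With `agent-init-first` and `agent-pre-populate-only` the init container is already a hard prerequisite, so the guards add nothing; sourcing unconditionally, `. /vault/secrets/resources-db` and `. /vault/secrets/resources-s3`, turns a missing or malformed secret file into an immediate, visible container failure instead of a later connection error. Pre-populate-only also means the files are rendered once, so a credential rotated in Vault only reaches the app after a pod restart; a comment on that annotation such as `# secrets are rendered once at init; restart the pod to pick up rotated credentials` would spare the next reader a surprise. The switch from `httpGet /ping` to `tcpSocket` in the last hunk makes liveness and readiness prove only that port 8000 accepts connections, not that Django answers; if that was deliberate, say so in a comment. The container spec continues outside these hunks.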


@ -4,6 +4,7 @@ kind: Kustomization
namespace: resources
resources:
- namespace.yaml
- serviceaccount.yaml
- backend-deployment.yaml
- backend-service.yaml
- django-configmap.yaml


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: resources-vault
namespace: resources
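Review bot: The new ServiceAccount carries no comment tying it to its consumer, and nothing in the commit shows the Vault side of the binding — the `auth/kubernetes` role `resources` requested by backend-deployment.yaml presumably has to list this account name and namespace, and that configuration lives outside this repository. A short comment would document the dependency: `# Identity of the vault-agent init container in backend-deployment.yaml; the Vault role "resources" (auth/kubernetes) must bind this account and namespace`. Since the agent presumably logs in with this account's projected token, `automountServiceAccountToken` should be left at its default here rather than disabled as a hardening step.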


@ -8,4 +8,4 @@ patches:
- path: replicas.yaml
target:
kind: Deployment
name: comparisons
name: backend


@ -9,7 +9,7 @@ spec:
chart:
spec:
chart: postgresql-contour
version: "17.0.2"
version: "17.0.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
@ -44,7 +44,7 @@ spec:
image:
registry: cr.yandex/crp3ccidau046kdj8g9q
repository: contour/postgresql
tag: 17.0.2
tag: 17.0.7
pullPolicy: Always
metrics:
enabled: false
@ -61,7 +61,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
@ -72,7 +72,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
@ -83,7 +83,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
@ -101,12 +101,19 @@ spec:
effect: NoSchedule
contour:
enabled: true
adminUser: ""
adminPasswordSecretKey: ""
adminUser: "postgres"
sharedPreloadLibraries: "pg_stat_statements,uuid-ossp,ltree,postgis"
vault:
enabled: true
role: postgresql
authPath: auth/kubernetes
secretPath: secrets/data/postgresql/admin
secretKey: postgres-password
usersSecretPath: secrets/data/postgresql/users
databases:
- name: resources_db
user: resources
passwordKey: resources
extensions: []
restoreFromDump: false
s3-proxy:
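Review bot: The new `databases` entry reads the `resources` user's password from `usersSecretPath: secrets/data/postgresql/users` (key `resources`), while the backend deployment in this same commit reads `username`/`password` from `secrets/data/postgresql/apps/resources`; nothing in the commit ties the two secrets together, so the database password and the application's copy presumably have to be kept identical by whatever populates Vault. A comment next to `passwordKey` would make that coupling explicit: `# must hold the same value as the "password" field of secrets/data/postgresql/apps/resources used by backend-deployment.yaml`. The three `pg_isready -U "postgres"` probes now use the superuser name, which is harmless because pg_isready only checks that the server accepts connections and never authenticates, but a one-line comment saying so would stop someone later "fixing" the probes to a user that needs a password. The `contour` block continues outside the hunk.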