cde

apps/cde/base/cde-flowscallback.yaml

@@ -17,10 +17,25 @@ spec:
       labels:
         app: cde-flowscallback
         service: cde-flowscallback
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: cde
+        vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
+        vault.hashicorp.com/agent-inject-template-cde-env: |-
+          {{- with secret "secrets/data/vault/apps/cde" -}}
+          {{- range $k, $v := .Data.data }}
+          {{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }}
+          {{- end }}
+          {{- end -}}
     spec:
+      serviceAccountName: cde-vault
       containers:
         - name: cde-flowscallback
-          image: cr.yandex/crp3ccidau046kdj8g9q/flowscallback-worker:prod_3.1.2
+          image: cr.yandex/crp3ccidau046kdj8g9q/flowscallback-worker:prod_9f3c1d2a
           imagePullPolicy: IfNotPresent
           ports:
             - name: http

apps/cde/base/cde-splitpdf.yaml

@@ -17,10 +17,25 @@ spec:
       labels:
         app: cde-splitpdf
         service: cde-splitpdf
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: cde
+        vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
+        vault.hashicorp.com/agent-inject-template-cde-env: |-
+          {{- with secret "secrets/data/vault/apps/cde" -}}
+          {{- range $k, $v := .Data.data }}
+          {{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }}
+          {{- end }}
+          {{- end -}}
     spec:
+      serviceAccountName: cde-vault
       containers:
         - name: cde-splitpdf
-          image: cr.yandex/crp3ccidau046kdj8g9q/splitpdf-worker:prod_3.1.2
+          image: cr.yandex/crp3ccidau046kdj8g9q/splitpdf-worker:prod_9f3c1d2a
           imagePullPolicy: IfNotPresent
           ports:
             - name: http

apps/cde/base/cde-worker-copy.yaml

@@ -17,10 +17,25 @@ spec:
       labels:
         app: cde-worker-copy
         service: cde-worker-copy
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: cde
+        vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
+        vault.hashicorp.com/agent-inject-template-cde-env: |-
+          {{- with secret "secrets/data/vault/apps/cde" -}}
+          {{- range $k, $v := .Data.data }}
+          {{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }}
+          {{- end }}
+          {{- end -}}
     spec:
+      serviceAccountName: cde-vault
       containers:
         - name: cde-worker-copy
-          image: cr.yandex/crp3ccidau046kdj8g9q/copy-worker:preprod_fd483601
+          image: cr.yandex/crp3ccidau046kdj8g9q/copy-worker:prod_9f3c1d2a
           imagePullPolicy: IfNotPresent
           ports:
             - name: http

apps/cde/base/cde-worker-create-versions.yaml

@@ -17,10 +17,25 @@ spec:
       labels:
         app: cde-worker-create-versions
         service: cde-worker-create-versions
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: cde
+        vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
+        vault.hashicorp.com/agent-inject-template-cde-env: |-
+          {{- with secret "secrets/data/vault/apps/cde" -}}
+          {{- range $k, $v := .Data.data }}
+          {{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }}
+          {{- end }}
+          {{- end -}}
     spec:
+      serviceAccountName: cde-vault
       containers:
         - name: cde-worker-create-versions
-          image: cr.yandex/crp3ccidau046kdj8g9q/createversions-worker:preprod_ec474ae7
+          image: cr.yandex/crp3ccidau046kdj8g9q/createversions-worker:prod_9f3c1d2a
           imagePullPolicy: IfNotPresent
           ports:
             - name: http

apps/cde/base/cde-worker-markings.yaml

@@ -17,10 +17,25 @@ spec:
       labels:
         app: cde-worker-markings
         service: cde-worker-markings
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: cde
+        vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
+        vault.hashicorp.com/agent-inject-template-cde-env: |-
+          {{- with secret "secrets/data/vault/apps/cde" -}}
+          {{- range $k, $v := .Data.data }}
+          {{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }}
+          {{- end }}
+          {{- end -}}
     spec:
+      serviceAccountName: cde-vault
       containers:
         - name: cde-worker-markings
-          image: cr.yandex/crp3ccidau046kdj8g9q/markings-worker:preprod_eb50f30e
+          image: cr.yandex/crp3ccidau046kdj8g9q/markings-worker:prod_9f3c1d2a
           imagePullPolicy: IfNotPresent
           ports:
             - name: http

apps/cde/base/cde-worker-sign.yaml

@@ -17,10 +17,25 @@ spec:
       labels:
         app: cde-worker-sign
         service: cde-worker-sign
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: cde
+        vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
+        vault.hashicorp.com/agent-inject-template-cde-env: |-
+          {{- with secret "secrets/data/vault/apps/cde" -}}
+          {{- range $k, $v := .Data.data }}
+          {{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }}
+          {{- end }}
+          {{- end -}}
     spec:
+      serviceAccountName: cde-vault
       containers:
         - name: cde-worker-sign
-          image: cr.yandex/crp3ccidau046kdj8g9q/sign-worker:preprod_fd483601
+          image: cr.yandex/crp3ccidau046kdj8g9q/sign-worker:prod_9f3c1d2a
           imagePullPolicy: IfNotPresent
           ports:
             - name: http

apps/cde/base/cde-worker-update-bundles.yaml

@@ -17,10 +17,25 @@ spec:
       labels:
         app: cde-worker-update-bundles
         service: cde-worker-update-bundles
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: cde
+        vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
+        vault.hashicorp.com/agent-inject-template-cde-env: |-
+          {{- with secret "secrets/data/vault/apps/cde" -}}
+          {{- range $k, $v := .Data.data }}
+          {{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }}
+          {{- end }}
+          {{- end -}}
     spec:
+      serviceAccountName: cde-vault
       containers:
         - name: cde-worker-update-bundles
-          image: cr.yandex/crp3ccidau046kdj8g9q/updatebundles-worker:prod_3.1.2
+          image: cr.yandex/crp3ccidau046kdj8g9q/updatebundles-worker:prod_9f3c1d2a
           imagePullPolicy: IfNotPresent
           ports:
             - name: http

apps/cde/base/cde.yaml

@@ -17,10 +17,25 @@ spec:
       labels:
         app: cde
         service: cde
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: cde
+        vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
+        vault.hashicorp.com/agent-inject-template-cde-env: |-
+          {{- with secret "secrets/data/vault/apps/cde" -}}
+          {{- range $k, $v := .Data.data }}
+          {{ $k }}={{ replace "\n" "\\n" (printf "%v" $v) }}
+          {{- end }}
+          {{- end -}}
     spec:
+      serviceAccountName: cde-vault
       containers:
         - name: api
-          image: cr.yandex/crp3ccidau046kdj8g9q/cde:preprod_ec474ae7
+          image: cr.yandex/crp3ccidau046kdj8g9q/cde:prod_9f3c1d2a
           imagePullPolicy: IfNotPresent
           ports:
             - name: http

apps/cde/base/kustomization.yaml

@@ -4,6 +4,7 @@ kind: Kustomization
 namespace: cde
 resources:
   - namespace.yaml
+  - serviceaccount.yaml
   - cde.yaml
   - cde-splitpdf.yaml
   - backend-service.yaml

apps/cde/base/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cde-vault
+  namespace: cde