diff --git a/apps/eav/base/backend-deployment.yaml b/apps/eav/base/backend-deployment.yaml
index d41653a..f0bd0c6 100644
--- a/apps/eav/base/backend-deployment.yaml
+++ b/apps/eav/base/backend-deployment.yaml
@@ -14,7 +14,42 @@ spec:
 metadata:
 labels:
 app: backend
+ annotations:
+ traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+ vault.hashicorp.com/agent-init-first: "true"
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/auth-path: auth/kubernetes
+ vault.hashicorp.com/role: eav
+ vault.hashicorp.com/agent-inject-secret-eav-db: secrets/data/postgresql/apps/eav
+ vault.hashicorp.com/agent-inject-template-eav-db: |-
+ {{- with secret "secrets/data/postgresql/apps/eav" -}}
+ DJANGO_POSTGRES_HOST=postgresql.eav.svc.cluster.local
+ DJANGO_POSTGRES_PORT=5432
+ DJANGO_POSTGRES_DATABASE=eav_db
+ DJANGO_POSTGRES_USER={{ index .Data.data "username" }}
+ DJANGO_POSTGRES_PASSWORD={{ index .Data.data "password" }}
+ {{- end -}}
+ vault.hashicorp.com/agent-inject-secret-eav-s3: secrets/data/minio/apps/eav
+ vault.hashicorp.com/agent-inject-template-eav-s3: |-
+ {{- with secret "secrets/data/minio/apps/eav" -}}
+ YC_S3_ENDPOINT_URL={{ index .Data.data.client "endpoint" }}
+ YC_S3_BUCKET_NAME=eav
+ YC_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
+ YC_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
+ {{- end -}}
+ vault.hashicorp.com/agent-inject-secret-eav-jwt-private: secrets/data/vault/common/rsa_keys
+ vault.hashicorp.com/agent-inject-template-eav-jwt-private: |-
+ {{- with secret "secrets/data/vault/common/rsa_keys" -}}
+ {{ index .Data.data "private_key" }}
+ {{- end -}}
+ vault.hashicorp.com/agent-inject-secret-eav-jwt-public: secrets/data/vault/common/rsa_keys
+ vault.hashicorp.com/agent-inject-template-eav-jwt-public: |-
+ {{- with secret "secrets/data/vault/common/rsa_keys" -}}
+ {{ index .Data.data "public_key" }}
+ {{- end -}}
 spec:
+ serviceAccountName: eav-vault
 volumes:
 - name: django-configmap
 configMap:
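Review bot: The `eav` role is given read access to `secrets/data/vault/common/rsa_keys`, a path that by its name is not scoped to this application, so a compromise of this pod would expose whatever else is keyed under `vault/common`; confirm the Vault policy bound to role `eav` grants only the four paths referenced in these annotations, or keep the JWT key pair under an app-scoped path like the `.../apps/eav` layout the db and s3 secrets already use. With `agent-pre-populate-only: "true"` only the init container runs, so the rendered files are never refreshed and a rotated DB, S3 or signing secret only takes effect after a pod restart; a comment above that annotation, `# pre-populate-only: no sidecar, secrets are rendered once at pod start - restart to pick up rotation`, would save the next reader the lookup. The `eav-s3` template reads the endpoint from the `client` sub-map but the keys from the top-level map; if the KV entry lacks `client` the template fails and the init container blocks the pod, so that expected shape is worth noting next to the template. The enclosing pod template continues outside the hunk.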
@@ -28,6 +63,16 @@ spec:
 - name: backend
 image: cr.yandex/crp3ccidau046kdj8g9q/eav:prod_0fb73247
 imagePullPolicy: IfNotPresent
+ command: ["/bin/sh", "-ec"]
+ args:
+ - |
+ set -a
+ [ -f /vault/secrets/eav-db ] && . /vault/secrets/eav-db
+ [ -f /vault/secrets/eav-s3 ] && . /vault/secrets/eav-s3
+ [ -f /vault/secrets/eav-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/eav-jwt-private)"
+ [ -f /vault/secrets/eav-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/eav-jwt-public)"
+ set +a
+ exec /server/entrypoint.sh
 ports:
 - name: http
@@ -41,60 +86,6 @@ spec:
 value: sarex
 - name: DJANGO_SETTINGS_MODULE
 value: config.settings.production
- - name: DJANGO_POSTGRES_DATABASE
- value: eav_db
- - name: YC_S3_ENDPOINT_URL
- value: http://minio-svc.minio.svc.cluster.local:9000
- - name: YC_S3_BUCKET_NAME
- value: eav
- - name: DJANGO_POSTGRES_HOST
- valueFrom:
- secretKeyRef:
- name: postgresql-secret
- key: hostname
- - name: DJANGO_POSTGRES_USER
- valueFrom:
- secretKeyRef:
- name: postgresql-secret
- key: username
- - name: DJANGO_POSTGRES_PASSWORD
- valueFrom:
- secretKeyRef:
- name: postgresql-secret
- key: password
- - name: DJANGO_POSTGRES_PORT
- valueFrom:
- secretKeyRef:
- name: postgresql-secret
- key: port
- - name: JWT_PRIVATE_KEY
- valueFrom:
- secretKeyRef:
- name: backend-secret
- key: ssh_private.key
- - name: JWT_PUBLIC_KEY
- valueFrom:
- secretKeyRef:
- name: backend-secret
- key: ssh_public.key
- - name: YC_S3_ACCESS_KEY_ID
- valueFrom:
- secretKeyRef:
- name: s3-secret
- key: username
- - name: YC_S3_SECRET_ACCESS_KEY
- valueFrom:
- secretKeyRef:
- name: s3-secret
- key: password
 resources:
 requests:
@@ -123,4 +114,4 @@ spec:
 failureThreshold: 20
 imagePullSecrets:
- - name: regcred
\ No newline at end of file
+ - name: regcred
diff --git a/apps/eav/base/kustomization.yaml b/apps/eav/base/kustomization.yaml
index f9a6541..ad9cf5d 100644
--- a/apps/eav/base/kustomization.yaml
+++ b/apps/eav/base/kustomization.yaml
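Review bot: The `[ -f ... ] &&` guards in the new `args` script turn a missing Vault file into a silent skip rather than a startup failure: under `sh -e` a false test on the left of `&&` does not abort, so if the injector did not run (webhook not matched, role rejected) the container starts with no DB, S3 or JWT settings, and since the env-based values are removed in the same commit the only symptom is a late, less obvious error from the application. Every one of these files is expected whenever the annotations are applied, so fail fast instead, e.g. `for f in eav-db eav-s3 eav-jwt-private eav-jwt-public; do [ -f "/vault/secrets/$f" ] || { echo "missing /vault/secrets/$f" >&2; exit 1; }; done` before `set -a`, then source and export unconditionally. Putting the private signing key into the environment via `export JWT_PRIVATE_KEY="$(cat ...)"` also makes it readable from `/proc/<pid>/environ` by any same-user process in the container and inherits it into everything `entrypoint.sh` launches; if the application can take a file path, pointing it at `/vault/secrets/eav-jwt-private` keeps the key out of the environment. The container spec continues outside the hunk.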
@@ -4,6 +4,7 @@ kind: Kustomization
 namespace: eav
 resources:
 - namespace.yaml
+ - serviceaccount.yaml
 - backend-deployment.yaml
 - backend-service.yaml
 - django-configmap.yaml
diff --git a/apps/eav/base/serviceaccount.yaml b/apps/eav/base/serviceaccount.yaml
new file mode 100644
index 0000000..c2d7154
--- /dev/null
+++ b/apps/eav/base/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: eav-vault
+ namespace: eav
diff --git a/apps/eav/yc-k8s-test/kustomization.yaml b/apps/eav/yc-k8s-test/kustomization.yaml
index 79e4c45..050d882 100644
--- a/apps/eav/yc-k8s-test/kustomization.yaml
+++ b/apps/eav/yc-k8s-test/kustomization.yaml
@@ -8,4 +8,4 @@ patches:
 - path: replicas.yaml
 target:
 kind: Deployment
- name: comparisons
+ name: backend
diff --git a/apps/eav/yc-k8s-test/postgresql.yaml b/apps/eav/yc-k8s-test/postgresql.yaml
index 8ed8238..fe1da07 100644
--- a/apps/eav/yc-k8s-test/postgresql.yaml
+++ b/apps/eav/yc-k8s-test/postgresql.yaml
@@ -61,7 +61,7 @@ spec:
 command:
 - /bin/sh
 - -c
- - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+ - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
 initialDelaySeconds: 30
 periodSeconds: 10
 timeoutSeconds: 5
@@ -72,7 +72,7 @@ spec:
 command:
 - /bin/sh
 - -c
- - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+ - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
 initialDelaySeconds: 5
 periodSeconds: 10
 timeoutSeconds: 5
@@ -83,7 +83,7 @@ spec:
 command:
 - /bin/sh
 - -c
- - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+ - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
 initialDelaySeconds: 30
 periodSeconds: 10
 timeoutSeconds: 5
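Review bot: The new `serviceaccount.yaml` creates `eav-vault` with nothing saying what it is for, and the binding that gives it meaning (Vault role `eav` under `auth/kubernetes` accepting this account in namespace `eav`) lives outside this repository, so a maintainer could rename or drop it without seeing the consequence; a header comment such as `# Identity the vault-agent init container logs in with (auth/kubernetes, role "eav"); referenced from backend-deployment.yaml via serviceAccountName.` would fix that. That login needs the account's token available in the pod, so leave `automountServiceAccountToken` at its default (or set it to `true` explicitly) and do not reuse this account for other workloads, since anything running as it can obtain the same Vault secrets. The three `pg_isready` probes in `yc-k8s-test/postgresql.yaml` now pass `-U "postgres"`; `pg_isready` only checks that the server answers the startup packet and does not authenticate, so a one-line comment above the first probe saying so would make clear that no superuser credential is involved.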
@@ -101,13 +101,20 @@ spec:
 effect: NoSchedule
 contour:
 enabled: true
- adminUser: ""
- adminPasswordSecretKey: ""
+ adminUser: "postgres"
 sharedPreloadLibraries: "pg_stat_statements,uuid-ossp,ltree,postgis"
+ vault:
+ enabled: true
+ role: postgresql
+ authPath: auth/kubernetes
+ secretPath: secrets/data/postgresql/admin
+ secretKey: postgres-password
+ usersSecretPath: secrets/data/postgresql/users
 databases:
 - name: eav_db
 user: eav
+ passwordKey: eav
 extensions: []
 restoreFromDump: false
 s3-proxy:
- endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
\ No newline at end of file
+ endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
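Review bot: The `eav` database password now lives at two Vault paths that nothing keeps in sync: the server side reads it from `usersSecretPath: secrets/data/postgresql/users` under `passwordKey: eav`, while the backend deployment's template in this same commit reads `DJANGO_POSTGRES_PASSWORD` from `secrets/data/postgresql/apps/eav`. Rotating one without the other breaks the application and only surfaces as a connection error in Django, so either point both at a single entry or document the coupling above `usersSecretPath`, e.g. `# users/<name> must hold the same password as secrets/data/postgresql/apps/<name>, which the app's vault-agent template reads`. `adminUser: "postgres"` together with `secretKey: postgres-password` implies the superuser password is sourced from `secretPath`, but the removed `adminPasswordSecretKey` has no visible replacement, so confirm that whatever consumes this file (a chart or operator not shown here) really takes the admin password from the `vault` block rather than falling back to an empty one.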