From bb18939f5a7fd858ba078af8e8103759a9ba9223 Mon Sep 17 00:00:00 2001 From: Kochetkov S Date: Thu, 23 Apr 2026 11:12:00 +0300 Subject: [PATCH] contracts,notes,mapper --- apps/contracts/base/deployment.yaml | 68 ++++++++++++++--- apps/contracts/base/kustomization.yaml | 1 + apps/contracts/base/serviceaccount.yaml | 5 ++ apps/contracts/yc-k8s-test/postgresql.yaml | 21 ++++-- apps/mapper/base/deployment.yaml | 60 +++++++++++++++ apps/mapper/base/kustomization.yaml | 1 + apps/mapper/base/serviceaccount.yaml | 5 ++ apps/notes/base/backend-deployment.yaml | 85 +++++++++++++++------- apps/notes/base/kustomization.yaml | 1 + apps/notes/base/serviceaccount.yaml | 5 ++ apps/notes/yc-k8s-test/postgresql.yaml | 21 ++++-- 11 files changed, 224 insertions(+), 49 deletions(-) create mode 100644 apps/contracts/base/serviceaccount.yaml create mode 100644 apps/mapper/base/serviceaccount.yaml create mode 100644 apps/notes/base/serviceaccount.yaml diff --git a/apps/contracts/base/deployment.yaml b/apps/contracts/base/deployment.yaml index 52e2c1e..d536b18 100644 --- a/apps/contracts/base/deployment.yaml +++ b/apps/contracts/base/deployment.yaml 
@@ -15,27 +15,75 @@ spec: metadata: labels: app: backend + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: contracts + vault.hashicorp.com/agent-inject-secret-contracts-db: secrets/data/postgresql/apps/contracts + vault.hashicorp.com/agent-inject-template-contracts-db: |- + {{- with secret "secrets/data/postgresql/apps/contracts" -}} + DB_URL=postgresql://{{ index .Data.data "username" }}:{{ index .Data.data "password" }}@postgresql.contracts.svc.cluster.local:5432/contracts_db?sslmode=disable + {{- end -}} + vault.hashicorp.com/agent-inject-secret-contracts-jwt-public: secrets/data/vault/common/rsa_keys + vault.hashicorp.com/agent-inject-template-contracts-jwt-public: |- + {{- with secret "secrets/data/vault/common/rsa_keys" -}} + {{ index .Data.data "public_key" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-contracts-rabbitmq: secrets/data/rabbitmq/apps/contracts + vault.hashicorp.com/agent-inject-template-contracts-rabbitmq: |- + {{- with secret "secrets/data/rabbitmq/apps/contracts" -}} + CONTRACTS_RABBITMQ_VHOST={{ index .Data.data "vhost" }} + CONTRACTS_RABBITMQ_USERNAME={{ index .Data.data "username" }} + CONTRACTS_RABBITMQ_PASSWORD={{ index .Data.data "password" }} + CONTRACTS_RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local + CONTRACTS_RABBITMQ_PORT=5672 + {{- end -}} + vault.hashicorp.com/agent-inject-secret-contracts-s3: secrets/data/minio/apps/contracts + vault.hashicorp.com/agent-inject-template-contracts-s3: |- + {{- with secret "secrets/data/minio/apps/contracts" -}} + CONTRACTS_S3_ENDPOINT={{ index .Data.data.client "endpoint" }} + CONTRACTS_S3_REGION={{ index .Data.data.client "region" }} + CONTRACTS_S3_BUCKET=contracts + CONTRACTS_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }} + 
CONTRACTS_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-contracts-kafka: secrets/data/kafka/apps/contracts + vault.hashicorp.com/agent-inject-template-contracts-kafka: |- + {{- with secret "secrets/data/kafka/apps/contracts" -}} + CONTRACTS_KAFKA_BOOTSTRAP_SERVERS={{ index .Data.data.auth "bootstrap_servers" }} + CONTRACTS_KAFKA_SECURITY_PROTOCOL={{ index .Data.data.auth "security_protocol" }} + CONTRACTS_KAFKA_SASL_MECHANISM={{ index .Data.data.auth "sasl_mechanism" }} + CONTRACTS_KAFKA_USERNAME={{ index .Data.data "username" }} + CONTRACTS_KAFKA_PASSWORD={{ index .Data.data "password" }} + {{- end -}} spec: + serviceAccountName: contracts-vault containers: - name: backend image: cr.yandex/crp3ccidau046kdj8g9q/contracts:prod_d3bbd9fc imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/contracts-db ] && . /vault/secrets/contracts-db + [ -f /vault/secrets/contracts-jwt-public ] && export PUBLIC_KEY="$(cat /vault/secrets/contracts-jwt-public)" + [ -f /vault/secrets/contracts-rabbitmq ] && . /vault/secrets/contracts-rabbitmq + [ -f /vault/secrets/contracts-s3 ] && . /vault/secrets/contracts-s3 + [ -f /vault/secrets/contracts-kafka ] && . /vault/secrets/contracts-kafka + set +a + exec /usr/local/bin/http ports: - name: http containerPort: 8000 protocol: TCP env: + - name: ADDRESS + value: ":8000" - name: ENABLE_SSL value: "false" - - name: DB_URL - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: url - - name: PUBLIC_KEY - valueFrom: - secretKeyRef: - name: auth-public-key - key: public_key imagePullSecrets: - name: regcred diff --git a/apps/contracts/base/kustomization.yaml b/apps/contracts/base/kustomization.yaml index 3c22a88..b7edf4a 100644 --- a/apps/contracts/base/kustomization.yaml +++ b/apps/contracts/base/kustomization.yaml 
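Review bot: The `agent-inject-template-contracts-db` annotation builds `DB_URL` with `?sslmode=disable`, so the password Vault has just rendered travels to postgresql.contracts.svc.cluster.local in cleartext unless the mesh encrypts that hop; the `traffic.sidecar.istio.io/excludeOutboundPorts` annotation suggests a sidecar is present, but whether strict mTLS covers the `contracts` namespace is not visible in this change. If the PostgreSQL chart serves TLS, prefer `sslmode=require` (or `verify-full` with the cluster CA) so the protection does not depend on mesh policy. Separately, each `[ -f /vault/secrets/... ] && . /vault/secrets/...` line in `args` skips a missing file silently even under `-e`, so a file absent for any reason (a renamed annotation, a partial render) starts the app without its credentials; dropping the guard, `. /vault/secrets/contracts-db`, makes the container fail fast instead. The same guarded-source pattern is used in apps/mapper/base/deployment.yaml and apps/notes/base/backend-deployment.yaml.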
@@ -4,5 +4,6 @@ kind: Kustomization namespace: contracts resources: - namespace.yaml + - serviceaccount.yaml - deployment.yaml - service.yaml diff --git a/apps/contracts/base/serviceaccount.yaml b/apps/contracts/base/serviceaccount.yaml new file mode 100644 index 0000000..a38e7c3 --- /dev/null +++ b/apps/contracts/base/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: contracts-vault + namespace: contracts diff --git a/apps/contracts/yc-k8s-test/postgresql.yaml b/apps/contracts/yc-k8s-test/postgresql.yaml index b04d0dc..14f3864 100644 --- a/apps/contracts/yc-k8s-test/postgresql.yaml +++ b/apps/contracts/yc-k8s-test/postgresql.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: postgresql-contour - version: "17.0.2" + version: "17.0.7" sourceRef: kind: HelmRepository name: yc-oci-charts @@ -64,7 +64,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 @@ -75,7 +75,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 @@ -86,7 +86,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 
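Review bot: The new `contracts-vault` ServiceAccount is the identity behind `vault.hashicorp.com/role: contracts`, and nothing in this change shows the Vault side of that binding; the Kubernetes auth role should name exactly this account and namespace in `bound_service_account_names` / `bound_service_account_namespaces`, since a wildcard there widens which workloads can read the `secrets/data/*/apps/contracts` paths. A header comment in serviceaccount.yaml such as `# Identity used by the Vault agent injector; must match the Vault kubernetes-auth role "contracts"` would make the coupling visible to whoever renames or rotates either side. The same applies to apps/mapper/base/serviceaccount.yaml and apps/notes/base/serviceaccount.yaml.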
@@ -101,12 +101,19 @@ spec: effect: NoSchedule contour: enabled: true - adminUser: "" - adminPasswordSecretKey: "" - sharedPreloadLibraries: "pg_stat_statements" + adminUser: "postgres" + sharedPreloadLibraries: "pg_stat_statements,uuid-ossp" + vault: + enabled: true + role: postgresql + authPath: auth/kubernetes + secretPath: secrets/data/postgresql/admin + secretKey: postgres-password + usersSecretPath: secrets/data/postgresql/users databases: - name: contracts_db user: contracts + passwordKey: contracts extensions: [] restoreFromDump: false s3-proxy: diff --git a/apps/mapper/base/deployment.yaml b/apps/mapper/base/deployment.yaml index 38b7705..b7204be 100644 --- a/apps/mapper/base/deployment.yaml +++ b/apps/mapper/base/deployment.yaml 
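Review bot: The chart now reads the `contracts` user's password from `usersSecretPath: secrets/data/postgresql/users` (key `passwordKey: contracts`), while apps/contracts/base/deployment.yaml renders the same credential from `secrets/data/postgresql/apps/contracts` (keys `username` / `password`); unless something outside this diff keeps those two KV entries identical, rotating one leaves the other stale and the app loses its connection. Pointing both consumers at one path, or documenting the sync next to `usersSecretPath`, e.g. `# must stay equal to "password" in secrets/data/postgresql/apps/contracts`, would remove the ambiguity. The probe user switch to `postgres` matches the new `adminUser`, so that part is consistent. apps/notes/yc-k8s-test/postgresql.yaml has the same split between `passwordKey: notes` and `secrets/data/postgresql/apps/notes`.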
@@ -15,11 +15,71 @@ spec: metadata: labels: app: backend + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: mapper + vault.hashicorp.com/agent-inject-secret-mapper-django-auth: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-mapper-django-auth: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + MAPPER_DJANGO_TOKEN={{ index .Data.data "key" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-mapper-db: secrets/data/postgresql/apps/mapper + vault.hashicorp.com/agent-inject-template-mapper-db: |- + {{- with secret "secrets/data/postgresql/apps/mapper" -}} + MAPPER_DB_USER={{ index .Data.data "username" }} + MAPPER_DB_PASSWORD={{ index .Data.data "password" }} + MAPPER_DB_HOST=postgresql.mapper.svc.cluster.local + MAPPER_DB_PORT=5432 + MAPPER_DB_NAME=mapper_db + {{- end -}} + vault.hashicorp.com/agent-inject-secret-mapper-rabbitmq: secrets/data/rabbitmq/apps/mapper + vault.hashicorp.com/agent-inject-template-mapper-rabbitmq: |- + {{- with secret "secrets/data/rabbitmq/apps/mapper" -}} + MAPPER_RABBITMQ_VHOST={{ index .Data.data "vhost" }} + MAPPER_RABBITMQ_USERNAME={{ index .Data.data "username" }} + MAPPER_RABBITMQ_PASSWORD={{ index .Data.data "password" }} + MAPPER_RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local + MAPPER_RABBITMQ_PORT=5672 + {{- end -}} + vault.hashicorp.com/agent-inject-secret-mapper-s3: secrets/data/minio/apps/mapper + vault.hashicorp.com/agent-inject-template-mapper-s3: |- + {{- with secret "secrets/data/minio/apps/mapper" -}} + MAPPER_S3_ENDPOINT={{ index .Data.data.client "endpoint" }} + MAPPER_S3_REGION={{ index .Data.data.client "region" }} + MAPPER_S3_BUCKET=mapper + MAPPER_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }} + 
MAPPER_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-mapper-kafka: secrets/data/kafka/apps/mapper + vault.hashicorp.com/agent-inject-template-mapper-kafka: |- + {{- with secret "secrets/data/kafka/apps/mapper" -}} + MAPPER_KAFKA_BOOTSTRAP_SERVERS={{ index .Data.data.auth "bootstrap_servers" }} + MAPPER_KAFKA_SECURITY_PROTOCOL={{ index .Data.data.auth "security_protocol" }} + MAPPER_KAFKA_SASL_MECHANISM={{ index .Data.data.auth "sasl_mechanism" }} + MAPPER_KAFKA_USERNAME={{ index .Data.data "username" }} + MAPPER_KAFKA_PASSWORD={{ index .Data.data "password" }} + {{- end -}} spec: + serviceAccountName: mapper-vault containers: - name: backend image: cr.yandex/crp3ccidau046kdj8g9q/mapper:prod_b0d05a34 imagePullPolicy: IfNotPresent + command: ["/bin/bash", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/mapper-django-auth ] && . /vault/secrets/mapper-django-auth + [ -f /vault/secrets/mapper-db ] && . /vault/secrets/mapper-db + [ -f /vault/secrets/mapper-rabbitmq ] && . /vault/secrets/mapper-rabbitmq + [ -f /vault/secrets/mapper-s3 ] && . /vault/secrets/mapper-s3 + [ -f /vault/secrets/mapper-kafka ] && . /vault/secrets/mapper-kafka + set +a + exec /bin/bash /opt/entrypoint.sh ports: - name: http containerPort: 8000 diff --git a/apps/mapper/base/kustomization.yaml b/apps/mapper/base/kustomization.yaml index 0493fc3..952bab2 100644 --- a/apps/mapper/base/kustomization.yaml +++ b/apps/mapper/base/kustomization.yaml @@ -4,5 +4,6 @@ kind: Kustomization namespace: mapper resources: - namespace.yaml + - serviceaccount.yaml - deployment.yaml - service.yaml diff --git a/apps/mapper/base/serviceaccount.yaml b/apps/mapper/base/serviceaccount.yaml new file mode 100644 index 0000000..79d1166 --- /dev/null +++ b/apps/mapper/base/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: mapper-vault + namespace: mapper 
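Review bot: `MAPPER_DJANGO_TOKEN` is rendered from `secrets/data/vault/common/django_auth` key `key`, the same entry apps/notes/base/backend-deployment.yaml renders as `DJANGO_TOKEN`, so one secret is now shared by two services and a rotation has to roll both deployments; with `agent-pre-populate-only: "true"` there is no sidecar to re-render the files, so a running pod keeps the old value until it is restarted. If the two services do not genuinely need the same token, a per-app entry (for example `secrets/data/vault/apps/mapper`, a constructed path) limits the blast radius; otherwise a comment on the annotation, `# shared with notes; rotating requires rolling both deployments`, records the coupling.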
diff --git a/apps/notes/base/backend-deployment.yaml b/apps/notes/base/backend-deployment.yaml index ddf3111..e109f88 100644 --- a/apps/notes/base/backend-deployment.yaml +++ b/apps/notes/base/backend-deployment.yaml 
@@ -16,11 +16,71 @@ spec: labels: app: backend service: main + annotations: + traffic.sidecar.istio.io/excludeOutboundPorts: "8200" + vault.hashicorp.com/agent-init-first: "true" + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/agent-pre-populate-only: "true" + vault.hashicorp.com/auth-path: auth/kubernetes + vault.hashicorp.com/role: notes + vault.hashicorp.com/agent-inject-secret-notes-db: secrets/data/postgresql/apps/notes + vault.hashicorp.com/agent-inject-template-notes-db: |- + {{- with secret "secrets/data/postgresql/apps/notes" -}} + PG_HOST=postgresql.notes.svc.cluster.local + PG_PORT=5432 + PG_DB=notes_db + PG_LOGIN={{ index .Data.data "username" }} + PG_PASSWORD={{ index .Data.data "password" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-notes-django-auth: secrets/data/vault/common/django_auth + vault.hashicorp.com/agent-inject-template-notes-django-auth: |- + {{- with secret "secrets/data/vault/common/django_auth" -}} + DJANGO_TOKEN={{ index .Data.data "key" }} + {{- end -}} + vault.hashicorp.com/agent-inject-secret-notes-rabbitmq: secrets/data/rabbitmq/apps/notes + vault.hashicorp.com/agent-inject-template-notes-rabbitmq: |- + {{- with secret "secrets/data/rabbitmq/apps/notes" -}} + NOTES_RABBITMQ_VHOST={{ index .Data.data "vhost" }} + NOTES_RABBITMQ_USERNAME={{ index .Data.data "username" }} + NOTES_RABBITMQ_PASSWORD={{ index .Data.data "password" }} + NOTES_RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local + NOTES_RABBITMQ_PORT=5672 + {{- end -}} + vault.hashicorp.com/agent-inject-secret-notes-s3: secrets/data/minio/apps/notes + vault.hashicorp.com/agent-inject-template-notes-s3: |- + {{- with secret "secrets/data/minio/apps/notes" -}} + NOTES_S3_ENDPOINT={{ index .Data.data.client "endpoint" }} + NOTES_S3_REGION={{ index .Data.data.client "region" }} + NOTES_S3_BUCKET=notes + NOTES_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }} + NOTES_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }} + {{- end -}} + 
vault.hashicorp.com/agent-inject-secret-notes-kafka: secrets/data/kafka/apps/notes + vault.hashicorp.com/agent-inject-template-notes-kafka: |- + {{- with secret "secrets/data/kafka/apps/notes" -}} + NOTES_KAFKA_BOOTSTRAP_SERVERS={{ index .Data.data.auth "bootstrap_servers" }} + NOTES_KAFKA_SECURITY_PROTOCOL={{ index .Data.data.auth "security_protocol" }} + NOTES_KAFKA_SASL_MECHANISM={{ index .Data.data.auth "sasl_mechanism" }} + NOTES_KAFKA_USERNAME={{ index .Data.data "username" }} + NOTES_KAFKA_PASSWORD={{ index .Data.data "password" }} + {{- end -}} spec: + serviceAccountName: notes-vault containers: - name: main image: cr.yandex/crp3ccidau046kdj8g9q/notes-backend:production_81366854 imagePullPolicy: IfNotPresent + command: ["/bin/bash", "-ec"] + args: + - | + set -a + [ -f /vault/secrets/notes-db ] && . /vault/secrets/notes-db + [ -f /vault/secrets/notes-django-auth ] && . /vault/secrets/notes-django-auth + [ -f /vault/secrets/notes-rabbitmq ] && . /vault/secrets/notes-rabbitmq + [ -f /vault/secrets/notes-s3 ] && . /vault/secrets/notes-s3 + [ -f /vault/secrets/notes-kafka ] && . /vault/secrets/notes-kafka + set +a + exec /bin/bash /opt/entrypoint.sh ports: - name: http containerPort: 8000 @@ -52,31 +112,6 @@ spec: value: http://attachments-service.attachments.svc.cluster.local:80/api/v1 - name: PG_PORT value: "5432" - - name: PG_DB - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: database - - name: PG_LOGIN - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: username - - name: PG_PASSWORD - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: password - - name: PG_HOST - valueFrom: - secretKeyRef: - name: postgresql-secrets - key: hostname - - name: DJANGO_TOKEN - valueFrom: - secretKeyRef: - name: django-secret - key: token resources: requests: cpu: "1" diff --git a/apps/notes/base/kustomization.yaml b/apps/notes/base/kustomization.yaml index 4758015..2ff8124 100644 --- a/apps/notes/base/kustomization.yaml 
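Review bot: `PG_PORT` is now set in two places: the second hunk keeps `- name: PG_PORT value: "5432"` under `env:`, and the `agent-inject-template-notes-db` template also exports `PG_PORT=5432`, which the `args` script sources after the container environment is set and which therefore silently wins. The `env:` entry is dead and a future change to the port in one place will not be reflected in the other; drop the `env:` entry (or the line in the template) so there is a single source of truth. The `env:` block continues outside the hunk, so other overlaps with the template cannot be ruled out from here.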
+++ b/apps/notes/base/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: notes resources: - namespace.yaml + - serviceaccount.yaml - backend-deployment.yaml - backend-service.yaml - frontend-deployment.yaml diff --git a/apps/notes/base/serviceaccount.yaml b/apps/notes/base/serviceaccount.yaml new file mode 100644 index 0000000..5f43a53 --- /dev/null +++ b/apps/notes/base/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: notes-vault + namespace: notes diff --git a/apps/notes/yc-k8s-test/postgresql.yaml b/apps/notes/yc-k8s-test/postgresql.yaml index 76ae62d..d1974b1 100644 --- a/apps/notes/yc-k8s-test/postgresql.yaml +++ b/apps/notes/yc-k8s-test/postgresql.yaml @@ -9,7 +9,7 @@ spec: chart: spec: chart: postgresql-contour - version: "17.0.2" + version: "17.0.7" sourceRef: kind: HelmRepository name: yc-oci-charts @@ -64,7 +64,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 @@ -75,7 +75,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 5 @@ -86,7 +86,7 @@ spec: command: - /bin/sh - -c - - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 + - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 
@@ -101,12 +101,19 @@ spec: effect: NoSchedule contour: enabled: true - adminUser: "" - adminPasswordSecretKey: "" - sharedPreloadLibraries: "pg_stat_statements" + adminUser: "postgres" + sharedPreloadLibraries: "pg_stat_statements,uuid-ossp" + vault: + enabled: true + role: postgresql + authPath: auth/kubernetes + secretPath: secrets/data/postgresql/admin + secretKey: postgres-password + usersSecretPath: secrets/data/postgresql/users databases: - name: notes_db user: notes + passwordKey: notes extensions: [] restoreFromDump: false s3-proxy: