sarex/iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Migrate attachments app to HelmRelease: replace Deployment and Service with HelmRelease and update kustomization configuration.

Browse Source
This commit is contained in:
emelinda 2026-04-24 17:21:56 +03:00
parent 33401218b3
commit bc8698b5db
4 changed files with 112 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
apps/attachments/base/deployment.yaml
View File

@ -1,70 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: attachments
namespace: attachments
labels:
app: attachments
spec:
replicas: 1
selector:
matchLabels:
app: attachments
template:
metadata:
labels:
app: attachments
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: attachments
vault.hashicorp.com/agent-inject-secret-attachments-db: secrets/data/postgresql/apps/attachments
vault.hashicorp.com/agent-inject-template-attachments-db: |-
{{- with secret "secrets/data/postgresql/apps/attachments" -}}
DATABASE_HOST=postgresql.attachments.svc.cluster.local
DATABASE_PORT=5432
DATABASE_NAME=attachments_db
DATABASE_USER={{ index .Data.data "username" }}
DATABASE_PASSWORD={{ index .Data.data "password" }}
DATABASE_SSL_MODE=disable
{{- end -}}
vault.hashicorp.com/agent-inject-secret-attachments-s3: secrets/data/minio/apps/attachments
vault.hashicorp.com/agent-inject-template-attachments-s3: |-
{{- with secret "secrets/data/minio/apps/attachments" -}}
YANDEX_S3_ENDPOINT_URL=minio.minio:9000
YANDEX_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
YANDEX_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
YANDEX_S3_USE_SSL=false
YANDEX_S3_REGION=ru-central
YANDEX_S3_VERIFY=false
BUCKET_NAME=attachments
{{- end -}}
spec:
serviceAccountName: attachments-vault
containers:
- name: attachments
image: cr.yandex/crp3ccidau046kdj8g9q/attachments:feature_6238c882
imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/attachments-db ] && . /vault/secrets/attachments-db
[ -f /vault/secrets/attachments-s3 ] && . /vault/secrets/attachments-s3
set +a
exec /opt/attachments/entrypoint.sh
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: POSTGRES_POOL_SIZE
value: "10"
- name: API_ADDRESS
value: 0.0.0.0:8000
imagePullSecrets:
- name: regcred

111
apps/attachments/base/helmrelease.yaml Normal file
View File

@ -0,0 +1,111 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: attachments
namespace: attachments
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.8"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
attachments:
enabled: true
serviceAccount:
# Не создаём SA — используем существующий из base/serviceaccount.yaml.
name:
_default: attachments-vault
deployment:
enabled: true
name:
_default: attachments
replicaCount:
_default: 1
port:
_default: 8000
command:
_default: ["/bin/bash", "-ec"]
args:
_default:
- |
set -a
[ -f /vault/secrets/attachments-db ] && . /vault/secrets/attachments-db
[ -f /vault/secrets/attachments-s3 ] && . /vault/secrets/attachments-s3
set +a
exec /opt/attachments/entrypoint.sh
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/attachments:feature_6238c882
pullPolicy:
_default: IfNotPresent
service:
enabled: true
name:
_default: attachments-service
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
envs:
- name: POSTGRES_POOL_SIZE
value:
_default: "10"
- name: API_ADDRESS
value:
_default: 0.0.0.0:8000
podAnnotations:
_default:
# Порт Vault 8200 добавлен к дефолтным портам трейсинга — иначе
# чарт перезатрёт их одиночным "8200" и SigNoz перестанет ходить.
traffic.sidecar.istio.io/excludeOutboundPorts: "4317,4318,9411,8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: attachments
vault.hashicorp.com/agent-inject-secret-attachments-db: secrets/data/postgresql/apps/attachments
vault.hashicorp.com/agent-inject-template-attachments-db: |-
{{- with secret "secrets/data/postgresql/apps/attachments" -}}
DATABASE_HOST=postgresql.attachments.svc.cluster.local
DATABASE_PORT=5432
DATABASE_NAME=attachments_db
DATABASE_USER={{ index .Data.data "username" }}
DATABASE_PASSWORD={{ index .Data.data "password" }}
DATABASE_SSL_MODE=disable
{{- end -}}
vault.hashicorp.com/agent-inject-secret-attachments-s3: secrets/data/minio/apps/attachments
vault.hashicorp.com/agent-inject-template-attachments-s3: |-
{{- with secret "secrets/data/minio/apps/attachments" -}}
YANDEX_S3_ENDPOINT_URL=minio.minio:9000
YANDEX_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
YANDEX_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
YANDEX_S3_USE_SSL=false
YANDEX_S3_REGION=ru-central
YANDEX_S3_VERIFY=false
BUCKET_NAME=attachments
{{- end -}}

3
apps/attachments/base/kustomization.yaml
View File

@ -5,5 +5,4 @@ namespace: attachments
resources: resources:
- namespace.yaml - namespace.yaml
- serviceaccount.yaml - serviceaccount.yaml
- deployment.yaml - helmrelease.yaml
- service.yaml

14
apps/attachments/base/service.yaml
View File

@ -1,14 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: attachments-service
namespace: attachments
spec:
type: ClusterIP
selector:
app: attachments
ports:
- port: 8000
targetPort: 8000
protocol: TCP