Migrate attachments app to HelmRelease: replace Deployment and Service with HelmRelease and update kustomization configuration.

2026-04-24 17:21:56 +03:00 · 2026-04-24 17:21:56 +03:00 · bc8698b5db
commit bc8698b5db
parent 33401218b3
4 changed files with 112 additions and 86 deletions
--- a/apps/attachments/base/deployment.yaml
+++ b/apps/attachments/base/deployment.yaml
@ -1,70 +0,0 @@
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: attachments
-  namespace: attachments
-  labels:
-    app: attachments
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: attachments
-  template:
-    metadata:
-      labels:
-        app: attachments
-      annotations:
-        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
-        vault.hashicorp.com/agent-init-first: "true"
-        vault.hashicorp.com/agent-inject: "true"
-        vault.hashicorp.com/agent-pre-populate-only: "true"
-        vault.hashicorp.com/auth-path: auth/kubernetes
-        vault.hashicorp.com/role: attachments
-        vault.hashicorp.com/agent-inject-secret-attachments-db: secrets/data/postgresql/apps/attachments
-        vault.hashicorp.com/agent-inject-template-attachments-db: |-
-          {{- with secret "secrets/data/postgresql/apps/attachments" -}}
-          DATABASE_HOST=postgresql.attachments.svc.cluster.local
-          DATABASE_PORT=5432
-          DATABASE_NAME=attachments_db
-          DATABASE_USER={{ index .Data.data "username" }}
-          DATABASE_PASSWORD={{ index .Data.data "password" }}
-          DATABASE_SSL_MODE=disable
-          {{- end -}}
-        vault.hashicorp.com/agent-inject-secret-attachments-s3: secrets/data/minio/apps/attachments
-        vault.hashicorp.com/agent-inject-template-attachments-s3: |-
-          {{- with secret "secrets/data/minio/apps/attachments" -}}
-          YANDEX_S3_ENDPOINT_URL=minio.minio:9000
-          YANDEX_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
-          YANDEX_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
-          YANDEX_S3_USE_SSL=false
-          YANDEX_S3_REGION=ru-central
-          YANDEX_S3_VERIFY=false
-          BUCKET_NAME=attachments
-          {{- end -}}
-    spec:
-      serviceAccountName: attachments-vault
-      containers:
-        - name: attachments
-          image: cr.yandex/crp3ccidau046kdj8g9q/attachments:feature_6238c882
-          imagePullPolicy: IfNotPresent
-          command: ["/bin/bash", "-ec"]
-          args:
-            - |
-              set -a
-              [ -f /vault/secrets/attachments-db ] && . /vault/secrets/attachments-db
-              [ -f /vault/secrets/attachments-s3 ] && . /vault/secrets/attachments-s3
-              set +a
-              exec /opt/attachments/entrypoint.sh
-          ports:
-            - name: http
-              containerPort: 8000
-              protocol: TCP
-          env:
-            - name: POSTGRES_POOL_SIZE
-              value: "10"
-            - name: API_ADDRESS
-              value: 0.0.0.0:8000
-      imagePullSecrets:
-        - name: regcred
--- a/apps/attachments/base/helmrelease.yaml
+++ b/apps/attachments/base/helmrelease.yaml
@ -0,0 +1,111 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: attachments
+  namespace: attachments
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: universal-chart
+      version: "0.1.8"
+      sourceRef:
+        kind: HelmRepository
+        name: yc-oci-charts
+        namespace: flux-system
+      interval: 10m
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    global:
+      env: _default
+    services:
+      attachments:
+        enabled: true
+        serviceAccount:
+          # Не создаём SA — используем существующий из base/serviceaccount.yaml.
+          name:
+            _default: attachments-vault
+        deployment:
+          enabled: true
+          name:
+            _default: attachments
+          replicaCount:
+            _default: 1
+          port:
+            _default: 8000
+          command:
+            _default: ["/bin/bash", "-ec"]
+          args:
+            _default:
+              - |
+                set -a
+                [ -f /vault/secrets/attachments-db ] && . /vault/secrets/attachments-db
+                [ -f /vault/secrets/attachments-s3 ] && . /vault/secrets/attachments-s3
+                set +a
+                exec /opt/attachments/entrypoint.sh
+        image:
+          name:
+            _default: cr.yandex/crp3ccidau046kdj8g9q/attachments:feature_6238c882
+          pullPolicy:
+            _default: IfNotPresent
+        service:
+          enabled: true
+          name:
+            _default: attachments-service
+          type:
+            _default: ClusterIP
+          port:
+            _default: 8000
+          targetPort:
+            _default: 8000
+          portName:
+            _default: http
+        imagePullSecrets:
+          enabled:
+            _default: true
+          name:
+            _default: regcred
+        envs:
+          - name: POSTGRES_POOL_SIZE
+            value:
+              _default: "10"
+          - name: API_ADDRESS
+            value:
+              _default: 0.0.0.0:8000
+        podAnnotations:
+          _default:
+            # Порт Vault 8200 добавлен к дефолтным портам трейсинга — иначе
+            # чарт перезатрёт их одиночным "8200" и SigNoz перестанет ходить.
+            traffic.sidecar.istio.io/excludeOutboundPorts: "4317,4318,9411,8200"
+            vault.hashicorp.com/agent-init-first: "true"
+            vault.hashicorp.com/agent-inject: "true"
+            vault.hashicorp.com/agent-pre-populate-only: "true"
+            vault.hashicorp.com/auth-path: auth/kubernetes
+            vault.hashicorp.com/role: attachments
+            vault.hashicorp.com/agent-inject-secret-attachments-db: secrets/data/postgresql/apps/attachments
+            vault.hashicorp.com/agent-inject-template-attachments-db: |-
+              {{- with secret "secrets/data/postgresql/apps/attachments" -}}
+              DATABASE_HOST=postgresql.attachments.svc.cluster.local
+              DATABASE_PORT=5432
+              DATABASE_NAME=attachments_db
+              DATABASE_USER={{ index .Data.data "username" }}
+              DATABASE_PASSWORD={{ index .Data.data "password" }}
+              DATABASE_SSL_MODE=disable
+              {{- end -}}
+            vault.hashicorp.com/agent-inject-secret-attachments-s3: secrets/data/minio/apps/attachments
+            vault.hashicorp.com/agent-inject-template-attachments-s3: |-
+              {{- with secret "secrets/data/minio/apps/attachments" -}}
+              YANDEX_S3_ENDPOINT_URL=minio.minio:9000
+              YANDEX_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
+              YANDEX_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
+              YANDEX_S3_USE_SSL=false
+              YANDEX_S3_REGION=ru-central
+              YANDEX_S3_VERIFY=false
+              BUCKET_NAME=attachments
+              {{- end -}}
--- a/apps/attachments/base/kustomization.yaml
+++ b/apps/attachments/base/kustomization.yaml
@ -5,5 +5,4 @@ namespace: attachments
 resources:
  - namespace.yaml
  - serviceaccount.yaml
-  - deployment.yaml
-  - service.yaml
+  - helmrelease.yaml
--- a/apps/attachments/base/service.yaml
+++ b/apps/attachments/base/service.yaml
@ -1,14 +0,0 @@
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: attachments-service
-  namespace: attachments
-spec:
-  type: ClusterIP
-  selector:
-    app: attachments
-  ports:
-    - port: 8000
-      targetPort: 8000
-      protocol: TCP