a lot of new services

Kochetkov S 2026-04-23 17:23:03 +03:00
parent b6c5c0c0e0
commit d8b9b59f48
3 changed files with 108 additions and 150 deletions


@ -17,11 +17,41 @@ spec:
labels:
app: workflows-api
service: workflows-api
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: processing
vault.hashicorp.com/agent-inject-secret-processing-postgresql: secrets/data/postgresql/apps/processing
vault.hashicorp.com/agent-inject-template-processing-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/processing" -}}
POSTGRES_ADDRESS=postgresql.processing.svc.cluster.local
POSTGRES_PORT=5432
POSTGRES_USER={{ index .Data.data "username" }}
POSTGRES_PASSWORD={{ index .Data.data "password" }}
POSTGRES_DB=workflow_db
{{- end -}}
vault.hashicorp.com/agent-inject-secret-processing-jwt-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-processing-jwt-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec:
serviceAccountName: processing-vault
containers:
- name: workflows-api
image: cr.yandex/crp3ccidau046kdj8g9q/workflows-api_prod:075fc0
imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/processing-postgresql ] && . /vault/secrets/processing-postgresql
[ -f /vault/secrets/processing-jwt-public ] && export PUBLIC_KEY="$(cat /vault/secrets/processing-jwt-public)"
set +a
exec /httpserver migrate
ports:
- name: http
containerPort: 8000
@ -44,38 +74,6 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POSTGRES_ADDRESS
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: PUBLIC_KEY
valueFrom:
secretKeyRef:
key: key
name: public-key
resources:
requests:
cpu: "1"
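Review bot: The startup wrapper added in the first hunk fails open: in `[ -f /vault/secrets/processing-postgresql ] && . /vault/secrets/processing-postgresql` a missing file makes the `&&` list return non-zero, which `bash -e` ignores for every list member except the last, so `/httpserver migrate` still starts without the Vault-supplied credentials. Sourcing unconditionally, `. /vault/secrets/processing-postgresql`, lets `-e` stop the container when injection did not render the file; the `processing-jwt-public` line carries the same guard. Separately, the rendered file is executed as shell while the template writes `POSTGRES_PASSWORD={{ index .Data.data "password" }}` unquoted, so a password containing whitespace, `$`, backticks or `;` would be re-interpreted by bash; rendering the password into its own file and loading it the way `PUBLIC_KEY` is loaded (`export VAR="$(cat FILE)"`) avoids evaluating secret content. The same wrapper and templates appear in the engine-low and engine sections below.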


@ -17,24 +17,49 @@ spec:
labels:
app: engine-low
service: engine-low
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: processing
vault.hashicorp.com/agent-inject-secret-processing-postgresql: secrets/data/postgresql/apps/processing
vault.hashicorp.com/agent-inject-template-processing-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/processing" -}}
POSTGRES_ADDRESS=postgresql.processing.svc.cluster.local
POSTGRES_PORT=5432
POSTGRES_USER={{ index .Data.data "username" }}
POSTGRES_PASSWORD={{ index .Data.data "password" }}
POSTGRES_DB=workflow_db
{{- end -}}
vault.hashicorp.com/agent-inject-secret-processing-rabbitmq: secrets/data/rabbitmq/apps/processing
vault.hashicorp.com/agent-inject-template-processing-rabbitmq: |-
{{- with secret "secrets/data/rabbitmq/apps/processing" -}}
RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
RABBITMQ_PORT=5672
RABBITMQ_USER={{ index .Data.data "username" }}
RABBITMQ_PASS={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-processing-smtp: secrets/data/vault/common/smtp_auth
vault.hashicorp.com/agent-inject-template-processing-smtp: |-
{{- with secret "secrets/data/vault/common/smtp_auth" -}}
{{ index .Data.data "env_json" }}
{{- end -}}
spec:
volumes:
- name: yc-s3
secret:
defaultMode: 420
secretName: yc-s3
- name: django-auth
secret:
defaultMode: 420
secretName: django-auth
- name: smtp-secret
secret:
defaultMode: 420
secretName: smtp-secret
serviceAccountName: processing-vault
containers:
- name: engine-low
image: cr.yandex/crp3ccidau046kdj8g9q/workflows-endigne_prod:075fc0
imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/processing-postgresql ] && . /vault/secrets/processing-postgresql
[ -f /vault/secrets/processing-rabbitmq ] && . /vault/secrets/processing-rabbitmq
set +a
exec /engine
ports:
- name: http
@ -55,51 +80,6 @@ spec:
value: http://backend.django.svc.cluster.local:8000
- name: S3_SERVICE_ACCOUNT
value: /etc/sarex/yc-s3/yc-s3-service-account.json
- name: RABBITMQ_HOST
valueFrom:
secretKeyRef:
key: host
name: rabbitmq-secret
- name: RABBITMQ_PORT
valueFrom:
secretKeyRef:
key: port
name: rabbitmq-secret
- name: RABBITMQ_USER
valueFrom:
secretKeyRef:
key: username
name: rabbitmq-secret
- name: RABBITMQ_PASS
valueFrom:
secretKeyRef:
key: password
name: rabbitmq-secret
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: POSTGRES_ADDRESS
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: BIM_API_V2_DB
value: /etc/sarex/bim-api-v2-db-prod.json
- name: PDM_API_DB
@ -111,7 +91,7 @@ spec:
- name: MAILGUN
value: /etc/mailgun-secret/env.json
- name: SMTP
value: /etc/smtp-secret/smtp.json
value: /vault/secrets/processing-smtp
- name: INTERNAL_PDM_URL
value: http://documentations-api.documentations.svc.cluster.local:8080
- name: INTERNAL_FILESTREAM_URL
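Review bot: The last hunk repoints `SMTP` to `/vault/secrets/processing-smtp`, but this section still lists the `smtp-secret` volume (`secretName: smtp-secret`), and the rendering does not show whether those lines are on the old or the new side. If the volume and its mount remain, the SMTP credentials stay readable in the pod from the Kubernetes Secret as well as from Vault, so the migration does not reduce exposure; drop the volume and mount, and retire the Secret once the Vault path is confirmed. Also, `vault.hashicorp.com/agent-pre-populate-only: "true"` renders the files once at init, so a rotated `smtp_auth` value is picked up only after a pod restart; a short comment next to the annotation saying so would help operators. The engine section below has the same layout.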


@ -18,25 +18,50 @@ spec:
labels:
app: engine
service: engine
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: processing
vault.hashicorp.com/agent-inject-secret-processing-postgresql: secrets/data/postgresql/apps/processing
vault.hashicorp.com/agent-inject-template-processing-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/processing" -}}
POSTGRES_ADDRESS=postgresql.processing.svc.cluster.local
POSTGRES_PORT=5432
POSTGRES_USER={{ index .Data.data "username" }}
POSTGRES_PASSWORD={{ index .Data.data "password" }}
POSTGRES_DB=workflow_db
{{- end -}}
vault.hashicorp.com/agent-inject-secret-processing-rabbitmq: secrets/data/rabbitmq/apps/processing
vault.hashicorp.com/agent-inject-template-processing-rabbitmq: |-
{{- with secret "secrets/data/rabbitmq/apps/processing" -}}
RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
RABBITMQ_PORT=5672
RABBITMQ_USER={{ index .Data.data "username" }}
RABBITMQ_PASS={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-processing-smtp: secrets/data/vault/common/smtp_auth
vault.hashicorp.com/agent-inject-template-processing-smtp: |-
{{- with secret "secrets/data/vault/common/smtp_auth" -}}
{{ index .Data.data "env_json" }}
{{- end -}}
spec:
volumes:
- name: yc-s3
secret:
defaultMode: 420
secretName: yc-s3
- name: django-auth
secret:
defaultMode: 420
secretName: django-auth
- name: smtp-secret
secret:
defaultMode: 420
secretName: smtp-secret
serviceAccountName: processing-vault
containers:
- name: engine
image: cr.yandex/crp3ccidau046kdj8g9q/workflows-endigne_prod:075fc0
imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/processing-postgresql ] && . /vault/secrets/processing-postgresql
[ -f /vault/secrets/processing-rabbitmq ] && . /vault/secrets/processing-rabbitmq
set +a
exec /engine
ports:
- name: http
@ -58,51 +83,6 @@ spec:
value: http://backend.django.svc.cluster.local:8000
- name: S3_SERVICE_ACCOUNT
value: /etc/sarex/yc-s3/yc-s3-service-account.json
- name: RABBITMQ_HOST
valueFrom:
secretKeyRef:
key: host
name: rabbitmq-secret
- name: RABBITMQ_PORT
valueFrom:
secretKeyRef:
key: port
name: rabbitmq-secret
- name: RABBITMQ_USER
valueFrom:
secretKeyRef:
key: username
name: rabbitmq-secret
- name: RABBITMQ_PASS
valueFrom:
secretKeyRef:
key: password
name: rabbitmq-secret
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: POSTGRES_ADDRESS
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: BIM_API_V2_DB
value: /etc/sarex/bim-api-v2-db-prod.json
- name: PDM_API_DB
@ -114,7 +94,7 @@ spec:
- name: MAILGUN
value: /etc/mailgun-secret/env.json
- name: SMTP
value: /etc/smtp-secret/smtp.json
value: /vault/secrets/processing-smtp
- name: INTERNAL_PDM_URL
value: http://documentations-api.documentations.svc.cluster.local:8080
- name: INTERNAL_FILESTREAM_URL
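Review bot: All three workloads in this commit authenticate with the same `vault.hashicorp.com/role: processing` and `serviceAccountName: processing-vault`, although workflows-api only templates the PostgreSQL and `rsa_keys` paths while the two engines also read `secrets/data/rabbitmq/apps/processing` and `secrets/data/vault/common/smtp_auth`. The policy behind the role is not visible here, but it presumably has to allow the union of those paths, so a compromised workflows-api pod could read RabbitMQ and SMTP credentials it never uses. Consider one role and service account per workload, each bound to a policy limited to the paths that workload actually templates.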