From d8b9b59f48d27b3252cd5864b087c43c982ddffc Mon Sep 17 00:00:00 2001
From: Kochetkov S
Date: Thu, 23 Apr 2026 17:23:03 +0300
Subject: [PATCH] a lot of new services
---
apps/processing/base/api-deployment.yaml | 62 ++++++++-------
apps/processing/base/engine-low.yaml | 98 ++++++++++--------------
apps/processing/base/engine.yaml | 98 ++++++++++--------------
3 files changed, 108 insertions(+), 150 deletions(-)
diff --git a/apps/processing/base/api-deployment.yaml b/apps/processing/base/api-deployment.yaml
index 2a546ba..1230fb5 100644
--- a/apps/processing/base/api-deployment.yaml
+++ b/apps/processing/base/api-deployment.yaml
@@ -17,11 +17,41 @@ spec:
labels:
app: workflows-api
service: workflows-api
+ annotations:
+ traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+ vault.hashicorp.com/agent-init-first: "true"
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/auth-path: auth/kubernetes
+ vault.hashicorp.com/role: processing
+ vault.hashicorp.com/agent-inject-secret-processing-postgresql: secrets/data/postgresql/apps/processing
+ vault.hashicorp.com/agent-inject-template-processing-postgresql: |-
+ {{- with secret "secrets/data/postgresql/apps/processing" -}}
+ POSTGRES_ADDRESS=postgresql.processing.svc.cluster.local
+ POSTGRES_PORT=5432
+ POSTGRES_USER={{ index .Data.data "username" }}
+ POSTGRES_PASSWORD={{ index .Data.data "password" }}
+ POSTGRES_DB=workflow_db
+ {{- end -}}
+ vault.hashicorp.com/agent-inject-secret-processing-jwt-public: secrets/data/vault/common/rsa_keys
+ vault.hashicorp.com/agent-inject-template-processing-jwt-public: |-
+ {{- with secret "secrets/data/vault/common/rsa_keys" -}}
+ {{ index .Data.data "public_key" }}
+ {{- end -}}
spec:
+ serviceAccountName: processing-vault
containers:
- name: workflows-api
image: cr.yandex/crp3ccidau046kdj8g9q/workflows-api_prod:075fc0
imagePullPolicy: IfNotPresent
+ command: ["/bin/bash", "-ec"]
+ args:
+ - |
+ set -a
+ [ -f /vault/secrets/processing-postgresql ] && . /vault/secrets/processing-postgresql
+ [ -f /vault/secrets/processing-jwt-public ] && export PUBLIC_KEY="$(cat /vault/secrets/processing-jwt-public)"
+ set +a
+ exec /httpserver migrate
ports:
- name: http
containerPort: 8000
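Review bot: The rendered `/vault/secrets/processing-postgresql` file is `.`-sourced by `bash -ec`, but the template writes `POSTGRES_PASSWORD={{ index .Data.data "password" }}` with no quoting, so a password containing a space, `#`, `$`, backtick or `;` is truncated or evaluated as shell instead of being exported verbatim. Single-quote the value in the template, e.g. `POSTGRES_PASSWORD='{{ index .Data.data "password" | replaceAll "'" "'\\''" }}'`, and do the same for `username`. The `[ -f … ] && . …` guards also make a missing render a silent no-op (an `&&` list does not trip `set -e`), so the API would come up with no DB credentials and an empty `PUBLIC_KEY`; since `agent-init-first` plus `agent-pre-populate-only` already guarantee the files exist before this container starts, drop the guards and let `. /vault/secrets/processing-postgresql` fail the container. `excludeOutboundPorts: "8200"` takes the Vault connection out of the Istio sidecar's mTLS, so it rests on the agent's own TLS to Vault — worth confirming the injector's `VAULT_ADDR` is https, which this hunk cannot show.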
@@ -44,38 +74,6 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- - name: POSTGRES_ADDRESS
- valueFrom:
- secretKeyRef:
- key: hostname
- name: postgresql-secret
- - name: POSTGRES_PORT
- valueFrom:
- secretKeyRef:
- key: port
- name: postgresql-secret
- - name: POSTGRES_USER
- valueFrom:
- secretKeyRef:
- key: username
- name: postgresql-secret
- - name: POSTGRES_PASSWORD
- valueFrom:
- secretKeyRef:
- key: password
- name: postgresql-secret
- - name: POSTGRES_DB
- valueFrom:
- secretKeyRef:
- key: database
- name: postgresql-secret
- - name: PUBLIC_KEY
- valueFrom:
- secretKeyRef:
- key: key
- name: public-key
-
-
resources:
requests:
cpu: "1"
diff --git a/apps/processing/base/engine-low.yaml b/apps/processing/base/engine-low.yaml
index a90365f..c6a401d 100644
--- a/apps/processing/base/engine-low.yaml
+++ b/apps/processing/base/engine-low.yaml
@@ -17,24 +17,49 @@ spec:
labels:
app: engine-low
service: engine-low
+ annotations:
+ traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+ vault.hashicorp.com/agent-init-first: "true"
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/auth-path: auth/kubernetes
+ vault.hashicorp.com/role: processing
+ vault.hashicorp.com/agent-inject-secret-processing-postgresql: secrets/data/postgresql/apps/processing
+ vault.hashicorp.com/agent-inject-template-processing-postgresql: |-
+ {{- with secret "secrets/data/postgresql/apps/processing" -}}
+ POSTGRES_ADDRESS=postgresql.processing.svc.cluster.local
+ POSTGRES_PORT=5432
+ POSTGRES_USER={{ index .Data.data "username" }}
+ POSTGRES_PASSWORD={{ index .Data.data "password" }}
+ POSTGRES_DB=workflow_db
+ {{- end -}}
+ vault.hashicorp.com/agent-inject-secret-processing-rabbitmq: secrets/data/rabbitmq/apps/processing
+ vault.hashicorp.com/agent-inject-template-processing-rabbitmq: |-
+ {{- with secret "secrets/data/rabbitmq/apps/processing" -}}
+ RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
+ RABBITMQ_PORT=5672
+ RABBITMQ_USER={{ index .Data.data "username" }}
+ RABBITMQ_PASS={{ index .Data.data "password" }}
+ {{- end -}}
+ vault.hashicorp.com/agent-inject-secret-processing-smtp: secrets/data/vault/common/smtp_auth
+ vault.hashicorp.com/agent-inject-template-processing-smtp: |-
+ {{- with secret "secrets/data/vault/common/smtp_auth" -}}
+ {{ index .Data.data "env_json" }}
+ {{- end -}}
spec:
- volumes:
- - name: yc-s3
- secret:
- defaultMode: 420
- secretName: yc-s3
- - name: django-auth
- secret:
- defaultMode: 420
- secretName: django-auth
- - name: smtp-secret
- secret:
- defaultMode: 420
- secretName: smtp-secret
+ serviceAccountName: processing-vault
containers:
- name: engine-low
image: cr.yandex/crp3ccidau046kdj8g9q/workflows-endigne_prod:075fc0
imagePullPolicy: IfNotPresent
+ command: ["/bin/bash", "-ec"]
+ args:
+ - |
+ set -a
+ [ -f
/vault/secrets/processing-postgresql ] && . /vault/secrets/processing-postgresql
+ [ -f /vault/secrets/processing-rabbitmq ] && . /vault/secrets/processing-rabbitmq
+ set +a
+ exec /engine
ports:
- name: http
@@ -55,51 +80,6 @@ spec:
value: http://backend.django.svc.cluster.local:8000
- name: S3_SERVICE_ACCOUNT
value: /etc/sarex/yc-s3/yc-s3-service-account.json
- - name: RABBITMQ_HOST
- valueFrom:
- secretKeyRef:
- key: host
- name: rabbitmq-secret
- - name: RABBITMQ_PORT
- valueFrom:
- secretKeyRef:
- key: port
- name: rabbitmq-secret
- - name: RABBITMQ_USER
- valueFrom:
- secretKeyRef:
- key: username
- name: rabbitmq-secret
- - name: RABBITMQ_PASS
- valueFrom:
- secretKeyRef:
- key: password
- name: rabbitmq-secret
- - name: POSTGRES_PORT
- valueFrom:
- secretKeyRef:
- key: port
- name: postgresql-secret
- - name: POSTGRES_ADDRESS
- valueFrom:
- secretKeyRef:
- key: hostname
- name: postgresql-secret
- - name: POSTGRES_USER
- valueFrom:
- secretKeyRef:
- key: username
- name: postgresql-secret
- - name: POSTGRES_PASSWORD
- valueFrom:
- secretKeyRef:
- key: password
- name: postgresql-secret
- - name: POSTGRES_DB
- valueFrom:
- secretKeyRef:
- key: database
- name: postgresql-secret
- name: BIM_API_V2_DB
value: /etc/sarex/bim-api-v2-db-prod.json
- name: PDM_API_DB
@@ -111,7 +91,7 @@ spec:
- name: MAILGUN
value: /etc/mailgun-secret/env.json
- name: SMTP
- value: /etc/smtp-secret/smtp.json
+ value: /vault/secrets/processing-smtp
- name: INTERNAL_PDM_URL
value: http://documentations-api.documentations.svc.cluster.local:8080
- name: INTERNAL_FILESTREAM_URL
diff --git a/apps/processing/base/engine.yaml b/apps/processing/base/engine.yaml
index 5e3e965..1457e9a 100644
--- a/apps/processing/base/engine.yaml
+++ b/apps/processing/base/engine.yaml
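Review bot: `S3_SERVICE_ACCOUNT` still points at `/etc/sarex/yc-s3/yc-s3-service-account.json` (context in the following hunk), but the `yc-s3` secret volume that supplied that file is deleted in this hunk and no `agent-inject-secret-*` entry replaces it; the `django-auth` volume goes the same way, while only `smtp-secret` actually has a Vault successor. The container's `volumeMounts` are outside these hunks: if they still name `yc-s3`/`django-auth` the Deployment is rejected at apply time, and if they were removed as well engine-low starts without its S3 service-account key and whatever consumed `django-auth`. Keep those two `volumes:` entries until equivalent Vault templates exist, or add the templates in this change. The unquoted `POSTGRES_PASSWORD`/`RABBITMQ_PASS` template values and the silent `[ -f … ] &&` guards have the same problem as in `api-deployment.yaml`.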
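Review bot: `SMTP` now reads `/vault/secrets/processing-smtp`, whose template in the first hunk emits `{{ index .Data.data "env_json" }}` verbatim, so the file only reproduces the old `smtp.json` if the KV field `env_json` holds the document as a pre-serialised JSON string; a nested object would be printed in Go's `map[...]` form and the consumer (presumably a JSON parser, given the old `.json` file) would fail at first use. If the field is stored structured, render it with `{{ index .Data.data "env_json" | toJSON }}`; if it is a string, add a comment on the template saying so, e.g. `# env_json must be the full SMTP config as one JSON string`. The same check applies to the identical change in `engine.yaml`.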
@@ -18,25 +18,50 @@ spec:
labels:
app: engine
service: engine
+ annotations:
+ traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+ vault.hashicorp.com/agent-init-first: "true"
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-pre-populate-only: "true"
+ vault.hashicorp.com/auth-path: auth/kubernetes
+ vault.hashicorp.com/role: processing
+ vault.hashicorp.com/agent-inject-secret-processing-postgresql: secrets/data/postgresql/apps/processing
+ vault.hashicorp.com/agent-inject-template-processing-postgresql: |-
+ {{- with secret "secrets/data/postgresql/apps/processing" -}}
+ POSTGRES_ADDRESS=postgresql.processing.svc.cluster.local
+ POSTGRES_PORT=5432
+ POSTGRES_USER={{ index .Data.data "username" }}
+ POSTGRES_PASSWORD={{ index .Data.data "password" }}
+ POSTGRES_DB=workflow_db
+ {{- end -}}
+ vault.hashicorp.com/agent-inject-secret-processing-rabbitmq: secrets/data/rabbitmq/apps/processing
+ vault.hashicorp.com/agent-inject-template-processing-rabbitmq: |-
+ {{- with secret "secrets/data/rabbitmq/apps/processing" -}}
+ RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
+ RABBITMQ_PORT=5672
+ RABBITMQ_USER={{ index .Data.data "username" }}
+ RABBITMQ_PASS={{ index .Data.data "password" }}
+ {{- end -}}
+ vault.hashicorp.com/agent-inject-secret-processing-smtp: secrets/data/vault/common/smtp_auth
+ vault.hashicorp.com/agent-inject-template-processing-smtp: |-
+ {{- with secret "secrets/data/vault/common/smtp_auth" -}}
+ {{ index .Data.data "env_json" }}
+ {{- end -}}
spec:
- volumes:
- - name: yc-s3
- secret:
- defaultMode: 420
- secretName: yc-s3
- - name: django-auth
- secret:
- defaultMode: 420
- secretName: django-auth
- - name: smtp-secret
- secret:
- defaultMode: 420
- secretName: smtp-secret
+ serviceAccountName: processing-vault
containers:
- name: engine
image: cr.yandex/crp3ccidau046kdj8g9q/workflows-endigne_prod:075fc0
imagePullPolicy: IfNotPresent
+ command: ["/bin/bash", "-ec"]
+ args:
+ - |
+ set -a
+ [ -f
/vault/secrets/processing-postgresql ] && . /vault/secrets/processing-postgresql
+ [ -f /vault/secrets/processing-rabbitmq ] && . /vault/secrets/processing-rabbitmq
+ set +a
+ exec /engine
ports:
- name: http
@@ -58,51 +83,6 @@ spec:
value: http://backend.django.svc.cluster.local:8000
- name: S3_SERVICE_ACCOUNT
value: /etc/sarex/yc-s3/yc-s3-service-account.json
- - name: RABBITMQ_HOST
- valueFrom:
- secretKeyRef:
- key: host
- name: rabbitmq-secret
- - name: RABBITMQ_PORT
- valueFrom:
- secretKeyRef:
- key: port
- name: rabbitmq-secret
- - name: RABBITMQ_USER
- valueFrom:
- secretKeyRef:
- key: username
- name: rabbitmq-secret
- - name: RABBITMQ_PASS
- valueFrom:
- secretKeyRef:
- key: password
- name: rabbitmq-secret
- - name: POSTGRES_PORT
- valueFrom:
- secretKeyRef:
- key: port
- name: postgresql-secret
- - name: POSTGRES_ADDRESS
- valueFrom:
- secretKeyRef:
- key: hostname
- name: postgresql-secret
- - name: POSTGRES_USER
- valueFrom:
- secretKeyRef:
- key: username
- name: postgresql-secret
- - name: POSTGRES_PASSWORD
- valueFrom:
- secretKeyRef:
- key: password
- name: postgresql-secret
- - name: POSTGRES_DB
- valueFrom:
- secretKeyRef:
- key: database
- name: postgresql-secret
- name: BIM_API_V2_DB
value: /etc/sarex/bim-api-v2-db-prod.json
- name: PDM_API_DB
@@ -114,7 +94,7 @@ spec:
- name: MAILGUN
value: /etc/mailgun-secret/env.json
- name: SMTP
- value: /etc/smtp-secret/smtp.json
+ value: /vault/secrets/processing-smtp
- name: INTERNAL_PDM_URL
value: http://documentations-api.documentations.svc.cluster.local:8080
- name: INTERNAL_FILESTREAM_URL
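Review bot: As in `engine-low.yaml`, the `yc-s3` and `django-auth` secret volumes are removed here while `S3_SERVICE_ACCOUNT` (context in the next hunk) still points into the deleted `yc-s3` mount at `/etc/sarex/yc-s3/yc-s3-service-account.json`, and nothing in the patch re-creates that file; the `volumeMounts` that decide whether this fails at apply time or at runtime are outside the hunk. Keep both `volumes:` entries until Vault templates for them exist. Separately, this hunk is a byte-for-byte copy of the engine-low one — 30 lines of annotations plus the bash wrapper duplicated across two Deployments in the same base — so a Kustomize patch or component shared by `engine` and `engine-low` would stop the two templates drifting apart on the next secret change.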