diff --git a/clusters/yc-k8s-test/infrastructure/bootstrap-jobs/kustomization.yaml b/clusters/yc-k8s-test/infrastructure/bootstrap-jobs/kustomization.yaml new file mode 100644 index 0000000..24283cb --- /dev/null +++ b/clusters/yc-k8s-test/infrastructure/bootstrap-jobs/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - service-bootstrap-jobs.yaml + diff --git a/clusters/yc-k8s-test/infrastructure/bootstrap-jobs/service-bootstrap-jobs.yaml b/clusters/yc-k8s-test/infrastructure/bootstrap-jobs/service-bootstrap-jobs.yaml new file mode 100644 index 0000000..e536612 --- /dev/null +++ b/clusters/yc-k8s-test/infrastructure/bootstrap-jobs/service-bootstrap-jobs.yaml @@ -0,0 +1,180 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: rabbitmq-apps-bootstrap + namespace: rabbitmq +spec: + schedule: "*/10 * * * *" + successfulJobsHistoryLimit: 1 + failedJobsHistoryLimit: 2 + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + serviceAccountName: rabbitmq + containers: + - name: bootstrap + image: alpine:3.20 + command: ["/bin/sh", "-ec"] + args: + - | + apk add --no-cache curl jq >/dev/null + VAULT_ADDR="http://vault-vault-contour.vault.svc:8200" + JWT="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" + VAULT_TOKEN="$(curl -sS --request POST \ + --data "{\"role\":\"rabbitmq\",\"jwt\":\"${JWT}\"}" \ + "${VAULT_ADDR}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')" + [ -n "${VAULT_TOKEN}" ] && [ "${VAULT_TOKEN}" != "null" ] + + admin_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/data/rabbitmq/auth")" + admin_user="$(echo "${admin_json}" | jq -r '.data.data.username')" + admin_pass="$(echo "${admin_json}" | jq -r '.data.data.password')" + list_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/metadata/rabbitmq/apps?list=true")" + for app in $(echo "${list_json}" | jq -r '.data.keys[]?' | sed 's#/$##'); do + app_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/data/rabbitmq/apps/${app}")" + username="$(echo "${app_json}" | jq -r '.data.data.username')" + password="$(echo "${app_json}" | jq -r '.data.data.password')" + [ -z "${username}" ] && username="${app}" + [ -z "${password}" ] && continue + + curl -sS -u "${admin_user}:${admin_pass}" -H "content-type:application/json" \ + -X PUT "http://rabbitmq.rabbitmq.svc.cluster.local:15672/api/users/${username}" \ + -d "{\"password\":\"${password}\",\"tags\":\"\"}" >/dev/null + curl -sS -u "${admin_user}:${admin_pass}" -H "content-type:application/json" \ + -X PUT "http://rabbitmq.rabbitmq.svc.cluster.local:15672/api/permissions/%2F/${username}" \ + -d '{"configure":".*","write":".*","read":".*"}' >/dev/null + done +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: minio-apps-bootstrap + namespace: minio +spec: + schedule: "*/10 * * * *" + successfulJobsHistoryLimit: 1 + failedJobsHistoryLimit: 2 + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + serviceAccountName: minio-sa + containers: + - name: bootstrap + image: alpine:3.20 + command: ["/bin/sh", "-ec"] + args: + - | + apk add --no-cache curl jq >/dev/null + curl -fsSL -o /usr/local/bin/mc https://dl.min.io/client/mc/release/linux-amd64/mc + chmod +x /usr/local/bin/mc + + VAULT_ADDR="http://vault-vault-contour.vault.svc:8200" + JWT="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" + VAULT_TOKEN="$(curl -sS --request POST \ + --data "{\"role\":\"minio\",\"jwt\":\"${JWT}\"}" \ + "${VAULT_ADDR}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')" + [ -n "${VAULT_TOKEN}" ] && [ "${VAULT_TOKEN}" != "null" ] + + admin_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/data/minio/admin")" + root_user="$(echo "${admin_json}" | jq -r '.data.data.rootUser')" + root_pass="$(echo "${admin_json}" | jq -r '.data.data.rootPassword')" + /usr/local/bin/mc alias set local http://minio.minio.svc.cluster.local:9000 "${root_user}" "${root_pass}" + + list_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/metadata/minio/apps?list=true")" + for app in $(echo "${list_json}" | jq -r '.data.keys[]?' | sed 's#/$##'); do + app_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/data/minio/apps/${app}")" + username="$(echo "${app_json}" | jq -r '.data.data.username')" + password="$(echo "${app_json}" | jq -r '.data.data.password')" + [ -z "${username}" ] && username="${app}" + [ -z "${password}" ] && continue + + /usr/local/bin/mc admin user add local "${username}" "${password}" >/dev/null 2>&1 || true + /usr/local/bin/mc admin user enable local "${username}" >/dev/null 2>&1 || true + done +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kafka-bootstrap-exec + namespace: kafka +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["pods/exec"] + verbs: ["create", "get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kafka-bootstrap-exec + namespace: kafka +subjects: + - kind: ServiceAccount + name: kafka-kafka-contour + namespace: kafka +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kafka-bootstrap-exec +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: kafka-apps-bootstrap + namespace: kafka +spec: + schedule: "*/10 * * * *" + successfulJobsHistoryLimit: 1 + failedJobsHistoryLimit: 2 + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + serviceAccountName: kafka-kafka-contour + containers: + - name: bootstrap + image: alpine:3.20 + command: ["/bin/sh", "-ec"] + args: + - | + apk add --no-cache bash curl jq kubectl >/dev/null + + VAULT_ADDR="http://vault-vault-contour.vault.svc:8200" + JWT="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" + VAULT_TOKEN="$(curl -sS --request POST \ + --data "{\"role\":\"kafka\",\"jwt\":\"${JWT}\"}" \ + "${VAULT_ADDR}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')" + [ -n "${VAULT_TOKEN}" ] && [ "${VAULT_TOKEN}" != "null" ] + + bootstrap_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/data/kafka/bootstrap")" + inter_broker_password="$(echo "${bootstrap_json}" | jq -r '.data.data.interBrokerPassword')" + list_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/metadata/kafka/apps?list=true")" + target_pod="$(kubectl -n kafka get pod -l app.kubernetes.io/component=controller -o jsonpath='{.items[0].metadata.name}')" + + for app in $(echo "${list_json}" | jq -r '.data.keys[]?' | sed 's#/$##'); do + app_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/data/kafka/apps/${app}")" + username="$(echo "${app_json}" | jq -r '.data.data.username')" + password="$(echo "${app_json}" | jq -r '.data.data.password')" + [ -z "${username}" ] && username="${app}" + [ -z "${password}" ] && continue + + kubectl -n kafka exec "${target_pod}" -c kafka -- /bin/bash -lc "\ + cat >/tmp/admin.properties </dev/null + done diff --git a/clusters/yc-k8s-test/infrastructure/kustomization.yaml b/clusters/yc-k8s-test/infrastructure/kustomization.yaml index 792329d..febc839 100644 --- a/clusters/yc-k8s-test/infrastructure/kustomization.yaml +++ b/clusters/yc-k8s-test/infrastructure/kustomization.yaml @@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../../infrastructure + - ./bootstrap-jobs patches: - path: ./patches/cert-manager.yaml target: diff --git a/clusters/yc-k8s-test/infrastructure/patches/postgresql.yaml b/clusters/yc-k8s-test/infrastructure/patches/postgresql.yaml index fd1dc8e..656af5a 100644 --- a/clusters/yc-k8s-test/infrastructure/patches/postgresql.yaml +++ b/clusters/yc-k8s-test/infrastructure/patches/postgresql.yaml @@ -128,14 +128,14 @@ spec: - uuid-ossp restoreFromDump: false - # - name: bi - # user: bi - # passwordKey: bi - # extensions: - # - ltree - # - pg_stat_statements - # - uuid-ossp - # restoreFromDump: false + - name: bi + user: bi + passwordKey: bi + extensions: + - ltree + - pg_stat_statements + - uuid-ossp + restoreFromDump: false # - name: camunda_db # user: camunda