sarex/iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add bi test db

Browse Source
This commit is contained in:
Kochetkov S 2026-04-21 14:39:35 +03:00
parent 77e43f93b8
commit dccb4d6c62
4 changed files with 194 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
clusters/yc-k8s-test/infrastructure/bootstrap-jobs/kustomization.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- service-bootstrap-jobs.yaml

180
clusters/yc-k8s-test/infrastructure/bootstrap-jobs/service-bootstrap-jobs.yaml Normal file
View File

@ -0,0 +1,180 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: rabbitmq-apps-bootstrap
namespace: rabbitmq
spec:
schedule: "*/10 * * * *"
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 2
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
spec:
restartPolicy: OnFailure
serviceAccountName: rabbitmq
containers:
- name: bootstrap
image: alpine:3.20
command: ["/bin/sh", "-ec"]
args:
- |
apk add --no-cache curl jq >/dev/null
VAULT_ADDR="http://vault-vault-contour.vault.svc:8200"
JWT="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
VAULT_TOKEN="$(curl -sS --request POST \
--data "{\"role\":\"rabbitmq\",\"jwt\":\"${JWT}\"}" \
"${VAULT_ADDR}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
[ -n "${VAULT_TOKEN}" ] && [ "${VAULT_TOKEN}" != "null" ]
admin_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/data/rabbitmq/auth")"
admin_user="$(echo "${admin_json}" | jq -r '.data.data.username')"
admin_pass="$(echo "${admin_json}" | jq -r '.data.data.password')"
list_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/metadata/rabbitmq/apps?list=true")"
for app in $(echo "${list_json}" | jq -r '.data.keys[]?' | sed 's#/$##'); do
app_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/data/rabbitmq/apps/${app}")"
username="$(echo "${app_json}" | jq -r '.data.data.username')"
password="$(echo "${app_json}" | jq -r '.data.data.password')"
[ -z "${username}" ] && username="${app}"
[ -z "${password}" ] && continue
curl -sS -u "${admin_user}:${admin_pass}" -H "content-type:application/json" \
-X PUT "http://rabbitmq.rabbitmq.svc.cluster.local:15672/api/users/${username}" \
-d "{\"password\":\"${password}\",\"tags\":\"\"}" >/dev/null
curl -sS -u "${admin_user}:${admin_pass}" -H "content-type:application/json" \
-X PUT "http://rabbitmq.rabbitmq.svc.cluster.local:15672/api/permissions/%2F/${username}" \
-d '{"configure":".*","write":".*","read":".*"}' >/dev/null
done
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: minio-apps-bootstrap
namespace: minio
spec:
schedule: "*/10 * * * *"
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 2
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
spec:
restartPolicy: OnFailure
serviceAccountName: minio-sa
containers:
- name: bootstrap
image: alpine:3.20
command: ["/bin/sh", "-ec"]
args:
- |
apk add --no-cache curl jq >/dev/null
curl -fsSL -o /usr/local/bin/mc https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x /usr/local/bin/mc
VAULT_ADDR="http://vault-vault-contour.vault.svc:8200"
JWT="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
VAULT_TOKEN="$(curl -sS --request POST \
--data "{\"role\":\"minio\",\"jwt\":\"${JWT}\"}" \
"${VAULT_ADDR}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
[ -n "${VAULT_TOKEN}" ] && [ "${VAULT_TOKEN}" != "null" ]
admin_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/data/minio/admin")"
root_user="$(echo "${admin_json}" | jq -r '.data.data.rootUser')"
root_pass="$(echo "${admin_json}" | jq -r '.data.data.rootPassword')"
/usr/local/bin/mc alias set local http://minio.minio.svc.cluster.local:9000 "${root_user}" "${root_pass}"
list_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/metadata/minio/apps?list=true")"
for app in $(echo "${list_json}" | jq -r '.data.keys[]?' | sed 's#/$##'); do
app_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/data/minio/apps/${app}")"
username="$(echo "${app_json}" | jq -r '.data.data.username')"
password="$(echo "${app_json}" | jq -r '.data.data.password')"
[ -z "${username}" ] && username="${app}"
[ -z "${password}" ] && continue
/usr/local/bin/mc admin user add local "${username}" "${password}" >/dev/null 2>&1 || true
/usr/local/bin/mc admin user enable local "${username}" >/dev/null 2>&1 || true
done
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kafka-bootstrap-exec
namespace: kafka
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kafka-bootstrap-exec
namespace: kafka
subjects:
- kind: ServiceAccount
name: kafka-kafka-contour
namespace: kafka
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kafka-bootstrap-exec
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: kafka-apps-bootstrap
namespace: kafka
spec:
schedule: "*/10 * * * *"
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 2
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
spec:
restartPolicy: OnFailure
serviceAccountName: kafka-kafka-contour
containers:
- name: bootstrap
image: alpine:3.20
command: ["/bin/sh", "-ec"]
args:
- |
apk add --no-cache bash curl jq kubectl >/dev/null
VAULT_ADDR="http://vault-vault-contour.vault.svc:8200"
JWT="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
VAULT_TOKEN="$(curl -sS --request POST \
--data "{\"role\":\"kafka\",\"jwt\":\"${JWT}\"}" \
"${VAULT_ADDR}/v1/auth/kubernetes/login" | jq -r '.auth.client_token')"
[ -n "${VAULT_TOKEN}" ] && [ "${VAULT_TOKEN}" != "null" ]
bootstrap_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/data/kafka/bootstrap")"
inter_broker_password="$(echo "${bootstrap_json}" | jq -r '.data.data.interBrokerPassword')"
list_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/metadata/kafka/apps?list=true")"
target_pod="$(kubectl -n kafka get pod -l app.kubernetes.io/component=controller -o jsonpath='{.items[0].metadata.name}')"
for app in $(echo "${list_json}" | jq -r '.data.keys[]?' | sed 's#/$##'); do
app_json="$(curl -sS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR}/v1/secrets/data/kafka/apps/${app}")"
username="$(echo "${app_json}" | jq -r '.data.data.username')"
password="$(echo "${app_json}" | jq -r '.data.data.password')"
[ -z "${username}" ] && username="${app}"
[ -z "${password}" ] && continue
kubectl -n kafka exec "${target_pod}" -c kafka -- /bin/bash -lc "\
cat >/tmp/admin.properties <<EOF
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username='inter_broker_user' password='${inter_broker_password}';
EOF
kafka-configs.sh --bootstrap-server localhost:9092 --command-config /tmp/admin.properties \
--alter --add-config 'SCRAM-SHA-512=[password=${password}],SCRAM-SHA-256=[password=${password}]' \
--entity-type users --entity-name '${username}'
" >/dev/null
done

1
clusters/yc-k8s-test/infrastructure/kustomization.yaml
View File

@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../infrastructure
- ./bootstrap-jobs
patches:
- path: ./patches/cert-manager.yaml
target:

16
clusters/yc-k8s-test/infrastructure/patches/postgresql.yaml
View File

@ -128,14 +128,14 @@ spec:
- uuid-ossp
restoreFromDump: false
# - name: bi
# user: bi
# passwordKey: bi
# extensions:
# - ltree
# - pg_stat_statements
# - uuid-ossp
# restoreFromDump: false
- name: bi
user: bi
passwordKey: bi
extensions:
- ltree
- pg_stat_statements
- uuid-ossp
restoreFromDump: false
# - name: camunda_db
# user: camunda