system-log

2026-04-24 14:22:48 +03:00 · 2026-04-24 14:22:48 +03:00 · fbb9180fcd
commit fbb9180fcd
parent 28dde42d3a
5 changed files with 128 additions and 97 deletions
--- a/apps/django/base/django-configmap.yaml
+++ b/apps/django/base/django-configmap.yaml
@ -5,11 +5,52 @@ metadata:
  namespace: django
 data:
  production.py: |
+    import ast
    import os
    from .base import *
    from logging.handlers import SysLogHandler
    from datetime import timedelta

+    def _load_env_file(path):
+        try:
+            with open(path, "r", encoding="utf-8") as f:
+                for raw_line in f:
+                    line = raw_line.strip()
+                    if not line or line.startswith("#") or "=" not in line:
+                        continue
+                    key, value = line.split("=", 1)
+                    key = key.strip()
+                    value = value.strip()
+                    if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
+                        try:
+                            value = ast.literal_eval(value)
+                        except (ValueError, SyntaxError):
+                            value = value[1:-1]
+                    if key and key not in os.environ:
+                        os.environ[key] = value
+        except FileNotFoundError:
+            pass
+
+    def _read_secret_file(path, default=""):
+        try:
+            with open(path, "r", encoding="utf-8") as f:
+                return f.read().strip()
+        except FileNotFoundError:
+            return default
+
+    # Fallback for manage.py launched via `kubectl exec` (outside entrypoint),
+    # so Django can still read DB/JWT values from Vault-injected files.
+    _load_env_file("/vault/secrets/django-postgresql")
+    _load_env_file("/vault/secrets/django-rabbitmq")
+    _load_env_file("/vault/secrets/django-s3")
+    _load_env_file("/vault/secrets/django-kafka")
+    _load_env_file("/vault/secrets/django-common")
+
+    if not os.environ.get("JWT_PRIVATE_KEY"):
+        os.environ["JWT_PRIVATE_KEY"] = _read_secret_file("/vault/secrets/django-jwt-private")
+    if not os.environ.get("JWT_PUBLIC_KEY"):
+        os.environ["JWT_PUBLIC_KEY"] = _read_secret_file("/vault/secrets/django-jwt-public")
+
    ALLOWED_HOSTS = ["*"]
    FILE_UPLOAD_PERMISSIONS = 0o644
    DEBUG = False
@ -109,8 +150,8 @@ data:
        'BLACKLIST_AFTER_ROTATION': True,
        'UPDATE_LAST_LOGIN': False,
        'ALGORITHM': 'RS512',
-        'SIGNING_KEY': os.environ.get("JWT_PRIVATE_KEY").replace("\\n", "\n"),
-        'VERIFYING_KEY': os.environ.get("JWT_PUBLIC_KEY").replace("\\n", "\n"),
+        'SIGNING_KEY': os.environ.get("JWT_PRIVATE_KEY", "").replace("\\n", "\n"),
+        'VERIFYING_KEY': os.environ.get("JWT_PUBLIC_KEY", "").replace("\\n", "\n"),
        'AUDIENCE': None,
        'ISSUER': os.environ.get('SIMPLE_JWT_ISSUER', 'default_issuer'),
        'AUTH_HEADER_TYPES': ('Bearer',),
@ -278,4 +319,3 @@ data:
        },
        "sso_logout_redirect": True
    }
-
--- a/apps/system-log/base/backend-deployment.yaml
+++ b/apps/system-log/base/backend-deployment.yaml
@ -17,11 +17,45 @@ spec:
      labels:
        app: api
        service: api
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: system-log
+        vault.hashicorp.com/agent-inject-secret-system-log-postgresql: secrets/data/postgresql/apps/system-log
+        vault.hashicorp.com/agent-inject-template-system-log-postgresql: |-
+          {{- with secret "secrets/data/postgresql/apps/system-log" -}}
+          POSTGRES_ADDRESS=postgresql.system-log.svc.cluster.local
+          POSTGRES_PORT=5432
+          POSTGRES_DB=system_log_db
+          POSTGRES_USER={{ index .Data.data "username" }}
+          POSTGRES_PASSWORD={{ index .Data.data "password" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-system-log-kafka: secrets/data/kafka/apps/system-log
+        vault.hashicorp.com/agent-inject-template-system-log-kafka: |-
+          {{- with secret "secrets/data/kafka/apps/system-log" -}}
+          KAFKA_USERNAME={{ index .Data.data "username" }}
+          KAFKA_PASSWORD={{ index .Data.data "password" }}
+          KAFKA_BROKERS={{ index .Data.data.auth "bootstrap_servers" }}
+          {{- $topics := index .Data.data "topics" -}}
+          KAFKA_TOPIC={{- if gt (len $topics) 0 -}}{{ index (index $topics 0) "name" }}{{- else -}}system-log.events{{- end -}}
+          {{- end -}}
    spec:
+      serviceAccountName: system-log-vault
      containers:
        - name: api
-          image: cr.yandex/crp3ccidau046kdj8g9q/system-log:prod_6ed1b27e
+          image: cr.yandex/crp3ccidau046kdj8g9q/system-log_prod:075fc0
          imagePullPolicy: IfNotPresent
+          command: ["/bin/bash", "-ec"]
+          args:
+            - |
+              set -a
+              [ -f /vault/secrets/system-log-postgresql ] && . /vault/secrets/system-log-postgresql
+              [ -f /vault/secrets/system-log-kafka ] && . /vault/secrets/system-log-kafka
+              set +a
+              exec /app
          ports:
            - name: http
              containerPort: 8000
@ -57,56 +91,6 @@ spec:
              value: "/tmp"
            - name: DJANGO_HOST
              value: http://backend.django.svc.cluster.local:8000
-            - name: POSTGRES_ADDRESS
-              valueFrom:
-                secretKeyRef:
-                  key: hostname
-                  name: postgresql-secret
-            - name: POSTGRES_PORT
-              valueFrom:
-                secretKeyRef:
-                  key: port
-                  name: postgresql-secret
-            - name: POSTGRES_DB
-              valueFrom:
-                secretKeyRef:
-                  key: database
-                  name: postgresql-secret
-            - name: POSTGRES_USER
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: postgresql-secret
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: postgresql-secret
-            - name: KAFKA_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: kafka-secret
-            - name: KAFKA_BROKERS
-              valueFrom:
-                secretKeyRef:
-                  key: host
-                  name: kafka-secret
-            - name: KAFKA_TOPIC
-              valueFrom:
-                secretKeyRef:
-                  key: topic
-                  name: kafka-secret
-            - name: KAFKA_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: kafka-secret
-            - name: KAFKA_PEM_CERT
-              valueFrom:
-                secretKeyRef:
-                  key: ca.crt
-                  name: kafka-secret

          resources:
            requests:
--- a/apps/system-log/base/kustomization.yaml
+++ b/apps/system-log/base/kustomization.yaml
@ -4,6 +4,7 @@ kind: Kustomization
 namespace: system-log
 resources:
  - namespace.yaml
+  - serviceaccount.yaml
  - backend-deployment.yaml
  - backend-service.yaml
  - worker-deployment.yaml
--- a/apps/system-log/base/worker-deployment.yaml
+++ b/apps/system-log/base/worker-deployment.yaml
@ -17,11 +17,42 @@ spec:
      labels:
        app: worker
        service: worker
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: system-log
+        vault.hashicorp.com/agent-inject-secret-system-log-postgresql: secrets/data/postgresql/apps/system-log
+        vault.hashicorp.com/agent-inject-template-system-log-postgresql: |-
+          {{- with secret "secrets/data/postgresql/apps/system-log" -}}
+          POSTGRES_ADDRESS=postgresql.system-log.svc.cluster.local
+          POSTGRES_PORT=5432
+          POSTGRES_DB=system_log_db
+          POSTGRES_USER={{ index .Data.data "username" }}
+          POSTGRES_PASSWORD={{ index .Data.data "password" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-system-log-django-auth: secrets/data/vault/common/django_auth
+        vault.hashicorp.com/agent-inject-template-system-log-django-auth: |-
+          {{- with secret "secrets/data/vault/common/django_auth" -}}
+          SUPER_USERNAME={{ index .Data.data "username" }}
+          SUPER_PASSWORD={{ index .Data.data "password" }}
+          {{- end -}}
    spec:
+      serviceAccountName: system-log-vault
      containers:
        - name: worker
-          image: cr.yandex/crp3ccidau046kdj8g9q/system_log_worker:de6a0147d285afa273e85c0f074c8b6049d03a32
+          image: cr.yandex/crp3ccidau046kdj8g9q/system-log-worker_prod:075fc0
          imagePullPolicy: IfNotPresent
+          command: ["/bin/bash", "-ec"]
+          args:
+            - |
+              set -a
+              [ -f /vault/secrets/system-log-postgresql ] && . /vault/secrets/system-log-postgresql
+              [ -f /vault/secrets/system-log-django-auth ] && . /vault/secrets/system-log-django-auth
+              set +a
+              exec /app
          ports:
            - name: http
              containerPort: 8000
@ -47,41 +78,6 @@ spec:
              value: "0"
            - name: DJANGO_HOST
              value: http://backend.django.svc.cluster.local:8000
-            - name: POSTGRES_ADDRESS
-              valueFrom:
-                secretKeyRef:
-                  key: hostname
-                  name: postgresql-secret
-            - name: POSTGRES_PORT
-              valueFrom:
-                secretKeyRef:
-                  key: port
-                  name: postgresql-secret
-            - name: POSTGRES_DB
-              valueFrom:
-                secretKeyRef:
-                  key: database
-                  name: postgresql-secret
-            - name: POSTGRES_USER
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: postgresql-secret
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: postgresql-secret
-            - name: SUPER_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: superuser
-            - name: SUPER_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: superuser

          resources:
            requests:
--- a/apps/system-log/yc-k8s-test/postgresql.yaml
+++ b/apps/system-log/yc-k8s-test/postgresql.yaml
@ -9,7 +9,7 @@ spec:
  chart:
    spec:
      chart: postgresql-contour
-      version: "17.0.2"
+      version: "17.0.7"
      sourceRef:
        kind: HelmRepository
        name: yc-oci-charts
@ -44,7 +44,7 @@ spec:
    image:
      registry: cr.yandex/crp3ccidau046kdj8g9q
      repository: contour/postgresql
-      tag: 17.0.2
+      tag: 17.0.7
      pullPolicy: Always
    metrics:
      enabled: false
@ -61,7 +61,7 @@ spec:
          command:
            - /bin/sh
            - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
        initialDelaySeconds: 30
        periodSeconds: 10
        timeoutSeconds: 5
@ -72,7 +72,7 @@ spec:
          command:
            - /bin/sh
            - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
        initialDelaySeconds: 5
        periodSeconds: 10
        timeoutSeconds: 5
@ -83,12 +83,15 @@ spec:
          command:
            - /bin/sh
            - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
        initialDelaySeconds: 30
        periodSeconds: 10
        timeoutSeconds: 5
        successThreshold: 1
        failureThreshold: 6
+      resources:
+        requests:
+          memory: 512Mi
      nodeSelector:
        dedicated: db
      tolerations:
@ -98,12 +101,19 @@ spec:
          effect: NoSchedule
    contour:
      enabled: true
-      adminUser: ""
-      adminPasswordSecretKey: ""
+      adminUser: "postgres"
      sharedPreloadLibraries: "ltree,pg_stat_statements,timescaledb"
+      vault:
+        enabled: true
+        role: postgresql
+        authPath: auth/kubernetes
+        secretPath: secrets/data/postgresql/admin
+        secretKey: postgres-password
+        usersSecretPath: secrets/data/postgresql/users
      databases:
        - name: system_log_db
          user: system_log
+          passwordKey: system-log
          extensions: []
          restoreFromDump: false
      s3-proxy: