system-log

This commit is contained in:
Kochetkov S 2026-04-24 14:22:48 +03:00
parent 28dde42d3a
commit fbb9180fcd
5 changed files with 128 additions and 97 deletions


@ -5,11 +5,52 @@ metadata:
namespace: django namespace: django
data: data:
production.py: | production.py: |
import ast
import os import os
from .base import * from .base import *
from logging.handlers import SysLogHandler from logging.handlers import SysLogHandler
from datetime import timedelta from datetime import timedelta
def _load_env_file(path):
try:
with open(path, "r", encoding="utf-8") as f:
for raw_line in f:
line = raw_line.strip()
if not line or line.startswith("#") or "=" not in line:
continue
key, value = line.split("=", 1)
key = key.strip()
value = value.strip()
if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
try:
value = ast.literal_eval(value)
except (ValueError, SyntaxError):
value = value[1:-1]
if key and key not in os.environ:
os.environ[key] = value
except FileNotFoundError:
pass
def _read_secret_file(path, default=""):
try:
with open(path, "r", encoding="utf-8") as f:
return f.read().strip()
except FileNotFoundError:
return default
# Fallback for manage.py launched via `kubectl exec` (outside entrypoint),
# so Django can still read DB/JWT values from Vault-injected files.
_load_env_file("/vault/secrets/django-postgresql")
_load_env_file("/vault/secrets/django-rabbitmq")
_load_env_file("/vault/secrets/django-s3")
_load_env_file("/vault/secrets/django-kafka")
_load_env_file("/vault/secrets/django-common")
if not os.environ.get("JWT_PRIVATE_KEY"):
os.environ["JWT_PRIVATE_KEY"] = _read_secret_file("/vault/secrets/django-jwt-private")
if not os.environ.get("JWT_PUBLIC_KEY"):
os.environ["JWT_PUBLIC_KEY"] = _read_secret_file("/vault/secrets/django-jwt-public")
ALLOWED_HOSTS = ["*"] ALLOWED_HOSTS = ["*"]
FILE_UPLOAD_PERMISSIONS = 0o644 FILE_UPLOAD_PERMISSIONS = 0o644
DEBUG = False DEBUG = False
@ -109,8 +150,8 @@ data:
'BLACKLIST_AFTER_ROTATION': True, 'BLACKLIST_AFTER_ROTATION': True,
'UPDATE_LAST_LOGIN': False, 'UPDATE_LAST_LOGIN': False,
'ALGORITHM': 'RS512', 'ALGORITHM': 'RS512',
'SIGNING_KEY': os.environ.get("JWT_PRIVATE_KEY").replace("\\n", "\n"), 'SIGNING_KEY': os.environ.get("JWT_PRIVATE_KEY", "").replace("\\n", "\n"),
'VERIFYING_KEY': os.environ.get("JWT_PUBLIC_KEY").replace("\\n", "\n"), 'VERIFYING_KEY': os.environ.get("JWT_PUBLIC_KEY", "").replace("\\n", "\n"),
'AUDIENCE': None, 'AUDIENCE': None,
'ISSUER': os.environ.get('SIMPLE_JWT_ISSUER', 'default_issuer'), 'ISSUER': os.environ.get('SIMPLE_JWT_ISSUER', 'default_issuer'),
'AUTH_HEADER_TYPES': ('Bearer',), 'AUTH_HEADER_TYPES': ('Bearer',),
@ -278,4 +319,3 @@ data:
}, },
"sso_logout_redirect": True "sso_logout_redirect": True
} }
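Review bot: With the new `_read_secret_file(...)` fallbacks for `JWT_PRIVATE_KEY`/`JWT_PUBLIC_KEY` defaulting to `""` and the `os.environ.get(..., "")` defaults in `SIMPLE_JWT`, a pod whose Vault files are missing now imports settings cleanly with an empty `SIGNING_KEY`/`VERIFYING_KEY`, whereas before it failed at import on `None.replace`; with `ALGORITHM` pinned to `RS512` PyJWT should refuse an empty key rather than accept tokens, but the failure moves to the first token operation and that behaviour cannot be verified from here. I would fail fast right after the fallbacks: `if not os.environ["JWT_PRIVATE_KEY"] or not os.environ["JWT_PUBLIC_KEY"]:` / `    raise RuntimeError("JWT keys missing: set JWT_PRIVATE_KEY/JWT_PUBLIC_KEY or mount /vault/secrets/django-jwt-*")`. In `_load_env_file`, `ast.literal_eval` on a double-quoted value decodes escape sequences, so a value such as `"\x00"` comes back containing NUL and `os.environ[key] = value` raises `ValueError` outside the inner `try` (the outer one only catches `FileNotFoundError`); if the Vault templates that write these files use plain shell quoting, that is a format mismatch worth a comment on the helper, e.g. `# Values wrapped in matching quotes are parsed as Python literals (escapes decoded), otherwise taken verbatim; variables already in the environment win.`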


@ -17,11 +17,45 @@ spec:
labels: labels:
app: api app: api
service: api service: api
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: system-log
vault.hashicorp.com/agent-inject-secret-system-log-postgresql: secrets/data/postgresql/apps/system-log
vault.hashicorp.com/agent-inject-template-system-log-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/system-log" -}}
POSTGRES_ADDRESS=postgresql.system-log.svc.cluster.local
POSTGRES_PORT=5432
POSTGRES_DB=system_log_db
POSTGRES_USER={{ index .Data.data "username" }}
POSTGRES_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-system-log-kafka: secrets/data/kafka/apps/system-log
vault.hashicorp.com/agent-inject-template-system-log-kafka: |-
{{- with secret "secrets/data/kafka/apps/system-log" -}}
KAFKA_USERNAME={{ index .Data.data "username" }}
KAFKA_PASSWORD={{ index .Data.data "password" }}
KAFKA_BROKERS={{ index .Data.data.auth "bootstrap_servers" }}
{{- $topics := index .Data.data "topics" -}}
KAFKA_TOPIC={{- if gt (len $topics) 0 -}}{{ index (index $topics 0) "name" }}{{- else -}}system-log.events{{- end -}}
{{- end -}}
spec: spec:
serviceAccountName: system-log-vault
containers: containers:
- name: api - name: api
image: cr.yandex/crp3ccidau046kdj8g9q/system-log:prod_6ed1b27e image: cr.yandex/crp3ccidau046kdj8g9q/system-log_prod:075fc0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/system-log-postgresql ] && . /vault/secrets/system-log-postgresql
[ -f /vault/secrets/system-log-kafka ] && . /vault/secrets/system-log-kafka
set +a
exec /app
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@ -57,56 +91,6 @@ spec:
value: "/tmp" value: "/tmp"
- name: DJANGO_HOST - name: DJANGO_HOST
value: http://backend.django.svc.cluster.local:8000 value: http://backend.django.svc.cluster.local:8000
- name: POSTGRES_ADDRESS
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: KAFKA_USERNAME
valueFrom:
secretKeyRef:
key: username
name: kafka-secret
- name: KAFKA_BROKERS
valueFrom:
secretKeyRef:
key: host
name: kafka-secret
- name: KAFKA_TOPIC
valueFrom:
secretKeyRef:
key: topic
name: kafka-secret
- name: KAFKA_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: kafka-secret
- name: KAFKA_PEM_CERT
valueFrom:
secretKeyRef:
key: ca.crt
name: kafka-secret
resources: resources:
requests: requests:
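Review bot: The new container command sources the Vault-rendered files (`. /vault/secrets/system-log-postgresql`, `. /vault/secrets/system-log-kafka`) under `bash -ec`, while the templates write every secret unquoted (`POSTGRES_PASSWORD={{ index .Data.data "password" }}`, likewise the Kafka username, password and brokers), so a secret containing a space, `$`, backtick, `;` or a quote is parsed by bash instead of assigned — at best the pod crash-loops, at worst part of a password runs as a command with the pod's credentials. Single-quote each templated value and escape embedded single quotes (`'\''`), as below, or stop sourcing and have `/app` parse the KEY=VALUE file itself. Separately, the removed `KAFKA_PEM_CERT` (`ca.crt` from `kafka-secret`) has no counterpart in the new Kafka template, so if the client still verifies the broker certificate it now has nothing to verify against, and if it silently falls back to no verification that is a TLS downgrade — either render the CA into the template or add a comment on the Kafka annotation explaining why it is no longer needed. Since `agent-pre-populate-only: "true"` renders the files once at pod start, rotating either secret in Vault requires a rollout; a comment above the annotations would spare the next operator that surprise.
```yaml
vault.hashicorp.com/agent-inject-template-system-log-postgresql: |-
  {{- with secret "secrets/data/postgresql/apps/system-log" -}}
  {{/* … unchanged: POSTGRES_ADDRESS / POSTGRES_PORT / POSTGRES_DB … */}}
  POSTGRES_USER='{{ index .Data.data "username" | replaceAll "'" "'\\''" }}'
  POSTGRES_PASSWORD='{{ index .Data.data "password" | replaceAll "'" "'\\''" }}'
  {{- end -}}
vault.hashicorp.com/agent-inject-template-system-log-kafka: |-
  {{- with secret "secrets/data/kafka/apps/system-log" -}}
  KAFKA_USERNAME='{{ index .Data.data "username" | replaceAll "'" "'\\''" }}'
  KAFKA_PASSWORD='{{ index .Data.data "password" | replaceAll "'" "'\\''" }}'
  KAFKA_BROKERS='{{ index .Data.data.auth "bootstrap_servers" | replaceAll "'" "'\\''" }}'
  {{/* … unchanged: KAFKA_TOPIC selection … */}}
  {{- end -}}
```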


@ -4,6 +4,7 @@ kind: Kustomization
namespace: system-log namespace: system-log
resources: resources:
- namespace.yaml - namespace.yaml
- serviceaccount.yaml
- backend-deployment.yaml - backend-deployment.yaml
- backend-service.yaml - backend-service.yaml
- worker-deployment.yaml - worker-deployment.yaml


@ -17,11 +17,42 @@ spec:
labels: labels:
app: worker app: worker
service: worker service: worker
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: system-log
vault.hashicorp.com/agent-inject-secret-system-log-postgresql: secrets/data/postgresql/apps/system-log
vault.hashicorp.com/agent-inject-template-system-log-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/system-log" -}}
POSTGRES_ADDRESS=postgresql.system-log.svc.cluster.local
POSTGRES_PORT=5432
POSTGRES_DB=system_log_db
POSTGRES_USER={{ index .Data.data "username" }}
POSTGRES_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-system-log-django-auth: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-system-log-django-auth: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
SUPER_USERNAME={{ index .Data.data "username" }}
SUPER_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
spec: spec:
serviceAccountName: system-log-vault
containers: containers:
- name: worker - name: worker
image: cr.yandex/crp3ccidau046kdj8g9q/system_log_worker:de6a0147d285afa273e85c0f074c8b6049d03a32 image: cr.yandex/crp3ccidau046kdj8g9q/system-log-worker_prod:075fc0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/system-log-postgresql ] && . /vault/secrets/system-log-postgresql
[ -f /vault/secrets/system-log-django-auth ] && . /vault/secrets/system-log-django-auth
set +a
exec /app
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@ -47,41 +78,6 @@ spec:
value: "0" value: "0"
- name: DJANGO_HOST - name: DJANGO_HOST
value: http://backend.django.svc.cluster.local:8000 value: http://backend.django.svc.cluster.local:8000
- name: POSTGRES_ADDRESS
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: SUPER_USERNAME
valueFrom:
secretKeyRef:
key: username
name: superuser
- name: SUPER_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: superuser
resources: resources:
requests: requests:
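Review bot: Both deployments in this commit run as `serviceAccountName: system-log-vault` with `vault.hashicorp.com/role: system-log`, and this worker template additionally pulls `secrets/data/vault/common/django_auth` (the `SUPER_USERNAME`/`SUPER_PASSWORD` pair), so the Vault policy bound to that single role must allow that path — which means the api pod's identity can read the superuser password too, even though its own template never renders it, and so can anyone who can `kubectl exec` into the api container or obtain its projected token. Give each workload its own identity, e.g. `serviceAccountName: system-log-worker-vault` and `vault.hashicorp.com/role: system-log-worker` here with a policy limited to the postgresql and django_auth paths, and an api role limited to postgresql and kafka; if sharing the role is deliberate, say so in a comment next to `role:`. The `common/django_auth` path suggests a Django-wide superuser rather than a worker-specific account; a comment should state which it is, and if it is the former a dedicated service account in Django would be the least-privilege choice, though that is not visible here. The unquoted `KEY={{ ... }}` values sourced by `. /vault/secrets/...` under `bash -ec` have the same shell-interpretation problem as in the api deployment, and `SUPER_PASSWORD` is exactly the value most likely to contain shell metacharacters — quote it as `SUPER_PASSWORD='{{ index .Data.data "password" | replaceAll "'" "'\\''" }}'`.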


@ -9,7 +9,7 @@ spec:
chart: chart:
spec: spec:
chart: postgresql-contour chart: postgresql-contour
version: "17.0.2" version: "17.0.7"
sourceRef: sourceRef:
kind: HelmRepository kind: HelmRepository
name: yc-oci-charts name: yc-oci-charts
@ -44,7 +44,7 @@ spec:
image: image:
registry: cr.yandex/crp3ccidau046kdj8g9q registry: cr.yandex/crp3ccidau046kdj8g9q
repository: contour/postgresql repository: contour/postgresql
tag: 17.0.2 tag: 17.0.7
pullPolicy: Always pullPolicy: Always
metrics: metrics:
enabled: false enabled: false
@ -61,7 +61,7 @@ spec:
command: command:
- /bin/sh - /bin/sh
- -c - -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30 initialDelaySeconds: 30
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 5 timeoutSeconds: 5
@ -72,7 +72,7 @@ spec:
command: command:
- /bin/sh - /bin/sh
- -c - -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 5 initialDelaySeconds: 5
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 5 timeoutSeconds: 5
@ -83,12 +83,15 @@ spec:
command: command:
- /bin/sh - /bin/sh
- -c - -c
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432 - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30 initialDelaySeconds: 30
periodSeconds: 10 periodSeconds: 10
timeoutSeconds: 5 timeoutSeconds: 5
successThreshold: 1 successThreshold: 1
failureThreshold: 6 failureThreshold: 6
resources:
requests:
memory: 512Mi
nodeSelector: nodeSelector:
dedicated: db dedicated: db
tolerations: tolerations:
@ -98,12 +101,19 @@ spec:
effect: NoSchedule effect: NoSchedule
contour: contour:
enabled: true enabled: true
adminUser: "" adminUser: "postgres"
adminPasswordSecretKey: ""
sharedPreloadLibraries: "ltree,pg_stat_statements,timescaledb" sharedPreloadLibraries: "ltree,pg_stat_statements,timescaledb"
vault:
enabled: true
role: postgresql
authPath: auth/kubernetes
secretPath: secrets/data/postgresql/admin
secretKey: postgres-password
usersSecretPath: secrets/data/postgresql/users
databases: databases:
- name: system_log_db - name: system_log_db
user: system_log user: system_log
passwordKey: system-log
extensions: [] extensions: []
restoreFromDump: false restoreFromDump: false
s3-proxy: s3-proxy:
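Review bot: The chart is pointed at `usersSecretPath: secrets/data/postgresql/users` with `passwordKey: system-log` for the `system_log` database user, while both application deployments in this commit read that user's credentials from `secrets/data/postgresql/apps/system-log` under the keys `username`/`password`; unless something outside this diff keeps the two Vault entries identical, the password the chart provisions and the one the app presents can diverge silently, and the only symptom will be auth failures after the next rotation. Either point the chart and the apps at one path, or add a comment on `usersSecretPath` naming the process (or Vault policy/template) that mirrors `users/system-log` into `apps/system-log`. The switch to `adminUser: "postgres"` with `secretKey: postgres-password` under `vault:` makes the superuser credential Vault-managed, and the probes were changed to `-U "postgres"` to match; that is fine because `pg_isready` does not authenticate, but that reasoning belongs in a comment on the probe so nobody "fixes" it back to the application user. The chart's `role: postgresql` is a separate Vault role from the apps' `system-log`, which is the right separation — worth one line next to `role:` so it is preserved.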