

No commits in common. "b16000b75d067b22ac13a4fe73fc5d543c24f52c" and "38bf5c91caa476c1254c28584bb697150454d34d" have entirely different histories.

515 changed files with 39069 additions and 455 deletions

4
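--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
+.idea
+.claude
+CLAUDE.md
+.env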
462
README.md Normal file

@ -0,0 +1,462 @@
# FluxCD v2 Monorepooo
Репозиторий Infrastructure as Code, управляемый [FluxCD v2](https://fluxcd.io/) с использованием Kustomize-оверлеев и Helm-релизов.
## Карта инфраструктуры и межсервисных маршрутов
Диаграмма ниже показывает инфраструктурные компоненты кластера, их зависимости и типовые маршруты вызовов между бизнес-сервисами.
```mermaid
flowchart LR
%% ===== Внешний контур =====
User([👤 Пользователь<br/>Web / Mobile]):::ext
Admin([🛡 Администратор<br/>kubectl / flux]):::ext
LE([🔐 Let's Encrypt<br/>ACME v2]):::ext
GitRepo([📦 Git Repository<br/>FluxCD source]):::ext
OCI([🐳 OCI Registry<br/>cr.yandex]):::ext
%% ===== GitOps =====
subgraph GITOPS["⚙️ GitOps Control Plane"]
direction TB
FluxSource[source-controller]:::flux
FluxKust[kustomize-controller]:::flux
FluxHelm[helm-controller]:::flux
FluxNotif[notification-controller]:::flux
FluxSource --> FluxKust
FluxSource --> FluxHelm
FluxKust --> FluxNotif
FluxHelm --> FluxNotif
end
%% ===== Edge / Service Mesh =====
subgraph EDGE["🌐 Edge & Service Mesh — istio-system"]
direction TB
Gateway["Istio Gateway<br/>:443 / :80<br/>LoadBalancer"]:::mesh
Pilot["istiod / Pilot<br/>xDS :15010/:15012"]:::mesh
Base[Istio Base<br/>CRDs + RBAC]:::mesh
Cert["cert-manager<br/>v1.x"]:::mesh
IssuerProd[ClusterIssuer<br/>letsencrypt-prod]:::mesh
IssuerIstio[ClusterIssuer<br/>letsencrypt-istio]:::mesh
Pilot -->|sidecar inject| Gateway
Base --> Pilot
Cert --> IssuerProd
Cert --> IssuerIstio
IssuerIstio -. TLS cert .-> Gateway
end
%% ===== Платформа =====
subgraph PLATFORM["🛠 Платформа"]
direction TB
Dashboard["K8s Dashboard<br/>UI :8443"]:::platform
LPP["local-path-provisioner<br/>StorageClass: local-path"]:::platform
Vault["HashiCorp Vault<br/>:8200 KV/Transit"]:::platform
S3Proxy["S3 Proxy<br/>S3 API gateway"]:::platform
end
%% ===== Identity =====
subgraph IDENTITY["🪪 Identity & SSO"]
direction TB
Zitadel["Zitadel<br/>OIDC :8080"]:::identity
Keycloak["Keycloak<br/>OIDC/SAML :8080"]:::identity
OpenLDAP["OpenLDAP<br/>:389 / :636"]:::identity
Keycloak -- "LDAP federation" --> OpenLDAP
end
%% ===== Данные =====
subgraph DATA["🗄 Хранилища данных"]
direction TB
PG[("PostgreSQL<br/>:5432<br/>HA primary/replica")]:::data
Redis[("Redis<br/>:6379<br/>cache + pub/sub")]:::data
MinIO[("MinIO<br/>S3 :9000<br/>console :9001")]:::data
end
%% ===== Messaging =====
subgraph MSG["📨 Messaging"]
direction TB
Kafka[["Kafka<br/>:9092 / :9093 SASL<br/>3 brokers"]]:::msg
ZK[["ZooKeeper / KRaft<br/>:2181"]]:::msg
RMQ[["RabbitMQ<br/>:5672 / mgmt :15672"]]:::msg
Kafka --- ZK
end
%% ===== BPM =====
subgraph BPM["🔧 BPM"]
direction TB
Camunda["Camunda Platform<br/>REST :8080 / Tasklist"]:::app
Operate["Camunda Operate<br/>UI :8081"]:::app
end
%% ===== Бизнес-сервисы (каждый в своём namespace) =====
subgraph APPS["💼 Бизнес-сервисы — namespaces"]
direction LR
CI["ns: control-interface"]:::app
Django["ns: django"]:::app
EAV["ns: eav"]:::app
Workspaces["ns: workspaces"]:::app
Projects["ns: projects"]:::app
PM["ns: pm"]:::app
Contracts["ns: contracts"]:::app
Resources["ns: resources"]:::app
Subs["ns: subscriptions"]:::app
SysLog["ns: system-log"]:::app
MsgHub["ns: message-hub"]:::app
FaaS["ns: faas"]:::app
Flows["ns: flows"]:::app
Docs["ns: documentations"]:::app
DocLink["ns: document-link"]:::app
Attach["ns: attachments"]:::app
Transmittal["ns: transmittal"]:::app
CDE["ns: cde"]:::app
Drawings["ns: drawings"]:::app
BIM["ns: bim"]:::app
Stamp["ns: stamp-verification"]:::app
Inspect["ns: inspections"]:::app
Checklists["ns: checklists"]:::app
Remarks["ns: remarks"]:::app
Issues["ns: issues"]:::app
RFI["ns: rfi"]:::app
Reviews["ns: reviews"]:::app
Prescr["ns: prescriptions"]:::app
Compare["ns: comparisons"]:::app
Measure["ns: measurements"]:::app
Mapper["ns: mapper"]:::app
XSection["ns: cross-section"]:::app
Process["ns: processing"]:::app
Notes["ns: notes"]:::app
end
%% ===== GitOps потоки =====
Admin ==>|git push| GitRepo
GitRepo ==>|pull/poll| FluxSource
OCI ==>|OCI charts| FluxSource
FluxKust ==>|apply manifests| EDGE
FluxKust ==>|apply manifests| PLATFORM
FluxKust ==>|apply manifests| IDENTITY
FluxHelm ==>|HelmRelease| DATA
FluxHelm ==>|HelmRelease| MSG
FluxHelm ==>|HelmRelease| BPM
FluxHelm ==>|HelmRelease| APPS
%% ===== Внешний трафик =====
User ==>|HTTPS 443| Gateway
LE -. ACME HTTP-01 .-> Cert
Gateway ==>|VirtualService<br/>mTLS| CI
Gateway ==>|/api| Django
Gateway ==>|/bim| BIM
Gateway ==>|/cde| CDE
Gateway ==>|/docs| Docs
Gateway ==>|/pm| PM
Gateway ==>|VirtualService| Camunda
Gateway ==>|VirtualService| Operate
Gateway ==>|/auth| Keycloak
Gateway ==>|/oauth| Zitadel
Gateway ==>|/dashboard| Dashboard
Gateway ==>|/minio| MinIO
Admin -.->|kubectl| Dashboard
%% ===== Frontend → backend (через control-interface) =====
CI -- "API gateway" --> Django
CI -- "API gateway" --> PM
CI -- "API gateway" --> Projects
CI -- "API gateway" --> Workspaces
%% ===== Подключения к данным =====
Django -- "JDBC/ORM" --> PG
EAV -- "JDBC" --> PG
PM -- "JDBC" --> PG
Contracts -- "JDBC" --> PG
Resources -- "JDBC" --> PG
Projects -- "JDBC" --> PG
Workspaces -- "JDBC" --> PG
Subs -- "JDBC" --> PG
SysLog -- "JDBC" --> PG
Docs -- "JDBC" --> PG
DocLink -- "JDBC" --> PG
CDE -- "JDBC" --> PG
BIM -- "JDBC" --> PG
Drawings -- "JDBC" --> PG
Inspect -- "JDBC" --> PG
Checklists -- "JDBC" --> PG
Issues -- "JDBC" --> PG
Remarks -- "JDBC" --> PG
RFI -- "JDBC" --> PG
Reviews -- "JDBC" --> PG
Prescr -- "JDBC" --> PG
Compare -- "JDBC" --> PG
Measure -- "JDBC" --> PG
Mapper -- "JDBC" --> PG
XSection -- "JDBC" --> PG
Notes -- "JDBC" --> PG
Stamp -- "JDBC" --> PG
Transmittal -- "JDBC" --> PG
Camunda -- "JDBC" --> PG
Operate -- "JDBC" --> PG
Zitadel -- "JDBC" --> PG
Keycloak -- "JDBC" --> PG
%% ===== Redis (общий кэш / sessions) =====
Django -- "session/cache" --> Redis
CI -- "session" --> Redis
PM -- "cache" --> Redis
Workspaces -- "cache" --> Redis
Subs -- "pub/sub realtime" --> Redis
MsgHub -- "pub/sub" --> Redis
Flows -- "state" --> Redis
FaaS -- "queue" --> Redis
Camunda -- "cache" --> Redis
Keycloak -- "session" --> Redis
%% ===== S3 / объектное хранилище =====
Attach -- "PUT/GET" --> S3Proxy
Docs -- "filestream" --> S3Proxy
BIM -- "IFC/RVT" --> S3Proxy
Drawings -- "DWG/PDF" --> S3Proxy
CDE -- "files" --> S3Proxy
Compare -- "rendered diff" --> S3Proxy
Stamp -- "signed PDF" --> S3Proxy
Transmittal -- "bundles" --> S3Proxy
Process -- "raw + результаты" --> S3Proxy
Mapper -- "tiles" --> S3Proxy
Measure -- "snapshots" --> S3Proxy
XSection -- "профили" --> S3Proxy
S3Proxy -- "S3 API" --> MinIO
%% ===== Vault (secrets) =====
Django -. "kv" .-> Vault
Camunda -. "approle" .-> Vault
Keycloak -. "kv" .-> Vault
Zitadel -. "kv" .-> Vault
FaaS -. "approle" .-> Vault
Flows -. "approle" .-> Vault
%% ===== Storage / PVC =====
PG -.->|PVC| LPP
Redis -.->|PVC| LPP
Kafka -.->|PVC| LPP
ZK -.->|PVC| LPP
RMQ -.->|PVC| LPP
MinIO -.->|PVC| LPP
Vault -.->|PVC| LPP
%% ===== Kafka (event bus) =====
SysLog -- "consume audit.*" --> Kafka
MsgHub -- "produce notify.*" --> Kafka
Subs -- "consume notify.*" --> Kafka
Flows -- "produce/consume flows.*" --> Kafka
Camunda -- "produce bpm.events" --> Kafka
Operate -- "consume zeebe-records" --> Kafka
BIM -- "produce bim.processed" --> Kafka
Drawings -- "produce drawings.uploaded" --> Kafka
Process -- "consume processing.jobs" --> Kafka
Compare -- "consume drawings.uploaded" --> Kafka
Inspect -- "produce inspect.events" --> Kafka
Issues -- "consume inspect.events" --> Kafka
Remarks -- "produce remarks.events" --> Kafka
Reviews -- "consume remarks.events" --> Kafka
%% ===== RabbitMQ (work queues) =====
FaaS -- "consume tasks.*" --> RMQ
Flows -- "publish tasks.*" --> RMQ
Process -- "publish jobs" --> RMQ
Mapper -- "consume tile.jobs" --> RMQ
XSection -- "consume xs.jobs" --> RMQ
Stamp -- "consume sign.jobs" --> RMQ
Camunda -- "consume bpm.tasks" --> RMQ
%% ===== Межсервисные REST маршруты =====
PM -- "REST" --> Projects
PM -- "REST" --> Contracts
PM -- "REST" --> Resources
Projects -- "REST" --> Workspaces
Contracts -- "REST" --> Resources
Inspect -- "REST" --> Checklists
Inspect -- "REST" --> Issues
Issues -- "REST" --> Remarks
Reviews -- "REST" --> RFI
Reviews -- "REST" --> Prescr
RFI -- "REST" --> DocLink
DocLink --> Docs
DocLink --> CDE
CDE -- "REST" --> Docs
CDE -- "REST" --> Drawings
CDE -- "REST" --> BIM
Transmittal -- "REST" --> CDE
Transmittal -- "REST" --> Docs
Drawings -- "REST" --> Compare
Drawings -- "REST" --> Stamp
Measure -- "REST" --> Mapper
Mapper -- "REST" --> XSection
XSection --> Process
BIM -- "REST" --> Process
Notes -- "REST" --> DocLink
Flows -- "trigger" --> FaaS
Flows -- "start" --> Camunda
Camunda -- "callback" --> Flows
EAV -- "schemas" --> Django
MsgHub -- "deliver email/push" --> Subs
%% ===== AuthN / AuthZ =====
Django -. "OIDC validate" .-> Keycloak
CI -. "OIDC login" .-> Keycloak
PM -. "JWT" .-> Keycloak
Camunda -. "JWT" .-> Zitadel
Operate -. "OIDC" .-> Zitadel
Dashboard -. "OIDC" .-> Keycloak
BIM -. "JWT" .-> Keycloak
CDE -. "JWT" .-> Keycloak
Docs -. "JWT" .-> Keycloak
%% ===== Service mesh sidecar metrics =====
CI -. "envoy" .-> Pilot
Django -. "envoy" .-> Pilot
Camunda -. "envoy" .-> Pilot
BIM -. "envoy" .-> Pilot
Flows -. "envoy" .-> Pilot
%% ===== Стили =====
classDef ext fill:#1f2937,stroke:#9ca3af,stroke-width:2px,color:#f9fafb
classDef flux fill:#6366f1,stroke:#3730a3,stroke-width:2px,color:#fff
classDef mesh fill:#7c3aed,stroke:#4c1d95,stroke-width:2px,color:#fff
classDef platform fill:#0ea5e9,stroke:#075985,stroke-width:2px,color:#fff
classDef identity fill:#f59e0b,stroke:#92400e,stroke-width:2px,color:#fff
classDef data fill:#10b981,stroke:#065f46,stroke-width:2px,color:#fff
classDef msg fill:#ef4444,stroke:#991b1b,stroke-width:2px,color:#fff
classDef app fill:#ec4899,stroke:#9d174d,stroke-width:2px,color:#fff
style GITOPS fill:#e0e7ff,stroke:#6366f1,stroke-width:2px
style EDGE fill:#ede9fe,stroke:#7c3aed,stroke-width:2px
style PLATFORM fill:#e0f2fe,stroke:#0ea5e9,stroke-width:2px
style IDENTITY fill:#fef3c7,stroke:#f59e0b,stroke-width:2px
style DATA fill:#d1fae5,stroke:#10b981,stroke-width:2px
style MSG fill:#fee2e2,stroke:#ef4444,stroke-width:2px
style BPM fill:#fce7f3,stroke:#ec4899,stroke-width:2px
style APPS fill:#fce7f3,stroke:#ec4899,stroke-width:2px
```
📂 **Подробные диаграммы по каждому бизнес-сервису:** [`docs/apps/`](./docs/apps/README.md)
**Легенда:**
- 🟪 **Edge / Mesh** — терминация TLS, маршрутизация и mTLS между сервисами (Istio + cert-manager)
- 🟦 **Платформа** — служебные компоненты (storage, secrets, S3 proxy, dashboard)
- 🟧 **Identity** — единый вход и федерация пользователей (Zitadel, Keycloak, OpenLDAP)
- 🟩 **Данные** — постоянные хранилища (PostgreSQL, Redis, MinIO)
- 🟥 **Messaging** — асинхронный обмен (Kafka, RabbitMQ)
- 🟪 **Бизнес-сервисы** — прикладная логика (Camunda, бизнес-приложения)
## Структура репозитория
```
├── clusters/ # Точка входа для каждого кластера (Flux читает отсюда)
│ └── contour/ # Кластер contour
│ ├── flux-system/ # Автогенерируется через `flux bootstrap` (не редактировать)
│ ├── helm-repositories.yaml # Определения HelmRepository
│ ├── infrastructure.yaml # Flux Kustomization → ./infrastructure
│ └── apps.yaml # Flux Kustomization → ./apps
├── infrastructure/ # Инфраструктурные компоненты
│ ├── kustomization.yaml # Список всех инфра-сервисов
│ └── example-infra/ # Пример инфра-компонента
│ ├── kustomization.yaml # Собирает base + patches
│ ├── base/ # Базовые манифесты (namespace, HelmRelease)
│ └── patches/ # Патчи поверх base
├── apps/ # Прикладные сервисы
│ ├── kustomization.yaml # Список всех приложений
│ └── example-app/ # Пример приложения
│ ├── kustomization.yaml # Собирает base + patches
│ ├── base/ # Базовые манифесты (Deployment, Service, ConfigMap)
│ └── patches/ # Патчи поверх base
```
## Как это работает
Flux отслеживает директорию `clusters/<имя-кластера>/`. Каждый кластер содержит два Flux Kustomization CRD верхнего уровня:
1. **infrastructure.yaml** — реконсилирует `./infrastructure`. Содержит HelmReleases и вспомогательные ресурсы.
2. **apps.yaml** — реконсилирует `./apps`. Содержит Deployments, Services и другие ресурсы приложений.
`apps` зависит от `infrastructure`, что гарантирует готовность инфраструктуры до деплоя приложений.
Каждый сервис (в `infrastructure/` или `apps/`) имеет собственную структуру:
- **base/** — базовые манифесты, общие для всех окружений
- **patches/** — патчи, применяемые поверх base
- **kustomization.yaml** — на уровне сервиса, собирает base + patches через Kustomize
## Начало работы
### Бутстрап Flux
```bash
flux bootstrap git \
--url=<URL_ВАШЕГО_РЕПОЗИТОРИЯ> \
--branch=master \
--path=clusters/contour
```
### Проверка реконсиляции
```bash
flux get kustomizations
flux get helmreleases -A
flux events --watch
```
## Добавление нового инфраструктурного компонента
1. Создайте директорию с base и patches:
```
infrastructure/my-component/
├── kustomization.yaml # resources: [./base], patches: [patches/...]
├── base/
│ ├── kustomization.yaml
│ ├── namespace.yaml
│ └── helmrelease.yaml
└── patches/
└── values.yaml
```
2. Зарегистрируйте в `infrastructure/kustomization.yaml`:
```yaml
resources:
- example-infra
- my-component # Добавьте эту строку
```
3. Если нужен новый HelmRepository, добавьте его в `clusters/<кластер>/helm-repositories.yaml`.
## Добавление нового приложения
1. Создайте директорию с base и patches:
```
apps/my-app/
├── kustomization.yaml # resources: [./base], patches: [patches/...]
├── base/
│ ├── kustomization.yaml
│ ├── namespace.yaml
│ ├── deployment.yaml
│ └── service.yaml
└── patches/
└── replicas.yaml
```
2. Зарегистрируйте в `apps/kustomization.yaml`:
```yaml
resources:
- example-app
- my-app # Добавьте эту строку
```
## Добавление нового кластера
1. Создайте точку входа `clusters/<имя>/` с `infrastructure.yaml`, `apps.yaml` и `helm-repositories.yaml`
2. Выполните бутстрап Flux с `--path=clusters/<имя>`
## Справочник API-версий
| Ресурс | apiVersion |
|------------------|-----------------------------------------|
| Kustomization | `kustomize.toolkit.fluxcd.io/v1` |
| GitRepository | `source.toolkit.fluxcd.io/v1` |
| HelmRepository | `source.toolkit.fluxcd.io/v1` |
| HelmRelease | `helm.toolkit.fluxcd.io/v2` |


@ -0,0 +1,110 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: attachments
namespace: attachments
spec:
interval: 10m
chart:
spec:
chart: universal-chart
version: "0.1.9"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
interval: 10m
install:
remediation:
retries: 3
upgrade:
remediation:
retries: 3
values:
global:
env: _default
services:
attachments:
enabled: true
serviceAccount:
enabled:
_default: true
name:
_default: attachments-vault
deployment:
enabled: true
name:
_default: attachments
replicaCount:
_default: 1
port:
_default: 8000
command:
_default: ["/bin/bash", "-ec"]
args:
_default:
- |
set -a
[ -f /vault/secrets/attachments-db ] && . /vault/secrets/attachments-db
[ -f /vault/secrets/attachments-s3 ] && . /vault/secrets/attachments-s3
set +a
exec /opt/attachments/entrypoint.sh
image:
name:
_default: cr.yandex/crp3ccidau046kdj8g9q/attachments:feature_6238c882
pullPolicy:
_default: IfNotPresent
service:
enabled: true
name:
_default: attachments-service
type:
_default: ClusterIP
port:
_default: 8000
targetPort:
_default: 8000
portName:
_default: http
imagePullSecrets:
enabled:
_default: true
name:
_default: regcred
envs:
- name: POSTGRES_POOL_SIZE
value:
_default: "10"
- name: API_ADDRESS
value:
_default: 0.0.0.0:8000
podAnnotations:
_default:
traffic.sidecar.istio.io/excludeOutboundPorts: "4317,4318,9411,8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: attachments
vault.hashicorp.com/agent-inject-secret-attachments-db: secrets/data/postgresql/apps/attachments
vault.hashicorp.com/agent-inject-template-attachments-db: |-
{{- with secret "secrets/data/postgresql/apps/attachments" -}}
DATABASE_HOST=postgresql.attachments.svc.cluster.local
DATABASE_PORT=5432
DATABASE_NAME=attachments_db
DATABASE_USER={{ index .Data.data "username" }}
DATABASE_PASSWORD={{ index .Data.data "password" }}
DATABASE_SSL_MODE=disable
{{- end -}}
vault.hashicorp.com/agent-inject-secret-attachments-s3: secrets/data/minio/apps/attachments
vault.hashicorp.com/agent-inject-template-attachments-s3: |-
{{- with secret "secrets/data/minio/apps/attachments" -}}
YANDEX_S3_ENDPOINT_URL=minio.minio:9000
YANDEX_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
YANDEX_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
YANDEX_S3_USE_SSL=false
YANDEX_S3_REGION=ru-central
YANDEX_S3_VERIFY=false
BUCKET_NAME=attachments
{{- end -}}
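Review bot: The `image.name` value pins a feature-branch build, `cr.yandex/crp3ccidau046kdj8g9q/attachments:feature_6238c882`, while the other workloads in this change use `contour_*` / `prod_*` tags; if this HelmRelease is the cluster's desired state, a release tag or a digest (`@sha256:<digest>`) should be used, otherwise a comment explaining why a feature build is deployed from this manifest would help the next reader. The two Vault templates also turn transport security off toward PostgreSQL and MinIO (`DATABASE_SSL_MODE=disable`, `YANDEX_S3_USE_SSL=false`, `YANDEX_S3_VERIFY=false`); with `excludeOutboundPorts` leaving 5432 and 9000 inside the sidecar that is defensible only if both peers are in the mesh with mTLS enforced, which this file cannot show. I would record that assumption next to the annotations, e.g. `# plaintext DB/S3 on purpose: transport protection relies on Istio mTLS between attachments, postgresql and minio`.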


@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: attachments
resources:
- helmrelease.yaml
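Review bot: This base sets `namespace: attachments` but lists only `helmrelease.yaml`, so nothing here creates the `attachments` Namespace, whereas the bim base in the same change ships a `namespace.yaml` carrying `istio-injection: enabled`. Unless the namespace is created elsewhere, kustomize-controller cannot apply the HelmRelease object at all; and even if it exists, the sidecar-injection label is not declared although the attachments pod annotations (`traffic.sidecar.istio.io/excludeOutboundPorts`) clearly expect a sidecar. I would add a `namespace.yaml` mirroring the bim one and list it first under `resources:`.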


@ -0,0 +1,11 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
- postgresql.yaml
patches: []
# - path: replicas.yaml
# target:
# kind: HelmRelease
# name: attachments
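Review bot: `patches: []` leaves the replicas patch commented out, yet this change also adds a HelmRelease patch that sets `services.attachments.deployment.replicaCount._default: 2`, and as far as I can see nothing references it, so the overlay and the repository disagree about the replica count. Either wire it in — `patches:` / `- path: replicas.yaml` / `target: {kind: HelmRelease, name: attachments}` — or drop the patch file, so the commented block does not become dead documentation of an intent nobody applies.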


@ -0,0 +1,121 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: postgresql
namespace: attachments
spec:
interval: 5m
timeout: 2h
chart:
spec:
chart: postgresql-contour
version: "17.0.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
install:
timeout: 2h
remediation:
retries: 3
upgrade:
timeout: 2h
remediation:
retries: 3
values:
global:
security:
allowInsecureImages: true
defaultStorageClass: local-path
postgresql:
auth:
username: ""
database: ""
secretKeys:
userPasswordKey: "postgres-password"
auth:
username: ""
database: ""
secretKeys:
userPasswordKey: "postgres-password"
image:
registry: cr.yandex/crp3ccidau046kdj8g9q
repository: contour/postgresql
tag: 17.0.7
pullPolicy: Always
metrics:
enabled: false
prometheusRule:
enabled: false
primary:
containerSecurityContext:
readOnlyRootFilesystem: false
persistence:
storageClass: local-path
size: 20Gi
customLivenessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
customReadinessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
customStartupProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
nodeSelector:
dedicated: db
tolerations:
- key: dedicated
operator: Equal
value: db
effect: NoSchedule
contour:
enabled: true
adminUser: "postgres"
sharedPreloadLibraries: "pg_stat_statements"
vault:
enabled: true
role: postgresql
authPath: auth/kubernetes
secretPath: secrets/data/postgresql/admin
secretKey: postgres-password
usersSecretPath: secrets/data/postgresql/users
databases:
- name: attachments_db
user: attachments
passwordKey: attachments
extensions: []
restoreFromDump: false
s3-proxy:
endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
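Review bot: `image.pullPolicy: Always` together with the fixed tag `17.0.7` makes every pod (re)start depend on `cr.yandex` resolving the tag; a node reboot during a registry outage leaves the database in ImagePullBackOff even though the image is cached on the `dedicated: db` node. The application images in this change use `IfNotPresent`; I would use the same here and pin by digest if the tag is not trusted to be immutable. The bim postgresql release below carries the same setting. Separately, `auth` is given twice with identical empty values (under `postgresql:` and at top level) — if the chart reads only one of them, a one-line comment saying which would spare the next reader a chart lookup.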


@ -0,0 +1,13 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: attachments
namespace: attachments
spec:
values:
services:
attachments:
deployment:
replicaCount:
_default: 2


@ -0,0 +1,108 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend
namespace: bim
labels:
app: backend
spec:
replicas: 1
selector:
matchLabels:
app: backend
template:
metadata:
labels:
app: backend
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: bim
vault.hashicorp.com/agent-inject-secret-bim-postgresql: secrets/data/postgresql/apps/bim
vault.hashicorp.com/agent-inject-template-bim-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/bim" -}}
POSTGRES_ADDRESS=postgresql.bim.svc.cluster.local
POSTGRES_ADDRESS_2=postgresql.bim.svc.cluster.local
POSTGRES_ADDRESS_3=postgresql.bim.svc.cluster.local
POSTGRES_ADDRESS_4=postgresql.bim.svc.cluster.local
POSTGRES_PORT=5432
POSTGRES_PORT_2=5432
POSTGRES_PORT_3=5432
POSTGRES_PORT_4=5432
POSTGRES_DB=bim_db
POSTGRES_DB_2=bim_db
POSTGRES_DB_3=bim_db
POSTGRES_DB_4=bim_db
POSTGRES_USER={{ index .Data.data "username" }}
POSTGRES_USER_2={{ index .Data.data "username" }}
POSTGRES_USER_3={{ index .Data.data "username" }}
POSTGRES_USER_4={{ index .Data.data "username" }}
POSTGRES_PASSWORD={{ index .Data.data "password" }}
POSTGRES_PASSWORD_2={{ index .Data.data "password" }}
POSTGRES_PASSWORD_3={{ index .Data.data "password" }}
POSTGRES_PASSWORD_4={{ index .Data.data "password" }}
{{- end -}}
spec:
serviceAccountName: bim-vault
containers:
- name: backend
image: cr.yandex/crp3ccidau046kdj8g9q/bim-api:contour_3d704fef
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/bim-postgresql ] && . /vault/secrets/bim-postgresql
set +a
exec ./httpserver
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: LAST_MASTER_BIM
value: "100000"
- name: LAST_MASTER_BIM_V3
value: "100000"
- name: DB_CERT_PATH_4
value: /root/yandex_pg.pem
- name: DB_CERT_PATH_3
value: /root/yandex_pg.pem
- name: DB_CERT_PATH_2
value: /root/yandex_pg.pem
- name: LAST_SLAVE_1_BIM
value: "1000000"
- name: POSTGRES_POOL_SIZE
value: "30"
- name: API_ADDRESS
value: 0.0.0.0:8000
- name: DJANGO_HOST
value: http://backend.django.svc.cluster.local:8000
- name: ENABLE_SQL_QUERY
value: "0"
- name: ENABLE_SSL
value: "0"
resources:
requests:
cpu: 25m
memory: 100Mi
livenessProbe:
httpGet:
path: /ping
port: 8000
initialDelaySeconds: 10
periodSeconds: 60
failureThreshold: 10
readinessProbe:
httpGet:
path: /ping
port: 8000
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 20
imagePullSecrets:
- name: regcred
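Review bot: `DB_CERT_PATH_2`, `DB_CERT_PATH_3` and `DB_CERT_PATH_4` point at `/root/yandex_pg.pem`, but no volume or Vault template in this Deployment provides that file and `ENABLE_SSL` is `"0"`, so unless the image ships the certificate these variables look like dead configuration carried over from a managed-Postgres setup; I would drop them or add a comment explaining why they stay. The four `POSTGRES_*` / `POSTGRES_*_2..4` groups in the Vault template also all resolve to the same host, database and credentials — a short comment on why the application expects four connection blocks would help. Finally, the container has no `securityContext` (`runAsNonRoot`, `allowPrivilegeEscalation: false`, dropped capabilities), and the `/root/...` path hints it runs as root; the cde worker Deployments in this change lack one as well, so this is worth a pass across the set.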


@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Service
metadata:
name: backend-svc
namespace: bim
spec:
type: ClusterIP
selector:
app: backend
ports:
- name: http
port: 80
targetPort: 8000
protocol: TCP


@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: bim
resources:
- namespace.yaml
- serviceaccount.yaml
- backend-deployment.yaml
- backend-service.yaml


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: bim
labels:
istio-injection: enabled


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: bim-vault
namespace: bim


@ -0,0 +1,11 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
- postgresql.yaml
patches:
- path: replicas.yaml
target:
kind: Deployment
name: backend


@ -0,0 +1,126 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: postgresql
namespace: bim
spec:
interval: 5m
timeout: 2h
chart:
spec:
chart: postgresql-contour
version: "13.0.8"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
install:
timeout: 2h
remediation:
retries: 3
upgrade:
timeout: 2h
remediation:
retries: 3
strategy: uninstall
values:
global:
security:
allowInsecureImages: true
defaultStorageClass: local-path
postgresql:
auth:
username: ""
database: ""
secretKeys:
userPasswordKey: "postgres-password"
auth:
username: ""
database: ""
secretKeys:
userPasswordKey: "postgres-password"
image:
registry: cr.yandex/crp3ccidau046kdj8g9q
repository: contour/postgresql
tag: 13.0.8
pullPolicy: Always
metrics:
enabled: false
prometheusRule:
enabled: false
primary:
containerSecurityContext:
readOnlyRootFilesystem: false
persistence:
storageClass: local-path
size: 20Gi
customLivenessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
customReadinessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
customStartupProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
nodeSelector:
dedicated: db
tolerations:
- key: dedicated
operator: Equal
value: db
effect: NoSchedule
contour:
enabled: true
adminUser: "postgres"
sharedPreloadLibraries: "pg_stat_statements,uuid-ossp,ltree,timescaledb"
vault:
enabled: true
role: postgresql
authPath: auth/kubernetes
secretPath: secrets/data/postgresql/admin
secretKey: postgres-password
usersSecretPath: secrets/data/postgresql/users
databases:
- name: bim_db
user: bim
passwordKey: bim
extensions:
- ltree
- timescaledb
- uuid-ossp
- pg_partman
restoreFromDump: false
s3-proxy:
endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
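Review bot: `upgrade.remediation.strategy: uninstall` tells Flux to uninstall the release when an upgrade fails; for a stateful PostgreSQL whose data lives on a `local-path` PVC that is a risky default, because whether the PVC survives the uninstall depends on the chart's retention behaviour, and the attachments postgresql release in this change does not set it. I would remove the line (Flux's default is `rollback`) or add a comment stating that PVC retention has been verified for `postgresql-contour`. Also, `extensions` includes `pg_partman` while `sharedPreloadLibraries` does not; as far as I recall only the pg_partman background worker needs preloading, so this may be intended — a comment either way would settle it.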


@ -0,0 +1,8 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend
namespace: bim
spec:
replicas: 1
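Review bot: This patch sets `replicas: 1`, which is exactly what the base `backend` Deployment already declares, so the overlay is a no-op. If it is a placeholder, a comment such as `# overlay default; adjust per environment` would make that explicit; if a different value was intended, note that the attachments overlay in this change uses 2.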


@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Service
metadata:
name: cde-svc
namespace: faas
spec:
type: ClusterIP
selector:
app: cde
ports:
- name: http
port: 80
targetPort: 8000
protocol: TCP
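Review bot: The Service is placed in `namespace: faas` but is named `cde-svc` and selects `app: cde`; a Service only selects Pods in its own namespace, and none of the `cde` workloads visible in this change runs in `faas` or carries `app: cde`, so as written it would have no endpoints unless a matching deployment exists in `faas` outside this view. Please confirm the namespace is not a copy-paste slip from the bim service above; if `cde` was meant, `namespace: cde`.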


@ -0,0 +1,60 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cde-flowscallback
namespace: cde
labels:
app: cde-flowscallback
service: cde-flowscallback
spec:
replicas: 1
selector:
matchLabels:
app: cde-flowscallback
template:
metadata:
labels:
app: cde-flowscallback
service: cde-flowscallback
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: cde
vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
vault.hashicorp.com/agent-inject-template-cde-env: |-
{{- with secret "secrets/data/vault/apps/cde" -}}
{{- range $k, $v := .Data.data }}
export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
{{- end }}
{{- end -}}
spec:
serviceAccountName: cde-vault
containers:
- name: cde-flowscallback
image: cr.yandex/crp3ccidau046kdj8g9q/flowscallback-worker:prod_9f3c1d2a
imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -lc
args:
- |
set -e
source /vault/secrets/cde-env
exec /worker
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: S3_IS_CONTOUR
value: "true"
resources:
requests:
cpu: "25m"
memory: 128Mi
imagePullSecrets:
- name: regcred
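Review bot: The Vault template renders each secret as `export KEY=$(printf '%b' "<go-quoted value>")`; Go's `%q` escapes backslashes, quotes and control characters but not `$` or backticks, so a stored value containing either is expanded by bash when `/vault/secrets/cde-env` is sourced and the worker receives something other than what Vault holds. Single-quoting the value passes everything literally (newlines included), e.g. `export {{ $k }}='{{ printf "%v" $v | replaceAll "'" "'\\''" }}'` — a constructed replacement, please check it against the agent's template functions. The same template is copied into the other five cde worker Deployments in this change (splitpdf, worker-copy, worker-create-versions, worker-markings, worker-sign) and into the update-bundles one that is cut off at the end of the page; all six also share one secret path and one Vault role, so every worker can read every other worker's settings — acceptable if intended, but worth a comment.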


@ -0,0 +1,60 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cde-splitpdf
namespace: cde
labels:
app: cde-splitpdf
service: cde-splitpdf
spec:
replicas: 1
selector:
matchLabels:
app: cde-splitpdf
template:
metadata:
labels:
app: cde-splitpdf
service: cde-splitpdf
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: cde
vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
vault.hashicorp.com/agent-inject-template-cde-env: |-
{{- with secret "secrets/data/vault/apps/cde" -}}
{{- range $k, $v := .Data.data }}
export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
{{- end }}
{{- end -}}
spec:
serviceAccountName: cde-vault
containers:
- name: cde-splitpdf
image: cr.yandex/crp3ccidau046kdj8g9q/splitpdf-worker:prod_9f3c1d2a
imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -lc
args:
- |
set -e
source /vault/secrets/cde-env
exec /worker
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: S3_IS_CONTOUR
value: "true"
resources:
requests:
cpu: "25m"
memory: 128Mi
imagePullSecrets:
- name: regcred


@ -0,0 +1,60 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cde-worker-copy
namespace: cde
labels:
app: cde-worker-copy
service: cde-worker-copy
spec:
replicas: 1
selector:
matchLabels:
app: cde-worker-copy
template:
metadata:
labels:
app: cde-worker-copy
service: cde-worker-copy
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: cde
vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
vault.hashicorp.com/agent-inject-template-cde-env: |-
{{- with secret "secrets/data/vault/apps/cde" -}}
{{- range $k, $v := .Data.data }}
export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
{{- end }}
{{- end -}}
spec:
serviceAccountName: cde-vault
containers:
- name: cde-worker-copy
image: cr.yandex/crp3ccidau046kdj8g9q/copy-worker:prod_9f3c1d2a
imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -lc
args:
- |
set -e
source /vault/secrets/cde-env
exec /worker
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: S3_IS_CONTOUR
value: "true"
resources:
requests:
cpu: "25m"
memory: 128Mi
imagePullSecrets:
- name: regcred


@ -0,0 +1,60 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cde-worker-create-versions
namespace: cde
labels:
app: cde-worker-create-versions
service: cde-worker-create-versions
spec:
replicas: 1
selector:
matchLabels:
app: cde-worker-create-versions
template:
metadata:
labels:
app: cde-worker-create-versions
service: cde-worker-create-versions
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: cde
vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
vault.hashicorp.com/agent-inject-template-cde-env: |-
{{- with secret "secrets/data/vault/apps/cde" -}}
{{- range $k, $v := .Data.data }}
export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
{{- end }}
{{- end -}}
spec:
serviceAccountName: cde-vault
containers:
- name: cde-worker-create-versions
image: cr.yandex/crp3ccidau046kdj8g9q/createversions-worker:prod_9f3c1d2a
imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -lc
args:
- |
set -e
source /vault/secrets/cde-env
exec /worker
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: S3_IS_CONTOUR
value: "true"
resources:
requests:
cpu: "25m"
memory: 128Mi
imagePullSecrets:
- name: regcred


@ -0,0 +1,60 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cde-worker-markings
namespace: cde
labels:
app: cde-worker-markings
service: cde-worker-markings
spec:
replicas: 1
selector:
matchLabels:
app: cde-worker-markings
template:
metadata:
labels:
app: cde-worker-markings
service: cde-worker-markings
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: cde
vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
vault.hashicorp.com/agent-inject-template-cde-env: |-
{{- with secret "secrets/data/vault/apps/cde" -}}
{{- range $k, $v := .Data.data }}
export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
{{- end }}
{{- end -}}
spec:
serviceAccountName: cde-vault
containers:
- name: cde-worker-markings
image: cr.yandex/crp3ccidau046kdj8g9q/markings-worker:prod_9f3c1d2a
imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -lc
args:
- |
set -e
source /vault/secrets/cde-env
exec /worker
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: S3_IS_CONTOUR
value: "true"
resources:
requests:
cpu: "25m"
memory: 128Mi
imagePullSecrets:
- name: regcred
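Review bot: The `agent-inject-template-cde-env` template formats every secret with Go `%q`, which yields a double-quoted string, and the rendered file is then sourced by `bash -lc`; inside bash double quotes `$`, backticks and `$(` are still expanded, so a secret value containing them is not exported literally and in the worst case is run as shell. Emitting `KEY='value'` with embedded `'` escaped, or having the process read `/vault/secrets/cde-env` itself instead of sourcing it, removes that dependency on the secret's content. The same annotation block and start script are repeated in cde-worker-sign, cde-worker-update-bundles and apps/cde/base/cde.yaml (and presumably in the cde-worker-create-versions file cut off above), so the change belongs in all of them. None of these pods declare a `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`) and only `requests` are set, with no limits.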


@ -0,0 +1,60 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cde-worker-sign
namespace: cde
labels:
app: cde-worker-sign
service: cde-worker-sign
spec:
replicas: 1
selector:
matchLabels:
app: cde-worker-sign
template:
metadata:
labels:
app: cde-worker-sign
service: cde-worker-sign
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: cde
vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
vault.hashicorp.com/agent-inject-template-cde-env: |-
{{- with secret "secrets/data/vault/apps/cde" -}}
{{- range $k, $v := .Data.data }}
export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
{{- end }}
{{- end -}}
spec:
serviceAccountName: cde-vault
containers:
- name: cde-worker-sign
image: cr.yandex/crp3ccidau046kdj8g9q/sign-worker:prod_9f3c1d2a
imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -lc
args:
- |
set -e
source /vault/secrets/cde-env
exec /worker
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: S3_IS_CONTOUR
value: "true"
resources:
requests:
cpu: "25m"
memory: 128Mi
imagePullSecrets:
- name: regcred


@ -0,0 +1,60 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cde-worker-update-bundles
namespace: cde
labels:
app: cde-worker-update-bundles
service: cde-worker-update-bundles
spec:
replicas: 1
selector:
matchLabels:
app: cde-worker-update-bundles
template:
metadata:
labels:
app: cde-worker-update-bundles
service: cde-worker-update-bundles
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: cde
vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
vault.hashicorp.com/agent-inject-template-cde-env: |-
{{- with secret "secrets/data/vault/apps/cde" -}}
{{- range $k, $v := .Data.data }}
export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
{{- end }}
{{- end -}}
spec:
serviceAccountName: cde-vault
containers:
- name: cde-worker-update-bundles
image: cr.yandex/crp3ccidau046kdj8g9q/updatebundles-worker:prod_9f3c1d2a
imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -lc
args:
- |
set -e
source /vault/secrets/cde-env
exec /worker
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: S3_IS_CONTOUR
value: "true"
resources:
requests:
cpu: "25m"
memory: 128Mi
imagePullSecrets:
- name: regcred

60
apps/cde/base/cde.yaml Normal file

@ -0,0 +1,60 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cde
namespace: cde
labels:
app: cde
service: cde
spec:
replicas: 1
selector:
matchLabels:
app: cde
template:
metadata:
labels:
app: cde
service: cde
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: cde
vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
vault.hashicorp.com/agent-inject-template-cde-env: |-
{{- with secret "secrets/data/vault/apps/cde" -}}
{{- range $k, $v := .Data.data }}
export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
{{- end }}
{{- end -}}
spec:
serviceAccountName: cde-vault
containers:
- name: api
image: cr.yandex/crp3ccidau046kdj8g9q/cde:prod_9f3c1d2a
imagePullPolicy: IfNotPresent
command:
- /bin/bash
- -lc
args:
- |
set -e
source /vault/secrets/cde-env
exec /http
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: S3_IS_CONTOUR
value: "true"
resources:
requests:
cpu: "25m"
memory: 128Mi
imagePullSecrets:
- name: regcred


@ -0,0 +1,16 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cde
resources:
- namespace.yaml
- serviceaccount.yaml
- cde.yaml
- cde-splitpdf.yaml
- backend-service.yaml
- cde-flowscallback.yaml
- cde-worker-copy.yaml
- cde-worker-create-versions.yaml
- cde-worker-markings.yaml
- cde-worker-sign.yaml
- cde-worker-update-bundles.yaml


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: cde
labels:
istio-injection: enabled


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: cde-vault
namespace: cde


@ -0,0 +1,10 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
patches: []
# - path: replicas.yaml
# target:
# kind: Deployment
# name: frontend


@ -0,0 +1,8 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend
namespace: cde
spec:
replicas: 1
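Review bot: replicas.yaml targets `name: backend` in namespace `cde`, but the cde base visible in this commit names its Deployments `cde` and `cde-worker-*` (the files for cde-splitpdf, cde-flowscallback and cde-worker-copy are not shown, so one of them may define `backend`); with `patches: []` in the overlay the file is inert today, but enabling the commented-out patch, which itself says `name: frontend`, would fail with no matching target. Either point the patch at the Deployment it is meant to scale, e.g. `name: cde`, or remove the unused file so the overlay does not carry dead configuration.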


@ -0,0 +1,80 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: checklists-backend
namespace: checklists
labels:
app: checklists-backend
service: api
spec:
replicas: 1
selector:
matchLabels:
app: checklists-backend
template:
metadata:
labels:
app: checklists-backend
service: checklists-backend
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: checklists
vault.hashicorp.com/agent-inject-secret-checklists-db: secrets/data/postgresql/apps/checklists
vault.hashicorp.com/agent-inject-template-checklists-db: |-
{{- with secret "secrets/data/postgresql/apps/checklists" -}}
DATABASE_HOST=postgresql.checklists.svc.cluster.local
DATABASE_PORT=5432
DATABASE_NAME=checklists_db
DATABASE_USER={{ index .Data.data "username" }}
DATABASE_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-checklists-jwt-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-checklists-jwt-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec:
serviceAccountName: checklists-vault
containers:
- name: api
image: cr.yandex/crp3ccidau046kdj8g9q/checklists-backend:production_68f242cd
imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/checklists-db ] && . /vault/secrets/checklists-db
[ -f /vault/secrets/checklists-jwt-public ] && export JWT_AUTH_PUBLIC_KEY="$(cat /vault/secrets/checklists-jwt-public)"
set +a
exec ./entrypoint.sh
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: HTTP_APP_HOST
value: 0.0.0.0
- name: HTTP_APP_PORT
value: "8000"
- name: HTTP_APP_ROOT_PATH
value: /checklists
- name: HTTP_APP_WORKERS
value: "1"
- name: HTTP_APP_ADMIN_ENABLE
value: "true"
- name: JWT_AUTH_ENABLE
value: "true"
- name: DEBUG
value: "false"
resources:
requests:
cpu: "25m"
memory: 128Mi
imagePullSecrets:
- name: regcred
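Review bot: The `agent-inject-template-checklists-db` template writes `DATABASE_PASSWORD={{ index .Data.data "password" }}` unquoted into a file that the container sources under `set -a`, so a password containing whitespace, `$`, `;` or quotes is truncated, expanded or executed instead of being exported as-is; quoting it, e.g. `DATABASE_PASSWORD='{{ index .Data.data "password" }}'` (with `'` in the value escaped), keeps the shell out of the secret. The two `service` labels disagree (`service: api` on the Deployment, `service: checklists-backend` on the pod template); the selector only uses `app`, so nothing breaks, but one of them looks like a copy-paste leftover. `HTTP_APP_ADMIN_ENABLE` is `"true"` in this base and is inherited by the production overlay; it is worth confirming that the admin routes under `/checklists` are covered by `JWT_AUTH_ENABLE` or are not reachable through the gateway, and a one-line comment recording that decision would help the next reader.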


@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Service
metadata:
name: rfi-backend-api-svc
namespace: checklists
spec:
type: ClusterIP
selector:
app: checklists-backend
ports:
- name: http
port: 80
targetPort: 8000
protocol: TCP
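Review bot: The Service is named `rfi-backend-api-svc` although it lives in the `checklists` namespace and selects `app: checklists-backend`; the other apps in this commit name the equivalent object `backend-service`, so this looks copied from another project. If nothing outside the namespace already references the name, `name: checklists-backend` (or `backend-service` for parity) would be clearer; otherwise a comment explaining why the name must stay prevents someone "fixing" it later.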


@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: checklists
resources:
- namespace.yaml
- serviceaccount.yaml
- backend-deployment.yaml
- backend-service.yaml


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: checklists
labels:
istio-injection: enabled


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: checklists-vault
namespace: checklists


@ -0,0 +1,7 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
- postgresql.yaml
patches: []


@ -0,0 +1,121 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: postgresql
namespace: checklists
spec:
interval: 5m
timeout: 2h
chart:
spec:
chart: postgresql-contour
version: "17.0.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
install:
timeout: 2h
remediation:
retries: 3
upgrade:
timeout: 2h
remediation:
retries: 3
values:
global:
security:
allowInsecureImages: true
defaultStorageClass: local-path
postgresql:
auth:
username: ""
database: ""
secretKeys:
userPasswordKey: "postgres-password"
auth:
username: ""
database: ""
secretKeys:
userPasswordKey: "postgres-password"
image:
registry: cr.yandex/crp3ccidau046kdj8g9q
repository: contour/postgresql
tag: 17.0.7
pullPolicy: Always
metrics:
enabled: false
prometheusRule:
enabled: false
primary:
containerSecurityContext:
readOnlyRootFilesystem: false
persistence:
storageClass: local-path
size: 20Gi
customLivenessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
customReadinessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
customStartupProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
nodeSelector:
dedicated: db
tolerations:
- key: dedicated
operator: Equal
value: db
effect: NoSchedule
contour:
enabled: true
adminUser: "postgres"
sharedPreloadLibraries: "pg_stat_statements,uuid-ossp"
vault:
enabled: true
role: postgresql
authPath: auth/kubernetes
secretPath: secrets/data/postgresql/admin
secretKey: postgres-password
usersSecretPath: secrets/data/postgresql/users
databases:
- name: checklists_db
user: checklists
passwordKey: checklists
extensions: []
restoreFromDump: false
s3-proxy:
endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
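Review bot: `global.security.allowInsecureImages: true` and `primary.containerSecurityContext.readOnlyRootFilesystem: false` both relax the chart's defaults with no comment saying why; the first switches off the chart's gate on non-default image sources (needed here because `contour/postgresql` is pulled from the private registry), the second gives the database container a writable root filesystem. A comment on each line naming the reason, and for the second which path needs to be writable, keeps them from being copied into the next release unexamined. `image.pullPolicy: Always` combined with the mutable tag `17.0.7` re-resolves the tag on every restart; pinning a digest would make the deployed image reproducible. The `postgresql.auth` block and the top-level `auth` block carry identical empty values, so one of them is presumably ignored by the chart and can go. The same values appear in the comparisons and contracts postgresql HelmReleases further down.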


@ -0,0 +1,136 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend
namespace: comparisons
labels:
app: backend
spec:
replicas: 1
selector:
matchLabels:
app: backend
template:
metadata:
labels:
app: backend
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: comparisons
vault.hashicorp.com/agent-inject-secret-comparisons-db: secrets/data/postgresql/apps/comparisons
vault.hashicorp.com/agent-inject-template-comparisons-db: |-
{{- with secret "secrets/data/postgresql/apps/comparisons" -}}
DATABASE_HOST=postgresql.comparisons.svc.cluster.local
DATABASE_PORT=5432
DATABASE_DB=comparisons_db
DATABASE_USER={{ index .Data.data "username" }}
DATABASE_PASSWORD={{ index .Data.data "password" }}
POSTGRES_ADDRESS=postgresql.comparisons.svc.cluster.local
POSTGRES_PORT=5432
POSTGRES_DB=comparisons_db
POSTGRES_USER={{ index .Data.data "username" }}
POSTGRES_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-comparisons-jwt-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-comparisons-jwt-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec:
serviceAccountName: comparisons-vault
volumes:
- name: tasks-execution-config
configMap:
name: tasks-execution-config-comparisons-v2
items:
- key: tasks-execution-config-comparisons-v2.json
path: tasks-execution-config.json
containers:
- name: backend
image: cr.yandex/crp3ccidau046kdj8g9q/comparisons_backend_prod:075fc0
imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/comparisons-db ] && . /vault/secrets/comparisons-db
[ -f /vault/secrets/comparisons-jwt-public ] && export AUTH_PUBLIC_KEY="$(cat /vault/secrets/comparisons-jwt-public)"
set +a
exec /app/entrypoint.sh
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: APP_NAME
value: comparisons
- name: APP_VERSION
value: 0.0.1
- name: LOGGER_LOG_LEVEL
value: info
- name: DATABASE_NAME
value: postgres
- name: ENABLE_SSL
value: "false"
- name: POSTGRES_POOL_SIZE
value: "10"
- name: HTTP_PORT
value: "8000"
- name: DOCUMENTATIONS_INTERNAL_HOST
value: http://documentations-service.documentations
- name: DOCUMENTATIONS_EXTERNAL_HOST
value: https://api.sarex.io/documentations
- name: DOCUMENTATION_FILESTREAM_URL
value: http://backend-filestream-svc.documentations.svc.cluster.local/
- name: WORKFLOWS_HOST
value: http://workflows-service.processing
- name: WORKFLOWS_IMAGE_VERSION
value: master
- name: WORKFLOWS_DJANGO_HOST
value: https://lk.sarex.io
- name: WORKFLOWS_BIMV2_INTERNAL_HOST
value: http://bim-backend-v2-service.bim-api
- name: WORKSPACES_HOST
value: http://workspaces-service.workspaces
- name: EAV_HOST
value: https://api.sarex.io/eav
- name: LAST_MASTER_BIM
value: "36311"
- name: LAST_SLAVE_1_BIM
value: "94015"
- name: LAST_SLAVE_2_BIM
value: "135771"
- name: ABAP_FIXED_CONC
value: "0"
- name: WORKFLOWS_CONFIG_FILEPATH
value: /etc/app/tasks-execution-config.json
resources:
requests:
cpu: 25m
memory: 100Mi
volumeMounts:
- name: tasks-execution-config
readOnly: true
mountPath: /etc/app/tasks-execution-config.json
subPath: tasks-execution-config.json
livenessProbe:
httpGet:
path: /ping
port: 8000
initialDelaySeconds: 10
periodSeconds: 60
failureThreshold: 10
readinessProbe:
httpGet:
path: /ping
port: 8000
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 20
imagePullSecrets:
- name: regcred
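Review bot: The `env` block sets `DATABASE_NAME` to `postgres` while the Vault template in the pod annotations exports `DATABASE_DB=comparisons_db` and `POSTGRES_DB=comparisons_db`; if the application reads `DATABASE_NAME` for the database to connect to, it ends up in the maintenance database rather than `comparisons_db`, so please confirm which variable the image honours and drop or correct the other. Several upstream dependencies are addressed through the public edge (`DOCUMENTATIONS_EXTERNAL_HOST`, `EAV_HOST`, `WORKFLOWS_DJANGO_HOST` at `api.sarex.io` / `lk.sarex.io`) although in-cluster names are used for the rest; if that is intentional a comment would help, since it routes service-to-service traffic out of the cluster and back through the gateway. The database credentials are again written unquoted into a file that is sourced under `set -a`, so a value with shell-special characters breaks or is expanded; quoting the values in the template avoids that.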


@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Service
metadata:
name: backend-service
namespace: comparisons
spec:
type: ClusterIP
selector:
app: backend
ports:
- name: http
port: 8000
targetPort: 8000
protocol: TCP


@ -0,0 +1,57 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend
namespace: comparisons
labels:
app: frontend
spec:
replicas: 1
selector:
matchLabels:
app: frontend
template:
metadata:
labels:
app: frontend
spec:
volumes:
- name: nginx-configmap
configMap:
name: nginx-configmap
items:
- key: nginx.conf
path: nginx.conf
containers:
- name: frontend
image: cr.yandex/crp3ccidau046kdj8g9q/comparisons-frontend:prod_6dc6e0c2
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
resources:
requests:
cpu: 25m
memory: 100Mi
volumeMounts:
- name: nginx-configmap
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
livenessProbe:
httpGet:
path: /ping
port: 80
initialDelaySeconds: 10
periodSeconds: 10
failureThreshold: 10
readinessProbe:
httpGet:
path: /ping
port: 80
initialDelaySeconds: 10
periodSeconds: 10
failureThreshold: 20
imagePullSecrets:
- name: regcred


@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Service
metadata:
name: frontend-service
namespace: comparisons
spec:
type: ClusterIP
selector:
app: frontend
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP


@ -0,0 +1,13 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: comparisons
resources:
- namespace.yaml
- serviceaccount.yaml
- backend-deployment.yaml
- backend-service.yaml
- frontend-deployment.yaml
- frontend-service.yaml
- nginx-configmap.yaml
- tasks-execution-config.yaml


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: comparisons
labels:
istio-injection: enabled


@ -0,0 +1,47 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-configmap
namespace: comparisons
data:
nginx.conf: |
user nginx;
worker_processes auto;
error_log stderr warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /dev/stdout main;
sendfile on;
keepalive_timeout 65;
gzip on;
server {
client_header_buffer_size 16k;
large_client_header_buffers 4 16k;
listen 80;
server_name localhost;
root /dist;
expires off;
location = /ping {
return 200 '{"result": "ok"}';
}
}
}
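Review bot: The nginx config has no `server_tokens off;`, so the version is advertised in the `Server` header and on error pages; adding that line to the `http` block is a one-line change. The `/ping` handler returns a JSON body but inherits `default_type application/octet-stream`, so the response is served as binary; `default_type application/json;` inside `location = /ping` fixes the content type. There is also no `try_files` fallback under `root /dist`, which only matters if the frontend relies on client-side routing.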


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: comparisons-vault
namespace: comparisons


@ -0,0 +1,104 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: tasks-execution-config-comparisons-v2
namespace: comparisons
data:
tasks-execution-config-comparisons-v2.json: |
{
"abap": {
"executor": "k8s",
"resources": {
"cpu_requests": "8",
"memory_requests": "40Gi"
}
},
"bim2bim_comparison": {
"executor": "k8s"
},
"bim_api_metadata_inserter_v2": {
"executor": "k8s",
"resources": {
"memory_requests": "5Gi"
}
},
"bim_api_metadata_inserter_v4": {
"executor": "k8s",
"resources": {
"memory_requests": "3Gi"
}
},
"bim_abap_updater": {
"executor": "k8s"
},
"build_ooc": {
"executor": "k8s",
"resources": {
"cpu_requests": "8",
"memory_requests": "40Gi"
}
},
"calculate_deviation_job": {
"executor": "k8s",
"resources": {
"cpu_requests": "8",
"memory_requests": "40Gi"
}
},
"cloud_to_cloud": {
"executor": "k8s",
"resources": {
"cpu_requests": "8",
"memory_requests": "40Gi"
}
},
"cloud_to_surface": {
"executor": "k8s",
"resources": {
"cpu_requests": "8",
"memory_requests": "40Gi"
}
},
"convert_to_potree": {
"executor": "k8s",
"resources": {
"cpu_requests": "900m",
"memory_requests": "3.3Gi"
}
},
"deviation_icp": {
"executor": "k8s",
"resources": {
"cpu_requests": "8",
"memory_requests": "40Gi"
}
},
"las_to_tiff": {
"executor": "k8s",
"resources": {
"cpu_requests": "8",
"memory_requests": "40Gi"
}
},
"pdf_cv_comparer": {
"executor": "k8s",
"resources": {
"cpu_requests": "1",
"memory_requests": "512Mi"
}
},
"pdf_georeferencing": {
"executor": "k8s"
},
"split_pdf_document": {
"executor": "k8s",
"resources": {
"cpu_requests": "1",
"memory_requests": "512Mi"
}
},
"webhook_caller": {
"executor": "k8s"
}
}


@ -0,0 +1,11 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
- postgresql.yaml
patches:
- path: replicas.yaml
target:
kind: Deployment
name: backend


@ -0,0 +1,121 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: postgresql
namespace: comparisons
spec:
interval: 5m
timeout: 2h
chart:
spec:
chart: postgresql-contour
version: "17.0.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
install:
timeout: 2h
remediation:
retries: 3
upgrade:
timeout: 2h
remediation:
retries: 3
values:
global:
security:
allowInsecureImages: true
defaultStorageClass: local-path
postgresql:
auth:
username: ""
database: ""
secretKeys:
userPasswordKey: "postgres-password"
auth:
username: ""
database: ""
secretKeys:
userPasswordKey: "postgres-password"
image:
registry: cr.yandex/crp3ccidau046kdj8g9q
repository: contour/postgresql
tag: 17.0.7
pullPolicy: Always
metrics:
enabled: false
prometheusRule:
enabled: false
primary:
containerSecurityContext:
readOnlyRootFilesystem: false
persistence:
storageClass: local-path
size: 20Gi
customLivenessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
customReadinessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
customStartupProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
nodeSelector:
dedicated: db
tolerations:
- key: dedicated
operator: Equal
value: db
effect: NoSchedule
contour:
enabled: true
adminUser: "postgres"
sharedPreloadLibraries: "pg_stat_statements,uuid-ossp"
vault:
enabled: true
role: postgresql
authPath: auth/kubernetes
secretPath: secrets/data/postgresql/admin
secretKey: postgres-password
usersSecretPath: secrets/data/postgresql/users
databases:
- name: comparisons_db
user: comparisons
passwordKey: comparisons
extensions: []
restoreFromDump: false
s3-proxy:
endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"


@ -0,0 +1,8 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend
namespace: comparisons
spec:
replicas: 1


@ -0,0 +1,89 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend
namespace: contracts
labels:
app: backend
spec:
replicas: 1
selector:
matchLabels:
app: backend
template:
metadata:
labels:
app: backend
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: contracts
vault.hashicorp.com/agent-inject-secret-contracts-db: secrets/data/postgresql/apps/contracts
vault.hashicorp.com/agent-inject-template-contracts-db: |-
{{- with secret "secrets/data/postgresql/apps/contracts" -}}
DB_URL=postgresql://{{ index .Data.data "username" }}:{{ index .Data.data "password" }}@postgresql.contracts.svc.cluster.local:5432/contracts_db?sslmode=disable
{{- end -}}
vault.hashicorp.com/agent-inject-secret-contracts-jwt-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-contracts-jwt-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-contracts-rabbitmq: secrets/data/rabbitmq/apps/contracts
vault.hashicorp.com/agent-inject-template-contracts-rabbitmq: |-
{{- with secret "secrets/data/rabbitmq/apps/contracts" -}}
CONTRACTS_RABBITMQ_VHOST={{ index .Data.data "vhost" }}
CONTRACTS_RABBITMQ_USERNAME={{ index .Data.data "username" }}
CONTRACTS_RABBITMQ_PASSWORD={{ index .Data.data "password" }}
CONTRACTS_RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
CONTRACTS_RABBITMQ_PORT=5672
{{- end -}}
vault.hashicorp.com/agent-inject-secret-contracts-s3: secrets/data/minio/apps/contracts
vault.hashicorp.com/agent-inject-template-contracts-s3: |-
{{- with secret "secrets/data/minio/apps/contracts" -}}
CONTRACTS_S3_ENDPOINT={{ index .Data.data.client "endpoint" }}
CONTRACTS_S3_REGION={{ index .Data.data.client "region" }}
CONTRACTS_S3_BUCKET=contracts
CONTRACTS_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
CONTRACTS_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-contracts-kafka: secrets/data/kafka/apps/contracts
vault.hashicorp.com/agent-inject-template-contracts-kafka: |-
{{- with secret "secrets/data/kafka/apps/contracts" -}}
CONTRACTS_KAFKA_BOOTSTRAP_SERVERS={{ index .Data.data.auth "bootstrap_servers" }}
CONTRACTS_KAFKA_SECURITY_PROTOCOL={{ index .Data.data.auth "security_protocol" }}
CONTRACTS_KAFKA_SASL_MECHANISM={{ index .Data.data.auth "sasl_mechanism" }}
CONTRACTS_KAFKA_USERNAME={{ index .Data.data "username" }}
CONTRACTS_KAFKA_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
spec:
serviceAccountName: contracts-vault
containers:
- name: backend
image: cr.yandex/crp3ccidau046kdj8g9q/contracts:prod_d3bbd9fc
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/contracts-db ] && . /vault/secrets/contracts-db
[ -f /vault/secrets/contracts-jwt-public ] && export PUBLIC_KEY="$(cat /vault/secrets/contracts-jwt-public)"
[ -f /vault/secrets/contracts-rabbitmq ] && . /vault/secrets/contracts-rabbitmq
[ -f /vault/secrets/contracts-s3 ] && . /vault/secrets/contracts-s3
[ -f /vault/secrets/contracts-kafka ] && . /vault/secrets/contracts-kafka
set +a
exec /usr/local/bin/http
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: ADDRESS
value: ":8000"
- name: ENABLE_SSL
value: "false"
imagePullSecrets:
- name: regcred
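Review bot: `DB_URL` interpolates the username and password from Vault straight into a URL without percent-encoding, so a password containing `@`, `/`, `:`, `#` or `%` produces a malformed connection string; if the agent's template engine exposes Go's `urlquery` function, `{{ index .Data.data "password" | urlquery }}` makes the value safe, otherwise pass host, user and password as separate variables as the other deployments do. `sslmode=disable` is only acceptable because the connection is meant to traverse the Istio sidecars; confirm that the postgresql pod in this namespace actually receives the sidecar, since the HelmRelease sets no Istio-related values. This container also declares no `resources`, unlike the other backends in this commit, so it runs as BestEffort and is the first to be evicted under node pressure; `requests: {cpu: 25m, memory: 128Mi}` would match the others. It launches with `/bin/sh -ec` where the others use `/bin/bash`, which is fine for this script but worth keeping consistent.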


@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: contracts
resources:
- namespace.yaml
- serviceaccount.yaml
- deployment.yaml
- service.yaml


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: contracts
labels:
istio-injection: enabled


@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Service
metadata:
name: backend-service
namespace: contracts
spec:
type: ClusterIP
selector:
app: backend
ports:
- name: http
port: 8000
targetPort: 8000
protocol: TCP


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: contracts-vault
namespace: contracts


@ -0,0 +1,11 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
- postgresql.yaml
patches: []
# - path: replicas.yaml
# target:
# kind: Deployment
# name: backend


@ -0,0 +1,121 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: postgresql
namespace: contracts
spec:
interval: 5m
timeout: 2h
chart:
spec:
chart: postgresql-contour
version: "17.0.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
install:
timeout: 2h
remediation:
retries: 3
upgrade:
timeout: 2h
remediation:
retries: 3
values:
global:
security:
allowInsecureImages: true
defaultStorageClass: local-path
postgresql:
auth:
username: ""
database: ""
secretKeys:
userPasswordKey: "postgres-password"
auth:
username: ""
database: ""
secretKeys:
userPasswordKey: "postgres-password"
image:
registry: cr.yandex/crp3ccidau046kdj8g9q
repository: contour/postgresql
tag: 17.0.7
pullPolicy: Always
metrics:
enabled: false
prometheusRule:
enabled: false
primary:
containerSecurityContext:
readOnlyRootFilesystem: false
persistence:
storageClass: local-path
size: 20Gi
resources:
requests:
cpu: 50m
memory: 128Mi
customLivenessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
customReadinessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
customStartupProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
nodeSelector:
dedicated: db
tolerations:
- key: dedicated
operator: Equal
value: db
effect: NoSchedule
contour:
enabled: true
adminUser: "postgres"
sharedPreloadLibraries: "pg_stat_statements,uuid-ossp"
vault:
enabled: true
role: postgresql
authPath: auth/kubernetes
secretPath: secrets/data/postgresql/admin
secretKey: postgres-password
usersSecretPath: secrets/data/postgresql/users
databases:
- name: contracts_db
user: contracts
passwordKey: contracts
extensions: []
restoreFromDump: false
s3-proxy:
endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"


@ -0,0 +1,7 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend
spec:
replicas: 1


@ -0,0 +1,29 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: srx-admin
namespace: control-interface
labels:
app: srx-admin
spec:
replicas: 1
selector:
matchLabels:
app: srx-admin
template:
metadata:
labels:
app: srx-admin
spec:
containers:
- name: srx-admin
image: cr.yandex/crp3ccidau046kdj8g9q/srx-admin:prod_3b9cb250
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
imagePullSecrets:
- name: regcred
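Review bot: The `srx-admin` container has no liveness/readiness probes and no `resources`, so a hung nginx keeps receiving traffic and the pod runs as BestEffort; the cross-section-static Deployment in this same commit shows the pattern used elsewhere (httpGet probes on port 80 plus `requests`). The health path below uses `/` only because the page does not show which path the srx-admin image serves for health; replace it with the image's endpoint. A `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`) is also missing here, as in the other Deployments.
```yaml
      containers:
        - name: srx-admin
          # … unchanged: image, imagePullPolicy, ports …
          livenessProbe:
            httpGet:
              path: /   # placeholder: replace with the image's health endpoint
              port: 80
            initialDelaySeconds: 10
            periodSeconds: 10
            failureThreshold: 10
          readinessProbe:
            httpGet:
              path: /   # placeholder: replace with the image's health endpoint
              port: 80
            initialDelaySeconds: 10
            periodSeconds: 10
            failureThreshold: 20
          resources:
            requests:
              cpu: 25m
              memory: 100Mi
```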


@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: control-interface
resources:
- namespace.yaml
- deployment.yaml
- service.yaml


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: control-interface
labels:
istio-injection: enabled


@ -0,0 +1,14 @@
---
apiVersion: v1
kind: Service
metadata:
name: frontend-svc
namespace: control-interface
spec:
type: ClusterIP
selector:
app: srx-admin
ports:
- port: 80
targetPort: 80
protocol: TCP
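Review bot: The Service port has no `name`, while every other Service in this commit names it `http`; the `control-interface` namespace has `istio-injection: enabled`, and Istio selects the protocol from the port name prefix (or `appProtocol`), so an unnamed port falls back to protocol sniffing and loses HTTP-level routing and telemetry. Adding `- name: http` above `port: 80` aligns it with the others.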


@ -0,0 +1,10 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
patches:
- path: replicas.yaml
target:
kind: Deployment
name: srx-admin


@ -0,0 +1,8 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: srx-admin
namespace: control-interface
spec:
replicas: 1


@ -0,0 +1,46 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cross-section-static
namespace: cross-section
labels:
app: cross-section-static
spec:
replicas: 2
selector:
matchLabels:
app: cross-section-static
template:
metadata:
labels:
app: cross-section-static
spec:
containers:
- name: frontend
image: cr.yandex/crp3ccidau046kdj8g9q/cross-section-app:production_e09e648b
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
livenessProbe:
httpGet:
path: /ping
port: 80
initialDelaySeconds: 10
periodSeconds: 10
failureThreshold: 10
readinessProbe:
httpGet:
path: /ping
port: 80
initialDelaySeconds: 10
periodSeconds: 10
failureThreshold: 20
resources:
requests:
cpu: 25m
memory: 100Mi
imagePullSecrets:
- name: regcred


@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cross-section
resources:
- namespace.yaml
- deployment.yaml
- service.yaml


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: cross-section
labels:
istio-injection: enabled


@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Service
metadata:
name: cross-section-static
namespace: cross-section
spec:
type: ClusterIP
selector:
app: cross-section-static
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP


@ -0,0 +1,10 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
patches:
- path: replicas.yaml
target:
kind: Deployment
name: cross-section-static


@ -0,0 +1,8 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cross-section-static
namespace: cross-section
spec:
replicas: 1


@ -0,0 +1,216 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend
namespace: django
labels:
app: backend
service: backend
spec:
replicas: 1
selector:
matchLabels:
app: backend
template:
metadata:
labels:
app: backend
service: backend
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: django
vault.hashicorp.com/agent-inject-secret-django-postgresql: secrets/data/postgresql/apps/django
vault.hashicorp.com/agent-inject-template-django-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/django" -}}
DJANGO_POSTGRES_HOST=postgresql.django.svc.cluster.local
DJANGO_POSTGRES_PORTS=5432
DJANGO_POSTGRES_DATABASE=sarex_db
DJANGO_POSTGRES_USER={{ index .Data.data "username" }}
DJANGO_POSTGRES_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-django-rabbitmq: secrets/data/rabbitmq/apps/django
vault.hashicorp.com/agent-inject-template-django-rabbitmq: |-
{{- with secret "secrets/data/rabbitmq/apps/django" -}}
CELERY_RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
CELERY_RABBITMQ_USER={{ index .Data.data "username" }}
CELERY_RABBITMQ_PASSWORD={{ index .Data.data "password" }}
CELERY_RABBITMQ_VHOST={{ index .Data.data "vhost" }}
DJANGO_RABBIT_HOSTNAME=rabbitmq.rabbitmq.svc.cluster.local
DJANGO_RABBIT_USER={{ index .Data.data "username" }}
DJANGO_RABBIT_PASS={{ index .Data.data "password" }}
DJANGO_RABBIT_VHOST={{ index .Data.data "vhost" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-django-s3: secrets/data/minio/apps/django
vault.hashicorp.com/agent-inject-template-django-s3: |-
{{- with secret "secrets/data/minio/apps/django" -}}
AWS_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech
S3_HOST=https://minio.contour.infra.sarex.tech
{{- $buckets := index .Data.data "buckets" }}
S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}django{{- end -}}
S3_LOGIN={{ index .Data.data "access_key" }}
S3_PASSWORD={{ index .Data.data "secret_key" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-django-kafka: secrets/data/kafka/apps/django
vault.hashicorp.com/agent-inject-template-django-kafka: |-
{{- with secret "secrets/data/kafka/apps/django" -}}
KAFKA_BOOTSTRAP_SERVERS="[\"{{ index .Data.data.auth "bootstrap_servers" }}\"]"
KAFKA_SECURITY_PROTOCOL={{ index .Data.data.auth "security_protocol" }}
KAFKA_SASL_MECHANISM={{ index .Data.data.auth "sasl_mechanism" }}
KAFKA_SASL_PLAIN_USERNAME={{ index .Data.data "username" }}
KAFKA_SASL_PLAIN_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-django-jwt-private: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-django-jwt-private: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "private_key" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-django-jwt-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-django-jwt-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-django-common: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-django-common: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
ZITADEL_ACCESS_TOKEN={{ index .Data.data "django_zitadel_access_token" }}
{{- end -}}
spec:
serviceAccountName: django-vault
volumes:
- name: django-configmap
configMap:
name: django-configmap
items:
- key: production.py
path: production.py
defaultMode: 420
- name: uwsgi-configmap
configMap:
name: uwsgi-configmap
items:
- key: uwsgi.ini
path: uwsgi.ini
defaultMode: 420
containers:
- name: backend
image: cr.yandex/crp3ccidau046kdj8g9q/backend:production_a96dead0
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/django-postgresql ] && . /vault/secrets/django-postgresql
[ -f /vault/secrets/django-rabbitmq ] && . /vault/secrets/django-rabbitmq
[ -f /vault/secrets/django-s3 ] && . /vault/secrets/django-s3
[ -f /vault/secrets/django-kafka ] && . /vault/secrets/django-kafka
[ -f /vault/secrets/django-common ] && . /vault/secrets/django-common
[ -f /vault/secrets/django-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/django-jwt-private)"
[ -f /vault/secrets/django-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/django-jwt-public)"
set +a
exec /opt/sarex/entrypoint.sh
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: ALLOWED_HOSTS
value: '*'
- name: SERVER_USE_CHANGELOG
value: "0"
- name: SERVER_ZITADEL_ENABLED
value: "False"
- name: DJANGO_SETTINGS_MODULE
value: config.settings.production
- name: CELERY_REDIS_HOST
value: redis
- name: CELERY_REDIS_PORT
value: "6379"
- name: DJANGO_REDIS_HOST
value: redis
- name: DJANGO_REDIS_PORT
value: "6379"
- name: BIMV2_INTERNAL_HOST
value: http://bim-backend-v2-service.bim-api
- name: BIMV2_TIMEOUT
value: "60"
- name: JWT_KID
value: "1"
- name: PDM_SYNC
value: "1"
- name: KC_SYNC_ENABLE
value: "0"
- name: MEASUREMENTS_HOST
value: http://measurements-service.measurements.svc.cluster.local:8000/api
- name: MEASUREMENTS_USE_MEASUREMENTS
value: "1"
- name: SERVER_API_HOST
value: https://sarex.contour.infra.sarex.tech
- name: SERVER_HOST
value: https://sarex.contour.infra.sarex.tech
- name: WORKFLOWS_HOST
value: https://sarex.contour.infra.sarex.tech
- name: WORKFLOWS_BASE_HOST
value: https://sarex.contour.infra.sarex.tech
- name: WORKFLOWS_USE
value: "1"
- name: SERVER_S3_STREAM_IMPORT
value: "1"
- name: SERVER_SAVE_DIFF_DEM
value: "1"
- name: SERVER_USE_CLICKHOUSE
value: "0"
- name: SERVER_USE_CREATE_COMPARED_GEOTIFF_TASK
value: "0"
- name: SERVER_USE_DJANGO_STORAGE
value: "1"
- name: SERVER_USE_METASHAPE
value: "0"
- name: SERVER_CHANGELOG_MODE_SYSTEM_LOG
value: "1"
- name: SERVER_CHANGELOG_MODE
value: "0"
- name: SERVER_DJANGO_URLS
value: "1"
- name: CHECK_IMPORT_HASH
value: "1"
- name: EAV_ENABLE
value: "1"
- name: SERVER_CHECK_IMPORT_HASH
value: "1"
- name: SERVER_CHUNKED_PATH
value: /tmp/chunked_uploads/%Y/%m/%d
- name: SERVER_HIDE_USER_SCROLL_PERMISSIONS
value: "0"
- name: SERVER_USE_WRORKFLOW_STATUS
value: "1"
- name: ZITADEL_HOST
value: https://zitadel-srx.wb.ru
- name: SERVER_KAFKA_ENABLED
value: "False"
- name: KAFKA_TOPICS
value: '{"planning": "message-hub-stage", "ams-sync": "ams-sync"}'
- name: KAFKA_SSL_CAFILE
value: /usr/local/share/ca-certificates/kafka.crt
- name: KC_USE_REDIRECT_LOGOUT
value: "False"
resources:
requests:
cpu: "25m"
memory: 128Mi
volumeMounts:
- name: django-configmap
mountPath: /opt/sarex/config/settings/production.py
subPath: production.py
- name: uwsgi-configmap
mountPath: /opt/sarex/uwsgi.ini
subPath: uwsgi.ini
imagePullSecrets:
- name: regcred
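Review bot: The Vault templates write secret values unquoted (L3014–L3015, L3021–L3027, L3036–L3037, L3045–L3046) and the container then sources those files with `sh -ec` under `set -a` (L3084–L3092), so a password containing `$`, a backtick, `;`, `#` or whitespace is expanded, truncated or interpreted as shell syntax instead of being exported verbatim. Single-quote the values in the template, e.g. `DJANGO_POSTGRES_PASSWORD='{{ index .Data.data "password" }}'`, and either exclude `'` from the Vault password policy or escape it in the template, so that sourcing is a plain assignment. The identical templates and sourcing block are repeated in the celery deployment (L3244–L3324) and need the same change. The container also has no `resources.limits` and no `securityContext`; with `replicas: 1` and a 128Mi request a memory spike has no ceiling.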


@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Service
metadata:
name: backend-svc
namespace: django
spec:
type: ClusterIP
selector:
app: backend
ports:
- name: http
port: 80
targetPort: 8000
protocol: TCP


@ -0,0 +1,204 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: celery
namespace: django
labels:
app: celery
service: celery
spec:
replicas: 1
selector:
matchLabels:
app: celery
template:
metadata:
labels:
app: celery
service: celery
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: django
vault.hashicorp.com/agent-inject-secret-django-postgresql: secrets/data/postgresql/apps/django
vault.hashicorp.com/agent-inject-template-django-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/django" -}}
DJANGO_POSTGRES_HOST=postgresql.django.svc.cluster.local
DJANGO_POSTGRES_PORTS=5432
DJANGO_POSTGRES_DATABASE=sarex_db
DJANGO_POSTGRES_USER={{ index .Data.data "username" }}
DJANGO_POSTGRES_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-django-rabbitmq: secrets/data/rabbitmq/apps/django
vault.hashicorp.com/agent-inject-template-django-rabbitmq: |-
{{- with secret "secrets/data/rabbitmq/apps/django" -}}
CELERY_RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
CELERY_RABBITMQ_USER={{ index .Data.data "username" }}
CELERY_RABBITMQ_PASSWORD={{ index .Data.data "password" }}
CELERY_RABBITMQ_VHOST={{ index .Data.data "vhost" }}
DJANGO_RABBIT_HOSTNAME=rabbitmq.rabbitmq.svc.cluster.local
DJANGO_RABBIT_USER={{ index .Data.data "username" }}
DJANGO_RABBIT_PASS={{ index .Data.data "password" }}
DJANGO_RABBIT_VHOST={{ index .Data.data "vhost" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-django-s3: secrets/data/minio/apps/django
vault.hashicorp.com/agent-inject-template-django-s3: |-
{{- with secret "secrets/data/minio/apps/django" -}}
AWS_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech
S3_HOST=https://minio.contour.infra.sarex.tech
{{- $buckets := index .Data.data "buckets" }}
S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}django{{- end -}}
S3_LOGIN={{ index .Data.data "access_key" }}
S3_PASSWORD={{ index .Data.data "secret_key" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-django-kafka: secrets/data/kafka/apps/django
vault.hashicorp.com/agent-inject-template-django-kafka: |-
{{- with secret "secrets/data/kafka/apps/django" -}}
KAFKA_BOOTSTRAP_SERVERS="[\"{{ index .Data.data.auth "bootstrap_servers" }}\"]"
KAFKA_SECURITY_PROTOCOL={{ index .Data.data.auth "security_protocol" }}
KAFKA_SASL_MECHANISM={{ index .Data.data.auth "sasl_mechanism" }}
KAFKA_SASL_PLAIN_USERNAME={{ index .Data.data "username" }}
KAFKA_SASL_PLAIN_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-django-jwt-private: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-django-jwt-private: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "private_key" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-django-jwt-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-django-jwt-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-django-common: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-django-common: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
ZITADEL_ACCESS_TOKEN={{ index .Data.data "django_zitadel_access_token" }}
{{- end -}}
spec:
serviceAccountName: django-vault
volumes:
- name: django-configmap
configMap:
name: django-configmap
items:
- key: production.py
path: production.py
defaultMode: 420
containers:
- name: celery
image: cr.yandex/crp3ccidau046kdj8g9q/backend:production_a96dead0
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/django-postgresql ] && . /vault/secrets/django-postgresql
[ -f /vault/secrets/django-rabbitmq ] && . /vault/secrets/django-rabbitmq
[ -f /vault/secrets/django-s3 ] && . /vault/secrets/django-s3
[ -f /vault/secrets/django-kafka ] && . /vault/secrets/django-kafka
[ -f /vault/secrets/django-common ] && . /vault/secrets/django-common
[ -f /vault/secrets/django-jwt-private ] && export JWT_PRIVATE_KEY="$(cat /vault/secrets/django-jwt-private)"
[ -f /vault/secrets/django-jwt-public ] && export JWT_PUBLIC_KEY="$(cat /vault/secrets/django-jwt-public)"
set +a
exec celery -A config worker -B -l info -E -Q default -n default_worker.%h --concurrency=2
ports:
- name: http
containerPort: 8000
protocol: TCP
env:
- name: ALLOWED_HOSTS
value: '*'
- name: SERVER_USE_CHANGELOG
value: "0"
- name: SERVER_ZITADEL_ENABLED
value: "False"
- name: DJANGO_SETTINGS_MODULE
value: config.settings.production
- name: CELERY_REDIS_HOST
value: redis
- name: CELERY_REDIS_PORT
value: "6379"
- name: DJANGO_REDIS_HOST
value: redis
- name: DJANGO_REDIS_PORT
value: "6379"
- name: BIMV2_INTERNAL_HOST
value: http://bim-backend-v2-service.bim-api
- name: BIMV2_TIMEOUT
value: "60"
- name: JWT_KID
value: "1"
- name: PDM_SYNC
value: "1"
- name: KC_SYNC_ENABLE
value: "0"
- name: MEASUREMENTS_HOST
value: http://measurements-service.measurements.svc.cluster.local:8000/api
- name: MEASUREMENTS_USE_MEASUREMENTS
value: "1"
- name: SERVER_API_HOST
value: https://wb.sarex.io
- name: SERVER_HOST
value: https://wb.sarex.io
- name: WORKFLOWS_HOST
value: https://wb.sarex.io
- name: WORKFLOWS_BASE_HOST
value: https://wb.sarex.io
- name: WORKFLOWS_USE
value: "1"
- name: SERVER_S3_STREAM_IMPORT
value: "1"
- name: SERVER_SAVE_DIFF_DEM
value: "1"
- name: SERVER_USE_CLICKHOUSE
value: "0"
- name: SERVER_USE_CREATE_COMPARED_GEOTIFF_TASK
value: "0"
- name: SERVER_USE_DJANGO_STORAGE
value: "1"
- name: SERVER_USE_METASHAPE
value: "0"
- name: SERVER_CHANGELOG_MODE_SYSTEM_LOG
value: "1"
- name: SERVER_CHANGELOG_MODE
value: "0"
- name: SERVER_DJANGO_URLS
value: "1"
- name: CHECK_IMPORT_HASH
value: "1"
- name: EAV_ENABLE
value: "1"
- name: SERVER_CHECK_IMPORT_HASH
value: "1"
- name: SERVER_CHUNKED_PATH
value: /tmp/chunked_uploads/%Y/%m/%d
- name: SERVER_HIDE_USER_SCROLL_PERMISSIONS
value: "0"
- name: SERVER_USE_WRORKFLOW_STATUS
value: "1"
- name: ZITADEL_HOST
value: https://zitadel-srx.wb.ru
- name: SERVER_KAFKA_ENABLED
value: "False"
- name: KAFKA_TOPICS
value: '{"planning": "message-hub-stage", "ams-sync": "ams-sync"}'
- name: KAFKA_SSL_CAFILE
value: /usr/local/share/ca-certificates/kafka.crt
- name: KC_USE_REDIRECT_LOGOUT
value: "False"
resources:
requests:
cpu: "25m"
memory: 128Mi
volumeMounts:
- name: django-configmap
mountPath: /opt/sarex/config/settings/production.py
subPath: production.py
imagePullSecrets:
- name: regcred
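Review bot: `SERVER_API_HOST`, `SERVER_HOST`, `WORKFLOWS_HOST` and `WORKFLOWS_BASE_HOST` at L3361–L3368 point to `https://wb.sarex.io`, whereas the backend deployment (L3132–L3139) and the settings ConfigMap use `https://sarex.contour.infra.sarex.tech`, so links and callbacks produced by worker tasks will target a different environment than the web tier. Align them with the backend values unless the divergence is intentional, in which case a comment should say so. The container declares an `http` port 8000 (L3326–L3329) but runs `celery ... worker` (L3325), so nothing listens there; drop the port or add a probe that matches what the process actually exposes. Because the worker runs embedded beat (`-B`), `replicas: 1` at L3228 is load-bearing — a comment such as `# keep at 1: embedded beat (-B) would run scheduled tasks once per replica` prevents an accidental scale-up.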


@ -0,0 +1,321 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: django-configmap
namespace: django
data:
production.py: |
import ast
import os
from .base import *
from logging.handlers import SysLogHandler
from datetime import timedelta
def _load_env_file(path):
try:
with open(path, "r", encoding="utf-8") as f:
for raw_line in f:
line = raw_line.strip()
if not line or line.startswith("#") or "=" not in line:
continue
key, value = line.split("=", 1)
key = key.strip()
value = value.strip()
if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
try:
value = ast.literal_eval(value)
except (ValueError, SyntaxError):
value = value[1:-1]
if key and key not in os.environ:
os.environ[key] = value
except FileNotFoundError:
pass
def _read_secret_file(path, default=""):
try:
with open(path, "r", encoding="utf-8") as f:
return f.read().strip()
except FileNotFoundError:
return default
# Fallback for manage.py launched via `kubectl exec` (outside entrypoint),
# so Django can still read DB/JWT values from Vault-injected files.
_load_env_file("/vault/secrets/django-postgresql")
_load_env_file("/vault/secrets/django-rabbitmq")
_load_env_file("/vault/secrets/django-s3")
_load_env_file("/vault/secrets/django-kafka")
_load_env_file("/vault/secrets/django-common")
if not os.environ.get("JWT_PRIVATE_KEY"):
os.environ["JWT_PRIVATE_KEY"] = _read_secret_file("/vault/secrets/django-jwt-private")
if not os.environ.get("JWT_PUBLIC_KEY"):
os.environ["JWT_PUBLIC_KEY"] = _read_secret_file("/vault/secrets/django-jwt-public")
ALLOWED_HOSTS = ["*"]
FILE_UPLOAD_PERMISSIONS = 0o644
DEBUG = False
CSRF_COOKIE_SECURE = True
CSRF_TRUSTED_ORIGINS = ["https://sarex.contour.infra.sarex.tech", "http://sarex.contour.infra.sarex.tech"]
SESSION_COOKIE_SECURE = True
SECURE_SSL_REDIRECT = False
SECRET_KEY = 't2=9+($2f%7ptsdy4!rby$)mcfl1l%o2e@vs^d(g&(wwi&%k1v'
CORS_ORIGIN_ALLOW_ALL = True
SERVERSETTINGS.cache_enabled = True
INSTALLED_APPS = list(INSTALLED_APPS) + ['corsheaders']
CORS_ALLOW_METHODS = (
'DELETE',
'GET',
'OPTIONS',
'PATCH',
'POST',
'PUT',
)
BASIC_USER_ID = 2
CORS_ALLOW_HEADERS = (
'accept',
'accept-encoding',
'authorization',
'content-type',
'user-agent',
'x-csrftoken',
'x-requested-with',
'x-token',
'Bearer',
)
HOST = "https://sarex.contour.infra.sarex.tech"
POSTGRES_DATABASE = os.environ.get('DJANGO_POSTGRES_DATABASE')
POSTGRES_USER = os.environ.get('DJANGO_POSTGRES_USER')
POSTGRES_PASSWORD = os.environ.get('DJANGO_POSTGRES_PASSWORD')
POSTGRES_HOST = os.environ.get('DJANGO_POSTGRES_HOST')
POSTGRES_PORTS = os.environ.get('DJANGO_POSTGRES_PORTS', "5432")
DATABASES = {
'default': {
'ENGINE': 'django_prometheus.db.backends.postgresql',
'NAME': POSTGRES_DATABASE,
'USER': POSTGRES_USER,
'PASSWORD': POSTGRES_PASSWORD,
'HOST': POSTGRES_HOST,
'PORT': POSTGRES_PORTS,
}
}
LOGGING = {
'version': 1,
'disable_existing_loggers': False,
'filters': {
'require_debug_false': {
'()': 'django.utils.log.RequireDebugFalse',
}
},
'formatters': {
'verbose': {
'format': '[contactor] %(levelname)s %(asctime)s %(message)s',
},
},
'handlers': {
'console': {
'level': 'DEBUG',
'class': 'logging.StreamHandler',
},
'sentry': {
'level': 'ERROR',
'filters': ['require_debug_false'],
'class': 'logging.StreamHandler',
},
},
'loggers': {
'': {
'handlers': ['console', 'sentry'],
'level': 'INFO',
'propagate': False,
},
}
}
COMPARATOR_JWT = os.environ.get("COMPARATOR_JWT", "default_jwt")
COMPARATOR_URL = os.environ.get("COMPARATOR_URL", "https://wb.sarex.io/comparator")
COMPARATOR_SECTION = os.environ.get("COMPARATOR_SECTION", "sarex-production-storage")
SIMPLE_JWT = {
'ACCESS_TOKEN_LIFETIME': timedelta(hours=1),
'REFRESH_TOKEN_LIFETIME': timedelta(days=1),
'ROTATE_REFRESH_TOKENS': False,
'BLACKLIST_AFTER_ROTATION': True,
'UPDATE_LAST_LOGIN': False,
'ALGORITHM': 'RS512',
'SIGNING_KEY': os.environ.get("JWT_PRIVATE_KEY", "").replace("\\n", "\n"),
'VERIFYING_KEY': os.environ.get("JWT_PUBLIC_KEY", "").replace("\\n", "\n"),
'AUDIENCE': None,
'ISSUER': os.environ.get('SIMPLE_JWT_ISSUER', 'default_issuer'),
'AUTH_HEADER_TYPES': ('Bearer',),
'AUTH_HEADER_NAME': 'HTTP_AUTHORIZATION',
'USER_ID_FIELD': 'id',
'USER_ID_CLAIM': 'user_id',
'AUTH_TOKEN_CLASSES': ('rest_framework_simplejwt.tokens.AccessToken',),
'TOKEN_TYPE_CLAIM': 'token_type',
'JTI_CLAIM': 'jti',
'SLIDING_TOKEN_REFRESH_EXP_CLAIM': 'refresh_exp',
'SLIDING_TOKEN_LIFETIME': timedelta(minutes=5),
'SLIDING_TOKEN_REFRESH_LIFETIME': timedelta(days=1),
}
os.environ["DJANGO_ALLOW_ASYNC_UNSAFE"] = "true"
DEFAULT_FILE_STORAGE = 'sarex.core.storages.CustomS3Boto3Storage'
DATA_UPLOAD_MAX_MEMORY_SIZE = 268435456
if not os.environ.get('ISOLATED', False):
import sentry_sdk
from sentry_sdk.integrations.django import DjangoIntegration
sentry_sdk.init(
dsn="https://3df2f4b8d3d14595a06c92e9d7c562cb@sentry.io/1501541",
integrations=[DjangoIntegration()],
environment=os.environ.get('SENTRY_ENVIRONMENT', 'production'),
send_default_pii=True,
)
COMPARISON_API_URL = f"{os.environ.get('WORKFLOWSSETTINGS_HOST')}/comparisons"
DOCUMENTATION_API_URL = f"{os.environ.get('WORKFLOWSSETTINGS_HOST')}/documentations"
PDM_FILES_API_URL = f"{os.environ.get('WORKFLOWSSETTINGS_HOST')}/files"
WORKFLOWS_TASKS = {
"update_orthomosaic_data": {
"image": f"{os.environ.get('WORKFLOWSSETTINGS_REGISTRY')}/update-orthomosaic-data:dev",
"service_requests": ["django-auth"],
"backoff_limit": 3,
},
}
REST_FRAMEWORK = { 'DEFAULT_PAGINATION_CLASS': (
'rest_framework.pagination.LimitOffsetPagination' ),
'DEFAULT_SCHEMA_CLASS': 'rest_framework.schemas.coreapi.AutoSchema',
'PAGE_SIZE': 1000, 'DEFAULT_FILTER_BACKENDS': [
'django_filters.rest_framework.DjangoFilterBackend' ],
'DEFAULT_AUTHENTICATION_CLASSES': [
# 'sarex.authentication.backends.ZitadelJWTAuthentication',
'rest_framework.authentication.RemoteUserAuthentication',
'rest_framework_simplejwt.authentication.JWTAuthentication',
'rest_framework.authentication.BasicAuthentication',
'rest_framework.authentication.SessionAuthentication',
'sarex.authentication.backends.JWTAuthentication' ],
'DEFAULT_PERMISSION_CLASSES': [
'rest_framework.permissions.IsAuthenticated', ] }
AUTHENTICATION_BACKENDS = [
'sarex.authentication.backends.CustomRemoteUserBackend',
'django.contrib.auth.backends.ModelBackend',
'guardian.backends.ObjectPermissionBackend',
]
MIDDLEWARE = [
'django_prometheus.middleware.PrometheusBeforeMiddleware',
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
#'django_keycloak.middlewares.AuthorizationHeaderMiddleware',
#'django_keycloak.middlewares.KeycloakSessionMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
#'django.contrib.auth.middleware.RemoteUserMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django_user_agents.middleware.UserAgentMiddleware',
'simple_history.middleware.HistoryRequestMiddleware',
'django_prometheus.middleware.PrometheusAfterMiddleware', ]
class KeyCloakSettings(BaseSettings):
client_id: str = "client_id"
client_secret: str = "client_secret"
discovery_url: str = "https://login.wb.sarex.io/realms/sarex/.well-known/openid-configuration"
staff: Optional[str] = "Sarex staff"
superuser: Optional[str] = "Sarex superusers"
sync_with_django: bool = True
sync_admin: bool = False
group_prefix: str = 'Sarex-Role'
company_prefix: str = 'Sarex-Company'
department_prefix: str = 'Sarex-Department'
position_prefix: str = 'Sarex-Position'
separator: str = '__'
sync_user_groups: bool = False
sync_user_positions: bool = False
sync_user_departments: bool = False
sync_user_companies: bool = False
use_redirect_logout: bool = False
logout_redirect_uri: str = "/"
default_group_name: Optional[str] = 'Тест'
default_company_name: Optional[str] = 'Брусника'
trusted_uri: List[str] = ['/api/core/orthophotos/', '/api/token', '/api/token/me']
trusted_uri: List[str] = []
class Config:
env_prefix = "KC_"
KEYCLOAKSETTINGS = KeyCloakSettings()
REMOTE_USER_DEFAULT_COMPANY_ID = 1
SAREX_MODULES = [
{
"name": "Замечания",
"uri": "/remarks"
},
# {
# "name": "Управление проектами",
# "uri": "/management/projects",
# },
{
"name": "Замечания V2",
"uri": "/issues"
},
{
"name": "Документация",
"uri": "/documentations",
},
{
"name": "Согласование документов",
"uri": "/reviews"
},
{
"name": "Рабочие процессы",
"uri": "/processes"
},
{
"name": "Запросы",
"uri": "/rfi"
},
# {
# "name": "Обзор",
# "uri": "/projects"
# },
{
"name": "Передача документации",
"uri": "/transmittal"
},
]
AUTH_SETTINGS = {
"refresh_token": False,
"refresh_token_uri": "/api/token/me",
"refresh_oauth_token": True,
"refresh_oauth_token_uri": "/oauth/token",
"refresh_time": 240,
}
DEBUG=True
WEB_APP_AUTH_MODE='jwt-session-based'
SAREX_MODULES_SETTINGS = {
"aero": {
"enable_new_media": True
},
"sso_logout_redirect": True
}
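Review bot: `DEBUG=True` at L3705 overrides `DEBUG = False` at L3475, so the production settings ship with Django debug mode on — error pages expose settings, locals and stack traces — and with `ALLOWED_HOSTS = ["*"]` (L3473) there is no Host-header validation to limit who triggers them. Remove L3705, or gate it on an explicit variable such as `DEBUG = os.environ.get("DJANGO_DEBUG") == "1"`. The `SECRET_KEY` literal at L3480 is stored in a ConfigMap in git; inject it through a Vault template like the other secrets (e.g. a `django-common` entry read as `SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]`) and rotate the committed value, since it signs sessions and password-reset tokens. `trusted_uri` is assigned twice at L3654–L3655 and the second, empty list wins — delete whichever line is not intended. `BaseSettings`, `Optional` and `List` used at L3633–L3654 are not imported in this file, presumably coming from `from .base import *`; worth confirming.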


@ -0,0 +1,44 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend
namespace: django
labels:
app: frontend
spec:
replicas: 1
selector:
matchLabels:
app: frontend
template:
metadata:
labels:
app: frontend
spec:
volumes:
- name: nginx-configmap
configMap:
name: nginx-configmap
items:
- key: nginx.conf
path: nginx.conf
defaultMode: 420
containers:
- name: frontend
image: cr.yandex/crp3ccidau046kdj8g9q/sarex-frontend-dev:contour_0b579274
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
resources:
requests:
cpu: 25m
memory: 100Mi
volumeMounts:
- name: nginx-configmap
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
imagePullSecrets:
- name: regcred
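Review bot: The `frontend` container has no readiness or liveness probe, unlike `cross-section-static` (L2890–L2903), so the Service routes to the pod the moment the container starts and a wedged nginx is never restarted. Add at least `readinessProbe: {httpGet: {path: /, port: 80}}` (adjust the path to a cheap static asset), and `resources.limits` alongside the requests. The same gap exists in `srx-admin-frontend` (L3926–L3958) and the `document-link` frontend (L4199–L4232).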


@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Service
metadata:
name: frontend-svc
namespace: django
spec:
type: ClusterIP
selector:
app: frontend
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP


@ -0,0 +1,17 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: django
resources:
- namespace.yaml
- serviceaccount.yaml
- backend-deployment.yaml
- celery-deployment.yaml
- frontend-deployment.yaml
- backend-service.yaml
- frontend-service.yaml
- django-configmap.yaml
- srx-admin-deployment.yaml
- srx-admin-service.yaml
- nginx-configmap.yaml
- uwsgi-configmap.yaml


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: django
labels:
istio-injection: enabled


@ -0,0 +1,116 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-configmap
namespace: django
data:
nginx.conf: |
worker_processes auto;
pid /var/run/nginx.pid;
events {
use epoll;
worker_connections 1024;
}
http {
# Basic Settings
large_client_header_buffers 8 128k;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 300;
types_hash_max_size 2048;
client_max_body_size 5000M;
client_header_buffer_size 5M;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Logging Settings
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# GZIP Settings
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
server {
listen 80;
listen [::]:80;
root /opt/react_client/;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' '*' always;
add_header 'Access-Control-Allow-Headers' '*' always;
location = /static/index.bundle.js {
add_header Cache-Control 'no-store no-cache, must-revalidate, proxy-revalidate, max-age=0';
if_modified_since off;
expires off;
}
location ~^/api/pm/ {
#rewrite /api/(.+) /$1 break;
proxy_set_header Host $host;
proxy_pass http://backend-svc.pm.svc.cluster.local:8000;
}
location ~^/api/v1/documents/ {
#rewrite /api/(.+) /$1 break;
proxy_set_header Host $host;
proxy_pass http://backend-filestream-svc.documentations.svc.cluster.local:80;
}
# location ~^/(api|admin)/ {
# proxy_set_header Host $host;
# proxy_pass http://backend-svc.django.svc.cluster.local:80;
# }
location ~^/workspaces-v2/(.+).js {
proxy_http_version 1.1;
proxy_set_header Connection "";
rewrite /workspaces-v2/(.+) /$1 break;
proxy_pass http://frontend-svc.workspaces.svc.cluster.local:80;
}
location ~^/workspaces-v2/(.+)\.wasm$ {
proxy_http_version 1.1;
proxy_set_header Connection "";
rewrite ^/workspaces-v2/(.+) /$1 break;
proxy_pass http://frontend-svc.workspaces.svc.cluster.local:80;
}
location @index {
add_header Cache-Control 'no-cache, must-revalidate, proxy-revalidate, max-age=0';
if_modified_since off;
expires off;
try_files /static/index.html =404;
}
# location ~^/workflows/(.+).js {
# rewrite /workflows/(.+) /$1 break;
# proxy_pass http://frontend-svc.processing.svc.cluster.local:80;
# }
location /service-worker.js {
try_files /static/$uri @index;
}
location / {
try_files $uri @index;
}
}
}
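Review bot: The regex at L3884, `~^/workspaces-v2/(.+).js`, has an unescaped `.` and no `$`, so it also matches paths like `/workspaces-v2/foo.json` or `/workspaces-v2/xjs-bar`, whereas the `.wasm` rule at L3890 is correctly anchored; use `~^/workspaces-v2/(.+)\.js$` and anchor the rewrite as at L3893 (`rewrite ^/workspaces-v2/(.+) /$1 break;`). `server_tokens off;` is still commented out at L3839 — enable it so error pages and headers do not advertise the nginx version. The wildcard CORS headers added `always` at L3862–L3864 apply to every response, including the `/api/pm/` and `/api/v1/documents/` proxied locations; if any of those endpoints rely on cookies or bearer tokens, scope the headers to the static locations or to an explicit origin list. `log_format main` at L3855 is defined but `access_log` at L3845 does not reference it, so the format is unused.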


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: django-vault
namespace: django


@ -0,0 +1,32 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: srx-admin-frontend
namespace: django
labels:
app: srx-admin-frontend
spec:
replicas: 1
selector:
matchLabels:
app: srx-admin-frontend
template:
metadata:
labels:
app: srx-admin-frontend
spec:
containers:
- name: srx-admin-frontend
image: cr.yandex/crp3ccidau046kdj8g9q/srx-admin:prod_3b9cb250
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
resources:
requests:
cpu: 25m
memory: 100Mi
imagePullSecrets:
- name: regcred


@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Service
metadata:
name: srx-admin-svc
namespace: django
spec:
type: ClusterIP
selector:
app: srx-admin
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP
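Review bot: The selector `app: srx-admin` at L3972 does not match the pod labels of the `srx-admin-frontend` Deployment (`app: srx-admin-frontend`, L3943), so this Service will have no endpoints and every request to `srx-admin-svc` fails. Change the selector to `app: srx-admin-frontend` (or relabel the Deployment consistently); a quick `kubectl get endpoints srx-admin-svc -n django` after apply confirms the fix.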


@ -0,0 +1,30 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: uwsgi-configmap
namespace: django
data:
uwsgi.ini: |
[uwsgi]
module = config.wsgi:application
DJANGO_SETTINGS_MODULE = config.settings.production
http = 0.0.0.0:8000
processes = 16
master = true
vacuum = true
enable-threads = true
buffer-size = 65535
stats = :3031
stats-http = true
memory-report = true
lazy-apps = true
listen = 128
disable-write-exception= 0
harakiri = 300
socket-timeout = 300
chunked-input-timeout = 300
http-timeout = 300
worker-reload-mercy = 240
mule-reload-mercy = 240
static-map = /static=/opt/sarex/sarex/static/
static-map = /media=/media/
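Review bot: `stats = :3031` with `stats-http = true` (L3998–L3999) opens an unauthenticated stats endpoint on all interfaces, reachable from any pod that can address the pod IP; bind it to loopback with `stats = 127.0.0.1:3031` unless a sidecar or scraper needs it, and say so in a comment. `DJANGO_SETTINGS_MODULE = config.settings.production` at L3991 is not a uWSGI option and is likely ignored — the uWSGI form is `env = DJANGO_SETTINGS_MODULE=config.settings.production`; it is harmless because the Deployment already sets the variable (L3108), but the line is misleading. `processes = 16` (L3993) against a 25m CPU request in the Deployment seems mismatched; confirm the intended sizing.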


@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
- postgresql.yaml
- redis-deployment.yaml
- redis-service.yaml
patches: []


@ -0,0 +1,122 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: postgresql
namespace: django
spec:
interval: 5m
timeout: 2h
chart:
spec:
chart: postgresql-contour
version: "17.0.7"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
namespace: flux-system
install:
timeout: 2h
remediation:
retries: 3
upgrade:
timeout: 2h
remediation:
retries: 3
values:
global:
security:
allowInsecureImages: true
defaultStorageClass: local-path
postgresql:
auth:
username: ""
database: ""
secretKeys:
userPasswordKey: "postgres-password"
auth:
username: ""
database: ""
secretKeys:
userPasswordKey: "postgres-password"
image:
registry: cr.yandex/crp3ccidau046kdj8g9q
repository: contour/postgresql
tag: 17.0.7
pullPolicy: Always
metrics:
enabled: false
prometheusRule:
enabled: false
primary:
containerSecurityContext:
readOnlyRootFilesystem: false
persistence:
storageClass: local-path
size: 20Gi
customLivenessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
customReadinessProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
customStartupProbe:
exec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
nodeSelector:
dedicated: db
tolerations:
- key: dedicated
operator: Equal
value: db
effect: NoSchedule
contour:
enabled: true
adminUser: "postgres"
sharedPreloadLibraries: "pg_stat_statements"
vault:
enabled: true
role: postgresql
authPath: auth/kubernetes
secretPath: secrets/data/postgresql/admin
secretKey: postgres-password
usersSecretPath: secrets/data/postgresql/users
databases:
- name: sarex_db
user: sarex
passwordKey: sarex
extensions:
- pg_stat_statements
restoreFromDump: false
s3-proxy:
endpointUrl: "s3-proxy-service.postgresql.svc.cluster.local"
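Review bot: `allowInsecureImages: true` at L4056 and `readOnlyRootFilesystem: false` at L4080 both loosen chart defaults without an explanation; assuming `postgresql-contour` keeps the Bitnami values layout, the first disables the check that the configured image is the one the chart expects, which the custom registry image may require — add a comment stating that, e.g. `# required: custom cr.yandex image is not the upstream chart image`. `pullPolicy: Always` with the mutable tag `17.0.7` (L4072–L4073) means a re-pushed tag silently changes what runs; pin by digest if reproducibility matters. Data lives on `local-path` storage pinned to the `dedicated: db` node (L4082, L4121–L4127) with `restoreFromDump: false`, so losing that node loses the database unless a backup job exists outside this file.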


@ -0,0 +1,27 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis
namespace: django
labels:
app: redis
spec:
replicas: 1
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- name: redis
image: cr.yandex/crp3ccidau046kdj8g9q/redis:latest
imagePullPolicy: Always
ports:
- containerPort: 6379
protocol: TCP
imagePullSecrets:
- name: regcred
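Review bot: `redis:latest` with `imagePullPolicy: Always` (L4172–L4173) makes every restart pull whatever the tag points at, so the running version is neither reproducible nor reviewable; pin to a specific tag or digest like the other images in this change. The container has no `resources`, no probes and no authentication configured; the namespace has `istio-injection: enabled` (L3811) but no AuthorizationPolicy is visible here, so any workload in the mesh can reach it — restrict access with an AuthorizationPolicy or `requirepass`, and add requests/limits.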


@ -0,0 +1,13 @@
---
apiVersion: v1
kind: Service
metadata:
name: redis
namespace: django
spec:
selector:
app: redis
ports:
- port: 6379
targetPort: 6379
protocol: TCP


@ -0,0 +1,33 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend
namespace: document-link
labels:
app: frontend
spec:
replicas: 1
selector:
matchLabels:
app: frontend
template:
metadata:
labels:
app: frontend
version: stable
spec:
containers:
- name: frontend
image: cr.yandex/crp3ccidau046kdj8g9q/document-link-frontend:wb_cb2027ce
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
resources:
requests:
cpu: 25m
memory: 100Mi
imagePullSecrets:
- name: regcred


@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: document-link
resources:
- namespace.yaml
- deployment.yaml
- service.yaml


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: document-link
labels:
istio-injection: enabled


@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Service
metadata:
name: frontend-service
namespace: document-link
spec:
type: ClusterIP
selector:
app: frontend
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP


@ -0,0 +1,10 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
patches: []
# - path: replicas.yaml
# target:
# kind: Deployment
# name: frontend


@ -0,0 +1,8 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend
namespace: document-link
spec:
replicas: 1


@ -0,0 +1,173 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: documentations-api
namespace: documentations
labels:
app: documentations-api
service: documentations-api
spec:
replicas: 1
selector:
matchLabels:
app: documentations-api
template:
metadata:
labels:
app: documentations-api
service: documentations-api
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: documentations
vault.hashicorp.com/agent-inject-secret-documentations-postgresql: secrets/data/postgresql/apps/documentations
vault.hashicorp.com/agent-inject-template-documentations-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/documentations" -}}
POSTGRES_ADDRESS=postgresql.documentations.svc.cluster.local
POSTGRES_PORT=5432
POSTGRES_DB=documentations_db
POSTGRES_USER={{ index .Data.data "username" }}
POSTGRES_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-common: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-documentations-common: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
DJANGO_BASIC_AUTH={{ index .Data.data "key" }}
DJANGO_BASIC_AUTH_FOR_GET_USER={{ index .Data.data "key" }}
DOCUMENT_PUBLIC_LINK_JWT_SECRET={{ index .Data.data "documentations_public_link_jwt_secret" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-s3-account-json: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-documentations-s3-account-json: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
{{ index .Data.data "documentations_s3_service_account_json" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-zitadel-account-json: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-documentations-zitadel-account-json: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
{{ index .Data.data "documentations_zitadel_account_json" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-rsa-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-documentations-rsa-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec:
serviceAccountName: documentations-vault
containers:
- name: documentations-api
image: cr.yandex/crp3ccidau046kdj8g9q/documentations:prod_a9990430
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/documentations-postgresql ] && . /vault/secrets/documentations-postgresql
[ -f /vault/secrets/documentations-common ] && . /vault/secrets/documentations-common
[ -f /vault/secrets/documentations-rsa-public ] && export PUBLIC_KEY="$(cat /vault/secrets/documentations-rsa-public)"
set +a
exec /app/entrypoint.sh
ports:
- name: http
containerPort: 8080
protocol: TCP
env:
- name: POSTGRES_POOL_SIZE
value: "20"
- name: ZITADEL_ACCOUNT
value: /vault/secrets/documentations-zitadel-account-json
- name: ZITADEL_DOMAIN
value: zitadel-srx.wb.ru
- name: USE_ZITADEL
value: "0"
- name: FLOWS_URL
value: http://backend-svc.flows.svc.cluster.local:80
- name: LAST_MASTER_BIM
value: "36311"
- name: API_ADDRESS
value: 0.0.0.0:8080
- name: API_ADDRESS_FILE
value: 0.0.0.0:8080
- name: DOCUMENT_PUBLIC_LINK_JWT_EXPIRATION_MINUTES
value: "5"
- name: ENABLE_SQL_QUERY
value: "0"
- name: ENABLE_SSL
value: "0"
- name: WORKSPACE_V2_EXTERNAL_URL
value: https://sarex.contour.infra.sarex.tech/workspaces-v2/
- name: ENABLE_S3
value: "1"
- name: CONTAINER_REGISTRY
value: cr.yandex/crp3ccidau046kdj8g9q
- name: ENVIRONMENT
value: production
- name: LAST_SLAVE_1_BIM
value: "1000000"
- name: HOST
value: http://backend-api-svc.documentations.svc.cluster.local:80
- name: FILE_STREAM_HOST
value: sarex.contour.infra.sarex.tech
- name: DOCUMENTATION_URL
value: http://documentations-api.documentations.svc.cluster.local:80/
- name: WORKFLOW_URL
value: http://backend-svc.processing.svc.cluster.local:80/
- name: WORKSPACE_URL
value: http://backend-svc.workspaces.svc.cluster.local:80/
- name: BIM_API_URL
value: http://bim-api-service.bim.svc.cluster.local:8080/
- name: BIM_API_V2_URL
value: http://backend-service.bim.svc.cluster.local:8000/
- name: WORKSPACE_BUNDLE_VERSION
value: v1
- name: SYSTEM_LOG_URL
value: http://backend-svc.system-log.svc.cluster.local:80
- name: DJANGO_HOST
value: http://backend-svc.django.svc.cluster.local:80
- name: MARKS_PROCESSING_URL
value: http://marks-service:8000
- name: PUBLIC_LINK_HOST
value: https://document-link-srx.wb.ru
- name: NAMESPACE
value: documentations
- name: DJANGO_ORIGINATOR
value: docs_prod
- name: WORKFLOW_IMAGES_VERSION
value: master
- name: WORKFLOWS_IMAGES_VERSION
value: master
- name: S3_SERVICE_ACCOUNT
value: /vault/secrets/documentations-s3-account-json
- name: READ_WRITE_TIMEOUT_FILE_STREAM
value: 6h
- name: CACHE_DEFAULT_EXPIRATION
value: 60s
- name: ENABLE_SMTP
value: "True"
- name: ENABLE_MAILGUN
value: "False"
- name: CACHE_CLEANUP_INTERVAL
value: 60s
- name: ENABLE_AUTH_JWT_IN_URL
value: "true"
- name: ENABLE_SIGNATURE_IN_URL
value: "false"
- name: USE_CACHE_IN_FILE_STREAMER
value: "0"
- name: VALKEY_ADDR
value: redis:6379
- name: VALKEY_HOST
value: redis
- name: VALKEY_PORT
value: "6379"
resources:
requests:
cpu: "25m"
memory: 128Mi
imagePullSecrets:
- name: regcred
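Review bot: The Vault templates render `POSTGRES_PASSWORD={{ index .Data.data "password" }}` and the `documentations-common` values unquoted, and the entrypoint then sources those files with `. /vault/secrets/...` under `set -a`, so a secret containing a space, `$`, backtick, `;` or a quote is not merely mis-read but parsed and expanded by the shell, and under `-e` the resulting error crashes the pod with a fragment of the secret in the log. Quote every rendered value, e.g. `POSTGRES_PASSWORD='{{ index .Data.data "password" }}'`, and if a value may itself contain `'`, escape it first with consul-template's `replaceAll`; the same applies to `DJANGO_BASIC_AUTH` and `DOCUMENT_PUBLIC_LINK_JWT_SECRET`. The `[ -f … ] && . …` guards also make startup fail-open: if the agent did not render a file the app starts without database credentials instead of failing fast, so `. /vault/secrets/documentations-postgresql || exit 1` is safer given `agent-init-first: "true"` already guarantees ordering. Separately, `DOCUMENTATION_URL` points at `documentations-api.documentations.svc.cluster.local`, but the only Service for this app listed in the namespace's kustomization is `backend-api-svc` (which the filestream deployment uses for the same variable), so this looks like a stale hostname unless a Service of that name exists outside this change.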


@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Service
metadata:
name: backend-api-svc
namespace: documentations
spec:
type: ClusterIP
selector:
app: documentations-api
ports:
- name: http
port: 80
targetPort: 8080
protocol: TCP


@ -0,0 +1,173 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: documentations-filestream
namespace: documentations
labels:
app: documentations-filestream
service: documentations-filestream
spec:
replicas: 1
selector:
matchLabels:
app: documentations-filestream
template:
metadata:
labels:
app: documentations-filestream
service: documentations-filestream
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: documentations
vault.hashicorp.com/agent-inject-secret-documentations-postgresql: secrets/data/postgresql/apps/documentations
vault.hashicorp.com/agent-inject-template-documentations-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/documentations" -}}
POSTGRES_ADDRESS=postgresql.documentations.svc.cluster.local
POSTGRES_PORT=5432
POSTGRES_DB=documentations_db
POSTGRES_USER={{ index .Data.data "username" }}
POSTGRES_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-common: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-documentations-common: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
DJANGO_BASIC_AUTH={{ index .Data.data "key" }}
DJANGO_BASIC_AUTH_FOR_GET_USER={{ index .Data.data "key" }}
DOCUMENT_PUBLIC_LINK_JWT_SECRET={{ index .Data.data "documentations_public_link_jwt_secret" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-s3-account-json: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-documentations-s3-account-json: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
{{ index .Data.data "documentations_s3_service_account_json" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-zitadel-account-json: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-documentations-zitadel-account-json: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
{{ index .Data.data "documentations_zitadel_account_json" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-rsa-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-documentations-rsa-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec:
serviceAccountName: documentations-vault
containers:
- name: documentations-filestream
image: cr.yandex/crp3ccidau046kdj8g9q/documentations-api-files:prod_a9990430
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/documentations-postgresql ] && . /vault/secrets/documentations-postgresql
[ -f /vault/secrets/documentations-common ] && . /vault/secrets/documentations-common
[ -f /vault/secrets/documentations-rsa-public ] && export PUBLIC_KEY="$(cat /vault/secrets/documentations-rsa-public)"
set +a
exec /app/file_entrypoint.sh
ports:
- name: http
containerPort: 8080
protocol: TCP
env:
- name: POSTGRES_POOL_SIZE
value: "20"
- name: ZITADEL_ACCOUNT
value: /vault/secrets/documentations-zitadel-account-json
- name: ZITADEL_DOMAIN
value: zitadel-srx.wb.ru
- name: USE_ZITADEL
value: "0"
- name: FLOWS_URL
value: http://backend-svc.flows.svc.cluster.local:80
- name: LAST_MASTER_BIM
value: "36311"
- name: API_ADDRESS
value: 0.0.0.0:8080
- name: API_ADDRESS_FILE
value: 0.0.0.0:8080
- name: DOCUMENT_PUBLIC_LINK_JWT_EXPIRATION_MINUTES
value: "5"
- name: ENABLE_SQL_QUERY
value: "0"
- name: ENABLE_SSL
value: "0"
- name: WORKSPACE_V2_EXTERNAL_URL
value: https://srx.wb.ru/workspaces-v2/
- name: ENABLE_S3
value: "1"
- name: CONTAINER_REGISTRY
value: cr.yandex/crp3ccidau046kdj8g9q
- name: ENVIRONMENT
value: production
- name: LAST_SLAVE_1_BIM
value: "1000000"
- name: HOST
value: http://backend-api-svc.documentations.svc.cluster.local:80
- name: FILE_STREAM_HOST
value: srx.wb.ru
- name: DOCUMENTATION_URL
value: http://backend-api-svc.documentations.svc.cluster.local:80/
- name: WORKFLOW_URL
value: http://workflows-api-service.workflow.svc.cluster.local:8000/
- name: WORKSPACE_URL
value: http://backend-svc.workspaces.svc.cluster.local:80/
- name: BIM_API_URL
value: http://bim-api-service.bim.svc.cluster.local:8080/
- name: BIM_API_V2_URL
value: http://backend-service.bim.svc.cluster.local:8000/
- name: WORKSPACE_BUNDLE_VERSION
value: v1
- name: SYSTEM_LOG_URL
value: http://api-service.system-log.svc.cluster.local:8000
- name: DJANGO_HOST
value: http://backend-svc.django.svc.cluster.local:80
- name: MARKS_PROCESSING_URL
value: http://marks-service:8000
- name: PUBLIC_LINK_HOST
value: https://document-link-srx.wb.ru
- name: NAMESPACE
value: documentations
- name: DJANGO_ORIGINATOR
value: docs_prod
- name: WORKFLOW_IMAGES_VERSION
value: master
- name: WORKFLOWS_IMAGES_VERSION
value: master
- name: S3_SERVICE_ACCOUNT
value: /vault/secrets/documentations-s3-account-json
- name: READ_WRITE_TIMEOUT_FILE_STREAM
value: 6h
- name: CACHE_DEFAULT_EXPIRATION
value: 60s
- name: ENABLE_SMTP
value: "True"
- name: ENABLE_MAILGUN
value: "False"
- name: CACHE_CLEANUP_INTERVAL
value: 60s
- name: ENABLE_AUTH_JWT_IN_URL
value: "false"
- name: ENABLE_SIGNATURE_IN_URL
value: "true"
- name: USE_CACHE_IN_FILE_STREAMER
value: "0"
- name: VALKEY_ADDR
value: redis:6379
- name: VALKEY_HOST
value: redis
- name: VALKEY_PORT
value: "6379"
resources:
requests:
cpu: "25m"
memory: 128Mi
imagePullSecrets:
- name: regcred
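Review bot: `FILE_STREAM_HOST: srx.wb.ru` and `WORKSPACE_V2_EXTERNAL_URL: https://srx.wb.ru/workspaces-v2/` disagree with the api deployment in the same namespace, which sets both to `sarex.contour.infra.sarex.tech`, while the two pods share one `DOCUMENT_PUBLIC_LINK_JWT_SECRET` and `PUBLIC_LINK_HOST`; links minted by one service and validated or served by the other may therefore carry the wrong host, and the manifests do not say which value this environment intends. `WORKFLOW_URL` (`processing` vs `workflow` namespace) and `SYSTEM_LOG_URL` (`backend-svc:80` vs `api-service:8000`) also differ between the two deployments, which looks like a copy from another environment rather than a deliberate split. Since the Vault annotations and several dozen env entries are duplicated verbatim across api, filestream and pdm, moving the shared values into a `configMapGenerator` plus a Kustomize patch would give one environment one source of truth and make such drift visible in review. With `ENABLE_SIGNATURE_IN_URL: "true"`, signed download URLs end up in access logs, referers and browser history, so their validity should stay as short as the `DOCUMENT_PUBLIC_LINK_JWT_EXPIRATION_MINUTES: "5"` here suggests is intended.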


@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Service
metadata:
name: backend-filestream-svc
namespace: documentations
spec:
type: ClusterIP
selector:
app: documentations-filestream
ports:
- name: http
port: 80
targetPort: 8080
protocol: TCP


@ -0,0 +1,32 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend
namespace: documentations
labels:
app: frontend
spec:
replicas: 1
selector:
matchLabels:
app: frontend
template:
metadata:
labels:
app: frontend
spec:
containers:
- name: frontend
image: cr.yandex/crp3ccidau046kdj8g9q/documentation-frontend-app:brusnika_ae1bb076
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
resources:
requests:
cpu: 25m
memory: 100Mi
imagePullSecrets:
- name: regcred
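Review bot: The image tag `brusnika_ae1bb076` follows a branch- or customer-style naming while every backend image in this namespace uses `prod_<sha>`, so it is worth confirming in review that this is the intended production build and not a feature branch; tags are mutable either way, and a digest pin (`…:brusnika_ae1bb076@sha256:<digest>`) would make the deployed artefact verifiable. No readiness or liveness probe is defined, so `frontend-svc` routes to the container the moment it starts and a hung nginx is never restarted; the probes below assume the frontend answers on `/`.
```yaml
          # … unchanged: image, imagePullPolicy, ports, resources …
          readinessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 15
            periodSeconds: 20
```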


@ -0,0 +1,15 @@
---
apiVersion: v1
kind: Service
metadata:
name: frontend-svc
namespace: documentations
spec:
type: ClusterIP
selector:
app: frontend
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP


@ -0,0 +1,15 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: documentations
resources:
- namespace.yaml
- serviceaccount.yaml
- api-deployment.yaml
- pdm-deployment.yaml
- filestream-deployment.yaml
- frontend-deployment.yaml
- api-service.yaml
- pdm-service.yaml
- filestream-service.yaml
- frontend-service.yaml


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: documentations
labels:
istio-injection: enabled
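Review bot: `istio-injection: enabled` only adds sidecars; it does not by itself require mTLS for the plain `http://…svc.cluster.local` URLs the deployments in this namespace use, so unless a mesh-wide or namespace `PeerAuthentication` with `mode: STRICT` exists elsewhere in the repository, a sidecar-less client can still reach these services in cleartext. If there is none, add one next to this Namespace. Note too that the deployments exclude port 8200 from the sidecar, so the Vault Agent's Kubernetes-auth call, which sends the pod's service-account JWT, relies on Vault's own listener TLS rather than the mesh; confirm the injector's Vault address is `https://`.
```yaml
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: documentations
spec:
  mtls:
    mode: STRICT
```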


@ -0,0 +1,181 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: pdm-api
namespace: documentations
labels:
app: pdm-api
service: pdm-api
spec:
replicas: 1
selector:
matchLabels:
app: pdm-api
template:
metadata:
labels:
app: pdm-api
service: pdm-api
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: documentations
vault.hashicorp.com/agent-inject-secret-documentations-postgresql: secrets/data/postgresql/apps/documentations
vault.hashicorp.com/agent-inject-template-documentations-postgresql: |-
{{- with secret "secrets/data/postgresql/apps/documentations" -}}
POSTGRES_ADDRESS=postgresql.documentations.svc.cluster.local
POSTGRES_PORT=5432
POSTGRES_DB=documentations_db
POSTGRES_USER={{ index .Data.data "username" }}
POSTGRES_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-common: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-documentations-common: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
DJANGO_BASIC_AUTH={{ index .Data.data "key" }}
RELEASES_TOKEN={{ index .Data.data "documentations_releases_token" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-s3-account-json: secrets/data/vault/common/django_auth
vault.hashicorp.com/agent-inject-template-documentations-s3-account-json: |-
{{- with secret "secrets/data/vault/common/django_auth" -}}
{{ index .Data.data "documentations_s3_service_account_json" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-documentations-rsa-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-documentations-rsa-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec:
serviceAccountName: documentations-vault
containers:
- name: pdm-api
image: cr.yandex/crp3ccidau046kdj8g9q/pdmv2:prod_38958427
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/documentations-postgresql ] && . /vault/secrets/documentations-postgresql
[ -f /vault/secrets/documentations-common ] && . /vault/secrets/documentations-common
[ -f /vault/secrets/documentations-rsa-public ] && export PUBLIC_KEY="$(cat /vault/secrets/documentations-rsa-public)"
set +a
exec ./httpserver
ports:
- name: http
containerPort: 8080
protocol: TCP
env:
- name: USE_EXPERIMENTAL
value: "true"
- name: POSTGRES_POOL_SIZE
value: "20"
- name: TRANSMITTALS_BASE_URL
value: mock
- name: API_ADDRESS
value: 0.0.0.0:8080
- name: API_ADDRESS_FILE
value: 0.0.0.0:8080
- name: BUCKET_NAME
value: attachments-storage
- name: API_HOST_PREFIX
value: /
- name: APP_NAME
value: pdm_v2
- name: APP_VERSION
value: 0.0.1
- name: ENABLE_PERMISSIONS_FILTER
value: "1"
- name: PERMISSIONS_FILTER_COMPANIES
value: '[1]'
- name: TRANSMITTALS_ENABLE
value: "false"
- name: DRAWINGS_INTERNAL_URL
value: http://drawings-api-service.drawings.svc.cluster.local:80
- name: ATTACHMENTS_URL
value: http://attachments-service.attachments.svc.cluster.local:8000
- name: BIM_API_V2_URL
value: http://backend-service.bim.svc.cluster.local:8000/
- name: BIM_V2_HOST
value: http://backend-service.bim.svc.cluster.local:8000/
- name: CACHE_CLEANUP_INTERVAL
value: 60s
- name: CACHE_DEFAULT_EXPIRATION
value: 60s
- name: DJANGO_HOST
value: http://backend-svc.django.svc.cluster.local:80
- name: DJANGO_ORIGINATOR
value: docs_prod
- name: DOCUMENTATION_URL
value: http://backend-api-svc.documentations.svc.cluster.local:80/
- name: EAV_URL
value: http://backend-svc.eav.svc.cluster.local:80
- name: ENABLE_OBSERVABILITY
value: "false"
- name: ENABLE_S3
value: "1"
- name: ENABLE_SSL
value: "0"
- name: ENVIRONMENT
value: prod
- name: FLOWS_URL
value: http://backend-svc.flows.svc.cluster.local:80
- name: HEIGHT_THUMB_ATTACHMENTS
value: "300"
- name: HEIGHT_THUMB_STATES
value: "73"
- name: HTTP_PORT
value: "8080"
- name: INSPECTIONS_URL
value: http://inspections-service.inspections.svc.cluster.local:80
- name: LOG_LEVEL
value: INFO
- name: NOTES_URL
- name: OBSERVABILITY_COLLECTOR_ENDPOINT
value: temp
- name: READ_WRITE_TIMEOUT_FILE_STREAM
value: 6h
- name: RELEASES_URL
value: https://gitlab.com
- name: REMARKS_URL
value: http://remarks-static-service.remarks.svc.cluster.local:8080/remarks
- name: RESOURCES_URL
value: http://backend-svc.resources.svc.cluster.local:80
- name: S3_SERVICE_ACCOUNT
value: /vault/secrets/documentations-s3-account-json
- name: STATES_URL
value: http://backend-svc.workspaces.svc.cluster.local:80/
- name: SUBSCRIPTIONS_URL
value: http://backend-svc.subscriptions.svc.cluster.local:80
- name: SYSTEM_LOG_URL
value: http://api-service.system-log.svc.cluster.local:8000
- name: TARGET_URL
value: http://backend-svc.django.svc.cluster.local:80
- name: USE_CACHE_IN_FILE_STREAMER
value: "1"
- name: USE_SUBSCRIPTIONS
value: "false"
- name: WIDTH_THUMB_ATTACHMENTS
value: "300"
- name: WIDTH_THUMB_STATES
value: "120"
- name: WORKFLOWS_IMAGES_VERSION
value: master
- name: WORKFLOW_IMAGES_VERSION
value: master
- name: WORKFLOW_URL
value: http://backend-svc.processing.svc.cluster.local:80/
- name: WORKSPACE_BUNDLE_VERSION
value: v1
- name: WORKSPACE_URL
value: http://backend-svc.workspaces.svc.cluster.local:80/
resources:
requests:
cpu: "25m"
memory: 128Mi
imagePullSecrets:
- name: regcred
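Review bot: Several values look like placeholders left in a manifest that sets `ENVIRONMENT: prod`: `TRANSMITTALS_BASE_URL: mock`, `OBSERVABILITY_COLLECTOR_ENDPOINT: temp`, and `NOTES_URL` with no `value` at all (Kubernetes defaults that to an empty string), alongside `USE_EXPERIMENTAL: "true"`; if they are intentional, a one-line comment saying so saves the next reader a question, otherwise they should be filled in or removed. From a least-privilege angle, this pod reads the whole `secrets/data/vault/common/django_auth` entry — the same path that holds the public-link JWT secret and the Zitadel credentials used by the api pods — although it only templates `key`, `documentations_releases_token` and the S3 JSON, so a compromise of pdm-api exposes secrets it has no use for; splitting that KV entry per consumer, or at least per Vault role policy, would contain the blast radius. The `set -a; . /vault/secrets/…` startup also sources the unquoted Vault templates through the shell, which breaks (or worse, expands) on secrets containing shell metacharacters; quote the rendered values, e.g. `RELEASES_TOKEN='{{ index .Data.data "documentations_releases_token" }}'`.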
