add brusnika-prod

Add test service in test namespace for brusnika-stage
bootstrap brusnika-stage
2026-06-01 17:59:51 +03:00 · 2026-06-01 16:59:02 +03:00 · 2026-06-01 16:55:47 +03:00 · 2026-05-28 23:05:51 +03:00 · 2026-05-28 22:57:46 +03:00 · 2026-05-28 18:52:10 +03:00
263 changed files with 32457 additions and 837 deletions
--- a/README.md
+++ b/README.md
@ -1,7 +1,349 @@
-# FluxCD v2 Monorepo
+# FluxCD v2 Monorepooo

 Репозиторий Infrastructure as Code, управляемый [FluxCD v2](https://fluxcd.io/) с использованием Kustomize-оверлеев и Helm-релизов.

+## Карта инфраструктуры и межсервисных маршрутов
+
+Диаграмма ниже показывает инфраструктурные компоненты кластера, их зависимости и типовые маршруты вызовов между бизнес-сервисами.
+
+```mermaid
+flowchart LR
+    %% ===== Внешний контур =====
+    User([👤 Пользователь<br/>Web / Mobile]):::ext
+    Admin([🛡 Администратор<br/>kubectl / flux]):::ext
+    LE([🔐 Let's Encrypt<br/>ACME v2]):::ext
+    GitRepo([📦 Git Repository<br/>FluxCD source]):::ext
+    OCI([🐳 OCI Registry<br/>cr.yandex]):::ext
+
+    %% ===== GitOps =====
+    subgraph GITOPS["⚙️ GitOps Control Plane"]
+        direction TB
+        FluxSource[source-controller]:::flux
+        FluxKust[kustomize-controller]:::flux
+        FluxHelm[helm-controller]:::flux
+        FluxNotif[notification-controller]:::flux
+        FluxSource --> FluxKust
+        FluxSource --> FluxHelm
+        FluxKust --> FluxNotif
+        FluxHelm --> FluxNotif
+    end
+
+    %% ===== Edge / Service Mesh =====
+    subgraph EDGE["🌐 Edge & Service Mesh — istio-system"]
+        direction TB
+        Gateway["Istio Gateway<br/>:443 / :80<br/>LoadBalancer"]:::mesh
+        Pilot["istiod / Pilot<br/>xDS :15010/:15012"]:::mesh
+        Base[Istio Base<br/>CRDs + RBAC]:::mesh
+        Cert["cert-manager<br/>v1.x"]:::mesh
+        IssuerProd[ClusterIssuer<br/>letsencrypt-prod]:::mesh
+        IssuerIstio[ClusterIssuer<br/>letsencrypt-istio]:::mesh
+        Pilot -->|sidecar inject| Gateway
+        Base --> Pilot
+        Cert --> IssuerProd
+        Cert --> IssuerIstio
+        IssuerIstio -. TLS cert .-> Gateway
+    end
+
+    %% ===== Платформа =====
+    subgraph PLATFORM["🛠 Платформа"]
+        direction TB
+        Dashboard["K8s Dashboard<br/>UI :8443"]:::platform
+        LPP["local-path-provisioner<br/>StorageClass: local-path"]:::platform
+        Vault["HashiCorp Vault<br/>:8200 KV/Transit"]:::platform
+        S3Proxy["S3 Proxy<br/>S3 API gateway"]:::platform
+    end
+
+    %% ===== Identity =====
+    subgraph IDENTITY["🪪 Identity & SSO"]
+        direction TB
+        Zitadel["Zitadel<br/>OIDC :8080"]:::identity
+        Keycloak["Keycloak<br/>OIDC/SAML :8080"]:::identity
+        OpenLDAP["OpenLDAP<br/>:389 / :636"]:::identity
+        Keycloak -- "LDAP federation" --> OpenLDAP
+    end
+
+    %% ===== Данные =====
+    subgraph DATA["🗄 Хранилища данных"]
+        direction TB
+        PG[("PostgreSQL<br/>:5432<br/>HA primary/replica")]:::data
+        Redis[("Redis<br/>:6379<br/>cache + pub/sub")]:::data
+        MinIO[("MinIO<br/>S3 :9000<br/>console :9001")]:::data
+    end
+
+    %% ===== Messaging =====
+    subgraph MSG["📨 Messaging"]
+        direction TB
+        Kafka[["Kafka<br/>:9092 / :9093 SASL<br/>3 brokers"]]:::msg
+        ZK[["ZooKeeper / KRaft<br/>:2181"]]:::msg
+        RMQ[["RabbitMQ<br/>:5672 / mgmt :15672"]]:::msg
+        Kafka --- ZK
+    end
+
+    %% ===== BPM =====
+    subgraph BPM["🔧 BPM"]
+        direction TB
+        Camunda["Camunda Platform<br/>REST :8080 / Tasklist"]:::app
+        Operate["Camunda Operate<br/>UI :8081"]:::app
+    end
+
+    %% ===== Бизнес-сервисы (каждый в своём namespace) =====
+    subgraph APPS["💼 Бизнес-сервисы — namespaces"]
+        direction LR
+        CI["ns: control-interface"]:::app
+        Django["ns: django"]:::app
+        EAV["ns: eav"]:::app
+        Workspaces["ns: workspaces"]:::app
+        Projects["ns: projects"]:::app
+        PM["ns: pm"]:::app
+        Contracts["ns: contracts"]:::app
+        Resources["ns: resources"]:::app
+        Subs["ns: subscriptions"]:::app
+        SysLog["ns: system-log"]:::app
+        MsgHub["ns: message-hub"]:::app
+        FaaS["ns: faas"]:::app
+        Flows["ns: flows"]:::app
+        Docs["ns: documentations"]:::app
+        DocLink["ns: document-link"]:::app
+        Attach["ns: attachments"]:::app
+        Transmittal["ns: transmittal"]:::app
+        CDE["ns: cde"]:::app
+        Drawings["ns: drawings"]:::app
+        BIM["ns: bim"]:::app
+        Stamp["ns: stamp-verification"]:::app
+        Inspect["ns: inspections"]:::app
+        Checklists["ns: checklists"]:::app
+        Remarks["ns: remarks"]:::app
+        Issues["ns: issues"]:::app
+        RFI["ns: rfi"]:::app
+        Reviews["ns: reviews"]:::app
+        Prescr["ns: prescriptions"]:::app
+        Compare["ns: comparisons"]:::app
+        Measure["ns: measurements"]:::app
+        Mapper["ns: mapper"]:::app
+        XSection["ns: cross-section"]:::app
+        Process["ns: processing"]:::app
+        Notes["ns: notes"]:::app
+    end
+
+    %% ===== GitOps потоки =====
+    Admin ==>|git push| GitRepo
+    GitRepo ==>|pull/poll| FluxSource
+    OCI ==>|OCI charts| FluxSource
+    FluxKust ==>|apply manifests| EDGE
+    FluxKust ==>|apply manifests| PLATFORM
+    FluxKust ==>|apply manifests| IDENTITY
+    FluxHelm ==>|HelmRelease| DATA
+    FluxHelm ==>|HelmRelease| MSG
+    FluxHelm ==>|HelmRelease| BPM
+    FluxHelm ==>|HelmRelease| APPS
+
+    %% ===== Внешний трафик =====
+    User ==>|HTTPS 443| Gateway
+    LE -. ACME HTTP-01 .-> Cert
+    Gateway ==>|VirtualService<br/>mTLS| CI
+    Gateway ==>|/api| Django
+    Gateway ==>|/bim| BIM
+    Gateway ==>|/cde| CDE
+    Gateway ==>|/docs| Docs
+    Gateway ==>|/pm| PM
+    Gateway ==>|VirtualService| Camunda
+    Gateway ==>|VirtualService| Operate
+    Gateway ==>|/auth| Keycloak
+    Gateway ==>|/oauth| Zitadel
+    Gateway ==>|/dashboard| Dashboard
+    Gateway ==>|/minio| MinIO
+    Admin -.->|kubectl| Dashboard
+
+    %% ===== Frontend → backend (через control-interface) =====
+    CI -- "API gateway" --> Django
+    CI -- "API gateway" --> PM
+    CI -- "API gateway" --> Projects
+    CI -- "API gateway" --> Workspaces
+
+    %% ===== Подключения к данным =====
+    Django -- "JDBC/ORM" --> PG
+    EAV -- "JDBC" --> PG
+    PM -- "JDBC" --> PG
+    Contracts -- "JDBC" --> PG
+    Resources -- "JDBC" --> PG
+    Projects -- "JDBC" --> PG
+    Workspaces -- "JDBC" --> PG
+    Subs -- "JDBC" --> PG
+    SysLog -- "JDBC" --> PG
+    Docs -- "JDBC" --> PG
+    DocLink -- "JDBC" --> PG
+    CDE -- "JDBC" --> PG
+    BIM -- "JDBC" --> PG
+    Drawings -- "JDBC" --> PG
+    Inspect -- "JDBC" --> PG
+    Checklists -- "JDBC" --> PG
+    Issues -- "JDBC" --> PG
+    Remarks -- "JDBC" --> PG
+    RFI -- "JDBC" --> PG
+    Reviews -- "JDBC" --> PG
+    Prescr -- "JDBC" --> PG
+    Compare -- "JDBC" --> PG
+    Measure -- "JDBC" --> PG
+    Mapper -- "JDBC" --> PG
+    XSection -- "JDBC" --> PG
+    Notes -- "JDBC" --> PG
+    Stamp -- "JDBC" --> PG
+    Transmittal -- "JDBC" --> PG
+    Camunda -- "JDBC" --> PG
+    Operate -- "JDBC" --> PG
+    Zitadel -- "JDBC" --> PG
+    Keycloak -- "JDBC" --> PG
+
+    %% ===== Redis (общий кэш / sessions) =====
+    Django -- "session/cache" --> Redis
+    CI -- "session" --> Redis
+    PM -- "cache" --> Redis
+    Workspaces -- "cache" --> Redis
+    Subs -- "pub/sub realtime" --> Redis
+    MsgHub -- "pub/sub" --> Redis
+    Flows -- "state" --> Redis
+    FaaS -- "queue" --> Redis
+    Camunda -- "cache" --> Redis
+    Keycloak -- "session" --> Redis
+
+    %% ===== S3 / объектное хранилище =====
+    Attach -- "PUT/GET" --> S3Proxy
+    Docs -- "filestream" --> S3Proxy
+    BIM -- "IFC/RVT" --> S3Proxy
+    Drawings -- "DWG/PDF" --> S3Proxy
+    CDE -- "files" --> S3Proxy
+    Compare -- "rendered diff" --> S3Proxy
+    Stamp -- "signed PDF" --> S3Proxy
+    Transmittal -- "bundles" --> S3Proxy
+    Process -- "raw + результаты" --> S3Proxy
+    Mapper -- "tiles" --> S3Proxy
+    Measure -- "snapshots" --> S3Proxy
+    XSection -- "профили" --> S3Proxy
+    S3Proxy -- "S3 API" --> MinIO
+
+    %% ===== Vault (secrets) =====
+    Django -. "kv" .-> Vault
+    Camunda -. "approle" .-> Vault
+    Keycloak -. "kv" .-> Vault
+    Zitadel -. "kv" .-> Vault
+    FaaS -. "approle" .-> Vault
+    Flows -. "approle" .-> Vault
+
+    %% ===== Storage / PVC =====
+    PG -.->|PVC| LPP
+    Redis -.->|PVC| LPP
+    Kafka -.->|PVC| LPP
+    ZK -.->|PVC| LPP
+    RMQ -.->|PVC| LPP
+    MinIO -.->|PVC| LPP
+    Vault -.->|PVC| LPP
+
+    %% ===== Kafka (event bus) =====
+    SysLog -- "consume audit.*" --> Kafka
+    MsgHub -- "produce notify.*" --> Kafka
+    Subs -- "consume notify.*" --> Kafka
+    Flows -- "produce/consume flows.*" --> Kafka
+    Camunda -- "produce bpm.events" --> Kafka
+    Operate -- "consume zeebe-records" --> Kafka
+    BIM -- "produce bim.processed" --> Kafka
+    Drawings -- "produce drawings.uploaded" --> Kafka
+    Process -- "consume processing.jobs" --> Kafka
+    Compare -- "consume drawings.uploaded" --> Kafka
+    Inspect -- "produce inspect.events" --> Kafka
+    Issues -- "consume inspect.events" --> Kafka
+    Remarks -- "produce remarks.events" --> Kafka
+    Reviews -- "consume remarks.events" --> Kafka
+
+    %% ===== RabbitMQ (work queues) =====
+    FaaS -- "consume tasks.*" --> RMQ
+    Flows -- "publish tasks.*" --> RMQ
+    Process -- "publish jobs" --> RMQ
+    Mapper -- "consume tile.jobs" --> RMQ
+    XSection -- "consume xs.jobs" --> RMQ
+    Stamp -- "consume sign.jobs" --> RMQ
+    Camunda -- "consume bpm.tasks" --> RMQ
+
+    %% ===== Межсервисные REST маршруты =====
+    PM -- "REST" --> Projects
+    PM -- "REST" --> Contracts
+    PM -- "REST" --> Resources
+    Projects -- "REST" --> Workspaces
+    Contracts -- "REST" --> Resources
+    Inspect -- "REST" --> Checklists
+    Inspect -- "REST" --> Issues
+    Issues -- "REST" --> Remarks
+    Reviews -- "REST" --> RFI
+    Reviews -- "REST" --> Prescr
+    RFI -- "REST" --> DocLink
+    DocLink --> Docs
+    DocLink --> CDE
+    CDE -- "REST" --> Docs
+    CDE -- "REST" --> Drawings
+    CDE -- "REST" --> BIM
+    Transmittal -- "REST" --> CDE
+    Transmittal -- "REST" --> Docs
+    Drawings -- "REST" --> Compare
+    Drawings -- "REST" --> Stamp
+    Measure -- "REST" --> Mapper
+    Mapper -- "REST" --> XSection
+    XSection --> Process
+    BIM -- "REST" --> Process
+    Notes -- "REST" --> DocLink
+    Flows -- "trigger" --> FaaS
+    Flows -- "start" --> Camunda
+    Camunda -- "callback" --> Flows
+    EAV -- "schemas" --> Django
+    MsgHub -- "deliver email/push" --> Subs
+
+    %% ===== AuthN / AuthZ =====
+    Django -. "OIDC validate" .-> Keycloak
+    CI -. "OIDC login" .-> Keycloak
+    PM -. "JWT" .-> Keycloak
+    Camunda -. "JWT" .-> Zitadel
+    Operate -. "OIDC" .-> Zitadel
+    Dashboard -. "OIDC" .-> Keycloak
+    BIM -. "JWT" .-> Keycloak
+    CDE -. "JWT" .-> Keycloak
+    Docs -. "JWT" .-> Keycloak
+
+    %% ===== Service mesh sidecar metrics =====
+    CI -. "envoy" .-> Pilot
+    Django -. "envoy" .-> Pilot
+    Camunda -. "envoy" .-> Pilot
+    BIM -. "envoy" .-> Pilot
+    Flows -. "envoy" .-> Pilot
+
+
+    %% ===== Стили =====
+    classDef ext fill:#1f2937,stroke:#9ca3af,stroke-width:2px,color:#f9fafb
+    classDef flux fill:#6366f1,stroke:#3730a3,stroke-width:2px,color:#fff
+    classDef mesh fill:#7c3aed,stroke:#4c1d95,stroke-width:2px,color:#fff
+    classDef platform fill:#0ea5e9,stroke:#075985,stroke-width:2px,color:#fff
+    classDef identity fill:#f59e0b,stroke:#92400e,stroke-width:2px,color:#fff
+    classDef data fill:#10b981,stroke:#065f46,stroke-width:2px,color:#fff
+    classDef msg fill:#ef4444,stroke:#991b1b,stroke-width:2px,color:#fff
+    classDef app fill:#ec4899,stroke:#9d174d,stroke-width:2px,color:#fff
+
+    style GITOPS fill:#e0e7ff,stroke:#6366f1,stroke-width:2px
+    style EDGE fill:#ede9fe,stroke:#7c3aed,stroke-width:2px
+    style PLATFORM fill:#e0f2fe,stroke:#0ea5e9,stroke-width:2px
+    style IDENTITY fill:#fef3c7,stroke:#f59e0b,stroke-width:2px
+    style DATA fill:#d1fae5,stroke:#10b981,stroke-width:2px
+    style MSG fill:#fee2e2,stroke:#ef4444,stroke-width:2px
+    style BPM fill:#fce7f3,stroke:#ec4899,stroke-width:2px
+    style APPS fill:#fce7f3,stroke:#ec4899,stroke-width:2px
+```
+
+📂 **Подробные диаграммы по каждому бизнес-сервису:** [`docs/apps/`](./docs/apps/README.md)
+
+**Легенда:**
+- 🟪 **Edge / Mesh** — терминация TLS, маршрутизация и mTLS между сервисами (Istio + cert-manager)
+- 🟦 **Платформа** — служебные компоненты (storage, secrets, S3 proxy, dashboard)
+- 🟧 **Identity** — единый вход и федерация пользователей (Zitadel, Keycloak, OpenLDAP)
+- 🟩 **Данные** — постоянные хранилища (PostgreSQL, Redis, MinIO)
+- 🟥 **Messaging** — асинхронный обмен (Kafka, RabbitMQ)
+- 🟪 **Бизнес-сервисы** — прикладная логика (Camunda, бизнес-приложения)
+
 ## Структура репозитория

 ```
--- a/apps/attachments/base/deployment.yaml
+++ b/apps/attachments/base/deployment.yaml
@ -1,70 +0,0 @@
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: attachments
-  namespace: attachments
-  labels:
-    app: attachments
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: attachments
-  template:
-    metadata:
-      labels:
-        app: attachments
-      annotations:
-        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
-        vault.hashicorp.com/agent-init-first: "true"
-        vault.hashicorp.com/agent-inject: "true"
-        vault.hashicorp.com/agent-pre-populate-only: "true"
-        vault.hashicorp.com/auth-path: auth/kubernetes
-        vault.hashicorp.com/role: attachments
-        vault.hashicorp.com/agent-inject-secret-attachments-db: secrets/data/postgresql/apps/attachments
-        vault.hashicorp.com/agent-inject-template-attachments-db: |-
-          {{- with secret "secrets/data/postgresql/apps/attachments" -}}
-          DATABASE_HOST=postgresql.attachments.svc.cluster.local
-          DATABASE_PORT=5432
-          DATABASE_NAME=attachments_db
-          DATABASE_USER={{ index .Data.data "username" }}
-          DATABASE_PASSWORD={{ index .Data.data "password" }}
-          DATABASE_SSL_MODE=disable
-          {{- end -}}
-        vault.hashicorp.com/agent-inject-secret-attachments-s3: secrets/data/minio/apps/attachments
-        vault.hashicorp.com/agent-inject-template-attachments-s3: |-
-          {{- with secret "secrets/data/minio/apps/attachments" -}}
-          YANDEX_S3_ENDPOINT_URL=minio.minio:9000
-          YANDEX_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
-          YANDEX_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
-          YANDEX_S3_USE_SSL=false
-          YANDEX_S3_REGION=ru-central
-          YANDEX_S3_VERIFY=false
-          BUCKET_NAME=attachments
-          {{- end -}}
-    spec:
-      serviceAccountName: attachments-vault
-      containers:
-        - name: attachments
-          image: cr.yandex/crp3ccidau046kdj8g9q/attachments:feature_6238c882
-          imagePullPolicy: IfNotPresent
-          command: ["/bin/bash", "-ec"]
-          args:
-            - |
-              set -a
-              [ -f /vault/secrets/attachments-db ] && . /vault/secrets/attachments-db
-              [ -f /vault/secrets/attachments-s3 ] && . /vault/secrets/attachments-s3
-              set +a
-              exec /opt/attachments/entrypoint.sh
-          ports:
-            - name: http
-              containerPort: 8000
-              protocol: TCP
-          env:
-            - name: POSTGRES_POOL_SIZE
-              value: "10"
-            - name: API_ADDRESS
-              value: 0.0.0.0:8000
-      imagePullSecrets:
-        - name: regcred
--- a/apps/attachments/base/helmrelease.yaml
+++ b/apps/attachments/base/helmrelease.yaml
@ -0,0 +1,110 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: attachments
+  namespace: attachments
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: universal-chart
+      version: "0.1.9"
+      sourceRef:
+        kind: HelmRepository
+        name: yc-oci-charts
+        namespace: flux-system
+      interval: 10m
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    global:
+      env: _default
+    services:
+      attachments:
+        enabled: true
+        serviceAccount:
+          enabled:
+            _default: true
+          name:
+            _default: attachments-vault
+        deployment:
+          enabled: true
+          name:
+            _default: attachments
+          replicaCount:
+            _default: 1
+          port:
+            _default: 8000
+          command:
+            _default: ["/bin/bash", "-ec"]
+          args:
+            _default:
+              - |
+                set -a
+                [ -f /vault/secrets/attachments-db ] && . /vault/secrets/attachments-db
+                [ -f /vault/secrets/attachments-s3 ] && . /vault/secrets/attachments-s3
+                set +a
+                exec /opt/attachments/entrypoint.sh
+        image:
+          name:
+            _default: cr.yandex/crp3ccidau046kdj8g9q/attachments:feature_6238c882
+          pullPolicy:
+            _default: IfNotPresent
+        service:
+          enabled: true
+          name:
+            _default: attachments-service
+          type:
+            _default: ClusterIP
+          port:
+            _default: 8000
+          targetPort:
+            _default: 8000
+          portName:
+            _default: http
+        imagePullSecrets:
+          enabled:
+            _default: true
+          name:
+            _default: regcred
+        envs:
+          - name: POSTGRES_POOL_SIZE
+            value:
+              _default: "10"
+          - name: API_ADDRESS
+            value:
+              _default: 0.0.0.0:8000
+        podAnnotations:
+          _default:
+            traffic.sidecar.istio.io/excludeOutboundPorts: "4317,4318,9411,8200"
+            vault.hashicorp.com/agent-init-first: "true"
+            vault.hashicorp.com/agent-inject: "true"
+            vault.hashicorp.com/agent-pre-populate-only: "true"
+            vault.hashicorp.com/auth-path: auth/kubernetes
+            vault.hashicorp.com/role: attachments
+            vault.hashicorp.com/agent-inject-secret-attachments-db: secrets/data/postgresql/apps/attachments
+            vault.hashicorp.com/agent-inject-template-attachments-db: |-
+              {{- with secret "secrets/data/postgresql/apps/attachments" -}}
+              DATABASE_HOST=postgresql.attachments.svc.cluster.local
+              DATABASE_PORT=5432
+              DATABASE_NAME=attachments_db
+              DATABASE_USER={{ index .Data.data "username" }}
+              DATABASE_PASSWORD={{ index .Data.data "password" }}
+              DATABASE_SSL_MODE=disable
+              {{- end -}}
+            vault.hashicorp.com/agent-inject-secret-attachments-s3: secrets/data/minio/apps/attachments
+            vault.hashicorp.com/agent-inject-template-attachments-s3: |-
+              {{- with secret "secrets/data/minio/apps/attachments" -}}
+              YANDEX_S3_ENDPOINT_URL=minio.minio:9000
+              YANDEX_S3_ACCESS_KEY_ID={{ index .Data.data "access_key" }}
+              YANDEX_S3_SECRET_ACCESS_KEY={{ index .Data.data "secret_key" }}
+              YANDEX_S3_USE_SSL=false
+              YANDEX_S3_REGION=ru-central
+              YANDEX_S3_VERIFY=false
+              BUCKET_NAME=attachments
+              {{- end -}}
--- a/apps/attachments/base/kustomization.yaml
+++ b/apps/attachments/base/kustomization.yaml
@ -3,7 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: attachments
 resources:
-  - namespace.yaml
-  - serviceaccount.yaml
-  - deployment.yaml
-  - service.yaml
+  - helmrelease.yaml
--- a/apps/attachments/base/serviceaccount.yaml
+++ b/apps/attachments/base/serviceaccount.yaml
@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: attachments-vault
-  namespace: attachments
--- a/apps/attachments/yc-k8s-test/kustomization.yaml
+++ b/apps/attachments/yc-k8s-test/kustomization.yaml
@ -4,8 +4,8 @@ kind: Kustomization
 resources:
  - ../base
  - postgresql.yaml
-patches:
-  - path: replicas.yaml
-    target:
-      kind: Deployment
-      name: attachments
+patches: []
+#  - path: replicas.yaml
+#    target:
+#      kind: HelmRelease
+#      name: attachments
--- a/apps/attachments/yc-k8s-test/postgresql.yaml
+++ b/apps/attachments/yc-k8s-test/postgresql.yaml
@ -89,6 +89,10 @@ spec:
        timeoutSeconds: 5
        successThreshold: 1
        failureThreshold: 6
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
      nodeSelector:
        dedicated: db
      tolerations:
--- a/apps/attachments/yc-k8s-test/replicas.yaml
+++ b/apps/attachments/yc-k8s-test/replicas.yaml
@ -1,8 +1,13 @@
 ---
-apiVersion: apps/v1
-kind: Deployment
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
 metadata:
  name: attachments
  namespace: attachments
 spec:
-  replicas: 1
+  values:
+    services:
+      attachments:
+        deployment:
+          replicaCount:
+            _default: 2
--- a/apps/bim/base/backend-deployment.yaml
+++ b/apps/bim/base/backend-deployment.yaml
@ -50,7 +50,7 @@ spec:
      serviceAccountName: bim-vault
      containers:
        - name: backend
-          image: cr.yandex/crp3ccidau046kdj8g9q/bim-backend-v2:donstroi1
+          image: cr.yandex/crp3ccidau046kdj8g9q/bim-api:contour_3d704fef
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-ec"]
          args:
@ -58,7 +58,7 @@ spec:
              set -a
              [ -f /vault/secrets/bim-postgresql ] && . /vault/secrets/bim-postgresql
              set +a
-              exec ./entrypoint.sh
+              exec ./httpserver
          ports:
            - name: http
              containerPort: 8000
@ -88,7 +88,7 @@ spec:
              value: "0"
          resources:
            requests:
-              cpu: 100m
+              cpu: 25m
              memory: 100Mi
          livenessProbe:
            httpGet:
--- a/apps/bim/base/backend-service.yaml
+++ b/apps/bim/base/backend-service.yaml
@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: backend-service
+  name: backend-svc
  namespace: bim
 spec:
  type: ClusterIP
@ -10,6 +10,6 @@ spec:
    app: backend
  ports:
    - name: http
-      port: 8000
+      port: 80
      targetPort: 8000
      protocol: TCP
--- a/apps/bim/yc-k8s-test/postgresql.yaml
+++ b/apps/bim/yc-k8s-test/postgresql.yaml
@ -92,7 +92,8 @@ spec:
        failureThreshold: 6
      resources:
        requests:
-          memory: 512Mi
+          cpu: 50m
+          memory: 128Mi
      nodeSelector:
        dedicated: db
      tolerations:
--- a/apps/cde/base/cde-flowscallback.yaml
+++ b/apps/cde/base/cde-flowscallback.yaml
@ -17,11 +17,34 @@ spec:
      labels:
        app: cde-flowscallback
        service: cde-flowscallback
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: cde
+        vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
+        vault.hashicorp.com/agent-inject-template-cde-env: |-
+          {{- with secret "secrets/data/vault/apps/cde" -}}
+          {{- range $k, $v := .Data.data }}
+          export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
+          {{- end }}
+          {{- end -}}
    spec:
+      serviceAccountName: cde-vault
      containers:
        - name: cde-flowscallback
-          image: cr.yandex/crp3ccidau046kdj8g9q/flowscallback-worker:prod_3.1.2
+          image: cr.yandex/crp3ccidau046kdj8g9q/flowscallback-worker:prod_9f3c1d2a
          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+            - -lc
+          args:
+            - |
+              set -e
+              source /vault/secrets/cde-env
+              exec /worker
          ports:
            - name: http
              containerPort: 8000
@ -29,12 +52,9 @@ spec:
          env:
            - name: S3_IS_CONTOUR
              value: "true"
-          envFrom:
-          - secretRef:
-              name: cde-secret
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/cde/base/cde-splitpdf.yaml
+++ b/apps/cde/base/cde-splitpdf.yaml
@ -17,11 +17,34 @@ spec:
      labels:
        app: cde-splitpdf
        service: cde-splitpdf
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: cde
+        vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
+        vault.hashicorp.com/agent-inject-template-cde-env: |-
+          {{- with secret "secrets/data/vault/apps/cde" -}}
+          {{- range $k, $v := .Data.data }}
+          export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
+          {{- end }}
+          {{- end -}}
    spec:
+      serviceAccountName: cde-vault
      containers:
        - name: cde-splitpdf
-          image: cr.yandex/crp3ccidau046kdj8g9q/splitpdf-worker:prod_3.1.2
+          image: cr.yandex/crp3ccidau046kdj8g9q/splitpdf-worker:prod_9f3c1d2a
          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+            - -lc
+          args:
+            - |
+              set -e
+              source /vault/secrets/cde-env
+              exec /worker
          ports:
            - name: http
              containerPort: 8000
@ -29,12 +52,9 @@ spec:
          env:
            - name: S3_IS_CONTOUR
              value: "true"
-          envFrom:
-          - secretRef:
-              name: cde-secret
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/cde/base/cde-worker-copy.yaml
+++ b/apps/cde/base/cde-worker-copy.yaml
@ -17,11 +17,34 @@ spec:
      labels:
        app: cde-worker-copy
        service: cde-worker-copy
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: cde
+        vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
+        vault.hashicorp.com/agent-inject-template-cde-env: |-
+          {{- with secret "secrets/data/vault/apps/cde" -}}
+          {{- range $k, $v := .Data.data }}
+          export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
+          {{- end }}
+          {{- end -}}
    spec:
+      serviceAccountName: cde-vault
      containers:
        - name: cde-worker-copy
-          image: cr.yandex/crp3ccidau046kdj8g9q/copy-worker:preprod_fd483601
+          image: cr.yandex/crp3ccidau046kdj8g9q/copy-worker:prod_9f3c1d2a
          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+            - -lc
+          args:
+            - |
+              set -e
+              source /vault/secrets/cde-env
+              exec /worker
          ports:
            - name: http
              containerPort: 8000
@ -29,12 +52,9 @@ spec:
          env:
            - name: S3_IS_CONTOUR
              value: "true"
-          envFrom:
-          - secretRef:
-              name: cde-secret
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/cde/base/cde-worker-create-versions.yaml
+++ b/apps/cde/base/cde-worker-create-versions.yaml
@ -17,11 +17,34 @@ spec:
      labels:
        app: cde-worker-create-versions
        service: cde-worker-create-versions
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: cde
+        vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
+        vault.hashicorp.com/agent-inject-template-cde-env: |-
+          {{- with secret "secrets/data/vault/apps/cde" -}}
+          {{- range $k, $v := .Data.data }}
+          export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
+          {{- end }}
+          {{- end -}}
    spec:
+      serviceAccountName: cde-vault
      containers:
        - name: cde-worker-create-versions
-          image: cr.yandex/crp3ccidau046kdj8g9q/createversions-worker:preprod_ec474ae7
+          image: cr.yandex/crp3ccidau046kdj8g9q/createversions-worker:prod_9f3c1d2a
          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+            - -lc
+          args:
+            - |
+              set -e
+              source /vault/secrets/cde-env
+              exec /worker
          ports:
            - name: http
              containerPort: 8000
@ -29,12 +52,9 @@ spec:
          env:
            - name: S3_IS_CONTOUR
              value: "true"
-          envFrom:
-          - secretRef:
-              name: cde-secret
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/cde/base/cde-worker-markings.yaml
+++ b/apps/cde/base/cde-worker-markings.yaml
@ -17,11 +17,34 @@ spec:
      labels:
        app: cde-worker-markings
        service: cde-worker-markings
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: cde
+        vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
+        vault.hashicorp.com/agent-inject-template-cde-env: |-
+          {{- with secret "secrets/data/vault/apps/cde" -}}
+          {{- range $k, $v := .Data.data }}
+          export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
+          {{- end }}
+          {{- end -}}
    spec:
+      serviceAccountName: cde-vault
      containers:
        - name: cde-worker-markings
-          image: cr.yandex/crp3ccidau046kdj8g9q/markings-worker:preprod_eb50f30e
+          image: cr.yandex/crp3ccidau046kdj8g9q/markings-worker:prod_9f3c1d2a
          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+            - -lc
+          args:
+            - |
+              set -e
+              source /vault/secrets/cde-env
+              exec /worker
          ports:
            - name: http
              containerPort: 8000
@ -29,12 +52,9 @@ spec:
          env:
            - name: S3_IS_CONTOUR
              value: "true"
-          envFrom:
-          - secretRef:
-              name: cde-secret
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/cde/base/cde-worker-sign.yaml
+++ b/apps/cde/base/cde-worker-sign.yaml
@ -17,11 +17,34 @@ spec:
      labels:
        app: cde-worker-sign
        service: cde-worker-sign
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: cde
+        vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
+        vault.hashicorp.com/agent-inject-template-cde-env: |-
+          {{- with secret "secrets/data/vault/apps/cde" -}}
+          {{- range $k, $v := .Data.data }}
+          export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
+          {{- end }}
+          {{- end -}}
    spec:
+      serviceAccountName: cde-vault
      containers:
        - name: cde-worker-sign
-          image: cr.yandex/crp3ccidau046kdj8g9q/sign-worker:preprod_fd483601
+          image: cr.yandex/crp3ccidau046kdj8g9q/sign-worker:prod_9f3c1d2a
          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+            - -lc
+          args:
+            - |
+              set -e
+              source /vault/secrets/cde-env
+              exec /worker
          ports:
            - name: http
              containerPort: 8000
@ -29,12 +52,9 @@ spec:
          env:
            - name: S3_IS_CONTOUR
              value: "true"
-          envFrom:
-          - secretRef:
-              name: cde-secret
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/cde/base/cde-worker-update-bundles.yaml
+++ b/apps/cde/base/cde-worker-update-bundles.yaml
@ -17,11 +17,34 @@ spec:
      labels:
        app: cde-worker-update-bundles
        service: cde-worker-update-bundles
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: cde
+        vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
+        vault.hashicorp.com/agent-inject-template-cde-env: |-
+          {{- with secret "secrets/data/vault/apps/cde" -}}
+          {{- range $k, $v := .Data.data }}
+          export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
+          {{- end }}
+          {{- end -}}
    spec:
+      serviceAccountName: cde-vault
      containers:
        - name: cde-worker-update-bundles
-          image: cr.yandex/crp3ccidau046kdj8g9q/updatebundles-worker:prod_3.1.2
+          image: cr.yandex/crp3ccidau046kdj8g9q/updatebundles-worker:prod_9f3c1d2a
          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+            - -lc
+          args:
+            - |
+              set -e
+              source /vault/secrets/cde-env
+              exec /worker
          ports:
            - name: http
              containerPort: 8000
@ -29,12 +52,9 @@ spec:
          env:
            - name: S3_IS_CONTOUR
              value: "true"
-          envFrom:
-          - secretRef:
-              name: cde-secret
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/cde/base/cde.yaml
+++ b/apps/cde/base/cde.yaml
@ -17,11 +17,34 @@ spec:
      labels:
        app: cde
        service: cde
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: cde
+        vault.hashicorp.com/agent-inject-secret-cde-env: secrets/data/vault/apps/cde
+        vault.hashicorp.com/agent-inject-template-cde-env: |-
+          {{- with secret "secrets/data/vault/apps/cde" -}}
+          {{- range $k, $v := .Data.data }}
+          export {{ $k }}=$(printf '%b' {{ printf "%q" (printf "%v" $v) }})
+          {{- end }}
+          {{- end -}}
    spec:
+      serviceAccountName: cde-vault
      containers:
        - name: api
-          image: cr.yandex/crp3ccidau046kdj8g9q/cde:preprod_ec474ae7
+          image: cr.yandex/crp3ccidau046kdj8g9q/cde:prod_9f3c1d2a
          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+            - -lc
+          args:
+            - |
+              set -e
+              source /vault/secrets/cde-env
+              exec /http
          ports:
            - name: http
              containerPort: 8000
@ -29,12 +52,9 @@ spec:
          env:
            - name: S3_IS_CONTOUR
              value: "true"
-          envFrom:
-          - secretRef:
-              name: cde-secret
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/cde/base/kustomization.yaml
+++ b/apps/cde/base/kustomization.yaml
@ -4,6 +4,7 @@ kind: Kustomization
 namespace: cde
 resources:
  - namespace.yaml
+  - serviceaccount.yaml
  - cde.yaml
  - cde-splitpdf.yaml
  - backend-service.yaml
@ -12,4 +13,4 @@ resources:
  - cde-worker-create-versions.yaml
  - cde-worker-markings.yaml
  - cde-worker-sign.yaml
-  - cde-worker-update-bundles.yaml
+  - cde-worker-update-bundles.yaml
--- a/apps/cde/base/serviceaccount.yaml
+++ b/apps/cde/base/serviceaccount.yaml
@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cde-vault
+  namespace: cde
--- a/apps/checklists/base/backend-deployment.yaml
+++ b/apps/checklists/base/backend-deployment.yaml
@ -17,11 +17,41 @@ spec:
      labels:
        app: checklists-backend
        service: checklists-backend
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: checklists
+        vault.hashicorp.com/agent-inject-secret-checklists-db: secrets/data/postgresql/apps/checklists
+        vault.hashicorp.com/agent-inject-template-checklists-db: |-
+          {{- with secret "secrets/data/postgresql/apps/checklists" -}}
+          DATABASE_HOST=postgresql.checklists.svc.cluster.local
+          DATABASE_PORT=5432
+          DATABASE_NAME=checklists_db
+          DATABASE_USER={{ index .Data.data "username" }}
+          DATABASE_PASSWORD={{ index .Data.data "password" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-checklists-jwt-public: secrets/data/vault/common/rsa_keys
+        vault.hashicorp.com/agent-inject-template-checklists-jwt-public: |-
+          {{- with secret "secrets/data/vault/common/rsa_keys" -}}
+          {{ index .Data.data "public_key" }}
+          {{- end -}}
    spec:
+      serviceAccountName: checklists-vault
      containers:
        - name: api
          image: cr.yandex/crp3ccidau046kdj8g9q/checklists-backend:production_68f242cd
          imagePullPolicy: IfNotPresent
+          command: ["/bin/bash", "-ec"]
+          args:
+            - |
+              set -a
+              [ -f /vault/secrets/checklists-db ] && . /vault/secrets/checklists-db
+              [ -f /vault/secrets/checklists-jwt-public ] && export JWT_AUTH_PUBLIC_KEY="$(cat /vault/secrets/checklists-jwt-public)"
+              set +a
+              exec ./entrypoint.sh
          ports:
            - name: http
              containerPort: 8000
@ -34,47 +64,17 @@ spec:
            - name: HTTP_APP_ROOT_PATH
              value: /checklists
            - name: HTTP_APP_WORKERS
-              value: "8"
+              value: "1"
            - name: HTTP_APP_ADMIN_ENABLE
              value: "true"
            - name: JWT_AUTH_ENABLE
              value: "true"
            - name: DEBUG
              value: "false"
-            - name: DATABASE_USER
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: postgresql-secret
-            - name: DATABASE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: postgresql-secret
-            - name: DATABASE_NAME
-              valueFrom:
-                secretKeyRef:
-                  key: database
-                  name: postgresql-secret
-            - name: DATABASE_PORT
-              valueFrom:
-                secretKeyRef:
-                  key: port
-                  name: postgresql-secret
-            - name: DATABASE_HOST
-              valueFrom:
-                secretKeyRef:
-                  key: hostname
-                  name: postgresql-secret
-            - name: JWT_AUTH_PUBLIC_KEY
-              valueFrom:
-                secretKeyRef:
-                  key: public-key
-                  name: jwt-secret

          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/checklists/base/backend-service.yaml
+++ b/apps/checklists/base/backend-service.yaml
@ -3,11 +3,11 @@ apiVersion: v1
 kind: Service
 metadata:
  name: rfi-backend-api-svc
-  namespace: rfi
+  namespace: checklists
 spec:
  type: ClusterIP
  selector:
-    app: rfi-backend-api
+    app: checklists-backend
  ports:
    - name: http
      port: 80
--- a/apps/checklists/base/kustomization.yaml
+++ b/apps/checklists/base/kustomization.yaml
@ -4,5 +4,6 @@ kind: Kustomization
 namespace: checklists
 resources:
  - namespace.yaml
+  - serviceaccount.yaml
  - backend-deployment.yaml 
  - backend-service.yaml
--- a/apps/checklists/base/serviceaccount.yaml
+++ b/apps/checklists/base/serviceaccount.yaml
@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: checklists-vault
+  namespace: checklists
--- a/apps/checklists/yc-k8s-test/postgresql.yaml
+++ b/apps/checklists/yc-k8s-test/postgresql.yaml
@ -2,14 +2,14 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: postgresql
-  namespace:  checklists
+  namespace: checklists
 spec:
  interval: 5m
  timeout: 2h
  chart:
    spec:
      chart: postgresql-contour
-      version: "17.0.2"
+      version: "17.0.7"
      sourceRef:
        kind: HelmRepository
        name: yc-oci-charts
@ -44,7 +44,7 @@ spec:
    image:
      registry: cr.yandex/crp3ccidau046kdj8g9q
      repository: contour/postgresql
-      tag: 17.0.2
+      tag: 17.0.7
      pullPolicy: Always
    metrics:
      enabled: false
@ -61,7 +61,7 @@ spec:
          command:
            - /bin/sh
            - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
        initialDelaySeconds: 30
        periodSeconds: 10
        timeoutSeconds: 5
@ -72,7 +72,7 @@ spec:
          command:
            - /bin/sh
            - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
        initialDelaySeconds: 5
        periodSeconds: 10
        timeoutSeconds: 5
@ -83,12 +83,16 @@ spec:
          command:
            - /bin/sh
            - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
        initialDelaySeconds: 30
        periodSeconds: 10
        timeoutSeconds: 5
        successThreshold: 1
        failureThreshold: 6
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
      nodeSelector:
        dedicated: db
      tolerations:
@ -98,12 +102,19 @@ spec:
          effect: NoSchedule
    contour:
      enabled: true
-      adminUser: ""
-      adminPasswordSecretKey: ""
-      sharedPreloadLibraries: "pg_stat_statements"
+      adminUser: "postgres"
+      sharedPreloadLibraries: "pg_stat_statements,uuid-ossp"
+      vault:
+        enabled: true
+        role: postgresql
+        authPath: auth/kubernetes
+        secretPath: secrets/data/postgresql/admin
+        secretKey: postgres-password
+        usersSecretPath: secrets/data/postgresql/users
      databases:
        - name: checklists_db
          user: checklists
+          passwordKey: checklists
          extensions: []
          restoreFromDump: false
      s3-proxy:
--- a/apps/comparisons/base/backend-deployment.yaml
+++ b/apps/comparisons/base/backend-deployment.yaml
@ -111,7 +111,7 @@ spec:
              value: /etc/app/tasks-execution-config.json
          resources:
            requests:
-              cpu: 100m
+              cpu: 25m
              memory: 100Mi
          volumeMounts:
            - name: tasks-execution-config
--- a/apps/comparisons/base/frontend-deployment.yaml
+++ b/apps/comparisons/base/frontend-deployment.yaml
@ -33,7 +33,7 @@ spec:
              protocol: TCP
          resources:
            requests:
-              cpu: 100m
+              cpu: 25m
              memory: 100Mi
          volumeMounts:
            - name: nginx-configmap
--- a/apps/comparisons/yc-k8s-test/postgresql.yaml
+++ b/apps/comparisons/yc-k8s-test/postgresql.yaml
@ -91,7 +91,8 @@ spec:
        failureThreshold: 6
      resources:
        requests:
-          memory: 512Mi
+          cpu: 50m
+          memory: 128Mi
      nodeSelector:
        dedicated: db
      tolerations:
--- a/apps/contracts/yc-k8s-test/postgresql.yaml
+++ b/apps/contracts/yc-k8s-test/postgresql.yaml
@ -58,7 +58,8 @@ spec:
        size: 20Gi
      resources:
        requests:
-          memory: 512Mi
+          cpu: 50m
+          memory: 128Mi
      customLivenessProbe:
        exec:
          command:
--- a/apps/control-interface/base/service.yaml
+++ b/apps/control-interface/base/service.yaml
@ -2,13 +2,13 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: srx-admin-svc
+  name: frontend-svc
  namespace: control-interface
 spec:
  type: ClusterIP
  selector:
    app: srx-admin
  ports:
-    - port: 8080
+    - port: 80
      targetPort: 80
      protocol: TCP
--- a/apps/cross-section/base/deployment.yaml
+++ b/apps/cross-section/base/deployment.yaml
@ -40,7 +40,7 @@ spec:
            failureThreshold: 20
          resources:
            requests:
-              cpu: 100m
+              cpu: 25m
              memory: 100Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/django/base/backend-deployment.yaml
+++ b/apps/django/base/backend-deployment.yaml
@ -50,7 +50,7 @@ spec:
          {{- with secret "secrets/data/minio/apps/django" -}}
          AWS_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech
          S3_HOST=https://minio.contour.infra.sarex.tech
-          {{- $buckets := index .Data.data "buckets" -}}
+          {{- $buckets := index .Data.data "buckets" }}
          S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}django{{- end -}}
          S3_LOGIN={{ index .Data.data "access_key" }}
          S3_PASSWORD={{ index .Data.data "secret_key" }}
@ -127,11 +127,11 @@ spec:
            - name: DJANGO_SETTINGS_MODULE
              value: config.settings.production
            - name: CELERY_REDIS_HOST
-              value: redis-service
+              value: redis
            - name: CELERY_REDIS_PORT
              value: "6379"
            - name: DJANGO_REDIS_HOST
-              value: redis-service
+              value: redis
            - name: DJANGO_REDIS_PORT
              value: "6379"
            - name: BIMV2_INTERNAL_HOST
@ -149,13 +149,13 @@ spec:
            - name: MEASUREMENTS_USE_MEASUREMENTS
              value: "1"
            - name: SERVER_API_HOST
-              value: https://wb.sarex.io
+              value: https://sarex.contour.infra.sarex.tech
            - name: SERVER_HOST
-              value: https://wb.sarex.io
+              value: https://sarex.contour.infra.sarex.tech
            - name: WORKFLOWS_HOST
-              value: https://wb.sarex.io
+              value: https://sarex.contour.infra.sarex.tech
            - name: WORKFLOWS_BASE_HOST
-              value: https://wb.sarex.io
+              value: https://sarex.contour.infra.sarex.tech
            - name: WORKFLOWS_USE
              value: "1"
            - name: SERVER_S3_STREAM_IMPORT
@ -203,8 +203,8 @@ spec:

          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
          volumeMounts:
            - name: django-configmap
              mountPath: /opt/sarex/config/settings/production.py
--- a/apps/django/base/celery-deployment.yaml
+++ b/apps/django/base/celery-deployment.yaml
@ -50,7 +50,7 @@ spec:
          {{- with secret "secrets/data/minio/apps/django" -}}
          AWS_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech
          S3_HOST=https://minio.contour.infra.sarex.tech
-          {{- $buckets := index .Data.data "buckets" -}}
+          {{- $buckets := index .Data.data "buckets" }}
          S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}django{{- end -}}
          S3_LOGIN={{ index .Data.data "access_key" }}
          S3_PASSWORD={{ index .Data.data "secret_key" }}
@ -121,11 +121,11 @@ spec:
            - name: DJANGO_SETTINGS_MODULE
              value: config.settings.production
            - name: CELERY_REDIS_HOST
-              value: redis-service
+              value: redis
            - name: CELERY_REDIS_PORT
              value: "6379"
            - name: DJANGO_REDIS_HOST
-              value: redis-service
+              value: redis
            - name: DJANGO_REDIS_PORT
              value: "6379"
            - name: BIMV2_INTERNAL_HOST
@ -194,8 +194,8 @@ spec:
              value: "False"
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
          volumeMounts:
            - name: django-configmap
              mountPath: /opt/sarex/config/settings/production.py
--- a/apps/django/base/django-configmap.yaml
+++ b/apps/django/base/django-configmap.yaml
@ -5,16 +5,57 @@ metadata:
  namespace: django
 data:
  production.py: |
+    import ast
    import os
    from .base import *
    from logging.handlers import SysLogHandler
    from datetime import timedelta

+    def _load_env_file(path):
+        try:
+            with open(path, "r", encoding="utf-8") as f:
+                for raw_line in f:
+                    line = raw_line.strip()
+                    if not line or line.startswith("#") or "=" not in line:
+                        continue
+                    key, value = line.split("=", 1)
+                    key = key.strip()
+                    value = value.strip()
+                    if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
+                        try:
+                            value = ast.literal_eval(value)
+                        except (ValueError, SyntaxError):
+                            value = value[1:-1]
+                    if key and key not in os.environ:
+                        os.environ[key] = value
+        except FileNotFoundError:
+            pass
+
+    def _read_secret_file(path, default=""):
+        try:
+            with open(path, "r", encoding="utf-8") as f:
+                return f.read().strip()
+        except FileNotFoundError:
+            return default
+
+    # Fallback for manage.py launched via `kubectl exec` (outside entrypoint),
+    # so Django can still read DB/JWT values from Vault-injected files.
+    _load_env_file("/vault/secrets/django-postgresql")
+    _load_env_file("/vault/secrets/django-rabbitmq")
+    _load_env_file("/vault/secrets/django-s3")
+    _load_env_file("/vault/secrets/django-kafka")
+    _load_env_file("/vault/secrets/django-common")
+
+    if not os.environ.get("JWT_PRIVATE_KEY"):
+        os.environ["JWT_PRIVATE_KEY"] = _read_secret_file("/vault/secrets/django-jwt-private")
+    if not os.environ.get("JWT_PUBLIC_KEY"):
+        os.environ["JWT_PUBLIC_KEY"] = _read_secret_file("/vault/secrets/django-jwt-public")
+
    ALLOWED_HOSTS = ["*"]
    FILE_UPLOAD_PERMISSIONS = 0o644
    DEBUG = False
    CSRF_COOKIE_SECURE = True
-    CSRF_TRUSTED_ORIGINS = ["https://lk.srx.wb.ru:30443", "https://lk.srx.wb.ru"]
+    CSRF_TRUSTED_ORIGINS = ["https://sarex.contour.infra.sarex.tech", "http://sarex.contour.infra.sarex.tech"]
    SESSION_COOKIE_SECURE = True
    SECURE_SSL_REDIRECT = False

@ -46,7 +87,7 @@ data:
        'Bearer',
    )

-    HOST = "https://wb.sarex.io"
+    HOST = "https://sarex.contour.infra.sarex.tech"

    POSTGRES_DATABASE = os.environ.get('DJANGO_POSTGRES_DATABASE')
    POSTGRES_USER = os.environ.get('DJANGO_POSTGRES_USER')
@ -109,8 +150,8 @@ data:
        'BLACKLIST_AFTER_ROTATION': True,
        'UPDATE_LAST_LOGIN': False,
        'ALGORITHM': 'RS512',
-        'SIGNING_KEY': os.environ.get("JWT_PRIVATE_KEY").replace("\\n", "\n"),
-        'VERIFYING_KEY': os.environ.get("JWT_PUBLIC_KEY").replace("\\n", "\n"),
+        'SIGNING_KEY': os.environ.get("JWT_PRIVATE_KEY", "").replace("\\n", "\n"),
+        'VERIFYING_KEY': os.environ.get("JWT_PUBLIC_KEY", "").replace("\\n", "\n"),
        'AUDIENCE': None,
        'ISSUER': os.environ.get('SIMPLE_JWT_ISSUER', 'default_issuer'),
        'AUTH_HEADER_TYPES': ('Bearer',),
@ -269,7 +310,7 @@ data:


    DEBUG=True
-    #WEB_APP_AUTH_MODE='jwt-session-based'
+    WEB_APP_AUTH_MODE='jwt-session-based'


    SAREX_MODULES_SETTINGS = {
@ -278,4 +319,3 @@ data:
        },
        "sso_logout_redirect": True
    }
-
--- a/apps/django/base/frontend-deployment.yaml
+++ b/apps/django/base/frontend-deployment.yaml
@ -34,7 +34,7 @@ spec:
              protocol: TCP
          resources:
            requests:
-              cpu: 100m
+              cpu: 25m
              memory: 100Mi
          volumeMounts:
            - name: nginx-configmap
--- a/apps/django/base/nginx-configmap.yaml
+++ b/apps/django/base/nginx-configmap.yaml
@ -80,10 +80,19 @@ data:
            # }
            
            location ~^/workspaces-v2/(.+).js {
+                proxy_http_version 1.1;
+                proxy_set_header Connection "";
                rewrite /workspaces-v2/(.+) /$1 break;
                proxy_pass http://frontend-svc.workspaces.svc.cluster.local:80;
            }

+            location ~^/workspaces-v2/(.+)\.wasm$ {
+                proxy_http_version 1.1;
+                proxy_set_header Connection "";
+                rewrite ^/workspaces-v2/(.+) /$1 break;
+                proxy_pass http://frontend-svc.workspaces.svc.cluster.local:80;
+            }
+
            location @index {
                add_header Cache-Control 'no-cache, must-revalidate, proxy-revalidate, max-age=0';
                if_modified_since off;
@ -91,10 +100,10 @@ data:
                try_files /static/index.html =404;
            }
            
-            location ~^/workflows/(.+).js {
-                rewrite /workflows/(.+) /$1 break;
-                proxy_pass http://frontend-svc.processing.svc.cluster.local:80;
-            }
+            # location ~^/workflows/(.+).js {
+            #     rewrite /workflows/(.+) /$1 break;
+            #     proxy_pass http://frontend-svc.processing.svc.cluster.local:80;
+            # }
            location /service-worker.js {
                try_files /static/$uri @index;
            }
--- a/apps/django/base/srx-admin-deployment.yaml
+++ b/apps/django/base/srx-admin-deployment.yaml
@ -26,7 +26,7 @@ spec:
              protocol: TCP
          resources:
            requests:
-              cpu: 100m
+              cpu: 25m
              memory: 100Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/django/yc-k8s-test/kustomization.yaml
+++ b/apps/django/yc-k8s-test/kustomization.yaml
@ -4,4 +4,6 @@ kind: Kustomization
 resources:
  - ../base
  - postgresql.yaml
+  - redis-deployment.yaml
+  - redis-service.yaml
 patches: []
--- a/apps/django/yc-k8s-test/postgresql.yaml
+++ b/apps/django/yc-k8s-test/postgresql.yaml
@ -91,7 +91,8 @@ spec:
        failureThreshold: 6
      resources:
        requests:
-          memory: 512Mi
+          cpu: 50m
+          memory: 128Mi
      nodeSelector:
        dedicated: db
      tolerations:
--- a/apps/django/yc-k8s-test/redis-deployment.yaml
+++ b/apps/django/yc-k8s-test/redis-deployment.yaml
@ -0,0 +1,27 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: redis
+  namespace: django
+  labels:
+    app: redis
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+        - name: redis
+          image: cr.yandex/crp3ccidau046kdj8g9q/redis:latest
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 6379
+              protocol: TCP
+      imagePullSecrets:
+        - name: regcred
--- a/apps/django/yc-k8s-test/redis-service.yaml
+++ b/apps/django/yc-k8s-test/redis-service.yaml
@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  namespace: django
+spec:
+  selector:
+    app: redis
+  ports:
+    - port: 6379
+      targetPort: 6379
+      protocol: TCP
--- a/apps/document-link/base/deployment.yaml
+++ b/apps/document-link/base/deployment.yaml
@ -27,7 +27,7 @@ spec:
              protocol: TCP
          resources:
            requests:
-              cpu: 100m
+              cpu: 25m
              memory: 100Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/documentations/base/api-deployment.yaml
+++ b/apps/documentations/base/api-deployment.yaml
@ -72,7 +72,7 @@ spec:
              exec /app/entrypoint.sh
          ports:
            - name: http
-              containerPort: 8000
+              containerPort: 8080
              protocol: TCP
          env:
            - name: POSTGRES_POOL_SIZE
@ -82,9 +82,9 @@ spec:
            - name: ZITADEL_DOMAIN
              value: zitadel-srx.wb.ru
            - name: USE_ZITADEL
-              value: "1"
+              value: "0"
            - name: FLOWS_URL
-              value: http://backend-service.flows.svc.cluster.local:8000
+              value: http://backend-svc.flows.svc.cluster.local:80
            - name: LAST_MASTER_BIM
              value: "36311"
            - name: API_ADDRESS
@ -98,7 +98,7 @@ spec:
            - name: ENABLE_SSL
              value: "0"
            - name: WORKSPACE_V2_EXTERNAL_URL
-              value: https://srx.wb.ru/workspaces-v2/
+              value: https://sarex.contour.infra.sarex.tech/workspaces-v2/
            - name: ENABLE_S3
              value: "1"
            - name: CONTAINER_REGISTRY
@ -108,15 +108,15 @@ spec:
            - name: LAST_SLAVE_1_BIM
              value: "1000000"
            - name: HOST
-              value: http://documentations-api.documentations.svc.cluster.local:8080
+              value: http://backend-api-svc.documentations.svc.cluster.local:80
            - name: FILE_STREAM_HOST
-              value: srx.wb.ru
+              value: sarex.contour.infra.sarex.tech
            - name: DOCUMENTATION_URL
-              value: http://documentations-api.documentations.svc.cluster.local:8080/
+              value: http://documentations-api.documentations.svc.cluster.local:80/
            - name: WORKFLOW_URL
-              value: http://workflows-api-service.workflow.svc.cluster.local:8000/
+              value: http://backend-svc.processing.svc.cluster.local:80/
            - name: WORKSPACE_URL
-              value: http://workspaces-service.workspaces.svc.cluster.local:8000/
+              value: http://backend-svc.workspaces.svc.cluster.local:80/
            - name: BIM_API_URL
              value: http://bim-api-service.bim.svc.cluster.local:8080/
            - name: BIM_API_V2_URL
@ -124,9 +124,9 @@ spec:
            - name: WORKSPACE_BUNDLE_VERSION
              value: v1
            - name: SYSTEM_LOG_URL
-              value: http://api-service.system-log.svc.cluster.local:8000
+              value: http://backend-svc.system-log.svc.cluster.local:80
            - name: DJANGO_HOST
-              value: http://backend.django.svc.cluster.local:8000
+              value: http://backend-svc.django.svc.cluster.local:80
            - name: MARKS_PROCESSING_URL
              value: http://marks-service:8000
            - name: PUBLIC_LINK_HOST
@ -152,9 +152,9 @@ spec:
            - name: CACHE_CLEANUP_INTERVAL
              value: 60s
            - name: ENABLE_AUTH_JWT_IN_URL
-              value: "false"
-            - name: ENABLE_SIGNATURE_IN_URL
              value: "true"
+            - name: ENABLE_SIGNATURE_IN_URL
+              value: "false"
            - name: USE_CACHE_IN_FILE_STREAMER
              value: "0"
            - name: VALKEY_ADDR
@ -166,8 +166,8 @@ spec:
      
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi

      imagePullSecrets:
        - name: regcred
--- a/apps/documentations/base/api-service.yaml
+++ b/apps/documentations/base/api-service.yaml
@ -11,5 +11,5 @@ spec:
  ports:
    - name: http
      port: 80
-      targetPort: 8000
+      targetPort: 8080
      protocol: TCP
--- a/apps/documentations/base/filestream-deployment.yaml
+++ b/apps/documentations/base/filestream-deployment.yaml
@ -72,7 +72,7 @@ spec:
              exec /app/file_entrypoint.sh
          ports:
            - name: http
-              containerPort: 8000
+              containerPort: 8080
              protocol: TCP
          env:
            - name: POSTGRES_POOL_SIZE
@ -82,9 +82,9 @@ spec:
            - name: ZITADEL_DOMAIN
              value: zitadel-srx.wb.ru
            - name: USE_ZITADEL
-              value: "1"
+              value: "0"
            - name: FLOWS_URL
-              value: http://backend-service.flows.svc.cluster.local:8000
+              value: http://backend-svc.flows.svc.cluster.local:80
            - name: LAST_MASTER_BIM
              value: "36311"
            - name: API_ADDRESS
@ -108,15 +108,15 @@ spec:
            - name: LAST_SLAVE_1_BIM
              value: "1000000"
            - name: HOST
-              value: http://documentations-api.documentations.svc.cluster.local:8080
+              value: http://backend-api-svc.documentations.svc.cluster.local:80
            - name: FILE_STREAM_HOST
              value: srx.wb.ru
            - name: DOCUMENTATION_URL
-              value: http://documentations-api.documentations.svc.cluster.local:8080/
+              value: http://backend-api-svc.documentations.svc.cluster.local:80/
            - name: WORKFLOW_URL
              value: http://workflows-api-service.workflow.svc.cluster.local:8000/
            - name: WORKSPACE_URL
-              value: http://workspaces-service.workspaces.svc.cluster.local:8000/
+              value: http://backend-svc.workspaces.svc.cluster.local:80/
            - name: BIM_API_URL
              value: http://bim-api-service.bim.svc.cluster.local:8080/
            - name: BIM_API_V2_URL
@ -126,7 +126,7 @@ spec:
            - name: SYSTEM_LOG_URL
              value: http://api-service.system-log.svc.cluster.local:8000
            - name: DJANGO_HOST
-              value: http://backend.django.svc.cluster.local:8000
+              value: http://backend-svc.django.svc.cluster.local:80
            - name: MARKS_PROCESSING_URL
              value: http://marks-service:8000
            - name: PUBLIC_LINK_HOST
@ -166,8 +166,8 @@ spec:
      
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi

      imagePullSecrets:
        - name: regcred
--- a/apps/documentations/base/filestream-service.yaml
+++ b/apps/documentations/base/filestream-service.yaml
@ -11,5 +11,5 @@ spec:
  ports:
    - name: http
      port: 80
-      targetPort: 8000
+      targetPort: 8080
      protocol: TCP
--- a/apps/documentations/base/frontend-deployment.yaml
+++ b/apps/documentations/base/frontend-deployment.yaml
@ -18,7 +18,7 @@ spec:
    spec:
      containers:
        - name: frontend
-          image: cr.yandex/crp3ccidau046kdj8g9q/documentation-frontend-app:brusnika_ce5555d3
+          image: cr.yandex/crp3ccidau046kdj8g9q/documentation-frontend-app:brusnika_ae1bb076
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@ -26,7 +26,7 @@ spec:
              protocol: TCP
          resources:
            requests:
-              cpu: 100m
+              cpu: 25m
              memory: 100Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/documentations/base/frontend-service.yaml
+++ b/apps/documentations/base/frontend-service.yaml
@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: frontend-service
+  name: frontend-svc
  namespace: documentations
 spec:
  type: ClusterIP
--- a/apps/documentations/base/pdm-deployment.yaml
+++ b/apps/documentations/base/pdm-deployment.yaml
@ -106,13 +106,13 @@ spec:
            - name: CACHE_DEFAULT_EXPIRATION
              value: 60s
            - name: DJANGO_HOST
-              value: http://backend.django.svc.cluster.local:8000
+              value: http://backend-svc.django.svc.cluster.local:80
            - name: DJANGO_ORIGINATOR
              value: docs_prod
            - name: DOCUMENTATION_URL
-              value: http://documentations-api.documentations.svc.cluster.local:8080/
+              value: http://backend-api-svc.documentations.svc.cluster.local:80/
            - name: EAV_URL
-              value: http://eav-service.eav.svc.cluster.local:8000
+              value: http://backend-svc.eav.svc.cluster.local:80
            - name: ENABLE_OBSERVABILITY
              value: "false"
            - name: ENABLE_S3
@ -122,7 +122,7 @@ spec:
            - name: ENVIRONMENT
              value: prod
            - name: FLOWS_URL
-              value: http://backend-service.flows.svc.cluster.local:8000
+              value: http://backend-svc.flows.svc.cluster.local:80
            - name: HEIGHT_THUMB_ATTACHMENTS
              value: "300"
            - name: HEIGHT_THUMB_STATES
@ -147,13 +147,13 @@ spec:
            - name: S3_SERVICE_ACCOUNT
              value: /vault/secrets/documentations-s3-account-json
            - name: STATES_URL
-              value: http://workspaces-service.workspaces.svc.cluster.local:8000/
+              value: http://backend-svc.workspaces.svc.cluster.local:80/
            - name: SUBSCRIPTIONS_URL
-              value: http://sarex-subscriptions-service.subscriptions.svc.cluster.local:80
+              value: http://backend-svc.subscriptions.svc.cluster.local:80
            - name: SYSTEM_LOG_URL
              value: http://api-service.system-log.svc.cluster.local:8000
            - name: TARGET_URL
-              value: http://backend.django.svc.cluster.local:8000
+              value: http://backend-svc.django.svc.cluster.local:80
            - name: USE_CACHE_IN_FILE_STREAMER
              value: "1"
            - name: USE_SUBSCRIPTIONS
@ -167,15 +167,15 @@ spec:
            - name: WORKFLOW_IMAGES_VERSION
              value: master
            - name: WORKFLOW_URL
-              value: http://workflows-api-service.workflow.svc.cluster.local:8000/
+              value: http://backend-svc.processing.svc.cluster.local:80/
            - name: WORKSPACE_BUNDLE_VERSION
              value: v1
            - name: WORKSPACE_URL
-              value: http://workspaces-service.workspaces.svc.cluster.local:8000/
+              value: http://backend-svc.workspaces.svc.cluster.local:80/
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi

      imagePullSecrets:
        - name: regcred
--- a/apps/documentations/yc-k8s-test/kustomization.yaml
+++ b/apps/documentations/yc-k8s-test/kustomization.yaml
@ -4,4 +4,6 @@ kind: Kustomization
 resources:
  - ../base
  - postgresql.yaml
+  - redis-deployment.yaml
+  - redis-service.yaml
 patches: []
--- a/apps/documentations/yc-k8s-test/postgresql.yaml
+++ b/apps/documentations/yc-k8s-test/postgresql.yaml
@ -91,7 +91,8 @@ spec:
        failureThreshold: 6
      resources:
        requests:
-          memory: 512Mi
+          cpu: 50m
+          memory: 128Mi
      nodeSelector:
        dedicated: db
      tolerations:
--- a/apps/documentations/yc-k8s-test/redis-deployment.yaml
+++ b/apps/documentations/yc-k8s-test/redis-deployment.yaml
@ -0,0 +1,27 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: redis
+  namespace: documentations
+  labels:
+    app: redis
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+        - name: redis
+          image: cr.yandex/crp3ccidau046kdj8g9q/redis:latest
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 6379
+              protocol: TCP
+      imagePullSecrets:
+        - name: regcred
--- a/apps/documentations/yc-k8s-test/redis-service.yaml
+++ b/apps/documentations/yc-k8s-test/redis-service.yaml
@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  namespace: documentations
+spec:
+  selector:
+    app: redis
+  ports:
+    - port: 6379
+      targetPort: 6379
+      protocol: TCP
--- a/apps/drawings/yc-k8s-test/postgresql.yaml
+++ b/apps/drawings/yc-k8s-test/postgresql.yaml
@ -91,7 +91,8 @@ spec:
        failureThreshold: 6
      resources:
        requests:
-          memory: 512Mi
+          cpu: 50m
+          memory: 128Mi
      nodeSelector:
        dedicated: db
      tolerations:
--- a/apps/eav/base/backend-deployment.yaml
+++ b/apps/eav/base/backend-deployment.yaml
@ -89,7 +89,7 @@ spec:

          resources:
            requests:
-              cpu: 100m
+              cpu: 25m
              memory: 100Mi

          volumeMounts:
--- a/apps/eav/base/backend-service.yaml
+++ b/apps/eav/base/backend-service.yaml
@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: backend-service
+  name: backend-svc
  namespace: eav
 spec:
  type: ClusterIP
@ -10,6 +10,6 @@ spec:
    app: backend
  ports:
    - name: http
-      port: 8000
+      port: 80
      targetPort: 8000
      protocol: TCP
--- a/apps/eav/yc-k8s-test/postgresql.yaml
+++ b/apps/eav/yc-k8s-test/postgresql.yaml
@ -91,7 +91,8 @@ spec:
        failureThreshold: 6
      resources:
        requests:
-          memory: 512Mi
+          cpu: 50m
+          memory: 128Mi
      nodeSelector:
        dedicated: db
      tolerations:
--- a/apps/faas/base/export-reviews.yaml
+++ b/apps/faas/base/export-reviews.yaml
@ -38,7 +38,7 @@ spec:
            - name: DOCUMENTATIONS_HOST
              value: https://sarex.contour.infra.sarex.tech/documentations
            - name: EAV_HOST
-              value: http://eav-service.eav.svc.cluster.local:8000
+              value: http://backend-svc.eav.svc.cluster.local:80
            - name: TRANSMITTALS_INTERNAL_HOST
              value: http://transmittal-service.transmittal.svc.cluster.local:80/internal/v1
            - name: DJANGO_TIMEOUT
@ -58,7 +58,7 @@ spec:

          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/flows/base/backend-deployment.yaml
+++ b/apps/flows/base/backend-deployment.yaml
@ -86,17 +86,17 @@ spec:
            - name: CELERY_QUEUE
              value: flow
            - name: EAV_HOST
-              value: http://eav-service.eav.svc.cluster.local:8000
+              value: http://backend-svc.eav.svc.cluster.local:80
            - name: DJANGO_HOST
-              value: http://backend-svc.django.svc.cluster.local:8000/api
+              value: http://backend-svc.django.svc.cluster.local:80/api
            - name: PLANNING_HOST
-              value: http://backend-service.pm.svc.cluster.local:8000/api/pm/msp
+              value: http://backend-svc.pm.svc.cluster.local:80/api/pm/msp
            - name: PLANNING_USE
              value: "True"
            - name: DOCUMENTATION_HOST
-              value: http://documentations-api.documentations.svc.cluster.local:8080/internal/v1
+              value: http://backend-api-svc.documentations.svc.cluster.local:80/internal/v1
            - name: DOCUMENTATION_EXTERNAL_HOST
-              value: http://documentations-api.documentations.svc.cluster.local:8080/api/v1
+              value: http://backend-api-svc.documentations.svc.cluster.local:80/api/v1
            - name: ENABLE_ANALYTICS
              value: "1"
            - name: ENABLE_CELERY
@ -131,7 +131,7 @@ spec:
              value: "60"
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/flows/base/celery-deployment.yaml
+++ b/apps/flows/base/celery-deployment.yaml
@ -86,17 +86,17 @@ spec:
            - name: CELERY_QUEUE
              value: flow
            - name: EAV_HOST
-              value: http://eav-service.eav.svc.cluster.local:8000
+              value: http://backend-svc.eav.svc.cluster.local:80
            - name: DJANGO_HOST
-              value: http://backend-svc.django.svc.cluster.local:8000/api
+              value: http://backend-svc.django.svc.cluster.local:80/api
            - name: PLANNING_HOST
-              value: http://backend-service.pm.svc.cluster.local:8000/api/pm/msp
+              value: http://backend-service.pm.svc.cluster.local:80/api/pm/msp
            - name: PLANNING_USE
              value: "True"
            - name: DOCUMENTATION_HOST
-              value: http://documentations-api.documentations.svc.cluster.local:8080/internal/v1
+              value: http://backend-api-svc.documentations.svc.cluster.local:80/internal/v1
            - name: DOCUMENTATION_EXTERNAL_HOST
-              value: http://documentations-api.documentations.svc.cluster.local:8080/api/v1
+              value: http://backend-api-svc.documentations.svc.cluster.local:80/api/v1
            - name: ENABLE_ANALYTICS
              value: "1"
            - name: ENABLE_CELERY
@ -131,7 +131,7 @@ spec:
              value: "60"
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/flows/base/frontend-deployment.yaml
+++ b/apps/flows/base/frontend-deployment.yaml
@ -26,7 +26,7 @@ spec:
              protocol: TCP
          resources:
            requests:
-              cpu: 100m
+              cpu: 25m
              memory: 100Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/flows/base/frontend-service.yaml
+++ b/apps/flows/base/frontend-service.yaml
@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: frontend-service
+  name: frontend-svc
  namespace: flows
 spec:
  type: ClusterIP
--- a/apps/flows/yc-k8s-test/postgresql.yaml
+++ b/apps/flows/yc-k8s-test/postgresql.yaml
@ -91,7 +91,8 @@ spec:
        failureThreshold: 6
      resources:
        requests:
-          memory: 512Mi
+          cpu: 50m
+          memory: 128Mi
      nodeSelector:
        dedicated: db
      tolerations:
--- a/apps/inspections/base/backend-deployment.yaml
+++ b/apps/inspections/base/backend-deployment.yaml
@ -114,7 +114,7 @@ spec:

          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/inspections/yc-k8s-test/postgresql.yaml
+++ b/apps/inspections/yc-k8s-test/postgresql.yaml
@ -89,6 +89,10 @@ spec:
        timeoutSeconds: 5
        successThreshold: 1
        failureThreshold: 6
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
      nodeSelector:
        dedicated: db
      tolerations:
--- a/apps/issues/base/backend-deployment.yaml
+++ b/apps/issues/base/backend-deployment.yaml
@ -100,33 +100,33 @@ spec:
            - name: ENVIRONMENT
              value: production
            - name: AERO_PUBLIC_HOST
-              value: https://srx.wb.ru
+              value: https://sarex.contour.infra.sarex.tech
            - name: AERO_HOST
-              value: https://srx.wb.ru
+              value: https://sarex.contour.infra.sarex.tech
            - name: BASE_AERO_URL
-              value: https://srx.wb.ru
+              value: https://sarex.contour.infra.sarex.tech
            - name: BASE_AUTH_URL
-              value: http://backend-svc.django.svc.cluster.local:8000
+              value: http://backend-svc.django.svc.cluster.local:80
            - name: WORKFLOWS_HOST
-              value: http://workflows-api-service.workflow.svc.cluster.local:8000
+              value: http://backend-svc.workflow.svc.cluster.local:80
            - name: WORKFLOWS_URL
-              value: http://workflows-api-service.workflow.svc.cluster.local:8000
+              value: http://backend-svc.workflow.svc.cluster.local:80
            - name: RESOURCES_API_HOST
-              value: http://resources-service.resources.svc.cluster.local:8000
+              value: http://backend-svc.resources.svc.cluster.local:80
            - name: EAV_HOST
-              value: http://eav-service.eav.svc.cluster.local:8000
+              value: http://backend-svc.eav.svc.cluster.local:80
            - name: SAREX_API
-              value: https://srx.wb.ru
+              value: https://sarex.contour.infra.sarex.tech
            - name: DOCUMENTATIONS_URL
-              value: http://documentations-api.documentations.svc.cluster.local:8080
+              value: http://documentations-api-svc.documentations.svc.cluster.local:80
            - name: DJANGO_SETTINGS_MODULE
              value: config.settings.production
            - name: API_ADDRESS
              value: "8000"
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
          volumeMounts:
            - name: production-configmap
              mountPath: /src/config/settings/production.py
--- a/apps/issues/base/celery-deployment.yaml
+++ b/apps/issues/base/celery-deployment.yaml
@ -106,27 +106,27 @@ spec:
            - name: BASE_AERO_URL
              value: https://srx.wb.ru
            - name: BASE_AUTH_URL
-              value: http://backend-svc.django.svc.cluster.local:8000
+              value: http://backend-svc.django.svc.cluster.local:80
            - name: WORKFLOWS_HOST
              value: http://workflows-api-service.workflow.svc.cluster.local:8000
            - name: WORKFLOWS_URL
              value: http://workflows-api-service.workflow.svc.cluster.local:8000
            - name: RESOURCES_API_HOST
-              value: http://resources-service.resources.svc.cluster.local:8000
+              value: http://backend-svc.resources.svc.cluster.local:80
            - name: EAV_HOST
-              value: http://eav-service.eav.svc.cluster.local:8000
+              value: http://backend-svc.eav.svc.cluster.local:80
            - name: SAREX_API
              value: https://srx.wb.ru
            - name: DOCUMENTATIONS_URL
-              value: http://documentations-api.documentations.svc.cluster.local:8080
+              value: http://backend-api-svc.documentations.svc.cluster.local:80
            - name: DJANGO_SETTINGS_MODULE
              value: config.settings.production
            - name: API_ADDRESS
              value: "8000"
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
          volumeMounts:
            - name: production-configmap
              mountPath: /src/config/settings/production.py
--- a/apps/issues/base/frontend-deployment.yaml
+++ b/apps/issues/base/frontend-deployment.yaml
@ -26,7 +26,7 @@ spec:
              protocol: TCP
          resources:
            requests:
-              cpu: 100m
+              cpu: 25m
              memory: 100Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/issues/base/frontend-service.yaml
+++ b/apps/issues/base/frontend-service.yaml
@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: frontend-service
+  name: frontend-svc
  namespace: issues
 spec:
  type: ClusterIP
--- a/apps/issues/base/production-configmap.yaml
+++ b/apps/issues/base/production-configmap.yaml
@ -40,7 +40,7 @@ data:
    DEBUG = False
    # -----------------------------------------------------------------------------

-    REVIEW_HOST='http://backend-service.flows.svc.cluster.local:8000'
+    REVIEW_HOST='http://backend-svc.flows.svc.cluster.local:80'
    # -----------------------------------------------------------------------------
    # EXTERNAL SERVICES END

@ -60,6 +60,10 @@ data:
    USE_NOTIFICATIONS = True

    # JWT SETTINGS START
+    if not os.environ.get("JWT_PRIVATE_KEY"):
+        os.environ["JWT_PRIVATE_KEY"] = _read_secret_file("/vault/secrets/django-jwt-private")
+    if not os.environ.get("JWT_PUBLIC_KEY"):
+        os.environ["JWT_PUBLIC_KEY"] = _read_secret_file("/vault/secrets/django-jwt-public")
    # ---------------------------------------------------------------------------------------------------------------------
    SIMPLE_JWT_ISSUER = os.getenv("SIMPLE_JWT_ISSUER", default="default_issuer")

@ -122,7 +126,7 @@ data:

    AERO_PUBLIC_HOST = os.getenv("AERO_PUBLIC_HOST", default=SAREX_API)

-    BASE_AERO_URL = "http://backend-svc.django.svc.cluster.local:8000"
+    BASE_AERO_URL = "http://backend-svc.django.svc.cluster.local:80"

    ENVIRONMENT = "production"

--- a/apps/issues/yc-k8s-test/postgresql.yaml
+++ b/apps/issues/yc-k8s-test/postgresql.yaml
@ -91,7 +91,8 @@ spec:
        failureThreshold: 6
      resources:
        requests:
-          memory: 512Mi
+          cpu: 50m
+          memory: 128Mi
      nodeSelector:
        dedicated: db
      tolerations:
--- a/apps/mapper/base/deployment.yaml
+++ b/apps/mapper/base/deployment.yaml
@ -99,7 +99,7 @@ spec:
              value: "120"
          resources:
            requests:
-              cpu: "1"
+              cpu: "25m"
              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/mapper/base/service.yaml
+++ b/apps/mapper/base/service.yaml
@ -2,13 +2,13 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: backend-service
+  name: backend-svc
  namespace: mapper
 spec:
  type: ClusterIP
  selector:
    app: backend
  ports:
-    - port: 8000
+    - port: 80
      targetPort: 8000
      protocol: TCP
--- a/apps/measurements/base/deployment.yaml
+++ b/apps/measurements/base/deployment.yaml
@ -49,7 +49,7 @@ spec:
              value: "false"
          resources:
            requests:
-              cpu: 500m
-              memory: 512Mi
+              cpu: 25m
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/message-hub/base/deployment.yaml
+++ b/apps/message-hub/base/deployment.yaml
@ -17,11 +17,56 @@ spec:
      labels:
        app: message-hub
        service: message-hub
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: message-hub
+        vault.hashicorp.com/agent-inject-secret-message-hub-db: secrets/data/postgresql/apps/message-hub
+        vault.hashicorp.com/agent-inject-template-message-hub-db: |-
+          {{- with secret "secrets/data/postgresql/apps/message-hub" -}}
+          DB_USERNAME={{ index .Data.data "username" }}
+          DB_PASSWORD={{ index .Data.data "password" }}
+          DB_DATABASE=pm_db
+          DB_HOST=postgresql.pm.svc.cluster.local
+          DB_PORT=5432
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-message-hub-s3: secrets/data/minio/apps/message-hub
+        vault.hashicorp.com/agent-inject-template-message-hub-s3: |-
+          {{- with secret "secrets/data/minio/apps/message-hub" -}}
+          S3_HOST={{ index .Data.data.client "endpoint" }}
+          S3_LOGIN={{ index .Data.data "access_key" }}
+          S3_PASSWORD={{ index .Data.data "secret_key" }}
+          {{- $buckets := index .Data.data "buckets" }}
+          S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}rfi{{- end -}}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-message-hub-kafka: secrets/data/kafka/apps/message-hub
+        vault.hashicorp.com/agent-inject-template-message-hub-kafka: |-
+          {{- with secret "secrets/data/kafka/apps/message-hub" -}}
+          KAFKA_USERNAME={{ index .Data.data "username" }}
+          KAFKA_PASSWORD={{ index .Data.data "password" }}
+          KAFKA_HOST=kafka-kafka-contour-controller-headless.kafka.svc.cluster.local
+          KAFKA_PORT=9094
+          KAFKA_SECURITY_PROTOCOL={{ index .Data.data.auth "security_protocol" }}
+          KAFKA_SASL_MECHANISM={{ index .Data.data.auth "sasl_mechanism" }}
+          {{- end -}}
    spec:
+      serviceAccountName: message-hub-vault
      containers:
        - name: message-hub
          image: cr.yandex/crp3ccidau046kdj8g9q/message-hub:production_24425472
          imagePullPolicy: IfNotPresent
+          command: ["/bin/bash", "-ec"]
+          args:
+            - |
+              set -a
+              [ -f /vault/secrets/message-hub-db ] && . /vault/secrets/message-hub-db
+              [ -f /vault/secrets/message-hub-s3 ] && . /vault/secrets/message-hub-s3
+              [ -f /vault/secrets/message-hub-kafka ] && . /vault/secrets/message-hub-kafka
+              set +a
+              exec /opt/entrypoint.sh
          ports:
            - name: http
              containerPort: 8000
@ -34,8 +79,7 @@ spec:
            - name: SETTINGS_MAX_RETRIES
              value: "1"
            - name: SETTINGS_TOPICS
-              value: '{"planning": "pm", "assets": "assets_broadcast", "project_entity":
-                "issues_broadcast"}'
+              value: '{"planning": "pm", "assets": "assets_broadcast", "project_entity": "issues_broadcast"}'
            - name: SETTINGS_PDF_CONVERTER_HOST
              value: http://export-project-service.django.svc.cluster.local:8000
            - name: SAREX_BASE_HOST
@ -44,76 +88,9 @@ spec:
              value: redis.pm.svc.cluster.local
            - name: CACHE_PORT
              value: "6379"
-            - name: KAFKA_SECURITY_PROTOCOL
-              value: SSL
-            - name: KAFKA_SASL_MECHANISM
-              value: SCRAM-SHA-512
-            - name: KAFKA_SSL_CAFILE
-              value: /usr/local/share/ca-certificates/kafka.crt
-            - name: KAFKA_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: kafka-secret
-            - name: KAFKA_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: kafka-secret
-            - name: KAFKA_PORT
-              valueFrom:
-                secretKeyRef:
-                  key: port
-                  name: kafka-secret
-            - name: KAFKA_HOST
-              valueFrom:
-                secretKeyRef:
-                  key: hostname
-                  name: kafka-secret
-            - name: DB_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: postgresql-secret
-            - name: DB_DATABASE
-              valueFrom:
-                secretKeyRef:
-                  key: database
-                  name: postgresql-secret
-            - name: DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: postgresql-secret
-            - name: DB_PORT
-              valueFrom:
-                secretKeyRef:
-                  key: port
-                  name: postgresql-secret
-            - name: S3_LOGIN
-              valueFrom:
-                secretKeyRef:
-                  key: username
-                  name: s3-secret
-            - name: S3_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: s3-secret
-            - name: S3_BUCKET
-              valueFrom:
-                secretKeyRef:
-                  key: bucket
-                  name: s3-secret
-            - name: S3_HOST
-              valueFrom:
-                secretKeyRef:
-                  key: host
-                  name: s3-secret
-
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/message-hub/base/kustomization.yaml
+++ b/apps/message-hub/base/kustomization.yaml
@ -4,5 +4,6 @@ kind: Kustomization
 namespace: message-hub
 resources:
  - namespace.yaml
+  - serviceaccount.yaml
  - deployment.yaml
  - service.yaml
--- a/apps/message-hub/base/serviceaccount.yaml
+++ b/apps/message-hub/base/serviceaccount.yaml
@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: message-hub-vault
+  namespace: message-hub
--- a/apps/notes/base/backend-deployment.yaml
+++ b/apps/notes/base/backend-deployment.yaml
@ -114,7 +114,7 @@ spec:
              value: "5432"
          resources:
            requests:
-              cpu: "1"
-              memory: 512Mi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/notes/base/frontend-deployment.yaml
+++ b/apps/notes/base/frontend-deployment.yaml
@ -34,7 +34,7 @@ spec:
              protocol: TCP
          resources:
            requests:
-              cpu: 100m
+              cpu: 25m
              memory: 100Mi
          volumeMounts:
            - name: nginx-configmap
--- a/apps/notes/yc-k8s-test/postgresql.yaml
+++ b/apps/notes/yc-k8s-test/postgresql.yaml
@ -58,7 +58,8 @@ spec:
        size: 20Gi
      resources:
        requests:
-          memory: 512Mi
+          cpu: 50m
+          memory: 128Mi
      customLivenessProbe:
        exec:
          command:
--- a/apps/notes/yc-k8s-test/replicas.yaml
+++ b/apps/notes/yc-k8s-test/replicas.yaml
@ -5,4 +5,4 @@ metadata:
  name: backend
  namespace: notes
 spec:
-  replicas: 2
+  replicas: 1
--- a/apps/pm/base/backend-deployment.yaml
+++ b/apps/pm/base/backend-deployment.yaml
@ -17,11 +17,56 @@ spec:
      labels:
        app: backend
        service: api
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: pm
+        vault.hashicorp.com/agent-inject-secret-pm-db: secrets/data/postgresql/apps/pm
+        vault.hashicorp.com/agent-inject-template-pm-db: |-
+          {{- with secret "secrets/data/postgresql/apps/pm" -}}
+          DB_USERNAME={{ index .Data.data "username" }}
+          DB_PASSWORD={{ index .Data.data "password" }}
+          DB_DATABASE=pm_db
+          DB_HOST=postgresql.pm.svc.cluster.local
+          DB_PORT=5432
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-pm-rabbitmq: secrets/data/rabbitmq/apps/pm
+        vault.hashicorp.com/agent-inject-template-pm-rabbitmq: |-
+          {{- with secret "secrets/data/rabbitmq/apps/pm" -}}
+          CELERY_RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
+          CELERY_RABBITMQ_PORT=5672
+          CELERY_RABBITMQ_USER={{ index .Data.data "username" }}
+          CELERY_RABBITMQ_PASSWORD={{ index .Data.data "password" }}
+          CELERY_RABBITMQ_VHOST={{ index .Data.data "vhost" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-pm-s3: secrets/data/minio/apps/pm
+        vault.hashicorp.com/agent-inject-template-pm-s3: |-
+          {{- with secret "secrets/data/minio/apps/pm" -}}
+          S3_HOST={{ index .Data.data.client "endpoint" }}
+          S3_LOGIN={{ index .Data.data "access_key" }}
+          S3_PASSWORD={{ index .Data.data "secret_key" }}
+          {{- $buckets := index .Data.data "buckets" }}
+          S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}pm-bucket{{- end -}}
+          S3_VERIFY=False
+          {{- end -}}
    spec:
+      serviceAccountName: pm-vault
      containers:
        - name: api
          image: cr.yandex/crp3ccidau046kdj8g9q/pm-backend:production_0843a55d
          imagePullPolicy: IfNotPresent
+          command: ["/bin/bash", "-ec"]
+          args:
+            - |
+              set -a
+              [ -f /vault/secrets/pm-db ] && . /vault/secrets/pm-db
+              [ -f /vault/secrets/pm-rabbitmq ] && . /vault/secrets/pm-rabbitmq
+              [ -f /vault/secrets/pm-s3 ] && . /vault/secrets/pm-s3
+              set +a
+              exec /opt/sarex/entrypoint.sh
          ports:
            - name: http
              containerPort: 8000
@ -53,67 +98,6 @@ spec:
              value: C.UTF-8
            - name: PYTHONUTF8
              value: "1"
-            - name: DB_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: postgresql-secrets
-                  key: username
-            - name: DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: postgresql-secrets
-                  key: password
-            - name: DB_DATABASE
-              valueFrom:
-                secretKeyRef:
-                  name: postgresql-secrets
-                  key: database
-            - name: DB_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: postgresql-secrets
-                  key: hostname
-            - name: DB_PORT
-              valueFrom:
-                secretKeyRef:
-                  name: postgresql-secrets
-                  key: port
-            - name: S3_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: s3-secrets
-                  key: endpoint
-            - name: S3_LOGIN
-              valueFrom:
-                secretKeyRef:
-                  name: s3-secrets
-                  key: login
-            - name: S3_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: s3-secrets
-                  key: password
-            - name: S3_BUCKET
-              valueFrom:
-                secretKeyRef:
-                  name: s3-secrets
-                  key: bucket
-
-#            - name: CACHE_HOST
-#              valueFrom:
-#                secretKeyRef:
-#                  name: cache-secret-pm
-#                  key: host
-#            - name: CACHE_PORT
-#              valueFrom:
-#                secretKeyRef:
-#                  name: cache-secret-pm
-#                  key: port
-#            - name: CACHE_PASSWORD
-#              valueFrom:
-#                secretKeyRef:
-#                  name: cache-secret-pm
-#                  key: password
            - name: CACHE_SSL
              value: "False"
            - name: CACHE_SSL_CA_CERTS
@ -121,71 +105,9 @@ spec:
            - name: CACHE_ENABLE
              value: "False"
            - name: CLICKHOUSE_ENABLE
-              value: 'False'
+              value: "False"
            - name: KAFKA_ENABLE
-              value: 'False'
-#            - name: KAFKA_BOOTSTRAP_SERVERS
-#              valueFrom:
-#                secretKeyRef:
-#                  name: ya-kafka-secret-pm
-#                  key: bootstrap_servers
-#            - name: KAFKA_SECURITY_PROTOCOL
-#              valueFrom:
-#                secretKeyRef:
-#                  name: ya-kafka-secret-pm
-#                  key: security_protocol
-#            - name: KAFKA_SASL_MECHANISM
-#              valueFrom:
-#                secretKeyRef:
-#                  name: ya-kafka-secret-pm
-#                  key: sasl_mechanism
-#            - name: KAFKA_SASL_PLAIN_USERNAME
-#              valueFrom:
-#                secretKeyRef:
-#                  name: ya-kafka-secret-pm
-#                  key: sasl_username
-#            - name: KAFKA_SASL_PLAIN_PASSWORD
-#              valueFrom:
-#                secretKeyRef:
-#                  name: ya-kafka-secret-pm
-#                  key: sasl_password
-#            - name: KAFKA_SSL_CAFILE
-#              valueFrom:
-#                secretKeyRef:
-#                  name: ya-kafka-secret-pm
-#                  key: ssl_cafile
-#            - name: KAFKA_TOPICS
-#              valueFrom:
-#                secretKeyRef:
-#                  name: ya-kafka-secret-pm
-#                  key: topics
-
-            - name: CELERY_RABBITMQ_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: rabbitmq-secrets
-                  key: hostname
-            - name: CELERY_RABBITMQ_PORT
-              valueFrom:
-                secretKeyRef:
-                  name: rabbitmq-secrets
-                  key: port
-            - name: CELERY_RABBITMQ_USER
-              valueFrom:
-                secretKeyRef:
-                  name: rabbitmq-secrets
-                  key: username
-            - name: CELERY_RABBITMQ_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: rabbitmq-secrets
-                  key: password
-            - name: CELERY_RABBITMQ_VHOST
-              valueFrom:
-                secretKeyRef:
-                  name: rabbitmq-secrets
-                  key: vhost
-
+              value: "False"
            - name: AUTH_PUBLIC_TOKEN_URL
              value: "https://lk.sarex.io/api/token/public/"
            - name: SERVER_HOST
@ -204,7 +126,7 @@ spec:
              value: "INFO"
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/pm/base/celery-deployment.yaml
+++ b/apps/pm/base/celery-deployment.yaml
@ -17,25 +17,56 @@ spec:
      labels:
        app: celery
        service: celery
+      annotations:
+        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        vault.hashicorp.com/auth-path: auth/kubernetes
+        vault.hashicorp.com/role: pm
+        vault.hashicorp.com/agent-inject-secret-pm-db: secrets/data/postgresql/apps/pm
+        vault.hashicorp.com/agent-inject-template-pm-db: |-
+          {{- with secret "secrets/data/postgresql/apps/pm" -}}
+          DB_USERNAME={{ index .Data.data "username" }}
+          DB_PASSWORD={{ index .Data.data "password" }}
+          DB_DATABASE=pm_db
+          DB_HOST=postgresql.pm.svc.cluster.local
+          DB_PORT=5432
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-pm-rabbitmq: secrets/data/rabbitmq/apps/pm
+        vault.hashicorp.com/agent-inject-template-pm-rabbitmq: |-
+          {{- with secret "secrets/data/rabbitmq/apps/pm" -}}
+          CELERY_RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
+          CELERY_RABBITMQ_PORT=5672
+          CELERY_RABBITMQ_USER={{ index .Data.data "username" }}
+          CELERY_RABBITMQ_PASSWORD={{ index .Data.data "password" }}
+          CELERY_RABBITMQ_VHOST={{ index .Data.data "vhost" }}
+          {{- end -}}
+        vault.hashicorp.com/agent-inject-secret-pm-s3: secrets/data/minio/apps/pm
+        vault.hashicorp.com/agent-inject-template-pm-s3: |-
+          {{- with secret "secrets/data/minio/apps/pm" -}}
+          S3_HOST={{ index .Data.data.client "endpoint" }}
+          S3_LOGIN={{ index .Data.data "access_key" }}
+          S3_PASSWORD={{ index .Data.data "secret_key" }}
+          {{- $buckets := index .Data.data "buckets" }}
+          S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}pm-bucket{{- end -}}
+          S3_VERIFY=False
+          {{- end -}}
    spec:
+      serviceAccountName: pm-vault
      containers:
        - name: celery
          image: cr.yandex/crp3ccidau046kdj8g9q/pm-backend:production_0843a55d
          imagePullPolicy: IfNotPresent
-          command:
-            - celery
-            - "-A"
-            - config
-            - worker
-            - "-B"
-            - "-l"
-            - info
-            - "-E"
-            - "-Q"
-            - pm
-            - "-n"
-            - default_worker.%h
-            - "--concurrency=2"
+          command: ["/bin/bash", "-ec"]
+          args:
+            - |
+              set -a
+              [ -f /vault/secrets/pm-db ] && . /vault/secrets/pm-db
+              [ -f /vault/secrets/pm-rabbitmq ] && . /vault/secrets/pm-rabbitmq
+              [ -f /vault/secrets/pm-s3 ] && . /vault/secrets/pm-s3
+              set +a
+              exec celery -A config worker -B -l info -E -Q pm -n default_worker.%h --concurrency=2
          ports:
            - name: http
              containerPort: 8000
@ -67,67 +98,6 @@ spec:
              value: C.UTF-8
            - name: PYTHONUTF8
              value: "1"
-            - name: DB_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: postgresql-secrets
-                  key: username
-            - name: DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: postgresql-secrets
-                  key: password
-            - name: DB_DATABASE
-              valueFrom:
-                secretKeyRef:
-                  name: postgresql-secrets
-                  key: database
-            - name: DB_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: postgresql-secrets
-                  key: hostname
-            - name: DB_PORT
-              valueFrom:
-                secretKeyRef:
-                  name: postgresql-secrets
-                  key: port
-            - name: S3_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: s3-secrets
-                  key: endpoint
-            - name: S3_LOGIN
-              valueFrom:
-                secretKeyRef:
-                  name: s3-secrets
-                  key: login
-            - name: S3_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: s3-secrets
-                  key: password
-            - name: S3_BUCKET
-              valueFrom:
-                secretKeyRef:
-                  name: s3-secrets
-                  key: bucket
-
-#            - name: CACHE_HOST
-#              valueFrom:
-#                secretKeyRef:
-#                  name: cache-secret-pm
-#                  key: host
-#            - name: CACHE_PORT
-#              valueFrom:
-#                secretKeyRef:
-#                  name: cache-secret-pm
-#                  key: port
-#            - name: CACHE_PASSWORD
-#              valueFrom:
-#                secretKeyRef:
-#                  name: cache-secret-pm
-#                  key: password
            - name: CACHE_SSL
              value: "False"
            - name: CACHE_SSL_CA_CERTS
@ -135,71 +105,9 @@ spec:
            - name: CACHE_ENABLE
              value: "False"
            - name: CLICKHOUSE_ENABLE
-              value: 'False'
+              value: "False"
            - name: KAFKA_ENABLE
-              value: 'False'
-#            - name: KAFKA_BOOTSTRAP_SERVERS
-#              valueFrom:
-#                secretKeyRef:
-#                  name: ya-kafka-secret-pm
-#                  key: bootstrap_servers
-#            - name: KAFKA_SECURITY_PROTOCOL
-#              valueFrom:
-#                secretKeyRef:
-#                  name: ya-kafka-secret-pm
-#                  key: security_protocol
-#            - name: KAFKA_SASL_MECHANISM
-#              valueFrom:
-#                secretKeyRef:
-#                  name: ya-kafka-secret-pm
-#                  key: sasl_mechanism
-#            - name: KAFKA_SASL_PLAIN_USERNAME
-#              valueFrom:
-#                secretKeyRef:
-#                  name: ya-kafka-secret-pm
-#                  key: sasl_username
-#            - name: KAFKA_SASL_PLAIN_PASSWORD
-#              valueFrom:
-#                secretKeyRef:
-#                  name: ya-kafka-secret-pm
-#                  key: sasl_password
-#            - name: KAFKA_SSL_CAFILE
-#              valueFrom:
-#                secretKeyRef:
-#                  name: ya-kafka-secret-pm
-#                  key: ssl_cafile
-#            - name: KAFKA_TOPICS
-#              valueFrom:
-#                secretKeyRef:
-#                  name: ya-kafka-secret-pm
-#                  key: topics
-
-            - name: CELERY_RABBITMQ_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: rabbitmq-secrets
-                  key: hostname
-            - name: CELERY_RABBITMQ_PORT
-              valueFrom:
-                secretKeyRef:
-                  name: rabbitmq-secrets
-                  key: port
-            - name: CELERY_RABBITMQ_USER
-              valueFrom:
-                secretKeyRef:
-                  name: rabbitmq-secrets
-                  key: username
-            - name: CELERY_RABBITMQ_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: rabbitmq-secrets
-                  key: password
-            - name: CELERY_RABBITMQ_VHOST
-              valueFrom:
-                secretKeyRef:
-                  name: rabbitmq-secrets
-                  key: vhost
-
+              value: "False"
            - name: AUTH_PUBLIC_TOKEN_URL
              value: "https://lk.sarex.io/api/token/public/"
            - name: SERVER_HOST
@ -218,6 +126,6 @@ spec:
              value: "INFO"
          resources:
            requests:
-              memory: 1Gi
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/pm/base/kustomization.yaml
+++ b/apps/pm/base/kustomization.yaml
@ -4,6 +4,7 @@ kind: Kustomization
 namespace: pm
 resources:
  - namespace.yaml
+  - serviceaccount.yaml
  - backend-deployment.yaml
  - backend-service.yaml
  - celery-deployment.yaml
--- a/apps/pm/base/serviceaccount.yaml
+++ b/apps/pm/base/serviceaccount.yaml
@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pm-vault
+  namespace: pm
--- a/apps/pm/yc-k8s-test/postgresql.yaml
+++ b/apps/pm/yc-k8s-test/postgresql.yaml
@ -9,7 +9,7 @@ spec:
  chart:
    spec:
      chart: postgresql-contour
-      version: "17.0.2"
+      version: "17.0.7"
      sourceRef:
        kind: HelmRepository
        name: yc-oci-charts
@ -44,7 +44,7 @@ spec:
    image:
      registry: cr.yandex/crp3ccidau046kdj8g9q
      repository: contour/postgresql
-      tag: 17.0.2
+      tag: 17.0.7
      pullPolicy: Always
    metrics:
      enabled: false
@ -61,7 +61,7 @@ spec:
          command:
            - /bin/sh
            - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
        initialDelaySeconds: 30
        periodSeconds: 10
        timeoutSeconds: 5
@ -72,7 +72,7 @@ spec:
          command:
            - /bin/sh
            - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
        initialDelaySeconds: 5
        periodSeconds: 10
        timeoutSeconds: 5
@ -83,7 +83,7 @@ spec:
          command:
            - /bin/sh
            - -c
-            - exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
+            - exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
        initialDelaySeconds: 30
        periodSeconds: 10
        timeoutSeconds: 5
@ -91,7 +91,8 @@ spec:
        failureThreshold: 6
      resources:
        requests:
-          memory: 512Mi
+          cpu: 50m
+          memory: 128Mi
      nodeSelector:
        dedicated: db
      tolerations:
@ -101,12 +102,19 @@ spec:
          effect: NoSchedule
    contour:
      enabled: true
-      adminUser: ""
-      adminPasswordSecretKey: ""
+      adminUser: "postgres"
      sharedPreloadLibraries: "pg_stat_statements,ltree"
+      vault:
+        enabled: true
+        role: postgresql
+        authPath: auth/kubernetes
+        secretPath: secrets/data/postgresql/admin
+        secretKey: postgres-password
+        usersSecretPath: secrets/data/postgresql/users
      databases:
        - name: pm_db
          user: pm
+          passwordKey: pm
          extensions: []
          restoreFromDump: false
      s3-proxy:
--- a/apps/prescriptions/base/deployment.yaml
+++ b/apps/prescriptions/base/deployment.yaml
@ -0,0 +1,33 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: frontend
+  namespace: prescriptions
+  labels:
+    app: frontend
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: frontend
+  template:
+    metadata:
+      labels:
+        app: frontend
+        version: stable
+    spec:
+      containers:
+        - name: frontend
+          image: cr.yandex/crp3ccidau046kdj8g9q/prescriptions-frontend:production_d48699e6
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          resources:
+            requests:
+              cpu: 25m
+              memory: 100Mi
+      imagePullSecrets:
+        - name: regcred
--- a/apps/prescriptions/base/kustomization.yaml
+++ b/apps/prescriptions/base/kustomization.yaml
@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: prescriptions
+resources:
+  - namespace.yaml
+  - deployment.yaml
+  - service.yaml
--- a/apps/prescriptions/base/namespace.yaml
+++ b/apps/prescriptions/base/namespace.yaml
@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: prescriptions
+  labels:
+    istio-injection: enabled
--- a/apps/prescriptions/base/service.yaml
+++ b/apps/prescriptions/base/service.yaml
@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: frontend-service
+  namespace: prescriptions
+spec:
+  type: ClusterIP
+  selector:
+    app: frontend
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+      protocol: TCP
--- a/apps/prescriptions/yc-k8s-test/kustomization.yaml
+++ b/apps/prescriptions/yc-k8s-test/kustomization.yaml
@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../base
+patches: []
+#  - path: replicas.yaml
+#    target:
+#      kind: Deployment
+#      name: frontend
--- a/apps/prescriptions/yc-k8s-test/replicas.yaml
+++ b/apps/prescriptions/yc-k8s-test/replicas.yaml
@ -0,0 +1,8 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: frontend
+  namespace: remarks
+spec:
+  replicas: 1
--- a/apps/processing/base/api-deployment.yaml
+++ b/apps/processing/base/api-deployment.yaml
@ -54,7 +54,7 @@ spec:
              exec /httpserver migrate
          ports:
            - name: http
-              containerPort: 8000
+              containerPort: 8080
              protocol: TCP
          env:
            - name: POSTGRES_POOL_SIZE
@ -62,7 +62,7 @@ spec:
            - name: HTTP_HOST
              value: 0.0.0.0:8080
            - name: DJANGO_HOST
-              value: http://backend.django.svc.cluster.local:8000
+              value: http://backend-svc.django.svc.cluster.local:80
            - name: S3_SERVICE_ACCOUNT
              value: /etc/sarex/yc-s3/yc-s3-service-account.json
            - name: ENABLE_SQL_QUERY
@ -76,7 +76,7 @@ spec:
                  fieldPath: metadata.name
          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/processing/base/api-service.yaml
+++ b/apps/processing/base/api-service.yaml
@ -7,9 +7,9 @@ metadata:
 spec:
  type: ClusterIP
  selector:
-    app: backend
+    app: workflows-api
  ports:
    - name: http
      port: 80
-      targetPort: 8000
+      targetPort: 8080
      protocol: TCP
--- a/apps/processing/base/engine-low.yaml
+++ b/apps/processing/base/engine-low.yaml
@ -170,21 +170,21 @@ spec:
            - name: WORKSPACE_API_DEBUG
              value: "0"
            - name: JOBS_NAMESPACE
-              value: workflow
+              value: processing
            - name: ISSUE_API_DEBUG
              value: "0"
            - name: TOLERATION_KEY
              value: dedicated
            - name: TOLERATION_VALUE
-              value: processing-light
+              value: processing
            - name: TOLERATION_KEY_HIGH_MEM
              value: dedicated
            - name: TOLERATION_VALUE_HIGH_MEM
-              value: processing-light
+              value: processing
            - name: TOLERATION_KEY_PERSISTENT
              value: dedicated
            - name: TOLERATION_VALUE_PERSISTENT
-              value: processing-light
+              value: processing
            - name: RABBITMQ_CREATE_EXCHANGE
              value: autodesk.inputMessage
            - name: RABBITMQ_CANCEL_EXCHANGE
@ -206,16 +206,16 @@ spec:
            - name: DEFAULT_TOLERATION_KEY
              value: dedicated
            - name: DEFAULT_TOLERATION_VALUE
-              value: processing-light
+              value: processing
            - name: DEFAULT_NODE_SELECTOR_KEY
              value: dedicated
            - name: DEFAULT_NODE_SELECTOR_VALUE
-              value: processing-light
+              value: processing

          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi

      imagePullSecrets:
        - name: regcred
--- a/apps/processing/base/engine.yaml
+++ b/apps/processing/base/engine.yaml
@ -175,21 +175,21 @@ spec:
            - name: WORKSPACE_API_DEBUG
              value: "0"
            - name: JOBS_NAMESPACE
-              value: workflow
+              value: processing
            - name: ISSUE_API_DEBUG
              value: "0"
            - name: TOLERATION_KEY
              value: dedicated
            - name: TOLERATION_VALUE
-              value: processing-light
+              value: processing
            - name: TOLERATION_KEY_HIGH_MEM
              value: dedicated
            - name: TOLERATION_VALUE_HIGH_MEM
-              value: processing-light
+              value: processing
            - name: TOLERATION_KEY_PERSISTENT
              value: dedicated
            - name: TOLERATION_VALUE_PERSISTENT
-              value: processing-light
+              value: processing
            - name: RABBITMQ_CREATE_EXCHANGE
              value: autodesk.inputMessage
            - name: RABBITMQ_CANCEL_EXCHANGE
@ -207,16 +207,16 @@ spec:
            - name: DEFAULT_TOLERATION_KEY
              value: dedicated
            - name: DEFAULT_TOLERATION_VALUE
-              value: processing-light
+              value: processing
            - name: DEFAULT_NODE_SELECTOR_KEY
              value: dedicated
            - name: DEFAULT_NODE_SELECTOR_VALUE
-              value: processing-light
+              value: processing

          resources:
            requests:
-              cpu: "1"
-              memory: 1Gi
+              cpu: "25m"
+              memory: 128Mi

      imagePullSecrets:
        - name: regcred
--- a/apps/processing/base/frontend-deployment.yaml
+++ b/apps/processing/base/frontend-deployment.yaml
@ -18,15 +18,15 @@ spec:
    spec:
      containers:
        - name: frontend
-          image: cr.yandex/crp3ccidau046kdj8g9q/workflows-frontend:wb_ebc15427
+          image: cr.yandex/crp3ccidau046kdj8g9q/workflows-frontend:ugok2_85f6ce2c
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
-              containerPort: 80
+              containerPort: 8080
              protocol: TCP
          resources:
            requests:
-              cpu: 100m
+              cpu: 25m
              memory: 100Mi
      imagePullSecrets:
        - name: regcred
--- a/apps/processing/base/frontend-service.yaml
+++ b/apps/processing/base/frontend-service.yaml
@ -11,5 +11,5 @@ spec:
  ports:
    - name: http
      port: 80
-      targetPort: 80
+      targetPort: 8080
      protocol: TCP
--- a/apps/processing/yc-k8s-test/postgresql.yaml
+++ b/apps/processing/yc-k8s-test/postgresql.yaml
@ -91,7 +91,8 @@ spec:
        failureThreshold: 6
      resources:
        requests:
-          memory: 512Mi
+          cpu: 50m
+          memory: 128Mi
      nodeSelector:
        dedicated: db
      tolerations:
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Kochetkov S	70f0d7f9bb	add brusnika-prod	2026-06-01 17:59:51 +03:00
Kochetkov S	b29d519854	Add test service in test namespace for brusnika-stage	2026-06-01 16:59:02 +03:00
Kochetkov S	38bf5c91ca	bootstrap brusnika-stage	2026-06-01 16:55:47 +03:00
Kochetkov S	7dded5aed3	correcto postgresql nodeslector	2026-05-28 23:05:51 +03:00
Kochetkov S	4a14419756	fix message hub secret	2026-05-28 22:57:46 +03:00
Kochetkov S	a328912649	Allow postgresql on regular yc-k8s-test-02 nodes	2026-05-28 18:52:10 +03:00
Kochetkov S	3e3ba52a04	Make auth services wait for postgresql	2026-05-28 18:47:36 +03:00
Kochetkov S	d2993c5b82	Add postgresql namespace to yc-k8s-test-02	2026-05-28 18:41:49 +03:00
Kochetkov S	fb0c82dff2	Add postgresql to yc-k8s-test-02	2026-05-28 18:39:15 +03:00
Kochetkov S	ae99372ecf	Add platform services to yc-k8s-test-02	2026-05-28 18:35:00 +03:00
Kochetkov S	9722733275	fix istio gateway replica values	2026-05-28 17:42:07 +03:00
Kochetkov S	bd19d33b5a	add istio resources	2026-05-28 17:25:11 +03:00
Kochetkov S	873fe2623e	add istio resources	2026-05-28 16:43:56 +03:00
Kochetkov S	9a4701771e	add minio + vault + lpp	2026-05-28 16:12:35 +03:00
Flux	a3aa4d9295	Add Flux sync manifests	2026-05-28 16:06:54 +03:00
Flux	477712075a	Add Flux v2.8.5 component manifests	2026-05-28 16:06:49 +03:00
Kochetkov S	2b18adafa3	test repo sync	2026-05-28 15:49:47 +03:00
Kochetkov S	b9c5a7e948	Bump WB prometheus stack chart	2026-05-27 17:13:27 +03:00
Kochetkov S	184f334b24	Move WB node exporter to prometheus stack	2026-05-27 17:03:38 +03:00
Kochetkov S	90f43ffbc8	Add node label to WB node exporter scrape	2026-05-27 16:32:16 +03:00
Kochetkov S	7db6aae1d1	change node exporter job name	2026-05-27 14:13:03 +03:00
Kochetkov S	9bc33566e8	change node exporter job name	2026-05-27 13:51:25 +03:00
Kochetkov S	186a89ccab	add pull secrets to postgres-exporter	2026-05-27 13:27:10 +03:00
Kochetkov S	b5446f8109	Fix WB exporters and Istio scrape targets	2026-05-27 13:06:17 +03:00
Kochetkov S	abe9d9c6a6	Scrape WB node exporter through service	2026-05-27 12:27:45 +03:00
Kochetkov S	9b715d52cc	Route WB OTEL traces to OpenObserve	2026-05-27 12:18:56 +03:00
Kochetkov S	ccc6d5e415	Fix WB Grafana datasource and OpenObserve logs endpoint	2026-05-27 11:53:39 +03:00
Kochetkov S	c845011dc1	Fix WB VMStack standalone install	2026-05-27 11:38:37 +03:00
Kochetkov S	172028ba75	Generate WB Grafana admin secret	2026-05-27 11:31:50 +03:00
Kochetkov S	afd4646137	Add WB Istio routes and OpenObserve log export	2026-05-27 11:30:23 +03:00
Kochetkov S	a4c7f745c2	Remove GlitchTip from WB cluster	2026-05-27 11:14:44 +03:00
Kochetkov S	e3ecb05efb	Fix Flux helm remediation for monitoring	2026-05-25 17:22:52 +03:00
Kochetkov S	51c62cbccc	Use generated monitoring secrets	2026-05-25 16:33:24 +03:00
Kochetkov S	2131400030	Remove hardcoded monitoring secrets	2026-05-25 15:10:30 +03:00
Kochetkov S	9b0ce21088	add moitoring stack	2026-05-25 14:11:33 +03:00
Kochetkov S	bb6a2e4ef1	Add WB monitoring stack	2026-05-25 13:18:25 +03:00
Flux	3f5fd12152	Add Flux sync manifests	2026-05-25 12:55:29 +03:00
Flux	bbb4ed8146	Add Flux v2.8.8 component manifests	2026-05-25 12:55:21 +03:00
Kochetkov S	a2b2a3caf7	Use OpenObserve chart with single-node NATS fix	2026-05-21 16:39:00 +03:00
Kochetkov S	ff7f7d4cd7	Use OpenObserve chart with Vault wrapper	2026-05-21 16:25:22 +03:00
Kochetkov S	02b314afef	Use published observability charts	2026-05-21 16:09:10 +03:00
Kochetkov S	db766445dd	add glitchtip + openobserve	2026-05-21 13:49:50 +03:00
Kochetkov S	26639b6208	test(db): right-size postgres requests to observed usage	2026-05-21 11:53:50 +03:00
Kochetkov S	663b06a529	test: reduce business app requests based on current yc-k8s-test usage	2026-05-21 11:46:11 +03:00
Kochetkov S	9d9de98a1e	lower requests	2026-05-21 11:08:01 +03:00
ivan	797502e50f	++	2026-05-13 18:25:37 +05:00
ivan	691010471b	++	2026-05-12 15:54:35 +05:00
ivan	28705c7adf	++	2026-05-12 15:45:12 +05:00
ivan	84c4f2b83b	++	2026-05-12 15:35:10 +05:00
ivan	d20e616ac6	++	2026-05-12 15:35:00 +05:00
ivan	ad0f6ed042	++	2026-05-12 15:28:20 +05:00
ivan	23e1924dce	++	2026-05-12 15:24:02 +05:00
ivan	2759040a63	++	2026-05-12 15:21:21 +05:00
ivan	8a0caeb23d	++	2026-05-12 14:56:33 +05:00
ivan	bb2a427fba	++	2026-05-12 14:39:00 +05:00
ivan	e5783086e8	++	2026-05-12 14:31:31 +05:00
ivan	71d044e3db	++	2026-05-12 14:26:39 +05:00
ivan	d93bdc89a1	++	2026-05-12 14:24:46 +05:00
ivan	bea3567c00	++	2026-05-12 14:23:28 +05:00
ivan	ab11edd178	++	2026-05-12 14:20:35 +05:00
ivan	b544ba486e	++	2026-05-12 14:18:33 +05:00
Kochetkov S	726cd2653c	Fix documentations redis namespace	2026-05-12 11:01:30 +03:00
Flux	0a70a8cdd7	Add Flux sync manifests	2026-05-12 10:46:05 +03:00
emelinda	1318889944	Add service-level mermaid diagrams for all business applications under `docs/apps` folder, illustrating dependencies, namespaces, and inter-service connections	2026-05-08 17:20:45 +03:00
emelinda	57e2867d15	Expand infrastructure diagram in README.md to include detailed business service groups, dependencies, and inter-service connections	2026-05-08 17:03:08 +03:00
emelinda	5903d245d6	Add infrastructure diagram to README.md to illustrate cluster components, dependencies, and service interactions	2026-05-08 16:59:05 +03:00
ivan	4d1eeaf095	++	2026-05-07 11:21:23 +05:00
ivan	37f33d6fd0	++	2026-05-07 11:15:20 +05:00
ivan	9caf34586a	++	2026-05-06 20:10:50 +05:00
ivan	e8e4dea2d7	++	2026-05-05 12:25:26 +07:00
ivan	f5e6e69cb4	++	2026-05-05 12:23:27 +07:00
ivan	c0b1e56513	++	2026-05-05 12:20:11 +07:00
ivan	e28de14fec	++	2026-05-05 12:16:02 +07:00
ivan	990e94cd70	++	2026-05-05 12:12:11 +07:00
ivan	cfa5865d29	++	2026-05-05 12:09:13 +07:00
ivan	705dbc9094	++	2026-05-05 12:04:49 +07:00
ivan	52c5c5f21c	++	2026-05-04 22:58:04 +07:00
ivan	3a0da6063d	++	2026-05-04 22:54:33 +07:00
ivan	0a18ce9959	++	2026-05-04 22:49:40 +07:00
ivan	6731e3957d	++	2026-05-04 22:45:45 +07:00
ivan	fdcac593f9	++	2026-05-04 22:43:23 +07:00
ivan	49ddad4afb	++	2026-05-04 22:29:32 +07:00
ivan	7431cb0715	++	2026-05-04 22:18:20 +07:00
ivan	73f4ec07c1	++	2026-05-04 22:02:14 +07:00
ivan	cf613b0541	++	2026-05-04 22:00:25 +07:00
ivan	03ad1066b2	++	2026-05-04 21:59:14 +07:00
ivan	d774259f35	++	2026-05-04 21:58:40 +07:00
ivan	048749ed2b	++	2026-05-04 21:54:48 +07:00
ivan	e873cb590e	++	2026-05-04 21:52:37 +07:00
ivan	3df7f5ce28	++	2026-05-04 21:49:01 +07:00
ivan	ddac5858eb	++	2026-05-04 21:32:49 +07:00
ivan	a5ccef02fc	++	2026-05-04 20:58:25 +07:00
ivan	be9442c533	++	2026-05-04 20:39:08 +07:00
ivan	5ed5f12cc5	++	2026-05-04 20:35:00 +07:00
ivan	e542730b56	++	2026-05-04 20:30:00 +07:00
ivan	8a529e86c5	++	2026-05-04 20:28:06 +07:00
ivan	6a1c6c952a	++	2026-05-04 20:25:23 +07:00
ivan	485d58b159	++	2026-05-04 20:19:16 +07:00
ivan	7209397a54	++	2026-05-04 20:18:06 +07:00
ivan	d187981b89	++	2026-05-04 20:17:34 +07:00
ivan	3b67767109	++	2026-05-04 20:13:32 +07:00
ivan	0e86a19ae3	++	2026-05-04 20:13:07 +07:00
ivan	97d3555347	++	2026-05-04 20:11:35 +07:00
ivan	940a83c756	++	2026-05-04 20:00:52 +07:00
ivan	4db31a4ac2	++	2026-05-04 19:54:16 +07:00
ivan	e80e11093d	fix	2026-05-04 19:45:20 +07:00
ivan	d813476d85	++	2026-04-27 17:30:32 +07:00
Kochetkov S	434a2e056e	fix kafka	2026-04-27 13:11:18 +03:00
ivan	11a88a2f99	++	2026-04-27 17:02:39 +07:00
ivan	8227c75d44	++	2026-04-27 16:49:53 +07:00
Kochetkov S	e633df20f6	Merge branch 'master' of ssh://158-160-253-227.nip.io:2222/infra/iac	2026-04-27 12:48:51 +03:00
ivan	2f35b24751	++	2026-04-27 16:48:43 +07:00
Kochetkov S	4ecf8b22c0	message hub + pm	2026-04-27 12:48:39 +03:00
ivan	58cfaff8d6	++	2026-04-27 16:41:29 +07:00
ivan	e32b0d91b1	++	2026-04-27 16:38:27 +07:00
Kochetkov S	d96f2a3080	message hub + pm	2026-04-27 12:19:06 +03:00
Kochetkov S	1ff421d025	Merge branch 'master' of ssh://158-160-253-227.nip.io:2222/infra/iac	2026-04-27 12:14:33 +03:00
Kochetkov S	41a8b47dd7	message hub + pm	2026-04-27 12:14:21 +03:00
ivan	e696211fc3	++	2026-04-27 15:41:26 +07:00
Kochetkov S	0872219553	Merge branch 'master' of ssh://158-160-253-227.nip.io:2222/infra/iac	2026-04-27 11:40:06 +03:00
Kochetkov S	dfc79f436c	message hub + pm	2026-04-27 11:39:57 +03:00
ivan	f00b551627	++	2026-04-27 15:37:21 +07:00
ivan	fcd26833b1	++	2026-04-27 15:16:40 +07:00
ivan	4a772356fc	++	2026-04-27 15:12:21 +07:00
ivan	4bb4859020	++	2026-04-27 15:06:44 +07:00
Kochetkov S	42bdc35434	Merge branch 'master' of ssh://158-160-253-227.nip.io:2222/infra/iac	2026-04-27 11:03:33 +03:00
Kochetkov S	0d6dd1c1b3	message hub + pm	2026-04-27 11:03:20 +03:00
ivan	1f32c479f2	++	2026-04-27 15:03:09 +07:00
ivan	770d4829b6	fix	2026-04-27 14:56:41 +07:00
ivan	c07128556b	++	2026-04-27 14:50:11 +07:00
ivan	ea053344c0	fix	2026-04-27 14:47:07 +07:00
ivan	833899028c	++	2026-04-27 14:42:20 +07:00
emelinda	df77d7ed3f	Uncomment `attachments` app in `yc-k8s-test` kustomization configuration	2026-04-24 18:20:20 +03:00
emelinda	6540febd88	Comment out `attachments` app in `yc-k8s-test` kustomization configuration	2026-04-24 18:20:00 +03:00
emelinda	14078fdb5c	Uncomment `attachments` app in `yc-k8s-test` kustomization configuration	2026-04-24 18:18:43 +03:00
emelinda	bf82f12af6	Comment out `attachments` app in `yc-k8s-test` kustomization configuration	2026-04-24 18:17:46 +03:00
emelinda	e37f20dcdc	Remove `namespace.yaml` from `attachments` kustomization	2026-04-24 18:17:03 +03:00
emelinda	8fd2a859fc	Update `attachments` HelmRelease chart version to 0.1.9	2026-04-24 18:11:54 +03:00
emelinda	98e52a13c5	Uncomment `helmrelease.yaml` in `attachments` kustomization	2026-04-24 18:08:13 +03:00
emelinda	ccf4091be7	Clean up `attachments` kustomization: comment out unused patches and HelmRelease resources	2026-04-24 18:05:00 +03:00
emelinda	315758fa99	Remove outdated comment in `attachments` HelmRelease configuration	2026-04-24 17:56:56 +03:00
emelinda	ec8b323664	Merge remote-tracking branch 'origin/master'	2026-04-24 17:33:26 +03:00
emelinda	a835c7779a	Update `attachments` app: increase default replica count to 2	2026-04-24 17:33:14 +03:00
Kochetkov S	6ce34bd126	Merge branch 'master' of ssh://158-160-253-227.nip.io:2222/infra/iac	2026-04-24 17:31:48 +03:00
Kochetkov S	538663308c	checklists	2026-04-24 17:29:36 +03:00
emelinda	fc728939d1	Remove unused ServiceAccount from `attachments` app and update HelmRelease configuration	2026-04-24 17:26:39 +03:00
emelinda	43d9f13f5b	Merge branch 'helm'	2026-04-24 17:24:57 +03:00
emelinda	82c501dc71	Migrate `attachments` app to HelmRelease: update replicas and kustomization configuration	2026-04-24 17:24:23 +03:00
Kochetkov S	0cb6221397	checklists	2026-04-24 17:23:40 +03:00
emelinda	bc8698b5db	Migrate `attachments` app to HelmRelease: replace Deployment and Service with HelmRelease and update kustomization configuration.	2026-04-24 17:21:56 +03:00
Kochetkov S	33401218b3	Merge branch 'master' of ssh://158-160-253-227.nip.io:2222/infra/iac	2026-04-24 17:03:37 +03:00
Kochetkov S	2611dd396f	cde	2026-04-24 17:00:21 +03:00
ivan	55ec116fe2	++	2026-04-24 18:48:07 +05:00
Kochetkov S	48100152f4	cde	2026-04-24 16:40:48 +03:00
Kochetkov S	949c3dd017	cde	2026-04-24 16:33:07 +03:00
Kochetkov S	a2bcdfe1b4	cde	2026-04-24 16:29:11 +03:00
Kochetkov S	722fe996d6	Fix system-log Kafka Vault template newlines	2026-04-24 14:46:29 +03:00
Kochetkov S	a4f1949193	Enable Kafka in system-log api	2026-04-24 14:45:09 +03:00
Kochetkov S	f9b7b49482	Set required KAFKA_TOPIC for system-log api	2026-04-24 14:38:07 +03:00
Kochetkov S	ac8976dcfb	Add system-log vault serviceaccount manifest	2026-04-24 14:27:38 +03:00
Kochetkov S	e924d58d89	Merge branch 'master' of ssh://158-160-253-227.nip.io:2222/infra/iac	2026-04-24 14:23:04 +03:00
Kochetkov S	fbb9180fcd	system-log	2026-04-24 14:22:48 +03:00
ivan	0e6cae1d30	++	2026-04-24 15:56:45 +05:00
ivan	80ba779ab9	++	2026-04-24 15:51:27 +05:00
ivan	28f1f4f00e	++	2026-04-24 15:41:00 +05:00
ivan	bdb5d25220	++	2026-04-24 15:37:09 +05:00