
No commits in common. "master" and "helm" have entirely different histories.
master ... helm

253 changed files with 628 additions and 31948 deletions

344
README.md

@ -1,349 +1,7 @@
# FluxCD v2 Monorepooo
# FluxCD v2 Monorepo
Репозиторий Infrastructure as Code, управляемый [FluxCD v2](https://fluxcd.io/) с использованием Kustomize-оверлеев и Helm-релизов.
## Карта инфраструктуры и межсервисных маршрутов
Диаграмма ниже показывает инфраструктурные компоненты кластера, их зависимости и типовые маршруты вызовов между бизнес-сервисами.
```mermaid
flowchart LR
%% ===== Внешний контур =====
User([👤 Пользователь<br/>Web / Mobile]):::ext
Admin([🛡 Администратор<br/>kubectl / flux]):::ext
LE([🔐 Let's Encrypt<br/>ACME v2]):::ext
GitRepo([📦 Git Repository<br/>FluxCD source]):::ext
OCI([🐳 OCI Registry<br/>cr.yandex]):::ext
%% ===== GitOps =====
subgraph GITOPS["⚙️ GitOps Control Plane"]
direction TB
FluxSource[source-controller]:::flux
FluxKust[kustomize-controller]:::flux
FluxHelm[helm-controller]:::flux
FluxNotif[notification-controller]:::flux
FluxSource --> FluxKust
FluxSource --> FluxHelm
FluxKust --> FluxNotif
FluxHelm --> FluxNotif
end
%% ===== Edge / Service Mesh =====
subgraph EDGE["🌐 Edge & Service Mesh — istio-system"]
direction TB
Gateway["Istio Gateway<br/>:443 / :80<br/>LoadBalancer"]:::mesh
Pilot["istiod / Pilot<br/>xDS :15010/:15012"]:::mesh
Base[Istio Base<br/>CRDs + RBAC]:::mesh
Cert["cert-manager<br/>v1.x"]:::mesh
IssuerProd[ClusterIssuer<br/>letsencrypt-prod]:::mesh
IssuerIstio[ClusterIssuer<br/>letsencrypt-istio]:::mesh
Pilot -->|sidecar inject| Gateway
Base --> Pilot
Cert --> IssuerProd
Cert --> IssuerIstio
IssuerIstio -. TLS cert .-> Gateway
end
%% ===== Платформа =====
subgraph PLATFORM["🛠 Платформа"]
direction TB
Dashboard["K8s Dashboard<br/>UI :8443"]:::platform
LPP["local-path-provisioner<br/>StorageClass: local-path"]:::platform
Vault["HashiCorp Vault<br/>:8200 KV/Transit"]:::platform
S3Proxy["S3 Proxy<br/>S3 API gateway"]:::platform
end
%% ===== Identity =====
subgraph IDENTITY["🪪 Identity & SSO"]
direction TB
Zitadel["Zitadel<br/>OIDC :8080"]:::identity
Keycloak["Keycloak<br/>OIDC/SAML :8080"]:::identity
OpenLDAP["OpenLDAP<br/>:389 / :636"]:::identity
Keycloak -- "LDAP federation" --> OpenLDAP
end
%% ===== Данные =====
subgraph DATA["🗄 Хранилища данных"]
direction TB
PG[("PostgreSQL<br/>:5432<br/>HA primary/replica")]:::data
Redis[("Redis<br/>:6379<br/>cache + pub/sub")]:::data
MinIO[("MinIO<br/>S3 :9000<br/>console :9001")]:::data
end
%% ===== Messaging =====
subgraph MSG["📨 Messaging"]
direction TB
Kafka[["Kafka<br/>:9092 / :9093 SASL<br/>3 brokers"]]:::msg
ZK[["ZooKeeper / KRaft<br/>:2181"]]:::msg
RMQ[["RabbitMQ<br/>:5672 / mgmt :15672"]]:::msg
Kafka --- ZK
end
%% ===== BPM =====
subgraph BPM["🔧 BPM"]
direction TB
Camunda["Camunda Platform<br/>REST :8080 / Tasklist"]:::app
Operate["Camunda Operate<br/>UI :8081"]:::app
end
%% ===== Бизнес-сервисы (каждый в своём namespace) =====
subgraph APPS["💼 Бизнес-сервисы — namespaces"]
direction LR
CI["ns: control-interface"]:::app
Django["ns: django"]:::app
EAV["ns: eav"]:::app
Workspaces["ns: workspaces"]:::app
Projects["ns: projects"]:::app
PM["ns: pm"]:::app
Contracts["ns: contracts"]:::app
Resources["ns: resources"]:::app
Subs["ns: subscriptions"]:::app
SysLog["ns: system-log"]:::app
MsgHub["ns: message-hub"]:::app
FaaS["ns: faas"]:::app
Flows["ns: flows"]:::app
Docs["ns: documentations"]:::app
DocLink["ns: document-link"]:::app
Attach["ns: attachments"]:::app
Transmittal["ns: transmittal"]:::app
CDE["ns: cde"]:::app
Drawings["ns: drawings"]:::app
BIM["ns: bim"]:::app
Stamp["ns: stamp-verification"]:::app
Inspect["ns: inspections"]:::app
Checklists["ns: checklists"]:::app
Remarks["ns: remarks"]:::app
Issues["ns: issues"]:::app
RFI["ns: rfi"]:::app
Reviews["ns: reviews"]:::app
Prescr["ns: prescriptions"]:::app
Compare["ns: comparisons"]:::app
Measure["ns: measurements"]:::app
Mapper["ns: mapper"]:::app
XSection["ns: cross-section"]:::app
Process["ns: processing"]:::app
Notes["ns: notes"]:::app
end
%% ===== GitOps потоки =====
Admin ==>|git push| GitRepo
GitRepo ==>|pull/poll| FluxSource
OCI ==>|OCI charts| FluxSource
FluxKust ==>|apply manifests| EDGE
FluxKust ==>|apply manifests| PLATFORM
FluxKust ==>|apply manifests| IDENTITY
FluxHelm ==>|HelmRelease| DATA
FluxHelm ==>|HelmRelease| MSG
FluxHelm ==>|HelmRelease| BPM
FluxHelm ==>|HelmRelease| APPS
%% ===== Внешний трафик =====
User ==>|HTTPS 443| Gateway
LE -. ACME HTTP-01 .-> Cert
Gateway ==>|VirtualService<br/>mTLS| CI
Gateway ==>|/api| Django
Gateway ==>|/bim| BIM
Gateway ==>|/cde| CDE
Gateway ==>|/docs| Docs
Gateway ==>|/pm| PM
Gateway ==>|VirtualService| Camunda
Gateway ==>|VirtualService| Operate
Gateway ==>|/auth| Keycloak
Gateway ==>|/oauth| Zitadel
Gateway ==>|/dashboard| Dashboard
Gateway ==>|/minio| MinIO
Admin -.->|kubectl| Dashboard
%% ===== Frontend → backend (через control-interface) =====
CI -- "API gateway" --> Django
CI -- "API gateway" --> PM
CI -- "API gateway" --> Projects
CI -- "API gateway" --> Workspaces
%% ===== Подключения к данным =====
Django -- "JDBC/ORM" --> PG
EAV -- "JDBC" --> PG
PM -- "JDBC" --> PG
Contracts -- "JDBC" --> PG
Resources -- "JDBC" --> PG
Projects -- "JDBC" --> PG
Workspaces -- "JDBC" --> PG
Subs -- "JDBC" --> PG
SysLog -- "JDBC" --> PG
Docs -- "JDBC" --> PG
DocLink -- "JDBC" --> PG
CDE -- "JDBC" --> PG
BIM -- "JDBC" --> PG
Drawings -- "JDBC" --> PG
Inspect -- "JDBC" --> PG
Checklists -- "JDBC" --> PG
Issues -- "JDBC" --> PG
Remarks -- "JDBC" --> PG
RFI -- "JDBC" --> PG
Reviews -- "JDBC" --> PG
Prescr -- "JDBC" --> PG
Compare -- "JDBC" --> PG
Measure -- "JDBC" --> PG
Mapper -- "JDBC" --> PG
XSection -- "JDBC" --> PG
Notes -- "JDBC" --> PG
Stamp -- "JDBC" --> PG
Transmittal -- "JDBC" --> PG
Camunda -- "JDBC" --> PG
Operate -- "JDBC" --> PG
Zitadel -- "JDBC" --> PG
Keycloak -- "JDBC" --> PG
%% ===== Redis (общий кэш / sessions) =====
Django -- "session/cache" --> Redis
CI -- "session" --> Redis
PM -- "cache" --> Redis
Workspaces -- "cache" --> Redis
Subs -- "pub/sub realtime" --> Redis
MsgHub -- "pub/sub" --> Redis
Flows -- "state" --> Redis
FaaS -- "queue" --> Redis
Camunda -- "cache" --> Redis
Keycloak -- "session" --> Redis
%% ===== S3 / объектное хранилище =====
Attach -- "PUT/GET" --> S3Proxy
Docs -- "filestream" --> S3Proxy
BIM -- "IFC/RVT" --> S3Proxy
Drawings -- "DWG/PDF" --> S3Proxy
CDE -- "files" --> S3Proxy
Compare -- "rendered diff" --> S3Proxy
Stamp -- "signed PDF" --> S3Proxy
Transmittal -- "bundles" --> S3Proxy
Process -- "raw + результаты" --> S3Proxy
Mapper -- "tiles" --> S3Proxy
Measure -- "snapshots" --> S3Proxy
XSection -- "профили" --> S3Proxy
S3Proxy -- "S3 API" --> MinIO
%% ===== Vault (secrets) =====
Django -. "kv" .-> Vault
Camunda -. "approle" .-> Vault
Keycloak -. "kv" .-> Vault
Zitadel -. "kv" .-> Vault
FaaS -. "approle" .-> Vault
Flows -. "approle" .-> Vault
%% ===== Storage / PVC =====
PG -.->|PVC| LPP
Redis -.->|PVC| LPP
Kafka -.->|PVC| LPP
ZK -.->|PVC| LPP
RMQ -.->|PVC| LPP
MinIO -.->|PVC| LPP
Vault -.->|PVC| LPP
%% ===== Kafka (event bus) =====
SysLog -- "consume audit.*" --> Kafka
MsgHub -- "produce notify.*" --> Kafka
Subs -- "consume notify.*" --> Kafka
Flows -- "produce/consume flows.*" --> Kafka
Camunda -- "produce bpm.events" --> Kafka
Operate -- "consume zeebe-records" --> Kafka
BIM -- "produce bim.processed" --> Kafka
Drawings -- "produce drawings.uploaded" --> Kafka
Process -- "consume processing.jobs" --> Kafka
Compare -- "consume drawings.uploaded" --> Kafka
Inspect -- "produce inspect.events" --> Kafka
Issues -- "consume inspect.events" --> Kafka
Remarks -- "produce remarks.events" --> Kafka
Reviews -- "consume remarks.events" --> Kafka
%% ===== RabbitMQ (work queues) =====
FaaS -- "consume tasks.*" --> RMQ
Flows -- "publish tasks.*" --> RMQ
Process -- "publish jobs" --> RMQ
Mapper -- "consume tile.jobs" --> RMQ
XSection -- "consume xs.jobs" --> RMQ
Stamp -- "consume sign.jobs" --> RMQ
Camunda -- "consume bpm.tasks" --> RMQ
%% ===== Межсервисные REST маршруты =====
PM -- "REST" --> Projects
PM -- "REST" --> Contracts
PM -- "REST" --> Resources
Projects -- "REST" --> Workspaces
Contracts -- "REST" --> Resources
Inspect -- "REST" --> Checklists
Inspect -- "REST" --> Issues
Issues -- "REST" --> Remarks
Reviews -- "REST" --> RFI
Reviews -- "REST" --> Prescr
RFI -- "REST" --> DocLink
DocLink --> Docs
DocLink --> CDE
CDE -- "REST" --> Docs
CDE -- "REST" --> Drawings
CDE -- "REST" --> BIM
Transmittal -- "REST" --> CDE
Transmittal -- "REST" --> Docs
Drawings -- "REST" --> Compare
Drawings -- "REST" --> Stamp
Measure -- "REST" --> Mapper
Mapper -- "REST" --> XSection
XSection --> Process
BIM -- "REST" --> Process
Notes -- "REST" --> DocLink
Flows -- "trigger" --> FaaS
Flows -- "start" --> Camunda
Camunda -- "callback" --> Flows
EAV -- "schemas" --> Django
MsgHub -- "deliver email/push" --> Subs
%% ===== AuthN / AuthZ =====
Django -. "OIDC validate" .-> Keycloak
CI -. "OIDC login" .-> Keycloak
PM -. "JWT" .-> Keycloak
Camunda -. "JWT" .-> Zitadel
Operate -. "OIDC" .-> Zitadel
Dashboard -. "OIDC" .-> Keycloak
BIM -. "JWT" .-> Keycloak
CDE -. "JWT" .-> Keycloak
Docs -. "JWT" .-> Keycloak
%% ===== Service mesh sidecar metrics =====
CI -. "envoy" .-> Pilot
Django -. "envoy" .-> Pilot
Camunda -. "envoy" .-> Pilot
BIM -. "envoy" .-> Pilot
Flows -. "envoy" .-> Pilot
%% ===== Стили =====
classDef ext fill:#1f2937,stroke:#9ca3af,stroke-width:2px,color:#f9fafb
classDef flux fill:#6366f1,stroke:#3730a3,stroke-width:2px,color:#fff
classDef mesh fill:#7c3aed,stroke:#4c1d95,stroke-width:2px,color:#fff
classDef platform fill:#0ea5e9,stroke:#075985,stroke-width:2px,color:#fff
classDef identity fill:#f59e0b,stroke:#92400e,stroke-width:2px,color:#fff
classDef data fill:#10b981,stroke:#065f46,stroke-width:2px,color:#fff
classDef msg fill:#ef4444,stroke:#991b1b,stroke-width:2px,color:#fff
classDef app fill:#ec4899,stroke:#9d174d,stroke-width:2px,color:#fff
style GITOPS fill:#e0e7ff,stroke:#6366f1,stroke-width:2px
style EDGE fill:#ede9fe,stroke:#7c3aed,stroke-width:2px
style PLATFORM fill:#e0f2fe,stroke:#0ea5e9,stroke-width:2px
style IDENTITY fill:#fef3c7,stroke:#f59e0b,stroke-width:2px
style DATA fill:#d1fae5,stroke:#10b981,stroke-width:2px
style MSG fill:#fee2e2,stroke:#ef4444,stroke-width:2px
style BPM fill:#fce7f3,stroke:#ec4899,stroke-width:2px
style APPS fill:#fce7f3,stroke:#ec4899,stroke-width:2px
```
📂 **Подробные диаграммы по каждому бизнес-сервису:** [`docs/apps/`](./docs/apps/README.md)
**Легенда:**
- 🟪 **Edge / Mesh** — терминация TLS, маршрутизация и mTLS между сервисами (Istio + cert-manager)
- 🟦 **Платформа** — служебные компоненты (storage, secrets, S3 proxy, dashboard)
- 🟧 **Identity** — единый вход и федерация пользователей (Zitadel, Keycloak, OpenLDAP)
- 🟩 **Данные** — постоянные хранилища (PostgreSQL, Redis, MinIO)
- 🟥 **Messaging** — асинхронный обмен (Kafka, RabbitMQ)
- 🟪 **Бизнес-сервисы** — прикладная логика (Camunda, бизнес-приложения)
## Структура репозитория
```


@ -9,7 +9,7 @@ spec:
chart:
spec:
chart: universal-chart
version: "0.1.9"
version: "0.1.8"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
@ -28,8 +28,7 @@ spec:
attachments:
enabled: true
serviceAccount:
enabled:
_default: true
# Не создаём SA — используем существующий из base/serviceaccount.yaml.
name:
_default: attachments-vault
deployment:
@ -81,6 +80,8 @@ spec:
_default: 0.0.0.0:8000
podAnnotations:
_default:
# Порт Vault 8200 добавлен к дефолтным портам трейсинга — иначе
# чарт перезатрёт их одиночным "8200" и SigNoz перестанет ходить.
traffic.sidecar.istio.io/excludeOutboundPorts: "4317,4318,9411,8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
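Review bot: The two added comment lines explain why 8200 is appended to `traffic.sidecar.istio.io/excludeOutboundPorts`, but not what the exclusion costs. The annotation bypasses Envoy for every destination on ports 4317, 4318, 9411 and 8200, not only Vault and the tracing collector, so that traffic gets no mesh mTLS and no sidecar-level egress control. The comment should say so and state that the Vault connection relies on Vault's own TLS; the Vault address is not visible in this hunk, so confirm it is `https://`. A NetworkPolicy limiting egress on these ports to the Vault and collector Services would narrow the gap. The first hunk also moves the chart pin from 0.1.9 to 0.1.8; if the downgrade is intended, a one-line comment with the reason would help.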


@ -3,4 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: attachments
resources:
- namespace.yaml
- serviceaccount.yaml
- helmrelease.yaml


@ -2,6 +2,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: transmittal
name: attachments
labels:
istio-injection: enabled


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: attachments-vault
namespace: attachments


@ -4,8 +4,8 @@ kind: Kustomization
resources:
- ../base
- postgresql.yaml
patches: []
# - path: replicas.yaml
# target:
# kind: HelmRelease
# name: attachments
patches:
- path: replicas.yaml
target:
kind: HelmRelease
name: attachments


@ -89,10 +89,6 @@ spec:
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
nodeSelector:
dedicated: db
tolerations:


@ -10,4 +10,4 @@ spec:
attachments:
deployment:
replicaCount:
_default: 2
_default: 1


@ -50,7 +50,7 @@ spec:
serviceAccountName: bim-vault
containers:
- name: backend
image: cr.yandex/crp3ccidau046kdj8g9q/bim-api:contour_3d704fef
image: cr.yandex/crp3ccidau046kdj8g9q/bim-backend-v2:donstroi1
imagePullPolicy: IfNotPresent
command: ["/bin/sh", "-ec"]
args:
@ -58,7 +58,7 @@ spec:
set -a
[ -f /vault/secrets/bim-postgresql ] && . /vault/secrets/bim-postgresql
set +a
exec ./httpserver
exec ./entrypoint.sh
ports:
- name: http
containerPort: 8000
@ -88,7 +88,7 @@ spec:
value: "0"
resources:
requests:
cpu: 25m
cpu: 100m
memory: 100Mi
livenessProbe:
httpGet:
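Review bot: The new image reference `bim-backend-v2:donstroi1` is a name-style tag with no commit hash (the previous one ended in `_3d704fef`), and with `imagePullPolicy: IfNotPresent` a re-pushed `donstroi1` would leave nodes running different builds under the same manifest. Pin it by digest, e.g. `image: cr.yandex/crp3ccidau046kdj8g9q/bim-backend-v2@sha256:<digest-placeholder>`, or at least use a tag that carries the commit id. The start command also changes from `./httpserver` to `./entrypoint.sh`, so the values sourced from `/vault/secrets/bim-postgresql` now pass through a shell script that is not visible here; confirm it does not print its environment. The Deployment spec starts and ends outside these hunks.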


@ -2,7 +2,7 @@
apiVersion: v1
kind: Service
metadata:
name: backend-svc
name: backend-service
namespace: bim
spec:
type: ClusterIP
@ -10,6 +10,6 @@ spec:
app: backend
ports:
- name: http
port: 80
port: 8000
targetPort: 8000
protocol: TCP


@ -92,8 +92,7 @@ spec:
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
memory: 512Mi
nodeSelector:
dedicated: db
tolerations:


@ -54,7 +54,7 @@ spec:
value: "true"
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred


@ -54,7 +54,7 @@ spec:
value: "true"
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred


@ -54,7 +54,7 @@ spec:
value: "true"
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred


@ -54,7 +54,7 @@ spec:
value: "true"
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred


@ -54,7 +54,7 @@ spec:
value: "true"
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred


@ -54,7 +54,7 @@ spec:
value: "true"
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred


@ -54,7 +54,7 @@ spec:
value: "true"
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred


@ -54,7 +54,7 @@ spec:
value: "true"
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred


@ -17,41 +17,11 @@ spec:
labels:
app: checklists-backend
service: checklists-backend
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: checklists
vault.hashicorp.com/agent-inject-secret-checklists-db: secrets/data/postgresql/apps/checklists
vault.hashicorp.com/agent-inject-template-checklists-db: |-
{{- with secret "secrets/data/postgresql/apps/checklists" -}}
DATABASE_HOST=postgresql.checklists.svc.cluster.local
DATABASE_PORT=5432
DATABASE_NAME=checklists_db
DATABASE_USER={{ index .Data.data "username" }}
DATABASE_PASSWORD={{ index .Data.data "password" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-checklists-jwt-public: secrets/data/vault/common/rsa_keys
vault.hashicorp.com/agent-inject-template-checklists-jwt-public: |-
{{- with secret "secrets/data/vault/common/rsa_keys" -}}
{{ index .Data.data "public_key" }}
{{- end -}}
spec:
serviceAccountName: checklists-vault
containers:
- name: api
image: cr.yandex/crp3ccidau046kdj8g9q/checklists-backend:production_68f242cd
imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/checklists-db ] && . /vault/secrets/checklists-db
[ -f /vault/secrets/checklists-jwt-public ] && export JWT_AUTH_PUBLIC_KEY="$(cat /vault/secrets/checklists-jwt-public)"
set +a
exec ./entrypoint.sh
ports:
- name: http
containerPort: 8000
@ -64,17 +34,47 @@ spec:
- name: HTTP_APP_ROOT_PATH
value: /checklists
- name: HTTP_APP_WORKERS
value: "1"
value: "8"
- name: HTTP_APP_ADMIN_ENABLE
value: "true"
- name: JWT_AUTH_ENABLE
value: "true"
- name: DEBUG
value: "false"
- name: DATABASE_USER
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: DATABASE_NAME
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: DATABASE_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: DATABASE_HOST
valueFrom:
secretKeyRef:
key: hostname
name: postgresql-secret
- name: JWT_AUTH_PUBLIC_KEY
valueFrom:
secretKeyRef:
key: public-key
name: jwt-secret
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred
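Review bot: The second hunk reads the database credentials and `JWT_AUTH_PUBLIC_KEY` from the Kubernetes Secrets `postgresql-secret` and `jwt-secret`, but nothing visible on this page creates them; the kustomization for this namespace lists only `namespace.yaml`, `backend-deployment.yaml` and `backend-service.yaml`. If they are applied by hand, a fresh cluster will not start the pod and the Secrets have no GitOps owner. If they are meant to live in Git, they need to be encrypted (for example SOPS decryption on the Flux Kustomization) rather than committed in plain text. With the Vault agent annotations removed in the first hunk, the password also becomes a plain environment variable that stays fixed until the pod restarts, so add a comment naming who provisions and rotates these Secrets. `DATABASE_HOST`, `DATABASE_PORT` and `DATABASE_NAME` are not secret and could be plain `value:` entries.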


@ -3,11 +3,11 @@ apiVersion: v1
kind: Service
metadata:
name: rfi-backend-api-svc
namespace: checklists
namespace: rfi
spec:
type: ClusterIP
selector:
app: checklists-backend
app: rfi-backend-api
ports:
- name: http
port: 80
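Review bot: The Service now sets `namespace: rfi` and selects `app: rfi-backend-api`, yet it appears to sit among the checklists files: the Deployment shown before it labels its pods `app: checklists-backend`, and the kustomization shown after it sets `namespace: checklists` and includes `backend-service.yaml`. If that is where this file lives, kustomize rewrites the namespace to `checklists` and the selector matches no pods, leaving the Service without endpoints. File paths are not shown on this page, so confirm which directory this is. If it is the checklists Service, keep `app: checklists-backend` and rename it from `rfi-backend-api-svc`.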


@ -4,6 +4,5 @@ kind: Kustomization
namespace: checklists
resources:
- namespace.yaml
- serviceaccount.yaml
- backend-deployment.yaml
- backend-service.yaml


@ -1,5 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: checklists-vault
namespace: checklists


@ -2,14 +2,14 @@ apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: postgresql
namespace: checklists
namespace: checklists
spec:
interval: 5m
timeout: 2h
chart:
spec:
chart: postgresql-contour
version: "17.0.7"
version: "17.0.2"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
@ -44,7 +44,7 @@ spec:
image:
registry: cr.yandex/crp3ccidau046kdj8g9q
repository: contour/postgresql
tag: 17.0.7
tag: 17.0.2
pullPolicy: Always
metrics:
enabled: false
@ -61,7 +61,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
@ -72,7 +72,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
@ -83,16 +83,12 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
nodeSelector:
dedicated: db
tolerations:
@ -102,19 +98,12 @@ spec:
effect: NoSchedule
contour:
enabled: true
adminUser: "postgres"
sharedPreloadLibraries: "pg_stat_statements,uuid-ossp"
vault:
enabled: true
role: postgresql
authPath: auth/kubernetes
secretPath: secrets/data/postgresql/admin
secretKey: postgres-password
usersSecretPath: secrets/data/postgresql/users
adminUser: ""
adminPasswordSecretKey: ""
sharedPreloadLibraries: "pg_stat_statements"
databases:
- name: checklists_db
user: checklists
passwordKey: checklists
extensions: []
restoreFromDump: false
s3-proxy:
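Review bot: With the `vault:` block removed, `adminUser: ""` and `adminPasswordSecretKey: ""` set, and `passwordKey` dropped in the last hunk, nothing in the visible values says where the superuser and the `checklists` role get their passwords. Confirm the chart does not fall back to a built-in default or an empty password, and add a comment naming the Secret it reads. The probes switch to `pg_isready -U "sarex"`; pg_isready does not authenticate, so they will still pass, but the `sarex` role is not declared anywhere in these hunks. The chart and image tag also move from 17.0.7 to 17.0.2 with `pullPolicy: Always`, which drops whatever fixes landed between those builds, so record the reason for the downgrade.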


@ -111,7 +111,7 @@ spec:
value: /etc/app/tasks-execution-config.json
resources:
requests:
cpu: 25m
cpu: 100m
memory: 100Mi
volumeMounts:
- name: tasks-execution-config


@ -33,7 +33,7 @@ spec:
protocol: TCP
resources:
requests:
cpu: 25m
cpu: 100m
memory: 100Mi
volumeMounts:
- name: nginx-configmap


@ -91,8 +91,7 @@ spec:
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
memory: 512Mi
nodeSelector:
dedicated: db
tolerations:


@ -58,8 +58,7 @@ spec:
size: 20Gi
resources:
requests:
cpu: 50m
memory: 128Mi
memory: 512Mi
customLivenessProbe:
exec:
command:


@ -2,13 +2,13 @@
apiVersion: v1
kind: Service
metadata:
name: frontend-svc
name: srx-admin-svc
namespace: control-interface
spec:
type: ClusterIP
selector:
app: srx-admin
ports:
- port: 80
- port: 8080
targetPort: 80
protocol: TCP


@ -40,7 +40,7 @@ spec:
failureThreshold: 20
resources:
requests:
cpu: 25m
cpu: 100m
memory: 100Mi
imagePullSecrets:
- name: regcred


@ -50,7 +50,7 @@ spec:
{{- with secret "secrets/data/minio/apps/django" -}}
AWS_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech
S3_HOST=https://minio.contour.infra.sarex.tech
{{- $buckets := index .Data.data "buckets" }}
{{- $buckets := index .Data.data "buckets" -}}
S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}django{{- end -}}
S3_LOGIN={{ index .Data.data "access_key" }}
S3_PASSWORD={{ index .Data.data "secret_key" }}
@ -127,11 +127,11 @@ spec:
- name: DJANGO_SETTINGS_MODULE
value: config.settings.production
- name: CELERY_REDIS_HOST
value: redis
value: redis-service
- name: CELERY_REDIS_PORT
value: "6379"
- name: DJANGO_REDIS_HOST
value: redis
value: redis-service
- name: DJANGO_REDIS_PORT
value: "6379"
- name: BIMV2_INTERNAL_HOST
@ -149,13 +149,13 @@ spec:
- name: MEASUREMENTS_USE_MEASUREMENTS
value: "1"
- name: SERVER_API_HOST
value: https://sarex.contour.infra.sarex.tech
value: https://wb.sarex.io
- name: SERVER_HOST
value: https://sarex.contour.infra.sarex.tech
value: https://wb.sarex.io
- name: WORKFLOWS_HOST
value: https://sarex.contour.infra.sarex.tech
value: https://wb.sarex.io
- name: WORKFLOWS_BASE_HOST
value: https://sarex.contour.infra.sarex.tech
value: https://wb.sarex.io
- name: WORKFLOWS_USE
value: "1"
- name: SERVER_S3_STREAM_IMPORT
@ -203,8 +203,8 @@ spec:
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
volumeMounts:
- name: django-configmap
mountPath: /opt/sarex/config/settings/production.py
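Review bot: In the first hunk, ending `{{- $buckets := index .Data.data "buckets" -}}` with `-}}` trims the newline on both sides of the action, so the rendered secret file joins the neighbouring lines into `S3_HOST=https://minio.contour.infra.sarex.techS3_BUCKET=…`. Whatever consumes that file then gets a corrupted `S3_HOST` and no `S3_BUCKET`. Keep the closing delimiter as `}}`; the left trim alone already removes the blank line. The same edit appears in the next file section, in its `@ -50,7 +50,7` hunk. The unchanged `{{- end -}}` on the `S3_BUCKET` line looks like it has the same effect on `S3_LOGIN`, so check the rendered file under `/vault/secrets/`.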


@ -50,7 +50,7 @@ spec:
{{- with secret "secrets/data/minio/apps/django" -}}
AWS_S3_ENDPOINT_URL=https://minio.contour.infra.sarex.tech
S3_HOST=https://minio.contour.infra.sarex.tech
{{- $buckets := index .Data.data "buckets" }}
{{- $buckets := index .Data.data "buckets" -}}
S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}django{{- end -}}
S3_LOGIN={{ index .Data.data "access_key" }}
S3_PASSWORD={{ index .Data.data "secret_key" }}
@ -121,11 +121,11 @@ spec:
- name: DJANGO_SETTINGS_MODULE
value: config.settings.production
- name: CELERY_REDIS_HOST
value: redis
value: redis-service
- name: CELERY_REDIS_PORT
value: "6379"
- name: DJANGO_REDIS_HOST
value: redis
value: redis-service
- name: DJANGO_REDIS_PORT
value: "6379"
- name: BIMV2_INTERNAL_HOST
@ -194,8 +194,8 @@ spec:
value: "False"
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
volumeMounts:
- name: django-configmap
mountPath: /opt/sarex/config/settings/production.py


@ -55,7 +55,7 @@ data:
FILE_UPLOAD_PERMISSIONS = 0o644
DEBUG = False
CSRF_COOKIE_SECURE = True
CSRF_TRUSTED_ORIGINS = ["https://sarex.contour.infra.sarex.tech", "http://sarex.contour.infra.sarex.tech"]
CSRF_TRUSTED_ORIGINS = ["https://lk.srx.wb.ru:30443", "https://lk.srx.wb.ru"]
SESSION_COOKIE_SECURE = True
SECURE_SSL_REDIRECT = False
@ -87,7 +87,7 @@ data:
'Bearer',
)
HOST = "https://sarex.contour.infra.sarex.tech"
HOST = "https://wb.sarex.io"
POSTGRES_DATABASE = os.environ.get('DJANGO_POSTGRES_DATABASE')
POSTGRES_USER = os.environ.get('DJANGO_POSTGRES_USER')
@ -310,7 +310,7 @@ data:
DEBUG=True
WEB_APP_AUTH_MODE='jwt-session-based'
#WEB_APP_AUTH_MODE='jwt-session-based'
SAREX_MODULES_SETTINGS = {
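Review bot: `DEBUG=True` in the third hunk is unchanged context, but it sits about 250 lines below the `DEBUG = False` of the first hunk. If both belong to the same `production.py`, the later assignment wins and production serves Django debug pages, which expose settings, stack frames and SQL to anyone who triggers an error. Set it to `DEBUG = False` or remove the line while this file is being touched. The new side also comments out `WEB_APP_AUTH_MODE='jwt-session-based'`, so the auth mode falls back to whatever the application defaults to; state the intended mode explicitly. `HOST` becomes `https://wb.sarex.io` while `CSRF_TRUSTED_ORIGINS` lists only `lk.srx.wb.ru`, so if users reach the app on the former, CSRF origin checks will reject their POSTs.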


@ -34,7 +34,7 @@ spec:
protocol: TCP
resources:
requests:
cpu: 25m
cpu: 100m
memory: 100Mi
volumeMounts:
- name: nginx-configmap


@ -80,19 +80,10 @@ data:
# }
location ~^/workspaces-v2/(.+).js {
proxy_http_version 1.1;
proxy_set_header Connection "";
rewrite /workspaces-v2/(.+) /$1 break;
proxy_pass http://frontend-svc.workspaces.svc.cluster.local:80;
}
location ~^/workspaces-v2/(.+)\.wasm$ {
proxy_http_version 1.1;
proxy_set_header Connection "";
rewrite ^/workspaces-v2/(.+) /$1 break;
proxy_pass http://frontend-svc.workspaces.svc.cluster.local:80;
}
location @index {
add_header Cache-Control 'no-cache, must-revalidate, proxy-revalidate, max-age=0';
if_modified_since off;
@ -100,10 +91,10 @@ data:
try_files /static/index.html =404;
}
# location ~^/workflows/(.+).js {
# rewrite /workflows/(.+) /$1 break;
# proxy_pass http://frontend-svc.processing.svc.cluster.local:80;
# }
location ~^/workflows/(.+).js {
rewrite /workflows/(.+) /$1 break;
proxy_pass http://frontend-svc.processing.svc.cluster.local:80;
}
location /service-worker.js {
try_files /static/$uri @index;
}
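Review bot: The re-enabled `location ~^/workflows/(.+).js` has an unescaped dot and no end anchor, so it matches any URI under `/workflows/` that contains `js` after at least two characters, not only `.js` files, and forwards all of them to `frontend-svc.processing`. Use `location ~ ^/workflows/(.+)\.js$` with `rewrite ^/workflows/(.+) /$1 break;`; the surviving `/workspaces-v2/(.+).js` block has the same loose pattern. Other sections of this comparison move Service names away from `frontend-svc` and `backend-svc`, so confirm `frontend-svc.processing.svc.cluster.local:80` still resolves, since nginx refuses to start when a literal `proxy_pass` host cannot be resolved. The first hunk also drops the `.wasm` location, so those requests now fall through to whichever location matches next.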


@ -26,7 +26,7 @@ spec:
protocol: TCP
resources:
requests:
cpu: 25m
cpu: 100m
memory: 100Mi
imagePullSecrets:
- name: regcred


@ -4,6 +4,4 @@ kind: Kustomization
resources:
- ../base
- postgresql.yaml
- redis-deployment.yaml
- redis-service.yaml
patches: []
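Review bot: This overlay, which appears to be the django one given the deleted manifests that follow, stops deploying `redis-deployment.yaml` and `redis-service.yaml`, while the Django deployments in this comparison now point `CELERY_REDIS_HOST` and `DJANGO_REDIS_HOST` at `redis-service`. No resource on this page defines a Service of that name in namespace `django`, so confirm it is created elsewhere before merging. The removed manifest ran `redis:latest` with `imagePullPolicy: Always` and no authentication configured. Whatever replaces it should pin its image and require a password, because the README diagram shows Redis holding Django sessions and cache. The same two lines are removed from a second overlay further down, which looks like the documentations one.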


@ -91,8 +91,7 @@ spec:
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
memory: 512Mi
nodeSelector:
dedicated: db
tolerations:


@ -1,27 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis
namespace: django
labels:
app: redis
spec:
replicas: 1
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- name: redis
image: cr.yandex/crp3ccidau046kdj8g9q/redis:latest
imagePullPolicy: Always
ports:
- containerPort: 6379
protocol: TCP
imagePullSecrets:
- name: regcred


@ -1,13 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: redis
namespace: django
spec:
selector:
app: redis
ports:
- port: 6379
targetPort: 6379
protocol: TCP


@ -27,7 +27,7 @@ spec:
protocol: TCP
resources:
requests:
cpu: 25m
cpu: 100m
memory: 100Mi
imagePullSecrets:
- name: regcred


@ -72,7 +72,7 @@ spec:
exec /app/entrypoint.sh
ports:
- name: http
containerPort: 8080
containerPort: 8000
protocol: TCP
env:
- name: POSTGRES_POOL_SIZE
@ -82,9 +82,9 @@ spec:
- name: ZITADEL_DOMAIN
value: zitadel-srx.wb.ru
- name: USE_ZITADEL
value: "0"
value: "1"
- name: FLOWS_URL
value: http://backend-svc.flows.svc.cluster.local:80
value: http://backend-service.flows.svc.cluster.local:8000
- name: LAST_MASTER_BIM
value: "36311"
- name: API_ADDRESS
@ -98,7 +98,7 @@ spec:
- name: ENABLE_SSL
value: "0"
- name: WORKSPACE_V2_EXTERNAL_URL
value: https://sarex.contour.infra.sarex.tech/workspaces-v2/
value: https://srx.wb.ru/workspaces-v2/
- name: ENABLE_S3
value: "1"
- name: CONTAINER_REGISTRY
@ -108,15 +108,15 @@ spec:
- name: LAST_SLAVE_1_BIM
value: "1000000"
- name: HOST
value: http://backend-api-svc.documentations.svc.cluster.local:80
value: http://documentations-api.documentations.svc.cluster.local:8080
- name: FILE_STREAM_HOST
value: sarex.contour.infra.sarex.tech
value: srx.wb.ru
- name: DOCUMENTATION_URL
value: http://documentations-api.documentations.svc.cluster.local:80/
value: http://documentations-api.documentations.svc.cluster.local:8080/
- name: WORKFLOW_URL
value: http://backend-svc.processing.svc.cluster.local:80/
value: http://workflows-api-service.workflow.svc.cluster.local:8000/
- name: WORKSPACE_URL
value: http://backend-svc.workspaces.svc.cluster.local:80/
value: http://workspaces-service.workspaces.svc.cluster.local:8000/
- name: BIM_API_URL
value: http://bim-api-service.bim.svc.cluster.local:8080/
- name: BIM_API_V2_URL
@ -124,9 +124,9 @@ spec:
- name: WORKSPACE_BUNDLE_VERSION
value: v1
- name: SYSTEM_LOG_URL
value: http://backend-svc.system-log.svc.cluster.local:80
value: http://api-service.system-log.svc.cluster.local:8000
- name: DJANGO_HOST
value: http://backend-svc.django.svc.cluster.local:80
value: http://backend.django.svc.cluster.local:8000
- name: MARKS_PROCESSING_URL
value: http://marks-service:8000
- name: PUBLIC_LINK_HOST
@ -152,9 +152,9 @@ spec:
- name: CACHE_CLEANUP_INTERVAL
value: 60s
- name: ENABLE_AUTH_JWT_IN_URL
value: "true"
- name: ENABLE_SIGNATURE_IN_URL
value: "false"
- name: ENABLE_SIGNATURE_IN_URL
value: "true"
- name: USE_CACHE_IN_FILE_STREAMER
value: "0"
- name: VALKEY_ADDR
@ -166,8 +166,8 @@ spec:
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred
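Review bot: In the `@ -152,9 +152,9` hunk the old/new rendering leaves it unclear whether `ENABLE_AUTH_JWT_IN_URL` stays `"true"` once `ENABLE_SIGNATURE_IN_URL` becomes `"true"`. If it stays on, bearer tokens travel in query strings and end up in gateway access logs, browser history and Referer headers. With signed URLs enabled it should be `value: "false"`, with a comment stating which mechanism file links are expected to use. Separately, `HOST` and `DOCUMENTATION_URL` now target port 8080 on `documentations-api`, while the container port moves to 8000 and the Service shown in the next section keeps `port: 80`; confirm a Service actually listens on 8080.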


@ -11,5 +11,5 @@ spec:
ports:
- name: http
port: 80
targetPort: 8080
targetPort: 8000
protocol: TCP


@ -72,7 +72,7 @@ spec:
exec /app/file_entrypoint.sh
ports:
- name: http
containerPort: 8080
containerPort: 8000
protocol: TCP
env:
- name: POSTGRES_POOL_SIZE
@ -82,9 +82,9 @@ spec:
- name: ZITADEL_DOMAIN
value: zitadel-srx.wb.ru
- name: USE_ZITADEL
value: "0"
value: "1"
- name: FLOWS_URL
value: http://backend-svc.flows.svc.cluster.local:80
value: http://backend-service.flows.svc.cluster.local:8000
- name: LAST_MASTER_BIM
value: "36311"
- name: API_ADDRESS
@ -108,15 +108,15 @@ spec:
- name: LAST_SLAVE_1_BIM
value: "1000000"
- name: HOST
value: http://backend-api-svc.documentations.svc.cluster.local:80
value: http://documentations-api.documentations.svc.cluster.local:8080
- name: FILE_STREAM_HOST
value: srx.wb.ru
- name: DOCUMENTATION_URL
value: http://backend-api-svc.documentations.svc.cluster.local:80/
value: http://documentations-api.documentations.svc.cluster.local:8080/
- name: WORKFLOW_URL
value: http://workflows-api-service.workflow.svc.cluster.local:8000/
- name: WORKSPACE_URL
value: http://backend-svc.workspaces.svc.cluster.local:80/
value: http://workspaces-service.workspaces.svc.cluster.local:8000/
- name: BIM_API_URL
value: http://bim-api-service.bim.svc.cluster.local:8080/
- name: BIM_API_V2_URL
@ -126,7 +126,7 @@ spec:
- name: SYSTEM_LOG_URL
value: http://api-service.system-log.svc.cluster.local:8000
- name: DJANGO_HOST
value: http://backend-svc.django.svc.cluster.local:80
value: http://backend.django.svc.cluster.local:8000
- name: MARKS_PROCESSING_URL
value: http://marks-service:8000
- name: PUBLIC_LINK_HOST
@ -166,8 +166,8 @@ spec:
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred


@ -11,5 +11,5 @@ spec:
ports:
- name: http
port: 80
targetPort: 8080
targetPort: 8000
protocol: TCP


@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: frontend
image: cr.yandex/crp3ccidau046kdj8g9q/documentation-frontend-app:brusnika_ae1bb076
image: cr.yandex/crp3ccidau046kdj8g9q/documentation-frontend-app:brusnika_ce5555d3
imagePullPolicy: IfNotPresent
ports:
- name: http
@ -26,7 +26,7 @@ spec:
protocol: TCP
resources:
requests:
cpu: 25m
cpu: 100m
memory: 100Mi
imagePullSecrets:
- name: regcred


@ -106,13 +106,13 @@ spec:
- name: CACHE_DEFAULT_EXPIRATION
value: 60s
- name: DJANGO_HOST
value: http://backend-svc.django.svc.cluster.local:80
value: http://backend.django.svc.cluster.local:8000
- name: DJANGO_ORIGINATOR
value: docs_prod
- name: DOCUMENTATION_URL
value: http://backend-api-svc.documentations.svc.cluster.local:80/
value: http://documentations-api.documentations.svc.cluster.local:8080/
- name: EAV_URL
value: http://backend-svc.eav.svc.cluster.local:80
value: http://eav-service.eav.svc.cluster.local:8000
- name: ENABLE_OBSERVABILITY
value: "false"
- name: ENABLE_S3
@ -122,7 +122,7 @@ spec:
- name: ENVIRONMENT
value: prod
- name: FLOWS_URL
value: http://backend-svc.flows.svc.cluster.local:80
value: http://backend-service.flows.svc.cluster.local:8000
- name: HEIGHT_THUMB_ATTACHMENTS
value: "300"
- name: HEIGHT_THUMB_STATES
@ -147,13 +147,13 @@ spec:
- name: S3_SERVICE_ACCOUNT
value: /vault/secrets/documentations-s3-account-json
- name: STATES_URL
value: http://backend-svc.workspaces.svc.cluster.local:80/
value: http://workspaces-service.workspaces.svc.cluster.local:8000/
- name: SUBSCRIPTIONS_URL
value: http://backend-svc.subscriptions.svc.cluster.local:80
value: http://sarex-subscriptions-service.subscriptions.svc.cluster.local:80
- name: SYSTEM_LOG_URL
value: http://api-service.system-log.svc.cluster.local:8000
- name: TARGET_URL
value: http://backend-svc.django.svc.cluster.local:80
value: http://backend.django.svc.cluster.local:8000
- name: USE_CACHE_IN_FILE_STREAMER
value: "1"
- name: USE_SUBSCRIPTIONS
@ -167,15 +167,15 @@ spec:
- name: WORKFLOW_IMAGES_VERSION
value: master
- name: WORKFLOW_URL
value: http://backend-svc.processing.svc.cluster.local:80/
value: http://workflows-api-service.workflow.svc.cluster.local:8000/
- name: WORKSPACE_BUNDLE_VERSION
value: v1
- name: WORKSPACE_URL
value: http://backend-svc.workspaces.svc.cluster.local:80/
value: http://workspaces-service.workspaces.svc.cluster.local:8000/
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred


@ -4,6 +4,4 @@ kind: Kustomization
resources:
- ../base
- postgresql.yaml
- redis-deployment.yaml
- redis-service.yaml
patches: []


@ -91,8 +91,7 @@ spec:
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
memory: 512Mi
nodeSelector:
dedicated: db
tolerations:


@ -1,27 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis
namespace: documentations
labels:
app: redis
spec:
replicas: 1
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- name: redis
image: cr.yandex/crp3ccidau046kdj8g9q/redis:latest
imagePullPolicy: Always
ports:
- containerPort: 6379
protocol: TCP
imagePullSecrets:
- name: regcred


@ -1,13 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: redis
namespace: documentations
spec:
selector:
app: redis
ports:
- port: 6379
targetPort: 6379
protocol: TCP


@ -91,8 +91,7 @@ spec:
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
memory: 512Mi
nodeSelector:
dedicated: db
tolerations:


@ -89,7 +89,7 @@ spec:
resources:
requests:
cpu: 25m
cpu: 100m
memory: 100Mi
volumeMounts:


@ -2,7 +2,7 @@
apiVersion: v1
kind: Service
metadata:
name: backend-svc
name: backend-service
namespace: eav
spec:
type: ClusterIP
@ -10,6 +10,6 @@ spec:
app: backend
ports:
- name: http
port: 80
port: 8000
targetPort: 8000
protocol: TCP
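Review bot: The Service in namespace `eav` is renamed to `backend-service` on port 8000, but every caller updated elsewhere in this diff points `EAV_HOST`/`EAV_URL` at `http://eav-service.eav.svc.cluster.local:8000`. Unless a separate `eav-service` Service exists outside this diff, those callers will fail name resolution once the old `backend-svc` name disappears. Either keep the name the callers use, `name: eav-service`, or switch the callers to `backend-service.eav.svc.cluster.local:8000`.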


@ -91,8 +91,7 @@ spec:
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
memory: 512Mi
nodeSelector:
dedicated: db
tolerations:


@ -38,7 +38,7 @@ spec:
- name: DOCUMENTATIONS_HOST
value: https://sarex.contour.infra.sarex.tech/documentations
- name: EAV_HOST
value: http://backend-svc.eav.svc.cluster.local:80
value: http://eav-service.eav.svc.cluster.local:8000
- name: TRANSMITTALS_INTERNAL_HOST
value: http://transmittal-service.transmittal.svc.cluster.local:80/internal/v1
- name: DJANGO_TIMEOUT
@ -58,7 +58,7 @@ spec:
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred


@ -86,17 +86,17 @@ spec:
- name: CELERY_QUEUE
value: flow
- name: EAV_HOST
value: http://backend-svc.eav.svc.cluster.local:80
value: http://eav-service.eav.svc.cluster.local:8000
- name: DJANGO_HOST
value: http://backend-svc.django.svc.cluster.local:80/api
value: http://backend-svc.django.svc.cluster.local:8000/api
- name: PLANNING_HOST
value: http://backend-svc.pm.svc.cluster.local:80/api/pm/msp
value: http://backend-service.pm.svc.cluster.local:8000/api/pm/msp
- name: PLANNING_USE
value: "True"
- name: DOCUMENTATION_HOST
value: http://backend-api-svc.documentations.svc.cluster.local:80/internal/v1
value: http://documentations-api.documentations.svc.cluster.local:8080/internal/v1
- name: DOCUMENTATION_EXTERNAL_HOST
value: http://backend-api-svc.documentations.svc.cluster.local:80/api/v1
value: http://documentations-api.documentations.svc.cluster.local:8080/api/v1
- name: ENABLE_ANALYTICS
value: "1"
- name: ENABLE_CELERY
@ -131,7 +131,7 @@ spec:
value: "60"
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred
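Review bot: `DJANGO_HOST` keeps the old Service name and only changes the port, `http://backend-svc.django.svc.cluster.local:8000/api`, while other files in this diff address the same backend as `http://backend.django.svc.cluster.local:8000`. One of the two names presumably has no Service behind it on port 8000, so these calls would fail or depend on a leftover Service. The same `backend-svc.django…:8000` form appears in the next file's `DJANGO_HOST`, in both `BASE_AUTH_URL` entries and in `BASE_AERO_URL` in the settings ConfigMap. Pick one name, for example `value: http://backend.django.svc.cluster.local:8000/api`, and use it everywhere.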


@ -86,17 +86,17 @@ spec:
- name: CELERY_QUEUE
value: flow
- name: EAV_HOST
value: http://backend-svc.eav.svc.cluster.local:80
value: http://eav-service.eav.svc.cluster.local:8000
- name: DJANGO_HOST
value: http://backend-svc.django.svc.cluster.local:80/api
value: http://backend-svc.django.svc.cluster.local:8000/api
- name: PLANNING_HOST
value: http://backend-service.pm.svc.cluster.local:80/api/pm/msp
value: http://backend-service.pm.svc.cluster.local:8000/api/pm/msp
- name: PLANNING_USE
value: "True"
- name: DOCUMENTATION_HOST
value: http://backend-api-svc.documentations.svc.cluster.local:80/internal/v1
value: http://documentations-api.documentations.svc.cluster.local:8080/internal/v1
- name: DOCUMENTATION_EXTERNAL_HOST
value: http://backend-api-svc.documentations.svc.cluster.local:80/api/v1
value: http://documentations-api.documentations.svc.cluster.local:8080/api/v1
- name: ENABLE_ANALYTICS
value: "1"
- name: ENABLE_CELERY
@ -131,7 +131,7 @@ spec:
value: "60"
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred


@ -26,7 +26,7 @@ spec:
protocol: TCP
resources:
requests:
cpu: 25m
cpu: 100m
memory: 100Mi
imagePullSecrets:
- name: regcred


@ -91,8 +91,7 @@ spec:
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
memory: 512Mi
nodeSelector:
dedicated: db
tolerations:


@ -114,7 +114,7 @@ spec:
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred


@ -89,10 +89,6 @@ spec:
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
nodeSelector:
dedicated: db
tolerations:


@ -100,33 +100,33 @@ spec:
- name: ENVIRONMENT
value: production
- name: AERO_PUBLIC_HOST
value: https://sarex.contour.infra.sarex.tech
value: https://srx.wb.ru
- name: AERO_HOST
value: https://sarex.contour.infra.sarex.tech
value: https://srx.wb.ru
- name: BASE_AERO_URL
value: https://sarex.contour.infra.sarex.tech
value: https://srx.wb.ru
- name: BASE_AUTH_URL
value: http://backend-svc.django.svc.cluster.local:80
value: http://backend-svc.django.svc.cluster.local:8000
- name: WORKFLOWS_HOST
value: http://backend-svc.workflow.svc.cluster.local:80
value: http://workflows-api-service.workflow.svc.cluster.local:8000
- name: WORKFLOWS_URL
value: http://backend-svc.workflow.svc.cluster.local:80
value: http://workflows-api-service.workflow.svc.cluster.local:8000
- name: RESOURCES_API_HOST
value: http://backend-svc.resources.svc.cluster.local:80
value: http://resources-service.resources.svc.cluster.local:8000
- name: EAV_HOST
value: http://backend-svc.eav.svc.cluster.local:80
value: http://eav-service.eav.svc.cluster.local:8000
- name: SAREX_API
value: https://sarex.contour.infra.sarex.tech
value: https://srx.wb.ru
- name: DOCUMENTATIONS_URL
value: http://documentations-api-svc.documentations.svc.cluster.local:80
value: http://documentations-api.documentations.svc.cluster.local:8080
- name: DJANGO_SETTINGS_MODULE
value: config.settings.production
- name: API_ADDRESS
value: "8000"
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
volumeMounts:
- name: production-configmap
mountPath: /src/config/settings/production.py


@ -106,27 +106,27 @@ spec:
- name: BASE_AERO_URL
value: https://srx.wb.ru
- name: BASE_AUTH_URL
value: http://backend-svc.django.svc.cluster.local:80
value: http://backend-svc.django.svc.cluster.local:8000
- name: WORKFLOWS_HOST
value: http://workflows-api-service.workflow.svc.cluster.local:8000
- name: WORKFLOWS_URL
value: http://workflows-api-service.workflow.svc.cluster.local:8000
- name: RESOURCES_API_HOST
value: http://backend-svc.resources.svc.cluster.local:80
value: http://resources-service.resources.svc.cluster.local:8000
- name: EAV_HOST
value: http://backend-svc.eav.svc.cluster.local:80
value: http://eav-service.eav.svc.cluster.local:8000
- name: SAREX_API
value: https://srx.wb.ru
- name: DOCUMENTATIONS_URL
value: http://backend-api-svc.documentations.svc.cluster.local:80
value: http://documentations-api.documentations.svc.cluster.local:8080
- name: DJANGO_SETTINGS_MODULE
value: config.settings.production
- name: API_ADDRESS
value: "8000"
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
volumeMounts:
- name: production-configmap
mountPath: /src/config/settings/production.py


@ -26,7 +26,7 @@ spec:
protocol: TCP
resources:
requests:
cpu: 25m
cpu: 100m
memory: 100Mi
imagePullSecrets:
- name: regcred


@ -40,7 +40,7 @@ data:
DEBUG = False
# -----------------------------------------------------------------------------
REVIEW_HOST='http://backend-svc.flows.svc.cluster.local:80'
REVIEW_HOST='http://backend-service.flows.svc.cluster.local:8000'
# -----------------------------------------------------------------------------
# EXTERNAL SERVICES END
@ -60,10 +60,6 @@ data:
USE_NOTIFICATIONS = True
# JWT SETTINGS START
if not os.environ.get("JWT_PRIVATE_KEY"):
os.environ["JWT_PRIVATE_KEY"] = _read_secret_file("/vault/secrets/django-jwt-private")
if not os.environ.get("JWT_PUBLIC_KEY"):
os.environ["JWT_PUBLIC_KEY"] = _read_secret_file("/vault/secrets/django-jwt-public")
# ---------------------------------------------------------------------------------------------------------------------
SIMPLE_JWT_ISSUER = os.getenv("SIMPLE_JWT_ISSUER", default="default_issuer")
@ -126,7 +122,7 @@ data:
AERO_PUBLIC_HOST = os.getenv("AERO_PUBLIC_HOST", default=SAREX_API)
BASE_AERO_URL = "http://backend-svc.django.svc.cluster.local:80"
BASE_AERO_URL = "http://backend-svc.django.svc.cluster.local:8000"
ENVIRONMENT = "production"
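Review bot: With the `/vault/secrets/django-jwt-private` and `/vault/secrets/django-jwt-public` fallbacks removed, nothing in the JWT settings block shown here guarantees that `JWT_PRIVATE_KEY` and `JWT_PUBLIC_KEY` are set before the JWT settings are built. How the keys are consumed is outside the hunk, but if they are read with a default, a missing variable could leave token signing on an unintended key instead of failing at start-up. A fail-fast guard would make this explicit: `if not os.environ.get("JWT_PRIVATE_KEY"): raise RuntimeError("JWT_PRIVATE_KEY is not set")`, and the same for `JWT_PUBLIC_KEY`.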


@ -91,8 +91,7 @@ spec:
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
memory: 512Mi
nodeSelector:
dedicated: db
tolerations:


@ -99,7 +99,7 @@ spec:
value: "120"
resources:
requests:
cpu: "25m"
cpu: "1"
memory: 128Mi
imagePullSecrets:
- name: regcred


@ -2,13 +2,13 @@
apiVersion: v1
kind: Service
metadata:
name: backend-svc
name: backend-service
namespace: mapper
spec:
type: ClusterIP
selector:
app: backend
ports:
- port: 80
- port: 8000
targetPort: 8000
protocol: TCP


@ -49,7 +49,7 @@ spec:
value: "false"
resources:
requests:
cpu: 25m
memory: 128Mi
cpu: 500m
memory: 512Mi
imagePullSecrets:
- name: regcred


@ -17,56 +17,11 @@ spec:
labels:
app: message-hub
service: message-hub
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: message-hub
vault.hashicorp.com/agent-inject-secret-message-hub-db: secrets/data/postgresql/apps/message-hub
vault.hashicorp.com/agent-inject-template-message-hub-db: |-
{{- with secret "secrets/data/postgresql/apps/message-hub" -}}
DB_USERNAME={{ index .Data.data "username" }}
DB_PASSWORD={{ index .Data.data "password" }}
DB_DATABASE=pm_db
DB_HOST=postgresql.pm.svc.cluster.local
DB_PORT=5432
{{- end -}}
vault.hashicorp.com/agent-inject-secret-message-hub-s3: secrets/data/minio/apps/message-hub
vault.hashicorp.com/agent-inject-template-message-hub-s3: |-
{{- with secret "secrets/data/minio/apps/message-hub" -}}
S3_HOST={{ index .Data.data.client "endpoint" }}
S3_LOGIN={{ index .Data.data "access_key" }}
S3_PASSWORD={{ index .Data.data "secret_key" }}
{{- $buckets := index .Data.data "buckets" }}
S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}rfi{{- end -}}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-message-hub-kafka: secrets/data/kafka/apps/message-hub
vault.hashicorp.com/agent-inject-template-message-hub-kafka: |-
{{- with secret "secrets/data/kafka/apps/message-hub" -}}
KAFKA_USERNAME={{ index .Data.data "username" }}
KAFKA_PASSWORD={{ index .Data.data "password" }}
KAFKA_HOST=kafka-kafka-contour-controller-headless.kafka.svc.cluster.local
KAFKA_PORT=9094
KAFKA_SECURITY_PROTOCOL={{ index .Data.data.auth "security_protocol" }}
KAFKA_SASL_MECHANISM={{ index .Data.data.auth "sasl_mechanism" }}
{{- end -}}
spec:
serviceAccountName: message-hub-vault
containers:
- name: message-hub
image: cr.yandex/crp3ccidau046kdj8g9q/message-hub:production_24425472
imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/message-hub-db ] && . /vault/secrets/message-hub-db
[ -f /vault/secrets/message-hub-s3 ] && . /vault/secrets/message-hub-s3
[ -f /vault/secrets/message-hub-kafka ] && . /vault/secrets/message-hub-kafka
set +a
exec /opt/entrypoint.sh
ports:
- name: http
containerPort: 8000
@ -79,7 +34,8 @@ spec:
- name: SETTINGS_MAX_RETRIES
value: "1"
- name: SETTINGS_TOPICS
value: '{"planning": "pm", "assets": "assets_broadcast", "project_entity": "issues_broadcast"}'
value: '{"planning": "pm", "assets": "assets_broadcast", "project_entity":
"issues_broadcast"}'
- name: SETTINGS_PDF_CONVERTER_HOST
value: http://export-project-service.django.svc.cluster.local:8000
- name: SAREX_BASE_HOST
@ -88,9 +44,76 @@ spec:
value: redis.pm.svc.cluster.local
- name: CACHE_PORT
value: "6379"
- name: KAFKA_SECURITY_PROTOCOL
value: SSL
- name: KAFKA_SASL_MECHANISM
value: SCRAM-SHA-512
- name: KAFKA_SSL_CAFILE
value: /usr/local/share/ca-certificates/kafka.crt
- name: KAFKA_USERNAME
valueFrom:
secretKeyRef:
key: username
name: kafka-secret
- name: KAFKA_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: kafka-secret
- name: KAFKA_PORT
valueFrom:
secretKeyRef:
key: port
name: kafka-secret
- name: KAFKA_HOST
valueFrom:
secretKeyRef:
key: hostname
name: kafka-secret
- name: DB_USERNAME
valueFrom:
secretKeyRef:
key: username
name: postgresql-secret
- name: DB_DATABASE
valueFrom:
secretKeyRef:
key: database
name: postgresql-secret
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: postgresql-secret
- name: DB_PORT
valueFrom:
secretKeyRef:
key: port
name: postgresql-secret
- name: S3_LOGIN
valueFrom:
secretKeyRef:
key: username
name: s3-secret
- name: S3_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: s3-secret
- name: S3_BUCKET
valueFrom:
secretKeyRef:
key: bucket
name: s3-secret
- name: S3_HOST
valueFrom:
secretKeyRef:
key: host
name: s3-secret
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred
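Review bot: `KAFKA_SECURITY_PROTOCOL` is now hard-coded to `SSL` while `KAFKA_SASL_MECHANISM` is `SCRAM-SHA-512` and a username and password are injected; with `SSL` a Kafka client does TLS only and does not send SASL credentials. If the broker listener requires SCRAM, the setting would normally be `value: SASL_SSL`; the removed Vault template took the protocol from the secret rather than fixing it here. The new env list also sets `DB_USERNAME`, `DB_DATABASE`, `DB_PASSWORD` and `DB_PORT` but no `DB_HOST`, which the old template supplied. Unless it is defined in the part of `env` outside these hunks, add a `DB_HOST` entry.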


@ -4,6 +4,5 @@ kind: Kustomization
namespace: message-hub
resources:
- namespace.yaml
- serviceaccount.yaml
- deployment.yaml
- service.yaml


@ -1,5 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: message-hub-vault
namespace: message-hub


@ -114,7 +114,7 @@ spec:
value: "5432"
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 512Mi
imagePullSecrets:
- name: regcred


@ -34,7 +34,7 @@ spec:
protocol: TCP
resources:
requests:
cpu: 25m
cpu: 100m
memory: 100Mi
volumeMounts:
- name: nginx-configmap


@ -58,8 +58,7 @@ spec:
size: 20Gi
resources:
requests:
cpu: 50m
memory: 128Mi
memory: 512Mi
customLivenessProbe:
exec:
command:


@ -5,4 +5,4 @@ metadata:
name: backend
namespace: notes
spec:
replicas: 1
replicas: 2


@ -17,56 +17,11 @@ spec:
labels:
app: backend
service: api
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: pm
vault.hashicorp.com/agent-inject-secret-pm-db: secrets/data/postgresql/apps/pm
vault.hashicorp.com/agent-inject-template-pm-db: |-
{{- with secret "secrets/data/postgresql/apps/pm" -}}
DB_USERNAME={{ index .Data.data "username" }}
DB_PASSWORD={{ index .Data.data "password" }}
DB_DATABASE=pm_db
DB_HOST=postgresql.pm.svc.cluster.local
DB_PORT=5432
{{- end -}}
vault.hashicorp.com/agent-inject-secret-pm-rabbitmq: secrets/data/rabbitmq/apps/pm
vault.hashicorp.com/agent-inject-template-pm-rabbitmq: |-
{{- with secret "secrets/data/rabbitmq/apps/pm" -}}
CELERY_RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
CELERY_RABBITMQ_PORT=5672
CELERY_RABBITMQ_USER={{ index .Data.data "username" }}
CELERY_RABBITMQ_PASSWORD={{ index .Data.data "password" }}
CELERY_RABBITMQ_VHOST={{ index .Data.data "vhost" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-pm-s3: secrets/data/minio/apps/pm
vault.hashicorp.com/agent-inject-template-pm-s3: |-
{{- with secret "secrets/data/minio/apps/pm" -}}
S3_HOST={{ index .Data.data.client "endpoint" }}
S3_LOGIN={{ index .Data.data "access_key" }}
S3_PASSWORD={{ index .Data.data "secret_key" }}
{{- $buckets := index .Data.data "buckets" }}
S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}pm-bucket{{- end -}}
S3_VERIFY=False
{{- end -}}
spec:
serviceAccountName: pm-vault
containers:
- name: api
image: cr.yandex/crp3ccidau046kdj8g9q/pm-backend:production_0843a55d
imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/pm-db ] && . /vault/secrets/pm-db
[ -f /vault/secrets/pm-rabbitmq ] && . /vault/secrets/pm-rabbitmq
[ -f /vault/secrets/pm-s3 ] && . /vault/secrets/pm-s3
set +a
exec /opt/sarex/entrypoint.sh
ports:
- name: http
containerPort: 8000
@ -98,6 +53,67 @@ spec:
value: C.UTF-8
- name: PYTHONUTF8
value: "1"
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: password
- name: DB_DATABASE
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: database
- name: DB_HOST
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: hostname
- name: DB_PORT
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: port
- name: S3_HOST
valueFrom:
secretKeyRef:
name: s3-secrets
key: endpoint
- name: S3_LOGIN
valueFrom:
secretKeyRef:
name: s3-secrets
key: login
- name: S3_PASSWORD
valueFrom:
secretKeyRef:
name: s3-secrets
key: password
- name: S3_BUCKET
valueFrom:
secretKeyRef:
name: s3-secrets
key: bucket
# - name: CACHE_HOST
# valueFrom:
# secretKeyRef:
# name: cache-secret-pm
# key: host
# - name: CACHE_PORT
# valueFrom:
# secretKeyRef:
# name: cache-secret-pm
# key: port
# - name: CACHE_PASSWORD
# valueFrom:
# secretKeyRef:
# name: cache-secret-pm
# key: password
- name: CACHE_SSL
value: "False"
- name: CACHE_SSL_CA_CERTS
@ -105,9 +121,71 @@ spec:
- name: CACHE_ENABLE
value: "False"
- name: CLICKHOUSE_ENABLE
value: "False"
value: 'False'
- name: KAFKA_ENABLE
value: "False"
value: 'False'
# - name: KAFKA_BOOTSTRAP_SERVERS
# valueFrom:
# secretKeyRef:
# name: ya-kafka-secret-pm
# key: bootstrap_servers
# - name: KAFKA_SECURITY_PROTOCOL
# valueFrom:
# secretKeyRef:
# name: ya-kafka-secret-pm
# key: security_protocol
# - name: KAFKA_SASL_MECHANISM
# valueFrom:
# secretKeyRef:
# name: ya-kafka-secret-pm
# key: sasl_mechanism
# - name: KAFKA_SASL_PLAIN_USERNAME
# valueFrom:
# secretKeyRef:
# name: ya-kafka-secret-pm
# key: sasl_username
# - name: KAFKA_SASL_PLAIN_PASSWORD
# valueFrom:
# secretKeyRef:
# name: ya-kafka-secret-pm
# key: sasl_password
# - name: KAFKA_SSL_CAFILE
# valueFrom:
# secretKeyRef:
# name: ya-kafka-secret-pm
# key: ssl_cafile
# - name: KAFKA_TOPICS
# valueFrom:
# secretKeyRef:
# name: ya-kafka-secret-pm
# key: topics
- name: CELERY_RABBITMQ_HOST
valueFrom:
secretKeyRef:
name: rabbitmq-secrets
key: hostname
- name: CELERY_RABBITMQ_PORT
valueFrom:
secretKeyRef:
name: rabbitmq-secrets
key: port
- name: CELERY_RABBITMQ_USER
valueFrom:
secretKeyRef:
name: rabbitmq-secrets
key: username
- name: CELERY_RABBITMQ_PASSWORD
valueFrom:
secretKeyRef:
name: rabbitmq-secrets
key: password
- name: CELERY_RABBITMQ_VHOST
valueFrom:
secretKeyRef:
name: rabbitmq-secrets
key: vhost
- name: AUTH_PUBLIC_TOKEN_URL
value: "https://lk.sarex.io/api/token/public/"
- name: SERVER_HOST
@ -126,7 +204,7 @@ spec:
value: "INFO"
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred
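Review bot: The pod now depends on the Secrets `postgresql-secrets`, `s3-secrets` and `rabbitmq-secrets`, but the visible part of the `pm` kustomization later in this diff lists no Secret manifest or generator, so nothing shown here creates them. If they are missing the container will not start, and if they are created by hand the credentials lose the Vault-side access control and rotation that the removed annotations provided. A short comment above the first `secretKeyRef`, such as `# Secrets are provisioned by <owner/tool>; not managed in this repo`, would tell the next maintainer where they come from. The same applies to the celery deployment in the next file and to `kafka-secret`, `postgresql-secret` and `s3-secret` in the message-hub deployment; the commented-out `CACHE_*` and `KAFKA_*` blocks could also be dropped rather than committed.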


@ -17,56 +17,25 @@ spec:
labels:
app: celery
service: celery
annotations:
traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-pre-populate-only: "true"
vault.hashicorp.com/auth-path: auth/kubernetes
vault.hashicorp.com/role: pm
vault.hashicorp.com/agent-inject-secret-pm-db: secrets/data/postgresql/apps/pm
vault.hashicorp.com/agent-inject-template-pm-db: |-
{{- with secret "secrets/data/postgresql/apps/pm" -}}
DB_USERNAME={{ index .Data.data "username" }}
DB_PASSWORD={{ index .Data.data "password" }}
DB_DATABASE=pm_db
DB_HOST=postgresql.pm.svc.cluster.local
DB_PORT=5432
{{- end -}}
vault.hashicorp.com/agent-inject-secret-pm-rabbitmq: secrets/data/rabbitmq/apps/pm
vault.hashicorp.com/agent-inject-template-pm-rabbitmq: |-
{{- with secret "secrets/data/rabbitmq/apps/pm" -}}
CELERY_RABBITMQ_HOST=rabbitmq.rabbitmq.svc.cluster.local
CELERY_RABBITMQ_PORT=5672
CELERY_RABBITMQ_USER={{ index .Data.data "username" }}
CELERY_RABBITMQ_PASSWORD={{ index .Data.data "password" }}
CELERY_RABBITMQ_VHOST={{ index .Data.data "vhost" }}
{{- end -}}
vault.hashicorp.com/agent-inject-secret-pm-s3: secrets/data/minio/apps/pm
vault.hashicorp.com/agent-inject-template-pm-s3: |-
{{- with secret "secrets/data/minio/apps/pm" -}}
S3_HOST={{ index .Data.data.client "endpoint" }}
S3_LOGIN={{ index .Data.data "access_key" }}
S3_PASSWORD={{ index .Data.data "secret_key" }}
{{- $buckets := index .Data.data "buckets" }}
S3_BUCKET={{- if gt (len $buckets) 0 -}}{{ index (index $buckets 0) "name" }}{{- else -}}pm-bucket{{- end -}}
S3_VERIFY=False
{{- end -}}
spec:
serviceAccountName: pm-vault
containers:
- name: celery
image: cr.yandex/crp3ccidau046kdj8g9q/pm-backend:production_0843a55d
imagePullPolicy: IfNotPresent
command: ["/bin/bash", "-ec"]
args:
- |
set -a
[ -f /vault/secrets/pm-db ] && . /vault/secrets/pm-db
[ -f /vault/secrets/pm-rabbitmq ] && . /vault/secrets/pm-rabbitmq
[ -f /vault/secrets/pm-s3 ] && . /vault/secrets/pm-s3
set +a
exec celery -A config worker -B -l info -E -Q pm -n default_worker.%h --concurrency=2
command:
- celery
- "-A"
- config
- worker
- "-B"
- "-l"
- info
- "-E"
- "-Q"
- pm
- "-n"
- default_worker.%h
- "--concurrency=2"
ports:
- name: http
containerPort: 8000
@ -98,6 +67,67 @@ spec:
value: C.UTF-8
- name: PYTHONUTF8
value: "1"
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: password
- name: DB_DATABASE
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: database
- name: DB_HOST
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: hostname
- name: DB_PORT
valueFrom:
secretKeyRef:
name: postgresql-secrets
key: port
- name: S3_HOST
valueFrom:
secretKeyRef:
name: s3-secrets
key: endpoint
- name: S3_LOGIN
valueFrom:
secretKeyRef:
name: s3-secrets
key: login
- name: S3_PASSWORD
valueFrom:
secretKeyRef:
name: s3-secrets
key: password
- name: S3_BUCKET
valueFrom:
secretKeyRef:
name: s3-secrets
key: bucket
# - name: CACHE_HOST
# valueFrom:
# secretKeyRef:
# name: cache-secret-pm
# key: host
# - name: CACHE_PORT
# valueFrom:
# secretKeyRef:
# name: cache-secret-pm
# key: port
# - name: CACHE_PASSWORD
# valueFrom:
# secretKeyRef:
# name: cache-secret-pm
# key: password
- name: CACHE_SSL
value: "False"
- name: CACHE_SSL_CA_CERTS
@ -105,9 +135,71 @@ spec:
- name: CACHE_ENABLE
value: "False"
- name: CLICKHOUSE_ENABLE
value: "False"
value: 'False'
- name: KAFKA_ENABLE
value: "False"
value: 'False'
# - name: KAFKA_BOOTSTRAP_SERVERS
# valueFrom:
# secretKeyRef:
# name: ya-kafka-secret-pm
# key: bootstrap_servers
# - name: KAFKA_SECURITY_PROTOCOL
# valueFrom:
# secretKeyRef:
# name: ya-kafka-secret-pm
# key: security_protocol
# - name: KAFKA_SASL_MECHANISM
# valueFrom:
# secretKeyRef:
# name: ya-kafka-secret-pm
# key: sasl_mechanism
# - name: KAFKA_SASL_PLAIN_USERNAME
# valueFrom:
# secretKeyRef:
# name: ya-kafka-secret-pm
# key: sasl_username
# - name: KAFKA_SASL_PLAIN_PASSWORD
# valueFrom:
# secretKeyRef:
# name: ya-kafka-secret-pm
# key: sasl_password
# - name: KAFKA_SSL_CAFILE
# valueFrom:
# secretKeyRef:
# name: ya-kafka-secret-pm
# key: ssl_cafile
# - name: KAFKA_TOPICS
# valueFrom:
# secretKeyRef:
# name: ya-kafka-secret-pm
# key: topics
- name: CELERY_RABBITMQ_HOST
valueFrom:
secretKeyRef:
name: rabbitmq-secrets
key: hostname
- name: CELERY_RABBITMQ_PORT
valueFrom:
secretKeyRef:
name: rabbitmq-secrets
key: port
- name: CELERY_RABBITMQ_USER
valueFrom:
secretKeyRef:
name: rabbitmq-secrets
key: username
- name: CELERY_RABBITMQ_PASSWORD
valueFrom:
secretKeyRef:
name: rabbitmq-secrets
key: password
- name: CELERY_RABBITMQ_VHOST
valueFrom:
secretKeyRef:
name: rabbitmq-secrets
key: vhost
- name: AUTH_PUBLIC_TOKEN_URL
value: "https://lk.sarex.io/api/token/public/"
- name: SERVER_HOST
@ -126,6 +218,6 @@ spec:
value: "INFO"
resources:
requests:
memory: 128Mi
memory: 1Gi
imagePullSecrets:
- name: regcred


@ -4,7 +4,6 @@ kind: Kustomization
namespace: pm
resources:
- namespace.yaml
- serviceaccount.yaml
- backend-deployment.yaml
- backend-service.yaml
- celery-deployment.yaml


@ -1,5 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: pm-vault
namespace: pm


@ -9,7 +9,7 @@ spec:
chart:
spec:
chart: postgresql-contour
version: "17.0.7"
version: "17.0.2"
sourceRef:
kind: HelmRepository
name: yc-oci-charts
@ -44,7 +44,7 @@ spec:
image:
registry: cr.yandex/crp3ccidau046kdj8g9q
repository: contour/postgresql
tag: 17.0.7
tag: 17.0.2
pullPolicy: Always
metrics:
enabled: false
@ -61,7 +61,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
@ -72,7 +72,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
@ -83,7 +83,7 @@ spec:
command:
- /bin/sh
- -c
- exec pg_isready -U "postgres" -d postgres -h 127.0.0.1 -p 5432
- exec pg_isready -U "sarex" -d postgres -h 127.0.0.1 -p 5432
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
@ -91,8 +91,7 @@ spec:
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
memory: 512Mi
nodeSelector:
dedicated: db
tolerations:
@ -102,19 +101,12 @@ spec:
effect: NoSchedule
contour:
enabled: true
adminUser: "postgres"
adminUser: ""
adminPasswordSecretKey: ""
sharedPreloadLibraries: "pg_stat_statements,ltree"
vault:
enabled: true
role: postgresql
authPath: auth/kubernetes
secretPath: secrets/data/postgresql/admin
secretKey: postgres-password
usersSecretPath: secrets/data/postgresql/users
databases:
- name: pm_db
user: pm
passwordKey: pm
extensions: []
restoreFromDump: false
s3-proxy:
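Review bot: `adminUser` and `adminPasswordSecretKey` are both set to empty strings and the `vault` block is removed, so nothing in this hunk shows where the PostgreSQL admin credentials now come from. What the `postgresql-contour` chart does with empty values is not visible here; if it falls back to a chart default or skips setting a password, the database could come up with a predictable or unset superuser password. Set these explicitly, e.g. `adminPasswordSecretKey: <key-in-existing-secret>`, or add a comment naming the Secret that supplies them. The chart and image also move from 17.0.7 back to 17.0.2 with `pullPolicy: Always`; confirm the downgrade is intended for an existing data volume.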


@ -1,33 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend
namespace: prescriptions
labels:
app: frontend
spec:
replicas: 1
selector:
matchLabels:
app: frontend
template:
metadata:
labels:
app: frontend
version: stable
spec:
containers:
- name: frontend
image: cr.yandex/crp3ccidau046kdj8g9q/prescriptions-frontend:production_d48699e6
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
protocol: TCP
resources:
requests:
cpu: 25m
memory: 100Mi
imagePullSecrets:
- name: regcred


@ -1,8 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: prescriptions
resources:
- namespace.yaml
- deployment.yaml
- service.yaml


@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: prescriptions
labels:
istio-injection: enabled


@ -1,15 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: frontend-service
namespace: prescriptions
spec:
type: ClusterIP
selector:
app: frontend
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP


@ -1,10 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../base
patches: []
# - path: replicas.yaml
# target:
# kind: Deployment
# name: frontend


@ -1,8 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend
namespace: remarks
spec:
replicas: 1


@ -54,7 +54,7 @@ spec:
exec /httpserver migrate
ports:
- name: http
containerPort: 8080
containerPort: 8000
protocol: TCP
env:
- name: POSTGRES_POOL_SIZE
@ -62,7 +62,7 @@ spec:
- name: HTTP_HOST
value: 0.0.0.0:8080
- name: DJANGO_HOST
value: http://backend-svc.django.svc.cluster.local:80
value: http://backend.django.svc.cluster.local:8000
- name: S3_SERVICE_ACCOUNT
value: /etc/sarex/yc-s3/yc-s3-service-account.json
- name: ENABLE_SQL_QUERY
@ -76,7 +76,7 @@ spec:
fieldPath: metadata.name
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred
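Review bot: `containerPort` changes to 8000, but the unchanged `HTTP_HOST` entry a few lines below still binds the server to `0.0.0.0:8080`. If a Service `targetPort` follows the new 8000 value, traffic will reach a port nothing listens on. Keep the two in step, either `value: 0.0.0.0:8000` for `HTTP_HOST` or `containerPort: 8080`.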


@ -7,9 +7,9 @@ metadata:
spec:
type: ClusterIP
selector:
app: workflows-api
app: backend
ports:
- name: http
port: 80
targetPort: 8080
targetPort: 8000
protocol: TCP


@ -170,21 +170,21 @@ spec:
- name: WORKSPACE_API_DEBUG
value: "0"
- name: JOBS_NAMESPACE
value: processing
value: workflow
- name: ISSUE_API_DEBUG
value: "0"
- name: TOLERATION_KEY
value: dedicated
- name: TOLERATION_VALUE
value: processing
value: processing-light
- name: TOLERATION_KEY_HIGH_MEM
value: dedicated
- name: TOLERATION_VALUE_HIGH_MEM
value: processing
value: processing-light
- name: TOLERATION_KEY_PERSISTENT
value: dedicated
- name: TOLERATION_VALUE_PERSISTENT
value: processing
value: processing-light
- name: RABBITMQ_CREATE_EXCHANGE
value: autodesk.inputMessage
- name: RABBITMQ_CANCEL_EXCHANGE
@ -206,16 +206,16 @@ spec:
- name: DEFAULT_TOLERATION_KEY
value: dedicated
- name: DEFAULT_TOLERATION_VALUE
value: processing
value: processing-light
- name: DEFAULT_NODE_SELECTOR_KEY
value: dedicated
- name: DEFAULT_NODE_SELECTOR_VALUE
value: processing
value: processing-light
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred


@ -175,21 +175,21 @@ spec:
- name: WORKSPACE_API_DEBUG
value: "0"
- name: JOBS_NAMESPACE
value: processing
value: workflow
- name: ISSUE_API_DEBUG
value: "0"
- name: TOLERATION_KEY
value: dedicated
- name: TOLERATION_VALUE
value: processing
value: processing-light
- name: TOLERATION_KEY_HIGH_MEM
value: dedicated
- name: TOLERATION_VALUE_HIGH_MEM
value: processing
value: processing-light
- name: TOLERATION_KEY_PERSISTENT
value: dedicated
- name: TOLERATION_VALUE_PERSISTENT
value: processing
value: processing-light
- name: RABBITMQ_CREATE_EXCHANGE
value: autodesk.inputMessage
- name: RABBITMQ_CANCEL_EXCHANGE
@ -207,16 +207,16 @@ spec:
- name: DEFAULT_TOLERATION_KEY
value: dedicated
- name: DEFAULT_TOLERATION_VALUE
value: processing
value: processing-light
- name: DEFAULT_NODE_SELECTOR_KEY
value: dedicated
- name: DEFAULT_NODE_SELECTOR_VALUE
value: processing
value: processing-light
resources:
requests:
cpu: "25m"
memory: 128Mi
cpu: "1"
memory: 1Gi
imagePullSecrets:
- name: regcred


@ -18,15 +18,15 @@ spec:
spec:
containers:
- name: frontend
image: cr.yandex/crp3ccidau046kdj8g9q/workflows-frontend:ugok2_85f6ce2c
image: cr.yandex/crp3ccidau046kdj8g9q/workflows-frontend:wb_ebc15427
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 8080
containerPort: 80
protocol: TCP
resources:
requests:
cpu: 25m
cpu: 100m
memory: 100Mi
imagePullSecrets:
- name: regcred


@ -11,5 +11,5 @@ spec:
ports:
- name: http
port: 80
targetPort: 8080
targetPort: 80
protocol: TCP


@ -91,8 +91,7 @@ spec:
failureThreshold: 6
resources:
requests:
cpu: 50m
memory: 128Mi
memory: 512Mi
nodeSelector:
dedicated: db
tolerations:


@ -40,7 +40,7 @@ spec:
failureThreshold: 20
resources:
requests:
cpu: 25m
cpu: 100m
memory: 100Mi
imagePullSecrets:
- name: regcred


@ -5,4 +5,4 @@ metadata:
name: projects-frontend-static
namespace: projects
spec:
replicas: 1
replicas: 2


@ -27,7 +27,7 @@ spec:
protocol: TCP
resources:
requests:
cpu: 25m
cpu: 100m
memory: 100Mi
imagePullSecrets:
- name: regcred


@ -83,7 +83,7 @@ spec:
resources:
requests:
cpu: 25m
cpu: 100m
memory: 100Mi
volumeMounts:


@ -22,7 +22,7 @@ data:
# -----------------------------------------------------------------------------
SERVICE_ACCOUNTS_HOST = os.getenv(
"SERVICE_ACCOUNTS_HOST",
default="http://backend-svc.django.svc.cluster.local:80/api/core"
default="http://backend.django.svc.cluster.local:8000/api/core"
)
# -----------------------------------------------------------------------------
@ -49,7 +49,7 @@ data:
# CORS SETTINGS
SAREX_ADMIN_USERNAME = "hagen013"
SAREX_ADMIN_PASSWORD = "zealot096"
SAREX_BASE_HOST = "http://backend-svc.django.svc.cluster.local:80"
SAREX_BASE_HOST = "http://backend.django.svc.cluster.local:8000"
# -----------------------------------------------------------------------------
CORS_ALLOWED_ORIGINS = [
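Review bot: The context lines of the second hunk keep `SAREX_ADMIN_USERNAME` and `SAREX_ADMIN_PASSWORD` as string literals inside a ConfigMap, so an admin credential is stored in Git and readable by anyone who can read ConfigMaps in the namespace. The commit edits the adjacent `SAREX_BASE_HOST` line but leaves these as they are. Read them from the environment instead, `SAREX_ADMIN_PASSWORD = os.environ["SAREX_ADMIN_PASSWORD"]` with the value supplied through a `secretKeyRef`, and rotate the password that has already been committed.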
