iac/apps/processing/base/api-deployment.yaml
2026-05-04 22:00:25 +07:00


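---
# Deployment for the workflows-api service in the `processing` namespace.
# Vault Agent injection (annotations below) renders the PostgreSQL credentials
# and a JWT public key into /vault/secrets/, and the container entrypoint loads
# them into the environment before exec'ing /httpserver.
#
# NOTE(review): no securityContext is set at pod or container level in this
# manifest, so the image and cluster defaults apply. Unless an overlay or an
# admission policy adds one, consider runAsNonRoot: true,
# allowPrivilegeEscalation: false, readOnlyRootFilesystem: true and
# capabilities.drop: ["ALL"] after confirming the image runs with them.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: workflows-api
  namespace: processing
  labels:
    app: workflows-api
    service: workflows-api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: workflows-api
  template:
    metadata:
      labels:
        app: workflows-api
        service: workflows-api
      annotations:
        # Outbound traffic to port 8200 is not redirected through the Istio
        # sidecar, so mesh mTLS and authorization policy do not apply to it.
        # NOTE(review): presumably this is the Vault port; confirm the Vault
        # address used by the injector is https:// so the login token and the
        # secrets are protected by Vault's own TLS.
        traffic.sidecar.istio.io/excludeOutboundPorts: "8200"
        # The agent runs before other init containers (agent-init-first) and
        # is injected only as an init container (agent-pre-populate-only):
        # secrets are rendered once at pod start and never refreshed, so
        # rotating the database password or the key pair requires a pod
        # restart.
        vault.hashicorp.com/agent-init-first: "true"
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-pre-populate-only: "true"
        # Kubernetes auth mount and Vault role used for login. What this pod
        # can read is decided by the policies attached to the role, not by
        # this manifest. NOTE(review): confirm the role is bound only to the
        # processing-vault service account in this namespace and that its
        # policy is limited to the two paths read below.
        vault.hashicorp.com/auth-path: auth/kubernetes
        vault.hashicorp.com/role: processing
        # Rendered to /vault/secrets/processing-postgresql as KEY=value lines
        # that the entrypoint sources with `.`. The values are written
        # unquoted, so bash parses them as shell syntax: a username or
        # password containing whitespace, quotes, `$`, backticks or `;` is not
        # loaded verbatim. Either restrict generated credentials to shell-safe
        # characters or have the application read the file itself instead of
        # sourcing it.
        vault.hashicorp.com/agent-inject-secret-processing-postgresql: secrets/data/postgresql/apps/processing
        vault.hashicorp.com/agent-inject-template-processing-postgresql: |-
          {{- with secret "secrets/data/postgresql/apps/processing" -}}
          POSTGRES_ADDRESS=postgresql.processing.svc.cluster.local
          POSTGRES_PORT=5432
          POSTGRES_USER={{ index .Data.data "username" }}
          POSTGRES_PASSWORD={{ index .Data.data "password" }}
          POSTGRES_DB=workflow_db
          {{- end -}}
        # Only the public_key field is rendered, but Vault KV policies grant
        # access per path, not per field. NOTE(review): if
        # secrets/data/vault/common/rsa_keys also holds the private key, this
        # pod's Vault identity can read it; consider storing the public key
        # under its own path.
        vault.hashicorp.com/agent-inject-secret-processing-jwt-public: secrets/data/vault/common/rsa_keys
        vault.hashicorp.com/agent-inject-template-processing-jwt-public: |-
          {{- with secret "secrets/data/vault/common/rsa_keys" -}}
          {{ index .Data.data "public_key" }}
          {{- end -}}
    spec:
      # Service account whose token the Vault Agent presents to the
      # auth/kubernetes mount.
      serviceAccountName: processing-vault
      containers:
        - name: workflows-api
          # NOTE(review): the image is referenced by tag. Tags can be
          # re-pushed, and with IfNotPresent a node that already cached the
          # tag keeps its copy, so nodes can end up running different content.
          # Pinning by digest (...:075fc0@sha256:<digest>) makes the deployed
          # image immutable.
          image: cr.yandex/crp3ccidau046kdj8g9q/workflows-api_prod:075fc0
          imagePullPolicy: IfNotPresent
          # bash -e -c: abort on the first failing command. `set -a` exports
          # every variable assigned while it is on, so the credentials end up
          # in the environment of /httpserver and of any child process it
          # starts.
          # A missing secrets file is skipped rather than treated as an error
          # (a failing test on the left of `&&` does not trigger -e), so the
          # server would start without credentials or PUBLIC_KEY.
          # NOTE(review): confirm /httpserver refuses to start in that case
          # instead of running with token verification unconfigured.
          command: ["/bin/bash", "-ec"]
          args:
            - |
              set -a
              [ -f /vault/secrets/processing-postgresql ] && . /vault/secrets/processing-postgresql
              [ -f /vault/secrets/processing-jwt-public ] && export PUBLIC_KEY="$(cat /vault/secrets/processing-jwt-public)"
              set +a
              exec /httpserver migrate
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          env:
            - name: POSTGRES_POOL_SIZE
              value: "3"
            - name: HTTP_HOST
              value: 0.0.0.0:8080
            - name: DJANGO_HOST
              value: http://backend-svc.django.svc.cluster.local:80
            # Path to a service-account key file. No volume or volumeMount in
            # this manifest provides /etc/sarex/yc-s3. NOTE(review): this file
            # sits under base/, so presumably an overlay mounts it; confirm,
            # and consider delivering the key through the Vault injection used
            # for the other secrets.
            - name: S3_SERVICE_ACCOUNT
              value: /etc/sarex/yc-s3/yc-s3-service-account.json
            - name: ENABLE_SQL_QUERY
              value: "0"
            # NOTE(review): presumably disables TLS on the PostgreSQL
            # connection. If so, the database credentials and query data rely
            # on the mesh for transport protection, and only if the PostgreSQL
            # pod is part of it. Confirm.
            - name: POSTGRES_SSL_USE
              value: "0"
            # Downward API: expose the pod's own name to the process.
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
          # Only requests are set. Without limits the container can use node
          # CPU and memory beyond its request. NOTE(review): consider at
          # least a memory limit.
          resources:
            requests:
              cpu: "1"
              memory: 1Gi
      # Registry credentials; the `regcred` Secret must exist in the
      # `processing` namespace.
      imagePullSecrets:
        - name: regcred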