diff --git a/README.md b/README.md
index 8c24fdf..3ec178d 100644
--- a/README.md
+++ b/README.md
@@ -71,14 +71,14 @@ spec:
 replicas: 1
 selector:
 matchLabels:
- app.kubernetes.io/name: vault
+ app.kubernetes.io/name: vault-test
 template:
 metadata:
 labels:
- app.kubernetes.io/name: vault
+ app.kubernetes.io/name: vault-test
 annotations:
 vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech" # внешний адрес vault
- vault.security.banzaicloud.io/vault-role: "vault-k8s-role" # роль из под которой будем ходить в vault
+ vault.security.banzaicloud.io/vault-role: "sandbox" # роль из под которой будем ходить в vault
 vault.security.banzaicloud.io/vault-skip-verify: "false" # проверять сертификат или нет на стороне vault
 # vault.security.banzaicloud.io/vault-tls-secret: "vault-tls" # сертификат для vault если он самоподписанный
 # vault.security.banzaicloud.io/vault-agent: "false" # запускать акента который будет отслеживать изменения секрета
@@ -89,6 +89,13 @@ spec:
 - name: alpine
 image: alpine
 command: ["sh", "-c", "echo $POSTGRES_DSN && echo going to sleep... && sleep 10000"]
+ resources:
+ requests:
+ cpu: 50m
+ memory: 32Mi
+ limits:
+ cpu: 100m
+ memory: 64Mi
 env:
 - name: POSTGRES_DSN # переменная окружения куда попадет секрет
 value: vault:prj-tavro-cloud-backend/data/k8s/avroid.local/ns-tarvo-cloud-dev/svc-messenger-core-api#POSTGRES_DSN # путь до секрета
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/.rbac/argocd-apps-harbor-registry-secret.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/.rbac/argocd-apps-harbor-registry-secret.yaml
index 710f090..d61db52 100644
--- a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/.rbac/argocd-apps-harbor-registry-secret.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/.rbac/argocd-apps-harbor-registry-secret.yaml
@@ -6,6 +6,11 @@ metadata:
 app.kubernetes.io/managed-by: argocd
 name: harbor-registry-secret
 namespace: avroid-prod
+ annotations:
+ vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
+ vault.security.banzaicloud.io/vault-role: "avroid-staging"
+ vault.security.banzaicloud.io/vault-skip-verify: "false"
+ vault.security.banzaicloud.io/vault-path: "avroid-office"
 type: kubernetes.io/dockerconfigjson
 data:
 .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IuYXZyb2lkLnRlY2giOnsidXNlcm5hbWUiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLmxvZ2luIiwicGFzc3dvcmQiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLnRva2VuIiwiYXV0aCI6ImNtOWliM1FrWTJrNlNGSnFPV2xJUVhoMlZVbDFlVlJhYjJkMVMxQmtSMjFVUzA4MlVqbGtVbm89In19fQo=
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/.rbac/argocd-apps-harbor-registry-secret.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/.rbac/argocd-apps-harbor-registry-secret.yaml
index 1860c12..bfdad16 100644
--- a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/.rbac/argocd-apps-harbor-registry-secret.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/.rbac/argocd-apps-harbor-registry-secret.yaml
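Review bot: The annotation block added to the Secret in namespace `avroid-prod` sets `vault.security.banzaicloud.io/vault-role: "avroid-staging"`, so the production namespace authenticates to Vault with the staging role; it is byte-identical to the block added to the `avroid-staging` file in the next hunk, which reads like a copy-paste. A production object should use a role scoped to its own namespace and service account (a value such as `vault.security.banzaicloud.io/vault-role: "avroid-prod"` only if that role actually exists in Vault), otherwise staging and prod share one Vault identity and one policy set. Separately, the unchanged `.dockerconfigjson` context line present in both files carries `username` and `password` as `vault:` references, but its `auth` field appears to decode to a literal base64 `user:token` pair rather than a reference; if so, a static registry credential stays committed in git regardless of the new annotations and should be replaced by `vault:` references and rotated, after confirming how the webhook treats the `auth` field.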
@@ -6,6 +6,11 @@ metadata:
 app.kubernetes.io/managed-by: argocd
 name: harbor-registry-secret
 namespace: avroid-staging
+ annotations:
+ vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
+ vault.security.banzaicloud.io/vault-role: "avroid-staging"
+ vault.security.banzaicloud.io/vault-skip-verify: "false"
+ vault.security.banzaicloud.io/vault-path: "avroid-office"
 type: kubernetes.io/dockerconfigjson
 data:
 .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IuYXZyb2lkLnRlY2giOnsidXNlcm5hbWUiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLmxvZ2luIiwicGFzc3dvcmQiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLnRva2VuIiwiYXV0aCI6ImNtOWliM1FrWTJrNlNGSnFPV2xJUVhoMlZVbDFlVlJhYjJkMVMxQmtSMjFVUzA4MlVqbGtVbm89In19fQo=
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
index 7d3727b..9df9d28 100644
--- a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot-staging/values-ovveride.yaml
@@ -34,6 +34,13 @@ resources:
 nodeSelector:
 node-role.kubernetes.io/worker: ""
+## @param podAnnotations Pod annotations.
+podAnnotations:
+ vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
+ vault.security.banzaicloud.io/vault-role: "avroid-staging"
+ vault.security.banzaicloud.io/vault-skip-verify: "false"
+ vault.security.banzaicloud.io/vault-path: "avroid-office"
+
 ## @section App parameters
 app:
@@ -118,6 +125,14 @@ app: webhook: secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.bitbucket.webhook.secret}" +## @section Security parameters + +serviceAccount: + ## @param serviceAccount.create Specifies whether a service account should be created + create: false + ## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated using the fullname template + name: "vault" + ## ref: https://kubernetes.io/docs/user-guide/ingress/ ingress:
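Review bot: `serviceAccount.create: false` together with `name: "vault"` makes the sonarqube bot pod run under a pre-existing, presumably shared `vault` ServiceAccount whose RBAC and Vault auth bindings are not visible in this diff. If that ServiceAccount is the one the Vault Kubernetes-auth role `avroid-staging` (set in this file's `podAnnotations` hunk above) trusts, every pod that can use the same account obtains identical Vault access and the bot's policy may not be narrowable on its own; a dedicated account (`create: true` with a workload-specific `name`) bound to its own role keeps the workload's identity distinct. The copied `## @param serviceAccount.name` text still describes the chart default ("a name is generated using the fullname template") although this override disables it, so a comment such as `# reuses the shared "vault" SA; confirm its Vault role bindings before promoting` would help the next reader. The `app:` mapping this hunk sits in begins before the hunk.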