[DO-1600] Fix use Bank VAult in avroid-staging (!62)
[DO-1600] Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/62
13
README.md
13
README.md
@@ -71,14 +71,14 @@ spec:
|
|||||||
replicas: 1
|
replicas: 1
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app.kubernetes.io/name: vault
|
app.kubernetes.io/name: vault-test
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app.kubernetes.io/name: vault
|
app.kubernetes.io/name: vault-test
|
||||||
annotations:
|
annotations:
|
||||||
vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech" # внешний адрес vault
|
vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech" # внешний адрес vault
|
||||||
vault.security.banzaicloud.io/vault-role: "vault-k8s-role" # роль из под которой будем ходить в vault
|
vault.security.banzaicloud.io/vault-role: "sandbox" # роль из под которой будем ходить в vault
|
||||||
vault.security.banzaicloud.io/vault-skip-verify: "false" # проверять сертификат или нет на стороне vault
|
vault.security.banzaicloud.io/vault-skip-verify: "false" # проверять сертификат или нет на стороне vault
|
||||||
# vault.security.banzaicloud.io/vault-tls-secret: "vault-tls" # сертификат для vault если он самоподписанный
|
# vault.security.banzaicloud.io/vault-tls-secret: "vault-tls" # сертификат для vault если он самоподписанный
|
||||||
# vault.security.banzaicloud.io/vault-agent: "false" # запускать акента который будет отслеживать изменения секрета
|
# vault.security.banzaicloud.io/vault-agent: "false" # запускать акента который будет отслеживать изменения секрета
|
||||||
@@ -89,6 +89,13 @@ spec:
|
|||||||
- name: alpine
|
- name: alpine
|
||||||
image: alpine
|
image: alpine
|
||||||
command: ["sh", "-c", "echo $POSTGRES_DSN && echo going to sleep... && sleep 10000"]
|
command: ["sh", "-c", "echo $POSTGRES_DSN && echo going to sleep... && sleep 10000"]
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 50m
|
||||||
|
memory: 32Mi
|
||||||
|
limits:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 64Mi
|
||||||
env:
|
env:
|
||||||
- name: POSTGRES_DSN # переменная окружения куда попадет секрет
|
- name: POSTGRES_DSN # переменная окружения куда попадет секрет
|
||||||
value: vault:prj-tavro-cloud-backend/data/k8s/avroid.local/ns-tarvo-cloud-dev/svc-messenger-core-api#POSTGRES_DSN # путь до секрета
|
value: vault:prj-tavro-cloud-backend/data/k8s/avroid.local/ns-tarvo-cloud-dev/svc-messenger-core-api#POSTGRES_DSN # путь до секрета
|
||||||
|
|||||||
@@ -6,6 +6,11 @@ metadata:
|
|||||||
app.kubernetes.io/managed-by: argocd
|
app.kubernetes.io/managed-by: argocd
|
||||||
name: harbor-registry-secret
|
name: harbor-registry-secret
|
||||||
namespace: avroid-prod
|
namespace: avroid-prod
|
||||||
|
annotations:
|
||||||
|
vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
|
||||||
|
vault.security.banzaicloud.io/vault-role: "avroid-staging"
|
||||||
|
vault.security.banzaicloud.io/vault-skip-verify: "false"
|
||||||
|
vault.security.banzaicloud.io/vault-path: "avroid-office"
|
||||||
type: kubernetes.io/dockerconfigjson
|
type: kubernetes.io/dockerconfigjson
|
||||||
data:
|
data:
|
||||||
.dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IuYXZyb2lkLnRlY2giOnsidXNlcm5hbWUiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLmxvZ2luIiwicGFzc3dvcmQiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLnRva2VuIiwiYXV0aCI6ImNtOWliM1FrWTJrNlNGSnFPV2xJUVhoMlZVbDFlVlJhYjJkMVMxQmtSMjFVUzA4MlVqbGtVbm89In19fQo=
|
.dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IuYXZyb2lkLnRlY2giOnsidXNlcm5hbWUiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLmxvZ2luIiwicGFzc3dvcmQiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLnRva2VuIiwiYXV0aCI6ImNtOWliM1FrWTJrNlNGSnFPV2xJUVhoMlZVbDFlVlJhYjJkMVMxQmtSMjFVUzA4MlVqbGtVbm89In19fQo=
|
||||||
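Review bot: The added annotation `vault.security.banzaicloud.io/vault-role: "avroid-staging"` sits on the secret whose `namespace` is `avroid-prod`, so the production copy of `harbor-registry-secret` would log in to Vault with the staging role. If that role is bound only to the staging namespace or its service accounts, the webhook may fail to resolve the `vault:` references in this object; if it is bound to both, staging and production share one Vault identity and policy. Either use a production-scoped role in this file or add a comment above the annotation saying the reuse is deliberate, e.g. `# prod intentionally reuses the avroid-staging role (see <ticket-id>)`.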
|
|||||||
@@ -6,6 +6,11 @@ metadata:
|
|||||||
app.kubernetes.io/managed-by: argocd
|
app.kubernetes.io/managed-by: argocd
|
||||||
name: harbor-registry-secret
|
name: harbor-registry-secret
|
||||||
namespace: avroid-staging
|
namespace: avroid-staging
|
||||||
|
annotations:
|
||||||
|
vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
|
||||||
|
vault.security.banzaicloud.io/vault-role: "avroid-staging"
|
||||||
|
vault.security.banzaicloud.io/vault-skip-verify: "false"
|
||||||
|
vault.security.banzaicloud.io/vault-path: "avroid-office"
|
||||||
type: kubernetes.io/dockerconfigjson
|
type: kubernetes.io/dockerconfigjson
|
||||||
data:
|
data:
|
||||||
.dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IuYXZyb2lkLnRlY2giOnsidXNlcm5hbWUiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLmxvZ2luIiwicGFzc3dvcmQiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLnRva2VuIiwiYXV0aCI6ImNtOWliM1FrWTJrNlNGSnFPV2xJUVhoMlZVbDFlVlJhYjJkMVMxQmtSMjFVUzA4MlVqbGtVbm89In19fQo=
|
.dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IuYXZyb2lkLnRlY2giOnsidXNlcm5hbWUiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLmxvZ2luIiwicGFzc3dvcmQiOiJ2YXVsdDp0ZWFtLWRldm9wcy9kYXRhL3NlcnZpY2VzL3JlZ2lzdHJ5L0hhcmJvci9oYXJib3IuYXZyb2lkLnRlY2gjc2VydmljZS51c2VyLmNpLnRva2VuIiwiYXV0aCI6ImNtOWliM1FrWTJrNlNGSnFPV2xJUVhoMlZVbDFlVlJhYjJkMVMxQmtSMjFVUzA4MlVqbGtVbm89In19fQo=
|
||||||
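Review bot: The new Vault annotations only help the `username` and `password` fields of `.dockerconfigjson`. Decoding the unchanged `data` value shows the `auth` field holding a fixed base64 string rather than a `vault:` reference, which looks like a literal login:token pair committed to the repository. Image-pull clients typically prefer `auth` when it is present, so the Vault-injected values may never be used. I would drop the `auth` field from the encoded JSON so only the Vault-resolved fields remain, and rotate the registry token if the decoded value is a live credential. The same encoded value appears in the `avroid-prod` copy of this secret.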
|
|||||||
@@ -34,6 +34,13 @@ resources:
|
|||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/worker: ""
|
node-role.kubernetes.io/worker: ""
|
||||||
|
|
||||||
|
## @param podAnnotations Pod annotations.
|
||||||
|
podAnnotations:
|
||||||
|
vault.security.banzaicloud.io/vault-addr: "https://vault.avroid.tech"
|
||||||
|
vault.security.banzaicloud.io/vault-role: "avroid-staging"
|
||||||
|
vault.security.banzaicloud.io/vault-skip-verify: "false"
|
||||||
|
vault.security.banzaicloud.io/vault-path: "avroid-office"
|
||||||
|
|
||||||
## @section App parameters
|
## @section App parameters
|
||||||
|
|
||||||
app:
|
app:
|
||||||
@@ -118,6 +125,14 @@ app:
|
|||||||
webhook:
|
webhook:
|
||||||
secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.bitbucket.webhook.secret}"
|
secret: "${vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.bitbucket.webhook.secret}"
|
||||||
|
|
||||||
|
## @section Security parameters
|
||||||
|
|
||||||
|
serviceAccount:
|
||||||
|
## @param serviceAccount.create Specifies whether a service account should be created
|
||||||
|
create: false
|
||||||
|
## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated using the fullname template
|
||||||
|
name: "vault"
|
||||||
|
|
||||||
## ref: https://kubernetes.io/docs/user-guide/ingress/
|
## ref: https://kubernetes.io/docs/user-guide/ingress/
|
||||||
ingress:
|
ingress:
|
||||||
|
|
||||||
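Review bot: In the second hunk, `serviceAccount.create: false` with `name: "vault"` makes the pod authenticate to Vault under a pre-existing, generically named service account. Nothing in these values shows that the account exists in the target namespace or is dedicated to this app. If other workloads run under the same account, they all satisfy whatever binding the `avroid-staging` role from `podAnnotations` places on it, which widens access to the `team-devops/...` paths referenced above. An app-specific service account bound to its own Vault role would keep this least-privilege; at minimum add a comment above `name:` such as `# must match the service account bound to the avroid-staging Vault role`.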
|
|||||||