docs: sync addon docs with explicit external/internal service modes

Обновлена документация под новые аддоны (gitlab, redis, mongodb, kafka, kafka-ui, rabbitmq) и новую модель явного выбора зависимостей. Добавлены и унифицированы описания переключателей *_database_mode и *_redis_mode, обновлена таблица зависимостей аддонов, примеры конфигурации и список vault-секретов.
2026-04-29 23:21:04 +03:00
parent dde2fc8a8a
commit 38aaadbfb1
128 changed files with 2881 additions and 902 deletions
--- a/docs/security.md
+++ b/docs/security.md
@@ -74,6 +74,104 @@ annotations:

 Секрет будет доступен в поде как `/vault/secrets/config.env`.

+### Примеры: как подключать env в манифесты из HashiCorp Vault
+
+#### Вариант 1 — Vault Agent Injector + `source /vault/secrets/*.env`
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app-with-injector
+  namespace: my-app
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: app-with-injector
+  template:
+    metadata:
+      labels:
+        app: app-with-injector
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "my-app"
+        vault.hashicorp.com/agent-inject-secret-app.env: "secret/data/myapp/config"
+        vault.hashicorp.com/agent-inject-template-app.env: |
+          {{- with secret "secret/data/myapp/config" -}}
+          DB_PASSWORD={{ .Data.data.db_password }}
+          API_KEY={{ .Data.data.api_key }}
+          {{- end }}
+    spec:
+      serviceAccountName: my-app
+      containers:
+        - name: app
+          image: ghcr.io/example/app:latest
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -a
+              . /vault/secrets/app.env
+              set +a
+              exec /app/start
+```
+
+#### Вариант 2 — Vault → ExternalSecret → `envFrom.secretRef`
+
+```yaml
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: app-env
+  namespace: my-app
+spec:
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: app-env
+  data:
+    - secretKey: DB_PASSWORD
+      remoteRef:
+        key: secret/myapp
+        property: db_password
+    - secretKey: API_KEY
+      remoteRef:
+        key: secret/myapp
+        property: api_key
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app-with-envfrom
+  namespace: my-app
+spec:
+  template:
+    spec:
+      containers:
+        - name: app
+          image: ghcr.io/example/app:latest
+          envFrom:
+            - secretRef:
+                name: app-env
+```
+
+#### Вариант 3 — отдельные env-переменные через `secretKeyRef`
+
+```yaml
+env:
+  - name: DB_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: app-env
+        key: DB_PASSWORD
+  - name: API_KEY
+    valueFrom:
+      secretKeyRef:
+        name: app-env
+        key: API_KEY
+```
+
 ### Kubernetes Auth Method

 ```bash