diff --git a/yonote-chart-mono/Chart.lock b/yonote-chart-mono/Chart.lock index 6a6910e..b42e272 100644 --- a/yonote-chart-mono/Chart.lock +++ b/yonote-chart-mono/Chart.lock @@ -10,6 +10,9 @@ dependencies: version: 16.12.1 - name: minio repository: https://charts.bitnami.com/bitnami - version: 14.6.20 -digest: sha256:dfaa7914dc55b5c305826ec1ed880af5c50904131aca19fe758d779719d35e99 -generated: "2024-07-17T16:05:55.571392551+03:00" + version: 12.7.0 +- name: keycloak + repository: https://charts.bitnami.com/bitnami + version: 14.0.0 +digest: sha256:b12099844193a7a06a5d15b80774592b1cf73af191b654154a9c7a6e8d51a2e0 +generated: "2024-08-25T04:02:50.20628049+03:00" diff --git a/yonote-chart-mono/Chart.yaml b/yonote-chart-mono/Chart.yaml index 6606fa7..14e7f59 100644 --- a/yonote-chart-mono/Chart.yaml +++ b/yonote-chart-mono/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 name: yonote-chart -version: 1.2.1 +version: 1.2.0 description: Generic application Helm chart. - This chart includes multiple dependencies. The base of this chart is derived from the Dysnix app chart. + This chart includes multiple dependencies. The base of this chart is derived from the Dynix app chart. maintainers: - name: Dysnix email: support@dysnix.com @@ -14,12 +14,12 @@ dependencies: version: "0.3.15" repository: https://dysnix.github.io/charts alias: yonote-web - + - name: postgresql version: "11.6.6" repository: https://charts.bitnami.com/bitnami - condition: yonote-database.enabled - alias: yonote-database + condition: yonoteDatabase.enabled + alias: yonoteDatabase - name: redis version: "16.12.1" @@ -28,7 +28,13 @@ dependencies: alias: yonote-redis - name: minio - version: "14.6.20" + version: "12.7.0" repository: https://charts.bitnami.com/bitnami condition: minio.enabled - alias: minio \ No newline at end of file + alias: minio + + - name: keycloak + version: "14.0.0" + repository: https://charts.bitnami.com/bitnami + condition: keycloak.enabled + alias: keycloak \ No newline at end of file 
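Review bot: In the Chart.yaml hunk the chart version goes backwards, `-version: 1.2.1` / `+version: 1.2.0`, while the same commit adds a keycloak dependency and re-pins minio, so a repository that already holds 1.2.1 will consider this release older and an upgrade by version constraint can skip it; bump to 1.3.0 or at least 1.2.2. The rewritten description line also introduces a typo, `Dynix` for `Dysnix`, which contradicts the maintainers entry right below it. The minio dependency is moved from 14.6.20 down to 12.7.0 with no explanation; if the downgrade is deliberate, a one-line comment on that dependency entry saying why would save the next reader from "fixing" it.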
diff --git a/yonote-chart-mono/charts/app-0.3.15.tgz b/yonote-chart-mono/charts/app-0.3.15.tgz
deleted file mode 100644
index b7125eb..0000000
Binary files a/yonote-chart-mono/charts/app-0.3.15.tgz and /dev/null differ
diff --git a/yonote-chart-mono/charts/minio-14.6.20.tgz b/yonote-chart-mono/charts/minio-14.6.20.tgz
deleted file mode 100644
index e3c59bc..0000000
Binary files a/yonote-chart-mono/charts/minio-14.6.20.tgz and /dev/null differ
diff --git a/yonote-chart-mono/charts/postgresql-11.6.6.tgz b/yonote-chart-mono/charts/postgresql-11.6.6.tgz
deleted file mode 100644
index b743d2b..0000000
Binary files a/yonote-chart-mono/charts/postgresql-11.6.6.tgz and /dev/null differ
diff --git a/yonote-chart-mono/charts/redis-16.12.1.tgz b/yonote-chart-mono/charts/redis-16.12.1.tgz
deleted file mode 100644
index 8be70f6..0000000
Binary files a/yonote-chart-mono/charts/redis-16.12.1.tgz and /dev/null differ
diff --git a/yonote-chart-mono/secret-values.yaml b/yonote-chart-mono/secret-values.yaml
index 3cbd5a8..2c6663b 100644
--- a/yonote-chart-mono/secret-values.yaml
+++ b/yonote-chart-mono/secret-values.yaml
@@ -1,31 +1,45 @@ -global: +global: yonote: config: secret: stringData: - DATABASE_URL: 'postgres://{{ .Values.global.postgresql.auth.username }}:{{ .Values.global.postgresql.auth.password }}@yonote-db:5432/{{ .Values.global.postgresql.auth.database }}' - POSTGRES_PASSWORD: wsGZ6kXhr5 - AWS_ACCESS_KEY_ID: "minioadmin" # Ваш идентификатор ключа доступа к AWS. Поведение в SelfHosted: устанавливает логин сервис аккаунта для доступа приложения к Minio S3 хранилищу - AWS_SECRET_ACCESS_KEY: "minioadminsecret" # Ваш секретный ключ доступа AWS. Поведение в SelfHosted: устанавливает пароль сервис аккаунта для доступа приложения к Minio S3 хранилищу - OIDC_CLIENT_SECRET: "" + DATABASE_URL: 'postgres://{{ .Values.yonoteDatabase.global.postgresql.auth.username }}:{{ .Values.yonoteDatabase.global.postgresql.auth.password }}@yonote-database:5432/{{ .Values.yonoteDatabase.global.postgresql.auth.database }}' + POSTGRES_PASSWORD: "{{ .Values.yonoteDatabase.global.postgresql.auth.password }}" + AWS_ACCESS_KEY_ID: "{{ .Values.minio.auth.rootUser }}" # Ваш идентификатор ключа доступа к AWS. Поведение в SelfHosted: устанавливает логин сервис аккаунта для доступа приложения к Minio S3 хранилищу + AWS_SECRET_ACCESS_KEY: "{{ .Values.minio.auth.rootPassword }}" # Ваш секретный ключ доступа AWS. Поведение в SelfHosted: устанавливает пароль сервис аккаунта для доступа приложения к Minio S3 хранилищу + OIDC_CLIENT_SECRET: "Kdq8rk5Pv5RW1c5kHXpnyfrmMRzI9xSD" # Секретный ключ клиента для аутентификации по OpenID Connect (OIDC). SECRET_KEY: "659a8881b186198c3146e316f6dab67df25496534d1fa156d624b037260df688" # Сгенерируйте 32-байтовый случайный ключ в шестнадцатеричном коде. Вам следует использовать `openssl rand -hex 32` в вашем терминале для генерации случайного значения. SMTP_PASSWORD: "1234" UTILS_SECRET: "7bd5e9ac4415dd0dbf6b7721e2a21e9427b268cd0140c7516d13dece5024d479" # Сгенерируйте уникальный случайный ключ. 
Формат не важен, но вы все равно можете использовать`openssl rand -hex 32` в вашем терминале, чтобы создать это. TELEGRAM_BOT_TOKEN: "1234" UNSPLASH_API_ACCESS_KEY: "a-yGo6HpRP6jNfravx4Bz-oiPrRnH_5-24Xa9ZPlePE" - LICENSE_KEY: "" # Обратитесь в отдел продаж для получения + LICENSE_KEY: "qwerty-123456-zxcvb" # Обратитесь в отдел продаж для получения SERVICE_WORKER_PUBLIC_KEY: "1234" SERVICE_WORKER_PRIVATE_KEY: "1234" - # Генерация ключей (web-push) Service Worker - # 1) Установить Node.js и npm - # 2) Выполнить команду для генерации ключей - # npx web-push generate-vapid-keys - # 3) Полученные значения ввести в .env файл (SERVICE_WORKER_PUBLIC_KEY, SERVICE_WORKER_PRIVATE_KEY) + # Генерация ключей (web-push) Service Worker + # 1) Установить Node.js и npm + # 2) Выполнить команду для генерации ключей + # npx web-push generate-vapid-keys + # 3) Полученные значения ввести в .env файл (SERVICE_WORKER_PUBLIC_KEY, SERVICE_WORKER_PRIVATE_KEY) - postgresql: - auth: - password: "wsGZ6kXhr5" - postgresPassword: "QQYw4UjOU" +yonoteDatabase: + global: + postgresql: + auth: + password: "wsGZ6kXhr5" + postgresPassword: "QQYw4UjOU" - - \ No newline at end of file +# yonote-redis: # Если используете пароль для redis +# auth: +# password: "12345678" + +minio: + auth: + rootPassword: "12345678" + +keycloak: + auth: + adminPassword: "root" + postgresql: + auth: + password: "tT9BqYdNyd" \ No newline at end of file diff --git a/yonote-chart-mono/templates/cronjob.yaml b/yonote-chart-mono/templates/cronjob.yaml index 21de386..60a2763 100644 --- a/yonote-chart-mono/templates/cronjob.yaml +++ b/yonote-chart-mono/templates/cronjob.yaml @@ -29,7 +29,7 @@ spec: { "token": "$(UTILS_SECRET)" } - ' + ' restartPolicy: OnFailure {{- end }} --- @@ -64,6 +64,6 @@ spec: { "token":"$(UTILS_SECRET)", "limit":"200" } - ' + ' restartPolicy: OnFailure {{- end }} \ No newline at end of file 
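Review bot: The secret-values.yaml hunk replaces empty placeholders with working credential material in a tracked file — `OIDC_CLIENT_SECRET: "Kdq8rk5Pv5RW1c5kHXpnyfrmMRzI9xSD"`, `LICENSE_KEY: "qwerty-123456-zxcvb"`, `minio.auth.rootPassword: "12345678"`, `keycloak.auth.adminPassword: "root"` and the keycloak database password — so everyone with read access to the repository holds them, and any install that does not override them ships with these defaults. Keep these values empty or obviously placeholder here and supply the real ones at install time (a values file outside VCS, `--set`, or a secrets operator), or point the bitnami subcharts at pre-created Secrets through their `auth.existingSecret` keys. The keycloak database password is additionally written twice by this commit, here under `keycloak.postgresql.auth.password` and as a plaintext `KC_DB_PASSWORD` in values.yaml, which will drift on the next rotation.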
diff --git a/yonote-chart-mono/templates/ingress.yaml b/yonote-chart-mono/templates/ingress.yaml
new file mode 100644
index 0000000..04bc8a6
--- /dev/null
+++ b/yonote-chart-mono/templates/ingress.yaml
@@ -0,0 +1,34 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ .Values.ingress.name }}
+ namespace: {{ .Values.ingress.namespace }}
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: "{{ $value }}"
+ {{- end }}
+spec:
+ ingressClassName: {{ .Values.ingress.ingressClassName }}
+ tls:
+ - secretName: "{{ .Values.ingress.tls.secretName }}"
+ hosts:
+ {{- range .Values.ingress.tls.hosts }}
+ - "{{ . }}"
+ {{- end }}
+ rules:
+ {{- range .Values.ingress.rules }}
+ - host: "{{ .host }}"
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ pathType: {{ .pathType }}
+ backend:
+ service:
+ name: {{ .service.name }}
+ port:
+ number: {{ .service.port | int }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/yonote-chart-mono/templates/mcJob.yaml b/yonote-chart-mono/templates/mcJob.yaml
new file mode 100644
index 0000000..7835bd2
--- /dev/null
+++ b/yonote-chart-mono/templates/mcJob.yaml
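Review bot: The template reads `.Values.ingress.tls.secretName` and `.Values.ingress.tls.hosts` as if `tls` were a mapping, but the values.yaml hunk in this commit defines `ingress.tls` as a list (`tls: - secretName: "you_tls_secret" ...`), so rendering with `ingress.enabled: true` fails on a field lookup against a slice. Two more problems in the same block: `{{ $key }}: "{{ $value }}"` wraps annotation values in bare double quotes, and the nginx snippet annotations from values.yaml contain both newlines and `"` characters (`proxy_set_header Connection "upgrade";`), which breaks the YAML; and `namespace: {{ .Values.ingress.namespace }}` pins the Ingress to `yonote-onprem` while its backend Services are resolved in the Ingress's own namespace, so an install into any other namespace gets an Ingress with no reachable backends. Rendering the annotations and tls blocks with `toYaml`/`nindent` and defaulting the namespace to `.Release.Namespace` fixes all three.
```yaml
metadata:
  name: {{ .Values.ingress.name }}
  namespace: {{ .Values.ingress.namespace | default .Release.Namespace }}
  {{- with .Values.ingress.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  ingressClassName: {{ .Values.ingress.ingressClassName }}
  {{- with .Values.ingress.tls }}
  tls:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  # … unchanged: rules rendering …
```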
@@ -0,0 +1,39 @@
+{{- if .Values.mcJob.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: yonote-minio-mc-job
+ labels:
+ app: yonote-minio
+spec:
+ template:
+ metadata:
+ labels:
+ app: yonote-minio
+ spec:
+ containers:
+ - name: mc-client
+ image: "docker.io/bitnami/minio-client:2024.8.13-debian-12-r0"
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ until mc alias set myminio http://yonote-minio:9000 {{ .Values.minio.auth.rootUser }} {{ .Values.minio.auth.rootPassword }}; do
+ echo "Waiting for MinIO to be ready..."
+ sleep 5
+ done
+ if ! mc ls myminio/yonote-bucket; then
+ mc mb myminio/yonote-bucket
+ else
+ echo "Bucket yonote-bucket already exists."
+ fi
+ resources:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "256Mi"
+ cpu: "200m"
+ restartPolicy: OnFailure
+ backoffLimit: 5
+ ttlSecondsAfterFinished: 100
+{{- end }}
\ No newline at end of file
diff --git a/yonote-chart-mono/templates/realm-configmap.yaml b/yonote-chart-mono/templates/realm-configmap.yaml
new file mode 100644
index 0000000..11d7483
--- /dev/null
+++ b/yonote-chart-mono/templates/realm-configmap.yaml
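Review bot: The `mc alias set` line interpolates `.Values.minio.auth.rootPassword` straight into the container `args`, so the MinIO root password ends up in the rendered manifest, in the Job and Pod objects (readable by anyone with `get pods` in the namespace) and in the process arguments of the container. Take both credentials from the minio subchart's Secret via `secretKeyRef` and reference them as shell variables instead; the Secret name follows `fullnameOverride: yonote-minio` from values.yaml, and the key names below are the bitnami convention — confirm them against the deployed chart version. While here, `http://yonote-minio:9000` and `yonote-bucket` are hard-coded although values.yaml carries the same names; deriving them from values avoids the two drifting apart.
```yaml
      containers:
        - name: mc-client
          image: "docker.io/bitnami/minio-client:2024.8.13-debian-12-r0"
          env:
            - name: MINIO_ROOT_USER
              valueFrom:
                secretKeyRef:
                  name: yonote-minio   # bitnami minio secret; key names to confirm
                  key: root-user
            - name: MINIO_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: yonote-minio
                  key: root-password
          command: ["/bin/sh", "-c"]
          args:
            - |
              until mc alias set myminio http://yonote-minio:9000 "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD"; do
              # … unchanged: wait loop, bucket check/creation, resources …
```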
@@ -0,0 +1,169 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: realm-export +data: + realm-export.json: | + { + "realm": "yonote", + "enabled": true, + "notBefore": 1647809856, + "defaultSignatureAlgorithm": "RS256", + "revokeRefreshToken": false, + "refreshTokenMaxReuse": 0, + "accessTokenLifespan": 300, + "accessTokenLifespanForImplicitFlow": 900, + "ssoSessionIdleTimeout": 1800, + "ssoSessionMaxLifespan": 36000, + "ssoSessionIdleTimeoutRememberMe": 0, + "ssoSessionMaxLifespanRememberMe": 0, + "offlineSessionIdleTimeout": 2592000, + "offlineSessionMaxLifespanEnabled": false, + "offlineSessionMaxLifespan": 5184000, + "clientSessionIdleTimeout": 0, + "clientSessionMaxLifespan": 0, + "clientOfflineSessionIdleTimeout": 0, + "clientOfflineSessionMaxLifespan": 0, + "accessCodeLifespan": 60, + "accessCodeLifespanUserAction": 300, + "accessCodeLifespanLogin": 1800, + "actionTokenGeneratedByAdminLifespan": 43200, + "actionTokenGeneratedByUserLifespan": 300, + "oauth2DeviceCodeLifespan": 600, + "oauth2DevicePollingInterval": 5, + "sslRequired": "external", + "registrationAllowed": true, + "registrationEmailAsUsername": true, + "rememberMe": true, + "verifyEmail": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": true, + "editUsernameAllowed": false, + "bruteForceProtected": false, + "permanentLockout": false, + "maxFailureWaitSeconds": 900, + "minimumQuickLoginWaitSeconds": 60, + "waitIncrementSeconds": 60, + "quickLoginCheckMilliSeconds": 1000, + "maxDeltaTimeSeconds": 43200, + "failureFactor": 30, + "clients": [ + { + "clientId": "{{ .Values.global.yonote.config.plain.data.OIDC_CLIENT_ID }}", + "secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}", + "redirectUris": [ + "https://*.{{ .Values.global.yonote.baseListenAddress }}/*", + "http://*.{{ .Values.global.yonote.baseListenAddress }}/*", + "http://app.{{ .Values.global.yonote.baseListenAddress }}/*", + "https://app.{{ 
.Values.global.yonote.baseListenAddress }}/*", + "https://app.{{ .Values.global.yonote.baseListenAddress }}/auth/oidc.callback/*" + ], + "baseUrl": "https://app.{{ .Values.global.yonote.baseListenAddress }}", + "enabled": true, + "publicClient": false, + "protocol": "openid-connect", + "attributes": { + "client.secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}", + "display.on.consent.screen": "true" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": false, + "protocolMappers": [ + { + "name": "oidc-display-name", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}", + "jsonType.label": "String" + } + } + ], + "defaultClientScopes": ["openid", "email"] + } + ], + "identityProviders": [], + "internationalizationEnabled": true, + "clientScopes": [ + { + "name": "openid", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}" + }, + "protocolMappers": [] + }, + { + "name": "email", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true" + }, + "protocolMappers": [ + { + "id": "56fe6d23-690a-465c-bc36-99bff8fef6eb", + "name": "email verified", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "emailVerified", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email_verified", + "jsonType.label": "boolean" + 
} + }, + { + "id": "2c6acd0e-b776-48f5-9c3b-7bfdbbe712dc", + "name": "email", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "email", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "email", + "jsonType.label": "String" + } + } + ] + } + ], + "browserSecurityHeaders": { + "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';" + }, + "webAuthnPolicyRpEntityName": "keycloak", + "webAuthnPolicySignatureAlgorithms": ["ES256"], + "webAuthnPolicyRpId": "", + "webAuthnPolicyAttestationConveyancePreference": "not specified", + "webAuthnPolicyAuthenticatorAttachment": "not specified", + "webAuthnPolicyRequireResidentKey": "not specified", + "webAuthnPolicyUserVerificationRequirement": "not specified", + "webAuthnPolicyCreateTimeout": 0, + "webAuthnPolicyAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyAcceptableAaguids": [], + "webAuthnPolicyPasswordlessRpEntityName": "keycloak", + "webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"], + "webAuthnPolicyPasswordlessRpId": "", + "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", + "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", + "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", + "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", + "webAuthnPolicyPasswordlessCreateTimeout": 0, + "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, + "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "smtpServer": {} + } \ No newline at end of file diff --git a/yonote-chart-mono/templates/traefic-http-to-https-redirect-middleware.yaml b/yonote-chart-mono/templates/traefic-http-to-https-redirect-middleware.yaml deleted file mode 100644 index 93c470f..0000000 
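Review bot: The realm export embeds the OIDC client secret twice (`"secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}"` and `"client.secret"` under `attributes`) but the object is a `kind: ConfigMap`, so a value the chart otherwise keeps in a Secret is stored and exposed as ordinary configuration. Make it `kind: Secret` with `stringData:` in place of `data:`, and in the keycloak `extraVolumes` entry in values.yaml use `secret: secretName: realm-export` instead of `configMap: name: realm-export`; the `subPath` mount works the same way. Separately, the client accepts `http://*.{{ .Values.global.yonote.baseListenAddress }}/*` as a redirect URI, which allows authorization codes to be delivered over plaintext to any subdomain, and the realm is created with `"registrationAllowed": true` and `"bruteForceProtected": false`; if self-registration on an internal SSO realm is not intended, flip those two and drop the `http://` entries. The export also includes fixed protocol-mapper `"id"` values, which is harmless for one realm but will collide if the same export is imported twice.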
--- a/yonote-chart-mono/templates/traefic-http-to-https-redirect-middleware.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if eq $.Values.global.yonote.ingress.ingressClassName "traefik" }} -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: redirect-https -spec: - redirectScheme: - scheme: https - permanent: true -{{- end }} \ No newline at end of file diff --git a/yonote-chart-mono/templates/traefik-wss-headers-middleware.yaml b/yonote-chart-mono/templates/traefik-wss-headers-middleware.yaml deleted file mode 100644 index c8fc1bd..0000000 --- a/yonote-chart-mono/templates/traefik-wss-headers-middleware.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if eq $.Values.global.yonote.ingress.ingressClassName "traefik" }} -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: wss-headers -spec: - headers: - customRequestHeaders: - X-Forwarded-Proto: https -{{- end }} \ No newline at end of file diff --git a/yonote-chart-mono/values.yaml b/yonote-chart-mono/values.yaml index 55764a0..8b1c8ea 100644 --- a/yonote-chart-mono/values.yaml +++ b/yonote-chart-mono/values.yaml @@ -1,21 +1,13 @@ global: name: yonote-app - postgresql: - auth: - database: yonote - username: yonote - yonote: - ingress: - ingressClassName: nginx - dbMigrationEnv: production-ssl-disabled # Режим подключения к базе данных при выполнении миграций. При использовании SSL подключения, установите значение `production` - - baseListenAddress: example.com + baseListenAddress: example.com # Доменный адрес для yonote config: plain: data: + DEPLOYMENT: hosted NODE_ENV: production FORCE_HTTPS: "false" PGSSLMODE: disable # Отключает SSL подключение к базе данных. Уберите эту строку, если вы используете SSL подключение к PostgreSQL 
@@ -30,6 +22,7 @@ global: AI_URL: "1234" AI_API_KEY: "1234" + WEB_CONCURRENCY: "1" URL: 'https://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения COLLABORATION_URL: 'wss://app.{{ .Values.global.yonote.baseListenAddress }}' # Cервер, для нормальной работы это не нужно устанавливать @@ -38,12 +31,20 @@ global: OIDC_SCOPES: openid email OIDC_CLIENT_ID: yonote OIDC_AUTH_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/auth' + # OIDC_AUTH_URI: URL для авторизации пользователей через OpenID Connect (OIDC). + # Пользователь перенаправляется на этот адрес для входа в систему. OIDC_LOGOUT_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/logout' + # OIDC_LOGOUT_URI: URL для выхода из системы через OIDC. + # Пользователь перенаправляется на этот адрес для завершения сессии и выхода. OIDC_TOKEN_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/token' + # OIDC_TOKEN_URI: URL для получения токенов доступа и обновления. + # Этот адрес используется для обмена авторизационным кодом на токены OIDC_USERINFO_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/userinfo' + # OIDC_USERINFO_URI: URL для получения информации о пользователе. + # Используется для получения данных профиля пользователя на основе его токена. AWS_S3_ACL: private - AWS_S3_UPLOAD_BUCKET_URL: http://s3.example.com # Адрес S3 хранилища + AWS_S3_UPLOAD_BUCKET_URL: yonote-minio:9000 # Адрес S3 хранилища AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket # Имя хранилища AWS_REGION: "ru_RU" AWS_S3_UPLOAD_MAX_SIZE: "226214400" # Максимальный размер хранилища 
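Review bot: `AWS_S3_UPLOAD_BUCKET_URL: yonote-minio:9000` drops the scheme that the previous value had (`http://s3.example.com`) and points at the cluster-internal Service name; if the application parses this as a URL, or hands it to browsers for direct uploads as the `UPLOAD_BUCKET_URL` name suggests, neither works from outside the cluster — the minio ingress host `s3.example.com` that this same commit configures looks like the intended value, with an explicit `https://`. Minor: the four new `# OIDC_*_URI:` comment pairs are placed below the key they describe, whereas the rest of the file documents a key either inline or on the line above it; moving them above their keys keeps the file consistent.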
@@ -93,49 +94,101 @@ yonote-web: requests: cpu: 250m memory: 256Mi - - # ingress: - # enabled: true - # ingressClassName: traefik - # hosts: "'*.example.com'" - # annotations: - # cert-manager.io/cluster-issuer: "" - # traefik.ingress.kubernetes.io/router.middlewares: "{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{ .Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd" - # extraTls: - # - hosts: - # - "'*.example.com'" - # secretName: "'*.example.com'" - ingress: - enabled: true - hostname: "'*.example.com'" - ingressClassName: nginx - path: '/' - pathType: Prefix - annotations: - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/server-snippets: | - location /realtime { - proxy_set_header Upgrade $http_upgrade; - proxy_http_version 1.1; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Host $host; - proxy_set_header Connection "upgrade"; - proxy_cache_bypass $http_upgrade; - } +ingress: + enabled: true + name: yonote-ingress + namespace: yonote-onprem + ingressClassName: nginx + tls: + - secretName: "you_tls_secret" + hosts: + - "app.example.com" + - "team.example.com" + annotations: + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/server-snippets: | + location /realtime { + proxy_set_header Upgrade $http_upgrade; + proxy_http_version 1.1; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $host; + proxy_set_header Connection "upgrade"; + proxy_cache_bypass $http_upgrade; + } + nginx.ingress.kubernetes.io/configuration-snippet: | + more_set_headers "Host $http_host"; + more_set_headers "X-Real-IP $remote_addr"; + more_set_headers "X-Forwarded-Proto $scheme"; + more_set_headers "X-Forwarded-For 
$proxy_add_x_forwarded_for"; + cert-manager.io/cluster-issuer: "" - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "Host $http_host"; - more_set_headers "X-Real-IP $remote_addr"; - more_set_headers "X-Forwarded-Proto $scheme"; - more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; - cert-manager.io/cluster-issuer: "" - tls: - - hosts: - - "'*.example.com'" - secretName: "'*.example.com'" + rules: + - host: "app.example.com" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: yonote-web + port: + number: 80 + - path: /realtime + pathType: Prefix + backend: + service: + name: yonote-websockets + port: + number: 80 + - path: /whiteboard + pathType: Prefix + backend: + service: + name: yonote-whiteboard + port: + number: 80 + - path: /collaboration + pathType: Prefix + backend: + service: + name: yonote-collaboration + port: + number: 80 + + - host: "team.example.com" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: yonote-web + port: + number: 80 + - path: /realtime + pathType: Prefix + backend: + service: + name: yonote-websockets + port: + number: 80 + - path: /whiteboard + pathType: Prefix + backend: + service: + name: yonote-whiteboard + port: + number: 80 + - path: /collaboration + pathType: Prefix + backend: + service: + name: yonote-collaboration + port: + number: 80 containerPorts: - containerPort: 3000 @@ -177,10 +230,16 @@ yonote-web: path: /_health port: app -yonote-database: +yonoteDatabase: enabled: true - fullnameOverride: yonote-db - nameOverride: db + global: + postgresql: + auth: + database: "yonote" + username: "yonote" + name: yonote-database + fullnameOverride: yonote-database + nameOverride: yonote-database primary: persistence: 
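Review bot: `nginx.ingress.kubernetes.io/server-snippets` is carried over into the new `ingress.annotations` block, but the ingress-nginx annotation is `server-snippet` (singular), so the `/realtime` websocket `location` block is silently ignored by the controller; the `configuration-snippet` key next to it is spelled correctly. Note also that recent ingress-nginx releases ignore snippet annotations unless the controller's `allow-snippet-annotations` setting is on, so this should be documented as a cluster requirement. `cert-manager.io/cluster-issuer: ""` with an empty issuer name will make cert-manager's ingress-shim create a Certificate it cannot issue; either fill it or comment it out the way the keycloak section does (`# cert-manager.io/cluster-issuer: ...`). The `tls` entry still uses the placeholder `"you_tls_secret"`, which is fine for an example but deserves a `# replace with your TLS Secret` comment.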
@@ -217,25 +276,14 @@ minio: enabled: true name: minio fullnameOverride: yonote-minio - nameOverride: minio - accessKey: "minioadmin" - secretKey: "minioadminsecret" + nameOverride: yonote-minio + auth: + rootUser: admin persistence: enabled: true size: 500Mi - # ingress: - # enabled: true - # hostname: '"s3.example.com"' - # annotations: - # cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev - # traefik.ingress.kubernetes.io/router.middlewares: "{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{ .Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd" - # extraTls: - # - hosts: - # - s3.example.com - # secretName: s3.example.com - ingress: enabled: true ingressClassName: nginx @@ -247,7 +295,7 @@ minio: more_set_headers "X-Forwarded-Proto $scheme"; more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; hosts: - - host: s3.onprem-test.stands.wilix.dev + - host: s3.example.com paths: - path: / pathType: ImplementationSpecific 
@@ -262,4 +310,89 @@ minio: buckets: - name: yonote-bucket - policy: none \ No newline at end of file + policy: none + +mcJob: + enabled: true + +keycloak: + auth: + adminUser: root + + fullnameOverride: yonote-keycloak + nameOverride: yonote-keycloak + + command: + - /bin/bash + - -c + - | + /opt/bitnami/keycloak/bin/kc.sh import --file=/opt/bitnami/keycloak/data/import/realm-export.json && \ + /opt/bitnami/keycloak/bin/kc.sh start-dev + + extraEnvVars: + - name: KC_DB_PASSWORD + value: "tT9BqYdNyd" + - name: KEYCLOAK_PRODUCTION + value: "true" + - name: KC_HOSTNAME_URL + value: "https://auth.example.com" + - name: KC_HOSTNAME_ADMIN_URL + value: "https://auth.example.com" + + extraVolumes: + - name: realm-export + configMap: + name: realm-export + + extraVolumeMounts: + - name: realm-export + mountPath: /opt/bitnami/keycloak/data/import/realm-export.json + subPath: realm-export.json + + ingress: + enabled: true + hostname: auth.example.com + ingressClassName: traefik + tls: true + annotations: + kubernetes.io/ingress.class: traefik + # cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете + extraTls: + - hosts: + - "auth.example.com" + secretName: "you_tls_secret" + rules: + - host: "auth.example.com" + paths: + - path: / + pathType: Prefix + service: + name: yonote-keycloak + port: http + - path: /admin + pathType: Prefix + service: + name: yonote-keycloak + port: http + + proxy: "edge" + + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 150m + memory: 128Mi + + postgresql: + enabled: true + auth: + database: keycloak + username: keycloak + name: keycloak-database + fullnameOverride: keycloak-database + nameOverride: keycloak-database + primary: + persistence: + size: 512Mi \ No newline at end of file diff --git a/yonote-chart-service/values.yaml b/yonote-chart-service/values.yaml index abdeda4..6157f86 100644 --- a/yonote-chart-service/values.yaml +++ b/yonote-chart-service/values.yaml 
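Review bot: The keycloak `command:` override runs `kc.sh import ... && kc.sh start-dev`, so the server runs in Keycloak's development mode behind a TLS ingress while `KEYCLOAK_PRODUCTION: "true"` sits right next to it; development mode is not meant for exposed deployments, and the override bypasses the bitnami entrypoint that would honour that variable. The same block puts the database password in plain text in values.yaml, `- name: KC_DB_PASSWORD value: "tT9BqYdNyd"`, duplicating the value kept in secret-values.yaml; as far as I recall the bitnami chart already injects the database password from the postgresql subchart's Secret, so the entry is both redundant and a second copy to rotate. Dropping the `command:` override and requesting the import through the chart instead (`extraStartupArgs: "--import-realm"`, if the pinned chart version supports it) keeps production mode and lets the realm file load from `data/import` on each start. Lastly, the keycloak ingress uses `ingressClassName: traefik` plus the legacy `kubernetes.io/ingress.class: traefik` annotation while the application ingress in this same commit uses nginx; if that split is deliberate, a comment would help.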
@@ -538,7 +538,7 @@ minio: nameOverride: yonote-minio auth: rootUser: admin - rootPassword: "12345678" + persistence: enabled: true