diff --git a/yonote-chart-service/Chart.yaml b/yonote-chart-service/Chart.yaml index d8344f2..1d43c99 100644 --- a/yonote-chart-service/Chart.yaml +++ b/yonote-chart-service/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: yonote-chart -version: 1.3.0 +version: 2.0.0 description: Generic application Helm chart. This chart includes multiple dependencies. The base of this chart is derived from the Dysnix app chart. @@ -53,12 +53,6 @@ dependencies: condition: minio.enabled alias: minio -# - name: app -# version: "0.3.15" -# repository: https://artifacts.wilix.dev/repository/helm-dysnix -# condition: keycloak.enabled -# alias: keycloak - - name: keycloakx version: "1.3.2" repository: https://codecentric.github.io/helm-charts diff --git a/yonote-chart-service/secret-values.yaml b/yonote-chart-service/secret-values.yaml index 6ba5ca9..388175c 100644 --- a/yonote-chart-service/secret-values.yaml +++ b/yonote-chart-service/secret-values.yaml @@ -13,7 +13,7 @@ global: UTILS_SECRET: "7bd5e9ac4415dd0dbf6b7721e2a21e9427b268cd0140c7516d13dece5024d479" # Сгенерируйте уникальный случайный ключ. Формат не важен, но вы все равно можете использовать`openssl rand -hex 32` в вашем терминале, чтобы создать это. TELEGRAM_BOT_TOKEN: "1234" UNSPLASH_API_ACCESS_KEY: "a-yGo6HpRP6jNfravx4Bz-oiPrRnH_5-24Xa9ZPlePE" - LICENSE_KEY: "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NjAzNDA0NTYsImV4cCI6MTc2MzA2NzU5OX0.Umhd1az0qC8EXEiC8xvVuqrxG2oEePGGWa_RAYWgzSKavXy7qnaIn_pjK8J56UfP8nDLVC6rxgjPhs0g8bZfrDslYrzMuiWstUt5TDwFDfjZbqHvxzShkBZ5FUSM-qFD3qdGnfBucKdt046CY40_S0hlN3Rjl7WasnOZHnyTlHpbVeaFTwc8fsWL0IxBOxCF73F7hI4S7FC15ANwUD4WwKQDCGxYJ5ZTn5uYZII9WZ2wjWC-__xGEehZ7cHmwRAPcm471zEwkUY9sXRoMjITtTbtFkCChpp8BPC1zBUdWVPgtMqFnFbtjhtmDiCiQeebVqz9tjE_wgU6gBhNpJhXaA" # Обратитесь в отдел продаж для получения + LICENSE_KEY: "" # Обратитесь в отдел продаж для получения SERVICE_WORKER_PUBLIC_KEY: "1234" SERVICE_WORKER_PRIVATE_KEY: "1234" # Генерация ключей (web-push) Service Worker @@ -38,8 +38,9 @@ minio: keycloak: database: password: password1 - #secrets: - # secrets: - # stringData: - # KEYCLOAK_ADMIN_PASSWORD: secret - # KC_DB_PASSWORD: "password1" + secrets: + secrets: + stringData: + KEYCLOAK_ADMIN_PASSWORD: secret + KC_DB_PASSWORD: "password1" + OIDC_CLIENT_SECRET: "iS3jOA3Z7zXBwSN8EzJm36ybz57JNgpR" diff --git a/yonote-chart-service/templates/realm-configmap.yaml b/yonote-chart-service/templates/realm-configmap.yaml deleted file mode 100644 index 7b15b13..0000000 --- a/yonote-chart-service/templates/realm-configmap.yaml +++ /dev/null @@ -1,169 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: realm-export -data: - realm-export.json: | - { - "realm": "yonote", - "enabled": true, - "notBefore": 1647809856, - "defaultSignatureAlgorithm": "RS256", - "revokeRefreshToken": false, - "refreshTokenMaxReuse": 0, - "accessTokenLifespan": 300, - "accessTokenLifespanForImplicitFlow": 900, - "ssoSessionIdleTimeout": 1800, - "ssoSessionMaxLifespan": 36000, - "ssoSessionIdleTimeoutRememberMe": 0, - "ssoSessionMaxLifespanRememberMe": 0, - "offlineSessionIdleTimeout": 2592000, - "offlineSessionMaxLifespanEnabled": false, - "offlineSessionMaxLifespan": 5184000, - "clientSessionIdleTimeout": 0, - "clientSessionMaxLifespan": 0, - "clientOfflineSessionIdleTimeout": 0, - "clientOfflineSessionMaxLifespan": 0, - "accessCodeLifespan": 60, - "accessCodeLifespanUserAction": 300, - "accessCodeLifespanLogin": 1800, - "actionTokenGeneratedByAdminLifespan": 43200, - "actionTokenGeneratedByUserLifespan": 300, - "oauth2DeviceCodeLifespan": 600, - "oauth2DevicePollingInterval": 5, - "sslRequired": "external", - "registrationAllowed": true, - "registrationEmailAsUsername": true, - "rememberMe": true, - "verifyEmail": false, - "loginWithEmailAllowed": true, - "duplicateEmailsAllowed": false, - "resetPasswordAllowed": true, - "editUsernameAllowed": false, - "bruteForceProtected": false, - "permanentLockout": false, - "maxFailureWaitSeconds": 900, - "minimumQuickLoginWaitSeconds": 60, - "waitIncrementSeconds": 60, - "quickLoginCheckMilliSeconds": 1000, - "maxDeltaTimeSeconds": 43200, - "failureFactor": 30, - "clients": [ - { - "clientId": "{{ .Values.global.yonote.config.plain.data.OIDC_CLIENT_ID }}", - "secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}", - "redirectUris": [ - "https://*.{{ .Values.global.yonote.baseListenAddress }}/*", - "http://*.{{ .Values.global.yonote.baseListenAddress }}/*", - "http://team.{{ .Values.global.yonote.baseListenAddress }}/*", - "https://team.{{ .Values.global.yonote.baseListenAddress }}/*", - "https://team.{{ .Values.global.yonote.baseListenAddress }}/auth/oidc.callback/*" - ], - "baseUrl": "https://team.{{ .Values.global.yonote.baseListenAddress }}", - "enabled": true, - "publicClient": false, - "protocol": "openid-connect", - "attributes": { - "client.secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}", - "display.on.consent.screen": "true" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "protocolMappers": [ - { - "name": "oidc-display-name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": ["openid", "email"] - } - ], - "identityProviders": [], - "internationalizationEnabled": true, - "clientScopes": [ - { - "name": "openid", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}" - }, - "protocolMappers": [] - }, - { - "name": "email", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "id": "56fe6d23-690a-465c-bc36-99bff8fef6eb", - "name": "email verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "emailVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email_verified", - "jsonType.label": "boolean" - } - }, - { - "id": "2c6acd0e-b776-48f5-9c3b-7bfdbbe712dc", - "name": "email", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "email", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email", - "jsonType.label": "String" - } - } - ] - } - ], - "browserSecurityHeaders": { - "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';" - }, - "webAuthnPolicyRpEntityName": "keycloak", - "webAuthnPolicySignatureAlgorithms": ["ES256"], - "webAuthnPolicyRpId": "", - "webAuthnPolicyAttestationConveyancePreference": "not specified", - "webAuthnPolicyAuthenticatorAttachment": "not specified", - "webAuthnPolicyRequireResidentKey": "not specified", - "webAuthnPolicyUserVerificationRequirement": "not specified", - "webAuthnPolicyCreateTimeout": 0, - "webAuthnPolicyAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyAcceptableAaguids": [], - "webAuthnPolicyPasswordlessRpEntityName": "keycloak", - "webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"], - "webAuthnPolicyPasswordlessRpId": "", - "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", - "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", - "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", - "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", - "webAuthnPolicyPasswordlessCreateTimeout": 0, - "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyPasswordlessAcceptableAaguids": [], - "smtpServer": {} - } \ No newline at end of file diff --git a/yonote-chart-service/values.yaml b/yonote-chart-service/values.yaml index bdf3a8e..ad7486d 100644 --- a/yonote-chart-service/values.yaml +++ b/yonote-chart-service/values.yaml @@ -2,7 +2,7 @@ global: name: yonote-app yonote: dbMigrationEnv: production-ssl-disabled # Режим подключения к базе данных при выполнении миграций. При использовании SSL подключения, установите значение `production` - baseListenAddress: onprem-test.stands.wilix.dev # Доменный адрес для yonote + baseListenAddress: example.com # Доменный адрес для yonote config: plain: @@ -32,13 +32,13 @@ global: OIDC_DISPLAY_NAME: email OIDC_SCOPES: openid email OIDC_CLIENT_ID: yonote - OIDC_AUTH_URI: 'https://auth.onprem-test.stands.wilix.dev/realms/yonote/protocol/openid-connect/auth' # URL для авторизации пользователей через OpenID Connect (OIDC). Пользователь перенаправляется на этот адрес для входа в систему. - OIDC_LOGOUT_URI: 'https://auth.onprem-test.stands.wilix.dev/realms/yonote/protocol/openid-connect/logout' # URL для выхода из системы через OIDC. Пользователь перенаправляется на этот адрес для завершения сессии и выхода. - OIDC_TOKEN_URI: 'https://auth.onprem-test.stands.wilix.dev/realms/yonote/protocol/openid-connect/token' # URL для получения токенов доступа и обновления. Этот адрес используется для обмена авторизационным кодом на токены - OIDC_USERINFO_URI: 'https://auth.onprem-test.stands.wilix.dev/realms/yonote/protocol/openid-connect/userinfo' # URL для получения информации о пользователе. Используется для получения данных профиля пользователя на основе его токена. + OIDC_AUTH_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/auth' # URL для авторизации пользователей через OpenID Connect (OIDC). Пользователь перенаправляется на этот адрес для входа в систему. + OIDC_LOGOUT_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/logout' # URL для выхода из системы через OIDC. Пользователь перенаправляется на этот адрес для завершения сессии и выхода. + OIDC_TOKEN_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/token' # URL для получения токенов доступа и обновления. Этот адрес используется для обмена авторизационным кодом на токены + OIDC_USERINFO_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/userinfo' # URL для получения информации о пользователе. Используется для получения данных профиля пользователя на основе его токена. AWS_S3_ACL: private - AWS_S3_UPLOAD_BUCKET_URL: 'https://api-s3.onprem-test.stands.wilix.dev' # Адрес API S3 хранилища + AWS_S3_UPLOAD_BUCKET_URL: 'https://api-s3.example.com' # Адрес API S3 хранилища AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket # Имя хранилища AWS_REGION: "RU" AWS_S3_UPLOAD_MAX_SIZE: "226214400" # Максимальный размер хранилища @@ -78,12 +78,12 @@ ingress: namespace: yonote-onprem ingressClassName: traefik tls: - secretName: "app.onprem-test.stands.wilix.dev-tls" + secretName: "example.com-tls" hosts: - - "app.onprem-test.stands.wilix.dev" - - "team.onprem-test.stands.wilix.dev" + - "app.example.com" + - "team.example.com" rules: - - host: "app.onprem-test.stands.wilix.dev" + - host: "app.example.com" paths: - path: / pathType: Prefix @@ -105,7 +105,7 @@ ingress: service: name: yonote-collaboration port: 80 - - host: "team.onprem-test.stands.wilix.dev" + - host: "team.example.com" paths: - path: / pathType: Prefix @@ -128,8 +128,8 @@ ingress: name: yonote-collaboration port: 80 - annotations: - cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете + #annotations: + # cert-manager.io/cluster-issuer: # Если используете yonote-web: fullnameOverride: yonote-web @@ -147,7 +147,7 @@ yonote-web: initContainers: - name: yonote-migration - image: images.updates.yonote.ru/yonote:1.19.8 + image: images.updates.yonote.ru/yonote:1.22.11 imagePullPolicy: IfNotPresent command: - /bin/sh @@ -506,7 +506,7 @@ yonote-database: storage: requestedSize: 5Gi - className: "longhorn" + className: "" resources: limits: @@ -525,7 +525,7 @@ yonote-redis: storage: requestedSize: 1Gi - className: "longhorn" + className: "" resources: limits: cpu: 1 @@ -538,7 +538,6 @@ minio: enabled: true name: minio fullnameOverride: yonote-minio - #customUser: yonote nameOverride: yonote-minio mode: standalone rootUser: admin @@ -550,36 +549,38 @@ minio: persistence: enabled: true + annotations: + helm.sh/resource-policy: keep size: 1Gi - storageClass: "longhorn" + storageClass: "" ingress: enabled: true hosts: - - s3.onprem-test.stands.wilix.dev + - s3.example.com ingressClassName: traefik path: '/' annotations: kubernetes.io/ingress.class: traefik - cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете + #cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете tls: - hosts: - - "s3.onprem-test.stands.wilix.dev" - secretName: "s3.onprem-test.stands.wilix.dev-tls" + - "s3.example.com" + secretName: "example.com-tls" consoleIngress: enabled: true hosts: - - api-s3.onprem-test.stands.wilix.dev + - api-s3.example.com ingressClassName: traefik path: '/' annotations: kubernetes.io/ingress.class: traefik - cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете + #cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете tls: - hosts: - - "api-s3.onprem-test.stands.wilix.dev" - secretName: "api-s3.onprem-test.stands.wilix.dev" + - "api-s3.example.com" + secretName: "example.com-tls" resources: requests: @@ -598,11 +599,11 @@ keycloak: nameOverride: yonote-keycloak image: - repository: quay.io/keycloak/keycloak #images.updates.yonote.ru/yonote-keycloak - tag: 19.0.3 + repository: images.updates.yonote.ru/yonote-keycloak + tag: latest args: - - start-dev #--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --import-realm + - start-dev --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --import-realm cache: stack: custom @@ -611,80 +612,48 @@ keycloak: enabled: "false" extraEnv: | - #- name: KC_LOG_LEVEL - # value: DEBUG - name: KEYCLOAK_ADMIN - value: root - #valueFrom: - # secretKeyRef: - # name: {{ include "keycloak.fullname" . }}-admin-creds - # key: user + valueFrom: + secretKeyRef: + name: {{ include "keycloak.fullname" . }}-admin-creds + key: user - name: KEYCLOAK_ADMIN_PASSWORD - value: ropoMBhQB1jwfr5y37u0GzaYmOwmXdDeFfjGC2 - #valueFrom: - # secretKeyRef: - # name: {{ include "keycloak.fullname" . }}-admin-creds - # key: password + valueFrom: + secretKeyRef: + name: {{ include "keycloak.fullname" . }}-admin-creds + key: password - name: BASENAME_FOR_SUBDOMAIN - value: onprem-test.stands.wilix.dev + value: example.com - name: KC_HOSTNAME_STRICT value: "false" - #- name: KC_HOSTNAME_ADMIN - # value: auth.onprem-test.stands.wilix.dev/admin - name: KC_HOSTNAME - value: auth.onprem-test.stands.wilix.dev + value: auth.example.com - name: KC_HOSTNAME_STRICT_HTTPS value: "false" - name: KC_HOSTNAME_PATH value: "/" - #- name: KC_DB_URL - # value: jdbc:postgresql://yonote-database:5432/keycloak - name: KC_HTTP_ENABLED value: "true" - #- name: KC_PROXY - # value: edge - #- name: JAVA_OPTS_APPEND - # value: -Djgroups.dns.query=keycloak-headless - #- name: KC_PROXY_HEADERS - # value: "xforwarded" - name: PROXY_ADDRESS_FORWARDING value: "true" -# extraVolumes: | -# - name: realm-export -# configMap: -# name: realm-export - -# extraVolumeMounts: | -# - name: realm-export -# mountPath: /opt/keycloak/data/import -# readOnly: true - http: relativePath: "/" ingress: enabled: true - hostname: auth.onprem-test.stands.wilix.dev + hostname: auth.example.com ingressClassName: traefik tls: - hosts: - - "auth.onprem-test.stands.wilix.dev" - secretName: "auth.onprem-test.stands.wilix.dev-tls" + - "auth.example.com" + secretName: "example.com-tls" annotations: kubernetes.io/ingress.class: traefik - cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev #Если используете - #nginx.ingress.kubernetes.io/proxy-buffer-size: "256k" - #nginx.ingress.kubernetes.io/proxy-buffers: "8 256k" - #nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "256k" - #nginx.ingress.kubernetes.io/large-client-header-buffers: "8 256k" - #nginx.ingress.kubernetes.io/proxy-set-headers: | - # X-Forwarded-For: $proxy_protocol_addr - # X-Forwarded-Proto: $scheme - # Host: $host - #nginx.ingress.kubernetes.io/use-forwarded-headers: "true" + #cert-manager.io/cluster-issuer: #Если используете + rules: - - host: "auth.onprem-test.stands.wilix.dev" + - host: "auth.example.com" paths: - path: / pathType: ImplementationSpecific