Chart version 2.0.0 - no Bitnami

2025-12-03 13:14:37 +03:00 · 2025-12-03 13:14:37 +03:00 · 214f94f8b5
commit 214f94f8b5
parent 0a7499c373
4 changed files with 54 additions and 259 deletions
--- a/yonote-chart-service/Chart.yaml
+++ b/yonote-chart-service/Chart.yaml
@ -1,6 +1,6 @@
 apiVersion: v2
 name: yonote-chart
-version: 1.3.0
+version: 2.0.0
 description:
  Generic application Helm chart.
  This chart includes multiple dependencies. The base of this chart is derived from the Dysnix app chart.
@ -53,12 +53,6 @@ dependencies:
    condition: minio.enabled
    alias: minio
 #  - name: app
 #    version: "0.3.15"
 #    repository: https://artifacts.wilix.dev/repository/helm-dysnix
 #    condition: keycloak.enabled
 #    alias: keycloak
  - name: keycloakx
    version: "1.3.2"
    repository: https://codecentric.github.io/helm-charts
--- a/yonote-chart-service/secret-values.yaml
+++ b/yonote-chart-service/secret-values.yaml
@ -13,7 +13,7 @@ global:
          UTILS_SECRET: "7bd5e9ac4415dd0dbf6b7721e2a21e9427b268cd0140c7516d13dece5024d479" # Сгенерируйте уникальный случайный ключ. Формат не важен, но вы все равно можете использовать`openssl rand -hex 32` в вашем терминале, чтобы создать это.
          TELEGRAM_BOT_TOKEN: "1234"
          UNSPLASH_API_ACCESS_KEY: "a-yGo6HpRP6jNfravx4Bz-oiPrRnH_5-24Xa9ZPlePE"
-          LICENSE_KEY: "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NjAzNDA0NTYsImV4cCI6MTc2MzA2NzU5OX0.Umhd1az0qC8EXEiC8xvVuqrxG2oEePGGWa_RAYWgzSKavXy7qnaIn_pjK8J56UfP8nDLVC6rxgjPhs0g8bZfrDslYrzMuiWstUt5TDwFDfjZbqHvxzShkBZ5FUSM-qFD3qdGnfBucKdt046CY40_S0hlN3Rjl7WasnOZHnyTlHpbVeaFTwc8fsWL0IxBOxCF73F7hI4S7FC15ANwUD4WwKQDCGxYJ5ZTn5uYZII9WZ2wjWC-__xGEehZ7cHmwRAPcm471zEwkUY9sXRoMjITtTbtFkCChpp8BPC1zBUdWVPgtMqFnFbtjhtmDiCiQeebVqz9tjE_wgU6gBhNpJhXaA" # Обратитесь в отдел продаж для получения
+          LICENSE_KEY: "" # Обратитесь в отдел продаж для получения
          SERVICE_WORKER_PUBLIC_KEY: "1234"
          SERVICE_WORKER_PRIVATE_KEY: "1234"
        # Генерация ключей (web-push) Service Worker
@ -38,8 +38,9 @@ minio:
 keycloak:
  database:
    password: password1
-  #secrets:
+  secrets:
-  #  secrets:
+    secrets:
-  #    stringData:
+      stringData:
-  #      KEYCLOAK_ADMIN_PASSWORD: secret
+        KEYCLOAK_ADMIN_PASSWORD: secret
-  #      KC_DB_PASSWORD: "password1"
+        KC_DB_PASSWORD: "password1"
        OIDC_CLIENT_SECRET: "iS3jOA3Z7zXBwSN8EzJm36ybz57JNgpR"
--- a/yonote-chart-service/templates/realm-configmap.yaml
+++ b/yonote-chart-service/templates/realm-configmap.yaml
@ -1,169 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: realm-export
 data:
  realm-export.json: |
    {
    "realm": "yonote",
    "enabled": true,
    "notBefore": 1647809856,
    "defaultSignatureAlgorithm": "RS256",
    "revokeRefreshToken": false,
    "refreshTokenMaxReuse": 0,
    "accessTokenLifespan": 300,
    "accessTokenLifespanForImplicitFlow": 900,
    "ssoSessionIdleTimeout": 1800,
    "ssoSessionMaxLifespan": 36000,
    "ssoSessionIdleTimeoutRememberMe": 0,
    "ssoSessionMaxLifespanRememberMe": 0,
    "offlineSessionIdleTimeout": 2592000,
    "offlineSessionMaxLifespanEnabled": false,
    "offlineSessionMaxLifespan": 5184000,
    "clientSessionIdleTimeout": 0,
    "clientSessionMaxLifespan": 0,
    "clientOfflineSessionIdleTimeout": 0,
    "clientOfflineSessionMaxLifespan": 0,
    "accessCodeLifespan": 60,
    "accessCodeLifespanUserAction": 300,
    "accessCodeLifespanLogin": 1800,
    "actionTokenGeneratedByAdminLifespan": 43200,
    "actionTokenGeneratedByUserLifespan": 300,
    "oauth2DeviceCodeLifespan": 600,
    "oauth2DevicePollingInterval": 5,
    "sslRequired": "external",
    "registrationAllowed": true,
    "registrationEmailAsUsername": true,
    "rememberMe": true,
    "verifyEmail": false,
    "loginWithEmailAllowed": true,
    "duplicateEmailsAllowed": false,
    "resetPasswordAllowed": true,
    "editUsernameAllowed": false,
    "bruteForceProtected": false,
    "permanentLockout": false,
    "maxFailureWaitSeconds": 900,
    "minimumQuickLoginWaitSeconds": 60,
    "waitIncrementSeconds": 60,
    "quickLoginCheckMilliSeconds": 1000,
    "maxDeltaTimeSeconds": 43200,
    "failureFactor": 30,
    "clients": [
        {
        "clientId": "{{ .Values.global.yonote.config.plain.data.OIDC_CLIENT_ID }}",
        "secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}",
        "redirectUris": [
            "https://*.{{ .Values.global.yonote.baseListenAddress }}/*",
            "http://*.{{ .Values.global.yonote.baseListenAddress }}/*",
            "http://team.{{ .Values.global.yonote.baseListenAddress }}/*",
            "https://team.{{ .Values.global.yonote.baseListenAddress }}/*",
            "https://team.{{ .Values.global.yonote.baseListenAddress }}/auth/oidc.callback/*"
        ],
        "baseUrl": "https://team.{{ .Values.global.yonote.baseListenAddress }}",
        "enabled": true,
        "publicClient": false,
        "protocol": "openid-connect",
        "attributes": {
            "client.secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}",
            "display.on.consent.screen": "true"
        },
        "authenticationFlowBindingOverrides": {},
        "fullScopeAllowed": false,
        "protocolMappers": [
            {
            "name": "oidc-display-name",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usermodel-attribute-mapper",
            "consentRequired": false,
            "config": {
                "userinfo.token.claim": "true",
                "user.attribute": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}",
                "id.token.claim": "true",
                "access.token.claim": "true",
                "claim.name": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}",
                "jsonType.label": "String"
            }
            }
        ],
        "defaultClientScopes": ["openid", "email"]
        }
    ],
    "identityProviders": [],
    "internationalizationEnabled": true,
    "clientScopes": [
        {
        "name": "openid",
        "protocol": "openid-connect",
        "attributes": {
            "include.in.token.scope": "true",
            "display.on.consent.screen": "true",
            "consent.screen.text": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}"
        },
        "protocolMappers": []
        },
        {
        "name": "email",
        "protocol": "openid-connect",
        "attributes": {
            "include.in.token.scope": "true",
            "display.on.consent.screen": "true"
        },
        "protocolMappers": [
            {
            "id": "56fe6d23-690a-465c-bc36-99bff8fef6eb",
            "name": "email verified",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usermodel-property-mapper",
            "consentRequired": false,
            "config": {
                "userinfo.token.claim": "true",
                "user.attribute": "emailVerified",
                "id.token.claim": "true",
                "access.token.claim": "true",
                "claim.name": "email_verified",
                "jsonType.label": "boolean"
            }
            },
            {
            "id": "2c6acd0e-b776-48f5-9c3b-7bfdbbe712dc",
            "name": "email",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usermodel-property-mapper",
            "consentRequired": false,
            "config": {
                "userinfo.token.claim": "true",
                "user.attribute": "email",
                "id.token.claim": "true",
                "access.token.claim": "true",
                "claim.name": "email",
                "jsonType.label": "String"
            }
            }
        ]
        }
    ],
    "browserSecurityHeaders": {
        "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"
    },
    "webAuthnPolicyRpEntityName": "keycloak",
    "webAuthnPolicySignatureAlgorithms": ["ES256"],
    "webAuthnPolicyRpId": "",
    "webAuthnPolicyAttestationConveyancePreference": "not specified",
    "webAuthnPolicyAuthenticatorAttachment": "not specified",
    "webAuthnPolicyRequireResidentKey": "not specified",
    "webAuthnPolicyUserVerificationRequirement": "not specified",
    "webAuthnPolicyCreateTimeout": 0,
    "webAuthnPolicyAvoidSameAuthenticatorRegister": false,
    "webAuthnPolicyAcceptableAaguids": [],
    "webAuthnPolicyPasswordlessRpEntityName": "keycloak",
    "webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"],
    "webAuthnPolicyPasswordlessRpId": "",
    "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
    "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
    "webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
    "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
    "webAuthnPolicyPasswordlessCreateTimeout": 0,
    "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
    "webAuthnPolicyPasswordlessAcceptableAaguids": [],
    "smtpServer": {}
    }
--- a/yonote-chart-service/values.yaml
+++ b/yonote-chart-service/values.yaml
@ -2,7 +2,7 @@ global:
  name: yonote-app
  yonote:
    dbMigrationEnv: production-ssl-disabled # Режим подключения к базе данных при выполнении миграций. При использовании SSL подключения, установите значение `production`
-    baseListenAddress: onprem-test.stands.wilix.dev # Доменный адрес для yonote
+    baseListenAddress: example.com # Доменный адрес для yonote
    config:
      plain:
@ -32,13 +32,13 @@ global:
          OIDC_DISPLAY_NAME: email
          OIDC_SCOPES: openid email
          OIDC_CLIENT_ID: yonote
-          OIDC_AUTH_URI: 'https://auth.onprem-test.stands.wilix.dev/realms/yonote/protocol/openid-connect/auth' # URL для авторизации пользователей через OpenID Connect (OIDC). Пользователь перенаправляется на этот адрес для входа в систему.
+          OIDC_AUTH_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/auth' # URL для авторизации пользователей через OpenID Connect (OIDC). Пользователь перенаправляется на этот адрес для входа в систему.
-          OIDC_LOGOUT_URI: 'https://auth.onprem-test.stands.wilix.dev/realms/yonote/protocol/openid-connect/logout' # URL для выхода из системы через OIDC. Пользователь перенаправляется на этот адрес для завершения сессии и выхода.
+          OIDC_LOGOUT_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/logout' # URL для выхода из системы через OIDC. Пользователь перенаправляется на этот адрес для завершения сессии и выхода.
-          OIDC_TOKEN_URI: 'https://auth.onprem-test.stands.wilix.dev/realms/yonote/protocol/openid-connect/token' # URL для получения токенов доступа и обновления. Этот адрес используется для обмена авторизационным кодом на токены
+          OIDC_TOKEN_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/token' # URL для получения токенов доступа и обновления. Этот адрес используется для обмена авторизационным кодом на токены
-          OIDC_USERINFO_URI: 'https://auth.onprem-test.stands.wilix.dev/realms/yonote/protocol/openid-connect/userinfo' # URL для получения информации о пользователе. Используется для получения данных профиля пользователя на основе его токена.
+          OIDC_USERINFO_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/userinfo' # URL для получения информации о пользователе. Используется для получения данных профиля пользователя на основе его токена.
          AWS_S3_ACL: private
-          AWS_S3_UPLOAD_BUCKET_URL: 'https://api-s3.onprem-test.stands.wilix.dev' # Адрес API S3 хранилища
+          AWS_S3_UPLOAD_BUCKET_URL: 'https://api-s3.example.com' # Адрес API S3 хранилища
          AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket # Имя хранилища 
          AWS_REGION: "RU"
          AWS_S3_UPLOAD_MAX_SIZE: "226214400" # Максимальный размер хранилища
@ -78,12 +78,12 @@ ingress:
  namespace: yonote-onprem
  ingressClassName: traefik
  tls:
-    secretName: "app.onprem-test.stands.wilix.dev-tls"
+    secretName: "example.com-tls"
    hosts:
-      - "app.onprem-test.stands.wilix.dev"
+      - "app.example.com"
-      - "team.onprem-test.stands.wilix.dev"
+      - "team.example.com"
  rules:
-    - host: "app.onprem-test.stands.wilix.dev"
+    - host: "app.example.com"
      paths:
        - path: /
          pathType: Prefix
@ -105,7 +105,7 @@ ingress:
          service:
            name: yonote-collaboration
            port: 80
-    - host: "team.onprem-test.stands.wilix.dev"
+    - host: "team.example.com"
      paths:
        - path: /
          pathType: Prefix
@ -128,8 +128,8 @@ ingress:
            name: yonote-collaboration
            port: 80
-  annotations:
+  #annotations:
-    cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете
+  #  cert-manager.io/cluster-issuer:  # Если используете
 yonote-web:
  fullnameOverride: yonote-web
@ -147,7 +147,7 @@ yonote-web:
  initContainers:
    - name: yonote-migration
-      image: images.updates.yonote.ru/yonote:1.19.8
+      image: images.updates.yonote.ru/yonote:1.22.11
      imagePullPolicy: IfNotPresent
      command:
        - /bin/sh
@ -506,7 +506,7 @@ yonote-database:
  storage:
    requestedSize: 5Gi
-    className: "longhorn"
+    className: ""
  resources:
    limits:
@ -525,7 +525,7 @@ yonote-redis:
  storage:
    requestedSize: 1Gi
-    className: "longhorn"
+    className: ""
  resources:
    limits:
      cpu: 1
@ -538,7 +538,6 @@ minio:
  enabled: true
  name: minio
  fullnameOverride: yonote-minio
  #customUser: yonote
  nameOverride: yonote-minio
  mode: standalone
  rootUser: admin
@ -550,36 +549,38 @@ minio:
  persistence:
    enabled: true
    annotations:
      helm.sh/resource-policy: keep
    size: 1Gi
-    storageClass: "longhorn"
+    storageClass: ""
  ingress:
    enabled: true
    hosts:
-      - s3.onprem-test.stands.wilix.dev
+      - s3.example.com
    ingressClassName: traefik
    path: '/'
    annotations:
      kubernetes.io/ingress.class: traefik
-      cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете
+      #cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете
    tls:
      - hosts:
-          - "s3.onprem-test.stands.wilix.dev"
+          - "s3.example.com"
-        secretName: "s3.onprem-test.stands.wilix.dev-tls"
+        secretName: "example.com-tls"
  consoleIngress:
    enabled: true
    hosts:
-      - api-s3.onprem-test.stands.wilix.dev
+      - api-s3.example.com
    ingressClassName: traefik
    path: '/'
    annotations:
      kubernetes.io/ingress.class: traefik
-      cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете
+      #cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете
    tls:
      - hosts:
-          - "api-s3.onprem-test.stands.wilix.dev"
+          - "api-s3.example.com"
-        secretName: "api-s3.onprem-test.stands.wilix.dev"
+        secretName: "example.com-tls"
  resources:
    requests:
@ -598,11 +599,11 @@ keycloak:
  nameOverride: yonote-keycloak
  image:
-    repository: quay.io/keycloak/keycloak #images.updates.yonote.ru/yonote-keycloak
+    repository: images.updates.yonote.ru/yonote-keycloak
-    tag: 19.0.3
+    tag: latest
  args:
-    - start-dev #--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --import-realm
+    - start-dev --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --import-realm
  cache:
    stack: custom
@ -611,80 +612,48 @@ keycloak:
    enabled: "false"
  extraEnv: |
    #- name: KC_LOG_LEVEL
    #  value: DEBUG
    - name: KEYCLOAK_ADMIN
-      value: root
+      valueFrom:
-      #valueFrom:
+        secretKeyRef:
-      #  secretKeyRef:
+          name: {{ include "keycloak.fullname" . }}-admin-creds
-      #    name: {{ include "keycloak.fullname" . }}-admin-creds
+          key: user
      #    key: user
    - name: KEYCLOAK_ADMIN_PASSWORD
-      value: ropoMBhQB1jwfr5y37u0GzaYmOwmXdDeFfjGC2
+      valueFrom:
-      #valueFrom:
+        secretKeyRef:
-      #  secretKeyRef:
+          name: {{ include "keycloak.fullname" . }}-admin-creds
-      #    name: {{ include "keycloak.fullname" . }}-admin-creds
+          key: password
      #    key: password
    - name: BASENAME_FOR_SUBDOMAIN
-      value: onprem-test.stands.wilix.dev
+      value: example.com
    - name: KC_HOSTNAME_STRICT
      value: "false"
    #- name: KC_HOSTNAME_ADMIN
    #  value: auth.onprem-test.stands.wilix.dev/admin
    - name: KC_HOSTNAME
-      value: auth.onprem-test.stands.wilix.dev
+      value: auth.example.com
    - name: KC_HOSTNAME_STRICT_HTTPS
      value: "false"
    - name: KC_HOSTNAME_PATH
      value: "/"
    #- name: KC_DB_URL
    #  value: jdbc:postgresql://yonote-database:5432/keycloak
    - name: KC_HTTP_ENABLED
      value: "true"
    #- name: KC_PROXY
    #  value: edge
    #- name: JAVA_OPTS_APPEND
    #  value: -Djgroups.dns.query=keycloak-headless
    #- name: KC_PROXY_HEADERS
    #  value: "xforwarded"
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"
 #  extraVolumes: |
 #    - name: realm-export
 #      configMap:
 #        name: realm-export
 #  extraVolumeMounts: |
 #    - name: realm-export
 #      mountPath: /opt/keycloak/data/import
 #      readOnly: true
  http:
    relativePath: "/"
  ingress:
    enabled: true
-    hostname: auth.onprem-test.stands.wilix.dev
+    hostname: auth.example.com
    ingressClassName: traefik
    tls:
      - hosts:
-          - "auth.onprem-test.stands.wilix.dev"
+          - "auth.example.com"
-        secretName: "auth.onprem-test.stands.wilix.dev-tls"
+        secretName: "example.com-tls"
    annotations:
      kubernetes.io/ingress.class: traefik
-      cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev #Если используете
+      #cert-manager.io/cluster-issuer:  #Если используете
-      #nginx.ingress.kubernetes.io/proxy-buffer-size: "256k"
+
      #nginx.ingress.kubernetes.io/proxy-buffers: "8 256k"
      #nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "256k"
      #nginx.ingress.kubernetes.io/large-client-header-buffers: "8 256k"
      #nginx.ingress.kubernetes.io/proxy-set-headers: |
      #  X-Forwarded-For: $proxy_protocol_addr
      #  X-Forwarded-Proto: $scheme
      #  Host: $host
      #nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
    rules:
-      - host: "auth.onprem-test.stands.wilix.dev"
+      - host: "auth.example.com"
        paths:
          - path: /
            pathType: ImplementationSpecific