Chart version 2.0.0 - no Bitnami

2025-12-03 13:14:37 +03:00 · 2025-12-03 13:14:37 +03:00 · 214f94f8b5
commit 214f94f8b5
parent 0a7499c373
4 changed files with 54 additions and 259 deletions
--- a/yonote-chart-service/Chart.yaml
+++ b/yonote-chart-service/Chart.yaml
@ -1,6 +1,6 @@
 apiVersion: v2
 name: yonote-chart
-version: 1.3.0
+version: 2.0.0
 description:
  Generic application Helm chart.
  This chart includes multiple dependencies. The base of this chart is derived from the Dysnix app chart.
@ -53,12 +53,6 @@ dependencies:
    condition: minio.enabled
    alias: minio

-#  - name: app
-#    version: "0.3.15"
-#    repository: https://artifacts.wilix.dev/repository/helm-dysnix
-#    condition: keycloak.enabled
-#    alias: keycloak
-
  - name: keycloakx
    version: "1.3.2"
    repository: https://codecentric.github.io/helm-charts
--- a/yonote-chart-service/secret-values.yaml
+++ b/yonote-chart-service/secret-values.yaml
@ -13,7 +13,7 @@ global:
          UTILS_SECRET: "7bd5e9ac4415dd0dbf6b7721e2a21e9427b268cd0140c7516d13dece5024d479" # Сгенерируйте уникальный случайный ключ. Формат не важен, но вы все равно можете использовать`openssl rand -hex 32` в вашем терминале, чтобы создать это.
          TELEGRAM_BOT_TOKEN: "1234"
          UNSPLASH_API_ACCESS_KEY: "a-yGo6HpRP6jNfravx4Bz-oiPrRnH_5-24Xa9ZPlePE"
-          LICENSE_KEY: "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NjAzNDA0NTYsImV4cCI6MTc2MzA2NzU5OX0.Umhd1az0qC8EXEiC8xvVuqrxG2oEePGGWa_RAYWgzSKavXy7qnaIn_pjK8J56UfP8nDLVC6rxgjPhs0g8bZfrDslYrzMuiWstUt5TDwFDfjZbqHvxzShkBZ5FUSM-qFD3qdGnfBucKdt046CY40_S0hlN3Rjl7WasnOZHnyTlHpbVeaFTwc8fsWL0IxBOxCF73F7hI4S7FC15ANwUD4WwKQDCGxYJ5ZTn5uYZII9WZ2wjWC-__xGEehZ7cHmwRAPcm471zEwkUY9sXRoMjITtTbtFkCChpp8BPC1zBUdWVPgtMqFnFbtjhtmDiCiQeebVqz9tjE_wgU6gBhNpJhXaA" # Обратитесь в отдел продаж для получения
+          LICENSE_KEY: "" # Обратитесь в отдел продаж для получения
          SERVICE_WORKER_PUBLIC_KEY: "1234"
          SERVICE_WORKER_PRIVATE_KEY: "1234"
        # Генерация ключей (web-push) Service Worker
@ -38,8 +38,9 @@ minio:
 keycloak:
  database:
    password: password1
-  #secrets:
-  #  secrets:
-  #    stringData:
-  #      KEYCLOAK_ADMIN_PASSWORD: secret
-  #      KC_DB_PASSWORD: "password1"
+  secrets:
+    secrets:
+      stringData:
+        KEYCLOAK_ADMIN_PASSWORD: secret
+        KC_DB_PASSWORD: "password1"
+        OIDC_CLIENT_SECRET: "iS3jOA3Z7zXBwSN8EzJm36ybz57JNgpR"
--- a/yonote-chart-service/templates/realm-configmap.yaml
+++ b/yonote-chart-service/templates/realm-configmap.yaml
@ -1,169 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: realm-export
-data:
-  realm-export.json: |
-    {
-    "realm": "yonote",
-    "enabled": true,
-    "notBefore": 1647809856,
-    "defaultSignatureAlgorithm": "RS256",
-    "revokeRefreshToken": false,
-    "refreshTokenMaxReuse": 0,
-    "accessTokenLifespan": 300,
-    "accessTokenLifespanForImplicitFlow": 900,
-    "ssoSessionIdleTimeout": 1800,
-    "ssoSessionMaxLifespan": 36000,
-    "ssoSessionIdleTimeoutRememberMe": 0,
-    "ssoSessionMaxLifespanRememberMe": 0,
-    "offlineSessionIdleTimeout": 2592000,
-    "offlineSessionMaxLifespanEnabled": false,
-    "offlineSessionMaxLifespan": 5184000,
-    "clientSessionIdleTimeout": 0,
-    "clientSessionMaxLifespan": 0,
-    "clientOfflineSessionIdleTimeout": 0,
-    "clientOfflineSessionMaxLifespan": 0,
-    "accessCodeLifespan": 60,
-    "accessCodeLifespanUserAction": 300,
-    "accessCodeLifespanLogin": 1800,
-    "actionTokenGeneratedByAdminLifespan": 43200,
-    "actionTokenGeneratedByUserLifespan": 300,
-    "oauth2DeviceCodeLifespan": 600,
-    "oauth2DevicePollingInterval": 5,
-    "sslRequired": "external",
-    "registrationAllowed": true,
-    "registrationEmailAsUsername": true,
-    "rememberMe": true,
-    "verifyEmail": false,
-    "loginWithEmailAllowed": true,
-    "duplicateEmailsAllowed": false,
-    "resetPasswordAllowed": true,
-    "editUsernameAllowed": false,
-    "bruteForceProtected": false,
-    "permanentLockout": false,
-    "maxFailureWaitSeconds": 900,
-    "minimumQuickLoginWaitSeconds": 60,
-    "waitIncrementSeconds": 60,
-    "quickLoginCheckMilliSeconds": 1000,
-    "maxDeltaTimeSeconds": 43200,
-    "failureFactor": 30,
-    "clients": [
-        {
-        "clientId": "{{ .Values.global.yonote.config.plain.data.OIDC_CLIENT_ID }}",
-        "secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}",
-        "redirectUris": [
-            "https://*.{{ .Values.global.yonote.baseListenAddress }}/*",
-            "http://*.{{ .Values.global.yonote.baseListenAddress }}/*",
-            "http://team.{{ .Values.global.yonote.baseListenAddress }}/*",
-            "https://team.{{ .Values.global.yonote.baseListenAddress }}/*",
-            "https://team.{{ .Values.global.yonote.baseListenAddress }}/auth/oidc.callback/*"
-        ],
-        "baseUrl": "https://team.{{ .Values.global.yonote.baseListenAddress }}",
-        "enabled": true,
-        "publicClient": false,
-        "protocol": "openid-connect",
-        "attributes": {
-            "client.secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}",
-            "display.on.consent.screen": "true"
-        },
-        "authenticationFlowBindingOverrides": {},
-        "fullScopeAllowed": false,
-        "protocolMappers": [
-            {
-            "name": "oidc-display-name",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-attribute-mapper",
-            "consentRequired": false,
-            "config": {
-                "userinfo.token.claim": "true",
-                "user.attribute": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}",
-                "id.token.claim": "true",
-                "access.token.claim": "true",
-                "claim.name": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}",
-                "jsonType.label": "String"
-            }
-            }
-        ],
-        "defaultClientScopes": ["openid", "email"]
-        }
-    ],
-    "identityProviders": [],
-    "internationalizationEnabled": true,
-    "clientScopes": [
-        {
-        "name": "openid",
-        "protocol": "openid-connect",
-        "attributes": {
-            "include.in.token.scope": "true",
-            "display.on.consent.screen": "true",
-            "consent.screen.text": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}"
-        },
-        "protocolMappers": []
-        },
-        {
-        "name": "email",
-        "protocol": "openid-connect",
-        "attributes": {
-            "include.in.token.scope": "true",
-            "display.on.consent.screen": "true"
-        },
-        "protocolMappers": [
-            {
-            "id": "56fe6d23-690a-465c-bc36-99bff8fef6eb",
-            "name": "email verified",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-property-mapper",
-            "consentRequired": false,
-            "config": {
-                "userinfo.token.claim": "true",
-                "user.attribute": "emailVerified",
-                "id.token.claim": "true",
-                "access.token.claim": "true",
-                "claim.name": "email_verified",
-                "jsonType.label": "boolean"
-            }
-            },
-            {
-            "id": "2c6acd0e-b776-48f5-9c3b-7bfdbbe712dc",
-            "name": "email",
-            "protocol": "openid-connect",
-            "protocolMapper": "oidc-usermodel-property-mapper",
-            "consentRequired": false,
-            "config": {
-                "userinfo.token.claim": "true",
-                "user.attribute": "email",
-                "id.token.claim": "true",
-                "access.token.claim": "true",
-                "claim.name": "email",
-                "jsonType.label": "String"
-            }
-            }
-        ]
-        }
-    ],
-    "browserSecurityHeaders": {
-        "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"
-    },
-    "webAuthnPolicyRpEntityName": "keycloak",
-    "webAuthnPolicySignatureAlgorithms": ["ES256"],
-    "webAuthnPolicyRpId": "",
-    "webAuthnPolicyAttestationConveyancePreference": "not specified",
-    "webAuthnPolicyAuthenticatorAttachment": "not specified",
-    "webAuthnPolicyRequireResidentKey": "not specified",
-    "webAuthnPolicyUserVerificationRequirement": "not specified",
-    "webAuthnPolicyCreateTimeout": 0,
-    "webAuthnPolicyAvoidSameAuthenticatorRegister": false,
-    "webAuthnPolicyAcceptableAaguids": [],
-    "webAuthnPolicyPasswordlessRpEntityName": "keycloak",
-    "webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"],
-    "webAuthnPolicyPasswordlessRpId": "",
-    "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
-    "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
-    "webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
-    "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
-    "webAuthnPolicyPasswordlessCreateTimeout": 0,
-    "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
-    "webAuthnPolicyPasswordlessAcceptableAaguids": [],
-    "smtpServer": {}
-    }
--- a/yonote-chart-service/values.yaml
+++ b/yonote-chart-service/values.yaml
@ -2,7 +2,7 @@ global:
  name: yonote-app
  yonote:
    dbMigrationEnv: production-ssl-disabled # Режим подключения к базе данных при выполнении миграций. При использовании SSL подключения, установите значение `production`
-    baseListenAddress: onprem-test.stands.wilix.dev # Доменный адрес для yonote
+    baseListenAddress: example.com # Доменный адрес для yonote

    config:
      plain:
@ -32,13 +32,13 @@ global:
          OIDC_DISPLAY_NAME: email
          OIDC_SCOPES: openid email
          OIDC_CLIENT_ID: yonote
-          OIDC_AUTH_URI: 'https://auth.onprem-test.stands.wilix.dev/realms/yonote/protocol/openid-connect/auth' # URL для авторизации пользователей через OpenID Connect (OIDC). Пользователь перенаправляется на этот адрес для входа в систему.
-          OIDC_LOGOUT_URI: 'https://auth.onprem-test.stands.wilix.dev/realms/yonote/protocol/openid-connect/logout' # URL для выхода из системы через OIDC. Пользователь перенаправляется на этот адрес для завершения сессии и выхода.
-          OIDC_TOKEN_URI: 'https://auth.onprem-test.stands.wilix.dev/realms/yonote/protocol/openid-connect/token' # URL для получения токенов доступа и обновления. Этот адрес используется для обмена авторизационным кодом на токены
-          OIDC_USERINFO_URI: 'https://auth.onprem-test.stands.wilix.dev/realms/yonote/protocol/openid-connect/userinfo' # URL для получения информации о пользователе. Используется для получения данных профиля пользователя на основе его токена.
+          OIDC_AUTH_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/auth' # URL для авторизации пользователей через OpenID Connect (OIDC). Пользователь перенаправляется на этот адрес для входа в систему.
+          OIDC_LOGOUT_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/logout' # URL для выхода из системы через OIDC. Пользователь перенаправляется на этот адрес для завершения сессии и выхода.
+          OIDC_TOKEN_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/token' # URL для получения токенов доступа и обновления. Этот адрес используется для обмена авторизационным кодом на токены
+          OIDC_USERINFO_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/userinfo' # URL для получения информации о пользователе. Используется для получения данных профиля пользователя на основе его токена.

          AWS_S3_ACL: private
-          AWS_S3_UPLOAD_BUCKET_URL: 'https://api-s3.onprem-test.stands.wilix.dev' # Адрес API S3 хранилища
+          AWS_S3_UPLOAD_BUCKET_URL: 'https://api-s3.example.com' # Адрес API S3 хранилища
          AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket # Имя хранилища 
          AWS_REGION: "RU"
          AWS_S3_UPLOAD_MAX_SIZE: "226214400" # Максимальный размер хранилища
@ -78,12 +78,12 @@ ingress:
  namespace: yonote-onprem
  ingressClassName: traefik
  tls:
-    secretName: "app.onprem-test.stands.wilix.dev-tls"
+    secretName: "example.com-tls"
    hosts:
-      - "app.onprem-test.stands.wilix.dev"
-      - "team.onprem-test.stands.wilix.dev"
+      - "app.example.com"
+      - "team.example.com"
  rules:
-    - host: "app.onprem-test.stands.wilix.dev"
+    - host: "app.example.com"
      paths:
        - path: /
          pathType: Prefix
@ -105,7 +105,7 @@ ingress:
          service:
            name: yonote-collaboration
            port: 80
-    - host: "team.onprem-test.stands.wilix.dev"
+    - host: "team.example.com"
      paths:
        - path: /
          pathType: Prefix
@ -128,8 +128,8 @@ ingress:
            name: yonote-collaboration
            port: 80

-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете
+  #annotations:
+  #  cert-manager.io/cluster-issuer:  # Если используете

 yonote-web:
  fullnameOverride: yonote-web
@ -147,7 +147,7 @@ yonote-web:

  initContainers:
    - name: yonote-migration
-      image: images.updates.yonote.ru/yonote:1.19.8
+      image: images.updates.yonote.ru/yonote:1.22.11
      imagePullPolicy: IfNotPresent
      command:
        - /bin/sh
@ -506,7 +506,7 @@ yonote-database:

  storage:
    requestedSize: 5Gi
-    className: "longhorn"
+    className: ""

  resources:
    limits:
@ -525,7 +525,7 @@ yonote-redis:

  storage:
    requestedSize: 1Gi
-    className: "longhorn"
+    className: ""
  resources:
    limits:
      cpu: 1
@ -538,7 +538,6 @@ minio:
  enabled: true
  name: minio
  fullnameOverride: yonote-minio
-  #customUser: yonote
  nameOverride: yonote-minio
  mode: standalone
  rootUser: admin
@ -550,36 +549,38 @@ minio:

  persistence:
    enabled: true
+    annotations:
+      helm.sh/resource-policy: keep
    size: 1Gi
-    storageClass: "longhorn"
+    storageClass: ""

  ingress:
    enabled: true
    hosts:
-      - s3.onprem-test.stands.wilix.dev
+      - s3.example.com
    ingressClassName: traefik
    path: '/'
    annotations:
      kubernetes.io/ingress.class: traefik
-      cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете
+      #cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете
    tls:
      - hosts:
-          - "s3.onprem-test.stands.wilix.dev"
-        secretName: "s3.onprem-test.stands.wilix.dev-tls"
+          - "s3.example.com"
+        secretName: "example.com-tls"

  consoleIngress:
    enabled: true
    hosts:
-      - api-s3.onprem-test.stands.wilix.dev
+      - api-s3.example.com
    ingressClassName: traefik
    path: '/'
    annotations:
      kubernetes.io/ingress.class: traefik
-      cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете
+      #cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете
    tls:
      - hosts:
-          - "api-s3.onprem-test.stands.wilix.dev"
-        secretName: "api-s3.onprem-test.stands.wilix.dev"
+          - "api-s3.example.com"
+        secretName: "example.com-tls"

  resources:
    requests:
@ -598,11 +599,11 @@ keycloak:
  nameOverride: yonote-keycloak

  image:
-    repository: quay.io/keycloak/keycloak #images.updates.yonote.ru/yonote-keycloak
-    tag: 19.0.3
+    repository: images.updates.yonote.ru/yonote-keycloak
+    tag: latest

  args:
-    - start-dev #--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --import-realm
+    - start-dev --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --import-realm

  cache:
    stack: custom
@ -611,80 +612,48 @@ keycloak:
    enabled: "false"

  extraEnv: |
-    #- name: KC_LOG_LEVEL
-    #  value: DEBUG
    - name: KEYCLOAK_ADMIN
-      value: root
-      #valueFrom:
-      #  secretKeyRef:
-      #    name: {{ include "keycloak.fullname" . }}-admin-creds
-      #    key: user
+      valueFrom:
+        secretKeyRef:
+          name: {{ include "keycloak.fullname" . }}-admin-creds
+          key: user
    - name: KEYCLOAK_ADMIN_PASSWORD
-      value: ropoMBhQB1jwfr5y37u0GzaYmOwmXdDeFfjGC2
-      #valueFrom:
-      #  secretKeyRef:
-      #    name: {{ include "keycloak.fullname" . }}-admin-creds
-      #    key: password
+      valueFrom:
+        secretKeyRef:
+          name: {{ include "keycloak.fullname" . }}-admin-creds
+          key: password
    - name: BASENAME_FOR_SUBDOMAIN
-      value: onprem-test.stands.wilix.dev
+      value: example.com
    - name: KC_HOSTNAME_STRICT
      value: "false"
-    #- name: KC_HOSTNAME_ADMIN
-    #  value: auth.onprem-test.stands.wilix.dev/admin
    - name: KC_HOSTNAME
-      value: auth.onprem-test.stands.wilix.dev
+      value: auth.example.com
    - name: KC_HOSTNAME_STRICT_HTTPS
      value: "false"
    - name: KC_HOSTNAME_PATH
      value: "/"
-    #- name: KC_DB_URL
-    #  value: jdbc:postgresql://yonote-database:5432/keycloak
    - name: KC_HTTP_ENABLED
      value: "true"
-    #- name: KC_PROXY
-    #  value: edge
-    #- name: JAVA_OPTS_APPEND
-    #  value: -Djgroups.dns.query=keycloak-headless
-    #- name: KC_PROXY_HEADERS
-    #  value: "xforwarded"
    - name: PROXY_ADDRESS_FORWARDING
      value: "true"

-#  extraVolumes: |
-#    - name: realm-export
-#      configMap:
-#        name: realm-export
-
-#  extraVolumeMounts: |
-#    - name: realm-export
-#      mountPath: /opt/keycloak/data/import
-#      readOnly: true
-
  http:
    relativePath: "/"

  ingress:
    enabled: true
-    hostname: auth.onprem-test.stands.wilix.dev
+    hostname: auth.example.com
    ingressClassName: traefik
    tls:
      - hosts:
-          - "auth.onprem-test.stands.wilix.dev"
-        secretName: "auth.onprem-test.stands.wilix.dev-tls"
+          - "auth.example.com"
+        secretName: "example.com-tls"
    annotations:
      kubernetes.io/ingress.class: traefik
-      cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev #Если используете
-      #nginx.ingress.kubernetes.io/proxy-buffer-size: "256k"
-      #nginx.ingress.kubernetes.io/proxy-buffers: "8 256k"
-      #nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "256k"
-      #nginx.ingress.kubernetes.io/large-client-header-buffers: "8 256k"
-      #nginx.ingress.kubernetes.io/proxy-set-headers: |
-      #  X-Forwarded-For: $proxy_protocol_addr
-      #  X-Forwarded-Proto: $scheme
-      #  Host: $host
-      #nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
+      #cert-manager.io/cluster-issuer:  #Если используете
+
    rules:
-      - host: "auth.onprem-test.stands.wilix.dev"
+      - host: "auth.example.com"
        paths:
          - path: /
            pathType: ImplementationSpecific