From 2b16b7af4aff397651f67640c3fc3824587998ee Mon Sep 17 00:00:00 2001 From: "artem.drozdov" Date: Fri, 9 Aug 2024 13:47:23 +0300 Subject: [PATCH] update --- yonote-chart/secret-values.yaml | 4 +- yonote-chart/templates/ingress.yaml | 30 +++ ...fic-http-to-https-redirect-middleware.yaml | 2 +- .../traefik-wss-headers-middleware.yaml | 2 +- yonote-chart/values.yaml | 218 +++++++++++++----- 5 files changed, 192 insertions(+), 64 deletions(-) create mode 100644 yonote-chart/templates/ingress.yaml rename traefic-http-to-https-redirect-middleware.yaml => yonote-chart/traefic-http-to-https-redirect-middleware.yaml (81%) rename traefik-wss-headers-middleware.yaml => yonote-chart/traefik-wss-headers-middleware.yaml (82%) diff --git a/yonote-chart/secret-values.yaml b/yonote-chart/secret-values.yaml index c21f90f..4d73ce3 100644 --- a/yonote-chart/secret-values.yaml +++ b/yonote-chart/secret-values.yaml 
@@ -7,13 +7,13 @@ global: POSTGRES_PASSWORD: wsGZ6kXhr5 AWS_ACCESS_KEY_ID: "" # Ваш идентификатор ключа доступа к AWS. Поведение в SelfHosted: устанавливает логин сервис аккаунта для доступа приложения к Minio S3 хранилищу AWS_SECRET_ACCESS_KEY: "minioadmin" # Ваш секретный ключ доступа AWS. Поведение в SelfHosted: устанавливает пароль сервис аккаунта для доступа приложения к Minio S3 хранилищу - OIDC_CLIENT_SECRET: "minioadminsecret" + OIDC_CLIENT_SECRET: "Kdq8rk5Pv5RW1c5kHXpnyfrmMRzI9xSD" SECRET_KEY: "659a8881b186198c3146e316f6dab67df25496534d1fa156d624b037260df688" # Сгенерируйте 32-байтовый случайный ключ в шестнадцатеричном коде. Вам следует использовать `openssl rand -hex 32` в вашем терминале для генерации случайного значения. SMTP_PASSWORD: "1234" UTILS_SECRET: "7bd5e9ac4415dd0dbf6b7721e2a21e9427b268cd0140c7516d13dece5024d479" # Сгенерируйте уникальный случайный ключ. Формат не важен, но вы все равно можете использовать`openssl rand -hex 32` в вашем терминале, чтобы создать это. TELEGRAM_BOT_TOKEN: "1234" UNSPLASH_API_ACCESS_KEY: "a-yGo6HpRP6jNfravx4Bz-oiPrRnH_5-24Xa9ZPlePE" - LICENSE_KEY: "" # Обратитесь в отдел продаж для получения + LICENSE_KEY: "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJkdW1teSI6ImRhdGEiLCJkYXRhIjoiZHVtbXkiLCJpYXQiOjE2NjQ4OTUyNjUsImV4cCI6MTgyMjY4MzI2NX0.Qudc2d-MKc4DT-UBAVydgowiYQnzzWolvbJTjPB5dwEI32Wb64sgkXOfXKsRf9_wP3UK0-65QYVkMHM76ImhM9HCHv9LWJBQeD0q2rF243cMkMUNfKXAX8-SmLu9kMZzm0fL02IBnv5TCHIF7u6GgGRk3US6WbVhzqHGxrdJ2b3HwD_cI3mcLKCtTfO_GDiUfAv7u5Ddi-6tCfFRvH633BLPKIMO5cePh_AdHykO_2p7z_ypUfsVgqxHkq8KwNuuaI6CpwE48P-7mXuM9xEWu3-prSZpaI4rIZA6JFpGMWyiGs4GDvjRFssq4GUPvYJnkZ2w_W_liSMdC5hg0PFxcw" # Обратитесь в отдел продаж для получения SERVICE_WORKER_PUBLIC_KEY: "1234" SERVICE_WORKER_PRIVATE_KEY: "1234" # Генерация ключей (web-push) Service Worker diff --git a/yonote-chart/templates/ingress.yaml b/yonote-chart/templates/ingress.yaml new file mode 100644 index 0000000..74ee4aa --- /dev/null +++ b/yonote-chart/templates/ingress.yaml 
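Review bot: The two changed lines replace placeholder values with what look like live credentials — `OIDC_CLIENT_SECRET: "Kdq8rk5Pv5RW1c5kHXpnyfrmMRzI9xSD"` and a signed `LICENSE_KEY` JWT — in a values file that is committed to version control, so they are now part of the repository history and should be treated as exposed (the client secret in particular needs rotation in the identity provider). Keep `secret-values.yaml` as a template with empty values, as `LICENSE_KEY: ""` was before, and inject real values at deploy time with `-f`/`--set` from a secret store or an encrypted file (SOPS/helm-secrets), e.g. `OIDC_CLIENT_SECRET: ""  # set at deploy time, never commit`. The JWT payload appears to decode to `{"dummy":"data","data":"dummy","iat":1664895265,"exp":1822683265}`, so it may be a test token, but that should be confirmed rather than assumed. Unrelated pre-existing values in the same hunk (`AWS_SECRET_ACCESS_KEY: "minioadmin"`, `SMTP_PASSWORD: "1234"`) are also defaults/placeholders and deserve the same treatment when this file is cleaned up.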
@@ -0,0 +1,30 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ .Values.ingress.name }} + namespace: {{ .Values.ingress.namespace }} + annotations: + {{- range $key, $value := .Values.ingress.annotations }} + {{ $key }}: "{{ $value }}" + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} + tls: + - secretName: "{{ .Values.ingress.tls.secretName }}" + hosts: + {{- range .Values.ingress.tls.hosts }} + - "{{ . }}" + {{- end }} + rules: + - host: "{{ .Values.ingress.hostname }}" + http: + paths: + {{- range .Values.ingress.rules.paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ .service.name }} + port: + number: {{ .service.port | int }} + {{- end }} \ No newline at end of file diff --git a/traefic-http-to-https-redirect-middleware.yaml b/yonote-chart/traefic-http-to-https-redirect-middleware.yaml similarity index 81% rename from traefic-http-to-https-redirect-middleware.yaml rename to yonote-chart/traefic-http-to-https-redirect-middleware.yaml index 93c470f..f1129b1 100644 --- a/traefic-http-to-https-redirect-middleware.yaml +++ b/yonote-chart/traefic-http-to-https-redirect-middleware.yaml @@ -2,7 +2,7 @@ apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: - name: redirect-https + name: yonote-onprem-redirect-https spec: redirectScheme: scheme: https diff --git a/traefik-wss-headers-middleware.yaml b/yonote-chart/traefik-wss-headers-middleware.yaml similarity index 82% rename from traefik-wss-headers-middleware.yaml rename to yonote-chart/traefik-wss-headers-middleware.yaml index c8fc1bd..e70cfc2 100644 --- a/traefik-wss-headers-middleware.yaml +++ b/yonote-chart/traefik-wss-headers-middleware.yaml @@ -2,7 +2,7 @@ apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: - name: wss-headers + name: yonote-onprem-wss-headers spec: headers: customRequestHeaders: 
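Review bot: The annotation loop in the new template emits `{{ $key }}: "{{ $value }}"`, which writes the value verbatim without `tpl`, so Go-template text placed in `values.yaml` (the new `ingress.annotations` there contain `{{ .Release.Namespace }}`) reaches the API server literally, and any value containing a `"` breaks the rendered YAML; use `{{ $key }}: {{ tpl $value $ | quote }}` instead. `namespace: {{ .Values.ingress.namespace }}` sets the Ingress namespace independently of the release, so if it differs from the namespace holding `yonote-web`/`yonote-websockets` the backends will not resolve — `namespace: {{ .Release.Namespace }}` is the safer choice. The plain scalars `{{ .path }}`, `{{ .pathType }}` and `{{ .service.name }}` should be quoted for the same empty/special-character reasons, and the file is missing its trailing newline.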
diff --git a/yonote-chart/values.yaml b/yonote-chart/values.yaml index 4ea3593..dbf92b2 100644 --- a/yonote-chart/values.yaml +++ b/yonote-chart/values.yaml @@ -6,12 +6,12 @@ global: username: yonote yonote: - ingress: - ingressClassName: nginx + # ingress: + # ingressClassName: traefik dbMigrationEnv: production-ssl-disabled # Режим подключения к базе данных при выполнении миграций. При использовании SSL подключения, установите значение `production` - baseListenAddress: example.com + baseListenAddress: onprem-test.stands.wilix.dev config: plain: @@ -30,17 +30,18 @@ global: AI_URL: "1234" AI_API_KEY: "1234" + WEB_CONCURRENCY: "1" - URL: 'http://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения + URL: 'https://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения COLLABORATION_URL: 'wss://app.{{ .Values.global.yonote.baseListenAddress }}' # Cервер, для нормальной работы это не нужно устанавливать OIDC_DISPLAY_NAME: email OIDC_SCOPES: openid email - OIDC_CLIENT_ID: yonote - OIDC_AUTH_URI: 'yonote-keycloak:8080/realms/yonote/protocol/openid-connect/auth' - OIDC_LOGOUT_URI: 'yonote-keycloak:8080/realms/yonote/protocol/openid-connect/logout' - OIDC_TOKEN_URI: 'yonote-keycloak:8080/realms/yonote/protocol/openid-connect/token' - OIDC_USERINFO_URI: 'yonote-keycloak:8080/realms/yonote/protocol/openid-connect/userinfo' + OIDC_CLIENT_ID: yonote-local + OIDC_AUTH_URI: 'https://auth.yonote.ru/realms/yonote-test/protocol/openid-connect/auth' + OIDC_LOGOUT_URI: 'https://auth.yonote.ru/realms/yonote-test/protocol/openid-connect/logout' + OIDC_TOKEN_URI: 'https://auth.yonote.ru/realms/yonote-test/protocol/openid-connect/token' + OIDC_USERINFO_URI: 'https://auth.yonote.ru/realms/yonote-test/protocol/openid-connect/userinfo' AWS_S3_ACL: private AWS_S3_UPLOAD_BUCKET_URL: yonote-minio:9000 # Адрес S3 хранилища 
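Review bot: In the second hunk the `OIDC_*_URI` defaults now point an on-premise installation's login flow at an external Keycloak realm, `https://auth.yonote.ru/realms/yonote-test/...`, together with `OIDC_CLIENT_ID: yonote-local` and `baseListenAddress: onprem-test.stands.wilix.dev`; these are test-stand settings committed as the chart's shipped defaults, so anyone installing without overrides would delegate authentication to a third-party realm whose name suggests it is not a production IdP. Keep the chart defaults neutral — either the previous in-cluster `yonote-keycloak` endpoints or empty strings that fail fast — and move the stand-specific values into a per-environment override file, e.g. `OIDC_AUTH_URI: ""  # set per environment`. If the in-cluster URIs are restored, give them an explicit scheme (the removed lines were scheme-less, `yonote-keycloak:8080/realms/...`), since OIDC clients may reject or mis-parse such values; I have not verified how this application parses them. The `URL` change to `https://` is correct and consistent with `COLLABORATION_URL: wss://`.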
@@ -77,6 +78,61 @@ global: cron_enabled: "true" url: http://yonote-web/api/cron.schedule + # ingress: + # enabled: true + # hostname: 'app.onprem-test.stands.wilix.dev' + # ingressClassName: traefik + # path: '/' + # pathType: Prefix + # annotations: + # cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + # traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd' + # # nginx.ingress.kubernetes.io/force-ssl-redirect: "false" + # # nginx.ingress.kubernetes.io/configuration-snippet: | + # # more_set_headers "Host $http_host"; + # # more_set_headers "X-Real-IP $remote_addr"; + # # more_set_headers "X-Forwarded-Proto $scheme"; + # # more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # extraTls: + # - hosts: + # - "app.onprem-test.stands.wilix.dev" + # secretName: "app.onprem-test.stands.wilix.dev" +ingress: + enabled: true + name: yonote-ingress + namespace: yonote-onprem + ingressClassName: traefik + hostname: 'app.onprem-test.stands.wilix.dev' + tls: + secretName: "app.onprem-test.stands.wilix.dev" + hosts: + - "app.onprem-test.stands.wilix.dev" + rules: + paths: + - path: / + pathType: Prefix + service: + name: yonote-web + port: 80 + - path: /realtime + pathType: Prefix + service: + name: yonote-websockets + port: 80 + - path: /whiteboard + pathType: Prefix + service: + name: yonote-whiteboard + port: 80 + - path: /collaboration + pathType: Prefix + service: + name: yonote-collaboration + port: 80 + annotations: + cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd' + yonote-web: fullnameOverride: yonote-web nameOverride: yonote-web 
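Review bot: The `router.middlewares` annotation in the new top-level `ingress:` block references `{{ .Release.Namespace }}-redirect-https@kubernetescrd` and `...-wss-headers@kubernetescrd`, but Helm does not render template expressions inside `values.yaml` unless the consuming template calls `tpl`, and the new `templates/ingress.yaml` emits the value verbatim, so Traefik would receive the literal `{{ .Release.Namespace }}` text. Independently of that, this same commit renames the Middleware objects to `yonote-onprem-redirect-https` and `yonote-onprem-wss-headers`, so even a rendered `yonote-onprem-redirect-https@kubernetescrd` would not match the `<namespace>-<name>` form the kubernetescrd provider expects if the objects live in `yonote-onprem`. As far as I recall, Traefik puts a router with an unresolvable middleware into an error state and does not serve it, so the HTTPS redirect, the WebSocket headers and — most importantly — the `kube-system-wilix-office-ipwhitelist` access control could all be lost or the ingress broken; please check the rendered manifest and Traefik logs. Simplest fix is to drop the `yonote-onprem-` prefix from the Middleware names again and render the annotation with `tpl`, or hard-code the matching names, e.g. `traefik.ingress.kubernetes.io/router.middlewares: 'yonote-onprem-yonote-onprem-redirect-https@kubernetescrd,yonote-onprem-yonote-onprem-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd'`. `namespace: yonote-onprem` is also hard-coded here while the annotation expects the release namespace; prefer one source of truth.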
@@ -110,8 +166,8 @@ yonote-web: resources: limits: - cpu: 350m - memory: 512Mi + cpu: 1 + memory: 1Gi requests: cpu: 200m memory: 128Mi @@ -132,16 +188,25 @@ yonote-web: - secretRef: name: yonote-secrets - ingress: - hostname: '"*.example.com"' - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "Host $http_host"; - more_set_headers "X-Real-IP $remote_addr"; - more_set_headers "X-Forwarded-Proto $scheme"; - more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # ingress: + # enabled: true + # hostname: 'app.onprem-test.stands.wilix.dev' + # ingressClassName: traefik + # path: '/' + # pathType: Prefix + # annotations: + # cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + # traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd' + # # nginx.ingress.kubernetes.io/force-ssl-redirect: "false" + # # nginx.ingress.kubernetes.io/configuration-snippet: | + # # more_set_headers "Host $http_host"; + # # more_set_headers "X-Real-IP $remote_addr"; + # # more_set_headers "X-Forwarded-Proto $scheme"; + # # more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # extraTls: + # - hosts: + # - "app.onprem-test.stands.wilix.dev" + # secretName: "app.onprem-test.stands.wilix.dev" podLabels: redis-client: 'true' 
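Review bot: The second hunk replaces the `yonote-web` ingress with a ~20-line commented-out copy of the new top-level configuration, and the same block is repeated for the websocket, whiteboard and collaboration components below; this dead configuration will drift from the live `ingress:` key and invites someone to re-enable a stale copy. Remove the commented block and leave a single pointer instead, e.g. `# Ingress for all components is defined once under the top-level ingress: key.`. Note that the removed `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` is now only replaced by the Traefik `redirect-https` middleware, so HTTP-to-HTTPS enforcement depends entirely on that middleware chain resolving correctly. The resource-limit increase in the first hunk (`cpu: 1`, `memory: 1Gi`) is fine but leaves requests at `200m`/`128Mi`; a brief comment on why such a wide burst range is wanted would help the next maintainer.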
@@ -212,16 +277,25 @@ yonote-websocket: port: 80 targetPort: app - ingress: - hostname: '"*.example.com"' - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "Host $http_host"; - more_set_headers "X-Real-IP $remote_addr"; - more_set_headers "X-Forwarded-Proto $scheme"; - more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # ingress: + # enabled: true + # hostname: 'app.onprem-test.stands.wilix.dev' + # ingressClassName: traefik + # path: '/realtime' + # pathType: Prefix + # annotations: + # cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + # traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd' + # # nginx.ingress.kubernetes.io/force-ssl-redirect: "false" + # # nginx.ingress.kubernetes.io/configuration-snippet: | + # # more_set_headers "Host $http_host"; + # # more_set_headers "X-Real-IP $remote_addr"; + # # more_set_headers "X-Forwarded-Proto $scheme"; + # # more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # extraTls: + # - hosts: + # - "app.onprem-test.stands.wilix.dev" + # secretName: "app.onprem-test.stands.wilix.dev" podLabels: redis-client: 'true' 
@@ -292,16 +366,26 @@ yonote-whiteboard: port: 80 targetPort: app - ingress: - hostname: '"*.example.com"' - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "Host $http_host"; - more_set_headers "X-Real-IP $remote_addr"; - more_set_headers "X-Forwarded-Proto $scheme"; - more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # ingress: + # enabled: true + # hostname: 'app.onprem-test.stands.wilix.dev' + # ingressClassName: traefik + # path: '/whiteboard' + # pathType: Prefix + # annotations: + # cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + # traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd' + # # nginx.ingress.kubernetes.io/force-ssl-redirect: "false" + # # nginx.ingress.kubernetes.io/configuration-snippet: | + # # more_set_headers "Host $http_host"; + # # more_set_headers "X-Real-IP $remote_addr"; + # # more_set_headers "X-Forwarded-Proto $scheme"; + # # more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # extraTls: + # - hosts: + # - "app.onprem-test.stands.wilix.dev" + # secretName: "app.onprem-test.stands.wilix.dev" + podLabels: redis-client: 'true' @@ -348,11 +432,11 @@ yonote-worker: resources: limits: - cpu: 500m + cpu: 1 memory: 1Gi requests: - cpu: 250m - memory: 256Mi + cpu: 50m + memory: 128Mi checksums: null 
@@ -427,16 +511,25 @@ yonote-collaboration: port: 80 targetPort: app - ingress: - hostname: '"*.example.com"' - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "Host $http_host"; - more_set_headers "X-Real-IP $remote_addr"; - more_set_headers "X-Forwarded-Proto $scheme"; - more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # ingress: + # enabled: true + # hostname: 'app.onprem-test.stands.wilix.dev' + # ingressClassName: traefik + # path: '/collaboration' + # pathType: Prefix + # annotations: + # cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + # traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd' + # # nginx.ingress.kubernetes.io/force-ssl-redirect: "false" + # # nginx.ingress.kubernetes.io/configuration-snippet: | + # # more_set_headers "Host $http_host"; + # # more_set_headers "X-Real-IP $remote_addr"; + # # more_set_headers "X-Forwarded-Proto $scheme"; + # # more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # extraTls: + # - hosts: + # - "app.onprem-test.stands.wilix.dev" + # secretName: "app.onprem-test.stands.wilix.dev" envFrom: - configMapRef: @@ -523,13 +616,18 @@ minio: ingress: enabled: true + hostname: 's3.onprem-test.stands.wilix.dev' + ingressClassName: traefik + path: '/' + pathType: ImplementationSpecific annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: s3.example.com - paths: - - path: / - pathType: ImplementationSpecific + kubernetes.io/ingress.class: traefik + cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + extraTls: + - hosts: + - "s3.onprem-test.stands.wilix.dev" + secretName: "s3.onprem-test.stands.wilix.dev" + resources: requests: memory: 512Mi
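Review bot: In the `minio:` hunk the S3 API is now published on `s3.onprem-test.stands.wilix.dev` through a Traefik ingress with a Let's Encrypt certificate, but unlike the application ingress it carries no `kube-system-wilix-office-ipwhitelist` or `redirect-https` middleware, and `secret-values.yaml` in this same commit still uses `AWS_SECRET_ACCESS_KEY: "minioadmin"` (the MinIO default) for the application's service account; if the MinIO root credentials are not overridden elsewhere in the subchart values (not visible here), the object store is reachable from the Internet with default credentials. Since the application already talks to MinIO in-cluster (`AWS_S3_UPLOAD_BUCKET_URL: yonote-minio:9000`), consider not exposing it at all, or at minimum add `traefik.ingress.kubernetes.io/router.middlewares: 'kube-system-wilix-office-ipwhitelist@kubernetescrd'` under `annotations:` and set non-default credentials. `kubernetes.io/ingress.class: traefik` is the deprecated annotation form and is redundant with the new `ingressClassName: traefik`; keep only the latter.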