This commit is contained in:
Даниил Милин 2024-08-25 17:01:24 +03:00
parent 08c62b5eb8
commit 81ba95b080
26 changed files with 1849 additions and 556 deletions

View File

@ -1,2 +1,50 @@
# onprem-deploy
# Yonote Helm Chart
## Обзор
Этот Helm chart позволяет развернуть **Yonote** в Kubernetes. Он предоставляет быстрый и простой способ установки, настройки и управления приложением с помощью Helm.
## Требования
- Kubernetes cluster
- Helm
- Ingress Controller (nginx/traefik)
## Установка
### 1. Добавление репозиториев Helm
Перед установкой зависимостей, необходимо добавить репозитории, из которых будут загружаться чарты:
```bash
helm repo add dysnix https://dysnix.github.io/charts
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
```
### 2. Выполните сборку зависимостей Helm chart
```bash
helm dependency build
```
### 3. Настройка значений
Перед развертыванием приложения через Helm необходимо внести валидные значения в файлы values.yaml и secret-values.yaml. Эти файлы содержат параметры конфигурации, которые будут использованы при установке приложения.
Настройте необходимые параметры. В файлах values.yaml и secret-values.yaml вы найдете различные секции, каждая из которых соответствует определенной части конфигурации приложения. Внимательно изучите комментарии в этих файлах; они указывают на места, где необходимо внести изменения. Обратите особое внимание на секцию ingress, так как её настройка важна для правильной работы приложения. Вам потребуется заменить или настроить значения в этой секции в соответствии с вашими требованиями.
Более подробно ознакомиться с переменными вы можете по следующей ссылке: https://yo.yonote.ru/doc/peremennye-okruzheniya-mOI8Jl6B05
### 4. Запуск приложения
После настройки значений выполните команду:
```bash
helm install app -f values.yaml -f secret-values.yaml -n yonote-onprem .
```
После выполнения команды начнётся установка приложения и всех дополнительных сервисов к нему. Остаётся только подождать, пока все сервисы запустятся.
### Обратная связь
Если у вас есть вопросы или вам нужна помощь, пишите на email: hello@yonote.ru

View File

@ -0,0 +1,18 @@
dependencies:
- name: app
repository: https://dysnix.github.io/charts
version: 0.3.15
- name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 11.6.6
- name: redis
repository: https://charts.bitnami.com/bitnami
version: 16.12.1
- name: minio
repository: https://charts.bitnami.com/bitnami
version: 12.7.0
- name: keycloak
repository: https://charts.bitnami.com/bitnami
version: 14.0.0
digest: sha256:b12099844193a7a06a5d15b80774592b1cf73af191b654154a9c7a6e8d51a2e0
generated: "2024-08-25T04:02:50.20628049+03:00"

View File

@ -0,0 +1,40 @@
apiVersion: v2
name: yonote-chart
version: 1.2.0
description:
Generic application Helm chart.
This chart includes multiple dependencies. The base of this chart is derived from the Dynix app chart.
maintainers:
- name: Dysnix
email: support@dysnix.com
url: https://github.com/dysnix/charts/tree/main/dysnix/app
dependencies:
- name: app
version: "0.3.15"
repository: https://dysnix.github.io/charts
alias: yonote-web
- name: postgresql
version: "11.6.6"
repository: https://charts.bitnami.com/bitnami
condition: yonoteDatabase.enabled
alias: yonoteDatabase
- name: redis
version: "16.12.1"
repository: https://charts.bitnami.com/bitnami
condition: yonote-redis.enabled
alias: yonote-redis
- name: minio
version: "12.7.0"
repository: https://charts.bitnami.com/bitnami
condition: minio.enabled
alias: minio
- name: keycloak
version: "14.0.0"
repository: https://charts.bitnami.com/bitnami
condition: keycloak.enabled
alias: keycloak

View File

@ -0,0 +1,45 @@
global:
yonote:
config:
secret:
stringData:
DATABASE_URL: 'postgres://{{ .Values.yonoteDatabase.global.postgresql.auth.username }}:{{ .Values.yonoteDatabase.global.postgresql.auth.password }}@yonote-database:5432/{{ .Values.yonoteDatabase.global.postgresql.auth.database }}'
POSTGRES_PASSWORD: "{{ .Values.yonoteDatabase.global.postgresql.auth.password }}"
AWS_ACCESS_KEY_ID: "{{ .Values.minio.auth.rootUser }}" # Ваш идентификатор ключа доступа к AWS. Поведение в SelfHosted: устанавливает логин сервис аккаунта для доступа приложения к Minio S3 хранилищу
AWS_SECRET_ACCESS_KEY: "{{ .Values.minio.auth.rootPassword }}" # Ваш секретный ключ доступа AWS. Поведение в SelfHosted: устанавливает пароль сервис аккаунта для доступа приложения к Minio S3 хранилищу
OIDC_CLIENT_SECRET: "Kdq8rk5Pv5RW1c5kHXpnyfrmMRzI9xSD" # Секретный ключ клиента для аутентификации по OpenID Connect (OIDC).
SECRET_KEY: "659a8881b186198c3146e316f6dab67df25496534d1fa156d624b037260df688" # Сгенерируйте 32-байтовый случайный ключ в шестнадцатеричном коде. Вам следует использовать `openssl rand -hex 32` в вашем терминале для генерации случайного значения.
SMTP_PASSWORD: "1234"
UTILS_SECRET: "7bd5e9ac4415dd0dbf6b7721e2a21e9427b268cd0140c7516d13dece5024d479" # Сгенерируйте уникальный случайный ключ. Формат не важен, но вы все равно можете использовать`openssl rand -hex 32` в вашем терминале, чтобы создать это.
TELEGRAM_BOT_TOKEN: "1234"
UNSPLASH_API_ACCESS_KEY: "a-yGo6HpRP6jNfravx4Bz-oiPrRnH_5-24Xa9ZPlePE"
LICENSE_KEY: "qwerty-123456-zxcvb" # Обратитесь в отдел продаж для получения
SERVICE_WORKER_PUBLIC_KEY: "1234"
SERVICE_WORKER_PRIVATE_KEY: "1234"
# Генерация ключей (web-push) Service Worker
# 1) Установить Node.js и npm
# 2) Выполнить команду для генерации ключей
# npx web-push generate-vapid-keys
# 3) Полученные значения ввести в .env файл (SERVICE_WORKER_PUBLIC_KEY, SERVICE_WORKER_PRIVATE_KEY)
yonoteDatabase:
global:
postgresql:
auth:
password: "wsGZ6kXhr5"
postgresPassword: "QQYw4UjOU"
# yonote-redis: # Если используете пароль для redis
# auth:
# password: "12345678"
minio:
auth:
rootPassword: "12345678"
keycloak:
auth:
adminPassword: "root"
postgresql:
auth:
password: "tT9BqYdNyd"

View File

@ -29,7 +29,7 @@ spec:
{
"token": "$(UTILS_SECRET)"
}
'
'
restartPolicy: OnFailure
{{- end }}
---
@ -64,6 +64,6 @@ spec:
{
"token":"$(UTILS_SECRET)", "limit":"200"
}
'
'
restartPolicy: OnFailure
{{- end }}

View File

@ -0,0 +1,34 @@
{{- if .Values.ingress.enabled }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .Values.ingress.name }}
namespace: {{ .Values.ingress.namespace }}
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: "{{ $value }}"
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.ingressClassName }}
tls:
- secretName: "{{ .Values.ingress.tls.secretName }}"
hosts:
{{- range .Values.ingress.tls.hosts }}
- "{{ . }}"
{{- end }}
rules:
{{- range .Values.ingress.rules }}
- host: "{{ .host }}"
http:
paths:
{{- range .paths }}
- path: {{ .path }}
pathType: {{ .pathType }}
backend:
service:
name: {{ .service.name }}
port:
number: {{ .service.port | int }}
{{- end }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,39 @@
{{- if .Values.mcJob.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: yonote-minio-mc-job
labels:
app: yonote-minio
spec:
template:
metadata:
labels:
app: yonote-minio
spec:
containers:
- name: mc-client
image: "docker.io/bitnami/minio-client:2024.8.13-debian-12-r0"
command: ["/bin/sh", "-c"]
args:
- |
until mc alias set myminio http://yonote-minio:9000 {{ .Values.minio.auth.rootUser }} {{ .Values.minio.auth.rootPassword }}; do
echo "Waiting for MinIO to be ready..."
sleep 5
done
if ! mc ls myminio/yonote-bucket; then
mc mb myminio/yonote-bucket
else
echo "Bucket yonote-bucket already exists."
fi
resources:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "256Mi"
cpu: "200m"
restartPolicy: OnFailure
backoffLimit: 5
ttlSecondsAfterFinished: 100
{{- end }}

View File

@ -0,0 +1,169 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: realm-export
data:
realm-export.json: |
{
"realm": "yonote",
"enabled": true,
"notBefore": 1647809856,
"defaultSignatureAlgorithm": "RS256",
"revokeRefreshToken": false,
"refreshTokenMaxReuse": 0,
"accessTokenLifespan": 300,
"accessTokenLifespanForImplicitFlow": 900,
"ssoSessionIdleTimeout": 1800,
"ssoSessionMaxLifespan": 36000,
"ssoSessionIdleTimeoutRememberMe": 0,
"ssoSessionMaxLifespanRememberMe": 0,
"offlineSessionIdleTimeout": 2592000,
"offlineSessionMaxLifespanEnabled": false,
"offlineSessionMaxLifespan": 5184000,
"clientSessionIdleTimeout": 0,
"clientSessionMaxLifespan": 0,
"clientOfflineSessionIdleTimeout": 0,
"clientOfflineSessionMaxLifespan": 0,
"accessCodeLifespan": 60,
"accessCodeLifespanUserAction": 300,
"accessCodeLifespanLogin": 1800,
"actionTokenGeneratedByAdminLifespan": 43200,
"actionTokenGeneratedByUserLifespan": 300,
"oauth2DeviceCodeLifespan": 600,
"oauth2DevicePollingInterval": 5,
"sslRequired": "external",
"registrationAllowed": true,
"registrationEmailAsUsername": true,
"rememberMe": true,
"verifyEmail": false,
"loginWithEmailAllowed": true,
"duplicateEmailsAllowed": false,
"resetPasswordAllowed": true,
"editUsernameAllowed": false,
"bruteForceProtected": false,
"permanentLockout": false,
"maxFailureWaitSeconds": 900,
"minimumQuickLoginWaitSeconds": 60,
"waitIncrementSeconds": 60,
"quickLoginCheckMilliSeconds": 1000,
"maxDeltaTimeSeconds": 43200,
"failureFactor": 30,
"clients": [
{
"clientId": "{{ .Values.global.yonote.config.plain.data.OIDC_CLIENT_ID }}",
"secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}",
"redirectUris": [
"https://*.{{ .Values.global.yonote.baseListenAddress }}/*",
"http://*.{{ .Values.global.yonote.baseListenAddress }}/*",
"http://app.{{ .Values.global.yonote.baseListenAddress }}/*",
"https://app.{{ .Values.global.yonote.baseListenAddress }}/*",
"https://app.{{ .Values.global.yonote.baseListenAddress }}/auth/oidc.callback/*"
],
"baseUrl": "https://app.{{ .Values.global.yonote.baseListenAddress }}",
"enabled": true,
"publicClient": false,
"protocol": "openid-connect",
"attributes": {
"client.secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}",
"display.on.consent.screen": "true"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": false,
"protocolMappers": [
{
"name": "oidc-display-name",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}",
"jsonType.label": "String"
}
}
],
"defaultClientScopes": ["openid", "email"]
}
],
"identityProviders": [],
"internationalizationEnabled": true,
"clientScopes": [
{
"name": "openid",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "true",
"consent.screen.text": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}"
},
"protocolMappers": []
},
{
"name": "email",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "true"
},
"protocolMappers": [
{
"id": "56fe6d23-690a-465c-bc36-99bff8fef6eb",
"name": "email verified",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "emailVerified",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "email_verified",
"jsonType.label": "boolean"
}
},
{
"id": "2c6acd0e-b776-48f5-9c3b-7bfdbbe712dc",
"name": "email",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "email",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "email",
"jsonType.label": "String"
}
}
]
}
],
"browserSecurityHeaders": {
"contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"
},
"webAuthnPolicyRpEntityName": "keycloak",
"webAuthnPolicySignatureAlgorithms": ["ES256"],
"webAuthnPolicyRpId": "",
"webAuthnPolicyAttestationConveyancePreference": "not specified",
"webAuthnPolicyAuthenticatorAttachment": "not specified",
"webAuthnPolicyRequireResidentKey": "not specified",
"webAuthnPolicyUserVerificationRequirement": "not specified",
"webAuthnPolicyCreateTimeout": 0,
"webAuthnPolicyAvoidSameAuthenticatorRegister": false,
"webAuthnPolicyAcceptableAaguids": [],
"webAuthnPolicyPasswordlessRpEntityName": "keycloak",
"webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"],
"webAuthnPolicyPasswordlessRpId": "",
"webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
"webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
"webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
"webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
"webAuthnPolicyPasswordlessCreateTimeout": 0,
"webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
"webAuthnPolicyPasswordlessAcceptableAaguids": [],
"smtpServer": {}
}

View File

@ -0,0 +1,390 @@
global:
name: yonote-app
yonote:
dbMigrationEnv: production-ssl-disabled # Режим подключения к базе данных при выполнении миграций. При использовании SSL подключения, установите значение `production`
baseListenAddress: example.com # Доменный адрес для yonote
config:
plain:
data:
DEPLOYMENT: hosted
NODE_ENV: production
FORCE_HTTPS: "false"
PGSSLMODE: disable # Отключает SSL подключение к базе данных. Уберите эту строку, если вы используете SSL подключение к PostgreSQL
BIND_HOST: 0.0.0.0 # Хост по умолчанию
PORT: "3000" # Порт по умолчанию
REDIS_URL: redis://yonote-redis-master:6379
DEFAULT_LANGUAGE: ru_RU # Язык по умолчанию
ENABLE_UPDATES: "false"
AI_URL: "1234"
AI_API_KEY: "1234"
WEB_CONCURRENCY: "1"
URL: 'https://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения
COLLABORATION_URL: 'wss://app.{{ .Values.global.yonote.baseListenAddress }}' # Cервер, для нормальной работы это не нужно устанавливать
OIDC_DISPLAY_NAME: email
OIDC_SCOPES: openid email
OIDC_CLIENT_ID: yonote
OIDC_AUTH_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/auth' # URL для авторизации пользователей через OpenID Connect (OIDC). Пользователь перенаправляется на этот адрес для входа в систему.
OIDC_LOGOUT_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/logout' # URL для выхода из системы через OIDC. Пользователь перенаправляется на этот адрес для завершения сессии и выхода.
OIDC_TOKEN_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/token' # URL для получения токенов доступа и обновления. Этот адрес используется для обмена авторизационным кодом на токены
OIDC_USERINFO_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/userinfo' # URL для получения информации о пользователе. Используется для получения данных профиля пользователя на основе его токена.
AWS_S3_ACL: private
AWS_S3_UPLOAD_BUCKET_URL: yonote-minio:9000 # Адрес S3 хранилища
AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket # Имя хранилища
AWS_REGION: "ru_RU"
AWS_S3_UPLOAD_MAX_SIZE: "226214400" # Максимальный размер хранилища
AWS_S3_FORCE_PATH_STYLE: "false" # Следует ли принудительно использовать URL-адреса стиля пути для объектов S3
S3_PROXY_ENABLED: "false" # Включает или выключает проксирование загрузки/выгрузки файлов на S3 через бэкенд, принимает boolean
S3_MULTIPART_PART_SIZE: "1000" # Настройка размера частей для multipart загрузки на S3 хранилище, принимает число, по умолчанию 1000 (1GB), значение в мегабайтах.
SUBDOMAINS_ENABLED: "true" # Поддержка поддоменов для команд
BASENAME_FOR_SUBDOMAIN: '{{ .Values.global.yonote.baseListenAddress }}' # Имя хоста
NOT_ALLOWED_SUBDOMAINS: app,collaboration,auth,api,dev,docs,doc,admin,test,quota,billing,i,storage,host,updates # Запрещенные поддомены
TELEGRAM_API_URL: https://api.telegram.org
UNSPLASH_API_BASENAME: https://api.unsplash.com
RESERVED_SUBDOMAINS: about,account,admin,advertising,api,app,assets,archive,beta,billing,blog,cache,cdn,code,community,dashboard,developer,developers,forum,help,home,http,https,imap,localhost,mail,marketing,mobile,multiplayer,new,news,newsletter,ns1,ns2,ns3,ns4,password,profile,realtime,sandbox,script,scripts,setup,signin,signup,site,smtp,support,status,static,stats,test,update,updates,ws,wss,web,websockets,www,www1,www2,www3,www4
SMTP_HOST: ""
SMTP_USERNAME: ""
SMTP_FROM_EMAIL: ""
SMTP_REPLY_EMAIL: ""
SMTP_PORT: ""
SMTP_SECURE: "" # connection will be upgraded: https://nodemailer.com/smtp/
SMTP_REQUIRE_TLS: ""
yonote_cron_calendar_events:
cron_enabled: "true"
url: http://yonote-web/api/cron.calendar_events
yonote_cron_task_scheduler:
cron_enabled: "true"
url: http://yonote-web/api/cron.schedule
yonote-web:
fullnameOverride: yonote-web
nameOverride: yonote-web
name: web
image:
registry: images.updates.yonote.ru
repository: yonote
tag: 1.19.5
pullPolicy: IfNotPresent
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: 250m
memory: 256Mi
ingress:
enabled: true
name: yonote-ingress
namespace: yonote-onprem
ingressClassName: nginx
tls:
- secretName: "you_tls_secret"
hosts:
- "app.example.com"
- "team.example.com"
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/server-snippets: |
location /realtime {
proxy_set_header Upgrade $http_upgrade;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header Connection "upgrade";
proxy_cache_bypass $http_upgrade;
}
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Host $http_host";
more_set_headers "X-Real-IP $remote_addr";
more_set_headers "X-Forwarded-Proto $scheme";
more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for";
cert-manager.io/cluster-issuer: ""
rules:
- host: "app.example.com"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: yonote-web
port:
number: 80
- path: /realtime
pathType: Prefix
backend:
service:
name: yonote-websockets
port:
number: 80
- path: /whiteboard
pathType: Prefix
backend:
service:
name: yonote-whiteboard
port:
number: 80
- path: /collaboration
pathType: Prefix
backend:
service:
name: yonote-collaboration
port:
number: 80
- host: "team.example.com"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: yonote-web
port:
number: 80
- path: /realtime
pathType: Prefix
backend:
service:
name: yonote-websockets
port:
number: 80
- path: /whiteboard
pathType: Prefix
backend:
service:
name: yonote-whiteboard
port:
number: 80
- path: /collaboration
pathType: Prefix
backend:
service:
name: yonote-collaboration
port:
number: 80
containerPorts:
- containerPort: 3000
name: app
protocol: TCP
service:
type: ClusterIP
port: 80
targetPort: app
envFrom:
- configMapRef:
name: yonote-configs
- secretRef:
name: yonote-secrets
podLabels:
redis-client: 'true'
podAnnotations:
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
readinessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
livenessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
yonoteDatabase:
enabled: true
global:
postgresql:
auth:
database: "yonote"
username: "yonote"
name: yonote-database
fullnameOverride: yonote-database
nameOverride: yonote-database
primary:
persistence:
size: 500Mi
resources:
limits:
cpu: 250m
memory: 512Mi
requests:
cpu: 50m
memory: 256Mi
yonote-redis:
enabled: true
fullnameOverride: yonote-redis
nameOverride: redis
architecture: standalone
auth:
enabled: false
master:
persistence:
size: 200Mi
resources:
limits:
cpu: 250m
memory: 256Mi
requests:
cpu: 50m
memory: 128Mi
minio:
enabled: true
name: minio
fullnameOverride: yonote-minio
nameOverride: yonote-minio
auth:
rootUser: admin
persistence:
enabled: true
size: 500Mi
ingress:
enabled: true
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Host $http_host";
more_set_headers "X-Real-IP $remote_addr";
more_set_headers "X-Forwarded-Proto $scheme";
more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for";
hosts:
- host: s3.example.com
paths:
- path: /
pathType: ImplementationSpecific
resources:
requests:
memory: 512Mi
cpu: 250m
limits:
memory: 1Gi
cpu: 500m
buckets:
- name: yonote-bucket
policy: none
mcJob:
enabled: true
keycloak:
auth:
adminUser: root
fullnameOverride: yonote-keycloak
nameOverride: yonote-keycloak
command:
- /bin/bash
- -c
- |
/opt/bitnami/keycloak/bin/kc.sh import --file=/opt/bitnami/keycloak/data/import/realm-export.json && \
/opt/bitnami/keycloak/bin/kc.sh start-dev
extraEnvVars:
- name: KC_DB_PASSWORD
value: "tT9BqYdNyd"
- name: KEYCLOAK_PRODUCTION
value: "true"
- name: KC_HOSTNAME_URL
value: "https://auth.example.com"
- name: KC_HOSTNAME_ADMIN_URL
value: "https://auth.example.com"
extraVolumes:
- name: realm-export
configMap:
name: realm-export
extraVolumeMounts:
- name: realm-export
mountPath: /opt/bitnami/keycloak/data/import/realm-export.json
subPath: realm-export.json
ingress:
enabled: true
hostname: auth.example.com
ingressClassName: traefik
tls: true
annotations:
kubernetes.io/ingress.class: traefik
# cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете
extraTls:
- hosts:
- "auth.example.com"
secretName: "you_tls_secret"
rules:
- host: "auth.example.com"
paths:
- path: /
pathType: Prefix
service:
name: yonote-keycloak
port: http
- path: /admin
pathType: Prefix
service:
name: yonote-keycloak
port: http
proxy: "edge"
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 150m
memory: 128Mi
postgresql:
enabled: true
auth:
database: keycloak
username: keycloak
name: keycloak-database
fullnameOverride: keycloak-database
nameOverride: keycloak-database
primary:
persistence:
size: 512Mi

View File

@ -20,4 +20,4 @@
.project
.idea/
*.tmproj
.vscode/
.vscode/

View File

@ -18,7 +18,13 @@ dependencies:
repository: https://charts.bitnami.com/bitnami
version: 11.6.6
- name: redis
repository: https://artifacts.wilix.dev/repository/helm-bitnami
repository: https://charts.bitnami.com/bitnami
version: 16.12.1
digest: sha256:b235eee18e9704d2eccffe52ea8a37d5431039378ae03ef2e2b738661f2a5711
generated: "2024-07-11T17:41:36.715623176+03:00"
- name: minio
repository: https://charts.bitnami.com/bitnami
version: 12.7.0
- name: keycloak
repository: https://charts.bitnami.com/bitnami
version: 14.0.0
digest: sha256:928723e189de54fafe19316743b8f9d08d7c74f9728b0c4afb1f5cd3ee1e83dc
generated: "2024-08-25T00:46:01.648512702+03:00"

View File

@ -1,6 +1,13 @@
apiVersion: v2
name: yonote-chart
version: 1.2.0
description:
Generic application Helm chart.
This chart includes multiple dependencies. The base of this chart is derived from the Dynix app chart.
maintainers:
- name: Dysnix
email: support@dysnix.com
url: https://github.com/dysnix/charts/tree/main/dysnix/app
dependencies:
- name: app
@ -31,11 +38,23 @@ dependencies:
- name: postgresql
version: "11.6.6"
repository: https://charts.bitnami.com/bitnami
condition: yonote-database.enabled
alias: yonote-database
condition: yonoteDatabase.enabled
alias: yonoteDatabase
- name: redis
version: "16.12.1"
repository: https://charts.bitnami.com/bitnami
condition: yonote-redis.enabled
alias: yonote-redis
- name: minio
version: "12.7.0"
repository: https://charts.bitnami.com/bitnami
condition: minio.enabled
alias: minio
- name: keycloak
version: "14.0.0"
repository: https://charts.bitnami.com/bitnami
condition: keycloak.enabled
alias: keycloak

View File

@ -0,0 +1,45 @@
global:
yonote:
config:
secret:
stringData:
DATABASE_URL: 'postgres://{{ .Values.yonoteDatabase.global.postgresql.auth.username }}:{{ .Values.yonoteDatabase.global.postgresql.auth.password }}@yonote-database:5432/{{ .Values.yonoteDatabase.global.postgresql.auth.database }}'
POSTGRES_PASSWORD: "{{ .Values.yonoteDatabase.global.postgresql.auth.password }}"
AWS_ACCESS_KEY_ID: "{{ .Values.minio.auth.rootUser }}" # Ваш идентификатор ключа доступа к AWS. Поведение в SelfHosted: устанавливает логин сервис аккаунта для доступа приложения к Minio S3 хранилищу
AWS_SECRET_ACCESS_KEY: "{{ .Values.minio.auth.rootPassword }}" # Ваш секретный ключ доступа AWS. Поведение в SelfHosted: устанавливает пароль сервис аккаунта для доступа приложения к Minio S3 хранилищу
OIDC_CLIENT_SECRET: "Kdq8rk5Pv5RW1c5kHXpnyfrmMRzI9xSD" # Секретный ключ клиента для аутентификации по OpenID Connect (OIDC).
SECRET_KEY: "659a8881b186198c3146e316f6dab67df25496534d1fa156d624b037260df688" # Сгенерируйте 32-байтовый случайный ключ в шестнадцатеричном коде. Вам следует использовать `openssl rand -hex 32` в вашем терминале для генерации случайного значения.
SMTP_PASSWORD: "1234"
UTILS_SECRET: "7bd5e9ac4415dd0dbf6b7721e2a21e9427b268cd0140c7516d13dece5024d479" # Сгенерируйте уникальный случайный ключ. Формат не важен, но вы все равно можете использовать`openssl rand -hex 32` в вашем терминале, чтобы создать это.
TELEGRAM_BOT_TOKEN: "1234"
UNSPLASH_API_ACCESS_KEY: "a-yGo6HpRP6jNfravx4Bz-oiPrRnH_5-24Xa9ZPlePE"
LICENSE_KEY: "qwerty-123456-zxcvb" # Обратитесь в отдел продаж для получения
SERVICE_WORKER_PUBLIC_KEY: "1234"
SERVICE_WORKER_PRIVATE_KEY: "1234"
# Генерация ключей (web-push) Service Worker
# 1) Установить Node.js и npm
# 2) Выполнить команду для генерации ключей
# npx web-push generate-vapid-keys
# 3) Полученные значения ввести в .env файл (SERVICE_WORKER_PUBLIC_KEY, SERVICE_WORKER_PRIVATE_KEY)
yonoteDatabase:
global:
postgresql:
auth:
password: "wsGZ6kXhr5"
postgresPassword: "QQYw4UjOU"
# yonote-redis: # Если используете пароль для redis
# auth:
# password: "12345678"
minio:
auth:
rootPassword: "12345678"
keycloak:
auth:
adminPassword: "root"
postgresql:
auth:
password: "tT9BqYdNyd"

View File

@ -0,0 +1,10 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: yonote-configs
labels:
{{- include "common.labels.standard" $ | nindent 4 }}
{{- with .Values.global.yonote.config.plain.data }}
data:
{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 2 }}
{{- end }}

View File

@ -0,0 +1,69 @@
{{- if eq ($.Values.global.yonote_cron_calendar_events.cron_enabled | toString) "true" }}
apiVersion: batch/v1
kind: CronJob
metadata:
name: cron-calendar-events
spec:
schedule: "*/1 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: cron-calendar-events
image: curlimages/curl
imagePullPolicy: IfNotPresent
envFrom:
- secretRef:
name: yonote-secrets
command:
- /bin/sh
- -c
- >-
date;
curl
-X POST
{{ .Values.global.yonote_cron_calendar_events.url }}
-H "Content-Type: application/json"
-d '
{
"token": "$(UTILS_SECRET)"
}
'
restartPolicy: OnFailure
{{- end }}
---
{{- if eq ($.Values.global.yonote_cron_task_scheduler.cron_enabled | toString) "true" }}
apiVersion: batch/v1
kind: CronJob
metadata:
name: cron-task-scheduler
spec:
schedule: "0 */1 * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: cron-task-scheduler
image: curlimages/curl
imagePullPolicy: IfNotPresent
envFrom:
- secretRef:
name: yonote-secrets
command:
- /bin/sh
- -c
- >-
date;
curl
-X POST
{{ .Values.global.yonote_cron_task_scheduler.url }}
-H "Content-Type: application/json"
-d '
{
"token":"$(UTILS_SECRET)", "limit":"200"
}
'
restartPolicy: OnFailure
{{- end }}

View File

@ -0,0 +1,34 @@
{{- if .Values.ingress.enabled }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .Values.ingress.name }}
namespace: {{ .Values.ingress.namespace }}
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: "{{ $value }}"
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.ingressClassName }}
tls:
- secretName: "{{ .Values.ingress.tls.secretName }}"
hosts:
{{- range .Values.ingress.tls.hosts }}
- "{{ . }}"
{{- end }}
rules:
{{- range .Values.ingress.rules }}
- host: "{{ .host }}"
http:
paths:
{{- range .paths }}
- path: {{ .path }}
pathType: {{ .pathType }}
backend:
service:
name: {{ .service.name }}
port:
number: {{ .service.port | int }}
{{- end }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,39 @@
{{- if .Values.mcJob.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: yonote-minio-mc-job
labels:
app: yonote-minio
spec:
template:
metadata:
labels:
app: yonote-minio
spec:
containers:
- name: mc-client
image: "docker.io/bitnami/minio-client:2024.8.13-debian-12-r0"
command: ["/bin/sh", "-c"]
args:
- |
until mc alias set myminio http://yonote-minio:9000 {{ .Values.minio.auth.rootUser }} {{ .Values.minio.auth.rootPassword }}; do
echo "Waiting for MinIO to be ready..."
sleep 5
done
if ! mc ls myminio/yonote-bucket; then
mc mb myminio/yonote-bucket
else
echo "Bucket yonote-bucket already exists."
fi
resources:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "256Mi"
cpu: "200m"
restartPolicy: OnFailure
backoffLimit: 5
ttlSecondsAfterFinished: 100
{{- end }}

View File

@ -0,0 +1,169 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: realm-export
data:
realm-export.json: |
{
"realm": "yonote",
"enabled": true,
"notBefore": 1647809856,
"defaultSignatureAlgorithm": "RS256",
"revokeRefreshToken": false,
"refreshTokenMaxReuse": 0,
"accessTokenLifespan": 300,
"accessTokenLifespanForImplicitFlow": 900,
"ssoSessionIdleTimeout": 1800,
"ssoSessionMaxLifespan": 36000,
"ssoSessionIdleTimeoutRememberMe": 0,
"ssoSessionMaxLifespanRememberMe": 0,
"offlineSessionIdleTimeout": 2592000,
"offlineSessionMaxLifespanEnabled": false,
"offlineSessionMaxLifespan": 5184000,
"clientSessionIdleTimeout": 0,
"clientSessionMaxLifespan": 0,
"clientOfflineSessionIdleTimeout": 0,
"clientOfflineSessionMaxLifespan": 0,
"accessCodeLifespan": 60,
"accessCodeLifespanUserAction": 300,
"accessCodeLifespanLogin": 1800,
"actionTokenGeneratedByAdminLifespan": 43200,
"actionTokenGeneratedByUserLifespan": 300,
"oauth2DeviceCodeLifespan": 600,
"oauth2DevicePollingInterval": 5,
"sslRequired": "external",
"registrationAllowed": true,
"registrationEmailAsUsername": true,
"rememberMe": true,
"verifyEmail": false,
"loginWithEmailAllowed": true,
"duplicateEmailsAllowed": false,
"resetPasswordAllowed": true,
"editUsernameAllowed": false,
"bruteForceProtected": false,
"permanentLockout": false,
"maxFailureWaitSeconds": 900,
"minimumQuickLoginWaitSeconds": 60,
"waitIncrementSeconds": 60,
"quickLoginCheckMilliSeconds": 1000,
"maxDeltaTimeSeconds": 43200,
"failureFactor": 30,
"clients": [
{
"clientId": "{{ .Values.global.yonote.config.plain.data.OIDC_CLIENT_ID }}",
"secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}",
"redirectUris": [
"https://*.{{ .Values.global.yonote.baseListenAddress }}/*",
"http://*.{{ .Values.global.yonote.baseListenAddress }}/*",
"http://app.{{ .Values.global.yonote.baseListenAddress }}/*",
"https://app.{{ .Values.global.yonote.baseListenAddress }}/*",
"https://app.{{ .Values.global.yonote.baseListenAddress }}/auth/oidc.callback/*"
],
"baseUrl": "https://app.{{ .Values.global.yonote.baseListenAddress }}",
"enabled": true,
"publicClient": false,
"protocol": "openid-connect",
"attributes": {
"client.secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}",
"display.on.consent.screen": "true"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": false,
"protocolMappers": [
{
"name": "oidc-display-name",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}",
"jsonType.label": "String"
}
}
],
"defaultClientScopes": ["openid", "email"]
}
],
"identityProviders": [],
"internationalizationEnabled": true,
"clientScopes": [
{
"name": "openid",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "true",
"consent.screen.text": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}"
},
"protocolMappers": []
},
{
"name": "email",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "true"
},
"protocolMappers": [
{
"id": "56fe6d23-690a-465c-bc36-99bff8fef6eb",
"name": "email verified",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "emailVerified",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "email_verified",
"jsonType.label": "boolean"
}
},
{
"id": "2c6acd0e-b776-48f5-9c3b-7bfdbbe712dc",
"name": "email",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "email",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "email",
"jsonType.label": "String"
}
}
]
}
],
"browserSecurityHeaders": {
"contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"
},
"webAuthnPolicyRpEntityName": "keycloak",
"webAuthnPolicySignatureAlgorithms": ["ES256"],
"webAuthnPolicyRpId": "",
"webAuthnPolicyAttestationConveyancePreference": "not specified",
"webAuthnPolicyAuthenticatorAttachment": "not specified",
"webAuthnPolicyRequireResidentKey": "not specified",
"webAuthnPolicyUserVerificationRequirement": "not specified",
"webAuthnPolicyCreateTimeout": 0,
"webAuthnPolicyAvoidSameAuthenticatorRegister": false,
"webAuthnPolicyAcceptableAaguids": [],
"webAuthnPolicyPasswordlessRpEntityName": "keycloak",
"webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"],
"webAuthnPolicyPasswordlessRpId": "",
"webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
"webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
"webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
"webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
"webAuthnPolicyPasswordlessCreateTimeout": 0,
"webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
"webAuthnPolicyPasswordlessAcceptableAaguids": [],
"smtpServer": {}
}

View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: Secret
metadata:
name: yonote-secrets
labels:
{{- include "common.labels.standard" $ | nindent 4 }}
type: Opaque
{{- with .Values.global.yonote.config.secret.data }}
data:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.global.yonote.config.secret.stringData }}
stringData: {{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 2 }}
{{- end }}

View File

@ -0,0 +1,652 @@
global:
name: yonote-app
yonote:
dbMigrationEnv: production-ssl-disabled # Режим подключения к базе данных при выполнении миграций. При использовании SSL подключения, установите значение `production`
baseListenAddress: example.com # Доменный адрес для yonote
config:
plain:
data:
DEPLOYMENT: hosted
NODE_ENV: production
FORCE_HTTPS: "false"
PGSSLMODE: disable # Отключает SSL подключение к базе данных. Уберите эту строку, если вы используете SSL подключение к PostgreSQL
BIND_HOST: 0.0.0.0 # Хост по умолчанию
PORT: "3000" # Порт по умолчанию
REDIS_URL: redis://yonote-redis-master:6379
DEFAULT_LANGUAGE: ru_RU # Язык по умолчанию
ENABLE_UPDATES: "false"
AI_URL: "1234"
AI_API_KEY: "1234"
WEB_CONCURRENCY: "1"
URL: 'https://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения
COLLABORATION_URL: 'wss://app.{{ .Values.global.yonote.baseListenAddress }}' # Cервер, для нормальной работы это не нужно устанавливать
OIDC_DISPLAY_NAME: email
OIDC_SCOPES: openid email
OIDC_CLIENT_ID: yonote
OIDC_AUTH_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/auth' # URL для авторизации пользователей через OpenID Connect (OIDC). Пользователь перенаправляется на этот адрес для входа в систему.
OIDC_LOGOUT_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/logout' # URL для выхода из системы через OIDC. Пользователь перенаправляется на этот адрес для завершения сессии и выхода.
OIDC_TOKEN_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/token' # URL для получения токенов доступа и обновления. Этот адрес используется для обмена авторизационным кодом на токены
OIDC_USERINFO_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/userinfo' # URL для получения информации о пользователе. Используется для получения данных профиля пользователя на основе его токена.
AWS_S3_ACL: private
AWS_S3_UPLOAD_BUCKET_URL: yonote-minio:9000 # Адрес S3 хранилища
AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket # Имя хранилища
AWS_REGION: "RU"
AWS_S3_UPLOAD_MAX_SIZE: "226214400" # Максимальный размер хранилища
AWS_S3_FORCE_PATH_STYLE: "false" # Следует ли принудительно использовать URL-адреса стиля пути для объектов S3
S3_PROXY_ENABLED: "false" # Включает или выключает проксирование загрузки/выгрузки файлов на S3 через бэкенд, принимает boolean
S3_MULTIPART_PART_SIZE: "1000" # Настройка размера частей для multipart загрузки на S3 хранилище, принимает число, по умолчанию 1000 (1GB), значение в мегабайтах.
SUBDOMAINS_ENABLED: "true" # Поддержка поддоменов для команд
BASENAME_FOR_SUBDOMAIN: '{{ .Values.global.yonote.baseListenAddress }}' # Имя хоста
NOT_ALLOWED_SUBDOMAINS: app,collaboration,auth,api,dev,docs,doc,admin,test,quota,billing,i,storage,host,updates # Запрещенные поддомены
TELEGRAM_API_URL: https://api.telegram.org
UNSPLASH_API_BASENAME: https://api.unsplash.com
RESERVED_SUBDOMAINS: about,account,admin,advertising,api,app,assets,archive,beta,billing,blog,cache,cdn,code,community,dashboard,developer,developers,forum,help,home,http,https,imap,localhost,mail,marketing,mobile,multiplayer,new,news,newsletter,ns1,ns2,ns3,ns4,password,profile,realtime,sandbox,script,scripts,setup,signin,signup,site,smtp,support,status,static,stats,test,update,updates,ws,wss,web,websockets,www,www1,www2,www3,www4
SMTP_HOST: ""
SMTP_USERNAME: ""
SMTP_FROM_EMAIL: ""
SMTP_REPLY_EMAIL: ""
SMTP_PORT: ""
SMTP_SECURE: "" # connection will be upgraded: https://nodemailer.com/smtp/
SMTP_REQUIRE_TLS: ""
yonote_cron_calendar_events:
cron_enabled: "true"
url: http://yonote-web/api/cron.calendar_events
yonote_cron_task_scheduler:
cron_enabled: "true"
url: http://yonote-web/api/cron.schedule
ingress:
enabled: true
name: yonote-ingress
namespace: yonote-onprem
ingressClassName: traefik
tls:
secretName: "you_tls_secret"
hosts:
- "app.example.com"
- "team.example.com"
rules:
- host: "app.example.com"
paths:
- path: /
pathType: Prefix
service:
name: yonote-web
port: 80
- path: /realtime
pathType: Prefix
service:
name: yonote-websockets
port: 80
- path: /whiteboard
pathType: Prefix
service:
name: yonote-whiteboard
port: 80
- path: /collaboration
pathType: Prefix
service:
name: yonote-collaboration
port: 80
- host: "team.example.com"
paths:
- path: /
pathType: Prefix
service:
name: yonote-web
port: 80
- path: /realtime
pathType: Prefix
service:
name: yonote-websockets
port: 80
- path: /whiteboard
pathType: Prefix
service:
name: yonote-whiteboard
port: 80
- path: /collaboration
pathType: Prefix
service:
name: yonote-collaboration
port: 80
annotations:
# cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете
yonote-web:
fullnameOverride: yonote-web
nameOverride: yonote-web
name: web
image:
registry: images.updates.yonote.ru
repository: yonote
tag: 1.19.8
pullPolicy: IfNotPresent
command: ["/bin/sh", "-c"]
args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=web']
initContainers:
- name: yonote-migration
image: images.updates.yonote.ru/yonote:1.19.8
imagePullPolicy: IfNotPresent
command:
- /bin/sh
- -c
- npx sequelize db:migrate
env:
- name: NODE_ENV
value: '{{ .Values.global.yonote.dbMigrationEnv }}' # В настройках для sequelize прописан такой env для запуска миграций без ssl
envFrom:
- configMapRef:
name: yonote-configs
- secretRef:
name: yonote-secrets
resources:
limits:
cpu: 1
memory: 1Gi
requests:
cpu: 200m
memory: 256Mi
containerPorts:
- containerPort: 3000
name: app
protocol: TCP
service:
type: ClusterIP
port: 80
targetPort: app
envFrom:
- configMapRef:
name: yonote-configs
- secretRef:
name: yonote-secrets
podLabels:
redis-client: 'true'
podAnnotations:
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
readinessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
livenessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
yonote-websocket:
fullnameOverride: yonote-websockets
nameOverride: yonote-websockets
name: websockets
image:
registry: images.updates.yonote.ru
repository: yonote
tag: 1.19.8
pullPolicy: IfNotPresent
command: ["/bin/sh", "-c"]
args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=websockets']
resources:
limits:
cpu: 500m
memory: 1Gi
requests:
cpu: 150m
memory: 128Mi
checksums: null
envFrom:
- configMapRef:
name: yonote-configs
- secretRef:
name: yonote-secrets
containerPorts:
- containerPort: 3000
name: app
protocol: TCP
service:
type: ClusterIP
port: 80
targetPort: app
podLabels:
redis-client: 'true'
podAnnotations:
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
readinessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
livenessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
yonote-whiteboard:
fullnameOverride: yonote-whiteboard
nameOverride: yonote-whiteboard
name: whiteboard
image:
registry: images.updates.yonote.ru
repository: yonote
tag: 1.19.8
pullPolicy: IfNotPresent
command: ["/bin/sh", "-c"]
args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=whiteboard']
resources:
limits:
cpu: 500m
memory: 1Gi
requests:
cpu: 150m
memory: 128Mi
checksums: null
envFrom:
- configMapRef:
name: yonote-configs
- secretRef:
name: yonote-secrets
containerPorts:
- containerPort: 3000
name: app
protocol: TCP
service:
type: ClusterIP
port: 80
targetPort: app
podLabels:
redis-client: 'true'
podAnnotations:
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
readinessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
livenessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
yonote-worker:
fullnameOverride: yonote-worker
nameOverride: yonote-worker
name: worker
image:
registry: images.updates.yonote.ru
repository: yonote
tag: 1.19.8
pullPolicy: IfNotPresent
command: ["/bin/sh", "-c"]
args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=worker']
resources:
limits:
cpu: 1
memory: 1Gi
requests:
cpu: 250m
memory: 256Mi
checksums: null
containerPorts:
- containerPort: 3000
name: app
protocol: TCP
service:
type: ClusterIP
port: 80
targetPort: app
envFrom:
- configMapRef:
name: yonote-configs
- secretRef:
name: yonote-secrets
podLabels:
redis-client: 'true'
podAnnotations:
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
readinessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
livenessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
yonote-collaboration:
fullnameOverride: yonote-collaboration
nameOverride: yonote-collaboration
name: collaboration
image:
registry: images.updates.yonote.ru
repository: yonote
tag: 1.19.8
pullPolicy: IfNotPresent
command: ["/bin/sh", "-c"]
args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=collaboration']
resources:
limits:
cpu: 500m
memory: 1Gi
requests:
cpu: 150m
memory: 128Mi
checksums: null
containerPorts:
- containerPort: 3000
name: app
protocol: TCP
service:
type: ClusterIP
port: 80
targetPort: app
envFrom:
- configMapRef:
name: yonote-configs
- secretRef:
name: yonote-secrets
podLabels:
redis-client: 'true'
podAnnotations:
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
readinessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
livenessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
yonoteDatabase:
enabled: true
global:
postgresql:
auth:
database: "yonote"
username: "yonote"
name: yonote-database
fullnameOverride: yonote-database
nameOverride: yonote-database
primary:
persistence:
size: 5Gi
resources:
limits:
cpu: 2
memory: 8Gi
requests:
cpu: 500m
memory: 512Mi
yonote-redis:
enabled: true
fullnameOverride: yonote-redis
nameOverride: redis
architecture: standalone
auth:
enabled: false
master:
persistence:
size: 5Gi
resources:
limits:
cpu: 1
memory: 4Gi
requests:
cpu: 500m
memory: 512Mi
minio:
enabled: true
name: minio
fullnameOverride: yonote-minio
nameOverride: yonote-minio
auth:
rootUser: admin
persistence:
enabled: true
size: 5Gi
ingress:
enabled: true
hostname: 's3.example.com'
ingressClassName: traefik
path: '/'
pathType: ImplementationSpecific
annotations:
kubernetes.io/ingress.class: traefik
# cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете
extraTls:
- hosts:
- "s3.example.com"
secretName: "you_tls_secret"
resources:
requests:
memory: 512Mi
cpu: 250m
limits:
memory: 2Gi
cpu: 1
mcJob:
enabled: true
keycloak:
auth:
adminUser: root
fullnameOverride: yonote-keycloak
nameOverride: yonote-keycloak
command:
- /bin/bash
- -c
- |
/opt/bitnami/keycloak/bin/kc.sh import --file=/opt/bitnami/keycloak/data/import/realm-export.json && \
/opt/bitnami/keycloak/bin/kc.sh start-dev
extraEnvVars:
- name: KC_DB_PASSWORD
value: "{{ .Values.keycloak.postgresql.auth.password }}"
- name: KEYCLOAK_PRODUCTION
value: "true"
- name: KC_HOSTNAME_URL
value: "https://auth.example.com"
- name: KC_HOSTNAME_ADMIN_URL
value: "https://auth.example.com"
extraVolumes:
- name: realm-export
configMap:
name: realm-export
extraVolumeMounts:
- name: realm-export
mountPath: /opt/bitnami/keycloak/data/import/realm-export.json
subPath: realm-export.json
ingress:
enabled: true
hostname: auth.example.com
ingressClassName: traefik
tls: true
annotations:
kubernetes.io/ingress.class: traefik
# cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете
extraTls:
- hosts:
- "auth.example.com"
secretName: "you_tls_secret"
rules:
- host: "auth.example.com"
paths:
- path: /
pathType: Prefix
service:
name: yonote-keycloak
port: http
- path: /admin
pathType: Prefix
service:
name: yonote-keycloak
port: http
proxy: "edge"
resources:
limits:
cpu: 1
memory: 1Gi
requests:
cpu: 250m
memory: 256Mi
postgresql:
enabled: true
auth:
database: keycloak
username: keycloak
name: keycloak-database
fullnameOverride: keycloak-database
nameOverride: keycloak-database
primary:
persistence:
size: 5Gi

View File

@ -1,21 +0,0 @@
global:
yonote:
config:
secret:
stringData:
AI_API_KEY:
AWS_ACCESS_KEY_ID:
AWS_SECRET_ACCESS_KEY:
OIDC_CLIENT_SECRET:
SECRET_KEY:
SMTP_PASSWORD:
UTILS_SECRET:
YANDEX_METRIKA_ID:
TELEGRAM_BOT_TOKEN:
UNSPLASH_API_ACCESS_KEY:
DATABASE_URL: "" #postgres://<username:password>@<postgresql>:5432/yonote
REDIS_URL: "" #redis://username:password>@<redis>:6379
LICENSE_KEY: ""
SERVICE_WORKER_PUBLIC_KEY: ""
SERVICE_WORKER_PRIVATE_KEY: ""
QUOTA_TOKEN:

View File

@ -1,10 +0,0 @@
{{- if eq $.Values.global.yonote.ingress.ingressClassName "traefik" }}
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirect-https
spec:
redirectScheme:
scheme: https
permanent: true
{{- end }}

View File

@ -1,10 +0,0 @@
{{- if eq $.Values.global.yonote.ingress.ingressClassName "traefik" }}
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: wss-headers
spec:
headers:
customRequestHeaders:
X-Forwarded-Proto: https
{{- end }}

View File

@ -1,506 +0,0 @@
global:
postgresql:
auth:
database: yonote
username: yonote
yonote:
ingress:
ingressClassName: traefik
dbMigrationEnv: production-ssl-disabled
keycloak:
hostName: auth.example.com
realmName: yonote
baseListenAddress: example.com
config:
plain:
data:
DEPLOYMENT: hosted
FORCE_HTTPS: "false"
PGSSLMODE: disable
BIND_HOST: 0.0.0.0
PORT: "3000"
REDIS_URL: redis://yonote-redis-master:6379
DEFAULT_LANGUAGE: ru_RU
ENABLE_UPDATES: "false"
AI_URL: http://engate.wilix.dev:5001
URL: 'http://app.{{ .Values.global.yonote.baseListenAddress }}'
COLLABORATION_URL: 'wss://app.{{ .Values.global.yonote.baseListenAddress }}'
OIDC_DISPLAY_NAME: email
OIDC_SCOPES: openid email
OIDC_CLIENT_ID: yonote
OIDC_AUTH_URI: 'http://{{ .Values.global.yonote.keycloak.hostName }}/realms/{{ .Values.global.yonote.keycloak.realmName }}/protocol/openid-connect/auth'
OIDC_LOGOUT_URI: 'http://{{ .Values.global.yonote.keycloak.hostName }}/realms/{{ .Values.global.yonote.keycloak.realmName }}/protocol/openid-connect/logout'
OIDC_TOKEN_URI: 'http://{{ .Values.global.yonote.keycloak.hostName }}/realms/{{ .Values.global.yonote.keycloak.realmName }}/protocol/openid-connect/token'
OIDC_USERINFO_URI: 'http://{{ .Values.global.yonote.keycloak.hostName }}/realms/{{ .Values.global.yonote.keycloak.realmName }}/protocol/openid-connect/userinfo'
AWS_S3_ACL: private
AWS_S3_UPLOAD_BUCKET_URL: example-url-s3
AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket
AWS_REGION: ""
AWS_S3_UPLOAD_MAX_SIZE: "226214400"
AWS_S3_FORCE_PATH_STYLE: "false"
SUBDOMAINS_ENABLED: "true"
BASENAME_FOR_SUBDOMAIN: '{{ .Values.global.yonote.baseListenAddress }}'
NOT_ALLOWED_SUBDOMAINS: app,collaboration,auth,api,dev,docs,doc,admin,test,quota,billing,i,storage,host,updates
TELEGRAM_API_URL: https://api.telegram.org
UNSPLASH_API_BASENAME: https://api.unsplash.com
RESERVED_SUBDOMAINS: about,account,admin,advertising,api,app,assets,archive,beta,billing,blog,cache,cdn,code,community,dashboard,developer,developers,forum,help,home,http,https,imap,localhost,mail,marketing,mobile,multiplayer,new,news,newsletter,ns1,ns2,ns3,ns4,password,profile,realtime,sandbox,script,scripts,setup,signin,signup,site,smtp,support,status,static,stats,test,update,updates,ws,wss,web,websockets,www,www1,www2,www3,www4
SMTP_HOST: ""
SMTP_USERNAME: ""
SMTP_FROM_EMAIL: ""
SMTP_REPLY_EMAIL: ""
SMTP_PORT: ""
SMTP_SECURE: "" #connection will be upgraded: https://nodemailer.com/smtp/
SMTP_REQUIRE_TLS: ""
secret:
stringData:
DATABASE_URL: 'postgres://{{ .Values.global.postgresql.auth.username }}:{{ .Values.global.postgresql.auth.password }}@yonote-db/{{ .Values.global.postgresql.auth.database }}'
yonote_cron_calendar_events:
cron_enabled: "true"
url: http://yonote-web/api/cron.calendar_events
yonote_cron_task_scheduler:
cron_enabled: "true"
url: http://yonote-web/api/cron.schedule
name: yonote
yonote-web:
fullnameOverride: yonote-web
nameOverride: yonote-web
name: web
image:
registry: images.updates.yonote.ru
repository: yonote
tag: 1.19.5
pullPolicy: IfNotPresent
args:
- ./build/server/index.js
- '--services=web'
initContainers:
- name: yonote-migration
image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}'
imagePullPolicy: IfNotPresent
command:
- /bin/sh
- '-c'
- npx sequelize db:migrate
env:
- name: NODE_ENV
value: '{{ .Values.global.yonote.dbMigrationEnv }}' # В настройках для sequelize прописан такой env для запуска миграций без ssl
envFrom:
- configMapRef:
name: yonote-configs
- secretRef:
name: yonote-secrets
resources:
limits:
cpu: 350m
memory: 512Mi
requests:
cpu: 200m
memory: 128Mi
containerPorts:
- containerPort: 3000
name: app
protocol: TCP
service:
type: ClusterIP
port: 80
targetPort: app
envFrom:
- configMapRef:
name: yonote-configs
- secretRef:
name: yonote-secrets
ingress:
enabled: true
hostname: '"*.yonote.example.com"'
ingressClassName: ""
path: '/'
pathType: Prefix
tls: false
podLabels:
redis-client: 'true'
podAnnotations:
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
readinessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
livenessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
yonote-websocket:
fullnameOverride: yonote-websockets
nameOverride: yonote-websockets
name: websockets
image:
registry: images.updates.yonote.ru
repository: yonote
tag: 1.19.5
pullPolicy: IfNotPresent
args:
- ./build/server/index.js
- '--services=websockets'
resources:
limits:
cpu: 250m
memory: 512Mi
requests:
cpu: 50m
memory: 128Mi
checksums: null
envFrom:
- configMapRef:
name: yonote-configs
- secretRef:
name: yonote-secrets
containerPorts:
- containerPort: 3000
name: app
protocol: TCP
service:
type: ClusterIP
port: 80
targetPort: app
ingress:
enabled: true
hostname: '"*.yonote.example.com"'
ingressClassName: ""
path: '/realtime'
pathType: Prefix
tls: false
podLabels:
redis-client: 'true'
podAnnotations:
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
readinessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
livenessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
yonote-whiteboard:
fullnameOverride: yonote-whiteboard
nameOverride: yonote-whiteboard
name: whiteboard
image:
registry: images.updates.yonote.ru
repository: yonote
tag: 1.19.5
pullPolicy: IfNotPresent
args:
- ./build/server/index.js
- '--services=whiteboard'
resources:
limits:
cpu: 250m
memory: 512Mi
requests:
cpu: 50m
memory: 128Mi
checksums: null
envFrom:
- configMapRef:
name: yonote-configs
- secretRef:
name: yonote-secrets
containerPorts:
- containerPort: 3000
name: app
protocol: TCP
service:
type: ClusterIP
port: 80
targetPort: app
ingress:
enabled: true
hostname: '"*.yonote.example.com"'
ingressClassName: ""
path: '/whiteboard'
pathType: Prefix
tls: false
podLabels:
redis-client: 'true'
podAnnotations:
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
readinessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
livenessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
yonote-worker:
fullnameOverride: yonote-worker
nameOverride: yonote-worker
name: worker
image:
registry: images.updates.yonote.ru
repository: yonote
tag: 1.19.5
pullPolicy: IfNotPresent
args:
- ./build/server/index.js
- '--services=worker'
resources:
limits:
cpu: 500m
memory: 1Gi
requests:
cpu: 250m
memory: 256Mi
checksums: null
containerPorts:
- containerPort: 3000
name: app
protocol: TCP
service:
type: ClusterIP
port: 80
targetPort: app
envFrom:
- configMapRef:
name: yonote-configs
- secretRef:
name: yonote-secrets
podLabels:
redis-client: 'true'
podAnnotations:
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
readinessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
livenessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
yonote-collaboration:
fullnameOverride: yonote-collaboration
nameOverride: yonote-collaboration
name: collaboration
image:
registry: images.updates.yonote.ru
repository: yonote
tag: 1.19.5
pullPolicy: IfNotPresent
args:
- ./build/server/index.js
- '--services=collaboration'
checksums: null
containerPorts:
- containerPort: 3000
name: app
protocol: TCP
service:
type: ClusterIP
port: 80
targetPort: app
ingress:
enabled: true
hostname: '"*.yonote.example.com"'
ingressClassName: ""
path: '/collaboration'
pathType: Prefix
tls: false
envFrom:
- configMapRef:
name: yonote-configs
- secretRef:
name: yonote-secrets
podLabels:
redis-client: 'true'
podAnnotations:
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
readinessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
livenessProbe:
enabled: true
failureThreshold: 6
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
httpGet:
path: /_health
port: app
yonote-database:
enabled: true
fullnameOverride: yonote-db
nameOverride: db
primary:
persistence:
size: 10Gi
resources:
limits:
cpu: 250m
memory: 512Mi
requests:
cpu: 50m
memory: 256Mi
yonote-redis:
enabled: true
fullnameOverride: yonote-redis
nameOverride: redis
architecture: standalone
auth:
enabled: false
master:
persistence:
size: 5Gi
resources:
limits:
cpu: 250m
memory: 256Mi
requests:
cpu: 50m
memory: 128Mi