diff --git a/yonote-chart/.helmignore b/yonote-chart/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/yonote-chart/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/yonote-chart/Chart.lock b/yonote-chart/Chart.lock
new file mode 100644
index 0000000..e151c95
--- /dev/null
+++ b/yonote-chart/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: app
+ repository: https://artifacts.wilix.dev/repository/helm-dysnix
+ version: 0.3.15
+digest: sha256:6985fbb96cac8e45b5378e68b0362afcd0d0c70457ba0c7f8f6bc861029deb5e
+generated: "2024-01-23T15:14:18.270104458+03:00"
diff --git a/yonote-chart/Chart.yaml b/yonote-chart/Chart.yaml
new file mode 100644
index 0000000..4e56d5f
--- /dev/null
+++ b/yonote-chart/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: yonote-chart
+version: 1.0.1
+
+dependencies:
+ - name: app
+ version: "0.3.15"
+ repository: https://artifacts.wilix.dev/repository/helm-dysnix
+ alias: yonote-web
diff --git a/yonote-chart/charts/app-0.3.15.tgz b/yonote-chart/charts/app-0.3.15.tgz
new file mode 100644
index 0000000..b7125eb
Binary files /dev/null and b/yonote-chart/charts/app-0.3.15.tgz differ
diff --git a/yonote-chart/secret-values.yaml b/yonote-chart/secret-values.yaml
new file mode 100644
index 0000000..908e468
--- /dev/null
+++ b/yonote-chart/secret-values.yaml
@@ -0,0 +1,17 @@
+global:
+ yonote:
+ config:
+ secret:
+ stringData:
+ AWS_ACCESS_KEY_ID: ""
+ AWS_SECRET_ACCESS_KEY: ""
+ OIDC_CLIENT_SECRET: ""
+ SECRET_KEY: ""
+ SMTP_PASSWORD: ""
+ UTILS_SECRET: ""
+ TELEGRAM_BOT_TOKEN: ""
+ DATABASE_URL: "" #postgres://@:5432/yonote
+ REDIS_URL: "" #redis://username:password>@:6379
+ LICENSE_KEY: ""
+ SERVICE_WORKER_PUBLIC_KEY: ""
+ SERVICE_WORKER_PRIVATE_KEY: ""
diff --git a/yonote-chart/templates/configmap.yaml b/yonote-chart/templates/configmap.yaml
new file mode 100644
index 0000000..52ca6f9
--- /dev/null
+++ b/yonote-chart/templates/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: yonote-configs
+ labels:
+ {{- include "common.labels.standard" $ | nindent 4 }}
+ {{- with .Values.global.yonote.config.plain.data }}
+data:
+ {{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 2 }}
+ {{- end }}
\ No newline at end of file
diff --git a/yonote-chart/templates/secret.yaml b/yonote-chart/templates/secret.yaml
new file mode 100644
index 0000000..96a343f
--- /dev/null
+++ b/yonote-chart/templates/secret.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: yonote-secrets
+ labels:
+ {{- include "common.labels.standard" $ | nindent 4 }}
+type: Opaque
+ {{- with .Values.global.yonote.config.secret.data }}
+data:
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+ {{- with .Values.global.yonote.config.secret.stringData }}
+stringData: {{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 2 }}
+ {{- end }}
\ No newline at end of file
diff --git a/yonote-chart/templates/traefic-http-to-https-redirect-middleware.yaml b/yonote-chart/templates/traefic-http-to-https-redirect-middleware.yaml
new file mode 100644
index 0000000..93c470f
--- /dev/null
+++ b/yonote-chart/templates/traefic-http-to-https-redirect-middleware.yaml
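Review bot: `secret-values.yaml` sits inside the chart directory and is tracked by git, so a copy filled in with real credentials can end up in a commit or, because the `.helmignore` added in this same commit does not list it, inside a packaged chart archive. I would add a header comment such as `# Template only: copy outside the repository before filling in; never commit real values` and add the line `secret-values.yaml` to `.helmignore`. The inline hints on `DATABASE_URL` and `REDIS_URL` (`#postgres://@:5432/yonote`, `#redis://username:password>@:6379`) appear to have lost their placeholder names and should be written out in full so operators do not guess the URL shape.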
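Review bot: Nothing in `templates/secret.yaml` rejects the empty-string defaults shipped in `secret-values.yaml`, so an install with that file unedited renders `yonote-secrets` with `SECRET_KEY: ""` and `UTILS_SECRET: ""`; whether the application refuses to start on empty keys is not visible in this commit. A fail-fast guard placed before the `stringData:` block would surface this at render time, for example `{{- $_ := required "global.yonote.config.secret.stringData.SECRET_KEY must be set" .Values.global.yonote.config.secret.stringData.SECRET_KEY }}`. In addition, `values.yaml` in this commit defines only `config.plain`, so rendering without `-f secret-values.yaml` makes both `with` lines read a field of a missing `config.secret` map, which will likely fail with a nil-pointer error; an empty `secret: {}` default under `global.yonote.config` would avoid that.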
@@ -0,0 +1,10 @@
+{{- if eq $.Values.global.yonote.ingress.ingressClassName "traefik" }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: redirect-https
+spec:
+ redirectScheme:
+ scheme: https
+ permanent: true
+{{- end }}
\ No newline at end of file
diff --git a/yonote-chart/templates/traefik-wss-headers-middleware.yaml b/yonote-chart/templates/traefik-wss-headers-middleware.yaml
new file mode 100644
index 0000000..c8fc1bd
--- /dev/null
+++ b/yonote-chart/templates/traefik-wss-headers-middleware.yaml
@@ -0,0 +1,10 @@
+{{- if eq $.Values.global.yonote.ingress.ingressClassName "traefik" }}
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: wss-headers
+spec:
+ headers:
+ customRequestHeaders:
+ X-Forwarded-Proto: https
+{{- end }}
\ No newline at end of file
diff --git a/yonote-chart/values.yaml b/yonote-chart/values.yaml
new file mode 100644
index 0000000..c8b7ce0
--- /dev/null
+++ b/yonote-chart/values.yaml
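Review bot: The `redirect-https` Middleware is created when `global.yonote.ingress.ingressClassName` equals `traefik`, but nothing visible in this commit attaches it to the Ingress. The `yonote-web.ingress.annotations` in `values.yaml` are nginx-only, and the Ingress class itself is read from a separate key, `yonote-web.ingress.ingressClassName`, which can drift from the global one. As written, switching to Traefik would leave plain HTTP un-redirected unless the operator also adds a `traefik.ingress.kubernetes.io/router.middlewares` annotation by hand. A comment in `values.yaml` saying so, or a single source for the class name, would close that gap. The same applies to `wss-headers` in the next file, and both use `apiVersion: traefik.containo.us/v1alpha1`, which newer Traefik releases replace with `traefik.io/v1alpha1`.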
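Review bot: `customRequestHeaders` in `wss-headers` sets `X-Forwarded-Proto: https` on every request that passes through the middleware, regardless of the scheme the client actually used. If it is ever attached to a router on a plain-HTTP entrypoint, the application behind it will treat cleartext requests as TLS-protected, which affects any decision keyed off that header. A comment above `spec:` such as `# attach only to routers on the TLS entrypoint; this overrides the real request scheme` would document the constraint.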
@@ -0,0 +1,128 @@
+global:
+ yonote:
+ ingress:
+ ingressClassName: nginx
+ keycloak:
+ hostName: auth.example.com
+ realmName: yonote
+ ### Forbidden_Subdomains: app,localhost,yonote
+ baseListenAddress: example.com
+ config:
+ plain:
+ data:
+ FORCE_HTTPS: "false"
+ BIND_HOST: 0.0.0.0
+ PORT: "3000"
+ URL: 'http://{{ .Values.global.yonote.baseListenAddress }}'
+ COLLABORATION_URL: 'wss://{{ .Values.global.yonote.baseListenAddress }}'
+ OIDC_CLIENT_ID: yonote
+ OIDC_AUTH_URI: 'http://{{ .Values.global.yonote.keycloak.hostName }}/realms/{{ .Values.global.yonote.keycloak.realmName }}/protocol/openid-connect/auth'
+ OIDC_LOGOUT_URI: 'http://{{ .Values.global.yonote.keycloak.hostName }}/realms/{{ .Values.global.yonote.keycloak.realmName }}/protocol/openid-connect/logout'
+ OIDC_TOKEN_URI: 'http://{{ .Values.global.yonote.keycloak.hostName }}/realms/{{ .Values.global.yonote.keycloak.realmName }}/protocol/openid-connect/token'
+ OIDC_USERINFO_URI: 'http://{{ .Values.global.yonote.keycloak.hostName }}/realms/{{ .Values.global.yonote.keycloak.realmName }}/protocol/openid-connect/userinfo'
+ AWS_S3_UPLOAD_BUCKET_URL: ""
+ AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket
+ AWS_REGION: ""
+ AWS_S3_UPLOAD_MAX_SIZE: "226214400"
+ TELEGRAM_API_URL: https://api.telegram.org
+ OIDC_DISPLAY_NAME: email
+ OIDC_SCOPES: openid email
+ PGSSLMODE: disable
+ USE_LEGACY_LOGOUT: "true"
+ AWS_S3_FORCE_PATH_STYLE: "true"
+ AWS_S3_ACL: private
+ SMTP_HOST: ""
+ SMTP_USERNAME: ""
+ SMTP_FROM_EMAIL: ""
+ SMTP_REPLY_EMAIL: ""
+ SMTP_PORT: ""
+ SMTP_SECURE: "" #connection will be upgraded: https://nodemailer.com/smtp/
+ SMTP_REQUIRE_TLS: ""
+
+name: yonote
+
+yonote-web:
+ fullnameOverride: yonote-web
+ nameOverride: yonote-web
+ name: web
+ image:
+ registry: images.updates.yonote.ru
+ repository: yonote
+ tag: 1.15.1
+ pullPolicy: IfNotPresent
+ resources:
+ limits:
+ cpu: "1"
+ memory: 1Gi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+ ingress:
+ enabled: true
+ hostname: '"example.com"'
+ ingressClassName: nginx
+ path: '/'
+ pathType: Prefix
+ annotations:
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/server-snippets: |
+ location /realtime {
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header Connection "upgrade";
+ proxy_cache_bypass $http_upgrade;
+ }
+
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "Host $http_host";
+ more_set_headers "X-Real-IP $remote_addr";
+ more_set_headers "X-Forwarded-Proto $scheme";
+ more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for";
+ cert-manager.io/cluster-issuer: ""
+ extraTls:
+ - hosts:
+ - "example.com"
+ secretName: example-tls
+ containerPorts:
+ - containerPort: 3000
+ name: app
+ protocol: TCP
+ service:
+ type: ClusterIP
+ port: 80
+ targetPort: app
+ envFrom:
+ - configMapRef:
+ name: yonote-configs
+ - secretRef:
+ name: yonote-secrets
+
+ podLabels:
+ redis-client: 'true'
+ podAnnotations:
+ checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
+ checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
+ readinessProbe:
+ enabled: true
+ failureThreshold: 6
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ httpGet:
+ path: /_health
+ port: app
+ livenessProbe:
+ enabled: true
+ failureThreshold: 6
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ httpGet:
+ path: /_health
+ port: app
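Review bot: The defaults under `global.yonote.config.plain.data` point `URL` and every OIDC endpoint (`OIDC_AUTH_URI`, `OIDC_LOGOUT_URI`, `OIDC_TOKEN_URI`, `OIDC_USERINFO_URI`) at `http://`, together with `FORCE_HTTPS: "false"` and `PGSSLMODE: disable`. With these values the token request that carries `OIDC_CLIENT_SECRET`, and the tokens returned, would cross the network unencrypted, even though the ingress further down sets `force-ssl-redirect: "true"` and `COLLABORATION_URL` already uses `wss://`. I would default the scheme to `https://` (e.g. `URL: 'https://{{ .Values.global.yonote.baseListenAddress }}'`), set `FORCE_HTTPS: "true"`, and keep `PGSSLMODE: disable` only with a comment stating it is meant for an in-cluster database. Separately, the annotation key `nginx.ingress.kubernetes.io/server-snippets` looks misspelled: ingress-nginx reads `server-snippet`, so the `/realtime` block is probably ignored, and both snippet annotations depend on snippet support being enabled on the controller.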