update yonote-mono

yonote-chart-mono/Chart.lock

@@ -10,6 +10,9 @@ dependencies:
   version: 16.12.1
 - name: minio
   repository: https://charts.bitnami.com/bitnami
-  version: 14.6.20
+  version: 12.7.0
-digest: sha256:dfaa7914dc55b5c305826ec1ed880af5c50904131aca19fe758d779719d35e99
+- name: keycloak
-generated: "2024-07-17T16:05:55.571392551+03:00"
+  repository: https://charts.bitnami.com/bitnami
+  version: 14.0.0
+digest: sha256:b12099844193a7a06a5d15b80774592b1cf73af191b654154a9c7a6e8d51a2e0
+generated: "2024-08-25T04:02:50.20628049+03:00"

yonote-chart-mono/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v2
 name: yonote-chart
-version: 1.2.1
+version: 1.2.0
 description:
   Generic application Helm chart.
-  This chart includes multiple dependencies. The base of this chart is derived from the Dysnix app chart.
+  This chart includes multiple dependencies. The base of this chart is derived from the Dynix app chart.
 maintainers:
   - name: Dysnix
     email: support@dysnix.com
@@ -18,8 +18,8 @@ dependencies:
   - name: postgresql
     version: "11.6.6"
     repository: https://charts.bitnami.com/bitnami
-    condition: yonote-database.enabled
+    condition: yonoteDatabase.enabled
-    alias: yonote-database
+    alias: yonoteDatabase
 
   - name: redis
     version: "16.12.1"
@@ -28,7 +28,13 @@ dependencies:
     alias: yonote-redis
 
   - name: minio
-    version: "14.6.20"
+    version: "12.7.0"
     repository: https://charts.bitnami.com/bitnami
     condition: minio.enabled
     alias: minio
+
+  - name: keycloak
+    version: "14.0.0"
+    repository: https://charts.bitnami.com/bitnami
+    condition: keycloak.enabled
+    alias: keycloak

yonote-chart-mono/secret-values.yaml

@@ -3,17 +3,17 @@ global:
     config:
       secret:
         stringData:
-          DATABASE_URL: 'postgres://{{ .Values.global.postgresql.auth.username }}:{{ .Values.global.postgresql.auth.password }}@yonote-db:5432/{{ .Values.global.postgresql.auth.database }}'
+          DATABASE_URL: 'postgres://{{ .Values.yonoteDatabase.global.postgresql.auth.username }}:{{ .Values.yonoteDatabase.global.postgresql.auth.password }}@yonote-database:5432/{{ .Values.yonoteDatabase.global.postgresql.auth.database }}'
-          POSTGRES_PASSWORD: wsGZ6kXhr5
+          POSTGRES_PASSWORD: "{{ .Values.yonoteDatabase.global.postgresql.auth.password }}"
-          AWS_ACCESS_KEY_ID: "minioadmin"  # Ваш идентификатор ключа доступа к AWS. Поведение в SelfHosted: устанавливает логин сервис аккаунта для доступа приложения к Minio S3 хранилищу
+          AWS_ACCESS_KEY_ID: "{{ .Values.minio.auth.rootUser }}"  # Ваш идентификатор ключа доступа к AWS. Поведение в SelfHosted: устанавливает логин сервис аккаунта для доступа приложения к Minio S3 хранилищу
-          AWS_SECRET_ACCESS_KEY: "minioadminsecret" # Ваш секретный ключ доступа AWS. Поведение в SelfHosted: устанавливает пароль сервис аккаунта для доступа приложения к Minio S3 хранилищу
+          AWS_SECRET_ACCESS_KEY: "{{ .Values.minio.auth.rootPassword }}" # Ваш секретный ключ доступа AWS. Поведение в SelfHosted: устанавливает пароль сервис аккаунта для доступа приложения к Minio S3 хранилищу
-          OIDC_CLIENT_SECRET: "" 
+          OIDC_CLIENT_SECRET: "Kdq8rk5Pv5RW1c5kHXpnyfrmMRzI9xSD" # Секретный ключ клиента для аутентификации по OpenID Connect (OIDC).
           SECRET_KEY: "659a8881b186198c3146e316f6dab67df25496534d1fa156d624b037260df688" # Сгенерируйте 32-байтовый случайный ключ в шестнадцатеричном коде. Вам следует использовать `openssl rand -hex 32` в вашем терминале для генерации случайного значения.
           SMTP_PASSWORD: "1234"
           UTILS_SECRET: "7bd5e9ac4415dd0dbf6b7721e2a21e9427b268cd0140c7516d13dece5024d479" # Сгенерируйте уникальный случайный ключ. Формат не важен, но вы все равно можете использовать`openssl rand -hex 32` в вашем терминале, чтобы создать это.
           TELEGRAM_BOT_TOKEN: "1234"
           UNSPLASH_API_ACCESS_KEY: "a-yGo6HpRP6jNfravx4Bz-oiPrRnH_5-24Xa9ZPlePE" 
-          LICENSE_KEY: "" # Обратитесь в отдел продаж для получения
+          LICENSE_KEY: "qwerty-123456-zxcvb" # Обратитесь в отдел продаж для получения
           SERVICE_WORKER_PUBLIC_KEY: "1234" 
           SERVICE_WORKER_PRIVATE_KEY: "1234"
         # Генерация ключей (web-push) Service Worker
@@ -22,10 +22,24 @@ global:
         # npx web-push generate-vapid-keys
         # 3) Полученные значения ввести в .env файл (SERVICE_WORKER_PUBLIC_KEY, SERVICE_WORKER_PRIVATE_KEY)
           
+yonoteDatabase:
+  global:
     postgresql:
       auth:
         password: "wsGZ6kXhr5"
         postgresPassword: "QQYw4UjOU"
 
+# yonote-redis: # Если используете пароль для redis
+#   auth:
+#     password: "12345678"
 
+minio:
+  auth:
+    rootPassword: "12345678"
 
+keycloak:
+  auth:
+   adminPassword: "root"
+  postgresql:
+    auth:
+      password: "tT9BqYdNyd"

yonote-chart-mono/templates/ingress.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Values.ingress.name }}
+  namespace: {{ .Values.ingress.namespace }}
+  annotations:
+    {{- range $key, $value := .Values.ingress.annotations }}
+    {{ $key }}: "{{ $value }}"
+    {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  tls:
+    - secretName: "{{ .Values.ingress.tls.secretName }}"
+      hosts:
+        {{- range .Values.ingress.tls.hosts }}
+        - "{{ . }}"
+        {{- end }}
+  rules:
+    {{- range .Values.ingress.rules }}
+    - host: "{{ .host }}"
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: {{ .service.name }}
+                port:
+                  number: {{ .service.port | int }}
+          {{- end }}
+    {{- end }}
+{{- end }}

yonote-chart-mono/templates/mcJob.yaml

@@ -0,0 +1,39 @@
+{{- if .Values.mcJob.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: yonote-minio-mc-job
+  labels:
+    app: yonote-minio
+spec:
+  template:
+    metadata:
+      labels:
+        app: yonote-minio
+    spec:
+      containers:
+        - name: mc-client
+          image: "docker.io/bitnami/minio-client:2024.8.13-debian-12-r0"
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              until mc alias set myminio http://yonote-minio:9000 {{ .Values.minio.auth.rootUser }} {{ .Values.minio.auth.rootPassword }}; do
+                echo "Waiting for MinIO to be ready..."
+                sleep 5
+              done
+              if ! mc ls myminio/yonote-bucket; then
+                mc mb myminio/yonote-bucket
+              else
+                echo "Bucket yonote-bucket already exists."
+              fi
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "100m"
+            limits:
+              memory: "256Mi"
+              cpu: "200m"
+      restartPolicy: OnFailure
+  backoffLimit: 5
+  ttlSecondsAfterFinished: 100
+{{- end }}

yonote-chart-mono/templates/realm-configmap.yaml

@@ -0,0 +1,169 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: realm-export
+data:
+  realm-export.json: |
+    {
+    "realm": "yonote",
+    "enabled": true,
+    "notBefore": 1647809856,
+    "defaultSignatureAlgorithm": "RS256",
+    "revokeRefreshToken": false,
+    "refreshTokenMaxReuse": 0,
+    "accessTokenLifespan": 300,
+    "accessTokenLifespanForImplicitFlow": 900,
+    "ssoSessionIdleTimeout": 1800,
+    "ssoSessionMaxLifespan": 36000,
+    "ssoSessionIdleTimeoutRememberMe": 0,
+    "ssoSessionMaxLifespanRememberMe": 0,
+    "offlineSessionIdleTimeout": 2592000,
+    "offlineSessionMaxLifespanEnabled": false,
+    "offlineSessionMaxLifespan": 5184000,
+    "clientSessionIdleTimeout": 0,
+    "clientSessionMaxLifespan": 0,
+    "clientOfflineSessionIdleTimeout": 0,
+    "clientOfflineSessionMaxLifespan": 0,
+    "accessCodeLifespan": 60,
+    "accessCodeLifespanUserAction": 300,
+    "accessCodeLifespanLogin": 1800,
+    "actionTokenGeneratedByAdminLifespan": 43200,
+    "actionTokenGeneratedByUserLifespan": 300,
+    "oauth2DeviceCodeLifespan": 600,
+    "oauth2DevicePollingInterval": 5,
+    "sslRequired": "external",
+    "registrationAllowed": true,
+    "registrationEmailAsUsername": true,
+    "rememberMe": true,
+    "verifyEmail": false,
+    "loginWithEmailAllowed": true,
+    "duplicateEmailsAllowed": false,
+    "resetPasswordAllowed": true,
+    "editUsernameAllowed": false,
+    "bruteForceProtected": false,
+    "permanentLockout": false,
+    "maxFailureWaitSeconds": 900,
+    "minimumQuickLoginWaitSeconds": 60,
+    "waitIncrementSeconds": 60,
+    "quickLoginCheckMilliSeconds": 1000,
+    "maxDeltaTimeSeconds": 43200,
+    "failureFactor": 30,
+    "clients": [
+        {
+        "clientId": "{{ .Values.global.yonote.config.plain.data.OIDC_CLIENT_ID }}",
+        "secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}",
+        "redirectUris": [
+            "https://*.{{ .Values.global.yonote.baseListenAddress }}/*",
+            "http://*.{{ .Values.global.yonote.baseListenAddress }}/*",
+            "http://app.{{ .Values.global.yonote.baseListenAddress }}/*",
+            "https://app.{{ .Values.global.yonote.baseListenAddress }}/*",
+            "https://app.{{ .Values.global.yonote.baseListenAddress }}/auth/oidc.callback/*"
+        ],
+        "baseUrl": "https://app.{{ .Values.global.yonote.baseListenAddress }}",
+        "enabled": true,
+        "publicClient": false,
+        "protocol": "openid-connect",
+        "attributes": {
+            "client.secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}",
+            "display.on.consent.screen": "true"
+        },
+        "authenticationFlowBindingOverrides": {},
+        "fullScopeAllowed": false,
+        "protocolMappers": [
+            {
+            "name": "oidc-display-name",
+            "protocol": "openid-connect",
+            "protocolMapper": "oidc-usermodel-attribute-mapper",
+            "consentRequired": false,
+            "config": {
+                "userinfo.token.claim": "true",
+                "user.attribute": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}",
+                "id.token.claim": "true",
+                "access.token.claim": "true",
+                "claim.name": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}",
+                "jsonType.label": "String"
+            }
+            }
+        ],
+        "defaultClientScopes": ["openid", "email"]
+        }
+    ],
+    "identityProviders": [],
+    "internationalizationEnabled": true,
+    "clientScopes": [
+        {
+        "name": "openid",
+        "protocol": "openid-connect",
+        "attributes": {
+            "include.in.token.scope": "true",
+            "display.on.consent.screen": "true",
+            "consent.screen.text": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}"
+        },
+        "protocolMappers": []
+        },
+        {
+        "name": "email",
+        "protocol": "openid-connect",
+        "attributes": {
+            "include.in.token.scope": "true",
+            "display.on.consent.screen": "true"
+        },
+        "protocolMappers": [
+            {
+            "id": "56fe6d23-690a-465c-bc36-99bff8fef6eb",
+            "name": "email verified",
+            "protocol": "openid-connect",
+            "protocolMapper": "oidc-usermodel-property-mapper",
+            "consentRequired": false,
+            "config": {
+                "userinfo.token.claim": "true",
+                "user.attribute": "emailVerified",
+                "id.token.claim": "true",
+                "access.token.claim": "true",
+                "claim.name": "email_verified",
+                "jsonType.label": "boolean"
+            }
+            },
+            {
+            "id": "2c6acd0e-b776-48f5-9c3b-7bfdbbe712dc",
+            "name": "email",
+            "protocol": "openid-connect",
+            "protocolMapper": "oidc-usermodel-property-mapper",
+            "consentRequired": false,
+            "config": {
+                "userinfo.token.claim": "true",
+                "user.attribute": "email",
+                "id.token.claim": "true",
+                "access.token.claim": "true",
+                "claim.name": "email",
+                "jsonType.label": "String"
+            }
+            }
+        ]
+        }
+    ],
+    "browserSecurityHeaders": {
+        "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"
+    },
+    "webAuthnPolicyRpEntityName": "keycloak",
+    "webAuthnPolicySignatureAlgorithms": ["ES256"],
+    "webAuthnPolicyRpId": "",
+    "webAuthnPolicyAttestationConveyancePreference": "not specified",
+    "webAuthnPolicyAuthenticatorAttachment": "not specified",
+    "webAuthnPolicyRequireResidentKey": "not specified",
+    "webAuthnPolicyUserVerificationRequirement": "not specified",
+    "webAuthnPolicyCreateTimeout": 0,
+    "webAuthnPolicyAvoidSameAuthenticatorRegister": false,
+    "webAuthnPolicyAcceptableAaguids": [],
+    "webAuthnPolicyPasswordlessRpEntityName": "keycloak",
+    "webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"],
+    "webAuthnPolicyPasswordlessRpId": "",
+    "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
+    "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
+    "webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
+    "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
+    "webAuthnPolicyPasswordlessCreateTimeout": 0,
+    "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
+    "webAuthnPolicyPasswordlessAcceptableAaguids": [],
+    "smtpServer": {}
+    }

yonote-chart-mono/templates/traefic-http-to-https-redirect-middleware.yaml

@@ -1,10 +0,0 @@
-{{- if eq $.Values.global.yonote.ingress.ingressClassName "traefik" }}
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: redirect-https
-spec:
-  redirectScheme:
-    scheme: https
-    permanent: true
-{{- end }}

yonote-chart-mono/templates/traefik-wss-headers-middleware.yaml

@@ -1,10 +0,0 @@
-{{- if eq $.Values.global.yonote.ingress.ingressClassName "traefik" }}
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: wss-headers
-spec:
-  headers:
-    customRequestHeaders:
-      X-Forwarded-Proto: https
-{{- end }}

yonote-chart-mono/values.yaml

@@ -1,21 +1,13 @@
 global:
   name: yonote-app
-  postgresql:
-    auth:
-      database: yonote
-      username: yonote
-
   yonote:
-    ingress:
-      ingressClassName: nginx
-
     dbMigrationEnv: production-ssl-disabled # Режим подключения к базе данных при выполнении миграций. При использовании SSL подключения, установите значение `production`
-
+    baseListenAddress: example.com # Доменный адрес для yonote
-    baseListenAddress: example.com
 
     config:
       plain:
         data:
+          DEPLOYMENT: hosted
           NODE_ENV: production
           FORCE_HTTPS: "false"
           PGSSLMODE: disable # Отключает SSL подключение к базе данных. Уберите эту строку, если вы используете SSL подключение к PostgreSQL
@@ -30,6 +22,7 @@ global:
           
           AI_URL: "1234"
           AI_API_KEY: "1234"
+          WEB_CONCURRENCY: "1"
 
           URL: 'https://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения
           COLLABORATION_URL: 'wss://app.{{ .Values.global.yonote.baseListenAddress }}' # Cервер, для нормальной работы это не нужно устанавливать
@@ -38,12 +31,20 @@ global:
           OIDC_SCOPES: openid email
           OIDC_CLIENT_ID: yonote
           OIDC_AUTH_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/auth'
+          # OIDC_AUTH_URI: URL для авторизации пользователей через OpenID Connect (OIDC). 
+          # Пользователь перенаправляется на этот адрес для входа в систему.
           OIDC_LOGOUT_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/logout'
+          # OIDC_LOGOUT_URI: URL для выхода из системы через OIDC. 
+          # Пользователь перенаправляется на этот адрес для завершения сессии и выхода.
           OIDC_TOKEN_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/token'
+          # OIDC_TOKEN_URI: URL для получения токенов доступа и обновления. 
+          # Этот адрес используется для обмена авторизационным кодом на токены
           OIDC_USERINFO_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/userinfo'
+          # OIDC_USERINFO_URI: URL для получения информации о пользователе. 
+          # Используется для получения данных профиля пользователя на основе его токена.
           
           AWS_S3_ACL: private
-          AWS_S3_UPLOAD_BUCKET_URL: http://s3.example.com # Адрес S3 хранилища
+          AWS_S3_UPLOAD_BUCKET_URL: yonote-minio:9000 # Адрес S3 хранилища
           AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket # Имя хранилища 
           AWS_REGION: "ru_RU"
           AWS_S3_UPLOAD_MAX_SIZE: "226214400" # Максимальный размер хранилища
@@ -94,24 +95,16 @@ yonote-web:
       cpu: 250m
       memory: 256Mi
   
-  # ingress:
+ingress:
-  #   enabled: true
-  #   ingressClassName: traefik
-  #   hosts: "'*.example.com'"
-  #   annotations:
-  #     cert-manager.io/cluster-issuer: ""
-  #     traefik.ingress.kubernetes.io/router.middlewares: "{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{ .Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd"
-  #   extraTls:
-  #   - hosts:
-  #       - "'*.example.com'"
-  #     secretName: "'*.example.com'"
-  
-  ingress:
   enabled: true
-    hostname: "'*.example.com'"
+  name: yonote-ingress
+  namespace: yonote-onprem
   ingressClassName: nginx
-    path: '/'
+  tls:
-    pathType: Prefix
+    - secretName: "you_tls_secret"
+      hosts: 
+        - "app.example.com"
+        - "team.example.com"
   annotations:
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
     nginx.ingress.kubernetes.io/server-snippets: |
@@ -125,17 +118,77 @@ yonote-web:
         proxy_set_header Connection "upgrade";
         proxy_cache_bypass $http_upgrade;
       }
-
     nginx.ingress.kubernetes.io/configuration-snippet: |
       more_set_headers "Host              $http_host";
       more_set_headers "X-Real-IP         $remote_addr";
       more_set_headers "X-Forwarded-Proto $scheme";
       more_set_headers "X-Forwarded-For   $proxy_add_x_forwarded_for";        
     cert-manager.io/cluster-issuer: ""
-    tls:
+
-    - hosts:
+  rules:
-        - "'*.example.com'"
+  - host: "app.example.com"
-      secretName: "'*.example.com'"
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: yonote-web
+              port:
+                number: 80
+        - path: /realtime
+          pathType: Prefix
+          backend:
+            service:
+              name: yonote-websockets
+              port:
+                number: 80
+        - path: /whiteboard
+          pathType: Prefix
+          backend:
+            service:
+              name: yonote-whiteboard
+              port:
+                number: 80
+        - path: /collaboration
+          pathType: Prefix
+          backend:
+            service:
+              name: yonote-collaboration
+              port:
+                number: 80
+
+  - host: "team.example.com"
+    http:
+      paths:
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: yonote-web
+              port:
+                number: 80
+        - path: /realtime
+          pathType: Prefix
+          backend:
+            service:
+              name: yonote-websockets
+              port:
+                number: 80
+        - path: /whiteboard
+          pathType: Prefix
+          backend:
+            service:
+              name: yonote-whiteboard
+              port:
+                number: 80
+        - path: /collaboration
+          pathType: Prefix
+          backend:
+            service:
+              name: yonote-collaboration
+              port:
+                number: 80
 
   containerPorts:
     - containerPort: 3000
@@ -177,10 +230,16 @@ yonote-web:
       path: /_health
       port: app
 
-yonote-database: 
+yonoteDatabase:
   enabled: true
-  fullnameOverride: yonote-db
+  global:
-  nameOverride: db
+    postgresql:
+      auth:
+        database: "yonote"
+        username: "yonote"
+  name: yonote-database
+  fullnameOverride: yonote-database
+  nameOverride: yonote-database
   
   primary:
     persistence:
@@ -217,25 +276,14 @@ minio:
   enabled: true
   name: minio
   fullnameOverride: yonote-minio
-  nameOverride: minio
+  nameOverride: yonote-minio
-  accessKey: "minioadmin"
+  auth:
-  secretKey: "minioadminsecret"
+    rootUser: admin
   
   persistence:
     enabled: true
     size: 500Mi
 
-  # ingress:
-  #   enabled: true
-  #   hostname: '"s3.example.com"'
-  #   annotations:
-  #     cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev
-  #     traefik.ingress.kubernetes.io/router.middlewares: "{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{ .Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd"
-  #   extraTls:
-  #   - hosts:
-  #       - s3.example.com
-  #     secretName: s3.example.com
-
   ingress:
     enabled: true
     ingressClassName: nginx
@@ -247,7 +295,7 @@ minio:
         more_set_headers "X-Forwarded-Proto $scheme";
         more_set_headers "X-Forwarded-For   $proxy_add_x_forwarded_for";
     hosts:
-      - host: s3.onprem-test.stands.wilix.dev
+      - host: s3.example.com
         paths:
           - path: /
             pathType: ImplementationSpecific
@@ -263,3 +311,88 @@ minio:
     buckets:
       - name: yonote-bucket
         policy: none
+
+mcJob:
+  enabled: true
+
+keycloak:
+  auth:
+    adminUser: root
+
+  fullnameOverride: yonote-keycloak
+  nameOverride: yonote-keycloak
+
+  command:
+    - /bin/bash
+    - -c
+    - |
+      /opt/bitnami/keycloak/bin/kc.sh import --file=/opt/bitnami/keycloak/data/import/realm-export.json && \
+      /opt/bitnami/keycloak/bin/kc.sh start-dev
+
+  extraEnvVars:
+    - name: KC_DB_PASSWORD
+      value: "tT9BqYdNyd"
+    - name: KEYCLOAK_PRODUCTION
+      value: "true"
+    - name: KC_HOSTNAME_URL
+      value: "https://auth.example.com"
+    - name: KC_HOSTNAME_ADMIN_URL
+      value: "https://auth.example.com"
+
+  extraVolumes:
+    - name: realm-export
+      configMap:
+        name: realm-export
+
+  extraVolumeMounts:
+    - name: realm-export
+      mountPath: /opt/bitnami/keycloak/data/import/realm-export.json
+      subPath: realm-export.json
+
+  ingress:
+    enabled: true
+    hostname: auth.example.com
+    ingressClassName: traefik
+    tls: true
+    annotations:
+      kubernetes.io/ingress.class: traefik
+      # cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете
+    extraTls:
+      - hosts:
+          - "auth.example.com"
+        secretName: "you_tls_secret"
+    rules:
+      - host: "auth.example.com"
+        paths: 
+          - path: /
+            pathType: Prefix
+            service:
+              name: yonote-keycloak
+              port: http
+          - path: /admin
+            pathType: Prefix
+            service:
+              name: yonote-keycloak
+              port: http
+
+  proxy: "edge"
+
+  resources:
+    limits:
+      cpu: 500m
+      memory: 512Mi
+    requests:
+      cpu: 150m
+      memory: 128Mi
+  
+  postgresql:
+    enabled: true
+    auth:
+      database: keycloak
+      username: keycloak
+    name: keycloak-database
+    fullnameOverride: keycloak-database
+    nameOverride: keycloak-database
+    primary:
+      persistence:
+        size: 512Mi

yonote-chart-service/values.yaml

@@ -538,7 +538,7 @@ minio:
   nameOverride: yonote-minio
   auth:
     rootUser: admin
-    rootPassword: "12345678"
+
 
   persistence:
     enabled: true