Compare commits
17 Commits
hotfix-web
...
main
| Author | SHA1 | Date |
|---|---|---|
 Артем Дроздов
|
a9b549ab60 | |
|
Артем Дроздов
|
fb55099d38 | |
|
Артем Дроздов
|
9f5628403e | |
|
Артем Дроздов
|
706d723ca1 | |
|
Артем Дроздов
|
823f6bbb5c | |
|
Артем Дроздов
|
9f7f8d2257 | |
|
Артем Дроздов
|
dd555125e6 | |
|
Артем Дроздов
|
37eea62a2b | |
|
Артем Дроздов
|
64fcda3a28 | |
|
Артем Дроздов
|
54af3b16f5 | |
 Даниил Милин
|
81ba95b080 | |
|
Артем Дроздов
|
08c62b5eb8 | |
|
Артем Дроздов
|
50232216b2 | |
artem.drozdov
|
0abff732d1 | |
|
artem.drozdov
|
fcaec2b232 | |
|
artem.drozdov
|
9e75835634 | |
|
artem.drozdov
|
93f513401a |
|
|
@ -1,146 +0,0 @@
|
|||
########## Обязательные переменные ##########
|
||||
|
||||
# Система Yonote поставляется с несколькими дополнительными сервисами:
|
||||
# - PostgreSQL - основная БД для хранения данных
|
||||
# - Keycloak - сервер авторизации
|
||||
# - Minio - S3 файловое хранилище
|
||||
# - Redis - key-value хранилище
|
||||
# - Nginx - используется как reverse-proxy для всех сервисов
|
||||
#
|
||||
# Мы рекомендуем для каждого сервиса (кроме nginx) создать поддомены:
|
||||
# Если мы хотим, чтобы Yonote был доступен по адресу domain.ru -> 80.11.121.12 (пример),
|
||||
# то необходимо также создать следующие DNS записи для корректной работы системы:
|
||||
# - domain.ru -> 80.11.121.12
|
||||
# - auth.domain.ru -> domain.ru
|
||||
# - s3.domain.ru -> domain.ru
|
||||
#
|
||||
# Если вы запускаете сервис с HTTPS,
|
||||
# необходимо соответсвенно поменять на https:// и wss://
|
||||
|
||||
### Keycloak
|
||||
AUTH_VERSION=latest
|
||||
|
||||
# Адрес сервера авторизации (с http/https)
|
||||
KC_YNT_HOST=auth.example.ru
|
||||
KC_YNT_HOST_PROTOCOL=http://
|
||||
KC_YNT_PORT=9080
|
||||
KC_YNT_URL=${KC_YNT_HOST_PROTOCOL}${KC_YNT_HOST}:${KC_YNT_PORT}
|
||||
KC_YNT_INTERNAL_URL=${KC_YNT_HOST_PROTOCOL}${KC_YNT_HOST}
|
||||
|
||||
# Подключение к базе данных (база создается автоматически)
|
||||
KC_DB=keycloak
|
||||
KC_DB_USERNAME=keycloak
|
||||
KC_DB_PASSWORD=keycloak
|
||||
|
||||
# Настройка клиента авторизации (ключ от OIDC провайдера)
|
||||
KC_CLIENT_SECRET=MY-BRAND-NEW-SECRET-KEY
|
||||
|
||||
# Адрес сервера S3/Minio (с http/https)
|
||||
MINIO_YNT_INTERNAL_HOST=s3.example.ru
|
||||
MINIO_YNT_HOST=s3.example.ru:9080
|
||||
MINIO_ADMIN_YNT_HOST=s3-admin.example.ru
|
||||
MINIO_YNT_HOST_PROTOCOL=http://
|
||||
MINIO_YNT_URL=${MINIO_YNT_HOST_PROTOCOL}${MINIO_YNT_HOST}
|
||||
# Логин и пароль для администратора S3 (пользователь создается автоматически)
|
||||
MINIO_ADMIN_USERNAME=admin
|
||||
MINIO_ADMIN_PASSWORD=adminadmin
|
||||
|
||||
# Адрес для Yonote (укажите домен или адрес сервера)
|
||||
BASENAME_FOR_SUBDOMAIN=app.example.ru:9080
|
||||
YNT_HTTP_PROTOCOL=http://
|
||||
YNT_WEBSOCKET_PROTOCOL=ws://
|
||||
YNT_INTERNAL_URL=app.example.ru
|
||||
|
||||
### OAuth/OIDC (Keycloak) - сервер авторизации
|
||||
KC_USERNAME=admin
|
||||
KC_PASSWORD=adminadmin
|
||||
|
||||
### S3 совместимое хранилище (Minio)
|
||||
MINIO_ACCESS_KEY_ID=yonote
|
||||
MINIO_SECRET_ACCESS_KEY=service-account-pass
|
||||
|
||||
### Yonote
|
||||
APP_VERSION=latest
|
||||
|
||||
# Данные для подключения к БД (БД и пользователь будут созданны автоматически)
|
||||
YNT_DB_NAME=yonote
|
||||
YNT_DB_USER=postgres
|
||||
YNT_DB_PASSWORD=azsxdc
|
||||
|
||||
# Максимальный размер одно файла для загрузки в хранилище (в байтах)
|
||||
AWS_S3_UPLOAD_MAX_SIZE=226214400
|
||||
|
||||
# Ключ шыфрования (32 байта). Рекомендуем использовать команду ниже для генерации ключа:
|
||||
# `openssl rand -hex 32`
|
||||
# храните данный ключ в надежном месте
|
||||
SECRET_KEY=
|
||||
|
||||
# Уникальный random ключ. Используется для различных крипто-функций,
|
||||
# рекомендуем так же использовать команду ниже для генерации ключа:
|
||||
# `openssl rand -hex 32`
|
||||
UTILS_SECRET=
|
||||
|
||||
# SMTP сервер
|
||||
SMTP_HOST=smtp.example-mail.ru
|
||||
SMTP_PORT=587
|
||||
SMTP_USERNAME=noreply@example-mail.ru
|
||||
SMTP_PASSWORD=
|
||||
SMTP_FROM_EMAIL=noreply@example-mail.ru
|
||||
SMTP_REPLY_EMAIL=support@example-mail.ru
|
||||
SMTP_TLS_CIPHERS=
|
||||
SMTP_SECURE=false
|
||||
|
||||
# Лицензионный ключ
|
||||
# Для получения, обратитесь в отдел продаж hello@yonote.ru
|
||||
LICENSE_KEY=
|
||||
|
||||
############ OPTIONAL ################
|
||||
|
||||
# Производить редирект на HTTPS если запрос пришел на HTTP
|
||||
FORCE_HTTPS=false
|
||||
|
||||
# Отслеживать появление новых версий
|
||||
ENABLE_UPDATES=false
|
||||
|
||||
# Как много подпроцессов множно запускать.
|
||||
# Самый простой вариант подсчета: разделить доступный объем памяти сервера на 512Мб
|
||||
WEB_CONCURRENCY=1
|
||||
|
||||
# Максимальный размер файла импорта (Для импорта из Notion, Confluence и тд)
|
||||
MAXIMUM_IMPORT_SIZE=5120000
|
||||
|
||||
# Логировать HTTP запросы.
|
||||
# DEBUG=http
|
||||
|
||||
# Список почтовых доменов с которых разрешена регистрация. Домены разделяются запятыми.
|
||||
# По умолчанию разрешены любые домены
|
||||
# ALLOWED_DOMAINS=
|
||||
|
||||
# Отправка отчетов об ошибках разработчикам.
|
||||
# Закомментируйте, если не хотите делиться отчетами об ошибках
|
||||
SENTRY_DSN=https://5bdaaba1cf8043ba9cc43933b65f3b46@sentry.wilix.dev/7
|
||||
|
||||
# Логотип команды, который будет отображаться при входе в систему.
|
||||
# Будет уменьшен до height: 60px
|
||||
# TEAM_LOGO=https://example.com/images/logo.png
|
||||
|
||||
# Язык по умолчанию
|
||||
DEFAULT_LANGUAGE=ru_RU
|
||||
|
||||
# Ключи для отправки WEB Push уведомлений
|
||||
# Инструкция по получению ключей https://yo.yonote.ru/share/onprem/doc/ustanovka-i-nastrojka-KbTxPbAUoo#h-generaciya-klyuchej-web-push-service-worker
|
||||
SERVICE_WORKER_PUBLIC_KEY=
|
||||
SERVICE_WORKER_PRIVATE_KEY=
|
||||
|
||||
# Интеграция с Telegram. Если TELEGRAM_BOT_TOKEN не указан, то интеграция отключена
|
||||
# Инструкция по настройке https://yo.yonote.ru/share/onprem/doc/integraciya-s-telegram-9d2l0erXGN
|
||||
# TELEGRAM_BOT_TOKEN=
|
||||
# TELEGRAM_BOT_URL=
|
||||
|
||||
# Интеграция с Loop https://loop.ru/. Если LOOP_KEY не указан, то интеграция отключена
|
||||
# LOOP_KEY=
|
||||
# LOOP_SECRET=
|
||||
# LOOP_VERIFICATION_TOKEN=
|
||||
# LOOP_MESSAGE_ACTIONS=true
|
||||
|
||||
OPENAI_API_KEY=123
|
||||
|
|
@ -1,174 +0,0 @@
|
|||
version: "3"
|
||||
services:
|
||||
yonote:
|
||||
container_name: yonote
|
||||
image: images.updates.yonote.ru/yonote:${APP_VERSION}
|
||||
env_file:
|
||||
- .env
|
||||
ports:
|
||||
- "3000"
|
||||
depends_on:
|
||||
- postgres
|
||||
- redis
|
||||
- keycloak
|
||||
- s3-client
|
||||
command: yarn start:selfhosted
|
||||
environment:
|
||||
BIND_HOST: 0.0.0.0
|
||||
PORT: 3000
|
||||
URL: ${YNT_HTTP_PROTOCOL}${BASENAME_FOR_SUBDOMAIN}
|
||||
COLLABORATION_URL: ${YNT_WEBSOCKET_PROTOCOL}${BASENAME_FOR_SUBDOMAIN}
|
||||
DATABASE_URL: postgres://${YNT_DB_USER}:${YNT_DB_PASSWORD}@postgres:5432/${YNT_DB_NAME}
|
||||
OIDC_CLIENT_ID: yonote
|
||||
OIDC_CLIENT_SECRET: ${KC_CLIENT_SECRET}
|
||||
OIDC_AUTH_URI: ${KC_YNT_URL}/realms/yonote/protocol/openid-connect/auth
|
||||
OIDC_TOKEN_URI: ${KC_YNT_URL}/realms/yonote/protocol/openid-connect/token
|
||||
OIDC_USERINFO_URI: ${KC_YNT_URL}/realms/yonote/protocol/openid-connect/userinfo
|
||||
OIDC_LOGOUT_URI: ${KC_YNT_URL}/realms/yonote/protocol/openid-connect/logout
|
||||
AWS_S3_UPLOAD_BUCKET_URL: ${MINIO_YNT_URL}
|
||||
AWS_ACCESS_KEY_ID: ${MINIO_ACCESS_KEY_ID}
|
||||
AWS_SECRET_ACCESS_KEY: ${MINIO_SECRET_ACCESS_KEY}
|
||||
AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket
|
||||
AWS_REGION: xx-xxxx-x
|
||||
TELEGRAM_API_URL: https://api.telegram.org
|
||||
OIDC_DISPLAY_NAME: email
|
||||
OIDC_SCOPES: openid email
|
||||
REDIS_URL: redis://redis:6379
|
||||
PGSSLMODE: disable
|
||||
USE_LEGACY_LOGOUT: true
|
||||
AWS_S3_FORCE_PATH_STYLE: true
|
||||
AWS_S3_ACL: private
|
||||
volumes:
|
||||
- ./License.key:/opt/yonote/License.key
|
||||
networks:
|
||||
- yonote-network
|
||||
external_links:
|
||||
- "nginx:${KC_YNT_HOST}"
|
||||
- "nginx:${MINIO_YNT_HOST}"
|
||||
|
||||
redis:
|
||||
container_name: redis
|
||||
image: redis:7-alpine
|
||||
restart: unless-stopped
|
||||
user: "redis:redis"
|
||||
networks:
|
||||
- yonote-network
|
||||
|
||||
postgres:
|
||||
container_name: postgres
|
||||
image: postgres:14
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
POSTGRES_DB: ${YNT_DB_NAME}
|
||||
POSTGRES_USER: ${YNT_DB_USER}
|
||||
POSTGRES_PASSWORD: ${YNT_DB_PASSWORD}
|
||||
KC_DB_USERNAME: ${KC_DB_USERNAME}
|
||||
KC_DB_PASSWORD: ${KC_DB_PASSWORD}
|
||||
user: "postgres:postgres"
|
||||
volumes:
|
||||
- db:/var/lib/postgresql/data
|
||||
- ./postgres/init-keycloak-db.sh:/docker-entrypoint-initdb.d/init-keycloak-db.sh
|
||||
networks:
|
||||
- yonote-network
|
||||
|
||||
s3:
|
||||
container_name: minio
|
||||
image: minio/minio:RELEASE.2024-03-03T17-50-39Z
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- MINIO_ROOT_USER=${MINIO_ADMIN_USERNAME}
|
||||
- MINIO_ROOT_PASSWORD=${MINIO_ADMIN_PASSWORD}
|
||||
command: server --address :9000 --console-address :9001 /data
|
||||
ports:
|
||||
- "9000"
|
||||
- "9001"
|
||||
volumes:
|
||||
- minio:/data
|
||||
networks:
|
||||
- yonote-network
|
||||
|
||||
s3-client:
|
||||
container_name: minio-client
|
||||
image: minio/mc:RELEASE.2022-08-28T20-08-11Z
|
||||
volumes:
|
||||
- ./minio:/tmp/policies
|
||||
environment:
|
||||
MINIO_ACCESS_KEY_ID: ${MINIO_ACCESS_KEY_ID}
|
||||
MINIO_SECRET_ACCESS_KEY: ${MINIO_SECRET_ACCESS_KEY}
|
||||
MINIO_ADMIN_USERNAME: ${MINIO_ADMIN_USERNAME}
|
||||
MINIO_ADMIN_PASSWORD: ${MINIO_ADMIN_PASSWORD}
|
||||
entrypoint: >
|
||||
/bin/sh -c "
|
||||
/usr/bin/mc config host add myminio http://minio:9000 ${MINIO_ADMIN_USERNAME} ${MINIO_ADMIN_PASSWORD};
|
||||
/usr/bin/mc mb myminio/yonote-bucket;
|
||||
/usr/bin/mc policy set-json /tmp/policies/minio-bucket-policy.json myminio/yonote-bucket;
|
||||
/usr/bin/mc admin user add myminio ${MINIO_ACCESS_KEY_ID} ${MINIO_SECRET_ACCESS_KEY};
|
||||
/usr/bin/mc admin policy add myminio yonote-policy /tmp/policies/minio-user-policy.json;
|
||||
/usr/bin/mc admin policy set myminio yonote-policy user=${MINIO_ACCESS_KEY_ID};
|
||||
exit 0;
|
||||
"
|
||||
networks:
|
||||
- yonote-network
|
||||
depends_on:
|
||||
- s3
|
||||
|
||||
keycloak:
|
||||
container_name: keycloak
|
||||
image: images.updates.yonote.ru/yonote-keycloak:${AUTH_VERSION}
|
||||
ports:
|
||||
- "8080"
|
||||
environment:
|
||||
KC_HOSTNAME: ${KC_YNT_HOST}
|
||||
OIDC_CLIENT_SECRET: ${KC_CLIENT_SECRET}
|
||||
YNT_HTTP_PROTOCOL: ${YNT_HTTP_PROTOCOL}
|
||||
BASENAME_FOR_SUBDOMAIN: ${BASENAME_FOR_SUBDOMAIN}
|
||||
KEYCLOAK_ADMIN: ${KC_USERNAME}
|
||||
KEYCLOAK_ADMIN_PASSWORD: ${KC_PASSWORD}
|
||||
KC_DB: postgres
|
||||
KC_DB_URL: jdbc:postgresql://postgres:5432/keycloak
|
||||
KC_DB_USERNAME: ${KC_DB_USERNAME}
|
||||
KC_DB_PASSWORD: ${KC_DB_PASSWORD}
|
||||
PROXY_ADDRESS_FORWARDING: true
|
||||
KC_PROXY_ADDRESS_FORWARDING: true
|
||||
KC_PROXY: edge
|
||||
KC_HOSTNAME_STRICT: false
|
||||
KC_HOSTNAME_STRICT_HTTPS: false
|
||||
KC_HTTP_ENABLED: true
|
||||
# KC_HTTPS_ENABLED: false
|
||||
# KC_HOSTNAME_DEBUG: true
|
||||
command: start-dev --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --import-realm
|
||||
networks:
|
||||
- yonote-network
|
||||
depends_on:
|
||||
- postgres
|
||||
|
||||
nginx:
|
||||
container_name: nginx
|
||||
image: nginx
|
||||
ports:
|
||||
- 80:80
|
||||
environment:
|
||||
BASENAME_FOR_SUBDOMAIN: ${BASENAME_FOR_SUBDOMAIN}
|
||||
MINIO_YNT_HOST: ${MINIO_YNT_HOST}
|
||||
MINIO_ADMIN_YNT_HOST: ${MINIO_ADMIN_YNT_HOST}
|
||||
KC_YNT_HOST: ${KC_YNT_HOST}
|
||||
DOLLAR: "$"
|
||||
volumes:
|
||||
- ./nginx/default.conf.tmpl:/etc/nginx/conf.d/default.conf.tmpl
|
||||
networks:
|
||||
yonote-network:
|
||||
depends_on:
|
||||
- postgres
|
||||
- redis
|
||||
- keycloak
|
||||
- s3-client
|
||||
- yonote
|
||||
command: /bin/bash -c "envsubst < /etc/nginx/conf.d/default.conf.tmpl > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"
|
||||
|
||||
networks:
|
||||
yonote-network:
|
||||
name: yonote-internal-network
|
||||
|
||||
volumes:
|
||||
db:
|
||||
minio:
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Principal": {
|
||||
"AWS": [
|
||||
"*"
|
||||
]
|
||||
},
|
||||
"Action": [
|
||||
"s3:GetBucketLocation"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:s3:::yonote-bucket"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Principal": {
|
||||
"AWS": [
|
||||
"*"
|
||||
]
|
||||
},
|
||||
"Action": [
|
||||
"s3:GetObject"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:s3:::yonote-bucket/*"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -1,17 +0,0 @@
|
|||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Sid": "VisualEditor",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"s3:DeleteObject",
|
||||
"s3:GetObject",
|
||||
"s3:PutObject"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:s3:::yonote-bucket/*"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -1,94 +0,0 @@
|
|||
server {
|
||||
server_name ${BASENAME_FOR_SUBDOMAIN};
|
||||
proxy_http_version 1.1;
|
||||
proxy_busy_buffers_size 512k;
|
||||
proxy_buffers 4 512k;
|
||||
proxy_buffer_size 256k;
|
||||
proxy_connect_timeout 75s;
|
||||
|
||||
location / {
|
||||
proxy_pass http://yonote:3000;
|
||||
proxy_set_header Host ${DOLLAR}host;
|
||||
proxy_set_header Connection '';
|
||||
chunked_transfer_encoding off;
|
||||
proxy_cache off;
|
||||
}
|
||||
|
||||
location ^~/realtime {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade ${DOLLAR}http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host ${DOLLAR}host;
|
||||
proxy_pass http://yonote:3000;
|
||||
}
|
||||
location ^~/collaboration {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade ${DOLLAR}http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host ${DOLLAR}host;
|
||||
proxy_pass http://yonote:3000;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
server_name ${MINIO_YNT_HOST};
|
||||
proxy_http_version 1.1;
|
||||
proxy_busy_buffers_size 512k;
|
||||
proxy_buffers 4 512k;
|
||||
proxy_buffer_size 256k;
|
||||
proxy_read_timeout 300s;
|
||||
proxy_connect_timeout 75s;
|
||||
|
||||
location / {
|
||||
proxy_pass http://s3:9000;
|
||||
proxy_set_header Connection '';
|
||||
chunked_transfer_encoding off;
|
||||
proxy_set_header Host ${DOLLAR}host;
|
||||
proxy_cache off;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
server_name ${MINIO_ADMIN_YNT_HOST};
|
||||
proxy_http_version 1.1;
|
||||
proxy_busy_buffers_size 512k;
|
||||
proxy_buffers 4 512k;
|
||||
proxy_buffer_size 256k;
|
||||
proxy_read_timeout 300s;
|
||||
proxy_connect_timeout 75s;
|
||||
|
||||
location / {
|
||||
proxy_pass http://s3:9001;
|
||||
proxy_set_header Connection '';
|
||||
chunked_transfer_encoding off;
|
||||
proxy_cache off;
|
||||
|
||||
# To support websocket
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade ${DOLLAR}http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Origin '';
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
server_name ${KC_YNT_HOST};
|
||||
proxy_http_version 1.1;
|
||||
proxy_busy_buffers_size 512k;
|
||||
proxy_buffers 4 512k;
|
||||
proxy_buffer_size 256k;
|
||||
proxy_read_timeout 300s;
|
||||
proxy_connect_timeout 75s;
|
||||
|
||||
proxy_set_header X-Forwarded-Host ${DOLLAR}host;
|
||||
proxy_set_header X-Forwarded-Server ${DOLLAR}host;
|
||||
proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; # To forward the original client's IP address
|
||||
proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; # to forward the original protocol (HTTP or HTTPS)
|
||||
proxy_set_header Host ${DOLLAR}host; # to forward the original host requested by the client
|
||||
proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
|
||||
|
||||
location / {
|
||||
proxy_pass http://keycloak:8080;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
|
||||
CREATE DATABASE keycloak;
|
||||
CREATE USER ${KC_DB_USERNAME} WITH PASSWORD '${KC_DB_PASSWORD}';
|
||||
GRANT ALL PRIVILEGES ON DATABASE keycloak TO ${KC_DB_USERNAME};
|
||||
EOSQL
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
Boost Software License - Version 1.0 - August 17th, 2003
|
||||
|
||||
Permission is hereby granted, free of charge, to any person or organization obtaining a copy of the software and accompanying documentation covered by this license (the "Software") to use, reproduce, display, distribute, execute, and transmit the Software, and to prepare derivative works of the Software, and to permit third-parties to whom the Software is furnished to do so, all subject to the following:
|
||||
|
||||
The copyright notices in the Software and this entire statement, including the above license grant, this restriction and the following disclaimer, must be included in all copies of the Software, in whole or in part, and all derivative works of the Software, unless such copies or derivative works are solely in the form of machine-executable object code generated by a source language processor.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
|
@ -0,0 +1,53 @@
|
|||
# Yonote Helm Chart
|
||||
|
||||
## Обзор
|
||||
|
||||
Этот Helm chart позволяет развернуть **Yonote** в Kubernetes. Он предоставляет быстрый и простой способ установки, настройки и управления приложением с помощью Helm.
|
||||
|
||||
В нашем проекте используются два подхода для управления сервисами с помощью Helm chart'ов: "mono" и "service". В варианте "mono" все сервисы запускаются в одном pod'е, что позволяет снизить использование ресурсов. В подходе "service" каждый сервис запускается в отдельном pod'е, что улучшает отказоустойчивость и стабильность системы, но требует больше ресурсов.
|
||||
|
||||
## Требования
|
||||
|
||||
- Kubernetes cluster
|
||||
- Helm
|
||||
- Ingress Controller (nginx/traefik)
|
||||
|
||||
## Установка
|
||||
|
||||
### 1. Добавление репозиториев Helm
|
||||
|
||||
Перед установкой зависимостей необходимо добавить репозитории, из которых будут загружаться чарты:
|
||||
|
||||
```bash
|
||||
helm repo add dysnix https://dysnix.github.io/charts
|
||||
helm repo add bitnami https://charts.bitnami.com/bitnami
|
||||
helm repo update
|
||||
```
|
||||
|
||||
### 2. Выполните сборку зависимостей Helm chart
|
||||
|
||||
```bash
|
||||
helm dependency build
|
||||
```
|
||||
|
||||
### 3. Настройка значений
|
||||
|
||||
Перед развертыванием приложения через Helm необходимо внести валидные значения в файлы values.yaml и secret-values.yaml. Эти файлы содержат параметры конфигурации, которые будут использованы при установке приложения.
|
||||
|
||||
Настройте необходимые параметры. В файлах values.yaml и secret-values.yaml вы найдете различные секции, каждая из которых соответствует определенной части конфигурации приложения. Внимательно изучите комментарии в этих файлах; они указывают на места, где необходимо внести изменения. Обратите особое внимание на секцию ingress, так как её настройка важна для правильной работы приложения. Вам потребуется заменить или настроить значения в этой секции в соответствии с вашими требованиями.
|
||||
Также обратите внимание на все строки с доменом example.com — его необходимо заменить на ваше собственное доменное имя, которое будет использоваться для работы приложения. Учтите, что путь в переменных и в конфигурации Ingress менять не нужно, заменяйте только сам домен.
|
||||
|
||||
Более подробно ознакомиться с переменными вы можете по следующей ссылке: https://yo.yonote.ru/share/onprem/doc/peremennye-okruzheniya-mOI8Jl6B05
|
||||
|
||||
### 4. Запуск приложения
|
||||
|
||||
После настройки значений выполните команду:
|
||||
|
||||
```bash
|
||||
helm install app -f values.yaml -f secret-values.yaml -n yonote-onprem .
|
||||
```
|
||||
После выполнения команды начнётся установка приложения и всех дополнительных сервисов к нему. Остаётся только подождать, пока все сервисы запустятся.
|
||||
|
||||
### Обратная связь
|
||||
|
||||
Если у вас есть вопросы или вам нужна помощь, пишите на email: hello@yonote.ru
|
||||
|
|
@ -1,147 +0,0 @@
|
|||
########## Обязательные переменные ##########
|
||||
|
||||
# Система Yonote поставляется с несколькими дополнительными сервисами:
|
||||
# - PostgreSQL - основная БД для хранения данных
|
||||
# - Keycloak - сервер авторизации
|
||||
# - Minio - S3 файловое хранилище
|
||||
# - Redis - key-value хранилище
|
||||
# - Nginx - используется как reverse-proxy для всех сервисов
|
||||
#
|
||||
# Мы рекомендуем для каждого сервиса (кроме nginx) создать поддомены:
|
||||
# Если мы хотим, чтобы Yonote был доступен по адресу domain.ru -> 80.11.121.12 (пример),
|
||||
# то необходимо также создать следующие DNS записи для корректной работы системы:
|
||||
# - domain.ru -> 80.11.121.12
|
||||
# - auth.domain.ru -> domain.ru
|
||||
# - s3.domain.ru -> domain.ru
|
||||
#
|
||||
# Если вы запускаете сервис с HTTPS,
|
||||
# необходимо соответсвенно поменять на https:// и wss://
|
||||
|
||||
### Keycloak
|
||||
AUTH_VERSION=latest
|
||||
|
||||
# Адрес сервера авторизации (с http/https)
|
||||
KC_YNT_HOST=auth.demoqtech.ru
|
||||
KC_YNT_HOST_PROTOCOL=https://
|
||||
KC_YNT_EXTERNAL_PORT=9443 # Внешний порт обращения по адресу
|
||||
KC_YNT_URL=${KC_YNT_HOST_PROTOCOL}${KC_YNT_HOST}:${KC_YNT_EXTERNAL_PORT} # Адрес для клиентской стороны
|
||||
KC_YNT_INTERNAL_URL=${KC_YNT_HOST_PROTOCOL}${KC_YNT_HOST} # Адрес для серверной стороны
|
||||
|
||||
# Подключение к базе данных (база создается автоматически)
|
||||
KC_DB=keycloak
|
||||
KC_DB_USERNAME=keycloak
|
||||
KC_DB_PASSWORD=
|
||||
|
||||
# Настройка клиента авторизации (ключ от OIDC провайдера)
|
||||
KC_CLIENT_SECRET=
|
||||
|
||||
# Адрес сервера S3/Minio (с http/https)
|
||||
MINIO_YNT_HOST=s3.demoqtech.ru
|
||||
MINIO_ADMIN_YNT_HOST=s3-admin.demoqtech.ru
|
||||
MINIO_YNT_EXTERNAL_PORT=9443
|
||||
MINIO_YNT_HOST_PROTOCOL=https://
|
||||
MINIO_YNT_URL=${MINIO_YNT_HOST_PROTOCOL}${MINIO_YNT_HOST}:${MINIO_YNT_EXTERNAL_PORT}
|
||||
MINIO_ADMIN_YNT_URL=${MINIO_YNT_HOST_PROTOCOL}${MINIO_ADMIN_YNT_HOST}:${MINIO_YNT_EXTERNAL_PORT}
|
||||
# Логин и пароль для администратора S3 (пользователь создается автоматически)
|
||||
MINIO_ADMIN_USERNAME=admin
|
||||
MINIO_ADMIN_PASSWORD=
|
||||
|
||||
# Адрес для Yonote (укажите домен или адрес сервера)
|
||||
BASENAME_FOR_SUBDOMAIN=demoqtech.ru:9443
|
||||
YNT_HTTP_PROTOCOL=https://
|
||||
YNT_WEBSOCKET_PROTOCOL=wss://
|
||||
# YNT_INTERNAL_URL=app.kb.demoqtech.ru
|
||||
|
||||
### OAuth/OIDC (Keycloak) - сервер авторизации
|
||||
KC_USERNAME=admin
|
||||
KC_PASSWORD=
|
||||
|
||||
### S3 совместимое хранилище (Minio)
|
||||
MINIO_ACCESS_KEY_ID=yonote
|
||||
MINIO_SECRET_ACCESS_KEY=
|
||||
|
||||
### Yonote
|
||||
APP_VERSION=latest
|
||||
|
||||
# Данные для подключения к БД (БД и пользователь будут созданны автоматически)
|
||||
YNT_DB_NAME=yonote
|
||||
YNT_DB_USER=postgres
|
||||
YNT_DB_PASSWORD=
|
||||
|
||||
# Максимальный размер одно файла для загрузки в хранилище (в байтах)
|
||||
AWS_S3_UPLOAD_MAX_SIZE=226214400
|
||||
|
||||
# Ключ шыфрования (32 байта). Рекомендуем использовать команду ниже для генерации ключа:
|
||||
# `openssl rand -hex 32`
|
||||
# храните данный ключ в надежном месте
|
||||
SECRET_KEY=
|
||||
|
||||
# Уникальный random ключ. Используется для различных крипто-функций,
|
||||
# рекомендуем так же использовать команду ниже для генерации ключа:
|
||||
# `openssl rand -hex 32`
|
||||
UTILS_SECRET=
|
||||
|
||||
# SMTP сервер
|
||||
SMTP_HOST=
|
||||
SMTP_PORT=
|
||||
SMTP_USERNAME=
|
||||
SMTP_PASSWORD=
|
||||
SMTP_FROM_EMAIL=
|
||||
SMTP_REPLY_EMAIL=
|
||||
SMTP_TLS_CIPHERS=
|
||||
SMTP_SECURE=
|
||||
|
||||
# Лицензионный ключ
|
||||
# Для получения, обратитесь в отдел продаж hello@yonote.ru
|
||||
LICENSE_KEY=
|
||||
|
||||
############ OPTIONAL ################
|
||||
|
||||
# Производить редирект на HTTPS если запрос пришел на HTTP
|
||||
FORCE_HTTPS=false
|
||||
|
||||
# Отслеживать появление новых версий
|
||||
ENABLE_UPDATES=false
|
||||
|
||||
# Как много подпроцессов множно запускать.
|
||||
# Самый простой вариант подсчета: разделить доступный объем памяти сервера на 512Мб
|
||||
WEB_CONCURRENCY=1
|
||||
|
||||
# Максимальный размер файла импорта (Для импорта из Notion, Confluence и тд)
|
||||
MAXIMUM_IMPORT_SIZE=5120000
|
||||
|
||||
# Логировать HTTP запросы.
|
||||
# DEBUG=http
|
||||
|
||||
# Список почтовых доменов с которых разрешена регистрация. Домены разделяются запятыми.
|
||||
# По умолчанию разрешены любые домены
|
||||
# ALLOWED_DOMAINS=
|
||||
|
||||
# Отправка отчетов об ошибках разработчикам.
|
||||
# Закомментируйте, если не хотите делиться отчетами об ошибках
|
||||
SENTRY_DSN=https://5bdaaba1cf8043ba9cc43933b65f3b46@sentry.wilix.dev/7
|
||||
|
||||
# Логотип команды, который будет отображаться при входе в систему.
|
||||
# Будет уменьшен до height: 60px
|
||||
# TEAM_LOGO=https://example.com/images/logo.png
|
||||
|
||||
# Язык по умолчанию
|
||||
DEFAULT_LANGUAGE=ru_RU
|
||||
|
||||
# Ключи для отправки WEB Push уведомлений
|
||||
# Инструкция по получению ключей https://yo.yonote.ru/share/onprem/doc/ustanovka-i-nastrojka-KbTxPbAUoo#h-generaciya-klyuchej-web-push-service-worker
|
||||
SERVICE_WORKER_PUBLIC_KEY=
|
||||
SERVICE_WORKER_PRIVATE_KEY=
|
||||
|
||||
# Интеграция с Telegram. Если TELEGRAM_BOT_TOKEN не указан, то интеграция отключена
|
||||
# Инструкция по настройке https://yo.yonote.ru/share/onprem/doc/integraciya-s-telegram-9d2l0erXGN
|
||||
# TELEGRAM_BOT_TOKEN=
|
||||
# TELEGRAM_BOT_URL=
|
||||
|
||||
# Интеграция с Loop https://loop.ru/. Если LOOP_KEY не указан, то интеграция отключена
|
||||
# LOOP_KEY=
|
||||
# LOOP_SECRET=
|
||||
# LOOP_VERIFICATION_TOKEN=
|
||||
# LOOP_MESSAGE_ACTIONS=true
|
||||
|
||||
OPENAI_API_KEY=123
|
||||
|
|
@ -1,176 +0,0 @@
|
|||
services:
|
||||
yonote:
|
||||
container_name: yonote
|
||||
image: images.updates.yonote.ru/yonote:${APP_VERSION}
|
||||
env_file:
|
||||
- .env
|
||||
ports:
|
||||
- "3000"
|
||||
depends_on:
|
||||
- postgres
|
||||
- redis
|
||||
- keycloak
|
||||
- s3
|
||||
command: yarn start:selfhosted
|
||||
environment:
|
||||
BIND_HOST: 0.0.0.0
|
||||
PORT: 3000
|
||||
URL: ${YNT_HTTP_PROTOCOL}app.${BASENAME_FOR_SUBDOMAIN}
|
||||
COLLABORATION_URL: ${YNT_WEBSOCKET_PROTOCOL}app.${BASENAME_FOR_SUBDOMAIN}
|
||||
DATABASE_URL: postgres://${YNT_DB_USER}:${YNT_DB_PASSWORD}@postgres:5432/${YNT_DB_NAME}
|
||||
OIDC_CLIENT_ID: yonote
|
||||
OIDC_CLIENT_SECRET: ${KC_CLIENT_SECRET}
|
||||
OIDC_AUTH_URI: ${KC_YNT_URL}/realms/yonote/protocol/openid-connect/auth
|
||||
OIDC_TOKEN_URI: ${KC_YNT_INTERNAL_URL}/realms/yonote/protocol/openid-connect/token
|
||||
OIDC_USERINFO_URI: ${KC_YNT_INTERNAL_URL}/realms/yonote/protocol/openid-connect/userinfo
|
||||
OIDC_LOGOUT_URI: ${KC_YNT_URL}/realms/yonote/protocol/openid-connect/logout
|
||||
AWS_S3_UPLOAD_BUCKET_URL: ${MINIO_YNT_URL}
|
||||
AWS_ACCESS_KEY_ID: ${MINIO_ACCESS_KEY_ID}
|
||||
AWS_SECRET_ACCESS_KEY: ${MINIO_SECRET_ACCESS_KEY}
|
||||
AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket
|
||||
AWS_REGION: xx-xxxx-x
|
||||
TELEGRAM_API_URL: https://api.telegram.org
|
||||
OIDC_DISPLAY_NAME: email
|
||||
OIDC_SCOPES: openid email
|
||||
REDIS_URL: redis://redis:6379
|
||||
PGSSLMODE: disable
|
||||
USE_LEGACY_LOGOUT: true
|
||||
AWS_S3_FORCE_PATH_STYLE: true
|
||||
AWS_S3_ACL: private
|
||||
NODE_TLS_REJECT_UNAUTHORIZED: 0
|
||||
SUBDOMAINS_ENABLED: true
|
||||
volumes:
|
||||
- ./License.key:/opt/yonote/License.key
|
||||
networks:
|
||||
- yonote-network
|
||||
external_links:
|
||||
- "nginx:${KC_YNT_HOST}"
|
||||
|
||||
redis:
|
||||
container_name: redis
|
||||
image: redis:7-alpine
|
||||
restart: unless-stopped
|
||||
user: "redis:redis"
|
||||
networks:
|
||||
- yonote-network
|
||||
|
||||
postgres:
|
||||
container_name: postgres
|
||||
image: postgres:14
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
POSTGRES_DB: ${YNT_DB_NAME}
|
||||
POSTGRES_USER: ${YNT_DB_USER}
|
||||
POSTGRES_PASSWORD: ${YNT_DB_PASSWORD}
|
||||
KC_DB_USERNAME: ${KC_DB_USERNAME}
|
||||
KC_DB_PASSWORD: ${KC_DB_PASSWORD}
|
||||
user: "postgres:postgres"
|
||||
volumes:
|
||||
- ./db-data:/var/lib/postgresql/data
|
||||
- ./postgres/init-keycloak-db.sh:/docker-entrypoint-initdb.d/init-keycloak-db.sh
|
||||
networks:
|
||||
- yonote-network
|
||||
|
||||
s3:
|
||||
container_name: minio
|
||||
image: minio/minio:RELEASE.2022-08-26T19-53-15Z
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
MINIO_ROOT_USER: ${MINIO_ADMIN_USERNAME}
|
||||
MINIO_ROOT_PASSWORD: ${MINIO_ADMIN_PASSWORD}
|
||||
MINIO_BROWSER_REDIRECT_URL: ${MINIO_ADMIN_YNT_URL}
|
||||
command: server --address :9000 --console-address :9001 /data
|
||||
ports:
|
||||
- "9000"
|
||||
- "9001"
|
||||
volumes:
|
||||
- ./s3-data:/data
|
||||
# - minio:/data
|
||||
networks:
|
||||
- yonote-network
|
||||
|
||||
s3-client:
|
||||
container_name: minio-client
|
||||
image: minio/mc:RELEASE.2022-08-28T20-08-11Z
|
||||
volumes:
|
||||
- ./minio:/tmp/policies
|
||||
environment:
|
||||
MINIO_ACCESS_KEY_ID: ${MINIO_ACCESS_KEY_ID}
|
||||
MINIO_SECRET_ACCESS_KEY: ${MINIO_SECRET_ACCESS_KEY}
|
||||
MINIO_ADMIN_USERNAME: ${MINIO_ADMIN_USERNAME}
|
||||
MINIO_ADMIN_PASSWORD: ${MINIO_ADMIN_PASSWORD}
|
||||
entrypoint: >
|
||||
/bin/sh -c "
|
||||
/usr/bin/mc config host add myminio http://minio:9000 ${MINIO_ADMIN_USERNAME} ${MINIO_ADMIN_PASSWORD};
|
||||
/usr/bin/mc mb myminio/yonote-bucket;
|
||||
/usr/bin/mc policy set-json /tmp/policies/minio-bucket-policy.json myminio/yonote-bucket;
|
||||
/usr/bin/mc admin user add myminio ${MINIO_ACCESS_KEY_ID} ${MINIO_SECRET_ACCESS_KEY};
|
||||
/usr/bin/mc admin policy add myminio yonote-policy /tmp/policies/minio-user-policy.json;
|
||||
/usr/bin/mc admin policy set myminio yonote-policy user=${MINIO_ACCESS_KEY_ID};
|
||||
exit 0;
|
||||
"
|
||||
networks:
|
||||
- yonote-network
|
||||
depends_on:
|
||||
- nginx
|
||||
|
||||
keycloak:
|
||||
container_name: keycloak
|
||||
image: images.updates.yonote.ru/yonote-keycloak:${AUTH_VERSION}
|
||||
ports:
|
||||
- "8080"
|
||||
environment:
|
||||
KC_HOSTNAME: ${KC_YNT_HOST}
|
||||
KC_HOSTNAME_PORT: ${KC_YNT_EXTERNAL_PORT}
|
||||
OIDC_CLIENT_SECRET: ${KC_CLIENT_SECRET}
|
||||
YNT_HTTP_PROTOCOL: ${YNT_HTTP_PROTOCOL}
|
||||
BASENAME_FOR_SUBDOMAIN: app.${BASENAME_FOR_SUBDOMAIN}
|
||||
KEYCLOAK_ADMIN: ${KC_USERNAME}
|
||||
KEYCLOAK_ADMIN_PASSWORD: ${KC_PASSWORD}
|
||||
KC_DB: postgres
|
||||
KC_DB_URL: jdbc:postgresql://postgres:5432/keycloak
|
||||
KC_DB_USERNAME: ${KC_DB_USERNAME}
|
||||
KC_DB_PASSWORD: ${KC_DB_PASSWORD}
|
||||
KC_PROXY_ADDRESS_FORWARDING: true
|
||||
PROXY_ADDRESS_FORWARDING: true
|
||||
KC_PROXY: edge
|
||||
KC_HOSTNAME_STRICT: false
|
||||
command: start --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --import-realm
|
||||
networks:
|
||||
- yonote-network
|
||||
depends_on:
|
||||
- postgres
|
||||
|
||||
nginx:
|
||||
container_name: nginx
|
||||
image: nginx
|
||||
ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
environment:
|
||||
BASENAME_FOR_SUBDOMAIN: ${BASENAME_FOR_SUBDOMAIN}
|
||||
MINIO_YNT_HOST: ${MINIO_YNT_HOST}
|
||||
MINIO_ADMIN_YNT_HOST: ${MINIO_ADMIN_YNT_HOST}
|
||||
KC_YNT_HOST: ${KC_YNT_HOST}
|
||||
DOLLAR: "$"
|
||||
volumes:
|
||||
- ./nginx/default.conf.tmpl:/etc/nginx/conf.d/default.conf.tmpl
|
||||
- ./nginx/server.crt.pem:/etc/nginx/ssl/server.crt.pem
|
||||
- ./nginx/server.key.pem:/etc/nginx/ssl/server.key.pem
|
||||
networks:
|
||||
yonote-network:
|
||||
depends_on:
|
||||
- postgres
|
||||
- redis
|
||||
- keycloak
|
||||
- s3
|
||||
- yonote
|
||||
command: /bin/bash -c "envsubst < /etc/nginx/conf.d/default.conf.tmpl > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"
|
||||
|
||||
networks:
|
||||
yonote-network:
|
||||
name: yonote-internal-network
|
||||
|
||||
volumes:
|
||||
db:
|
||||
minio:
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Principal": {
|
||||
"AWS": [
|
||||
"*"
|
||||
]
|
||||
},
|
||||
"Action": [
|
||||
"s3:GetBucketLocation"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:s3:::yonote-bucket"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Principal": {
|
||||
"AWS": [
|
||||
"*"
|
||||
]
|
||||
},
|
||||
"Action": [
|
||||
"s3:GetObject"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:s3:::yonote-bucket/*"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -1,17 +0,0 @@
|
|||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Sid": "VisualEditor",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"s3:DeleteObject",
|
||||
"s3:GetObject",
|
||||
"s3:PutObject"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:s3:::yonote-bucket/*"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
@ -1,169 +0,0 @@
|
|||
server {
|
||||
server_name ${BASENAME_FOR_SUBDOMAIN} ${MINIO_YNT_HOST} ${MINIO_ADMIN_YNT_HOST} ${KC_YNT_HOST};
|
||||
listen 80;
|
||||
return 301 https://${DOLLAR}host${DOLLAR}request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
server_name ${BASENAME_FOR_SUBDOMAIN};
|
||||
listen 443 ssl;
|
||||
|
||||
ssl_certificate /etc/nginx/ssl/server.crt.pem;
|
||||
ssl_certificate_key /etc/nginx/ssl/server.key.pem;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_busy_buffers_size 512k;
|
||||
proxy_buffers 4 512k;
|
||||
proxy_buffer_size 256k;
|
||||
proxy_connect_timeout 75s;
|
||||
|
||||
location / {
|
||||
proxy_pass http://yonote:3000;
|
||||
proxy_set_header Host ${DOLLAR}host;
|
||||
proxy_set_header Connection '';
|
||||
chunked_transfer_encoding off;
|
||||
proxy_cache off;
|
||||
}
|
||||
|
||||
location ^~/realtime {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade ${DOLLAR}http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host ${DOLLAR}host;
|
||||
proxy_pass http://yonote:3000;
|
||||
}
|
||||
location ^~/collaboration {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade ${DOLLAR}http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host ${DOLLAR}host;
|
||||
proxy_pass http://yonote:3000;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_name ${MINIO_YNT_HOST};
|
||||
|
||||
ssl_certificate /etc/nginx/ssl/server.crt.pem;
|
||||
ssl_certificate_key /etc/nginx/ssl/server.key.pem;
|
||||
|
||||
# To allow special characters in headers
|
||||
ignore_invalid_headers off;
|
||||
# Allow any size file to be uploaded.
|
||||
# Set to a value such as 1000m; to restrict file size to a specific value
|
||||
client_max_body_size 0;
|
||||
# To disable buffering
|
||||
proxy_buffering off;
|
||||
|
||||
# Use Docker DNS
|
||||
# You might not need this section but in case you need to resolve
|
||||
# docker service names inside the container then this can be useful.
|
||||
# resolver 127.0.0.11 valid=10s;
|
||||
# resolver_timeout 5s;
|
||||
|
||||
# Apparently the following line might prevent caching of DNS lookups
|
||||
# and force nginx to resolve the name on each request via the internal
|
||||
# Docker DNS.
|
||||
# set ${DOLLAR}upstream "s3";
|
||||
|
||||
# Proxy requests to the Minio API on port 9000
|
||||
location / {
|
||||
proxy_pass http://s3:9000;
|
||||
|
||||
proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
|
||||
proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
|
||||
proxy_set_header Host ${DOLLAR}http_host;
|
||||
|
||||
proxy_connect_timeout 300;
|
||||
|
||||
# To support websocket
|
||||
# Default is HTTP/1, keepalive is only enabled in HTTP/1.1
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade ${DOLLAR}http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
chunked_transfer_encoding off;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_name ${MINIO_ADMIN_YNT_HOST};
|
||||
|
||||
ssl_certificate /etc/nginx/ssl/server.crt.pem;
|
||||
ssl_certificate_key /etc/nginx/ssl/server.key.pem;
|
||||
|
||||
# To allow special characters in headers
|
||||
ignore_invalid_headers off;
|
||||
# Allow any size file to be uploaded.
|
||||
# Set to a value such as 1000m; to restrict file size to a specific value
|
||||
client_max_body_size 0;
|
||||
# To disable buffering
|
||||
proxy_buffering off;
|
||||
|
||||
# Use Docker DNS
|
||||
# You might not need this section but in case you need to resolve
|
||||
# docker service names inside the container then this can be useful.
|
||||
# resolver 127.0.0.11 valid=10s;
|
||||
# resolver_timeout 5s;
|
||||
|
||||
# Apparently the following line might prevent caching of DNS lookups
|
||||
# and force nginx to resolve the name on each request via the internal
|
||||
# Docker DNS.
|
||||
# set ${DOLLAR}upstream "s3";
|
||||
|
||||
# Minio Console (UI)
|
||||
location / {
|
||||
# This was really the key for me. Even though the Nginx docs say
|
||||
# that with a URI part in the `proxy_pass` directive, the `/console/`
|
||||
# URI should automatically be rewritten, this wasn't working for me.
|
||||
# rewrite ^/console/(.*)${DOLLAR} /${DOLLAR}1 break;
|
||||
|
||||
proxy_pass http://s3:9001;
|
||||
|
||||
proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
|
||||
proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
|
||||
proxy_set_header Host ${DOLLAR}http_host;
|
||||
|
||||
proxy_connect_timeout 300;
|
||||
proxy_set_header Connection "";
|
||||
chunked_transfer_encoding off;
|
||||
|
||||
# To support websocket
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade ${DOLLAR}http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Origin '';
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
server_name ${KC_YNT_HOST};
|
||||
listen 443 ssl;
|
||||
|
||||
ssl_certificate /etc/nginx/ssl/server.crt.pem;
|
||||
ssl_certificate_key /etc/nginx/ssl/server.key.pem;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_busy_buffers_size 512k;
|
||||
proxy_buffers 4 512k;
|
||||
proxy_buffer_size 256k;
|
||||
proxy_read_timeout 300s;
|
||||
proxy_connect_timeout 75s;
|
||||
|
||||
proxy_set_header Host ${DOLLAR}host; # to forward the original host requested by the client
|
||||
proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
|
||||
proxy_set_header X-Forwarded-Host ${DOLLAR}host;
|
||||
proxy_set_header X-Forwarded-Port 9443;
|
||||
proxy_set_header X-Forwarded-Server ${DOLLAR}host;
|
||||
proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; # To forward the original client's IP address
|
||||
proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; # to forward the original protocol (HTTP or HTTPS)
|
||||
|
||||
location / {
|
||||
proxy_pass http://keycloak:8080;
|
||||
}
|
||||
}
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
|
||||
CREATE DATABASE keycloak;
|
||||
CREATE USER ${KC_DB_USERNAME} WITH PASSWORD '${KC_DB_PASSWORD}';
|
||||
GRANT ALL PRIVILEGES ON DATABASE keycloak TO ${KC_DB_USERNAME};
|
||||
EOSQL
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
dependencies:
|
||||
- name: app
|
||||
repository: https://dysnix.github.io/charts
|
||||
version: 0.3.15
|
||||
- name: postgresql
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
version: 11.6.6
|
||||
- name: redis
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
version: 16.12.1
|
||||
- name: minio
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
version: 12.7.0
|
||||
- name: keycloak
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
version: 14.0.0
|
||||
digest: sha256:b12099844193a7a06a5d15b80774592b1cf73af191b654154a9c7a6e8d51a2e0
|
||||
generated: "2024-08-25T04:02:50.20628049+03:00"
|
||||
|
|
@ -0,0 +1,40 @@
|
|||
apiVersion: v2
|
||||
name: yonote-chart
|
||||
version: 1.2.0
|
||||
description:
|
||||
Generic application Helm chart.
|
||||
This chart includes multiple dependencies. The base of this chart is derived from the Dynix app chart.
|
||||
maintainers:
|
||||
- name: Dysnix
|
||||
email: support@dysnix.com
|
||||
url: https://github.com/dysnix/charts/tree/main/dysnix/app
|
||||
|
||||
dependencies:
|
||||
- name: app
|
||||
version: "0.3.15"
|
||||
repository: https://dysnix.github.io/charts
|
||||
alias: yonote-web
|
||||
|
||||
- name: postgresql
|
||||
version: "11.6.6"
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
condition: yonoteDatabase.enabled
|
||||
alias: yonoteDatabase
|
||||
|
||||
- name: redis
|
||||
version: "16.12.1"
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
condition: yonote-redis.enabled
|
||||
alias: yonote-redis
|
||||
|
||||
- name: minio
|
||||
version: "12.7.0"
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
condition: minio.enabled
|
||||
alias: minio
|
||||
|
||||
- name: keycloak
|
||||
version: "14.0.0"
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
condition: keycloak.enabled
|
||||
alias: keycloak
|
||||
|
|
@ -0,0 +1,45 @@
|
|||
global:
|
||||
yonote:
|
||||
config:
|
||||
secret:
|
||||
stringData:
|
||||
DATABASE_URL: 'postgres://{{ .Values.yonoteDatabase.global.postgresql.auth.username }}:{{ .Values.yonoteDatabase.global.postgresql.auth.password }}@yonote-database:5432/{{ .Values.yonoteDatabase.global.postgresql.auth.database }}'
|
||||
POSTGRES_PASSWORD: "{{ .Values.yonoteDatabase.global.postgresql.auth.password }}"
|
||||
AWS_ACCESS_KEY_ID: "{{ .Values.minio.auth.rootUser }}" # Ваш идентификатор ключа доступа к AWS. Поведение в SelfHosted: устанавливает логин сервис аккаунта для доступа приложения к Minio S3 хранилищу
|
||||
AWS_SECRET_ACCESS_KEY: "{{ .Values.minio.auth.rootPassword }}" # Ваш секретный ключ доступа AWS. Поведение в SelfHosted: устанавливает пароль сервис аккаунта для доступа приложения к Minio S3 хранилищу
|
||||
OIDC_CLIENT_SECRET: "Kdq8rk5Pv5RW1c5kHXpnyfrmMRzI9xSD" # Секретный ключ клиента для аутентификации по OpenID Connect (OIDC).
|
||||
SECRET_KEY: "659a8881b186198c3146e316f6dab67df25496534d1fa156d624b037260df688" # Сгенерируйте 32-байтовый случайный ключ в шестнадцатеричном коде. Вам следует использовать `openssl rand -hex 32` в вашем терминале для генерации случайного значения.
|
||||
SMTP_PASSWORD: "1234"
|
||||
UTILS_SECRET: "7bd5e9ac4415dd0dbf6b7721e2a21e9427b268cd0140c7516d13dece5024d479" # Сгенерируйте уникальный случайный ключ. Формат не важен, но вы все равно можете использовать`openssl rand -hex 32` в вашем терминале, чтобы создать это.
|
||||
TELEGRAM_BOT_TOKEN: "1234"
|
||||
UNSPLASH_API_ACCESS_KEY: "a-yGo6HpRP6jNfravx4Bz-oiPrRnH_5-24Xa9ZPlePE"
|
||||
LICENSE_KEY: "qwerty-123456-zxcvb" # Обратитесь в отдел продаж для получения
|
||||
SERVICE_WORKER_PUBLIC_KEY: "1234"
|
||||
SERVICE_WORKER_PRIVATE_KEY: "1234"
|
||||
# Генерация ключей (web-push) Service Worker
|
||||
# 1) Установить Node.js и npm
|
||||
# 2) Выполнить команду для генерации ключей
|
||||
# npx web-push generate-vapid-keys
|
||||
# 3) Полученные значения ввести в .env файл (SERVICE_WORKER_PUBLIC_KEY, SERVICE_WORKER_PRIVATE_KEY)
|
||||
|
||||
yonoteDatabase:
|
||||
global:
|
||||
postgresql:
|
||||
auth:
|
||||
password: "wsGZ6kXhr5"
|
||||
postgresPassword: "QQYw4UjOU"
|
||||
|
||||
# yonote-redis: # Если используете пароль для redis
|
||||
# auth:
|
||||
# password: "12345678"
|
||||
|
||||
minio:
|
||||
auth:
|
||||
rootPassword: "12345678"
|
||||
|
||||
keycloak:
|
||||
auth:
|
||||
adminPassword: "root"
|
||||
postgresql:
|
||||
auth:
|
||||
password: "tT9BqYdNyd"
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: yonote-configs
|
||||
labels:
|
||||
{{- include "common.labels.standard" $ | nindent 4 }}
|
||||
{{- with .Values.global.yonote.config.plain.data }}
|
||||
data:
|
||||
{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 2 }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,69 @@
|
|||
{{- if eq ($.Values.global.yonote_cron_calendar_events.cron_enabled | toString) "true" }}
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: cron-calendar-events
|
||||
spec:
|
||||
schedule: "*/1 * * * *"
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: cron-calendar-events
|
||||
image: curlimages/curl
|
||||
imagePullPolicy: IfNotPresent
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: yonote-secrets
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- >-
|
||||
date;
|
||||
curl
|
||||
-X POST
|
||||
{{ .Values.global.yonote_cron_calendar_events.url }}
|
||||
-H "Content-Type: application/json"
|
||||
-d '
|
||||
{
|
||||
"token": "$(UTILS_SECRET)"
|
||||
}
|
||||
'
|
||||
restartPolicy: OnFailure
|
||||
{{- end }}
|
||||
---
|
||||
{{- if eq ($.Values.global.yonote_cron_task_scheduler.cron_enabled | toString) "true" }}
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: cron-task-scheduler
|
||||
spec:
|
||||
schedule: "0 */1 * * *"
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: cron-task-scheduler
|
||||
image: curlimages/curl
|
||||
imagePullPolicy: IfNotPresent
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: yonote-secrets
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- >-
|
||||
date;
|
||||
curl
|
||||
-X POST
|
||||
{{ .Values.global.yonote_cron_task_scheduler.url }}
|
||||
-H "Content-Type: application/json"
|
||||
-d '
|
||||
{
|
||||
"token":"$(UTILS_SECRET)", "limit":"200"
|
||||
}
|
||||
'
|
||||
restartPolicy: OnFailure
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
{{- if .Values.ingress.enabled }}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: {{ .Values.ingress.name }}
|
||||
namespace: {{ .Values.ingress.namespace }}
|
||||
annotations:
|
||||
{{- range $key, $value := .Values.ingress.annotations }}
|
||||
{{ $key }}: "{{ $value }}"
|
||||
{{- end }}
|
||||
spec:
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName }}
|
||||
tls:
|
||||
- secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
hosts:
|
||||
{{- range .Values.ingress.tls.hosts }}
|
||||
- "{{ . }}"
|
||||
{{- end }}
|
||||
rules:
|
||||
{{- range .Values.ingress.rules }}
|
||||
- host: "{{ .host }}"
|
||||
http:
|
||||
paths:
|
||||
{{- range .paths }}
|
||||
- path: {{ .path }}
|
||||
pathType: {{ .pathType }}
|
||||
backend:
|
||||
service:
|
||||
name: {{ .service.name }}
|
||||
port:
|
||||
number: {{ .service.port | int }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,39 @@
|
|||
{{- if .Values.mcJob.enabled }}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: yonote-minio-mc-job
|
||||
labels:
|
||||
app: yonote-minio
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: yonote-minio
|
||||
spec:
|
||||
containers:
|
||||
- name: mc-client
|
||||
image: "docker.io/bitnami/minio-client:2024.8.13-debian-12-r0"
|
||||
command: ["/bin/sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
until mc alias set myminio http://yonote-minio:9000 {{ .Values.minio.auth.rootUser }} {{ .Values.minio.auth.rootPassword }}; do
|
||||
echo "Waiting for MinIO to be ready..."
|
||||
sleep 5
|
||||
done
|
||||
if ! mc ls myminio/yonote-bucket; then
|
||||
mc mb myminio/yonote-bucket
|
||||
else
|
||||
echo "Bucket yonote-bucket already exists."
|
||||
fi
|
||||
resources:
|
||||
requests:
|
||||
memory: "128Mi"
|
||||
cpu: "100m"
|
||||
limits:
|
||||
memory: "256Mi"
|
||||
cpu: "200m"
|
||||
restartPolicy: OnFailure
|
||||
backoffLimit: 5
|
||||
ttlSecondsAfterFinished: 100
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,169 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: realm-export
|
||||
data:
|
||||
realm-export.json: |
|
||||
{
|
||||
"realm": "yonote",
|
||||
"enabled": true,
|
||||
"notBefore": 1647809856,
|
||||
"defaultSignatureAlgorithm": "RS256",
|
||||
"revokeRefreshToken": false,
|
||||
"refreshTokenMaxReuse": 0,
|
||||
"accessTokenLifespan": 300,
|
||||
"accessTokenLifespanForImplicitFlow": 900,
|
||||
"ssoSessionIdleTimeout": 1800,
|
||||
"ssoSessionMaxLifespan": 36000,
|
||||
"ssoSessionIdleTimeoutRememberMe": 0,
|
||||
"ssoSessionMaxLifespanRememberMe": 0,
|
||||
"offlineSessionIdleTimeout": 2592000,
|
||||
"offlineSessionMaxLifespanEnabled": false,
|
||||
"offlineSessionMaxLifespan": 5184000,
|
||||
"clientSessionIdleTimeout": 0,
|
||||
"clientSessionMaxLifespan": 0,
|
||||
"clientOfflineSessionIdleTimeout": 0,
|
||||
"clientOfflineSessionMaxLifespan": 0,
|
||||
"accessCodeLifespan": 60,
|
||||
"accessCodeLifespanUserAction": 300,
|
||||
"accessCodeLifespanLogin": 1800,
|
||||
"actionTokenGeneratedByAdminLifespan": 43200,
|
||||
"actionTokenGeneratedByUserLifespan": 300,
|
||||
"oauth2DeviceCodeLifespan": 600,
|
||||
"oauth2DevicePollingInterval": 5,
|
||||
"sslRequired": "external",
|
||||
"registrationAllowed": true,
|
||||
"registrationEmailAsUsername": true,
|
||||
"rememberMe": true,
|
||||
"verifyEmail": false,
|
||||
"loginWithEmailAllowed": true,
|
||||
"duplicateEmailsAllowed": false,
|
||||
"resetPasswordAllowed": true,
|
||||
"editUsernameAllowed": false,
|
||||
"bruteForceProtected": false,
|
||||
"permanentLockout": false,
|
||||
"maxFailureWaitSeconds": 900,
|
||||
"minimumQuickLoginWaitSeconds": 60,
|
||||
"waitIncrementSeconds": 60,
|
||||
"quickLoginCheckMilliSeconds": 1000,
|
||||
"maxDeltaTimeSeconds": 43200,
|
||||
"failureFactor": 30,
|
||||
"clients": [
|
||||
{
|
||||
"clientId": "{{ .Values.global.yonote.config.plain.data.OIDC_CLIENT_ID }}",
|
||||
"secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}",
|
||||
"redirectUris": [
|
||||
"https://*.{{ .Values.global.yonote.baseListenAddress }}/*",
|
||||
"http://*.{{ .Values.global.yonote.baseListenAddress }}/*",
|
||||
"http://app.{{ .Values.global.yonote.baseListenAddress }}/*",
|
||||
"https://app.{{ .Values.global.yonote.baseListenAddress }}/*",
|
||||
"https://app.{{ .Values.global.yonote.baseListenAddress }}/auth/oidc.callback/*"
|
||||
],
|
||||
"baseUrl": "https://app.{{ .Values.global.yonote.baseListenAddress }}",
|
||||
"enabled": true,
|
||||
"publicClient": false,
|
||||
"protocol": "openid-connect",
|
||||
"attributes": {
|
||||
"client.secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}",
|
||||
"display.on.consent.screen": "true"
|
||||
},
|
||||
"authenticationFlowBindingOverrides": {},
|
||||
"fullScopeAllowed": false,
|
||||
"protocolMappers": [
|
||||
{
|
||||
"name": "oidc-display-name",
|
||||
"protocol": "openid-connect",
|
||||
"protocolMapper": "oidc-usermodel-attribute-mapper",
|
||||
"consentRequired": false,
|
||||
"config": {
|
||||
"userinfo.token.claim": "true",
|
||||
"user.attribute": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}",
|
||||
"id.token.claim": "true",
|
||||
"access.token.claim": "true",
|
||||
"claim.name": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}",
|
||||
"jsonType.label": "String"
|
||||
}
|
||||
}
|
||||
],
|
||||
"defaultClientScopes": ["openid", "email"]
|
||||
}
|
||||
],
|
||||
"identityProviders": [],
|
||||
"internationalizationEnabled": true,
|
||||
"clientScopes": [
|
||||
{
|
||||
"name": "openid",
|
||||
"protocol": "openid-connect",
|
||||
"attributes": {
|
||||
"include.in.token.scope": "true",
|
||||
"display.on.consent.screen": "true",
|
||||
"consent.screen.text": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}"
|
||||
},
|
||||
"protocolMappers": []
|
||||
},
|
||||
{
|
||||
"name": "email",
|
||||
"protocol": "openid-connect",
|
||||
"attributes": {
|
||||
"include.in.token.scope": "true",
|
||||
"display.on.consent.screen": "true"
|
||||
},
|
||||
"protocolMappers": [
|
||||
{
|
||||
"id": "56fe6d23-690a-465c-bc36-99bff8fef6eb",
|
||||
"name": "email verified",
|
||||
"protocol": "openid-connect",
|
||||
"protocolMapper": "oidc-usermodel-property-mapper",
|
||||
"consentRequired": false,
|
||||
"config": {
|
||||
"userinfo.token.claim": "true",
|
||||
"user.attribute": "emailVerified",
|
||||
"id.token.claim": "true",
|
||||
"access.token.claim": "true",
|
||||
"claim.name": "email_verified",
|
||||
"jsonType.label": "boolean"
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "2c6acd0e-b776-48f5-9c3b-7bfdbbe712dc",
|
||||
"name": "email",
|
||||
"protocol": "openid-connect",
|
||||
"protocolMapper": "oidc-usermodel-property-mapper",
|
||||
"consentRequired": false,
|
||||
"config": {
|
||||
"userinfo.token.claim": "true",
|
||||
"user.attribute": "email",
|
||||
"id.token.claim": "true",
|
||||
"access.token.claim": "true",
|
||||
"claim.name": "email",
|
||||
"jsonType.label": "String"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"browserSecurityHeaders": {
|
||||
"contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"
|
||||
},
|
||||
"webAuthnPolicyRpEntityName": "keycloak",
|
||||
"webAuthnPolicySignatureAlgorithms": ["ES256"],
|
||||
"webAuthnPolicyRpId": "",
|
||||
"webAuthnPolicyAttestationConveyancePreference": "not specified",
|
||||
"webAuthnPolicyAuthenticatorAttachment": "not specified",
|
||||
"webAuthnPolicyRequireResidentKey": "not specified",
|
||||
"webAuthnPolicyUserVerificationRequirement": "not specified",
|
||||
"webAuthnPolicyCreateTimeout": 0,
|
||||
"webAuthnPolicyAvoidSameAuthenticatorRegister": false,
|
||||
"webAuthnPolicyAcceptableAaguids": [],
|
||||
"webAuthnPolicyPasswordlessRpEntityName": "keycloak",
|
||||
"webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"],
|
||||
"webAuthnPolicyPasswordlessRpId": "",
|
||||
"webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
|
||||
"webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
|
||||
"webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
|
||||
"webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
|
||||
"webAuthnPolicyPasswordlessCreateTimeout": 0,
|
||||
"webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
|
||||
"webAuthnPolicyPasswordlessAcceptableAaguids": [],
|
||||
"smtpServer": {}
|
||||
}
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: yonote-secrets
|
||||
labels:
|
||||
{{- include "common.labels.standard" $ | nindent 4 }}
|
||||
type: Opaque
|
||||
{{- with .Values.global.yonote.config.secret.data }}
|
||||
data:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.yonote.config.secret.stringData }}
|
||||
stringData: {{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 2 }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,389 @@
|
|||
global:
|
||||
name: yonote-app
|
||||
yonote:
|
||||
dbMigrationEnv: production-ssl-disabled # Режим подключения к базе данных при выполнении миграций. При использовании SSL подключения, установите значение `production`
|
||||
baseListenAddress: example.com # Доменный адрес для yonote
|
||||
|
||||
config:
|
||||
plain:
|
||||
data:
|
||||
NODE_ENV: production
|
||||
FORCE_HTTPS: "false"
|
||||
PGSSLMODE: disable # Отключает SSL подключение к базе данных. Уберите эту строку, если вы используете SSL подключение к PostgreSQL
|
||||
WEB_CONCURRENCY: "1"
|
||||
|
||||
BIND_HOST: 0.0.0.0 # Хост по умолчанию
|
||||
PORT: "3000" # Порт по умолчанию
|
||||
|
||||
REDIS_URL: redis://yonote-redis-master:6379
|
||||
|
||||
DEFAULT_LANGUAGE: ru_RU # Язык по умолчанию
|
||||
ENABLE_UPDATES: "false"
|
||||
|
||||
AI_URL: "1234"
|
||||
AI_API_KEY: "1234"
|
||||
|
||||
URL: 'https://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения
|
||||
COLLABORATION_URL: 'wss://app.{{ .Values.global.yonote.baseListenAddress }}' # Cервер, для нормальной работы это не нужно устанавливать
|
||||
|
||||
OIDC_DISPLAY_NAME: email
|
||||
OIDC_SCOPES: openid email
|
||||
OIDC_CLIENT_ID: yonote
|
||||
OIDC_AUTH_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/auth' # URL для авторизации пользователей через OpenID Connect (OIDC). Пользователь перенаправляется на этот адрес для входа в систему.
|
||||
OIDC_LOGOUT_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/logout' # URL для выхода из системы через OIDC. Пользователь перенаправляется на этот адрес для завершения сессии и выхода.
|
||||
OIDC_TOKEN_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/token' # URL для получения токенов доступа и обновления. Этот адрес используется для обмена авторизационным кодом на токены
|
||||
OIDC_USERINFO_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/userinfo' # URL для получения информации о пользователе. Используется для получения данных профиля пользователя на основе его токена.
|
||||
|
||||
AWS_S3_ACL: private
|
||||
AWS_S3_UPLOAD_BUCKET_URL: yonote-minio:9000 # Адрес S3 хранилища
|
||||
AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket # Имя хранилища
|
||||
AWS_REGION: "ru_RU"
|
||||
AWS_S3_UPLOAD_MAX_SIZE: "226214400" # Максимальный размер хранилища
|
||||
AWS_S3_FORCE_PATH_STYLE: "false" # Следует ли принудительно использовать URL-адреса стиля пути для объектов S3
|
||||
S3_PROXY_ENABLED: "false" # Включает или выключает проксирование загрузки/выгрузки файлов на S3 через бэкенд, принимает boolean
|
||||
S3_MULTIPART_PART_SIZE: "1000" # Настройка размера частей для multipart загрузки на S3 хранилище, принимает число, по умолчанию 1000 (1GB), значение в мегабайтах.
|
||||
|
||||
SUBDOMAINS_ENABLED: "true" # Поддержка поддоменов для команд
|
||||
BASENAME_FOR_SUBDOMAIN: '{{ .Values.global.yonote.baseListenAddress }}' # Имя хоста
|
||||
NOT_ALLOWED_SUBDOMAINS: app,collaboration,auth,api,dev,docs,doc,admin,test,quota,billing,i,storage,host,updates # Запрещенные поддомены
|
||||
|
||||
TELEGRAM_API_URL: https://api.telegram.org
|
||||
|
||||
UNSPLASH_API_BASENAME: https://api.unsplash.com
|
||||
|
||||
RESERVED_SUBDOMAINS: about,account,admin,advertising,api,app,assets,archive,beta,billing,blog,cache,cdn,code,community,dashboard,developer,developers,forum,help,home,http,https,imap,localhost,mail,marketing,mobile,multiplayer,new,news,newsletter,ns1,ns2,ns3,ns4,password,profile,realtime,sandbox,script,scripts,setup,signin,signup,site,smtp,support,status,static,stats,test,update,updates,ws,wss,web,websockets,www,www1,www2,www3,www4
|
||||
|
||||
SMTP_HOST: ""
|
||||
SMTP_USERNAME: ""
|
||||
SMTP_FROM_EMAIL: ""
|
||||
SMTP_REPLY_EMAIL: ""
|
||||
SMTP_PORT: ""
|
||||
SMTP_SECURE: "" # connection will be upgraded: https://nodemailer.com/smtp/
|
||||
SMTP_REQUIRE_TLS: ""
|
||||
|
||||
yonote_cron_calendar_events:
|
||||
cron_enabled: "true"
|
||||
url: http://yonote-web/api/cron.calendar_events
|
||||
|
||||
yonote_cron_task_scheduler:
|
||||
cron_enabled: "true"
|
||||
url: http://yonote-web/api/cron.schedule
|
||||
|
||||
yonote-web:
|
||||
fullnameOverride: yonote-web
|
||||
nameOverride: yonote-web
|
||||
name: web
|
||||
image:
|
||||
registry: images.updates.yonote.ru
|
||||
repository: yonote
|
||||
tag: 1.19.5
|
||||
pullPolicy: IfNotPresent
|
||||
resources:
|
||||
limits:
|
||||
cpu: "1"
|
||||
memory: 1Gi
|
||||
requests:
|
||||
cpu: 250m
|
||||
memory: 256Mi
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
name: yonote-ingress
|
||||
namespace: yonote-onprem
|
||||
ingressClassName: nginx
|
||||
tls:
|
||||
- secretName: "you_tls_secret"
|
||||
hosts:
|
||||
- "app.example.com"
|
||||
- "team.example.com"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/server-snippets: |
|
||||
location /realtime {
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_cache_bypass $http_upgrade;
|
||||
}
|
||||
nginx.ingress.kubernetes.io/configuration-snippet: |
|
||||
more_set_headers "Host $http_host";
|
||||
more_set_headers "X-Real-IP $remote_addr";
|
||||
more_set_headers "X-Forwarded-Proto $scheme";
|
||||
more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for";
|
||||
cert-manager.io/cluster-issuer: ""
|
||||
|
||||
rules:
|
||||
- host: "app.example.com"
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: yonote-web
|
||||
port:
|
||||
number: 80
|
||||
- path: /realtime
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: yonote-websockets
|
||||
port:
|
||||
number: 80
|
||||
- path: /whiteboard
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: yonote-whiteboard
|
||||
port:
|
||||
number: 80
|
||||
- path: /collaboration
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: yonote-collaboration
|
||||
port:
|
||||
number: 80
|
||||
|
||||
- host: "team.example.com"
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: yonote-web
|
||||
port:
|
||||
number: 80
|
||||
- path: /realtime
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: yonote-websockets
|
||||
port:
|
||||
number: 80
|
||||
- path: /whiteboard
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: yonote-whiteboard
|
||||
port:
|
||||
number: 80
|
||||
- path: /collaboration
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: yonote-collaboration
|
||||
port:
|
||||
number: 80
|
||||
|
||||
containerPorts:
|
||||
- containerPort: 3000
|
||||
name: app
|
||||
protocol: TCP
|
||||
service:
|
||||
type: ClusterIP
|
||||
port: 80
|
||||
targetPort: app
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: yonote-configs
|
||||
- secretRef:
|
||||
name: yonote-secrets
|
||||
|
||||
podLabels:
|
||||
redis-client: 'true'
|
||||
podAnnotations:
|
||||
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
|
||||
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
|
||||
readinessProbe:
|
||||
enabled: true
|
||||
failureThreshold: 6
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
httpGet:
|
||||
path: /_health
|
||||
port: app
|
||||
livenessProbe:
|
||||
enabled: true
|
||||
failureThreshold: 6
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
httpGet:
|
||||
path: /_health
|
||||
port: app
|
||||
|
||||
yonoteDatabase:
|
||||
enabled: true
|
||||
global:
|
||||
postgresql:
|
||||
auth:
|
||||
database: "yonote"
|
||||
username: "yonote"
|
||||
name: yonote-database
|
||||
fullnameOverride: yonote-database
|
||||
nameOverride: yonote-database
|
||||
|
||||
primary:
|
||||
persistence:
|
||||
size: 500Mi
|
||||
resources:
|
||||
limits:
|
||||
cpu: 250m
|
||||
memory: 512Mi
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 256Mi
|
||||
|
||||
yonote-redis:
|
||||
enabled: true
|
||||
fullnameOverride: yonote-redis
|
||||
nameOverride: redis
|
||||
architecture: standalone
|
||||
|
||||
auth:
|
||||
enabled: false
|
||||
|
||||
master:
|
||||
persistence:
|
||||
size: 200Mi
|
||||
resources:
|
||||
limits:
|
||||
cpu: 250m
|
||||
memory: 256Mi
|
||||
requests:
|
||||
cpu: 50m
|
||||
memory: 128Mi
|
||||
|
||||
minio:
|
||||
enabled: true
|
||||
name: minio
|
||||
fullnameOverride: yonote-minio
|
||||
nameOverride: yonote-minio
|
||||
auth:
|
||||
rootUser: admin
|
||||
|
||||
persistence:
|
||||
enabled: true
|
||||
size: 500Mi
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: nginx
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/configuration-snippet: |
|
||||
more_set_headers "Host $http_host";
|
||||
more_set_headers "X-Real-IP $remote_addr";
|
||||
more_set_headers "X-Forwarded-Proto $scheme";
|
||||
more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for";
|
||||
hosts:
|
||||
- host: s3.example.com
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 512Mi
|
||||
cpu: 250m
|
||||
limits:
|
||||
memory: 1Gi
|
||||
cpu: 500m
|
||||
|
||||
buckets:
|
||||
- name: yonote-bucket
|
||||
policy: none
|
||||
|
||||
mcJob:
|
||||
enabled: true
|
||||
|
||||
keycloak:
|
||||
auth:
|
||||
adminUser: root
|
||||
|
||||
fullnameOverride: yonote-keycloak
|
||||
nameOverride: yonote-keycloak
|
||||
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |
|
||||
/opt/bitnami/keycloak/bin/kc.sh import --file=/opt/bitnami/keycloak/data/import/realm-export.json && \
|
||||
/opt/bitnami/keycloak/bin/kc.sh start-dev
|
||||
|
||||
extraEnvVars:
|
||||
- name: KC_DB_PASSWORD
|
||||
value: "tT9BqYdNyd"
|
||||
- name: KEYCLOAK_PRODUCTION
|
||||
value: "true"
|
||||
- name: KC_HOSTNAME_URL
|
||||
value: "https://auth.example.com"
|
||||
- name: KC_HOSTNAME_ADMIN_URL
|
||||
value: "https://auth.example.com"
|
||||
|
||||
extraVolumes:
|
||||
- name: realm-export
|
||||
configMap:
|
||||
name: realm-export
|
||||
|
||||
extraVolumeMounts:
|
||||
- name: realm-export
|
||||
mountPath: /opt/bitnami/keycloak/data/import/realm-export.json
|
||||
subPath: realm-export.json
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
hostname: auth.example.com
|
||||
ingressClassName: traefik
|
||||
tls: true
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: traefik
|
||||
# cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете
|
||||
extraTls:
|
||||
- hosts:
|
||||
- "auth.example.com"
|
||||
secretName: "you_tls_secret"
|
||||
rules:
|
||||
- host: "auth.example.com"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
service:
|
||||
name: yonote-keycloak
|
||||
port: http
|
||||
- path: /admin
|
||||
pathType: Prefix
|
||||
service:
|
||||
name: yonote-keycloak
|
||||
port: http
|
||||
|
||||
proxy: "edge"
|
||||
|
||||
resources:
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 512Mi
|
||||
requests:
|
||||
cpu: 150m
|
||||
memory: 128Mi
|
||||
|
||||
postgresql:
|
||||
enabled: true
|
||||
auth:
|
||||
database: keycloak
|
||||
username: keycloak
|
||||
name: keycloak-database
|
||||
fullnameOverride: keycloak-database
|
||||
nameOverride: keycloak-database
|
||||
primary:
|
||||
persistence:
|
||||
size: 512Mi
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*.orig
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
||||
.vscode/
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
dependencies:
|
||||
- name: app
|
||||
repository: https://dysnix.github.io/charts
|
||||
version: 0.3.15
|
||||
- name: app
|
||||
repository: https://dysnix.github.io/charts
|
||||
version: 0.3.15
|
||||
- name: app
|
||||
repository: https://dysnix.github.io/charts
|
||||
version: 0.3.15
|
||||
- name: app
|
||||
repository: https://dysnix.github.io/charts
|
||||
version: 0.3.15
|
||||
- name: app
|
||||
repository: https://dysnix.github.io/charts
|
||||
version: 0.3.15
|
||||
- name: postgresql
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
version: 11.6.6
|
||||
- name: redis
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
version: 16.12.1
|
||||
- name: minio
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
version: 12.7.0
|
||||
- name: keycloak
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
version: 14.0.0
|
||||
digest: sha256:928723e189de54fafe19316743b8f9d08d7c74f9728b0c4afb1f5cd3ee1e83dc
|
||||
generated: "2024-08-25T00:46:01.648512702+03:00"
|
||||
|
|
@ -0,0 +1,60 @@
|
|||
apiVersion: v2
|
||||
name: yonote-chart
|
||||
version: 1.2.0
|
||||
description:
|
||||
Generic application Helm chart.
|
||||
This chart includes multiple dependencies. The base of this chart is derived from the Dynix app chart.
|
||||
maintainers:
|
||||
- name: Dysnix
|
||||
email: support@dysnix.com
|
||||
url: https://github.com/dysnix/charts/tree/main/dysnix/app
|
||||
|
||||
dependencies:
|
||||
- name: app
|
||||
version: "0.3.15"
|
||||
repository: https://dysnix.github.io/charts
|
||||
alias: yonote-web
|
||||
|
||||
- name: app
|
||||
version: "0.3.15"
|
||||
repository: https://dysnix.github.io/charts
|
||||
alias: yonote-websocket
|
||||
|
||||
- name: app
|
||||
version: "0.3.15"
|
||||
repository: https://dysnix.github.io/charts
|
||||
alias: yonote-whiteboard
|
||||
|
||||
- name: app
|
||||
version: "0.3.15"
|
||||
repository: https://dysnix.github.io/charts
|
||||
alias: yonote-worker
|
||||
|
||||
- name: app
|
||||
version: "0.3.15"
|
||||
repository: https://dysnix.github.io/charts
|
||||
alias: yonote-collaboration
|
||||
|
||||
- name: postgresql
|
||||
version: "11.6.6"
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
condition: yonoteDatabase.enabled
|
||||
alias: yonoteDatabase
|
||||
|
||||
- name: redis
|
||||
version: "16.12.1"
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
condition: yonote-redis.enabled
|
||||
alias: yonote-redis
|
||||
|
||||
- name: minio
|
||||
version: "12.7.0"
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
condition: minio.enabled
|
||||
alias: minio
|
||||
|
||||
- name: keycloak
|
||||
version: "14.0.0"
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
condition: keycloak.enabled
|
||||
alias: keycloak
|
||||
|
|
@ -0,0 +1,46 @@
|
|||
global:
|
||||
yonote:
|
||||
config:
|
||||
secret:
|
||||
stringData:
|
||||
DATABASE_URL: 'postgres://{{ .Values.yonoteDatabase.global.postgresql.auth.username }}:{{ .Values.yonoteDatabase.global.postgresql.auth.password }}@yonote-database:5432/{{ .Values.yonoteDatabase.global.postgresql.auth.database }}'
|
||||
POSTGRES_PASSWORD: "{{ .Values.yonoteDatabase.global.postgresql.auth.password }}"
|
||||
AWS_ACCESS_KEY_ID: "{{ .Values.minio.customUser }}" # Ваш идентификатор ключа доступа к AWS.
|
||||
AWS_SECRET_ACCESS_KEY: "{{ .Values.minio.customAccessKey }}" # Ваш секретный ключ доступа AWS.
|
||||
OIDC_CLIENT_SECRET: "Kdq8rk5Pv5RW1c5kHXpnyfrmMRzI9xSD" # Секретный ключ клиента для аутентификации по OpenID Connect (OIDC).
|
||||
SECRET_KEY: "659a8881b186198c3146e316f6dab67df25496534d1fa156d624b037260df688" # Сгенерируйте 32-байтовый случайный ключ в шестнадцатеричном коде. Вам следует использовать `openssl rand -hex 32` в вашем терминале для генерации случайного значения.
|
||||
SMTP_PASSWORD: "1234"
|
||||
UTILS_SECRET: "7bd5e9ac4415dd0dbf6b7721e2a21e9427b268cd0140c7516d13dece5024d479" # Сгенерируйте уникальный случайный ключ. Формат не важен, но вы все равно можете использовать`openssl rand -hex 32` в вашем терминале, чтобы создать это.
|
||||
TELEGRAM_BOT_TOKEN: "1234"
|
||||
UNSPLASH_API_ACCESS_KEY: "a-yGo6HpRP6jNfravx4Bz-oiPrRnH_5-24Xa9ZPlePE"
|
||||
LICENSE_KEY: "qwerty-123456-zxcvb" # Обратитесь в отдел продаж для получения
|
||||
SERVICE_WORKER_PUBLIC_KEY: "1234"
|
||||
SERVICE_WORKER_PRIVATE_KEY: "1234"
|
||||
# Генерация ключей (web-push) Service Worker
|
||||
# 1) Установить Node.js и npm
|
||||
# 2) Выполнить команду для генерации ключей
|
||||
# npx web-push generate-vapid-keys
|
||||
# 3) Полученные значения ввести в .env файл (SERVICE_WORKER_PUBLIC_KEY, SERVICE_WORKER_PRIVATE_KEY)
|
||||
|
||||
yonoteDatabase:
|
||||
global:
|
||||
postgresql:
|
||||
auth:
|
||||
password: "wsGZ6kXhr5"
|
||||
postgresPassword: "QQYw4UjOU"
|
||||
|
||||
# yonote-redis: # Если используете пароль для redis
|
||||
# auth:
|
||||
# password: "12345678"
|
||||
|
||||
minio:
|
||||
customAccessKey: "qwer-12314q-qwersa"
|
||||
auth:
|
||||
rootPassword: "qwettaas"
|
||||
|
||||
keycloak:
|
||||
auth:
|
||||
adminPassword: "root"
|
||||
postgresql:
|
||||
auth:
|
||||
password: "tT9BqYdNyd"
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: yonote-configs
|
||||
labels:
|
||||
{{- include "common.labels.standard" $ | nindent 4 }}
|
||||
{{- with .Values.global.yonote.config.plain.data }}
|
||||
data:
|
||||
{{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 2 }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,69 @@
|
|||
{{- if eq ($.Values.global.yonote_cron_calendar_events.cron_enabled | toString) "true" }}
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: cron-calendar-events
|
||||
spec:
|
||||
schedule: "*/1 * * * *"
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: cron-calendar-events
|
||||
image: curlimages/curl
|
||||
imagePullPolicy: IfNotPresent
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: yonote-secrets
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- >-
|
||||
date;
|
||||
curl
|
||||
-X POST
|
||||
{{ .Values.global.yonote_cron_calendar_events.url }}
|
||||
-H "Content-Type: application/json"
|
||||
-d '
|
||||
{
|
||||
"token": "$(UTILS_SECRET)"
|
||||
}
|
||||
'
|
||||
restartPolicy: OnFailure
|
||||
{{- end }}
|
||||
---
|
||||
{{- if eq ($.Values.global.yonote_cron_task_scheduler.cron_enabled | toString) "true" }}
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: cron-task-scheduler
|
||||
spec:
|
||||
schedule: "0 */1 * * *"
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: cron-task-scheduler
|
||||
image: curlimages/curl
|
||||
imagePullPolicy: IfNotPresent
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: yonote-secrets
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- >-
|
||||
date;
|
||||
curl
|
||||
-X POST
|
||||
{{ .Values.global.yonote_cron_task_scheduler.url }}
|
||||
-H "Content-Type: application/json"
|
||||
-d '
|
||||
{
|
||||
"token":"$(UTILS_SECRET)", "limit":"200"
|
||||
}
|
||||
'
|
||||
restartPolicy: OnFailure
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
{{- if .Values.ingress.enabled }}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: {{ .Values.ingress.name }}
|
||||
namespace: {{ .Values.ingress.namespace }}
|
||||
annotations:
|
||||
{{- range $key, $value := .Values.ingress.annotations }}
|
||||
{{ $key }}: "{{ $value }}"
|
||||
{{- end }}
|
||||
spec:
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName }}
|
||||
tls:
|
||||
- secretName: "{{ .Values.ingress.tls.secretName }}"
|
||||
hosts:
|
||||
{{- range .Values.ingress.tls.hosts }}
|
||||
- "{{ . }}"
|
||||
{{- end }}
|
||||
rules:
|
||||
{{- range .Values.ingress.rules }}
|
||||
- host: "{{ .host }}"
|
||||
http:
|
||||
paths:
|
||||
{{- range .paths }}
|
||||
- path: {{ .path }}
|
||||
pathType: {{ .pathType }}
|
||||
backend:
|
||||
service:
|
||||
name: {{ .service.name }}
|
||||
port:
|
||||
number: {{ .service.port | int }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,120 @@
|
|||
{{- if .Values.mcJob.enabled }}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: yonote-minio-mc-job
|
||||
labels:
|
||||
app: yonote-minio
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: yonote-minio
|
||||
spec:
|
||||
containers:
|
||||
- name: mc-client
|
||||
image: "docker.io/bitnami/minio-client:2024.8.13-debian-12-r0"
|
||||
command: ["/bin/sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
until mc alias set myminio http://yonote-minio:9000 {{ .Values.minio.auth.rootUser }} {{ .Values.minio.auth.rootPassword }}; do
|
||||
echo "Waiting for MinIO to be ready..."
|
||||
sleep 5
|
||||
done
|
||||
echo "MinIO is ready and alias is set."
|
||||
|
||||
# Создание пользователя
|
||||
if ! mc admin user add myminio {{ .Values.minio.customUser }} {{ .Values.minio.customAccessKey }}; then
|
||||
echo "User {{ .Values.minio.customUser }} already exists or failed to create."
|
||||
else
|
||||
echo "User {{ .Values.minio.customUser }} created successfully."
|
||||
fi
|
||||
|
||||
# Назначение политики для нового пользователя
|
||||
cat <<EOF > /tmp/minio-user-policy.json
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Sid": "VisualEditor",
|
||||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"s3:DeleteObject",
|
||||
"s3:GetObject",
|
||||
"s3:PutObject"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:s3:::yonote-bucket/*"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
EOF
|
||||
echo "User policy JSON file created."
|
||||
|
||||
mc admin policy create myminio yonote-policy /tmp/minio-user-policy.json
|
||||
echo "User policy created and applied."
|
||||
|
||||
# Создание бакета
|
||||
if ! mc ls myminio/yonote-bucket; then
|
||||
mc mb myminio/yonote-bucket
|
||||
echo "Bucket yonote-bucket created successfully."
|
||||
else
|
||||
echo "Bucket yonote-bucket already exists."
|
||||
fi
|
||||
|
||||
# Установка политик для бакета
|
||||
cat <<EOF > /tmp/minio-bucket-policy.json
|
||||
{
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Principal": {
|
||||
"AWS": [
|
||||
"*"
|
||||
]
|
||||
},
|
||||
"Action": [
|
||||
"s3:GetBucketLocation"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:s3:::yonote-bucket"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Principal": {
|
||||
"AWS": [
|
||||
"*"
|
||||
]
|
||||
},
|
||||
"Action": [
|
||||
"s3:GetObject"
|
||||
],
|
||||
"Resource": [
|
||||
"arn:aws:s3:::yonote-bucket/*"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
EOF
|
||||
echo "Bucket policy JSON file created."
|
||||
|
||||
mc anonymous set-json /tmp/minio-bucket-policy.json myminio/yonote-bucket
|
||||
echo "Bucket policy applied."
|
||||
|
||||
mc admin policy attach myminio yonote-policy --user={{ .Values.minio.customUser }}
|
||||
echo "Policy attached to user {{ .Values.minio.customUser }}."
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: "128Mi"
|
||||
cpu: "100m"
|
||||
limits:
|
||||
memory: "256Mi"
|
||||
cpu: "200m"
|
||||
restartPolicy: OnFailure
|
||||
backoffLimit: 5
|
||||
ttlSecondsAfterFinished: 180
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,169 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: realm-export
|
||||
data:
|
||||
realm-export.json: |
|
||||
{
|
||||
"realm": "yonote",
|
||||
"enabled": true,
|
||||
"notBefore": 1647809856,
|
||||
"defaultSignatureAlgorithm": "RS256",
|
||||
"revokeRefreshToken": false,
|
||||
"refreshTokenMaxReuse": 0,
|
||||
"accessTokenLifespan": 300,
|
||||
"accessTokenLifespanForImplicitFlow": 900,
|
||||
"ssoSessionIdleTimeout": 1800,
|
||||
"ssoSessionMaxLifespan": 36000,
|
||||
"ssoSessionIdleTimeoutRememberMe": 0,
|
||||
"ssoSessionMaxLifespanRememberMe": 0,
|
||||
"offlineSessionIdleTimeout": 2592000,
|
||||
"offlineSessionMaxLifespanEnabled": false,
|
||||
"offlineSessionMaxLifespan": 5184000,
|
||||
"clientSessionIdleTimeout": 0,
|
||||
"clientSessionMaxLifespan": 0,
|
||||
"clientOfflineSessionIdleTimeout": 0,
|
||||
"clientOfflineSessionMaxLifespan": 0,
|
||||
"accessCodeLifespan": 60,
|
||||
"accessCodeLifespanUserAction": 300,
|
||||
"accessCodeLifespanLogin": 1800,
|
||||
"actionTokenGeneratedByAdminLifespan": 43200,
|
||||
"actionTokenGeneratedByUserLifespan": 300,
|
||||
"oauth2DeviceCodeLifespan": 600,
|
||||
"oauth2DevicePollingInterval": 5,
|
||||
"sslRequired": "external",
|
||||
"registrationAllowed": true,
|
||||
"registrationEmailAsUsername": true,
|
||||
"rememberMe": true,
|
||||
"verifyEmail": false,
|
||||
"loginWithEmailAllowed": true,
|
||||
"duplicateEmailsAllowed": false,
|
||||
"resetPasswordAllowed": true,
|
||||
"editUsernameAllowed": false,
|
||||
"bruteForceProtected": false,
|
||||
"permanentLockout": false,
|
||||
"maxFailureWaitSeconds": 900,
|
||||
"minimumQuickLoginWaitSeconds": 60,
|
||||
"waitIncrementSeconds": 60,
|
||||
"quickLoginCheckMilliSeconds": 1000,
|
||||
"maxDeltaTimeSeconds": 43200,
|
||||
"failureFactor": 30,
|
||||
"clients": [
|
||||
{
|
||||
"clientId": "{{ .Values.global.yonote.config.plain.data.OIDC_CLIENT_ID }}",
|
||||
"secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}",
|
||||
"redirectUris": [
|
||||
"https://*.{{ .Values.global.yonote.baseListenAddress }}/*",
|
||||
"http://*.{{ .Values.global.yonote.baseListenAddress }}/*",
|
||||
"http://app.{{ .Values.global.yonote.baseListenAddress }}/*",
|
||||
"https://app.{{ .Values.global.yonote.baseListenAddress }}/*",
|
||||
"https://app.{{ .Values.global.yonote.baseListenAddress }}/auth/oidc.callback/*"
|
||||
],
|
||||
"baseUrl": "https://app.{{ .Values.global.yonote.baseListenAddress }}",
|
||||
"enabled": true,
|
||||
"publicClient": false,
|
||||
"protocol": "openid-connect",
|
||||
"attributes": {
|
||||
"client.secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}",
|
||||
"display.on.consent.screen": "true"
|
||||
},
|
||||
"authenticationFlowBindingOverrides": {},
|
||||
"fullScopeAllowed": false,
|
||||
"protocolMappers": [
|
||||
{
|
||||
"name": "oidc-display-name",
|
||||
"protocol": "openid-connect",
|
||||
"protocolMapper": "oidc-usermodel-attribute-mapper",
|
||||
"consentRequired": false,
|
||||
"config": {
|
||||
"userinfo.token.claim": "true",
|
||||
"user.attribute": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}",
|
||||
"id.token.claim": "true",
|
||||
"access.token.claim": "true",
|
||||
"claim.name": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}",
|
||||
"jsonType.label": "String"
|
||||
}
|
||||
}
|
||||
],
|
||||
"defaultClientScopes": ["openid", "email"]
|
||||
}
|
||||
],
|
||||
"identityProviders": [],
|
||||
"internationalizationEnabled": true,
|
||||
"clientScopes": [
|
||||
{
|
||||
"name": "openid",
|
||||
"protocol": "openid-connect",
|
||||
"attributes": {
|
||||
"include.in.token.scope": "true",
|
||||
"display.on.consent.screen": "true",
|
||||
"consent.screen.text": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}"
|
||||
},
|
||||
"protocolMappers": []
|
||||
},
|
||||
{
|
||||
"name": "email",
|
||||
"protocol": "openid-connect",
|
||||
"attributes": {
|
||||
"include.in.token.scope": "true",
|
||||
"display.on.consent.screen": "true"
|
||||
},
|
||||
"protocolMappers": [
|
||||
{
|
||||
"id": "56fe6d23-690a-465c-bc36-99bff8fef6eb",
|
||||
"name": "email verified",
|
||||
"protocol": "openid-connect",
|
||||
"protocolMapper": "oidc-usermodel-property-mapper",
|
||||
"consentRequired": false,
|
||||
"config": {
|
||||
"userinfo.token.claim": "true",
|
||||
"user.attribute": "emailVerified",
|
||||
"id.token.claim": "true",
|
||||
"access.token.claim": "true",
|
||||
"claim.name": "email_verified",
|
||||
"jsonType.label": "boolean"
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "2c6acd0e-b776-48f5-9c3b-7bfdbbe712dc",
|
||||
"name": "email",
|
||||
"protocol": "openid-connect",
|
||||
"protocolMapper": "oidc-usermodel-property-mapper",
|
||||
"consentRequired": false,
|
||||
"config": {
|
||||
"userinfo.token.claim": "true",
|
||||
"user.attribute": "email",
|
||||
"id.token.claim": "true",
|
||||
"access.token.claim": "true",
|
||||
"claim.name": "email",
|
||||
"jsonType.label": "String"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"browserSecurityHeaders": {
|
||||
"contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"
|
||||
},
|
||||
"webAuthnPolicyRpEntityName": "keycloak",
|
||||
"webAuthnPolicySignatureAlgorithms": ["ES256"],
|
||||
"webAuthnPolicyRpId": "",
|
||||
"webAuthnPolicyAttestationConveyancePreference": "not specified",
|
||||
"webAuthnPolicyAuthenticatorAttachment": "not specified",
|
||||
"webAuthnPolicyRequireResidentKey": "not specified",
|
||||
"webAuthnPolicyUserVerificationRequirement": "not specified",
|
||||
"webAuthnPolicyCreateTimeout": 0,
|
||||
"webAuthnPolicyAvoidSameAuthenticatorRegister": false,
|
||||
"webAuthnPolicyAcceptableAaguids": [],
|
||||
"webAuthnPolicyPasswordlessRpEntityName": "keycloak",
|
||||
"webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"],
|
||||
"webAuthnPolicyPasswordlessRpId": "",
|
||||
"webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
|
||||
"webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
|
||||
"webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
|
||||
"webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
|
||||
"webAuthnPolicyPasswordlessCreateTimeout": 0,
|
||||
"webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
|
||||
"webAuthnPolicyPasswordlessAcceptableAaguids": [],
|
||||
"smtpServer": {}
|
||||
}
|
||||
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: yonote-secrets
|
||||
labels:
|
||||
{{- include "common.labels.standard" $ | nindent 4 }}
|
||||
type: Opaque
|
||||
{{- with .Values.global.yonote.config.secret.data }}
|
||||
data:
|
||||
{{- toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- with .Values.global.yonote.config.secret.stringData }}
|
||||
stringData: {{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 2 }}
|
||||
{{- end }}
|
||||
|
|
@ -0,0 +1,669 @@
|
|||
global:
|
||||
name: yonote-app
|
||||
yonote:
|
||||
dbMigrationEnv: production-ssl-disabled # Режим подключения к базе данных при выполнении миграций. При использовании SSL подключения, установите значение `production`
|
||||
baseListenAddress: example.com # Доменный адрес для yonote
|
||||
|
||||
config:
|
||||
plain:
|
||||
data:
|
||||
NODE_ENV: production
|
||||
FORCE_HTTPS: "false"
|
||||
PGSSLMODE: disable # Отключает SSL подключение к базе данных. Уберите эту строку, если вы используете SSL подключение к PostgreSQL
|
||||
WEB_CONCURRENCY: "1"
|
||||
|
||||
BIND_HOST: 0.0.0.0 # Хост по умолчанию
|
||||
PORT: "3000" # Порт по умолчанию
|
||||
|
||||
REDIS_URL: redis://yonote-redis-master:6379
|
||||
|
||||
DEFAULT_LANGUAGE: ru_RU # Язык по умолчанию
|
||||
ENABLE_UPDATES: "false"
|
||||
|
||||
AI_URL: "1234"
|
||||
AI_API_KEY: "1234"
|
||||
|
||||
URL: 'https://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения
|
||||
COLLABORATION_URL: 'wss://app.{{ .Values.global.yonote.baseListenAddress }}' # Cервер, для нормальной работы это не нужно устанавливать
|
||||
|
||||
OIDC_DISPLAY_NAME: email
|
||||
OIDC_SCOPES: openid email
|
||||
OIDC_CLIENT_ID: yonote
|
||||
OIDC_AUTH_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/auth' # URL для авторизации пользователей через OpenID Connect (OIDC). Пользователь перенаправляется на этот адрес для входа в систему.
|
||||
OIDC_LOGOUT_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/logout' # URL для выхода из системы через OIDC. Пользователь перенаправляется на этот адрес для завершения сессии и выхода.
|
||||
OIDC_TOKEN_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/token' # URL для получения токенов доступа и обновления. Этот адрес используется для обмена авторизационным кодом на токены
|
||||
OIDC_USERINFO_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/userinfo' # URL для получения информации о пользователе. Используется для получения данных профиля пользователя на основе его токена.
|
||||
|
||||
AWS_S3_ACL: private
|
||||
AWS_S3_UPLOAD_BUCKET_URL: 'https://api-s3.example.com' # Адрес API S3 хранилища
|
||||
AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket # Имя хранилища
|
||||
AWS_REGION: "RU"
|
||||
AWS_S3_UPLOAD_MAX_SIZE: "226214400" # Максимальный размер хранилища
|
||||
AWS_S3_FORCE_PATH_STYLE: "false" # Следует ли принудительно использовать URL-адреса стиля пути для объектов S3
|
||||
S3_PROXY_ENABLED: "false" # Включает или выключает проксирование загрузки/выгрузки файлов на S3 через бэкенд, принимает boolean
|
||||
S3_MULTIPART_PART_SIZE: "1000" # Настройка размера частей для multipart загрузки на S3 хранилище, принимает число, по умолчанию 1000 (1GB), значение в мегабайтах.
|
||||
|
||||
SUBDOMAINS_ENABLED: "true" # Поддержка поддоменов для команд
|
||||
BASENAME_FOR_SUBDOMAIN: '{{ .Values.global.yonote.baseListenAddress }}' # Имя хоста
|
||||
NOT_ALLOWED_SUBDOMAINS: app,collaboration,auth,api,dev,docs,doc,admin,test,quota,billing,i,storage,host,updates # Запрещенные поддомены
|
||||
|
||||
TELEGRAM_API_URL: https://api.telegram.org
|
||||
|
||||
UNSPLASH_API_BASENAME: https://api.unsplash.com
|
||||
|
||||
RESERVED_SUBDOMAINS: about,account,admin,advertising,api,app,assets,archive,beta,billing,blog,cache,cdn,code,community,dashboard,developer,developers,forum,help,home,http,https,imap,localhost,mail,marketing,mobile,multiplayer,new,news,newsletter,ns1,ns2,ns3,ns4,password,profile,realtime,sandbox,script,scripts,setup,signin,signup,site,smtp,support,status,static,stats,test,update,updates,ws,wss,web,websockets,www,www1,www2,www3,www4
|
||||
|
||||
SMTP_HOST: ""
|
||||
SMTP_USERNAME: ""
|
||||
SMTP_FROM_EMAIL: ""
|
||||
SMTP_REPLY_EMAIL: ""
|
||||
SMTP_PORT: ""
|
||||
SMTP_SECURE: "" # connection will be upgraded: https://nodemailer.com/smtp/
|
||||
SMTP_REQUIRE_TLS: ""
|
||||
|
||||
yonote_cron_calendar_events:
|
||||
cron_enabled: "true"
|
||||
url: http://yonote-web/api/cron.calendar_events
|
||||
|
||||
yonote_cron_task_scheduler:
|
||||
cron_enabled: "true"
|
||||
url: http://yonote-web/api/cron.schedule
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
name: yonote-ingress
|
||||
namespace: yonote-onprem
|
||||
ingressClassName: traefik
|
||||
tls:
|
||||
secretName: "you_tls_secret"
|
||||
hosts:
|
||||
- "app.example.com"
|
||||
- "team.example.com"
|
||||
rules:
|
||||
- host: "app.example.com"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
service:
|
||||
name: yonote-web
|
||||
port: 80
|
||||
- path: /realtime
|
||||
pathType: Prefix
|
||||
service:
|
||||
name: yonote-websockets
|
||||
port: 80
|
||||
- path: /whiteboard
|
||||
pathType: Prefix
|
||||
service:
|
||||
name: yonote-whiteboard
|
||||
port: 80
|
||||
- path: /collaboration
|
||||
pathType: Prefix
|
||||
service:
|
||||
name: yonote-collaboration
|
||||
port: 80
|
||||
- host: "team.example.com"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
service:
|
||||
name: yonote-web
|
||||
port: 80
|
||||
- path: /realtime
|
||||
pathType: Prefix
|
||||
service:
|
||||
name: yonote-websockets
|
||||
port: 80
|
||||
- path: /whiteboard
|
||||
pathType: Prefix
|
||||
service:
|
||||
name: yonote-whiteboard
|
||||
port: 80
|
||||
- path: /collaboration
|
||||
pathType: Prefix
|
||||
service:
|
||||
name: yonote-collaboration
|
||||
port: 80
|
||||
|
||||
annotations:
|
||||
# cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете
|
||||
|
||||
yonote-web:
|
||||
fullnameOverride: yonote-web
|
||||
nameOverride: yonote-web
|
||||
name: web
|
||||
|
||||
image:
|
||||
registry: images.updates.yonote.ru
|
||||
repository: yonote
|
||||
tag: 1.19.8
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
command: ["/bin/sh", "-c"]
|
||||
args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=web']
|
||||
|
||||
initContainers:
|
||||
- name: yonote-migration
|
||||
image: images.updates.yonote.ru/yonote:1.19.8
|
||||
imagePullPolicy: IfNotPresent
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- npx sequelize db:migrate
|
||||
env:
|
||||
- name: NODE_ENV
|
||||
value: '{{ .Values.global.yonote.dbMigrationEnv }}' # В настройках для sequelize прописан такой env для запуска миграций без ssl
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: yonote-configs
|
||||
- secretRef:
|
||||
name: yonote-secrets
|
||||
|
||||
resources:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: 1Gi
|
||||
requests:
|
||||
cpu: 200m
|
||||
memory: 256Mi
|
||||
|
||||
containerPorts:
|
||||
- containerPort: 3000
|
||||
name: app
|
||||
protocol: TCP
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
port: 80
|
||||
targetPort: app
|
||||
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: yonote-configs
|
||||
- secretRef:
|
||||
name: yonote-secrets
|
||||
|
||||
podLabels:
|
||||
redis-client: 'true'
|
||||
|
||||
podAnnotations:
|
||||
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
|
||||
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
|
||||
|
||||
readinessProbe:
|
||||
enabled: true
|
||||
failureThreshold: 6
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
httpGet:
|
||||
path: /_health
|
||||
port: app
|
||||
|
||||
livenessProbe:
|
||||
enabled: true
|
||||
failureThreshold: 6
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
httpGet:
|
||||
path: /_health
|
||||
port: app
|
||||
|
||||
yonote-websocket:
|
||||
fullnameOverride: yonote-websockets
|
||||
nameOverride: yonote-websockets
|
||||
name: websockets
|
||||
|
||||
image:
|
||||
registry: images.updates.yonote.ru
|
||||
repository: yonote
|
||||
tag: 1.19.8
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
command: ["/bin/sh", "-c"]
|
||||
args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=websockets']
|
||||
|
||||
resources:
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 1Gi
|
||||
requests:
|
||||
cpu: 150m
|
||||
memory: 128Mi
|
||||
|
||||
checksums: null
|
||||
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: yonote-configs
|
||||
- secretRef:
|
||||
name: yonote-secrets
|
||||
|
||||
containerPorts:
|
||||
- containerPort: 3000
|
||||
name: app
|
||||
protocol: TCP
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
port: 80
|
||||
targetPort: app
|
||||
|
||||
podLabels:
|
||||
redis-client: 'true'
|
||||
|
||||
podAnnotations:
|
||||
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
|
||||
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
|
||||
|
||||
readinessProbe:
|
||||
enabled: true
|
||||
failureThreshold: 6
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
httpGet:
|
||||
path: /_health
|
||||
port: app
|
||||
|
||||
livenessProbe:
|
||||
enabled: true
|
||||
failureThreshold: 6
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
httpGet:
|
||||
path: /_health
|
||||
port: app
|
||||
|
||||
yonote-whiteboard:
|
||||
fullnameOverride: yonote-whiteboard
|
||||
nameOverride: yonote-whiteboard
|
||||
name: whiteboard
|
||||
|
||||
image:
|
||||
registry: images.updates.yonote.ru
|
||||
repository: yonote
|
||||
tag: 1.19.8
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
command: ["/bin/sh", "-c"]
|
||||
args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=whiteboard']
|
||||
|
||||
resources:
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 1Gi
|
||||
requests:
|
||||
cpu: 150m
|
||||
memory: 128Mi
|
||||
|
||||
checksums: null
|
||||
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: yonote-configs
|
||||
- secretRef:
|
||||
name: yonote-secrets
|
||||
|
||||
containerPorts:
|
||||
- containerPort: 3000
|
||||
name: app
|
||||
protocol: TCP
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
port: 80
|
||||
targetPort: app
|
||||
|
||||
podLabels:
|
||||
redis-client: 'true'
|
||||
|
||||
podAnnotations:
|
||||
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
|
||||
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
|
||||
|
||||
readinessProbe:
|
||||
enabled: true
|
||||
failureThreshold: 6
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
httpGet:
|
||||
path: /_health
|
||||
port: app
|
||||
|
||||
livenessProbe:
|
||||
enabled: true
|
||||
failureThreshold: 6
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
httpGet:
|
||||
path: /_health
|
||||
port: app
|
||||
|
||||
yonote-worker:
|
||||
fullnameOverride: yonote-worker
|
||||
nameOverride: yonote-worker
|
||||
name: worker
|
||||
|
||||
image:
|
||||
registry: images.updates.yonote.ru
|
||||
repository: yonote
|
||||
tag: 1.19.8
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
command: ["/bin/sh", "-c"]
|
||||
args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=worker']
|
||||
|
||||
resources:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: 1Gi
|
||||
requests:
|
||||
cpu: 250m
|
||||
memory: 256Mi
|
||||
|
||||
checksums: null
|
||||
|
||||
containerPorts:
|
||||
- containerPort: 3000
|
||||
name: app
|
||||
protocol: TCP
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
port: 80
|
||||
targetPort: app
|
||||
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: yonote-configs
|
||||
- secretRef:
|
||||
name: yonote-secrets
|
||||
|
||||
podLabels:
|
||||
redis-client: 'true'
|
||||
|
||||
podAnnotations:
|
||||
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
|
||||
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
|
||||
|
||||
readinessProbe:
|
||||
enabled: true
|
||||
failureThreshold: 6
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
httpGet:
|
||||
path: /_health
|
||||
port: app
|
||||
|
||||
livenessProbe:
|
||||
enabled: true
|
||||
failureThreshold: 6
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
httpGet:
|
||||
path: /_health
|
||||
port: app
|
||||
|
||||
yonote-collaboration:
|
||||
fullnameOverride: yonote-collaboration
|
||||
nameOverride: yonote-collaboration
|
||||
name: collaboration
|
||||
|
||||
image:
|
||||
registry: images.updates.yonote.ru
|
||||
repository: yonote
|
||||
tag: 1.19.8
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
command: ["/bin/sh", "-c"]
|
||||
args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=collaboration']
|
||||
|
||||
resources:
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 1Gi
|
||||
requests:
|
||||
cpu: 150m
|
||||
memory: 128Mi
|
||||
|
||||
checksums: null
|
||||
|
||||
containerPorts:
|
||||
- containerPort: 3000
|
||||
name: app
|
||||
protocol: TCP
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
port: 80
|
||||
targetPort: app
|
||||
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: yonote-configs
|
||||
- secretRef:
|
||||
name: yonote-secrets
|
||||
|
||||
podLabels:
|
||||
redis-client: 'true'
|
||||
|
||||
podAnnotations:
|
||||
checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}"
|
||||
checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}"
|
||||
|
||||
readinessProbe:
|
||||
enabled: true
|
||||
failureThreshold: 6
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
httpGet:
|
||||
path: /_health
|
||||
port: app
|
||||
|
||||
livenessProbe:
|
||||
enabled: true
|
||||
failureThreshold: 6
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
httpGet:
|
||||
path: /_health
|
||||
port: app
|
||||
|
||||
yonoteDatabase:
|
||||
enabled: true
|
||||
global:
|
||||
postgresql:
|
||||
auth:
|
||||
database: "yonote"
|
||||
username: "yonote"
|
||||
name: yonote-database
|
||||
fullnameOverride: yonote-database
|
||||
nameOverride: yonote-database
|
||||
|
||||
primary:
|
||||
persistence:
|
||||
size: 5Gi
|
||||
resources:
|
||||
limits:
|
||||
cpu: 2
|
||||
memory: 8Gi
|
||||
requests:
|
||||
cpu: 500m
|
||||
memory: 512Mi
|
||||
|
||||
yonote-redis:
|
||||
enabled: true
|
||||
fullnameOverride: yonote-redis
|
||||
nameOverride: redis
|
||||
architecture: standalone
|
||||
|
||||
auth:
|
||||
enabled: false
|
||||
|
||||
master:
|
||||
persistence:
|
||||
size: 5Gi
|
||||
resources:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: 4Gi
|
||||
requests:
|
||||
cpu: 500m
|
||||
memory: 512Mi
|
||||
|
||||
minio:
|
||||
enabled: true
|
||||
name: minio
|
||||
fullnameOverride: yonote-minio
|
||||
customUser: yonote
|
||||
nameOverride: yonote-minio
|
||||
auth:
|
||||
rootUser: admin
|
||||
|
||||
image:
|
||||
tag: 2024.8.3-debian-12-r1
|
||||
|
||||
persistence:
|
||||
enabled: true
|
||||
size: 5Gi
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
hostname: 's3.example.com'
|
||||
ingressClassName: traefik
|
||||
path: '/'
|
||||
pathType: ImplementationSpecific
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: traefik
|
||||
# cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете
|
||||
extraTls:
|
||||
- hosts:
|
||||
- "s3.example.com"
|
||||
secretName: "you_tls_secret"
|
||||
|
||||
apiIngress:
|
||||
enabled: true
|
||||
hostname: 'api-s3.example.com'
|
||||
ingressClassName: traefik
|
||||
path: '/'
|
||||
pathType: ImplementationSpecific
|
||||
servicePort: minio-api
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: traefik
|
||||
# cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете
|
||||
extraTls:
|
||||
- hosts:
|
||||
- "api-s3.example.com"
|
||||
secretName: "api-s3.example.com"
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 512Mi
|
||||
cpu: 250m
|
||||
limits:
|
||||
memory: 2Gi
|
||||
cpu: 1
|
||||
|
||||
mcJob:
|
||||
enabled: true
|
||||
|
||||
keycloak:
|
||||
auth:
|
||||
adminUser: root
|
||||
|
||||
fullnameOverride: yonote-keycloak
|
||||
nameOverride: yonote-keycloak
|
||||
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |
|
||||
/opt/bitnami/keycloak/bin/kc.sh import --file=/opt/bitnami/keycloak/data/import/realm-export.json && \
|
||||
/opt/bitnami/keycloak/bin/kc.sh start-dev
|
||||
|
||||
extraEnvVars:
|
||||
- name: KC_DB_PASSWORD
|
||||
value: "{{ .Values.keycloak.postgresql.auth.password }}"
|
||||
- name: KEYCLOAK_PRODUCTION
|
||||
value: "true"
|
||||
- name: KC_HOSTNAME_URL
|
||||
value: "https://auth.example.com"
|
||||
- name: KC_HOSTNAME_ADMIN_URL
|
||||
value: "https://auth.example.com"
|
||||
|
||||
extraVolumes:
|
||||
- name: realm-export
|
||||
configMap:
|
||||
name: realm-export
|
||||
|
||||
extraVolumeMounts:
|
||||
- name: realm-export
|
||||
mountPath: /opt/bitnami/keycloak/data/import/realm-export.json
|
||||
subPath: realm-export.json
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
hostname: auth.example.com
|
||||
ingressClassName: traefik
|
||||
tls: true
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: traefik
|
||||
# cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете
|
||||
extraTls:
|
||||
- hosts:
|
||||
- "auth.example.com"
|
||||
secretName: "you_tls_secret"
|
||||
rules:
|
||||
- host: "auth.example.com"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
service:
|
||||
name: yonote-keycloak
|
||||
port: http
|
||||
- path: /admin
|
||||
pathType: Prefix
|
||||
service:
|
||||
name: yonote-keycloak
|
||||
port: http
|
||||
|
||||
proxy: "edge"
|
||||
|
||||
resources:
|
||||
limits:
|
||||
cpu: 1
|
||||
memory: 1Gi
|
||||
requests:
|
||||
cpu: 250m
|
||||
memory: 256Mi
|
||||
|
||||
postgresql:
|
||||
enabled: true
|
||||
auth:
|
||||
database: keycloak
|
||||
username: keycloak
|
||||
name: keycloak-database
|
||||
fullnameOverride: keycloak-database
|
||||
nameOverride: keycloak-database
|
||||
primary:
|
||||
persistence:
|
||||
size: 5Gi
|
||||
Loading…
Reference in New Issue