

main ... 2.0.0

8 changed files with 331 additions and 466 deletions


@ -1,5 +1,14 @@
# Yonote Helm Chart
**Критическое изменение**
Данный чарт предназначен только для новых развертываний!
Версия 2.x.x не совместима с предыдущими версиями 1.x.x данного чарта. Если вы попытаетесь использовать этот чарт для обновления существующего развертывания Yonote, это приведет к потере данных.
Руководство по миграции будет предоставлено в ближайшее время.
## Обзор
Этот Helm chart позволяет развернуть **Yonote** в Kubernetes. Он предоставляет быстрый и простой способ установки, настройки и управления приложением с помощью Helm.
@ -48,6 +57,26 @@ helm install app -f values.yaml -f secret-values.yaml -n yonote-onprem .
```
После выполнения команды начнётся установка приложения и всех дополнительных сервисов к нему. Остаётся только подождать, пока все сервисы запустятся.
### 5. Keycloak
Перед первым входом в Yonote необходимо обновить поле **Valid redirect URIs** клиента yonote в области (realm) Yonote в системе Keycloak.
Уже существуют две записи, поэтому достаточно просто скопировать их и отредактировать.
Например:
Существующие записи:
* http://example.com/*
* https://example.com/*
Добавить следующие:
* http://app.example.com/*
* https://app.example.com/*
* https://app.example.com/auth/oidc.callback/*
* https://team.example.com/*
Примечание: символы * в URL-адресах являются подстановочными знаками и обозначают любые дополнительные пути после указанного базового URL.
### Обратная связь
Если у вас есть вопросы или вам нужна помощь, пишите на email: hello@yonote.ru


@ -14,17 +14,17 @@ dependencies:
- name: app
repository: https://dysnix.github.io/charts
version: 0.3.15
- name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 11.6.6
- name: postgres
repository: https://groundhog2k.github.io/helm-charts/
version: 0.3.9
- name: redis
repository: https://charts.bitnami.com/bitnami
version: 16.12.1
repository: https://groundhog2k.github.io/helm-charts/
version: 0.7.0
- name: minio
repository: https://charts.bitnami.com/bitnami
version: 12.7.0
- name: keycloak
repository: https://charts.bitnami.com/bitnami
version: 14.0.0
digest: sha256:928723e189de54fafe19316743b8f9d08d7c74f9728b0c4afb1f5cd3ee1e83dc
generated: "2024-08-25T00:46:01.648512702+03:00"
repository: https://charts.min.io/
version: 5.4.0
- name: keycloakx
repository: https://codecentric.github.io/helm-charts
version: 1.3.2
digest: sha256:ad0128ad6d526a8946d659481ec5dc19d1faf785919efbcc689a37ae80bc820e
generated: "2025-10-30T14:17:59.001901626+03:00"


@ -1,9 +1,9 @@
apiVersion: v2
name: yonote-chart
version: 1.2.0
version: 2.0.0
description:
Generic application Helm chart.
This chart includes multiple dependencies. The base of this chart is derived from the Dynix app chart.
This chart includes multiple dependencies. The base of this chart is derived from the Dysnix app chart.
maintainers:
- name: Dysnix
email: support@dysnix.com
@ -35,26 +35,26 @@ dependencies:
repository: https://dysnix.github.io/charts
alias: yonote-collaboration
- name: postgresql
version: "11.6.6"
repository: https://charts.bitnami.com/bitnami
condition: yonoteDatabase.enabled
alias: yonoteDatabase
- name: postgres
version: "0.3.9"
repository: https://groundhog2k.github.io/helm-charts/
condition: postgres.enabled
alias: postgres
- name: redis
version: "16.12.1"
repository: https://charts.bitnami.com/bitnami
condition: yonote-redis.enabled
alias: yonote-redis
version: "0.7.0"
repository: https://groundhog2k.github.io/helm-charts/
condition: redis.enabled
alias: redis
- name: minio
version: "12.7.0"
repository: https://charts.bitnami.com/bitnami
version: "5.4.0"
repository: https://charts.min.io/
condition: minio.enabled
alias: minio
- name: keycloak
version: "14.0.0"
repository: https://charts.bitnami.com/bitnami
- name: keycloakx
version: "1.3.2"
repository: https://codecentric.github.io/helm-charts
condition: keycloak.enabled
alias: keycloak


@ -3,17 +3,17 @@ global:
config:
secret:
stringData:
DATABASE_URL: 'postgres://{{ .Values.yonoteDatabase.global.postgresql.auth.username }}:{{ .Values.yonoteDatabase.global.postgresql.auth.password }}@yonote-database:5432/{{ .Values.yonoteDatabase.global.postgresql.auth.database }}'
POSTGRES_PASSWORD: "{{ .Values.yonoteDatabase.global.postgresql.auth.password }}"
AWS_ACCESS_KEY_ID: "{{ .Values.minio.customUser }}" # Ваш идентификатор ключа доступа к AWS.
AWS_SECRET_ACCESS_KEY: "{{ .Values.minio.customAccessKey }}" # Ваш секретный ключ доступа AWS.
OIDC_CLIENT_SECRET: "Kdq8rk5Pv5RW1c5kHXpnyfrmMRzI9xSD" # Секретный ключ клиента для аутентификации по OpenID Connect (OIDC).
DATABASE_URL: 'postgres://{{ .Values.postgres.userDatabase.user }}:{{ .Values.postgres.userDatabase.password }}@yonote-database:5432/{{ .Values.postgres.userDatabase.name }}'
POSTGRES_PASSWORD: "{{ .Values.postgres.userDatabase.password }}"
AWS_ACCESS_KEY_ID: "qwer12314q" # Ваш идентификатор ключа доступа к AWS.
AWS_SECRET_ACCESS_KEY: "qwer-12314q-qwersa" # Ваш секретный ключ доступа AWS.
OIDC_CLIENT_SECRET: "{{ .Values.keycloak.secrets.secrets.stringData.OIDC_CLIENT_SECRET }}" # Секретный ключ клиента для аутентификации по OpenID Connect (OIDC).
SECRET_KEY: "659a8881b186198c3146e316f6dab67df25496534d1fa156d624b037260df688" # Сгенерируйте 32-байтовый случайный ключ в шестнадцатеричном коде. Вам следует использовать `openssl rand -hex 32` в вашем терминале для генерации случайного значения.
SMTP_PASSWORD: "1234"
UTILS_SECRET: "7bd5e9ac4415dd0dbf6b7721e2a21e9427b268cd0140c7516d13dece5024d479" # Сгенерируйте уникальный случайный ключ. Формат не важен, но вы все равно можете использовать`openssl rand -hex 32` в вашем терминале, чтобы создать это.
TELEGRAM_BOT_TOKEN: "1234"
UNSPLASH_API_ACCESS_KEY: "a-yGo6HpRP6jNfravx4Bz-oiPrRnH_5-24Xa9ZPlePE"
LICENSE_KEY: "qwerty-123456-zxcvb" # Обратитесь в отдел продаж для получения
LICENSE_KEY: "" # Обратитесь в отдел продаж для получения
SERVICE_WORKER_PUBLIC_KEY: "1234"
SERVICE_WORKER_PRIVATE_KEY: "1234"
# Генерация ключей (web-push) Service Worker
@ -22,22 +22,24 @@ global:
# npx web-push generate-vapid-keys
# 3) Полученные значения ввести в .env файл (SERVICE_WORKER_PUBLIC_KEY, SERVICE_WORKER_PRIVATE_KEY)
yonoteDatabase:
global:
postgresql:
auth:
password: "wsGZ6kXhr5"
postgresPassword: "QQYw4UjOU"
postgres:
settings:
superuserPassword: "QQYw4UjOU"
userDatabase:
password: "wsGZ6kXhr5"
# yonote-redis: # Если используете auth для redis
# auth:
# password: "12345678"
redis:
args:
- "--user redis:redis"
minio:
customAccessKey: "qwer-12314q-qwersa"
auth:
rootPassword: "qwettaas"
rootPassword: "qwettaas"
keycloak:
auth:
adminPassword: "root"
database:
password: keycloakdbpassword
secrets:
secrets:
stringData:
KEYCLOAK_ADMIN_PASSWORD: secret
OIDC_CLIENT_SECRET: "iS3jOA3Z7zXBwSN8EzJm36ybz57JNgpR"
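Review bot: `AWS_ACCESS_KEY_ID: "qwer12314q"` and `AWS_SECRET_ACCESS_KEY: "qwer-12314q-qwersa"` in the first hunk replace the templated `.Values.minio.customUser` / `.Values.minio.customAccessKey` references with literals that must stay byte-identical to the `minio.users[].accessKey` / `secretKey` pair kept in values.yaml, so the two files now drift independently and a mismatch only surfaces as S3 authentication failures at runtime. The same stringData block already templates `OIDC_CLIENT_SECRET` from `.Values.keycloak...`, so the MinIO pair could be derived the same way, e.g. `AWS_ACCESS_KEY_ID: "{{ (index .Values.minio.users 0).accessKey }}"` — this assumes the values are passed through tpl, which the other templated entries imply but the hunk does not show. In the second hunk `KEYCLOAK_ADMIN_PASSWORD: secret` and `database.password: keycloakdbpassword` ship as working defaults in the example secrets file; following the `LICENSE_KEY: ""` convention used a few lines above (empty, must be filled in) would make an install that forgot to set them fail loudly instead of running with a known admin credential.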


@ -3,5 +3,12 @@ kind: ConfigMap
metadata:
name: postgres-init-scripts
data:
init.sql: |
CREATE DATABASE "{{ .Values.keycloak.externalDatabase.database }}";
init-keycloak-db.sh: |
!/bin/bash
set -e
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
CREATE DATABASE {{ .Values.keycloak.database.database }};
CREATE USER {{ .Values.keycloak.database.username }} WITH PASSWORD '{{ .Values.keycloak.database.password }}';
GRANT ALL PRIVILEGES ON DATABASE keycloak TO {{ .Values.keycloak.database.username }};
EOSQL
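Review bot: `GRANT ALL PRIVILEGES ON DATABASE keycloak TO ...` hard-codes the database name while the `CREATE DATABASE` line two lines above uses `{{ .Values.keycloak.database.database }}`; with any non-default name the GRANT targets a database that does not exist and, under `ON_ERROR_STOP=1` plus `set -e`, the whole init script aborts. Use the same template value: `GRANT ALL PRIVILEGES ON DATABASE {{ .Values.keycloak.database.database }} TO {{ .Values.keycloak.database.username }};`. The password is also interpolated unescaped into the SQL inside an unquoted heredoc, so a value containing `'` or `$` either breaks the statement or is shell-expanded before psql sees it; quoting the delimiter (`<<-'EOSQL'`) removes the shell expansion, though the value must still be free of single quotes, or be passed via a psql variable instead of inline text. The first line of the script renders as `!/bin/bash` on this page — confirm the file actually reads `#!/bin/bash`, since without the `#` bash reports an error before the loop starts.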


@ -13,54 +13,22 @@ spec:
spec:
containers:
- name: mc-client
image: "docker.io/bitnami/minio-client:2024.8.13-debian-12-r0"
image: "minio/mc:RELEASE.2025-01-17T23-25-50Z"
command: ["/bin/sh", "-c"]
args:
- |
until mc alias set myminio http://yonote-minio:9000 {{ .Values.minio.auth.rootUser }} {{ .Values.minio.auth.rootPassword }}; do
until mc alias set myminio http://yonote-minio:9000 {{ .Values.minio.rootUser }} {{ .Values.minio.rootPassword }}; do
echo "Waiting for MinIO to be ready..."
sleep 5
done
echo "MinIO is ready and alias is set."
# Создание пользователя
if ! mc admin user add myminio {{ .Values.minio.customUser }} {{ .Values.minio.customAccessKey }}; then
echo "User {{ .Values.minio.customUser }} already exists or failed to create."
else
echo "User {{ .Values.minio.customUser }} created successfully."
fi
# Назначение политики для нового пользователя
cat <<EOF > /tmp/minio-user-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::yonote-bucket/*"
]
}
]
}
EOF
echo "User policy JSON file created."
mc admin policy create myminio yonote-policy /tmp/minio-user-policy.json
echo "User policy created and applied."
# Создание бакета
if ! mc ls myminio/yonote-bucket; then
mc mb myminio/yonote-bucket
echo "Bucket yonote-bucket created successfully."
if ! mc ls myminio/{{ .Values.global.yonote.config.plain.data.AWS_S3_UPLOAD_BUCKET_NAME }}; then
mc mb myminio/{{ .Values.global.yonote.config.plain.data.AWS_S3_UPLOAD_BUCKET_NAME }}
echo "Bucket {{ .Values.global.yonote.config.plain.data.AWS_S3_UPLOAD_BUCKET_NAME }} created successfully."
else
echo "Bucket yonote-bucket already exists."
echo "Bucket {{ .Values.global.yonote.config.plain.data.AWS_S3_UPLOAD_BUCKET_NAME }} already exists."
fi
# Установка политик для бакета
@ -79,7 +47,7 @@ spec:
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::yonote-bucket"
"arn:aws:s3:::{{ .Values.global.yonote.config.plain.data.AWS_S3_UPLOAD_BUCKET_NAME }}"
]
},
{
@ -93,7 +61,7 @@ spec:
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::yonote-bucket/*"
"arn:aws:s3:::{{ .Values.global.yonote.config.plain.data.AWS_S3_UPLOAD_BUCKET_NAME }}/*"
]
}
]
@ -101,12 +69,9 @@ spec:
EOF
echo "Bucket policy JSON file created."
mc anonymous set-json /tmp/minio-bucket-policy.json myminio/yonote-bucket
mc anonymous set-json /tmp/minio-bucket-policy.json myminio/{{ .Values.global.yonote.config.plain.data.AWS_S3_UPLOAD_BUCKET_NAME }}
echo "Bucket policy applied."
mc admin policy attach myminio yonote-policy --user={{ .Values.minio.customUser }}
echo "Policy attached to user {{ .Values.minio.customUser }}."
resources:
requests:
memory: "128Mi"
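Review bot: The rewritten `mc alias set` line still renders `{{ .Values.minio.rootUser }}` and `{{ .Values.minio.rootPassword }}` straight into the Job's `args`, so the MinIO root credentials land in the Job manifest, in `kubectl describe job` output and in any GitOps or audit copy of the rendered chart. Sourcing them from the Secret the MinIO chart creates (name and key names are placeholders below — verify against the chart) keeps the script free of secrets; `mc` also honours `MC_HOST_<alias>` if you prefer to drop `alias set` altogether. The `until ...; do` loop has no retry limit, so a wrong credential makes the Job spin forever instead of failing — a bounded counter turns that into a visible failure. The later hunks (bucket creation, bucket policy, `mc anonymous set-json`) are consistent with the new bucket-name templating and need no change beyond the credential handling.
```yaml
          env:
            - name: MINIO_ROOT_USER
              valueFrom:
                secretKeyRef:
                  name: <minio-root-secret>   # placeholder: Secret created by the minio chart
                  key: rootUser               # verify key name against the chart's Secret
            - name: MINIO_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: <minio-root-secret>
                  key: rootPassword
          command: ["/bin/sh", "-c"]
          args:
            - |
              attempts=0
              until mc alias set myminio http://yonote-minio:9000 "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD"; do
                attempts=$((attempts + 1))
                if [ "$attempts" -ge 60 ]; then
                  echo "MinIO not reachable or credentials rejected, giving up."
                  exit 1
                fi
                echo "Waiting for MinIO to be ready..."
                sleep 5
              done
              # … unchanged: bucket creation and bucket policy steps …
```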


@ -1,169 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: realm-export
data:
realm-export.json: |
{
"realm": "yonote",
"enabled": true,
"notBefore": 1647809856,
"defaultSignatureAlgorithm": "RS256",
"revokeRefreshToken": false,
"refreshTokenMaxReuse": 0,
"accessTokenLifespan": 300,
"accessTokenLifespanForImplicitFlow": 900,
"ssoSessionIdleTimeout": 1800,
"ssoSessionMaxLifespan": 36000,
"ssoSessionIdleTimeoutRememberMe": 0,
"ssoSessionMaxLifespanRememberMe": 0,
"offlineSessionIdleTimeout": 2592000,
"offlineSessionMaxLifespanEnabled": false,
"offlineSessionMaxLifespan": 5184000,
"clientSessionIdleTimeout": 0,
"clientSessionMaxLifespan": 0,
"clientOfflineSessionIdleTimeout": 0,
"clientOfflineSessionMaxLifespan": 0,
"accessCodeLifespan": 60,
"accessCodeLifespanUserAction": 300,
"accessCodeLifespanLogin": 1800,
"actionTokenGeneratedByAdminLifespan": 43200,
"actionTokenGeneratedByUserLifespan": 300,
"oauth2DeviceCodeLifespan": 600,
"oauth2DevicePollingInterval": 5,
"sslRequired": "external",
"registrationAllowed": true,
"registrationEmailAsUsername": true,
"rememberMe": true,
"verifyEmail": false,
"loginWithEmailAllowed": true,
"duplicateEmailsAllowed": false,
"resetPasswordAllowed": true,
"editUsernameAllowed": false,
"bruteForceProtected": false,
"permanentLockout": false,
"maxFailureWaitSeconds": 900,
"minimumQuickLoginWaitSeconds": 60,
"waitIncrementSeconds": 60,
"quickLoginCheckMilliSeconds": 1000,
"maxDeltaTimeSeconds": 43200,
"failureFactor": 30,
"clients": [
{
"clientId": "{{ .Values.global.yonote.config.plain.data.OIDC_CLIENT_ID }}",
"secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}",
"redirectUris": [
"https://*.{{ .Values.global.yonote.baseListenAddress }}/*",
"http://*.{{ .Values.global.yonote.baseListenAddress }}/*",
"http://app.{{ .Values.global.yonote.baseListenAddress }}/*",
"https://app.{{ .Values.global.yonote.baseListenAddress }}/*",
"https://app.{{ .Values.global.yonote.baseListenAddress }}/auth/oidc.callback/*"
],
"baseUrl": "https://app.{{ .Values.global.yonote.baseListenAddress }}",
"enabled": true,
"publicClient": false,
"protocol": "openid-connect",
"attributes": {
"client.secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}",
"display.on.consent.screen": "true"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": false,
"protocolMappers": [
{
"name": "oidc-display-name",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}",
"jsonType.label": "String"
}
}
],
"defaultClientScopes": ["openid", "email"]
}
],
"identityProviders": [],
"internationalizationEnabled": true,
"clientScopes": [
{
"name": "openid",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "true",
"consent.screen.text": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}"
},
"protocolMappers": []
},
{
"name": "email",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "true"
},
"protocolMappers": [
{
"id": "56fe6d23-690a-465c-bc36-99bff8fef6eb",
"name": "email verified",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "emailVerified",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "email_verified",
"jsonType.label": "boolean"
}
},
{
"id": "2c6acd0e-b776-48f5-9c3b-7bfdbbe712dc",
"name": "email",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"userinfo.token.claim": "true",
"user.attribute": "email",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "email",
"jsonType.label": "String"
}
}
]
}
],
"browserSecurityHeaders": {
"contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"
},
"webAuthnPolicyRpEntityName": "keycloak",
"webAuthnPolicySignatureAlgorithms": ["ES256"],
"webAuthnPolicyRpId": "",
"webAuthnPolicyAttestationConveyancePreference": "not specified",
"webAuthnPolicyAuthenticatorAttachment": "not specified",
"webAuthnPolicyRequireResidentKey": "not specified",
"webAuthnPolicyUserVerificationRequirement": "not specified",
"webAuthnPolicyCreateTimeout": 0,
"webAuthnPolicyAvoidSameAuthenticatorRegister": false,
"webAuthnPolicyAcceptableAaguids": [],
"webAuthnPolicyPasswordlessRpEntityName": "keycloak",
"webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"],
"webAuthnPolicyPasswordlessRpId": "",
"webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
"webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
"webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
"webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
"webAuthnPolicyPasswordlessCreateTimeout": 0,
"webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
"webAuthnPolicyPasswordlessAcceptableAaguids": [],
"smtpServer": {}
}


@ -7,6 +7,7 @@ global:
config:
plain:
data:
DEBUG: debug
NODE_ENV: production
FORCE_HTTPS: "false"
PGSSLMODE: disable # Отключает SSL подключение к базе данных. Уберите эту строку, если вы используете SSL подключение к PostgreSQL
@ -15,7 +16,7 @@ global:
BIND_HOST: 0.0.0.0 # Хост по умолчанию
PORT: "3000" # Порт по умолчанию
REDIS_URL: redis://yonote-redis-master:6379
REDIS_URL: redis://yonote-redis:6379
DEFAULT_LANGUAGE: ru_RU # Язык по умолчанию
ENABLE_UPDATES: "false"
@ -23,8 +24,10 @@ global:
AI_URL: "1234"
AI_API_KEY: "1234"
URL: 'https://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения
COLLABORATION_URL: 'wss://app.{{ .Values.global.yonote.baseListenAddress }}' # Cервер, для нормальной работы это не нужно устанавливать
URL: 'https://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения
COLLABORATION_URL: 'wss://app.{{ .Values.global.yonote.baseListenAddress }}' # Cервер, для нормальной работы это не нужно устанавливать
#DEPLOYMENT: 'hosted'
OIDC_DISPLAY_NAME: email
OIDC_SCOPES: openid email
@ -35,7 +38,7 @@ global:
OIDC_USERINFO_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/userinfo' # URL для получения информации о пользователе. Используется для получения данных профиля пользователя на основе его токена.
AWS_S3_ACL: private
AWS_S3_UPLOAD_BUCKET_URL: 'https://api-s3.example.com' # Адрес API S3 хранилища
AWS_S3_UPLOAD_BUCKET_URL: 'https://s3.example.com' # Адрес API S3 хранилища
AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket # Имя хранилища
AWS_REGION: "RU"
AWS_S3_UPLOAD_MAX_SIZE: "226214400" # Максимальный размер хранилища
@ -53,11 +56,11 @@ global:
RESERVED_SUBDOMAINS: about,account,admin,advertising,api,app,assets,archive,beta,billing,blog,cache,cdn,code,community,dashboard,developer,developers,forum,help,home,http,https,imap,localhost,mail,marketing,mobile,multiplayer,new,news,newsletter,ns1,ns2,ns3,ns4,password,profile,realtime,sandbox,script,scripts,setup,signin,signup,site,smtp,support,status,static,stats,test,update,updates,ws,wss,web,websockets,www,www1,www2,www3,www4
SMTP_HOST: ""
SMTP_HOST: "smtp.wilix.dev"
SMTP_USERNAME: ""
SMTP_FROM_EMAIL: ""
SMTP_REPLY_EMAIL: ""
SMTP_PORT: ""
SMTP_PORT: "456"
SMTP_SECURE: "" # connection will be upgraded: https://nodemailer.com/smtp/
SMTP_REQUIRE_TLS: ""
@ -75,58 +78,58 @@ ingress:
namespace: yonote-onprem
ingressClassName: traefik
tls:
secretName: "you_tls_secret"
secretName: "example.com-tls"
hosts:
- "app.example.com"
- "team.example.com"
rules:
- host: "app.example.com"
paths:
- path: /
pathType: Prefix
service:
name: yonote-web
port: 80
- path: /realtime
pathType: Prefix
service:
name: yonote-websockets
port: 80
- path: /whiteboard
pathType: Prefix
service:
name: yonote-whiteboard
port: 80
- path: /collaboration
pathType: Prefix
service:
name: yonote-collaboration
port: 80
- host: "team.example.com"
paths:
- path: /
pathType: Prefix
service:
name: yonote-web
port: 80
- path: /realtime
pathType: Prefix
service:
name: yonote-websockets
port: 80
- path: /whiteboard
pathType: Prefix
service:
name: yonote-whiteboard
port: 80
- path: /collaboration
pathType: Prefix
service:
name: yonote-collaboration
port: 80
- host: "app.example.com"
paths:
- path: /
pathType: Prefix
service:
name: yonote-web
port: 80
- path: /realtime
pathType: Prefix
service:
name: yonote-websockets
port: 80
- path: /whiteboard
pathType: Prefix
service:
name: yonote-whiteboard
port: 80
- path: /collaboration
pathType: Prefix
service:
name: yonote-collaboration
port: 80
- host: "team.example.com"
paths:
- path: /
pathType: Prefix
service:
name: yonote-web
port: 80
- path: /realtime
pathType: Prefix
service:
name: yonote-websockets
port: 80
- path: /whiteboard
pathType: Prefix
service:
name: yonote-whiteboard
port: 80
- path: /collaboration
pathType: Prefix
service:
name: yonote-collaboration
port: 80
annotations:
# cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете
#annotations:
# cert-manager.io/cluster-issuer: # Если используете
yonote-web:
fullnameOverride: yonote-web
@ -136,7 +139,7 @@ yonote-web:
image:
registry: images.updates.yonote.ru
repository: yonote
tag: 1.19.8
tag: 1.22.11
pullPolicy: IfNotPresent
command: ["/bin/sh", "-c"]
@ -144,7 +147,7 @@ yonote-web:
initContainers:
- name: yonote-migration
image: images.updates.yonote.ru/yonote:1.19.8
image: images.updates.yonote.ru/yonote:1.22.11
imagePullPolicy: IfNotPresent
command:
- /bin/sh
@ -220,7 +223,7 @@ yonote-websocket:
image:
registry: images.updates.yonote.ru
repository: yonote
tag: 1.19.8
tag: 1.22.11
pullPolicy: IfNotPresent
command: ["/bin/sh", "-c"]
@ -289,7 +292,7 @@ yonote-whiteboard:
image:
registry: images.updates.yonote.ru
repository: yonote
tag: 1.19.8
tag: 1.22.11
pullPolicy: IfNotPresent
command: ["/bin/sh", "-c"]
@ -358,7 +361,7 @@ yonote-worker:
image:
registry: images.updates.yonote.ru
repository: yonote
tag: 1.19.8
tag: 1.22.11
pullPolicy: IfNotPresent
command: ["/bin/sh", "-c"]
@ -427,7 +430,7 @@ yonote-collaboration:
image:
registry: images.updates.yonote.ru
repository: yonote
tag: 1.19.8
tag: 1.22.11
pullPolicy: IfNotPresent
command: ["/bin/sh", "-c"]
@ -488,104 +491,106 @@ yonote-collaboration:
path: /_health
port: app
yonoteDatabase:
postgres:
enabled: true
global:
postgresql:
auth:
database: "yonote"
username: "yonote"
name: yonote-database
#settings:
# Default postgres
# superuser:
userDatabase:
name: yonote
user: yonote
fullnameOverride: yonote-database
nameOverride: yonote-database
primary:
persistence:
size: 5Gi
resources:
limits:
cpu: 2
memory: 8Gi
requests:
cpu: 500m
memory: 512Mi
storage:
requestedSize: 5Gi
className: ""
extraVolumes:
- name: init-scripts
configMap:
name: postgres-init-scripts
resources:
limits:
cpu: 2
memory: 5Gi
requests:
cpu: 500m
memory: 512Mi
extraVolumeMounts:
- name: init-scripts
mountPath: /docker-entrypoint-initdb.d
readOnly: true
extraScripts: postgres-init-scripts
yonote-redis:
redis:
enabled: true
fullnameOverride: yonote-redis
nameOverride: redis
architecture: standalone
image:
tag: 7.2.0-debian-11-r0
auth:
enabled: false
master:
persistence:
size: 5Gi
resources:
limits:
cpu: 1
memory: 4Gi
requests:
cpu: 500m
memory: 512Mi
storage:
requestedSize: 1Gi
className: ""
resources:
limits:
cpu: 1
memory: 4Gi
requests:
cpu: 500m
memory: 512Mi
minio:
enabled: true
name: minio
fullnameOverride: yonote-minio
customUser: yonote
nameOverride: yonote-minio
auth:
rootUser: admin
mode: standalone
rootUser: admin
image:
tag: 2024.8.3-debian-12-r1
policies:
- name: yonote_user_policy
statements:
- resources:
- 'arn:aws:s3:::yonote-bucket/*'
actions:
- "s3:GetObject"
- "s3:PutObject"
- "s3:DeleteObject"
users:
- accessKey: qwer12314q
secretKey: qwer-12314q-qwersa
policy: yonote_user_policy
persistence:
enabled: true
size: 5Gi
annotations:
helm.sh/resource-policy: keep
size: 1Gi
storageClass: ""
ingress:
enabled: true
hostname: 's3.example.com'
hosts:
- s3.example.com
ingressClassName: traefik
path: '/'
pathType: ImplementationSpecific
annotations:
kubernetes.io/ingress.class: traefik
# cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете
extraTls:
- hosts:
- "s3.example.com"
secretName: "you_tls_secret"
#cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете
tls:
- hosts:
- "s3.example.com"
secretName: "example.com-tls"
apiIngress:
consoleIngress:
enabled: true
hostname: 'api-s3.example.com'
hosts:
- s3-console.example.com
ingressClassName: traefik
path: '/'
pathType: ImplementationSpecific
servicePort: minio-api
annotations:
kubernetes.io/ingress.class: traefik
# cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете
extraTls:
- hosts:
- "api-s3.example.com"
secretName: "api-s3.example.com"
#cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете
tls:
- hosts:
- "s3-console.example.com"
secretName: "example.com-tls"
resources:
requests:
@ -599,36 +604,53 @@ mcJob:
enabled: true
keycloak:
enabled: true
fullnameOverride: yonote-keycloak
nameOverride: yonote-keycloak
auth:
adminUser: root
image:
repository: images.updates.yonote.ru/yonote-keycloak
tag: latest
proxy: "edge"
args:
- start-dev --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --import-realm
command:
- /bin/bash
- -c
- |
/opt/bitnami/keycloak/bin/kc.sh start --import-realm --hostname={{ .Values.ingress.hostname }} --hostname-strict=true --hostname-strict-backchannel=true --https-protocols=TLSv1.2 --proxy=edge --db postgres --db-url-host yonote-database --db-username postgres --db-password="$(DB_PASSWORD)"
cache:
stack: custom
extraEnvVars:
- name: DB_PASSWORD
proxy:
enabled: "false"
extraEnv: |
- name: KEYCLOAK_ADMIN
value: root
- name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: yonote-database
key: postgres-password
name: {{ include "keycloak.fullname" . }}-secrets
key: KEYCLOAK_ADMIN_PASSWORD
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ include "keycloak.fullname" . }}-secrets
key: OIDC_CLIENT_SECRET
- name: BASENAME_FOR_SUBDOMAIN
value: example.com
- name: KC_HOSTNAME_STRICT
value: "false"
- name: KC_HOSTNAME
value: auth.example.com
- name: KC_HOSTNAME_STRICT_HTTPS
value: "false"
- name: KC_HOSTNAME_PATH
value: "/"
- name: KC_HTTP_ENABLED
value: "true"
- name: PROXY_ADDRESS_FORWARDING
value: "true"
extraVolumes:
- name: realm-export
configMap:
name: realm-export
extraVolumeMounts:
- name: realm-export
mountPath: /opt/bitnami/keycloak/data/import/realm-export.json
subPath: realm-export.json
http:
relativePath: "/"
ingress:
enabled: true
@ -637,20 +659,21 @@ keycloak:
tls:
- hosts:
- "auth.example.com"
secretName: "auth.example.com-tls"
secretName: "example.com-tls"
annotations:
kubernetes.io/ingress.class: traefik
# cert-manager.io/cluster-issuer: letsencrypt.example.com #Если используете
#cert-manager.io/cluster-issuer: #Если используете
rules:
- host: "auth.example.com"
paths:
- path: /
pathType: Prefix
pathType: ImplementationSpecific
service:
name: yonote-keycloak
port: http
- path: /admin
pathType: Prefix
pathType: ImplementationSpecific
service:
name: yonote-keycloak
port: http
@ -663,19 +686,27 @@ keycloak:
cpu: 250m
memory: 256Mi
postgresql:
enabled: false
dbchecker:
enabled: "true"
externalDatabase:
host: jdbc:postgresql://yonote-database
database:
vendor: postgres
hostname: yonote-database
port: 5432
user: postgres
database: keycloak
username: keycloak
livenessProbe:
livenessProbe: |
httpGet:
path: '{{ trimSuffix "/" .Values.http.relativePath}}/'
port: http
initialDelaySeconds: 240
timeoutSeconds: 5
readinessProbe:
# Readiness probe configuration
readinessProbe: |
httpGet:
path: '{{ trimSuffix "/" .Values.http.relativePath}}/realms/master'
port: http
initialDelaySeconds: 120
timeoutSeconds: 5
timeoutSeconds: 1
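Review bot: `proxy.enabled: "false"` in the keycloak hunk is a quoted string, and a Helm template that tests it with a bare `{{ if .Values.proxy.enabled }}` treats any non-empty string as true, so the intent to disable is most likely not honoured (the same applies in the other direction to `dbchecker.enabled: "true"`, which only works by accident); write both as bare booleans, `enabled: false` and `enabled: true`, unless the keycloakx chart documents a string here. Several environment-specific values also replaced the sanitised placeholders of 1.x: `SMTP_HOST: "smtp.wilix.dev"`, `SMTP_PORT: "456"` (probably a typo for 465 or 587 — `SMTP_SECURE` is still `""`, so the intended mode is unclear) and the two `letsencrypt.rancher.wilix.dev` issuer comments in the minio ingress blocks, whereas the app and keycloak ingress hunks were scrubbed to `#cert-manager.io/cluster-issuer:`. Finally, `minio.users[].secretKey: qwer-12314q-qwersa` puts a credential into values.yaml, although the README installs it alongside a separate secret-values.yaml meant for exactly this kind of value; moving the `users` entry there (or at least the `secretKey`) keeps the public/secret split consistent.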