diff --git a/yonote-chart/secret-values.yaml b/yonote-chart/secret-values.yaml
index c21f90f..862eeb2 100644
--- a/yonote-chart/secret-values.yaml
+++ b/yonote-chart/secret-values.yaml
@@ -7,7 +7,7 @@ global:
 POSTGRES_PASSWORD: wsGZ6kXhr5
 AWS_ACCESS_KEY_ID: "" # Ваш идентификатор ключа доступа к AWS. Поведение в SelfHosted: устанавливает логин сервис аккаунта для доступа приложения к Minio S3 хранилищу
 AWS_SECRET_ACCESS_KEY: "minioadmin" # Ваш секретный ключ доступа AWS. Поведение в SelfHosted: устанавливает пароль сервис аккаунта для доступа приложения к Minio S3 хранилищу
- OIDC_CLIENT_SECRET: "minioadminsecret"
+ OIDC_CLIENT_SECRET: "Kdq8rk5Pv5RW1c5kHXpnyfrmMRzI9xSD"
 SECRET_KEY: "659a8881b186198c3146e316f6dab67df25496534d1fa156d624b037260df688" # Сгенерируйте 32-байтовый случайный ключ в шестнадцатеричном коде. Вам следует использовать `openssl rand -hex 32` в вашем терминале для генерации случайного значения.
 SMTP_PASSWORD: "1234"
 UTILS_SECRET: "7bd5e9ac4415dd0dbf6b7721e2a21e9427b268cd0140c7516d13dece5024d479" # Сгенерируйте уникальный случайный ключ. Формат не важен, но вы все равно можете использовать`openssl rand -hex 32` в вашем терминале, чтобы создать это.
diff --git a/yonote-chart/templates/ingress.yaml b/yonote-chart/templates/ingress.yaml
new file mode 100644
index 0000000..04bc8a6
--- /dev/null
+++ b/yonote-chart/templates/ingress.yaml
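Review bot: The new `OIDC_CLIENT_SECRET` on the `+` line is a real-looking 32-character client secret committed to the repository in plaintext, next to `POSTGRES_PASSWORD`, `AWS_SECRET_ACCESS_KEY: "minioadmin"` and `SMTP_PASSWORD: "1234"` in the context lines. Once it is in git history the value has to be treated as disclosed, so it should be rotated in the IdP and this file should carry only a placeholder, e.g. `OIDC_CLIENT_SECRET: ""  # supplied at deploy time via --set or an external/sealed Secret`, with the real value injected outside VCS. `minioadmin` is also MinIO's well-known default credential and, given that the same commit exposes MinIO through an ingress, should be replaced before the stand is reachable. A short comment on `OIDC_CLIENT_SECRET` saying which realm/client it belongs to, like the neighbouring keys have, would also help whoever has to rotate it.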
@@ -0,0 +1,34 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ .Values.ingress.name }}
+ namespace: {{ .Values.ingress.namespace }}
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: "{{ $value }}"
+ {{- end }}
+spec:
+ ingressClassName: {{ .Values.ingress.ingressClassName }}
+ tls:
+ - secretName: "{{ .Values.ingress.tls.secretName }}"
+ hosts:
+ {{- range .Values.ingress.tls.hosts }}
+ - "{{ . }}"
+ {{- end }}
+ rules:
+ {{- range .Values.ingress.rules }}
+ - host: "{{ .host }}"
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ pathType: {{ .pathType }}
+ backend:
+ service:
+ name: {{ .service.name }}
+ port:
+ number: {{ .service.port | int }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/traefic-http-to-https-redirect-middleware.yaml b/yonote-chart/traefic-http-to-https-redirect-middleware.yaml
similarity index 81%
rename from traefic-http-to-https-redirect-middleware.yaml
rename to yonote-chart/traefic-http-to-https-redirect-middleware.yaml
index 93c470f..f1129b1 100644
--- a/traefic-http-to-https-redirect-middleware.yaml
+++ b/yonote-chart/traefic-http-to-https-redirect-middleware.yaml
@@ -2,7 +2,7 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
- name: redirect-https
+ name: yonote-onprem-redirect-https
 spec:
 redirectScheme:
 scheme: https
diff --git a/traefik-wss-headers-middleware.yaml b/yonote-chart/traefik-wss-headers-middleware.yaml
similarity index 82%
rename from traefik-wss-headers-middleware.yaml
rename to yonote-chart/traefik-wss-headers-middleware.yaml
index c8fc1bd..e70cfc2 100644
--- a/traefik-wss-headers-middleware.yaml
+++ b/yonote-chart/traefik-wss-headers-middleware.yaml
@@ -2,7 +2,7 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
- name: wss-headers
+ name: yonote-onprem-wss-headers
 spec:
 headers:
 customRequestHeaders:
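Review bot: The annotation loop renders every value as `"{{ $value }}"`, which produces broken YAML as soon as a value contains a double quote or backslash and is exactly where a `traefik.ingress.kubernetes.io/router.middlewares` list would be passed; `{{ $key }}: {{ $value | quote }}` is the safe form. The `namespace:` is taken from `.Values.ingress.namespace` instead of `.Release.Namespace`, and an Ingress can only route to Services in its own namespace, so if the value (`yonote-onprem` in values.yaml) differs from the release namespace the backends `yonote-web`, `yonote-websockets` and friends resolve to nothing without any template error. The `tls:` entry is also emitted unconditionally, so an empty `tls.secretName` yields `secretName: ""` rather than a plain-HTTP ingress; guarding it with `{{- if .Values.ingress.tls.secretName }}` avoids that. Finally the file ends without a trailing newline, which the `\ No newline at end of file` marker shows and which some YAML linters reject.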
diff --git a/yonote-chart/values.yaml b/yonote-chart/values.yaml index a183892..b3bd94d 100644 --- a/yonote-chart/values.yaml +++ b/yonote-chart/values.yaml @@ -6,16 +6,13 @@ global: username: yonote yonote: - ingress: - ingressClassName: nginx - dbMigrationEnv: production-ssl-disabled # Режим подключения к базе данных при выполнении миграций. При использовании SSL подключения, установите значение `production` - - baseListenAddress: example.com + baseListenAddress: onprem-test.stands.wilix.dev config: plain: data: + DEPLOYMENT: hosted NODE_ENV: production FORCE_HTTPS: "false" PGSSLMODE: disable # Отключает SSL подключение к базе данных. Уберите эту строку, если вы используете SSL подключение к PostgreSQL 
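Review bot: `FORCE_HTTPS: "false"` is left untouched in the context lines while the same commit removes the nginx `force-ssl-redirect: "true"` annotations from every per-service ingress further down and the replacement Ingress carries only a cert-manager annotation, so — assuming `FORCE_HTTPS` is the app-side redirect, which the file does not document — nothing now forces plain-HTTP requests to the app host onto HTTPS; either set `FORCE_HTTPS: "true"` here or attach the renamed `yonote-onprem-redirect-https` middleware to the new ingress. The default `baseListenAddress` now hard-codes the internal test stand `onprem-test.stands.wilix.dev` in place of the previous `example.com` placeholder, which puts an internal hostname into the chart's shipped defaults and makes any install that forgets to override it route to that stand. `DEPLOYMENT: hosted` is added without a comment, unlike its neighbours; a one-liner such as `DEPLOYMENT: hosted  # selects the self-hosted code paths (see OIDC/S3 settings below)` — or whatever it actually switches — would help the next operator.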
@@ -30,17 +27,18 @@ global: AI_URL: "1234" AI_API_KEY: "1234" + WEB_CONCURRENCY: "1" - URL: 'http://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения + URL: 'https://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения COLLABORATION_URL: 'wss://app.{{ .Values.global.yonote.baseListenAddress }}' # Cервер, для нормальной работы это не нужно устанавливать OIDC_DISPLAY_NAME: email OIDC_SCOPES: openid email - OIDC_CLIENT_ID: yonote - OIDC_AUTH_URI: 'yonote-keycloak:8080/realms/yonote/protocol/openid-connect/auth' - OIDC_LOGOUT_URI: 'yonote-keycloak:8080/realms/yonote/protocol/openid-connect/logout' - OIDC_TOKEN_URI: 'yonote-keycloak:8080/realms/yonote/protocol/openid-connect/token' - OIDC_USERINFO_URI: 'yonote-keycloak:8080/realms/yonote/protocol/openid-connect/userinfo' + OIDC_CLIENT_ID: yonote-local + OIDC_AUTH_URI: 'https://auth.yonote.ru/realms/yonote-test/protocol/openid-connect/auth' + OIDC_LOGOUT_URI: 'https://auth.yonote.ru/realms/yonote-test/protocol/openid-connect/logout' + OIDC_TOKEN_URI: 'https://auth.yonote.ru/realms/yonote-test/protocol/openid-connect/token' + OIDC_USERINFO_URI: 'https://auth.yonote.ru/realms/yonote-test/protocol/openid-connect/userinfo' AWS_S3_ACL: private AWS_S3_UPLOAD_BUCKET_URL: yonote-minio:9000 # Адрес S3 хранилища 
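Review bot: The four `OIDC_*_URI` defaults now point at the external `https://auth.yonote.ru/realms/yonote-test/...` realm with `OIDC_CLIENT_ID: yonote-local`, replacing the in-cluster `yonote-keycloak:8080` endpoints, so as shipped chart defaults they send every self-hosted login — together with the `OIDC_CLIENT_SECRET` from secret-values.yaml — to a vendor test realm unless the installer overrides all five keys. Keep the defaults on the bundled Keycloak and move these values into a per-stand override file, or at minimum add `# test realm only, override for production` above `OIDC_CLIENT_ID`. Note also that `URL` is switched to `https://app....` while `FORCE_HTTPS` in the same config map stays `"false"`, so the redirect URI registered for the client in that realm presumably has to be the https one or the callback will not match; worth confirming against the realm config. `AI_API_KEY: "1234"` in the context lines looks like a placeholder credential sitting in the plain ConfigMap rather than in secret-values, where the other secrets live.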
@@ -77,6 +75,104 @@ global: cron_enabled: "true" url: http://yonote-web/api/cron.schedule + # ingress: + # enabled: true + # hostname: 'app.onprem-test.stands.wilix.dev' + # ingressClassName: traefik + # path: '/' + # pathType: Prefix + # annotations: + # cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + # # nginx.ingress.kubernetes.io/force-ssl-redirect: "false" + # # nginx.ingress.kubernetes.io/configuration-snippet: | + # # more_set_headers "Host $http_host"; + # # more_set_headers "X-Real-IP $remote_addr"; + # # more_set_headers "X-Forwarded-Proto $scheme"; + # # more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + +ingress: + enabled: true + name: yonote-ingress + namespace: yonote-onprem + ingressClassName: traefik + # hostname: "*.onprem-test.stands.wilix.dev" + tls: + secretName: "wildcard.onprem-test.stands.wilix.dev" + hosts: + - "*.onprem-test.stands.wilix.dev" + # - "tete.onprem-test.stands.wilix.dev" + # - "dada.onprem-test.stands.wilix.dev" + rules: + - host: "*.onprem-test.stands.wilix.dev" + paths: + - path: / + pathType: Prefix + service: + name: yonote-web + port: 80 + - path: /realtime + pathType: Prefix + service: + name: yonote-websockets + port: 80 + - path: /whiteboard + pathType: Prefix + service: + name: yonote-whiteboard + port: 80 + - path: /collaboration + pathType: Prefix + service: + name: yonote-collaboration + port: 80 + # - host: "tete.onprem-test.stands.wilix.dev" + # paths: + # - path: / + # pathType: Prefix + # service: + # name: yonote-web + # port: 80 + # - path: /realtime + # pathType: Prefix + # service: + # name: yonote-websockets + # port: 80 + # - path: /whiteboard + # pathType: Prefix + # service: + # name: yonote-whiteboard + # port: 80 + # - path: /collaboration + # pathType: Prefix + # service: + # name: yonote-collaboration + # port: 80 + # - host: "dada.onprem-test.stands.wilix.dev" + # paths: + # - path: / + # pathType: Prefix + # service: + # name: yonote-web + # port: 80 + # - path: 
/realtime + # pathType: Prefix + # service: + # name: yonote-websockets + # port: 80 + # - path: /whiteboard + # pathType: Prefix + # service: + # name: yonote-whiteboard + # port: 80 + # - path: /collaboration + # pathType: Prefix + # service: + # name: yonote-collaboration + # port: 80 + + annotations: + cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + yonote-web: fullnameOverride: yonote-web nameOverride: yonote-web @@ -85,15 +181,15 @@ yonote-web: image: registry: images.updates.yonote.ru repository: yonote - tag: 1.19.5 + tag: 1.19.8 pullPolicy: IfNotPresent command: ["/bin/sh", "-c"] - args: ['yarn start:selfhosted --services=web'] + args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=web'] initContainers: - name: yonote-migration - image: images.updates.yonote.ru/yonote:1.19.5 + image: images.updates.yonote.ru/yonote:1.19.8 imagePullPolicy: IfNotPresent command: - /bin/sh @@ -110,8 +206,8 @@ yonote-web: resources: limits: - cpu: 350m - memory: 512Mi + cpu: 1 + memory: 1Gi requests: cpu: 200m memory: 128Mi 
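Review bot: The new top-level `ingress:` block attaches only `cert-manager.io/cluster-issuer`, so none of the Traefik middlewares reach the live Ingress: the removed per-service ingresses carried `force-ssl-redirect: "true"`, and the commented-out blocks in this commit reference `redirect-https`, `wss-headers` and `kube-system-wilix-office-ipwhitelist`, none of which are referenced by anything that is actually rendered. Unless Traefik's entrypoints redirect globally (not visible here), the whole `*.onprem-test.stands.wilix.dev` wildcard is therefore served over plain HTTP as well as HTTPS and to any source address, where the old config at least had an office IP whitelist. Add `traefik.ingress.kubernetes.io/router.middlewares: "yonote-onprem-yonote-onprem-redirect-https@kubernetescrd,yonote-onprem-yonote-onprem-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd"` under `ingress.annotations` (prefix is the middleware's namespace), and note the renamed middleware manifests now live in `yonote-chart/` rather than `yonote-chart/templates/`, so Helm does not install them unless they are applied by hand. The wildcard `host:` also sends every unlisted subdomain to `yonote-web`; listing the concrete hosts the app actually uses narrows the exposure. The ~80 lines of commented-out `tete`/`dada` host blocks duplicate the live rule verbatim and would be better kept in a separate example file than in the shipped values.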
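Review bot: The `yonote-migration` init container repeats the image as the literal `images.updates.yonote.ru/yonote:1.19.8` while the main container assembles it from `registry`/`repository`/`tag`, so the two must be bumped in lock-step by hand; this commit does so, but the duplication is what makes a future mismatch (migrations from one build, app from another) possible, and deriving the init image from the same three values removes it. All five services are pulled by a mutable tag with `pullPolicy: IfNotPresent`, so which bytes run depends on what each node has cached; pinning by digest (`image: images.updates.yonote.ru/yonote@sha256:...`) or at least `pullPolicy: Always` on this test stand makes the deployment reproducible. The switch to `IS_COMPILED=true yarn bytenode ./build/server/main.jsc` runs V8 bytecode rather than source, which is fine, but a comment stating that `main.jsc` ships in the image (and for which Node version) would save the next reader a look inside the container. The init container's `command` list continues past the end of this hunk.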
@@ -132,16 +228,25 @@ yonote-web: - secretRef: name: yonote-secrets - ingress: - hostname: '"*.example.com"' - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "Host $http_host"; - more_set_headers "X-Real-IP $remote_addr"; - more_set_headers "X-Forwarded-Proto $scheme"; - more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # ingress: + # enabled: true + # hostname: 'app.onprem-test.stands.wilix.dev' + # ingressClassName: traefik + # path: '/' + # pathType: Prefix + # annotations: + # cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + # traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd' + # # nginx.ingress.kubernetes.io/force-ssl-redirect: "false" + # # nginx.ingress.kubernetes.io/configuration-snippet: | + # # more_set_headers "Host $http_host"; + # # more_set_headers "X-Real-IP $remote_addr"; + # # more_set_headers "X-Forwarded-Proto $scheme"; + # # more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # extraTls: + # - hosts: + # - "app.onprem-test.stands.wilix.dev" + # secretName: "app.onprem-test.stands.wilix.dev" podLabels: redis-client: 'true' @@ -180,11 +285,11 @@ yonote-websocket: image: registry: images.updates.yonote.ru repository: yonote - tag: 1.19.5 + tag: 1.19.8 pullPolicy: IfNotPresent command: ["/bin/sh", "-c"] - args: ['yarn start:selfhosted --services=websockets'] + args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=websockets'] resources: limits: 
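Review bot: The commented-out replacement block keeps the middleware list as `{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd`, but this same commit renames those middlewares to `yonote-onprem-redirect-https` and `yonote-onprem-wss-headers`, so the snippet is already stale the moment it is uncommented; the websocket, whiteboard and collaboration blocks below carry the same stale names. values.yaml is also not run through `tpl` as far as this diff shows, so `{{ .Release.Namespace }}` would be passed to Traefik literally rather than expanded — presumably this worked before via the subchart's own ingress template, which is worth confirming. Meanwhile the removed live lines had `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` and the `X-Forwarded-*`/`Host` header passthrough, neither of which has a counterpart on the new consolidated ingress; if the block is meant as reference rather than dead config, a one-line comment above it saying so (`# kept for reference; live ingress is global.ingress`) prevents someone re-enabling it blindly.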
@@ -212,16 +317,25 @@ yonote-websocket: port: 80 targetPort: app - ingress: - hostname: '"*.example.com"' - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "Host $http_host"; - more_set_headers "X-Real-IP $remote_addr"; - more_set_headers "X-Forwarded-Proto $scheme"; - more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # ingress: + # enabled: true + # hostname: 'app.onprem-test.stands.wilix.dev' + # ingressClassName: traefik + # path: '/realtime' + # pathType: Prefix + # annotations: + # cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + # traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd' + # # nginx.ingress.kubernetes.io/force-ssl-redirect: "false" + # # nginx.ingress.kubernetes.io/configuration-snippet: | + # # more_set_headers "Host $http_host"; + # # more_set_headers "X-Real-IP $remote_addr"; + # # more_set_headers "X-Forwarded-Proto $scheme"; + # # more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # extraTls: + # - hosts: + # - "app.onprem-test.stands.wilix.dev" + # secretName: "app.onprem-test.stands.wilix.dev" podLabels: redis-client: 'true' @@ -260,11 +374,11 @@ yonote-whiteboard: image: registry: images.updates.yonote.ru repository: yonote - tag: 1.19.5 + tag: 1.19.8 pullPolicy: IfNotPresent command: ["/bin/sh", "-c"] - args: ['yarn start:selfhosted --services=whiteboard'] + args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=whiteboard'] resources: limits: 
@@ -292,16 +406,26 @@ yonote-whiteboard: port: 80 targetPort: app - ingress: - hostname: '"*.example.com"' - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "Host $http_host"; - more_set_headers "X-Real-IP $remote_addr"; - more_set_headers "X-Forwarded-Proto $scheme"; - more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # ingress: + # enabled: true + # hostname: 'app.onprem-test.stands.wilix.dev' + # ingressClassName: traefik + # path: '/whiteboard' + # pathType: Prefix + # annotations: + # cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + # traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd' + # # nginx.ingress.kubernetes.io/force-ssl-redirect: "false" + # # nginx.ingress.kubernetes.io/configuration-snippet: | + # # more_set_headers "Host $http_host"; + # # more_set_headers "X-Real-IP $remote_addr"; + # # more_set_headers "X-Forwarded-Proto $scheme"; + # # more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # extraTls: + # - hosts: + # - "app.onprem-test.stands.wilix.dev" + # secretName: "app.onprem-test.stands.wilix.dev" + podLabels: redis-client: 'true' @@ -340,19 +464,19 @@ yonote-worker: image: registry: images.updates.yonote.ru repository: yonote - tag: 1.19.5 + tag: 1.19.8 pullPolicy: IfNotPresent command: ["/bin/sh", "-c"] - args: ['yarn start:selfhosted --services=worker'] + args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=worker'] resources: limits: - cpu: 500m + cpu: 1 memory: 1Gi requests: - cpu: 250m - memory: 256Mi + cpu: 50m + memory: 128Mi checksums: null 
@@ -409,11 +533,11 @@ yonote-collaboration: image: registry: images.updates.yonote.ru repository: yonote - tag: 1.19.5 + tag: 1.19.8 pullPolicy: IfNotPresent command: ["/bin/sh", "-c"] - args: ['yarn start:selfhosted --services=collaboration'] + args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=collaboration'] checksums: null @@ -427,16 +551,25 @@ yonote-collaboration: port: 80 targetPort: app - ingress: - hostname: '"*.example.com"' - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "Host $http_host"; - more_set_headers "X-Real-IP $remote_addr"; - more_set_headers "X-Forwarded-Proto $scheme"; - more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # ingress: + # enabled: true + # hostname: 'app.onprem-test.stands.wilix.dev' + # ingressClassName: traefik + # path: '/collaboration' + # pathType: Prefix + # annotations: + # cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + # traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd' + # # nginx.ingress.kubernetes.io/force-ssl-redirect: "false" + # # nginx.ingress.kubernetes.io/configuration-snippet: | + # # more_set_headers "Host $http_host"; + # # more_set_headers "X-Real-IP $remote_addr"; + # # more_set_headers "X-Forwarded-Proto $scheme"; + # # more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; + # extraTls: + # - hosts: + # - "app.onprem-test.stands.wilix.dev" + # secretName: "app.onprem-test.stands.wilix.dev" envFrom: - configMapRef: 
@@ -523,13 +656,18 @@ minio: ingress: enabled: true + hostname: 's3.onprem-test.stands.wilix.dev' + ingressClassName: traefik + path: '/' + pathType: ImplementationSpecific annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: s3.example.com - paths: - - path: / - pathType: ImplementationSpecific + kubernetes.io/ingress.class: traefik + cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + extraTls: + - hosts: + - "s3.onprem-test.stands.wilix.dev" + secretName: "s3.onprem-test.stands.wilix.dev" + resources: requests: memory: 512Mi
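Review bot: The MinIO S3 API is now published on `s3.onprem-test.stands.wilix.dev` with a Let's Encrypt certificate — which implies it is Internet-reachable — while the credentials the app uses for it, per the comments in secret-values.yaml in this same commit, are still `AWS_ACCESS_KEY_ID: ""` / `AWS_SECRET_ACCESS_KEY: "minioadmin"`, i.e. MinIO's well-known default. The app already talks to the bucket in-cluster via `AWS_S3_UPLOAD_BUCKET_URL: yonote-minio:9000`, so unless browsers need presigned URLs on this host the public ingress can be dropped; if it is needed, rotate the root credentials first and front it with the same `kube-system-wilix-office-ipwhitelist` middleware the old per-service ingresses used. Both the deprecated `kubernetes.io/ingress.class: traefik` annotation and `ingressClassName: traefik` are set; keeping only the field avoids the two disagreeing later. `pathType: ImplementationSpecific` with `path: '/'` leaves matching semantics to Traefik, so `Prefix`, as used for the app ingress above, is the more predictable choice.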