diff --git a/yonote-chart/templates/secret.yaml b/secret.yaml similarity index 100% rename from yonote-chart/templates/secret.yaml rename to secret.yaml diff --git a/traefic-http-to-https-redirect-middleware.yaml b/traefic-http-to-https-redirect-middleware.yaml deleted file mode 100644 index 93c470f..0000000 --- a/traefic-http-to-https-redirect-middleware.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if eq $.Values.global.yonote.ingress.ingressClassName "traefik" }} -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: redirect-https -spec: - redirectScheme: - scheme: https - permanent: true -{{- end }} \ No newline at end of file diff --git a/traefik-wss-headers-middleware.yaml b/traefik-wss-headers-middleware.yaml deleted file mode 100644 index c8fc1bd..0000000 --- a/traefik-wss-headers-middleware.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if eq $.Values.global.yonote.ingress.ingressClassName "traefik" }} -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: wss-headers -spec: - headers: - customRequestHeaders: - X-Forwarded-Proto: https -{{- end }} \ No newline at end of file diff --git a/yonote-chart/Chart.lock b/yonote-chart/Chart.lock index c67545f..c7bb5aa 100644 --- a/yonote-chart/Chart.lock +++ b/yonote-chart/Chart.lock @@ -20,8 +20,14 @@ dependencies: - name: redis repository: https://charts.bitnami.com/bitnami version: 16.12.1 +- name: app + repository: https://dysnix.github.io/charts + version: 0.3.15 +- name: postgresql + repository: https://charts.bitnami.com/bitnami + version: 11.6.2 - name: minio repository: https://charts.bitnami.com/bitnami - version: 14.6.20 -digest: sha256:ac298eab717f006b97255703008f8d675b5e0603afa5b755673455012d6d3693 -generated: "2024-07-16T12:06:23.7878103+03:00" + version: 14.0.0 +digest: sha256:d885d7c44dc28f36c26f218ca8c5ae318aced1b312b31403d00aec70d1be1d78 +generated: "2024-08-16T13:31:48.832508252+03:00" 
diff --git a/yonote-chart/Chart.yaml b/yonote-chart/Chart.yaml index 25064f6..97aa901 100644 --- a/yonote-chart/Chart.yaml +++ b/yonote-chart/Chart.yaml @@ -47,8 +47,20 @@ dependencies: condition: yonote-redis.enabled alias: yonote-redis + - name: app + version: "0.3.15" + repository: https://dysnix.github.io/charts + condition: keycloak.enabled + alias: keycloak + + - name: postgresql + version: "11.6.2" + repository: https://charts.bitnami.com/bitnami + condition: keycloak.keycloak-database.enabled + alias: keycloak-database + - name: minio - version: "14.6.20" + version: "14.0.0" repository: https://charts.bitnami.com/bitnami condition: minio.enabled alias: minio \ No newline at end of file diff --git a/yonote-chart/charts/minio-14.0.0.tgz b/yonote-chart/charts/minio-14.0.0.tgz new file mode 100644 index 0000000..b537195 Binary files /dev/null and b/yonote-chart/charts/minio-14.0.0.tgz differ diff --git a/yonote-chart/charts/minio-14.6.20.tgz b/yonote-chart/charts/minio-14.6.20.tgz deleted file mode 100644 index e3c59bc..0000000 Binary files a/yonote-chart/charts/minio-14.6.20.tgz and /dev/null differ diff --git a/yonote-chart/charts/postgresql-11.6.2.tgz b/yonote-chart/charts/postgresql-11.6.2.tgz new file mode 100644 index 0000000..64e0267 Binary files /dev/null and b/yonote-chart/charts/postgresql-11.6.2.tgz differ diff --git a/yonote-chart/secret-values.yaml b/yonote-chart/secret-values.yaml index c21f90f..406df18 100644 --- a/yonote-chart/secret-values.yaml +++ b/yonote-chart/secret-values.yaml 
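Review bot: The `minio` dependency is pinned downward from `14.6.20` to `14.0.0` in the same hunk that adds two new subcharts, and nothing in the commit explains the downgrade; moving a third-party chart back several minor versions silently reintroduces whatever was fixed in between and deserves a reason next to the pin. The new `app` dependency also pulls from a repository the chart did not previously use (`https://dysnix.github.io/charts`), which widens the supply-chain surface of the release. I would add `# pinned to 14.0.0 because <reason>` above the minio entry, or restore `14.6.20` if the pin was unintentional.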
@@ -3,17 +3,17 @@ global: config: secret: stringData: - DATABASE_URL: 'postgres://{{ .Values.global.postgresql.auth.username }}:{{ .Values.global.postgresql.auth.password }}@yonote-db:5432/{{ .Values.global.postgresql.auth.database }}' - POSTGRES_PASSWORD: wsGZ6kXhr5 + # DATABASE_URL: "postgres://{{ .Values.global.postgresql.auth.username }}:{{ .Values.global.postgresql.auth.password }}@yonote-db:5432/{{ .Values.global.postgresql.auth.database }}" + # POSTGRES_PASSWORD: "{{ .Values.global.postgresql.auth.password }}" AWS_ACCESS_KEY_ID: "" # Ваш идентификатор ключа доступа к AWS. Поведение в SelfHosted: устанавливает логин сервис аккаунта для доступа приложения к Minio S3 хранилищу AWS_SECRET_ACCESS_KEY: "minioadmin" # Ваш секретный ключ доступа AWS. Поведение в SelfHosted: устанавливает пароль сервис аккаунта для доступа приложения к Minio S3 хранилищу - OIDC_CLIENT_SECRET: "minioadminsecret" + OIDC_CLIENT_SECRET: "Kdq8rk5Pv5RW1c5kHXpnyfrmMRzI9xSD" SECRET_KEY: "659a8881b186198c3146e316f6dab67df25496534d1fa156d624b037260df688" # Сгенерируйте 32-байтовый случайный ключ в шестнадцатеричном коде. Вам следует использовать `openssl rand -hex 32` в вашем терминале для генерации случайного значения. SMTP_PASSWORD: "1234" UTILS_SECRET: "7bd5e9ac4415dd0dbf6b7721e2a21e9427b268cd0140c7516d13dece5024d479" # Сгенерируйте уникальный случайный ключ. Формат не важен, но вы все равно можете использовать`openssl rand -hex 32` в вашем терминале, чтобы создать это. 
TELEGRAM_BOT_TOKEN: "1234" UNSPLASH_API_ACCESS_KEY: "a-yGo6HpRP6jNfravx4Bz-oiPrRnH_5-24Xa9ZPlePE" - LICENSE_KEY: "" # Обратитесь в отдел продаж для получения + LICENSE_KEY: "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJkdW1teSI6ImRhdGEiLCJkYXRhIjoiZHVtbXkiLCJpYXQiOjE2NjQ4OTUyNjUsImV4cCI6MTgyMjY4MzI2NX0.Qudc2d-MKc4DT-UBAVydgowiYQnzzWolvbJTjPB5dwEI32Wb64sgkXOfXKsRf9_wP3UK0-65QYVkMHM76ImhM9HCHv9LWJBQeD0q2rF243cMkMUNfKXAX8-SmLu9kMZzm0fL02IBnv5TCHIF7u6GgGRk3US6WbVhzqHGxrdJ2b3HwD_cI3mcLKCtTfO_GDiUfAv7u5Ddi-6tCfFRvH633BLPKIMO5cePh_AdHykO_2p7z_ypUfsVgqxHkq8KwNuuaI6CpwE48P-7mXuM9xEWu3-prSZpaI4rIZA6JFpGMWyiGs4GDvjRFssq4GUPvYJnkZ2w_W_liSMdC5hg0PFxcw" # Обратитесь в отдел продаж для получения SERVICE_WORKER_PUBLIC_KEY: "1234" SERVICE_WORKER_PRIVATE_KEY: "1234" # Генерация ключей (web-push) Service Worker @@ -21,11 +21,24 @@ global: # 2) Выполнить команду для генерации ключей # npx web-push generate-vapid-keys # 3) Полученные значения ввести в .env файл (SERVICE_WORKER_PUBLIC_KEY, SERVICE_WORKER_PRIVATE_KEY) - - postgresql: - auth: - password: "wsGZ6kXhr5" - postgresPassword: "QQYw4UjOU" +yonote-database: + global: + postgresql: + auth: + password: "wsGZ6kXhr5" + postgresPassword: "QQYw4UjOU" + - +keycloak-database: + global: + postgresql: + auth: + password: "tT9BqYdNyd1" + +keycloak: + secrets: + secrets: + stringData: + KEYCLOAK_ADMIN_PASSWORD: "12345" + KC_DB_PASSWORD: "tT9BqYdNyd1" \ No newline at end of file diff --git a/yonote-chart/templates/ingress.yaml b/yonote-chart/templates/ingress.yaml new file mode 100644 index 0000000..04bc8a6 --- /dev/null +++ b/yonote-chart/templates/ingress.yaml 
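Review bot: `OIDC_CLIENT_SECRET` now carries what looks like a live client secret for the `yonote-local` client on the external `auth.yonote.ru` realm, and `LICENSE_KEY` a signed JWT, in a file that the `index` line shows is tracked in git; both should leave the repository (an untracked override file, SOPS/`helm secrets`, or an existing Secret referenced by name) and the committed values rotated, since they are already in history. The hunk also comments out `DATABASE_URL` and `POSTGRES_PASSWORD` without a replacement visible in the diff; if nothing else now provides `DATABASE_URL`, the `yonote-migration` init container and the app start without a database connection string, so confirm where it comes from. If a placeholder was intended, keep the previous `""` and the sales comment rather than a real-looking token.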
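Review bot: `KEYCLOAK_ADMIN_PASSWORD: "12345"` is committed as the admin credential for a Keycloak that the rest of this change publishes at `auth.onprem-test.stands.wilix.dev`; combined with `KEYCLOAK_ADMIN: root` in values.yaml that is a guessable login on a public admin console. The same database password `tT9BqYdNyd1` is written twice (under `keycloak-database.global.postgresql.auth.password` and `keycloak.secrets.secrets.stringData.KC_DB_PASSWORD`) with nothing tying them together, so rotating one and missing the other breaks Keycloak's database login. At minimum generate the admin password (`openssl rand -base64 24`) and add `# must match keycloak-database.global.postgresql.auth.password` above `KC_DB_PASSWORD`.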
@@ -0,0 +1,34 @@ +{{- if .Values.ingress.enabled }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ .Values.ingress.name }} + namespace: {{ .Values.ingress.namespace }} + annotations: + {{- range $key, $value := .Values.ingress.annotations }} + {{ $key }}: "{{ $value }}" + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.ingressClassName }} + tls: + - secretName: "{{ .Values.ingress.tls.secretName }}" + hosts: + {{- range .Values.ingress.tls.hosts }} + - "{{ . }}" + {{- end }} + rules: + {{- range .Values.ingress.rules }} + - host: "{{ .host }}" + http: + paths: + {{- range .paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ .service.name }} + port: + number: {{ .service.port | int }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/yonote-chart/values.yaml b/yonote-chart/values.yaml index a183892..cce94f2 100644 --- a/yonote-chart/values.yaml +++ b/yonote-chart/values.yaml @@ -1,21 +1,12 @@ global: - name: yonote-app - postgresql: - auth: - database: yonote - username: yonote - yonote: - ingress: - ingressClassName: nginx - dbMigrationEnv: production-ssl-disabled # Режим подключения к базе данных при выполнении миграций. При использовании SSL подключения, установите значение `production` - - baseListenAddress: example.com + baseListenAddress: onprem-test.stands.wilix.dev config: plain: data: + DEPLOYMENT: hosted NODE_ENV: production FORCE_HTTPS: "false" PGSSLMODE: disable # Отключает SSL подключение к базе данных. Уберите эту строку, если вы используете SSL подключение к PostgreSQL 
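Review bot: `namespace: {{ .Values.ingress.namespace }}` places the Ingress in a namespace chosen by values rather than the release namespace; an Ingress can only route to Services in its own namespace, so whenever `helm --namespace` differs from `ingress.namespace` the rules point at `yonote-web` and friends where they do not exist and the app is unreachable. Use `namespace: {{ .Release.Namespace }}` and drop the value. The `tls:` block is also rendered unconditionally, so a release without `ingress.tls` yields `secretName: ""` with an empty host list; wrapping it in `{{- if .Values.ingress.tls }}` keeps the rendered object valid.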
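Review bot: This hunk removes `global.yonote:` together with its `ingress` keys but keeps `baseListenAddress`, while the `URL` and `COLLABORATION_URL` values in the next hunk still expand `.Values.global.yonote.baseListenAddress`; if the new `baseListenAddress` now sits directly under `global`, that path is nil and rendering fails or produces an empty host, so check `helm template` output or move the key back under `yonote:`. Separately, `URL` switches to `https://` below while `FORCE_HTTPS: "false"` stays in this hunk's context, so the application itself does not force HTTPS; with the Traefik `redirect-https` Middleware deleted in this commit, any redirect has to come from the Traefik entrypoint or it does not happen. A comment on `FORCE_HTTPS` stating which layer is expected to redirect would make that explicit.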
@@ -30,17 +21,18 @@ global: AI_URL: "1234" AI_API_KEY: "1234" + WEB_CONCURRENCY: "1" - URL: 'http://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения + URL: 'https://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения COLLABORATION_URL: 'wss://app.{{ .Values.global.yonote.baseListenAddress }}' # Cервер, для нормальной работы это не нужно устанавливать OIDC_DISPLAY_NAME: email OIDC_SCOPES: openid email - OIDC_CLIENT_ID: yonote - OIDC_AUTH_URI: 'yonote-keycloak:8080/realms/yonote/protocol/openid-connect/auth' - OIDC_LOGOUT_URI: 'yonote-keycloak:8080/realms/yonote/protocol/openid-connect/logout' - OIDC_TOKEN_URI: 'yonote-keycloak:8080/realms/yonote/protocol/openid-connect/token' - OIDC_USERINFO_URI: 'yonote-keycloak:8080/realms/yonote/protocol/openid-connect/userinfo' + OIDC_CLIENT_ID: yonote-local + OIDC_AUTH_URI: 'https://auth.yonote.ru/realms/yonote-test/protocol/openid-connect/auth' + OIDC_LOGOUT_URI: 'https://auth.yonote.ru/realms/yonote-test/protocol/openid-connect/logout' + OIDC_TOKEN_URI: 'https://auth.yonote.ru/realms/yonote-test/protocol/openid-connect/token' + OIDC_USERINFO_URI: 'https://auth.yonote.ru/realms/yonote-test/protocol/openid-connect/userinfo' AWS_S3_ACL: private AWS_S3_UPLOAD_BUCKET_URL: yonote-minio:9000 # Адрес S3 хранилища 
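Review bot: The OIDC endpoints now point at the external `https://auth.yonote.ru/realms/yonote-test`, while this same commit deploys a Keycloak under the chart at `auth.onprem-test.stands.wilix.dev` and imports a `yonote` realm; the application therefore authenticates against a vendor test realm (client `yonote-local`, with its secret in secret-values.yaml) and the bundled Keycloak serves nothing. For an on-prem chart the defaults should reference the in-chart instance, e.g. `OIDC_AUTH_URI: 'https://auth.{{ .Values.global.yonote.baseListenAddress }}/realms/yonote/protocol/openid-connect/auth'`, with the realm name matching the import. If the external realm is deliberate for this test stand, say so in a comment, because a customer copying these values would send their logins to `auth.yonote.ru`.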
@@ -77,6 +69,89 @@ global: cron_enabled: "true" url: http://yonote-web/api/cron.schedule +ingress: + enabled: true + name: yonote-ingress + namespace: yonote-onprem + ingressClassName: traefik + # hostname: "*.onprem-test.stands.wilix.dev" + tls: + secretName: "wildcard.onprem-test.stands.wilix.dev" + hosts: + - "*.onprem-test.stands.wilix.dev" + # - "tete.onprem-test.stands.wilix.dev" + # - "dada.onprem-test.stands.wilix.dev" + rules: + - host: "*.onprem-test.stands.wilix.dev" + paths: + - path: / + pathType: Prefix + service: + name: yonote-web + port: 80 + - path: /realtime + pathType: Prefix + service: + name: yonote-websockets + port: 80 + - path: /whiteboard + pathType: Prefix + service: + name: yonote-whiteboard + port: 80 + - path: /collaboration + pathType: Prefix + service: + name: yonote-collaboration + port: 80 + # - host: "tete.onprem-test.stands.wilix.dev" + # paths: + # - path: / + # pathType: Prefix + # service: + # name: yonote-web + # port: 80 + # - path: /realtime + # pathType: Prefix + # service: + # name: yonote-websockets + # port: 80 + # - path: /whiteboard + # pathType: Prefix + # service: + # name: yonote-whiteboard + # port: 80 + # - path: /collaboration + # pathType: Prefix + # service: + # name: yonote-collaboration + # port: 80 + # - host: "dada.onprem-test.stands.wilix.dev" + # paths: + # - path: / + # pathType: Prefix + # service: + # name: yonote-web + # port: 80 + # - path: /realtime + # pathType: Prefix + # service: + # name: yonote-websockets + # port: 80 + # - path: /whiteboard + # pathType: Prefix + # service: + # name: yonote-whiteboard + # port: 80 + # - path: /collaboration + # pathType: Prefix + # service: + # name: yonote-collaboration + # port: 80 + + annotations: + cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + yonote-web: fullnameOverride: yonote-web nameOverride: yonote-web 
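Review bot: The new Ingress carries no `traefik.ingress.kubernetes.io/router.middlewares` annotation, and this commit deletes the `redirect-https` and `wss-headers` Middlewares, so plain-HTTP requests for `*.onprem-test.stands.wilix.dev` are served as-is unless the Traefik entrypoint redirects globally (not visible here); with `FORCE_HTTPS: "false"` in the app, session cookies can travel over HTTP. Keep a redirect Middleware and attach it (`traefik.ingress.kubernetes.io/router.middlewares: yonote-onprem-redirect-https@kubernetescrd`) or restrict the router with `traefik.ingress.kubernetes.io/router.entrypoints: websecure`. `namespace: yonote-onprem` and the `wilix.dev` hostnames are environment specifics baked into chart defaults that replaced the former `example.com` placeholders, and a cert-manager wildcard certificate needs a DNS-01 solver on `letsencrypt.rancher.wilix.dev`, which is worth confirming since HTTP-01 cannot issue `*.` names.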
@@ -85,15 +160,15 @@ yonote-web: image: registry: images.updates.yonote.ru repository: yonote - tag: 1.19.5 + tag: 1.19.8 pullPolicy: IfNotPresent command: ["/bin/sh", "-c"] - args: ['yarn start:selfhosted --services=web'] + args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=web'] initContainers: - name: yonote-migration - image: images.updates.yonote.ru/yonote:1.19.5 + image: images.updates.yonote.ru/yonote:1.19.8 imagePullPolicy: IfNotPresent command: - /bin/sh @@ -110,8 +185,8 @@ yonote-web: resources: limits: - cpu: 350m - memory: 512Mi + cpu: 1 + memory: 1Gi requests: cpu: 200m memory: 128Mi @@ -131,17 +206,6 @@ yonote-web: name: yonote-configs - secretRef: name: yonote-secrets - - ingress: - hostname: '"*.example.com"' - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "Host $http_host"; - more_set_headers "X-Real-IP $remote_addr"; - more_set_headers "X-Forwarded-Proto $scheme"; - more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; podLabels: redis-client: 'true' @@ -180,11 +244,11 @@ yonote-websocket: image: registry: images.updates.yonote.ru repository: yonote - tag: 1.19.5 + tag: 1.19.8 pullPolicy: IfNotPresent command: ["/bin/sh", "-c"] - args: ['yarn start:selfhosted --services=websockets'] + args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=websockets'] resources: limits: @@ -212,16 +276,6 @@ yonote-websocket: port: 80 targetPort: app - ingress: - hostname: '"*.example.com"' - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "Host $http_host"; - more_set_headers "X-Real-IP $remote_addr"; - more_set_headers "X-Forwarded-Proto $scheme"; - more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; podLabels: redis-client: 'true' 
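Review bot: The `yonote-migration` init container repeats the image literally as `images.updates.yonote.ru/yonote:1.19.8` instead of deriving it from `yonote-web.image`, so every bump has to be made in two places per service and the migration can silently run on a different version than the server it migrates for. If the subchart renders values through `tpl` (it already does for `envFrom` names), write `image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"`; otherwise a `# keep in sync with image.tag above` comment is the minimum. The init container's `command` continues past the end of this hunk.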
@@ -260,11 +314,11 @@ yonote-whiteboard: image: registry: images.updates.yonote.ru repository: yonote - tag: 1.19.5 + tag: 1.19.8 pullPolicy: IfNotPresent command: ["/bin/sh", "-c"] - args: ['yarn start:selfhosted --services=whiteboard'] + args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=whiteboard'] resources: limits: @@ -292,17 +346,6 @@ yonote-whiteboard: port: 80 targetPort: app - ingress: - hostname: '"*.example.com"' - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "Host $http_host"; - more_set_headers "X-Real-IP $remote_addr"; - more_set_headers "X-Forwarded-Proto $scheme"; - more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; - podLabels: redis-client: 'true' @@ -340,19 +383,19 @@ yonote-worker: image: registry: images.updates.yonote.ru repository: yonote - tag: 1.19.5 + tag: 1.19.8 pullPolicy: IfNotPresent command: ["/bin/sh", "-c"] - args: ['yarn start:selfhosted --services=worker'] + args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=worker'] resources: limits: - cpu: 500m + cpu: 1 memory: 1Gi requests: - cpu: 250m - memory: 256Mi + cpu: 50m + memory: 128Mi checksums: null @@ -409,11 +452,11 @@ yonote-collaboration: image: registry: images.updates.yonote.ru repository: yonote - tag: 1.19.5 + tag: 1.19.8 pullPolicy: IfNotPresent command: ["/bin/sh", "-c"] - args: ['yarn start:selfhosted --services=collaboration'] + args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=collaboration'] checksums: null 
@@ -426,17 +469,6 @@ yonote-collaboration: type: ClusterIP port: 80 targetPort: app - - ingress: - hostname: '"*.example.com"' - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/configuration-snippet: | - more_set_headers "Host $http_host"; - more_set_headers "X-Real-IP $remote_addr"; - more_set_headers "X-Forwarded-Proto $scheme"; - more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for"; envFrom: - configMapRef: @@ -473,8 +505,13 @@ yonote-collaboration: path: /_health port: app -yonote-database: - enabled: true +yonote-database: + enabled: true + global: + postgresql: + auth: + database: "yonote" + username: "yonote" fullnameOverride: yonote-db nameOverride: db 
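Review bot: `database`/`username` are now set under `yonote-database.global.postgresql.auth`, while the chart's own `global.postgresql.auth` was removed earlier in this file; Helm propagates a parent's `global` down into subcharts but not a subchart-scoped `global` up to the parent, so if any parent template still reads `.Values.global.postgresql.auth.*` (the old `DATABASE_URL` in secret-values.yaml did) it now sees nothing. Keeping the keys at the parent `global:` level reaches the subchart anyway and keeps one source of truth; if the split is intentional, a comment on this key saying the parent must not see it would save the next reader a search. `PGSSLMODE: disable` in the app config remains the default, so these credentials travel to `yonote-db` in clear text; fine for a test stand, but worth a comment.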
@@ -507,8 +544,106 @@ yonote-redis: memory: 256Mi requests: cpu: 50m - memory: 128Mi - + memory: 128Mi + +keycloak-database: + enabled: true + global: + postgresql: + auth: + database: keycloak + username: keycloak + name: keycloak-database + fullnameOverride: yonote-keycloak-db + nameOverride: db + primary: + persistence: + size: 512Mi + +keycloak: + enabled: true + name: yonote-keycloak + fullnameOverride: yonote-keycloak + image: + registry: images.updates.yonote.ru + repository: yonote-keycloak + tag: 19-0.1.1 + command: + - /bin/sh + - -c + - /opt/keycloak/bin/kc.sh import --file=/opt/keycloak/data/import/realm-export.json --debug + - /opt/keycloak/bin/kc.sh start + configMaps: + configs: + data: + KEYCLOAK_ADMIN: root + KC_PROXY: edge + KC_HOSTNAME_STRICT: "false" + KC_HOSTNAME_ADMIN: auth.onprem-test.stands.wilix.dev + KC_HOSTNAME: auth.onprem-test.stands.wilix.dev + KC_DB: postgres + KC_DB_URL: jdbc:postgresql://yonote-keycloak-db:5432/keycloak + KC_DB_USERNAME: keycloak + KC_HOSTNAME_STRICT_HTTPS: "false" + KC_HOSTNAME_PATH: "/" + envFrom: + - configMapRef: + name: '{{ template "app.fullname" . }}-configs' + - secretRef: + name: '{{ template "app.fullname" . 
}}-secrets' + checksums: + - secrets.yaml + - configmaps.yaml + containerPorts: + - containerPort: 8080 + name: app + protocol: TCP + + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 150m + memory: 128Mi + service: + type: ClusterIP + port: 8080 + targetPort: 8080 + ingress: + enabled: true + hostname: 'auth.onprem-test.stands.wilix.dev' + ingressClassName: traefik + path: '/' + pathType: Prefix + annotations: + kubernetes.io/ingress.class: traefik + cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + extraTls: + - hosts: + - "auth.onprem-test.stands.wilix.dev" + secretName: "auth.onprem-test.stands.wilix.dev" + # livenessProbe: + # enabled: true + # failureThreshold: 6 + # initialDelaySeconds: 60 + # periodSeconds: 15 + # successThreshold: 1 + # timeoutSeconds: 5 + # httpGet: + # path: / + # port: app + # readinessProbe: + # enabled: true + # failureThreshold: 6 + # initialDelaySeconds: 60 + # periodSeconds: 15 + # successThreshold: 1 + # timeoutSeconds: 5 + # httpGet: + # path: / + # port: app + minio: enabled: true name: minio @@ -516,20 +651,24 @@ minio: nameOverride: minio accessKey: "minioadmin" secretKey: "minioadminsecret" - persistence: enabled: true size: 500Mi ingress: enabled: true + hostname: 's3.onprem-test.stands.wilix.dev' + ingressClassName: traefik + path: '/' + pathType: Prefix annotations: - kubernetes.io/ingress.class: nginx - hosts: - - host: s3.example.com - paths: - - path: / - pathType: ImplementationSpecific + kubernetes.io/ingress.class: traefik + cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + extraTls: + - hosts: + - "s3.onprem-test.stands.wilix.dev" + secretName: "s3.onprem-test.stands.wilix.dev" + resources: requests: memory: 512Mi @@ -540,4 +679,4 @@ minio: buckets: - name: yonote-bucket - policy: none \ No newline at end of file + policy: none \ No newline at end of file diff --git a/yonote-keycloak-chart/Chart.lock b/yonote-keycloak-chart/Chart.lock index 41178bd..6351f72 100644 
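Review bot: The keycloak `command` passes two separate list items after `/bin/sh -c`; `sh -c` executes only the first string as the script and binds the second (`/opt/keycloak/bin/kc.sh start`) to `$0`, so the realm import runs and the container exits without ever starting Keycloak, which is presumably why the probes below are commented out. Use one string, `- /opt/keycloak/bin/kc.sh import --file=/opt/keycloak/data/import/realm-export.json && /opt/keycloak/bin/kc.sh start`, or on Keycloak 19 `kc.sh start --import-realm` with the file under `/opt/keycloak/data/import`. `--debug` on `kc.sh` enables the JDWP debug agent in the container and should not be a values-file default. With `KEYCLOAK_ADMIN: root` and both `KC_HOSTNAME_STRICT` and `KC_HOSTNAME_STRICT_HTTPS` at `"false"` on a publicly exposed admin host, the hostname checks that stop request-`Host`-derived URLs in emails and redirects are off as well; now that `KC_HOSTNAME` is fixed, both can be `"true"`.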
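Review bot: This hunk publishes MinIO's API at `s3.onprem-test.stands.wilix.dev` with a trusted certificate while the unchanged context just above still sets `accessKey: "minioadmin"` / `secretKey: "minioadminsecret"`, the product's well-known defaults; if the Traefik entrypoint is internet-facing, that is a default-credential object store on a real DNS name. Either keep the ingress disabled in the default values or move the credentials to secret-values.yaml and generate them, and add `# must match AWS_SECRET_ACCESS_KEY in secret-values.yaml` next to `secretKey` since the app's copy lives there. `kubernetes.io/ingress.class: traefik` also duplicates `ingressClassName: traefik`; the annotation is deprecated and one of the two is enough.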
--- a/yonote-keycloak-chart/Chart.lock +++ b/yonote-keycloak-chart/Chart.lock @@ -6,4 +6,4 @@ dependencies: repository: https://charts.bitnami.com/bitnami version: 11.6.2 digest: sha256:4ff512f4cf7c217961e59af3e2cb656f4d6fc8441f17ce3da96ca1a03f58bf58 -generated: "2024-07-16T12:04:39.863844193+03:00" +generated: "2024-08-13T16:19:44.489332745+03:00" diff --git a/yonote-keycloak-chart/secret-values.yaml b/yonote-keycloak-chart/secret-values.yaml index 548e04f..a445ec8 100644 --- a/yonote-keycloak-chart/secret-values.yaml +++ b/yonote-keycloak-chart/secret-values.yaml @@ -1,6 +1,12 @@ +global: + postgresql: + auth: + password: "tT9BqYdNyd1" + keycloak: secrets: secrets: stringData: KEYCLOAK_ADMIN_PASSWORD: "12345" - KC_DB_PASSWORD: "3fWAxP6ZYp" \ No newline at end of file + KC_DB_PASSWORD: "tT9BqYdNyd1" + \ No newline at end of file diff --git a/yonote-keycloak-chart/traefik-forward-auth.yaml b/yonote-keycloak-chart/traefik-forward-auth.yaml new file mode 100644 index 0000000..8dbb376 --- /dev/null +++ b/yonote-keycloak-chart/traefik-forward-auth.yaml 
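Review bot: `global.postgresql.auth.password` and `KC_DB_PASSWORD` must be identical for Keycloak to reach its database, and the hunk itself shows the drift risk: the old `KC_DB_PASSWORD` was `3fWAxP6ZYp` with no matching `global.postgresql.auth.password` in this file. Add `# must equal global.postgresql.auth.password` above `KC_DB_PASSWORD`, or derive one from the other in a template. The file is tracked in git per the `index` line, so these are live credentials in history; if the stand is real, rotate them and keep the file out of the repository, and the `KEYCLOAK_ADMIN_PASSWORD: "12345"` context line should go the same way.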
@@ -0,0 +1,89 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: traefik-forward-auth
+ namespace: yonote-onprem
+ labels:
+ app: traefik-forward-auth
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: traefik-forward-auth
+ strategy:
+ type: Recreate
+ revisionHistoryLimit: 10
+ progressDeadlineSeconds: 600
+ template:
+ metadata:
+ labels:
+ app: traefik-forward-auth
+ spec:
+ containers:
+ - name: traefik-forward-auth
+ image: thomseddon/traefik-forward-auth:2
+ ports:
+ - containerPort: 4181
+ protocol: TCP
+ env:
+ - name: DOMAIN
+ value: "wilix.org,wilix.dev"
+ - name: AUTH_HOST
+ value: "auth.yonote.develop.wilix.dev"
+ - name: INSECURE_COOKIE
+ value: "false"
+ - name: DEFAULT_PROVIDER
+ value: "oidc"
+ - name: PROVIDERS_OIDC_ISSUER_URL
+ value: "https://auth.onprem-test.stands.wilix.dev/realms/yonote"
+ - name: PROVIDERS_OIDC_CLIENT_ID
+ value: "admin"
+ - name: PROVIDERS_OIDC_CLIENT_SECRET
+ value: "12345"
+ - name: SECRET
+ value: "0987654321"
+ - name: LOG_LEVEL
+ value: "debug"
+ imagePullPolicy: IfNotPresent
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ restartPolicy: Always
+ terminationGracePeriodSeconds: 60
+ dnsPolicy: ClusterFirst
+ securityContext: {}
+ schedulerName: default-scheduler
+
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: traefik-forward-auth
+ namespace: yonote-onprem
+ labels:
+ app: traefik-forward-auth
+spec:
+ ports:
+ - name: auth-http
+ protocol: TCP
+ port: 4181
+ targetPort: 4181
+ selector:
+ app: traefik-forward-auth
+ type: ClusterIP
+ sessionAffinity: None
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: traefik-forward-auth
+spec:
+ forwardAuth:
+ address: https://auth.onprem-test.stands.wilix.dev:4181
+ authResponseHeaders:
+ - X-Forwarded-User
+
diff --git a/yonote-keycloak-chart/values.yaml
index 7725f23..ab61bf3 100644
--- a/yonote-keycloak-chart/values.yaml
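Review bot: `PROVIDERS_OIDC_CLIENT_SECRET: "12345"` and `SECRET: "0987654321"` are inline env values on a committed Deployment; `SECRET` is the key traefik-forward-auth signs its session cookie with, so anyone who can read this manifest can mint a valid cookie for any identity and walk past the auth, and the OIDC client secret is exposed the same way. Both belong in a Kubernetes Secret referenced via `secretKeyRef`, with values generated by `openssl rand -base64 32`. The Middleware's `address: https://auth.onprem-test.stands.wilix.dev:4181` also names the public Keycloak host on a port no ingress in this diff exposes, while the Service defined right above it is `traefik-forward-auth` in `yonote-onprem` on 4181 over plain HTTP, so the address should be the in-cluster Service URL. Nothing attaches this Middleware to an Ingress (the new `yonote-ingress` carries no `router.middlewares` annotation), `AUTH_HOST` names a third host (`auth.yonote.develop.wilix.dev`) that is neither the issuer nor in `DOMAIN`, and `LOG_LEVEL: debug` will log auth-flow details; as committed, this manifest enforces nothing yet.
```yaml
        env:
          # … unchanged: DOMAIN, AUTH_HOST, INSECURE_COOKIE, DEFAULT_PROVIDER, PROVIDERS_OIDC_ISSUER_URL, PROVIDERS_OIDC_CLIENT_ID …
          - name: PROVIDERS_OIDC_CLIENT_SECRET
            valueFrom:
              secretKeyRef:
                name: traefik-forward-auth
                key: oidc-client-secret
          - name: SECRET
            valueFrom:
              secretKeyRef:
                name: traefik-forward-auth
                key: cookie-secret
          # … unchanged: LOG_LEVEL …
# … unchanged: Service document …
spec:
  forwardAuth:
    address: http://traefik-forward-auth.yonote-onprem.svc.cluster.local:4181
```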
+++ b/yonote-keycloak-chart/values.yaml @@ -18,13 +18,13 @@ keycloak: image: registry: images.updates.yonote.ru repository: yonote-keycloak - tag: latest + tag: 19-0.1.1 command: - /bin/sh - -c - - | - "/opt/keycloak/bin/kc.sh" "start" + - /opt/keycloak/bin/kc.sh import --file=/opt/keycloak/data/import/realm-export.json --debug + - /opt/keycloak/bin/kc.sh start configMaps: configs: @@ -32,11 +32,11 @@ keycloak: KEYCLOAK_ADMIN: root KC_PROXY: edge KC_HOSTNAME_STRICT: "false" - KC_HOSTNAME_ADMIN: auth.example.com/admin - KC_HOSTNAME: auth.example.com + KC_HOSTNAME_ADMIN: auth.onprem-test.stands.wilix.dev + KC_HOSTNAME: auth.onprem-test.stands.wilix.dev KC_DB: postgres KC_DB_URL: jdbc:postgresql://yonote-keycloak-db:5432/keycloak - KC_DB_URL_DATABASE: keycloak + # KC_DB_URL_DATABASE: keycloak KC_DB_USERNAME: keycloak KC_HOSTNAME_STRICT_HTTPS: "false" KC_HOSTNAME_PATH: "/" 
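Review bot: The replacement `command` hands two list items to `/bin/sh -c`, and the shell runs only the first one as its script; `/opt/keycloak/bin/kc.sh start` becomes `$0` and never executes, so the import finishes and the pod exits, whereas the removed single-string form at least started the server (the same two-item form appears in yonote-chart/values.yaml). Use one string, `- /opt/keycloak/bin/kc.sh import --file=/opt/keycloak/data/import/realm-export.json && /opt/keycloak/bin/kc.sh start`, or `kc.sh start --import-realm`, and drop `--debug`, which turns on the JDWP debug agent. Pinning `tag: 19-0.1.1` instead of `latest` is the right move; a digest (`@sha256:…`) would make it reproducible.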
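Review bot: Dropping `/admin` from `KC_HOSTNAME_ADMIN` is correct since the option takes a hostname, but now that `KC_HOSTNAME` is a real host the context lines `KC_HOSTNAME_STRICT: "false"` and `KC_HOSTNAME_STRICT_HTTPS: "false"` are the remaining gap: as the Keycloak docs describe them, non-strict mode lets the server resolve its frontend URL from request headers, which is what a Host-header-injected password-reset link needs, and behind `KC_PROXY: edge` both can be `"true"`. Commenting out `KC_DB_URL_DATABASE` is fine because `KC_DB_URL` already ends in `/keycloak`, but a `# database is part of KC_DB_URL` comment reads better than a dead line.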
@@ -65,37 +65,42 @@ keycloak: memory: 128Mi service: - service: type: ClusterIP port: 8080 targetPort: 8080 ingress: enabled: true - ingressClassName: nginx - pathType: ImplementationSpecific - hostname: auth.example.com - path: / - tls: false + hostname: 'auth.onprem-test.stands.wilix.dev' + ingressClassName: traefik + path: '/' + pathType: Prefix + annotations: + kubernetes.io/ingress.class: traefik + cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev + extraTls: + - hosts: + - "auth.onprem-test.stands.wilix.dev" + secretName: "auth.onprem-test.stands.wilix.dev" - livenessProbe: - enabled: true - failureThreshold: 6 - initialDelaySeconds: 60 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 5 - httpGet: - path: / - port: app + # livenessProbe: + # enabled: true + # failureThreshold: 6 + # initialDelaySeconds: 60 + # periodSeconds: 15 + # successThreshold: 1 + # timeoutSeconds: 5 + # httpGet: + # path: / + # port: app - readinessProbe: - enabled: true - failureThreshold: 6 - initialDelaySeconds: 60 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 5 - httpGet: - path: / - port: app \ No newline at end of file + # readinessProbe: + # enabled: true + # failureThreshold: 6 + # initialDelaySeconds: 60 + # periodSeconds: 15 + # successThreshold: 1 + # timeoutSeconds: 5 + # httpGet: + # path: / + # port: app \ No newline at end of file
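Review bot: Both probes are commented out rather than fixed, so the Service routes to the Keycloak pod as soon as the container starts (and regardless of whether `kc.sh start` ever ran after the import) and a hung JVM is never restarted. Keycloak 19 serves `/health/ready` and `/health/live` on the application port once `KC_HEALTH_ENABLED: "true"` is set in `configMaps.configs.data`; restore the probes against those paths instead of `/`, e.g. `readinessProbe: {enabled: true, httpGet: {path: /health/ready, port: app}}`. Replacing `tls: false` with cert-manager-issued TLS is good; `kubernetes.io/ingress.class` next to `ingressClassName` is redundant and can go.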