clear-onprem #5

Closed
artem.drozdov wants to merge 14 commits from clear-onprem into main
5 changed files with 192 additions and 64 deletions
Showing only changes of commit 2b16b7af4a - Show all commits


@ -7,13 +7,13 @@ global:
POSTGRES_PASSWORD: wsGZ6kXhr5
AWS_ACCESS_KEY_ID: "" # Ваш идентификатор ключа доступа к AWS. Поведение в SelfHosted: устанавливает логин сервис аккаунта для доступа приложения к Minio S3 хранилищу
AWS_SECRET_ACCESS_KEY: "minioadmin" # Ваш секретный ключ доступа AWS. Поведение в SelfHosted: устанавливает пароль сервис аккаунта для доступа приложения к Minio S3 хранилищу
OIDC_CLIENT_SECRET: "minioadminsecret"
OIDC_CLIENT_SECRET: "Kdq8rk5Pv5RW1c5kHXpnyfrmMRzI9xSD"
SECRET_KEY: "659a8881b186198c3146e316f6dab67df25496534d1fa156d624b037260df688" # Сгенерируйте 32-байтовый случайный ключ в шестнадцатеричном коде. Вам следует использовать `openssl rand -hex 32` в вашем терминале для генерации случайного значения.
SMTP_PASSWORD: "1234"
UTILS_SECRET: "7bd5e9ac4415dd0dbf6b7721e2a21e9427b268cd0140c7516d13dece5024d479" # Сгенерируйте уникальный случайный ключ. Формат не важен, но вы все равно можете использовать`openssl rand -hex 32` в вашем терминале, чтобы создать это.
TELEGRAM_BOT_TOKEN: "1234"
UNSPLASH_API_ACCESS_KEY: "a-yGo6HpRP6jNfravx4Bz-oiPrRnH_5-24Xa9ZPlePE"
LICENSE_KEY: "" # Обратитесь в отдел продаж для получения
LICENSE_KEY: "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJkdW1teSI6ImRhdGEiLCJkYXRhIjoiZHVtbXkiLCJpYXQiOjE2NjQ4OTUyNjUsImV4cCI6MTgyMjY4MzI2NX0.Qudc2d-MKc4DT-UBAVydgowiYQnzzWolvbJTjPB5dwEI32Wb64sgkXOfXKsRf9_wP3UK0-65QYVkMHM76ImhM9HCHv9LWJBQeD0q2rF243cMkMUNfKXAX8-SmLu9kMZzm0fL02IBnv5TCHIF7u6GgGRk3US6WbVhzqHGxrdJ2b3HwD_cI3mcLKCtTfO_GDiUfAv7u5Ddi-6tCfFRvH633BLPKIMO5cePh_AdHykO_2p7z_ypUfsVgqxHkq8KwNuuaI6CpwE48P-7mXuM9xEWu3-prSZpaI4rIZA6JFpGMWyiGs4GDvjRFssq4GUPvYJnkZ2w_W_liSMdC5hg0PFxcw" # Обратитесь в отдел продаж для получения
SERVICE_WORKER_PUBLIC_KEY: "1234"
SERVICE_WORKER_PRIVATE_KEY: "1234"
# Генерация ключей (web-push) Service Worker
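Review bot: The new `OIDC_CLIENT_SECRET` and `LICENSE_KEY` values, like the other entries in this block, appear to be real credentials committed in plaintext to a values file; once pushed they live in git history and should be treated as disclosed and rotated, and the chart should read them from a pre-existing Kubernetes Secret or an external secret store instead of defaults in the repository. If these are meant to be placeholders for a test stand, say so next to each key, e.g. `OIDC_CLIENT_SECRET: "" # supply via --set or an external secret`, so the empty string is the committed default. Unrelated to this change but visible in the context lines, `AWS_ACCESS_KEY_ID: ""` next to a non-empty `AWS_SECRET_ACCESS_KEY` looks inconsistent and is worth confirming.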


@ -0,0 +1,30 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .Values.ingress.name }}
namespace: {{ .Values.ingress.namespace }}
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: "{{ $value }}"
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.ingressClassName }}
tls:
- secretName: "{{ .Values.ingress.tls.secretName }}"
hosts:
{{- range .Values.ingress.tls.hosts }}
- "{{ . }}"
{{- end }}
rules:
- host: "{{ .Values.ingress.hostname }}"
http:
paths:
{{- range .Values.ingress.rules.paths }}
- path: {{ .path }}
pathType: {{ .pathType }}
backend:
service:
name: {{ .service.name }}
port:
number: {{ .service.port | int }}
{{- end }}
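Review bot: The annotation loop at `{{ $key }}: "{{ $value }}"` copies each value verbatim, so an annotation value that itself contains a template expression — the values file in this commit writes the Traefik middleware annotation as `'{{ .Release.Namespace }}-redirect-https@kubernetescrd,…'` — is emitted as the literal text `{{ .Release.Namespace }}` rather than the namespace, which presumably worked before only because the subchart ingress blocks it replaces rendered annotations through `tpl`. If that is the intent here, `{{ $key }}: {{ tpl (toString $value) $ | quote }}` renders it. Relatedly, `namespace: {{ .Values.ingress.namespace }}` pins the Ingress to a namespace chosen in values while the middleware references are built from `.Release.Namespace`; `namespace: {{ .Values.ingress.namespace | default .Release.Namespace }}` keeps the two in step when the release is installed with `-n`. The unquoted `{{ .Values.ingress.name }}`, `{{ .Values.ingress.namespace }}` and `{{ .path }}` render as `null` when a value is empty, so quoting them gives a clearer API-server error than a missing name.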


@ -2,7 +2,7 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirect-https
name: yonote-onprem-redirect-https
spec:
redirectScheme:
scheme: https


@ -2,7 +2,7 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: wss-headers
name: yonote-onprem-wss-headers
spec:
headers:
customRequestHeaders:


@ -6,12 +6,12 @@ global:
username: yonote
yonote:
ingress:
ingressClassName: nginx
# ingress:
# ingressClassName: traefik
dbMigrationEnv: production-ssl-disabled # Режим подключения к базе данных при выполнении миграций. При использовании SSL подключения, установите значение `production`
baseListenAddress: example.com
baseListenAddress: onprem-test.stands.wilix.dev
config:
plain:
@ -30,17 +30,18 @@ global:
AI_URL: "1234"
AI_API_KEY: "1234"
WEB_CONCURRENCY: "1"
URL: 'http://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения
URL: 'https://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения
COLLABORATION_URL: 'wss://app.{{ .Values.global.yonote.baseListenAddress }}' # Cервер, для нормальной работы это не нужно устанавливать
OIDC_DISPLAY_NAME: email
OIDC_SCOPES: openid email
OIDC_CLIENT_ID: yonote
OIDC_AUTH_URI: 'yonote-keycloak:8080/realms/yonote/protocol/openid-connect/auth'
OIDC_LOGOUT_URI: 'yonote-keycloak:8080/realms/yonote/protocol/openid-connect/logout'
OIDC_TOKEN_URI: 'yonote-keycloak:8080/realms/yonote/protocol/openid-connect/token'
OIDC_USERINFO_URI: 'yonote-keycloak:8080/realms/yonote/protocol/openid-connect/userinfo'
OIDC_CLIENT_ID: yonote-local
OIDC_AUTH_URI: 'https://auth.yonote.ru/realms/yonote-test/protocol/openid-connect/auth'
OIDC_LOGOUT_URI: 'https://auth.yonote.ru/realms/yonote-test/protocol/openid-connect/logout'
OIDC_TOKEN_URI: 'https://auth.yonote.ru/realms/yonote-test/protocol/openid-connect/token'
OIDC_USERINFO_URI: 'https://auth.yonote.ru/realms/yonote-test/protocol/openid-connect/userinfo'
AWS_S3_ACL: private
AWS_S3_UPLOAD_BUCKET_URL: yonote-minio:9000 # Адрес S3 хранилища
@ -77,6 +78,61 @@ global:
cron_enabled: "true"
url: http://yonote-web/api/cron.schedule
# ingress:
# enabled: true
# hostname: 'app.onprem-test.stands.wilix.dev'
# ingressClassName: traefik
# path: '/'
# pathType: Prefix
# annotations:
# cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev
# traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd'
# # nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
# # nginx.ingress.kubernetes.io/configuration-snippet: |
# # more_set_headers "Host $http_host";
# # more_set_headers "X-Real-IP $remote_addr";
# # more_set_headers "X-Forwarded-Proto $scheme";
# # more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for";
# extraTls:
# - hosts:
# - "app.onprem-test.stands.wilix.dev"
# secretName: "app.onprem-test.stands.wilix.dev"
ingress:
enabled: true
name: yonote-ingress
namespace: yonote-onprem
ingressClassName: traefik
hostname: 'app.onprem-test.stands.wilix.dev'
tls:
secretName: "app.onprem-test.stands.wilix.dev"
hosts:
- "app.onprem-test.stands.wilix.dev"
rules:
paths:
- path: /
pathType: Prefix
service:
name: yonote-web
port: 80
- path: /realtime
pathType: Prefix
service:
name: yonote-websockets
port: 80
- path: /whiteboard
pathType: Prefix
service:
name: yonote-whiteboard
port: 80
- path: /collaboration
pathType: Prefix
service:
name: yonote-collaboration
port: 80
annotations:
cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev
traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd'
yonote-web:
fullnameOverride: yonote-web
nameOverride: yonote-web
@ -110,8 +166,8 @@ yonote-web:
resources:
limits:
cpu: 350m
memory: 512Mi
cpu: 1
memory: 1Gi
requests:
cpu: 200m
memory: 128Mi
@ -132,16 +188,25 @@ yonote-web:
- secretRef:
name: yonote-secrets
ingress:
hostname: '"*.example.com"'
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Host $http_host";
more_set_headers "X-Real-IP $remote_addr";
more_set_headers "X-Forwarded-Proto $scheme";
more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for";
# ingress:
# enabled: true
# hostname: 'app.onprem-test.stands.wilix.dev'
# ingressClassName: traefik
# path: '/'
# pathType: Prefix
# annotations:
# cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev
# traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd'
# # nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
# # nginx.ingress.kubernetes.io/configuration-snippet: |
# # more_set_headers "Host $http_host";
# # more_set_headers "X-Real-IP $remote_addr";
# # more_set_headers "X-Forwarded-Proto $scheme";
# # more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for";
# extraTls:
# - hosts:
# - "app.onprem-test.stands.wilix.dev"
# secretName: "app.onprem-test.stands.wilix.dev"
podLabels:
redis-client: 'true'
@ -212,16 +277,25 @@ yonote-websocket:
port: 80
targetPort: app
ingress:
hostname: '"*.example.com"'
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Host $http_host";
more_set_headers "X-Real-IP $remote_addr";
more_set_headers "X-Forwarded-Proto $scheme";
more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for";
# ingress:
# enabled: true
# hostname: 'app.onprem-test.stands.wilix.dev'
# ingressClassName: traefik
# path: '/realtime'
# pathType: Prefix
# annotations:
# cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev
# traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd'
# # nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
# # nginx.ingress.kubernetes.io/configuration-snippet: |
# # more_set_headers "Host $http_host";
# # more_set_headers "X-Real-IP $remote_addr";
# # more_set_headers "X-Forwarded-Proto $scheme";
# # more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for";
# extraTls:
# - hosts:
# - "app.onprem-test.stands.wilix.dev"
# secretName: "app.onprem-test.stands.wilix.dev"
podLabels:
redis-client: 'true'
@ -292,16 +366,26 @@ yonote-whiteboard:
port: 80
targetPort: app
ingress:
hostname: '"*.example.com"'
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Host $http_host";
more_set_headers "X-Real-IP $remote_addr";
more_set_headers "X-Forwarded-Proto $scheme";
more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for";
# ingress:
# enabled: true
# hostname: 'app.onprem-test.stands.wilix.dev'
# ingressClassName: traefik
# path: '/whiteboard'
# pathType: Prefix
# annotations:
# cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev
# traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd'
# # nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
# # nginx.ingress.kubernetes.io/configuration-snippet: |
# # more_set_headers "Host $http_host";
# # more_set_headers "X-Real-IP $remote_addr";
# # more_set_headers "X-Forwarded-Proto $scheme";
# # more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for";
# extraTls:
# - hosts:
# - "app.onprem-test.stands.wilix.dev"
# secretName: "app.onprem-test.stands.wilix.dev"
podLabels:
redis-client: 'true'
@ -348,11 +432,11 @@ yonote-worker:
resources:
limits:
cpu: 500m
cpu: 1
memory: 1Gi
requests:
cpu: 250m
memory: 256Mi
cpu: 50m
memory: 128Mi
checksums: null
@ -427,16 +511,25 @@ yonote-collaboration:
port: 80
targetPort: app
ingress:
hostname: '"*.example.com"'
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Host $http_host";
more_set_headers "X-Real-IP $remote_addr";
more_set_headers "X-Forwarded-Proto $scheme";
more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for";
# ingress:
# enabled: true
# hostname: 'app.onprem-test.stands.wilix.dev'
# ingressClassName: traefik
# path: '/collaboration'
# pathType: Prefix
# annotations:
# cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev
# traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-redirect-https@kubernetescrd,{{.Release.Namespace }}-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd'
# # nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
# # nginx.ingress.kubernetes.io/configuration-snippet: |
# # more_set_headers "Host $http_host";
# # more_set_headers "X-Real-IP $remote_addr";
# # more_set_headers "X-Forwarded-Proto $scheme";
# # more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for";
# extraTls:
# - hosts:
# - "app.onprem-test.stands.wilix.dev"
# secretName: "app.onprem-test.stands.wilix.dev"
envFrom:
- configMapRef:
@ -523,13 +616,18 @@ minio:
ingress:
enabled: true
hostname: 's3.onprem-test.stands.wilix.dev'
ingressClassName: traefik
path: '/'
pathType: ImplementationSpecific
annotations:
kubernetes.io/ingress.class: nginx
hosts:
- host: s3.example.com
paths:
- path: /
pathType: ImplementationSpecific
kubernetes.io/ingress.class: traefik
cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev
extraTls:
- hosts:
- "s3.onprem-test.stands.wilix.dev"
secretName: "s3.onprem-test.stands.wilix.dev"
resources:
requests:
memory: 512Mi
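Review bot: The `traefik.ingress.kubernetes.io/router.middlewares` annotation added in the `@@ -77,6 +78,61 @@` hunk still references `{{ .Release.Namespace }}-redirect-https@kubernetescrd` and `…-wss-headers@kubernetescrd`, while this same commit renames the two Middleware objects to `yonote-onprem-redirect-https` and `yonote-onprem-wss-headers`; Traefik resolves Kubernetes CRD middlewares as `<namespace>-<name>@kubernetescrd`, so unless the namespace is meant to be part of the object name the references no longer match and the HTTPS redirect and websocket headers are silently not applied. Either keep the old names or update the annotation to `'{{ .Release.Namespace }}-yonote-onprem-redirect-https@kubernetescrd,{{ .Release.Namespace }}-yonote-onprem-wss-headers@kubernetescrd,kube-system-wilix-office-ipwhitelist@kubernetescrd'`. The same hunks also replace the `example.com` placeholders with one test stand's specifics (`onprem-test.stands.wilix.dev`, the `yonote-test` realm at `auth.yonote.ru`, `letsencrypt.rancher.wilix.dev`, the `kube-system-wilix-office-ipwhitelist` middleware) as the chart's default values, which an on-prem installer will have to find and override. The 19-line commented-out ingress block is repeated in four subcharts (`@@ -132`, `@@ -212`, `@@ -292`, `@@ -427`) instead of being deleted; git history already preserves the old form, and the `@@ -348` hunk leaves `yonote-worker` with `requests.cpu: 50m` against a `limits.cpu: 1`, a 20x burst ratio worth a comment if intentional.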