diff --git a/README.md b/README.md index c7b3338..268a7ef 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,14 @@ # Yonote Helm Chart +**Критическое изменение** + +Данный чарт предназначен только для новых развертываний! + +Версия 2.x.x не совместима с предыдущими версиями 1.x.x данного чарта. Если вы попытаетесь использовать этот чарт для обновления существующего развертывания Yonote, это приведет к потере данных. + +Руководство по миграции будет предоставлено в ближайшее время. + + ## Обзор Этот Helm chart позволяет развернуть **Yonote** в Kubernetes. Он предоставляет быстрый и простой способ установки, настройки и управления приложением с помощью Helm. @@ -48,6 +57,26 @@ helm install app -f values.yaml -f secret-values.yaml -n yonote-onprem . ``` После выполнения команды начнётся установка приложения и всех дополнительных сервисов к нему. Остаётся только подождать, пока все сервисы запустятся. +### 5. Keycloak + +Перед первым входом в Yonote необходимо обновить поле **Valid redirect URIs** клиента yonote в области (realm) Yonote в системе Keycloak. + +Уже существуют две записи, поэтому достаточно просто скопировать их и отредактировать. + +Например: + +Существующие записи: +* http://example.com/* +* https://example.com/* + +Добавить следующие: +* http://app.example.com/* +* https://app.example.com/* +* https://app.example.com/auth/oidc.callback/* +* https://team.example.com/* + +Примечание: символы * в URL-адресах являются подстановочными знаками и обозначают любые дополнительные пути после указанного базового URL. + ### Обратная связь Если у вас есть вопросы или вам нужна помощь, пишите на email: hello@yonote.ru \ No newline at end of file diff --git a/yonote-chart-service/Chart.lock b/yonote-chart-service/Chart.lock index a59078e..fe552e9 100644 --- a/yonote-chart-service/Chart.lock +++ b/yonote-chart-service/Chart.lock @@ -14,17 +14,17 @@ dependencies: - name: app repository: https://dysnix.github.io/charts version: 0.3.15 -- name: postgresql - repository: https://charts.bitnami.com/bitnami - version: 11.6.6 +- name: postgres + repository: https://groundhog2k.github.io/helm-charts/ + version: 0.3.9 - name: redis - repository: https://charts.bitnami.com/bitnami - version: 16.12.1 + repository: https://groundhog2k.github.io/helm-charts/ + version: 0.7.0 - name: minio - repository: https://charts.bitnami.com/bitnami - version: 12.7.0 -- name: keycloak - repository: https://charts.bitnami.com/bitnami - version: 14.0.0 -digest: sha256:928723e189de54fafe19316743b8f9d08d7c74f9728b0c4afb1f5cd3ee1e83dc -generated: "2024-08-25T00:46:01.648512702+03:00" + repository: https://charts.min.io/ + version: 5.4.0 +- name: keycloakx + repository: https://codecentric.github.io/helm-charts + version: 1.3.2 +digest: sha256:ad0128ad6d526a8946d659481ec5dc19d1faf785919efbcc689a37ae80bc820e +generated: "2025-10-30T14:17:59.001901626+03:00" diff --git a/yonote-chart-service/Chart.yaml b/yonote-chart-service/Chart.yaml index a70fa48..f454093 100644 --- a/yonote-chart-service/Chart.yaml +++ b/yonote-chart-service/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 name: yonote-chart -version: 1.2.0 +version: 2.0.0 description: Generic application Helm chart. - This chart includes multiple dependencies. The base of this chart is derived from the Dynix app chart. + This chart includes multiple dependencies. The base of this chart is derived from the Dysnix app chart. maintainers: - name: Dysnix email: support@dysnix.com @@ -29,32 +29,32 @@ dependencies: version: "0.3.15" repository: https://dysnix.github.io/charts alias: yonote-worker - + - name: app version: "0.3.15" repository: https://dysnix.github.io/charts alias: yonote-collaboration - - name: postgresql - version: "11.6.6" - repository: https://charts.bitnami.com/bitnami - condition: yonoteDatabase.enabled - alias: yonoteDatabase + - name: postgres + version: "0.3.9" + repository: https://groundhog2k.github.io/helm-charts/ + condition: postgres.enabled + alias: postgres - name: redis - version: "16.12.1" - repository: https://charts.bitnami.com/bitnami - condition: yonote-redis.enabled - alias: yonote-redis + version: "0.7.0" + repository: https://groundhog2k.github.io/helm-charts/ + condition: redis.enabled + alias: redis - name: minio - version: "12.7.0" - repository: https://charts.bitnami.com/bitnami + version: "5.4.0" + repository: https://charts.min.io/ condition: minio.enabled alias: minio - - name: keycloak - version: "14.0.0" - repository: https://charts.bitnami.com/bitnami + - name: keycloakx + version: "1.3.2" + repository: https://codecentric.github.io/helm-charts condition: keycloak.enabled - alias: keycloak \ No newline at end of file + alias: keycloak diff --git a/yonote-chart-service/secret-values.yaml b/yonote-chart-service/secret-values.yaml index f53e7ee..8e7022f 100644 --- a/yonote-chart-service/secret-values.yaml +++ b/yonote-chart-service/secret-values.yaml @@ -3,41 +3,43 @@ global: config: secret: stringData: - DATABASE_URL: 'postgres://{{ .Values.yonoteDatabase.global.postgresql.auth.username }}:{{ .Values.yonoteDatabase.global.postgresql.auth.password }}@yonote-database:5432/{{ .Values.yonoteDatabase.global.postgresql.auth.database }}' - POSTGRES_PASSWORD: "{{ .Values.yonoteDatabase.global.postgresql.auth.password }}" - AWS_ACCESS_KEY_ID: "{{ .Values.minio.customUser }}" # Ваш идентификатор ключа доступа к AWS. - AWS_SECRET_ACCESS_KEY: "{{ .Values.minio.customAccessKey }}" # Ваш секретный ключ доступа AWS. - OIDC_CLIENT_SECRET: "Kdq8rk5Pv5RW1c5kHXpnyfrmMRzI9xSD" # Секретный ключ клиента для аутентификации по OpenID Connect (OIDC). + DATABASE_URL: 'postgres://{{ .Values.postgres.userDatabase.user }}:{{ .Values.postgres.userDatabase.password }}@yonote-database:5432/{{ .Values.postgres.userDatabase.name }}' + POSTGRES_PASSWORD: "{{ .Values.postgres.userDatabase.password }}" + AWS_ACCESS_KEY_ID: "qwer12314q" # Ваш идентификатор ключа доступа к AWS. + AWS_SECRET_ACCESS_KEY: "qwer-12314q-qwersa" # Ваш секретный ключ доступа AWS. + OIDC_CLIENT_SECRET: "{{ .Values.keycloak.secrets.secrets.stringData.OIDC_CLIENT_SECRET }}" # Секретный ключ клиента для аутентификации по OpenID Connect (OIDC). SECRET_KEY: "659a8881b186198c3146e316f6dab67df25496534d1fa156d624b037260df688" # Сгенерируйте 32-байтовый случайный ключ в шестнадцатеричном коде. Вам следует использовать `openssl rand -hex 32` в вашем терминале для генерации случайного значения. SMTP_PASSWORD: "1234" UTILS_SECRET: "7bd5e9ac4415dd0dbf6b7721e2a21e9427b268cd0140c7516d13dece5024d479" # Сгенерируйте уникальный случайный ключ. Формат не важен, но вы все равно можете использовать`openssl rand -hex 32` в вашем терминале, чтобы создать это. TELEGRAM_BOT_TOKEN: "1234" - UNSPLASH_API_ACCESS_KEY: "a-yGo6HpRP6jNfravx4Bz-oiPrRnH_5-24Xa9ZPlePE" - LICENSE_KEY: "qwerty-123456-zxcvb" # Обратитесь в отдел продаж для получения - SERVICE_WORKER_PUBLIC_KEY: "1234" + UNSPLASH_API_ACCESS_KEY: "a-yGo6HpRP6jNfravx4Bz-oiPrRnH_5-24Xa9ZPlePE" + LICENSE_KEY: "" # Обратитесь в отдел продаж для получения + SERVICE_WORKER_PUBLIC_KEY: "1234" SERVICE_WORKER_PRIVATE_KEY: "1234" # Генерация ключей (web-push) Service Worker - # 1) Установить Node.js и npm + # 1) Установить Node.js и npm # 2) Выполнить команду для генерации ключей # npx web-push generate-vapid-keys # 3) Полученные значения ввести в .env файл (SERVICE_WORKER_PUBLIC_KEY, SERVICE_WORKER_PRIVATE_KEY) - -yonoteDatabase: - global: - postgresql: - auth: - password: "wsGZ6kXhr5" - postgresPassword: "QQYw4UjOU" -# yonote-redis: # Если используете auth для redis -# auth: -# password: "12345678" +postgres: + settings: + superuserPassword: "QQYw4UjOU" + userDatabase: + password: "wsGZ6kXhr5" + +redis: + args: + - "--user redis:redis" minio: - customAccessKey: "qwer-12314q-qwersa" - auth: - rootPassword: "qwettaas" + rootPassword: "qwettaas" keycloak: - auth: - adminPassword: "root" \ No newline at end of file + database: + password: keycloakdbpassword + secrets: + secrets: + stringData: + KEYCLOAK_ADMIN_PASSWORD: secret + OIDC_CLIENT_SECRET: "iS3jOA3Z7zXBwSN8EzJm36ybz57JNgpR" diff --git a/yonote-chart-service/templates/configmap-initdb.yaml b/yonote-chart-service/templates/configmap-initdb.yaml index 65c5c4a..071fc8a 100644 --- a/yonote-chart-service/templates/configmap-initdb.yaml +++ b/yonote-chart-service/templates/configmap-initdb.yaml @@ -3,5 +3,12 @@ kind: ConfigMap metadata: name: postgres-init-scripts data: - init.sql: | - CREATE DATABASE "{{ .Values.keycloak.externalDatabase.database }}"; \ No newline at end of file + init-keycloak-db.sh: | + !/bin/bash + set -e + + psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL + CREATE DATABASE {{ .Values.keycloak.database.database }}; + CREATE USER {{ .Values.keycloak.database.username }} WITH PASSWORD '{{ .Values.keycloak.database.password }}'; + GRANT ALL PRIVILEGES ON DATABASE keycloak TO {{ .Values.keycloak.database.username }}; + EOSQL diff --git a/yonote-chart-service/templates/mcJob.yaml b/yonote-chart-service/templates/mcJob.yaml index 787d6e6..e8f0e73 100644 --- a/yonote-chart-service/templates/mcJob.yaml +++ b/yonote-chart-service/templates/mcJob.yaml @@ -13,54 +13,22 @@ spec: spec: containers: - name: mc-client - image: "docker.io/bitnami/minio-client:2024.8.13-debian-12-r0" + image: "minio/mc:RELEASE.2025-01-17T23-25-50Z" command: ["/bin/sh", "-c"] args: - | - until mc alias set myminio http://yonote-minio:9000 {{ .Values.minio.auth.rootUser }} {{ .Values.minio.auth.rootPassword }}; do + until mc alias set myminio http://yonote-minio:9000 {{ .Values.minio.rootUser }} {{ .Values.minio.rootPassword }}; do echo "Waiting for MinIO to be ready..." sleep 5 done echo "MinIO is ready and alias is set." - # Создание пользователя - if ! mc admin user add myminio {{ .Values.minio.customUser }} {{ .Values.minio.customAccessKey }}; then - echo "User {{ .Values.minio.customUser }} already exists or failed to create." - else - echo "User {{ .Values.minio.customUser }} created successfully." - fi - - # Назначение политики для нового пользователя - cat < /tmp/minio-user-policy.json - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor", - "Effect": "Allow", - "Action": [ - "s3:DeleteObject", - "s3:GetObject", - "s3:PutObject" - ], - "Resource": [ - "arn:aws:s3:::yonote-bucket/*" - ] - } - ] - } - EOF - echo "User policy JSON file created." - - mc admin policy create myminio yonote-policy /tmp/minio-user-policy.json - echo "User policy created and applied." - # Создание бакета - if ! mc ls myminio/yonote-bucket; then - mc mb myminio/yonote-bucket - echo "Bucket yonote-bucket created successfully." + if ! mc ls myminio/{{ .Values.global.yonote.config.plain.data.AWS_S3_UPLOAD_BUCKET_NAME }}; then + mc mb myminio/{{ .Values.global.yonote.config.plain.data.AWS_S3_UPLOAD_BUCKET_NAME }} + echo "Bucket {{ .Values.global.yonote.config.plain.data.AWS_S3_UPLOAD_BUCKET_NAME }} created successfully." else - echo "Bucket yonote-bucket already exists." + echo "Bucket {{ .Values.global.yonote.config.plain.data.AWS_S3_UPLOAD_BUCKET_NAME }} already exists." fi # Установка политик для бакета @@ -79,7 +47,7 @@ spec: "s3:GetBucketLocation" ], "Resource": [ - "arn:aws:s3:::yonote-bucket" + "arn:aws:s3:::{{ .Values.global.yonote.config.plain.data.AWS_S3_UPLOAD_BUCKET_NAME }}" ] }, { @@ -93,7 +61,7 @@ spec: "s3:GetObject" ], "Resource": [ - "arn:aws:s3:::yonote-bucket/*" + "arn:aws:s3:::{{ .Values.global.yonote.config.plain.data.AWS_S3_UPLOAD_BUCKET_NAME }}/*" ] } ] @@ -101,12 +69,9 @@ spec: EOF echo "Bucket policy JSON file created." - mc anonymous set-json /tmp/minio-bucket-policy.json myminio/yonote-bucket + mc anonymous set-json /tmp/minio-bucket-policy.json myminio/{{ .Values.global.yonote.config.plain.data.AWS_S3_UPLOAD_BUCKET_NAME }} echo "Bucket policy applied." - mc admin policy attach myminio yonote-policy --user={{ .Values.minio.customUser }} - echo "Policy attached to user {{ .Values.minio.customUser }}." - resources: requests: memory: "128Mi" diff --git a/yonote-chart-service/templates/realm-configmap.yaml b/yonote-chart-service/templates/realm-configmap.yaml deleted file mode 100644 index 11d7483..0000000 --- a/yonote-chart-service/templates/realm-configmap.yaml +++ /dev/null @@ -1,169 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: realm-export -data: - realm-export.json: | - { - "realm": "yonote", - "enabled": true, - "notBefore": 1647809856, - "defaultSignatureAlgorithm": "RS256", - "revokeRefreshToken": false, - "refreshTokenMaxReuse": 0, - "accessTokenLifespan": 300, - "accessTokenLifespanForImplicitFlow": 900, - "ssoSessionIdleTimeout": 1800, - "ssoSessionMaxLifespan": 36000, - "ssoSessionIdleTimeoutRememberMe": 0, - "ssoSessionMaxLifespanRememberMe": 0, - "offlineSessionIdleTimeout": 2592000, - "offlineSessionMaxLifespanEnabled": false, - "offlineSessionMaxLifespan": 5184000, - "clientSessionIdleTimeout": 0, - "clientSessionMaxLifespan": 0, - "clientOfflineSessionIdleTimeout": 0, - "clientOfflineSessionMaxLifespan": 0, - "accessCodeLifespan": 60, - "accessCodeLifespanUserAction": 300, - "accessCodeLifespanLogin": 1800, - "actionTokenGeneratedByAdminLifespan": 43200, - "actionTokenGeneratedByUserLifespan": 300, - "oauth2DeviceCodeLifespan": 600, - "oauth2DevicePollingInterval": 5, - "sslRequired": "external", - "registrationAllowed": true, - "registrationEmailAsUsername": true, - "rememberMe": true, - "verifyEmail": false, - "loginWithEmailAllowed": true, - "duplicateEmailsAllowed": false, - "resetPasswordAllowed": true, - "editUsernameAllowed": false, - "bruteForceProtected": false, - "permanentLockout": false, - "maxFailureWaitSeconds": 900, - "minimumQuickLoginWaitSeconds": 60, - "waitIncrementSeconds": 60, - "quickLoginCheckMilliSeconds": 1000, - "maxDeltaTimeSeconds": 43200, - "failureFactor": 30, - "clients": [ - { - "clientId": "{{ .Values.global.yonote.config.plain.data.OIDC_CLIENT_ID }}", - "secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}", - "redirectUris": [ - "https://*.{{ .Values.global.yonote.baseListenAddress }}/*", - "http://*.{{ .Values.global.yonote.baseListenAddress }}/*", - "http://app.{{ .Values.global.yonote.baseListenAddress }}/*", - "https://app.{{ .Values.global.yonote.baseListenAddress }}/*", - "https://app.{{ .Values.global.yonote.baseListenAddress }}/auth/oidc.callback/*" - ], - "baseUrl": "https://app.{{ .Values.global.yonote.baseListenAddress }}", - "enabled": true, - "publicClient": false, - "protocol": "openid-connect", - "attributes": { - "client.secret": "{{ .Values.global.yonote.config.secret.stringData.OIDC_CLIENT_SECRET }}", - "display.on.consent.screen": "true" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": false, - "protocolMappers": [ - { - "name": "oidc-display-name", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-attribute-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": ["openid", "email"] - } - ], - "identityProviders": [], - "internationalizationEnabled": true, - "clientScopes": [ - { - "name": "openid", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "{{ .Values.global.yonote.config.plain.data.OIDC_DISPLAY_NAME }}" - }, - "protocolMappers": [] - }, - { - "name": "email", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true" - }, - "protocolMappers": [ - { - "id": "56fe6d23-690a-465c-bc36-99bff8fef6eb", - "name": "email verified", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "emailVerified", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email_verified", - "jsonType.label": "boolean" - } - }, - { - "id": "2c6acd0e-b776-48f5-9c3b-7bfdbbe712dc", - "name": "email", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "email", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "email", - "jsonType.label": "String" - } - } - ] - } - ], - "browserSecurityHeaders": { - "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';" - }, - "webAuthnPolicyRpEntityName": "keycloak", - "webAuthnPolicySignatureAlgorithms": ["ES256"], - "webAuthnPolicyRpId": "", - "webAuthnPolicyAttestationConveyancePreference": "not specified", - "webAuthnPolicyAuthenticatorAttachment": "not specified", - "webAuthnPolicyRequireResidentKey": "not specified", - "webAuthnPolicyUserVerificationRequirement": "not specified", - "webAuthnPolicyCreateTimeout": 0, - "webAuthnPolicyAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyAcceptableAaguids": [], - "webAuthnPolicyPasswordlessRpEntityName": "keycloak", - "webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"], - "webAuthnPolicyPasswordlessRpId": "", - "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified", - "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified", - "webAuthnPolicyPasswordlessRequireResidentKey": "not specified", - "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified", - "webAuthnPolicyPasswordlessCreateTimeout": 0, - "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, - "webAuthnPolicyPasswordlessAcceptableAaguids": [], - "smtpServer": {} - } \ No newline at end of file diff --git a/yonote-chart-service/values.yaml b/yonote-chart-service/values.yaml index 70f1645..0bbbc83 100644 --- a/yonote-chart-service/values.yaml +++ b/yonote-chart-service/values.yaml @@ -7,25 +7,28 @@ global: config: plain: data: + DEBUG: debug NODE_ENV: production FORCE_HTTPS: "false" PGSSLMODE: disable # Отключает SSL подключение к базе данных. Уберите эту строку, если вы используете SSL подключение к PostgreSQL WEB_CONCURRENCY: "1" - + BIND_HOST: 0.0.0.0 # Хост по умолчанию PORT: "3000" # Порт по умолчанию - REDIS_URL: redis://yonote-redis-master:6379 + REDIS_URL: redis://yonote-redis:6379 DEFAULT_LANGUAGE: ru_RU # Язык по умолчанию ENABLE_UPDATES: "false" - + AI_URL: "1234" AI_API_KEY: "1234" - URL: 'https://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения - COLLABORATION_URL: 'wss://app.{{ .Values.global.yonote.baseListenAddress }}' # Cервер, для нормальной работы это не нужно устанавливать - + URL: 'https://app.{{ .Values.global.yonote.baseListenAddress }}' # Базовый url приложения + COLLABORATION_URL: 'wss://app.{{ .Values.global.yonote.baseListenAddress }}' # Cервер, для нормальной работы это не нужно устанавливать + + #DEPLOYMENT: 'hosted' + OIDC_DISPLAY_NAME: email OIDC_SCOPES: openid email OIDC_CLIENT_ID: yonote @@ -35,7 +38,7 @@ global: OIDC_USERINFO_URI: 'https://auth.example.com/realms/yonote/protocol/openid-connect/userinfo' # URL для получения информации о пользователе. Используется для получения данных профиля пользователя на основе его токена. AWS_S3_ACL: private - AWS_S3_UPLOAD_BUCKET_URL: 'https://api-s3.example.com' # Адрес API S3 хранилища + AWS_S3_UPLOAD_BUCKET_URL: 'https://s3.example.com' # Адрес API S3 хранилища AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket # Имя хранилища AWS_REGION: "RU" AWS_S3_UPLOAD_MAX_SIZE: "226214400" # Максимальный размер хранилища @@ -53,11 +56,11 @@ global: RESERVED_SUBDOMAINS: about,account,admin,advertising,api,app,assets,archive,beta,billing,blog,cache,cdn,code,community,dashboard,developer,developers,forum,help,home,http,https,imap,localhost,mail,marketing,mobile,multiplayer,new,news,newsletter,ns1,ns2,ns3,ns4,password,profile,realtime,sandbox,script,scripts,setup,signin,signup,site,smtp,support,status,static,stats,test,update,updates,ws,wss,web,websockets,www,www1,www2,www3,www4 - SMTP_HOST: "" + SMTP_HOST: "smtp.wilix.dev" SMTP_USERNAME: "" SMTP_FROM_EMAIL: "" SMTP_REPLY_EMAIL: "" - SMTP_PORT: "" + SMTP_PORT: "456" SMTP_SECURE: "" # connection will be upgraded: https://nodemailer.com/smtp/ SMTP_REQUIRE_TLS: "" @@ -75,59 +78,59 @@ ingress: namespace: yonote-onprem ingressClassName: traefik tls: - secretName: "you_tls_secret" - hosts: - - "app.example.com" + secretName: "example.com-tls" + hosts: + - "app.example.com" - "team.example.com" rules: - - host: "app.example.com" - paths: - - path: / - pathType: Prefix - service: - name: yonote-web - port: 80 - - path: /realtime - pathType: Prefix - service: - name: yonote-websockets - port: 80 - - path: /whiteboard - pathType: Prefix - service: - name: yonote-whiteboard - port: 80 - - path: /collaboration - pathType: Prefix - service: - name: yonote-collaboration - port: 80 - - host: "team.example.com" - paths: - - path: / - pathType: Prefix - service: - name: yonote-web - port: 80 - - path: /realtime - pathType: Prefix - service: - name: yonote-websockets - port: 80 - - path: /whiteboard - pathType: Prefix - service: - name: yonote-whiteboard - port: 80 - - path: /collaboration - pathType: Prefix - service: - name: yonote-collaboration - port: 80 + - host: "app.example.com" + paths: + - path: / + pathType: Prefix + service: + name: yonote-web + port: 80 + - path: /realtime + pathType: Prefix + service: + name: yonote-websockets + port: 80 + - path: /whiteboard + pathType: Prefix + service: + name: yonote-whiteboard + port: 80 + - path: /collaboration + pathType: Prefix + service: + name: yonote-collaboration + port: 80 + - host: "team.example.com" + paths: + - path: / + pathType: Prefix + service: + name: yonote-web + port: 80 + - path: /realtime + pathType: Prefix + service: + name: yonote-websockets + port: 80 + - path: /whiteboard + pathType: Prefix + service: + name: yonote-whiteboard + port: 80 + - path: /collaboration + pathType: Prefix + service: + name: yonote-collaboration + port: 80 + + #annotations: + # cert-manager.io/cluster-issuer: # Если используете - annotations: - # cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете - yonote-web: fullnameOverride: yonote-web nameOverride: yonote-web @@ -136,7 +139,7 @@ yonote-web: image: registry: images.updates.yonote.ru repository: yonote - tag: 1.19.8 + tag: 1.22.11 pullPolicy: IfNotPresent command: ["/bin/sh", "-c"] @@ -144,7 +147,7 @@ yonote-web: initContainers: - name: yonote-migration - image: images.updates.yonote.ru/yonote:1.19.8 + image: images.updates.yonote.ru/yonote:1.22.11 imagePullPolicy: IfNotPresent command: - /bin/sh @@ -166,17 +169,17 @@ yonote-web: requests: cpu: 200m memory: 256Mi - + containerPorts: - containerPort: 3000 name: app protocol: TCP - + service: type: ClusterIP port: 80 targetPort: app - + envFrom: - configMapRef: name: yonote-configs @@ -185,11 +188,11 @@ yonote-web: podLabels: redis-client: 'true' - + podAnnotations: checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}" checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}" - + readinessProbe: enabled: true failureThreshold: 6 @@ -200,7 +203,7 @@ yonote-web: httpGet: path: /_health port: app - + livenessProbe: enabled: true failureThreshold: 6 @@ -216,13 +219,13 @@ yonote-websocket: fullnameOverride: yonote-websockets nameOverride: yonote-websockets name: websockets - + image: registry: images.updates.yonote.ru repository: yonote - tag: 1.19.8 + tag: 1.22.11 pullPolicy: IfNotPresent - + command: ["/bin/sh", "-c"] args: ['IS_COMPILED=true yarn bytenode ./build/server/main.jsc --services=websockets'] @@ -233,32 +236,32 @@ yonote-websocket: requests: cpu: 150m memory: 128Mi - + checksums: null - + envFrom: - configMapRef: name: yonote-configs - secretRef: name: yonote-secrets - + containerPorts: - containerPort: 3000 name: app protocol: TCP - + service: type: ClusterIP port: 80 targetPort: app - + podLabels: redis-client: 'true' - + podAnnotations: checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}" checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}" - + readinessProbe: enabled: true failureThreshold: 6 @@ -269,7 +272,7 @@ yonote-websocket: httpGet: path: /_health port: app - + livenessProbe: enabled: true failureThreshold: 6 @@ -285,11 +288,11 @@ yonote-whiteboard: fullnameOverride: yonote-whiteboard nameOverride: yonote-whiteboard name: whiteboard - + image: registry: images.updates.yonote.ru repository: yonote - tag: 1.19.8 + tag: 1.22.11 pullPolicy: IfNotPresent command: ["/bin/sh", "-c"] @@ -327,7 +330,7 @@ yonote-whiteboard: podAnnotations: checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}" checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}" - + readinessProbe: enabled: true failureThreshold: 6 @@ -338,7 +341,7 @@ yonote-whiteboard: httpGet: path: /_health port: app - + livenessProbe: enabled: true failureThreshold: 6 @@ -358,7 +361,7 @@ yonote-worker: image: registry: images.updates.yonote.ru repository: yonote - tag: 1.19.8 + tag: 1.22.11 pullPolicy: IfNotPresent command: ["/bin/sh", "-c"] @@ -396,7 +399,7 @@ yonote-worker: podAnnotations: checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}" checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}" - + readinessProbe: enabled: true failureThreshold: 6 @@ -407,7 +410,7 @@ yonote-worker: httpGet: path: /_health port: app - + livenessProbe: enabled: true failureThreshold: 6 @@ -427,7 +430,7 @@ yonote-collaboration: image: registry: images.updates.yonote.ru repository: yonote - tag: 1.19.8 + tag: 1.22.11 pullPolicy: IfNotPresent command: ["/bin/sh", "-c"] @@ -452,20 +455,20 @@ yonote-collaboration: type: ClusterIP port: 80 targetPort: app - + envFrom: - configMapRef: name: yonote-configs - secretRef: name: yonote-secrets - + podLabels: redis-client: 'true' - + podAnnotations: checksum/configmap: "{{ toJson .Values.global.yonote.config.plain | sha256sum }}" checksum/secret: "{{ toJson .Values.global.yonote.config.secret | sha256sum }}" - + readinessProbe: enabled: true failureThreshold: 6 @@ -476,7 +479,7 @@ yonote-collaboration: httpGet: path: /_health port: app - + livenessProbe: enabled: true failureThreshold: 6 @@ -488,105 +491,107 @@ yonote-collaboration: path: /_health port: app -yonoteDatabase: +postgres: enabled: true - global: - postgresql: - auth: - database: "yonote" - username: "yonote" - name: yonote-database + #settings: + # Default postgres + # superuser: + + userDatabase: + name: yonote + user: yonote + fullnameOverride: yonote-database nameOverride: yonote-database - - primary: - persistence: - size: 5Gi - resources: - limits: - cpu: 2 - memory: 8Gi - requests: - cpu: 500m - memory: 512Mi - extraVolumes: - - name: init-scripts - configMap: - name: postgres-init-scripts + storage: + requestedSize: 5Gi + className: "" - extraVolumeMounts: - - name: init-scripts - mountPath: /docker-entrypoint-initdb.d - readOnly: true + resources: + limits: + cpu: 2 + memory: 5Gi + requests: + cpu: 500m + memory: 512Mi -yonote-redis: + extraScripts: postgres-init-scripts + +redis: enabled: true fullnameOverride: yonote-redis nameOverride: redis - architecture: standalone - image: - tag: 7.2.0-debian-11-r0 - - auth: - enabled: false - - master: - persistence: - size: 5Gi - resources: - limits: - cpu: 1 - memory: 4Gi - requests: - cpu: 500m - memory: 512Mi - + + storage: + requestedSize: 1Gi + className: "" + resources: + limits: + cpu: 1 + memory: 4Gi + requests: + cpu: 500m + memory: 512Mi + minio: enabled: true name: minio fullnameOverride: yonote-minio - customUser: yonote nameOverride: yonote-minio - auth: - rootUser: admin + mode: standalone + rootUser: admin - image: - tag: 2024.8.3-debian-12-r1 + policies: + - name: yonote_user_policy + statements: + - resources: + - 'arn:aws:s3:::yonote-bucket/*' + actions: + - "s3:GetObject" + - "s3:PutObject" + - "s3:DeleteObject" + + users: + - accessKey: qwer12314q + secretKey: qwer-12314q-qwersa + policy: yonote_user_policy persistence: enabled: true - size: 5Gi - + annotations: + helm.sh/resource-policy: keep + size: 1Gi + storageClass: "" + ingress: enabled: true - hostname: 's3.example.com' + hosts: + - s3.example.com ingressClassName: traefik path: '/' - pathType: ImplementationSpecific annotations: kubernetes.io/ingress.class: traefik - # cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете - extraTls: - - hosts: - - "s3.example.com" - secretName: "you_tls_secret" + #cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете + tls: + - hosts: + - "s3.example.com" + secretName: "example.com-tls" - apiIngress: + consoleIngress: enabled: true - hostname: 'api-s3.example.com' + hosts: + - s3-console.example.com ingressClassName: traefik path: '/' - pathType: ImplementationSpecific - servicePort: minio-api annotations: kubernetes.io/ingress.class: traefik - # cert-manager.io/cluster-issuer: letsencrypt.example.com # Если используете - extraTls: - - hosts: - - "api-s3.example.com" - secretName: "api-s3.example.com" - + #cert-manager.io/cluster-issuer: letsencrypt.rancher.wilix.dev # Если используете + tls: + - hosts: + - "s3-console.example.com" + secretName: "example.com-tls" + resources: requests: memory: 512Mi @@ -599,58 +604,76 @@ mcJob: enabled: true keycloak: + enabled: true fullnameOverride: yonote-keycloak nameOverride: yonote-keycloak - - auth: - adminUser: root - proxy: "edge" + image: + repository: images.updates.yonote.ru/yonote-keycloak + tag: latest - command: - - /bin/bash - - -c - - | - /opt/bitnami/keycloak/bin/kc.sh start --import-realm --hostname={{ .Values.ingress.hostname }} --hostname-strict=true --hostname-strict-backchannel=true --https-protocols=TLSv1.2 --proxy=edge --db postgres --db-url-host yonote-database --db-username postgres --db-password="$(DB_PASSWORD)" + args: + - start-dev --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --import-realm - extraEnvVars: - - name: DB_PASSWORD + cache: + stack: custom + + proxy: + enabled: "false" + + extraEnv: | + - name: KEYCLOAK_ADMIN + value: root + - name: KEYCLOAK_ADMIN_PASSWORD valueFrom: secretKeyRef: - name: yonote-database - key: postgres-password + name: {{ include "keycloak.fullname" . }}-secrets + key: KEYCLOAK_ADMIN_PASSWORD + - name: OIDC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ include "keycloak.fullname" . }}-secrets + key: OIDC_CLIENT_SECRET + - name: BASENAME_FOR_SUBDOMAIN + value: example.com + - name: KC_HOSTNAME_STRICT + value: "false" + - name: KC_HOSTNAME + value: auth.example.com + - name: KC_HOSTNAME_STRICT_HTTPS + value: "false" + - name: KC_HOSTNAME_PATH + value: "/" + - name: KC_HTTP_ENABLED + value: "true" + - name: PROXY_ADDRESS_FORWARDING + value: "true" - extraVolumes: - - name: realm-export - configMap: - name: realm-export - - extraVolumeMounts: - - name: realm-export - mountPath: /opt/bitnami/keycloak/data/import/realm-export.json - subPath: realm-export.json + http: + relativePath: "/" ingress: enabled: true hostname: auth.example.com ingressClassName: traefik - tls: + tls: - hosts: - "auth.example.com" - secretName: "auth.example.com-tls" + secretName: "example.com-tls" annotations: kubernetes.io/ingress.class: traefik - # cert-manager.io/cluster-issuer: letsencrypt.example.com #Если используете + #cert-manager.io/cluster-issuer: #Если используете + rules: - host: "auth.example.com" - paths: + paths: - path: / - pathType: Prefix + pathType: ImplementationSpecific service: name: yonote-keycloak port: http - path: /admin - pathType: Prefix + pathType: ImplementationSpecific service: name: yonote-keycloak port: http @@ -662,20 +685,28 @@ keycloak: requests: cpu: 250m memory: 256Mi - - postgresql: - enabled: false - externalDatabase: - host: jdbc:postgresql://yonote-database + dbchecker: + enabled: "true" + + database: + vendor: postgres + hostname: yonote-database port: 5432 - user: postgres database: keycloak + username: keycloak - livenessProbe: + livenessProbe: | + httpGet: + path: '{{ trimSuffix "/" .Values.http.relativePath}}/' + port: http initialDelaySeconds: 240 timeoutSeconds: 5 - readinessProbe: + # Readiness probe configuration + readinessProbe: | + httpGet: + path: '{{ trimSuffix "/" .Values.http.relativePath}}/realms/master' + port: http initialDelaySeconds: 120 - timeoutSeconds: 5 + timeoutSeconds: 1