diff --git a/docs/enhanced-configuration/gitops.md b/docs/enhanced-configuration/gitops.md index 04cbda9b..f0bfa2f6 100644 --- a/docs/enhanced-configuration/gitops.md +++ b/docs/enhanced-configuration/gitops.md @@ -44,6 +44,10 @@ References: Afterwards, you can use the resulting manifests within an standard Argo CD workflow. +> **Note**
+> When creating the Argo CD application based on the resulting manifests you must not use the `Automated Sync Policy` +> offered by Argo CD, as you have to manually ensure the applications are updated in the required sequence. + ## Option 2: Helmfile plugin It is possible to deploy openDesk via Argo CD with community developed @@ -52,4 +56,5 @@ It is possible to deploy openDesk via Argo CD with community developed You can find an example for this approach in the [Argo CD Deployments](https://gitlab.opencode.de/bmi/opendesk/deployment/options/argocd-deploy) repository. It contains an example Helm chart (`opendesk-parent`) to create Argo CD Applications via a Helm chart (`opendesk`) -according to `app of apps pattern` and is using sync waves to follow dependencies. +according to `app of apps pattern` and is using sync waves to ensure to required deployment and update sequence +for openDesk is met. diff --git a/helmfile/apps/collabora/helmfile-child.yaml.gotmpl b/helmfile/apps/collabora/helmfile-child.yaml.gotmpl index 4191ad26..0ab6ab13 100644 --- a/helmfile/apps/collabora/helmfile-child.yaml.gotmpl +++ b/helmfile/apps/collabora/helmfile-child.yaml.gotmpl 
@@ -12,6 +12,16 @@ repositories: oci: true url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}" + # Collabora Controller - Enterprise Only + # Source: https://github.com/CollaboraOnline/online + - name: "collabora-controller-repo" + keyring: "../../files/gpg-pubkeys/collaboraoffice-com.gpg" + verify: {{ .Values.charts.collaboraController.verify }} + username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }} + password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }} + oci: true + url: "{{ .Values.global.helmRegistry | default .Values.charts.collaboraController.registry }}/{{ .Values.charts.collaboraController.repository }}" + releases: - name: "collabora-online" chart: "collabora-online-repo/{{ .Values.charts.collabora.name }}" @@ -22,6 +32,14 @@ releases: - {{ . }} {{ end }} installed: {{ .Values.collabora.enabled }} + - name: "collabora-controller" + chart: "collabora-controller-repo/{{ .Values.charts.collaboraController.name }}" + version: "{{ .Values.charts.collaboraController.version }}" + values: + {{ range .Values.customization.release.collaboraController }} + - {{ . }} + {{ end }} + installed: {{ .Values.collaboraController.enabled }} commonLabels: deployStage: "050-components" diff --git a/helmfile/apps/collabora/values.yaml.gotmpl b/helmfile/apps/collabora/values.yaml.gotmpl index 3c8d47b1..8b9a5aa2 100644 --- a/helmfile/apps/collabora/values.yaml.gotmpl +++ b/helmfile/apps/collabora/values.yaml.gotmpl 
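Review bot: The new `collabora-controller-repo` entry reads its credentials from `OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME`/`OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD`, while the services-external helmfile-child hunk later in this same commit renames the `cassandra-repo` credentials to `OD_PRIVATE_REGISTRY_USERNAME`/`OD_PRIVATE_REGISTRY_PASSWORD`. Unless both variable pairs are meant to stay in use, an operator who sets only the new names gets an empty username and password for this repository (as far as I can tell helmfile's `env` renders `""` for an unset variable) and the OCI login fails only at deploy time. Use the same pair here: `username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}` and `password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}`.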
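Review bot: The `collabora-controller` release and its repository are declared unconditionally, but the defaults added to charts.yaml.gotmpl in this diff leave `registry`, `repository`, `name` and `version` empty, so a non-enterprise environment renders `chart: "collabora-controller-repo/"` and a repository URL of just `/` (or `<helmRegistry>/`). Whether helmfile tolerates an unresolvable OCI repository for a release with `installed: false` is not visible here; if it does not, wrapping both the repository entry and this release in `{{- if .Values.collaboraController.enabled }} … {{- end }}` keeps helmfile from ever contacting a registry for which no credentials were configured. A short comment on the release stating that it is an Enterprise-only component, matching the one on the repository entry, would also help.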
@@ -8,17 +8,30 @@ autoscaling: enabled: false collabora: + aliasgroups: + - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}" + env: + - name: "POD_NAME" + valueFrom: + fieldRef: + fieldPath: "metadata.name" extra_params: > --o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=0 + --o:num_prespawn_children={{ .Values.technical.collabora.numPrespawnChildren }} --o:remote_font_config.url=https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/richdocuments/settings/fonts.json --o:net.proto={{ if eq .Values.cluster.networking.ipFamilies "DualStack" }}all{{ else }}{{ .Values.cluster.networking.ipFamilies }}{{ end }} - + {{- if .Values.debug.enabled }} + --o:logging.level=debug + {{- end }} + {{- if .Values.collaboraController.enabled }} + --o:indirection_endpoint.url=https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/routeToken + --o:monitors.monitor[0]=wss://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/ws + --o:monitors.monitor[@retryInterval]=5 + {{- end }} username: "collabora-internal-admin" password: {{ .Values.secrets.collabora.adminPassword | quote }} - aliasgroups: - - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}" fullnameOverride: "collabora" @@ -34,8 +47,11 @@ imagePullSecrets: ingress: annotations: - # Ingress NGINX + {{- if .Values.collaboraController.enabled }} + nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_RouteToken" + {{- else }} nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc" + {{- end }} nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.ingress.parameters.bodySize.collabora }}" nginx.ingress.kubernetes.io/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}" nginx.ingress.kubernetes.io/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}" 
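Review bot: `--o:monitors.monitor[@retryInterval]=5` is hard-coded while the neighbouring `--o:num_prespawn_children` is routed through the new `technical.collabora` values; keeping both tunables in one place would be consistent, e.g. a constructed key such as `technical.collabora.monitorRetryInterval` defaulting to `5`. The `{{- if .Values.debug.enabled }}` branch switches Collabora to `--o:logging.level=debug` from a global flag; a one-line comment that this is far more verbose than the default and intended for troubleshooting only would help an operator who toggles `debug.enabled` for a different component and leaves it on. The `{{- if .Values.collaboraController.enabled }}` block likewise deserves a comment naming the controller as the reason for the indirection and monitor URLs.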
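Review bot: With `collaboraController.enabled` the hash key becomes `$arg_RouteToken`, so any request that carries no `RouteToken` query parameter hashes on an empty string, which with ingress-nginx's consistent-hash balancer likely pins all such requests to one backend pod (confirm against the ingress-nginx version in use). That is probably fine if every document request first passes through `/controller/routeToken`, but the assumption should be written down above the annotation, e.g. `# controller mode: balance on the token issued by /controller/routeToken; requests without it share one backend`. The admin-endpoint deny rules in the server-snippet further down stay in effect for both branches, which is good.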
@@ -44,32 +60,6 @@ ingress: location /cool/getMetrics { deny all; return 403; } location /cool/adminws/ { deny all; return 403; } location /browser/dist/admin/admin.html { deny all; return 403; } - # NGINX - nginx.org/websocket-services: "collabora" - nginx.org/lb-method: "hash $arg_WOPISrc consistent" - nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s" - nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s" - nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.collabora }}" - nginx.org/server-snippets: | - # block admin and metrics endpoint from outside by default - location /cool/getMetrics { deny all; return 403; } - location /cool/adminws/ { deny all; return 403; } - location /browser/dist/admin/admin.html { deny all; return 403; } - # HAProxy - haproxy.org/timeout-tunnel: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s" - haproxy.org/backend-config-snippet: | - balance url_param WOPISrc check_post - hash-type consistent - # HAProxy - Community: https://haproxy-ingress.github.io/ - haproxy-ingress.github.io/timeout-tunnel: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s" - haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post" - haproxy-ingress.github.io/config-backend: | - hash-type consistent - # block admin urls from outside - acl admin_url path_beg /cool/getMetrics - acl admin_url path_beg /cool/adminws/ - acl admin_url path_beg /browser/dist/admin/admin.html - http-request deny if admin_url enabled: {{ .Values.ingress.enabled }} className: {{ .Values.ingress.ingressClassName | quote }} hosts: diff --git a/helmfile/apps/opendesk-services/values-home.yaml.gotmpl b/helmfile/apps/opendesk-services/values-home.yaml.gotmpl index 02c93683..91dd4448 100644 --- a/helmfile/apps/opendesk-services/values-home.yaml.gotmpl +++ b/helmfile/apps/opendesk-services/values-home.yaml.gotmpl 
@@ -10,7 +10,6 @@ global: ingress: ingressClassName: {{ .Values.ingress.ingressClassName | quote }} - host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}" tls: secretName: {{ .Values.ingress.tls.secretName | quote }} ... diff --git a/helmfile/apps/services-external/helmfile-child.yaml.gotmpl b/helmfile/apps/services-external/helmfile-child.yaml.gotmpl index d45ecd8c..397b68a3 100644 --- a/helmfile/apps/services-external/helmfile-child.yaml.gotmpl +++ b/helmfile/apps/services-external/helmfile-child.yaml.gotmpl @@ -83,15 +83,14 @@ repositories: oci: true url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}" - # openDesk Enterprise Repositories - + # openDesk Enterprise # Cassandra # Source: https://github.com/bitnami/charts/ - name: "cassandra-repo" keyring: "../../files/gpg-pubkeys/opencode.gpg" verify: {{ .Values.charts.cassandra.verify }} - username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }} - password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }} + username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }} + password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }} oci: true url: "{{ .Values.global.helmRegistry | default .Values.charts.cassandra.registry }}/{{ .Values.charts.cassandra.repository }}" diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl index 0961443a..f91db86c 100644 --- a/helmfile/environments/default/charts.yaml.gotmpl +++ b/helmfile/environments/default/charts.yaml.gotmpl @@ -55,6 +55,13 @@ charts: name: "collabora-online" version: "1.1.21" verify: true + collaboraController: + # Component is required for openDesk Enterprise only. + registry: "" + repository: "" + name: "" + version: "" + verify: true cryptpad: # providerCategory: "Supplier" # providerResponsible: "XWiki" 
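Review bot: The new `collaboraController` chart entry lacks the `# providerCategory:` / `# providerResponsible:` comment lines that the neighbouring `cryptpad` entry carries, and that the other entries appear to follow; add them so the chart inventory stays complete, e.g. `# providerResponsible: "Collabora"` (constructed from the Source URL in the collabora helmfile-child hunk, verify). The chosen defaults are sound from a supply-chain standpoint: with all coordinates empty an operator has to fill in registry, repository, name and version explicitly to enable the component, and `verify: true` keeps keyring-based signature verification on unless deliberately disabled. It would be worth saying so in the existing comment, e.g. `# Component is required for openDesk Enterprise only; set registry/repository/name/version to enable it, verify stays on by default.`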
diff --git a/helmfile/environments/default/customization.yaml.gotmpl b/helmfile/environments/default/customization.yaml.gotmpl index 2a9e0e9f..772fa3f5 100644 --- a/helmfile/environments/default/customization.yaml.gotmpl +++ b/helmfile/environments/default/customization.yaml.gotmpl @@ -70,6 +70,7 @@ customization: # openDesk Enterprise Components cassandra: {} + collaboraController: {} opendeskSynapseAdmin: {} opendeskSynapseAdminbotBootstrap: {} opendeskSynapseAdminbotPipe: {} @@ -77,4 +78,5 @@ customization: opendeskSynapseAuditbotBootstrap: {} opendeskSynapseAuditbotPipe: {} opendeskSynapseGroupsync: {} + ... diff --git a/helmfile/environments/default/opendesk_main.yaml.gotmpl b/helmfile/environments/default/opendesk_main.yaml.gotmpl index e8310664..7b8db222 100644 --- a/helmfile/environments/default/opendesk_main.yaml.gotmpl +++ b/helmfile/environments/default/opendesk_main.yaml.gotmpl @@ -84,4 +84,7 @@ elementAdmin: elementGroupsync: enabled: false namespace: ~ +collaboraController: + enabled: false + namespace: ~ ... diff --git a/helmfile/environments/default/technical.yaml.gotmpl b/helmfile/environments/default/technical.yaml.gotmpl new file mode 100644 index 00000000..7f5fccfd --- /dev/null +++ b/helmfile/environments/default/technical.yaml.gotmpl @@ -0,0 +1,9 @@ +# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH +# SPDX-License-Identifier: Apache-2.0 +--- +technical: + # Collabora related technical settings + collabora: + # Defines the value for the start parameter `-o:num_prespawn_children` + numPrespawnChildren: 4 +...
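Review bot: The comment in the new technical.yaml.gotmpl names the option as `-o:num_prespawn_children`, but the values.yaml.gotmpl hunk earlier in this diff passes it as `--o:num_prespawn_children` (double dash); change the comment to `# Defines the value for the start parameter \`--o:num_prespawn_children\`` so operators grepping for the flag find it. If the default environment lists its value files explicitly in the helmfile, this new file also has to be registered there; that registration is not part of this diff, so confirm the file is actually picked up. A sentence on when one would raise or lower the value would make the knob self-explanatory rather than just naming the flag it feeds.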