fix(collabora): Add/update Helmfile for Collabora Controller to be used in EE deployments

2025-12-07 16:01:37 +01:00 · 2024-12-10 15:44:28 +01:00
parent 4602396583
commit a63d7cb861
9 changed files with 68 additions and 36 deletions
--- a/docs/enhanced-configuration/gitops.md
+++ b/docs/enhanced-configuration/gitops.md
@@ -44,6 +44,10 @@ References:
 Afterwards, you can use the resulting manifests within an standard Argo CD workflow.
 > **Note**<br>
 > When creating the Argo CD application based on the resulting manifests you must not use the `Automated Sync Policy`
 > offered by Argo CD, as you have to manually ensure the applications are updated in the required sequence.
 ## Option 2: Helmfile plugin
 It is possible to deploy openDesk via Argo CD with community developed
@@ -52,4 +56,5 @@ It is possible to deploy openDesk via Argo CD with community developed
 You can find an example for this approach in the
 [Argo CD Deployments](https://gitlab.opencode.de/bmi/opendesk/deployment/options/argocd-deploy) repository.
 It contains an example Helm chart (`opendesk-parent`) to create Argo CD Applications via a Helm chart (`opendesk`)
-according to `app of apps pattern` and is using sync waves to follow dependencies.
+according to `app of apps pattern` and is using sync waves to ensure to required deployment and update sequence
 for openDesk is met.
--- a/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
@@ -12,6 +12,16 @@ repositories:
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"
  # Collabora Controller - Enterprise Only
  # Source: https://github.com/CollaboraOnline/online
  - name: "collabora-controller-repo"
    keyring: "../../files/gpg-pubkeys/collaboraoffice-com.gpg"
    verify: {{ .Values.charts.collaboraController.verify }}
    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.collaboraController.registry }}/{{ .Values.charts.collaboraController.repository }}"
 releases:
  - name: "collabora-online"
    chart: "collabora-online-repo/{{ .Values.charts.collabora.name }}"
@@ -22,6 +32,14 @@ releases:
      - {{ . }}
      {{ end }}
    installed: {{ .Values.collabora.enabled }}
  - name: "collabora-controller"
    chart: "collabora-controller-repo/{{ .Values.charts.collaboraController.name }}"
    version: "{{ .Values.charts.collaboraController.version }}"
    values:
      {{ range .Values.customization.release.collaboraController }}
      - {{ . }}
      {{ end }}
    installed: {{ .Values.collaboraController.enabled }}
 commonLabels:
  deployStage: "050-components"
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -8,17 +8,30 @@ autoscaling:
  enabled: false
 collabora:
  aliasgroups:
    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
  env:
    - name: "POD_NAME"
      valueFrom:
        fieldRef:
          fieldPath: "metadata.name"
  extra_params: >
    --o:ssl.enable=false
    --o:ssl.termination=true
    --o:fetch_update_check=0
    --o:num_prespawn_children={{ .Values.technical.collabora.numPrespawnChildren }}
    --o:remote_font_config.url=https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/richdocuments/settings/fonts.json
    --o:net.proto={{ if eq .Values.cluster.networking.ipFamilies "DualStack" }}all{{ else }}{{ .Values.cluster.networking.ipFamilies }}{{ end }}
-
+    {{- if .Values.debug.enabled }}
    --o:logging.level=debug
    {{- end }}
    {{- if .Values.collaboraController.enabled }}
    --o:indirection_endpoint.url=https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/routeToken
    --o:monitors.monitor[0]=wss://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/ws
    --o:monitors.monitor[@retryInterval]=5
    {{- end }}
  username: "collabora-internal-admin"
  password: {{ .Values.secrets.collabora.adminPassword | quote }}
  aliasgroups:
    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
 fullnameOverride: "collabora"
@@ -34,8 +47,11 @@ imagePullSecrets:
 ingress:
  annotations:
-    # Ingress NGINX
+    {{- if .Values.collaboraController.enabled }}
    nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_RouteToken"
    {{- else }}
    nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
    {{- end }}
    nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.ingress.parameters.bodySize.collabora }}"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}"
@@ -44,32 +60,6 @@ ingress:
      location /cool/getMetrics { deny all; return 403; }
      location /cool/adminws/ { deny all; return 403; }
      location /browser/dist/admin/admin.html { deny all; return 403; }
    # NGINX
    nginx.org/websocket-services: "collabora"
    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
    nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
    nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
    nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.collabora }}"
    nginx.org/server-snippets: |
      # block admin and metrics endpoint from outside by default
      location /cool/getMetrics { deny all; return 403; }
      location /cool/adminws/ { deny all; return 403; }
      location /browser/dist/admin/admin.html { deny all; return 403; }
    # HAProxy
    haproxy.org/timeout-tunnel: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
    haproxy.org/backend-config-snippet: |
       balance url_param WOPISrc check_post
       hash-type consistent
    # HAProxy - Community: https://haproxy-ingress.github.io/
    haproxy-ingress.github.io/timeout-tunnel: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
    haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
    haproxy-ingress.github.io/config-backend: |
      hash-type consistent
      # block admin urls from outside
      acl admin_url path_beg /cool/getMetrics
      acl admin_url path_beg /cool/adminws/
      acl admin_url path_beg /browser/dist/admin/admin.html
      http-request deny if admin_url
  enabled: {{ .Values.ingress.enabled }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
--- a/helmfile/apps/opendesk-services/values-home.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-home.yaml.gotmpl
@@ -10,7 +10,6 @@ global:
 ingress:
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
  host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
  tls:
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 ...
--- a/helmfile/apps/services-external/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/services-external/helmfile-child.yaml.gotmpl
@@ -83,15 +83,14 @@ repositories:
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"
-  # openDesk Enterprise Repositories
+  # openDesk Enterprise
  # Cassandra
  # Source: https://github.com/bitnami/charts/
  - name: "cassandra-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.cassandra.verify }}
-    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.cassandra.registry }}/{{ .Values.charts.cassandra.repository }}"
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -55,6 +55,13 @@ charts:
    name: "collabora-online"
    version: "1.1.21"
    verify: true
  collaboraController:
    # Component is required for openDesk Enterprise only.
    registry: ""
    repository: ""
    name: ""
    version: ""
    verify: true
  cryptpad:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
--- a/helmfile/environments/default/customization.yaml.gotmpl
+++ b/helmfile/environments/default/customization.yaml.gotmpl
@@ -70,6 +70,7 @@ customization:
    # openDesk Enterprise Components
    cassandra: {}
    collaboraController: {}
    opendeskSynapseAdmin: {}
    opendeskSynapseAdminbotBootstrap: {}
    opendeskSynapseAdminbotPipe: {}
@@ -77,4 +78,5 @@ customization:
    opendeskSynapseAuditbotBootstrap: {}
    opendeskSynapseAuditbotPipe: {}
    opendeskSynapseGroupsync: {}
 ...
--- a/helmfile/environments/default/opendesk_main.yaml.gotmpl
+++ b/helmfile/environments/default/opendesk_main.yaml.gotmpl
@@ -84,4 +84,7 @@ elementAdmin:
 elementGroupsync:
  enabled: false
  namespace: ~
 collaboraController:
  enabled: false
  namespace: ~
 ...
--- a/helmfile/environments/default/technical.yaml.gotmpl
+++ b/helmfile/environments/default/technical.yaml.gotmpl
@@ -0,0 +1,9 @@
 # SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
 # SPDX-License-Identifier: Apache-2.0
 ---
 technical:
  # Collabora related technical settings
  collabora:
    # Defines the value for the start parameter `-o:num_prespawn_children`
    numPrespawnChildren: 4
 ...