fix(collabora): Add/update Helmfile for Collabora Controller to be used in EE deployments

2025-12-06 07:21:36 +01:00 · 2024-12-10 15:44:28 +01:00
parent 4602396583
commit a63d7cb861
9 changed files with 68 additions and 36 deletions
--- a/docs/enhanced-configuration/gitops.md
+++ b/docs/enhanced-configuration/gitops.md
@@ -44,6 +44,10 @@ References:

 Afterwards, you can use the resulting manifests within an standard Argo CD workflow.

+> **Note**<br>
+> When creating the Argo CD application based on the resulting manifests you must not use the `Automated Sync Policy`
+> offered by Argo CD, as you have to manually ensure the applications are updated in the required sequence.
+
 ## Option 2: Helmfile plugin

 It is possible to deploy openDesk via Argo CD with community developed
@@ -52,4 +56,5 @@ It is possible to deploy openDesk via Argo CD with community developed
 You can find an example for this approach in the
 [Argo CD Deployments](https://gitlab.opencode.de/bmi/opendesk/deployment/options/argocd-deploy) repository.
 It contains an example Helm chart (`opendesk-parent`) to create Argo CD Applications via a Helm chart (`opendesk`)
-according to `app of apps pattern` and is using sync waves to follow dependencies.
+according to `app of apps pattern` and is using sync waves to ensure to required deployment and update sequence
+for openDesk is met.
--- a/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/collabora/helmfile-child.yaml.gotmpl
@@ -12,6 +12,16 @@ repositories:
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.collabora.registry }}/{{ .Values.charts.collabora.repository }}"

+  # Collabora Controller - Enterprise Only
+  # Source: https://github.com/CollaboraOnline/online
+  - name: "collabora-controller-repo"
+    keyring: "../../files/gpg-pubkeys/collaboraoffice-com.gpg"
+    verify: {{ .Values.charts.collaboraController.verify }}
+    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    oci: true
+    url: "{{ .Values.global.helmRegistry | default .Values.charts.collaboraController.registry }}/{{ .Values.charts.collaboraController.repository }}"
+
 releases:
  - name: "collabora-online"
    chart: "collabora-online-repo/{{ .Values.charts.collabora.name }}"
@@ -22,6 +32,14 @@ releases:
      - {{ . }}
      {{ end }}
    installed: {{ .Values.collabora.enabled }}
+  - name: "collabora-controller"
+    chart: "collabora-controller-repo/{{ .Values.charts.collaboraController.name }}"
+    version: "{{ .Values.charts.collaboraController.version }}"
+    values:
+      {{ range .Values.customization.release.collaboraController }}
+      - {{ . }}
+      {{ end }}
+    installed: {{ .Values.collaboraController.enabled }}

 commonLabels:
  deployStage: "050-components"
--- a/helmfile/apps/collabora/values.yaml.gotmpl
+++ b/helmfile/apps/collabora/values.yaml.gotmpl
@@ -8,17 +8,30 @@ autoscaling:
  enabled: false

 collabora:
+  aliasgroups:
+    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
+  env:
+    - name: "POD_NAME"
+      valueFrom:
+        fieldRef:
+          fieldPath: "metadata.name"
  extra_params: >
    --o:ssl.enable=false
    --o:ssl.termination=true
    --o:fetch_update_check=0
+    --o:num_prespawn_children={{ .Values.technical.collabora.numPrespawnChildren }}
    --o:remote_font_config.url=https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}/apps/richdocuments/settings/fonts.json
    --o:net.proto={{ if eq .Values.cluster.networking.ipFamilies "DualStack" }}all{{ else }}{{ .Values.cluster.networking.ipFamilies }}{{ end }}
-
+    {{- if .Values.debug.enabled }}
+    --o:logging.level=debug
+    {{- end }}
+    {{- if .Values.collaboraController.enabled }}
+    --o:indirection_endpoint.url=https://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/routeToken
+    --o:monitors.monitor[0]=wss://{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}/controller/ws
+    --o:monitors.monitor[@retryInterval]=5
+    {{- end }}
  username: "collabora-internal-admin"
  password: {{ .Values.secrets.collabora.adminPassword | quote }}
-  aliasgroups:
-    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"

 fullnameOverride: "collabora"

@@ -34,8 +47,11 @@ imagePullSecrets:

 ingress:
  annotations:
-    # Ingress NGINX
+    {{- if .Values.collaboraController.enabled }}
+    nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_RouteToken"
+    {{- else }}
    nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
+    {{- end }}
    nginx.ingress.kubernetes.io/proxy-body-size: "{{ .Values.ingress.parameters.bodySize.collabora }}"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}"
@@ -44,32 +60,6 @@ ingress:
      location /cool/getMetrics { deny all; return 403; }
      location /cool/adminws/ { deny all; return 403; }
      location /browser/dist/admin/admin.html { deny all; return 403; }
-    # NGINX
-    nginx.org/websocket-services: "collabora"
-    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
-    nginx.org/proxy-read-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
-    nginx.org/proxy-send-timeout: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
-    nginx.org/client-max-body-size: "{{ .Values.ingress.parameters.bodySize.collabora }}"
-    nginx.org/server-snippets: |
-      # block admin and metrics endpoint from outside by default
-      location /cool/getMetrics { deny all; return 403; }
-      location /cool/adminws/ { deny all; return 403; }
-      location /browser/dist/admin/admin.html { deny all; return 403; }
-    # HAProxy
-    haproxy.org/timeout-tunnel: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
-    haproxy.org/backend-config-snippet: |
-       balance url_param WOPISrc check_post
-       hash-type consistent
-    # HAProxy - Community: https://haproxy-ingress.github.io/
-    haproxy-ingress.github.io/timeout-tunnel: "{{ .Values.ingress.parameters.bodyTimeout.collabora }}s"
-    haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
-    haproxy-ingress.github.io/config-backend: |
-      hash-type consistent
-      # block admin urls from outside
-      acl admin_url path_beg /cool/getMetrics
-      acl admin_url path_beg /cool/adminws/
-      acl admin_url path_beg /browser/dist/admin/admin.html
-      http-request deny if admin_url
  enabled: {{ .Values.ingress.enabled }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
--- a/helmfile/apps/opendesk-services/values-home.yaml.gotmpl
+++ b/helmfile/apps/opendesk-services/values-home.yaml.gotmpl
@@ -10,7 +10,6 @@ global:

 ingress:
  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
-  host: "{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"
  tls:
    secretName: {{ .Values.ingress.tls.secretName | quote }}
 ...
--- a/helmfile/apps/services-external/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/services-external/helmfile-child.yaml.gotmpl
@@ -83,15 +83,14 @@ repositories:
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.minio.registry }}/{{ .Values.charts.minio.repository }}"

-  # openDesk Enterprise Repositories
-
+  # openDesk Enterprise
  # Cassandra
  # Source: https://github.com/bitnami/charts/
  - name: "cassandra-repo"
    keyring: "../../files/gpg-pubkeys/opencode.gpg"
    verify: {{ .Values.charts.cassandra.verify }}
-    username: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_USERNAME" | quote }}
-    password: {{ env "OD_ENTERPRISE_PRIVATE_REGISTRY_PASSWORD" | quote }}
+    username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
+    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.cassandra.registry }}/{{ .Values.charts.cassandra.repository }}"

--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -55,6 +55,13 @@ charts:
    name: "collabora-online"
    version: "1.1.21"
    verify: true
+  collaboraController:
+    # Component is required for openDesk Enterprise only.
+    registry: ""
+    repository: ""
+    name: ""
+    version: ""
+    verify: true
  cryptpad:
    # providerCategory: "Supplier"
    # providerResponsible: "XWiki"
--- a/helmfile/environments/default/customization.yaml.gotmpl
+++ b/helmfile/environments/default/customization.yaml.gotmpl
@@ -70,6 +70,7 @@ customization:

    # openDesk Enterprise Components
    cassandra: {}
+    collaboraController: {}
    opendeskSynapseAdmin: {}
    opendeskSynapseAdminbotBootstrap: {}
    opendeskSynapseAdminbotPipe: {}
@@ -77,4 +78,5 @@ customization:
    opendeskSynapseAuditbotBootstrap: {}
    opendeskSynapseAuditbotPipe: {}
    opendeskSynapseGroupsync: {}
+
 ...
--- a/helmfile/environments/default/opendesk_main.yaml.gotmpl
+++ b/helmfile/environments/default/opendesk_main.yaml.gotmpl
@@ -84,4 +84,7 @@ elementAdmin:
 elementGroupsync:
  enabled: false
  namespace: ~
+collaboraController:
+  enabled: false
+  namespace: ~
 ...
--- a/helmfile/environments/default/technical.yaml.gotmpl
+++ b/helmfile/environments/default/technical.yaml.gotmpl
@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2024 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+technical:
+  # Collabora related technical settings
+  collabora:
+    # Defines the value for the start parameter `-o:num_prespawn_children`
+    numPrespawnChildren: 4
+...