From ab6014f8c6285785be5c56cd656fe0636df4434c Mon Sep 17 00:00:00 2001 From: Thomas Kaltenbrunner Date: Wed, 1 Nov 2023 17:23:21 +0000 Subject: [PATCH] fix(cryptpad): Add CryptPad to support editing of diagrams.net files from within Nextcloud --- .gitlab-ci.yml | 18 ++++++++ README.md | 5 +++ helmfile/apps/cryptpad/helmfile.yaml | 28 ++++++++++++ helmfile/apps/cryptpad/values.gotmpl | 33 ++++++++++++++ helmfile/apps/cryptpad/values.yaml | 45 +++++++++++++++++++ helmfile/apps/nextcloud/values-bootstrap.yaml | 3 ++ helmfile/environments/default/global.yaml | 1 + helmfile/environments/default/images.yaml | 4 ++ helmfile/environments/default/replicas.yaml | 1 + helmfile/environments/default/resources.yaml | 7 +++ helmfile/environments/default/workplace.yaml | 2 + 11 files changed, 147 insertions(+) create mode 100644 helmfile/apps/cryptpad/helmfile.yaml create mode 100644 helmfile/apps/cryptpad/values.gotmpl create mode 100644 helmfile/apps/cryptpad/values.yaml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e0091a57..be27a05f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -78,6 +78,12 @@ variables: options: - "yes" - "no" + DEPLOY_CRYPTPAD: + description: "Enable CryptPad deployment." + value: "no" + options: + - "yes" + - "no" DEPLOY_ELEMENT: description: "Enable Element deployment." value: "no" @@ -342,6 +348,18 @@ collabora-deploy: variables: COMPONENT: "collabora" +cryptpad-deploy: + stage: "component-deploy-stage-1" + extends: ".deploy-common" + rules: + - if: > + $CI_PIPELINE_SOURCE =~ "web|schedules|triggers" && + $NAMESPACE =~ /.+/ && + ($DEPLOY_ALL_COMPONENTS != "no" || $DEPLOY_NEXTCLOUD != "no" || $DEPLOY_CRYPTPAD != "no") + when: "always" + variables: + COMPONENT: "cryptpad" + nextcloud-deploy: stage: "component-deploy-stage-1" extends: ".deploy-common" diff --git a/README.md b/README.md index 75f245d4..0eff13da 100644 --- a/README.md +++ b/README.md 
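Review bot: The `cryptpad-deploy` rule in the second hunk fires when `$DEPLOY_NEXTCLOUD != "no"`, so choosing `"no"` for the new `DEPLOY_CRYPTPAD` variable from the first hunk does not stop the deployment whenever Nextcloud is selected, and the variable's description does not say so. Suggest `description: "Enable CryptPad deployment (also deployed whenever Nextcloud is deployed)."` so pipeline users understand the coupling. This appears to mirror the neighbouring collabora-deploy job, but that job's rules are outside the hunk, so I cannot confirm the two agree.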
@@ -209,6 +209,7 @@ subdirectory `/helmfile/apps/services`. | ClamAV (Distributed) | `clamavDistributed.enabled` | `false` | Antivirus engine | Eval | | ClamAV (Simple) | `clamavSimple.enabled` | `true` | Antivirus engine | Eval | | Collabora | `collabora.enabled` | `true` | Weboffice | Functional | +| CryptPad | `cryptpad.enabled` | `true` | Weboffice | Functional | | Dovecot | `dovecot.enabled` | `true` | Mail backend | Functional | | Element | `element.enabled` | `true` | Secure communications platform | Functional | | Intercom Service | `intercom.enabled` | `true` | Cross service data exchange | Functional | @@ -315,6 +316,7 @@ actual scalability of the components (see column `Scaling (verified)`). | | `replicas.icap` | :white_check_mark: | :white_check_mark: | | | `replicas.milter` | :white_check_mark: | :white_check_mark: | | Collabora | `replicas.collabora` | :white_check_mark: | :gear: | +| CryptPad | `replicas.cryptpad` | :white_check_mark: | :gear: | | Dovecot | `replicas.dovecot` | :x: | :gear: | | Element | `replicas.element` | :white_check_mark: | :white_check_mark: | | | `replicas.synapse` | :x: | :gear: | 
@@ -376,6 +378,7 @@ This list gives you an overview of default security settings and if they comply | | icap | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | | | milter | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 100 | 101 | 101 | | Collabora | collabora | :x: | :x: | :x: (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `FSETID`, `KILL`, `SETGID`, `SETUID`, `SETPCAP`, `NET_BIND_SERVICE`, `NET_RAW`, `SYS_CHROOT`, `MKNOD`) | :white_check_mark: | :x: | :white_check_mark: | 100 | 101 | 100 | +| CryptPad | cryptpad | :x: | :x: | :x: | :white_check_mark: | :x: | :x: | - | - | 4001 | | Element | element | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | | | synapse | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 10991 | - | 10991 | | | synapseWeb | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 101 | 101 | 101 | @@ -407,6 +410,7 @@ Helm Charts which are released via openDesk CI/CD process are always signed. The | bitnami-repo (openDesk build) | yes | :white_check_mark: | | clamav-repo | yes | :white_check_mark: | | collabora-online-repo | no | :x: | +| cryptpad-online-repo | no | :x: | | intercom-service-repo | yes | :white_check_mark: | | istio-resources-repo | yes | :white_check_mark: | | jitsi-repo | yes | :white_check_mark: | @@ -516,6 +520,7 @@ flowchart TD J[Jitsi]-->K I[IntercomService]-->K C[Collabora]-->N + R[CryptPad]-->N F[Postfix]-->D ``` diff --git a/helmfile/apps/cryptpad/helmfile.yaml b/helmfile/apps/cryptpad/helmfile.yaml new file mode 100644 index 00000000..0f3972f3 --- /dev/null +++ b/helmfile/apps/cryptpad/helmfile.yaml 
@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+bases:
+ - "../../bases/environments.yaml"
+
+---
+repositories:
+ # CryptPad
+ # Source: https://github.com/cryptpad/helm
+ - name: "cryptpad-online-repo"
+ url: >-
+ {{ env "PRIVATE_CHART_REPOSITORY_URL" |
+ default "https://cryptpad.github.io/helm" }}
+
+releases:
+ - name: "cryptpad"
+ chart: "cryptpad-online-repo/cryptpad"
+ version: "0.0.13"
+ values:
+ - "values.yaml"
+ - "values.gotmpl"
+ installed: {{ .Values.cryptpad.enabled }}
+
+commonLabels:
+ deploy-stage: "component-1"
+ component: "cryptpad"
+...
diff --git a/helmfile/apps/cryptpad/values.gotmpl b/helmfile/apps/cryptpad/values.gotmpl
new file mode 100644
index 00000000..a90dc168
--- /dev/null
+++ b/helmfile/apps/cryptpad/values.gotmpl
@@ -0,0 +1,33 @@
+{{/*
+SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+SPDX-License-Identifier: Apache-2.0
+*/}}
+---
+image:
+ repository: "{{ .Values.global.imageRegistry }}/{{ .Values.images.cryptpad.repository }}"
+ tag: {{ .Values.images.cryptpad.tag | quote }}
+ pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . | quote }}
+{{- end }}
+
+ingress:
+ enabled: {{ .Values.ingress.enabled }}
+ className: {{ .Values.ingress.ingressClassName | quote }}
+ hosts:
+ - host: "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+ paths:
+ - path: "/"
+ pathType: "ImplementationSpecific"
+ tls:
+ - secretName: {{ .Values.ingress.tls.secretName | quote }}
+ hosts:
+ - "{{ .Values.global.hosts.cryptpad }}.{{ .Values.global.domain }}"
+
+replicaCount: {{ .Values.replicas.cryptpad }}
+
+resources:
+ {{ .Values.resources.cryptpad | toYaml | nindent 2 }}
+...
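Review bot: The release in the helmfile.yaml hunk pins chart `0.0.13` from `cryptpad-online-repo`, which the README hunk in this same patch lists as an unsigned repository, so nothing beyond TLS to the default `https://cryptpad.github.io/helm` (or to whatever `PRIVATE_CHART_REPOSITORY_URL` points at) checks what is fetched. A comment above `version: "0.0.13"` should record that, e.g. `# Upstream chart is not signed; version is pinned on purpose, bump deliberately and review the chart diff.` If the private mirror is the intended source in production, saying so in the `# Source:` comment would also make the role of the public default URL clear.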
diff --git a/helmfile/apps/cryptpad/values.yaml b/helmfile/apps/cryptpad/values.yaml
new file mode 100644
index 00000000..792e5fae
--- /dev/null
+++ b/helmfile/apps/cryptpad/values.yaml
@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
+# SPDX-License-Identifier: Apache-2.0
+---
+# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/README.md or
+# https://github.com/cryptpad/helm/blob/main/charts/cryptpad/values.yaml
+
+# Disable registration and access to unregistered users:
+# (https://docs.cryptpad.org/en/admin_guide/customization.html#application-config)
+
+application_config:
+ availablePadTypes:
+ - "diagram"
+
+# Deactivating public access breaks nextcloud plugin!
+# registeredOnlyTypes:
+# - "diagram"
+
+autoscaling:
+ enabled: false
+
+enableEmbedding: true
+
+fullnameOverride: "cryptpad"
+
+persistence:
+ enabled: false
+
+podSecurityContext:
+ fsGroup: 4001
+
+securityContext:
+ seccompProfile:
+ type: "RuntimeDefault"
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+serviceAccount:
+ create: true
+
+workloadStateful: false
+...
diff --git a/helmfile/apps/nextcloud/values-bootstrap.yaml b/helmfile/apps/nextcloud/values-bootstrap.yaml
index d8c942fb..19a935a3 100644
--- a/helmfile/apps/nextcloud/values-bootstrap.yaml
+++ b/helmfile/apps/nextcloud/values-bootstrap.yaml
@@ -11,6 +11,9 @@ config: userOidc: username: "ncoidc" + cryptpad: + enabled: true + ldapSearch: host: "univention-corporate-container" ...
diff --git a/helmfile/environments/default/global.yaml b/helmfile/environments/default/global.yaml
index e20399f0..26e49703 100644
--- a/helmfile/environments/default/global.yaml
+++ b/helmfile/environments/default/global.yaml
@@ -9,6 +9,7 @@ global:
 #
 hosts:
 collabora: "collabora"
+ cryptpad: "cryptpad"
 dimension: "integration"
 element: "chat"
 etherpad: "etherpad"
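Review bot: The `securityContext` hardening in the values.yaml hunk (`capabilities.drop: ALL`, `readOnlyRootFilesystem`, `runAsNonRoot`, `runAsUser`) is commented out with no reason given, and the README security-table row added in this same patch shows CryptPad as the only new component with those checks unset; a comment such as `# Not yet enabled: <reason placeholder>, tracked in <issue placeholder>` would keep this from reading as an oversight. `enableEmbedding: true` appears to relax CryptPad's framing restriction so the Nextcloud integration can load it in an iframe; a comment naming the origin that is expected to embed it would let a later reviewer judge the clickjacking exposure. With `persistence.enabled: false` and `workloadStateful: false`, whatever CryptPad writes locally is lost on pod restart; if diagram content is meant to live only in Nextcloud, say so next to `persistence`. Finally, the header comment `# Disable registration and access to unregistered users:` describes `registeredOnlyTypes`, the commented-out block below, not the `availablePadTypes` list it currently sits above, so move or reword it.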
diff --git a/helmfile/environments/default/images.yaml b/helmfile/environments/default/images.yaml
index 1d91588f..61eb0fb8 100644
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -10,6 +10,10 @@ images:
 repository: "souvap/tooling/images/collabora"
 tag: "23.05.5.3.1@sha256:496c913527ce83feb3fe2383d710851aa3781ffa56d200c75def74904d32adc3"
 # @supplier: "Collabora"
+ cryptpad:
+ repository: "cryptpad/cryptpad"
+ tag: "opendesk-20231020@sha256:b0bfe09601d8c8064e1b174d21a225ddb10aaa4103892fdfdf3d216726c26dde"
+ # @supplier: "XWiki"
 dovecot:
 repository: "dovecot/dovecot"
 tag: "2.3.20@sha256:96d414aa3f6978669b417f6468c16313a54ee6143a4846870e9f0eda280806e7"
diff --git a/helmfile/environments/default/replicas.yaml b/helmfile/environments/default/replicas.yaml
index 2e70c43b..8fd39182 100644
--- a/helmfile/environments/default/replicas.yaml
+++ b/helmfile/environments/default/replicas.yaml
@@ -7,6 +7,7 @@ replicas:
 # clamav-distributed
 clamd: 1
 collabora: 1
+ cryptpad: 1
 dovecot: 1
 element: 1
 # clamav-distributed
diff --git a/helmfile/environments/default/resources.yaml b/helmfile/environments/default/resources.yaml
index ea9a5e8f..5342b6bb 100644
--- a/helmfile/environments/default/resources.yaml
+++ b/helmfile/environments/default/resources.yaml
@@ -16,6 +16,13 @@ resources:
 requests:
 cpu: 0.1
 memory: "16Mi"
+ cryptpad:
+ limits:
+ cpu: 2
+ memory: "2Gi"
+ requests:
+ cpu: 0.1
+ memory: "512Mi"
 dovecot:
 limits:
 cpu: 0.5
diff --git a/helmfile/environments/default/workplace.yaml b/helmfile/environments/default/workplace.yaml
index 30cd4fbd..5fa27ec4 100644
--- a/helmfile/environments/default/workplace.yaml
+++ b/helmfile/environments/default/workplace.yaml
@@ -9,6 +9,8 @@ clamavSimple:
 enabled: true
 collabora:
 enabled: true
+cryptpad:
+ enabled: true
 dovecot:
 enabled: true
 element:
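Review bot: The `cryptpad` entry in the images.yaml hunk references `cryptpad/cryptpad` with an `opendesk-20231020` tag, while the neighbouring collabora entry points at a project-built `souvap/tooling/images/...` path, so it is unclear from here whether this is the upstream image mirrored into `global.imageRegistry` or a project rebuild. The digest pin is good; a comment naming where the image is built next to `# @supplier: "XWiki"`, e.g. `# @source: <build repository placeholder>`, would make its provenance reviewable. The `@supplier` comment convention is defined outside the hunk, so keep whatever form the other entries use.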