fix(collabora): Update Ingress annotations and set securityContext

2025-12-07 16:01:37 +01:00 · 2023-09-10 15:22:49 +02:00
parent 6d23534ee0
commit b5583caec1
4 changed files with 94 additions and 37 deletions
--- a/helmfile/apps/collabora/values.gotmpl
+++ b/helmfile/apps/collabora/values.gotmpl
@@ -33,14 +33,9 @@ collabora:
  aliasgroups:
    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}:443"

-{{- if not (eq .Values.cluster.container.engine "containerd") }}
-# In case of issues with "Failed to exec command '/usr/bin/loolforkit' (EPERM: Operation not permitted)...", activate:
-# Ref.: https://github.com/CollaboraOnline/online/issues/2800
-securityContext:
-  capabilities:
-    add:
-      - "MKNOD"
-{{- end }}

 replicaCount: {{ .Values.replicas.collabora }}
+
+resources:
+  {{ .Values.resources.collabora | toYaml | nindent 2 }}
 ...
--- a/helmfile/apps/collabora/values.yaml
+++ b/helmfile/apps/collabora/values.yaml
@@ -14,20 +14,74 @@ collabora:

 ingress:
  annotations:
-    # nginx
+    # Ingress NGINX
    nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    nginx.ingress.kubernetes.io/server-snippet: |
+      # block admin and metrics endpoint from outside by default
+      location /cool/getMetrics { deny all; return 403; }
+      location /cool/adminws/ { deny all; return 403; }
+      location /browser/dist/admin/admin.html { deny all; return 403; }
+    # NGINX
+    nginx.org/websocket-services: "collabora"
+    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
+    nginx.org/proxy-read-timeout: "600"
+    nginx.org/proxy-send-timeout: "600"
+    nginx.org/client-max-body-size: "0"
+    nginx.org/server-snippets: |
+      # block admin and metrics endpoint from outside by default
+      location /cool/getMetrics { deny all; return 403; }
+      location /cool/adminws/ { deny all; return 403; }
+      location /browser/dist/admin/admin.html { deny all; return 403; }
    # HAProxy
    haproxy.org/timeout-tunnel: "3600s"
    haproxy.org/backend-config-snippet: |
-     mode http
-      balance leastconn
-      stick-table type string len 2048 size 1k store conn_cur
-      http-request set-var(txn.wopisrcconns) url_param(WOPISrc),table_conn_cur()
-      http-request track-sc1 url_param(WOPISrc)
-      stick match url_param(WOPISrc) if { var(txn.wopisrcconns) -m int gt 0 }
-      stick store-request url_param(WOPISrc)
-    nginx.org/websocket-services: "collabora"
-    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
+       balance url_param WOPISrc check_post
+       hash-type consistent
+    # HAProxy - Community: https://haproxy-ingress.github.io/
+    haproxy-ingress.github.io/timeout-tunnel: 3600s
+    haproxy-ingress.github.io/balance-algorithm: url_param WOPISrc check_post
+    haproxy-ingress.github.io/config-backend: |
+      hash-type consistent
+      # block admin urls from outside
+      acl admin_url path_beg /cool/getMetrics
+      acl admin_url path_beg /cool/adminws/
+      acl admin_url path_beg /browser/dist/admin/admin.html
+      http-request deny if admin_url
 autoscaling:
  enabled: false
+
+serviceAccount:
+  create: true
+
+securityContext:
+  allowPrivilegeEscalation: true
+  privileged: false
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  runAsUser: 100
+  runAsGroup: 101
+  seccompProfile:
+    type: "RuntimeDefault"
+  capabilities:
+    drop:
+      - "ALL"
+    add:
+      - "CHOWN"
+      - "DAC_OVERRIDE"
+      - "FOWNER"
+      - "FSETID"
+      - "KILL"
+      - "SETGID"
+      - "SETUID"
+      - "SETPCAP"
+      - "NET_BIND_SERVICE"
+      - "NET_RAW"
+      - "SYS_CHROOT"
+      - "MKNOD"
+
+podSecurityContext:
+  fsGroup: 100
 ...