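{{/*
SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"

SPDX-License-Identifier: Apache-2.0
*/}}
---
# Values handed to the Collabora Online sub-chart. Every templated scalar that
# is a string is quoted (or piped through `quote`) so that an empty, numeric
# or boolean-looking value from .Values cannot change the YAML type.
autoscaling:
  enabled: false

collabora:
  # TLS is not handled by Collabora itself (ssl.enable=false); it is told that
  # termination happens in front of it (ssl.termination=true), i.e. at the
  # ingress. NOTE(review): traffic between ingress and pod is therefore
  # plaintext — confirm that is acceptable for this cluster network.
  extra_params: "--o:ssl.enable=false --o:ssl.termination=true"
  # Admin console credentials. The admin and metrics paths are denied at the
  # ingress (see ingress.annotations), so these are only usable from inside
  # the cluster.
  username: "collabora-internal-admin"
  password: {{ .Values.secrets.collabora.adminPassword | quote }}
  # Presumably the WOPI host allow-list: only the Nextcloud host is listed.
  aliasgroups:
    - host: "https://{{ .Values.global.hosts.nextcloud }}.{{ .Values.global.domain }}"

fullnameOverride: "collabora"

grafana:
  dashboards:
    enabled: {{ .Values.grafana.dashboards.enabled }}
    labels:
      {{ .Values.grafana.dashboards.labels | toYaml | nindent 6 }}
    annotations:
      {{ .Values.grafana.dashboards.annotations | toYaml | nindent 6 }}

image:
  # A global registry override wins over the per-image registry.
  repository: "{{ .Values.global.imageRegistry | default .Values.images.collabora.registry }}/{{ .Values.images.collabora.repository }}"
  tag: {{ .Values.images.collabora.tag | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}

# NOTE(review): with an empty .Values.global.imagePullSecrets this renders as
# `imagePullSecrets:` (null) rather than `[]` — confirm the sub-chart accepts that.
imagePullSecrets:
  {{- range .Values.global.imagePullSecrets }}
  - name: {{ . | quote }}
  {{- end }}

ingress:
  # Annotations are provided for four ingress controllers; only the ones the
  # installed controller recognises take effect. Each variant pins a document
  # (WOPISrc) to one replica, lifts the request-body limit and lengthens
  # timeouts for the long-lived websocket connections.
  annotations:
    # Ingress NGINX
    # NOTE(review): the deny rules live in a snippet annotation; if the
    # controller is configured to ignore snippet annotations the block below
    # is silently dropped and the admin/metrics paths become reachable —
    # confirm the controller setting.
    nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/server-snippet: |
      # block admin and metrics endpoint from outside by default
      location /cool/getMetrics { deny all; return 403; }
      location /cool/adminws/ { deny all; return 403; }
      location /browser/dist/admin/admin.html { deny all; return 403; }
    # NGINX
    nginx.org/websocket-services: "collabora"
    nginx.org/lb-method: "hash $arg_WOPISrc consistent"
    nginx.org/proxy-read-timeout: "600"
    nginx.org/proxy-send-timeout: "600"
    nginx.org/client-max-body-size: "0"
    nginx.org/server-snippets: |
      # block admin and metrics endpoint from outside by default
      location /cool/getMetrics { deny all; return 403; }
      location /cool/adminws/ { deny all; return 403; }
      location /browser/dist/admin/admin.html { deny all; return 403; }
    # HAProxy
    # NOTE(review): unlike the other three variants, this snippet carries no
    # deny for /cool/getMetrics, /cool/adminws/ and the admin page — with the
    # haproxy.org controller those paths are exposed unless blocked elsewhere.
    # Confirm whether that is intended.
    haproxy.org/timeout-tunnel: "3600s"
    haproxy.org/backend-config-snippet: |
      balance url_param WOPISrc check_post
      hash-type consistent
    # HAProxy - Community: https://haproxy-ingress.github.io/
    haproxy-ingress.github.io/timeout-tunnel: "3600s"
    haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
    haproxy-ingress.github.io/config-backend: |
      hash-type consistent
      # block admin urls from outside
      acl admin_url path_beg /cool/getMetrics
      acl admin_url path_beg /cool/adminws/
      acl admin_url path_beg /browser/dist/admin/admin.html
      http-request deny if admin_url
  enabled: {{ .Values.ingress.enabled }}
  className: {{ .Values.ingress.ingressClassName | quote }}
  hosts:
    - host: "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"
      paths:
        - path: "/"
          pathType: "Prefix"
  tls:
    - secretName: {{ .Values.ingress.tls.secretName | quote }}
      hosts:
        - "{{ .Values.global.hosts.collabora }}.{{ .Values.global.domain }}"

# NOTE(review): fsGroup (100) differs from securityContext.runAsGroup (101)
# below — confirm this is intended.
podSecurityContext:
  fsGroup: 100

prometheus:
  servicemonitor:
    enabled: {{ .Values.prometheus.serviceMonitors.enabled }}
    labels:
      {{ .Values.prometheus.serviceMonitors.labels | toYaml | nindent 6 }}
  rules:
    enabled: {{ .Values.prometheus.prometheusRules.enabled }}
    additionalLabels:
      {{ .Values.prometheus.prometheusRules.labels | toYaml | nindent 6 }}

replicaCount: {{ .Values.replicas.collabora }}

resources:
  {{ .Values.resources.collabora | toYaml | nindent 2 }}

# Container security context. It is deliberately looser than the "restricted"
# Pod Security Standard: privilege escalation and a writable root filesystem
# are allowed, and twelve capabilities are re-added after dropping ALL (among
# them SETUID/SETGID, SYS_CHROOT, MKNOD, DAC_OVERRIDE and NET_RAW). The
# process still runs as a fixed non-root UID/GID under the runtime default
# seccomp profile. NOTE(review): presumably required by the Collabora
# sandboxing (chroot/forkit) — confirm against the image's actual needs and
# trim the list where possible.
securityContext:
  allowPrivilegeEscalation: true
  privileged: false
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 100
  runAsGroup: 101
  seccompProfile:
    type: "RuntimeDefault"
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
      - "MKNOD"
  seLinuxOptions:
    {{ .Values.seLinuxOptions.collabora | toYaml | nindent 4 }}

serviceAccount:
  create: true
...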