sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-06 07:21:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
671179100970c46755c09bf78cdee2bb34d40d0a
opendesk/helmfile/apps/collabora/values.yaml
Dominik Kaminski 89ac783dc3 chore(collabora): Quote strings
2023-09-13 19:33:47 +02:00

88 lines
2.8 KiB
YAML
Raw Blame History

# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
# https://github.com/CollaboraOnline/online/blob/master/kubernetes/helm/README.md or
# https://github.com/CollaboraOnline/online/blob/master/kubernetes/helm/collabora-online/values.yaml
fullnameOverride: "collabora"
image:
pullPolicy: "IfNotPresent"
collabora:
extra_params: "--o:ssl.enable=false --o:ssl.termination=true"
ingress:
annotations:
# Ingress NGINX
nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
nginx.ingress.kubernetes.io/server-snippet: |
# block admin and metrics endpoint from outside by default
location /cool/getMetrics { deny all; return 403; }
location /cool/adminws/ { deny all; return 403; }
location /browser/dist/admin/admin.html { deny all; return 403; }
# NGINX
nginx.org/websocket-services: "collabora"
nginx.org/lb-method: "hash $arg_WOPISrc consistent"
nginx.org/proxy-read-timeout: "600"
nginx.org/proxy-send-timeout: "600"
nginx.org/client-max-body-size: "0"
nginx.org/server-snippets: |
# block admin and metrics endpoint from outside by default
location /cool/getMetrics { deny all; return 403; }
location /cool/adminws/ { deny all; return 403; }
location /browser/dist/admin/admin.html { deny all; return 403; }
# HAProxy
haproxy.org/timeout-tunnel: "3600s"
haproxy.org/backend-config-snippet: |
balance url_param WOPISrc check_post
hash-type consistent
# HAProxy - Community: https://haproxy-ingress.github.io/
haproxy-ingress.github.io/timeout-tunnel: "3600s"
haproxy-ingress.github.io/balance-algorithm: "url_param WOPISrc check_post"
haproxy-ingress.github.io/config-backend: |
hash-type consistent
# block admin urls from outside
acl admin_url path_beg /cool/getMetrics
acl admin_url path_beg /cool/adminws/
acl admin_url path_beg /browser/dist/admin/admin.html
http-request deny if admin_url
autoscaling:
enabled: false
serviceAccount:
create: true
securityContext:
allowPrivilegeEscalation: true
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 100
runAsGroup: 101
seccompProfile:
type: "RuntimeDefault"
capabilities:
drop:
- "ALL"
add:
- "CHOWN"
- "DAC_OVERRIDE"
- "FOWNER"
- "FSETID"
- "KILL"
- "SETGID"
- "SETUID"
- "SETPCAP"
- "NET_BIND_SERVICE"
- "NET_RAW"
- "SYS_CHROOT"
- "MKNOD"
podSecurityContext:
fsGroup: 100
...
Reference in New Issue View Git Blame Copy Permalink