diff --git a/charts/incubator/nextcloud/Chart.yaml b/charts/incubator/nextcloud/Chart.yaml index f92d465fdf3..fead7bf93f2 100644 --- a/charts/incubator/nextcloud/Chart.yaml +++ b/charts/incubator/nextcloud/Chart.yaml @@ -29,7 +29,7 @@ sources: - https://github.com/nextcloud/docker - https://github.com/nextcloud/helm type: application -version: 20.0.4 +version: 20.1.0 annotations: truecharts.org/catagories: | - cloud diff --git a/charts/incubator/nextcloud/questions.yaml b/charts/incubator/nextcloud/questions.yaml index 9a9fe8fe93f..98efd8f9cda 100644 --- a/charts/incubator/nextcloud/questions.yaml +++ b/charts/incubator/nextcloud/questions.yaml @@ -375,28 +375,59 @@ questions: label: Enable Collabora description: | Enable and configure Collabora.
- This will NOT deploy the needed container.
- You need to deploy it yourself. + It will also deploy the needed container.
+ Keep in mind that this will run as root. schema: type: boolean default: false show_subquestions_if: true subquestions: - - variable: url - label: URL + - variable: interface_mode + label: Interface Mode schema: type: string required: true + default: default + enum: + - value: default + description: Default + - value: compact + description: Compact + - value: tabbed + description: Tabbed + - variable: username + label: Username + schema: + type: string + default: admin + required: true + - variable: password + label: Password + schema: + type: string default: "" - - variable: allow_list - label: Allow List + required: true + - variable: dictionaries + label: Dictionaries schema: type: list + empty: false + required: true default: - - "0.0.0.0/0" + - de_DE + - en_GB + - en_US + - el_GR + - es_ES + - fr_FR + - pt_BR + - pt_PT + - it + - nl + - ru items: - - variable: allow_entry - label: Allow Entry + - variable: dictionary + label: Dictionary schema: type: string required: true diff --git a/charts/incubator/nextcloud/templates/_configmap.tpl b/charts/incubator/nextcloud/templates/_configmap.tpl index c3a97b6c24b..527df08a216 100644 --- a/charts/incubator/nextcloud/templates/_configmap.tpl +++ b/charts/incubator/nextcloud/templates/_configmap.tpl 
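Review bot: The new `password` subquestion is a plain `type: string` with `default: ""`, so nothing in the form schema marks the Collabora admin password as sensitive or enforces the 8-character minimum that `_validation.tpl` only checks at render time. If the questions schema in use supports them, add `private: true` and `min_length: 8` under that `schema:` so the value is masked in the UI and a short password is rejected before install. The description line `Keep in mind that this will run as root.` would be clearer if it named the Collabora container as the thing running as root.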
@@ -58,6 +58,29 @@ clamav-config: CLAMAV_NO_MILTERD: "true" CLAMD_STARTUP_TIMEOUT: "1800" +collabora-config: + enabled: {{ .Values.nextcloud.collabora.enabled }} + data: + aliasgroup1: {{ $accessUrl }} + server_name: {{ $accessHostPort }} + dictionaries: {{ join " " .Values.nextcloud.collabora.dictionaries }} + username: {{ .Values.nextcloud.collabora.username | quote }} + password: {{ .Values.nextcloud.collabora.password | quote }} + DONT_GEN_SSL_CERT: "true" + # mount_jail_tree is only used for local storage + # not needed for WOPI https://github.com/CollaboraOnline/online/issues/3604#issuecomment-989833814 + extra_params: | + --o:ssl.enable=false + --o:ssl.termination=true + --o:net.service_root=/collabora + --o:home_mode.enable=true + --o:welcome.enable=false + --o:logging.level=warning + --o:logging.level_startup=warning + --o:security.seccomp=true + --o:mount_jail_tree=false + --o:user_interface.mode={{ .Values.nextcloud.collabora.user_interface_mode }} + nextcloud-config: enabled: true data: @@ -76,12 +99,6 @@ nextcloud-config: NEXTCLOUD_ADMIN_PASSWORD: {{ .Values.nextcloud.credentials.initialAdminPassword | quote }} {{/* PHP Variables */}} - {{- if not (mustRegexMatch "^[0-9]+(M|G){1}$" .Values.nextcloud.php.memory_limit) -}} - {{- fail (printf "Nextcloud - Expected Memory Limit to be in format [1M, 1G] but got [%v]" .Values.nextcloud.php.memory_limit) -}} - {{- end -}} - {{- if not (mustRegexMatch "^[0-9]+(M|G){1}$" .Values.nextcloud.php.upload_limit) -}} - {{- fail (printf "Nextcloud - Expected Memory Limit to be in format [1M, 1G] but got [%v]" .Values.nextcloud.php.upload_limit) -}} - {{- end }} PHP_MEMORY_LIMIT: {{ .Values.nextcloud.php.memory_limit | quote }} PHP_UPLOAD_LIMIT: {{ .Values.nextcloud.php.upload_limit | quote }} 
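Review bot: `collabora-config` carries the Collabora `username` and `password` as ordinary data keys, and the workload added in `values.yaml` loads it through `configMapRef`. The credentials therefore end up in a ConfigMap, readable by anyone who may read ConfigMaps in the namespace. If the common library offers a secret counterpart to this block, move those two keys there and load it with a `secretRef` next to the existing `configMapRef`. Separately, the last `extra_params` line reads `.Values.nextcloud.collabora.user_interface_mode`, while `questions.yaml`, `values.yaml` and `_validation.tpl` all use `interface_mode`; the option likely renders with no value, and it should be `--o:user_interface.mode={{ .Values.nextcloud.collabora.interface_mode }}`. `aliasgroup1`, `server_name` and `dictionaries` are also emitted without `| quote`, unlike the neighbouring values.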
@@ -93,9 +110,6 @@ nextcloud-config: {{/* Previews */}} NX_PREVIEWS: {{ .Values.nextcloud.previews.enabled | quote }} - {{- if not (deepEqual .Values.nextcloud.previews.providers (uniq .Values.nextcloud.previews.providers)) }} - {{- fail (printf "Nextcloud - Expected preview providers to be unique but got [%v]" .Values.nextcloud.previews.providers) }} - {{- end }} NX_PREVIEW_PROVIDERS: {{ join " " .Values.nextcloud.previews.providers }} NX_PREVIEW_MAX_X: {{ .Values.nextcloud.previews.max_x | quote }} NX_PREVIEW_MAX_Y: {{ .Values.nextcloud.previews.max_y | quote }} @@ -143,15 +157,13 @@ nextcloud-config: NX_CLAMAV_INFECTED_ACTION: {{ .Values.nextcloud.clamav.infected_action | quote }} {{- end }} - {{- if and .Values.nextcloud.collabora.enabled .Values.nextcloud.onlyoffice.enabled -}} - {{- fail "Nextcloud - Expected only one of [Collabora, OnlyOffice] to be enabled" -}} - {{- end }} - {{/* Collabora */}} NX_COLLABORA: {{ .Values.nextcloud.collabora.enabled | quote }} {{- if .Values.nextcloud.collabora.enabled }} - NX_COLLABORA_URL: {{ .Values.nextcloud.collabora.url | quote }} - NX_COLLABORA_ALLOWLIST: {{ join "," .Values.nextcloud.collabora.allow_list | quote }} + NX_COLLABORA_URL: {{ printf "%v/collabora" $accessUrl | quote }} + # Ideally this would be a combo of: public ip, pod cidr, svc cidr + # But not always people have static IP. + NX_COLLABORA_ALLOWLIST: "0.0.0.0/0" {{- end }} {{/* Only Office */}} diff --git a/charts/incubator/nextcloud/templates/_ingressInjector.tpl b/charts/incubator/nextcloud/templates/_ingressInjector.tpl new file mode 100644 index 00000000000..d1b92b45071 --- /dev/null +++ b/charts/incubator/nextcloud/templates/_ingressInjector.tpl 
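Review bot: In the Collabora block of the last hunk, `NX_COLLABORA_ALLOWLIST` becomes the literal `"0.0.0.0/0"` and the `allow_list` value is dropped. The allow list, which by its name restricts who may send WOPI requests, then admits every address, and an operator who does have a static address can no longer narrow it. Keep the permissive value as the default but leave it overridable, for example `NX_COLLABORA_ALLOWLIST: {{ join "," (.Values.nextcloud.collabora.allow_list | default (list "0.0.0.0/0")) | quote }}`. The two `#` lines explaining the choice sit inside the rendered data block; writing them as `{{/* … */}}`, like the section headers, would keep them out of the generated YAML.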
@@ -0,0 +1,24 @@ +{{- define "nextcloud.ingressInjector" -}} + {{- if .Values.ingress.main.enabled -}} + {{- $injectPaths := list -}} + {{- if .Values.nextcloud.collabora.enabled -}} + {{- $injectPaths = $injectPaths mustAppend (include "nextcloud.collabora.ingress" $ | fromYaml) -}} + {{- end -}} + {{/* Append more paths here if needed */}} + + {{- range $host := .Values.ingress.main.hosts -}} + {{- $paths := $host.paths -}} + {{- $paths = concat $paths $injectPaths -}} + {{- $_ := set $host "paths" $paths -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "nextcloud.collabora.ingress" -}} +{{- $fullname := include "tc.v1.common.lib.chart.names.fullname" . }} +path: /collabora +pathType: Prefix +service: + name: {{ printf "%v-collabora" $fullname }} + port: {{ .Values.service.collabora.ports.collabora.port }} +{{- end -}} diff --git a/charts/incubator/nextcloud/templates/_validation.tpl b/charts/incubator/nextcloud/templates/_validation.tpl new file mode 100644 index 00000000000..0b8aa4cf532 --- /dev/null +++ b/charts/incubator/nextcloud/templates/_validation.tpl 
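Review bot: In `nextcloud.ingressInjector` the assignment `$injectPaths = $injectPaths mustAppend (…)` puts the variable before the function name. Go templates take the first word of a command as the thing being called, so this is expected to fail with a non-function error as soon as Collabora is enabled. It should read `{{- $injectPaths = mustAppend $injectPaths (include "nextcloud.collabora.ingress" $ | fromYaml) -}}`. The `/collabora` prefix is also appended to every entry in `ingress.main.hosts`, so the whole Collabora service is published on each host; a comment on the define saying this is intended, and what protects the admin endpoints, would help reviewers.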
@@ -0,0 +1,38 @@ +{{- define "nextcloud.validation" -}} + + {{- if not (mustRegexMatch "^[0-9]+(M|G){1}$" .Values.nextcloud.php.memory_limit) -}} + {{- fail (printf "Nextcloud - Expected Memory Limit to be in format [1M, 1G] but got [%v]" .Values.nextcloud.php.memory_limit) -}} + {{- end -}} + + {{- if not (mustRegexMatch "^[0-9]+(M|G){1}$" .Values.nextcloud.php.upload_limit) -}} + {{- fail (printf "Nextcloud - Expected Memory Limit to be in format [1M, 1G] but got [%v]" .Values.nextcloud.php.upload_limit) -}} + {{- end -}} + + {{- if not (deepEqual .Values.nextcloud.previews.providers (uniq .Values.nextcloud.previews.providers)) -}} + {{- fail (printf "Nextcloud - Expected preview providers to be unique but got [%v]" .Values.nextcloud.previews.providers) -}} + {{- end -}} + + {{- if and .Values.nextcloud.collabora.enabled .Values.nextcloud.onlyoffice.enabled -}} + {{- fail "Nextcloud - Expected only one of [Collabora, OnlyOffice] to be enabled" -}} + {{- end -}} + + {{- if contains "$" .Values.nextcloud.collabora.password -}} + {{- fail "Nextcloud - Collabora [Password] cannot contain [$]" -}} + {{- end -}} + + {{- if .Values.nextcloud.collabora.enabled -}} + {{- if lt (len .Values.nextcloud.collabora.password) 8 -}} + {{- fail "Nextcloud - Collabora [Password] must be at least 8 characters" -}} + {{- end -}} + + {{- $collaboraUIModes := (list "default" "compact" "tabbed") -}} + {{- if not (mustHas .Values.nextcloud.collabora.interface_mode $collaboraUIModes) -}} + {{- fail (printf "Nextcloud - Expected [Interface Mode] in Collabora to be one of [%v], but got [%v]" (join "," $collaboraUIModes) .Values.nextcloud.collabora.interface_mode) -}} + {{- end -}} + + {{- if not .Values.nextcloud.collabora.dictionaries -}} + {{- fail "Nextcloud - Expected non-empty Collabora [Dictionaries]" -}} + {{- end -}} + {{- end -}} + +{{- end -}} 
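Review bot: The length check `lt (len .Values.nextcloud.collabora.password) 8` accepts the chart default `password: changeme` set in `values.yaml`, which is exactly eight characters. A deployment that enables Collabora without choosing a password therefore renders cleanly with `admin` / `changeme`. Add a guard inside the `collabora.enabled` block, e.g. `{{- if eq .Values.nextcloud.collabora.password "changeme" -}}{{- fail "Nextcloud - Collabora [Password] must be changed from the default" -}}{{- end -}}`, or ship an empty default so the length check catches it. The `$` check runs even when Collabora is disabled, and the `upload_limit` failure message still says "Memory Limit".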
diff --git a/charts/incubator/nextcloud/templates/common.yaml b/charts/incubator/nextcloud/templates/common.yaml index d1383651f41..22ed3e0e564 100644 --- a/charts/incubator/nextcloud/templates/common.yaml +++ b/charts/incubator/nextcloud/templates/common.yaml @@ -1,6 +1,8 @@ {{/* Make sure all variables are set properly */}} {{- include "tc.v1.common.loader.init" . -}} +{{- include "nextcloud.validation" $ -}} + {{/* Render configmaps for all pods */}} {{- $configmaps := include "nextcloud.configmaps" . | fromYaml -}} {{- if $configmaps -}} @@ -47,11 +49,20 @@ {{- $_ := set .Values.service.imaginary "enabled" false -}} {{- end -}} +{{/* Disable [collabora] if requested */}} +{{- if not .Values.nextcloud.collabora.enabled -}} + {{- $_ := set .Values.workload.collabora "enabled" false -}} + {{- $_ := set .Values.service.collabora "enabled" false -}} +{{- end -}} + {{/* Create [cronjobs] defined */}} {{- $cronjobs := include "nextcloud.cronjobs" . | fromYaml -}} {{- if $cronjobs -}} {{- $_ := mustMergeOverwrite .Values.workload $cronjobs -}} {{- end -}} +{{/* TODO: Do we have to cleanup when something (eg Collabora) is disabled? */}} +{{- include "nextcloud.ingressInjector" $ -}} + {{/* Render the templates */}} {{- include "tc.v1.common.loader.apply" . -}} diff --git a/charts/incubator/nextcloud/values.yaml b/charts/incubator/nextcloud/values.yaml index 30a5f3ef6e4..868e3a644bd 100644 --- a/charts/incubator/nextcloud/values.yaml +++ b/charts/incubator/nextcloud/values.yaml @@ -18,6 +18,10 @@ clamavImage: repository: tccr.io/truecharts/clamav pullPolicy: IfNotPresent tag: v1.1.0@sha256:ab196d867fcfddedc8dc965d67a2e6824ca65488cf616cc707e9c36efd54e086 +collaboraImage: + repository: tccr.io/truecharts/collabora + pullPolicy: IfNotPresent + tag: v23.05.0.5.1@sha256:a753bfe9d5479e992e914f5818bc96f33ff95dd3760cb10938ae2296286c416e nextcloud: # Initial Credentials 
@@ -82,12 +86,24 @@ nextcloud: enabled: true # Collabora settings collabora: - # It will not deploy the container - # Only add the Collabora settings + # It will also deploy the container enabled: false - url: "" - allow_list: - - 0.0.0.0/0 + # default|compact|tabbed + interface_mode: default + username: admin + password: changeme + dictionaries: + - de_DE + - en_GB + - en_US + - el_GR + - es_ES + - fr_FR + - pt_BR + - pt_PT + - it + - nl + - ru onlyoffice: # It will not deploy the container # Only add the OnlyOffice settings @@ -254,6 +270,39 @@ workload: enabled: true type: tcp port: "{{ .Values.service.clamav.ports.clamav.targetPort }}" + collabora: + enabled: true + type: Deployment + strategy: RollingUpdate + replicas: 1 + podSpec: + containers: + collabora: + primary: true + enabled: true + imageSelector: collaboraImage + # TODO: Check how low we can go + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + envFrom: + - configMapRef: + name: collabora-config + probes: + readiness: + enabled: true + type: http + port: "{{ .Values.service.collabora.ports.collabora.targetPort }}" + liveness: + enabled: true + type: http + port: "{{ .Values.service.collabora.ports.collabora.targetPort }}" + startup: + enabled: true + type: tcp + port: "{{ .Values.service.collabora.ports.collabora.targetPort }}" cronjobs: # Don't change names, it's used in the persistence @@ -321,6 +370,15 @@ service: port: 3310 targetPort: 3310 targetSelector: clamav + collabora: + enabled: true + targetSelector: collabora + ports: + collabora: + enabled: true + port: 9980 + targetPort: 9980 + targetSelector: collabora persistence: php-tune:
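Review bot: In the `workload.collabora` hunk the container is set to `runAsUser: 0`, `runAsNonRoot: false` and `readOnlyRootFilesystem: false`, with only `# TODO: Check how low we can go` as explanation. Nothing here sets `allowPrivilegeEscalation` or a `capabilities` list, so the effective privileges depend on common-library defaults that are not visible in this diff. Replace the TODO with a comment that records why root is required, e.g. `# Collabora currently runs as root (reason: TODO confirm); revisit with a non-root UID`, and state `allowPrivilegeEscalation` and the capability add/drop lists explicitly once the minimum Collabora needs is confirmed. The workload and service also default to `enabled: true` and are only switched off by the new block in `common.yaml`, which deserves a one-line comment next to `enabled: true`.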