Merge pull request #511 from vshn/nextcloud_collabora

Add Collabora integration for Nextcloud

Makefile

@@ -94,4 +94,4 @@ clean: ## Clean the project
 
 .PHONY: pre-commit-hook
 pre-commit-hook: ## Install pre-commit hook in .git/hooks
-	/usr/bin/cp -fa .githooks/pre-commit .git/hooks/pre-commit
+	/usr/bin/cp -fa .githooks/pre-commit .git/hooks/pre-commit

class/appcat.yml

@@ -71,6 +71,7 @@ parameters:
           - ${_base_directory}/component/vshn_appcat_services.jsonnet
           - ${_base_directory}/component/billing.jsonnet
           - ${_base_directory}/component/rbac_testing.jsonnet
+          - ${_base_directory}/component/vshn_nextcloud.jsonnet
         input_type: jsonnet
         output_path: appcat/
 

class/defaults.yml

@@ -55,7 +55,7 @@ parameters:
       appcat:
         registry: ghcr.io
         repository: vshn/appcat
-        tag: v4.102.1
+        tag: v4.104.0
       functionAppcat:
         registry: ${appcat:images:appcat:registry}
         repository: ${appcat:images:appcat:repository}
@@ -85,6 +85,10 @@ parameters:
         registry: docker.io
         image: proxysql/proxysql
         version: '2.7.1'
+      collabora:
+        registry: docker.io
+        image: collabora/code
+        tag: "24.04.9.2.1"
     =_crd_version: ${appcat:images:appcat:tag}
 
     namespace: syn-appcat
@@ -866,10 +870,13 @@ parameters:
           restoreSA: nextcloudserviceaccount
           restoreRoleRules: ${appcat:defaultRestoreRoleRules}
           additionalInputs:
+            collabora_image: ${appcat:images:collabora:registry}/${appcat:images:collabora:image}:${appcat:images:collabora:tag}
+            collaboraCPULimit: "1"
+            collaboraCPURequests: 250m
+            collaboraMemoryLimit: 1Gi
+            collaboraMemoryRequests: 256Mi
             ingress_annotations: |
               cert-manager.io/cluster-issuer: letsencrypt-production
-              haproxy.router.openshift.io/timeout: 120s
-              haproxy.router.openshift.io/hsts_header: max-age=31536000;preload
           openshiftTemplate:
             serviceName: nextcloudbyvshn
             description: "Nextcloud is an open source suite of client-server software for creating and using file hosting services."

component/provider.jsonnet

@@ -54,7 +54,7 @@ local providerRBAC = {
       },
       {
         apiGroups: [ '' ],
-        resources: [ 'namespaces', 'serviceaccounts', 'secrets', 'pods', 'pods/log', 'pods/portforward', 'pods/status', 'services' ],
+        resources: [ 'namespaces', 'serviceaccounts', 'secrets', 'pods', 'pods/log', 'pods/portforward', 'pods/status', 'pods/attach', 'pods/exec', 'services' ],
         verbs: [ 'get', 'list', 'watch', 'create', 'watch', 'patch', 'update', 'delete' ],
       },
       {
@@ -65,7 +65,7 @@ local providerRBAC = {
       {
         apiGroups: [ 'apps' ],
         resources: [ 'statefulsets', 'deployments' ],
-        verbs: [ 'get', 'delete', 'watch', 'list', 'patch' ],
+        verbs: [ 'get', 'delete', 'watch', 'list', 'patch', 'update', 'create' ],
       },
       {
         apiGroups: [ 'rbac.authorization.k8s.io' ],
@@ -164,10 +164,20 @@ local providerRBAC = {
         verbs: [ 'get', 'list', 'watch', 'update', 'patch', 'create', 'delete' ],
       },
       {
-        apiGroups: [ 'apps' ],
-        resources: [ 'statefulsets' ],
+        apiGroups: [ 'networking.k8s.io' ],
+        resources: [ 'ingresses' ],
+        verbs: [ 'get', 'list', 'watch', 'update', 'patch', 'create', 'delete' ],
+      },
+      {
+        apiGroups: [ '' ],
+        resources: [ 'persistentvolumeclaims' ],
         verbs: [ 'get', 'list', 'watch', 'create', 'watch', 'patch', 'update', 'delete' ],
       },
+      {
+        apiGroups: [ 'security.openshift.io' ],
+        resources: [ 'securitycontextconstraints' ],
+        verbs: [ 'use' ],
+      },
     ],
   },
   helm: {

component/vshn_nextcloud.jsonnet

@@ -0,0 +1,50 @@
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+
+local common = import 'common.libsonnet';
+
+local inv = kap.inventory();
+local params = inv.parameters.appcat;
+local nextcloudParams = params.services.vshn.nextcloud;
+local isOpenshift = std.startsWith(inv.parameters.facts.distribution, 'openshift') || inv.parameters.facts.distribution == 'oke';
+
+
+local scc =
+  {
+    allowHostDirVolumePlugin: true,
+    allowHostIPC: true,
+    allowHostNetwork: true,
+    allowHostPID: true,
+    allowHostPorts: true,
+    allowPrivilegeEscalation: false,
+    allowPrivilegedContainer: true,
+    allowedCapabilities: [
+      'MKNOD',
+      'CHOWN',
+      'SYS_CHROOT',
+      'FOWNER',
+    ],
+    apiVersion: 'security.openshift.io/v1',
+    defaultAddCapabilities: [
+      'MKNOD',
+      'CHOWN',
+      'SYS_CHROOT',
+      'FOWNER',
+    ],
+    kind: 'SecurityContextConstraints',
+    metadata: {
+      name: 'appcat-collabora',
+    },
+    readOnlyRootFilesystem: false,
+    runAsUser: {
+      type: 'MustRunAsNonRoot',
+    },
+    seLinuxContext: {
+      type: 'MustRunAs',
+    },
+  };
+
+if params.services.vshn.enabled then {
+  [if params.services.vshn.nextcloud.enabled && isOpenshift then '22_scc_appcat']: scc,
+} else {}

tests/golden/apiserver/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.102.1-func
+  package: ghcr.io/vshn/appcat:v4.104.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/apiserver/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.102.1
+          image: ghcr.io/vshn/appcat:v4.104.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/billing/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.102.1-func
+  package: ghcr.io/vshn/appcat:v4.104.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/billing/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.102.1
+          image: ghcr.io/vshn/appcat:v4.104.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/billing/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -36,7 +36,7 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMARIADB
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.102.1
+        image: ghcr.io/vshn/appcat:v4.104.0
         livenessProbe:
           httpGet:
             path: /healthz

tests/golden/cloudscale-metrics-collector-cloud/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.102.1-func
+  package: ghcr.io/vshn/appcat:v4.104.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/cloudscale-metrics-collector-cloud/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.102.1
+          image: ghcr.io/vshn/appcat:v4.104.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/cloudscale-metrics-collector-cloud/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -36,7 +36,7 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMARIADB
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.102.1
+        image: ghcr.io/vshn/appcat:v4.104.0
         livenessProbe:
           httpGet:
             path: /healthz

tests/golden/cloudscale-metrics-collector-managed/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.102.1-func
+  package: ghcr.io/vshn/appcat:v4.104.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/cloudscale-metrics-collector-managed/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.102.1
+          image: ghcr.io/vshn/appcat:v4.104.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/cloudscale-metrics-collector-managed/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -36,7 +36,7 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMARIADB
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.102.1
+        image: ghcr.io/vshn/appcat:v4.104.0
         livenessProbe:
           httpGet:
             path: /healthz

tests/golden/cloudscale/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.102.1-func
+  package: ghcr.io/vshn/appcat:v4.104.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/cloudscale/appcat/appcat/10_provider_kubernetes.yaml

@@ -102,6 +102,8 @@ rules:
       - pods/log
       - pods/portforward
       - pods/status
+      - pods/attach
+      - pods/exec
       - services
     verbs:
       - get
@@ -130,6 +132,8 @@ rules:
       - watch
       - list
       - patch
+      - update
+      - create
   - apiGroups:
       - rbac.authorization.k8s.io
     resourceNames:
@@ -352,9 +356,21 @@ rules:
       - create
       - delete
   - apiGroups:
-      - apps
+      - networking.k8s.io
     resources:
-      - statefulsets
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - create
+      - delete
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumeclaims
     verbs:
       - get
       - list
@@ -364,6 +380,12 @@ rules:
       - patch
       - update
       - delete
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

tests/golden/cloudscale/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.102.1
+          image: ghcr.io/vshn/appcat:v4.104.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/controllers/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.102.1-func
+  package: ghcr.io/vshn/appcat:v4.104.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/controllers/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.102.1
+          image: ghcr.io/vshn/appcat:v4.104.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/controllers/appcat/appcat/controllers/appcat/30_deployment.yaml

@@ -23,7 +23,7 @@ spec:
           env:
             - name: PLANS_NAMESPACE
               value: syn-appcat
-          image: ghcr.io/vshn/appcat:v4.102.1
+          image: ghcr.io/vshn/appcat:v4.104.0
           livenessProbe:
             httpGet:
               path: /healthz

tests/golden/defaults/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.102.1-func
+  package: ghcr.io/vshn/appcat:v4.104.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/defaults/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.102.1
+          image: ghcr.io/vshn/appcat:v4.104.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/defaults/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -36,7 +36,7 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMARIADB
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.102.1
+        image: ghcr.io/vshn/appcat:v4.104.0
         livenessProbe:
           httpGet:
             path: /healthz

tests/golden/exoscale-metrics-collector-cloud/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.102.1-func
+  package: ghcr.io/vshn/appcat:v4.104.0-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/exoscale-metrics-collector-cloud/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.102.1
+          image: ghcr.io/vshn/appcat:v4.104.0
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/exoscale-metrics-collector-cloud/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -36,7 +36,7 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMARIADB
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.102.1
+        image: ghcr.io/vshn/appcat:v4.104.0
         livenessProbe:
           httpGet:
             path: /healthz

tests/golden/exoscale-metrics-collector-managed/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.102.1-func
+  package: ghcr.io/vshn/appcat:v4.104.0-func
   runtimeConfigRef:
     name: function-appcat