diff --git a/test/collabora/1.0.0/questions.yaml b/test/collabora/1.0.0/questions.yaml index 7d7519fcc5..5fcf46624d 100644 --- a/test/collabora/1.0.0/questions.yaml +++ b/test/collabora/1.0.0/questions.yaml @@ -64,7 +64,7 @@ questions: description: 'e.g. "--o:welcome.enable=false", See more on /etc/loolwsd/loowsd.xml. Separate params with space' schema: type: string - default: "--o:welcome.enable=false --o:user_interface.mode=notebookbar --o:ssl.termination=true --o:ssl.enable=false" + default: "--o:welcome.enable=false --o:user_interface.mode=notebookbar --o:ssl.termination=true --o:ssl.enable=false --o:net.proto=IPv4" - variable: DONT_GEN_SSL_CERT label: "DONT_GEN_SSL_CERT" description: "When set to true it does NOT generate an SSL cert, you have to use your own" @@ -84,6 +84,15 @@ questions: default: '' valid_chars: '^$|^[a-z]{1,}\\{1}\.{1}[a-z]{1,}\\{1}\.{1}[a-z]{1,}$' + - variable: certificate + description: "Collabora Certificate" + label: "Certificate" + group: "Collabora Configuration" + schema: + type: int + $ref: + - "definitions/certificate" + - variable: extraAppVolumeMounts label: "Collabora Extra Host Path Volumes" group: "Storage" diff --git a/test/collabora/1.0.0/templates/_helpers.tpl b/test/collabora/1.0.0/templates/_helpers.tpl index 08b7d95f3d..82b2687b17 100644 --- a/test/collabora/1.0.0/templates/_helpers.tpl +++ b/test/collabora/1.0.0/templates/_helpers.tpl 
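Review bot: The new `certificate` question is left optional in the schema, yet secrets.yaml aborts the render with `No certificate configured for Collabora` when it is unset, so a user only discovers the missing value after submitting the form. Adding `required: true` under `schema:` lets the form reject an empty value up front and matches the fail-closed behaviour of the template. I can't see `definitions/certificate` from this diff, so if the shared definition already enforces this the extra key is redundant.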
@@ -4,3 +4,37 @@ Retrieve secret name for secure credentials {{- define "secretName" -}} {{- print "credentials" -}} {{- end -}} + + +{{/* +Retrieve true/false if certificate is configured +*/}} +{{- define "certAvailable" -}} +{{- if .Values.certificate -}} +{{- $values := (. | mustDeepCopy) -}} +{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate) -}} +{{- template "common.resources.cert_present" $values -}} +{{- else -}} +{{- false -}} +{{- end -}} +{{- end -}} + + +{{/* +Retrieve public key of certificate +*/}} +{{- define "cert.publicKey" -}} +{{- $values := (. | mustDeepCopy) -}} +{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate "publicKey" true) -}} +{{ include "common.resources.cert" $values }} +{{- end -}} + + +{{/* +Retrieve private key of certificate +*/}} +{{- define "cert.privateKey" -}} +{{- $values := (. | mustDeepCopy) -}} +{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate) -}} +{{ include "common.resources.cert" $values }} +{{- end -}} diff --git a/test/collabora/1.0.0/templates/nginx-conf.yaml b/test/collabora/1.0.0/templates/nginx-conf.yaml index 0bee6e13d1..d54d24b005 100644 --- a/test/collabora/1.0.0/templates/nginx-conf.yaml +++ b/test/collabora/1.0.0/templates/nginx-conf.yaml @@ -6,10 +6,6 @@ metadata: rollme: {{ randAlphaNum 5 | quote }} data: config: |- - load_module modules/ngx_http_uploadprogress_module.so; - user www-data www-data; - worker_processes 1; - events { worker_connections 1024; } 
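Review bot: `cert.publicKey` and `cert.privateKey` use an untrimmed `{{ include "common.resources.cert" $values }}`, so the value that secrets.yaml pipes into `b64enc` carries a leading and trailing newline, unlike `certAvailable` which trims every action. Writing `{{- include "common.resources.cert" $values -}}` keeps the Secret payload to the bare PEM and makes any later `empty`/`eq` check on the include result reliable. The `Retrieve public key of certificate` comment is also misleading: what comes back is mounted as `server.crt`, i.e. the certificate itself, so `Retrieve the PEM certificate` would describe it accurately.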
@@ -32,33 +28,24 @@ data: application/rss+xml image/svg+xml; - # reserve 1MB under the name 'proxied' to track uploads - upload_progress proxied 1m; - sendfile on; - #tcp_nopush on; client_max_body_size 1000m; - #keepalive_timeout 0; keepalive_timeout 65; # Disable tokens for security (#23684) server_tokens off; gzip on; - #upload_store /var/tmp/firmware; client_body_temp_path /var/tmp/firmware; - error_log syslog:server=unix:/var/run/log,nohostname; - access_log syslog:server=unix:/var/run/log,nohostname; - server { - server_name localhost; + server_name nginx; listen 0.0.0.0:443 default_server ssl http2; listen [::]:443 default_server ssl http2; - ssl_certificate "/nginx.crt"; - ssl_certificate_key "/nginx.key"; + ssl_certificate "/etc/nginx/server.crt"; + ssl_certificate_key "/etc/nginx/server.key"; ssl_session_timeout 120m; ssl_session_cache shared:ssl:16m; @@ -68,10 +55,6 @@ data: ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384; add_header Strict-Transport-Security max-age=31536000; - # Security Headers - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1"; - location = /robots.txt { add_header Content-Type text/plain; proxy_set_header Referer "http://nginx"; @@ -80,9 +63,8 @@ data: # static files location ^~ /loleaflet { - set $upstream_collabora collabora; - proxy_pass http://$upstream_collabora:9980; - proxy_set_header Host $http_host; + proxy_pass http://collabora:9980; + proxy_set_header Host $host; proxy_set_header Referer "http://nginx"; } 
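Review bot: After this hunk the `http` block has no `error_log` or `access_log` directive at all, so nginx falls back to its compile-time defaults (typically files under /var/log/nginx inside the container) instead of anything the host collects; for the TLS edge that fronts every Collabora request this loses the trail an incident responder would reach for first. If the syslog socket went away because `/var/run/log` is no longer mounted, routing logs to the container streams keeps them visible through `kubectl logs`: `error_log /dev/stderr warn;` and `access_log /dev/stdout;` next to `server_tokens off;`. I'm inferring the packaged nginx's defaults, so confirm where it writes when unconfigured.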
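Review bot: Dropping `add_header X-Content-Type-Options nosniff;` leaves the TLS server block with HSTS as its only security header, so browsers may again MIME-sniff responses proxied back from Collabora under `/lool`, including content users uploaded. `X-XSS-Protection` is deprecated and fine to remove, but nosniff still earns its keep; retain `add_header X-Content-Type-Options nosniff;` beside the Strict-Transport-Security line. Bear in mind nginx does not inherit `add_header` into a location that sets its own, so the `location = /robots.txt` block (which adds `Content-Type`) would need the headers repeated if they are meant to apply there as well.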
@@ -96,38 +78,34 @@ data: # Capabilities location ^~ /hosting/capabilities { - set $upstream_collabora collabora; - proxy_pass http://$upstream_collabora:9980; - proxy_set_header Host $http_host; + proxy_pass http://collabora:9980; + proxy_set_header Host $host; proxy_set_header Referer "http://nginx"; } # main websocket location ~ ^/lool/(.*)/ws$ { - set $upstream_collabora collabora; - proxy_pass http://$upstream_collabora:9980; + proxy_pass http://collabora:9980; + proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; - proxy_set_header Host $http_host; proxy_set_header Referer "http://nginx"; proxy_read_timeout 36000s; } # download, presentation and image upload location ~ ^/lool { - set $upstream_collabora collabora; - proxy_pass http://$upstream_collabora:9980; - proxy_set_header Host $http_host; + proxy_pass http://collabora:9980; + proxy_set_header Host $host; proxy_set_header Referer "http://nginx"; } # Admin Console websocket location ^~ /lool/adminws { - set $upstream_collabora collabora; - proxy_pass http://$upstream_collabora:9980; + proxy_pass http://collabora:9980; + proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; - proxy_set_header Host $http_host; proxy_set_header Referer "http://nginx"; proxy_read_timeout 36000s; } @@ -136,8 +114,8 @@ data: server { listen 0.0.0.0:80; listen [::]:80; - server_name localhost; - return 307 https://$host:443$request_uri; + server_name nginx; + return 307 https://$host:{{ .Values.nodePort }}}$request_uri; } } diff --git a/test/collabora/1.0.0/templates/nginx-deployment.yaml b/test/collabora/1.0.0/templates/nginx-deployment.yaml index 086da069f4..e50d23c086 100644 --- a/test/collabora/1.0.0/templates/nginx-deployment.yaml +++ b/test/collabora/1.0.0/templates/nginx-deployment.yaml 
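Review bot: `location ^~ /lool/adminws` proxies the Collabora admin-console websocket straight through to the backend with no `allow`/`deny` or authentication at nginx, so the only gate is the admin username/password Collabora takes from the credentials Secret. If the console is only needed from inside the cluster or a management network, an `allow <cidr>; deny all;` pair in that location (or removing the location) takes an internet-facing credential-guessing surface off the table. I'm inferring external reachability from the NodePort type in nginx-service.yaml; adjust if that port is not routable from outside.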
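Review bot: The redirect line carries a stray brace: `return 307 https://$host:{{ .Values.nodePort }}}$request_uri;` renders as `https://host:30000}/path`, so every plain-HTTP request is bounced to a malformed URL. It should read `return 307 https://$host:{{ .Values.nodePort }}$request_uri;`. Separately, `$host` comes from the client-supplied Host header on a catch-all `:80` listener, so the 307 will redirect to whatever hostname an attacker sends; if the chart knows a canonical hostname, redirecting to that instead closes the open-redirect vector.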
@@ -13,6 +13,13 @@ spec: {{ include "common.deployment.common_spec" $values | nindent 2 }} mountPath: /etc/nginx/nginx.conf readOnly: true subPath: config + - name: certs + mountPath: /etc/nginx/server.crt + subPath: certPublicKey + - name: certs + mountPath: /etc/nginx/server.key + subPath: certPrivateKey + ports: - name: http containerPort: 80 @@ -22,6 +29,9 @@ spec: {{ include "common.deployment.common_spec" $values | nindent 2 }} protocol: TCP volumes: - name: configuration - configMap: - defaultMode: 0700 - name: "nginx-config" + configMap: + defaultMode: 0700 + name: "nginx-config" + - name: certs + secret: + secretName: {{ include "secretName" . }} diff --git a/test/collabora/1.0.0/templates/nginx-service.yaml b/test/collabora/1.0.0/templates/nginx-service.yaml index 6c613a9171..f3b7cd7449 100644 --- a/test/collabora/1.0.0/templates/nginx-service.yaml +++ b/test/collabora/1.0.0/templates/nginx-service.yaml @@ -1,6 +1,7 @@ {{ $port := .Values.nodePort }} {{ $ports := list }} -{{ $ports = mustAppend $ports (dict "name" "https" "port" $port "nodePort" $port "targetPort" "collabora") }} +{{ $ports = mustAppend $ports (dict "name" "https" "port" $port "nodePort" $port "targetPort" "https") }} {{ $params := (. | mustDeepCopy) }} -{{ $_ := set $params "common" (dict "nameSuffix" "nginx") "commonService" (dict "ports" $ports "type" "NodePort" ) }} +{{ $_ := set $params "common" (dict "nameSuffix" "nginx") }} +{{ $_2 := set $params "commonService" (dict "ports" $ports "type" "NodePort" ) }} {{ include "common.classes.service" $params }} diff --git a/test/collabora/1.0.0/templates/secrets.yaml b/test/collabora/1.0.0/templates/secrets.yaml index e979fba4c0..4538aa5e8a 100644 --- a/test/collabora/1.0.0/templates/secrets.yaml +++ b/test/collabora/1.0.0/templates/secrets.yaml 
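Review bot: The two new `certs` mounts for `/etc/nginx/server.crt` and `/etc/nginx/server.key` lack `readOnly: true`, unlike the nginx.conf mount directly above them, so a compromised nginx process could replace the key file in its own filesystem view. Add `readOnly: true` to both entries. Note too that `subPath` projections of a Secret are not refreshed when the Secret changes, so a rotated certificate only takes effect once the pod restarts; a comment such as `# subPath mounts do not pick up Secret updates; restart the pod after rotating the cert` would save the next operator a surprise.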
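Review bot: The new `certs` Secret volume sets no `defaultMode`, so the private key is projected with Kubernetes' default 0644 and is readable by every uid in the container, while the ConfigMap beside it is explicitly locked down to 0700. Set `defaultMode: 0400` on the secret volume; nginx's master reads the key before workers drop privileges, so that suffices when it starts as root. If the image runs nginx as a non-root user instead, pair the mode with an `fsGroup` in the pod security context so the key stays readable — I can't tell the runtime user from this diff.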
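Review bot: The Service now targets a container port named `https`, but the only named port visible in the nginx deployment hunks is `http` on 80; if no port carries the `https` name the Service gets no ready endpoints and the NodePort silently black-holes traffic. Please confirm the deployment declares `- name: https containerPort: 443` — it may well sit in the unchanged lines not shown in this diff.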
@@ -7,3 +7,9 @@ type: Opaque data: username: {{ .Values.config.username | b64enc | quote }} password: {{ .Values.config.password | b64enc | quote }} + {{ if eq (include "certAvailable" .) "true" }} + certPublicKey: {{ (include "cert.publicKey" .) | toString | b64enc | quote }} + certPrivateKey: {{ (include "cert.privateKey" .) | toString | b64enc | quote }} + {{ else }} + {{ fail "No certificate configured for Collabora" }} + {{ end }} diff --git a/test/collabora/1.0.0/templates/service.yaml b/test/collabora/1.0.0/templates/service.yaml index 7929c93a62..d14319a377 100644 --- a/test/collabora/1.0.0/templates/service.yaml +++ b/test/collabora/1.0.0/templates/service.yaml @@ -1,6 +1,6 @@ {{ $port := .Values.nodePort }} {{ $ports := list }} -{{ $ports = mustAppend $ports (dict "name" "collabora" "port" $port "nodePort" $port "targetPort" "collabora") }} +{{ $ports = mustAppend $ports (dict "name" "collabora" "port" 9980 "targetPort" "collabora") }} {{ $params := . }} {{ $_ := set $params "commonService" (dict "ports" $ports "type" "ClusterIP" ) }} {{ include "common.classes.service" $params }}
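Review bot: The TLS private key is written into the same `Opaque` Secret as the Collabora admin `username`/`password`, so any RBAC grant or volume mount that needs the credentials also exposes the key, and the nginx pod, which only needs the key, now has the admin password projected into it as well. Moving the key material into its own `kubernetes.io/tls` Secret with `tls.crt`/`tls.key` keeps the two trust domains separate and lets standard tooling recognise it. The `fail` branch is the right call when no certificate is configured; just be aware the `eq ... "true"` comparison depends on `common.resources.cert_present` emitting exactly `true`, which I cannot verify from here.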
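Review bot: `{{ $port := .Values.nodePort }}` on the first line of service.yaml is now dead, since the ClusterIP port is hard-coded to 9980 and `$port` is no longer referenced anywhere in the file. Dropping the line makes it explicit that the plaintext Collabora backend is no longer exposed on the node; if that intent should be recorded, a comment like `{{/* Collabora is reachable only through the nginx TLS proxy; see nginx-service.yaml */}}` does it.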