Upgrade to v1.1.0

MinBZK · Jan 16, 2025 · 6964eaf · 6964eaf
1 parent 00fed55
commit 6964eaf
Show file tree

Hide file tree

Showing 37 changed files with 5,843 additions and 4,315 deletions.
diff --git a/README.md b/README.md
@@ -4,6 +4,28 @@
 
 This is the infrastructure as code repository to deploy [OpenDesk](https://opendesk.eu/en/) on a haven compliant kubernetes cluster. It is deployed to namespace tn-openbsw-opendesk
 
+## Generating your own opendesk
+
+There are several ways to install opendesk. The easiest is to directly use helmfile in the opendesk cloned repo. Unfortunately our Kubernetes requires us to use flux to deploy workloads. Since time was limited we choose to do a simple generating op yamls and deploy that with flux.
+
+prerequisite:
+
+1. [helmfile](https://helmfile.readthedocs.io/en/latest/) installed.
+2. python 3 installed
+
+To generate your own yaml manifests you can do the following:
+
+1. clone [opendesk](https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git)
+2. checkout the latest release (git tag, git checkout 'tag')
+3. set a master password export MASTER_PASSWORD=xxx
+4. change the script generate-by-apps.sh to point OPENDESK_REPO_PATH to the directory where you checked out the opendesk repo
+5. in the cloned opendesk repo change the /helmfile/environments/dev/sample.yaml.gotmpl to your desired config. we used the sample.yaml.gotmpl from this repo.
+6. install requirements.txt
+7. run generate-by-app.sh
+8. run split.py and fix any errors
+9. run kubectl apply -k . (or let flux deploy it for you by committing the changes)
+
+
 ## How to contribute
 
 See [contributing docs](CONTRIBUTING.md)

diff --git a/descrypt.sh b/descrypt.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+for file in manifests/*-secrets.yaml;
+do
+  sops -d -i "$file"
+done
diff --git a/encrypt.sh b/encrypt.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+for file in manifests/*-secrets.yaml;
+do
+  sops -e -i "$file"
+done
diff --git a/generate-by-apps.sh b/generate-by-apps.sh
@@ -8,6 +8,7 @@ cd ${OPENDESK_REPO_PATH}/../
 for APP_PATH in ${OPENDESK_REPO_PATH}/helmfile/apps/* ; do
     APP_NAME=${APP_PATH##*/}
     echo "Generating manifests for ${APP_NAME}"
+    echo "helmfile template -e dev -f '${APP_PATH}/helmfile.yaml.gotmpl' > '${SCRIPT_DIR}/manifests/${APP_NAME}.yaml'"
 
     helmfile template -e dev -f "${APP_PATH}/helmfile.yaml.gotmpl" > "${SCRIPT_DIR}/manifests/${APP_NAME}.yaml"
 

diff --git a/kustomization.yaml b/kustomization.yaml
@@ -4,28 +4,29 @@ kind: Kustomization
 namespace: tn-openbsw-opendesk
 
 resources:
-  - manifests/migrations-pre-secrets.yaml
-  - manifests/migrations-pre.yaml
-  - manifests/services-secrets.yaml
-  - manifests/services.yaml
-  - manifests/nubus-secrets.yaml
-  - manifests/nubus.yaml
-  - manifests/open-xchange-secrets.yaml
-  - manifests/open-xchange.yaml
-  - manifests/nextcloud-secrets.yaml
-  - manifests/nextcloud.yaml
-  - manifests/collabora-secrets.yaml
-  - manifests/collabora.yaml
-  - manifests/cryptpad.yaml
-  - manifests/jitsi-secrets.yaml
-  - manifests/jitsi.yaml
-  - manifests/element-secrets.yaml
-  - manifests/element.yaml
-  - manifests/openproject-secrets.yaml
-  - manifests/openproject.yaml
-  - manifests/xwiki-secrets.yaml
-  - manifests/xwiki.yaml
-  - manifests/openproject-bootstrap-secrets.yaml
-  - manifests/openproject-bootstrap.yaml
-  - manifests/migrations-post-secrets.yaml
-  - manifests/migrations-post.yaml
+ - manifests/collabora-secrets.yaml
+ - manifests/collabora.yaml
+ - manifests/cryptpad.yaml
+ - manifests/element-secrets.yaml
+ - manifests/element.yaml
+ - manifests/jitsi-secrets.yaml
+ - manifests/jitsi.yaml
+ - manifests/nextcloud-secrets.yaml
+ - manifests/nextcloud.yaml
+ - manifests/nubus-secrets.yaml
+ - manifests/nubus.yaml
+ - manifests/open-xchange-secrets.yaml
+ - manifests/open-xchange.yaml
+ - manifests/opendesk-migrations-post-secrets.yaml
+ - manifests/opendesk-migrations-post.yaml
+ - manifests/opendesk-migrations-pre-secrets.yaml
+ - manifests/opendesk-migrations-pre.yaml
+ - manifests/opendesk-openproject-bootstrap-secrets.yaml
+ - manifests/opendesk-openproject-bootstrap.yaml
+ - manifests/opendesk-services.yaml
+ - manifests/openproject-secrets.yaml
+ - manifests/openproject.yaml
+ - manifests/services-external-secrets.yaml
+ - manifests/services-external.yaml
+ - manifests/xwiki-secrets.yaml
+ - manifests/xwiki.yaml
diff --git a/manifests/collabora-secrets.yaml b/manifests/collabora-secrets.yaml
@@ -10,8 +10,8 @@ metadata:
         app.kubernetes.io/version: 24.04.7.2.1
         app.kubernetes.io/managed-by: Helm
 data:
-    username: ENC[AES256_GCM,data:ooNSdLhk9kZq5Pxsi737uF2BN0v/pryq4yVXi5jpuUo=,iv:zjB+siQae4jmIWziuRjwfhox/4wrF43I9HdAsl/gW5M=,tag:qvm6cBBJ76r49XKzsdii4A==,type:str]
-    password: ENC[AES256_GCM,data:hFUhmUTyqchQQHOEHyXekiIHLWUlC4/Oua8TuxrrZ8XVEEIu9Y9dG2sfO7tc4CJO+ypfiiK6JHM=,iv:s6ZC8ferwnAyLUMkEHwqGaDJeZNzX/eAIcaZN1sDt5E=,tag:VqGJPNjfDcNV0naEK57IxQ==,type:str]
+    username: ENC[AES256_GCM,data:fcYFpsctToZgIf/FigA5KS4GlEPy8IGvtXVBM+Eejas=,iv:2hmzSGWDhCRf/UtgaywWhsQQzUpVrKnx+rjbptjsGD8=,tag:Gt3lHjTvj6i/uVkNQSK4Ig==,type:str]
+    password: ENC[AES256_GCM,data:0lrNT//I1kAtSas3Mb9pwxG8lmkApsId2cH1asl5b0nyZmQY4FntVOAlMRmWO2CjNNMa58GLz+4=,iv:gtq3EIhw7+qlNTHXmvv+/L8zx0gMUynZbv3xBRhV3vo=,tag:q6oZa3TQfoQfYfIt/GgEoQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -21,14 +21,14 @@ sops:
         - recipient: age1l0ly6j6p08tqwr0p2zp9899597cdqh9m27wa3lapy60nlvyx2gvqq5azhn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCRitLY2ZhMUxCbzc4MTBV
-            OHdWU2phZ0pHekswYitUWG9vaXA5Mmd2b1d3CkJoQk1MUGVQblkrdklBaU5HRHY2
-            Wkdoc3NaOVBWbjF3YmxVV3VnLzI1encKLS0tIDhzS1FscWNBdENwcUdESzF6d3o5
-            MVhmbmFHcWozZy9NMk9kZU1qdld1ZU0KF73PiqmP0Jk6Y70I/09A0nDsPaNagLZV
-            uId8bvAqmFXIPam7/tJc+y7YWmiBRqayy8XgAYUYvoVQ2UOQByRX0g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArczZpb0xPNUp3ZnZsSjNr
+            ZkgxWXZzNW5uSkNhOUU5eGhGLzBaQWFjTkhVClZCaDJJOTlNTzdqNytsbFd4QjNs
+            eGthcEh2SU9Ed1ZLNkdZWVFWcnRYRjQKLS0tIHBDdnpldGYrWDZNTkI3dUtYWHVQ
+            WERWaUZmWmdKaXhqUytGSHZ3KzhIMmcK2djki32gn1lxGB7PPp+npL2ZlyzWadEP
+            90aBEhnhg5HGMXgCGiHqTuTQf9PqUZKAnNuBvRs0j0E7icQ1BduEaQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-07T09:34:08Z"
-    mac: ENC[AES256_GCM,data:5E6F5mM+mvdPnDmFwUCyf0aaZQLNxM5DB4tnoRPN6OKOTE7/8P6HKs85GRmyHSVvmg5OfVqs9NIdrf2pEmxZ6PgpA5zztsLHv6SwT9hsDiUxc12NdAq8gNuv6dNqhzg6uV59VRh/bYbH8188WGjjMQ3dKcUA6+BNjo8u2xK+AHk=,iv:dFLTsJaO/q6Eaqua9ECepbXPBSuPJES8I4xdGc0QyPY=,tag:4zjCKTsSmGLJOIJcKeO7Ng==,type:str]
+    lastmodified: "2025-01-16T19:51:32Z"
+    mac: ENC[AES256_GCM,data:y4Q9caNDurYh0QZ0w/WlweV+UbUqaMuZWbfafqbmJFvkDvW6MffGDmbnz/pOH4h4zg4iybq6aG7gT/039cmDnr1enu5kbcV3lMoPtgmOWSqfhzfQCHcq2Uj2JIbEp/LSIRJC1WDdxn2dCV9rnaJP/++l535AoEKrYzGfwstsILY=,iv:46Xj/psErde5tGr9CQANxd0p+06P47FywrsdcH/L8og=,tag:uPJ7aM1KSt36kSvUj7qY2g==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
     version: 3.8.1
diff --git a/manifests/collabora.yaml b/manifests/collabora.yaml
@@ -16,7 +16,7 @@ kind: ConfigMap
 metadata:
   name: collabora
   annotations:
-    confighash: config-583854b8559f211f26d630547459ea9f
+    confighash: config-557ffd45164594601a6afa26ff804fe8
   labels:
     helm.sh/chart: collabora-online-1.1.21
     app.kubernetes.io/name: collabora-online
@@ -25,8 +25,9 @@ metadata:
     app.kubernetes.io/managed-by: Helm
 data:
   extra_params: --o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=0
+    --o:num_prespawn_children=4 
     --o:remote_font_config.url=https://files.opendesk.apps.digilab.network/apps/richdocuments/settings/fonts.json
-    --o:net.proto=all
+    --o:net.proto=all --o:logging.level=debug
 
   aliasgroup1: https://files.opendesk.apps.digilab.network
 ---
@@ -81,7 +82,7 @@ spec:
   template:
     metadata:
       annotations:
-        confighash: config-583854b8559f211f26d630547459ea9f
+        confighash: config-557ffd45164594601a6afa26ff804fe8
         cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
       labels:
         app.kubernetes.io/name: collabora-online
@@ -111,8 +112,8 @@ spec:
           seLinuxOptions:
           seccompProfile:
             type: RuntimeDefault
-        image:
-          registry.opencode.de/bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk:24.04.7.2.1@sha256:5b00478f2c6c7372b2a67e68783d9b1a91265679bbd4afdc1416e50720d50ce6
+        image: 
+          registry.opencode.de/bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk:24.04.9.2.1@sha256:749917bf9146d8507b3a63d422a30ebe4f499700421c30527e32f322a015c73d
         imagePullPolicy: IfNotPresent
         ports:
         - name: http
@@ -160,7 +161,15 @@ spec:
             secretKeyRef:
               name: collabora
               key: password
+
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
         resources:
+          limits:
+            cpu: 99
+            memory: 4Gi
           requests:
             cpu: 0.5
             memory: 512Mi
@@ -183,19 +192,6 @@ metadata:
     app.kubernetes.io/version: 24.04.7.2.1
     app.kubernetes.io/managed-by: Helm
   annotations:
-    haproxy-ingress.github.io/balance-algorithm: url_param WOPISrc check_post
-    haproxy-ingress.github.io/config-backend: |
-      hash-type consistent
-      # block admin urls from outside
-      acl admin_url path_beg /cool/getMetrics
-      acl admin_url path_beg /cool/adminws/
-      acl admin_url path_beg /browser/dist/admin/admin.html
-      http-request deny if admin_url
-    haproxy-ingress.github.io/timeout-tunnel: 600s
-    haproxy.org/backend-config-snippet: |
-      balance url_param WOPISrc check_post
-      hash-type consistent
-    haproxy.org/timeout-tunnel: 600s
     nginx.ingress.kubernetes.io/proxy-body-size: 100M
     nginx.ingress.kubernetes.io/proxy-read-timeout: '600'
     nginx.ingress.kubernetes.io/proxy-send-timeout: '600'
@@ -205,16 +201,6 @@ metadata:
       location /cool/adminws/ { deny all; return 403; }
       location /browser/dist/admin/admin.html { deny all; return 403; }
     nginx.ingress.kubernetes.io/upstream-hash-by: $arg_WOPISrc
-    nginx.org/client-max-body-size: 100M
-    nginx.org/lb-method: hash $arg_WOPISrc consistent
-    nginx.org/proxy-read-timeout: 600s
-    nginx.org/proxy-send-timeout: 600s
-    nginx.org/server-snippets: |
-      # block admin and metrics endpoint from outside by default
-      location /cool/getMetrics { deny all; return 403; }
-      location /cool/adminws/ { deny all; return 403; }
-      location /browser/dist/admin/admin.html { deny all; return 403; }
-    nginx.org/websocket-services: collabora
 spec:
   tls:
   - hosts:

diff --git a/manifests/cryptpad.yaml b/manifests/cryptpad.yaml
@@ -23,7 +23,7 @@ data:
   config.js: |
     /* globals module */
 
-    module.exports = {
+    module.exports = {  
             httpUnsafeOrigin: 'https://pad.opendesk.apps.digilab.network',
             httpSafeOrigin: 'https://pad.opendesk.apps.digilab.network',
             adminKeys: [],
@@ -127,8 +127,8 @@ spec:
           seLinuxOptions:
           seccompProfile:
             type: RuntimeDefault
-        image:
-          registry.opencode.de/bmi/opendesk/components/supplier/xwiki/images-mirror/cryptpad:opendesk-20231222@sha256:f4d20d5c38c87b11ed1a1b46ef6a3633d32c6758ebdff8556458f040318fa5e2
+        image: 
+          registry.opencode.de/bmi/opendesk/components/supplier/xwiki/images-mirror/cryptpad:opendesk-20241022@sha256:3e5bf06cb9d0a7ec8257874b8b347599200eb677fc428a2e043ccab06ef2be17
         imagePullPolicy: IfNotPresent
         command: [/bin/sh, -c]
         volumeMounts:
@@ -146,6 +146,9 @@ spec:
             echo "$VALUE" >> "$FILE"
           fi
         resources:
+          limits:
+            cpu: 99
+            memory: 2Gi
           requests:
             cpu: 0.1
             memory: 512Mi
@@ -164,8 +167,8 @@ spec:
           seLinuxOptions:
           seccompProfile:
             type: RuntimeDefault
-        image:
-          registry.opencode.de/bmi/opendesk/components/supplier/xwiki/images-mirror/cryptpad:opendesk-20231222@sha256:f4d20d5c38c87b11ed1a1b46ef6a3633d32c6758ebdff8556458f040318fa5e2
+        image: 
+          registry.opencode.de/bmi/opendesk/components/supplier/xwiki/images-mirror/cryptpad:opendesk-20241022@sha256:3e5bf06cb9d0a7ec8257874b8b347599200eb677fc428a2e043ccab06ef2be17
         imagePullPolicy: IfNotPresent
         env:
         - name: CPAD_MAIN_DOMAIN
@@ -208,6 +211,9 @@ spec:
           failureThreshold: 5
           successThreshold: 1
         resources:
+          limits:
+            cpu: 99
+            memory: 2Gi
           requests:
             cpu: 0.1
             memory: 512Mi