Try simple manifest deployment (#1)

.gitignore

@@ -6,6 +6,9 @@ __pycache__/
 
 .ruff_cache/
 
+
+.venv/
+
 # disable coverage
 coverage.lcov
 htmlcov/

.sops.yaml

@@ -1,4 +1,4 @@
 creation_rules:
-  - path_regex: .*secret.*
+  - path_regex: .*secrets\.yaml$
     encrypted_regex: ^(data|stringData)$
     age: "age1l0ly6j6p08tqwr0p2zp9899597cdqh9m27wa3lapy60nlvyx2gvqq5azhn"

kustomization.yaml

@@ -2,3 +2,20 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 namespace: tn-openbsw-opendesk
+
+resources:
+  - manifests/certificates.yaml
+  - manifests/configmaps.yaml
+  - manifests/cronjobs.yaml
+  - manifests/deployments.yaml
+  - manifests/ingresss.yaml
+  - manifests/issuers.yaml
+  - manifests/jobs.yaml
+  - manifests/persistentvolumeclaims.yaml
+  - manifests/pods.yaml
+  - manifests/rolebindings.yaml
+  - manifests/roles.yaml
+  - manifests/secrets.yaml
+  - manifests/serviceaccounts.yaml
+  - manifests/services.yaml
+  - manifests/statefulsets.yaml

manifests/collabora-secrets.yaml

@@ -0,0 +1,34 @@
+# Source: collabora-online/templates/secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+    name: collabora
+    labels:
+        helm.sh/chart: collabora-online-1.1.21
+        app.kubernetes.io/name: collabora-online
+        app.kubernetes.io/instance: collabora-online
+        app.kubernetes.io/version: 24.04.7.2.1
+        app.kubernetes.io/managed-by: Helm
+data:
+    username: ENC[AES256_GCM,data:yTTMfLS+vFXJ9KSkXKRGQILDEAeMeDsGCV9znb7dZK4=,iv:VuRKWEfgelmELv+E606v/nJWAy1TYF597ZGPI7970fs=,tag:dwV/jRvUUju0SOaDUWQWCQ==,type:str]
+    password: ENC[AES256_GCM,data:cIC/+ltCC41g7FjsIADCZgeU+5zhxN/zF2xY/JfjiQP6qq6pD3tUZ6VtG5exic4MCZ8N3uvLmTw=,iv:eoQDNOgclGd9YnVJaN57c5flLr9xy6nRdOO36rggTt8=,tag:ozEeAHiLt2xkjxyUD7eEgA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1l0ly6j6p08tqwr0p2zp9899597cdqh9m27wa3lapy60nlvyx2gvqq5azhn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5Nk9NUC9rVnZ6Z1gvNTI5
+            UzNvaXJOTUJ4ZDREWU4yN2FndEdQMVJYUUFvCmJiWU9FdzRWMGIzdHU2SFdXWlo0
+            cjVjZFpIbXdtNURKdTQ5dzRDcmtoZHcKLS0tIG94Zjdpem50RnR2TnF2YjIxYTE3
+            dmtpbFAxQUYwQmZMYlRZZ1cya1N0S2cK0ZB6xEtKP1wBe+jy+LhpKdbQ5u8mXQiF
+            s4ZdxmihwEjuKT66IBxvfvfvgwc/Caus2GczGf9hSTCCG8PwKg04XQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-06T22:13:01Z"
+    mac: ENC[AES256_GCM,data:x8Q3V52uXEKq5kS2ZK2yMGBgbT8EyEjoDuG/7FxEFUrq3W5sYNna7QNax0QE0tkPbxHb6tiLtpoHMOOVlJcZH5O41DlOOChYYetaumFoKLyBeW6UxcJfbe4gls5hCE9OtK3hFzI1QP9WoZq69qyPE/BVqOate9Ot1Hl686Cl7kI=,iv:6FR9L+b/MGjl5m5WSulXSoN6RVUQnyyKFz4bCOmkdTE=,tag:w2ejc2TKCYDhv7tYBOvC+g==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

manifests/collabora.yaml

@@ -0,0 +1,237 @@
+# Source: collabora-online/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: collabora
+  labels:
+    helm.sh/chart: collabora-online-1.1.21
+    app.kubernetes.io/name: collabora-online
+    app.kubernetes.io/instance: collabora-online
+    app.kubernetes.io/version: 24.04.7.2.1
+    app.kubernetes.io/managed-by: Helm
+---
+# Source: collabora-online/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: collabora
+  annotations:
+    confighash: config-583854b8559f211f26d630547459ea9f
+  labels:
+    helm.sh/chart: collabora-online-1.1.21
+    app.kubernetes.io/name: collabora-online
+    app.kubernetes.io/instance: collabora-online
+    app.kubernetes.io/version: 24.04.7.2.1
+    app.kubernetes.io/managed-by: Helm
+data:
+  extra_params: --o:ssl.enable=false --o:ssl.termination=true --o:fetch_update_check=0
+    --o:remote_font_config.url=https://files.opendesk.apps.digilab.network/apps/richdocuments/settings/fonts.json
+    --o:net.proto=all
+
+  aliasgroup1: https://files.opendesk.apps.digilab.network
+---
+# Source: collabora-online/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: collabora
+  labels:
+    helm.sh/chart: collabora-online-1.1.21
+    app.kubernetes.io/name: collabora-online
+    app.kubernetes.io/instance: collabora-online
+    app.kubernetes.io/version: 24.04.7.2.1
+    app.kubernetes.io/managed-by: Helm
+    type: main
+spec:
+  type: ClusterIP
+  ports:
+  - port: 9980
+    targetPort: http
+    protocol: TCP
+    name: http
+  selector:
+    app.kubernetes.io/name: collabora-online
+    app.kubernetes.io/instance: collabora-online
+    type: main
+---
+# Source: collabora-online/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: collabora
+  labels:
+    helm.sh/chart: collabora-online-1.1.21
+    app.kubernetes.io/name: collabora-online
+    app.kubernetes.io/instance: collabora-online
+    app.kubernetes.io/version: 24.04.7.2.1
+    app.kubernetes.io/managed-by: Helm
+spec:
+  minReadySeconds: 0
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: collabora-online
+      app.kubernetes.io/instance: collabora-online
+      type: main
+  template:
+    metadata:
+      annotations:
+        confighash: config-583854b8559f211f26d630547459ea9f
+        cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
+      labels:
+        app.kubernetes.io/name: collabora-online
+        app.kubernetes.io/instance: collabora-online
+        type: main
+    spec:
+      terminationGracePeriodSeconds: 60
+      serviceAccountName: collabora
+      securityContext:
+        fsGroup: 100
+      containers:
+      - name: collabora-online
+        securityContext:
+          allowPrivilegeEscalation: true
+          capabilities:
+            add:
+            - CHOWN
+            - FOWNER
+            - SYS_CHROOT
+            drop:
+            - ALL
+          privileged: false
+          readOnlyRootFilesystem: false
+          runAsGroup: 101
+          runAsNonRoot: true
+          runAsUser: 100
+          seLinuxOptions:
+          seccompProfile:
+            type: RuntimeDefault
+        image: 
+          registry.opencode.de/bmi/opendesk/components/supplier/collabora/images/collabora-online-for-opendesk:24.04.7.2.1@sha256:5b00478f2c6c7372b2a67e68783d9b1a91265679bbd4afdc1416e50720d50ce6
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: http
+          containerPort: 9980
+          protocol: TCP
+        startupProbe:
+          httpGet:
+            path: /
+            port: 9980
+            scheme: HTTP
+          failureThreshold: 30
+          periodSeconds: 3
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 9980
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 10
+          timeoutSeconds: 30
+          successThreshold: 1
+          failureThreshold: 4
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 9980
+            scheme: HTTP
+          initialDelaySeconds: 0
+          periodSeconds: 10
+          timeoutSeconds: 30
+          successThreshold: 1
+          failureThreshold: 2
+
+        envFrom:
+        - configMapRef:
+            name: collabora
+        env:
+        - name: username
+          valueFrom:
+            secretKeyRef:
+              name: collabora
+              key: username
+        - name: password
+          valueFrom:
+            secretKeyRef:
+              name: collabora
+              key: password
+        resources:
+          limits:
+            cpu: 99
+            memory: 4Gi
+          requests:
+            cpu: 0.5
+            memory: 512Mi
+        volumeMounts:
+        - name: tmp
+          mountPath: /tmp
+      volumes:
+      - name: tmp
+        emptyDir: {}
+---
+# Source: collabora-online/templates/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: collabora
+  labels:
+    helm.sh/chart: collabora-online-1.1.21
+    app.kubernetes.io/name: collabora-online
+    app.kubernetes.io/instance: collabora-online
+    app.kubernetes.io/version: 24.04.7.2.1
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    haproxy-ingress.github.io/balance-algorithm: url_param WOPISrc check_post
+    haproxy-ingress.github.io/config-backend: |
+      hash-type consistent
+      # block admin urls from outside
+      acl admin_url path_beg /cool/getMetrics
+      acl admin_url path_beg /cool/adminws/
+      acl admin_url path_beg /browser/dist/admin/admin.html
+      http-request deny if admin_url
+    haproxy-ingress.github.io/timeout-tunnel: 600s
+    haproxy.org/backend-config-snippet: |
+      balance url_param WOPISrc check_post
+      hash-type consistent
+    haproxy.org/timeout-tunnel: 600s
+    nginx.ingress.kubernetes.io/proxy-body-size: 100M
+    nginx.ingress.kubernetes.io/proxy-read-timeout: '600'
+    nginx.ingress.kubernetes.io/proxy-send-timeout: '600'
+    nginx.ingress.kubernetes.io/server-snippet: |
+      # block admin and metrics endpoint from outside by default
+      location /cool/getMetrics { deny all; return 403; }
+      location /cool/adminws/ { deny all; return 403; }
+      location /browser/dist/admin/admin.html { deny all; return 403; }
+    nginx.ingress.kubernetes.io/upstream-hash-by: $arg_WOPISrc
+    nginx.org/client-max-body-size: 100M
+    nginx.org/lb-method: hash $arg_WOPISrc consistent
+    nginx.org/proxy-read-timeout: 600s
+    nginx.org/proxy-send-timeout: 600s
+    nginx.org/server-snippets: |
+      # block admin and metrics endpoint from outside by default
+      location /cool/getMetrics { deny all; return 403; }
+      location /cool/adminws/ { deny all; return 403; }
+      location /browser/dist/admin/admin.html { deny all; return 403; }
+    nginx.org/websocket-services: collabora
+spec:
+  tls:
+  - hosts:
+    - office.opendesk.apps.digilab.network
+    secretName: opendesk-certificates-tls
+  rules:
+  - host: office.opendesk.apps.digilab.network
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: collabora
+            port:
+              number: 9980
+