minimal collabora

Signed-off-by: Nicolas Bigler <[email protected]>

Makefile

@@ -94,4 +94,26 @@ clean: ## Clean the project
 
 .PHONY: pre-commit-hook
 pre-commit-hook: ## Install pre-commit hook in .git/hooks
-	/usr/bin/cp -fa .githooks/pre-commit .git/hooks/pre-commit
+	/usr/bin/cp -fa .githooks/pre-commit .git/hooks/pre-commit
+
+.PHONY: local-appcat-development
+local-appcat-development : instance=vshn
+local-appcat-development: local-sed-substitution gen-golden kindev-install ## Run local development for appcat
+
+local-sed-substitution:
+	sed -i 's/grpcEndpoint.*/grpcEndpoint: $(LINUX_IP_ADDRESS):9443/g' tests/vshn.yml
+	sed -i 's/proxyFunction.*/proxyFunction: true/g' tests/vshn.yml
+
+kindev-install:
+	kubectl apply -f https://raw.githubusercontent.com/vshn/appcat/refs/heads/master/hack/functionproxy/function.yaml
+	kubectl apply -f https://raw.githubusercontent.com/vshn/appcat/refs/heads/master/hack/functionproxy/proxyconfig.yaml
+
+.PHONY: local-appcat-development-revert
+local-appcat-development-revert : instance=vshn
+local-appcat-development-revert: revert-sed-substitution gen-golden  ## Revert local development for appcat
+	kubectl delete -f https://raw.githubusercontent.com/vshn/appcat/refs/heads/master/hack/functionproxy/function.yaml
+	kubectl delete -f https://raw.githubusercontent.com/vshn/appcat/refs/heads/master/hack/functionproxy/proxyconfig.yaml
+
+
+revert-sed-substitution:
+	git checkout master tests/vshn.yml

Makefile.vars.mk

@@ -52,3 +52,6 @@ YAMLLINT_ARGS   ?= --no-warnings
 YAMLLINT_CONFIG ?= .yamllint.yml
 YAMLLINT_IMAGE  ?= docker.io/cytopia/yamllint:latest
 YAMLLINT_DOCKER ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) $(YAMLLINT_IMAGE)
+
+
+LINUX_IP_ADDRESS := $(shell ip -4 addr show dev docker0 | grep inet | awk -F' ' '{print $$2}' | awk -F'/' '{print $$1}')

class/defaults.yml

@@ -55,7 +55,7 @@ parameters:
       appcat:
         registry: ghcr.io
         repository: vshn/appcat
-        tag: v4.98.0
+        tag: nextcloud_collabora
       functionAppcat:
         registry: ${appcat:images:appcat:registry}
         repository: ${appcat:images:appcat:repository}
@@ -861,6 +861,8 @@ parameters:
               cert-manager.io/cluster-issuer: letsencrypt-production
               haproxy.router.openshift.io/timeout: 120s
               haproxy.router.openshift.io/hsts_header: max-age=31536000;preload
+            collabora_ingress_annotations: |
+              cert-manager.io/cluster-issuer: letsencrypt-production
           openshiftTemplate:
             serviceName: nextcloudbyvshn
             description: "Nextcloud is an open source suite of client-server software for creating and using file hosting services."

component/provider.jsonnet

@@ -54,8 +54,8 @@ local providerRBAC = {
       },
       {
         apiGroups: [ '' ],
-        resources: [ 'namespaces', 'serviceaccounts', 'secrets', 'pods', 'pods/log', 'pods/portforward', 'pods/status', 'services' ],
-        verbs: [ 'get', 'list', 'watch', 'create', 'watch', 'patch', 'update', 'delete' ],
+        resources: [ 'namespaces', 'serviceaccounts', 'secrets', 'pods', 'pods/log', 'pods/portforward', 'pods/status', 'pods/attach', 'pods/exec', 'services' ],
+        verbs: [ '*' ],
       },
       {
         apiGroups: [ 'apps' ],
@@ -65,7 +65,7 @@ local providerRBAC = {
       {
         apiGroups: [ 'apps' ],
         resources: [ 'statefulsets', 'deployments' ],
-        verbs: [ 'get', 'delete', 'watch', 'list', 'patch' ],
+        verbs: [ 'get', 'delete', 'watch', 'list', 'patch', 'update', 'create' ],
       },
       {
         apiGroups: [ 'rbac.authorization.k8s.io' ],
@@ -163,6 +163,22 @@ local providerRBAC = {
         resources: [ 'poddisruptionbudgets' ],
         verbs: [ 'get', 'list', 'watch', 'update', 'patch', 'create', 'delete' ],
       },
+      {
+        apiGroups: [ 'networking.k8s.io' ],
+        resources: [ 'ingresses' ],
+        verbs: [ 'get', 'list', 'watch', 'update', 'patch', 'create', 'delete' ],
+      },
+      {
+        apiGroups: [ '' ],
+        resources: [ 'persistentvolumeclaims' ],
+        verbs: [ 'get', 'list', 'watch', 'create', 'watch', 'patch', 'update', 'delete' ],
+      },
+      {
+        // This is needed for the privileged SCC - Nextcloud -> Collabora
+        apiGroups: [ 'security.openshift.io' ],
+        resources: [ 'securitycontextconstraints' ],
+        verbs: [ '*' ],
+      },
     ],
   },
   helm: {

component/vshn_appcat_services.jsonnet

@@ -177,7 +177,45 @@ local vshn_appcat_service(name, serviceParams) =
     },
   };
 
+
+  local scc =
+    {
+      allowHostDirVolumePlugin: true,
+      allowHostIPC: true,
+      allowHostNetwork: true,
+      allowHostPID: true,
+      allowHostPorts: true,
+      allowPrivilegeEscalation: false,
+      allowPrivilegedContainer: true,
+      allowedCapabilities: [
+      'MKNOD',
+      'CHOWN',
+      'SYS_CHROOT',
+      'FOWNER',
+      ],
+      apiVersion: 'security.openshift.io/v1',
+      defaultAddCapabilities: [
+      'MKNOD',
+      'CHOWN',
+      'SYS_CHROOT',
+      'FOWNER',
+      ],
+      kind: 'SecurityContextConstraints',
+      metadata: {
+      annotations: {},
+      name: 'appcat-collabora',
+      },
+      readOnlyRootFilesystem: false,
+      runAsUser: {
+      type: 'MustRunAsNonRoot',
+      },
+      seLinuxContext: {
+      type: 'MustRunAs',
+      },
+    };
+
   if params.services.vshn.enabled && serviceParams.enabled then {
+    '20_scc_appcat': scc,
     ['20_xrd_vshn_%s' % name]: xrd,
     ['20_rbac_vshn_%s' % name]: xrds.CompositeClusterRoles(xrd),
     ['21_composition_vshn_%s' % name]: composition,

tests/golden/apiserver/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.98.0-func
+  package: ghcr.io/vshn/appcat:nextcloud_collabora-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/apiserver/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.98.0
+          image: ghcr.io/vshn/appcat:nextcloud_collabora
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/billing/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.98.0-func
+  package: ghcr.io/vshn/appcat:nextcloud_collabora-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/billing/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.98.0
+          image: ghcr.io/vshn/appcat:nextcloud_collabora
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/billing/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -36,7 +36,7 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMARIADB
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.98.0
+        image: ghcr.io/vshn/appcat:nextcloud_collabora
         livenessProbe:
           httpGet:
             path: /healthz

tests/golden/cloudscale-metrics-collector-cloud/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.98.0-func
+  package: ghcr.io/vshn/appcat:nextcloud_collabora-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/cloudscale-metrics-collector-cloud/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.98.0
+          image: ghcr.io/vshn/appcat:nextcloud_collabora
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/cloudscale-metrics-collector-cloud/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -36,7 +36,7 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMARIADB
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.98.0
+        image: ghcr.io/vshn/appcat:nextcloud_collabora
         livenessProbe:
           httpGet:
             path: /healthz

tests/golden/cloudscale-metrics-collector-managed/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.98.0-func
+  package: ghcr.io/vshn/appcat:nextcloud_collabora-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/cloudscale-metrics-collector-managed/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.98.0
+          image: ghcr.io/vshn/appcat:nextcloud_collabora
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/cloudscale-metrics-collector-managed/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -36,7 +36,7 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMARIADB
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.98.0
+        image: ghcr.io/vshn/appcat:nextcloud_collabora
         livenessProbe:
           httpGet:
             path: /healthz

tests/golden/cloudscale/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.98.0-func
+  package: ghcr.io/vshn/appcat:nextcloud_collabora-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/cloudscale/appcat/appcat/10_provider_kubernetes.yaml

@@ -102,16 +102,11 @@ rules:
       - pods/log
       - pods/portforward
       - pods/status
+      - pods/attach
+      - pods/exec
       - services
     verbs:
-      - get
-      - list
-      - watch
-      - create
-      - watch
-      - patch
-      - update
-      - delete
+      - '*'
   - apiGroups:
       - apps
     resources:
@@ -130,6 +125,8 @@ rules:
       - watch
       - list
       - patch
+      - update
+      - create
   - apiGroups:
       - rbac.authorization.k8s.io
     resourceNames:
@@ -351,6 +348,37 @@ rules:
       - patch
       - create
       - delete
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+      - update
+      - patch
+      - create
+      - delete
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - watch
+      - patch
+      - update
+      - delete
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

tests/golden/cloudscale/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.98.0
+          image: ghcr.io/vshn/appcat:nextcloud_collabora
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/controllers/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.98.0-func
+  package: ghcr.io/vshn/appcat:nextcloud_collabora-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/controllers/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.98.0
+          image: ghcr.io/vshn/appcat:nextcloud_collabora
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/controllers/appcat/appcat/controllers/appcat/30_deployment.yaml

@@ -23,7 +23,7 @@ spec:
           env:
             - name: PLANS_NAMESPACE
               value: syn-appcat
-          image: ghcr.io/vshn/appcat:v4.98.0
+          image: ghcr.io/vshn/appcat:nextcloud_collabora
           livenessProbe:
             httpGet:
               path: /healthz

tests/golden/defaults/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.98.0-func
+  package: ghcr.io/vshn/appcat:nextcloud_collabora-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/defaults/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.98.0
+          image: ghcr.io/vshn/appcat:nextcloud_collabora
           livenessProbe:
             failureThreshold: 3
             httpGet:

tests/golden/defaults/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -36,7 +36,7 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMARIADB
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.98.0
+        image: ghcr.io/vshn/appcat:nextcloud_collabora
         livenessProbe:
           httpGet:
             path: /healthz

tests/golden/exoscale-metrics-collector-cloud/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.98.0-func
+  package: ghcr.io/vshn/appcat:nextcloud_collabora-func
   runtimeConfigRef:
     name: function-appcat

tests/golden/exoscale-metrics-collector-cloud/appcat/appcat/apiserver/30_deployment.yaml

@@ -29,7 +29,7 @@ spec:
             - --secure-port=9443
             - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
             - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
-          image: ghcr.io/vshn/appcat:v4.98.0
+          image: ghcr.io/vshn/appcat:nextcloud_collabora
           livenessProbe:
             failureThreshold: 3
             httpGet: