
Properly configure certificate to be used with collabora application

sonicaj 4 years ago
parent
commit
270e996be3

+ 10 - 1
test/collabora/1.0.0/questions.yaml

@@ -64,7 +64,7 @@ questions:
           description: 'e.g. "--o:welcome.enable=false", See more on /etc/loolwsd/loowsd.xml. Separate params with space'
           schema:
             type: string
-            default: "--o:welcome.enable=false --o:user_interface.mode=notebookbar --o:ssl.termination=true --o:ssl.enable=false"
+            default: "--o:welcome.enable=false --o:user_interface.mode=notebookbar --o:ssl.termination=true --o:ssl.enable=false --o:net.proto=IPv4"
         - variable: DONT_GEN_SSL_CERT
           label: "DONT_GEN_SSL_CERT"
           description: "When set to true it does NOT generate an SSL cert, you have to use your own"
@@ -84,6 +84,15 @@ questions:
             default: ''
             valid_chars: '^$|^[a-z]{1,}\\{1}\.{1}[a-z]{1,}\\{1}\.{1}[a-z]{1,}$'
 
+  - variable: certificate
+    description: "Collabora Certificate"
+    label: "Certificate"
+    group: "Collabora Configuration"
+    schema:
+      type: int
+      $ref:
+        - "definitions/certificate"
+
   - variable: extraAppVolumeMounts
     label: "Collabora Extra Host Path Volumes"
     group: "Storage"
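Review bot: The new `certificate` question does not declare `required: true`, yet the secrets.yaml template in this same commit calls `fail` when no certificate is configured, so an install without one is rejected only at render time instead of by the form validation. Unless `definitions/certificate` already enforces this (its content is not visible here), add `required: true` under `schema:` next to `type: int`. The description could also say what the certificate is used for, e.g. `description: "Certificate served by the nginx TLS front end in front of Collabora"`.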

+ 34 - 0
test/collabora/1.0.0/templates/_helpers.tpl

@@ -4,3 +4,37 @@ Retrieve secret name for secure credentials
 {{- define "secretName" -}}
 {{- print "credentials" -}}
 {{- end -}}
+
+
+{{/*
+Retrieve true/false if certificate is configured
+*/}}
+{{- define "certAvailable" -}}
+{{- if .Values.certificate -}}
+{{- $values := (. | mustDeepCopy) -}}
+{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate) -}}
+{{- template "common.resources.cert_present" $values -}}
+{{- else -}}
+{{- false -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Retrieve public key of certificate
+*/}}
+{{- define "cert.publicKey" -}}
+{{- $values := (. | mustDeepCopy) -}}
+{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate "publicKey" true) -}}
+{{ include "common.resources.cert" $values }}
+{{- end -}}
+
+
+{{/*
+Retrieve private key of certificate
+*/}}
+{{- define "cert.privateKey" -}}
+{{- $values := (. | mustDeepCopy) -}}
+{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate) -}}
+{{ include "common.resources.cert" $values }}
+{{- end -}}
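Review bot: `cert.publicKey` and `cert.privateKey` are identical apart from the `"publicKey" true` entry in the options dict, so the deep-copy/set/include sequence is already written three times in this file counting `certAvailable`; one helper that takes the public-key flag, or a shared include for the common lines, would keep them from drifting. The header comment on `certAvailable` says it yields true/false, but the if-branch prints whatever `common.resources.cert_present` prints — presumably the strings "true"/"false", which secrets.yaml relies on via `eq ... "true"`; stating that contract in the comment, e.g. `Prints "true" when .Values.certificate is set and the referenced certificate exists, "false" otherwise`, would make the dependency explicit.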

+ 15 - 37
test/collabora/1.0.0/templates/nginx-conf.yaml

@@ -6,10 +6,6 @@ metadata:
     rollme: {{ randAlphaNum 5 | quote }}
 data:
   config: |-
-    load_module modules/ngx_http_uploadprogress_module.so;
-    user www-data www-data;
-    worker_processes  1;
-
     events {
         worker_connections  1024;
     }
@@ -32,33 +28,24 @@ data:
             application/rss+xml
             image/svg+xml;
 
-        # reserve 1MB under the name 'proxied' to track uploads
-        upload_progress proxied 1m;
-
         sendfile        on;
-        #tcp_nopush     on;
         client_max_body_size 1000m;
 
-        #keepalive_timeout  0;
         keepalive_timeout  65;
 
         # Disable tokens for security (#23684)
         server_tokens off;
 
         gzip  on;
-        #upload_store /var/tmp/firmware;
         client_body_temp_path /var/tmp/firmware;
 
-        error_log syslog:server=unix:/var/run/log,nohostname;
-        access_log syslog:server=unix:/var/run/log,nohostname;
-
         server {
-            server_name  localhost;
+            server_name  nginx;
             listen                 0.0.0.0:443 default_server ssl http2;
             listen                 [::]:443 default_server ssl http2;
 
-            ssl_certificate        "/nginx.crt";
-            ssl_certificate_key    "/nginx.key";
+            ssl_certificate        "/etc/nginx/server.crt";
+            ssl_certificate_key    "/etc/nginx/server.key";
 
             ssl_session_timeout    120m;
             ssl_session_cache      shared:ssl:16m;
@@ -68,10 +55,6 @@ data:
             ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384;
             add_header Strict-Transport-Security max-age=31536000;
 
-            # Security Headers
-            add_header X-Content-Type-Options nosniff;
-            add_header X-XSS-Protection "1";
-
             location = /robots.txt {
               add_header Content-Type text/plain;
               proxy_set_header Referer "http://nginx";
@@ -80,9 +63,8 @@ data:
 
             # static files
             location ^~ /loleaflet {
-                set $upstream_collabora collabora;
-                proxy_pass http://$upstream_collabora:9980;
-                proxy_set_header Host $http_host;
+                proxy_pass http://collabora:9980;
+                proxy_set_header Host $host;
                 proxy_set_header Referer "http://nginx";
             }
 
@@ -96,38 +78,34 @@ data:
 
             # Capabilities
             location ^~ /hosting/capabilities {
-                set $upstream_collabora collabora;
-                proxy_pass http://$upstream_collabora:9980;
-                proxy_set_header Host $http_host;
+                proxy_pass http://collabora:9980;
+                proxy_set_header Host $host;
                 proxy_set_header Referer "http://nginx";
             }
 
             # main websocket
             location ~ ^/lool/(.*)/ws$ {
-                set $upstream_collabora collabora;
-                proxy_pass http://$upstream_collabora:9980;
+                proxy_pass http://collabora:9980;
+                proxy_set_header Host $host;
                 proxy_set_header Upgrade $http_upgrade;
                 proxy_set_header Connection "Upgrade";
-                proxy_set_header Host $http_host;
                 proxy_set_header Referer "http://nginx";
                 proxy_read_timeout 36000s;
             }
 
             # download, presentation and image upload
             location ~ ^/lool {
-                set $upstream_collabora collabora;
-                proxy_pass http://$upstream_collabora:9980;
-                proxy_set_header Host $http_host;
+                proxy_pass http://collabora:9980;
+                proxy_set_header Host $host;
                 proxy_set_header Referer "http://nginx";
             }
 
             # Admin Console websocket
             location ^~ /lool/adminws {
-                set $upstream_collabora collabora;
-                proxy_pass http://$upstream_collabora:9980;
+                proxy_pass http://collabora:9980;
+                proxy_set_header Host $host;
                 proxy_set_header Upgrade $http_upgrade;
                 proxy_set_header Connection "Upgrade";
-                proxy_set_header Host $http_host;
                 proxy_set_header Referer "http://nginx";
                 proxy_read_timeout 36000s;
             }
@@ -136,8 +114,8 @@ data:
         server {
             listen    0.0.0.0:80;
             listen    [::]:80;
-            server_name localhost;
-            return 307 https://$host:443$request_uri;
+            server_name nginx;
+            return 307 https://$host:{{ .Values.nodePort }}}$request_uri;
         }
 
     }
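Review bot: The redirect in the last hunk has a stray brace: `{{ .Values.nodePort }}}` closes the template action at the first `}}` and leaves the third `}` as literal text, so the rendered directive is `return 307 https://$host:<nodePort>}$request_uri;` and every plain-HTTP request is redirected to a URL with a `}` after the port. It should read `return 307 https://$host:{{ .Values.nodePort }}$request_uri;`. Separately, the hunk at `@@ -68,10 +55,6 @@` drops `add_header X-Content-Type-Options nosniff;` without a replacement; unless that header is set elsewhere, keeping it costs nothing, and the Strict-Transport-Security header just above it was kept.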

+ 13 - 3
test/collabora/1.0.0/templates/nginx-deployment.yaml

@@ -13,6 +13,13 @@ spec: {{ include "common.deployment.common_spec" $values | nindent 2 }}
             mountPath: /etc/nginx/nginx.conf
             readOnly: true
             subPath: config
+          - name: certs
+            mountPath: /etc/nginx/server.crt
+            subPath: certPublicKey
+          - name: certs
+            mountPath: /etc/nginx/server.key
+            subPath: certPrivateKey
+
         ports:
         - name: http
           containerPort: 80
@@ -22,6 +29,9 @@ spec: {{ include "common.deployment.common_spec" $values | nindent 2 }}
           protocol: TCP
       volumes:
         - name: configuration
-        configMap:
-          defaultMode: 0700
-          name: "nginx-config"
+          configMap:
+            defaultMode: 0700
+            name: "nginx-config"
+        - name: certs
+          secret:
+            secretName: {{ include "secretName" . }}
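Review bot: The `certs` secret volume is added without `defaultMode`, and neither cert mount carries `readOnly: true` while the `configuration` mount above does, so the private key at `/etc/nginx/server.key` is exposed at the Secret volume's default mode to every user in the container. Add `readOnly: true` to both `certs` mounts and `defaultMode: 0400` under `secret:` (widen to the nginx user if the master process does not read the key as root — the nginx-conf.yaml hunk removes the `user` directive, so the effective user is now image-defined). Also, `subPath` mounts are not refreshed when the Secret changes, so a rotated certificate only takes effect once the pod is recreated; the `rollme` annotation at the top of nginx-conf.yaml sits on the ConfigMap, not on this pod template, so it presumably does not trigger that.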

+ 3 - 2
test/collabora/1.0.0/templates/nginx-service.yaml

@@ -1,6 +1,7 @@
 {{ $port := .Values.nodePort }}
 {{ $ports := list }}
-{{ $ports = mustAppend $ports (dict "name" "https" "port" $port "nodePort" $port "targetPort" "collabora") }}
+{{ $ports = mustAppend $ports (dict "name" "https" "port" $port "nodePort" $port "targetPort" "https") }}
 {{ $params := (. | mustDeepCopy) }}
-{{ $_ := set $params "common" (dict "nameSuffix" "nginx") "commonService" (dict "ports" $ports "type" "NodePort" ) }}
+{{ $_ := set $params "common" (dict "nameSuffix" "nginx") }}
+{{ $_2 := set $params "commonService" (dict "ports" $ports "type" "NodePort" ) }}
 {{ include "common.classes.service" $params }}
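Review bot: `"targetPort" "https"` now resolves by container port name, but the only named port visible in the nginx-deployment.yaml hunk is `http` (that hunk is cut before any second port entry); if the nginx container does not also declare a port named `https`, the Service ends up with no matching endpoint port. Worth confirming against the full deployment, or using the numeric `443` that the nginx config listens on.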

+ 6 - 0
test/collabora/1.0.0/templates/secrets.yaml

@@ -7,3 +7,9 @@ type: Opaque
 data:
   username: {{ .Values.config.username | b64enc | quote }}
   password: {{ .Values.config.password | b64enc | quote }}
+  {{ if eq (include "certAvailable" .) "true" }}
+  certPublicKey: {{ (include "cert.publicKey" .) | toString | b64enc | quote }}
+  certPrivateKey: {{ (include "cert.privateKey" .) | toString | b64enc | quote }}
+  {{ else }}
+    {{ fail "No certificate configured for Collabora" }}
+  {{ end }}
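Review bot: `toString` on the two include results is redundant — `include` already yields a string — and the untrimmed `{{ if }}`/`{{ else }}`/`{{ end }}` lines each leave an indented blank line inside `data:`; left-trimming them (`{{- if eq (include "certAvailable" .) "true" }}`, `{{- else }}`, `{{- end }}`) keeps the rendered manifest clean without joining the key lines onto the `password` line. The `fail` message could also tell the operator what to change, e.g. `fail "No certificate configured for Collabora: set the 'certificate' option"`.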

+ 1 - 1
test/collabora/1.0.0/templates/service.yaml

@@ -1,6 +1,6 @@
 {{ $port := .Values.nodePort }}
 {{ $ports := list }}
-{{ $ports = mustAppend $ports (dict "name" "collabora" "port" $port "nodePort" $port "targetPort" "collabora") }}
+{{ $ports = mustAppend $ports (dict "name" "collabora" "port" 9980 "targetPort" "collabora") }}
 {{ $params := . }}
 {{ $_ := set $params "commonService" (dict "ports" $ports "type" "ClusterIP" ) }}
 {{ include "common.classes.service" $params }}
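Review bot: `$port` on the first line is now dead — the rewritten `mustAppend` hardcodes `9980` and no longer reads it — so `{{ $port := .Values.nodePort }}` should be removed (Go templates do not flag unused variables, so this will not be caught at render time). Separately, `{{ $params := . }}` followed by `set $params` mutates the root context in place, unlike nginx-service.yaml in this commit which takes `mustDeepCopy` first; the `commonService` key set here could then be visible to templates rendered afterwards, so `{{ $params := (. | mustDeepCopy) }}` is the safer form.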