
collabora - migrate library (#2084)

* initial commit

* common files

* templates

* typo

* add migration

* todo

* envs

* fixeas

* cool user

* typo

* reduce logging

* setpcap

* uniq mount points

* fix path

* caps for nginx

* nginx caps

* nginx

* add metadata

* add ui

* bump version

* portal

* test values

* add migration

* fix checks

* wait for collab

* fix migration

* version bump

* add default dictionaries

* custom params
Stavros Kois 1 jaar geleden
bovenliggende
commit
795dbd0234
27 gewijzigde bestanden met toevoegingen van 843 en 697 verwijderingen
  1. 4 4
      library/ix-dev/charts/collabora/Chart.lock
  2. 7 8
      library/ix-dev/charts/collabora/Chart.yaml
  3. 2 7
      library/ix-dev/charts/collabora/README.md
  4. 2 8
      library/ix-dev/charts/collabora/app-readme.md
  5. BIN
      library/ix-dev/charts/collabora/charts/common-1.2.9.tgz
  6. BIN
      library/ix-dev/charts/collabora/charts/common-2304.0.1.tgz
  7. 16 0
      library/ix-dev/charts/collabora/ci/basic-values.yaml
  8. 0 29
      library/ix-dev/charts/collabora/ci/http-values.yaml
  9. 12 146
      library/ix-dev/charts/collabora/ci/https-values.yaml
  10. 8 20
      library/ix-dev/charts/collabora/metadata.yaml
  11. 71 0
      library/ix-dev/charts/collabora/migrations/migrate
  12. 312 130
      library/ix-dev/charts/collabora/questions.yaml
  13. 1 0
      library/ix-dev/charts/collabora/templates/NOTES.txt
  14. 65 0
      library/ix-dev/charts/collabora/templates/_collabora.tpl
  15. 104 0
      library/ix-dev/charts/collabora/templates/_configuration.tpl
  16. 0 40
      library/ix-dev/charts/collabora/templates/_helpers.tpl
  17. 35 0
      library/ix-dev/charts/collabora/templates/_migration.tpl
  18. 56 0
      library/ix-dev/charts/collabora/templates/_nginx.tpl
  19. 50 0
      library/ix-dev/charts/collabora/templates/_persistance.tpl
  20. 17 0
      library/ix-dev/charts/collabora/templates/_portal.tpl
  21. 35 0
      library/ix-dev/charts/collabora/templates/_service.tpl
  22. 17 0
      library/ix-dev/charts/collabora/templates/common.yaml
  23. 0 144
      library/ix-dev/charts/collabora/templates/deployment.yaml
  24. 0 124
      library/ix-dev/charts/collabora/templates/nginx-conf.yaml
  25. 0 21
      library/ix-dev/charts/collabora/templates/secrets.yaml
  26. 0 10
      library/ix-dev/charts/collabora/templates/service.yaml
  27. 29 6
      library/ix-dev/charts/collabora/values.yaml

+ 4 - 4
library/ix-dev/charts/collabora/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: common
-  repository: file://../../../common/2304.0.1
-  version: 2304.0.1
-digest: sha256:1ed155c6760e1166e2cb75b52bc5e81c6bdf0252c16ff5ede001157077c41670
-generated: "2023-04-24T13:38:56.059842894+03:00"
+  repository: file://../../../common
+  version: 1.2.9
+digest: sha256:af1a9a1f87e3e48453c9f25f909f5ebcd7fa6e25162b7b425448ba752bcdbc5c
+generated: "2024-01-26T16:50:11.787195004+02:00"

+ 7 - 8
library/ix-dev/charts/collabora/Chart.yaml

@@ -1,11 +1,9 @@
 name: collabora
-description: |
-  Collabora Online Development Edition \u2013 an awesome, Online Office
-  suite image suitable for home use.
+description: Collabora is a collaborative online office suite based on LibreOffice technology
 annotations:
   title: Collabora
 type: application
-version: 1.2.30
+version: 2.0.0
 apiVersion: v2
 appVersion: 23.05.8.2.1
 kubeVersion: '>=1.16.0-0'
@@ -15,12 +13,13 @@ maintainers:
     email: dev@ixsystems.com
 dependencies:
   - name: common
-    repository: file://../../../common/2304.0.1
-    version: 2304.0.1
-home: https://github.com/CollaboraOnline/online
+    repository: file://../../../common
+    version: 1.2.9
+home: https://www.collaboraoffice.com/
 icon: https://media.sys.truenas.net/apps/collabora/icons/icon.png
 sources:
-  - https://github.com/CollaboraOnline/online.git
+  - https://www.collaboraoffice.com/
+  - https://github.com/CollaboraOnline/online
   - https://hub.docker.com/r/collabora/code
 keywords:
   - office

+ 2 - 7
library/ix-dev/charts/collabora/README.md

@@ -1,8 +1,3 @@
-Collabora Online Development Edition
-=====
+# Collabora
 
-Collabora Online Development Edition - An awesome, Online Office suite image suitable for home use!
-Introduction
-------------
-
-This chart bootstraps Collabora deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+[Collabora](https://www.collaboraoffice.com/) is a collaborative online office suite based on LibreOffice technology

+ 2 - 8
library/ix-dev/charts/collabora/app-readme.md

@@ -1,9 +1,3 @@
-Collabora Online Development Edition
-=====
+# Collabora
 
-An awesome, Online Office suite image suitable for home use.
-With the Collabora Online Development Edition (CODE) Docker Image you can host
-your own online Office Suite at home! This Docker image is aimed at home users
-and contains the latest and greatest developments. Simply integrate it in your
-preferred File Sync and Share (FSS), to easily get your own online Office 
-Suite up and running!
+[Collabora](https://www.collaboraoffice.com/) is a collaborative online office suite based on LibreOffice technology

BIN
library/ix-dev/charts/collabora/charts/common-1.2.9.tgz


BIN
library/ix-dev/charts/collabora/charts/common-2304.0.1.tgz


+ 16 - 0
library/ix-dev/charts/collabora/ci/basic-values.yaml

@@ -0,0 +1,16 @@
+collaboraConfig:
+  username: 'my-username'
+  password: 'my-password'
+  dictionaries:
+    - en_GB
+    - en_US
+  aliasGroup1:
+    - nc.example.com
+    - other-nc.example.com
+  serverName: collabora.example.com:9980
+  extraParams:
+    - --o:welcome.enable=false
+    - --o:user_interface.mode=notebookbar
+    - --o:ssl.termination=true
+    - --o:ssl.enable=false
+    - --o:net.proto=IPv4
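Review bot: The fixture value `password: 'my-password'` contains `-`, which is outside the `valid_chars` class `[a-zA-Z0-9!@#%^&*?]{8,}` that questions.yaml attaches to collaboraConfig.password, so if that pattern is enforced as a full match the CI run exercises a password the form would presumably reject; ci/https-values.yaml uses the same value. A fixture that satisfies the same rule keeps CI representative of what can actually be submitted, e.g. `password: 'my-Password1!'`. Separately, `serverName: collabora.example.com:9980` hard-codes the port while collaboraNetwork.webPort is left at its default here, so the two agree only as long as that default stays 9980; a comment such as `# port must match collaboraNetwork.webPort (default 9980)` above the line would record the coupling.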

+ 0 - 29
library/ix-dev/charts/collabora/ci/http-values.yaml

@@ -1,29 +0,0 @@
-nodePort: 31980
-config:
-  DONT_GEN_SSL_CERT: 'true'
-  dictionaries: de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru
-  enableWebUI: false
-  aliasgroup1:
-    - nextcloud.domain.tld
-    - othernextcloud.domain.tld
-  extra_params: --o:welcome.enable=false --o:user_interface.mode=notebookbar --o:ssl.termination=true
-    --o:ssl.enable=false --o:net.proto=IPv4 --o:net.post_allow.host[0]=.+ --o:storage.wopi.host[0]=.+
-  password: changeme
-  server_name: ssh.sonicaj.com:49980
-  timezone: Asia/Karachi
-  username: admin
-ixChartContext:
-  isInstall: false
-  isUpdate: true
-  isUpgrade: false
-  operation: UPDATE
-  storageClassName: ix-storage-class-col
-  upgradeMetadata: {}
-ixExternalInterfacesConfiguration: []
-ixExternalInterfacesConfigurationNames: []
-ixVolumes: []
-environmentVariables: []
-extraAppVolumeMounts: []
-ixCertificateAuthorities: {}
-ixCertificates: {}
-certificate:

+ 12 - 146
library/ix-dev/charts/collabora/ci/https-values.yaml

@@ -1,45 +1,16 @@
-certificate: 55
-nodePort: 31980
-config:
-  DONT_GEN_SSL_CERT: 'true'
-  dictionaries: de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru
-  enableWebUI: true
-  aliasgroup1:
-    - nextcloud.domain.tld
-    - othernextcloud.domain.tld
-  extra_params: --o:welcome.enable=false --o:user_interface.mode=notebookbar --o:ssl.termination=true
-    --o:ssl.enable=false --o:net.proto=IPv4 --o:net.post_allow.host[0]=.+ --o:storage.wopi.host[0]=.+
-  password: changeme
-  server_name: ssh.sonicaj.com
-  timezone: Asia/Karachi
-  username: admin
-ixChartContext:
-  isInstall: false
-  isUpdate: true
-  isUpgrade: false
-  operation: UPDATE
-  storageClassName: ix-storage-class-col
-  upgradeMetadata: {}
-ixExternalInterfacesConfiguration: []
-ixExternalInterfacesConfigurationNames: []
-ixVolumes: []
-environmentVariables: []
-extraAppVolumeMounts: []
-ixCertificateAuthorities: {}
+collaboraConfig:
+  username: 'my-username'
+  password: 'my-password'
+  aliasGroup1:
+    - nc.example.com
+    - other-nc.example.com
+  serverName: collabora.example.com
+
+collaboraNetwork:
+  certificateID: 1
+
 ixCertificates:
-  '55':
-    CA_type_existing: false
-    CA_type_intermediate: false
-    CA_type_internal: false
-    CSR: null
-    DN: /CN=ad/C=US/ST=asdf/L=asdf/O=adsf/OU=asdf/emailAddress=a@a.com/subjectAltName=IP
-      Address:192.168.0.3, IP Address:192.168.0.5, IP Address:192.168.0.182, IP Address:192.168.0.129,
-      IP Address:192.168.0.146
-    can_be_revoked: false
-    cert_type: CERTIFICATE
-    cert_type_CSR: false
-    cert_type_existing: true
-    cert_type_internal: false
+  "1":
     certificate: |
       -----BEGIN CERTIFICATE-----
       MIIEdjCCA16gAwIBAgIDYFMYMA0GCSqGSIb3DQEBCwUAMGwxDDAKBgNVBAMMA2Fz
@@ -67,7 +38,6 @@ ixCertificates:
       x5TKv3wcPnktx0zMPfLb5BTSE9rc9djcBG0eIAsPT4FgiatCUChe7VhuMnqskxEz
       MymJLoq8+mzucRwFkOkR2EIt1x+Irl2mJVMeBow63rVZfUQBD8h++LqB
       -----END CERTIFICATE-----
-
       -----BEGIN CERTIFICATE-----
       MIIEhDCCA2ygAwIBAgIDYFMXMA0GCSqGSIb3DQEBCwUAMGwxDDAKBgNVBAMMA2Fz
       ZDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBGFzZGYxCzAJBgNVBAcMAmFmMQ0wCwYD
@@ -95,94 +65,6 @@ ixCertificates:
       +Fq0uqcZLu4Mdo0CPs4e5sHRyldEnRSKh0DVLprq9zr/GMipmPLJUsT5Jed3sj0w
       M7Y3vwxshpo=
       -----END CERTIFICATE-----
-    certificate_path: /etc/certificates/slog3.crt
-    chain: true
-    chain_list:
-    - |
-      -----BEGIN CERTIFICATE-----
-      MIIEdjCCA16gAwIBAgIDYFMYMA0GCSqGSIb3DQEBCwUAMGwxDDAKBgNVBAMMA2Fz
-      ZDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBGFzZGYxCzAJBgNVBAcMAmFmMQ0wCwYD
-      VQQKDARhc2RmMQwwCgYDVQQLDANhc2QxFjAUBgkqhkiG9w0BCQEWB2FAYS5jb20w
-      HhcNMjEwODMwMjMyMzU0WhcNMjMxMjAzMjMyMzU0WjBuMQswCQYDVQQDDAJhZDEL
-      MAkGA1UEBhMCVVMxDTALBgNVBAgMBGFzZGYxDTALBgNVBAcMBGFzZGYxDTALBgNV
-      BAoMBGFkc2YxDTALBgNVBAsMBGFzZGYxFjAUBgkqhkiG9w0BCQEWB2FAYS5jb20w
-      ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7+1xOHRQyOnQTHFcrdasX
-      Zl0gzutVlA890a1wiQpdD5dOtCLo7+eqVYjqVKo9W8RUIArXWmBu/AbkH7oVFWC1
-      P973W1+ArF5sA70f7BZgqRKJTIisuIFIlRETgfnP2pfQmHRZtGaIJRZI4vQCdYgW
-      2g0KOvvNcZJCVq1OrhKiNiY1bWCp66DGg0ic6OEkZFHTm745zUNQaf2dNgsxKU0H
-      PGjVLJI//yrRFAOSBUqgD4c50krnMF7fU/Fqh+UyOu8t6Y/HsySh3urB+Zie331t
-      AzV6QV39KKxRflNx/yuWrtIEslGTm+xHKoCYJEk/nZ3mX8Y5hG6wWAb7A/FuDVg3
-      AgMBAAGjggEdMIIBGTAnBgNVHREEIDAehwTAqAADhwTAqAAFhwTAqAC2hwTAqACB
-      hwTAqACSMB0GA1UdDgQWBBQ4G2ff4tgZl4vmo4xCfqmJhdqShzAMBgNVHRMBAf8E
-      AjAAMIGYBgNVHSMEgZAwgY2AFLlYf9L99nxJDcpCM/LT3V5hQ/a3oXCkbjBsMQww
-      CgYDVQQDDANhc2QxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARhc2RmMQswCQYDVQQH
-      DAJhZjENMAsGA1UECgwEYXNkZjEMMAoGA1UECwwDYXNkMRYwFAYJKoZIhvcNAQkB
-      FgdhQGEuY29tggNgUxcwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwEwDgYDVR0PAQH/
-      BAQDAgWgMA0GCSqGSIb3DQEBCwUAA4IBAQA6FpOInEHB5iVk3FP67GybJ29vHZTD
-      KQHbQgmg8s4L7qIsA1HQ+DMCbdylpA11x+t/eL/n48BvGw2FNXpN6uykhLHJjbKR
-      h8yITa2KeD3LjLYhScwIigXmTVYSP3km6s8jRL6UKT9zttnIHyXVpBDya6Q4WTMx
-      fmfC6O7t1PjQ5ZyVtzizIUP8ah9n4TKdXU4A3QIM6WsJXpHb+vqp1WDWJ7mKFtgj
-      x5TKv3wcPnktx0zMPfLb5BTSE9rc9djcBG0eIAsPT4FgiatCUChe7VhuMnqskxEz
-      MymJLoq8+mzucRwFkOkR2EIt1x+Irl2mJVMeBow63rVZfUQBD8h++LqB
-      -----END CERTIFICATE-----
-    - |
-      -----BEGIN CERTIFICATE-----
-      MIIEhDCCA2ygAwIBAgIDYFMXMA0GCSqGSIb3DQEBCwUAMGwxDDAKBgNVBAMMA2Fz
-      ZDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBGFzZGYxCzAJBgNVBAcMAmFmMQ0wCwYD
-      VQQKDARhc2RmMQwwCgYDVQQLDANhc2QxFjAUBgkqhkiG9w0BCQEWB2FAYS5jb20w
-      HhcNMjEwODMwMjMyMDQ1WhcNMzEwODI4MjMyMDQ1WjBsMQwwCgYDVQQDDANhc2Qx
-      CzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARhc2RmMQswCQYDVQQHDAJhZjENMAsGA1UE
-      CgwEYXNkZjEMMAoGA1UECwwDYXNkMRYwFAYJKoZIhvcNAQkBFgdhQGEuY29tMIIB
-      IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq//c0hEEr83CS1pMgsHX50jt
-      2MqIbcf63UUNJTiYpUUvUQSFJFc7m/dr+RTZvu97eDCnD5K2qkHHvTPaPZwY+Djf
-      iy7N641Sz6u/y3Yo3xxs1Aermsfedh48vusJpjbkT2XS44VjbkrpKcWDNVpp3Evd
-      M7oJotXeUsZ+imiyVCfr4YhoY5gbGh/r+KN9Wf9YKoUyfLLZGwdZkhtX2zIbidsL
-      Thqi9YTaUHttGinjiBBum234u/CfvKXsfG3yP2gvBGnlvZnM9ktv+lVffYNqlf7H
-      VmB1bKKk84HtzuW5X76SGAgOG8eHX4x5ZLI1WQUuoQOVRl1I0UCjBtbz8XhwvQID
-      AQABo4IBLTCCASkwLQYDVR0RBCYwJIcEwKgABYcEwKgAA4cEwKgAkocEwKgAtYcE
-      wKgAgYcEwKgAtjAdBgNVHQ4EFgQUuVh/0v32fEkNykIz8tPdXmFD9rcwDwYDVR0T
-      AQH/BAUwAwEB/zCBmAYDVR0jBIGQMIGNgBS5WH/S/fZ8SQ3KQjPy091eYUP2t6Fw
-      pG4wbDEMMAoGA1UEAwwDYXNkMQswCQYDVQQGEwJVUzENMAsGA1UECAwEYXNkZjEL
-      MAkGA1UEBwwCYWYxDTALBgNVBAoMBGFzZGYxDDAKBgNVBAsMA2FzZDEWMBQGCSqG
-      SIb3DQEJARYHYUBhLmNvbYIDYFMXMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
-      BQcDAjAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAKEocOmVuWlr
-      zegtKYMe8NhHIkFY9oVn5ym6RHNOJpPH4QF8XYC3Z5+iC5yGh4P/jVe/4I4SF6Ql
-      PtofU0jNq5vzapt/y+m008eXqPQFmoUOvu+JavoRVcRx2LIP5AgBA1mF56CSREsX
-      TkuJAA9IUQ8EjnmAoAeKINuPaKxGDuU8BGCMqr/qd564MKNf9XYL+Fb2rlkA0O2d
-      2No34DQLgqSmST/LAvPM7Cbp6knYgnKmGr1nETCXasg1cueHLnWWTvps2HiPp2D/
-      +Fq0uqcZLu4Mdo0CPs4e5sHRyldEnRSKh0DVLprq9zr/GMipmPLJUsT5Jed3sj0w
-      M7Y3vwxshpo=
-      -----END CERTIFICATE-----'
-    city: asdf
-    common: ad
-    country: US
-    csr_path: /etc/certificates/slog3.csr
-    digest_algorithm: SHA256
-    email: a@a.com
-    extensions:
-      AuthorityKeyIdentifier: |
-        keyid:B9:58:7F:D2:FD:F6:7C:49:0D:CA:42:33:F2:D3:DD:5E:61:43:F6:B7
-        DirName:/CN=asd/C=US/ST=asdf/L=af/O=asdf/OU=asd/emailAddress=a@a.com
-        serial:60:53:17
-      BasicConstraints: CA:FALSE
-      ExtendedKeyUsage: TLS Web Server Authentication
-      KeyUsage: Digital Signature, Key Encipherment
-      SubjectAltName: |
-        IP Address:192.168.0.3, IP Address:192.168.0.5, IP Address:192.168.0.182,
-        IP Address:192.168.0.129, IP Address:192.168.0.146
-      SubjectKeyIdentifier: 38:1B:67:DF:E2:D8:19:97:8B:E6:A3:8C:42:7E:A9:89:85:DA:92:87
-    fingerprint: 59:7A:49:6D:04:CE:70:E5:AF:9A:FB:75:3C:26:58:7D:B7:8E:A6:9D
-    from: Tue Aug 31 04:23:54 2021
-    id: 55
-    internal: 'NO'
-    issuer: external
-    key_length: 2048
-    key_type: RSA
-    lifetime: 825
-    name: slog3
-    organization: adsf
-    organizational_unit: asdf
-    parsed: true
     privatekey: |
       -----BEGIN PRIVATE KEY-----
       MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7+1xOHRQyOnQT
@@ -212,19 +94,3 @@ ixCertificates:
       qQ+66XnfsA9G/bu4MDS9AX83iahD9IdLXQAy8I19prAbpVumKegPbMnNYNB/TYEc
       3G15AKCXo7jjOUtHY01DCQ==
       -----END PRIVATE KEY-----
-    privatekey_path: /etc/certificates/slog3.key
-    revoked: false
-    revoked_date: null
-    root_path: /etc/certificates
-    san:
-    - IP Address:192.168.0.3
-    - IP Address:192.168.0.5
-    - IP Address:192.168.0.182
-    - IP Address:192.168.0.129
-    - IP Address:192.168.0.146
-    serial: 6312728
-    signedby: null
-    state: asdf
-    subject_name_hash: 1673640987
-    type: 8
-    until: Mon Dec  4 04:23:54 2023

+ 8 - 20
library/ix-dev/charts/collabora/metadata.yaml

@@ -1,8 +1,8 @@
 runAsContext:
   - userName: cool
     groupName: cool
-    gid: 104
-    uid: 106
+    uid: 100
+    gid: 101
     description: Collabora runs as non-root user.
   - userName: root
     groupName: root
@@ -12,28 +12,16 @@ runAsContext:
 capabilities:
   - name: CHOWN
     description: Collabora and Nginx are able to chown files.
+  - name: SETPCAP
+    description: Collabora is able to set process capabilities.
   - name: FOWNER
-    description: Collabora and Nginx are able to bypass permission checks for it's sub-processes.
+    description: Collabora is able to bypass permission checks for it's sub-processes.
   - name: SYS_CHROOT
-    description: Collabora and Nginx are able to use chroot.
-  - name: MKNOD
-    description: Collabora and Nginx are able to create device nodes.
-  - name: DAC_OVERRIDE
-    description: Nginx is able to bypass permission checks.
+    description: Collabora is able to use chroot.
   - name: SETGID
     description: Nginx is able to set group ID for it's sub-processes.
   - name: SETUID
     description: Nginx is able to set user ID for it's sub-processes.
-  - name: FSETID
-    description: Nginx is able to set file capabilities.
-  - name: KILL
-    description: Nginx is able to kill processes.
-  - name: SETPCAP
-    description: Nginx is able to set process capabilities.
-  - name: NET_BIND_SERVICE
-    description: Nginx is able to bind to privileged ports.
-  - name: NET_RAW
-    description: Nginx is able to use raw sockets.
-  - name: AUDIT_WRITE
-    description: Nginx is able to write to audit log.
+  - name: MKNOD
+    description: Collabora is able to create device nodes.
 hostMounts: []
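Review bot: The new SETPCAP entry for the Collabora context is described only as "able to set process capabilities", which tells a reviewer what the capability is, not why a non-root office service needs it; since this file is what users read to judge the grant, the description should name the reason (for example `description: Collabora needs SETPCAP to <reason — confirm against the image entrypoint> before dropping privileges.`). The changed FOWNER line, like the unchanged SETGID/SETUID lines, should read `its sub-processes`, not `it's`. This file documents the intended security context only, so the retained list (CHOWN, SETPCAP, FOWNER, SYS_CHROOT, SETGID, SETUID, MKNOD) should be checked against the capabilities actually added in templates/_collabora.tpl and templates/_nginx.tpl, which are not in this view.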

+ 71 - 0
library/ix-dev/charts/collabora/migrations/migrate

@@ -0,0 +1,71 @@
+#!/usr/bin/python3
+import json
+import os
+import sys
+
+def migrate_common_lib(values):
+    delete_keys = [
+        'nodePort', 'certificate', 'enableResourceLimits', 'cpuLimit', 'memLimit',
+        'environmentVariables', 'extraAppVolumeMounts', 'config', 'updateStrategy',
+        'nginx',
+    ]
+
+    values.update({
+        # Migrate Network
+        'collaboraNetwork': {
+            'webPort': values['nodePort'],
+            'certificateID': values['certificate'],
+        },
+        # Migrate Resources
+        'resources': {
+            'limits': {
+                'cpu': values.get('cpuLimit', '4000m'),
+                'memory': values.get('memLimit', '8Gi'),
+            }
+        },
+        'TZ': values['config']['timezone'],
+        # Migrate Config
+        'collaboraConfig': {
+            'enableWebUI': values['config']['enableWebUI'],
+            'username': values['config']['username'],
+            'password': values['config']['password'],
+            'serverName': values['config']['server_name'],
+            'dictionaries': [d for d in values['config']['dictionaries'].split(' ') if d],
+            'extraParams': [p for p in values['config']['extra_params'].split(' ') if p],
+            'aliasGroup1': values['config']['aliasgroup1'],
+            'additionalEnvs': values.get('environmentVariables', []),
+        },
+        # Migrate Storage
+        'collaboraStorage': {
+            'additionalStorages': [
+                {
+                    'type': 'hostPath',
+                    'hostPathConfig': {'hostPath': e['hostPath']},
+                    'mountPath': e['mountPath'],
+                    'readOnly': e.get('readOnly', False),
+                }
+                for e in values.get('extraAppVolumeMounts', [])
+            ],
+        },
+    })
+
+    for k in delete_keys:
+        values.pop(k, None)
+
+    return values
+
+def migrate(values):
+    # If this missing, we have already migrated
+    if not 'nodePort' in values.keys():
+        return values
+
+    return migrate_common_lib(values)
+
+
+if __name__ == '__main__':
+    if len(sys.argv) != 2:
+        exit(1)
+
+    if os.path.exists(sys.argv[1]):
+        with open(sys.argv[1], 'r') as f:
+            print(json.dumps(migrate(json.loads(f.read()))))
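Review bot: migrate_common_lib indexes `values['config']['timezone']`, `['enableWebUI']`, `['server_name']`, `['dictionaries']`, `['extra_params']` and `['aliasgroup1']` directly, so any key the old questions left unset (the removed timezone question had no default) raises KeyError and the upgrade aborts with a traceback instead of producing a migrated config; reading them with `.get` and the new defaults, e.g. `'TZ': values['config'].get('timezone', 'Etc/UTC'),`, keeps the migration total over old values files. In the `__main__` block `exit(1)` is the interactive site helper and should be `sys.exit(1)`; a missing input path currently prints nothing and exits 0, which the caller will read as a successful empty migration, so that branch should also exit non-zero. Style: `if not 'nodePort' in values.keys():` reads better as `if 'nodePort' not in values:`, and the comment above it is missing a word ("If this is missing, we have already migrated").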

+ 312 - 130
library/ix-dev/charts/collabora/questions.yaml

@@ -1,41 +1,44 @@
 groups:
-  - name: "Collabora Configuration"
-    description: "Configure Collabora"
-  - name: "Collabora Environment Variables"
-    description: "Set the environment that will be visible to the container"
-  - name: "Networking"
-    description: "Configure Networking for Collabora"
-  - name: "Storage"
-    description: "Configure Storage for Collabora"
-  - name: "Resource Limits"
-    description: "Set CPU/memory limits for Kubernetes Pod"
+  - name: Collabora Configuration
+    description: Configure Collabora
+  - name: User and Group Configuration
+    description: Configure User and Group for Collabora
+  - name: Network Configuration
+    description: Configure Network for Collabora
+  - name: Storage Configuration
+    description: Configure Storage for Collabora
+  - name: Resources Configuration
+    description: Configure Resources for Collabora
 
 portals:
   web_portal:
     protocols:
-      - "https"
+      - "$kubernetes-resource_configmap_portal_protocol"
     host:
-      - "$variable-config.server_name"
+      - "$kubernetes-resource_configmap_portal_host"
     ports:
-      - "$variable-nodePort"
-    path: "/browser/dist/admin/admin.html"
+      - "$kubernetes-resource_configmap_portal_port"
+    path: "$kubernetes-resource_configmap_portal_path"
 
 questions:
-  - variable: config
-    label: "Container Configuration"
-    group: "Collabora Configuration"
+  - variable: TZ
+    group: Collabora Configuration
+    label: Timezone
+    schema:
+      type: string
+      default: Etc/UTC
+      required: true
+      $ref:
+        - definitions/timezone
+
+  - variable: collaboraConfig
+    label: ""
+    group: Collabora Configuration
     schema:
       type: dict
       attrs:
-        - variable: timezone
-          label: "Timezone"
-          group: "Collabora Configuration"
-          schema:
-            type: string
-            $ref:
-              - "definitions/timezone"
         - variable: enableWebUI
-          label: "Enable WebUI"
+          label: Enable WebUI
           description: |
             Enable WebUI for Collabora
             If you enable this, you will need to set a username and password</br>
@@ -43,147 +46,326 @@ questions:
             type: boolean
             default: true
         - variable: username
-          label: "Username for WebUI"
+          label: Username for WebUI
           show_if: [[enableWebUI, "=", true]]
           schema:
             type: string
-            default: "admin"
+            default: ""
             required: true
         - variable: password
-          label: "Password for WebUI"
+          label: Password for WebUI
           schema:
             type: string
+            default: ""
             private: true
-            default: "changeme"
+            required: true
             show_if: [[enableWebUI, "=", true]]
             valid_chars: "[a-zA-Z0-9!@#%^&*?]{8,}"
             valid_chars_error: |
-              Password must be at least 8 characters long</br>
-              Can contain at numbers, letters, and the following characters: !@#%^&*?
-            required: true
-        - variable: aliasgroup1
-          label: "Alias Group 1"
+              Password must be at least 8 characters long and contain at least one of the following:</br>
+              - Uppercase letter</br>
+              - Lowercase letter</br>
+              - Number</br>
+              - Special character</br>
+        - variable: serverName
+          label: Server Name
+          description: The server name for Collabora.
+          schema:
+            type: string
+            default: ""
+            $ref:
+              - "definitions/nodeIP"
+        - variable: aliasGroup1
+          label: Alias Group 1
           description: |
             List of domains that will be allowed to access the Collabora server
             Type one domain per line
           schema:
             type: list
+            default: []
             items:
               - variable: alias
-                label: "Alias"
+                label: Alias
                 schema:
                   type: string
         - variable: dictionaries
-          label: "Dictionaries to use, leave empty to use all"
+          label: Dictionaries
+          description: Dictionaries to be used by Collabora.
           schema:
-            type: string
-            default: "de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru"
-        - variable: extra_params
-          label: "Extra Parameters to add"
-          description: 'e.g. "--o:welcome.enable=false", See more on /etc/loolwsd/loowsd.xml. Separate params with space'
+            type: list
+            default:
+              - de_DE
+              - en_GB
+              - en_US
+              - es_ES
+              - fr_FR
+              - it
+              - nl
+              - pt_BR
+              - pt_PT
+              - ru
+            items:
+              - variable: dictionary
+                label: Dictionary
+                schema:
+                  type: string
+                  default: ""
+                  required: true
+        - variable: extraParams
+          label: Extra Parameters
+          description: Extra parameters to be passed to Collabora.
           schema:
-            type: string
-            default: "--o:welcome.enable=false --o:user_interface.mode=notebookbar --o:ssl.termination=true --o:ssl.enable=false --o:net.proto=IPv4"
-        - variable: server_name
-          label: "Server Name"
-          description: |
-            When this environment variable is set (is not “”), then its value will be used as server name in /etc/loolwsd/loolwsd.xml.
-            Without this, CODE is not delivering a correct host for the websocket connection in case of a proxy in front of it.</br>
-            If a port is not specified, the below configured Node Port will be used.
+            type: list
+            default:
+              - --o:welcome.enable=false
+              - --o:user_interface.mode=notebookbar
+              - --o:ssl.termination=true
+              - --o:ssl.enable=false
+              - --o:net.proto=IPv4
+              - --o:logging.level=warning
+              - --o:logging.level_startup=warning
+              - --o:mount_jail_tree=false
+            items:
+              - variable: extraParam
+                label: Extra Parameter
+                schema:
+                  type: string
+                  default: ""
+                  required: true
+        - variable: additionalEnvs
+          label: Additional Environment Variables
+          description: Configure additional environment variables  forCollabora.
           schema:
-            type: string
-            $ref:
-              - "definitions/nodeIP"
+            type: list
+            default: []
+            items:
+              - variable: env
+                label: Environment Variable
+                schema:
+                  type: dict
+                  attrs:
+                    - variable: name
+                      label: Name
+                      schema:
+                        type: string
+                        required: true
+                    - variable: value
+                      label: Value
+                      schema:
+                        type: string
+                        required: true
 
-  - variable: certificate
-    description: |
-      Collabora Certificate</br>
-      If you do not choose a certificate and do not configure an external reverse proxy</br>
-      you might have to adjust the extra_params.
-    label: "Certificate"
-    group: "Collabora Configuration"
+  - variable: collaboraNetwork
+    label: ""
+    group: Network Configuration
     schema:
-      type: int
-      $ref:
-        - "definitions/certificate"
-      "null": true
+      type: dict
+      attrs:
+        - variable: webPort
+          label: Web Port
+          description: The port for the Collabora Web UI.
+          schema:
+            type: int
+            default: 9980
+            min: 9000
+            max: 65535
+            required: true
+        - variable: certificateID
+          label: Certificate
+          description: The certificate for Collabora.
+          schema:
+            type: int
+            "null": true
+            $ref:
+              - "definitions/certificate"
 
-  - variable: extraAppVolumeMounts
-    label: "Collabora Extra Host Path Volumes"
-    group: "Storage"
+  - variable: collaboraStorage
+    label: ""
+    group: Storage Configuration
     schema:
-      type: list
-      items:
-        - variable: extraAppVolume
-          label: "Collabora Host Path Volume"
-          description: "Add an extra host path volume for Collabora application"
+      type: dict
+      attrs:
+        - variable: additionalStorages
+          label: Additional Storage
+          description: Additional storage for Collabora.
           schema:
-            type: dict
-            attrs:
-              - variable: mountPath
-                label: "Mount Path in Pod"
-                description: "Path where the volume will be mounted inside the pod"
-                schema:
-                  type: path
-                  required: true
-              - variable: hostPath
-                label: "Host Path"
-                description: "Host path"
+            type: list
+            default: []
+            items:
+              - variable: storageEntry
+                label: Storage Entry
                 schema:
-                  type: hostpath
-                  required: true
+                  type: dict
+                  attrs:
+                    - variable: type
+                      label: Type
+                      description: |
+                        ixVolume: Is dataset created automatically by the system.</br>
+                        Host Path: Is a path that already exists on the system.</br>
+                        SMB Share: Is a SMB share that is mounted to a persistent volume claim.
+                      schema:
+                        type: string
+                        required: true
+                        default: "ixVolume"
+                        immutable: true
+                        enum:
+                          - value: "hostPath"
+                            description: Host Path (Path that already exists on the system)
+                          - value: "ixVolume"
+                            description: ixVolume (Dataset created automatically by the system)
+                          - value: "smb-pv-pvc"
+                            description: SMB Share (Mounts a persistent volume claim to a SMB share)
+                    - variable: readOnly
+                      label: Read Only
+                      description: Mount the volume as read only.
+                      schema:
+                        type: boolean
+                        default: false
+                    - variable: mountPath
+                      label: Mount Path
+                      description: The path inside the container to mount the storage.
+                      schema:
+                        type: path
+                        required: true
+                    - variable: hostPathConfig
+                      label: Host Path Configuration
+                      schema:
+                        type: dict
+                        show_if: [["type", "=", "hostPath"]]
+                        attrs:
+                          - variable: aclEnable
+                            label: Enable ACL
+                            description: Enable ACL for the dataset.
+                            schema:
+                              type: boolean
+                              default: false
+                          - variable: acl
+                            label: ACL Configuration
+                            schema:
+                              type: dict
+                              show_if: [["aclEnable", "=", true]]
+                              attrs: []
+                              $ref:
+                                - "normalize/acl"
+                          - variable: hostPath
+                            label: Host Path
+                            description: The host path to use for storage.
+                            schema:
+                              type: hostpath
+                              show_if: [["aclEnable", "=", false]]
+                              required: true
+                    - variable: ixVolumeConfig
+                      label: ixVolume Configuration
+                      description: The configuration for the ixVolume dataset.
+                      schema:
+                        type: dict
+                        show_if: [["type", "=", "ixVolume"]]
+                        $ref:
+                          - "normalize/ixVolume"
+                        attrs:
+                          - variable: aclEnable
+                            label: Enable ACL
+                            description: Enable ACL for the dataset.
+                            schema:
+                              type: boolean
+                              default: false
+                          - variable: datasetName
+                            label: Dataset Name
+                            description: The name of the dataset to use for storage.
+                            schema:
+                              type: string
+                              required: true
+                              immutable: true
+                              default: "storage_entry"
+                          - variable: aclEntries
+                            label: ACL Configuration
+                            schema:
+                              type: dict
+                              show_if: [["aclEnable", "=", true]]
+                              attrs: []
+                    - variable: smbConfig
+                      label: SMB Share Configuration
+                      description: The configuration for the SMB Share.
+                      schema:
+                        type: dict
+                        show_if: [["type", "=", "smb-pv-pvc"]]
+                        attrs:
+                          - variable: server
+                            label: Server
+                            description: The server for the SMB share.
+                            schema:
+                              type: string
+                              required: true
+                          - variable: share
+                            label: Share
+                            description: The share name for the SMB share.
+                            schema:
+                              type: string
+                              required: true
+                          - variable: domain
+                            label: Domain (Optional)
+                            description: The domain for the SMB share.
+                            schema:
+                              type: string
+                          - variable: username
+                            label: Username
+                            description: The username for the SMB share.
+                            schema:
+                              type: string
+                              required: true
+                          - variable: password
+                            label: Password
+                            description: The password for the SMB share.
+                            schema:
+                              type: string
+                              required: true
+                              private: true
+                          - variable: size
+                            label: Size (in Gi)
+                            description: The size of the volume quota.
+                            schema:
+                              type: int
+                              required: true
+                              min: 1
+                              default: 1
 
-  - variable: environmentVariables
-    label: "Environment Variables"
-    group: "Collabora Environment Variables"
+  - variable: resources
+    group: Resources Configuration
+    label: ""
     schema:
-      type: list
-      default: []
-      items:
-        - variable: environmentVariable
-          label: "Environment Variable"
+      type: dict
+      attrs:
+        - variable: limits
+          label: Limits
           schema:
             type: dict
             attrs:
-              - variable: name
-                label: "Name"
+              - variable: cpu
+                label: CPU
+                description: CPU limit for WG-Easy.
                 schema:
                   type: string
-              - variable: value
-                label: "Value"
+                  max_length: 6
+                  valid_chars: '^(0\.[1-9]|[1-9][0-9]*)(\.[0-9]|m?)$'
+                  valid_chars_error: |
+                    Valid CPU limit formats are</br>
+                    - Plain Integer - eg. 1</br>
+                    - Float - eg. 0.5</br>
+                    - Milicpu - eg. 500m
+                  default: "4000m"
+                  required: true
+              - variable: memory
+                label: Memory
+                description: Memory limit for WG-Easy.
                 schema:
                   type: string
-
-  - variable: nodePort
-    label: "Node Port to use for Collabora"
-    group: "Networking"
-    schema:
-      type: int
-      default: 9980
-      min: 9000
-      max: 65535
-
-  - variable: enableResourceLimits
-    label: "Enable Pod resource limits"
-    group: "Resource Limits"
-    schema:
-      type: boolean
-      default: false
-  - variable: cpuLimit
-    label: "CPU Limit"
-    description: "CPU resource limit allow  plain integer values with suffix m(milli) e.g 1000m, 100."
-    group: "Resource Limits"
-    schema:
-      type: string
-      show_if: [["enableResourceLimits", "=", true]]
-      valid_chars: "^\\d+(?:\\.\\d+(?!.*m$)|m?$)"
-      default: "4000m"
-  - variable: memLimit
-    label: "Memory Limit"
-    group: "Resource Limits"
-    description: "Memory limits is specified by number of bytes. Followed by quantity suffix like E,P,T,G,M,k and Ei,Pi,Ti,Mi,Gi,Ki can also be used. e.g 129e6, 129M,  128974848000m, 123Mi"
-    schema:
-      type: string
-      show_if: [["enableResourceLimits", "=", true]]
-      valid_chars: "^([+-]?[0-9.]+)([eEinumkKMGTP]*[-+]?[0-9]*)$"
-      default: "8Gi"
+                  max_length: 12
+                  valid_chars: '^[1-9][0-9]*([EPTGMK]i?|e[0-9]+)?$'
+                  valid_chars_error: |
+                    Valid Memory limit formats are</br>
+                    - Suffixed with E/P/T/G/M/K - eg. 1G</br>
+                    - Suffixed with Ei/Pi/Ti/Gi/Mi/Ki - eg. 1Gi</br>
+                    - Plain Integer in bytes - eg. 1024</br>
+                    - Exponent - eg. 134e6
+                  default: "8Gi"
+                  required: true

+ 1 - 0
library/ix-dev/charts/collabora/templates/NOTES.txt

@@ -0,0 +1 @@
+{{ include "ix.v1.common.lib.chart.notes" $ }}

+ 65 - 0
library/ix-dev/charts/collabora/templates/_collabora.tpl

@@ -0,0 +1,65 @@
+{{- define "collabora.workload" -}}
+workload:
+  collabora:
+    enabled: true
+    primary: true
+    type: Deployment
+    podSpec:
+      hostNetwork: false
+      containers:
+        collabora:
+          enabled: true
+          primary: true
+          imageSelector: image
+          securityContext:
+            runAsUser: 100
+            runAsGroup: 101
+            readOnlyRootFilesystem: false
+            privileged: false
+            allowPrivilegeEscalation: true
+            capabilities:
+              add:
+                - CHOWN
+                - SETPCAP
+                - FOWNER
+                - SYS_CHROOT
+                - MKNOD
+          env:
+            timezone: {{ .Values.TZ }}
+            aliasgroup1: {{ join "," .Values.collaboraConfig.aliasGroup1 }}
+            dictionaries: {{ join " " .Values.collaboraConfig.dictionaries }}
+            extra_params: {{ join " " .Values.collaboraConfig.extraParams }}
+            DONT_GEN_SSL_CERT: "true"
+            {{- if .Values.collaboraConfig.enableWebUI }}
+            username: {{ .Values.collaboraConfig.username }}
+            password: {{ .Values.collaboraConfig.password }}
+            {{- end }}
+            {{- if not (contains ":" .Values.collaboraConfig.serverName) }}
+            server_name: {{ printf "%s:%v" .Values.collaboraConfig.serverName .Values.collaboraNetwork.webPort }}
+            {{- else }}
+            server_name: {{ .Values.collaboraConfig.serverName }}
+            {{- end }}
+          {{ with .Values.collaboraConfig.additionalEnvs }}
+          envList:
+            {{ range $env := . }}
+            - name: {{ $env.name }}
+              value: {{ $env.value }}
+            {{ end }}
+          {{ end }}
+          probes:
+            liveness:
+              enabled: true
+              type: http
+              path: /
+              port: 9980
+            readiness:
+              enabled: true
+              type: http
+              path: /
+              port: 9980
+            startup:
+              enabled: true
+              type: http
+              path: /
+              port: 9980
+{{- end -}}
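Review bot: The `env:` values under `collabora.workload` (`timezone`, `aliasgroup1`, `dictionaries`, `extra_params`, `username`, `password`, `server_name`) are emitted as unquoted plain scalars and then re-parsed by `fromYaml` in common.yaml, so a user-supplied value takes whatever type YAML infers — a numeric password such as `123456` becomes an int, `NO` becomes a bool, and a value containing `: ` or ` #` breaks the document. Add `| quote` to each templated value, e.g. `timezone: {{ .Values.TZ | quote }}`, `username: {{ .Values.collaboraConfig.username | quote }}`, `password: {{ .Values.collaboraConfig.password | quote }}`, and the same for the three `join` results and both `server_name` branches. The removed deployment.yaml sourced `username`/`password` from a Secret, whereas here they are plain `env` entries; unless the common library moves `env` into a Secret, they now appear in the rendered pod spec, which deserves a comment on the block either way. A short comment on the `securityContext` explaining why `allowPrivilegeEscalation: true` together with CHOWN/SETPCAP/FOWNER/SYS_CHROOT/MKNOD is required (presumably for coolwsd's per-document chroot jails — confirm) would save the next reviewer the lookup.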

+ 104 - 0
library/ix-dev/charts/collabora/templates/_configuration.tpl

@@ -0,0 +1,104 @@
+{{- define "collabora.configuration" -}}
+  {{- $fullname := (include "ix.v1.common.lib.chart.names.fullname" $) }}
+  {{- $nginx := printf "https://%s-nginx:%v" $fullname .Values.collaboraNetwork.webPort -}}
+
+  {{- if .Values.collaboraNetwork.certificateID }}
+configmap:
+  nginx-conf:
+    enabled: true
+    data:
+      nginx.conf: |
+        events {
+            worker_connections  1024;
+        }
+        http {
+            include       mime.types;
+            default_type  application/octet-stream;
+            # Types to enable gzip compression on
+            gzip_types
+                text/plain
+                text/css
+                text/js
+                text/xml
+                text/javascript
+                application/javascript
+                application/x-javascript
+                application/json
+                application/xml
+                application/rss+xml
+                image/svg+xml;
+            sendfile        on;
+            client_max_body_size 1000m;
+            keepalive_timeout  65;
+            # Disable tokens for security (#23684)
+            server_tokens off;
+            gzip  on;
+            client_body_temp_path /var/tmp/firmware;
+            server {
+                server_name  {{ $nginx }};
+                listen                 0.0.0.0:{{ .Values.collaboraNetwork.webPort }} default_server ssl http2;
+                ssl_certificate        "/etc/certs/server.crt";
+                ssl_certificate_key    "/etc/certs/server.key";
+                ssl_session_timeout    120m;
+                ssl_session_cache      shared:ssl:16m;
+                ssl_protocols TLSv1.2 TLSv1.3;
+                ssl_prefer_server_ciphers on;
+                ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384;
+                add_header Strict-Transport-Security max-age=31536000;
+                location = /robots.txt {
+                  add_header Content-Type text/plain;
+                  proxy_set_header Referer {{ $nginx | quote }};
+                  return 200 "User-agent: *\nDisallow: /loleaflet/*\n";
+                }
+                # static files
+                location ^~ /browser {
+                    proxy_pass http://{{ $fullname }}:9980;
+                    proxy_set_header Host $host;
+                    # proxy_set_header Referer {{ $nginx | quote }};
+                }
+                # WOPI discovery URL
+                location ^~ /hosting/discovery {
+                    set $upstream_collabora {{ $fullname }};
+                    proxy_pass http://$upstream_collabora:9980;
+                    proxy_set_header Host $http_host;
+                    # proxy_set_header Referer {{ $nginx | quote }};
+                }
+                # Capabilities
+                location ^~ /hosting/capabilities {
+                    proxy_pass http://{{ $fullname }}:9980;
+                    proxy_set_header Host $host;
+                    # proxy_set_header Referer {{ $nginx | quote }};
+                }
+                # main websocket
+                location ~ ^/cool/(.*)/ws$ {
+                    proxy_pass http://{{ $fullname }}:9980;
+                    proxy_set_header Host $host;
+                    proxy_set_header Upgrade $http_upgrade;
+                    proxy_set_header Connection "Upgrade";
+                    # proxy_set_header Referer {{ $nginx | quote }};
+                    proxy_read_timeout 36000s;
+                }
+                # download, presentation and image upload
+                location ~ ^/(c|l)ool {
+                    proxy_pass http://{{ $fullname }}:9980;
+                    proxy_set_header Host $host;
+                    proxy_set_header Referer {{ $nginx | quote }};
+                }
+                # Admin Console websocket
+                location ^~ /cool/adminws {
+                    proxy_pass http://{{ $fullname }}:9980;
+                    proxy_set_header Host $host;
+                    proxy_set_header Upgrade $http_upgrade;
+                    proxy_set_header Connection "Upgrade";
+                    # proxy_set_header Referer {{ $nginx | quote }};
+                    proxy_read_timeout 36000s;
+                }
+            }
+        }
+
+scaleCertificate:
+  collabora-cert:
+    enabled: true
+    id: {{ .Values.collaboraNetwork.certificateID }}
+  {{- end -}}
+{{- end -}}
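Review bot: `server_name  {{ $nginx }};` expands to a URL (`https://<fullname>-nginx:<port>`) rather than a hostname, because `$nginx` is built with `printf "https://%s-nginx:%v"` for use as a Referer value; nginx accepts the literal but it can never match a Host header, and only `default_server` on the `listen` line keeps the block reachable. Use the bare service name there, `server_name  {{ $fullname }}-nginx;`, and keep `$nginx` for the `proxy_set_header Referer` lines where a URL is what is wanted. `client_body_temp_path /var/tmp/firmware;` is carried over from the old config and the reason for that directory is not evident from the chart; a one-line comment above it would help.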

+ 0 - 40
library/ix-dev/charts/collabora/templates/_helpers.tpl

@@ -1,40 +0,0 @@
-{{/*
-Retrieve secret name for secure credentials
-*/}}
-{{- define "secretName" -}}
-{{- print "credentials" -}}
-{{- end -}}
-
-
-{{/*
-Retrieve true/false if certificate is configured
-*/}}
-{{- define "certAvailable" -}}
-{{- if .Values.certificate -}}
-{{- $values := (. | mustDeepCopy) -}}
-{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate) -}}
-{{- template "common.resources.cert_present" $values -}}
-{{- else -}}
-{{- false -}}
-{{- end -}}
-{{- end -}}
-
-
-{{/*
-Retrieve public key of certificate
-*/}}
-{{- define "cert.publicKey" -}}
-{{- $values := (. | mustDeepCopy) -}}
-{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate "publicKey" true) -}}
-{{ include "common.resources.cert" $values }}
-{{- end -}}
-
-
-{{/*
-Retrieve private key of certificate
-*/}}
-{{- define "cert.privateKey" -}}
-{{- $values := (. | mustDeepCopy) -}}
-{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate) -}}
-{{ include "common.resources.cert" $values }}
-{{- end -}}

+ 35 - 0
library/ix-dev/charts/collabora/templates/_migration.tpl

@@ -0,0 +1,35 @@
+{{- define "collabora.get-versions" -}}
+  {{- $oldChartVersion := "" -}}
+  {{- $newChartVersion := "" -}}
+
+  {{/* Safely access the context, so it wont block CI */}}
+  {{- if hasKey .Values.global "ixChartContext" -}}
+    {{- if .Values.global.ixChartContext.upgradeMetadata -}}
+
+      {{- $oldChartVersion = .Values.global.ixChartContext.upgradeMetadata.oldChartVersion -}}
+      {{- $newChartVersion = .Values.global.ixChartContext.upgradeMetadata.newChartVersion -}}
+      {{- if and (not $oldChartVersion) (not $newChartVersion) -}}
+        {{- fail "Upgrade Metadata is missing. Cannot proceed" -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- toYaml (dict "old" $oldChartVersion "new" $newChartVersion) -}}
+{{- end -}}
+
+{{- define "collabora.migration" -}}
+  {{- $versions := (fromYaml (include "collabora.get-versions" $)) -}}
+  {{- if and $versions.old $versions.new -}}
+    {{- $oldV := semver $versions.old -}}
+    {{- $newV := semver $versions.new -}}
+
+    {{/* If new is v2.x.x */}}
+    {{- if eq ($newV.Major | int) 2 -}}
+      {{/* And old is v1.x.x, but lower than .2.30 */}}
+      {{- if and (eq $oldV.Major 1) (or (ne $oldV.Minor 2) (lt ($oldV.Patch | int) 30)) -}}
+        {{/* Block the upgrade */}}
+        {{- fail "Migration to 2.x.x is only allowed from 1.2.30 or higher" -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
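Review bot: The guard in `collabora.migration` blocks any 1.x version whose minor is not 2, so a hypothetical 1.3.0 would be rejected although the `fail` message promises that 1.2.30 or higher is allowed; it also mixes the bare `eq $oldV.Major 1` with the `| int` casts used on the other semver fields. Sprig's `semverCompare` states the intent directly: `{{- if and (eq ($oldV.Major | int) 1) (semverCompare "< 1.2.30" $versions.old) -}}`. In `collabora.get-versions` the `fail` fires only when both versions are empty; when exactly one is present the check in `collabora.migration` is silently skipped — if that is intended, a comment saying so would make it clear.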

+ 56 - 0
library/ix-dev/charts/collabora/templates/_nginx.tpl

@@ -0,0 +1,56 @@
+{{- define "nginx.workload" -}}
+{{- $fullname := (include "ix.v1.common.lib.chart.names.fullname" $) -}}
+workload:
+  nginx:
+    enabled: true
+    type: Deployment
+    podSpec:
+      hostNetwork: false
+      containers:
+        nginx:
+          enabled: true
+          primary: true
+          imageSelector: nginxImage
+          securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+            runAsNonRoot: false
+            readOnlyRootFilesystem: false
+            capabilities:
+              add:
+                - CHOWN
+                - SETGID
+                - SETUID
+          probes:
+            liveness:
+              enabled: true
+              type: https
+              path: /robots.txt
+              port: {{ .Values.collaboraNetwork.webPort }}
+            readiness:
+              enabled: true
+              type: https
+              path: /robots.txt
+              port: {{ .Values.collaboraNetwork.webPort }}
+            startup:
+              enabled: true
+              type: https
+              path: /robots.txt
+              port: {{ .Values.collaboraNetwork.webPort }}
+      initContainers:
+        wait-collabora:
+          enabled: true
+          type: init
+          imageSelector: bashImage
+          command:
+            - bash
+          args:
+            - -c
+            - |
+              echo "Waiting for collabora to be ready at [{{ $fullname }}:9980]"
+              until nc -vz -w 5 "{{ $fullname }}" 9980; do
+                echo "Waiting for collabora to be ready at [{{ $fullname }}:9980]"
+                sleep 1
+              done
+
+{{- end -}}
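Review bot: The `wait-collabora` init container loops forever if nothing ever answers on `{{ $fullname }}:9980`, so a broken upstream leaves the pod stuck in Init with no failure signal beyond the repeated log line; bound the loop with `tries=0` before `until` and `tries=$((tries + 1)); [ "$tries" -lt 120 ] || { echo "Timed out waiting for collabora"; exit 1; }` as the first statement of its body. The loop also assumes `nc` exists in `bashImage`, which the chart does not show. The nginx container runs as root (`runAsUser: 0`, `runAsNonRoot: false`) with CHOWN/SETGID/SETUID added and, unlike the collabora container, leaves `allowPrivilegeEscalation` unset; a comment stating why root is needed here (presumably the stock nginx image's entrypoint and master process before dropping to the worker user — confirm) would document the intent.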

+ 50 - 0
library/ix-dev/charts/collabora/templates/_persistance.tpl

@@ -0,0 +1,50 @@
+{{- define "collabora.persistence" -}}
+persistence:
+  tmp:
+    enabled: true
+    type: emptyDir
+    targetSelector:
+      collabora:
+        collabora:
+          mountPath: /tmp
+      nginx:
+        nginx:
+          mountPath: /tmp
+  {{- if .Values.collaboraNetwork.certificateID }}
+  nginx-conf:
+    enabled: true
+    type: configmap
+    objectName: nginx-conf
+    defaultMode: "0600"
+    targetSelector:
+      nginx:
+        nginx:
+          mountPath: /etc/nginx/nginx.conf
+          subPath: nginx.conf
+          readOnly: true
+  cert:
+    enabled: true
+    type: secret
+    objectName: collabora-cert
+    defaultMode: "0600"
+    items:
+      - key: tls.key
+        path: server.key
+      - key: tls.crt
+        path: server.crt
+    targetSelector:
+      nginx:
+        nginx:
+          mountPath: /etc/certs
+          readOnly: true
+  {{- end }}
+  {{- range $idx, $storage := .Values.collaboraStorage.additionalStorages }}
+  {{ printf "collabora-%v:" (int $idx) }}
+    enabled: true
+    {{- include "ix.v1.common.app.storageOptions" (dict "storage" $storage) | nindent 4 }}
+    targetSelector:
+      collabora:
+        collabora:
+          mountPath: {{ $storage.mountPath }}
+  {{- end }}
+{{- end -}}
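Review bot: The `tmp` emptyDir targets the `nginx` workload unconditionally, but `nginx.workload` is only merged in common.yaml when `collaboraNetwork.certificateID` is set; if the common library validates `targetSelector` against the defined workloads — I cannot confirm that from this chart — a cert-less install fails to render. Guard that branch like the `nginx-conf` and `cert` entries below it: `{{- if .Values.collaboraNetwork.certificateID }}` before `nginx:` and `{{- end }}` after its `mountPath: /tmp`. The file is named `_persistance.tpl` while the define is `collabora.persistence`; aligning the spelling helps grepping.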

+ 17 - 0
library/ix-dev/charts/collabora/templates/_portal.tpl

@@ -0,0 +1,17 @@
+{{- define "collabora.portal" -}}
+{{- $hasCert := not (empty .Values.collaboraNetwork.certificateID) }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: portal
+data:
+  {{- if .Values.collaboraConfig.enableWebUI }}
+  path: "/browser/dist/admin/admin.html"
+  {{- else }}
+  path: "/"
+  {{- end }}
+  port: {{ .Values.collaboraNetwork.webPort | quote }}
+  protocol: {{ ternary "https" "http" $hasCert }}
+  host: {{ (split ":" .Values.collaboraConfig.serverName)._0 | default "$node_ip" }}
+{{- end -}}
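Review bot: `host:` is the only data value in the `portal` ConfigMap that is not quoted, while `port` uses `| quote`; ConfigMap data must be strings, so a `serverName` that YAML types as a non-string (an all-digit or boolean-looking value) would be rejected by the API server. Write it as `host: {{ (split ":" .Values.collaboraConfig.serverName)._0 | default "$node_ip" | quote }}`. The `split ":"` also assumes `serverName` carries no scheme; if a user enters `https://host`, `_0` becomes `https` — worth stating in the question's description or checking here.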

+ 35 - 0
library/ix-dev/charts/collabora/templates/_service.tpl

@@ -0,0 +1,35 @@
+{{- define "collabora.service" -}}
+{{- $hasCert := not (empty .Values.collaboraNetwork.certificateID) }}
+service:
+  collabora:
+    enabled: true
+    primary: true
+    {{/* If a certificate is selected, turn collabora
+        to clusterIP, nginx will be the "frontend" */}}
+    type: {{ ternary "ClusterIP" "NodePort" $hasCert }}
+    targetSelector: collabora
+    ports:
+      webui:
+        enabled: true
+        primary: true
+        port: {{ ternary 9980 .Values.collaboraNetwork.webPort $hasCert }}
+        {{- if not .Values.collaboraNetwork.certificateID }}
+        nodePort: {{ .Values.collaboraNetwork.webPort }}
+        {{- end }}
+        targetPort: 9980
+        targetSelector: collabora
+  {{- if .Values.collaboraNetwork.certificateID }}
+  nginx:
+    enabled: true
+    type: NodePort
+    targetSelector: nginx
+    ports:
+      webui:
+        enabled: true
+        primary: true
+        port: {{ .Values.collaboraNetwork.webPort }}
+        nodePort: {{ .Values.collaboraNetwork.webPort }}
+        targetPort: {{ .Values.collaboraNetwork.webPort }}
+        targetSelector: nginx
+  {{- end -}}
+{{- end -}}
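Review bot: `$hasCert` is computed at the top of `collabora.service`, but the `nodePort` guard and the `nginx:` block re-test `.Values.collaboraNetwork.certificateID` directly; using `{{- if not $hasCert }}` and `{{- if $hasCert }}` keeps the three conditions visibly identical. The collabora service stays `primary: true` even when it becomes a ClusterIP behind nginx while the nginx NodePort service is not marked primary; if the common library derives anything from the primary service, a comment confirming this is intended would help.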

+ 17 - 0
library/ix-dev/charts/collabora/templates/common.yaml

@@ -0,0 +1,17 @@
+{{- include "ix.v1.common.loader.init" . -}}
+
+{{- include "collabora.migration" $ -}}
+
+{{/* Merge the templates with Values */}}
+{{- $_ := mustMergeOverwrite .Values (include "collabora.configuration" $ | fromYaml) -}}
+{{- $_ := mustMergeOverwrite .Values (include "collabora.workload" $ | fromYaml) -}}
+{{- if .Values.collaboraNetwork.certificateID -}}
+  {{- $_ := mustMergeOverwrite .Values (include "nginx.workload" $ | fromYaml) -}}
+{{- end }}
+{{- $_ := mustMergeOverwrite .Values (include "collabora.service" $ | fromYaml) -}}
+{{- $_ := mustMergeOverwrite .Values (include "collabora.persistence" $ | fromYaml) -}}
+
+{{/* Create the configmap for portal manually*/}}
+{{- include "collabora.portal" $ -}}
+
+{{- include "ix.v1.common.loader.apply" . -}}
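Review bot: `fromYaml` in Helm does not fail on unparsable input — it returns a map with a single `Error` key — so if any of the included templates renders invalid YAML (an unquoted env value containing `: `, for example), `mustMergeOverwrite` silently merges `Error: ...` into `.Values` and the real cause surfaces only as a confusing downstream error or a silently missing section. Capture each include and fail on that key before merging; the pattern for the first two includes is below and applies equally to `nginx.workload`, `collabora.service` and `collabora.persistence`.

```yaml
{{- $config := include "collabora.configuration" $ | fromYaml -}}
{{- if hasKey $config "Error" }}{{ fail (printf "collabora.configuration: %s" $config.Error) }}{{ end -}}
{{- $_ := mustMergeOverwrite .Values $config -}}
{{- $workload := include "collabora.workload" $ | fromYaml -}}
{{- if hasKey $workload "Error" }}{{ fail (printf "collabora.workload: %s" $workload.Error) }}{{ end -}}
{{- $_ := mustMergeOverwrite .Values $workload -}}
{{/* … unchanged: same capture-and-check for nginx.workload, collabora.service and collabora.persistence, then collabora.portal and loader.apply … */}}
```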

+ 0 - 144
library/ix-dev/charts/collabora/templates/deployment.yaml

@@ -1,144 +0,0 @@
-{{ include "common.storage.hostPathValidate" .Values }}
-apiVersion: {{ template "common.capabilities.deployment.apiVersion" . }}
-kind: Deployment
-metadata:
-  name: {{ template "common.names.fullname" . }}-collabora
-  labels: {{ include "common.labels" . | nindent 4 }}
-spec:
-  strategy:
-    type: {{ .Values.updateStrategy }}
-  selector:
-    matchLabels: {{ include "common.labels.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      name: {{ template "common.names.fullname" . }}
-      labels: {{ include "common.labels.selectorLabels" . | nindent 8 }}
-    spec:
-      containers:
-        {{ if .Values.certificate }}
-        - name: {{ .Chart.Name }}-nginx
-          image: {{ printf "%s:%s" .Values.nginx.image.repository .Values.nginx.image.tag }}
-          imagePullPolicy: {{ .Values.nginx.image.pullPolicy }}
-          volumeMounts:
-            - name: configuration
-              mountPath: /etc/nginx/nginx.conf
-              readOnly: true
-              subPath: config
-            - name: certs
-              mountPath: /etc/nginx/server.crt
-              subPath: certPublicKey
-            - name: certs
-              mountPath: /etc/nginx/server.key
-              subPath: certPrivateKey
-          ports:
-          - name: http
-            containerPort: 80
-            protocol: TCP
-          - name: https
-            containerPort: 443
-            protocol: TCP
-          livenessProbe:
-            httpGet:
-              scheme: HTTPS
-              path: /robots.txt
-              port: 443
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            timeoutSeconds: 5
-            failureThreshold: 5
-            successThreshold: 1
-          readinessProbe:
-            httpGet:
-              scheme: HTTPS
-              path: /robots.txt
-              port: 443
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            timeoutSeconds: 5
-            failureThreshold: 5
-            successThreshold: 2
-          startupProbe:
-            httpGet:
-              scheme: HTTPS
-              path: /robots.txt
-              port: 443
-            initialDelaySeconds: 10
-            periodSeconds: 5
-            timeoutSeconds: 2
-            failureThreshold: 60
-            successThreshold: 1
-        {{ end }}
-        - name: {{ .Chart.Name }}
-          {{ include "common.resources.limitation" . | nindent 10 }}
-          {{ include "common.containers.imageConfig" .Values.image | nindent 10 }}
-          {{ if .Values.extraAppVolumeMounts }}
-          volumeMounts:
-          {{ range $index, $hostPathConfiguration := .Values.extraAppVolumeMounts }}
-            - name: extrappvolume-{{ $index }}
-              mountPath: {{ $hostPathConfiguration.mountPath }}
-          {{ end }}
-          {{ end }}
-          livenessProbe:
-            httpGet:
-              path: /
-              port: 9980
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            timeoutSeconds: 5
-            failureThreshold: 5
-            successThreshold: 1
-          readinessProbe:
-            httpGet:
-              path: /
-              port: 9980
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            timeoutSeconds: 5
-            failureThreshold: 5
-            successThreshold: 1
-          startupProbe:
-            httpGet:
-              path: /
-              port: 9980
-            initialDelaySeconds: 10
-            periodSeconds: 10
-            timeoutSeconds: 5
-            failureThreshold: 5
-            successThreshold: 1
-          ports:
-            - name: collabora
-              protocol: TCP
-              containerPort: 9980
-          {{ $envList := (default list .Values.environmentVariables) }}
-          {{ $secretName := (include "secretName" .) }}
-          {{ $envConfig := .Values.config }}
-          {{ $envList = mustAppend $envList (dict "name" "timezone" "value" $envConfig.timezone) }}
-          {{ $envList = mustAppend $envList (dict "name" "aliasgroup1" "value" (join "," $envConfig.aliasgroup1)) }}
-          {{ $envList = mustAppend $envList (dict "name" "dictionaries" "value" $envConfig.dictionaries) }}
-          {{ $envList = mustAppend $envList (dict "name" "extra_params" "value" $envConfig.extra_params) }}
-          {{ $envList = mustAppend $envList (dict "name" "DONT_GEN_SSL_CERT" "value" "true") }}
-          {{ if not (contains ":" $envConfig.server_name) }}
-            {{ $envList = mustAppend $envList (dict "name" "server_name" "value" (printf "%v:%v" $envConfig.server_name .Values.nodePort)) }}
-          {{ else }}
-            {{ $envList = mustAppend $envList (dict "name" "server_name" "value" (printf "%v" $envConfig.server_name)) }}
-          {{ end }}
-          {{ if $envConfig.enableWebUI }}
-            {{ $envList = mustAppend $envList (dict "name" "username" "valueFromSecret" true "secretName" $secretName "secretKey" "username") }}
-            {{ $envList = mustAppend $envList (dict "name" "password" "valueFromSecret" true "secretName" $secretName "secretKey" "password") }}
-          {{ end }}
-          {{ include "common.containers.allEnvironmentVariables" (dict "environmentVariables" $envList) | nindent 10 }}
-      volumes:
-        {{ if .Values.certificate }}
-        - name: configuration
-          configMap:
-            defaultMode: 0700
-            name: "nginx-config"
-        - name: certs
-          secret:
-            secretName: {{ include "secretName" . }}
-        {{ end }}
-      {{ range $index, $hostPathConfiguration := .Values.extraAppVolumeMounts }}
-        - name: extrappvolume-{{ $index }}
-          hostPath:
-            path: {{ $hostPathConfiguration.hostPath }}
-      {{ end }}

+ 0 - 124
library/ix-dev/charts/collabora/templates/nginx-conf.yaml

@@ -1,124 +0,0 @@
-{{ if .Values.certificate }}
-{{- $serviceName := "localhost" -}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: "nginx-config"
-  annotations:
-    rollme: {{ randAlphaNum 5 | quote }}
-data:
-  config: |-
-    events {
-        worker_connections  1024;
-    }
-
-    http {
-        include       mime.types;
-        default_type  application/octet-stream;
-
-        # Types to enable gzip compression on
-        gzip_types
-            text/plain
-            text/css
-            text/js
-            text/xml
-            text/javascript
-            application/javascript
-            application/x-javascript
-            application/json
-            application/xml
-            application/rss+xml
-            image/svg+xml;
-
-        sendfile        on;
-        client_max_body_size 1000m;
-
-        keepalive_timeout  65;
-
-        # Disable tokens for security (#23684)
-        server_tokens off;
-
-        gzip  on;
-        client_body_temp_path /var/tmp/firmware;
-
-        server {
-            server_name  nginx;
-            listen                 0.0.0.0:443 default_server ssl http2;
-            listen                 [::]:443 default_server ssl http2;
-
-            ssl_certificate        "/etc/nginx/server.crt";
-            ssl_certificate_key    "/etc/nginx/server.key";
-
-            ssl_session_timeout    120m;
-            ssl_session_cache      shared:ssl:16m;
-
-            ssl_protocols TLSv1.2 TLSv1.3;
-            ssl_prefer_server_ciphers on;
-            ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384;
-            add_header Strict-Transport-Security max-age=31536000;
-
-            location = /robots.txt {
-              add_header Content-Type text/plain;
-              proxy_set_header Referer "http://nginx";
-              return 200 "User-agent: *\nDisallow: /loleaflet/*\n";
-            }
-
-            # static files
-            location ^~ /browser {
-                proxy_pass http://{{ $serviceName }}:9980;
-                proxy_set_header Host $host;
-                # proxy_set_header Referer "http://nginx";
-            }
-
-            # WOPI discovery URL
-            location ^~ /hosting/discovery {
-                set $upstream_collabora {{ $serviceName }};
-                proxy_pass http://$upstream_collabora:9980;
-                proxy_set_header Host $http_host;
-                # proxy_set_header Referer "http://nginx";
-            }
-
-            # Capabilities
-            location ^~ /hosting/capabilities {
-                proxy_pass http://{{ $serviceName }}:9980;
-                proxy_set_header Host $host;
-                # proxy_set_header Referer "http://nginx";
-            }
-
-            # main websocket
-            location ~ ^/cool/(.*)/ws$ {
-                proxy_pass http://{{ $serviceName }}:9980;
-                proxy_set_header Host $host;
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "Upgrade";
-                # proxy_set_header Referer "http://nginx";
-                proxy_read_timeout 36000s;
-            }
-
-            # download, presentation and image upload
-            location ~ ^/(c|l)ool {
-                proxy_pass http://{{ $serviceName }}:9980;
-                proxy_set_header Host $host;
-                proxy_set_header Referer "http://nginx";
-            }
-
-            # Admin Console websocket
-            location ^~ /cool/adminws {
-                proxy_pass http://{{ $serviceName }}:9980;
-                proxy_set_header Host $host;
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "Upgrade";
-                # proxy_set_header Referer "http://nginx";
-                proxy_read_timeout 36000s;
-            }
-
-        }
-        server {
-            listen    0.0.0.0:80;
-            listen    [::]:80;
-            server_name nginx;
-            return 307 https://$host:{{ .Values.nodePort }}}$request_uri;
-        }
-
-    }
-{{ end }}

+ 0 - 21
library/ix-dev/charts/collabora/templates/secrets.yaml

@@ -1,21 +0,0 @@
-{{ if or .Values.config.enableWebUI .Values.certificate }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ template "secretName" . }}
-  labels: {{ include "common.labels" . | nindent 4 }}
-type: Opaque
-data:
-  {{ if .Values.config.enableWebUI }}
-  username: {{ .Values.config.username | b64enc | quote }}
-  password: {{ .Values.config.password | b64enc | quote }}
-  {{ end }}
-  {{ if .Values.certificate }}
-    {{ if eq (include "certAvailable" .) "true" }}
-  certPublicKey: {{ (include "cert.publicKey" .) | toString | b64enc | quote }}
-  certPrivateKey: {{ (include "cert.privateKey" .) | toString | b64enc | quote }}
-    {{ else }}
-      {{ fail "No certificate configured for Collabora" }}
-    {{ end }}
-  {{ end }}
-{{ end }}

+ 0 - 10
library/ix-dev/charts/collabora/templates/service.yaml

@@ -1,10 +0,0 @@
-{{ $port := .Values.nodePort }}
-{{ $ports := list }}
-{{ if .Values.certificate }}
-  {{ $ports = mustAppend $ports (dict "name" "https" "nodePort" $port "targetPort" 443 "port" 443) }}
-{{ else }}
-  {{ $ports = mustAppend $ports (dict "name" "http" "nodePort" $port "targetPort" 9980 "port" 9980) }}
-{{ end }}
-{{ $params := (. | mustDeepCopy) }}
-{{ $_ := set $params "commonService" (dict "ports" $ports "type" "NodePort" ) }}
-{{ include "common.classes.service" $params }}

+ 29 - 6
library/ix-dev/charts/collabora/values.yaml

@@ -2,9 +2,32 @@ image:
   pullPolicy: IfNotPresent
   repository: collabora/code
   tag: 23.05.8.2.1
-nginx:
-  image:
-    pullPolicy: IfNotPresent
-    repository: nginx
-    tag: 1.23.3
-updateStrategy: Recreate
+nginxImage:
+  pullPolicy: IfNotPresent
+  repository: nginx
+  tag: 1.23.3
+
+collaboraConfig:
+  enableWebUI: true
+  username: ''
+  password: ''
+  aliasGroup1: []
+  dictionaries: []
+  extraParams:
+    - --o:welcome.enable=false
+    - --o:user_interface.mode=notebookbar
+    - --o:ssl.termination=true
+    - --o:ssl.enable=false
+    - --o:net.proto=IPv4
+    - --o:logging.level=warning
+    - --o:logging.level_startup=warning
+    - --o:mount_jail_tree=false
+  serverName: ''
+  additionalEnvs: []
+
+collaboraNetwork:
+  webPort: 31020
+  certificateID:
+
+collaboraStorage:
+  additionalStorages: []
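Review bot: `collaboraConfig.enableWebUI: true` ships alongside `username: ''` and `password: ''`, so the default values enable the admin console with empty credentials; the removed secrets.yaml merely base64-encoded whatever was set, and unless the new `_collabora.tpl`/`_configuration.tpl` (outside this hunk) refuses to render on empty values, the console would be exposed without a meaningful login. I would add a comment above `username` such as `# username and password must both be non-empty when enableWebUI is true; rendering should fail otherwise` and, if no such check exists in the templates, add one there. `certificateID:` with no value parses as null; write `certificateID: null` (or `''` if the templates compare against a string) so the intent is explicit and yamllint's empty-values rule passes. The `--o:ssl.termination=true` / `--o:ssl.enable=false` pair under `extraParams` is what makes the container rely on the nginx front-end for TLS, so a one-line comment noting that these are overridable defaults and that nginx is expected to be the only TLS endpoint would help whoever edits the list next.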