Properly configure certificate to be used with collabora application

270e996b · sonicaj · f4639626 · 270e996b · 270e996b · 270e996b
Commit 270e996b authored Sep 14, 2021 by sonicaj
7 changed files
--- a/test/collabora/1.0.0/questions.yaml
+++ b/test/collabora/1.0.0/questions.yaml
@@ -64,7 +64,7 @@ questions:
          description: 'e.g. "--o:welcome.enable=false", See more on /etc/loolwsd/loowsd.xml. Separate params with space'
          schema:
            type: string
-            default: "--o:welcome.enable=false --o:user_interface.mode=notebookbar --o:ssl.termination=true --o:ssl.enable=false"
+            default: "--o:welcome.enable=false --o:user_interface.mode=notebookbar --o:ssl.termination=true --o:ssl.enable=false --o:net.proto=IPv4"
        - variable: DONT_GEN_SSL_CERT
          label: "DONT_GEN_SSL_CERT"
          description: "When set to true it does NOT generate an SSL cert, you have to use your own"
@@ -84,6 +84,15 @@ questions:
            default: ''
            valid_chars: '^$|^[a-z]{1,}\\{1}\.{1}[a-z]{1,}\\{1}\.{1}[a-z]{1,}$'

+  - variable: certificate
+    description: "Collabora Certificate"
+    label: "Certificate"
+    group: "Collabora Configuration"
+    schema:
+      type: int
+      $ref:
+        - "definitions/certificate"
+
  - variable: extraAppVolumeMounts
    label: "Collabora Extra Host Path Volumes"
    group: "Storage"

--- a/test/collabora/1.0.0/templates/_helpers.tpl
+++ b/test/collabora/1.0.0/templates/_helpers.tpl
@@ -4,3 +4,37 @@ Retrieve secret name for secure credentials
 {{- define "secretName" -}}
 {{- print "credentials" -}}
 {{- end -}}
+
+
+{{/*
+Retrieve true/false if certificate is configured
+*/}}
+{{- define "certAvailable" -}}
+{{- if .Values.certificate -}}
+{{- $values := (. | mustDeepCopy) -}}
+{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate) -}}
+{{- template "common.resources.cert_present" $values -}}
+{{- else -}}
+{{- false -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Retrieve public key of certificate
+*/}}
+{{- define "cert.publicKey" -}}
+{{- $values := (. | mustDeepCopy) -}}
+{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate "publicKey" true) -}}
+{{ include "common.resources.cert" $values }}
+{{- end -}}
+
+
+{{/*
+Retrieve private key of certificate
+*/}}
+{{- define "cert.privateKey" -}}
+{{- $values := (. | mustDeepCopy) -}}
+{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate) -}}
+{{ include "common.resources.cert" $values }}
+{{- end -}}
--- a/test/collabora/1.0.0/templates/nginx-conf.yaml
+++ b/test/collabora/1.0.0/templates/nginx-conf.yaml
@@ -6,10 +6,6 @@ metadata:
    rollme: {{ randAlphaNum 5 | quote }}
 data:
  config: |-
-    load_module modules/ngx_http_uploadprogress_module.so;
-    user www-data www-data;
-    worker_processes  1;
-
    events {
        worker_connections  1024;
    }
@@ -32,33 +28,24 @@ data:
            application/rss+xml
            image/svg+xml;

-        # reserve 1MB under the name 'proxied' to track uploads
-        upload_progress proxied 1m;
-
        sendfile        on;
-        #tcp_nopush     on;
        client_max_body_size 1000m;

-        #keepalive_timeout  0;
        keepalive_timeout  65;

        # Disable tokens for security (#23684)
        server_tokens off;

        gzip  on;
-        #upload_store /var/tmp/firmware;
        client_body_temp_path /var/tmp/firmware;

-        error_log syslog:server=unix:/var/run/log,nohostname;
-        access_log syslog:server=unix:/var/run/log,nohostname;
-
        server {
-            server_name  localhost;
+            server_name  nginx;
            listen                 0.0.0.0:443 default_server ssl http2;
            listen                 [::]:443 default_server ssl http2;

-            ssl_certificate        "/nginx.crt";
-            ssl_certificate_key    "/nginx.key";
+            ssl_certificate        "/etc/nginx/server.crt";
+            ssl_certificate_key    "/etc/nginx/server.key";

            ssl_session_timeout    120m;
            ssl_session_cache      shared:ssl:16m;
@@ -68,10 +55,6 @@ data:
            ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384;
            add_header Strict-Transport-Security max-age=31536000;

-            # Security Headers
-            add_header X-Content-Type-Options nosniff;
-            add_header X-XSS-Protection "1";
-
            location = /robots.txt {
              add_header Content-Type text/plain;
              proxy_set_header Referer "http://nginx";
@@ -80,9 +63,8 @@ data:

            # static files
            location ^~ /loleaflet {
-                set $upstream_collabora collabora;
-                proxy_pass http://$upstream_collabora:9980;
-                proxy_set_header Host $http_host;
+                proxy_pass http://collabora:9980;
+                proxy_set_header Host $host;
                proxy_set_header Referer "http://nginx";
            }

@@ -96,38 +78,34 @@ data:

            # Capabilities
            location ^~ /hosting/capabilities {
-                set $upstream_collabora collabora;
-                proxy_pass http://$upstream_collabora:9980;
-                proxy_set_header Host $http_host;
+                proxy_pass http://collabora:9980;
+                proxy_set_header Host $host;
                proxy_set_header Referer "http://nginx";
            }

            # main websocket
            location ~ ^/lool/(.*)/ws$ {
-                set $upstream_collabora collabora;
-                proxy_pass http://$upstream_collabora:9980;
+                proxy_pass http://collabora:9980;
+                proxy_set_header Host $host;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
-                proxy_set_header Host $http_host;
                proxy_set_header Referer "http://nginx";
                proxy_read_timeout 36000s;
            }

            # download, presentation and image upload
            location ~ ^/lool {
-                set $upstream_collabora collabora;
-                proxy_pass http://$upstream_collabora:9980;
-                proxy_set_header Host $http_host;
+                proxy_pass http://collabora:9980;
+                proxy_set_header Host $host;
                proxy_set_header Referer "http://nginx";
            }

            # Admin Console websocket
            location ^~ /lool/adminws {
-                set $upstream_collabora collabora;
-                proxy_pass http://$upstream_collabora:9980;
+                proxy_pass http://collabora:9980;
+                proxy_set_header Host $host;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
-                proxy_set_header Host $http_host;
                proxy_set_header Referer "http://nginx";
                proxy_read_timeout 36000s;
            }
@@ -136,8 +114,8 @@ data:
        server {
            listen    0.0.0.0:80;
            listen    [::]:80;
-            server_name localhost;
-            return 307 https://$host:443$request_uri;
+            server_name nginx;
+            return 307 https://$host:{{ .Values.nodePort }}}$request_uri;
        }

    }
--- a/test/collabora/1.0.0/templates/nginx-deployment.yaml
+++ b/test/collabora/1.0.0/templates/nginx-deployment.yaml
@@ -13,6 +13,13 @@ spec: {{ include "common.deployment.common_spec" $values | nindent 2 }}
            mountPath: /etc/nginx/nginx.conf
            readOnly: true
            subPath: config
+          - name: certs
+            mountPath: /etc/nginx/server.crt
+            subPath: certPublicKey
+          - name: certs
+            mountPath: /etc/nginx/server.key
+            subPath: certPrivateKey
+
        ports:
        - name: http
          containerPort: 80
@@ -22,6 +29,9 @@ spec: {{ include "common.deployment.common_spec" $values | nindent 2 }}
          protocol: TCP
      volumes:
        - name: configuration
-        configMap:
-          defaultMode: 0700
-          name: "nginx-config"
+          configMap:
+            defaultMode: 0700
+            name: "nginx-config"
+        - name: certs
+          secret:
+            secretName: {{ include "secretName" . }}
--- a/test/collabora/1.0.0/templates/nginx-service.yaml
+++ b/test/collabora/1.0.0/templates/nginx-service.yaml
 {{ $port := .Values.nodePort }}
 {{ $ports := list }}
-{{ $ports = mustAppend $ports (dict "name" "https" "port" $port "nodePort" $port "targetPort" "collabora") }}
+{{ $ports = mustAppend $ports (dict "name" "https" "port" $port "nodePort" $port "targetPort" "https") }}
 {{ $params := (. | mustDeepCopy) }}
-{{ $_ := set $params "common" (dict "nameSuffix" "nginx") "commonService" (dict "ports" $ports "type" "NodePort" ) }}
+{{ $_ := set $params "common" (dict "nameSuffix" "nginx") }}
+{{ $_2 := set $params "commonService" (dict "ports" $ports "type" "NodePort" ) }}
 {{ include "common.classes.service" $params }}
--- a/test/collabora/1.0.0/templates/secrets.yaml
+++ b/test/collabora/1.0.0/templates/secrets.yaml
@@ -7,3 +7,9 @@ type: Opaque
 data:
  username: {{ .Values.config.username | b64enc | quote }}
  password: {{ .Values.config.password | b64enc | quote }}
+  {{ if eq (include "certAvailable" .) "true" }}
+  certPublicKey: {{ (include "cert.publicKey" .) | toString | b64enc | quote }}
+  certPrivateKey: {{ (include "cert.privateKey" .) | toString | b64enc | quote }}
+  {{ else }}
+    {{ fail "No certificate configured for Collabora" }}
+  {{ end }}
--- a/test/collabora/1.0.0/templates/service.yaml
+++ b/test/collabora/1.0.0/templates/service.yaml
 {{ $port := .Values.nodePort }}
 {{ $ports := list }}
-{{ $ports = mustAppend $ports (dict "name" "collabora" "port" $port "nodePort" $port "targetPort" "collabora") }}
+{{ $ports = mustAppend $ports (dict "name" "collabora" "port" 9980 "targetPort" "collabora") }}
 {{ $params := . }}
 {{ $_ := set $params "commonService" (dict "ports" $ports "type" "ClusterIP" ) }}
 {{ include "common.classes.service" $params }}