
Authored By
Unknown
Size
24 KB
diff --git a/helm/templates/proxy-configmap.yaml b/helm/templates/proxy-configmap.yaml
index 775de6f..9ceac5d 100644
--- a/helm/templates/proxy-configmap.yaml
+++ b/helm/templates/proxy-configmap.yaml
@@ -1,454 +1,455 @@
{{- if .Values.proxy.enabled -}}
kind: ConfigMap
apiVersion: v1
metadata:
name: proxy-config
data:
nginx.conf: |
worker_processes auto;
error_log stderr info;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /dev/stdout main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
resolver {{ .Values.clusterDns }} valid=10s;
map $dav_backend $backend_url {
default http://{{ .Values.imap.host }}/dav/;
alternative http://roundcube/dav/;
}
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
# Rewrite $remote_addr with $proxy_protocol_addr
set_real_ip_from 10.0.0.0/8;
real_ip_header proxy_protocol;
server {
listen 6080;
listen 6081 proxy_protocol;
listen 6443 ssl;
listen 6444 ssl proxy_protocol;
ssl_certificate /etc/certs/tls.crt;
ssl_certificate_key /etc/certs/tls.key;
server_name services.{{ template "kolab.websiteDomain" . }};
root /usr/share/nginx/html;
location / {
proxy_pass http://kolab-services;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_no_cache 1;
proxy_cache_bypass 1;
client_max_body_size 11m;
}
}
server {
listen 6080;
listen 6081 proxy_protocol;
listen 6443 ssl;
listen 6444 ssl proxy_protocol;
ssl_certificate /etc/certs/tls.crt;
ssl_certificate_key /etc/certs/tls.key;
server_name admin.{{ template "kolab.websiteDomain" . }};
root /usr/share/nginx/html;
location / {
proxy_pass http://kolab;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_no_cache 1;
proxy_cache_bypass 1;
client_max_body_size 11m;
}
location /prometheus {
rewrite /prometheus/(.*) /$1 break;
proxy_pass http://prometheus:9090;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_no_cache 1;
proxy_cache_bypass 1;
client_max_body_size 11m;
}
{{- if .Values.grafana.enabled }}
location /grafana {
proxy_pass http://grafana:3000;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_no_cache 1;
proxy_cache_bypass 1;
client_max_body_size 11m;
}
{{- end }}
{{- if .Values.loki.enabled }}
location /loki {
proxy_pass http://loki:3100;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_no_cache 1;
proxy_cache_bypass 1;
client_max_body_size 11m;
}
{{- end }}
{{- if .Values.victorialogs.enabled }}
location /select {
proxy_pass http://victorialogs:9428;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_no_cache 1;
proxy_cache_bypass 1;
client_max_body_size 11m;
}
{{- end }}
}
server {
listen 6080 default_server;
listen 6081 default_server proxy_protocol;
listen 6443 default_server ssl;
listen 6444 default_server ssl proxy_protocol;
listen [::]:6443 ssl ipv6only=on;
ssl_certificate /etc/certs/tls.crt;
ssl_certificate_key /etc/certs/tls.key;
server_name {{ template "kolab.websiteDomain" . }};
+ server_name *.{{ template "kolab.websiteDomain" . }};
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location = /health {
access_log off;
add_header 'Content-Type' 'application/json';
return 200 '{"status":"UP"}';
}
location / {
proxy_pass http://kolab;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_no_cache 1;
proxy_cache_bypass 1;
# Mostly for files, swoole has a 10MB limit
client_max_body_size 11m;
}
location /meetmedia {
proxy_pass http://meet;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
}
location /meetmedia/api {
proxy_pass http://meet;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_no_cache 1;
proxy_cache_bypass 1;
}
location {{ .Values.proxy.webmailPath }} {
proxy_pass http://roundcube;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_no_cache 1;
proxy_cache_bypass 1;
}
location /chwala {
proxy_pass http://roundcube;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_no_cache 1;
proxy_cache_bypass 1;
}
location /Microsoft-Server-ActiveSync {
proxy_pass http://roundcube;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_send_timeout 910s;
proxy_read_timeout 910s;
fastcgi_send_timeout 910s;
fastcgi_read_timeout 910s;
}
location ~* ^/\.well-known/autoconfig {
proxy_pass http://roundcube;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location ~* ^/autodiscover/autodiscover\.xml {
proxy_pass http://roundcube;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location ~* ^/\.well-known/(caldav|carddav) {
auth_request /auth;
auth_request_set $dav_backend $upstream_http_davbackend;
# We can't dynamically set the proxy target with vanilla nginx. We can only select between a list of predefined options via map.
proxy_pass $backend_url;
proxy_redirect http:// $scheme://;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
- location /dav {
+ location ~ ^/(dav|calendar|addressbooks) {
auth_request /auth;
auth_request_set $dav_backend $upstream_http_davbackend;
# We can't dynamically set the proxy target with vanilla nginx. We can only select between a list of predefined options via map.
proxy_pass $backend_url;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
{{- if .Values.collabora.enabled }}
# static files
location ^~ /browser {
proxy_pass http://collabora;
proxy_set_header Host $http_host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://collabora;
proxy_set_header Host $http_host;
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://collabora;
proxy_set_header Host $http_host;
}
# main websocket
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://collabora;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://collabora;
proxy_set_header Host $http_host;
}
# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://collabora;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}
{{- end }}
{{- if .Values.nextcloud.enabled }}
location /nextcloud {
proxy_pass http://nextcloud:80;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_no_cache 1;
proxy_cache_bypass 1;
client_max_body_size 11m;
}
{{- end }}
location = /auth {
internal;
proxy_pass http://kolab/api/webhooks/nginx-httpauth;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /healthz {
auth_basic off;
allow all;
return 200;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
}
mail {
server_name {{ template "kolab.websiteDomain" . }};
auth_http http://{{ .Values.kolab.servicesService }}/api/webhooks/nginx;
proxy_pass_error_message on;
proxy_smtp_auth on;
xclient off;
ssl_certificate /etc/certs/tls.crt;
ssl_certificate_key /etc/certs/tls.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
server {
listen 6143;
listen 6144 proxy_protocol;
protocol imap;
proxy on;
starttls on;
}
server {
listen 6993 ssl;
listen 6994 ssl proxy_protocol;
set_real_ip_from 10.0.0.0/8;
protocol imap;
proxy on;
}
server {
listen 6465 ssl;
listen 6466 ssl proxy_protocol;
set_real_ip_from 10.0.0.0/8;
protocol smtp;
proxy on;
proxy_protocol on;
}
server {
listen 6587;
listen 6588 proxy_protocol;
set_real_ip_from 10.0.0.0/8;
protocol smtp;
proxy on;
starttls on;
proxy_protocol on;
}
}
stream {
server {
listen 6190;
proxy_pass {{ .Values.imap.host }}:4190;
}
}
{{- end }}
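Review bot: The new `location ~ ^/(dav|calendar|addressbooks)` pattern has no boundary after the alternation, so any path that merely begins with `/calendar` or `/addressbooks` is now sent through `auth_request` to the DAV backend. Because nginx prefers a matching regex location over a plain prefix match, those requests no longer fall through to `location /`. Ending the segment explicitly, `location ~ ^/(dav|calendar|addressbooks)(/|$) {`, limits the routing to the intended trees. The match is also case-sensitive (`~`) while the `.well-known` DAV locations above use `~*`, so a one-line comment saying which is intended would help. Separately, the added `server_name *.…` relies on `/etc/certs/tls.crt` covering the wildcard names, which this hunk does not show.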
diff --git a/helm/templates/roundcube-deployment.yaml b/helm/templates/roundcube-deployment.yaml
index 692f65f..e0b77d1 100644
--- a/helm/templates/roundcube-deployment.yaml
+++ b/helm/templates/roundcube-deployment.yaml
@@ -1,226 +1,231 @@
{{- if and .Values.roundcube.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
alpha.image.policy.openshift.io/resolve-names: '*'
labels:
app: roundcube
app.kubernetes.io/name: roundcube
app.kubernetes.io/part-of: kolab-app
name: roundcube
spec:
replicas: {{ .Values.roundcube.replicas }}
revisionHistoryLimit: 10
selector:
matchLabels:
app: roundcube
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/kolab-configmap.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/kolab-secret.yaml") . | sha256sum }}
checksum/mariadb-secret: {{ include (print $.Template.BasePath "/mariadb-secret.yaml") . | sha256sum }}
labels:
app: roundcube
spec:
{{- if and .Values.openshift }}
# Spread over nodes so source-ip's towards database/imap are distinguishable
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app: roundcube
{{- end }}
volumes:
- name: roundcube-data
emptyDir: {}
{{- if .Values.image.pullSecret }}
imagePullSecrets:
- name: registry-pull-secret
{{- end }}
initContainers:
- name: roundcube-db-wait
image: {{ .Values.image.roundcubeImage }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bash
- -c
- "until echo 'SELECT 1;' | mysql -u \"$DB_RC_USERNAME\" -p\"$DB_RC_PASSWORD\" -h \"$DB_HOST\" \"$DB_RC_DATABASE\"; do echo waiting for mysql; sleep 2; done"
env:
- name: DB_RC_DATABASE
valueFrom:
secretKeyRef:
key: roundcube-database-name
name: mariadb
- name: DB_RC_USERNAME
valueFrom:
secretKeyRef:
key: roundcube-database-user
name: mariadb
- name: DB_RC_PASSWORD
valueFrom:
secretKeyRef:
key: roundcube-database-password
name: mariadb
- name: DB_HOST
valueFrom:
secretKeyRef:
key: database-host
name: mariadb
containers:
- name: roundcube
image: {{ .Values.image.roundcubeImage }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
{{- toYaml .Values.roundcube.resources | nindent 10 }}
ports:
- containerPort: 8080
protocol: TCP
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
envFrom:
- configMapRef:
name: kolab-config
- secretRef:
name: kolab-config-secret
env:
- name: SKIN
value: "{{ .Values.roundcube.skin }}"
- name: FORCE_SKIN
value: "{{ .Values.roundcube.forceSkin }}"
{{- if .Values.roundcube.skinsAllowed }}
- name: SKINS_ALLOWED
value: "{{ .Values.roundcube.skinsAllowed }}"
{{- end }}
- name: RUN_MIGRATIONS
value: "{{ .Values.roundcube.runMigrations }}"
{{- if .Values.roundcube.productName }}
- name: PRODUCT_NAME
value: "{{ .Values.roundcube.productName }}"
{{- end }}
{{- if .Values.roundcube.supportUrl }}
- name: SUPPORT_URL
value: "{{ .Values.roundcube.supportUrl }}"
{{- end }}
- name: DB_RC_DATABASE
valueFrom:
secretKeyRef:
key: roundcube-database-name
name: mariadb
- name: DB_RC_USERNAME
valueFrom:
secretKeyRef:
key: roundcube-database-user
name: mariadb
- name: DB_RC_PASSWORD
valueFrom:
secretKeyRef:
key: roundcube-database-password
name: mariadb
- name: IMAP_TLS
value: "{{ .Values.imap.tls }}"
- name: SUBMISSION_HOST
value: "{{ .Values.postfix.submissionHost }}"
- name: SUBMISSION_PORT
value: "{{ .Values.postfix.submissionPort }}"
- name: SUBMISSION_ENCRYPTION
value: "{{ .Values.postfix.submissionEncryption }}"
- name: FILEAPI_WOPI_OFFICE
value: "http://collabora"
- name: FILEAPI_KOLABFILES_BASEURI
value: "http://kolab/api"
- name: KOLAB_API_URL
value: "http://kolab"
- name: PER_USER_LOGGING
value: "true"
# - name: KOLAB_API_DEBUG
# value: "true"
- name: ACTIVESYNC_DEBUG
value: "true"
# - name: SQL_DEBUG
# value: "true"
# - name: IMAP_DEBUG
# value: "true"
# - name: DAV_DEBUG
# value: "true"
- name: CALENDAR_CALDAV_SERVER
value: "http://imap/dav"
- name: TASKLIST_CALDAV_SERVER
value: "http://imap/dav"
- name: KOLAB_ADDRESSBOOK_CARDDAV_SERVER
value: "http://imap/dav"
# We have to set the public url, otherwise the generated javascript will contain references to internal urls.
- name: KOLAB_FILES_URL
value: "https://{{ template "kolab.websiteDomain" . }}/chwala/"
- name: KOLAB_FILES_SERVER_URL
value: "http://localhost:8080/chwala/"
- name: FILE_API_URL
value: "https://{{ template "kolab.websiteDomain" . }}/chwala/api/"
- name: FILE_API_SERVER_URL
value: "http://roundcube/chwala/api/"
- name: KOLAB_FREEBUSY_SERVER
value: "http://imap/freebusy/user/%u"
- name: LOG_DRIVER
value: "logfmt"
- name: WEBMAIL_URL
value: "{{ .Values.kolab.webmailUrl }}"
- name: REDIS_HOST
value: "{{ .Values.redis.host }}"
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
key: database-password
name: redis
{{- if .Values.roundcube.disabledPlugins }}
- name: DISABLED_PLUGINS
value: {{ .Values.roundcube.disabledPlugins }}
{{- end }}
{{- if .Values.roundcube.extraPlugins }}
- name: EXTRA_PLUGINS
value: {{ .Values.roundcube.extraPlugins }}
{{- end }}
{{- if .Values.roundcube.extraConfig }}
- name: EXTRA_CONFIG
value: |
{{ .Values.roundcube.extraConfig | nindent 14 }}
{{- end }}
- name: DB_HOST
valueFrom:
secretKeyRef:
key: database-host
name: mariadb
- name: DB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
key: database-root-password
name: mariadb
- name: KOLABOBJECTS_COMPAT_MODE
value: "{{ .Values.roundcube.kolabObjectCompatMode }}"
{{- if .Values.roundcube.kolabObjectCompatMode }}
- name: CALDAV_WELLKNOWN_REDIRECT_PATH
value: "/dav"
- name: CARDDAV_WELLKNOWN_REDIRECT_PATH
value: "/dav"
+{{- end }}
+# FIXME this only works in kolabObjectCompatMode for now
+{{- if .Values.roundcube.davUrlBase }}
+ - name: DAV_URL_BASE
+ value: "{{ .Values.roundcube.davUrlBase }}"
{{- end }}
- name: OAUTH_TOKEN_URI
value: "http://kolab/oauth/token/"
- name: OAUTH_REDIRECT_URI
value: "https://{{ template "kolab.websiteDomain" . }}{{ .Values.proxy.webmailPath }}/index.php/login/oauth"
- name: KOLAB_HELPDESK_ALLOWED_TASKS
value: "settings"
volumeMounts:
- mountPath: /data
name: roundcube-data
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
terminationGracePeriodSeconds: 30
{{- end }}
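Review bot: The `DAV_URL_BASE` entry is rendered whenever `.Values.roundcube.davUrlBase` is set, even though the FIXME directly above says it only works in kolabObjectCompatMode; the added `{{- end }}` closes that guard before the new block. Gating on both values, `{{- if and .Values.roundcube.kolabObjectCompatMode .Values.roundcube.davUrlBase }}`, would stop a deployment from being configured with a base URL that, per the FIXME, does not work. The FIXME is a YAML `#` comment and so lands in every rendered manifest; a template comment, `{{- /* FIXME: only works in kolabObjectCompatMode */ -}}`, keeps it in the chart only. The value is also safer written as `value: {{ .Values.roundcube.davUrlBase | quote }}`, because a double quote or backslash in the value breaks the hand-written quoting.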
