Merge pull request #35 from wkloucek/revamp-wopiserver

revamp wopiserver
cs3org · Jul 30, 2022 · d3275cc · d3275cc
2 parents fae6dc9 + 709d64a
commit d3275cc
Show file tree

Hide file tree

Showing 15 changed files with 239 additions and 318 deletions.
diff --git a/wopiserver/Chart.yaml b/wopiserver/Chart.yaml
@@ -2,13 +2,12 @@ apiVersion: v2
 name: wopiserver
 description: A Vendor-neutral Web-application Open Platform Interface (WOPI) gateway for EFSS systems
 type: application
-version: 0.4.0
-appVersion: v6.7.0
+version: 0.5.0
+appVersion: v8.3.2
 kubeVersion: ">= 1.19.0"
 home: https://github.com/cs3org/wopiserver
 sources:
   - https://github.com/cs3org/wopiserver
-  - https://github.com/cs3org/wopibridge
 maintainers:
   - name: SamuAlfageme
     email: samuel.alfageme.sainz@cern.ch
@@ -19,10 +18,9 @@ keywords:
   - efss
 annotations:
   artifacthub.io/changes: |
-    - "Increase pinned versions to improve compatibility with sciencemes/MeshApps@0.1.0"
+    - "Switch to newer CS3org WOPI server version."
+    - "Revamp configuration options."
   artifacthub.io/images: |
     - name: wopiserver
-      image: cs3org/wopiserver:v6.7.0
-    - name: wopibridge
-      image: cs3org/wopibridge:v4.0.0
+      image: cs3org/wopiserver:v8.3.2
   artifacthub.io/containsSecurityUpdates: "false"
diff --git a/wopiserver/README.md b/wopiserver/README.md
diff --git a/wopiserver/ci/wopibridge-values.yaml b/wopiserver/ci/wopibridge-values.yaml
diff --git a/wopiserver/templates/_helpers.tpl b/wopiserver/templates/_helpers.tpl
@@ -43,13 +43,6 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 
-{{- define "wopibridge.labels" -}}
-helm.sh/chart: {{ include "wopiserver.chart" . }}
-{{ include "wopibridge.selectorLabels" . }}
-app.kubernetes.io/version: {{ .Values.wopibridge.image.tag | quote }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end -}}
-
 {{/*
 Selector labels
 */}}
@@ -58,11 +51,6 @@ app.kubernetes.io/name: {{ include "wopiserver.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
-{{- define "wopibridge.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "wopiserver.name" . }}-{{ .Values.wopibridge.name }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end -}}
-
 {{/*
 Returns the WOPI Server external URL
 */}}
@@ -81,21 +69,3 @@ Returns the WOPI Server external URL
     {{- end -}}
   {{- end -}}
 {{- end -}}
-
-{{- define "wopibridge.url" -}}
-{{- with .Values.wopibridge -}}
-  {{- if .bridgeUrl -}}
-    {{- .bridgeUrl }}
-  {{- else -}}
-    {{- if .ingress.hostname -}}
-      {{- if .ingress.tls -}}
-      https://{{ .ingress.hostname }}{{ .ingress.path }}
-      {{- else -}}
-      http://{{ .ingress.hostname }}{{ .ingress.path }}
-      {{- end -}}
-    {{- else -}}
-      http://{{ template "wopiserver.fullname" $ }}-{{ .name }}:{{ .service.port }}
-    {{- end -}}
-  {{- end -}}
-{{- end -}}
-{{- end -}}
diff --git a/wopiserver/templates/_tplvalues.tpl b/wopiserver/templates/_tplvalues.tpl
@@ -0,0 +1,13 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" .) }}
+*/}}
+{{- define "common.tplvalues.render" -}}
+    {{- if typeIs "string" .value }}
+        {{- tpl .value .context }}
+    {{- else }}
+        {{- tpl (.value | toYaml) .context }}
+    {{- end }}
+{{- end -}}
diff --git a/wopiserver/templates/configmap.yaml b/wopiserver/templates/configmap.yaml
@@ -5,32 +5,120 @@ metadata:
   labels:
     {{- include "wopiserver.labels" . | nindent 4 }}
 data:
-  # TODO: move hardcoded values to fallback values
-  # https://docs.python.org/3/library/configparser.html#fallback-values
   wopiserver.conf: |-
+    # This config is based on https://github.com/cs3org/wopiserver/blob/master/wopiserver.conf
+
     [general]
+    # Storage access layer to be loaded in order to operate this WOPI server
     storagetype = cs3
-    port = {{ .Values.service.port }}
 
-{{- range $provider, $url := index .Values.config.appProviders }}
-    {{ $provider }} = {{ $url }}
-{{- end }}
+    # Port where to listen for WOPI requests
+    port = {{ .Values.service.port }}
 
-    tokenvalidity = 86400
+    # Logging level.
+    # Valid values are: Debug, Info, Warning, Error.
+    loglevel = {{ .Values.config.logLevel }}
 
+    # URL of your WOPI server or your HA proxy in front of it
     wopiurl = {{ template "wopiserver.url" . }}
-    downloadurl = {{ template "wopiserver.url" . }}/wopi/cbox/download
 
-    loglevel = {{ .Values.config.loglevel }}
+    # URL for direct download of files. The complete URL that is sent
+    # to clients will include the access_token argument
+    downloadurl = {{ template "wopiserver.url" . }}/wopi/iop/download
+
+    # The internal server engine to use (defaults to flask).
+    # Set to waitress for production installations.
+    internalserver = waitress
+
+    # List of file extensions deemed incompatible with LibreOffice:
+    # interoperable locking will be disabled for such files
+    nonofficetypes = .md .zmd .txt .epd
+
+    # List of file extensions to be supported by Collabora (deprecated)
+    codeofficetypes = .odt .ott .ods .ots .odp .otp .odg .otg .doc .dot .xls .xlt .xlm .ppt .pot .pps .vsd .dxf .wmf .cdr .pages .number .key
+
+    # WOPI access token expiration time [seconds]
+    tokenvalidity = {{ .Values.config.token.validity }}
+
+    # WOPI lock expiration time [seconds]
+    wopilockexpiration = {{ .Values.config.wopi.lock.expiration }}
+
+    # WOPI lock strict check: if True, WOPI locks will be compared according to specs,
+    # that is their representation must match. False (default) allows for a more relaxed
+    # comparison, which compensates incorrect lock requests from Microsoft Office Online
+    # on-premise setups.
+    wopilockstrictcheck = False
+
+    # Enable support of rename operations from WOPI apps. This is currently
+    # disabled by default as it has been observed that both MS Office and Collabora
+    # Online do not play well with this feature.
+    enablerename = {{ .Values.config.enableRename }}
+
+    # Detection of external Microsoft Office or LibreOffice locks. By default, lock files
+    # compatible with Office for Desktop applications are detected, assuming that the
+    # underlying storage can be mounted as a remote filesystem: in this case, WOPI GetLock
+    # and SetLock operations return such locks and prevent online apps from entering edit mode.
+    # This feature can be disabled in order to operate a pure WOPI server for online apps.
+    detectexternallocks = {{ .Values.config.detectExternalLocks }}
+
+    # Location of the webconflict files. By default, such files are stored in the same path
+    # as the original file. If that fails (e.g. because of missing permissions),
+    # an attempt is made to store such files in this path if specified, otherwise
+    # the system falls back to the recovery space (cf. io|recoverypath).
+    # The keywords <user_initial> and <username> are replaced with the actual username's
+    # initial letter and the actual username, respectively, so you can use e.g.
+    # /your_storage/home/user_initial/username
+    #conflictpath = /
+
+    # ownCloud's WOPI proxy configuration. Disabled by default.
+    #wopiproxy = https://external-wopi-proxy.com
+    #wopiproxysecretfile = /path/to/your/shared-key-file
+    #proxiedappname = Name of your proxied app
 
     [security]
+    # Location of the secret files. Requires a restart of the
+    # WOPI server when either the files or their content change.
+    wopisecretfile = /var/run/secrets/wopisecret
+    # iop secret is not used for cs3 storage type
+    #iopsecretfile = /var/run/secrets/iopsecret
+
+    # Use https as opposed to http (requires certificate)
     usehttps = no
-    wopisecretfile = /etc/wopi/wopisecret
-    iopsecretfile = /etc/wopi/iopsecret
 
-    [cs3]
-    revagateway = {{ .Values.config.cs3.revahost }}
-    authtokenvalidity = 3600
+    # Certificate and key for https. Requires a restart
+    # to apply a change.
+    wopicert = /etc/grid-security/host.crt
+    wopikey = /etc/grid-security/host.key
+
+    [bridge]
+    # SSL certificate check for the connected apps
+    sslverify = {{ .Values.config.bridge.sslVerify }}
+
+    # Minimal time interval between two consecutive save operations [seconds]
+    #saveinterval = 200
+
+    # Minimal time interval before a closed file is WOPI-unlocked [seconds]
+    #unlockinterval = 90
+
+    # CodiMD: disable creating zipped bundles when files contain pictures
+    #disablezip = False
 
     [io]
+    # Size used for buffered reads [bytes]
     chunksize = 4194304
+
+    # Path to a recovery space in case of I/O errors when reaching to the remote storage.
+    # This is expected to be a local path, and it is provided in order to ease user support.
+    # Defaults to the indicated spool folder.
+    #recoverypath = /var/spool/wopirecovery
+
+    [cs3]
+    # Host and port of the Reva(-like) CS3-compliant GRPC gateway endpoint
+    revagateway = {{ .Values.config.cs3.gateway }}
+
+    # Reva/gRPC authentication token expiration time [seconds]
+    # The default value matches Reva's default
+    authtokenvalidity = {{ .Values.config.cs3.authTokenValidity }}
+
+    # SSL certificate check for Reva
+    sslverify = {{ .Values.config.cs3.sslVerify }}
diff --git a/wopiserver/templates/deployment.yaml b/wopiserver/templates/deployment.yaml
@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "wopiserver.fullname" . }}
+  name: {{ template "wopiserver.fullname" . }}
   labels:
     {{- include "wopiserver.labels" . | nindent 4 }}
 spec:
@@ -13,32 +13,40 @@ spec:
     metadata:
       labels:
         {{- include "wopiserver.selectorLabels" . | nindent 8 }}
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
     spec:
+      securityContext:
+          fsGroup: {{ $.Values.securityContext.fsGroup }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: {{ $.Values.securityContext.runAsUser }}
+            runAsGroup: {{ $.Values.securityContext.runAsGroup }}
+            readOnlyRootFilesystem: true
+          resources: {{ toYaml $.Values.resources | nindent 12 }}
           ports:
             - name: http
               containerPort: 8880
               protocol: TCP
           volumeMounts:
-            - name: {{ include "wopiserver.fullname" . }}-confdir
+            - name: tmp-volume
+              mountPath: /tmp
+            - name: log-volume
+              mountPath: /var/log/wopi/
+            - name: recovery-volume
+              mountPath: /var/spool/wopirecovery/
+            # config
+            - name: config
               mountPath: /etc/wopi/wopiserver.conf
               subPath: wopiserver.conf
-            - name: {{ include "wopiserver.fullname" . }}-confdir
-              mountPath: /etc/wopi/wopisecret
+            # secrets
+            - name: secrets
+              mountPath: /var/run/secrets/wopisecret
               subPath: wopisecret
-            - name: {{ include "wopiserver.fullname" . }}-confdir
-              mountPath: /etc/wopi/iopsecret
-              subPath: iopsecret
-            {{- if .Values.extraVolumeMounts }}
-            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
-            {{- end }}
-          {{- if .Values.env }}
-          env:
-            {{- toYaml .Values.env | nindent 12 }}
-          {{- end }}
           livenessProbe:
             httpGet:
               path: /
@@ -48,13 +56,19 @@ spec:
               path: /
               port: http
       volumes:
-        - name: {{ include "wopiserver.fullname" . }}-confdir
-          projected:
-            sources:
-              - configMap:
-                  name: {{ template "wopiserver.fullname" . }}-config
-              - secret:
-                  name: {{ template "wopiserver.fullname" . }}-secrets
-        {{- if .Values.extraVolumes }}
-        {{- toYaml .Values.extraVolumes | nindent 8 }}
-        {{- end }}
+        - name: tmp-volume
+          emptyDir: {}
+        - name: log-volume
+          emptyDir: {}
+        - name: recovery-volume
+          emptyDir: {}
+        - name: config
+          configMap:
+            name: {{ template "wopiserver.fullname" . }}-config
+        - name: secrets
+          secret:
+            {{ if .Values.secretsRef }}
+            secretName: {{ .Values.secretsRef }}
+            {{ else }}
+            secretName: {{ template "wopiserver.fullname" . }}-secrets
+            {{ end }}
diff --git a/wopiserver/templates/extra-resources.yaml b/wopiserver/templates/extra-resources.yaml
@@ -0,0 +1,4 @@
+{{- range .Values.extraResources }}
+---
+{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
+{{- end }}
diff --git a/wopiserver/templates/secrets.yaml b/wopiserver/templates/secrets.yaml
@@ -1,3 +1,4 @@
+{{ if not .Values.secretsRef }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -6,13 +7,9 @@ metadata:
     {{- include "wopiserver.labels" . | nindent 4 }}
 type: Opaque
 data:
-  {{ if .Values.config.wopisecret }}
-  wopisecret: "{{ .Values.config.wopisecret | b64enc }}"
+  {{ if .Values.secrets.wopiSecret }}
+  wopisecret: "{{ .Values.secrets.wopiSecret | b64enc }}"
   {{ else }}
   wopisecret: "{{ randAlphaNum 24 | b64enc }}"
   {{ end }}
-  {{ if .Values.config.iopsecret }}
-  iopsecret: "{{ .Values.config.iopsecret | b64enc }}"
-  {{ else }}
-  iopsecret: "{{ randAlphaNum 24 | b64enc }}"
-  {{ end }}
+{{ end }}
diff --git a/wopiserver/templates/service.yaml b/wopiserver/templates/service.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "wopiserver.fullname" . }}
+  name: {{ template "wopiserver.fullname" . }}
   labels:
     {{- include "wopiserver.labels" . | nindent 4 }}
 spec: