// ONLYOFFICE document server.
// JWT secret needs to be generated as follows per environment:
// kubectl -n onlyoffice-prod create secret generic documentserver-jwt --from-literal=jwt=$(pwgen 32 1)
// (Without -s, pwgen emits pronounceable passwords; `pwgen -s 32 1` yields a fully random one.)
local kube = import "../../kube/hscloud.libsonnet";
local policies = import "../../kube/policies.libsonnet";
{
    // Hidden template for one ONLYOFFICE Document Server instance. An
    // instance is made by extending it and overriding cfg (see `prod` below).
    onlyoffice:: {
        local app = self,
        local cfg = app.cfg,

        // Per-instance parameters. namespace and domain have no default:
        // evaluating them without an override raises the error shown.
        cfg:: {
            namespace: error "cfg.namespace must be set",
            domain: error "cfg.domain must be set",
            // NOTE(review): the image is pinned by tag only. A digest pin
            // (image@sha256:<digest>) would also hold if the tag were
            // re-pointed upstream.
            image: "onlyoffice/documentserver:7.0.0.132",
            storageClassName: "waw-hdd-redundant-3",
        },

        ns: kube.Namespace(cfg.namespace),

        // Single 10Gi ReadWriteOnce claim; every persistent directory of the
        // container is a subPath of this one volume (see volumeMounts).
        pvc: app.ns.Contain(kube.PersistentVolumeClaim("documentserver")) {
            spec+: {
                storageClassName: cfg.storageClassName,
                accessModes: ["ReadWriteOnce"],
                resources: { requests: { storage: "10Gi" } },
            },
        },

        deploy: app.ns.Contain(kube.Deployment("documentserver")) {
            spec+: {
                template+: {
                    spec+: {
                        containers_: {
                            documentserver: kube.Container("default") {
                                // Builds one mount of the shared "data" volume:
                                // subPath inside the claim -> path in the container.
                                local dataMount(subPath, mountPath) = {
                                    name: "data",
                                    mountPath: mountPath,
                                    subPath: subPath,
                                },

                                image: cfg.image,
                                resources: {
                                    requests: {
                                        memory: "4G",
                                        cpu: "100m",
                                    },
                                    limits: {
                                        memory: "8G",
                                        cpu: "2",
                                    },
                                },
                                // JWT validation is switched on, and the signing
                                // secret is read from key "jwt" of the Secret
                                // "documentserver-jwt". This file does not create
                                // that Secret; it has to exist in the namespace
                                // already (see the kubectl command in the file header).
                                env_: {
                                    JWT_ENABLED: "true",
                                    JWT_SECRET: {
                                        secretKeyRef: {
                                            name: "documentserver-jwt",
                                            key: "jwt",
                                        },
                                    },
                                },
                                ports_: {
                                    http: { containerPort: 80 },
                                },
                                // Per upstream Dockerfile:
                                // VOLUME /var/log/$COMPANY_NAME /var/lib/$COMPANY_NAME
                                //        /var/www/$COMPANY_NAME/Data /var/lib/postgresql
                                //        /var/lib/rabbitmq /var/lib/redis
                                //        /usr/share/fonts/truetype/custom
                                // NOTE(review): /var/lib/$COMPANY_NAME from that list
                                // has no mount below, so it is not backed by the
                                // claim - confirm this is intended.
                                volumeMounts: [
                                    dataMount(m[0], m[1])
                                    for m in [
                                        ["log", "/var/log/onlyoffice"],
                                        ["www-data", "/var/www/onlyoffice/Data"],
                                        ["postgres", "/var/lib/postgresql"],
                                        ["rabbit", "/var/lib/rabbitmq"],
                                        ["redis", "/var/lib/redis"],
                                        ["fonts", "/usr/share/fonts/truetype/custom"],
                                    ]
                                ],
                            },
                        },
                        volumes_: {
                            data: kube.PersistentVolumeClaimVolume(app.pvc),
                        },
                    },
                },
            },
        },

        // Service in front of the deployment's pod template.
        svc: app.ns.Contain(kube.Service("documentserver")) {
            target_pod:: app.deploy.spec.template,
        },

        // Ingress for cfg.domain, routed to the service above.
        ingress: app.ns.Contain(kube.SimpleIngress("office")) {
            hosts:: [cfg.domain],
            target_service:: app.svc,
        },

        // Needed because the documentserver runs its own supervisor, and:
        //  - rabbitmq wants to mkdir in /run, which starts out with the wrong permissions
        //  - nginx wants to bind to port 80
        // NOTE(review): the exemption is granted per namespace, not per pod
        // (the helper only receives cfg.namespace), so presumably anything
        // else deployed into this namespace inherits it - confirm in
        // policies.libsonnet and keep the namespace dedicated to this workload.
        insecure: policies.AllowNamespaceInsecure(cfg.namespace),
    },

    // Production instance of the template.
    prod: self.onlyoffice {
        cfg+: {
            namespace: "onlyoffice-prod",
            domain: "office.hackerspace.pl",
        },
    },
}