
feat: enable HTTPS, OIDC auth, Collabora, ClamAV, and OPA policies #107

Open
suse-coder wants to merge 23 commits into Tim-herbie:main from suse-coder:main

Conversation

@suse-coder

Summary

This PR enables a production-ready HTTPS deployment with OIDC authentication, document collaboration, virus scanning, and security policies.

Key Changes

🔐 HTTPS & TLS

  • Enable TLS termination via cilium-gateway
  • Configure all services with HTTPS URLs
  • Add HTTP→HTTPS redirect HTTPRoutes for all services
  • Update CSP to use HTTPS URLs
  • Fix config.json to use HTTPS scheme

🔑 OIDC Authentication (Keycloak)

  • Configure Keycloak OIDC with proper redirect URIs
  • Add all required scopes (openid, profile, email, groups, roles)
  • Fix roles mapper to use flat claim name
  • Deploy Keycloak HTTPRoutes in keycloak namespace
  • Enable KC_PROXY=edge for proper HTTPS handling

📄 Document Collaboration (Collabora)

  • Enable Collabora with proper WOPI configuration
  • Fix jail security warnings:
    • Add child_root_path and cache_files.path configuration
    • Set security.capabilities=false
    • Configure proper securityContext (runAsNonRoot, drop ALL capabilities)
    • Add emptyDir volumes for coolwsd-child-roots and coolwsd-cache
  • Add HTTPRoute with proper section names matching gateway listeners

🦠 Virus Scanning (ClamAV)

  • Enable ClamAV virus scanning
  • Configure infected file handling (abort on detection)
  • Set scanner socket to tcp://clamav.clamav.svc.cluster.local:3310

🛡️ Security Policies (OPA)

  • Enable OPA policies for file type restrictions
  • Restrict executable file extensions (.exe, .dll, .msi, etc.)
  • Restrict dangerous MIME types

🌐 HTTPRoutes & Gateway

  • Add HTTP→HTTPS redirect routes for all services
  • Use proper section names matching cilium-gateway listeners:
    • opencloud-proxy-http/https
    • opencloud-keycloak-http/https
    • opencloud-collabora-http/https
    • opencloud-wopi-http/https
  • Deploy Keycloak routes in keycloak namespace (no cross-namespace refs)

📚 Documentation

  • Update README with helmfile sync installation method
  • Update NOTES.txt with HTTPS URLs and enabled features
  • Update prerequisites for Kubernetes 1.33+ and Gateway API
  • Add enabled features checklist

Storage

  • Use ceph-cephfs StorageClass with RWX access mode
  • Dynamic provisioning for persistent volumes

Testing

  • Verified HTTPS access to all services
  • Verified OIDC login flow with Keycloak
  • Verified Collabora document editing
  • Verified ClamAV virus scanning
  • Verified OPA policy enforcement
  • Verified HTTP→HTTPS redirects
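The listener/route pairing the description refers to (HTTP→HTTPS redirect routes attached by sectionName to the cilium-gateway listeners), as an added illustration that is not part of this PR's templates: a Gateway with the opencloud-proxy-http/https listener pair, a redirect-only HTTPRoute on the plain-HTTP listener, and the real route on the HTTPS listener. The gateway name, namespace, GatewayClass, hostname, TLS Secret, backend Service name and port are assumed placeholders.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: cilium-gateway            # assumed Gateway name
  namespace: opencloud            # assumed namespace
spec:
  gatewayClassName: cilium        # assumed GatewayClass
  listeners:
    - name: opencloud-proxy-http  # this name is what sectionName must match
      protocol: HTTP
      port: 80
      hostname: cloud.example.test   # placeholder host
    - name: opencloud-proxy-https
      protocol: HTTPS
      port: 443
      hostname: cloud.example.test
      tls:
        mode: Terminate           # TLS ends at the gateway, as in the PR
        certificateRefs:
          - name: opencloud-tls   # assumed Secret holding the certificate
---
# Attached only to the HTTP listener: every request gets a redirect,
# so no application traffic is ever proxied in clear text.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: opencloud-proxy-redirect
  namespace: opencloud
spec:
  parentRefs:
    - name: cilium-gateway
      sectionName: opencloud-proxy-http
  hostnames: ["cloud.example.test"]
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: opencloud-proxy
  namespace: opencloud
spec:
  parentRefs:
    - name: cilium-gateway
      sectionName: opencloud-proxy-https
  hostnames: ["cloud.example.test"]
  rules:
    - backendRefs:
        - name: opencloud-proxy   # assumed Service name
          port: 9200              # assumed proxy port
```

If a sectionName names no listener, the route is not attached: `kubectl describe httproute` shows an Accepted=False condition with reason NoMatchingParent, which is the quick check for the section-name mismatches this PR corrects.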

suse-coder added 12 commits June 6, 2026 12:22
Add helmfile.yaml composing OpenCloud + Keycloak + OpenLDAP + ClamAV
as separate charts, based on SOURCE helmfile.yaml (564 lines).

Releases:
- opencloud-secrets: shared OIDC, LDAP bind, and S3 credentials
- keycloak: bitnami/keycloak v24.3.0 with auto-imported openCloud realm
- openldap: osixia/openldap with custom schema + LDIF (users/groups)
- clamav: wiremind/clamav v3.7.1 with 2 replicas
- opencloud: monolithic chart with full SOURCE configuration

Configuration sections from SOURCE helmfile:
- Logging, external domain, ingress/gateway
- OIDC/external user management (claims, role assignment, LDAP)
- Secret refs, insecure settings
- Quotas, antivirus, SMTP
- OPA Rego policies (proxy, postprocessing, utils)
- Apps integration (WOPI with Collabora + OnlyOffice)
- Web extensions (6 init containers)

Migration plan reference: Phase 0, Task 0.2

Add 9 unit tests verifying external OIDC and LDAP configuration:
- OC_OIDC_ISSUER set from external issuer URL
- WEB_OIDC_METADATA_URL derived from issuer URL
- Keycloak deployment disabled when oidc.enabled=false
- Keycloak deployment created when oidc.enabled=true
- LDAP bind passwords use internal IDM secrets by default (documents gap)
- S3 credentials reference when decomposeds3 is used
- External user management with admin UUID
- LDAP connection configuration for external user management

Test results: 6 suites, 24 tests, all passing.
Note: LDAP bind secret tests document a gap to be fixed in Phase 1
(external ldap-bind-secrets not yet supported in deployment template).

Migration plan reference: Phase 0, Task 0.4

BREAKING CHANGE: Integrated Keycloak and PostgreSQL deployments removed.
OpenCloud now requires an external OIDC provider (e.g., Keycloak deployed
separately via helmfile).

Changes:
- Remove templates/keycloak/ directory (7 files)
- Remove templates/postgres/ directory (4 files)
- Remove files/keycloak/ directory (realm template, entrypoint script)
- Update values.yaml: replace oidc.enabled/external with direct oidc.issuerUrl/clientId
- Remove postgres section from values.yaml
- Update _helpers/tpl.yaml: simplify OIDC helpers, remove keycloak/postgres helpers
- Update deployment.yaml: use oidc.issuerUrl directly instead of oidc.enabled/external
- Update gateway.yaml: remove Keycloak listener
- Update NOTES.txt: remove Keycloak/PostgreSQL references
- Update tests: remove Keycloak HTTPRoute/Ingress tests, update OIDC tests

Migration: Users must deploy Keycloak separately (e.g., bitnami/keycloak via helmfile)
and configure oidc.issuerUrl and oidc.clientId in values.yaml.

Test results: 6 suites, 23 tests, all passing.

Migration plan reference: Phase 1, Task 1.0

Add Timoni bundles for deploying OpenCloud and dependencies via FluxCD:

opencloud bundle:
- opencloud.cue: main bundle definition for monolithic chart
- runtime.cue: runtime values from ConfigMap/Secrets
- configmap.yaml: OpenCloud configuration
- secret.yaml: OIDC, LDAP bind, S3 credentials
- sa.yaml: Flux ServiceAccount + RBAC

openldap bundle (osixia/openldap):
- openldap.cue: bundle with custom LDIF + OpenCloud schema
- runtime.cue: runtime values from ConfigMap/Secrets
- configmap.yaml: LDAP configuration
- secret.yaml: admin credentials
- sa.yaml: Flux ServiceAccount + RBAC

clamav bundle (wiremind/clamav):
- clamav.cue: bundle with HA config (2 replicas, PDB, topology spread)
- runtime.cue: runtime values from ConfigMap
- configmap.yaml: ClamAV configuration
- sa.yaml: Flux ServiceAccount + RBAC (via service-account instance)

Includes README.md with install/upgrade instructions.

Test results: 6 suites, 23 tests, all passing.

Migration plan reference: Phase 1, Task 1.2

Add antivirus scanning configuration to support ClamAV or ICAP scanners:

values.yaml:
- opencloud.antivirus.enabled: enable/disable scanning
- opencloud.antivirus.infectedFileHandling: abort/continue/delete
- opencloud.antivirus.scannerType: clamav or icap
- opencloud.antivirus.clamavSocket: ClamAV socket endpoint
- opencloud.antivirus.icapUrl: ICAP server URL
- opencloud.antivirus.icapService: ICAP service name

deployment.yaml:
- ANTIVIRUS_ENABLED, ANTIVIRUS_SCANNER_TYPE env vars
- ANTIVIRUS_INFECTED_FILE_HANDLING env var
- ANTIVIRUS_CLAMAV_SOCKET (when scannerType=clamav)
- ANTIVIRUS_ICAP_URL, ANTIVIRUS_ICAP_SERVICE (when scannerType=icap)

tests/antivirus_test.yaml:
- 8 unit tests covering all antivirus configurations
- Tests for clamav scanner type
- Tests for icap scanner type
- Tests for infected file handling options

Test results: 7 suites, 31 tests, all passing.

Migration plan reference: Phase 2, Tasks 2.1-2.3

Add support for explicit storage driver selection for user files:

values.yaml:
- opencloud.storage.usersDriver: explicit driver selection
  - decomposeds3 (default when mode=s3)
  - posix (default when mode=posixfs)
  - decomposed (metadata only, no blob storage)
- If usersDriver is not set, derives from mode field

deployment.yaml:
- Updated STORAGE_USERS_DRIVER to use explicit usersDriver if set
- Falls back to mode-based selection if usersDriver is empty

tests/storage_test.yaml:
- 9 unit tests covering all storage driver configurations
- Tests for default behavior (mode-based)
- Tests for explicit driver override
- Tests for posixfs and s3 configurations

Test results: 8 suites, 40 tests, all passing.

Migration plan reference: Phase 3, Tasks 3.1-3.3

…k 4.1-4.2)

Add comprehensive JSON Schema for values.yaml validation:
- Global settings (domain, TLS, image)
- OIDC configuration (issuerUrl, clientId, CORS)
- Secret references (LDAP, S3)
- Features (external user management, virusscan, email)
- OpenCloud settings (replicas, logLevel, storage, NATS, SMTP, antivirus)
- HTTPRoute and Ingress configuration
- Collabora settings

Schema validates:
- Required formats (hostname, uri, uuid)
- Enum values (logLevel, storage drivers, access modes, etc.)
- Type constraints (boolean, integer, string)

Test results: Schema validation working correctly.

Migration plan reference: Phase 4, Tasks 4.1-4.2

Add mutual exclusion assertion and comprehensive Collabora tests:

deployment.yaml:
- Add mutual exclusion check: fails if both internal and external Collabora enabled
- WOPI proof key generation already present (coolconfig generate-proof-key)

tests/collabora_test.yaml:
- 10 unit tests covering all Collabora configurations
- Tests for mutual exclusion (internal vs external)
- Tests for WOPI proof key generation
- Tests for WOPI alias group configuration
- Tests for SSL configuration (enabled/disabled)
- Tests for MKNOD capability
- Tests for liveness and readiness probes

Test results: 9 suites, 50 tests, all passing.

Migration plan reference: Phase 5, Tasks 5.1-5.3

…hase 6)

- Add ServiceMonitor template for Prometheus monitoring
- Add extra-resources template for arbitrary K8s resources
- Add custom CA chain helper for inter-service TLS
- Add OPA Rego policies ConfigMap for file/MIME restrictions
- Add monitoring, extraResources, customCA, and policies sections to values.yaml
- Add comprehensive tests for all new features (monitoring_test.yaml)
- Fix ingress section indentation in values.yaml

All 60 tests pass across 10 test suites.

- Enable HTTPS with TLS termination via cilium-gateway
- Configure Keycloak OIDC with proper redirect URIs and scopes
- Add HTTP→HTTPS redirect routes for all services
- Enable Collabora with jail security fixes (child_root_path, capabilities)
- Enable ClamAV virus scanning with infected file handling
- Enable OPA policies for file type restrictions
- Fix CSP to use HTTPS URLs
- Update config.json to use HTTPS scheme
- Add proper section names for all HTTPRoutes matching gateway listeners
- Replace helm install with helmfile sync in Quick Start
- Update prerequisites to mention Gateway API compatible ingress
- Update component list (ClamAV, OPA, OpenLDAP instead of MinIO)
- Update NOTES.txt with HTTPS URLs instead of port-forward
- Update storage section to reflect ceph-cephfs RWX
- Add enabled features section to NOTES.txt
- Update production readiness checklist
- Update component list (OpenLDAP, ClamAV instead of PostgreSQL, MinIO)
- Add helmfile sync as primary installation method
- Update prerequisites for Kubernetes 1.33+ and Gateway API
- Update installation examples with correct gateway section names
@suse-coder (Author)

Do you know if the following, in the opencode pod, is normal? I guess you had that also.

{"level":"error","service":"storage-users","host.name":"opencloud-opencloud-6f8488f87b-g47fb","pkg":"rgrpc","driver":"posix","error":"error: not found: record not found in cache","path":"/var/lib/opencloud/storage/metadata/spaces/f1/bdd61a-da7c-49fc-8203-0558109d1b4f/nodes/3b","time":"2026-06-06T20:49:12Z","line":"github.com/opencloud-eu/reva/v2@v2.46.2-0.20260602061404-0e975e5456eb/pkg/storage/fs/posix/tree/assimilation.go:991","message":"could not get ids for path"}
{"level":"error","service":"storage-users","host.name":"opencloud-opencloud-6f8488f87b-g47fb","pkg":"rgrpc","driver":"posix","error":"error: not found: record not found in cache","path":"/var/lib/opencloud/storage/metadata/spaces/f1/bdd61a-da7c-49fc-8203-0558109d1b4f/nodes/78/1a","time":"2026-06-06T20:49:12Z","line":"github.com/opencloud-eu/reva/v2@v2.46.2-0.20260602061404-0e975e5456eb/pkg/storage/fs/posix/tree/assimilation.go:991","message":"could not get ids for path"}

suse-coder added 11 commits June 6, 2026 20:52
…ncloud.eu to CSP

- Add frontendCheckForUpdates value (default: false) to disable update checks
- Make FRONTEND_CHECK_FOR_UPDATES environment variable configurable via values
- Add https://update.opencloud.eu/ to CSP connect-src to allow update checks when enabled
- Update helmfile to disable update checks by default
- Enable TLS, posixfs storage with RWX access mode
- Enable antivirus (ClamAV), OPA policies, Collabora
- Add httpRoute gateway sectionName configuration
- Add frontendCheckForUpdates setting
- Update runtime.cue, opencloud.cue, and configmap.yaml
- Second instance uses opencloud2.test domains
- Shares Keycloak and OpenLDAP with first instance
- Uses opencloud2 sectionName for HTTPRoute
- Commented out by default, uncomment to deploy
- Comment out opencloud2 instance in helmfile (multi-tenant example)
- Remove unused OIDC credentials from Timoni secret.yaml
- Update NOTES.txt to remove Keycloak section when OIDC is configured
- Make deployment strategy conditional on RWX access mode
- Add decomposed driver configuration in values.yaml
- Add STORAGE_USERS_OC_MAX_CONCURRENCY env var for decomposed driver
- Support decomposed driver in deployment template alongside posixfs and decomposeds3
- Add decomposed object with maxConcurrency property to storage schema
…ction

- Add warning about CephFS snapshot/clone issues with posixfs mode
- Recommend decomposed driver as alternative for CephFS environments
- Add decomposed storage settings table to README
- Add conditional warning in NOTES.txt when posixfs is used
- Add decomposed storage mode to values.yaml and schema
- Implement decomposed PVC, volume mount, and strategy logic
- Update deployment template to support decomposed driver
- Add CephFS backup warning for posixfs mode
- Update helmfile with decomposedfs configuration
- Add data PVC size configuration to helmfile
- Update README with decomposed storage settings
- Add conditional warning in NOTES.txt for posixfs + CephFS
- Update Chart.yaml version from 2.4.3 to 2.4.4
- Keep 2.4.3 entry in version table, add 2.4.4
- Update Timoni deployment version references