feat: enable HTTPS, OIDC auth, Collabora, ClamAV, and OPA policies

README.md

@@ -18,7 +18,7 @@ Welcome to the **Opencloud Helm Chart** repository! This repository is intended
 
 This repository is created to **welcome contributions from the community**. It does not contain official charts from OpenCloud GmbH and is **not officially supported by OpenCloud GmbH**. Instead, these charts are maintained by the open-source community.
 
-OpenCloud is a cloud collaboration platform that provides file sync and share, document collaboration, and more. This Helm chart deploys OpenCloud with Keycloak for authentication, MinIO for object storage and Collabora for document editing.
+OpenCloud is a cloud collaboration platform that provides file sync and share, document collaboration, and more. This Helm chart deploys OpenCloud with Keycloak for authentication, OpenLDAP for user management, ClamAV for virus scanning, and Collabora for document editing.
 
 ## 🚀 Version table
 
@@ -34,7 +34,7 @@ OpenCloud is a cloud collaboration platform that provides file sync and share, d
 | 6.1.0            | 2.2.0 |
 | 6.2.0            | 2.3.0 |
 | 7.0.0            | 2.4.0, 2.4.1, 2.4.2 |
-| 7.1.0            | 2.4.3 |
+| 7.1.0            | 2.4.3, 2.4.4 |
 
 
 ## 💡 Contributing
@@ -52,7 +52,7 @@ This includes:
 - Kubernetes 1.33+
 - Helm 3.18.0+
 - PV provisioner support in the underlying infrastructure (if persistence is enabled)
-- External ingress controller (e.g., Traefik) for routing traffic to the services
+- Gateway API compatible ingress controller (e.g., Cilium Gateway) for HTTPS routing
 
 ## 📦 Available Charts
 
@@ -63,9 +63,11 @@ This repository contains the following charts:
 The complete OpenCloud deployment with all components for production use:
 
 - Full microservices architecture
-- Keycloak for authentication
-- MinIO for object storage
+- Keycloak for OIDC authentication
+- OpenLDAP for user directory
+- ClamAV for virus scanning
 - Document editing with Collabora
+- OPA policies for file type restrictions
 
 [View Production Chart Documentation](./charts/opencloud/README.md)
 
@@ -75,13 +77,21 @@ This project is licensed under the **AGPLv3** license. See the [LICENSE](LICENSE
 
 ## ⚡ Quick Start
 
-Follow these steps to quickly deploy OpenCloud using the Helm chart:
+Follow these steps to quickly deploy OpenCloud using Helmfile:
 
-1. **Install the OpenCloud Helm chart:**
-  ```sh
-  helm install opencloud \
-    oci://ghcr.io/tim-herbie/opencloud-helm/opencloud \
-    --version 2.4.3 \
-    --namespace opencloud \
-    --create-namespace
-  ```
+1. **Navigate to the helmfile directory:**
+   ```sh
+   cd charts/opencloud/deployments/helm
+   ```
+
+2. **Deploy the full stack:**
+   ```sh
+   helmfile sync
+   ```
+
+   This deploys Keycloak, OpenLDAP, ClamAV, and OpenCloud with Collabora in their respective namespaces.
+
+3. **Verify the deployment:**
+   ```sh
+   kubectl get pods -A | grep -E "opencloud|keycloak|openldap|clamav"
+   ```

charts/opencloud/Chart.yaml

@@ -9,7 +9,7 @@ maintainers:
   - name: Tim Herbert
     url: https://timherbert.de
 type: application
-version: 2.4.3
+version: 2.4.4
 # renovate: datasource=docker depName=opencloudeu/opencloud-rolling
 appVersion: latest
 kubeVersion: ""

charts/opencloud/README.md

@@ -33,7 +33,7 @@ Welcome to the **OpenCloud Helm Charts** repository! This repository is intended
 
 This repository is created to **welcome contributions from the community**. It does not contain official charts from OpenCloud GmbH and is **not officially supported by OpenCloud GmbH**. Instead, these charts are maintained by the open-source community.
 
-OpenCloud is a cloud collaboration platform that provides file sync and share, document collaboration, and more. This Helm chart deploys OpenCloud with Keycloak for authentication, MinIO for object storage, and options for document editing with Collabora.
+OpenCloud is a cloud collaboration platform that provides file sync and share, document collaboration, and more. This Helm chart deploys OpenCloud with Keycloak for OIDC authentication, OpenLDAP for user directory, ClamAV for virus scanning, and Collabora for document editing.
 
 ## 💬 Community
 
@@ -56,37 +56,37 @@ Please ensure that your PR follows best practices and includes necessary documen
 
 ## Prerequisites
 
-- Kubernetes 1.19+
-- Helm 3.2.0+
+- Kubernetes 1.33+
+- Helm 3.18.0+
 - PV provisioner support in the underlying infrastructure (if persistence is enabled)
-- External ingress controller (e.g., Cilium Gateway API) for routing traffic to the services
+- Gateway API compatible ingress controller (e.g., Cilium Gateway) for HTTPS routing
 
 ## 📦 Installation
 
-To install the chart with the release name `opencloud`:
+To install the full stack using Helmfile:
 
 ```bash
-# Navigate to the chart directory first
-cd /path/to/helm-repo/charts/opencloud
+# Navigate to the helmfile directory
+cd charts/opencloud/deployments/helm
 
-# Then run the installation command
-helm install opencloud . \
-  --namespace opencloud \
-  --create-namespace \
-  --set httpRoute.enabled=true \
-  --set httpRoute.gateway.name=opencloud-gateway \
-  --set httpRoute.gateway.namespace=kube-system
+# Deploy all components (Keycloak, OpenLDAP, ClamAV, OpenCloud)
+helmfile sync
 ```
 
-Alternatively, from the repository root:
+Alternatively, to install just the OpenCloud chart with Helm:
 
 ```bash
-helm install opencloud ./charts/opencloud \
+# Navigate to the chart directory first
+cd /path/to/helm-repo/charts/opencloud
+
+# Then run the installation command
+helm install opencloud . \
   --namespace opencloud \
   --create-namespace \
   --set httpRoute.enabled=true \
-  --set httpRoute.gateway.name=opencloud-gateway \
-  --set httpRoute.gateway.namespace=kube-system
+  --set httpRoute.gateway.name=cilium-gateway \
+  --set httpRoute.gateway.namespace=kube-system \
+  --set httpRoute.gateway.sectionName=opencloud
 ```
 
 ## Architecture
@@ -95,8 +95,8 @@ This Helm chart deploys the following components:
 
 1. **OpenCloud** - Main application (fork of ownCloud Infinite Scale)
 2. **Keycloak** - Authentication provider with OpenID Connect
-3. **PostgreSQL** - Database for Keycloak
-4. **MinIO** - S3-compatible object storage
+3. **OpenLDAP** - User directory service
+4. **ClamAV** - Virus scanning for uploaded files
 5. **Collabora** - Online document editor (CODE - Collabora Online Development Edition)
 6. **Collaboration Service** - WOPI server that connects OpenCloud with document editors
 
@@ -250,7 +250,7 @@ This will prepend `my-registry.com/` to all image references in the chart. For e
 | `opencloud.smtp.insecure` | SMTP insecure | `false` |
 | `opencloud.smtp.authentication` | SMTP authentication | `plain` |
 | `opencloud.smtp.encryption` | SMTP encryption | `starttls` |
-| `opencloud.storage.mode` | Choice between s3 and posixfs for user files | `s3` |
+| `opencloud.storage.mode` | Choice between `s3`, `posixfs`, or `decomposed` for user files | `s3` |
 | `opencloud.proxyTls` | Use TLS between proxy and OpenCloud | `false` |
 | `opencloud.gatewayGrpcAddr` | gRPC address for the REVA gateway | `0.0.0.0:9142` |
 | `opencloud.proxyEnableBasicAuth` | Enable basic auth for proxy | `false` |
@@ -327,17 +327,29 @@ The following options allow setting up a POSIX-compatible filesystem (such as NF
 
 **Note:** When using `posixfs` mode, ensure that the underlying storage supports the required access mode (e.g., `ReadWriteMany` for multiple replicas). The underlying filesystem must support `flock` and `xattrs` so for NFS the minimum version is 4.2.
 
-### NATS Messaging Configuration
+> **Warning: CephFS and Backup Compatibility**
+>
+> When using `posixfs` with **CephFS** as the underlying storage, be aware that CephFS snapshot and clone operations may not work correctly in some Ceph versions. This can cause backup tools (e.g., Velero, Kasten) to fail when trying to snapshot the PVC.
+>
+> If you rely on PVC-level backups, consider using the **`decomposed`** storage driver instead. The `decomposed` driver stores metadata on the PVC and is more compatible with CephFS snapshot/clone operations.
+>
+> Alternatively, verify that your Ceph version supports CephFS snapshots properly before relying on PVC-level backups with `posixfs`.
+
+### OpenCloud Decomposed Storage Settings
 
-| Parameter  | Description | Default |
-| ---------- | ----------- | ------- |
-| `opencloud.nats.external.enabled` | Use an external NATS server (required for high availability) | `false` |
-| `opencloud.nats.external.endpoint` | Endpoint of the external NATS server | `nats.opencloud-nats.svc.cluster.local:4222` |
-| `opencloud.nats.external.cluster` | NATS cluster name | `opencloud-cluster` |
-| `opencloud.nats.external.tls.enabled` | Enable TLS for communication with NATS | `false` |
-| `opencloud.nats.external.tls.certTrusted` | Set to `false` if the external NATS server's certificate is not trusted by default (e.g. self-signed) | `true` |
-| `opencloud.nats.external.tls.insecure` | Disable certificate validation (not recommended for production) | `false` |
-| `opencloud.nats.external.tls.caSecretName` | Name of the Kubernetes Secret containing the CA certificate (only required if `certTrusted` is `false`) | `opencloud-nats-ca` |
+The `decomposed` storage driver stores all metadata and blobs on a PVC (no S3 required). It is a good alternative to `posixfs` when using CephFS, as it is more compatible with CephFS snapshot/clone operations.
+
+| Parameter | Description | Default |
+| --------- | ----------- | ------- |
+| `opencloud.storage.decomposed.maxConcurrency` | Maximum number of concurrent operations | `100` |
+| `opencloud.storage.decomposed.rootPath` | Path of storage root directory in openCloud pod | `/var/lib/opencloud/storage` |
+| `opencloud.storage.decomposed.persistence.enabled` | Enable persistence for decomposed storage | `true` |
+| `opencloud.storage.decomposed.persistence.existingClaim` | Name of existing PVC instead of the settings below | `""` |
+| `opencloud.storage.decomposed.persistence.size` | Size of the decomposed persistent volume | `30Gi` |
+| `opencloud.storage.decomposed.persistence.storageClass` | Storage class for decomposed volume | `""` |
+| `opencloud.storage.decomposed.persistence.accessMode` | Access mode for decomposed volume | `ReadWriteOnce` |
+
+### NATS Messaging Configuration
 
 > 💡 The secret referenced by `caSecretName` **must contain a key named `ca.crt`** with the root CA certificate used to verify the external NATS server.
 > Example: