add OCM (#701)

* add OCM --------- Co-authored-by: Willy Kloucek <[email protected]>
owncloud · Nov 8, 2024 · 867e17c · 867e17c
1 parent b4dd2c6
commit 867e17c
Show file tree

Hide file tree

Showing 14 changed files with 858 additions and 2 deletions.
diff --git a/charts/ocis/ci/deployment-values.yaml b/charts/ocis/ci/deployment-values.yaml
@@ -16,6 +16,13 @@ logging:
 insecure:
   oidcIdpInsecure: true
   ocisHttpApiInsecure: true
+features:
+  virusscan:
+    enabled: true
+  policies:
+    enabled: true
+  ocm:
+    enabled: true
 services:
   idm:
     persistence:
@@ -42,6 +49,11 @@ services:
       enabled: true
       accessModes:
         - ReadWriteOnce
+  ocm:
+    persistence:
+      enabled: true
+      accessModes:
+        - ReadWriteOnce
   store:
     persistence:
       enabled: true

diff --git a/charts/ocis/ci/values.yaml b/charts/ocis/ci/values.yaml
@@ -96,6 +96,8 @@ features:
     enabled: true
   policies:
     enabled: true
+  ocm:
+    enabled: true
 
 extraLabels:
   extra1: lorem
@@ -208,6 +210,19 @@ services:
       cleanUpOldThumbnails:
         enabled: true
 
+  ocm:
+    persistence:
+      enabled: true
+      storageClassName: default-storage
+      accessModes:
+        - ReadWriteOnce
+      size: 10Gi
+      annotations:
+        anno-1: test
+      finalizers: []
+      selectorLabels:
+        selector1: foobar
+
 secretRefs:
   notificationsSmtpSecretRef: "smtp-secret"
 

diff --git a/charts/ocis/docs/values-desc-table.adoc b/charts/ocis/docs/values-desc-table.adoc
@@ -786,6 +786,30 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 `"en"`
 | The default language. If not defined, English will be used as default. See the documentation for more details.
+| features.ocm.enabled
+a| [subs=-attributes]
++bool+
+a| [subs=-attributes]
+`false`
+| Enables OCM service
+| features.ocm.invitationExpiry
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"24h0m0s"`
+| Expiry duration for invite tokens.
+| features.ocm.providersConfigRef
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`""`
+| Required reference to an existing provider config. Will be mounted to /etc/ocis Does not get autogenerated. Documentation can be found at https://doc.owncloud.com/ocis/next/deployment/services/s-list/ocm.html#trust-between-instances
+| features.ocm.requestTimeout
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"30s"`
+| Timeout specifies a time limit for requests made to OCM endpoints.
 | features.policies.enabled
 a| [subs=-attributes]
 +bool+
@@ -1116,6 +1140,12 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 `false`
 | Disables SSL certificate checking for connections to the oCIS http apis. Not recommended for production installations.
+| insecure.ocmInsecure
+a| [subs=-attributes]
++bool+
+a| [subs=-attributes]
+`false`
+| Disables SSL certificate checking for connections to all OCM instances Not recommended for production installations.
 | insecure.oidcIdpInsecure
 a| [subs=-attributes]
 +bool+
@@ -2820,6 +2850,132 @@ a| [subs=-attributes]
 a| [subs=-attributes]
 `{}`
 | Per-service resources configuration. Overrides the default setting from `resources` if set.
+| services.ocm
+a| [subs=-attributes]
++object+
+a| [subs=-attributes]
+see detailed service configuration options below
+| OCM service.
+| services.ocm.affinity
+a| [subs=-attributes]
++object+
+a| [subs=-attributes]
+`{}`
+| Affinity settings for the ocs service. See the documentation of this setting in approvider for examples.
+| services.ocm.extraLabels
+a| [subs=-attributes]
++object+
+a| [subs=-attributes]
+`{}`
+| Per-service custom labels
+| services.ocm.image.pullPolicy
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`nil`
+| Image pull policy
+| services.ocm.image.repository
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`""`
+| Image repository
+| services.ocm.image.sha
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`""`
+| Image sha / digest (optional).
+| services.ocm.image.tag
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`""`
+| Image tag.
+| services.ocm.nodeSelector
+a| [subs=-attributes]
++object+
+a| [subs=-attributes]
+`{}`
+| Per-service nodeSelector configuration. Overrides the default setting from `nodeSelector` if set.
+| services.ocm.persistence
+a| [subs=-attributes]
++object+
+a| [subs=-attributes]
+see detailed persistence configuration options below
+| Persistence settings.
+| services.ocm.persistence.accessModes
+a| [subs=-attributes]
++list+
+a| [subs=-attributes]
+`["ReadWriteOnce"]`
+| Persistent volume access modes.
+| services.ocm.persistence.annotations
+a| [subs=-attributes]
++object+
+a| [subs=-attributes]
+`{}`
+| Persistent volume annotations.
+| services.ocm.persistence.chownInitContainer
+a| [subs=-attributes]
++bool+
+a| [subs=-attributes]
+`false`
+| Enables an initContainer to chown the volume. The initContainer is run as root. This is not needed if the driver applies the fsGroup from the securityContext. The image specified in `initContainerImage` will be used for this container.
+| services.ocm.persistence.claimName
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`""`
+| Use a custom name for the PVC instead of the default one.
+| services.ocm.persistence.enabled
+a| [subs=-attributes]
++bool+
+a| [subs=-attributes]
+`false`
+| Enables persistence. Needs to be enabled on production installations. If not enabled, pod restarts will lead to data loss. Also scaling this service to more than one replica is not possible if the pods don't share the same volume.
+| services.ocm.persistence.existingClaim
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`nil`
+| Use an existing PersistentVolumeClaim for persistence.
+| services.ocm.persistence.finalizers
+a| [subs=-attributes]
++list+
+a| [subs=-attributes]
+`["kubernetes.io/pvc-protection"]`
+| Persistent volume finalizers.
+| services.ocm.persistence.selectorLabels
+a| [subs=-attributes]
++object+
+a| [subs=-attributes]
+`{}`
+| Persistent volume selector labels.
+| services.ocm.persistence.size
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`"1Gi"`
+| Size of the persistent volume.
+| services.ocm.persistence.storageClassName
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`nil`
+| Storage class to use. Uses the default storage class if not set.
+| services.ocm.priorityClassName
+a| [subs=-attributes]
++string+
+a| [subs=-attributes]
+`""`
+| Per-service priorityClassName configuration. Overrides the default setting from `priorityClassName` if set.
+| services.ocm.resources
+a| [subs=-attributes]
++object+
+a| [subs=-attributes]
+`{}`
+| Per-service resources configuration. Overrides the default setting from `resources` if set.
 | services.ocs
 a| [subs=-attributes]
 +object+

diff --git a/charts/ocis/docs/values.adoc.yaml b/charts/ocis/docs/values.adoc.yaml
@@ -132,6 +132,9 @@ insecure:
   # -- Disables SSL certificate checking for connections to the oCIS http apis.
   # Not recommended for production installations.
   ocisHttpApiInsecure: false
+  # -- Disables SSL certificate checking for connections to all OCM instances
+  # Not recommended for production installations.
+  ocmInsecure: false
 
 cache:
   # -- Type of the cache to use.
@@ -640,6 +643,20 @@ features:
     maxSize: 1073741824
     # -- Max number of files that can be packed into an archive.
     maxNumFiles: 10000
+  # OCM settings
+  ocm:
+    # -- Enables OCM service
+    enabled: false
+    # -- Expiry duration for invite tokens.
+    invitationExpiry: 24h0m0s
+    # -- Timeout specifies a time limit for requests made to OCM endpoints.
+    requestTimeout: 30s
+    # -- Required reference to an existing provider config.
+    # Will be mounted to /etc/ocis
+    # Does not get autogenerated.
+    # Documentation can be found at https://doc.owncloud.com/ocis/next/deployment/services/s-list/ocm.html#trust-between-instances
+    providersConfigRef: ""
+
 # Ingress for oCIS.
 ingress:
   # -- Enables the Ingress.
@@ -1489,6 +1506,62 @@ services:
       # -- Image pull policy
       pullPolicy:
 
+  # -- OCM service.
+  # @default -- see detailed service configuration options below
+  ocm:
+    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
+    resources: {}
+    # -- Per-service nodeSelector configuration. Overrides the default setting from `nodeSelector` if set.
+    nodeSelector: {}
+    # -- Per-service priorityClassName configuration. Overrides the default setting from `priorityClassName` if set.
+    priorityClassName: ""
+    # -- Affinity settings for the ocs service. See the documentation of this setting in approvider for examples.
+    affinity: {}
+    # -- Per-service custom labels
+    extraLabels: {}
+    # Per-service image configuration. Overrides the default setting from `image` if set.
+    image:
+      # -- Image repository
+      repository: ""
+      # -- Image tag.
+      tag: ""
+      # -- Image sha / digest (optional).
+      sha: ""
+      # -- Image pull policy
+      pullPolicy:
+    # -- Persistence settings.
+    # @default -- see detailed persistence configuration options below
+    persistence:
+      # -- Enables persistence.
+      # Needs to be enabled on production installations.
+      # If not enabled, pod restarts will lead to data loss.
+      # Also scaling this service to more than one replica is not possible if the pods don't share the same volume.
+      enabled: false
+      # -- Enables an initContainer to chown the volume.
+      # The initContainer is run as root.
+      # This is not needed if the driver applies the fsGroup from the securityContext.
+      # The image specified in `initContainerImage` will be used for this container.
+      chownInitContainer: false
+      # -- Storage class to use.
+      # Uses the default storage class if not set.
+      storageClassName:
+      # -- Persistent volume access modes.
+      accessModes:
+        - ReadWriteOnce
+      # -- Size of the persistent volume.
+      size: 1Gi
+      # -- Persistent volume annotations.
+      annotations: {}
+      # -- Persistent volume finalizers.
+      finalizers:
+        - kubernetes.io/pvc-protection
+      # -- Persistent volume selector labels.
+      selectorLabels: {}
+      # -- Use a custom name for the PVC instead of the default one.
+      claimName: ""
+      # -- Use an existing PersistentVolumeClaim for persistence.
+      existingClaim:
+
   # -- OCS service.
   # @default -- see detailed service configuration options below
   ocs:

diff --git a/charts/ocis/templates/NOTES.txt b/charts/ocis/templates/NOTES.txt
@@ -17,6 +17,7 @@ You're now running
 {{- $demoUsers := .Values.features.demoUsers -}}
 {{- $oidcIdpInsecure := .Values.insecure.oidcIdpInsecure -}}
 {{- $ocisHttpApiInsecure := .Values.insecure.ocisHttpApiInsecure -}}
+{{- $ocmInsecure := .Values.insecure.ocmInsecure -}}
 {{- $externalLDAPinsecure := and .Values.features.externalUserManagement.enabled .Values.features.externalUserManagement.ldap.insecure -}}
 {{- $noSMTPencryption := and .Values.features.emailNotifications.enabled (eq .Values.features.emailNotifications.smtp.encryption "none") -}}
 
@@ -25,7 +26,7 @@ You can get the initial "admin" administrator user password by running:
 kubectl -n {{ .Release.Namespace }} get secrets/{{ .Values.secretRefs.adminUserSecretRef | default "admin-user" }} --template='{{"{{"}}.data.password | base64decode | printf "%s\n" {{"}}"}}'
 {{- end }}
 
-{{ if or $noExternalUserManagement $demoUsers $oidcIdpInsecure $ocisHttpApiInsecure $externalLDAPinsecure $noSMTPencryption }}
+{{ if or $noExternalUserManagement $demoUsers $oidcIdpInsecure $ocisHttpApiInsecure $externalLDAPinsecure $noSMTPencryption $ocmInsecure }}
 #################################################################################
 ######   WARNING: Your deployment of oCIS does not follow all best          #####
 ######   practices for production deployments of oCIS.                      #####
@@ -41,6 +42,9 @@ kubectl -n {{ .Release.Namespace }} get secrets/{{ .Values.secretRefs.adminUserS
 {{- if $oidcIdpInsecure}}
 ######     - `insecure.oidcIdpInsecure` should be set to `false`            #####
 {{- end }}
+{{- if $ocmInsecure}}
+######     - `insecure.ocmInsecure` should be set to `false`                #####
+{{- end }}
 {{- if $ocisHttpApiInsecure}}
 ######     - `insecure.ocisHttpApiInsecure` should be set to `false`        #####
 {{- end }}
@@ -62,8 +66,9 @@ kubectl -n {{ .Release.Namespace }} get secrets/{{ .Values.secretRefs.adminUserS
 {{- $storagesystemUnpersisted := not .Values.services.storagesystem.persistence.enabled -}}
 {{- $webUnpersisted := not .Values.services.web.persistence.enabled -}}
 {{- $storageusersUnpersisted := not .Values.services.storageusers.persistence.enabled -}}
+{{- $ocmUnpersisted := not .Values.services.ocm.persistence.enabled -}}
 
-{{ if or $storagesystemUnpersisted $webUnpersisted $storageusersUnpersisted $idmUnpersisted $searchUnpersisted $natsUnpersisted }}
+{{ if or $storagesystemUnpersisted $webUnpersisted $storageusersUnpersisted $idmUnpersisted $searchUnpersisted $natsUnpersisted $ocmUnpersisted }}
 #################################################################################
 ######   WARNING: Persistence is disabled for some services.                #####
 ######   You will lose your data when a service's pod is terminated.        #####
@@ -87,6 +92,9 @@ kubectl -n {{ .Release.Namespace }} get secrets/{{ .Values.secretRefs.adminUserS
 {{- if $natsUnpersisted }}
 ######     - nats                                                           #####
 {{- end }}
+{{- if $ocmUnpersisted }}
+######     - ocm                                                           #####
+{{- end }}
 #################################################################################
 {{- end }}
 

diff --git a/charts/ocis/templates/_common/_tplvalues.tpl b/charts/ocis/templates/_common/_tplvalues.tpl
@@ -51,6 +51,7 @@ Adds the app names to the scope and set the name of the app based on the input p
   {{- $_ := set .scope "appNameNats" "nats" -}}
   {{- $_ := set .scope "appNameNotifications" "notifications" -}}
   {{- $_ := set .scope "appNameOcdav" "ocdav" -}}
+  {{- $_ := set .scope "appNameOcm" "ocm" -}}
   {{- $_ := set .scope "appNameOcs" "ocs" -}}
   {{- $_ := set .scope "appNamePolicies" "policies" -}}
   {{- $_ := set .scope "appNamePostprocessing" "postprocessing" -}}

diff --git a/charts/ocis/templates/frontend/deployment.yaml b/charts/ocis/templates/frontend/deployment.yaml
@@ -166,6 +166,9 @@ spec:
             - name: FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST
               value: /etc/ocis/sharing-banned-passwords.txt
 
+            - name: OCIS_ENABLE_OCM
+              value: {{ .Values.features.ocm.enabled | quote }}
+
             {{- include "ocis.caEnv" $ | nindent 12}}
 
           {{- include "ocis.livenessProbe" . | nindent 10 }}