suse-coder
diff --git a/‎README.md
Lines changed: 1 addition & 845 deletions b/‎README.md
Lines changed: 1 addition & 845 deletions
diff --git a/‎charts/opencloud/Chart.yaml
Lines changed: 1 addition & 1 deletion b/‎charts/opencloud/Chart.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎charts/opencloud/README.md
Lines changed: 27 additions & 12 deletions b/‎charts/opencloud/README.md
Lines changed: 27 additions & 12 deletions
diff --git a/‎charts/opencloud/templates/_helpers/tpl.yaml
Lines changed: 26 additions & 0 deletions b/‎charts/opencloud/templates/_helpers/tpl.yaml
Lines changed: 26 additions & 0 deletions
diff --git a/‎charts/opencloud/templates/collabora/deployment.yaml
Lines changed: 2 additions & 2 deletions b/‎charts/opencloud/templates/collabora/deployment.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎charts/opencloud/templates/collaboration/deployment.yaml
Lines changed: 14 additions & 10 deletions b/‎charts/opencloud/templates/collaboration/deployment.yaml
Lines changed: 14 additions & 10 deletions
diff --git a/‎charts/opencloud/templates/gateway/gateway.yaml
Lines changed: 72 additions & 12 deletions b/‎charts/opencloud/templates/gateway/gateway.yaml
Lines changed: 72 additions & 12 deletions
diff --git a/‎charts/opencloud/templates/keycloak/deployment.yaml
Lines changed: 2 additions & 2 deletions b/‎charts/opencloud/templates/keycloak/deployment.yaml
Lines changed: 2 additions & 2 deletions
@@ -10,7 +10,7 @@ maintainers:
     email: [email protected]
     url: https://opencloud.eu
 type: application
-version: 0.1.5
+version: 0.1.7
 # renovate: datasource=docker depName=opencloudeu/opencloud-rolling
 appVersion: latest
 kubeVersion: ""
 
@@ -191,6 +191,25 @@ Key interactions:
 
 The following table lists the configurable parameters of the OpenCloud chart and their default values.
 
+### Using Private Registries
+
+The chart supports using private container registries through global overrides. This is useful for:
+- Air-gapped environments
+- Corporate registry mirrors
+- Pull-through caches
+
+To use a private registry for all images:
+
+```bash
+helm install opencloud ./charts/opencloud \
+  --set global.image.registry=my-registry.com \
+  --set global.image.pullPolicy=Always
+```
+
+This will prepend `my-registry.com/` to all image references in the chart. For example:
+- `keycloak/keycloak:26.1.4` becomes `my-registry.com/keycloak/keycloak:26.1.4`
+- `opencloudeu/opencloud-rolling:latest` becomes `my-registry.com/opencloudeu/opencloud-rolling:latest`
+
 ### Global Settings
 
 | Parameter | Description | Default |
@@ -202,14 +221,18 @@ The following table lists the configurable parameters of the OpenCloud chart and
 | `global.domain.collabora` | Domain for Collabora | `collabora.opencloud.test` |
 | `global.domain.onlyoffice` | Domain for OnlyOffice | `onlyoffice.opencloud.test` |
 | `global.domain.companion` | Domain for Companion | `companion.opencloud.test` |
+| `global.domain.wopi` | Domain for WOPI server | `wopiserver.opencloud.test` |
 | `global.tls.enabled` | Enable TLS (set to false when using gateway TLS termination externally) | `false` |
 | `global.tls.secretName` | secretName for TLS certificate | `""` |
 | `global.storage.storageClass` | Storage class for persistent volumes | `""` |
+| `global.image.registry` | Global registry override for all images (e.g., `my-registry.com`) | `""` |
+| `global.image.pullPolicy` | Global pull policy override for all images (`Always`, `IfNotPresent`, `Never`) | `""` |
 
 ### Image Settings
 
 | Parameter | Description | Default |
 | --------- | ----------- | ------- |
+| `image.registry` | OpenCloud image registry | `docker.io` |
 | `image.repository` | OpenCloud image repository | `opencloudeu/opencloud-rolling` |
 | `image.tag` | OpenCloud image tag | `latest` |
 | `image.pullPolicy` | Image pull policy | `IfNotPresent` |
@@ -325,7 +348,6 @@ This ensures the `X-Forwarded-Proto: https` header is added as required by OnlyO
 | Parameter | Description | Default |
 | --------- | ----------- | ------- |
 | `collaboration.enabled` | Enable collaboration service | `true` |
-| `collaboration.wopiDomain` | WOPI server domain | `collaboration.opencloud.test` |
 | `collaboration.resources` | CPU/Memory resource requests/limits | `{}` |
 
 ## Gateway API Configuration
@@ -384,7 +406,7 @@ The following HTTPRoutes are created when `httpRoute.enabled` is set to `true`:
    - Headers: Adds Permissions-Policy header to prevent browser features like interest-based advertising
 
 7. **Collaboration (WOPI) HTTPRoute** (when `collaboration.enabled` is `true`):
-   - Hostname: `collaboration.wopiDomain`
+   - Hostname: `global.domain.wopi`
    - Service: `{{ release-name }}-collaboration`
    - Port: 9300
    - Headers: Adds Permissions-Policy header to prevent browser features like interest-based advertising
@@ -447,19 +469,12 @@ Apply the ClusterIssuer:
 kubectl apply -f cluster-issuer.yaml
 ```
 
-### Step 3: Create a Wildcard Certificate for OpenCloud Domains
+### Step 4: Create a Wildcard Certificate for OpenCloud Domains
 
 Create a wildcard certificate for all OpenCloud subdomains:
 
 ```yaml
-# cluster-issuer.yaml
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: selfsigned-issuer
-spec:
-  selfSigned: {}
----
+# certificate.yaml
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -478,7 +493,7 @@ spec:
 Apply the certificate:
 
 ```bash
-kubectl apply -f cluster-issuer.yaml
+kubectl apply -f certificate.yaml
 ```
 
 ### Step 4: Configure DNS
 
@@ -148,6 +148,32 @@ Create a fully qualified Tika name.
 
 {{/* namespace helper removed - use .Release.Namespace directly */}}
 
+{{/*
+Return the image registry, using global override if set
+*/}}
+{{- define "opencloud.image.registry" -}}
+{{- coalesce .global.image.registry .registry -}}
+{{- end -}}
+
+{{/*
+Return the image pull policy, using global override if set
+*/}}
+{{- define "opencloud.image.pullPolicy" -}}
+{{- coalesce .global.image.pullPolicy .pullPolicy -}}
+{{- end -}}
+
+{{/*
+Return the full image name with registry
+*/}}
+{{- define "opencloud.image" -}}
+{{- $registry := include "opencloud.image.registry" (dict "registry" .imageValues.registry "global" .global) -}}
+{{- if $registry -}}
+{{- printf "%s/%s:%s" $registry .imageValues.repository .imageValues.tag -}}
+{{- else -}}
+{{- printf "%s:%s" .imageValues.repository .imageValues.tag -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return the appropriate apiVersion for ingress
 */}}
 
@@ -20,8 +20,8 @@ spec:
     spec:
       containers:
         - name: collabora
-          image: {{ .Values.collabora.image.repository }}:{{ .Values.collabora.image.tag }}
-          imagePullPolicy: {{ .Values.collabora.image.pullPolicy | default "IfNotPresent" }}
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.collabora.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.collabora.image.pullPolicy "global" .Values.global) }}
           command: ['/bin/bash', '-c']
           args:
             - 'coolconfig generate-proof-key && /start-collabora-online.sh'
 
@@ -26,35 +26,39 @@ spec:
       initContainers:
         # Wait for OpenCloud to be ready
         - name: wait-for-opencloud
-          image: busybox
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.busybox.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.busybox.image.pullPolicy "global" .Values.global) | quote }}
           command: ['sh', '-c', 'until wget -q -O- http://{{ include "opencloud.opencloud.fullname" . }}:9200/health; do echo waiting for opencloud; sleep 5; done;']
-        
+
         {{- if not .Values.opencloud.persistence.enabled }}
         # Copy config from OpenCloud API if persistence is disabled
         - name: copy-config
-          image: busybox
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.busybox.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.busybox.image.pullPolicy "global" .Values.global) | quote }}
           command: ['sh', '-c', 'mkdir -p /etc/opencloud && wget -q -O /etc/opencloud/config.json http://{{ include "opencloud.opencloud.fullname" . }}:9200/api/v1/config/secrets || echo "Failed to get config from OpenCloud"']
           volumeMounts:
             - name: etc-opencloud
               mountPath: /etc/opencloud
         {{- end }}
-        
+
         {{- if .Values.onlyoffice.enabled }}
         # Wait for OnlyOffice to be ready
         - name: wait-for-onlyoffice
-          image: busybox
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.busybox.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.busybox.image.pullPolicy "global" .Values.global) | quote }}
           command: ['sh', '-c', 'until wget -q -O- http://{{ include "opencloud.fullname" . }}-onlyoffice:80/hosting/discovery; do echo waiting for onlyoffice; sleep 2; done;']
         {{- end }}
         {{- if .Values.collabora.enabled }}
         # Wait for Collabora to be ready
         - name: wait-for-collabora
-          image: busybox
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.busybox.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.busybox.image.pullPolicy "global" .Values.global) | quote }}
           command: ['sh', '-c', 'until wget -q -O- http://{{ include "opencloud.fullname" . }}-collabora:9980/hosting/discovery; do echo waiting for collabora; sleep 2; done;']
         {{- end }}
       containers:
         - name: collaboration
-          image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.image.pullPolicy "global" .Values.global) }}
           command: ["/bin/sh"]
           args: ["-c", "opencloud collaboration server"]
           env:
@@ -95,9 +99,9 @@ spec:
             - name: COLLABORATION_APP_PROOF_DISABLE
               value: "true"
             - name: COLLABORATION_APP_INSECURE
-              value: "{{ .Values.opencloud.insecure }}"
+              value: {{ tpl (toString .Values.opencloud.insecure) . | quote }}
             - name: COLLABORATION_CS3API_DATAGATEWAY_INSECURE
-              value: "{{ .Values.opencloud.insecure }}"
+              value: {{ tpl (toString .Values.opencloud.insecure) . | quote }}
             - name: COLLABORATION_LOG_LEVEL
               value: "{{ .Values.opencloud.logLevel }}"
             - name: OC_URL
 
@@ -17,31 +17,51 @@ spec:
       {{- toYaml . | nindent 4 }}
   {{- end }}
   listeners:
+    {{- if .Values.global.tls.enabled }}
     - name: opencloud-https
+    {{- else }}
+    - name: opencloud-http
+    {{- end }}
+      {{- if .Values.global.tls.enabled }}
       protocol: HTTPS
-      port: {{ .Values.httpRoute.gateway.port | default 443 }}
+      {{- else }}
+      protocol: HTTP
+      {{- end }}
+      port: {{ .Values.httpRoute.gateway.port }}
       hostname: {{ .Values.global.domain.opencloud | quote }}
+      {{- if .Values.global.tls.enabled }}
       tls:
         mode: Terminate
         certificateRefs:
-          - name: opencloud-wildcard-tls
+          - name: {{ .Values.global.tls.secretName }}
             namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+      {{- end }}
       allowedRoutes:
         namespaces:
           from: Selector
           selector:
             matchLabels:
               kubernetes.io/metadata.name: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
     {{- if .Values.keycloak.enabled }}
+    {{- if .Values.global.tls.enabled }}
     - name: keycloak-https
+    {{- else }}
+    - name: keycloak-http
+    {{- end }}
+      {{- if .Values.global.tls.enabled }}
       protocol: HTTPS
-      port: {{ .Values.httpRoute.gateway.port | default 443 }}
+      {{- else }}
+      protocol: HTTP
+      {{- end }}
+      port: {{ .Values.httpRoute.gateway.port }}
       hostname: {{ .Values.global.domain.keycloak | quote }}
+      {{- if .Values.global.tls.enabled }}
       tls:
         mode: Terminate
         certificateRefs:
-          - name: opencloud-wildcard-tls
+          - name: {{ .Values.global.tls.secretName }}
             namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+      {{- end }}
       allowedRoutes:
         namespaces:
           from: Selector
@@ -50,15 +70,25 @@ spec:
               kubernetes.io/metadata.name: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
     {{- end }}
     {{- if and .Values.opencloud.storage.s3.internal.enabled .Values.opencloud.storage.s3.internal.httpRoute.enabled }}
+    {{- if .Values.global.tls.enabled }}
     - name: minio-https
+    {{- else }}
+    - name: minio-http
+    {{- end }}
+      {{- if .Values.global.tls.enabled }}
       protocol: HTTPS
-      port: {{ .Values.httpRoute.gateway.port | default 443 }}
+      {{- else }}
+      protocol: HTTP
+      {{- end }}
+      port: {{ .Values.httpRoute.gateway.port }}
       hostname: {{ .Values.global.domain.minio | quote }}
+      {{- if .Values.global.tls.enabled }}
       tls:
         mode: Terminate
         certificateRefs:
-          - name: opencloud-wildcard-tls
+          - name: {{ .Values.global.tls.secretName }}
             namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+      {{- end }}
       allowedRoutes:
         namespaces:
           from: Selector
@@ -67,15 +97,25 @@ spec:
               kubernetes.io/metadata.name: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
     {{- end }}
     {{- if .Values.collabora.enabled }}
+    {{- if .Values.global.tls.enabled }}
     - name: collabora-https
+    {{- else }}
+    - name: collabora-http
+    {{- end }}
+      {{- if .Values.global.tls.enabled }}
       protocol: HTTPS
-      port: {{ .Values.httpRoute.gateway.port | default 443 }}
+      {{- else }}
+      protocol: HTTP
+      {{- end }}
+      port: {{ .Values.httpRoute.gateway.port }}
       hostname: {{ .Values.global.domain.collabora | quote }}
+      {{- if .Values.global.tls.enabled }}
       tls:
         mode: Terminate
         certificateRefs:
-          - name: opencloud-wildcard-tls
+          - name: {{ .Values.global.tls.secretName }}
             namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+      {{- end }}
       allowedRoutes:
         namespaces:
           from: Selector
@@ -84,15 +124,25 @@ spec:
               kubernetes.io/metadata.name: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
     {{- end }}
     {{- if .Values.onlyoffice.enabled }}
+    {{- if .Values.global.tls.enabled }}
     - name: onlyoffice-https
+    {{- else }}
+    - name: onlyoffice-http
+    {{- end }}
+      {{- if .Values.global.tls.enabled }}
       protocol: HTTPS
-      port: {{ .Values.httpRoute.gateway.port | default 443 }}
+      {{- else }}
+      protocol: HTTP
+      {{- end }}
+      port: {{ .Values.httpRoute.gateway.port }}
       hostname: {{ .Values.global.domain.onlyoffice | quote }}
+      {{- if .Values.global.tls.enabled }}
       tls:
         mode: Terminate
         certificateRefs:
-          - name: opencloud-wildcard-tls
+          - name: {{ .Values.global.tls.secretName }}
             namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+      {{- end }}
       allowedRoutes:
         namespaces:
           from: Selector
@@ -101,15 +151,25 @@ spec:
               kubernetes.io/metadata.name: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
     {{- end }}
     {{- if and .Values.onlyoffice.collaboration.enabled .Values.onlyoffice.enabled }}
+    {{- if .Values.global.tls.enabled }}
     - name: collaboration-https
+    {{- else }}
+    - name: collaboration-http
+    {{- end }}
+      {{- if .Values.global.tls.enabled }}
       protocol: HTTPS
-      port: {{ .Values.httpRoute.gateway.port | default 443 }}
+      {{- else }}
+      protocol: HTTP
+      {{- end }}
+      port: {{ .Values.httpRoute.gateway.port }}
       hostname: {{ .Values.global.domain.wopi | quote }}
+      {{- if .Values.global.tls.enabled }}
       tls:
         mode: Terminate
         certificateRefs:
-          - name: opencloud-wildcard-tls
+          - name: {{ .Values.global.tls.secretName }}
             namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+      {{- end }}
       allowedRoutes:
         namespaces:
           from: Selector
 
@@ -24,8 +24,8 @@ spec:
         fsGroup: 1000
       containers:
         - name: keycloak
-          image: {{ .Values.keycloak.image.repository }}:{{ .Values.keycloak.image.tag }}
-          imagePullPolicy: {{ .Values.keycloak.image.pullPolicy }}
+          image: {{ include "opencloud.image" (dict "imageValues" .Values.keycloak.image "global" .Values.global) | quote }}
+          imagePullPolicy: {{ include "opencloud.image.pullPolicy" (dict "pullPolicy" .Values.keycloak.image.pullPolicy "global" .Values.global) }}
           securityContext:
             allowPrivilegeEscalation: false
             capabilities: