Merge remote-tracking branch 'upstream/main' into posixfs-support-3

Author: Your Name

README.md

@@ -1,8 +1,15 @@
-<img src="https://helm.sh/img/helm.svg" width="100px" heigth="100px">
+> [!CAUTION]
+> ## Community Charts – Not Officially Supported
+> This repository is maintained by the community and is **not** officially supported by OpenCloud GmbH.  
+>  
+> For **production-ready Helm charts** designed for **mission-critical** workloads, please use the enterprise offering, available with a [business subscription](https://opencloud.eu/en/product/service-and-support).  
+>  
+> To access **production-ready helm charts** get in touch with us via [contact form](https://opencloud.eu/en/contact-us) or Email [[email protected]](mailto:[email protected]).
 
-# OpenCloud Helm Charts
+# Community Helm Charts
 
 Welcome to the **OpenCloud Helm Charts** repository! This repository is intended as a community-driven space for developing and maintaining Helm charts for deploying OpenCloud on Kubernetes.
+**Community Maintained** This repository is **community-maintained** and **not officially supported by OpenCloud GmbH**. Use at your own risk, and feel free to contribute to improve the project!
 
 ## 📑 Table of Contents
 
@@ -110,6 +117,4 @@ A lightweight single-container deployment for development and testing:
 
 This project is licensed under the **AGPLv3** license. See the [LICENSE](LICENSE) file for more details.
 
-## Community Maintained
 
-This repository is **community-maintained** and **not officially supported by OpenCloud GmbH**. Use at your own risk, and feel free to contribute to improve the project!

charts/opencloud/README.md

@@ -268,6 +268,14 @@ This will prepend `my-registry.com/` to all image references in the chart. For e
 | `opencloud.smtp.insecure` | SMTP insecure | `false` |
 | `opencloud.smtp.authentication` | SMTP authentication | `plain` |
 | `opencloud.smtp.encryption` | SMTP encryption | `starttls` |
+| `opencloud.storage.mode` | Choice between s3 and posixfs for user files | `s3` |
+
+### OpenCloud S3 Storage Settings
+
+The following options configure S3 for user file storage, either with the internal MinIO instance or with an external S3 provider.
+
+| Parameter | Description | Default |
+| --------- | ----------- | ------- |
 | `opencloud.storage.s3.internal.enabled` | Enable internal MinIO instance | `true` |
 | `opencloud.storage.s3.internal.existingSecret` | Name of the existing secret | `` |
 | `opencloud.storage.s3.internal.rootUser` | MinIO root user | `opencloud` |
@@ -276,6 +284,7 @@ This will prepend `my-registry.com/` to all image references in the chart. For e
 | `opencloud.storage.s3.internal.region` | MinIO region | `default` |
 | `opencloud.storage.s3.internal.resources` | CPU/Memory resource requests/limits | See values.yaml |
 | `opencloud.storage.s3.internal.persistence.enabled` | Enable MinIO persistence | `true` |
+| `opencloud.storage.s3.internal.persistence.existingClaim` | Name of existing PVC instead of the settings below | `` |
 | `opencloud.storage.s3.internal.persistence.size` | Size of the MinIO persistent volume | `30Gi` |
 | `opencloud.storage.s3.internal.persistence.storageClass` | MinIO storage class | `""` |
 | `opencloud.storage.s3.internal.persistence.accessMode` | MinIO access mode | `ReadWriteOnce` |
@@ -288,6 +297,22 @@ This will prepend `my-registry.com/` to all image references in the chart. For e
 | `opencloud.storage.s3.external.bucket` | External S3 bucket | `""` |
 | `opencloud.storage.s3.external.createBucket` | Create bucket if it doesn't exist | `true` |
 
+### OpenCloud PosixFS Storage Settings
+
+The following options allow setting up a POSIX-compatible filesystem (such as NFS or CephFS) for user file storage instead of S3. This is useful for environments where object storage is not available or not desired.
+
+| Parameter | Description | Default |
+| --------- | ----------- | ------- |
+| `opencloud.storage.posixfs.idCacheStore` | Cache store, between 'memory', 'redis-sentinel', 'nats-js-kv', 'noop' | `nats-js-kv` |
+| `opencloud.storage.posixfs.rootPath` | Path of storage root directory in openCloud pod | `/var/lib/opencloud/storage` |
+| `opencloud.storage.posixfs.persistence.enabled` | Enable persistence for PosixFS | `true` |
+| `opencloud.storage.posixfs.persistence.existingClaim` | Name of existing PVC instead of the settings below | `""` |
+| `opencloud.storage.posixfs.persistence.size` | Size of the PosixFS persistent volume | `30Gi` |
+| `opencloud.storage.posixfs.persistence.storageClass` | Storage class for PosixFS volume | `""` |
+| `opencloud.storage.posixfs.persistence.accessMode` | Access mode for PosixFS volume | `ReadWriteMany` |
+
+**Note:** When using `posixfs` mode, ensure that the underlying storage supports the required access mode (e.g., `ReadWriteMany` for multiple replicas). The underlying filesystem must support `flock` and `xattrs` so for NFS the minimum version is 4.2.
+
 ### NATS Messaging Configuration
 
 | Parameter  | Description | Default |
@@ -409,6 +434,38 @@ This ensures the `X-Forwarded-Proto: https` header is added as required by OnlyO
 | `collaboration.enabled` | Enable collaboration service | `true` |
 | `collaboration.resources` | CPU/Memory resource requests/limits | `{}` |
 
+## Ingress Configuration
+
+This chart supports standard Kubernetes Ingress resources for exposing services. For environments requiring specific ingress controller features, annotation presets are available.
+
+### Ingress Settings
+
+| Parameter | Description | Default |
+| --------- | ----------- | ------- |
+| `ingress.enabled` | Enable Ingress resources | `false` |
+| `ingress.ingressClassName` | Ingress class name (e.g., nginx, traefik) | `""` |
+| `ingress.annotationsPreset` | Preset for ingress controller annotations | `""` |
+| `ingress.annotations` | Custom annotations for all ingress resources | `{}` |
+
+### Annotation Presets
+
+The `annotationsPreset` parameter helps configure ingress controller-specific features, particularly for OnlyOffice which requires the X-Forwarded-Proto header:
+
+- `nginx` - Uses configuration snippets to inject headers
+- `nginx-no-snippets` - For environments where snippets are forbidden (e.g., Rackspace)
+- `traefik` - Creates required Middleware resources
+- `haproxy` - Uses HAProxy-specific header injection
+- `contour` - Uses Contour request headers
+- `istio` - Uses Istio EnvoyFilter
+
+Example for Rackspace or security-restricted environments:
+```yaml
+ingress:
+  enabled: true
+  ingressClassName: nginx
+  annotationsPreset: nginx-no-snippets
+```
+
 ## Gateway API Configuration
 
 This chart includes HTTPRoute resources that can be used to expose the OpenCloud, Keycloak, and MinIO services externally. The HTTPRoutes are configured to route traffic to the respective services.
@@ -420,6 +477,7 @@ This chart includes HTTPRoute resources that can be used to expose the OpenCloud
 | `httpRoute.enabled` | Enable HTTPRoutes | `true` |
 | `httpRoute.gateway.name` | Gateway name | `opencloud-gateway` |
 | `httpRoute.gateway.namespace` | Gateway namespace | `""` (defaults to Release.Namespace) |
+| `httpRoute.gateway.sectionName` | Gateway section name | `""` (defaults to multiple route-specific section names for the routes listed below) |
 
 The following HTTPRoutes are created when `httpRoute.enabled` is set to `true`:
 
@@ -435,7 +493,7 @@ The following HTTPRoutes are created when `httpRoute.enabled` is set to `true`:
    - Port: 8080
    - Headers: Adds Permissions-Policy header to prevent browser features like interest-based advertising
 
-3. **MinIO HTTPRoute** (when `opencloud.storage.s3.internal.enabled` is `true`):
+3. **MinIO HTTPRoute** (when `opencloud.storage.mode` is `s3` and `opencloud.storage.s3.internal.enabled` is `true`):
    - Hostname: `global.domain.minio`
    - Service: `{{ release-name }}-minio`
    - Port: 9001
@@ -470,7 +528,7 @@ The following HTTPRoutes are created when `httpRoute.enabled` is set to `true`:
    - Port: 9300
    - Headers: Adds Permissions-Policy header to prevent browser features like interest-based advertising
 
-All HTTPRoutes are configured to use the same Gateway specified by `httpRoute.gateway.name` and `httpRoute.gateway.namespace`.
+All HTTPRoutes are configured to use the same Gateway specified by `httpRoute.gateway.name` and `httpRoute.gateway.namespace`. If `httpRoute.gateway.sectionName` is set, they also all use a single section (e.g. `https`) in the gateway resource (useful when `httpRoute.gateway.create` is `false` because a gateway already exists). Otherwise, when `httpRoute.gateway.sectionName` is left empty, each route gets its own generated `sectionName` that points to a section in the gateway resource that is automatically set up when `httpRoute.gateway.create` is `true`.
 
 ## Setting Up Gateway API with Talos, Cilium, and cert-manager
 

charts/opencloud/templates/gateway/collabora-httproute.yaml

@@ -10,7 +10,7 @@ spec:
   parentRefs:
     - name: {{ .Values.httpRoute.gateway.name }}
       namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
-      sectionName: collabora-https
+      sectionName: {{ .Values.httpRoute.gateway.sectionName | default "collabora-https" }}
   hostnames:
     - {{ .Values.global.domain.collabora | quote }}
   rules:

charts/opencloud/templates/gateway/collaboration-httproute.yaml

@@ -10,7 +10,7 @@ spec:
   parentRefs:
     - name: {{ .Values.httpRoute.gateway.name }}
       namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
-      sectionName: collaboration-https
+      sectionName: {{ .Values.httpRoute.gateway.sectionName | default "collaboration-https" }}
   hostnames:
     - {{ .Values.global.domain.wopi | quote }}
   rules:

charts/opencloud/templates/gateway/gateway.yaml

@@ -69,7 +69,7 @@ spec:
             matchLabels:
               kubernetes.io/metadata.name: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
     {{- end }}
-    {{- if and .Values.opencloud.storage.s3.internal.enabled .Values.opencloud.storage.s3.internal.httpRoute.enabled }}
+    {{- if and (eq .Values.opencloud.storage.mode "s3") .Values.opencloud.storage.s3.internal.enabled .Values.opencloud.storage.s3.internal.httpRoute.enabled }}
     {{- if .Values.global.tls.enabled }}
     - name: minio-https
     {{- else }}

charts/opencloud/templates/gateway/https-httproute.yaml

@@ -9,7 +9,7 @@ spec:
   parentRefs:
     - name: {{ .Values.httpRoute.gateway.name }}
       namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
-      sectionName: opencloud-https
+      sectionName: {{ .Values.httpRoute.gateway.sectionName | default "opencloud-https" }}
   hostnames:
     - {{ include "opencloud.domain" . | quote }}
   rules:

charts/opencloud/templates/gateway/keycloak-https-httproute.yaml

@@ -10,7 +10,7 @@ spec:
   parentRefs:
     - name: {{ .Values.httpRoute.gateway.name }}
       namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
-      sectionName: keycloak-https
+      sectionName: {{ .Values.httpRoute.gateway.sectionName | default "keycloak-https" }}
   hostnames:
     - {{ include "opencloud.keycloak.domain" . | quote }}
   rules:

charts/opencloud/templates/gateway/minio-httproute.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.httpRoute.enabled .Values.opencloud.storage.s3.internal.enabled .Values.opencloud.storage.s3.internal.httpRoute.enabled }}
+{{- if and .Values.httpRoute.enabled (eq .Values.opencloud.storage.mode "s3") .Values.opencloud.storage.s3.internal.enabled .Values.opencloud.storage.s3.internal.httpRoute.enabled }}
 apiVersion: gateway.networking.k8s.io/v1beta1
 kind: HTTPRoute
 metadata:
@@ -10,7 +10,7 @@ spec:
   parentRefs:
     - name: {{ .Values.httpRoute.gateway.name }}
       namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
-      sectionName: minio-https
+      sectionName: {{ .Values.httpRoute.gateway.sectionName | default "minio-https" }}
   hostnames:
     - {{ include "opencloud.minio.domain" . | quote }}
   rules:

charts/opencloud/templates/gateway/onlyoffice-httproute.yaml

@@ -10,7 +10,7 @@ spec:
   parentRefs:
     - name: {{ .Values.httpRoute.gateway.name }}
       namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
-      sectionName: onlyoffice-https
+      sectionName: {{ .Values.httpRoute.gateway.sectionName | default "onlyoffice-https" }}
   hostnames:
     - {{ .Values.global.domain.onlyoffice | quote }}
   rules:

charts/opencloud/templates/gateway/wopi-https-httproute.yaml

@@ -10,7 +10,7 @@ spec:
   parentRefs:
     - name: {{ .Values.httpRoute.gateway.name }}
       namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
-      sectionName: wopi-https
+      sectionName: {{ .Values.httpRoute.gateway.sectionName | default "wopi-https" }}
   hostnames:
     - {{ .Values.global.domain.wopi | quote }}
   rules: