app/onlyoffice/prod.jsonnet

// ONLYOFFICE document server.
// JWT secret needs to be generated as follows per environment:
//     kubectl -n onlyoffice-prod create secret generic documentserver-jwt --from-literal=jwt=$(pwgen 32 1)

local kube = import "../../kube/hscloud.libsonnet";
local policies = import "../../kube/policies.libsonnet";

{
    onlyoffice:: {
        local top = self,
        local cfg = top.cfg,
        cfg:: {
            namespace: error "cfg.namespace must be set",
            image: "onlyoffice/documentserver:7.0.0.132",
            storageClassName: "waw-hdd-redundant-3",
            domain: error "cfg.domain must be set",
        },

        secretRefs:: {
            jwt: { secretKeyRef: { name: "documentserver-jwt", key: "jwt", } },
        },

        local ns = kube.Namespace(cfg.namespace),

        pvc: ns.Contain(kube.PersistentVolumeClaim("documentserver")) {
            storage:: "10Gi",
            storageClass:: cfg.storageClassName,
        },

        deploy: ns.Contain(kube.Deployment("documentserver")) {
            spec+: {
                template+: {
                    spec+: {
                        containers_: {
                            documentserver: kube.Container("default") {
                                image: cfg.image,
                                resources: {
                                    requests: { memory: "4G", cpu: "100m" },
                                    limits: { memory: "8G", cpu: "2" },
                                },
                                env_: {
                                    JWT_ENABLED: "true",
                                    JWT_SECRET: top.secretRefs.jwt,
                                },
                                ports_: {
                                    http: { containerPort: 80 },
                                },
                                local make(sp, p) = { name: "data", mountPath: p, subPath: sp },
                                volumeMounts: [
                                    // Per upstream Dockerfile:
                                    // VOLUME /var/log/$COMPANY_NAME /var/lib/$COMPANY_NAME
                                    //        /var/www/$COMPANY_NAME/Data /var/lib/postgresql
                                    //        /var/lib/rabbitmq /var/lib/redis
                                    //        /usr/share/fonts/truetype/custom
                                    make("log", "/var/log/onlyoffice"),
                                    make("www-data", "/var/www/onlyoffice/Data"),
                                    make("postgres", "/var/lib/postgresql"),
                                    make("rabbit", "/var/lib/rabbitmq"),
                                    make("redis", "/var/lib/redis"),
                                    make("fonts", "/usr/share/fonts/truetype/custom"),
                                ],
                            },
                        },
                        volumes_: {
                            data: kube.PersistentVolumeClaimVolume(top.pvc),
                        },
                    },
                },
            },
        },

        svc: ns.Contain(kube.Service("documentserver")) {
            target:: top.deploy,
        },

        ingress: ns.Contain(kube.SimpleIngress("office")) {
            hosts:: [cfg.domain],
            target:: top.svc,
        },

        // Needed because the documentserver runs its own supervisor, and:
        //  - rabbitmq wants to mkdir in /run, which starts out with the wrong permissions
        //  - nginx wants to bind to port 80
        insecure: policies.AllowNamespaceInsecure(cfg.namespace),
    },

    prod: self.onlyoffice {
        cfg+: {
            namespace: "onlyoffice-prod",
            domain: "office.hackerspace.pl",
        },
    },
}