// ONLYOFFICE document server.
//
// The JWT secret is not managed by this file. It needs to be generated as
// follows, once per environment:
//   kubectl -n onlyoffice-prod create secret generic documentserver-jwt --from-literal=jwt=$(pwgen 32 1)
//
// NOTE(review): pwgen's default mode emits pronounceable passwords;
// `pwgen -s 32 1` draws fully random characters instead. The $(...)
// substitution also puts the secret on the kubectl command line, where it is
// visible in the local process list while the command runs.

local kube = import "../../kube/hscloud.libsonnet";
local policies = import "../../kube/policies.libsonnet";

{
    // Hidden template. Instantiate it by overriding cfg, as `prod` does below.
    onlyoffice:: {
        local app = self,
        local cfg = app.cfg,

        // Per-environment settings; namespace and domain have no default and
        // raise an error at evaluation time unless overridden.
        cfg:: {
            namespace: error "cfg.namespace must be set",
            // Pinned by tag only.
            // NOTE(review): a registry tag can be re-pointed after the fact;
            // pinning by digest would make the deployed image immutable.
            image: "onlyoffice/documentserver:7.0.0.132",
            storageClassName: "waw-hdd-redundant-3",
            domain: error "cfg.domain must be set",
        },

        ns: kube.Namespace(cfg.namespace),

        // Single volume backing every persistent path of the container
        // (see the subPath mounts in the deployment).
        pvc: app.ns.Contain(kube.PersistentVolumeClaim("documentserver")) {
            spec+: {
                storageClassName: cfg.storageClassName,
                accessModes: ["ReadWriteOnce"],
                resources: { requests: { storage: "10Gi" } },
            },
        },

        deploy: app.ns.Contain(kube.Deployment("documentserver")) {
            spec+: {
                template+: {
                    spec+: {
                        containers_: {
                            documentserver: kube.Container("default") {
                                image: cfg.image,
                                resources: {
                                    requests: { memory: "4G", cpu: "100m" },
                                    limits: { memory: "8G", cpu: "2" },
                                },
                                // JWT checking is switched on and the shared
                                // secret is read from the `jwt` key of the
                                // documentserver-jwt Secret, which must already
                                // exist in the namespace (see file header).
                                env_: {
                                    JWT_ENABLED: "true",
                                    JWT_SECRET: { secretKeyRef: { name: "documentserver-jwt", key: "jwt" } },
                                },
                                // Plain HTTP inside the pod.
                                // NOTE(review): TLS is presumably terminated
                                // by the ingress below; confirm against
                                // kube.SimpleIngress.
                                ports_: {
                                    http: { containerPort: 80 },
                                },
                                // Builds one mount of the shared "data" volume,
                                // rooted at the given sub-directory of the PVC.
                                local dataMount(subPath, mountPath) = {
                                    name: "data",
                                    mountPath: mountPath,
                                    subPath: subPath,
                                },
                                // Per upstream Dockerfile:
                                //   VOLUME /var/log/$COMPANY_NAME /var/lib/$COMPANY_NAME
                                //          /var/www/$COMPANY_NAME/Data /var/lib/postgresql
                                //          /var/lib/rabbitmq /var/lib/redis
                                //          /usr/share/fonts/truetype/custom
                                // Each entry below is [subPath on the PVC, path in the container].
                                volumeMounts: [
                                    dataMount(entry[0], entry[1])
                                    for entry in [
                                        ["log", "/var/log/onlyoffice"],
                                        ["www-data", "/var/www/onlyoffice/Data"],
                                        ["postgres", "/var/lib/postgresql"],
                                        ["rabbit", "/var/lib/rabbitmq"],
                                        ["redis", "/var/lib/redis"],
                                        ["fonts", "/usr/share/fonts/truetype/custom"],
                                    ]
                                ],
                            },
                        },
                        volumes_: {
                            data: kube.PersistentVolumeClaimVolume(app.pvc),
                        },
                    },
                },
            },
        },

        svc: app.ns.Contain(kube.Service("documentserver")) {
            target_pod:: app.deploy.spec.template,
        },

        // Exposes the service on cfg.domain.
        ingress: app.ns.Contain(kube.SimpleIngress("office")) {
            hosts:: [cfg.domain],
            target_service:: app.svc,
        },

        // Needed because the documentserver runs its own supervisor, and:
        //  - rabbitmq wants to mkdir in /run, which starts out with the wrong permissions
        //  - nginx wants to bind to port 80
        // NOTE(review): the helper takes only the namespace name, so the
        // relaxation presumably applies to every pod in that namespace, not
        // just this deployment. Verify in policies.libsonnet, and keep
        // unrelated workloads out of this namespace.
        insecure: policies.AllowNamespaceInsecure(cfg.namespace),
    },

    // Production instance of the template above.
    prod: self.onlyoffice {
        cfg+: {
            namespace: "onlyoffice-prod",
            domain: "office.hackerspace.pl",
        },
    },
}
96}