diff --git a/README.md b/README.md index b22d0c403..1d9008926 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,7 @@ This repository contains a set of files to deploy ONLYOFFICE Docs into a Kuberne * [9. Update ONLYOFFICE Docs license (optional)](#9-update-onlyoffice-docs-license-optional) * [10. ONLYOFFICE Docs installation test (optional)](#10-onlyoffice-docs-installation-test-optional) * [11. Run Jobs in a private k8s cluster (optional)](#11-run-jobs-in-a-private-k8s-cluster-optional) + * [12. Access to the info page (optional)](#12-access-to-the-info-page-optional) - [Using Grafana to visualize metrics (optional)](#using-grafana-to-visualize-metrics-optional) * [1. Deploy Grafana](#1-deploy-grafana) + [1.1 Deploy Grafana without installing ready-made dashboards](#11-deploy-grafana-without-installing-ready-made-dashboards) 
@@ -451,6 +452,10 @@ The `helm delete` command removes all the Kubernetes components associated with | `proxy.workerConnections` | Defines the nginx config [worker_connections](https://nginx.org/en/docs/ngx_core_module.html#worker_connections) directive | `4096` | | `proxy.secureLinkSecret` | Defines secret for the nginx config directive [secure_link_md5](https://nginx.org/en/docs/http/ngx_http_secure_link_module.html#secure_link_md5) | `verysecretstring` | | `proxy.infoAllowedIP` | Defines ip addresses for accessing the info page | `[]` | +| `proxy.infoAllowedUser` | Defines user name for accessing the info page. If not set to, Nginx [Basic Authentication](https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html) will not be applied to access the info page. For more details, see [here](#12-access-to-the-info-page-optional) | `""` | +| `proxy.infoAllowedPassword` | Defines user password for accessing the info page. Used if `proxy.infoAllowedUser` is set | `password` | +| `proxy.infoAllowedSecretKeyName` | The name of the key that contains the info auth user password. Used if `proxy.infoAllowedUser` is set | `info-auth-password` | +| `proxy.infoAllowedExistingSecret` | Name of existing secret to use for info auth password. Used if `proxy.infoAllowedUser` is set. Must contain the key specified in `proxy.infoAllowedSecretKeyName`. If set to, it takes priority over the `proxy.infoAllowedPassword` | `""` | | `proxy.welcomePage.enabled` | Defines whether the welcome page will be displayed | `true` | | `proxy.image.repository` | Docservice Proxy container image repository* | `onlyoffice/docs-proxy-de` | | `proxy.image.tag` | Docservice Proxy container image tag | `7.5.1-1` | 
@@ -940,6 +945,15 @@ Next, when executing the commands `helm install|upgrade|rollback|delete`, set th > **Note**: If it is possible to use a Web Proxy in your network to ensure the Pods containers have access to the Internet, then you can leave the parameter `privateCluster=false`, not manually create a configmaps with sql scripts and set the parameter `webProxy.enabled=true`, also setting the appropriate parameters for the Web Proxy. +### 12. Access to the info page (optional) + +The access to `/info` page is limited by default. +In order to allow the access to it, you need to specify the IP addresses or subnets (that will be Proxy container clients in this case) using `proxy.infoAllowedIP` parameter. +Taking into consideration the specifics of Kubernetes net interaction it is possible to get the original IP of the user (being Proxy client) though it's not a standard scenario. +Generally the Pods / Nodes / Load Balancer addresses will actually be the clients, so these addresses are to be used. +In this case the access to the info page will be available to everyone. +You can further limit the access to the `info` page using Nginx [Basic Authentication](https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html) which you can turn on by setting `proxy.infoAllowedUser` parameter value and by setting the password using `proxy.infoAllowedPassword` parameter, alternatively you can use the existing secret with password by setting its name with `proxy.infoAllowedExistingSecret` parameter. + ## Using Grafana to visualize metrics (optional) *This step is optional. You can skip this section if you don't want to install Grafana* diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 0542a141f..9388b134e 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -106,6 +106,37 @@ Return Redis password {{- end }} {{- end -}} +{{/* +Get the info auth password secret +*/}} +{{- define "ds.info.secretName" -}} +{{- if .Values.proxy.infoAllowedExistingSecret -}} + {{- printf "%s" (tpl .Values.proxy.infoAllowedExistingSecret $) -}} +{{- else if .Values.proxy.infoAllowedPassword -}} + {{- printf "%s-info-auth" .Release.Name -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created for info auth +*/}} +{{- define "ds.info.createSecret" -}} +{{- if and .Values.proxy.infoAllowedUser (not .Values.proxy.infoAllowedExistingSecret) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return info auth password +*/}} +{{- define "ds.info.password" -}} +{{- if not (empty .Values.proxy.infoAllowedPassword) }} + {{- .Values.proxy.infoAllowedPassword }} +{{- else }} + {{- required "A info auth Password is required!" .Values.proxy.infoAllowedPassword }} +{{- end }} +{{- end -}} + {{/* Get the PVC name */}} diff --git a/templates/deployments/docservice.yaml b/templates/deployments/docservice.yaml index 839d9c841..9a49e9dee 100644 --- a/templates/deployments/docservice.yaml +++ b/templates/deployments/docservice.yaml @@ -134,11 +134,22 @@ spec: livenessProbe: {{- omit .Values.proxy.livenessProbe "enabled" | toYaml | nindent 12 }} {{- end }} resources: {{ toYaml .Values.proxy.resources | nindent 12 }} - {{- if .Values.proxy.infoAllowedIP }} + {{- if or .Values.proxy.infoAllowedIP .Values.proxy.infoAllowedUser }} env: + {{- if .Values.proxy.infoAllowedIP }} - name: INFO_ALLOWED_IP value: {{ join " " .Values.proxy.infoAllowedIP }} {{- end }} + {{- if .Values.proxy.infoAllowedUser }} + - name: INFO_ALLOWED_USER + value: {{ .Values.proxy.infoAllowedUser }} + - name: INFO_ALLOWED_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "ds.info.secretName" . }} + key: {{ .Values.proxy.infoAllowedSecretKeyName }} + {{- end }} + {{- end }} envFrom: - configMapRef: name: documentserver 
diff --git a/templates/secrets/info-auth.yaml b/templates/secrets/info-auth.yaml new file mode 100644 index 000000000..32f49dde6 --- /dev/null +++ b/templates/secrets/info-auth.yaml @@ -0,0 +1,14 @@ +{{- if eq (include "ds.info.createSecret" .) "true" }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-info-auth + namespace: {{ include "ds.namespace" . | quote }} + {{- if .Values.commonLabels }} + labels: + {{- include "ds.labels.commonLabels" . | trim | nindent 4 }} + {{- end }} +type: Opaque +stringData: + {{ .Values.proxy.infoAllowedSecretKeyName }}: {{ include "ds.info.password" . | quote }} +{{- end }} diff --git a/values.yaml b/values.yaml index 6b9a2de9d..a93ac8061 100644 --- a/values.yaml +++ b/values.yaml @@ -532,6 +532,23 @@ proxy: ## - 10.244.0.79 ## - 192.168.1.0/24 infoAllowedIP: [] + ## proxy.infoAllowedUser Defines user name for accessing the info page + ## If not set to, Nginx Basic Authentication will not be applied to access the info page + ## ref: https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html + ## For more details, see here: + ## ref: https://github.com/ONLYOFFICE/Kubernetes-Docs#12-access-to-the-info-page-optional + infoAllowedUser: "" + ## proxy.infoAllowedSecretKeyName The name of the key that contains the info auth user password + ## Used if `proxy.infoAllowedUser` is set + infoAllowedSecretKeyName: info-auth-password + ## proxy.infoAllowedExistingSecret Name of existing secret to use for info auth password + ## Used if `proxy.infoAllowedUser` is set + ## Must contain the key specified in `proxy.infoAllowedSecretKeyName` + ## If set to, it takes priority over the `proxy.infoAllowedPassword` + infoAllowedExistingSecret: "" + ## proxy.infoAllowedPassword Defines user password for accessing the info page + ## Used if `proxy.infoAllowedUser` is set + infoAllowedPassword: "password" ## proxy.welcomePage.enabled Defines whether the welcome page will be displayed welcomePage: enabled: true
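Review bot: in the README parameter table hunk, "If not set to, Nginx Basic Authentication will not be applied" (`proxy.infoAllowedUser` row) and "If set to, it takes priority over" (`proxy.infoAllowedExistingSecret` row) are incomplete; write "If not set, Nginx Basic Authentication will not be applied to the info page" and "If set, it takes priority over `proxy.infoAllowedPassword`". The `proxy.infoAllowedPassword` row should also state that the default `password` is a placeholder to be replaced, because this table is where operators read the defaults from.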
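Review bot: in the new "12. Access to the info page" section, "In this case the access to the info page will be available to everyone." does not say which case it refers to; attach it to the preceding sentence so the consequence is explicit: when Pod, Node or Load Balancer addresses are put in `proxy.infoAllowedIP`, every client that reaches the Proxy through them passes the IP check, so Basic Authentication via `proxy.infoAllowedUser` is the only restriction left and should be recommended for that setup rather than merely offered. Use one name for the page (`/info` in the first line, `info` later), and split the last sentence, which chains three options with commas, into one sentence per option (`proxy.infoAllowedUser` plus `proxy.infoAllowedPassword`, or `proxy.infoAllowedUser` plus `proxy.infoAllowedExistingSecret`).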
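Review bot: in the `_helpers.tpl` hunk, `ds.info.password` checks `infoAllowedPassword` and then, in the else branch, hands the same empty value to `required`, so both branches reduce to a single line: `{{- required "An info auth password is required!" .Values.proxy.infoAllowedPassword -}}` (also fixes "A info"). Separately, `ds.info.secretName` yields an empty string when `infoAllowedUser` is set but neither `infoAllowedExistingSecret` nor `infoAllowedPassword` is, and that empty name is what the Deployment's `secretKeyRef` would receive; today the `required` call aborts rendering first, but keying the else branch on `infoAllowedUser`, the same condition `ds.info.createSecret` uses, keeps the three helpers consistent. The `printf "%s"` around `tpl` is a no-op and can be dropped.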
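Review bot: in the `docservice.yaml` hunk, `value: {{ .Values.proxy.infoAllowedUser }}` renders the user name unquoted, so a value like `1234` or `yes` becomes a YAML int/bool and the API server rejects the env var (env values must be strings), and a name containing `:` or `#` breaks the manifest; use `value: {{ .Values.proxy.infoAllowedUser | quote }}` and quote the `key: {{ .Values.proxy.infoAllowedSecretKeyName }}` line for the same reason. Sourcing `INFO_ALLOWED_PASSWORD` from a `secretKeyRef` instead of inlining the value is the right choice and keeps the password out of the rendered Deployment.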
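Review bot: in the `values.yaml` hunk, `infoAllowedPassword: "password"` ships a well-known default credential: an operator who sets only `proxy.infoAllowedUser` gets Basic Authentication that anyone who has read this file can pass, and the `required` guard in `ds.info.password` never fires because the value is non-empty. Default it to `""` so the chart refuses to render until an explicit password or `infoAllowedExistingSecret` is supplied (the README section already describes both routes), and fix the comment wording "If not set to" / "If set to" to "If not set" / "If set".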