suse-coder
diff --git a/‎charts/opencloud-microservices/Chart.yaml‎
Lines changed: 2 additions & 2 deletions b/‎charts/opencloud-microservices/Chart.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎charts/opencloud-microservices/README.md‎
Lines changed: 25 additions & 63 deletions b/‎charts/opencloud-microservices/README.md‎
Lines changed: 25 additions & 63 deletions
diff --git a/‎charts/opencloud-microservices/deployments/timoni/configmap.yaml‎
Lines changed: 45 additions & 3 deletions b/‎charts/opencloud-microservices/deployments/timoni/configmap.yaml‎
Lines changed: 45 additions & 3 deletions
diff --git a/‎charts/opencloud-microservices/deployments/timoni/job.yaml‎
Lines changed: 22 additions & 0 deletions b/‎charts/opencloud-microservices/deployments/timoni/job.yaml‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎charts/opencloud-microservices/deployments/timoni/opencloud.cue‎
Lines changed: 88 additions & 3 deletions b/‎charts/opencloud-microservices/deployments/timoni/opencloud.cue‎
Lines changed: 88 additions & 3 deletions
@@ -12,9 +12,9 @@ maintainers:
     email: [email protected]
     url: https://opencloud.eu
 type: application
-version: 0.2.0
+version: 0.2.7
 # renovate: datasource=docker depName=opencloudeu/opencloud-rolling
-appVersion: 3.2.1
+appVersion: 3.4.0
 kubeVersion: ""
 sources:
   - https://github.com/opencloud-eu/helm
 
@@ -997,71 +997,9 @@ Or via command line:
 --set opencloud.proxy.basicAuth.enabled=true
 ```
 
-
-#### Improved Namespace Handling
-
-The chart now automatically uses the correct namespace across all resources, eliminating the need to manually set the namespace in multiple places.
-
-The following HTTPRoutes are created when `httpRoute.enabled` is set to `true`:
-
-1. **OpenCloud Proxy HTTPRoute (`oc-proxy-https`)**:
-   - Hostname: `global.domain.opencloud`
-   - Service: `{{ release-name }}-opencloud`
-   - Port: 9200
-   - Headers: Removes Permissions-Policy header to prevent browser console errors
-
-2. **Keycloak HTTPRoute (`oc-keycloak-https`)** (when `keycloak.enabled` is `true`):
-   - Hostname: `global.domain.keycloak`
-   - Service: `{{ release-name }}-keycloak`
-   - Port: 8080
-   - Headers: Adds Permissions-Policy header to prevent browser features like interest-based advertising
-
-3. **MinIO HTTPRoute (`oc-minio-https`)** (when `opencloud.storage.s3.internal.enabled` is `true`):
-   - Hostname: `global.domain.minio`
-   - Service: `{{ release-name }}-minio`
-   - Port: 9001
-   - Headers: Adds Permissions-Policy header to prevent browser features like interest-based advertising
-
-   default user: opencloud
-   pass: opencloud-secret-key
-
-4. **MinIO Console HTTPRoute (`oc-minio-console-https`)** (when `opencloud.storage.s3.internal.enabled` is `true`):
-   - Hostname: `console.minio.opencloud.test` (or `global.domain.minioConsole` if defined)
-   - Service: `{{ release-name }}-minio`
-   - Port: 9001
-   - Headers: Adds Permissions-Policy header to prevent browser features like interest-based advertising
-
-5. **OnlyOffice HTTPRoute (`oc-onlyoffice-https`)** (when `onlyoffice.enabled` is `true`):
-   - Hostname: `global.domain.onlyoffice`
-   - Service: `{{ release-name }}-onlyoffice`
-   - Port: 443 (or 80 if using HTTP)
-   - Path: "/"
-   - This route is used to access the OnlyOffice Document Server for collaborative editing
-
-6. **WOPI HTTPRoute (`oc-wopi-https`)** (when `onlyoffice.collaboration.enabled` and `onlyoffice.enabled` are `true`):
-   - Hostname: `global.domain.wopi` (or `collaboration.wopiDomain`)
-   - Service: `{{ release-name }}-collaboration`
-   - Port: 9300
-   - Path: "/"
-   - This route is used for the WOPI protocol communication between OnlyOffice and the collaboration service
-
-7. **Collabora HTTPRoute** (when `collabora.enabled` is `true`):
-   - Hostname: `global.domain.collabora`
-   - Service: `{{ release-name }}-collabora`
-   - Port: 9980
-   - Headers: Adds Permissions-Policy header to prevent browser features like interest-based advertising
-
-8. **Collaboration (WOPI) HTTPRoute** (when `collaboration.enabled` is `true`):
-   - Hostname: `collaboration.wopiDomain`
-   - Service: `{{ release-name }}-collaboration`
-   - Port: 9300
-   - Headers: Adds Permissions-Policy header to prevent browser features like interest-based advertising
-
-All HTTPRoutes are configured to use the same Gateway specified by `httpRoute.gateway.name` and `httpRoute.gateway.namespace`.
-
 ## Setting Up Gateway API with Talos, Cilium, and cert-manager
 
-This section provides a practical guide to setting up the Gateway API with Talos, Cilium, and cert-manager for the production OpenCloud chart.
+This section provides a practical guide to setting up the Gateway API with Talos Kubernetes, Cilium, and cert-manager for the production OpenCloud chart.
 
 ### Prerequisites
 
@@ -1235,6 +1173,30 @@ spec:
       allowedRoutes:
         namespaces:
           from: All
+    - name: oc-collabora-https
+      protocol: HTTPS
+      port: 443
+      hostname: "collabora.opencloud.test"
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: opencloud-wildcard-tls
+            namespace: kube-system
+      allowedRoutes:
+        namespaces:
+          from: All
+    - name: oc-collaboration-https
+      protocol: HTTPS
+      port: 443
+      hostname: "collaboration.opencloud.test"
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: opencloud-wildcard-tls
+            namespace: kube-system
+      allowedRoutes:
+        namespaces:
+          from: All
     - name: oc-onlyoffice-https
       protocol: HTTPS
       port: 443
 
@@ -9,6 +9,11 @@ metadata:
   name: openldap
 ---
 apiVersion: v1
+kind: Namespace
+metadata:
+  name: clamav
+---
+apiVersion: v1
 kind: ConfigMap
 metadata:
   name: opencloud-config
@@ -18,7 +23,14 @@ data:
   # Global Configuration
   ###############################################################################
   EXTERNAL_DOMAIN: "cloud.opencloud.test"
-  TAG: "3.0.0"
+  TAG: ""
+
+  ###############################################################################
+  # Deployment Strategy
+  ###############################################################################
+  DEPLOY_TYPE: "Recreate"
+  MAX_SURGE: "25%"
+  MAX_UNAV: "25%"
 
   OPENCLOUD_WEB_URL: "https://www.opencloud.eu"
   OPENCLOUD_LOGGING_LEVEL: "debug"
@@ -42,9 +54,9 @@ data:
   ###############################################################################
   # Persistence StorageClass and AccessModes (global defaults)
   ###############################################################################
-  PERSISTENCE_STORAGE_CLASS_NAME: "ceph-cephfs"
+  PERSISTENCE_STORAGE_CLASS_NAME: ""
   # Comma-separated for runtime to split into a list, e.g. "ReadWriteMany" or "ReadWriteOnce,ReadOnlyMany"
-  PERSISTENCE_ACCESS_MODES: "ReadWriteMany"
+  PERSISTENCE_ACCESS_MODES: "ReadWriteOnce"
 
   ###############################################################################
   # Persistence (service PVC sizes and toggles)
@@ -117,6 +129,11 @@ data:
   ###############################################################################
   SEARCH_EXTRACTOR_TYPE: "tika"
 
+  ###############################################################################
+  # Demo Users
+  ###############################################################################
+  DEMO_USERS_ENABLED: "false"
+
   ###############################################################################
   # Collabora Configuration
   ###############################################################################
@@ -146,3 +163,28 @@ data:
   ###############################################################################
   WOPI_INGRESS_DOMAIN: "wopi.opencloud.test"
   WOPI_COLLABORA_TLS_HOST: "wopi-collabora.kube.opencloud.test"
+
+  ###############################################################################
+  # Antivirus
+  ###############################################################################
+  ANTIVIRUS_ENABLED: "true"
+  ANTIVIRUS_INFECTED_FILE_HANDLING: "abort"
+  ANTIVIRUS_ICAP_URL: "http://clamav-icap.clamav:1344"
+  ANTIVIRUS_ICAP_SERVICE: "avscan"
+
+  ###############################################################################
+  # ClamAV Configuration
+  ###############################################################################
+  CLAMAV_REPLICA_COUNT: "1"
+  CLAMAV_RESOURCES_LIMITS_CPU: "500m"
+  CLAMAV_RESOURCES_LIMITS_MEMORY: "512Mi"
+  CLAMAV_RESOURCES_REQUESTS_CPU: "250m"
+  CLAMAV_RESOURCES_REQUESTS_MEMORY: "256Mi"
+  CLAMAV_PERSISTENCE_SIZE: "10Gi"
+  CLAMAV_FRESHCLAM_IMAGE_TAG: "1.4.0"
+  CLAMAV_CLAMD_IMAGE_TAG: "1.4.0"
+  CLAMAV_ICAP_IMAGE_TAG: "0.5.10"
+  CLAMAV_ICAP_IMAGE_REPOSITORY: "bmi/opendesk/components/platform-development/images/clamav-icap"
+  CLAMAV_ICAP_IMAGE_REGISTRY: "registry.opencode.de"
+  CLAMAV_ICAP_CLAMD_HOST: "clamav-clamd"
+  CLAMAV_MILTER_CLAMD_HOST: "clamav-clamd"
@@ -0,0 +1,22 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: clamav-db-chown
+  namespace: clamav
+spec:
+  backoffLimit: 1
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: chown
+          image: busybox:1.36
+          imagePullPolicy: IfNotPresent
+          command: ["/bin/sh", "-c", "chown -R 100:100 /var/lib/clamav"]
+          volumeMounts:
+            - name: clamav-database
+              mountPath: /var/lib/clamav
+      volumes:
+        - name: clamav-database
+          persistentVolumeClaim:
+            claimName: clamav-db
@@ -15,17 +15,17 @@ bundle: {
         // },
         "opencloud": {
             module: {
-                url:     "oci://ghcr.io/stefanprodan/modules/flux-helm-release"
+                url: "oci://ghcr.io/stefanprodan/modules/flux-helm-release"
                 version: "latest"
             }
             namespace: "opencloud"
             values: {
                 repository: {
-                    url: "oci://ghcr.io/suse-coder/helm-charts"
+                    url: "oci://ghcr.io/opencloud-eu/helm-charts"
                 }
                 chart: {
                     name:    "opencloud-microservices"
-                    version: "0.2.0"
+                    version: "0.2.7"
                 }
                 sync: {
                     timeout: 10
@@ -35,6 +35,15 @@ bundle: {
                     // Global persistence indirection (like _domainFilter pattern)
                     _persistenceStorageClassName: string @timoni(runtime:string:PERSISTENCE_STORAGE_CLASS_NAME)
                     _persistenceAccessModes:     string @timoni(runtime:string:PERSISTENCE_ACCESS_MODES)
+
+                    deploymentStrategy: {
+                        type: string @timoni(runtime:string:DEPLOY_TYPE)
+                        rollingUpdate: {
+                            maxSurge: string @timoni(runtime:string:MAX_SURGE)
+                            maxUnavailable: string @timoni(runtime:string:MAX_UNAV)
+                        }
+                    }
+
                     logging: {
                         level: string @timoni(runtime:string:OPENCLOUD_LOGGING_LEVEL)
                     }
@@ -106,6 +115,15 @@ bundle: {
                         }
                     }
                     features: {
+                        demoUsers: bool @timoni(runtime:bool:DEMO_USERS_ENABLED)
+                        virusscan: {
+                            enabled: bool @timoni(runtime:bool:ANTIVIRUS_ENABLED)
+                            infectedFileHandling: string @timoni(runtime:string:ANTIVIRUS_INFECTED_FILE_HANDLING)
+                            icap: {
+                                url: string @timoni(runtime:string:ANTIVIRUS_ICAP_URL)
+                                service: string @timoni(runtime:string:ANTIVIRUS_ICAP_SERVICE)
+                            }
+                        }
                         externalUserManagement: {
                             enabled: bool @timoni(runtime:bool:EXTERNAL_USER_MANAGEMENT_ENABLED)
                             adminUUID: string @timoni(runtime:string:EXTERNAL_USER_MANAGEMENT_ADMIN_UUID)
@@ -524,6 +542,73 @@ bundle: {
                     }
                 }
             }
+        },
+        "clamav": {
+            module: {
+                url: "oci://ghcr.io/stefanprodan/modules/flux-helm-release"
+                version: "latest"
+            }
+            namespace: "clamav"
+            values: {
+                repository: {
+                    url: "https://gitlab.opencode.de/api/v4/projects/1381/packages/helm/stable"
+                }
+                chart: {
+                    name:    "opendesk-clamav"
+                    version: "4.0.6"
+                }
+                sync: {
+                    timeout: 5
+                    createNamespace: true
+                }
+                helmValues: {
+                    // Global persistence indirection (like _domainFilter pattern)
+                    _persistenceStorageClassName: string @timoni(runtime:string:PERSISTENCE_STORAGE_CLASS_NAME)
+                    _persistenceAccessModes:     string @timoni(runtime:string:PERSISTENCE_ACCESS_MODES)
+
+                    replicaCount: string @timoni(runtime:string:CLAMAV_REPLICA_COUNT)
+                    resources: {
+                        limits: {
+                            cpu: string @timoni(runtime:string:CLAMAV_RESOURCES_LIMITS_CPU)
+                            memory: string @timoni(runtime:string:CLAMAV_RESOURCES_LIMITS_MEMORY)
+                        }
+                        requests: {
+                            cpu: string @timoni(runtime:string:CLAMAV_RESOURCES_REQUESTS_CPU)
+                            memory: string @timoni(runtime:string:CLAMAV_RESOURCES_REQUESTS_MEMORY)
+                        }
+                    }
+                    persistence: {
+                        accessModes: [ "\(_persistenceAccessModes)" ]
+                        size: string @timoni(runtime:string:CLAMAV_PERSISTENCE_SIZE)
+                        storageClass: "\(_persistenceStorageClassName)"
+                    }
+                    freshclam: {
+                        image: {
+                            tag: string @timoni(runtime:string:CLAMAV_FRESHCLAM_IMAGE_TAG)
+                        }
+                    }
+                    clamd: {
+                        image: {
+                            tag: string @timoni(runtime:string:CLAMAV_CLAMD_IMAGE_TAG)
+                        }
+                    }
+                    icap: {
+                        image: {
+                            registry: string @timoni(runtime:string:CLAMAV_ICAP_IMAGE_REGISTRY)
+                            repository: string @timoni(runtime:string:CLAMAV_ICAP_IMAGE_REPOSITORY)
+                            tag: string @timoni(runtime:string:CLAMAV_ICAP_IMAGE_TAG)
+                        }
+                        settings: {
+                            clamdModClamdHost: string @timoni(runtime:string:CLAMAV_ICAP_CLAMD_HOST)
+                        }
+                    }
+                    milter: {
+                        settings: {
+                            clamdHost: string @timoni(runtime:string:CLAMAV_MILTER_CLAMD_HOST)
+                        }
+                    }
+                }
+            }
         }
     }
 }