Auto-configure Collabora SSL based on ingress settings #109
Description
Problem
When using Collabora with an Ingress controller that handles TLS termination (like nginx), Collabora's internal SSL must be disabled. Otherwise, Collabora crashes with segmentation faults. Users often don't realize this and experience deployment failures.
Current Workaround
Users must manually set:
    collabora:
      ssl:
        enabled: false
        verification: false

Reference: opencloud-compose Configuration
The opencloud-compose repository handles this exact scenario correctly:
    # From opencloud-compose .env.example:
    COLLABORA_SSL_ENABLE: false # Set to false when using reverse proxy
    DONT_GEN_SSL_CERT: "YES" # Don't generate internal certificates
    # And in their docker-compose configuration:
    extra_params: |
      --o:ssl.enable=false
      --o:ssl.termination=true # SSL is terminated at proxy

This confirms that Collabora SSL should be disabled when using a reverse proxy/ingress that handles TLS termination.
Proposed Solution
Automatically configure Collabora SSL based on ingress settings. If ingress is enabled (which implies TLS termination at ingress level), disable Collabora's internal SSL.
Implementation
In templates/collabora/deployment.yaml, modify the extra_params:
    - name: extra_params
      value: >-
        {{- if .Values.ingress.enabled }}
        --o:ssl.enable=false --o:ssl.termination=true
        {{- else if .Values.collabora.ssl.enabled }}
        --o:ssl.enable=true
        {{- else }}
        --o:ssl.enable=false
        {{- end }}
        {{- if .Values.collabora.ssl.verification }}
        --o:ssl.verification=true
        {{- else }}
        --o:ssl.verification=false
        {{- end }}

Alternative: Add documentation and validation
If auto-configuration is too opinionated, at least add validation:
    {{- if and .Values.ingress.enabled .Values.collabora.enabled .Values.collabora.ssl.enabled }}
    {{- fail "Error: When using Ingress with TLS, Collabora SSL must be disabled. Set collabora.ssl.enabled=false" }}
    {{- end }}

Benefits
- Prevents common deployment failures
- Reduces configuration complexity
- Follows the principle of sensible defaults
- Still allows manual override if needed
- Aligns with opencloud-compose patterns
Real-world Example
During Rackspace deployment, Collabora crashed with:
    kit-001-001 segfaulted
    Failed to create COOLWSD and die
This was due to SSL conflicts between Ingress TLS termination and Collabora's internal SSL.
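
To check what the two proposals above produce for each values combination, the following added example (not code from the issue or from the chart) renders both template fragments with Go's `text/template`, the engine Helm templates are built on. The `fail` function here is a stand-in for Helm's, and the helper names and sample values are constructed for the test.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
	"text/template"
)

type M = map[string]interface{} // same shape as Helm's .Values tree
// Flag logic as proposed in the issue for the extra_params value.
const flagsTmpl = `{{- if .Values.ingress.enabled }}
--o:ssl.enable=false --o:ssl.termination=true
{{- else if .Values.collabora.ssl.enabled }}
--o:ssl.enable=true
{{- else }}
--o:ssl.enable=false
{{- end }}
{{- if .Values.collabora.ssl.verification }}
--o:ssl.verification=true
{{- else }}
--o:ssl.verification=false
{{- end }}`

// Validation guard from the issue's alternative proposal.
const guardTmpl = `{{- if and .Values.ingress.enabled .Values.collabora.enabled .Values.collabora.ssl.enabled }}{{ fail "Error: When using Ingress with TLS, Collabora SSL must be disabled. Set collabora.ssl.enabled=false" }}{{ end }}`
// Stand-in for Helm's fail function: aborts rendering with the given message.
var funcs = template.FuncMap{"fail": func(m string) (string, error) { return "", errors.New(m) }}

// values builds constructed sample values for the switches the issue uses.
func values(ingress, ssl, verify bool) M {
	return M{"Values": M{"ingress": M{"enabled": ingress}, "collabora": M{
		"enabled": true, "ssl": M{"enabled": ssl, "verification": verify}}}}
}

// Render executes a template fragment and returns its output as space-separated flags.
func Render(src string, v M) (string, error) {
	var b bytes.Buffer
	err := template.Must(template.New("t").Funcs(funcs).Parse(src)).Execute(&b, v)
	return strings.Join(strings.Fields(b.String()), " "), err
}

func main() {
	for _, c := range [][2]bool{{true, true}, {false, true}, {false, false}} {
		flags, _ := Render(flagsTmpl, values(c[0], c[1], false))
		_, err := Render(guardTmpl, values(c[0], c[1], false))
		fmt.Printf("ingress=%v ssl=%v -> %q guard=%v\n", c[0], c[1], flags, err)
	}
}
```

With the auto-configuration fragment, `ingress.enabled=true` overrides `collabora.ssl.enabled=true` silently, while the guard fragment rejects the same values at render time.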