Remove 'allowed domains' config from Hocuspocus (#273)

* Remove 'allowed domains' config from Hocuspocus

* Update changeset.md

Author: brunopagno

.changeset/ninety-jobs-compete.md

@@ -0,0 +1,5 @@
+---
+"@openproject/helm-charts": patch
+---
+
+Remove 'allowed domains' configuration from Hocuspocus - The value is not used anymore

charts/openproject/README.md

@@ -102,25 +102,6 @@ openproject.admin_user.name="Firstname Lastname"
 openproject.admin_user.mail="[email protected]"
 ```
 
-#### Real-time collaboration (Hocuspocus)
-
-OpenProject supports real-time collaboration features through a WebSocket backend called Hocuspocus. To enable Hocuspocus, it is necessary to set the allowed domains for hocuspocus to communicate with:
-
-```yaml
-hocuspocus:
-  ...
-
-  allowedOpenProjectDomains:
-    - my-openproject-domain.com
-```
-
-**Important**: The `allowedOpenProjectDomains` can be the top level domain (e.g. my-openproject-domain.com) or subdomain (e.g. openproject.example.com). No wildcards are allowed.
-
-The configuration accepts multiple domains in case of a single websocket server for multiple OpenProject instances.
-
-The domains are passed to the Hocuspocus container as the `ALLOWED_DOMAINS` environment variable (comma-separated). This setting is a security feature that restricts which the Hocuspocus server will be able to connect to.
-
-
 ### TMP volume mounts
 
 OpenProject needs some tmp volumes to be mounted in `/app/tmp`  and `/tmp`, if `global.containerSecurityContext.readOnlyRootFilesystem` is set to true.

charts/openproject/templates/hocuspocus-deployment.yaml

@@ -62,8 +62,6 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.hocuspocus.auth.existingSecret }}
                   key: {{ .Values.hocuspocus.auth.secretKey }}
-            - name: ALLOWED_DOMAINS
-              value: {{ join "," .Values.hocuspocus.allowedOpenProjectDomains | quote }}
           volumeMounts:
             {{- include "hocuspocus.tmpVolumeMounts" . | indent 12 }}
             {{- if .Values.egress.tls.rootCA.fileName }}

charts/openproject/values.yaml

@@ -523,9 +523,6 @@ hocuspocus:
 
   podAnnotations:
 
-  allowedOpenProjectDomains:
-    - openproject.example.com
-
   service:
     port: 1234
 

spec/charts/openproject/hocuspocus_spec.rb

@@ -79,47 +79,4 @@
       expect(secret_env['valueFrom']['secretKeyRef']['key']).to eq 'secret'
     end
   end
-
-  context 'when allowedOpenProjectDomains is configured' do
-    let(:default_values) do
-      HelmTemplate.with_defaults(
-        <<~YAML
-          hocuspocus:
-            enabled: true
-            allowedOpenProjectDomains:
-              - example.org
-              - sometest.com
-        YAML
-      )
-    end
-
-    it 'sets the ALLOWED_DOMAINS environment variable with comma-separated domains' do
-      deployment = template.dig('Deployment/optest-openproject-hocuspocus')
-      env = deployment.dig('spec', 'template', 'spec', 'containers').first['env']
-      allowed_domains_env = env.find { |e| e['name'] == 'ALLOWED_DOMAINS' }
-
-      expect(allowed_domains_env).not_to be_nil
-      expect(allowed_domains_env['value']).to eq 'example.org,sometest.com'
-    end
-  end
-
-  context 'when allowedOpenProjectDomains uses default values' do
-    let(:default_values) do
-      HelmTemplate.with_defaults(
-        <<~YAML
-          hocuspocus:
-            enabled: true
-        YAML
-      )
-    end
-
-    it 'sets the ALLOWED_DOMAINS environment variable with default domain' do
-      deployment = template.dig('Deployment/optest-openproject-hocuspocus')
-      env = deployment.dig('spec', 'template', 'spec', 'containers').first['env']
-      allowed_domains_env = env.find { |e| e['name'] == 'ALLOWED_DOMAINS' }
-
-      expect(allowed_domains_env).not_to be_nil
-      expect(allowed_domains_env['value']).to eq 'openproject.example.com'
-    end
-  end
 end