Requirements
This section covers the internal system requirements and external service requirements for productive use.
tl;dr
openDesk is a Kubernetes-only solution and requires an existing Kubernetes (K8s) cluster.
- K8s cluster >= v1.24, CNCF Certified Kubernetes distribution
- Domain and DNS Service
- Ingress controller
  - haproxy-ingress.github.io
  - Ingress nginx >= 4.11.5/1.11.5 - now deprecated
  - See section Ingress controller for more details.
- Helm >= v3.17.3 but not
- Helmfile >= v1.0.0
- HelmDiff >= v3.11.0
- Volume provisioner supporting RWO (read-write-once)
- Certificate handling with cert-manager
Additional openDesk Enterprise requirements
- OpenKruise >= v1.6
Hardware
The following minimum requirements are intended for initial evaluation deployment:
| Spec | Value |
|---|---|
| CPU | 12 Cores of x64 or x86 CPU (ARM is not supported yet) |
| RAM | 32 GB, more recommended |
| Disk | HDD or SSD, >10 GB |
Kubernetes
Any self-hosted or managed K8s cluster >= v1.24 listed in CNCF Certified Kubernetes distributions should be supported.
The deployment is tested against kubespray based clusters.
The deployment is not tested against OpenShift.
Ingress controller
The deployment is intended to be used only over HTTPS via a configured FQDN, so a properly configured ingress controller must be deployed in your cluster.
Supported controllers
- haproxy-ingress.github.io - since openDesk 1.13
- Ingress nginx Controller - now deprecated
We plan to move to Gateway API, ideally by the end of 2026. The objective is to achieve an implementation that is as controller-agnostic as possible, so that you can choose the actual implementation for your infrastructure.
haproxy-ingress.github.io
Some openDesk components, e.g. the optional UDM REST API (see functional.externalServices.nubus.udmRestApi), can hit some of the controller's default global limits. Tweaking the controller deployment as shown below is best practice to avoid running into issues.
controller:
  config:
    config-global: |
      tune.bufsize 65536
      tune.http.maxhdr 256

Ingress nginx
Ingress nginx is no longer maintained by upstream and its use is therefore
With release 1.12.0, Ingress nginx introduced new security default settings, which are incompatible with current openDesk releases. If you want to use Ingress nginx >= 1.12.0, the following settings have to be set:
controller.config.annotations-risk-level=Critical
controller.config.strict-validate-path-type=false
See the annotations-risk-level documentation and strict-validate-path-type documentation for details.
Make sure to install at least Ingress nginx 1.11.5 or 1.12.1 due to security issues in earlier versions.
Minimal configuration
Several components in openDesk make use of snippet annotations, which are disabled by default. Please enable them using the following configuration:
controller.allowSnippetAnnotations=true
controller.admissionWebhooks.allowSnippetAnnotations=true
See the allowSnippetAnnotations documentation for context.
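The version floor and the version-dependent settings from this Ingress nginx section, written as a preflight check; this is an added example, not openDesk code, and its function names are hypothetical. It assumes "at least 1.11.5 or 1.12.1" means that the 1.11 line needs patch 5 or later and that anything from 1.12 onward needs 1.12.1 or later, and that the settings are passed with `helm --set`.

```shell
#!/bin/sh
# Added example (not openDesk code): gate an Ingress nginx controller version
# against the minimums stated above and list the Helm settings it needs.

# Sets MAJOR/MINOR/PATCH from "1.12.1" or "v1.12.1"; returns 1 if malformed.
parse_version() {
  v=${1#v}
  case "$v" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $v
  IFS=$old_ifs
  [ $# -eq 3 ] || return 1
  MAJOR=$1; MINOR=$2; PATCH=$3
}

# Prints one of: ok | ok-needs-overrides | too-old | invalid
classify_ingress_nginx() {
  parse_version "$1" || { echo invalid; return 0; }
  if [ "$MAJOR" -lt 1 ] || { [ "$MAJOR" -eq 1 ] && [ "$MINOR" -lt 11 ]; }; then
    echo too-old
  elif [ "$MAJOR" -eq 1 ] && [ "$MINOR" -eq 11 ]; then
    if [ "$PATCH" -ge 5 ]; then echo ok; else echo too-old; fi
  elif [ "$MAJOR" -eq 1 ] && [ "$MINOR" -eq 12 ] && [ "$PATCH" -eq 0 ]; then
    echo too-old   # 1.12.0 sorts above 1.11.5 but is below the 1.12.1 minimum
  else
    echo ok-needs-overrides   # >= 1.12.1: the new security defaults apply
  fi
}

# Prints the page's settings as `helm --set` arguments (passing them via
# --set is an assumption); returns 1 for versions that must not be deployed.
helm_set_args() {
  case "$(classify_ingress_nginx "$1")" in
    ok) overrides= ;;
    ok-needs-overrides) overrides="controller.config.annotations-risk-level=Critical controller.config.strict-validate-path-type=false" ;;
    *) return 1 ;;
  esac
  args=
  for kv in controller.allowSnippetAnnotations=true \
            controller.admissionWebhooks.allowSnippetAnnotations=true $overrides; do
    args="$args --set $kv"
  done
  echo "${args# }"
}

# Constructed sample versions, not taken from a real cluster.
for ver in 1.11.4 v1.11.5 1.12.0 1.12.1; do
  printf '%s: %s\n' "$ver" "$(classify_ingress_nginx "$ver")"
done
```

A plain "newer than 1.11.5" comparison would accept 1.12.0, which is why the 1.12 line is checked against its own minimum.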
Volume provisioner
Initial evaluation deployments require a ReadWriteOnce volume provisioner.
Some components require a ReadWriteMany volume provisioner for distributed mode or horizontal scaling.
Due to restrictions on Kubernetes emptyDir you need a volume provisioner that has sticky bit support, otherwise the OpenProject seeder job will fail. The local-path-provisioner does not have sticky bit support.
Certificate management
This deployment leverages cert-manager to generate valid certificates. This is optional, but a secret containing a valid TLS certificate is required.
Only Certificate resources will be deployed; cert-manager, including its CRD, must be installed beforehand, or openDesk certificate management must be switched off.
External services
For the development and evaluation of openDesk, we bundle some services. Be aware that for production deployments, you need to make use of your own production-grade services; see the external-services.md for configuration details.
| Group | Type | Version | Tested against |
|---|---|---|---|
| Cache | Memcached | 1.6.x | Memcached |
| | Redis | 7.x.x | Redis |
| Database | Cassandra | 5.0.x | Cassandra |
| | MariaDB | 10.x | MariaDB |
| | PostgreSQL | 15.x | PostgreSQL |
| | Mail Transfer Agent | | Postfix |
| | PKI/CI (S/MIME) | | |
| Security | AntiVirus/ICAP | | ClamAV |
| Storage | K8s ReadWriteOnce | | Ceph / Cloud specific |
| | K8s ReadWriteMany | | Ceph / NFS |
| | Object Storage | | MinIO |
| Voice | TURN | | Coturn |
Deployment
The deployment of each component is Helm based. The 35+ Helm charts are configured and templated via Helmfile to provide a streamlined deployment experience.
Helmfile requires HelmDiff to compare the desired state against the deployed state.