Cleaning base and improving overlay dev

This commit is contained in:
Philippe Caseiro 2023-09-13 17:01:06 +02:00
parent 0d3f60db94
commit 240029f2dc
36 changed files with 255 additions and 880 deletions

View File

@ -1,6 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
namespace: nextcloud
configurations:
- ./configurations/cnpg-config.yaml

View File

@ -2,7 +2,6 @@ apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: nextcloud-postgres
namespace: nextcloud
spec:
instances: 1
primaryUpdateStrategy: unsupervised

View File

@ -1,6 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
namespace: nextcloud
resources:
- deployment.yaml

View File

@ -1,16 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: nextcloud
generatorOptions:
disableNameSuffixHash: true
# référence à l'exemple cadoles.
# cela force la mise à jours des secret en questions liés aux ressources ayant le labels "tenant" lorsque modifié
configurations:
#- https://forge.cadoles.com/CadolesKube/c-kustom/raw/branch/develop/base/minio/configurations/tenants.minio.min.io.yaml
# => importé en locale pour pouvoir faire un kustomize build
- ./resources/nextcloud/resources/files/minio/configurations/tenants.minio.min.io.yaml
resources:
- ./resources/nextcloud

View File

@ -1,65 +1,43 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# namespace: nextcloud
generatorOptions:
disableNameSuffixHash: true # suppression des suffixe en hash en bout de nom
resources:
- ./resources/deployment.yaml
# - ./resources/namespace.yaml
- ./resources/nextcloud-tenant.yaml
- ./resources/nextcloud-service.yaml
- ./resources/pvc.yaml
- ./resources/job.yaml
- ./resources/ConfigMap.yaml
- ./resources/nextcloud-rolebinding.yaml
- ./resources/nextcloud-role.yaml
- ./resources/nextcloud-serviceaccount.yaml
- ./resources/ingress.yaml
- ./resources/ConfigMap-ldap-script.yaml
- ./resources/ConfigMap-plugins.yaml
#- ./resources/secret.yaml
- ./resources/pvc/00-main.yaml
- ./resources/pvc/01-html.yaml
- ./resources/pvc/02-data.yaml
- ./resources/pvc/03-config.yaml
- ./resources/pvc/04-custom.yaml
- ./resources/pvc/06-tmp.yaml
- ./resources/pvc/07-themes.yaml
configMapGenerator:
- name: nextcloud-parameters
files:
- ./resources/files/parameters.yaml
- name: nextcloud-env
literals:
- MINIO_SERVICE_NAME=$(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT) # pas nécessaire je pense
- MINIO_SERVICE_HOST=minio
- MINIO_SERVICE_PORT=443
- NEXTCLOUD_ADMIN_USER="admin"
- NEXTCLOUD_ADMIN_PASSWORD="cadoles" # 5
- NEXTCLOUD_TRUSTED_DOMAINS="*.cadoles.fr"
- PHP_MEMORY_LIMIT="512M"
- PHP_UPLOAD_LIMIT="4G"
- MAIL_FROM_ADDRESS="user"
- MAIL_DOMAIN="cadoles.fr"
- SMTP_HOST="smtp.cadoles.com"
- SMTP_SECURE="ssl"
- SMTP_PORT="465"
- SMTP_AUTHTYPE="LOGIN"
secretGenerator:
# Voir https://github.com/minio/operator/issues/856
- name: nextcloud-minio-user
literals:
- CONSOLE_ACCESS_KEY=minio_root
- CONSOLE_SECRET_KEY=MinioRootNotSoSecret
options:
disableNameSuffixHash: true
# Voir https://github.com/minio/operator/issues/856
- name: nextcloud-minio-configuration
files:
- ./resources/files/minio/config.env # A modifier si modification mot de passe et user CONSOLE [ACCESS-SECRET]
options:
disableNameSuffixHash: true
- name: nextcloud-smtp
literals:
- smtp-username=ouchemail
- smtp-password=HjkEHJ2676yiu2
- smtp-username=secretuser
- smtp-password=secretpassword
options:
disableNameSuffixHash: true
vars: # génération d'information pour wait-for-bootstrap du pod nextcloud
- name: MINIO_BOOTSTRAP_JOB_NAME
objref:
name: create-minio-bucket
kind: Job
apiVersion: batch/v1
fieldref:
fieldpath: metadata.name

View File

@ -1,46 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: script-config-ldap
data:
poststart-ldap.sh: |
#!/bin/sh
NEXTCLOUD_READY=0
MAX_RETRIES=30
RETRY_INTERVAL=10
touch /etc/script/validator.txt
# Vérifiez si LDAP est déjà activé
# if ! su -s /bin/sh -c "/var/www/html/occ app:list --output=json" www-data | jq -e '.enabled | has("user_ldap")'; then
# Activez le module LDAP si ce n'est pas déjà fait
# su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
#fi
for i in $(seq 1 $MAX_RETRIES); do
if curl -fsS "http://localhost/status.php" > /dev/null; then
NEXTCLOUD_READY=1
break
else
echo "En attente de Nextcloud (tentative $i/$MAX_RETRIES)..." >> /etc/script/validator.txt
sleep $RETRY_INTERVAL
fi
done
if [ $NEXTCLOUD_READY -eq 0 ]; then
echo "Nextcloud n'est pas prêt après $MAX_RETRIES tentatives. Abandon de l'initialisation LDAP." >> /etc/script/validator.txt
exit 1
fi
su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
# Configurez LDAP (configuration minimale)
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapHost --value='ldap.example.com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapBase --value='dc=example,dc=com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentName --value='cn=admin,dc=example,dc=com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentPassword --value='your_password'" www-data
# Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart.
#exec /entrypoint.sh "$@"
# su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
# est fonctionnel dans le pods nextcloud !

View File

@ -1,30 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: script-config-plugins
data:
poststart-plugins.sh: |
#!/bin/sh
NEXTCLOUD_READY=0
MAX_RETRIES=30
RETRY_INTERVAL=10
touch /etc/script/plugins.txt
for i in $(seq 1 $MAX_RETRIES); do
if curl -fsS "http://localhost/status.php" > /dev/null; then
NEXTCLOUD_READY=1
break
else
echo "En attente de Nextcloud (tentative $i/$MAX_RETRIES)..." >> /etc/script/plugins.txt
sleep $RETRY_INTERVAL
fi
done
if [ $NEXTCLOUD_READY -eq 0 ]; then
echo "Nextcloud n'est pas prêt après $MAX_RETRIES tentatives. Abandon de l'initialisation des plugins." >> /etc/script/plugins.txt
exit 1
fi
su -s /bin/sh -c "/var/www/html/occ app:install calendar" www-data

View File

@ -1,14 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: update-config
data:
custom-script.sh: |
#!/bin/sh
HOSTS_FILE="/etc/hosts"
# Ajoutez l'entrée au fichier hosts
MINIO_SERVICE_IP="${MINIO_SERVICE_HOST}"
MINIO_NAME="${MINIO_SERVICE_NAME}"
echo "$MINIO_SERVICE_IP" minio >> $HOSTS_FILE

View File

@ -4,9 +4,9 @@ metadata:
labels:
app: nextcloud
component: app
name: app
name: nextcloud-app
spec:
# serviceName: nextcloud
# serviceName: nextcloud
replicas: 1
selector:
matchLabels:
@ -21,16 +21,16 @@ spec:
containers:
- image: reg.cadoles.com/proxy_cache/library/nextcloud:27.0.2-apache
imagePullPolicy: Always
name: app
name: nextcloud
ports:
- containerPort: 80
lifecycle:
postStart:
exec:
command: ["/bin/sh", "-c", "cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates && /etc/script/poststart-ldap.sh && /etc/script/poststart-plugins.sh && touch /etc/script/try01.txt"]
# envFrom:
# - configMapRef:
# name: nextcloud-env
command: ["/bin/sh", "-c", "cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates"]
envFrom:
- configMapRef:
name: nextcloud-env
env:
- name: POSTGRES_DB
value: nextcloud
@ -46,56 +46,16 @@ spec:
key: password
- name: POSTGRES_HOST
value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST) #value: nextcloud-postgres-rw.nextcloud.svc.cluster.local
- name: NEXTCLOUD_ADMIN_USER
value: admin
- name: NEXTCLOUD_ADMIN_PASSWORD # 5
value: cadoles
- name: NEXTCLOUD_TRUSTED_DOMAINS
value: "*.cadoles.fr"
- name: NEXTCLOUD_INIT_LOCK
value: "true"
- name: PHP_MEMORY_LIMIT
value: 512M
- name: PHP_UPLOAD_LIMIT
value: 4G
- name: POD_INDEX
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: REDIS_HOST
value: redis # équivaut à redis.nextcloud.svc.cluster.local
# value: $(RFS_NEXTCLOUD_REDIS_SERVICE_HOST) => For redis-operator
value: redis
- name: REDIS_HOST_PORT
value: "6379"
######################
# Partie minio S3
- name: OBJECTSTORE_S3_HOST
value: minio:$(MINIO_SERVICE_PORT)
# value: $(MINIO_SERVICE_NAME):$(MINIO_SERVICE_PORT)
- name: OBJECTSTORE_S3_BUCKET
value: nextcloud-minio
- name: OBJECTSTORE_S3_KEY # 15
value: minio_root
- name: OBJECTSTORE_S3_SECRET
value: MinioRootNotSoSecret
- name: OBJECTSTORE_S3_USEPATH_STYLE
value: "true"
- name: OBJECTSTORE_S3_SSL # 18
value: "true"
##################################
# Mise en place SMTP
- name: MAIL_FROM_ADDRESS
value: "user"
- name: MAIL_DOMAIN
value: "domain.com"
- name: SMTP_HOST
value: "domain.com"
- name: SMTP_SECURE
value: "ssl"
- name: SMTP_PORT
value: "465"
- name: SMTP_AUTHTYPE
value: "LOGIN"
- name: SMTP_NAME
valueFrom:
secretKeyRef:
@ -106,34 +66,8 @@ spec:
secretKeyRef:
name: nextcloud-smtp
key: smtp-password
- name: NEXTCLOUD_DATA_DIR
value: "/var/www/html/data"
livenessProbe: # vérifie si c'est planté ou non
httpGet:
path: /status.php
port: 80 # en reférence à ingress.yaml ?
httpHeaders:
- name: Host
value: nxt.cadoles.fr # valeurs égale à celle dans ingress.yaml
initialDelaySeconds: 50
periodSeconds: 15
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
readinessProbe: # vérifie si c'est ok pour envoyer des requête ou non
httpGet:
path: /status.php
port: 80 # en référence à ingress.yaml ?
httpHeaders:
- name: Host
value: nxt.cadoles.fr # valeurs égale à celle dans ingress.yaml
initialDelaySeconds: 50
periodSeconds: 15
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
volumeMounts:
- mountPath: /var/www/
name: nextcloud-main-volume
@ -149,52 +83,7 @@ spec:
name: nextcloud-tmp-volume
- mountPath: /var/www/html/themes
name: nextcloud-themes-volume
# ICI montage pour les script !
- mountPath: /etc/script/poststart-ldap.sh
name: script-config-ldap
subPath: poststart-ldap.sh
- mountPath: /etc/script/poststart-plugins.sh
name: script-config-plugins
subPath: poststart-plugins.sh
- mountPath: /etc/script/custom-script.sh
name: update-config-script
subPath: custom-script.sh
- mountPath: /etc/minio-ccerts
name: minio-certs
readOnly: true
# MOUNT-TRY-multi-instance
# - name: nextcloud-config-volume # monte le fichier de configuration dans
# mountPath: /var/www/html/config # les instances supplémentaire
# readOnly: false # via le configmap ConfigMaps-php.yaml
restartPolicy: Always
serviceAccountName: nextcloud-sa # declare user for initcontainer
# trois volumes pour les script
volumes:
- name: minio-certs
secret:
secretName: nextcloud-minio-tls # montage des certificat de minio
- name: update-config-script
configMap:
name: update-config
defaultMode: 0744
- name: script-config-ldap
configMap:
name: script-config-ldap
defaultMode: 0744
- name: script-config-plugins
configMap:
name: script-config-plugins
defaultMode: 0744
# MOUNT-TRY-multi-instance
# - name: nextcloud-config-volume # permet de monter le fichier de configuration dans
# configMap: # les instances supplémentaires
# name: nextcloud-config # via le configmap ConfigMaps-php.yaml
- name: nextcloud-main-volume
persistentVolumeClaim:
claimName: nextcloud-main-pvc
@ -216,23 +105,5 @@ spec:
- name: nextcloud-themes-volume
persistentVolumeClaim:
claimName: nextcloud-themes-pvc
initContainers: # cf README.md part ##YAML explain / ### PODS WAIT
- name: wait-for-bootstrap
image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
args:
- job
- $(MINIO_BOOTSTRAP_JOB_NAME)
#####################################################
# For REDIS-OPERATOR USE THIS TO SET PORT
#####################################################
# - name: REDIS_HOST_PORT
# value: $(RFS_NEXTCLOUD_REDIS_SERVICE_PORT)
# - name: REDIS_HOST_PASSWORD
# valueFrom:
# secretKeyRef:
# name: redis-secret
# key: password
#####################################################
restartPolicy: Always
serviceAccountName: nextcloud-sa # declare user for initcontainer

View File

@ -1,4 +0,0 @@
export MINIO_ROOT_USER="minio_root"
export MINIO_ROOT_PASSWORD="MinioRootNotSoSecret"
export MINIO_STORAGE_CLASS_STANDARD="EC:2"
export MINIO_BROWSER="on"

View File

@ -1,8 +0,0 @@
#API minio
minio_url: 'http://%env(string:MINIO_SERVICE_NAME)%:9000'
minio_key: '%env(string:MINIO_KEY)%'
minio_secret: '%env(string:MINIO_SECRET)%'
minio_bucket: 'nextcloud'
minio_root: ''
minio_path_style: true
minio_secure: false

View File

@ -4,7 +4,7 @@ metadata:
name: nextcloud
annotations:
# kustomize.config.k8s.io/needs: configmap/nextcloud-envi
# kustomize.config.k8s.io/needs: configmap/nextcloud-envi
nginx.ingress.kubernetes.io/proxy-body-size: "138m"
nginx.ingress.kubernetes.io/enable-cors: "true" #cf 01
nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" #cf 01
@ -13,7 +13,7 @@ metadata:
spec:
ingressClassName: nginx
rules:
- host: nxt.cadoles.fr
- host: nxt.base.fr
http:
paths:
- path: /

View File

@ -1,63 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: create-minio-bucket
spec:
template:
spec:
initContainers:
- name: wait-for-minio
image: busybox
envFrom:
- configMapRef:
name: nextcloud-env
command: ["sh", "-c"]
args:
- |
echo "attente du service minio..."
cnt=0
tout=300
while [ 1 ]
do
http_code=$(wget --server-response https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}/minio/health/live 2>&1 | awk '/^ HTTP/{print $2}')
if [ "${http_code}" != "200" ]; then
echo "waiting for https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}"
sleep 1
else
exit 0
fi
cnt=$((cnt+1))
if [ "${cnt}" -ge "${tout}" ]; then
exit 3
fi
done
# Encore nécessaire ?
containers:
- name: create-bucket
image: minio/mc
envFrom:
- configMapRef:
name: nextcloud-env
env:
- name: CONSOLE_ACCESS_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_ACCESS_KEY
- name: CONSOLE_SECRET_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_SECRET_KEY
command: ["sh", "-c"]
args:
- |
echo "création de l'alias my-minio"
mc alias set --insecure my-minio http://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY}
echo "création du bucket..."
mc mb --insecure my-minio/nextcloud-minio
echo "Bucket créé. normalement"
restartPolicy: OnFailure
# Est-ce que je mettrais pas mon ldap ici ? => ConfigMap-ldap-script.yaml ?

View File

@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: nextcloud

View File

@ -1,4 +1,3 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@ -17,10 +16,12 @@ rules:
- v1
resources:
- secrets
- services
- pods
verbs:
- get
- list
- patch
#- patch
# Declaration d'un role nommé status-reader et attribution de droit

View File

@ -1,33 +0,0 @@
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
name: nextcloud-minio
spec:
certConfig:
dnsNames:
- "minio"
pools:
- servers: 2
name: pool-0
volumesPerServer: 2
volumeClaimTemplate:
metadata:
name: nextcloud-minio-data # juste son nom dans le cluster
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
# env:
# - name: MINIO_CONSOLE_TLS_ENABLE
# value: "off"
containerSecurityContext:
runAsUser: 1000 # droit d'accès user
runAsGroup: 1000 # droit d'accès group
runAsNonRoot: true # accès sans être root
configuration:
name: nextcloud-minio-configuration # cf resources/nextcloud/resources/kustomization.yaml
users:
- name: nextcloud-minio-user # cf resources/nextcloud/resources/kustomization.yaml

View File

@ -1,83 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-main-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-html-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-data-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 20Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-config-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-custom-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 2Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-tmp-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-themes-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 2Gi

View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-main-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi

View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-html-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi

View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-data-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi

View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-config-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi

View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-custom-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 2Gi

View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-tmp-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi

View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-themes-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 2Gi

View File

@ -1,76 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: script-config-ldap
data:
poststart-ldap.sh: |
#!/bin/sh
NEXTCLOUD_READY=0
MAX_RETRIES=30
RETRY_INTERVAL=10
touch /etc/script/validator.txt
# Vérifiez si LDAP est déjà activé
# if ! su -s /bin/sh -c "/var/www/html/occ app:list --output=json" www-data | jq -e '.enabled | has("user_ldap")'; then
# Activez le module LDAP si ce n'est pas déjà fait
# su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
#fi
for i in $(seq 1 $MAX_RETRIES); do
if curl -fsS "http://localhost/status.php" > /dev/null; then
NEXTCLOUD_READY=1
break
else
echo "En attente de Nextcloud (tentative $i/$MAX_RETRIES)..." >> /etc/script/validator.txt
sleep $RETRY_INTERVAL
fi
done
if [ $NEXTCLOUD_READY -eq 0 ]; then
echo "Nextcloud n'est pas prêt après $MAX_RETRIES tentatives. Abandon de l'initialisation LDAP." >> /etc/script/validator.txt
exit 1
fi
su -s /bin/sh -c "/var/www/html/occ app:install user_ldap" www-data
su -s /bin/sh -c "/var/www/html/occ app:update user_ldap" www-data
su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
#su -s /bin/sh -c "/var/www/html/occ ldap:create-empty-config" www-data
## test if backend ldap is activated and create empty config if not
#
touch /tmp/nxt-ldap.txt
chown www-data: /tmp/nxt-ldap.txt
su -s /bin/sh -c "/var/www/html/occ ldap:show-config s01 > /tmp/nxt-ldap.txt" www-data
if grep -q "Invalid configID" /tmp/nxt-ldap.txt; then
su -s /bin/sh -c "/var/www/html/occ ldap:create-empty-config" www-data
fi
# Configurez LDAP (configuration minimale)
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_host '${NEXTCLOUD_LDAP_HOST}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_base '${NEXTCLOUD_LDAP_BASE}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_dn '${NEXTCLOUD_LDAP_DN}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_agent_password '${NEXTCLOUD_LDAP_PASSWD}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseGroups '${NEXTCLOUD_LDAP_BASE_GROUPS}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseUsers '${NEXTCLOUD_LDAP_BASE_USERS}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapConfigurationActive '${NEXTCLOUD_LDAP_ACTIVE_CONF}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExperiencedAdmin '${NEXTCLOUD_LDAP_ADMIN_EXP}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExpertUUIDUserAttr '${NEXTCLOUD_LDAP_EXP_UUID}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapLoginFilter '${NEXTCLOUD_LDAP_LOGIN_FILTER}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapLoginFilterAttributes '${NEXTCLOUD_LDAP_LOGIN_FILTER_ATTR}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapPort '${NEXTCLOUD_LDAP_PORT}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilter '${NEXTCLOUD_LDAP_USR_FILTR}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilterObjectclass '${NEXTCLOUD_LDAP_OBJ_FILTR}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapEmailAttribute '${NEXTCLOUD_LDAP_MAIL_ATTR}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserDisplayName '${NEXTCLOUD_LDAP_USER_DISP}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupFilter '${NEXTCLOUD_LDAP_GROUP_FILTR}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupFilterObjectclass '${NEXTCLOUD_LDAP_GROUP_FILTR_OBJCLASS}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupMemberAssocAttr '${NEXTCLOUD_LDAP_GROUP_MEMBR_ASSO}'" www-data
# Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart.
#exec /entrypoint.sh "$@"
# su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
# est fonctionnel dans le pods nextcloud !
#liste config : su -s /bin/sh -c "/var/www/html/occ config:list" www-data

View File

@ -1,39 +1,20 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nextcloud
component: app
name: app
name: nextcloud-app
spec:
# serviceName: nextcloud
replicas: 1
selector:
matchLabels:
app: nextcloud
component: app
replicas: 3
template:
metadata:
labels:
app: nextcloud
component: app
spec:
initContainers:
- name: wait-for-bootstrap
image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
args:
- job
- $(MINIO_BOOTSTRAP_JOB_NAME)
containers:
- image: reg.cadoles.com/proxy_cache/library/nextcloud:27.0.2-apache
imagePullPolicy: Always
name: app
ports:
- containerPort: 80
lifecycle:
postStart:
exec:
command: ["/bin/sh", "-c", "cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates && /etc/script/poststart-ldap.sh && /etc/script/poststart-plugins.sh && touch /etc/script/try01.txt"]
# envFrom:
# - configMapRef:
# name: nextcloud-env
- name: nextcloud
env:
- name: POSTGRES_DB
value: nextcloud
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
@ -44,132 +25,28 @@ spec:
secretKeyRef:
name: nextcloud-postgres-app
key: password
- name: POSTGRES_HOST
value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST) #value: nextcloud-postgres-rw.nextcloud.svc.cluster.local
- name: NEXTCLOUD_ADMIN_USER
value: admincadoles
- name: NEXTCLOUD_ADMIN_PASSWORD # 5
value: CadolesNotSecret
- name: NEXTCLOUD_TRUSTED_DOMAINS
value: "*.cadoles.fr"
- name: NEXTCLOUD_INIT_LOCK
- name: OBJECTSTORE_S3_BUCKET
value: nxt-minio
- name: OBJECTSTORE_S3_AUTOCREATE
value: "true"
- name: PHP_MEMORY_LIMIT
value: 512M
- name: PHP_UPLOAD_LIMIT
value: 4G
- name: POD_INDEX
- name: OBJECTSTORE_S3_KEY
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: REDIS_HOST
value: redis # équivaut à redis.nextcloud.svc.cluster.local
# value: $(RFS_NEXTCLOUD_REDIS_SERVICE_HOST) => For redis-operator
- name: REDIS_HOST_PORT
value: "6379"
######################
# Partie minio S3
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_ACCESS_KEY
- name: OBJECTSTORE_S3_SECRET
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_SECRET_KEY
- name: OBJECTSTORE_S3_HOST
value: minio:$(MINIO_SERVICE_PORT)
- name: OBJECTSTORE_S3_BUCKET
value: nextcloud-minio
- name: OBJECTSTORE_S3_KEY # 15
value: minio_root
- name: OBJECTSTORE_S3_SECRET
value: MinioRootNotSoSecret
- name: OBJECTSTORE_S3_PORT
value: "443"
- name: OBJECTSTORE_S3_SSL
value: "true"
- name: OBJECTSTORE_S3_USEPATH_STYLE
value: "true"
- name: OBJECTSTORE_S3_SSL # 18
value: "true"
# # Partie AWS S3 => fonctionnelle sur scaleway
# - name: OBJECTSTORE_S3_BUCKET
# value: nextcloud-cadoles
# - name: OBJECTSTORE_S3_HOST
# value: s3.fr-par.scw.cloud
# - name: OBJECTSTORE_S3_PORT
# value: "443"
# - name: OBJECTSTORE_S3_REGION
# value: fr-par
# - name: OBJECTSTORE_S3_KEY
# value: MyAPIKey
# - name: OBJECTSTORE_S3_SECRET
# value: MyAPISecret
# - name: OBJECTSTORE_S3_USEPATH_STYLE
# value: "false"
# - name: OBJECTSTORE_S3_SSL
# value: "true"
# - name: OBJECTSTORE_S3_AUTOCREATE
# value: "true"
# - name: OBJECTSTORE_S3_OBJECT_PREFIX
# value: nxt_
# Mise en place SMTP
- name: MAIL_FROM_ADDRESS
value: "nextcloud"
- name: MAIL_DOMAIN
value: "cadoles.com"
- name: SMTP_HOST
value: "groupware.cadoles.com"
- name: SMTP_SECURE
value: "STARTTLS"
- name: SMTP_PORT
value: "587"
- name: SMTP_AUTHTYPE
value: "LOGIN"
- name: SMTP_NAME
valueFrom:
secretKeyRef:
name: nextcloud-smtp
key: smtp-username
- name: SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: nextcloud-smtp
key: smtp-password
- name: NEXTCLOUD_DATA_DIR
value: "/var/www/html/data"
# ADD LDAP CONF
- name: NEXTCLOUD_LDAP_HOST
value: ldaps://ldap.cadoles.com
- name: NEXTCLOUD_LDAP_BASE
value: ou=cadoles,o=gouv,c=fr
- name: NEXTCLOUD_LDAP_DN
value: cn=reader,o=gouv,c=fr
- name: NEXTCLOUD_LDAP_PASSWD
value: phooge2jaidae4ohguChi6quoo8okahn2ru6aixutahmiuFoh6ooshae
- name: NEXTCLOUD_LDAP_BASE_GROUPS
value: ou=groups,ou=cadoles,o=gouv,c=fr
- name: NEXTCLOUD_LDAP_BASE_USERS
value: ou=users,ou=cadoles,o=gouv,c=fr
- name: NEXTCLOUD_LDAP_ACTIVE_CONF
value: '1'
- name: NEXTCLOUD_LDAP_ADMIN_EXP
value: '0'
- name: NEXTCLOUD_LDAP_EXP_UUID
value: cn
- name: NEXTCLOUD_LDAP_LOGIN_FILTER
value: (&(objectClass=person)(uid=%uid))
- name: NEXTCLOUD_LDAP_LOGIN_FILTER_ATTR
value: uid
- name: NEXTCLOUD_LDAP_PORT
value: '636'
- name: NEXTCLOUD_LDAP_USR_FILTR
value: (|(objectclass=person))
- name: NEXTCLOUD_LDAP_OBJ_FILTR
value: person
- name: NEXTCLOUD_LDAP_MAIL_ATTR
value: mail
- name: NEXTCLOUD_LDAP_USER_DISP
value: cn
- name: NEXTCLOUD_LDAP_GROUP_FILTR
value: (&(|(objectclass=cadolesGroup)))
- name: NEXTCLOUD_LDAP_GROUP_FILTR_OBJCLASS
value: cadolesGroup
- name: NEXTCLOUD_LDAP_GROUP_MEMBR_ASSO
value: gidNumber
livenessProbe:
httpGet:
@ -177,7 +54,7 @@ spec:
port: 80
httpHeaders:
- name: Host
value: nxt.cadoles.fr
value: nxt.cadoles.lan
initialDelaySeconds: 50
periodSeconds: 10
timeoutSeconds: 5
@ -189,105 +66,26 @@ spec:
port: 80
httpHeaders:
- name: Host
value: nxt.cadoles.fr
value: nxt.cadoles.lan
initialDelaySeconds: 50
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
volumeMounts:
- mountPath: /var/www/
name: nextcloud-main-volume
- mountPath: /var/www/html
name: nextcloud-html-volume
- mountPath: /var/www/html/data
name: nextcloud-data-volume
- mountPath: /var/www/html/config
name: nextcloud-config-volume
- mountPath: /var/www/html/custom_apps
name: nextcloud-custom-volume
- mountPath: /var/www/tmp
name: nextcloud-tmp-volume
- mountPath: /var/www/html/themes
name: nextcloud-themes-volume
# ICI montage pour les script !
- mountPath: /etc/script/poststart-ldap.sh
- mountPath: /docker-entrypoint-hooks.d/post-installation/ldap.sh
name: script-config-ldap
subPath: poststart-ldap.sh
- mountPath: /etc/script/custom-script.sh
name: update-config-script
subPath: custom-script.sh
- mountPath: /etc/minio-ccerts
name: minio-certs
readOnly: true
# MOUNT-TRY-multi-instance
# - name: nextcloud-config-volume # monte le fichier de configuration dans
# mountPath: /var/www/html/config # les instances supplémentaire
# readOnly: false # via le configmap ConfigMaps-php.yaml
restartPolicy: Always
serviceAccountName: nextcloud-sa # declare user for initcontainer
# trois volumes pour les script
volumes:
- name: minio-certs
secret:
secretName: nextcloud-minio-tls # montage des certificat de minio
- name: update-config-script
configMap:
name: update-config
defaultMode: 0744
secretName: nextcloud-minio-tls
- name: script-config-ldap
configMap:
name: script-config-ldap
defaultMode: 0744
# MOUNT-TRY-multi-instance
# - name: nextcloud-config-volume # permet de monter le fichier de configuration dans
# configMap: # les instances supplémentaires
# name: nextcloud-config # via le configmap ConfigMaps-php.yaml
- name: nextcloud-main-volume
persistentVolumeClaim:
claimName: nextcloud-main-pvc
- name: nextcloud-html-volume
persistentVolumeClaim:
claimName: nextcloud-html-pvc
- name: nextcloud-data-volume
persistentVolumeClaim:
claimName: nextcloud-data-pvc
- name: nextcloud-config-volume
persistentVolumeClaim:
claimName: nextcloud-config-pvc
- name: nextcloud-custom-volume
persistentVolumeClaim:
claimName: nextcloud-custom-pvc
- name: nextcloud-tmp-volume
persistentVolumeClaim:
claimName: nextcloud-tmp-pvc
- name: nextcloud-themes-volume
persistentVolumeClaim:
claimName: nextcloud-themes-pvc
initContainers: # cf README.md part ##YAML explain / ### PODS WAIT
- name: wait-for-bootstrap
image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
args:
- job
- $(MINIO_BOOTSTRAP_JOB_NAME)
#####################################################
# For REDIS-OPERATOR USE THIS TO SET PORT
#####################################################
# - name: REDIS_HOST_PORT
# value: $(RFS_NEXTCLOUD_REDIS_SERVICE_PORT)
# - name: REDIS_HOST_PASSWORD
# valueFrom:
# secretKeyRef:
# name: redis-secret
# key: password
#####################################################
defaultMode: 0755
restartPolicy: Always
serviceAccountName: nextcloud-sa

View File

@ -1,65 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: create-minio-bucket
spec:
template:
spec:
initContainers:
- name: wait-for-minio
image: reg.cadoles.com/proxy_cache/library/debian:bookworm
envFrom:
- configMapRef:
name: nextcloud-env
command: ["sh", "-c"]
args:
- |
echo "attente du service minio..."
cnt=0
tout=300
apt update && apt install --yes --force-yes wget openssl
cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates
while [ 1 ]
do
http_code=$(wget --server-response https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}/minio/health/live 2>&1 | awk '/^ HTTP/{print $2}')
if [ "${http_code}" != "200" ]; then
echo "waiting for https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}"
sleep 1
else
exit 0
fi
cnt=$((cnt+1))
if [ "${cnt}" -ge "${tout}" ]; then
exit 3
fi
done
# Encore nécessaire ?
containers:
- name: create-bucket
image: minio/mc
envFrom:
- configMapRef:
name: nextcloud-env
env:
- name: CONSOLE_ACCESS_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_ACCESS_KEY
- name: CONSOLE_SECRET_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_SECRET_KEY
command: ["sh", "-c"]
args:
- |
echo "création de l'alias my-minio"
mc alias set --insecure my-minio http://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY}
echo "création du bucket..."
mc mb --insecure my-minio/nextcloud-minio
echo "Bucket créé. normalement"
restartPolicy: OnFailure

View File

@ -13,10 +13,10 @@ spec:
ingressClassName: nginx
tls:
- hosts:
- nxt.cadoles.fr
- nxt.cadoles.lan
secretName: cadoles-selfsigned-ca
rules:
- host: nxt.cadoles.fr
- host: nxt.cadoles.lan
http:
paths:
- path: /

View File

@ -1,4 +1,4 @@
export MINIO_ROOT_USER="cadoles"
export MINIO_ROOT_PASSWORD="cadoles;21"
export MINIO_ROOT_USER="minio_root"
export MINIO_ROOT_PASSWORD="MinioRootNotSoSecret"
export MINIO_STORAGE_CLASS_STANDARD="EC:2"
export MINIO_BROWSER="on"

View File

@ -0,0 +1,46 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: script-config-ldap
data:
poststart-ldap.sh: |
#!/bin/sh
/bin/sh -c "/var/www/html/occ app:install user_ldap"
/bin/sh -c "/var/www/html/occ app:update user_ldap"
/bin/sh -c "/var/www/html/occ app:enable user_ldap"
/bin/sh -c "/var/www/html/occ ldap:show-config s01 > /tmp/nxt-ldap.txt"
if grep -q "Invalid configID" /tmp/nxt-ldap.txt; then
/bin/sh -c "/var/www/html/occ ldap:create-empty-config"
fi
# Configurez LDAP (configuration minimale)
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_host '${NEXTCLOUD_LDAP_HOST}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_base '${NEXTCLOUD_LDAP_BASE}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_dn '${NEXTCLOUD_LDAP_DN}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_agent_password '${NEXTCLOUD_LDAP_PASSWD}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseGroups '${NEXTCLOUD_LDAP_BASE_GROUPS}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseUsers '${NEXTCLOUD_LDAP_BASE_USERS}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapConfigurationActive '${NEXTCLOUD_LDAP_ACTIVE_CONF}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExperiencedAdmin '${NEXTCLOUD_LDAP_ADMIN_EXP}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExpertUUIDUserAttr '${NEXTCLOUD_LDAP_EXP_UUID}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapLoginFilter '${NEXTCLOUD_LDAP_LOGIN_FILTER}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapLoginFilterAttributes '${NEXTCLOUD_LDAP_LOGIN_FILTER_ATTR}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapPort '${NEXTCLOUD_LDAP_PORT}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilter '${NEXTCLOUD_LDAP_USR_FILTR}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilterObjectclass '${NEXTCLOUD_LDAP_OBJ_FILTR}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapEmailAttribute '${NEXTCLOUD_LDAP_MAIL_ATTR}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserDisplayName '${NEXTCLOUD_LDAP_USER_DISP}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupFilter '${NEXTCLOUD_LDAP_GROUP_FILTR}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupFilterObjectclass '${NEXTCLOUD_LDAP_GROUP_FILTR_OBJCLASS}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupMemberAssocAttr '${NEXTCLOUD_LDAP_GROUP_MEMBR_ASSO}'"
# Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart.
#exec /entrypoint.sh "$@"
# /bin/sh -c "/var/www/html/occ app:enable user_ldap"
# est fonctionnel dans le pods nextcloud !
#liste config : /bin/sh -c "/var/www/html/occ config:list"

View File

@ -0,0 +1,41 @@
apiVersion: batch/v1
kind: Job
metadata:
name: create-minio-bucket
spec:
template:
spec:
initContainers:
- name: wait-for-minio
image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
args:
- service
- minio
containers:
- name: create-bucket
image: minio/mc
envFrom:
- configMapRef:
name: nextcloud-env
env:
- name: CONSOLE_ACCESS_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_ACCESS_KEY
- name: CONSOLE_SECRET_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_SECRET_KEY
command: ["sh", "-c"]
args:
- |
echo "création de l'alias my-minio"
mc alias set --insecure my-minio https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY}
echo "création du bucket..."
mc mb --insecure my-minio/nextcloud-minio
echo "Bucket créé. normalement"
restartPolicy: OnFailure
serviceAccountName: nextcloud-sa # declare user for initcontainer

View File

@ -12,16 +12,13 @@ spec:
volumesPerServer: 3
volumeClaimTemplate:
metadata:
name: nextcloud-minio-data # juste son nom dans le cluster
name: nextcloud-minio-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 3Gi
# env:
# - name: MINIO_CONSOLE_TLS_ENABLE
# value: "off"
containerSecurityContext:
runAsUser: 1000
runAsGroup: 1000
@ -30,4 +27,3 @@ spec:
name: nextcloud-minio-configuration
users:
- name: nextcloud-minio-user

View File

@ -15,7 +15,7 @@ spec:
- cadoles
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: cadoles.fr
commonName: cadoles.lan
isCA: false
privateKey:
algorithm: RSA
@ -27,8 +27,8 @@ spec:
# At least one of a DNS Name, URI, or IP address is required.
dnsNames:
- nextcloud
- nextcloud.cadoles.fr
- nxt.cadoles.fr
- nextcloud.cadoles.lan
- nxt.cadoles.lan
# Issuer references are always required.
issuerRef:
name: cadoles-ca-issuer