Merge pull request 'feat(all): global cleanning adding dev overlay' (#1) from ldap_ext into develop

Reviewed-on: #1
vfebvre 2023-09-18 09:56:46 +02:00
commit 42f438d5a2
57 changed files with 473 additions and 1740 deletions


@ -1,12 +1,33 @@
# nextcloud-kustom # nextcloud-kustom
**WARNING - test branch, does not respect the target strategy for a production environment** Base include :
- nextcloud app
- postgres
- ...
Default configuration (base directory) :
- use an external S3,
- use local authentication,
- use internal K8s certificate,
- use postgresSQL
If you want change, you must do your configuration in the overlays section
Overlays dev sections install :
- base
- rename namespace to nextcloud-dev
- use cert-manager (to install CRDs requirement, check requires/)
**To install a test cluster on your machine**
1. Create cluster 1. Create cluster
```kind create cluster --config requires/cluster/cluster.yaml``` ```kind create cluster --config requires/cluster/cluster.yaml```
2. Install operators and openldap(dev) 2. Install operators, cert-manager and openldap(dev)
```kubectl apply -k requires/``` ```kubectl apply -k requires/```
@ -18,9 +39,4 @@
```kubectl apply -k overlays/dev``` ```kubectl apply -k overlays/dev```
## cert-manager
Install crds :
```kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml```


@ -1,6 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1alpha1 apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component kind: Component
namespace: nextcloud
configurations: configurations:
- ./configurations/cnpg-config.yaml - ./configurations/cnpg-config.yaml


@ -2,7 +2,6 @@ apiVersion: postgresql.cnpg.io/v1
kind: Cluster kind: Cluster
metadata: metadata:
name: nextcloud-postgres name: nextcloud-postgres
namespace: nextcloud
spec: spec:
instances: 1 instances: 1
primaryUpdateStrategy: unsupervised primaryUpdateStrategy: unsupervised


@ -1,6 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1alpha1 apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component kind: Component
namespace: nextcloud
resources: resources:
- deployment.yaml - deployment.yaml


@ -1,16 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: nextcloud
generatorOptions: generatorOptions:
disableNameSuffixHash: true disableNameSuffixHash: true
# référence à l'exemple cadoles. # référence à l'exemple cadoles.
# cela force la mise à jours des secret en questions liés aux ressources ayant le labels "tenant" lorsque modifié # cela force la mise à jours des secret en questions liés aux ressources ayant le labels "tenant" lorsque modifié
configurations:
#- https://forge.cadoles.com/CadolesKube/c-kustom/raw/branch/develop/base/minio/configurations/tenants.minio.min.io.yaml
# => importé en locale pour pouvoir faire un kustomize build
- ./resources/nextcloud/resources/files/minio/configurations/tenants.minio.min.io.yaml
resources: resources:
- ./resources/nextcloud - ./resources/nextcloud


@ -1,63 +1,43 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
# namespace: nextcloud
generatorOptions: generatorOptions:
disableNameSuffixHash: true # suppression des suffixe en hash en bout de nom disableNameSuffixHash: true # suppression des suffixe en hash en bout de nom
resources: resources:
- ./resources/deployment.yaml - ./resources/deployment.yaml
# - ./resources/namespace.yaml
- ./resources/nextcloud-tenant.yaml
- ./resources/nextcloud-service.yaml - ./resources/nextcloud-service.yaml
- ./resources/pvc.yaml
- ./resources/job.yaml
- ./resources/ConfigMap.yaml
- ./resources/nextcloud-rolebinding.yaml - ./resources/nextcloud-rolebinding.yaml
- ./resources/nextcloud-role.yaml - ./resources/nextcloud-role.yaml
- ./resources/nextcloud-serviceaccount.yaml - ./resources/nextcloud-serviceaccount.yaml
- ./resources/ingress.yaml - ./resources/ingress.yaml
- ./resources/ConfigMap-ldap-script.yaml - ./resources/pvc/00-main.yaml
- ./resources/pvc/01-html.yaml
#- ./resources/secret.yaml - ./resources/pvc/02-data.yaml
- ./resources/pvc/03-config.yaml
- ./resources/pvc/04-custom.yaml
- ./resources/pvc/06-tmp.yaml
- ./resources/pvc/07-themes.yaml
configMapGenerator: configMapGenerator:
- name: nextcloud-parameters
files:
- ./resources/files/parameters.yaml
- name: nextcloud-env - name: nextcloud-env
literals: literals:
- MINIO_SERVICE_NAME=$(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT) # pas nécessaire je pense - NEXTCLOUD_ADMIN_USER="admin"
- MINIO_SERVICE_HOST=minio - NEXTCLOUD_ADMIN_PASSWORD="cadoles" # 5
- MINIO_SERVICE_PORT=443 - NEXTCLOUD_TRUSTED_DOMAINS="*.cadoles.fr"
- PHP_MEMORY_LIMIT="512M"
- PHP_UPLOAD_LIMIT="4G"
- MAIL_FROM_ADDRESS="user"
- MAIL_DOMAIN="cadoles.fr"
- SMTP_HOST="smtp.cadoles.com"
- SMTP_SECURE="ssl"
- SMTP_PORT="465"
- SMTP_AUTHTYPE="LOGIN"
secretGenerator: secretGenerator:
# Voir https://github.com/minio/operator/issues/856
- name: nextcloud-minio-user
literals:
- CONSOLE_ACCESS_KEY=minio_root
- CONSOLE_SECRET_KEY=MinioRootNotSoSecret
options:
disableNameSuffixHash: true
# Voir https://github.com/minio/operator/issues/856
- name: nextcloud-minio-configuration
files:
- ./resources/files/minio/config.env # A modifier si modification mot de passe et user CONSOLE [ACCESS-SECRET]
options:
disableNameSuffixHash: true
- name: nextcloud-smtp - name: nextcloud-smtp
literals: literals:
- smtp-username=user - smtp-username=secretuser
- smtp-password=password - smtp-password=secretpassword
options: options:
disableNameSuffixHash: true disableNameSuffixHash: true
vars: # génération d'information pour wait-for-bootstrap du pod nextcloud
- name: MINIO_BOOTSTRAP_JOB_NAME
objref:
name: create-minio-bucket
kind: Job
apiVersion: batch/v1
fieldref:
fieldpath: metadata.name
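Review bot: `NEXTCLOUD_ADMIN_PASSWORD="cadoles"` is now generated into the `nextcloud-env` ConfigMap (the new `literals` under `configMapGenerator`), and with `disableNameSuffixHash: true` it lands as plaintext in a non-secret object that anything with `get`/`list` on configmaps in the namespace can read; the admin credential belongs in a `secretGenerator` entry like `nextcloud-smtp` below, consumed through `secretKeyRef`, with the value supplied from an un-versioned `envs:` file or an external secret rather than a committed literal. Kustomize strips matching surrounding quotes from literal values, so `"admin"` and `"4G"` arrive unquoted — harmless, but a reader may expect the quotes to be part of the value; worth confirming with a `kustomize build`. Separately, `PHP_UPLOAD_LIMIT="4G"` is far above the `proxy-body-size: "138m"` annotation in `ingress.yaml`, so uploads are capped at the ingress long before PHP, and one of the two should be aligned.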


@ -1,46 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: script-config-ldap
data:
poststart-ldap.sh: |
#!/bin/sh
NEXTCLOUD_READY=0
MAX_RETRIES=30
RETRY_INTERVAL=10
touch /etc/script/validator.txt
# Vérifiez si LDAP est déjà activé
# if ! su -s /bin/sh -c "/var/www/html/occ app:list --output=json" www-data | jq -e '.enabled | has("user_ldap")'; then
# Activez le module LDAP si ce n'est pas déjà fait
# su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
#fi
for i in $(seq 1 $MAX_RETRIES); do
if curl -fsS "http://localhost/status.php" > /dev/null; then
NEXTCLOUD_READY=1
break
else
echo "En attente de Nextcloud (tentative $i/$MAX_RETRIES)..." >> /etc/script/validator.txt
sleep $RETRY_INTERVAL
fi
done
if [ $NEXTCLOUD_READY -eq 0 ]; then
echo "Nextcloud n'est pas prêt après $MAX_RETRIES tentatives. Abandon de l'initialisation LDAP." >> /etc/script/validator.txt
exit 1
fi
su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
# Configurez LDAP (configuration minimale)
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapHost --value='ldap.example.com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapBase --value='dc=example,dc=com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentName --value='cn=admin,dc=example,dc=com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentPassword --value='your_password'" www-data
# Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart.
#exec /entrypoint.sh "$@"
# su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
# est fonctionnel dans le pods nextcloud !


@ -1,14 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: update-config
data:
custom-script.sh: |
#!/bin/sh
HOSTS_FILE="/etc/hosts"
# Ajoutez l'entrée au fichier hosts
MINIO_SERVICE_IP="${MINIO_SERVICE_HOST}"
MINIO_NAME="${MINIO_SERVICE_NAME}"
echo "$MINIO_SERVICE_IP" minio >> $HOSTS_FILE


@ -4,9 +4,9 @@ metadata:
labels: labels:
app: nextcloud app: nextcloud
component: app component: app
name: app name: nextcloud-app
spec: spec:
# serviceName: nextcloud # serviceName: nextcloud
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
@ -21,16 +21,16 @@ spec:
containers: containers:
- image: reg.cadoles.com/proxy_cache/library/nextcloud:27.0.2-apache - image: reg.cadoles.com/proxy_cache/library/nextcloud:27.0.2-apache
imagePullPolicy: Always imagePullPolicy: Always
name: app name: nextcloud
ports: ports:
- containerPort: 80 - containerPort: 80
lifecycle: lifecycle:
postStart: postStart:
exec: exec:
command: ["/bin/sh", "-c", "cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates && /etc/script/poststart-ldap.sh && touch /etc/script/try01.txt"] command: ["/bin/sh", "-c", "cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates"]
# envFrom: envFrom:
# - configMapRef: - configMapRef:
# name: nextcloud-env name: nextcloud-env
env: env:
- name: POSTGRES_DB - name: POSTGRES_DB
value: nextcloud value: nextcloud
@ -46,56 +46,16 @@ spec:
key: password key: password
- name: POSTGRES_HOST - name: POSTGRES_HOST
value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST) #value: nextcloud-postgres-rw.nextcloud.svc.cluster.local value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST) #value: nextcloud-postgres-rw.nextcloud.svc.cluster.local
- name: NEXTCLOUD_ADMIN_USER
value: admin
- name: NEXTCLOUD_ADMIN_PASSWORD # 5
value: cadoles
- name: NEXTCLOUD_TRUSTED_DOMAINS
value: "*.cadoles.fr"
- name: NEXTCLOUD_INIT_LOCK - name: NEXTCLOUD_INIT_LOCK
value: "true" value: "true"
- name: PHP_MEMORY_LIMIT
value: 512M
- name: PHP_UPLOAD_LIMIT
value: 4G
- name: POD_INDEX - name: POD_INDEX
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.name fieldPath: metadata.name
- name: REDIS_HOST - name: REDIS_HOST
value: redis # équivaut à redis.nextcloud.svc.cluster.local value: redis
# value: $(RFS_NEXTCLOUD_REDIS_SERVICE_HOST) => For redis-operator
- name: REDIS_HOST_PORT - name: REDIS_HOST_PORT
value: "6379" value: "6379"
######################
# Partie minio S3
- name: OBJECTSTORE_S3_HOST
value: minio:$(MINIO_SERVICE_PORT)
# value: $(MINIO_SERVICE_NAME):$(MINIO_SERVICE_PORT)
- name: OBJECTSTORE_S3_BUCKET
value: nextcloud-minio
- name: OBJECTSTORE_S3_KEY # 15
value: minio_root
- name: OBJECTSTORE_S3_SECRET
value: MinioRootNotSoSecret
- name: OBJECTSTORE_S3_USEPATH_STYLE
value: "true"
- name: OBJECTSTORE_S3_SSL # 18
value: "true"
##################################
# Mise en place SMTP
- name: MAIL_FROM_ADDRESS
value: "user"
- name: MAIL_DOMAIN
value: "domain.com"
- name: SMTP_HOST
value: "domain.com"
- name: SMTP_SECURE
value: "ssl"
- name: SMTP_PORT
value: "465"
- name: SMTP_AUTHTYPE
value: "LOGIN"
- name: SMTP_NAME - name: SMTP_NAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
@ -106,34 +66,8 @@ spec:
secretKeyRef: secretKeyRef:
name: nextcloud-smtp name: nextcloud-smtp
key: smtp-password key: smtp-password
- name: NEXTCLOUD_DATA_DIR - name: NEXTCLOUD_DATA_DIR
value: "/var/www/html/data" value: "/var/www/html/data"
livenessProbe: # vérifie si c'est planté ou non
httpGet:
path: /status.php
port: 80 # en reférence à ingress.yaml ?
httpHeaders:
- name: Host
value: nxt.cadoles.fr # valeurs égale à celle dans ingress.yaml
initialDelaySeconds: 50
periodSeconds: 15
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
readinessProbe: # vérifie si c'est ok pour envoyer des requête ou non
httpGet:
path: /status.php
port: 80 # en référence à ingress.yaml ?
httpHeaders:
- name: Host
value: nxt.cadoles.fr # valeurs égale à celle dans ingress.yaml
initialDelaySeconds: 50
periodSeconds: 15
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
volumeMounts: volumeMounts:
- mountPath: /var/www/ - mountPath: /var/www/
name: nextcloud-main-volume name: nextcloud-main-volume
@ -149,45 +83,7 @@ spec:
name: nextcloud-tmp-volume name: nextcloud-tmp-volume
- mountPath: /var/www/html/themes - mountPath: /var/www/html/themes
name: nextcloud-themes-volume name: nextcloud-themes-volume
# ICI montage pour les script !
- mountPath: /etc/script/poststart-ldap.sh
name: script-config-ldap
subPath: poststart-ldap.sh
- mountPath: /etc/script/custom-script.sh
name: update-config-script
subPath: custom-script.sh
- mountPath: /etc/minio-ccerts
name: minio-certs
readOnly: true
# MOUNT-TRY-multi-instance
# - name: nextcloud-config-volume # monte le fichier de configuration dans
# mountPath: /var/www/html/config # les instances supplémentaire
# readOnly: false # via le configmap ConfigMaps-php.yaml
restartPolicy: Always
serviceAccountName: nextcloud-sa # declare user for initcontainer
# trois volumes pour les script
volumes: volumes:
- name: minio-certs
secret:
secretName: nextcloud-minio-tls # montage des certificat de minio
- name: update-config-script
configMap:
name: update-config
defaultMode: 0744
- name: script-config-ldap
configMap:
name: script-config-ldap
defaultMode: 0744
# MOUNT-TRY-multi-instance
# - name: nextcloud-config-volume # permet de monter le fichier de configuration dans
# configMap: # les instances supplémentaires
# name: nextcloud-config # via le configmap ConfigMaps-php.yaml
- name: nextcloud-main-volume - name: nextcloud-main-volume
persistentVolumeClaim: persistentVolumeClaim:
claimName: nextcloud-main-pvc claimName: nextcloud-main-pvc
@ -209,23 +105,5 @@ spec:
- name: nextcloud-themes-volume - name: nextcloud-themes-volume
persistentVolumeClaim: persistentVolumeClaim:
claimName: nextcloud-themes-pvc claimName: nextcloud-themes-pvc
restartPolicy: Always
initContainers: # cf README.md part ##YAML explain / ### PODS WAIT serviceAccountName: nextcloud-sa # declare user for initcontainer
- name: wait-for-bootstrap
image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
args:
- job
- $(MINIO_BOOTSTRAP_JOB_NAME)
#####################################################
# For REDIS-OPERATOR USE THIS TO SET PORT
#####################################################
# - name: REDIS_HOST_PORT
# value: $(RFS_NEXTCLOUD_REDIS_SERVICE_PORT)
# - name: REDIS_HOST_PASSWORD
# valueFrom:
# secretKeyRef:
# name: redis-secret
# key: password
#####################################################
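Review bot: The `livenessProbe` and `readinessProbe` blocks on `/status.php` are removed from the container (fourth hunk) and nothing on the new side replaces them, so the pod is Ready as soon as the container starts and a wedged Apache/PHP is never restarted; unless the dev overlay's `patches/deployment.yaml` re-adds them, keep at least a `readinessProbe` on `/status.php` in base and patch only the `Host` header per overlay, as is done for the ingress host. The retained comment on `serviceAccountName: nextcloud-sa # declare user for initcontainer` is now stale because the `wait-for-bootstrap` initContainer is deleted in the same hunk; suggest `serviceAccountName: nextcloud-sa # SA used by the nextcloud pod (see nextcloud-rolebinding.yaml)`. The uncommented `envFrom: - configMapRef: name: nextcloud-env` now injects `NEXTCLOUD_ADMIN_PASSWORD` from a ConfigMap; once that value is moved to a Secret this should become a `secretRef`. The Deployment spec begins before the first hunk.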


@ -1,4 +0,0 @@
export MINIO_ROOT_USER="minio_root"
export MINIO_ROOT_PASSWORD="MinioRootNotSoSecret"
export MINIO_STORAGE_CLASS_STANDARD="EC:2"
export MINIO_BROWSER="on"


@ -1,8 +0,0 @@
#API minio
minio_url: 'http://%env(string:MINIO_SERVICE_NAME)%:9000'
minio_key: '%env(string:MINIO_KEY)%'
minio_secret: '%env(string:MINIO_SECRET)%'
minio_bucket: 'nextcloud'
minio_root: ''
minio_path_style: true
minio_secure: false


@ -4,7 +4,7 @@ metadata:
name: nextcloud name: nextcloud
annotations: annotations:
# kustomize.config.k8s.io/needs: configmap/nextcloud-envi # kustomize.config.k8s.io/needs: configmap/nextcloud-envi
nginx.ingress.kubernetes.io/proxy-body-size: "138m" nginx.ingress.kubernetes.io/proxy-body-size: "138m"
nginx.ingress.kubernetes.io/enable-cors: "true" #cf 01 nginx.ingress.kubernetes.io/enable-cors: "true" #cf 01
nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" #cf 01 nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" #cf 01
@ -13,7 +13,7 @@ metadata:
spec: spec:
ingressClassName: nginx ingressClassName: nginx
rules: rules:
- host: nxt.cadoles.fr - host: nxt.base.fr
http: http:
paths: paths:
- path: / - path: /


@ -1,63 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: create-minio-bucket
spec:
template:
spec:
initContainers:
- name: wait-for-minio
image: busybox
envFrom:
- configMapRef:
name: nextcloud-env
command: ["sh", "-c"]
args:
- |
echo "attente du service minio..."
cnt=0
tout=300
while [ 1 ]
do
http_code=$(wget --server-response https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}/minio/health/live 2>&1 | awk '/^ HTTP/{print $2}')
if [ "${http_code}" != "200" ]; then
echo "waiting for https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}"
sleep 1
else
exit 0
fi
cnt=$((cnt+1))
if [ "${cnt}" -ge "${tout}" ]; then
exit 3
fi
done
# Encore nécessaire ?
containers:
- name: create-bucket
image: minio/mc
envFrom:
- configMapRef:
name: nextcloud-env
env:
- name: CONSOLE_ACCESS_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_ACCESS_KEY
- name: CONSOLE_SECRET_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_SECRET_KEY
command: ["sh", "-c"]
args:
- |
echo "création de l'alias my-minio"
mc alias set --insecure my-minio http://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY}
echo "création du bucket..."
mc mb --insecure my-minio/nextcloud-minio
echo "Bucket créé. normalement"
restartPolicy: OnFailure
# Est-ce que je mettrais pas mon ldap ici ? => ConfigMap-ldap-script.yaml ?


@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: nextcloud


@ -1,4 +1,3 @@
---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
@ -17,10 +16,12 @@ rules:
- v1 - v1
resources: resources:
- secrets - secrets
- services
- pods
verbs: verbs:
- get - get
- list - list
- patch #- patch
# Declaration d'un role nommé status-reader et attribution de droit # Declaration d'un role nommé status-reader et attribution de droit
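Review bot: The rule now grants `get` and `list` on `secrets`, `services` and `pods` to whatever is bound to this Role, and `list` on `secrets` alone lets that subject read every secret in the namespace (`nextcloud-postgres-app` and `nextcloud-smtp` included), which is more than the `k8s-wait-for` init container the deployment used needs. Scope it down: keep `jobs` for the wait-for logic, and if the pod genuinely needs particular secrets, name them with `resourceNames:` and grant `get` only, dropping `list`. Commenting out `- patch` is the right direction; deleting the line instead of leaving `#- patch` keeps the manifest readable. The `- v1` entry under `apiGroups` is context rather than new, but `v1` is not an API group (core is `""`), so it can go in a follow-up.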


@ -1,33 +0,0 @@
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
name: nextcloud-minio
spec:
certConfig:
dnsNames:
- "minio"
pools:
- servers: 2
name: pool-0
volumesPerServer: 2
volumeClaimTemplate:
metadata:
name: nextcloud-minio-data # juste son nom dans le cluster
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
# env:
# - name: MINIO_CONSOLE_TLS_ENABLE
# value: "off"
containerSecurityContext:
runAsUser: 1000 # droit d'accès user
runAsGroup: 1000 # droit d'accès group
runAsNonRoot: true # accès sans être root
configuration:
name: nextcloud-minio-configuration # cf resources/nextcloud/resources/kustomization.yaml
users:
- name: nextcloud-minio-user # cf resources/nextcloud/resources/kustomization.yaml


@ -1,83 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-main-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-html-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-data-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 20Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-config-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-custom-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 2Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-tmp-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-themes-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 2Gi


@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-main-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi


@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-html-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi


@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-data-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi
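Review bot: `storage: 1Gi` for `nextcloud-data-pvc` backs `/var/www/html/data` (the deployment's `NEXTCLOUD_DATA_DIR`), where the deleted `pvc.yaml` requested 20Gi; with `PHP_UPLOAD_LIMIT="4G"` in the base `nextcloud-env`, a single permitted upload is four times the whole claim, so the first large upload fails on a full volume instead of a clean limit error. If 1Gi is deliberate for local `kind` clusters, record that in the file, e.g. `storage: 1Gi  # dev-sized; raise in an overlay for real data`, and keep the larger request in base or an overlay. `nextcloud-main-pvc` in `00-main.yaml` was cut from 5Gi to 1Gi the same way.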


@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-config-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi


@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-custom-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 2Gi


@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-tmp-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi


@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-themes-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 2Gi


@ -1,9 +0,0 @@
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: l2-ip-pool-ad
namespace: metallb-system
spec:
ipAddressPools:
- main-pool


@ -1,8 +0,0 @@
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: main-pool
namespace: metallb-system
spec:
addresses:
- 172.18.10.100-172.18.10.200


@ -1,7 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: metallb-system
resources:
- ipaddresspoool.yaml
- advertise.yaml


@ -2,87 +2,30 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: nextcloud-dev namespace: nextcloud-dev
# ressources utilisées, appel de base et ajout de namespace.yaml #namePrefix: dev-
configurations:
- ./resources/files/minio/configurations/tenants.minio.min.io.yaml
resources: resources:
- ../../base/ - ../../base/
- resources/namespace.yaml
- resources/ssl.yaml
- resources/cert-manager - resources/cert-manager
- resources/nextcloud/namespace.yaml
#- resources/host-config.yaml - resources/nextcloud/ssl.yaml
- resources/nextcloud/cm-ldap-script.yaml
# deux façon de faire la seconde ici => - resources/nextcloud/minio-tenant.yaml
# - patches/nextcloud-patch.yaml - resources/nextcloud/job-minio.yaml
patches: patches:
- path: patches/deployment.yaml
- path: patches/nginx-ingress.yaml - path: patches/nginx-ingress.yaml
- path: patches/ConfigMap-redis.yaml
patchesStrategicMerge: - path: patches/nextcloud-env.yaml
- patches/redis-config.yaml target:
- patches/ConfigMaps.yaml kind: ConfigMap
- patches/ConfigMap-ldap-script.yaml name: nextcloud-env
- patches/job.yaml
patchesJson6902:
- target:
group: apps
version: v1 version: v1
kind: Deployment
name: app
path: patches/nextcloud-variables.yaml
- target:
group: apps
version: v1
kind: Deployment
name: app
path: patches/nextcloud-postgres.yaml
### S3 patch do not work !
# W not ok, R not ok
#- target:
# group: apps
# version: v1
# kind: Deployment
# name: app
# path: patches/nextcloud-S3.yaml
- target:
group: apps
version: v1
kind: Deployment
name: app
path: patches/nextcloud-probe.yaml
- target:
group: apps
version: v1
kind: Deployment
name: app
path: patches/nextcloud-smtp.yaml
#- target:
# group: apps
# version: v1
# kind: Ingress
# name: nextcloud
# path: patches/ingress-nextcloud.yaml
- target:
group: apps
version: v2
kind: Tenant
name: nextcloud-minio
path: patches/tenant-conf.yaml
- target:
group: apps
version: v1
kind: Deployment
name: app
path: patches/nextcloud-ldap.yaml
#- target:
# group: apps
# version: v1
# kind: Ingress
# name: nextcloud
# path: patches/ingress-cert-manager.yaml
# PARTIE MINIO # PARTIE MINIO
@ -91,94 +34,42 @@ patchesJson6902:
#- name: db-user-pass #- name: db-user-pass
# envs: # envs:
# - ./resources/files/minio/config.env # - ./resources/files/minio/config.env
secretGenerator: secretGenerator:
#Voir https://github.com/minio/operator/issues/856 #Voir https://github.com/minio/operator/issues/856
- name: nextcloud-minio-user - name: nextcloud-minio-user
behavior: replace
literals: literals:
- CONSOLE_ACCESS_KEY=minio_root - CONSOLE_ACCESS_KEY=minio_root
- CONSOLE_SECRET_KEY=MinioRootNotSoSecret - CONSOLE_SECRET_KEY=MinioRootNotSoSecret
- name: nextcloud-minio-configuration - name: nextcloud-minio-configuration
behavior: replace
files: files:
- ./resources/files/minio/config.env # A modifier si modification mot de passe et user CONSOLE [ACCESS-SECRET] - ./resources/files/minio/config.env # A modifier si modification mot de passe et user CONSOLE [ACCESS-SECRET]
# ajout de Variable, et redéfinition de certaines # ajout de Variable, et redéfinition de certaines
configMapGenerator: configMapGenerator:
#- name: nextcloud-parameters #- name: nextcloud-parameters
# files: # files:
# - ./resources/files/parameters.yaml # - ./resources/files/parameters.yaml
- name: nextcloud-env #- name: nextcloud-env
behavior: replace # behavior: replace
literals: # literals:
- MINIO_SERVICE_NAME=$(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT) # - MINIO_SERVICE_NAME=$(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT)
- MINIO_SERVICE_HOST=minio # - MINIO_SERVICE_HOST=minio
- MINIO_SERVICE_PORT=443 # - MINIO_SERVICE_PORT=443
options: # options:
disableNameSuffixHash: true # disableNameSuffixHash: true
- name: nextcloud-smtp - name: nextcloud-smtp
literals: literals:
- smtp-username=user - smtp-username=ouchemail
- smtp-password=password - smtp-password=HjkEHJ2676yiu2
options: options:
disableNameSuffixHash: true disableNameSuffixHash: true
# PARTIE MAUVAISE IDEE vars: # génération d'information pour wait-for-bootstrap du pod nextcloud
- name: MINIO_BOOTSTRAP_JOB_NAME
#replacements: objref:
# - source: name: create-minio-bucket
# kind: ConfigMap kind: Job
# name: host-config apiVersion: batch/v1
# fieldPath: data.NEXTCLOUD_HOST fieldref:
# targets: fieldpath: metadata.name
# - select:
# kind: Ingress
# name: nextcloud
# fieldPaths:
# - /spec/rules[0]/host
# - select:
# kind: Deployment
# name: app
# fieldPaths:
# - /spec/template/spec/containers[0]/readinessProbe/httpGet/httpHeaders[0].value
# - /spec/template/spec/containers[0]/livenessProbe/httpGet/httpHeaders[0].value
#vars:
# - name: NEXTCLOUD_HOST
# objref:
# kind: ConfigMap
# name: host-config
# apiVersion: v1
# fieldref:
# fieldpath: data.NEXTCLOUD_HOST
## faire un fichier patch.yaml et ajouter les données à modifier comme dans les patch mse
#
# patchesStrategicMerge => deprecated use patches instead
# patchesJson6902: => deprecated use patches instead
# vars => deprecated use replacements instead
# PRINCIPE DU PATCHE
#- target:
# version: v1
# kind: Deployment # ce type de kind .. qui signifie ni plus ni moins ce type de type -_-
# name: app
# path: patches/le patch.yaml
# modif pour l'image ?
#images:
#- name: foo/bar
# newName: foo/bar
# newTag: 3.4.5
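Review bot: `- smtp-password=HjkEHJ2676yiu2` in the `nextcloud-smtp` secretGenerator (second hunk) replaces the obvious placeholder `password` with what reads like a live credential, and once committed it stays in history even after rotation; `CONSOLE_SECRET_KEY=MinioRootNotSoSecret` a few lines above has the same problem, though it predates this commit. Move these literals to a git-ignored `envs:` file or an external secret and keep only a placeholder in the repo; the SMTP value should be rotated regardless. If it is a throwaway for the local `kind` cluster, a comment such as `# dev-only throwaway credential` would stop the next reader from treating it as live. The dev `nextcloud-smtp` generator also carries no `behavior:` while base still defines a generator of the same name, so confirm `kustomize build overlays/dev` does not reject the duplicate id; `behavior: replace` is what the minio generators used before this commit.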


@ -1,627 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: nextcloud-dev
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nextcloud-sa
namespace: nextcloud-dev
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: status-reader
namespace: nextcloud-dev
rules:
- apiGroups:
- batch
- v1
resources:
- jobs
verbs:
- get
- list
- apiGroups:
- ""
- v1
resources:
- secrets
verbs:
- get
- list
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: status-reader
namespace: nextcloud-dev
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: status-reader
subjects:
- kind: ServiceAccount
name: nextcloud-sa
namespace: nextcloud-dev
---
apiVersion: v1
data:
redis-config: |
maxmemory 4mb
maxmemory-policy volatile-lru
appendonly yes
kind: ConfigMap
metadata:
name: cm-redis-config
namespace: nextcloud-dev
---
apiVersion: v1
data:
NEXTCLOUD_HOST: nxt.serveur.fr
kind: ConfigMap
metadata:
name: host-config
namespace: nextcloud-dev
---
apiVersion: v1
data:
MINIO_SERVICE_HOST: minio
MINIO_SERVICE_NAME: $(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT)
MINIO_SERVICE_PORT: "443"
kind: ConfigMap
metadata:
name: nextcloud-env
namespace: nextcloud-dev
---
apiVersion: v1
data:
parameters.yaml: |2-
#API minio
minio_url: 'http://%env(string:MINIO_SERVICE_NAME)%:9000'
minio_key: '%env(string:MINIO_KEY)%'
minio_secret: '%env(string:MINIO_SECRET)%'
minio_bucket: 'nextcloud'
minio_root: ''
minio_path_style: true
minio_secure: false
kind: ConfigMap
metadata:
name: nextcloud-parameters
namespace: nextcloud-dev
---
apiVersion: v1
data:
poststart-ldap.sh: |
#!/bin/sh
# Vérifiez si LDAP est déjà activé
if ! su -s /bin/sh -c "/var/www/html/occ app:list --output=json" www-data | jq -e '.enabled | has("user_ldap")'; then
# Activez le module LDAP si ce n'est pas déjà fait
su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
echo 'activation de ldap'
fi
# Configurez LDAP (configuration minimale)
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapHost --value='ldap.example.com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapBase --value='dc=example,dc=com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentName --value='cn=admin,dc=example,dc=com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentPassword --value='your_password'" www-data
echo 'ldap configured'
# Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart.
#exec /entrypoint.sh "$@"
kind: ConfigMap
metadata:
name: script-config-ldap
namespace: nextcloud-dev
---
apiVersion: v1
data:
custom-script.sh: |-
#!/bin/sh
HOSTS_FILE="/etc/hosts"
# Ajoutez l'entrée au fichier hosts
MINIO_SERVICE_IP="${MINIO_SERVICE_HOST}"
MINIO_NAME="${MINIO_SERVICE_NAME}"
echo "$MINIO_SERVICE_IP" minio >> $HOSTS_FILE
kind: ConfigMap
metadata:
name: update-config
namespace: nextcloud-dev
---
apiVersion: v1
data:
config.env: |
ZXhwb3J0IE1JTklPX1JPT1RfVVNFUj0ibWluaW9fcm9vdCIKZXhwb3J0IE1JTklPX1JPT1
RfUEFTU1dPUkQ9Ik1pbmlvUm9vdE5vdFNvU2VjcmV0IgpleHBvcnQgTUlOSU9fU1RPUkFH
RV9DTEFTU19TVEFOREFSRD0iRUM6MiIKZXhwb3J0IE1JTklPX0JST1dTRVI9Im9uIg==
kind: Secret
metadata:
name: nextcloud-minio-configuration
namespace: nextcloud-dev
type: Opaque
---
apiVersion: v1
data:
CONSOLE_ACCESS_KEY: bWluaW9fcm9vdA==
CONSOLE_SECRET_KEY: TWluaW9Sb290Tm90U29TZWNyZXQ=
kind: Secret
metadata:
name: nextcloud-minio-user
namespace: nextcloud-dev
type: Opaque
---
apiVersion: v1
kind: Service
metadata:
labels:
app: nextcloud
component: app
name: nextcloud
namespace: nextcloud-dev
spec:
ports:
- port: 80
selector:
app: nextcloud
component: app
---
apiVersion: v1
kind: Service
metadata:
labels:
app: redis
name: redis
namespace: nextcloud-dev
spec:
ports:
- port: 6379
selector:
app: redis
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-config-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-custom-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-data-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-html-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-main-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-themes-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-tmp-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
volumeMode: Filesystem
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nextcloud
component: app
name: app
namespace: nextcloud-dev
spec:
replicas: 1
selector:
matchLabels:
app: nextcloud
component: app
template:
metadata:
labels:
app: nextcloud
component: app
spec:
containers:
- env:
- name: POSTGRES_DB
value: nextcloud
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: nextcloud-postgres-app
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: nextcloud-postgres-app
- name: POSTGRES_HOST
value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST)
- name: NEXTCLOUD_ADMIN_USER
value: admincadoles
- name: NEXTCLOUD_ADMIN_PASSWORD
value: CadolesNotSecret
- name: NEXTCLOUD_TRUSTED_DOMAINS
value: '*.cadoles.fr'
- name: NEXTCLOUD_INIT_LOCK
value: 512M
- name: PHP_MEMORY_LIMIT
value: 4G
- name: PHP_UPLOAD_LIMIT
value: 4G
- name: POD_INDEX
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: REDIS_HOST
value: redis
- name: REDIS_HOST_PORT
value: "6379"
- name: OBJECTSTORE_S3_HOST
value: minio:$(MINIO_SERVICE_PORT)
- name: OBJECTSTORE_S3_BUCKET
value: nextcloud-minio
- name: OBJECTSTORE_S3_KEY
value: minio_root
- name: OBJECTSTORE_S3_SECRET
value: MinioRootNotSoSecret
- name: OBJECTSTORE_S3_USEPATH_STYLE
value: "true"
- name: OBJECTSTORE_S3_SSL
value: "true"
- name: NEXTCLOUD_DATA_DIR
value: /var/www/html/data
image: reg.cadoles.com/proxy_cache/library/nextcloud:26.0.1-apache
imagePullPolicy: Always
lifecycle:
postStart:
exec:
command:
- /bin/sh
- -c
- cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt
&& update-ca-certificates
- /etc/script/poststart-ldap.sh
livenessProbe:
failureThreshold: 5
httpGet:
httpHeaders:
- name: Host
value: nxt.cadoles.fr
path: /status.php
port: 80
initialDelaySeconds: 50
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 5
name: app
ports:
- containerPort: 80
readinessProbe:
failureThreshold: 5
httpGet:
httpHeaders:
- name: Host
value: nxt.cadoles.fr
path: /status.php
port: 80
initialDelaySeconds: 50
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 5
volumeMounts:
- mountPath: /var/www/
name: nextcloud-main-volume
- mountPath: /var/www/html
name: nextcloud-html-volume
- mountPath: /var/www/html/data
name: nextcloud-data-volume
- mountPath: /var/www/html/config
name: nextcloud-config-volume
- mountPath: /var/www/html/custom_apps
name: nextcloud-custom-volume
- mountPath: /var/www/tmp
name: nextcloud-tmp-volume
- mountPath: /var/www/html/themes
name: nextcloud-themes-volume
- mountPath: /etc/script/poststart-ldap.sh
name: script-config-ldap
subPath: poststart-ldap.sh
- mountPath: /etc/script/custom-script.sh
name: update-config-script
subPath: custom-script.sh
- mountPath: /etc/minio-ccerts
name: minio-certs
readOnly: true
initContainers:
- args:
- job
- create-minio-bucket
image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
name: wait-for-bootstrap
restartPolicy: Always
serviceAccountName: nextcloud-sa
volumes:
- name: minio-certs
secret:
secretName: nextcloud-minio-tls
- configMap:
defaultMode: 484
name: update-config
name: update-config-script
- configMap:
defaultMode: 484
name: script-config-ldap
name: script-config-ldap
- name: nextcloud-main-volume
persistentVolumeClaim:
claimName: nextcloud-main-pvc
- name: nextcloud-html-volume
persistentVolumeClaim:
claimName: nextcloud-html-pvc
- name: nextcloud-data-volume
persistentVolumeClaim:
claimName: nextcloud-data-pvc
- name: nextcloud-config-volume
persistentVolumeClaim:
claimName: nextcloud-config-pvc
- name: nextcloud-custom-volume
persistentVolumeClaim:
claimName: nextcloud-custom-pvc
- name: nextcloud-tmp-volume
persistentVolumeClaim:
claimName: nextcloud-tmp-pvc
- name: nextcloud-themes-volume
persistentVolumeClaim:
claimName: nextcloud-themes-pvc
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: redis
name: redis
namespace: nextcloud-dev
spec:
replicas: 1
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- command:
- redis-server
- /redis-master/redis.conf
image: redis:alpine
name: redis
ports:
- containerPort: 6379
volumeMounts:
- mountPath: /redis-master-data
name: data
- mountPath: /redis-master
name: config
restartPolicy: Always
volumes:
- emptyDir: {}
name: data
- configMap:
items:
- key: redis-config
path: redis.conf
name: cm-redis-config
name: config
---
apiVersion: batch/v1
kind: Job
metadata:
name: create-minio-bucket
namespace: nextcloud-dev
spec:
template:
spec:
containers:
- args:
- |
echo "création de l'alias my-minio"
mc alias set --insecure my-minio http://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY}
echo "création du bucket..."
mc mb --insecure my-minio/nextcloud-minio
echo "Bucket créé. normalement"
command:
- sh
- -c
env:
- name: CONSOLE_ACCESS_KEY
valueFrom:
secretKeyRef:
key: CONSOLE_ACCESS_KEY
name: nextcloud-minio-user
- name: CONSOLE_SECRET_KEY
valueFrom:
secretKeyRef:
key: CONSOLE_SECRET_KEY
name: nextcloud-minio-user
envFrom:
- configMapRef:
name: nextcloud-env
image: minio/mc
name: create-bucket
initContainers:
- args:
- |
echo "attente du service minio..."
cnt=0
tout=300
while [ 1 ]
do
http_code=$(wget --server-response https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}/minio/health/live 2>&1 | awk '/^ HTTP/{print $2}')
if [ "${http_code}" != "200" ]; then
echo "waiting for https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}"
sleep 1
else
exit 0
fi
cnt=$((cnt+1))
if [ "${cnt}" -ge "${tout}" ]; then
exit 3
fi
done
command:
- sh
- -c
envFrom:
- configMapRef:
name: nextcloud-env
image: busybox
name: wait-for-minio
restartPolicy: OnFailure
---
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
name: nextcloud-minio
namespace: nextcloud-dev
spec:
certConfig:
dnsNames:
- minio
configuration:
name: nextcloud-minio-configuration
pools:
- containerSecurityContext:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
name: pool-0
servers: 2
volumeClaimTemplate:
metadata:
name: nextcloud-minio-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
volumesPerServer: 2
users:
- name: nextcloud-minio-user
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/cors-allow-headers: X-Forwarded-For
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 138m
name: nextcloud
namespace: nextcloud-dev
spec:
ingressClassName: nginx
rules:
- host: nxt.cadoles.fr
http:
paths:
- backend:
service:
name: nextcloud
port:
number: 80
path: /
pathType: Prefix
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: nextcloud-postgres
namespace: nextcloud-dev
spec:
bootstrap:
initdb:
database: nextcloud
owner: nextcloud
instances: 1
primaryUpdateStrategy: unsupervised
storage:
size: 5Gi

@ -1,76 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: script-config-ldap
data:
poststart-ldap.sh: |
#!/bin/sh
NEXTCLOUD_READY=0
MAX_RETRIES=30
RETRY_INTERVAL=10
touch /etc/script/validator.txt
# Vérifiez si LDAP est déjà activé
# if ! su -s /bin/sh -c "/var/www/html/occ app:list --output=json" www-data | jq -e '.enabled | has("user_ldap")'; then
# Activez le module LDAP si ce n'est pas déjà fait
# su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
#fi
for i in $(seq 1 $MAX_RETRIES); do
if curl -fsS "http://localhost/status.php" > /dev/null; then
NEXTCLOUD_READY=1
break
else
echo "En attente de Nextcloud (tentative $i/$MAX_RETRIES)..." >> /etc/script/validator.txt
sleep $RETRY_INTERVAL
fi
done
if [ $NEXTCLOUD_READY -eq 0 ]; then
echo "Nextcloud n'est pas prêt après $MAX_RETRIES tentatives. Abandon de l'initialisation LDAP." >> /etc/script/validator.txt
exit 1
fi
su -s /bin/sh -c "/var/www/html/occ app:install user_ldap" www-data
su -s /bin/sh -c "/var/www/html/occ app:update user_ldap" www-data
su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:create-empty-config" www-data
## test if backend ldap is activated and create empty config if not
#
#touch /tmp/nxt-ldap.txt
#su -s /bin/sh -c "/var/www/html/occ ldap:show-config s01 > /tmp/nextcloud-ldap.txt" www-data
#if grep -q "Invalid configID" /tmp/nextcloud-ldap.txt; then
# sudo -u www-data php /var/www/html/nextcloud/occ ldap:create-empty-config -q
#fi
# Configurez LDAP (configuration minimale)
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_host '${NEXTCLOUD_LDAP_HOST}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_base '${NEXTCLOUD_LDAP_BASE}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_dn '${NEXTCLOUD_LDAP_DN}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_agent_password '${NEXTCLOUD_LDAP_PASSWD}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseGroups '${NEXTCLOUD_LDAP_BASE_GROUPS}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseUsers '${NEXTCLOUD_LDAP_BASE_USERS}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapConfigurationActive '${NEXTCLOUD_LDAP_ACTIVE_CONF}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExperiencedAdmin '${NEXTCLOUD_LDAP_ADMIN_EXP}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExpertUUIDUserAttr '${NEXTCLOUD_LDAP_EXP_UUID}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapLoginFilter '${NEXTCLOUD_LDAP_LOGIN_FILTER}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapPort '${NEXTCLOUD_LDAP_PORT}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilter '${NEXTCLOUD_LDAP_USR_FILTR}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilterObjectclass '${NEXTCLOUD_LDAP_OBJ_FILTR}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapEmailAttribute '${NEXTCLOUD_LDAP_MAIL_ATTR}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserDisplayName '${NEXTCLOUD_LDAP_USER_DISP}'" www-data
#sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapGroupFilter "${ldapGroupFilter}"
#sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapGroupFilterObjectclass "${ldapGroupFilterObjectclass}"
#sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapGroupMemberAssocAttr "${ldapGroupMemberAssocAttr}"
# Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart.
#exec /entrypoint.sh "$@"
# su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
# est fonctionnel dans le pods nextcloud !
#liste config : su -s /bin/sh -c "/var/www/html/occ config:list" www-data

@ -1,14 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: update-config
data:
custom-script.sh: |
#!/bin/sh
HOSTS_FILE="/etc/hosts"
# Ajoutez l'entrée au fichier hosts
MINIO_SERVICE_IP="${MINIO_SERVICE_HOST}"
MINIO_NAME="${MINIO_SERVICE_NAME}"
echo "$MINIO_SERVICE_IP" minio >> $HOSTS_FILE

@ -0,0 +1,91 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nextcloud-app
spec:
replicas: 3
template:
spec:
initContainers:
- name: wait-for-bootstrap
image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
args:
- job
- $(MINIO_BOOTSTRAP_JOB_NAME)
containers:
- name: nextcloud
env:
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: nextcloud-postgres-app
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: nextcloud-postgres-app
key: password
- name: OBJECTSTORE_S3_BUCKET
value: nxt-minio
- name: OBJECTSTORE_S3_AUTOCREATE
value: "true"
- name: OBJECTSTORE_S3_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_ACCESS_KEY
- name: OBJECTSTORE_S3_SECRET
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_SECRET_KEY
- name: OBJECTSTORE_S3_HOST
value: minio:$(MINIO_SERVICE_PORT)
- name: OBJECTSTORE_S3_PORT
value: "443"
- name: OBJECTSTORE_S3_SSL
value: "true"
- name: OBJECTSTORE_S3_USEPATH_STYLE
value: "true"
livenessProbe:
httpGet:
path: /status.php
port: 80
httpHeaders:
- name: Host
value: nxt.cadoles.lan
initialDelaySeconds: 50
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
readinessProbe:
httpGet:
path: /status.php
port: 80
httpHeaders:
- name: Host
value: nxt.cadoles.lan
initialDelaySeconds: 50
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
volumeMounts:
- mountPath: /docker-entrypoint-hooks.d/post-installation/ldap.sh
name: script-config-ldap
subPath: poststart-ldap.sh
- mountPath: /etc/minio-ccerts
name: minio-certs
readOnly: true
volumes:
- name: minio-certs
secret:
secretName: nextcloud-minio-tls
- name: script-config-ldap
configMap:
name: script-config-ldap
defaultMode: 0755
restartPolicy: Always
serviceAccountName: nextcloud-sa
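Review bot: `defaultMode: 0755` on the `script-config-ldap` volume is a leading-zero integer, which a YAML 1.1 parser reads as octal 493 but a YAML 1.2 parser reads as decimal 755; the rendered output at the top of this page uses plain decimal (`defaultMode: 484`), so write `defaultMode: 493` (or `0o755`) to remove the ambiguity. `replicas: 3` will only work if the base no longer mounts the ReadWriteOnce PVCs shown in the rendered overlay above; with those volumes the extra replicas stay Pending on a multi-node cluster, so confirm the base's storage before raising the count. `OBJECTSTORE_S3_HOST: minio:$(MINIO_SERVICE_PORT)` already carries a port while `OBJECTSTORE_S3_PORT: "443"` sets one separately; keep a single source for it. `$(MINIO_BOOTSTRAP_JOB_NAME)` in the init container args presumably relies on a kustomize `vars`/`replacements` entry that is not part of this change — verify it renders.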

@ -1,36 +0,0 @@
#- op: replace
# path: /metadata/annotations/nginx.ingress.kubernetes.io~1proxy-body-size
# value: "1G"
#- op: replace
# path: /metadata/annotations/nginx.ingress.kubernetes.io~1enable-cors
# value: "true"
#- op: replace
# path: /metadata/annotations/nginx.ingress.kubernetes.io~1cors-allow-headers
# value: "X-Forwarded-For"
# En cas de besoin
#- op: add
# path: /metadata/annotations/nginx.ingress.kubernetes.io~1client_max_body_size
# value: "100m"
#- op: replace
# path: /spec/rules/0/host
# value: nxt.cadoles.fr
#- op: replace
# path: /spec/rules/0/http/paths/0/path
# value: /
#- op: replace
# path: /spec/rules/0/http/paths/0/pathType
# value: Prefix
#- op: replace
# path: /spec/rules/0/http/paths/0/backend/service/name
# value: nextcloud
#- op: replace
# path: /spec/rules/0/http/paths/0/backend/service/port/number
# value: 80
# logiquement path =
# path: /metadata/annotations/nginx.ingress.kubernetes.io/proxy-body-size
# sauf que ... json voila, "/" est à remplacer par ~1

@ -1,65 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: create-minio-bucket
spec:
template:
spec:
initContainers:
- name: wait-for-minio
image: reg.cadoles.com/proxy_cache/library/debian:bookworm
envFrom:
- configMapRef:
name: nextcloud-env
command: ["sh", "-c"]
args:
- |
echo "attente du service minio..."
cnt=0
tout=300
apt update && apt install --yes --force-yes wget openssl
cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates
while [ 1 ]
do
http_code=$(wget --server-response https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}/minio/health/live 2>&1 | awk '/^ HTTP/{print $2}')
if [ "${http_code}" != "200" ]; then
echo "waiting for https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}"
sleep 1
else
exit 0
fi
cnt=$((cnt+1))
if [ "${cnt}" -ge "${tout}" ]; then
exit 3
fi
done
# Encore nécessaire ?
containers:
- name: create-bucket
image: minio/mc
envFrom:
- configMapRef:
name: nextcloud-env
env:
- name: CONSOLE_ACCESS_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_ACCESS_KEY
- name: CONSOLE_SECRET_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_SECRET_KEY
command: ["sh", "-c"]
args:
- |
echo "création de l'alias my-minio"
mc alias set --insecure my-minio http://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY}
echo "création du bucket..."
mc mb --insecure my-minio/nextcloud-minio
echo "Bucket créé. normalement"
restartPolicy: OnFailure

@ -1,24 +0,0 @@
- op: replace
path: /spec/template/spec/containers/0/env/13/value #OBJECTSTORE_S3_HOST
value: minio:$(MINIO_SERVICE_PORT)
- op: replace
path: /spec/template/spec/containers/0/env/14/value #OBJECTSTORE_S3_BUCKET
value: nextcloud-minio
- op: replace
path: /spec/template/spec/containers/0/env/15/value #OBJECTSTORE_S3_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user # kustomize racine
key: CONSOLE_ACCESS_KEY
- op: replace
path: /spec/template/spec/containers/0/env/16/value #OBJECTSTORE_S3_SECRET
valueFrom:
secretKeyRef:
name: nextcloud-minio-user # kustomize racine
key: CONSOLE_SECRET_KEY
- op: replace
path: /spec/template/spec/containers/0/env/17/value #OBJECTSTORE_S3_USEPATH_STYLE
value: "true"
- op: replace
path: /spec/template/spec/containers/0/env/18/value #OBJECTSTORE_S3_SSL
value: "true"

@ -0,0 +1,72 @@
- op: replace
path: "/data/NEXTCLOUD_TRUSTED_DOMAINS"
value: "*.cadoles.lan"
- op: replace
path: "/data/OBJECTSTORE_S3_HOST"
value: minio:$(MINIO_SERVICE_PORT)
- op: replace
path: "/data/OBJECTSTORE_S3_BUCKET"
value: nextcloud-minio
- op: replace
path: "/data/OBJECTSTORE_S3_USEPATH_STYLE"
value: "true"
- op: replace
path: "/data/OBJECTSTORE_S3_SSL"
value: "true"
- op: replace
path: "/data/NEXTCLOUD_LDAP_HOST"
value: ldaps://ldap.cadoles.com
- op: replace
path: "/data/NEXTCLOUD_LDAP_BASE"
value: ou=cadoles,o=gouv,c=fr
- op: replace
path: "/data/NEXTCLOUD_LDAP_DN"
value: cn=reader,o=gouv,c=fr
- op: replace
path: "/data/NEXTCLOUD_LDAP_PASSWD"
value: phooge2jaidae4ohguChi6quoo8okahn2ru6aixutahmiuFoh6ooshae
- op: replace
path: "/data/NEXTCLOUD_LDAP_BASE_GROUPS"
value: ou=groups,ou=cadoles,o=gouv,c=fr
- op: replace
path: "/data/NEXTCLOUD_LDAP_BASE_USERS"
value: ou=users,ou=cadoles,o=gouv,c=fr
- op: replace
path: "/data/NEXTCLOUD_LDAP_ACTIVE_CONF"
value: '1'
- op: replace
path: "/data/NEXTCLOUD_LDAP_ADMIN_EXP"
value: '0'
- op: replace
path: "/data/NEXTCLOUD_LDAP_EXP_UUID"
value: cn
- op: replace
path: "/data/NEXTCLOUD_LDAP_LOGIN_FILTER"
value: (&(objectClass=person)(uid=%uid))
- op: replace
path: "/data/NEXTCLOUD_LDAP_LOGIN_FILTER_ATTR"
value: uid
- op: replace
path: "/data/NEXTCLOUD_LDAP_PORT"
value: '636'
- op: replace
path: "/data/NEXTCLOUD_LDAP_USR_FILTR"
value: (|(objectclass=person))
- op: replace
path: "/data/NEXTCLOUD_LDAP_OBJ_FILTR"
value: person
- op: replace
path: "/data/NEXTCLOUD_LDAP_MAIL_ATTR"
value: mail
- op: replace
path: "/data/NEXTCLOUD_LDAP_USER_DISP"
value: cn
- op: replace
path: "/data/NEXTCLOUD_LDAP_GROUP_FILTR"
value: (&(|(objectclass=cadolesGroup)))
- op: replace
path: "/data/NEXTCLOUD_LDAP_GROUP_FILTR_OBJCLASS"
value: cadolesGroup
- op: replace
path: "/data/NEXTCLOUD_LDAP_GROUP_MEMBR_ASSO"
value: gidNumber
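Review bot: The `/data/NEXTCLOUD_LDAP_PASSWD` entry stores the bind password for `cn=reader,o=gouv,c=fr` as a literal in a ConfigMap patch committed to the repository, and the patched ConfigMap is presumably `nextcloud-env`, which the bucket Job loads wholesale through `envFrom`; move the password to a Secret (a kustomize `secretGenerator` fed from an untracked file, or an external-secrets resource) consumed via `secretKeyRef`, and treat the value already committed as disclosed and rotate it on the directory side. Every entry here is `op: replace`, which fails with a missing-path error when the key does not already exist in the base ConfigMap; the base is not visible on this page, so if `NEXTCLOUD_LDAP_LOGIN_FILTER_ATTR` or the three `NEXTCLOUD_LDAP_GROUP_*` keys are new, use `op: add` for those.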

@ -1,75 +0,0 @@
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_HOST
value: openldap.openldap
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_BASE
value: dc=example,dc=org
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_DN
value: cn=admin,dc=example,dc=org
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_PASSWD
value: "adminpassword"
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_BASE_GROUPS
value: dc=example,dc=org
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_BASE_USERS
value: ou=users,dc=example,dc=org
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_ACTIVE_CONF
value: "1"
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_ADMIN_EXP
value: "0"
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_EXP_UUID
value: cn
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_LOGIN_FILTER
value: (&(objectClass=posixAccount)(cn=%uid))
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_PORT
value: "1389"
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_USR_FILTR
value: (|(objectclass=posixAccount))
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_OBJ_FILTR
value: posixAccount
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_MAIL_ATTR
value: mail
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_USER_DISP
value: cn

@ -1,26 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: app
spec:
template:
spec:
containers:
- name: app
env:
- name: NEXTCLOUD_ADMIN_USER
value: admincadoles
- name: NEXTCLOUD_ADMIN_PASSWORD
value: cadoles
- name: PHP_MEMORY_LIMIT
value: 512M
- name: PHP_UPLOAD_LIMIT
value: 4G
- name: REDIS_HOST
value: redis
- name: REDIS_HOST_PORT
value: "6379"
- name: NEXTCLOUD_DATA_DIR
value: "/var/www/html/data"
- name: NEXTCLOUD_TRUSTED_DOMAINS
value: "*.cadoles.fr"

@ -1,34 +0,0 @@
# USER POSTGRES
# UNIQUEMENT Si vous ne passez pas par l'operateur.
#- op: replace
# path: /spec/template/spec/containers/env/0/value #POSTGRES_DB
# value: username
#- op: replace
# path: /spec/template/spec/containers/env/1/value #POSTGRES_USER
# value: username
#- op: replace
# path: /spec/template/spec/containers/env/2/value #POSTGRES_PASSWORD
# value: password
# CONF POSTGRES
- op: replace
path: /spec/template/spec/containers/0/env/3/value #POSTGRES_HOST
value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST)
- op: replace
path: /spec/template/spec/containers/0/env/0/value #POSTGRES_DB
value: nextcloud
#Name: nextcloud-postgres-app
#Namespace: nextcloud
#Labels: cnpg.io/cluster=nextcloud-postgres
# cnpg.io/reload=true
#Annotations: cnpg.io/operatorVersion: 1.18.1
#
#Type: kubernetes.io/basic-auth
#
#Data
#====
#password: 64 bytes
#pgpass: 112 bytes
#username: 9 bytes

@ -1,47 +0,0 @@
# livenessProbe
- op: replace
path: /spec/template/spec/containers/0/livenessProbe/httpGet/httpHeaders/0/value
value: nxt.cadoles.fr
- op: replace
path: /spec/template/spec/containers/0/livenessProbe/httpGet/port
value: 80
- op: replace
path: /spec/template/spec/containers/0/livenessProbe/initialDelaySeconds
value: 50
- op: replace
path: /spec/template/spec/containers/0/livenessProbe/periodSeconds
value: 10
- op: replace
path: /spec/template/spec/containers/0/livenessProbe/timeoutSeconds
value: 5
- op: replace
path: /spec/template/spec/containers/0/livenessProbe/successThreshold
value: 1
- op: replace
path: /spec/template/spec/containers/0/livenessProbe/failureThreshold
value: 6
# readinessProbe
- op: replace
path: /spec/template/spec/containers/0/readinessProbe/httpGet/httpHeaders/0/value
value: nxt.cadoles.fr
- op: replace
path: /spec/template/spec/containers/0/readinessProbe/httpGet/port
value: 80
- op: replace
path: /spec/template/spec/containers/0/readinessProbe/initialDelaySeconds
value: 50
- op: replace
path: /spec/template/spec/containers/0/readinessProbe/periodSeconds
value: 10
- op: replace
path: /spec/template/spec/containers/0/readinessProbe/timeoutSeconds
value: 5
- op: replace
path: /spec/template/spec/containers/0/readinessProbe/successThreshold
value: 1
- op: replace
path: /spec/template/spec/containers/0/readinessProbe/failureThreshold
value: 6

@ -1,26 +0,0 @@
- op: replace
path: /spec/template/spec/containers/0/env/19/value #MAIL_FROM_ADDRESS
value: "usercadoles"
- op: replace
path: /spec/template/spec/containers/0/env/20/value #MAIL_DOMAIN
value: "cadoles.com"
- op: replace
path: /spec/template/spec/containers/0/env/21/value #SMTP_HOST
value: "groupware.cadoles.com"
- op: replace
path: /spec/template/spec/containers/0/env/22/value #SMTP_SECURE
value: "ssl"
- op: replace
path: /spec/template/spec/containers/0/env/23/value #SMTP_PORT
value: "587"
- op: replace
path: /spec/template/spec/containers/0/env/24/value #SMTP_AUTHTYPE
value: "LOGIN"
# THEORIQUEMENT LA MODIFICATION du secret generator lié dans kustomize suffit.
#- op: replace
# path: /spec/template/spec/containers/0/env/25/value #SMTP_NAME
# value:
#- op: replace
# path: /spec/template/spec/containers/0/env/26/value #SMTP_PASSWORD
# value:

@ -1,34 +0,0 @@
# USER MDP NEXTCLOUD
- op: replace
path: /spec/template/spec/containers/0/env/4/value #NEXTCLOUD_ADMIN_USER
value: admincadoles
- op: replace
path: /spec/template/spec/containers/0/env/5/value #NEXTCLOUD_ADMIN_PASSWORD
value: CadolesNotSecret
# CONF NEXTCLOUD PHP
- op: replace
path: /spec/template/spec/containers/0/env/8/value #PHP_MEMORY_LIMIT
value: 512M
- op: replace
path: /spec/template/spec/containers/0/env/9/value #PHP_UPLOAD_LIMIT
value: 4G
# CONF NEXTCLOUD REDIS
- op: replace
path: /spec/template/spec/containers/0/env/11/value #REDIS_HOST
value: redis
- op: replace
path: /spec/template/spec/containers/0/env/12/value #REDIS_HOST_PORT
value: "6379"
# CONF NEXTCLOUD
#- op: replace
# path: /spec/template/spec/containers/0/env/27/value #NEXTCLOUD_DATA_DIR
# value: "/var/www/html/data"
- op: replace
path: /spec/template/spec/containers/0/env/6/value #NEXTCLOUD_TRUSTED_DOMAINS
value: "*.cadoles.fr"

@ -13,10 +13,10 @@ spec:
ingressClassName: nginx ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- nxt.cadoles.fr - nxt.cadoles.lan
secretName: cadoles-selfsigned-ca secretName: cadoles-selfsigned-ca
rules: rules:
- host: nxt.cadoles.fr - host: nxt.cadoles.lan
http: http:
paths: paths:
- path: / - path: /

@ -1,21 +0,0 @@
- op: replace
path: /spec/certConfig/dnsNames
value: ["minio"]
- op: replace
path: /spec/pools/0/servers
value: 2
- op: replace
path: /spec/pools/0/volumesPerServer
value: 3
- op: replace
path: /spec/pools/0/volumeClaimTemplate/spec/resources/requests/storage
value: 3Gi
- op: replace
path: /spec/pools/0/containerSecurityContext/runAsUser
value: 1000
- op: replace
path: /spec/pools/0/containerSecurityContext/runAsGroup
value: 1000
- op: replace
path: /spec/pools/0/containerSecurityContext/runAsNonRoot
value: true

@ -5,3 +5,4 @@ resources:
- ./resources/cluster-issuer.yaml - ./resources/cluster-issuer.yaml
- ./resources/ca.yaml - ./resources/ca.yaml
- ./resources/issuer.yaml - ./resources/issuer.yaml

@ -9,7 +9,7 @@ spec:
isCA: true isCA: true
commonName: cadoles-selfsigned-ca commonName: cadoles-selfsigned-ca
# secretName: root-secret # secretName: root-secret
secretName: cadoles-selfsigned-ca secretName: cadoles-selfsigned-ca-secret
privateKey: privateKey:
algorithm: ECDSA algorithm: ECDSA
size: 256 size: 256
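Review bot: The CA Certificate now writes its key pair to `cadoles-selfsigned-ca-secret` and the Issuer hunk that follows reads the same name, but the Ingress hunk above still terminates TLS with `secretName: cadoles-selfsigned-ca`, the name this CA used to write to; unless a leaf Certificate in the overlay now issues into `cadoles-selfsigned-ca`, the Ingress falls back to the controller's default certificate. The leaf Certificate hunk further down renames its dnsNames, but its own `secretName` is outside the visible lines, so confirm the two names line up. Separating the CA secret from the serving secret is the right direction — the old layout handed the CA's private key to the Ingress.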

@ -6,4 +6,4 @@ metadata:
# namespace: ingress-nginx # namespace: ingress-nginx
spec: spec:
ca: ca:
secretName: cadoles-selfsigned-ca secretName: cadoles-selfsigned-ca-secret

@ -1,4 +1,4 @@
export MINIO_ROOT_USER="cadoles" export MINIO_ROOT_USER="minio_root"
export MINIO_ROOT_PASSWORD="cadoles;21" export MINIO_ROOT_PASSWORD="MinioRootNotSoSecret"
export MINIO_STORAGE_CLASS_STANDARD="EC:2" export MINIO_STORAGE_CLASS_STANDARD="EC:2"
export MINIO_BROWSER="on" export MINIO_BROWSER="on"
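Review bot: `MINIO_ROOT_USER`/`MINIO_ROOT_PASSWORD` are the tenant's root credentials and this file commits them as literals, old and new values alike; the rendered dev Deployment at the top of this page passes the same pair to Nextcloud as `OBJECTSTORE_S3_KEY`/`OBJECTSTORE_S3_SECRET`, so the application has been running with root access to the object store. Generate this file outside version control (a kustomize `secretGenerator` with `envs:` pointing at an ignored file, or an external-secrets resource) and keep only the per-application `nextcloud-minio-user` credentials in the workload, as the new Deployment patch already does; both committed values should be rotated.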

@ -0,0 +1,46 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: script-config-ldap
data:
poststart-ldap.sh: |
#!/bin/sh
/bin/sh -c "/var/www/html/occ app:install user_ldap"
/bin/sh -c "/var/www/html/occ app:update user_ldap"
/bin/sh -c "/var/www/html/occ app:enable user_ldap"
/bin/sh -c "/var/www/html/occ ldap:show-config s01 > /tmp/nxt-ldap.txt"
if grep -q "Invalid configID" /tmp/nxt-ldap.txt; then
/bin/sh -c "/var/www/html/occ ldap:create-empty-config"
fi
# Configurez LDAP (configuration minimale)
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_host '${NEXTCLOUD_LDAP_HOST}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_base '${NEXTCLOUD_LDAP_BASE}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_dn '${NEXTCLOUD_LDAP_DN}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_agent_password '${NEXTCLOUD_LDAP_PASSWD}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseGroups '${NEXTCLOUD_LDAP_BASE_GROUPS}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseUsers '${NEXTCLOUD_LDAP_BASE_USERS}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapConfigurationActive '${NEXTCLOUD_LDAP_ACTIVE_CONF}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExperiencedAdmin '${NEXTCLOUD_LDAP_ADMIN_EXP}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExpertUUIDUserAttr '${NEXTCLOUD_LDAP_EXP_UUID}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapLoginFilter '${NEXTCLOUD_LDAP_LOGIN_FILTER}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapLoginFilterAttributes '${NEXTCLOUD_LDAP_LOGIN_FILTER_ATTR}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapPort '${NEXTCLOUD_LDAP_PORT}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilter '${NEXTCLOUD_LDAP_USR_FILTR}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilterObjectclass '${NEXTCLOUD_LDAP_OBJ_FILTR}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapEmailAttribute '${NEXTCLOUD_LDAP_MAIL_ATTR}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserDisplayName '${NEXTCLOUD_LDAP_USER_DISP}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupFilter '${NEXTCLOUD_LDAP_GROUP_FILTR}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupFilterObjectclass '${NEXTCLOUD_LDAP_GROUP_FILTR_OBJCLASS}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupMemberAssocAttr '${NEXTCLOUD_LDAP_GROUP_MEMBR_ASSO}'"
# Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart.
#exec /entrypoint.sh "$@"
# /bin/sh -c "/var/www/html/occ app:enable user_ldap"
# est fonctionnel dans le pods nextcloud !
#liste config : /bin/sh -c "/var/www/html/occ config:list"
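Review bot: Every occ call is wrapped in `/bin/sh -c "…'${VAR}'…"`, so each value is expanded by the outer shell and then parsed again by the inner one: a bind password containing a single quote breaks the command, and any value with shell metacharacters is re-evaluated a second time. Since the `su` of the old version is gone (presumably because the post-installation hook already runs as the image's unprivileged user — confirm), nothing requires the wrapper any more; call occ directly with double-quoted arguments. The script also has no `set -e`, so a failed `app:install`/`app:enable` is silently followed by `ldap:set-config` against an app that is not there, and the hook's exit status is only that of the last line; if `app:install` is expected to fail on an already-bundled app, append `|| true` to that one line. The `ldap:show-config` detour through `/tmp/nxt-ldap.txt` can become a pipe into grep.
```yaml
  poststart-ldap.sh: |
    #!/bin/sh
    set -eu
    OCC="/var/www/html/occ"
    $OCC app:install user_ldap
    $OCC app:update user_ldap
    $OCC app:enable user_ldap
    if $OCC ldap:show-config s01 2>&1 | grep -q "Invalid configID"; then
      $OCC ldap:create-empty-config
    fi
    $OCC ldap:set-config s01 ldap_host "${NEXTCLOUD_LDAP_HOST}"
    $OCC ldap:set-config s01 ldap_agent_password "${NEXTCLOUD_LDAP_PASSWD}"
    # … unchanged: the remaining ldap:set-config lines, rewritten in the same form …
```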

@ -0,0 +1,41 @@
apiVersion: batch/v1
kind: Job
metadata:
name: create-minio-bucket
spec:
template:
spec:
initContainers:
- name: wait-for-minio
image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
args:
- service
- minio
containers:
- name: create-bucket
image: minio/mc
envFrom:
- configMapRef:
name: nextcloud-env
env:
- name: CONSOLE_ACCESS_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_ACCESS_KEY
- name: CONSOLE_SECRET_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_SECRET_KEY
command: ["sh", "-c"]
args:
- |
echo "création de l'alias my-minio"
mc alias set --insecure my-minio https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY}
echo "création du bucket..."
mc mb --insecure my-minio/nextcloud-minio
echo "Bucket créé. normalement"
restartPolicy: OnFailure
serviceAccountName: nextcloud-sa # declare user for initcontainer
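Review bot: `mc alias set --insecure … https://…` disables certificate verification on the connection that carries `CONSOLE_ACCESS_KEY`/`CONSOLE_SECRET_KEY`, while the Deployment patch above already mounts the tenant's `nextcloud-minio-tls` secret for exactly this purpose; mount it here too (mc trusts CA files placed under `~/.mc/certs/CAs/`) and drop `--insecure` from both `mc` calls. The bucket created here is `nextcloud-minio`, but the Deployment patch sets `OBJECTSTORE_S3_BUCKET: nxt-minio` with `OBJECTSTORE_S3_AUTOCREATE: "true"`, and an explicit `env` entry takes precedence over `envFrom`, so Nextcloud would auto-create a second bucket and this Job's work goes unused — pick one name. `mc mb` fails when the bucket already exists, which with `restartPolicy: OnFailure` makes a re-run of the Job loop; `mc mb --ignore-existing my-minio/nextcloud-minio` is idempotent. `image: minio/mc` is untagged while every other image on this page is pinned and pulled through the registry proxy; pin it the same way.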

@ -0,0 +1,29 @@
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
name: nextcloud-minio
spec:
certConfig:
dnsNames:
- "minio"
pools:
- servers: 2
name: pool-0
volumesPerServer: 3
volumeClaimTemplate:
metadata:
name: nextcloud-minio-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 3Gi
containerSecurityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
configuration:
name: nextcloud-minio-configuration
users:
- name: nextcloud-minio-user

@ -15,7 +15,7 @@ spec:
- cadoles - cadoles
# The use of the common name field has been deprecated since 2000 and is # The use of the common name field has been deprecated since 2000 and is
# discouraged from being used. # discouraged from being used.
commonName: cadoles.fr commonName: cadoles.lan
isCA: false isCA: false
privateKey: privateKey:
algorithm: RSA algorithm: RSA
@ -27,8 +27,8 @@ spec:
# At least one of a DNS Name, URI, or IP address is required. # At least one of a DNS Name, URI, or IP address is required.
dnsNames: dnsNames:
- nextcloud - nextcloud
- nextcloud.cadoles.fr - nextcloud.cadoles.lan
- nxt.cadoles.fr - nxt.cadoles.lan
# Issuer references are always required. # Issuer references are always required.
issuerRef: issuerRef:
name: cadoles-ca-issuer name: cadoles-ca-issuer

@ -8,5 +8,6 @@ resources:
- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
#- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop # Nextcloud ne fonctionne pas avec la couche sentinelle #- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop # Nextcloud ne fonctionne pas avec la couche sentinelle
- https://forge.cadoles.com/CadolesKube/c-kustom//base/minio?ref=develop - https://forge.cadoles.com/CadolesKube/c-kustom//base/minio?ref=develop
- https://forge.cadoles.com/vfebvre/openldap-kustom?ref=develop #- https://forge.cadoles.com/vfebvre/openldap-kustom?ref=develop
#- ./lb => déplacé dans dev/ car propre à l'environnement cible #- ./lb => déplacé dans dev/ car propre à l'environnement cible
- https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
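Review bot: The cert-manager manifest is fetched at build time from a GitHub release URL pinned only by version tag, and kustomize checks nothing beyond TLS; either vendor the file under `requires/` or accept that every build depends on that URL staying intact. If the `ClusterIssuer`/`Certificate` resources listed in the sibling kustomization above are applied in the same `kubectl apply -k requires/` run as these CRDs, the first apply usually fails with a "no matches for kind" error until the CRDs are established — apply cert-manager first or document that a second apply is expected. Commenting out the openldap resource while the dev ConfigMap patch now points `NEXTCLOUD_LDAP_HOST` at `ldaps://ldap.cadoles.com` makes the dev overlay depend on an external directory being reachable from the kind cluster; a comment such as `# dev overlay now binds to the external directory, see overlays/dev` next to the disabled line would spare the next reader the search.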