From 77c62cabe9ab7077f563ec7ad8aed89e5d94e5a0 Mon Sep 17 00:00:00 2001 
From: vfebvre Date: Wed, 30 Aug 2023 11:35:31 +0200 Subject: [PATCH] creation de nextcloud-kustom --- base/cluster/lb/advertise.yaml | 9 + base/cluster/lb/ipaddresspoool.yaml | 8 + base/cluster/lb/kustomization.yaml | 7 + .../configurations/cnpg-config.yaml | 8 + .../cnpg-database/kustomization.yaml | 10 + .../resources/nextcloud-cnpg.yaml | 14 + .../components/one-redis/ConfigMap-redis.yaml | 8 + base/components/one-redis/deployment.yaml | 39 ++ base/components/one-redis/kustomization.yaml | 8 + base/components/one-redis/readme.md | 5 + base/components/one-redis/redis-service.yaml | 11 + base/kustomization.yaml | 39 ++ base/resources/nextcloud/kustomization.yaml | 63 ++ .../resources/ConfigMap-ldap-script.yaml | 46 ++ .../nextcloud/resources/ConfigMap.yaml | 14 + .../nextcloud/resources/deployment.yaml | 231 +++++++ .../resources/files/minio/config.env | 4 + .../configurations/tenants.minio.min.io.yaml | 14 + .../nextcloud/resources/files/parameters.yaml | 8 + .../nextcloud/resources/ingress.yaml | 26 + base/resources/nextcloud/resources/job.yaml | 63 ++ .../nextcloud/resources/namespace.yaml | 4 + .../nextcloud/resources/nextcloud-role.yaml | 42 ++ .../resources/nextcloud-rolebinding.yaml | 14 + .../resources/nextcloud-service.yaml | 14 + .../resources/nextcloud-serviceaccount.yaml | 7 + .../nextcloud/resources/nextcloud-tenant.yaml | 33 + .../nextcloud/resources/nodeport-service.yaml | 16 + base/resources/nextcloud/resources/pvc.yaml | 83 +++ overlays/dev/cluster/lb/advertise.yaml | 9 + overlays/dev/cluster/lb/ipaddresspoool.yaml | 8 + overlays/dev/cluster/lb/kustomization.yaml | 7 + overlays/dev/kustomization.yaml | 171 +++++ overlays/dev/output.yaml | 627 ++++++++++++++++++ .../dev/patches/ConfigMap-ldap-script.yaml | 76 +++ overlays/dev/patches/ConfigMaps.yaml | 14 + overlays/dev/patches/ingress-nextcloud.yaml | 36 + overlays/dev/patches/job.yaml | 65 ++ overlays/dev/patches/nextcloud-S3.yaml | 24 + overlays/dev/patches/nextcloud-ldap.yaml | 75 +++ 
overlays/dev/patches/nextcloud-patch.yaml | 26 + overlays/dev/patches/nextcloud-postgres.yaml | 34 + overlays/dev/patches/nextcloud-probe.yaml | 47 ++ overlays/dev/patches/nextcloud-smtp.yaml | 26 + overlays/dev/patches/nextcloud-variables.yaml | 34 + overlays/dev/patches/redis-config.yaml | 9 + overlays/dev/patches/tenant-conf.yaml | 21 + overlays/dev/resources/files/minio/config.env | 4 + overlays/dev/resources/host-config.yaml | 6 + overlays/dev/resources/namespace.yaml | 4 + requires/README.md | 12 + requires/cluster/cluster.yaml | 8 + requires/cluster/nginx/kustomization.yaml | 2 + requires/kustomization.yaml | 12 + 54 files changed, 2205 insertions(+) create mode 100644 base/cluster/lb/advertise.yaml create mode 100644 base/cluster/lb/ipaddresspoool.yaml create mode 100644 base/cluster/lb/kustomization.yaml create mode 100644 base/components/cnpg-database/configurations/cnpg-config.yaml create mode 100644 base/components/cnpg-database/kustomization.yaml create mode 100644 base/components/cnpg-database/resources/nextcloud-cnpg.yaml create mode 100644 base/components/one-redis/ConfigMap-redis.yaml create mode 100644 base/components/one-redis/deployment.yaml create mode 100644 base/components/one-redis/kustomization.yaml create mode 100644 base/components/one-redis/readme.md create mode 100644 base/components/one-redis/redis-service.yaml create mode 100644 base/kustomization.yaml create mode 100644 base/resources/nextcloud/kustomization.yaml create mode 100644 base/resources/nextcloud/resources/ConfigMap-ldap-script.yaml create mode 100644 base/resources/nextcloud/resources/ConfigMap.yaml create mode 100644 base/resources/nextcloud/resources/deployment.yaml create mode 100644 base/resources/nextcloud/resources/files/minio/config.env create mode 100644 base/resources/nextcloud/resources/files/minio/configurations/tenants.minio.min.io.yaml create mode 100644 base/resources/nextcloud/resources/files/parameters.yaml create mode 100644 
base/resources/nextcloud/resources/ingress.yaml create mode 100644 base/resources/nextcloud/resources/job.yaml create mode 100644 base/resources/nextcloud/resources/namespace.yaml create mode 100644 base/resources/nextcloud/resources/nextcloud-role.yaml create mode 100644 base/resources/nextcloud/resources/nextcloud-rolebinding.yaml create mode 100644 base/resources/nextcloud/resources/nextcloud-service.yaml create mode 100644 base/resources/nextcloud/resources/nextcloud-serviceaccount.yaml create mode 100644 base/resources/nextcloud/resources/nextcloud-tenant.yaml create mode 100644 base/resources/nextcloud/resources/nodeport-service.yaml create mode 100644 base/resources/nextcloud/resources/pvc.yaml create mode 100644 overlays/dev/cluster/lb/advertise.yaml create mode 100644 overlays/dev/cluster/lb/ipaddresspoool.yaml create mode 100644 overlays/dev/cluster/lb/kustomization.yaml create mode 100644 overlays/dev/kustomization.yaml create mode 100644 overlays/dev/output.yaml create mode 100644 overlays/dev/patches/ConfigMap-ldap-script.yaml create mode 100644 overlays/dev/patches/ConfigMaps.yaml create mode 100644 overlays/dev/patches/ingress-nextcloud.yaml create mode 100644 overlays/dev/patches/job.yaml create mode 100644 overlays/dev/patches/nextcloud-S3.yaml create mode 100644 overlays/dev/patches/nextcloud-ldap.yaml create mode 100644 overlays/dev/patches/nextcloud-patch.yaml create mode 100644 overlays/dev/patches/nextcloud-postgres.yaml create mode 100644 overlays/dev/patches/nextcloud-probe.yaml create mode 100644 overlays/dev/patches/nextcloud-smtp.yaml create mode 100644 overlays/dev/patches/nextcloud-variables.yaml create mode 100644 overlays/dev/patches/redis-config.yaml create mode 100644 overlays/dev/patches/tenant-conf.yaml create mode 100644 overlays/dev/resources/files/minio/config.env create mode 100644 overlays/dev/resources/host-config.yaml create mode 100644 overlays/dev/resources/namespace.yaml create mode 100644 requires/README.md create mode 
100644 requires/cluster/cluster.yaml create mode 100644 requires/cluster/nginx/kustomization.yaml create mode 100644 requires/kustomization.yaml
diff --git a/base/cluster/lb/advertise.yaml b/base/cluster/lb/advertise.yaml
new file mode 100644
index 0000000..d251dba
--- /dev/null
+++ b/base/cluster/lb/advertise.yaml
@@ -0,0 +1,9 @@
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+ name: l2-ip-pool-ad
+ namespace: metallb-system
+spec:
+ ipAddressPools:
+ - main-pool
+
diff --git a/base/cluster/lb/ipaddresspoool.yaml b/base/cluster/lb/ipaddresspoool.yaml
new file mode 100644
index 0000000..da37f87
--- /dev/null
+++ b/base/cluster/lb/ipaddresspoool.yaml
@@ -0,0 +1,8 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+ name: main-pool
+ namespace: metallb-system
+spec:
+ addresses:
+ - 172.18.10.100-172.18.10.200
diff --git a/base/cluster/lb/kustomization.yaml b/base/cluster/lb/kustomization.yaml
new file mode 100644
index 0000000..f5994df
--- /dev/null
+++ b/base/cluster/lb/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: metallb-system
+
+resources:
+- ipaddresspoool.yaml
+- advertise.yaml
diff --git a/base/components/cnpg-database/configurations/cnpg-config.yaml b/base/components/cnpg-database/configurations/cnpg-config.yaml
new file mode 100644
index 0000000..2eb79d2
--- /dev/null
+++ b/base/components/cnpg-database/configurations/cnpg-config.yaml
@@ -0,0 +1,8 @@
+---
+nameReference:
+- kind: Secret
+ fieldSpecs:
+ - path: spec/superuserSecret/name
+ kind: Cluster
+ - path: spec/bootstrap/initdb/secret/name
+ kind: Cluster
diff --git a/base/components/cnpg-database/kustomization.yaml b/base/components/cnpg-database/kustomization.yaml
new file mode 100644
index 0000000..4b17195
--- /dev/null
+++ b/base/components/cnpg-database/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+namespace: nextcloud
+
+configurations:
+- ./configurations/cnpg-config.yaml
+
+resources:
+- ./resources/nextcloud-cnpg.yaml
+
diff --git a/base/components/cnpg-database/resources/nextcloud-cnpg.yaml b/base/components/cnpg-database/resources/nextcloud-cnpg.yaml
new file mode 100644
index 0000000..1f7b5c1
--- /dev/null
+++ b/base/components/cnpg-database/resources/nextcloud-cnpg.yaml
@@ -0,0 +1,14 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: nextcloud-postgres
+ namespace: nextcloud
+spec:
+ instances: 1
+ primaryUpdateStrategy: unsupervised
+ bootstrap:
+ initdb:
+ database: nextcloud
+ owner: nextcloud
+ storage:
+ size: 5Gi
diff --git a/base/components/one-redis/ConfigMap-redis.yaml b/base/components/one-redis/ConfigMap-redis.yaml
new file mode 100644
index 0000000..80f8e4c
--- /dev/null
+++ b/base/components/one-redis/ConfigMap-redis.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cm-redis-config
+data:
+ redis-config: |
+ maxmemory 2mb
+ maxmemory-policy allkeys-lru
\ No newline at end of file
diff --git a/base/components/one-redis/deployment.yaml b/base/components/one-redis/deployment.yaml
new file mode 100644
index 0000000..f096ce8
--- /dev/null
+++ b/base/components/one-redis/deployment.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: redis
+ name: redis
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: redis
+ template:
+ metadata:
+ labels:
+ app: redis
+ spec:
+ containers:
+ - command:
+ - redis-server
+ - /redis-master/redis.conf
+ image: redis:alpine
+ name: redis
+ ports:
+ - containerPort: 6379
+ volumeMounts:
+ - mountPath: /redis-master-data
+ name: data
+ - mountPath: /redis-master
+ name: config
+ restartPolicy: Always
+ volumes:
+ - name: data
+ emptyDir: {}
+ - name: config
+ configMap:
+ name: cm-redis-config
+ items:
+ - key: redis-config
+ path: redis.conf
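Review bot: The redis.conf generated from cm-redis-config has no `requirepass`, and the Deployment that follows serves it on 6379 behind a plain ClusterIP Service, so any pod that can reach the `redis` Service can read and rewrite Nextcloud's cache and file-lock keys; the same gap shows in deployment.yaml, where only `REDIS_HOST`/`REDIS_HOST_PORT` are set and the `REDIS_HOST_PASSWORD` block is commented out. Move the redis.conf into a Secret (a `secretGenerator` with the same file) carrying `requirepass <REDIS_PASSWORD_PLACEHOLDER>`, and feed the Nextcloud container `REDIS_HOST_PASSWORD` from that Secret; a NetworkPolicy limiting ingress on 6379 to `app: nextcloud` pods would close the rest. `image: redis:alpine` is a floating tag, unlike the version-pinned images used elsewhere in this patch. `maxmemory 2mb` with `allkeys-lru` is small enough that lock keys may be evicted under load — worth checking against Nextcloud's Redis recommendations before keeping it as the base default.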
diff --git a/base/components/one-redis/kustomization.yaml b/base/components/one-redis/kustomization.yaml
new file mode 100644
index 0000000..f069490
--- /dev/null
+++ b/base/components/one-redis/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+namespace: nextcloud
+
+resources:
+- deployment.yaml
+- redis-service.yaml
+- ConfigMap-redis.yaml
\ No newline at end of file
diff --git a/base/components/one-redis/readme.md b/base/components/one-redis/readme.md
new file mode 100644
index 0000000..771f0c9
--- /dev/null
+++ b/base/components/one-redis/readme.md
@@ -0,0 +1,5 @@
+# README
+
+Pour configurer facilement et rapidement le redis passer par le fichier ConfigMap-redis.yaml !!!
+
+- cf https://kubernetes.io/docs/tutorials/configuration/configure-redis-using-configmap/
diff --git a/base/components/one-redis/redis-service.yaml b/base/components/one-redis/redis-service.yaml
new file mode 100644
index 0000000..02d5ff0
--- /dev/null
+++ b/base/components/one-redis/redis-service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: redis
+ labels:
+ app: redis
+spec:
+ ports:
+ - port: 6379
+ selector:
+ app: redis
\ No newline at end of file
diff --git a/base/kustomization.yaml b/base/kustomization.yaml
new file mode 100644
index 0000000..79d89db
--- /dev/null
+++ b/base/kustomization.yaml
@@ -0,0 +1,39 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: nextcloud
+
+generatorOptions:
+ disableNameSuffixHash: true
+
+# référence à l'exemple cadoles.
+# cela force la mise à jours des secret en questions liés aux ressources ayant le labels "tenant" lorsque modifié
+configurations:
+#- https://forge.cadoles.com/CadolesKube/c-kustom/raw/branch/develop/base/minio/configurations/tenants.minio.min.io.yaml
+# => importé en locale pour pouvoir faire un kustomize build
+- ./resources/nextcloud/resources/files/minio/configurations/tenants.minio.min.io.yaml
+
+resources:
+- ./resources/nextcloud
+
+
+components:
+- ./components/cnpg-database
+- ./components/one-redis
+
+# MOUNT-TRY-multi-instance
+## A SUPPRIMER EN CAS DE REDEPLOYEMENT nextcloud doit s'intaller une FOIS, ne décommenté qu'après la première installation
+#configMapGenerator:
+#- name: nextcloud-config
+# files:
+# - ./config.php
+## behavior: merge # dans le cas ou le configmap existerait déjà et que la donnée est différente.
+# options:
+# disableNameSuffixHash: true
+## Aller aussi dans deployment.yaml pour commenter les lignes suivantes, et supprimer le fichier config.php
+# - name: nextcloud-config-volume # monte le fichier de configuration dans
+# mountPath: /var/www/html/config # les instances supplémentaire
+# readOnly: true # via le configmap ConfigMaps-php.yaml
+
+# - name: nextcloud-config-volume # permet de monter le fichier de configuration dans
+# configMap: # les instances supplémentaires
+# name: nextcloud-config # via le configmap ConfigMaps-php.yaml
\ No newline at end of file
diff --git a/base/resources/nextcloud/kustomization.yaml b/base/resources/nextcloud/kustomization.yaml
new file mode 100644
index 0000000..492d3ea
--- /dev/null
+++ b/base/resources/nextcloud/kustomization.yaml
@@ -0,0 +1,63 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+# namespace: nextcloud
+
+generatorOptions:
+ disableNameSuffixHash: true # suppression des suffixe en hash en bout de nom
+
+resources:
+- ./resources/deployment.yaml
+# - ./resources/namespace.yaml
+- ./resources/nextcloud-tenant.yaml
+- ./resources/nextcloud-service.yaml
+- ./resources/pvc.yaml
+- ./resources/job.yaml
+- ./resources/ConfigMap.yaml
+- ./resources/nextcloud-rolebinding.yaml
+- ./resources/nextcloud-role.yaml
+- ./resources/nextcloud-serviceaccount.yaml
+- ./resources/ingress.yaml
+- ./resources/ConfigMap-ldap-script.yaml
+
+#- ./resources/secret.yaml
+
+
+configMapGenerator:
+- name: nextcloud-parameters
+ files:
+ - ./resources/files/parameters.yaml
+- name: nextcloud-env
+ literals:
+ - MINIO_SERVICE_NAME=$(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT) # pas nécessaire je pense
+ - MINIO_SERVICE_HOST=minio
+ - MINIO_SERVICE_PORT=443
+
+secretGenerator:
+# Voir https://github.com/minio/operator/issues/856
+- name: nextcloud-minio-user
+ literals:
+ - CONSOLE_ACCESS_KEY=minio_root
+ - CONSOLE_SECRET_KEY=MinioRootNotSoSecret
+ options:
+ disableNameSuffixHash: true
+# Voir https://github.com/minio/operator/issues/856
+- name: nextcloud-minio-configuration
+ files:
+ - ./resources/files/minio/config.env # A modifier si modification mot de passe et user CONSOLE [ACCESS-SECRET]
+ options:
+ disableNameSuffixHash: true
+- name: nextcloud-smtp
+ literals:
+ - smtp-username=user
+ - smtp-password=password
+ options:
+ disableNameSuffixHash: true
+
+vars: # génération d'information pour wait-for-bootstrap du pod nextcloud
+- name: MINIO_BOOTSTRAP_JOB_NAME
+ objref:
+ name: create-minio-bucket
+ kind: Job
+ apiVersion: batch/v1
+ fieldref:
+ fieldpath: metadata.name
diff --git a/base/resources/nextcloud/resources/ConfigMap-ldap-script.yaml b/base/resources/nextcloud/resources/ConfigMap-ldap-script.yaml
new file mode 100644
index 0000000..220bbe5
--- /dev/null
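Review bot: The `secretGenerator` literals commit live credentials to the repository — `CONSOLE_SECRET_KEY=MinioRootNotSoSecret`, `smtp-password=password` — and the same MinIO root password is repeated in `resources/files/minio/config.env` (the config.env hunk further down) and as plain `value:` entries in deployment.yaml, so rotating it means editing three files. Keep only placeholders in the base and source the real values from a gitignored env file (`envs:` on the generator) or an external-secrets mechanism in the overlay; a comment such as `# credentials are supplied by the overlay, never committed here` would document the contract. `vars` has been deprecated by kustomize in favour of `replacements`; since it only feeds `$(MINIO_BOOTSTRAP_JOB_NAME)` in the Deployment's initContainer args, the migration is small and worth planning now.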
+++ b/base/resources/nextcloud/resources/ConfigMap-ldap-script.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: script-config-ldap
+data:
+ poststart-ldap.sh: |
+ #!/bin/sh
+
+ NEXTCLOUD_READY=0
+ MAX_RETRIES=30
+ RETRY_INTERVAL=10
+
+ touch /etc/script/validator.txt
+ # Vérifiez si LDAP est déjà activé
+ # if ! su -s /bin/sh -c "/var/www/html/occ app:list --output=json" www-data | jq -e '.enabled | has("user_ldap")'; then
+ # Activez le module LDAP si ce n'est pas déjà fait
+ # su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
+ #fi
+ for i in $(seq 1 $MAX_RETRIES); do
+ if curl -fsS "http://localhost/status.php" > /dev/null; then
+ NEXTCLOUD_READY=1
+ break
+ else
+ echo "En attente de Nextcloud (tentative $i/$MAX_RETRIES)..." >> /etc/script/validator.txt
+ sleep $RETRY_INTERVAL
+ fi
+ done
+
+ if [ $NEXTCLOUD_READY -eq 0 ]; then
+ echo "Nextcloud n'est pas prêt après $MAX_RETRIES tentatives. Abandon de l'initialisation LDAP." >> /etc/script/validator.txt
+ exit 1
+ fi
+
+ su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
+
+ # Configurez LDAP (configuration minimale)
+ su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapHost --value='ldap.example.com'" www-data
+ su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapBase --value='dc=example,dc=com'" www-data
+ su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentName --value='cn=admin,dc=example,dc=com'" www-data
+ su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentPassword --value='your_password'" www-data
+
+ # Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart.
+ #exec /entrypoint.sh "$@"
+
+# su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
+# est fonctionnel dans le pods nextcloud !
\ No newline at end of file
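Review bot: `ldapAgentPassword --value='your_password'` places the LDAP bind credential in a ConfigMap rather than a Secret, and as an argument to `su -c` it is also visible in the container's process list while the command runs. Keep the password in a Secret exposed to the container as an environment variable and reference it from the script, e.g. `su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentPassword --value=\"\$LDAP_AGENT_PASSWORD\"" www-data`; that removes it from git and the ConfigMap, though it still appears briefly as a process argument unless occ can be fed from stdin, which would need checking. The `exit 1` after the retry loop runs inside a postStart hook, and kubelet kills a container whose postStart hook fails, so a slow first-time install (more than the 30 × 10 s allowed) turns into a crash loop; consider logging the timeout and exiting 0, or moving the LDAP setup into a Job as the closing comment in job.yaml already suggests. The overlay patch `overlays/dev/patches/ConfigMap-ldap-script.yaml` in the diffstat may replace these placeholder values, but the base should say so in a comment.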
diff --git a/base/resources/nextcloud/resources/ConfigMap.yaml b/base/resources/nextcloud/resources/ConfigMap.yaml
new file mode 100644
index 0000000..4f8dea7
--- /dev/null
+++ b/base/resources/nextcloud/resources/ConfigMap.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: update-config
+data:
+ custom-script.sh: |
+ #!/bin/sh
+
+ HOSTS_FILE="/etc/hosts"
+
+ # Ajoutez l'entrée au fichier hosts
+ MINIO_SERVICE_IP="${MINIO_SERVICE_HOST}"
+ MINIO_NAME="${MINIO_SERVICE_NAME}"
+ echo "$MINIO_SERVICE_IP" minio >> $HOSTS_FILE
\ No newline at end of file
diff --git a/base/resources/nextcloud/resources/deployment.yaml b/base/resources/nextcloud/resources/deployment.yaml
new file mode 100644
index 0000000..60b6dfa
--- /dev/null
+++ b/base/resources/nextcloud/resources/deployment.yaml
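Review bot: `custom-script.sh` appends to /etc/hosts unconditionally, so each run adds another `minio` line, and when `MINIO_SERVICE_HOST` is empty it writes an entry with no address; `MINIO_NAME` is assigned and never used. Guard and deduplicate: `[ -n "$MINIO_SERVICE_IP" ] || exit 1` and `grep -q "[[:space:]]minio$" "$HOSTS_FILE" || echo "$MINIO_SERVICE_IP minio" >> "$HOSTS_FILE"`. Kubelet manages the pod's /etc/hosts and may rewrite it, so `spec.hostAliases` on the Deployment is the supported way to add this mapping. As far as this patch shows nothing invokes the script — the postStart command in deployment.yaml only runs poststart-ldap.sh — so either wire it in or note in the ConfigMap why it is mounted.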
@@ -0,0 +1,231 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: nextcloud + component: app + name: app +spec: +# serviceName: nextcloud + replicas: 1 + selector: + matchLabels: + app: nextcloud + component: app + template: + metadata: + labels: + app: nextcloud + component: app + spec: + containers: + - image: reg.cadoles.com/proxy_cache/library/nextcloud:27.0.2-apache + imagePullPolicy: Always + name: app + ports: + - containerPort: 80 + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates && /etc/script/poststart-ldap.sh && touch /etc/script/try01.txt"] +# envFrom: +# - configMapRef: +# name: nextcloud-env + env: + - name: POSTGRES_DB + value: nextcloud + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: nextcloud-postgres-app + key: username + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: nextcloud-postgres-app + key: password + - name: POSTGRES_HOST + value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST) #value: nextcloud-postgres-rw.nextcloud.svc.cluster.local + - name: NEXTCLOUD_ADMIN_USER + value: admin + - name: NEXTCLOUD_ADMIN_PASSWORD # 5 + value: cadoles + - name: NEXTCLOUD_TRUSTED_DOMAINS + value: "*.cadoles.fr" + - name: NEXTCLOUD_INIT_LOCK + value: "true" + - name: PHP_MEMORY_LIMIT + value: 512M + - name: PHP_UPLOAD_LIMIT + value: 4G + - name: POD_INDEX + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: REDIS_HOST + value: redis # équivaut à redis.nextcloud.svc.cluster.local +# value: $(RFS_NEXTCLOUD_REDIS_SERVICE_HOST) => For redis-operator + - name: REDIS_HOST_PORT + value: "6379" + ###################### + # Partie minio S3 + - name: OBJECTSTORE_S3_HOST + value: minio:$(MINIO_SERVICE_PORT) +# value: $(MINIO_SERVICE_NAME):$(MINIO_SERVICE_PORT) + - name: OBJECTSTORE_S3_BUCKET + value: nextcloud-minio + - name: OBJECTSTORE_S3_KEY # 15 + value: minio_root + - name: 
OBJECTSTORE_S3_SECRET + value: MinioRootNotSoSecret + - name: OBJECTSTORE_S3_USEPATH_STYLE + value: "true" + - name: OBJECTSTORE_S3_SSL # 18 + value: "true" + ################################## +# Mise en place SMTP + - name: MAIL_FROM_ADDRESS + value: "user" + - name: MAIL_DOMAIN + value: "domain.com" + - name: SMTP_HOST + value: "domain.com" + - name: SMTP_SECURE + value: "ssl" + - name: SMTP_PORT + value: "465" + - name: SMTP_AUTHTYPE + value: "LOGIN" + - name: SMTP_NAME + valueFrom: + secretKeyRef: + name: nextcloud-smtp + key: smtp-username + - name: SMTP_PASSWORD + valueFrom: + secretKeyRef: + name: nextcloud-smtp + key: smtp-password + + - name: NEXTCLOUD_DATA_DIR + value: "/var/www/html/data" + livenessProbe: # vérifie si c'est planté ou non + httpGet: + path: /status.php + port: 80 # en reférence à ingress.yaml ? + httpHeaders: + - name: Host + value: nxt.cadoles.fr # valeurs égale à celle dans ingress.yaml + initialDelaySeconds: 50 + periodSeconds: 15 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: # vérifie si c'est ok pour envoyer des requête ou non + httpGet: + path: /status.php + port: 80 # en référence à ingress.yaml ? + httpHeaders: + - name: Host + value: nxt.cadoles.fr # valeurs égale à celle dans ingress.yaml + initialDelaySeconds: 50 + periodSeconds: 15 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + + volumeMounts: + - mountPath: /var/www/ + name: nextcloud-main-volume + - mountPath: /var/www/html + name: nextcloud-html-volume + - mountPath: /var/www/html/data + name: nextcloud-data-volume + - mountPath: /var/www/html/config + name: nextcloud-config-volume + - mountPath: /var/www/html/custom_apps + name: nextcloud-custom-volume + - mountPath: /var/www/tmp + name: nextcloud-tmp-volume + - mountPath: /var/www/html/themes + name: nextcloud-themes-volume + +# ICI montage pour les script ! 
+ - mountPath: /etc/script/poststart-ldap.sh
+ name: script-config-ldap
+ subPath: poststart-ldap.sh
+ - mountPath: /etc/script/custom-script.sh
+ name: update-config-script
+ subPath: custom-script.sh
+ - mountPath: /etc/minio-ccerts
+ name: minio-certs
+ readOnly: true
+
+ # MOUNT-TRY-multi-instance
+# - name: nextcloud-config-volume # monte le fichier de configuration dans
+# mountPath: /var/www/html/config # les instances supplémentaire
+# readOnly: false # via le configmap ConfigMaps-php.yaml
+
+ restartPolicy: Always
+ serviceAccountName: nextcloud-sa # declare user for initcontainer
+
+ # trois volumes pour les script
+ volumes:
+ - name: minio-certs
+ secret:
+ secretName: nextcloud-minio-tls # montage des certificat de minio
+ - name: update-config-script
+ configMap:
+ name: update-config
+ defaultMode: 0744
+ - name: script-config-ldap
+ configMap:
+ name: script-config-ldap
+ defaultMode: 0744
+
+# MOUNT-TRY-multi-instance
+# - name: nextcloud-config-volume # permet de monter le fichier de configuration dans
+# configMap: # les instances supplémentaires
+# name: nextcloud-config # via le configmap ConfigMaps-php.yaml
+
+ - name: nextcloud-main-volume
+ persistentVolumeClaim:
+ claimName: nextcloud-main-pvc
+ - name: nextcloud-html-volume
+ persistentVolumeClaim:
+ claimName: nextcloud-html-pvc
+ - name: nextcloud-data-volume
+ persistentVolumeClaim:
+ claimName: nextcloud-data-pvc
+ - name: nextcloud-config-volume
+ persistentVolumeClaim:
+ claimName: nextcloud-config-pvc
+ - name: nextcloud-custom-volume
+ persistentVolumeClaim:
+ claimName: nextcloud-custom-pvc
+ - name: nextcloud-tmp-volume
+ persistentVolumeClaim:
+ claimName: nextcloud-tmp-pvc
+ - name: nextcloud-themes-volume
+ persistentVolumeClaim:
+ claimName: nextcloud-themes-pvc
+
+ initContainers: # cf README.md part ##YAML explain / ### PODS WAIT
+ - name: wait-for-bootstrap
+ image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
+ args:
+ - job
+ - $(MINIO_BOOTSTRAP_JOB_NAME)
+
+
+#####################################################
+# For REDIS-OPERATOR USE THIS TO SET PORT
+#####################################################
+# - name: REDIS_HOST_PORT
+# value: $(RFS_NEXTCLOUD_REDIS_SERVICE_PORT)
+# - name: REDIS_HOST_PASSWORD
+# valueFrom:
+# secretKeyRef:
+# name: redis-secret
+# key: password
+#####################################################
diff --git a/base/resources/nextcloud/resources/files/minio/config.env b/base/resources/nextcloud/resources/files/minio/config.env
new file mode 100644
index 0000000..d8176ff
--- /dev/null
+++ b/base/resources/nextcloud/resources/files/minio/config.env
@@ -0,0 +1,4 @@
+export MINIO_ROOT_USER="minio_root"
+export MINIO_ROOT_PASSWORD="MinioRootNotSoSecret"
+export MINIO_STORAGE_CLASS_STANDARD="EC:2"
+export MINIO_BROWSER="on"
\ No newline at end of file
diff --git a/base/resources/nextcloud/resources/files/minio/configurations/tenants.minio.min.io.yaml b/base/resources/nextcloud/resources/files/minio/configurations/tenants.minio.min.io.yaml
new file mode 100644
index 0000000..8a2b60a
--- /dev/null
+++ b/base/resources/nextcloud/resources/files/minio/configurations/tenants.minio.min.io.yaml
@@ -0,0 +1,14 @@
+---
+nameReference:
+- kind: Secret
+ fieldSpecs:
+ - path: spec/credsSecret/name
+ kind: Tenant
+- kind: Secret
+ fieldSpecs:
+ - path: spec/configuration/name
+ kind: Tenant
+- kind: Secret
+ fieldSpecs:
+ - path: spec/users/name
+ kind: Tenant
\ No newline at end of file
diff --git a/base/resources/nextcloud/resources/files/parameters.yaml b/base/resources/nextcloud/resources/files/parameters.yaml
new file mode 100644
index 0000000..d751b3a
--- /dev/null
+++ b/base/resources/nextcloud/resources/files/parameters.yaml
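Review bot: `OBJECTSTORE_S3_KEY` and `OBJECTSTORE_S3_SECRET` in the `app` container are plain `value:` literals (`minio_root` / `MinioRootNotSoSecret`) even though the same kustomization generates the Secret `nextcloud-minio-user` with exactly these values and job.yaml already consumes it through `secretKeyRef`; the Deployment should reference the Secret too so the credential has one source. `NEXTCLOUD_ADMIN_PASSWORD: cadoles` is likewise a literal and belongs in a Secret, and `OBJECTSTORE_S3_HOST: minio:$(MINIO_SERVICE_PORT)` depends on `MINIO_SERVICE_PORT` being in the env list, which it is not (the `envFrom` that would supply it is commented out) — worth a `# expanded by kubelet from the Service env; confirm` note or an explicit entry. The container also has no `securityContext` and no `resources`, which the nextcloud-tenant.yaml in this patch does set for MinIO. The Deployment hunk is split over several physical lines in this rendering (from the `@@ -0,0 +1,231 @@` header through the commented REDIS-OPERATOR block).

```yaml
        - name: OBJECTSTORE_S3_KEY # 15
          valueFrom:
            secretKeyRef:
              name: nextcloud-minio-user
              key: CONSOLE_ACCESS_KEY
        - name: OBJECTSTORE_S3_SECRET
          valueFrom:
            secretKeyRef:
              name: nextcloud-minio-user
              key: CONSOLE_SECRET_KEY
        # … unchanged: remaining env entries, probes, volumeMounts …
```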
@@ -0,0 +1,8 @@
+ #API minio
+ minio_url: 'http://%env(string:MINIO_SERVICE_NAME)%:9000'
+ minio_key: '%env(string:MINIO_KEY)%'
+ minio_secret: '%env(string:MINIO_SECRET)%'
+ minio_bucket: 'nextcloud'
+ minio_root: ''
+ minio_path_style: true
+ minio_secure: false
\ No newline at end of file
diff --git a/base/resources/nextcloud/resources/ingress.yaml b/base/resources/nextcloud/resources/ingress.yaml
new file mode 100644
index 0000000..9796b01
--- /dev/null
+++ b/base/resources/nextcloud/resources/ingress.yaml
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: nextcloud
+
+ annotations:
+# kustomize.config.k8s.io/needs: configmap/nextcloud-envi
+ nginx.ingress.kubernetes.io/proxy-body-size: "138m"
+ nginx.ingress.kubernetes.io/enable-cors: "true" #cf 01
+ nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" #cf 01
+# nginx.ingress.kubernetes.io/client_max_body_size: "100m"
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: nxt.cadoles.fr
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: nextcloud
+ port:
+ number: 80
+
+# cf 01 => https://artifacthub.io/packages/helm/nextcloud/nextcloud
\ No newline at end of file
diff --git a/base/resources/nextcloud/resources/job.yaml b/base/resources/nextcloud/resources/job.yaml
new file mode 100644
index 0000000..66a7db8
--- /dev/null
+++ b/base/resources/nextcloud/resources/job.yaml
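Review bot: `nginx.ingress.kubernetes.io/proxy-body-size: "138m"` caps request bodies at the ingress far below the `PHP_UPLOAD_LIMIT: 4G` set in deployment.yaml, so large uploads are rejected by nginx with 413 before Nextcloud sees them; align the two, e.g. `nginx.ingress.kubernetes.io/proxy-body-size: "4g"`. The Ingress has no `tls:` section, so nxt.cadoles.fr is served over plain HTTP while credentials and session cookies transit it; `overlays/dev/patches/ingress-nextcloud.yaml` in the diffstat may add TLS, but the base should carry a comment stating that overlays are expected to. `cors-allow-headers: "X-Forwarded-For"` lists a proxy header as a browser-allowed request header, which is unusual — confirm it is what the referenced chart intends rather than a copy-paste.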
@@ -0,0 +1,63 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: create-minio-bucket
+spec:
+ template:
+ spec:
+ initContainers:
+ - name: wait-for-minio
+ image: busybox
+ envFrom:
+ - configMapRef:
+ name: nextcloud-env
+ command: ["sh", "-c"]
+ args:
+ - |
+ echo "attente du service minio..."
+ cnt=0
+ tout=300
+ while [ 1 ]
+ do
+ http_code=$(wget --server-response https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}/minio/health/live 2>&1 | awk '/^ HTTP/{print $2}')
+ if [ "${http_code}" != "200" ]; then
+ echo "waiting for https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}"
+ sleep 1
+ else
+ exit 0
+ fi
+
+ cnt=$((cnt+1))
+ if [ "${cnt}" -ge "${tout}" ]; then
+ exit 3
+ fi
+ done
+# Encore nécessaire ?
+ containers:
+ - name: create-bucket
+ image: minio/mc
+ envFrom:
+ - configMapRef:
+ name: nextcloud-env
+ env:
+ - name: CONSOLE_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: nextcloud-minio-user
+ key: CONSOLE_ACCESS_KEY
+ - name: CONSOLE_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: nextcloud-minio-user
+ key: CONSOLE_SECRET_KEY
+ command: ["sh", "-c"]
+ args:
+ - |
+ echo "création de l'alias my-minio"
+ mc alias set --insecure my-minio http://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY}
+ echo "création du bucket..."
+ mc mb --insecure my-minio/nextcloud-minio
+ echo "Bucket créé. normalement"
+ restartPolicy: OnFailure
+# Est-ce que je mettrais pas mon ldap ici ? => ConfigMap-ldap-script.yaml ?
+
diff --git a/base/resources/nextcloud/resources/namespace.yaml b/base/resources/nextcloud/resources/namespace.yaml
new file mode 100644
index 0000000..d1f173a
--- /dev/null
+++ b/base/resources/nextcloud/resources/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: nextcloud
diff --git a/base/resources/nextcloud/resources/nextcloud-role.yaml b/base/resources/nextcloud/resources/nextcloud-role.yaml
new file mode 100644
index 0000000..42d952e
--- /dev/null
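Review bot: The `wait-for-minio` init container probes `https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}` while `create-bucket` sets its alias with `http://` on the same host and port (443 per nextcloud-env), so the readiness check and the client disagree on the scheme and `mc` will speak plaintext to a TLS listener; use `mc alias set --insecure my-minio https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY}`, which also gives `--insecure` a purpose. `mc mb` fails once the bucket exists, so re-applying the Job turns it into a failure that `k8s-wait-for` in the Deployment will then block on; `mc mb --insecure --ignore-existing my-minio/nextcloud-minio` makes it idempotent. Both images (`busybox`, `minio/mc`) are unpinned, unlike the version-tagged images in deployment.yaml. The `wget` health check under busybox does not verify the server certificate — acceptable for a liveness probe, but worth a comment so it is not copied into anything that trusts the response.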
+++ b/base/resources/nextcloud/resources/nextcloud-role.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: status-reader
+rules:
+- apiGroups:
+ - batch
+ - v1
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ - v1
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - patch
+
+# Declaration d'un role nommé status-reader et attribution de droit
+
+#- apiGroups:
+# - ""
+# - v1
+# resources:
+# - services
+# verbs:
+# - get
+# - list
+#- apiGroups:
+# - ""
+# - v1
+# resources:
+# - pods
+# verbs:
+# - get
+# - list
diff --git a/base/resources/nextcloud/resources/nextcloud-rolebinding.yaml b/base/resources/nextcloud/resources/nextcloud-rolebinding.yaml
new file mode 100644
index 0000000..b829d55
--- /dev/null
+++ b/base/resources/nextcloud/resources/nextcloud-rolebinding.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: status-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: status-reader
+subjects:
+- kind: ServiceAccount
+ name: nextcloud-sa
+
+# Sert à lier le role status-reader (nextcloud-role.yaml) et l'utilisateur nextcloud-sa (nextcloud-serviceaccount.yaml)
\ No newline at end of file
diff --git a/base/resources/nextcloud/resources/nextcloud-service.yaml b/base/resources/nextcloud/resources/nextcloud-service.yaml
new file mode 100644
index 0000000..773ad7d
--- /dev/null
+++ b/base/resources/nextcloud/resources/nextcloud-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: nextcloud
+ labels:
+ app: nextcloud
+ component: app
+spec:
+ ports:
+ - port: 80
+ selector:
+ app: nextcloud
+ component: app
+
diff --git a/base/resources/nextcloud/resources/nextcloud-serviceaccount.yaml b/base/resources/nextcloud/resources/nextcloud-serviceaccount.yaml
new file mode 100644
index 0000000..dde9f98
--- /dev/null
+++ b/base/resources/nextcloud/resources/nextcloud-serviceaccount.yaml
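Review bot: The second rule grants `get`, `list` and `patch` on `secrets` to `nextcloud-sa`, the account the web-facing `app` container runs under, while the only in-cluster consumer visible in this patch is the `k8s-wait-for` init container, which needs `jobs` get/list alone; `list` on secrets hands every Secret in the namespace (Postgres, MinIO root, SMTP) to anything that compromises the Nextcloud process. Drop the secrets rule, or if a Secret really must be read, name it with `resourceNames:` and remove `patch`; a comment stating which consumer needs each rule would keep the role from growing silently. `v1` is not an API group — the core group is `""` and `batch` already covers Jobs — so the `- v1` entries are inert and can be removed. The header comment "Declaration d'un role nommé status-reader" no longer matches a role that can modify secrets.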
@@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nextcloud-sa + +# déclaration d'un user nextcloud-sa \ No newline at end of file diff --git a/base/resources/nextcloud/resources/nextcloud-tenant.yaml b/base/resources/nextcloud/resources/nextcloud-tenant.yaml new file mode 100644 index 0000000..e0036ac --- /dev/null +++ b/base/resources/nextcloud/resources/nextcloud-tenant.yaml @@ -0,0 +1,33 @@ +apiVersion: minio.min.io/v2 +kind: Tenant +metadata: + name: nextcloud-minio +spec: + certConfig: + dnsNames: + - "minio" + pools: + - servers: 2 + name: pool-0 + volumesPerServer: 2 + volumeClaimTemplate: + metadata: + name: nextcloud-minio-data # juste son nom dans le cluster + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2Gi + # env: + # - name: MINIO_CONSOLE_TLS_ENABLE + # value: "off" + containerSecurityContext: + runAsUser: 1000 # droit d'accès user + runAsGroup: 1000 # droit d'accès group + runAsNonRoot: true # accès sans être root + configuration: + name: nextcloud-minio-configuration # cf resources/nextcloud/resources/kustomization.yaml + users: + - name: nextcloud-minio-user # cf resources/nextcloud/resources/kustomization.yaml + diff --git a/base/resources/nextcloud/resources/nodeport-service.yaml b/base/resources/nextcloud/resources/nodeport-service.yaml new file mode 100644 index 0000000..510882d --- /dev/null +++ b/base/resources/nextcloud/resources/nodeport-service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: nextcloud-nodeport # nom du service + labels: +# app: nextcloud +# component: app +spec: + type: NodePort + ports: + - port: 80 + targetPort: 80 # port du pods + nodePort: 30080 # port de la machine locale detenant les noeuds + selector: + app: nextcloud + component: app diff --git a/base/resources/nextcloud/resources/pvc.yaml b/base/resources/nextcloud/resources/pvc.yaml new file mode 100644 index 0000000..7a5d10e --- /dev/null 
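Review bot: `nextcloud-nodeport` exposes the Nextcloud pod as plain HTTP on port 30080 of every node, bypassing the Ingress (and whatever TLS termination and body-size limits are configured there), and because it lives in `base/` every overlay inherits it, not just dev. If it is only for local testing, move it to `overlays/dev` or use `kubectl port-forward`; otherwise document in a comment why a second path to the application that skips the edge is wanted. Separately, `labels:` has all of its children commented out and so renders as an empty/null value, which the API accepts but is probably not intended; either restore `app: nextcloud` or drop the key.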
+++ b/base/resources/nextcloud/resources/pvc.yaml @@ -0,0 +1,83 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-main-pvc +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 5Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-html-pvc +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 5Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-data-pvc +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 20Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-config-pvc +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 1Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-custom-pvc +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 2Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-tmp-pvc +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 5Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-themes-pvc +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 2Gi diff --git a/overlays/dev/cluster/lb/advertise.yaml b/overlays/dev/cluster/lb/advertise.yaml new file mode 100644 index 0000000..d251dba --- /dev/null +++ b/overlays/dev/cluster/lb/advertise.yaml @@ -0,0 +1,9 @@ +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: l2-ip-pool-ad + namespace: metallb-system +spec: + ipAddressPools: + - main-pool + diff --git a/overlays/dev/cluster/lb/ipaddresspoool.yaml b/overlays/dev/cluster/lb/ipaddresspoool.yaml new file mode 100644 index 0000000..da37f87 --- /dev/null +++ b/overlays/dev/cluster/lb/ipaddresspoool.yaml 
@@ -0,0 +1,8 @@ +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: main-pool + namespace: metallb-system +spec: + addresses: + - 172.18.10.100-172.18.10.200 diff --git a/overlays/dev/cluster/lb/kustomization.yaml b/overlays/dev/cluster/lb/kustomization.yaml new file mode 100644 index 0000000..f5994df --- /dev/null +++ b/overlays/dev/cluster/lb/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: metallb-system + +resources: +- ipaddresspoool.yaml +- advertise.yaml diff --git a/overlays/dev/kustomization.yaml b/overlays/dev/kustomization.yaml new file mode 100644 index 0000000..92b7346 --- /dev/null +++ b/overlays/dev/kustomization.yaml 
@@ -0,0 +1,171 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: nextcloud-dev + +# ressources utilisées, appel de base et ajout de namespace.yaml +resources: +- ../../base/ +- resources/namespace.yaml + +#- resources/host-config.yaml + +# deux façon de faire la seconde ici => +# - patches/nextcloud-patch.yaml + +patchesStrategicMerge: + - patches/redis-config.yaml + - patches/ConfigMaps.yaml + - patches/ConfigMap-ldap-script.yaml + - patches/job.yaml + +patchesJson6902: +- target: + group: apps + version: v1 + kind: Deployment + name: app + path: patches/nextcloud-variables.yaml +- target: + group: apps + version: v1 + kind: Deployment + name: app + path: patches/nextcloud-postgres.yaml + +### S3 patch do not work ! +# W not ok, R not ok +#- target: +# group: apps +# version: v1 +# kind: Deployment +# name: app +# path: patches/nextcloud-S3.yaml +- target: + group: apps + version: v1 + kind: Deployment + name: app + path: patches/nextcloud-probe.yaml +- target: + group: apps + version: v1 + kind: Deployment + name: app + path: patches/nextcloud-smtp.yaml +- target: + group: apps + version: v1 + kind: Ingress + name: nextcloud + path: patches/ingress-nextcloud.yaml +- target: + group: apps + version: v2 + kind: Tenant + name: nextcloud-minio + path: patches/tenant-conf.yaml +- target: + group: apps + version: v1 + kind: Deployment + name: app + path: patches/nextcloud-ldap.yaml + +# PARTIE MINIO + +# secret re-généré +#secretGenerator: +#- name: db-user-pass +# envs: +# - ./resources/files/minio/config.env +secretGenerator: + #Voir https://github.com/minio/operator/issues/856 +- name: nextcloud-minio-user + behavior: replace + literals: + - CONSOLE_ACCESS_KEY=minio_root + - CONSOLE_SECRET_KEY=MinioRootNotSoSecret +- name: nextcloud-minio-configuration + behavior: replace + files: + - ./resources/files/minio/config.env # A modifier si modification mot de passe et user CONSOLE [ACCESS-SECRET] + + +# ajout de Variable, et redéfinition de 
certaines +configMapGenerator: +#- name: nextcloud-parameters +# files: +# - ./resources/files/parameters.yaml +- name: nextcloud-env + behavior: replace + literals: + - MINIO_SERVICE_NAME=$(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT) + - MINIO_SERVICE_HOST=minio + - MINIO_SERVICE_PORT=443 + options: + disableNameSuffixHash: true +- name: nextcloud-smtp + literals: + - smtp-username=user + - smtp-password=password + options: + disableNameSuffixHash: true + +# PARTIE MAUVAISE IDEE + +#replacements: +# - source: +# kind: ConfigMap +# name: host-config +# fieldPath: data.NEXTCLOUD_HOST +# targets: +# - select: +# kind: Ingress +# name: nextcloud +# fieldPaths: +# - /spec/rules[0]/host +# - select: +# kind: Deployment +# name: app +# fieldPaths: +# - /spec/template/spec/containers[0]/readinessProbe/httpGet/httpHeaders[0].value +# - /spec/template/spec/containers[0]/livenessProbe/httpGet/httpHeaders[0].value + +#vars: +# - name: NEXTCLOUD_HOST +# objref: +# kind: ConfigMap +# name: host-config +# apiVersion: v1 +# fieldref: +# fieldpath: data.NEXTCLOUD_HOST + + + + + + + + + + + + +## faire un fichier patch.yaml et ajouter les données à modifier comme dans les patch mse +# +# patchesStrategicMerge => deprecated use patches instead +# patchesJson6902: => deprecated use patches instead +# vars => deprecated use replacements instead + +# PRINCIPE DU PATCHE +#- target: +# version: v1 +# kind: Deployment # ce type de kind .. qui signifie ni plus ni moins ce type de type -_- +# name: app +# path: patches/le patch.yaml + +# modif pour l'image ? +#images: +#- name: foo/bar +# newName: foo/bar +# newTag: 3.4.5 \ No newline at end of file diff --git a/overlays/dev/output.yaml b/overlays/dev/output.yaml new file mode 100644 index 0000000..86ceef7 --- /dev/null +++ b/overlays/dev/output.yaml 
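Review bot: Under `secretGenerator` the MinIO root credentials are committed as plaintext literals (`CONSOLE_SECRET_KEY=MinioRootNotSoSecret`) and duplicated in `resources/files/minio/config.env`, and under `configMapGenerator` the `nextcloud-smtp` entry puts `smtp-username` and `smtp-password` into a ConfigMap, which Kubernetes treats as non-sensitive data (no encryption at rest, readable by anyone with ConfigMap read access in the namespace). Move `nextcloud-smtp` to `secretGenerator` and feed both generators from an untracked `envs:` file or an external secret store rather than literals in git, even for dev. `MINIO_SERVICE_NAME=$(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT)` is never expanded — `$(VAR)` substitution applies only to container `env`/`command`/`args`, not to ConfigMap data — so consumers receive the literal string, as the rendered output confirms. The `patchesJson6902` targets for `Ingress` and `Tenant` declare `group: apps`, whereas those kinds live in `networking.k8s.io` and `minio.min.io`; the rendered output shows the Ingress patch applied, so the matcher appears lenient here, but correcting the groups avoids a stricter kustomize silently skipping them.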
@@ -0,0 +1,627 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nextcloud-dev +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: nextcloud-sa + namespace: nextcloud-dev +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: status-reader + namespace: nextcloud-dev +rules: +- apiGroups: + - batch + - v1 + resources: + - jobs + verbs: + - get + - list +- apiGroups: + - "" + - v1 + resources: + - secrets + verbs: + - get + - list + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: status-reader + namespace: nextcloud-dev +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: status-reader +subjects: +- kind: ServiceAccount + name: nextcloud-sa + namespace: nextcloud-dev +--- +apiVersion: v1 +data: + redis-config: | + maxmemory 4mb + maxmemory-policy volatile-lru + appendonly yes +kind: ConfigMap +metadata: + name: cm-redis-config + namespace: nextcloud-dev +--- +apiVersion: v1 +data: + NEXTCLOUD_HOST: nxt.serveur.fr +kind: ConfigMap +metadata: + name: host-config + namespace: nextcloud-dev +--- +apiVersion: v1 +data: + MINIO_SERVICE_HOST: minio + MINIO_SERVICE_NAME: $(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT) + MINIO_SERVICE_PORT: "443" +kind: ConfigMap +metadata: + name: nextcloud-env + namespace: nextcloud-dev +--- +apiVersion: v1 +data: + parameters.yaml: |2- + #API minio + minio_url: 'http://%env(string:MINIO_SERVICE_NAME)%:9000' + minio_key: '%env(string:MINIO_KEY)%' + minio_secret: '%env(string:MINIO_SECRET)%' + minio_bucket: 'nextcloud' + minio_root: '' + minio_path_style: true + minio_secure: false +kind: ConfigMap +metadata: + name: nextcloud-parameters + namespace: nextcloud-dev +--- +apiVersion: v1 +data: + poststart-ldap.sh: | + #!/bin/sh + + # Vérifiez si LDAP est déjà activé + if ! 
su -s /bin/sh -c "/var/www/html/occ app:list --output=json" www-data | jq -e '.enabled | has("user_ldap")'; then + # Activez le module LDAP si ce n'est pas déjà fait + su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data + echo 'activation de ldap' + fi + + # Configurez LDAP (configuration minimale) + su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapHost --value='ldap.example.com'" www-data + su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapBase --value='dc=example,dc=com'" www-data + su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentName --value='cn=admin,dc=example,dc=com'" www-data + su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentPassword --value='your_password'" www-data + + echo 'ldap configured' + + # Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart. + #exec /entrypoint.sh "$@" +kind: ConfigMap +metadata: + name: script-config-ldap + namespace: nextcloud-dev +--- +apiVersion: v1 +data: + custom-script.sh: |- + #!/bin/sh + + HOSTS_FILE="/etc/hosts" + + # Ajoutez l'entrée au fichier hosts + MINIO_SERVICE_IP="${MINIO_SERVICE_HOST}" + MINIO_NAME="${MINIO_SERVICE_NAME}" + echo "$MINIO_SERVICE_IP" minio >> $HOSTS_FILE +kind: ConfigMap +metadata: + name: update-config + namespace: nextcloud-dev +--- +apiVersion: v1 +data: + config.env: | + ZXhwb3J0IE1JTklPX1JPT1RfVVNFUj0ibWluaW9fcm9vdCIKZXhwb3J0IE1JTklPX1JPT1 + RfUEFTU1dPUkQ9Ik1pbmlvUm9vdE5vdFNvU2VjcmV0IgpleHBvcnQgTUlOSU9fU1RPUkFH + RV9DTEFTU19TVEFOREFSRD0iRUM6MiIKZXhwb3J0IE1JTklPX0JST1dTRVI9Im9uIg== +kind: Secret +metadata: + name: nextcloud-minio-configuration + namespace: nextcloud-dev +type: Opaque +--- +apiVersion: v1 +data: + CONSOLE_ACCESS_KEY: bWluaW9fcm9vdA== + CONSOLE_SECRET_KEY: TWluaW9Sb290Tm90U29TZWNyZXQ= +kind: Secret +metadata: + name: nextcloud-minio-user + namespace: nextcloud-dev +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: 
nextcloud + component: app + name: nextcloud + namespace: nextcloud-dev +spec: + ports: + - port: 80 + selector: + app: nextcloud + component: app +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: redis + name: redis + namespace: nextcloud-dev +spec: + ports: + - port: 6379 + selector: + app: redis +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-config-pvc + namespace: nextcloud-dev +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + volumeMode: Filesystem +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-custom-pvc + namespace: nextcloud-dev +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2Gi + volumeMode: Filesystem +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-data-pvc + namespace: nextcloud-dev +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 20Gi + volumeMode: Filesystem +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-html-pvc + namespace: nextcloud-dev +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + volumeMode: Filesystem +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-main-pvc + namespace: nextcloud-dev +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + volumeMode: Filesystem +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-themes-pvc + namespace: nextcloud-dev +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2Gi + volumeMode: Filesystem +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-tmp-pvc + namespace: nextcloud-dev +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + volumeMode: Filesystem +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: nextcloud + component: app + name: app + namespace: nextcloud-dev 
+spec: + replicas: 1 + selector: + matchLabels: + app: nextcloud + component: app + template: + metadata: + labels: + app: nextcloud + component: app + spec: + containers: + - env: + - name: POSTGRES_DB + value: nextcloud + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + key: username + name: nextcloud-postgres-app + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: nextcloud-postgres-app + - name: POSTGRES_HOST + value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST) + - name: NEXTCLOUD_ADMIN_USER + value: admincadoles + - name: NEXTCLOUD_ADMIN_PASSWORD + value: CadolesNotSecret + - name: NEXTCLOUD_TRUSTED_DOMAINS + value: '*.cadoles.fr' + - name: NEXTCLOUD_INIT_LOCK + value: 512M + - name: PHP_MEMORY_LIMIT + value: 4G + - name: PHP_UPLOAD_LIMIT + value: 4G + - name: POD_INDEX + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: REDIS_HOST + value: redis + - name: REDIS_HOST_PORT + value: "6379" + - name: OBJECTSTORE_S3_HOST + value: minio:$(MINIO_SERVICE_PORT) + - name: OBJECTSTORE_S3_BUCKET + value: nextcloud-minio + - name: OBJECTSTORE_S3_KEY + value: minio_root + - name: OBJECTSTORE_S3_SECRET + value: MinioRootNotSoSecret + - name: OBJECTSTORE_S3_USEPATH_STYLE + value: "true" + - name: OBJECTSTORE_S3_SSL + value: "true" + - name: NEXTCLOUD_DATA_DIR + value: /var/www/html/data + image: reg.cadoles.com/proxy_cache/library/nextcloud:26.0.1-apache + imagePullPolicy: Always + lifecycle: + postStart: + exec: + command: + - /bin/sh + - -c + - cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt + && update-ca-certificates + - /etc/script/poststart-ldap.sh + livenessProbe: + failureThreshold: 5 + httpGet: + httpHeaders: + - name: Host + value: nxt.cadoles.fr + path: /status.php + port: 80 + initialDelaySeconds: 50 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 5 + name: app + ports: + - containerPort: 80 + readinessProbe: + failureThreshold: 5 + httpGet: + httpHeaders: + - name: 
Host + value: nxt.cadoles.fr + path: /status.php + port: 80 + initialDelaySeconds: 50 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + - mountPath: /var/www/ + name: nextcloud-main-volume + - mountPath: /var/www/html + name: nextcloud-html-volume + - mountPath: /var/www/html/data + name: nextcloud-data-volume + - mountPath: /var/www/html/config + name: nextcloud-config-volume + - mountPath: /var/www/html/custom_apps + name: nextcloud-custom-volume + - mountPath: /var/www/tmp + name: nextcloud-tmp-volume + - mountPath: /var/www/html/themes + name: nextcloud-themes-volume + - mountPath: /etc/script/poststart-ldap.sh + name: script-config-ldap + subPath: poststart-ldap.sh + - mountPath: /etc/script/custom-script.sh + name: update-config-script + subPath: custom-script.sh + - mountPath: /etc/minio-ccerts + name: minio-certs + readOnly: true + initContainers: + - args: + - job + - create-minio-bucket + image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3 + name: wait-for-bootstrap + restartPolicy: Always + serviceAccountName: nextcloud-sa + volumes: + - name: minio-certs + secret: + secretName: nextcloud-minio-tls + - configMap: + defaultMode: 484 + name: update-config + name: update-config-script + - configMap: + defaultMode: 484 + name: script-config-ldap + name: script-config-ldap + - name: nextcloud-main-volume + persistentVolumeClaim: + claimName: nextcloud-main-pvc + - name: nextcloud-html-volume + persistentVolumeClaim: + claimName: nextcloud-html-pvc + - name: nextcloud-data-volume + persistentVolumeClaim: + claimName: nextcloud-data-pvc + - name: nextcloud-config-volume + persistentVolumeClaim: + claimName: nextcloud-config-pvc + - name: nextcloud-custom-volume + persistentVolumeClaim: + claimName: nextcloud-custom-pvc + - name: nextcloud-tmp-volume + persistentVolumeClaim: + claimName: nextcloud-tmp-pvc + - name: nextcloud-themes-volume + persistentVolumeClaim: + claimName: nextcloud-themes-pvc +--- +apiVersion: 
apps/v1 +kind: Deployment +metadata: + labels: + app: redis + name: redis + namespace: nextcloud-dev +spec: + replicas: 1 + selector: + matchLabels: + app: redis + template: + metadata: + labels: + app: redis + spec: + containers: + - command: + - redis-server + - /redis-master/redis.conf + image: redis:alpine + name: redis + ports: + - containerPort: 6379 + volumeMounts: + - mountPath: /redis-master-data + name: data + - mountPath: /redis-master + name: config + restartPolicy: Always + volumes: + - emptyDir: {} + name: data + - configMap: + items: + - key: redis-config + path: redis.conf + name: cm-redis-config + name: config +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: create-minio-bucket + namespace: nextcloud-dev +spec: + template: + spec: + containers: + - args: + - | + echo "création de l'alias my-minio" + mc alias set --insecure my-minio http://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY} + echo "création du bucket..." + mc mb --insecure my-minio/nextcloud-minio + echo "Bucket créé. normalement" + command: + - sh + - -c + env: + - name: CONSOLE_ACCESS_KEY + valueFrom: + secretKeyRef: + key: CONSOLE_ACCESS_KEY + name: nextcloud-minio-user + - name: CONSOLE_SECRET_KEY + valueFrom: + secretKeyRef: + key: CONSOLE_SECRET_KEY + name: nextcloud-minio-user + envFrom: + - configMapRef: + name: nextcloud-env + image: minio/mc + name: create-bucket + initContainers: + - args: + - | + echo "attente du service minio..." 
+ cnt=0 + tout=300 + while [ 1 ] + do + http_code=$(wget --server-response https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}/minio/health/live 2>&1 | awk '/^ HTTP/{print $2}') + if [ "${http_code}" != "200" ]; then + echo "waiting for https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}" + sleep 1 + else + exit 0 + fi + + cnt=$((cnt+1)) + if [ "${cnt}" -ge "${tout}" ]; then + exit 3 + fi + done + command: + - sh + - -c + envFrom: + - configMapRef: + name: nextcloud-env + image: busybox + name: wait-for-minio + restartPolicy: OnFailure +--- +apiVersion: minio.min.io/v2 +kind: Tenant +metadata: + name: nextcloud-minio + namespace: nextcloud-dev +spec: + certConfig: + dnsNames: + - minio + configuration: + name: nextcloud-minio-configuration + pools: + - containerSecurityContext: + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + name: pool-0 + servers: 2 + volumeClaimTemplate: + metadata: + name: nextcloud-minio-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2Gi + volumesPerServer: 2 + users: + - name: nextcloud-minio-user +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + nginx.ingress.kubernetes.io/cors-allow-headers: X-Forwarded-For + nginx.ingress.kubernetes.io/enable-cors: "true" + nginx.ingress.kubernetes.io/proxy-body-size: 138m + name: nextcloud + namespace: nextcloud-dev +spec: + ingressClassName: nginx + rules: + - host: nxt.cadoles.fr + http: + paths: + - backend: + service: + name: nextcloud + port: + number: 80 + path: / + pathType: Prefix +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: nextcloud-postgres + namespace: nextcloud-dev +spec: + bootstrap: + initdb: + database: nextcloud + owner: nextcloud + instances: 1 + primaryUpdateStrategy: unsupervised + storage: + size: 5Gi diff --git a/overlays/dev/patches/ConfigMap-ldap-script.yaml b/overlays/dev/patches/ConfigMap-ldap-script.yaml new file mode 100644 index 0000000..60915a6 --- /dev/null 
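Review bot: `overlays/dev/output.yaml` is rendered kustomize output checked into git, and it carries the Secret material it renders — `CONSOLE_SECRET_KEY: TWluaW9Sb290Tm90U29TZWNyZXQ=`, the base64 `config.env` with `MINIO_ROOT_PASSWORD`, plus `NEXTCLOUD_ADMIN_PASSWORD: CadolesNotSecret` and `OBJECTSTORE_S3_SECRET: MinioRootNotSoSecret` as plain Deployment env values; base64 is an encoding, not protection. It is also already stale, since the Deployment here has none of the `NEXTCLOUD_LDAP_*` variables the overlay now patches in. Generated manifests should not be committed: add `overlays/*/output.yaml` to `.gitignore` and regenerate with `kustomize build overlays/dev` when needed, or if a rendered copy is wanted for review, strip the `kind: Secret` documents and credential env values first.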
+++ b/overlays/dev/patches/ConfigMap-ldap-script.yaml 
@@ -0,0 +1,76 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: script-config-ldap +data: + poststart-ldap.sh: | + #!/bin/sh + + NEXTCLOUD_READY=0 + MAX_RETRIES=30 + RETRY_INTERVAL=10 + + touch /etc/script/validator.txt + # Vérifiez si LDAP est déjà activé + # if ! su -s /bin/sh -c "/var/www/html/occ app:list --output=json" www-data | jq -e '.enabled | has("user_ldap")'; then + # Activez le module LDAP si ce n'est pas déjà fait + # su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data + #fi + for i in $(seq 1 $MAX_RETRIES); do + if curl -fsS "http://localhost/status.php" > /dev/null; then + NEXTCLOUD_READY=1 + break + else + echo "En attente de Nextcloud (tentative $i/$MAX_RETRIES)..." >> /etc/script/validator.txt + sleep $RETRY_INTERVAL + fi + done + + if [ $NEXTCLOUD_READY -eq 0 ]; then + echo "Nextcloud n'est pas prêt après $MAX_RETRIES tentatives. Abandon de l'initialisation LDAP." >> /etc/script/validator.txt + exit 1 + fi + + su -s /bin/sh -c "/var/www/html/occ app:install user_ldap" www-data + su -s /bin/sh -c "/var/www/html/occ app:update user_ldap" www-data + su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data + su -s /bin/sh -c "/var/www/html/occ ldap:create-empty-config" www-data + + ## test if backend ldap is activated and create empty config if not + # + #touch /tmp/nxt-ldap.txt + #su -s /bin/sh -c "/var/www/html/occ ldap:show-config s01 > /tmp/nextcloud-ldap.txt" www-data + #if grep -q "Invalid configID" /tmp/nextcloud-ldap.txt; then + # sudo -u www-data php /var/www/html/nextcloud/occ ldap:create-empty-config -q + #fi + + # Configurez LDAP (configuration minimale) + + su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_host '${NEXTCLOUD_LDAP_HOST}'" www-data + su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_base '${NEXTCLOUD_LDAP_BASE}'" www-data + su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_dn '${NEXTCLOUD_LDAP_DN}'" www-data + su -s /bin/sh -c "/var/www/html/occ ldap:set-config 
s01 ldap_agent_password '${NEXTCLOUD_LDAP_PASSWD}'" www-data + su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseGroups '${NEXTCLOUD_LDAP_BASE_GROUPS}'" www-data + su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseUsers '${NEXTCLOUD_LDAP_BASE_USERS}'" www-data + su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapConfigurationActive '${NEXTCLOUD_LDAP_ACTIVE_CONF}'" www-data + su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExperiencedAdmin '${NEXTCLOUD_LDAP_ADMIN_EXP}'" www-data + su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExpertUUIDUserAttr '${NEXTCLOUD_LDAP_EXP_UUID}'" www-data + su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapLoginFilter '${NEXTCLOUD_LDAP_LOGIN_FILTER}'" www-data + su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapPort '${NEXTCLOUD_LDAP_PORT}'" www-data + su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilter '${NEXTCLOUD_LDAP_USR_FILTR}'" www-data + su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilterObjectclass '${NEXTCLOUD_LDAP_OBJ_FILTR}'" www-data + su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapEmailAttribute '${NEXTCLOUD_LDAP_MAIL_ATTR}'" www-data + su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserDisplayName '${NEXTCLOUD_LDAP_USER_DISP}'" www-data + + #sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapGroupFilter "${ldapGroupFilter}" + #sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapGroupFilterObjectclass "${ldapGroupFilterObjectclass}" + #sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapGroupMemberAssocAttr "${ldapGroupMemberAssocAttr}" + + + # Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart. + #exec /entrypoint.sh "$@" + + # su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data + # est fonctionnel dans le pods nextcloud ! 
+ + #liste config : su -s /bin/sh -c "/var/www/html/occ config:list" www-data diff --git a/overlays/dev/patches/ConfigMaps.yaml b/overlays/dev/patches/ConfigMaps.yaml new file mode 100644 index 0000000..4f8dea7 --- /dev/null +++ b/overlays/dev/patches/ConfigMaps.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: update-config +data: + custom-script.sh: | + #!/bin/sh + + HOSTS_FILE="/etc/hosts" + + # Ajoutez l'entrée au fichier hosts + MINIO_SERVICE_IP="${MINIO_SERVICE_HOST}" + MINIO_NAME="${MINIO_SERVICE_NAME}" + echo "$MINIO_SERVICE_IP" minio >> $HOSTS_FILE \ No newline at end of file diff --git a/overlays/dev/patches/ingress-nextcloud.yaml b/overlays/dev/patches/ingress-nextcloud.yaml new file mode 100644 index 0000000..32cb828 --- /dev/null +++ b/overlays/dev/patches/ingress-nextcloud.yaml @@ -0,0 +1,36 @@ +- op: replace + path: /metadata/annotations/nginx.ingress.kubernetes.io~1proxy-body-size + value: "1G" +- op: replace + path: /metadata/annotations/nginx.ingress.kubernetes.io~1enable-cors + value: "true" +- op: replace + path: /metadata/annotations/nginx.ingress.kubernetes.io~1cors-allow-headers + value: "X-Forwarded-For" + +# En cas de besoin +#- op: add +# path: /metadata/annotations/nginx.ingress.kubernetes.io~1client_max_body_size +# value: "100m" + +- op: replace + path: /spec/rules/0/host + value: nxt.cadoles.fr +- op: replace + path: /spec/rules/0/http/paths/0/path + value: / +- op: replace + path: /spec/rules/0/http/paths/0/pathType + value: Prefix +- op: replace + path: /spec/rules/0/http/paths/0/backend/service/name + value: nextcloud +- op: replace + path: /spec/rules/0/http/paths/0/backend/service/port/number + value: 80 + + + +# logiquement path = +# path: /metadata/annotations/nginx.ingress.kubernetes.io/proxy-body-size +# sauf que ... json voila, "/" est à remplacer par ~1 \ No newline at end of file diff --git a/overlays/dev/patches/job.yaml b/overlays/dev/patches/job.yaml new file mode 100644 index 0000000..7f125c8 
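Review bot: Every `occ ldap:set-config` line expands `${NEXTCLOUD_LDAP_*}` inside the double-quoted string handed to `su -c`, so a value containing a single quote, `$` or backtick (LDAP passwords and filters routinely do) escapes the inner quoting and is executed by the www-data shell, and the bind password ends up on the `su` command line where any process in the container can read it via `/proc/*/cmdline`. Pass the values through the environment and let the inner shell expand them, e.g. `su -s /bin/sh -c '/var/www/html/occ ldap:set-config s01 ldap_agent_password "$NEXTCLOUD_LDAP_PASSWD"' www-data` (outer single quotes; `su` without `-`/`-l` keeps the caller's environment — confirm on this image), and apply the same pattern to the other thirteen calls. The script also runs unconditionally on every container start, reinstalling and re-enabling `user_ldap` and overwriting any change made in the admin UI; guard it with a check such as `ldap:show-config s01` succeeding, as the commented-out block sketches, so it only configures once. Note the hunk keeps `/etc/script/validator.txt` as the only log of failures; writing the same messages to stdout would make them visible in `kubectl logs`.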
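Review bot: The Ingress patch keeps `nginx.ingress.kubernetes.io/enable-cors: "true"` without a `cors-allow-origin`, and ingress-nginx's default for that annotation is `*`, so every Nextcloud path (WebDAV, OCS, login) is served with a wildcard `Access-Control-Allow-Origin` added in front of the application's own CORS handling. Nextcloud already manages CORS for the routes that need it; unless a specific cross-origin client is planned, drop `enable-cors` and `cors-allow-headers`, or set `nginx.ingress.kubernetes.io/cors-allow-origin` to the explicit origin. `X-Forwarded-For` in `cors-allow-headers` is not a header a browser sends in a CORS preflight, so it has no effect there. There is no `tls:` section on the rule and no `ssl-redirect` annotation, so `nxt.cadoles.fr` is served over plain HTTP at the edge; if that is deliberate for dev, a comment saying so would help the next reader.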
--- /dev/null +++ b/overlays/dev/patches/job.yaml @@ -0,0 +1,65 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: create-minio-bucket +spec: + template: + spec: + initContainers: + - name: wait-for-minio + image: reg.cadoles.com/proxy_cache/library/debian:bookworm + envFrom: + - configMapRef: + name: nextcloud-env + command: ["sh", "-c"] + args: + - | + echo "attente du service minio..." + cnt=0 + tout=300 + apt update && apt install --yes --force-yes wget openssl + cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates + while [ 1 ] + do + http_code=$(wget --server-response https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}/minio/health/live 2>&1 | awk '/^ HTTP/{print $2}') + if [ "${http_code}" != "200" ]; then + echo "waiting for https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}" + sleep 1 + else + exit 0 + fi + + cnt=$((cnt+1)) + if [ "${cnt}" -ge "${tout}" ]; then + exit 3 + fi + done +# Encore nécessaire ? + containers: + - name: create-bucket + image: minio/mc + envFrom: + - configMapRef: + name: nextcloud-env + env: + - name: CONSOLE_ACCESS_KEY + valueFrom: + secretKeyRef: + name: nextcloud-minio-user + key: CONSOLE_ACCESS_KEY + - name: CONSOLE_SECRET_KEY + valueFrom: + secretKeyRef: + name: nextcloud-minio-user + key: CONSOLE_SECRET_KEY + command: ["sh", "-c"] + args: + - | + echo "création de l'alias my-minio" + mc alias set --insecure my-minio http://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY} + echo "création du bucket..." + mc mb --insecure my-minio/nextcloud-minio + echo "Bucket créé. normalement" + restartPolicy: OnFailure + + diff --git a/overlays/dev/patches/nextcloud-S3.yaml b/overlays/dev/patches/nextcloud-S3.yaml new file mode 100644 index 0000000..62b77f0 --- /dev/null +++ b/overlays/dev/patches/nextcloud-S3.yaml 
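Review bot: The `wait-for-minio` init container now runs `apt update && apt install --yes --force-yes wget openssl` at pod start, which downloads packages from the network on every run and, with `--force-yes`, tells apt to proceed even when package signatures cannot be verified — the option apt's own manual calls dangerous and which bookworm deprecates — turning a readiness probe into an unauthenticated code-download path. Build (or pick) a small image with `wget` and `ca-certificates` preinstalled and drop the `apt` line. The trust step `cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates` assumes the tenant certificate is signed by the cluster CA, which holds only when the MinIO operator issues it through the Kubernetes CSR API — confirm, because otherwise the probe never sees 200 and the Job times out. The `create-bucket` container is unchanged and still uses `mc alias set --insecure ... http://...` against the port the probe just verified as HTTPS, so the root credentials go over plaintext or the call fails; switch it to `https://` and drop `--insecure` now that a CA is available.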
@@ -0,0 +1,24 @@ +- op: replace + path: /spec/template/spec/containers/0/env/13/value #OBJECTSTORE_S3_HOST + value: minio:$(MINIO_SERVICE_PORT) +- op: replace + path: /spec/template/spec/containers/0/env/14/value #OBJECTSTORE_S3_BUCKET + value: nextcloud-minio +- op: replace + path: /spec/template/spec/containers/0/env/15/value #OBJECTSTORE_S3_KEY + valueFrom: + secretKeyRef: + name: nextcloud-minio-user # kustomize racine + key: CONSOLE_ACCESS_KEY +- op: replace + path: /spec/template/spec/containers/0/env/16/value #OBJECTSTORE_S3_SECRET + valueFrom: + secretKeyRef: + name: nextcloud-minio-user # kustomize racine + key: CONSOLE_SECRET_KEY +- op: replace + path: /spec/template/spec/containers/0/env/17/value #OBJECTSTORE_S3_USEPATH_STYLE + value: "true" +- op: replace + path: /spec/template/spec/containers/0/env/18/value #OBJECTSTORE_S3_SSL + value: "true" diff --git a/overlays/dev/patches/nextcloud-ldap.yaml b/overlays/dev/patches/nextcloud-ldap.yaml new file mode 100644 index 0000000..5223f3c --- /dev/null +++ b/overlays/dev/patches/nextcloud-ldap.yaml 
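Review bot: The `replace` operations for `OBJECTSTORE_S3_KEY` and `OBJECTSTORE_S3_SECRET` target `.../env/15/value` and `.../env/16/value` but supply `valueFrom` instead of `value`; RFC 6902 `replace` has only a `value` member, so the `valueFrom` is ignored or rejected, which is most likely why the patch is disabled in the overlay kustomization and why the rendered Deployment still carries `OBJECTSTORE_S3_SECRET: MinioRootNotSoSecret` as a literal. Replace the whole env entry (path `/env/15`, no trailing `/value`) with an object carrying `name` and `valueFrom` so the credential is read from the `nextcloud-minio-user` Secret at runtime. The numeric indexes come from the current base env order and will silently point at the wrong variable if that list changes, so a strategic-merge patch keyed on `name` would be more robust; the other four ops are unaffected.
```yaml
- op: replace
  path: /spec/template/spec/containers/0/env/15   # OBJECTSTORE_S3_KEY
  value:
    name: OBJECTSTORE_S3_KEY
    valueFrom:
      secretKeyRef:
        name: nextcloud-minio-user
        key: CONSOLE_ACCESS_KEY
- op: replace
  path: /spec/template/spec/containers/0/env/16   # OBJECTSTORE_S3_SECRET
  value:
    name: OBJECTSTORE_S3_SECRET
    valueFrom:
      secretKeyRef:
        name: nextcloud-minio-user
        key: CONSOLE_SECRET_KEY
# … unchanged: OBJECTSTORE_S3_HOST, _BUCKET, _USEPATH_STYLE, _SSL ops …
```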
@@ -0,0 +1,75 @@
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: NEXTCLOUD_LDAP_HOST
+ value: openldap.openldap
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: NEXTCLOUD_LDAP_BASE
+ value: dc=example,dc=org
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: NEXTCLOUD_LDAP_DN
+ value: cn=admin,dc=example,dc=org
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: NEXTCLOUD_LDAP_PASSWD
+ value: "adminpassword"
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: NEXTCLOUD_LDAP_BASE_GROUPS
+ value: dc=example,dc=org
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: NEXTCLOUD_LDAP_BASE_USERS
+ value: ou=users,dc=example,dc=org
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: NEXTCLOUD_LDAP_ACTIVE_CONF
+ value: "1"
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: NEXTCLOUD_LDAP_ADMIN_EXP
+ value: "0"
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: NEXTCLOUD_LDAP_EXP_UUID
+ value: cn
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: NEXTCLOUD_LDAP_LOGIN_FILTER
+ value: (&(objectClass=posixAccount)(cn=%uid))
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: NEXTCLOUD_LDAP_PORT
+ value: "1389"
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: NEXTCLOUD_LDAP_USR_FILTR
+ value: (|(objectclass=posixAccount))
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: NEXTCLOUD_LDAP_OBJ_FILTR
+ value: posixAccount
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: NEXTCLOUD_LDAP_MAIL_ATTR
+ value: mail
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: NEXTCLOUD_LDAP_USER_DISP
+ value: cn
\ No newline at end of file
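Review bot: `NEXTCLOUD_LDAP_PASSWD` is the literal `"adminpassword"` for the directory's `cn=admin,dc=example,dc=org` bind DN, committed as a plain env value; the same inline-credential pattern appears in nextcloud-patch.yaml and nextcloud-variables.yaml (`NEXTCLOUD_ADMIN_PASSWORD`) and in resources/files/minio/config.env (`MINIO_ROOT_PASSWORD`). The SMTP patch's own comment says the kustomize secretGenerator is the intended home for such values, so the LDAP password should go there too and be added as an env entry with `valueFrom.secretKeyRef` rather than `value`. A dedicated read-only bind account would also suit the Nextcloud user backend better than the directory admin, since the app only needs to search and authenticate users. If the literal is deliberate for the local kind cluster, a header comment such as `# valeurs de dev uniquement, ne pas copier dans un autre overlay` would stop it propagating.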
diff --git a/overlays/dev/patches/nextcloud-patch.yaml b/overlays/dev/patches/nextcloud-patch.yaml
new file mode 100644
index 0000000..85375d3
--- /dev/null
+++ b/overlays/dev/patches/nextcloud-patch.yaml
@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: app
+spec:
+ template:
+ spec:
+ containers:
+ - name: app
+ env:
+ - name: NEXTCLOUD_ADMIN_USER
+ value: admincadoles
+ - name: NEXTCLOUD_ADMIN_PASSWORD
+ value: cadoles
+ - name: PHP_MEMORY_LIMIT
+ value: 512M
+ - name: PHP_UPLOAD_LIMIT
+ value: 4G
+ - name: REDIS_HOST
+ value: redis
+ - name: REDIS_HOST_PORT
+ value: "6379"
+ - name: NEXTCLOUD_DATA_DIR
+ value: "/var/www/html/data"
+ - name: NEXTCLOUD_TRUSTED_DOMAINS
+ value: "*.cadoles.fr"
diff --git a/overlays/dev/patches/nextcloud-postgres.yaml b/overlays/dev/patches/nextcloud-postgres.yaml
new file mode 100644
index 0000000..4bc95fa
--- /dev/null
+++ b/overlays/dev/patches/nextcloud-postgres.yaml
@@ -0,0 +1,34 @@
+# USER POSTGRES
+# UNIQUEMENT Si vous ne passez pas par l'operateur.
+#- op: replace
+# path: /spec/template/spec/containers/env/0/value #POSTGRES_DB
+# value: username
+#- op: replace
+# path: /spec/template/spec/containers/env/1/value #POSTGRES_USER
+# value: username
+#- op: replace
+# path: /spec/template/spec/containers/env/2/value #POSTGRES_PASSWORD
+# value: password
+
+# CONF POSTGRES
+- op: replace
+ path: /spec/template/spec/containers/0/env/3/value #POSTGRES_HOST
+ value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST)
+- op: replace
+ path: /spec/template/spec/containers/0/env/0/value #POSTGRES_DB
+ value: nextcloud
+
+
+#Name: nextcloud-postgres-app
+#Namespace: nextcloud
+#Labels: cnpg.io/cluster=nextcloud-postgres
+# cnpg.io/reload=true
+#Annotations: cnpg.io/operatorVersion: 1.18.1
+#
+#Type: kubernetes.io/basic-auth
+#
+#Data
+#====
+#password: 64 bytes
+#pgpass: 112 bytes
+#username: 9 bytes
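Review bot: `NEXTCLOUD_ADMIN_PASSWORD` is `cadoles` here and `CadolesNotSecret` in nextcloud-variables.yaml, for the same `admincadoles` user; if both patches are applied, the one kustomize processes last wins, so the effective admin password depends on patch order and is not readable from either file. This file is a strategic-merge patch on a Deployment named `app` with a container `app`, whereas every other patch in the overlay addresses `containers/0` by index, so it is not clear from the diff whether it is still referenced; if it is superseded, a header comment such as `# remplacé par nextcloud-variables.yaml` or removing the file would keep the two from diverging further. Whichever survives, the admin password belongs in a secretGenerator-backed Secret rather than a literal `value`.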
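Review bot: The commented-out template ops use `/spec/template/spec/containers/env/N/value`, without the `/0/` container index the live ops below them use, so anyone un-commenting them for a non-operator setup gets a path error; worth correcting while they are inert, e.g. `# path: /spec/template/spec/containers/0/env/2/value #POSTGRES_PASSWORD`. The `kubectl describe`-style dump of the `nextcloud-postgres-app` Secret at the bottom would read better as a one-line comment stating that the cloudnative-pg operator provisions that Secret and which keys it exposes (`username`, `password`, `pgpass`), since the byte counts are not stable documentation.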
diff --git a/overlays/dev/patches/nextcloud-probe.yaml b/overlays/dev/patches/nextcloud-probe.yaml
new file mode 100644
index 0000000..8b30e15
--- /dev/null
+++ b/overlays/dev/patches/nextcloud-probe.yaml
@@ -0,0 +1,47 @@
+# livenessProbe
+- op: replace
+ path: /spec/template/spec/containers/0/livenessProbe/httpGet/httpHeaders/0/value
+ value: nxt.cadoles.fr
+- op: replace
+ path: /spec/template/spec/containers/0/livenessProbe/httpGet/port
+ value: 80
+- op: replace
+ path: /spec/template/spec/containers/0/livenessProbe/initialDelaySeconds
+ value: 50
+- op: replace
+ path: /spec/template/spec/containers/0/livenessProbe/periodSeconds
+ value: 10
+- op: replace
+ path: /spec/template/spec/containers/0/livenessProbe/timeoutSeconds
+ value: 5
+- op: replace
+ path: /spec/template/spec/containers/0/livenessProbe/successThreshold
+ value: 1
+- op: replace
+ path: /spec/template/spec/containers/0/livenessProbe/failureThreshold
+ value: 6
+
+
+# readinessProbe
+- op: replace
+ path: /spec/template/spec/containers/0/readinessProbe/httpGet/httpHeaders/0/value
+ value: nxt.cadoles.fr
+- op: replace
+ path: /spec/template/spec/containers/0/readinessProbe/httpGet/port
+ value: 80
+- op: replace
+ path: /spec/template/spec/containers/0/readinessProbe/initialDelaySeconds
+ value: 50
+- op: replace
+ path: /spec/template/spec/containers/0/readinessProbe/periodSeconds
+ value: 10
+- op: replace
+ path: /spec/template/spec/containers/0/readinessProbe/timeoutSeconds
+ value: 5
+- op: replace
+ path: /spec/template/spec/containers/0/readinessProbe/successThreshold
+ value: 1
+- op: replace
+ path: /spec/template/spec/containers/0/readinessProbe/failureThreshold
+ value: 6
+
diff --git a/overlays/dev/patches/nextcloud-smtp.yaml b/overlays/dev/patches/nextcloud-smtp.yaml
new file mode 100644
index 0000000..c72aa6c
--- /dev/null
+++ b/overlays/dev/patches/nextcloud-smtp.yaml
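Review bot: Both probes send `Host: nxt.cadoles.fr`, while host-config.yaml sets `NEXTCLOUD_HOST: nxt.serveur.fr` and the variables patch trusts `*.cadoles.fr`; Nextcloud serves an untrusted-domain page for a Host outside `trusted_domains`, so the probe header has to stay aligned with the trusted list, and a comment naming the source of truth (`# doit correspondre à NEXTCLOUD_TRUSTED_DOMAINS`) would make that dependency visible. The fourteen ops set identical values for liveness and readiness; using `initialDelaySeconds: 50` on both means slow first starts are absorbed by delay alone, where a `startupProbe` would let the liveness probe be tighter once the app is up. Port `80` is hard-coded here; if the base container port is named, referencing the name avoids a second place to update.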
@@ -0,0 +1,26 @@
+- op: replace
+ path: /spec/template/spec/containers/0/env/19/value #MAIL_FROM_ADDRESS
+ value: "usercadoles"
+- op: replace
+ path: /spec/template/spec/containers/0/env/20/value #MAIL_DOMAIN
+ value: "cadoles.com"
+- op: replace
+ path: /spec/template/spec/containers/0/env/21/value #SMTP_HOST
+ value: "groupware.cadoles.com"
+- op: replace
+ path: /spec/template/spec/containers/0/env/22/value #SMTP_SECURE
+ value: "ssl"
+- op: replace
+ path: /spec/template/spec/containers/0/env/23/value #SMTP_PORT
+ value: "587"
+- op: replace
+ path: /spec/template/spec/containers/0/env/24/value #SMTP_AUTHTYPE
+ value: "LOGIN"
+
+# THEORIQUEMENT LA MODIFICATION du secret generator lié dans kustomize suffit.
+#- op: replace
+# path: /spec/template/spec/containers/0/env/25/value #SMTP_NAME
+# value:
+#- op: replace
+# path: /spec/template/spec/containers/0/env/26/value #SMTP_PASSWORD
+# value:
diff --git a/overlays/dev/patches/nextcloud-variables.yaml b/overlays/dev/patches/nextcloud-variables.yaml
new file mode 100644
index 0000000..e3e7d44
--- /dev/null
+++ b/overlays/dev/patches/nextcloud-variables.yaml
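Review bot: `SMTP_SECURE` is `"ssl"` while `SMTP_PORT` is `"587"`; in Nextcloud's mail settings `ssl` means implicit TLS, which servers normally offer on 465, whereas 587 is the STARTTLS submission port that corresponds to `tls`. As written the connection to groupware.cadoles.com is likely to fail or, worse, fall back depending on the client library; pick one pairing, either `value: "tls"` for port 587 or `value: "465"` to keep implicit TLS, according to what the server offers. Leaving `SMTP_NAME`/`SMTP_PASSWORD` to the secretGenerator, as the comment says, is the right call.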
@@ -0,0 +1,34 @@
+# USER MDP NEXTCLOUD
+- op: replace
+ path: /spec/template/spec/containers/0/env/4/value #NEXTCLOUD_ADMIN_USER
+ value: admincadoles
+- op: replace
+ path: /spec/template/spec/containers/0/env/5/value #NEXTCLOUD_ADMIN_PASSWORD
+ value: CadolesNotSecret
+
+# CONF NEXTCLOUD PHP
+
+- op: replace
+ path: /spec/template/spec/containers/0/env/8/value #PHP_MEMORY_LIMIT
+ value: 512M
+- op: replace
+ path: /spec/template/spec/containers/0/env/9/value #PHP_UPLOAD_LIMIT
+ value: 4G
+
+# CONF NEXTCLOUD REDIS
+
+- op: replace
+ path: /spec/template/spec/containers/0/env/11/value #REDIS_HOST
+ value: redis
+- op: replace
+ path: /spec/template/spec/containers/0/env/12/value #REDIS_HOST_PORT
+ value: "6379"
+
+# CONF NEXTCLOUD
+
+#- op: replace
+# path: /spec/template/spec/containers/0/env/27/value #NEXTCLOUD_DATA_DIR
+# value: "/var/www/html/data"
+- op: replace
+ path: /spec/template/spec/containers/0/env/6/value #NEXTCLOUD_TRUSTED_DOMAINS
+ value: "*.cadoles.fr"
diff --git a/overlays/dev/patches/redis-config.yaml b/overlays/dev/patches/redis-config.yaml
new file mode 100644
index 0000000..fd6d819
--- /dev/null
+++ b/overlays/dev/patches/redis-config.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cm-redis-config
+data:
+ redis-config: |
+ maxmemory 4mb
+ maxmemory-policy volatile-lru
+ appendonly yes
diff --git a/overlays/dev/patches/tenant-conf.yaml b/overlays/dev/patches/tenant-conf.yaml
new file mode 100644
index 0000000..d1afac5
--- /dev/null
+++ b/overlays/dev/patches/tenant-conf.yaml
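Review bot: `NEXTCLOUD_ADMIN_PASSWORD` is set to the literal `CadolesNotSecret` as a plain `value`, and it conflicts with the `cadoles` given to the same `admincadoles` user in nextcloud-patch.yaml. The cleaner form is the one the S3 patch is reaching for: replace the whole `env/5` item with a `name`/`valueFrom.secretKeyRef` entry pointing at a secretGenerator-managed Secret, so no patch carries the password. Before un-commenting the `NEXTCLOUD_DATA_DIR` op, the index should be re-checked against the base env list; the other patches' comments only account for indices up to 26 (`SMTP_PASSWORD`), so index 27 is an assumption.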
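Review bot: `maxmemory 4mb` combined with `maxmemory-policy volatile-lru` means only keys carrying a TTL can be evicted; once the 4 MB is occupied by keys without one, Redis refuses further writes with an OOM error, and the Nextcloud image points both its distributed cache and file locking at `REDIS_HOST`, so that ceiling is easy to reach. If the figure is intentional for the kind cluster, say so in the ConfigMap (`# 4mb : cluster de test uniquement`); otherwise a larger limit or `allkeys-lru` is the usual choice for a cache. `appendonly yes` persists the cache and lock state to the pod filesystem; whether that path is backed by a volume is not visible from this patch.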
@@ -0,0 +1,21 @@
+- op: replace
+ path: /spec/certConfig/dnsNames
+ value: ["minio"]
+- op: replace
+ path: /spec/pools/0/servers
+ value: 2
+- op: replace
+ path: /spec/pools/0/volumesPerServer
+ value: 3
+- op: replace
+ path: /spec/pools/0/volumeClaimTemplate/spec/resources/requests/storage
+ value: 3Gi
+- op: replace
+ path: /spec/pools/0/containerSecurityContext/runAsUser
+ value: 1000
+- op: replace
+ path: /spec/pools/0/containerSecurityContext/runAsGroup
+ value: 1000
+- op: replace
+ path: /spec/pools/0/containerSecurityContext/runAsNonRoot
+ value: true
diff --git a/overlays/dev/resources/files/minio/config.env b/overlays/dev/resources/files/minio/config.env
new file mode 100644
index 0000000..f443282
--- /dev/null
+++ b/overlays/dev/resources/files/minio/config.env
@@ -0,0 +1,4 @@
+export MINIO_ROOT_USER="cadoles"
+export MINIO_ROOT_PASSWORD="cadoles;21"
+export MINIO_STORAGE_CLASS_STANDARD="EC:2"
+export MINIO_BROWSER="on"
\ No newline at end of file
diff --git a/overlays/dev/resources/host-config.yaml b/overlays/dev/resources/host-config.yaml
new file mode 100644
index 0000000..468e2a5
--- /dev/null
+++ b/overlays/dev/resources/host-config.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: host-config
+data:
+ NEXTCLOUD_HOST: nxt.serveur.fr
diff --git a/overlays/dev/resources/namespace.yaml b/overlays/dev/resources/namespace.yaml
new file mode 100644
index 0000000..5ef0f15
--- /dev/null
+++ b/overlays/dev/resources/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: nextcloud-dev
\ No newline at end of file
diff --git a/requires/README.md b/requires/README.md
new file mode 100644
index 0000000..e0aab4f
--- /dev/null
+++ b/requires/README.md
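Review bot: `certConfig/dnsNames` is narrowed to `["minio"]`, but the clients visible in this commit reach the tenant through `${MINIO_SERVICE_HOST}` and the S3 patch uses `minio:$(MINIO_SERVICE_PORT)`; a bare `minio` only verifies from inside the same namespace, and a cluster IP never verifies against a DNS-only SAN, which is presumably why job.yaml falls back to `--insecure`. Listing the names clients actually use (the short name plus `minio.<namespace>.svc.cluster.local`, namespace to be filled in) lets TLS verification succeed and the `--insecure` flags go. `runAsNonRoot: true` with uid/gid 1000 is a good hardening step; whether the pool's pod-level `securityContext` sets a matching `fsGroup` so the PVCs are writable by that uid is not visible from this patch and worth confirming.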
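Review bot: `MINIO_ROOT_PASSWORD="cadoles;21"` commits the tenant's root credential in plaintext alongside `MINIO_ROOT_USER`; even for a dev overlay this should be produced by a kustomize secretGenerator (its `envs:` field can read a file of exactly this shape from an untracked copy) with the tracked file reduced to a template, and the real file listed in `.gitignore`. Nothing else in this diff needs the root credential at runtime, since the Job and the S3 patch use the separate `nextcloud-minio-user` Secret, so the blast radius of rotating it now is small. The trailing `\ No newline at end of file` is harmless for `source`d env files but easy to fix.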
@@ -0,0 +1,12 @@
+# README
+
+Permet d'installer les opérateurs nécessaire à l'utilisation de nextcloud.
+
+Simplement lancer le ```kustomization.yaml``` pour appliquer les **quatre** opérateurs
+
+- cloudnative-pg (base de donnée postgresql)
+- nginx (ingress)
+- minio (pour le stockage S3)
+- mteallb (load-balancer, point d'entrée unique)
+
+le dossier ```cluster/``` contient simplement un fichier ```cluster.yaml``` pour lancer un cluster avec 3 worker et un control-plane.
\ No newline at end of file
diff --git a/requires/cluster/cluster.yaml b/requires/cluster/cluster.yaml
new file mode 100644
index 0000000..4ea6a3b
--- /dev/null
+++ b/requires/cluster/cluster.yaml
@@ -0,0 +1,8 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+name: ctest
+nodes:
+- role: control-plane
+- role: worker
+- role: worker
+- role: worker
diff --git a/requires/cluster/nginx/kustomization.yaml b/requires/cluster/nginx/kustomization.yaml
new file mode 100644
index 0000000..2fe4bf2
--- /dev/null
+++ b/requires/cluster/nginx/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/cloud/deploy.yaml
\ No newline at end of file
diff --git a/requires/kustomization.yaml b/requires/kustomization.yaml
new file mode 100644
index 0000000..e0c5711
--- /dev/null
+++ b/requires/kustomization.yaml
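Review bot: This nginx kustomization pulls the ingress controller manifest from a raw GitHub URL at the `controller-v1.4.0` tag, while requires/kustomization.yaml installs nginx from the `c-kustom` base in the same commit, so there are two sources for the controller and it is unclear which is meant to be applied. A git tag is movable, so if this file stays it should be pinned by commit SHA rather than tag, as the whole manifest runs with cluster-wide privileges. The README in the same hunk group states that `cluster/` contains only `cluster.yaml`, which this file contradicts; either remove the directory or update that sentence and add a one-line comment here saying when to use it instead of the `c-kustom` base.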
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+
+#- https://raw.githubusercontent.com/ory/k8s/v0.30.0/helm/charts/hydra-maester/crds/crd-oauth2clients.yaml
+- https://forge.cadoles.com/CadolesKube/c-kustom//base/metallb?ref=develop
+- https://forge.cadoles.com/CadolesKube/c-kustom//base/nginx?ref=develop
+- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
+#- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop # Nextcloud ne fonctionne pas avec la couche sentinelle
+- https://forge.cadoles.com/CadolesKube/c-kustom//base/minio?ref=develop
+- https://forge.cadoles.com/vfebvre/openldap-kustom?ref=develop
+#- ./lb => déplacé dans dev/ car propre à l'environnement cible
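Review bot: Every remote base is fetched with `?ref=develop`, a moving branch, so what `kustomize build` applies can change with no change to this repository; for operators that run with cluster-wide privileges (metallb, ingress-nginx, cloudnative-pg, the minio operator) that is a supply-chain exposure as well as a reproducibility problem. Pin each URL to a tag or, better, a commit (`?ref=<tag-or-sha>`) and bump deliberately, ideally with a comment recording the version chosen. The commented hydra CRD line is the only non-forge origin in the list and can be dropped if it is no longer planned.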