diff --git a/README.md b/README.md
index 2afee87..fe39a95 100644
--- a/README.md
+++ b/README.md
@@ -1,12 +1,33 @@
 # nextcloud-kustom
-**WARNING - test branch, does not respect the target strategy for a production environment**
+Base include :
+
+- nextcloud app
+- postgres
+- ...
+
+Default configuration (base directory) :
+
+- use an external S3,
+- use local authentication,
+- use internal K8s certificate,
+- use postgresSQL
+
+If you want change, you must do your configuration in the overlays section
+
+Overlays dev sections install :
+
+- base
+- rename namespace to nextcloud-dev
+- use cert-manager (to install CRDs requirement, check requires/)
+
+**To install a test cluster on your machine**
 1. Create cluster
 ```kind create cluster --config requires/cluster/cluster.yaml```
-2. Install operators and openldap(dev)
+2. Install operators, cert-manager and openldap(dev)
 ```kubectl apply -k requires/```
@@ -18,9 +39,4 @@
 ```kubectl apply -k overlays/dev```
-## cert-manager
-
-Install crds :
-
-```kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml```
diff --git a/overlays/dev/cluster/lb/advertise.yaml b/overlays/dev/cluster/lb/advertise.yaml
deleted file mode 100644
index d251dba..0000000
--- a/overlays/dev/cluster/lb/advertise.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: metallb.io/v1beta1
-kind: L2Advertisement
-metadata:
- name: l2-ip-pool-ad
- namespace: metallb-system
-spec:
- ipAddressPools:
- - main-pool
-
diff --git a/overlays/dev/cluster/lb/ipaddresspoool.yaml b/overlays/dev/cluster/lb/ipaddresspoool.yaml
deleted file mode 100644
index da37f87..0000000
--- a/overlays/dev/cluster/lb/ipaddresspoool.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: metallb.io/v1beta1
-kind: IPAddressPool
-metadata:
- name: main-pool
- namespace: metallb-system
-spec:
- addresses:
- - 172.18.10.100-172.18.10.200
diff --git a/overlays/dev/cluster/lb/kustomization.yaml b/overlays/dev/cluster/lb/kustomization.yaml
deleted file mode 100644
index f5994df..0000000
--- a/overlays/dev/cluster/lb/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: metallb-system
-
-resources:
-- ipaddresspoool.yaml
-- advertise.yaml
diff --git a/overlays/dev/output.yaml b/overlays/dev/output.yaml
deleted file mode 100644
index 86ceef7..0000000
--- a/overlays/dev/output.yaml
+++ /dev/null
@@ -1,627 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: nextcloud-dev ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nextcloud-sa - namespace: nextcloud-dev ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: status-reader - namespace: nextcloud-dev -rules: -- apiGroups: - - batch - - v1 - resources: - - jobs - verbs: - - get - - list -- apiGroups: - - "" - - v1 - resources: - - secrets - verbs: - - get - - list - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: status-reader - namespace: nextcloud-dev -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: status-reader -subjects: -- kind: ServiceAccount - name: nextcloud-sa - namespace: nextcloud-dev ---- -apiVersion: v1 -data: - redis-config: | - maxmemory 4mb - maxmemory-policy volatile-lru - appendonly yes -kind: ConfigMap -metadata: - name: cm-redis-config - namespace: nextcloud-dev ---- -apiVersion: v1 -data: - NEXTCLOUD_HOST: nxt.serveur.fr -kind: ConfigMap -metadata: - name: host-config - namespace: nextcloud-dev ---- -apiVersion: v1 -data: - MINIO_SERVICE_HOST: minio - MINIO_SERVICE_NAME: $(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT) - MINIO_SERVICE_PORT: "443" -kind: ConfigMap -metadata: - name: nextcloud-env - namespace: nextcloud-dev ---- -apiVersion: v1 -data: - parameters.yaml: |2- - #API minio - minio_url: 'http://%env(string:MINIO_SERVICE_NAME)%:9000' - minio_key: '%env(string:MINIO_KEY)%' - minio_secret: '%env(string:MINIO_SECRET)%' - minio_bucket: 'nextcloud' - minio_root: '' - minio_path_style: true - minio_secure: false -kind: ConfigMap -metadata: - name: nextcloud-parameters - namespace: nextcloud-dev ---- -apiVersion: v1 -data: - poststart-ldap.sh: | - #!/bin/sh - - # Vérifiez si LDAP est déjà activé - if ! 
su -s /bin/sh -c "/var/www/html/occ app:list --output=json" www-data | jq -e '.enabled | has("user_ldap")'; then - # Activez le module LDAP si ce n'est pas déjà fait - su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data - echo 'activation de ldap' - fi - - # Configurez LDAP (configuration minimale) - su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapHost --value='ldap.example.com'" www-data - su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapBase --value='dc=example,dc=com'" www-data - su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentName --value='cn=admin,dc=example,dc=com'" www-data - su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentPassword --value='your_password'" www-data - - echo 'ldap configured' - - # Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart. - #exec /entrypoint.sh "$@" -kind: ConfigMap -metadata: - name: script-config-ldap - namespace: nextcloud-dev ---- -apiVersion: v1 -data: - custom-script.sh: |- - #!/bin/sh - - HOSTS_FILE="/etc/hosts" - - # Ajoutez l'entrée au fichier hosts - MINIO_SERVICE_IP="${MINIO_SERVICE_HOST}" - MINIO_NAME="${MINIO_SERVICE_NAME}" - echo "$MINIO_SERVICE_IP" minio >> $HOSTS_FILE -kind: ConfigMap -metadata: - name: update-config - namespace: nextcloud-dev ---- -apiVersion: v1 -data: - config.env: | - ZXhwb3J0IE1JTklPX1JPT1RfVVNFUj0ibWluaW9fcm9vdCIKZXhwb3J0IE1JTklPX1JPT1 - RfUEFTU1dPUkQ9Ik1pbmlvUm9vdE5vdFNvU2VjcmV0IgpleHBvcnQgTUlOSU9fU1RPUkFH - RV9DTEFTU19TVEFOREFSRD0iRUM6MiIKZXhwb3J0IE1JTklPX0JST1dTRVI9Im9uIg== -kind: Secret -metadata: - name: nextcloud-minio-configuration - namespace: nextcloud-dev -type: Opaque ---- -apiVersion: v1 -data: - CONSOLE_ACCESS_KEY: bWluaW9fcm9vdA== - CONSOLE_SECRET_KEY: TWluaW9Sb290Tm90U29TZWNyZXQ= -kind: Secret -metadata: - name: nextcloud-minio-user - namespace: nextcloud-dev -type: Opaque ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: 
nextcloud - component: app - name: nextcloud - namespace: nextcloud-dev -spec: - ports: - - port: 80 - selector: - app: nextcloud - component: app ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: redis - name: redis - namespace: nextcloud-dev -spec: - ports: - - port: 6379 - selector: - app: redis ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-config-pvc - namespace: nextcloud-dev -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - volumeMode: Filesystem ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-custom-pvc - namespace: nextcloud-dev -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 2Gi - volumeMode: Filesystem ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-data-pvc - namespace: nextcloud-dev -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 20Gi - volumeMode: Filesystem ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-html-pvc - namespace: nextcloud-dev -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - volumeMode: Filesystem ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-main-pvc - namespace: nextcloud-dev -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - volumeMode: Filesystem ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-themes-pvc - namespace: nextcloud-dev -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 2Gi - volumeMode: Filesystem ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-tmp-pvc - namespace: nextcloud-dev -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - volumeMode: Filesystem ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: nextcloud - component: app - name: app - namespace: nextcloud-dev 
-spec: - replicas: 1 - selector: - matchLabels: - app: nextcloud - component: app - template: - metadata: - labels: - app: nextcloud - component: app - spec: - containers: - - env: - - name: POSTGRES_DB - value: nextcloud - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - key: username - name: nextcloud-postgres-app - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: nextcloud-postgres-app - - name: POSTGRES_HOST - value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST) - - name: NEXTCLOUD_ADMIN_USER - value: admincadoles - - name: NEXTCLOUD_ADMIN_PASSWORD - value: CadolesNotSecret - - name: NEXTCLOUD_TRUSTED_DOMAINS - value: '*.cadoles.fr' - - name: NEXTCLOUD_INIT_LOCK - value: 512M - - name: PHP_MEMORY_LIMIT - value: 4G - - name: PHP_UPLOAD_LIMIT - value: 4G - - name: POD_INDEX - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: REDIS_HOST - value: redis - - name: REDIS_HOST_PORT - value: "6379" - - name: OBJECTSTORE_S3_HOST - value: minio:$(MINIO_SERVICE_PORT) - - name: OBJECTSTORE_S3_BUCKET - value: nextcloud-minio - - name: OBJECTSTORE_S3_KEY - value: minio_root - - name: OBJECTSTORE_S3_SECRET - value: MinioRootNotSoSecret - - name: OBJECTSTORE_S3_USEPATH_STYLE - value: "true" - - name: OBJECTSTORE_S3_SSL - value: "true" - - name: NEXTCLOUD_DATA_DIR - value: /var/www/html/data - image: reg.cadoles.com/proxy_cache/library/nextcloud:26.0.1-apache - imagePullPolicy: Always - lifecycle: - postStart: - exec: - command: - - /bin/sh - - -c - - cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt - && update-ca-certificates - - /etc/script/poststart-ldap.sh - livenessProbe: - failureThreshold: 5 - httpGet: - httpHeaders: - - name: Host - value: nxt.cadoles.fr - path: /status.php - port: 80 - initialDelaySeconds: 50 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 5 - name: app - ports: - - containerPort: 80 - readinessProbe: - failureThreshold: 5 - httpGet: - httpHeaders: - - name: 
Host - value: nxt.cadoles.fr - path: /status.php - port: 80 - initialDelaySeconds: 50 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 5 - volumeMounts: - - mountPath: /var/www/ - name: nextcloud-main-volume - - mountPath: /var/www/html - name: nextcloud-html-volume - - mountPath: /var/www/html/data - name: nextcloud-data-volume - - mountPath: /var/www/html/config - name: nextcloud-config-volume - - mountPath: /var/www/html/custom_apps - name: nextcloud-custom-volume - - mountPath: /var/www/tmp - name: nextcloud-tmp-volume - - mountPath: /var/www/html/themes - name: nextcloud-themes-volume - - mountPath: /etc/script/poststart-ldap.sh - name: script-config-ldap - subPath: poststart-ldap.sh - - mountPath: /etc/script/custom-script.sh - name: update-config-script - subPath: custom-script.sh - - mountPath: /etc/minio-ccerts - name: minio-certs - readOnly: true - initContainers: - - args: - - job - - create-minio-bucket - image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3 - name: wait-for-bootstrap - restartPolicy: Always - serviceAccountName: nextcloud-sa - volumes: - - name: minio-certs - secret: - secretName: nextcloud-minio-tls - - configMap: - defaultMode: 484 - name: update-config - name: update-config-script - - configMap: - defaultMode: 484 - name: script-config-ldap - name: script-config-ldap - - name: nextcloud-main-volume - persistentVolumeClaim: - claimName: nextcloud-main-pvc - - name: nextcloud-html-volume - persistentVolumeClaim: - claimName: nextcloud-html-pvc - - name: nextcloud-data-volume - persistentVolumeClaim: - claimName: nextcloud-data-pvc - - name: nextcloud-config-volume - persistentVolumeClaim: - claimName: nextcloud-config-pvc - - name: nextcloud-custom-volume - persistentVolumeClaim: - claimName: nextcloud-custom-pvc - - name: nextcloud-tmp-volume - persistentVolumeClaim: - claimName: nextcloud-tmp-pvc - - name: nextcloud-themes-volume - persistentVolumeClaim: - claimName: nextcloud-themes-pvc ---- -apiVersion: 
apps/v1 -kind: Deployment -metadata: - labels: - app: redis - name: redis - namespace: nextcloud-dev -spec: - replicas: 1 - selector: - matchLabels: - app: redis - template: - metadata: - labels: - app: redis - spec: - containers: - - command: - - redis-server - - /redis-master/redis.conf - image: redis:alpine - name: redis - ports: - - containerPort: 6379 - volumeMounts: - - mountPath: /redis-master-data - name: data - - mountPath: /redis-master - name: config - restartPolicy: Always - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: redis-config - path: redis.conf - name: cm-redis-config - name: config ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: create-minio-bucket - namespace: nextcloud-dev -spec: - template: - spec: - containers: - - args: - - | - echo "création de l'alias my-minio" - mc alias set --insecure my-minio http://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY} - echo "création du bucket..." - mc mb --insecure my-minio/nextcloud-minio - echo "Bucket créé. normalement" - command: - - sh - - -c - env: - - name: CONSOLE_ACCESS_KEY - valueFrom: - secretKeyRef: - key: CONSOLE_ACCESS_KEY - name: nextcloud-minio-user - - name: CONSOLE_SECRET_KEY - valueFrom: - secretKeyRef: - key: CONSOLE_SECRET_KEY - name: nextcloud-minio-user - envFrom: - - configMapRef: - name: nextcloud-env - image: minio/mc - name: create-bucket - initContainers: - - args: - - | - echo "attente du service minio..." 
- cnt=0 - tout=300 - while [ 1 ] - do - http_code=$(wget --server-response https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}/minio/health/live 2>&1 | awk '/^ HTTP/{print $2}') - if [ "${http_code}" != "200" ]; then - echo "waiting for https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}" - sleep 1 - else - exit 0 - fi - - cnt=$((cnt+1)) - if [ "${cnt}" -ge "${tout}" ]; then - exit 3 - fi - done - command: - - sh - - -c - envFrom: - - configMapRef: - name: nextcloud-env - image: busybox - name: wait-for-minio - restartPolicy: OnFailure ---- -apiVersion: minio.min.io/v2 -kind: Tenant -metadata: - name: nextcloud-minio - namespace: nextcloud-dev -spec: - certConfig: - dnsNames: - - minio - configuration: - name: nextcloud-minio-configuration - pools: - - containerSecurityContext: - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - name: pool-0 - servers: 2 - volumeClaimTemplate: - metadata: - name: nextcloud-minio-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 2Gi - volumesPerServer: 2 - users: - - name: nextcloud-minio-user ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/cors-allow-headers: X-Forwarded-For - nginx.ingress.kubernetes.io/enable-cors: "true" - nginx.ingress.kubernetes.io/proxy-body-size: 138m - name: nextcloud - namespace: nextcloud-dev -spec: - ingressClassName: nginx - rules: - - host: nxt.cadoles.fr - http: - paths: - - backend: - service: - name: nextcloud - port: - number: 80 - path: / - pathType: Prefix ---- -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: nextcloud-postgres - namespace: nextcloud-dev -spec: - bootstrap: - initdb: - database: nextcloud - owner: nextcloud - instances: 1 - primaryUpdateStrategy: unsupervised - storage: - size: 5Gi diff --git a/overlays/dev/patches/nextcloud-S3.yaml b/overlays/dev/patches/nextcloud-S3.yaml deleted file mode 100644 index bdc4381..0000000 
--- a/overlays/dev/patches/nextcloud-S3.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-- op: replace
- path: /spec/template/spec/containers/0/env/13/value #OBJECTSTORE_S3_HOST
- value: minio:$(MINIO_SERVICE_PORT)
-- op: replace
- path: /spec/template/spec/containers/0/env/14/value #OBJECTSTORE_S3_BUCKET
- value: nextcloud-minio
-- op: replace
- path: /spec/template/spec/containers/0/env/15/value #OBJECTSTORE_S3_KEY
- valueFrom:
- secretKeyRef:
- name: nextcloud-minio-user # kustomize racine
- key: CONSOLE_ACCESS_KEY
-- op: replace
- path: /spec/template/spec/containers/0/env/16/value #OBJECTSTORE_S3_SECRET
- valueFrom:
- secretKeyRef:
- name: nextcloud-minio-user # kustomize racine
- key: CONSOLE_SECRET_KEY
-- op: replace
- path: /spec/template/spec/containers/0/env/17/value #OBJECTSTORE_S3_USEPATH_STYLE
- value: "true"
-- op: replace
- path: /spec/template/spec/containers/0/env/18/value #OBJECTSTORE_S3_SSL
- value: "true"
-
-
- # Partie AWS S3
- - name: OBJECTSTORE_S3_BUCKET
- value: nextcloud-cadoles
- - name: OBJECTSTORE_S3_HOST
- value: s3.fr-par.swc.cloud
- - name: OBJECTSTORE_S3_PORT
- value: "443"
- - name: OBJECTSTORE_S3_REGION
- value: fr-par
- - name: OBJECTSTORE_S3_KEY # 15
- value: SCWGDBJ75JYMY2XVRG9A
- - name: OBJECTSTORE_S3_SECRET
- value: fd3bfcc2-cd39-453b-acea-5c5f3a241960
- - name: OBJECTSTORE_S3_USEPATH_STYLE
- value: "true"
- - name: OBJECTSTORE_S3_SSL # 18
- value: "true"
\ No newline at end of file