cleaning repo

This commit is contained in:
vfebvre 2023-09-06 15:26:07 +02:00
parent 4b0ab40b0d
commit 7fca904584
6 changed files with 23 additions and 701 deletions


@ -1,12 +1,33 @@
# nextcloud-kustom # nextcloud-kustom
**WARNING - test branch, does not respect the target strategy for a production environment** Base include :
- nextcloud app
- postgres
- ...
Default configuration (base directory) :
- use an external S3,
- use local authentication,
- use internal K8s certificate,
- use postgresSQL
If you want change, you must do your configuration in the overlays section
Overlays dev sections install :
- base
- rename namespace to nextcloud-dev
- use cert-manager (to install CRDs requirement, check requires/)
**To install a test cluster on your machine**
1. Create cluster 1. Create cluster
```kind create cluster --config requires/cluster/cluster.yaml``` ```kind create cluster --config requires/cluster/cluster.yaml```
2. Install operators and openldap(dev) 2. Install operators, cert-manager and openldap(dev)
```kubectl apply -k requires/``` ```kubectl apply -k requires/```
@ -18,9 +39,4 @@
```kubectl apply -k overlays/dev``` ```kubectl apply -k overlays/dev```
## cert-manager
Install crds :
```kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml```


@ -1,9 +0,0 @@
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: l2-ip-pool-ad
namespace: metallb-system
spec:
ipAddressPools:
- main-pool


@ -1,8 +0,0 @@
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: main-pool
namespace: metallb-system
spec:
addresses:
- 172.18.10.100-172.18.10.200


@ -1,7 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: metallb-system
resources:
- ipaddresspoool.yaml
- advertise.yaml


@ -1,627 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: nextcloud-dev
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nextcloud-sa
namespace: nextcloud-dev
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: status-reader
namespace: nextcloud-dev
rules:
- apiGroups:
- batch
- v1
resources:
- jobs
verbs:
- get
- list
- apiGroups:
- ""
- v1
resources:
- secrets
verbs:
- get
- list
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: status-reader
namespace: nextcloud-dev
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: status-reader
subjects:
- kind: ServiceAccount
name: nextcloud-sa
namespace: nextcloud-dev
---
apiVersion: v1
data:
redis-config: |
maxmemory 4mb
maxmemory-policy volatile-lru
appendonly yes
kind: ConfigMap
metadata:
name: cm-redis-config
namespace: nextcloud-dev
---
apiVersion: v1
data:
NEXTCLOUD_HOST: nxt.serveur.fr
kind: ConfigMap
metadata:
name: host-config
namespace: nextcloud-dev
---
apiVersion: v1
data:
MINIO_SERVICE_HOST: minio
MINIO_SERVICE_NAME: $(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT)
MINIO_SERVICE_PORT: "443"
kind: ConfigMap
metadata:
name: nextcloud-env
namespace: nextcloud-dev
---
apiVersion: v1
data:
parameters.yaml: |2-
#API minio
minio_url: 'http://%env(string:MINIO_SERVICE_NAME)%:9000'
minio_key: '%env(string:MINIO_KEY)%'
minio_secret: '%env(string:MINIO_SECRET)%'
minio_bucket: 'nextcloud'
minio_root: ''
minio_path_style: true
minio_secure: false
kind: ConfigMap
metadata:
name: nextcloud-parameters
namespace: nextcloud-dev
---
apiVersion: v1
data:
poststart-ldap.sh: |
#!/bin/sh
# Vérifiez si LDAP est déjà activé
if ! su -s /bin/sh -c "/var/www/html/occ app:list --output=json" www-data | jq -e '.enabled | has("user_ldap")'; then
# Activez le module LDAP si ce n'est pas déjà fait
su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
echo 'activation de ldap'
fi
# Configurez LDAP (configuration minimale)
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapHost --value='ldap.example.com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapBase --value='dc=example,dc=com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentName --value='cn=admin,dc=example,dc=com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentPassword --value='your_password'" www-data
echo 'ldap configured'
# Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart.
#exec /entrypoint.sh "$@"
kind: ConfigMap
metadata:
name: script-config-ldap
namespace: nextcloud-dev
---
apiVersion: v1
data:
custom-script.sh: |-
#!/bin/sh
HOSTS_FILE="/etc/hosts"
# Ajoutez l'entrée au fichier hosts
MINIO_SERVICE_IP="${MINIO_SERVICE_HOST}"
MINIO_NAME="${MINIO_SERVICE_NAME}"
echo "$MINIO_SERVICE_IP" minio >> $HOSTS_FILE
kind: ConfigMap
metadata:
name: update-config
namespace: nextcloud-dev
---
apiVersion: v1
data:
config.env: |
ZXhwb3J0IE1JTklPX1JPT1RfVVNFUj0ibWluaW9fcm9vdCIKZXhwb3J0IE1JTklPX1JPT1
RfUEFTU1dPUkQ9Ik1pbmlvUm9vdE5vdFNvU2VjcmV0IgpleHBvcnQgTUlOSU9fU1RPUkFH
RV9DTEFTU19TVEFOREFSRD0iRUM6MiIKZXhwb3J0IE1JTklPX0JST1dTRVI9Im9uIg==
kind: Secret
metadata:
name: nextcloud-minio-configuration
namespace: nextcloud-dev
type: Opaque
---
apiVersion: v1
data:
CONSOLE_ACCESS_KEY: bWluaW9fcm9vdA==
CONSOLE_SECRET_KEY: TWluaW9Sb290Tm90U29TZWNyZXQ=
kind: Secret
metadata:
name: nextcloud-minio-user
namespace: nextcloud-dev
type: Opaque
---
apiVersion: v1
kind: Service
metadata:
labels:
app: nextcloud
component: app
name: nextcloud
namespace: nextcloud-dev
spec:
ports:
- port: 80
selector:
app: nextcloud
component: app
---
apiVersion: v1
kind: Service
metadata:
labels:
app: redis
name: redis
namespace: nextcloud-dev
spec:
ports:
- port: 6379
selector:
app: redis
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-config-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-custom-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-data-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-html-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-main-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-themes-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-tmp-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
volumeMode: Filesystem
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nextcloud
component: app
name: app
namespace: nextcloud-dev
spec:
replicas: 1
selector:
matchLabels:
app: nextcloud
component: app
template:
metadata:
labels:
app: nextcloud
component: app
spec:
containers:
- env:
- name: POSTGRES_DB
value: nextcloud
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: nextcloud-postgres-app
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: nextcloud-postgres-app
- name: POSTGRES_HOST
value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST)
- name: NEXTCLOUD_ADMIN_USER
value: admincadoles
- name: NEXTCLOUD_ADMIN_PASSWORD
value: CadolesNotSecret
- name: NEXTCLOUD_TRUSTED_DOMAINS
value: '*.cadoles.fr'
- name: NEXTCLOUD_INIT_LOCK
value: 512M
- name: PHP_MEMORY_LIMIT
value: 4G
- name: PHP_UPLOAD_LIMIT
value: 4G
- name: POD_INDEX
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: REDIS_HOST
value: redis
- name: REDIS_HOST_PORT
value: "6379"
- name: OBJECTSTORE_S3_HOST
value: minio:$(MINIO_SERVICE_PORT)
- name: OBJECTSTORE_S3_BUCKET
value: nextcloud-minio
- name: OBJECTSTORE_S3_KEY
value: minio_root
- name: OBJECTSTORE_S3_SECRET
value: MinioRootNotSoSecret
- name: OBJECTSTORE_S3_USEPATH_STYLE
value: "true"
- name: OBJECTSTORE_S3_SSL
value: "true"
- name: NEXTCLOUD_DATA_DIR
value: /var/www/html/data
image: reg.cadoles.com/proxy_cache/library/nextcloud:26.0.1-apache
imagePullPolicy: Always
lifecycle:
postStart:
exec:
command:
- /bin/sh
- -c
- cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt
&& update-ca-certificates
- /etc/script/poststart-ldap.sh
livenessProbe:
failureThreshold: 5
httpGet:
httpHeaders:
- name: Host
value: nxt.cadoles.fr
path: /status.php
port: 80
initialDelaySeconds: 50
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 5
name: app
ports:
- containerPort: 80
readinessProbe:
failureThreshold: 5
httpGet:
httpHeaders:
- name: Host
value: nxt.cadoles.fr
path: /status.php
port: 80
initialDelaySeconds: 50
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 5
volumeMounts:
- mountPath: /var/www/
name: nextcloud-main-volume
- mountPath: /var/www/html
name: nextcloud-html-volume
- mountPath: /var/www/html/data
name: nextcloud-data-volume
- mountPath: /var/www/html/config
name: nextcloud-config-volume
- mountPath: /var/www/html/custom_apps
name: nextcloud-custom-volume
- mountPath: /var/www/tmp
name: nextcloud-tmp-volume
- mountPath: /var/www/html/themes
name: nextcloud-themes-volume
- mountPath: /etc/script/poststart-ldap.sh
name: script-config-ldap
subPath: poststart-ldap.sh
- mountPath: /etc/script/custom-script.sh
name: update-config-script
subPath: custom-script.sh
- mountPath: /etc/minio-ccerts
name: minio-certs
readOnly: true
initContainers:
- args:
- job
- create-minio-bucket
image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
name: wait-for-bootstrap
restartPolicy: Always
serviceAccountName: nextcloud-sa
volumes:
- name: minio-certs
secret:
secretName: nextcloud-minio-tls
- configMap:
defaultMode: 484
name: update-config
name: update-config-script
- configMap:
defaultMode: 484
name: script-config-ldap
name: script-config-ldap
- name: nextcloud-main-volume
persistentVolumeClaim:
claimName: nextcloud-main-pvc
- name: nextcloud-html-volume
persistentVolumeClaim:
claimName: nextcloud-html-pvc
- name: nextcloud-data-volume
persistentVolumeClaim:
claimName: nextcloud-data-pvc
- name: nextcloud-config-volume
persistentVolumeClaim:
claimName: nextcloud-config-pvc
- name: nextcloud-custom-volume
persistentVolumeClaim:
claimName: nextcloud-custom-pvc
- name: nextcloud-tmp-volume
persistentVolumeClaim:
claimName: nextcloud-tmp-pvc
- name: nextcloud-themes-volume
persistentVolumeClaim:
claimName: nextcloud-themes-pvc
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: redis
name: redis
namespace: nextcloud-dev
spec:
replicas: 1
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- command:
- redis-server
- /redis-master/redis.conf
image: redis:alpine
name: redis
ports:
- containerPort: 6379
volumeMounts:
- mountPath: /redis-master-data
name: data
- mountPath: /redis-master
name: config
restartPolicy: Always
volumes:
- emptyDir: {}
name: data
- configMap:
items:
- key: redis-config
path: redis.conf
name: cm-redis-config
name: config
---
apiVersion: batch/v1
kind: Job
metadata:
name: create-minio-bucket
namespace: nextcloud-dev
spec:
template:
spec:
containers:
- args:
- |
echo "création de l'alias my-minio"
mc alias set --insecure my-minio http://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY}
echo "création du bucket..."
mc mb --insecure my-minio/nextcloud-minio
echo "Bucket créé. normalement"
command:
- sh
- -c
env:
- name: CONSOLE_ACCESS_KEY
valueFrom:
secretKeyRef:
key: CONSOLE_ACCESS_KEY
name: nextcloud-minio-user
- name: CONSOLE_SECRET_KEY
valueFrom:
secretKeyRef:
key: CONSOLE_SECRET_KEY
name: nextcloud-minio-user
envFrom:
- configMapRef:
name: nextcloud-env
image: minio/mc
name: create-bucket
initContainers:
- args:
- |
echo "attente du service minio..."
cnt=0
tout=300
while [ 1 ]
do
http_code=$(wget --server-response https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}/minio/health/live 2>&1 | awk '/^ HTTP/{print $2}')
if [ "${http_code}" != "200" ]; then
echo "waiting for https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}"
sleep 1
else
exit 0
fi
cnt=$((cnt+1))
if [ "${cnt}" -ge "${tout}" ]; then
exit 3
fi
done
command:
- sh
- -c
envFrom:
- configMapRef:
name: nextcloud-env
image: busybox
name: wait-for-minio
restartPolicy: OnFailure
---
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
name: nextcloud-minio
namespace: nextcloud-dev
spec:
certConfig:
dnsNames:
- minio
configuration:
name: nextcloud-minio-configuration
pools:
- containerSecurityContext:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
name: pool-0
servers: 2
volumeClaimTemplate:
metadata:
name: nextcloud-minio-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
volumesPerServer: 2
users:
- name: nextcloud-minio-user
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/cors-allow-headers: X-Forwarded-For
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 138m
name: nextcloud
namespace: nextcloud-dev
spec:
ingressClassName: nginx
rules:
- host: nxt.cadoles.fr
http:
paths:
- backend:
service:
name: nextcloud
port:
number: 80
path: /
pathType: Prefix
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: nextcloud-postgres
namespace: nextcloud-dev
spec:
bootstrap:
initdb:
database: nextcloud
owner: nextcloud
instances: 1
primaryUpdateStrategy: unsupervised
storage:
size: 5Gi


@ -1,43 +0,0 @@
- op: replace
path: /spec/template/spec/containers/0/env/13/value #OBJECTSTORE_S3_HOST
value: minio:$(MINIO_SERVICE_PORT)
- op: replace
path: /spec/template/spec/containers/0/env/14/value #OBJECTSTORE_S3_BUCKET
value: nextcloud-minio
- op: replace
path: /spec/template/spec/containers/0/env/15/value #OBJECTSTORE_S3_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user # kustomize racine
key: CONSOLE_ACCESS_KEY
- op: replace
path: /spec/template/spec/containers/0/env/16/value #OBJECTSTORE_S3_SECRET
valueFrom:
secretKeyRef:
name: nextcloud-minio-user # kustomize racine
key: CONSOLE_SECRET_KEY
- op: replace
path: /spec/template/spec/containers/0/env/17/value #OBJECTSTORE_S3_USEPATH_STYLE
value: "true"
- op: replace
path: /spec/template/spec/containers/0/env/18/value #OBJECTSTORE_S3_SSL
value: "true"
# Partie AWS S3
- name: OBJECTSTORE_S3_BUCKET
value: nextcloud-cadoles
- name: OBJECTSTORE_S3_HOST
value: s3.fr-par.swc.cloud
- name: OBJECTSTORE_S3_PORT
value: "443"
- name: OBJECTSTORE_S3_REGION
value: fr-par
- name: OBJECTSTORE_S3_KEY # 15
value: SCWGDBJ75JYMY2XVRG9A
- name: OBJECTSTORE_S3_SECRET
value: fd3bfcc2-cd39-453b-acea-5c5f3a241960
- name: OBJECTSTORE_S3_USEPATH_STYLE
value: "true"
- name: OBJECTSTORE_S3_SSL # 18
value: "true"