diff --git a/README.md b/README.md index 2afee87..fe39a95 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,33 @@ # nextcloud-kustom -**WARNING - test branch, does not respect the target strategy for a production environment** +Base include : + +- nextcloud app +- postgres +- ... + +Default configuration (base directory) : + +- use an external S3, +- use local authentication, +- use internal K8s certificate, +- use postgresSQL + +If you want change, you must do your configuration in the overlays section + +Overlays dev sections install : + +- base +- rename namespace to nextcloud-dev +- use cert-manager (to install CRDs requirement, check requires/) + +**To install a test cluster on your machine** 1. Create cluster ```kind create cluster --config requires/cluster/cluster.yaml``` -2. Install operators and openldap(dev) +2. Install operators, cert-manager and openldap(dev) ```kubectl apply -k requires/``` @@ -18,9 +39,4 @@ ```kubectl apply -k overlays/dev``` -## cert-manager - -Install crds : - -```kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml``` diff --git a/base/components/cnpg-database/kustomization.yaml b/base/components/cnpg-database/kustomization.yaml index 4b17195..ed011ef 100644 --- a/base/components/cnpg-database/kustomization.yaml +++ b/base/components/cnpg-database/kustomization.yaml @@ -1,6 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component -namespace: nextcloud configurations: - ./configurations/cnpg-config.yaml diff --git a/base/components/cnpg-database/resources/nextcloud-cnpg.yaml b/base/components/cnpg-database/resources/nextcloud-cnpg.yaml index 1f7b5c1..9191ba0 100644 --- a/base/components/cnpg-database/resources/nextcloud-cnpg.yaml +++ b/base/components/cnpg-database/resources/nextcloud-cnpg.yaml @@ -2,7 +2,6 @@ apiVersion: postgresql.cnpg.io/v1 kind: Cluster metadata: name: nextcloud-postgres - namespace: nextcloud spec: instances: 1 primaryUpdateStrategy: unsupervised 
diff --git a/base/components/one-redis/kustomization.yaml b/base/components/one-redis/kustomization.yaml index f069490..9f0c58c 100644 --- a/base/components/one-redis/kustomization.yaml +++ b/base/components/one-redis/kustomization.yaml @@ -1,8 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component -namespace: nextcloud resources: - deployment.yaml - redis-service.yaml -- ConfigMap-redis.yaml \ No newline at end of file +- ConfigMap-redis.yaml diff --git a/base/kustomization.yaml b/base/kustomization.yaml index 79d89db..37c03ad 100644 --- a/base/kustomization.yaml +++ b/base/kustomization.yaml @@ -1,16 +1,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: nextcloud generatorOptions: disableNameSuffixHash: true # référence à l'exemple cadoles. # cela force la mise à jours des secret en questions liés aux ressources ayant le labels "tenant" lorsque modifié -configurations: -#- https://forge.cadoles.com/CadolesKube/c-kustom/raw/branch/develop/base/minio/configurations/tenants.minio.min.io.yaml -# => importé en locale pour pouvoir faire un kustomize build -- ./resources/nextcloud/resources/files/minio/configurations/tenants.minio.min.io.yaml resources: - ./resources/nextcloud @@ -36,4 +31,4 @@ components: # - name: nextcloud-config-volume # permet de monter le fichier de configuration dans # configMap: # les instances supplémentaires -# name: nextcloud-config # via le configmap ConfigMaps-php.yaml \ No newline at end of file +# name: nextcloud-config # via le configmap ConfigMaps-php.yaml diff --git a/base/resources/nextcloud/kustomization.yaml b/base/resources/nextcloud/kustomization.yaml index 492d3ea..6f61f6a 100644 --- a/base/resources/nextcloud/kustomization.yaml +++ b/base/resources/nextcloud/kustomization.yaml 
@@ -1,63 +1,43 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -# namespace: nextcloud generatorOptions: disableNameSuffixHash: true # suppression des suffixe en hash en bout de nom resources: - ./resources/deployment.yaml -# - ./resources/namespace.yaml -- ./resources/nextcloud-tenant.yaml - ./resources/nextcloud-service.yaml -- ./resources/pvc.yaml -- ./resources/job.yaml -- ./resources/ConfigMap.yaml - ./resources/nextcloud-rolebinding.yaml - ./resources/nextcloud-role.yaml - ./resources/nextcloud-serviceaccount.yaml - ./resources/ingress.yaml -- ./resources/ConfigMap-ldap-script.yaml - -#- ./resources/secret.yaml - +- ./resources/pvc/00-main.yaml +- ./resources/pvc/01-html.yaml +- ./resources/pvc/02-data.yaml +- ./resources/pvc/03-config.yaml +- ./resources/pvc/04-custom.yaml +- ./resources/pvc/06-tmp.yaml +- ./resources/pvc/07-themes.yaml configMapGenerator: -- name: nextcloud-parameters - files: - - ./resources/files/parameters.yaml - name: nextcloud-env literals: - - MINIO_SERVICE_NAME=$(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT) # pas nécessaire je pense - - MINIO_SERVICE_HOST=minio - - MINIO_SERVICE_PORT=443 + - NEXTCLOUD_ADMIN_USER="admin" + - NEXTCLOUD_ADMIN_PASSWORD="cadoles" # 5 + - NEXTCLOUD_TRUSTED_DOMAINS="*.cadoles.fr" + - PHP_MEMORY_LIMIT="512M" + - PHP_UPLOAD_LIMIT="4G" + - MAIL_FROM_ADDRESS="user" + - MAIL_DOMAIN="cadoles.fr" + - SMTP_HOST="smtp.cadoles.com" + - SMTP_SECURE="ssl" + - SMTP_PORT="465" + - SMTP_AUTHTYPE="LOGIN" secretGenerator: -# Voir https://github.com/minio/operator/issues/856 -- name: nextcloud-minio-user - literals: - - CONSOLE_ACCESS_KEY=minio_root - - CONSOLE_SECRET_KEY=MinioRootNotSoSecret - options: - disableNameSuffixHash: true -# Voir https://github.com/minio/operator/issues/856 -- name: nextcloud-minio-configuration - files: - - ./resources/files/minio/config.env # A modifier si modification mot de passe et user CONSOLE [ACCESS-SECRET] - options: - disableNameSuffixHash: true - name: nextcloud-smtp 
literals: - - smtp-username=user - - smtp-password=password + - smtp-username=secretuser + - smtp-password=secretpassword options: disableNameSuffixHash: true - -vars: # génération d'information pour wait-for-bootstrap du pod nextcloud -- name: MINIO_BOOTSTRAP_JOB_NAME - objref: - name: create-minio-bucket - kind: Job - apiVersion: batch/v1 - fieldref: - fieldpath: metadata.name diff --git a/base/resources/nextcloud/resources/ConfigMap-ldap-script.yaml b/base/resources/nextcloud/resources/ConfigMap-ldap-script.yaml deleted file mode 100644 index 220bbe5..0000000 --- a/base/resources/nextcloud/resources/ConfigMap-ldap-script.yaml +++ /dev/null 
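Review bot: `NEXTCLOUD_ADMIN_PASSWORD="cadoles"` is added as a configMapGenerator literal, so the admin credential ends up in a plain ConfigMap (readable by anyone with configmap read access in the namespace) and is loaded into the container through the `envFrom: configMapRef` added in the deployment.yaml hunk of this same commit; keep the admin user and password under `secretGenerator` instead (a `nextcloud-admin` entry beside `nextcloud-smtp`, `options: disableNameSuffixHash: true`) and reference it from the deployment with `- secretRef: name: nextcloud-admin`. The new literals also wrap their values in double quotes (`"admin"`, `"*.cadoles.fr"`, `"512M"`); kustomize normally strips matching surrounding quotes from literal values, so they add nothing — check the rendered ConfigMap to confirm they do not survive into the data. The `smtp-username=secretuser` / `smtp-password=secretpassword` placeholders are fine in a base as long as every overlay overrides them.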
@@ -1,46 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: script-config-ldap -data: - poststart-ldap.sh: | - #!/bin/sh - - NEXTCLOUD_READY=0 - MAX_RETRIES=30 - RETRY_INTERVAL=10 - - touch /etc/script/validator.txt - # Vérifiez si LDAP est déjà activé - # if ! su -s /bin/sh -c "/var/www/html/occ app:list --output=json" www-data | jq -e '.enabled | has("user_ldap")'; then - # Activez le module LDAP si ce n'est pas déjà fait - # su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data - #fi - for i in $(seq 1 $MAX_RETRIES); do - if curl -fsS "http://localhost/status.php" > /dev/null; then - NEXTCLOUD_READY=1 - break - else - echo "En attente de Nextcloud (tentative $i/$MAX_RETRIES)..." >> /etc/script/validator.txt - sleep $RETRY_INTERVAL - fi - done - - if [ $NEXTCLOUD_READY -eq 0 ]; then - echo "Nextcloud n'est pas prêt après $MAX_RETRIES tentatives. Abandon de l'initialisation LDAP." >> /etc/script/validator.txt - exit 1 - fi - - su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data - - # Configurez LDAP (configuration minimale) - su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapHost --value='ldap.example.com'" www-data - su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapBase --value='dc=example,dc=com'" www-data - su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentName --value='cn=admin,dc=example,dc=com'" www-data - su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentPassword --value='your_password'" www-data - - # Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart. - #exec /entrypoint.sh "$@" - -# su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data -# est fonctionnel dans le pods nextcloud ! \ No newline at end of file diff --git a/base/resources/nextcloud/resources/ConfigMap.yaml b/base/resources/nextcloud/resources/ConfigMap.yaml deleted file mode 100644 index 4f8dea7..0000000 
--- a/base/resources/nextcloud/resources/ConfigMap.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: update-config -data: - custom-script.sh: | - #!/bin/sh - - HOSTS_FILE="/etc/hosts" - - # Ajoutez l'entrée au fichier hosts - MINIO_SERVICE_IP="${MINIO_SERVICE_HOST}" - MINIO_NAME="${MINIO_SERVICE_NAME}" - echo "$MINIO_SERVICE_IP" minio >> $HOSTS_FILE \ No newline at end of file diff --git a/base/resources/nextcloud/resources/deployment.yaml b/base/resources/nextcloud/resources/deployment.yaml index 60b6dfa..20a4334 100644 --- a/base/resources/nextcloud/resources/deployment.yaml +++ b/base/resources/nextcloud/resources/deployment.yaml @@ -4,9 +4,9 @@ metadata: labels: app: nextcloud component: app - name: app + name: nextcloud-app spec: -# serviceName: nextcloud + # serviceName: nextcloud replicas: 1 selector: matchLabels: @@ -21,16 +21,16 @@ spec: containers: - image: reg.cadoles.com/proxy_cache/library/nextcloud:27.0.2-apache imagePullPolicy: Always - name: app + name: nextcloud ports: - containerPort: 80 lifecycle: postStart: exec: - command: ["/bin/sh", "-c", "cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates && /etc/script/poststart-ldap.sh && touch /etc/script/try01.txt"] -# envFrom: -# - configMapRef: -# name: nextcloud-env + command: ["/bin/sh", "-c", "cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates"] + envFrom: + - configMapRef: + name: nextcloud-env env: - name: POSTGRES_DB value: nextcloud 
@@ -46,56 +46,16 @@ spec: key: password - name: POSTGRES_HOST value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST) #value: nextcloud-postgres-rw.nextcloud.svc.cluster.local - - name: NEXTCLOUD_ADMIN_USER - value: admin - - name: NEXTCLOUD_ADMIN_PASSWORD # 5 - value: cadoles - - name: NEXTCLOUD_TRUSTED_DOMAINS - value: "*.cadoles.fr" - name: NEXTCLOUD_INIT_LOCK value: "true" - - name: PHP_MEMORY_LIMIT - value: 512M - - name: PHP_UPLOAD_LIMIT - value: 4G - name: POD_INDEX valueFrom: fieldRef: fieldPath: metadata.name - name: REDIS_HOST - value: redis # équivaut à redis.nextcloud.svc.cluster.local -# value: $(RFS_NEXTCLOUD_REDIS_SERVICE_HOST) => For redis-operator + value: redis - name: REDIS_HOST_PORT value: "6379" - ###################### - # Partie minio S3 - - name: OBJECTSTORE_S3_HOST - value: minio:$(MINIO_SERVICE_PORT) -# value: $(MINIO_SERVICE_NAME):$(MINIO_SERVICE_PORT) - - name: OBJECTSTORE_S3_BUCKET - value: nextcloud-minio - - name: OBJECTSTORE_S3_KEY # 15 - value: minio_root - - name: OBJECTSTORE_S3_SECRET - value: MinioRootNotSoSecret - - name: OBJECTSTORE_S3_USEPATH_STYLE - value: "true" - - name: OBJECTSTORE_S3_SSL # 18 - value: "true" - ################################## -# Mise en place SMTP - - name: MAIL_FROM_ADDRESS - value: "user" - - name: MAIL_DOMAIN - value: "domain.com" - - name: SMTP_HOST - value: "domain.com" - - name: SMTP_SECURE - value: "ssl" - - name: SMTP_PORT - value: "465" - - name: SMTP_AUTHTYPE - value: "LOGIN" - name: SMTP_NAME valueFrom: secretKeyRef: 
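Review bot: Every `OBJECTSTORE_S3_*` variable is removed from the base container with nothing taking its place, while the README changed in this same commit states that the base "use an external S3"; if the dev overlay's `patches/deployment.yaml` is what re-adds them, say so here, e.g. `# OBJECTSTORE_S3_* (host, bucket, key, secret, ssl) are injected per overlay via patches/deployment.yaml`, otherwise the README claim is wrong. The S3 key and secret that were here were hard-coded `value:` entries; if they come back through an overlay, inject them with `valueFrom: secretKeyRef` as the SMTP credentials below already are. The container block starts and ends outside this hunk.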
@@ -106,34 +66,8 @@ spec: secretKeyRef: name: nextcloud-smtp key: smtp-password - - name: NEXTCLOUD_DATA_DIR value: "/var/www/html/data" - livenessProbe: # vérifie si c'est planté ou non - httpGet: - path: /status.php - port: 80 # en reférence à ingress.yaml ? - httpHeaders: - - name: Host - value: nxt.cadoles.fr # valeurs égale à celle dans ingress.yaml - initialDelaySeconds: 50 - periodSeconds: 15 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - readinessProbe: # vérifie si c'est ok pour envoyer des requête ou non - httpGet: - path: /status.php - port: 80 # en référence à ingress.yaml ? - httpHeaders: - - name: Host - value: nxt.cadoles.fr # valeurs égale à celle dans ingress.yaml - initialDelaySeconds: 50 - periodSeconds: 15 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - volumeMounts: - mountPath: /var/www/ name: nextcloud-main-volume 
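Review bot: Both the livenessProbe and the readinessProbe are deleted here with no replacement, so a hung Apache/PHP process is never restarted and the Service sends traffic to the pod before Nextcloud has finished its install or upgrade run (`NEXTCLOUD_INIT_LOCK` is still set in the previous hunk). If the probes went away because of the hard-coded `Host: nxt.cadoles.fr` header, keep the probes in the base and make only that header value a patch target in the overlay; a readiness probe like the one below is enough for the base, with a liveness probe mirroring it and a higher `failureThreshold`. The container spec continues outside this hunk.
```yaml
          readinessProbe:
            httpGet:
              path: /status.php
              port: 80
              httpHeaders:
                - name: Host
                  value: NEXTCLOUD_HOST_PLACEHOLDER  # patched per overlay, must match the Ingress host
            initialDelaySeconds: 50
            periodSeconds: 15
            timeoutSeconds: 5
            failureThreshold: 5
          # … unchanged: volumeMounts …
```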
@@ -149,45 +83,7 @@ spec: name: nextcloud-tmp-volume - mountPath: /var/www/html/themes name: nextcloud-themes-volume - -# ICI montage pour les script ! - - mountPath: /etc/script/poststart-ldap.sh - name: script-config-ldap - subPath: poststart-ldap.sh - - mountPath: /etc/script/custom-script.sh - name: update-config-script - subPath: custom-script.sh - - mountPath: /etc/minio-ccerts - name: minio-certs - readOnly: true - - # MOUNT-TRY-multi-instance -# - name: nextcloud-config-volume # monte le fichier de configuration dans -# mountPath: /var/www/html/config # les instances supplémentaire -# readOnly: false # via le configmap ConfigMaps-php.yaml - - restartPolicy: Always - serviceAccountName: nextcloud-sa # declare user for initcontainer - - # trois volumes pour les script volumes: - - name: minio-certs - secret: - secretName: nextcloud-minio-tls # montage des certificat de minio - - name: update-config-script - configMap: - name: update-config - defaultMode: 0744 - - name: script-config-ldap - configMap: - name: script-config-ldap - defaultMode: 0744 - -# MOUNT-TRY-multi-instance -# - name: nextcloud-config-volume # permet de monter le fichier de configuration dans -# configMap: # les instances supplémentaires -# name: nextcloud-config # via le configmap ConfigMaps-php.yaml - - name: nextcloud-main-volume persistentVolumeClaim: claimName: nextcloud-main-pvc 
@@ -209,23 +105,5 @@ spec: - name: nextcloud-themes-volume persistentVolumeClaim: claimName: nextcloud-themes-pvc - - initContainers: # cf README.md part ##YAML explain / ### PODS WAIT - - name: wait-for-bootstrap - image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3 - args: - - job - - $(MINIO_BOOTSTRAP_JOB_NAME) - - -##################################################### -# For REDIS-OPERATOR USE THIS TO SET PORT -##################################################### -# - name: REDIS_HOST_PORT -# value: $(RFS_NEXTCLOUD_REDIS_SERVICE_PORT) -# - name: REDIS_HOST_PASSWORD -# valueFrom: -# secretKeyRef: -# name: redis-secret -# key: password -##################################################### + restartPolicy: Always + serviceAccountName: nextcloud-sa # declare user for initcontainer diff --git a/base/resources/nextcloud/resources/files/minio/config.env b/base/resources/nextcloud/resources/files/minio/config.env deleted file mode 100644 index d8176ff..0000000 --- a/base/resources/nextcloud/resources/files/minio/config.env +++ /dev/null @@ -1,4 +0,0 @@ -export MINIO_ROOT_USER="minio_root" -export MINIO_ROOT_PASSWORD="MinioRootNotSoSecret" -export MINIO_STORAGE_CLASS_STANDARD="EC:2" -export MINIO_BROWSER="on" \ No newline at end of file diff --git a/base/resources/nextcloud/resources/files/parameters.yaml b/base/resources/nextcloud/resources/files/parameters.yaml deleted file mode 100644 index d751b3a..0000000 --- a/base/resources/nextcloud/resources/files/parameters.yaml +++ /dev/null @@ -1,8 +0,0 @@ - #API minio - minio_url: 'http://%env(string:MINIO_SERVICE_NAME)%:9000' - minio_key: '%env(string:MINIO_KEY)%' - minio_secret: '%env(string:MINIO_SECRET)%' - minio_bucket: 'nextcloud' - minio_root: '' - minio_path_style: true - minio_secure: false \ No newline at end of file diff --git a/base/resources/nextcloud/resources/ingress.yaml b/base/resources/nextcloud/resources/ingress.yaml index 97fe7a9..544a1dd 100644 
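Review bot: The comment on the re-added `serviceAccountName: nextcloud-sa  # declare user for initcontainer` is now stale, because this same hunk deletes the only initContainer (`wait-for-bootstrap`) and the `MINIO_BOOTSTRAP_JOB_NAME` var it consumed moves to overlays/dev; if the dev overlay's `patches/deployment.yaml` reinstates the initContainer, say so, otherwise reword it to `serviceAccountName: nextcloud-sa  # bound to the status-reader Role via nextcloud-rolebinding.yaml`. With the wait-for container gone, check which process in the pod still needs the Role's get/list on jobs and secrets; if none does, the RoleBinding can be dropped, since the postStart hook only copies the projected ca.crt and needs no RBAC for that.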
--- a/base/resources/nextcloud/resources/ingress.yaml +++ b/base/resources/nextcloud/resources/ingress.yaml @@ -4,16 +4,16 @@ metadata: name: nextcloud annotations: -# kustomize.config.k8s.io/needs: configmap/nextcloud-envi + # kustomize.config.k8s.io/needs: configmap/nextcloud-envi nginx.ingress.kubernetes.io/proxy-body-size: "138m" - nginx.ingress.kubernetes.io/enable-cors: "true" #cf 01 + nginx.ingress.kubernetes.io/enable-cors: "true" #cf 01 nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" #cf 01 # nginx.ingress.kubernetes.io/client_max_body_size: "100m" spec: ingressClassName: nginx rules: - - host: nxt.cadoles.fr + - host: nxt.base.fr http: paths: - path: / @@ -24,4 +24,4 @@ spec: port: number: 80 -# cf 01 => https://artifacthub.io/packages/helm/nextcloud/nextcloud \ No newline at end of file +# cf 01 => https://artifacthub.io/packages/helm/nextcloud/nextcloud diff --git a/base/resources/nextcloud/resources/job.yaml b/base/resources/nextcloud/resources/job.yaml deleted file mode 100644 index 66a7db8..0000000 --- a/base/resources/nextcloud/resources/job.yaml +++ /dev/null 
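Review bot: `- host: nxt.base.fr` turns the base Ingress host into what looks like a placeholder domain without saying so, and nothing in the base marks it as a value overlays must patch; since the dev overlay lists `patches/nginx-ingress.yaml`, annotate it: `- host: nxt.base.fr  # placeholder, overridden by overlays/dev/patches/nginx-ingress.yaml`. The re-indented `#cf 01` inline comments would also read better with a space after the hash (`# cf 01`). The rules block continues outside this hunk.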
@@ -1,63 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: create-minio-bucket -spec: - template: - spec: - initContainers: - - name: wait-for-minio - image: busybox - envFrom: - - configMapRef: - name: nextcloud-env - command: ["sh", "-c"] - args: - - | - echo "attente du service minio..." - cnt=0 - tout=300 - while [ 1 ] - do - http_code=$(wget --server-response https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}/minio/health/live 2>&1 | awk '/^ HTTP/{print $2}') - if [ "${http_code}" != "200" ]; then - echo "waiting for https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}" - sleep 1 - else - exit 0 - fi - - cnt=$((cnt+1)) - if [ "${cnt}" -ge "${tout}" ]; then - exit 3 - fi - done -# Encore nécessaire ? - containers: - - name: create-bucket - image: minio/mc - envFrom: - - configMapRef: - name: nextcloud-env - env: - - name: CONSOLE_ACCESS_KEY - valueFrom: - secretKeyRef: - name: nextcloud-minio-user - key: CONSOLE_ACCESS_KEY - - name: CONSOLE_SECRET_KEY - valueFrom: - secretKeyRef: - name: nextcloud-minio-user - key: CONSOLE_SECRET_KEY - command: ["sh", "-c"] - args: - - | - echo "création de l'alias my-minio" - mc alias set --insecure my-minio http://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY} - echo "création du bucket..." - mc mb --insecure my-minio/nextcloud-minio - echo "Bucket créé. normalement" - restartPolicy: OnFailure -# Est-ce que je mettrais pas mon ldap ici ? => ConfigMap-ldap-script.yaml ? - diff --git a/base/resources/nextcloud/resources/namespace.yaml b/base/resources/nextcloud/resources/namespace.yaml deleted file mode 100644 index d1f173a..0000000 --- a/base/resources/nextcloud/resources/namespace.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: nextcloud diff --git a/base/resources/nextcloud/resources/nextcloud-role.yaml b/base/resources/nextcloud/resources/nextcloud-role.yaml index 42d952e..9921d09 100644 
--- a/base/resources/nextcloud/resources/nextcloud-role.yaml +++ b/base/resources/nextcloud/resources/nextcloud-role.yaml @@ -1,4 +1,3 @@ ---- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -17,10 +16,12 @@ rules: - v1 resources: - secrets + - services + - pods verbs: - get - list - - patch + #- patch # Declaration d'un role nommé status-reader et attribution de droit diff --git a/base/resources/nextcloud/resources/nextcloud-tenant.yaml b/base/resources/nextcloud/resources/nextcloud-tenant.yaml deleted file mode 100644 index e0036ac..0000000 --- a/base/resources/nextcloud/resources/nextcloud-tenant.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: minio.min.io/v2 -kind: Tenant -metadata: - name: nextcloud-minio -spec: - certConfig: - dnsNames: - - "minio" - pools: - - servers: 2 - name: pool-0 - volumesPerServer: 2 - volumeClaimTemplate: - metadata: - name: nextcloud-minio-data # juste son nom dans le cluster - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 2Gi - # env: - # - name: MINIO_CONSOLE_TLS_ENABLE - # value: "off" - containerSecurityContext: - runAsUser: 1000 # droit d'accès user - runAsGroup: 1000 # droit d'accès group - runAsNonRoot: true # accès sans être root - configuration: - name: nextcloud-minio-configuration # cf resources/nextcloud/resources/kustomization.yaml - users: - - name: nextcloud-minio-user # cf resources/nextcloud/resources/kustomization.yaml - diff --git a/base/resources/nextcloud/resources/pvc.yaml b/base/resources/nextcloud/resources/pvc.yaml deleted file mode 100644 index 7a5d10e..0000000 --- a/base/resources/nextcloud/resources/pvc.yaml +++ /dev/null 
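Review bot: The second hunk widens the `status-reader` Role to `services` and `pods` while keeping `list` on `secrets`, and `list` on secrets returns every Secret in the namespace with its data, including `nextcloud-smtp` and the minio credentials the overlays generate. If the consumer only needs a specific secret, put secrets in their own rule with `get` only and `resourceNames: [nextcloud-smtp]` (use the real names the pod reads), and keep `get`/`list` on `services`/`pods` in a separate rule; commenting out `patch` goes in the right direction. The `- v1` entry in `apiGroups` visible in the context lines is an API version, not a group (the core group is `""`), so it can be dropped. The rules list starts outside this hunk.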
@@ -1,83 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-main-pvc -spec: - accessModes: - - ReadWriteOnce - volumeMode: Filesystem - resources: - requests: - storage: 5Gi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-html-pvc -spec: - accessModes: - - ReadWriteOnce - volumeMode: Filesystem - resources: - requests: - storage: 5Gi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-data-pvc -spec: - accessModes: - - ReadWriteOnce - volumeMode: Filesystem - resources: - requests: - storage: 20Gi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-config-pvc -spec: - accessModes: - - ReadWriteOnce - volumeMode: Filesystem - resources: - requests: - storage: 1Gi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-custom-pvc -spec: - accessModes: - - ReadWriteOnce - volumeMode: Filesystem - resources: - requests: - storage: 2Gi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-tmp-pvc -spec: - accessModes: - - ReadWriteOnce - volumeMode: Filesystem - resources: - requests: - storage: 5Gi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-themes-pvc -spec: - accessModes: - - ReadWriteOnce - volumeMode: Filesystem - resources: - requests: - storage: 2Gi diff --git a/base/resources/nextcloud/resources/pvc/00-main.yaml b/base/resources/nextcloud/resources/pvc/00-main.yaml new file mode 100644 index 0000000..9454edf --- /dev/null +++ b/base/resources/nextcloud/resources/pvc/00-main.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-main-pvc +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 1Gi diff --git a/base/resources/nextcloud/resources/pvc/01-html.yaml b/base/resources/nextcloud/resources/pvc/01-html.yaml new file mode 100644 index 0000000..21799c4 --- /dev/null 
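Review bot: `nextcloud-main-pvc` shrinks from 5Gi to 1Gi in this new file and `nextcloud-data-pvc` from 20Gi to 1Gi in the `02-data.yaml` hunk (the old sizes are in the deleted `pvc.yaml`), with no comment saying these are dev-sized defaults; a 1Gi data volume fills up quickly on a real instance and nothing in the base says overlays are expected to resize it. If this is intentional, add `# dev-sized default; override storage in the overlay` above `storage:` in both files, or keep the previous sizes in the base and shrink them in overlays/dev. The `01-html.yaml` file in the next hunk also starts with a stray blank line before `apiVersion:`.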
+++ b/base/resources/nextcloud/resources/pvc/01-html.yaml @@ -0,0 +1,12 @@ + +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-html-pvc +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 5Gi diff --git a/base/resources/nextcloud/resources/pvc/02-data.yaml b/base/resources/nextcloud/resources/pvc/02-data.yaml new file mode 100644 index 0000000..2c6d7e9 --- /dev/null +++ b/base/resources/nextcloud/resources/pvc/02-data.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-data-pvc +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 1Gi diff --git a/base/resources/nextcloud/resources/pvc/03-config.yaml b/base/resources/nextcloud/resources/pvc/03-config.yaml new file mode 100644 index 0000000..1cf8e84 --- /dev/null +++ b/base/resources/nextcloud/resources/pvc/03-config.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-config-pvc +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 1Gi diff --git a/base/resources/nextcloud/resources/pvc/04-custom.yaml b/base/resources/nextcloud/resources/pvc/04-custom.yaml new file mode 100644 index 0000000..35d2d7a --- /dev/null +++ b/base/resources/nextcloud/resources/pvc/04-custom.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-custom-pvc +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 2Gi diff --git a/base/resources/nextcloud/resources/pvc/06-tmp.yaml b/base/resources/nextcloud/resources/pvc/06-tmp.yaml new file mode 100644 index 0000000..e676abc --- /dev/null +++ b/base/resources/nextcloud/resources/pvc/06-tmp.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-tmp-pvc +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 5Gi diff --git a/base/resources/nextcloud/resources/pvc/07-themes.yaml b/base/resources/nextcloud/resources/pvc/07-themes.yaml new file mode 100644 index 0000000..09d93f9 --- /dev/null +++ b/base/resources/nextcloud/resources/pvc/07-themes.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nextcloud-themes-pvc +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 2Gi diff --git a/overlays/dev/cluster/lb/advertise.yaml b/overlays/dev/cluster/lb/advertise.yaml deleted file mode 100644 index d251dba..0000000 --- a/overlays/dev/cluster/lb/advertise.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: metallb.io/v1beta1 -kind: L2Advertisement -metadata: - name: l2-ip-pool-ad - namespace: metallb-system -spec: - ipAddressPools: - - main-pool - diff --git a/overlays/dev/cluster/lb/ipaddresspoool.yaml b/overlays/dev/cluster/lb/ipaddresspoool.yaml deleted file mode 100644 index da37f87..0000000 --- a/overlays/dev/cluster/lb/ipaddresspoool.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: metallb.io/v1beta1 -kind: IPAddressPool -metadata: - name: main-pool - namespace: metallb-system -spec: - addresses: - - 172.18.10.100-172.18.10.200 diff --git a/overlays/dev/cluster/lb/kustomization.yaml b/overlays/dev/cluster/lb/kustomization.yaml deleted file mode 100644 index f5994df..0000000 --- a/overlays/dev/cluster/lb/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: metallb-system - -resources: -- ipaddresspoool.yaml -- advertise.yaml diff --git a/overlays/dev/kustomization.yaml b/overlays/dev/kustomization.yaml index 5996d14..a654973 100644 --- a/overlays/dev/kustomization.yaml +++ b/overlays/dev/kustomization.yaml 
@@ -2,87 +2,30 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: nextcloud-dev -# ressources utilisées, appel de base et ajout de namespace.yaml +#namePrefix: dev- + +configurations: +- ./resources/files/minio/configurations/tenants.minio.min.io.yaml + resources: - ../../base/ -- resources/namespace.yaml -- resources/ssl.yaml - resources/cert-manager - -#- resources/host-config.yaml - -# deux façon de faire la seconde ici => -# - patches/nextcloud-patch.yaml +- resources/nextcloud/namespace.yaml +- resources/nextcloud/ssl.yaml +- resources/nextcloud/cm-ldap-script.yaml +- resources/nextcloud/minio-tenant.yaml +- resources/nextcloud/job-minio.yaml patches: +- path: patches/deployment.yaml - path: patches/nginx-ingress.yaml - -patchesStrategicMerge: - - patches/redis-config.yaml - - patches/ConfigMaps.yaml - - patches/ConfigMap-ldap-script.yaml - - patches/job.yaml - -patchesJson6902: -- target: - group: apps +- path: patches/ConfigMap-redis.yaml +- path: patches/nextcloud-env.yaml + target: + kind: ConfigMap + name: nextcloud-env version: v1 - kind: Deployment - name: app - path: patches/nextcloud-variables.yaml -- target: - group: apps - version: v1 - kind: Deployment - name: app - path: patches/nextcloud-postgres.yaml -### S3 patch do not work ! 
-# W not ok, R not ok -#- target: -# group: apps -# version: v1 -# kind: Deployment -# name: app -# path: patches/nextcloud-S3.yaml -- target: - group: apps - version: v1 - kind: Deployment - name: app - path: patches/nextcloud-probe.yaml -- target: - group: apps - version: v1 - kind: Deployment - name: app - path: patches/nextcloud-smtp.yaml -#- target: -# group: apps -# version: v1 -# kind: Ingress -# name: nextcloud -# path: patches/ingress-nextcloud.yaml -- target: - group: apps - version: v2 - kind: Tenant - name: nextcloud-minio - path: patches/tenant-conf.yaml -- target: - group: apps - version: v1 - kind: Deployment - name: app - path: patches/nextcloud-ldap.yaml - - -#- target: -# group: apps -# version: v1 -# kind: Ingress -# name: nextcloud -# path: patches/ingress-cert-manager.yaml # PARTIE MINIO 
@@ -91,94 +34,42 @@ patchesJson6902: #- name: db-user-pass # envs: # - ./resources/files/minio/config.env + secretGenerator: - #Voir https://github.com/minio/operator/issues/856 +#Voir https://github.com/minio/operator/issues/856 - name: nextcloud-minio-user - behavior: replace literals: - CONSOLE_ACCESS_KEY=minio_root - CONSOLE_SECRET_KEY=MinioRootNotSoSecret - name: nextcloud-minio-configuration - behavior: replace files: - - ./resources/files/minio/config.env # A modifier si modification mot de passe et user CONSOLE [ACCESS-SECRET] - + - ./resources/files/minio/config.env # A modifier si modification mot de passe et user CONSOLE [ACCESS-SECRET] # ajout de Variable, et redéfinition de certaines configMapGenerator: #- name: nextcloud-parameters # files: # - ./resources/files/parameters.yaml -- name: nextcloud-env - behavior: replace - literals: - - MINIO_SERVICE_NAME=$(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT) - - MINIO_SERVICE_HOST=minio - - MINIO_SERVICE_PORT=443 - options: - disableNameSuffixHash: true +#- name: nextcloud-env +# behavior: replace +# literals: +# - MINIO_SERVICE_NAME=$(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT) +# - MINIO_SERVICE_HOST=minio +# - MINIO_SERVICE_PORT=443 +# options: +# disableNameSuffixHash: true - name: nextcloud-smtp literals: - - smtp-username=user - - smtp-password=password + - smtp-username=ouchemail + - smtp-password=HjkEHJ2676yiu2 options: disableNameSuffixHash: true -# PARTIE MAUVAISE IDEE - -#replacements: -# - source: -# kind: ConfigMap -# name: host-config -# fieldPath: data.NEXTCLOUD_HOST -# targets: -# - select: -# kind: Ingress -# name: nextcloud -# fieldPaths: -# - /spec/rules[0]/host -# - select: -# kind: Deployment -# name: app -# fieldPaths: -# - /spec/template/spec/containers[0]/readinessProbe/httpGet/httpHeaders[0].value -# - /spec/template/spec/containers[0]/livenessProbe/httpGet/httpHeaders[0].value - -#vars: -# - name: NEXTCLOUD_HOST -# objref: -# kind: ConfigMap -# name: host-config -# apiVersion: v1 -# 
fieldref: -# fieldpath: data.NEXTCLOUD_HOST - - - - - - - - - - - - -## faire un fichier patch.yaml et ajouter les données à modifier comme dans les patch mse -# -# patchesStrategicMerge => deprecated use patches instead -# patchesJson6902: => deprecated use patches instead -# vars => deprecated use replacements instead - -# PRINCIPE DU PATCHE -#- target: -# version: v1 -# kind: Deployment # ce type de kind .. qui signifie ni plus ni moins ce type de type -_- -# name: app -# path: patches/le patch.yaml - -# modif pour l'image ? -#images: -#- name: foo/bar -# newName: foo/bar -# newTag: 3.4.5 \ No newline at end of file +vars: # génération d'information pour wait-for-bootstrap du pod nextcloud +- name: MINIO_BOOTSTRAP_JOB_NAME + objref: + name: create-minio-bucket + kind: Job + apiVersion: batch/v1 + fieldref: + fieldpath: metadata.name diff --git a/overlays/dev/output.yaml b/overlays/dev/output.yaml deleted file mode 100644 index 86ceef7..0000000 --- a/overlays/dev/output.yaml +++ /dev/null 
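Review bot: The `nextcloud-smtp` entry now carries what look like real credentials (`smtp-username=ouchemail` and a non-placeholder `smtp-password=` value) as literals in a file committed to the repository, and git history keeps them even after a later edit; if they are real, rotate them and load them from an untracked file (`envs: [./resources/files/smtp.env]`, gitignored) or from an external/sealed secret rather than literals. This overlay also still generates `nextcloud-smtp` without `behavior: replace` while the base kustomization changed in this commit keeps its own `nextcloud-smtp` secretGenerator, so kustomize will presumably reject the duplicate id the way the removed `behavior: replace` lines used to avoid it for the minio secrets — confirm with `kustomize build overlays/dev`. The `vars` block added at the end is the deprecated form, as the comment deleted just above it already noted; `replacements` is the supported equivalent.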
@@ -1,627 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: nextcloud-dev ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nextcloud-sa - namespace: nextcloud-dev ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: status-reader - namespace: nextcloud-dev -rules: -- apiGroups: - - batch - - v1 - resources: - - jobs - verbs: - - get - - list -- apiGroups: - - "" - - v1 - resources: - - secrets - verbs: - - get - - list - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: status-reader - namespace: nextcloud-dev -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: status-reader -subjects: -- kind: ServiceAccount - name: nextcloud-sa - namespace: nextcloud-dev ---- -apiVersion: v1 -data: - redis-config: | - maxmemory 4mb - maxmemory-policy volatile-lru - appendonly yes -kind: ConfigMap -metadata: - name: cm-redis-config - namespace: nextcloud-dev ---- -apiVersion: v1 -data: - NEXTCLOUD_HOST: nxt.serveur.fr -kind: ConfigMap -metadata: - name: host-config - namespace: nextcloud-dev ---- -apiVersion: v1 -data: - MINIO_SERVICE_HOST: minio - MINIO_SERVICE_NAME: $(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT) - MINIO_SERVICE_PORT: "443" -kind: ConfigMap -metadata: - name: nextcloud-env - namespace: nextcloud-dev ---- -apiVersion: v1 -data: - parameters.yaml: |2- - #API minio - minio_url: 'http://%env(string:MINIO_SERVICE_NAME)%:9000' - minio_key: '%env(string:MINIO_KEY)%' - minio_secret: '%env(string:MINIO_SECRET)%' - minio_bucket: 'nextcloud' - minio_root: '' - minio_path_style: true - minio_secure: false -kind: ConfigMap -metadata: - name: nextcloud-parameters - namespace: nextcloud-dev ---- -apiVersion: v1 -data: - poststart-ldap.sh: | - #!/bin/sh - - # Vérifiez si LDAP est déjà activé - if ! 
su -s /bin/sh -c "/var/www/html/occ app:list --output=json" www-data | jq -e '.enabled | has("user_ldap")'; then - # Activez le module LDAP si ce n'est pas déjà fait - su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data - echo 'activation de ldap' - fi - - # Configurez LDAP (configuration minimale) - su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapHost --value='ldap.example.com'" www-data - su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapBase --value='dc=example,dc=com'" www-data - su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentName --value='cn=admin,dc=example,dc=com'" www-data - su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentPassword --value='your_password'" www-data - - echo 'ldap configured' - - # Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart. - #exec /entrypoint.sh "$@" -kind: ConfigMap -metadata: - name: script-config-ldap - namespace: nextcloud-dev ---- -apiVersion: v1 -data: - custom-script.sh: |- - #!/bin/sh - - HOSTS_FILE="/etc/hosts" - - # Ajoutez l'entrée au fichier hosts - MINIO_SERVICE_IP="${MINIO_SERVICE_HOST}" - MINIO_NAME="${MINIO_SERVICE_NAME}" - echo "$MINIO_SERVICE_IP" minio >> $HOSTS_FILE -kind: ConfigMap -metadata: - name: update-config - namespace: nextcloud-dev ---- -apiVersion: v1 -data: - config.env: | - ZXhwb3J0IE1JTklPX1JPT1RfVVNFUj0ibWluaW9fcm9vdCIKZXhwb3J0IE1JTklPX1JPT1 - RfUEFTU1dPUkQ9Ik1pbmlvUm9vdE5vdFNvU2VjcmV0IgpleHBvcnQgTUlOSU9fU1RPUkFH - RV9DTEFTU19TVEFOREFSRD0iRUM6MiIKZXhwb3J0IE1JTklPX0JST1dTRVI9Im9uIg== -kind: Secret -metadata: - name: nextcloud-minio-configuration - namespace: nextcloud-dev -type: Opaque ---- -apiVersion: v1 -data: - CONSOLE_ACCESS_KEY: bWluaW9fcm9vdA== - CONSOLE_SECRET_KEY: TWluaW9Sb290Tm90U29TZWNyZXQ= -kind: Secret -metadata: - name: nextcloud-minio-user - namespace: nextcloud-dev -type: Opaque ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: 
nextcloud - component: app - name: nextcloud - namespace: nextcloud-dev -spec: - ports: - - port: 80 - selector: - app: nextcloud - component: app ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: redis - name: redis - namespace: nextcloud-dev -spec: - ports: - - port: 6379 - selector: - app: redis ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-config-pvc - namespace: nextcloud-dev -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - volumeMode: Filesystem ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-custom-pvc - namespace: nextcloud-dev -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 2Gi - volumeMode: Filesystem ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-data-pvc - namespace: nextcloud-dev -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 20Gi - volumeMode: Filesystem ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-html-pvc - namespace: nextcloud-dev -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - volumeMode: Filesystem ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-main-pvc - namespace: nextcloud-dev -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - volumeMode: Filesystem ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-themes-pvc - namespace: nextcloud-dev -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 2Gi - volumeMode: Filesystem ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-tmp-pvc - namespace: nextcloud-dev -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - volumeMode: Filesystem ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: nextcloud - component: app - name: app - namespace: nextcloud-dev 
-spec: - replicas: 1 - selector: - matchLabels: - app: nextcloud - component: app - template: - metadata: - labels: - app: nextcloud - component: app - spec: - containers: - - env: - - name: POSTGRES_DB - value: nextcloud - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - key: username - name: nextcloud-postgres-app - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: nextcloud-postgres-app - - name: POSTGRES_HOST - value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST) - - name: NEXTCLOUD_ADMIN_USER - value: admincadoles - - name: NEXTCLOUD_ADMIN_PASSWORD - value: CadolesNotSecret - - name: NEXTCLOUD_TRUSTED_DOMAINS - value: '*.cadoles.fr' - - name: NEXTCLOUD_INIT_LOCK - value: 512M - - name: PHP_MEMORY_LIMIT - value: 4G - - name: PHP_UPLOAD_LIMIT - value: 4G - - name: POD_INDEX - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: REDIS_HOST - value: redis - - name: REDIS_HOST_PORT - value: "6379" - - name: OBJECTSTORE_S3_HOST - value: minio:$(MINIO_SERVICE_PORT) - - name: OBJECTSTORE_S3_BUCKET - value: nextcloud-minio - - name: OBJECTSTORE_S3_KEY - value: minio_root - - name: OBJECTSTORE_S3_SECRET - value: MinioRootNotSoSecret - - name: OBJECTSTORE_S3_USEPATH_STYLE - value: "true" - - name: OBJECTSTORE_S3_SSL - value: "true" - - name: NEXTCLOUD_DATA_DIR - value: /var/www/html/data - image: reg.cadoles.com/proxy_cache/library/nextcloud:26.0.1-apache - imagePullPolicy: Always - lifecycle: - postStart: - exec: - command: - - /bin/sh - - -c - - cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt - && update-ca-certificates - - /etc/script/poststart-ldap.sh - livenessProbe: - failureThreshold: 5 - httpGet: - httpHeaders: - - name: Host - value: nxt.cadoles.fr - path: /status.php - port: 80 - initialDelaySeconds: 50 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 5 - name: app - ports: - - containerPort: 80 - readinessProbe: - failureThreshold: 5 - httpGet: - httpHeaders: - - name: 
Host - value: nxt.cadoles.fr - path: /status.php - port: 80 - initialDelaySeconds: 50 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 5 - volumeMounts: - - mountPath: /var/www/ - name: nextcloud-main-volume - - mountPath: /var/www/html - name: nextcloud-html-volume - - mountPath: /var/www/html/data - name: nextcloud-data-volume - - mountPath: /var/www/html/config - name: nextcloud-config-volume - - mountPath: /var/www/html/custom_apps - name: nextcloud-custom-volume - - mountPath: /var/www/tmp - name: nextcloud-tmp-volume - - mountPath: /var/www/html/themes - name: nextcloud-themes-volume - - mountPath: /etc/script/poststart-ldap.sh - name: script-config-ldap - subPath: poststart-ldap.sh - - mountPath: /etc/script/custom-script.sh - name: update-config-script - subPath: custom-script.sh - - mountPath: /etc/minio-ccerts - name: minio-certs - readOnly: true - initContainers: - - args: - - job - - create-minio-bucket - image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3 - name: wait-for-bootstrap - restartPolicy: Always - serviceAccountName: nextcloud-sa - volumes: - - name: minio-certs - secret: - secretName: nextcloud-minio-tls - - configMap: - defaultMode: 484 - name: update-config - name: update-config-script - - configMap: - defaultMode: 484 - name: script-config-ldap - name: script-config-ldap - - name: nextcloud-main-volume - persistentVolumeClaim: - claimName: nextcloud-main-pvc - - name: nextcloud-html-volume - persistentVolumeClaim: - claimName: nextcloud-html-pvc - - name: nextcloud-data-volume - persistentVolumeClaim: - claimName: nextcloud-data-pvc - - name: nextcloud-config-volume - persistentVolumeClaim: - claimName: nextcloud-config-pvc - - name: nextcloud-custom-volume - persistentVolumeClaim: - claimName: nextcloud-custom-pvc - - name: nextcloud-tmp-volume - persistentVolumeClaim: - claimName: nextcloud-tmp-pvc - - name: nextcloud-themes-volume - persistentVolumeClaim: - claimName: nextcloud-themes-pvc ---- -apiVersion: 
apps/v1 -kind: Deployment -metadata: - labels: - app: redis - name: redis - namespace: nextcloud-dev -spec: - replicas: 1 - selector: - matchLabels: - app: redis - template: - metadata: - labels: - app: redis - spec: - containers: - - command: - - redis-server - - /redis-master/redis.conf - image: redis:alpine - name: redis - ports: - - containerPort: 6379 - volumeMounts: - - mountPath: /redis-master-data - name: data - - mountPath: /redis-master - name: config - restartPolicy: Always - volumes: - - emptyDir: {} - name: data - - configMap: - items: - - key: redis-config - path: redis.conf - name: cm-redis-config - name: config ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: create-minio-bucket - namespace: nextcloud-dev -spec: - template: - spec: - containers: - - args: - - | - echo "création de l'alias my-minio" - mc alias set --insecure my-minio http://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY} - echo "création du bucket..." - mc mb --insecure my-minio/nextcloud-minio - echo "Bucket créé. normalement" - command: - - sh - - -c - env: - - name: CONSOLE_ACCESS_KEY - valueFrom: - secretKeyRef: - key: CONSOLE_ACCESS_KEY - name: nextcloud-minio-user - - name: CONSOLE_SECRET_KEY - valueFrom: - secretKeyRef: - key: CONSOLE_SECRET_KEY - name: nextcloud-minio-user - envFrom: - - configMapRef: - name: nextcloud-env - image: minio/mc - name: create-bucket - initContainers: - - args: - - | - echo "attente du service minio..." 
- cnt=0 - tout=300 - while [ 1 ] - do - http_code=$(wget --server-response https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}/minio/health/live 2>&1 | awk '/^ HTTP/{print $2}') - if [ "${http_code}" != "200" ]; then - echo "waiting for https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}" - sleep 1 - else - exit 0 - fi - - cnt=$((cnt+1)) - if [ "${cnt}" -ge "${tout}" ]; then - exit 3 - fi - done - command: - - sh - - -c - envFrom: - - configMapRef: - name: nextcloud-env - image: busybox - name: wait-for-minio - restartPolicy: OnFailure ---- -apiVersion: minio.min.io/v2 -kind: Tenant -metadata: - name: nextcloud-minio - namespace: nextcloud-dev -spec: - certConfig: - dnsNames: - - minio - configuration: - name: nextcloud-minio-configuration - pools: - - containerSecurityContext: - runAsGroup: 1000 - runAsNonRoot: true - runAsUser: 1000 - name: pool-0 - servers: 2 - volumeClaimTemplate: - metadata: - name: nextcloud-minio-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 2Gi - volumesPerServer: 2 - users: - - name: nextcloud-minio-user ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/cors-allow-headers: X-Forwarded-For - nginx.ingress.kubernetes.io/enable-cors: "true" - nginx.ingress.kubernetes.io/proxy-body-size: 138m - name: nextcloud - namespace: nextcloud-dev -spec: - ingressClassName: nginx - rules: - - host: nxt.cadoles.fr - http: - paths: - - backend: - service: - name: nextcloud - port: - number: 80 - path: / - pathType: Prefix ---- -apiVersion: postgresql.cnpg.io/v1 -kind: Cluster -metadata: - name: nextcloud-postgres - namespace: nextcloud-dev -spec: - bootstrap: - initdb: - database: nextcloud - owner: nextcloud - instances: 1 - primaryUpdateStrategy: unsupervised - storage: - size: 5Gi diff --git a/overlays/dev/patches/ConfigMap-ldap-script.yaml b/overlays/dev/patches/ConfigMap-ldap-script.yaml deleted file mode 100644 index 60915a6..0000000 
--- a/overlays/dev/patches/ConfigMap-ldap-script.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: script-config-ldap -data: - poststart-ldap.sh: | - #!/bin/sh - - NEXTCLOUD_READY=0 - MAX_RETRIES=30 - RETRY_INTERVAL=10 - - touch /etc/script/validator.txt - # Vérifiez si LDAP est déjà activé - # if ! su -s /bin/sh -c "/var/www/html/occ app:list --output=json" www-data | jq -e '.enabled | has("user_ldap")'; then - # Activez le module LDAP si ce n'est pas déjà fait - # su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data - #fi - for i in $(seq 1 $MAX_RETRIES); do - if curl -fsS "http://localhost/status.php" > /dev/null; then - NEXTCLOUD_READY=1 - break - else - echo "En attente de Nextcloud (tentative $i/$MAX_RETRIES)..." >> /etc/script/validator.txt - sleep $RETRY_INTERVAL - fi - done - - if [ $NEXTCLOUD_READY -eq 0 ]; then - echo "Nextcloud n'est pas prêt après $MAX_RETRIES tentatives. Abandon de l'initialisation LDAP." >> /etc/script/validator.txt - exit 1 - fi - - su -s /bin/sh -c "/var/www/html/occ app:install user_ldap" www-data - su -s /bin/sh -c "/var/www/html/occ app:update user_ldap" www-data - su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data - su -s /bin/sh -c "/var/www/html/occ ldap:create-empty-config" www-data - - ## test if backend ldap is activated and create empty config if not - # - #touch /tmp/nxt-ldap.txt - #su -s /bin/sh -c "/var/www/html/occ ldap:show-config s01 > /tmp/nextcloud-ldap.txt" www-data - #if grep -q "Invalid configID" /tmp/nextcloud-ldap.txt; then - # sudo -u www-data php /var/www/html/nextcloud/occ ldap:create-empty-config -q - #fi - - # Configurez LDAP (configuration minimale) - - su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_host '${NEXTCLOUD_LDAP_HOST}'" www-data - su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_base '${NEXTCLOUD_LDAP_BASE}'" www-data - su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_dn '${NEXTCLOUD_LDAP_DN}'" www-data - su -s /bin/sh -c "/var/www/html/occ ldap:set-config 
s01 ldap_agent_password '${NEXTCLOUD_LDAP_PASSWD}'" www-data - su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseGroups '${NEXTCLOUD_LDAP_BASE_GROUPS}'" www-data - su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseUsers '${NEXTCLOUD_LDAP_BASE_USERS}'" www-data - su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapConfigurationActive '${NEXTCLOUD_LDAP_ACTIVE_CONF}'" www-data - su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExperiencedAdmin '${NEXTCLOUD_LDAP_ADMIN_EXP}'" www-data - su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExpertUUIDUserAttr '${NEXTCLOUD_LDAP_EXP_UUID}'" www-data - su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapLoginFilter '${NEXTCLOUD_LDAP_LOGIN_FILTER}'" www-data - su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapPort '${NEXTCLOUD_LDAP_PORT}'" www-data - su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilter '${NEXTCLOUD_LDAP_USR_FILTR}'" www-data - su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilterObjectclass '${NEXTCLOUD_LDAP_OBJ_FILTR}'" www-data - su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapEmailAttribute '${NEXTCLOUD_LDAP_MAIL_ATTR}'" www-data - su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserDisplayName '${NEXTCLOUD_LDAP_USER_DISP}'" www-data - - #sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapGroupFilter "${ldapGroupFilter}" - #sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapGroupFilterObjectclass "${ldapGroupFilterObjectclass}" - #sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapGroupMemberAssocAttr "${ldapGroupMemberAssocAttr}" - - - # Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart. - #exec /entrypoint.sh "$@" - - # su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data - # est fonctionnel dans le pods nextcloud ! 
- - #liste config : su -s /bin/sh -c "/var/www/html/occ config:list" www-data diff --git a/overlays/dev/patches/redis-config.yaml b/overlays/dev/patches/ConfigMap-redis.yaml similarity index 88% rename from overlays/dev/patches/redis-config.yaml rename to overlays/dev/patches/ConfigMap-redis.yaml index fd6d819..113f162 100644 --- a/overlays/dev/patches/redis-config.yaml +++ b/overlays/dev/patches/ConfigMap-redis.yaml @@ -6,4 +6,4 @@ data: redis-config: | maxmemory 4mb maxmemory-policy volatile-lru - appendonly yes + appendonly yes \ No newline at end of file diff --git a/overlays/dev/patches/ConfigMaps.yaml b/overlays/dev/patches/ConfigMaps.yaml deleted file mode 100644 index 4f8dea7..0000000 --- a/overlays/dev/patches/ConfigMaps.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: update-config -data: - custom-script.sh: | - #!/bin/sh - - HOSTS_FILE="/etc/hosts" - - # Ajoutez l'entrée au fichier hosts - MINIO_SERVICE_IP="${MINIO_SERVICE_HOST}" - MINIO_NAME="${MINIO_SERVICE_NAME}" - echo "$MINIO_SERVICE_IP" minio >> $HOSTS_FILE \ No newline at end of file diff --git a/overlays/dev/patches/deployment.yaml b/overlays/dev/patches/deployment.yaml new file mode 100644 index 0000000..3e39575 --- /dev/null +++ b/overlays/dev/patches/deployment.yaml 
@@ -0,0 +1,91 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nextcloud-app
+spec:
+ replicas: 3
+ template:
+ spec:
+ initContainers:
+ - name: wait-for-bootstrap
+ image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
+ args:
+ - job
+ - $(MINIO_BOOTSTRAP_JOB_NAME)
+ containers:
+ - name: nextcloud
+ env:
+ - name: POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ name: nextcloud-postgres-app
+ key: username
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: nextcloud-postgres-app
+ key: password
+ - name: OBJECTSTORE_S3_BUCKET
+ value: nxt-minio
+ - name: OBJECTSTORE_S3_AUTOCREATE
+ value: "true"
+ - name: OBJECTSTORE_S3_KEY
+ valueFrom:
+ secretKeyRef:
+ name: nextcloud-minio-user
+ key: CONSOLE_ACCESS_KEY
+ - name: OBJECTSTORE_S3_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: nextcloud-minio-user
+ key: CONSOLE_SECRET_KEY
+ - name: OBJECTSTORE_S3_HOST
+ value: minio:$(MINIO_SERVICE_PORT)
+ - name: OBJECTSTORE_S3_PORT
+ value: "443"
+ - name: OBJECTSTORE_S3_SSL
+ value: "true"
+ - name: OBJECTSTORE_S3_USEPATH_STYLE
+ value: "true"
+
+ livenessProbe:
+ httpGet:
+ path: /status.php
+ port: 80
+ httpHeaders:
+ - name: Host
+ value: nxt.cadoles.lan
+ initialDelaySeconds: 50
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 6
+ readinessProbe:
+ httpGet:
+ path: /status.php
+ port: 80
+ httpHeaders:
+ - name: Host
+ value: nxt.cadoles.lan
+ initialDelaySeconds: 50
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 6
+ volumeMounts:
+ - mountPath: /docker-entrypoint-hooks.d/post-installation/ldap.sh
+ name: script-config-ldap
+ subPath: poststart-ldap.sh
+ - mountPath: /etc/minio-ccerts
+ name: minio-certs
+ readOnly: true
+ volumes:
+ - name: minio-certs
+ secret:
+ secretName: nextcloud-minio-tls
+ - name: script-config-ldap
+ configMap:
+ name: script-config-ldap
+ defaultMode: 0755
+ restartPolicy: Always
+ serviceAccountName: nextcloud-sa
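Review bot: `OBJECTSTORE_S3_BUCKET` is set to `nxt-minio` in the `nextcloud` container's `env` while `overlays/dev/patches/nextcloud-env.yaml` in this same commit replaces `/data/OBJECTSTORE_S3_BUCKET` with `nextcloud-minio`; a container `env` entry takes precedence over an `envFrom` ConfigMap, so if the base wires that ConfigMap in through `envFrom` the patched value is dead and, with `OBJECTSTORE_S3_AUTOCREATE` at `"true"`, which bucket gets created depends on which path is live. The same duplication exists for `OBJECTSTORE_S3_HOST`, `OBJECTSTORE_S3_SSL` and `OBJECTSTORE_S3_USEPATH_STYLE`, defined both here and in that ConfigMap patch; keep each setting in one place. `serviceAccountName: nextcloud-sa` is now needed only so `wait-for-bootstrap` can watch the Job, and the Nextcloud container reads its credentials through `secretKeyRef` without any API access; if that account still carries the `secrets` get/list/patch rule the removed `overlays/dev/output.yaml` rendered for `status-reader`, trim the Role to `jobs` get/list. The three `replicas` share one `defaultMode: 0755` hook script, which is fine, but the octal literal would be clearer as `0o755` or a quoted string given the mixed YAML 1.1/1.2 handling of leading zeros in tooling.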
diff --git a/overlays/dev/patches/ingress-nextcloud.yaml b/overlays/dev/patches/ingress-nextcloud.yaml deleted file mode 100644 index 4243a29..0000000 --- a/overlays/dev/patches/ingress-nextcloud.yaml +++ /dev/null @@ -1,36 +0,0 @@ -#- op: replace -# path: /metadata/annotations/nginx.ingress.kubernetes.io~1proxy-body-size -# value: "1G" -#- op: replace -# path: /metadata/annotations/nginx.ingress.kubernetes.io~1enable-cors -# value: "true" -#- op: replace -# path: /metadata/annotations/nginx.ingress.kubernetes.io~1cors-allow-headers -# value: "X-Forwarded-For" - -# En cas de besoin -#- op: add -# path: /metadata/annotations/nginx.ingress.kubernetes.io~1client_max_body_size -# value: "100m" - -#- op: replace -# path: /spec/rules/0/host -# value: nxt.cadoles.fr -#- op: replace -# path: /spec/rules/0/http/paths/0/path -# value: / -#- op: replace -# path: /spec/rules/0/http/paths/0/pathType -# value: Prefix -#- op: replace -# path: /spec/rules/0/http/paths/0/backend/service/name -# value: nextcloud -#- op: replace -# path: /spec/rules/0/http/paths/0/backend/service/port/number -# value: 80 - - - -# logiquement path = -# path: /metadata/annotations/nginx.ingress.kubernetes.io/proxy-body-size -# sauf que ... json voila, "/" est à remplacer par ~1 \ No newline at end of file diff --git a/overlays/dev/patches/job.yaml b/overlays/dev/patches/job.yaml deleted file mode 100644 index 7f125c8..0000000 --- a/overlays/dev/patches/job.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: create-minio-bucket -spec: - template: - spec: - initContainers: - - name: wait-for-minio - image: reg.cadoles.com/proxy_cache/library/debian:bookworm - envFrom: - - configMapRef: - name: nextcloud-env - command: ["sh", "-c"] - args: - - | - echo "attente du service minio..." - cnt=0 - tout=300 - apt update && apt install --yes --force-yes wget openssl - cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates - while [ 1 ] - do - http_code=$(wget --server-response https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}/minio/health/live 2>&1 | awk '/^ HTTP/{print $2}') - if [ "${http_code}" != "200" ]; then - echo "waiting for https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}" - sleep 1 - else - exit 0 - fi - - cnt=$((cnt+1)) - if [ "${cnt}" -ge "${tout}" ]; then - exit 3 - fi - done -# Encore nécessaire ? - containers: - - name: create-bucket - image: minio/mc - envFrom: - - configMapRef: - name: nextcloud-env - env: - - name: CONSOLE_ACCESS_KEY - valueFrom: - secretKeyRef: - name: nextcloud-minio-user - key: CONSOLE_ACCESS_KEY - - name: CONSOLE_SECRET_KEY - valueFrom: - secretKeyRef: - name: nextcloud-minio-user - key: CONSOLE_SECRET_KEY - command: ["sh", "-c"] - args: - - | - echo "création de l'alias my-minio" - mc alias set --insecure my-minio http://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY} - echo "création du bucket..." - mc mb --insecure my-minio/nextcloud-minio - echo "Bucket créé. normalement" - restartPolicy: OnFailure - - diff --git a/overlays/dev/patches/nextcloud-S3.yaml b/overlays/dev/patches/nextcloud-S3.yaml deleted file mode 100644 index 62b77f0..0000000 --- a/overlays/dev/patches/nextcloud-S3.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -- op: replace - path: /spec/template/spec/containers/0/env/13/value #OBJECTSTORE_S3_HOST - value: minio:$(MINIO_SERVICE_PORT) -- op: replace - path: /spec/template/spec/containers/0/env/14/value #OBJECTSTORE_S3_BUCKET - value: nextcloud-minio -- op: replace - path: /spec/template/spec/containers/0/env/15/value #OBJECTSTORE_S3_KEY - valueFrom: - secretKeyRef: - name: nextcloud-minio-user # kustomize racine - key: CONSOLE_ACCESS_KEY -- op: replace - path: /spec/template/spec/containers/0/env/16/value #OBJECTSTORE_S3_SECRET - valueFrom: - secretKeyRef: - name: nextcloud-minio-user # kustomize racine - key: CONSOLE_SECRET_KEY -- op: replace - path: /spec/template/spec/containers/0/env/17/value #OBJECTSTORE_S3_USEPATH_STYLE - value: "true" -- op: replace - path: /spec/template/spec/containers/0/env/18/value #OBJECTSTORE_S3_SSL - value: "true" diff --git a/overlays/dev/patches/nextcloud-env.yaml b/overlays/dev/patches/nextcloud-env.yaml new file mode 100644 index 0000000..9fb7506 --- /dev/null +++ b/overlays/dev/patches/nextcloud-env.yaml 
@@ -0,0 +1,72 @@
+- op: replace
+ path: "/data/NEXTCLOUD_TRUSTED_DOMAINS"
+ value: "*.cadoles.lan"
+- op: replace
+ path: "/data/OBJECTSTORE_S3_HOST"
+ value: minio:$(MINIO_SERVICE_PORT)
+- op: replace
+ path: "/data/OBJECTSTORE_S3_BUCKET"
+ value: nextcloud-minio
+- op: replace
+ path: "/data/OBJECTSTORE_S3_USEPATH_STYLE"
+ value: "true"
+- op: replace
+ path: "/data/OBJECTSTORE_S3_SSL"
+ value: "true"
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_HOST"
+ value: ldaps://ldap.cadoles.com
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_BASE"
+ value: ou=cadoles,o=gouv,c=fr
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_DN"
+ value: cn=reader,o=gouv,c=fr
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_PASSWD"
+ value: phooge2jaidae4ohguChi6quoo8okahn2ru6aixutahmiuFoh6ooshae
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_BASE_GROUPS"
+ value: ou=groups,ou=cadoles,o=gouv,c=fr
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_BASE_USERS"
+ value: ou=users,ou=cadoles,o=gouv,c=fr
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_ACTIVE_CONF"
+ value: '1'
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_ADMIN_EXP"
+ value: '0'
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_EXP_UUID"
+ value: cn
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_LOGIN_FILTER"
+ value: (&(objectClass=person)(uid=%uid))
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_LOGIN_FILTER_ATTR"
+ value: uid
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_PORT"
+ value: '636'
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_USR_FILTR"
+ value: (|(objectclass=person))
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_OBJ_FILTR"
+ value: person
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_MAIL_ATTR"
+ value: mail
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_USER_DISP"
+ value: cn
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_GROUP_FILTR"
+ value: (&(|(objectclass=cadolesGroup)))
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_GROUP_FILTR_OBJCLASS"
+ value: cadolesGroup
+- op: replace
+ path: "/data/NEXTCLOUD_LDAP_GROUP_MEMBR_ASSO"
+ value: gidNumber
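Review bot: The `/data/NEXTCLOUD_LDAP_PASSWD` entry writes the LDAP bind password into a ConfigMap patch in clear text, next to the bind DN and host, in a file committed to the repository; ConfigMaps are neither encrypted at rest nor scoped like Secrets, and anyone with read access to the repo or the namespace gets a working directory credential. Move that one key to the overlay's `secretGenerator` and inject it with `secretKeyRef`, the way `overlays/dev/patches/deployment.yaml` already does for `OBJECTSTORE_S3_KEY` and `OBJECTSTORE_S3_SECRET`, and treat the value committed here as exposed. Separately, every entry is `op: replace`, which RFC 6902 only permits when the path already exists; `NEXTCLOUD_LDAP_LOGIN_FILTER_ATTR` and the three `NEXTCLOUD_LDAP_GROUP_*` keys were not in the removed `nextcloud-ldap.yaml` list, so if the base ConfigMap does not define them the build fails and those four should be `op: add`. The unquoted filter values such as `(&(objectClass=person)(uid=%uid))` parse as plain strings today, but quoting them would guard against a future edit that starts one with a YAML indicator.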
diff --git a/overlays/dev/patches/nextcloud-ldap.yaml b/overlays/dev/patches/nextcloud-ldap.yaml deleted file mode 100644 index 5223f3c..0000000 --- a/overlays/dev/patches/nextcloud-ldap.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -- op: add - path: "/spec/template/spec/containers/0/env/-" - value: - name: NEXTCLOUD_LDAP_HOST - value: openldap.openldap -- op: add - path: "/spec/template/spec/containers/0/env/-" - value: - name: NEXTCLOUD_LDAP_BASE - value: dc=example,dc=org -- op: add - path: "/spec/template/spec/containers/0/env/-" - value: - name: NEXTCLOUD_LDAP_DN - value: cn=admin,dc=example,dc=org -- op: add - path: "/spec/template/spec/containers/0/env/-" - value: - name: NEXTCLOUD_LDAP_PASSWD - value: "adminpassword" -- op: add - path: "/spec/template/spec/containers/0/env/-" - value: - name: NEXTCLOUD_LDAP_BASE_GROUPS - value: dc=example,dc=org -- op: add - path: "/spec/template/spec/containers/0/env/-" - value: - name: NEXTCLOUD_LDAP_BASE_USERS - value: ou=users,dc=example,dc=org -- op: add - path: "/spec/template/spec/containers/0/env/-" - value: - name: NEXTCLOUD_LDAP_ACTIVE_CONF - value: "1" -- op: add - path: "/spec/template/spec/containers/0/env/-" - value: - name: NEXTCLOUD_LDAP_ADMIN_EXP - value: "0" -- op: add - path: "/spec/template/spec/containers/0/env/-" - value: - name: NEXTCLOUD_LDAP_EXP_UUID - value: cn -- op: add - path: "/spec/template/spec/containers/0/env/-" - value: - name: NEXTCLOUD_LDAP_LOGIN_FILTER - value: (&(objectClass=posixAccount)(cn=%uid)) -- op: add - path: "/spec/template/spec/containers/0/env/-" - value: - name: NEXTCLOUD_LDAP_PORT - value: "1389" -- op: add - path: "/spec/template/spec/containers/0/env/-" - value: - name: NEXTCLOUD_LDAP_USR_FILTR - value: (|(objectclass=posixAccount)) -- op: add - path: "/spec/template/spec/containers/0/env/-" - value: - name: NEXTCLOUD_LDAP_OBJ_FILTR - value: posixAccount -- op: add - path: "/spec/template/spec/containers/0/env/-" - value: - name: NEXTCLOUD_LDAP_MAIL_ATTR - value: mail -- op: add - path: "/spec/template/spec/containers/0/env/-" - value: - name: NEXTCLOUD_LDAP_USER_DISP - value: cn \ No newline at end of file 
diff --git a/overlays/dev/patches/nextcloud-patch.yaml b/overlays/dev/patches/nextcloud-patch.yaml deleted file mode 100644 index 85375d3..0000000 --- a/overlays/dev/patches/nextcloud-patch.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: app -spec: - template: - spec: - containers: - - name: app - env: - - name: NEXTCLOUD_ADMIN_USER - value: admincadoles - - name: NEXTCLOUD_ADMIN_PASSWORD - value: cadoles - - name: PHP_MEMORY_LIMIT - value: 512M - - name: PHP_UPLOAD_LIMIT - value: 4G - - name: REDIS_HOST - value: redis - - name: REDIS_HOST_PORT - value: "6379" - - name: NEXTCLOUD_DATA_DIR - value: "/var/www/html/data" - - name: NEXTCLOUD_TRUSTED_DOMAINS - value: "*.cadoles.fr" diff --git a/overlays/dev/patches/nextcloud-postgres.yaml b/overlays/dev/patches/nextcloud-postgres.yaml deleted file mode 100644 index 4bc95fa..0000000 --- a/overlays/dev/patches/nextcloud-postgres.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# USER POSTGRES -# UNIQUEMENT Si vous ne passez pas par l'operateur. -#- op: replace -# path: /spec/template/spec/containers/env/0/value #POSTGRES_DB -# value: username -#- op: replace -# path: /spec/template/spec/containers/env/1/value #POSTGRES_USER -# value: username -#- op: replace -# path: /spec/template/spec/containers/env/2/value #POSTGRES_PASSWORD -# value: password - -# CONF POSTGRES -- op: replace - path: /spec/template/spec/containers/0/env/3/value #POSTGRES_HOST - value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST) -- op: replace - path: /spec/template/spec/containers/0/env/0/value #POSTGRES_DB - value: nextcloud - - -#Name: nextcloud-postgres-app -#Namespace: nextcloud -#Labels: cnpg.io/cluster=nextcloud-postgres -# cnpg.io/reload=true -#Annotations: cnpg.io/operatorVersion: 1.18.1 -# -#Type: kubernetes.io/basic-auth -# -#Data -#==== -#password: 64 bytes -#pgpass: 112 bytes -#username: 9 bytes 
diff --git a/overlays/dev/patches/nextcloud-probe.yaml b/overlays/dev/patches/nextcloud-probe.yaml deleted file mode 100644 index 8b30e15..0000000 --- a/overlays/dev/patches/nextcloud-probe.yaml +++ /dev/null @@ -1,47 +0,0 @@ -# livenessProbe -- op: replace - path: /spec/template/spec/containers/0/livenessProbe/httpGet/httpHeaders/0/value - value: nxt.cadoles.fr -- op: replace - path: /spec/template/spec/containers/0/livenessProbe/httpGet/port - value: 80 -- op: replace - path: /spec/template/spec/containers/0/livenessProbe/initialDelaySeconds - value: 50 -- op: replace - path: /spec/template/spec/containers/0/livenessProbe/periodSeconds - value: 10 -- op: replace - path: /spec/template/spec/containers/0/livenessProbe/timeoutSeconds - value: 5 -- op: replace - path: /spec/template/spec/containers/0/livenessProbe/successThreshold - value: 1 -- op: replace - path: /spec/template/spec/containers/0/livenessProbe/failureThreshold - value: 6 - - -# readinessProbe -- op: replace - path: /spec/template/spec/containers/0/readinessProbe/httpGet/httpHeaders/0/value - value: nxt.cadoles.fr -- op: replace - path: /spec/template/spec/containers/0/readinessProbe/httpGet/port - value: 80 -- op: replace - path: /spec/template/spec/containers/0/readinessProbe/initialDelaySeconds - value: 50 -- op: replace - path: /spec/template/spec/containers/0/readinessProbe/periodSeconds - value: 10 -- op: replace - path: /spec/template/spec/containers/0/readinessProbe/timeoutSeconds - value: 5 -- op: replace - path: /spec/template/spec/containers/0/readinessProbe/successThreshold - value: 1 -- op: replace - path: /spec/template/spec/containers/0/readinessProbe/failureThreshold - value: 6 - diff --git a/overlays/dev/patches/nextcloud-smtp.yaml b/overlays/dev/patches/nextcloud-smtp.yaml deleted file mode 100644 index c72aa6c..0000000 --- a/overlays/dev/patches/nextcloud-smtp.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -- op: replace - path: /spec/template/spec/containers/0/env/19/value #MAIL_FROM_ADDRESS - value: "usercadoles" -- op: replace - path: /spec/template/spec/containers/0/env/20/value #MAIL_DOMAIN - value: "cadoles.com" -- op: replace - path: /spec/template/spec/containers/0/env/21/value #SMTP_HOST - value: "groupware.cadoles.com" -- op: replace - path: /spec/template/spec/containers/0/env/22/value #SMTP_SECURE - value: "ssl" -- op: replace - path: /spec/template/spec/containers/0/env/23/value #SMTP_PORT - value: "587" -- op: replace - path: /spec/template/spec/containers/0/env/24/value #SMTP_AUTHTYPE - value: "LOGIN" - -# THEORIQUEMENT LA MODIFICATION du secret generator lié dans kustomize suffit. -#- op: replace -# path: /spec/template/spec/containers/0/env/25/value #SMTP_NAME -# value: -#- op: replace -# path: /spec/template/spec/containers/0/env/26/value #SMTP_PASSWORD -# value: diff --git a/overlays/dev/patches/nextcloud-variables.yaml b/overlays/dev/patches/nextcloud-variables.yaml deleted file mode 100644 index e3e7d44..0000000 --- a/overlays/dev/patches/nextcloud-variables.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# USER MDP NEXTCLOUD -- op: replace - path: /spec/template/spec/containers/0/env/4/value #NEXTCLOUD_ADMIN_USER - value: admincadoles -- op: replace - path: /spec/template/spec/containers/0/env/5/value #NEXTCLOUD_ADMIN_PASSWORD - value: CadolesNotSecret - -# CONF NEXTCLOUD PHP - -- op: replace - path: /spec/template/spec/containers/0/env/8/value #PHP_MEMORY_LIMIT - value: 512M -- op: replace - path: /spec/template/spec/containers/0/env/9/value #PHP_UPLOAD_LIMIT - value: 4G - -# CONF NEXTCLOUD REDIS - -- op: replace - path: /spec/template/spec/containers/0/env/11/value #REDIS_HOST - value: redis -- op: replace - path: /spec/template/spec/containers/0/env/12/value #REDIS_HOST_PORT - value: "6379" - -# CONF NEXTCLOUD - -#- op: replace -# path: /spec/template/spec/containers/0/env/27/value #NEXTCLOUD_DATA_DIR -# value: "/var/www/html/data" -- op: replace - path: /spec/template/spec/containers/0/env/6/value #NEXTCLOUD_TRUSTED_DOMAINS - value: "*.cadoles.fr" diff --git a/overlays/dev/patches/nginx-ingress.yaml b/overlays/dev/patches/nginx-ingress.yaml index c8977de..b96071e 100644 --- a/overlays/dev/patches/nginx-ingress.yaml +++ b/overlays/dev/patches/nginx-ingress.yaml @@ -5,18 +5,18 @@ metadata: annotations: nginx.ingress.kubernetes.io/proxy-body-size: "5m" - nginx.ingress.kubernetes.io/enable-cors: "true" - nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" + nginx.ingress.kubernetes.io/enable-cors: "true" + nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" cert-manager.io/issuer: cadoles-selfsigned-ca spec: ingressClassName: nginx tls: - hosts: - - nxt.cadoles.fr + - nxt.cadoles.lan secretName: cadoles-selfsigned-ca rules: - - host: nxt.cadoles.fr + - host: nxt.cadoles.lan http: paths: - path: / diff --git a/overlays/dev/patches/tenant-conf.yaml b/overlays/dev/patches/tenant-conf.yaml deleted file mode 100644 index d1afac5..0000000 --- a/overlays/dev/patches/tenant-conf.yaml +++ /dev/null 
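Review bot: The ingress keeps `secretName: cadoles-selfsigned-ca` in its TLS block while ca.yaml and issuer.yaml in this same commit rename the CA's secret to `cadoles-selfsigned-ca-secret`; if both objects lived in one namespace before, the ingress TLS Secret and the CA's private-key Secret shared a name and whichever was written last overwrote the other, so the rename removes that collision but leaves the ingress secret named as if it were the CA. I would give the leaf certificate its own name, e.g. `secretName: nxt-cadoles-lan-tls`, so cert-manager's ingress-shim writes to a Secret that is unambiguously not CA material. The annotation `cert-manager.io/issuer: cadoles-selfsigned-ca` also differs from the `issuerRef.name: cadoles-ca-issuer` used in ssl.yaml; the Issuer's metadata.name is not visible in this diff, so one of the two references is probably stale and worth checking.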
@@ -1,21 +0,0 @@ -- op: replace - path: /spec/certConfig/dnsNames - value: ["minio"] -- op: replace - path: /spec/pools/0/servers - value: 2 -- op: replace - path: /spec/pools/0/volumesPerServer - value: 3 -- op: replace - path: /spec/pools/0/volumeClaimTemplate/spec/resources/requests/storage - value: 3Gi -- op: replace - path: /spec/pools/0/containerSecurityContext/runAsUser - value: 1000 -- op: replace - path: /spec/pools/0/containerSecurityContext/runAsGroup - value: 1000 -- op: replace - path: /spec/pools/0/containerSecurityContext/runAsNonRoot - value: true diff --git a/overlays/dev/resources/cert-manager/kustomization.yaml b/overlays/dev/resources/cert-manager/kustomization.yaml index 1d3af80..7aba831 100644 --- a/overlays/dev/resources/cert-manager/kustomization.yaml +++ b/overlays/dev/resources/cert-manager/kustomization.yaml @@ -4,4 +4,5 @@ kind: Kustomization resources: - ./resources/cluster-issuer.yaml - ./resources/ca.yaml -- ./resources/issuer.yaml \ No newline at end of file +- ./resources/issuer.yaml + diff --git a/overlays/dev/resources/cert-manager/resources/ca.yaml b/overlays/dev/resources/cert-manager/resources/ca.yaml index 454a39c..5049166 100644 --- a/overlays/dev/resources/cert-manager/resources/ca.yaml +++ b/overlays/dev/resources/cert-manager/resources/ca.yaml @@ -9,7 +9,7 @@ spec: isCA: true commonName: cadoles-selfsigned-ca # secretName: root-secret - secretName: cadoles-selfsigned-ca + secretName: cadoles-selfsigned-ca-secret privateKey: algorithm: ECDSA size: 256 diff --git a/overlays/dev/resources/cert-manager/resources/issuer.yaml b/overlays/dev/resources/cert-manager/resources/issuer.yaml index 7b5105c..182c070 100644 --- a/overlays/dev/resources/cert-manager/resources/issuer.yaml +++ b/overlays/dev/resources/cert-manager/resources/issuer.yaml @@ -6,4 +6,4 @@ metadata: # namespace: ingress-nginx spec: ca: - secretName: cadoles-selfsigned-ca \ No newline at end of file + secretName: cadoles-selfsigned-ca-secret 
diff --git a/overlays/dev/resources/files/minio/config.env b/overlays/dev/resources/files/minio/config.env
index f443282..d8176ff 100644
--- a/overlays/dev/resources/files/minio/config.env
+++ b/overlays/dev/resources/files/minio/config.env
@@ -1,4 +1,4 @@
-export MINIO_ROOT_USER="cadoles"
-export MINIO_ROOT_PASSWORD="cadoles;21"
+export MINIO_ROOT_USER="minio_root"
+export MINIO_ROOT_PASSWORD="MinioRootNotSoSecret"
 export MINIO_STORAGE_CLASS_STANDARD="EC:2"
 export MINIO_BROWSER="on"
\ No newline at end of file
diff --git a/base/resources/nextcloud/resources/files/minio/configurations/tenants.minio.min.io.yaml b/overlays/dev/resources/files/minio/configurations/tenants.minio.min.io.yaml
similarity index 100%
rename from base/resources/nextcloud/resources/files/minio/configurations/tenants.minio.min.io.yaml
rename to overlays/dev/resources/files/minio/configurations/tenants.minio.min.io.yaml
diff --git a/overlays/dev/resources/nextcloud/cm-ldap-script.yaml b/overlays/dev/resources/nextcloud/cm-ldap-script.yaml
new file mode 100644
index 0000000..ed71b7f
--- /dev/null
+++ b/overlays/dev/resources/nextcloud/cm-ldap-script.yaml
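Review bot: The MinIO root credentials stay committed in plaintext in `config.env`; changing the value to `MinioRootNotSoSecret` does not change that, and the previous `cadoles;21` remains readable in git history. I would keep the real file untracked (`.gitignore` it and commit a `config.env.example` with placeholder values) and feed it to a `secretGenerator` with `envs:` at build time; which generator consumes this file is not visible in this hunk, so that wiring needs to be confirmed. The previously committed root password should be treated as disclosed and rotated on any tenant that used it. The file also still ends without a trailing newline, as `\ No newline at end of file` shows on both sides.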
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: script-config-ldap
+data:
+ poststart-ldap.sh: |
+ #!/bin/sh
+
+ /bin/sh -c "/var/www/html/occ app:install user_ldap"
+ /bin/sh -c "/var/www/html/occ app:update user_ldap"
+ /bin/sh -c "/var/www/html/occ app:enable user_ldap"
+
+ /bin/sh -c "/var/www/html/occ ldap:show-config s01 > /tmp/nxt-ldap.txt"
+ if grep -q "Invalid configID" /tmp/nxt-ldap.txt; then
+ /bin/sh -c "/var/www/html/occ ldap:create-empty-config"
+ fi
+
+ # Configurez LDAP (configuration minimale)
+
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_host '${NEXTCLOUD_LDAP_HOST}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_base '${NEXTCLOUD_LDAP_BASE}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_dn '${NEXTCLOUD_LDAP_DN}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_agent_password '${NEXTCLOUD_LDAP_PASSWD}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseGroups '${NEXTCLOUD_LDAP_BASE_GROUPS}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseUsers '${NEXTCLOUD_LDAP_BASE_USERS}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapConfigurationActive '${NEXTCLOUD_LDAP_ACTIVE_CONF}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExperiencedAdmin '${NEXTCLOUD_LDAP_ADMIN_EXP}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExpertUUIDUserAttr '${NEXTCLOUD_LDAP_EXP_UUID}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapLoginFilter '${NEXTCLOUD_LDAP_LOGIN_FILTER}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapLoginFilterAttributes '${NEXTCLOUD_LDAP_LOGIN_FILTER_ATTR}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapPort '${NEXTCLOUD_LDAP_PORT}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilter '${NEXTCLOUD_LDAP_USR_FILTR}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilterObjectclass '${NEXTCLOUD_LDAP_OBJ_FILTR}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapEmailAttribute '${NEXTCLOUD_LDAP_MAIL_ATTR}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserDisplayName '${NEXTCLOUD_LDAP_USER_DISP}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupFilter '${NEXTCLOUD_LDAP_GROUP_FILTR}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupFilterObjectclass '${NEXTCLOUD_LDAP_GROUP_FILTR_OBJCLASS}'"
+ /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupMemberAssocAttr '${NEXTCLOUD_LDAP_GROUP_MEMBR_ASSO}'"
+
+ # Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart.
+ #exec /entrypoint.sh "$@"
+
+ # /bin/sh -c "/var/www/html/occ app:enable user_ldap"
+ # est fonctionnel dans le pods nextcloud !
+
+ #liste config : /bin/sh -c "/var/www/html/occ config:list"
diff --git a/overlays/dev/resources/host-config.yaml b/overlays/dev/resources/nextcloud/host-config.yaml
similarity index 100%
rename from overlays/dev/resources/host-config.yaml
rename to overlays/dev/resources/nextcloud/host-config.yaml
diff --git a/overlays/dev/resources/nextcloud/job-minio.yaml b/overlays/dev/resources/nextcloud/job-minio.yaml
new file mode 100644
index 0000000..14bab7b
--- /dev/null
+++ b/overlays/dev/resources/nextcloud/job-minio.yaml
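Review bot: Every `occ` call in `poststart-ldap.sh` is wrapped in `/bin/sh -c "..."` with the env values expanded by the outer shell into the command string, so a value containing a single quote (a bind password, an LDAP filter with quoted terms) terminates the inner quoting and the remainder is parsed as shell; the script already runs under `#!/bin/sh`, so the extra shell adds nothing but this second round of parsing. There is also no `set -e`, so a failed `app:install`/`app:enable` does not stop the later `ldap:set-config` calls, and an unset `NEXTCLOUD_LDAP_*` variable is silently written as an empty setting. I would call `occ` directly with double-quoted arguments and fail fast, leaving only `app:install` tolerant of failure because the hook re-runs on every container start when the app is already installed (the comment suggests this is a postStart hook; the Deployment wiring is not in this diff). The bind password is still passed as an `occ` argument, which `ldap:set-config` requires, so `NEXTCLOUD_LDAP_PASSWD` should come from a Secret rather than the env ConfigMap; its source is not visible here.
```yaml
  poststart-ldap.sh: |
    #!/bin/sh
    set -eu

    # install may fail on re-runs (already installed); enable still aborts if the app is really missing
    /var/www/html/occ app:install user_ldap || true
    /var/www/html/occ app:update user_ldap
    /var/www/html/occ app:enable user_ldap

    if /var/www/html/occ ldap:show-config s01 2>&1 | grep -q "Invalid configID"; then
      /var/www/html/occ ldap:create-empty-config
    fi

    /var/www/html/occ ldap:set-config s01 ldap_host "${NEXTCLOUD_LDAP_HOST}"
    /var/www/html/occ ldap:set-config s01 ldap_agent_password "${NEXTCLOUD_LDAP_PASSWD}"
    # … unchanged: the remaining ldap:set-config keys, rewritten the same way …
```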
@@ -0,0 +1,41 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: create-minio-bucket
+spec:
+ template:
+ spec:
+ initContainers:
+ - name: wait-for-minio
+ image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
+ args:
+ - service
+ - minio
+ containers:
+ - name: create-bucket
+ image: minio/mc
+ envFrom:
+ - configMapRef:
+ name: nextcloud-env
+ env:
+ - name: CONSOLE_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: nextcloud-minio-user
+ key: CONSOLE_ACCESS_KEY
+ - name: CONSOLE_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: nextcloud-minio-user
+ key: CONSOLE_SECRET_KEY
+ command: ["sh", "-c"]
+ args:
+ - |
+ echo "création de l'alias my-minio"
+ mc alias set --insecure my-minio https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY}
+ echo "création du bucket..."
+ mc mb --insecure my-minio/nextcloud-minio
+ echo "Bucket créé. normalement"
+ restartPolicy: OnFailure
+ serviceAccountName: nextcloud-sa # declare user for initcontainer
+
diff --git a/overlays/dev/resources/nextcloud/minio-tenant.yaml b/overlays/dev/resources/nextcloud/minio-tenant.yaml
new file mode 100644
index 0000000..36c4aa0
--- /dev/null
+++ b/overlays/dev/resources/nextcloud/minio-tenant.yaml
@@ -0,0 +1,29 @@
+apiVersion: minio.min.io/v2
+kind: Tenant
+metadata:
+ name: nextcloud-minio
+spec:
+ certConfig:
+ dnsNames:
+ - "minio"
+ pools:
+ - servers: 2
+ name: pool-0
+ volumesPerServer: 3
+ volumeClaimTemplate:
+ metadata:
+ name: nextcloud-minio-data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 3Gi
+ containerSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ configuration:
+ name: nextcloud-minio-configuration
+ users:
+ - name: nextcloud-minio-user
diff --git a/overlays/dev/resources/namespace.yaml b/overlays/dev/resources/nextcloud/namespace.yaml
similarity index 100%
rename from overlays/dev/resources/namespace.yaml
rename to overlays/dev/resources/nextcloud/namespace.yaml
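Review bot: Both `mc` calls in job-minio.yaml pass `--insecure`, so the Job never verifies the tenant's TLS certificate even though the Tenant added in this same commit requests a certificate with `dnsNames: ["minio"]`, which is the host this Job reaches through `MINIO_SERVICE_HOST`; mounting the CA the operator issues for the tenant into the container and dropping `--insecure` would keep the check (which Secret holds that CA is not visible in this diff). `image: minio/mc` is a floating tag while the init container is pinned to `k8s-wait-for:v1.3` through the registry proxy; pin it the same way, ideally by digest, so the bucket-creation step is reproducible. The access and secret keys are passed as `mc alias set` arguments and so show up in the container's process list; `mc` also reads them from an `MC_HOST_<alias>` environment variable (the alias then needs a name that is valid as an env-var suffix, e.g. `myminio`), which avoids that. Finally `mc mb` without `--ignore-existing` fails on any re-run once the bucket exists, and with `restartPolicy: OnFailure` the pod is restarted with back-off until the default `backoffLimit` marks the Job failed; `mc mb --insecure --ignore-existing my-minio/nextcloud-minio` together with `set -e` at the top of the script makes the step idempotent and fail-fast.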
diff --git a/overlays/dev/resources/ssl.yaml b/overlays/dev/resources/nextcloud/ssl.yaml similarity index 90% rename from overlays/dev/resources/ssl.yaml rename to overlays/dev/resources/nextcloud/ssl.yaml index 6f2098d..f14efa3 100644 --- a/overlays/dev/resources/ssl.yaml +++ b/overlays/dev/resources/nextcloud/ssl.yaml @@ -15,7 +15,7 @@ spec: - cadoles # The use of the common name field has been deprecated since 2000 and is # discouraged from being used. - commonName: cadoles.fr + commonName: cadoles.lan isCA: false privateKey: algorithm: RSA @@ -27,8 +27,8 @@ spec: # At least one of a DNS Name, URI, or IP address is required. dnsNames: - nextcloud - - nextcloud.cadoles.fr - - nxt.cadoles.fr + - nextcloud.cadoles.lan + - nxt.cadoles.lan # Issuer references are always required. issuerRef: name: cadoles-ca-issuer @@ -37,4 +37,4 @@ spec: kind: Issuer # This is optional since cert-manager will default to this value however # if you are using an external issuer, change this to that issuer group. - group: cert-manager.io \ No newline at end of file + group: cert-manager.io diff --git a/requires/kustomization.yaml b/requires/kustomization.yaml index e0c5711..f1b9ea9 100644 --- a/requires/kustomization.yaml +++ b/requires/kustomization.yaml @@ -8,5 +8,6 @@ resources: - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop #- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop # Nextcloud ne fonctionne pas avec la couche sentinelle - https://forge.cadoles.com/CadolesKube/c-kustom//base/minio?ref=develop -- https://forge.cadoles.com/vfebvre/openldap-kustom?ref=develop +#- https://forge.cadoles.com/vfebvre/openldap-kustom?ref=develop #- ./lb => déplacé dans dev/ car propre à l'environnement cible +- https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
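Review bot: In requires/kustomization.yaml the cert-manager manifest is now fetched from a GitHub release URL and the c-kustom bases use `?ref=develop`, so every `kubectl apply -k requires/` pulls mutable content over the network with no integrity check; the release URL is at least pinned to v1.12.0, but a branch ref can change between two applies. I would pin the remote bases to a tag or commit (`?ref=<tag-or-sha>`) and, for cert-manager, either vendor the manifest into the repository or record a checksum of the fetched file next to the URL and verify it before applying. The README in this commit says cert-manager is installed from requires/, which this hunk matches; commenting out the openldap-kustom line, however, means `requires/` no longer installs the dev LDAP server that the new cm-ldap-script presumably configures against, so the README should say where that server now comes from.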