CadolesKube
/
nextcloud-kustom
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(all): global cleanning adding dev overlay

This commit is contained in:
vfebvre 2023-09-04 12:40:18 +02:00 committed by Philippe Caseiro
parent acb545c1a0
commit 94c32cfb98
57 changed files with 473 additions and 1740 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
README.md
View File

@ -1,12 +1,33 @@
# nextcloud-kustom # nextcloud-kustom
**WARNING - test branch, does not respect the target strategy for a production environment** Base include :
- nextcloud app
- postgres
- ...
Default configuration (base directory) :
- use an external S3,
- use local authentication,
- use internal K8s certificate,
- use postgresSQL
If you want change, you must do your configuration in the overlays section
Overlays dev sections install :
- base
- rename namespace to nextcloud-dev
- use cert-manager (to install CRDs requirement, check requires/)
**To install a test cluster on your machine**
1. Create cluster 1. Create cluster
```kind create cluster --config requires/cluster/cluster.yaml``` ```kind create cluster --config requires/cluster/cluster.yaml```
2. Install operators and openldap(dev) 2. Install operators, cert-manager and openldap(dev)
```kubectl apply -k requires/``` ```kubectl apply -k requires/```
@ -18,9 +39,4 @@
```kubectl apply -k overlays/dev``` ```kubectl apply -k overlays/dev```
## cert-manager
Install crds :
```kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml```

1
base/components/cnpg-database/kustomization.yaml
View File

@ -1,6 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1alpha1 apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component kind: Component
namespace: nextcloud
configurations: configurations:
- ./configurations/cnpg-config.yaml - ./configurations/cnpg-config.yaml

1
base/components/cnpg-database/resources/nextcloud-cnpg.yaml
View File

@ -2,7 +2,6 @@ apiVersion: postgresql.cnpg.io/v1
kind: Cluster kind: Cluster
metadata: metadata:
name: nextcloud-postgres name: nextcloud-postgres
namespace: nextcloud
spec: spec:
instances: 1 instances: 1
primaryUpdateStrategy: unsupervised primaryUpdateStrategy: unsupervised

3
base/components/one-redis/kustomization.yaml
View File

@ -1,8 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1alpha1 apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component kind: Component
namespace: nextcloud
resources: resources:
- deployment.yaml - deployment.yaml
- redis-service.yaml - redis-service.yaml
- ConfigMap-redis.yaml - ConfigMap-redis.yaml

7
base/kustomization.yaml
View File

@ -1,16 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: nextcloud
generatorOptions: generatorOptions:
disableNameSuffixHash: true disableNameSuffixHash: true
# référence à l'exemple cadoles. # référence à l'exemple cadoles.
# cela force la mise à jours des secret en questions liés aux ressources ayant le labels "tenant" lorsque modifié # cela force la mise à jours des secret en questions liés aux ressources ayant le labels "tenant" lorsque modifié
configurations:
#- https://forge.cadoles.com/CadolesKube/c-kustom/raw/branch/develop/base/minio/configurations/tenants.minio.min.io.yaml
# => importé en locale pour pouvoir faire un kustomize build
- ./resources/nextcloud/resources/files/minio/configurations/tenants.minio.min.io.yaml
resources: resources:
- ./resources/nextcloud - ./resources/nextcloud
@ -36,4 +31,4 @@ components:
# - name: nextcloud-config-volume # permet de monter le fichier de configuration dans # - name: nextcloud-config-volume # permet de monter le fichier de configuration dans
# configMap: # les instances supplémentaires # configMap: # les instances supplémentaires
# name: nextcloud-config # via le configmap ConfigMaps-php.yaml # name: nextcloud-config # via le configmap ConfigMaps-php.yaml

60
base/resources/nextcloud/kustomization.yaml
View File

@ -1,63 +1,43 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
# namespace: nextcloud
generatorOptions: generatorOptions:
disableNameSuffixHash: true # suppression des suffixe en hash en bout de nom disableNameSuffixHash: true # suppression des suffixe en hash en bout de nom
resources: resources:
- ./resources/deployment.yaml - ./resources/deployment.yaml
# - ./resources/namespace.yaml
- ./resources/nextcloud-tenant.yaml
- ./resources/nextcloud-service.yaml - ./resources/nextcloud-service.yaml
- ./resources/pvc.yaml
- ./resources/job.yaml
- ./resources/ConfigMap.yaml
- ./resources/nextcloud-rolebinding.yaml - ./resources/nextcloud-rolebinding.yaml
- ./resources/nextcloud-role.yaml - ./resources/nextcloud-role.yaml
- ./resources/nextcloud-serviceaccount.yaml - ./resources/nextcloud-serviceaccount.yaml
- ./resources/ingress.yaml - ./resources/ingress.yaml
- ./resources/ConfigMap-ldap-script.yaml - ./resources/pvc/00-main.yaml
- ./resources/pvc/01-html.yaml
#- ./resources/secret.yaml - ./resources/pvc/02-data.yaml
- ./resources/pvc/03-config.yaml
- ./resources/pvc/04-custom.yaml
- ./resources/pvc/06-tmp.yaml
- ./resources/pvc/07-themes.yaml
configMapGenerator: configMapGenerator:
- name: nextcloud-parameters
files:
- ./resources/files/parameters.yaml
- name: nextcloud-env - name: nextcloud-env
literals: literals:
- MINIO_SERVICE_NAME=$(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT) # pas nécessaire je pense - NEXTCLOUD_ADMIN_USER="admin"
- MINIO_SERVICE_HOST=minio - NEXTCLOUD_ADMIN_PASSWORD="cadoles" # 5
- MINIO_SERVICE_PORT=443 - NEXTCLOUD_TRUSTED_DOMAINS="*.cadoles.fr"
- PHP_MEMORY_LIMIT="512M"
- PHP_UPLOAD_LIMIT="4G"
- MAIL_FROM_ADDRESS="user"
- MAIL_DOMAIN="cadoles.fr"
- SMTP_HOST="smtp.cadoles.com"
- SMTP_SECURE="ssl"
- SMTP_PORT="465"
- SMTP_AUTHTYPE="LOGIN"
secretGenerator: secretGenerator:
# Voir https://github.com/minio/operator/issues/856
- name: nextcloud-minio-user
literals:
- CONSOLE_ACCESS_KEY=minio_root
- CONSOLE_SECRET_KEY=MinioRootNotSoSecret
options:
disableNameSuffixHash: true
# Voir https://github.com/minio/operator/issues/856
- name: nextcloud-minio-configuration
files:
- ./resources/files/minio/config.env # A modifier si modification mot de passe et user CONSOLE [ACCESS-SECRET]
options:
disableNameSuffixHash: true
- name: nextcloud-smtp - name: nextcloud-smtp
literals: literals:
- smtp-username=user - smtp-username=secretuser
- smtp-password=password - smtp-password=secretpassword
options: options:
disableNameSuffixHash: true disableNameSuffixHash: true
vars: # génération d'information pour wait-for-bootstrap du pod nextcloud
- name: MINIO_BOOTSTRAP_JOB_NAME
objref:
name: create-minio-bucket
kind: Job
apiVersion: batch/v1
fieldref:
fieldpath: metadata.name

46
base/resources/nextcloud/resources/ConfigMap-ldap-script.yaml
View File

@ -1,46 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: script-config-ldap
data:
poststart-ldap.sh: |
#!/bin/sh
NEXTCLOUD_READY=0
MAX_RETRIES=30
RETRY_INTERVAL=10
touch /etc/script/validator.txt
# Vérifiez si LDAP est déjà activé
# if ! su -s /bin/sh -c "/var/www/html/occ app:list --output=json" www-data | jq -e '.enabled | has("user_ldap")'; then
# Activez le module LDAP si ce n'est pas déjà fait
# su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
#fi
for i in $(seq 1 $MAX_RETRIES); do
if curl -fsS "http://localhost/status.php" > /dev/null; then
NEXTCLOUD_READY=1
break
else
echo "En attente de Nextcloud (tentative $i/$MAX_RETRIES)..." >> /etc/script/validator.txt
sleep $RETRY_INTERVAL
fi
done
if [ $NEXTCLOUD_READY -eq 0 ]; then
echo "Nextcloud n'est pas prêt après $MAX_RETRIES tentatives. Abandon de l'initialisation LDAP." >> /etc/script/validator.txt
exit 1
fi
su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
# Configurez LDAP (configuration minimale)
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapHost --value='ldap.example.com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapBase --value='dc=example,dc=com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentName --value='cn=admin,dc=example,dc=com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentPassword --value='your_password'" www-data
# Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart.
#exec /entrypoint.sh "$@"
# su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
# est fonctionnel dans le pods nextcloud !

14
base/resources/nextcloud/resources/ConfigMap.yaml
View File

@ -1,14 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: update-config
data:
custom-script.sh: |
#!/bin/sh
HOSTS_FILE="/etc/hosts"
# Ajoutez l'entrée au fichier hosts
MINIO_SERVICE_IP="${MINIO_SERVICE_HOST}"
MINIO_NAME="${MINIO_SERVICE_NAME}"
echo "$MINIO_SERVICE_IP" minio >> $HOSTS_FILE

142
base/resources/nextcloud/resources/deployment.yaml
View File

@ -4,9 +4,9 @@ metadata:
labels: labels:
app: nextcloud app: nextcloud
component: app component: app
name: app name: nextcloud-app
spec: spec:
# serviceName: nextcloud # serviceName: nextcloud
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
@ -21,16 +21,16 @@ spec:
containers: containers:
- image: reg.cadoles.com/proxy_cache/library/nextcloud:27.0.2-apache - image: reg.cadoles.com/proxy_cache/library/nextcloud:27.0.2-apache
imagePullPolicy: Always imagePullPolicy: Always
name: app name: nextcloud
ports: ports:
- containerPort: 80 - containerPort: 80
lifecycle: lifecycle:
postStart: postStart:
exec: exec:
command: ["/bin/sh", "-c", "cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates && /etc/script/poststart-ldap.sh && touch /etc/script/try01.txt"] command: ["/bin/sh", "-c", "cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates"]
# envFrom: envFrom:
# - configMapRef: - configMapRef:
# name: nextcloud-env name: nextcloud-env
env: env:
- name: POSTGRES_DB - name: POSTGRES_DB
value: nextcloud value: nextcloud
@ -46,56 +46,16 @@ spec:
key: password key: password
- name: POSTGRES_HOST - name: POSTGRES_HOST
value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST) #value: nextcloud-postgres-rw.nextcloud.svc.cluster.local value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST) #value: nextcloud-postgres-rw.nextcloud.svc.cluster.local
- name: NEXTCLOUD_ADMIN_USER
value: admin
- name: NEXTCLOUD_ADMIN_PASSWORD # 5
value: cadoles
- name: NEXTCLOUD_TRUSTED_DOMAINS
value: "*.cadoles.fr"
- name: NEXTCLOUD_INIT_LOCK - name: NEXTCLOUD_INIT_LOCK
value: "true" value: "true"
- name: PHP_MEMORY_LIMIT
value: 512M
- name: PHP_UPLOAD_LIMIT
value: 4G
- name: POD_INDEX - name: POD_INDEX
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.name fieldPath: metadata.name
- name: REDIS_HOST - name: REDIS_HOST
value: redis # équivaut à redis.nextcloud.svc.cluster.local value: redis
# value: $(RFS_NEXTCLOUD_REDIS_SERVICE_HOST) => For redis-operator
- name: REDIS_HOST_PORT - name: REDIS_HOST_PORT
value: "6379" value: "6379"
######################
# Partie minio S3
- name: OBJECTSTORE_S3_HOST
value: minio:$(MINIO_SERVICE_PORT)
# value: $(MINIO_SERVICE_NAME):$(MINIO_SERVICE_PORT)
- name: OBJECTSTORE_S3_BUCKET
value: nextcloud-minio
- name: OBJECTSTORE_S3_KEY # 15
value: minio_root
- name: OBJECTSTORE_S3_SECRET
value: MinioRootNotSoSecret
- name: OBJECTSTORE_S3_USEPATH_STYLE
value: "true"
- name: OBJECTSTORE_S3_SSL # 18
value: "true"
##################################
# Mise en place SMTP
- name: MAIL_FROM_ADDRESS
value: "user"
- name: MAIL_DOMAIN
value: "domain.com"
- name: SMTP_HOST
value: "domain.com"
- name: SMTP_SECURE
value: "ssl"
- name: SMTP_PORT
value: "465"
- name: SMTP_AUTHTYPE
value: "LOGIN"
- name: SMTP_NAME - name: SMTP_NAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
@ -106,34 +66,8 @@ spec:
secretKeyRef: secretKeyRef:
name: nextcloud-smtp name: nextcloud-smtp
key: smtp-password key: smtp-password
- name: NEXTCLOUD_DATA_DIR - name: NEXTCLOUD_DATA_DIR
value: "/var/www/html/data" value: "/var/www/html/data"
livenessProbe: # vérifie si c'est planté ou non
httpGet:
path: /status.php
port: 80 # en reférence à ingress.yaml ?
httpHeaders:
- name: Host
value: nxt.cadoles.fr # valeurs égale à celle dans ingress.yaml
initialDelaySeconds: 50
periodSeconds: 15
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
readinessProbe: # vérifie si c'est ok pour envoyer des requête ou non
httpGet:
path: /status.php
port: 80 # en référence à ingress.yaml ?
httpHeaders:
- name: Host
value: nxt.cadoles.fr # valeurs égale à celle dans ingress.yaml
initialDelaySeconds: 50
periodSeconds: 15
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
volumeMounts: volumeMounts:
- mountPath: /var/www/ - mountPath: /var/www/
name: nextcloud-main-volume name: nextcloud-main-volume
@ -149,45 +83,7 @@ spec:
name: nextcloud-tmp-volume name: nextcloud-tmp-volume
- mountPath: /var/www/html/themes - mountPath: /var/www/html/themes
name: nextcloud-themes-volume name: nextcloud-themes-volume
# ICI montage pour les script !
- mountPath: /etc/script/poststart-ldap.sh
name: script-config-ldap
subPath: poststart-ldap.sh
- mountPath: /etc/script/custom-script.sh
name: update-config-script
subPath: custom-script.sh
- mountPath: /etc/minio-ccerts
name: minio-certs
readOnly: true
# MOUNT-TRY-multi-instance
# - name: nextcloud-config-volume # monte le fichier de configuration dans
# mountPath: /var/www/html/config # les instances supplémentaire
# readOnly: false # via le configmap ConfigMaps-php.yaml
restartPolicy: Always
serviceAccountName: nextcloud-sa # declare user for initcontainer
# trois volumes pour les script
volumes: volumes:
- name: minio-certs
secret:
secretName: nextcloud-minio-tls # montage des certificat de minio
- name: update-config-script
configMap:
name: update-config
defaultMode: 0744
- name: script-config-ldap
configMap:
name: script-config-ldap
defaultMode: 0744
# MOUNT-TRY-multi-instance
# - name: nextcloud-config-volume # permet de monter le fichier de configuration dans
# configMap: # les instances supplémentaires
# name: nextcloud-config # via le configmap ConfigMaps-php.yaml
- name: nextcloud-main-volume - name: nextcloud-main-volume
persistentVolumeClaim: persistentVolumeClaim:
claimName: nextcloud-main-pvc claimName: nextcloud-main-pvc
@ -209,23 +105,5 @@ spec:
- name: nextcloud-themes-volume - name: nextcloud-themes-volume
persistentVolumeClaim: persistentVolumeClaim:
claimName: nextcloud-themes-pvc claimName: nextcloud-themes-pvc
restartPolicy: Always
initContainers: # cf README.md part ##YAML explain / ### PODS WAIT serviceAccountName: nextcloud-sa # declare user for initcontainer
- name: wait-for-bootstrap
image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
args:
- job
- $(MINIO_BOOTSTRAP_JOB_NAME)
#####################################################
# For REDIS-OPERATOR USE THIS TO SET PORT
#####################################################
# - name: REDIS_HOST_PORT
# value: $(RFS_NEXTCLOUD_REDIS_SERVICE_PORT)
# - name: REDIS_HOST_PASSWORD
# valueFrom:
# secretKeyRef:
# name: redis-secret
# key: password
#####################################################

4
base/resources/nextcloud/resources/files/minio/config.env
View File

@ -1,4 +0,0 @@
export MINIO_ROOT_USER="minio_root"
export MINIO_ROOT_PASSWORD="MinioRootNotSoSecret"
export MINIO_STORAGE_CLASS_STANDARD="EC:2"
export MINIO_BROWSER="on"

8
base/resources/nextcloud/resources/files/parameters.yaml
View File

@ -1,8 +0,0 @@
#API minio
minio_url: 'http://%env(string:MINIO_SERVICE_NAME)%:9000'
minio_key: '%env(string:MINIO_KEY)%'
minio_secret: '%env(string:MINIO_SECRET)%'
minio_bucket: 'nextcloud'
minio_root: ''
minio_path_style: true
minio_secure: false

8
base/resources/nextcloud/resources/ingress.yaml
View File

@ -4,16 +4,16 @@ metadata:
name: nextcloud name: nextcloud
annotations: annotations:
# kustomize.config.k8s.io/needs: configmap/nextcloud-envi # kustomize.config.k8s.io/needs: configmap/nextcloud-envi
nginx.ingress.kubernetes.io/proxy-body-size: "138m" nginx.ingress.kubernetes.io/proxy-body-size: "138m"
nginx.ingress.kubernetes.io/enable-cors: "true" #cf 01 nginx.ingress.kubernetes.io/enable-cors: "true" #cf 01
nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" #cf 01 nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" #cf 01
# nginx.ingress.kubernetes.io/client_max_body_size: "100m" # nginx.ingress.kubernetes.io/client_max_body_size: "100m"
spec: spec:
ingressClassName: nginx ingressClassName: nginx
rules: rules:
- host: nxt.cadoles.fr - host: nxt.base.fr
http: http:
paths: paths:
- path: / - path: /
@ -24,4 +24,4 @@ spec:
port: port:
number: 80 number: 80
# cf 01 => https://artifacthub.io/packages/helm/nextcloud/nextcloud # cf 01 => https://artifacthub.io/packages/helm/nextcloud/nextcloud

63
base/resources/nextcloud/resources/job.yaml
View File

@ -1,63 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: create-minio-bucket
spec:
template:
spec:
initContainers:
- name: wait-for-minio
image: busybox
envFrom:
- configMapRef:
name: nextcloud-env
command: ["sh", "-c"]
args:
- |
echo "attente du service minio..."
cnt=0
tout=300
while [ 1 ]
do
http_code=$(wget --server-response https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}/minio/health/live 2>&1 | awk '/^ HTTP/{print $2}')
if [ "${http_code}" != "200" ]; then
echo "waiting for https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}"
sleep 1
else
exit 0
fi
cnt=$((cnt+1))
if [ "${cnt}" -ge "${tout}" ]; then
exit 3
fi
done
# Encore nécessaire ?
containers:
- name: create-bucket
image: minio/mc
envFrom:
- configMapRef:
name: nextcloud-env
env:
- name: CONSOLE_ACCESS_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_ACCESS_KEY
- name: CONSOLE_SECRET_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_SECRET_KEY
command: ["sh", "-c"]
args:
- |
echo "création de l'alias my-minio"
mc alias set --insecure my-minio http://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY}
echo "création du bucket..."
mc mb --insecure my-minio/nextcloud-minio
echo "Bucket créé. normalement"
restartPolicy: OnFailure
# Est-ce que je mettrais pas mon ldap ici ? => ConfigMap-ldap-script.yaml ?

4
base/resources/nextcloud/resources/namespace.yaml
View File

@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: nextcloud

5
base/resources/nextcloud/resources/nextcloud-role.yaml
View File

@ -1,4 +1,3 @@
---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
@ -17,10 +16,12 @@ rules:
- v1 - v1
resources: resources:
- secrets - secrets
- services
- pods
verbs: verbs:
- get - get
- list - list
- patch #- patch
# Declaration d'un role nommé status-reader et attribution de droit # Declaration d'un role nommé status-reader et attribution de droit

33
base/resources/nextcloud/resources/nextcloud-tenant.yaml
View File

@ -1,33 +0,0 @@
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
name: nextcloud-minio
spec:
certConfig:
dnsNames:
- "minio"
pools:
- servers: 2
name: pool-0
volumesPerServer: 2
volumeClaimTemplate:
metadata:
name: nextcloud-minio-data # juste son nom dans le cluster
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
# env:
# - name: MINIO_CONSOLE_TLS_ENABLE
# value: "off"
containerSecurityContext:
runAsUser: 1000 # droit d'accès user
runAsGroup: 1000 # droit d'accès group
runAsNonRoot: true # accès sans être root
configuration:
name: nextcloud-minio-configuration # cf resources/nextcloud/resources/kustomization.yaml
users:
- name: nextcloud-minio-user # cf resources/nextcloud/resources/kustomization.yaml

83
base/resources/nextcloud/resources/pvc.yaml
View File

@ -1,83 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-main-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-html-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-data-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 20Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-config-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-custom-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 2Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-tmp-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-themes-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 2Gi

11
base/resources/nextcloud/resources/pvc/00-main.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-main-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi

12
base/resources/nextcloud/resources/pvc/01-html.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-html-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi

11
base/resources/nextcloud/resources/pvc/02-data.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-data-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi

11
base/resources/nextcloud/resources/pvc/03-config.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-config-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 1Gi

11
base/resources/nextcloud/resources/pvc/04-custom.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-custom-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 2Gi

11
base/resources/nextcloud/resources/pvc/06-tmp.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-tmp-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 5Gi

11
base/resources/nextcloud/resources/pvc/07-themes.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-themes-pvc
spec:
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
resources:
requests:
storage: 2Gi

9
overlays/dev/cluster/lb/advertise.yaml
View File

@ -1,9 +0,0 @@
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: l2-ip-pool-ad
namespace: metallb-system
spec:
ipAddressPools:
- main-pool

8
overlays/dev/cluster/lb/ipaddresspoool.yaml
View File

@ -1,8 +0,0 @@
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: main-pool
namespace: metallb-system
spec:
addresses:
- 172.18.10.100-172.18.10.200

7
overlays/dev/cluster/lb/kustomization.yaml
View File

@ -1,7 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: metallb-system
resources:
- ipaddresspoool.yaml
- advertise.yaml

183
overlays/dev/kustomization.yaml
View File

@ -2,87 +2,30 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: nextcloud-dev namespace: nextcloud-dev
# ressources utilisées, appel de base et ajout de namespace.yaml #namePrefix: dev-
configurations:
- ./resources/files/minio/configurations/tenants.minio.min.io.yaml
resources: resources:
- ../../base/ - ../../base/
- resources/namespace.yaml
- resources/ssl.yaml
- resources/cert-manager - resources/cert-manager
- resources/nextcloud/namespace.yaml
#- resources/host-config.yaml - resources/nextcloud/ssl.yaml
- resources/nextcloud/cm-ldap-script.yaml
# deux façon de faire la seconde ici => - resources/nextcloud/minio-tenant.yaml
# - patches/nextcloud-patch.yaml - resources/nextcloud/job-minio.yaml
patches: patches:
- path: patches/deployment.yaml
- path: patches/nginx-ingress.yaml - path: patches/nginx-ingress.yaml
- path: patches/ConfigMap-redis.yaml
patchesStrategicMerge: - path: patches/nextcloud-env.yaml
- patches/redis-config.yaml target:
- patches/ConfigMaps.yaml kind: ConfigMap
- patches/ConfigMap-ldap-script.yaml name: nextcloud-env
- patches/job.yaml
patchesJson6902:
- target:
group: apps
version: v1 version: v1
kind: Deployment
name: app
path: patches/nextcloud-variables.yaml
- target:
group: apps
version: v1
kind: Deployment
name: app
path: patches/nextcloud-postgres.yaml
### S3 patch do not work !
# W not ok, R not ok
#- target:
# group: apps
# version: v1
# kind: Deployment
# name: app
# path: patches/nextcloud-S3.yaml
- target:
group: apps
version: v1
kind: Deployment
name: app
path: patches/nextcloud-probe.yaml
- target:
group: apps
version: v1
kind: Deployment
name: app
path: patches/nextcloud-smtp.yaml
#- target:
# group: apps
# version: v1
# kind: Ingress
# name: nextcloud
# path: patches/ingress-nextcloud.yaml
- target:
group: apps
version: v2
kind: Tenant
name: nextcloud-minio
path: patches/tenant-conf.yaml
- target:
group: apps
version: v1
kind: Deployment
name: app
path: patches/nextcloud-ldap.yaml
#- target:
# group: apps
# version: v1
# kind: Ingress
# name: nextcloud
# path: patches/ingress-cert-manager.yaml
# PARTIE MINIO # PARTIE MINIO
@ -91,94 +34,42 @@ patchesJson6902:
#- name: db-user-pass #- name: db-user-pass
# envs: # envs:
# - ./resources/files/minio/config.env # - ./resources/files/minio/config.env
secretGenerator: secretGenerator:
#Voir https://github.com/minio/operator/issues/856 #Voir https://github.com/minio/operator/issues/856
- name: nextcloud-minio-user - name: nextcloud-minio-user
behavior: replace
literals: literals:
- CONSOLE_ACCESS_KEY=minio_root - CONSOLE_ACCESS_KEY=minio_root
- CONSOLE_SECRET_KEY=MinioRootNotSoSecret - CONSOLE_SECRET_KEY=MinioRootNotSoSecret
- name: nextcloud-minio-configuration - name: nextcloud-minio-configuration
behavior: replace
files: files:
- ./resources/files/minio/config.env # A modifier si modification mot de passe et user CONSOLE [ACCESS-SECRET] - ./resources/files/minio/config.env # A modifier si modification mot de passe et user CONSOLE [ACCESS-SECRET]
# ajout de Variable, et redéfinition de certaines # ajout de Variable, et redéfinition de certaines
configMapGenerator: configMapGenerator:
#- name: nextcloud-parameters #- name: nextcloud-parameters
# files: # files:
# - ./resources/files/parameters.yaml # - ./resources/files/parameters.yaml
- name: nextcloud-env #- name: nextcloud-env
behavior: replace # behavior: replace
literals: # literals:
- MINIO_SERVICE_NAME=$(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT) # - MINIO_SERVICE_NAME=$(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT)
- MINIO_SERVICE_HOST=minio # - MINIO_SERVICE_HOST=minio
- MINIO_SERVICE_PORT=443 # - MINIO_SERVICE_PORT=443
options: # options:
disableNameSuffixHash: true # disableNameSuffixHash: true
- name: nextcloud-smtp - name: nextcloud-smtp
literals: literals:
- smtp-username=user - smtp-username=ouchemail
- smtp-password=password - smtp-password=HjkEHJ2676yiu2
options: options:
disableNameSuffixHash: true disableNameSuffixHash: true
# PARTIE MAUVAISE IDEE vars: # génération d'information pour wait-for-bootstrap du pod nextcloud
- name: MINIO_BOOTSTRAP_JOB_NAME
#replacements: objref:
# - source: name: create-minio-bucket
# kind: ConfigMap kind: Job
# name: host-config apiVersion: batch/v1
# fieldPath: data.NEXTCLOUD_HOST fieldref:
# targets: fieldpath: metadata.name
# - select:
# kind: Ingress
# name: nextcloud
# fieldPaths:
# - /spec/rules[0]/host
# - select:
# kind: Deployment
# name: app
# fieldPaths:
# - /spec/template/spec/containers[0]/readinessProbe/httpGet/httpHeaders[0].value
# - /spec/template/spec/containers[0]/livenessProbe/httpGet/httpHeaders[0].value
#vars:
# - name: NEXTCLOUD_HOST
# objref:
# kind: ConfigMap
# name: host-config
# apiVersion: v1
# fieldref:
# fieldpath: data.NEXTCLOUD_HOST
## faire un fichier patch.yaml et ajouter les données à modifier comme dans les patch mse
#
# patchesStrategicMerge => deprecated use patches instead
# patchesJson6902: => deprecated use patches instead
# vars => deprecated use replacements instead
# PRINCIPE DU PATCHE
#- target:
# version: v1
# kind: Deployment # ce type de kind .. qui signifie ni plus ni moins ce type de type -_-
# name: app
# path: patches/le patch.yaml
# modif pour l'image ?
#images:
#- name: foo/bar
# newName: foo/bar
# newTag: 3.4.5

627
overlays/dev/output.yaml
View File

@ -1,627 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: nextcloud-dev
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nextcloud-sa
namespace: nextcloud-dev
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: status-reader
namespace: nextcloud-dev
rules:
- apiGroups:
- batch
- v1
resources:
- jobs
verbs:
- get
- list
- apiGroups:
- ""
- v1
resources:
- secrets
verbs:
- get
- list
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: status-reader
namespace: nextcloud-dev
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: status-reader
subjects:
- kind: ServiceAccount
name: nextcloud-sa
namespace: nextcloud-dev
---
apiVersion: v1
data:
redis-config: |
maxmemory 4mb
maxmemory-policy volatile-lru
appendonly yes
kind: ConfigMap
metadata:
name: cm-redis-config
namespace: nextcloud-dev
---
apiVersion: v1
data:
NEXTCLOUD_HOST: nxt.serveur.fr
kind: ConfigMap
metadata:
name: host-config
namespace: nextcloud-dev
---
apiVersion: v1
data:
MINIO_SERVICE_HOST: minio
MINIO_SERVICE_NAME: $(MINIO_SERVICE_HOST):$(MINIO_SERVICE_PORT)
MINIO_SERVICE_PORT: "443"
kind: ConfigMap
metadata:
name: nextcloud-env
namespace: nextcloud-dev
---
apiVersion: v1
data:
parameters.yaml: |2-
#API minio
minio_url: 'http://%env(string:MINIO_SERVICE_NAME)%:9000'
minio_key: '%env(string:MINIO_KEY)%'
minio_secret: '%env(string:MINIO_SECRET)%'
minio_bucket: 'nextcloud'
minio_root: ''
minio_path_style: true
minio_secure: false
kind: ConfigMap
metadata:
name: nextcloud-parameters
namespace: nextcloud-dev
---
apiVersion: v1
data:
poststart-ldap.sh: |
#!/bin/sh
# Vérifiez si LDAP est déjà activé
if ! su -s /bin/sh -c "/var/www/html/occ app:list --output=json" www-data | jq -e '.enabled | has("user_ldap")'; then
# Activez le module LDAP si ce n'est pas déjà fait
su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
echo 'activation de ldap'
fi
# Configurez LDAP (configuration minimale)
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapHost --value='ldap.example.com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapBase --value='dc=example,dc=com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentName --value='cn=admin,dc=example,dc=com'" www-data
su -s /bin/sh -c "/var/www/html/occ config:app:set user_ldap ldapAgentPassword --value='your_password'" www-data
echo 'ldap configured'
# Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart.
#exec /entrypoint.sh "$@"
kind: ConfigMap
metadata:
name: script-config-ldap
namespace: nextcloud-dev
---
apiVersion: v1
data:
custom-script.sh: |-
#!/bin/sh
HOSTS_FILE="/etc/hosts"
# Ajoutez l'entrée au fichier hosts
MINIO_SERVICE_IP="${MINIO_SERVICE_HOST}"
MINIO_NAME="${MINIO_SERVICE_NAME}"
echo "$MINIO_SERVICE_IP" minio >> $HOSTS_FILE
kind: ConfigMap
metadata:
name: update-config
namespace: nextcloud-dev
---
apiVersion: v1
data:
config.env: |
ZXhwb3J0IE1JTklPX1JPT1RfVVNFUj0ibWluaW9fcm9vdCIKZXhwb3J0IE1JTklPX1JPT1
RfUEFTU1dPUkQ9Ik1pbmlvUm9vdE5vdFNvU2VjcmV0IgpleHBvcnQgTUlOSU9fU1RPUkFH
RV9DTEFTU19TVEFOREFSRD0iRUM6MiIKZXhwb3J0IE1JTklPX0JST1dTRVI9Im9uIg==
kind: Secret
metadata:
name: nextcloud-minio-configuration
namespace: nextcloud-dev
type: Opaque
---
apiVersion: v1
data:
CONSOLE_ACCESS_KEY: bWluaW9fcm9vdA==
CONSOLE_SECRET_KEY: TWluaW9Sb290Tm90U29TZWNyZXQ=
kind: Secret
metadata:
name: nextcloud-minio-user
namespace: nextcloud-dev
type: Opaque
---
apiVersion: v1
kind: Service
metadata:
labels:
app: nextcloud
component: app
name: nextcloud
namespace: nextcloud-dev
spec:
ports:
- port: 80
selector:
app: nextcloud
component: app
---
apiVersion: v1
kind: Service
metadata:
labels:
app: redis
name: redis
namespace: nextcloud-dev
spec:
ports:
- port: 6379
selector:
app: redis
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-config-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-custom-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-data-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-html-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-main-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-themes-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-tmp-pvc
namespace: nextcloud-dev
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
volumeMode: Filesystem
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: nextcloud
component: app
name: app
namespace: nextcloud-dev
spec:
replicas: 1
selector:
matchLabels:
app: nextcloud
component: app
template:
metadata:
labels:
app: nextcloud
component: app
spec:
containers:
- env:
- name: POSTGRES_DB
value: nextcloud
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: nextcloud-postgres-app
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: nextcloud-postgres-app
- name: POSTGRES_HOST
value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST)
- name: NEXTCLOUD_ADMIN_USER
value: admincadoles
- name: NEXTCLOUD_ADMIN_PASSWORD
value: CadolesNotSecret
- name: NEXTCLOUD_TRUSTED_DOMAINS
value: '*.cadoles.fr'
- name: NEXTCLOUD_INIT_LOCK
value: 512M
- name: PHP_MEMORY_LIMIT
value: 4G
- name: PHP_UPLOAD_LIMIT
value: 4G
- name: POD_INDEX
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: REDIS_HOST
value: redis
- name: REDIS_HOST_PORT
value: "6379"
- name: OBJECTSTORE_S3_HOST
value: minio:$(MINIO_SERVICE_PORT)
- name: OBJECTSTORE_S3_BUCKET
value: nextcloud-minio
- name: OBJECTSTORE_S3_KEY
value: minio_root
- name: OBJECTSTORE_S3_SECRET
value: MinioRootNotSoSecret
- name: OBJECTSTORE_S3_USEPATH_STYLE
value: "true"
- name: OBJECTSTORE_S3_SSL
value: "true"
- name: NEXTCLOUD_DATA_DIR
value: /var/www/html/data
image: reg.cadoles.com/proxy_cache/library/nextcloud:26.0.1-apache
imagePullPolicy: Always
lifecycle:
postStart:
exec:
command:
- /bin/sh
- -c
- cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt
&& update-ca-certificates
- /etc/script/poststart-ldap.sh
livenessProbe:
failureThreshold: 5
httpGet:
httpHeaders:
- name: Host
value: nxt.cadoles.fr
path: /status.php
port: 80
initialDelaySeconds: 50
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 5
name: app
ports:
- containerPort: 80
readinessProbe:
failureThreshold: 5
httpGet:
httpHeaders:
- name: Host
value: nxt.cadoles.fr
path: /status.php
port: 80
initialDelaySeconds: 50
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 5
volumeMounts:
- mountPath: /var/www/
name: nextcloud-main-volume
- mountPath: /var/www/html
name: nextcloud-html-volume
- mountPath: /var/www/html/data
name: nextcloud-data-volume
- mountPath: /var/www/html/config
name: nextcloud-config-volume
- mountPath: /var/www/html/custom_apps
name: nextcloud-custom-volume
- mountPath: /var/www/tmp
name: nextcloud-tmp-volume
- mountPath: /var/www/html/themes
name: nextcloud-themes-volume
- mountPath: /etc/script/poststart-ldap.sh
name: script-config-ldap
subPath: poststart-ldap.sh
- mountPath: /etc/script/custom-script.sh
name: update-config-script
subPath: custom-script.sh
- mountPath: /etc/minio-ccerts
name: minio-certs
readOnly: true
initContainers:
- args:
- job
- create-minio-bucket
image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
name: wait-for-bootstrap
restartPolicy: Always
serviceAccountName: nextcloud-sa
volumes:
- name: minio-certs
secret:
secretName: nextcloud-minio-tls
- configMap:
defaultMode: 484
name: update-config
name: update-config-script
- configMap:
defaultMode: 484
name: script-config-ldap
name: script-config-ldap
- name: nextcloud-main-volume
persistentVolumeClaim:
claimName: nextcloud-main-pvc
- name: nextcloud-html-volume
persistentVolumeClaim:
claimName: nextcloud-html-pvc
- name: nextcloud-data-volume
persistentVolumeClaim:
claimName: nextcloud-data-pvc
- name: nextcloud-config-volume
persistentVolumeClaim:
claimName: nextcloud-config-pvc
- name: nextcloud-custom-volume
persistentVolumeClaim:
claimName: nextcloud-custom-pvc
- name: nextcloud-tmp-volume
persistentVolumeClaim:
claimName: nextcloud-tmp-pvc
- name: nextcloud-themes-volume
persistentVolumeClaim:
claimName: nextcloud-themes-pvc
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: redis
name: redis
namespace: nextcloud-dev
spec:
replicas: 1
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- command:
- redis-server
- /redis-master/redis.conf
image: redis:alpine
name: redis
ports:
- containerPort: 6379
volumeMounts:
- mountPath: /redis-master-data
name: data
- mountPath: /redis-master
name: config
restartPolicy: Always
volumes:
- emptyDir: {}
name: data
- configMap:
items:
- key: redis-config
path: redis.conf
name: cm-redis-config
name: config
---
apiVersion: batch/v1
kind: Job
metadata:
name: create-minio-bucket
namespace: nextcloud-dev
spec:
template:
spec:
containers:
- args:
- |
echo "création de l'alias my-minio"
mc alias set --insecure my-minio http://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY}
echo "création du bucket..."
mc mb --insecure my-minio/nextcloud-minio
echo "Bucket créé. normalement"
command:
- sh
- -c
env:
- name: CONSOLE_ACCESS_KEY
valueFrom:
secretKeyRef:
key: CONSOLE_ACCESS_KEY
name: nextcloud-minio-user
- name: CONSOLE_SECRET_KEY
valueFrom:
secretKeyRef:
key: CONSOLE_SECRET_KEY
name: nextcloud-minio-user
envFrom:
- configMapRef:
name: nextcloud-env
image: minio/mc
name: create-bucket
initContainers:
- args:
- |
echo "attente du service minio..."
cnt=0
tout=300
while [ 1 ]
do
http_code=$(wget --server-response https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}/minio/health/live 2>&1 | awk '/^ HTTP/{print $2}')
if [ "${http_code}" != "200" ]; then
echo "waiting for https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}"
sleep 1
else
exit 0
fi
cnt=$((cnt+1))
if [ "${cnt}" -ge "${tout}" ]; then
exit 3
fi
done
command:
- sh
- -c
envFrom:
- configMapRef:
name: nextcloud-env
image: busybox
name: wait-for-minio
restartPolicy: OnFailure
---
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
name: nextcloud-minio
namespace: nextcloud-dev
spec:
certConfig:
dnsNames:
- minio
configuration:
name: nextcloud-minio-configuration
pools:
- containerSecurityContext:
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
name: pool-0
servers: 2
volumeClaimTemplate:
metadata:
name: nextcloud-minio-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
volumesPerServer: 2
users:
- name: nextcloud-minio-user
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/cors-allow-headers: X-Forwarded-For
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 138m
name: nextcloud
namespace: nextcloud-dev
spec:
ingressClassName: nginx
rules:
- host: nxt.cadoles.fr
http:
paths:
- backend:
service:
name: nextcloud
port:
number: 80
path: /
pathType: Prefix
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: nextcloud-postgres
namespace: nextcloud-dev
spec:
bootstrap:
initdb:
database: nextcloud
owner: nextcloud
instances: 1
primaryUpdateStrategy: unsupervised
storage:
size: 5Gi

76
overlays/dev/patches/ConfigMap-ldap-script.yaml
View File

@ -1,76 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: script-config-ldap
data:
poststart-ldap.sh: |
#!/bin/sh
NEXTCLOUD_READY=0
MAX_RETRIES=30
RETRY_INTERVAL=10
touch /etc/script/validator.txt
# Vérifiez si LDAP est déjà activé
# if ! su -s /bin/sh -c "/var/www/html/occ app:list --output=json" www-data | jq -e '.enabled | has("user_ldap")'; then
# Activez le module LDAP si ce n'est pas déjà fait
# su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
#fi
for i in $(seq 1 $MAX_RETRIES); do
if curl -fsS "http://localhost/status.php" > /dev/null; then
NEXTCLOUD_READY=1
break
else
echo "En attente de Nextcloud (tentative $i/$MAX_RETRIES)..." >> /etc/script/validator.txt
sleep $RETRY_INTERVAL
fi
done
if [ $NEXTCLOUD_READY -eq 0 ]; then
echo "Nextcloud n'est pas prêt après $MAX_RETRIES tentatives. Abandon de l'initialisation LDAP." >> /etc/script/validator.txt
exit 1
fi
su -s /bin/sh -c "/var/www/html/occ app:install user_ldap" www-data
su -s /bin/sh -c "/var/www/html/occ app:update user_ldap" www-data
su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:create-empty-config" www-data
## test if backend ldap is activated and create empty config if not
#
#touch /tmp/nxt-ldap.txt
#su -s /bin/sh -c "/var/www/html/occ ldap:show-config s01 > /tmp/nextcloud-ldap.txt" www-data
#if grep -q "Invalid configID" /tmp/nextcloud-ldap.txt; then
# sudo -u www-data php /var/www/html/nextcloud/occ ldap:create-empty-config -q
#fi
# Configurez LDAP (configuration minimale)
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_host '${NEXTCLOUD_LDAP_HOST}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_base '${NEXTCLOUD_LDAP_BASE}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_dn '${NEXTCLOUD_LDAP_DN}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_agent_password '${NEXTCLOUD_LDAP_PASSWD}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseGroups '${NEXTCLOUD_LDAP_BASE_GROUPS}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseUsers '${NEXTCLOUD_LDAP_BASE_USERS}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapConfigurationActive '${NEXTCLOUD_LDAP_ACTIVE_CONF}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExperiencedAdmin '${NEXTCLOUD_LDAP_ADMIN_EXP}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExpertUUIDUserAttr '${NEXTCLOUD_LDAP_EXP_UUID}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapLoginFilter '${NEXTCLOUD_LDAP_LOGIN_FILTER}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapPort '${NEXTCLOUD_LDAP_PORT}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilter '${NEXTCLOUD_LDAP_USR_FILTR}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilterObjectclass '${NEXTCLOUD_LDAP_OBJ_FILTR}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapEmailAttribute '${NEXTCLOUD_LDAP_MAIL_ATTR}'" www-data
su -s /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserDisplayName '${NEXTCLOUD_LDAP_USER_DISP}'" www-data
#sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapGroupFilter "${ldapGroupFilter}"
#sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapGroupFilterObjectclass "${ldapGroupFilterObjectclass}"
#sudo -u www-data php /var/www/html/nextcloud/occ ldap:set-config s01 ldapGroupMemberAssocAttr "${ldapGroupMemberAssocAttr}"
# Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart.
#exec /entrypoint.sh "$@"
# su -s /bin/sh -c "/var/www/html/occ app:enable user_ldap" www-data
# est fonctionnel dans le pods nextcloud !
#liste config : su -s /bin/sh -c "/var/www/html/occ config:list" www-data

2
overlays/dev/patches/redis-config.yaml → overlays/dev/patches/ConfigMap-redis.yaml
View File

@ -6,4 +6,4 @@ data:
redis-config: | redis-config: |
maxmemory 4mb maxmemory 4mb
maxmemory-policy volatile-lru maxmemory-policy volatile-lru
appendonly yes appendonly yes

14
overlays/dev/patches/ConfigMaps.yaml
View File

@ -1,14 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: update-config
data:
custom-script.sh: |
#!/bin/sh
HOSTS_FILE="/etc/hosts"
# Ajoutez l'entrée au fichier hosts
MINIO_SERVICE_IP="${MINIO_SERVICE_HOST}"
MINIO_NAME="${MINIO_SERVICE_NAME}"
echo "$MINIO_SERVICE_IP" minio >> $HOSTS_FILE

91
overlays/dev/patches/deployment.yaml Normal file
View File

@ -0,0 +1,91 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nextcloud-app
spec:
replicas: 3
template:
spec:
initContainers:
- name: wait-for-bootstrap
image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
args:
- job
- $(MINIO_BOOTSTRAP_JOB_NAME)
containers:
- name: nextcloud
env:
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: nextcloud-postgres-app
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: nextcloud-postgres-app
key: password
- name: OBJECTSTORE_S3_BUCKET
value: nxt-minio
- name: OBJECTSTORE_S3_AUTOCREATE
value: "true"
- name: OBJECTSTORE_S3_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_ACCESS_KEY
- name: OBJECTSTORE_S3_SECRET
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_SECRET_KEY
- name: OBJECTSTORE_S3_HOST
value: minio:$(MINIO_SERVICE_PORT)
- name: OBJECTSTORE_S3_PORT
value: "443"
- name: OBJECTSTORE_S3_SSL
value: "true"
- name: OBJECTSTORE_S3_USEPATH_STYLE
value: "true"
livenessProbe:
httpGet:
path: /status.php
port: 80
httpHeaders:
- name: Host
value: nxt.cadoles.lan
initialDelaySeconds: 50
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
readinessProbe:
httpGet:
path: /status.php
port: 80
httpHeaders:
- name: Host
value: nxt.cadoles.lan
initialDelaySeconds: 50
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
volumeMounts:
- mountPath: /docker-entrypoint-hooks.d/post-installation/ldap.sh
name: script-config-ldap
subPath: poststart-ldap.sh
- mountPath: /etc/minio-ccerts
name: minio-certs
readOnly: true
volumes:
- name: minio-certs
secret:
secretName: nextcloud-minio-tls
- name: script-config-ldap
configMap:
name: script-config-ldap
defaultMode: 0755
restartPolicy: Always
serviceAccountName: nextcloud-sa

36
overlays/dev/patches/ingress-nextcloud.yaml
View File

@ -1,36 +0,0 @@
#- op: replace
# path: /metadata/annotations/nginx.ingress.kubernetes.io~1proxy-body-size
# value: "1G"
#- op: replace
# path: /metadata/annotations/nginx.ingress.kubernetes.io~1enable-cors
# value: "true"
#- op: replace
# path: /metadata/annotations/nginx.ingress.kubernetes.io~1cors-allow-headers
# value: "X-Forwarded-For"
# En cas de besoin
#- op: add
# path: /metadata/annotations/nginx.ingress.kubernetes.io~1client_max_body_size
# value: "100m"
#- op: replace
# path: /spec/rules/0/host
# value: nxt.cadoles.fr
#- op: replace
# path: /spec/rules/0/http/paths/0/path
# value: /
#- op: replace
# path: /spec/rules/0/http/paths/0/pathType
# value: Prefix
#- op: replace
# path: /spec/rules/0/http/paths/0/backend/service/name
# value: nextcloud
#- op: replace
# path: /spec/rules/0/http/paths/0/backend/service/port/number
# value: 80
# logiquement path =
# path: /metadata/annotations/nginx.ingress.kubernetes.io/proxy-body-size
# sauf que ... json voila, "/" est à remplacer par ~1

65
overlays/dev/patches/job.yaml
View File

@ -1,65 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: create-minio-bucket
spec:
template:
spec:
initContainers:
- name: wait-for-minio
image: reg.cadoles.com/proxy_cache/library/debian:bookworm
envFrom:
- configMapRef:
name: nextcloud-env
command: ["sh", "-c"]
args:
- |
echo "attente du service minio..."
cnt=0
tout=300
apt update && apt install --yes --force-yes wget openssl
cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates
while [ 1 ]
do
http_code=$(wget --server-response https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}/minio/health/live 2>&1 | awk '/^ HTTP/{print $2}')
if [ "${http_code}" != "200" ]; then
echo "waiting for https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT}"
sleep 1
else
exit 0
fi
cnt=$((cnt+1))
if [ "${cnt}" -ge "${tout}" ]; then
exit 3
fi
done
# Encore nécessaire ?
containers:
- name: create-bucket
image: minio/mc
envFrom:
- configMapRef:
name: nextcloud-env
env:
- name: CONSOLE_ACCESS_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_ACCESS_KEY
- name: CONSOLE_SECRET_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_SECRET_KEY
command: ["sh", "-c"]
args:
- |
echo "création de l'alias my-minio"
mc alias set --insecure my-minio http://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY}
echo "création du bucket..."
mc mb --insecure my-minio/nextcloud-minio
echo "Bucket créé. normalement"
restartPolicy: OnFailure

24
overlays/dev/patches/nextcloud-S3.yaml
View File

@ -1,24 +0,0 @@
- op: replace
path: /spec/template/spec/containers/0/env/13/value #OBJECTSTORE_S3_HOST
value: minio:$(MINIO_SERVICE_PORT)
- op: replace
path: /spec/template/spec/containers/0/env/14/value #OBJECTSTORE_S3_BUCKET
value: nextcloud-minio
- op: replace
path: /spec/template/spec/containers/0/env/15/value #OBJECTSTORE_S3_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user # kustomize racine
key: CONSOLE_ACCESS_KEY
- op: replace
path: /spec/template/spec/containers/0/env/16/value #OBJECTSTORE_S3_SECRET
valueFrom:
secretKeyRef:
name: nextcloud-minio-user # kustomize racine
key: CONSOLE_SECRET_KEY
- op: replace
path: /spec/template/spec/containers/0/env/17/value #OBJECTSTORE_S3_USEPATH_STYLE
value: "true"
- op: replace
path: /spec/template/spec/containers/0/env/18/value #OBJECTSTORE_S3_SSL
value: "true"

72
overlays/dev/patches/nextcloud-env.yaml Normal file
View File

@ -0,0 +1,72 @@
- op: replace
path: "/data/NEXTCLOUD_TRUSTED_DOMAINS"
value: "*.cadoles.lan"
- op: replace
path: "/data/OBJECTSTORE_S3_HOST"
value: minio:$(MINIO_SERVICE_PORT)
- op: replace
path: "/data/OBJECTSTORE_S3_BUCKET"
value: nextcloud-minio
- op: replace
path: "/data/OBJECTSTORE_S3_USEPATH_STYLE"
value: "true"
- op: replace
path: "/data/OBJECTSTORE_S3_SSL"
value: "true"
- op: replace
path: "/data/NEXTCLOUD_LDAP_HOST"
value: ldaps://ldap.cadoles.com
- op: replace
path: "/data/NEXTCLOUD_LDAP_BASE"
value: ou=cadoles,o=gouv,c=fr
- op: replace
path: "/data/NEXTCLOUD_LDAP_DN"
value: cn=reader,o=gouv,c=fr
- op: replace
path: "/data/NEXTCLOUD_LDAP_PASSWD"
value: phooge2jaidae4ohguChi6quoo8okahn2ru6aixutahmiuFoh6ooshae
- op: replace
path: "/data/NEXTCLOUD_LDAP_BASE_GROUPS"
value: ou=groups,ou=cadoles,o=gouv,c=fr
- op: replace
path: "/data/NEXTCLOUD_LDAP_BASE_USERS"
value: ou=users,ou=cadoles,o=gouv,c=fr
- op: replace
path: "/data/NEXTCLOUD_LDAP_ACTIVE_CONF"
value: '1'
- op: replace
path: "/data/NEXTCLOUD_LDAP_ADMIN_EXP"
value: '0'
- op: replace
path: "/data/NEXTCLOUD_LDAP_EXP_UUID"
value: cn
- op: replace
path: "/data/NEXTCLOUD_LDAP_LOGIN_FILTER"
value: (&(objectClass=person)(uid=%uid))
- op: replace
path: "/data/NEXTCLOUD_LDAP_LOGIN_FILTER_ATTR"
value: uid
- op: replace
path: "/data/NEXTCLOUD_LDAP_PORT"
value: '636'
- op: replace
path: "/data/NEXTCLOUD_LDAP_USR_FILTR"
value: (|(objectclass=person))
- op: replace
path: "/data/NEXTCLOUD_LDAP_OBJ_FILTR"
value: person
- op: replace
path: "/data/NEXTCLOUD_LDAP_MAIL_ATTR"
value: mail
- op: replace
path: "/data/NEXTCLOUD_LDAP_USER_DISP"
value: cn
- op: replace
path: "/data/NEXTCLOUD_LDAP_GROUP_FILTR"
value: (&(|(objectclass=cadolesGroup)))
- op: replace
path: "/data/NEXTCLOUD_LDAP_GROUP_FILTR_OBJCLASS"
value: cadolesGroup
- op: replace
path: "/data/NEXTCLOUD_LDAP_GROUP_MEMBR_ASSO"
value: gidNumber

75
overlays/dev/patches/nextcloud-ldap.yaml
View File

@ -1,75 +0,0 @@
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_HOST
value: openldap.openldap
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_BASE
value: dc=example,dc=org
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_DN
value: cn=admin,dc=example,dc=org
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_PASSWD
value: "adminpassword"
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_BASE_GROUPS
value: dc=example,dc=org
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_BASE_USERS
value: ou=users,dc=example,dc=org
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_ACTIVE_CONF
value: "1"
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_ADMIN_EXP
value: "0"
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_EXP_UUID
value: cn
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_LOGIN_FILTER
value: (&(objectClass=posixAccount)(cn=%uid))
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_PORT
value: "1389"
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_USR_FILTR
value: (|(objectclass=posixAccount))
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_OBJ_FILTR
value: posixAccount
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_MAIL_ATTR
value: mail
- op: add
path: "/spec/template/spec/containers/0/env/-"
value:
name: NEXTCLOUD_LDAP_USER_DISP
value: cn

26
overlays/dev/patches/nextcloud-patch.yaml
View File

@ -1,26 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: app
spec:
template:
spec:
containers:
- name: app
env:
- name: NEXTCLOUD_ADMIN_USER
value: admincadoles
- name: NEXTCLOUD_ADMIN_PASSWORD
value: cadoles
- name: PHP_MEMORY_LIMIT
value: 512M
- name: PHP_UPLOAD_LIMIT
value: 4G
- name: REDIS_HOST
value: redis
- name: REDIS_HOST_PORT
value: "6379"
- name: NEXTCLOUD_DATA_DIR
value: "/var/www/html/data"
- name: NEXTCLOUD_TRUSTED_DOMAINS
value: "*.cadoles.fr"

34
overlays/dev/patches/nextcloud-postgres.yaml
View File

@ -1,34 +0,0 @@
# USER POSTGRES
# UNIQUEMENT Si vous ne passez pas par l'operateur.
#- op: replace
# path: /spec/template/spec/containers/env/0/value #POSTGRES_DB
# value: username
#- op: replace
# path: /spec/template/spec/containers/env/1/value #POSTGRES_USER
# value: username
#- op: replace
# path: /spec/template/spec/containers/env/2/value #POSTGRES_PASSWORD
# value: password
# CONF POSTGRES
- op: replace
path: /spec/template/spec/containers/0/env/3/value #POSTGRES_HOST
value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST)
- op: replace
path: /spec/template/spec/containers/0/env/0/value #POSTGRES_DB
value: nextcloud
#Name: nextcloud-postgres-app
#Namespace: nextcloud
#Labels: cnpg.io/cluster=nextcloud-postgres
# cnpg.io/reload=true
#Annotations: cnpg.io/operatorVersion: 1.18.1
#
#Type: kubernetes.io/basic-auth
#
#Data
#====
#password: 64 bytes
#pgpass: 112 bytes
#username: 9 bytes

47
overlays/dev/patches/nextcloud-probe.yaml
View File

@ -1,47 +0,0 @@
# livenessProbe
- op: replace
path: /spec/template/spec/containers/0/livenessProbe/httpGet/httpHeaders/0/value
value: nxt.cadoles.fr
- op: replace
path: /spec/template/spec/containers/0/livenessProbe/httpGet/port
value: 80
- op: replace
path: /spec/template/spec/containers/0/livenessProbe/initialDelaySeconds
value: 50
- op: replace
path: /spec/template/spec/containers/0/livenessProbe/periodSeconds
value: 10
- op: replace
path: /spec/template/spec/containers/0/livenessProbe/timeoutSeconds
value: 5
- op: replace
path: /spec/template/spec/containers/0/livenessProbe/successThreshold
value: 1
- op: replace
path: /spec/template/spec/containers/0/livenessProbe/failureThreshold
value: 6
# readinessProbe
- op: replace
path: /spec/template/spec/containers/0/readinessProbe/httpGet/httpHeaders/0/value
value: nxt.cadoles.fr
- op: replace
path: /spec/template/spec/containers/0/readinessProbe/httpGet/port
value: 80
- op: replace
path: /spec/template/spec/containers/0/readinessProbe/initialDelaySeconds
value: 50
- op: replace
path: /spec/template/spec/containers/0/readinessProbe/periodSeconds
value: 10
- op: replace
path: /spec/template/spec/containers/0/readinessProbe/timeoutSeconds
value: 5
- op: replace
path: /spec/template/spec/containers/0/readinessProbe/successThreshold
value: 1
- op: replace
path: /spec/template/spec/containers/0/readinessProbe/failureThreshold
value: 6

26
overlays/dev/patches/nextcloud-smtp.yaml
View File

@ -1,26 +0,0 @@
- op: replace
path: /spec/template/spec/containers/0/env/19/value #MAIL_FROM_ADDRESS
value: "usercadoles"
- op: replace
path: /spec/template/spec/containers/0/env/20/value #MAIL_DOMAIN
value: "cadoles.com"
- op: replace
path: /spec/template/spec/containers/0/env/21/value #SMTP_HOST
value: "groupware.cadoles.com"
- op: replace
path: /spec/template/spec/containers/0/env/22/value #SMTP_SECURE
value: "ssl"
- op: replace
path: /spec/template/spec/containers/0/env/23/value #SMTP_PORT
value: "587"
- op: replace
path: /spec/template/spec/containers/0/env/24/value #SMTP_AUTHTYPE
value: "LOGIN"
# THEORIQUEMENT LA MODIFICATION du secret generator lié dans kustomize suffit.
#- op: replace
# path: /spec/template/spec/containers/0/env/25/value #SMTP_NAME
# value:
#- op: replace
# path: /spec/template/spec/containers/0/env/26/value #SMTP_PASSWORD
# value:

34
overlays/dev/patches/nextcloud-variables.yaml
View File

@ -1,34 +0,0 @@
# USER MDP NEXTCLOUD
- op: replace
path: /spec/template/spec/containers/0/env/4/value #NEXTCLOUD_ADMIN_USER
value: admincadoles
- op: replace
path: /spec/template/spec/containers/0/env/5/value #NEXTCLOUD_ADMIN_PASSWORD
value: CadolesNotSecret
# CONF NEXTCLOUD PHP
- op: replace
path: /spec/template/spec/containers/0/env/8/value #PHP_MEMORY_LIMIT
value: 512M
- op: replace
path: /spec/template/spec/containers/0/env/9/value #PHP_UPLOAD_LIMIT
value: 4G
# CONF NEXTCLOUD REDIS
- op: replace
path: /spec/template/spec/containers/0/env/11/value #REDIS_HOST
value: redis
- op: replace
path: /spec/template/spec/containers/0/env/12/value #REDIS_HOST_PORT
value: "6379"
# CONF NEXTCLOUD
#- op: replace
# path: /spec/template/spec/containers/0/env/27/value #NEXTCLOUD_DATA_DIR
# value: "/var/www/html/data"
- op: replace
path: /spec/template/spec/containers/0/env/6/value #NEXTCLOUD_TRUSTED_DOMAINS
value: "*.cadoles.fr"

8
overlays/dev/patches/nginx-ingress.yaml
View File

@ -5,18 +5,18 @@ metadata:
annotations: annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "5m" nginx.ingress.kubernetes.io/proxy-body-size: "5m"
nginx.ingress.kubernetes.io/enable-cors: "true" nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
cert-manager.io/issuer: cadoles-selfsigned-ca cert-manager.io/issuer: cadoles-selfsigned-ca
spec: spec:
ingressClassName: nginx ingressClassName: nginx
tls: tls:
- hosts: - hosts:
- nxt.cadoles.fr - nxt.cadoles.lan
secretName: cadoles-selfsigned-ca secretName: cadoles-selfsigned-ca
rules: rules:
- host: nxt.cadoles.fr - host: nxt.cadoles.lan
http: http:
paths: paths:
- path: / - path: /

21
overlays/dev/patches/tenant-conf.yaml
View File

@ -1,21 +0,0 @@
- op: replace
path: /spec/certConfig/dnsNames
value: ["minio"]
- op: replace
path: /spec/pools/0/servers
value: 2
- op: replace
path: /spec/pools/0/volumesPerServer
value: 3
- op: replace
path: /spec/pools/0/volumeClaimTemplate/spec/resources/requests/storage
value: 3Gi
- op: replace
path: /spec/pools/0/containerSecurityContext/runAsUser
value: 1000
- op: replace
path: /spec/pools/0/containerSecurityContext/runAsGroup
value: 1000
- op: replace
path: /spec/pools/0/containerSecurityContext/runAsNonRoot
value: true

3
overlays/dev/resources/cert-manager/kustomization.yaml
View File

@ -4,4 +4,5 @@ kind: Kustomization
resources: resources:
- ./resources/cluster-issuer.yaml - ./resources/cluster-issuer.yaml
- ./resources/ca.yaml - ./resources/ca.yaml
- ./resources/issuer.yaml - ./resources/issuer.yaml

2
overlays/dev/resources/cert-manager/resources/ca.yaml
View File

@ -9,7 +9,7 @@ spec:
isCA: true isCA: true
commonName: cadoles-selfsigned-ca commonName: cadoles-selfsigned-ca
# secretName: root-secret # secretName: root-secret
secretName: cadoles-selfsigned-ca secretName: cadoles-selfsigned-ca-secret
privateKey: privateKey:
algorithm: ECDSA algorithm: ECDSA
size: 256 size: 256

2
overlays/dev/resources/cert-manager/resources/issuer.yaml
View File

@ -6,4 +6,4 @@ metadata:
# namespace: ingress-nginx # namespace: ingress-nginx
spec: spec:
ca: ca:
secretName: cadoles-selfsigned-ca secretName: cadoles-selfsigned-ca-secret

4
overlays/dev/resources/files/minio/config.env
View File

@ -1,4 +1,4 @@
export MINIO_ROOT_USER="cadoles" export MINIO_ROOT_USER="minio_root"
export MINIO_ROOT_PASSWORD="cadoles;21" export MINIO_ROOT_PASSWORD="MinioRootNotSoSecret"
export MINIO_STORAGE_CLASS_STANDARD="EC:2" export MINIO_STORAGE_CLASS_STANDARD="EC:2"
export MINIO_BROWSER="on" export MINIO_BROWSER="on"

0
base/resources/nextcloud/resources/files/minio/configurations/tenants.minio.min.io.yaml → overlays/dev/resources/files/minio/configurations/tenants.minio.min.io.yaml
View File

46
overlays/dev/resources/nextcloud/cm-ldap-script.yaml Normal file
View File

@ -0,0 +1,46 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: script-config-ldap
data:
poststart-ldap.sh: |
#!/bin/sh
/bin/sh -c "/var/www/html/occ app:install user_ldap"
/bin/sh -c "/var/www/html/occ app:update user_ldap"
/bin/sh -c "/var/www/html/occ app:enable user_ldap"
/bin/sh -c "/var/www/html/occ ldap:show-config s01 > /tmp/nxt-ldap.txt"
if grep -q "Invalid configID" /tmp/nxt-ldap.txt; then
/bin/sh -c "/var/www/html/occ ldap:create-empty-config"
fi
# Configurez LDAP (configuration minimale)
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_host '${NEXTCLOUD_LDAP_HOST}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_base '${NEXTCLOUD_LDAP_BASE}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_dn '${NEXTCLOUD_LDAP_DN}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_agent_password '${NEXTCLOUD_LDAP_PASSWD}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseGroups '${NEXTCLOUD_LDAP_BASE_GROUPS}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseUsers '${NEXTCLOUD_LDAP_BASE_USERS}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapConfigurationActive '${NEXTCLOUD_LDAP_ACTIVE_CONF}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExperiencedAdmin '${NEXTCLOUD_LDAP_ADMIN_EXP}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExpertUUIDUserAttr '${NEXTCLOUD_LDAP_EXP_UUID}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapLoginFilter '${NEXTCLOUD_LDAP_LOGIN_FILTER}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapLoginFilterAttributes '${NEXTCLOUD_LDAP_LOGIN_FILTER_ATTR}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapPort '${NEXTCLOUD_LDAP_PORT}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilter '${NEXTCLOUD_LDAP_USR_FILTR}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilterObjectclass '${NEXTCLOUD_LDAP_OBJ_FILTR}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapEmailAttribute '${NEXTCLOUD_LDAP_MAIL_ATTR}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserDisplayName '${NEXTCLOUD_LDAP_USER_DISP}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupFilter '${NEXTCLOUD_LDAP_GROUP_FILTR}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupFilterObjectclass '${NEXTCLOUD_LDAP_GROUP_FILTR_OBJCLASS}'"
/bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupMemberAssocAttr '${NEXTCLOUD_LDAP_GROUP_MEMBR_ASSO}'"
# Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart.
#exec /entrypoint.sh "$@"
# /bin/sh -c "/var/www/html/occ app:enable user_ldap"
# est fonctionnel dans le pods nextcloud !
#liste config : /bin/sh -c "/var/www/html/occ config:list"

0
overlays/dev/resources/host-config.yaml → overlays/dev/resources/nextcloud/host-config.yaml
View File

41
overlays/dev/resources/nextcloud/job-minio.yaml Normal file
View File

@ -0,0 +1,41 @@
apiVersion: batch/v1
kind: Job
metadata:
name: create-minio-bucket
spec:
template:
spec:
initContainers:
- name: wait-for-minio
image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
args:
- service
- minio
containers:
- name: create-bucket
image: minio/mc
envFrom:
- configMapRef:
name: nextcloud-env
env:
- name: CONSOLE_ACCESS_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_ACCESS_KEY
- name: CONSOLE_SECRET_KEY
valueFrom:
secretKeyRef:
name: nextcloud-minio-user
key: CONSOLE_SECRET_KEY
command: ["sh", "-c"]
args:
- |
echo "création de l'alias my-minio"
mc alias set --insecure my-minio https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY}
echo "création du bucket..."
mc mb --insecure my-minio/nextcloud-minio
echo "Bucket créé. normalement"
restartPolicy: OnFailure
serviceAccountName: nextcloud-sa # declare user for initcontainer

29
overlays/dev/resources/nextcloud/minio-tenant.yaml Normal file
View File

@ -0,0 +1,29 @@
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
name: nextcloud-minio
spec:
certConfig:
dnsNames:
- "minio"
pools:
- servers: 2
name: pool-0
volumesPerServer: 3
volumeClaimTemplate:
metadata:
name: nextcloud-minio-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 3Gi
containerSecurityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
configuration:
name: nextcloud-minio-configuration
users:
- name: nextcloud-minio-user

0
overlays/dev/resources/namespace.yaml → overlays/dev/resources/nextcloud/namespace.yaml
View File

8
overlays/dev/resources/ssl.yaml → overlays/dev/resources/nextcloud/ssl.yaml
View File

@ -15,7 +15,7 @@ spec:
- cadoles - cadoles
# The use of the common name field has been deprecated since 2000 and is # The use of the common name field has been deprecated since 2000 and is
# discouraged from being used. # discouraged from being used.
commonName: cadoles.fr commonName: cadoles.lan
isCA: false isCA: false
privateKey: privateKey:
algorithm: RSA algorithm: RSA
@ -27,8 +27,8 @@ spec:
# At least one of a DNS Name, URI, or IP address is required. # At least one of a DNS Name, URI, or IP address is required.
dnsNames: dnsNames:
- nextcloud - nextcloud
- nextcloud.cadoles.fr - nextcloud.cadoles.lan
- nxt.cadoles.fr - nxt.cadoles.lan
# Issuer references are always required. # Issuer references are always required.
issuerRef: issuerRef:
name: cadoles-ca-issuer name: cadoles-ca-issuer
@ -37,4 +37,4 @@ spec:
kind: Issuer kind: Issuer
# This is optional since cert-manager will default to this value however # This is optional since cert-manager will default to this value however
# if you are using an external issuer, change this to that issuer group. # if you are using an external issuer, change this to that issuer group.
group: cert-manager.io group: cert-manager.io

3
requires/kustomization.yaml
View File

@ -8,5 +8,6 @@ resources:
- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
#- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop # Nextcloud ne fonctionne pas avec la couche sentinelle #- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop # Nextcloud ne fonctionne pas avec la couche sentinelle
- https://forge.cadoles.com/CadolesKube/c-kustom//base/minio?ref=develop - https://forge.cadoles.com/CadolesKube/c-kustom//base/minio?ref=develop
- https://forge.cadoles.com/vfebvre/openldap-kustom?ref=develop #- https://forge.cadoles.com/vfebvre/openldap-kustom?ref=develop
#- ./lb => déplacé dans dev/ car propre à l'environnement cible #- ./lb => déplacé dans dev/ car propre à l'environnement cible
- https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml