fix(overlay/dev): cleanup

Reviewed-on: #2

README.md

@@ -1,2 +1,42 @@
 # nextcloud-kustom
 
+Base include :
+
+- nextcloud app
+- postgres
+- ...
+
+Default configuration (base directory) : 
+
+- use an external S3, 
+- use local authentication,
+- use internal K8s certificate,
+- use postgresSQL
+
+If you want change, you must do your configuration in the overlays section
+
+Overlays dev sections install :
+
+- base
+- rename namespace to nextcloud-dev
+- use cert-manager (to install CRDs requirement, check requires/)
+
+**To install a test cluster on your machine**
+
+1. Create cluster
+
+```kind create cluster --config requires/cluster/cluster.yaml```
+
+2. Install operators, cert-manager and openldap(dev)
+
+```kubectl apply -k requires/```
+
+3. Define IP poll address
+
+```kubectl apply -k base/cluster/lb```
+
+4. Install nextcloud
+
+```kubectl apply -k overlays/dev```
+
+

base/cluster/lb/advertise.yaml

@@ -0,0 +1,9 @@
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: l2-ip-pool-ad
+  namespace: metallb-system
+spec:
+  ipAddressPools:
+  - main-pool
+

base/cluster/lb/ipaddresspoool.yaml

@@ -0,0 +1,8 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: main-pool
+  namespace: metallb-system
+spec:
+  addresses:
+  - 172.18.10.100-172.18.10.200

base/cluster/lb/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: metallb-system
+
+resources:
+- ipaddresspoool.yaml
+- advertise.yaml

base/components/cnpg-database/configurations/cnpg-config.yaml

@@ -0,0 +1,8 @@
+---
+nameReference:
+- kind: Secret
+  fieldSpecs:
+  - path: spec/superuserSecret/name
+    kind: Cluster
+  - path: spec/bootstrap/initdb/secret/name
+    kind: Cluster

base/components/cnpg-database/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+configurations:
+- ./configurations/cnpg-config.yaml
+
+resources:
+- ./resources/nextcloud-cnpg.yaml
+

base/components/cnpg-database/resources/nextcloud-cnpg.yaml

@@ -0,0 +1,13 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: nextcloud-postgres
+spec:
+  instances: 1
+  primaryUpdateStrategy: unsupervised
+  bootstrap:
+    initdb:
+      database: nextcloud
+      owner: nextcloud
+  storage:
+    size: 5Gi

base/components/one-redis/ConfigMap-redis.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cm-redis-config
+data:
+  redis-config: |
+    maxmemory 2mb
+    maxmemory-policy allkeys-lru    

base/components/one-redis/deployment.yaml

@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: redis
+  name: redis
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+      - command:
+        - redis-server
+        - /redis-master/redis.conf
+        image: redis:alpine
+        name: redis
+        ports:
+        - containerPort: 6379
+        volumeMounts:
+        - mountPath: /redis-master-data
+          name: data
+        - mountPath: /redis-master
+          name: config
+      restartPolicy: Always
+      volumes:
+      - name: data
+        emptyDir: {}
+      - name: config
+        configMap:
+          name: cm-redis-config
+          items:
+          - key: redis-config
+            path: redis.conf

base/components/one-redis/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- deployment.yaml
+- redis-service.yaml
+- ConfigMap-redis.yaml

base/components/one-redis/readme.md

@@ -0,0 +1,5 @@
+# README
+
+Pour configurer facilement et rapidement le redis passer par le fichier ConfigMap-redis.yaml !!!
+
+- cf https://kubernetes.io/docs/tutorials/configuration/configure-redis-using-configmap/

base/components/one-redis/redis-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  labels:
+    app: redis
+spec:
+  ports:
+    - port: 6379
+  selector:
+    app: redis

base/kustomization.yaml

@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+generatorOptions:
+  disableNameSuffixHash: true
+
+# référence à l'exemple cadoles. 
+# cela force la mise à jours des secret en questions liés aux ressources ayant le labels "tenant" lorsque modifié
+
+resources:
+- ./resources/nextcloud
+
+
+components:
+- ./components/cnpg-database
+- ./components/one-redis
+
+# MOUNT-TRY-multi-instance
+## A SUPPRIMER EN CAS DE REDEPLOYEMENT nextcloud doit s'intaller une FOIS, ne décommenté qu'après la première installation
+#configMapGenerator:
+#- name: nextcloud-config
+#  files:
+#  - ./config.php
+##  behavior: merge      # dans le cas ou le configmap existerait déjà et que la donnée est différente.
+#  options:
+#    disableNameSuffixHash: true  
+## Aller aussi dans deployment.yaml pour commenter les lignes suivantes, et supprimer le fichier config.php
+#        - name: nextcloud-config-volume     # monte le fichier de configuration dans 
+#          mountPath: /var/www/html/config   # les instances supplémentaire
+#          readOnly: true                    # via le configmap ConfigMaps-php.yaml
+
+#      - name: nextcloud-config-volume       # permet de monter le fichier de configuration dans 
+#        configMap:                          # les instances supplémentaires
+#          name: nextcloud-config            # via le configmap ConfigMaps-php.yaml

base/resources/nextcloud/kustomization.yaml

@@ -0,0 +1,43 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+generatorOptions:
+  disableNameSuffixHash: true # suppression des suffixe en hash en bout de nom
+
+resources:
+- ./resources/deployment.yaml
+- ./resources/nextcloud-service.yaml
+- ./resources/nextcloud-rolebinding.yaml
+- ./resources/nextcloud-role.yaml
+- ./resources/nextcloud-serviceaccount.yaml
+- ./resources/ingress.yaml
+- ./resources/pvc/00-main.yaml
+- ./resources/pvc/01-html.yaml
+- ./resources/pvc/02-data.yaml
+- ./resources/pvc/03-config.yaml
+- ./resources/pvc/04-custom.yaml
+- ./resources/pvc/06-tmp.yaml
+- ./resources/pvc/07-themes.yaml
+
+configMapGenerator:
+- name: nextcloud-env
+  literals:
+  - NEXTCLOUD_ADMIN_USER="admin"
+  - NEXTCLOUD_ADMIN_PASSWORD="cadoles" # 5
+  - NEXTCLOUD_TRUSTED_DOMAINS="*.cadoles.fr"
+  - PHP_MEMORY_LIMIT="512M"
+  - PHP_UPLOAD_LIMIT="4G"
+  - MAIL_FROM_ADDRESS="user"
+  - MAIL_DOMAIN="cadoles.fr"
+  - SMTP_HOST="smtp.cadoles.com"
+  - SMTP_SECURE="ssl"
+  - SMTP_PORT="465"
+  - SMTP_AUTHTYPE="LOGIN"
+
+secretGenerator:
+- name: nextcloud-smtp
+  literals:
+  - smtp-username=secretuser
+  - smtp-password=secretpassword
+  options:
+    disableNameSuffixHash: true

base/resources/nextcloud/resources/deployment.yaml

@@ -0,0 +1,109 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nextcloud
+    component: app
+  name: nextcloud-app
+spec:
+  #  serviceName: nextcloud
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nextcloud
+      component: app
+  template:
+    metadata:
+      labels:
+        app: nextcloud
+        component: app
+    spec:
+      containers:
+      - image: reg.cadoles.com/proxy_cache/library/nextcloud:27.0.2-apache
+        imagePullPolicy: Always
+        name: nextcloud
+        ports:
+        - containerPort: 80
+        lifecycle:
+          postStart:
+            exec:
+              command: ["/bin/sh", "-c", "cp /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/ks.crt && update-ca-certificates"]
+        envFrom:
+        - configMapRef:
+            name: nextcloud-env
+        env:
+        - name: POSTGRES_DB
+          value: nextcloud
+        - name: POSTGRES_USER
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-postgres-app
+              key: username
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-postgres-app
+              key: password
+        - name: POSTGRES_HOST
+          value: $(NEXTCLOUD_POSTGRES_RW_SERVICE_HOST) #value: nextcloud-postgres-rw.nextcloud.svc.cluster.local
+        - name: NEXTCLOUD_INIT_LOCK
+          value: "true"
+        - name: POD_INDEX
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: REDIS_HOST
+          value: redis
+        - name: REDIS_HOST_PORT
+          value: "6379"
+        - name: SMTP_NAME
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-smtp
+              key: smtp-username
+        - name: SMTP_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-smtp
+              key: smtp-password
+        - name: NEXTCLOUD_DATA_DIR
+          value: "/var/www/html/data"
+        volumeMounts:
+        - mountPath: /var/www/
+          name: nextcloud-main-volume
+        - mountPath: /var/www/html
+          name: nextcloud-html-volume
+        - mountPath: /var/www/html/data
+          name: nextcloud-data-volume
+        - mountPath: /var/www/html/config
+          name: nextcloud-config-volume
+        - mountPath: /var/www/html/custom_apps
+          name: nextcloud-custom-volume
+        - mountPath: /var/www/tmp
+          name: nextcloud-tmp-volume
+        - mountPath: /var/www/html/themes
+          name: nextcloud-themes-volume
+      volumes:
+      - name: nextcloud-main-volume
+        persistentVolumeClaim:
+          claimName: nextcloud-main-pvc
+      - name: nextcloud-html-volume
+        persistentVolumeClaim:
+          claimName: nextcloud-html-pvc
+      - name: nextcloud-data-volume
+        persistentVolumeClaim:
+          claimName: nextcloud-data-pvc
+      - name: nextcloud-config-volume
+        persistentVolumeClaim:
+          claimName: nextcloud-config-pvc
+      - name: nextcloud-custom-volume
+        persistentVolumeClaim:
+          claimName: nextcloud-custom-pvc
+      - name: nextcloud-tmp-volume
+        persistentVolumeClaim:
+          claimName: nextcloud-tmp-pvc
+      - name: nextcloud-themes-volume
+        persistentVolumeClaim:
+          claimName: nextcloud-themes-pvc
+      restartPolicy: Always
+      serviceAccountName: nextcloud-sa # declare user for initcontainer

base/resources/nextcloud/resources/ingress.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nextcloud
+
+  annotations:
+    #    kustomize.config.k8s.io/needs: configmap/nextcloud-envi
+    nginx.ingress.kubernetes.io/proxy-body-size: "138m"
+    nginx.ingress.kubernetes.io/enable-cors: "true" #cf 01
+    nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" #cf 01
+#    nginx.ingress.kubernetes.io/client_max_body_size: "100m"
+
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: nxt.base.fr
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: nextcloud
+            port:
+              number: 80
+
+# cf 01 => https://artifacthub.io/packages/helm/nextcloud/nextcloud

base/resources/nextcloud/resources/nextcloud-role.yaml

@@ -0,0 +1,43 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: status-reader
+rules:
+- apiGroups:
+  - batch
+  - v1
+  resources:
+  - jobs
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - ""
+  - v1
+  resources:
+  - secrets
+  - services
+  - pods
+  verbs:
+  - get
+  - list
+  #- patch
+
+# Declaration d'un role nommé status-reader et attribution de droit 
+
+#- apiGroups:
+#  - ""
+#  - v1
+#  resources:
+#  - services
+#  verbs:
+#  - get
+#  - list
+#- apiGroups:
+#  - ""
+#  - v1
+#  resources:
+#  - pods
+#  verbs:
+#  - get
+#  - list

base/resources/nextcloud/resources/nextcloud-rolebinding.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: status-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: status-reader
+subjects:
+- kind: ServiceAccount
+  name: nextcloud-sa
+
+# Sert à lier le role status-reader (nextcloud-role.yaml) et l'utilisateur nextcloud-sa (nextcloud-serviceaccount.yaml)

base/resources/nextcloud/resources/nextcloud-service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nextcloud
+  labels:
+    app: nextcloud
+    component: app
+spec:
+  ports:
+  - port: 80
+  selector:
+    app: nextcloud
+    component: app
+

base/resources/nextcloud/resources/nextcloud-serviceaccount.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nextcloud-sa
+
+# déclaration d'un user nextcloud-sa

base/resources/nextcloud/resources/nodeport-service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nextcloud-nodeport  # nom du service
+  labels:
+#    app: nextcloud
+#    component: app
+spec:
+  type: NodePort
+  ports:
+    - port: 80
+      targetPort: 80  # port du pods
+      nodePort: 30080 # port de la machine locale detenant les noeuds
+  selector:
+    app: nextcloud
+    component: app

base/resources/nextcloud/resources/pvc/00-main.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nextcloud-main-pvc
+spec:
+  accessModes:
+  - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi

base/resources/nextcloud/resources/pvc/01-html.yaml

@@ -0,0 +1,12 @@
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nextcloud-html-pvc
+spec:
+  accessModes:
+  - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 5Gi

base/resources/nextcloud/resources/pvc/02-data.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nextcloud-data-pvc
+spec:
+  accessModes:
+  - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi

base/resources/nextcloud/resources/pvc/03-config.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nextcloud-config-pvc
+spec:
+  accessModes:
+  - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi

base/resources/nextcloud/resources/pvc/04-custom.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nextcloud-custom-pvc
+spec:
+  accessModes:
+  - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi

base/resources/nextcloud/resources/pvc/06-tmp.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nextcloud-tmp-pvc
+spec:
+  accessModes:
+  - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 5Gi

base/resources/nextcloud/resources/pvc/07-themes.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nextcloud-themes-pvc
+spec:
+  accessModes:
+  - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi

overlays/dev/patches/ConfigMap-redis.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cm-redis-config
+data:
+  redis-config: |
+    maxmemory 4mb
+    maxmemory-policy volatile-lru
+    appendonly yes

overlays/dev/patches/deployment.yaml

@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nextcloud-app
+spec:
+  replicas: 3
+  template:
+    spec:
+      initContainers:
+      - name: wait-for-bootstrap
+        image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
+        args:
+        - job
+        - $(MINIO_BOOTSTRAP_JOB_NAME)
+      containers:
+      - name: nextcloud
+        #envFrom:
+        #- configMapRef:
+        #  name: nextcloud-env-update
+        env:
+        - name: OBJECTSTORE_S3_KEY
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-minio-user
+              key: CONSOLE_ACCESS_KEY
+        - name: OBJECTSTORE_S3_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-minio-user
+              key: CONSOLE_SECRET_KEY
+
+        livenessProbe:
+          httpGet:
+            path: /status.php
+            port: 80
+            httpHeaders:
+            - name: Host
+              value: nxt.cadoles.lan
+          initialDelaySeconds: 50
+          periodSeconds: 10
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 6
+        readinessProbe:
+          httpGet:
+            path: /status.php
+            port: 80
+            httpHeaders:
+            - name: Host
+              value: nxt.cadoles.lan
+          initialDelaySeconds: 50
+          periodSeconds: 10
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 6
+        volumeMounts:
+        - mountPath: /docker-entrypoint-hooks.d/post-installation/ldap.sh
+          name: script-config-ldap
+          subPath: poststart-ldap.sh
+        - mountPath: /docker-entrypoint-hooks.d/before-starting/plugins.sh
+          name: script-config-plugins
+          subPath: poststart-plugins.sh
+        - mountPath: /etc/minio-ccerts
+          name: minio-certs
+          readOnly: true
+      volumes:
+      - name: minio-certs
+        secret:
+          secretName: nextcloud-minio-tls
+      - name: script-config-ldap
+        configMap:
+          name: script-config-ldap
+          defaultMode: 0755
+      - name: script-config-plugins
+        configMap:
+          name: script-config-plugins
+          defaultMode: 0755
+      restartPolicy: Always
+      serviceAccountName: nextcloud-sa

overlays/dev/patches/nextcloud-cpng.yaml

@@ -0,0 +1,9 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: nextcloud-postgres
+spec:
+  instances: 3
+  storage:
+    size: 50Gi
+    storageClass: directpv-min-io

overlays/dev/patches/nginx-ingress.yaml

@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nextcloud
+
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "5m"
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For"
+    cert-manager.io/issuer: cadoles-selfsigned-ca
+
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - nxt.cadoles.lan
+    secretName: cadoles-selfsigned-ca
+  rules:
+  - host: nxt.cadoles.lan
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: nextcloud
+            port:
+              number: 80
+

overlays/dev/resources/cert-manager/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ./resources/cluster-issuer.yaml
+- ./resources/ca.yaml
+- ./resources/issuer.yaml
+

overlays/dev/resources/cert-manager/resources/ca.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cadoles-selfsigned-ca
+#  namespace: cert-manager
+#  namespace: ingress-nginx
+
+spec:
+  isCA: true
+  commonName: cadoles-selfsigned-ca
+#  secretName: root-secret
+  secretName: cadoles-selfsigned-ca-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: cadoles-selfsigned-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io

overlays/dev/resources/cert-manager/resources/cluster-issuer.yaml

@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: cadoles-selfsigned-issuer
+spec:
+  selfSigned: {}

overlays/dev/resources/cert-manager/resources/issuer.yaml

@@ -0,0 +1,9 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: cadoles-ca-issuer
+#  namespace: cert-manager
+#  namespace: ingress-nginx
+spec:
+  ca:
+    secretName: cadoles-selfsigned-ca-secret

overlays/dev/resources/files/minio/config.env

@@ -0,0 +1,4 @@
+export MINIO_ROOT_USER="minio_root"
+export MINIO_ROOT_PASSWORD="MinioRootNotSoSecret"
+export MINIO_STORAGE_CLASS_STANDARD="EC:2"
+export MINIO_BROWSER="on"

overlays/dev/resources/files/minio/configurations/tenants.minio.min.io.yaml

@@ -0,0 +1,14 @@
+---
+nameReference:
+- kind: Secret
+  fieldSpecs:
+  - path: spec/credsSecret/name
+    kind: Tenant
+- kind: Secret
+  fieldSpecs:
+  - path: spec/configuration/name
+    kind: Tenant
+- kind: Secret
+  fieldSpecs:
+  - path: spec/users/name
+    kind: Tenant

overlays/dev/resources/nextcloud/cm-ldap-script.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: script-config-ldap
+data:
+  poststart-ldap.sh: |
+    #!/bin/sh
+
+    /bin/sh -c "/var/www/html/occ app:install user_ldap"
+    /bin/sh -c "/var/www/html/occ app:update user_ldap"
+    /bin/sh -c "/var/www/html/occ app:enable user_ldap"
+
+    /bin/sh -c "/var/www/html/occ ldap:show-config s01 > /tmp/nxt-ldap.txt"
+    if grep -q "Invalid configID" /tmp/nxt-ldap.txt; then
+      /bin/sh -c "/var/www/html/occ ldap:create-empty-config"
+    fi
+
+    # Configurez LDAP (configuration minimale)
+
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_host '${NEXTCLOUD_LDAP_HOST}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_base '${NEXTCLOUD_LDAP_BASE}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_dn '${NEXTCLOUD_LDAP_DN}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldap_agent_password '${NEXTCLOUD_LDAP_PASSWD}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseGroups '${NEXTCLOUD_LDAP_BASE_GROUPS}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapBaseUsers '${NEXTCLOUD_LDAP_BASE_USERS}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapConfigurationActive '${NEXTCLOUD_LDAP_ACTIVE_CONF}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExperiencedAdmin '${NEXTCLOUD_LDAP_ADMIN_EXP}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapExpertUUIDUserAttr '${NEXTCLOUD_LDAP_EXP_UUID}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapLoginFilter '${NEXTCLOUD_LDAP_LOGIN_FILTER}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapLoginFilterAttributes '${NEXTCLOUD_LDAP_LOGIN_FILTER_ATTR}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapPort '${NEXTCLOUD_LDAP_PORT}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilter '${NEXTCLOUD_LDAP_USR_FILTR}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserFilterObjectclass '${NEXTCLOUD_LDAP_OBJ_FILTR}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapEmailAttribute '${NEXTCLOUD_LDAP_MAIL_ATTR}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapUserDisplayName '${NEXTCLOUD_LDAP_USER_DISP}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupFilter '${NEXTCLOUD_LDAP_GROUP_FILTR}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupFilterObjectclass '${NEXTCLOUD_LDAP_GROUP_FILTR_OBJCLASS}'"
+    /bin/sh -c "/var/www/html/occ ldap:set-config s01 ldapGroupMemberAssocAttr '${NEXTCLOUD_LDAP_GROUP_MEMBR_ASSO}'"
+    
+    # Lancez le processus principal de Nextcloud normalement ça ne marche pas ça ! donc plutot poststart.
+    #exec /entrypoint.sh "$@"
+
+    # /bin/sh -c "/var/www/html/occ app:enable user_ldap" 
+    # est fonctionnel dans le pods nextcloud ! 
+
+    #liste config : /bin/sh -c "/var/www/html/occ config:list"

overlays/dev/resources/nextcloud/cm-plugins-script.yaml

@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: script-config-plugins
+data:
+  poststart-plugins.sh: |
+    #!/bin/sh
+    set -eu
+    ( 
+      if ! flock -n 7; then
+        echo "Another process is installing plugins. waiting"
+        flock 7
+        exit 0
+      fi
+
+      echo "Installing default apps"
+      plugin_list="${NEXTCLOUD_PLUGIN_LIST}"
+      OPTS=""
+      occ="/var/www/html/occ"
+
+      installed_apps=$(mktemp)
+      /bin/sh -c "${occ} app:list" | awk '!/Enabled|Disabled/ {print substr($2, 1, length($2)-1)}' > "${installed_apps}"
+
+      for plugin in ${plugin_list}; do
+        if ! grep -q "${plugin}" "${installed_apps}"; then
+          /bin/sh -c "${occ} ${OPTS} app:install ${plugin}"
+          /bin/sh -c "${occ} ${OPTS} app:update ${plugin}"
+          /bin/sh -c "${occ} ${OPTS} app:enable ${plugin}"
+        else
+          echo "${plugin} allready installed"
+        fi
+      done
+    ) 7> /var/www/html/nextcloud-plugin-install.lock
+    echo "Apps installation finished"

overlays/dev/resources/nextcloud/host-config.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: host-config
+data:
+  NEXTCLOUD_HOST: nxt.serveur.fr

overlays/dev/resources/nextcloud/job-minio.yaml

@@ -0,0 +1,41 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: create-minio-bucket
+spec:
+  template:
+    spec:
+      initContainers:
+      - name: wait-for-minio
+        image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
+        args:
+        - service
+        - minio
+      containers:
+      - name: create-bucket
+        image: minio/mc
+        envFrom:
+        - configMapRef:
+            name: nextcloud-env
+        env:
+        - name: CONSOLE_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-minio-user
+              key: CONSOLE_ACCESS_KEY
+        - name: CONSOLE_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-minio-user
+              key: CONSOLE_SECRET_KEY
+        command: ["sh", "-c"]
+        args:
+        - |
+          echo "création de l'alias my-minio"
+          mc alias set --insecure my-minio https://${MINIO_SERVICE_HOST}:${MINIO_SERVICE_PORT} ${CONSOLE_ACCESS_KEY} ${CONSOLE_SECRET_KEY}
+          echo "création du bucket..."
+          mc mb --insecure my-minio/nextcloud-minio
+          echo "Bucket créé. normalement"
+      restartPolicy: OnFailure
+      serviceAccountName: nextcloud-sa # declare user for initcontainer
+

overlays/dev/resources/nextcloud/minio-tenant.yaml

@@ -0,0 +1,52 @@
+apiVersion: minio.min.io/v2
+kind: Tenant
+metadata:
+  name: nextcloud-minio
+spec:
+  certConfig:
+    dnsNames:
+    - "minio"
+  pools:
+  - servers: 2
+    affinity:
+      nodeAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          nodeSelectorTerms:
+          - matchExpressions:
+            - key: role
+              operator: In
+              values:
+              - storage
+      podAntiAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+        - labelSelector:
+            matchExpressions:
+            - key: v1.min.io/tenant
+              operator: In
+              values:
+              - cds
+            - key: v1.min.io/pool
+              operator: In
+              values:
+              - pool-0
+          topologyKey: kubernetes.io/hostname
+    name: pool-0
+    volumesPerServer: 3
+    volumeClaimTemplate:
+      metadata:
+        name: nextcloud-minio-data
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 3Gi
+        storageClassName: directpv-min-io
+    containerSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      runAsNonRoot: true
+  configuration:
+    name: nextcloud-minio-configuration
+  users:
+  - name: nextcloud-minio-user

overlays/dev/resources/nextcloud/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nextcloud-dev

overlays/dev/resources/nextcloud/ssl.yaml

@@ -0,0 +1,40 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nextcloud
+spec:
+  # Secret names are always required.
+  #secretName: nextcloud-tls
+  secretName: cadoles-selfsigned-ca
+
+
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  subject:
+    organizations:
+    - cadoles
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: cadoles.lan
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+  - server auth
+  - client auth
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+  - nextcloud
+  - nextcloud.cadoles.lan
+  - nxt.cadoles.lan
+  # Issuer references are always required.
+  issuerRef:
+    name: cadoles-ca-issuer
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: Issuer
+    # This is optional since cert-manager will default to this value however
+    # if you are using an external issuer, change this to that issuer group.
+    group: cert-manager.io

requires/README.md

@@ -0,0 +1,12 @@
+# README
+
+Permet d'installer les opérateurs nécessaire à l'utilisation de nextcloud.
+
+Simplement lancer le ```kustomization.yaml``` pour appliquer les **quatre** opérateurs
+
+- cloudnative-pg (base de donnée postgresql)
+- nginx (ingress)
+- minio (pour le stockage S3)
+- mteallb (load-balancer, point d'entrée unique)
+
+le dossier ```cluster/``` contient simplement un fichier ```cluster.yaml``` pour lancer un cluster avec 3 worker et un control-plane.

requires/cluster/cluster.yaml

@@ -0,0 +1,8 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+name: ctest
+nodes:
+- role: control-plane
+- role: worker
+- role: worker
+- role: worker

requires/cluster/nginx/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/cloud/deploy.yaml

requires/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+
+#- https://raw.githubusercontent.com/ory/k8s/v0.30.0/helm/charts/hydra-maester/crds/crd-oauth2clients.yaml
+- https://forge.cadoles.com/CadolesKube/c-kustom//base/metallb?ref=develop
+- https://forge.cadoles.com/CadolesKube/c-kustom//base/nginx?ref=develop
+- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
+#- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop # Nextcloud ne fonctionne pas avec la couche sentinelle
+- https://forge.cadoles.com/CadolesKube/c-kustom//base/minio?ref=develop
+#- https://forge.cadoles.com/vfebvre/openldap-kustom?ref=develop
+#- ./lb => déplacé dans dev/ car propre à l'environnement cible
+- https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml