diff --git a/.github/ct-install.yaml b/.github/ct-install.yaml
index 7456a9e0e33..389be2dd256 100644
--- a/.github/ct-install.yaml
+++ b/.github/ct-install.yaml
@@ -1,6 +1,6 @@
 remote: origin
 target-branch: master
-helm-extra-args: --timeout 240s
+helm-extra-args: --timeout 300s
 chart-yaml-schema: .github/chart_schema.yaml
 chart-dirs:
 - charts/incubator
@@ -41,14 +41,9 @@ excluded-charts:
 - charts/dev/assettocorsa
 - charts/dev/server-7daystodie
 chart-repos:
-- truecharts-old=https://truecharts.org
 - truecharts=https://charts.truecharts.org
 - truecharts-library=https://library-charts.truecharts.org
 - bitnami=https://charts.bitnami.com/bitnami
-- amd-gpu-helm=https://radeonopencompute.github.io/k8s-device-plugin/
 - metallb=https://metallb.github.io/metallb
 - grafana=https://grafana.github.io/helm-charts
 - prometheus=https://prometheus-community.github.io/helm-charts
-- k8s-at-home-libraries=https://library-charts.k8s-at-home.com
-- k8s-at-home=https://k8s-at-home.com/charts
-- jetstack=https://charts.jetstack.io
diff --git a/.github/ct-lint.yaml b/.github/ct-lint.yaml
index c5363e58cb4..833386676ff 100644
--- a/.github/ct-lint.yaml
+++ b/.github/ct-lint.yaml
@@ -13,14 +13,9 @@ chart-dirs:
 - charts/SCALE
 excluded-charts: []
 chart-repos:
-- truecharts-old=https://truecharts.org
 - truecharts=https://charts.truecharts.org
 - truecharts-library=https://library-charts.truecharts.org
 - bitnami=https://charts.bitnami.com/bitnami
-- amd-gpu-helm=https://radeonopencompute.github.io/k8s-device-plugin/
 - metallb=https://metallb.github.io/metallb
 - grafana=https://grafana.github.io/helm-charts
 - prometheus=https://prometheus-community.github.io/helm-charts
-- k8s-at-home-libraries=https://library-charts.k8s-at-home.com
-- k8s-at-home=https://k8s-at-home.com/charts
-- jetstack=https://charts.jetstack.io
diff --git a/.github/workflows/catalog-test.yaml b/.github/workflows/catalog-test.yaml
index 94e274fbaa8..d4b3583f011 100644
--- a/.github/workflows/catalog-test.yaml
+++ b/.github/workflows/catalog-test.yaml
@@ -15,7 +15,7 @@ jobs:
 name: Test SCALE Catalog
 runs-on: ubuntu-latest
 container:
- image: ghcr.io/truecharts/devcontainer:v2.3.0@sha256:a163ad40427cd75a31a0365afb832f97e512d420429ed091b90b18a034526264
+ image: ghcr.io/truecharts/devcontainer:v2.4.0@sha256:395ee7ed8b9cba6569ddeba77b7ceb86fdb79b91a19c639625d7bc54cb1ccc1d
 steps:
 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
 name: Checkout
@@ -32,3 +32,10 @@ jobs:
 - name: build-and-run
 run: |
 tools/build-release.sh
+
+ - uses: vishnudxb/cancel-workflow@v1.2
+ if: failure()
+ with:
+ repo: truecharts/apps
+ workflow_id: ${{ github.run_id }}
+ access_token: ${{ github.token }}
diff --git a/.github/workflows/charts-lint.yaml b/.github/workflows/charts-lint.yaml
index c0387e69a93..14858f6847e 100644
--- a/.github/workflows/charts-lint.yaml
+++ b/.github/workflows/charts-lint.yaml
@@ -127,7 +127,7 @@ jobs:
 uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a # tag=v2.2.1
 - name: Run chart-testing (lint)
- run: ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" || ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}"
+ run: ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" || ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}"
 lint-charts2:
 needs:
@@ -161,7 +161,7 @@ jobs:
 uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a # tag=v2.2.1
 - name: Run chart-testing (lint)
- run: ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" || ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}"
+ run: ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" || ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}"
 lint-charts3:
 needs:
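Review bot: The new `vishnudxb/cancel-workflow@v1.2` step is pinned to a mutable tag, while every other action in this workflow (`actions/checkout@2541b12… # tag=v3`, `helm/chart-testing-action@dae259e… # tag=v2.2.1`) is pinned to a commit SHA, so a retagged v1.2 would run unreviewed third-party code that is handed `access_token: ${{ github.token }}`. Pin it the same way, e.g. `- uses: vishnudxb/cancel-workflow@<full commit sha of v1.2> # tag=v1.2`, or replace it with a direct call to the workflow-run cancel API so no third-party code is needed. The identical unpinned step is added to charts-lint.yaml and charts-test.yaml in this commit and should get the same treatment.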
@@ -195,7 +195,7 @@ jobs: uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a # tag=v2.2.1 - name: Run chart-testing (lint) - run: ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" || ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" + run: ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" || ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" lint-charts4: needs: @@ -229,7 +229,7 @@ jobs: uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a # tag=v2.2.1 - name: Run chart-testing (lint) - run: ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" || ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" + run: ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" || ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" lint-charts5: needs: @@ -263,7 +263,7 @@ jobs: uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a # tag=v2.2.1 - name: Run chart-testing (lint) - run: ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" || ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" + run: ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" || ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" lint-charts6: needs: @@ -297,7 +297,7 @@ jobs: uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a # tag=v2.2.1 - name: Run chart-testing (lint) - run: ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" || ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" + run: ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" || ct lint --config ".github/ct-lint.yaml" --charts "${{ matrix.chart }}" # Summarize matrix https://github.community/t/status-check-for-a-matrix-jobs/127354/7 
@@ -318,3 +318,10 @@ jobs: - name: Check lint matrix status if: ${{ ( (needs.generate-lint-matrix.outputs.detected1 == 'true') && (needs.lint-charts1.result != 'success') ) && ( (needs.generate-lint-matrix.outputs.detected2 == 'true') && ( (needs.lint-charts2.result != 'success') || ( needs.lint-charts2.result != 'skipped' ) ) ) && ( (needs.generate-lint-matrix.outputs.detected3 == 'true') && ( (needs.lint-charts3.result != 'success') || ( needs.lint-charts3.result != 'skipped' ) ) ) && ( (needs.generate-lint-matrix.outputs.detected4 == 'true') && ( (needs.lint-charts4.result != 'success') || ( needs.lint-charts4.result != 'skipped' ) ) ) && ( (needs.generate-lint-matrix.outputs.detected5 == 'true') && ( (needs.lint-charts5.result != 'success') || ( needs.lint-charts5.result != 'skipped' ) ) ) && ( (needs.generate-lint-matrix.outputs.detected6 == 'true') && ( (needs.lint-charts6.result != 'success') || ( needs.lint-charts6.result != 'skipped' ) ) ) }} run: exit 1 + + - uses: vishnudxb/cancel-workflow@v1.2 + if: failure() + with: + repo: truecharts/apps + workflow_id: ${{ github.run_id }} + access_token: ${{ github.token }} diff --git a/.github/workflows/charts-release.yaml b/.github/workflows/charts-release.yaml index 31f1fac219f..e22dbcae5b2 100644 --- a/.github/workflows/charts-release.yaml +++ b/.github/workflows/charts-release.yaml @@ -14,7 +14,7 @@ jobs: release: runs-on: ubuntu-latest container: - image: ghcr.io/truecharts/devcontainer:v2.3.0@sha256:a163ad40427cd75a31a0365afb832f97e512d420429ed091b90b18a034526264 + image: ghcr.io/truecharts/devcontainer:v2.4.0@sha256:395ee7ed8b9cba6569ddeba77b7ceb86fdb79b91a19c639625d7bc54cb1ccc1d concurrency: gitpush steps: - name: Install Kubernetes tools 
@@ -31,14 +31,12 @@ jobs: - name: Prep Helm run: | - helm repo add truecharts-old https://truecharts.org helm repo add truecharts https://charts.truecharts.org helm repo add truecharts-library https://library-charts.truecharts.org helm repo add bitnami https://charts.bitnami.com/bitnami helm repo add metallb https://metallb.github.io/metallb helm repo add grafana https://grafana.github.io/helm-charts helm repo add prometheus https://prometheus-community.github.io/helm-charts - helm repo add amd-gpu-helm https://radeonopencompute.github.io/k8s-device-plugin/ helm repo update - name: Checkout diff --git a/.github/workflows/charts-test.yaml b/.github/workflows/charts-test.yaml index 0da59323a63..665f84f33cc 100644 --- a/.github/workflows/charts-test.yaml +++ b/.github/workflows/charts-test.yaml @@ -163,7 +163,7 @@ jobs: uses: nolar/setup-k3d-k3s@v1 with: version: v1.24 - + k3d-args: -p 31990-31999:31990-31999@server:0 - name: Remove node taints run: | kubectl taint --all=true nodes node.cloudprovider.kubernetes.io/uninitialized- || true @@ -173,7 +173,7 @@ jobs: sed -i 's/tccr.io/ghcr.io/g' ${{ matrix.chart }}/values.yaml - name: Run chart-testing (install) - run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade || ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade + run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade install-charts2: needs: @@ -210,6 +210,7 @@ jobs: uses: nolar/setup-k3d-k3s@v1 with: version: v1.24 + k3d-args: -p 31990-31999:31990-31999@server:0 - name: Remove node taints run: | 
@@ -220,7 +221,7 @@ jobs: sed -i 's/tccr.io/ghcr.io/g' ${{ matrix.chart }}/values.yaml - name: Run chart-testing (install) - run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade || ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade + run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade install-charts3: @@ -258,7 +259,7 @@ jobs: uses: nolar/setup-k3d-k3s@v1 with: version: v1.24 - + k3d-args: -p 31990-31999:31990-31999@server:0 - name: Remove node taints run: | kubectl taint --all=true nodes node.cloudprovider.kubernetes.io/uninitialized- || true @@ -268,7 +269,7 @@ jobs: sed -i 's/tccr.io/ghcr.io/g' ${{ matrix.chart }}/values.yaml - name: Run chart-testing (install) - run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade || ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade + run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade install-charts4: needs: @@ -305,7 +306,7 @@ jobs: uses: nolar/setup-k3d-k3s@v1 with: version: v1.24 - + k3d-args: -p 31990-31999:31990-31999@server:0 - name: Remove node taints run: | kubectl taint --all=true nodes node.cloudprovider.kubernetes.io/uninitialized- || true @@ -315,7 +316,7 @@ jobs: sed -i 's/tccr.io/ghcr.io/g' ${{ matrix.chart }}/values.yaml - name: Run chart-testing (install) - run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade || ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade + run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade install-charts5: needs: 
@@ -352,7 +353,7 @@ jobs: uses: nolar/setup-k3d-k3s@v1 with: version: v1.24 - + k3d-args: -p 31990-31999:31990-31999@server:0 - name: Remove node taints run: | kubectl taint --all=true nodes node.cloudprovider.kubernetes.io/uninitialized- || true @@ -362,7 +363,7 @@ jobs: sed -i 's/tccr.io/ghcr.io/g' ${{ matrix.chart }}/values.yaml - name: Run chart-testing (install) - run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade || ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade + run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade install-charts6: needs: @@ -399,7 +400,7 @@ jobs: uses: nolar/setup-k3d-k3s@v1 with: version: v1.24 - + k3d-args: -p 31990-31999:31990-31999@server:0 - name: Remove node taints run: | kubectl taint --all=true nodes node.cloudprovider.kubernetes.io/uninitialized- || true @@ -409,7 +410,7 @@ jobs: sed -i 's/tccr.io/ghcr.io/g' ${{ matrix.chart }}/values.yaml - name: Run chart-testing (install) - run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade || ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade + run: ct install --config ".github/ct-install.yaml" --charts "${{ matrix.chart }}" --upgrade # Summarize matrix https://github.community/t/status-check-for-a-matrix-jobs/127354/7 install_success: 
@@ -429,3 +430,10 @@ jobs: - name: Check install matrix status if: ${{ ( (needs.generate-install-matrix.outputs.detected1 == 'true') && (needs.install-charts1.result != 'success') ) && ( (needs.generate-install-matrix.outputs.detected2 == 'true') && ( (needs.install-charts2.result != 'success') || ( needs.install-charts2.result != 'skipped' ) ) ) && ( (needs.generate-install-matrix.outputs.detected3 == 'true') && ( (needs.install-charts3.result != 'success') || ( needs.install-charts3.result != 'skipped' ) ) ) && ( (needs.generate-install-matrix.outputs.detected4 == 'true') && ( (needs.install-charts4.result != 'success') || ( needs.install-charts4.result != 'skipped' ) ) ) && ( (needs.generate-install-matrix.outputs.detected5 == 'true') && ( (needs.install-charts5.result != 'success') || ( needs.install-charts5.result != 'skipped' ) ) ) && ( (needs.generate-install-matrix.outputs.detected6 == 'true') && ( (needs.install-charts6.result != 'success') || ( needs.install-charts6.result != 'skipped' ) ) ) }} run: exit 1 + + - uses: vishnudxb/cancel-workflow@v1.2 + if: failure() + with: + repo: truecharts/apps + workflow_id: ${{ github.run_id }} + access_token: ${{ github.token }} diff --git a/.github/workflows/pr-validate.yaml b/.github/workflows/pr-validate.yaml index 1c81b896dab..7e9532b6f62 100644 --- a/.github/workflows/pr-validate.yaml +++ b/.github/workflows/pr-validate.yaml @@ -51,7 +51,6 @@ jobs: needs: - pr-metadata # - charts-changelog - - charts-lint with: checkoutCommit: ${{ needs.charts-changelog.outputs.commitHash }} chartChangesDetected: ${{ needs.pr-metadata.outputs.addedOrModified }} diff --git a/charts/stable/nextcloud/Chart.yaml b/charts/stable/nextcloud/Chart.yaml index 55155c5709e..f4ad8e22855 100644 --- a/charts/stable/nextcloud/Chart.yaml +++ b/charts/stable/nextcloud/Chart.yaml 
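Review bot: Removing `- charts-lint` from `needs` means this job (its name and `uses:` are above the hunk) no longer waits on the lint jobs and will run even when linting fails or is still in progress, so a chart that fails `ct lint` can still flow into whatever this reusable workflow does. If decoupling is intended, record why in a comment next to `needs:`; otherwise keep the dependency or gate with `if: ${{ needs.charts-lint.result == 'success' }}`. Note also that `checkoutCommit: ${{ needs.charts-changelog.outputs.commitHash }}` references a job that is commented out of `needs`, so that input presumably evaluates to an empty string — not introduced here, but worth fixing while this block is being edited.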
@@ -33,7 +33,7 @@ sources:
 - https://github.com/nextcloud/docker
 - https://github.com/nextcloud/helm
 type: application
-version: 14.0.16
+version: 15.0.0
 annotations:
 truecharts.org/catagories: |
 - cloud
diff --git a/charts/stable/nextcloud/ci/basic-values.yaml b/charts/stable/nextcloud/ci/basic-values.yaml
new file mode 100644
index 00000000000..0e1ca145546
--- /dev/null
+++ b/charts/stable/nextcloud/ci/basic-values.yaml
@@ -0,0 +1,11 @@
+env:
+ # IP used for exposing nextcloud
+ # Often the service or nodePort IP
+ AccessIP: "127.0.0.1"
+
+service:
+ main:
+ ports:
+ main:
+ port: 8080
+ targetPort: 8080
diff --git a/charts/stable/nextcloud/questions.yaml b/charts/stable/nextcloud/questions.yaml
index fc12221f6a3..57f0d915736 100644
--- a/charts/stable/nextcloud/questions.yaml
+++ b/charts/stable/nextcloud/questions.yaml
@@ -109,11 +109,12 @@ questions:
 schema:
 type: string
 default: "172.16.0.0/16"
- - variable: NODE_IP
- label: "NODE_IP (First Install Only)"
- description: "Sets nextcloud nodeip for nodeport connections (Ensure this is correct at first install!)"
+ - variable: AccessIP
+ label: "Access IP"
+ description: "Set to the IP-Address used to reach Nextcloud. Most often the Service or NodePort IP (Ensure this is correct!)"
 schema:
 type: string
+ required: true
 $ref:
 - "definitions/nodeIP"
@@ -180,7 +181,7 @@ questions:
 description: "The internal(!) port on the container the Application runs on"
 schema:
 type: int
- default: 80
+ default: 8080
 - variable: serviceexpert
 group: "Networking and Services"
@@ -209,6 +210,15 @@ questions:
 additional_attrs: true
 type: dict
 attrs:
+ - variable: html
+ label: "App html Storage"
+ description: "Stores the Application html."
+ schema:
+ additional_attrs: true
+ type: dict
+ attrs:
+# Include{persistenceBasic}
+# Include{persistenceAdvanced}
 - variable: data
 label: "App Data Storage"
 description: "Stores the Application Data."
diff --git a/charts/stable/nextcloud/templates/_configmap.tpl b/charts/stable/nextcloud/templates/_configmap.tpl
index 3bb5a51325b..92231b6b0f7 100644
--- a/charts/stable/nextcloud/templates/_configmap.tpl
+++ b/charts/stable/nextcloud/templates/_configmap.tpl
@@ -13,23 +13,17 @@
 {{- end }}
 {{- end }}
 {{- end }}
+
+
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
 name: nextcloudconfig
 data:
- NEXTCLOUD_TRUSTED_DOMAINS: {{ ( printf "%v %v %v %v %v" "test.fakedomain.dns" ( .Values.env.NODE_IP | default "localhost" ) ( printf "%v-%v" .Release.Name "nextcloud" ) ( printf "%v-%v" .Release.Name "nextcloud-hpb" ) $hosts ) | quote }}
+ NEXTCLOUD_TRUSTED_DOMAINS: {{ ( printf "%v %v %v %v %v %v %v %v" "test.fakedomain.dns" "localhost" "127.0.0.1" ( printf "%v:%v" "127.0.0.1" .Values.service.main.ports.main.port ) ( .Values.env.AccessIP | default "localhost" ) ( printf "%v-%v" .Release.Name "nextcloud" ) ( printf "%v-%v" .Release.Name "nextcloud-backend" ) $hosts ) | quote }}
 {{- if .Values.ingress.main.enabled }}
 APACHE_DISABLE_REWRITE_IP: "1"
 {{- end }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: hpbconfig
-data:
- NEXTCLOUD_URL: {{ ( printf "%v-%v" .Release.Name "nextcloud" ) | quote }}
-
 {{- end -}}
diff --git a/charts/stable/nextcloud/templates/_cronjob.tpl b/charts/stable/nextcloud/templates/_cronjob.tpl
index 6ebfbe7d70c..472f9d39810 100644
--- a/charts/stable/nextcloud/templates/_cronjob.tpl
+++ b/charts/stable/nextcloud/templates/_cronjob.tpl
@@ -1,9 +1,10 @@
 {{/* Define the cronjob */}}
 {{- define "nextcloud.cronjob" -}}
+{{- if .Values.cronjob.enabled -}}
 {{- $jobName := include "tc.common.names.fullname" . }}
 ---
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
 kind: CronJob
 metadata:
 name: {{ printf "%s-cronjob" $jobName }}
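Review bot: `NEXTCLOUD_TRUSTED_DOMAINS` is Nextcloud's Host-header allowlist, and the new value now hard-codes `localhost`, `127.0.0.1` and `127.0.0.1:<port>` and lets `AccessIP` fall back to `localhost` when unset, while the hunk keeps `APACHE_DISABLE_REWRITE_IP: "1"` under `ingress.main.enabled` even though this commit moves the chart to the `nextcloud-fpm` image behind an nginx sidecar (values.yaml hunk). That variable is read by the Apache image entrypoint, so it presumably no longer has any effect here and client-IP trust now rests entirely on `TRUSTED_PROXIES` plus the sidecar's `proxy_set_header X-Forwarded-For`; either drop the line or annotate it, e.g. `# APACHE_DISABLE_REWRITE_IP only affects the apache image; with nginx+fpm rely on TRUSTED_PROXIES`. Also worth a comment above the key: the docker entrypoint applies `NEXTCLOUD_TRUSTED_DOMAINS` at install time, so changing `AccessIP` on an existing release likely needs `occ config:system:set trusted_domains …` — confirm against the fpm image's entrypoint.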
@@ -31,12 +32,17 @@ spec:
 {{- end }}
 containers:
 - name: {{ .Chart.Name }}
- image: "{{ .Values.image.repository }}:{{ default .Values.image.tag }}"
+ image: '{{ include "tc.common.images.selector" . }}'
 imagePullPolicy: {{ default .Values.image.pullPolicy }}
- command: [ "php" ]
- args:
- - "-f"
- - "/var/www/html/cron.php"
+ command:
+ - "/bin/sh"
+ - "-c"
+ - |
+ /bin/bash <<'EOF'
+ echo "running nextcloud cronjob..."
+ php -f /var/www/html/cron.php
+ echo "cronjob finished"
+ EOF
 # Will mount configuration files as www-data (id: 33) by default for nextcloud
 {{- with (include "tc.common.controller.volumeMounts" . | trim) }}
 volumeMounts:
@@ -45,7 +51,9 @@ spec:
 securityContext:
 runAsUser: 33
 runAsGroup: 33
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
 resources:
 {{ toYaml .Values.resources | indent 16 }}
-
+{{- end -}}
 {{- end -}}
diff --git a/charts/stable/nextcloud/templates/_hpb.tpl b/charts/stable/nextcloud/templates/_hpb.tpl
new file mode 100644
index 00000000000..1854dcf0403
--- /dev/null
+++ b/charts/stable/nextcloud/templates/_hpb.tpl
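Review bot: The new cron script ends with `echo "cronjob finished"`, so the heredoc's exit status is that echo's `0` regardless of whether `php -f /var/www/html/cron.php` failed, and the Job (and any alerting on failed CronJob runs) will always report success. Add `set -e` as the first line inside the heredoc, or write `php -f /var/www/html/cron.php || exit 1`, so a failed cron run surfaces as a failed Job. The hardening added in the second hunk (`readOnlyRootFilesystem: true`, `runAsNonRoot: true`) is welcome; wrapping a `/bin/bash` heredoc in `/bin/sh -c` could be simplified to `command: ["/bin/bash", "-c", …]`, which is only style.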
@@ -0,0 +1,123 @@ +{{/* Define the hbp container */}} +{{- define "nextcloud.hpb" -}} +{{- $jobName := include "tc.common.names.fullname" . }} +image: '{{ include "tc.common.images.selector" . }}' +imagePullPolicy: '{{ .Values.image.pullPolicy }}' +securityContext: + runAsUser: 33 + runAsGroup: 33 + readOnlyRootFilesystem: true + runAsNonRoot: true +{{- with (include "tc.common.controller.volumeMounts" . | trim) }} +volumeMounts: + {{ nindent 2 . }} +{{- end }} +ports: + - containerPort: 7867 +readinessProbe: + httpGet: + path: /push/test/cookie + port: 7867 + httpHeaders: + - name: Host + value: "test.fakedomain.dns" + initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }} + periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }} + timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }} + failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }} +livenessProbe: + httpGet: + path: /push/test/cookie + port: 7867 + httpHeaders: + - name: Host + value: "test.fakedomain.dns" + initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }} + periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }} + timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }} + failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }} +startupProbe: + httpGet: + path: /push/test/cookie + port: 7867 + httpHeaders: + - name: Host + value: "test.fakedomain.dns" + initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }} + periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }} + timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }} + failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }} +command: + - "/bin/sh" + - "-c" + - | + /bin/bash <<'EOF' + set -m + echo "Waiting for notify_push file to be available..." + until [ -f /var/www/html/custom_apps/notify_push/bin/x86_64/notify_push ] + do + sleep 10 + echo "Notify_push not found... waiting..." 
+ done + echo "Waiting for Nextcloud to start..." + until $(curl --output /dev/null --silent --head --fail -H "Host: test.fakedomain.dns" http://127.0.0.1:8080/status.php); do + echo "Nextcloud not found... waiting..." + sleep 10 + done + until $(curl --silent --fail -H "Host: test.fakedomain.dns" http://127.0.0.1:8080/status.php | jq --raw-output '.installed' | grep "true"); do + echo "Nextcloud not installed... waiting..." + sleep 10 + done + echo "Nextcloud instance with Notify_push found... Launching High Performance Backend..." + /var/www/html/custom_apps/notify_push/bin/x86_64/notify_push /var/www/html/config/config.php & + + until $(curl --output /dev/null --silent --head --fail -H "Host: test.fakedomain.dns" http://127.0.0.1:7867/push/test/cookie); do + echo "High Performance Backend not running ... waiting..." + sleep 10 + done + echo "High Performance Backend found..." + {{- $accessurl := ( printf "http://%v:%v" ( .Values.env.AccessIP | default ( printf "%v-%v" .Release.Name "nextcloud" ) ) .Values.service.main.ports.main.port ) }} + {{- if .Values.ingress.main.enabled }} + {{- with (first .Values.ingress.main.hosts) }} + {{- $accessurl = ( printf "https://%s" .host ) }} + {{- end }} + {{- end }} + echo "Configuring High Performance Backend for url: {{ $accessurl }}" + php /var/www/html/occ notify_push:setup {{ $accessurl }}/push + fg + EOF +env: + - name: NEXTCLOUD_URL + value: 'http://127.0.0.1:8080' + - name: METRICS_PORT + value: '7868' + - name: TRUSTED_PROXIES + value: "{{ .Values.env.TRUSTED_PROXIES }}" + - name: POSTGRES_DB + value: "{{ .Values.postgresql.postgresqlDatabase }}" + - name: POSTGRES_USER + value: "{{ .Values.postgresql.postgresqlUsername }}" + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: dbcreds + key: postgresql-password + - name: POSTGRES_HOST + valueFrom: + secretKeyRef: + name: dbcreds + key: plainporthost + - name: REDIS_HOST + valueFrom: + secretKeyRef: + name: rediscreds + key: plainhost + - name: 
REDIS_HOST_PASSWORD + valueFrom: + secretKeyRef: + name: rediscreds + key: redis-password +envFrom: + - configMapRef: + name: nextcloudconfig +{{- end -}} diff --git a/charts/stable/nextcloud/templates/_nginx.tpl b/charts/stable/nextcloud/templates/_nginx.tpl new file mode 100644 index 00000000000..f428db0e503 --- /dev/null +++ b/charts/stable/nextcloud/templates/_nginx.tpl 
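Review bot: The hpb container launches `/var/www/html/custom_apps/notify_push/bin/x86_64/notify_push` straight from the shared, writable `html` volume with no digest or ownership check, so anything that can write there (the fpm web process, a Nextcloud app installed from the app store, a compromised admin session) can replace that binary and run code in a container that holds `POSTGRES_PASSWORD` and `REDIS_HOST_PASSWORD`; at minimum document this trust boundary with a comment next to the `until [ -f … ]` loop, and consider checksum-verifying the file or shipping it in the image. The wait loops use `until $(curl …); do`, which executes curl's output as a command and only works because that output is empty or happens to be the literal `true`; write `until curl --output /dev/null --silent --head --fail -H "Host: test.fakedomain.dns" http://127.0.0.1:8080/status.php; do` and `until curl --silent --fail -H "Host: test.fakedomain.dns" http://127.0.0.1:8080/status.php | jq --raw-output '.installed' | grep -q true; do` instead. `{{ $accessurl }}` is spliced unquoted into the `occ notify_push:setup` shell line from `env.AccessIP` or the first ingress host, both free-form chart values, so quote it: `php /var/www/html/occ notify_push:setup "{{ $accessurl }}/push"`. The binary path is also hard-coded to `x86_64`, so on arm64 nodes this container will wait forever and never pass its startup probe.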
@@ -0,0 +1,54 @@
+{{/* Define the nginx container */}}
+{{- define "nextcloud.nginx" -}}
+image: tccr.io/truecharts/nginx-unprivileged:v1.23.0@sha256:e0e989581b7935192d6023ac4a2c19045df39b69b43b894fedbd09726b34c133
+imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+securityContext:
+ runAsUser: 33
+ runAsGroup: 33
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+{{- with (include "tc.common.controller.volumeMounts" . | trim) }}
+volumeMounts:
+ {{ nindent 2 . }}
+{{- end }}
+ - mountPath: /etc/nginx/nginx.conf
+ name: nginx
+ readOnly: true
+ subPath: nginx.conf
+ports:
+ - containerPort: 8080
+
+readinessProbe:
+ httpGet:
+ path: /robots.txt
+ port: 8080
+ httpHeaders:
+ - name: Host
+ value: "test.fakedomain.dns"
+ initialDelaySeconds: {{ .Values.probes.readiness.spec.initialDelaySeconds }}
+ periodSeconds: {{ .Values.probes.readiness.spec.periodSeconds }}
+ timeoutSeconds: {{ .Values.probes.readiness.spec.timeoutSeconds }}
+ failureThreshold: {{ .Values.probes.readiness.spec.failureThreshold }}
+livenessProbe:
+ httpGet:
+ path: /robots.txt
+ port: 8080
+ httpHeaders:
+ - name: Host
+ value: "test.fakedomain.dns"
+ initialDelaySeconds: {{ .Values.probes.liveness.spec.initialDelaySeconds }}
+ periodSeconds: {{ .Values.probes.liveness.spec.periodSeconds }}
+ timeoutSeconds: {{ .Values.probes.liveness.spec.timeoutSeconds }}
+ failureThreshold: {{ .Values.probes.liveness.spec.failureThreshold }}
+startupProbe:
+ httpGet:
+ path: /robots.txt
+ port: 8080
+ httpHeaders:
+ - name: Host
+ value: "test.fakedomain.dns"
+ initialDelaySeconds: {{ .Values.probes.startup.spec.initialDelaySeconds }}
+ periodSeconds: {{ .Values.probes.startup.spec.periodSeconds }}
+ timeoutSeconds: {{ .Values.probes.startup.spec.timeoutSeconds }}
+ failureThreshold: {{ .Values.probes.startup.spec.failureThreshold }}
+{{- end -}}
diff --git a/charts/stable/nextcloud/templates/common.yaml b/charts/stable/nextcloud/templates/common.yaml
index ae63960a6f1..49b8cf85838 100644
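Review bot: The `- mountPath: /etc/nginx/nginx.conf` item is emitted after the `{{- end }}` of the `with` block, so whenever `tc.common.controller.volumeMounts` renders empty the list item appears without a `volumeMounts:` key and the `fromYaml` in common.yaml produces a broken container spec; render the key unconditionally instead: `volumeMounts:` / `{{- with (include "tc.common.controller.volumeMounts" . | trim) }}{{ nindent 2 . }}{{- end }}` / `  - mountPath: /etc/nginx/nginx.conf`. This is probably masked today because the `html`/`data` persistence entries always yield mounts, but it is fragile. Pinning `nginx-unprivileged` by digest and running it with `readOnlyRootFilesystem: true` / `runAsNonRoot: true` is good; the nginx.conf it loads writes `/var/run/nginx.pid` and `/var/cache/nginx`, which presumably depend on the `varrun` and `cache` volumes declared in values.yaml, so a one-line comment above `volumeMounts:` naming that coupling would help the next maintainer.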
--- a/charts/stable/nextcloud/templates/common.yaml
+++ b/charts/stable/nextcloud/templates/common.yaml
@@ -7,8 +7,13 @@
 {{- $newMiddlewares := append .Values.ingress.main.fixedMiddlewares "tc-nextcloud-chain" }}
 {{- $_ := set .Values.ingress.main "fixedMiddlewares" $newMiddlewares -}}
-{{/* Render cronjob for nextcloud */}}
-{{- include "nextcloud.cronjob" . }}
+{{- if .Values.hpb.enabled -}}
+{{- $_ := set .Values.additionalContainers "hpb" (include "nextcloud.hpb" . | fromYaml) -}}
+{{- end -}}
+{{- $_ := set .Values.additionalContainers "nginx" (include "nextcloud.nginx" . | fromYaml) -}}
 {{/* Render the templates */}}
 {{ include "tc.common.loader.apply" . }}
+
+{{/* Render cronjob for nextcloud */}}
+{{- include "nextcloud.cronjob" . }}
diff --git a/charts/stable/nextcloud/values.yaml b/charts/stable/nextcloud/values.yaml
index 64f3512fb2b..293e13f9629 100644
--- a/charts/stable/nextcloud/values.yaml
+++ b/charts/stable/nextcloud/values.yaml
@@ -1,7 +1,7 @@
 image:
- repository: tccr.io/truecharts/nextcloud
+ repository: tccr.io/truecharts/nextcloud-fpm
 pullPolicy: IfNotPresent
- tag: v24.0.2@sha256:63d35a53582c992e684f045df2d08b5aba3e7588da52353b23dbdc28e1ef2f59
+ tag: v24.0.2@sha256:2e8ce7bc258d243b81a3ff65bbae356e8e94d7844758f4342ca711709bdbe078
 securityContext:
 readOnlyRootFilesystem: false
@@ -17,20 +17,103 @@ service: ports: main: port: 10020 - targetPort: 80 - hpb: + targetPort: 8080 + backend: enabled: true ports: hpb: enabled: true port: 7867 targetPort: 7867 + hpb-metrics: + enabled: true + port: 7868 + targetPort: 7868 + fpm: + enabled: true + port: 9000 + targetPort: 9000 + secretEnv: NEXTCLOUD_ADMIN_USER: "admin" NEXTCLOUD_ADMIN_PASSWORD: "adminpass" +probes: + liveness: + custom: true + spec: + initialDelaySeconds: 25 + httpGet: + path: /status.php + port: 8080 + httpHeaders: + - name: Host + value: "test.fakedomain.dns" + + readiness: + custom: true + spec: + initialDelaySeconds: 25 + httpGet: + path: /status.php + port: 8080 + httpHeaders: + - name: Host + value: "test.fakedomain.dns" + + startup: + custom: true + spec: + initialDelaySeconds: 25 + httpGet: + path: /status.php + port: 8080 + httpHeaders: + - name: Host + value: "test.fakedomain.dns" + +initContainers: + prestart: + image: '{{ include "tc.common.images.selector" . }}' + securityContext: + runAsUser: 0 + runAsGroup: 0 + privileged: true + command: + - "/bin/sh" + - "-c" + - | + /bin/bash <<'EOF' + if [[ -f /data/config/config.php ]] && [[ ! -f /html/config/config.php ]]; then + echo "migrating from single to dual PVC's..." + echo "moving to placeholder location..." + mv -f /var/www/html/data/* /var/www/html/data/tomigrate/ + echo "moving userdata to data-pvc root..." + mv -f /var/www/html/data/tomigrate/data/* /var/www/html/data/ + echo "removing old data folder..." + rm -rf /var/www/html/data/tomigrate/data + echo "moving config, apps, templates and other content to html-pvc root..." + mv -f /var/www/html/data/tomigrate/data/* /var/www/html/data/ + echo "Removing migration temporary folder..." + rm -rf /var/www/html/data/tomigrate + fi + echo "Enforcing chmod 770 on data-dir..." + chmod 770 /var/www/html/data + echo "Migrating old data when found..." 
+ EOF + + volumeMounts: + - name: data + mountPath: "/var/www/html/data" + - name: html + mountPath: "/var/www/html" + env: - TRUSTED_PROXIES: "172.16.0.0/16" + # IP used for exposing nextcloud + # Often the service or nodePort IP + # Defaults to the main serviceName for CI purposes. + AccessIP: + TRUSTED_PROXIES: "172.16.0.0/16 127.0.0.1" POSTGRES_DB: "{{ .Values.postgresql.postgresqlDatabase }}" POSTGRES_USER: "{{ .Values.postgresql.postgresqlUsername }}" POSTGRES_PASSWORD: 
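Review bot: The `prestart` init container runs as `runAsUser: 0` and additionally `privileged: true`, but the script only needs root to `mv`/`chmod`/`rm` files on the two mounted volumes; `privileged` grants every capability plus host device access and should be dropped (add a specific entry under `capabilities.add` if one turns out to be needed). The migration branch also looks wrong as written: it tests `/data/config/config.php` and `/html/config/config.php` while the volumes are mounted at `/var/www/html/data` and `/var/www/html`, so as far as this hunk shows the `if` can never be true. Inside it, the first `mv` targets a `tomigrate/` directory that is never created, `*` skips dotfiles such as `.ocdata`, the "moving config, apps, templates …" step repeats the earlier `mv` from a path that was just `rm -rf`'d instead of moving into `/var/www/html/`, and with no `set -e` each failure is silently ignored. A corrected version is sketched below; please exercise it against a snapshot of a real single-PVC install before release. Separately, `AccessIP:` is left empty here while its comment says it defaults to the service name, yet `_configmap.tpl` falls back to `localhost` and `_hpb.tpl` to `<release>-nextcloud` — pick one default and state it in the comment.

```yaml
    securityContext:
      runAsUser: 0
      runAsGroup: 0
      # privileged: true removed — root on the mounted volumes is all mv/chmod/rm need
    command:
      - "/bin/sh"
      - "-c"
      - |
        /bin/bash <<'EOF'
        set -euo pipefail
        shopt -s dotglob
        # old single-PVC layout: data-PVC (mounted at /var/www/html/data) holds config/, apps/, data/ ...
        if [[ -f /var/www/html/data/config/config.php ]] && [[ ! -f /var/www/html/config/config.php ]]; then
          echo "migrating from single to dual PVC's..."
          mkdir -p /var/www/html/data/tomigrate
          # park everything (dotfiles included) out of the way first
          find /var/www/html/data -mindepth 1 -maxdepth 1 ! -name tomigrate -exec mv -f {} /var/www/html/data/tomigrate/ \;
          # user data goes back to the data-PVC root
          mv -f /var/www/html/data/tomigrate/data/* /var/www/html/data/
          rmdir /var/www/html/data/tomigrate/data
          # config, apps, custom_apps, themes, ... move to the html-PVC root
          mv -f /var/www/html/data/tomigrate/* /var/www/html/
          rm -rf /var/www/html/data/tomigrate
        fi
        # … unchanged: chmod 770 on the data dir …
        EOF
```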
@@ -55,47 +138,231 @@ envFrom: name: nextcloudconfig persistence: - data: + html: enabled: true mountPath: "/var/www/html" + data: + enabled: true + mountPath: "/var/www/html/data" + varrun: + enabled: true + cache: + enabled: true + type: emptyDir + mountPath: /var/cache/nginx + medium: Memory + nginx: + enabled: "true" + mountPath: "/etc/nginx" + noMount: true + readOnly: true + type: "custom" + volumeSpec: + configMap: + name: '{{ include "tc.common.names.fullname" . }}-nginx' + items: + - key: nginx.conf + path: nginx.conf -probes: - liveness: - custom: true - spec: - httpGet: - path: /status.php - port: 80 - httpHeaders: - - name: Host - value: "test.fakedomain.dns" +configmap: + nginx: + enabled: true + data: + nginx.conf: |- + worker_processes auto; - readiness: - custom: true - spec: - httpGet: - path: /status.php - port: 80 - httpHeaders: - - name: Host - value: "test.fakedomain.dns" + error_log /var/log/nginx/error.log warn; + pid /var/run/nginx.pid; - startup: - custom: true - spec: - httpGet: - path: /status.php - port: 80 - httpHeaders: - - name: Host - value: "test.fakedomain.dns" + + events { + worker_connections 1024; + } + + + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + # Prevent nginx HTTP Server Detection + server_tokens off; + + keepalive_timeout 65; + + #gzip on; + + upstream php-handler { + server 127.0.0.1:9000; + } + + server { + listen 8080; + + # Forward Notify_Push "High Performance Backend" to it's own container + location ^~ /push/ { + proxy_pass http://127.0.0.1:7867/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + } + + # HSTS settings + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + # Pagespeed is not supported by Nextcloud, so if your server is built + # with the `ngx_pagespeed` module, uncomment this line to disable it. 
+ #pagespeed off; + + # HTTP response headers borrowed from Nextcloud `.htaccess` + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root /var/www/html; + + # Specify how to handle directories -- specifying `/index.php$request_uri` + # here as the fallback means that Nginx always exhibits the desired behaviour + # when a client requests a path that corresponds to a directory that exists + # on the server. In particular, if that directory contains an index.php file, + # that file is correctly served; if it doesn't, then the request is passed to + # the front-end controller. This consistent behaviour means that we don't need + # to specify custom rules for certain paths (e.g. images and other assets, + # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus + # `try_files $uri $uri/ /index.php$request_uri` + # always provides the desired behaviour. + index index.php index.html /index.php$request_uri; + + # Rule borrowed from `.htaccess` to handle Microsoft DAV clients + location = / { + if ( $http_user_agent ~ ^DavClnt ) { + return 302 /remote.php/webdav/$is_args$args; + } + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # Make a regex exception for `/.well-known` so that clients can still + # access it despite the existence of the regex rule + # `location ~ /(\.|autotest|...)` which would otherwise handle requests + # for `/.well-known`. + location ^~ /.well-known { + # The rules in this block are an adaptation of the rules + # in `.htaccess` that concern `/.well-known`. 
+ + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + + location /.well-known/acme-challenge { try_files $uri $uri/ =404; } + location /.well-known/pki-validation { try_files $uri $uri/ =404; } + + # Let Nextcloud's API for `/.well-known` URIs handle all other + # requests by passing them to the front-end controller. + return 301 /index.php$request_uri; + } + + # Rules borrowed from `.htaccess` to hide certain paths from clients + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } + + # Ensure this block, which passes PHP files to the PHP process, is above the blocks + # which handle static assets (as seen below). If this block is not declared first, + # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` + # to the URI, resulting in a HTTP 500 error response. + location ~ \.php(?:$|/) { + # Required for legacy support + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; + + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + set $path_info $fastcgi_path_info; + + try_files $fastcgi_script_name =404; + + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + #fastcgi_param HTTPS on; + + fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + fastcgi_param front_controller_active true; # Enable pretty urls + fastcgi_pass php-handler; + + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ \.(?:css|js|svg|gif)$ { + try_files $uri /index.php$request_uri; + expires 6M; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + location ~ \.woff2?$ { + try_files 
$uri /index.php$request_uri; + expires 7d; # Cache-Control policy borrowed from `.htaccess` + access_log off; # Optional: Don't log access to assets + } + + # Rule borrowed from `.htaccess` + location /remote { + return 301 /remote.php$request_uri; + } + + location / { + try_files $uri $uri/ /index.php$request_uri; + } + } + } cronjob: + enabled: true schedule: "*/5 * * * *" annotations: {} failedJobsHistoryLimit: 5 successfulJobsHistoryLimit: 2 +hpb: + enabled: true + postgresql: enabled: true existingSecret: "dbcreds"
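Review bot: The nginx `cache` volume is a `medium: Memory` emptyDir with no `sizeLimit`, so everything nginx writes under `/var/cache/nginx` comes out of node RAM with no ceiling other than the container's memory limit; in the stock nginx image that directory also holds the `fastcgi_temp`/`proxy_temp` buffers (worth confirming for the image used here), in which case a few large downloads with response buffering on can push the pod to OOM. Add `sizeLimit: 1Gi` (or whatever fits the deployment) next to `medium: Memory`, assuming the library forwards it to the emptyDir spec. A smaller point in the same `persistence` block: `nginx.enabled: "true"` is a quoted string while every other `enabled` in this file is a bare boolean, and a string `"false"` would still be truthy in a Helm `if`, so write `enabled: true`.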