diff --git a/applications/base/nextcloud-cert-issuer.yml b/applications/base/nextcloud-cert-issuer.yml
new file mode 100644
index 0000000..8fdb1ef
--- /dev/null
+++ b/applications/base/nextcloud-cert-issuer.yml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: letsencrypt
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: drive@sunet.se
+ privateKeySecretRef:
+ name: letsencrypt
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
+
diff --git a/applications/richir-test/richir-test.yaml b/applications/richir-test/richir-test.yaml
new file mode 100644
index 0000000..67e46ad
--- /dev/null
+++ b/applications/richir-test/richir-test.yaml
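Review bot: The Issuer carries no comment on what `privateKeySecretRef` holds or where the object lands, and both are easy to misread in a base directory that several apps may include: `Issuer` is namespace-scoped, so it is created in whatever namespace the consuming Application targets, and `privateKeySecretRef.name: letsencrypt` is the ACME account key that cert-manager generates there, not a certificate key. I would add two lines above `spec:`: `# Namespaced Issuer: lands in the consuming app's destination namespace (one ACME account per namespace)` and `# privateKeySecretRef is the ACME account key generated by cert-manager, not the TLS private key`. Since `server` points at the production ACME directory, repeatedly recreating throwaway `*.drive.test.sunet.se` instances will count against Let's Encrypt's per-domain rate limits; the staging directory is the usual choice for test environments.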
@@ -0,0 +1,45 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: richir-test
+ namespace: argocd
+ labels:
+ name: richir-test
+spec:
+ project: default
+ sources:
+ - repoURL: 'https://nextcloud.github.io/helm/'
+ chart: nextcloud
+ targetRevision: 6.5.1
+ helm:
+ valueFiles:
+ - $values/applications/richir-test/values.yaml
+ - repoURL: 'https://platform.sunet.se/Drive/k8s-manifests'
+ targetRevision: richir-nextcloud-helm
+ path: applications/base/
+ ref: values
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: richir
+ info:
+ - name: 'Example:'
+ value: 'https://example.com'
+ syncPolicy:
+ automated:
+ prune: false
+ selfHeal: true
+ allowEmpty: false
+ syncOptions: # maybe needs FIXME
+ - Validate=true # disables resource validation (equivalent to 'kubectl apply --validate=false') ( true by default ).
+ - CreateNamespace=true # Namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster.
+ - PrunePropagationPolicy=foreground # Supported policies are background, foreground and orphan.
+ - PruneLast=true # Allow the ability for resource pruning to happen as a final, implicit wave of a sync operation
+ - RespectIgnoreDifferences=true # When syncing changes, respect fields ignored by the ignoreDifferences configuration
+ - ApplyOutOfSyncOnly=true # Only sync out-of-sync resources, rather than applying every object in the application
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+ revisionHistoryLimit: 10
diff --git a/applications/richir-test/values.yaml b/applications/richir-test/values.yaml
new file mode 100644
index 0000000..ced7dbf
--- /dev/null
+++ b/applications/richir-test/values.yaml
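Review bot: `project: default` puts this Application in Argo CD's built-in project, which out of the box allows any source repository and any destination cluster/namespace (unless it has been tightened on this instance), and together with `automated.selfHeal: true` that hands whoever can write to `richir-nextcloud-helm` (presumably a branch) of `platform.sunet.se/Drive/k8s-manifests` unrestricted, continuously re-applied write access to the cluster; a dedicated AppProject whose `sourceRepos` are the two repos listed here and whose `destinations` are limited to `namespace: richir` is the least-privilege shape. The comment on `Validate=true` is inverted: `true` is the default and keeps schema validation on, and it is `Validate=false` that corresponds to `kubectl apply --validate=false`, so the line should read `- Validate=true # keep schema validation on (Validate=false would match 'kubectl apply --validate=false')`. `PrunePropagationPolicy` and `PruneLast` are inert while `prune: false`, and `info` still carries the `https://example.com` placeholder; fill them in or drop them so the `# maybe needs FIXME` marker can go.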
@@ -0,0 +1,413 @@
+# image:
+# repository: 'docker.sunet.se/drive/nextcloud-custom'
+# tag: '29.0.10.3-1'
+# pullPolicy: 'Always'
+image:
+ repository: nextcloud
+ flavor: apache
+ # default is generated by flavor and appVersion
+ tag:
+ pullPolicy: IfNotPresent
+
+nameOverride: ""
+fullnameOverride: ""
+podAnnotations: {}
+deploymentAnnotations: {}
+deploymentLabels: {}
+
+replicaCount: 1
+
+ingress:
+ enabled: true
+ className: 'nginx'
+ annotations:
+ acme.cert-manager.io/http01-edit-in-place: 'true'
+ cert-manager.io/issuer: 'letsencrypt'
+ tls:
+ - secretName: 'tls-secret'
+ hosts:
+ - 'richir.drive.test.sunet.se'
+ labels:
+ app.kubernetes.io/instance: 'richir'
+ path: '/'
+ pathType: 'Prefix'
+
+lifecycle: {}
+ # postStartCommand: []
+ # preStopCommand: []
+
+phpClientHttpsFix:
+ enabled: false
+ protocol: 'https'
+
+nextcloud:
+ host: 'richir.drive.test.sunet.se'
+ existingSecret:
+ enabled: true
+ secretName: 'nc-secret'
+ passwordKey: 'nc_admin_password'
+ usernameKey: 'nc_admin_user'
+ smtpHostKey: 'smtp_host'
+ smtpPasswordKey: 'smtp_password'
+ smtpUsernameKey: 'smtp_user'
+ update: 0
+ containerPort: 80
+ datadir: '/var/www/html/data'
+ persistence:
+ subPath:
+ trustedDomains:
+ - 'customer.drive.test.sunet.se'
+ mail:
+ enabled: true
+ fromAddress: 'noreply@drive.test.sunet.se'
+ domain: 'drive.test.sunet.se'
+ smtp:
+ secure: 'tls'
+ port: 587
+ authtype: 'LOGIN'
+ objectStore:
+ s3:
+ enabled: true
+ legacyAuth: false
+ ssl: true
+ port: 443
+ region: 'us-east-1'
+ prefix: 'urn:oid:'
+ usePathStyle: true
+ autoCreate: true
+ storageClass: 'STANDARD'
+ existingSecret: 's3-secret'
+ secretKeys:
+ bucket: 's3_bucket'
+ accessKey: 's3_key'
+ host: 's3_host'
+ secretKey: 's3_secret'
+
+ ## PHP Configuration files
+ # Will be injected in /usr/local/etc/php/conf.d for apache image and in /usr/local/etc/php-fpm.d when nginx.enabled: true
+ phpConfigs: {} #FIXME?
+ ## Default config files that utilize environment variables:
+ # see: https://github.com/nextcloud/docker/tree/master#auto-configuration-via-environment-variables
+ # IMPORTANT: Will be used only if you put extra configs, otherwise default will come from nextcloud itself
+ # Default confgurations can be found here: https://github.com/nextcloud/docker/tree/master/.config
+ defaultConfigs:
+ # To protect /var/www/html/config
+ .htaccess: true
+ # Apache configuration for rewrite urls
+ apache-pretty-urls.config.php: false
+ # Define APCu as local cache
+ apcu.config.php: false
+ # Apps directory configs
+ apps.config.php: false
+ # Used for auto configure database
+ autoconfig.php: false
+ # Redis default configuration
+ redis.config.php: true
+ # Reverse proxy default configuration
+ reverse-proxy.config.php: false
+ # S3 Object Storage as primary storage
+ s3.config.php: true
+ # SMTP default configuration via environment variables
+ smtp.config.php: true
+ # Swift Object Storage as primary storage
+ swift.config.php: false
+ # disables the web based updater as the default nextcloud docker image does not support it
+ upgrade-disable-web.config.php: true
+
+ # Extra config files created in /var/www/html/config/
+ # ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file
+ configs: {} #FIXME?
+ # For example, to enable image and text file previews:
+ # previews.config.php: |-
+ # true,
+ # 'enabledPreviewProviders' => array (
+ # 'OC\Preview\Movie',
+ # 'OC\Preview\PNG',
+ # 'OC\Preview\JPEG',
+ # 'OC\Preview\GIF',
+ # 'OC\Preview\BMP',
+ # 'OC\Preview\XBitmap',
+ # 'OC\Preview\MP3',
+ # 'OC\Preview\MP4',
+ # 'OC\Preview\TXT',
+ # 'OC\Preview\MarkDown',
+ # 'OC\Preview\PDF'
+ # ),
+ # );
+
+ # Hooks for auto configuration
+ # Here you could write small scripts which are placed in `/docker-entrypoint-hooks.d//helm.sh`
+ # ref: https://github.com/nextcloud/docker?tab=readme-ov-file#auto-configuration-via-hook-folders
+ hooks:
+ pre-installation:
+ post-installation:
+ pre-upgrade:
+ post-upgrade:
+ before-starting:
+
+ ## Strategy used to replace old pods
+ ## IMPORTANT: use with care, it is suggested to leave as that for upgrade purposes
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+ strategy:
+ type: Recreate
+ # type: RollingUpdate
+ # rollingUpdate:
+ # maxSurge: 1
+ # maxUnavailable: 0
+
+ ##
+ ## Extra environment variables
+ extraEnv:
+ # - name: SOME_SECRET_ENV
+ # valueFrom:
+ # secretKeyRef:
+ # name: nextcloud
+ # key: secret_key
+
+ # Extra init containers that runs before pods start.
+ extraInitContainers: []
+ # - name: do-something
+ # image: busybox
+ # command: ['do', 'something']
+
+ # Extra sidecar containers.
+ extraSidecarContainers: []
+ # - name: nextcloud-logger
+ # image: busybox
+ # command: [/bin/sh, -c, 'while ! test -f "/run/nextcloud/data/nextcloud.log"; do sleep 1; done; tail -n+1 -f /run/nextcloud/data/nextcloud.log']
+ # volumeMounts:
+ # - name: nextcloud-data
+ # mountPath: /run/nextcloud/data
+
+ # Extra mounts for the pods. Example shown is for connecting a legacy NFS volume
+ # to NextCloud pods in Kubernetes.
This can then be configured in External Storage
+ extraVolumes:
+ # - name: nfs
+ # nfs:
+ # server: "10.0.0.1"
+ # path: "/nextcloud_data"
+ # readOnly: false
+ extraVolumeMounts:
+ # - name: nfs
+ # mountPath: "/legacy_data"
+
+ # Set securityContext parameters for the nextcloud CONTAINER only (will not affect nginx container).
+ # For example, you may need to define runAsNonRoot directive
+ securityContext: {}
+ # runAsUser: 33
+ # runAsGroup: 33
+ # runAsNonRoot: true
+ # readOnlyRootFilesystem: false
+
+ # Set securityContext parameters for the entire pod. For example, you may need to define runAsNonRoot directive
+ podSecurityContext: {}
+ # runAsUser: 33
+ # runAsGroup: 33
+ # runAsNonRoot: true
+ # readOnlyRootFilesystem: false
+
+ # Settings for the MariaDB init container
+ mariaDbInitContainer:
+ resources: {}
+ # Set mariadb initContainer securityContext parameters. For example, you may need to define runAsNonRoot directive
+ securityContext: {}
+
+ # Settings for the PostgreSQL init container
+ postgreSqlInitContainer:
+ resources: {}
+ # Set postgresql initContainer securityContext parameters.
For example, you may need to define runAsNonRoot directive
+ securityContext: {}
+
+internalDatabase:
+ enabled: false
+
+externalDatabase:
+ enabled: true
+ type: 'mysql'
+ host: 'proxysqlcluster.proxysql:6033'
+ database: 'nextcloud_richir'
+ existingSecret:
+ enabled: true
+ secretName: 'db-secret'
+ passwordKey: 'db_password'
+ usernameKey: 'db_username'
+
+redis:
+ enabled: true
+ auth:
+ enabled: false
+ global:
+ storageClass: ""
+ master:
+ persistence:
+ enabled: true
+ replica:
+ persistence:
+ enabled: true
+
+## Cronjob to execute Nextcloud background tasks
+## ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#cron
+##
+cronjob:
+ enabled: false
+
+ ## Cronjob sidecar resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ resources: {}
+
+ # Allow configuration of lifecycle hooks
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
+ lifecycle:
+ postStartCommand: ["/bin/bash", "-c", "/usr/local/bin/nc-upgrade"]
+ # preStopCommand: []
+ # Set securityContext parameters.
For example, you may need to define runAsNonRoot directive
+ securityContext: {}
+ # runAsUser: 33
+ # runAsGroup: 33
+ # runAsNonRoot: true
+ # readOnlyRootFilesystem: true
+
+service:
+ type: 'ClusterIP'
+ port: 8080
+ loadBalancerIP: ""
+ nodePort:
+ # -- use additional annotation on service for nextcloud
+ annotations: {}
+
+persistence:
+ enabled: true
+ storageClass: 'csi-sc-cinderplugin'
+ accessMode: 'ReadWriteOnce'
+ size: '1Gi'
+ nextcloudData:
+ enabled: false
+
+resources:
+ limits:
+ cpu: '2'
+ memory: '2Gi'
+ requests:
+ cpu: '1'
+ memory: '512Mi'
+
+readinessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 10
+ periodSeconds: 60
+livenessProbe:
+ tcpSocket:
+ port: 80
+ initialDelaySeconds: 20
+ periodSeconds: 180
+
+## Prometheus Exporter / Metrics
+##
+metrics:
+ enabled: false
+
+ replicaCount: 1
+ # Optional: becomes NEXTCLOUD_SERVER env var in the nextcloud-exporter container.
+ # Without it, we will use the full name of the nextcloud service
+ server: ""
+ # The metrics exporter needs to know how you serve Nextcloud either http or https
+ https: false
+ # Use API token if set, otherwise fall back to password authentication
+ # https://github.com/xperimental/nextcloud-exporter#token-authentication
+ # Currently you still need to set the token manually in your nextcloud install
+ token: ""
+ timeout: 5s
+ # if set to true, exporter skips certificate verification of Nextcloud server.
+ tlsSkipVerify: false
+ info:
+ # Optional: becomes NEXTCLOUD_INFO_APPS env var in the nextcloud-exporter container.
+ # Enables gathering of apps-related metrics.
Defaults to false
+ apps: false
+
+ image:
+ repository: xperimental/nextcloud-exporter
+ tag: 0.6.2
+ pullPolicy: IfNotPresent
+ # pullSecrets:
+ # - myRegistrKeySecretName
+
+ ## Metrics exporter resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ resources: {}
+
+ # -- Metrics exporter pod Annotation
+ podAnnotations: {}
+
+ # -- Metrics exporter pod Labels
+ podLabels: {}
+
+ # -- Metrics exporter pod nodeSelector
+ nodeSelector: {}
+
+ # -- Metrics exporter pod tolerations
+ tolerations: []
+
+ # -- Metrics exporter pod affinity
+ affinity: {}
+
+ service:
+ type: ClusterIP
+ # Use serviceLoadBalancerIP to request a specific static IP,
+ # otherwise leave blank
+ loadBalancerIP:
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9205"
+ labels: {}
+
+ # -- security context for the metrics CONTAINER in the pod
+ securityContext:
+ runAsUser: 1000
+ runAsNonRoot: true
+ # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop:
+ # - ALL
+
+ # -- security context for the metrics POD
+ podSecurityContext: {}
+ # runAsNonRoot: true
+ # seccompProfile:
+ # type: RuntimeDefault
+
+ ## Prometheus Operator ServiceMonitor configuration
+ ##
+ serviceMonitor:
+ ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
+ ##
+ enabled: false
+
+ ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
+ ##
+ namespace: ""
+
+ ## @param metrics.serviceMonitor.namespaceSelector The selector of the namespace where the target service is located (defaults to the release namespace)
+ namespaceSelector:
+
+ ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+ ##
+ jobLabel: ""
+
+ ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ interval: 30s
+
+ ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ scrapeTimeout: ""
+
+ ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
+ ##
+ labels: {}
diff --git a/proxysql/base/proxysql-configmap.yml b/proxysql/base/proxysql-configmap.yml
index a9c25f6..07b5018 100644
--- a/proxysql/base/proxysql-configmap.yml
+++ b/proxysql/base/proxysql-configmap.yml
@@ -300,6 +300,13 @@ data:
 transaction_persistent=1
 active=1
 },
+ {
+ username="nextcloud_richir"
+ password="{{RICHIR_PASSWORD}}"
+ default_hostgroup=10
+ transaction_persistent=1
+ active=1
+ },
 {
 username="nextcloud_rkh"
 password="{{RKH_PASSWORD}}"
diff --git a/proxysql/base/proxysql-deployment.yml b/proxysql/base/proxysql-deployment.yml
index 4cb105e..3eb63e0 100644
--- a/proxysql/base/proxysql-deployment.yml
+++ b/proxysql/base/proxysql-deployment.yml
@@ -247,6 +247,11 @@ spec:
 secretKeyRef:
 name: proxysql-secret
 key: "proxysql_oru_password"
+ - name: RICHIR_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: proxysql-secret
+ key: "proxysql_richir_password"
 - name: RKH_PASSWORD
 valueFrom:
 secretKeyRef:
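Review bot: `redis.auth.enabled: false` under `redis:` deploys the Redis that Nextcloud uses for sessions, file locking and the distributed cache with no password, so any pod that can reach the redis service can read or tamper with session and lock state; turn it on with `redis.auth.enabled: true` and an `existingSecret`/`existingSecretPasswordKey` (the Bitnami subchart's keys as far as I recall — verify against chart 6.5.1), and the Nextcloud chart should then pass the password through to its redis config. `nextcloud.trustedDomains` lists `customer.drive.test.sunet.se` while `nextcloud.host` is `richir.drive.test.sunet.se`; that looks like a copy-paste leftover, and every extra entry widens the Host header values Nextcloud accepts, so drop it unless that name really fronts this instance. With TLS terminated at the nginx ingress and both `reverse-proxy.config.php: false` and `phpClientHttpsFix.enabled: false`, nothing in this file tells Nextcloud the external protocol is https (`overwriteprotocol`), which can yield http:// links and session cookies without the Secure flag — confirm this is set elsewhere or leave the reverse-proxy default config enabled. `securityContext` and `podSecurityContext` are empty, and the official apache image's entrypoint runs as root as far as I know, so at minimum `allowPrivilegeEscalation: false` and a dropped capability set are worth adding once you have confirmed the image's own privilege drop to www-data still works.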
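Review bot: The new `nextcloud_richir` entry carries only routing attributes (`default_hostgroup`, `transaction_persistent`, `active`), so nothing in ProxySQL scopes this tenant to its own database; authorization rests entirely on the backend grants for `nextcloud_richir`, which should be limited to the `nextcloud_richir` schema so a compromised tenant cannot reach the other tenants' databases through the shared proxy (those grants are not visible from here). Adding `default_schema="nextcloud_richir"` would document the intended schema but is not an access control. The enclosing `mysql_users` block starts and ends outside the hunk.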
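Review bot: The new `secretKeyRef` for `RICHIR_PASSWORD` has no `optional: true`, so if the `proxysql_richir_password` key is not already present in `proxysql-secret` when this is synced, the new proxysql pod fails with CreateContainerConfigError — and since this Deployment fronts every tenant's database (`proxysql_oru_password` and `RKH_PASSWORD` are its visible neighbours), a stuck rollout blocks the shared proxy's update path at best and, depending on the deployment strategy (not visible here), may take it down for all tenants. Land the Secret key before this Deployment change, or order the Secret first in the same sync, and make sure the same value is set for the `nextcloud_richir` user on the backend so the ConfigMap substitution and MySQL agree. The env list and container spec continue outside the hunk.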