diff --git a/applications/richir-test/application.yaml b/applications/richir-test/application.yaml new file mode 100644 index 0000000..e46ff96 --- /dev/null +++ b/applications/richir-test/application.yaml @@ -0,0 +1,35 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: richir-test + namespace: argocd + labels: + name: richir-test +spec: + project: default + sources: + - repoURL: 'https://platform.sunet.se/Drive/k8s-manifests' + targetRevision: richir-more-labb + path: customers/overlays/richir/test/ + destination: + server: https://kubernetes.default.svc + namespace: richir + syncPolicy: + automated: + prune: false + selfHeal: true + allowEmpty: false + syncOptions: # maybe needs FIXME + - Validate=true # disables resource validation (equivalent to 'kubectl apply --validate=false') ( true by default ). + - CreateNamespace=true # Namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster. + - PrunePropagationPolicy=foreground # Supported policies are background, foreground and orphan. + - PruneLast=true # Allow the ability for resource pruning to happen as a final, implicit wave of a sync operation + - RespectIgnoreDifferences=true # When syncing changes, respect fields ignored by the ignoreDifferences configuration + - ApplyOutOfSyncOnly=true # Only sync out-of-sync resources, rather than applying every object in the application + retry: + limit: 5 + backoff: + duration: 5s + factor: 2 + maxDuration: 3m + revisionHistoryLimit: 10 diff --git a/customers/base/apache-configmap.yml b/customers/base/apache-configmap.yml index e2fe17f..ceffefc 100644 --- a/customers/base/apache-configmap.yml +++ b/customers/base/apache-configmap.yml 
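Review bot: The `Validate=true` entry under `syncOptions` carries a comment describing `Validate=false` ("disables resource validation"), while the value as written is Argo CD's default, so the line is a no-op with a misleading note. Either drop it or reword the comment, e.g. `- Validate=true  # default; Validate=false would skip server-side schema validation`. The `# maybe needs FIXME` on `syncOptions` should be resolved or turned into a concrete question before this lands. Minor style: `repoURL` is single-quoted while `server` is a bare scalar; pick one form for URLs in this file.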
@@ -10,9 +10,12 @@ data: ServerAdmin webmaster@localhost DocumentRoot /var/www/html # Log format config - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common + LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" xforwardedfor SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded + PassEnv HOSTNAME + Header append Set-Cookie "SERVERID=%{HOSTNAME}e;Path=/;SameSite=Lax;HttpOnly;Secure" + # Header config RemoteIPHeader X-Forwarded-For RemoteIPInternalProxy 37.156.195.14 @@ -21,10 +24,8 @@ data: RemoteIPInternalProxy 37.156.195.92 #ErrorDocument 404 /404.html ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined env=forwarded - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined + CustomLog ${APACHE_LOG_DIR}/access.log xforwardedfor env=forwarded + CustomLog ${APACHE_LOG_DIR}/access.log combined env=!forwarded LimitRequestBody 0 Require all granted @@ -40,9 +41,12 @@ data: ServerAdmin webmaster@localhost DocumentRoot /var/www/html # Log format config - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common + LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" xforwardedfor SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded + PassEnv HOSTNAME + Header append Set-Cookie "SERVERID=%{HOSTNAME}e;Path=/;SameSite=Lax;HttpOnly;Secure" + # Header config RemoteIPHeader X-Forwarded-For RemoteIPInternalProxy 37.156.195.14 
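Review bot: `Header append Set-Cookie "SERVERID=..."` merges into an existing Set-Cookie header with a comma instead of emitting a second header, and user agents do not split comma-joined Set-Cookie values, so whenever the backend sets its own cookie on the same response (likely here, given a PHP session) one or both cookies can be mangled; use `Header add Set-Cookie "SERVERID=%{HOSTNAME}e;Path=/;SameSite=Lax;HttpOnly;Secure"` instead. The same directive is added again in the `@@ -40,9 +41,12 @@` hunk of this file and needs the same change. Both places also rely on mod_headers and mod_env being loaded for `Header` and `PassEnv`, which the hunk does not show. `%{HOSTNAME}e` presumably expands to the pod name, so the cookie value exposes internal pod naming to every client; if that is intended, a comment on the `PassEnv HOSTNAME` line saying what consumes `SERVERID` would help.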
@@ -51,7 +55,8 @@ data: RemoteIPInternalProxy 37.156.195.92 #ErrorDocument 404 /404.html ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined env=forwarded + CustomLog ${APACHE_LOG_DIR}/access.log xforwardedfor env=forwarded + CustomLog ${APACHE_LOG_DIR}/access.log combined env=!forwarded SSLEngine On SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key diff --git a/customers/base/cronjob/cronjob.yml b/customers/base/cronjob/cronjob.yml new file mode 100644 index 0000000..a6ab204 --- /dev/null +++ b/customers/base/cronjob/cronjob.yml @@ -0,0 +1,19 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: customer-job +spec: + schedule: "0 * * * *" + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + spec: + restartPolicy: Never + containers: + - name: cronjob + image: alpine + command: ["sleep"] + args: ["10000"] + securityContext: + privileged: true diff --git a/customers/base/cronjob/kustomization.yaml b/customers/base/cronjob/kustomization.yaml new file mode 100644 index 0000000..74dc975 --- /dev/null +++ b/customers/base/cronjob/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - cronjob.yml diff --git a/customers/base/nextcloud-deployment.yml b/customers/base/nextcloud-deployment.yml index 77e6c31..8478efb 100644 --- a/customers/base/nextcloud-deployment.yml +++ b/customers/base/nextcloud-deployment.yml @@ -11,16 +11,6 @@ spec: app: customer-node updateStrategy: type: RollingUpdate - volumeClaimTemplates: - - metadata: - name: nextcloud-data - spec: - storageClassName: csi-sc-cinderplugin - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi template: metadata: labels: @@ -213,3 +203,5 @@ spec: items: - key: "config.php" path: "config.php" + - name: nextcloud-data + emptyDir: {} diff --git a/customers/base/nextcloud-ingress.yml b/customers/base/nextcloud-ingress.yml index 5c473df..e0dce7f 100644 
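Review bot: `privileged: true` on the `cronjob` container gives an hourly placeholder `sleep` job full host-level privileges, and nothing in the hunk needs it; drop the `securityContext` block (or set `allowPrivilegeEscalation: false`) until a real workload requires a specific capability. `image: alpine` without a tag resolves to the mutable `latest`, so pin it, e.g. `image: alpine:<PINNED_TAG>`. `concurrencyPolicy: Forbid` combined with a 10000s sleep on an hourly `schedule` means most runs will be skipped; if that is intentional, a comment on `schedule` would save the next reader the puzzle.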
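Review bot: Removing `volumeClaimTemplates` from a StatefulSet that already exists is rejected by the API server, which only permits updates to `replicas`, `template`, `updateStrategy` and a few other fields, so Argo CD sync will fail for existing customers unless the StatefulSet is recreated (the `Replace=true` sync option or a manual delete); the PVCs previously created from the template are also left behind. The `emptyDir: {}` added in the `@@ -213,3 +203,5 @@` hunk means whatever Nextcloud writes under `nextcloud-data` is lost on every pod restart — presumably acceptable if primary storage is the S3 bucket configured in the overlay, but confirm nothing like appdata or updater backups lands in that directory. A short comment on the new volume stating that it is intentionally ephemeral would document that decision.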
--- a/customers/base/nextcloud-ingress.yml +++ b/customers/base/nextcloud-ingress.yml @@ -6,6 +6,11 @@ metadata: annotations: cert-manager.io/issuer: "letsencrypt" acme.cert-manager.io/http01-edit-in-place: "true" + nginx.ingress.kubernetes.io/affinity-mode: "persistent" + nginx.ingress.kubernetes.io/affinity: "cookie" + nginx.ingress.kubernetes.io/session-cookie-expires: "172800" + nginx.ingress.kubernetes.io/session-cookie-max-age: "172800" + nginx.ingress.kubernetes.io/session-cookie-name: "sticky" spec: ingressClassName: nginx defaultBackend: @@ -15,16 +20,15 @@ spec: number: 8443 tls: - hosts: - - customer.drive.test.sunet.se + - customer.drive.test.sunet.se secretName: tls-secret - rules: - host: customer.drive.test.sunet.se http: paths: - path: / pathType: Prefix - backend: + backend: service: name: customer-node port: diff --git a/customers/base/script-configmap.yml b/customers/base/script-configmap.yml index a99349c..1d18e42 100644 --- a/customers/base/script-configmap.yml +++ b/customers/base/script-configmap.yml @@ -5,6 +5,7 @@ metadata: data: nc-upgrade: | #!/bin/bash + chown -R www-data:root /var/www/html/config sed "s/config_is_read_only\(.\) => true,/config_is_read_only\1 => false,/" /var/www/html/config/config.php > /var/www/html/config/config.php.tmp mv /var/www/html/config/config.php.tmp /var/www/html/config/config.php php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ upgrade diff --git a/customers/overlays/richir/test/kustomization.yaml b/customers/overlays/richir/test/kustomization.yaml new file mode 100644 index 0000000..e258878 --- /dev/null +++ b/customers/overlays/richir/test/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../../../base +patches: +- path: nextcloud-deployment.yml +- path: nextcloud-ingress.yml 
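Review bot: The new `sticky` affinity cookie gets an expiry but no SameSite attribute, whereas the Apache `SERVERID` cookie elsewhere in this change is set with `SameSite=Lax;HttpOnly;Secure`; add `nginx.ingress.kubernetes.io/session-cookie-samesite: "Lax"` next to `session-cookie-name` for consistency (ingress-nginx sets HttpOnly itself and, as far as I recall, Secure only on TLS requests — verify against the controller version in use). This also introduces two sticky mechanisms, the nginx cookie and Apache's SERVERID; if both are required, a comment on the `affinity` annotation naming what consumes each would help. The `hosts` re-indent in the `@@ -15,16 +20,15 @@` hunk is cosmetic.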
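Review bot: `chown -R www-data:root /var/www/html/config` runs before the sed/mv pair that recreates `config.php`, so the new file ends up owned by whichever user runs the script rather than by the chown; if the intent is to make `config.php` writable by www-data for `occ upgrade`, move the chown after the `mv` (or chown just `config.php` at that point). The script has no `set -e`, so a failed chown (e.g. when not running as root) silently continues into the upgrade. Any remainder of the `nc-upgrade` script is outside the hunk.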
diff --git a/customers/overlays/richir/test/nextcloud-deployment.yml b/customers/overlays/richir/test/nextcloud-deployment.yml new file mode 100644 index 0000000..7258578 --- /dev/null +++ b/customers/overlays/richir/test/nextcloud-deployment.yml @@ -0,0 +1,37 @@ +kind: StatefulSet +apiVersion: apps/v1 +metadata: + name: customer-node + labels: + app: customer-node +spec: + replicas: 2 + template: + metadata: + labels: + app: customer-node + spec: + containers: + - name: customer + image: docker.sunet.se/drive/nextcloud-custom:30.0.5.2-2 + initContainers: + - name: init-config + env: + - name: MYSQL_DATABASE + value: "nextcloud_richir" + - name: MYSQL_USER + value: "nextcloud_richir" + - name: GSS_MASTER_URL + value: "https://drive.test.sunet.se" + - name: LOOKUP_SERVER + value: "https://lookup.drive.test.sunet.se" + - name: MAIL_DOMAIN + value: "drive.test.sunet.se" + - name: MAIL_SMTPNAME + value: "noreply@drive.test.sunet.se" + - name: NEXTCLOUD_TRUSTED_DOMAINS + value: "richir.drive.test.sunet.se" + - name: OBJECTSTORE_S3_BUCKET + value: "primary-richir-drive-test.sunet.se" + - name: SITE_NAME + value: "richir.drive.test.sunet.se" diff --git a/customers/overlays/richir/test/nextcloud-ingress.yml b/customers/overlays/richir/test/nextcloud-ingress.yml new file mode 100644 index 0000000..1f95bfb --- /dev/null +++ b/customers/overlays/richir/test/nextcloud-ingress.yml @@ -0,0 +1,26 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: customer-ingress + annotations: + cert-manager.io/issuer: "letsencrypt" + acme.cert-manager.io/http01-edit-in-place: "true" +spec: + ingressClassName: nginx + tls: + - hosts: + - richir.drive.test.sunet.se + secretName: tls-secret + ingressClassName: nginx + rules: + - host: richir.drive.test.sunet.se + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: customer-node + port: + number: 80
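Review bot: `ingressClassName: nginx` appears twice under `spec` (before `tls` and again after `secretName`); duplicate mapping keys are invalid YAML 1.2 and are either rejected or silently last-wins depending on the parser kustomize uses, so delete the second occurrence. The patch also points the `customer-node` backend at `number: 80` while the base ingress's defaultBackend uses `8443`; the base rule's own port is cut off by its hunk, so confirm the service actually exposes 80 before this is synced.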