nexcloud helm

applications/base/nextcloud-cert-issuer.yml

@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: drive@sunet.se
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+      - http01:
+          ingress:
+            class: nginx
+

applications/richir-test/richir-test.yaml

@@ -0,0 +1,45 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: richir-test
+  namespace: argocd
+  labels:
+    name: richir-test
+spec:
+  project: default
+  sources:
+    - repoURL: 'https://nextcloud.github.io/helm/'
+      chart: nextcloud
+      targetRevision: 6.5.1
+      helm:
+        valueFiles:
+          - $values/applications/richir-test/values.yaml
+    - repoURL: 'https://platform.sunet.se/Drive/k8s-manifests'
+      targetRevision: richir-nextcloud-helm
+      path: applications/base/
+      ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: richir
+  info:
+    - name: 'Example:'
+      value: 'https://example.com'
+  syncPolicy:
+    automated:
+      prune: false
+      selfHeal: true
+      allowEmpty: false
+    syncOptions: # maybe needs FIXME
+      - Validate=true # disables resource validation (equivalent to 'kubectl apply --validate=false') ( true by default ).
+      - CreateNamespace=true # Namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster.
+      - PrunePropagationPolicy=foreground # Supported policies are background, foreground and orphan.
+      - PruneLast=true # Allow the ability for resource pruning to happen as a final, implicit wave of a sync operation
+      - RespectIgnoreDifferences=true # When syncing changes, respect fields ignored by the ignoreDifferences configuration
+      - ApplyOutOfSyncOnly=true # Only sync out-of-sync resources, rather than applying every object in the application
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+  revisionHistoryLimit: 10

applications/richir-test/values.yaml

@@ -0,0 +1,407 @@
+image:
+  repository: 'docker.sunet.se/drive/nextcloud-custom'
+  tag: '29.0.10.3-1'
+  pullPolicy: 'Always'
+
+nameOverride: ""
+fullnameOverride: ""
+podAnnotations: {}
+deploymentAnnotations: {}
+deploymentLabels: {}
+
+replicaCount: 1
+
+ingress:
+  enabled: true
+  className: 'nginx'
+  annotations:
+    acme.cert-manager.io/http01-edit-in-place: 'true'
+    cert-manager.io/issuer: 'letsencrypt'
+  tls:
+    - secretName: 'tls-secret'
+      hosts:
+        - 'richir.drive.test.sunet.se'
+  labels:
+    app.kubernetes.io/instance: 'richir'
+  path: '/'
+  pathType: 'Prefix'
+
+lifecycle: {}
+  # postStartCommand: []
+  # preStopCommand: []
+
+phpClientHttpsFix:
+  enabled: false
+  protocol: 'https'
+
+nextcloud:
+  host: 'richir.drive.test.sunet.se'
+  existingSecret:
+    enabled: true
+    secretName: 'nc-secret'
+    passwordKey: 'nc_admin_password'
+    usernameKey: 'nc_admin_user'
+    smtpHostKey: 'smtp_host'
+    smtpPasswordKey: 'smtp_password'
+    smtpUsernameKey: 'smtp_user'
+  update: 0
+  containerPort: 80
+  datadir: '/var/www/html/data'
+  persistence:
+    subPath:
+  trustedDomains:
+    - 'customer.drive.test.sunet.se'
+  mail:
+    enabled: true
+    fromAddress: 'noreply@drive.test.sunet.se'
+    domain: 'drive.test.sunet.se'
+    smtp:
+      secure: 'tls'
+      port: 587
+      authtype: 'LOGIN'
+  objectStore:
+    s3:
+      enabled: true
+      legacyAuth: false
+      ssl: true
+      port: 443
+      region: 'us-east-1'
+      prefix: 'urn:oid:'
+      usePathStyle: true
+      autoCreate: true
+      storageClass: 'STANDARD'
+      existingSecret: 's3-secret'
+      secretKeys:
+        bucket: 's3_bucket'
+        accessKey: 's3_key'
+        host: 's3_host'
+        secretKey: 's3_secret'
+
+  ## PHP Configuration files
+  # Will be injected in /usr/local/etc/php/conf.d for apache image and in /usr/local/etc/php-fpm.d when nginx.enabled: true
+  phpConfigs: {} #FIXME?
+  ## Default config files that utilize environment variables:
+  # see: https://github.com/nextcloud/docker/tree/master#auto-configuration-via-environment-variables
+  # IMPORTANT: Will be used only if you put extra configs, otherwise default will come from nextcloud itself
+  # Default confgurations can be found here: https://github.com/nextcloud/docker/tree/master/.config
+  defaultConfigs:
+    # To protect /var/www/html/config
+    .htaccess: true
+    # Apache configuration for rewrite urls
+    apache-pretty-urls.config.php: false
+    # Define APCu as local cache
+    apcu.config.php: false
+    # Apps directory configs
+    apps.config.php: false
+    # Used for auto configure database
+    autoconfig.php: false
+    # Redis default configuration
+    redis.config.php: true
+    # Reverse proxy default configuration
+    reverse-proxy.config.php: false
+    # S3 Object Storage as primary storage
+    s3.config.php: true
+    # SMTP default configuration via environment variables
+    smtp.config.php: true
+    # Swift Object Storage as primary storage
+    swift.config.php: false
+    # disables the web based updater as the default nextcloud docker image does not support it
+    upgrade-disable-web.config.php: true
+
+  # Extra config files created in /var/www/html/config/
+  # ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file
+  configs: {} #FIXME?
+  # For example, to enable image and text file previews:
+  #  previews.config.php: |-
+  #    <?php
+  #    $CONFIG = array (
+  #      'enable_previews' => true,
+  #      'enabledPreviewProviders' => array (
+  #        'OC\Preview\Movie',
+  #        'OC\Preview\PNG',
+  #        'OC\Preview\JPEG',
+  #        'OC\Preview\GIF',
+  #        'OC\Preview\BMP',
+  #        'OC\Preview\XBitmap',
+  #        'OC\Preview\MP3',
+  #        'OC\Preview\MP4',
+  #        'OC\Preview\TXT',
+  #        'OC\Preview\MarkDown',
+  #        'OC\Preview\PDF'
+  #      ),
+  #    );
+
+  # Hooks for auto configuration
+  # Here you could write small scripts which are placed in `/docker-entrypoint-hooks.d/<hook-name>/helm.sh`
+  # ref: https://github.com/nextcloud/docker?tab=readme-ov-file#auto-configuration-via-hook-folders
+  hooks:
+    pre-installation:
+    post-installation:
+    pre-upgrade:
+    post-upgrade:
+    before-starting:
+
+  ## Strategy used to replace old pods
+  ## IMPORTANT: use with care, it is suggested to leave as that for upgrade purposes
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+  strategy:
+    type: Recreate
+    # type: RollingUpdate
+    # rollingUpdate:
+    #   maxSurge: 1
+    #   maxUnavailable: 0
+
+  ##
+  ## Extra environment variables
+  extraEnv:
+  #  - name: SOME_SECRET_ENV
+  #    valueFrom:
+  #      secretKeyRef:
+  #        name: nextcloud
+  #        key: secret_key
+
+  # Extra init containers that runs before pods start.
+  extraInitContainers: []
+  #  - name: do-something
+  #    image: busybox
+  #    command: ['do', 'something']
+
+  # Extra sidecar containers.
+  extraSidecarContainers: []
+  #  - name: nextcloud-logger
+  #    image: busybox
+  #    command: [/bin/sh, -c, 'while ! test -f "/run/nextcloud/data/nextcloud.log"; do sleep 1; done; tail -n+1 -f /run/nextcloud/data/nextcloud.log']
+  #    volumeMounts:
+  #    - name: nextcloud-data
+  #      mountPath: /run/nextcloud/data
+
+  # Extra mounts for the pods. Example shown is for connecting a legacy NFS volume
+  # to NextCloud pods in Kubernetes. This can then be configured in External Storage
+  extraVolumes:
+  #  - name: nfs
+  #    nfs:
+  #      server: "10.0.0.1"
+  #      path: "/nextcloud_data"
+  #      readOnly: false
+  extraVolumeMounts:
+  #  - name: nfs
+  #    mountPath: "/legacy_data"
+
+  # Set securityContext parameters for the nextcloud CONTAINER only (will not affect nginx container).
+  # For example, you may need to define runAsNonRoot directive
+  securityContext: {}
+  #   runAsUser: 33
+  #   runAsGroup: 33
+  #   runAsNonRoot: true
+  #   readOnlyRootFilesystem: false
+
+  # Set securityContext parameters for the entire pod. For example, you may need to define runAsNonRoot directive
+  podSecurityContext: {}
+  #   runAsUser: 33
+  #   runAsGroup: 33
+  #   runAsNonRoot: true
+  #   readOnlyRootFilesystem: false
+
+  # Settings for the MariaDB init container
+  mariaDbInitContainer:
+    resources: {}
+    # Set mariadb initContainer securityContext parameters. For example, you may need to define runAsNonRoot directive
+    securityContext: {}
+
+  # Settings for the PostgreSQL init container
+  postgreSqlInitContainer:
+    resources: {}
+    # Set postgresql initContainer securityContext parameters. For example, you may need to define runAsNonRoot directive
+    securityContext: {}
+
+internalDatabase:
+  enabled: false
+
+externalDatabase:
+  enabled: true
+  type: 'mysql'
+  host: 'proxysqlcluster.proxysql:6033'
+  database: 'nextcloud_richir'
+  existingSecret:
+    enabled: true
+    secretName: 'db-secret'
+    passwordKey: 'db_password'
+    usernameKey: 'db_username'
+
+redis:
+  enabled: true
+  auth:
+    enabled: false
+  global:
+    storageClass: ""
+  master:
+    persistence:
+      enabled: true
+  replica:
+    persistence:
+      enabled: true
+
+## Cronjob to execute Nextcloud background tasks
+## ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#cron
+##
+cronjob:
+  enabled: 'disabled'
+
+  ## Cronjob sidecar resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources: {}
+
+  # Allow configuration of lifecycle hooks
+  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
+  lifecycle:
+    postStartCommand: ["/bin/bash", "-c", "/usr/local/bin/nc-upgrade"]
+    # preStopCommand: []
+  # Set securityContext parameters. For example, you may need to define runAsNonRoot directive
+  securityContext: {}
+  #   runAsUser: 33
+  #   runAsGroup: 33
+  #   runAsNonRoot: true
+  #   readOnlyRootFilesystem: true
+
+service:
+  type: 'ClusterIP'
+  port: 8080
+  loadBalancerIP: ""
+  nodePort:
+  # -- use additional annotation on service for nextcloud
+  annotations: {}
+
+#persistence:
+#  enabled: true
+#  storageClass: 'csi-sc-cinderplugin'
+#  accessMode: 'ReadWriteOnce'
+#  size: '1Gi'
+#  nextcloudData:
+#    enabled: false
+
+resources:
+  limits:
+    cpu: '2'
+    memory: '2Gi'
+  requests:
+    cpu: '1'
+    memory: '512Mi'
+
+readinessProbe:
+  tcpSocket:
+    port: 80
+  initialDelaySeconds: 10
+  periodSeconds: 60
+livenessProbe:
+  tcpSocket:
+    port: 80
+  initialDelaySeconds: 20
+  periodSeconds: 180
+
+## Prometheus Exporter / Metrics
+##
+metrics:
+  enabled: false
+
+  replicaCount: 1
+  # Optional: becomes NEXTCLOUD_SERVER env var in the nextcloud-exporter container.
+  # Without it, we will use the full name of the nextcloud service
+  server: ""
+  # The metrics exporter needs to know how you serve Nextcloud either http or https
+  https: false
+  # Use API token if set, otherwise fall back to password authentication
+  # https://github.com/xperimental/nextcloud-exporter#token-authentication
+  # Currently you still need to set the token manually in your nextcloud install
+  token: ""
+  timeout: 5s
+  # if set to true, exporter skips certificate verification of Nextcloud server.
+  tlsSkipVerify: false
+  info:
+    # Optional: becomes NEXTCLOUD_INFO_APPS env var in the nextcloud-exporter container.
+    # Enables gathering of apps-related metrics. Defaults to false
+    apps: false
+
+  image:
+    repository: xperimental/nextcloud-exporter
+    tag: 0.6.2
+    pullPolicy: IfNotPresent
+    # pullSecrets:
+    #   - myRegistrKeySecretName
+
+  ## Metrics exporter resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources: {}
+
+  # -- Metrics exporter pod Annotation
+  podAnnotations: {}
+
+  # -- Metrics exporter pod Labels
+  podLabels: {}
+
+  # -- Metrics exporter pod nodeSelector
+  nodeSelector: {}
+
+  # -- Metrics exporter pod tolerations
+  tolerations: []
+
+  # -- Metrics exporter pod affinity
+  affinity: {}
+
+  service:
+    type: ClusterIP
+    # Use serviceLoadBalancerIP to request a specific static IP,
+    # otherwise leave blank
+    loadBalancerIP:
+    annotations:
+      prometheus.io/scrape: "true"
+      prometheus.io/port: "9205"
+    labels: {}
+
+  # -- security context for the metrics CONTAINER in the pod
+  securityContext:
+    runAsUser: 1000
+    runAsNonRoot: true
+    # allowPrivilegeEscalation: false
+    # capabilities:
+    #   drop:
+    #     - ALL
+
+  # -- security context for the metrics POD
+  podSecurityContext: {}
+  # runAsNonRoot: true
+  # seccompProfile:
+  #   type: RuntimeDefault
+
+  ## Prometheus Operator ServiceMonitor configuration
+  ##
+  serviceMonitor:
+    ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
+    ##
+    enabled: false
+
+    ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
+    ##
+    namespace: ""
+
+    ## @param metrics.serviceMonitor.namespaceSelector The selector of the namespace where the target service is located (defaults to the release namespace)
+    namespaceSelector:
+
+    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+    ##
+    jobLabel: ""
+
+    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
+    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+    ##
+    interval: 30s
+
+    ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
+    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+    ##
+    scrapeTimeout: ""
+
+    ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
+    ##
+    labels: {}