From 4a2e811efc5c46851cef8fa023d3c08ea9560e57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Huss?=
Date: Wed, 26 Jul 2023 12:48:42 +0200
Subject: [PATCH] fixes
---
.../apps_v1_Deployment_gitea-memcached.yaml | 89 +++++++
apps/gitea/apps_v1_StatefulSet_gitea.yaml | 247 ++++++++++++++++++
apps/gitea/index.rhai | 2 +-
apps/gitea/index.yaml | 182 ++++++-------
apps/gitea/v1_Secret_gitea-init.yaml | 26 +-
apps/gitea/v1_Secret_gitea.yaml | 34 ++-
apps/gitea/v1_Service_gitea-http.yaml | 8 +-
apps/gitea/v1_Service_gitea-memcached.yaml | 23 ++
apps/gitea/v1_Service_gitea-ssh.yaml | 6 +-
apps/nextcloud/configs.tf | 39 +++
apps/nextcloud/datas.tf | 35 +++
apps/nextcloud/index.yaml | 156 +++++++----
apps/nextcloud/oauth2.tf | 60 +++++
apps/nextcloud/secret.tf | 2 +-
14 files changed, 715 insertions(+), 194 deletions(-)
create mode 100644 apps/gitea/apps_v1_Deployment_gitea-memcached.yaml
create mode 100644 apps/gitea/apps_v1_StatefulSet_gitea.yaml
create mode 100644 apps/gitea/v1_Service_gitea-memcached.yaml
create mode 100644 apps/nextcloud/configs.tf
create mode 100644 apps/nextcloud/oauth2.tf
diff --git a/apps/gitea/apps_v1_Deployment_gitea-memcached.yaml b/apps/gitea/apps_v1_Deployment_gitea-memcached.yaml
new file mode 100644
index 0000000..7f3e048
--- /dev/null
+++ b/apps/gitea/apps_v1_Deployment_gitea-memcached.yaml
@@ -0,0 +1,89 @@
+# Source: gitea/charts/memcached/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gitea-memcached
+ namespace: vynil-ci
+ labels:
+ app.kubernetes.io/name: memcached
+ helm.sh/chart: memcached-6.3.13
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/managed-by: Helm
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: memcached
+ app.kubernetes.io/instance: gitea
+ replicas: 1
+ strategy:
+ rollingUpdate: {}
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: memcached
+ helm.sh/chart: memcached-6.3.13
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+ spec:
+
+ affinity:
+ podAffinity:
+
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: memcached
+ app.kubernetes.io/instance: gitea
+ topologyKey: kubernetes.io/hostname
+ weight: 1
+ nodeAffinity:
+
+ securityContext:
+ fsGroup: 1001
+ serviceAccountName: default
+ containers:
+ - name: memcached
+ image: docker.io/bitnami/memcached:1.6.19-debian-11-r3
+ imagePullPolicy: "IfNotPresent"
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1001
+ env:
+ - name: BITNAMI_DEBUG
+ value: "false"
+ - name: MEMCACHED_PORT_NUMBER
+ value: "11211"
+ ports:
+ - name: memcache
+ containerPort: 11211
+ livenessProbe:
+ failureThreshold: 6
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ tcpSocket:
+ port: memcache
+ readinessProbe:
+ failureThreshold: 6
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 3
+ tcpSocket:
+ port: memcache
+ resources:
+ limits: {}
+ requests:
+ cpu: 250m
+ memory: 256Mi
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ volumes:
+ - name: tmp
+ emptyDir: {}
\ No newline at end of file
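Review bot: The memcached container runs with no authentication and the companion `gitea-memcached` Service later in this patch exposes it to the whole cluster network, so this Deployment should ship with a NetworkPolicy admitting only the gitea pods on port 11211. The pod uses `serviceAccountName: default` but never needs the API, so add `automountServiceAccountToken: false` at the pod spec level. The container securityContext sets `runAsNonRoot`/`runAsUser` but not `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` or `capabilities: {drop: [ALL]}`; with `/tmp` already on an emptyDir these should be safe to add. `resources.limits: {}` leaves the cache without a memory ceiling, which for a cache is the one limit worth setting.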
diff --git a/apps/gitea/apps_v1_StatefulSet_gitea.yaml b/apps/gitea/apps_v1_StatefulSet_gitea.yaml new file mode 100644 index 0000000..85d1522 --- /dev/null +++ b/apps/gitea/apps_v1_StatefulSet_gitea.yaml 
@@ -0,0 +1,247 @@
+# Source: gitea/templates/gitea/statefulset.yaml
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: gitea
+ annotations:
+ labels:
+ helm.sh/chart: gitea-8.0.3
+ app: gitea
+ app.kubernetes.io/name: gitea
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "1.19.1"
+ version: "1.19.1"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: gitea
+ app.kubernetes.io/instance: gitea
+ serviceName: gitea
+ template:
+ metadata:
+ annotations:
+ checksum/config: 92a115496ca24d008eee552477c9d92637e4c5dafa30a3f43dbffed1ea616881
+ checksum/ldap_0: 9356e28431e375c7fc7d624460a9f41c243f14c3f9765c40aa2b13cf46203eaf
+ labels:
+ helm.sh/chart: gitea-8.0.3
+ app: gitea
+ app.kubernetes.io/name: gitea
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/version: "1.19.1"
+ version: "1.19.1"
+ app.kubernetes.io/managed-by: Helm
+ spec:
+
+ securityContext:
+ fsGroup: 1000
+ initContainers:
+ - name: init-directories
+ image: "gitea/gitea:1.19.1"
+ imagePullPolicy: Always
+ command: ["/usr/sbin/init_directory_structure.sh"]
+ env:
+ - name: GITEA_APP_INI
+ value: /data/gitea/conf/app.ini
+ - name: GITEA_CUSTOM
+ value: /data/gitea
+ - name: GITEA_WORK_DIR
+ value: /data
+ - name: GITEA_TEMP
+ value: /tmp/gitea
+ - name: TZ
+ value: Europe/Paris
+ volumeMounts:
+ - name: init
+ mountPath: /usr/sbin
+ - name: temp
+ mountPath: /tmp
+ - name: data
+ mountPath: /data
+
+ securityContext:
+ capabilities:
+ add:
+ - SYS_CHROOT
+ resources:
+ limits: {}
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ - name: init-app-ini
+ image: "gitea/gitea:1.19.1"
+ imagePullPolicy: Always
+ command: ["/usr/sbin/config_environment.sh"]
+ env:
+ - name: GITEA_APP_INI
+ value: /data/gitea/conf/app.ini
+ - name: GITEA_CUSTOM
+ value: /data/gitea
+ - name: GITEA_WORK_DIR
+ value: /data
+ - name: GITEA_TEMP
+ value: /tmp/gitea
+ - name: TZ
+ value: Europe/Paris
+ - name: ENV_TO_INI__DATABASE__LOG_SQL
+ value: "false"
+ - name: ENV_TO_INI__LOG__LEVEL
+ value: Debug
+ volumeMounts:
+ - name: config
+ mountPath: /usr/sbin
+ - name: temp
+ mountPath: /tmp
+ - name: data
+ mountPath: /data
+ - name: inline-config-sources
+ mountPath: /env-to-ini-mounts/inlines/
+
+ securityContext:
+ capabilities:
+ add:
+ - SYS_CHROOT
+ resources:
+ limits: {}
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ - name: configure-gitea
+ image: "gitea/gitea:1.19.1"
+ command: ["/usr/sbin/configure_gitea.sh"]
+ imagePullPolicy: Always
+ securityContext:
+ capabilities:
+ add:
+ - SYS_CHROOT
+ runAsUser: 1000
+ env:
+ - name: GITEA_APP_INI
+ value: /data/gitea/conf/app.ini
+ - name: GITEA_CUSTOM
+ value: /data/gitea
+ - name: GITEA_WORK_DIR
+ value: /data
+ - name: GITEA_TEMP
+ value: /tmp/gitea
+ - name: GITEA_LDAP_BIND_DN_0
+ valueFrom:
+ secretKeyRef:
+ key: bindDn
+ name: gitea-ldap
+ - name: GITEA_LDAP_PASSWORD_0
+ valueFrom:
+ secretKeyRef:
+ key: bindPassword
+ name: gitea-ldap
+ - name: GITEA_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ key: username
+ name: gitea-admin-user
+ - name: GITEA_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: gitea-admin-user
+ - name: TZ
+ value: Europe/Paris
+ volumeMounts:
+ - name: init
+ mountPath: /usr/sbin
+ - name: temp
+ mountPath: /tmp
+ - name: data
+ mountPath: /data
+
+ resources:
+ limits: {}
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ terminationGracePeriodSeconds: 60
+ containers:
+ - name: gitea
+ image: "gitea/gitea:1.19.1"
+ imagePullPolicy: Always
+ env:
+ # SSH Port values have to be set here as well for openssh configuration
+ - name: SSH_LISTEN_PORT
+ value: "2222"
+ - name: SSH_PORT
+ value: "2222"
+ - name: SSH_LOG_LEVEL
+ value: "INFO"
+ - name: GITEA_APP_INI
+ value: /data/gitea/conf/app.ini
+ - name: GITEA_CUSTOM
+ value: /data/gitea
+ - name: GITEA_WORK_DIR
+ value: /data
+ - name: GITEA_TEMP
+ value: /tmp/gitea
+ - name: TMPDIR
+ value: /tmp/gitea
+ - name: TZ
+ value: Europe/Paris
+ ports:
+ - name: ssh
+ containerPort: 2222
+ - name: http
+ containerPort: 3000
+ livenessProbe:
+ failureThreshold: 10
+ initialDelaySeconds: 200
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: http
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: http
+ timeoutSeconds: 1
+ resources:
+ {}
+ securityContext:
+ capabilities:
+ add:
+ - SYS_CHROOT
+ volumeMounts:
+ - name: temp
+ mountPath: /tmp
+ - name: data
+ mountPath: /data
+ - mountPath: /data/gitea/public/css
+ name: gitea-themes
+ volumes:
+ - name: init
+ secret:
+ secretName: gitea-init
+ defaultMode: 110
+ - name: config
+ secret:
+ secretName: gitea
+ defaultMode: 110
+ - configMap:
+ name: gitea-themes
+ name: gitea-themes
+ - name: inline-config-sources
+ secret:
+ secretName: gitea-inline-config
+ - name: temp
+ emptyDir: {}
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: "10Gi"
\ No newline at end of file
diff --git a/apps/gitea/index.rhai b/apps/gitea/index.rhai
index 04ad77f..a14b0c9 100644
--- a/apps/gitea/index.rhai
+++ b/apps/gitea/index.rhai
@@ -4,7 +4,7 @@ const SRC=src; const DEST=dest; fn pre_pack() { shell("helm repo add gitea-charts https://dl.gitea.io/charts/");
- shell(`helm template gitea gitea-charts/gitea --namespace=vynil-ci --values values.yml >${global::SRC}/chart.yaml`);
+ shell(`helm template gitea --version 8.0.3 gitea-charts/gitea --namespace=vynil-ci --values values.yml >${global::SRC}/chart.yaml`);
} fn post_pack() { shell(`rm -f ${global::DEST}/v1_Pod_gitea-test-connection.yaml`);
diff --git a/apps/gitea/index.yaml b/apps/gitea/index.yaml
index 5092434..7fd0aaa 100644
--- a/apps/gitea/index.yaml
+++ b/apps/gitea/index.yaml
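Review bot: The init-app-ini container sets `ENV_TO_INI__LOG__LEVEL` to `Debug`, which config_environment.sh turns into the persistent app.ini log level for the running instance; debug output is far more verbose than needed in a shared deployment and may record more about requests than intended, so this should be `Info` (or documented as deliberate) before the manifest lands. The `init` and `config` secret volumes use `defaultMode: 110`; Kubernetes reads that field as a decimal integer, so 110 is octal 0156 rather than the 0110-style executable-only mode the digits suggest — presumably carried over from the chart template, but confirm the intent. The admin and LDAP bind credentials reach configure-gitea as environment variables, which are visible through `kubectl describe pod` and the container's process environment; acceptable for a short-lived init container but worth a comment noting it, e.g. `# credentials are env-injected for configure_gitea.sh; they do not persist past this init container`.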
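Review bot: The chart version is hard-coded as `--version 8.0.3` in the helm template command while `apps/gitea/index.yaml` in this same patch still declares `release: default: 8.3.0`, so the option and the pin disagree and changing the option has no effect on what is templated. Either feed the `release` option into pre_pack the same way `src`/`dest` become `SRC`/`DEST`, or change the index default to `8.0.3` so the two agree. Since the pin selects an older chart than the one previously rendered (the other hunks move labels from `gitea-9.0.4`/`1.20.1` to `gitea-8.0.3`/`1.19.1`), a one-line comment on why the older release is wanted would help the next reader, e.g. `// pinned: 9.x moved cache to redis-cluster; this package targets memcached`, adjusted to the real reason.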
@@ -9,66 +9,11 @@ metadata: A painless self-hosted Git service. Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license. options: - domain: - default: your-company + default-branch: + default: main examples: - - your-company + - main type: string - volume: - default: - size: 10Gi - examples: - - size: 10Gi - properties: - size: - default: 10Gi - type: string - type: object - webhook: - default: - allowed-hosts: private - skip-tls-verify: false - examples: - - allowed-hosts: private - skip-tls-verify: false - properties: - allowed-hosts: - default: private - type: string - skip-tls-verify: - default: false - type: boolean - type: object - disable-registration: - default: true - examples: - - true - type: boolean - domain-name: - default: your_company.com - examples: - - your_company.com - type: string - release: - default: 8.3.0 - examples: - - 8.3.0 - type: string - timezone: - default: Europe/Paris - examples: - - Europe/Paris - type: string - load-balancer: - default: - ip: '' - examples: - - ip: '' - properties: - ip: - default: '' - type: string - type: object postgres: default: replicas: 1 
@@ -89,16 +34,66 @@ options: default: '14' type: string type: object + domain-name: + default: your_company.com + examples: + - your_company.com + type: string + sub-domain: + default: git + examples: + - git + type: string + admin: + default: + email: git-admin@git.your_company.com + name: gitea_admin + examples: + - email: git-admin@git.your_company.com + name: gitea_admin + properties: + email: + default: git-admin@git.your_company.com + type: string + name: + default: gitea_admin + type: string + type: object + replicas: + default: 1 + examples: + - 1 + type: integer issuer: default: letsencrypt-prod examples: - letsencrypt-prod type: string - ingress-class: - default: traefik + disable-registration: + default: true examples: - - traefik + - true + type: boolean + timezone: + default: Europe/Paris + examples: + - Europe/Paris type: string + load-balancer: + default: + ip: '' + examples: + - ip: '' + properties: + ip: + default: '' + type: string + type: object + ssh-port: + default: 2222 + examples: + - 2222 + type: integer push-create: default: org: 'true' @@ -119,19 +114,44 @@ options: default: 'true' type: string type: object - admin: - default: - email: git-admin@git.your_company.com - name: gitea_admin + domain: + default: your-company examples: - - email: git-admin@git.your_company.com - name: gitea_admin + - your-company + type: string + release: + default: 8.3.0 + examples: + - 8.3.0 + type: string + ingress-class: + default: traefik + examples: + - traefik + type: string + webhook: + default: + allowed-hosts: private + skip-tls-verify: false + examples: + - allowed-hosts: private + skip-tls-verify: false properties: - email: - default: git-admin@git.your_company.com + allowed-hosts: + default: private type: string - name: - default: gitea_admin + skip-tls-verify: + default: false + type: boolean + type: object + volume: + default: + size: 10Gi + examples: + - size: 10Gi + properties: + size: + default: 10Gi type: string type: object images: 
@@ -197,26 +217,6 @@ options: type: string type: object type: object - ssh-port: - default: 2222 - examples: - - 2222 - type: integer - default-branch: - default: main - examples: - - main - type: string - replicas: - default: 1 - examples: - - 1 - type: integer - sub-domain: - default: git - examples: - - git - type: string theme: default: gitea-modern examples: diff --git a/apps/gitea/v1_Secret_gitea-init.yaml b/apps/gitea/v1_Secret_gitea-init.yaml index 1feb147..3bae4fc 100644 --- a/apps/gitea/v1_Secret_gitea-init.yaml +++ b/apps/gitea/v1_Secret_gitea-init.yaml @@ -4,12 +4,12 @@ kind: Secret metadata: name: gitea-init labels: - helm.sh/chart: gitea-9.0.4 + helm.sh/chart: gitea-8.0.3 app: gitea app.kubernetes.io/name: gitea app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "1.20.1" - version: "1.20.1" + app.kubernetes.io/version: "1.19.1" + version: "1.19.1" app.kubernetes.io/managed-by: Helm type: Opaque stringData: @@ -24,12 +24,14 @@ stringData: set -euo pipefail set -x + chown 1000:1000 /data mkdir -p /data/git/.ssh chmod -R 700 /data/git/.ssh [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf # prepare temp directory structure mkdir -p "${GITEA_TEMP}" + chown 1000:1000 "${GITEA_TEMP}" chmod ug+rwx "${GITEA_TEMP}" 
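Review bot: The label change here moves the package from `gitea-9.0.4`/`1.20.1` back to `gitea-8.0.3`/`1.19.1`, and the same downgrade appears in `v1_Secret_gitea.yaml`, `v1_Service_gitea-http.yaml`, `v1_Service_gitea-ssh.yaml` and the new StatefulSet image tag; Gitea does not support running an older release against a database already migrated by a newer one, so any instance that ran 1.20.x needs a restore from a pre-upgrade backup rather than a plain rollout, and pinning the older release also forgoes fixes shipped since. The added `chown 1000:1000 /data` and `chown 1000:1000 "${GITEA_TEMP}"` in init_directory_structure.sh execute in the init-directories container, which has no `runAsUser` and therefore runs as root against the persistent volume; the calls are non-recursive so they are cheap, but a comment stating why the pod-level `fsGroup: 1000` was not sufficient for this volume would explain the extra privilege, e.g. `# fsGroup alone did not yield a writable /data on this storage class`.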
@@ -47,24 +49,6 @@ stringData: echo "Gitea migrate might fail due to database connection...This init-container will try again in a few seconds" exit 1 } - function test_redis_connection() { - local RETRY=0 - local MAX=30 - - echo 'Wait for redis to become avialable...' - until [ "${RETRY}" -ge "${MAX}" ]; do - nc -vz -w2 gitea-redis-cluster-headless.vynil-ci.svc.cluster.local 6379 && break - RETRY=$[${RETRY}+1] - echo "...not ready yet (${RETRY}/${MAX})" - done - - if [ "${RETRY}" -ge "${MAX}" ]; then - echo "Redis not reachable after '${MAX}' attempts!" - exit 1 - fi - } - - test_redis_connection function configure_admin_user() { local ACCOUNT_ID=$(gitea admin user list --admin | grep -e "\s\+${GITEA_ADMIN_USERNAME}\s\+" | awk -F " " "{printf \$1}") if [[ -z "${ACCOUNT_ID}" ]]; then diff --git a/apps/gitea/v1_Secret_gitea.yaml b/apps/gitea/v1_Secret_gitea.yaml index 49644e9..3afe6d0 100644 --- a/apps/gitea/v1_Secret_gitea.yaml +++ b/apps/gitea/v1_Secret_gitea.yaml @@ -4,16 +4,15 @@ kind: Secret metadata: name: gitea labels: - helm.sh/chart: gitea-9.0.4 + helm.sh/chart: gitea-8.0.3 app: gitea app.kubernetes.io/name: gitea app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "1.20.1" - version: "1.20.1" + app.kubernetes.io/version: "1.19.1" + version: "1.19.1" app.kubernetes.io/managed-by: Helm type: Opaque stringData: - assertions: | config_environment.sh: |- #!/usr/bin/env bash set -euo pipefail 
@@ -51,14 +50,14 @@ stringData: env2ini::log " + '${setting}'" if [[ -z "${section}" ]]; then - export "GITEA____${setting^^}=${value}" # '^^' makes the variable content uppercase + export "ENV_TO_INI____${setting^^}=${value}" # '^^' makes the variable content uppercase return fi local masked_section="${section//./_0X2E_}" # '//' instructs to replace all matches masked_section="${masked_section//-/_0X2D_}" - export "GITEA__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase + export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase } function env2ini::reload_preset_envs() { @@ -132,16 +131,15 @@ stringData: # - initially used to set up Gitea # Anyway, they won't harm existing app.ini files - export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN) - export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY) - export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET) - export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET) + export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN) + export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY) + export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET) + export ENV_TO_INI__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET) env2ini::log "...Initial secrets generated\n" } - - # save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs - env | (grep GITEA || [[ $? == 1 ]]) > /tmp/existing-envs + + env | (grep ENV_TO_INI || [[ $? == 1 ]]) > /tmp/existing-envs # MUST BE CALLED BEFORE OTHER CONFIGURATION env2ini::generate_initial_secrets 
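Review bot: The second hunk deletes the comment that explained the `env | (grep … || [[ $? == 1 ]]) > /tmp/existing-envs` line (`# save existing envs prior to script execution. Necessary to keep order of preexisting and custom envs`) and replaces it with a line containing only trailing whitespace, leaving an unexplained side effect; restore it updated to the new prefix, `# save existing ENV_TO_INI envs prior to script execution; keeps order of preexisting and custom envs`. That file captures every `ENV_TO_INI` variable in plaintext, so if database or mail credentials are ever supplied through that prefix they land in /tmp as well; the emptyDir scope bounds the exposure, but if the script does not already remove the file after `environment-to-ini` runs (the remainder is outside these hunks) a `rm -f /tmp/existing-envs` at the end would close it. The `GITEA__` to `ENV_TO_INI__` rename is consistent with the `ENV_TO_INI__DATABASE__LOG_SQL` variable set in the StatefulSet and with the `-p ENV_TO_INI` flag added in the last hunk.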
@@ -162,10 +160,10 @@ stringData: env2ini::log ' - oauth2.JWT_SECRET' env2ini::log ' - server.LFS_JWT_SECRET' - unset GITEA__SECURITY__INTERNAL_TOKEN - unset GITEA__SECURITY__SECRET_KEY - unset GITEA__OAUTH2__JWT_SECRET - unset GITEA__SERVER__LFS_JWT_SECRET + unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN + unset ENV_TO_INI__SECURITY__SECRET_KEY + unset ENV_TO_INI__OAUTH2__JWT_SECRET + unset ENV_TO_INI__SERVER__LFS_JWT_SECRET fi - environment-to-ini -o $GITEA_APP_INI \ No newline at end of file + environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI \ No newline at end of file diff --git a/apps/gitea/v1_Service_gitea-http.yaml b/apps/gitea/v1_Service_gitea-http.yaml index b92895f..26fed0f 100644 --- a/apps/gitea/v1_Service_gitea-http.yaml +++ b/apps/gitea/v1_Service_gitea-http.yaml @@ -4,12 +4,12 @@ kind: Service metadata: name: gitea-http labels: - helm.sh/chart: gitea-9.0.4 + helm.sh/chart: gitea-8.0.3 app: gitea app.kubernetes.io/name: gitea app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "1.20.1" - version: "1.20.1" + app.kubernetes.io/version: "1.19.1" + version: "1.19.1" app.kubernetes.io/managed-by: Helm annotations: {} @@ -19,7 +19,7 @@ spec: ports: - name: http port: 3000 - targetPort: + targetPort: 3000 selector: app.kubernetes.io/name: gitea app.kubernetes.io/instance: gitea \ No newline at end of file diff --git a/apps/gitea/v1_Service_gitea-memcached.yaml b/apps/gitea/v1_Service_gitea-memcached.yaml new file mode 100644 index 0000000..92bf309 --- /dev/null +++ b/apps/gitea/v1_Service_gitea-memcached.yaml 
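Review bot: The final `environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI` leaves `$GITEA_APP_INI` unquoted in a script that runs under `set -euo pipefail`; the value is `/data/gitea/conf/app.ini` from the StatefulSet today, but quoting it (`environment-to-ini -o "$GITEA_APP_INI" -p ENV_TO_INI`) costs nothing and keeps the script correct if the path ever gains whitespace. The `-p ENV_TO_INI` prefix matches the exports renamed earlier in this file, so the change is internally consistent.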
@@ -0,0 +1,23 @@
+# Source: gitea/charts/memcached/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: gitea-memcached
+ namespace: vynil-ci
+ labels:
+ app.kubernetes.io/name: memcached
+ helm.sh/chart: memcached-6.3.13
+ app.kubernetes.io/instance: gitea
+ app.kubernetes.io/managed-by: Helm
+ annotations:
+spec:
+ type: ClusterIP
+ sessionAffinity: None
+ ports:
+ - name: memcache
+ port: 11211
+ targetPort: memcache
+ nodePort: null
+ selector:
+ app.kubernetes.io/name: memcached
+ app.kubernetes.io/instance: gitea
\ No newline at end of file
diff --git a/apps/gitea/v1_Service_gitea-ssh.yaml b/apps/gitea/v1_Service_gitea-ssh.yaml
index 17dbdc6..b1b1751 100644
--- a/apps/gitea/v1_Service_gitea-ssh.yaml
+++ b/apps/gitea/v1_Service_gitea-ssh.yaml
@@ -4,12 +4,12 @@ kind: Service metadata: name: gitea-ssh labels: - helm.sh/chart: gitea-9.0.4 + helm.sh/chart: gitea-8.0.3 app: gitea app.kubernetes.io/name: gitea app.kubernetes.io/instance: gitea - app.kubernetes.io/version: "1.20.1" - version: "1.20.1" + app.kubernetes.io/version: "1.19.1" + version: "1.19.1" app.kubernetes.io/managed-by: Helm annotations: metallb.universe.tf/address-pool: mlb-pool-public
diff --git a/apps/nextcloud/configs.tf b/apps/nextcloud/configs.tf
new file mode 100644
index 0000000..a7c51ac
--- /dev/null
+++ b/apps/nextcloud/configs.tf
@@ -0,0 +1,39 @@
+locals {
+ script-head = <<-EOF
+ #!/bin/bash
+ export user=www-data
+ run_as() {
+ if [ "$(id -u)" = 0 ]; then
+ su -p "$user" -s /bin/sh -c "$*"
+ else
+ sh -c "$*"
+ fi
+ }
+ cp /etc/local-ca/ca.crt /usr/local/share/ca-certificates/
+ update-ca-certificate
+ run_as ./occ app:install user_oidc ||:
+ run_as ./occ user_oidc:provider "$${OAUTH2_CONNECTOR_NAME}" --clientid="$${OAUTH2_CLIENT_ID}" \
+ --clientsecret="$${OAUTH2_CLIENT_SECRET}" \
+ --discoveryuri="$${OAUTH2_DISCOVER_URI}"
+ EOF
+ script-apps = concat(
+ var.apps.deck?["run_as ./occ app:install deck ||:"]:[],
+ var.apps.calendar?["run_as ./occ app:install calendar ||:"]:[],
+ var.apps.contacts?["run_as ./occ app:install contacts ||:"]:[],
+ var.apps.groupfolders?["run_as ./occ app:install groupfolders ||:"]:[],
+ var.apps.notes?["run_as ./occ app:install notes ||:"]:[],
+ var.apps.tasks?["run_as ./occ app:install tasks ||:"]:[],
+ var.apps.spreed?["run_as ./occ app:install spreed ||:"]:[])
+}
+
+resource "kubectl_manifest" "nextcloud-config" {
+ yaml_body = <<-EOF
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: "${var.component}-${var.instance}-init"
+ namespace: "${var.namespace}"
+ labels: ${jsonencode(local.common-labels)}
+ data: ${jsonencode({ "autostart.sh" = join("\n", concat([local.script-head],local.script-apps))})}
+ EOF
+}
diff --git a/apps/nextcloud/datas.tf b/apps/nextcloud/datas.tf
index 543999a..2ecd66c 100644
--- a/apps/nextcloud/datas.tf
+++ b/apps/nextcloud/datas.tf
@@ -11,6 +11,20 @@ locals { } }
+data "kubernetes_secret_v1" "authentik" {
+ metadata {
+ name = "authentik"
+ namespace = "${var.domain}-auth"
+ }
+}
+
+data "kubernetes_ingress_v1" "authentik" {
+ metadata {
+ name = "authentik"
+ namespace = "${var.domain}-auth"
+ }
+}
+
data "kustomization_overlay" "data" { namespace = var.namespace common_labels = local.common-labels
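Review bot: `update-ca-certificate` in script-head is not the command shipped by the Debian or Alpine ca-certificates package, which is `update-ca-certificates`; because the script runs under `#!/bin/bash` with no `set -e`, the typo fails silently, the copied `ca.crt` never enters the trust store, and the following `occ user_oidc:provider` call will validate the `https://` discovery URI against the stock bundle alone — a hard failure if the authentik endpoint is signed by that local CA. Change the line to `update-ca-certificates`. The provider registration also passes the client secret as a command-line argument (`--clientsecret=`), which is readable from the process table inside the container for the duration of the call; if occ offers no stdin or env alternative, a comment acknowledging the exposure is the minimum. Adding `set -euo pipefail` after the shebang would stop later errors in the generated autostart.sh from being masked, since the `||:` suffixes already cover the install steps that are allowed to fail.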
@@ -37,6 +51,9 @@ data "kustomization_overlay" "data" { - name: certs secret: secretName: "${var.instance}-cert" + - name: config + configMap: + name: ${kubectl_manifest.nextcloud-config.name} containers: - name: nextcloud image: "${var.images.nextcloud.registry}/${var.images.nextcloud.repository}:${var.images.nextcloud.tag}" @@ -60,12 +77,30 @@ data "kustomization_overlay" "data" { value: "${var.instance}-${var.component}-redis.${var.namespace}.svc" - name: REDIS_HOST_PORT value: "6379" + - name: OAUTH2_CONNECTOR_NAME + value: "${var.openid-name}" + - name: OAUTH2_DISCOVER_URI + value: "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}/.well-known/openid-configuration" + - name: OAUTH2_CLIENT_ID + valueFrom: + secretKeyRef: + name: "${var.component}-${var.instance}-id" + key: client-id + - name: OAUTH2_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: "${var.component}-${var.instance}-secret" + key: client-secret + resources: {} volumeMounts: - name: certs mountPath: /etc/local-ca readOnly: true + - name: config + mountPath: "/docker-entrypoint-hooks.d/before-starting/autostart.sh" + subPath: "autostart.sh" - name: nextcloud-nginx image: "${var.images.nginx.registry}/${var.images.nginx.repository}:${var.images.nginx.tag}" imagePullPolicy: "${var.images.nginx.pullPolicy}" diff --git a/apps/nextcloud/index.yaml b/apps/nextcloud/index.yaml index 4f5b80e..129922f 100644 --- a/apps/nextcloud/index.yaml +++ b/apps/nextcloud/index.yaml @@ -6,16 +6,6 @@ metadata: name: nextcloud description: null options: - sub-domain: - default: cloud - examples: - - cloud - type: string - domain-name: - default: your_company.com - examples: - - your_company.com - type: string storage: default: accessMode: ReadWriteOnce 
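Review bot: The `config` ConfigMap volume mounted as `/docker-entrypoint-hooks.d/before-starting/autostart.sh` carries the ConfigMap default file mode, which is not executable; if the image entrypoint only runs hook files that pass an executable check (verify against the `run_path` helper in the nextcloud image's docker-entrypoint.sh), the script is skipped with a log line and the OIDC provider is never registered. Set a mode on the volume, `configMap: {name: ${kubectl_manifest.nextcloud-config.name}, defaultMode: 0755}`, or confirm the entrypoint sources the file instead. Separately, the first hunk of this file adds `data "kubernetes_secret_v1" "authentik"` reading the authentik secret from `${var.domain}-auth`, yet no hunk in this patch references it; a secret data source persists its plaintext contents in Terraform state, so drop it if it is unused. The `data.kustomization_overlay.data` block being edited begins and ends outside these hunks.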
@@ -35,6 +25,16 @@ options: default: 10Gi type: string type: object + openid-name: + default: vynil + examples: + - vynil + type: string + domain: + default: your-company + examples: + - your-company + type: string images: default: exporter: @@ -138,6 +138,21 @@ options: type: string type: object type: object + issuer: + default: letsencrypt-prod + examples: + - letsencrypt-prod + type: string + domain-name: + default: your_company.com + examples: + - your_company.com + type: string + ingress-class: + default: traefik + examples: + - traefik + type: string hpa: default: avg-cpu: 50 @@ -158,51 +173,6 @@ options: default: 1 type: integer type: object - postgres: - default: - replicas: 1 - storage: 5Gi - version: '14' - examples: - - replicas: 1 - storage: 5Gi - version: '14' - properties: - replicas: - default: 1 - type: integer - storage: - default: 5Gi - type: string - version: - default: '14' - type: string - type: object - admin: - default: - name: nextcloud_admin - examples: - - name: nextcloud_admin - properties: - name: - default: nextcloud_admin - type: string - type: object - domain: - default: your-company - examples: - - your-company - type: string - ingress-class: - default: traefik - examples: - - traefik - type: string - issuer: - default: letsencrypt-prod - examples: - - letsencrypt-prod - type: string redis: default: exporter: 
@@ -236,6 +206,81 @@ options: default: 2Gi type: string type: object + sub-domain: + default: cloud + examples: + - cloud + type: string + admin: + default: + name: nextcloud_admin + examples: + - name: nextcloud_admin + properties: + name: + default: nextcloud_admin + type: string + type: object + apps: + default: + calendar: false + contacts: false + deck: false + groupfolders: true + notes: false + spreed: false + tasks: false + examples: + - calendar: false + contacts: false + deck: false + groupfolders: true + notes: false + spreed: false + tasks: false + properties: + calendar: + default: false + type: boolean + contacts: + default: false + type: boolean + deck: + default: false + type: boolean + groupfolders: + default: true + type: boolean + notes: + default: false + type: boolean + spreed: + default: false + type: boolean + tasks: + default: false + type: boolean + type: object + postgres: + default: + replicas: 1 + storage: 5Gi + version: '14' + examples: + - replicas: 1 + storage: 5Gi + version: '14' + properties: + replicas: + default: 1 + type: integer + storage: + default: 5Gi + type: string + version: + default: '14' + type: string + type: object dependencies: [] providers: kubernetes: true @@ -244,3 +289,4 @@ providers: postgresql: null restapi: null http: null +tfaddtype: null diff --git a/apps/nextcloud/oauth2.tf b/apps/nextcloud/oauth2.tf new file mode 100644 index 0000000..a5bdca7 --- /dev/null +++ b/apps/nextcloud/oauth2.tf 
@@ -0,0 +1,60 @@
+resource "kubectl_manifest" "oauth2-secret" {
+ ignore_fields = ["metadata.annotations"]
+ yaml_body = <<-EOF
+ apiVersion: "secretgenerator.mittwald.de/v1alpha1"
+ kind: "StringSecret"
+ metadata:
+ name: "${var.component}-${var.instance}-id"
+ namespace: "${var.namespace}"
+ labels: ${jsonencode(local.common-labels)}
+ spec:
+ forceRegenerate: false
+ fields:
+ - fieldName: "client-id"
+ length: "32"
+ EOF
+}
+data "kubernetes_secret_v1" "oauth2-client-id" {
+ depends_on = [kubectl_manifest.gitea_ldap]
+ metadata {
+ name = kubectl_manifest.oauth2-secret.name
+ namespace = var.namespace
+ }
+}
+
+data "authentik_scope_mapping" "oauth2" {
+ managed_list = [
+ "goauthentik.io/providers/oauth2/scope-email",
+ "goauthentik.io/providers/oauth2/scope-openid",
+ "goauthentik.io/providers/oauth2/scope-profile"
+ ]
+}
+data "authentik_flow" "default-authorization-flow" {
+ slug = "default-provider-authorization-implicit-consent"
+}
+data "authentik_flow" "default-authentication-flow" {
+ slug = "default-authentication-flow"
+}
+
+resource "authentik_provider_oauth2" "oauth2" {
+ name = "${var.component}-${var.instance}"
+ client_id = "${data.kubernetes_secret_v1.oauth2-client-id.data["client-id"]}"
+ authentication_flow = data.authentik_flow.default-authentication-flow.id
+ authorization_flow = data.authentik_flow.default-authorization-flow.id
+ client_type = "confidential"
+ sub_mode = "user_username"
+ property_mappings = data.authentik_scope_mapping.oauth2.ids
+ redirect_uris = [
+ "https://${local.dns-name}/apps/user_oidc/code"
+ ]
+}
+
+resource "kubernetes_secret_v1" "oauth2-client-secret" {
+ metadata {
+ name = "${var.component}-${var.instance}-secret"
+ namespace = var.namespace
+ }
+ data = {
+ client-secret = authentik_provider_oauth2.oauth2.client_secret
+ }
+}
diff --git a/apps/nextcloud/secret.tf b/apps/nextcloud/secret.tf
index 5cb6064..90edb53 100644
--- a/apps/nextcloud/secret.tf
+++ b/apps/nextcloud/secret.tf
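Review bot: `depends_on = [kubectl_manifest.gitea_ldap]` on the `oauth2-client-id` data source names a resource that does not appear anywhere in the nextcloud module in this patch (the kubectl_manifest resources visible are `oauth2-secret`, `nextcloud-config` and the renamed `prj_secret`), so `terraform validate` will fail on an undeclared resource unless it exists in a file outside this diff; the dependency the data source actually needs is the generator that creates the secret it reads, `depends_on = [kubectl_manifest.oauth2-secret]`. `sub_mode = "user_username"` makes the OIDC subject the mutable username; if a username can be renamed or reassigned in authentik, the new holder inherits the Nextcloud account that user_oidc linked to that subject, so a stable identifier such as authentik's `hashed_user_id` is the safer choice unless the app specifically needs usernames as subjects — a comment recording which was chosen and why would prevent a later "fix". The client secret ends up in plaintext in Terraform state twice (the provider resource and `kubernetes_secret_v1.oauth2-client-secret`); that is inherent to this pattern, but the state backend must be protected accordingly.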
@@ -1,5 +1,5 @@ -resource "kubectl_manifest" "gitea_secret" { +resource "kubectl_manifest" "prj_secret" { ignore_fields = ["metadata.annotations"] yaml_body = <<-EOF apiVersion: "secretgenerator.mittwald.de/v1alpha1"