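# Nextcloud component overlay for the vynil installer.
#
# Reads the Authentik bootstrap secret and ingress from the
# "${var.domain}-auth" namespace, then builds a kustomization overlay over the
# module's *.yaml manifests (index.yaml excluded) with per-instance labels,
# image overrides and strategic-merge patches.
#
# Changes versus the previous revision of this file:
#   - the second PersistentVolumeClaim patch (same target, only re-set the
#     k8up.io/backup annotation already set by the first one) was dropped as
#     redundant;
#   - the init ConfigMap volume is mounted 0555 instead of 0777: the scripts
#     only need read+execute, write bits serve no purpose on that volume.
#
# NOTE(review): local.dns_name is referenced below but not defined in this
# file; assumed to be declared elsewhere in the module — confirm.
# NOTE(review): local.authentik_url / local.authentik_token are not consumed in
# this file; presumably used by another file of the module — confirm before
# removing them.

locals {
  authentik_url = "http://authentik.${var.domain}-auth.svc"
  # Admin bootstrap credential for Authentik. Like any data-source value it is
  # persisted in Terraform state, so the state backend must be protected.
  authentik_token = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]

  # Ownership labels applied to every rendered resource.
  common-labels = {
    "vynil.solidite.fr/owner-name"      = var.instance
    "vynil.solidite.fr/owner-namespace" = var.namespace
    "vynil.solidite.fr/owner-category"  = var.category
    "vynil.solidite.fr/owner-component" = var.component
    "app.kubernetes.io/managed-by"      = "vynil"
    "app.kubernetes.io/name"            = var.component
    "app.kubernetes.io/instance"        = var.instance
  }
  # Kept as a merge so component-specific labels can be added later.
  nextcloud-labels = merge(local.common-labels, {})
}

# Authentik bootstrap secret (source of local.authentik_token).
data "kubernetes_secret_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = "${var.domain}-auth"
  }
}

# Authentik ingress; its first rule's host is used to build the OIDC
# discovery URL handed to Nextcloud.
data "kubernetes_ingress_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = "${var.domain}-auth"
  }
}

data "kustomization_overlay" "data" {
  namespace     = var.namespace
  common_labels = local.nextcloud-labels

  # Every manifest shipped next to this file except the package index.
  resources = [for file in fileset(path.module, "*.yaml") : file if file != "index.yaml"]

  images {
    name     = "nextcloud"
    new_name = "${var.images.nextcloud.registry}/${var.images.nextcloud.repository}"
    new_tag  = "${var.images.nextcloud.tag}"
  }

  # Main Nextcloud Deployment: database/cache/OIDC wiring, local CA and the
  # init scripts. Env entries are strategic-merge patched by name onto the base.
  #
  # NOTE(review): POSTGRES_USER / POSTGRES_PASSWORD only set secretKeyRef.name
  # here; the base manifest is assumed to already carry secretKeyRef.key for
  # those entries (strategic merge keeps it) — confirm.
  patches {
    target {
      kind = "Deployment"
      name = "nextcloud"
    }
    patch = <<-EOF
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: nextcloud
        annotations:
          # Restart the pod when any of the referenced secrets rotates.
          secret.reloader.stakater.com/reload: "${var.instance}-${var.component}-pg-app,${var.component}-${var.instance}-id,${var.component}-${var.instance}-secret,${var.component}"
      spec:
        template:
          spec:
            volumes:
            - name: certs
              secret:
                secretName: "${var.instance}-cert"
                defaultMode: 0444
            - name: config
              configMap:
                name: "${var.component}-${var.instance}-init"
                # Read + execute is all the hook scripts need.
                defaultMode: 0555
            containers:
            - name: nextcloud
              image: "${var.images.nextcloud.registry}/${var.images.nextcloud.repository}:${var.images.nextcloud.tag}"
              imagePullPolicy: "${var.images.nextcloud.pullPolicy}"
              command: ["/usr/local/bin/wrapper"]
              args: ["php-fpm"]
              env:
              - name: POSTGRES_HOST
                value: "${var.instance}-${var.component}-pg-rw.${var.namespace}.svc"
              - name: POSTGRES_DB
                value: "${var.component}"
              - name: POSTGRES_USER
                valueFrom:
                  secretKeyRef:
                    name: "${var.instance}-${var.component}-pg-app"
              - name: POSTGRES_PASSWORD
                valueFrom:
                  secretKeyRef:
                    name: "${var.instance}-${var.component}-pg-app"
              - name: NEXTCLOUD_TRUSTED_DOMAINS
                value: "${local.dns_name}"
              - name: REDIS_HOST
                value: "${var.instance}-${var.component}-redis.${var.namespace}.svc"
              - name: REDIS_HOST_PORT
                value: "6379"
              - name: OAUTH2_CONNECTOR_NAME
                value: "${var.openid-name}"
              - name: OAUTH2_DISCOVER_URI
                value: "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}/.well-known/openid-configuration"
              - name: OAUTH2_CLIENT_ID
                valueFrom:
                  secretKeyRef:
                    name: "${var.component}-${var.instance}-id"
                    key: client-id
              - name: OAUTH2_CLIENT_SECRET
                valueFrom:
                  secretKeyRef:
                    name: "${var.component}-${var.instance}-secret"
                    key: client-secret
              - name: INSTANCE
                value: "${var.instance}"
              - name: ONLYOFFICE_JWT_SECRET
                valueFrom:
                  secretKeyRef:
                    name: "${var.component}"
                    key: onlyoffice-jwt-secret
              - name: COLLABORA_PASSWORD
                valueFrom:
                  secretKeyRef:
                    name: "${var.component}"
                    key: collabora-password
              resources: {}
              volumeMounts:
              - name: certs
                mountPath: /etc/local-ca
                readOnly: true
              - name: config
                mountPath: "/docker-entrypoint-hooks.d/before-starting/autostart.sh"
                subPath: "autostart.sh"
              - name: config
                mountPath: "/usr/local/bin/wrapper"
                subPath: "wrapper"
            - name: nextcloud-nginx
              image: "${var.images.nginx.registry}/${var.images.nginx.repository}:${var.images.nginx.tag}"
              imagePullPolicy: "${var.images.nginx.pullPolicy}"
              resources: {}
              readinessProbe:
                httpGet:
                  httpHeaders:
                  - name: Host
                    value: "${local.dns_name}"
              livenessProbe:
                httpGet:
                  httpHeaders:
                  - name: Host
                    value: "${local.dns_name}"
    EOF
  }

  # Metrics exporter Deployment.
  #
  # NOTE(review): the reload annotation names the secret "nextcloud" literally
  # while the main Deployment refers to the same secret as "${var.component}";
  # these only agree when component is "nextcloud" — confirm.
  # NEXTCLOUD_TLS_SKIP_VERIFY is "true" for every issuer except
  # letsencrypt-prod, i.e. the exporter accepts any certificate in those
  # environments. The main pod already mounts the local CA at /etc/local-ca;
  # trusting that CA instead of skipping verification would be the tighter
  # option if the exporter image supports it.
  patches {
    target {
      kind = "Deployment"
      name = "nextcloud-metrics"
    }
    patch = <<-EOF
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: nextcloud-metrics
        annotations:
          secret.reloader.stakater.com/reload: "nextcloud"
      spec:
        template:
          spec:
            containers:
            - name: metrics-exporter
              image: "${var.images.exporter.registry}/${var.images.exporter.repository}:${var.images.exporter.tag}"
              imagePullPolicy: "${var.images.exporter.pullPolicy}"
              env:
              - name: NEXTCLOUD_SERVER
                value: "https://${local.dns_name}"
              - name: NEXTCLOUD_TLS_SKIP_VERIFY
                value: "${var.issuer=="letsencrypt-prod"?"false":"true"}"
    EOF
  }

  # Data volume: size/access mode from the storage variables, tagged for k8up
  # backups. This single patch replaces the former pair of patches on the same
  # target.
  patches {
    target {
      kind = "PersistentVolumeClaim"
      name = "nextcloud-nextcloud"
    }
    patch = <<-EOF
      kind: PersistentVolumeClaim
      apiVersion: v1
      metadata:
        name: nextcloud-nextcloud
        annotations:
          k8up.io/backup: "true"
      spec:
        accessModes:
        - "${var.storage.volume.accessMode}"
        resources:
          requests:
            storage: "${var.storage.volume.size}"
    EOF
  }

  # Autoscaling bounds from the hpa variables.
  patches {
    target {
      kind = "HorizontalPodAutoscaler"
      name = "nextcloud"
    }
    patch = <<-EOF
      apiVersion: autoscaling/v1
      kind: HorizontalPodAutoscaler
      metadata:
        name: nextcloud
      spec:
        minReplicas: ${var.hpa.min-replicas}
        maxReplicas: ${var.hpa.max-replicas}
        targetCPUUtilizationPercentage: ${var.hpa.avg-cpu}
    EOF
  }
}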