222 lines
7.1 KiB
HCL
222 lines
7.1 KiB
HCL
locals {
|
|
authentik_url = "http://authentik.${var.domain}-auth.svc"
|
|
authentik_token = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]
|
|
common-labels = {
|
|
"vynil.solidite.fr/owner-name" = var.instance
|
|
"vynil.solidite.fr/owner-namespace" = var.namespace
|
|
"vynil.solidite.fr/owner-category" = var.category
|
|
"vynil.solidite.fr/owner-component" = var.component
|
|
"app.kubernetes.io/managed-by" = "vynil"
|
|
"app.kubernetes.io/name" = var.component
|
|
"app.kubernetes.io/instance" = var.instance
|
|
}
|
|
nextcloud-labels = merge(local.common-labels, {
|
|
})
|
|
}
|
|
|
|
data "kubernetes_secret_v1" "authentik" {
|
|
metadata {
|
|
name = "authentik"
|
|
namespace = "${var.domain}-auth"
|
|
}
|
|
}
|
|
|
|
data "kubernetes_ingress_v1" "authentik" {
|
|
metadata {
|
|
name = "authentik"
|
|
namespace = "${var.domain}-auth"
|
|
}
|
|
}
|
|
|
|
data "kustomization_overlay" "data" {
|
|
namespace = var.namespace
|
|
common_labels = local.nextcloud-labels
|
|
resources = [for file in fileset(path.module, "*.yaml"): file if file != "index.yaml"]
|
|
images {
|
|
name = "nextcloud"
|
|
new_name = "${var.images.nextcloud.registry}/${var.images.nextcloud.repository}"
|
|
new_tag = "${var.images.nextcloud.tag}"
|
|
}
|
|
patches {
|
|
target {
|
|
kind = "Deployment"
|
|
name = "nextcloud"
|
|
}
|
|
patch = <<-EOF
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: nextcloud
|
|
annotations:
|
|
secret.reloader.stakater.com/reload: "${var.instance}-${var.component}-pg-app,${var.component}-${var.instance}-id,${var.component}-${var.instance}-secret,${var.component}"
|
|
spec:
|
|
template:
|
|
spec:
|
|
volumes:
|
|
- name: certs
|
|
secret:
|
|
secretName: "${var.instance}-cert"
|
|
defaultMode: 0444
|
|
- name: config
|
|
configMap:
|
|
name: "${var.component}-${var.instance}-init"
|
|
defaultMode: 0777
|
|
containers:
|
|
- name: nextcloud
|
|
image: "${var.images.nextcloud.registry}/${var.images.nextcloud.repository}:${var.images.nextcloud.tag}"
|
|
imagePullPolicy: "${var.images.nextcloud.pullPolicy}"
|
|
command: ["/usr/local/bin/wrapper"]
|
|
args: ["php-fpm"]
|
|
env:
|
|
- name: POSTGRES_HOST
|
|
value: "${var.instance}-${var.component}-pg-rw.${var.namespace}.svc"
|
|
- name: POSTGRES_DB
|
|
value: "${var.component}"
|
|
- name: POSTGRES_USER
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: "${var.instance}-${var.component}-pg-app"
|
|
- name: POSTGRES_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: "${var.instance}-${var.component}-pg-app"
|
|
- name: NEXTCLOUD_TRUSTED_DOMAINS
|
|
value: "${local.dns_name}"
|
|
- name: REDIS_HOST
|
|
value: "${var.instance}-${var.component}-redis.${var.namespace}.svc"
|
|
- name: REDIS_HOST_PORT
|
|
value: "6379"
|
|
- name: OAUTH2_CONNECTOR_NAME
|
|
value: "${var.openid-name}"
|
|
- name: OAUTH2_DISCOVER_URI
|
|
value: "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/o/${var.component}-${var.instance}/.well-known/openid-configuration"
|
|
- name: OAUTH2_CLIENT_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: "${var.component}-${var.instance}-id"
|
|
key: client-id
|
|
- name: OAUTH2_CLIENT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: "${var.component}-${var.instance}-secret"
|
|
key: client-secret
|
|
- name: INSTANCE
|
|
value: "${var.instance}"
|
|
- name: ONLYOFFICE_JWT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: "${var.component}"
|
|
key: onlyoffice-jwt-secret
|
|
- name: COLLABORA_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: "${var.component}"
|
|
key: collabora-password
|
|
|
|
resources:
|
|
{}
|
|
volumeMounts:
|
|
- name: certs
|
|
mountPath: /etc/local-ca
|
|
readOnly: true
|
|
- name: config
|
|
mountPath: "/docker-entrypoint-hooks.d/before-starting/autostart.sh"
|
|
subPath: "autostart.sh"
|
|
- name: config
|
|
mountPath: "/usr/local/bin/wrapper"
|
|
subPath: "wrapper"
|
|
- name: nextcloud-nginx
|
|
image: "${var.images.nginx.registry}/${var.images.nginx.repository}:${var.images.nginx.tag}"
|
|
imagePullPolicy: "${var.images.nginx.pullPolicy}"
|
|
resources:
|
|
{}
|
|
readinessProbe:
|
|
httpGet:
|
|
httpHeaders:
|
|
- name: Host
|
|
value: "${local.dns_name}"
|
|
livenessProbe:
|
|
httpGet:
|
|
httpHeaders:
|
|
- name: Host
|
|
value: "${local.dns_name}"
|
|
EOF
|
|
}
|
|
patches {
|
|
target {
|
|
kind = "Deployment"
|
|
name = "nextcloud-metrics"
|
|
}
|
|
patch = <<-EOF
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: nextcloud-metrics
|
|
annotations:
|
|
secret.reloader.stakater.com/reload: "nextcloud"
|
|
spec:
|
|
template:
|
|
spec:
|
|
containers:
|
|
- name: metrics-exporter
|
|
image: "${var.images.exporter.registry}/${var.images.exporter.repository}:${var.images.exporter.tag}"
|
|
imagePullPolicy: "${var.images.exporter.pullPolicy}"
|
|
env:
|
|
- name: NEXTCLOUD_SERVER
|
|
value: "https://${local.dns_name}"
|
|
- name: NEXTCLOUD_TLS_SKIP_VERIFY
|
|
value: "${var.issuer=="letsencrypt-prod"?"false":"true"}"
|
|
EOF
|
|
}
|
|
patches {
|
|
target {
|
|
kind = "PersistentVolumeClaim"
|
|
name = "nextcloud-nextcloud"
|
|
}
|
|
patch = <<-EOF
|
|
kind: PersistentVolumeClaim
|
|
apiVersion: v1
|
|
metadata:
|
|
name: nextcloud-nextcloud
|
|
annotations:
|
|
k8up.io/backup: "true"
|
|
spec:
|
|
accessModes:
|
|
- "${var.storage.volume.accessMode}"
|
|
resources:
|
|
requests:
|
|
storage: "${var.storage.volume.size}"
|
|
EOF
|
|
}
|
|
patches {
|
|
target {
|
|
kind = "HorizontalPodAutoscaler"
|
|
name = "nextcloud"
|
|
}
|
|
patch = <<-EOF
|
|
apiVersion: autoscaling/v1
|
|
kind: HorizontalPodAutoscaler
|
|
metadata:
|
|
name: nextcloud
|
|
spec:
|
|
minReplicas: ${var.hpa.min-replicas}
|
|
maxReplicas: ${var.hpa.max-replicas}
|
|
targetCPUUtilizationPercentage: ${var.hpa.avg-cpu}
|
|
EOF
|
|
}
|
|
patches {
|
|
target {
|
|
kind = "PersistentVolumeClaim"
|
|
name = "nextcloud-nextcloud"
|
|
}
|
|
patch = <<-EOF
|
|
kind: PersistentVolumeClaim
|
|
apiVersion: v1
|
|
metadata:
|
|
name: nextcloud-nextcloud
|
|
annotations:
|
|
k8up.io/backup: "true"
|
|
EOF
|
|
}
|
|
}
|