nextcloud: add cron via readinessProbe; block external webcron; run as UID 1000
parent
79f9704cf5
commit
912d15a23b
@ -56,9 +56,25 @@ spec:
|
||||
app.kubernetes.io/name: nextcloud
|
||||
spec:
|
||||
enableServiceLinks: false
|
||||
initContainers:
|
||||
- name: setup-php-config
|
||||
image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
|
||||
command: [ "/bin/sh","-c" ]
|
||||
args: ["cp -r /usr/local/etc/php/conf.d/. /config/"]
|
||||
volumeMounts:
|
||||
- mountPath: /config
|
||||
name: php-config
|
||||
containers:
|
||||
- name: nextcloud
|
||||
image: nextcloud:production-apache
|
||||
image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
|
||||
readinessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /usr/local/bin/php
|
||||
- /var/www/html/cron.php
|
||||
initialDelaySeconds: 1
|
||||
periodSeconds: 300
|
||||
timeoutSeconds: 30
|
||||
env:
|
||||
- name: OIDC_CLIENT_ID
|
||||
valueFrom:
|
||||
@ -91,7 +107,7 @@ spec:
|
||||
- name: NEXTCLOUD_ADMIN_USER
|
||||
value: admin
|
||||
- name: NEXTCLOUD_TRUSTED_DOMAINS
|
||||
value: nextcloud.k-space.ee
|
||||
value: nextcloud.k-space.ee nextcloud # This is for reference - these values are not actually changed by env after installation.
|
||||
- name: OBJECTSTORE_S3_HOST
|
||||
value: 172.20.9.2
|
||||
- name: OBJECTSTORE_S3_PORT
|
||||
@ -148,12 +164,31 @@ spec:
|
||||
- mountPath: /var/www/html/config/oidc.config.php
|
||||
name: config
|
||||
subPath: oidc.config.php
|
||||
- name: php-config
|
||||
mountPath: /usr/local/etc/php/conf.d/
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
add:
|
||||
- NET_BIND_SERVICE
|
||||
volumes:
|
||||
- name: php-config
|
||||
emptyDir: {}
|
||||
- name: config
|
||||
projected:
|
||||
sources:
|
||||
- configMap:
|
||||
name: nextcloud-config
|
||||
securityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: "OnRootMismatch"
|
||||
sysctls:
|
||||
- name: net.ipv4.ip_unprivileged_port_start
|
||||
value: "0"
|
||||
volumeClaimTemplates:
|
||||
- metadata:
|
||||
name: data
|
||||
@ -185,6 +220,7 @@ metadata:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||
traefik.ingress.kubernetes.io/router.tls: "true"
|
||||
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
|
||||
traefik.ingress.kubernetes.io/router.middlewares: nextcloud-nextcloud-block-external-cron@kubernetescrd
|
||||
spec:
|
||||
rules:
|
||||
- host: nextcloud.k-space.ee
|
||||
@ -201,6 +237,15 @@ spec:
|
||||
- hosts:
|
||||
- "*.k-space.ee"
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: nextcloud-block-external-cron
|
||||
spec:
|
||||
replacePathRegex:
|
||||
regex: /cron.php
|
||||
replacement: /
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
|
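Review bot: The `nextcloud-block-external-cron` Middleware added in the last hunk rewrites the path rather than denying the request, and its pattern `regex: /cron.php` is unanchored with an unescaped dot. Any path containing `/cron`, one arbitrary character and `php` has that part replaced by `/`, and the request is still forwarded to Nextcloud, so the result is a rewritten request, not a rejected one. At minimum the dot should be escaped, `regex: '/cron\.php'`, and the Middleware should carry a comment such as `# Defence in depth: rewrites cron.php requests to /, does not deny them`. The match presumably runs on the path as Traefik receives it, so its coverage depends on Traefik and Apache normalising paths the same way. It is worth confirming that Nextcloud's background-job mode is set to cron, so that a web request to cron.php that slips past the rewrite runs nothing.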