nextcloud: add cron via readinessProbe; block external webcron; run as UID 1000
This commit is contained in:
parent
79f9704cf5
commit
912d15a23b
@ -56,9 +56,25 @@ spec:
app.kubernetes.io/name: nextcloud
app.kubernetes.io/name: nextcloud
spec:
spec:
enableServiceLinks: false
enableServiceLinks: false
initContainers:
- name: setup-php-config
image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
command: [ "/bin/sh","-c" ]
args: ["cp -r /usr/local/etc/php/conf.d/. /config/"]
volumeMounts:
- mountPath: /config
name: php-config
containers:
containers:
- name: nextcloud
- name: nextcloud
image: nextcloud:production-apache
image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
readinessProbe:
exec:
command:
- /usr/local/bin/php
- /var/www/html/cron.php
initialDelaySeconds: 1
periodSeconds: 300
timeoutSeconds: 30
env:
env:
- name: OIDC_CLIENT_ID
- name: OIDC_CLIENT_ID
valueFrom:
valueFrom:
@ -91,7 +107,7 @@ spec:
- name: NEXTCLOUD_ADMIN_USER
- name: NEXTCLOUD_ADMIN_USER
value: admin
value: admin
- name: NEXTCLOUD_TRUSTED_DOMAINS
- name: NEXTCLOUD_TRUSTED_DOMAINS
value: nextcloud.k-space.ee
value: nextcloud.k-space.ee nextcloud # This is for reference - these values are not actually changed by env after installation.
- name: OBJECTSTORE_S3_HOST
- name: OBJECTSTORE_S3_HOST
value: 172.20.9.2
value: 172.20.9.2
- name: OBJECTSTORE_S3_PORT
- name: OBJECTSTORE_S3_PORT
@ -148,12 +164,31 @@ spec:
- mountPath: /var/www/html/config/oidc.config.php
- mountPath: /var/www/html/config/oidc.config.php
name: config
name: config
subPath: oidc.config.php
subPath: oidc.config.php
- name: php-config
mountPath: /usr/local/etc/php/conf.d/
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
volumes:
volumes:
- name: php-config
emptyDir: {}
- name: config
- name: config
projected:
projected:
sources:
sources:
- configMap:
- configMap:
name: nextcloud-config
name: nextcloud-config
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
value: "0"
volumeClaimTemplates:
volumeClaimTemplates:
- metadata:
- metadata:
name: data
name: data
@ -185,6 +220,7 @@ metadata:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.tls: "true"
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
traefik.ingress.kubernetes.io/router.middlewares: nextcloud-nextcloud-block-external-cron@kubernetescrd
spec:
spec:
rules:
rules:
- host: nextcloud.k-space.ee
- host: nextcloud.k-space.ee
@ -201,6 +237,15 @@ spec:
- hosts:
- hosts:
- "*.k-space.ee"
- "*.k-space.ee"
---
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: nextcloud-block-external-cron
spec:
replacePathRegex:
regex: /cron.php
replacement: /
---
apiVersion: v1
apiVersion: v1
kind: ConfigMap
kind: ConfigMap
metadata:
metadata:
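Review bot: Running `cron.php` from the `readinessProbe` in the first hunk (`exec` of `/var/www/html/cron.php`, `periodSeconds: 300`, `timeoutSeconds: 30`) ties background-job health to traffic routing: any cron run that exceeds 30 s or exits non-zero counts as a readiness failure, and after `failureThreshold` (default 3) such runs the single pod is pulled from the Service, while a genuine outage is only noticed once every five minutes. A dedicated sidecar that loops `php cron.php` with a sleep (or a Kubernetes CronJob) keeps the 5-minute schedule without touching the endpoint, and the readiness probe can then be a cheap check that reflects serving health. In the last hunk the Middleware's `regex: /cron.php` is unanchored and the dot is a wildcard, so it also rewrites any path that merely contains that substring; `regex: '^/cron\.php$'` limits it to the webcron endpoint, and note that rewriting to `/` answers external callers with the front page rather than refusing them, which is fine if that is the intent but is not a 403. The sidecar needs the same `volumeMounts` and `securityContext` as the nextcloud container, which sit outside the first hunk.
```yaml
      # Dedicated cron driver; readiness of the nextcloud container no longer depends on cron.php.
      - name: cron
        image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
        command: ["/bin/sh", "-c"]
        args:
          - |-
            while true; do
              /usr/local/bin/php -f /var/www/html/cron.php
              sleep 300
            done
        # … unchanged: same volumeMounts and securityContext as the nextcloud container …
```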