simon/kube
1
0
Fork 0
forked from k-space/kube
Code Pull Requests Activity

nextcloud: add cron via readinessProbe; block external webcron; run as UID 1000

Browse Source
This commit is contained in:
Erki Aas 2023-08-28 20:11:40 +03:00
parent 79f9704cf5
commit 912d15a23b
1 changed files with 47 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
nextcloud/application.yaml
View File

@ -56,9 +56,25 @@ spec:
app.kubernetes.io/name: nextcloud app.kubernetes.io/name: nextcloud
spec: spec:
enableServiceLinks: false enableServiceLinks: false
initContainers:
- name: setup-php-config
image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
command: [ "/bin/sh","-c" ]
args: ["cp -r /usr/local/etc/php/conf.d/. /config/"]
volumeMounts:
- mountPath: /config
name: php-config
containers: containers:
- name: nextcloud - name: nextcloud
image: nextcloud:production-apache image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
readinessProbe:
exec:
command:
- /usr/local/bin/php
- /var/www/html/cron.php
initialDelaySeconds: 1
periodSeconds: 300
timeoutSeconds: 30
env: env:
- name: OIDC_CLIENT_ID - name: OIDC_CLIENT_ID
valueFrom: valueFrom:
@ -91,7 +107,7 @@ spec:
- name: NEXTCLOUD_ADMIN_USER - name: NEXTCLOUD_ADMIN_USER
value: admin value: admin
- name: NEXTCLOUD_TRUSTED_DOMAINS - name: NEXTCLOUD_TRUSTED_DOMAINS
value: nextcloud.k-space.ee value: nextcloud.k-space.ee nextcloud # This is for reference - these values are not actually changed by env after installation.
- name: OBJECTSTORE_S3_HOST - name: OBJECTSTORE_S3_HOST
value: 172.20.9.2 value: 172.20.9.2
- name: OBJECTSTORE_S3_PORT - name: OBJECTSTORE_S3_PORT
@ -148,12 +164,31 @@ spec:
- mountPath: /var/www/html/config/oidc.config.php - mountPath: /var/www/html/config/oidc.config.php
name: config name: config
subPath: oidc.config.php subPath: oidc.config.php
- name: php-config
mountPath: /usr/local/etc/php/conf.d/
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
volumes: volumes:
- name: php-config
emptyDir: {}
- name: config - name: config
projected: projected:
sources: sources:
- configMap: - configMap:
name: nextcloud-config name: nextcloud-config
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
value: "0"
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - metadata:
name: data name: data
@ -185,6 +220,7 @@ metadata:
traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true" traefik.ingress.kubernetes.io/router.tls: "true"
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
traefik.ingress.kubernetes.io/router.middlewares: nextcloud-nextcloud-block-external-cron@kubernetescrd
spec: spec:
rules: rules:
- host: nextcloud.k-space.ee - host: nextcloud.k-space.ee
@ -201,6 +237,15 @@ spec:
- hosts: - hosts:
- "*.k-space.ee" - "*.k-space.ee"
--- ---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: nextcloud-block-external-cron
spec:
replacePathRegex:
regex: /cron.php
replacement: /
---
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata: