nextcloud: add cron via readinessProbe; block external webcron; run as UID 1000

2023-08-28 20:11:40 +03:00
parent 79f9704cf5
commit 912d15a23b
1 changed files with 47 additions and 2 deletions
--- a/nextcloud/application.yaml
+++ b/nextcloud/application.yaml
@@ -56,9 +56,25 @@ spec:
        app.kubernetes.io/name: nextcloud
    spec:
      enableServiceLinks: false
+      initContainers:
+        - name: setup-php-config
+          image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
+          command: [ "/bin/sh","-c" ]
+          args: ["cp -r /usr/local/etc/php/conf.d/. /config/"]
+          volumeMounts:
+            - mountPath: /config
+              name: php-config
      containers:
        - name: nextcloud
-          image: nextcloud:production-apache
+          image: nextcloud@sha256:072d9d3b8428d6b31fe7ed603737d4173f0ca85c0f1d0d8607fd4741fdfa49a9
+          readinessProbe:
+            exec:
+              command:
+                - /usr/local/bin/php
+                - /var/www/html/cron.php
+            initialDelaySeconds: 1
+            periodSeconds: 300
+            timeoutSeconds: 30
          env:
            - name: OIDC_CLIENT_ID
              valueFrom:
@@ -91,7 +107,7 @@ spec:
            - name: NEXTCLOUD_ADMIN_USER
              value: admin
            - name: NEXTCLOUD_TRUSTED_DOMAINS
-              value: nextcloud.k-space.ee
+              value: nextcloud.k-space.ee nextcloud # This is for reference - these values are not actually changed by env after installation.
            - name: OBJECTSTORE_S3_HOST
              value: 172.20.9.2
            - name: OBJECTSTORE_S3_PORT
@@ -148,12 +164,31 @@ spec:
            - mountPath: /var/www/html/config/oidc.config.php
              name: config
              subPath: oidc.config.php
+            - name: php-config
+              mountPath: /usr/local/etc/php/conf.d/
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - NET_BIND_SERVICE
      volumes:
+        - name: php-config
+          emptyDir: {}
        - name: config
          projected:
            sources:
              - configMap:
                  name: nextcloud-config
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        fsGroupChangePolicy: "OnRootMismatch"
+        sysctls:
+          - name: net.ipv4.ip_unprivileged_port_start
+            value: "0"
  volumeClaimTemplates:
    - metadata:
        name: data
@@ -185,6 +220,7 @@ metadata:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+    traefik.ingress.kubernetes.io/router.middlewares: nextcloud-nextcloud-block-external-cron@kubernetescrd
 spec:
  rules:
  - host: nextcloud.k-space.ee
@@ -201,6 +237,15 @@ spec:
  - hosts:
    - "*.k-space.ee"
 ---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: nextcloud-block-external-cron
+spec:
+  replacePathRegex:
+    regex: /cron.php
+    replacement: /
+---
 apiVersion: v1
 kind: ConfigMap
 metadata: