From 802eef042e18ca9df7af97d322455d7ded63349f Mon Sep 17 00:00:00 2001
From: Tanguy Herbron
Date: Wed, 21 Sep 2022 18:24:46 +0200
Subject: [PATCH] feat(ocis): Add basic drive configuration

Add OwnCloud Infinity Scale as drive to the cluster. The current configuration only includes enough for a beta environment.
---
 README.md | 3 +-
 ocis/config-map.yaml | 60 -------------
 ocis/deployment.yaml | 210 ++++++++++++++++++++++++++++++++++++++-----
 ocis/ingress.yaml | 33 ++++---
 ocis/namespace.yaml | 4 +
 ocis/pvc-config.yaml | 19 ++++
 ocis/pvc-data.yaml | 19 ++++
 ocis/service.yaml | 16 ++--
 8 files changed, 261 insertions(+), 103 deletions(-)
 delete mode 100644 ocis/config-map.yaml
 create mode 100644 ocis/namespace.yaml
 create mode 100644 ocis/pvc-config.yaml
 create mode 100644 ocis/pvc-data.yaml
diff --git a/README.md b/README.md
index 7309eb5..d0b923e 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
 | therbron.com | Personal website | Public | Socrates | - | - | - | Not configured | Not configured | Awaiting configuration |
 | Traefik | Reverse proxy and load balancer | Public* | Socrates | - | - | - | Configured | Configured | Completed |
 | Adguard | DNS ad blocker and custom DNS server | Private | Socrates | - | - | - | Not configured | Not configured | Completed |
-| Owncloud Infinity Scale | File hosting webUI | Public | Plato | PostgreSQL | Drive files | Not configured | Not configured | Not configured | Awaiting configuration |
+| Owncloud Infinity Scale | File hosting webUI | Public | Plato | ? | Drive files | Managed by Longhorn | Configured | Not available | Completed |
 | Home assistant | Home automation and monitoring | Private | Pythagoras-a | PostgreSQL | - | Not configured | Not configured | Not configured | Awaiting configuration |
 | Vikunja | To-do and Kanban boards | Public | Pythagoras-b | - | - | - | Not configured | Not configured | Migrate to Gitlab |
 | Gitlab | Version control system | Public | Pythagoras-b | PostgreSQL | User created content | Not configured | Not configured | Not configured | Awaiting configuration |
@@ -60,6 +60,7 @@ longhorn
 - ~~Setup DB container sidecars for automated backups to Longhorn volume~~
 - Setup secrets configuration through CI/CD variable injection
 - Explore permission issues when issuing OVH API keys (not working for wildcard and `beta.halia.dev` subdomain)
+- Setup default users for services
 - ~~Setup log and metric monitoring~~
 - ~~Define namespaces through yaml files~~
 - ~~Look into CockroachDB for redundant database~~ Judged too complicated, moving to a 1 to 1 relationship between services and databases
diff --git a/ocis/config-map.yaml b/ocis/config-map.yaml
deleted file mode 100644
index 0958131..0000000
--- a/ocis/config-map.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: ocis-cfmap
-data:
- file-from-cfgmap: |
- token_manager:
- jwt_secret: FhiGf^OHYAZ7dG71ahYCKqijFwR!=0Ow
- machine_auth_api_key: ej1Z+nyhbBtnqxarIY4Tsy-2+HZtn77-
- system_user_api_key: O%n*G#ppGY7XkQZu4G9Ond11R$5^r0O0
- transfer_secret: J!V67qd*OzhxETqjemD9NM4.G0TtFUK3
- system_user_id: 22040a20-6a6e-4852-890f-4b75fc83fe16
- admin_user_id: 9daeabac-8bd1-4832-b901-2d8b9cbc0c9b
- graph:
- spaces:
- insecure: true
- identity:
- ldap:
- bind_password: '!m-jDVnCELY=aY%*b@DXPrm9axqZyaZ$'
- idp:
- ldap:
- bind_password: 8nH+VikJ$05P8+M!ZB#fW7R-.G3hE+xP
- idm:
- service_user_passwords:
- admin_password: qXY0%X8%DIIG5w3e8JbgVgaD*ac!bJkr
- idm_password: '!m-jDVnCELY=aY%*b@DXPrm9axqZyaZ$'
- reva_password: .0OrTAuRdnJ*Kt&=t3$Q1Ks!nQ+WAx*p
- idp_password: 8nH+VikJ$05P8+M!ZB#fW7R-.G3hE+xP
- proxy:
- insecure_backends: true
- frontend:
- archiver:
- insecure: true
- auth_basic:
- auth_providers:
- ldap:
- bind_password: .0OrTAuRdnJ*Kt&=t3$Q1Ks!nQ+WAx*p
- auth_bearer:
- auth_providers:
- oidc:
- insecure: true
- users:
- drivers:
- ldap:
- bind_password: .0OrTAuRdnJ*Kt&=t3$Q1Ks!nQ+WAx*p
- groups:
- drivers:
- ldap:
- bind_password: .0OrTAuRdnJ*Kt&=t3$Q1Ks!nQ+WAx*p
- storage_system:
- data_provider_insecure: true
- storage_users:
- data_provider_insecure: true
- ocdav:
- insecure: true
- thumbnails:
- thumbnail:
- transfer_secret: gOm2#L4V9DGJ=fdPrHwZ%CmBje#r9j@E
- webdav_allow_insecure: true
- cs3_allow_insecure: true
diff --git a/ocis/deployment.yaml b/ocis/deployment.yaml
index ac30156..0284cc4 100644
--- a/ocis/deployment.yaml
+++ b/ocis/deployment.yaml
@@ -1,38 +1,200 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: ocis
+ name: chart-owncloud-ocis
+ namespace: drive
+ labels:
+ app.kubernetes.io/instance: chart
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: owncloud-ocis
+ app.kubernetes.io/version: 2.0.0
+ helm-revision: "1"
+ helm.sh/chart: owncloud-ocis-8.1.1
+ annotations:
+ rollme: oHHac
 spec:
+ revisionHistoryLimit: 3
 replicas: 1
+ strategy:
+ type: Recreate
 selector:
 matchLabels:
- app: ocis
+ app.kubernetes.io/name: owncloud-ocis
+ app.kubernetes.io/instance: chart
 template:
 metadata:
+ annotations:
+
 labels:
- app: ocis
+ app.kubernetes.io/name: owncloud-ocis
+ app.kubernetes.io/instance: chart
 spec:
- containers:
- - name: ocis
- image: owncloud/ocis
- ports:
- - containerPort: 9200
+
+ serviceAccountName: default
+ securityContext:
+
+ fsGroup: 568
+ fsGroupChangePolicy: OnRootMismatch
+ runAsGroup: 568
+ runAsUser: 568
+ supplementalGroups:
+ - 568
+ dnsPolicy: ClusterFirst
+ dnsConfig:
+ options:
+
+ - name: ndots
+ value: "1"
+ enableServiceLinks: false
+ terminationGracePeriodSeconds: 10
+ initContainers:
+
+ - name: prepare
+ image: tccr.io/truecharts/multi-init:v0.0.1@sha256:4c2caebee117b055f379377fd0fd306f2ee0e6697fd47d9364073e0e9e6f2e02
+ securityContext:
+ runAsUser: 0
+ resources:
+ limits:
+ cpu: 4000m
+ memory: 8Gi
+ requests:
+ cpu: 10m
+ memory: 50Mi
 env:
- - name: IDM_CREATE_DEMO_USERS
- value: "true"
- - name: INSECURE
- value: "true"
- - name: OCIS_JWT_SECRET
- value: "Something_random_not_normal"
- - name: STORAGE_TRANSFER_SECRET
- value: "Something_very_secure"
- - name: OCIS_MACHINE_AUTH_API_KEY
- value: "A_very_random_api_key"
+ command:
+ "/bin/sh"
+ "-c"
+ |
+ /bin/bash <<'EOF'
+ echo "Automatically correcting permissions..."
+
+ EOF
+
 volumeMounts:
- - name: mnt
- mountPath: /etc/ocis/ocis.yaml
- subPath: ocis-config
+ - command:
+ - /bin/sh
+ - -c
+ |
+ if test -f /etc/ocis/ocis.yaml; then exit 0; fi &&
+ /usr/bin/ocis init -f --insecure yes > /etc/ocis/password
+ image: 'tccr.io/truecharts/ocis:2.0.0@sha256:208f181966b2ef710633e17c27d143e866f40e186c67dd1c3f78748f6f871e82'
+ name: init
+ volumeMounts:
+ - mountPath: /etc/ocis
+ name: config
+ nodeName: slave-1
+ containers:
+ - name: chart-owncloud-ocis
+ image: tccr.io/truecharts/ocis:2.0.0@sha256:208f181966b2ef710633e17c27d143e866f40e186c67dd1c3f78748f6f871e82
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add: []
+ drop: []
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+
+ env:
+ - name: UMASK
+ value: "2"
+ - name: UMASK_SET
+ value: "2"
+ - name: S6_READ_ONLY_ROOT
+ value: "1"
+ - name: NVIDIA_VISIBLE_DEVICES
+ value: "void"
+ - name: TZ
+ value: "Europe/Copenhagen"
+ - name: "ACCOUNTS_DEMO_USERS_AND_GROUPS"
+ value: "false"
+ - name: "OCIS_INSECURE"
+ value: "true"
+ - name: "OCIS_JWT_SECRET"
+ valueFrom:
+ secretKeyRef:
+ key: OCIS_JWT_SECRET
+ name: ocis-secrets
+ - name: "OCIS_LOG_COLOR"
+ value: "true"
+ - name: "OCIS_LOG_PRETTY"
+ value: "true"
+ - name: "OCIS_MACHINE_AUTH_API_KEY"
+ valueFrom:
+ secretKeyRef:
+ key: OCIS_MACHINE_AUTH_API_KEY
+ name: ocis-secrets
+ - name: "OCIS_URL"
+ value: "https://drive.beta.halia.dev"
+ - name: "PROXY_HTTP_ADDR"
+ value: "0.0.0.0:9200"
+ - name: "PROXY_TLS"
+ value: "false"
+ - name: "STORAGE_TRANSFER_SECRET"
+ valueFrom:
+ secretKeyRef:
+ key: STORAGE_TRANSFER_SECRET
+ name: ocis-secrets
+ envFrom:
+ ports:
+ - name: main
+ containerPort: 9200
+ protocol: TCP
+ volumeMounts:
+
+ - mountPath: /etc/ocis
+ name: config
+ - mountPath: /var/lib/ocis
+ name: data
+ - mountPath: /shared
+ name: shared
+ - mountPath: /tmp
+ name: temp
+ - mountPath: /var/logs
+ name: varlogs
+ livenessProbe:
+ tcpSocket:
+ port: 9200
+ initialDelaySeconds: 10
+ failureThreshold: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ readinessProbe:
+ tcpSocket:
+ port: 9200
+ initialDelaySeconds: 10
+ failureThreshold: 5
+ timeoutSeconds: 5
+ periodSeconds: 10
+ startupProbe:
+ tcpSocket:
+ port: 9200
+ initialDelaySeconds: 10
+ failureThreshold: 60
+ timeoutSeconds: 2
+ periodSeconds: 5
+
+ resources:
+ limits:
+ cpu: 4000m
+ memory: 8Gi
+ requests:
+ cpu: 10m
+ memory: 50Mi
 volumes:
- - name: mnt
- configMap:
- name: ocis-cfmap
+ - name: config
+ persistentVolumeClaim:
+ claimName: chart-owncloud-ocis-config
+ - name: data
+ persistentVolumeClaim:
+ claimName: chart-owncloud-ocis-data
+ - name: shared
+ emptyDir:
+ {}
+ - name: temp
+ emptyDir:
+ {}
+ - name: varlogs
+ emptyDir:
+ {}
diff --git a/ocis/ingress.yaml b/ocis/ingress.yaml
index 85888c5..e716ae4 100644
--- a/ocis/ingress.yaml
+++ b/ocis/ingress.yaml
@@ -1,14 +1,23 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
+apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
- name: ocis-ingress
-
+ name: ocis-ingress
+ namespace: drive
+ annotations:
+ kubernetes.io/ingress.class: "traefik"
 spec:
- entryPoints:
- - web
- routes:
- - match: Host(`drive.diogenes.halia`)
- kind: Rule
- services:
- - name: ocis-svc
- port: 9200
+ tls:
+ - secretName: ocis-beta-tls
+ hosts:
+ - drive.beta.halia.dev
+ rules:
+ - host: drive.beta.halia.dev
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: chart-owncloud-ocis
+ port:
+ number: 9200
diff --git a/ocis/namespace.yaml b/ocis/namespace.yaml
new file mode 100644
index 0000000..7dd1096
--- /dev/null
+++ b/ocis/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: drive
diff --git a/ocis/pvc-config.yaml b/ocis/pvc-config.yaml
new file mode 100644
index 0000000..31b5856
--- /dev/null
+++ b/ocis/pvc-config.yaml
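Review bot: The `init` initContainer redirects `/usr/bin/ocis init -f --insecure yes > /etc/ocis/password`, so the generated admin credential is stored in plaintext on the `config` PVC next to `ocis.yaml` and nothing in the manifest removes it once an operator has read it; a one-shot Job that writes the credential into the `ocis-secrets` Secret would keep it out of the data path. The `prepare` initContainer runs as `runAsUser: 0` with a 4 CPU / 8Gi limit, but its heredoc only echoes a message and its `volumeMounts:` appears to have no entries, so it does no work and can be dropped. `ocis-secrets` is not part of this patch; the values in the deleted `ocis/config-map.yaml` remain in git history, so the Secret must hold freshly generated values rather than those. `nodeName: slave-1` bypasses the scheduler entirely, so the Deployment cannot be rescheduled if that node is unavailable — a `nodeSelector` or node affinity expresses the same placement intent without that failure mode. With `runAsNonRoot: true` already set, the main container's `capabilities` block can also be tightened to `drop: ["ALL"]`.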
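Review bot: `kubernetes.io/ingress.class: "traefik"` is the deprecated annotation form; with `networking.k8s.io/v1` the class belongs in the spec as `ingressClassName: traefik`. The referenced TLS secret `ocis-beta-tls` is not created anywhere in this patch and no issuer annotation is present, so document where it is provisioned; until it exists the controller typically serves its default certificate for `drive.beta.halia.dev`. Since the deployment sets `PROXY_TLS: "false"`, this Ingress is the only TLS termination point for the drive, which is worth stating in a comment above `tls:`.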
@@ -0,0 +1,19 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: chart-owncloud-ocis-config
+ namespace: drive
+ labels:
+ helm.sh/chart: owncloud-ocis-8.1.1
+ app.kubernetes.io/name: owncloud-ocis
+ app.kubernetes.io/instance: chart
+ helm-revision: "1"
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: "200Mi"
+ storageClassName: flat-storage-class
diff --git a/ocis/pvc-data.yaml b/ocis/pvc-data.yaml
new file mode 100644
index 0000000..ff1b7da
--- /dev/null
+++ b/ocis/pvc-data.yaml
@@ -0,0 +1,19 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: chart-owncloud-ocis-data
+ namespace: drive
+ labels:
+ helm.sh/chart: owncloud-ocis-8.1.1
+ app.kubernetes.io/name: owncloud-ocis
+ app.kubernetes.io/instance: chart
+ helm-revision: "1"
+ app.kubernetes.io/version: "2.0.0"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: "10Gi"
+ storageClassName: flat-storage-class
diff --git a/ocis/service.yaml b/ocis/service.yaml
index 76ee79c..afff09b 100644
--- a/ocis/service.yaml
+++ b/ocis/service.yaml
@@ -1,13 +1,17 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: ocis-svc
+ name: chart-owncloud-ocis
+ namespace: drive
 labels:
- app: ocis
+ app.kubernetes.io/instance: chart
+ app.kubernetes.io/name: owncloud-ocis
 spec:
- type: ClusterIP
 ports:
- - name: http
- port: 9200
+ - port: 9200
+ targetPort: 9200
+ protocol: TCP
+ name: http
 selector:
- app: ocis
+ app.kubernetes.io/name: owncloud-ocis
+ app.kubernetes.io/instance: chart
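Review bot: Both this claim and the one in `ocis/pvc-data.yaml` request `storageClassName: flat-storage-class`, while the README row updated in this same commit says the drive files are "Managed by Longhorn"; if that class is not Longhorn-backed the README and the manifests disagree, and if it is, a comment such as `# flat-storage-class is the Longhorn class used for drive volumes` above `storageClassName` would settle the question. The `chart-owncloud-ocis-config` claim ends up holding `/etc/ocis/password` written by the deployment's init container, so any snapshot or backup policy applied to these claims should treat the 200Mi config claim as credential material and not only the 10Gi data claim.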