feat(ocis): Add basic drive configuration

Add OwnCloud Infinity Scale as a drive service to the cluster. The current configuration only includes enough for a beta environment.
This commit is contained in:
Tanguy Herbron 2022-09-21 18:24:46 +02:00
parent 838ccaccf2
commit 802eef042e
8 changed files with 261 additions and 103 deletions


@ -5,7 +5,7 @@
| therbron.com | Personal website | Public | Socrates | - | - | - | Not configured | Not configured | Awaiting configuration |
| Traefik | Reverse proxy and load balancer | Public* | Socrates | - | - | - | Configured | Configured | Completed |
| Adguard | DNS ad blocker and custom DNS server | Private | Socrates | - | - | - | Not configured | Not configured | Completed |
| Owncloud Infinity Scale | File hosting webUI | Public | Plato | PostgreSQL | Drive files | Not configured | Not configured | Not configured | Awaiting configuration |
| Owncloud Infinity Scale | File hosting webUI | Public | Plato | ? | Drive files | Managed by Longhorn | Configured | Not available | Completed |
| Home assistant | Home automation and monitoring | Private | Pythagoras-a | PostgreSQL | - | Not configured | Not configured | Not configured | Awaiting configuration |
| Vikunja | To-do and Kanban boards | Public | Pythagoras-b | - | - | - | Not configured | Not configured | Migrate to Gitlab |
| Gitlab | Version control system | Public | Pythagoras-b | PostgreSQL | User created content | Not configured | Not configured | Not configured | Awaiting configuration |
@ -60,6 +60,7 @@ longhorn
- ~~Setup DB container sidecars for automated backups to Longhorn volume~~
- Setup secrets configuration through CI/CD variable injection
- Explore permission issues when issuing OVH API keys (not working for wildcard and `beta.halia.dev` subdomain)
- Setup default users for services
- ~~Setup log and metric monitoring~~
- ~~Define namespaces through yaml files~~
- ~~Look into CockroachDB for redundant database~~ Judged too complicated, moving to a 1 to 1 relationship between services and databases


@ -1,60 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: ocis-cfmap
data:
file-from-cfgmap: |
token_manager:
jwt_secret: FhiGf^OHYAZ7dG71ahYCKqijFwR!=0Ow
machine_auth_api_key: ej1Z+nyhbBtnqxarIY4Tsy-2+HZtn77-
system_user_api_key: O%n*G#ppGY7XkQZu4G9Ond11R$5^r0O0
transfer_secret: J!V67qd*OzhxETqjemD9NM4.G0TtFUK3
system_user_id: 22040a20-6a6e-4852-890f-4b75fc83fe16
admin_user_id: 9daeabac-8bd1-4832-b901-2d8b9cbc0c9b
graph:
spaces:
insecure: true
identity:
ldap:
bind_password: '!m-jDVnCELY=aY%*b@DXPrm9axqZyaZ$'
idp:
ldap:
bind_password: 8nH+VikJ$05P8+M!ZB#fW7R-.G3hE+xP
idm:
service_user_passwords:
admin_password: qXY0%X8%DIIG5w3e8JbgVgaD*ac!bJkr
idm_password: '!m-jDVnCELY=aY%*b@DXPrm9axqZyaZ$'
reva_password: .0OrTAuRdnJ*Kt&=t3$Q1Ks!nQ+WAx*p
idp_password: 8nH+VikJ$05P8+M!ZB#fW7R-.G3hE+xP
proxy:
insecure_backends: true
frontend:
archiver:
insecure: true
auth_basic:
auth_providers:
ldap:
bind_password: .0OrTAuRdnJ*Kt&=t3$Q1Ks!nQ+WAx*p
auth_bearer:
auth_providers:
oidc:
insecure: true
users:
drivers:
ldap:
bind_password: .0OrTAuRdnJ*Kt&=t3$Q1Ks!nQ+WAx*p
groups:
drivers:
ldap:
bind_password: .0OrTAuRdnJ*Kt&=t3$Q1Ks!nQ+WAx*p
storage_system:
data_provider_insecure: true
storage_users:
data_provider_insecure: true
ocdav:
insecure: true
thumbnails:
thumbnail:
transfer_secret: gOm2#L4V9DGJ=fdPrHwZ%CmBje#r9j@E
webdav_allow_insecure: true
cs3_allow_insecure: true


@ -1,38 +1,200 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: ocis
name: chart-owncloud-ocis
namespace: drive
labels:
app.kubernetes.io/instance: chart
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: owncloud-ocis
app.kubernetes.io/version: 2.0.0
helm-revision: "1"
helm.sh/chart: owncloud-ocis-8.1.1
annotations:
rollme: oHHac
spec:
revisionHistoryLimit: 3
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: ocis
app.kubernetes.io/name: owncloud-ocis
app.kubernetes.io/instance: chart
template:
metadata:
annotations:
labels:
app: ocis
app.kubernetes.io/name: owncloud-ocis
app.kubernetes.io/instance: chart
spec:
containers:
- name: ocis
image: owncloud/ocis
ports:
- containerPort: 9200
serviceAccountName: default
securityContext:
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 568
runAsUser: 568
supplementalGroups:
- 568
dnsPolicy: ClusterFirst
dnsConfig:
options:
- name: ndots
value: "1"
enableServiceLinks: false
terminationGracePeriodSeconds: 10
initContainers:
- name: prepare
image: tccr.io/truecharts/multi-init:v0.0.1@sha256:4c2caebee117b055f379377fd0fd306f2ee0e6697fd47d9364073e0e9e6f2e02
securityContext:
runAsUser: 0
resources:
limits:
cpu: 4000m
memory: 8Gi
requests:
cpu: 10m
memory: 50Mi
env:
- name: IDM_CREATE_DEMO_USERS
value: "true"
- name: INSECURE
value: "true"
- name: OCIS_JWT_SECRET
value: "Something_random_not_normal"
- name: STORAGE_TRANSFER_SECRET
value: "Something_very_secure"
- name: OCIS_MACHINE_AUTH_API_KEY
value: "A_very_random_api_key"
command:
- "/bin/sh"
- "-c"
- |
/bin/bash <<'EOF'
echo "Automatically correcting permissions..."
EOF
volumeMounts:
- name: mnt
mountPath: /etc/ocis/ocis.yaml
subPath: ocis-config
- command:
- /bin/sh
- -c
- |
if test -f /etc/ocis/ocis.yaml; then exit 0; fi &&
/usr/bin/ocis init -f --insecure yes > /etc/ocis/password
image: 'tccr.io/truecharts/ocis:2.0.0@sha256:208f181966b2ef710633e17c27d143e866f40e186c67dd1c3f78748f6f871e82'
name: init
volumeMounts:
- mountPath: /etc/ocis
name: config
nodeName: slave-1
containers:
- name: chart-owncloud-ocis
image: tccr.io/truecharts/ocis:2.0.0@sha256:208f181966b2ef710633e17c27d143e866f40e186c67dd1c3f78748f6f871e82
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
capabilities:
add: []
drop: []
privileged: false
readOnlyRootFilesystem: false
runAsNonRoot: true
env:
- name: UMASK
value: "2"
- name: UMASK_SET
value: "2"
- name: S6_READ_ONLY_ROOT
value: "1"
- name: NVIDIA_VISIBLE_DEVICES
value: "void"
- name: TZ
value: "Europe/Copenhagen"
- name: "ACCOUNTS_DEMO_USERS_AND_GROUPS"
value: "false"
- name: "OCIS_INSECURE"
value: "true"
- name: "OCIS_JWT_SECRET"
valueFrom:
secretKeyRef:
key: OCIS_JWT_SECRET
name: ocis-secrets
- name: "OCIS_LOG_COLOR"
value: "true"
- name: "OCIS_LOG_PRETTY"
value: "true"
- name: "OCIS_MACHINE_AUTH_API_KEY"
valueFrom:
secretKeyRef:
key: OCIS_MACHINE_AUTH_API_KEY
name: ocis-secrets
- name: "OCIS_URL"
value: "https://drive.beta.halia.dev"
- name: "PROXY_HTTP_ADDR"
value: "0.0.0.0:9200"
- name: "PROXY_TLS"
value: "false"
- name: "STORAGE_TRANSFER_SECRET"
valueFrom:
secretKeyRef:
key: STORAGE_TRANSFER_SECRET
name: ocis-secrets
envFrom:
ports:
- name: main
containerPort: 9200
protocol: TCP
volumeMounts:
- mountPath: /etc/ocis
name: config
- mountPath: /var/lib/ocis
name: data
- mountPath: /shared
name: shared
- mountPath: /tmp
name: temp
- mountPath: /var/logs
name: varlogs
livenessProbe:
tcpSocket:
port: 9200
initialDelaySeconds: 10
failureThreshold: 5
timeoutSeconds: 5
periodSeconds: 10
readinessProbe:
tcpSocket:
port: 9200
initialDelaySeconds: 10
failureThreshold: 5
timeoutSeconds: 5
periodSeconds: 10
startupProbe:
tcpSocket:
port: 9200
initialDelaySeconds: 10
failureThreshold: 60
timeoutSeconds: 2
periodSeconds: 5
resources:
limits:
cpu: 4000m
memory: 8Gi
requests:
cpu: 10m
memory: 50Mi
volumes:
- name: mnt
configMap:
name: ocis-cfmap
- name: config
persistentVolumeClaim:
claimName: chart-owncloud-ocis-config
- name: data
persistentVolumeClaim:
claimName: chart-owncloud-ocis-data
- name: shared
emptyDir:
{}
- name: temp
emptyDir:
{}
- name: varlogs
emptyDir:
{}
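Review bot: The `prepare` initContainer carries literal secret values — `OCIS_JWT_SECRET: "Something_random_not_normal"`, `STORAGE_TRANSFER_SECRET: "Something_very_secure"`, `OCIS_MACHINE_AUTH_API_KEY: "A_very_random_api_key"` — together with `INSECURE: "true"` and `IDM_CREATE_DEMO_USERS: "true"`, while the main container reads the same three keys from the `ocis-secrets` Secret and sets `ACCOUNTS_DEMO_USERS_AND_GROUPS: "false"`; the rendered view does not make it certain which side that `env:` block is on, but if it survives on the new side it should be deleted (the container's command only echoes a message, so the values are never used) or sourced from `ocis-secrets` like the main container. The `init` container redirects `ocis init -f --insecure yes` into `/etc/ocis/password` on the config PVC, so the generated admin credentials persist there in plain text; a comment such as `# bootstrap only: /etc/ocis/password holds the generated admin password, rotate it after first login` would make that visible to the next maintainer. `OCIS_INSECURE: "true"` and the `--insecure yes` flag turn off certificate verification for oCIS' internal calls; since the Ingress terminates TLS and `PROXY_TLS` is `"false"`, record the reason inline, e.g. `# TLS is terminated at the Ingress; internal oCIS calls use its self-signed certs`. The container securityContext sets `runAsNonRoot: true` but leaves `capabilities: drop: []`; `drop: ["ALL"]` is the usual companion and nothing in this manifest needs a capability. The bare `envFrom:` key parses as null and can simply be removed.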


@ -1,14 +1,23 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ocis-ingress
name: ocis-ingress
namespace: drive
annotations:
kubernetes.io/ingress.class: "traefik"
spec:
entryPoints:
- web
routes:
- match: Host(`drive.diogenes.halia`)
kind: Rule
services:
- name: ocis-svc
port: 9200
tls:
- secretName: ocis-beta-tls
hosts:
- drive.beta.halia.dev
rules:
- host: drive.beta.halia.dev
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: chart-owncloud-ocis
port:
number: 9200
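Review bot: `kubernetes.io/ingress.class: "traefik"` is the deprecated annotation form for a `networking.k8s.io/v1` Ingress; the field `spec.ingressClassName: traefik` is the supported way to select the controller and should replace the annotation. The `tls` block references `ocis-beta-tls`, which no file in this commit creates and which has no issuer annotation here, so the certificate is presumably provisioned out of band — a comment naming its source, e.g. `# ocis-beta-tls is provisioned outside this repo (<where>)`, would save the next reader a search.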

4
ocis/namespace.yaml Normal file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: drive

19
ocis/pvc-config.yaml Normal file

@ -0,0 +1,19 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: chart-owncloud-ocis-config
namespace: drive
labels:
helm.sh/chart: owncloud-ocis-8.1.1
app.kubernetes.io/name: owncloud-ocis
app.kubernetes.io/instance: chart
helm-revision: "1"
app.kubernetes.io/version: "2.0.0"
app.kubernetes.io/managed-by: Helm
spec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: "200Mi"
storageClassName: flat-storage-class

19
ocis/pvc-data.yaml Normal file

@ -0,0 +1,19 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: chart-owncloud-ocis-data
namespace: drive
labels:
helm.sh/chart: owncloud-ocis-8.1.1
app.kubernetes.io/name: owncloud-ocis
app.kubernetes.io/instance: chart
helm-revision: "1"
app.kubernetes.io/version: "2.0.0"
app.kubernetes.io/managed-by: Helm
spec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: "10Gi"
storageClassName: flat-storage-class


@ -1,13 +1,17 @@
apiVersion: v1
kind: Service
metadata:
name: ocis-svc
name: chart-owncloud-ocis
namespace: drive
labels:
app: ocis
app.kubernetes.io/instance: chart
app.kubernetes.io/name: owncloud-ocis
spec:
type: ClusterIP
ports:
- name: http
port: 9200
- port: 9200
targetPort: 9200
protocol: TCP
name: http
selector:
app: ocis
app.kubernetes.io/name: owncloud-ocis
app.kubernetes.io/instance: chart
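Review bot: `targetPort: 9200` repeats the container port number; the Deployment names that port `main`, so `targetPort: main` keeps the Service and the Deployment in sync if the port is ever changed in one place only. The selector on `app.kubernetes.io/name` and `app.kubernetes.io/instance` matches the pod template labels in the Deployment, which is consistent.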