Merge branch 'release/11.0.0'
Guy Elsmore-Paddock committed Mar 28, 2024
2 parents aec3db1 + de26f12 commit 483bad1
Showing 24 changed files with 1,149 additions and 563 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
@@ -0,0 +1,3 @@
# Change log
See the [releases](https://github.com/Inveniem/nextcloud-azure-aks/releases)
page for notes that go with each release.
19 changes: 10 additions & 9 deletions README.md
Expand Up @@ -32,16 +32,17 @@ this kit:

| nextcloud-azure-aks | Kubernetes Version Compatibility* | Nextcloud Version | Deployment Mechanism |
|---------------------|-----------------------------------|-------------------|-----------------------------|
| 1.x | 1.15-1.21 | 15.x | Shell scripts and templates |
| 2.x | 1.15-1.21 | 16.x | Shell scripts and templates |
| 3.x | 1.15-1.21 | 17.x | Shell scripts and templates |
| 4.x | 1.15-1.21 | 18.x | Shell scripts and templates |
| 5.x | 1.15-1.21 | 19.x | Shell scripts and templates |
| 11.x | Only tested on 1.25+ | 24.x | Kustomize and Rigger CLI |
| 10.x | 1.16-1.22+ | 23.x | Kustomize and Rigger CLI |
| 9.x | 1.16-1.22+ | 22.x | Kustomize and Rigger CLI |
| 8.x | 1.16-1.22+ | 21.x | Kustomize and Rigger CLI |
| 7.x | 1.16-1.22+ | 20.x | Kustomize and Rigger CLI |
| 6.x | 1.16-1.22+ | 19.x | Shell scripts and templates |
| 7.x | 1.16-1.22+ | 20.x | Kustomize and Rigger |
| 8.x | 1.16-1.22+ | 21.x | Kustomize and Rigger |
| 9.x | 1.16-1.22+ | 22.x | Kustomize and Rigger |
| 10.x | 1.16-1.22+ | 23.x | Kustomize and Rigger |
| 5.x | 1.15-1.21 | 19.x | Shell scripts and templates |
| 4.x | 1.15-1.21 | 18.x | Shell scripts and templates |
| 3.x | 1.15-1.21 | 17.x | Shell scripts and templates |
| 2.x | 1.15-1.21 | 16.x | Shell scripts and templates |
| 1.x | 1.15-1.21 | 15.x | Shell scripts and templates |

### Switching from "Shell Script" Deployment to "Kustomize" Deployment
If you are running version 1.x through 6.x of this kit and are now upgrading to
Expand Down
13 changes: 6 additions & 7 deletions SECURITY.md
Expand Up @@ -2,15 +2,14 @@

## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 7.x | :white_check_mark: |
| 6.x | :white_check_mark: |
| < 6.0 | :x: |
|---------| ------------------ |
| 11.x | :white_check_mark: |
| < 11.0 | :x: |

## Reporting a Vulnerability
Please do not report vulnerabilities using the issue queue. Instead, please email
sysadmins@inveniem.com if you believe you have found a vulnerability in the way that our
Docker images are packaged or configured.
Please do not report vulnerabilities using the issue queue. Instead, please
email sysadmins at inveniem dot com if you believe you have found a
vulnerability in the way that our Docker images are packaged or configured.

If you believe you have found a vulnerability in Nextcloud itself, please do not report
your issue to us. Instead, report it through Nextcloud's own system at
Expand Down
80 changes: 64 additions & 16 deletions bin/rigger
Expand Up @@ -61,6 +61,7 @@ storage_secrets_generator_bin_path="generate_secrets_azure_files_storage.php"
generated_storage_secrets_path="manifests/generated/secrets-azure_files.yaml"

mysql_secrets_path="manifests/secrets-mysql.yaml"
mysql_secret_name="nextcloud-mysql-creds"

generated_sftp_host_keys_secrets_path="manifests/generated/secrets-sftp-host-keys.yaml"
sftp_host_keys_secret_name="sftp-host-keys"
Expand Down Expand Up @@ -125,7 +126,7 @@ sub_help() {
echo " launch-shell Launches an sh shell on a Nextcloud pod."
echo " launch-db-shell Launches a MySQL interactive shell connected to the Nextcloud database."
echo ""
echo " dump-db Dumps the contents of the Nextcloud MySQL database to standard output."
echo " dump-db [options] Dumps the contents of the Nextcloud MySQL database to a file or standard out."
echo ""

if [[ "${have_addon_commands}" -ne 0 ]]; then
Expand Down Expand Up @@ -194,8 +195,6 @@ sub_publish() {
echo "Building and publishing Nextcloud image '${publish_version}'..."
echo ""

export REGISTRY_NAME
export REGISTRY_HOST
export NEW_RELIC_KEY
export NEW_RELIC_AGENT_URL
export NEW_RELIC_APP
Expand Down Expand Up @@ -283,8 +282,6 @@ sub_add_sftp_user() {
local is_arg_missing=0
local username="${1:-}"

require_command "cut"

if [[ -z "${username}" ]]; then
is_arg_missing=1
fi
Expand Down Expand Up @@ -812,7 +809,7 @@ sub_launch_db_shell() {
db_credentials=$(
sops --decrypt "${mysql_secrets_encrypted_path}" | \
yq eval \
'. | select(.metadata.name == "nextcloud-mysql-creds") | .stringData' -
". | select(.metadata.name == \"${mysql_secret_name}\") | .stringData" -
)

db_hostname=$(echo "${db_credentials}" | yq eval '.hostname' -)
Expand Down Expand Up @@ -847,17 +844,46 @@ sub_dump_db() {
local db_username
local db_password

local write_to_stdout=0
local ordered_dump=0

for arg in "$@"; do
case "${arg}" in
'--to-stdout')
write_to_stdout=1
;;
'--ordered-dump')
ordered_dump=1
;;
*)
echo "Usage: ${program_name} dump-db [--to-stdout] [--ordered-dump]"
echo ""
echo "When '--to-stdout' is specified, the backup is written to standard"
echo "out. Otherwise, a new file is created on disk with the date and time"
echo "that the backup started."
echo ""
echo "When '--ordered-dump' is specified, the export is written out in"
echo "descending primary key order, and the export contains one insert"
echo "statement per record rather than using extended inserts."
echo ""

exit 0
;;
esac
done

require_command "mysqldump"

mysql_secrets_encrypted_path=$(
get_encrypted_secret_path "${mysql_secrets_path}"
)

require_command "mysql"
require_encrypted_secrets_file "${mysql_secrets_encrypted_path}"

db_credentials=$(
sops --decrypt "${mysql_secrets_encrypted_path}" | \
yq eval \
'. | select(.metadata.name == "nextcloud-mysql-creds") | .stringData' -
". | select(.metadata.name == \"${mysql_secret_name}\") | .stringData" -
)

db_hostname=$(echo "${db_credentials}" | yq eval '.hostname' -)
Expand All @@ -866,15 +892,37 @@ sub_dump_db() {
db_username=$(echo "${db_credentials}" | yq eval '.username' -)
db_password=$(echo "${db_credentials}" | yq eval '.password' -)

mysqldump \
--no-tablespaces \
--skip-extended-insert \
--order-by-primary \
--host="${db_hostname}" \
--databases "${db_schema}" \
--port="${db_port}" \
--user="${db_username}" \
options=(
--host="${db_hostname}"
--port="${db_port}"
--user="${db_username}"
--password="${db_password}"
--no-tablespaces
--disable-keys
--single-transaction
--databases "${db_schema}"
)

if [[ "${ordered_dump}" -eq 1 ]]; then
options+=(
--skip-extended-insert
--order-by-primary
)
fi

if [[ "${write_to_stdout}" -eq 1 ]]; then
mysqldump "${options[@]}"
else
require_command "pv"

dump_filename="$(date +"%Y-%m-%d")-${db_hostname}-${db_schema}.sql"

echo "Exporting database to '${dump_filename}'."
echo ""

mysqldump "${options[@]}" | pv >"${dump_filename}"
fi

echo ""
}

Expand Down
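Review bot: `--password="${db_password}"` in the new `options` array puts the database password on mysqldump's argv, where any local user can read it via `ps` or `/proc/*/cmdline` for the whole duration of the dump; the removed side is cut off before its password line so the old code may have done the same, but this rewrite is the moment to move it into a 0600 `--defaults-extra-file` (which mysqldump requires to be the first option, as below). Two smaller problems in the same hunk: the usage text promises a file named with "the date and time", but `dump_filename` only uses `%Y-%m-%d`, so a second dump on the same day silently overwrites the first; and the dump, which contains every Nextcloud table including password hashes, is created in the current directory under the caller's default umask, so it should be written under `umask 077`. `options` and `dump_filename` are also not declared `local`, unlike the other variables at the top of `sub_dump_db`. If rigger already installs an EXIT trap elsewhere, chain it rather than replacing it, and a password containing `#`, `;` or quotes needs quoting per the MySQL option-file rules.
```shell
  local defaults_file
  # Keep the password off argv: it would otherwise be visible in `ps` for the
  # whole run. mktemp creates the file 0600; remove it on every exit path.
  defaults_file="$(mktemp)"
  trap 'rm -f -- "${defaults_file}"' EXIT
  printf '[client]\npassword=%s\n' "${db_password}" >"${defaults_file}"

  local options=(
    --defaults-extra-file="${defaults_file}"
    --host="${db_hostname}"
    --port="${db_port}"
    --user="${db_username}"
    --no-tablespaces
    --disable-keys
    --single-transaction
    --databases "${db_schema}"
  )
  # … unchanged: --ordered-dump handling …

  if [[ "${write_to_stdout}" -eq 1 ]]; then
    mysqldump "${options[@]}"
  else
    require_command "pv"

    # Seconds included so two dumps on the same day do not clobber each other.
    local dump_filename
    dump_filename="$(date +"%Y-%m-%d_%H%M%S")-${db_hostname}-${db_schema}.sql"

    echo "Exporting database to '${dump_filename}'."
    echo ""

    # The dump holds user data and credential hashes; create it 0600.
    ( umask 077; mysqldump "${options[@]}" | pv >"${dump_filename}" )
  fi
```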
10 changes: 10 additions & 0 deletions components/http-apache/manifests/app-nextcloud.apache.yaml
Expand Up @@ -132,6 +132,16 @@ spec:
secretKeyRef:
name: "nextcloud-redis-creds"
key: password
- name: NEW_RELIC_KEY
valueFrom:
configMapKeyRef:
name: environment
key: newRelicSubscriptionKey
- name: NEW_RELIC_APP
valueFrom:
configMapKeyRef:
name: environment
key: newRelicApplicationName
startupProbe:
# After pod creation, allow Nextcloud to take up to 10 minutes
# (5 seconds x 120 attempts) before concluding the container
Expand Down
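Review bot: `NEW_RELIC_KEY` is read from the `environment` ConfigMap (key `newRelicSubscriptionKey`), but the name suggests this is the New Relic license/ingest key, which is a credential: anyone who can `get configmaps` in the namespace can read it, and it falls outside the sops-encrypted secrets this kit uses for everything else, as the `nextcloud-redis-creds` `secretKeyRef` three lines above shows. It should come from a Secret instead, e.g. `valueFrom: secretKeyRef: { name: nextcloud-newrelic-creds, key: licenseKey }`, with the value added to the encrypted secrets alongside the MySQL and Redis credentials. If the key is genuinely non-sensitive in your New Relic setup, a comment saying so next to the entry would stop the next reader from raising this again.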
10 changes: 10 additions & 0 deletions components/http-nginx-fpm/manifests/app-nextcloud.nginx-fpm.yaml
Expand Up @@ -131,6 +131,16 @@ spec:
secretKeyRef:
name: "nextcloud-redis-creds"
key: password
- name: NEW_RELIC_KEY
valueFrom:
configMapKeyRef:
name: environment
key: newRelicSubscriptionKey
- name: NEW_RELIC_APP
valueFrom:
configMapKeyRef:
name: environment
key: newRelicApplicationName

# Container: Nginx Server Middleware
- name: middle-nextcloud-nginx
Expand Down
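Review bot: The same `NEW_RELIC_KEY` entry as in the Apache variant sources what looks like a New Relic license key from a ConfigMap rather than a Secret; ConfigMaps are not treated as sensitive by RBAC defaults or by the sops workflow this repo uses for `nextcloud-redis-creds` directly above. Switch it to `valueFrom: secretKeyRef: { name: nextcloud-newrelic-creds, key: licenseKey }` and keep both the Apache and nginx-fpm components pointing at the same Secret so the two variants do not drift. The `NEW_RELIC_APP` name can legitimately stay in the ConfigMap.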
51 changes: 51 additions & 0 deletions components/maintenance_page/kustomization.yaml
@@ -0,0 +1,51 @@
##
# Kustomization component to serve up a maintenance page instead of Nextcloud.
#
# The configuration for the maintenance page comes from a
# config-environment.yaml file provided by the overlay for the environment. This
# functionality has been provided as a component so that it only needs to be
# referenced by an overlay when traffic served by that overlay should be routed
# away from Nextcloud, such as during scheduled downtime. The component
# accomplishes this by rewriting the ingress routes for Nextcloud to route
# traffic to the maintenance page service instead of Nextcloud itself.
#
# To enable the maintenance page for the environment of an overlay:
# 1. Customize the appropriate settings in the config-environment.yaml of the
# overlay.
# 2. Uncomment the reference to this component in the `kustomization.yaml` file.
# 3. Re-deploy the overlay.
#
# To disable the maintenance page for the environment of an overlay:
# 1. Comment out the reference to this component in the `kustomization.yaml`
# file.
# 2. Re-deploy the overlay.
#
# @author Guy Elsmore-Paddock ([email protected])
# @copyright Copyright (c) 2023-2024, Inveniem
# @license GNU AGPL version 3 or any later version
#
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

resources:
- manifests/app-maintenance_page.yaml

patches:
- target:
kind: Ingress
name: "frontend-nextcloud-ingress"
labelSelector: "owning-app=nextcloud"
patch: |
[
{
"op": "replace",
"path": "/spec/rules/0/http/paths/0/backend/service/name",
"value": "internal-maintenance-page"
},
{
"op": "replace",
"path": "/spec/rules/0/http/paths/0/backend/service/port/number",
"value": 8080
}
]
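Review bot: The JSON patch only rewrites `/spec/rules/0/http/paths/0`, so if `frontend-nextcloud-ingress` ever carries a second rule or path (another hostname, or a dedicated `/.well-known` path), those entries keep routing to Nextcloud while the first path shows the maintenance page; the `labelSelector` selects the object, not the rule, so it does not help here. Either document the assumption in the header, `# NOTE: assumes the Nextcloud ingress has exactly one rule with one path; additional rules/paths are NOT redirected.`, or patch the whole `rules` list with a strategic-merge patch so every path is redirected. A `test` op on the original backend name before the `replace` would also make the patch fail loudly if the ingress shape changes.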
105 changes: 105 additions & 0 deletions components/maintenance_page/manifests/app-maintenance_page.yaml
@@ -0,0 +1,105 @@
##
# Kubernetes deployment manifest for running a simple maintenance page during
# scheduled/planned downtime.
#
# The messages displayed are configured in the config-environment.yaml file
# provided by the overlay for the environment.
#
# @author Guy Elsmore-Paddock ([email protected])
# @copyright Copyright (c) 2023-2024, Inveniem
# @license GNU AGPL version 3 or any later version
#
apiVersion: apps/v1
kind: Deployment
metadata:
name: maintenance-page
spec:
replicas: 1
revisionHistoryLimit: 2
selector:
matchLabels:
app: frontend-maintenance-page
role: frontend
template:
metadata:
labels:
app: frontend-maintenance-page
role: frontend
spec:
tolerations:
# Allow scheduling this job on burstable nodes.
- key: inveniem.com/workload-type
operator: Equal
value: burstable
effect: NoSchedule
containers:
- name: frontend-maintenance-page
image: "wickerlabs/maintenance:latest"
ports:
- containerPort: 8080
resources:
requests:
cpu: 100m
memory: 64Mi
limits:
cpu: 100m
memory: 128Mi
env:
- name: TITLE
valueFrom:
configMapKeyRef:
name: environment
key: maintenanceTitle
- name: HEADLINE
valueFrom:
configMapKeyRef:
name: environment
key: maintenanceHeadline
- name: MESSAGE
valueFrom:
configMapKeyRef:
name: environment
key: maintenanceMessage
- name: CONTACT_LINK
valueFrom:
configMapKeyRef:
name: environment
key: maintenanceContactLink
- name: MAIL_ADDRESS
valueFrom:
configMapKeyRef:
name: environment
key: maintenanceMailAddress
- name: TEAM_NAME
valueFrom:
configMapKeyRef:
name: environment
key: maintenanceTeamName
- name: LINK_COLOR
valueFrom:
configMapKeyRef:
name: environment
key: maintenanceLinkColor
- name: THEME
valueFrom:
configMapKeyRef:
name: environment
key: maintenanceTheme
- name: RESPONSE_CODE
valueFrom:
configMapKeyRef:
name: environment
key: maintenanceResponseCode
---
apiVersion: v1
kind: Service
metadata:
name: internal-maintenance-page
labels:
role: internal-service
spec:
type: ClusterIP
ports:
- port: 8080
selector:
app: frontend-maintenance-page
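Review bot: `image: "wickerlabs/maintenance:latest"` pulls a mutable tag from a third-party Docker Hub repository, so what runs in front of every Nextcloud request during maintenance is whatever that tag points at on the day the pod is scheduled, with no way to audit or roll back; pin it to a specific tag plus digest as the Nextcloud images in this kit already pin a version. The container also runs without any `securityContext`, unlike a typical hardened frontend: at minimum drop capabilities and forbid privilege escalation, and set `runAsNonRoot` once you have confirmed the image's user (I cannot tell from here). A `readinessProbe` on port 8080 would keep the ingress from sending traffic to the page before it is listening.
```yaml
      containers:
        - name: frontend-maintenance-page
          # Pin to an immutable tag + digest; "latest" is mutable and unaudited.
          image: "wickerlabs/maintenance:<tag>@sha256:<digest>"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            # runAsNonRoot: true  # enable once the image's default user is confirmed
          readinessProbe:
            httpGet:
              path: /
              port: 8080
          # … unchanged: ports, resources, env …
```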
4 changes: 2 additions & 2 deletions docker/backend-nextcloud-apache/Dockerfile
Expand Up @@ -5,10 +5,10 @@
# NOTE: All COPY paths are relative to the parent folder (../docker).
#
# @author Guy Elsmore-Paddock ([email protected])
# @copyright Copyright (c) 2019, Inveniem
# @copyright Copyright (c) 2019-2024, Inveniem
# @license GNU AGPL version 3 or any later version
#
FROM nextcloud:23.0.10-apache
FROM nextcloud:24.0.12-apache

ENV NEXTCLOUD_CONFIG_READ_ONLY "false"
ENV NEXTCLOUD_INIT_LOCK "true"
Expand Down
