
Releases: Inveniem/nextcloud-azure-aks

Release 13.0.0 - Nextcloud 26.0.13

30 Mar 19:12

Commits in this release: v12.0.0...v13.0.0

This release upgrades to Nextcloud 26 and fixes a critical bug with the loading of custom apps that was inadvertently introduced in release 11.0.0 (Nextcloud 24.0.12).

Important Upgrade Notes

Take care when upgrading existing deployments. Major upgrades must be applied in sequence.

See Upgrading an Existing Nextcloud Deployment on AKS in the README for instructions on how to upgrade an existing deployment.

Full Changelog (since 12.0.0)

Bug Fixes

  • [CRITICAL] Initialization of custom apps and themes fixed when using nginx frontend: Corrected entry point initialization of permissions on the custom_apps and custom_themes folders so that their static assets get served up properly by the nginx container. This issue was introduced in v11.0.0 of this repository as part of porting over entrypoint changes from Nextcloud 24.0.12. There was a typo preventing the folders from being synced properly and the permissions were too restrictive for the nginx container to be able to read static assets properly.

Enhancements

Release 12.0.0 - Nextcloud 25.0.13

28 Mar 07:47

Commits in this release: v11.0.0...v12.0.0

This release upgrades to Nextcloud 25 and updates to the Cisco Talos version of ClamAV.

Important Upgrade Notes

Take care when upgrading existing deployments. Major upgrades must be applied in sequence.

See Upgrading an Existing Nextcloud Deployment on AKS in the README for instructions on how to upgrade an existing deployment.

Full Changelog (since 11.0.0)

Enhancements

Release 11.0.0 - Nextcloud 24.0.12

28 Mar 05:03

Commits in this release: v10.2.2...v11.0.0

This release upgrades to Nextcloud 24, adds support for MySQL Flexible Server on Azure, and improves the DevOps user experience in a few ways.

Important Upgrade Notes

Take care when upgrading existing deployments. Major upgrades must be applied in sequence.

See Upgrading an Existing Nextcloud Deployment on AKS in the README for instructions on how to upgrade an existing deployment.

Changes Required to Overlays

  • If you use New Relic monitoring, the subscription key has moved from publish.profile into config-environment.yaml in the profile. See the appropriate part of config-environment.yaml in the sample overlay.
  • If you wish to use the new maintenance page feature, you must add settings for it in your config-environment.yaml file.

Full Changelog (since 10.2.2)

Deprecations

  • Dropped support for Postgres, since this kit is designed and tested only with MySQL and MariaDB. The deployment manifests are hardcoded to only support MySQL environment variables, so supporting other databases in the entry point didn't really make sense.

New Features

  • Introduced an ingress-level maintenance page feature, for use during scheduled downtime.

Enhancements

  • Upgraded to Nextcloud 24.0.12.
  • Enhanced the dump-db command:
    • Now, the default behavior is to write output to a file that is automatically named with the timestamp at the time export starts.
    • Adds --to-stdout option if output to standard out is desired.
    • Now exports with --disable-keys so that imports of a backup are faster.
    • Now exports with --single-transaction so that exports do not acquire table locks but are more consistent.
  • Added logic to configure the MySQL connection from environment variables even after installation: Nextcloud generates the config with database settings the first time that it is run, but from then on it does not automatically update the variables from the environment. This is a real pain if the password or hostname of the DB server needs to change, because an admin has to update the credentials in BOTH the environment AND the config volume, which is often mounted read-only. So, to support closer to a zero downtime deployment model for database connection string changes, this new config snippet should keep the database connection info in sync with the environment on a read-only config folder, even if what's in the config file is not in sync.
  • Moved configuration of New Relic from publishing time to run time so that the same Docker image can be used in multiple environments that report to different New Relic subscriptions and applications.
  • Cleaned up and enhanced the entry point script, incorporating some additional configuration options for Apache installations from upstream:
    • The initialization lock should now get released if the entry point script crashes.
    • Added support for the APACHE_DISABLE_REWRITE_IP environment variable.
    • Added support for the APACHE_RUN_USER and APACHE_RUN_GROUP environment variables (though a user who wants to use this would also have to customize the storage mount configuration to ensure that storage mounts with the correct user ID).
    • Fixed up syncing process so that custom themes are synced the same way as custom apps.
    • DRYed-up several places in the code.
    • Added inline docs.
    • Renamed several functions for clarity of purpose.
  • Applied various dependabot security fixes to the sftp-ws-server component.

Hotfix 10.2.2

27 Apr 16:19

This hotfix modifies the MySQL/MariaDB driver configuration to use a combined CA for both BaltimoreCyberTrustRoot & DigiCertGlobalRootG2 when connecting to Azure Database for MySQL and Azure Database for MariaDB.

To use this hotfix:

  1. Publish a Docker image from this version to your local ACR.
  2. Update the kustomization.yaml file in your overlay to use the new version that you published.
  3. Update configure-storage.nextcloud.yaml in your overlay to mount the /var/www/html/config with readOnly set to false.
  4. Deploy the image.
  5. Wait for Nextcloud to deploy and start successfully.

You can then change /var/www/html/config to mount with readOnly set to true and re-deploy.

Hotfix 10.2.1 - Nextcloud 23.0.10

06 Apr 18:58

This is a hotfix to disable flock() on configuration files. In more recent versions of Kubernetes on AKS, the flock() call appears to return an error instead of blocking, so if multiple concurrent requests come in, several will return a cryptic error about a NULL logger back to the client. Similarly, if Nextcloud Cron attempted to run while another request was starting, Cron would fail with the same error.

See #24 for details on this issue.

Release 10.2.0 - Nextcloud 23.0.10 - Kustomize-based Deployment

11 Nov 06:30

This release tweaks how pods are scheduled on "burstable" nodes. If you do not use this feature, you do not need to update.

Important Upgrade Notes

Take care when upgrading existing deployments. Major upgrades must be applied in sequence.

See Upgrading an Existing Nextcloud Deployment on AKS in the README for instructions on how to upgrade an existing deployment.

Full Changelog (since 10.1.1)

Enhancements

  • Since v7.0.0, the FPM and Apache pods have had tolerations to allow scheduling on nodes that had an inveniem.com/workload-type taint of burstable. Now, as long as you add an inveniem.com/workload-type label equal to burstable to those nodes, the same pods will prefer to be scheduled on those nodes (rather than just tolerating them). This allows cluster operators to benefit from node pools using a "burstable" VM class like B4ms to run workloads that have a sporadic usage pattern (like Nextcloud HTTP requests).
  • The ClamAV pod and the Nextcloud CronJob now both tolerate and prefer burstable nodes for scheduling. As mentioned above, the nodes will need to have both an inveniem.com/workload-type taint equal to burstable and an inveniem.com/workload-type label equal to burstable for this to work. Otherwise, scheduling will happen as it did in prior releases.

Hotfix 10.1.1

12 Oct 04:26

This is a hotfix that corrects several major flaws with the upload clean-up CronJob.

IMPORTANT: Take care when upgrading existing deployments. Major upgrades must be applied in sequence.

This hotfix includes no other changes.

See Upgrading an Existing Nextcloud Deployment on AKS in the README for instructions on how to upgrade an existing deployment.

Release 10.1.0 - Nextcloud 23.0.10 - Kustomize-based Deployment

12 Oct 03:17

This release upgrades to Nextcloud 23.0.10, nginx 1.23.1, and Alpine 3.16.

Important Upgrade Notes

Take care when upgrading existing deployments. Major upgrades must be applied in sequence.

See Upgrading an Existing Nextcloud Deployment on AKS in the README for instructions on how to upgrade an existing deployment.

config.php Updates

Docker images generated by this repository contain several *.config.php snippets that get loaded by Nextcloud at run-time. Unfortunately, during upgrades, Nextcloud appears to merge these snippets into the main config.php file alongside other important settings for your instance, making it difficult to keep these settings up-to-date with what's in this project. To ensure that you are getting the proper setting values, we encourage you to edit your config.php file manually and remove superfluous settings so that it contains only the following keys:

  • default_phone_region
  • simpleSignUpLink.shown
  • instanceid
  • passwordsalt
  • secret
  • trusted_domains
  • datadirectory
  • dbtype
  • version
  • overwrite.cli.url
  • dbname
  • dbhost
  • dbport
  • dbtableprefix
  • dbuser
  • dbpassword
  • installed
  • maintenance
  • mysql.utf8mb4
  • app_install_overwrite
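
One way to audit a config.php against the keep-list above before editing it by hand (an added example, not code from this repository). The function names and the sample file are constructed for illustration, and the scanner assumes config.php is in the comment-free var_export() style that Nextcloud writes.

```python
import re

# Keys the release notes above say config.php should retain.
ALLOWED_KEYS = set(
    "default_phone_region simpleSignUpLink.shown instanceid passwordsalt secret "
    "trusted_domains datadirectory dbtype version overwrite.cli.url dbname dbhost "
    "dbport dbtableprefix dbuser dbpassword installed maintenance mysql.utf8mb4 "
    "app_install_overwrite".split()
)

# Tokens: quoted PHP string, opening bracket, closing bracket, or "=>".
TOKEN = re.compile(r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|[(\[]|[)\]]|=>""", re.S)

# Constructed sample; 'memcache.locking' and 'redis' stand in for merged settings.
SAMPLE_CONFIG = r"""<?php
$CONFIG = array (
  'instanceid' => 'oc_constructed',
  'secret' => 'constructed (secret]',
  'trusted_domains' =>
  array (
    0 => 'cloud.example.com',
  ),
  'dbhost' => 'db.example.com',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'redis.example.com',
  ),
  'installed' => true,
);
"""

def top_level_keys(php_source):
    """Return the string keys at the first nesting level of the $CONFIG array."""
    tokens = TOKEN.findall(php_source, php_source.index("$CONFIG"))
    keys, depth = [], 0
    for i, tok in enumerate(tokens):
        if tok in ("(", "["):
            depth += 1
        elif tok in (")", "]"):
            depth -= 1
            if depth == 0:
                break  # end of the $CONFIG literal
        elif tok == "=>" and depth == 1 and i > 0 and tokens[i - 1][0] in "'\"":
            keys.append(tokens[i - 1][1:-1])  # strip the surrounding quotes
    return keys

def superfluous_keys(php_source):
    """Keys present in config.php that are not on the keep-list."""
    return [k for k in top_level_keys(php_source) if k not in ALLOWED_KEYS]
```

Pass the contents of a copy of your own config.php to superfluous_keys() to list the settings that are candidates for removal; nested keys such as 'host' inside 'redis' are ignored because only the top level is compared.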

App Updates

The example list of application URLs has been updated. You should compare your NEXTCLOUD_CUSTOM_APPS setting in the publish.profile of your overlay(s) against what's in overlays/00-sample/publish.profile and update accordingly.

New Relic Updates

Older versions of the New Relic Agent are no longer available on the New Relic server. The NEW_RELIC_AGENT_URL variable in publish.profile has been updated to point to 10.2.0.314 instead. If you want New Relic to work in your images, you will need to update the NEW_RELIC_AGENT_URL variable in the publish.profile file(s) of your overlay(s) before publishing your images to ACR.

Full Changelog (since 10.0.1)

New Features

  • CronJob/nextcloud-failed-upload-cleanup was added for purging failed uploads. All web-file-upload files that are older than 7 days are removed every hour.
  • The trashbin_retention_obligation configuration parameter of Nextcloud now defaults to removing files from trashbins once they are older than 14 days, or earlier whenever the server is running low on space.
  • Support for the initialization locking feature of Nextcloud's official 23.0.4 Docker image was added to the Docker entrypoint script for this project. It can be disabled with NEXTCLOUD_INIT_LOCK being set to false, but we default it on in our image since we support running multiple pods by default. You will still need to mount the config folder read-write during updates in order for them to be successful.
  • The "Exclude Directories" plug-in was added to the example list of custom apps. This app allows Nextcloud to be configured to ignore certain folders (like .snapshot) when scanning files and folders.
  • The "OpenID Connect Login" plug-in was added to the example list of custom apps. This may provide better UX for Azure AD than the SAML plug-in, but its use in this project should be considered experimental and still needs more testing.

Enhancements

  • Preview generation is no longer disabled for images >= 1024x1024. To support this, we recommend running at least 6 replicas of Nextcloud at a time (7+ are preferred), so that thumbnail generation for a large folder of images does not result in a denial of service. If possible, use auto-scaling on your Kubernetes cluster and automatically scale the number of Nextcloud instances based on load.
  • nginx timeouts have been extended up to 30 mins to support long uploads. This is intended as a short-term mitigation for nextcloud/server#17992.
  • Several security updates were applied to the SFTP-WS add-in.

Bug fixes

  • The nextcloud-cron image now uses the -apache image rather than the -fpm image to work around nextcloud/docker#1819.
  • The role annotation on Redis deployments has been corrected to database to prevent Redis from being the target of two different PodDisruptionBudget manifests, which previously prevented Kubernetes cluster upgrades.
  • The rigger launch-shell sub-command no longer selects terminated pods or completed Cron pods. The selection of which pod to enter is based on the deployment label and the status of the deployment.
  • Attempting to run ./occ after entering a Nextcloud pod now no longer results in the error message, 'Cannot write into "config\" directory!'. The NEXTCLOUD_CONFIG_READ_ONLY environment variable is now set dynamically at runtime if it has not been provided by the pod environment.
  • CronJob jobs for file clean-up, file scan, and standard Nextcloud cron will no longer overlap if they are running for a long time. Instead, only one instance is allowed to run at a time.

Hotfix 10.0.1 - Nextcloud 23.0.2 + Patch for `user_saml`

07 Mar 19:55

This is a hotfix that patches nextcloud/user_saml#548.

  • If you are already running v10.0.0 of this kit and are not using user_saml, you do not need to deploy this hotfix.
  • Users running version v9.x of this kit can upgrade directly to this hotfix without installing v10.0.0 first.

IMPORTANT: Take care when upgrading existing deployments. Major upgrades must be applied in sequence.

This hotfix includes Nextcloud 23.0.2.

See Upgrading an Existing Nextcloud Deployment on AKS in the README for instructions on how to upgrade an existing deployment.

Release 10.0.0 - Nextcloud 23.0.2 - Kustomize-based Deployment

07 Mar 09:00

IMPORTANT: Take care when upgrading existing deployments. Major upgrades must be applied in sequence.

This release upgrades to Nextcloud 23.0.2.

See Upgrading an Existing Nextcloud Deployment on AKS in the README for instructions on how to upgrade an existing deployment.