From 325d445731983536c8fea29d259ea4775af6ae78 Mon Sep 17 00:00:00 2001 
From: Debakel Orakel Date: Fri, 2 Aug 2024 14:58:10 +0200 Subject: [PATCH] Remove operator dependencies --- class/defaults.yml | 2 + class/nextcloud.yml | 6 - component/database.jsonnet | 22 -- component/redis.jsonnet | 22 -- postprocess/patch_labels.jsonnet | 30 --- tests/defaults.yml | 29 --- .../nextcloud/templates/config.yaml | 155 ++++++++++++- .../nextcloud/templates/deployment.yaml | 33 ++- .../nextcloud/templates/ingress.yaml | 2 +- .../nextcloud/templates/nextcloud-pvc.yaml | 4 +- .../nextcloud/templates/nginx-config.yaml | 215 +++++++----------- .../nextcloud/templates/service.yaml | 2 +- .../templates/primary/statefulset.yaml | 26 ++- .../templates/primary/svc-headless.yaml | 7 +- .../postgresql/templates/primary/svc.yaml | 4 +- .../redis/templates/configmap.yaml | 4 +- .../redis/templates/headless-svc.yaml | 5 +- .../redis/templates/health-configmap.yaml | 4 +- .../redis/templates/master/application.yaml | 26 ++- .../redis/templates/master/service.yaml | 4 +- .../redis/templates/scripts-configmap.yaml | 4 +- .../nextcloud/templates/config.yaml | 155 ++++++++++++- .../nextcloud/templates/deployment.yaml | 33 ++- .../nextcloud/templates/ingress.yaml | 2 +- .../nextcloud/templates/nextcloud-pvc.yaml | 4 +- .../nextcloud/templates/nginx-config.yaml | 215 +++++++----------- .../nextcloud/templates/service.yaml | 2 +- .../templates/primary/statefulset.yaml | 26 ++- .../templates/primary/svc-headless.yaml | 7 +- .../postgresql/templates/primary/svc.yaml | 4 +- .../redis/templates/configmap.yaml | 4 +- .../redis/templates/headless-svc.yaml | 5 +- .../redis/templates/health-configmap.yaml | 4 +- .../redis/templates/master/application.yaml | 26 ++- .../redis/templates/master/service.yaml | 4 +- .../redis/templates/scripts-configmap.yaml | 4 +- 36 files changed, 626 insertions(+), 475 deletions(-) delete mode 100644 component/database.jsonnet delete mode 100644 component/redis.jsonnet delete mode 100644 postprocess/patch_labels.jsonnet 
diff --git a/class/defaults.yml b/class/defaults.yml
index abbee82..5a011b8 100644
--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -194,6 +194,8 @@ parameters:
 k8up.io/backup: 'false'
 networkPolicy:
 enabled: false
+ pdb:
+ create: false
 readReplicas:
 persistence:
 annotations:
diff --git a/class/nextcloud.yml b/class/nextcloud.yml
index 96d9998..6991f08 100644
--- a/class/nextcloud.yml
+++ b/class/nextcloud.yml
@@ -68,9 +68,3 @@ parameters:
 name: nextcloud
 namespace: ${nextcloud:namespace:name}
 dependency_update: false
- # commodore:
- # postprocess:
- # filters:
- # - type: jsonnet
- # path: ${_instance}//10_helmchart/
- # filter: postprocess/patch_pvc.jsonnet
diff --git a/component/database.jsonnet b/component/database.jsonnet
deleted file mode 100644
index 0d16b29..0000000
--- a/component/database.jsonnet
+++ /dev/null
@@ -1,22 +0,0 @@
-// main template for nextcloud
-local crdb = import 'lib/cockroach-operator.libsonnet';
-local kap = import 'lib/kapitan.libjsonnet';
-local kube = import 'lib/kube.libjsonnet';
-local prom = import 'lib/prometheus.libsonnet';
-local inv = kap.inventory();
-// The hiera parameters for the component
-local params = inv.parameters.nextcloud;
-
-local hasPrometheus = std.member(inv.applications, 'prometheus');
-local hasOperator = std.member(inv.applications, 'cockroach-operator');
-
-
-// CockroachDB
-
-local cockroachdb = crdb.database('database', params.namespace.name, params.database.spec);
-
-
-// Define outputs below
-{
- '10_database': cockroachdb,
-}
diff --git a/component/redis.jsonnet b/component/redis.jsonnet
deleted file mode 100644
index ff29f94..0000000
--- a/component/redis.jsonnet
+++ /dev/null
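Review bot: The added `pdb:` / `create: false` pair in class/defaults.yml has no comment saying why the PodDisruptionBudget is turned off, and it lands directly under `networkPolicy:` / `enabled: false`, so an availability control and an isolation control are both disabled without a stated reason. The hunk shows only the middle of the values block, so which chart these keys belong to is not visible here. If this is the bundled database or Redis that replaces the operators, the disabled network policy presumably leaves that service reachable from any pod in the cluster unless a policy is applied elsewhere. I would add a line such as `# PDB disabled: single replica, a budget would block node drains` above `pdb:` (reason to be confirmed by the author) and a matching comment on `networkPolicy` naming where traffic is restricted instead.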
@@ -1,22 +0,0 @@
-// main template for nextcloud
-local kap = import 'lib/kapitan.libjsonnet';
-local kube = import 'lib/kube.libjsonnet';
-local prom = import 'lib/prometheus.libsonnet';
-local redis = import 'lib/redis-operator.libsonnet';
-local inv = kap.inventory();
-// The hiera parameters for the component
-local params = inv.parameters.nextcloud;
-
-local hasPrometheus = std.member(inv.applications, 'prometheus');
-local hasOperator = std.member(inv.applications, 'redis-operator');
-
-
-// CockroachDB
-
-local replication = redis.replication('redis', params.namespace.name, params.redis.spec);
-
-
-// Define outputs below
-{
- '10_redis': replication,
-}
diff --git a/postprocess/patch_labels.jsonnet b/postprocess/patch_labels.jsonnet
deleted file mode 100644
index ae0b8f7..0000000
--- a/postprocess/patch_labels.jsonnet
+++ /dev/null
@@ -1,30 +0,0 @@
-local com = import 'lib/commodore.libjsonnet';
-local inv = com.inventory();
-// The hiera parameters for the component
-local params = inv.parameters.nextcloud;
-
-local metadataPatch = {
- metadata+: {
- labels+: {
- 'app.kubernetes.io/managed-by': 'commodore',
- },
- },
-};
-
-local listTemplates = [
- {
- name: std.strReplace(name, '.yaml', ''),
- manifest: com.yaml_load_all(std.extVar('output_path') + '/' + name),
- }
- for name in com.list_dir(std.extVar('output_path'), basename=true)
-];
-
-local patchTemplate(manifest) = [
- content + metadataPatch
- for content in manifest
-];
-
-{
- [template.name]: patchTemplate(template.manifest)
- for template in listTemplates
-}
diff --git a/tests/defaults.yml b/tests/defaults.yml
index ac30c31..652b4a6 100644
--- a/tests/defaults.yml
+++ b/tests/defaults.yml
@@ -1,7 +1,6 @@ applications: - backup-k8up - cockroach-operator - - redis-operator - prometheus parameters: 
@@ -10,34 +9,6 @@ parameters: - type: https source: https://raw.githubusercontent.com/projectsyn/component-prometheus/master/lib/prometheus.libsonnet output_path: vendor/lib/prometheus.libsonnet - - type: https - source: https://raw.githubusercontent.com/tegridy-io/component-cockroach-operator/master/lib/cockroach-operator.libsonnet - output_path: vendor/lib/cockroach-operator.libsonnet - - type: https - source: https://raw.githubusercontent.com/tegridy-io/component-redis-operator/master/lib/redis-operator.libsonnet - output_path: vendor/lib/redis-operator.libsonnet - - cockroach_operator: - images: - cockroach: - registry: docker.io - repository: cockroachdb/cockroach - tag: v23.1.8 - - redis_operator: - images: - redis: - registry: quay.io - repository: opstree/redis - tag: v7.0.12 - sentinel: - registry: quay.io - repository: opstree/redis-sentinel - tag: v7.0.12 - exporter: - registry: quay.io - repository: opstree/redis-exporter - tag: v1.48.0 prometheus: defaultInstance: system diff --git a/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/config.yaml b/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/config.yaml index 08eee0e..000958c 100644 --- a/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/config.yaml +++ b/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/config.yaml 
@@ -46,6 +46,13 @@ data: $AUTOCONFIG["dbtype"] = "sqlite"; $AUTOCONFIG["dbname"] = getenv('SQLITE_DATABASE'); $autoconfig_enabled = true; + } elseif (getenv('MYSQL_DATABASE_FILE') && getenv('MYSQL_USER_FILE') && getenv('MYSQL_PASSWORD_FILE') && getenv('MYSQL_HOST')) { + $AUTOCONFIG['dbtype'] = 'mysql'; + $AUTOCONFIG['dbname'] = trim(file_get_contents(getenv('MYSQL_DATABASE_FILE'))); + $AUTOCONFIG['dbuser'] = trim(file_get_contents(getenv('MYSQL_USER_FILE'))); + $AUTOCONFIG['dbpass'] = trim(file_get_contents(getenv('MYSQL_PASSWORD_FILE'))); + $AUTOCONFIG['dbhost'] = getenv('MYSQL_HOST'); + $autoconfig_enabled = true; } elseif (getenv('MYSQL_DATABASE') && getenv('MYSQL_USER') && getenv('MYSQL_PASSWORD') && getenv('MYSQL_HOST')) { $AUTOCONFIG["dbtype"] = "mysql"; $AUTOCONFIG["dbname"] = getenv('MYSQL_DATABASE'); @@ -53,6 +60,13 @@ data: $AUTOCONFIG["dbpass"] = getenv('MYSQL_PASSWORD'); $AUTOCONFIG["dbhost"] = getenv('MYSQL_HOST'); $autoconfig_enabled = true; + } elseif (getenv('POSTGRES_DB_FILE') && getenv('POSTGRES_USER_FILE') && getenv('POSTGRES_PASSWORD_FILE') && getenv('POSTGRES_HOST')) { + $AUTOCONFIG['dbtype'] = 'pgsql'; + $AUTOCONFIG['dbname'] = trim(file_get_contents(getenv('POSTGRES_DB_FILE'))); + $AUTOCONFIG['dbuser'] = trim(file_get_contents(getenv('POSTGRES_USER_FILE'))); + $AUTOCONFIG['dbpass'] = trim(file_get_contents(getenv('POSTGRES_PASSWORD_FILE'))); + $AUTOCONFIG['dbhost'] = getenv('POSTGRES_HOST'); + $autoconfig_enabled = true; } elseif (getenv('POSTGRES_DB') && getenv('POSTGRES_USER') && getenv('POSTGRES_PASSWORD') && getenv('POSTGRES_HOST')) { $AUTOCONFIG["dbtype"] = "pgsql"; $AUTOCONFIG["dbname"] = getenv('POSTGRES_DB'); 
@@ -88,15 +102,100 @@ data: redis.config.php: |- '\OC\Memcache\Redis', 'memcache.locking' => '\OC\Memcache\Redis', 'redis' => array( 'host' => getenv('REDIS_HOST'), - 'port' => getenv('REDIS_HOST_PORT') ?: 6379, - 'password' => getenv('REDIS_HOST_PASSWORD'), + 'password' => getenv('REDIS_HOST_PASSWORD_FILE') ? trim(file_get_contents(getenv('REDIS_HOST_PASSWORD_FILE'))) : (string) getenv('REDIS_HOST_PASSWORD'), ), ); + + if (getenv('REDIS_HOST_PORT') !== false) { + $CONFIG['redis']['port'] = (int) getenv('REDIS_HOST_PORT'); + } elseif (getenv('REDIS_HOST')[0] != '/') { + $CONFIG['redis']['port'] = 6379; + } + } + reverse-proxy.config.php: |- + array( + 'class' => '\OC\Files\ObjectStore\S3', + 'arguments' => array( + 'bucket' => getenv('OBJECTSTORE_S3_BUCKET'), + 'region' => getenv('OBJECTSTORE_S3_REGION') ?: '', + 'hostname' => getenv('OBJECTSTORE_S3_HOST') ?: '', + 'port' => getenv('OBJECTSTORE_S3_PORT') ?: '', + 'storageClass' => getenv('OBJECTSTORE_S3_STORAGE_CLASS') ?: '', + 'objectPrefix' => getenv("OBJECTSTORE_S3_OBJECT_PREFIX") ? getenv("OBJECTSTORE_S3_OBJECT_PREFIX") : "urn:oid:", + 'autocreate' => (strtolower($autocreate) === 'false' || $autocreate == false) ? false : true, + 'use_ssl' => (strtolower($use_ssl) === 'false' || $use_ssl == false) ? 
false : true, + // required for some non Amazon S3 implementations + 'use_path_style' => $use_path == true && strtolower($use_path) !== 'false', + // required for older protocol versions + 'legacy_auth' => $use_legacyauth == true && strtolower($use_legacyauth) !== 'false' + ) + ) + ); + + if (getenv('OBJECTSTORE_S3_KEY_FILE')) { + $CONFIG['objectstore']['arguments']['key'] = trim(file_get_contents(getenv('OBJECTSTORE_S3_KEY_FILE'))); + } elseif (getenv('OBJECTSTORE_S3_KEY')) { + $CONFIG['objectstore']['arguments']['key'] = getenv('OBJECTSTORE_S3_KEY'); + } else { + $CONFIG['objectstore']['arguments']['key'] = ''; + } + + if (getenv('OBJECTSTORE_S3_SECRET_FILE')) { + $CONFIG['objectstore']['arguments']['secret'] = trim(file_get_contents(getenv('OBJECTSTORE_S3_SECRET_FILE'))); + } elseif (getenv('OBJECTSTORE_S3_SECRET')) { + $CONFIG['objectstore']['arguments']['secret'] = getenv('OBJECTSTORE_S3_SECRET'); + } else { + $CONFIG['objectstore']['arguments']['secret'] = ''; + } + + if (getenv('OBJECTSTORE_S3_SSE_C_KEY_FILE')) { + $CONFIG['objectstore']['arguments']['sse_c_key'] = trim(file_get_contents(getenv('OBJECTSTORE_S3_SSE_C_KEY_FILE'))); + } elseif (getenv('OBJECTSTORE_S3_SSE_C_KEY')) { + $CONFIG['objectstore']['arguments']['sse_c_key'] = getenv('OBJECTSTORE_S3_SSE_C_KEY'); + } } smtp.config.php: |- getenv('SMTP_HOST'), 'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 
465 : 25), 'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '', - 'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'), + 'mail_smtpauth' => getenv('SMTP_NAME') && (getenv('SMTP_PASSWORD') || getenv('SMTP_PASSWORD_FILE')), 'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN', 'mail_smtpname' => getenv('SMTP_NAME') ?: '', - 'mail_smtppassword' => getenv('SMTP_PASSWORD') ?: '', 'mail_from_address' => getenv('MAIL_FROM_ADDRESS'), 'mail_domain' => getenv('MAIL_DOMAIN'), ); + + if (getenv('SMTP_PASSWORD_FILE')) { + $CONFIG['mail_smtppassword'] = trim(file_get_contents(getenv('SMTP_PASSWORD_FILE'))); + } elseif (getenv('SMTP_PASSWORD')) { + $CONFIG['mail_smtppassword'] = getenv('SMTP_PASSWORD'); + } else { + $CONFIG['mail_smtppassword'] = ''; + } } + swift.config.php: |- + [ + 'class' => 'OC\\Files\\ObjectStore\\Swift', + 'arguments' => [ + 'autocreate' => $autocreate == true && strtolower($autocreate) !== 'false', + 'user' => [ + 'name' => getenv('OBJECTSTORE_SWIFT_USER_NAME'), + 'password' => getenv('OBJECTSTORE_SWIFT_USER_PASSWORD'), + 'domain' => [ + 'name' => (getenv('OBJECTSTORE_SWIFT_USER_DOMAIN')) ?: 'Default', + ], + ], + 'scope' => [ + 'project' => [ + 'name' => getenv('OBJECTSTORE_SWIFT_PROJECT_NAME'), + 'domain' => [ + 'name' => (getenv('OBJECTSTORE_SWIFT_PROJECT_DOMAIN')) ?: 'Default', + ], + ], + ], + 'serviceName' => (getenv('OBJECTSTORE_SWIFT_SERVICE_NAME')) ?: 'swift', + 'region' => getenv('OBJECTSTORE_SWIFT_REGION'), + 'url' => getenv('OBJECTSTORE_SWIFT_URL'), + 'bucket' => getenv('OBJECTSTORE_SWIFT_CONTAINER_NAME'), + ] + ] + ); + } + upgrade-disable-web.config.php: |- + true, + ); kind: ConfigMap metadata: labels: app.kubernetes.io/instance: nextcloud app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: nextcloud - helm.sh/chart: nextcloud-4.5.13 + helm.sh/chart: nextcloud-5.5.2 name: nextcloud-config 
diff --git a/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/deployment.yaml b/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/deployment.yaml index c86d990..f7e4d67 100644 --- a/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/deployment.yaml +++ b/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/deployment.yaml @@ -6,7 +6,7 @@ metadata: app.kubernetes.io/instance: nextcloud app.kubernetes.io/managed-by: commodore app.kubernetes.io/name: nextcloud - helm.sh/chart: nextcloud-4.5.13 + helm.sh/chart: nextcloud-5.5.2 name: nextcloud spec: replicas: 1 @@ -20,7 +20,8 @@ spec: template: metadata: annotations: - nextcloud-config-hash: 1cb4ff4a2fc8d16be0438a3478ffc5ce01dc86c9b4fbcc590884b5373976decf + hooks-hash: 9525c2748a6c7cd0e28ec740623d0b3fa5a75c83b51ccfd136bc89c76737b204 + nextcloud-config-hash: 7d1514661bbed0f4ae4dd259f67b168d24f76788138bf25fa2f2753b09db94f2 nginx-config-hash: 18dd8f905a93ed27f032e9ae68084222ed7e5926f7144cda17b979780f4da54b php-config-hash: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a labels: @@ -67,7 +68,7 @@ spec: secretKeyRef: key: redis-password name: nextcloud - image: nextcloud:28.0.2-fpm-alpine + image: nextcloud:29.0.4-fpm-alpine imagePullPolicy: IfNotPresent name: nextcloud resources: 
@@ -123,9 +124,21 @@ spec: - mountPath: /var/www/html/config/redis.config.php name: nextcloud-config subPath: redis.config.php + - mountPath: /var/www/html/config/reverse-proxy.config.php + name: nextcloud-config + subPath: reverse-proxy.config.php + - mountPath: /var/www/html/config/s3.config.php + name: nextcloud-config + subPath: s3.config.php - mountPath: /var/www/html/config/smtp.config.php name: nextcloud-config subPath: smtp.config.php + - mountPath: /var/www/html/config/swift.config.php + name: nextcloud-config + subPath: swift.config.php + - mountPath: /var/www/html/config/upgrade-disable-web.config.php + name: nextcloud-config + subPath: upgrade-disable-web.config.php - image: nginx:alpine imagePullPolicy: IfNotPresent livenessProbe: @@ -228,7 +241,7 @@ spec: secretKeyRef: key: redis-password name: nextcloud - image: nextcloud:28.0.2-fpm-alpine + image: nextcloud:29.0.4-fpm-alpine imagePullPolicy: IfNotPresent name: nextcloud-cron resources: @@ -284,9 +297,21 @@ spec: - mountPath: /var/www/html/config/redis.config.php name: nextcloud-config subPath: redis.config.php + - mountPath: /var/www/html/config/reverse-proxy.config.php + name: nextcloud-config + subPath: reverse-proxy.config.php + - mountPath: /var/www/html/config/s3.config.php + name: nextcloud-config + subPath: s3.config.php - mountPath: /var/www/html/config/smtp.config.php name: nextcloud-config subPath: smtp.config.php + - mountPath: /var/www/html/config/swift.config.php + name: nextcloud-config + subPath: swift.config.php + - mountPath: /var/www/html/config/upgrade-disable-web.config.php + name: nextcloud-config + subPath: upgrade-disable-web.config.php securityContext: fsGroup: 82 volumes: diff --git a/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/ingress.yaml b/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/ingress.yaml index b281977..4f6f213 100644 --- a/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/ingress.yaml 
+++ b/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/ingress.yaml @@ -6,7 +6,7 @@ metadata: app.kubernetes.io/instance: nextcloud app.kubernetes.io/managed-by: commodore app.kubernetes.io/name: nextcloud - helm.sh/chart: nextcloud-4.5.13 + helm.sh/chart: nextcloud-5.5.2 name: nextcloud spec: rules: diff --git a/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/nextcloud-pvc.yaml b/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/nextcloud-pvc.yaml index 7f14f23..cffb7bf 100644 --- a/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/nextcloud-pvc.yaml +++ b/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/nextcloud-pvc.yaml @@ -1,12 +1,14 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: + annotations: + helm.sh/resource-policy: keep labels: app.kubernetes.io/component: app app.kubernetes.io/instance: nextcloud app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: nextcloud - helm.sh/chart: nextcloud-4.5.13 + helm.sh/chart: nextcloud-5.5.2 name: nextcloud-nextcloud spec: accessModes: diff --git a/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/nginx-config.yaml b/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/nginx-config.yaml index ff61b94..defb6c4 100644 --- a/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/nginx-config.yaml +++ b/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/nginx-config.yaml 
@@ -1,143 +1,90 @@ apiVersion: v1 data: - default.conf: |- - upstream php-handler { - server 127.0.0.1:9000; - } - - server { - listen 80; - - # HSTS settings - # WARNING: Only add the preload option once you read about - # the consequences in https://hstspreload.org/. This option - # will add the domain to a hardcoded list that is shipped - # in all major browsers and getting removed from this list - # could take several months. - #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; - - # set max upload size - client_max_body_size 10G; - fastcgi_buffers 64 4K; - - # Enable gzip but do not remove ETag headers - gzip on; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 256; - gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - - # Pagespeed is not supported by Nextcloud, so if your server is built - # with the `ngx_pagespeed` module, uncomment this line to disable it. 
- #pagespeed off; - - # HTTP response headers borrowed from Nextcloud `.htaccess` - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "noindex, nofollow" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; - - # Path to the root of your installation - root /var/www/html; - - # Specify how to handle directories -- specifying `/index.php$request_uri` - # here as the fallback means that Nginx always exhibits the desired behaviour - # when a client requests a path that corresponds to a directory that exists - # on the server. In particular, if that directory contains an index.php file, - # that file is correctly served; if it doesn't, then the request is passed to - # the front-end controller. This consistent behaviour means that we don't need - # to specify custom rules for certain paths (e.g. images and other assets, - # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus - # `try_files $uri $uri/ /index.php$request_uri` - # always provides the desired behaviour. - index index.php index.html /index.php$request_uri; - - # Rule borrowed from `.htaccess` to handle Microsoft DAV clients - location = / { - if ( $http_user_agent ~ ^DavClnt ) { - return 302 /remote.php/webdav/$is_args$args; - } - } - - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - - # Make a regex exception for `/.well-known` so that clients can still - # access it despite the existence of the regex rule - # `location ~ /(\.|autotest|...)` which would otherwise handle requests - # for `/.well-known`. 
- location ^~ /.well-known { - # The following 6 rules are borrowed from `.htaccess` - - location = /.well-known/carddav { return 301 /remote.php/dav/; } - location = /.well-known/caldav { return 301 /remote.php/dav/; } - # Anything else is dynamically handled by Nextcloud - location ^~ /.well-known { return 301 /index.php$uri; } - - try_files $uri $uri/ =404; - } - - # Rules borrowed from `.htaccess` to hide certain paths from clients - location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } - location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } - - # Ensure this block, which passes PHP files to the PHP process, is above the blocks - # which handle static assets (as seen below). If this block is not declared first, - # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` - # to the URI, resulting in a HTTP 500 error response. - location ~ \.php(?:$|/) { - # Required for legacy support - rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; - - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - set $path_info $fastcgi_path_info; - - try_files $fastcgi_script_name =404; - - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $path_info; - #fastcgi_param HTTPS on; - - fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice - fastcgi_param front_controller_active true; # Enable pretty urls - fastcgi_pass php-handler; - - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - } - - location ~ \.(?:css|js|svg|gif)$ { - try_files $uri /index.php$request_uri; - expires 6M; # Cache-Control policy borrowed from `.htaccess` - access_log off; # Optional: Don't log access to assets - } - - location ~ \.woff2?$ { - try_files $uri /index.php$request_uri; - expires 7d; # Cache-Control policy borrowed 
from `.htaccess` - access_log off; # Optional: Don't log access to assets - } - - location / { - try_files $uri $uri/ /index.php$request_uri; - } - } + default.conf: "upstream php-handler {\n server 127.0.0.1:9000;\n}\n\nserver {\n\ + \ listen 80;\n\n # HSTS settings\n # WARNING: Only add the preload option\ + \ once you read about\n # the consequences in https://hstspreload.org/. This\ + \ option\n # will add the domain to a hardcoded list that is shipped\n #\ + \ in all major browsers and getting removed from this list\n # could take several\ + \ months.\n #add_header Strict-Transport-Security \"max-age=15768000; includeSubDomains;\ + \ preload;\" always;\n\n # set max upload size\n client_max_body_size 10G;\n\ + \ fastcgi_buffers 64 4K;\n\n # Enable gzip but do not remove ETag headers\n\ + \ gzip on;\n gzip_vary on;\n gzip_comp_level 4;\n gzip_min_length\ + \ 256;\n gzip_proxied expired no-cache no-store private no_last_modified no_etag\ + \ auth;\n gzip_types application/atom+xml application/javascript application/json\ + \ application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json\ + \ application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json\ + \ application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml\ + \ image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc\ + \ text/vtt text/x-component text/x-cross-domain-policy;\n\n # Pagespeed is\ + \ not supported by Nextcloud, so if your server is built\n # with the `ngx_pagespeed`\ + \ module, uncomment this line to disable it.\n #pagespeed off;\n\n # HTTP\ + \ response headers borrowed from Nextcloud `.htaccess`\n add_header Referrer-Policy\ + \ \"no-referrer\" always;\n add_header X-Content-Type-Options\ + \ \"nosniff\" always;\n add_header X-Download-Options\ + \ \"noopen\" always;\n add_header X-Frame-Options\ + \ \"SAMEORIGIN\" always;\n add_header X-Permitted-Cross-Domain-Policies\ + \ 
\"none\" always;\n add_header X-Robots-Tag \ + \ \"noindex, nofollow\" always;\n add_header X-XSS-Protection \ + \ \"1; mode=block\" always;\n\n # Remove X-Powered-By,\ + \ which is an information leak\n fastcgi_hide_header X-Powered-By;\n\n #\ + \ Add .mjs as a file extension for javascript\n # Either include it in the\ + \ default mime.types list\n # or include you can include that list explicitly\ + \ and add the file extension\n # only for Nextcloud like below:\n include\ + \ mime.types;\n types {\n text/javascript js mjs;\n } \n\n\ + \ # Path to the root of your installation\n root /var/www/html;\n\n #\ + \ Specify how to handle directories -- specifying `/index.php$request_uri`\n \ + \ # here as the fallback means that Nginx always exhibits the desired behaviour\n\ + \ # when a client requests a path that corresponds to a directory that exists\n\ + \ # on the server. In particular, if that directory contains an index.php file,\n\ + \ # that file is correctly served; if it doesn't, then the request is passed\ + \ to\n # the front-end controller. This consistent behaviour means that we\ + \ don't need\n # to specify custom rules for certain paths (e.g. 
images and\ + \ other assets,\n # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus\n\ + \ # `try_files $uri $uri/ /index.php$request_uri`\n # always provides the\ + \ desired behaviour.\n index index.php index.html /index.php$request_uri;\n\ + \n # Rule borrowed from `.htaccess` to handle Microsoft DAV clients\n location\ + \ = / {\n if ( $http_user_agent ~ ^DavClnt ) {\n return 302\ + \ /remote.php/webdav/$is_args$args;\n }\n }\n\n location = /robots.txt\ + \ {\n allow all;\n log_not_found off;\n access_log off;\n\ + \ }\n\n # Make a regex exception for `/.well-known` so that clients can\ + \ still\n # access it despite the existence of the regex rule\n # `location\ + \ ~ /(\\.|autotest|...)` which would otherwise handle requests\n # for `/.well-known`.\n\ + \ location ^~ /.well-known {\n # The following 6 rules are borrowed\ + \ from `.htaccess`\n\n location = /.well-known/carddav { return 301\ + \ /remote.php/dav/; }\n location = /.well-known/caldav { return 301\ + \ /remote.php/dav/; }\n # Anything else is dynamically handled by Nextcloud\n\ + \ location ^~ /.well-known { return 301 /index.php$uri; }\n\n\ + \ try_files $uri $uri/ =404;\n }\n\n # Rules borrowed from `.htaccess`\ + \ to hide certain paths from clients\n location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)\ + \ { return 404; }\n location ~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)\ + \ { return 404; }\n\n # Ensure this block, which passes PHP files\ + \ to the PHP process, is above the blocks\n # which handle static assets (as\ + \ seen below). 
If this block is not declared first,\n # then Nginx will encounter\ + \ an infinite rewriting loop when it prepends `/index.php`\n # to the URI,\ + \ resulting in a HTTP 500 error response.\n location ~ \\.php(?:$|/) {\n \ + \ # Required for legacy support\n rewrite ^/(?!index|remote|public|cron|core\\\ + /ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[ms]-provider\\/.+|.+\\/richdocumentscode(_arm64)?\\\ + /proxy) /index.php$request_uri;\n\n fastcgi_split_path_info ^(.+?\\.php)(/.*)$;\n\ + \ set $path_info $fastcgi_path_info;\n\n try_files $fastcgi_script_name\ + \ =404;\n\n include fastcgi_params;\n fastcgi_param SCRIPT_FILENAME\ + \ $document_root$fastcgi_script_name;\n fastcgi_param PATH_INFO $path_info;\n\ + \ #fastcgi_param HTTPS on;\n\n fastcgi_param modHeadersAvailable\ + \ true; # Avoid sending the security headers twice\n fastcgi_param\ + \ front_controller_active true; # Enable pretty urls\n fastcgi_pass\ + \ php-handler;\n\n fastcgi_intercept_errors on;\n fastcgi_request_buffering\ + \ off;\n }\n\n location ~ \\.(?:css|js|svg|gif)$ {\n try_files $uri\ + \ /index.php$request_uri;\n expires 6M; # Cache-Control policy\ + \ borrowed from `.htaccess`\n access_log off; # Optional: Don't log\ + \ access to assets\n }\n\n location ~ \\.woff2?$ {\n try_files $uri\ + \ /index.php$request_uri;\n expires 7d; # Cache-Control policy\ + \ borrowed from `.htaccess`\n access_log off; # Optional: Don't log\ + \ access to assets\n }\n\n location / {\n try_files $uri $uri/ /index.php$request_uri;\n\ + \ }\n}" kind: ConfigMap metadata: labels: app.kubernetes.io/instance: nextcloud app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: nextcloud - helm.sh/chart: nextcloud-4.5.13 + helm.sh/chart: nextcloud-5.5.2 name: nextcloud-nginxconfig diff --git a/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/service.yaml b/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/service.yaml index 23a4cc5..f41d862 100644 
--- a/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/service.yaml +++ b/tests/golden/defaults/defaults/defaults/10_helmchart/nextcloud/templates/service.yaml @@ -6,7 +6,7 @@ metadata: app.kubernetes.io/instance: nextcloud app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: nextcloud - helm.sh/chart: nextcloud-4.5.13 + helm.sh/chart: nextcloud-5.5.2 name: nextcloud spec: ports: diff --git a/tests/golden/defaults/defaults/defaults/10_helmchart/postgresql/templates/primary/statefulset.yaml b/tests/golden/defaults/defaults/defaults/10_helmchart/postgresql/templates/primary/statefulset.yaml index 56bf6d2..0280fad 100644 --- a/tests/golden/defaults/defaults/defaults/10_helmchart/postgresql/templates/primary/statefulset.yaml +++ b/tests/golden/defaults/defaults/defaults/10_helmchart/postgresql/templates/primary/statefulset.yaml @@ -6,8 +6,8 @@ metadata: app.kubernetes.io/instance: postgresql app.kubernetes.io/managed-by: commodore app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 16.1.0 - helm.sh/chart: postgresql-14.0.1 + app.kubernetes.io/version: 16.3.0 + helm.sh/chart: postgresql-15.5.20 name: postgresql namespace: app-defaults spec: @@ -29,8 +29,8 @@ spec: app.kubernetes.io/instance: postgresql app.kubernetes.io/managed-by: commodore app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 16.1.0 - helm.sh/chart: postgresql-14.0.1 + app.kubernetes.io/version: 16.3.0 + helm.sh/chart: postgresql-15.5.20 name: postgresql spec: affinity: @@ -82,7 +82,7 @@ spec: value: error - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES value: pgaudit - image: docker.io/bitnami/postgresql:16.1.0-debian-11-r26 + image: docker.io/bitnami/postgresql:16.3.0-debian-12-r23 imagePullPolicy: IfNotPresent livenessProbe: exec: 
@@ -127,13 +127,23 @@ spec:
 drop:
 - ALL
 privileged: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1001
 runAsNonRoot: true
 runAsUser: 1001
- seLinuxOptions: null
+ seLinuxOptions: {}
 seccompProfile:
 type: RuntimeDefault
 volumeMounts:
+ - mountPath: /tmp
+ name: empty-dir
+ subPath: tmp-dir
+ - mountPath: /opt/bitnami/postgresql/conf
+ name: empty-dir
+ subPath: app-conf-dir
+ - mountPath: /opt/bitnami/postgresql/tmp
+ name: empty-dir
+ subPath: app-tmp-dir
 - mountPath: /dev/shm
 name: dshm
 - mountPath: /bitnami/postgresql
@@ -147,6 +157,8 @@ spec:
 sysctls: []
 serviceAccountName: default
 volumes:
+ - emptyDir: {}
+ name: empty-dir
 - emptyDir:
 medium: Memory
 name: dshm
diff --git a/tests/golden/defaults/defaults/defaults/10_helmchart/postgresql/templates/primary/svc-headless.yaml b/tests/golden/defaults/defaults/defaults/10_helmchart/postgresql/templates/primary/svc-headless.yaml
index 6c2b05c..33dcb0e 100644
--- a/tests/golden/defaults/defaults/defaults/10_helmchart/postgresql/templates/primary/svc-headless.yaml
+++ b/tests/golden/defaults/defaults/defaults/10_helmchart/postgresql/templates/primary/svc-headless.yaml
@@ -1,15 +1,14 @@
 apiVersion: v1
 kind: Service
 metadata:
- annotations:
- service.alpha.kubernetes.io/tolerate-unready-endpoints: 'true'
+ annotations: null
 labels:
 app.kubernetes.io/component: primary
 app.kubernetes.io/instance: postgresql
 app.kubernetes.io/managed-by: commodore
 app.kubernetes.io/name: postgresql
- app.kubernetes.io/version: 16.1.0
- helm.sh/chart: postgresql-14.0.1
+ app.kubernetes.io/version: 16.3.0
+ helm.sh/chart: postgresql-15.5.20
 name: postgresql-hl
 namespace: app-defaults
 spec:
diff --git a/tests/golden/defaults/defaults/defaults/10_helmchart/postgresql/templates/primary/svc.yaml b/tests/golden/defaults/defaults/defaults/10_helmchart/postgresql/templates/primary/svc.yaml
index 0e757a6..099f140 100644
--- a/tests/golden/defaults/defaults/defaults/10_helmchart/postgresql/templates/primary/svc.yaml
+++ b/tests/golden/defaults/defaults/defaults/10_helmchart/postgresql/templates/primary/svc.yaml
@@ -6,8 +6,8 @@ metadata:
 app.kubernetes.io/instance: postgresql
 app.kubernetes.io/managed-by: commodore
 app.kubernetes.io/name: postgresql
- app.kubernetes.io/version: 16.1.0
- helm.sh/chart: postgresql-14.0.1
+ app.kubernetes.io/version: 16.3.0
+ helm.sh/chart: postgresql-15.5.20
 name: postgresql
 namespace: app-defaults
 spec:
diff --git a/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/configmap.yaml b/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/configmap.yaml
index c5cb8f9..2f13c6f 100644
--- a/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/configmap.yaml
+++ b/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/configmap.yaml
@@ -25,7 +25,7 @@ metadata:
 app.kubernetes.io/instance: redis
 app.kubernetes.io/managed-by: commodore
 app.kubernetes.io/name: redis
- app.kubernetes.io/version: 7.2.4
- helm.sh/chart: redis-18.12.1
+ app.kubernetes.io/version: 7.2.5
+ helm.sh/chart: redis-19.6.4
 name: redis-configuration
 namespace: app-defaults
diff --git a/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/headless-svc.yaml b/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/headless-svc.yaml
index af68d3e..fd03adc 100644
--- a/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/headless-svc.yaml
+++ b/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/headless-svc.yaml
@@ -1,13 +1,12 @@
 apiVersion: v1
 kind: Service
 metadata:
- annotations: null
 labels:
 app.kubernetes.io/instance: redis
 app.kubernetes.io/managed-by: commodore
 app.kubernetes.io/name: redis
- app.kubernetes.io/version: 7.2.4
- helm.sh/chart: redis-18.12.1
+ app.kubernetes.io/version: 7.2.5
+ helm.sh/chart: redis-19.6.4
 name: redis-headless
 namespace: app-defaults
 spec:
diff --git a/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/health-configmap.yaml b/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/health-configmap.yaml
index 4c8a954..a2eb104 100644
--- a/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/health-configmap.yaml
+++ b/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/health-configmap.yaml
@@ -100,7 +100,7 @@ metadata:
 app.kubernetes.io/instance: redis
 app.kubernetes.io/managed-by: commodore
 app.kubernetes.io/name: redis
- app.kubernetes.io/version: 7.2.4
- helm.sh/chart: redis-18.12.1
+ app.kubernetes.io/version: 7.2.5
+ helm.sh/chart: redis-19.6.4
 name: redis-health
 namespace: app-defaults
diff --git a/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/master/application.yaml b/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/master/application.yaml
index bd484b1..23da7e6 100644
--- a/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/master/application.yaml
+++ b/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/master/application.yaml
@@ -6,12 +6,13 @@ metadata:
 app.kubernetes.io/instance: redis
 app.kubernetes.io/managed-by: commodore
 app.kubernetes.io/name: redis
- app.kubernetes.io/version: 7.2.4
- helm.sh/chart: redis-18.12.1
+ app.kubernetes.io/version: 7.2.5
+ helm.sh/chart: redis-19.6.4
 name: redis-master
 namespace: app-defaults
 spec:
 replicas: 1
+ revisionHistoryLimit: 10
 selector:
 matchLabels:
 app.kubernetes.io/component: master
@@ -30,8 +31,8 @@ spec:
 app.kubernetes.io/instance: redis
 app.kubernetes.io/managed-by: commodore
 app.kubernetes.io/name: redis
- app.kubernetes.io/version: 7.2.4
- helm.sh/chart: redis-18.12.1
+ app.kubernetes.io/version: 7.2.5
+ helm.sh/chart: redis-19.6.4
 spec:
 affinity:
 nodeAffinity: null
@@ -69,7 +70,7 @@ spec:
 value: 'no'
 - name: REDIS_PORT
 value: '6379'
- image: docker.io/bitnami/redis:7.2.4-debian-11-r5
+ image: docker.io/bitnami/redis:7.2.5-debian-12-r4
 imagePullPolicy: IfNotPresent
 livenessProbe:
 exec:
@@ -109,10 +110,11 @@ spec:
 capabilities:
 drop:
 - ALL
- runAsGroup: 0
+ readOnlyRootFilesystem: true
+ runAsGroup: 1001
 runAsNonRoot: true
 runAsUser: 1001
- seLinuxOptions: null
+ seLinuxOptions: {}
 seccompProfile:
 type: RuntimeDefault
 volumeMounts:
@@ -125,9 +127,11 @@ spec:
 - mountPath: /opt/bitnami/redis/mounted-etc
 name: config
 - mountPath: /opt/bitnami/redis/etc/
- name: redis-tmp-conf
+ name: empty-dir
+ subPath: app-conf-dir
 - mountPath: /tmp
- name: tmp
+ name: empty-dir
+ subPath: tmp-dir
 enableServiceLinks: true
 securityContext:
 fsGroup: 1001
@@ -149,9 +153,7 @@ spec:
 name: redis-configuration
 name: config
 - emptyDir: {}
- name: redis-tmp-conf
- - emptyDir: {}
- name: tmp
+ name: empty-dir
 updateStrategy:
 type: RollingUpdate
 volumeClaimTemplates:
diff --git a/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/master/service.yaml b/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/master/service.yaml
index 17ea8c0..a34dd72 100644
--- a/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/master/service.yaml
+++ b/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/master/service.yaml
@@ -6,8 +6,8 @@ metadata:
 app.kubernetes.io/instance: redis
 app.kubernetes.io/managed-by: commodore
 app.kubernetes.io/name: redis
- app.kubernetes.io/version: 7.2.4
- helm.sh/chart: redis-18.12.1
+ app.kubernetes.io/version: 7.2.5
+ helm.sh/chart: redis-19.6.4
 name: redis-master
 namespace: app-defaults
 spec:
diff --git a/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/scripts-configmap.yaml b/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/scripts-configmap.yaml
index dd89910..199fbea 100644
--- a/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/scripts-configmap.yaml
+++ b/tests/golden/defaults/defaults/defaults/10_helmchart/redis/templates/scripts-configmap.yaml
@@ -22,7 +22,7 @@ metadata:
 app.kubernetes.io/instance: redis
 app.kubernetes.io/managed-by: commodore
 app.kubernetes.io/name: redis
- app.kubernetes.io/version: 7.2.4
- helm.sh/chart: redis-18.12.1
+ app.kubernetes.io/version: 7.2.5
+ helm.sh/chart: redis-19.6.4
 name: redis-scripts
 namespace: app-defaults
diff --git a/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/config.yaml b/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/config.yaml
index 08eee0e..000958c 100644
--- a/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/config.yaml
+++ b/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/config.yaml
@@ -46,6 +46,13 @@ data:
 $AUTOCONFIG["dbtype"] = "sqlite";
 $AUTOCONFIG["dbname"] = getenv('SQLITE_DATABASE');
 $autoconfig_enabled = true;
+ } elseif (getenv('MYSQL_DATABASE_FILE') && getenv('MYSQL_USER_FILE') && getenv('MYSQL_PASSWORD_FILE') && getenv('MYSQL_HOST')) {
+ $AUTOCONFIG['dbtype'] = 'mysql';
+ $AUTOCONFIG['dbname'] = trim(file_get_contents(getenv('MYSQL_DATABASE_FILE')));
+ $AUTOCONFIG['dbuser'] = trim(file_get_contents(getenv('MYSQL_USER_FILE')));
+ $AUTOCONFIG['dbpass'] = trim(file_get_contents(getenv('MYSQL_PASSWORD_FILE')));
+ $AUTOCONFIG['dbhost'] = getenv('MYSQL_HOST');
+ $autoconfig_enabled = true;
 } elseif (getenv('MYSQL_DATABASE') && getenv('MYSQL_USER') && getenv('MYSQL_PASSWORD') && getenv('MYSQL_HOST')) {
 $AUTOCONFIG["dbtype"] = "mysql";
 $AUTOCONFIG["dbname"] = getenv('MYSQL_DATABASE');
@@ -53,6 +60,13 @@ data:
 $AUTOCONFIG["dbpass"] = getenv('MYSQL_PASSWORD');
 $AUTOCONFIG["dbhost"] = getenv('MYSQL_HOST');
 $autoconfig_enabled = true;
+ } elseif (getenv('POSTGRES_DB_FILE') && getenv('POSTGRES_USER_FILE') && getenv('POSTGRES_PASSWORD_FILE') && getenv('POSTGRES_HOST')) {
+ $AUTOCONFIG['dbtype'] = 'pgsql';
+ $AUTOCONFIG['dbname'] = trim(file_get_contents(getenv('POSTGRES_DB_FILE')));
+ $AUTOCONFIG['dbuser'] = trim(file_get_contents(getenv('POSTGRES_USER_FILE')));
+ $AUTOCONFIG['dbpass'] = trim(file_get_contents(getenv('POSTGRES_PASSWORD_FILE')));
+ $AUTOCONFIG['dbhost'] = getenv('POSTGRES_HOST');
+ $autoconfig_enabled = true;
 } elseif (getenv('POSTGRES_DB') && getenv('POSTGRES_USER') && getenv('POSTGRES_PASSWORD') && getenv('POSTGRES_HOST')) {
 $AUTOCONFIG["dbtype"] = "pgsql";
 $AUTOCONFIG["dbname"] = getenv('POSTGRES_DB');
@@ -88,15 +102,100 @@ data: redis.config.php: |- '\OC\Memcache\Redis', 'memcache.locking' => '\OC\Memcache\Redis', 'redis' => array( 'host' => getenv('REDIS_HOST'), - 'port' => getenv('REDIS_HOST_PORT') ?: 6379, - 'password' => getenv('REDIS_HOST_PASSWORD'), + 'password' => getenv('REDIS_HOST_PASSWORD_FILE') ? trim(file_get_contents(getenv('REDIS_HOST_PASSWORD_FILE'))) : (string) getenv('REDIS_HOST_PASSWORD'), ), ); + + if (getenv('REDIS_HOST_PORT') !== false) { + $CONFIG['redis']['port'] = (int) getenv('REDIS_HOST_PORT'); + } elseif (getenv('REDIS_HOST')[0] != '/') { + $CONFIG['redis']['port'] = 6379; + } + } + reverse-proxy.config.php: |- + array( + 'class' => '\OC\Files\ObjectStore\S3', + 'arguments' => array( + 'bucket' => getenv('OBJECTSTORE_S3_BUCKET'), + 'region' => getenv('OBJECTSTORE_S3_REGION') ?: '', + 'hostname' => getenv('OBJECTSTORE_S3_HOST') ?: '', + 'port' => getenv('OBJECTSTORE_S3_PORT') ?: '', + 'storageClass' => getenv('OBJECTSTORE_S3_STORAGE_CLASS') ?: '', + 'objectPrefix' => getenv("OBJECTSTORE_S3_OBJECT_PREFIX") ? getenv("OBJECTSTORE_S3_OBJECT_PREFIX") : "urn:oid:", + 'autocreate' => (strtolower($autocreate) === 'false' || $autocreate == false) ? false : true, + 'use_ssl' => (strtolower($use_ssl) === 'false' || $use_ssl == false) ? 
false : true, + // required for some non Amazon S3 implementations + 'use_path_style' => $use_path == true && strtolower($use_path) !== 'false', + // required for older protocol versions + 'legacy_auth' => $use_legacyauth == true && strtolower($use_legacyauth) !== 'false' + ) + ) + ); + + if (getenv('OBJECTSTORE_S3_KEY_FILE')) { + $CONFIG['objectstore']['arguments']['key'] = trim(file_get_contents(getenv('OBJECTSTORE_S3_KEY_FILE'))); + } elseif (getenv('OBJECTSTORE_S3_KEY')) { + $CONFIG['objectstore']['arguments']['key'] = getenv('OBJECTSTORE_S3_KEY'); + } else { + $CONFIG['objectstore']['arguments']['key'] = ''; + } + + if (getenv('OBJECTSTORE_S3_SECRET_FILE')) { + $CONFIG['objectstore']['arguments']['secret'] = trim(file_get_contents(getenv('OBJECTSTORE_S3_SECRET_FILE'))); + } elseif (getenv('OBJECTSTORE_S3_SECRET')) { + $CONFIG['objectstore']['arguments']['secret'] = getenv('OBJECTSTORE_S3_SECRET'); + } else { + $CONFIG['objectstore']['arguments']['secret'] = ''; + } + + if (getenv('OBJECTSTORE_S3_SSE_C_KEY_FILE')) { + $CONFIG['objectstore']['arguments']['sse_c_key'] = trim(file_get_contents(getenv('OBJECTSTORE_S3_SSE_C_KEY_FILE'))); + } elseif (getenv('OBJECTSTORE_S3_SSE_C_KEY')) { + $CONFIG['objectstore']['arguments']['sse_c_key'] = getenv('OBJECTSTORE_S3_SSE_C_KEY'); + } } smtp.config.php: |- getenv('SMTP_HOST'), 'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 
465 : 25), 'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '', - 'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'), + 'mail_smtpauth' => getenv('SMTP_NAME') && (getenv('SMTP_PASSWORD') || getenv('SMTP_PASSWORD_FILE')), 'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN', 'mail_smtpname' => getenv('SMTP_NAME') ?: '', - 'mail_smtppassword' => getenv('SMTP_PASSWORD') ?: '', 'mail_from_address' => getenv('MAIL_FROM_ADDRESS'), 'mail_domain' => getenv('MAIL_DOMAIN'), ); + + if (getenv('SMTP_PASSWORD_FILE')) { + $CONFIG['mail_smtppassword'] = trim(file_get_contents(getenv('SMTP_PASSWORD_FILE'))); + } elseif (getenv('SMTP_PASSWORD')) { + $CONFIG['mail_smtppassword'] = getenv('SMTP_PASSWORD'); + } else { + $CONFIG['mail_smtppassword'] = ''; + } } + swift.config.php: |- + [ + 'class' => 'OC\\Files\\ObjectStore\\Swift', + 'arguments' => [ + 'autocreate' => $autocreate == true && strtolower($autocreate) !== 'false', + 'user' => [ + 'name' => getenv('OBJECTSTORE_SWIFT_USER_NAME'), + 'password' => getenv('OBJECTSTORE_SWIFT_USER_PASSWORD'), + 'domain' => [ + 'name' => (getenv('OBJECTSTORE_SWIFT_USER_DOMAIN')) ?: 'Default', + ], + ], + 'scope' => [ + 'project' => [ + 'name' => getenv('OBJECTSTORE_SWIFT_PROJECT_NAME'), + 'domain' => [ + 'name' => (getenv('OBJECTSTORE_SWIFT_PROJECT_DOMAIN')) ?: 'Default', + ], + ], + ], + 'serviceName' => (getenv('OBJECTSTORE_SWIFT_SERVICE_NAME')) ?: 'swift', + 'region' => getenv('OBJECTSTORE_SWIFT_REGION'), + 'url' => getenv('OBJECTSTORE_SWIFT_URL'), + 'bucket' => getenv('OBJECTSTORE_SWIFT_CONTAINER_NAME'), + ] + ] + ); + } + upgrade-disable-web.config.php: |- + true, + ); kind: ConfigMap metadata: labels: app.kubernetes.io/instance: nextcloud app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: nextcloud - helm.sh/chart: nextcloud-4.5.13 + helm.sh/chart: nextcloud-5.5.2 name: nextcloud-config 
diff --git a/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/deployment.yaml b/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/deployment.yaml
index c86d990..f7e4d67 100644
--- a/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/deployment.yaml
+++ b/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/deployment.yaml
@@ -6,7 +6,7 @@ metadata:
 app.kubernetes.io/instance: nextcloud
 app.kubernetes.io/managed-by: commodore
 app.kubernetes.io/name: nextcloud
- helm.sh/chart: nextcloud-4.5.13
+ helm.sh/chart: nextcloud-5.5.2
 name: nextcloud
 spec:
 replicas: 1
@@ -20,7 +20,8 @@ spec:
 template:
 metadata:
 annotations:
- nextcloud-config-hash: 1cb4ff4a2fc8d16be0438a3478ffc5ce01dc86c9b4fbcc590884b5373976decf
+ hooks-hash: 9525c2748a6c7cd0e28ec740623d0b3fa5a75c83b51ccfd136bc89c76737b204
+ nextcloud-config-hash: 7d1514661bbed0f4ae4dd259f67b168d24f76788138bf25fa2f2753b09db94f2
 nginx-config-hash: 18dd8f905a93ed27f032e9ae68084222ed7e5926f7144cda17b979780f4da54b
 php-config-hash: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
 labels:
@@ -67,7 +68,7 @@ spec:
 secretKeyRef:
 key: redis-password
 name: nextcloud
- image: nextcloud:28.0.2-fpm-alpine
+ image: nextcloud:29.0.4-fpm-alpine
 imagePullPolicy: IfNotPresent
 name: nextcloud
 resources:
@@ -123,9 +124,21 @@ spec:
 - mountPath: /var/www/html/config/redis.config.php
 name: nextcloud-config
 subPath: redis.config.php
+ - mountPath: /var/www/html/config/reverse-proxy.config.php
+ name: nextcloud-config
+ subPath: reverse-proxy.config.php
+ - mountPath: /var/www/html/config/s3.config.php
+ name: nextcloud-config
+ subPath: s3.config.php
 - mountPath: /var/www/html/config/smtp.config.php
 name: nextcloud-config
 subPath: smtp.config.php
+ - mountPath: /var/www/html/config/swift.config.php
+ name: nextcloud-config
+ subPath: swift.config.php
+ - mountPath: /var/www/html/config/upgrade-disable-web.config.php
+ name: nextcloud-config
+ subPath: upgrade-disable-web.config.php
 - image: nginx:alpine
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -228,7 +241,7 @@ spec:
 secretKeyRef:
 key: redis-password
 name: nextcloud
- image: nextcloud:28.0.2-fpm-alpine
+ image: nextcloud:29.0.4-fpm-alpine
 imagePullPolicy: IfNotPresent
 name: nextcloud-cron
 resources:
@@ -284,9 +297,21 @@ spec:
 - mountPath: /var/www/html/config/redis.config.php
 name: nextcloud-config
 subPath: redis.config.php
+ - mountPath: /var/www/html/config/reverse-proxy.config.php
+ name: nextcloud-config
+ subPath: reverse-proxy.config.php
+ - mountPath: /var/www/html/config/s3.config.php
+ name: nextcloud-config
+ subPath: s3.config.php
 - mountPath: /var/www/html/config/smtp.config.php
 name: nextcloud-config
 subPath: smtp.config.php
+ - mountPath: /var/www/html/config/swift.config.php
+ name: nextcloud-config
+ subPath: swift.config.php
+ - mountPath: /var/www/html/config/upgrade-disable-web.config.php
+ name: nextcloud-config
+ subPath: upgrade-disable-web.config.php
 securityContext:
 fsGroup: 82
 volumes:
diff --git a/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/ingress.yaml b/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/ingress.yaml
index ea4e86c..31f10c4 100644
--- a/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/ingress.yaml
+++ b/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/ingress.yaml
@@ -9,7 +9,7 @@ metadata:
 app.kubernetes.io/instance: nextcloud
 app.kubernetes.io/managed-by: commodore
 app.kubernetes.io/name: nextcloud
- helm.sh/chart: nextcloud-4.5.13
+ helm.sh/chart: nextcloud-5.5.2
 name: nextcloud
 spec:
 rules:
diff --git a/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/nextcloud-pvc.yaml b/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/nextcloud-pvc.yaml
index 7f14f23..cffb7bf 100644
--- a/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/nextcloud-pvc.yaml
+++ b/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/nextcloud-pvc.yaml
@@ -1,12 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
+ annotations:
+ helm.sh/resource-policy: keep
 labels:
 app.kubernetes.io/component: app
 app.kubernetes.io/instance: nextcloud
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: nextcloud
- helm.sh/chart: nextcloud-4.5.13
+ helm.sh/chart: nextcloud-5.5.2
 name: nextcloud-nextcloud
 spec:
 accessModes:
diff --git a/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/nginx-config.yaml b/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/nginx-config.yaml
index ff61b94..defb6c4 100644
--- a/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/nginx-config.yaml
+++ b/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/nginx-config.yaml
@@ -1,143 +1,90 @@ apiVersion: v1 data: - default.conf: |- - upstream php-handler { - server 127.0.0.1:9000; - } - - server { - listen 80; - - # HSTS settings - # WARNING: Only add the preload option once you read about - # the consequences in https://hstspreload.org/. This option - # will add the domain to a hardcoded list that is shipped - # in all major browsers and getting removed from this list - # could take several months. - #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; - - # set max upload size - client_max_body_size 10G; - fastcgi_buffers 64 4K; - - # Enable gzip but do not remove ETag headers - gzip on; - gzip_vary on; - gzip_comp_level 4; - gzip_min_length 256; - gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - - # Pagespeed is not supported by Nextcloud, so if your server is built - # with the `ngx_pagespeed` module, uncomment this line to disable it. 
- #pagespeed off; - - # HTTP response headers borrowed from Nextcloud `.htaccess` - add_header Referrer-Policy "no-referrer" always; - add_header X-Content-Type-Options "nosniff" always; - add_header X-Download-Options "noopen" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Permitted-Cross-Domain-Policies "none" always; - add_header X-Robots-Tag "noindex, nofollow" always; - add_header X-XSS-Protection "1; mode=block" always; - - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; - - # Path to the root of your installation - root /var/www/html; - - # Specify how to handle directories -- specifying `/index.php$request_uri` - # here as the fallback means that Nginx always exhibits the desired behaviour - # when a client requests a path that corresponds to a directory that exists - # on the server. In particular, if that directory contains an index.php file, - # that file is correctly served; if it doesn't, then the request is passed to - # the front-end controller. This consistent behaviour means that we don't need - # to specify custom rules for certain paths (e.g. images and other assets, - # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus - # `try_files $uri $uri/ /index.php$request_uri` - # always provides the desired behaviour. - index index.php index.html /index.php$request_uri; - - # Rule borrowed from `.htaccess` to handle Microsoft DAV clients - location = / { - if ( $http_user_agent ~ ^DavClnt ) { - return 302 /remote.php/webdav/$is_args$args; - } - } - - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - - # Make a regex exception for `/.well-known` so that clients can still - # access it despite the existence of the regex rule - # `location ~ /(\.|autotest|...)` which would otherwise handle requests - # for `/.well-known`. 
- location ^~ /.well-known { - # The following 6 rules are borrowed from `.htaccess` - - location = /.well-known/carddav { return 301 /remote.php/dav/; } - location = /.well-known/caldav { return 301 /remote.php/dav/; } - # Anything else is dynamically handled by Nextcloud - location ^~ /.well-known { return 301 /index.php$uri; } - - try_files $uri $uri/ =404; - } - - # Rules borrowed from `.htaccess` to hide certain paths from clients - location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } - location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } - - # Ensure this block, which passes PHP files to the PHP process, is above the blocks - # which handle static assets (as seen below). If this block is not declared first, - # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` - # to the URI, resulting in a HTTP 500 error response. - location ~ \.php(?:$|/) { - # Required for legacy support - rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; - - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - set $path_info $fastcgi_path_info; - - try_files $fastcgi_script_name =404; - - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $path_info; - #fastcgi_param HTTPS on; - - fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice - fastcgi_param front_controller_active true; # Enable pretty urls - fastcgi_pass php-handler; - - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - } - - location ~ \.(?:css|js|svg|gif)$ { - try_files $uri /index.php$request_uri; - expires 6M; # Cache-Control policy borrowed from `.htaccess` - access_log off; # Optional: Don't log access to assets - } - - location ~ \.woff2?$ { - try_files $uri /index.php$request_uri; - expires 7d; # Cache-Control policy borrowed 
from `.htaccess` - access_log off; # Optional: Don't log access to assets - } - - location / { - try_files $uri $uri/ /index.php$request_uri; - } - } + default.conf: "upstream php-handler {\n server 127.0.0.1:9000;\n}\n\nserver {\n\ + \ listen 80;\n\n # HSTS settings\n # WARNING: Only add the preload option\ + \ once you read about\n # the consequences in https://hstspreload.org/. This\ + \ option\n # will add the domain to a hardcoded list that is shipped\n #\ + \ in all major browsers and getting removed from this list\n # could take several\ + \ months.\n #add_header Strict-Transport-Security \"max-age=15768000; includeSubDomains;\ + \ preload;\" always;\n\n # set max upload size\n client_max_body_size 10G;\n\ + \ fastcgi_buffers 64 4K;\n\n # Enable gzip but do not remove ETag headers\n\ + \ gzip on;\n gzip_vary on;\n gzip_comp_level 4;\n gzip_min_length\ + \ 256;\n gzip_proxied expired no-cache no-store private no_last_modified no_etag\ + \ auth;\n gzip_types application/atom+xml application/javascript application/json\ + \ application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json\ + \ application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json\ + \ application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml\ + \ image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc\ + \ text/vtt text/x-component text/x-cross-domain-policy;\n\n # Pagespeed is\ + \ not supported by Nextcloud, so if your server is built\n # with the `ngx_pagespeed`\ + \ module, uncomment this line to disable it.\n #pagespeed off;\n\n # HTTP\ + \ response headers borrowed from Nextcloud `.htaccess`\n add_header Referrer-Policy\ + \ \"no-referrer\" always;\n add_header X-Content-Type-Options\ + \ \"nosniff\" always;\n add_header X-Download-Options\ + \ \"noopen\" always;\n add_header X-Frame-Options\ + \ \"SAMEORIGIN\" always;\n add_header X-Permitted-Cross-Domain-Policies\ + \ 
\"none\" always;\n add_header X-Robots-Tag \ + \ \"noindex, nofollow\" always;\n add_header X-XSS-Protection \ + \ \"1; mode=block\" always;\n\n # Remove X-Powered-By,\ + \ which is an information leak\n fastcgi_hide_header X-Powered-By;\n\n #\ + \ Add .mjs as a file extension for javascript\n # Either include it in the\ + \ default mime.types list\n # or include you can include that list explicitly\ + \ and add the file extension\n # only for Nextcloud like below:\n include\ + \ mime.types;\n types {\n text/javascript js mjs;\n } \n\n\ + \ # Path to the root of your installation\n root /var/www/html;\n\n #\ + \ Specify how to handle directories -- specifying `/index.php$request_uri`\n \ + \ # here as the fallback means that Nginx always exhibits the desired behaviour\n\ + \ # when a client requests a path that corresponds to a directory that exists\n\ + \ # on the server. In particular, if that directory contains an index.php file,\n\ + \ # that file is correctly served; if it doesn't, then the request is passed\ + \ to\n # the front-end controller. This consistent behaviour means that we\ + \ don't need\n # to specify custom rules for certain paths (e.g. 
images and\ + \ other assets,\n # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus\n\ + \ # `try_files $uri $uri/ /index.php$request_uri`\n # always provides the\ + \ desired behaviour.\n index index.php index.html /index.php$request_uri;\n\ + \n # Rule borrowed from `.htaccess` to handle Microsoft DAV clients\n location\ + \ = / {\n if ( $http_user_agent ~ ^DavClnt ) {\n return 302\ + \ /remote.php/webdav/$is_args$args;\n }\n }\n\n location = /robots.txt\ + \ {\n allow all;\n log_not_found off;\n access_log off;\n\ + \ }\n\n # Make a regex exception for `/.well-known` so that clients can\ + \ still\n # access it despite the existence of the regex rule\n # `location\ + \ ~ /(\\.|autotest|...)` which would otherwise handle requests\n # for `/.well-known`.\n\ + \ location ^~ /.well-known {\n # The following 6 rules are borrowed\ + \ from `.htaccess`\n\n location = /.well-known/carddav { return 301\ + \ /remote.php/dav/; }\n location = /.well-known/caldav { return 301\ + \ /remote.php/dav/; }\n # Anything else is dynamically handled by Nextcloud\n\ + \ location ^~ /.well-known { return 301 /index.php$uri; }\n\n\ + \ try_files $uri $uri/ =404;\n }\n\n # Rules borrowed from `.htaccess`\ + \ to hide certain paths from clients\n location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)\ + \ { return 404; }\n location ~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)\ + \ { return 404; }\n\n # Ensure this block, which passes PHP files\ + \ to the PHP process, is above the blocks\n # which handle static assets (as\ + \ seen below). 
If this block is not declared first,\n # then Nginx will encounter\ + \ an infinite rewriting loop when it prepends `/index.php`\n # to the URI,\ + \ resulting in a HTTP 500 error response.\n location ~ \\.php(?:$|/) {\n \ + \ # Required for legacy support\n rewrite ^/(?!index|remote|public|cron|core\\\ + /ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[ms]-provider\\/.+|.+\\/richdocumentscode(_arm64)?\\\ + /proxy) /index.php$request_uri;\n\n fastcgi_split_path_info ^(.+?\\.php)(/.*)$;\n\ + \ set $path_info $fastcgi_path_info;\n\n try_files $fastcgi_script_name\ + \ =404;\n\n include fastcgi_params;\n fastcgi_param SCRIPT_FILENAME\ + \ $document_root$fastcgi_script_name;\n fastcgi_param PATH_INFO $path_info;\n\ + \ #fastcgi_param HTTPS on;\n\n fastcgi_param modHeadersAvailable\ + \ true; # Avoid sending the security headers twice\n fastcgi_param\ + \ front_controller_active true; # Enable pretty urls\n fastcgi_pass\ + \ php-handler;\n\n fastcgi_intercept_errors on;\n fastcgi_request_buffering\ + \ off;\n }\n\n location ~ \\.(?:css|js|svg|gif)$ {\n try_files $uri\ + \ /index.php$request_uri;\n expires 6M; # Cache-Control policy\ + \ borrowed from `.htaccess`\n access_log off; # Optional: Don't log\ + \ access to assets\n }\n\n location ~ \\.woff2?$ {\n try_files $uri\ + \ /index.php$request_uri;\n expires 7d; # Cache-Control policy\ + \ borrowed from `.htaccess`\n access_log off; # Optional: Don't log\ + \ access to assets\n }\n\n location / {\n try_files $uri $uri/ /index.php$request_uri;\n\ + \ }\n}" kind: ConfigMap metadata: labels: app.kubernetes.io/instance: nextcloud app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: nextcloud - helm.sh/chart: nextcloud-4.5.13 + helm.sh/chart: nextcloud-5.5.2 name: nextcloud-nginxconfig diff --git a/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/service.yaml b/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/service.yaml index 23a4cc5..f41d862 100644 
--- a/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/service.yaml
+++ b/tests/golden/instances/instances/instances/10_helmchart/nextcloud/templates/service.yaml
@@ -6,7 +6,7 @@ metadata:
 app.kubernetes.io/instance: nextcloud
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: nextcloud
- helm.sh/chart: nextcloud-4.5.13
+ helm.sh/chart: nextcloud-5.5.2
 name: nextcloud
 spec:
 ports:
diff --git a/tests/golden/instances/instances/instances/10_helmchart/postgresql/templates/primary/statefulset.yaml b/tests/golden/instances/instances/instances/10_helmchart/postgresql/templates/primary/statefulset.yaml
index cda7862..a456e77 100644
--- a/tests/golden/instances/instances/instances/10_helmchart/postgresql/templates/primary/statefulset.yaml
+++ b/tests/golden/instances/instances/instances/10_helmchart/postgresql/templates/primary/statefulset.yaml
@@ -6,8 +6,8 @@ metadata:
 app.kubernetes.io/instance: postgresql
 app.kubernetes.io/managed-by: commodore
 app.kubernetes.io/name: postgresql
- app.kubernetes.io/version: 16.1.0
- helm.sh/chart: postgresql-14.0.1
+ app.kubernetes.io/version: 16.3.0
+ helm.sh/chart: postgresql-15.5.20
 name: postgresql
 namespace: app-instances
 spec:
@@ -29,8 +29,8 @@ spec:
 app.kubernetes.io/instance: postgresql
 app.kubernetes.io/managed-by: commodore
 app.kubernetes.io/name: postgresql
- app.kubernetes.io/version: 16.1.0
- helm.sh/chart: postgresql-14.0.1
+ app.kubernetes.io/version: 16.3.0
+ helm.sh/chart: postgresql-15.5.20
 name: postgresql
 spec:
 affinity:
@@ -82,7 +82,7 @@ spec:
 value: error
 - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
 value: pgaudit
- image: docker.io/bitnami/postgresql:16.1.0-debian-11-r26
+ image: docker.io/bitnami/postgresql:16.3.0-debian-12-r23
 imagePullPolicy: IfNotPresent
 livenessProbe:
 exec:
@@ -127,13 +127,23 @@ spec: drop: - ALL privileged: false - readOnlyRootFilesystem: false + readOnlyRootFilesystem: true + runAsGroup: 1001 runAsNonRoot: true runAsUser: 1001 - seLinuxOptions: null + seLinuxOptions: {} seccompProfile: type: RuntimeDefault volumeMounts: + - mountPath: /tmp + name: empty-dir + subPath: tmp-dir + - mountPath: /opt/bitnami/postgresql/conf + name: empty-dir + subPath: app-conf-dir + - mountPath: /opt/bitnami/postgresql/tmp + name: empty-dir + subPath: app-tmp-dir - mountPath: /dev/shm name: dshm - mountPath: /bitnami/postgresql @@ -147,6 +157,8 @@ spec: sysctls: [] serviceAccountName: default volumes: + - emptyDir: {} + name: empty-dir - emptyDir: medium: Memory name: dshm diff --git a/tests/golden/instances/instances/instances/10_helmchart/postgresql/templates/primary/svc-headless.yaml b/tests/golden/instances/instances/instances/10_helmchart/postgresql/templates/primary/svc-headless.yaml index 9ba6903..9684c6e 100644 --- a/tests/golden/instances/instances/instances/10_helmchart/postgresql/templates/primary/svc-headless.yaml +++ b/tests/golden/instances/instances/instances/10_helmchart/postgresql/templates/primary/svc-headless.yaml @@ -1,15 +1,14 @@ apiVersion: v1 kind: Service metadata: - annotations: - service.alpha.kubernetes.io/tolerate-unready-endpoints: 'true' + annotations: null labels: app.kubernetes.io/component: primary app.kubernetes.io/instance: postgresql app.kubernetes.io/managed-by: commodore app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 16.1.0 - helm.sh/chart: postgresql-14.0.1 + app.kubernetes.io/version: 16.3.0 + helm.sh/chart: postgresql-15.5.20 name: postgresql-hl namespace: app-instances spec: diff --git a/tests/golden/instances/instances/instances/10_helmchart/postgresql/templates/primary/svc.yaml b/tests/golden/instances/instances/instances/10_helmchart/postgresql/templates/primary/svc.yaml index ce8a0fa..1259891 100644 
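Review bot: The `empty-dir` volume added in the postgresql `volumes:` hunk is a bare `emptyDir: {}` with no `sizeLimit`, and the `volumeMounts:` hunk before it makes that one volume the backing store for every writable scratch path (`/tmp`, `/opt/bitnami/postgresql/conf`, `/opt/bitnami/postgresql/tmp`) now that `readOnlyRootFilesystem: true` is set. The container spec continues outside both hunks, so an ephemeral-storage limit may already exist there; if it does not, writes to these paths are bounded only by the node's disk. I would cap the volume with `emptyDir: {sizeLimit: <SIZE>}` (placeholder size), set through the chart values, since this file is rendered golden output. The consolidated `empty-dir` volume in the redis `master/application.yaml` hunks has the same shape.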
--- a/tests/golden/instances/instances/instances/10_helmchart/postgresql/templates/primary/svc.yaml +++ b/tests/golden/instances/instances/instances/10_helmchart/postgresql/templates/primary/svc.yaml @@ -6,8 +6,8 @@ metadata: app.kubernetes.io/instance: postgresql app.kubernetes.io/managed-by: commodore app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 16.1.0 - helm.sh/chart: postgresql-14.0.1 + app.kubernetes.io/version: 16.3.0 + helm.sh/chart: postgresql-15.5.20 name: postgresql namespace: app-instances spec: diff --git a/tests/golden/instances/instances/instances/10_helmchart/redis/templates/configmap.yaml b/tests/golden/instances/instances/instances/10_helmchart/redis/templates/configmap.yaml index d5a7d0b..a7a249f 100644 --- a/tests/golden/instances/instances/instances/10_helmchart/redis/templates/configmap.yaml +++ b/tests/golden/instances/instances/instances/10_helmchart/redis/templates/configmap.yaml @@ -25,7 +25,7 @@ metadata: app.kubernetes.io/instance: redis app.kubernetes.io/managed-by: commodore app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.12.1 + app.kubernetes.io/version: 7.2.5 + helm.sh/chart: redis-19.6.4 name: redis-configuration namespace: app-instances diff --git a/tests/golden/instances/instances/instances/10_helmchart/redis/templates/headless-svc.yaml b/tests/golden/instances/instances/instances/10_helmchart/redis/templates/headless-svc.yaml index ad2010c..ecc0c82 100644 --- a/tests/golden/instances/instances/instances/10_helmchart/redis/templates/headless-svc.yaml +++ b/tests/golden/instances/instances/instances/10_helmchart/redis/templates/headless-svc.yaml 
@@ -1,13 +1,12 @@ apiVersion: v1 kind: Service metadata: - annotations: null labels: app.kubernetes.io/instance: redis app.kubernetes.io/managed-by: commodore app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.12.1 + app.kubernetes.io/version: 7.2.5 + helm.sh/chart: redis-19.6.4 name: redis-headless namespace: app-instances spec: diff --git a/tests/golden/instances/instances/instances/10_helmchart/redis/templates/health-configmap.yaml b/tests/golden/instances/instances/instances/10_helmchart/redis/templates/health-configmap.yaml index acae7fb..e103eec 100644 --- a/tests/golden/instances/instances/instances/10_helmchart/redis/templates/health-configmap.yaml +++ b/tests/golden/instances/instances/instances/10_helmchart/redis/templates/health-configmap.yaml @@ -100,7 +100,7 @@ metadata: app.kubernetes.io/instance: redis app.kubernetes.io/managed-by: commodore app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.12.1 + app.kubernetes.io/version: 7.2.5 + helm.sh/chart: redis-19.6.4 name: redis-health namespace: app-instances diff --git a/tests/golden/instances/instances/instances/10_helmchart/redis/templates/master/application.yaml b/tests/golden/instances/instances/instances/10_helmchart/redis/templates/master/application.yaml index 1d8dc49..797af93 100644 --- a/tests/golden/instances/instances/instances/10_helmchart/redis/templates/master/application.yaml +++ b/tests/golden/instances/instances/instances/10_helmchart/redis/templates/master/application.yaml @@ -6,12 +6,13 @@ metadata: app.kubernetes.io/instance: redis app.kubernetes.io/managed-by: commodore app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.12.1 + app.kubernetes.io/version: 7.2.5 + helm.sh/chart: redis-19.6.4 name: redis-master namespace: app-instances spec: replicas: 1 + revisionHistoryLimit: 10 selector: matchLabels: app.kubernetes.io/component: master 
@@ -30,8 +31,8 @@ spec: app.kubernetes.io/instance: redis app.kubernetes.io/managed-by: commodore app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.12.1 + app.kubernetes.io/version: 7.2.5 + helm.sh/chart: redis-19.6.4 spec: affinity: nodeAffinity: null @@ -69,7 +70,7 @@ spec: value: 'no' - name: REDIS_PORT value: '6379' - image: docker.io/bitnami/redis:7.2.4-debian-11-r5 + image: docker.io/bitnami/redis:7.2.5-debian-12-r4 imagePullPolicy: IfNotPresent livenessProbe: exec: @@ -109,10 +110,11 @@ spec: capabilities: drop: - ALL - runAsGroup: 0 + readOnlyRootFilesystem: true + runAsGroup: 1001 runAsNonRoot: true runAsUser: 1001 - seLinuxOptions: null + seLinuxOptions: {} seccompProfile: type: RuntimeDefault volumeMounts: @@ -125,9 +127,11 @@ spec: - mountPath: /opt/bitnami/redis/mounted-etc name: config - mountPath: /opt/bitnami/redis/etc/ - name: redis-tmp-conf + name: empty-dir + subPath: app-conf-dir - mountPath: /tmp - name: tmp + name: empty-dir + subPath: tmp-dir enableServiceLinks: true securityContext: fsGroup: 1001 @@ -149,9 +153,7 @@ spec: name: redis-configuration name: config - emptyDir: {} - name: redis-tmp-conf - - emptyDir: {} - name: tmp + name: empty-dir updateStrategy: type: RollingUpdate volumeClaimTemplates: diff --git a/tests/golden/instances/instances/instances/10_helmchart/redis/templates/master/service.yaml b/tests/golden/instances/instances/instances/10_helmchart/redis/templates/master/service.yaml index 436cea9..47c4651 100644 --- a/tests/golden/instances/instances/instances/10_helmchart/redis/templates/master/service.yaml +++ b/tests/golden/instances/instances/instances/10_helmchart/redis/templates/master/service.yaml 
@@ -6,8 +6,8 @@ metadata: app.kubernetes.io/instance: redis app.kubernetes.io/managed-by: commodore app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.12.1 + app.kubernetes.io/version: 7.2.5 + helm.sh/chart: redis-19.6.4 name: redis-master namespace: app-instances spec: diff --git a/tests/golden/instances/instances/instances/10_helmchart/redis/templates/scripts-configmap.yaml b/tests/golden/instances/instances/instances/10_helmchart/redis/templates/scripts-configmap.yaml index e45a04d..aa04a86 100644 --- a/tests/golden/instances/instances/instances/10_helmchart/redis/templates/scripts-configmap.yaml +++ b/tests/golden/instances/instances/instances/10_helmchart/redis/templates/scripts-configmap.yaml @@ -22,7 +22,7 @@ metadata: app.kubernetes.io/instance: redis app.kubernetes.io/managed-by: commodore app.kubernetes.io/name: redis - app.kubernetes.io/version: 7.2.4 - helm.sh/chart: redis-18.12.1 + app.kubernetes.io/version: 7.2.5 + helm.sh/chart: redis-19.6.4 name: redis-scripts namespace: app-instances