From 8eb28ab73201cc14407ae735af72c58c4cf05d5c Mon Sep 17 00:00:00 2001 From: Willy Kloucek Date: Wed, 1 Mar 2023 10:35:04 +0100 Subject: [PATCH 1/2] adapt to ocis 3.0.0 prereleases --- .drone.star | 1 - Makefile | 14 +- charts/ocis/Chart.yaml | 4 +- charts/ocis/README.md | 2 +- charts/ocis/docs/kube-versions.adoc | 2 - charts/ocis/docs/values-desc-table.adoc | 54 +++++++ charts/ocis/docs/values.adoc.yaml | 29 +++- .../templates/eventhistory/deployment.yaml | 118 ++++++++++++++++ .../ocis/templates/eventhistory/service.yaml | 20 +++ charts/ocis/templates/graph/deployment.yaml | 5 + charts/ocis/templates/idp/service.yaml | 1 - .../templates/postprocessing/deployment.yaml | 111 +++++++++++++++ charts/ocis/templates/proxy/config.yaml | 29 ++-- charts/ocis/templates/userlog/deployment.yaml | 133 ++++++++++++++++++ charts/ocis/templates/userlog/service.yaml | 20 +++ charts/ocis/templates/web/deployment.yaml | 9 ++ .../ocis/templates/webfinger/deployment.yaml | 83 +++++++++++ charts/ocis/templates/webfinger/service.yaml | 20 +++ charts/ocis/values.yaml | 29 +++- 19 files changed, 651 insertions(+), 33 deletions(-) create mode 100644 charts/ocis/templates/eventhistory/deployment.yaml create mode 100644 charts/ocis/templates/eventhistory/service.yaml create mode 100644 charts/ocis/templates/postprocessing/deployment.yaml create mode 100644 charts/ocis/templates/userlog/deployment.yaml create mode 100644 charts/ocis/templates/userlog/service.yaml create mode 100644 charts/ocis/templates/webfinger/deployment.yaml create mode 100644 charts/ocis/templates/webfinger/service.yaml diff --git a/.drone.star b/.drone.star index 744e1078c..2f4e132af 100644 --- a/.drone.star +++ b/.drone.star @@ -4,7 +4,6 @@ config = { ], # if this changes, also the kubeVersion in the Chart.yaml needs to be changed "kubernetesVersions": [ - "1.23.0", "1.24.0", "1.25.0", "1.26.0", diff --git a/Makefile b/Makefile index 1268ec778..46b8fd73c 100644 --- a/Makefile +++ b/Makefile 
@@ -25,19 +25,7 @@ lint: $(KUBE_LINTER) .PHONY: api -api: api-1.23.0 api-1.24.0 api-1.25.0 api-1.26.0 - - -.PHONY: api-1.23.0 -api-1.23.0: api-1.23.0-template api-1.23.0-kubeconform - -.PHONY: api-1.23.0-template -api-1.23.0-template: - helm template --kube-version 1.23.0 charts/ocis -f 'charts/ocis/ci/values_<1.25.0.yaml' > charts/ocis/ci/templated.yaml - -.PHONY: api-1.23.0-kubeconform -api-1.23.0-kubeconform: $(KUBECONFORM) - $(KUBECONFORM) -kubernetes-version 1.23.0 -summary -strict charts/ocis/ci/templated.yaml +api: api-1.24.0 api-1.25.0 api-1.26.0 .PHONY: api-1.24.0 api-1.24.0: api-1.24.0-template api-1.24.0-kubeconform diff --git a/charts/ocis/Chart.yaml b/charts/ocis/Chart.yaml index 90876ec4c..5a26b45de 100644 --- a/charts/ocis/Chart.yaml +++ b/charts/ocis/Chart.yaml @@ -10,11 +10,11 @@ maintainers: url: https://owncloud.com type: application version: 0.1.0 -appVersion: 2.0.0 +appVersion: 3.0.0-alpha.1 # supported Kubernetes versions # should only contain non EOL versions from https://kubernetes.io/releases/patch-releases/#non-active-branch-history # if this changes, also kubernetesVersions in .drone.star needs to be changed -kubeVersion: "~1.23.0 || ~1.24.0 || ~1.25.0 || ~1.26.0" +kubeVersion: "~1.24.0 || ~1.25.0 || ~1.26.0" sources: - https://github.com/owncloud/ocis-charts - https://github.com/owncloud/ocis diff --git a/charts/ocis/README.md b/charts/ocis/README.md index 842165406..f8e644866 100644 --- a/charts/ocis/README.md +++ b/charts/ocis/README.md 
@@ -2,7 +2,7 @@ [comment]: # (DONT EDIT THIS FILE, it is autogenerated. Instead you need to edit README.md.gotmpl) # ownCloud Infinite Scale (oCIS) Helm chart -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.0](https://img.shields.io/badge/AppVersion-2.0.0-informational?style=flat-square) +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.0.0-alpha.1](https://img.shields.io/badge/AppVersion-3.0.0--alpha.1-informational?style=flat-square) Installs [ownCloud Infinite Scale](https://doc.owncloud.com/ocis/next/). diff --git a/charts/ocis/docs/kube-versions.adoc b/charts/ocis/docs/kube-versions.adoc index 803ece93d..2e16aabcd 100644 --- a/charts/ocis/docs/kube-versions.adoc +++ b/charts/ocis/docs/kube-versions.adoc @@ -9,6 +9,4 @@ a| [subs=-attributes] +~1.25.0+ a| [subs=-attributes] +~1.24.0+ -a| [subs=-attributes] -+~1.23.0+ |=== diff --git a/charts/ocis/docs/values-desc-table.adoc b/charts/ocis/docs/values-desc-table.adoc index 8d20e7dcb..445620738 100644 --- a/charts/ocis/docs/values-desc-table.adoc +++ b/charts/ocis/docs/values-desc-table.adoc @@ -42,6 +42,12 @@ a| [subs=-attributes] a| [subs=-attributes] `"noop"` | Type of the cache to use. To disable the cache, set to "noop". Can be set to "redis", then the address of Redis nodes needs to be set to `cache.nodes`. +| configRefs.graphConfigRef +a| [subs=-attributes] ++string+ +a| [subs=-attributes] +`"graph"` +| Reference to an existing graph config. | configRefs.storageUsersConfigRef a| [subs=-attributes] +string+ 
@@ -678,6 +684,18 @@ a| [subs=-attributes] a| [subs=-attributes] `{}` | Per-service resources configuration. Overrides the default setting from `resources` if set. +| services.eventhistory +a| [subs=-attributes] ++object+ +a| [subs=-attributes] +see detailed service configuration options below +| EVENT HISTORY service. +| services.eventhistory.resources +a| [subs=-attributes] ++object+ +a| [subs=-attributes] +`{}` +| Per-service resources configuration. Overrides the default setting from `resources` if set. | services.frontend a| [subs=-attributes] +object+ @@ -906,6 +924,18 @@ a| [subs=-attributes] a| [subs=-attributes] `{}` | Per-service resources configuration. Overrides the default setting from `resources` if set. +| services.postprocessing +a| [subs=-attributes] ++object+ +a| [subs=-attributes] +see detailed service configuration options below +| POSTPROCESSING service. +| services.postprocessing.resources +a| [subs=-attributes] ++object+ +a| [subs=-attributes] +`{}` +| Per-service resources configuration. Overrides the default setting from `resources` if set. | services.proxy a| [subs=-attributes] +object+ @@ -1344,6 +1374,18 @@ a| [subs=-attributes] a| [subs=-attributes] `{}` | Per-service resources configuration. Overrides the default setting from `resources` if set. +| services.userlog +a| [subs=-attributes] ++object+ +a| [subs=-attributes] +see detailed service configuration options below +| USERLOG service. +| services.userlog.resources +a| [subs=-attributes] ++object+ +a| [subs=-attributes] +`{}` +| Per-service resources configuration. Overrides the default setting from `resources` if set. | services.users a| [subs=-attributes] +object+ 
@@ -1416,6 +1458,18 @@ a| [subs=-attributes] a| [subs=-attributes] `{}` | Per-service resources configuration. Overrides the default setting from `resources` if set. +| services.webfinger +a| [subs=-attributes] ++object+ +a| [subs=-attributes] +see detailed service configuration options below +| WEBFINGER service. +| services.webfinger.resources +a| [subs=-attributes] ++object+ +a| [subs=-attributes] +`{}` +| Per-service resources configuration. Overrides the default setting from `resources` if set. | topologySpreadConstraints a| [subs=-attributes] +string+ diff --git a/charts/ocis/docs/values.adoc.yaml b/charts/ocis/docs/values.adoc.yaml index dbcf035a1..ed28a6060 100644 --- a/charts/ocis/docs/values.adoc.yaml +++ b/charts/ocis/docs/values.adoc.yaml @@ -254,6 +254,9 @@ ingress: configRefs: # -- Reference to an existing storage-users config. storageUsersConfigRef: "storage-users" + # -- Reference to an existing graph config. + graphConfigRef: "graph" + # References to secrets. # The secrets need to be manually created. @@ -419,6 +422,12 @@ services: # -- Per-service resources configuration. Overrides the default setting from `resources` if set. resources: {} + # -- EVENT HISTORY service. + # @default -- see detailed service configuration options below + eventhistory: + # -- Per-service resources configuration. Overrides the default setting from `resources` if set. + resources: {} + # -- FRONTEND service. # @default -- see detailed service configuration options below frontend: @@ -534,6 +543,12 @@ services: # -- Per-service resources configuration. Overrides the default setting from `resources` if set. resources: {} + # -- POSTPROCESSING service. + # @default -- see detailed service configuration options below + postprocessing: + # -- Per-service resources configuration. Overrides the default setting from `resources` if set. + resources: {} + # -- PROXY service. # @default -- see detailed service configuration options below proxy: 
@@ -772,10 +787,16 @@ services: # -- Per-service resources configuration. Overrides the default setting from `resources` if set. resources: {} + # -- USERLOG service. + # @default -- see detailed service configuration options below + userlog: + # -- Per-service resources configuration. Overrides the default setting from `resources` if set. + resources: {} + # -- USERS service. # @default -- see detailed service configuration options below users: - # -- Per-service resources configuration. Overrides the default setting from `resources` if set. + # -- Per-service resources configuration. Overrides the default setting from `resources` if set. resources: {} # -- ownCloud WEB service. @@ -829,3 +850,9 @@ services: # -- Per-service resources configuration. Overrides the default setting from `resources` if set. resources: {} + # -- WEBFINGER service. + # @default -- see detailed service configuration options below + webfinger: + # -- Per-service resources configuration. Overrides the default setting from `resources` if set. + resources: {} + diff --git a/charts/ocis/templates/eventhistory/deployment.yaml b/charts/ocis/templates/eventhistory/deployment.yaml new file mode 100644 index 000000000..4cb28baeb --- /dev/null +++ b/charts/ocis/templates/eventhistory/deployment.yaml 
@@ -0,0 +1,118 @@ +{{- $_ := set . "appName" "eventhistory" -}} +{{- $_ := set . "resources" (default (default (dict) .Values.resources) .Values.services.eventhistory.resources) -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .appName }} + namespace: {{ template "ocis.namespace" . }} + labels: + {{- include "ocis.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app: {{ .appName }} + replicas: 1 + template: + metadata: + labels: + app: {{ .appName }} + {{- include "ocis.labels" . | nindent 8 }} + spec: + securityContext: + fsGroup: {{ .Values.securityContext.fsGroup }} + fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- tpl . $ | nindent 8 }} + {{- end }} + containers: + - name: {{ .appName }} + image: {{ template "ocis.image" $ }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ["ocis"] + args: ["eventhistory", "server"] + securityContext: + runAsNonRoot: true + runAsUser: {{ .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup }} + readOnlyRootFilesystem: true + env: + - name: MICRO_REGISTRY + value: kubernetes + + - name: EVENTHISTORY_LOG_COLOR + value: {{ .Values.logging.color | quote }} + - name: EVENTHISTORY_LOG_LEVEL + value: {{ .Values.logging.level | quote }} + - name: EVENTHISTORY_LOG_PRETTY + value: {{ .Values.logging.pretty | quote }} + + - name: EVENTHISTORY_DEBUG_PPROF + value: {{ .Values.debug.profiling | quote }} + + - name: EVENTHISTORY_GRPC_ADDR + value: 0.0.0.0:8080 + # - name: EVENTHISTORY_DEBUG_ADDR + # value: 0.0.0.0:8081 + + # - name: EVENTHISTORY_STORE_TYPE + # value: "mem" # TODO + # - name: EVENTHISTORY_STORE_ADDRESSES + # value: "nats:9233" # TODO + + - name: EVENTHISTORY_EVENTS_ENDPOINT + {{- if not .Values.messagingSystem.external.enabled }} + value: nats:9233 + {{- else }} + value: {{ .Values.messagingSystem.external.endpoint | quote }} + - name: 
EVENTHISTORY_EVENTS_CLUSTER + value: {{ .Values.messagingSystem.external.cluster | quote }} + - name: EVENTHISTORY_EVENTS_ENABLE_TLS + value: {{ .Values.messagingSystem.external.tls.enabled | quote }} + - name: EVENTHISTORY_EVENTS_TLS_INSECURE + value: {{ .Values.messagingSystem.external.tls.insecure | quote }} + - name: EVENTHISTORY_EVENTS_TLS_ROOT_CA_CERTIFICATE + {{- if not .Values.messagingSystem.external.tls.certTrusted }} + value: /etc/ocis/messaging-system-ca/messaging-system-ca.crt + {{- else }} + value: "" # no cert needed + {{- end }} + {{- end }} + + # TODO: This service does not currently provide a debug port, re-enable this once that is implemented + # See: https://github.com/owncloud/ocis-charts/issues/111 + # livenessProbe: + # httpGet: + # path: /healthz + # port: metrics-debug + # timeoutSeconds: 10 + # initialDelaySeconds: 60 + # periodSeconds: 20 + # failureThreshold: 3 + + resources: {{ toYaml .resources | nindent 12 }} + + ports: + - name: grpc + containerPort: 8080 + # TODO: This service does not currently provide a debug port, re-enable this once that is implemented + # - name: metrics-debug + # containerPort: 8081 + + volumeMounts: + - name: ocis-config-tmp + mountPath: /etc/ocis # we mount that volume only to apply fsGroup to that path + - name: messaging-system-ca + mountPath: /etc/ocis/messaging-system-ca + readOnly: true + + volumes: + - name: ocis-config-tmp + emptyDir: {} + - name: messaging-system-ca + {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }} + secret: + secretName: {{ .Values.secretRefs.messagingSystemCaRef }} + {{ else }} + emptyDir: {} + {{ end }} diff --git a/charts/ocis/templates/eventhistory/service.yaml b/charts/ocis/templates/eventhistory/service.yaml new file mode 100644 index 000000000..a4de68434 --- /dev/null +++ b/charts/ocis/templates/eventhistory/service.yaml 
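Review bot: The container `securityContext` of the new eventhistory Deployment stops at `readOnlyRootFilesystem: true` and sets neither `allowPrivilegeEscalation: false` nor a capability drop, so the container keeps the runtime's default capability set even though it runs as non-root. Adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` under the container's `securityContext` would complete the hardening, unless the chart's existing Deployments omit these deliberately; the same applies to the postprocessing, userlog and webfinger Deployments in this patch. Separately, `EVENTHISTORY_EVENTS_ENDPOINT` uses the plain scalar `nats:9233` here and in postprocessing while userlog quotes the same value as `"nats:9233"`; one form should be used across the three templates. The commented-out `EVENTHISTORY_STORE_TYPE` block leaves the store on the binary's built-in default, which the `# TODO` should state so operators know which store is in use.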
@@ -0,0 +1,20 @@ +{{- $_ := set . "appName" "eventhistory" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ .appName }} + namespace: {{ template "ocis.namespace" . }} + labels: + app: {{ .appName }} + ocis-metrics: enabled + {{- include "ocis.labels" . | nindent 4 }} +spec: + selector: + app: {{ .appName }} + ports: + - name: grpc + port: 8080 + protocol: TCP + # - name: metrics-debug + # port: 8081 + # protocol: TCP diff --git a/charts/ocis/templates/graph/deployment.yaml b/charts/ocis/templates/graph/deployment.yaml index 19f03c20c..c3c333c9b 100644 --- a/charts/ocis/templates/graph/deployment.yaml +++ b/charts/ocis/templates/graph/deployment.yaml @@ -157,6 +157,11 @@ spec: {{- end }} {{- end }} + - name: GRAPH_APPLICATION_ID + valueFrom: + configMapKeyRef: + name: {{ .Values.configRefs.graphConfigRef }} + key: application-id - name: GRAPH_JWT_SECRET valueFrom: diff --git a/charts/ocis/templates/idp/service.yaml b/charts/ocis/templates/idp/service.yaml index 29789a0d0..2325401f2 100644 --- a/charts/ocis/templates/idp/service.yaml +++ b/charts/ocis/templates/idp/service.yaml @@ -19,5 +19,4 @@ spec: - name: metrics-debug port: 9134 protocol: TCP - {{- end }} diff --git a/charts/ocis/templates/postprocessing/deployment.yaml b/charts/ocis/templates/postprocessing/deployment.yaml new file mode 100644 index 000000000..1e1d2fd3e --- /dev/null +++ b/charts/ocis/templates/postprocessing/deployment.yaml 
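Review bot: The new eventhistory Service carries the label `ocis-metrics: enabled` while its only port is `grpc` on 8080 and the `metrics-debug` port is commented out, so anything that selects on that label to scrape metrics will find no metrics port on this Service. Either leave the label off until the debug port is re-enabled (the Deployment's TODO references issue #111) or add the label together with the port. The userlog Service in this patch has the same label/port mismatch.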
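Review bot: `GRAPH_APPLICATION_ID` is now read from a ConfigMap named by `configRefs.graphConfigRef` (default `graph`) with key `application-id`, but the patch neither adds a template that renders that ConfigMap nor documents the required key beyond "Reference to an existing graph config", so unless such a template already exists elsewhere in the chart a default install leaves the graph pod unable to start until the operator creates it by hand. If the ConfigMap is meant to be operator-provided, the values documentation should name the `application-id` key; if it is optional for now, `optional: true` on the `configMapKeyRef` would keep the pod starting without it. The enclosing env list continues outside the hunk.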
@@ -0,0 +1,111 @@ +{{- $_ := set . "appName" "postprocessing" -}} +{{- $_ := set . "resources" (default (default (dict) .Values.resources) .Values.services.postprocessing.resources) -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .appName }} + namespace: {{ template "ocis.namespace" . }} + labels: + {{- include "ocis.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app: {{ .appName }} + replicas: 1 + template: + metadata: + labels: + app: {{ .appName }} + {{- include "ocis.labels" . | nindent 8 }} + spec: + securityContext: + fsGroup: {{ .Values.securityContext.fsGroup }} + fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- tpl . $ | nindent 8 }} + {{- end }} + containers: + - name: {{ .appName }} + image: {{ template "ocis.image" $ }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ["ocis"] + args: ["postprocessing", "server"] + securityContext: + runAsNonRoot: true + runAsUser: {{ .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup }} + readOnlyRootFilesystem: true + env: + - name: MICRO_REGISTRY + value: kubernetes + + - name: POSTPROCESSING_LOG_COLOR + value: {{ .Values.logging.color | quote }} + - name: POSTPROCESSING_LOG_LEVEL + value: {{ .Values.logging.level | quote }} + - name: POSTPROCESSING_LOG_PRETTY + value: {{ .Values.logging.pretty | quote }} + + # - name: POSTPROCESSING_DEBUG_PPROF + # value: {{ .Values.debug.profiling | quote }} + + # - name: POSTPROCESSING_DEBUG_ADDR + # value: 0.0.0.0:TODO + + - name: POSTPROCESSING_VIRUSSCAN + value: "false" # TODO: configurable when antivirus service is added + + - name: POSTPROCESSING_EVENTS_ENDPOINT + {{- if not .Values.messagingSystem.external.enabled }} + value: nats:9233 + {{- else }} + value: {{ .Values.messagingSystem.external.endpoint | quote }} + - name: POSTPROCESSING_EVENTS_CLUSTER + value: {{ 
.Values.messagingSystem.external.cluster | quote }} + - name: POSTPROCESSING_EVENTS_ENABLE_TLS + value: {{ .Values.messagingSystem.external.tls.enabled | quote }} + - name: POSTPROCESSING_EVENTS_TLS_INSECURE + value: {{ .Values.messagingSystem.external.tls.insecure | quote }} + - name: POSTPROCESSING_EVENTS_TLS_ROOT_CA_CERTIFICATE + {{- if not .Values.messagingSystem.external.tls.certTrusted }} + value: /etc/ocis/messaging-system-ca/messaging-system-ca.crt + {{- else }} + value: "" # no cert needed + {{- end }} + {{- end }} + + # TODO: This service does not currently provide a debug port, re-enable this once that is implemented + # See: https://github.com/owncloud/ocis-charts/issues/111 + # livenessProbe: + # httpGet: + # path: /healthz + # port: metrics-debug + # timeoutSeconds: 10 + # initialDelaySeconds: 60 + # periodSeconds: 20 + # failureThreshold: 3 + + resources: {{ toYaml .resources | nindent 12 }} + # TODO: This service does not currently provide a debug port, re-enable this once that is implemented + # ports: + # - name: metrics-debug + # containerPort: TODO + + volumeMounts: + - name: ocis-config-tmp + mountPath: /etc/ocis # we mount that volume only to apply fsGroup to that path + - name: messaging-system-ca + mountPath: /etc/ocis/messaging-system-ca + readOnly: true + + volumes: + - name: ocis-config-tmp + emptyDir: {} + - name: messaging-system-ca + {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }} + secret: + secretName: {{ .Values.secretRefs.messagingSystemCaRef }} + {{ else }} + emptyDir: {} + {{ end }} diff --git a/charts/ocis/templates/proxy/config.yaml b/charts/ocis/templates/proxy/config.yaml index 15e2397dd..94db33f37 100644 --- a/charts/ocis/templates/proxy/config.yaml +++ b/charts/ocis/templates/proxy/config.yaml 
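Review bot: The `volumes` block of the new postprocessing Deployment uses `{{ if and ... }}`, `{{ else }}` and `{{ end }}` without whitespace trimming, while every other conditional in the same file uses the `{{- if` / `{{- else }}` / `{{- end }}` form, so the rendered manifest carries stray indented blank lines around the `messaging-system-ca` volume. Switching the three actions to the trimmed form keeps the output clean and matches the env section; the eventhistory and userlog templates in this patch have the identical block. Worth noting in the `# TODO` above the commented `ports` that, until a debug port exists, this Deployment has no probe at all and a wedged process is only visible through the event backlog.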
@@ -17,9 +17,14 @@ data: - endpoint: / backend: http://web:9100 unprotected: true - - endpoint: /.well-known/ + - endpoint: /.well-known/webfinger + backend: http://webfinger:8080 + unprotected: true + - endpoint: /.well-known/openid-configuration backend: http://idp:9130 unprotected: true + - endpoint: /branding/logo + backend: http://web:9100 - endpoint: /konnect/ backend: http://idp:9130 unprotected: true @@ -28,6 +33,8 @@ data: unprotected: true - endpoint: /archiver backend: http://frontend:9140 + - endpoint: /ocs/v2.php/apps/notifications/api/v1/notifications + backend: http://userlog:8080 - type: regex endpoint: /ocs/v[12].php/cloud/user/signing-key backend: http://ocs:9110 @@ -46,6 +53,9 @@ data: - method: REPORT endpoint: /remote.php/webdav backend: http://webdav:9115 + - method: REPORT + endpoint: /dav/spaces + backend: http://webdav:9115 - type: query endpoint: /dav/?preview=1 backend: http://webdav:9115 @@ -53,21 +63,21 @@ data: endpoint: /webdav/?preview=1 backend: http://webdav:9115 - endpoint: /remote.php/ - service: com.owncloud.web.ocdav + backend: http://ocdav:8080 - endpoint: /dav/ - service: com.owncloud.web.ocdav + backend: http://ocdav:8080 - endpoint: /webdav/ - service: com.owncloud.web.ocdav + backend: http://ocdav:8080 - endpoint: /status - service: com.owncloud.web.ocdav + backend: http://ocdav:8080 unprotected: true - endpoint: /status.php - service: com.owncloud.web.ocdav + backend: http://ocdav:8080 unprotected: true - endpoint: /index.php/ - service: com.owncloud.web.ocdav + backend: http://ocdav:8080 - endpoint: /apps/ - service: com.owncloud.web.ocdav + backend: http://ocdav:8080 - endpoint: /data backend: http://frontend:9140 unprotected: true @@ -80,6 +90,3 @@ data: backend: http://graph:9120 - endpoint: /api/v0/settings backend: http://settings:9190 - - endpoint: /settings.js - backend: http://settings:9190 - unprotected: true 
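Review bot: `/branding/logo` is added as a route to `http://web:9100` without `unprotected: true`, whereas the neighbouring `/` route to the same backend is unprotected; if the logo is fetched by the unauthenticated login page, the proxy will now require authentication for that request instead of serving the image, so confirm the intended behaviour and add `unprotected: true` if it should be public. The replacement of the old `/.well-known/` route by `/.well-known/webfinger` and `/.well-known/openid-configuration` also means any other `/.well-known/*` path no longer reaches idp and falls through to the catch-all `/` route to web, which is fine if those were the only two paths served but deserves a sentence in the PR description.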
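Review bot: The seven ocdav routes switch from registry lookup (`service: com.owncloud.web.ocdav`) to the fixed backend `http://ocdav:8080`, so the proxy now depends on a Service named `ocdav` exposing port 8080; nothing in this patch touches an ocdav Service, so verify that the existing one listens on 8080 rather than one of the 91xx ports the other backends in this file use, otherwise `/remote.php/`, `/dav/`, `/webdav/`, `/status` and the other entries break at runtime. A short comment above the first ocdav entry explaining why these use a hard-coded backend would help the next maintainer, e.g. `# ocdav is addressed by Service name since 3.0.0; keep in sync with templates/ocdav/service.yaml` if that is indeed the file.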
diff --git a/charts/ocis/templates/userlog/deployment.yaml b/charts/ocis/templates/userlog/deployment.yaml new file mode 100644 index 000000000..577cf1154 --- /dev/null +++ b/charts/ocis/templates/userlog/deployment.yaml 
@@ -0,0 +1,133 @@ +{{- $_ := set . "appName" "userlog" -}} +{{- $_ := set . "resources" (default (default (dict) .Values.resources) .Values.services.userlog.resources) -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .appName }} + namespace: {{ template "ocis.namespace" . }} + labels: + {{- include "ocis.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app: {{ .appName }} + replicas: 1 + template: + metadata: + labels: + app: {{ .appName }} + {{- include "ocis.labels" . | nindent 8 }} + spec: + securityContext: + fsGroup: {{ .Values.securityContext.fsGroup }} + fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- tpl . $ | nindent 8 }} + {{- end }} + containers: + - name: {{ .appName }} + image: {{ template "ocis.image" $ }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ["ocis"] + args: ["userlog", "server"] + securityContext: + runAsNonRoot: true + runAsUser: {{ .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup }} + readOnlyRootFilesystem: true + env: + - name: MICRO_REGISTRY + value: kubernetes + + - name: USERLOG_LOG_COLOR + value: {{ .Values.logging.color | quote }} + - name: USERLOG_LOG_LEVEL + value: {{ .Values.logging.level | quote }} + - name: USERLOG_LOG_PRETTY + value: {{ .Values.logging.pretty | quote }} + + # - name: USERLOG_DEBUG_PPROF + # value: {{ .Values.debug.profiling | quote }} + + - name: USERLOG_HTTP_ADDR + value: 0.0.0.0:8080 + # - name: USERLOG_DEBUG_ADDR + # value: 0.0.0.0:8081 + + - name: USERLOG_STORE_TYPE + value: "mem" # TODO + # - name: USERLOG_STORE_ADDRESSES + # value: "nats:9233" # TODO + + - name: USERLOG_EVENTS_ENDPOINT + {{- if not .Values.messagingSystem.external.enabled }} + value: "nats:9233" + {{- else }} + value: {{ .Values.messagingSystem.external.endpoint | quote }} + - name: USERLOG_EVENTS_CLUSTER + value: {{ 
.Values.messagingSystem.external.cluster | quote }} + - name: USERLOG_EVENTS_ENABLE_TLS + value: {{ .Values.messagingSystem.external.tls.enabled | quote }} + - name: USERLOG_EVENTS_TLS_INSECURE + value: {{ .Values.messagingSystem.external.tls.insecure | quote }} + - name: USERLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE + {{- if not .Values.messagingSystem.external.tls.certTrusted }} + value: /etc/ocis/messaging-system-ca/messaging-system-ca.crt + {{- else }} + value: "" # no cert needed + {{- end }} + {{- end }} + + - name: REVA_GATEWAY + value: gateway:9142 + + - name: USERLOG_MACHINE_AUTH_API_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }} + key: machine-auth-api-key + + - name: USERLOG_JWT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.secretRefs.jwtSecretRef }} + key: jwt-secret + + # TODO: This service does not currently provide a debug port, re-enable this once that is implemented + # See: https://github.com/owncloud/ocis-charts/issues/111 + # livenessProbe: + # httpGet: + # path: /healthz + # port: metrics-debug + # timeoutSeconds: 10 + # initialDelaySeconds: 60 + # periodSeconds: 20 + # failureThreshold: 3 + + resources: {{ toYaml .resources | nindent 12 }} + + ports: + - name: http + containerPort: 8080 + # TODO: This service does not currently provide a debug port, re-enable this once that is implemented + # - name: metrics-debug + # containerPort: 8081 + + volumeMounts: + - name: ocis-config-tmp + mountPath: /etc/ocis # we mount that volume only to apply fsGroup to that path + - name: messaging-system-ca + mountPath: /etc/ocis/messaging-system-ca + readOnly: true + + volumes: + - name: ocis-config-tmp + emptyDir: {} + - name: messaging-system-ca + {{ if and (.Values.messagingSystem.external.enabled) (not .Values.messagingSystem.external.tls.certTrusted) }} + secret: + secretName: {{ .Values.secretRefs.messagingSystemCaRef }} + {{ else }} + emptyDir: {} + {{ end }} 
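Review bot: `USERLOG_STORE_TYPE` is pinned to `"mem"` with only a bare `# TODO`, so whatever the userlog service keeps in that store lives in the process memory of a single replica and is gone after every pod restart; the commented-out `USERLOG_STORE_ADDRESSES` pointing at `nats:9233` suggests a NATS-backed store was the intended target. The TODO should at least say that restarts drop the stored data and that the Deployment must stay at `replicas: 1` until a shared store is configured, e.g. `# TODO: in-memory store - data is lost on restart and not shared across replicas; switch to a NATS-backed store before scaling`. Since this pod also receives both `USERLOG_MACHINE_AUTH_API_KEY` and `USERLOG_JWT_SECRET`, confirm it needs the machine auth key and not only the JWT secret, as every additional holder of that key widens its exposure.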
diff --git a/charts/ocis/templates/userlog/service.yaml b/charts/ocis/templates/userlog/service.yaml new file mode 100644 index 000000000..9f93ff581 --- /dev/null +++ b/charts/ocis/templates/userlog/service.yaml @@ -0,0 +1,20 @@ +{{- $_ := set . "appName" "userlog" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ .appName }} + namespace: {{ template "ocis.namespace" . }} + labels: + app: {{ .appName }} + ocis-metrics: enabled + {{- include "ocis.labels" . | nindent 4 }} +spec: + selector: + app: {{ .appName }} + ports: + - name: http + port: 8080 + protocol: TCP + # - name: metrics-debug + # port: 8081 + # protocol: TCP diff --git a/charts/ocis/templates/web/deployment.yaml b/charts/ocis/templates/web/deployment.yaml index 073855903..2d894f1b8 100644 --- a/charts/ocis/templates/web/deployment.yaml +++ b/charts/ocis/templates/web/deployment.yaml @@ -83,6 +83,15 @@ spec: - name: WEB_UI_CONFIG_SERVER value: "https://{{ .Values.externalDomain }}" + - name: REVA_GATEWAY + value: gateway:9142 + + - name: WEB_JWT_SECRET + valueFrom: + secretKeyRef: + name: {{ .Values.secretRefs.jwtSecretRef }} + key: jwt-secret + livenessProbe: httpGet: path: /healthz diff --git a/charts/ocis/templates/webfinger/deployment.yaml b/charts/ocis/templates/webfinger/deployment.yaml new file mode 100644 index 000000000..a8ad9bafc --- /dev/null +++ b/charts/ocis/templates/webfinger/deployment.yaml 
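Review bot: `WEB_JWT_SECRET` injects the chart-wide JWT secret (`secretRefs.jwtSecretRef`, the same secret the graph and userlog pods read) into the web pod, which in the context visible here previously received only the `WEB_UI_CONFIG_SERVER` URL; if the 3.0.0-alpha.1 web service needs it only for a specific feature, a comment above the entry naming that feature would let operators judge the added exposure, e.g. `# needed by the web service since oCIS 3.0 - confirm which endpoint uses it`. The hard-coded `REVA_GATEWAY` value `gateway:9142` mirrors the userlog template and is fine as long as the gateway Service name and port are not configurable elsewhere in the chart. The enclosing env list starts outside the hunk.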
@@ -0,0 +1,83 @@ +{{- $_ := set . "appName" "webfinger" -}} +{{- $_ := set . "resources" (default (default (dict) .Values.resources) .Values.services.webfinger.resources) -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .appName }} + namespace: {{ template "ocis.namespace" . }} + labels: + {{- include "ocis.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app: {{ .appName }} + replicas: 1 + template: + metadata: + labels: + app: {{ .appName }} + {{- include "ocis.labels" . | nindent 8 }} + spec: + securityContext: + fsGroup: {{ .Values.securityContext.fsGroup }} + fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- tpl . $ | nindent 8 }} + {{- end }} + containers: + - name: {{ .appName }} + image: {{ template "ocis.image" $ }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ["ocis"] + args: ["webfinger", "server"] + securityContext: + runAsNonRoot: true + runAsUser: {{ .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup }} + readOnlyRootFilesystem: true + env: + - name: MICRO_REGISTRY + value: kubernetes + + - name: WEBFINGER_LOG_COLOR + value: {{ .Values.logging.color | quote }} + - name: WEBFINGER_LOG_LEVEL + value: {{ .Values.logging.level | quote }} + - name: WEBFINGER_LOG_PRETTY + value: {{ .Values.logging.pretty | quote }} + + - name: WEBFINGER_DEBUG_PPROF + value: {{ .Values.debug.profiling | quote }} + + - name: WEBFINGER_HTTP_ADDR + value: 0.0.0.0:8080 + - name: WEBFINGER_DEBUG_ADDR + value: 0.0.0.0:8081 + + - name: WEBFINGER_OIDC_ISSUER + {{- if not .Values.features.externalUserManagement.enabled }} + value: "https://{{ .Values.externalDomain }}" + {{- else }} + value: {{ .Values.features.externalUserManagement.oidc.issuerURI | quote }} + {{- end }} + + - name: WEBFINGER_OWNCLOUD_SERVER_INSTANCE_URL + value: "https://{{ .Values.externalDomain }}" + + livenessProbe: + httpGet: + 
path: /healthz + port: metrics-debug + timeoutSeconds: 10 + initialDelaySeconds: 60 + periodSeconds: 20 + failureThreshold: 3 + + resources: {{ toYaml .resources | nindent 12 }} + + ports: + - name: http + containerPort: 8080 + - name: metrics-debug + containerPort: 8081 diff --git a/charts/ocis/templates/webfinger/service.yaml b/charts/ocis/templates/webfinger/service.yaml new file mode 100644 index 000000000..c9cdac632 --- /dev/null +++ b/charts/ocis/templates/webfinger/service.yaml @@ -0,0 +1,20 @@ +{{- $_ := set . "appName" "webfinger" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ .appName }} + namespace: {{ template "ocis.namespace" . }} + labels: + app: {{ .appName }} + ocis-metrics: enabled + {{- include "ocis.labels" . | nindent 4 }} +spec: + selector: + app: {{ .appName }} + ports: + - name: http + port: 8080 + protocol: TCP + - name: metrics-debug + port: 8081 + protocol: TCP diff --git a/charts/ocis/values.yaml b/charts/ocis/values.yaml index ca22ba85b..e9291420f 100644 --- a/charts/ocis/values.yaml +++ b/charts/ocis/values.yaml @@ -253,6 +253,9 @@ ingress: configRefs: # -- Reference to an existing storage-users config. storageUsersConfigRef: "storage-users" + # -- Reference to an existing graph config. + graphConfigRef: "graph" + # References to secrets. # The secrets need to be manually created. @@ -418,6 +421,12 @@ services: # -- Per-service resources configuration. Overrides the default setting from `resources` if set. resources: {} + # -- EVENT HISTORY service. + # @default -- see detailed service configuration options below + eventhistory: + # -- Per-service resources configuration. Overrides the default setting from `resources` if set. + resources: {} + # -- FRONTEND service. # @default -- see detailed service configuration options below frontend: 
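Review bot: The webfinger Deployment sets pod-level `fsGroup` and `fsGroupChangePolicy` but declares no `volumes` or `volumeMounts`, so the two fields have no effect here; the sibling eventhistory, postprocessing and userlog templates mount `ocis-config-tmp` at `/etc/ocis` precisely so that `fsGroup` applies to a writable path under `readOnlyRootFilesystem: true`. Either drop the two fields from this template or add the same `ocis-config-tmp` `emptyDir` mount, depending on whether the webfinger binary writes under `/etc/ocis`, which the hunk does not show. `WEBFINGER_DEBUG_PPROF` is driven by `.Values.debug.profiling` and the debug port 8081 is published by the webfinger Service, so profiling data is reachable from any in-cluster client whenever that value is on; this matches the other services but is new here and worth a comment next to the port.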
@@ -533,6 +542,12 @@ services: # -- Per-service resources configuration. Overrides the default setting from `resources` if set. resources: {} + # -- POSTPROCESSING service. + # @default -- see detailed service configuration options below + postprocessing: + # -- Per-service resources configuration. Overrides the default setting from `resources` if set. + resources: {} + # -- PROXY service. # @default -- see detailed service configuration options below proxy: @@ -771,10 +786,16 @@ services: # -- Per-service resources configuration. Overrides the default setting from `resources` if set. resources: {} + # -- USERLOG service. + # @default -- see detailed service configuration options below + userlog: + # -- Per-service resources configuration. Overrides the default setting from `resources` if set. + resources: {} + # -- USERS service. # @default -- see detailed service configuration options below users: - # -- Per-service resources configuration. Overrides the default setting from `resources` if set. + # -- Per-service resources configuration. Overrides the default setting from `resources` if set. resources: {} # -- ownCloud WEB service. @@ -827,3 +848,9 @@ services: webdav: # -- Per-service resources configuration. Overrides the default setting from `resources` if set. resources: {} + + # -- WEBFINGER service. + # @default -- see detailed service configuration options below + webfinger: + # -- Per-service resources configuration. Overrides the default setting from `resources` if set. + resources: {} From e9cad22ddd32d8ce3c71619339bbd7338bd5dad0 Mon Sep 17 00:00:00 2001 From: Willy Kloucek Date: Wed, 8 Mar 2023 15:54:19 +0100 Subject: [PATCH 2/2] replace POSTPROCESSING_VIRUSSCAN by POSTPROCESSING_STEPS --- charts/ocis/templates/postprocessing/deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/ocis/templates/postprocessing/deployment.yaml b/charts/ocis/templates/postprocessing/deployment.yaml index 1e1d2fd3e..b3b736072 100644 
--- a/charts/ocis/templates/postprocessing/deployment.yaml +++ b/charts/ocis/templates/postprocessing/deployment.yaml @@ -53,8 +53,8 @@ spec: # - name: POSTPROCESSING_DEBUG_ADDR # value: 0.0.0.0:TODO - - name: POSTPROCESSING_VIRUSSCAN - value: "false" # TODO: configurable when antivirus service is added + - name: POSTPROCESSING_STEPS + value: "" # TODO: set to "virusscan" to when antivirus service is added and activated - name: POSTPROCESSING_EVENTS_ENDPOINT {{- if not .Values.messagingSystem.external.enabled }}
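Review bot: The inline comment on the new `POSTPROCESSING_STEPS` line reads `set to "virusscan" to when antivirus service is added`, which has a stray `to`; suggest `# TODO: set to "virusscan" once the antivirus service is added and activated`. The value itself is a hard-coded `""`, so operators cannot enable any step without editing the template; if a values key is planned, naming it in the TODO makes the follow-up obvious. The enclosing env list starts and ends outside the hunk.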