zammad: update nginx config

Nico Schottelius 2021-10-10 00:11:39 +09:00
parent 689346f1b8
commit 2044a9b802
2 changed files with 177 additions and 68 deletions


@ -12,18 +12,6 @@ server {
ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem; ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem;
# Increase timeouts -- mainly for initial setup
proxy_read_timeout 300;
proxy_send_timeout 300;
proxy_connect_timeout 300;
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
# set max upload size # set max upload size
client_max_body_size 512M; client_max_body_size 512M;
@ -37,45 +25,40 @@ server {
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
root /opt/zammad/public;
location = /robots.txt { location = /robots.txt {
allow all; allow all;
log_not_found off; log_not_found off;
access_log off; access_log off;
} }
# Make a regex exception for `/.well-known` so that clients can still location /ws {
# access it despite the existence of the regex rule proxy_http_version 1.1;
# `location ~ /(\.|autotest|...)` which would otherwise handle requests proxy_set_header Upgrade $http_upgrade;
# for `/.well-known`. proxy_set_header Connection "Upgrade";
# location ^~ /.well-known { proxy_set_header CLIENT_IP $remote_addr;
# # The rules in this block are an adaptation of the rules proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# # in `.htaccess` that concern `/.well-known`. proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 86400;
proxy_pass http://localhost:6042;
}
# location = /.well-known/carddav { return 301 /remote.php/dav/; }
# location = /.well-known/caldav { return 301 /remote.php/dav/; }
# location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
# location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# # Let Nextcloud's API for `/.well-known` URIs handle all other
# # requests by passing them to the front-end controller.
# return 301 /index.php$request_uri;
# }
location / { location / {
#try_files $uri $uri/ /index.php$request_uri; proxy_set_header Host $http_host;
proxy_set_header CLIENT_IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8080; # Change this line in an SSO setup
proxy_set_header X-Forwarded-User "";
# Forward original host name to be seen in unicorn proxy_read_timeout 300;
proxy_set_header Host $host; proxy_pass http://localhost:3000;
# Server name and address like being available in PHP
proxy_set_header SERVER_NAME $server_name;
proxy_set_header SERVER_ADDR $server_addr;
# Forward client ip address to rack/rails so logging
proxy_set_header X-Forwarded-For $remote_addr;
gzip on;
gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
gzip_proxied any;
} }
} }
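Review bot: Both `location /ws` and `location /` set `X-Forwarded-For` from `$proxy_add_x_forwarded_for`, which keeps whatever value the client sent and only appends the peer address, whereas the line it appears to replace used `$remote_addr`. This server block terminates TLS itself, so if no trusted proxy sits in front of it, the upstream receives a client-chosen leftmost address, which can skew IP-based logging or throttling in the application. In that case `proxy_set_header X-Forwarded-For $remote_addr;` is the safer form in both blocks. Likewise `Host $http_host` in `location /` forwards the raw request header where the old line used the normalised `$host`, and `location /ws` sets no `Host` header, so nginx sends its default there. The old/new side of each line is inferred from the paired rendering, so this should be confirmed against the file.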


@ -31,6 +31,56 @@ spec:
persistentVolumeClaim: persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-postgres-data claimName: {{ tpl .Values.identifier . }}-postgres-data
--- ---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-elasticsearch
spec:
selector:
matchLabels:
app: {{ .Release.Name }}-elasticsearch
replicas: 1
template:
metadata:
labels:
app: {{ .Release.Name }}-elasticsearch
spec:
containers:
- name: elasticsearch
image: zammad/zammad-docker-compose:zammad-elasticsearch-{{ .Chart.AppVersion }}
env:
- name: discovery.type
value: "single-node"
# Required, because elasticsearch is using chroot()
securityContext:
capabilities:
add: ["SYS_CHROOT"]
#image: docker.elastic.co/elasticsearch/elasticsearch:7.15.0
# resources:
# requests:
# memory: "64Mi"
# cpu: "100m"
# limits:
# memory: "128Mi"
# cpu: "500m"
ports:
- containerPort: 9200
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-elasticsearch
labels:
app: {{ .Release.Name }}-elasticsearch
spec:
type: ClusterIP
ports:
- port: 9200
name: elasticsearch
selector:
app: {{ .Release.Name }}-elasticsearch
---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
@ -91,7 +141,7 @@ spec:
secretKeyRef: secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_USER key: POSTGRES_USER
- name: POSTGRESQL_PASSWORD - name: POSTGRESQL_PASS
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config name: {{ tpl .Values.identifier . }}-postgres-config
@ -101,13 +151,14 @@ spec:
secretKeyRef: secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_DB key: POSTGRES_DB
- name: ELASTICSEARCH_HOST
value: "{{ .Release.Name }}-elasticsearch"
volumeMounts: volumeMounts:
- name: zammad-data - name: zammad-data
mountPath: "/opt/zammad" mountPath: "/opt/zammad"
containers: containers:
- name: nginx - name: nginx
image: nginx:1.21-alpine image: nginx:1.21.3-alpine
ports: ports:
- containerPort: 443 - containerPort: 443
volumeMounts: volumeMounts:
@ -116,7 +167,7 @@ spec:
- name: etcletsencrypt - name: etcletsencrypt
mountPath: "/etc/letsencrypt" mountPath: "/etc/letsencrypt"
- name: zammad-data - name: zammad-data
mountPath: "/var/www/html" mountPath: "/opt/zammad"
# Is it ready to work? # Is it ready to work?
readinessProbe: readinessProbe:
tcpSocket: tcpSocket:
@ -140,26 +191,6 @@ spec:
cpu: "500m" cpu: "500m"
ports: ports:
- containerPort: 11211 - containerPort: 11211
- name: elasticsearch
image: zammad/zammad-docker-compose:zammad-elasticsearch-{{ .Chart.AppVersion }}
env:
- name: discovery.type
value: "single-node"
# Required, because elasticsearch is using chroot()
securityContext:
capabilities:
add: ["SYS_CHROOT"]
#image: docker.elastic.co/elasticsearch/elasticsearch:7.15.0
# resources:
# requests:
# memory: "64Mi"
# cpu: "100m"
# limits:
# memory: "128Mi"
# cpu: "500m"
ports:
- containerPort: 9200
- name: redis - name: redis
image: redis:6.2.6-alpine image: redis:6.2.6-alpine
# resources: # resources:
@ -171,8 +202,11 @@ spec:
# cpu: "500m" # cpu: "500m"
ports: ports:
- containerPort: 6379 - containerPort: 6379
- name: zammad - name: zammad-railsserver
image: zammad/zammad-docker-compose:zammad-{{ .Chart.AppVersion }} image: zammad/zammad-docker-compose:zammad-{{ .Chart.AppVersion }}
command:
- /docker-entrypoint.sh
- zammad-railsserver
# Wait for 10 minutes to get ready # Wait for 10 minutes to get ready
# startupProbe: # startupProbe:
# httpGet: # httpGet:
@ -194,7 +228,7 @@ spec:
# failureThreshold: 3 # failureThreshold: 3
# periodSeconds: 30 # periodSeconds: 30
ports: ports:
- containerPort: 8080 - containerPort: 3000
name: rails name: rails
env: env:
- name: POSTGRESQL_HOST - name: POSTGRESQL_HOST
@ -204,7 +238,7 @@ spec:
secretKeyRef: secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_USER key: POSTGRES_USER
- name: POSTGRESQL_PASSWORD - name: POSTGRESQL_PASS
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config name: {{ tpl .Values.identifier . }}-postgres-config
@ -219,7 +253,7 @@ spec:
- name: MEMCACHE_SERVERS - name: MEMCACHE_SERVERS
value: "localhost:11211" value: "localhost:11211"
- name: ELASTICSEARCH_HOST - name: ELASTICSEARCH_HOST
value: "localhost" value: "{{ .Release.Name }}-elasticsearch"
# - name: ZAMMAD_TRUSTED_DOMAINS # - name: ZAMMAD_TRUSTED_DOMAINS
# value: "{{ tpl .Values.fqdn . }}" # value: "{{ tpl .Values.fqdn . }}"
# - name: ZAMMAD_ADMIN_USER # - name: ZAMMAD_ADMIN_USER
@ -235,6 +269,98 @@ spec:
volumeMounts: volumeMounts:
- name: zammad-data - name: zammad-data
mountPath: "/opt/zammad" mountPath: "/opt/zammad"
- name: zammad-scheduler
image: zammad/zammad-docker-compose:zammad-{{ .Chart.AppVersion }}
command:
- /docker-entrypoint.sh
- zammad-scheduler
env:
- name: POSTGRESQL_HOST
value: {{ .Release.Name }}-postgres
- name: POSTGRESQL_USER
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_USER
- name: POSTGRESQL_PASS
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_PASSWORD
- name: POSTGRESQL_DB
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_DB
- name: REDIS_URL
value: "redis://localhost:6379"
- name: MEMCACHE_SERVERS
value: "localhost:11211"
- name: ELASTICSEARCH_HOST
value: "{{ .Release.Name }}-elasticsearch"
# - name: ZAMMAD_TRUSTED_DOMAINS
# value: "{{ tpl .Values.fqdn . }}"
# - name: ZAMMAD_ADMIN_USER
# valueFrom:
# secretKeyRef:
# name: {{ tpl .Values.identifier . }}-zammad
# key: USERNAME
# - name: ZAMMAD_ADMIN_PASSWORD
# valueFrom:
# secretKeyRef:
# name: {{ tpl .Values.identifier . }}-zammad
# key: PASSWORD
volumeMounts:
- name: zammad-data
mountPath: "/opt/zammad"
- name: zammad-websocket
image: zammad/zammad-docker-compose:zammad-{{ .Chart.AppVersion }}
command:
- sh
- -c
- "cd /opt/zammad && bundle exec script/websocket-server.rb -b :: -p 6042 start"
env:
- name: POSTGRESQL_HOST
value: {{ .Release.Name }}-postgres
- name: POSTGRESQL_USER
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_USER
- name: POSTGRESQL_PASS
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_PASSWORD
- name: POSTGRESQL_DB
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_DB
- name: REDIS_URL
value: "redis://localhost:6379"
- name: MEMCACHE_SERVERS
value: "localhost:11211"
- name: ELASTICSEARCH_HOST
value: "{{ .Release.Name }}-elasticsearch"
# - name: ZAMMAD_TRUSTED_DOMAINS
# value: "{{ tpl .Values.fqdn . }}"
# - name: ZAMMAD_ADMIN_USER
# valueFrom:
# secretKeyRef:
# name: {{ tpl .Values.identifier . }}-zammad
# key: USERNAME
# - name: ZAMMAD_ADMIN_PASSWORD
# valueFrom:
# secretKeyRef:
# name: {{ tpl .Values.identifier . }}-zammad
# key: PASSWORD
volumeMounts:
- name: zammad-data
mountPath: "/opt/zammad"
ports:
- containerPort: 6042
name: websocket
volumes: volumes:
- name: etcletsencrypt - name: etcletsencrypt
persistentVolumeClaim: persistentVolumeClaim:
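Review bot: The new Elasticsearch Deployment and its ClusterIP Service (first hunk of this file) make port 9200 reachable by service name from the rest of the cluster, and nothing in the visible lines sets credentials or TLS for it: the only env entry is `discovery.type`, and the Zammad containers receive just `ELASTICSEARCH_HOST`. If the image runs with its security features off and the namespace has no default-deny policy, any workload that can reach the Service could read or change the ticket index. A NetworkPolicy that admits ingress on 9200 only from the Zammad pod would close that, and the container's `securityContext` could add `allowPrivilegeEscalation: false` next to the `SYS_CHROOT` capability. Separately, the Deployment mounts no volume, so the index appears to be lost on every pod restart.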