ungleich-public
/
ungleich-k8s
6
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

++zammad updates

This commit is contained in:
Nico Schottelius 2021-10-09 21:34:16 +09:00
parent d9a51eae57
commit ad6695f9eb
4 changed files with 141 additions and 155 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
apps/zammad/README.md
View File

@ -1,15 +0,0 @@
## Missing
- SMTP settings / secrets (ungleich mail + sops?)
- Exposing sizes in value.yaml (db, gitea)
- Maybe reducing to 1 PVC?
## Problems
* nginx and fpm need to share filesystem/data
* might be able to workaround with copying (a bit ugly)
* Sharing via cephfs is non-optimal
* Maybe separate data volume?
* Separating apps & data
* apache stays listening on port 80
* Trusted domain not set yet

119
apps/zammad/nginx/default.conf
View File

@ -37,44 +37,6 @@ server {
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root /var/www/html;
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
@ -85,66 +47,35 @@ server {
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
# location ^~ /.well-known {
# # The rules in this block are an adaptation of the rules
# # in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
# location = /.well-known/carddav { return 301 /remote.php/dav/; }
# location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
# location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|svg|gif|png|jpg|ico)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
# # Let Nextcloud's API for `/.well-known` URIs handle all other
# # requests by passing them to the front-end controller.
# return 301 /index.php$request_uri;
# }
location / {
try_files $uri $uri/ /index.php$request_uri;
#try_files $uri $uri/ /index.php$request_uri;
proxy_pass http://localhost:8080;
# Forward original host name to be seen in unicorn
proxy_set_header Host $host;
# Server name and address like being available in PHP
proxy_set_header SERVER_NAME $server_name;
proxy_set_header SERVER_ADDR $server_addr;
# Forward client ip address to rack/rails so logging
proxy_set_header X-Forwarded-For $remote_addr;
}
}

130
apps/zammad/templates/deployment.yaml
View File

@ -48,16 +48,16 @@ spec:
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-nextcloud
name: {{ .Release.Name }}-zammad
spec:
selector:
matchLabels:
app: {{ .Release.Name }}-nextcloud
app: {{ .Release.Name }}-zammad
replicas: 1
template:
metadata:
labels:
app: {{ .Release.Name }}-nextcloud
app: {{ .Release.Name }}-zammad
spec:
initContainers:
- name: wait-for-cert
@ -79,7 +79,7 @@ spec:
mountPath: "/etc/nginx/conf.d/"
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
- name: nextcloud-data
- name: zammad-data
mountPath: "/var/www/html"
# Is it ready to work?
readinessProbe:
@ -93,49 +93,83 @@ spec:
port: 443
initialDelaySeconds: 15
periodSeconds: 20
- name: nextcloud
image: nextcloud:{{ .Chart.AppVersion }}-fpm-alpine
# Wait for 10 minutes to get ready
startupProbe:
httpGet:
path: /ocs/v2.php/apps/serverinfo/api/v1/info
port: fpm
failureThreshold: 20
periodSeconds: 30
# Dead if failing for 1 minute
livenessProbe:
httpGet:
path: /ocs/v2.php/apps/serverinfo/api/v1/info
port: fpm
failureThreshold: 6
periodSeconds: 10
readinessProbe:
httpGet:
path: /ocs/v2.php/apps/serverinfo/api/v1/info
port: fpm
failureThreshold: 3
periodSeconds: 30
- name: memcached
image: memcached:1.6.12-alpine
resources:
requests:
memory: "64Mi"
cpu: "100m"
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 9000
name: fpm
- containerPort: 11211
- name: elasticsearch
image: zammad/zammad-docker-docker-compose:zammad-elasticsearch-{{ .Chart.AppVersion }}
#image: docker.elastic.co/elasticsearch/elasticsearch:7.15.0
# resources:
# requests:
# memory: "64Mi"
# cpu: "100m"
# limits:
# memory: "128Mi"
# cpu: "500m"
ports:
- containerPort: 9200
- name: redis
image: redis:6.2.6-alpine
# resources:
# requests:
# memory: "64Mi"
# cpu: "100m"
# limits:
# memory: "128Mi"
# cpu: "500m"
ports:
- containerPort: 6379
- name: zammad
image: zammad/zammad-docker-docker-compose:zammad-{{ .Chart.AppVersion }}
# Wait for 10 minutes to get ready
# startupProbe:
# httpGet:
# path: /ocs/v2.php/apps/serverinfo/api/v1/info
# port: fpm
# failureThreshold: 20
# periodSeconds: 30
# Dead if failing for 1 minute
# livenessProbe:
# httpGet:
# path: /ocs/v2.php/apps/serverinfo/api/v1/info
# port: fpm
# failureThreshold: 6
# periodSeconds: 10
# readinessProbe:
# httpGet:
# path: /ocs/v2.php/apps/serverinfo/api/v1/info
# port: fpm
# failureThreshold: 3
# periodSeconds: 30
ports:
- containerPort: 8080
name: rails
env:
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_DB
- name: NEXTCLOUD_TRUSTED_DOMAINS
- name: ZAMMAD_TRUSTED_DOMAINS
value: "{{ tpl .Values.fqdn . }}"
- name: NEXTCLOUD_ADMIN_USER
- name: ZAMMAD_ADMIN_USER
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-nextcloud
name: {{ tpl .Values.identifier . }}-zammad
key: USERNAME
- name: NEXTCLOUD_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-nextcloud
key: PASSWORD
# - name: ZAMMAD_ADMIN_PASSWORD
# valueFrom:
# secretKeyRef:
# name: {{ tpl .Values.identifier . }}-zammad
# key: PASSWORD
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
@ -148,14 +182,18 @@ spec:
key: POSTGRES_PASSWORD
- name: POSTGRES_HOST
value: {{ .Release.Name }}-postgres
- name: REDIS_URL
value: "redis://localhost:6379"
- name: MEMCACHE_SERVERS
value: "localhost:11211"
volumeMounts:
- name: nextcloud-data
mountPath: "/var/www/html"
- name: zammad-data
mountPath: "/opt/zammad"
volumes:
- name: etcletsencrypt
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
- name: nextcloud-data
- name: zammad-data
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-data
- name: postgres-data
@ -180,7 +218,7 @@ spec:
- port: 443
name: https
selector:
app: {{ .Release.Name }}-nextcloud
app: {{ .Release.Name }}-zammad
---
apiVersion: v1
kind: PersistentVolumeClaim
@ -200,11 +238,11 @@ metadata:
name: {{ tpl .Values.identifier . }}-data
spec:
accessModes:
- ReadWriteMany
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.datasizeingb }}Gi
storageClassName: rook-cephfs
storageClassName: rook-ceph-block
---
apiVersion: v1
kind: PersistentVolumeClaim
@ -226,7 +264,7 @@ spec:
template:
metadata:
labels:
app: {{ .Release.Name }}-nextcloud
app: {{ .Release.Name }}-zammad
spec:
restartPolicy: Never
containers:
@ -269,13 +307,13 @@ metadata:
secret-generator.v1.mittwald.de/autogenerate: POSTGRES_PASSWORD
stringData:
POSTGRES_USER: "postgres"
POSTGRES_DB: "nextcloud"
POSTGRES_DB: "zammad"
---
apiVersion: v1
kind: Secret
metadata:
name: {{ tpl .Values.identifier . }}-nextcloud
name: {{ tpl .Values.identifier . }}-zammad
annotations:
secret-generator.v1.mittwald.de/autogenerate: PASSWORD
stringData:
USERNAME: "nextcloud"
USERNAME: "zammad"

32
apps/zammad/test.yaml Normal file
View File

@ -0,0 +1,32 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-postgres
spec:
selector:
matchLabels:
app: {{ .Release.Name }}-postgres
replicas: 1
template:
metadata:
labels:
app: {{ .Release.Name }}-postgres
spec:
containers:
- name: postgres
image: postgres:13
ports:
- containerPort: 5432
envFrom:
- secretRef:
name: {{ tpl .Values.identifier . }}-postgres-config
volumeMounts:
- name: postgres-data
mountPath: "/var/lib/postgresql/data"
subPath: postgres
volumes:
- name: postgres-data
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-postgres-data