diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000000000000000000000000000000000000..701ed90f67f4a5b07ec00ca57d3a6d7cbbc0e8b3 --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,11 @@ +include: + - remote: https://open.greenhost.net/stackspin/stackspin/-/raw/main/.gitlab/ci_templates/helm_package.yml + - template: 'Workflows/MergeRequest-Pipelines.gitlab-ci.yml' + +stages: + - lint-helm-chart + - package-helm-chart + - release-helm-chart + +variables: + CHART_NAME: nextcloud-onlyoffice diff --git a/.gitlab/merge_request_templates/DEFAULT.md b/.gitlab/merge_request_templates/DEFAULT.md index 598e6cb7921492f3f8075b4cd9e6e473c7c01ba1..317b21313fe651a0e7a40cc30fc800f55be64748 100644 --- a/.gitlab/merge_request_templates/DEFAULT.md +++ b/.gitlab/merge_request_templates/DEFAULT.md @@ -2,6 +2,6 @@ Thank you for making a Merge Request. Before you merge this, please make sure that you: - [ ] Updated chart version number -- [ ] Manually tested chart changes with the openappstack bootstrap script -- [ ] Created an MR in openappstack/openappstack that applies the changes from this MR -- [ ] Tests in that MR in openappstack/openappstack succeed +- [ ] Manually tested chart changes with the stackspin bootstrap script +- [ ] Created an MR in stackspin/stackspin that applies the changes from this MR +- [ ] Tests in that MR in stackspin/stackspin succeed diff --git a/CHANGELOG.md b/CHANGELOG.md index 86126abee3020346ac986d1dc497a3a930e5de32..ac9adb60bdb858d9dd6fd4e15af074bc69408394 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
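Review bot: The `remote:` include on the second added line fetches `helm_package.yml` from the `main` branch of stackspin/stackspin, so every pipeline run executes whatever that mutable ref holds at the time, and a change there silently alters this chart's lint/package/release stages. Pin the template to an immutable ref, e.g. `- remote: https://open.greenhost.net/stackspin/stackspin/-/raw/<TAG-OR-COMMIT-SHA>/.gitlab/ci_templates/helm_package.yml` (placeholder), and bump it deliberately. If tracking `main` is intended, a one-line comment above the include saying so would stop the next reader from pinning it.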
@@ -1,5 +1,39 @@ -## Unreleased +## [0.5.3] - 2021-12-01 +* Chart is now available on via helm repository: + https://open.greenhost.net/api/v4/projects/1/packages/helm/stable + +## [0.5.2] - 2021-11-03 + +* Allow setting custom Kubernetes labels and annotations on onlyoffice deployment + and pod. + +## [0.5.1] - 2021-11-03 + +* Fix mistakes in sociallogin config + +## [0.5.0] - 2021-11-02 + +* Change the sociallogin settings structure so it can be automatically converted + to JSON + + If you use sociallogin, you need to change the settings to conform the + structure currently under `sociallogin.custom_oidc` in `values.yaml`. + + Example: + + ```yaml + sociallogin: + custom_oidc: + authorizeUrl: "sso.${domain}/oauth2/auth" + tokenUrl: "sso.${domain}/oauth2/token" + userInfoUrl: "sso.${domain}/userinfo" + clientSecret: "${nextcloud_oauth_client_secret}" + ``` + +## [0.4.0] - 2021-11-02 + +* Replace pod probes by exec ones to actually check healthcheck status * Update NC chart to 2.9.0 - This in turn updates the mariadb dependency chart from 7.10 to 9.6, which brings along some changes to helm value names: see [their upgrade diff --git a/Chart.lock b/Chart.lock index cc8f4e50709474189e4ebfbf61fa99c524cf408b..e428e1215412ce2d0c87de6f324ee5d3dcff7143 100644 --- a/Chart.lock +++ b/Chart.lock @@ -1,15 +1,15 @@ dependencies: - name: nextcloud repository: https://nextcloud.github.io/helm - version: 2.9.0 + version: 2.11.3 - name: rabbitmq repository: https://charts.bitnami.com/bitnami - version: 8.24.1 + version: 8.26.1 - name: redis repository: https://charts.bitnami.com/bitnami - version: 10.5.7 + version: 15.7.4 - name: postgresql repository: https://charts.bitnami.com/bitnami - version: 10.12.8 -digest: sha256:1891233216ad1a2b5da2cba77196d22ca51d60c962bdc26612110c7e7cfea2eb -generated: "2021-10-27T04:08:09.977844271Z" + version: 10.13.15 +digest: sha256:028d5e43dcc7f93134b201f30272fcb05ddb4dd58b21d99a07ae73bd0eb98de8 +generated: "2022-01-13T10:36:22.85758837Z" 
diff --git a/Chart.yaml b/Chart.yaml
index 7fe97dcd89d9387d0ce82505efc651e4a49ca62b..c16581541b1c4a3ecf6108c248d203e075fd7a7b 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -3,22 +3,23 @@ apiVersion: v2
 description: |
 A helm chart for installing NextCloud and setting up ONLYOFFICE integration
 name: nextcloud-onlyoffice
-version: 0.3.3
+version: 0.5.4
 appVersion: NC-20.0.11-OO-6.2.2.21
+icon: https://cdn.rawgit.com/docker-library/docs/defa5ffc7123177acd60ddef6e16bddf694cc35f/nextcloud/logo.svg
 dependencies:
 # https://artifacthub.io/packages/helm/nextcloud/nextcloud
 - name: nextcloud
- version: 2.9.0
+ version: 2.11.3
 repository: "https://nextcloud.github.io/helm"
 # https://artifacthub.io/packages/helm/bitnami/rabbitmq
 - name: rabbitmq
- version: 8.24.1
+ version: 8.26.1
 repository: "https://charts.bitnami.com/bitnami"
 # https://artifacthub.io/packages/helm/bitnami/redis
 - name: redis
- version: 10.5.7
+ version: 15.7.4
 repository: "https://charts.bitnami.com/bitnami"
 # https://artifacthub.io/packages/helm/bitnami/postgresql
 - name: postgresql
- version: 10.12.8
+ version: 10.13.15
 repository: "https://charts.bitnami.com/bitnami"
diff --git a/LICENSE b/LICENSE
index 4c0d78ee5cfce996936bbb6addc20a806dd18065..7737487d85060d04a3c966b1e2644e03814ec21d 100644
--- a/LICENSE
+++ b/LICENSE
@@ -186,7 +186,7 @@
 same "printed page" as the copyright notice for easier
 identification within third-party archives.
 
- Copyright 2019 OpenAppStack
+ Copyright 2019 Stackspin
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/README.md b/README.md
index 1aff09061fd1e88777dcb7d1b6ed1bf562b57a6e..6509c9a5172ad933e274967b48a2b274e20923e8 100644
--- a/README.md
+++ b/README.md
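Review bot: `appVersion: NC-20.0.11-OO-6.2.2.21` is left untouched next to the new `version: 0.5.4`, while the values.yaml hunk in this same commit bumps `onlyoffice.image.tag` to `6.4.2.6` and the nextcloud dependency moves to 2.11.3, so the version the chart advertises no longer describes what it deploys; update `appVersion` in the same change that bumps the image tags. CHANGELOG.md's newest entry in this commit is `[0.5.3]`, so 0.5.4 has no changelog line yet despite the MR template's "Updated chart version number" item. The added `icon:` points at `cdn.rawgit.com`, which as far as I know no longer serves content; confirm the URL still resolves or host the logo on a maintained location.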
@@ -9,23 +9,6 @@ documentation. Parts of this chart are based on a copy of the [COLLABORA code helm chart](https://github.com/helm/charts/tree/master/stable/collabora-code) -## Apps - -The Nextcloud app store allows admin users to install applications, many of -which have not undergone security testing. For that reason we disabled -downloading new apps via the app store. As the person installing Nextcloud it is -possible to specify which applications from the app store are available for -installation. It is also possible to enable them by default. Apps that are not -enabled by default can be enabled through the Apps screen in Nextcloud. - -To install apps, edit the values.yaml file: - -```yaml -apps: - - name: sociallogin # Installs sociallogin app - enabled: false # Disables sociallogin by default -``` - ## Installation 
@@ -45,21 +28,45 @@ secrets variables manually when you run helm install: - `postgresql.postgresqlPassword` - `rabbitmq.rabbitmq.password` -Install with: +Add our helm repository[^1]: ``` -helm install . --wait -f values-local.yaml +helm repo add nextcloud-onlyoffice https://open.greenhost.net/api/v4/projects/1/packages/helm/stable +``` + +Then install the chart: + +``` +helm install --wait -f values-local.yaml my-nextcloud nextcloud-onlyoffice/nextcloud-onlyoffice ``` **The `--wait` is important!** We need that because of how [helm chart -hooks](https://helm.sh/docs/charts_hooks/#hooks-and-the-release-lifecycle) work: +hooks](https://helm.sh/docs/topics/charts_hooks/) work: -> Note that if the --wait flag is set, Tiller will wait until all resources are -> in a ready state and will not run the post-install hook until they are ready. +> Note that if the --wait flag is set, the library will wait until all resources +> are in a ready state and will not run the post-install hook until they are +> ready. The job in this chart needs the Nextcloud pod to be in a ready state before being executed. +## Apps + +The Nextcloud app store allows admin users to install applications, many of +which have not undergone security testing. For that reason we disabled +downloading new apps via the app store. As the person installing Nextcloud it is +possible to specify which applications from the app store are available for +installation. It is also possible to enable them by default. Apps that are not +enabled by default can be enabled through the Apps screen in Nextcloud. + +To install apps, edit the values.yaml file: + +```yaml +apps: + - name: sociallogin # Installs sociallogin app + enabled: false # Disables sociallogin by default +``` + ## Values The included `values.yaml` file configures Nextcloud to use a Mariadb database, 
@@ -101,3 +108,5 @@ persistent disk (default: 2 GB) if you need more. | `onlyoffice.nodeSelector` | Node labels for pod assignment | `{}` | | `onlyoffice.affinity` | Affinity settings | `{}` | | `onlyoffice.tolerations` | List of node taints to tolerate | `[]` | + +[^1]: If you want to test a version that is not on the `main` branch yet, use `https://open.greenhost.net/api/v4/projects/1/packages/helm/unstable` diff --git a/templates/nextcloud-config.yaml b/templates/nextcloud-config.yaml index c2054c57ebf4451f256bf1667e5b8c6471170274..ce4cc124f4e0866d48385eb65c604adcbecedb78 100644 --- a/templates/nextcloud-config.yaml +++ b/templates/nextcloud-config.yaml 
@@ -26,25 +26,14 @@ data: } } } - social-login-config.json: | - { - "apps": { - "sociallogin": { - "auto_create_groups": "1", - "custom_providers": "{\"custom_oidc\": [{\"name\":\"oas\",\"title\":\"OpenAppStack\",\"authorizeUrl\":\"https:\\\/\\\/{{ .Values.sociallogin.server_name }}\\\/{{ .Values.sociallogin.oauth }}\\\/{{ .Values.sociallogin.auth_endpoint }}\",\"tokenUrl\":\"https:\\\/\\\/{{ .Values.sociallogin.server_name}}\\\/{{ .Values.sociallogin.oauth }}\\\/{{ .Values.sociallogin.token_endpoint }}\",\"userInfoUrl\":\"https:\\\/\\\/{{ .Values.sociallogin.server_name }}\\\/{{ .Values.sociallogin.oauth }}\\\/{{ .Values.sociallogin.userinfo_endpoint }}\",\"logoutUrl\":\"\",\"clientId\":\"{{ .Values.sociallogin.client_id }}\",\"clientSecret\":\"{{ .Values.sociallogin.client_secret | default "" }}\",\"scope\":\"{{ .Values.sociallogin.scope }}\",\"groupsClaim\":\"{{ .Values.sociallogin.groups_claim }}\",\"style\":\"\",\"defaultGroup\":\"\",\"groupMapping\":{\"admin\":\"admin\"}}]}", - "update_profile_on_login": "1" - } - } - } setup-apps.sh: | #!/bin/bash set -ev # Debug: place the json file in a persistent location for reuse cp /var/local/onlyoffice-config.json /var/www/html/ - cp /var/local/social-login-config.json /var/www/html/ occ="/var/www/html/occ" # Enable app store so we can run `install` and `enable` commands - php occ config:system:set appstoreenabled --type boolean --value true + php $occ config:system:set appstoreenabled --type boolean --value true {{- range .Values.apps }} # -- Begin {{ .name }} # Only install {{ .name }} if it's not installed already 
@@ -59,9 +48,11 @@ data: # Config settings from the configmap above php $occ config:import /var/local/onlyoffice-config.json - php $occ config:import /var/local/social-login-config.json + php $occ config:app:set sociallogin custom_providers --value='{"custom_oidc": [{{ .Values.sociallogin.custom_oidc | toJson }}]}' + php $occ config:app:set sociallogin auto_create_groups --value='{{ .Values.sociallogin.auto_create_groups }}' + php $occ config:app:set sociallogin update_profile_on_login --value='{{ .Values.sociallogin.update_profile_on_login }}' # Disable app store again - php occ config:system:set appstoreenabled --type boolean --value false + php $occ config:system:set appstoreenabled --type boolean --value false # # All values in config.json are applied by the nextcloud occ command # config:import. diff --git a/templates/onlyoffice-deployment.yaml b/templates/onlyoffice-deployment.yaml index 812028d1acfa2c66e79e812514662f5701dfd248..e0470a6c6721c7b20c209e9b0e733b395fe59bc7 100644 --- a/templates/onlyoffice-deployment.yaml +++ b/templates/onlyoffice-deployment.yaml @@ -7,6 +7,9 @@ metadata: helm.sh/chart: {{ include "onlyoffice-documentserver.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} + {{- if .Values.onlyoffice.deploymentLabels }} + {{- toYaml .Values.onlyoffice.deploymentLabels | nindent 4 }} + {{- end }} spec: replicas: {{ .Values.onlyoffice.replicaCount }} strategy: @@ -20,6 +23,10 @@ spec: labels: app.kubernetes.io/name: {{ include "onlyoffice-documentserver.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.onlyoffice.podLabels }} + {{- toYaml .Values.onlyoffice.podLabels | nindent 8 }} + {{- end }} + annotations: {{ toYaml .Values.onlyoffice.podAnnotations | nindent 8 }} spec: containers: - name: {{ .Chart.Name }} 
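Review bot: The three added `config:app:set` lines splice chart values straight into a single-quoted bash argument, so any value containing `'` ends the quote and the rest of the value is interpreted by the shell; the accompanying values.yaml comment only forbids single quotes instead of escaping them. Escape in the template, e.g. `--value='{"custom_oidc": [{{ .Values.sociallogin.custom_oidc | toJson | replace "'" "'\\''" }}]}'`, and apply the same `replace` to the two scalar values. This script runs under `set -ev` (context in the previous hunk), so the line carrying `clientSecret` is echoed verbatim into the job log; drop `-v`, or go back to rendering the JSON into the config file and importing it the way the removed `config:import` line did, which avoids shell quoting entirely. The `setup-apps.sh` body continues outside this hunk.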
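Review bot: `annotations: {{ toYaml .Values.onlyoffice.podAnnotations | nindent 8 }}` is rendered unconditionally while the `podLabels` block two lines above is wrapped in `{{- if }}`; with the `{}` default this yields `annotations: {}`, but a user who overrides `podAnnotations:` with an empty value would presumably get `annotations: null`. For consistency with the label blocks, guard it the same way: `{{- with .Values.onlyoffice.podAnnotations }}` / `annotations: {{- toYaml . | nindent 8 }}` / `{{- end }}`.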
@@ -32,10 +39,11 @@ spec:
 imagePullPolicy: {{ .Values.onlyoffice.image.pullPolicy }}
 {{- if .Values.onlyoffice.livenessProbe.enabled }}
 livenessProbe:
- httpGet:
- path: /welcome
- port: http
- scheme: HTTP
+ exec:
+ command:
+ - "/bin/bash"
+ - "-c"
+ - "output=$(curl -s http://localhost:{{ .Values.onlyoffice.containerPort }}/healthcheck); if [ $? -ne 0 ]; then exit 1; fi; if [ \"$output\" == \"true\" ]; then exit 0; else exit 2; fi"
 initialDelaySeconds: {{ .Values.onlyoffice.livenessProbe.initialDelaySeconds }}
 periodSeconds: {{ .Values.onlyoffice.livenessProbe.periodSeconds }}
 timeoutSeconds: {{ .Values.onlyoffice.livenessProbe.timeoutSeconds }}
@@ -44,10 +52,11 @@ spec:
 {{- end }}
 {{- if .Values.onlyoffice.readinessProbe.enabled }}
 readinessProbe:
- httpGet:
- path: /welcome
- port: http
- scheme: HTTP
+ exec:
+ command:
+ - "/bin/bash"
+ - "-c"
+ - "output=$(curl -s http://localhost:{{ .Values.onlyoffice.containerPort }}/healthcheck); if [ $? -ne 0 ]; then exit 1; fi; if [ \"$output\" == \"true\" ]; then exit 0; else exit 2; fi"
 initialDelaySeconds: {{ .Values.onlyoffice.readinessProbe.initialDelaySeconds }}
 periodSeconds: {{ .Values.onlyoffice.readinessProbe.periodSeconds }}
 timeoutSeconds: {{ .Values.onlyoffice.readinessProbe.timeoutSeconds }}
@@ -56,10 +65,11 @@ spec:
 {{- end }}
 {{- if .Values.onlyoffice.startupProbe.enabled }}
 startupProbe:
- httpGet:
- path: /welcome
- port: http
- scheme: HTTP
+ exec:
+ command:
+ - "/bin/bash"
+ - "-c"
+ - "output=$(curl -s http://localhost:{{ .Values.onlyoffice.containerPort }}/healthcheck); if [ $? -ne 0 ]; then exit 1; fi; if [ \"$output\" == \"true\" ]; then exit 0; else exit 2; fi"
 periodSeconds: {{ .Values.onlyoffice.startupProbe.periodSeconds }}
 timeoutSeconds: {{ .Values.onlyoffice.startupProbe.timeoutSeconds }}
 successThreshold: {{ .Values.onlyoffice.startupProbe.successThreshold }}
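Review bot: The identical bash one-liner is pasted into the liveness, readiness and startup probes, so any correction (the `[ \"$output\" == \"true\" ]` comparison, the port, the path) has to be made three times and the three can drift; define it once as a named template in `_helpers.tpl` and `include` it under each `command:`. Inside the command, `curl -s` without `--fail` treats an HTTP error response as a successful fetch and only reaches `exit 2` because the body is not `true`; `curl -sf` makes the intent explicit and keeps the `$? -ne 0` branch meaningful. The probe mappings continue past this hunk on each side, so `failureThreshold` and friends are not visible here.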
diff --git a/templates/onlyoffice-ingress.yaml b/templates/onlyoffice-ingress.yaml
index 88329d13f34add01b8f7936345d93dec31b8dbce..a05a3e5b40df7e26071d5fca658d843b88b2b3d4 100644
--- a/templates/onlyoffice-ingress.yaml
+++ b/templates/onlyoffice-ingress.yaml
@@ -1,7 +1,7 @@
 {{- if .Values.onlyoffice.ingress.enabled -}}
 {{- $fullName := include "onlyoffice-documentserver.fullname" . -}}
 {{- $ingressPaths := .Values.onlyoffice.ingress.paths -}}
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: {{ $fullName }}
@@ -32,11 +32,17 @@ spec:
 paths:
 - path: "/"
 backend:
- serviceName: {{ $fullName }}
- servicePort: http
+ service:
+ name: {{ $fullName }}
+ port:
+ name: http
+ pathType: Prefix
 - path: "/spellchecker"
 backend:
- serviceName: {{ $fullName }}
- servicePort: spellchecker
+ service:
+ name: {{ $fullName }}
+ port:
+ name: spellchecker
+ pathType: Prefix
 {{- end }}
 {{- end }}
diff --git a/values-local.yaml.example b/values-local.yaml.example
index 7e3cee72056179a0198cb81045e155113b63ac54..bab7f18c15b8f267b83ffbcd4173697607c5c577 100644
--- a/values-local.yaml.example
+++ b/values-local.yaml.example
@@ -49,21 +49,31 @@ apps: # sociallogin enables login via oAuth/Open-ID Connect sociallogin: - # sociallogin.server_name is the FQDN of you oAuth server. The oAuth server needs to - # provide the endpoints `/userinfo`, `/oauth2/token` and `/oauth2/auth` and according - # to the oauth2 standard it needs to be accessible via https with valid certificates - server_name: sso.oas.example.net - # sociallogin.client_id is the client name nextcloud will use to communicate with the - # oAuth server - client_id: nextcloud - - ## sociallogin.client_secret is the password that nextcloud uses when communicating with - ## the oauth server - # client_secret: "YouReallyNeedToChangeThis" - - # sociallogin.groups_claim is the name of a claim that the nextcloud server can retrieve - # by querying the `/userinfo` enfpoint of the openID Connect server. For every value in - # the groups_claim a corresponding group with a `oas_` prefix will be created if they don't - # exist yet. The user will then be added to those groups. - # If the claim contains the value `admin` the user will be added granted admin privileges. 
- groups_claim: "openappstack_roles" + # Because of how we import these settings, single quotes (') are not allowed + # in any of the values below + custom_oidc: + name: stackspin + title: Stackspin + # The oAuth server needs to provide the endpoints `/userinfo`, + # `/oauth2/token` and `/oauth2/auth` and according to the oauth2 standard it + # needs to be accessible via https with valid certificates + authorizeUrl: https://sso.stackspin.example.net/oauth2/auth + tokenUrl: https://sso.stackspin.example.net/oauth2/token + userInfoUrl: https://sso.stackspin.example.net/userinfo + logoutUrl: "" + # The client name nextcloud will use to communicate with the oAuth server + clientId: nextcloud + # The password that nextcloud uses when communicating with the oauth server + # clientSecret: YouReallyNeedToChangeThis + scope: "openid profile email stackspin_roles" + # The name of a claim that the nextcloud server can retrieve by querying the + # userInfoUrl of the openID Connect server. For every value in the + # groups_claim a corresponding group with an `stackspin_` prefix will be created + # if they don't exist yet. The user will then be added to those groups. If + # the claim contains the value `admin` the user will be granted admin + # privileges. + groupsClaim: "stackspin_roles" + style: "" + defaultGroup: "" + groupMapping: + admin: admin diff --git a/values.yaml b/values.yaml index e050fa515e08a7bbbf1cbe6b145e06055bfae619..554dbbd2b50e7f6727026c8bba4a03cf525a4500 100644 --- a/values.yaml +++ b/values.yaml @@ -8,7 +8,7 @@ nextcloud: # Enable and configure MariaDB chart mariadb: enabled: true - # Needed to fix https://open.greenhost.net/openappstack/nextcloud/issues/28#note_7070 + # Needed to fix https://open.greenhost.net/stackspin/nextcloud/issues/28#note_7070 volumePermissions: image: pullSecrets: [] 
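Review bot: With `# clientSecret: YouReallyNeedToChangeThis` left commented out, the `custom_oidc` map that the template now serialises with `toJson` simply has no `clientSecret` key, whereas the removed template line emitted `"clientSecret":""` via `default ""`; confirm the sociallogin app tolerates an absent key, or add `clientSecret: ""` to the example so the rendered shape is stable. The comment `# Because of how we import these settings, single quotes (') are not allowed` would be clearer if it named the reason: `# These values are embedded in a single-quoted occ config:app:set argument in templates/nextcloud-config.yaml, so a ' would break the shell quoting`. The same comment appears in the values.yaml hunk further down and could carry the same wording.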
@@ -59,7 +59,7 @@ onlyoffice: # Allow chainging unauthorizedStorage and httpsHstsEnabled # Useful if you want to make Nextcloud and Onlyoffice work without proper # certificates, i.e. when testing or in CI - # see https://open.greenhost.net/openappstack/nextcloud/-/issues/964 + # see https://open.greenhost.net/stackspin/nextcloud/-/issues/964 # Default is to *not* allow unauthorizedStorage and to enforce HSTS unauthorizedStorage: false httpsHstsEnabled: true @@ -72,7 +72,7 @@ onlyoffice: image: repository: onlyoffice/documentserver - tag: 6.2.2.21 + tag: 6.4.2.6 pullPolicy: Always strategy: Recreate @@ -124,6 +124,13 @@ onlyoffice: # cpu: 100m # memory: 128Mi + # Custom labels to add to the onlyoffice documentserver deployment. + deploymentLabels: {} + # Custom labels to add to the onlyoffice documentserver pod. + podLabels: {} + # Custom annotations to add to the onlyoffice documentserver pod. + podAnnotations: {} + nodeSelector: {} tolerations: [] @@ -156,12 +163,10 @@ onlyoffice: failureThreshold: 120 redis: - master: - command: redis-server --appendonly yes - usePassword: false - cluster: + auth: + # Disable redis password authentication altogether. enabled: false - + architecture: standalone postgresql: persistence: 
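Review bot: `auth.enabled: false` switches Redis password authentication off by default and the added comment only restates the setting; a reader needs to know what is relied on instead, and that the default is only appropriate where the cluster network is trusted. Suggest extending the comment to `# Disable redis password authentication altogether: redis is then open to anything that can reach its service, so rely on network isolation (e.g. a NetworkPolicy) or set auth.enabled to true in values-local.yaml on shared clusters`. In the `podAnnotations: {}` hunk the three new keys are documented, which is good; the probe hunk's `tag: 6.4.2.6` bump is covered by the Chart.yaml note above.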
@@ -174,14 +179,25 @@ postgresql: rabbitmq: auth: password: password + erlangCookie: stub sociallogin: - server_name: sso.oas.example.net - client_id: nextcloud - groups_claim: openappstack_roles - oauth: oauth2 - auth_endpoint: "auth" - token_endpoint: "token" - userinfo_endpoint: "userinfo" - scope: "openid profile email openappstack_roles" - # client_secret: "YouReallyNeedToChangeThis" + update_profile_on_login: 1 + auto_create_groups: 1 + # Because of how we import these settings, single quotes (') are not allowed + # in any of the values below + custom_oidc: + name: remote + title: Remote login + authorizeUrl: https://sso.stackspin.example.net/oauth2/auth + tokenUrl: https://sso.stackspin.example.net/oauth2/token + userInfoUrl: https://sso.stackspin.example.net/userinfo + logoutUrl: "" + clientId: nextcloud + # clientSecret: YouReallyNeedToChangeThis + scope: "openid profile email roles" + groupsClaim: "roles" + style: "" + defaultGroup: "" + groupMapping: + admin: admin
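Review bot: `erlangCookie: stub` ships a fixed, publicly known Erlang cookie as the chart default; the cookie is what authenticates nodes to a RabbitMQ cluster, so any install that does not override it is protected only by network reach. The README's list of values that must be supplied at install time names `postgresql.postgresqlPassword` and `rabbitmq.rabbitmq.password` but not the cookie, and that `rabbitmq.rabbitmq.password` path looks stale next to the `rabbitmq.auth.password` key visible here; add `rabbitmq.auth.erlangCookie` to that list and correct the password path. A comment on the line itself, e.g. `# Placeholder only: override with a random value at install time, see README`, would make the intent visible without leaving values.yaml.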