Merge branch '1106-fix-security-and-setup-warnings' into 'main'

Resolve "Fix security and setup warnings" Closes #1106 See merge request !571

Merge branch '1106-fix-security-and-setup-warnings' into 'main'
Resolve "Fix security and setup warnings" Closes #1106 See merge request !571
b4f15a31 · Arie Peterson · e677442c · ae485021 · b4f15a31
Commit b4f15a31 authored 1 year ago by Arie Peterson
--- a/templates/nextcloud-onlyoffice-config.yaml
+++ b/templates/nextcloud-onlyoffice-config.yaml
@@ -13,7 +13,9 @@ data:
  setup-apps.sh: |
    #!/bin/bash
-    # This script gets executed as a postStart command inside the Nextcloud pod.
+    # This script gets executed by the Kubernetes Job `{{ .Release.Name }}-setup-apps`,
+    # which gets created by Helm after every chart install and upgrade.
+    #
    # The script:
    #
    #   * Installs all apps declared in the `apps` helm values array
@@ -23,7 +25,7 @@ data:
    #   * Runs upgrade routines after installation of a new release or new
    #     pinned apps.
    #   * Configures single-sign-on
-    #   * Persists and loads the config.json config file
+    #   * Loads Nextcloud config from the config.json
    #   * Updates database indices, columns, keys, etc needed after NC upgrade
    # Copied from the NC docker entrypoint to run OCC commands
@@ -37,8 +39,22 @@ data:
    echo "STARTING SETUP-APPS.SH"
-    # Debug: place the json file in a persistent location for reuse
+    # Starting in version 0.15.18 of this chart (Stackspin 2.10), we no longer
-    cp /var/local/config.json /var/www/html/
+    # copy config.json from /var/local to the web root. We remove the copied
+    # file if we think we can safely do so.
+    if [ -f /var/www/html/config.json ]
+    then
+        echo "Found copy of config.json in web root."
+        if diff -q /var/www/html/config.json /var/local/config.json >/dev/null
+        then
+            echo "It's identical to the current config from the configmap."
+            echo "Deleting it from the web root."
+            rm /var/www/html/config.json
+        else
+            echo "It's different from the current config from the configmap."
+            echo "Keeping it around for manual reconciliation."
+        fi
+    fi
    occ="/var/www/html/occ"
    count=0
@@ -115,6 +131,9 @@ data:
      # Extract app into target directory. The app tars usually contain a folder
      # named after the app name
      tar -xf "{{ .name }}.tar.gz" -C "$target_directory"
+      # Ownership in the archive can be anything. Nextcloud wants it to be
+      # www-data.
+      chown -R 33:33 "$target_directory"
      rm "{{ .name }}.tar.gz"
    fi
    {{- else }}
@@ -209,7 +228,7 @@ data:
            },
            "oidc_login_disable_registration": false,
            "oidc_login_webdav_enabled": true,
-            "debug": {{ .Values.nextcloud.debug | quote }}
+            "debug": {{ .Values.nextcloud.debug }}
        },
        "apps":{
            "core":{