.gitlab-ci.yml

@@ -3,11 +3,82 @@ include:
   - remote: https://open.greenhost.net/stackspin/stackspin/-/raw/main/.gitlab/ci_templates/dummy_job.yml
   - template: 'Workflows/MergeRequest-Pipelines.gitlab-ci.yml'
 
+.use-kubernetes:
+  image:
+    name: alpine/k8s:1.22.6
+    entrypoint: ["/bin/sh", "-c"]
+  before_script:
+    - kubectl config get-contexts
+    - kubectl config use-context stackspin/kubernetes-agent-setup:stackspin-k8s-agent
+
+.chart-changes-rules:
+  rules:
+    - changes:
+      - templates/**/*.yaml
+      - taiko-tests/**/*.js
+      - values-local.yaml.example
+      - values.yaml
+      - Chart.yaml
+
 stages:
   - lint-helm-chart
+  - install-helm-chart
+  - test-helm-chart
   - package-helm-chart
   - release-helm-chart
   - dummy
 
 variables:
   CHART_NAME: nextcloud-onlyoffice
+  RELEASE_NAME: "nc$CI_MERGE_REQUEST_IID"
+
+delete-helmrelease:
+  stage: install-helm-chart
+  script:
+    - cd ${CHART_DIR:-"."}
+    - ./fully-delete-helmrelease.sh "$RELEASE_NAME"
+  environment:
+    name: helmrelease/$RELEASE_NAME
+    action: stop
+  extends:
+    - .use-kubernetes
+    - .chart-changes-rules
+  # This job will fail if a helmrelease didn't exist (yet). For example in a
+  # first pipeline for an MR.
+  allow_failure: true
+
+install-helmrelease:
+  stage: install-helm-chart
+  needs:
+    # This job contains the `helm dep` artifacts
+    - job: lint-helm
+    # We can't install if there's still an installation from a previous run
+    # present.
+    - job: delete-helmrelease
+  script:
+    - cd ${CHART_DIR:-"."}
+    - cp values-local.yaml.example values-ci.yaml
+    # This sets the domains to files-MR_ID.gitlab.stackspin.net and
+    # office-MR_ID.gitlab.stackspin.net
+    - sed -i "s/\.your\.domain/-$RELEASE_NAME.gitlab.stackspin.net/" values-ci.yaml
+    # Make sure TLS certificate secrets for different MRs do not clash
+    - sed -i "s/files-cert/files-cert-$RELEASE_NAME/" values-ci.yaml
+    - sed -i "s/office-cert/office-cert-$RELEASE_NAME/" values-ci.yaml
+    - helm install --wait "$RELEASE_NAME" . -f values-ci.yaml
+  environment:
+    name: helmrelease/$RELEASE_NAME
+    url: https://files-$RELEASE_NAME.gitlab.stackspin.net
+    auto_stop_in: 1 week
+    on_stop: delete-helmrelease
+  extends:
+    - .use-kubernetes
+    - .chart-changes-rules
+
+test-helm-chart:
+  stage: test-helm-chart
+  script:
+    - cd ${CHART_DIR:-"."}
+    - helm test --logs "$RELEASE_NAME"
+  extends:
+    - .use-kubernetes
+    - .chart-changes-rules

.helmignore

@@ -21,3 +21,7 @@
 *.tmproj
 .vscode/
 README.md
+Screenshot*
+CHANGELOG.md
+LICENSE
+renovate.json

Chart.yaml

@@ -3,7 +3,7 @@ apiVersion: v2
 description: |
   A helm chart for installing NextCloud and setting up ONLYOFFICE integration
 name: nextcloud-onlyoffice
-version: 0.7.39
+version: 0.7.40
 appVersion: NC-23.0.3-OO-7.0.1.37
 icon: https://cdn.rawgit.com/docker-library/docs/defa5ffc7123177acd60ddef6e16bddf694cc35f/nextcloud/logo.svg
 dependencies:

README.md

@@ -109,4 +109,24 @@ persistent disk (default: 2 GB) if you need more.
 | `onlyoffice.affinity`                                        | Affinity settings                                                                       | `{}`                                     |
 | `onlyoffice.tolerations`                                     | List of node taints to tolerate                                                         | `[]`                                     |
 
+## Running tests
+
+This chart comes with [Taiko tests](https://gauge.org/gauge-taiko/) that you can
+run by running `helm test <release name>`. Add the `--logs` parameter if you
+want to immediately see the console output from the Taiko test.
+
+### Running the tests locally
+
+If the tests fail, you'll want to observe the steps Taiko executes in the
+browser. To do so, install Taiko with `npm`. Then you can run the following:
+
+```
+# Set environment variables to use with Taiko. Read the script to see the
+# possible values and adjust them if necessary.
+source get-taiko-vars.sh <release_name>
+# Start Taiko and observe its steps in a browser
+taiko --observe taiko-tests/test.js
+```
+
 [^1]: If you want to test a version that is not on the `main` branch yet, use `https://open.greenhost.net/api/v4/projects/1/packages/helm/unstable`
+

fully-delete-helmrelease.sh

+#! /usr/bin/env bash
+
+if [ -z "$1" ]; then
+    echo "Usage: ./fully-delete-chart RELEASE_NAME"
+    exit 1
+else
+    release="$1"
+fi
+
+kubectl delete pod "$release-onlyoffice-documentserver-taiko-test"
+
+kubectl delete job "$release-setup-apps"
+
+# This command can fail, but that is not a problem
+kubectl delete pvc \
+    "$release-nextcloud-nextcloud" \
+    "data-$release-rabbitmq-0" \
+    "redis-data-$release-redis-master-0" \
+    "redis-data-$release-redis-slave-0" \
+    "redis-data-$release-redis-slave-1" \
+    "data-$release-mariadb-0"
+
+helm delete --wait "$release"
+
+output=$(kubectl get pod -l "app.kubernetes.io/instance=$release")
+until [ "$output" == "" ]
+do
+    echo "waiting for pods to be deleted, pods still running:"
+    echo "$output"
+    sleep 5
+    output=$(kubectl get pod -l "app.kubernetes.io/instance=$release")
+done

get-taiko-vars.sh

+if [ -z "$1" ]; then
+    echo "Usage: source get-taiko-vars.sh RELEASE_NAME"
+    return 1
+else
+    release="$1"
+fi
+
+tempfile=$(mktemp)
+
+helm get values "$release" -o json > "$tempfile"
+
+# Set this to true and add SSO details 
+# if you want to use OIDC-based login in your tests
+export USE_SSO_LOGIN=false
+export SSO_USERNAME=admin@example.com
+export SSO_USER_PW=""
+
+# Nextcloud admin username
+export NEXTCLOUD_ADMIN_USERNAME=admin
+
+# Nextcloud admin password imported from the helm values.
+NEXTCLOUD_ADMIN_PASSWORD=$(jq -r '.nextcloud.nextcloud.password' < "$tempfile")
+export NEXTCLOUD_ADMIN_PASSWORD
+
+NEXTCLOUD_URL=$(jq -r '.nextcloud.nextcloud.host' < "$tempfile")
+export NEXTCLOUD_URL
+
+ONLYOFFICE_URL=$(jq -r '.onlyoffice.server_name' < "$tempfile")
+export ONLYOFFICE_URL
+
+# Comma-separated list of applications to test. Check if taiko-tests/test.js
+# supports testing your application if you want to add apps here.
+export INSTALLED_APPS=""
+
+rm "$tempfile"
+
+echo "Imported values from Helm."

taiko-tests/test.js

+const { openBrowser, goto, textBox, into, write, click, toRightOf, below, link, press, image, waitFor, closeBrowser, screenshot } = require('taiko');
+const assert = require('assert');
+const globalTimeout = 60000
+
+const sso_username = process.env.SSO_USERNAME
+const sso_user_pw = process.env.SSO_USER_PW
+const installed_apps = process.env.INSTALLED_APPS.split(",")
+
+const nextcloudAdminUsername = process.env.NEXTCLOUD_ADMIN_USERNAME
+const nextcloudAdminPassword = process.env.NEXTCLOUD_ADMIN_PASSWORD
+
+const nextcloudUrl = process.env.NEXTCLOUD_URL
+const onlyofficeUrl = process.env.ONLYOFFICE_URL
+
+setConfig( {
+  observeTime: 0,
+  // Navigation timeout value in milliseconds for navigation after performing openTab, goto, reload, goBack, goForward, click, write, clear, press and evaluate.
+  navigationTimeout: globalTimeout,
+  highlightOnAction: 'true'
+});
+
+// Unfortunately, the tests are not 100% reliable. For that reason we
+// run them 4 times, and assume everything is OK if the tests succeed once
+(async () => {
+  process.exitCode = 1;
+  for (let i=0; i<4; i++) {
+      console.log("Running test " + i)
+      ret = await run_all_tests()
+      console.log("Ran test " + i + ", ret " + ret)
+      // If tests succeed, set exit code to 0 and exit loop
+      if (ret) {
+          console.log("exiting");
+          process.exitCode = 0;
+          break;
+      }
+  }
+})()
+
+async function sso_login_if_needed (button_text) {
+  try {
+    await console.log('Logging in with SSO...')
+    await text(button_text).exists()
+    await click(button_text)
+    await write(sso_username, into(textBox('E-mail address')))
+    await write(sso_user_pw, into(textBox('Password')))
+    await click('Go!')
+  } catch (error) {
+    await console.error(error)
+    console.log('Looks like we do not need to login, continuing')
+  }
+}
+
+// Logs the user in with Nextcloud login interface, uses above consts
+async function login_if_needed() {
+  try {
+    await console.log('Logging in without SSO...')
+    await write(nextcloudAdminUsername, into(textBox('Username or email')))
+    await write(nextcloudAdminPassword, into(textBox('Password')))
+    await click('Log in')
+  } catch (error) {
+    await console.error(error)
+    console.log('Looks like we do not need to login, continuing')
+  }
+}
+async function run_all_tests()
+{
+  var returnValue = true;
+  try {
+    console.log("Starting tests")
+
+    await openBrowser({
+      // Optimize chrome instances for docker an parallel runs, see:
+      // https://docs.taiko.dev/taiko_in_docker/
+      // https://docs.taiko.dev/frequently_asked_questions/#how-can-i-optimize-chrome-instances-for-parallel-runs%3F
+      args: [
+        "--disable-gpu",
+        "--disable-dev-shm-usage",
+        "--disable-setuid-sandbox",
+        "--no-first-run",
+        "--no-sandbox",
+        "--no-zygote",
+        "--start-maximized"
+      ]
+    });
+
+    console.log('• Onlyoffice')
+
+    await goto(onlyofficeUrl + '/welcome')
+    await waitFor(async () => (await text("Thank you for choosing ONLYOFFICE!").exists()))
+    await waitFor(async () => (await text("Document Server is running").exists()))
+
+    await goto(onlyofficeUrl + '/healthcheck')
+    await waitFor(async () => (await text("true").exists()))
+
+    console.log('• Nextcloud')
+    await goto(nextcloudUrl)
+    if (process.env.USE_SSO_LOGIN == "true") {
+        await sso_login_if_needed('Log in with Stackspin')
+    } else {
+        await login_if_needed()
+    }
+    await waitFor(async () => (await text("Recommended files").exists()), globalTimeout)
+    // Close potential nextcloud first run wizard modal
+    // https://github.com/nextcloud/firstrunwizard/issues/488
+    // Unfortunately, we need to sleep a while since I haven't found a
+    // good way that closes the modal *if* it pops up, since these
+    // tests should also work on subsequent logins.
+    await waitFor(5000)
+    await press('Escape')
+
+    // Test password app
+    if (installed_apps.indexOf("passwords") != -1) {
+        console.log('• Passwords application')
+        await click($('li[data-id=passwords]'))
+        await waitFor(async () => (await $("div.item-list").isVisible()), globalTimeout)
+    }
+
+    // Test if calendar app is enabled
+    if (installed_apps.indexOf("calendar") != -1) {
+        console.log('• Calendar application')
+        await click($('li[data-id=calendar]'))
+        await waitFor(async () => (await $("table.fc-scrollgrid").isVisible()), globalTimeout)
+    }
+
+    console.log('• Nextcloud Onlyoffice integration')
+    // Open document and type some text
+    await click($('li[data-id=files]'))
+    // Force page reload because of random empty pages for files app
+    // https://open.greenhost.net/stackspin/nextcloud/-/issues/973
+    await reload()
+
+    await waitFor(async () => (await link({class:'new'}).isVisible()), globalTimeout)
+    await click(link({class:'new'}))
+    await click('New document')
+
+    // Create random file name because NC20 will complain if file already
+    // exists
+    var file_rand = 'test-' + Math.random().toString(16).substr(2, 12)
+    await press([...file_rand])
+    await click($(".filenameform>.icon-confirm"), {waitForEvents:['targetNavigated']})
+    console.log("New tab opened")
+
+    loader1Selector = '.loader-page'
+    loader2Selector = '#asc-loadmark'
+
+    waitFor(1000)
+
+    console.log("Waiting for loader 1 to disappear")
+    await waitFor(async () => ! (await $(loader1Selector).exists()), globalTimeout)
+    console.log("Waiting for loader 2 to disappear")
+    await waitFor(async () => ! (await $(loader2Selector).exists()), globalTimeout)
+
+    console.log("Done loading, testing ONLYOFFICE")
+
+    let italicButtonId = '#id-toolbar-btn-italic'
+    await waitFor(async () => (await $(italicButtonId).isVisible()), globalTimeout)
+
+    // Activate italic button
+    let buttonStateBefore = await evaluate($(italicButtonId), (elem) => {return elem.getAttribute('class')})
+    await assert.ok(!buttonStateBefore.includes('active'))
+
+    // Search for the italic button
+    await waitFor(async () => (await $('#id_target_cursor').isVisible()), globalTimeout)
+    await click($(italicButtonId))
+
+    let buttonStateAfter = await evaluate($(italicButtonId), (elem) => {return elem.getAttribute('class')})
+    await assert.ok(buttonStateAfter.includes('active'))
+
+    await press([...'Hi from taiko!', 'Enter'])
+
+    // Deactivate italic finially
+    await click($(italicButtonId))
+    await closeTab()
+  } catch (error) {
+    await console.error(error)
+    console.log('Got an error here')
+    await screenshot()
+    returnValue = false;
+  } finally {
+    await closeBrowser()
+    console.log("Browser closed, returning " + returnValue)
+    return returnValue
+  }
+}

templates/NOTES.txt

@@ -19,7 +19,7 @@ To learn more, try:
 {{ if .Values.nextcloud.ingress.enabled }}
   echo https://{{ .Values.nextcloud.nextcloud.host }}{{ if .Values.nextcloud.nextcloudPort }}:{{ .Values.nextcloud.nextcloudPort  }}{{ end }}/
 {{- else if eq .Values.nextcloud.service.type "ClusterIP" }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ $nextcloudname }}" -o jsonpath="{.items[0].metadata.name}")
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ include "nextcloudname" . }}" -o jsonpath="{.items[0].metadata.name}")
   echo http://127.0.0.1:8080/
   kubectl port-forward $POD_NAME 8080:8080
 {{- end }}
@@ -27,14 +27,13 @@ To learn more, try:
 2. Get your nextcloud login credentials by running:
 
   echo User:     {{ .Values.nextcloud.nextcloud.username }}
-  echo Password: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ $nextcloudname }} -o jsonpath="{.data.nextcloud-password}" | base64 --decode)
+  echo Password: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "nextcloudname" . }} -o jsonpath="{.data.nextcloud-password}" | base64 --decode)
 
 3. Get the ONLYOFFICE URL by running these commands:
+
 {{- if .Values.onlyoffice.ingress.enabled }}
 {{- range $host := .Values.onlyoffice.ingress.hosts }}
-  {{- range $.Values.onlyoffice.ingress.paths }}
-  http{{ if $.Values.onlyoffice.ingress.tls }}s{{ end }}://{{ $host }}{{ . }}
-  {{- end }}
+  echo http{{ if $.Values.onlyoffice.ingress.tls }}s{{ end }}://{{ $host }}
 {{- end }}
 {{- else if contains "NodePort" .Values.onlyoffice.service.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "onlyoffice-documentserver.fullname" . }})

templates/_helpers.tpl

@@ -6,6 +6,10 @@ Expand the name of the chart.
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{- define "nextcloudname" -}}
+{{- printf "%s-%s" .Release.Name "nextcloud" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

templates/onlyoffice-ingress.yaml

 {{- if .Values.onlyoffice.ingress.enabled -}}
 {{- $fullName := include "onlyoffice-documentserver.fullname" . -}}
-{{- $ingressPaths := .Values.onlyoffice.ingress.paths -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:

templates/tests/taiko-test-js-configmap.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "{{ .Release.Name }}-taiko-test-js"
+  labels:
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+data:
+  test.js: |-
+{{ .Files.Get "taiko-tests/test.js" | nindent 4 }}

templates/tests/taiko-test-nc-oo.yaml

+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "onlyoffice-documentserver.fullname" . }}-taiko-test"
+  labels:
+    app.kubernetes.io/name: {{ include "onlyoffice-documentserver.name" . }}
+    helm.sh/chart: {{ include "onlyoffice-documentserver.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: "{{ include "onlyoffice-documentserver.fullname" . }}-taiko-test"
+      image: {{ .Values.tests.image.repository }}:{{ .Values.tests.image.tag }}
+      imagePullPolicy: {{ .Values.tests.image.pullPolicy }}
+      command:
+        - "taiko"
+        - "/var/local/test.js"
+        # Wait 60 secs for the application to be somewhat ready to receive tests
+        # This is especially important if you want to run `helm test`
+        # immediately after installing, like Flux does.
+        - "--wait-time"
+        - "60000"
+      env:
+        - name: NEXTCLOUD_URL
+          value: {{ .Values.nextcloud.nextcloud.host }}
+        {{- if .Values.tests.ssoLogin.enabled }}
+        - name: USE_SSO_LOGIN
+          value: "true"
+        - name: SSO_USERNAME
+          value: {{ .Values.tests.ssoLogin.username }}
+        - name: SSO_USER_PW
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.tests.ssoLogin.passwordSecret.name }}
+              key: {{ .Values.tests.ssoLogin.passwordSecret.key }}
+              namespace: {{ .Values.tests.ssoLogin.passwordSecret.namespace }}
+        {{- else }}
+        - name: NEXTCLOUD_ADMIN_USERNAME
+          value: admin
+        - name: NEXTCLOUD_ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.nextcloud.nextcloud.existingSecret.secretName | default (include "nextcloudname" .) }}
+              key: {{ .Values.nextcloud.nextcloud.existingSecret.passwordKey | default "nextcloud-password" }}
+        {{- end }}
+        - name: ONLYOFFICE_URL
+          value: {{ .Values.onlyoffice.server_name }}
+        - name: INSTALLED_APPS
+          value: "{{ range .Values.apps }}{{ .name }},{{ end }}"
+      volumeMounts:
+        - name: taiko-test-js
+          mountPath: /var/local
+  volumes:
+    - name: taiko-test-js
+      configMap:
+        name: {{ .Release.Name }}-taiko-test-js
+  restartPolicy: Never

templates/tests/test-connection.yaml

-apiVersion: v1
-kind: Pod
-metadata:
-  name: "{{ include "onlyoffice-documentserver.fullname" . }}-test-connection"
-  labels:
-    app.kubernetes.io/name: {{ include "onlyoffice-documentserver.name" . }}
-    helm.sh/chart: {{ include "onlyoffice-documentserver.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  annotations:
-    "helm.sh/hook": test-success
-spec:
-  containers:
-    - name: wget
-      image: busybox
-      command: ['wget']
-      args:  ['{{ include "onlyoffice-documentserver.fullname" . }}:{{ .Values.onlyoffice.service.port }}']
-  restartPolicy: Never

values-local.yaml.example

 nextcloud:
   nextcloud:
     host: "files.your.domain"
-    password: Set a password here
+    password: CHANGE_ME
 
   ingress:
     enabled: true
     annotations:
-      # Tell traefik to automatically get a TLS certificate
+      # Tell cert-manager to automatically get a TLS certificate
       kubernetes.io/tls-acme: "true"
     hosts:
       - "files.your.domain"
+    # This information is important for cert-manager, if you use it.
+    tls:
+      - hosts:
+          - "files.your.domain"
+        secretName: files-cert
 
-  # Enable and configure MariaDB chart
+  # Configure MariaDB chart
   mariadb:
     auth:
-      password: Set a mysql password
-      rootPassword: Set a mysql root user password
+      password: CHANGE_ME
+      rootPassword: CHANGE_ME
     architecture: standalone
-    primary:
-      persistence:
-        ## Enable mariadb persistence using Persistent Volume Claims.
-        enabled: true
-        size: 512Mi
+    # Enable persistence
+    # primary:
+    #   persistence:
+    #     ## Enable mariadb persistence using Persistent Volume Claims.
+    #     enabled: true
+    #     size: 512Mi
+
+  # Creates a kubernetes cronJob object that runs nextcloud's cron.php
+  # every 5 minutes (*/5 * * * *)
+  # cronjob:
+  #   enabled: true
+
+  # persistence:
+  #   enabled: true
+  #   size: 2Gi
 
 onlyoffice:
   server_name: "office.your.domain"
-  jwtSecret: Set any random secret for JWT here
+  jwtSecret: CHANGE_ME
   ingress:
     enabled: true
     hosts:
       - "office.your.domain"
+    tls:
+      - hosts:
+          - "office.your.domain"
+        secretName: office-cert
   database:
-    password: Set a database password for onlyoffice
+    password: CHANGE_ME
 
 rabbitmq:
   auth:
-    password: Set a password for rabbitmq here
+    password: CHANGE_ME
 
 # apps controls which apps will be installed and enabled in nextcloud
-apps:
-  - name: sociallogin
-    # apps[0].enabled needs to be set to true if you want to enable login via an external
-    # oauth server. In that case you need to configure all the values in `sociallogin`
-    enabled: false
-  - name: onlyoffice
-    enabled: true
+# apps:
+#   - name: sociallogin
+#     # apps[0].enabled needs to be set to true if you want to enable login via an external
+#     # oauth server. In that case you need to configure all the values in `sociallogin`
+#     enabled: false
+#   - name: onlyoffice
+#     enabled: true
 
 # sociallogin enables login via oAuth/Open-ID Connect
-sociallogin:
-  # Because of how we import these settings, single quotes (') are not allowed
-  # in any of the values below
-  custom_oidc:
-    name: stackspin
-    title: Stackspin
-    # The oAuth server needs to provide the endpoints `/userinfo`,
-    # `/oauth2/token` and `/oauth2/auth` and according to the oauth2 standard it
-    # needs to be accessible via https with valid certificates
-    authorizeUrl: https://sso.stackspin.example.net/oauth2/auth
-    tokenUrl: https://sso.stackspin.example.net/oauth2/token
-    userInfoUrl: https://sso.stackspin.example.net/userinfo
-    logoutUrl: ""
-    # The client name nextcloud will use to communicate with the oAuth server
-    clientId: nextcloud
-    # The password that nextcloud uses when communicating with the oauth server
-    # clientSecret: YouReallyNeedToChangeThis
-    scope: "openid profile email stackspin_roles"
-    # The name of a claim that the nextcloud server can retrieve by querying the
-    # userInfoUrl of the openID Connect server. For every value in the
-    # groups_claim a corresponding group with an `stackspin_` prefix will be created
-    # if they don't exist yet. The user will then be added to those groups.  If
-    # the claim contains the value `admin` the user will be granted admin
-    # privileges.
-    groupsClaim: "stackspin_roles"
-    style: ""
-    defaultGroup: ""
-    groupMapping:
-      admin: admin
+# sociallogin:
+#   # Because of how we import these settings, single quotes (') are not allowed
+#   # in any of the values below
+#   custom_oidc:
+#     name: stackspin
+#     title: Stackspin
+#     # The oAuth server needs to provide the endpoints `/userinfo`,
+#     # `/oauth2/token` and `/oauth2/auth` and according to the oauth2 standard it
+#     # needs to be accessible via https with valid certificates
+#     authorizeUrl: https://sso.stackspin.example.net/oauth2/auth
+#     tokenUrl: https://sso.stackspin.example.net/oauth2/token
+#     userInfoUrl: https://sso.stackspin.example.net/userinfo
+#     logoutUrl: ""
+#     # The client name nextcloud will use to communicate with the oAuth server
+#     clientId: nextcloud
+#     # The password that nextcloud uses when communicating with the oauth server
+#     # clientSecret: YouReallyNeedToChangeThis
+#     scope: "openid profile email stackspin_roles"
+#     # The name of a claim that the nextcloud server can retrieve by querying the
+#     # userInfoUrl of the openID Connect server. For every value in the
+#     # groups_claim a corresponding group with an `stackspin_` prefix will be created
+#     # if they don't exist yet. The user will then be added to those groups.  If
+#     # the claim contains the value `admin` the user will be granted admin
+#     # privileges.
+#     groupsClaim: "stackspin_roles"
+#     style: ""
+#     defaultGroup: ""
+#     groupMapping:
+#       admin: admin

values.yaml

+
 ---
 nextcloud:
   debug: false
@@ -19,10 +20,9 @@ nextcloud:
     enabled: true
     size: 2Gi
 
-  # Creates a kubernetes cronJob object that runs nextcloud's cron.php
-  # every 15 minutes (*/15 * * * *)
-  cronjob:
+  startupProbe:
     enabled: true
+    failureThreshold: 60
 
 apps:
   # OIDC consumer
@@ -201,3 +201,19 @@ sociallogin:
     defaultGroup: ""
     groupMapping:
       admin: admin
+
+tests:
+  image:
+    # TODO: Make a properly tagged Taiko-only image to use here
+    repository: open.greenhost.net:4567/stackspin/stackspin/stackspin-ci
+    tag: main
+    pullPolicy: IfNotPresent
+  ssoLogin:
+    # Set this to "true" to use the OIDC plugin to log in in the tests
+    # Otherwise, username "admin" and nextcloud.nextcloud.password are used
+    enabled: false
+    username: admin
+    passwordSecret:
+      name: stackspin-single-sign-on-variables
+      key: userbackend_admin_password
+      namespace: flux-system