Merge branch 'master' into 297-update-documentation-to-match-new-openappstack-cli

.gitlab-ci.yml

@@ -77,6 +77,7 @@ install:
     paths:
     - ./clusters
     expire_in: 1 month
+    when: always
   only:
     changes:
       - .gitlab-ci.yml

README.md

@@ -9,4 +9,3 @@ cluster.
 Please refer to https://docs.openappstack.net for further details,
 and to [the installation tutorial](docs/installation_instructions.md) for a step
 by step installation tutorial how to bootstrap your cluster.
-

ansible/group_vars/all/oas.yml

@@ -14,11 +14,12 @@ ansible_python_interpreter: "/usr/bin/env python3"
 
 # Nextcloud administrator password
 nextcloud_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/nextcloud_admin_password chars=ascii_letters') }}"
-# Nextcloud mariadb password for nextcloud db
 nextcloud_mariadb_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/nextcloud_mariadb_password chars=ascii_letters') }}"
-# Nextcloud mariadb root password
 nextcloud_mariadb_root_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/nextcloud_mariadb_root_password chars=ascii_letters') }}"
-# Grafana administrator password
+onlyoffice_jwt_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/onlyoffice_jwt_secret chars=ascii_letters') }}"
+onlyoffice_postgresql_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/onlyoffice_postgresql_password chars=ascii_letters') }}"
+onlyoffice_rabbitmq_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/onlyoffice_rabbitmq_password chars=ascii_letters') }}"
+
 grafana_admin_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/grafana_admin_password chars=ascii_letters') }}"
 
 # Kubernetes version
@@ -27,7 +28,8 @@ kubernetes_version: "v1.14.3-rancher1-1"
 # git repo versions
 git_charts_version: 'HEAD'
 git_local_storage_version: 'HEAD'
-git_nextcloud_version: '21aac1909edf5dc84eae067a536a16e16ca897fb'
+# version of the https://open.greenhost.net/openappstack/nextcloud repo
+git_nextcloud_version: '569aedb4e8831fb81c84f4087c142b739b9e6521'
 
 # Application versions
 # https://github.com/kubernetes-sigs/krew/releases

ansible/group_vars/all/settings.yml.example

@@ -19,3 +19,20 @@ helmfiles:
   - 10-nginx
   - 15-monitoring
   - 20-nextcloud
+
+# Optional, custom rke config.
+# I.e. you can set the desired Kubernetes version but please be aware of
+# the [every rke release has only a few supported kubernetes versions](https://rancher.com/docs/rke/latest/en/config-options/#kubernetes-version).
+#
+# rke_custom_config:
+#   kubernetes_version: "v1.14.3-rancher1-1"
+#
+# Another example is allowing to disable ipv6 in pods by
+# passing adding an additional argument to the kubelet:
+# `--allowed-unsafe-sysctls net.ipv6.conf.all.disable_ipv6`
+#
+# rke_custom_config:
+#   services:
+#     kubelet:
+#       extra_args:
+#         allowed-unsafe-sysctls: 'net.ipv6.conf.all.disable_ipv6'

ansible/roles/apps/tasks/helmfiles.yml

@@ -2,6 +2,7 @@
 - name: Clone nextcloud repo
   tags:
     - git
+    - nextcloud
   git:
     repo: 'https://open.greenhost.net/openappstack/nextcloud'
     dest: '{{ data_directory }}/source/repos/nextcloud'
@@ -10,6 +11,7 @@
 - name: Clone local-storage repo
   tags:
     - git
+    - local-storage
   git:
     repo: 'https://open.greenhost.net/openappstack/local-storage'
     dest: '{{ data_directory }}/source/repos/local-storage'
@@ -22,6 +24,9 @@
     - NEXTCLOUD_PASSWORD: "{{ nextcloud_password }}"
     - NEXTCLOUD_MARIADB_PASSWORD: "{{ nextcloud_mariadb_password }}"
     - NEXTCLOUD_MARIADB_ROOT_PASSWORD: "{{ nextcloud_mariadb_root_password }}"
+    - ONLYOFFICE_JWT_SECRET: "{{ onlyoffice_jwt_secret }}"
+    - ONLYOFFICE_POSTGRESQL_PASSWORD: "{{ onlyoffice_postgresql_password }}"
+    - ONLYOFFICE_RABBITMQ_PASSWORD: "{{ onlyoffice_rabbitmq_password }}"
     - GRAFANA_ADMIN_PASSWORD: "{{ grafana_admin_password }}"
   shell: |
     set -e -x -o pipefail

ansible/roles/apps/tasks/init.yml

@@ -47,6 +47,9 @@
     - config
     - helmfile
     - oas
+    - nextcloud
+    - prometheus
+    - nginx
   file:
     state: touch
     path: "{{ configuration_directory }}/values/apps/{{ item }}.yaml.gotmpl"

ansible/roles/rke_configuration/defaults/main.yml

-rke_configuration_location: "{{ data_directory }}/rke/cluster.yml"
-rke_ssh_key_path: "{{ data_directory }}/ssh/ssh_key"
-rke_ssh_agent_auth: "false"
-# Whether to support customer flexvolume driver plugins, by mounting the path
-# /usr/libexec/kubernetes/kubelet-plugins/volume/exec into kubelet.
-flexvolume_plugins: false

ansible/roles/rke_configuration/templates/cluster.yml.j2 → ansible/roles/rke_configuration/files/cluster-defaults.yml

-nodes:
-{% for node in groups['all'] %}
-- address: {{ hostvars[node]['ansible_host'] }}
-  # port: "22"
-  # internal_address: ""
-  role:
-{% if hostvars[node]['inventory_hostname'] in groups.master %}
-  - controlplane
-  - etcd
-{% endif %}
-{% if hostvars[node]['inventory_hostname'] in groups.worker %}
-  - worker
-{% endif %}
-  hostname_override: {{ hostvars[node]['inventory_hostname'] }}
-  user: {{ hostvars[node]['ansible_user'] }}
-  # docker_socket: /var/run/docker.sock
-  # ssh_key: ""
-{% if rke_ssh_key_path is defined %}
-  ssh_key_path: {{ rke_ssh_key_path }}
-{% else %}
-  # ssh_key_path: ""
-{% endif %}
-  # labels: {}
-{% endfor %}
+addon_job_timeout: 0
+addons: ''
+addons_include: []
+authentication:
+  options: {}
+  sans: []
+  strategy: x509
+authorization:
+  mode: rbac
+  options: {}
+bastion_host:
+  address: ''
+  port: ''
+  ssh_key: ''
+  ssh_key_path: ''
+  user: ''
+cloud_provider:
+  name: ''
+cluster_name: ''
+ignore_docker_version: false
+ingress:
+  extra_args: {}
+  node_selector: {}
+  options: {}
+  # Set this to none, so we can install nginx ourselves.
+  provider: none
+kubernetes_version: 'v1.14.3-rancher1-1'
+monitoring:
+  options: {}
+  provider: ''
+network:
+  options: {}
+  plugin: canal
+prefix_path: ''
+private_registries: []
 services:
   etcd:
-    image: ""
+    ca_cert: ''
+    cert: ''
+    creation: ''
     external_urls: []
-    ca_cert: ""
-    cert: ""
-    key: ""
-    path: ""
+    image: ''
+    key: ''
+    path: ''
+    retention: ''
     snapshot: false
-    retention: ""
-    creation: ""
   kube-api:
-    image: ""
-    service_cluster_ip_range: 10.43.0.0/16
-    service_node_port_range: ""
+    image: ''
     pod_security_policy: false
+    service_cluster_ip_range: 10.43.0.0/16
+    service_node_port_range: ''
   kube-controller:
-    image: ""
     cluster_cidr: 10.42.0.0/16
+    image: ''
     service_cluster_ip_range: 10.43.0.0/16
-  scheduler:
-    image: ""
   kubelet:
-    image: ""
+    cluster_dns_server: 10.43.0.10
+    cluster_domain: cluster.local
     extra_args:
-      containerized: "true"
-{% if flexvolume_plugins %}
-      volume-plugin-dir: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
-{% endif %}
+      containerized: 'true'
     extra_binds:
     # Make local storage work with persistent volumes that use `subpath`
     # see https://open.greenhost.net/openappstack/openappstack/issues/236
-    - "/:/rootfs:rshared"
-{% if flexvolume_plugins %}
-    - /usr/libexec/kubernetes/kubelet-plugins/volume/exec:/usr/libexec/kubernetes/kubelet-plugins/volume/exec
-{% endif %}
-    cluster_domain: cluster.local
-    infra_container_image: ""
-    cluster_dns_server: 10.43.0.10
+    - /:/rootfs:rshared
     fail_swap_on: false
+    image: ''
+    infra_container_image: ''
   kubeproxy:
-    image: ""
-network:
-  plugin: canal
-  options: {}
-authentication:
-  strategy: x509
-  options: {}
-  sans: []
-addons: ""
-addons_include: []
-ssh_agent_auth: {{ rke_ssh_agent_auth }}
-authorization:
-  mode: rbac
-  options: {}
-ignore_docker_version: false
-kubernetes_version: {{ kubernetes_version }}
-private_registries: []
-ingress:
-  # Set this to none, so we can install nginx ourselves.
-  provider: none
-  options: {}
-  node_selector: {}
-  extra_args: {}
-cluster_name: ""
-cloud_provider:
-  name: ""
-prefix_path: ""
-addon_job_timeout: 0
-bastion_host:
-  address: ""
-  port: ""
-  user: ""
-  ssh_key: ""
-  ssh_key_path: ""
-monitoring:
-  provider: ""
-  options: {}
+    image: ''
+  scheduler:
+    image: ''
+ssh_agent_auth: false

ansible/roles/rke_configuration/tasks/main.yml

@@ -29,8 +29,24 @@
   become: true
 
 
-- name: Copy rke cluster configuration file
-  template:
-    src: "cluster.yml.j2"
-    dest: "{{ rke_configuration_location }}"
+- name: Deploy rke cluster configuration file
+  tags:
+    - tmp
+    - rke
+  vars:
+    additional_config:
+      nodes:
+        - address: "{{ ansible_host }}"
+          hostname_override: "{{ inventory_hostname }}"
+          role:
+            - controlplane
+            - etcd
+            - worker
+          ssh_key_path: '/var/lib/OpenAppStack/ssh/ssh_key'
+          user: "{{ ansible_user }}"
+    # Allow undefined rke_custom_config variable
+    custom_config: "{{ rke_custom_config | default({}) }}"
+  copy:
+    content: "{{ lookup('file', 'cluster-defaults.yml') | from_yaml | combine(additional_config, custom_config, recursive=True) | to_nice_yaml(indent=2) }}"
+    dest: "{{ data_directory }}/rke/cluster.yml"
   become: true

docs/installation_instructions.md

@@ -4,9 +4,9 @@ This document describes how you can set up a single-node OpenAppStack cluster.
 Support for multi-node clusters will come in the future.
 
 > **NOTE:** All commands in these installation instructions need to be run on a
-> trusted machine that is *not* the VPS that will run OpenAppStack. The
-> installation process will generate some secrets that will be saved to this
-> machine.
+> trusted provisioning machine (i.e., your laptop) that is *not* the VPS that
+> will run OpenAppStack. The installation process will generate some secrets
+> that will be saved to this machine.
 
 If you encounter any difficulties while following these instructions, please
 [open an issue following our contact
@@ -40,27 +40,26 @@ guide][https://openappstack.net/contact.html).
 
 ## Install OpenAppStack command line tool
 
-On your **local machine**, clone the OpenAppStack git repository:
+On your **provisioning machine**, clone the OpenAppStack git repository:
 
     $ git clone https://open.greenhost.net/openappstack/openappstack.git
     $ cd openappstack
 
-If you installed `virtualenv`, create and activate it:
 
-    $ python3 -m venv env
-    $ . env/bin/activate
-
-Next, install the OpenAppStack CLI client by running the following commands: 
-
-First, create a python virtual environment called "env" that uses python 3. This
-makes sure we do not change any of your other python projects. The second command
-"activates" the virtualenv. 
+If you installed `virtualenv`, create a python virtual environment called "env"
+that uses python 3. This makes sure we do not change any of your other python
+projects. The second command "activates" the virtualenv. 
 
 > **NOTE:** Activating the virtualenv means you will use that environment to
 > install and run python programs instead of your global environment. If you
 > close your terminal or open a new one, you need to activate the virtualenv
 > again.
 
+    $ python3 -m venv env
+    $ . env/bin/activate
+
+Next, install the OpenAppStack CLI client by running the following commands: 
+
     $ pip3 install -r requirements.txt
 
 > *Hint:* if the `pip3 install` command results in a [segmentation
@@ -182,12 +181,21 @@ issue](https://open.greenhost.net/openappstack/openappstack/issues/317)
 Before you continue, if you have not made DNS entries with the CLI tool, you
 need to make them now. It is important to start with configuring DNS because
 depending on your DNS setup/provider, it takes a while (sometimes hours) to
-propagate. You need one dedicated (sub)domain entry and a wild card entry for
-everything inside it. For example, create these two records for your domain:
+propagate. 
+
+You need one dedicated (sub)domain entry and a wildcard entry for everything
+inside it. For example, create an A record for these domains:
 
 - An `A` record `oas.example.org` pointing to the VPSs IP address
 - A `CNAME` record `*.oas.example.org` pointing to `oas.example.org`.
 
+OpenAppStack will fetch https certificates with [Let's
+Encrypt](https://letsencrypt.org) by default. In order to do this DNS entries
+need to be created.  If you don't need https certificates for your cluster while
+testing you can skip this step. Please be aware of the limitations of this:
+
+- Onlyoffice won't work since it requires a valid certificate connecting to Nextcloud.
+- You need to be able to resolve the domain names locally.
 
 ### Installation
 
@@ -226,7 +234,7 @@ When the installation is completed, you will have access to these applications:
   your cluster. Read more about Grafana in the [monitoring chapter
   below](#monitoring)
 
-You can access Nextcloud via https://files.oas.example.org. Use the username
+You can access Nextcloud via https://files.example.org. Use the username
 `admin` with the automatically generated Nextcloud password that you can find in
 `clusters/maarten/secrets/nextcloud_admin_password` on your local machine.
 ONLYOFFICE is already integrated in your Nextcloud installation which allows you

helmfiles/values/nextcloud.yaml.gotmpl

@@ -27,9 +27,6 @@ nextcloud:
           log_not_found off;
           access_log off;
         }
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
-          try_files $uri /index.php$request_uri;
-        }
     hosts:
       - "files.{{ .Environment.Values.domain }}"
     tls:
@@ -82,3 +79,9 @@ onlyoffice-documentserver:
 
   onlyoffice:
     server_name: "office.{{ .Environment.Values.domain }}"
+  jwtSecret: "{{ requiredEnv "ONLYOFFICE_JWT_SECRET" }}"
+  postgresql:
+    postgresqlPassword: "{{ requiredEnv "ONLYOFFICE_POSTGRESQL_PASSWORD" }}"
+  rabbitmq:
+    rabbitmq:
+      password: "{{ requiredEnv "ONLYOFFICE_RABBITMQ_PASSWORD" }}"

openappstack/__main__.py

@@ -296,11 +296,12 @@ def test(clus, args):
             log.info(command)
             command.append('-t {tag}'.format(tag=tag))
         log.info('Running behave command %s', command)
-        behave_main(command)
+        return_code = behave_main(command)
 
         # Remove behave.ini so we don't leave secrets hanging around.
         os.remove(behave_ini)
 
+        sys.exit(return_code)
 
 def create_domain_records(domain, droplet_ip, subdomain=None):
     """

openappstack/cluster.py

@@ -199,6 +199,8 @@ class Cluster:
         behave_config['behave.userdata']['nextcloud.username'] = 'admin'
         behave_config['behave.userdata']['nextcloud.password'] = \
             nextcloud_admin_password
+        behave_config['behave.userdata']['onlyoffice.url'] = \
+            'https://office.{}/welcome'.format(self.domain)
 
         behave_config['behave.userdata']['grafana.url'] = \
             'https://grafana.{}'.format(self.domain)

test/behave/features/nextcloud.feature

@@ -4,6 +4,10 @@ Feature: Test nextcloud admin login
   I want to be able to login to nextcloud as the user admin
   And I want to be able to open a document in OnlyOffice
 
+Scenario: Test OnlyOffice welcome screen
+  When I open the onlyoffice URL
+  Then I expect that element "#status-ok-icon" is visible
+
 Scenario: Open nextcloud
   When I open the nextcloud URL
   Then I wait on element "input#user" for 25000ms to be visible
@@ -22,6 +26,7 @@ Scenario: Login to nextcloud
 Scenario: Close welcome to nextcloud modal
   When I close the nextcloud welcome wizard if it exists
   Then I wait on element "#firstrunwizard" for 1000ms to not exist
+  And I wait on element ".actions a.button.new" for 5000ms to be visible
 
 Scenario: Create a new document in OnlyOffice
   When I click on the element ".actions a.button.new"

test/behave/features/steps/login.py

@@ -10,6 +10,13 @@ from behave_webdriver.steps import *
 def before_all(context):
     pass  # login and save cookies here
 
+@when(u'I open the onlyoffice URL')
+@given(u'I open the onlyoffice URL')
+def step_impl(context):
+    """Open onlyoffice URL."""
+    print(context.nextcloud)
+    context.behave_driver.get(context.config.userdata.get('onlyoffice.url'))
+
 @when(u'I open the nextcloud URL')
 @given(u'I open the nextcloud URL')
 def step_impl(context):
@@ -23,7 +30,6 @@ def step_impl(context):
     """Open grafana URL."""
     context.behave_driver.get(context.grafana['url'])
 
-
 @when(u'I enter the "{section}" "{cred_type}" in the inputfield "{element}"')
 def step_impl(context, section, cred_type, element):
     """Enter username/password into login inputfields."""