owncloud / ocis-charts Goto Github PK

View Code? Open in Web Editor NEW

46.0 19.0 26.0 3.05 MB

:chart_with_upwards_trend: Helm Charts for ownCloud's OCIS

Home Page: https://owncloud.dev/ocis/deployment/kubernetes/

License: Apache License 2.0

Mustache 41.15% Smarty 17.61% Starlark 24.06% Makefile 17.18%

helm kubernetes ocis cloud-native containers devops

ocis-charts's Introduction

ownCloud Infinite Scale Community Kubernetes Helm Charts

The code is provided as-is with no warranties.

Warning

As of 11.07.2024 we switched the branching model used in this chart. main will now contain the future oCIS 6 adjustments, while oCIS 5 will be contained in stable-5. Please change your chart usage accordingly.

Usage

Helm must be installed to use the charts. Please refer to Helm's documentation to get started.

This chart repository and it's charts are still in an experimental phase, and it has not yet been published. For instructions on how to run it anyways the the respective chart's readme.

Chart documentation is available in oCIS directory.

List of breaking changes by version

Please check the documentation for breaking changes by version: doc.owncloud.com

Contributing

We'd love to have you contribute! Please refer to our contribution guidelines for details.

License

Apache 2.0 License.

ocis-charts's People

Contributors

Stargazers

Watchers

ocis-charts's Issues

random secrets and store them in secrets

We must not have secrets in the values.yaml

secrets:
  jwt: xxx
  machineAuth: xxx
  transfer: xxx

remove settings persistence

The settings service will use the metadata storage service for persistence and therefore will no longer need a persistent volume

Use unique names -- include release name

This is the first Helm Chart I've encountered that don't include the release name in the names of created object. If I helm install mycloud ocis/ocis, I expect deployments/services/... objects to be named mycloud-web, mycloud-proxy, ... so they don't conflict with other installed charts.

This is even the default in the helm create chart. Why did you get rid of the fullname macro? This is dangerous.

Track breaking chart version changes

We have a note in the documentation that a major (breaking) chart change needs manual intervention, but there is nothing described about how to identify the relevant change.

When we will introduce tagging, I propose a change file or files which document the changes from one tagged version to the next which we can include into the documentation. This will help readers to quickly identify those items to take a closer look on.

The HowTo needs to be discussed, but I guess it can be achieved via script.

@wkloucek @dragonchaser

Implement NetworkPolicy

https://cloud.redhat.com/blog/guide-to-kubernetes-ingress-network-policies

improve CI

do linting
run the chart in CI
do some testing
generate chart documentation
publish the helm chart on github pages (https://github.com/helm/chart-releaser) and choose a domain (owncloud.dev?)

add optional ingress for the cs3api gateway

One may want to use the cs3api from outside the cluster. Therefore we need to add an optional ingress

values.adoc.yaml description improvements

In both values.adoc.yaml file and the description table file an update is needed.
This is because in the original file, links to external pages are written in markdown style like:
[cs3org/wopiserver](https://github.com/cs3org/wopiserver)

To make it usable for Antora/Asciidoc, this must be written like:
https://github.com/cs3org/wopiserver[cs3org/wopiserver]

Some templates are missing metadata.namespace

Some templates are missing metadata.namespace. Particularly I noticed it in the templates/_secrets ones.

At first sight this seems like a mistake?

make this chart minikube friendly

This chart should be easily runable on minikube.

Though there are currently some pitfalls which needs to be addressed:

oCIS relies on the external fqnd (OCIS_URL) inside the cluster
OCIS relies on the exact port match when setting OCIS_URL but minikube tunnel does use random ports
the oCIS chart relies on external ingress as of #2

should we provide an operator instead of a helm-chart?

Operators have possibilites, that a helm-chart doesn't have: https://kubernetes.io/docs/concepts/extend-kubernetes/operator/

More resources:

There is the Operator SDK that allows one to package a Helm chart as operator or program the operator in Go.
We could start with the Helm operator and transition (rewrite) the operator in Go, if we need so.

Transportability of operators between different Kubernetes distributions is mainly dependent on the Resource Classes, one uses (just like in Helm charts).

We could use the operator for maintenance tasks as:

generating secrets & certificates if not provided (this is hard with plain Helm)
certificate rotation (this is hard with plain Helm)
backup & restore
migration

Operator examples to look at:

etcd operatorhttps://github.com/coreos/etcd-operator (but is archived)
Red Hat CodeReady Workspaces, but where does the Code live?

remove or scale store

the store is currently not scaleable, see also owncloud/ocis#3913

change default bind passwords for the IDP and REVA ldap users

currently we use the default LDAP bind passwords for the REVA and IDP bind users. They also need to be configurable for #5

use new public share manager (with metadata storage backend)

cs3org/reva#2644 moves the public shares in the public share manager from local disk to the metadata storage. Therefore we need to adapt config and volumes

Add an env map as a fallback for options not yet supported

I'm currently using OCIS with this chart: https://github.com/k8s-at-home/charts/blob/master/charts/stable/owncloud-ocis/
and setting options like this:

# -- environment variables. See more environment variables in the [ownclohttps://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml# @default -- See below
env:
  OCIS_LOG_LEVEL: debug #info
  # -- Set the container timezone
  TZ: UTC
  # PROXY_ENABLE_BASIC_AUTH: "true"
  ACCOUNTS_DEMO_USERS_AND_GROUPS: false
  OCIS_URL: https://
  PROXY_TLS: false
  # OIDC
  PROXY_AUTOPROVISION_ACCOUNTS: "true"
  PROXY_OIDC_ISSUER: https://
  WEB_OIDC_AUTHORITY: https://
  WEB_OIDC_CLIENT_ID: owncloud-web
  STORAGE_OIDC_ISSUER: https://
  STORAGE_FRONTEND_PUBLIC_URL: http://localhost:9200
  # activate s3ng storage driver
  STORAGE_HOME_DRIVER: s3ng
  STORAGE_USERS_DRIVER: s3ng
  STORAGE_METADATA_DRIVER: ocis # keep metadata on ocis storage since this are only small files atm
  STORAGE_USERS_DRIVER_S3NG_ENDPOINT: https://
  STORAGE_USERS_DRIVER_S3NG_REGION: 
  # App registry
  STORAGE_APP_REGISTRY_MIMETYPES_JSON: /config/mimetypes.json
  # Theme
  WEB_UI_THEME_SERVER: https://public.internetapi.cn
  WEB_UI_THEME_PATH: /internal/ocis-theme.json

Can we also add a env map as a fallback for options not yet supported? So people can start using this chart sooner.

oidc without external ldap?

I'm trying to hookup authentik with ocis, but it seems the helm chart requires an external ldap server when using authentik. I'm confused how to get that going?

switch to jsoncs3 share manager

As of oCIS 2.0.0-beta.8 the jsonCS3 share manager (public and user shares) is available.

We should allow to switch (one needs to run a migration command) to the jsonCS3 manager.

document persistent volume sizing

write documentation about the sizing of PVs, eg

ocis-charts/charts/ocis/values.yaml

Line 350 in 88a271d

size: 5Gi

For the storage-users service we also need to account the storage driver (oCIS vs S3ng) and the cleanup cronjob

remove service user idp setting

remove the METADATA_SERVICE_USER_IDP setting after owncloud/ocis#3343 is fixed

scale and persist NATS

NATS is currently started as an oCIS service.
How can we scale it?
How do we persist event streams?
Should we switch to a NATS Helmchart? -> https://docs.nats.io/running-a-nats-service/nats-kubernetes/helm-charts

Improve values-desc-table.adoc output

We describe in values.yaml how "defaults" are defined. This file is then transformed via a script and the values-desc-table.adoc.gotmpl to the final adoc file.

My question is, could we improve the script in a way that it transforms http://<pod>: --> \http://<pod>: (adding a backslash at the beginning) and as special bounus wrap the complete link in backticks. This would tell antora not to create a resolvable link (which cant be resolved by link checkers) but highlights it when rendered. This is only necessary for the adoc table description output.

Preferable a list of possible links to be processed like that when starting with:... would be ideal to be open for any upcoming links.

remove storageSharing persistence

The storage sharing service will use the metadata storage service for persistence and therefore will no longer need a persistent volume

Add values schema

Add a values schema, like eg. #57 tried to do it.

Needed for eg. a OpenShift Helm chart certification (https://redhat-connect.gitbook.io/partner-guide-for-red-hat-openshift-and-container/helm-chart-certification/helm-chart-requirements)

We should find a way to enforce the proper adaption of the schema in future PRs.

clean up aborted uploads

run ocis storage-users uploads clean as a cron job to clean up aborted uploads

add option to enable encrypted communication

NATS / event bus (see also #105)
GRCP
http, e.g. use PROXY_HTTPS_CACERT to trust self signed domains

Issue warning if best practices are not followed for current configuration

issue a warning (similar to the one for peristence), when ...

the idm or idp is used (no external user management configured)
nats is used (no external nats is configured, see also #12)
no external cache is configured (see also #108)
basic authentication is enabled
insecure options are set
service are not scaled (see #15)
ocis image tag is not a semver version!?
demo users are enabled
email authentication is "none"

use external IDP and IDM

add the possibility to use an external IDP and IDM instead of the internal one

persistence as a globale parameter?

Hi Folks,

comin from community maintained nextcloud chart locking for some more cloud-native "Storage-Cloud".
Your Chart and the docs look good so far! ❤️
I try to configure this chart on my k8s, atm i configure the persistence Parameter, would it maybe be useful to have a global Parameter for persistence? Or maybe a "feature" for this.

define supported kubernetes api versions

define supported kubernetes api versions on which this helm chart is supported

don't set `*_INSECURE` variables to true

On a production instance with valid ssl certificates there is no need to set _INSECURE variables to true. Currently we have some hardcoded to true.

We should default them to false or remove them at all (can we easily set up a CA in Kubernetes?)

unknown field "secretRef" in io.k8s.api.core.v1.EnvVar

$ helm upgrade --install -f values.yaml ocis ./ocis
Release "ocis" does not exist. Installing it now.
Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: [ValidationError(Deployment.spec.template.spec.containers[0].env[8]): unknown field "secretRef" in io.k8s.api.core.v1.EnvVar, ValidationError(Deployment.spec.template.spec.containers[0].env[9]): unknown field "secretRef" in io.k8s.api.core.v1.EnvVar]

Sounds like some keys are missing in the yaml template?

add affinity settings

add settings to inject:

affinity
anti-affinity

add simple oCIS deployment

add a simple oCIS deployment chart:

for at home use / with single or double digit user numbers
resource saving by not starting every service individually
allow flexible configuration to eg. use an external OIDC IDP

(ownCloud internal info: base that on the ocis-beta instances deployment)

service registry

oCIS partially implements a service registry.

There are reasons for not using it in Kubernetes, because we would loose Kubernetes features like:

~~https://kubernetes.io/docs/concepts/services-networking/service-topology/~~ https://kubernetes.io/docs/concepts/services-networking/topology-aware-hints/

add notifications service

we now have notifications service to send emails. We need to start that and expose email configuration

graph pod expects graph-ldap-bind-password in ldap-bind-secrets

The documentation is missing the graph-ldap-bind-password in ldap-bind-secrets when setting up cis with an external ids and ldap provider

Events:
  Type     Reason     Age                     From               Message
  ----     ------     ----                    ----               -------
  Normal   Scheduled  6m36s                   default-scheduler  Successfully assigned cloud-idp/graph-5994fd888d-fskff to worker-ash-bvv
  Warning  Failed     4m22s (x12 over 6m36s)  kubelet            Error: couldn't find key graph-ldap-bind-password in Secret cloud-idp/ldap-bind-secrets
  Normal   Pulled     96s (x25 over 6m36s)    kubelet            Container image "owncloud/ocis:2.0.0" already present on machine

Solved by adding it to the secret

apiVersion: v1
kind: Secret
metadata:
  name: ldap-bind-secrets
  namespace: cloud-idp
type: Opaque
data:
  # Base64 encoded password for the LDAP bind user.
  reva-ldap-bind-password: notSecretPassword (as base64 decoded string)
  graph-ldap-bind-password: notSecretPassword (as base64 decoded string)

`storage-metadata` service panics on gRPC calls from `accounts` service

storage-metadata service panics on gRPC calls from accounts service:

I'm using the latest commit of the chart, persistent volumes are mounted successfully.

Error log from storage-metadata pod:

goroutine 516 [running]:
runtime/debug.Stack()
	runtime/debug/stack.go:24 +0x65
runtime/debug.PrintStack()
	runtime/debug/stack.go:16 +0x19
github.com/cs3org/reva/v2/internal/grpc/interceptors/recovery.recoveryFunc({0x40b3cc0, 0xc0013d4660}, {0x3b67c40, 0x5a13ee0})
	github.com/cs3org/reva/[email protected]/internal/grpc/interceptors/recovery/recovery.go:48 +0x31
github.com/grpc-ecosystem/go-grpc-middleware/recovery.recoverFrom({0x40b3cc0, 0xc0013d4660}, {0x3b67c40, 0x5a13ee0}, 0xc000d10940)
	github.com/grpc-ecosystem/[email protected]/recovery/interceptors.go:61 +0x36
github.com/grpc-ecosystem/go-grpc-middleware/recovery.UnaryServerInterceptor.func1.1()
	github.com/grpc-ecosystem/[email protected]/recovery/interceptors.go:29 +0x7b
panic({0x3b67c40, 0x5a13ee0})
	runtime/panic.go:1038 +0x215
github.com/cs3org/reva/v2/pkg/storage/utils/decomposedfs/node.(*Node).InternalPath(...)
	github.com/cs3org/reva/[email protected]/pkg/storage/utils/decomposedfs/node/node.go:457
github.com/cs3org/reva/v2/pkg/storage/utils/decomposedfs.(*Decomposedfs).CreateStorageSpace(0xc0001d22d0, {0x40b3cc0, 0xc0013d4960}, 0xc0000c2a80)
	github.com/cs3org/reva/[email protected]/pkg/storage/utils/decomposedfs/spaces.go:94 +0x4a0
github.com/cs3org/reva/v2/internal/grpc/services/storageprovider.(*service).CreateStorageSpace(0xc0001d2320, {0x40b3cc0, 0xc0013d4960}, 0xc0000c2a80)
	github.com/cs3org/reva/[email protected]/internal/grpc/services/storageprovider/storageprovider.go:435 +0x46
github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1._ProviderAPI_CreateStorageSpace_Handler.func1({0x40b3cc0, 0xc0013d4960}, {0x3ed6920, 0xc0000c2a80})
	github.com/cs3org/[email protected]/cs3/storage/provider/v1beta1/provider_api.pb.go:5948 +0x78
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.UnaryServerInterceptor.func1({0x40b3cc0, 0xc0013d4870}, {0x3ed6920, 0xc0000c2a80}, 0xc0008fc040, 0xc0001b2c30)
	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/[email protected]/interceptor.go:325 +0x61c
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1({0x40b3cc0, 0xc0013d4870}, {0x3ed6920, 0xc0000c2a80})
	github.com/grpc-ecosystem/[email protected]/chain.go:25 +0x3a
github.com/cs3org/reva/v2/internal/grpc/interceptors/auth.NewUnary.func1({0x40b3cc0, 0xc0013d4660}, {0x3ed6920, 0xc0000c2a80}, 0xc0008fc040, 0xc0008fc060)
	github.com/cs3org/reva/[email protected]/internal/grpc/interceptors/auth/auth.go:127 +0x41b
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1({0x40b3cc0, 0xc0013d4660}, {0x3ed6920, 0xc0000c2a80})
	github.com/grpc-ecosystem/[email protected]/chain.go:25 +0x3a
github.com/grpc-ecosystem/go-grpc-middleware/recovery.UnaryServerInterceptor.func1({0x40b3cc0, 0xc0013d4660}, {0x3ed6920, 0xc0000c2a80}, 0xc0010b33f8, 0x490997)
	github.com/grpc-ecosystem/[email protected]/recovery/interceptors.go:33 +0xc8
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1({0x40b3cc0, 0xc0013d4660}, {0x3ed6920, 0xc0000c2a80})
	github.com/grpc-ecosystem/[email protected]/chain.go:25 +0x3a
github.com/cs3org/reva/v2/internal/grpc/interceptors/log.NewUnary.func1({0x40b3cc0, 0xc0013d4660}, {0x3ed6920, 0xc0000c2a80}, 0xc0008fc040, 0xc0008fc0a0)
	github.com/cs3org/reva/[email protected]/internal/grpc/interceptors/log/log.go:39 +0x9a
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1({0x40b3cc0, 0xc0013d4660}, {0x3ed6920, 0xc0000c2a80})
	github.com/grpc-ecosystem/[email protected]/chain.go:25 +0x3a
github.com/cs3org/reva/v2/internal/grpc/interceptors/useragent.NewUnary.func1({0x40b3cc0, 0xc0013d4660}, {0x3ed6920, 0xc0000c2a80}, 0x1, 0xc0008fc0c0)
	github.com/cs3org/reva/[email protected]/internal/grpc/interceptors/useragent/useragent.go:38 +0xe9
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1({0x40b3cc0, 0xc0013d4660}, {0x3ed6920, 0xc0000c2a80})
	github.com/grpc-ecosystem/[email protected]/chain.go:25 +0x3a
github.com/cs3org/reva/v2/internal/grpc/interceptors/token.NewUnary.func1({0x40b3cc0, 0xc0013d45d0}, {0x3ed6920, 0xc0000c2a80}, 0x3f9be00, 0xc0008fc0e0)
	github.com/cs3org/reva/[email protected]/internal/grpc/interceptors/token/token.go:44 +0x159
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1({0x40b3cc0, 0xc0013d45d0}, {0x3ed6920, 0xc0000c2a80})
	github.com/grpc-ecosystem/[email protected]/chain.go:25 +0x3a
github.com/cs3org/reva/v2/internal/grpc/interceptors/appctx.NewUnary.func1({0x40b3cc0, 0xc0013d44b0}, {0x3ed6920, 0xc0000c2a80}, 0x18, 0xc0008fc100)
	github.com/cs3org/reva/[email protected]/internal/grpc/interceptors/appctx/appctx.go:42 +0x5ab
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1({0x40b3cc0, 0xc0013d44b0}, {0x3ed6920, 0xc0000c2a80})
	github.com/grpc-ecosystem/[email protected]/chain.go:25 +0x3a
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1({0x40b3cc0, 0xc0013d44b0}, {0x3ed6920, 0xc0000c2a80}, 0xc0000a1bd0, 0x3b66860)
	github.com/grpc-ecosystem/[email protected]/chain.go:34 +0xbf
github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1._ProviderAPI_CreateStorageSpace_Handler({0x3fd7440, 0xc0001d2320}, {0x40b3cc0, 0xc0013d44b0}, 0xc0000c2a20, 0xc00141adb0)
	github.com/cs3org/[email protected]/cs3/storage/provider/v1beta1/provider_api.pb.go:5950 +0x138
google.golang.org/grpc.(*Server).processUnaryRPC(0xc00184e000, {0x40e3338, 0xc0007691e0}, 0xc0010f4480, 0xc000e5a7e0, 0x5a342b0, 0x0)
	google.golang.org/[email protected]/server.go:1282 +0xccf
google.golang.org/grpc.(*Server).handleStream(0xc00184e000, {0x40e3338, 0xc0007691e0}, 0xc0010f4480, 0x0)
	google.golang.org/[email protected]/server.go:1619 +0xa2a
google.golang.org/grpc.(*Server).serveStreams.func1.2()
	google.golang.org/[email protected]/server.go:921 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/[email protected]/server.go:919 +0x294
2022-05-09T08:23:33Z ERR runtime error: invalid memory address or nil pointer dereference pkg=rgrpc service=storage traceid=00000000000000000000000000000000
2022-05-09T08:23:33Z ERR unary code=Internal end="09/May/2022:08:23:33 +0000" from=tcp://172.16.10.226:58786 pkg=rgrpc service=storage start="09/May/2022:08:23:33 +0000" time_ns=16548482 traceid=00000000000000000000000000000000 uri=/cs3.storage.provider.v1beta1.ProviderAPI/CreateStorageSpace user-agent=grpc-go/1.45.0
2022-05-09T08:23:44Z DBG refreshing external service-registration service={"endpoints":[],"metadata":null,"name":"com.owncloud.storage.metadata","nodes":[{"address":"0.0.0.0:9215","id":"com.owncloud.storage.metadata-5e906fea-03c1-4209-ae9b-63eaa0818399","metadata":{"broker":"http","protocol":"grpc","registry":"kubernetes","server":"grpc","transport":"grpc"}}],"version":"1.19.1"}

Error log from accounts pod:

2022-05-09T08:22:04Z ERR handler init error="could not create metadata storage: cs3 backend was configured but failed to start: rpc error: code = Internal desc = runtime error: invalid memory address or nil pointer dereference" service=accounts

Supported Kubernetes versions in descending order

When reading the documentation, imho the supported Kubernetes versions should be in descending order (highest first), this is the referenced table which is in ascending order atm.

Switch/enable liveness checks for idm, nats, audit and notification

The idm, nats, audits and notification service currently provide no/incomplete debug endpoints. Fix the health checks for those, once owncloud/ocis#5002 and owncloud/ocis#5003 are fixed.

scale all services

currently there are some services that are not being scaled.

ensure that no service has replicas: 1, and that every service has an optional resource HorizontalPodAutoscaler

expose per service resource configuration

Instead of having a global resources configuration

ocis-charts/charts/ocis/values.yaml

Lines 297 to 304 in ebaafbb

 # -- Resources to apply to all services. 

 resources: {} 

 # limits: 

 # cpu: 100m 

 # memory: 128Mi 

 # requests: 

 # cpu: 100m 

 # memory: 128Mi

we need to expose per service resources configuration, like we did it on experimental for some services: c0d7a57

external dependencies

we have some external dependencies:

ldap server / IDM
OIDC provider / IDP
event bus (NATS)
cache (eg. redis)
WOPI office application, eg. Collabora / OnlyOffice
WOPi server

Including them all into our chart will become a huge mess.
We need to decide how to document them and if we provide deployment examples for them.

inital admin user with random password

create an inital admin user with random password

office integration

TODO

how to scale the app providers
how to scale the app registry, see also owncloud/ocis#3832

Already done

Document external dependencies

how to run cs3org/wopiserver https://github.com/cs3org/charts/tree/master/wopiserver
how to run Collabora https://github.com/CollaboraOnline/online/tree/master/kubernetes/helm/collabora-online
how to run OnlyOffice https://github.com/ONLYOFFICE/Kubernetes-Docs

-> see https://github.com/owncloud/ocis-charts/tree/master/deployments/ocis-office

oCIS

how to start multiple app providers (per web office)

-> see

ocis-charts/charts/ocis/values.yaml

Lines 191 to 215 in 567df01

 officeSuites: 

 - # -- Name of the office suite. Will be displayed to the users. 

 name: Collabora 

 # -- Enables the office suite. 

 enabled: false 

 # -- URI of the office suite. 

 uri: https://collabora.owncloud.test 

 # -- URI for the icon of the office suite. Will be displayed to the users. 

 iconURI: https://collabora.owncloud.test/favicon.ico 

 # -- Disables SSL certificate checking for connections to the office suites http api. 

 # Not recommended for production installations. 

 insecure: false 

 - # -- Name of the office suite. Will be displayed to the users. 

 name: OnlyOffice 

 # -- Enables the office suite. 

 enabled: false 

 # -- URI of the office suite. 

 uri: https://onlyoffice.owncloud.test 

 # -- URI for the icon of the office suite. Will be displayed to the users. 

 iconURI: https://onlyoffice.owncloud.test/web-apps/apps/documenteditor/main/resources/img/favicon.ico 

 # -- Disables SSL certificate checking for connections to the office suites http api. 

 # Not recommended for production installations. 

 insecure: false 

 # -- Disables Chat functionality of OnlyOffice 

 disableChat: false

Kubernetes 1.20.x is EOL

https://kubernetes.io/releases/patch-releases/#non-active-branch-history

Should we remove it from the supported versions? From an API perspective we are still compatible.

make it easier to set up secrets

creating secrets for the oCIS chart is a manual process currently. We should aim at making this easier.

Can't login as local admin - stuck in "access denied" loop

Problem

The deployment seems to go OK and I can reach the web UI using a LE-signed certificate. I get the login prompt and enter the credentials ("admin" and the password from secret). It logs me in but then immediately redirects to a brief "access denied" message before looping endlessly.

Technical Information

Kubernetes: v1.25.4 (microk8s, latest)
Helm: v3.10.3
OCIS: v0.1.0 (git tag)

Install

$ helm install ocis ./charts/ocis --values ../values.yaml
NAME: ocis
LAST DEPLOYED: Thu Jan  5 20:16:44 2023
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
You're now running

You can get the initial "admin" administrator user password by running:

kubectl -n <namespace> get secrets/admin-user --template='{{.data.password | base64decode}}'

values.yaml

externalDomain: owncloud.apps.k8s.example.com
ingress:
  enabled: true
  ingressClassName: nginx
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: 1024m
    cert-manager.io/cluster-issuer: ingress-issuer
  tls:
  - hosts:
    - owncloud.apps.k8s.example.com
    secretName: owncloud-tls-secret

Web browser console output

2vendor-63563129.js:18 [UserManager] getUser: user not found in storage
vendor-63563129.js:18 [UserManager] signinRedirectCallback: success, signed in subject vn047YDEoJdbFHQ7@x0o8AjgeB8vaEK8M5rD1nIR359aUVKRXsY8LSSOCzV_8rJwROifQQAn9PxBxgomJlmPNEQ
vendor-63563129.js:18 [UserManager] getUser: user loaded
vendor-63563129.js:69          GET https://owncloud.apps.k8s.example.com/ocs/v1.php/cloud/user 401

(anonymous) @ oidc-callback?code=8SZsDYCDhI9Tr4sLHTFYE3Yzl5F-ZLkm&scope=email%20openid%20profile&session_state=3e9554d246b5d51a8b74198a6a0718353f6f8f1861d7c9fef14fe7557418dc00.uLU43RPb_o1qLypgjg2OyzvjkzL4qx-7qOg4mWBEVBg&state=65868ecd3490470bbe26eb37ac4f7d88:87

vendor-63563129.js:18 Uncaught (in promise) Error: Redirected when going from "/oidc-callback?code=8SZsDYCDhI9Tr4sLHTFYE3Yzl5F-ZLkm&scope=email%20openid%20profile&session_state=3e9554d246b5d51a8b74198a6a0718353f6f8f1861d7c9fef14fe7557418dc00.uLU43RPb_o1qLypgjg2OyzvjkzL4qx-7qOg4mWBEVBg&state=65868ecd3490470bbe26eb37ac4f7d88" to "/files/spaces/personal" via a navigation guard.

documentation needs fixes

fix documentation for:

secrets/admin-user: password is not used when external user management feature is enabled
external ldap insecure option and ldap-ca secret

audit service

ocis has an audit service which needs to be added

Configuration - adoc (Antora) table

As discussed, the following is a test table showing which table definition is necessary for a working output. Note that I have:

added more rows with different content for test purposes
added comments to the first content cells which show the possible go definition
see the + characters needed for passthru, in this example to render mustache brackets properly
see the xref definition to link to a particular section header

[caption=]
.value.yaml configuration description
[width="100%",cols="~,~,~,~",options="header"]
|===
| Key
| Type
| Default Value
| Description

| `secretRefs.storageSystemJwtSecretRef` 
// `{{$key_value }}` 

a| [subs=-attributes]
+string+
// +{{$type_value }}+

a| [subs=-attributes]
+"storage-system-jwt-secret"+
// +{{.default_value}}+

a| [subs=-attributes]
Reference to an existing storage-system secret (see xref:secrets[Secrets])
// {{.description}}

| `services.idm.persistence.accessModes` 
a| [subs=-attributes]
+list+
a| [subs=-attributes]
+["ReadWriteMany"]+
a| [subs=-attributes]
Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.

| `services.idm.persistence.annotations` 
a| [subs=-attributes]
+object+
a| [subs=-attributes]
+{}+
a| [subs=-attributes]
Persistent volume annotations.

|===

@wkloucek @dragonchaser fyi

	# -- Resources to apply to all services.
	resources: {}
	# limits:
	# cpu: 100m
	# memory: 128Mi
	# requests:
	# cpu: 100m
	# memory: 128Mi

	officeSuites:
	- # -- Name of the office suite. Will be displayed to the users.
	name: Collabora
	# -- Enables the office suite.
	enabled: false
	# -- URI of the office suite.
	uri: https://collabora.owncloud.test
	# -- URI for the icon of the office suite. Will be displayed to the users.
	iconURI: https://collabora.owncloud.test/favicon.ico
	# -- Disables SSL certificate checking for connections to the office suites http api.
	# Not recommended for production installations.
	insecure: false
	- # -- Name of the office suite. Will be displayed to the users.
	name: OnlyOffice
	# -- Enables the office suite.
	enabled: false
	# -- URI of the office suite.
	uri: https://onlyoffice.owncloud.test
	# -- URI for the icon of the office suite. Will be displayed to the users.
	iconURI: https://onlyoffice.owncloud.test/web-apps/apps/documenteditor/main/resources/img/favicon.ico
	# -- Disables SSL certificate checking for connections to the office suites http api.
	# Not recommended for production installations.
	insecure: false
	# -- Disables Chat functionality of OnlyOffice
	disableChat: false

owncloud / ocis-charts Goto Github PK

ocis-charts's Introduction

ownCloud Infinite Scale Community Kubernetes Helm Charts

Usage

List of breaking changes by version

Contributing

License

ocis-charts's People

Contributors

Stargazers

Watchers

Forkers

ocis-charts's Issues

TODO

Already done

Document external dependencies

oCIS

Problem

Technical Information

Recommend Projects

Recommend Topics

Recommend Org