- added insecure switch
- added deployment example
d7oc committed Oct 8, 2024
1 parent 5fb861d commit 57c04d7
Showing 5 changed files with 347 additions and 0 deletions.
4 changes: 4 additions & 0 deletions charts/ocis/templates/NOTES.txt
Expand Up @@ -22,6 +22,7 @@ kubectl -n {{ .Release.Namespace }} get secrets/admin-user --template='{{"{{"}}.
{{- $demoUsers := .Values.features.demoUsers -}}
{{- $oidcIdpInsecure := .Values.insecure.oidcIdpInsecure -}}
{{- $ocisHttpApiInsecure := .Values.insecure.ocisHttpApiInsecure -}}
{{- $ocmInsecure := .Values.insecure.ocmInsecure -}}
{{- $externalLDAPinsecure := and .Values.features.externalUserManagement.enabled .Values.features.externalUserManagement.ldap.insecure -}}
{{- $noSMTPencryption := and .Values.features.emailNotifications.enabled (eq .Values.features.emailNotifications.smtp.encryption "none") -}}

Expand All @@ -41,6 +42,9 @@ kubectl -n {{ .Release.Namespace }} get secrets/admin-user --template='{{"{{"}}.
{{- if $oidcIdpInsecure}}
###### - `insecure.oidcIdpInsecure` should be set to `false` #####
{{- end }}
{{- if $ocmInsecure}}
###### - `insecure.ocmInsecure` should be set to `false` #####
{{- end }}
{{- if $ocisHttpApiInsecure}}
###### - `insecure.ocisHttpApiInsecure` should be set to `false` #####
{{- end }}
22 changes: 22 additions & 0 deletions charts/ocis/templates/ocm/deployment.yaml
Expand Up @@ -52,6 +52,24 @@ spec:
- name: OCM_HTTP_ADDR
value: 0.0.0.0:9280

- name: OCM_OCM_INVITE_MANAGER_INSECURE
value: {{ .Values.insecure.ocmInsecure | quote }}
- name: OCM_OCM_STORAGE_PROVIDER_INSECURE
value: {{ .Values.insecure.ocmInsecure | quote }}
- name: OCM_OCM_SHARE_PROVIDER_INSECURE
value: {{ .Values.insecure.ocmInsecure | quote }}

- name: OCM_SERVICE_ACCOUNT_ID
valueFrom:
configMapKeyRef:
name: {{ include "config.authService" . }}
key: service-account-id
- name: OCM_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
name: {{ include "secrets.serviceAccountSecret" . }}
key: service-account-secret

{{- include "ocis.livenessProbe" . | nindent 10 }}

resources: {{ toYaml .resources | nindent 12 }}
Expand All @@ -70,6 +88,8 @@ spec:
readOnly: true
- name: {{ include "ocis.persistence.dataVolumeName" . }}
mountPath: /var/lib/ocis
- name: tmp-volume
mountPath: /tmp

{{- include "ocis.imagePullSecrets" $ | nindent 6 }}
volumes:
Expand All @@ -83,5 +103,7 @@ spec:
{{ else }}
emptyDir: {}
{{ end }}
- name: tmp-volume
emptyDir: {}
{{- include "ocis.persistence.dataVolume" . | nindent 8 }}
{{ end }}
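Review bot: The `tmp-volume` emptyDir added at the end of the volumes list has no `sizeLimit`, so whatever the ocm container writes under `/tmp` is bounded only by the node's ephemeral storage; `emptyDir:` followed by `sizeLimit: 1Gi` (or a chart value, matching however the other services in this chart handle their tmp volumes, which I cannot see from here) would cap it. The three `OCM_OCM_*_INSECURE` variables are all driven by the single `insecure.ocmInsecure` value, which is reasonable, but a template comment above them such as `{{- /* one switch disables TLS verification for all three OCM clients: invite manager, share provider, storage provider; NOTES.txt warns when it is set */}}` would make that fan-out explicit to the next maintainer. The env list and the pod spec both start before this section, so I cannot see whether the container runs with a read-only root filesystem, which is presumably why `/tmp` now needs its own volume.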
3 changes: 3 additions & 0 deletions charts/ocis/values.yaml
Expand Up @@ -131,6 +131,9 @@ insecure:
# -- Disables SSL certificate checking for connections to the oCIS http apis.
# Not recommended for production installations.
ocisHttpApiInsecure: false
# -- Disables SSL certificate checking for connections to all OCM instances
# Not recommended for production installations.
ocmInsecure: false

cache:
# -- Type of the cache to use.
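Review bot: The comment on the new `ocmInsecure` key understates what the switch does: in the ocm deployment template it feeds `OCM_OCM_INVITE_MANAGER_INSECURE`, `OCM_OCM_STORAGE_PROVIDER_INSECURE` and `OCM_OCM_SHARE_PROVIDER_INSECURE`, i.e. it turns off certificate verification for every outbound OCM federation call, so anyone on the network path can impersonate a remote instance. Suggested wording: `# -- Disables TLS certificate verification for all outbound OCM (federation) connections: invite manager, share provider and storage provider. A remote instance can then be impersonated on the wire. Only for development with self-signed certificates; not recommended for production installations.` "SSL" here and in the neighbouring comments is really TLS; I would leave the neighbours as they are unless you fix them together for consistency.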
66 changes: 66 additions & 0 deletions deployments/ocm-install/README.md
@@ -0,0 +1,66 @@
# oCIS development deployment example

## Introduction

This example will deploy a mostly default oCIS setup to Kubernetes. The intent is that this will
work "out of the box" after a `helmfile sync`.

***Note***: This example is not intended for production use. It is intended to get a working oCIS
development running in Kubernetes as quickly as possible. It is not hardened in any way.

## Getting started

### Prerequisites

This example requires the following things to be installed:

- [Kubernetes](https://kubernetes.io/) cluster, with an ingress controller installed.
- [Helm](https://helm.sh/) v3
- [Helmfile](https://github.com/helmfile/helmfile)

### End result

After following the steps in this guide, you should be able to access the following endpoint, you
may want to add these to your `/etc/hosts` file pointing to your ingress controller IP:

- https://ocis.kube.owncloud.test
- https://ocis2.kube.owncloud.test

Note that if you want to use your own hostname and domain, you will have to change the `externalDomain` value.

### Deploying

In this directory, run the following commands:

```bash
$ helmfile sync
```

This will deploy all the needed steps.

### Logging in

You can get the admin password with the following command:

```bash
$ kubectl -n ocis get secrets/admin-user --template='{{.data.password | base64decode | printf "%s\n" }}'
```

and

```bash
$ kubectl -n ocis2 get secrets/admin-user --template='{{.data.password | base64decode | printf "%s\n" }}'
```


You can use this password to login with the user `admin`.

### Limitations

As this is deployed with a `ReadWriteOnce` storage access mode, the deployments persistence will be limited to
a single pod. If you want to scale the pods, you will need to change the storage access mode to `ReadWriteMany`.
If you do this, please check if your storage provider supports this access mode.

### Development

Note this chart is made for development, therefore both `demoUsers` is set to true. Using this chart in production is not recommended.
252 changes: 252 additions & 0 deletions deployments/ocm-install/helmfile.yaml
@@ -0,0 +1,252 @@
releases:
- name: ocis
chart: ../../charts/ocis
namespace: ocis
values:
- image:
tag: "6.4.0"
- externalDomain: ocis.kube.owncloud.test
- ingress:
enabled: true
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 1024m
tls:
- secretName: ocis-dev-tls
hosts:
- ocis.kube.owncloud.test

- logging:
level: debug

- insecure:
oidcIdpInsecure: true
ocisHttpApiInsecure: true

- features:
demoUsers: true
ocm:
enabled: true
providers: |-
[
{
"name": "oCIS Test",
"full_name": "oCIS Test provider",
"organization": "oCIS",
"domain": "ocis2.kube.owncloud.test",
"homepage": "https://ocis2.kube.owncloud.test",
"description": "oCIS Example cloud storage",
"services": [
{
"endpoint": {
"type": {
"name": "OCM",
"description": "ocis2.kube.owncloud.test Open Cloud Mesh API"
},
"name": "ocis2.kube.owncloud.test - OCM API",
"path": "https://ocis2.kube.owncloud.test/ocm/",
"is_monitored": true
},
"api_version": "0.0.1",
"host": "http://ocis2.kube.owncloud.test"
},
{
"endpoint": {
"type": {
"name": "Webdav",
"description": "ocis2.kube.owncloud.test Webdav API"
},
"name": "ocis2.kube.owncloud.test Example - Webdav API",
"path": "https://ocis2.kube.owncloud.test/dav/",
"is_monitored": true
},
"api_version": "0.0.1",
"host": "https://ocis2.kube.owncloud.test/"
}
]
}
]
- services:
idm:
persistence:
enabled: true
accessModes:
- ReadWriteOnce

nats:
persistence:
enabled: true
accessModes:
- ReadWriteOnce

search:
persistence:
enabled: true
accessModes:
- ReadWriteOnce

storagesystem:
persistence:
enabled: true
accessModes:
- ReadWriteOnce

storageusers:
persistence:
enabled: true
accessModes:
- ReadWriteOnce
maintenance:
cleanUpExpiredUploads:
enabled: true
schedule: "* * * * *"
purgeExpiredTrashBinItems:
enabled: true
schedule: "* * * * *"
restartPostprocessing:
enabled: true
schedule: "* * * * *"

thumbnails:
persistence:
enabled: true
accessModes:
- ReadWriteOnce
maintenance:
cleanUpOldThumbnails:
enabled: true
schedule: "* * * * *"

web:
persistence:
enabled: true
accessModes:
- ReadWriteOnce

- name: ocis2
chart: ../../charts/ocis
namespace: ocis2
values:
- image:
tag: "6.4.0"
- externalDomain: ocis2.kube.owncloud.test
- ingress:
enabled: true
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 1024m
tls:
- secretName: ocis-dev-tls
hosts:
- ocis2.kube.owncloud.test

- logging:
level: debug

- insecure:
oidcIdpInsecure: true
ocisHttpApiInsecure: true
ocmInsecure: true

- features:
demoUsers: true
ocm:
enabled: true
providers: |-
[
{
"name": "oCIS Test",
"full_name": "oCIS Test provider",
"organization": "oCIS",
"domain": "ocis.kube.owncloud.test",
"homepage": "https://ocis.kube.owncloud.test",
"description": "oCIS Example cloud storage",
"services": [
{
"endpoint": {
"type": {
"name": "OCM",
"description": "ocis.kube.owncloud.test Open Cloud Mesh API"
},
"name": "ocis.kube.owncloud.test - OCM API",
"path": "https://ocis.kube.owncloud.test/ocm/",
"is_monitored": true
},
"api_version": "0.0.1",
"host": "http://ocis.kube.owncloud.test"
},
{
"endpoint": {
"type": {
"name": "Webdav",
"description": "ocis.kube.owncloud.test Webdav API"
},
"name": "ocis.kube.owncloud.test Example - Webdav API",
"path": "https://ocis.kube.owncloud.test/dav/",
"is_monitored": true
},
"api_version": "0.0.1",
"host": "https://ocis.kube.owncloud.test/"
}
]
}
]
- services:
idm:
persistence:
enabled: true
accessModes:
- ReadWriteOnce

nats:
persistence:
enabled: true
accessModes:
- ReadWriteOnce

search:
persistence:
enabled: true
accessModes:
- ReadWriteOnce

storagesystem:
persistence:
enabled: true
accessModes:
- ReadWriteOnce

storageusers:
persistence:
enabled: true
accessModes:
- ReadWriteOnce
maintenance:
cleanUpExpiredUploads:
enabled: true
schedule: "* * * * *"
purgeExpiredTrashBinItems:
enabled: true
schedule: "* * * * *"
restartPostprocessing:
enabled: true
schedule: "* * * * *"

thumbnails:
persistence:
enabled: true
accessModes:
- ReadWriteOnce
maintenance:
cleanUpOldThumbnails:
enabled: true
schedule: "* * * * *"

web:
persistence:
enabled: true
accessModes:
- ReadWriteOnce
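Review bot: The two releases are not symmetric on the new switch: `ocis` sets only `oidcIdpInsecure: true` and `ocisHttpApiInsecure: true` in its `insecure` block, while `ocis2` additionally sets `ocmInsecure: true`. Both ingresses terminate TLS with the same `ocis-dev-tls` secret, which in a development example is presumably self-signed, so outbound OCM calls from `ocis` to `ocis2` would still verify that certificate and likely fail unless a trusted CA issued it — either add `ocmInsecure: true` to the first release too, or drop it from the second and document that the certificate must be trusted by both pods. Separately, the OCM service entry in both provider lists gives `"host": "http://ocis2.kube.owncloud.test"` and `"host": "http://ocis.kube.owncloud.test"` while the same entry's `path` and the Webdav `host` are `https://`; if that field is what the peer is contacted on, federation traffic goes in cleartext regardless of any insecure flag, so it should be `https://` as well. Nothing in this helmfile creates `ocis-dev-tls` in either namespace and I cannot see whether the chart does, so the accompanying README should state where that secret comes from.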
