From 57c04d74b960819a77de30cda655ab95a8bb6d7b Mon Sep 17 00:00:00 2001
From: Dennis Sieben
Date: Thu, 12 Sep 2024 16:19:59 +0200
Subject: [PATCH] - added insecure switch - added deployment example
---
charts/ocis/templates/NOTES.txt | 4 +
charts/ocis/templates/ocm/deployment.yaml | 22 ++
charts/ocis/values.yaml | 3 +
deployments/ocm-install/README.md | 66 ++++++
deployments/ocm-install/helmfile.yaml | 252 ++++++++++++++++++++++
5 files changed, 347 insertions(+)
create mode 100644 deployments/ocm-install/README.md
create mode 100644 deployments/ocm-install/helmfile.yaml
diff --git a/charts/ocis/templates/NOTES.txt b/charts/ocis/templates/NOTES.txt
index 4e0b9585b..aeccf05d1 100644
--- a/charts/ocis/templates/NOTES.txt
+++ b/charts/ocis/templates/NOTES.txt
@@ -22,6 +22,7 @@ kubectl -n {{ .Release.Namespace }} get secrets/admin-user --template='{{"{{"}}.
 {{- $demoUsers := .Values.features.demoUsers -}}
 {{- $oidcIdpInsecure := .Values.insecure.oidcIdpInsecure -}}
 {{- $ocisHttpApiInsecure := .Values.insecure.ocisHttpApiInsecure -}}
+{{- $ocmInsecure := .Values.insecure.ocmInsecure -}}
 {{- $externalLDAPinsecure := and .Values.features.externalUserManagement.enabled .Values.features.externalUserManagement.ldap.insecure -}}
 {{- $noSMTPencryption := and .Values.features.emailNotifications.enabled (eq .Values.features.emailNotifications.smtp.encryption "none") -}}
@@ -41,6 +42,9 @@ kubectl -n {{ .Release.Namespace }} get secrets/admin-user --template='{{"{{"}}.
 {{- if $oidcIdpInsecure}}
 ###### - `insecure.oidcIdpInsecure` should be set to `false` #####
 {{- end }}
+{{- if $ocmInsecure}}
+###### - `insecure.ocmInsecure` should be set to `false` #####
+{{- end }}
 {{- if $ocisHttpApiInsecure}}
 ###### - `insecure.ocisHttpApiInsecure` should be set to `false` #####
 {{- end }}
diff --git a/charts/ocis/templates/ocm/deployment.yaml b/charts/ocis/templates/ocm/deployment.yaml
index b1da03e34..16422ff32 100644
--- a/charts/ocis/templates/ocm/deployment.yaml
+++ b/charts/ocis/templates/ocm/deployment.yaml
@@ -52,6 +52,24 @@ spec:
 - name: OCM_HTTP_ADDR
 value: 0.0.0.0:9280
+ - name: OCM_OCM_INVITE_MANAGER_INSECURE
+ value: {{ .Values.insecure.ocmInsecure | quote }}
+ - name: OCM_OCM_STORAGE_PROVIDER_INSECURE
+ value: {{ .Values.insecure.ocmInsecure | quote }}
+ - name: OCM_OCM_SHARE_PROVIDER_INSECURE
+ value: {{ .Values.insecure.ocmInsecure | quote }}
+
+ - name: OCM_SERVICE_ACCOUNT_ID
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "config.authService" . }}
+ key: service-account-id
+ - name: OCM_SERVICE_ACCOUNT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "secrets.serviceAccountSecret" . }}
+ key: service-account-secret
+
 {{- include "ocis.livenessProbe" . | nindent 10 }}
 resources: {{ toYaml .resources | nindent 12 }}
@@ -70,6 +88,8 @@ spec:
 readOnly: true
 - name: {{ include "ocis.persistence.dataVolumeName" . }}
 mountPath: /var/lib/ocis
+ - name: tmp-volume
+ mountPath: /tmp
 {{- include "ocis.imagePullSecrets" $ | nindent 6 }}
 volumes:
@@ -83,5 +103,7 @@ spec:
 {{ else }}
 emptyDir: {}
 {{ end }}
+ - name: tmp-volume
+ emptyDir: {}
 {{- include "ocis.persistence.dataVolume" . | nindent 8 }}
 {{ end }}
diff --git a/charts/ocis/values.yaml b/charts/ocis/values.yaml
index 92c809143..1bd178d95 100644
--- a/charts/ocis/values.yaml
+++ b/charts/ocis/values.yaml
@@ -131,6 +131,9 @@ insecure:
 # -- Disables SSL certificate checking for connections to the oCIS http apis.
 # Not recommended for production installations.
 ocisHttpApiInsecure: false
+ # -- Disables SSL certificate checking for connections to all OCM instances
+ # Not recommended for production installations.
+ ocmInsecure: false
 cache:
 # -- Type of the cache to use.
diff --git a/deployments/ocm-install/README.md b/deployments/ocm-install/README.md
new file mode 100644
index 000000000..0ddefbc31
--- /dev/null
+++ b/deployments/ocm-install/README.md
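Review bot: The new `tmp-volume` mounted at `/tmp` (hunk `@@ -83,5 +103,7 @@`) is an `emptyDir: {}` with no `sizeLimit`, so whatever the ocm container writes there is bounded only by the node's ephemeral storage and a runaway write can evict the pod or starve neighbours. The volume can carry a cap on the new side, `emptyDir:` followed by `sizeLimit: <SIZE_PLACEHOLDER>` on the next line, sized against the chart's resource defaults. The diff does not show what the container writes to `/tmp`, so the right size (or whether a memory-backed medium fits better) cannot be judged from here. The enclosing `volumes:` list starts outside the hunk.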
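Review bot: The comment on the new `ocmInsecure` value in `charts/ocis/values.yaml` does not say which OCM settings it drives, and unlike the sibling `ocisHttpApiInsecure` comment it drops the trailing period, which matters because helm-docs renders these `# --` comments verbatim. Since the deployment hunk shows the value feeding three env vars, the first comment line could read `# -- Disables SSL certificate checking for connections to all OCM instances (sets OCM_OCM_INVITE_MANAGER_INSECURE, OCM_OCM_STORAGE_PROVIDER_INSECURE and OCM_OCM_SHARE_PROVIDER_INSECURE).` so operators can see exactly what is being relaxed.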
@@ -0,0 +1,66 @@
+# oCIS development deployment example
+
+## Introduction
+
+This example will deploy a mostly default oCIS setup to Kubernetes. The intent is that this will
+work "out of the box" after a `helmfile sync`.
+
+***Note***: This example is not intended for production use. It is intended to get a working oCIS
+development running in Kubernetes as quickly as possible. It is not hardened in any way.
+
+## Getting started
+
+### Prerequisites
+
+This example requires the following things to be installed:
+
+- [Kubernetes](https://kubernetes.io/) cluster, with an ingress controller installed.
+- [Helm](https://helm.sh/) v3
+- [Helmfile](https://github.com/helmfile/helmfile)
+
+### End result
+
+After following the steps in this guide, you should be able to access the following endpoint, you
+may want to add these to your `/etc/hosts` file pointing to your ingress controller IP:
+
+- https://ocis.kube.owncloud.test
+- https://ocis2.kube.owncloud.test
+
+Note that if you want to use your own hostname and domain, you will have to change the `externalDomain` value.
+
+### Deploying
+
+In this directory, run the following commands:
+
+```bash
+$ helmfile sync
+```
+
+This will deploy all the needed steps.
+
+### Logging in
+
+You can get the admin password with the following command:
+
+```bash
+$ kubectl -n ocis get secrets/admin-user --template='{{.data.password | base64decode | printf "%s\n" }}'
+```
+
+and
+
+```bash
+$ kubectl -n ocis2 get secrets/admin-user --template='{{.data.password | base64decode | printf "%s\n" }}'
+```
+
+
+You can use this password to login with the user `admin`.
+
+### Limitations
+
+As this is deployed with a `ReadWriteOnce` storage access mode, the deployments persistence will be limited to
+a single pod. If you want to scale the pods, you will need to change the storage access mode to `ReadWriteMany`.
+If you do this, please check if your storage provider supports this access mode.
+
+### Development
+
+Note this chart is made for development, therefore both `demoUsers` is set to true. Using this chart in production is not recommended.
diff --git a/deployments/ocm-install/helmfile.yaml b/deployments/ocm-install/helmfile.yaml
new file mode 100644
index 000000000..4fc9ef214
--- /dev/null
+++ b/deployments/ocm-install/helmfile.yaml
@@ -0,0 +1,252 @@
+releases:
+ - name: ocis
+ chart: ../../charts/ocis
+ namespace: ocis
+ values:
+ - image:
+ tag: "6.4.0"
+ - externalDomain: ocis.kube.owncloud.test
+ - ingress:
+ enabled: true
+ ingressClassName: nginx
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+ tls:
+ - secretName: ocis-dev-tls
+ hosts:
+ - ocis.kube.owncloud.test
+
+ - logging:
+ level: debug
+
+ - insecure:
+ oidcIdpInsecure: true
+ ocisHttpApiInsecure: true
+
+ - features:
+ demoUsers: true
+ ocm:
+ enabled: true
+ providers: |-
+ [
+ {
+ "name": "oCIS Test",
+ "full_name": "oCIS Test provider",
+ "organization": "oCIS",
+ "domain": "ocis2.kube.owncloud.test",
+ "homepage": "https://ocis2.kube.owncloud.test",
+ "description": "oCIS Example cloud storage",
+ "services": [
+ {
+ "endpoint": {
+ "type": {
+ "name": "OCM",
+ "description": "ocis2.kube.owncloud.test Open Cloud Mesh API"
+ },
+ "name": "ocis2.kube.owncloud.test - OCM API",
+ "path": "https://ocis2.kube.owncloud.test/ocm/",
+ "is_monitored": true
+ },
+ "api_version": "0.0.1",
+ "host": "http://ocis2.kube.owncloud.test"
+ },
+ {
+ "endpoint": {
+ "type": {
+ "name": "Webdav",
+ "description": "ocis2.kube.owncloud.test Webdav API"
+ },
+ "name": "ocis2.kube.owncloud.test Example - Webdav API",
+ "path": "https://ocis2.kube.owncloud.test/dav/",
+ "is_monitored": true
+ },
+ "api_version": "0.0.1",
+ "host": "https://ocis2.kube.owncloud.test/"
+ }
+ ]
+ }
+ ]
+
+
+ - services:
+ idm:
+ persistence:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+
+ nats:
+ persistence:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+
+ search:
+ persistence:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+
+ storagesystem:
+ persistence:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+
+ storageusers:
+ persistence:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+ maintenance:
+ cleanUpExpiredUploads:
+ enabled: true
+ schedule: "* * * * *"
+ purgeExpiredTrashBinItems:
+ enabled: true
+ schedule: "* * * * *"
+ restartPostprocessing:
+ enabled: true
+ schedule: "* * * * *"
+
+ thumbnails:
+ persistence:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+ maintenance:
+ cleanUpOldThumbnails:
+ enabled: true
+ schedule: "* * * * *"
+
+ web:
+ persistence:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+
+ - name: ocis2
+ chart: ../../charts/ocis
+ namespace: ocis2
+ values:
+ - image:
+ tag: "6.4.0"
+ - externalDomain: ocis2.kube.owncloud.test
+ - ingress:
+ enabled: true
+ ingressClassName: nginx
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+ tls:
+ - secretName: ocis-dev-tls
+ hosts:
+ - ocis2.kube.owncloud.test
+
+ - logging:
+ level: debug
+
+ - insecure:
+ oidcIdpInsecure: true
+ ocisHttpApiInsecure: true
+ ocmInsecure: true
+
+ - features:
+ demoUsers: true
+ ocm:
+ enabled: true
+ providers: |-
+ [
+ {
+ "name": "oCIS Test",
+ "full_name": "oCIS Test provider",
+ "organization": "oCIS",
+ "domain": "ocis.kube.owncloud.test",
+ "homepage": "https://ocis.kube.owncloud.test",
+ "description": "oCIS Example cloud storage",
+ "services": [
+ {
+ "endpoint": {
+ "type": {
+ "name": "OCM",
+ "description": "ocis.kube.owncloud.test Open Cloud Mesh API"
+ },
+ "name": "ocis.kube.owncloud.test - OCM API",
+ "path": "https://ocis.kube.owncloud.test/ocm/",
+ "is_monitored": true
+ },
+ "api_version": "0.0.1",
+ "host": "http://ocis.kube.owncloud.test"
+ },
+ {
+ "endpoint": {
+ "type": {
+ "name": "Webdav",
+ "description": "ocis.kube.owncloud.test Webdav API"
+ },
+ "name": "ocis.kube.owncloud.test Example - Webdav API",
+ "path": "https://ocis.kube.owncloud.test/dav/",
+ "is_monitored": true
+ },
+ "api_version": "0.0.1",
+ "host": "https://ocis.kube.owncloud.test/"
+ }
+ ]
+ }
+ ]
+
+ - services:
+ idm:
+ persistence:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+
+ nats:
+ persistence:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+
+ search:
+ persistence:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+
+ storagesystem:
+ persistence:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+
+ storageusers:
+ persistence:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+ maintenance:
+ cleanUpExpiredUploads:
+ enabled: true
+ schedule: "* * * * *"
+ purgeExpiredTrashBinItems:
+ enabled: true
+ schedule: "* * * * *"
+ restartPostprocessing:
+ enabled: true
+ schedule: "* * * * *"
+
+ thumbnails:
+ persistence:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+ maintenance:
+ cleanUpOldThumbnails:
+ enabled: true
+ schedule: "* * * * *"
+
+ web:
+ persistence:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
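Review bot: The `ocis` release's `insecure:` block enables `oidcIdpInsecure` and `ocisHttpApiInsecure` but not the new `ocmInsecure`, while the `ocis2` release sets all three; since each release lists the other as its OCM provider behind the same dev TLS secret, the asymmetry looks unintended and presumably leaves only one direction of the federation accepting the peer's certificate — add `ocmInsecure: true` under the first release's `insecure:` block, or, if the difference is deliberate, drop it from the second and say why in a comment. Separately, both provider definitions give the OCM service a plain-HTTP `"host"` (`"host": "http://ocis2.kube.owncloud.test"` and `"host": "http://ocis.kube.owncloud.test"`) while the adjacent `path` and the Webdav `host` use `https://`; unless the consumer ignores `host`, this moves OCM traffic off TLS in an otherwise TLS-only example, and `https://` would match the rest of the file. The maintenance `schedule: "* * * * *"` entries run every minute, which is fine for a development example but deserves a one-line comment so they are not copied into production values.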