- onlyoffice kubernetes resource limits and pvc

- continuous deploy revision - environments variables validation - vscode tasks for deploy - vscode testing some new plugins
2026-04-10 03:21:05 +00:00
parent e3bcb3c864
commit a9e368beb1
12 changed files with 101 additions and 26 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -17,7 +17,6 @@
 				"ms-kubernetes-tools.vscode-kubernetes-tools",
 				"redhat.ansible",
 				"mtxr.sqltools-driver-mysql",
-				"stateful.runme",
 				"yzhang.markdown-all-in-one",
 				"davidanson.vscode-markdownlint",
 				"eamodio.gitlens",
@@ -28,7 +27,10 @@
 				"eamodio.gitlens",
 				"shd101wyy.markdown-preview-enhanced",
 				"bierner.markdown-mermaid",
-				"bierner.markdown-preview-github-styles"
+				"bierner.markdown-preview-github-styles",
+				"sycl.markdown-command-runner",
+				"jeepshen.vscode-markdown-code-runner",
+				"batyan-soft.fast-tasks"
 			]
 		}
 	}
--- a/.gitea/workflows/app-continuous-deploy.yaml
+++ b/.gitea/workflows/app-continuous-deploy.yaml
@@ -35,6 +35,7 @@ jobs:
      - name: Deploy
        shell: bash
        env:
+          # used by kustomization requires env files
          MARIADB_USER: ${{ secrets.MARIADB_USER }}
          MARIADB_PASSWORD: ${{ secrets.MARIADB_PASSWORD }}
          MARIADB_ROOT_PASSWORD: ${{ secrets.MARIADB_ROOT_PASSWORD }}
@@ -42,6 +43,8 @@ jobs:
          PBS_REPOSITORY: ${{ secrets.PBS_REPOSITORY }}
          PBS_PASSWORD: ${{ secrets.PBS_PASSWORD }}
          PBS_FINGERPRINT: ${{ secrets.PBS_FINGERPRINT }}
+          ONLYOFFICE_SECRET:  ${{ secrets.ONLYOFFICE_SECRET }}
+
          # used only on helm set values - only required as environment variables
          NEXTCLOUD_HOST: ${{ secrets.NEXTCLOUD_HOST }}
          NEXTCLOUD_USERNAME: ${{ secrets.NEXTCLOUD_USERNAME }}
@@ -51,23 +54,27 @@ jobs:
          set -euo pipefail

          # ensure cleanup always runs
-          trap 'rm -f \
-                    deploy/app/.env.d/*' EXIT
+          trap '
+          [ -d deploy/app/.env.d ] && rm -rf deploy/app/.env.d/*;
+          [ -d deploy/app/onlyoffice/.env.d ] && rm -rf deploy/app/onlyoffice/.env.d/*;
+          ' EXIT

          # setup secrets files

-          echo "MARIADB_USER=${MARIADB_USER}" >> deploy/app/.env.d/nextcloud-mariadb.env
-          echo "MARIADB_PASSWORD=${MARIADB_PASSWORD}" >> deploy/app/.env.d/nextcloud-mariadb.env
-          echo "MARIADB_ROOT_PASSWORD=${MARIADB_ROOT_PASSWORD}" >> deploy/app/.env.d/nextcloud-mariadb.env
-          echo "MARIADB_DATABASE=${MARIADB_DATABASE}" >> deploy/app/.env.d/nextcloud-mariadb.env
+          echo "MARIADB_USER=${MARIADB_USER:?Missing MARIADB_USER}" >> deploy/app/.env.d/nextcloud-mariadb.env
+          echo "MARIADB_PASSWORD=${MARIADB_PASSWORD:?Missing MARIADB_PASSWORD}" >> deploy/app/.env.d/nextcloud-mariadb.env
+          echo "MARIADB_ROOT_PASSWORD=${MARIADB_ROOT_PASSWORD:?Missing MARIADB_ROOT_PASSWORD}" >> deploy/app/.env.d/nextcloud-mariadb.env
+          echo "MARIADB_DATABASE=${MARIADB_DATABASE:?Missing MARIADB_DATABASE}" >> deploy/app/.env.d/nextcloud-mariadb.env

-          echo "PBS_REPOSITORY=${PBS_REPOSITORY}" >> deploy/app/.env.d/pbs.env
-          echo "PBS_PASSWORD=${PBS_PASSWORD}" >> deploy/app/.env.d/pbs.env
-          echo "PBS_FINGERPRINT=${PBS_FINGERPRINT}" >> deploy/app/.env.d/pbs.env
+          echo "PBS_REPOSITORY=${PBS_REPOSITORY:?Missing PBS_REPOSITORY}" >> deploy/app/.env.d/pbs.env
+          echo "PBS_PASSWORD=${PBS_PASSWORD:?Missing PBS_PASSWORD}" >> deploy/app/.env.d/pbs.env
+          echo "PBS_FINGERPRINT=${PBS_FINGERPRINT:?Missing PBS_FINGERPRINT}" >> deploy/app/.env.d/pbs.env

+          echo "secret=${ONLYOFFICE_SECRET:?Missing ONLYOFFICE_SECRET}" >> deploy/app/onlyoffice/.env.d/onlyoffice.env
          
          # enforce secrets files security
          chmod 600 deploy/app/.env.d/*
-     
+          chmod 600 deploy/app/onlyoffice/.env.d/*
+
          # invoke deploy script
          ops-scripts/apply-app.sh
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,6 +1,7 @@
 {
    "cSpell.words": [
        "authentik",
+        "documentserver",
        "onlyoffice"
    ]
 }
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -0,0 +1,19 @@
+{
+    // See https://go.microsoft.com/fwlink/?LinkId=733558
+    // for the documentation about the tasks.json format
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "Apply Infra",
+            "type": "shell",
+            "command": "./ops-scripts/apply-infra.sh",
+            "problemMatcher": [],
+        },
+        {
+            "label": "Apply App",
+            "type": "shell",
+            "command": "./ops-scripts/apply-app.sh",
+            "problemMatcher": []
+        }
+    ]
+}
--- a/README.md
+++ b/README.md
@@ -117,7 +117,6 @@ su -s /bin/bash www-data -c "php occ files:scan-app-data"

 ### Mimetype migrations available

-
 ```bash

 # Rebuild appdata and caches
@@ -139,8 +138,12 @@ su -s /bin/bash www-data -c "php occ maintenance:repair --include-expensive"

 This script is intended to be executed only by low‑privilege deployment identities, such as the **continuous‑deploy** ServiceAccount or an application maintainer with equivalent permissions.

+Can be executed in VS Code using the “Apply App” task.
+
 ```bash
+#!/bin/bash
 ./ops-scripts/apply-app.sh
+
 ```

 **Responsibilities:**
@@ -158,6 +161,7 @@ This script is intended to be executed only by low‑privilege deployment identi

 **Security context:**
 This script requires elevated cluster‑level permissions and must be executed only by platform maintainers, not by the continuous‑deploy identity.
+Can be executed in VS Code using the “Apply Infra” task.

 ```bash
 ./ops-scripts/apply-infra.sh
@@ -178,6 +182,7 @@ This script requires elevated cluster‑level permissions and must be executed o
 kubectl exec -it nextcloud-mariadb-0 -- mariadb -u nextcloud -h nextcloud-mariadb.cloud-limbosolutions-com.svc.cluster.local -p
 ```

+
 **Restore database:**

 ``` bash
--- a/deploy/app/kustomization.yaml
+++ b/deploy/app/kustomization.yaml
@@ -14,7 +14,7 @@ resources:
  - ./storage-limbosolutions-com/pvc.yaml
  - ./mariadb-deploy.yaml
  - ./backups/backup-pbs-cronjob.yaml
-  # - ./onlyoffice  - enable to execute manually, required cicd revision to be enable by default 
+  - ./onlyoffice

 generatorOptions:
  disableNameSuffixHash: true
--- a/deploy/app/onlyoffice/deployment.yaml
+++ b/deploy/app/onlyoffice/deployment.yaml
@@ -26,3 +26,25 @@ spec:
                secretKeyRef:
                  name: onlyoffice
                  key: secret
+
+          resources:
+            limits:
+              memory: "2048Mi"
+              cpu: "1000m"
+            requests:
+              memory: "256Mi"
+              cpu: "250m"
+
+          volumeMounts:
+            - name: onlyoffice-data
+              mountPath: /var/www/onlyoffice/Data
+            - name: onlyoffice-logs
+              mountPath: /var/log/onlyoffice
+
+      volumes:
+        - name: onlyoffice-data
+          persistentVolumeClaim:
+            claimName: onlyoffice-data
+        - name: onlyoffice-logs
+          persistentVolumeClaim:
+            claimName: onlyoffice-logs
--- a/deploy/app/onlyoffice/kustomization.yaml
+++ b/deploy/app/onlyoffice/kustomization.yaml
@@ -6,7 +6,6 @@ secretGenerator:
    envs:
      - ./.env.d/onlyoffice.env

-
 generatorOptions:
  disableNameSuffixHash: true
 namespace: cloud-limbosolutions-com
@@ -14,3 +13,4 @@ namespace: cloud-limbosolutions-com
 resources:
  - ./deployment.yaml
  - ./service.yaml
+  - ./pvc.yaml
--- a/deploy/app/onlyoffice/pvc.yaml
+++ b/deploy/app/onlyoffice/pvc.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: onlyoffice-data
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 8Gi
+---
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: onlyoffice-logs
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
--- a/deploy/infra/ingress.yaml
+++ b/deploy/infra/ingress.yaml
@@ -54,7 +54,7 @@ spec:
      middlewares:
          # middleware managed by icarus
         - name: authentik-forward-auth
-           namespace: kube-system
+           namespace: traefik-common
         - name: nextcloud-security-headers
         - name: rate-limit

--- a/ops-scripts/apply-app.sh
+++ b/ops-scripts/apply-app.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-echo "Executing app deploy."
+echo "Executing nextcloud app deploy."

 kubectl kustomize deploy/app | kubectl apply -f -

@@ -21,15 +21,14 @@ helm repo add nextcloud https://nextcloud.github.io/helm/ --force-update

 load_env_file "deploy/app/.env.d/nextcloud-mariadb.env"
 load_env_file "deploy/app/.env.d/nextcloud-secrets.env"
-
 
 helm upgrade --install nextcloud nextcloud/nextcloud \
 --values ./deploy/app/helm-values.yaml \
- --set externalDatabase.user=${MARIADB_USER} \
- --set externalDatabase.password=${MARIADB_PASSWORD} \
- --set externalDatabase.database=${MARIADB_DATABASE} \
- --set nextcloud.host=${NEXTCLOUD_HOST} \
- --set nextcloud.username=${NEXTCLOUD_USERNAME} \
- --set nextcloud.password=${NEXTCLOUD_PASSWORD} \
+ --set externalDatabase.user=${MARIADB_USER:?Missing MARIADB_USER} \
+ --set externalDatabase.password=${MARIADB_PASSWORD:?Missing MARIADB_PASSWORD} \
+ --set externalDatabase.database=${MARIADB_DATABASE:?Missing MARIADB_DATABASE} \
+ --set nextcloud.host=${NEXTCLOUD_HOST:?Missing NEXTCLOUD_HOST} \
+ --set nextcloud.username=${NEXTCLOUD_USERNAME:?Missing NEXTCLOUD_USERNAME} \
+ --set nextcloud.password=${NEXTCLOUD_PASSWORD:?Missing NEXTCLOUD_PASSWORD} \
 --namespace cloud-limbosolutions-com
 
--- a/ops-scripts/apply-infra.sh
+++ b/ops-scripts/apply-infra.sh
@@ -3,5 +3,3 @@ set -e
 echo "Executing infra deploy."

 kubectl kustomize deploy/infra | kubectl -n cloud-limbosolutions-com apply -f -
-
-