- onlyoffice kubernetes resource limits and pvc

- continuous deploy revision - environments variables validation - vscode tasks for deploy - vscode testing some new plugins
2026-04-10 03:21:05 +00:00
parent e3bcb3c864
commit a9e368beb1
12 changed files with 101 additions and 26 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -17,7 +17,6 @@
 				"ms-kubernetes-tools.vscode-kubernetes-tools",
 				"redhat.ansible",
 				"mtxr.sqltools-driver-mysql",
 				"stateful.runme",
 				"yzhang.markdown-all-in-one",
 				"davidanson.vscode-markdownlint",
 				"eamodio.gitlens",
@@ -28,7 +27,10 @@
 				"eamodio.gitlens",
 				"shd101wyy.markdown-preview-enhanced",
 				"bierner.markdown-mermaid",
-				"bierner.markdown-preview-github-styles"
+				"bierner.markdown-preview-github-styles",
 				"sycl.markdown-command-runner",
 				"jeepshen.vscode-markdown-code-runner",
 				"batyan-soft.fast-tasks"
 			]
 		}
 	}
--- a/.gitea/workflows/app-continuous-deploy.yaml
+++ b/.gitea/workflows/app-continuous-deploy.yaml
@@ -35,6 +35,7 @@ jobs:
      - name: Deploy
        shell: bash
        env:
          # used by kustomization requires env files
          MARIADB_USER: ${{ secrets.MARIADB_USER }}
          MARIADB_PASSWORD: ${{ secrets.MARIADB_PASSWORD }}
          MARIADB_ROOT_PASSWORD: ${{ secrets.MARIADB_ROOT_PASSWORD }}
@@ -42,6 +43,8 @@ jobs:
          PBS_REPOSITORY: ${{ secrets.PBS_REPOSITORY }}
          PBS_PASSWORD: ${{ secrets.PBS_PASSWORD }}
          PBS_FINGERPRINT: ${{ secrets.PBS_FINGERPRINT }}
          ONLYOFFICE_SECRET:  ${{ secrets.ONLYOFFICE_SECRET }}
          # used only on helm set values - only required as environment variables
          NEXTCLOUD_HOST: ${{ secrets.NEXTCLOUD_HOST }}
          NEXTCLOUD_USERNAME: ${{ secrets.NEXTCLOUD_USERNAME }}
@@ -51,23 +54,27 @@ jobs:
          set -euo pipefail
          # ensure cleanup always runs
-          trap 'rm -f \
+          trap '
-                    deploy/app/.env.d/*' EXIT
+          [ -d deploy/app/.env.d ] && rm -rf deploy/app/.env.d/*;
          [ -d deploy/app/onlyoffice/.env.d ] && rm -rf deploy/app/onlyoffice/.env.d/*;
          ' EXIT
          # setup secrets files
-          echo "MARIADB_USER=${MARIADB_USER}" >> deploy/app/.env.d/nextcloud-mariadb.env
+          echo "MARIADB_USER=${MARIADB_USER:?Missing MARIADB_USER}" >> deploy/app/.env.d/nextcloud-mariadb.env
-          echo "MARIADB_PASSWORD=${MARIADB_PASSWORD}" >> deploy/app/.env.d/nextcloud-mariadb.env
+          echo "MARIADB_PASSWORD=${MARIADB_PASSWORD:?Missing MARIADB_PASSWORD}" >> deploy/app/.env.d/nextcloud-mariadb.env
-          echo "MARIADB_ROOT_PASSWORD=${MARIADB_ROOT_PASSWORD}" >> deploy/app/.env.d/nextcloud-mariadb.env
+          echo "MARIADB_ROOT_PASSWORD=${MARIADB_ROOT_PASSWORD:?Missing MARIADB_ROOT_PASSWORD}" >> deploy/app/.env.d/nextcloud-mariadb.env
-          echo "MARIADB_DATABASE=${MARIADB_DATABASE}" >> deploy/app/.env.d/nextcloud-mariadb.env
+          echo "MARIADB_DATABASE=${MARIADB_DATABASE:?Missing MARIADB_DATABASE}" >> deploy/app/.env.d/nextcloud-mariadb.env
-          echo "PBS_REPOSITORY=${PBS_REPOSITORY}" >> deploy/app/.env.d/pbs.env
+          echo "PBS_REPOSITORY=${PBS_REPOSITORY:?Missing PBS_REPOSITORY}" >> deploy/app/.env.d/pbs.env
-          echo "PBS_PASSWORD=${PBS_PASSWORD}" >> deploy/app/.env.d/pbs.env
+          echo "PBS_PASSWORD=${PBS_PASSWORD:?Missing PBS_PASSWORD}" >> deploy/app/.env.d/pbs.env
-          echo "PBS_FINGERPRINT=${PBS_FINGERPRINT}" >> deploy/app/.env.d/pbs.env
+          echo "PBS_FINGERPRINT=${PBS_FINGERPRINT:?Missing PBS_FINGERPRINT}" >> deploy/app/.env.d/pbs.env
          echo "secret=${ONLYOFFICE_SECRET:?Missing ONLYOFFICE_SECRET}" >> deploy/app/onlyoffice/.env.d/onlyoffice.env
          # enforce secrets files security
          chmod 600 deploy/app/.env.d/*
-     
+          chmod 600 deploy/app/onlyoffice/.env.d/*
          # invoke deploy script
          ops-scripts/apply-app.sh
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,6 +1,7 @@
 {
    "cSpell.words": [
        "authentik",
        "documentserver",
        "onlyoffice"
    ]
 }
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -0,0 +1,19 @@
 {
    // See https://go.microsoft.com/fwlink/?LinkId=733558
    // for the documentation about the tasks.json format
    "version": "2.0.0",
    "tasks": [
        {
            "label": "Apply Infra",
            "type": "shell",
            "command": "./ops-scripts/apply-infra.sh",
            "problemMatcher": [],
        },
        {
            "label": "Apply App",
            "type": "shell",
            "command": "./ops-scripts/apply-app.sh",
            "problemMatcher": []
        }
    ]
 }
--- a/README.md
+++ b/README.md
@@ -117,7 +117,6 @@ su -s /bin/bash www-data -c "php occ files:scan-app-data"
 ### Mimetype migrations available
 ```bash
 # Rebuild appdata and caches
@@ -139,8 +138,12 @@ su -s /bin/bash www-data -c "php occ maintenance:repair --include-expensive"
 This script is intended to be executed only by low‑privilege deployment identities, such as the **continuous‑deploy** ServiceAccount or an application maintainer with equivalent permissions.
 Can be executed in VS Code using the “Apply App” task.
 ```bash
 #!/bin/bash
 ./ops-scripts/apply-app.sh
 ```
 **Responsibilities:**
@@ -158,6 +161,7 @@ This script is intended to be executed only by low‑privilege deployment identi
 **Security context:**
 This script requires elevated cluster‑level permissions and must be executed only by platform maintainers, not by the continuous‑deploy identity.
 Can be executed in VS Code using the “Apply Infra” task.
 ```bash
 ./ops-scripts/apply-infra.sh
@@ -178,6 +182,7 @@ This script requires elevated cluster‑level permissions and must be executed o
 kubectl exec -it nextcloud-mariadb-0 -- mariadb -u nextcloud -h nextcloud-mariadb.cloud-limbosolutions-com.svc.cluster.local -p
 ```
 **Restore database:**
 ``` bash
--- a/deploy/app/kustomization.yaml
+++ b/deploy/app/kustomization.yaml
@@ -14,7 +14,7 @@ resources:
  - ./storage-limbosolutions-com/pvc.yaml
  - ./mariadb-deploy.yaml
  - ./backups/backup-pbs-cronjob.yaml
-  # - ./onlyoffice  - enable to execute manually, required cicd revision to be enable by default 
+  - ./onlyoffice
 generatorOptions:
  disableNameSuffixHash: true
--- a/deploy/app/onlyoffice/deployment.yaml
+++ b/deploy/app/onlyoffice/deployment.yaml
@@ -26,3 +26,25 @@ spec:
                secretKeyRef:
                  name: onlyoffice
                  key: secret
          resources:
            limits:
              memory: "2048Mi"
              cpu: "1000m"
            requests:
              memory: "256Mi"
              cpu: "250m"
          volumeMounts:
            - name: onlyoffice-data
              mountPath: /var/www/onlyoffice/Data
            - name: onlyoffice-logs
              mountPath: /var/log/onlyoffice
      volumes:
        - name: onlyoffice-data
          persistentVolumeClaim:
            claimName: onlyoffice-data
        - name: onlyoffice-logs
          persistentVolumeClaim:
            claimName: onlyoffice-logs
--- a/deploy/app/onlyoffice/kustomization.yaml
+++ b/deploy/app/onlyoffice/kustomization.yaml
@@ -6,7 +6,6 @@ secretGenerator:
    envs:
      - ./.env.d/onlyoffice.env
 generatorOptions:
  disableNameSuffixHash: true
 namespace: cloud-limbosolutions-com
@@ -14,3 +13,4 @@ namespace: cloud-limbosolutions-com
 resources:
  - ./deployment.yaml
  - ./service.yaml
  - ./pvc.yaml
--- a/deploy/app/onlyoffice/pvc.yaml
+++ b/deploy/app/onlyoffice/pvc.yaml
@@ -0,0 +1,22 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: onlyoffice-data
 spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 8Gi
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: onlyoffice-logs
 spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
--- a/deploy/infra/ingress.yaml
+++ b/deploy/infra/ingress.yaml
@@ -54,7 +54,7 @@ spec:
      middlewares:
          # middleware managed by icarus
         - name: authentik-forward-auth
-           namespace: kube-system
+           namespace: traefik-common
         - name: nextcloud-security-headers
         - name: rate-limit
--- a/ops-scripts/apply-app.sh
+++ b/ops-scripts/apply-app.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-echo "Executing app deploy."
+echo "Executing nextcloud app deploy."
 kubectl kustomize deploy/app | kubectl apply -f -
@@ -21,15 +21,14 @@ helm repo add nextcloud https://nextcloud.github.io/helm/ --force-update
 load_env_file "deploy/app/.env.d/nextcloud-mariadb.env"
 load_env_file "deploy/app/.env.d/nextcloud-secrets.env"
 helm upgrade --install nextcloud nextcloud/nextcloud \
 --values ./deploy/app/helm-values.yaml \
- --set externalDatabase.user=${MARIADB_USER} \
+ --set externalDatabase.user=${MARIADB_USER:?Missing MARIADB_USER} \
- --set externalDatabase.password=${MARIADB_PASSWORD} \
+ --set externalDatabase.password=${MARIADB_PASSWORD:?Missing MARIADB_PASSWORD} \
- --set externalDatabase.database=${MARIADB_DATABASE} \
+ --set externalDatabase.database=${MARIADB_DATABASE:?Missing MARIADB_DATABASE} \
- --set nextcloud.host=${NEXTCLOUD_HOST} \
+ --set nextcloud.host=${NEXTCLOUD_HOST:?Missing NEXTCLOUD_HOST} \
- --set nextcloud.username=${NEXTCLOUD_USERNAME} \
+ --set nextcloud.username=${NEXTCLOUD_USERNAME:?Missing NEXTCLOUD_USERNAME} \
- --set nextcloud.password=${NEXTCLOUD_PASSWORD} \
+ --set nextcloud.password=${NEXTCLOUD_PASSWORD:?Missing NEXTCLOUD_PASSWORD} \
 --namespace cloud-limbosolutions-com
--- a/ops-scripts/apply-infra.sh
+++ b/ops-scripts/apply-infra.sh
@@ -3,5 +3,3 @@ set -e
 echo "Executing infra deploy."
 kubectl kustomize deploy/infra | kubectl -n cloud-limbosolutions-com apply -f -
`@@ -3,5 +3,3 @@ set -e`
	`echo "Executing infra deploy."`	`echo "Executing infra deploy."`

	`kubectl kustomize deploy/infra \| kubectl -n cloud-limbosolutions-com apply -f -`	`kubectl kustomize deploy/infra \| kubectl -n cloud-limbosolutions-com apply -f -`