Merge branch 'release/10.1.0' into master

base/kustomization.yaml

@@ -12,5 +12,6 @@ resources:
   - manifests/app-clamav.yaml
   - manifests/app-redis.yaml
   - manifests/cronjob-nextcloud-cron.yaml
+  - manifests/cronjob-nextcloud-failed-upload-cleanup.yaml
   - manifests/cronjob-nextcloud-file-scan.yaml
   - manifests/pod-disruption-budgets.yaml

base/manifests/app-redis.yaml

@@ -24,7 +24,7 @@ spec:
     metadata:
       labels:
         app: db-redis
-        role: backend
+        role: database
     spec:
       initContainers:
         # This is needed to address this warning from Redis:

base/manifests/cronjob-nextcloud-cron.yaml

@@ -11,6 +11,7 @@ metadata:
   name: nextcloud-cron
 spec:
   schedule: "*/5 * * * *"
+  concurrencyPolicy: Forbid
   jobTemplate:
     spec:
       template:

base/manifests/cronjob-nextcloud-failed-upload-cleanup.yaml

@@ -0,0 +1,97 @@
+##
+# Kubernetes deployment manifest for clearing failed uploads older than 7 days
+# every hour.
+#
+# @author Guy Elsmore-Paddock (guy@inveniem.com)
+# @author Brandon McWhirter (brandon.mcwhirter@inveniem.com)
+# @copyright Copyright (c) 2022, Inveniem
+# @license GNU AGPL version 3 or any later version
+#
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: nextcloud-failed-upload-cleanup
+spec:
+  schedule: "0 * * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: Never
+          containers:
+            - name: cron-nextcloud
+              image: "inveniem/nextcloud-cron:latest"
+              args:
+                - '-s'
+                - '/bin/sh'
+                - '/cleanup_uploads.sh'
+              resources:
+                requests:
+                  cpu: 25m
+                  memory: 128Mi
+                limits:
+                  cpu: 1500m
+                  memory: 512Mi
+              volumeMounts:
+                - name: volume-nextcloud-app
+                  mountPath: /var/www/html
+              env:
+                - name: NEXTCLOUD_FILE_LOCKING_ENABLED
+                  valueFrom:
+                    configMapKeyRef:
+                      name: environment
+                      key: enableFileLocking
+                - name: NEXTCLOUD_TRUSTED_DOMAINS
+                  valueFrom:
+                    configMapKeyRef:
+                      name: environment
+                      key: trustedDomains
+                - name: NEXTCLOUD_ADMIN_USER
+                  valueFrom:
+                    secretKeyRef:
+                      name: "nextcloud-admin-creds"
+                      key: username
+                - name: NEXTCLOUD_ADMIN_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: "nextcloud-admin-creds"
+                      key: password
+                - name: MYSQL_HOST
+                  valueFrom:
+                    secretKeyRef:
+                      name: "nextcloud-mysql-creds"
+                      key: hostname
+                - name: MYSQL_PORT
+                  valueFrom:
+                    secretKeyRef:
+                      name: "nextcloud-mysql-creds"
+                      key: port
+                - name: MYSQL_DATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      name: "nextcloud-mysql-creds"
+                      key: database
+                - name: MYSQL_USER
+                  valueFrom:
+                    secretKeyRef:
+                      name: "nextcloud-mysql-creds"
+                      key: username
+                - name: MYSQL_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: "nextcloud-mysql-creds"
+                      key: password
+                - name: REDIS_HOST
+                  value: "internal-redis"
+                - name: REDIS_PORT
+                  value: "6379"
+                - name: REDIS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: "nextcloud-redis-creds"
+                      key: password
+          volumes:
+            # Ephemeral volume that contains the loaded Nextcloud software
+            - name: volume-nextcloud-app
+              emptyDir: {}

base/manifests/cronjob-nextcloud-file-scan.yaml

@@ -11,6 +11,7 @@ metadata:
   name: nextcloud-file-scan
 spec:
   schedule: "0 12,20 * * *"
+  concurrencyPolicy: Forbid
   jobTemplate:
     spec:
       template:

bin/rigger

@@ -53,6 +53,7 @@ docker_image_names=(
 )
 
 nextcloud_deployment_name="nextcloud"
+nextcloud_backend_pod_label="backend-nextcloud"
 
 environment_config_path="manifests/config-environment.yaml"
 
@@ -761,11 +762,15 @@ sub_scale() {
 #
 sub_launch_shell() {
   declare -g nextcloud_deployment_name
+  declare -g nextcloud_backend_pod_label
   declare -g error_bad_environment
 
   pod_name=$(
-    kubectl get pods -n "${namespace}" -o name |
-      grep -m1 "${nextcloud_deployment_name}" || echo ""
+    (kubectl get pods -n "${namespace}" \
+      --selector="app=${nextcloud_backend_pod_label}" \
+      --field-selector=status.phase=Running \
+      -o name |
+        grep -m1 "${nextcloud_deployment_name}") || echo ""
   )
 
   if [[ -z "${pod_name}" ]]; then

docker/backend-nextcloud-apache/Dockerfile

@@ -8,9 +8,10 @@
 # @copyright Copyright (c) 2019, Inveniem
 # @license GNU AGPL version 3 or any later version
 #
-FROM nextcloud:23.0.2-apache
+FROM nextcloud:23.0.10-apache
 
 ENV NEXTCLOUD_CONFIG_READ_ONLY "false"
+ENV NEXTCLOUD_INIT_LOCK "true"
 
 # Eliminate default APCu configuration (we're using Redis)
 #

docker/backend-nextcloud-fpm/Dockerfile

@@ -17,7 +17,9 @@
 # Patch Alpine musl to work around this issue:
 # https://gitlab.alpinelinux.org/alpine/aports/issues/10960
 #
-FROM alpine:3.10 as musl_compile
+FROM alpine:3.16 as musl_compile
+
+ENV MUSL_VERSION="1.2.3"
 
 RUN set -eux;\
     apk add --update \
@@ -39,13 +41,13 @@ RUN set -eux;\
         gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key" ; \
     done; \
     \
-    curl -O https://www.musl-libc.org/releases/musl-1.1.24.tar.gz; \
-    curl -O https://www.musl-libc.org/releases/musl-1.1.24.tar.gz.asc; \
+    curl -O https://www.musl-libc.org/releases/musl-${MUSL_VERSION}.tar.gz; \
+    curl -O https://www.musl-libc.org/releases/musl-${MUSL_VERSION}.tar.gz.asc; \
     \
-    gpg --batch --verify musl-1.1.24.tar.gz.asc musl-1.1.24.tar.gz; \
+    gpg --batch --verify musl-${MUSL_VERSION}.tar.gz.asc musl-${MUSL_VERSION}.tar.gz; \
     \
-    tar -xvzf musl-1.1.24.tar.gz; \
-    cd ./musl-1.1.24; \
+    tar -xvzf musl-${MUSL_VERSION}.tar.gz; \
+    cd ./musl-${MUSL_VERSION}; \
     sed -i 's/char buf\[2048\]/char buf\[8192\]/' ./src/dirent/__dirent.h; \
     \
     ./configure; \
@@ -57,9 +59,10 @@ RUN set -eux;\
 ################################################################################
 # This is the container that actually gets pushed.
 #
-FROM nextcloud:23.0.2-fpm-alpine
+FROM nextcloud:23.0.10-fpm-alpine
 
 ENV NEXTCLOUD_CONFIG_READ_ONLY "false"
+ENV NEXTCLOUD_INIT_LOCK "true"
 
 # Fix-up www-data UID from 82 to 33.
 #

docker/middle-nextcloud-nginx/Dockerfile

@@ -6,6 +6,6 @@
 # @copyright Copyright (c) 2019-2022, Inveniem
 # @license GNU AGPL version 3 or any later version
 #
-FROM nginx:1.21.3-alpine
+FROM nginx:1.23.1-alpine
 
 COPY nginx.conf /etc/nginx/nginx.conf

docker/middle-nextcloud-nginx/nginx.conf

@@ -27,9 +27,16 @@ http {
     sendfile        on;
     #tcp_nopush     on;
 
+    # Prevent nginx HTTP Server Detection
+    server_tokens   off;
+
     ## Customizations for the Inveniem AKS Image ##
     keepalive_timeout  65;
 
+    proxy_connect_timeout 60;
+    proxy_send_timeout 1800;
+    proxy_read_timeout 1800;
+
     set_real_ip_from  10.0.0.0/8;
     set_real_ip_from  172.16.0.0/12;
     set_real_ip_from  192.168.0.0/16;