diff --git a/test/nextcloud/1.3.6/ix_values.yaml b/test/nextcloud/1.3.6/ix_values.yaml
index 1c55afae66..3540094a90 100644
--- a/test/nextcloud/1.3.6/ix_values.yaml
+++ b/test/nextcloud/1.3.6/ix_values.yaml
@@ -2,3 +2,8 @@ image:
 pullPolicy: IfNotPresent
 repository: nextcloud
 tag: '22.2'
+nginx:
+ image:
+ repository: nginx
+ tag: 1.21.3
+ pullPolicy: IfNotPresent
diff --git a/test/nextcloud/1.3.6/templates/_nginx.tpl b/test/nextcloud/1.3.6/templates/_nginx.tpl
new file mode 100644
index 0000000000..3df19913a7
--- /dev/null
+++ b/test/nextcloud/1.3.6/templates/_nginx.tpl
@@ -0,0 +1,79 @@
+{{/*
+Retrieve true/false if certificate is configured
+*/}}
+{{- define "nginx.certAvailable" -}}
+{{- if .Values.certificate -}}
+{{- $values := (. | mustDeepCopy) -}}
+{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate) -}}
+{{- template "common.resources.cert_present" $values -}}
+{{- else -}}
+{{- false -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Retrieve public key of certificate
+*/}}
+{{- define "nginx.cert.publicKey" -}}
+{{- $values := (. | mustDeepCopy) -}}
+{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate "publicKey" true) -}}
+{{ include "common.resources.cert" $values }}
+{{- end -}}
+
+
+{{/*
+Retrieve private key of certificate
+*/}}
+{{- define "nginx.cert.privateKey" -}}
+{{- $values := (. | mustDeepCopy) -}}
+{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate) -}}
+{{ include "common.resources.cert" $values }}
+{{- end -}}
+
+
+{{/*
+Retrieve configured protocol scheme for nextcloud
+*/}}
+{{- define "nginx.scheme" -}}
+{{- if eq (include "nginx.certAvailable" .) "true" -}}
+{{- print "https" -}}
+{{- else -}}
+{{- print "http" -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Retrieve nginx certificate secret name
+*/}}
+{{- define "nginx.secretName" -}}
+{{- print "nginx-secret" -}}
+{{- end -}}
+
+
+{{/*
+Formats volumeMount for tls keys and trusted certs
+*/}}
+{{- define "nginx.tlsKeysVolumeMount" -}}
+{{- if eq (include "nginx.certAvailable" .) "true" -}}
+- name: cert-secret-volume
+ mountPath: "/etc/nginx"
+{{- end -}}
+{{- end -}}
+
+{{/*
+Formats volume for tls keys and trusted certs
+*/}}
+{{- define "nginx.tlsKeysVolume" -}}
+{{- if eq (include "nginx.certAvailable" .) "true" -}}
+- name: cert-secret-volume
+ secret:
+ secretName: {{ include "nginx.secretName" . }}
+ items:
+ - key: certPublicKey
+ path: public.crt
+ - key: certPrivateKey
+ path: private.key
+{{- end -}}
+{{- end -}}
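Review bot: Mounting `cert-secret-volume` at `/etc/nginx` in `nginx.tlsKeysVolumeMount` replaces the image's whole configuration directory with the two secret files, so the stock `nginx.conf`, `mime.types` and `conf.d` are hidden unless other mounts, not visible in this diff, put them back. A dedicated directory keeps the key material apart from configuration, for example `mountPath: "/etc/nginx/certs"` with `readOnly: true`, and the `ssl_certificate` / `ssl_certificate_key` paths in nginx-configmap.yaml would then need to follow. In `nginx.tlsKeysVolume`, adding `defaultMode: 0400` under `secret:` would stop `private.key` from being projected with the default world-readable mode.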
diff --git a/test/nextcloud/1.3.6/templates/nginx-configmap.yaml b/test/nextcloud/1.3.6/templates/nginx-configmap.yaml
new file mode 100644
index 0000000000..52be37af7c
--- /dev/null
+++ b/test/nextcloud/1.3.6/templates/nginx-configmap.yaml
@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "nginx-configuration"
+data:
+ config: |-
+ http {
+ # redirects all http requests to https requests
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ server_name localhost;
+
+ listen 443 ssl http2;
+ listen [::]:433 ssl http2;
+
+ ssl_certificate /etc/nginx/public.crt
+ ssl_certificate_key /etc/nginx/private.key
+
+ ssl_session_timeout 120m;
+ ssl_session_cache shared:ssl:16m;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
+
+ add_header Strict-Transport-Security max-age=31536000;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1";
+
+
+ # maximum 3GB Upload File; change to fit your needs
+ client_max_body_size 3G;
+
+ location / {
+ # We clear this as we will be adding it in our reverse proxy
+ more_clear_headers 'Strict-Transport-Security';
+ proxy_pass http://localhost:80;
+ # set proper x-forwarded-headers
+ # proxy_set_header 'X-Forwarded-Host' nextcloud.domain.tld;
+ # proxy_set_header 'X-Forwarded-Proto' https;
+ # -For and -IP:
+ # see https://stackoverflow.com/questions/19366090/what-is-the-difference-between-x-forwarded-for-and-x-forwarded-ip
+ proxy_set_header 'X-Forwarded-For' $remote_addr;
+ proxy_set_header 'X-Forwarded-IP' $remote_addr;
+ }
+ }
+ }
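Review bot: The TLS `server` block will not parse as written and, once it does, still offers legacy protocols: `ssl_certificate` and `ssl_certificate_key` lack their terminating `;`, the IPv6 listener is on `[::]:433` instead of 443, and `ssl_protocols` enables TLSv1 and TLSv1.1 alongside 1.2 and 1.3. The corrected directives are below. Separately, `more_clear_headers` is provided by the headers-more module, which the stock `nginx` image selected in ix_values.yaml does not ship as far as I know, so either confirm the image loads that module or use `proxy_hide_header Strict-Transport-Security;` instead. `proxy_pass http://localhost:80` also targets the same port as the redirecting `server` above it; if nginx and Nextcloud share a pod network namespace (not visible here), that either collides on port 80 or loops back into the 301.

```yaml
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        # … unchanged: blank line …
        ssl_certificate /etc/nginx/public.crt;
        ssl_certificate_key /etc/nginx/private.key;
        # … unchanged: ssl_session_timeout, ssl_session_cache …
        ssl_protocols TLSv1.2 TLSv1.3;
```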