kustomize/base/manifests/app-nextcloud.yaml

##
# Kubernetes deployment configuration for running Nextcloud on PHP FPM with
# an Nginx reverse proxy.
#
# @author Guy Elsmore-Paddock (guy@inveniem.com)
# @copyright Copyright (c) 2019-2022, Inveniem
# @license GNU AGPL version 3 or any later version
#
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nextcloud
spec:
  replicas: 1
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app: backend-nextcloud
  template:
    metadata:
      labels:
        app: backend-nextcloud
        role: backend
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            # Prevent multiple replicas from being on the same node.
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - backend-nextcloud
              topologyKey: "kubernetes.io/hostname"

      containers:
        # Container: The PHP-FPM-based Nextcloud backend
        - name: backend-nextcloud-fpm
          image: "inveniem/nextcloud-fpm:latest"
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 1500m
              memory: 1280Mi
          volumeMounts:
            - name: volume-nextcloud-app
              mountPath: /var/www/html
            - name: volume-php-cache
              mountPath: /mnt/php-file-cache
          env:
            - name: NEXTCLOUD_FILE_LOCKING_ENABLED
              valueFrom:
                configMapKeyRef:
                  name: environment
                  key: enableFileLocking
            - name: NEXTCLOUD_TRUSTED_DOMAINS
              valueFrom:
                configMapKeyRef:
                  name: environment
                  key: trustedDomains
            - name: TRUSTED_PROXIES
              valueFrom:
                configMapKeyRef:
                  name: environment
                  key: trustedProxies
            - name: NEXTCLOUD_ADMIN_USER
              valueFrom:
                secretKeyRef:
                  name: "nextcloud-admin-creds"
                  key: username
            - name: NEXTCLOUD_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "nextcloud-admin-creds"
                  key: password
            - name: MYSQL_HOST
              valueFrom:
                secretKeyRef:
                  name: "nextcloud-mysql-creds"
                  key: hostname
            - name: MYSQL_DATABASE
              valueFrom:
                secretKeyRef:
                  name: "nextcloud-mysql-creds"
                  key: database
            - name: MYSQL_USER
              valueFrom:
                secretKeyRef:
                  name: "nextcloud-mysql-creds"
                  key: username
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "nextcloud-mysql-creds"
                  key: password
            - name: REDIS_HOST
              value: "internal-redis"
            - name: REDIS_PORT
              value: "6379"
            - name: REDIS_KEY
              valueFrom:
                secretKeyRef:
                  name: "nextcloud-redis-creds"
                  key: password

        # Container: Nginx Server Middleware
        - name: middle-nextcloud-nginx
          image: "inveniem/nextcloud-nginx-middleware:latest"
          ports:
            - containerPort: 80

          resources:
            requests:
              cpu: 10m
              memory: 16Mi
            limits:
              cpu: 250m
              memory: 128Mi

          volumeMounts:
            - name: volume-nextcloud-app
              mountPath: /var/www/html
              readOnly: true

          startupProbe:
            # After pod creation, allow Nextcloud to take up to 10 minutes
            # (5 seconds x 120 attempts) before concluding the container
            # has failed, to allow for automated updates at launch.
            periodSeconds: 5
            failureThreshold: 120
            httpGet:
              path: "/status.php"
              port: 80
              httpHeaders:
                - name: "Host"
                  # This host gets overwritten by
                  # components/ingress-dns/kustomization.yaml
                  value: "nextcloud.local"

          # This probe kicks in after startup, according to the docs:
          # "Once the startup probe has succeeded once, the liveness probe takes
          # over to provide a fast response to container deadlocks."
          #
          # From:
          # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
          livenessProbe:
            periodSeconds: 15
            timeoutSeconds: 10
            # Restart container after it is down for 5 minutes. The readiness
            # probe should prevent it from receiving traffic within 5 seconds of
            # it becoming unresponsive.
            failureThreshold: 20
            successThreshold: 1
            httpGet:
              path: "/status.php"
              port: 80
              httpHeaders:
                - name: "Host"
                  # This host gets overwritten by
                  # components/ingress-dns/kustomization.yaml
                  value: "nextcloud.local"

          readinessProbe:
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
            # Ensure stability across two checks before continuing to route
            # traffic, so we don't sawtooth during heavy request load between
            # being available-unavailable-available-unavailable.
            successThreshold: 2
            httpGet:
              # This path should work both before and after installation.
              # In local testing, Nextcloud serves up the installer regardless
              # of which URL is provided.
              path: "/index.php/login?direct=1"
              port: 80
              httpHeaders:
                - name: "Host"
                  # This host gets overwritten by
                  # components/ingress-dns/kustomization.yaml
                  value: "nextcloud.local"

      volumes:
        # Ephemeral volume that contains the loaded Nextcloud software,
        # shared between the Nextcloud PHP-FPM and Nginx containers within the
        # same pod
        - name: volume-nextcloud-app
          emptyDir: {}
        # Ephemeral volume for on-disk PHP opcode cache
        - name: volume-php-cache
          emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: internal-nextcloud
  labels:
    role: internal-service
spec:
  type: ClusterIP
  ports:
    - port: 80
  selector:
    app: backend-nextcloud
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: frontend-nextcloud-ingress
  labels:
    owning-app: "nextcloud"
  annotations:
    cert-manager.io/issuer: letsencrypt-production
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
    nginx.ingress.kubernetes.io/proxy-body-size: "10g"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        # This host gets overwritten by components/ingress-dns/kustomization.yaml
        - "nextcloud.local"
      secretName: nextcloud-tls-certificate
  rules:
    # This host gets overwritten by components/ingress-dns/kustomization.yaml
    - host: "nextcloud.local"
      http:
        paths:
          - path: "/"
            pathType: Prefix
            backend:
              service:
                name: internal-nextcloud
                port:
                  number: 80