[ITSA-706] Abandon Using ConfigMap for Read-only Config Volume

- The `replacements` feature of Kustomize can only source values from a
  `ConfigMap`.
- A `ConfigMap` can only contain strings.
- The `readOnly` value of a mount has to be a boolean.

A fix for this limitation has been requested as:
kubernetes-sigs/kustomize#4479

In the meantime, it does not look like we'll be able to drive the volume
mount setting off a `ConfigMap`, so we'll just have to document that
admins will need to set this in the `configure-storage.nextcloud.yaml`
file.

kustomize/README.md

@@ -44,3 +44,33 @@
    ```sh
    az login
    ```
+
+## Protecting Configuration from Re-install/Modification in Production
+If Nextcloud believes that the `config.php` file is missing, it will create a
+new, blank `config.php` file. Unfortunately, this may trigger sporadically and
+accidentally if the volume hosting Nextcloud configuration becomes disconnected
+or unmounted at run-time, such as when a Kubernetes node is under significant
+memory or CPU pressure, or the Azure Files storage account hosting Nextcloud is
+throttling connections due to excessive IOPS or transfer throughput. Then, when
+connectivity is restored, the blank `config.php` file will overwrite the real
+copy of the file.
+
+The result for the end-user is that they will be redirected to the Nextcloud
+installer. Thankfully, after https://github.com/nextcloud/server/pull/14965, the
+user will see an error message rather than being given the ability to re-install
+Nextcloud and take full control of the installation. Regardless, this is not the
+greatest UX because the Nextcloud installation will continue to display an error
+message for all users until an admin restores the `config.php` from a backup
+(assuming the admin has a backup at all!).
+
+If you have a high-traffic or under-provisioned installation, or just want to
+harden your server from security vulnerabilities that could modify your
+Nextcloud configuration, it is recommended that you mount the `config` volume
+read-only _except_ during initial setup and upgrades.
+
+To do this, from within the overlay you are deploying, change the
+`containerVolumeTemplates.volumeMountTemplates.mergeSpec.readOnly` setting in
+the "Nextcloud Configuration Volume" section from `false` to `true` and then
+re-deploy your application. When doing maintenance or upgrades, you will need to
+change this setting back to `false` until you are done. Then, change it back to
+`true` to restore the installation to a hardened state.

kustomize/base/manifests/app-nextcloud.yaml

@@ -51,11 +51,6 @@ spec:
             - name: volume-php-cache
               mountPath: /mnt/php-file-cache
           env:
-            - name: NEXTCLOUD_CONFIG_READ_ONLY
-              valueFrom:
-                configMapKeyRef:
-                  name: environment
-                  key: configReadOnly
             - name: NEXTCLOUD_FILE_LOCKING_ENABLED
               valueFrom:
                 configMapKeyRef:

kustomize/base/manifests/cronjob-nextcloud-file-scan.yaml

@@ -26,11 +26,6 @@ spec:
                 - name: volume-nextcloud-app
                   mountPath: /var/www/html
               env:
-                - name: NEXTCLOUD_CONFIG_READ_ONLY
-                  valueFrom:
-                    configMapKeyRef:
-                      name: environment
-                      key: configReadOnly
                 - name: NEXTCLOUD_FILE_LOCKING_ENABLED
                   valueFrom:
                     configMapKeyRef:

kustomize/overlays/01-sample/configure-storage.nextcloud.yaml

@@ -1,6 +1,18 @@
 ##
-# Kustomize plugin configuration for using KST to setup workspace storage for
-# each client.
+# Kustomize plugin configuration for using KST to configure Nextcloud storage.
+#
+# This is an EXAMPLE file. Customize for your environment! If you have multiple
+# environments, you can create multiple copies of the containing, sample overlay
+# folder and customize manifests in each one to match your environments.
+#
+# This configures storage for each client/project, Nextcloud configuration, and
+# Nextcloud home folders.
+#
+# NOTE: For improved reliability and security in a production environment, you
+#       should mount the "config" volume for Nextcloud read-only *except* during
+#       initial setup or software upgrades.
+#
+#       See note in the "Nextcloud Configuration Volume" section below.
 #
 # @author Guy Elsmore-Paddock (guy@inveniem.com)
 # @copyright Copyright (c) 2022, Inveniem
@@ -155,6 +167,14 @@ spec:
         volumeMountTemplates:
           - mergeSpec:
               mountPath: "/var/www/html/config"
+              # This controls whether Nextcloud config is read-only or writable.
+              # - Set this to "true" to prevent Nextcloud from trying to
+              #   re-install itself in the event that Azure Files is
+              #   intermittently unavailable.
+              # - Set this to "false" ONLY during initial deployment and
+              #   upgrades.
+              #
+              readOnly: false
             name:
               prefix: "vol-"
               suffix: ~

kustomize/overlays/01-sample/kustomization.yaml

@@ -34,7 +34,6 @@ components:
 
 transformers:
   - configure-storage.nextcloud.yaml
-  - transformer-readonly-volumes.yaml
 
 namespace: nextcloud-sample
 

kustomize/overlays/01-sample/manifests/config-environment.yaml

@@ -14,11 +14,6 @@ kind: ConfigMap
 metadata:
   name: environment
 data:
-  # Set this to "false" during initial deployment and during upgrades. Set it
-  # to true to prevent Nextcloud from trying to re-install in the event that
-  # Azure Files is intermittently unavailable.
-  configReadOnly: false
-
   enableFileLocking: "false"
   trustedProxies: "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
   primaryHostname: "example.com"