From bd7fa11f04113271cab2d021757022c0ee784d59 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Sat, 19 Feb 2022 13:55:57 -0500 Subject: [PATCH] [ITSA-706] Abandon Using ConfigMap for Read-only Config Volume - The `replacements` feature of Kustomize can only source values from a `ConfigMap`. - A `ConfigMap` can only contain strings. - The `readOnly` value of a mount has to be a boolean. A fix for this limitation has been requested as: https://github.com/kubernetes-sigs/kustomize/issues/4479 In the meantime, it does not look like we'll be able to drive the volume mount setting off a `ConfigMap`, so we'll just have to document that admins will need to set this in the `configure-storage.nextcloud.yaml` file. --- kustomize/README.md | 30 ++++++++++++++++ kustomize/base/manifests/app-nextcloud.yaml | 5 --- .../cronjob-nextcloud-file-scan.yaml | 5 --- .../configure-storage.nextcloud.yaml | 24 +++++++++++-- .../overlays/01-sample/kustomization.yaml | 1 - .../manifests/config-environment.yaml | 5 --- .../transformer-readonly-volumes.yaml | 36 ------------------- 7 files changed, 52 insertions(+), 54 deletions(-) delete mode 100644 kustomize/overlays/01-sample/transformer-readonly-volumes.yaml diff --git a/kustomize/README.md b/kustomize/README.md index b824e0a..811a96b 100644 --- a/kustomize/README.md +++ b/kustomize/README.md @@ -44,3 +44,33 @@ ```sh az login ``` + +## Protecting Configuration from Re-install/Modification in Production +If Nextcloud believes that the `config.php` file is missing, it will create a +new, blank `config.php` file. Unfortunately, this may trigger sporadically and +accidentally if the volume hosting Nextcloud configuration becomes disconnected +or unmounted at run-time, such as when a Kubernetes node is under significant +memory or CPU pressure, or the Azure Files storage account hosting Nextcloud is +throttling connections due to excessive IOPS or transfer throughput. Then, when +connectivity is restored, the blank `config.php` file will overwrite the real +copy of the file. + +The result for the end-user is that they will be redirected to the Nextcloud +installer. Thankfully, after https://github.com/nextcloud/server/pull/14965, the +user will see an error message rather than being given the ability to re-install +Nextcloud and take full control of the installation. Regardless, this is not the +greatest UX because the Nextcloud installation will continue to display an error +message for all users until an admin restores the `config.php` from a backup +(assuming the admin has a backup at all!). + +If you have a high-traffic or under-provisioned installation, or just want to +harden your server from security vulnerabilities that could modify your +Nextcloud configuration, it is recommended that you mount the `config` volume +read-only _except_ during initial setup and upgrades. + +To do this, from within the overlay you are deploying, change the +`containerVolumeTemplates.volumeMountTemplates.mergeSpec.readOnly` setting in +the "Nextcloud Configuration Volume" section from `false` to `true` and then +re-deploy your application. When doing maintenance or upgrades, you will need to +change this setting back to `false` until you are done. Then, change it back to +`true` to restore the installation to a hardened state. diff --git a/kustomize/base/manifests/app-nextcloud.yaml b/kustomize/base/manifests/app-nextcloud.yaml index a1014e8..fa88dd9 100644 --- a/kustomize/base/manifests/app-nextcloud.yaml +++ b/kustomize/base/manifests/app-nextcloud.yaml @@ -51,11 +51,6 @@ spec: - name: volume-php-cache mountPath: /mnt/php-file-cache env: - - name: NEXTCLOUD_CONFIG_READ_ONLY - valueFrom: - configMapKeyRef: - name: environment - key: configReadOnly - name: NEXTCLOUD_FILE_LOCKING_ENABLED valueFrom: configMapKeyRef: diff --git a/kustomize/base/manifests/cronjob-nextcloud-file-scan.yaml b/kustomize/base/manifests/cronjob-nextcloud-file-scan.yaml index 6473db5..987c7db 100644 --- a/kustomize/base/manifests/cronjob-nextcloud-file-scan.yaml +++ b/kustomize/base/manifests/cronjob-nextcloud-file-scan.yaml @@ -26,11 +26,6 @@ spec: - name: volume-nextcloud-app mountPath: /var/www/html env: - - name: NEXTCLOUD_CONFIG_READ_ONLY - valueFrom: - configMapKeyRef: - name: environment - key: configReadOnly - name: NEXTCLOUD_FILE_LOCKING_ENABLED valueFrom: configMapKeyRef: diff --git a/kustomize/overlays/01-sample/configure-storage.nextcloud.yaml b/kustomize/overlays/01-sample/configure-storage.nextcloud.yaml index 055603e..3ec10e3 100644 --- a/kustomize/overlays/01-sample/configure-storage.nextcloud.yaml +++ b/kustomize/overlays/01-sample/configure-storage.nextcloud.yaml @@ -1,6 +1,18 @@ ## -# Kustomize plugin configuration for using KST to setup workspace storage for -# each client. +# Kustomize plugin configuration for using KST to configure Nextcloud storage. +# +# This is an EXAMPLE file. Customize for your environment! If you have multiple +# environments, you can create multiple copies of the containing, sample overlay +# folder and customize manifests in each one to match your environments. +# +# This configures storage for each client/project, Nextcloud configuration, and +# Nextcloud home folders. +# +# NOTE: For improved reliability and security in a production environment, you +# should mount the "config" volume for Nextcloud read-only *except* during +# initial setup or software upgrades. +# +# See note in the "Nextcloud Configuration Volume" section below. # # @author Guy Elsmore-Paddock (guy@inveniem.com) # @copyright Copyright (c) 2022, Inveniem @@ -155,6 +167,14 @@ spec: volumeMountTemplates: - mergeSpec: mountPath: "/var/www/html/config" + # This controls whether Nextcloud config is read-only or writable. + # - Set this to "true" to prevent Nextcloud from trying to + # re-install itself in the event that Azure Files is + # intermittently unavailable. + # - Set this to "false" ONLY during initial deployment and + # upgrades. + # + readOnly: false name: prefix: "vol-" suffix: ~ diff --git a/kustomize/overlays/01-sample/kustomization.yaml b/kustomize/overlays/01-sample/kustomization.yaml index c92d31c..de13209 100644 --- a/kustomize/overlays/01-sample/kustomization.yaml +++ b/kustomize/overlays/01-sample/kustomization.yaml @@ -34,7 +34,6 @@ components: transformers: - configure-storage.nextcloud.yaml - - transformer-readonly-volumes.yaml namespace: nextcloud-sample diff --git a/kustomize/overlays/01-sample/manifests/config-environment.yaml b/kustomize/overlays/01-sample/manifests/config-environment.yaml index 7321ae6..113a068 100644 --- a/kustomize/overlays/01-sample/manifests/config-environment.yaml +++ b/kustomize/overlays/01-sample/manifests/config-environment.yaml @@ -14,11 +14,6 @@ kind: ConfigMap metadata: name: environment data: - # Set this to "false" during initial deployment and during upgrades. Set it - # to true to prevent Nextcloud from trying to re-install in the event that - # Azure Files is intermittently unavailable. - configReadOnly: false - enableFileLocking: "false" trustedProxies: "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16" primaryHostname: "example.com" diff --git a/kustomize/overlays/01-sample/transformer-readonly-volumes.yaml b/kustomize/overlays/01-sample/transformer-readonly-volumes.yaml deleted file mode 100644 index 3d497f7..0000000 --- a/kustomize/overlays/01-sample/transformer-readonly-volumes.yaml +++ /dev/null @@ -1,36 +0,0 @@ -## -# Inline transformer for making config optionally read-only. -# -# Based on guidance from: -# https://github.com/kubernetes-sigs/kustomize/issues/4476 -# -# Config can be made read-only by a setting in the config-environment.yaml file -# of the environment overlay. For a high-availability and durable deployment of -# Nextcloud, it is advised to make the config read-only except during upgrades. -# Otherwise, Nextcloud is liable to overwrite the configuration file with a -# blank/new config file whenever there is an error reading the configuration -# from Azure Files (e.g., if throttled by Azure Files or AKS during high load). -# -# @author Guy Elsmore-Paddock (guy@inveniem.com) -# @copyright Copyright (c) 2022, Inveniem -# @license GNU AGPL version 3 or any later version -# -apiVersion: builtin -kind: ReplacementTransformer - -metadata: - name: transformer-readonly-volumes - -replacements: - - source: - kind: ConfigMap - name: environment - fieldPath: data.configReadOnly - targets: - - select: - kind: Deployment - name: "nextcloud" - fieldPaths: - - spec.template.spec.containers.0.volumeMounts.3.readOnly - options: - create: true