Merge pull request #1 from k8sonlab/develop

varet80 · web-flow · commit 0647c9823083 · 2025-07-11T17:58:51.000+02:00
Next Major Release: v7
diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
@@ -5,7 +5,7 @@ on:
     paths:
 jobs:
   changes:
-    runs-on: ubuntu-latest-low
+    runs-on: ubuntu-latest
 
     outputs:
       src: ${{ steps.changes.outputs.src}}
@@ -22,7 +22,7 @@ jobs:
               - 'charts/nextcloud/templates/**'
 
   lint:
-    runs-on: ubuntu-latest-low
+    runs-on: ubuntu-latest
     needs: changes
     if: needs.changes.outputs.src != 'false'
     steps:
@@ -162,7 +162,7 @@ jobs:
             exit $EXIT
 
   summary:
-    runs-on: ubuntu-latest-low
+    runs-on: ubuntu-latest
     needs: [changes, test]
     if: always()
     steps:
diff --git a/charts/nextcloud/CHANGELOG.md b/charts/nextcloud/CHANGELOG.md
@@ -0,0 +1,28 @@
+# Changelog
+
+This Helm-Chart increase there major version on every breaking change (or major version of Nextcloud itself) inspired by semantic releases.
+
+Here we list all major versions and their breaking changes for migration.
+
+## v7
+
+- update redis to v20 (see [CHANGELOG](https://github.com/bitnami/charts/blob/main/bitnami/redis/CHANGELOG.md#2000-2024-08-09))
+- update redis to v21 (see [CHANGELOG](https://github.com/bitnami/charts/blob/main/bitnami/redis/CHANGELOG.md#2100-2025-05-06)
+- update postgresql to v16 (see [CHANGELOG](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/CHANGELOG.md#1600-2024-10-02))
+    - maybe use [pgautoupgrade](https://github.com/pgautoupgrade/docker-pgautoupgrade) to update to v17 (helm v16), with:
+      ```yaml
+      postgresql:
+        primary:
+          initContainers:
+            - name: upgrade
+              image: "pgautoupgrade/pgautoupgrade:17-alpine"
+              env:
+                - name: "PGAUTO_ONESHOT"
+                  value: "yes"
+              volumeMounts:
+                - mountPath: "/bitnami/postgresql"
+                  name: "data"
+      ```
+- update mariadb to v19 (see [CHANGELOG](https://github.com/bitnami/charts/blob/main/bitnami/mariadb/CHANGELOG.md#1900-2024-07-11))
+- update mariadb to v20 (see [CHANGELOG](https://github.com/bitnami/charts/blob/main/bitnami/mariadb/CHANGELOG.md#2000-2024-11-08))
+- update nextcloud to v31 (see [CHANGELOG](https://nextcloud.com/changelog/#31-0-0))
diff --git a/charts/nextcloud/Chart.lock b/charts/nextcloud/Chart.lock
@@ -1,15 +1,15 @@
 dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 15.5.0
+  version: 16.7.4
 - name: mariadb
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 18.2.0
+  version: 20.5.5
 - name: redis
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 19.6.4
+  version: 21.1.3
 - name: collabora-online
   repository: https://collaboraonline.github.io/online
   version: 1.1.20
-digest: sha256:00e8d82d28825fd3f46e7e7d888d1aac93ebdb5135f6a4d7e6ae0c3155881c27
-generated: "2024-12-15T19:47:53.357052+01:00"
+digest: sha256:47979e007ed8bb4a53ec00c5e457da110573a6e067f24da505144f475b26981c
+generated: "2025-05-18T15:22:37.968306345+02:00"
diff --git a/charts/nextcloud/Chart.yaml b/charts/nextcloud/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 name: nextcloud
-version: 6.6.10
+version: 7.0.1
 # renovate: image=docker.io/library/nextcloud
-appVersion: 30.0.10
+appVersion: 31.0.7
 description: A file sharing server that puts the control and security of your own data back into your hands.
 keywords:
   - nextcloud
@@ -28,15 +28,15 @@ maintainers:
     url: https://jessebot.work
 dependencies:
   - name: postgresql
-    version: 15.5.0
+    version: 16.7.4
     repository: oci://registry-1.docker.io/bitnamicharts
     condition: postgresql.enabled
   - name: mariadb
-    version: 18.2.0
+    version: 20.5.5
     repository: oci://registry-1.docker.io/bitnamicharts
     condition: mariadb.enabled
   - name: redis
-    version: 19.6.4
+    version: 21.1.3
     repository: oci://registry-1.docker.io/bitnamicharts
     condition: redis.enabled
   - name: collabora-online
diff --git a/charts/nextcloud/README.md b/charts/nextcloud/README.md
@@ -15,6 +15,7 @@ helm install my-release nextcloud/nextcloud
 * [Prerequisites](#prerequisites)
 * [Installing the Chart](#installing-the-chart)
 * [Uninstalling the Chart](#uninstalling-the-chart)
+* [Upgrade / Breaking Changes](#upgrade--breaking-changes)
 * [Configuration](#configuration)
     * [Ingress](#ingress)
         * [Ingress Sticky-Sessions](#ingress-sticky-sessions)
@@ -97,6 +98,11 @@ helm delete my-release
 
 The command removes all the Kubernetes components associated with the chart and deletes the release.
 
+## Upgrade / Breaking Changes
+
+There is a Changelog of breaking changes here: [CHANGELOG.md](./CHANGELOG.md).
+You should read it bevore updating.
+
 ## Configuration
 
 The following table lists the configurable parameters of the nextcloud chart and their default values.
diff --git a/charts/nextcloud/files/nginx.config.tpl b/charts/nextcloud/files/nginx.config.tpl
@@ -1,7 +1,15 @@
+# Version 2024-07-17
+
 upstream php-handler {
     server 127.0.0.1:9000;
 }
 
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+map $arg_v $asset_immutable {
+    "" "";
+    default ", immutable";
+}
+
 server {
     {{- if and (has "IPv4" .Values.nginx.ipFamilies) (has "IPv6" .Values.nginx.ipFamilies) }}
     # Both IPv4 and IPv6 are enabled
@@ -14,6 +22,12 @@ server {
     listen {{ .Values.nginx.containerPort }};
     {{- end }}
 
+    # Path to the root of your installation
+    root /var/www/html;
+
+    # Prevent nginx HTTP Server Detection
+    server_tokens off;
+
     # HSTS settings
     # WARNING: Only add the preload option once you read about
     # the consequences in https://hstspreload.org/. This option
@@ -26,8 +40,9 @@ server {
     {{- end }}
     {{- end }}
 
-    # set max upload size
-    client_max_body_size 10G;
+    # set max upload size and increase upload timeout:
+    client_max_body_size 512M;
+    client_body_timeout 300s;
     fastcgi_buffers 64 4K;
 
     # Enable gzip but do not remove ETag headers
@@ -36,27 +51,30 @@ server {
     gzip_comp_level 4;
     gzip_min_length 256;
     gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+    gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
     # Pagespeed is not supported by Nextcloud, so if your server is built
     # with the `ngx_pagespeed` module, uncomment this line to disable it.
     #pagespeed off;
 
+    # The settings allows you to optimize the HTTP2 bandwidth.
+    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+    # for tuning hints
+    client_body_buffer_size 512k;
+
     # Remove X-Powered-By, which is an information leak
     fastcgi_hide_header X-Powered-By;
 
-    # Add .mjs as a file extension for javascript
+    # Set .mjs and .wasm MIME types
     # Either include it in the default mime.types list
-    # or include you can include that list explicitly and add the file extension
+    # and include that list explicitly or add the file extension
     # only for Nextcloud like below:
     include mime.types;
     types {
         text/javascript js mjs;
+        application/wasm wasm;
     }
 
-    # Path to the root of your installation
-    root /var/www/html;
-
     # Specify how to handle directories -- specifying `/index.php$request_uri`
     # here as the fallback means that Nginx always exhibits the desired behaviour
     # when a client requests a path that corresponds to a directory that exists
@@ -91,10 +109,10 @@ server {
 
         location = /.well-known/carddav     { return 301 /remote.php/dav/; }
         location = /.well-known/caldav      { return 301 /remote.php/dav/; }
-        # Anything else is dynamically handled by Nextcloud
-        location ^~ /.well-known            { return 301 /index.php$uri; }
 
-        try_files $uri $uri/ =404;
+        # Let Nextcloud's API for `/.well-known` URIs handle all other
+        # requests by passing them to the front-end controller.
+        return 301 /index.php$request_uri;
     }
 
     # Rules borrowed from `.htaccess` to hide certain paths from clients
@@ -106,8 +124,8 @@ server {
     # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
     # to the URI, resulting in a HTTP 500 error response.
     location ~ \.php(?:$|/) {
-        # Required for legacy support
-        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+    # Required for legacy support
+        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
 
         fastcgi_split_path_info ^(.+?\.php)(/.*)$;
         set $path_info $fastcgi_path_info;
@@ -117,28 +135,35 @@ server {
         include fastcgi_params;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         fastcgi_param PATH_INFO $path_info;
-        #fastcgi_param HTTPS on;
+        fastcgi_param HTTPS on;
 
         fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
         fastcgi_param front_controller_active true;     # Enable pretty urls
         fastcgi_pass php-handler;
 
         fastcgi_intercept_errors on;
         fastcgi_request_buffering off;
+
+        fastcgi_max_temp_file_size 0;
     }
 
-    location ~ \.(?:css|js|svg|gif)$ {
+    location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
         try_files $uri /index.php$request_uri;
         expires 6M;         # Cache-Control policy borrowed from `.htaccess`
         access_log off;     # Optional: Don't log access to assets
     }
 
-    location ~ \.woff2?$ {
+    location ~ \.(otf|woff2?)$ {
         try_files $uri /index.php$request_uri;
         expires 7d;         # Cache-Control policy borrowed from `.htaccess`
         access_log off;     # Optional: Don't log access to assets
     }
 
+    # Rule borrowed from `.htaccess`
+    location /remote {
+        return 301 /remote.php$request_uri;
+    }
+
     location / {
         try_files $uri $uri/ /index.php$request_uri;
     }
diff --git a/charts/nextcloud/templates/metrics/deployment.yaml b/charts/nextcloud/templates/metrics/deployment.yaml
@@ -64,6 +64,8 @@ spec:
               value: {{ .Values.metrics.tlsSkipVerify | quote }}
             - name: NEXTCLOUD_INFO_APPS
               value: {{ .Values.metrics.info.apps | quote }}
+            - name: NEXTCLOUD_INFO_UPDATE
+              value: {{ .Values.metrics.info.update | quote }}
           ports:
             - name: metrics
               containerPort: 9205
diff --git a/charts/nextcloud/templates/metrics/prometheus-rules.yaml b/charts/nextcloud/templates/metrics/prometheus-rules.yaml
@@ -0,0 +1,61 @@
+{{- if .Values.metrics.rules.enabled }}
+{{- $fullname := include "nextcloud.fullname" . }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ $fullname }}
+  labels:
+    {{- include "nextcloud.labels"  ( dict "rootContext" $ ) | nindent 4 }}
+    {{- with .Values.metrics.rules.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  groups:
+    {{- with .Values.metrics.rules.defaults }}
+    {{- if .enabled }}
+    {{- $filter := .filter | default (printf `namespace="%s",job=~"^%s.*"` $.Release.Namespace $fullname) }}
+    - name: {{ $fullname }}-Defaults
+      rules:
+        - alert: "nextcloud: not reachable"
+          expr: 'avg(nextcloud_up{ {{ $filter }} }) without(endpoint,container,pod,instance) < 1'
+          for: 5m
+          labels:
+            severity: "critical"
+            {{- with .labels }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          annotations:
+            {{`
+            summary: "Nextcloud in {{ $labels.namespace }} is not reachable by exporter"
+            `}}
+        - alert: "nextcloud: outdated version"
+          expr: 'sum(nextcloud_system_update_available{ {{ $filter }} }) without(endpoint,container,pod,instance) > 0'
+          labels:
+            severity: "warning"
+            {{- with .labels }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          annotations:
+            {{`
+            summary: "Nextcloud in {{ $labels.namespace }} is outdated"
+            `}}
+        - alert: "nextcloud: outdated apps"
+          expr: 'sum(nextcloud_apps_updates_available_total{ {{ $filter }} }) without(endpoint,container,pod,instance) > 0'
+          labels:
+            severity: "warning"
+            {{- with .labels }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          annotations:
+            {{`
+            summary: "Nextcloud in {{ $labels.namespace }} has {{ $value }} outdated Apps"
+            `}}
+    {{- end }}
+    {{- end }}{{/* end-with prometheus.rules.default */}}
+    {{- with .Values.metrics.rules.additionalRules }}
+    - name: {{ $fullname }}-Additional
+      rules:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+{{- end }}
+
diff --git a/charts/nextcloud/values.yaml b/charts/nextcloud/values.yaml
@@ -347,7 +347,6 @@ nginx:
       "Strict-Transport-Security": ""
       "Referrer-Policy": "no-referrer"
       "X-Content-Type-Options": "nosniff"
-      "X-Download-Options": "noopen"
       "X-Frame-Options": "SAMEORIGIN"
       "X-Permitted-Cross-Domain-Policies": "none"
       "X-Robots-Tag": "noindex, nofollow"
@@ -778,10 +777,11 @@ metrics:
     # Optional: becomes NEXTCLOUD_INFO_APPS env var in the nextcloud-exporter container.
     # Enables gathering of apps-related metrics. Defaults to false
     apps: false
+    update: false
 
   image:
     repository: xperimental/nextcloud-exporter
-    tag: 0.6.2
+    tag: 0.8.0
     pullPolicy: IfNotPresent
     # pullSecrets:
     #   - myRegistrKeySecretName
@@ -863,6 +863,27 @@ metrics:
     ##
     labels: {}
 
+  rules:
+    # -- Deploy Prometheus Rules (Alerts) for the exporter
+    # @section -- Metrics
+    enabled: false
+    # -- Label on Prometheus Rules CRD Manifest
+    # @section -- Metrics
+    labels: {}
+    defaults:
+      # -- Add Default Rules
+      # @section -- Metrics
+      enabled: true
+      # -- Label on the rules (the severity is already set)
+      # @section -- Metrics
+      labels: {}
+      # -- Filter on metrics on alerts (default just for this helm-chart)
+      # @section -- Metrics
+      filter: ""
+    # -- Add own Rules to Prometheus Rules
+    # @section -- Metrics
+    additionalRules: []
+
 
 rbac:
   enabled: false
