How to fix nginx-ingress TLS/SSL encryption with Let's Encrypt for a Nextcloud (Helm) installation on a Linode k8s (v1.19) cluster that does not work as expected
I am trying to install Nextcloud with Helm on a Linode-managed k8s cluster. The installation itself has no problems; everything works. My Nextcloud instance is TLS-encrypted, but when I try to log in, nothing happens. In the browser console I only get this message:
Refused to send form data to 'http://cloud.my-domain.io/' because it violates the following Content Security Policy directive: "form-action 'self'".
I found out that this might be related to a problem with the reverse proxy of the k8s nginx ingress for Nextcloud. I tried to solve it by adding 'overwriteprotocol' => 'https' to my config.php. The error message then disappeared, but I was not taken to the account page; I still only saw the login page.
I also tried to use the nginx ingress of the Nextcloud Helm chart itself. But that did not work at all. When I tried to reach Nextcloud in the browser, I only got the message that the instance is insecure. No login page, no Nextcloud page at all, just a blank browser page.
Finally, I tried to use Nextcloud without any TLS, and that worked fine. But of course that is not what I want; I want a secure connection to Nextcloud.
I don't know what else I can do. What am I doing wrong? I really hope someone can help me with this. Thanks for your help!
Here is my Helm values.yaml:
## Official nextcloud image version
## ref: https://hub.docker.com/r/library/nextcloud/tags/
##
image:
  repository: nextcloud
  tag: 19.0.3-apache
  pullPolicy: IfNotPresent
  # pullSecrets:
  #   - myRegistrKeySecretName

nameOverride: ""
fullnameOverride: ""

# Number of replicas to be deployed
replicaCount: 1

## Allowing use of ingress controllers
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
  enabled: false
  # metadata:
  # annotations:
  #  kubernetes.io/ingress.class: nginx
  #  nginx.ingress.kubernetes.io/rewrite-target: /
  #  nginx.ingress.kubernetes.io/proxy-body-size: 4G
  #  kubernetes.io/tls-acme: "true"
  #  certmanager.k8s.io/cluster-issuer: letsencrypt-prod
  #  nginx.ingress.kubernetes.io/server-snippet: |-
  #    server_tokens off;
  #    proxy_hide_header X-Powered-By;
  #    rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
  #    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
  #    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
  #    location = /.well-known/carddav {
  #      return 301 $scheme://$host/remote.php/dav;
  #    }
  #    location = /.well-known/caldav {
  #      return 301 $scheme://$host/remote.php/dav;
  #    }
  #    location = /robots.txt {
  #      allow all;
  #      log_not_found off;
  #      access_log off;
  #    }
  #    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
  #      deny all;
  #    }
  #    location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
  #      deny all;
  #    }
  # tls:
  #   - secretName: wa-stack-nextcloud-tls
  #     hosts:
  #       - cloud.my-domain.io
  # labels: {}

# Allow configuration of lifecycle hooks
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
lifecycle: {}
  # postStartCommand: []
  # preStopCommand: []

nextcloud:
  host: cloud.my-domain.io
  # username: admin
  # password: changeme
  # Use an existing secret
  existingSecret:
    enabled: true
    secretName: nextcloud-secret
    # for initiator
    usernameKey: username
    passwordKey: password
    # secretName: nameofsecret
    # usernameKey: username
    # passwordKey: password
    # smtpUsernameKey: smtp_username
    # smtpPasswordKey: smtp_password
  update: 0
  datadir: /var/www/html/data
  tableprefix: wa
  persistence:
    subPath:
  mail:
    enabled: false
    fromAddress: user
    domain: domain.com
    smtp:
      host: domain.com
      secure: ssl
      port: 465
      authtype: LOGIN
      name: user
      password: pass
  # PHP Configuration files
  # Will be injected in /usr/local/etc/php/conf.d for apache image and in /usr/local/etc/php-fpm.d when nginx.enabled: true
  phpConfigs: {}
  # Default config files
  # IMPORTANT: Will be used only if you put extra configs, otherwise default will come from nextcloud itself
  # Default configurations can be found here: https://github.com/nextcloud/docker/tree/master/16.0/apache/config
  defaultConfigs:
    # To protect /var/www/html/config
    .htaccess: true
    # Redis default configuration
    redis.config.php: true
    # Apache configuration for rewrite urls
    apache-pretty-urls.config.php: true
    # Define APCu as local cache
    apcu.config.php: true
    # Apps directory configs
    apps.config.php: true
    # Used for auto configure database
    autoconfig.php: true
    # SMTP default configuration
    smtp.config.php: true
  # Extra config files created in /var/www/html/config/
  # ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file
  configs: {}

  # For example, to use S3 as primary storage
  # ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3
  #
  #  configs:
  #    s3.config.php: |-
  #      <?php
  #      $CONFIG = array (
  #        'objectstore' => array(
  #          'class' => '\\OC\\Files\\ObjectStore\\S3',
  #          'arguments' => array(
  #            'bucket'     => 'my-bucket',
  #            'autocreate' => true,
  #            'key'        => 'xxx',
  #            'secret'     => 'xxx',
  #            'region'     => 'us-east-1',
  #            'use_ssl'    => true
  #          )
  #        )
  #      );

  ## Strategy used to replace old pods
  ## IMPORTANT: use with care, it is suggested to leave as that for upgrade purposes
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  strategy:
    type: Recreate
    # type: RollingUpdate
    # rollingUpdate:
    #   maxSurge: 1
    #   maxUnavailable: 0

  ##
  ## Extra environment variables
  extraEnv:
  #  - name: SOME_SECRET_ENV
  #    valueFrom:
  #      secretKeyRef:
  #        name: nextcloud
  #        key: secret_key

  # Extra mounts for the pods. Example shown is for connecting a legacy NFS volume
  # to NextCloud pods in Kubernetes. This can then be configured in External Storage
  extraVolumes:
  #  - name: nfs
  #    nfs:
  #      server: "10.0.0.1"
  #      path: "/nextcloud_data"
  #      readOnly: false
  extraVolumeMounts:
  #  - name: nfs
  #    mountPath: "/legacy_data"

nginx:
  ## You need to set an fpm version of the image for nextcloud if you want to use nginx!
  enabled: false
  image:
    repository: nginx
    tag: alpine
    pullPolicy: IfNotPresent

  config:
    # This generates the default nginx config as per the nextcloud documentation
    default: true
    # custom: |-
    #     worker_processes  1;..

  resources: {}

internalDatabase:
  enabled: false
  name: nextcloud

##
## External database configuration
##
externalDatabase:
  enabled: true

  ## Supported database engines: mysql or postgresql
  type: mysql

  ## Database host
  host: maria-db-mariadb-primary

  ## Database user
  # user: wa-cloud

  # Database password
  # password:

  ## Database name
  database: wa-cloud

  ## Use an existing secret
  existingSecret:
    enabled: true
    secretName: mariadb-secret
    usernameKey: db-username
    passwordKey: mariadb-password

##
## MariaDB chart configuration
##
mariadb:
  ## Whether to deploy a mariadb server to satisfy the applications database requirements. To use an external database set this to false and configure the externalDatabase parameters
  enabled: false

  db:
    name: nextcloud
    user: nextcloud
    password: changeme

  replication:
    enabled: false

  ## Enable persistence using Persistent Volume Claims
  ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
  ##
  master:
    persistence:
      enabled: false
      # storageClass: ""
      accessMode: ReadWriteOnce
      size: 8Gi

postgresql:
  enabled: false
  global:
    postgresql:
      postgresqlUsername: nextcloud
      postgresqlPassword: changeme
      postgresqlDatabase: nextcloud
  persistence:
    enabled: false
    # storageClass: ""

redis:
  enabled: true
  usePassword: false
  password: ''

## Cronjob to execute Nextcloud background tasks
## ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#webcron
##
cronjob:
  enabled: true
  # Nextcloud image is used as default but only curl is needed
  image: {}
    # repository: nextcloud
    # tag: 16.0.3-apache
    # pullPolicy: IfNotPresent
    # pullSecrets:
    #   - myRegistrKeySecretName
  # Every 5 minutes
  # Note: Setting this to any other value than 5 minutes might
  #  cause issues with how nextcloud background jobs are executed
  schedule: "*/5 * * * *"
  annotations: {}
  # Set curl's insecure option if you use e.g. self-signed certificates
  curlInsecure: false
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  # If not set, nextcloud deployment one will be set
  # resources:
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi

  # If not set, nextcloud deployment one will be set
  # nodeSelector: {}

  # If not set, nextcloud deployment one will be set
  # tolerations: []

  # If not set, nextcloud deployment one will be set
  # affinity: {}

service:
  type: ClusterIP
  port: 8080
  loadBalancerIP: nil
  nodePort: nil

## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
persistence:
  # Nextcloud Data (/var/www/html)
  enabled: true
  annotations: {}
  ## nextcloud data Persistent Volume Storage Class
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
  ##   GKE, AWS & OpenStack)
  ##
  storageClass: "linode-block-storage"

  ## A manually managed Persistent Volume and Claim
  ## Requires persistence.enabled: true
  ## If defined, PVC must be created manually before volume will be bound
  # existingClaim:

  accessMode: ReadWriteOnce
  size: 20Gi

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, uncomment the following
  # lines, and remove the curly braces after 'resources:'.
  # limits:
  #  cpu: 100m
  #  memory: 128Mi
  # requests:
  #  cpu: 100m
  #  memory: 128Mi

## Liveness and readiness probe values
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
livenessProbe:
  enabled: true
  initialDelaySeconds: 10
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 3
  successThreshold: 1
readinessProbe:
  enabled: true
  initialDelaySeconds: 10
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 3
  successThreshold: 1
startupProbe:
  enabled: false
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 30
  successThreshold: 1

## Enable pod autoscaling using HorizontalPodAutoscaler
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
##
hpa:
  enabled: false
  cputhreshold: 60
  minPods: 1
  maxPods: 10

nodeSelector: {}

tolerations: []

affinity: {}

## Prometheus Exporter / Metrics
##
metrics:
  enabled: false

  replicaCount: 1
  # The metrics exporter needs to know how you serve Nextcloud either http or https
  https: true
  timeout: 5s

  image:
    repository: xperimental/nextcloud-exporter
    tag: v0.3.0
    pullPolicy: IfNotPresent

  ## Metrics exporter resource requests and limits
  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  # resources: {}

  ## Metrics exporter pod Annotation and Labels
  # podAnnotations: {}

  # podLabels: {}

  service:
    type: ClusterIP
    ## Use serviceLoadBalancerIP to request a specific static IP,
    ## otherwise leave blank
    # loadBalancerIP:
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "9205"
    labels: {}
Here are my ingress rules:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-body-size: 4G
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/server-snippet: |-
      server_tokens off;
      proxy_hide_header X-Powered-By;
      rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
      rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
      rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
      location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
      }
      location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
      }
      location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
      }
      location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
      }
      location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
        deny all;
      }
  name: wa-stack-cloud-ingress-nginx
  namespace: business
spec:
  tls:
    - hosts:
        - cloud.my-domain.io
      secretName: wa-cloud-tls
  rules:
    - host: cloud.my-domain.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nextcloud
                port:
                  number: 8080
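The CSP error in the question ("form-action 'self'" refusing a POST to http://cloud.my-domain.io/) is what a browser shows when the page was loaded over https but the application, which only ever sees plain HTTP behind a TLS-terminating ingress, builds an http:// action URL for its login form. The following is an added example, not the poster's file and not the Nextcloud chart's own values: a values.yaml fragment that uses the chart's `nextcloud.configs` map to drop a proxy.config.php into /var/www/html/config/, plus an Ingress for the same host. Host name, namespace, TLS secret name and the cluster issuer `letsencrypt-prod` are taken from the question; the CIDR `10.2.0.0/16` for `trusted_proxies` is a placeholder for the ingress controller's pod network and must be replaced. The Ingress deliberately omits the `rewrite-target: /` annotation from the question, because with `path: /` ingress-nginx then rewrites every matched request URI to `/`, so requests such as /login or /remote.php/dav would not reach Nextcloud with their original path.

```yaml
# values.yaml fragment (added example, not the poster's file or the chart's own).
# It only adds a Nextcloud config file telling the app it sits behind a
# TLS-terminating reverse proxy; merge it into the values shown above.
# Assumed: host cloud.my-domain.io and issuer letsencrypt-prod come from the
# question; 10.2.0.0/16 is a placeholder for the ingress controller's pod CIDR.
nextcloud:
  host: cloud.my-domain.io
  configs:
    proxy.config.php: |-
      <?php
      $CONFIG = array (
        // TLS ends at the ingress, so Nextcloud only ever sees plain HTTP.
        // Without these keys it builds http:// links, and the browser's
        // CSP "form-action 'self'" blocks the login form POST.
        'overwriteprotocol' => 'https',
        'overwritehost'     => 'cloud.my-domain.io',
        'overwrite.cli.url' => 'https://cloud.my-domain.io',
        // Only honour X-Forwarded-* headers sent by the ingress pods
        // (placeholder CIDR: replace with your cluster's pod network).
        'trusted_proxies'   => array('10.2.0.0/16'),
      );
---
# ingress.yaml (added example). Same host and TLS secret as in the question, but
# without the rewrite-target annotation: with path "/" that annotation makes
# ingress-nginx rewrite every request URI to "/", so /login, /remote.php/...
# never reach Nextcloud intact. Backend port 8080 matches the chart's service.port.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wa-stack-cloud-ingress-nginx
  namespace: business
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: 4G
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/server-snippet: |-
      server_tokens off;
      proxy_hide_header X-Powered-By;
      location = /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; }
      location = /.well-known/caldav  { return 301 $scheme://$host/remote.php/dav; }
      # keep Nextcloud's private directories unreachable through the proxy
      location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; }
      location ~ ^/(?:autotest|occ|issue|indie|db_|console) { deny all; }
spec:
  tls:
    - hosts:
        - cloud.my-domain.io
      secretName: wa-cloud-tls
  rules:
    - host: cloud.my-domain.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nextcloud
                port:
                  number: 8080
```

After `helm upgrade` and the pod restart, running `php occ config:system:get overwriteprotocol` as the www-data user inside the Nextcloud container should print `https`, and the login form's action URL in the page source should now start with https://cloud.my-domain.io, which satisfies the CSP `form-action 'self'` check. Keeping `trusted_proxies` narrow matters: Nextcloud only uses the forwarded headers from those addresses, so a client cannot spoof its own scheme or source IP through X-Forwarded-* headers.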