Add NGINX metrics and update security context

charts/nextcloud/README.md

@@ -305,6 +305,8 @@ We include an optional experimental Nextcloud Metrics exporter from [xperimental
 | `metrics.timeout`                      | When the scrape times out                                                           | `5s`                                                         |
 | `metrics.tlsSkipVerify`                | Skips certificate verification of Nextcloud server                                  | `false`                                                      |
 | `metrics.info.apps`                    | Enable gathering of apps-related metrics.                                           | `false`                                                      |
+| `metrics.nginx.enabled`                | Start NGINX metrics configuration                                                   | `false`                                                      |
+| `metrics.nginx.allow`                  | NGINX metrics configuration allow list                                              | not set   
 | `metrics.image.repository`             | Nextcloud metrics exporter image name                                               | `xperimental/nextcloud-exporter`                             |
 | `metrics.image.tag`                    | Nextcloud metrics exporter image tag                                                | `0.6.2`                                                      |
 | `metrics.image.pullPolicy`             | Nextcloud metrics exporter image pull policy                                        | `IfNotPresent`                                               |
@@ -324,7 +326,6 @@ We include an optional experimental Nextcloud Metrics exporter from [xperimental
 | `metrics.serviceMonitor.labels`        | Extra labels for the ServiceMonitor                                                 | `{}                                                          |
 
 
-
 > **Note**:
 >
 > For nextcloud to function correctly, you should specify the `nextcloud.host` parameter to specify the FQDN (recommended) or the public IP address of the nextcloud service.

charts/nextcloud/templates/deployment.yaml

@@ -360,16 +360,25 @@ spec:
         - name: nextcloud-config
           configMap:
             name: {{ template "nextcloud.fullname" . }}-config
+            {{- with .Values.nextcloud.configs.defaultMode }}
+            defaultMode: {{ . }}
+            {{- end }}
         {{- end }}
         {{- if .Values.nextcloud.phpConfigs }}
         - name: nextcloud-phpconfig
           configMap:
             name: {{ template "nextcloud.fullname" . }}-phpconfig
+            {{- with .Values.nextcloud.configs.defaultMode }}
+            defaultMode: {{ . }}
+            {{- end }}
         {{- end }}
         {{- if .Values.nginx.enabled }}
         - name: nextcloud-nginx-config
           configMap:
             name: {{ template "nextcloud.fullname" . }}-nginxconfig
+            {{- with .Values.nextcloud.configs.defaultMode }}
+            defaultMode: {{ . }}
+            {{- end }}
         {{- end }}
         {{- if not (values .Values.nextcloud.hooks | compact | empty) }}
         - name: nextcloud-hooks

charts/nextcloud/templates/metrics/deployment.yaml

@@ -79,7 +79,8 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- with .Values.metrics.securityContext }}
           securityContext:
-            runAsUser: 1000
-            runAsNonRoot: true
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
 {{- end }}

charts/nextcloud/templates/nginx-config.yaml

@@ -157,8 +157,38 @@ data:
   default.conf: |-
     {{- template "default.conf" $ }}
   {{- end }}
+  {{- if .Values.metrics.nginx.enabled }}
+  metrics.conf: |
+    server {
+        listen 9205;
+
+        # Path to the root of your installation
+        root /var/www/html;
+
+        # Prevent nginx HTTP Server Detection
+        server_tokens off;
+
+        add_header Referrer-Policy                      "no-referrer"   always;
+        add_header X-Content-Type-Options               "nosniff"       always;
+        add_header X-Download-Options                   "noopen"        always;
+        add_header X-Frame-Options                      "SAMEORIGIN"    always;
+        add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+        add_header X-Robots-Tag                         "none"          always;
+        add_header X-XSS-Protection                     "1; mode=block" always;
+
+        # NGINX metrics
+        location /stub_status {
+            stub_status on;
+            allow 127.0.0.1;
+            {{- range .Values.metrics.nginx.allow }}
+                allow {{ . }};
+            {{- end }}
+            deny all;
+        }
+    }
+{{- end }}
   {{- if .Values.nginx.config.custom }}
   zz-custom.conf: |-
 {{ .Values.nginx.config.custom | indent 4 }}
   {{- end }}
-{{- end }}
+{{- end }}

charts/nextcloud/values.yaml

@@ -127,7 +127,9 @@ nextcloud:
     smtp.config.php: true
   # Extra config files created in /var/www/html/config/
   # ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file
-  configs: {}
+  configs:
+    # set defaultMode for mounted configMaps (e.g. defaultMode: 420)
+    defaultMode: 420
 
   # For example, to use S3 as primary storage
   # ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3
@@ -208,10 +210,15 @@ nextcloud:
   # Set securityContext parameters for the nextcloud CONTAINER only (will not affect nginx container).
   # For example, you may need to define runAsNonRoot directive
   securityContext: {}
-  #   runAsUser: 33
-  #   runAsGroup: 33
-  #   runAsNonRoot: true
-  #   readOnlyRootFilesystem: false
+    # allowPrivilegeEscalation: false
+    # capabilities:
+    #   drop:
+    #     - ALL
+    # privileged: false
+    # readOnlyRootFilesystem: true
+    # runAsGroup: 33
+    # runAsNonRoot: true
+    # runAsUser: 33
 
   # Set securityContext parameters for the entire pod. For example, you may need to define runAsNonRoot directive
   podSecurityContext: {}
@@ -250,11 +257,18 @@ nginx:
 
   # Set nginx container securityContext parameters. For example, you may need to define runAsNonRoot directive
   securityContext: {}
-  # the nginx alpine container default user is 82
-  #   runAsUser: 82
-  #   runAsGroup: 33
-  #   runAsNonRoot: true
-  #   readOnlyRootFilesystem: true
+    # the nginx alpine container default user is 82
+    # allowPrivilegeEscalation: false
+    # capabilities:
+    #   add:
+    #   - NET_BIND_SERVICE
+    #   drop:
+    #     - ALL
+    # privileged: false
+    # readOnlyRootFilesystem: true
+    # runAsGroup: 33
+    # runAsNonRoot: true
+    # runAsUser: 82
 
   ## Extra environment variables
   extraEnv: []
@@ -549,6 +563,26 @@ metrics:
 
   # podLabels: {}
 
+  nginx:
+    enabled: false
+    allow: []
+    # Example
+    # - 10.233.105.0/24
+    # - 10.43.0.0/16
+    service:
+      port: 9205
+
+  # Set metrics container securityContext parameters.
+  securityContext: {}
+    # allowPrivilegeEscalation: false
+    # capabilities:
+    #   drop:
+    #     - ALL
+    # privileged: false
+    # readOnlyRootFilesystem: true
+    # runAsUser: 1000
+    # runAsNonRoot: true
+
   service:
     type: ClusterIP
     ## Use serviceLoadBalancerIP to request a specific static IP,