nextcloud · jessebot · Apr 23, 2023 · Apr 29, 2023 · Apr 29, 2023 · Nov 29, 2023
diff --git a/charts/nextcloud/Chart.yaml b/charts/nextcloud/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: nextcloud
-version: 4.5.4
+version: 4.6.0
 appVersion: 27.1.4
 description: A file sharing server that puts the control and security of your own data back into your hands.
 keywords:

diff --git a/charts/nextcloud/README.md b/charts/nextcloud/README.md
@@ -2,6 +2,8 @@
 
 [Nextcloud](https://nextcloud.com/) is a file sharing server that puts the control and security of your own data back into your hands.
 
+> **Warning**: Please see [Breaking Changes](#breaking-changes) before upgrading this helm chart!
+
 ## TL;DR;
 
 ```console
@@ -136,7 +138,8 @@ The following table lists the configurable parameters of the nextcloud chart and
 | `nextcloud.extraVolumes`                                   | specify additional volumes for the NextCloud pod                                                    | `{}`                       |
 | `nextcloud.extraVolumeMounts`                              | specify additional volume mounts for the NextCloud pod                                              | `{}`                       |
 | `nextcloud.securityContext`                                | Optional security context for the NextCloud container                                               | `nil`                      |
-| `nextcloud.podSecurityContext`                             | Optional security context for the NextCloud pod (applies to all containers in the pod)              | `nil`                      |
+| `nextcloud.podSecurityContext`                             | Optional security context for the NextCloud pod (applies to all containers in the pod)              | `{fsgroup: 33}`            |
+| `nextcloud.podSecurityContext.fsGroup`                     | special supplemental group that applies to all containers in the NextCloud pod                      | `33`                       |
 | `nginx.enabled`                                            | Enable nginx (requires you use php-fpm image)                                                       | `false`                    |
 | `nginx.image.repository`                                   | nginx Image name, e.g. use `nginxinc/nginx-unprivileged` for rootless container                     | `nginx`                    |
 | `nginx.image.tag`                                          | nginx Image tag                                                                                     | `alpine`                   |
@@ -445,6 +448,21 @@ persistence:
   accessMode: ReadWriteMany
 ```
 
+## Security Contexts
+
+These are all the [SecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#securitycontext-v1-core) objects you can configure for this helm chart:
+
+| config option               | Description                                                           |
+|:---------------------------:|:----------------------------------------------------------------------|
+| `nextcloud.securityContext` | Optional SecurityContext for the NextCloud container                  |
+| `cronjob.securityContext`   | Optional SecurityContext for cronjob                                  |
+| `nginx.securityContext`     | Optional SecurityContext for the nginx container in the nextcloud pod |
+
+You can also set the [PodSecurityContext](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#podsecuritycontext-v1-core) for the nextcloud pod.
+By default, `nextcloud.podSecurityContext.fsGroup` is set to `33` (the `www-data` user's GID). Set this to `82` if you're using an alpine nextcloud image.
+
+### Breaking Changes from `4.5.x` -> `4.6.0`
+By default, `nextcloud.podSecurityContext.fsGroup` is now set to `33` (the `www-data` user's GID). Set this to `82` if you're using an nextcloud alpine image.
 
 ## Running `occ` commands
 Sometimes you need to run an [occ](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html) command on the Nextcloud container directly. You can do that by running commands as the user `www-data` via the `kubectl exec` command.

diff --git a/charts/nextcloud/templates/deployment.yaml b/charts/nextcloud/templates/deployment.yaml
@@ -352,19 +352,12 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       securityContext:
+        # this is deprecated and will be removed in a future release - use nextcloud.podSecurityContext instead
         {{- with .Values.securityContext }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
         {{- with .Values.nextcloud.podSecurityContext }}
         {{- toYaml . | nindent 8 }}
-        {{- else }}
-        {{- if .Values.nginx.enabled }}
-        # Will mount configuration files as www-data (id: 82) for nextcloud
-        fsGroup: 82
-        {{- else }}
-        # Will mount configuration files as www-data (id: 33) for nextcloud
-        fsGroup: 33
-        {{- end }}
         {{- end }}{{/* end-with podSecurityContext */}}
       {{- if .Values.rbac.enabled }}
       serviceAccountName: {{ .Values.rbac.serviceaccount.name }}

diff --git a/charts/nextcloud/values.yaml b/charts/nextcloud/values.yaml
@@ -192,20 +192,25 @@ nextcloud:
   #  - name: nfs
   #    mountPath: "/legacy_data"
 
-  # Set securityContext parameters for the nextcloud CONTAINER only (will not affect nginx container).
-  # For example, you may need to define runAsNonRoot directive
+  # Set SecurityContext parameters for the nextcloud CONTAINER only (will not affect nginx container)
+  # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#securitycontext-v1-core
   securityContext: {}
-  #   runAsUser: 33
-  #   runAsGroup: 33
-  #   runAsNonRoot: true
-  #   readOnlyRootFilesystem: false
-
-  # Set securityContext parameters for the entire pod. For example, you may need to define runAsNonRoot directive
-  podSecurityContext: {}
-  #   runAsUser: 33
-  #   runAsGroup: 33
-  #   runAsNonRoot: true
-  #   readOnlyRootFilesystem: false
+    # if using a nextcloud image with alpine as the base image, change 33 to 82 for both runAsUser and runAsGroup
+    # runAsUser: 33
+    # runAsGroup: 33
+    # runAsNonRoot: true
+    # allowPrivilegeEscalation: false
+    # readOnlyRootFilesystem: false
+
+  # Set podSecurityContext parameters for all containers in the nextcloud pod, defaults to fsGroup `33`
+  # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#podsecuritycontext-v1-core
+  podSecurityContext:
+    # Change to 82 if you're using an alpine base image for the nextcloud container
+    fsGroup: 33
+    # runAsUser: 33
+    # runAsGroup: 33
+    # runAsNonRoot: true
+    # readOnlyRootFilesystem: false
 
 nginx:
   ## You need to set an fpm version of the image for nextcloud if you want to use nginx!
@@ -225,8 +230,9 @@ nginx:
   resources: {}
 
   # Set nginx container securityContext parameters. For example, you may need to define runAsNonRoot directive
+  # ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#securitycontext-v1-core
   securityContext: {}
-  # the nginx alpine container default user is 82
+  # the nginx:alpine container www-data user is 82
   #   runAsUser: 82
   #   runAsGroup: 33
   #   runAsNonRoot: true
@@ -534,7 +540,6 @@ metrics:
     ##
     labels: {}
 
-
 rbac:
   enabled: false
   serviceaccount: