fix(nextcloud): auto-sync DB password from Vault rotation into config.php

Nextcloud persists dbpassword in config.php on its PVC and ignores MYSQL_PASSWORD env var after initial install. When Vault rotates the MySQL password, config.php goes stale causing HTTP 500 crash loops. Adds a before-starting hook that patches config.php with the current MYSQL_PASSWORD on every pod start. Combined with Stakater Reloader annotation, the full rotation chain is now automated: Vault rotates → ESO syncs Secret → Reloader restarts pod → hook patches config.php → Nextcloud connects with new password. Also fixes stale existingClaim (nextcloud-data-iscsi → nextcloud-data-proxmox).
2026-04-10 22:23:41 +01:00 · 2026-04-10 22:23:41 +01:00 · a0392a9617
commit a0392a9617
parent 92e0c18e81
3 changed files with 1294 additions and 1206 deletions
--- a/stacks/nextcloud/chart_values.yaml
+++ b/stacks/nextcloud/chart_values.yaml
@ -83,10 +83,16 @@ nextcloud:
    - name: apache-tuning
      configMap:
        name: nextcloud-apache-tuning
+    - name: db-password-sync
+      configMap:
+        name: nextcloud-db-password-sync
+        defaultMode: 0755
  extraVolumeMounts:
    - name: apache-tuning
      mountPath: /etc/apache2/mods-available/mpm_prefork.conf
      subPath: mpm_prefork.conf
+    - name: db-password-sync
+      mountPath: /docker-entrypoint-hooks.d/before-starting

 internalDatabase:
  enabled: false
@ -107,7 +113,7 @@ externalDatabase:

 persistence:
  enabled: true
-  existingClaim: nextcloud-data-iscsi
+  existingClaim: nextcloud-data-proxmox

  accessMode: ReadWriteOnce
  size: 20Gi
@ -140,6 +146,7 @@ podAnnotations:
  diun.enable: "true"
  diun.include_tags: "^[0-9]+(?:.[0-9]+)?(?:.[0-9]+)?.*"
  dependency.kyverno.io/wait-for: "mysql.dbaas:3306,redis.redis:6379"
+  secret.reloader.stakater.com/reload: "nextcloud-db-creds"

 collabora:
  enabled: false # Using onlyoffice instead