installed new nextcloud, errors with Content Security Policy

[migs35323]

Describe your Issue

Installed a new helm chart for nextcloud and now i am facing this issue

this didnt happen in an old version that i had installed before. i re-used most of the same configuration from an old deployment in the same enviroment.

this error is preventing me from enabling apps and other stuff.

In the values file you can see i already tried some fixes i found in the web (like overwriteprotocol flag)

Logs and Errors

Refused to connect to 'http://domain.com/remote.php/dav/' because it violates the following Content Security Policy directive: "connect-src 'self'".

overview:1 Refused to connect to 'http://domain.com/index.php/.well-known/webfinger' because it violates the following Content Security Policy directive: "connect-src 'self'".

overview:1 Refused to connect to 'http://domain.com/remote.php/dav/' because it violates the following Content Security Policy directive: "connect-src 'self'".

overview:1 Refused to connect to 'http://domain.com/index.php/.well-known/nodeinfo' because it violates the following Content Security Policy directive: "connect-src 'self'".

Describe your Environment

• Kubernetes distribution: k3s v1.27

• Helm Version (or App that manages helm): latest helm

• Helm Chart Version: 4.6.6

• values.yaml:

image:
  repository: nextcloud
  flavor: fpm
  tag:
  pullPolicy: IfNotPresent

replicaCount: 1
ingress:
  enabled: true
  className: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: nextcloud-add-hsts-header@kubernetescrd
    cert-manager.io/cluster-issuer: cluster-issuer
  tls:
    - secretName: nextcloud.domain.com-tls
      hosts:
        - nextcloud.domain.com

phpClientHttpsFix:
  enabled: true
  protocol: https

nextcloud:
  host: nextcloud.domain.com
  username: changeme
  password: changeme
  update: 0
  containerPort: 80
  datadir: /var/www/html/data
  phpConfigs: {}
  defaultConfigs:
    .htaccess: true
    redis.config.php: true
    apache-pretty-urls.config.php: true
    apcu.config.php: true
    apps.config.php: true
    autoconfig.php: true
    smtp.config.php: true
  configs: 
    login.config.php: |-
      <?php
      $CONFIG = array (
        'social_login_auto_redirect' => true
      );
    proxy.config.php: |-
      <?php
      $CONFIG = array (
        'trusted_proxies' => array(
          0 => '127.0.0.1',
          1 => '10.0.0.0/8',
        ),
        'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
        'overwriteprotocol' => 'https',
        'overwrite.cli.url' => 'https://nextcloud.domain.com',
      );

nginx:
  enabled: true
  image:
    repository: nginx
    tag: alpine
    pullPolicy: IfNotPresent
  config:
    default: true

internalDatabase:
  enabled: false
externalDatabase:
  enabled: false
mariadb:
  enabled: false
postgresql:
  enabled: true
  global:
    postgresql:
      auth:
        username: nextcloud
        password: changeme
        database: nextcloud
        postgresPassword: changeme
  primary:
    persistence:
      enabled: true
    startupProbe:
      enabled: true
      initialDelaySeconds: 30

redis:
  enabled: true
  architecture: standalone
  auth:
    enabled: true
    password: "changeme"

cronjob:
  enabled: true

service:
  type: ClusterIP
  port: 8080

persistence:
  enabled: true

[jessebot]

Hmmm, I've not seen this one before, but I don't use traefik personally. Do you have the ability to try with ingress-nginx? With nginx, we recommend some of these annotations: https://github.com/nextcloud/helm/tree/main/charts/nextcloud#service-discovery-with-nginx-and-ingress