applicationsets/applicationset.yaml

@@ -1,45 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: customer-applications
-  namespace: argocd
-spec:
-  goTemplate: true
-  goTemplateOptions: ["missingkey=error"]
-  generators:
-    - git:
-        repoURL: 'https://platform.sunet.se/Drive/k8s-manifests'
-        revision: HEAD
-        directories:
-          - path: 'customers/overlays/*'
-  template:
-    metadata:
-      name: '{{index .path.segments 2}}'
-    spec:
-      project: default
-      source:
-        repoURL: 'https://platform.sunet.se/Drive/k8s-manifests'
-        targetRevision: HEAD
-        path: 'customers/overlays/{{index .path.segments 2}}/test'
-      destination:
-        server: https://kubernetes.default.svc
-        namespace: '{{index .path.segments 2}}'
-      syncPolicy:
-        automated:
-          prune: false
-          selfHeal: true
-          allowEmpty: false
-        syncOptions: # maybe needs FIXME
-          - Validate=true # disables resource validation (equivalent to 'kubectl apply --validate=false') ( true by default ).
-          - CreateNamespace=true # Namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster.
-          - PrunePropagationPolicy=foreground # Supported policies are background, foreground and orphan.
-          - PruneLast=true # Allow the ability for resource pruning to happen as a final, implicit wave of a sync operation
-          - RespectIgnoreDifferences=true # When syncing changes, respect fields ignored by the ignoreDifferences configuration
-          - ApplyOutOfSyncOnly=true # Only sync out-of-sync resources, rather than applying every object in the application
-        retry:
-          limit: 5
-          backoff:
-            duration: 5s
-            factor: 2
-            maxDuration: 3m
-      revisionHistoryLimit: 2

argocd-ingress/overlays/test/argocd-ingress.yaml

@@ -11,7 +11,7 @@ spec:
     service:
       name: argocd-server
       port:
-        number: 80
+        number: 8443
   ingressClassName: traefik
   tls:
     - hosts:

argocd-nginx/base/argocd-cert-issuer.yaml

@@ -1,15 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: letsencrypt
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: drive@sunet.se
-    privateKeySecretRef:
-      name: letsencrypt
-    solvers:
-      - http01:
-          ingress: 
-            class: nginx
-

argocd-nginx/base/argocd-ingress.yaml

@@ -1,22 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: argocd-ingress
-  namespace: argocd
-spec:
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - argocd.drive.test.sunet.se 
-      secretName: tls-secret
-  rules:
-  - host: argocd.drive.test.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: argocd-server
-            port:
-              name: https

argocd-nginx/base/kustomization.yaml

@@ -1,3 +0,0 @@
-resources:
-  - argocd-ingress.yaml
-  - argocd-cert-issuer.yaml

argocd-nginx/overlays/dev/argocd-ingress.yaml

@@ -1,28 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: argocd-ingress
-  namespace: argocd
-spec:
-  defaultBackend:
-    service:
-      name: argocd-server
-      port:
-        number: 80
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - argocd.drive.test.sunet.dev
-      secretName: tls-secret
- 
-  rules:
-  - host: argocd.drive.test.sunet.dev
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: argocd-server
-            port:
-              number: 80

argocd-nginx/overlays/prod/drive/argocd-ingress.yaml

@@ -1,30 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: argocd-ingress
-  namespace: argocd
-  annotations:
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  defaultBackend:
-    service:
-      name: argocd-server
-      port:
-        number: 80
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - argocd.drive.sunet.se 
-      secretName: tls-secret
-  rules:
-  - host: argocd.drive.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: argocd-server
-            port:
-              number: 80

argocd-nginx/overlays/prod/drive/kustomization.yaml

@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources: [../../../base]
-patches:
-  - path: argocd-ingress.yaml

argocd-nginx/overlays/prod/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
-patches:
-- path: argocd-ingress.yaml

argocd-nginx/overlays/prod/sunet/argocd-ingress.yaml

@@ -1,30 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: argocd-ingress
-  annotations:
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-  namespace: argocd
-spec:
-  defaultBackend:
-    service:
-      name: argocd-server
-      port:
-        number: 80
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - sunet-argocd.drive.sunet.se 
-      secretName: tls-secret
-  rules:
-  - host: sunet-argocd.drive.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: argocd-server
-            port:
-              number: 80

argocd-nginx/overlays/prod/sunet/kustomization.yaml

@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources: [../../../base]
-patches:
-  - path: argocd-ingress.yaml

argocd-nginx/overlays/prod/vr/argocd-ingress.yaml

@@ -1,30 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: argocd-ingress
-  namespace: argocd
-  annotations:
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  defaultBackend:
-    service:
-      name: argocd-server
-      port:
-        number: 80
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - vr-argocd.drive.sunet.se 
-      secretName: tls-secret
-  rules:
-  - host: vr-argocd.drive.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: argocd-server
-            port:
-              number: 80

argocd-nginx/overlays/prod/vr/kustomization.yaml

@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources: [../../../base]
-patches:
-  - path: argocd-ingress.yaml

argocd-nginx/overlays/test/drive/argocd-ingress.yaml

@@ -1,30 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: argocd-ingress
-  namespace: argocd
-  annotations:
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  defaultBackend:
-    service:
-      name: argocd-server
-      port:
-        number: 80
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - argocd.drive.test.sunet.se 
-      secretName: tls-secret
-  rules:
-  - host: argocd.drive.test.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: argocd-server
-            port:
-              number: 80

argocd-nginx/overlays/test/drive/kustomization.yaml

@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources: [../../../base]
-patches:
-  - path: argocd-ingress.yaml

argocd-nginx/overlays/test/sunet/argocd-ingress.yaml

@@ -1,31 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: argocd-ingress
-  namespace: argocd
-  annotations:
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  defaultBackend:
-    service:
-      name: argocd-server
-      port:
-        number: 80
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - sunet-argocd.drive.test.sunet.se 
-        - sunet-kube.drive.test.sunet.se 
-      secretName: tls-secret
-  rules:
-  - host: sunet-argocd.drive.test.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: argocd-server
-            port:
-              number: 80

argocd-nginx/overlays/test/sunet/kustomization.yaml

@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources: [../../../base]
-patches:
-  - path: argocd-ingress.yaml

argocd-nginx/overlays/test/vr/argocd-ingress.yaml

@@ -1,30 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: argocd-ingress
-  namespace: argocd
-  annotations:
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  defaultBackend:
-    service:
-      name: argocd-server
-      port:
-        number: 80
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - vr-argocd.drive.test.sunet.se 
-      secretName: tls-secret
-  rules:
-  - host: vr-argocd.drive.test.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: argocd-server
-            port:
-              number: 80

argocd-nginx/overlays/test/vr/kustomization.yaml

@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources: [../../../base]
-patches:
-  - path: argocd-ingress.yaml

argocd/base/kustomization.yaml

@@ -3,4 +3,4 @@ kind: Kustomization
 
 namespace: argocd
 resources:
-- https://raw.githubusercontent.com/argoproj/argo-cd/v2.10.4/manifests/ha/install.yaml
+- https://raw.githubusercontent.com/argoproj/argo-cd/v2.10.0/manifests/ha/install.yaml

backups/base/backup-cronjob.yaml

@@ -1,60 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: backup
-spec:
-  schedule: "0 0 * * *"
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          volumes:
-            - name: backup-storage
-              emptyDir: {}
-            - name: ipc-storage
-              emptyDir: {}
-          restartPolicy: Never
-          containers:
-            - name: backup-container
-              image: docker.sunet.se/drive/duplicity:bookworm-slim-1
-              command: ["bash"]
-              args: [ "-c", "duplicity /backup_storage rclone://destination:$(BUCKET) --no-encryption --full-if-older-than 1M; touch /backup_ipc/stop" ]
-              env:
-                - name: RCLONE_CONFIG_DESTINATION_ACL
-                  value: private
-                - name: RCLONE_CONFIG_DESTINATION_TYPE
-                  value: s3
-                - name: RCLONE_CONFIG_DESTINATION_ENDPOINT
-                  value: s3.sto3.safedc.net
-                - name: RCLONE_CONFIG_DESTINATION_PROVIDER
-                  value: Ceph
-              volumeMounts:
-                - name: backup-storage
-                  mountPath: /backup_storage
-                  mountPropagation: HostToContainer
-                - name: ipc-storage
-                  mountPath: /backup_ipc
-            - name: mount-container
-              image: rclone/rclone:1.69.0
-              args: ["mount", "--allow-non-empty", "source:$(BUCKET)", "/backup_storage"]
-              securityContext:
-                privileged: true
-              env:
-                - name: RCLONE_CONFIG_SOURCE_ACL
-                  value: private
-                - name: RCLONE_CONFIG_SOURCE_TYPE
-                  value: s3
-                - name: RCLONE_CONFIG_SOURCE_ENDPOINT
-                  value: s3.sto4.safedc.net
-                - name: RCLONE_CONFIG_SOURCE_PROVIDER
-                  value: Ceph
-              volumeMounts:
-                - name: backup-storage
-                  mountPath: /backup_storage
-                  mountPropagation: Bidirectional
-                - name: ipc-storage
-                  mountPath: /backup_ipc
-              livenessProbe:
-                exec:
-                  command: ["sh", "-c", "if test -f /backup_ipc/stop; then umount /backup_storage; exit 1; fi;"]

backups/base/kustomization.yaml

@@ -1,4 +0,0 @@
----
-kind: Kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-resources: ['backup-cronjob.yaml']

backups/overlays/test/xrootd/backup-cronjob.yaml

@@ -1,40 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: backup
-spec:
-  schedule: "15 02 * * *"
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          hostname: xrootd-test-mirror
-          containers:
-            - name: backup-container
-              env:
-                - name: BUCKET
-                  value: "xrootd-test-mirror"
-                - name: RCLONE_CONFIG_DESTINATION_ACCESS_KEY_ID
-                  valueFrom:
-                    secretKeyRef:
-                      name: xrootd-secret
-                      key: "destination-access-key-id"
-                - name: RCLONE_CONFIG_DESTINATION_SECRET_ACCESS_KEY
-                  valueFrom:
-                    secretKeyRef:
-                      name: xrootd-secret
-                      key: "destination-secret-access-key"
-            - name: mount-container
-              env:
-                - name: BUCKET
-                  value: "xrootd-test"
-                - name: RCLONE_CONFIG_SOURCE_ACCESS_KEY_ID
-                  valueFrom:
-                    secretKeyRef:
-                      name: xrootd-secret
-                      key: "source-access-key-id"
-                - name: RCLONE_CONFIG_SOURCE_SECRET_ACCESS_KEY
-                  valueFrom:
-                    secretKeyRef:
-                      name: xrootd-secret
-                      key: "source-secret-access-key"

backups/overlays/test/xrootd/kustomization.yaml

@@ -1,7 +0,0 @@
----
-kind: Kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-resources: [../../../base]
-patches: 
-  - path: backup-cronjob.yaml
-

cinder/cinder-csi-controllerplugin.yaml

@@ -69,7 +69,7 @@ spec:
             - mountPath: /var/lib/csi/sockets/pluginproxy/
               name: socket-dir
         - name: csi-resizer
-          image: registry.k8s.io/sig-storage/csi-resizer:v1.8.0
+          image: registry.k8s.io/sig-storage/csi-resizer:v1.7.0
           args:
             - "--csi-address=$(ADDRESS)"
             - "--timeout=3m"
@@ -93,7 +93,7 @@ spec:
             - mountPath: /var/lib/csi/sockets/pluginproxy/
               name: socket-dir
         - name: cinder-csi-plugin
-          image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.28.2
+          image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.27.1
           args:
             - /bin/cinder-csi-plugin
             - "--endpoint=$(CSI_ENDPOINT)"

customers/base/apache-configmap.yml

@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: apache-configmap
+data:
+  000-default.conf: |
+    LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so
+    LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
+    <VirtualHost *:80>
+            ServerAdmin webmaster@localhost
+            DocumentRoot /var/www/html
+            # Log format config
+            LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
+            SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+
+            # Header config
+            RemoteIPHeader X-Forwarded-For
+            RemoteIPInternalProxy 37.156.195.14
+            RemoteIPInternalProxy 37.156.195.19
+            RemoteIPInternalProxy 37.156.195.84
+            RemoteIPInternalProxy 37.156.195.92
+            #ErrorDocument 404 /404.html
+            ErrorLog ${APACHE_LOG_DIR}/error.log
+            CustomLog ${APACHE_LOG_DIR}/access.log combined env=forwarded
+
+            ErrorLog ${APACHE_LOG_DIR}/error.log
+            CustomLog ${APACHE_LOG_DIR}/access.log combined
+            <Directory /var/www/html/>
+                    LimitRequestBody 0
+                    Require all granted
+                    AllowOverride All
+                    Options FollowSymLinks MultiViews
+
+                    <IfModule mod_dav.c>
+                        Dav off
+                    </IfModule>
+            </Directory>
+    </VirtualHost>
+    <VirtualHost *:443>
+            ServerAdmin webmaster@localhost
+            DocumentRoot /var/www/html
+            # Log format config
+            LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
+            SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+
+            # Header config
+            RemoteIPHeader X-Forwarded-For
+            RemoteIPInternalProxy 37.156.195.14
+            RemoteIPInternalProxy 37.156.195.19
+            RemoteIPInternalProxy 37.156.195.84
+            RemoteIPInternalProxy 37.156.195.92
+            #ErrorDocument 404 /404.html
+            ErrorLog ${APACHE_LOG_DIR}/error.log
+            CustomLog ${APACHE_LOG_DIR}/access.log combined env=forwarded
+            SSLEngine On
+            SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+            SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+            <Directory /var/www/html/>
+                    LimitRequestBody 0
+                    Require all granted
+                    AllowOverride All
+                    Options FollowSymLinks MultiViews
+
+                    <IfModule mod_dav.c>
+                        Dav off
+                    </IfModule>
+            </Directory>
+            <Directory /var/www/html/data>
+                Order allow,deny
+                deny from all
+            </Directory>
+    </VirtualHost>
+    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

customers/base/apache-php-configmap.yml

@@ -0,0 +1,162 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: apache-php-configmap
+data:
+  php.ini: |
+    [PHP]
+    allow_url_fopen = On
+    allow_url_include = Off
+    auto_append_file =
+    auto_globals_jit = On
+    auto_prepend_file =
+    default_charset = "UTF-8"
+    default_mimetype = "text/html"
+    default_socket_timeout = 60
+    disable_classes =
+    disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
+    display_errors = Off
+    display_startup_errors = Off
+    doc_root =
+    enable_dl = Off
+    engine = On
+    error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+    expose_php = Off
+    file_uploads = On
+    ignore_repeated_errors = Off
+    ignore_repeated_source = Off
+    implicit_flush = Off
+    log_errors = On
+    log_errors_max_len = 1024
+    max_execution_time = 86400
+    max_file_uploads = 20
+    max_input_time = 86400
+    memory_limit = 512M
+    output_buffering = Off
+    post_max_size = 30G
+    precision = 14
+    register_argc_argv = Off
+    report_memleaks = On
+    request_order = "GP"
+    serialize_precision = -1
+    short_open_tag = Off
+    unserialize_callback_func =
+    upload_max_filesize = 30G
+    user_dir =
+    variables_order = "GPCS"
+    zend.enable_gc = On
+    zend.exception_ignore_args = On
+    zlib.output_compression = Off
+    [CLI Server]
+    cli_server.color = On
+    [Date]
+    ; Nothing here
+    [filter]
+    ; Nothing here
+    [iconv]
+    ; Nothing here
+    [imap]
+    ; Nothing here
+    [intl]
+    ; Nothing here
+    [sqlite3]
+    ; Nothing here
+    [Pcre]
+    ; Nothing here
+    [Pdo]
+    ; Nothing here
+    [Pdo_mysql]
+    pdo_mysql.default_socket=
+    [Phar]
+    ; Nothing here
+    [mail function]
+    SMTP = localhost
+    smtp_port = 25
+    mail.add_x_header = Off
+    [ODBC]
+    odbc.allow_persistent = On
+    odbc.check_persistent = On
+    odbc.max_persistent = -1
+    odbc.max_links = -1
+    odbc.defaultlrl = 4096
+    odbc.defaultbinmode = 1
+    [MySQLi]
+    mysqli.max_persistent = -1
+    mysqli.allow_persistent = On
+    mysqli.max_links = -1
+    mysqli.default_port = 3306
+    mysqli.default_socket =
+    mysqli.default_host =
+    mysqli.default_user =
+    mysqli.default_pw =
+    mysqli.reconnect = Off
+    [mysqlnd]
+    mysqlnd.collect_statistics = On
+    mysqlnd.collect_memory_statistics = Off
+    [OCI8]
+    ; Nothing here
+    [PostgreSQL]
+    pgsql.allow_persistent = On
+    pgsql.auto_reset_persistent = Off
+    pgsql.max_persistent = -1
+    pgsql.max_links = -1
+    pgsql.ignore_notice = 0
+    pgsql.log_notice = 0
+    [bcmath]
+    bcmath.scale = 0
+    [browscap]
+    ; Nothing here
+    [Session]
+    session.save_handler = files
+    session.use_strict_mode = 0
+    session.use_cookies = 1
+    session.use_only_cookies = 1
+    session.name = PHPSESSID
+    session.auto_start = 0
+    session.cookie_lifetime = 0
+    session.cookie_path = /
+    session.cookie_domain =
+    session.cookie_httponly =
+    session.cookie_samesite =
+    session.serialize_handler = php
+    session.gc_probability = 0
+    session.gc_divisor = 1000
+    session.gc_maxlifetime = 1440
+    session.referer_check =
+    session.cache_limiter = nocache
+    session.cache_expire = 180
+    session.use_trans_sid = 0
+    session.sid_length = 26
+    session.trans_sid_tags = "a=href,area=href,frame=src,form="
+    session.sid_bits_per_character = 5
+    [Assertion]
+    zend.assertions = -1
+    [COM]
+    ; Nothing here
+    [mbstring]
+    ; Nothing here
+    [gd]
+    ; Nothing here
+    [exif]
+    ; Nothing here
+    [Tidy]
+    tidy.clean_output = Off
+    [soap]
+    soap.wsdl_cache_enabled=1
+    soap.wsdl_cache_dir="/tmp"
+    soap.wsdl_cache_ttl=86400
+    soap.wsdl_cache_limit = 5
+    [sysvshm]
+    ; Nothing here
+    [ldap]
+    ldap.max_links = -1
+    [dba]
+    ; Nothing here
+    [opcache]
+    opcache.interned_strings_buffer=64
+    [curl]
+    ; Nothing here
+    [openssl]
+    ; Nothing here
+    [ffi]
+    ; Nothing here

customers/base/apcu-configmap.yml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: apcu-configmap
+data:
+  apcu.ini: |
+    extension=apcu.so
+    apc.enable_cli=1

customers/base/cli-php-configmap.yml

@@ -0,0 +1,162 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cli-php-configmap
+data:
+  php.ini: |
+    [PHP]
+    allow_url_fopen = On
+    allow_url_include = Off
+    auto_append_file =
+    auto_globals_jit = On
+    auto_prepend_file =
+    default_charset = "UTF-8"
+    default_mimetype = "text/html"
+    default_socket_timeout = 60
+    disable_classes =
+    disable_functions =
+    display_errors = Off
+    display_startup_errors = Off
+    doc_root =
+    enable_dl = Off
+    engine = On
+    error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+    expose_php = On
+    file_uploads = On
+    ignore_repeated_errors = Off
+    ignore_repeated_source = Off
+    implicit_flush = Off
+    log_errors = On
+    log_errors_max_len = 1024
+    max_execution_time = 86400
+    max_file_uploads = 20
+    max_input_time = 86400
+    memory_limit = -1
+    output_buffering = Off
+    post_max_size = 16G
+    precision = 14
+    register_argc_argv = Off
+    report_memleaks = On
+    request_order = "GP"
+    serialize_precision = -1
+    short_open_tag = Off
+    unserialize_callback_func =
+    upload_max_filesize = 16G
+    user_dir =
+    variables_order = "GPCS"
+    zend.enable_gc = On
+    zend.exception_ignore_args = On
+    zlib.output_compression = Off
+    [CLI Server]
+    cli_server.color = On
+    [Date]
+    ; Nothing here
+    [filter]
+    ; Nothing here
+    [iconv]
+    ; Nothing here
+    [imap]
+    ; Nothing here
+    [intl]
+    ; Nothing here
+    [sqlite3]
+    ; Nothing here
+    [Pcre]
+    ; Nothing here
+    [Pdo]
+    ; Nothing here
+    [Pdo_mysql]
+    pdo_mysql.default_socket=
+    [Phar]
+    ; Nothing here
+    [mail function]
+    SMTP = localhost
+    smtp_port = 25
+    mail.add_x_header = Off
+    [ODBC]
+    odbc.allow_persistent = On
+    odbc.check_persistent = On
+    odbc.max_persistent = -1
+    odbc.max_links = -1
+    odbc.defaultlrl = 4096
+    odbc.defaultbinmode = 1
+    [MySQLi]
+    mysqli.max_persistent = -1
+    mysqli.allow_persistent = On
+    mysqli.max_links = -1
+    mysqli.default_port = 3306
+    mysqli.default_socket =
+    mysqli.default_host =
+    mysqli.default_user =
+    mysqli.default_pw =
+    mysqli.reconnect = Off
+    [mysqlnd]
+    mysqlnd.collect_statistics = On
+    mysqlnd.collect_memory_statistics = Off
+    [OCI8]
+    ; Nothing here
+    [PostgreSQL]
+    pgsql.allow_persistent = On
+    pgsql.auto_reset_persistent = Off
+    pgsql.max_persistent = -1
+    pgsql.max_links = -1
+    pgsql.ignore_notice = 0
+    pgsql.log_notice = 0
+    [bcmath]
+    bcmath.scale = 0
+    [browscap]
+    ; Nothing here
+    [Session]
+    session.save_handler = files
+    session.use_strict_mode = 0
+    session.use_cookies = 1
+    session.use_only_cookies = 1
+    session.name = PHPSESSID
+    session.auto_start = 0
+    session.cookie_lifetime = 0
+    session.cookie_path = /
+    session.cookie_domain =
+    session.cookie_httponly =
+    session.cookie_samesite =
+    session.serialize_handler = php
+    session.gc_probability = 0
+    session.gc_divisor = 1000
+    session.gc_maxlifetime = 1440
+    session.referer_check =
+    session.cache_limiter = nocache
+    session.cache_expire = 180
+    session.use_trans_sid = 0
+    session.sid_length = 26
+    session.trans_sid_tags = "a=href,area=href,frame=src,form="
+    session.sid_bits_per_character = 5
+    [Assertion]
+    zend.assertions = -1
+    [COM]
+    ; Nothing here
+    [mbstring]
+    ; Nothing here
+    [gd]
+    ; Nothing here
+    [exif]
+    ; Nothing here
+    [Tidy]
+    tidy.clean_output = Off
+    [soap]
+    soap.wsdl_cache_enabled=1
+    soap.wsdl_cache_dir="/tmp"
+    soap.wsdl_cache_ttl=86400
+    soap.wsdl_cache_limit = 5
+    [sysvshm]
+    ; Nothing here
+    [ldap]
+    ldap.max_links = -1
+    [dba]
+    ; Nothing here
+    [opcache]
+    opcache.interned_strings_buffer=64
+    [curl]
+    ; Nothing here
+    [openssl]
+    ; Nothing here
+    [ffi]
+    ; Nothing here

customers/base/env-configmap.yml

@@ -1,26 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: nextcloud-env
-data:
-  GSS_MASTER_URL: 'https://drive.test.sunet.se'
-  LOOKUP_SERVER: 'https://lookup.drive.test.sunet.se'
-  MAIL_DOMAIN: 'drive.test.sunet.se'
-  MAIL_FROM_ADDRESS: 'noreply'
-  MAIL_SMTPHOST: 'smtp.sunet.se'
-  MAIL_SMTPNAME: 'noreply@drive.test.sunet.se'
-  MYSQL_DATABASE: 'nextcloud_customer'
-  MYSQL_HOST: 'proxysqlcluster.proxysql'
-  MYSQL_PORT: '6033'
-  MYSQL_USER: 'nextcloud_customer'
-  NEXTCLOUD_ADMIN_USER: 'admin'
-  NEXTCLOUD_TRUSTED_DOMAINS: 'customer.drive.test.sunet.se'
-  NEXTCLOUD_VERSION_STRING: '30.0.5.2'
-  OBJECTSTORE_S3_AUTOCREATE: 'true'
-  OBJECTSTORE_S3_BUCKET: 'primary-customer-drive-test.sunet.se'
-  OBJECTSTORE_S3_HOST: 's3.sto4.safedc.net'
-  OBJECTSTORE_S3_REGION: 'us-east-1'
-  OBJECTSTORE_S3_SSL: 'true'
-  OBJECTSTORE_S3_USEPATH_STYLE: 'true'
-  REDIS_HOST: 'redis'
-  SITE_NAME: 'customer.drive.test.sunet.se'

customers/base/files/000-default.conf

@@ -1,73 +0,0 @@
-LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so
-LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
-<VirtualHost *:80>
-        ServerAdmin webmaster@localhost
-        DocumentRoot /var/www/html
-        # Log format config
-        LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" xforwardedfor
-        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
-
-        PassEnv HOSTNAME
-        Header append Set-Cookie "SERVERID=%{HOSTNAME}e;Path=/;SameSite=Lax;HttpOnly;Secure"
-
-        # Header config
-        RemoteIPHeader X-Forwarded-For
-        RemoteIPInternalProxy 37.156.195.14
-        RemoteIPInternalProxy 37.156.195.19
-        RemoteIPInternalProxy 37.156.195.84
-        RemoteIPInternalProxy 37.156.195.92
-        #ErrorDocument 404 /404.html
-        ErrorLog ${APACHE_LOG_DIR}/error.log
-        CustomLog ${APACHE_LOG_DIR}/access.log xforwardedfor env=forwarded
-        CustomLog ${APACHE_LOG_DIR}/access.log combined env=!forwarded
-        <Directory /var/www/html/>
-                LimitRequestBody 0
-                Require all granted
-                AllowOverride All
-                Options FollowSymLinks MultiViews
-
-                <IfModule mod_dav.c>
-                    Dav off
-                </IfModule>
-        </Directory>
-</VirtualHost>
-<VirtualHost *:443>
-        ServerAdmin webmaster@localhost
-        DocumentRoot /var/www/html
-        # Log format config
-        LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" xforwardedfor
-        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
-
-        PassEnv HOSTNAME
-        Header append Set-Cookie "SERVERID=%{HOSTNAME}e;Path=/;SameSite=Lax;HttpOnly;Secure"
-
-        # Header config
-        RemoteIPHeader X-Forwarded-For
-        RemoteIPInternalProxy 37.156.195.14
-        RemoteIPInternalProxy 37.156.195.19
-        RemoteIPInternalProxy 37.156.195.84
-        RemoteIPInternalProxy 37.156.195.92
-        #ErrorDocument 404 /404.html
-        ErrorLog ${APACHE_LOG_DIR}/error.log
-        CustomLog ${APACHE_LOG_DIR}/access.log xforwardedfor env=forwarded
-        CustomLog ${APACHE_LOG_DIR}/access.log combined env=!forwarded
-        SSLEngine On
-        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
-        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-        <Directory /var/www/html/>
-                LimitRequestBody 0
-                Require all granted
-                AllowOverride All
-                Options FollowSymLinks MultiViews
-
-                <IfModule mod_dav.c>
-                    Dav off
-                </IfModule>
-        </Directory>
-        <Directory /var/www/html/data>
-            Order allow,deny
-            deny from all
-        </Directory>
-</VirtualHost>
-# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
-

customers/base/files/apache-php.ini

@@ -1,157 +0,0 @@
-[PHP]
-allow_url_fopen = On
-allow_url_include = Off
-auto_append_file =
-auto_globals_jit = On
-auto_prepend_file =
-default_charset = "UTF-8"
-default_mimetype = "text/html"
-default_socket_timeout = 60
-disable_classes =
-disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
-display_errors = Off
-display_startup_errors = Off
-doc_root =
-enable_dl = Off
-engine = On
-error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
-expose_php = Off
-file_uploads = On
-ignore_repeated_errors = Off
-ignore_repeated_source = Off
-implicit_flush = Off
-log_errors = On
-log_errors_max_len = 1024
-max_execution_time = 86400
-max_file_uploads = 20
-max_input_time = 86400
-memory_limit = 512M
-output_buffering = Off
-post_max_size = 30G
-precision = 14
-register_argc_argv = Off
-report_memleaks = On
-request_order = "GP"
-serialize_precision = -1
-short_open_tag = Off
-unserialize_callback_func =
-upload_max_filesize = 30G
-user_dir =
-variables_order = "GPCS"
-zend.enable_gc = On
-zend.exception_ignore_args = On
-zlib.output_compression = Off
-[CLI Server]
-cli_server.color = On
-[Date]
-; Nothing here
-[filter]
-; Nothing here
-[iconv]
-; Nothing here
-[imap]
-; Nothing here
-[intl]
-; Nothing here
-[sqlite3]
-; Nothing here
-[Pcre]
-; Nothing here
-[Pdo]
-; Nothing here
-[Pdo_mysql]
-pdo_mysql.default_socket=
-[Phar]
-; Nothing here
-[mail function]
-SMTP = localhost
-smtp_port = 25
-mail.add_x_header = Off
-[ODBC]
-odbc.allow_persistent = On
-odbc.check_persistent = On
-odbc.max_persistent = -1
-odbc.max_links = -1
-odbc.defaultlrl = 4096
-odbc.defaultbinmode = 1
-[MySQLi]
-mysqli.max_persistent = -1
-mysqli.allow_persistent = On
-mysqli.max_links = -1
-mysqli.default_port = 3306
-mysqli.default_socket =
-mysqli.default_host =
-mysqli.default_user =
-mysqli.default_pw =
-mysqli.reconnect = Off
-[mysqlnd]
-mysqlnd.collect_statistics = On
-mysqlnd.collect_memory_statistics = Off
-[OCI8]
-; Nothing here
-[PostgreSQL]
-pgsql.allow_persistent = On
-pgsql.auto_reset_persistent = Off
-pgsql.max_persistent = -1
-pgsql.max_links = -1
-pgsql.ignore_notice = 0
-pgsql.log_notice = 0
-[bcmath]
-bcmath.scale = 0
-[browscap]
-; Nothing here
-[Session]
-session.save_handler = files
-session.use_strict_mode = 0
-session.use_cookies = 1
-session.use_only_cookies = 1
-session.name = PHPSESSID
-session.auto_start = 0
-session.cookie_lifetime = 0
-session.cookie_path = /
-session.cookie_domain =
-session.cookie_httponly =
-session.cookie_samesite =
-session.serialize_handler = php
-session.gc_probability = 0
-session.gc_divisor = 1000
-session.gc_maxlifetime = 1440
-session.referer_check =
-session.cache_limiter = nocache
-session.cache_expire = 180
-session.use_trans_sid = 0
-session.sid_length = 26
-session.trans_sid_tags = "a=href,area=href,frame=src,form="
-session.sid_bits_per_character = 5
-[Assertion]
-zend.assertions = -1
-[COM]
-; Nothing here
-[mbstring]
-; Nothing here
-[gd]
-; Nothing here
-[exif]
-; Nothing here
-[Tidy]
-tidy.clean_output = Off
-[soap]
-soap.wsdl_cache_enabled=1
-soap.wsdl_cache_dir="/tmp"
-soap.wsdl_cache_ttl=86400
-soap.wsdl_cache_limit = 5
-[sysvshm]
-; Nothing here
-[ldap]
-ldap.max_links = -1
-[dba]
-; Nothing here
-[opcache]
-opcache.interned_strings_buffer=64
-[curl]
-; Nothing here
-[openssl]
-; Nothing here
-[ffi]
-; Nothing here
-

customers/base/files/apcu.ini

@@ -1,3 +0,0 @@
-extension=apcu.so
-apc.enable_cli=1
-

customers/base/files/cli-php.ini

@@ -1,157 +0,0 @@
-[PHP]
-allow_url_fopen = On
-allow_url_include = Off
-auto_append_file =
-auto_globals_jit = On
-auto_prepend_file =
-default_charset = "UTF-8"
-default_mimetype = "text/html"
-default_socket_timeout = 60
-disable_classes =
-disable_functions =
-display_errors = Off
-display_startup_errors = Off
-doc_root =
-enable_dl = Off
-engine = On
-error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
-expose_php = On
-file_uploads = On
-ignore_repeated_errors = Off
-ignore_repeated_source = Off
-implicit_flush = Off
-log_errors = On
-log_errors_max_len = 1024
-max_execution_time = 86400
-max_file_uploads = 20
-max_input_time = 86400
-memory_limit = -1
-output_buffering = Off
-post_max_size = 16G
-precision = 14
-register_argc_argv = Off
-report_memleaks = On
-request_order = "GP"
-serialize_precision = -1
-short_open_tag = Off
-unserialize_callback_func =
-upload_max_filesize = 16G
-user_dir =
-variables_order = "GPCS"
-zend.enable_gc = On
-zend.exception_ignore_args = On
-zlib.output_compression = Off
-[CLI Server]
-cli_server.color = On
-[Date]
-; Nothing here
-[filter]
-; Nothing here
-[iconv]
-; Nothing here
-[imap]
-; Nothing here
-[intl]
-; Nothing here
-[sqlite3]
-; Nothing here
-[Pcre]
-; Nothing here
-[Pdo]
-; Nothing here
-[Pdo_mysql]
-pdo_mysql.default_socket=
-[Phar]
-; Nothing here
-[mail function]
-SMTP = localhost
-smtp_port = 25
-mail.add_x_header = Off
-[ODBC]
-odbc.allow_persistent = On
-odbc.check_persistent = On
-odbc.max_persistent = -1
-odbc.max_links = -1
-odbc.defaultlrl = 4096
-odbc.defaultbinmode = 1
-[MySQLi]
-mysqli.max_persistent = -1
-mysqli.allow_persistent = On
-mysqli.max_links = -1
-mysqli.default_port = 3306
-mysqli.default_socket =
-mysqli.default_host =
-mysqli.default_user =
-mysqli.default_pw =
-mysqli.reconnect = Off
-[mysqlnd]
-mysqlnd.collect_statistics = On
-mysqlnd.collect_memory_statistics = Off
-[OCI8]
-; Nothing here
-[PostgreSQL]
-pgsql.allow_persistent = On
-pgsql.auto_reset_persistent = Off
-pgsql.max_persistent = -1
-pgsql.max_links = -1
-pgsql.ignore_notice = 0
-pgsql.log_notice = 0
-[bcmath]
-bcmath.scale = 0
-[browscap]
-; Nothing here
-[Session]
-session.save_handler = files
-session.use_strict_mode = 0
-session.use_cookies = 1
-session.use_only_cookies = 1
-session.name = PHPSESSID
-session.auto_start = 0
-session.cookie_lifetime = 0
-session.cookie_path = /
-session.cookie_domain =
-session.cookie_httponly =
-session.cookie_samesite =
-session.serialize_handler = php
-session.gc_probability = 0
-session.gc_divisor = 1000
-session.gc_maxlifetime = 1440
-session.referer_check =
-session.cache_limiter = nocache
-session.cache_expire = 180
-session.use_trans_sid = 0
-session.sid_length = 26
-session.trans_sid_tags = "a=href,area=href,frame=src,form="
-session.sid_bits_per_character = 5
-[Assertion]
-zend.assertions = -1
-[COM]
-; Nothing here
-[mbstring]
-; Nothing here
-[gd]
-; Nothing here
-[exif]
-; Nothing here
-[Tidy]
-tidy.clean_output = Off
-[soap]
-soap.wsdl_cache_enabled=1
-soap.wsdl_cache_dir="/tmp"
-soap.wsdl_cache_ttl=86400
-soap.wsdl_cache_limit = 5
-[sysvshm]
-; Nothing here
-[ldap]
-ldap.max_links = -1
-[dba]
-; Nothing here
-[opcache]
-opcache.interned_strings_buffer=64
-[curl]
-; Nothing here
-[openssl]
-; Nothing here
-[ffi]
-; Nothing here
-

customers/base/files/config.php

@@ -1,107 +0,0 @@
-<?php
-$CONFIG = array (
-  'app_install_overwrite' =>
-    array (
-      0 => 'globalsiteselector',
-    ),
-  'apps_paths' =>
-    array (
-      0 =>
-        array (
-          'path' => '/var/www/html/apps',
-          'url' => '/apps',
-          'writable' => false,
-        ),
-      1 =>
-        array (
-          'path' => '/var/www/html/custom_apps',
-          'url' => '/custom_apps',
-          'writable' => true,
-        ),
-    ),
-  'appstoreenabled' => false,
-  'config_is_read_only' => true,
-  'csrf.disabled' => true,
-  'datadirectory' => '/var/www/html/data',
-  'dbhost' => '{{MYSQL_HOST}}:{{MYSQL_PORT}}',
-  'dbname' => '{{MYSQL_DATABASE}}',
-  'dbpassword' => '{{MYSQL_PASSWORD}}',
-  'dbport' => '{{MYSQL_PORT}}',
-  'dbtableprefix' => 'oc_',
-  'dbtype' => 'mysql',
-  'dbuser' => '{{MYSQL_USER}}',
-  'default_phone_region' => 'SE',
-  'forcessl' => true,
-  'gs.enabled' => 'true',
-  'gs.federation' => 'global',
-  'gs.trustedHosts' => ['*.sunet.se'],
-  'htaccess.RewriteBase' => '/',
-  'installed' => true,
-  'instanceid' => '{{NEXTCLOUD_INSTANCEID}}',
-  'integrity.check.disabled' => true,
-  'log_type' => 'file',
-  'loglevel' => 0,
-  'lookup_server' => '{{LOOKUP_SERVER}}',
-  'mail_domain' => '{{MAIL_DOMAIN}}',
-  'mail_from_address' => '{{MAIL_FROM_ADDRESS}}',
-  'mail_sendmailmode' => 'smtp',
-  'mail_smtpauth' => 1,
-  'mail_smtpauthtype' => 'LOGIN',
-  'mail_smtphost' => '{{MAIL_SMTPHOST}}',
-  'mail_smtpmode' => 'smtp',
-  'mail_smtpname' => '{{MAIL_SMTPNAME}}',
-  'mail_smtppassword' => '{{MAIL_SMTPPASSWORD}}',
-  'mail_smtpport' => '587',
-  'mail_smtpsecure' => 'tls',
-  'mail_template_class' => 'OCA\DriveEmailTemplate\EMailTemplate',
-  'memcache.distributed' => '\\OC\\Memcache\\Redis',
-  'memcache.local' => '\\OC\\Memcache\\APCu',
-  'memcache.locking' => '\\OC\\Memcache\\Redis',
-  'mysql.utf8mb4' => true,
-  'objectstore' =>
-    array (
-      'class' => '\\OC\\Files\\ObjectStore\\S3',
-      'arguments' =>
-        array (
-          'autocreate' => false,
-          'bucket' => '{{OBJECTSTORE_S3_BUCKET}}',
-          'hostname' => '{{OBJECTSTORE_S3_HOST}}',
-          'key' => '{{OBJECTSTORE_S3_KEY}}',
-          'legacy_auth' => false,
-          'objectPrefix' => 'urn:oid:',
-          'port' => '',
-          'region' => '{{OBJECTSTORE_S3_REGION}}',
-          'secret' => '{{OBJECTSTORE_S3_SECRET}}',
-          'use_path_style' => true,
-          'use_ssl' => true,
-        ),
-    ),
-  'overwrite.cli.url' => 'https://{{SITE_NAME}}/',
-  'overwritehost' => '{{SITE_NAME}}',
-  'overwriteprotocol' => 'https',
-  'passwordsalt' => '{{NEXTCLOUD_PASSWORDSALT}}',
-  'secret' => '{{NEXTCLOUD_SECRET}}',
-  'redis' =>
-    array (
-      'host' => '{{REDIS_HOST}}',
-      'port' => 6379,
-    ),
-  'skeletondirectory' => '',
-  'templatedirectory' => '',
-  'trusted_domains' =>
-    array (
-      0 => '{{NEXTCLOUD_TRUSTED_DOMAINS}}'
-    ),
-  'trusted_proxies' =>
-    array (
-      0 => '10.0.0.0/8'
-    ),
-  'twofactor_enforced' => 'true',
-  'twofactor_enforced_groups' =>
-    array (
-      0 => 'admin',
-    ),
-  'updatechecker' => false,
-  'version' => '{{NEXTCLOUD_VERSION_STRING}}',
-);
-

customers/base/files/nc-upgrade

@@ -1,14 +0,0 @@
-#!/bin/bash
-sed "s/config_is_read_only\(.\) => true,/config_is_read_only\1 => false,/" /var/www/html/config/config.php > /var/www/html/config/config.php.tmp
-mv /var/www/html/config/config.php.tmp /var/www/html/config/config.php
-php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ upgrade
-php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:update:htaccess
-php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:repair
-php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:mode --off
-php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-primary-keys
-php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-columns
-php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-indices
-sed "s/config_is_read_only\(.\) => false,/config_is_read_only\1 => true,/" /var/www/html/config/config.php > /var/www/html/config/config.php.tmp
-mv /var/www/html/config/config.php.tmp /var/www/html/config/config.php
-chown www-data:www-data /var/www/html/config/config.php
-

customers/base/kustomization.yaml

@@ -1,37 +1,13 @@
 resources:
-  - env-configmap.yml
-  - nextcloud-cert-issuer.yml
+  - apache-configmap.yml
+  - apache-php-configmap.yml
+  - apcu-configmap.yml
+  - cli-php-configmap.yml
+  - nextcloud-configmap.yml
   - nextcloud-deployment.yml
   - nextcloud-ingress.yml
   - nextcloud-service.yml
   - redis-deployment.yml
   - redis-service.yml
   - s3-service.yml
-
-configMapGenerator:
-  - name: apache-configmap
-    files:
-      - files/000-default.conf
-  - name: apache-php-configmap
-    files:
-      - php.ini=files/apache-php.ini
-  - name: apcu-configmap
-    files:
-      - files/apcu.ini
-  - name: nextcloud-configmap
-    files:
-      - files/config.php
-  - name: cli-php-configmap
-    files:
-      - php.ini=files/cli-php.ini
-  - name: script-configmap
-    files:
-      - files/nc-upgrade
-
-generatorOptions:
-  disableNameSuffixHash: true
-
-images:
-  - name: nextcloud-custom-image
-    newName: docker.sunet.se/drive/nextcloud-custom
-    newTag: 30.0.5.2-2
+  - script-configmap.yml

customers/base/nextcloud-cert-issuer.yml

@@ -1,15 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: letsencrypt
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: drive@sunet.se
-    privateKeySecretRef:
-      name: letsencrypt
-    solvers:
-      - http01:
-          ingress: 
-            class: nginx
-

customers/base/nextcloud-configmap.yml

@@ -0,0 +1,115 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nextcloud-configmap
+data:
+  config.php: |
+    <?php
+    $CONFIG = array (
+      'app_install_overwrite' =>
+        array (
+          0 => 'globalsiteselector',
+        ),
+      'apps_paths' =>
+        array (
+          0 =>
+            array (
+              'path' => '/var/www/html/apps',
+              'url' => '/apps',
+              'writable' => false,
+            ),
+          1 =>
+            array (
+              'path' => '/var/www/html/custom_apps',
+              'url' => '/custom_apps',
+              'writable' => true,
+            ),
+        ),
+      'appstoreenabled' => false,
+      'config_is_read_only' => true,
+      'csrf.disabled' => true,
+      'datadirectory' => '/var/www/html/data',
+      'dbhost' => '{{MYSQL_HOST}}:{{MYSQL_PORT}}',
+      'dbname' => '{{MYSQL_DATABASE}}',
+      'dbpassword' => '{{MYSQL_PASSWORD}}',
+      'dbport' => '{{MYSQL_PORT}}',
+      'dbtableprefix' => 'oc_',
+      'dbtype' => 'mysql',
+      'dbuser' => '{{MYSQL_USER}}',
+      'default_phone_region' => 'SE',
+      'forcessl' => true,
+      'gs.enabled' => 'true',
+      'gs.federation' => 'global',
+      'gs.trustedHosts' => ['*.sunet.se'],
+      'gss.jwt.key' => '{{GSS_JWT_KEY}}',
+      'gss.master.url' => '{{GSS_MASTER_URL}}',
+      'gss.mode' => 'slave',
+      'gss.user.discovery.module' => '\\OCA\\GlobalSiteSelector\\UserDiscoveryModules\\ManualUserMapping',
+      'installed' => true,
+      'instanceid' => '{{NEXTCLOUD_INSTANCEID}}',
+      'integrity.check.disabled' => true,
+      'log_type' => 'file',
+      'loglevel' => 0,
+      'lookup_server' => '{{LOOKUP_SERVER}}',
+      'mail_domain' => '{{MAIL_DOMAIN}}',
+      'mail_from_address' => '{{MAIL_FROM_ADDRESS}}',
+      'mail_sendmailmode' => 'smtp',
+      'mail_smtpauth' => 1,
+      'mail_smtpauthtype' => 'LOGIN',
+      'mail_smtphost' => '{{MAIL_SMTPHOST}}',
+      'mail_smtpmode' => 'smtp',
+      'mail_smtpname' => '{{MAIL_SMTPNAME}}',
+      'mail_smtppassword' => '{{MAIL_SMTPPASSWORD}}',
+      'mail_smtpport' => '587',
+      'mail_smtpsecure' => 'tls',
+      'mail_template_class' => 'OCA\DriveEmailTemplate\EMailTemplate',
+      'memcache.distributed' => '\\OC\\Memcache\\Redis',
+      'memcache.local' => '\\OC\\Memcache\\APCu',
+      'memcache.locking' => '\\OC\\Memcache\\Redis',
+      'mysql.utf8mb4' => true,
+      'objectstore' =>
+        array (
+          'class' => '\\OC\\Files\\ObjectStore\\S3',
+          'arguments' =>
+            array (
+              'autocreate' => false,
+              'bucket' => '{{OBJECTSTORE_S3_BUCKET}}',
+              'hostname' => '{{OBJECTSTORE_S3_HOST}}',
+              'key' => '{{OBJECTSTORE_S3_KEY}}',
+              'legacy_auth' => false,
+              'objectPrefix' => 'urn:oid:',
+              'port' => '',
+              'region' => '{{OBJECTSTORE_S3_REGION}}',
+              'secret' => '{{OBJECTSTORE_S3_SECRET}}',
+              'use_path_style' => true,
+              'use_ssl' => true,
+            ),
+        ),
+      'overwrite.cli.url' => 'https://{{SITE_NAME}}',
+      'overwritehost' => '{{SITE_NAME}}',
+      'overwriteprotocol' => 'https',
+      'passwordsalt' => '{{NEXTCLOUD_PASSWORDSALT}}',
+      'secret' => '{{NEXTCLOUD_SECRET}}',
+      'redis' =>
+        array (
+          'host' => '{{REDIS_HOST}}',
+          'port' => 6379,
+        ),
+      'skeletondirectory' => '',
+      'templatedirectory' => '',
+      'trusted_domains' =>
+        array (
+          0 => '{{NEXTCLOUD_TRUSTED_DOMAINS}}'
+        ),
+      'trusted_proxies' =>
+        array (
+          0 => '10.0.0.0/8'
+        ),
+      'twofactor_enforced' => 'true',
+      'twofactor_enforced_groups' =>
+        array (
+          0 => 'admin',
+        ),
+      'updatechecker' => false,
+      'version' => '{{NEXTCLOUD_VERSION_STRING}}',
+    );

customers/base/nextcloud-deployment.yml

@@ -11,6 +11,16 @@ spec:
       app: customer-node
   updateStrategy:
     type: RollingUpdate
+  volumeClaimTemplates:
+    - metadata:
+        name: nextcloud-data
+      spec:
+        storageClassName: csi-sc-cinderplugin
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
   template:
     metadata:
       labels:
@@ -18,25 +28,9 @@ spec:
         kano: micke
     spec:
       restartPolicy: Always
-      initContainers:
-        - image: docker.sunet.se/sunet/docker-jinja:latest
-          name: init-config
-          volumeMounts:
-            - name: nextcloud-config
-              mountPath: /tmp/config.php.template
-              subPath: config.php
-            - name: nextcloud-data
-              mountPath: /var/www/html/config
-              subPath: config
-          envFrom:
-            - configMapRef:
-                name: nextcloud-env
-            - secretRef:
-                name: nextcloud-secrets
-          command: ["/bin/bash", "-c", "/usr/bin/j2 -f env -o /var/www/html/config/config.php /tmp/config.php.template"]
       containers:
         - name: customer
-          image: nextcloud-custom-image
+          image: docker.sunet.se/drive/nextcloud-custom:27.1.6.3-5
           volumeMounts:
             - name: nextcloud-data
               mountPath: /var/www/html/config/
@@ -82,6 +76,105 @@ spec:
             postStart:
               exec:
                 command: ["/bin/bash", "-c", "/usr/local/bin/nc-upgrade"]
+      initContainers:
+        - image: docker.sunet.se/sunet/docker-jinja:latest
+          name: init-config
+          volumeMounts:
+            - name: nextcloud-config
+              mountPath: /tmp/config.php.template
+              subPath: config.php
+            - name: nextcloud-data
+              mountPath: /var/www/html/config
+              subPath: config
+          env:
+            - name: GSS_MASTER_URL
+              value: "https://drive.test.sunet.se"
+            - name: GSS_JWT_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: gss-secret
+                  key: "jwt_key"
+            - name: LOOKUP_SERVER
+              value: "https://lookup.drive.test.sunet.se"
+            - name: MAIL_DOMAIN
+              value: "drive.test.sunet.se"
+            - name: MAIL_FROM_ADDRESS
+              value: "noreply"
+            - name: MAIL_SMTPHOST
+              value: "smtp.sunet.se"
+            - name: MAIL_SMTPNAME
+              value: "noreply@drive.test.sunet.se"
+            - name: MAIL_SMTPPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: mail-secret
+                  key: "smtp_password"
+            - name: MYSQL_DATABASE
+              value: "nextcloud_customer"
+            - name: MYSQL_USER
+              value: "nextcloud_customer"
+            - name: MYSQL_HOST
+              value: "proxysqlcluster.proxysql"
+            - name: MYSQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: db-secret
+                  key: "db_password"
+            - name: MYSQL_PORT
+              value: "6033"
+            - name: NEXTCLOUD_TRUSTED_DOMAINS
+              value: "customer.drive.test.sunet.se"
+            - name: NEXTCLOUD_ADMIN_USER
+              value: admin
+            - name: NEXTCLOUD_VERSION_STRING
+              value: "26.0.1.2"
+            - name: NEXTCLOUD_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: nc-secret
+                  key: "nc_admin_password"
+            - name: NEXTCLOUD_PASSWORDSALT
+              valueFrom:
+                secretKeyRef:
+                  name: nc-secret
+                  key: "nc_passwordsalt"
+            - name: NEXTCLOUD_INSTANCEID
+              valueFrom:
+                secretKeyRef:
+                  name: nc-secret
+                  key: "nc_instanceid"
+            - name: NEXTCLOUD_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: nc-secret
+                  key: "nc_secret"
+            - name: OBJECTSTORE_S3_REGION
+              value: "us-east-1"
+            - name: OBJECTSTORE_S3_HOST
+              value: "s3.sto4.safedc.net"
+            - name: OBJECTSTORE_S3_BUCKET
+              value: "primary-customer-drive-test.sunet.se"
+            - name: OBJECTSTORE_S3_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: s3-secret
+                  key: "s3_key"
+            - name: OBJECTSTORE_S3_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: s3-secret
+                  key: "s3_secret"
+            - name: OBJECTSTORE_S3_USEPATH_STYLE
+              value: "true"
+            - name: OBJECTSTORE_S3_AUTOCREATE
+              value: "true"
+            - name: OBJECTSTORE_S3_SSL
+              value: "true"
+            - name: REDIS_HOST
+              value: "redis"
+            - name: SITE_NAME
+              value: "customer.drive.test.sunet.se"
+          command: ["/bin/bash", "-c", "/usr/bin/j2 -f env -o /var/www/html/config/config.php /tmp/config.php.template"]
       volumes:
         - name: script-config
           configMap:
@@ -120,5 +213,3 @@ spec:
             items:
               - key: "config.php"
                 path: "config.php"
-        - name: nextcloud-data
-          emptyDir: {}

customers/base/nextcloud-ingress.yml

@@ -4,15 +4,10 @@ kind: Ingress
 metadata:
   name: customer-ingress
   annotations:
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-    nginx.ingress.kubernetes.io/affinity-mode: "persistent"
-    nginx.ingress.kubernetes.io/affinity: "cookie"
-    nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
-    nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
-    nginx.ingress.kubernetes.io/session-cookie-name: "sticky"
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
-  ingressClassName: nginx
   defaultBackend:
     service:
       name: customer-node
@@ -22,6 +17,7 @@ spec:
     - hosts:
         - customer.drive.test.sunet.se 
       secretName: tls-secret
+  
   rules:
   - host: customer.drive.test.sunet.se
     http:

customers/base/script-configmap.yml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: script-configmap
+data:
+  nc-upgrade: |
+    #!/bin/bash
+    sed "s/config_is_read_only\(.\) => true,/config_is_read_only\1 => false,/" /var/www/html/config/config.php > /var/www/html/config/config.php.tmp
+    mv /var/www/html/config/config.php.tmp /var/www/html/config/config.php
+    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ app:disable globalsiteselector
+    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ upgrade
+    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ app:enable globalsiteselector
+    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:repair
+    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:mode --off
+    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-primary-keys
+    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-columns
+    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-indices
+    sed "s/config_is_read_only\(.\) => false,/config_is_read_only\1 => true,/" /var/www/html/config/config.php > /var/www/html/config/config.php.tmp
+    mv /var/www/html/config/config.php.tmp /var/www/html/config/config.php

customers/overlays/nordunet/test/env-configmap.yml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: nextcloud-env
-data:
-  MYSQL_DATABASE: 'nextcloud_nordunet'
-  MYSQL_USER: 'nextcloud_nordunet'
-  NEXTCLOUD_TRUSTED_DOMAINS: 'nordunet.drive.test.sunet.se'
-  OBJECTSTORE_S3_BUCKET: 'primary-nordunet-drive-test.sunet.se'
-  SITE_NAME: 'nordunet.drive.test.sunet.se'

customers/overlays/nordunet/test/kustomization.yaml

@@ -3,6 +3,5 @@ kind: Kustomization
 resources:
 - ../../../base
 patches:
-  - path: env-configmap.yml
 - path: nextcloud-deployment.yml
 - path: nextcloud-ingress.yml

customers/overlays/nordunet/test/nextcloud-deployment.yml

@@ -6,3 +6,30 @@ metadata:
     app: customer-node
 spec:
   replicas: 1
+  template:
+    metadata:
+      labels:
+        app: customer-node
+    spec:
+      initContainers:
+        - image: docker.sunet.se/sunet/docker-jinja:latest
+          name: init-config
+          env:
+            - name: MYSQL_DATABASE
+              value: "nextcloud_nordunet"
+            - name: MYSQL_USER
+              value: "nextcloud_nordunet"
+            - name: GSS_MASTER_URL
+              value: "https://drive.test.sunet.se"
+            - name: LOOKUP_SERVER
+              value: "https://lookup.drive.test.sunet.se"
+            - name: MAIL_DOMAIN
+              value: "drive.test.sunet.se"
+            - name: MAIL_SMTPNAME
+              value: "noreply@drive.test.sunet.se"
+            - name: NEXTCLOUD_TRUSTED_DOMAINS
+              value: "nordunet.drive.test.sunet.se"
+            - name: OBJECTSTORE_S3_BUCKET
+              value: "primary-nordunet-drive-test.sunet.se"
+            - name: SITE_NAME
+              value: "nordunet.drive.test.sunet.se"

customers/overlays/nordunet/test/nextcloud-ingress.yml

@@ -4,15 +4,15 @@ kind: Ingress
 metadata:
   name: customer-ingress
   annotations:
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
-  ingressClassName: nginx
   tls:
     - hosts:
         - nordunet.drive.test.sunet.se 
       secretName: tls-secret
-  ingressClassName: nginx
+  
   rules:
   - host: nordunet.drive.test.sunet.se
     http:

customers/overlays/richir/test/env-configmap.yml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: nextcloud-env
-data:
-  MYSQL_DATABASE: 'nextcloud_richir'
-  MYSQL_USER: 'nextcloud_richir'
-  NEXTCLOUD_TRUSTED_DOMAINS: 'richir.drive.test.sunet.se'
-  OBJECTSTORE_S3_BUCKET: 'primary-richir-drive-test.sunet.se'
-  SITE_NAME: 'richir.drive.test.sunet.se'

customers/overlays/richir/test/kustomization.yaml

@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ../../../base
-patches:
-  - path: env-configmap.yml
-  - path: nextcloud-deployment.yml
-  - path: nextcloud-ingress.yml

customers/overlays/richir/test/nextcloud-deployment.yml

@@ -1,8 +0,0 @@
-kind: StatefulSet
-apiVersion: apps/v1
-metadata:
-  name: customer-node
-  labels:
-    app: customer-node
-spec:
-  replicas: 2

customers/overlays/richir/test/nextcloud-ingress.yml

@@ -1,26 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: customer-ingress
-  annotations:
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - richir.drive.test.sunet.se
-      secretName: tls-secret
-  ingressClassName: nginx
-  rules:
-  - host: richir.drive.test.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: customer-node
-            port:
-              number: 80

customers/overlays/vinnova/test/env-configmap.yml

@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: nextcloud-env
-data:
-  MYSQL_DATABASE: 'nextcloud_vinnova'
-  MYSQL_USER: 'nextcloud_vinnova'
-  NEXTCLOUD_TRUSTED_DOMAINS: 'vinnova.drive.test.sunet.se'
-  OBJECTSTORE_S3_BUCKET: 'primary-vinnova-test.sunet.se'
-  SITE_NAME: 'vinnova.drive.test.sunet.se'

customers/overlays/vinnova/test/kustomization.yaml

@@ -1,8 +1,7 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
+apiVersion: 'kustomize.config.k8s.io/v1beta1'
 kind: Kustomization
-resources:
+bases:
 - ../../../base
-patches:
-  - path: env-configmap.yml
-  - path: nextcloud-deployment.yml
-  - path: nextcloud-ingress.yml
+patchesStrategicMerge:
+  - nextcloud-deployment.yml
+  - nextcloud-ingress.yml

customers/overlays/vinnova/test/nextcloud-deployment.yml

@@ -5,4 +5,30 @@ metadata:
   labels:
     app: customer-node
 spec:
-  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: customer-node
+    spec:
+      initContainers:
+        - image: docker.sunet.se/sunet/docker-jinja:latest
+          name: init-config
+          env:
+            - name: MYSQL_DATABASE
+              value: "nextcloud_vinnova"
+            - name: MYSQL_USER
+              value: "nextcloud_vinnova"
+            - name: GSS_MASTER_URL
+              value: "https://drive.test.sunet.se"
+            - name: LOOKUP_SERVER
+              value: "https://lookup.drive.test.sunet.se"
+            - name: MAIL_DOMAIN
+              value: "drive.test.sunet.se"
+            - name: MAIL_SMTPNAME
+              value: "noreply@drive.test.sunet.se"
+            - name: NEXTCLOUD_TRUSTED_DOMAINS
+              value: "vinnova.drive.test.sunet.se"
+            - name: OBJECTSTORE_S3_BUCKET
+              value: "primary-vinnova-test.sunet.se"
+            - name: SITE_NAME
+              value: "vinnova.drive.test.sunet.se"

customers/overlays/vinnova/test/nextcloud-ingress.yml

@@ -4,15 +4,15 @@ kind: Ingress
 metadata:
   name: customer-ingress
   annotations:
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
-  ingressClassName: nginx
   tls:
     - hosts:
         - vinnova.drive.test.sunet.se 
       secretName: tls-secret
-  ingressClassName: nginx
+  
   rules:
   - host: vinnova.drive.test.sunet.se
     http:

customers/overlays/vr/test/kustomization.yaml

@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../base
+- ../../../base
 patches:
-- path: argocd-ingress.yaml
+- path: nextcloud-deployment.yml
+- path: nextcloud-ingress.yml

customers/overlays/vr/test/nextcloud-deployment.yml

@@ -0,0 +1,35 @@
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+  name: customer-node
+  labels:
+    app: customer-node
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: customer-node
+    spec:
+      initContainers:
+        - image: docker.sunet.se/sunet/docker-jinja:latest
+          name: init-config
+          env:
+            - name: MYSQL_DATABASE
+              value: "nextcloud_vr"
+            - name: MYSQL_USER
+              value: "nextcloud_vr"
+            - name: GSS_MASTER_URL
+              value: "https://drive.test.sunet.se"
+            - name: LOOKUP_SERVER
+              value: "https://lookup.drive.test.sunet.se"
+            - name: MAIL_DOMAIN
+              value: "drive.test.sunet.se"
+            - name: MAIL_SMTPNAME
+              value: "noreply@drive.test.sunet.se"
+            - name: NEXTCLOUD_TRUSTED_DOMAINS
+              value: "vr.drive.test.sunet.se"
+            - name: OBJECTSTORE_S3_BUCKET
+              value: "primary-vr-drive-test.sunet.se"
+            - name: SITE_NAME
+              value: "vr.drive.test.sunet.se"

customers/overlays/vr/test/nextcloud-ingress.yml

@@ -1,31 +1,26 @@
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: argocd-ingress
-  namespace: argocd
+  name: customer-ingress
   annotations:
     kubernetes.io/ingress.class: traefik
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
-  defaultBackend:
-    service:
-      name: argocd-server
-      port:
-        number: 8443
   tls:
     - hosts:
-        - argocd.drive.sunet.se 
+        - vr.drive.test.sunet.se 
       secretName: tls-secret
   
   rules:
-  - host: argocd.drive.sunet.se
+  - host: vr.drive.test.sunet.se
     http:
       paths:
       - path: /
         pathType: Prefix
         backend: 
           service:
-            name: argocd-server
+            name: customer-node
             port:
               number: 80

health/overlays/sunet-prod/health-ingress.yml

@@ -1,30 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: health-ingress
-  namespace: health
-  annotations:
-    kubernetes.io/ingress.class: nginx
-spec:
-  defaultBackend:
-    service:
-      name: health-node
-      port:
-        number: 8443
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - sunet-kube.drive.sunet.se 
-      secretName: tls-secret
-  rules:
-  - host: sunet-kube.drive.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend: 
-          service:
-            name: health-node
-            port:
-              number: 8080

health/overlays/sunet-prod/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
-patches:
-- path: health-ingress.yml

health/overlays/sunet-test/health-ingress.yml

@@ -1,30 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: health-ingress
-  namespace: health
-  annotations:
-    kubernetes.io/ingress.class: nginx
-spec:
-  defaultBackend:
-    service:
-      name: health-node
-      port:
-        number: 8443
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - sunet-kube.drive.test.sunet.se 
-      secretName: tls-secret
-  rules:
-  - host: sunet-kube.drive.test.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend: 
-          service:
-            name: health-node
-            port:
-              number: 8080

health/overlays/sunet-test/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
-patches:
-- path: health-ingress.yml

health/overlays/test/health-ingress.yml

@@ -5,18 +5,20 @@ metadata:
   name: health-ingress
   namespace: health
   annotations:
-    kubernetes.io/ingress.class: nginx
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
   defaultBackend:
     service:
       name: health-node
       port:
         number: 8443
-  ingressClassName: nginx
+  ingressClassName: traefik
   tls:
     - hosts:
         - kube.drive.test.sunet.se 
       secretName: tls-secret
+  
   rules:
   - host: kube.drive.test.sunet.se
     http:

jupyter/base/jupyterhub-cert-issuer.yaml

@@ -1,15 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: letsencrypt
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: drive@sunet.se
-    privateKeySecretRef:
-      name: letsencrypt
-    solvers:
-      - http01:
-          ingress: 
-            class: nginx
-

jupyter/base/jupyterhub-ingress.yml

@@ -4,6 +4,7 @@ kind: Ingress
 metadata:
   name: jupyterhub-ingress
   annotations:
+    kubernetes.io/ingress.class: traefik
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:

jupyter/base/kustomization.yaml

@@ -1,4 +1,4 @@
 ---
-resources: [jupyterhub-ingress.yml, jupyterhub-service.yml, jupyterhub-cert-issuer.yaml]
+resources: [jupyterhub-ingress.yml, jupyterhub-service.yml]
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

jupyter/overlays/dev/vr/jupyterhub-ingress.yml

@@ -1,28 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: jupyterhub-ingress
-  annotations:
-    kubernetes.io/ingress.class: nginx
-spec:
-  defaultBackend:
-    service:
-      name: proxy-public
-      port:
-        number: 80
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - vr-jupyter.drive.sunet.se
-      secretName: prod-tls-secret
-  rules:
-  - host: vr-jupyter.drive.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend: 
-          service:
-            name: proxy-public
-            port:
-              number: 80

jupyter/overlays/dev/vr/jupyterhub-service.yml

@@ -1,24 +0,0 @@
----
-apiVersion: v1
-items:
-- apiVersion: v1
-  kind: Service
-  metadata:
-    labels:
-      app: jupyterhub-node
-    name: jupyterhub-node
-  spec:
-    ports:
-    - port: 8080
-      protocol: TCP
-      targetPort: 8080
-    selector:
-      app: jupyterhub-node
-    sessionAffinity: None
-    type: ClusterIP
-  status:
-    loadBalancer: {}
-kind: List
-metadata:
-  resourceVersion: ""
-  selfLink: ""

jupyter/overlays/dev/vr/kustomization.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources: [../../../base/]
-helmCharts:
-  - includeCRDs: true
-    name: jupyterhub
-    releaseName: vr-jupyterhub
-    valuesFile: ./values/values.yaml
-    version: 3.2.1
-    namespace: vr-jupyterhub
-helmGlobals:
-  chartHome: ../../../base/charts/
-patches:
-  - path: jupyterhub-ingress.yml
-  - path: jupyterhub-service.yml

jupyter/overlays/dev/vr/values/values.yaml

@@ -1,335 +0,0 @@
-debug:
-  enabled: true
-hub:
-  config:
-    Authenticator:
-      auto_login: true
-      enable_auth_state: true
-    JupyterHub:
-      tornado_settings:
-        headers: { 'Content-Security-Policy': "frame-ancestors *;" }
-  db:
-    pvc:
-      storageClassName: csi-sc-cinderplugin
-  extraConfig:
-    oauthCode: |
-      import time
-      import requests
-      from datetime import datetime
-      from oauthenticator.generic import GenericOAuthenticator
-      token_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'
-      debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
-
-      def get_nextcloud_access_token(refresh_token):
-        client_id = os.environ['NEXTCLOUD_CLIENT_ID']
-        client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
-
-        code = refresh_token
-        data = {
-          'grant_type': 'refresh_token',
-          'code': code,
-          'refresh_token': refresh_token,
-          'client_id': client_id,
-          'client_secret': client_secret
-        }
-        response = requests.post(token_url, data=data)
-        if debug:
-          print(response.text)
-        return response.json()
-
-      def post_auth_hook(authenticator, handler, authentication):
-        user = authentication['auth_state']['oauth_user']['ocs']['data']['id']
-        auth_state = authentication['auth_state']
-        auth_state['token_expires'] =  time.time() + auth_state['token_response']['expires_in']
-        authentication['auth_state'] = auth_state
-        return authentication
-
-      class NextcloudOAuthenticator(GenericOAuthenticator):
-        def __init__(self, *args, **kwargs):
-          super().__init__(*args, **kwargs)
-          self.user_dict = {}
-
-        async def pre_spawn_start(self, user, spawner):
-          super().pre_spawn_start(user, spawner)
-          auth_state = await user.get_auth_state()
-          if not auth_state:
-            return
-          access_token = auth_state['access_token']
-          spawner.environment['NEXTCLOUD_ACCESS_TOKEN'] = access_token
-
-        async def refresh_user(self, user, handler=None):
-          auth_state = await user.get_auth_state()
-          if not auth_state:
-            if debug:
-              print(f'auth_state missing for {user}')
-            return False
-          access_token = auth_state['access_token']
-          refresh_token = auth_state['refresh_token']
-          token_response = auth_state['token_response']
-          now = time.time()
-          now_hr = datetime.fromtimestamp(now)
-          expires = auth_state['token_expires']
-          expires_hr = datetime.fromtimestamp(expires)
-          expires = 0
-          if debug:
-            print(f'auth_state for {user}: {auth_state}')
-          if now >= expires:
-            if debug:
-              print(f'Time is: {now_hr}, token expired: {expires_hr}')
-              print(f'Refreshing token for {user}')
-            try:
-              token_response = get_nextcloud_access_token(refresh_token)
-              auth_state['access_token'] = token_response['access_token']
-              auth_state['refresh_token'] = token_response['refresh_token']
-              auth_state['token_expires'] = now + token_response['expires_in']
-              auth_state['token_response'] = token_response
-              if debug:
-                print(f'Successfully refreshed token for {user.name}')
-                print(f'auth_state for {user.name}: {auth_state}')
-              return {'name': user.name, 'auth_state': auth_state}
-            except Exception as e:
-              if debug:
-                print(f'Failed to refresh token for {user}')
-              return False
-            return False
-          if debug:
-            print(f'Time is: {now_hr}, token expires: {expires_hr}')
-          return True
-
-      c.JupyterHub.authenticator_class = NextcloudOAuthenticator
-      c.NextcloudOAuthenticator.client_id = os.environ['NEXTCLOUD_CLIENT_ID']
-      c.NextcloudOAuthenticator.client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
-      c.NextcloudOAuthenticator.login_service = 'Sunet Drive'
-      c.NextcloudOAuthenticator.username_claim = lambda r: r.get('ocs', {}).get('data', {}).get('id')
-      c.NextcloudOAuthenticator.userdata_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/ocs/v2.php/cloud/user?format=json'
-      c.NextcloudOAuthenticator.authorize_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
-      c.NextcloudOAuthenticator.token_url = token_url
-      c.NextcloudOAuthenticator.oauth_callback_url = 'https://' + os.environ['JUPYTER_HOST'] + '/hub/oauth_callback'
-      c.NextcloudOAuthenticator.allow_all = True
-      c.NextcloudOAuthenticator.refresh_pre_spawn = True
-      c.NextcloudOAuthenticator.enable_auth_state = True
-      c.NextcloudOAuthenticator.auth_refresh_age = 3600
-      c.NextcloudOAuthenticator.post_auth_hook = post_auth_hook
-
-    serviceCode: |
-      import sys
-      c.JupyterHub.load_roles = [
-          {
-              "name": "refresh-token",
-              "services": [
-                "refresh-token"
-              ],
-              "scopes": [
-                "read:users",
-                "admin:auth_state"
-              ]
-          },
-          {
-              "name": "user",
-              "scopes": [
-                "access:services!service=refresh-token",
-                "read:services!service=refresh-token",
-                "self",
-              ],
-          },
-          {
-              "name": "server",
-              "scopes": [
-                "access:services!service=refresh-token",
-                "read:services!service=refresh-token",
-                "inherit",
-              ],
-          }
-      ]
-      c.JupyterHub.services = [
-          {
-              'name': 'refresh-token',
-              'url': 'http://' + os.environ.get('HUB_SERVICE_HOST', 'hub') + ':' + os.environ.get('HUB_SERVICE_PORT_REFRESH_TOKEN', '8082'),
-              'display': False,
-              'oauth_no_confirm': True,
-              'api_token': os.environ['JUPYTERHUB_API_KEY'],
-              'command': [sys.executable, '/usr/local/etc/jupyterhub/refresh-token.py']
-          }
-      ]
-      c.JupyterHub.admin_users = {"refresh-token"}
-      c.JupyterHub.api_tokens = {
-          os.environ['JUPYTERHUB_API_KEY']: "refresh-token",
-      }
-  extraFiles:
-    refresh-token.py: 
-      mountPath: /usr/local/etc/jupyterhub/refresh-token.py
-      stringData: |
-        """A token refresh service authenticating with the Hub.
-
-        This service serves `/services/refresh-token/`,
-        authenticated with the Hub,
-        showing the user their own info.
-        """
-        import json
-        import os
-        import requests
-        import socket
-        from jupyterhub.services.auth import HubAuthenticated
-        from jupyterhub.utils import url_path_join
-        from tornado.httpserver import HTTPServer
-        from tornado.ioloop import IOLoop
-        from tornado.web import Application, HTTPError, RequestHandler, authenticated
-        from urllib.parse import urlparse
-        debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
-        def my_debug(s):
-          if debug:
-            with open("/proc/1/fd/1", "a") as stdout:
-              print(s, file=stdout)
-
-
-        class RefreshHandler(HubAuthenticated, RequestHandler):
-            def api_request(self, method, url, **kwargs):
-                my_debug(f'{self.hub_auth}')
-                url = url_path_join(self.hub_auth.api_url, url)
-                allow_404 = kwargs.pop('allow_404', False)
-                headers = kwargs.setdefault('headers', {})
-                headers.setdefault('Authorization', f'token {self.hub_auth.api_token}')
-                try:
-                    r = requests.request(method, url, **kwargs)
-                except requests.ConnectionError as e:
-                    my_debug(f'Error connecting to {url}: {e}')
-                    msg = f'Failed to connect to Hub API at {url}.'
-                    msg += f'  Is the Hub accessible at this URL (from host: {socket.gethostname()})?'
-
-                    if '127.0.0.1' in url:
-                        msg += '  Make sure to set c.JupyterHub.hub_ip to an IP accessible to' + \
-                               ' single-user servers if the servers are not on the same host as the Hub.'
-                    raise HTTPError(500, msg)
-
-                data = None
-                if r.status_code == 404 and allow_404:
-                    pass
-                elif r.status_code == 403:
-                    my_debug(
-                        'Lacking permission to check authorization with JupyterHub,' + 
-                        f' my auth token may have expired: [{r.status_code}] {r.reason}'
-                    )
-                    my_debug(r.text)
-                    raise HTTPError(
-                        500,
-                        'Permission failure checking authorization, I may need a new token'
-                    )
-                elif r.status_code >= 500:
-                    my_debug(f'Upstream failure verifying auth token: [{r.status_code}] {r.reason}')
-                    my_debug(r.text)
-                    raise HTTPError(
-                        502, 'Failed to check authorization (upstream problem)')
-                elif r.status_code >= 400:
-                    my_debug(f'Failed to check authorization: [{r.status_code}] {r.reason}')
-                    my_debug(r.text)
-                    raise HTTPError(500, 'Failed to check authorization')
-                else:
-                    data = r.json()
-                return data
-
-            @authenticated
-            def get(self):
-                user_model = self.get_current_user()
-                # Fetch current auth state
-                user_data = self.api_request('GET', url_path_join('users', user_model['name']))
-                auth_state = user_data['auth_state']
-                access_token = auth_state['access_token']
-                token_expires = auth_state['token_expires']
-
-                self.set_header('content-type', 'application/json')
-                self.write(json.dumps({'access_token': access_token, 'token_expires': token_expires}, indent=1, sort_keys=True))
-
-        class PingHandler(RequestHandler):
-
-            def get(self):
-                my_debug(f"DEBUG: In ping get")
-                self.set_header('content-type', 'application/json')
-                self.write(json.dumps({'ping': 1}))
-
-
-        def main():
-            app = Application([
-                (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + 'tokens', RefreshHandler),
-                (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + '/?', PingHandler),
-            ])
-
-            http_server = HTTPServer(app)
-            url = urlparse(os.environ['JUPYTERHUB_SERVICE_URL'])
-
-            http_server.listen(url.port)
-
-            IOLoop.current().start()
-
-        if __name__ == '__main__':
-            main()
-  networkPolicy:
-    ingress:
-      - ports:
-          - port: 8082
-        from:
-          - podSelector:
-              matchLabels:
-                hub.jupyter.org/network-access-hub: "true"
-  service:
-    extraPorts:
-      - port: 8082
-        targetPort: 8082
-        name: refresh-token
-  extraEnv:
-    NEXTCLOUD_DEBUG_OAUTH: "no"
-    NEXTCLOUD_HOST: vr.drive.sunet.se
-    JUPYTER_HOST: vr-jupyter.drive.sunet.se
-    JUPYTERHUB_API_KEY:
-      valueFrom:
-        secretKeyRef:
-          name: jupyterhub-secrets
-          key: api-key
-    JUPYTERHUB_CRYPT_KEY:
-      valueFrom:
-        secretKeyRef:
-          name: jupyterhub-secrets
-          key: crypt-key
-    NEXTCLOUD_CLIENT_ID:
-      valueFrom:
-        secretKeyRef:
-          name: nextcloud-oauth-secrets
-          key: client-id
-    NEXTCLOUD_CLIENT_SECRET:
-      valueFrom:
-        secretKeyRef:
-          name: nextcloud-oauth-secrets
-          key: client-secret
-proxy:
-  chp:
-    networkPolicy:
-      egress:
-        - to:
-            - podSelector:
-                matchLabels:
-                  app: jupyterhub
-                  component: hub
-          ports:
-            - port: 8082
-singleuser:
-  image:
-    name: docker.sunet.se/drive/jupyter-custom
-    tag: lab-4.0.10-sunet4
-  storage:
-    dynamic:
-      storageClass: csi-sc-cinderplugin
-  extraEnv:
-    JUPYTER_ENABLE_LAB: "yes"
-    JUPYTER_HOST: vr-jupyter.drive.sunet.se
-    NEXTCLOUD_HOST: vr.drive.sunet.se
-  extraFiles:
-    jupyter_notebook_config:
-      mountPath: /home/jovyan/.jupyter/jupyter_server_config.py
-      stringData: |
-        import os
-        c = get_config()
-        c.NotebookApp.allow_origin = '*'
-        c.NotebookApp.tornado_settings = {
-            'headers': { 'Content-Security-Policy': "frame-ancestors *;" }
-        }
-        os.system('/usr/local/bin/nc-sync')
-      mode: 0644

jupyter/overlays/prod/sunet/jupyterhub-ingress.yml

@@ -1,33 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: jupyterhub-ingress
-  annotations:
-    kubernetes.io/ingress.class: nginx
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  ingressClassName: nginx
-  defaultBackend:
-    service:
-      name: proxy-public
-      port:
-        number: 80
-  tls:
-    - hosts:
-        - sunet-jupyter.drive.sunet.se 
-        - sunet-kube.drive.sunet.se 
-      secretName: tls-secret
-  
-  rules:
-  - host: sunet-jupyter.drive.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend: 
-          service:
-            name: proxy-public
-            port:
-              number: 80

jupyter/overlays/prod/sunet/jupyterhub-service.yml

@@ -1,24 +0,0 @@
----
-apiVersion: v1
-items:
-- apiVersion: v1
-  kind: Service
-  metadata:
-    labels:
-      app: jupyterhub-node
-    name: jupyterhub-node
-  spec:
-    ports:
-    - port: 8080
-      protocol: TCP
-      targetPort: 8080
-    selector:
-      app: jupyterhub-node
-    sessionAffinity: None
-    type: ClusterIP
-  status:
-    loadBalancer: {}
-kind: List
-metadata:
-  resourceVersion: ""
-  selfLink: ""

jupyter/overlays/prod/sunet/kustomization.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources: [../../../base/]
-helmCharts:
-  - includeCRDs: true
-    name: jupyterhub
-    releaseName: sunet-jupyterhub
-    valuesFile: ./values/values.yaml
-    version: 3.2.1
-    namespace: sunet-jupyterhub
-helmGlobals:
-  chartHome: ../../../base/charts/
-patches:
-  - path: jupyterhub-ingress.yml
-  - path: jupyterhub-service.yml

jupyter/overlays/prod/sunet/values/values.yaml

@@ -1,337 +0,0 @@
-debug:
-  enabled: true
-hub:
-  config:
-    Authenticator:
-      auto_login: true
-      enable_auth_state: true
-    JupyterHub:
-      tornado_settings:
-        headers: { 'Content-Security-Policy': "frame-ancestors *;" }
-  db:
-    pvc:
-      storageClassName: csi-sc-cinderplugin
-  extraConfig:
-    oauthCode: |
-      import time
-      import requests
-      from datetime import datetime
-      from oauthenticator.generic import GenericOAuthenticator
-      token_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'
-      debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
-
-      def get_nextcloud_access_token(refresh_token):
-        client_id = os.environ['NEXTCLOUD_CLIENT_ID']
-        client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
-
-        code = refresh_token
-        data = {
-          'grant_type': 'refresh_token',
-          'code': code,
-          'refresh_token': refresh_token,
-          'client_id': client_id,
-          'client_secret': client_secret
-        }
-        response = requests.post(token_url, data=data)
-        if debug:
-          print(response.text)
-        return response.json()
-
-      def post_auth_hook(authenticator, handler, authentication):
-        user = authentication['auth_state']['oauth_user']['ocs']['data']['id']
-        auth_state = authentication['auth_state']
-        auth_state['token_expires'] =  time.time() + auth_state['token_response']['expires_in']
-        authentication['auth_state'] = auth_state
-        return authentication
-
-      class NextcloudOAuthenticator(GenericOAuthenticator):
-        def __init__(self, *args, **kwargs):
-          super().__init__(*args, **kwargs)
-          self.user_dict = {}
-
-        async def pre_spawn_start(self, user, spawner):
-          super().pre_spawn_start(user, spawner)
-          auth_state = await user.get_auth_state()
-          if not auth_state:
-            return
-          access_token = auth_state['access_token']
-          spawner.environment['NEXTCLOUD_ACCESS_TOKEN'] = access_token
-
-        async def refresh_user(self, user, handler=None):
-          auth_state = await user.get_auth_state()
-          if not auth_state:
-            if debug:
-              print(f'auth_state missing for {user}')
-            return False
-          access_token = auth_state['access_token']
-          refresh_token = auth_state['refresh_token']
-          token_response = auth_state['token_response']
-          now = time.time()
-          now_hr = datetime.fromtimestamp(now)
-          expires = auth_state['token_expires']
-          expires_hr = datetime.fromtimestamp(expires)
-          expires = 0
-          if debug:
-            print(f'auth_state for {user}: {auth_state}')
-          if now >= expires:
-            if debug:
-              print(f'Time is: {now_hr}, token expired: {expires_hr}')
-              print(f'Refreshing token for {user}')
-            try:
-              token_response = get_nextcloud_access_token(refresh_token)
-              auth_state['access_token'] = token_response['access_token']
-              auth_state['refresh_token'] = token_response['refresh_token']
-              auth_state['token_expires'] = now + token_response['expires_in']
-              auth_state['token_response'] = token_response
-              if debug:
-                print(f'Successfully refreshed token for {user.name}')
-                print(f'auth_state for {user.name}: {auth_state}')
-              return {'name': user.name, 'auth_state': auth_state}
-            except Exception as e:
-              if debug:
-                print(f'Failed to refresh token for {user}')
-              return False
-            return False
-          if debug:
-            print(f'Time is: {now_hr}, token expires: {expires_hr}')
-          return True
-
-      c.JupyterHub.authenticator_class = NextcloudOAuthenticator
-      c.NextcloudOAuthenticator.client_id = os.environ['NEXTCLOUD_CLIENT_ID']
-      c.NextcloudOAuthenticator.client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
-      c.NextcloudOAuthenticator.login_service = 'Sunet Drive'
-      c.NextcloudOAuthenticator.username_claim = lambda r: r.get('ocs', {}).get('data', {}).get('id')
-      c.NextcloudOAuthenticator.userdata_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/ocs/v2.php/cloud/user?format=json'
-      c.NextcloudOAuthenticator.authorize_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
-      c.NextcloudOAuthenticator.token_url = token_url
-      c.NextcloudOAuthenticator.oauth_callback_url = 'https://' + os.environ['JUPYTER_HOST'] + '/hub/oauth_callback'
-      c.NextcloudOAuthenticator.allow_all = True
-      c.NextcloudOAuthenticator.refresh_pre_spawn = True
-      c.NextcloudOAuthenticator.enable_auth_state = True
-      c.NextcloudOAuthenticator.auth_refresh_age = 3600
-      c.NextcloudOAuthenticator.post_auth_hook = post_auth_hook
-
-    serviceCode: |
-      import sys
-      c.JupyterHub.load_roles = [
-          {
-              "name": "refresh-token",
-              "services": [
-                "refresh-token"
-              ],
-              "scopes": [
-                "read:users",
-                "admin:auth_state"
-              ]
-          },
-          {
-              "name": "user",
-              "scopes": [
-                "access:services!service=refresh-token",
-                "read:services!service=refresh-token",
-                "self",
-              ],
-          },
-          {
-              "name": "server",
-              "scopes": [
-                "access:services!service=refresh-token",
-                "read:services!service=refresh-token",
-                "inherit",
-              ],
-          }
-      ]
-      c.JupyterHub.services = [
-          {
-              'name': 'refresh-token',
-              'url': 'http://' + os.environ.get('HUB_SERVICE_HOST', 'hub') + ':' + os.environ.get('HUB_SERVICE_PORT_REFRESH_TOKEN', '8082'),
-              'display': False,
-              'oauth_no_confirm': True,
-              'api_token': os.environ['JUPYTERHUB_API_KEY'],
-              'command': [sys.executable, '/usr/local/etc/jupyterhub/refresh-token.py']
-          }
-      ]
-      c.JupyterHub.admin_users = {"refresh-token"}
-      c.JupyterHub.api_tokens = {
-          os.environ['JUPYTERHUB_API_KEY']: "refresh-token",
-      }
-  extraFiles:
-    refresh-token.py: 
-      mountPath: /usr/local/etc/jupyterhub/refresh-token.py
-      stringData: |
-        """A token refresh service authenticating with the Hub.
-
-        This service serves `/services/refresh-token/`,
-        authenticated with the Hub,
-        showing the user their own info.
-        """
-        import json
-        import os
-        import requests
-        import socket
-        from jupyterhub.services.auth import HubAuthenticated
-        from jupyterhub.utils import url_path_join
-        from tornado.httpserver import HTTPServer
-        from tornado.ioloop import IOLoop
-        from tornado.web import Application, HTTPError, RequestHandler, authenticated
-        from urllib.parse import urlparse
-        debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
-        def my_debug(s):
-          if debug:
-            with open("/proc/1/fd/1", "a") as stdout:
-              print(s, file=stdout)
-
-
-        class RefreshHandler(HubAuthenticated, RequestHandler):
-            def api_request(self, method, url, **kwargs):
-                my_debug(f'{self.hub_auth}')
-                url = url_path_join(self.hub_auth.api_url, url)
-                allow_404 = kwargs.pop('allow_404', False)
-                headers = kwargs.setdefault('headers', {})
-                headers.setdefault('Authorization', f'token {self.hub_auth.api_token}')
-                try:
-                    r = requests.request(method, url, **kwargs)
-                except requests.ConnectionError as e:
-                    my_debug(f'Error connecting to {url}: {e}')
-                    msg = f'Failed to connect to Hub API at {url}.'
-                    msg += f'  Is the Hub accessible at this URL (from host: {socket.gethostname()})?'
-
-                    if '127.0.0.1' in url:
-                        msg += '  Make sure to set c.JupyterHub.hub_ip to an IP accessible to' + \
-                               ' single-user servers if the servers are not on the same host as the Hub.'
-                    raise HTTPError(500, msg)
-
-                data = None
-                if r.status_code == 404 and allow_404:
-                    pass
-                elif r.status_code == 403:
-                    my_debug(
-                        'Lacking permission to check authorization with JupyterHub,' + 
-                        f' my auth token may have expired: [{r.status_code}] {r.reason}'
-                    )
-                    my_debug(r.text)
-                    raise HTTPError(
-                        500,
-                        'Permission failure checking authorization, I may need a new token'
-                    )
-                elif r.status_code >= 500:
-                    my_debug(f'Upstream failure verifying auth token: [{r.status_code}] {r.reason}')
-                    my_debug(r.text)
-                    raise HTTPError(
-                        502, 'Failed to check authorization (upstream problem)')
-                elif r.status_code >= 400:
-                    my_debug(f'Failed to check authorization: [{r.status_code}] {r.reason}')
-                    my_debug(r.text)
-                    raise HTTPError(500, 'Failed to check authorization')
-                else:
-                    data = r.json()
-                return data
-
-            @authenticated
-            def get(self):
-                user_model = self.get_current_user()
-                # Fetch current auth state
-                user_data = self.api_request('GET', url_path_join('users', user_model['name']))
-                auth_state = user_data['auth_state']
-                access_token = auth_state['access_token']
-                token_expires = auth_state['token_expires']
-
-                self.set_header('content-type', 'application/json')
-                self.write(json.dumps({'access_token': access_token, 'token_expires': token_expires}, indent=1, sort_keys=True))
-
-        class PingHandler(RequestHandler):
-
-            def get(self):
-                my_debug(f"DEBUG: In ping get")
-                self.set_header('content-type', 'application/json')
-                self.write(json.dumps({'ping': 1}))
-
-
-        def main():
-            app = Application([
-                (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + 'tokens', RefreshHandler),
-                (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + '/?', PingHandler),
-            ])
-
-            http_server = HTTPServer(app)
-            url = urlparse(os.environ['JUPYTERHUB_SERVICE_URL'])
-
-            http_server.listen(url.port)
-
-            IOLoop.current().start()
-
-        if __name__ == '__main__':
-            main()
-  networkPolicy:
-    ingress:
-      - ports:
-          - port: 8082
-        from:
-          - podSelector:
-              matchLabels:
-                hub.jupyter.org/network-access-hub: "true"
-  service:
-    extraPorts:
-      - port: 8082
-        targetPort: 8082
-        name: refresh-token
-  extraEnv:
-    NEXTCLOUD_DEBUG_OAUTH: "no"
-    NEXTCLOUD_HOST: sunet.drive.sunet.se
-    JUPYTER_HOST: sunet-jupyter.drive.sunet.se
-    JUPYTERHUB_API_KEY:
-      valueFrom:
-        secretKeyRef:
-          name: jupyterhub-secrets
-          key: api-key
-    JUPYTERHUB_CRYPT_KEY:
-      valueFrom:
-        secretKeyRef:
-          name: jupyterhub-secrets
-          key: crypt-key
-    NEXTCLOUD_CLIENT_ID:
-      valueFrom:
-        secretKeyRef:
-          name: nextcloud-oauth-secrets
-          key: client-id
-    NEXTCLOUD_CLIENT_SECRET:
-      valueFrom:
-        secretKeyRef:
-          name: nextcloud-oauth-secrets
-          key: client-secret
-    networkPolicy:
-      enabled: false
-proxy:
-  chp:
-    networkPolicy:
-      egress:
-        - to:
-            - podSelector:
-                matchLabels:
-                  app: jupyterhub
-                  component: hub
-          ports:
-            - port: 8082
-singleuser:
-  image:
-    name: docker.sunet.se/drive/jupyter-custom
-    tag: lab-4.0.10-sunet5
-  storage:
-    dynamic:
-      storageClass: csi-sc-cinderplugin
-  extraEnv:
-    JUPYTER_ENABLE_LAB: "yes"
-    JUPYTER_HOST: sunet-jupyter.drive.sunet.se
-    NEXTCLOUD_HOST: sunet.drive.sunet.se
-  extraFiles:
-    jupyter_notebook_config:
-      mountPath: /home/jovyan/.jupyter/jupyter_server_config.py
-      stringData: |
-        import os
-        c = get_config()
-        c.NotebookApp.allow_origin = '*'
-        c.NotebookApp.tornado_settings = {
-            'headers': { 'Content-Security-Policy': "frame-ancestors *;" }
-        }
-        os.system('/usr/local/bin/nc-sync')
-      mode: 0644

jupyter/overlays/prod/vr/jupyterhub-ingress.yml

@@ -1,30 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: jupyterhub-ingress
-  annotations:
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  defaultBackend:
-    service:
-      name: proxy-public
-      port:
-        number: 8443
-  tls:
-    - hosts:
-        - vr-jupyter.drive.sunet.se 
-      secretName: tls-secret
-  ingressClassName: nginx
-  rules:
-  - host: vr-jupyter.drive.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend: 
-          service:
-            name: proxy-public
-            port:
-              number: 80

jupyter/overlays/prod/vr/jupyterhub-service.yml

@@ -1,25 +0,0 @@
----
-apiVersion: v1
-items:
-- apiVersion: v1
-  kind: Service
-  metadata:
-    labels:
-      app: jupyterhub-node
-    name: jupyterhub-node
-  spec:
-    ports:
-    - port: 8080
-      protocol: TCP
-      targetPort: 8080
-    selector:
-      app: jupyterhub-node
-    sessionAffinity: None
-    type: ClusterIP
-  status:
-    loadBalancer: {}
-kind: List
-metadata:
-  resourceVersion: ""
-  selfLink: ""
-

jupyter/overlays/prod/vr/kustomization.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources: [../../../base/]
-helmCharts:
-  - includeCRDs: true
-    name: jupyterhub
-    releaseName: vr-jupyterhub
-    valuesFile: ./values/values.yaml
-    version: 3.2.1
-    namespace: vr-jupyterhub
-helmGlobals:
-  chartHome: ../../../base/charts/
-patches:
-  - path: jupyterhub-ingress.yml
-  - path: jupyterhub-service.yml

jupyter/overlays/prod/vr/values/values.yaml

@@ -1,337 +0,0 @@
-debug:
-  enabled: true
-hub:
-  config:
-    Authenticator:
-      auto_login: true
-      enable_auth_state: true
-    JupyterHub:
-      tornado_settings:
-        headers: { 'Content-Security-Policy': "frame-ancestors *;" }
-  db:
-    pvc:
-      storageClassName: csi-sc-cinderplugin
-  extraConfig:
-    oauthCode: |
-      import time
-      import requests
-      from datetime import datetime
-      from oauthenticator.generic import GenericOAuthenticator
-      token_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'
-      debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
-
-      def get_nextcloud_access_token(refresh_token):
-        client_id = os.environ['NEXTCLOUD_CLIENT_ID']
-        client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
-
-        code = refresh_token
-        data = {
-          'grant_type': 'refresh_token',
-          'code': code,
-          'refresh_token': refresh_token,
-          'client_id': client_id,
-          'client_secret': client_secret
-        }
-        response = requests.post(token_url, data=data)
-        if debug:
-          print(response.text)
-        return response.json()
-
-      def post_auth_hook(authenticator, handler, authentication):
-        user = authentication['auth_state']['oauth_user']['ocs']['data']['id']
-        auth_state = authentication['auth_state']
-        auth_state['token_expires'] =  time.time() + auth_state['token_response']['expires_in']
-        authentication['auth_state'] = auth_state
-        return authentication
-
-      class NextcloudOAuthenticator(GenericOAuthenticator):
-        def __init__(self, *args, **kwargs):
-          super().__init__(*args, **kwargs)
-          self.user_dict = {}
-
-        async def pre_spawn_start(self, user, spawner):
-          super().pre_spawn_start(user, spawner)
-          auth_state = await user.get_auth_state()
-          if not auth_state:
-            return
-          access_token = auth_state['access_token']
-          spawner.environment['NEXTCLOUD_ACCESS_TOKEN'] = access_token
-
-        async def refresh_user(self, user, handler=None):
-          auth_state = await user.get_auth_state()
-          if not auth_state:
-            if debug:
-              print(f'auth_state missing for {user}')
-            return False
-          access_token = auth_state['access_token']
-          refresh_token = auth_state['refresh_token']
-          token_response = auth_state['token_response']
-          now = time.time()
-          now_hr = datetime.fromtimestamp(now)
-          expires = auth_state['token_expires']
-          expires_hr = datetime.fromtimestamp(expires)
-          expires = 0
-          if debug:
-            print(f'auth_state for {user}: {auth_state}')
-          if now >= expires:
-            if debug:
-              print(f'Time is: {now_hr}, token expired: {expires_hr}')
-              print(f'Refreshing token for {user}')
-            try:
-              token_response = get_nextcloud_access_token(refresh_token)
-              auth_state['access_token'] = token_response['access_token']
-              auth_state['refresh_token'] = token_response['refresh_token']
-              auth_state['token_expires'] = now + token_response['expires_in']
-              auth_state['token_response'] = token_response
-              if debug:
-                print(f'Successfully refreshed token for {user.name}')
-                print(f'auth_state for {user.name}: {auth_state}')
-              return {'name': user.name, 'auth_state': auth_state}
-            except Exception as e:
-              if debug:
-                print(f'Failed to refresh token for {user}')
-              return False
-            return False
-          if debug:
-            print(f'Time is: {now_hr}, token expires: {expires_hr}')
-          return True
-
-      c.JupyterHub.authenticator_class = NextcloudOAuthenticator
-      c.NextcloudOAuthenticator.client_id = os.environ['NEXTCLOUD_CLIENT_ID']
-      c.NextcloudOAuthenticator.client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
-      c.NextcloudOAuthenticator.login_service = 'Sunet Drive'
-      c.NextcloudOAuthenticator.username_claim = lambda r: r.get('ocs', {}).get('data', {}).get('id')
-      c.NextcloudOAuthenticator.userdata_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/ocs/v2.php/cloud/user?format=json'
-      c.NextcloudOAuthenticator.authorize_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
-      c.NextcloudOAuthenticator.token_url = token_url
-      c.NextcloudOAuthenticator.oauth_callback_url = 'https://' + os.environ['JUPYTER_HOST'] + '/hub/oauth_callback'
-      c.NextcloudOAuthenticator.allow_all = True
-      c.NextcloudOAuthenticator.refresh_pre_spawn = True
-      c.NextcloudOAuthenticator.enable_auth_state = True
-      c.NextcloudOAuthenticator.auth_refresh_age = 3600
-      c.NextcloudOAuthenticator.post_auth_hook = post_auth_hook
-
-    serviceCode: |
-      import sys
-      c.JupyterHub.load_roles = [
-          {
-              "name": "refresh-token",
-              "services": [
-                "refresh-token"
-              ],
-              "scopes": [
-                "read:users",
-                "admin:auth_state"
-              ]
-          },
-          {
-              "name": "user",
-              "scopes": [
-                "access:services!service=refresh-token",
-                "read:services!service=refresh-token",
-                "self",
-              ],
-          },
-          {
-              "name": "server",
-              "scopes": [
-                "access:services!service=refresh-token",
-                "read:services!service=refresh-token",
-                "inherit",
-              ],
-          }
-      ]
-      c.JupyterHub.services = [
-          {
-              'name': 'refresh-token',
-              'url': 'http://' + os.environ.get('HUB_SERVICE_HOST', 'hub') + ':' + os.environ.get('HUB_SERVICE_PORT_REFRESH_TOKEN', '8082'),
-              'display': False,
-              'oauth_no_confirm': True,
-              'api_token': os.environ['JUPYTERHUB_API_KEY'],
-              'command': [sys.executable, '/usr/local/etc/jupyterhub/refresh-token.py']
-          }
-      ]
-      c.JupyterHub.admin_users = {"refresh-token"}
-      c.JupyterHub.api_tokens = {
-          os.environ['JUPYTERHUB_API_KEY']: "refresh-token",
-      }
-  extraFiles:
-    refresh-token.py: 
-      mountPath: /usr/local/etc/jupyterhub/refresh-token.py
-      stringData: |
-        """A token refresh service authenticating with the Hub.
-
-        This service serves `/services/refresh-token/`,
-        authenticated with the Hub,
-        showing the user their own info.
-        """
-        import json
-        import os
-        import requests
-        import socket
-        from jupyterhub.services.auth import HubAuthenticated
-        from jupyterhub.utils import url_path_join
-        from tornado.httpserver import HTTPServer
-        from tornado.ioloop import IOLoop
-        from tornado.web import Application, HTTPError, RequestHandler, authenticated
-        from urllib.parse import urlparse
-        debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
-        def my_debug(s):
-          if debug:
-            with open("/proc/1/fd/1", "a") as stdout:
-              print(s, file=stdout)
-
-
-        class RefreshHandler(HubAuthenticated, RequestHandler):
-            def api_request(self, method, url, **kwargs):
-                my_debug(f'{self.hub_auth}')
-                url = url_path_join(self.hub_auth.api_url, url)
-                allow_404 = kwargs.pop('allow_404', False)
-                headers = kwargs.setdefault('headers', {})
-                headers.setdefault('Authorization', f'token {self.hub_auth.api_token}')
-                try:
-                    r = requests.request(method, url, **kwargs)
-                except requests.ConnectionError as e:
-                    my_debug(f'Error connecting to {url}: {e}')
-                    msg = f'Failed to connect to Hub API at {url}.'
-                    msg += f'  Is the Hub accessible at this URL (from host: {socket.gethostname()})?'
-
-                    if '127.0.0.1' in url:
-                        msg += '  Make sure to set c.JupyterHub.hub_ip to an IP accessible to' + \
-                               ' single-user servers if the servers are not on the same host as the Hub.'
-                    raise HTTPError(500, msg)
-
-                data = None
-                if r.status_code == 404 and allow_404:
-                    pass
-                elif r.status_code == 403:
-                    my_debug(
-                        'Lacking permission to check authorization with JupyterHub,' + 
-                        f' my auth token may have expired: [{r.status_code}] {r.reason}'
-                    )
-                    my_debug(r.text)
-                    raise HTTPError(
-                        500,
-                        'Permission failure checking authorization, I may need a new token'
-                    )
-                elif r.status_code >= 500:
-                    my_debug(f'Upstream failure verifying auth token: [{r.status_code}] {r.reason}')
-                    my_debug(r.text)
-                    raise HTTPError(
-                        502, 'Failed to check authorization (upstream problem)')
-                elif r.status_code >= 400:
-                    my_debug(f'Failed to check authorization: [{r.status_code}] {r.reason}')
-                    my_debug(r.text)
-                    raise HTTPError(500, 'Failed to check authorization')
-                else:
-                    data = r.json()
-                return data
-
-            @authenticated
-            def get(self):
-                user_model = self.get_current_user()
-                # Fetch current auth state
-                user_data = self.api_request('GET', url_path_join('users', user_model['name']))
-                auth_state = user_data['auth_state']
-                access_token = auth_state['access_token']
-                token_expires = auth_state['token_expires']
-
-                self.set_header('content-type', 'application/json')
-                self.write(json.dumps({'access_token': access_token, 'token_expires': token_expires}, indent=1, sort_keys=True))
-
-        class PingHandler(RequestHandler):
-
-            def get(self):
-                my_debug(f"DEBUG: In ping get")
-                self.set_header('content-type', 'application/json')
-                self.write(json.dumps({'ping': 1}))
-
-
-        def main():
-            app = Application([
-                (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + 'tokens', RefreshHandler),
-                (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + '/?', PingHandler),
-            ])
-
-            http_server = HTTPServer(app)
-            url = urlparse(os.environ['JUPYTERHUB_SERVICE_URL'])
-
-            http_server.listen(url.port)
-
-            IOLoop.current().start()
-
-        if __name__ == '__main__':
-            main()
-  networkPolicy:
-    ingress:
-      - ports:
-          - port: 8082
-        from:
-          - podSelector:
-              matchLabels:
-                hub.jupyter.org/network-access-hub: "true"
-  service:
-    extraPorts:
-      - port: 8082
-        targetPort: 8082
-        name: refresh-token
-  extraEnv:
-    NEXTCLOUD_DEBUG_OAUTH: "no"
-    NEXTCLOUD_HOST: vr.drive.sunet.se
-    JUPYTER_HOST: vr-jupyter.drive.sunet.se
-    JUPYTERHUB_API_KEY:
-      valueFrom:
-        secretKeyRef:
-          name: jupyterhub-secrets
-          key: api-key
-    JUPYTERHUB_CRYPT_KEY:
-      valueFrom:
-        secretKeyRef:
-          name: jupyterhub-secrets
-          key: crypt-key
-    NEXTCLOUD_CLIENT_ID:
-      valueFrom:
-        secretKeyRef:
-          name: nextcloud-oauth-secrets
-          key: client-id
-    NEXTCLOUD_CLIENT_SECRET:
-      valueFrom:
-        secretKeyRef:
-          name: nextcloud-oauth-secrets
-          key: client-secret
-    networkPolicy:
-      enabled: false
-proxy:
-  chp:
-    networkPolicy:
-      egress:
-        - to:
-            - podSelector:
-                matchLabels:
-                  app: jupyterhub
-                  component: hub
-          ports:
-            - port: 8082
-singleuser:
-  image:
-    name: docker.sunet.se/drive/jupyter-custom
-    tag: lab-4.0.10-sunet4
-  storage:
-    dynamic:
-      storageClass: csi-sc-cinderplugin
-  extraEnv:
-    JUPYTER_ENABLE_LAB: "yes"
-    JUPYTER_HOST: vr-jupyter.drive.sunet.se
-    NEXTCLOUD_HOST: vr.drive.sunet.se
-  extraFiles:
-    jupyter_notebook_config:
-      mountPath: /home/jovyan/.jupyter/jupyter_server_config.py
-      stringData: |
-        import os
-        c = get_config()
-        c.NotebookApp.allow_origin = '*'
-        c.NotebookApp.tornado_settings = {
-            'headers': { 'Content-Security-Policy': "frame-ancestors *;" }
-        }
-        os.system('/usr/local/bin/nc-sync')
-      mode: 0644

jupyter/overlays/test/sunet/jupyterhub-ingress.yml

@@ -4,20 +4,18 @@ kind: Ingress
 metadata:
   name: jupyterhub-ingress
   annotations:
-    kubernetes.io/ingress.class: nginx
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
-  ingressClassName: nginx
   defaultBackend:
     service:
       name: proxy-public
       port:
-        number: 80
+        number: 8443
   tls:
     - hosts:
         - sunet-jupyter.drive.test.sunet.se 
-        - sunet-kube.drive.test.sunet.se 
       secretName: tls-secret
   
   rules:

jupyter/overlays/test/sunet/values/values.yaml

@@ -19,12 +19,10 @@ hub:
       from oauthenticator.generic import GenericOAuthenticator
       token_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'
       debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
-      os.environ['OAUTH2_TOKEN_URL'] = token_url 
-      os.environ['OAUTH2_AUTHORIZE_URL'] = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
 
       def get_nextcloud_access_token(refresh_token):
-        client_id = os.environ['OAUTH2_CLIENT_ID']
-        client_secret = os.environ['OAUTH2_CLIENT_SECRET']
+        client_id = os.environ['NEXTCLOUD_CLIENT_ID']
+        client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
 
         code = refresh_token
         data = {
@@ -99,12 +97,12 @@ hub:
           return True
 
       c.JupyterHub.authenticator_class = NextcloudOAuthenticator
-      c.NextcloudOAuthenticator.client_id = os.environ['OAUTH2_CLIENT_ID']
-      c.NextcloudOAuthenticator.client_secret = os.environ['OAUTH2_CLIENT_SECRET']
+      c.NextcloudOAuthenticator.client_id = os.environ['NEXTCLOUD_CLIENT_ID']
+      c.NextcloudOAuthenticator.client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
       c.NextcloudOAuthenticator.login_service = 'Sunet Drive'
-      c.NextcloudOAuthenticator.username_claim = 'kano@sunet.se' # lambda r: r.get('ocs', {}).get('data', {}).get('id')
+      c.NextcloudOAuthenticator.username_claim = lambda r: r.get('ocs', {}).get('data', {}).get('id')
       c.NextcloudOAuthenticator.userdata_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/ocs/v2.php/cloud/user?format=json'
-      c.NextcloudOAuthenticator.authorize_url = os.environ['OAUTH2_AUTHORIZE_URL']
+      c.NextcloudOAuthenticator.authorize_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
       c.NextcloudOAuthenticator.token_url = token_url
       c.NextcloudOAuthenticator.oauth_callback_url = 'https://' + os.environ['JUPYTER_HOST'] + '/hub/oauth_callback'
       c.NextcloudOAuthenticator.allow_all = True
@@ -278,7 +276,7 @@ hub:
         targetPort: 8082
         name: refresh-token
   extraEnv:
-    NEXTCLOUD_DEBUG_OAUTH: "yes"
+    NEXTCLOUD_DEBUG_OAUTH: "no"
     NEXTCLOUD_HOST: sunet.drive.test.sunet.se
     JUPYTER_HOST: sunet-jupyter.drive.test.sunet.se
     JUPYTERHUB_API_KEY:
@@ -291,12 +289,12 @@ hub:
         secretKeyRef:
           name: jupyterhub-secrets
           key: crypt-key
-    OAUTH2_CLIENT_ID:
+    NEXTCLOUD_CLIENT_ID:
       valueFrom:
         secretKeyRef:
           name: nextcloud-oauth-secrets
           key: client-id
-    OAUTH2_CLIENT_SECRET:
+    NEXTCLOUD_CLIENT_SECRET:
       valueFrom:
         secretKeyRef:
           name: nextcloud-oauth-secrets

jupyter/overlays/test/vr/jupyterhub-ingress.yml

@@ -1,30 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: jupyterhub-ingress
-  annotations:
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  defaultBackend:
-    service:
-      name: proxy-public
-      port:
-        number: 8443
-  tls:
-    - hosts:
-        - vr-jupyter.drive.test.sunet.se 
-      secretName: tls-secret
-  ingressClassName: nginx
-  rules:
-  - host: vr-jupyter.drive.test.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend: 
-          service:
-            name: proxy-public
-            port:
-              number: 80

jupyter/overlays/test/vr/jupyterhub-service.yml

@@ -1,24 +0,0 @@
----
-apiVersion: v1
-items:
-- apiVersion: v1
-  kind: Service
-  metadata:
-    labels:
-      app: jupyterhub-node
-    name: jupyterhub-node
-  spec:
-    ports:
-    - port: 8080
-      protocol: TCP
-      targetPort: 8080
-    selector:
-      app: jupyterhub-node
-    sessionAffinity: None
-    type: ClusterIP
-  status:
-    loadBalancer: {}
-kind: List
-metadata:
-  resourceVersion: ""
-  selfLink: ""

jupyter/overlays/test/vr/kustomization.yaml

@@ -1,16 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources: [../../../base/]
-helmCharts:
-  - includeCRDs: true
-    name: jupyterhub
-    releaseName: vr-jupyterhub
-    valuesFile: ./values/values.yaml
-    version: 3.2.1
-    namespace: vr-jupyterhub
-helmGlobals:
-  chartHome: ../../../base/charts/
-patches:
-  - path: jupyterhub-ingress.yml
-  - path: jupyterhub-service.yml

jupyter/overlays/test/vr/values/values.yaml

@@ -1,337 +0,0 @@
-debug:
-  enabled: true
-hub:
-  config:
-    Authenticator:
-      auto_login: true
-      enable_auth_state: true
-    JupyterHub:
-      tornado_settings:
-        headers: { 'Content-Security-Policy': "frame-ancestors *;" }
-  db:
-    pvc:
-      storageClassName: csi-sc-cinderplugin
-  extraConfig:
-    oauthCode: |
-      import time
-      import requests
-      from datetime import datetime
-      from oauthenticator.generic import GenericOAuthenticator
-      token_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'
-      debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
-
-      def get_nextcloud_access_token(refresh_token):
-        client_id = os.environ['NEXTCLOUD_CLIENT_ID']
-        client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
-
-        code = refresh_token
-        data = {
-          'grant_type': 'refresh_token',
-          'code': code,
-          'refresh_token': refresh_token,
-          'client_id': client_id,
-          'client_secret': client_secret
-        }
-        response = requests.post(token_url, data=data)
-        if debug:
-          print(response.text)
-        return response.json()
-
-      def post_auth_hook(authenticator, handler, authentication):
-        user = authentication['auth_state']['oauth_user']['ocs']['data']['id']
-        auth_state = authentication['auth_state']
-        auth_state['token_expires'] =  time.time() + auth_state['token_response']['expires_in']
-        authentication['auth_state'] = auth_state
-        return authentication
-
-      class NextcloudOAuthenticator(GenericOAuthenticator):
-        def __init__(self, *args, **kwargs):
-          super().__init__(*args, **kwargs)
-          self.user_dict = {}
-
-        async def pre_spawn_start(self, user, spawner):
-          super().pre_spawn_start(user, spawner)
-          auth_state = await user.get_auth_state()
-          if not auth_state:
-            return
-          access_token = auth_state['access_token']
-          spawner.environment['NEXTCLOUD_ACCESS_TOKEN'] = access_token
-
-        async def refresh_user(self, user, handler=None):
-          auth_state = await user.get_auth_state()
-          if not auth_state:
-            if debug:
-              print(f'auth_state missing for {user}')
-            return False
-          access_token = auth_state['access_token']
-          refresh_token = auth_state['refresh_token']
-          token_response = auth_state['token_response']
-          now = time.time()
-          now_hr = datetime.fromtimestamp(now)
-          expires = auth_state['token_expires']
-          expires_hr = datetime.fromtimestamp(expires)
-          expires = 0
-          if debug:
-            print(f'auth_state for {user}: {auth_state}')
-          if now >= expires:
-            if debug:
-              print(f'Time is: {now_hr}, token expired: {expires_hr}')
-              print(f'Refreshing token for {user}')
-            try:
-              token_response = get_nextcloud_access_token(refresh_token)
-              auth_state['access_token'] = token_response['access_token']
-              auth_state['refresh_token'] = token_response['refresh_token']
-              auth_state['token_expires'] = now + token_response['expires_in']
-              auth_state['token_response'] = token_response
-              if debug:
-                print(f'Successfully refreshed token for {user.name}')
-                print(f'auth_state for {user.name}: {auth_state}')
-              return {'name': user.name, 'auth_state': auth_state}
-            except Exception as e:
-              if debug:
-                print(f'Failed to refresh token for {user}')
-              return False
-            return False
-          if debug:
-            print(f'Time is: {now_hr}, token expires: {expires_hr}')
-          return True
-
-      c.JupyterHub.authenticator_class = NextcloudOAuthenticator
-      c.NextcloudOAuthenticator.client_id = os.environ['NEXTCLOUD_CLIENT_ID']
-      c.NextcloudOAuthenticator.client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
-      c.NextcloudOAuthenticator.login_service = 'Sunet Drive'
-      c.NextcloudOAuthenticator.username_claim = lambda r: r.get('ocs', {}).get('data', {}).get('id')
-      c.NextcloudOAuthenticator.userdata_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/ocs/v2.php/cloud/user?format=json'
-      c.NextcloudOAuthenticator.authorize_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
-      c.NextcloudOAuthenticator.token_url = token_url
-      c.NextcloudOAuthenticator.oauth_callback_url = 'https://' + os.environ['JUPYTER_HOST'] + '/hub/oauth_callback'
-      c.NextcloudOAuthenticator.allow_all = True
-      c.NextcloudOAuthenticator.refresh_pre_spawn = True
-      c.NextcloudOAuthenticator.enable_auth_state = True
-      c.NextcloudOAuthenticator.auth_refresh_age = 3600
-      c.NextcloudOAuthenticator.post_auth_hook = post_auth_hook
-
-    serviceCode: |
-      import sys
-      c.JupyterHub.load_roles = [
-          {
-              "name": "refresh-token",
-              "services": [
-                "refresh-token"
-              ],
-              "scopes": [
-                "read:users",
-                "admin:auth_state"
-              ]
-          },
-          {
-              "name": "user",
-              "scopes": [
-                "access:services!service=refresh-token",
-                "read:services!service=refresh-token",
-                "self",
-              ],
-          },
-          {
-              "name": "server",
-              "scopes": [
-                "access:services!service=refresh-token",
-                "read:services!service=refresh-token",
-                "inherit",
-              ],
-          }
-      ]
-      c.JupyterHub.services = [
-          {
-              'name': 'refresh-token',
-              'url': 'http://' + os.environ.get('HUB_SERVICE_HOST', 'hub') + ':' + os.environ.get('HUB_SERVICE_PORT_REFRESH_TOKEN', '8082'),
-              'display': False,
-              'oauth_no_confirm': True,
-              'api_token': os.environ['JUPYTERHUB_API_KEY'],
-              'command': [sys.executable, '/usr/local/etc/jupyterhub/refresh-token.py']
-          }
-      ]
-      c.JupyterHub.admin_users = {"refresh-token"}
-      c.JupyterHub.api_tokens = {
-          os.environ['JUPYTERHUB_API_KEY']: "refresh-token",
-      }
-  extraFiles:
-    refresh-token.py: 
-      mountPath: /usr/local/etc/jupyterhub/refresh-token.py
-      stringData: |
-        """A token refresh service authenticating with the Hub.
-
-        This service serves `/services/refresh-token/`,
-        authenticated with the Hub,
-        showing the user their own info.
-        """
-        import json
-        import os
-        import requests
-        import socket
-        from jupyterhub.services.auth import HubAuthenticated
-        from jupyterhub.utils import url_path_join
-        from tornado.httpserver import HTTPServer
-        from tornado.ioloop import IOLoop
-        from tornado.web import Application, HTTPError, RequestHandler, authenticated
-        from urllib.parse import urlparse
-        debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
-        def my_debug(s):
-          if debug:
-            with open("/proc/1/fd/1", "a") as stdout:
-              print(s, file=stdout)
-
-
-        class RefreshHandler(HubAuthenticated, RequestHandler):
-            def api_request(self, method, url, **kwargs):
-                my_debug(f'{self.hub_auth}')
-                url = url_path_join(self.hub_auth.api_url, url)
-                allow_404 = kwargs.pop('allow_404', False)
-                headers = kwargs.setdefault('headers', {})
-                headers.setdefault('Authorization', f'token {self.hub_auth.api_token}')
-                try:
-                    r = requests.request(method, url, **kwargs)
-                except requests.ConnectionError as e:
-                    my_debug(f'Error connecting to {url}: {e}')
-                    msg = f'Failed to connect to Hub API at {url}.'
-                    msg += f'  Is the Hub accessible at this URL (from host: {socket.gethostname()})?'
-
-                    if '127.0.0.1' in url:
-                        msg += '  Make sure to set c.JupyterHub.hub_ip to an IP accessible to' + \
-                               ' single-user servers if the servers are not on the same host as the Hub.'
-                    raise HTTPError(500, msg)
-
-                data = None
-                if r.status_code == 404 and allow_404:
-                    pass
-                elif r.status_code == 403:
-                    my_debug(
-                        'Lacking permission to check authorization with JupyterHub,' + 
-                        f' my auth token may have expired: [{r.status_code}] {r.reason}'
-                    )
-                    my_debug(r.text)
-                    raise HTTPError(
-                        500,
-                        'Permission failure checking authorization, I may need a new token'
-                    )
-                elif r.status_code >= 500:
-                    my_debug(f'Upstream failure verifying auth token: [{r.status_code}] {r.reason}')
-                    my_debug(r.text)
-                    raise HTTPError(
-                        502, 'Failed to check authorization (upstream problem)')
-                elif r.status_code >= 400:
-                    my_debug(f'Failed to check authorization: [{r.status_code}] {r.reason}')
-                    my_debug(r.text)
-                    raise HTTPError(500, 'Failed to check authorization')
-                else:
-                    data = r.json()
-                return data
-
-            @authenticated
-            def get(self):
-                user_model = self.get_current_user()
-                # Fetch current auth state
-                user_data = self.api_request('GET', url_path_join('users', user_model['name']))
-                auth_state = user_data['auth_state']
-                access_token = auth_state['access_token']
-                token_expires = auth_state['token_expires']
-
-                self.set_header('content-type', 'application/json')
-                self.write(json.dumps({'access_token': access_token, 'token_expires': token_expires}, indent=1, sort_keys=True))
-
-        class PingHandler(RequestHandler):
-
-            def get(self):
-                my_debug(f"DEBUG: In ping get")
-                self.set_header('content-type', 'application/json')
-                self.write(json.dumps({'ping': 1}))
-
-
-        def main():
-            app = Application([
-                (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + 'tokens', RefreshHandler),
-                (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + '/?', PingHandler),
-            ])
-
-            http_server = HTTPServer(app)
-            url = urlparse(os.environ['JUPYTERHUB_SERVICE_URL'])
-
-            http_server.listen(url.port)
-
-            IOLoop.current().start()
-
-        if __name__ == '__main__':
-            main()
-  networkPolicy:
-    ingress:
-      - ports:
-          - port: 8082
-        from:
-          - podSelector:
-              matchLabels:
-                hub.jupyter.org/network-access-hub: "true"
-  service:
-    extraPorts:
-      - port: 8082
-        targetPort: 8082
-        name: refresh-token
-  extraEnv:
-    NEXTCLOUD_DEBUG_OAUTH: "no"
-    NEXTCLOUD_HOST: vr.drive.test.sunet.se
-    JUPYTER_HOST: vr-jupyter.drive.test.sunet.se
-    JUPYTERHUB_API_KEY:
-      valueFrom:
-        secretKeyRef:
-          name: jupyterhub-secrets
-          key: api-key
-    JUPYTERHUB_CRYPT_KEY:
-      valueFrom:
-        secretKeyRef:
-          name: jupyterhub-secrets
-          key: crypt-key
-    NEXTCLOUD_CLIENT_ID:
-      valueFrom:
-        secretKeyRef:
-          name: nextcloud-oauth-secrets
-          key: client-id
-    NEXTCLOUD_CLIENT_SECRET:
-      valueFrom:
-        secretKeyRef:
-          name: nextcloud-oauth-secrets
-          key: client-secret
-    networkPolicy:
-      enabled: false
-proxy:
-  chp:
-    networkPolicy:
-      egress:
-        - to:
-            - podSelector:
-                matchLabels:
-                  app: jupyterhub
-                  component: hub
-          ports:
-            - port: 8082
-singleuser:
-  image:
-    name: docker.sunet.se/drive/jupyter-custom
-    tag: lab-4.0.10-sunet4
-  storage:
-    dynamic:
-      storageClass: csi-sc-cinderplugin
-  extraEnv:
-    JUPYTER_ENABLE_LAB: "yes"
-    JUPYTER_HOST: vr-jupyter.drive.test.sunet.se
-    NEXTCLOUD_HOST: vr.drive.test.sunet.se
-  extraFiles:
-    jupyter_notebook_config:
-      mountPath: /home/jovyan/.jupyter/jupyter_server_config.py
-      stringData: |
-        import os
-        c = get_config()
-        c.NotebookApp.allow_origin = '*'
-        c.NotebookApp.tornado_settings = {
-            'headers': { 'Content-Security-Policy': "frame-ancestors *;" }
-        }
-        os.system('/usr/local/bin/nc-sync')
-      mode: 0644

portal/base/drive-ingress.yml

@@ -1,30 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: drive-ingress
-  namespace: portal
-  annotations:
-    kubernetes.io/ingress.class: nginx
-spec:
-  defaultBackend:
-    service:
-      name: portal-node
-      port:
-        number: 8080
-  tls:
-    - hosts:
-        - drive.test.sunet.se 
-      secretName: drive-tls-secret
-  ingressClassName: nginx 
-  rules:
-  - host: drive.test.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend: 
-          service:
-            name: portal-node
-            port:
-              number: 8080

portal/base/kustomization.yaml

@@ -1,9 +0,0 @@
-resources:
-- drive-ingress.yml
-- portal-cert-manager.yml
-- portal-deployment.yml
-- portal-ingress.yml
-- portal-namespace.yml
-- portal-service.yml
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization

portal/base/portal-cert-manager.yml

@@ -1,15 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: letsencrypt
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: drive@sunet.se
-    privateKeySecretRef:
-      name: letsencrypt
-    solvers:
-      - http01:
-          ingress: 
-            class: nginx
-

portal/base/portal-deployment.yml

@@ -1,30 +0,0 @@
----
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  name: portal-node
-  namespace: portal
-  creationTimestamp:
-  labels:
-    app: portal-node
-spec:
-  replicas: 3
-  selector:
-    matchLabels:
-      app: portal-node
-  template:
-    metadata:
-      creationTimestamp:
-      labels:
-        app: portal-node
-    spec:
-      containers:
-      - name: portal
-        image: docker.sunet.se/drive/portal:0.1.2-3
-        imagePullPolicy: Always
-        resources: {}
-        env:
-          - name: DRIVE_DOMAIN
-            value: "drive.test.sunet.se"
-  strategy: {}
-status: {}

portal/base/portal-ingress.yml

@@ -1,30 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: portal-ingress
-  namespace: portal
-  annotations:
-    kubernetes.io/ingress.class: nginx
-spec:
-  defaultBackend:
-    service:
-      name: portal-node
-      port:
-        number: 8080
-  tls:
-    - hosts:
-        - portal.drive.test.sunet.se 
-      secretName: tls-secret
-  ingressClassName: nginx 
-  rules:
-  - host: portal.drive.test.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend: 
-          service:
-            name: portal-node
-            port:
-              number: 8080

portal/base/portal-namespace.yml

@@ -1,8 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: portal
-spec:
-  finalizers:
-  - kubernetes

portal/base/portal-service.yml

@@ -1,25 +0,0 @@
----
-apiVersion: v1
-items:
-- apiVersion: v1
-  kind: Service
-  metadata:
-    labels:
-      app: portal-node
-    name: portal-node
-    namespace: portal
-  spec:
-    ports:
-    - port: 8080
-      protocol: TCP
-      targetPort: 8080
-    selector:
-      app: portal-node
-    sessionAffinity: None
-    type: ClusterIP
-  status:
-    loadBalancer: {}
-kind: List
-metadata:
-  resourceVersion: ""
-  selfLink: ""

portal/overlays/prod/drive-ingress.yml

@@ -1,32 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: drive-ingress
-  namespace: portal
-  annotations:
-    kubernetes.io/ingress.class: nginx
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  defaultBackend:
-    service:
-      name: portal-node
-      port:
-        number: 8080
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - drive.sunet.se 
-      secretName: drive-tls-secret
-  rules:
-  - host: drive.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend: 
-          service:
-            name: portal-node
-            port:
-              number: 8080

portal/overlays/prod/kustomization.yaml

@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
-patches:
-- path: drive-ingress.yml
-- path: portal-ingress.yml
-- path: portal-deployment.yml

portal/overlays/prod/portal-deployment.yml

@@ -1,27 +0,0 @@
----
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  name: portal-node
-  namespace: portal
-  creationTimestamp:
-  labels:
-    app: portal-node
-spec:
-  replicas: 3
-  selector:
-    matchLabels:
-      app: portal-node
-  template:
-    metadata:
-      creationTimestamp:
-      labels:
-        app: portal-node
-    spec:
-      containers:
-      - name: portal
-        env:
-          - name: DRIVE_DOMAIN
-            value: "drive.sunet.se"
-  strategy: {}
-status: {}

portal/overlays/prod/portal-ingress.yml

@@ -1,32 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: portal-ingress
-  namespace: portal
-  annotations:
-    kubernetes.io/ingress.class: nginx
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  defaultBackend:
-    service:
-      name: portal-node
-      port:
-        number: 8080
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - portal.drive.sunet.se 
-      secretName: tls-secret
-  rules:
-  - host: portal.drive.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend: 
-          service:
-            name: portal-node
-            port:
-              number: 8080

portal/overlays/test/drive-ingress.yml

@@ -1,32 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: drive-ingress
-  namespace: portal
-  annotations:
-    kubernetes.io/ingress.class: nginx
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  defaultBackend:
-    service:
-      name: portal-node
-      port:
-        number: 8080
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - drive.test.sunet.se 
-      secretName: drive-tls-secret
-  rules:
-  - host: drive.test.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend: 
-          service:
-            name: portal-node
-            port:
-              number: 8080

portal/overlays/test/kustomization.yaml

@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../../base
-patches:
-- path: drive-ingress.yml
-- path: portal-ingress.yml
-- path: portal-deployment.yml

portal/overlays/test/portal-deployment.yml

@@ -1,27 +0,0 @@
----
-kind: Deployment
-apiVersion: apps/v1
-metadata:
-  name: portal-node
-  namespace: portal
-  creationTimestamp:
-  labels:
-    app: portal-node
-spec:
-  replicas: 3
-  selector:
-    matchLabels:
-      app: portal-node
-  template:
-    metadata:
-      creationTimestamp:
-      labels:
-        app: portal-node
-    spec:
-      containers:
-      - name: portal
-        env:
-          - name: DRIVE_DOMAIN
-            value: "drive.test.sunet.se"
-  strategy: {}
-status: {}

portal/overlays/test/portal-ingress.yml

@@ -1,32 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: portal-ingress
-  namespace: portal
-  annotations:
-    kubernetes.io/ingress.class: nginx
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  defaultBackend:
-    service:
-      name: portal-node
-      port:
-        number: 8080
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - portal.drive.test.sunet.se 
-      secretName: tls-secret
-  rules:
-  - host: portal.drive.test.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend: 
-          service:
-            name: portal-node
-            port:
-              number: 8080

proxysql/base/proxysql-configmap.yml

@@ -300,13 +300,6 @@ data:
           transaction_persistent=1
           active=1
       },
-      {
-          username="nextcloud_richir"
-          password="{{RICHIR_PASSWORD}}"
-          default_hostgroup=10
-          transaction_persistent=1
-          active=1
-      },
       {
           username="nextcloud_rkh"
           password="{{RKH_PASSWORD}}"