Fix redis hostname

Reviewed-on: #2
Reviewed-by: Micke <kano@sunet.se>

applicationsets/applicationset.yaml

@@ -0,0 +1,45 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: customer-applications
+  namespace: argocd
+spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
+  generators:
+    - git:
+        repoURL: 'https://platform.sunet.se/Drive/k8s-manifests'
+        revision: HEAD
+        directories:
+          - path: 'customers/overlays/*'
+  template:
+    metadata:
+      name: '{{index .path.segments 2}}'
+    spec:
+      project: default
+      source:
+        repoURL: 'https://platform.sunet.se/Drive/k8s-manifests'
+        targetRevision: HEAD
+        path: 'customers/overlays/{{index .path.segments 2}}/test'
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: '{{index .path.segments 2}}'
+      syncPolicy:
+        automated:
+          prune: false
+          selfHeal: true
+          allowEmpty: false
+        syncOptions: # maybe needs FIXME
+          - Validate=true # disables resource validation (equivalent to 'kubectl apply --validate=false') ( true by default ).
+          - CreateNamespace=true # Namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster.
+          - PrunePropagationPolicy=foreground # Supported policies are background, foreground and orphan.
+          - PruneLast=true # Allow the ability for resource pruning to happen as a final, implicit wave of a sync operation
+          - RespectIgnoreDifferences=true # When syncing changes, respect fields ignored by the ignoreDifferences configuration
+          - ApplyOutOfSyncOnly=true # Only sync out-of-sync resources, rather than applying every object in the application
+        retry:
+          limit: 5
+          backoff:
+            duration: 5s
+            factor: 2
+            maxDuration: 3m
+      revisionHistoryLimit: 2

argocd-ingress/overlays/test/argocd-ingress.yaml

@@ -11,7 +11,7 @@ spec:
     service:
       name: argocd-server
       port:
-        number: 8443
+        number: 80
   ingressClassName: traefik
   tls:
     - hosts:

argocd-nginx/base/argocd-cert-issuer.yaml

@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: drive@sunet.se
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+      - http01:
+          ingress: 
+            class: nginx
+

argocd-nginx/base/argocd-ingress.yaml

@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argocd-ingress
+  namespace: argocd
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - argocd.drive.test.sunet.se 
+      secretName: tls-secret
+  rules:
+  - host: argocd.drive.test.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              name: https

argocd-nginx/base/kustomization.yaml

@@ -0,0 +1,3 @@
+resources:
+  - argocd-ingress.yaml
+  - argocd-cert-issuer.yaml

argocd-nginx/overlays/dev/argocd-ingress.yaml

@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argocd-ingress
+  namespace: argocd
+spec:
+  defaultBackend:
+    service:
+      name: argocd-server
+      port:
+        number: 80
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - argocd.drive.test.sunet.dev
+      secretName: tls-secret
+ 
+  rules:
+  - host: argocd.drive.test.sunet.dev
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              number: 80

argocd-nginx/overlays/dev/kustomization.yaml

@@ -1,7 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../../base
+- ../../base
 patches:
-- path: nextcloud-deployment.yml
-- path: nextcloud-ingress.yml
+- path: argocd-ingress.yaml

argocd-nginx/overlays/prod/argocd-ingress.yaml

@@ -1,26 +1,31 @@
----
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: customer-ingress
+  name: argocd-ingress
+  namespace: argocd
   annotations:
     kubernetes.io/ingress.class: traefik
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
+  defaultBackend:
+    service:
+      name: argocd-server
+      port:
+        number: 8443
   tls:
     - hosts:
-        - vr.drive.test.sunet.se 
+        - argocd.drive.sunet.se 
       secretName: tls-secret
   
   rules:
-  - host: vr.drive.test.sunet.se
+  - host: argocd.drive.sunet.se
     http:
       paths:
       - path: /
         pathType: Prefix
         backend: 
           service:
-            name: customer-node
+            name: argocd-server
             port:
               number: 80

argocd-nginx/overlays/prod/drive/argocd-ingress.yaml

@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argocd-ingress
+  namespace: argocd
+  annotations:
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  defaultBackend:
+    service:
+      name: argocd-server
+      port:
+        number: 80
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - argocd.drive.sunet.se 
+      secretName: tls-secret
+  rules:
+  - host: argocd.drive.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              number: 80

argocd-nginx/overlays/prod/drive/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: [../../../base]
+patches:
+  - path: argocd-ingress.yaml

argocd-nginx/overlays/prod/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+patches:
+- path: argocd-ingress.yaml

argocd-nginx/overlays/prod/sunet/argocd-ingress.yaml

@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argocd-ingress
+  annotations:
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+  namespace: argocd
+spec:
+  defaultBackend:
+    service:
+      name: argocd-server
+      port:
+        number: 80
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - sunet-argocd.drive.sunet.se 
+      secretName: tls-secret
+  rules:
+  - host: sunet-argocd.drive.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              number: 80

argocd-nginx/overlays/prod/sunet/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: [../../../base]
+patches:
+  - path: argocd-ingress.yaml

argocd-nginx/overlays/prod/vr/argocd-ingress.yaml

@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argocd-ingress
+  namespace: argocd
+  annotations:
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  defaultBackend:
+    service:
+      name: argocd-server
+      port:
+        number: 80
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - vr-argocd.drive.sunet.se 
+      secretName: tls-secret
+  rules:
+  - host: vr-argocd.drive.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              number: 80

argocd-nginx/overlays/prod/vr/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: [../../../base]
+patches:
+  - path: argocd-ingress.yaml

argocd-nginx/overlays/test/drive/argocd-ingress.yaml

@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argocd-ingress
+  namespace: argocd
+  annotations:
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  defaultBackend:
+    service:
+      name: argocd-server
+      port:
+        number: 80
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - argocd.drive.test.sunet.se 
+      secretName: tls-secret
+  rules:
+  - host: argocd.drive.test.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              number: 80

argocd-nginx/overlays/test/drive/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: [../../../base]
+patches:
+  - path: argocd-ingress.yaml

argocd-nginx/overlays/test/sunet/argocd-ingress.yaml

@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argocd-ingress
+  namespace: argocd
+  annotations:
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  defaultBackend:
+    service:
+      name: argocd-server
+      port:
+        number: 80
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - sunet-argocd.drive.test.sunet.se 
+        - sunet-kube.drive.test.sunet.se 
+      secretName: tls-secret
+  rules:
+  - host: sunet-argocd.drive.test.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              number: 80

argocd-nginx/overlays/test/sunet/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: [../../../base]
+patches:
+  - path: argocd-ingress.yaml

argocd-nginx/overlays/test/vr/argocd-ingress.yaml

@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argocd-ingress
+  namespace: argocd
+  annotations:
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  defaultBackend:
+    service:
+      name: argocd-server
+      port:
+        number: 80
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - vr-argocd.drive.test.sunet.se 
+      secretName: tls-secret
+  rules:
+  - host: vr-argocd.drive.test.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: argocd-server
+            port:
+              number: 80

argocd-nginx/overlays/test/vr/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: [../../../base]
+patches:
+  - path: argocd-ingress.yaml

argocd/base/kustomization.yaml

@@ -3,4 +3,4 @@ kind: Kustomization
 
 namespace: argocd
 resources:
-- https://raw.githubusercontent.com/argoproj/argo-cd/v2.10.0/manifests/ha/install.yaml
+- https://raw.githubusercontent.com/argoproj/argo-cd/v2.10.4/manifests/ha/install.yaml

backups/base/backup-cronjob.yaml

@@ -0,0 +1,60 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: backup
+spec:
+  schedule: "0 0 * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          volumes:
+            - name: backup-storage
+              emptyDir: {}
+            - name: ipc-storage
+              emptyDir: {}
+          restartPolicy: Never
+          containers:
+            - name: backup-container
+              image: docker.sunet.se/drive/duplicity:bookworm-slim-1
+              command: ["bash"]
+              args: [ "-c", "duplicity /backup_storage rclone://destination:$(BUCKET) --no-encryption --full-if-older-than 1M; touch /backup_ipc/stop" ]
+              env:
+                - name: RCLONE_CONFIG_DESTINATION_ACL
+                  value: private
+                - name: RCLONE_CONFIG_DESTINATION_TYPE
+                  value: s3
+                - name: RCLONE_CONFIG_DESTINATION_ENDPOINT
+                  value: s3.sto3.safedc.net
+                - name: RCLONE_CONFIG_DESTINATION_PROVIDER
+                  value: Ceph
+              volumeMounts:
+                - name: backup-storage
+                  mountPath: /backup_storage
+                  mountPropagation: HostToContainer
+                - name: ipc-storage
+                  mountPath: /backup_ipc
+            - name: mount-container
+              image: rclone/rclone:1.69.0
+              args: ["mount", "--allow-non-empty", "source:$(BUCKET)", "/backup_storage"]
+              securityContext:
+                privileged: true
+              env:
+                - name: RCLONE_CONFIG_SOURCE_ACL
+                  value: private
+                - name: RCLONE_CONFIG_SOURCE_TYPE
+                  value: s3
+                - name: RCLONE_CONFIG_SOURCE_ENDPOINT
+                  value: s3.sto4.safedc.net
+                - name: RCLONE_CONFIG_SOURCE_PROVIDER
+                  value: Ceph
+              volumeMounts:
+                - name: backup-storage
+                  mountPath: /backup_storage
+                  mountPropagation: Bidirectional
+                - name: ipc-storage
+                  mountPath: /backup_ipc
+              livenessProbe:
+                exec:
+                  command: ["sh", "-c", "if test -f /backup_ipc/stop; then umount /backup_storage; exit 1; fi;"]

backups/base/kustomization.yaml

@@ -0,0 +1,4 @@
+---
+kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+resources: ['backup-cronjob.yaml']

backups/overlays/test/xrootd/backup-cronjob.yaml

@@ -0,0 +1,40 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: backup
+spec:
+  schedule: "15 02 * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          hostname: xrootd-test-mirror
+          containers:
+            - name: backup-container
+              env:
+                - name: BUCKET
+                  value: "xrootd-test-mirror"
+                - name: RCLONE_CONFIG_DESTINATION_ACCESS_KEY_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: xrootd-secret
+                      key: "destination-access-key-id"
+                - name: RCLONE_CONFIG_DESTINATION_SECRET_ACCESS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: xrootd-secret
+                      key: "destination-secret-access-key"
+            - name: mount-container
+              env:
+                - name: BUCKET
+                  value: "xrootd-test"
+                - name: RCLONE_CONFIG_SOURCE_ACCESS_KEY_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: xrootd-secret
+                      key: "source-access-key-id"
+                - name: RCLONE_CONFIG_SOURCE_SECRET_ACCESS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: xrootd-secret
+                      key: "source-secret-access-key"

backups/overlays/test/xrootd/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+resources: [../../../base]
+patches: 
+  - path: backup-cronjob.yaml
+

cinder/cinder-csi-controllerplugin.yaml

@@ -69,7 +69,7 @@ spec:
             - mountPath: /var/lib/csi/sockets/pluginproxy/
               name: socket-dir
         - name: csi-resizer
-          image: registry.k8s.io/sig-storage/csi-resizer:v1.7.0
+          image: registry.k8s.io/sig-storage/csi-resizer:v1.8.0
           args:
             - "--csi-address=$(ADDRESS)"
             - "--timeout=3m"
@@ -93,7 +93,7 @@ spec:
             - mountPath: /var/lib/csi/sockets/pluginproxy/
               name: socket-dir
         - name: cinder-csi-plugin
-          image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.27.1
+          image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.28.2
           args:
             - /bin/cinder-csi-plugin
             - "--endpoint=$(CSI_ENDPOINT)"

customers/base/apache-configmap.yml

@@ -1,73 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: apache-configmap
-data:
-  000-default.conf: |
-    LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so
-    LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
-    <VirtualHost *:80>
-            ServerAdmin webmaster@localhost
-            DocumentRoot /var/www/html
-            # Log format config
-            LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
-            SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
-
-            # Header config
-            RemoteIPHeader X-Forwarded-For
-            RemoteIPInternalProxy 37.156.195.14
-            RemoteIPInternalProxy 37.156.195.19
-            RemoteIPInternalProxy 37.156.195.84
-            RemoteIPInternalProxy 37.156.195.92
-            #ErrorDocument 404 /404.html
-            ErrorLog ${APACHE_LOG_DIR}/error.log
-            CustomLog ${APACHE_LOG_DIR}/access.log combined env=forwarded
-
-            ErrorLog ${APACHE_LOG_DIR}/error.log
-            CustomLog ${APACHE_LOG_DIR}/access.log combined
-            <Directory /var/www/html/>
-                    LimitRequestBody 0
-                    Require all granted
-                    AllowOverride All
-                    Options FollowSymLinks MultiViews
-
-                    <IfModule mod_dav.c>
-                        Dav off
-                    </IfModule>
-            </Directory>
-    </VirtualHost>
-    <VirtualHost *:443>
-            ServerAdmin webmaster@localhost
-            DocumentRoot /var/www/html
-            # Log format config
-            LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
-            SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
-
-            # Header config
-            RemoteIPHeader X-Forwarded-For
-            RemoteIPInternalProxy 37.156.195.14
-            RemoteIPInternalProxy 37.156.195.19
-            RemoteIPInternalProxy 37.156.195.84
-            RemoteIPInternalProxy 37.156.195.92
-            #ErrorDocument 404 /404.html
-            ErrorLog ${APACHE_LOG_DIR}/error.log
-            CustomLog ${APACHE_LOG_DIR}/access.log combined env=forwarded
-            SSLEngine On
-            SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
-            SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-            <Directory /var/www/html/>
-                    LimitRequestBody 0
-                    Require all granted
-                    AllowOverride All
-                    Options FollowSymLinks MultiViews
-
-                    <IfModule mod_dav.c>
-                        Dav off
-                    </IfModule>
-            </Directory>
-            <Directory /var/www/html/data>
-                Order allow,deny
-                deny from all
-            </Directory>
-    </VirtualHost>
-    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

customers/base/apache-php-configmap.yml

@@ -1,162 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: apache-php-configmap
-data:
-  php.ini: |
-    [PHP]
-    allow_url_fopen = On
-    allow_url_include = Off
-    auto_append_file =
-    auto_globals_jit = On
-    auto_prepend_file =
-    default_charset = "UTF-8"
-    default_mimetype = "text/html"
-    default_socket_timeout = 60
-    disable_classes =
-    disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
-    display_errors = Off
-    display_startup_errors = Off
-    doc_root =
-    enable_dl = Off
-    engine = On
-    error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
-    expose_php = Off
-    file_uploads = On
-    ignore_repeated_errors = Off
-    ignore_repeated_source = Off
-    implicit_flush = Off
-    log_errors = On
-    log_errors_max_len = 1024
-    max_execution_time = 86400
-    max_file_uploads = 20
-    max_input_time = 86400
-    memory_limit = 512M
-    output_buffering = Off
-    post_max_size = 30G
-    precision = 14
-    register_argc_argv = Off
-    report_memleaks = On
-    request_order = "GP"
-    serialize_precision = -1
-    short_open_tag = Off
-    unserialize_callback_func =
-    upload_max_filesize = 30G
-    user_dir =
-    variables_order = "GPCS"
-    zend.enable_gc = On
-    zend.exception_ignore_args = On
-    zlib.output_compression = Off
-    [CLI Server]
-    cli_server.color = On
-    [Date]
-    ; Nothing here
-    [filter]
-    ; Nothing here
-    [iconv]
-    ; Nothing here
-    [imap]
-    ; Nothing here
-    [intl]
-    ; Nothing here
-    [sqlite3]
-    ; Nothing here
-    [Pcre]
-    ; Nothing here
-    [Pdo]
-    ; Nothing here
-    [Pdo_mysql]
-    pdo_mysql.default_socket=
-    [Phar]
-    ; Nothing here
-    [mail function]
-    SMTP = localhost
-    smtp_port = 25
-    mail.add_x_header = Off
-    [ODBC]
-    odbc.allow_persistent = On
-    odbc.check_persistent = On
-    odbc.max_persistent = -1
-    odbc.max_links = -1
-    odbc.defaultlrl = 4096
-    odbc.defaultbinmode = 1
-    [MySQLi]
-    mysqli.max_persistent = -1
-    mysqli.allow_persistent = On
-    mysqli.max_links = -1
-    mysqli.default_port = 3306
-    mysqli.default_socket =
-    mysqli.default_host =
-    mysqli.default_user =
-    mysqli.default_pw =
-    mysqli.reconnect = Off
-    [mysqlnd]
-    mysqlnd.collect_statistics = On
-    mysqlnd.collect_memory_statistics = Off
-    [OCI8]
-    ; Nothing here
-    [PostgreSQL]
-    pgsql.allow_persistent = On
-    pgsql.auto_reset_persistent = Off
-    pgsql.max_persistent = -1
-    pgsql.max_links = -1
-    pgsql.ignore_notice = 0
-    pgsql.log_notice = 0
-    [bcmath]
-    bcmath.scale = 0
-    [browscap]
-    ; Nothing here
-    [Session]
-    session.save_handler = files
-    session.use_strict_mode = 0
-    session.use_cookies = 1
-    session.use_only_cookies = 1
-    session.name = PHPSESSID
-    session.auto_start = 0
-    session.cookie_lifetime = 0
-    session.cookie_path = /
-    session.cookie_domain =
-    session.cookie_httponly =
-    session.cookie_samesite =
-    session.serialize_handler = php
-    session.gc_probability = 0
-    session.gc_divisor = 1000
-    session.gc_maxlifetime = 1440
-    session.referer_check =
-    session.cache_limiter = nocache
-    session.cache_expire = 180
-    session.use_trans_sid = 0
-    session.sid_length = 26
-    session.trans_sid_tags = "a=href,area=href,frame=src,form="
-    session.sid_bits_per_character = 5
-    [Assertion]
-    zend.assertions = -1
-    [COM]
-    ; Nothing here
-    [mbstring]
-    ; Nothing here
-    [gd]
-    ; Nothing here
-    [exif]
-    ; Nothing here
-    [Tidy]
-    tidy.clean_output = Off
-    [soap]
-    soap.wsdl_cache_enabled=1
-    soap.wsdl_cache_dir="/tmp"
-    soap.wsdl_cache_ttl=86400
-    soap.wsdl_cache_limit = 5
-    [sysvshm]
-    ; Nothing here
-    [ldap]
-    ldap.max_links = -1
-    [dba]
-    ; Nothing here
-    [opcache]
-    opcache.interned_strings_buffer=64
-    [curl]
-    ; Nothing here
-    [openssl]
-    ; Nothing here
-    [ffi]
-    ; Nothing here

customers/base/apcu-configmap.yml

@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: apcu-configmap
-data:
-  apcu.ini: |
-    extension=apcu.so
-    apc.enable_cli=1

customers/base/cli-php-configmap.yml

@@ -1,162 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: cli-php-configmap
-data:
-  php.ini: |
-    [PHP]
-    allow_url_fopen = On
-    allow_url_include = Off
-    auto_append_file =
-    auto_globals_jit = On
-    auto_prepend_file =
-    default_charset = "UTF-8"
-    default_mimetype = "text/html"
-    default_socket_timeout = 60
-    disable_classes =
-    disable_functions =
-    display_errors = Off
-    display_startup_errors = Off
-    doc_root =
-    enable_dl = Off
-    engine = On
-    error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
-    expose_php = On
-    file_uploads = On
-    ignore_repeated_errors = Off
-    ignore_repeated_source = Off
-    implicit_flush = Off
-    log_errors = On
-    log_errors_max_len = 1024
-    max_execution_time = 86400
-    max_file_uploads = 20
-    max_input_time = 86400
-    memory_limit = -1
-    output_buffering = Off
-    post_max_size = 16G
-    precision = 14
-    register_argc_argv = Off
-    report_memleaks = On
-    request_order = "GP"
-    serialize_precision = -1
-    short_open_tag = Off
-    unserialize_callback_func =
-    upload_max_filesize = 16G
-    user_dir =
-    variables_order = "GPCS"
-    zend.enable_gc = On
-    zend.exception_ignore_args = On
-    zlib.output_compression = Off
-    [CLI Server]
-    cli_server.color = On
-    [Date]
-    ; Nothing here
-    [filter]
-    ; Nothing here
-    [iconv]
-    ; Nothing here
-    [imap]
-    ; Nothing here
-    [intl]
-    ; Nothing here
-    [sqlite3]
-    ; Nothing here
-    [Pcre]
-    ; Nothing here
-    [Pdo]
-    ; Nothing here
-    [Pdo_mysql]
-    pdo_mysql.default_socket=
-    [Phar]
-    ; Nothing here
-    [mail function]
-    SMTP = localhost
-    smtp_port = 25
-    mail.add_x_header = Off
-    [ODBC]
-    odbc.allow_persistent = On
-    odbc.check_persistent = On
-    odbc.max_persistent = -1
-    odbc.max_links = -1
-    odbc.defaultlrl = 4096
-    odbc.defaultbinmode = 1
-    [MySQLi]
-    mysqli.max_persistent = -1
-    mysqli.allow_persistent = On
-    mysqli.max_links = -1
-    mysqli.default_port = 3306
-    mysqli.default_socket =
-    mysqli.default_host =
-    mysqli.default_user =
-    mysqli.default_pw =
-    mysqli.reconnect = Off
-    [mysqlnd]
-    mysqlnd.collect_statistics = On
-    mysqlnd.collect_memory_statistics = Off
-    [OCI8]
-    ; Nothing here
-    [PostgreSQL]
-    pgsql.allow_persistent = On
-    pgsql.auto_reset_persistent = Off
-    pgsql.max_persistent = -1
-    pgsql.max_links = -1
-    pgsql.ignore_notice = 0
-    pgsql.log_notice = 0
-    [bcmath]
-    bcmath.scale = 0
-    [browscap]
-    ; Nothing here
-    [Session]
-    session.save_handler = files
-    session.use_strict_mode = 0
-    session.use_cookies = 1
-    session.use_only_cookies = 1
-    session.name = PHPSESSID
-    session.auto_start = 0
-    session.cookie_lifetime = 0
-    session.cookie_path = /
-    session.cookie_domain =
-    session.cookie_httponly =
-    session.cookie_samesite =
-    session.serialize_handler = php
-    session.gc_probability = 0
-    session.gc_divisor = 1000
-    session.gc_maxlifetime = 1440
-    session.referer_check =
-    session.cache_limiter = nocache
-    session.cache_expire = 180
-    session.use_trans_sid = 0
-    session.sid_length = 26
-    session.trans_sid_tags = "a=href,area=href,frame=src,form="
-    session.sid_bits_per_character = 5
-    [Assertion]
-    zend.assertions = -1
-    [COM]
-    ; Nothing here
-    [mbstring]
-    ; Nothing here
-    [gd]
-    ; Nothing here
-    [exif]
-    ; Nothing here
-    [Tidy]
-    tidy.clean_output = Off
-    [soap]
-    soap.wsdl_cache_enabled=1
-    soap.wsdl_cache_dir="/tmp"
-    soap.wsdl_cache_ttl=86400
-    soap.wsdl_cache_limit = 5
-    [sysvshm]
-    ; Nothing here
-    [ldap]
-    ldap.max_links = -1
-    [dba]
-    ; Nothing here
-    [opcache]
-    opcache.interned_strings_buffer=64
-    [curl]
-    ; Nothing here
-    [openssl]
-    ; Nothing here
-    [ffi]
-    ; Nothing here

customers/base/env-configmap.yml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nextcloud-env
+data:
+  GSS_MASTER_URL: 'https://drive.test.sunet.se'
+  LOOKUP_SERVER: 'https://lookup.drive.test.sunet.se'
+  MAIL_DOMAIN: 'drive.test.sunet.se'
+  MAIL_FROM_ADDRESS: 'noreply'
+  MAIL_SMTPHOST: 'smtp.sunet.se'
+  MAIL_SMTPNAME: 'noreply@drive.test.sunet.se'
+  MYSQL_DATABASE: 'nextcloud_customer'
+  MYSQL_HOST: 'proxysqlcluster.proxysql'
+  MYSQL_PORT: '6033'
+  MYSQL_USER: 'nextcloud_customer'
+  NEXTCLOUD_ADMIN_USER: 'admin'
+  NEXTCLOUD_TRUSTED_DOMAINS: 'customer.drive.test.sunet.se'
+  NEXTCLOUD_VERSION_STRING: '30.0.5.2'
+  OBJECTSTORE_S3_AUTOCREATE: 'true'
+  OBJECTSTORE_S3_BUCKET: 'primary-customer-drive-test.sunet.se'
+  OBJECTSTORE_S3_HOST: 's3.sto4.safedc.net'
+  OBJECTSTORE_S3_REGION: 'us-east-1'
+  OBJECTSTORE_S3_SSL: 'true'
+  OBJECTSTORE_S3_USEPATH_STYLE: 'true'
+  REDIS_HOST: 'redis'
+  SITE_NAME: 'customer.drive.test.sunet.se'

customers/base/files/000-default.conf

@@ -0,0 +1,73 @@
+LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so
+LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
+<VirtualHost *:80>
+        ServerAdmin webmaster@localhost
+        DocumentRoot /var/www/html
+        # Log format config
+        LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" xforwardedfor
+        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+
+        PassEnv HOSTNAME
+        Header append Set-Cookie "SERVERID=%{HOSTNAME}e;Path=/;SameSite=Lax;HttpOnly;Secure"
+
+        # Header config
+        RemoteIPHeader X-Forwarded-For
+        RemoteIPInternalProxy 37.156.195.14
+        RemoteIPInternalProxy 37.156.195.19
+        RemoteIPInternalProxy 37.156.195.84
+        RemoteIPInternalProxy 37.156.195.92
+        #ErrorDocument 404 /404.html
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log xforwardedfor env=forwarded
+        CustomLog ${APACHE_LOG_DIR}/access.log combined env=!forwarded
+        <Directory /var/www/html/>
+                LimitRequestBody 0
+                Require all granted
+                AllowOverride All
+                Options FollowSymLinks MultiViews
+
+                <IfModule mod_dav.c>
+                    Dav off
+                </IfModule>
+        </Directory>
+</VirtualHost>
+<VirtualHost *:443>
+        ServerAdmin webmaster@localhost
+        DocumentRoot /var/www/html
+        # Log format config
+        LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" xforwardedfor
+        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+
+        PassEnv HOSTNAME
+        Header append Set-Cookie "SERVERID=%{HOSTNAME}e;Path=/;SameSite=Lax;HttpOnly;Secure"
+
+        # Header config
+        RemoteIPHeader X-Forwarded-For
+        RemoteIPInternalProxy 37.156.195.14
+        RemoteIPInternalProxy 37.156.195.19
+        RemoteIPInternalProxy 37.156.195.84
+        RemoteIPInternalProxy 37.156.195.92
+        #ErrorDocument 404 /404.html
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log xforwardedfor env=forwarded
+        CustomLog ${APACHE_LOG_DIR}/access.log combined env=!forwarded
+        SSLEngine On
+        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+        <Directory /var/www/html/>
+                LimitRequestBody 0
+                Require all granted
+                AllowOverride All
+                Options FollowSymLinks MultiViews
+
+                <IfModule mod_dav.c>
+                    Dav off
+                </IfModule>
+        </Directory>
+        <Directory /var/www/html/data>
+            Order allow,deny
+            deny from all
+        </Directory>
+</VirtualHost>
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
+

customers/base/files/apache-php.ini

@@ -0,0 +1,157 @@
+[PHP]
+allow_url_fopen = On
+allow_url_include = Off
+auto_append_file =
+auto_globals_jit = On
+auto_prepend_file =
+default_charset = "UTF-8"
+default_mimetype = "text/html"
+default_socket_timeout = 60
+disable_classes =
+disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
+display_errors = Off
+display_startup_errors = Off
+doc_root =
+enable_dl = Off
+engine = On
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+expose_php = Off
+file_uploads = On
+ignore_repeated_errors = Off
+ignore_repeated_source = Off
+implicit_flush = Off
+log_errors = On
+log_errors_max_len = 1024
+max_execution_time = 86400
+max_file_uploads = 20
+max_input_time = 86400
+memory_limit = 512M
+output_buffering = Off
+post_max_size = 30G
+precision = 14
+register_argc_argv = Off
+report_memleaks = On
+request_order = "GP"
+serialize_precision = -1
+short_open_tag = Off
+unserialize_callback_func =
+upload_max_filesize = 30G
+user_dir =
+variables_order = "GPCS"
+zend.enable_gc = On
+zend.exception_ignore_args = On
+zlib.output_compression = Off
+[CLI Server]
+cli_server.color = On
+[Date]
+; Nothing here
+[filter]
+; Nothing here
+[iconv]
+; Nothing here
+[imap]
+; Nothing here
+[intl]
+; Nothing here
+[sqlite3]
+; Nothing here
+[Pcre]
+; Nothing here
+[Pdo]
+; Nothing here
+[Pdo_mysql]
+pdo_mysql.default_socket=
+[Phar]
+; Nothing here
+[mail function]
+SMTP = localhost
+smtp_port = 25
+mail.add_x_header = Off
+[ODBC]
+odbc.allow_persistent = On
+odbc.check_persistent = On
+odbc.max_persistent = -1
+odbc.max_links = -1
+odbc.defaultlrl = 4096
+odbc.defaultbinmode = 1
+[MySQLi]
+mysqli.max_persistent = -1
+mysqli.allow_persistent = On
+mysqli.max_links = -1
+mysqli.default_port = 3306
+mysqli.default_socket =
+mysqli.default_host =
+mysqli.default_user =
+mysqli.default_pw =
+mysqli.reconnect = Off
+[mysqlnd]
+mysqlnd.collect_statistics = On
+mysqlnd.collect_memory_statistics = Off
+[OCI8]
+; Nothing here
+[PostgreSQL]
+pgsql.allow_persistent = On
+pgsql.auto_reset_persistent = Off
+pgsql.max_persistent = -1
+pgsql.max_links = -1
+pgsql.ignore_notice = 0
+pgsql.log_notice = 0
+[bcmath]
+bcmath.scale = 0
+[browscap]
+; Nothing here
+[Session]
+session.save_handler = files
+session.use_strict_mode = 0
+session.use_cookies = 1
+session.use_only_cookies = 1
+session.name = PHPSESSID
+session.auto_start = 0
+session.cookie_lifetime = 0
+session.cookie_path = /
+session.cookie_domain =
+session.cookie_httponly =
+session.cookie_samesite =
+session.serialize_handler = php
+session.gc_probability = 0
+session.gc_divisor = 1000
+session.gc_maxlifetime = 1440
+session.referer_check =
+session.cache_limiter = nocache
+session.cache_expire = 180
+session.use_trans_sid = 0
+session.sid_length = 26
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+session.sid_bits_per_character = 5
+[Assertion]
+zend.assertions = -1
+[COM]
+; Nothing here
+[mbstring]
+; Nothing here
+[gd]
+; Nothing here
+[exif]
+; Nothing here
+[Tidy]
+tidy.clean_output = Off
+[soap]
+soap.wsdl_cache_enabled=1
+soap.wsdl_cache_dir="/tmp"
+soap.wsdl_cache_ttl=86400
+soap.wsdl_cache_limit = 5
+[sysvshm]
+; Nothing here
+[ldap]
+ldap.max_links = -1
+[dba]
+; Nothing here
+[opcache]
+opcache.interned_strings_buffer=64
+[curl]
+; Nothing here
+[openssl]
+; Nothing here
+[ffi]
+; Nothing here
+

customers/base/files/apcu.ini

@@ -0,0 +1,3 @@
+extension=apcu.so
+apc.enable_cli=1
+

customers/base/files/cli-php.ini

@@ -0,0 +1,157 @@
+[PHP]
+allow_url_fopen = On
+allow_url_include = Off
+auto_append_file =
+auto_globals_jit = On
+auto_prepend_file =
+default_charset = "UTF-8"
+default_mimetype = "text/html"
+default_socket_timeout = 60
+disable_classes =
+disable_functions =
+display_errors = Off
+display_startup_errors = Off
+doc_root =
+enable_dl = Off
+engine = On
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+expose_php = On
+file_uploads = On
+ignore_repeated_errors = Off
+ignore_repeated_source = Off
+implicit_flush = Off
+log_errors = On
+log_errors_max_len = 1024
+max_execution_time = 86400
+max_file_uploads = 20
+max_input_time = 86400
+memory_limit = -1
+output_buffering = Off
+post_max_size = 16G
+precision = 14
+register_argc_argv = Off
+report_memleaks = On
+request_order = "GP"
+serialize_precision = -1
+short_open_tag = Off
+unserialize_callback_func =
+upload_max_filesize = 16G
+user_dir =
+variables_order = "GPCS"
+zend.enable_gc = On
+zend.exception_ignore_args = On
+zlib.output_compression = Off
+[CLI Server]
+cli_server.color = On
+[Date]
+; Nothing here
+[filter]
+; Nothing here
+[iconv]
+; Nothing here
+[imap]
+; Nothing here
+[intl]
+; Nothing here
+[sqlite3]
+; Nothing here
+[Pcre]
+; Nothing here
+[Pdo]
+; Nothing here
+[Pdo_mysql]
+pdo_mysql.default_socket=
+[Phar]
+; Nothing here
+[mail function]
+SMTP = localhost
+smtp_port = 25
+mail.add_x_header = Off
+[ODBC]
+odbc.allow_persistent = On
+odbc.check_persistent = On
+odbc.max_persistent = -1
+odbc.max_links = -1
+odbc.defaultlrl = 4096
+odbc.defaultbinmode = 1
+[MySQLi]
+mysqli.max_persistent = -1
+mysqli.allow_persistent = On
+mysqli.max_links = -1
+mysqli.default_port = 3306
+mysqli.default_socket =
+mysqli.default_host =
+mysqli.default_user =
+mysqli.default_pw =
+mysqli.reconnect = Off
+[mysqlnd]
+mysqlnd.collect_statistics = On
+mysqlnd.collect_memory_statistics = Off
+[OCI8]
+; Nothing here
+[PostgreSQL]
+pgsql.allow_persistent = On
+pgsql.auto_reset_persistent = Off
+pgsql.max_persistent = -1
+pgsql.max_links = -1
+pgsql.ignore_notice = 0
+pgsql.log_notice = 0
+[bcmath]
+bcmath.scale = 0
+[browscap]
+; Nothing here
+[Session]
+session.save_handler = files
+session.use_strict_mode = 0
+session.use_cookies = 1
+session.use_only_cookies = 1
+session.name = PHPSESSID
+session.auto_start = 0
+session.cookie_lifetime = 0
+session.cookie_path = /
+session.cookie_domain =
+session.cookie_httponly =
+session.cookie_samesite =
+session.serialize_handler = php
+session.gc_probability = 0
+session.gc_divisor = 1000
+session.gc_maxlifetime = 1440
+session.referer_check =
+session.cache_limiter = nocache
+session.cache_expire = 180
+session.use_trans_sid = 0
+session.sid_length = 26
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+session.sid_bits_per_character = 5
+[Assertion]
+zend.assertions = -1
+[COM]
+; Nothing here
+[mbstring]
+; Nothing here
+[gd]
+; Nothing here
+[exif]
+; Nothing here
+[Tidy]
+tidy.clean_output = Off
+[soap]
+soap.wsdl_cache_enabled=1
+soap.wsdl_cache_dir="/tmp"
+soap.wsdl_cache_ttl=86400
+soap.wsdl_cache_limit = 5
+[sysvshm]
+; Nothing here
+[ldap]
+ldap.max_links = -1
+[dba]
+; Nothing here
+[opcache]
+opcache.interned_strings_buffer=64
+[curl]
+; Nothing here
+[openssl]
+; Nothing here
+[ffi]
+; Nothing here
+

customers/base/files/config.php

@@ -0,0 +1,107 @@
+<?php
+$CONFIG = array (
+  'app_install_overwrite' =>
+    array (
+      0 => 'globalsiteselector',
+    ),
+  'apps_paths' =>
+    array (
+      0 =>
+        array (
+          'path' => '/var/www/html/apps',
+          'url' => '/apps',
+          'writable' => false,
+        ),
+      1 =>
+        array (
+          'path' => '/var/www/html/custom_apps',
+          'url' => '/custom_apps',
+          'writable' => true,
+        ),
+    ),
+  'appstoreenabled' => false,
+  'config_is_read_only' => true,
+  'csrf.disabled' => true,
+  'datadirectory' => '/var/www/html/data',
+  'dbhost' => '{{MYSQL_HOST}}:{{MYSQL_PORT}}',
+  'dbname' => '{{MYSQL_DATABASE}}',
+  'dbpassword' => '{{MYSQL_PASSWORD}}',
+  'dbport' => '{{MYSQL_PORT}}',
+  'dbtableprefix' => 'oc_',
+  'dbtype' => 'mysql',
+  'dbuser' => '{{MYSQL_USER}}',
+  'default_phone_region' => 'SE',
+  'forcessl' => true,
+  'gs.enabled' => 'true',
+  'gs.federation' => 'global',
+  'gs.trustedHosts' => ['*.sunet.se'],
+  'htaccess.RewriteBase' => '/',
+  'installed' => true,
+  'instanceid' => '{{NEXTCLOUD_INSTANCEID}}',
+  'integrity.check.disabled' => true,
+  'log_type' => 'file',
+  'loglevel' => 0,
+  'lookup_server' => '{{LOOKUP_SERVER}}',
+  'mail_domain' => '{{MAIL_DOMAIN}}',
+  'mail_from_address' => '{{MAIL_FROM_ADDRESS}}',
+  'mail_sendmailmode' => 'smtp',
+  'mail_smtpauth' => 1,
+  'mail_smtpauthtype' => 'LOGIN',
+  'mail_smtphost' => '{{MAIL_SMTPHOST}}',
+  'mail_smtpmode' => 'smtp',
+  'mail_smtpname' => '{{MAIL_SMTPNAME}}',
+  'mail_smtppassword' => '{{MAIL_SMTPPASSWORD}}',
+  'mail_smtpport' => '587',
+  'mail_smtpsecure' => 'tls',
+  'mail_template_class' => 'OCA\DriveEmailTemplate\EMailTemplate',
+  'memcache.distributed' => '\\OC\\Memcache\\Redis',
+  'memcache.local' => '\\OC\\Memcache\\APCu',
+  'memcache.locking' => '\\OC\\Memcache\\Redis',
+  'mysql.utf8mb4' => true,
+  'objectstore' =>
+    array (
+      'class' => '\\OC\\Files\\ObjectStore\\S3',
+      'arguments' =>
+        array (
+          'autocreate' => false,
+          'bucket' => '{{OBJECTSTORE_S3_BUCKET}}',
+          'hostname' => '{{OBJECTSTORE_S3_HOST}}',
+          'key' => '{{OBJECTSTORE_S3_KEY}}',
+          'legacy_auth' => false,
+          'objectPrefix' => 'urn:oid:',
+          'port' => '',
+          'region' => '{{OBJECTSTORE_S3_REGION}}',
+          'secret' => '{{OBJECTSTORE_S3_SECRET}}',
+          'use_path_style' => true,
+          'use_ssl' => true,
+        ),
+    ),
+  'overwrite.cli.url' => 'https://{{SITE_NAME}}/',
+  'overwritehost' => '{{SITE_NAME}}',
+  'overwriteprotocol' => 'https',
+  'passwordsalt' => '{{NEXTCLOUD_PASSWORDSALT}}',
+  'secret' => '{{NEXTCLOUD_SECRET}}',
+  'redis' =>
+    array (
+      'host' => '{{REDIS_HOST}}',
+      'port' => 6379,
+    ),
+  'skeletondirectory' => '',
+  'templatedirectory' => '',
+  'trusted_domains' =>
+    array (
+      0 => '{{NEXTCLOUD_TRUSTED_DOMAINS}}'
+    ),
+  'trusted_proxies' =>
+    array (
+      0 => '10.0.0.0/8'
+    ),
+  'twofactor_enforced' => 'true',
+  'twofactor_enforced_groups' =>
+    array (
+      0 => 'admin',
+    ),
+  'updatechecker' => false,
+  'version' => '{{NEXTCLOUD_VERSION_STRING}}',
+);
+

customers/base/files/nc-upgrade

@@ -0,0 +1,14 @@
+#!/bin/bash
+sed "s/config_is_read_only\(.\) => true,/config_is_read_only\1 => false,/" /var/www/html/config/config.php > /var/www/html/config/config.php.tmp
+mv /var/www/html/config/config.php.tmp /var/www/html/config/config.php
+php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ upgrade
+php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:update:htaccess
+php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:repair
+php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:mode --off
+php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-primary-keys
+php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-columns
+php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-indices
+sed "s/config_is_read_only\(.\) => false,/config_is_read_only\1 => true,/" /var/www/html/config/config.php > /var/www/html/config/config.php.tmp
+mv /var/www/html/config/config.php.tmp /var/www/html/config/config.php
+chown www-data:www-data /var/www/html/config/config.php
+

customers/base/kustomization.yaml

@@ -1,13 +1,37 @@
 resources:
-  - apache-configmap.yml
-  - apache-php-configmap.yml
-  - apcu-configmap.yml
-  - cli-php-configmap.yml
-  - nextcloud-configmap.yml
+  - env-configmap.yml
+  - nextcloud-cert-issuer.yml
   - nextcloud-deployment.yml
   - nextcloud-ingress.yml
   - nextcloud-service.yml
   - redis-deployment.yml
   - redis-service.yml
   - s3-service.yml
-  - script-configmap.yml
+
+configMapGenerator:
+  - name: apache-configmap
+    files:
+      - files/000-default.conf
+  - name: apache-php-configmap
+    files:
+      - php.ini=files/apache-php.ini
+  - name: apcu-configmap
+    files:
+      - files/apcu.ini
+  - name: nextcloud-configmap
+    files:
+      - files/config.php
+  - name: cli-php-configmap
+    files:
+      - php.ini=files/cli-php.ini
+  - name: script-configmap
+    files:
+      - files/nc-upgrade
+
+generatorOptions:
+  disableNameSuffixHash: true
+
+images:
+  - name: nextcloud-custom-image
+    newName: docker.sunet.se/drive/nextcloud-custom
+    newTag: 30.0.5.2-2

customers/base/nextcloud-cert-issuer.yml

@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: drive@sunet.se
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+      - http01:
+          ingress: 
+            class: nginx
+

customers/base/nextcloud-configmap.yml

@@ -1,115 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: nextcloud-configmap
-data:
-  config.php: |
-    <?php
-    $CONFIG = array (
-      'app_install_overwrite' =>
-        array (
-          0 => 'globalsiteselector',
-        ),
-      'apps_paths' =>
-        array (
-          0 =>
-            array (
-              'path' => '/var/www/html/apps',
-              'url' => '/apps',
-              'writable' => false,
-            ),
-          1 =>
-            array (
-              'path' => '/var/www/html/custom_apps',
-              'url' => '/custom_apps',
-              'writable' => true,
-            ),
-        ),
-      'appstoreenabled' => false,
-      'config_is_read_only' => true,
-      'csrf.disabled' => true,
-      'datadirectory' => '/var/www/html/data',
-      'dbhost' => '{{MYSQL_HOST}}:{{MYSQL_PORT}}',
-      'dbname' => '{{MYSQL_DATABASE}}',
-      'dbpassword' => '{{MYSQL_PASSWORD}}',
-      'dbport' => '{{MYSQL_PORT}}',
-      'dbtableprefix' => 'oc_',
-      'dbtype' => 'mysql',
-      'dbuser' => '{{MYSQL_USER}}',
-      'default_phone_region' => 'SE',
-      'forcessl' => true,
-      'gs.enabled' => 'true',
-      'gs.federation' => 'global',
-      'gs.trustedHosts' => ['*.sunet.se'],
-      'gss.jwt.key' => '{{GSS_JWT_KEY}}',
-      'gss.master.url' => '{{GSS_MASTER_URL}}',
-      'gss.mode' => 'slave',
-      'gss.user.discovery.module' => '\\OCA\\GlobalSiteSelector\\UserDiscoveryModules\\ManualUserMapping',
-      'installed' => true,
-      'instanceid' => '{{NEXTCLOUD_INSTANCEID}}',
-      'integrity.check.disabled' => true,
-      'log_type' => 'file',
-      'loglevel' => 0,
-      'lookup_server' => '{{LOOKUP_SERVER}}',
-      'mail_domain' => '{{MAIL_DOMAIN}}',
-      'mail_from_address' => '{{MAIL_FROM_ADDRESS}}',
-      'mail_sendmailmode' => 'smtp',
-      'mail_smtpauth' => 1,
-      'mail_smtpauthtype' => 'LOGIN',
-      'mail_smtphost' => '{{MAIL_SMTPHOST}}',
-      'mail_smtpmode' => 'smtp',
-      'mail_smtpname' => '{{MAIL_SMTPNAME}}',
-      'mail_smtppassword' => '{{MAIL_SMTPPASSWORD}}',
-      'mail_smtpport' => '587',
-      'mail_smtpsecure' => 'tls',
-      'mail_template_class' => 'OCA\DriveEmailTemplate\EMailTemplate',
-      'memcache.distributed' => '\\OC\\Memcache\\Redis',
-      'memcache.local' => '\\OC\\Memcache\\APCu',
-      'memcache.locking' => '\\OC\\Memcache\\Redis',
-      'mysql.utf8mb4' => true,
-      'objectstore' =>
-        array (
-          'class' => '\\OC\\Files\\ObjectStore\\S3',
-          'arguments' =>
-            array (
-              'autocreate' => false,
-              'bucket' => '{{OBJECTSTORE_S3_BUCKET}}',
-              'hostname' => '{{OBJECTSTORE_S3_HOST}}',
-              'key' => '{{OBJECTSTORE_S3_KEY}}',
-              'legacy_auth' => false,
-              'objectPrefix' => 'urn:oid:',
-              'port' => '',
-              'region' => '{{OBJECTSTORE_S3_REGION}}',
-              'secret' => '{{OBJECTSTORE_S3_SECRET}}',
-              'use_path_style' => true,
-              'use_ssl' => true,
-            ),
-        ),
-      'overwrite.cli.url' => 'https://{{SITE_NAME}}',
-      'overwritehost' => '{{SITE_NAME}}',
-      'overwriteprotocol' => 'https',
-      'passwordsalt' => '{{NEXTCLOUD_PASSWORDSALT}}',
-      'secret' => '{{NEXTCLOUD_SECRET}}',
-      'redis' =>
-        array (
-          'host' => '{{REDIS_HOST}}',
-          'port' => 6379,
-        ),
-      'skeletondirectory' => '',
-      'templatedirectory' => '',
-      'trusted_domains' =>
-        array (
-          0 => '{{NEXTCLOUD_TRUSTED_DOMAINS}}'
-        ),
-      'trusted_proxies' =>
-        array (
-          0 => '10.0.0.0/8'
-        ),
-      'twofactor_enforced' => 'true',
-      'twofactor_enforced_groups' =>
-        array (
-          0 => 'admin',
-        ),
-      'updatechecker' => false,
-      'version' => '{{NEXTCLOUD_VERSION_STRING}}',
-    );

customers/base/nextcloud-deployment.yml

@@ -11,16 +11,6 @@ spec:
       app: customer-node
   updateStrategy:
     type: RollingUpdate
-  volumeClaimTemplates:
-    - metadata:
-        name: nextcloud-data
-      spec:
-        storageClassName: csi-sc-cinderplugin
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
   template:
     metadata:
       labels:
@@ -28,9 +18,25 @@ spec:
         kano: micke
     spec:
       restartPolicy: Always
+      initContainers:
+        - image: docker.sunet.se/sunet/docker-jinja:latest
+          name: init-config
+          volumeMounts:
+            - name: nextcloud-config
+              mountPath: /tmp/config.php.template
+              subPath: config.php
+            - name: nextcloud-data
+              mountPath: /var/www/html/config
+              subPath: config
+          envFrom:
+            - configMapRef:
+                name: nextcloud-env
+            - secretRef:
+                name: nextcloud-secrets
+          command: ["/bin/bash", "-c", "/usr/bin/j2 -f env -o /var/www/html/config/config.php /tmp/config.php.template"]
       containers:
         - name: customer
-          image: docker.sunet.se/drive/nextcloud-custom:27.1.6.3-5
+          image: nextcloud-custom-image
           volumeMounts:
             - name: nextcloud-data
               mountPath: /var/www/html/config/
@@ -76,105 +82,6 @@ spec:
             postStart:
               exec:
                 command: ["/bin/bash", "-c", "/usr/local/bin/nc-upgrade"]
-      initContainers:
-        - image: docker.sunet.se/sunet/docker-jinja:latest
-          name: init-config
-          volumeMounts:
-            - name: nextcloud-config
-              mountPath: /tmp/config.php.template
-              subPath: config.php
-            - name: nextcloud-data
-              mountPath: /var/www/html/config
-              subPath: config
-          env:
-            - name: GSS_MASTER_URL
-              value: "https://drive.test.sunet.se"
-            - name: GSS_JWT_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: gss-secret
-                  key: "jwt_key"
-            - name: LOOKUP_SERVER
-              value: "https://lookup.drive.test.sunet.se"
-            - name: MAIL_DOMAIN
-              value: "drive.test.sunet.se"
-            - name: MAIL_FROM_ADDRESS
-              value: "noreply"
-            - name: MAIL_SMTPHOST
-              value: "smtp.sunet.se"
-            - name: MAIL_SMTPNAME
-              value: "noreply@drive.test.sunet.se"
-            - name: MAIL_SMTPPASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: mail-secret
-                  key: "smtp_password"
-            - name: MYSQL_DATABASE
-              value: "nextcloud_customer"
-            - name: MYSQL_USER
-              value: "nextcloud_customer"
-            - name: MYSQL_HOST
-              value: "proxysqlcluster.proxysql"
-            - name: MYSQL_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: db-secret
-                  key: "db_password"
-            - name: MYSQL_PORT
-              value: "6033"
-            - name: NEXTCLOUD_TRUSTED_DOMAINS
-              value: "customer.drive.test.sunet.se"
-            - name: NEXTCLOUD_ADMIN_USER
-              value: admin
-            - name: NEXTCLOUD_VERSION_STRING
-              value: "26.0.1.2"
-            - name: NEXTCLOUD_ADMIN_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: nc-secret
-                  key: "nc_admin_password"
-            - name: NEXTCLOUD_PASSWORDSALT
-              valueFrom:
-                secretKeyRef:
-                  name: nc-secret
-                  key: "nc_passwordsalt"
-            - name: NEXTCLOUD_INSTANCEID
-              valueFrom:
-                secretKeyRef:
-                  name: nc-secret
-                  key: "nc_instanceid"
-            - name: NEXTCLOUD_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: nc-secret
-                  key: "nc_secret"
-            - name: OBJECTSTORE_S3_REGION
-              value: "us-east-1"
-            - name: OBJECTSTORE_S3_HOST
-              value: "s3.sto4.safedc.net"
-            - name: OBJECTSTORE_S3_BUCKET
-              value: "primary-customer-drive-test.sunet.se"
-            - name: OBJECTSTORE_S3_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: s3-secret
-                  key: "s3_key"
-            - name: OBJECTSTORE_S3_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: s3-secret
-                  key: "s3_secret"
-            - name: OBJECTSTORE_S3_USEPATH_STYLE
-              value: "true"
-            - name: OBJECTSTORE_S3_AUTOCREATE
-              value: "true"
-            - name: OBJECTSTORE_S3_SSL
-              value: "true"
-            - name: REDIS_HOST
-              value: "redis"
-            - name: SITE_NAME
-              value: "customer.drive.test.sunet.se"
-          command: ["/bin/bash", "-c", "/usr/bin/j2 -f env -o /var/www/html/config/config.php /tmp/config.php.template"]
       volumes:
         - name: script-config
           configMap:
@@ -213,3 +120,5 @@ spec:
             items:
               - key: "config.php"
                 path: "config.php"
+        - name: nextcloud-data
+          emptyDir: {}

customers/base/nextcloud-ingress.yml

@@ -4,10 +4,15 @@ kind: Ingress
 metadata:
   name: customer-ingress
   annotations:
-    kubernetes.io/ingress.class: traefik
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+    nginx.ingress.kubernetes.io/affinity-mode: "persistent"
+    nginx.ingress.kubernetes.io/affinity: "cookie"
+    nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
+    nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
+    nginx.ingress.kubernetes.io/session-cookie-name: "sticky"
 spec:
+  ingressClassName: nginx
   defaultBackend:
     service:
       name: customer-node
@@ -17,7 +22,6 @@ spec:
     - hosts:
         - customer.drive.test.sunet.se
       secretName: tls-secret
-  
   rules:
   - host: customer.drive.test.sunet.se
     http:

customers/base/script-configmap.yml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: script-configmap
-data:
-  nc-upgrade: |
-    #!/bin/bash
-    sed "s/config_is_read_only\(.\) => true,/config_is_read_only\1 => false,/" /var/www/html/config/config.php > /var/www/html/config/config.php.tmp
-    mv /var/www/html/config/config.php.tmp /var/www/html/config/config.php
-    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ app:disable globalsiteselector
-    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ upgrade
-    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ app:enable globalsiteselector
-    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:repair
-    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:mode --off
-    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-primary-keys
-    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-columns
-    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-indices
-    sed "s/config_is_read_only\(.\) => false,/config_is_read_only\1 => true,/" /var/www/html/config/config.php > /var/www/html/config/config.php.tmp
-    mv /var/www/html/config/config.php.tmp /var/www/html/config/config.php

customers/overlays/nordunet/test/env-configmap.yml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nextcloud-env
+data:
+  MYSQL_DATABASE: 'nextcloud_nordunet'
+  MYSQL_USER: 'nextcloud_nordunet'
+  NEXTCLOUD_TRUSTED_DOMAINS: 'nordunet.drive.test.sunet.se'
+  OBJECTSTORE_S3_BUCKET: 'primary-nordunet-drive-test.sunet.se'
+  SITE_NAME: 'nordunet.drive.test.sunet.se'

customers/overlays/nordunet/test/kustomization.yaml

@@ -1,7 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- ../../../base
+  - ../../../base
 patches:
-- path: nextcloud-deployment.yml
-- path: nextcloud-ingress.yml
+  - path: env-configmap.yml
+  - path: nextcloud-deployment.yml
+  - path: nextcloud-ingress.yml

customers/overlays/nordunet/test/nextcloud-deployment.yml

@@ -6,30 +6,3 @@ metadata:
     app: customer-node
 spec:
   replicas: 1
-  template:
-    metadata:
-      labels:
-        app: customer-node
-    spec:
-      initContainers:
-        - image: docker.sunet.se/sunet/docker-jinja:latest
-          name: init-config
-          env:
-            - name: MYSQL_DATABASE
-              value: "nextcloud_nordunet"
-            - name: MYSQL_USER
-              value: "nextcloud_nordunet"
-            - name: GSS_MASTER_URL
-              value: "https://drive.test.sunet.se"
-            - name: LOOKUP_SERVER
-              value: "https://lookup.drive.test.sunet.se"
-            - name: MAIL_DOMAIN
-              value: "drive.test.sunet.se"
-            - name: MAIL_SMTPNAME
-              value: "noreply@drive.test.sunet.se"
-            - name: NEXTCLOUD_TRUSTED_DOMAINS
-              value: "nordunet.drive.test.sunet.se"
-            - name: OBJECTSTORE_S3_BUCKET
-              value: "primary-nordunet-drive-test.sunet.se"
-            - name: SITE_NAME
-              value: "nordunet.drive.test.sunet.se"

customers/overlays/nordunet/test/nextcloud-ingress.yml

@@ -4,15 +4,15 @@ kind: Ingress
 metadata:
   name: customer-ingress
   annotations:
-    kubernetes.io/ingress.class: traefik
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
 spec:
+  ingressClassName: nginx
   tls:
     - hosts:
         - nordunet.drive.test.sunet.se
       secretName: tls-secret
-  
+  ingressClassName: nginx
   rules:
   - host: nordunet.drive.test.sunet.se
     http:

customers/overlays/richir/test/env-configmap.yml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nextcloud-env
+data:
+  MYSQL_DATABASE: 'nextcloud_richir'
+  MYSQL_USER: 'nextcloud_richir'
+  NEXTCLOUD_TRUSTED_DOMAINS: 'richir.drive.test.sunet.se'
+  OBJECTSTORE_S3_BUCKET: 'primary-richir-drive-test.sunet.se'
+  SITE_NAME: 'richir.drive.test.sunet.se'

customers/overlays/richir/test/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../base
+patches:
+  - path: env-configmap.yml
+  - path: nextcloud-deployment.yml
+  - path: nextcloud-ingress.yml

customers/overlays/richir/test/nextcloud-deployment.yml

@@ -0,0 +1,8 @@
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+  name: customer-node
+  labels:
+    app: customer-node
+spec:
+  replicas: 2

customers/overlays/richir/test/nextcloud-ingress.yml

@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: customer-ingress
+  annotations:
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - richir.drive.test.sunet.se
+      secretName: tls-secret
+  ingressClassName: nginx
+  rules:
+  - host: richir.drive.test.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: customer-node
+            port:
+              number: 80

customers/overlays/vinnova/test/env-configmap.yml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nextcloud-env
+data:
+  MYSQL_DATABASE: 'nextcloud_vinnova'
+  MYSQL_USER: 'nextcloud_vinnova'
+  NEXTCLOUD_TRUSTED_DOMAINS: 'vinnova.drive.test.sunet.se'
+  OBJECTSTORE_S3_BUCKET: 'primary-vinnova-test.sunet.se'
+  SITE_NAME: 'vinnova.drive.test.sunet.se'

customers/overlays/vinnova/test/kustomization.yaml

@@ -1,7 +1,8 @@
-apiVersion: 'kustomize.config.k8s.io/v1beta1'
+apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-bases:
-- ../../../base
-patchesStrategicMerge:
-  - nextcloud-deployment.yml
-  - nextcloud-ingress.yml
+resources:
+  - ../../../base
+patches:
+  - path: env-configmap.yml
+  - path: nextcloud-deployment.yml
+  - path: nextcloud-ingress.yml

customers/overlays/vinnova/test/nextcloud-deployment.yml

@@ -5,30 +5,4 @@ metadata:
   labels:
     app: customer-node
 spec:
-  template:
-    metadata:
-      labels:
-        app: customer-node
-    spec:
-      initContainers:
-        - image: docker.sunet.se/sunet/docker-jinja:latest
-          name: init-config
-          env:
-            - name: MYSQL_DATABASE
-              value: "nextcloud_vinnova"
-            - name: MYSQL_USER
-              value: "nextcloud_vinnova"
-            - name: GSS_MASTER_URL
-              value: "https://drive.test.sunet.se"
-            - name: LOOKUP_SERVER
-              value: "https://lookup.drive.test.sunet.se"
-            - name: MAIL_DOMAIN
-              value: "drive.test.sunet.se"
-            - name: MAIL_SMTPNAME
-              value: "noreply@drive.test.sunet.se"
-            - name: NEXTCLOUD_TRUSTED_DOMAINS
-              value: "vinnova.drive.test.sunet.se"
-            - name: OBJECTSTORE_S3_BUCKET
-              value: "primary-vinnova-test.sunet.se"
-            - name: SITE_NAME
-              value: "vinnova.drive.test.sunet.se"
+  replicas: 1

customers/overlays/vinnova/test/nextcloud-ingress.yml

@@ -4,15 +4,15 @@ kind: Ingress
 metadata:
   name: customer-ingress
   annotations:
-    kubernetes.io/ingress.class: traefik
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
 spec:
+  ingressClassName: nginx
   tls:
     - hosts:
         - vinnova.drive.test.sunet.se
       secretName: tls-secret
-  
+  ingressClassName: nginx
   rules:
   - host: vinnova.drive.test.sunet.se
     http:

customers/overlays/vr/test/nextcloud-deployment.yml

@@ -1,35 +0,0 @@
-kind: StatefulSet
-apiVersion: apps/v1
-metadata:
-  name: customer-node
-  labels:
-    app: customer-node
-spec:
-  replicas: 1
-  template:
-    metadata:
-      labels:
-        app: customer-node
-    spec:
-      initContainers:
-        - image: docker.sunet.se/sunet/docker-jinja:latest
-          name: init-config
-          env:
-            - name: MYSQL_DATABASE
-              value: "nextcloud_vr"
-            - name: MYSQL_USER
-              value: "nextcloud_vr"
-            - name: GSS_MASTER_URL
-              value: "https://drive.test.sunet.se"
-            - name: LOOKUP_SERVER
-              value: "https://lookup.drive.test.sunet.se"
-            - name: MAIL_DOMAIN
-              value: "drive.test.sunet.se"
-            - name: MAIL_SMTPNAME
-              value: "noreply@drive.test.sunet.se"
-            - name: NEXTCLOUD_TRUSTED_DOMAINS
-              value: "vr.drive.test.sunet.se"
-            - name: OBJECTSTORE_S3_BUCKET
-              value: "primary-vr-drive-test.sunet.se"
-            - name: SITE_NAME
-              value: "vr.drive.test.sunet.se"

health/overlays/drive-test/health-ingress.yml

@@ -5,20 +5,18 @@ metadata:
   name: health-ingress
   namespace: health
   annotations:
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
+    kubernetes.io/ingress.class: nginx
 spec:
   defaultBackend:
     service:
       name: health-node
       port:
         number: 8443
-  ingressClassName: traefik
+  ingressClassName: nginx
   tls:
     - hosts:
         - kube.drive.test.sunet.se 
       secretName: tls-secret
-  
   rules:
   - host: kube.drive.test.sunet.se
     http:

health/overlays/sunet-prod/health-ingress.yml

@@ -0,0 +1,30 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: health-ingress
+  namespace: health
+  annotations:
+    kubernetes.io/ingress.class: nginx
+spec:
+  defaultBackend:
+    service:
+      name: health-node
+      port:
+        number: 8443
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - sunet-kube.drive.sunet.se 
+      secretName: tls-secret
+  rules:
+  - host: sunet-kube.drive.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend: 
+          service:
+            name: health-node
+            port:
+              number: 8080

health/overlays/sunet-prod/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+patches:
+- path: health-ingress.yml

health/overlays/sunet-test/health-ingress.yml

@@ -0,0 +1,30 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: health-ingress
+  namespace: health
+  annotations:
+    kubernetes.io/ingress.class: nginx
+spec:
+  defaultBackend:
+    service:
+      name: health-node
+      port:
+        number: 8443
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - sunet-kube.drive.test.sunet.se 
+      secretName: tls-secret
+  rules:
+  - host: sunet-kube.drive.test.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend: 
+          service:
+            name: health-node
+            port:
+              number: 8080

health/overlays/sunet-test/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+patches:
+- path: health-ingress.yml

jupyter/base/jupyterhub-cert-issuer.yaml

@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: drive@sunet.se
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+      - http01:
+          ingress: 
+            class: nginx
+

jupyter/base/jupyterhub-ingress.yml

@@ -4,7 +4,6 @@ kind: Ingress
 metadata:
   name: jupyterhub-ingress
   annotations:
-    kubernetes.io/ingress.class: traefik
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
 spec:

jupyter/base/kustomization.yaml

@@ -1,4 +1,4 @@
 ---
-resources: [jupyterhub-ingress.yml, jupyterhub-service.yml]
+resources: [jupyterhub-ingress.yml, jupyterhub-service.yml, jupyterhub-cert-issuer.yaml]
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

jupyter/overlays/dev/vr/jupyterhub-ingress.yml

@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jupyterhub-ingress
+  annotations:
+    kubernetes.io/ingress.class: nginx
+spec:
+  defaultBackend:
+    service:
+      name: proxy-public
+      port:
+        number: 80
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - vr-jupyter.drive.sunet.se
+      secretName: prod-tls-secret
+  rules:
+  - host: vr-jupyter.drive.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend: 
+          service:
+            name: proxy-public
+            port:
+              number: 80

jupyter/overlays/dev/vr/jupyterhub-service.yml

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+items:
+- apiVersion: v1
+  kind: Service
+  metadata:
+    labels:
+      app: jupyterhub-node
+    name: jupyterhub-node
+  spec:
+    ports:
+    - port: 8080
+      protocol: TCP
+      targetPort: 8080
+    selector:
+      app: jupyterhub-node
+    sessionAffinity: None
+    type: ClusterIP
+  status:
+    loadBalancer: {}
+kind: List
+metadata:
+  resourceVersion: ""
+  selfLink: ""

jupyter/overlays/dev/vr/kustomization.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: [../../../base/]
+helmCharts:
+  - includeCRDs: true
+    name: jupyterhub
+    releaseName: vr-jupyterhub
+    valuesFile: ./values/values.yaml
+    version: 3.2.1
+    namespace: vr-jupyterhub
+helmGlobals:
+  chartHome: ../../../base/charts/
+patches:
+  - path: jupyterhub-ingress.yml
+  - path: jupyterhub-service.yml

jupyter/overlays/dev/vr/values/values.yaml

@@ -0,0 +1,335 @@
+debug:
+  enabled: true
+hub:
+  config:
+    Authenticator:
+      auto_login: true
+      enable_auth_state: true
+    JupyterHub:
+      tornado_settings:
+        headers: { 'Content-Security-Policy': "frame-ancestors *;" }
+  db:
+    pvc:
+      storageClassName: csi-sc-cinderplugin
+  extraConfig:
+    oauthCode: |
+      import time
+      import requests
+      from datetime import datetime
+      from oauthenticator.generic import GenericOAuthenticator
+      token_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'
+      debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
+
+      def get_nextcloud_access_token(refresh_token):
+        client_id = os.environ['NEXTCLOUD_CLIENT_ID']
+        client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
+
+        code = refresh_token
+        data = {
+          'grant_type': 'refresh_token',
+          'code': code,
+          'refresh_token': refresh_token,
+          'client_id': client_id,
+          'client_secret': client_secret
+        }
+        response = requests.post(token_url, data=data)
+        if debug:
+          print(response.text)
+        return response.json()
+
+      def post_auth_hook(authenticator, handler, authentication):
+        user = authentication['auth_state']['oauth_user']['ocs']['data']['id']
+        auth_state = authentication['auth_state']
+        auth_state['token_expires'] =  time.time() + auth_state['token_response']['expires_in']
+        authentication['auth_state'] = auth_state
+        return authentication
+
+      class NextcloudOAuthenticator(GenericOAuthenticator):
+        def __init__(self, *args, **kwargs):
+          super().__init__(*args, **kwargs)
+          self.user_dict = {}
+
+        async def pre_spawn_start(self, user, spawner):
+          super().pre_spawn_start(user, spawner)
+          auth_state = await user.get_auth_state()
+          if not auth_state:
+            return
+          access_token = auth_state['access_token']
+          spawner.environment['NEXTCLOUD_ACCESS_TOKEN'] = access_token
+
+        async def refresh_user(self, user, handler=None):
+          auth_state = await user.get_auth_state()
+          if not auth_state:
+            if debug:
+              print(f'auth_state missing for {user}')
+            return False
+          access_token = auth_state['access_token']
+          refresh_token = auth_state['refresh_token']
+          token_response = auth_state['token_response']
+          now = time.time()
+          now_hr = datetime.fromtimestamp(now)
+          expires = auth_state['token_expires']
+          expires_hr = datetime.fromtimestamp(expires)
+          expires = 0
+          if debug:
+            print(f'auth_state for {user}: {auth_state}')
+          if now >= expires:
+            if debug:
+              print(f'Time is: {now_hr}, token expired: {expires_hr}')
+              print(f'Refreshing token for {user}')
+            try:
+              token_response = get_nextcloud_access_token(refresh_token)
+              auth_state['access_token'] = token_response['access_token']
+              auth_state['refresh_token'] = token_response['refresh_token']
+              auth_state['token_expires'] = now + token_response['expires_in']
+              auth_state['token_response'] = token_response
+              if debug:
+                print(f'Successfully refreshed token for {user.name}')
+                print(f'auth_state for {user.name}: {auth_state}')
+              return {'name': user.name, 'auth_state': auth_state}
+            except Exception as e:
+              if debug:
+                print(f'Failed to refresh token for {user}')
+              return False
+            return False
+          if debug:
+            print(f'Time is: {now_hr}, token expires: {expires_hr}')
+          return True
+
+      c.JupyterHub.authenticator_class = NextcloudOAuthenticator
+      c.NextcloudOAuthenticator.client_id = os.environ['NEXTCLOUD_CLIENT_ID']
+      c.NextcloudOAuthenticator.client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
+      c.NextcloudOAuthenticator.login_service = 'Sunet Drive'
+      c.NextcloudOAuthenticator.username_claim = lambda r: r.get('ocs', {}).get('data', {}).get('id')
+      c.NextcloudOAuthenticator.userdata_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/ocs/v2.php/cloud/user?format=json'
+      c.NextcloudOAuthenticator.authorize_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
+      c.NextcloudOAuthenticator.token_url = token_url
+      c.NextcloudOAuthenticator.oauth_callback_url = 'https://' + os.environ['JUPYTER_HOST'] + '/hub/oauth_callback'
+      c.NextcloudOAuthenticator.allow_all = True
+      c.NextcloudOAuthenticator.refresh_pre_spawn = True
+      c.NextcloudOAuthenticator.enable_auth_state = True
+      c.NextcloudOAuthenticator.auth_refresh_age = 3600
+      c.NextcloudOAuthenticator.post_auth_hook = post_auth_hook
+
+    serviceCode: |
+      import sys
+      c.JupyterHub.load_roles = [
+          {
+              "name": "refresh-token",
+              "services": [
+                "refresh-token"
+              ],
+              "scopes": [
+                "read:users",
+                "admin:auth_state"
+              ]
+          },
+          {
+              "name": "user",
+              "scopes": [
+                "access:services!service=refresh-token",
+                "read:services!service=refresh-token",
+                "self",
+              ],
+          },
+          {
+              "name": "server",
+              "scopes": [
+                "access:services!service=refresh-token",
+                "read:services!service=refresh-token",
+                "inherit",
+              ],
+          }
+      ]
+      c.JupyterHub.services = [
+          {
+              'name': 'refresh-token',
+              'url': 'http://' + os.environ.get('HUB_SERVICE_HOST', 'hub') + ':' + os.environ.get('HUB_SERVICE_PORT_REFRESH_TOKEN', '8082'),
+              'display': False,
+              'oauth_no_confirm': True,
+              'api_token': os.environ['JUPYTERHUB_API_KEY'],
+              'command': [sys.executable, '/usr/local/etc/jupyterhub/refresh-token.py']
+          }
+      ]
+      c.JupyterHub.admin_users = {"refresh-token"}
+      c.JupyterHub.api_tokens = {
+          os.environ['JUPYTERHUB_API_KEY']: "refresh-token",
+      }
+  extraFiles:
+    refresh-token.py: 
+      mountPath: /usr/local/etc/jupyterhub/refresh-token.py
+      stringData: |
+        """A token refresh service authenticating with the Hub.
+
+        This service serves `/services/refresh-token/`,
+        authenticated with the Hub,
+        showing the user their own info.
+        """
+        import json
+        import os
+        import requests
+        import socket
+        from jupyterhub.services.auth import HubAuthenticated
+        from jupyterhub.utils import url_path_join
+        from tornado.httpserver import HTTPServer
+        from tornado.ioloop import IOLoop
+        from tornado.web import Application, HTTPError, RequestHandler, authenticated
+        from urllib.parse import urlparse
+        debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
+        def my_debug(s):
+          if debug:
+            with open("/proc/1/fd/1", "a") as stdout:
+              print(s, file=stdout)
+
+
+        class RefreshHandler(HubAuthenticated, RequestHandler):
+            def api_request(self, method, url, **kwargs):
+                my_debug(f'{self.hub_auth}')
+                url = url_path_join(self.hub_auth.api_url, url)
+                allow_404 = kwargs.pop('allow_404', False)
+                headers = kwargs.setdefault('headers', {})
+                headers.setdefault('Authorization', f'token {self.hub_auth.api_token}')
+                try:
+                    r = requests.request(method, url, **kwargs)
+                except requests.ConnectionError as e:
+                    my_debug(f'Error connecting to {url}: {e}')
+                    msg = f'Failed to connect to Hub API at {url}.'
+                    msg += f'  Is the Hub accessible at this URL (from host: {socket.gethostname()})?'
+
+                    if '127.0.0.1' in url:
+                        msg += '  Make sure to set c.JupyterHub.hub_ip to an IP accessible to' + \
+                               ' single-user servers if the servers are not on the same host as the Hub.'
+                    raise HTTPError(500, msg)
+
+                data = None
+                if r.status_code == 404 and allow_404:
+                    pass
+                elif r.status_code == 403:
+                    my_debug(
+                        'Lacking permission to check authorization with JupyterHub,' + 
+                        f' my auth token may have expired: [{r.status_code}] {r.reason}'
+                    )
+                    my_debug(r.text)
+                    raise HTTPError(
+                        500,
+                        'Permission failure checking authorization, I may need a new token'
+                    )
+                elif r.status_code >= 500:
+                    my_debug(f'Upstream failure verifying auth token: [{r.status_code}] {r.reason}')
+                    my_debug(r.text)
+                    raise HTTPError(
+                        502, 'Failed to check authorization (upstream problem)')
+                elif r.status_code >= 400:
+                    my_debug(f'Failed to check authorization: [{r.status_code}] {r.reason}')
+                    my_debug(r.text)
+                    raise HTTPError(500, 'Failed to check authorization')
+                else:
+                    data = r.json()
+                return data
+
+            @authenticated
+            def get(self):
+                user_model = self.get_current_user()
+                # Fetch current auth state
+                user_data = self.api_request('GET', url_path_join('users', user_model['name']))
+                auth_state = user_data['auth_state']
+                access_token = auth_state['access_token']
+                token_expires = auth_state['token_expires']
+
+                self.set_header('content-type', 'application/json')
+                self.write(json.dumps({'access_token': access_token, 'token_expires': token_expires}, indent=1, sort_keys=True))
+
+        class PingHandler(RequestHandler):
+
+            def get(self):
+                my_debug(f"DEBUG: In ping get")
+                self.set_header('content-type', 'application/json')
+                self.write(json.dumps({'ping': 1}))
+
+
+        def main():
+            app = Application([
+                (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + 'tokens', RefreshHandler),
+                (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + '/?', PingHandler),
+            ])
+
+            http_server = HTTPServer(app)
+            url = urlparse(os.environ['JUPYTERHUB_SERVICE_URL'])
+
+            http_server.listen(url.port)
+
+            IOLoop.current().start()
+
+        if __name__ == '__main__':
+            main()
+  networkPolicy:
+    ingress:
+      - ports:
+          - port: 8082
+        from:
+          - podSelector:
+              matchLabels:
+                hub.jupyter.org/network-access-hub: "true"
+  service:
+    extraPorts:
+      - port: 8082
+        targetPort: 8082
+        name: refresh-token
+  extraEnv:
+    NEXTCLOUD_DEBUG_OAUTH: "no"
+    NEXTCLOUD_HOST: vr.drive.sunet.se
+    JUPYTER_HOST: vr-jupyter.drive.sunet.se
+    JUPYTERHUB_API_KEY:
+      valueFrom:
+        secretKeyRef:
+          name: jupyterhub-secrets
+          key: api-key
+    JUPYTERHUB_CRYPT_KEY:
+      valueFrom:
+        secretKeyRef:
+          name: jupyterhub-secrets
+          key: crypt-key
+    NEXTCLOUD_CLIENT_ID:
+      valueFrom:
+        secretKeyRef:
+          name: nextcloud-oauth-secrets
+          key: client-id
+    NEXTCLOUD_CLIENT_SECRET:
+      valueFrom:
+        secretKeyRef:
+          name: nextcloud-oauth-secrets
+          key: client-secret
+proxy:
+  chp:
+    networkPolicy:
+      egress:
+        - to:
+            - podSelector:
+                matchLabels:
+                  app: jupyterhub
+                  component: hub
+          ports:
+            - port: 8082
+singleuser:
+  image:
+    name: docker.sunet.se/drive/jupyter-custom
+    tag: lab-4.0.10-sunet4
+  storage:
+    dynamic:
+      storageClass: csi-sc-cinderplugin
+  extraEnv:
+    JUPYTER_ENABLE_LAB: "yes"
+    JUPYTER_HOST: vr-jupyter.drive.sunet.se
+    NEXTCLOUD_HOST: vr.drive.sunet.se
+  extraFiles:
+    jupyter_notebook_config:
+      mountPath: /home/jovyan/.jupyter/jupyter_server_config.py
+      stringData: |
+        import os
+        c = get_config()
+        c.NotebookApp.allow_origin = '*'
+        c.NotebookApp.tornado_settings = {
+            'headers': { 'Content-Security-Policy': "frame-ancestors *;" }
+        }
+        os.system('/usr/local/bin/nc-sync')
+      mode: 0644

jupyter/overlays/prod/sunet/jupyterhub-ingress.yml

@@ -0,0 +1,33 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jupyterhub-ingress
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  ingressClassName: nginx
+  defaultBackend:
+    service:
+      name: proxy-public
+      port:
+        number: 80
+  tls:
+    - hosts:
+        - sunet-jupyter.drive.sunet.se 
+        - sunet-kube.drive.sunet.se 
+      secretName: tls-secret
+  
+  rules:
+  - host: sunet-jupyter.drive.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend: 
+          service:
+            name: proxy-public
+            port:
+              number: 80

jupyter/overlays/prod/sunet/jupyterhub-service.yml

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+items:
+- apiVersion: v1
+  kind: Service
+  metadata:
+    labels:
+      app: jupyterhub-node
+    name: jupyterhub-node
+  spec:
+    ports:
+    - port: 8080
+      protocol: TCP
+      targetPort: 8080
+    selector:
+      app: jupyterhub-node
+    sessionAffinity: None
+    type: ClusterIP
+  status:
+    loadBalancer: {}
+kind: List
+metadata:
+  resourceVersion: ""
+  selfLink: ""

jupyter/overlays/prod/sunet/kustomization.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: [../../../base/]
+helmCharts:
+  - includeCRDs: true
+    name: jupyterhub
+    releaseName: sunet-jupyterhub
+    valuesFile: ./values/values.yaml
+    version: 3.2.1
+    namespace: sunet-jupyterhub
+helmGlobals:
+  chartHome: ../../../base/charts/
+patches:
+  - path: jupyterhub-ingress.yml
+  - path: jupyterhub-service.yml

jupyter/overlays/prod/sunet/values/values.yaml

@@ -0,0 +1,337 @@
+debug:
+  enabled: true
+hub:
+  config:
+    Authenticator:
+      auto_login: true
+      enable_auth_state: true
+    JupyterHub:
+      tornado_settings:
+        headers: { 'Content-Security-Policy': "frame-ancestors *;" }
+  db:
+    pvc:
+      storageClassName: csi-sc-cinderplugin
+  extraConfig:
+    oauthCode: |
+      import time
+      import requests
+      from datetime import datetime
+      from oauthenticator.generic import GenericOAuthenticator
+      token_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'
+      debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
+
+      def get_nextcloud_access_token(refresh_token):
+        client_id = os.environ['NEXTCLOUD_CLIENT_ID']
+        client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
+
+        code = refresh_token
+        data = {
+          'grant_type': 'refresh_token',
+          'code': code,
+          'refresh_token': refresh_token,
+          'client_id': client_id,
+          'client_secret': client_secret
+        }
+        response = requests.post(token_url, data=data)
+        if debug:
+          print(response.text)
+        return response.json()
+
+      def post_auth_hook(authenticator, handler, authentication):
+        user = authentication['auth_state']['oauth_user']['ocs']['data']['id']
+        auth_state = authentication['auth_state']
+        auth_state['token_expires'] =  time.time() + auth_state['token_response']['expires_in']
+        authentication['auth_state'] = auth_state
+        return authentication
+
+      class NextcloudOAuthenticator(GenericOAuthenticator):
+        def __init__(self, *args, **kwargs):
+          super().__init__(*args, **kwargs)
+          self.user_dict = {}
+
+        async def pre_spawn_start(self, user, spawner):
+          super().pre_spawn_start(user, spawner)
+          auth_state = await user.get_auth_state()
+          if not auth_state:
+            return
+          access_token = auth_state['access_token']
+          spawner.environment['NEXTCLOUD_ACCESS_TOKEN'] = access_token
+
+        async def refresh_user(self, user, handler=None):
+          auth_state = await user.get_auth_state()
+          if not auth_state:
+            if debug:
+              print(f'auth_state missing for {user}')
+            return False
+          access_token = auth_state['access_token']
+          refresh_token = auth_state['refresh_token']
+          token_response = auth_state['token_response']
+          now = time.time()
+          now_hr = datetime.fromtimestamp(now)
+          expires = auth_state['token_expires']
+          expires_hr = datetime.fromtimestamp(expires)
+          expires = 0
+          if debug:
+            print(f'auth_state for {user}: {auth_state}')
+          if now >= expires:
+            if debug:
+              print(f'Time is: {now_hr}, token expired: {expires_hr}')
+              print(f'Refreshing token for {user}')
+            try:
+              token_response = get_nextcloud_access_token(refresh_token)
+              auth_state['access_token'] = token_response['access_token']
+              auth_state['refresh_token'] = token_response['refresh_token']
+              auth_state['token_expires'] = now + token_response['expires_in']
+              auth_state['token_response'] = token_response
+              if debug:
+                print(f'Successfully refreshed token for {user.name}')
+                print(f'auth_state for {user.name}: {auth_state}')
+              return {'name': user.name, 'auth_state': auth_state}
+            except Exception as e:
+              if debug:
+                print(f'Failed to refresh token for {user}')
+              return False
+            return False
+          if debug:
+            print(f'Time is: {now_hr}, token expires: {expires_hr}')
+          return True
+
+      c.JupyterHub.authenticator_class = NextcloudOAuthenticator
+      c.NextcloudOAuthenticator.client_id = os.environ['NEXTCLOUD_CLIENT_ID']
+      c.NextcloudOAuthenticator.client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
+      c.NextcloudOAuthenticator.login_service = 'Sunet Drive'
+      c.NextcloudOAuthenticator.username_claim = lambda r: r.get('ocs', {}).get('data', {}).get('id')
+      c.NextcloudOAuthenticator.userdata_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/ocs/v2.php/cloud/user?format=json'
+      c.NextcloudOAuthenticator.authorize_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
+      c.NextcloudOAuthenticator.token_url = token_url
+      c.NextcloudOAuthenticator.oauth_callback_url = 'https://' + os.environ['JUPYTER_HOST'] + '/hub/oauth_callback'
+      c.NextcloudOAuthenticator.allow_all = True
+      c.NextcloudOAuthenticator.refresh_pre_spawn = True
+      c.NextcloudOAuthenticator.enable_auth_state = True
+      c.NextcloudOAuthenticator.auth_refresh_age = 3600
+      c.NextcloudOAuthenticator.post_auth_hook = post_auth_hook
+
+    serviceCode: |
+      import sys
+      c.JupyterHub.load_roles = [
+          {
+              "name": "refresh-token",
+              "services": [
+                "refresh-token"
+              ],
+              "scopes": [
+                "read:users",
+                "admin:auth_state"
+              ]
+          },
+          {
+              "name": "user",
+              "scopes": [
+                "access:services!service=refresh-token",
+                "read:services!service=refresh-token",
+                "self",
+              ],
+          },
+          {
+              "name": "server",
+              "scopes": [
+                "access:services!service=refresh-token",
+                "read:services!service=refresh-token",
+                "inherit",
+              ],
+          }
+      ]
+      c.JupyterHub.services = [
+          {
+              'name': 'refresh-token',
+              'url': 'http://' + os.environ.get('HUB_SERVICE_HOST', 'hub') + ':' + os.environ.get('HUB_SERVICE_PORT_REFRESH_TOKEN', '8082'),
+              'display': False,
+              'oauth_no_confirm': True,
+              'api_token': os.environ['JUPYTERHUB_API_KEY'],
+              'command': [sys.executable, '/usr/local/etc/jupyterhub/refresh-token.py']
+          }
+      ]
+      c.JupyterHub.admin_users = {"refresh-token"}
+      c.JupyterHub.api_tokens = {
+          os.environ['JUPYTERHUB_API_KEY']: "refresh-token",
+      }
+  extraFiles:
+    refresh-token.py: 
+      mountPath: /usr/local/etc/jupyterhub/refresh-token.py
+      stringData: |
+        """A token refresh service authenticating with the Hub.
+
+        This service serves `/services/refresh-token/`,
+        authenticated with the Hub,
+        showing the user their own info.
+        """
+        import json
+        import os
+        import requests
+        import socket
+        from jupyterhub.services.auth import HubAuthenticated
+        from jupyterhub.utils import url_path_join
+        from tornado.httpserver import HTTPServer
+        from tornado.ioloop import IOLoop
+        from tornado.web import Application, HTTPError, RequestHandler, authenticated
+        from urllib.parse import urlparse
+        debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
+        def my_debug(s):
+          if debug:
+            with open("/proc/1/fd/1", "a") as stdout:
+              print(s, file=stdout)
+
+
+        class RefreshHandler(HubAuthenticated, RequestHandler):
+            def api_request(self, method, url, **kwargs):
+                my_debug(f'{self.hub_auth}')
+                url = url_path_join(self.hub_auth.api_url, url)
+                allow_404 = kwargs.pop('allow_404', False)
+                headers = kwargs.setdefault('headers', {})
+                headers.setdefault('Authorization', f'token {self.hub_auth.api_token}')
+                try:
+                    r = requests.request(method, url, **kwargs)
+                except requests.ConnectionError as e:
+                    my_debug(f'Error connecting to {url}: {e}')
+                    msg = f'Failed to connect to Hub API at {url}.'
+                    msg += f'  Is the Hub accessible at this URL (from host: {socket.gethostname()})?'
+
+                    if '127.0.0.1' in url:
+                        msg += '  Make sure to set c.JupyterHub.hub_ip to an IP accessible to' + \
+                               ' single-user servers if the servers are not on the same host as the Hub.'
+                    raise HTTPError(500, msg)
+
+                data = None
+                if r.status_code == 404 and allow_404:
+                    pass
+                elif r.status_code == 403:
+                    my_debug(
+                        'Lacking permission to check authorization with JupyterHub,' + 
+                        f' my auth token may have expired: [{r.status_code}] {r.reason}'
+                    )
+                    my_debug(r.text)
+                    raise HTTPError(
+                        500,
+                        'Permission failure checking authorization, I may need a new token'
+                    )
+                elif r.status_code >= 500:
+                    my_debug(f'Upstream failure verifying auth token: [{r.status_code}] {r.reason}')
+                    my_debug(r.text)
+                    raise HTTPError(
+                        502, 'Failed to check authorization (upstream problem)')
+                elif r.status_code >= 400:
+                    my_debug(f'Failed to check authorization: [{r.status_code}] {r.reason}')
+                    my_debug(r.text)
+                    raise HTTPError(500, 'Failed to check authorization')
+                else:
+                    data = r.json()
+                return data
+
+            @authenticated
+            def get(self):
+                user_model = self.get_current_user()
+                # Fetch current auth state
+                user_data = self.api_request('GET', url_path_join('users', user_model['name']))
+                auth_state = user_data['auth_state']
+                access_token = auth_state['access_token']
+                token_expires = auth_state['token_expires']
+
+                self.set_header('content-type', 'application/json')
+                self.write(json.dumps({'access_token': access_token, 'token_expires': token_expires}, indent=1, sort_keys=True))
+
+        class PingHandler(RequestHandler):
+
+            def get(self):
+                my_debug(f"DEBUG: In ping get")
+                self.set_header('content-type', 'application/json')
+                self.write(json.dumps({'ping': 1}))
+
+
+        def main():
+            app = Application([
+                (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + 'tokens', RefreshHandler),
+                (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + '/?', PingHandler),
+            ])
+
+            http_server = HTTPServer(app)
+            url = urlparse(os.environ['JUPYTERHUB_SERVICE_URL'])
+
+            http_server.listen(url.port)
+
+            IOLoop.current().start()
+
+        if __name__ == '__main__':
+            main()
+  networkPolicy:
+    ingress:
+      - ports:
+          - port: 8082
+        from:
+          - podSelector:
+              matchLabels:
+                hub.jupyter.org/network-access-hub: "true"
+  service:
+    extraPorts:
+      - port: 8082
+        targetPort: 8082
+        name: refresh-token
+  extraEnv:
+    NEXTCLOUD_DEBUG_OAUTH: "no"
+    NEXTCLOUD_HOST: sunet.drive.sunet.se
+    JUPYTER_HOST: sunet-jupyter.drive.sunet.se
+    JUPYTERHUB_API_KEY:
+      valueFrom:
+        secretKeyRef:
+          name: jupyterhub-secrets
+          key: api-key
+    JUPYTERHUB_CRYPT_KEY:
+      valueFrom:
+        secretKeyRef:
+          name: jupyterhub-secrets
+          key: crypt-key
+    NEXTCLOUD_CLIENT_ID:
+      valueFrom:
+        secretKeyRef:
+          name: nextcloud-oauth-secrets
+          key: client-id
+    NEXTCLOUD_CLIENT_SECRET:
+      valueFrom:
+        secretKeyRef:
+          name: nextcloud-oauth-secrets
+          key: client-secret
+    networkPolicy:
+      enabled: false
+proxy:
+  chp:
+    networkPolicy:
+      egress:
+        - to:
+            - podSelector:
+                matchLabels:
+                  app: jupyterhub
+                  component: hub
+          ports:
+            - port: 8082
+singleuser:
+  image:
+    name: docker.sunet.se/drive/jupyter-custom
+    tag: lab-4.0.10-sunet5
+  storage:
+    dynamic:
+      storageClass: csi-sc-cinderplugin
+  extraEnv:
+    JUPYTER_ENABLE_LAB: "yes"
+    JUPYTER_HOST: sunet-jupyter.drive.sunet.se
+    NEXTCLOUD_HOST: sunet.drive.sunet.se
+  extraFiles:
+    jupyter_notebook_config:
+      mountPath: /home/jovyan/.jupyter/jupyter_server_config.py
+      stringData: |
+        import os
+        c = get_config()
+        c.NotebookApp.allow_origin = '*'
+        c.NotebookApp.tornado_settings = {
+            'headers': { 'Content-Security-Policy': "frame-ancestors *;" }
+        }
+        os.system('/usr/local/bin/nc-sync')
+      mode: 0644

jupyter/overlays/prod/vr/jupyterhub-ingress.yml

@@ -0,0 +1,30 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jupyterhub-ingress
+  annotations:
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  defaultBackend:
+    service:
+      name: proxy-public
+      port:
+        number: 8443
+  tls:
+    - hosts:
+        - vr-jupyter.drive.sunet.se 
+      secretName: tls-secret
+  ingressClassName: nginx
+  rules:
+  - host: vr-jupyter.drive.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend: 
+          service:
+            name: proxy-public
+            port:
+              number: 80

jupyter/overlays/prod/vr/jupyterhub-service.yml

@@ -0,0 +1,25 @@
+---
+apiVersion: v1
+items:
+- apiVersion: v1
+  kind: Service
+  metadata:
+    labels:
+      app: jupyterhub-node
+    name: jupyterhub-node
+  spec:
+    ports:
+    - port: 8080
+      protocol: TCP
+      targetPort: 8080
+    selector:
+      app: jupyterhub-node
+    sessionAffinity: None
+    type: ClusterIP
+  status:
+    loadBalancer: {}
+kind: List
+metadata:
+  resourceVersion: ""
+  selfLink: ""
+

jupyter/overlays/prod/vr/kustomization.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: [../../../base/]
+helmCharts:
+  - includeCRDs: true
+    name: jupyterhub
+    releaseName: vr-jupyterhub
+    valuesFile: ./values/values.yaml
+    version: 3.2.1
+    namespace: vr-jupyterhub
+helmGlobals:
+  chartHome: ../../../base/charts/
+patches:
+  - path: jupyterhub-ingress.yml
+  - path: jupyterhub-service.yml

jupyter/overlays/prod/vr/values/values.yaml

@@ -0,0 +1,337 @@
+debug:
+  enabled: true
+hub:
+  config:
+    Authenticator:
+      auto_login: true
+      enable_auth_state: true
+    JupyterHub:
+      tornado_settings:
+        headers: { 'Content-Security-Policy': "frame-ancestors *;" }
+  db:
+    pvc:
+      storageClassName: csi-sc-cinderplugin
+  extraConfig:
+    oauthCode: |
+      import time
+      import requests
+      from datetime import datetime
+      from oauthenticator.generic import GenericOAuthenticator
+      token_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'
+      debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
+
+      def get_nextcloud_access_token(refresh_token):
+        client_id = os.environ['NEXTCLOUD_CLIENT_ID']
+        client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
+
+        code = refresh_token
+        data = {
+          'grant_type': 'refresh_token',
+          'code': code,
+          'refresh_token': refresh_token,
+          'client_id': client_id,
+          'client_secret': client_secret
+        }
+        response = requests.post(token_url, data=data)
+        if debug:
+          print(response.text)
+        return response.json()
+
+      def post_auth_hook(authenticator, handler, authentication):
+        user = authentication['auth_state']['oauth_user']['ocs']['data']['id']
+        auth_state = authentication['auth_state']
+        auth_state['token_expires'] =  time.time() + auth_state['token_response']['expires_in']
+        authentication['auth_state'] = auth_state
+        return authentication
+
+      class NextcloudOAuthenticator(GenericOAuthenticator):
+        def __init__(self, *args, **kwargs):
+          super().__init__(*args, **kwargs)
+          self.user_dict = {}
+
+        async def pre_spawn_start(self, user, spawner):
+          super().pre_spawn_start(user, spawner)
+          auth_state = await user.get_auth_state()
+          if not auth_state:
+            return
+          access_token = auth_state['access_token']
+          spawner.environment['NEXTCLOUD_ACCESS_TOKEN'] = access_token
+
+        async def refresh_user(self, user, handler=None):
+          auth_state = await user.get_auth_state()
+          if not auth_state:
+            if debug:
+              print(f'auth_state missing for {user}')
+            return False
+          access_token = auth_state['access_token']
+          refresh_token = auth_state['refresh_token']
+          token_response = auth_state['token_response']
+          now = time.time()
+          now_hr = datetime.fromtimestamp(now)
+          expires = auth_state['token_expires']
+          expires_hr = datetime.fromtimestamp(expires)
+          expires = 0
+          if debug:
+            print(f'auth_state for {user}: {auth_state}')
+          if now >= expires:
+            if debug:
+              print(f'Time is: {now_hr}, token expired: {expires_hr}')
+              print(f'Refreshing token for {user}')
+            try:
+              token_response = get_nextcloud_access_token(refresh_token)
+              auth_state['access_token'] = token_response['access_token']
+              auth_state['refresh_token'] = token_response['refresh_token']
+              auth_state['token_expires'] = now + token_response['expires_in']
+              auth_state['token_response'] = token_response
+              if debug:
+                print(f'Successfully refreshed token for {user.name}')
+                print(f'auth_state for {user.name}: {auth_state}')
+              return {'name': user.name, 'auth_state': auth_state}
+            except Exception as e:
+              if debug:
+                print(f'Failed to refresh token for {user}')
+              return False
+            return False
+          if debug:
+            print(f'Time is: {now_hr}, token expires: {expires_hr}')
+          return True
+
+      c.JupyterHub.authenticator_class = NextcloudOAuthenticator
+      c.NextcloudOAuthenticator.client_id = os.environ['NEXTCLOUD_CLIENT_ID']
+      c.NextcloudOAuthenticator.client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
+      c.NextcloudOAuthenticator.login_service = 'Sunet Drive'
+      c.NextcloudOAuthenticator.username_claim = lambda r: r.get('ocs', {}).get('data', {}).get('id')
+      c.NextcloudOAuthenticator.userdata_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/ocs/v2.php/cloud/user?format=json'
+      c.NextcloudOAuthenticator.authorize_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
+      c.NextcloudOAuthenticator.token_url = token_url
+      c.NextcloudOAuthenticator.oauth_callback_url = 'https://' + os.environ['JUPYTER_HOST'] + '/hub/oauth_callback'
+      c.NextcloudOAuthenticator.allow_all = True
+      c.NextcloudOAuthenticator.refresh_pre_spawn = True
+      c.NextcloudOAuthenticator.enable_auth_state = True
+      c.NextcloudOAuthenticator.auth_refresh_age = 3600
+      c.NextcloudOAuthenticator.post_auth_hook = post_auth_hook
+
+    serviceCode: |
+      import sys
+      c.JupyterHub.load_roles = [
+          {
+              "name": "refresh-token",
+              "services": [
+                "refresh-token"
+              ],
+              "scopes": [
+                "read:users",
+                "admin:auth_state"
+              ]
+          },
+          {
+              "name": "user",
+              "scopes": [
+                "access:services!service=refresh-token",
+                "read:services!service=refresh-token",
+                "self",
+              ],
+          },
+          {
+              "name": "server",
+              "scopes": [
+                "access:services!service=refresh-token",
+                "read:services!service=refresh-token",
+                "inherit",
+              ],
+          }
+      ]
+      c.JupyterHub.services = [
+          {
+              'name': 'refresh-token',
+              'url': 'http://' + os.environ.get('HUB_SERVICE_HOST', 'hub') + ':' + os.environ.get('HUB_SERVICE_PORT_REFRESH_TOKEN', '8082'),
+              'display': False,
+              'oauth_no_confirm': True,
+              'api_token': os.environ['JUPYTERHUB_API_KEY'],
+              'command': [sys.executable, '/usr/local/etc/jupyterhub/refresh-token.py']
+          }
+      ]
+      c.JupyterHub.admin_users = {"refresh-token"}
+      c.JupyterHub.api_tokens = {
+          os.environ['JUPYTERHUB_API_KEY']: "refresh-token",
+      }
+  extraFiles:
+    refresh-token.py: 
+      mountPath: /usr/local/etc/jupyterhub/refresh-token.py
+      stringData: |
+        """A token refresh service authenticating with the Hub.
+
+        This service serves `/services/refresh-token/`,
+        authenticated with the Hub,
+        showing the user their own info.
+        """
+        import json
+        import os
+        import requests
+        import socket
+        from jupyterhub.services.auth import HubAuthenticated
+        from jupyterhub.utils import url_path_join
+        from tornado.httpserver import HTTPServer
+        from tornado.ioloop import IOLoop
+        from tornado.web import Application, HTTPError, RequestHandler, authenticated
+        from urllib.parse import urlparse
+        debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
+        def my_debug(s):
+          if debug:
+            with open("/proc/1/fd/1", "a") as stdout:
+              print(s, file=stdout)
+
+
+        class RefreshHandler(HubAuthenticated, RequestHandler):
+            def api_request(self, method, url, **kwargs):
+                my_debug(f'{self.hub_auth}')
+                url = url_path_join(self.hub_auth.api_url, url)
+                allow_404 = kwargs.pop('allow_404', False)
+                headers = kwargs.setdefault('headers', {})
+                headers.setdefault('Authorization', f'token {self.hub_auth.api_token}')
+                try:
+                    r = requests.request(method, url, **kwargs)
+                except requests.ConnectionError as e:
+                    my_debug(f'Error connecting to {url}: {e}')
+                    msg = f'Failed to connect to Hub API at {url}.'
+                    msg += f'  Is the Hub accessible at this URL (from host: {socket.gethostname()})?'
+
+                    if '127.0.0.1' in url:
+                        msg += '  Make sure to set c.JupyterHub.hub_ip to an IP accessible to' + \
+                               ' single-user servers if the servers are not on the same host as the Hub.'
+                    raise HTTPError(500, msg)
+
+                data = None
+                if r.status_code == 404 and allow_404:
+                    pass
+                elif r.status_code == 403:
+                    my_debug(
+                        'Lacking permission to check authorization with JupyterHub,' + 
+                        f' my auth token may have expired: [{r.status_code}] {r.reason}'
+                    )
+                    my_debug(r.text)
+                    raise HTTPError(
+                        500,
+                        'Permission failure checking authorization, I may need a new token'
+                    )
+                elif r.status_code >= 500:
+                    my_debug(f'Upstream failure verifying auth token: [{r.status_code}] {r.reason}')
+                    my_debug(r.text)
+                    raise HTTPError(
+                        502, 'Failed to check authorization (upstream problem)')
+                elif r.status_code >= 400:
+                    my_debug(f'Failed to check authorization: [{r.status_code}] {r.reason}')
+                    my_debug(r.text)
+                    raise HTTPError(500, 'Failed to check authorization')
+                else:
+                    data = r.json()
+                return data
+
+            @authenticated
+            def get(self):
+                user_model = self.get_current_user()
+                # Fetch current auth state
+                user_data = self.api_request('GET', url_path_join('users', user_model['name']))
+                auth_state = user_data['auth_state']
+                access_token = auth_state['access_token']
+                token_expires = auth_state['token_expires']
+
+                self.set_header('content-type', 'application/json')
+                self.write(json.dumps({'access_token': access_token, 'token_expires': token_expires}, indent=1, sort_keys=True))
+
+        class PingHandler(RequestHandler):
+
+            def get(self):
+                my_debug(f"DEBUG: In ping get")
+                self.set_header('content-type', 'application/json')
+                self.write(json.dumps({'ping': 1}))
+
+
+        def main():
+            app = Application([
+                (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + 'tokens', RefreshHandler),
+                (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + '/?', PingHandler),
+            ])
+
+            http_server = HTTPServer(app)
+            url = urlparse(os.environ['JUPYTERHUB_SERVICE_URL'])
+
+            http_server.listen(url.port)
+
+            IOLoop.current().start()
+
+        if __name__ == '__main__':
+            main()
+  networkPolicy:
+    ingress:
+      - ports:
+          - port: 8082
+        from:
+          - podSelector:
+              matchLabels:
+                hub.jupyter.org/network-access-hub: "true"
+  service:
+    extraPorts:
+      - port: 8082
+        targetPort: 8082
+        name: refresh-token
+  extraEnv:
+    NEXTCLOUD_DEBUG_OAUTH: "no"
+    NEXTCLOUD_HOST: vr.drive.sunet.se
+    JUPYTER_HOST: vr-jupyter.drive.sunet.se
+    JUPYTERHUB_API_KEY:
+      valueFrom:
+        secretKeyRef:
+          name: jupyterhub-secrets
+          key: api-key
+    JUPYTERHUB_CRYPT_KEY:
+      valueFrom:
+        secretKeyRef:
+          name: jupyterhub-secrets
+          key: crypt-key
+    NEXTCLOUD_CLIENT_ID:
+      valueFrom:
+        secretKeyRef:
+          name: nextcloud-oauth-secrets
+          key: client-id
+    NEXTCLOUD_CLIENT_SECRET:
+      valueFrom:
+        secretKeyRef:
+          name: nextcloud-oauth-secrets
+          key: client-secret
+    networkPolicy:
+      enabled: false
+proxy:
+  chp:
+    networkPolicy:
+      egress:
+        - to:
+            - podSelector:
+                matchLabels:
+                  app: jupyterhub
+                  component: hub
+          ports:
+            - port: 8082
+singleuser:
+  image:
+    name: docker.sunet.se/drive/jupyter-custom
+    tag: lab-4.0.10-sunet4
+  storage:
+    dynamic:
+      storageClass: csi-sc-cinderplugin
+  extraEnv:
+    JUPYTER_ENABLE_LAB: "yes"
+    JUPYTER_HOST: vr-jupyter.drive.sunet.se
+    NEXTCLOUD_HOST: vr.drive.sunet.se
+  extraFiles:
+    jupyter_notebook_config:
+      mountPath: /home/jovyan/.jupyter/jupyter_server_config.py
+      stringData: |
+        import os
+        c = get_config()
+        c.NotebookApp.allow_origin = '*'
+        c.NotebookApp.tornado_settings = {
+            'headers': { 'Content-Security-Policy': "frame-ancestors *;" }
+        }
+        os.system('/usr/local/bin/nc-sync')
+      mode: 0644

jupyter/overlays/test/sunet/jupyterhub-ingress.yml

@@ -4,18 +4,20 @@ kind: Ingress
 metadata:
   name: jupyterhub-ingress
   annotations:
-    kubernetes.io/ingress.class: traefik
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.tls: "true"
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
 spec:
+  ingressClassName: nginx
   defaultBackend:
     service:
       name: proxy-public
       port:
-        number: 8443
+        number: 80
   tls:
     - hosts:
         - sunet-jupyter.drive.test.sunet.se 
+        - sunet-kube.drive.test.sunet.se 
       secretName: tls-secret
   
   rules:

jupyter/overlays/test/sunet/values/values.yaml

@@ -19,10 +19,12 @@ hub:
       from oauthenticator.generic import GenericOAuthenticator
       token_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'
       debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
+      os.environ['OAUTH2_TOKEN_URL'] = token_url 
+      os.environ['OAUTH2_AUTHORIZE_URL'] = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
 
       def get_nextcloud_access_token(refresh_token):
-        client_id = os.environ['NEXTCLOUD_CLIENT_ID']
-        client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
+        client_id = os.environ['OAUTH2_CLIENT_ID']
+        client_secret = os.environ['OAUTH2_CLIENT_SECRET']
 
         code = refresh_token
         data = {
@@ -97,12 +99,12 @@ hub:
           return True
 
       c.JupyterHub.authenticator_class = NextcloudOAuthenticator
-      c.NextcloudOAuthenticator.client_id = os.environ['NEXTCLOUD_CLIENT_ID']
-      c.NextcloudOAuthenticator.client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
+      c.NextcloudOAuthenticator.client_id = os.environ['OAUTH2_CLIENT_ID']
+      c.NextcloudOAuthenticator.client_secret = os.environ['OAUTH2_CLIENT_SECRET']
       c.NextcloudOAuthenticator.login_service = 'Sunet Drive'
-      c.NextcloudOAuthenticator.username_claim = lambda r: r.get('ocs', {}).get('data', {}).get('id')
+      c.NextcloudOAuthenticator.username_claim = 'kano@sunet.se' # lambda r: r.get('ocs', {}).get('data', {}).get('id')
       c.NextcloudOAuthenticator.userdata_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/ocs/v2.php/cloud/user?format=json'
-      c.NextcloudOAuthenticator.authorize_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
+      c.NextcloudOAuthenticator.authorize_url = os.environ['OAUTH2_AUTHORIZE_URL']
       c.NextcloudOAuthenticator.token_url = token_url
       c.NextcloudOAuthenticator.oauth_callback_url = 'https://' + os.environ['JUPYTER_HOST'] + '/hub/oauth_callback'
       c.NextcloudOAuthenticator.allow_all = True
@@ -276,7 +278,7 @@ hub:
         targetPort: 8082
         name: refresh-token
   extraEnv:
-    NEXTCLOUD_DEBUG_OAUTH: "no"
+    NEXTCLOUD_DEBUG_OAUTH: "yes"
     NEXTCLOUD_HOST: sunet.drive.test.sunet.se
     JUPYTER_HOST: sunet-jupyter.drive.test.sunet.se
     JUPYTERHUB_API_KEY:
@@ -289,12 +291,12 @@ hub:
         secretKeyRef:
           name: jupyterhub-secrets
           key: crypt-key
-    NEXTCLOUD_CLIENT_ID:
+    OAUTH2_CLIENT_ID:
       valueFrom:
         secretKeyRef:
           name: nextcloud-oauth-secrets
           key: client-id
-    NEXTCLOUD_CLIENT_SECRET:
+    OAUTH2_CLIENT_SECRET:
       valueFrom:
         secretKeyRef:
           name: nextcloud-oauth-secrets

jupyter/overlays/test/vr/jupyterhub-ingress.yml

@@ -0,0 +1,30 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jupyterhub-ingress
+  annotations:
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  defaultBackend:
+    service:
+      name: proxy-public
+      port:
+        number: 8443
+  tls:
+    - hosts:
+        - vr-jupyter.drive.test.sunet.se 
+      secretName: tls-secret
+  ingressClassName: nginx
+  rules:
+  - host: vr-jupyter.drive.test.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend: 
+          service:
+            name: proxy-public
+            port:
+              number: 80

jupyter/overlays/test/vr/jupyterhub-service.yml

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+items:
+- apiVersion: v1
+  kind: Service
+  metadata:
+    labels:
+      app: jupyterhub-node
+    name: jupyterhub-node
+  spec:
+    ports:
+    - port: 8080
+      protocol: TCP
+      targetPort: 8080
+    selector:
+      app: jupyterhub-node
+    sessionAffinity: None
+    type: ClusterIP
+  status:
+    loadBalancer: {}
+kind: List
+metadata:
+  resourceVersion: ""
+  selfLink: ""

jupyter/overlays/test/vr/kustomization.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: [../../../base/]
+helmCharts:
+  - includeCRDs: true
+    name: jupyterhub
+    releaseName: vr-jupyterhub
+    valuesFile: ./values/values.yaml
+    version: 3.2.1
+    namespace: vr-jupyterhub
+helmGlobals:
+  chartHome: ../../../base/charts/
+patches:
+  - path: jupyterhub-ingress.yml
+  - path: jupyterhub-service.yml

jupyter/overlays/test/vr/values/values.yaml

@@ -0,0 +1,337 @@
+debug:
+  enabled: true
+hub:
+  config:
+    Authenticator:
+      auto_login: true
+      enable_auth_state: true
+    JupyterHub:
+      tornado_settings:
+        headers: { 'Content-Security-Policy': "frame-ancestors *;" }
+  db:
+    pvc:
+      storageClassName: csi-sc-cinderplugin
+  extraConfig:
+    oauthCode: |
+      import time
+      import requests
+      from datetime import datetime
+      from oauthenticator.generic import GenericOAuthenticator
+      token_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'
+      debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
+
+      def get_nextcloud_access_token(refresh_token):
+        client_id = os.environ['NEXTCLOUD_CLIENT_ID']
+        client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
+
+        code = refresh_token
+        data = {
+          'grant_type': 'refresh_token',
+          'code': code,
+          'refresh_token': refresh_token,
+          'client_id': client_id,
+          'client_secret': client_secret
+        }
+        response = requests.post(token_url, data=data)
+        if debug:
+          print(response.text)
+        return response.json()
+
+      def post_auth_hook(authenticator, handler, authentication):
+        user = authentication['auth_state']['oauth_user']['ocs']['data']['id']
+        auth_state = authentication['auth_state']
+        auth_state['token_expires'] =  time.time() + auth_state['token_response']['expires_in']
+        authentication['auth_state'] = auth_state
+        return authentication
+
+      class NextcloudOAuthenticator(GenericOAuthenticator):
+        def __init__(self, *args, **kwargs):
+          super().__init__(*args, **kwargs)
+          self.user_dict = {}
+
+        async def pre_spawn_start(self, user, spawner):
+          super().pre_spawn_start(user, spawner)
+          auth_state = await user.get_auth_state()
+          if not auth_state:
+            return
+          access_token = auth_state['access_token']
+          spawner.environment['NEXTCLOUD_ACCESS_TOKEN'] = access_token
+
+        async def refresh_user(self, user, handler=None):
+          auth_state = await user.get_auth_state()
+          if not auth_state:
+            if debug:
+              print(f'auth_state missing for {user}')
+            return False
+          access_token = auth_state['access_token']
+          refresh_token = auth_state['refresh_token']
+          token_response = auth_state['token_response']
+          now = time.time()
+          now_hr = datetime.fromtimestamp(now)
+          expires = auth_state['token_expires']
+          expires_hr = datetime.fromtimestamp(expires)
+          expires = 0
+          if debug:
+            print(f'auth_state for {user}: {auth_state}')
+          if now >= expires:
+            if debug:
+              print(f'Time is: {now_hr}, token expired: {expires_hr}')
+              print(f'Refreshing token for {user}')
+            try:
+              token_response = get_nextcloud_access_token(refresh_token)
+              auth_state['access_token'] = token_response['access_token']
+              auth_state['refresh_token'] = token_response['refresh_token']
+              auth_state['token_expires'] = now + token_response['expires_in']
+              auth_state['token_response'] = token_response
+              if debug:
+                print(f'Successfully refreshed token for {user.name}')
+                print(f'auth_state for {user.name}: {auth_state}')
+              return {'name': user.name, 'auth_state': auth_state}
+            except Exception as e:
+              if debug:
+                print(f'Failed to refresh token for {user}')
+              return False
+            return False
+          if debug:
+            print(f'Time is: {now_hr}, token expires: {expires_hr}')
+          return True
+
+      c.JupyterHub.authenticator_class = NextcloudOAuthenticator
+      c.NextcloudOAuthenticator.client_id = os.environ['NEXTCLOUD_CLIENT_ID']
+      c.NextcloudOAuthenticator.client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
+      c.NextcloudOAuthenticator.login_service = 'Sunet Drive'
+      c.NextcloudOAuthenticator.username_claim = lambda r: r.get('ocs', {}).get('data', {}).get('id')
+      c.NextcloudOAuthenticator.userdata_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/ocs/v2.php/cloud/user?format=json'
+      c.NextcloudOAuthenticator.authorize_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
+      c.NextcloudOAuthenticator.token_url = token_url
+      c.NextcloudOAuthenticator.oauth_callback_url = 'https://' + os.environ['JUPYTER_HOST'] + '/hub/oauth_callback'
+      c.NextcloudOAuthenticator.allow_all = True
+      c.NextcloudOAuthenticator.refresh_pre_spawn = True
+      c.NextcloudOAuthenticator.enable_auth_state = True
+      c.NextcloudOAuthenticator.auth_refresh_age = 3600
+      c.NextcloudOAuthenticator.post_auth_hook = post_auth_hook
+
+    serviceCode: |
+      import sys
+      c.JupyterHub.load_roles = [
+          {
+              "name": "refresh-token",
+              "services": [
+                "refresh-token"
+              ],
+              "scopes": [
+                "read:users",
+                "admin:auth_state"
+              ]
+          },
+          {
+              "name": "user",
+              "scopes": [
+                "access:services!service=refresh-token",
+                "read:services!service=refresh-token",
+                "self",
+              ],
+          },
+          {
+              "name": "server",
+              "scopes": [
+                "access:services!service=refresh-token",
+                "read:services!service=refresh-token",
+                "inherit",
+              ],
+          }
+      ]
+      c.JupyterHub.services = [
+          {
+              'name': 'refresh-token',
+              'url': 'http://' + os.environ.get('HUB_SERVICE_HOST', 'hub') + ':' + os.environ.get('HUB_SERVICE_PORT_REFRESH_TOKEN', '8082'),
+              'display': False,
+              'oauth_no_confirm': True,
+              'api_token': os.environ['JUPYTERHUB_API_KEY'],
+              'command': [sys.executable, '/usr/local/etc/jupyterhub/refresh-token.py']
+          }
+      ]
+      c.JupyterHub.admin_users = {"refresh-token"}
+      c.JupyterHub.api_tokens = {
+          os.environ['JUPYTERHUB_API_KEY']: "refresh-token",
+      }
+  extraFiles:
+    refresh-token.py: 
+      mountPath: /usr/local/etc/jupyterhub/refresh-token.py
+      stringData: |
+        """A token refresh service authenticating with the Hub.
+
+        This service serves `/services/refresh-token/`,
+        authenticated with the Hub,
+        showing the user their own info.
+        """
+        import json
+        import os
+        import requests
+        import socket
+        from jupyterhub.services.auth import HubAuthenticated
+        from jupyterhub.utils import url_path_join
+        from tornado.httpserver import HTTPServer
+        from tornado.ioloop import IOLoop
+        from tornado.web import Application, HTTPError, RequestHandler, authenticated
+        from urllib.parse import urlparse
+        debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
+        def my_debug(s):
+          if debug:
+            with open("/proc/1/fd/1", "a") as stdout:
+              print(s, file=stdout)
+
+
+        class RefreshHandler(HubAuthenticated, RequestHandler):
+            def api_request(self, method, url, **kwargs):
+                my_debug(f'{self.hub_auth}')
+                url = url_path_join(self.hub_auth.api_url, url)
+                allow_404 = kwargs.pop('allow_404', False)
+                headers = kwargs.setdefault('headers', {})
+                headers.setdefault('Authorization', f'token {self.hub_auth.api_token}')
+                try:
+                    r = requests.request(method, url, **kwargs)
+                except requests.ConnectionError as e:
+                    my_debug(f'Error connecting to {url}: {e}')
+                    msg = f'Failed to connect to Hub API at {url}.'
+                    msg += f'  Is the Hub accessible at this URL (from host: {socket.gethostname()})?'
+
+                    if '127.0.0.1' in url:
+                        msg += '  Make sure to set c.JupyterHub.hub_ip to an IP accessible to' + \
+                               ' single-user servers if the servers are not on the same host as the Hub.'
+                    raise HTTPError(500, msg)
+
+                data = None
+                if r.status_code == 404 and allow_404:
+                    pass
+                elif r.status_code == 403:
+                    my_debug(
+                        'Lacking permission to check authorization with JupyterHub,' + 
+                        f' my auth token may have expired: [{r.status_code}] {r.reason}'
+                    )
+                    my_debug(r.text)
+                    raise HTTPError(
+                        500,
+                        'Permission failure checking authorization, I may need a new token'
+                    )
+                elif r.status_code >= 500:
+                    my_debug(f'Upstream failure verifying auth token: [{r.status_code}] {r.reason}')
+                    my_debug(r.text)
+                    raise HTTPError(
+                        502, 'Failed to check authorization (upstream problem)')
+                elif r.status_code >= 400:
+                    my_debug(f'Failed to check authorization: [{r.status_code}] {r.reason}')
+                    my_debug(r.text)
+                    raise HTTPError(500, 'Failed to check authorization')
+                else:
+                    data = r.json()
+                return data
+
+            @authenticated
+            def get(self):
+                user_model = self.get_current_user()
+                # Fetch current auth state
+                user_data = self.api_request('GET', url_path_join('users', user_model['name']))
+                auth_state = user_data['auth_state']
+                access_token = auth_state['access_token']
+                token_expires = auth_state['token_expires']
+
+                self.set_header('content-type', 'application/json')
+                self.write(json.dumps({'access_token': access_token, 'token_expires': token_expires}, indent=1, sort_keys=True))
+
+        class PingHandler(RequestHandler):
+
+            def get(self):
+                my_debug(f"DEBUG: In ping get")
+                self.set_header('content-type', 'application/json')
+                self.write(json.dumps({'ping': 1}))
+
+
+        def main():
+            app = Application([
+                (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + 'tokens', RefreshHandler),
+                (os.environ['JUPYTERHUB_SERVICE_PREFIX'] + '/?', PingHandler),
+            ])
+
+            http_server = HTTPServer(app)
+            url = urlparse(os.environ['JUPYTERHUB_SERVICE_URL'])
+
+            http_server.listen(url.port)
+
+            IOLoop.current().start()
+
+        if __name__ == '__main__':
+            main()
+  networkPolicy:
+    ingress:
+      - ports:
+          - port: 8082
+        from:
+          - podSelector:
+              matchLabels:
+                hub.jupyter.org/network-access-hub: "true"
+  service:
+    extraPorts:
+      - port: 8082
+        targetPort: 8082
+        name: refresh-token
+  extraEnv:
+    NEXTCLOUD_DEBUG_OAUTH: "no"
+    NEXTCLOUD_HOST: vr.drive.test.sunet.se
+    JUPYTER_HOST: vr-jupyter.drive.test.sunet.se
+    JUPYTERHUB_API_KEY:
+      valueFrom:
+        secretKeyRef:
+          name: jupyterhub-secrets
+          key: api-key
+    JUPYTERHUB_CRYPT_KEY:
+      valueFrom:
+        secretKeyRef:
+          name: jupyterhub-secrets
+          key: crypt-key
+    NEXTCLOUD_CLIENT_ID:
+      valueFrom:
+        secretKeyRef:
+          name: nextcloud-oauth-secrets
+          key: client-id
+    NEXTCLOUD_CLIENT_SECRET:
+      valueFrom:
+        secretKeyRef:
+          name: nextcloud-oauth-secrets
+          key: client-secret
+    networkPolicy:
+      enabled: false
+proxy:
+  chp:
+    networkPolicy:
+      egress:
+        - to:
+            - podSelector:
+                matchLabels:
+                  app: jupyterhub
+                  component: hub
+          ports:
+            - port: 8082
+singleuser:
+  image:
+    name: docker.sunet.se/drive/jupyter-custom
+    tag: lab-4.0.10-sunet4
+  storage:
+    dynamic:
+      storageClass: csi-sc-cinderplugin
+  extraEnv:
+    JUPYTER_ENABLE_LAB: "yes"
+    JUPYTER_HOST: vr-jupyter.drive.test.sunet.se
+    NEXTCLOUD_HOST: vr.drive.test.sunet.se
+  extraFiles:
+    jupyter_notebook_config:
+      mountPath: /home/jovyan/.jupyter/jupyter_server_config.py
+      stringData: |
+        import os
+        c = get_config()
+        c.NotebookApp.allow_origin = '*'
+        c.NotebookApp.tornado_settings = {
+            'headers': { 'Content-Security-Policy': "frame-ancestors *;" }
+        }
+        os.system('/usr/local/bin/nc-sync')
+      mode: 0644

portal/base/drive-ingress.yml

@@ -0,0 +1,30 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: drive-ingress
+  namespace: portal
+  annotations:
+    kubernetes.io/ingress.class: nginx
+spec:
+  defaultBackend:
+    service:
+      name: portal-node
+      port:
+        number: 8080
+  tls:
+    - hosts:
+        - drive.test.sunet.se 
+      secretName: drive-tls-secret
+  ingressClassName: nginx 
+  rules:
+  - host: drive.test.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend: 
+          service:
+            name: portal-node
+            port:
+              number: 8080

portal/base/kustomization.yaml

@@ -0,0 +1,9 @@
+resources:
+- drive-ingress.yml
+- portal-cert-manager.yml
+- portal-deployment.yml
+- portal-ingress.yml
+- portal-namespace.yml
+- portal-service.yml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization

portal/base/portal-cert-manager.yml

@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: drive@sunet.se
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+      - http01:
+          ingress: 
+            class: nginx
+

portal/base/portal-deployment.yml

@@ -0,0 +1,30 @@
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: portal-node
+  namespace: portal
+  creationTimestamp:
+  labels:
+    app: portal-node
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: portal-node
+  template:
+    metadata:
+      creationTimestamp:
+      labels:
+        app: portal-node
+    spec:
+      containers:
+      - name: portal
+        image: docker.sunet.se/drive/portal:0.1.2-3
+        imagePullPolicy: Always
+        resources: {}
+        env:
+          - name: DRIVE_DOMAIN
+            value: "drive.test.sunet.se"
+  strategy: {}
+status: {}

portal/base/portal-ingress.yml

@@ -0,0 +1,30 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: portal-ingress
+  namespace: portal
+  annotations:
+    kubernetes.io/ingress.class: nginx
+spec:
+  defaultBackend:
+    service:
+      name: portal-node
+      port:
+        number: 8080
+  tls:
+    - hosts:
+        - portal.drive.test.sunet.se 
+      secretName: tls-secret
+  ingressClassName: nginx 
+  rules:
+  - host: portal.drive.test.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend: 
+          service:
+            name: portal-node
+            port:
+              number: 8080

portal/base/portal-namespace.yml

@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: portal
+spec:
+  finalizers:
+  - kubernetes

portal/base/portal-service.yml

@@ -0,0 +1,25 @@
+---
+apiVersion: v1
+items:
+- apiVersion: v1
+  kind: Service
+  metadata:
+    labels:
+      app: portal-node
+    name: portal-node
+    namespace: portal
+  spec:
+    ports:
+    - port: 8080
+      protocol: TCP
+      targetPort: 8080
+    selector:
+      app: portal-node
+    sessionAffinity: None
+    type: ClusterIP
+  status:
+    loadBalancer: {}
+kind: List
+metadata:
+  resourceVersion: ""
+  selfLink: ""

portal/overlays/prod/drive-ingress.yml

@@ -0,0 +1,32 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: drive-ingress
+  namespace: portal
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  defaultBackend:
+    service:
+      name: portal-node
+      port:
+        number: 8080
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - drive.sunet.se 
+      secretName: drive-tls-secret
+  rules:
+  - host: drive.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend: 
+          service:
+            name: portal-node
+            port:
+              number: 8080

portal/overlays/prod/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+patches:
+- path: drive-ingress.yml
+- path: portal-ingress.yml
+- path: portal-deployment.yml

portal/overlays/prod/portal-deployment.yml

@@ -0,0 +1,27 @@
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: portal-node
+  namespace: portal
+  creationTimestamp:
+  labels:
+    app: portal-node
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: portal-node
+  template:
+    metadata:
+      creationTimestamp:
+      labels:
+        app: portal-node
+    spec:
+      containers:
+      - name: portal
+        env:
+          - name: DRIVE_DOMAIN
+            value: "drive.sunet.se"
+  strategy: {}
+status: {}

portal/overlays/prod/portal-ingress.yml

@@ -0,0 +1,32 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: portal-ingress
+  namespace: portal
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  defaultBackend:
+    service:
+      name: portal-node
+      port:
+        number: 8080
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - portal.drive.sunet.se 
+      secretName: tls-secret
+  rules:
+  - host: portal.drive.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend: 
+          service:
+            name: portal-node
+            port:
+              number: 8080

portal/overlays/test/drive-ingress.yml

@@ -0,0 +1,32 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: drive-ingress
+  namespace: portal
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  defaultBackend:
+    service:
+      name: portal-node
+      port:
+        number: 8080
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - drive.test.sunet.se 
+      secretName: drive-tls-secret
+  rules:
+  - host: drive.test.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend: 
+          service:
+            name: portal-node
+            port:
+              number: 8080

portal/overlays/test/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base
+patches:
+- path: drive-ingress.yml
+- path: portal-ingress.yml
+- path: portal-deployment.yml

portal/overlays/test/portal-deployment.yml

@@ -0,0 +1,27 @@
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: portal-node
+  namespace: portal
+  creationTimestamp:
+  labels:
+    app: portal-node
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: portal-node
+  template:
+    metadata:
+      creationTimestamp:
+      labels:
+        app: portal-node
+    spec:
+      containers:
+      - name: portal
+        env:
+          - name: DRIVE_DOMAIN
+            value: "drive.test.sunet.se"
+  strategy: {}
+status: {}

portal/overlays/test/portal-ingress.yml

@@ -0,0 +1,32 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: portal-ingress
+  namespace: portal
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/issuer: "letsencrypt"
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  defaultBackend:
+    service:
+      name: portal-node
+      port:
+        number: 8080
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - portal.drive.test.sunet.se 
+      secretName: tls-secret
+  rules:
+  - host: portal.drive.test.sunet.se
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend: 
+          service:
+            name: portal-node
+            port:
+              number: 8080

proxysql/base/proxysql-configmap.yml

@@ -300,6 +300,13 @@ data:
           transaction_persistent=1
           active=1
       },
+      {
+          username="nextcloud_richir"
+          password="{{RICHIR_PASSWORD}}"
+          default_hostgroup=10
+          transaction_persistent=1
+          active=1
+      },
       {
           username="nextcloud_rkh"
           password="{{RKH_PASSWORD}}"