initial commit

prod/README.md

@@ -0,0 +1 @@
+Dit zijn alle services op het PROD-cluster:

prod/bookstack/README.md

@@ -0,0 +1,6 @@
+user: admin@dialdcs.com
+password: Bookstack01@
+
+user: allardkrings@gmail.com
+password: Bookstack01@
+

prod/bookstack/bookstack.yaml

@@ -0,0 +1,111 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bookstack
+  namespace: bookstack
+  labels:
+    app: bookstack
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bookstack
+  template:
+    metadata:
+      labels:
+        app: bookstack
+    spec:
+      containers:
+      - name: bookstack
+        image: linuxserver/bookstack
+        ports:
+        - containerPort: 80
+        env:
+        - name: APP_URL
+          value: https://bookstack-prod.allarddcs.nl
+        - name: PUID
+          value: "1001"
+        - name: PGID
+          value: "986"
+        - name: DB_HOST
+          value: "mariadb.mariadb"
+        - name: DB_USER
+          value: "bookstack"
+        - name: DB_PASS
+          value: "bookstack"
+        - name: DB_DATABASE
+          value: "bookstack"
+        volumeMounts:
+        - mountPath: "/config"
+          name: bookstackvolume
+      volumes:
+      - name: bookstackvolume
+        persistentVolumeClaim:
+          claimName: bookstack-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bookstack
+  namespace: bookstack
+  labels:
+    app: bookstack
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+  selector:
+    app: bookstack
+  type: ClusterIP
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: bookstack-tls
+  namespace: bookstack
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`bookstack-prod.allarddcs.nl`)
+    kind: Rule
+    services:
+    - name: bookstack
+      port: 80
+  tls:
+    certResolver: letsencrypt
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: bookstack-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/bookstack
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bookstack-pvc
+  namespace: bookstack
+spec:
+  storageClassName: ""
+  volumeName: bookstack-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+

prod/bookstack/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-bookstack
+  title: Bookstack (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/bookstack/password

@@ -0,0 +1 @@
+$2y$10$OjssYrHC0lDRCH.2/XQ6.OnAypqeG2hb6zZniqk7OxD2J3

prod/catalog-info.yaml

@@ -0,0 +1,36 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: PROD-cluster
+  namespace: default
+  description: deployments PROD-cluster
+  annotations:
+    backstage.io/techdocs-ref: dir:.
+  links:
+    - url: https://github.com/AllardKrings/kubernetes/dev/
+      title: AllardDCS PROD-cluster
+  docs:
+    - url: ./README.md
+spec:
+  type: service
+  lifecycle: production
+  owner: group:default/allarddcs
+    - ./postgres16/catalog-info.yaml
+    - ./mattermost/catalog-info.yaml
+    - ./nginx/catalog-info.yaml
+    - ./wordpress/catalog-info.yaml
+    - ./spreed/catalog-info.yaml
+    - ./traefik/catalog-info.yaml
+    - ./postgres14/catalog-info.yaml
+    - ./dnsutils/catalog-info.yaml
+    - ./nextcloud/catalog-info.yaml
+    - ./drupal/catalog-info.yaml
+    - ./bookstack/catalog-info.yaml
+    - ./mariadb/catalog-info.yaml
+    - ./kubernetes/catalog-info.yaml
+    - ./pgadmin/catalog-info.yaml
+    - ./nodejs/catalog-info.yaml
+    - ./matterbridge/catalog-info.yaml
+    - ./postgres13/catalog-info.yaml
+    - ./phpmyadmin/catalog-info.yaml
+    - ./xwiki/catalog-info.yaml

prod/dnsutils/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-dnsutils
+  title: Dnsutils (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/dnsutils/dnsutils.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dnsutils
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: dnsutils
+  namespace: dnsutils
+spec:
+  containers:
+  - name: dnsutils
+    image: registry.k8s.io/e2e-test-images/jessie-dnsutils:1.3
+    command:
+      - sleep
+      - "infinity"
+    imagePullPolicy: IfNotPresent
+  restartPolicy: Always

prod/drupal/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-drupal
+  title: Drupal (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/drupal/drupal.yaml

@@ -0,0 +1,146 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drupal
+  namespace: drupal
+  labels:
+    app: drupal
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: drupal
+  template:
+    metadata:
+      labels:
+        app: drupal
+    spec:
+      initContainers:
+        - name: init-sites-volume
+          image: drupal
+          command: ['/bin/bash', '-c']
+          args: ['chown www-data:www-data /var/www/html/sites -R']
+          volumeMounts:
+          - name: drupal-data
+            mountPath: /var/www/html/sites
+            subPath: sites
+      containers:
+        - name: drupal
+          image: drupal:8.6
+          imagePullPolicy: Always
+          env:
+          - name: ServerName
+            value: drupal-prod.alldcs.nl
+#          - name: GITEA__database__DB_TYPE
+#            value: mysql
+#          - name: GITEA__database__HOST
+#            value: mariadb.mariadb:3306
+#          - name: GITEA__database__NAME
+#            value: gitea
+#          - name: GITEA__database__USER
+#            value: gitea
+#          - name: GITEA__database__PASSWD
+#            value: gitea
+          ports:
+            - containerPort: 80
+          volumeMounts:
+            - name: drupal-data
+              mountPath: /var/www/html/modules
+              subPath: modules
+            - name: drupal-data
+              mountPath: /var/www/html/profiles
+              subPath: profiles
+            - name: drupal-data
+              mountPath: /var/www/html/themes
+              subPath: themes
+            - name: drupal-data
+              mountPath: /var/www/html/sites
+              subPath: sites
+      volumes:
+        - name: drupal-data
+          persistentVolumeClaim:
+            claimName: drupal-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: drupal
+  namespace: drupal
+  labels:
+    app: drupal
+spec:
+  sessionAffinity: None
+  ports:
+    - protocol: TCP
+      port: 80
+  selector:
+    app: drupal
+  type: LoadBalancer
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: drupal-tls
+  namespace: drupal
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`drupal-prod.alldcs.nl`)
+    kind: Rule
+    services:
+    - name: drupal
+      port: 80
+  tls:
+    certResolver: letsencrypt
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: drupal-http
+  namespace: drupal
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`drupal-prod.alldcs.nl`)
+    kind: Rule
+    services:
+    - name: drupal
+      port: 80
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: drupal-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/drupal/riscv
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: drupal-pvc
+  namespace: drupal
+spec:
+  storageClassName: ""
+  volumeName: drupal-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+
+

prod/grafana/README.md

@@ -0,0 +1,3 @@
+1) enable microk8s built-in observability
+2) apply ingressroute-tls (in namespace observability)
+3) log in with password: prom-operator

prod/grafana/ingressroute-tls.yaml

@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana-tls
+  namespace: observability
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`grafana-prod.allarddcs.nl`)
+    kind: Rule
+    services:
+    - name: kube-prom-stack-grafana
+      port: 80
+  tls:
+    certResolver: letsencrypt

prod/grafana/ingressroute-tls2.yaml

@@ -0,0 +1,16 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana-tls-alldcs
+  namespace: observability
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`grafana-prod.alldcs.nl`)
+    kind: Rule
+    services:
+    - name: kube-prom-stack-grafana
+      port: 80
+  tls:
+    certResolver: letsencrypt

prod/kubernetes/README.md

@@ -0,0 +1,17 @@
+3) microk8s enable dashboard
+2) creer account: kubectl apply -f ServiceAccount.yaml
+3) creeer clusterrolebinding: kubectl aply -f ClusterRoleBinding.yaml
+4) creeer ingressroute: kubectl apply -f Ingressroute-tls.yaml
+5) genereer token: 
+kubectl -n kube-system create token admin-user --duration=8544h
+
+Herinstallatie:
+
+na herinstallatie moet je de config opnieuw kopieren anders klopt het certificaat niet meer:
+
+sudo cp -i /var/snap/microk8s/current/credentials/client.config  ${HOME}/.kube/config
+
+sudo chown $(id -u):$(id -g) $HOME/.kube/configsudo chown $(id -u):$(id -g) $HOME/.kube/configsudo chown $(id -u):$(id -g) $HOME/.kube/configsudo chown $(id -u):$(id -g) $HOME/.kube/config
+
+
+

prod/kubernetes/TIPS.md

@@ -0,0 +1,38 @@
+#Als een pvc in de status "terminating" blijft hangen kan het volgende commando 
+#helpen:
+
+kubectl patch pvc {PVC_NAME} -p '{"metadata":{"finalizers":null}}'
+
+#Switchen van context:
+
+kubectl config set-context --current --namespace=tektontutorial
+
+#Als je bij uitvoeren van kubectl  "connection refused " krijgt
+#kunnen de volgende commando's helpen:
+
+sudo microk8s.refresh-certs --cert ca.crt
+sudo microk8s.refresh-certs --cert server.crt
+
+aanpassen clusternaam:
+
+nano /var/snap/micrk8s/current/credentials/client.config
+
+Daarna certificaten opnieuw genereren:
+
+sudo microk8s.refresh-certs --cert ca.crt
+sudo microk8s.refresh-certs --cert server.crt
+
+kubectl configuratie opnieuw genereren:
+
+microk8s.kubectl config view --raw > $HOME/.kube/config
+
+#metallb speaker permission errors 
+
+sudo nano /etc/apparmor.d/cri-containerd.apparmor.d
+network, 
+sudo apparmor_parser -r /etc/apparmor.d/cri-containerd.apparmor.d
+
+#volle schijf:
+
+sudo microk8s ctr images list -q | xargs -r sudo microk8s ctr images rm
+

prod/kubernetes/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-kubernetes
+  title: Kubernetes (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/kubernetes/cluster-issuer.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    email: admin@allarddcs.nl
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-account-key
+    solvers:
+    - http01:
+        ingress:
+          class: traefik

prod/kubernetes/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: admin-user
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: admin-user
+  namespace: kube-system

prod/kubernetes/create-token.sh

@@ -0,0 +1 @@
+microk8s kubectl -n kube-system create token admin-user --duration=8544h

prod/kubernetes/ingressroute-dashboard.yaml

@@ -0,0 +1,30 @@
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: kubernetes-dashboard-transport
+  namespace: kube-system
+
+spec:
+  serverName: kubernetes-dashboard
+  insecureSkipVerify: true
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kubernetes-dashboard-tls
+  namespace: kube-system
+spec:
+  entryPoints:                      # [1]
+    - websecure
+  routes:                           # [2]
+  - kind: Rule
+    match:   Host(`kubernetes-prod.allarddcs.nl`) # [3]
+    priority: 10                    # [4]
+    services:                       # [8]
+    - kind: Service
+      name: kubernetes-dashboard
+      namespace: kube-system
+      port: 443                      # [9]
+      serversTransport: kubernetes-dashboard-transport
+  tls:                              # [11]
+    certResolver: letsencrypt

prod/kubernetes/ingressroute-tls-prod.yaml

@@ -0,0 +1,31 @@
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: kubernetes-dashboard-transport
+  namespace: kube-system
+
+spec:
+  serverName: kubernetes-dashboard
+  insecureSkipVerify: true
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kubernetes-dashboard-tls
+  namespace: kube-system
+spec:
+  entryPoints:                      # [1]
+    - websecure
+  routes:                           # [2]
+  - kind: Rule
+    match:   Host(`kubernetes-prod.allarddcs.nl`) # [3]
+    priority: 10                    # [4]
+    services:                       # [8]
+    - kind: Service
+      name: kubernetes-dashboard
+      namespace: kube-system
+      port: 443                      # [9]
+      serversTransport: kubernetes-dashboard-transport
+  tls:                              # [11]
+    certResolver: letsencrypt

prod/kubernetes/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: admin-user
+  namespace: kube-system

prod/mariadb/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-mariadb
+  title: Mariadb (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/mariadb/create-secret.sh

@@ -0,0 +1 @@
+microk8s kubectl create secret generic mariadb-secret --from-file=username=./username.txt --from-file=password=./password.txt

prod/mariadb/login.sh

@@ -0,0 +1 @@
+microk8s kubectl exec -it mariadb-sts-0 -- mariadb -uroot -psecret -n databases

prod/mariadb/mariadb-prod.yaml

@@ -0,0 +1,81 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mariadb
+  namespace: mariadb
+  labels:
+    app: mariadb
+spec:
+  ports:
+  - port: 3306
+    name: mariadb-port
+  clusterIP: None
+  selector:
+    app: mariadb
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: mariadb-sts
+  namespace: mariadb
+spec:
+  serviceName: "mariadb"
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mariadb
+  template:
+    metadata:
+      labels:
+        app: mariadb
+    spec:
+      containers:
+      - name: mariadb
+        image: mariadb:10.11.4
+        ports:
+        - containerPort: 3306
+          name: mariadb-port
+        env:
+        - name: MARIADB_ROOT_PASSWORD
+          value: "jamesbrown"
+        - name: innodb_force_recovery
+          value: "1"
+        volumeMounts:
+        - name: datadir
+          mountPath: /var/lib/mysql/
+      volumes:
+      - name: datadir
+        persistentVolumeClaim:
+          claimName: mariadb-pvc
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: mariadb-pv
+  labels:
+    type: local
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 4Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/mariadb/prod/
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mariadb-pvc
+  namespace: mariadb
+spec:
+  storageClassName: ""
+  volumeName: mariadb-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 4Gi

prod/mariadb/password.txt

@@ -0,0 +1 @@
+secret

prod/mariadb/username.txt

@@ -0,0 +1 @@
+root

prod/matterbridge/bot-account.txt

@@ -0,0 +1,3 @@
+user: matrix
+password: Matrix01@
+key: xfxh83q14prftd61c4y4hiuw6w

prod/matterbridge/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-matterbridge
+  title: Matterbridge (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/matterbridge/logs.txt

@@ -0,0 +1,8 @@
+time="2025-02-28T11:15:19Z" level=info msg="Running version 1.26.1-dev c4157a4" prefix=main
+time="2025-02-28T11:15:19Z" level=info msg="WARNING: THIS IS A DEVELOPMENT VERSION. Things may break." prefix=main
+time="2025-02-28T11:15:19Z" level=info msg="Parsing gateway mygateway" prefix=router
+time="2025-02-28T11:15:19Z" level=info msg="Starting bridge: matrix.my-matrix " prefix=router
+time="2025-02-28T11:15:19Z" level=info msg="Connecting https://matrix-lp.allarddcs.nl" prefix=matrix
+time="2025-02-28T11:15:20Z" level=info msg="Connection succeeded" prefix=matrix
+time="2025-02-28T11:15:20Z" level=info msg="matrix.my-matrix: joining #mattermost (ID: #mattermostmatrix.my-matrix)" prefix=matrix
+time="2025-02-28T11:15:20Z" level=fatal msg="Starting gateway failed: Bridge matrix.my-matrix failed to join channel: contents=[123 34 101 114 114 99 111 100 101 34 58 34 77 95 85 78 75 78 79 87 78 34 44 34 101 114 114 111 114 34 58 34 35 109 97 116 116 101 114 109 111 115 116 32 119 97 115 32 110 111 116 32 108 101 103 97 108 32 114 111 111 109 32 73 68 32 111 114 32 114 111 111 109 32 97 108 105 97 115 34 125] msg=Failed to POST JSON to /_matrix/client/r0/join/#mattermost code=400 wrapped=M_UNKNOWN: #mattermost was not legal room ID or room alias" prefix=main

prod/matterbridge/matterbridge.yaml

@@ -0,0 +1,72 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: matterbridge
+  namespace: mattermost
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: matterbridge
+  template:
+    metadata:
+      labels:
+        app: matterbridge
+    spec:
+      containers:
+        - name: matterbridge
+          image: 42wim/matterbridge:latest
+          volumeMounts:
+            - name: config-volume
+              mountPath: /etc/matterbridge
+      volumes:
+        - name: config-volume
+          configMap:
+            name: matterbridge-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: matterbridge
+  namespace: mattermost
+spec:
+  selector:
+    app: matterbridge
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 4242
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: matterbridge-config
+  namespace: mattermost
+data:
+  matterbridge.toml: |
+    [general]
+    RemoteNickFormat="{NICK}"
+
+    [matrix]
+    [matrix.my-matrix]
+    Server="https://matrix-lp.allarddcs.nl"
+    Login="mattermost"
+    Password="Matrix01@"
+    RemoteNickFormat="{NICK}"
+
+    [mattermost]
+    [mattermost.my-mattermost]
+    Server="mattermost-prod.allarddcs.nl"
+    Token="xfxh83q14prftd61c4y4hiuw6w"
+    Team="matrix"
+    RemoteNickFormat="{NICK}"
+
+    [[gateway]]
+    name="mygateway"
+    enable=true
+    [[gateway.inout]]
+    account="matrix.my-matrix"
+    channel="!UDCHpOSdDiIbbhoBrb:matrix-lp.allarddcs.nl"
+    [[gateway.inout]]
+    account="mattermost.my-mattermost"
+    channel="matrix"

prod/mattermost/README.md

@@ -0,0 +1,5 @@
+Nieuwe gebruikers toevoegen:
+
+- naar system console
+- signup
+- aanmelden aanzetten

prod/mattermost/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-mattermost
+  title: Mattermost (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/mattermost/mattermost.yaml

@@ -0,0 +1,144 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mattermost
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mattermost
+  namespace: mattermost
+  labels:
+    app: mattermost
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mattermost
+  template:
+    metadata:
+      labels:
+        app: mattermost
+    spec:
+      containers:
+      - name: mattermost
+        image: allardkrings/mattermost
+        env:
+        - name: DB_PORT_NUMBER
+          value: "3306"
+        - name: MM_SQLSETTINGS_DRIVERNAME
+          value: "mysql"
+        - name: MM_SQLSETTINGS_DATASOURCE
+          value: "mattermost:mattermost@tcp(mariadb.mariadb.svc.cluster.local:3306)/mattermost?charset=utf8mb4,utf8&readTimeout=30s&writeTimeout=30s"
+        - name: MM_USERNAME
+          value: "mattermost"
+        - name: MM_PASSWORD
+          value: "mattermost"
+        - name: MM_DBNAME
+          value: "mattermost"
+        - name: DOMAIN
+          value: "mattermost-prod.allarddcs.nl"
+        - name: MM_SERVICESETTINGS_SITEURL
+          value: "https://mattermost-prod.allarddcs.nl"
+        - name: PMA_HOST
+          value: mariadb.mariadb.svc.cluster.local
+        - name: PMA_PORT
+          value: "3306"
+        - name: MYSQL_ROOT_PASSWORD
+          value: "zabbix"
+        - name: TZ
+          value: "UTZ"
+        volumeMounts:
+        - mountPath: /mattermost/config
+          name: mattermost
+        - mountPath: /mattermost/data
+          name: mattermost
+        - mountPath: /mattermost/logs
+          name: mattermost
+        - mountPath: /mattermost/plugins
+          name: mattermost
+      volumes:
+      - name: mattermost
+        persistentVolumeClaim:
+          claimName: mattermost-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mattermost
+  namespace: mattermost
+spec:
+  ports:
+  - name: http
+    targetPort: 8065
+    port: 8065
+  selector:
+    app: mattermost
+  type: NodePort
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: mattermost-http
+  namespace: mattermost
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`mattermost-prod.allarddcs.nl`)
+    kind: Rule
+    services:
+    - name: mattermost
+      port: 8065
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: mattermost-tls
+  namespace: mattermost
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`mattermost-prod.allarddcs.nl`)
+    kind: Rule
+    services:
+    - name: mattermost
+      port: 8065
+  tls:
+    certResolver: letsencrypt
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: mattermost-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/mattermost
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mattermost-pvc
+  namespace: mattermost
+spec:
+  storageClassName: ""
+  volumeName: mattermost-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+

prod/nextcloud/README.md

@@ -0,0 +1,66 @@
+#Installeren:
+1. zorg dat mariadb draait
+2. kubectl apply -f 
+
+#NATS
+Neural Autonomic Transport System
+| Feature                    | Role of NATS in Nextcloud                 |
+| -------------------------- | ----------------------------------------- |
+| Real-time events           | Broadcast file/app events across services |
+| Microservice messaging     | Decouples internal communication          |
+| Push notifications         | Enables scalable mobile/web push          |
+| Scaling WebSocket services | Helps distribute WebSocket load           |
+#SPREED
+"Spread" + "Speed"
+Spreed started as a standalone WebRTC project, originally developed by the German company struktur AG.
+Struktur AG was later acquired by Nextcloud GmbH, and Spreed became tightly integrated with Nextcloud Talk.
+| Feature                    | Role of Spreed                                   |
+| -------------------------- | ------------------------------------------------ |
+| **Video & voice calls**    | Handles WebRTC signaling for 1:1 and group calls |
+| **Text chat**              | Powers chat rooms, messages, mentions, etc.      |
+| **Screensharing**          | Facilitates screen sharing over WebRTC           |
+| **TURN/STUN support**      | Helps users connect through firewalls/NATs       |
+| **Signaling server**       | Coordinates call setup between users             |
+| **Multiparty conferences** | Manages group call state and media routing       |
+The High-performance backend developed by our Partner Struktur AG available in their 
+GitHub organisation. 
+The High-performance backend itself consists of multiple modules, the most important ones 
+being a: 
+- signaling server and a 
+- WebRTC media gateway.
+
+Nextcloud Talk comes as an app within Nextcloud, but it needs 
+- Spreed (the WebRTC backend) and a 
+- TURN server for video and audio calls. The best practice is to set up Coturn for this.
+
+#TURN server: 
+This acts as a fallback for peer-to-peer connections if direct connection fails.
+A TURN server is used to proxy the traffic from participants behind a firewall. 
+If individual participants cannot connect to others a TURN server is most likely required
+Voor Matrix en Nextcloud gebruiken we coturn. coturn draait in cluster LattePanda en is door traefik exposed op poorten:
+
+ - name: turn-udp
+containerPort: 3478
+protocol: UDP
+ - name: turn-tcp
+containerPort: 3478
+protocol: TCP
+ - name: turns-tcp
+containerPort: 5349
+protocol: TCP
+
+#STUN server: 
+This is used to discover the public IP address of a client when it's behind a NAT (e.g., router).
+
+#Handige commando's:
+
+kubectl exec -n nextcloud -it deployment/nextcloud -- cat /var/www/html/config/config.php
+
+#Upgrade:
+kubectl exec -it nextcloud-55b6c999bd-pzwxb -n nextcloud  -- php /var/www/html/occ upgrade
+
+5-10-2025: upgrade naar 32.0.0
+
+
+
+

prod/nextcloud/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-nextcloud
+  title: Nextcloud (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/nextcloud/logs

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+NAMESPACE="nextcloud"
+
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 <nextcloud|spreed>"
+    exit 1
+fi
+
+APP_NAME=$1
+
+if [[ "$APP_NAME" != "nextcloud" && "$APP_NAME" != "spreed" ]]; then
+    echo "Error: Invalid argument. Use 'nextcloud' or 'spreed'."
+    exit 1
+fi
+
+POD_NAME=$(microk8s kubectl get pods -n $NAMESPACE -l app=$APP_NAME -o jsonpath='{.items[0].metadata.name}')
+
+if [ -z "$POD_NAME" ]; then
+    echo "Error: No pod found for app=$APP_NAME in namespace $NAMESPACE"
+    exit 1
+fi
+
+echo "Fetching logs for pod: $POD_NAME"
+microk8s kubectl logs -n $NAMESPACE $POD_NAME

prod/nextcloud/nats.yaml

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nats
+  namespace: nextcloud
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nats
+  template:
+    metadata:
+      labels:
+        app: nats
+    spec:
+      containers:
+        - name: nats
+          image: nats:latest
+          ports:
+            - containerPort: 4222
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nats
+  namespace: nextcloud
+spec:
+  selector:
+    app: nats
+  ports:
+    - name: client
+      port: 4222
+      targetPort: 4222

prod/nextcloud/nextcloud-certificate/README.md

@@ -0,0 +1,45 @@
+AANMAKEN CERTIFICAAT:
+
+Uitleg:
+
+omdat traefik de TLS interrupt doet moet Nextcloud Traefik vertrouwen. 
+Er komt immers alleen http verkeer bij Nextcloud binnen.
+Verkeer van buiten moet echter wel weten dat het echt met  Nextcloud praat. 
+Daarom werkt het Trafik default certificate ook niet. 
+Je moet dus een eigen certificaat aanmaken voor nextcloud-prod.allard.dcs. 
+Dit doe je in mijn geval via cert-manager die op zijn beurt de cert-issuer Letstencrypt gebruikt. In je route geef je dan ipv TLS Letsencrypt de naam van het secret op dat je certificaat bevat. Dus Traefik doet nog steeds de TLS-interrupt, 
+maar gebruikt daarbij het Nextcloud certificaat i.p.v. het default certificaat.
+
+
+2.Maak certificaat aan:
+
+kubectl apply -f certificate.yaml
+
+3.Updaten route:
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nextcloud
+  namespace: traefik
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`nextcloud-prod.allarddcs.nl`)
+      kind: Rule
+      services:
+        - name: nextcloud
+          port: 80
+  tls:
+    secretName: nextcloud-prod.allarddcs.nl
+
+4.herstarten traefik:
+
+kubectl rollout restart deployment traefik -n traefik
+
+5: checken certificaat issuer:
+
+openssl s_client -connect nextcloud-prod.allarddcs.nl:443 -servername nextcloud-prod.allarddcs.nl | openssl x509 -noout -text | grep "Issuer:"
+
+Dit mag nu niet meer TRAEFIK DEFAULT CERTIFICATE zijn.

prod/nextcloud/nextcloud-certificate/certificate.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nextcloud-prod.allarddcs.nl
+  namespace: nextcloud
+spec:
+  dnsNames:
+  - nextcloud-prod.allarddcs.nl
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: letsencrypt
+  secretName: nextcloud-prod.allarddcs.nl
+  usages:
+  - digital signature
+  - key encipherment

prod/nextcloud/nextcloud-certificate/check-sertificate.sh

@@ -0,0 +1 @@
+openssl s_client -connect nextcloud-prod.allarddcs.nl:443 -servername nextcloud-prod.allarddcs.nl | openssl x509 -noout -text | grep "Issuer:"

prod/nextcloud/nextcloud-certificate/nextcloud-selfsigned.crt

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFLTCCAxWgAwIBAgIUPO3LZvWoawNHGXyTzL706CRIeWEwDQYJKoZIhvcNAQEL
+BQAwJjEkMCIGA1UEAwwbbmV4dGNsb3VkLXByb2QuYWxsYXJkZGNzLm5sMB4XDTI1
+MDIwNjA4MDMzNVoXDTI2MDIwNjA4MDMzNVowJjEkMCIGA1UEAwwbbmV4dGNsb3Vk
+LXByb2QuYWxsYXJkZGNzLm5sMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
+AgEAnN/IBA7l6Np7DV9olpGStpVyFc//o/78sp+rtHQB+U8ipqx3IB9gnMLhwPMb
+WhUczE/3uAv4FXHmC1BHgC791fVFaG0EnTvnQ/lgQUA6YxWMqVD/DeXdOwpbvR8z
+5i5ej/+R9NJU1Z+bHFs7qezyjt32woqU/AcbppIqSaotqOMg8VXa0JAWoDREGAvj
+i2mrQuVjJtDCb3VtCsCy0QjrxFUuWkL1mlbMbu7eK7nNAayLT3EXnyL/aqk1ehlw
+NBmhpHH8w5JgF7lhOzhb79JiiIu8TmvFiSkVJ+5b8Vshq2VbGIOVi9d9O5vzLYsO
+96EGtC6je8MdrWrOscnVnlU6QBiCx0zIAUEcmZJGBM9EGObJ99tiGLyjyhAAT3yS
+2AUpnRx1t0NSugT5/TDokfMWAfPrcvy7YL557V82Nj0GWlfJAKf9mFyCvqkLNDpr
+2XUaecAkXFYXYYHh6CPOcGhxIvKeoWvxUVVucIQ4AEWstnRvpX9dxdWTmnIJ3mwI
+f5BO/UqwuEhIMPOSHcK1f1WALGqySYRynVR3woMZe0d1fEqjUa90QGrBlzkZGC7m
+qQ/s66la61Za4Z2xpLf+bpIWF58i3QrTgML+J4/2eukDBoHEGuRw/eT0Q1Nm273k
+P0285RVB7Ajfjz6H0GpY0biF7A4qUtQQFMiTaj6v8+uerIsCAwEAAaNTMFEwHQYD
+VR0OBBYEFLpljsx8toJnnXd2DbN4JNg7xfoVMB8GA1UdIwQYMBaAFLpljsx8toJn
+nXd2DbN4JNg7xfoVMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB
+ADVC+HEVR4O+xxHLCcYC2L6z4unKG03oFEglqwPYYPrBX05yhrY3hCE4poWDRi4s
+o+Mlan01yPIHKVN/YnlRvwsTqlyZGeQ1proFWOYAEC5e/iuEkZUlFkscaI74FcQH
+yw0B61He2nDi7xIWJZdzxZngnYvZ/A7GkmM9Bb+7sPfc/CBOkRLab7+OT93pNR7i
+dMcNaRuMbdSQPIxO4J04Zzf8ecb7ueuxcNrZcAPO0g0gBvnY/YC5tCTnhtASX2mq
+mroPi+u1YHXvUS+gBZmVE1DeFRhmtv40r9oosa/15zNJV/ORlK9ibiS5m0ykyBZP
+aPSmHfjLc0RXMCRqxs4SSr1wHwM+WLquuX4IpnpkS9fuxRl8MLdHx0xXvAPg8/pW
+0rk5+aaDUWrU5Uli+6cYelzVUAEtwXKBg3wiclk7v3QIdtTLDCmYg8J5SIVb+X9+
+o8BQH9V6x6h0MDobZeX972gs4bxDmYFAD4eXAb78FFFDLE8EFzS/LgnPLsuaE9Yg
+fMYJ3xzXxSb1Q52yT8L/fxfJlNQ9m0rS3klCJJCffzRCCV9pf/zeP5A9aaRm5gvR
+rL158acXwbQh/u02HyO6eGQZp4GePEQolbJPUuVCl6hEtQiszTl0VjAExnWGbu/3
+Xv79AAS75T7uyjezSpx7Ts6EK4FYz8bxb5zJyTMn86v/
+-----END CERTIFICATE-----

prod/nextcloud/nextcloud-certificate/nextcloud-selfsigned.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCc38gEDuXo2nsN
+X2iWkZK2lXIVz/+j/vyyn6u0dAH5TyKmrHcgH2CcwuHA8xtaFRzMT/e4C/gVceYL
+UEeALv3V9UVobQSdO+dD+WBBQDpjFYypUP8N5d07Clu9HzPmLl6P/5H00lTVn5sc
+Wzup7PKO3fbCipT8BxumkipJqi2o4yDxVdrQkBagNEQYC+OLaatC5WMm0MJvdW0K
+wLLRCOvEVS5aQvWaVsxu7t4ruc0BrItPcRefIv9qqTV6GXA0GaGkcfzDkmAXuWE7
+OFvv0mKIi7xOa8WJKRUn7lvxWyGrZVsYg5WL1307m/Mtiw73oQa0LqN7wx2tas6x
+ydWeVTpAGILHTMgBQRyZkkYEz0QY5sn322IYvKPKEABPfJLYBSmdHHW3Q1K6BPn9
+MOiR8xYB8+ty/LtgvnntXzY2PQZaV8kAp/2YXIK+qQs0OmvZdRp5wCRcVhdhgeHo
+I85waHEi8p6ha/FRVW5whDgARay2dG+lf13F1ZOacgnebAh/kE79SrC4SEgw85Id
+wrV/VYAsarJJhHKdVHfCgxl7R3V8SqNRr3RAasGXORkYLuapD+zrqVrrVlrhnbGk
+t/5ukhYXnyLdCtOAwv4nj/Z66QMGgcQa5HD95PRDU2bbveQ/TbzlFUHsCN+PPofQ
+aljRuIXsDipS1BAUyJNqPq/z656siwIDAQABAoICAAGyxIISvTdzohBnf4Tdx5ZV
+cNo+mbhnSsoOQ3gdJ2ZRDoF6bYG6BTw9Od9yYlHr15d4qChkbMeip4ho0pVXLOVT
+lfBG+d1P6DWKrhmWvesTsSWmHFTEr8vzVUHrZA7yYpCxhh1953A2naHFdRRmXcvh
+KEo74NgHpat8epu4jWz+JH2oXcmTPcN3PWN7QXfhaXq8bAHgEbLONSOAKY9sxsyl
+1W4hunH0zZrH2Dzl8ou5l/qAsW5GHTjE4zDStK3Dt0XF/CQL4iFvntdayVgD0ZBD
+3wKEVSuid7mqcXFf+LHX05Ak4IoWh6MNEallD4Dry9xIgvmUh644cUtocXkY2BwU
+MK8yg33uYw4CKKB/tQLWhcOROAqU1VBkiqXVprbWwXtZo6EvdA+eAmHxsuYdAC/l
+S/lLyew9nyT69RkDJpXE7C6nZ3ut0wfRs8VAwWnr7JtYPbYosjZ4ACzADFnUWkJt
+DUxivk58Ew/AH8saDQfaVTcO2J4R8T8VupBh7axzNKJG2E/zt/53BPa1Iy7/DDtd
+AIQeRt1G2t/qWznQ+7c9HelGFoUjVAAAj2vUCaYe8WdyNcwG0Powqf6s1jZ9rRU9
+KSFrAbygNeHiq4VzS7D+0N93nvZqstLxvnuTGFD8T6Q1B9FbFuA4mevyQRBFE5SF
+WIDQ4c/RU5VtQEvAt7FxAoIBAQDNla5rP7qqR40PnHKpuqCShG8xzdm/gc2FkE/b
+BUb25h/S2kPFCSGasPLpL/F0m3v4mx6jiMyRAdQVxOHV2bs0RdL2V3z65+swCfNf
+ESvTOAsGDIH4BbrqWwOSonSTFL006T2ACXDArvmYd4572KZ2B8Qv3Pp1TO4i1j3z
+/HBoi3F7FwZaYGZT1pVWAkoXCDQj46QSz7Cgo6zR1lhKiQkPcqpAVlFghLfTiEdz
+obeOX8oDdmKyh6SkJIiZ//VNivdBgL/TmBD0ZdNXnf+6Ys8iww+sWobAPgPva7Bl
+TNgZzH0HEXwC8i8DZh0s1oCdAbaFuisalzGtqUHwqMQDQD2RAoIBAQDDWB7DVfYr
+rKzRF2IJke7YeXWLl5DCW3SQjohF40Or0zyoVEDEvQgQFL0JLQ7wv9ZzJvt+GjaH
+iNcKRYBVR1nb6Fw1TDu+cI8DhsWg13UK30S/H9O5w0s6YlwY+62knlOWepl84pAp
+Y1a9u0+/UR7WJm5eO7plZMqggyWdArjIek56xrCnvvPuxv9HCKxpJKcwTLVlA5q3
+vihfIBM3i32TLOeo7A81IBGHVGstHY6b4ch8IW0tS5GJFwAIvwgxCFxanQjHrwfp
+HLbigTXKcqX1gzJeuHV2K3Y10qSNfZNbZxvcYyxnQ63+0tgpHorJqj1/aLM4y3E3
+op/LgyBjPypbAoIBADdN0tPrGu3/vYS7k2TxXYzMr5T4SWFpK76IadMDgmmc0mbI
+bH6uzClu/ImaahvyT9E6+W0Iue8wTLtmcVIz9lZDilLWijp89RnBM4UZe26gnuaL
+qtLrx7KPtVBW/4EpjRSUwgSVhY1wBJjtYJkUWQNbZ31wtrejcFRSyeu+twaIrIhu
+UzkwwZZAHYA7sW6suEoHTPX6hQtRvIXeYXX7k0JimEYiclXCnij7ei0zDcvxHMj9
+qeNY9gNqCI1U+8pWXdlzJydmuvjkA4yIZmjfd9VkH+0/lQxWInzfvV4i4+dcyS2D
+mJa6S8dgSuzq70JNWapzwHCwx55t790rqT8uouECggEAZjLBDXL4sorJcy7nlJgr
+vEd3Lsvh6T0Ns99N/jpTGh8OmgZSSFuZT0h6ScWwDlZfLKmVY7j1FF2MG4yXAoas
+xXdAXoX+r7iVqcOlu2tdiY2bmt5c19ALmIUDJ/LsOra2hoCnsoWZ5H1bUTIhG7em
+CWXb0iMvdoKP3AAg+o8E+6W5T1SJ8Yjed+rWfWRVR0Ds00EembWUCVNMLdBLHYE1
+9nzEykSOBD49zW5mEBlplbY/PGoEg3EIuA83blv7PiPgpWuIv2ecHOJv7/qnmL34
+g4TbImEg2u0MEEae3oN3R5efJOMhxPjMnAfVHVYkSDNvryuosCsHlZLYRRHaLPJM
+BwKCAQAl06bCvDxbRONlnlMss/NOpx28IMgqSoM8jGYFy/hXni/PXrySZ9KurtE7
+PGaccgzUxJsZxDLuQuqgZ2XDu+TfwDKitjJq3bmIQPq3c0vp5hCL1WnWOuLstjpP
+xUxZwXXIHdTeKeTnIQchvPFt7a6EZxXDmKtwYtNLVeORsmhMnjpl0oR11sT7c8ea
+PP6+uYzKwPUNcT39HQPAEkevN0oAEqSJZHmEpsO2KLsvB1h5iM1lq70TNer7Slps
+x46utJPQA2Jqneb0lNHGBJGCJHUWH1UnCLlcC/QbQst+8bgU/jWST4ZJ4ReqcE9b
+94Uzs1ncbpaJSiptNhu74s1ivs25
+-----END PRIVATE KEY-----

prod/nextcloud/nextcloud.yaml

@@ -0,0 +1,258 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nextcloud
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nextcloud-prod.allarddcs.nl
+  namespace: nextcloud
+spec:
+  dnsNames:
+  - nextcloud-prod.allarddcs.nl
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: letsencrypt
+  secretName: nextcloud-prod.allarddcs.nl
+  usages:
+  - digital signature
+  - key encipherment
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nextcloud                  # < name of the deploymentand reference
+  namespace: nextcloud
+  labels:
+    app: nextcloud                 # < label for tagging and reference
+spec:
+  replicas: 1                      # < number of pods to deploy
+  selector:
+    matchLabels:
+      app: nextcloud
+  strategy:
+    rollingUpdate:
+      maxSurge: 1                  # < The number of pods that can be created above the desired amount of pods during an update
+      maxUnavailable: 1            # < The number of pods that can be unavailable during the update process
+    type: RollingUpdate            # < New pods are added gradually, and old pods are terminated gradually
+  template:
+    metadata:
+      labels:
+        app: nextcloud
+    spec:
+      containers:
+      - image: nextcloud
+        name: nextcloud                    # < name of container
+        imagePullPolicy: Always            # < always use the latest image when creating container/pod
+        env:                               # < environment variables. See https://hub.docker.com/r/linuxserver/nextcloud
+        - name: PGID
+          value: "1000"                    # < group "ubuntu"
+        - name: PUID
+          value: "1000"                    # < user "ubuntu"
+        - name: MYSQL_HOST
+          value: mariadb.mariadb.svc.cluster.local
+        - name: MYSQL_DATABASE
+          value: "nextcloud"
+        - name: MYSQL_USER
+          value: "nextcloud"
+        - name: MYSQL_PASSWORD
+          value: "nextcloud"
+        - name: MYSQL_ROOT_PASSWORD
+          value: "zabbix"
+        - name: NEXTCLOUD_HOSTNAME
+          value: "nextcloud-prod.allarddcs.nl"
+        - name: TZ
+          value: Europe/Amsterdam
+        - name: OVERWRITEPROTOCOL
+          value: "https"
+        - name: APACHE_SERVER_NAME
+          value: "nextcloud-prod.allarddcs.nl"
+        ports:
+         - containerPort: 80              # < required network portnumber. See https://hub.docker.com/r/linuxserver/nextcloud
+           name: http
+           protocol: TCP
+        volumeMounts:                      # < the volume mount in the container. Look at the relation volumelabel->pvc->pv
+         - name: nfs-nextcloud
+           mountPath: /var/www/html
+           subPath: html
+         - name: nfs-nextcloud
+           mountPath: /var/www/html/data
+           subPath: data
+         - name: nfs-nextcloud
+           mountPath: /var/www/html/config
+           subPath: config
+         - name: nfs-nextcloud
+           mountPath: /var/www/html/custom_apps
+           subPath: nextapps
+         - name: nfs-nextcloud
+           mountPath: /etc/apache2/apache2.conf
+           subPath: apache2.conf
+      volumes:
+      - name: nfs-nextcloud                # < linkname of the volume for the pvc
+        persistentVolumeClaim:
+          claimName: nextcloud-pvc         # < pvc name we created in the previous yaml
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: nextcloud                          # < name of the service
+  namespace: nextcloud
+spec:
+  selector:
+    app: nextcloud                         # < reference to the deployment (connects service with the deployment)
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nextcloud-http
+  namespace: nextcloud
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`nextcloud-prod.allarddcs.nl`)
+      kind: Rule
+      services:
+        - name: nextcloud
+          port: 80
+      middlewares:
+        - name: redirect-to-https
+          namespace: nextcloud
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nextcloud-tls
+  namespace: nextcloud
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`nextcloud-prod.allarddcs.nl`)
+      kind: Rule
+      services:
+        - name: nextcloud
+          port: 80
+      middlewares:
+        - name: nextcloud-headers
+          namespace: nextcloud
+  tls:
+    secretName: nextcloud-prod.allarddcs.nl
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nextcloud-well-known
+  namespace: nextcloud
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`nextcloud-prod.allarddcs.nl`) && PathPrefix(`/.well-known`)
+    kind: Rule
+    middlewares:
+    - name: nextcloud-well-known-redirect
+      namespace: nextcloud
+    services:
+    - name: nextcloud
+      port: 80
+  tls:
+    secretName: nextcloud-prod.allarddcs.nl
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nextcloud-talk
+  namespace: nextcloud
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`nextcloud-prod.allarddcs.nl`) && PathPrefix(`/nextcloud/apps/spreed`)
+      kind: Rule
+      services:
+        - name: nextcloud
+          port: 80
+      middlewares:
+        - name: nextcloud-headers
+          namespace: nextcloud
+  tls:
+    secretName: nextcloud-prod.allarddcs.nl
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: nextcloud-headers
+  namespace: nextcloud
+spec:
+  headers:
+    stsSeconds: 31536000
+    stsIncludeSubdomains: true
+    stsPreload: true
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
+      Connection: "Upgrade"
+      Upgrade: "websocket"
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-to-https
+  namespace: nextcloud
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: nextcloud-well-known-redirect
+  namespace: nextcloud
+spec:
+  redirectRegex:
+    regex: "https://(.*)/.well-known/(card|cal)dav"
+    replacement: "https://${1}/remote.php/dav/"
+    permanent: true
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: nextcloud-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/nextcloud
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nextcloud-pvc
+  namespace: nextcloud
+spec:
+  storageClassName: ""
+  volumeName: nextcloud-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 10Gi
+

prod/nextcloud/spreed-certificate/spreed-certificate.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: spreed-prod.allarddcs.nl
+  namespace: nextcloud
+spec:
+  secretName: spreed-prod.allarddcs.nl
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - spreed-prod.allarddcs.nl

prod/nextcloud/spreed.yaml

@@ -0,0 +1,152 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: spreed-prod.allarddcs.nl
+  namespace: nextcloud
+spec:
+  secretName: spreed-prod.allarddcs.nl
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - spreed-prod.allarddcs.nl
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spreed
+  namespace: nextcloud
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: spreed
+  template:
+    metadata:
+      labels:
+        app: spreed
+    spec:
+      containers:
+        - name: spreed
+          image: ghcr.io/strukturag/nextcloud-spreed-signaling:latest
+          ports:
+            - containerPort: 3478
+            - containerPort: 5349
+            - containerPort: 8443
+            - containerPort: 8080
+          volumeMounts:
+            - mountPath: /var/run
+              name: spreed-socket
+            - mountPath: /etc/tls
+              name: spreed-prod-cert
+              readOnly: true
+            - name: spreed-config
+              mountPath: /config/server.conf  # Mount location inside the container
+              subPath: server.conf  # Ensure we only mount the file, not the entire directory
+      volumes:
+        - name: spreed-socket
+          emptyDir: {}
+        - name: spreed-prod-cert
+          secret:
+            secretName: spreed-prod.allarddcs.nl
+        - name: spreed-config
+          persistentVolumeClaim:
+            claimName: spreed-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: spreed
+  namespace: nextcloud
+spec:
+  type: ClusterIP
+  selector:
+    app: spreed
+  ports:
+    - name: websocket-web
+      protocol: TCP
+      port: 8080
+      targetPort: 8080
+    - name: websocket
+      protocol: TCP
+      port: 8443
+      targetPort: 8443
+    - name: stun-port
+      protocol: TCP
+      port: 3478
+      targetPort: 3478
+    - name: signaling-port
+      protocol: TCP
+      port: 5349
+      targetPort: 5349
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: spreed-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/spreed
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: spreed-pvc
+  namespace: nextcloud
+spec:
+  storageClassName: ""
+  volumeName: spreed-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: spreed
+  namespace: nextcloud
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`spreed-prod.allarddcs.nl`)
+      kind: Rule
+      services:
+        - name: spreed
+          port: 8080
+      middlewares:
+        - name: websocket-headers
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: websocket-headers
+  namespace: nextcloud
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
+    customResponseHeaders:
+      Connection: "Upgrade"
+      Upgrade: "websocket"
+    accessControlAllowMethods:
+      - GET
+      - OPTIONS
+      - POST
+    accessControlAllowHeaders:
+      - "*"
+

prod/nginx/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-nginx
+  title: Nginx (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/nginx/nginx-prod.yaml

@@ -0,0 +1,101 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nginx
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: nginx-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/nginx-prod
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nginx-pvc
+  namespace: nginx
+spec:
+  storageClassName: ""
+  volumeName: nginx-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+  namespace: nginx
+  labels:
+    app: nginx
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        volumeMounts:
+        - mountPath: /usr/share/nginx/html
+          name: nginx
+          subPath: html
+        ports:
+        - containerPort: 80
+      volumes:
+      - name: nginx
+        persistentVolumeClaim:
+          claimName: nginx-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx
+  namespace: nginx
+  labels:
+    name: nginx
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      name: http
+  selector:
+    app: nginx
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx-tls-alldcs
+  namespace: nginx
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`nginx-prod.alldcs.nl`)
+    kind: Rule
+    services:
+    - name: nginx
+      port: 80
+  tls:
+    certResolver: letsencrypt

prod/nodejs/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-nodejs
+  title: Nodejs (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/nodejs/myfirstnodejsapp.yaml

@@ -0,0 +1,156 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nodejs
+  namespace: nodejs
+  labels:
+    app: nodejs
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nodejs
+  template:
+    metadata:
+      labels:
+        app: nodejs
+    spec:
+      containers:
+      - name: nodejs
+        image: allardkrings/myfirstnodejsapp
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nodejs
+  namespace: nodejs
+  labels:
+    app: nodejs
+spec:
+  ports:
+  - port: 8080
+    protocol: TCP
+  selector:
+    app: nodejs
+  type: ClusterIP
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nodejs-tls
+  namespace: nodejs
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`nodejs-prod.alldcs.nl`)
+    kind: Rule
+    services:
+    - name: nodejs
+      port: 8080
+  tls:
+    certResolver: letsencrypt
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nodejs-http
+  namespace: nodejs
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`nodejs-prod.alldcs.nl`)
+    kind: Rule
+    services:
+    - name: nodejs
+      port: 8080
+---
+apiVersion: apps/v1
+kind: ReplicaSet
+metadata:
+  labels:
+    app: mongodb
+  name: mongodb
+  namespace: nodejs
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mongodb
+  template:
+    metadata:
+      labels:
+        app: mongodb
+    spec:
+      containers:
+      - image: mongodb/mongodb-community-server
+        name: mongodb
+#        args: ["--dbpath","/data/db"]
+        env:
+        - name: MONGO_INITDB_ROOT_USERNAME
+          value: admin
+        - name: MONGO_INITDB_ROOT_PASSWORD
+          value: Mongodb01
+        volumeMounts:
+        - name: "mongo-data-dir"
+          mountPath: "/data/db"
+      volumes:
+      - name: "mongo-data-dir"
+        persistentVolumeClaim:
+          claimName: "nodejs-pvc"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: mongodb
+  name: mongodb
+  namespace: nodejs
+spec:
+  ports:
+  - port: 27017
+    protocol: TCP
+    targetPort: 27017
+  selector:
+    app: mongodb
+  type: ClusterIP
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: nodejs-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/nodejsapp
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nodejs-pvc
+  namespace: nodejs
+spec:
+  storageClassName: ""
+  volumeName: nodejs-pv
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+
+

prod/nodejs/nodejs.yaml

@@ -0,0 +1,156 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nodejs
+  namespace: nodejs
+  labels:
+    app: nodejs
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nodejs
+  template:
+    metadata:
+      labels:
+        app: nodejs
+    spec:
+      containers:
+      - name: nodejs
+        image: allardkrings/nodejs
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nodejs
+  namespace: nodejs
+  labels:
+    app: nodejs
+spec:
+  ports:
+  - port: 8080
+    protocol: TCP
+  selector:
+    app: nodejs
+  type: ClusterIP
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nodejs-tls
+  namespace: nodejs
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`nodejs-prod.alldcs.nl`)
+    kind: Rule
+    services:
+    - name: nodejs
+      port: 8080
+  tls:
+    certResolver: letsencrypt
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nodejs-http
+  namespace: nodejs
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`nodejs-prod.alldcs.nl`)
+    kind: Rule
+    services:
+    - name: nodejs
+      port: 8080
+---
+apiVersion: apps/v1
+kind: ReplicaSet
+metadata:
+  labels:
+    app: mongodb
+  name: mongodb
+  namespace: nodejs
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mongodb
+  template:
+    metadata:
+      labels:
+        app: mongodb
+    spec:
+      containers:
+      - image: mongodb/mongodb-community-server
+        name: mongodb
+#        args: ["--dbpath","/data/db"]
+        env:
+        - name: MONGO_INITDB_ROOT_USERNAME
+          value: admin
+        - name: MONGO_INITDB_ROOT_PASSWORD
+          value: Mongodb01
+        volumeMounts:
+        - name: "mongo-data-dir"
+          mountPath: "/data/db"
+      volumes:
+      - name: "mongo-data-dir"
+        persistentVolumeClaim:
+          claimName: "nodejs-pvc"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: mongodb
+  name: mongodb
+  namespace: nodejs
+spec:
+  ports:
+  - port: 27017
+    protocol: TCP
+    targetPort: 27017
+  selector:
+    app: mongodb
+  type: ClusterIP
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: nodejs-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/nodejsapp
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nodejs-pvc
+  namespace: nodejs
+spec:
+  storageClassName: ""
+  volumeName: nodejs-pv
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+
+

prod/pgadmin/README.md

@@ -0,0 +1,12 @@
+inloggen in pgadmin:
+
+user: allard@alldcs.nl
+password: Pgadmin01@
+
+connecting to servers:
+
+server: postgres13
+user zabbix
+passworrd: zabbix
+
+

prod/pgadmin/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-pgadmin
+  title: Pgadmin (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/pgadmin/pgadmin.yaml

@@ -0,0 +1,109 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pgadmin-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/pgadmin/prod
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pgadmin-pvc
+  namespace: postgres
+spec:
+  storageClassName: ""
+  volumeName: pgadmin-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pgadmin
+  namespace: postgres
+  labels:
+    app: pgadmin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pgadmin
+  template:
+    metadata:
+      labels:
+        app: pgadmin
+    spec:
+      containers:
+      - name: pgadmin
+        image: dpage/pgadmin4:9.5.0
+        ports:
+          - containerPort: 80
+        env:
+        - name: PGADMIN_DEFAULT_EMAIL
+          value: admin@allarddcs.nl
+        - name: PGADMIN_DEFAULT_PASSWORD
+          value: Pgadmin01@
+        volumeMounts:
+        - mountPath: /var/lib/pgadmin
+          name: pgadmin
+#        - mountPath: /etc/ssl/certs
+#          name: certs
+      volumes:
+      - name: pgadmin
+        persistentVolumeClaim:
+          claimName: pgadmin-pvc
+      - name: certs
+        secret:
+          secretName: cockroachdb.node
+          defaultMode: 256
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pgadmin
+  namespace: postgres
+  labels:
+    name: pgadmin
+spec:
+  selector:
+    app.kubernetes.io/name: pgadmin
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+  selector:
+    app: pgadmin
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: pgadmin-tls
+  namespace: postgres
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`pgadmin-prod.allarddcs.nl`)
+    kind: Rule
+    services:
+    - name: pgadmin
+      port: 80
+  tls:
+    certResolver: letsencrypt

prod/pgadmin/secret-cockroachdb-client-root.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKVENDQWcyZ0F3SUJBZ0lRV1FaUEZBWUE4bHlSSDU0OHlrWEJ6VEFOQmdrcWhraUc5dzBCQVFzRkFEQXIKTVJJd0VBWURWUVFLRXdsRGIyTnJjbTloWTJneEZUQVRCZ05WQkFNVERFTnZZMnR5YjJGamFDQkRRVEFlRncweQpOREEzTWpnd09USXpNVEphRncwek5EQTRNRFl3T1RJek1USmFNQ3N4RWpBUUJnTlZCQW9UQ1VOdlkydHliMkZqCmFERVZNQk1HQTFVRUF4TU1RMjlqYTNKdllXTm9JRU5CTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEEKTUlJQkNnS0NBUUVBcjNWSlk4ZEUzT0x2QjVTRWhOL1dQVlViUVQ1QVdad0hYMnhPbngyZ1VmU09VTEt1M1lJYgpwM09mNmc3SzR4TG4zVm14azJIeXQ3dlAzVUhEZVdFSnRiUjJoOVBjNldRdFZpK0ZsRldSU0owSjdQYS9TWVJ6CnZvTlk1REVybXRWbUhFSytZZEFzUG5IdVAvTyt6ZlVHaDBtSENxRFQzYzZCNFNNaGdYN2hGSTBySzBnaEErcjEKZWh5TUEraXdCVm1mYXRDaUdJMjVVV3lKOVVMVCt5L0FyT3hxTWlrdXc2bkVEbWJRQlA1bjRNdlZKdFc2YW1CUAozSnBWYzVhOTN4VHlKZWpKc1J2cHZxUzRHQ2FYYytRVyt1YTVqK0lSKzU3c0NFWmU3dnJPYy8yeVhIQzgzOHhVClBLQ3BVZjhENlZiUWlIeU1rMkdDbElxblA3UmxRa3BRclFJREFRQUJvMFV3UXpBT0JnTlZIUThCQWY4RUJBTUMKQXVRd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFUQWRCZ05WSFE0RUZnUVUvODhhRkZJWFZkZEllWnNKMVVzSQo2bHdvc0Q0d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJOEdKM2JvVmVwS3RaMllYWFhOT29HbGRPbytwS3FsCjE5Uk5jai9JOC8wUlp4OFk4WFFJdnFBRWxBWWZITi91WEtiZlhTVzVyaDE3cUI0aTgxa2VyR3ErWEwxRnBsMlQKdWJrWDY3MVFxamVFbzZHaDY2d2RwMTRzKzRMaUZGQkJGNDQ3K2ZJTVptV0tQc1N5ME80RklsYytHZ245SXFOdQozWHkyVFlXbmZoUWEvTzZDcXdkZVpEamNtSFhmanRpTjdSZFZsdlhidERVUk1NVnNjNDZjNlZsQW5Ic0Q1dThrCnBvMkF2THkzR1hRYUJFb01NNW1OTVJsSlBYeThPM1Y2ZjJoeFpTWUNFNWtrSmhFNXJkUkczR2ltYnhvN0crbisKaHVEcTFML3NHQjBJcmpOSnNPN0dMVVJwREROZFJVbmlCb1NGWWh5R3JaUnFDRkVuT0RLUXRocz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  client.root.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURJRENDQWdpZ0F3SUJBZ0lRV1V5SlNadzh0UjRaTzdiVjg3dm50REFOQmdrcWhraUc5dzBCQVFzRkFEQXIKTVJJd0VBWURWUVFLRXdsRGIyTnJjbTloWTJneEZUQVRCZ05WQkFNVERFTnZZMnR5YjJGamFDQkRRVEFlRncweQpOREEzTWpnd09USXpNak5hRncweU9UQTRNREl3T1RJek1qTmFNQ014RWpBUUJnTlZCQW9UQ1VOdlkydHliMkZqCmFERU5NQXNHQTFVRUF4TUVjbTl2ZERDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUIKQU40RHpoOTlsNi9ycWpvRlNKbWdQcWxoVHZWYk0rejRmZEVSTW9LT1VQSkhmVjdOMXhRMC9JL0htVkR4WW5RMwpCSVZucERmNnVpc1lVM0FHQkZPbGRFWk43bXlUaDhEaDZlTFlkM2RrSzY4VjVFQTNKU1VmK3lGNmgwNWQxRlg1CnJiMTV1MEFhallOMm1IVHRZenQwalZGR1pGbURocFRPN1hGbWQ2cGNmNmdqT2VVKyt0TjJHZFdFc3pVeUphSDEKM0tBSStBVjN4TFZra0U1Tk9NeU54dGF3R2Z6RjlmY2dFS0Z3Zmora0hOdFZEcnpFcDVaR2h0TlBrUXlyRTlXMwpndi85VkNwcHFnUGE3YzV1ajJTd3Btb3E0a1NMbXJ4ay9tL0FZbzFsWktYbjgxb2liODFyV2k2QWxSbDZjTjFyCllWd1VoOFZYTmFOL3h0YmhHemhGbU9rQ0F3RUFBYU5JTUVZd0RnWURWUjBQQVFIL0JBUURBZ1dnTUJNR0ExVWQKSlFRTU1Bb0dDQ3NHQVFVRkJ3TUNNQjhHQTFVZEl3UVlNQmFBRlAvUEdoUlNGMVhYU0htYkNkVkxDT3BjS0xBKwpNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFzOVlxSmppUTZTWExMZlBwMmdPMTQzZ0JlU2NvbGhqalpxREQrCmEwTkdyM3ZiaU9YcVB6b0JkVmhmNkN0a0RHZkh4OVIyaTFoNzBleDF5azBoczUrVjNLSUxqWmRSdUVSS2NoTXMKa3htWExhQll3UVAxT0dPNmVEbSt5STZ5bUdsNjg5QTc0ZEdXMWtrcElON3JkSVRZeXFGaHJLUUF2WjE4ODNlTgp0Uk9Vb0ZLa3R1SWNnTm9YY3BtU1UxaC9OK05EUUpwQzlsckRoWmxCSXlhbkVFTkwyRHBOdTNvU0gxVGcwUTFOCjVLdjd4dkRQREhoZnFJOWF1UkJ2Ky8zRExzeDNwMUtVZTljbHZSbGxxSllzOERXNEJFamxLNkRoS1ZIelFLK1QKSER3UVg3VXpIOHRoODNZd0FxMWZZVDlienBoZ2JrNnRoV3MrNDJDTGg5bG15SGg2Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  client.root.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBM2dQT0gzMlhyK3VxT2dWSW1hQStxV0ZPOVZzejdQaDkwUkV5Z281UThrZDlYczNYCkZEVDhqOGVaVVBGaWREY0VoV2VrTi9xNkt4aFRjQVlFVTZWMFJrM3ViSk9Id09IcDR0aDNkMlFycnhYa1FEY2wKSlIvN0lYcUhUbDNVVmZtdHZYbTdRQnFOZzNhWWRPMWpPM1NOVVVaa1dZT0dsTTd0Y1daM3FseC9xQ001NVQ3NgowM1laMVlTek5USWxvZlhjb0FqNEJYZkV0V1NRVGswNHpJM0cxckFaL01YMTl5QVFvWEIrUDZRYzIxVU92TVNuCmxrYUcwMCtSREtzVDFiZUMvLzFVS21tcUE5cnR6bTZQWkxDbWFpcmlSSXVhdkdUK2I4QmlqV1ZrcGVmeldpSnYKeld0YUxvQ1ZHWHB3M1d0aFhCU0h4VmMxbzMvRzF1RWJPRVdZNlFJREFRQUJBb0lCQVFDRG1JSFBES1NpcysrYwpvSkVkN212MS9pWE5MUmdrT0U1clkrUXFtcXpFVHpleXdCUGllRjNUNDUydTZzVk8yV1dtcFg0amFFeDlTdGY2CktMYmIxZENMODVtRlpoVXJjVDB2SnR2NU9yamgrUG5vVGtlSUwrS3RQM0dBTkFHdVRHWjlUdkI4Mk1CVTBqRWYKN2EzS0NoWFJ2UVd5UVZHK1ZzRkxYRTlGL2JuMU1JRkluaE8wYnJ1cHVRWUFZZlo5aXdXV2tNdWF6TUl4bmdhawpIV3lNQmxYZVdDbFdrc0R5STJQTy9EaUtLd1V3WmVWWVJDenVTYWpWVmhHS2Z3Z2tMd1pTRDVYKzh5N0hjemRFCmxVVUtLalJmdzQzQkxqTUt2bkM1QzBiYjJvdDlzbXprTXAwTVhWSk5ndzhDenQ1T2pxa2t5a0xiUE9nQ256bkkKcGdzZTBVRlpBb0dCQVBkOHB5K0x3WW85YWYvMHBXVmM1bUM5VVVQbm9sTXZRTGhENUJ0Qmg3ckMrM3ovUDUwNgpYLy92QnNURlZGb1VGMGFVWmQxd3J0WkNybkM0YnZ2M3ZKR0ZoN3J3anlvRUR6VGRXNXFxZXJWUGU1eHFwYVdaCkZ2bVJjVllsV0ZIbGFhK3dNNHhWMXVhK1VaR2Q3K1R6NzZndTI0azVWK1R6YVJnODJzR3dNaGxmQW9HQkFPV20KMlBTQkt4Y2NTTlU0dUpIVGFSQUl5dlYwSmhtYjl3NURaczN6ZjJZQVYvSHJSUUNLMlAxTENrTmFrNUIxdlo1cQpMck0vN0R2T3lCRngzNU9zbzQ0TmRaWEJqTExpVEdWL3RRazJsYVBhNFNuTWV5Z1N4N2M5ZUY2REQ3TlA2SGVHCkk0eHgxTE5Ed2Rud2RzZ3dhYnY1ZDd3UnFPa1JYU2QzSTBncTRFcTNBb0dCQU5vbUhwaGljRzhTUTJWQ21LZ0kKZzJteWR2ZU1MaUYwL1c5dktKcDk0TTVYSUtiRnQ2VTMxM2Naa3JYUDJ0S3I4dmhieG82eXpPcEFUTk0vUDFVSwp3a1RqbHdqSkV1ak9PemsyQlpFSHhMSWRKYkJ5c1NDUEdSbFRncnVVbjQxUTB4L3lDUDRpakJOSW4wM2tFWm1YCkRDRUxiS2hBeTZFY2pmNjNaWHhsZTBPeEFvR0FNNExWTHlLNTg1a1lqUnNINjAyc1J6aHhyZFM3cHdyZ3c0WkMKelBkTklDZjdrZnZmb2x1Q2lHNElnMHNSeGxsaWl1SHVUNjZLNG05aldPWmQ2OVhSYWMrRERIQTVpdlpQaElTOApxckJmcUQwMFBCZnRsL04rY0krTkxFWGhnNnJzemNKOHZzZlptY3djOHpHSXN5YUkwTzBIK2x0THM5dDlOWmozCmhQeDVDc2tDZ1lBNU1uaUwzK09OZWxxRzUwclVRbFI1a0N1amhOTHlXSmFab3RPRkp5Z2dDUjJBcE5nb3VEUXEKcktIK09OYTY2L1VCM0V2YnhORnZtdm1EbWdrcnQyRHA0SEx3bFNsQUF1K1NyRjFteGtNQ1JNdFZkdDNpRUhEaQo0ZjFJMHhGS0x1Y29Ld28wWStPdVcyelhyTHpsb3JQQW1seUNoNlpvd1RNUUcrMjcwTmw0Nnc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+kind: Secret
+metadata:
+  name: cockroachdb.client.root
+  namespace: postgres
+type: Opaque

prod/pgadmin/secret-cockroachdb-node.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+data:
+  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKVENDQWcyZ0F3SUJBZ0lRV1FaUEZBWUE4bHlSSDU0OHlrWEJ6VEFOQmdrcWhraUc5dzBCQVFzRkFEQXIKTVJJd0VBWURWUVFLRXdsRGIyTnJjbTloWTJneEZUQVRCZ05WQkFNVERFTnZZMnR5YjJGamFDQkRRVEFlRncweQpOREEzTWpnd09USXpNVEphRncwek5EQTRNRFl3T1RJek1USmFNQ3N4RWpBUUJnTlZCQW9UQ1VOdlkydHliMkZqCmFERVZNQk1HQTFVRUF4TU1RMjlqYTNKdllXTm9JRU5CTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEEKTUlJQkNnS0NBUUVBcjNWSlk4ZEUzT0x2QjVTRWhOL1dQVlViUVQ1QVdad0hYMnhPbngyZ1VmU09VTEt1M1lJYgpwM09mNmc3SzR4TG4zVm14azJIeXQ3dlAzVUhEZVdFSnRiUjJoOVBjNldRdFZpK0ZsRldSU0owSjdQYS9TWVJ6CnZvTlk1REVybXRWbUhFSytZZEFzUG5IdVAvTyt6ZlVHaDBtSENxRFQzYzZCNFNNaGdYN2hGSTBySzBnaEErcjEKZWh5TUEraXdCVm1mYXRDaUdJMjVVV3lKOVVMVCt5L0FyT3hxTWlrdXc2bkVEbWJRQlA1bjRNdlZKdFc2YW1CUAozSnBWYzVhOTN4VHlKZWpKc1J2cHZxUzRHQ2FYYytRVyt1YTVqK0lSKzU3c0NFWmU3dnJPYy8yeVhIQzgzOHhVClBLQ3BVZjhENlZiUWlIeU1rMkdDbElxblA3UmxRa3BRclFJREFRQUJvMFV3UXpBT0JnTlZIUThCQWY4RUJBTUMKQXVRd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFUQWRCZ05WSFE0RUZnUVUvODhhRkZJWFZkZEllWnNKMVVzSQo2bHdvc0Q0d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJOEdKM2JvVmVwS3RaMllYWFhOT29HbGRPbytwS3FsCjE5Uk5jai9JOC8wUlp4OFk4WFFJdnFBRWxBWWZITi91WEtiZlhTVzVyaDE3cUI0aTgxa2VyR3ErWEwxRnBsMlQKdWJrWDY3MVFxamVFbzZHaDY2d2RwMTRzKzRMaUZGQkJGNDQ3K2ZJTVptV0tQc1N5ME80RklsYytHZ245SXFOdQozWHkyVFlXbmZoUWEvTzZDcXdkZVpEamNtSFhmanRpTjdSZFZsdlhidERVUk1NVnNjNDZjNlZsQW5Ic0Q1dThrCnBvMkF2THkzR1hRYUJFb01NNW1OTVJsSlBYeThPM1Y2ZjJoeFpTWUNFNWtrSmhFNXJkUkczR2ltYnhvN0crbisKaHVEcTFML3NHQjBJcmpOSnNPN0dMVVJwREROZFJVbmlCb1NGWWh5R3JaUnFDRkVuT0RLUXRocz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  client.root.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURJRENDQWdpZ0F3SUJBZ0lRV1V5SlNadzh0UjRaTzdiVjg3dm50REFOQmdrcWhraUc5dzBCQVFzRkFEQXIKTVJJd0VBWURWUVFLRXdsRGIyTnJjbTloWTJneEZUQVRCZ05WQkFNVERFTnZZMnR5YjJGamFDQkRRVEFlRncweQpOREEzTWpnd09USXpNak5hRncweU9UQTRNREl3T1RJek1qTmFNQ014RWpBUUJnTlZCQW9UQ1VOdlkydHliMkZqCmFERU5NQXNHQTFVRUF4TUVjbTl2ZERDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUIKQU40RHpoOTlsNi9ycWpvRlNKbWdQcWxoVHZWYk0rejRmZEVSTW9LT1VQSkhmVjdOMXhRMC9JL0htVkR4WW5RMwpCSVZucERmNnVpc1lVM0FHQkZPbGRFWk43bXlUaDhEaDZlTFlkM2RrSzY4VjVFQTNKU1VmK3lGNmgwNWQxRlg1CnJiMTV1MEFhallOMm1IVHRZenQwalZGR1pGbURocFRPN1hGbWQ2cGNmNmdqT2VVKyt0TjJHZFdFc3pVeUphSDEKM0tBSStBVjN4TFZra0U1Tk9NeU54dGF3R2Z6RjlmY2dFS0Z3Zmora0hOdFZEcnpFcDVaR2h0TlBrUXlyRTlXMwpndi85VkNwcHFnUGE3YzV1ajJTd3Btb3E0a1NMbXJ4ay9tL0FZbzFsWktYbjgxb2liODFyV2k2QWxSbDZjTjFyCllWd1VoOFZYTmFOL3h0YmhHemhGbU9rQ0F3RUFBYU5JTUVZd0RnWURWUjBQQVFIL0JBUURBZ1dnTUJNR0ExVWQKSlFRTU1Bb0dDQ3NHQVFVRkJ3TUNNQjhHQTFVZEl3UVlNQmFBRlAvUEdoUlNGMVhYU0htYkNkVkxDT3BjS0xBKwpNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFzOVlxSmppUTZTWExMZlBwMmdPMTQzZ0JlU2NvbGhqalpxREQrCmEwTkdyM3ZiaU9YcVB6b0JkVmhmNkN0a0RHZkh4OVIyaTFoNzBleDF5azBoczUrVjNLSUxqWmRSdUVSS2NoTXMKa3htWExhQll3UVAxT0dPNmVEbSt5STZ5bUdsNjg5QTc0ZEdXMWtrcElON3JkSVRZeXFGaHJLUUF2WjE4ODNlTgp0Uk9Vb0ZLa3R1SWNnTm9YY3BtU1UxaC9OK05EUUpwQzlsckRoWmxCSXlhbkVFTkwyRHBOdTNvU0gxVGcwUTFOCjVLdjd4dkRQREhoZnFJOWF1UkJ2Ky8zRExzeDNwMUtVZTljbHZSbGxxSllzOERXNEJFamxLNkRoS1ZIelFLK1QKSER3UVg3VXpIOHRoODNZd0FxMWZZVDlienBoZ2JrNnRoV3MrNDJDTGg5bG15SGg2Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  client.root.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBM2dQT0gzMlhyK3VxT2dWSW1hQStxV0ZPOVZzejdQaDkwUkV5Z281UThrZDlYczNYCkZEVDhqOGVaVVBGaWREY0VoV2VrTi9xNkt4aFRjQVlFVTZWMFJrM3ViSk9Id09IcDR0aDNkMlFycnhYa1FEY2wKSlIvN0lYcUhUbDNVVmZtdHZYbTdRQnFOZzNhWWRPMWpPM1NOVVVaa1dZT0dsTTd0Y1daM3FseC9xQ001NVQ3NgowM1laMVlTek5USWxvZlhjb0FqNEJYZkV0V1NRVGswNHpJM0cxckFaL01YMTl5QVFvWEIrUDZRYzIxVU92TVNuCmxrYUcwMCtSREtzVDFiZUMvLzFVS21tcUE5cnR6bTZQWkxDbWFpcmlSSXVhdkdUK2I4QmlqV1ZrcGVmeldpSnYKeld0YUxvQ1ZHWHB3M1d0aFhCU0h4VmMxbzMvRzF1RWJPRVdZNlFJREFRQUJBb0lCQVFDRG1JSFBES1NpcysrYwpvSkVkN212MS9pWE5MUmdrT0U1clkrUXFtcXpFVHpleXdCUGllRjNUNDUydTZzVk8yV1dtcFg0amFFeDlTdGY2CktMYmIxZENMODVtRlpoVXJjVDB2SnR2NU9yamgrUG5vVGtlSUwrS3RQM0dBTkFHdVRHWjlUdkI4Mk1CVTBqRWYKN2EzS0NoWFJ2UVd5UVZHK1ZzRkxYRTlGL2JuMU1JRkluaE8wYnJ1cHVRWUFZZlo5aXdXV2tNdWF6TUl4bmdhawpIV3lNQmxYZVdDbFdrc0R5STJQTy9EaUtLd1V3WmVWWVJDenVTYWpWVmhHS2Z3Z2tMd1pTRDVYKzh5N0hjemRFCmxVVUtLalJmdzQzQkxqTUt2bkM1QzBiYjJvdDlzbXprTXAwTVhWSk5ndzhDenQ1T2pxa2t5a0xiUE9nQ256bkkKcGdzZTBVRlpBb0dCQVBkOHB5K0x3WW85YWYvMHBXVmM1bUM5VVVQbm9sTXZRTGhENUJ0Qmg3ckMrM3ovUDUwNgpYLy92QnNURlZGb1VGMGFVWmQxd3J0WkNybkM0YnZ2M3ZKR0ZoN3J3anlvRUR6VGRXNXFxZXJWUGU1eHFwYVdaCkZ2bVJjVllsV0ZIbGFhK3dNNHhWMXVhK1VaR2Q3K1R6NzZndTI0azVWK1R6YVJnODJzR3dNaGxmQW9HQkFPV20KMlBTQkt4Y2NTTlU0dUpIVGFSQUl5dlYwSmhtYjl3NURaczN6ZjJZQVYvSHJSUUNLMlAxTENrTmFrNUIxdlo1cQpMck0vN0R2T3lCRngzNU9zbzQ0TmRaWEJqTExpVEdWL3RRazJsYVBhNFNuTWV5Z1N4N2M5ZUY2REQ3TlA2SGVHCkk0eHgxTE5Ed2Rud2RzZ3dhYnY1ZDd3UnFPa1JYU2QzSTBncTRFcTNBb0dCQU5vbUhwaGljRzhTUTJWQ21LZ0kKZzJteWR2ZU1MaUYwL1c5dktKcDk0TTVYSUtiRnQ2VTMxM2Naa3JYUDJ0S3I4dmhieG82eXpPcEFUTk0vUDFVSwp3a1RqbHdqSkV1ak9PemsyQlpFSHhMSWRKYkJ5c1NDUEdSbFRncnVVbjQxUTB4L3lDUDRpakJOSW4wM2tFWm1YCkRDRUxiS2hBeTZFY2pmNjNaWHhsZTBPeEFvR0FNNExWTHlLNTg1a1lqUnNINjAyc1J6aHhyZFM3cHdyZ3c0WkMKelBkTklDZjdrZnZmb2x1Q2lHNElnMHNSeGxsaWl1SHVUNjZLNG05aldPWmQ2OVhSYWMrRERIQTVpdlpQaElTOApxckJmcUQwMFBCZnRsL04rY0krTkxFWGhnNnJzemNKOHZzZlptY3djOHpHSXN5YUkwTzBIK2x0THM5dDlOWmozCmhQeDVDc2tDZ1lBNU1uaUwzK09OZWxxRzUwclVRbFI1a0N1amhOTHlXSmFab3RPRkp5Z2dDUjJBcE5nb3VEUXEKcktIK09OYTY2L1VCM0V2YnhORnZtdm1EbWdrcnQyRHA0SEx3bFNsQUF1K1NyRjFteGtNQ1JNdFZkdDNpRUhEaQo0ZjFJMHhGS0x1Y29Ld28wWStPdVcyelhyTHpsb3JQQW1seUNoNlpvd1RNUUcrMjcwTmw0Nnc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+  node.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQrakNDQXVLZ0F3SUJBZ0lRSFg4K0ZtNTF2eW5NdHl5b1c0SXhFakFOQmdrcWhraUc5dzBCQVFzRkFEQXIKTVJJd0VBWURWUVFLRXdsRGIyTnJjbTloWTJneEZUQVRCZ05WQkFNVERFTnZZMnR5YjJGamFDQkRRVEFlRncweQpOREEzTWpnd09USXpNamxhRncweU9UQTRNREl3T1RJek1qbGFNQ014RWpBUUJnTlZCQW9UQ1VOdlkydHliMkZqCmFERU5NQXNHQTFVRUF4TUVibTlrWlRDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUIKQUw5SmpZRm80UnFsOEFUcmFLNXdwM2x4Tk5iRTh2a1IzRyszYXV0elNydTkxamFMeVZ1akVzZFhFa0ZpSnZURQpmNTZDL2VXajdaVjY4N1hFaFZiU3FyZUwyRG5oY0Q4M09JelZXS2VKekt6bFV6QkdwQi9xRko4ZkZBeVJMNXIxClVsb1ZQWmE2NjlqRzJreFZmOTI2OFF0VFhia3dpZ1ZOdXB3di9PU0M0THVmTVA1RlZ6Z0IxTEcrbEhvemJzdzkKNC80TXVuNWtlQVd5bG5wcmJ5eW9yc1B0RFdvbktmS3ErNDBBczJ5SWgySGFSd09hTHlpMytZZmZHUzI0K1NkVAp5Ukc1NjVrb1lKeVFyOGVVU2RVTDM0RFB3WW1UazhtK0lySlNoZHdBSXdiZ20vVTh2em5OMHBWRG0xRm82akp1ClZ1NTJQQndMT2VIUGMvTlY4b0c0Ym1FQ0F3RUFBYU9DQVNBd2dnRWNNQTRHQTFVZER3RUIvd1FFQXdJRm9EQWQKQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0h3WURWUjBqQkJnd0ZvQVUvODhhRkZJWApWZGRJZVpzSjFVc0k2bHdvc0Q0d2dja0dBMVVkRVFTQndUQ0J2b0lKYkc5allXeG9iM04wZ2hKamIyTnJjbTloClkyaGtZaTF3ZFdKc2FXT0NHbU52WTJ0eWIyRmphR1JpTFhCMVlteHBZeTVrWldaaGRXeDBnaXhqYjJOcmNtOWgKWTJoa1lpMXdkV0pzYVdNdVpHVm1ZWFZzZEM1emRtTXVZMngxYzNSbGNpNXNiMk5oYklJTktpNWpiMk5yY205aApZMmhrWW9JVktpNWpiMk5yY205aFkyaGtZaTVrWldaaGRXeDBnaWNxTG1OdlkydHliMkZqYUdSaUxtUmxabUYxCmJIUXVjM1pqTG1Oc2RYTjBaWEl1Ykc5allXeUhCSDhBQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDT3oKT2JsNXl4K0Q2ZFV6c1hPK1lPZG9VZnNlNjVzajk2ZEx3SmhwUjhZc21sY2JiVDJKVzBWckE4VmNLU1NudWhQSgppTWx6RkNzYTJsek1TSXpnU2o3N0hTUXZ2TUxQeXh6K0hFSDVQOTd6Yi9YdkdxWEpxS0t1UDNNLzZmalcyRG9qCks4RWFDQVNsRUNBekpuVkdYOHlZNWNheFY2NlFWRHBxcTJmTjVUVEw0QmtHTW5iWnhaanZJTWFZOEtLNWgwTHMKODhiSDNLTzdieFUyUEszdGFDZVpsTHIwUTVyTWkrM1NTMGRuMEVRV3h2Mi9uaGxqckVDSU0xQzZPcE15amthQgp0bW1icnJPcHREMUZvbjIxb2VERmpsUlJ4WVFKTmYyVFdrUkdkdHRaOVhXVWROblZuY2hId3ZvbTd2eHNHbW85CnBDdTVOSXFPZFp3OHRVa2ZFZ2c9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  node.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBdjBtTmdXamhHcVh3Qk90b3JuQ25lWEUwMXNUeStSSGNiN2RxNjNOS3U3M1dOb3ZKClc2TVN4MWNTUVdJbTlNUi9ub0w5NWFQdGxYcnp0Y1NGVnRLcXQ0dllPZUZ3UHpjNGpOVllwNG5Nck9WVE1FYWsKSCtvVW54OFVESkV2bXZWU1doVTlscnJyMk1iYVRGVi8zYnJ4QzFOZHVUQ0tCVTI2bkMvODVJTGd1NTh3L2tWWApPQUhVc2I2VWVqTnV6RDNqL2d5NmZtUjRCYktXZW10dkxLaXV3KzBOYWljcDhxcjdqUUN6YklpSFlkcEhBNW92CktMZjVoOThaTGJqNUoxUEpFYm5ybVNoZ25KQ3Z4NVJKMVF2ZmdNL0JpWk9UeWI0aXNsS0YzQUFqQnVDYjlUeS8KT2MzU2xVT2JVV2pxTW01VzduWThIQXM1NGM5ejgxWHlnYmh1WVFJREFRQUJBb0lCQVFDODlnZlhZcWVjRDNmLwpKQjJRMUxCY0F6elRQRk5aUUErbVBHWmVtTkdtakcxa0RNcW92M3I1ZUVZTVdNMXExZ0hMc0ZMbjJ2d0R3aVdsCjFiQnlpRUVrZC96dGtJbTFxUE13REVFN242Q1UyeVZHZDBJQ1ZOWnlLZDFBWE52T0U3RjZVNmsza1FjU2FiMlQKMHBJeGswNHloZlA3MEx0SGFmV0IvTld4VnFoeUxhWDZIOCt2UkszWmNMU0YwRGY3YUpKRTNuVjFzazlvUGNqcgpxQnpKdDdDZVBZbkRRbWlaNGF3c05zS3Vlc3VvNklLRnpTd0k1ckg5bElDSDk5Vzh1Wk1zbzRMTWtlSThvRTk1CnJIZmVhUFUwOUZtdVpHUWVxcTQ3R2Jid2xJbWFrUzk3NElCanY1dTdhME9hRUN6a3JxVzhBWTRQczVMQVk3TjIKbHlnREJUYkJBb0dCQU5HVVU3YXAzSkRMSkpZa053OFZaMVVSV29rWi82cXE0RDN4cnNET3JtN09lbERjVmdGVQorL2ZKR05yVnBTSGxIZGFPcUU3alVXM3BvWE9JSnpmYjVWTkhVMVlhbXg5Mm5LeTc4WjREa1ZNOWNNbU9ScWZKCmlmZEdGUEV0SHFOb3R3RC9oN2xNZHdMRXFXTVpHSHYyTk9aOSs2RVdMbEl0eGhKd2F5OTF2QXo5QW9HQkFPbW8KQk5xSFU3TXFjbVUvZFpiU2tEYUVYUTVYUUNwVllEaUR2QmdZNXYyOW52NHBBNDF5NjhhajlaUmxuTE9Ic2xtbgp2QnMrc3ZwaVlRV0hPdzRCWlBCSkVjSk56UHlDQTdmSG56K2lOc0hjSEZZcFpqQU12RlhxbG44ZGhnMFc4bUV4CkJYZkxKSHZZZTdwanU2aXhJV2RKWGJNVFpWbUI3eVFSazduUkhCWTFBb0dCQUtBajQ1ZVcwWmU5OGJYYjlFcE4KUTRqbjJyTWFMNWFjUFA1NEZ0enkwS3lRanp3TU1KZVI5WHBQcWZORS9vb1l4U1QyR3JzMHpUcmNJMmJoS1g1dwpReG5RVFdoa3FoVnZqNllaY2pVWWFzb2REM3FqZ1craCt3NzcrUEtVVkczdWpLOXhrYWJRTzd2Y3c4V2FIbkJTCkgvZmpXZ3VycERkZERKVjRXeDZIcXVxTkFvR0JBS0E0R1ZQcjFjWVdoaWpOTWduQXl5akc3TFJudWRVTmhCUmMKcUw3eFhIdUQ2aUVuNklxMjBkdjlFK20xSDVXdnArbDRiakZVZGcvaEk5eFJsWG9PRkxQN3R0VEEycDRQWFJOSgpLL2JMZWJiSEF4dEYrZzlhdkU1QnRQN25OTU9IQjU4RHFWY3lrZ3JtTURsb0tBY05wdlVYUnN3RHNjeUZuNERoCkdLWWpNSm85QW9HQVM0ekFjeWVzWktrVlRyVEFNTkgyMDF6RjZ0UlE2SnhSQm1FM0pMVTF3ZDNIUVd4RDU3Z3MKSWZ5NzVuaUYxY3M2OUVxZDlnd1diaUpnT0tpZHdaY0xTOHNRTENYVjg0cHdKaUFOeC92VzJaYkxGOXREU2xSUQpQb05FWmhPdThyK1owU0I3WU4zQ1NWVTRaQzNvVVMzbWNRTkY4ajFwTkRlem9JTVFmYTByK2F3PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+kind: Secret
+metadata:
+  name: cockroachdb.node
+  namespace: postgres
+type: Opaque

prod/phpmyadmin/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-phpmyadmin
+  title: Phpmyadmin (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/phpmyadmin/phpmyadmin.yaml

@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: phpmyadmin
+  namespace: mariadb
+  labels:
+    app: phpmyadmin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: phpmyadmin
+  template:
+    metadata:
+      labels:
+        app: phpmyadmin
+    spec:
+      containers:
+      - name: phpmyadmin
+        image: phpmyadmin
+        ports:
+          - containerPort: 80
+        env:
+        - name: PMA_HOST
+          value: mariadb
+        - name: PMA_PORT
+          value: "3306"
+        - name: MYSQL_ROOT_PASSWORD
+          value: "zabbix"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: phpmyadmin
+  namespace: mariadb
+spec:
+  selector:
+    app.kubernetes.io/name: phpmyadmin
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+  selector:
+    app: phpmyadmin
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: phpmyadmin-tls
+  namespace: mariadb
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`phpmyadmin-prod.allarddcs.nl`)
+    kind: Rule
+    services:
+    - name: phpmyadmin
+      port: 80
+  tls:
+    certResolver: letsencrypt

prod/postgres13/README.md

@@ -0,0 +1,18 @@
+#corrupte WAL-archive
+
+#postgres starten zonder database te starten door volgende toe te voegen in yaml:: 
+
+        command: ["sh"]
+        args: ["-c", "while true; do echo $(date -u) >> /tmp/run.log; sleep 5; done"]
+
+#dan inloggen in draaiende container
+
+kubectl exec -it postgres14-0 -n postgres -- sh
+
+#Switchen naar user POSTGRES
+
+su postgres
+
+#WAL-arhive resetten:
+
+pg_resetwal /var/lib/postgresql/data -f

prod/postgres13/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-postgres13
+  title: Postgres13 (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/postgres13/postgres13prod.yaml

@@ -0,0 +1,93 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: postgres
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: postgres13-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 2Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/postgres13prod
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgres13-pvc
+  namespace: postgres
+spec:
+  storageClassName: ""
+  volumeName: postgres13-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgres13
+  namespace: postgres
+spec:
+  serviceName: postgres13
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgres13
+  template:
+    metadata:
+      labels:
+        app: postgres13
+    spec:
+      containers:
+      - name: postgres13
+        image: postgres:13
+        ports:
+          - containerPort: 5432
+        env:
+        - name: POSTGRES_DB
+          value: zabbix
+        - name: POSTGRES_USER
+          value: zabbix
+        - name: POSTGRES_PASSWORD
+          value: zabbix
+        - name: POSTGRES_EXTENSIONS
+          value: pg_trgm
+        volumeMounts:
+        - mountPath: /var/lib/postgresql/data
+          name: postgres
+      volumes:
+      - name: postgres
+        persistentVolumeClaim:
+          claimName: postgres13-pvc
+      nodeSelector:
+        kubernetes.io/arch: arm64
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres13
+  labels:
+    name: postgres13
+  namespace: postgres
+spec:
+  type: ClusterIP
+  ports:
+    - port: 5432
+      name: postgres
+  selector:
+    app: postgres13

prod/postgres14/README.md

@@ -0,0 +1,18 @@
+#corrupte WAL-archive
+
+#postgres starten zonder database te starten door volgende toe te voegen in yaml:: 
+
+        command: ["sh"]
+        args: ["-c", "while true; do echo $(date -u) >> /tmp/run.log; sleep 5; done"]
+
+#dan inloggen in draaiende container
+
+kubectl exec -it postgres14-0 -n postgres -- sh
+
+#Switchen naar user POSTGRES
+
+su postgres
+
+#WAL-arhive resetten:
+
+pg_resetwal /var/lib/postgresql/data -f

prod/postgres14/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-postgres14
+  title: Postgres14 (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/postgres14/postgres14prod.yaml

@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgres14
+  namespace: postgres
+spec:
+  serviceName: postgres14
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgres14
+  template:
+    metadata:
+      labels:
+        app: postgres14
+    spec:
+      containers:
+
+      - name: postgres14
+        image: postgres:14
+#        command: ["sh"]
+#        args: ["-c", "while true; do echo $(date -u) >> /tmp/run.log; sleep 5; done"]
+        ports:
+          - containerPort: 5432
+        env:
+        - name: POSTGRES_DB
+          value: postgres
+        - name: POSTGRES_USER
+          value: postgres
+        - name: POSTGRES_PASSWORD
+          value: Postgres14
+        volumeMounts:
+        - mountPath: /var/lib/postgresql/data
+          name: postgres
+      volumes:
+      - name: postgres
+        persistentVolumeClaim:
+          claimName: postgres14-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres14
+  namespace: postgres
+  labels:
+    name: postgres14
+spec:
+  type: ClusterIP
+  ports:
+    - port: 5432
+      name: postgres
+  selector:
+    app: postgres14
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: postgres14-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 2Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/postgres14prod
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgres14-pvc
+  namespace: postgres
+spec:
+  storageClassName: ""
+  volumeName: postgres14-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi

prod/postgres16/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-postgres16
+  title: Postgres16 (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/postgres16/postgres16prod.yaml

@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgres16
+  namespace: postgres
+spec:
+  serviceName: postgres16
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgres16
+  template:
+    metadata:
+      labels:
+        app: postgres16
+    spec:
+      containers:
+      - name: postgres16
+        image: postgres:16
+        ports:
+          - containerPort: 5432
+        env:
+        - name: POSTGRES_DB
+          value: defectdojo
+        - name: POSTGRES_USER
+          value: defectdojo
+        - name: POSTGRES_PASSWORD
+          value: defectdojo
+        volumeMounts:
+        - mountPath: /var/lib/postgresql/data
+          name: postgres
+      volumes:
+      - name: postgres
+        persistentVolumeClaim:
+          claimName: postgres16-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres16
+  namespace: postgres
+  labels:
+    name: postgres16
+spec:
+  type: ClusterIP
+  ports:
+    - port: 5432
+      name: postgres
+  selector:
+    app: postgres16
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: postgres16-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 2Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/postgres16prod
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgres16-pvc
+  namespace: postgres
+spec:
+  storageClassName: ""
+  volumeName: postgres16-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi

prod/spreed/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-spreed
+  title: Spreed (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/spreed/prod/spreed-certificate/spreed-certificate-internal.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: spreed-prod.allarddcs.nl
+  namespace: nextcloud
+spec:
+  secretName: spreed-prod.allarddcs.nl
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - spreed.nextcloud.svc.cluster.local

prod/spreed/prod/spreed-certificate/spreed-certificate.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: spreed-prod.allarddcs.nl
+  namespace: nextcloud
+spec:
+  secretName: spreed-prod.allarddcs.nl
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - spreed-prod.allarddcs.nl

prod/spreed/prod/spreed.yaml

@@ -0,0 +1,139 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: spreed
+  namespace: nextcloud
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: spreed
+  template:
+    metadata:
+      labels:
+        app: spreed
+    spec:
+      containers:
+        - name: spreed
+          image: ghcr.io/strukturag/nextcloud-spreed-signaling:latest
+          ports:
+            - containerPort: 3478
+            - containerPort: 5349
+            - containerPort: 8443
+            - containerPort: 8080
+          volumeMounts:
+            - mountPath: /var/run
+              name: spreed-socket
+            - mountPath: /etc/tls
+              name: spreed-prod-cert
+              readOnly: true
+            - name: spreed-config
+              mountPath: /config/server.conf  # Mount location inside the container
+              subPath: server.conf  # Ensure we only mount the file, not the entire directory
+      volumes:
+        - name: spreed-socket
+          emptyDir: {}
+        - name: spreed-prod-cert
+          secret:
+            secretName: spreed-prod.allarddcs.nl
+        - name: spreed-config
+          persistentVolumeClaim:
+            claimName: spreed-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: spreed
+  namespace: nextcloud
+spec:
+  type: ClusterIP
+  selector:
+    app: spreed
+  ports:
+    - name: websocket-web
+      protocol: TCP
+      port: 8080
+      targetPort: 8080
+    - name: websocket
+      protocol: TCP
+      port: 8443
+      targetPort: 8443
+    - name: stun-port
+      protocol: TCP
+      port: 3478
+      targetPort: 3478
+    - name: signaling-port
+      protocol: TCP
+      port: 5349
+      targetPort: 5349
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: spreed-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/spreed
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: spreed-pvc
+  namespace: nextcloud
+spec:
+  storageClassName: ""
+  volumeName: spreed-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: spreed
+  namespace: nextcloud
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`spreed-prod.allarddcs.nl`)
+      kind: Rule
+      services:
+        - name: spreed
+          port: 8080
+#      middlewares:
+#        - name: websocket-headers
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: websocket-headers
+  namespace: nextcloud
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
+    customResponseHeaders:
+      Connection: "Upgrade"
+      Upgrade: "websocket"
+    accessControlAllowMethods:
+      - GET
+      - OPTIONS
+      - POST
+    accessControlAllowHeaders:
+      - "*"
+

prod/traefik/README.md

@@ -0,0 +1,36 @@
+1) traefik installeren via helmchart:
+helm repo add traefik https://helm.traefik.io/traefik
+helm repo update
+kubectl create namespace traefik
+
+2) persistent storage aanmaken:
+
+kubectl apply -f traefik-pvc.yaml
+
+When enabling persistence for certificates, permissions on acme.json can be
+lost when Traefik restarts. You can ensure correct permissions with an
+initContainer. See https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-traefik-native-lets-encrypt-integration-without-cert-manager
+
+3) Installeren
+
+helm install traefik traefik/traefik -f values.yaml -n traefik
+
+CHECK OF PORTFORWARDING VAN POORT 80 en 443 OP DE ROUTER NAAR DE LOADBALANCER GOED STAAT! 
+HERSTART NA WIJZIGING DE KPN-ROUTER!
+
+4) TLS verzwaren (tlsoption.yml is afkomstig van whoami-voorbeeld)
+
+kubectl apply -f tlsoption.yaml 
+
+7) Daschboard toegankelijk maken (dashboard.yaml is afkomstig van helm-documentatie van traefik zelf) 
+
+kubectl apply -f ingressroute-dashboard.yaml - n traefik
+
+#migreren:
+
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+
+
+
+

prod/traefik/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-traefik
+  title: Traefik (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/traefik/clusterrole.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: traefik
+rules:
+  - apiGroups: ["traefik.io"]
+    resources: ["ingressroutes", "ingressroutesstatus"]
+    verbs: ["get", "list", "watch", "create", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["services", "endpoints", "pods", "secrets"]
+    verbs: ["get", "list", "watch"]

prod/traefik/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: traefik-ingressroute
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik
+subjects:
+  - kind: ServiceAccount
+    name: traefik
+    namespace: traefik

prod/traefik/ingressroute-dashboard.yaml

@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: traefik
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`traefik-prod.allarddcs.nl`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
+      kind: Rule
+      services:
+        - name: api@internal
+          kind: TraefikService

prod/traefik/tlsoption.yaml

@@ -0,0 +1,8 @@
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+  name: tsloption
+  namespace: traefik
+spec:
+  minVersion: VersionTLS12
+

prod/traefik/traefik-pvc.yaml

@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: traefik-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 128Mi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/traefik/prod
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: traefik-pvc
+  namespace: traefik
+spec:
+  storageClassName: ""
+  volumeName: traefik-pv
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 128Mi
+

prod/traefik/values.yaml

@@ -0,0 +1,218 @@
+USER-SUPPLIED VALUES:
+additionalArguments: []
+additionalVolumeMounts: []
+affinity: {}
+autoscaling:
+  enabled: false
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: admin@allarddcs.nl
+      storage: /data/acme.json
+      httpChallenge:
+        entryPoint: web
+commonLabels: {}
+core:
+  defaultRuleSyntax: v2
+deployment:
+  additionalContainers: []
+  additionalVolumes: []
+  annotations: {}
+  dnsConfig: {}
+  enabled: true
+  imagePullSecrets: []
+  initContainers:
+    - name: volume-permissions
+      image: busybox:latest
+      command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
+      volumeMounts:
+      - mountPath: /data
+        name: data
+  kind: Deployment
+  labels: {}
+  lifecycle: {}
+  minReadySeconds: 0
+  podAnnotations: {}
+  podLabels: {}
+  replicas: 1
+  runtimeClassName: null
+  shareProcessNamespace: false
+  terminationGracePeriodSeconds: 60
+env:
+envFrom: []
+experimental:
+  kubernetesGateway:
+    enabled: false
+  plugins: {}
+extraObjects: []
+globalArguments:
+- --global.checknewversion
+- --global.sendanonymoususage
+hostNetwork: false
+image:
+  pullPolicy: Always
+  registry: docker.io
+  repository: traefik
+  tag: ""
+ingressClass:
+  enabled: true
+  isDefaultClass: true
+ingressRoute:
+  dashboard:
+    annotations: {}
+    enabled: true
+    entryPoints:
+    - traefik
+    labels: {}
+    matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
+    middlewares: []
+    tls: {}
+  healthcheck:
+    annotations: {}
+    enabled: false
+    entryPoints:
+    - traefik
+    labels: {}
+    matchRule: PathPrefix(`/ping`)
+    middlewares: []
+    tls: {}
+livenessProbe:
+  failureThreshold: 3
+  initialDelaySeconds: 2
+  periodSeconds: 10
+  successThreshold: 1
+  timeoutSeconds: 2
+logs:
+  access:
+    enabled: false
+    fields:
+      general:
+        defaultmode: keep
+        names: {}
+      headers:
+        defaultmode: drop
+        names: {}
+    filters: {}
+  general:
+    level: ERROR
+metrics:
+  prometheus:
+    entryPoint: metrics
+nodeSelector: {}
+persistence:
+  enabled: true
+  existingClaim: traefik-pvc
+  path: /data
+podDisruptionBudget:
+  enabled: false
+podSecurityContext:
+  fsGroupChangePolicy: OnRootMismatch
+  runAsGroup: 65532
+  runAsNonRoot: true
+  runAsUser: 65532
+podSecurityPolicy:
+  enabled: false
+ports:
+  metrics:
+    expose:
+      default: false
+    exposedPort: 9100
+    port: 9100
+    protocol: TCP
+  traefik:
+    expose:
+      default: true
+    exposedPort: 9000
+    port: 9000
+    protocol: TCP
+  web:
+    expose:
+      default: true
+    exposedPort: 80
+    port: 8000
+    protocol: TCP
+    allowACMEByPass: true
+  websecure:
+    expose:
+      default: true
+    exposedPort: 443
+    http3:
+      enabled: false
+    forwardedHeaders:
+      trustedIPs:
+        - "10.0.0.0/8"      # Adjust based on your network
+        - "192.168.0.0/16"
+        - "172.16.0.0/12"
+    middlewares: []
+    port: 8443
+    protocol: TCP
+    allowACMEByPass: true
+    tls:
+      certResolver: ""
+      domains: []
+      enabled: true
+      options: ""
+priorityClassName: ""
+providers:
+  file:
+    content: ""
+    enabled: false
+    watch: true
+  kubernetesCRD:
+    allowCrossNamespace: false
+    allowEmptyServices: false
+    allowExternalNameServices: false
+    enabled: true
+    namespaces: []
+  kubernetesIngress:
+    allowEmptyServices: false
+    allowExternalNameServices: false
+    disableIngressClassLookup: false
+    enabled: true
+    namespaces: []
+    publishedService:
+      enabled: false
+rbac:
+  enabled: true
+  namespaced: false
+  secretResourceNames: []
+readinessProbe:
+  failureThreshold: 1
+  initialDelaySeconds: 2
+  periodSeconds: 10
+  successThreshold: 1
+  timeoutSeconds: 2
+resources: {}
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+service:
+  additionalServices: {}
+  annotations: {}
+  annotationsTCP: {}
+  annotationsUDP: {}
+  enabled: true
+  externalIPs: []
+  labels: {}
+  loadBalancerSourceRanges: []
+  single: true
+  spec: {}
+  type: LoadBalancer
+serviceAccount:
+  name: ""
+serviceAccountAnnotations: {}
+startupProbe: null
+tlsOptions: {}
+tlsStore: {}
+tolerations: []
+topologySpreadConstraints: []
+tracing: {}
+updateStrategy:
+  rollingUpdate:
+    maxSurge: 1
+    maxUnavailable: 0
+  type: RollingUpdate
+volumes: []

prod/wordpress/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-wordpress
+  title: Wordpress (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/wordpress/prod/ingressroute-http.yml

@@ -0,0 +1,15 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: wordpress-http
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`wordpress.alldcs.nl`)
+    kind: Rule
+    middlewares:
+      - name: redirect-to-https
+    services:
+    - name: wordpress
+      port: 80

prod/wordpress/prod/ingressroute-tls.yml

@@ -0,0 +1,15 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: wordpress-tls
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`wordpress.alldcs.nl`)
+    kind: Rule
+    services:
+    - name: wordpress
+      port: 80
+  tls:
+    certResolver: letsencrypt

prod/wordpress/prod/wordpress-pv.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: wordpress-pv
+  labels:
+    type: local
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  nfs:
+    server: 192.168.40.100
+    path: /mnt/nfs_share/wordpress
+    readOnly: false

prod/wordpress/prod/wordpress-pvc.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: wordpress-pvc
+spec:
+  storageClassName: ""
+  volumeName: wordpress-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1G
+
+
+
+
+

prod/wordpress/prod/wordpress.yaml

@@ -0,0 +1,51 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wordpress
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: wordpress
+  template:
+    metadata:
+      labels:
+        app: wordpress
+    spec:
+      containers:
+        - name: wordpress
+          image: wordpress
+          ports:
+          - containerPort: 80
+            name: wordpress
+          volumeMounts:
+            - name: wordpress-data
+              mountPath: /var/www
+          env:
+            - name: WORDPRESS_DB_HOST
+              value: mariadb-service
+            - name: WORDPRESS_DB_PASSWORD
+              value: wordpress
+            - name: WORDPRESS_DB_USER
+              value: wordpress
+            - name: WORDPRESS_DB_NAME
+              value: wordpress
+      volumes:
+        - name: wordpress-data
+          persistentVolumeClaim:
+            claimName: wordpress-pvc
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: wordpress
+spec:
+  type: NodePort
+  selector:
+    app: wordpress
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80
+      targetPort: 80

prod/wordpress/riscv/README.md

@@ -0,0 +1,2 @@
+user: admin
+password: Wz76)2Tbv%vB!4)5R&

prod/wordpress/riscv/ingressroutes.yaml

@@ -0,0 +1,46 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: wordpress-http
+  namespace: wordpress
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`wordpress-riscv.allarddcs.nl`)
+      kind: Rule
+      services:
+        - name: joomla
+          port: 80
+      middlewares:
+        - name: redirect-to-https
+          namespace: wordpress
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: wordpress-tls
+  namespace: wordpress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`wordpress-riscv.allarddcs.nl`)
+      kind: Rule
+      services:
+        - name: wordpress
+          port: 80
+  tls:
+    certResolver: letsencrypt
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-to-https
+  namespace: wordpress
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+
+

prod/wordpress/riscv/wordpress.yaml

@@ -0,0 +1,153 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wordpress
+  namespace: wordpress
+  labels:
+    app: wordpress
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: wordpress
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: wordpress
+    spec:
+      containers:
+      - image: riscv64/wordpress:6.7.2-php8.1-fpm-alpine
+        name: wordpress
+        imagePullPolicy: Always
+        env:
+        - name: WORDPRESS_DB_HOST
+          value: "mariadb.mariadb"
+        - name: WORDPRESS_DB_PASSWORD
+          value: "wordpress"
+        - name: WORDPRESS_DB_USER
+          value: "wordpress"
+        - name: WORDPRESS_DB_NAME
+          value: "wordpress"
+        ports:
+         - containerPort: 9000
+           name: php-fpm
+           protocol: TCP
+        volumeMounts:
+         - name: nfs-wordpress
+           mountPath: /var/www/html
+           subPath: html
+      - name: nginx
+        image: riscv64/nginx:1.27.4-alpine
+        ports:
+          - containerPort: 80
+        volumeMounts:
+          - name: nfs-wordpress
+            mountPath: /var/www/html
+            subPath: html
+          - name: nfs-wordpress
+            mountPath: /etc/nginx/conf.d/default.conf
+            subPath: default.conf
+      volumes:
+      - name: nfs-wordpress
+        persistentVolumeClaim:
+          claimName: wordpress-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: wordpress
+  namespace: wordpress
+spec:
+  selector:
+    app: wordpress
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: wordpress-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 2Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/wordpress/riscv
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: wordpress-pvc
+  namespace: wordpress
+spec:
+  storageClassName: ""
+  volumeName: wordpress-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: wordpress-http
+  namespace: wordpress
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`wordpress-riscv.allarddcs.nl`)
+      kind: Rule
+      services:
+        - name: wordpress
+          port: 80
+      middlewares:
+        - name: redirect-to-https
+          namespace: wordpress
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: wordpress-tls
+  namespace: wordpress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`wordpress-riscv.allarddcs.nl`)
+      kind: Rule
+      services:
+        - name: wordpress
+          port: 80
+  tls:
+    certResolver: letsencrypt
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-to-https
+  namespace: wordpress
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+
+
+

prod/xwiki/catalog-info.yaml

@@ -0,0 +1,11 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: prod-xwiki
+  title: Xwiki (prod)
+spec:
+  type: service
+  lifecycle: production
+  owner: platform-team
+  partOf:
+    - ../catalog-info.yaml

prod/xwiki/xwiki.yaml

@@ -0,0 +1,128 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: xwiki
+  namespace: xwiki
+  labels:
+    app: xwiki
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: xwiki
+  template:
+    metadata:
+      labels:
+        app: xwiki
+    spec:
+      containers:
+      - name: xwiki
+        image: xwiki
+        ports:
+        - containerPort: 8080
+        env:
+        - name: DB_DATABASE
+          value: xwiki
+        - name: DB_USER
+          value: xwiki
+        - name: DB_PASSWORD
+          value: xwiki
+        - name: DB_HOST
+          value: mariadb.mariadb
+        volumeMounts:
+        - mountPath: "/usr/local/xwiki"
+          name: xwikidata
+      volumes:
+      - name: xwikidata
+        persistentVolumeClaim:
+          claimName: xwiki-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: xwiki
+  namespace: xwiki
+  labels:
+    app: xwiki
+spec:
+  ports:
+  - port: 8080
+    protocol: TCP
+  selector:
+    app: xwiki
+  type: NodePort
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: xwiki-pv
+spec:
+  storageClassName: ""
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  mountOptions:
+    - hard
+    - nfsvers=4.1
+  nfs:
+    server: 192.168.2.110
+    path: /mnt/nfs_share/xwiki
+    readOnly: false
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: xwiki-pvc
+  namespace: xwiki
+spec:
+  storageClassName: ""
+  volumeName: xwiki-pv
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: xwiki-http
+  namespace: xwiki
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`xwiki-prod.allarddcs.nl`)
+    kind: Rule
+    middlewares:
+    services:
+    - name: xwiki
+      port: 8080
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: xwiki-tls
+  namespace: xwiki
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`xwiki-prod.allarddcs.nl`)
+    kind: Rule
+    services:
+    - name: xwiki
+      port: 8080
+  tls:
+    certResolver: letsencrypt
+
+
+
+
+
+
+
+