feat: Replace Nextcloud with oCIS (ownCloud Infinite Scale)

Removes the full Nextcloud stack (PostgreSQL/CNPG, Valkey, Caddy sidecar)
and replaces it with oCIS at drive.tr1ceracop.de. oCIS is self-contained
(no external DB/cache needed) with S3ng storage backend on Hetzner Object
Storage (bucket: ocis-tr1ceracop). Chart sourced from git via vendir since
it is not published to a Helm repo.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Felix Wolf 2026-04-04 20:19:54 +02:00
parent d1959dd6cf
commit ffa171bfb0
127 changed files with 5781 additions and 1151 deletions


@ -1,16 +0,0 @@
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.all, expects="1+"
---
#@overlay/match-child-defaults missing_ok=True
spec:
ignoreDifferences:
- group: batch
kind: Job
jsonPointers:
- /spec/selector
- /spec/template/metadata/labels
syncPolicy:
syncOptions:
#@overlay/append
- RespectIgnoreDifferences=true


@ -2,4 +2,4 @@
--- ---
#@overlay/match-child-defaults missing_ok=True #@overlay/match-child-defaults missing_ok=True
application: application:
namespace: nextcloud namespace: ocis


@ -14,4 +14,4 @@ environment:
- proto: hcloud-csi - proto: hcloud-csi
- proto: cloudnative-pg - proto: cloudnative-pg
- proto: metrics-server - proto: metrics-server
- proto: nextcloud - proto: ocis


@ -1,198 +0,0 @@
---
_hostname: &hostname nextcloud.tr1ceracop.de
replicaCount: 1
image:
flavor: fpm-alpine
nginx:
enabled: false
nextcloud:
host: *hostname
existingSecret:
enabled: true
secretName: nextcloud-admin-secret
usernameKey: nextcloud-username
passwordKey: nextcloud-password
objectStore:
s3:
enabled: true
bucket: nextcloud-tr1ceracop
host: nbg1.your-objectstorage.com
port: "443"
ssl: true
region: nbg1
usePathStyle: true
existingSecret: nextcloud-s3-credentials
secretKeys:
accessKey: ACCESS_KEY_ID
secretKey: SECRET_ACCESS_KEY
defaultConfigs:
.htaccess: false
apache-pretty-urls.config.php: false
apcu.config.php: false
apps.config.php: false
autoconfig.php: false
redis.config.php: false
reverse-proxy.config.php: false
s3.config.php: false
smtp.config.php: false
swift.config.php: false
upgrade-disable-web.config.php: false
helm-metrics.config.php: false
extraEnv:
- name: TRUSTED_PROXIES
value: "10.0.0.0/8"
- name: OVERWRITEPROTOCOL
value: "https"
- name: OVERWRITEHOST
value: *hostname
- name: OVERWRITECLIURL
value: "https://nextcloud.tr1ceracop.de"
- name: NC_default_phone_region
value: "DE"
phpConfigs:
uploadLimit.ini: |
upload_max_filesize = 16G
post_max_size = 16G
max_input_time = 3600
max_execution_time = 3600
opcache.ini: |
opcache.enable=1
opcache.interned_strings_buffer=32
opcache.max_accelerated_files=10000
opcache.memory_consumption=256
opcache.save_comments=1
opcache.revalidate_freq=60
extraSidecarContainers:
- name: caddy
image: caddy:2-alpine
ports:
- name: http
containerPort: 80
protocol: TCP
volumeMounts:
- name: nextcloud-main
mountPath: /var/www/
subPath: root
- name: nextcloud-main
mountPath: /var/www/html
subPath: html
- name: nextcloud-main
mountPath: /var/www/html/data
subPath: data
- name: nextcloud-main
mountPath: /var/www/html/config
subPath: config
- name: nextcloud-main
mountPath: /var/www/html/custom_apps
subPath: custom_apps
- name: nextcloud-main
mountPath: /var/www/tmp
subPath: tmp
- name: nextcloud-main
mountPath: /var/www/html/themes
subPath: themes
- name: caddy-config
mountPath: /etc/caddy
resources:
requests:
cpu: 50m
memory: 32Mi
limits:
memory: 64Mi
livenessProbe:
httpGet:
path: /status.php
port: 80
httpHeaders:
- name: Host
value: *hostname
initialDelaySeconds: 30
periodSeconds: 15
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /status.php
port: 80
httpHeaders:
- name: Host
value: *hostname
initialDelaySeconds: 30
periodSeconds: 15
timeoutSeconds: 5
extraVolumes:
- name: caddy-config
configMap:
name: nextcloud-caddy-config
strategy:
type: Recreate
internalDatabase:
enabled: false
externalDatabase:
enabled: true
type: postgresql
host: nextcloud-cnpg-rw.nextcloud.svc:5432
database: nextcloud
existingSecret:
enabled: true
secretName: nextcloud-cnpg-app
usernameKey: username
passwordKey: password
mariadb:
enabled: false
postgresql:
enabled: false
redis:
enabled: false
externalRedis:
enabled: true
host: nextcloud-valkey.nextcloud.svc
port: "6379"
existingSecret:
enabled: true
secretName: nextcloud-valkey-password
passwordKey: password
cronjob:
enabled: true
persistence:
enabled: true
size: 2Gi
storageClass: local-path
annotations:
helm.sh/resource-policy: keep
ingress:
enabled: true
className: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt
tls:
- secretName: nextcloud-tls
hosts:
- *hostname
resources:
requests:
cpu: 200m
memory: 256Mi
limits:
memory: 512Mi


@ -1,8 +0,0 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
#! renovate: datasource=helm
name: nextcloud
url: https://nextcloud.github.io/helm/
version: 9.0.4


@ -1,85 +0,0 @@
#@ load("@ytt:data", "data")
#@ ns = data.values.application.namespace
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nextcloud-secret-init
namespace: #@ ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: nextcloud-secret-init
namespace: #@ ns
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: nextcloud-secret-init
namespace: #@ ns
subjects:
- kind: ServiceAccount
name: nextcloud-secret-init
namespace: #@ ns
roleRef:
kind: Role
name: nextcloud-secret-init
apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1
kind: Job
metadata:
name: nextcloud-secret-init
namespace: #@ ns
annotations:
argocd.argoproj.io/sync-options: Replace=true
spec:
ttlSecondsAfterFinished: 300
template:
spec:
serviceAccountName: nextcloud-secret-init
restartPolicy: OnFailure
containers:
- name: init
image: alpine/k8s:1.32.3
command:
- sh
- -c
- |
set -e
if ! kubectl get secret nextcloud-admin-secret -n ${NAMESPACE} >/dev/null 2>&1; then
PASSWORD=$(head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c 24)
kubectl create secret generic nextcloud-admin-secret \
-n ${NAMESPACE} \
--from-literal=nextcloud-username=admin \
--from-literal=nextcloud-password="${PASSWORD}"
echo "Created nextcloud-admin-secret"
else
echo "nextcloud-admin-secret already exists, skipping"
fi
if ! kubectl get secret nextcloud-valkey-password -n ${NAMESPACE} >/dev/null 2>&1; then
VALKEY_PASSWORD=$(head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c 24)
kubectl create secret generic nextcloud-valkey-password \
-n ${NAMESPACE} \
--from-literal=password="${VALKEY_PASSWORD}"
echo "Created nextcloud-valkey-password"
else
echo "nextcloud-valkey-password already exists, skipping"
fi
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace


@ -1,61 +0,0 @@
#@ load("@ytt:data", "data")
#@ ns = data.values.application.namespace
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nextcloud-caddy-config
namespace: #@ ns
data:
Caddyfile: |
:80 {
root * /var/www/html
header {
Referrer-Policy "no-referrer"
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
X-Permitted-Cross-Domain-Policies "none"
X-Robots-Tag "noindex, nofollow"
X-XSS-Protection "1; mode=block"
-X-Powered-By
}
redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301
redir /.well-known/* /index.php{uri} 301
@blocked path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
respond @blocked 404
@davclnt {
path /
header User-Agent DavClnt*
}
redir @davclnt /remote.php/webdav/ 302
redir /remote /remote.php{uri} 301
php_fastcgi 127.0.0.1:9000 {
env HTTPS on
env modHeadersAvailable true
env front_controller_active true
resolve_root_symlink
}
@static path *.css *.js *.mjs *.svg *.gif *.ico *.jpg *.png *.webp *.wasm *.tflite *.map *.ogg *.flac
header @static Cache-Control "max-age=15778463"
@fonts path *.otf *.woff *.woff2
header @fonts Cache-Control "max-age=604800"
encode gzip
file_server
request_body {
max_size 16GB
}
}


@ -1,36 +0,0 @@
#@ load("@ytt:data", "data")
#@ ns = data.values.application.namespace
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: nextcloud-cnpg
namespace: #@ ns
spec:
instances: 2
bootstrap:
initdb:
database: nextcloud
owner: nextcloud
storage:
size: 5Gi
storageClass: hcloud-volumes
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
memory: 512Mi
postgresql:
parameters:
shared_buffers: "64MB"
effective_cache_size: "128MB"
work_mem: "4MB"
maintenance_work_mem: "32MB"
max_connections: "100"


@ -1,78 +0,0 @@
#@ load("@ytt:data", "data")
#@ ns = data.values.application.namespace
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nextcloud-valkey
namespace: #@ ns
labels:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: nextcloud
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: nextcloud
template:
metadata:
labels:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: nextcloud
spec:
containers:
- name: valkey
image: valkey/valkey:8-alpine
args:
- valkey-server
- --requirepass
- $(VALKEY_PASSWORD)
env:
- name: VALKEY_PASSWORD
valueFrom:
secretKeyRef:
name: nextcloud-valkey-password
key: password
ports:
- name: valkey
containerPort: 6379
protocol: TCP
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
memory: 128Mi
livenessProbe:
tcpSocket:
port: valkey
initialDelaySeconds: 10
periodSeconds: 10
readinessProbe:
tcpSocket:
port: valkey
initialDelaySeconds: 5
periodSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
name: nextcloud-valkey
namespace: #@ ns
labels:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: nextcloud
spec:
type: ClusterIP
ports:
- port: 6379
targetPort: valkey
protocol: TCP
name: valkey
selector:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: nextcloud


@ -2,4 +2,4 @@
--- ---
#@overlay/match-child-defaults missing_ok=True #@overlay/match-child-defaults missing_ok=True
application: application:
namespace: nextcloud namespace: ocis


@ -0,0 +1,83 @@
---
externalDomain: drive.tr1ceracop.de
ingress:
enabled: true
ingressClassName: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt
tls:
- secretName: ocis-tls
hosts:
- drive.tr1ceracop.de
features:
emailNotifications:
enabled: false
secretRefs:
s3CredentialsSecretRef: ocis-s3-credentials
services:
storageusers:
storageBackend:
driver: s3ng
driverConfig:
s3ng:
endpoint: https://nbg1.your-objectstorage.com
region: nbg1
bucket: ocis-tr1ceracop
persistence:
enabled: true
storageClassName: local-path
size: 5Gi
accessModes:
- ReadWriteOnce
storagesystem:
persistence:
enabled: true
storageClassName: local-path
size: 5Gi
accessModes:
- ReadWriteOnce
idm:
persistence:
enabled: true
storageClassName: local-path
size: 1Gi
accessModes:
- ReadWriteOnce
nats:
persistence:
enabled: true
storageClassName: local-path
size: 1Gi
accessModes:
- ReadWriteOnce
search:
persistence:
enabled: true
storageClassName: local-path
size: 5Gi
accessModes:
- ReadWriteOnce
web:
persistence:
enabled: true
storageClassName: local-path
size: 1Gi
accessModes:
- ReadWriteOnce
thumbnails:
persistence:
enabled: true
storageClassName: local-path
size: 2Gi
accessModes:
- ReadWriteOnce
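Review bot: Every oCIS persistence block in this values file uses `storageClassName: local-path`, including `storageusers`, `storagesystem` and `idm`, so the state that cannot be rebuilt from the S3 bucket sits on a single node's disk. With the `s3ng` driver only file blobs go to the bucket; assuming the chart keeps file metadata, shares/settings and the built-in identity store on these PVCs, losing that node would leave the bucket contents unusable and the accounts gone. The removed Nextcloud database ran on `hcloud-volumes`; consider the same for at least those three services (`storageClassName: hcloud-volumes`), or add a documented backup job for their volumes.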


@ -8,9 +8,8 @@ directories:
- path: #@ "charts/" + app.name - path: #@ "charts/" + app.name
contents: contents:
- path: . - path: .
helmChart: git:
name: #@ app.name url: #@ app.gitUrl
version: #@ app.version ref: #@ app.gitRef
repository: newRootPath: #@ app.chartPath
url: #@ app.url
lazy: true lazy: true


@ -0,0 +1,8 @@
#@data/values-schema
---
#@overlay/match-child-defaults missing_ok=True
application:
name: ocis
gitUrl: https://github.com/owncloud/ocis-charts.git
gitRef: main
chartPath: charts/ocis
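Review bot: `gitRef: main` makes each vendir sync pull whatever is at the tip of the upstream chart repository, so the rendered manifests can change without any change in this repo, and a bad or compromised upstream commit would land on the next sync (unless a committed vendir lock file is honoured, which is not visible here). The Nextcloud schema this replaces pinned `version: 9.0.4` with a `#! renovate:` hint; the git source needs an equivalent fixed ref. Pin to a release tag or full commit SHA, e.g. `gitRef: <release-tag-or-commit-sha>`, and keep a renovate annotation so chart updates arrive as reviewable diffs.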


@ -0,0 +1,77 @@
#@ load("@ytt:data", "data")
#@ ns = data.values.application.namespace
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ocis-secret-init
namespace: #@ ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: ocis-secret-init
namespace: #@ ns
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ocis-secret-init
namespace: #@ ns
subjects:
- kind: ServiceAccount
name: ocis-secret-init
namespace: #@ ns
roleRef:
kind: Role
name: ocis-secret-init
apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1
kind: Job
metadata:
name: ocis-secret-init
namespace: #@ ns
annotations:
argocd.argoproj.io/sync-options: Replace=true
spec:
ttlSecondsAfterFinished: 300
template:
spec:
serviceAccountName: ocis-secret-init
restartPolicy: OnFailure
containers:
- name: init
image: alpine/k8s:1.32.3
command:
- sh
- -c
- |
set -e
SECRET_NAME="ocis-s3-credentials"
if ! kubectl get secret "${SECRET_NAME}" -n ${NAMESPACE} >/dev/null 2>&1; then
echo "ERROR: Secret ${SECRET_NAME} does not exist in namespace ${NAMESPACE}."
echo "Please create it manually with keys 'accessKey' and 'secretKey':"
echo " kubectl create secret generic ${SECRET_NAME} -n ${NAMESPACE} \\"
echo " --from-literal=accessKey=<your-access-key> \\"
echo " --from-literal=secretKey=<your-secret-key>"
exit 1
else
echo "Secret ${SECRET_NAME} exists, OK"
fi
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
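Review bot: The `ocis-secret-init` Role still grants `get` and `create` on all Secrets in the namespace, but the new script only runs `kubectl get secret` on `ocis-s3-credentials` and never creates anything. The service account token mounted in this pod can therefore read every Secret in `ocis` (the rendered CronJob references `jwt-secret`, `transfer-secret` and `service-account-secret`, among others) and create new ones. Narrow the rule to `verbs: ["get"]` with `resourceNames: ["ocis-s3-credentials"]`. The image `alpine/k8s:1.32.3` is also referenced by tag only; pinning it by digest would keep the pod that holds this token reproducible.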


@ -5,21 +5,15 @@ metadata:
myks.dev/environment: production myks.dev/environment: production
finalizers: finalizers:
- resources-finalizer.argocd.argoproj.io - resources-finalizer.argocd.argoproj.io
name: app-production-nextcloud name: app-production-ocis
namespace: argocd namespace: argocd
spec: spec:
destination: destination:
namespace: nextcloud namespace: ocis
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
ignoreDifferences:
- group: batch
jsonPointers:
- /spec/selector
- /spec/template/metadata/labels
kind: Job
project: env-production project: env-production
source: source:
path: rendered/envs/production/nextcloud path: rendered/envs/production/ocis
repoURL: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git repoURL: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
targetRevision: main targetRevision: main
syncPolicy: syncPolicy:
@ -29,4 +23,3 @@ spec:
syncOptions: syncOptions:
- CreateNamespace=true - CreateNamespace=true
- ServerSideApply=true - ServerSideApply=true
- RespectIgnoreDifferences=true


@ -1,29 +0,0 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
name: nextcloud-cnpg
namespace: nextcloud
spec:
bootstrap:
initdb:
database: nextcloud
owner: nextcloud
instances: 2
postgresql:
parameters:
effective_cache_size: 128MB
maintenance_work_mem: 32MB
max_connections: "100"
shared_buffers: 64MB
work_mem: 4MB
resources:
limits:
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
storage:
size: 5Gi
storageClass: hcloud-volumes


@ -1,58 +0,0 @@
apiVersion: v1
data:
Caddyfile: |
:80 {
root * /var/www/html
header {
Referrer-Policy "no-referrer"
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
X-Permitted-Cross-Domain-Policies "none"
X-Robots-Tag "noindex, nofollow"
X-XSS-Protection "1; mode=block"
-X-Powered-By
}
redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301
redir /.well-known/* /index.php{uri} 301
@blocked path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
respond @blocked 404
@davclnt {
path /
header User-Agent DavClnt*
}
redir @davclnt /remote.php/webdav/ 302
redir /remote /remote.php{uri} 301
php_fastcgi 127.0.0.1:9000 {
env HTTPS on
env modHeadersAvailable true
env front_controller_active true
resolve_root_symlink
}
@static path *.css *.js *.mjs *.svg *.gif *.ico *.jpg *.png *.webp *.wasm *.tflite *.map *.ogg *.flac
header @static Cache-Control "max-age=15778463"
@fonts path *.otf *.woff *.woff2
header @fonts Cache-Control "max-age=604800"
encode gzip
file_server
request_body {
max_size 16GB
}
}
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
name: nextcloud-caddy-config
namespace: nextcloud


@ -1,26 +0,0 @@
apiVersion: v1
data:
opcache.ini: |-
opcache.enable=1
opcache.interned_strings_buffer=32
opcache.max_accelerated_files=10000
opcache.memory_consumption=256
opcache.save_comments=1
opcache.revalidate_freq=60
uploadLimit.ini: |-
upload_max_filesize = 16G
post_max_size = 16G
max_input_time = 3600
max_execution_time = 3600
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: nextcloud
app.kubernetes.io/version: 33.0.0
helm.sh/chart: nextcloud-9.0.4
name: nextcloud-phpconfig
namespace: nextcloud


@ -1,55 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/name: valkey
name: nextcloud-valkey
namespace: nextcloud
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/name: valkey
template:
metadata:
labels:
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/name: valkey
spec:
containers:
- args:
- valkey-server
- --requirepass
- $(VALKEY_PASSWORD)
env:
- name: VALKEY_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: nextcloud-valkey-password
image: valkey/valkey:8-alpine
livenessProbe:
initialDelaySeconds: 10
periodSeconds: 10
tcpSocket:
port: valkey
name: valkey
ports:
- containerPort: 6379
name: valkey
protocol: TCP
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 5
tcpSocket:
port: valkey
resources:
limits:
memory: 128Mi
requests:
cpu: 50m
memory: 64Mi


@ -1,358 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: nextcloud
app.kubernetes.io/version: 33.0.0
helm.sh/chart: nextcloud-9.0.4
name: nextcloud
namespace: nextcloud
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/name: nextcloud
strategy:
type: Recreate
template:
metadata:
annotations:
hooks-hash: 9525c2748a6c7cd0e28ec740623d0b3fa5a75c83b51ccfd136bc89c76737b204
nextcloud-config-hash: 97fd373864ae7c5da0eb066761ee479483364e3957160cacca360fc6a66c03f7
php-config-hash: b638f66fd8d65de8364dbad6efc59a6524c7b2e2377b5623cf5e921e4d3d2400
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/name: nextcloud
spec:
containers:
- env:
- name: POSTGRES_HOST
value: nextcloud-cnpg-rw.nextcloud.svc:5432
- name: POSTGRES_DB
value: nextcloud
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: nextcloud-cnpg-app
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: nextcloud-cnpg-app
- name: NEXTCLOUD_ADMIN_USER
valueFrom:
secretKeyRef:
key: nextcloud-username
name: nextcloud-admin-secret
- name: NEXTCLOUD_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
key: nextcloud-password
name: nextcloud-admin-secret
- name: NEXTCLOUD_TRUSTED_DOMAINS
value: nextcloud.tr1ceracop.de
- name: OPENMETRICS_ALLOWED_CLIENTS
value: 127.0.0.1,10.42.0.0/16,10.43.0.0/16
- name: NEXTCLOUD_DATA_DIR
value: /var/www/html/data
- name: REDIS_HOST
value: nextcloud-valkey.nextcloud.svc
- name: REDIS_HOST_PORT
value: "6379"
- name: REDIS_HOST_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: nextcloud-valkey-password
- name: OBJECTSTORE_S3_SSL
value: "true"
- name: OBJECTSTORE_S3_USEPATH_STYLE
value: "true"
- name: OBJECTSTORE_S3_AUTOCREATE
value: "false"
- name: OBJECTSTORE_S3_REGION
value: nbg1
- name: OBJECTSTORE_S3_PORT
value: "443"
- name: OBJECTSTORE_S3_STORAGE_CLASS
value: STANDARD
- name: OBJECTSTORE_S3_HOST
value: nbg1.your-objectstorage.com
- name: OBJECTSTORE_S3_BUCKET
value: nextcloud-tr1ceracop
- name: OBJECTSTORE_S3_KEY
valueFrom:
secretKeyRef:
key: ACCESS_KEY_ID
name: nextcloud-s3-credentials
- name: OBJECTSTORE_S3_SECRET
valueFrom:
secretKeyRef:
key: SECRET_ACCESS_KEY
name: nextcloud-s3-credentials
- name: OBJECTSTORE_S3_SSE_C_KEY
value: ""
- name: TRUSTED_PROXIES
value: 10.0.0.0/8
- name: OVERWRITEPROTOCOL
value: https
- name: OVERWRITEHOST
value: nextcloud.tr1ceracop.de
- name: OVERWRITECLIURL
value: https://nextcloud.tr1ceracop.de
- name: NC_default_phone_region
value: DE
image: docker.io/library/nextcloud:33.0.0-fpm-alpine
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
httpHeaders:
- name: Host
value: nextcloud.tr1ceracop.de
path: /status.php
port: 80
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: nextcloud
ports:
- containerPort: 80
name: http
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
httpHeaders:
- name: Host
value: nextcloud.tr1ceracop.de
path: /status.php
port: 80
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources:
limits:
memory: 512Mi
requests:
cpu: 200m
memory: 256Mi
volumeMounts:
- mountPath: /var/www/
name: nextcloud-main
subPath: root
- mountPath: /var/www/html
name: nextcloud-main
subPath: html
- mountPath: /var/www/html/data
name: nextcloud-main
subPath: data
- mountPath: /var/www/html/config
name: nextcloud-main
subPath: config
- mountPath: /var/www/html/custom_apps
name: nextcloud-main
subPath: custom_apps
- mountPath: /var/www/tmp
name: nextcloud-main
subPath: tmp
- mountPath: /var/www/html/themes
name: nextcloud-main
subPath: themes
- mountPath: /usr/local/etc/php/conf.d/opcache.ini
name: nextcloud-phpconfig
subPath: opcache.ini
- mountPath: /usr/local/etc/php/conf.d/uploadLimit.ini
name: nextcloud-phpconfig
subPath: uploadLimit.ini
- command:
- /cron.sh
env:
- name: POSTGRES_HOST
value: nextcloud-cnpg-rw.nextcloud.svc:5432
- name: POSTGRES_DB
value: nextcloud
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
key: username
name: nextcloud-cnpg-app
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: nextcloud-cnpg-app
- name: NEXTCLOUD_ADMIN_USER
valueFrom:
secretKeyRef:
key: nextcloud-username
name: nextcloud-admin-secret
- name: NEXTCLOUD_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
key: nextcloud-password
name: nextcloud-admin-secret
- name: NEXTCLOUD_TRUSTED_DOMAINS
value: nextcloud.tr1ceracop.de
- name: OPENMETRICS_ALLOWED_CLIENTS
value: 127.0.0.1,10.42.0.0/16,10.43.0.0/16
- name: NEXTCLOUD_DATA_DIR
value: /var/www/html/data
- name: REDIS_HOST
value: nextcloud-valkey.nextcloud.svc
- name: REDIS_HOST_PORT
value: "6379"
- name: REDIS_HOST_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: nextcloud-valkey-password
- name: OBJECTSTORE_S3_SSL
value: "true"
- name: OBJECTSTORE_S3_USEPATH_STYLE
value: "true"
- name: OBJECTSTORE_S3_AUTOCREATE
value: "false"
- name: OBJECTSTORE_S3_REGION
value: nbg1
- name: OBJECTSTORE_S3_PORT
value: "443"
- name: OBJECTSTORE_S3_STORAGE_CLASS
value: STANDARD
- name: OBJECTSTORE_S3_HOST
value: nbg1.your-objectstorage.com
- name: OBJECTSTORE_S3_BUCKET
value: nextcloud-tr1ceracop
- name: OBJECTSTORE_S3_KEY
valueFrom:
secretKeyRef:
key: ACCESS_KEY_ID
name: nextcloud-s3-credentials
- name: OBJECTSTORE_S3_SECRET
valueFrom:
secretKeyRef:
key: SECRET_ACCESS_KEY
name: nextcloud-s3-credentials
- name: OBJECTSTORE_S3_SSE_C_KEY
value: ""
- name: TRUSTED_PROXIES
value: 10.0.0.0/8
- name: OVERWRITEPROTOCOL
value: https
- name: OVERWRITEHOST
value: nextcloud.tr1ceracop.de
- name: OVERWRITECLIURL
value: https://nextcloud.tr1ceracop.de
- name: NC_default_phone_region
value: DE
image: docker.io/library/nextcloud:33.0.0-fpm-alpine
imagePullPolicy: IfNotPresent
name: nextcloud-cron
resources: {}
volumeMounts:
- mountPath: /var/www/
name: nextcloud-main
subPath: root
- mountPath: /var/www/html
name: nextcloud-main
subPath: html
- mountPath: /var/www/html/data
name: nextcloud-main
subPath: data
- mountPath: /var/www/html/config
name: nextcloud-main
subPath: config
- mountPath: /var/www/html/custom_apps
name: nextcloud-main
subPath: custom_apps
- mountPath: /var/www/tmp
name: nextcloud-main
subPath: tmp
- mountPath: /var/www/html/themes
name: nextcloud-main
subPath: themes
- mountPath: /usr/local/etc/php/conf.d/opcache.ini
name: nextcloud-phpconfig
subPath: opcache.ini
- mountPath: /usr/local/etc/php/conf.d/uploadLimit.ini
name: nextcloud-phpconfig
subPath: uploadLimit.ini
- image: caddy:2-alpine
livenessProbe:
httpGet:
httpHeaders:
- name: Host
value: nextcloud.tr1ceracop.de
path: /status.php
port: 80
initialDelaySeconds: 30
periodSeconds: 15
timeoutSeconds: 5
name: caddy
ports:
- containerPort: 80
name: http
protocol: TCP
readinessProbe:
httpGet:
httpHeaders:
- name: Host
value: nextcloud.tr1ceracop.de
path: /status.php
port: 80
initialDelaySeconds: 30
periodSeconds: 15
timeoutSeconds: 5
resources:
limits:
memory: 64Mi
requests:
cpu: 50m
memory: 32Mi
volumeMounts:
- mountPath: /var/www/
name: nextcloud-main
subPath: root
- mountPath: /var/www/html
name: nextcloud-main
subPath: html
- mountPath: /var/www/html/data
name: nextcloud-main
subPath: data
- mountPath: /var/www/html/config
name: nextcloud-main
subPath: config
- mountPath: /var/www/html/custom_apps
name: nextcloud-main
subPath: custom_apps
- mountPath: /var/www/tmp
name: nextcloud-main
subPath: tmp
- mountPath: /var/www/html/themes
name: nextcloud-main
subPath: themes
- mountPath: /etc/caddy
name: caddy-config
securityContext:
fsGroup: 33
volumes:
- name: nextcloud-main
persistentVolumeClaim:
claimName: nextcloud-nextcloud
- configMap:
name: nextcloud-phpconfig
name: nextcloud-phpconfig
- configMap:
name: nextcloud-caddy-config
name: caddy-config


@ -1,48 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
argocd.argoproj.io/sync-options: Replace=true
name: nextcloud-secret-init
namespace: nextcloud
spec:
template:
spec:
containers:
- command:
- sh
- -c
- |
set -e
if ! kubectl get secret nextcloud-admin-secret -n ${NAMESPACE} >/dev/null 2>&1; then
PASSWORD=$(head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c 24)
kubectl create secret generic nextcloud-admin-secret \
-n ${NAMESPACE} \
--from-literal=nextcloud-username=admin \
--from-literal=nextcloud-password="${PASSWORD}"
echo "Created nextcloud-admin-secret"
else
echo "nextcloud-admin-secret already exists, skipping"
fi
if ! kubectl get secret nextcloud-valkey-password -n ${NAMESPACE} >/dev/null 2>&1; then
VALKEY_PASSWORD=$(head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c 24)
kubectl create secret generic nextcloud-valkey-password \
-n ${NAMESPACE} \
--from-literal=password="${VALKEY_PASSWORD}"
echo "Created nextcloud-valkey-password"
else
echo "nextcloud-valkey-password already exists, skipping"
fi
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: alpine/k8s:1.32.3
name: init
restartPolicy: OnFailure
serviceAccountName: nextcloud-secret-init
ttlSecondsAfterFinished: 300


@ -1,20 +0,0 @@
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/name: valkey
name: nextcloud-valkey
namespace: nextcloud
spec:
ports:
- name: valkey
port: 6379
protocol: TCP
targetPort: valkey
selector:
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/name: valkey
type: ClusterIP


@ -1,26 +0,0 @@
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/monitor: enabled
app.kubernetes.io/name: nextcloud
app.kubernetes.io/version: 33.0.0
helm.sh/chart: nextcloud-9.0.4
name: nextcloud
namespace: nextcloud
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 80
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/name: nextcloud
type: ClusterIP


@ -0,0 +1,16 @@
apiVersion: v1
data:
app-registry.yaml: |
---
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: appregistry-config
namespace: ocis


@ -0,0 +1,10 @@
apiVersion: v1
data:
service-account-id: 46ec47ba-00e9-4114-950c-5743e5be4cee
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: auth-service
namespace: ocis


@ -0,0 +1,10 @@
apiVersion: v1
data:
application-id: 1160b6ab-f9d7-464e-96a3-f2a3568ce67f
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: graph
namespace: ocis


@ -0,0 +1,52 @@
apiVersion: v1
data:
csp.yaml: |
---
directives:
child-src:
- '''self'''
connect-src:
- '''self'''
default-src:
- '''none'''
font-src:
- '''self'''
frame-ancestors:
- '''self'''
frame-src:
- '''self'''
- 'blob:'
img-src:
- '''self'''
- 'data:'
- 'blob:'
manifest-src:
- '''self'''
media-src:
- '''self'''
object-src:
- '''self'''
- 'blob:'
script-src:
- '''self'''
- '''unsafe-inline'''
style-src:
- '''self'''
- '''unsafe-inline'''
proxy.yaml: |
---
policy_selector:
static:
policy: ocis
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: proxy-config
namespace: ocis


@ -0,0 +1,15 @@
apiVersion: v1
data:
sharing-banned-passwords.txt: ""
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: sharing-banned-passwords-frontend
namespace: ocis


@ -0,0 +1,15 @@
apiVersion: v1
data:
sharing-banned-passwords.txt: ""
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: sharing-banned-passwords-sharing
namespace: ocis


@ -0,0 +1,10 @@
apiVersion: v1
data:
storage-uuid: e77de552-42dc-4d0d-ab83-2fdd35294451
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: storage-users
namespace: ocis


@ -0,0 +1,16 @@
apiVersion: v1
data:
thumbnails-cleanup-script.sh: |
#!/bin/sh
find /var/lib/ocis/thumbnails \
-atime \
30 \
-exec rm -rf {} \;
true
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
name: thumbnails-cleanup-script-configmap
namespace: ocis


@ -0,0 +1,18 @@
apiVersion: v1
data:
web.yaml: |
---
web:
config:
kind: ConfigMap
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: web-config
namespace: ocis


@ -0,0 +1,123 @@
apiVersion: batch/v1
kind: CronJob
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: storage-users-clean-expired-uploads
namespace: ocis
spec:
concurrencyPolicy: Forbid
failedJobsHistoryLimit: 3
jobTemplate:
spec:
parallelism: 1
template:
metadata:
labels:
app: storage-users-clean-expired-uploads
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- storage-users
- uploads
- sessions
- --clean
- --expired
- --processing=false
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: STORAGE_USERS_LOG_COLOR
value: "false"
- name: STORAGE_USERS_LOG_LEVEL
value: info
- name: STORAGE_USERS_LOG_PRETTY
value: "false"
- name: STORAGE_USERS_DRIVER
value: s3ng
- name: STORAGE_USERS_S3NG_ENDPOINT
value: https://nbg1.your-objectstorage.com
- name: STORAGE_USERS_S3NG_REGION
value: nbg1
- name: STORAGE_USERS_S3NG_ACCESS_KEY
valueFrom:
secretKeyRef:
key: accessKey
name: ocis-s3-credentials
- name: STORAGE_USERS_S3NG_SECRET_KEY
valueFrom:
secretKeyRef:
key: secretKey
name: ocis-s3-credentials
- name: STORAGE_USERS_S3NG_BUCKET
value: ocis-tr1ceracop
- name: STORAGE_USERS_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
- name: OCIS_TRANSFER_SECRET
valueFrom:
secretKeyRef:
key: transfer-secret
name: transfer-secret
- name: STORAGE_USERS_MOUNT_ID
valueFrom:
configMapKeyRef:
key: storage-uuid
name: storage-users
- name: STORAGE_USERS_SERVICE_ACCOUNT_ID
valueFrom:
configMapKeyRef:
key: service-account-id
name: auth-service
- name: STORAGE_USERS_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
key: service-account-secret
name: service-account-secret
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
name: storage-users-clean-expired-uploads
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-volume
- mountPath: /var/lib/ocis
name: storageusers-data
nodeSelector: {}
restartPolicy: Never
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: tmp-volume
- name: storageusers-data
persistentVolumeClaim:
claimName: storageusers-data
ttlSecondsAfterFinished: 86400
schedule: 0 * * * *
startingDeadlineSeconds: 600
successfulJobsHistoryLimit: 3
suspend: true
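Review bot: The container `securityContext` sets `runAsNonRoot` and `readOnlyRootFilesystem` but leaves privilege escalation, Linux capabilities and the seccomp profile at the runtime defaults, so this pod would not pass the Pod Security `restricted` profile. Adding `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}` closes that gap. The same block recurs in the other three CronJobs and in the activitylog, appregistry, audit, authmachine, authservice, clientlog, eventhistory, frontend and gateway Deployments of this commit. Since these files appear to be rendered from the Helm chart, the setting belongs in the chart values or a ytt overlay, if the chart exposes it.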


@ -0,0 +1,104 @@
apiVersion: batch/v1
kind: CronJob
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: storage-users-purge-expired-trash-bin-items
namespace: ocis
spec:
concurrencyPolicy: Forbid
failedJobsHistoryLimit: 3
jobTemplate:
spec:
parallelism: 1
template:
metadata:
labels:
app: storage-users-purge-expired-trash-bin-items
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- storage-users
- trash-bin
- purge-expired
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_EVENTS_ENDPOINT
value: nats:9233
- name: STORAGE_USERS_LOG_COLOR
value: "false"
- name: STORAGE_USERS_LOG_LEVEL
value: info
- name: STORAGE_USERS_LOG_PRETTY
value: "false"
- name: STORAGE_USERS_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
- name: OCIS_TRANSFER_SECRET
valueFrom:
secretKeyRef:
key: transfer-secret
name: transfer-secret
- name: STORAGE_USERS_MOUNT_ID
valueFrom:
configMapKeyRef:
key: storage-uuid
name: storage-users
- name: STORAGE_USERS_SERVICE_ACCOUNT_ID
valueFrom:
configMapKeyRef:
key: service-account-id
name: auth-service
- name: STORAGE_USERS_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
key: service-account-secret
name: service-account-secret
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
name: storage-users-purge-expired-trash-bin-items
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-volume
- mountPath: /var/lib/ocis
name: storageusers-data
nodeSelector: {}
restartPolicy: Never
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: tmp-volume
- name: storageusers-data
persistentVolumeClaim:
claimName: storageusers-data
ttlSecondsAfterFinished: 86400
schedule: 0 * * * *
startingDeadlineSeconds: 600
successfulJobsHistoryLimit: 3
suspend: true
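Review bot: `suspend: true` means this CronJob never creates a Job, so expired trash-bin items are never purged; the same flag is set on storage-users-clean-expired-uploads, storage-users-restart-postprocessing and thumbnails-cleanup. If that is a chart default rather than a decision, deleted files and abandoned uploads presumably stay in storage indefinitely, which matters for cost and for data-retention expectations of the users. Either enable the jobs in the chart values so they render `suspend: false`, or record in the values file why they are kept off.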


@ -0,0 +1,106 @@
apiVersion: batch/v1
kind: CronJob
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: storage-users-restart-postprocessing
namespace: ocis
spec:
concurrencyPolicy: Forbid
failedJobsHistoryLimit: 3
jobTemplate:
spec:
parallelism: 1
template:
metadata:
labels:
app: storage-users-restart-postprocessing
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- storage-users
- uploads
- sessions
- --restart
- --processing=true
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_EVENTS_ENDPOINT
value: nats:9233
- name: STORAGE_USERS_LOG_COLOR
value: "false"
- name: STORAGE_USERS_LOG_LEVEL
value: info
- name: STORAGE_USERS_LOG_PRETTY
value: "false"
- name: STORAGE_USERS_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
- name: OCIS_TRANSFER_SECRET
valueFrom:
secretKeyRef:
key: transfer-secret
name: transfer-secret
- name: STORAGE_USERS_MOUNT_ID
valueFrom:
configMapKeyRef:
key: storage-uuid
name: storage-users
- name: STORAGE_USERS_SERVICE_ACCOUNT_ID
valueFrom:
configMapKeyRef:
key: service-account-id
name: auth-service
- name: STORAGE_USERS_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
key: service-account-secret
name: service-account-secret
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
name: storage-users-restart-postprocessing
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-volume
- mountPath: /var/lib/ocis
name: storageusers-data
nodeSelector: {}
restartPolicy: Never
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: tmp-volume
- name: storageusers-data
persistentVolumeClaim:
claimName: storageusers-data
ttlSecondsAfterFinished: 86400
schedule: 0 * * * *
startingDeadlineSeconds: 600
successfulJobsHistoryLimit: 3
suspend: true


@ -0,0 +1,66 @@
apiVersion: batch/v1
kind: CronJob
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
ignore-check.kube-linter.io/latest-tag: using the stable tag on this busybox image is better than having an outdated image
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: thumbnails-cleanup
namespace: ocis
spec:
concurrencyPolicy: Forbid
failedJobsHistoryLimit: 3
jobTemplate:
spec:
parallelism: 1
template:
metadata:
labels:
app: thumbnails-cleanup
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- command:
- /bin/sh
- /script/thumbnails-cleanup-script.sh
image: busybox:stable
imagePullPolicy: IfNotPresent
name: thumbnails-cleanup
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/ocis
name: thumbnails-data
- mountPath: /script
name: script
nodeSelector: {}
restartPolicy: Never
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- name: thumbnails-data
persistentVolumeClaim:
claimName: thumbnails-data
- configMap:
defaultMode: 320
name: thumbnails-cleanup-script-configmap
name: script
ttlSecondsAfterFinished: 86400
schedule: 0 * * * *
startingDeadlineSeconds: 600
successfulJobsHistoryLimit: 3
suspend: true
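Review bot: `image: busybox:stable` is a mutable tag combined with `imagePullPolicy: IfNotPresent`, so each node keeps whatever `stable` pointed to when it first pulled, and the job can run different images on different nodes. That also undercuts the reason given in the `ignore-check.kube-linter.io/latest-tag` annotation, because a cached image is never refreshed. Pinning by digest, `image: busybox@sha256:<digest-placeholder>`, and letting a dependency updater bump it gives both reproducibility and updates; the `owncloud/ocis:7.1.4` images in the other workloads could be pinned the same way.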


@ -0,0 +1,120 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: activitylog
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: activitylog
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: activitylog
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- activitylog
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_EVENTS_ENDPOINT
value: nats:9233
- name: OCIS_CORS_ALLOW_ORIGINS
value: https://drive.tr1ceracop.de
- name: OCIS_PERSISTENT_STORE
value: nats-js-kv
- name: OCIS_PERSISTENT_STORE_NODES
value: nats:9233
- name: ACTIVITYLOG_LOG_COLOR
value: "false"
- name: ACTIVITYLOG_LOG_LEVEL
value: info
- name: ACTIVITYLOG_LOG_PRETTY
value: "false"
- name: ACTIVITYLOG_TRACING_ENABLED
value: "false"
- name: ACTIVITYLOG_TRACING_TYPE
value: jaeger
- name: ACTIVITYLOG_TRACING_ENDPOINT
value: null
- name: ACTIVITYLOG_TRACING_COLLECTOR
value: null
- name: ACTIVITYLOG_DEBUG_PPROF
value: "false"
- name: ACTIVITYLOG_HTTP_ADDR
value: 0.0.0.0:9195
- name: ACTIVITYLOG_DEBUG_ADDR
value: 0.0.0.0:9197
- name: ACTIVITYLOG_SERVICE_ACCOUNT_ID
valueFrom:
configMapKeyRef:
key: service-account-id
name: auth-service
- name: ACTIVITYLOG_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
key: service-account-secret
name: service-account-secret
- name: ACTIVITYLOG_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: activitylog
ports:
- containerPort: 9195
name: http
- containerPort: 9197
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /etc/ocis/messaging-system-ca
name: messaging-system-ca
readOnly: true
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: messaging-system-ca
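Review bot: `resources: {}` leaves this container without CPU or memory requests and limits, so the pod runs as BestEffort, is first in line for eviction under node pressure, and a single misbehaving oCIS service can starve its neighbours. The pod also defines a `livenessProbe` but no `readinessProbe`, so it is marked ready as soon as the container starts. Both hold for the other Deployments in this commit, and `resources: {}` for the CronJobs as well. Setting per-service `resources` in the chart values is the place to fix it, since these manifests look rendered.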


@ -0,0 +1,108 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: appregistry
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: appregistry
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations:
checksum/config: 0dffa4f8f27458fef0dec7d83ed4cc950c3d3793ad1ac0a3a3139ee3a8715bf0
labels:
app: appregistry
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- app-registry
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: APP_REGISTRY_LOG_COLOR
value: "false"
- name: APP_REGISTRY_LOG_LEVEL
value: info
- name: APP_REGISTRY_LOG_PRETTY
value: "false"
- name: APP_REGISTRY_TRACING_ENABLED
value: "false"
- name: APP_REGISTRY_TRACING_TYPE
value: jaeger
- name: APP_REGISTRY_TRACING_ENDPOINT
value: null
- name: APP_REGISTRY_TRACING_COLLECTOR
value: null
- name: APP_REGISTRY_DEBUG_PPROF
value: "false"
- name: APP_REGISTRY_GRPC_ADDR
value: 0.0.0.0:9242
- name: APP_REGISTRY_DEBUG_ADDR
value: 0.0.0.0:9243
- name: APP_REGISTRY_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: appregistry
ports:
- containerPort: 9242
name: grpc
- containerPort: 9243
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-volume
- mountPath: /etc/ocis
name: configs
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: tmp-volume
- configMap:
name: appregistry-config
name: configs


@ -0,0 +1,89 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: audit
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: audit
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: audit
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- audit
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_EVENTS_ENDPOINT
value: nats:9233
- name: AUDIT_LOG_COLOR
value: "false"
- name: AUDIT_LOG_LEVEL
value: info
- name: AUDIT_LOG_PRETTY
value: "false"
- name: AUDIT_DEBUG_PPROF
value: "false"
- name: AUDIT_DEBUG_ADDR
value: 0.0.0.0:9229
- name: AUDIT_LOG_TO_CONSOLE
value: "true"
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: audit
ports:
- containerPort: 9229
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /etc/ocis/messaging-system-ca
name: messaging-system-ca
readOnly: true
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: messaging-system-ca


@ -0,0 +1,106 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: authmachine
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: authmachine
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: authmachine
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- auth-machine
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: AUTH_MACHINE_LOG_COLOR
value: "false"
- name: AUTH_MACHINE_LOG_LEVEL
value: info
- name: AUTH_MACHINE_LOG_PRETTY
value: "false"
- name: AUTH_MACHINE_TRACING_ENABLED
value: "false"
- name: AUTH_MACHINE_TRACING_TYPE
value: jaeger
- name: AUTH_MACHINE_TRACING_ENDPOINT
value: null
- name: AUTH_MACHINE_TRACING_COLLECTOR
value: null
- name: AUTH_MACHINE_DEBUG_PPROF
value: "false"
- name: AUTH_MACHINE_GRPC_ADDR
value: 0.0.0.0:9166
- name: AUTH_MACHINE_DEBUG_ADDR
value: 0.0.0.0:9167
- name: AUTH_MACHINE_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
- name: AUTH_MACHINE_API_KEY
valueFrom:
secretKeyRef:
key: machine-auth-api-key
name: machine-auth-api-key
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: authmachine
ports:
- containerPort: 9166
name: grpc
- containerPort: 9167
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-volume
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: tmp-volume


@ -0,0 +1,111 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: authservice
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: authservice
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: authservice
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- auth-service
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: AUTH_SERVICE_LOG_COLOR
value: "false"
- name: AUTH_SERVICE_LOG_LEVEL
value: info
- name: AUTH_SERVICE_LOG_PRETTY
value: "false"
- name: AUTH_SERVICE_TRACING_ENABLED
value: "false"
- name: AUTH_SERVICE_TRACING_TYPE
value: jaeger
- name: AUTH_SERVICE_TRACING_ENDPOINT
value: null
- name: AUTH_SERVICE_TRACING_COLLECTOR
value: null
- name: AUTH_SERVICE_DEBUG_PPROF
value: "false"
- name: AUTH_SERVICE_GRPC_ADDR
value: 0.0.0.0:9616
- name: AUTH_SERVICE_DEBUG_ADDR
value: 0.0.0.0:9617
- name: AUTH_SERVICE_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
- name: AUTH_SERVICE_SERVICE_ACCOUNT_ID
valueFrom:
configMapKeyRef:
key: service-account-id
name: auth-service
- name: AUTH_SERVICE_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
key: service-account-secret
name: service-account-secret
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: authservice
ports:
- containerPort: 9616
name: grpc
- containerPort: 9617
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-volume
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: tmp-volume


@ -0,0 +1,110 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: clientlog
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: clientlog
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: clientlog
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- clientlog
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_EVENTS_ENDPOINT
value: nats:9233
- name: CLIENTLOG_LOG_COLOR
value: "false"
- name: CLIENTLOG_LOG_LEVEL
value: info
- name: CLIENTLOG_LOG_PRETTY
value: "false"
- name: CLIENTLOG_TRACING_ENABLED
value: "false"
- name: CLIENTLOG_TRACING_TYPE
value: jaeger
- name: CLIENTLOG_TRACING_ENDPOINT
value: null
- name: CLIENTLOG_TRACING_COLLECTOR
value: null
- name: CLIENTLOG_DEBUG_PPROF
value: "false"
- name: CLIENTLOG_DEBUG_ADDR
value: 0.0.0.0:9260
- name: CLIENTLOG_SERVICE_ACCOUNT_ID
valueFrom:
configMapKeyRef:
key: service-account-id
name: auth-service
- name: CLIENTLOG_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
key: service-account-secret
name: service-account-secret
- name: CLIENTLOG_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: clientlog
ports:
- containerPort: 9260
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /etc/ocis/messaging-system-ca
name: messaging-system-ca
readOnly: true
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: messaging-system-ca


@ -0,0 +1,95 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: eventhistory
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: eventhistory
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: eventhistory
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- eventhistory
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_EVENTS_ENDPOINT
value: nats:9233
- name: OCIS_PERSISTENT_STORE
value: nats-js-kv
- name: OCIS_PERSISTENT_STORE_NODES
value: nats:9233
- name: EVENTHISTORY_LOG_COLOR
value: "false"
- name: EVENTHISTORY_LOG_LEVEL
value: info
- name: EVENTHISTORY_LOG_PRETTY
value: "false"
- name: EVENTHISTORY_DEBUG_PPROF
value: "false"
- name: EVENTHISTORY_GRPC_ADDR
value: 0.0.0.0:8080
- name: EVENTHISTORY_DEBUG_ADDR
value: 0.0.0.0:9270
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: eventhistory
ports:
- containerPort: 8080
name: grpc
- containerPort: 9270
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /etc/ocis/messaging-system-ca
name: messaging-system-ca
readOnly: true
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: messaging-system-ca


@ -0,0 +1,176 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: frontend
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: frontend
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations:
checksum/config: a0c1b014e95dfcfe5b9f1eb6be20415d3deb0c51a2ee065b08bff8881c0f448d
labels:
app: frontend
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- frontend
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_CORS_ALLOW_ORIGINS
value: https://drive.tr1ceracop.de
- name: OCIS_EVENTS_ENDPOINT
value: nats:9233
- name: FRONTEND_LOG_COLOR
value: "false"
- name: FRONTEND_LOG_LEVEL
value: info
- name: FRONTEND_LOG_PRETTY
value: "false"
- name: FRONTEND_TRACING_ENABLED
value: "false"
- name: FRONTEND_TRACING_TYPE
value: jaeger
- name: FRONTEND_TRACING_ENDPOINT
value: null
- name: FRONTEND_TRACING_COLLECTOR
value: null
- name: FRONTEND_DEBUG_PPROF
value: "false"
- name: FRONTEND_HTTP_ADDR
value: 0.0.0.0:9140
- name: FRONTEND_DEBUG_ADDR
value: 0.0.0.0:9141
- name: FRONTEND_PUBLIC_URL
value: https://drive.tr1ceracop.de
- name: OCIS_LDAP_SERVER_WRITE_ENABLED
value: "true"
- name: FRONTEND_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
- name: FRONTEND_APP_HANDLER_INSECURE
value: "false"
- name: FRONTEND_ARCHIVER_INSECURE
value: "false"
- name: FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD
value: "false"
- name: FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD
value: "false"
- name: FRONTEND_SEARCH_MIN_LENGTH
value: "3"
- name: FRONTEND_ARCHIVER_MAX_SIZE
value: "1073741824"
- name: FRONTEND_ARCHIVER_MAX_NUM_FILES
value: "10000"
- name: FRONTEND_FULL_TEXT_SEARCH_ENABLED
value: "false"
- name: OCIS_SHOW_USER_EMAIL_IN_RESULTS
value: "false"
- name: FRONTEND_OCS_STAT_CACHE_STORE
value: noop
- name: OCIS_EDITION
value: Community
- name: FRONTEND_MACHINE_AUTH_API_KEY
valueFrom:
secretKeyRef:
key: machine-auth-api-key
name: machine-auth-api-key
- name: FRONTEND_SERVICE_ACCOUNT_ID
valueFrom:
configMapKeyRef:
key: service-account-id
name: auth-service
- name: FRONTEND_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
key: service-account-secret
name: service-account-secret
- name: OCIS_TRANSFER_SECRET
valueFrom:
secretKeyRef:
key: transfer-secret
name: transfer-secret
- name: FRONTEND_AUTO_ACCEPT_SHARES
value: "true"
- name: FRONTEND_MAX_CONCURRENCY
value: "100"
- name: FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS
value: "0"
- name: FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS
value: "0"
- name: FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS
value: "0"
- name: FRONTEND_PASSWORD_POLICY_MIN_DIGITS
value: "0"
- name: FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS
value: "0"
- name: FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST
value: /etc/ocis/sharing-banned-passwords.txt
- name: OCIS_ENABLE_OCM
value: "false"
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: frontend
ports:
- containerPort: 9140
name: http
- containerPort: 9141
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-volume
- mountPath: /etc/ocis
name: configs
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: tmp-volume
- configMap:
name: sharing-banned-passwords-frontend
name: configs
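Review bot: Public link shares need no password and the password policy is effectively off: `FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD` and `FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` are `"false"`, every `FRONTEND_PASSWORD_POLICY_MIN_*` value is `"0"`, and the mounted `sharing-banned-passwords.txt` is empty in both sharing-banned-passwords ConfigMaps. For an instance published at https://drive.tr1ceracop.de, possession of a link is then the only control on reading a share and, for writeable links, on uploading to it. Consider requiring a password at least for writeable public shares (`FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` set to `"true"`) and a non-zero `FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS`, set through the chart values rather than in this rendered file.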


@ -0,0 +1,119 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: gateway
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: gateway
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: gateway
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- gateway
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: GATEWAY_LOG_COLOR
value: "false"
- name: GATEWAY_LOG_LEVEL
value: info
- name: GATEWAY_LOG_PRETTY
value: "false"
- name: GATEWAY_TRACING_ENABLED
value: "false"
- name: GATEWAY_TRACING_TYPE
value: jaeger
- name: GATEWAY_TRACING_ENDPOINT
value: null
- name: GATEWAY_TRACING_COLLECTOR
value: null
- name: GATEWAY_DEBUG_PPROF
value: "false"
- name: GATEWAY_GRPC_ADDR
value: 0.0.0.0:9142
- name: GATEWAY_DEBUG_ADDR
value: 0.0.0.0:9143
- name: GATEWAY_FRONTEND_PUBLIC_URL
value: https://drive.tr1ceracop.de
- name: GATEWAY_STAT_CACHE_STORE
value: noop
- name: GATEWAY_PROVIDER_CACHE_STORE
value: noop
- name: GATEWAY_CREATE_HOME_CACHE_STORE
value: memory
- name: GATEWAY_STORAGE_USERS_MOUNT_ID
valueFrom:
configMapKeyRef:
key: storage-uuid
name: storage-users
- name: GATEWAY_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
- name: OCIS_TRANSFER_SECRET
valueFrom:
secretKeyRef:
key: transfer-secret
name: transfer-secret
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: gateway
ports:
- containerPort: 9142
name: grpc
- containerPort: 9143
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-volume
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: tmp-volume


@ -0,0 +1,152 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: graph
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: graph
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: graph
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- graph
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_CORS_ALLOW_ORIGINS
value: https://drive.tr1ceracop.de
- name: OCIS_EVENTS_ENDPOINT
value: nats:9233
- name: OCIS_CACHE_STORE
value: nats-js-kv
- name: OCIS_CACHE_STORE_NODES
value: nats:9233
- name: OCIS_CACHE_DISABLE_PERSISTENCE
value: "true"
- name: GRAPH_LOG_COLOR
value: "false"
- name: GRAPH_LOG_LEVEL
value: info
- name: GRAPH_LOG_PRETTY
value: "false"
- name: GRAPH_TRACING_ENABLED
value: "false"
- name: GRAPH_TRACING_TYPE
value: jaeger
- name: GRAPH_TRACING_ENDPOINT
value: null
- name: GRAPH_TRACING_COLLECTOR
value: null
- name: GRAPH_DEBUG_PPROF
value: "false"
- name: GRAPH_HTTP_ADDR
value: 0.0.0.0:9120
- name: GRAPH_DEBUG_ADDR
value: 0.0.0.0:9124
- name: GRAPH_SPACES_WEBDAV_BASE
value: https://drive.tr1ceracop.de
- name: GRAPH_IDENTITY_SEARCH_MIN_LENGTH
value: "3"
- name: GRAPH_LDAP_URI
value: ldaps://idm:9235
- name: GRAPH_LDAP_CACERT
value: /etc/ocis/ldap-ca/ldap-ca.crt
- name: GRAPH_LDAP_BIND_PASSWORD
valueFrom:
secretKeyRef:
key: graph-ldap-bind-password
name: ldap-bind-secrets
- name: OCIS_SHOW_USER_EMAIL_IN_RESULTS
value: "false"
- name: GRAPH_APPLICATION_ID
valueFrom:
configMapKeyRef:
key: application-id
name: graph
- name: GRAPH_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
- name: OCIS_DEFAULT_LANGUAGE
value: en
- name: GRAPH_SERVICE_ACCOUNT_ID
valueFrom:
configMapKeyRef:
key: service-account-id
name: auth-service
- name: GRAPH_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
key: service-account-secret
name: service-account-secret
- name: OCIS_ENABLE_OCM
value: "false"
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: graph
ports:
- containerPort: 9120
name: http
- containerPort: 9124
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /etc/ocis/messaging-system-ca
name: messaging-system-ca
readOnly: true
- mountPath: /etc/ocis/ldap-ca
name: ldap-ca
readOnly: true
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: messaging-system-ca
- name: ldap-ca
secret:
secretName: ldap-ca
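Review bot: The container-level `securityContext` of `graph` sets `readOnlyRootFilesystem`, `runAsNonRoot` and the UID/GID, but leaves privilege escalation, capabilities and the seccomp profile at runtime defaults, so this pod would be rejected in a namespace enforcing the `restricted` Pod Security Standard. Adding `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}` to that block closes the gap. The same block is repeated in the groups, idm (including its `init-dir` init container), idp, nats, ocdav, ocs, postprocessing, proxy, search, settings, sharing, sse and storagepubliclink Deployments of this commit. These manifests look rendered from the chart, so the change probably belongs in the chart values or an overlay rather than in this file.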


@ -0,0 +1,118 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: groups
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: groups
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: groups
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- groups
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: GROUPS_LOG_COLOR
value: "false"
- name: GROUPS_LOG_LEVEL
value: info
- name: GROUPS_LOG_PRETTY
value: "false"
- name: GROUPS_TRACING_ENABLED
value: "false"
- name: GROUPS_TRACING_TYPE
value: jaeger
- name: GROUPS_TRACING_ENDPOINT
value: null
- name: GROUPS_TRACING_COLLECTOR
value: null
- name: GROUPS_DEBUG_PPROF
value: "false"
- name: GROUPS_GRPC_ADDR
value: 0.0.0.0:9160
- name: GROUPS_DEBUG_ADDR
value: 0.0.0.0:9161
- name: GROUPS_LDAP_URI
value: ldaps://idm:9235
- name: GROUPS_LDAP_CACERT
value: /etc/ocis/ldap-ca/ldap-ca.crt
- name: GROUPS_LDAP_BIND_PASSWORD
valueFrom:
secretKeyRef:
key: reva-ldap-bind-password
name: ldap-bind-secrets
- name: GROUPS_IDP_URL
value: https://drive.tr1ceracop.de
- name: GROUPS_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: groups
ports:
- containerPort: 9160
name: grpc
- containerPort: 9161
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-volume
- mountPath: /etc/ocis/ldap-ca
name: ldap-ca
readOnly: true
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: tmp-volume
- name: ldap-ca
secret:
secretName: ldap-ca


@ -0,0 +1,150 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: idm
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: idm
strategy:
type: Recreate
template:
metadata:
labels:
app: idm
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- idm
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: IDM_LOG_COLOR
value: "false"
- name: IDM_LOG_LEVEL
value: info
- name: IDM_LOG_PRETTY
value: "false"
- name: IDM_TRACING_ENABLED
value: "false"
- name: IDM_TRACING_TYPE
value: jaeger
- name: IDM_TRACING_ENDPOINT
value: null
- name: IDM_TRACING_COLLECTOR
value: null
- name: IDM_DEBUG_PPROF
value: "false"
- name: IDM_LDAPS_ADDR
value: 0.0.0.0:9235
- name: IDM_DEBUG_ADDR
value: 0.0.0.0:9239
- name: IDM_CREATE_DEMO_USERS
value: "false"
- name: OCIS_OIDC_ISSUER
value: https://drive.tr1ceracop.de
- name: IDM_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: admin-user
- name: IDM_ADMIN_USER_ID
valueFrom:
secretKeyRef:
key: user-id
name: admin-user
- name: IDM_SVC_PASSWORD
valueFrom:
secretKeyRef:
key: graph-ldap-bind-password
name: ldap-bind-secrets
- name: IDM_REVASVC_PASSWORD
valueFrom:
secretKeyRef:
key: reva-ldap-bind-password
name: ldap-bind-secrets
- name: IDM_IDPSVC_PASSWORD
valueFrom:
secretKeyRef:
key: idp-ldap-bind-password
name: ldap-bind-secrets
- name: IDM_LDAPS_CERT
value: /etc/ocis/ldap-cert/ldap.crt
- name: IDM_LDAPS_KEY
value: /etc/ocis/ldap-cert/ldap.key
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: idm
ports:
- containerPort: 9235
name: ldaps
- containerPort: 9239
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /etc/ocis/ldap-cert
name: ldap-cert
readOnly: true
- mountPath: /var/lib/ocis
name: idm-data
initContainers:
- command:
- mkdir
- -p
- /var/lib/ocis/idm
image: busybox:stable
imagePullPolicy: IfNotPresent
name: init-dir
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/ocis
name: idm-data
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- name: ldap-cert
secret:
secretName: ldap-cert
- name: idm-data
persistentVolumeClaim:
claimName: idm-data
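Review bot: The `init-dir` init container pulls `busybox:stable`, a tag that moves upstream, and with `imagePullPolicy: IfNotPresent` two nodes can run different image contents under the same name. That container mounts the `idm-data` volume writable at `/var/lib/ocis`, which presumably holds the identity store, so image provenance matters here. Pinning by digest, `image: busybox:stable@sha256:<digest-placeholder>`, makes the rendered manifest reproducible and makes an image change visible in review. `owncloud/ocis:7.1.4` is a fixed version tag but is likewise not digest-pinned.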


@ -0,0 +1,121 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
ignore-check.kube-linter.io/env-var-secret: IDP_ENCRYPTION_SECRET_FILE is no secret, it's the file path to the secret
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: idp
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: idp
strategy:
type: Recreate
template:
metadata:
labels:
app: idp
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- idp
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: IDP_LOG_COLOR
value: "false"
- name: IDP_LOG_LEVEL
value: info
- name: IDP_LOG_PRETTY
value: "false"
- name: IDP_TRACING_ENABLED
value: "false"
- name: IDP_TRACING_TYPE
value: jaeger
- name: IDP_TRACING_ENDPOINT
value: null
- name: IDP_TRACING_COLLECTOR
value: null
- name: IDP_DEBUG_PPROF
value: "false"
- name: IDP_HTTP_ADDR
value: 0.0.0.0:9130
- name: IDP_DEBUG_ADDR
value: 0.0.0.0:9134
- name: OCIS_URL
value: https://drive.tr1ceracop.de
- name: IDP_LDAP_URI
value: ldaps://idm:9235
- name: IDP_LDAP_TLS_CACERT
value: /etc/ocis/ldap-ca/ldap-ca.crt
- name: IDP_LDAP_BIND_PASSWORD
valueFrom:
secretKeyRef:
key: idp-ldap-bind-password
name: ldap-bind-secrets
- name: IDP_SIGNING_PRIVATE_KEY_FILES
value: /etc/ocis/idp/private-key.pem
- name: IDP_ENCRYPTION_SECRET_FILE
value: /etc/ocis/idp/encryption.key
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: idp
ports:
- containerPort: 9130
name: http
- containerPort: 9134
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/ocis
name: ocis-data-tmp
- mountPath: /etc/ocis/ldap-ca
name: ldap-ca
readOnly: true
- mountPath: /etc/ocis/idp
name: idp-secrets
readOnly: true
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: ocis-data-tmp
- name: ldap-ca
secret:
secretName: ldap-ca
- name: idp-secrets
secret:
secretName: idp-secrets


@ -0,0 +1,84 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: nats
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: nats
strategy:
type: Recreate
template:
metadata:
labels:
app: nats
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- nats
- server
command:
- ocis
env:
- name: NATS_LOG_COLOR
value: "false"
- name: NATS_LOG_LEVEL
value: info
- name: NATS_LOG_PRETTY
value: "false"
- name: NATS_DEBUG_PPROF
value: "false"
- name: NATS_NATS_HOST
value: 0.0.0.0
- name: NATS_NATS_PORT
value: "9233"
- name: NATS_DEBUG_ADDR
value: 0.0.0.0:9234
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: nats
ports:
- containerPort: 9233
name: nats
- containerPort: 9234
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/ocis
name: nats-data
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- name: nats-data
persistentVolumeClaim:
claimName: nats-data
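Review bot: The NATS listener is bound to `0.0.0.0` on port `9233` and nothing in this env block configures TLS or client credentials, while the other Deployments in this commit use `nats:9233` as service registry, event bus and cache store. The `messaging-system-ca` volumes mounted by graph, postprocessing, search, sharing and sse are `emptyDir`s, which suggests the bus runs without a CA, i.e. in plaintext. If so, any pod that can reach the `ocis` namespace can read or publish events and registry entries. A NetworkPolicy that limits ingress on port 9233 (and on the `ldaps` port 9235 of idm) to pods in this namespace is worth adding; none is visible in this part of the commit.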


@ -0,0 +1,110 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: ocdav
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: ocdav
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: ocdav
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- ocdav
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_CORS_ALLOW_ORIGINS
value: https://drive.tr1ceracop.de
- name: OCDAV_LOG_COLOR
value: "false"
- name: OCDAV_LOG_LEVEL
value: info
- name: OCDAV_LOG_PRETTY
value: "false"
- name: OCDAV_TRACING_ENABLED
value: "false"
- name: OCDAV_TRACING_TYPE
value: jaeger
- name: OCDAV_TRACING_ENDPOINT
value: null
- name: OCDAV_TRACING_COLLECTOR
value: null
- name: OCDAV_DEBUG_PPROF
value: "false"
- name: OCDAV_HTTP_ADDR
value: 0.0.0.0:8080
- name: OCDAV_DEBUG_ADDR
value: 0.0.0.0:9163
- name: OCDAV_PUBLIC_URL
value: https://drive.tr1ceracop.de
- name: OCIS_EDITION
value: Community
- name: OCDAV_INSECURE
value: "false"
- name: OCDAV_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
- name: OCDAV_MACHINE_AUTH_API_KEY
valueFrom:
secretKeyRef:
key: machine-auth-api-key
name: machine-auth-api-key
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: ocdav
ports:
- containerPort: 8080
name: http
- containerPort: 9163
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts: null
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes: null


@ -0,0 +1,107 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: ocs
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: ocs
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: ocs
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- ocs
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_CORS_ALLOW_ORIGINS
value: https://drive.tr1ceracop.de
- name: OCIS_CACHE_STORE
value: nats-js-kv
- name: OCIS_CACHE_STORE_NODES
value: nats:9233
- name: OCIS_CACHE_DISABLE_PERSISTENCE
value: "true"
- name: OCS_LOG_COLOR
value: "false"
- name: OCS_LOG_LEVEL
value: info
- name: OCS_LOG_PRETTY
value: "false"
- name: OCS_TRACING_ENABLED
value: "false"
- name: OCS_TRACING_TYPE
value: jaeger
- name: OCS_TRACING_ENDPOINT
value: null
- name: OCS_TRACING_COLLECTOR
value: null
- name: OCS_DEBUG_PPROF
value: "false"
- name: OCS_HTTP_ADDR
value: 0.0.0.0:9110
- name: OCS_DEBUG_ADDR
value: 0.0.0.0:9114
- name: OCS_IDM_ADDRESS
value: https://drive.tr1ceracop.de
- name: OCS_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: ocs
ports:
- containerPort: 9110
name: http
- containerPort: 9114
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts: null
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes: null


@ -0,0 +1,93 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: postprocessing
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: postprocessing
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: postprocessing
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- postprocessing
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_EVENTS_ENDPOINT
value: nats:9233
- name: OCIS_PERSISTENT_STORE
value: nats-js-kv
- name: OCIS_PERSISTENT_STORE_NODES
value: nats:9233
- name: POSTPROCESSING_LOG_COLOR
value: "false"
- name: POSTPROCESSING_LOG_LEVEL
value: info
- name: POSTPROCESSING_LOG_PRETTY
value: "false"
- name: POSTPROCESSING_DEBUG_PPROF
value: "false"
- name: POSTPROCESSING_DEBUG_ADDR
value: 0.0.0.0:9255
- name: POSTPROCESSING_WORKERS
value: "3"
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: postprocessing
ports:
- containerPort: 9255
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /etc/ocis/messaging-system-ca
name: messaging-system-ca
readOnly: true
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: messaging-system-ca


@ -0,0 +1,137 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: proxy
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: proxy
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations:
checksum/config: 941efbdfcec62bd56f340d707523e4dbbdaef0b8501880d4fa52a89ccc0e3233
labels:
app: proxy
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- proxy
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_CACHE_STORE
value: nats-js-kv
- name: OCIS_CACHE_STORE_NODES
value: nats:9233
- name: OCIS_CACHE_DISABLE_PERSISTENCE
value: "true"
- name: OCIS_EVENTS_ENDPOINT
value: nats:9233
- name: PROXY_LOG_COLOR
value: "false"
- name: PROXY_LOG_LEVEL
value: info
- name: PROXY_LOG_PRETTY
value: "false"
- name: PROXY_TRACING_ENABLED
value: "false"
- name: PROXY_TRACING_TYPE
value: jaeger
- name: PROXY_TRACING_ENDPOINT
value: null
- name: PROXY_TRACING_COLLECTOR
value: null
- name: PROXY_DEBUG_PPROF
value: "false"
- name: PROXY_HTTP_ADDR
value: 0.0.0.0:9200
- name: PROXY_DEBUG_ADDR
value: 0.0.0.0:9205
- name: PROXY_OIDC_ISSUER
value: https://drive.tr1ceracop.de
- name: PROXY_TLS
value: "false"
- name: PROXY_OIDC_INSECURE
value: "false"
- name: PROXY_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
- name: PROXY_MACHINE_AUTH_API_KEY
valueFrom:
secretKeyRef:
key: machine-auth-api-key
name: machine-auth-api-key
- name: PROXY_SERVICE_ACCOUNT_ID
valueFrom:
configMapKeyRef:
key: service-account-id
name: auth-service
- name: PROXY_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
key: service-account-secret
name: service-account-secret
- name: PROXY_CSP_CONFIG_FILE_LOCATION
value: /etc/ocis/csp.yaml
- name: PROXY_AUTOPROVISION_ACCOUNTS
value: "false"
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: proxy
ports:
- containerPort: 9200
name: http
- containerPort: 9205
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /etc/ocis
name: configs
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- configMap:
name: proxy-config
name: configs
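Review bot: `resources: {}` leaves the proxy container without requests or limits, and it is presumably the externally reachable HTTP entry point, since it listens on `0.0.0.0:9200`. The pod therefore runs as BestEffort QoS, is among the first evicted under node memory pressure, and has no memory ceiling when traffic spikes. Setting at least requests and a memory limit avoids that, e.g. `resources: {requests: {cpu: <placeholder>, memory: <placeholder>}, limits: {memory: <placeholder>}}`, with values measured on this cluster. The other oCIS Deployments in this commit render the same empty block.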


@ -0,0 +1,122 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: search
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: search
strategy:
type: Recreate
template:
metadata:
labels:
app: search
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- search
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_EVENTS_ENDPOINT
value: nats:9233
- name: SEARCH_LOG_COLOR
value: "false"
- name: SEARCH_LOG_LEVEL
value: info
- name: SEARCH_LOG_PRETTY
value: "false"
- name: SEARCH_TRACING_ENABLED
value: "false"
- name: SEARCH_TRACING_TYPE
value: jaeger
- name: SEARCH_TRACING_ENDPOINT
value: null
- name: SEARCH_TRACING_COLLECTOR
value: null
- name: SEARCH_DEBUG_PPROF
value: "false"
- name: SEARCH_GRPC_ADDR
value: 0.0.0.0:9220
- name: SEARCH_DEBUG_ADDR
value: 0.0.0.0:9224
- name: SEARCH_EXTRACTOR_TYPE
value: basic
- name: SEARCH_EXTRACTOR_CS3SOURCE_INSECURE
value: "false"
- name: SEARCH_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
- name: SEARCH_SERVICE_ACCOUNT_ID
valueFrom:
configMapKeyRef:
key: service-account-id
name: auth-service
- name: SEARCH_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
key: service-account-secret
name: service-account-secret
- name: OCIS_ASYNC_UPLOADS
value: "true"
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: search
ports:
- containerPort: 9220
name: grpc
- containerPort: 9224
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /etc/ocis/messaging-system-ca
name: messaging-system-ca
readOnly: true
- mountPath: /var/lib/ocis
name: search-data
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: messaging-system-ca
- name: search-data
persistentVolumeClaim:
claimName: search-data


@ -0,0 +1,133 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: settings
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: settings
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations:
checksum/config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
labels:
app: settings
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- settings
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_CORS_ALLOW_ORIGINS
value: https://drive.tr1ceracop.de
- name: OCIS_CACHE_STORE
value: nats-js-kv
- name: OCIS_CACHE_STORE_NODES
value: nats:9233
- name: OCIS_CACHE_DISABLE_PERSISTENCE
value: "true"
- name: OCIS_DEFAULT_LANGUAGE
value: en
- name: SETTINGS_LOG_COLOR
value: "false"
- name: SETTINGS_LOG_LEVEL
value: info
- name: SETTINGS_LOG_PRETTY
value: "false"
- name: SETTINGS_TRACING_ENABLED
value: "false"
- name: SETTINGS_TRACING_TYPE
value: jaeger
- name: SETTINGS_TRACING_ENDPOINT
value: null
- name: SETTINGS_TRACING_COLLECTOR
value: null
- name: SETTINGS_DEBUG_PPROF
value: "false"
- name: SETTINGS_HTTP_ADDR
value: 0.0.0.0:9190
- name: SETTINGS_GRPC_ADDR
value: 0.0.0.0:9191
- name: SETTINGS_DEBUG_ADDR
value: 0.0.0.0:9194
- name: SETTINGS_ADMIN_USER_ID
valueFrom:
secretKeyRef:
key: user-id
name: admin-user
- name: SETTINGS_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
- name: SETTINGS_SERVICE_ACCOUNT_IDS
valueFrom:
configMapKeyRef:
key: service-account-id
name: auth-service
- name: OCIS_SYSTEM_USER_API_KEY
valueFrom:
secretKeyRef:
key: api-key
name: storage-system
- name: OCIS_SYSTEM_USER_ID
valueFrom:
secretKeyRef:
key: user-id
name: storage-system
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: settings
ports:
- containerPort: 9190
name: http
- containerPort: 9191
name: grpc
- containerPort: 9194
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts: null
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes: null


@ -0,0 +1,155 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: sharing
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: sharing
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: sharing
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- sharing
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_EVENTS_ENDPOINT
value: nats:9233
- name: SHARING_LOG_COLOR
value: "false"
- name: SHARING_LOG_LEVEL
value: info
- name: SHARING_LOG_PRETTY
value: "false"
- name: SHARING_TRACING_ENABLED
value: "false"
- name: SHARING_TRACING_TYPE
value: jaeger
- name: SHARING_TRACING_ENDPOINT
value: null
- name: SHARING_TRACING_COLLECTOR
value: null
- name: SHARING_DEBUG_PPROF
value: "false"
- name: SHARING_GRPC_ADDR
value: 0.0.0.0:9150
- name: SHARING_DEBUG_ADDR
value: 0.0.0.0:9151
- name: SHARING_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
- name: SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD
value: "false"
- name: SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD
value: "false"
- name: SHARING_PASSWORD_POLICY_MIN_CHARACTERS
value: "0"
- name: SHARING_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS
value: "0"
- name: SHARING_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS
value: "0"
- name: SHARING_PASSWORD_POLICY_MIN_DIGITS
value: "0"
- name: SHARING_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS
value: "0"
- name: SHARING_PASSWORD_POLICY_BANNED_PASSWORDS_LIST
value: /etc/ocis/sharing-banned-passwords.txt
- name: SHARING_USER_DRIVER
value: jsoncs3
- name: SHARING_USER_JSONCS3_SYSTEM_USER_API_KEY
valueFrom:
secretKeyRef:
key: api-key
name: storage-system
- name: SHARING_USER_JSONCS3_SYSTEM_USER_ID
valueFrom:
secretKeyRef:
key: user-id
name: storage-system
- name: SHARING_PUBLIC_DRIVER
value: jsoncs3
- name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY
valueFrom:
secretKeyRef:
key: api-key
name: storage-system
- name: SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID
valueFrom:
secretKeyRef:
key: user-id
name: storage-system
- name: SHARING_USER_JSONCS3_MAX_CONCURRENCY
value: "20"
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: sharing
ports:
- containerPort: 9150
name: grpc
- containerPort: 9151
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-volume
- mountPath: /etc/ocis/messaging-system-ca
name: messaging-system-ca
readOnly: true
- mountPath: /etc/ocis
name: configs
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: tmp-volume
- emptyDir: {}
name: messaging-system-ca
- configMap:
name: sharing-banned-passwords-sharing
name: configs
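Review bot: Public links are rendered with `SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD` and `SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` both `"false"`, and every `SHARING_PASSWORD_POLICY_MIN_*` value is `"0"`. A link URL alone then grants access to the share, including upload on writable links, and a password that is set has no minimum strength. For an instance published at `https://drive.tr1ceracop.de` I would require at least `SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` = `"true"` and a non-zero `SHARING_PASSWORD_POLICY_MIN_CHARACTERS`, set through the chart values that drive these variables. It is also worth confirming that the `sharing-banned-passwords-sharing` ConfigMap actually carries a list.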


@ -0,0 +1,108 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: sse
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: sse
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: sse
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- sse
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_CORS_ALLOW_ORIGINS
value: https://drive.tr1ceracop.de
- name: OCIS_EVENTS_ENDPOINT
value: nats:9233
- name: SSE_LOG_COLOR
value: "false"
- name: SSE_LOG_LEVEL
value: info
- name: SSE_LOG_PRETTY
value: "false"
- name: SSE_TRACING_ENABLED
value: "false"
- name: SSE_TRACING_TYPE
value: jaeger
- name: SSE_TRACING_ENDPOINT
value: null
- name: SSE_TRACING_COLLECTOR
value: null
- name: SSE_DEBUG_PPROF
value: "false"
- name: SSE_DEBUG_ADDR
value: 0.0.0.0:9135
- name: SSE_HTTP_ADDR
value: 0.0.0.0:9939
- name: SSE_KEEPALIVE_INTERVAL
value: 30s
- name: SSE_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: sse
ports:
- containerPort: 9939
name: http
- containerPort: 9135
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /etc/ocis/messaging-system-ca
name: messaging-system-ca
readOnly: true
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: messaging-system-ca


@ -0,0 +1,105 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: storagepubliclink
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: storagepubliclink
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: storagepubliclink
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- storage-publiclink
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_PERSISTENT_STORE
value: nats-js-kv
- name: OCIS_PERSISTENT_STORE_NODES
value: nats:9233
- name: STORAGE_PUBLICLINK_LOG_COLOR
value: "false"
- name: STORAGE_PUBLICLINK_LOG_LEVEL
value: info
- name: STORAGE_PUBLICLINK_LOG_PRETTY
value: "false"
- name: STORAGE_PUBLICLINK_TRACING_ENABLED
value: "false"
- name: STORAGE_PUBLICLINK_TRACING_TYPE
value: jaeger
- name: STORAGE_PUBLICLINK_TRACING_ENDPOINT
value: null
- name: STORAGE_PUBLICLINK_TRACING_COLLECTOR
value: null
- name: STORAGE_PUBLICLINK_DEBUG_PPROF
value: "false"
- name: STORAGE_PUBLICLINK_GRPC_ADDR
value: 0.0.0.0:9178
- name: STORAGE_PUBLICLINK_DEBUG_ADDR
value: 0.0.0.0:9179
- name: STORAGE_PUBLICLINK_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: storagepubliclink
ports:
- containerPort: 9178
name: grpc
- containerPort: 9179
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-volume
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: tmp-volume
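Review bot: The container `securityContext` here sets `runAsNonRoot` and `readOnlyRootFilesystem` but leaves privilege escalation, Linux capabilities and the seccomp profile at their defaults, and the same block repeats in the storageshares, storagesystem, storageusers, thumbnails, userlog, users, web, webdav and webfinger Deployments below. Adding `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}` would close that gap. The Namespace manifest later in this commit keeps `pod-security.kubernetes.io/enforce: privileged`, so admission will not reject a pod that lacks these settings. These manifests look like rendered chart output (`app.kubernetes.io/managed-by: Helm`), so the change probably belongs in the chart values or an overlay rather than in this file.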


@ -0,0 +1,101 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: storageshares
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: storageshares
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: storageshares
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- storage-shares
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: STORAGE_SHARES_LOG_COLOR
value: "false"
- name: STORAGE_SHARES_LOG_LEVEL
value: info
- name: STORAGE_SHARES_LOG_PRETTY
value: "false"
- name: STORAGE_SHARES_TRACING_ENABLED
value: "false"
- name: STORAGE_SHARES_TRACING_TYPE
value: jaeger
- name: STORAGE_SHARES_TRACING_ENDPOINT
value: null
- name: STORAGE_SHARES_TRACING_COLLECTOR
value: null
- name: STORAGE_SHARES_DEBUG_PPROF
value: "false"
- name: STORAGE_SHARES_GRPC_ADDR
value: 0.0.0.0:9154
- name: STORAGE_SHARES_DEBUG_ADDR
value: 0.0.0.0:9156
- name: STORAGE_SHARES_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: storageshares
ports:
- containerPort: 9154
name: grpc
- containerPort: 9156
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-volume
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: tmp-volume


@ -0,0 +1,130 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: storagesystem
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: storagesystem
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: storagesystem
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- storage-system
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_CACHE_STORE
value: nats-js-kv
- name: OCIS_CACHE_STORE_NODES
value: nats:9233
- name: OCIS_CACHE_DISABLE_PERSISTENCE
value: "true"
- name: STORAGE_SYSTEM_LOG_COLOR
value: "false"
- name: STORAGE_SYSTEM_LOG_LEVEL
value: info
- name: STORAGE_SYSTEM_LOG_PRETTY
value: "false"
- name: STORAGE_SYSTEM_TRACING_ENABLED
value: "false"
- name: STORAGE_SYSTEM_TRACING_TYPE
value: jaeger
- name: STORAGE_SYSTEM_TRACING_ENDPOINT
value: null
- name: STORAGE_SYSTEM_TRACING_COLLECTOR
value: null
- name: STORAGE_SYSTEM_DEBUG_PPROF
value: "false"
- name: STORAGE_SYSTEM_GRPC_ADDR
value: 0.0.0.0:9215
- name: STORAGE_SYSTEM_DEBUG_ADDR
value: 0.0.0.0:9217
- name: STORAGE_SYSTEM_HTTP_ADDR
value: 0.0.0.0:9216
- name: STORAGE_SYSTEM_DATA_SERVER_URL
value: http://storagesystem:9216/data
- name: STORAGE_SYSTEM_DRIVER
value: ocis
- name: STORAGE_SYSTEM_JWT_SECRET
valueFrom:
secretKeyRef:
key: storage-system-jwt-secret
name: storage-system-jwt-secret
- name: OCIS_SYSTEM_USER_API_KEY
valueFrom:
secretKeyRef:
key: api-key
name: storage-system
- name: OCIS_SYSTEM_USER_ID
valueFrom:
secretKeyRef:
key: user-id
name: storage-system
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: storagesystem
ports:
- containerPort: 9215
name: grpc
- containerPort: 9216
name: http
- containerPort: 9217
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-volume
- mountPath: /var/lib/ocis
name: storagesystem-data
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: tmp-volume
- name: storagesystem-data
persistentVolumeClaim:
claimName: storagesystem-data
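Review bot: `strategy.type: RollingUpdate` with `maxSurge: 25%` and `replicas: 1` starts the replacement pod before the old one stops (the surge rounds up to one pod), and this Deployment mounts the `storagesystem-data` claim at `/var/lib/ocis`. The claim is `ReadWriteOnce`, which does not stop two pods on the same node from mounting it, so during a rollout two oCIS processes can have the same data directory open. Whether storage-system tolerates that is not visible here. `strategy: {type: Recreate}` avoids the overlap. The same applies to the storageusers, thumbnails and web Deployments, which also mount claims.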


@ -0,0 +1,195 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: storageusers
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: storageusers
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: storageusers
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- storage-users
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_EVENTS_ENDPOINT
value: nats:9233
- name: OCIS_CACHE_STORE
value: nats-js-kv
- name: OCIS_CACHE_STORE_NODES
value: nats:9233
- name: OCIS_CACHE_DISABLE_PERSISTENCE
value: "true"
- name: OCIS_CORS_ALLOW_ORIGINS
value: https://drive.tr1ceracop.de
- name: STORAGE_USERS_GATEWAY_GRPC_ADDR
value: gateway:9142
- name: STORAGE_USERS_LOG_COLOR
value: "false"
- name: STORAGE_USERS_LOG_LEVEL
value: info
- name: STORAGE_USERS_LOG_PRETTY
value: "false"
- name: STORAGE_USERS_TRACING_ENABLED
value: "false"
- name: STORAGE_USERS_TRACING_TYPE
value: jaeger
- name: STORAGE_USERS_TRACING_ENDPOINT
value: null
- name: STORAGE_USERS_TRACING_COLLECTOR
value: null
- name: STORAGE_USERS_DEBUG_PPROF
value: "false"
- name: STORAGE_USERS_GRPC_ADDR
value: 0.0.0.0:9157
- name: STORAGE_USERS_DEBUG_ADDR
value: 0.0.0.0:9159
- name: STORAGE_USERS_HTTP_ADDR
value: 0.0.0.0:9158
- name: STORAGE_USERS_DATA_SERVER_URL
value: http://storageusers:9158/data
- name: STORAGE_USERS_DRIVER
value: s3ng
- name: STORAGE_USERS_S3NG_MAX_CONCURRENCY
value: "100"
- name: STORAGE_USERS_S3NG_ENDPOINT
value: https://nbg1.your-objectstorage.com
- name: STORAGE_USERS_S3NG_REGION
value: nbg1
- name: STORAGE_USERS_S3NG_ACCESS_KEY
valueFrom:
secretKeyRef:
key: accessKey
name: ocis-s3-credentials
- name: STORAGE_USERS_S3NG_SECRET_KEY
valueFrom:
secretKeyRef:
key: secretKey
name: ocis-s3-credentials
- name: STORAGE_USERS_S3NG_BUCKET
value: ocis-tr1ceracop
- name: STORAGE_USERS_S3NG_PUT_OBJECT_DISABLE_CONTENT_SHA256
value: "false"
- name: STORAGE_USERS_S3NG_PUT_OBJECT_DISABLE_MULTIPART
value: "false"
- name: STORAGE_USERS_S3NG_PUT_OBJECT_SEND_CONTENT_MD5
value: "true"
- name: STORAGE_USERS_S3NG_PUT_OBJECT_CONCURRENT_STREAM_PARTS
value: "true"
- name: STORAGE_USERS_S3NG_PUT_OBJECT_NUM_THREADS
value: "4"
- name: STORAGE_USERS_S3NG_PUT_OBJECT_PART_SIZE
value: "0"
- name: STORAGE_USERS_UPLOAD_EXPIRATION
value: "86400"
- name: STORAGE_USERS_PURGE_TRASH_BIN_PERSONAL_DELETE_BEFORE
value: 720h
- name: STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE
value: 720h
- name: STORAGE_USERS_SERVICE_ACCOUNT_ID
valueFrom:
configMapKeyRef:
key: service-account-id
name: auth-service
- name: STORAGE_USERS_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
key: service-account-secret
name: service-account-secret
- name: STORAGE_USERS_STAT_CACHE_STORE
value: noop
- name: STORAGE_USERS_MOUNT_ID
valueFrom:
configMapKeyRef:
key: storage-uuid
name: storage-users
- name: STORAGE_USERS_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
- name: OCIS_TRANSFER_SECRET
valueFrom:
secretKeyRef:
key: transfer-secret
name: transfer-secret
- name: OCIS_ASYNC_UPLOADS
value: "true"
- name: STORAGE_USERS_EVENTS_NUM_CONSUMERS
value: "10"
- name: STORAGE_USERS_DATA_GATEWAY_URL
value: http://frontend:9140/data/
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: storageusers
ports:
- containerPort: 9157
name: grpc
- containerPort: 9158
name: http
- containerPort: 9159
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-volume
- mountPath: /etc/ocis/messaging-system-ca
name: messaging-system-ca
readOnly: true
- mountPath: /var/lib/ocis
name: storageusers-data
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: tmp-volume
- emptyDir: {}
name: messaging-system-ca
- name: storageusers-data
persistentVolumeClaim:
claimName: storageusers-data


@ -0,0 +1,122 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: thumbnails
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: thumbnails
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: thumbnails
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- thumbnails
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_CORS_ALLOW_ORIGINS
value: https://drive.tr1ceracop.de
- name: THUMBNAILS_LOG_COLOR
value: "false"
- name: THUMBNAILS_LOG_LEVEL
value: info
- name: THUMBNAILS_LOG_PRETTY
value: "false"
- name: THUMBNAILS_TRACING_ENABLED
value: "false"
- name: THUMBNAILS_TRACING_TYPE
value: jaeger
- name: THUMBNAILS_TRACING_ENDPOINT
value: null
- name: THUMBNAILS_TRACING_COLLECTOR
value: null
- name: THUMBNAILS_DEBUG_PPROF
value: "false"
- name: THUMBNAILS_GRPC_ADDR
value: 0.0.0.0:9185
- name: THUMBNAILS_HTTP_ADDR
value: 0.0.0.0:9186
- name: THUMBNAILS_DEBUG_ADDR
value: 0.0.0.0:9189
- name: THUMBNAILS_DATA_ENDPOINT
value: http://thumbnails:9186/thumbnails/data
- name: THUMBNAILS_MAX_CONCURRENT_REQUESTS
value: "0"
- name: THUMBNAILS_MAX_INPUT_IMAGE_FILE_SIZE
value: 50MB
- name: THUMBNAILS_MAX_INPUT_WIDTH
value: "7680"
- name: THUMBNAILS_MAX_INPUT_HEIGHT
value: "7680"
- name: THUMBNAILS_WEBDAVSOURCE_INSECURE
value: "false"
- name: THUMBNAILS_CS3SOURCE_INSECURE
value: "false"
- name: THUMBNAILS_TRANSFER_TOKEN
valueFrom:
secretKeyRef:
key: thumbnails-transfer-secret
name: thumbnails-transfer-secret
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: thumbnails
ports:
- containerPort: 9185
name: grpc
- containerPort: 9186
name: http
- containerPort: 9189
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /var/lib/ocis
name: thumbnails-data
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- name: thumbnails-data
persistentVolumeClaim:
claimName: thumbnails-data
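Review bot: `THUMBNAILS_MAX_CONCURRENT_REQUESTS` is `"0"`, which in oCIS appears to mean no limit, while `resources: {}` leaves the container without a memory limit and inputs up to `50MB` and 7680x7680 pixels are accepted. Many simultaneous previews of large images can therefore grow this pod's memory without bound and put pressure on the node. Every Deployment in this commit has `resources: {}`, but this is the one that decodes user-supplied images. A finite concurrency and a memory limit would bound that, for example `value: "4"` and `resources: {limits: {memory: 512Mi}}` (sample numbers, to be sized for the node).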


@ -0,0 +1,116 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: userlog
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: userlog
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: userlog
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- userlog
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_CORS_ALLOW_ORIGINS
value: https://drive.tr1ceracop.de
- name: OCIS_EVENTS_ENDPOINT
value: nats:9233
- name: OCIS_PERSISTENT_STORE
value: nats-js-kv
- name: OCIS_PERSISTENT_STORE_NODES
value: nats:9233
- name: OCIS_DEFAULT_LANGUAGE
value: en
- name: USERLOG_LOG_COLOR
value: "false"
- name: USERLOG_LOG_LEVEL
value: info
- name: USERLOG_LOG_PRETTY
value: "false"
- name: USERLOG_DEBUG_PPROF
value: "false"
- name: USERLOG_HTTP_ADDR
value: 0.0.0.0:8080
- name: USERLOG_DEBUG_ADDR
value: 0.0.0.0:9210
- name: USERLOG_SERVICE_ACCOUNT_ID
valueFrom:
configMapKeyRef:
key: service-account-id
name: auth-service
- name: USERLOG_SERVICE_ACCOUNT_SECRET
valueFrom:
secretKeyRef:
key: service-account-secret
name: service-account-secret
- name: USERLOG_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
- name: USERLOG_MAX_CONCURRENCY
value: "1"
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: userlog
ports:
- containerPort: 8080
name: http
- containerPort: 9210
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /etc/ocis/messaging-system-ca
name: messaging-system-ca
readOnly: true
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: messaging-system-ca


@ -0,0 +1,118 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: users
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: users
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: users
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- users
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: USERS_LOG_COLOR
value: "false"
- name: USERS_LOG_LEVEL
value: info
- name: USERS_LOG_PRETTY
value: "false"
- name: USERS_TRACING_ENABLED
value: "false"
- name: USERS_TRACING_TYPE
value: jaeger
- name: USERS_TRACING_ENDPOINT
value: null
- name: USERS_TRACING_COLLECTOR
value: null
- name: USERS_DEBUG_PPROF
value: "false"
- name: USERS_GRPC_ADDR
value: 0.0.0.0:9144
- name: USERS_DEBUG_ADDR
value: 0.0.0.0:9145
- name: USERS_LDAP_URI
value: ldaps://idm:9235
- name: USERS_LDAP_CACERT
value: /etc/ocis/ldap-ca/ldap-ca.crt
- name: USERS_LDAP_BIND_PASSWORD
valueFrom:
secretKeyRef:
key: reva-ldap-bind-password
name: ldap-bind-secrets
- name: USERS_IDP_URL
value: https://drive.tr1ceracop.de
- name: USERS_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: users
ports:
- containerPort: 9144
name: grpc
- containerPort: 9145
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /tmp
name: tmp-volume
- mountPath: /etc/ocis/ldap-ca
name: ldap-ca
readOnly: true
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- emptyDir: {}
name: tmp-volume
- name: ldap-ca
secret:
secretName: ldap-ca


@ -0,0 +1,133 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: web
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: web
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations:
checksum/config: cec3e646a6e624081e4fe2c886cae482477f21ba2edc86cee2e89c17d92f2034
labels:
app: web
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- web
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_CORS_ALLOW_ORIGINS
value: https://drive.tr1ceracop.de
- name: WEB_LOG_COLOR
value: "false"
- name: WEB_LOG_LEVEL
value: info
- name: WEB_LOG_PRETTY
value: "false"
- name: WEB_TRACING_ENABLED
value: "false"
- name: WEB_TRACING_TYPE
value: jaeger
- name: WEB_TRACING_ENDPOINT
value: null
- name: WEB_TRACING_COLLECTOR
value: null
- name: WEB_DEBUG_PPROF
value: "false"
- name: WEB_HTTP_ADDR
value: 0.0.0.0:9100
- name: WEB_DEBUG_ADDR
value: 0.0.0.0:9104
- name: WEB_OIDC_AUTHORITY
value: https://drive.tr1ceracop.de
- name: WEB_OIDC_CLIENT_ID
value: web
- name: WEB_OIDC_SCOPE
value: openid profile email
- name: WEB_UI_THEME_SERVER
value: https://drive.tr1ceracop.de
- name: WEB_UI_THEME_PATH
value: /themes/owncloud/theme.json
- name: WEB_UI_CONFIG_SERVER
value: https://drive.tr1ceracop.de
- name: WEB_OPTION_CONTEXTHELPERS_READ_MORE
value: "true"
- name: WEB_OPTION_DISABLE_FEEDBACK_LINK
value: "true"
- name: WEB_OPTION_TOKEN_STORAGE_LOCAL
value: "true"
- name: WEB_JWT_SECRET
valueFrom:
secretKeyRef:
key: jwt-secret
name: jwt-secret
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: web
ports:
- containerPort: 9100
name: http
- containerPort: 9104
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts:
- mountPath: /etc/ocis
name: configs
- mountPath: /var/lib/ocis/web/assets/apps
name: apps
- mountPath: /var/lib/ocis
name: web-data
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes:
- configMap:
name: web-config
name: configs
- emptyDir: {}
name: apps
- name: web-data
persistentVolumeClaim:
claimName: web-data
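Review bot: `WEB_OPTION_TOKEN_STORAGE_LOCAL` is `"true"`, which makes the web client keep its access token in the browser's localStorage instead of sessionStorage. A token stored there outlives the tab and is readable by any script running in the `drive.tr1ceracop.de` origin, so a cross-site-scripting bug exposes it for longer. If login persistence across tabs is not needed, set `value: "false"`. This may be the chart default rather than a deliberate choice, in which case the override goes in the values file.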


@ -0,0 +1,96 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: webdav
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: webdav
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: webdav
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- webdav
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_CORS_ALLOW_ORIGINS
value: https://drive.tr1ceracop.de
- name: WEBDAV_LOG_COLOR
value: "false"
- name: WEBDAV_LOG_LEVEL
value: info
- name: WEBDAV_LOG_PRETTY
value: "false"
- name: WEBDAV_TRACING_ENABLED
value: "false"
- name: WEBDAV_TRACING_TYPE
value: jaeger
- name: WEBDAV_TRACING_ENDPOINT
value: null
- name: WEBDAV_TRACING_COLLECTOR
value: null
- name: WEBDAV_DEBUG_PPROF
value: "false"
- name: WEBDAV_HTTP_ADDR
value: 0.0.0.0:9115
- name: WEBDAV_DEBUG_ADDR
value: 0.0.0.0:9119
- name: OCIS_PUBLIC_URL
value: https://drive.tr1ceracop.de
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: webdav
ports:
- containerPort: 9115
name: http
- containerPort: 9119
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts: null
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes: null


@ -0,0 +1,100 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: webfinger
namespace: ocis
spec:
replicas: 1
selector:
matchLabels:
app: webfinger
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
labels:
app: webfinger
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
spec:
containers:
- args:
- webfinger
- server
command:
- ocis
env:
- name: MICRO_REGISTRY
value: nats-js-kv
- name: MICRO_REGISTRY_ADDRESS
value: nats:9233
- name: OCIS_CORS_ALLOW_ORIGINS
value: https://drive.tr1ceracop.de
- name: WEBFINGER_LOG_COLOR
value: "false"
- name: WEBFINGER_LOG_LEVEL
value: info
- name: WEBFINGER_LOG_PRETTY
value: "false"
- name: WEBFINGER_TRACING_ENABLED
value: "false"
- name: WEBFINGER_TRACING_TYPE
value: jaeger
- name: WEBFINGER_TRACING_ENDPOINT
value: null
- name: WEBFINGER_TRACING_COLLECTOR
value: null
- name: WEBFINGER_DEBUG_PPROF
value: "false"
- name: WEBFINGER_HTTP_ADDR
value: 0.0.0.0:8080
- name: WEBFINGER_DEBUG_ADDR
value: 0.0.0.0:8081
- name: WEBFINGER_OIDC_ISSUER
value: https://drive.tr1ceracop.de
- name: WEBFINGER_OWNCLOUD_SERVER_INSTANCE_URL
value: https://drive.tr1ceracop.de
- name: WEBFINGER_INSECURE
value: "false"
image: owncloud/ocis:7.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: metrics-debug
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 10
name: webfinger
ports:
- containerPort: 8080
name: http
- containerPort: 8081
name: metrics-debug
resources: {}
securityContext:
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumeMounts: null
nodeSelector: {}
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
volumes: null


@ -5,28 +5,27 @@ metadata:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
cert-manager.io/cluster-issuer: letsencrypt cert-manager.io/cluster-issuer: letsencrypt
labels: labels:
app.kubernetes.io/component: app app.kubernetes.io/instance: ocis
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: nextcloud app.kubernetes.io/name: ocis
app.kubernetes.io/version: 33.0.0 app.kubernetes.io/version: 7.1.4
helm.sh/chart: nextcloud-9.0.4 helm.sh/chart: ocis-0.7.0
name: nextcloud name: proxy
namespace: nextcloud namespace: ocis
spec: spec:
ingressClassName: traefik ingressClassName: traefik
rules: rules:
- host: nextcloud.tr1ceracop.de - host: drive.tr1ceracop.de
http: http:
paths: paths:
- backend: - backend:
service: service:
name: nextcloud name: proxy
port: port:
number: 8080 number: 9200
path: / path: /
pathType: Prefix pathType: Prefix
tls: tls:
- hosts: - hosts:
- nextcloud.tr1ceracop.de - drive.tr1ceracop.de
secretName: nextcloud-tls secretName: ocis-tls


@ -0,0 +1,40 @@
apiVersion: batch/v1
kind: Job
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
argocd.argoproj.io/sync-options: Replace=true
name: ocis-secret-init
namespace: ocis
spec:
template:
spec:
containers:
- command:
- sh
- -c
- |
set -e
SECRET_NAME="ocis-s3-credentials"
if ! kubectl get secret "${SECRET_NAME}" -n ${NAMESPACE} >/dev/null 2>&1; then
echo "ERROR: Secret ${SECRET_NAME} does not exist in namespace ${NAMESPACE}."
echo "Please create it manually with keys 'accessKey' and 'secretKey':"
echo " kubectl create secret generic ${SECRET_NAME} -n ${NAMESPACE} \\"
echo " --from-literal=accessKey=<your-access-key> \\"
echo " --from-literal=secretKey=<your-secret-key>"
exit 1
else
echo "Secret ${SECRET_NAME} exists, OK"
fi
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: alpine/k8s:1.32.3
name: init
restartPolicy: OnFailure
serviceAccountName: ocis-secret-init
ttlSecondsAfterFinished: 300
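Review bot: The `init` container has no `securityContext`, so it runs as whatever user the `alpine/k8s:1.32.3` image defaults to (presumably root) while holding the `ocis-secret-init` service-account token. The Deployments in this commit at least run as uid 1000. Adding `runAsNonRoot: true`, `runAsUser: 1000` and `allowPrivilegeEscalation: false` to the container would bring the Job in line with them; confirm `kubectl` still runs as that uid. Separately, `-n ${NAMESPACE}` on the `kubectl get secret` line is unquoted while `"${SECRET_NAME}"` is quoted; `-n "${NAMESPACE}"` would be consistent.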


@ -5,5 +5,5 @@ metadata:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: labels:
pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce: privileged
name: nextcloud name: ocis
namespace: nextcloud namespace: ocis


@ -0,0 +1,22 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
finalizers:
- kubernetes.io/pvc-protection
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: idm-data
namespace: ocis
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: local-path
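Review bot: `storageClassName: local-path` ties this claim to one node's disk, and the nats-data, search-data, storagesystem-data, storageusers-data and web-data claims below use the same class. idm-data presumably holds the built-in user directory. For storageusers-data, the `s3ng` driver appears to keep only blobs in the bucket and metadata under `/var/lib/ocis`. Losing that node would then lose state the object-storage bucket does not contain. The environment file in this commit lists an `hcloud-csi` proto, so a network-attached class is presumably available; failing that, a backup of these volumes should be part of the rollout.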


@ -0,0 +1,22 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
finalizers:
- kubernetes.io/pvc-protection
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: nats-data
namespace: ocis
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: local-path


@ -0,0 +1,22 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
finalizers:
- kubernetes.io/pvc-protection
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: search-data
namespace: ocis
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: local-path


@ -0,0 +1,22 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
finalizers:
- kubernetes.io/pvc-protection
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: storagesystem-data
namespace: ocis
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: local-path


@ -0,0 +1,22 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
finalizers:
- kubernetes.io/pvc-protection
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: storageusers-data
namespace: ocis
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: local-path


@ -3,16 +3,14 @@ kind: PersistentVolumeClaim
metadata: metadata:
annotations: annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
helm.sh/resource-policy: keep
labels: labels:
app.kubernetes.io/component: app app.kubernetes.io/instance: ocis
app.kubernetes.io/instance: nextcloud
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: nextcloud app.kubernetes.io/name: ocis
app.kubernetes.io/version: 33.0.0 app.kubernetes.io/version: 7.1.4
helm.sh/chart: nextcloud-9.0.4 helm.sh/chart: ocis-0.7.0
name: nextcloud-nextcloud name: thumbnails-data
namespace: nextcloud namespace: ocis
spec: spec:
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce


@ -0,0 +1,20 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
name: web-data
namespace: ocis
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: local-path


@ -3,8 +3,8 @@ kind: Role
metadata: metadata:
annotations: annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
name: nextcloud-secret-init name: ocis-secret-init
namespace: nextcloud namespace: ocis
rules: rules:
- apiGroups: - apiGroups:
- "" - ""


@ -3,13 +3,13 @@ kind: RoleBinding
metadata: metadata:
annotations: annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
name: nextcloud-secret-init name: ocis-secret-init
namespace: nextcloud namespace: ocis
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role
name: nextcloud-secret-init name: ocis-secret-init
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: nextcloud-secret-init name: ocis-secret-init
namespace: nextcloud namespace: ocis


@ -0,0 +1,11 @@
apiVersion: v1
data:
password: YlpRdWlYYVdXZXhJRzI3cE5BMzR6RWVMajFLVzBr
user-id: NzE4ZTlmOTEtNmU3ZS00ZDMwLWE0MjktODcxMmQ4NDU1ODZl
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: admin-user
namespace: ocis
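Review bot: The `password` value under `data:` in this new `admin-user` Secret is a live credential committed to the repository, and base64 is an encoding rather than encryption, so anyone with read access to the repo or its history can recover it. The same applies to the other Secret manifests added further down (`collaboration-wopi-secret`, `idp-secrets`, `jwt-secret`, `ldap-bind-secrets`, `ldap-cert`, `machine-auth-api-key`, `service-account-secret`, `storage-system-jwt-secret`, `storage-system`, `thumbnails-transfer-secret`, `transfer-secret`), several of which hold signing keys or private keys. I would treat every value shown here as exposed and rotate it, then keep these objects out of the rendered output: either create them in-cluster (the `ocis-secret-init` Role in this commit suggests such a job may already exist) or commit only an encrypted form. If these values are regenerated on each render, which their uniform length hints at but the page does not confirm, every re-render would also replace the JWT and transfer secrets and invalidate existing tokens, so having the chart reference pre-existing Secrets would address both problems.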


@ -0,0 +1,10 @@
apiVersion: v1
data:
wopi-secret: T1FDSW0wNmZ3bWJldFpta0JwU29td2FRU3lkMk4x
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: collaboration-wopi-secret
namespace: ocis


@ -0,0 +1,11 @@
apiVersion: v1
data:
encryption.key: LktHOEQ0U1JpTmEofERhYi9EMjBKbWEzYDRmJkVaJlg=
private-key.pem: 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
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: idp-secrets
namespace: ocis


@ -0,0 +1,10 @@
apiVersion: v1
data:
jwt-secret: eWU2dHdSTjlYM3R0SkZhT0lFdnFpWHJzclRaMDND
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: jwt-secret
namespace: ocis


@ -0,0 +1,12 @@
apiVersion: v1
data:
graph-ldap-bind-password: b09yM2dZZDE0VFlEUWlBOEJZWDlGY2FlZFBXUWhG
idp-ldap-bind-password: a3lYWWtER3FlSlhLcXpQb25uYTRySDU3SGh0WHFO
reva-ldap-bind-password: SGoybVlLSFZVaDRKZkhxMkxlcmJJam9pOWVUT0p4
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: ldap-bind-secrets
namespace: ocis


@ -0,0 +1,10 @@
apiVersion: v1
data:
ldap-ca.crt: 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
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: ldap-ca
namespace: ocis


@ -0,0 +1,11 @@
apiVersion: v1
data:
ldap.crt: 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
ldap.key: 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
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: ldap-cert
namespace: ocis


@ -0,0 +1,10 @@
apiVersion: v1
data:
machine-auth-api-key: aEZZMkdWcVVBWWhjejNFRjRQRUNRVXZLbHpzUUpL
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: machine-auth-api-key
namespace: ocis


@ -0,0 +1,10 @@
apiVersion: v1
data:
service-account-secret: NThMNVYzMnBsUUJ5UlBsZE10aDZuUEJOZnRNTU1W
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: service-account-secret
namespace: ocis


@ -0,0 +1,10 @@
apiVersion: v1
data:
storage-system-jwt-secret: TWRKWW0zUFRFS2NwSDI1UFFXN3ZkZGdCdURIUnN6
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: storage-system-jwt-secret
namespace: ocis


@ -0,0 +1,11 @@
apiVersion: v1
data:
api-key: RDhWVTFYblF6cjZHeGF6OHpPZnhHNEYxTHhHQ0ZI
user-id: MDQ1NzJjMGUtZGUxZi00ODZiLWE4YTEtMmYxZjI1NmM1Nzc1
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: storage-system
namespace: ocis


@ -0,0 +1,10 @@
apiVersion: v1
data:
thumbnails-transfer-secret: NGtlWEw4c3BJcm9sZzBiRFpBdWlhbExrMnJKM2N5
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: thumbnails-transfer-secret
namespace: ocis


@ -0,0 +1,10 @@
apiVersion: v1
data:
transfer-secret: aU0wdXNRM2RIRXNTQXdzeHgxTXNkTnlqamQwV0p3
kind: Secret
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels: null
name: transfer-secret
namespace: ocis


@ -0,0 +1,27 @@
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app: activitylog
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
ocis-metrics: enabled
name: activitylog
namespace: ocis
spec:
ports:
- appProtocol: http
name: http
port: 9195
protocol: TCP
- appProtocol: http
name: metrics-debug
port: 9197
protocol: TCP
selector:
app: activitylog
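Review bot: The `metrics-debug` port (9197) is published on this Service next to the application port, and the same pattern repeats in the `appregistry`, `audit`, `authmachine`, `authservice` and `clientlog` Services that follow. Nothing in the visible part of the diff limits who can reach these ports, so any workload that can route to the `ocis` namespace can presumably read the metrics and whatever else the debug listener serves. Unless a NetworkPolicy exists among the files this page does not show, I would add one for the namespace that admits only the metrics scraper to the `metrics-debug` ports and only the oCIS pods themselves to the `grpc`/`http` ports. A short comment in the values file, such as `# metrics-debug ports are scraped by <monitoring namespace>; access restricted by NetworkPolicy`, would record the intent.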


@ -0,0 +1,27 @@
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app: appregistry
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
ocis-metrics: enabled
name: appregistry
namespace: ocis
spec:
ports:
- appProtocol: grpc
name: grpc
port: 9242
protocol: TCP
- appProtocol: http
name: metrics-debug
port: 9243
protocol: TCP
selector:
app: appregistry


@ -0,0 +1,23 @@
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app: audit
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
ocis-metrics: enabled
name: audit
namespace: ocis
spec:
ports:
- appProtocol: http
name: metrics-debug
port: 9229
protocol: TCP
selector:
app: audit


@ -0,0 +1,27 @@
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app: authmachine
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
ocis-metrics: enabled
name: authmachine
namespace: ocis
spec:
ports:
- appProtocol: grpc
name: grpc
port: 9166
protocol: TCP
- appProtocol: http
name: metrics-debug
port: 9167
protocol: TCP
selector:
app: authmachine


@ -0,0 +1,27 @@
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app: authservice
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
ocis-metrics: enabled
name: authservice
namespace: ocis
spec:
ports:
- appProtocol: grpc
name: grpc
port: 9616
protocol: TCP
- appProtocol: http
name: metrics-debug
port: 9617
protocol: TCP
selector:
app: authservice


@ -0,0 +1,23 @@
apiVersion: v1
kind: Service
metadata:
annotations:
a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
labels:
app: clientlog
app.kubernetes.io/instance: ocis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ocis
app.kubernetes.io/version: 7.1.4
helm.sh/chart: ocis-0.7.0
ocis-metrics: enabled
name: clientlog
namespace: ocis
spec:
ports:
- appProtocol: http
name: metrics-debug
port: 9260
protocol: TCP
selector:
app: clientlog
