Adds an emptyDir volume mounted at /tmp for the web deployment. This resolves 500 errors during POST/DELETE operations for branding logos, which require a writable temporary directory for multipart data spooling on a read-only root filesystem.
Adds `fsGroup` to the S3 backup cronjob's security context to ensure proper volume ownership. Increases the SSH key secret's `defaultMode` to grant group read access, resolving permission failures when reading the SSH key.
Migrate ~180 LOC of openssl/kubectl init Jobs to declarative Secret
manifests reconciled by mittwald/kubernetes-secret-generator (random
strings, SSH keypair) and cert-manager Certificates (RSA private key +
self-signed CA chain). mittwald only fills empty fields, so existing
populated Secrets keep their current values across the migration.
Changes:
- New prototype kubernetes-secret-generator (chart 3.4.1, mittwald helm
repo). Cluster-wide informer reconciler, no webhook -> cold-bootstrap
safe via ArgoCD retries.
- New cert-manager selfsigned ClusterIssuer (in-cluster trust root).
letsencrypt remains for public-DNS endpoints.
- forgejo: admin-secret Job replaced with a mittwald-annotated Secret
(hex-encoded 24-char password). Deploy-key Job split: mittwald
ssh-keypair Secret + slim Job that uploads pubkey to Forgejo and
copies privkey into the argocd repo Secret.
- ocis: 13 Secrets / 16 random fields now mittwald-managed (UUIDs
replaced with opaque random hex; ocis treats user-id as opaque). IDP
RSA signing key, LDAP self-signed CA, and LDAP server cert produced
by cert-manager. Per-Deployment ytt overlay remaps volume key paths
(tls.crt -> ldap-ca.crt, tls.key -> private-key.pem, etc.) since the
ocis chart mounts Secrets raw without items support. Old multi-secret
s3-secret-job replaced with a slim external-secret precheck Job that
only validates pre-created Hetzner S3/Storage Box credentials.
- Application sync-wave -10 on cert-manager and kubernetes-secret-
generator so they install before consumers. ArgoCD selfHeal handles
any residual races.
CLAUDE.md: remove the "all namespaces use privileged PodSecurity"
convention. Existing namespaces still carry the label and will be
audited separately.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Increase Traefik readTimeout from 600s to 3600s to prevent connection drops during large uploads, and enable the suspended cleanUpExpiredUploads CronJob so stale TUS sessions are automatically purged.
Increases memory requests for the IDM and NATS services to enhance stability and performance.
Updates application, service account, and storage UUIDs in configuration maps, reflecting a re-initialization or re-rendering of OIDC settings.
Assigns specific CPU and memory requests and limits to the storageusers service to ensure stable operation and efficient resource utilization.
Introduces pod anti-affinity for storageusers to prevent it from being scheduled on the same node as victoria-metrics-single, improving resilience and preventing potential resource contention.
Introduces a daily Kubernetes CronJob that utilizes rclone to perform compressed backups of oCIS S3 data to a Hetzner Storage Box via SFTP.
This new backup mechanism requires the manual creation of an 'ocis-storagebox-credentials' secret, which holds the Storage Box host, user, and SSH private key. A check is added to the secret initialization job to ensure this essential external secret exists.
Removes the full Nextcloud stack (PostgreSQL/CNPG, Valkey, Caddy) and
deploys oCIS at drive.tr1ceracop.de. oCIS is self-contained — no
external database or cache needed.
Key design decisions:
- S3ng storage backend on Hetzner Object Storage (ocis-tr1ceracop)
- Chart fetched via vendir git source (not published to a Helm repo)
- All secrets generated in-cluster via PreSync init Job (never in git)
- Memory requests on all pods to prevent node overcommit
- Persistence on local-path for metadata (idm, nats, search, storage)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Removes the full Nextcloud stack (PostgreSQL/CNPG, Valkey, Caddy sidecar)
and replaces it with oCIS at drive.tr1ceracop.de. oCIS is self-contained
(no external DB/cache needed) with S3ng storage backend on Hetzner Object
Storage (bucket: ocis-tr1ceracop). Chart sourced from git via vendir since
it is not published to a Helm repo.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
