hackerspace kustomize

+ move static env to dockerfile + doorboy-direct refactor
move parts of CLUSTER doc to ansible, clarify doc
2025-08-14 01:19:43 +03:00 · 2025-08-14 01:17:34 +03:00 · 2025-08-08 03:06:29 +03:00 · 2025-08-08 03:03:49 +03:00 · 2025-08-08 00:45:29 +03:00 · 2025-08-07 22:11:50 +03:00
296 changed files with 18930 additions and 80788 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -1,10 +0,0 @@
---
-kind: pipeline
-type: kubernetes
-name: gitleaks
-
-steps:
- name: gitleaks
-  image: zricethezav/gitleaks
-  commands:
-  - gitleaks detect --source=/drone/src
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,14 @@
+*.keys
 *secrets.yml
 *secret.yml
 *.swp
 *.save
 *.1
+
+# Kustomize with Helm and secrets:
+charts/
+*.env
+
+### IntelliJ IDEA ###
+.idea
+*.iml
--- a/.yamllint
+++ b/.yamllint
@@ -0,0 +1,4 @@
+extends: default
+ignore-from-file: .gitignore
+rules:
+  line-length: disable
--- a/CLUSTER.md
+++ b/CLUSTER.md
@@ -0,0 +1,137 @@
+# Kubernetes cluster
+Kubernetes hosts run on [PVE Cluster](https://wiki.k-space.ee/en/hosting/proxmox). Hosts are listed in Ansible [inventory](ansible/inventory.yml).
+
+## `kubectl`
+- Authorization [ACLs](cluster-role-bindings.yml)
+- [Troubleshooting `no such host`](#systemd-resolved-issues)
+
+Authenticate to auth.k-space.ee:
+```bash
+kubectl krew install oidc-login
+mkdir -p ~/.kube
+
+cat << EOF > ~/.kube/config
+apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EVXdNakEzTXpVMU1Wb1hEVE15TURReU9UQTNNelUxTVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBS2J2CjY3UFlXVHJMc3ZCQTZuWHUvcm55SlVhNnppTnNWTVN6N2w4ekhxM2JuQnhqWVNPUDJhN1RXTnpUTmZDanZBWngKTmlNbXJya1hpb2dYQWpVVkhSUWZlYm81TFIrb0JBOTdLWlcrN01UMFVJRXBuWVVaaTdBRHlaS01vcEJFUXlMNwp1SlU5UDhnNUR1T29FRHZieGJSMXFuV1JZRXpteFNmSFpocllpMVA3bFd4emkxR243eGRETFZaMjZjNm0xR3Y1CnViRjZyaFBXK1JSVkhiQzFKakJGeTBwRXdhYlUvUTd0Z2dic0JQUjk5NVZvMktCeElBelRmbHhVanlYVkJ3MjEKU2d3ZGI1amlpemxEM0NSbVdZZ0ZrRzd0NTVZeGF3ZmpaQjh5bW4xYjhUVjkwN3dRcG8veU8zM3RaaEE3L3BFUwpBSDJYeDk5bkpMbFVGVUtSY1A4Q0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZKNnZKeVk1UlJ1aklQWGxIK2ZvU3g2QzFRT2RNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQ04zcGtCTVM3ekkrbUhvOWdTZQp6SzdXdjl3bXlCTVE5Q3crQXBSNnRBQXg2T1VIN0d1enc5TTV2bXNkYjkrYXBKMHBlZFB4SUg3YXZ1aG9SUXNMCkxqTzRSVm9BMG9aNDBZV3J3UStBR0dvdkZuaWNleXRNcFVSNEZjRXc0ZDRmcGl6V3d0TVNlRlRIUXR6WG84V2MKNFJGWC9xUXNVR1NWa01PaUcvcVVrSFpXQVgyckdhWXZ1Tkw2eHdSRnh5ZHpsRTFSUk56TkNvQzVpTXhjaVRNagpackEvK0pqVEFWU2FuNXZnODFOSmthZEphbmNPWmEwS3JEdkZzd1JJSG5CMGpMLzh3VmZXSTV6czZURU1VZUk1ClF6dU01QXUxUFZ4VXZJUGhlMHl6UXZjWDV5RlhnMkJGU3MzKzJBajlNcENWVTZNY2dSSTl5TTRicitFTUlHL0kKY0pjPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+    server: https://master.kube.k-space.ee:6443
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: oidc
+  name: default
+current-context: default
+kind: Config
+preferences: {}
+users:
+- name: oidc
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      args:
+      - oidc-login
+      - get-token
+      - --oidc-issuer-url=https://auth.k-space.ee/
+      - --oidc-client-id=passmower.kubelogin
+      - --oidc-extra-scope=profile,email,groups
+      - --listen-address=127.0.0.1:27890
+      command: kubectl
+      env: null
+      provideClusterInfo: false
+EOF
+
+# Test it:
+kubectl get nodes # opens browser for authentication
+```
+
+### systemd-resolved issues
+```sh
+Unable to connect to the server: dial tcp: lookup master.kube.k-space.ee on 127.0.0.53:53: no such host
+```
+```
+Network → VPN → `IPv4` → Other nameservers (Muud nimeserverid): `172.21.0.1`
+Network → VPN → `IPv6` → Other nameservers (Muud nimeserverid): `2001:bb8:4008:21::1`
+Network → VPN → `IPv4` → Search domains (Otsingudomeenid): `kube.k-space.ee`
+Network → VPN → `IPv6` → Search domains (Otsingudomeenid): `kube.k-space.ee`
+```
+
+## Cluster formation
+Created Ubuntu 22.04 VM-s on Proxmox with local storage.
+Added some ARM64 workers by using Ubuntu 22.04 server on Raspberry Pi.
+
+First master:
+```
+kubeadm init --token-ttl=120m --pod-network-cidr=10.244.0.0/16 --control-plane-endpoint "master.kube.k-space.ee:6443" --upload-certs --apiserver-cert-extra-sans master.kube.k-space.ee --node-name master1.kube.k-space.ee
+```
+
+Joining nodes:
+```
+# On a master:
+kubeadm token create --print-join-command
+
+# Joining node:
+<printed join command --node-name "$(hostname -f)"
+```
+
+Set AZ labels:
+```
+for j in $(seq 1 9); do
+  for t in master mon worker; do
+    kubectl label nodes ${t}${j}.kube.k-space.ee topology.kubernetes.io/zone=node${j}
+  done
+done
+```
+
+After forming the cluster add taints:
+
+```bash
+for j in $(seq 1 9); do
+  kubectl label nodes worker${j}.kube.k-space.ee node-role.kubernetes.io/worker=''
+done
+
+for j in $(seq 1 4); do
+  kubectl taint nodes mon${j}.kube.k-space.ee dedicated=monitoring:NoSchedule
+  kubectl label nodes mon${j}.kube.k-space.ee dedicated=monitoring
+done
+```
+
+For `arm64` nodes add suitable taint to prevent scheduling non-multiarch images on them:
+
+```bash
+kubectl taint nodes worker9.kube.k-space.ee arch=arm64:NoSchedule
+```
+
+For door controllers:
+```
+for j in ground front back; do
+  kubectl taint nodes door-${j}.kube.k-space.ee dedicated=door:NoSchedule
+  kubectl label nodes door-${j}.kube.k-space.ee dedicated=door
+  kubectl taint nodes door-${j}.kube.k-space.ee arch=arm64:NoSchedule
+done
+```
+
+## Technology mapping
+Our self-hosted Kubernetes stack compared to AWS based deployments:
+
+| Hipster startup   | Self-hosted hackerspace             | Purpose                                                             |
+|-------------------|-------------------------------------|---------------------------------------------------------------------|
+| AWS ALB           | Traefik                             | Reverse proxy also known as ingress controller in Kubernetes jargon |
+| AWS AMP           | Prometheus Operator                 | Monitoring and alerting                                             |
+| AWS CloudTrail    | ECK Operator                        | Log aggregation                                                     |
+| AWS DocumentDB    | MongoDB Community Operator          | Highly available NoSQL database                                     |
+| AWS EBS           | Longhorn                            | Block storage for arbitrary applications needing persistent storage |
+| AWS EC2           | Proxmox                             | Virtualization layer                                                |
+| AWS ECR           | Harbor                              | Docker registry                                                     |
+| AWS EKS           | kubeadm                             | Provision Kubernetes master nodes                                   |
+| AWS NLB           | MetalLB                             | L2/L3 level load balancing                                          |
+| AWS RDS for MySQL | MySQL Operator                      | Provision highly available relational databases                     |
+| AWS Route53       | Bind and RFC2136                    | DNS records and Let's Encrypt DNS validation                        |
+| AWS S3            | Minio Operator                      | Highly available object storage                                     |
+| AWS VPC           | Calico                              | Overlay network                                                     |
+| Dex               | Passmower                           | ACL mapping and OIDC provider which integrates with GitHub/Samba    |
+| GitHub Actions    | Woodpecker                          | Build Docker images                                                 |
+| GitHub            | Gitea                               | Source code management, issue tracking                              |
+| GitHub OAuth2     | Samba (Active Directory compatible) | Source of truth for authentication and authorization                |
+| Gmail             | Wildduck                            | E-mail                                                              |
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@@ -10,3 +10,4 @@ this Git repository happen:
 * Song Meo <songmeo@k-space.ee>
 * Rasmus Kallas <rasmus@k-space.ee>
 * Kristjan Kuusk <kkuusk@k-space.ee>
+* Erki Aas <eaas@k-space.ee>
--- a/README.md
+++ b/README.md
@@ -1,258 +1,72 @@
-# Kubernetes cluster manifests
+# k-space.ee infrastructure
+Kubernetes manifests, Ansible [playbooks](ansible/README.md), and documentation for K-SPACE services.

-## Introduction
+<!-- TODO: Docs for adding to ArgoCD (auto-)sync -->
+- Repo is deployed with [ArgoCD](https://argocd.k-space.ee). For `kubectl` access, see [CLUSTER.md](CLUSTER.md#kubectl).
+- Debugging Kubernetes [on Wiki](https://wiki.k-space.ee/en/hosting/debugging-kubernetes)
+- Need help? → [`#kube`](https://k-space-ee.slack.com/archives/C02EYV1NTM2)

-This is the Kubernetes manifests of services running on k-space.ee domains:
+Jump to docs: [inventory-app](hackerspace/README.md) / [cameras](_disabled/camtiler/README.md) / [doors](https://wiki.k-space.ee/en/hosting/doors) / [list of apps](https://auth.k-space.ee) // [all infra](ansible/inventory.yml) / [network](https://wiki.k-space.ee/en/hosting/network) / [retro](https://wiki.k-space.ee/en/hosting/retro) / [non-infra](https://wiki.k-space.ee)

- [Authelia](https://auth.k-space.ee) for authentication
- [Drone.io](https://drone.k-space.ee) for building Docker images
- [Harbor](https://harbor.k-space.ee) for hosting Docker images
- [ArgoCD](https://argocd.k-space.ee) for deploying Kubernetes manifests and
-  Helm charts into the cluster
- [camtiler](https://cams.k-space.ee) for cameras
- [Longhorn Dashboard](https://longhorn.k-space.ee) for administering
-  Longhorn storage
- [Kubernetes Dashboard](https://kubernetes-dashboard.k-space.ee/) for read-only overview
-  of the Kubernetes cluster
- [Wildduck Webmail](https://webmail.k-space.ee/)
+Tip: Search the repo for `kind: xyz` for examples.

-Most endpoints are protected by OIDC autentication or Authelia SSO middleware.
+## Supporting services
+- Build [Git](https://git.k-space.ee) repositories with [Woodpecker](https://woodpecker.k-space.ee)[^nodrone].
+- Passmower: Authz with `kind: OIDCClient` (or `kind: OIDCMiddlewareClient`[^authz]).
+- Traefik[^nonginx]: Expose services with `kind: Service` + `kind: Ingress` (TLS and DNS **included**).

+[^nodrone]: Replaces Drone CI.

-## Cluster access
+### Additional
+- bind: Manage _additional_ DNS records with `kind: DNSEndpoint`.
+- [Prometheus](https://wiki.k-space.ee/en/hosting/monitoring): Collect metrics with `kind: PodMonitor` (alerts with `kind: PrometheusRule`).
+- [Slack bots](SLACK.md) and Kubernetes [CLUSTER.md](CLUSTER.md) itself.
+<!-- TODO: Redirects: external-dns.alpha.kubernetes.io/hostname + in -extras.yaml: IngressRoute and Middleware -->

-General discussion is happening in the `#kube` Slack channel.
+[^nonginx]: No nginx annotations! Use `kind: Ingress` instead. `IngressRoute` is not used as it doesn't support [`external-dns`](bind/README.md) out of the box.
+[^authz]: Applications should use OpenID Connect (`kind: OIDCClient`) for authentication, whereever possible. If not possible, use `kind: OIDCMiddlewareClient` client, which will provide authentication via a Traefik middleware (`traefik.ingress.kubernetes.io/router.middlewares: passmower-proxmox@kubernetescrd`). Sometimes you might use both for extra security.

-For bootstrap access obtain `/etc/kubernetes/admin.conf` from one of the master
-nodes and place it under `~/.kube/config` on your machine.
+### Network

-Once Authelia is working, OIDC access for others can be enabled with
-running following on Kubernetes masters:
+All nodes are in Infra VLAN 21. Routing is implemented with BGP, all nodes and the router make a full-mesh. Both Serice LB IPs and Pod IPs are advertised to the router. Router does NAT for outbound pod traffic.
+See the [Calico installation](tigera-operator/application.yml) for Kube side and Routing / BGP in the router.
+Static routes for 193.40.103.36/30 have been added in pve nodes to make them communicating with Passmower via Traefik more stable - otherwise packets coming back to the PVE are routed directly via VLAN 21 internal IPs by the worker nodes, breaking TCP.

-```bash
-patch /etc/kubernetes/manifests/kube-apiserver.yaml - << EOF
-@@ -23,6 +23,10 @@
-     - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
-     - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
-     - --etcd-servers=https://127.0.0.1:2379
-+    - --oidc-issuer-url=https://auth.k-space.ee
-+    - --oidc-client-id=kubelogin
-+    - --oidc-username-claim=preferred_username
-+    - --oidc-groups-claim=groups
-     - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
-     - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
-     - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
-EOF
-sudo systemctl daemon-reload
-systemctl restart kubelet
-```
+<!-- Linked to by https://wiki.k-space.ee/e/en/hosting/storage -->
+### Databases / -stores:
+- Dragonfly: `kind: Dragonfly` (replaces Redis[^redisdead])
+- Longhorn: `storageClassName: longhorn` (filesystem storage)
+- Mongo[^mongoproblems]: `kind: MongoDBCommunity` (NAS* `inventory-mongodb`)
+- Minio S3: `kind: MinioBucketClaim` with `class: dedicated` (NAS*: `class: external`)
+- MariaDB*: search for `mysql`, `mariadb`[^mariadb] (replaces MySQL)
+- Postgres*: hardcoded to [harbor/application.yml](harbor/application.yml)
+- Seeded secrets: `kind: SecretClaim` (generates random secret in templated format)
+- Secrets in git: https://git.k-space.ee/secretspace (members personal info, API credentials, see argocd/deploy_key.pub comment)

-Afterwards following can be used to talk to the Kubernetes cluster using
-OIDC credentials:
+\* External, hosted directly on [nas.k-space.ee](https://wiki.k-space.ee/en/hosting/storage)

-```bash
-kubectl krew install oidc-login
-mkdir -p ~/.kube
-cat << EOF > ~/.kube/config
-apiVersion: v1
-clusters:
- cluster:
-    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EVXdNakEzTXpVMU1Wb1hEVE15TURReU9UQTNNelUxTVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBS2J2CjY3UFlXVHJMc3ZCQTZuWHUvcm55SlVhNnppTnNWTVN6N2w4ekhxM2JuQnhqWVNPUDJhN1RXTnpUTmZDanZBWngKTmlNbXJya1hpb2dYQWpVVkhSUWZlYm81TFIrb0JBOTdLWlcrN01UMFVJRXBuWVVaaTdBRHlaS01vcEJFUXlMNwp1SlU5UDhnNUR1T29FRHZieGJSMXFuV1JZRXpteFNmSFpocllpMVA3bFd4emkxR243eGRETFZaMjZjNm0xR3Y1CnViRjZyaFBXK1JSVkhiQzFKakJGeTBwRXdhYlUvUTd0Z2dic0JQUjk5NVZvMktCeElBelRmbHhVanlYVkJ3MjEKU2d3ZGI1amlpemxEM0NSbVdZZ0ZrRzd0NTVZeGF3ZmpaQjh5bW4xYjhUVjkwN3dRcG8veU8zM3RaaEE3L3BFUwpBSDJYeDk5bkpMbFVGVUtSY1A4Q0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZKNnZKeVk1UlJ1aklQWGxIK2ZvU3g2QzFRT2RNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQ04zcGtCTVM3ekkrbUhvOWdTZQp6SzdXdjl3bXlCTVE5Q3crQXBSNnRBQXg2T1VIN0d1enc5TTV2bXNkYjkrYXBKMHBlZFB4SUg3YXZ1aG9SUXNMCkxqTzRSVm9BMG9aNDBZV3J3UStBR0dvdkZuaWNleXRNcFVSNEZjRXc0ZDRmcGl6V3d0TVNlRlRIUXR6WG84V2MKNFJGWC9xUXNVR1NWa01PaUcvcVVrSFpXQVgyckdhWXZ1Tkw2eHdSRnh5ZHpsRTFSUk56TkNvQzVpTXhjaVRNagpackEvK0pqVEFWU2FuNXZnODFOSmthZEphbmNPWmEwS3JEdkZzd1JJSG5CMGpMLzh3VmZXSTV6czZURU1VZUk1ClF6dU01QXUxUFZ4VXZJUGhlMHl6UXZjWDV5RlhnMkJGU3MzKzJBajlNcENWVTZNY2dSSTl5TTRicitFTUlHL0kKY0pjPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
-    server: https://master.kube.k-space.ee:6443
-  name: kubernetes
-contexts:
- context:
-    cluster: kubernetes
-    user: oidc
-  name: default
-current-context: default
-kind: Config
-preferences: {}
-users:
- name: oidc
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      args:
-      - oidc-login
-      - get-token
-      - --oidc-issuer-url=https://auth.k-space.ee
-      - --oidc-client-id=kubelogin
-      - --oidc-use-pkce
-      - --oidc-extra-scope=profile,email,groups
-      - --listen-address=127.0.0.1:27890
-      command: kubectl
-      env: null
-      provideClusterInfo: false
-EOF
-```
+[^mariadb]: As of 2024-07-30 used by auth, authelia, bitwarden, etherpad, freescout, git, grafana, nextcloud, wiki, woodpecker

-For access control mapping see [cluster-role-bindings.yml](cluster-role-bindings.yml)
+[^redisdead]: Redis has been replaced as redis-operatori couldn't handle itself: didn't reconcile after reboots, master URI was empty, and clients complained about missing masters. Dragonfly replaces KeyDB.

+[^mongoproblems]: Mongo problems: Incompatible with rawfile csi (wiredtiger.wt corrupts), complicated resizing (PVCs from statefulset PVC template).

-# Technology mapping
+***
+_This page is referenced by wiki [front page](https://wiki.k-space.ee) as **the** technical documentation for infra._

-Our self-hosted Kubernetes stack compared to AWS based deployments:
+## nas.k-space.ee pre-migration whouses listing
+- S3: [minio-clusters](minio-clusters/README.md)
+- postgres: only harbor, 172.20.43.1

-| Hipster startup | Self-hosted hackerspace             | Purpose                                                             |
-|-----------------|-------------------------------------|---------------------------------------------------------------------|
-| AWS EC2         | Proxmox                             | Virtualization layer                                                |
-| AWS EKS         | kubeadm                             | Provision Kubernetes master nodes                                   |
-| AWS EBS         | Longhorn                            | Block storage for arbitrary applications needing persistent storage |
-| AWS NLB         | MetalLB                             | L2/L3 level load balancing                                          |
-| AWS ALB         | Traefik                             | Reverse proxy also known as ingress controller in Kubernetes jargon |
-| AWS ECR         | Harbor                              | Docker registry                                                     |
-| AWS DocumentDB  | MongoDB                             | NoSQL database                                                      |
-| AWS S3          | Minio                               | Object storage                                                      |
-| GitHub OAuth2   | Samba (Active Directory compatible) | Source of truth for authentication and authorization                |
-| Dex             | Authelia                            | ACL mapping and OIDC provider which integrates with GitHub/Samba    |
-| GitHub          | Gitea                               | Source code management, issue tracking                              |
-| GitHub Actions  | Drone                               | Build Docker images                                                 |
-| Gmail           | Wildduck                            | E-mail                                                              |
-| AWS Route53     | Bind and RFC2136                    | DNS records and Let's Encrypt DNS validation                        |
-| AWS VPC         | Calico                              | Overlay network                                                     |
+### mongodb
+- inventory
+- wildduck

-
-External dependencies running as classic virtual machines:
-
- Samba as Authelia's source of truth
- Bind as DNS server
-
-
-## Adding applications
-
-Deploy applications via [ArgoCD](https://argocd.k-space.ee)
-
-We use Treafik with Authelia for Ingress.
-Applications where possible and where applicable should use `Remote-User`
-authentication. This prevents application exposure on public Internet.
-Otherwise use OpenID Connect for authentication,
-see Argo itself as an example how that is done.
-
-See `kspace-camtiler/ingress.yml` for commented Ingress example.
-
-Note that we do not use IngressRoute objects because they don't
-support `external-dns` out of the box.
-Do NOT add nginx annotations, we use Traefik.
-Do NOT manually add DNS records, they are added by `external-dns`.
-Do NOT manually create Certificate objects,
-these should be handled by `tls:` section in Ingress.
-
-
-## Cluster formation
-
-Create Ubuntu 20.04 VM-s on Proxmox with local storage.
-
-After machines have booted up and you can reach them via SSH:
-
-```bash
-# Enable required kernel modules
-cat > /etc/modules << EOF
-overlay
-br_netfilter
-EOF
-cat /etc/modules | xargs -L 1 -t modprobe
-
-# Finetune sysctl:
-cat > /etc/sysctl.d/99-k8s.conf << EOF
-net.ipv4.conf.all.accept_redirects  = 0
-net.bridge.bridge-nf-call-iptables  = 1
-net.ipv4.ip_forward                 = 1
-net.bridge.bridge-nf-call-ip6tables = 1
-EOF
-sysctl --system
-
-# Disable Ubuntu caching DNS resolver
-systemctl disable systemd-resolved.service
-systemctl stop systemd-resolved
-rm -fv /etc/resolv.conf
-cat > /etc/resolv.conf << EOF
-nameserver 1.1.1.1
-nameserver 8.8.8.8
-EOF
-
-# Disable multipathd as Longhorn handles that itself
-systemctl mask multipathd
-systemctl disable multipathd
-systemctl stop multipathd
-
-# Disable Snapcraft
-systemctl mask snapd
-systemctl disable snapd
-systemctl stop snapd
-
-# Permit root login
-sed -i -e 's/PermitRootLogin no/PermitRootLogin without-password/' /etc/ssh/sshd_config
-systemctl reload ssh
-cat << EOF > /root/.ssh/authorized_keys
-sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBD4/e9SWYWYoNZMkkF+NirhbmHuUgjoCap42kAq0pLIXFwIqgVTCre03VPoChIwBClc8RspLKqr5W3j0fG8QwnQAAAAEc3NoOg== lauri@lauri-x13
-EOF
-userdel -f ubuntu
-apt-get remove -yq cloud-init
-
-
-```
-
-Install packages, for Raspbian set `OS=Debian_11`
-
-```bash
-OS=xUbuntu_20.04
-VERSION=1.23
-cat <<EOF | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
-deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /
-EOF
-cat <<EOF | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list
-deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /
-EOF
-
-curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/libcontainers.gpg add -
-curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/Release.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/libcontainers-cri-o.gpg add -
-curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
-echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list
-
-apt-get update
-apt-get install -yqq apt-transport-https curl cri-o cri-o-runc kubelet=1.23.5-00 kubectl=1.23.5-00 kubeadm=1.23.5-00
-sudo systemctl daemon-reload
-sudo systemctl enable crio --now
-apt-mark hold kubelet kubeadm kubectl
-sed -i -e 's/unqualified-search-registries = .*/unqualified-search-registries = ["docker.io"]/' /etc/containers/registries.conf
-```
-
-On master:
-
-```
-kubeadm init --token-ttl=120m --pod-network-cidr=10.244.0.0/16 --control-plane-endpoint "master.kube.k-space.ee:6443" --upload-certs --apiserver-cert-extra-sans master.kube.k-space.ee --node-name master1.kube.k-space.ee
-```
-
-For the `kubeadm join` command specify FQDN via `--node-name $(hostname -f)`.
-
-After forming the cluster add taints:
-
-```bash
-for j in $(seq 1 9); do
-  kubectl label nodes worker${j}.kube.k-space.ee node-role.kubernetes.io/worker=''
-done
-
-for j in $(seq 1 3); do
-  kubectl taint nodes mon${j}.kube.k-space.ee dedicated=monitoring:NoSchedule
-  kubectl label nodes mon${j}.kube.k-space.ee dedicated=monitoring
-done
-
-for j in $(seq 1 4); do
-  kubectl taint nodes storage${j}.kube.k-space.ee dedicated=storage:NoSchedule
-  kubectl label nodes storage${j}.kube.k-space.ee dedicated=storage
-done
-```
-
-On Raspberry Pi you need to take additonal steps:
-
-* Manually enable cgroups by appending
-  `cgroup_memory=1 cgroup_enable=memory` to `/boot/cmdline.txt`,
-* Disable swap with `swapoff -a; apt-get purge -y dphys-swapfile`
-* For mounting Longhorn volumes on Rasbian install `open-iscsi`
-
-For `arm64` nodes add suitable taint to prevent scheduling non-multiarch images on them:
-
-```bash
-kubectl taint nodes worker9.kube.k-space.ee arch=arm64:NoSchedule
-```
+### mariadb.infra.k-space.ee (DNS from ns1 to 172.20.36.1)
+- freescout
+- gitea nb! MYSQL_ROOT_PASSWORD seems to be invalid, might be ok to reset it upstream
+- wiki
+- nextcloud
+- etherpad NB! probably NOT using kspace_etherpad_kube NB! does not take DNS likely due to netpol, hardcoded to 172.20.36.1
+- grafana
+- woodpecker
--- a/SLACK.md
+++ b/SLACK.md
@@ -0,0 +1,28 @@
+## Slack bots
+### Doorboy3
+https://api.slack.com/apps/A05NDB6FVJQ
+Slack app author: rasmus
+
+Managed by inventory-app:
+- Incoming (open-commands) to `/api/slack/doorboy`, inventory-app authorizes based on command originating from #members or #work-shop && oidc access group (floor, workshop).
+- Posts logs to a private channel. Restricted to 193.40.103.0/24.
+
+Secrets as `SLACK_DOORLOG_CALLBACK` and `SLACK_VERIFICATION_TOKEN`.
+
+### oidc-gateway
+https://api.slack.com/apps/A05DART9PP1
+Slack app author: eaas
+
+Managed by passmower:
+- Links e-mail to slackId.
+- Login via Slack (not enabled).
+
+Secrets as `slackId` and `slack-client`.
+
+### podi-podi uuenduste spämmikoobas
+https://api.slack.com/apps/A033RE9TUFK
+Slack app author: rasmus
+
+Posts Prometheus alerts to a private channel.
+
+Secret as `slack-secrets`.
--- a/_disabled/argocd_applications/cnpg.yaml
+++ b/_disabled/argocd_applications/cnpg.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cnpg # aka in-cluster postgres
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: https://github.com/cloudnative-pg/cloudnative-pg
+    targetRevision: v1.25.1
+    path: releases
+    directory:
+      include: 'cnpg-1.25.1.yaml'
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: cnpg-system
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true # Resource is too big to fit in 262144 bytes allowed annotation size.
--- a/_disabled/argocd_applications/mongodb-operator.yaml
+++ b/_disabled/argocd_applications/mongodb-operator.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mongodb-operator
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: mongodb-operator
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: mongodb-operator
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/_disabled/argocd_applications/mysql-clusters.yaml
+++ b/_disabled/argocd_applications/mysql-clusters.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mysql-clusters
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: mysql-clusters
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: mysql-clusters
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true
--- a/_disabled/asterisk/.gitignore
+++ b/_disabled/asterisk/.gitignore
@@ -0,0 +1 @@
+conf
--- a/_disabled/asterisk/README.md
+++ b/_disabled/asterisk/README.md
@@ -0,0 +1,13 @@
+# Asterisk
+
+Asterisk is used as 
+
+This application is managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/asterisk)
+
+Should ArgoCD be down manifests here can be applied with:
+
+```
+kubectl apply -n asterisk -f application.yaml
+```
+
+asterisk-secrets was dumped to git.k-space.ee/secretspace/kube:_disabled/asterisk
--- a/_disabled/asterisk/application.yml
+++ b/_disabled/asterisk/application.yml
@@ -0,0 +1,124 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: asterisk
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: voip.k-space.ee
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  selector:
+    app: asterisk
+  ports:
+    - name: asterisk
+      protocol: UDP
+      port: 5060
+    - name: sip-data-10000
+      protocol: UDP
+      port: 10000
+    - name: sip-data-10001
+      protocol: UDP
+      port: 10001
+    - name: sip-data-10002
+      protocol: UDP
+      port: 10002
+    - name: sip-data-10003
+      protocol: UDP
+      port: 10003
+    - name: sip-data-10004
+      protocol: UDP
+      port: 10004
+    - name: sip-data-10005
+      protocol: UDP
+      port: 10005
+    - name: sip-data-10006
+      protocol: UDP
+      port: 10006
+    - name: sip-data-10007
+      protocol: UDP
+      port: 10007
+    - name: sip-data-10008
+      protocol: UDP
+      port: 10008
+    - name: sip-data-10009
+      protocol: UDP
+      port: 10009
+    - name: sip-data-10010
+      protocol: UDP
+      port: 10010
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: asterisk
+  labels:
+    app: asterisk
+spec:
+  selector:
+    matchLabels:
+      app: asterisk
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: asterisk
+    spec:
+      containers:
+        - name: asterisk
+          image: harbor.k-space.ee/k-space/asterisk
+          command:
+            - /usr/sbin/asterisk
+          args:
+            - -TWBpvvvdddf
+          volumeMounts:
+            - name: config
+              mountPath: /etc/asterisk
+          ports:
+            - containerPort: 8088
+              name: metrics
+      volumes:
+        - name: config
+          secret:
+            secretName: asterisk-secrets
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: asterisk
+spec:
+  selector:
+    matchLabels:
+      app: asterisk
+  podMetricsEndpoints:
+    - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: asterisk
+spec:
+  groups:
+    - name: asterisk
+      rules:
+        - alert: AsteriskPhoneNotRegistered
+          expr: asterisk_endpoints_state{resource=~"1.*"} < 2
+          for: 5m
+          labels:
+            severity: critical
+          annotations:
+            summary: "{{ $labels.resource }} is not registered."
+        - alert: AsteriskOutboundNumberNotRegistered
+          expr: asterisk_pjsip_outbound_registration_status == 0
+          for: 5m
+          labels:
+            severity: critical
+          annotations:
+            summary: "{{ $labels.username }} is not registered with provider."
+        - alert: AsteriskCallsPerMinuteLimitExceed
+          expr: asterisk_channels_duration_seconds > 10*60
+          for: 20m
+          labels:
+            severity: warning
+          annotations:
+            summary: "Call at channel {{ $labels.name }} is taking longer than 10m."
--- a/_disabled/asterisk/network-policies.yml
+++ b/_disabled/asterisk/network-policies.yml
@@ -0,0 +1,39 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: asterisk
+spec:
+  podSelector:
+    matchLabels:
+      app: asterisk
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus
+    - from:
+        - ipBlock:
+            cidr: 100.101.0.0/16
+    - from:
+        - ipBlock:
+            cidr: 100.102.0.0/16
+    - from:
+        - ipBlock:
+            cidr: 81.90.125.224/32 # Lauri home
+    - from:
+        - ipBlock:
+            cidr: 172.20.8.241/32 # Erki A
+    - from:
+        - ipBlock:
+            cidr: 212.47.211.10/32 # Elisa SIP       
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 212.47.211.10/32  # Elisa SIP
--- a/_disabled/asterisk/networkpolicy-base.yml
+++ b/_disabled/asterisk/networkpolicy-base.yml
--- a/_disabled/csi-proxmox/README.md
+++ b/_disabled/csi-proxmox/README.md
@@ -0,0 +1,24 @@
+# proxmox-csi
+
+1. create role in pve if it doesn't exist
+2. create user and assign permissions, preferrably at resource pool level
+    ```
+    pveum user add ks-kubernetes-csi@pve
+    pveum aclmod /pool/kspace_pool -user ks-kubernetes-csi@pve -role CSI
+    pveum user token add ks-kubernetes-csi@pve cs -privsep 0
+    ```
+    save the token!
+3. apply `proxmox-csi-plugin.yml` and `storage-class.yaml`, delete proxmox-csi default storage classes from kube.
+4. add the token from pve to `config.yaml` and create the secret: `kubectl -n csi-proxmox create secret generic proxmox-csi-plugin --from-file=config.yaml`
+5. label the nodes according to allocation:
+    ``` 
+    kubectl --kubeconfig ~/.kube/k-space label nodes worker1.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve1 --overwrite
+    kubectl --kubeconfig ~/.kube/k-space label nodes worker2.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve2 --overwrite
+    kubectl --kubeconfig ~/.kube/k-space label nodes worker3.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve8 --overwrite
+    kubectl --kubeconfig ~/.kube/k-space label nodes worker4.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve9 --overwrite
+
+    kubectl --kubeconfig ~/.kube/k-space label nodes master1.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve1 --overwrite
+    kubectl --kubeconfig ~/.kube/k-space label nodes master2.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve2 --overwrite
+    kubectl --kubeconfig ~/.kube/k-space label nodes master3.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve8 --overwrite
+    
+    ```
--- a/_disabled/csi-proxmox/kustomization.yaml
+++ b/_disabled/csi-proxmox/kustomization.yaml
@@ -0,0 +1,31 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: csi-proxmox
+
+helmCharts:
+  - includeCRDs: true
+    name: &name proxmox-csi-plugin
+    releaseName: *name
+    repo: oci://ghcr.io/sergelogvinov/charts
+    valuesInline:
+      node:
+        tolerations:
+          - key: node-role.kubernetes.io/control-plane
+            effect: NoSchedule
+      storageClass:
+        - name: proxmox
+          fstype: xfs
+          storage: ks-pvs
+          cache: none
+          ssd: "true"
+# Not in use, migrating off of NAS…
+#        - name: proxmox-nas
+#          fstype: xfs
+#          storage: ks-pvs-nas
+#          cache: none
+#          # ssd is false, https://github.com/sergelogvinov/proxmox-csi-plugin/issues/404
+    version: 0.3.12 # https://github.com/sergelogvinov/proxmox-csi-plugin/pkgs/container/charts%2Fproxmox-csi-plugin
+
+resources:
+- ssh://git@git.k-space.ee/secretspace/kube/proxmox-csi # secrets: proxmox-csi-plugin:config.yaml (cluster info)
--- a/_disabled/discourse/application.yaml
+++ b/_disabled/discourse/application.yaml
@@ -0,0 +1,382 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: discourse
+  annotations:
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  tls:
+    - hosts:
+        - "*.k-space.ee"
+      secretName: 
+  rules:
+    - host: "discourse.k-space.ee"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: discourse
+                port:
+                  name: http
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: discourse
+spec:
+  type: ClusterIP
+  ipFamilyPolicy: SingleStack
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: http
+  selector:
+    app.kubernetes.io/instance: discourse
+    app.kubernetes.io/name: discourse
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: discourse
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: discourse
+  annotations:
+    reloader.stakater.com/auto: "true"   
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: discourse
+      app.kubernetes.io/name: discourse
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: discourse
+        app.kubernetes.io/name: discourse
+    spec:
+      serviceAccountName: discourse
+      securityContext:
+        fsGroup: 0
+        fsGroupChangePolicy: Always
+      initContainers:
+      containers:
+        - name: discourse
+          image: docker.io/bitnami/discourse:3.3.2-debian-12-r0
+          imagePullPolicy: "IfNotPresent"
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              add:
+              - CHOWN
+              - SYS_CHROOT
+              - FOWNER
+              - SETGID
+              - SETUID
+              - DAC_OVERRIDE
+              drop:
+              - ALL
+            privileged: false
+            readOnlyRootFilesystem: false
+            runAsGroup: 0
+            runAsNonRoot: false
+            runAsUser: 0
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
+          env:
+            - name: BITNAMI_DEBUG
+              value: "true"
+            - name: DISCOURSE_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: discourse-password
+                  key: username                                         
+            - name: DISCOURSE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: discourse-password
+                  key: password
+            - name: DISCOURSE_PORT_NUMBER
+              value: "8080"
+            - name: DISCOURSE_EXTERNAL_HTTP_PORT_NUMBER
+              value: "80"
+            - name: DISCOURSE_DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: discourse-postgresql
+                  key: password
+            - name: POSTGRESQL_CLIENT_CREATE_DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: discourse-postgres-superuser
+                  key: password
+            - name: POSTGRESQL_CLIENT_POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: discourse-postgres-superuser
+                  key: password
+            - name: REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: discourse-redis
+                  key: redis-password
+          envFrom:
+            - configMapRef:
+                name: discourse              
+            - secretRef:
+                name: discourse-email   
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: 500
+            periodSeconds: 10
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 6
+          readinessProbe:
+            httpGet:
+              path: /srv/status
+              port: http
+            initialDelaySeconds: 100
+            periodSeconds: 10
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 6
+          resources:
+            limits:
+              cpu: "6.0"
+              ephemeral-storage: 2Gi
+              memory: 12288Mi
+            requests:
+              cpu: "1.0"
+              ephemeral-storage: 50Mi
+              memory: 3072Mi
+          volumeMounts:
+            - name: discourse-data
+              mountPath: /bitnami/discourse
+              subPath: discourse
+        - name: sidekiq
+          image: docker.io/bitnami/discourse:3.3.2-debian-12-r0
+          imagePullPolicy: "IfNotPresent"
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              add:
+              - CHOWN
+              - SYS_CHROOT
+              - FOWNER
+              - SETGID
+              - SETUID
+              - DAC_OVERRIDE
+              drop:
+              - ALL
+            privileged: false
+            readOnlyRootFilesystem: false
+            runAsGroup: 0
+            runAsNonRoot: false
+            runAsUser: 0
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
+          command:
+            - /opt/bitnami/scripts/discourse/entrypoint.sh
+          args:
+            - /opt/bitnami/scripts/discourse-sidekiq/run.sh
+          env:
+            - name: BITNAMI_DEBUG
+              value: "true"
+            - name: DISCOURSE_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: discourse-password
+                  key: username              
+            - name: DISCOURSE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: discourse-password
+                  key: password
+            - name: DISCOURSE_DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: discourse-postgresql
+                  key: password                  
+            - name: DISCOURSE_POSTGRESQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: discourse-postgres-superuser
+                  key: password
+            - name: REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: discourse-redis
+                  key: redis-password
+          envFrom:
+            - configMapRef:
+                name: discourse              
+            - secretRef:
+                name: discourse-email     
+          livenessProbe:
+            exec:
+              command: ["/bin/sh", "-c", "pgrep -f ^sidekiq"]
+            initialDelaySeconds: 500
+            periodSeconds: 10
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 6
+          readinessProbe:
+            exec:
+              command: ["/bin/sh", "-c", "pgrep -f ^sidekiq"]
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 5
+            successThreshold: 1
+            failureThreshold: 6
+          resources:
+            limits:
+              cpu: 750m
+              ephemeral-storage: 2Gi
+              memory: 768Mi
+            requests:
+              cpu: 500m
+              ephemeral-storage: 50Mi
+              memory: 512Mi
+          volumeMounts:
+            - name: discourse-data
+              mountPath: /bitnami/discourse
+              subPath: discourse
+      volumes:
+        - name: discourse-data
+          persistentVolumeClaim:
+            claimName: discourse-data
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: discourse-data
+  namespace: discourse
+spec:
+  accessModes:
+    - "ReadWriteOnce"
+  resources:
+    requests:
+      storage: "3Gi"
+  storageClassName: "proxmox-nas"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: discourse
+  namespace: discourse
+data:
+  DISCOURSE_HOST: "discourse.k-space.ee"
+  DISCOURSE_SKIP_INSTALL: "yes"
+  DISCOURSE_PRECOMPILE_ASSETS: "no"
+  DISCOURSE_SITE_NAME: "K-Space Discourse"
+  DISCOURSE_USERNAME: "k-space"
+  DISCOURSE_EMAIL: "dos4dev@k-space.ee"
+  DISCOURSE_REDIS_HOST: "discourse-redis"
+  DISCOURSE_REDIS_PORT_NUMBER: "6379"
+  DISCOURSE_DATABASE_HOST: "discourse-postgres-rw"
+  DISCOURSE_DATABASE_PORT_NUMBER: "5432"
+  DISCOURSE_DATABASE_NAME: "discourse"
+  DISCOURSE_DATABASE_USER: "discourse"
+  POSTGRESQL_CLIENT_DATABASE_HOST: "discourse-postgres-rw"
+  POSTGRESQL_CLIENT_DATABASE_PORT_NUMBER: "5432"
+  POSTGRESQL_CLIENT_POSTGRES_USER: "postgres"
+  POSTGRESQL_CLIENT_CREATE_DATABASE_NAME: "discourse"
+  POSTGRESQL_CLIENT_CREATE_DATABASE_EXTENSIONS: "hstore,pg_trgm"
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCClient
+metadata:
+  name: discourse
+  namespace: discourse
+spec:
+  displayName: Discourse
+  uri: https://discourse.k-space.ee
+  redirectUris:
+    - https://discourse.k-space.ee/auth/oidc/callback
+  allowedGroups:
+    - k-space:floor
+    - k-space:friends
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile
+  pkce: false
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+  name: discourse-redis
+  namespace: discourse
+spec:
+  size: 32
+  mapping:
+    - key: redis-password
+      value: "%(plaintext)s"
+    - key: REDIS_URI
+      value: "redis://:%(plaintext)s@discourse-redis"
+---
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+  name: discourse-redis
+  namespace: discourse
+spec:
+  authentication:
+    passwordFromSecret:
+      key: redis-password
+      name: discourse-redis
+  replicas: 3
+  resources:
+    limits:
+      cpu: 1000m
+      memory: 1Gi
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: topology.kubernetes.io/zone
+      whenUnsatisfiable: DoNotSchedule
+      labelSelector:
+        matchLabels:
+          app: discourse-redis
+          app.kubernetes.io/part-of: dragonfly              
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: discourse-postgres
+  namespace: discourse
+spec:
+  instances: 1
+  enableSuperuserAccess: true
+  bootstrap:
+    initdb:
+      database: discourse
+      owner: discourse
+      secret:
+        name: discourse-postgresql
+      dataChecksums: true
+      encoding: 'UTF8'
+  storage:
+    size: 10Gi
+    storageClass: postgres
--- a/_disabled/freeswitch/.gitignore
+++ b/_disabled/freeswitch/.gitignore
@@ -0,0 +1 @@
+PASSWORDS.xml
--- a/_disabled/freeswitch/PASSWORDS.xml.example
+++ b/_disabled/freeswitch/PASSWORDS.xml.example
@@ -0,0 +1,14 @@
+<include>
+    <X-PRE-PROCESS cmd="set" data="default_password=">
+    <X-PRE-PROCESS cmd="set" data="ipcall_password="/>
+    <X-PRE-PROCESS cmd="set" data="1000_password="/>
+    <X-PRE-PROCESS cmd="set" data="1001_password="/>
+    <X-PRE-PROCESS cmd="set" data="1002_password="/>
+    <X-PRE-PROCESS cmd="set" data="1003_password="/>
+    <X-PRE-PROCESS cmd="set" data="1004_password="/>
+    <X-PRE-PROCESS cmd="set" data="1005_password="/>
+    <X-PRE-PROCESS cmd="set" data="1006_password="/>
+    <X-PRE-PROCESS cmd="set" data="1007_password="/>
+    <X-PRE-PROCESS cmd="set" data="1008_password="/>
+    <X-PRE-PROCESS cmd="set" data="1009_password="/>
+</include>  
--- a/_disabled/freeswitch/README.md
+++ b/_disabled/freeswitch/README.md
@@ -0,0 +1,7 @@
+```
+kubectl -n freeswitch create secret generic freeswitch-passwords --from-file freeswitch/PASSWORDS.xml 
+```
+
+PASSWORDS.xml is in git.k-space.ee/secretspace/kube:_disabled/freeswitch
+
+freeswitch-sounds was extracted form of http://files.freeswitch.org/releases/sounds/freeswitch-sounds-en-us-callie-32000-1.0.53.tar.gz (with /us/ at root of the volume)
--- a/_disabled/freeswitch/application.yaml
+++ b/_disabled/freeswitch/application.yaml
@@ -0,0 +1,567 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: freeswitch
+  namespace: freeswitch
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: freeswitch.k-space.ee
+    metallb.universe.tf/address-pool: eenet
+    metallb.universe.tf/ip-allocated-from-pool: eenet
+spec:
+  ports:
+    - name: sip-internal-udp
+      protocol: UDP
+      port: 5060
+      targetPort: 5060
+      nodePort: 31787
+    - name: sip-nat-udp
+      protocol: UDP
+      port: 5070
+      targetPort: 5070
+      nodePort: 32241
+    - name: sip-external-udp
+      protocol: UDP
+      port: 5080
+      targetPort: 5080
+      nodePort: 31354
+    - name: sip-data-10000
+      protocol: UDP
+      port: 10000
+      targetPort: 10000
+      nodePort: 30786
+    - name: sip-data-10001
+      protocol: UDP
+      port: 10001
+      targetPort: 10001
+      nodePort: 31788
+    - name: sip-data-10002
+      protocol: UDP
+      port: 10002
+      targetPort: 10002
+      nodePort: 30247
+    - name: sip-data-10003
+      protocol: UDP
+      port: 10003
+      targetPort: 10003
+      nodePort: 32389
+    - name: sip-data-10004
+      protocol: UDP
+      port: 10004
+      targetPort: 10004
+      nodePort: 30723
+    - name: sip-data-10005
+      protocol: UDP
+      port: 10005
+      targetPort: 10005
+      nodePort: 30295
+    - name: sip-data-10006
+      protocol: UDP
+      port: 10006
+      targetPort: 10006
+      nodePort: 30782
+    - name: sip-data-10007
+      protocol: UDP
+      port: 10007
+      targetPort: 10007
+      nodePort: 32165
+    - name: sip-data-10008
+      protocol: UDP
+      port: 10008
+      targetPort: 10008
+      nodePort: 30282
+    - name: sip-data-10009
+      protocol: UDP
+      port: 10009
+      targetPort: 10009
+      nodePort: 31325
+    - name: sip-data-10010
+      protocol: UDP
+      port: 10010
+      targetPort: 10010
+      nodePort: 31234
+  selector:
+    app: freeswitch
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  ipFamilies:
+    - IPv4
+  ipFamilyPolicy: SingleStack
+  internalTrafficPolicy: Cluster
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: freeswitch-sounds
+  namespace: freeswitch
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: longhorn
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: freeswitch
+  namespace: freeswitch
+  labels:
+    app: freeswitch
+  annotations:
+    reloader.stakater.com/auto: "true" # reloader is disabled in cluster, (re)deploy it to use
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: freeswitch
+  template:
+    metadata:
+      labels:
+        app: freeswitch
+    spec:
+      volumes:
+        - name: config
+          configMap:
+            name: freeswitch-config
+            defaultMode: 420
+        - name: directory
+          configMap:
+            name: freeswitch-directory
+            defaultMode: 420
+        - name: sounds
+          persistentVolumeClaim:
+            claimName: freeswitch-sounds
+        - name: passwords
+          secret:
+            secretName: freeswitch-passwords
+      containers:
+        - name: freeswitch
+          image: mirror.gcr.io/dheaps/freeswitch:latest
+          env:
+            - name: SOUND_TYPES
+              value: en-us-callie
+            - name: SOUND_RATES
+              value: "32000"
+          resources: {}
+          volumeMounts:
+            - name: config
+              mountPath: /etc/freeswitch/sip_profiles/external/ipcall.xml
+              subPath: ipcall.xml
+            - name: config
+              mountPath: /etc/freeswitch/dialplan/default/00_outbound_ipcall.xml
+              subPath: 00_outbound_ipcall.xml
+            - name: config
+              mountPath: /etc/freeswitch/dialplan/public.xml
+              subPath: dialplan.xml  
+            - name: config
+              mountPath: /etc/freeswitch/autoload_configs/switch.conf.xml
+              subPath: switch.xml
+            - name: config
+              mountPath: /etc/freeswitch/vars.xml
+              subPath: vars.xml
+            - name: passwords
+              mountPath: /etc/freeswitch/PASSWORDS.xml  
+              subPath: PASSWORDS.xml
+            - name: directory
+              mountPath: /etc/freeswitch/directory/default
+            - name: sounds
+              mountPath: /usr/share/freeswitch/sounds
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: freeswitch-config
+  namespace: freeswitch
+data: 
+  dialplan.xml: |
+    <!--
+    NOTICE:
+
+    This context is usually accessed via the external sip profile listening on port 5080.
+    
+    It is recommended to have separate inbound and outbound contexts.  Not only for security
+    but clearing up why you would need to do such a thing.  You don't want outside un-authenticated
+    callers hitting your default context which allows dialing calls thru your providers and results 
+    in Toll Fraud.
+    -->
+
+    <!-- http://wiki.freeswitch.org/wiki/Dialplan_XML -->
+    <include>
+      <context name="public">
+
+        <extension name="unloop">
+          <condition field="${unroll_loops}" expression="^true$"/>
+          <condition field="${sip_looped_call}" expression="^true$">
+            <action application="deflect" data="${destination_number}"/>
+          </condition>
+        </extension>
+        <!--
+            Tag anything pass thru here as an outside_call so you can make sure not
+            to create any routing loops based on the conditions that it came from 
+            the outside of the switch.  
+        -->
+        <extension name="outside_call" continue="true">
+          <condition>
+            <action application="set" data="outside_call=true"/>
+            <action application="export" data="RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)}"/>
+          </condition>
+        </extension>
+
+        <extension name="call_debug" continue="true">
+          <condition field="${call_debug}" expression="^true$" break="never">
+            <action application="info"/>
+          </condition>
+        </extension>
+
+        <extension name="public_extensions">
+          <condition field="destination_number" expression="^(10[01][0-9])$">
+            <action application="transfer" data="$1 XML default"/>
+          </condition>
+        </extension>
+
+        <extension name="public_conference_extensions">
+          <condition field="destination_number" expression="^(3[5-8][01][0-9])$">
+            <action application="transfer" data="$1 XML default"/>
+          </condition>
+        </extension>
+        
+        <!--
+            You can place files in the public directory to get included.
+        -->
+        <X-PRE-PROCESS cmd="include" data="public/*.xml"/>
+        <!--
+            If you have made it this far lets challenge the caller and if they authenticate
+            lets try what they dialed in the default context. (commented out by default)
+        -->
+        <!-- TODO:
+        <extension name="check_auth" continue="true">
+          <condition field="${sip_authorized}" expression="^true$" break="never">
+            <anti-action application="respond" data="407"/>
+          </condition>
+        </extension>
+        -->
+        <extension name="transfer_to_default">
+          <condition>
+            <!-- TODO: proper ring grouping -->
+            <action application="bridge" data="user/1004@freeswitch.k-space.ee,user/1003@freeswitch.k-space.ee,sofia/gateway/ipcall/53543824"/>
+          </condition>
+        </extension>
+      </context>
+    </include>
+  ipcall.xml: |
+    <include>    
+      <gateway name="ipcall">
+        <param name="proxy" value="sip.ipcall.ee"/>
+        <param name="register" value="true"/>
+        <param name="realm" value="sip.ipcall.ee"/>
+        <param name="username" value="6659652"/>
+        <param name="password" value="$${ipcall_password}"/>
+        <param name="from-user" value="6659652"/>
+        <param name="from-domain" value="sip.ipcall.ee"/>
+        <param name="extension" value="ring_group/default"/>
+      </gateway>
+    </include>
+  00_outbound_ipcall.xml: |
+    <extension name="outbound">
+      <!-- TODO: check toll_allow ? -->
+      <condition field="destination_number" expression="^(\d+)$">
+        <action application="set" data="sip_invite_domain=sip.ipcall.ee"/>
+        <action application="bridge" data="sofia/gateway/ipcall/${destination_number}"/>
+      </condition>
+    </extension>      
+  switch.xml: |
+    <configuration name="switch.conf" description="Core Configuration">
+      <cli-keybindings>
+        <key name="1" value="help"/>
+        <key name="2" value="status"/>
+        <key name="3" value="show channels"/>
+        <key name="4" value="show calls"/>
+        <key name="5" value="sofia status"/>
+        <key name="6" value="reloadxml"/>
+        <key name="7" value="console loglevel 0"/>
+        <key name="8" value="console loglevel 7"/>
+        <key name="9" value="sofia status profile internal"/>
+        <key name="10" value="sofia profile internal siptrace on"/>
+        <key name="11" value="sofia profile internal siptrace off"/>
+        <key name="12" value="version"/>
+      </cli-keybindings>
+      <default-ptimes>
+      </default-ptimes>
+      <settings>
+        <param name="colorize-console" value="true"/>
+        <param name="dialplan-timestamps" value="false"/>
+        <param name="max-db-handles" value="50"/>
+        <param name="db-handle-timeout" value="10"/>
+        <param name="max-sessions" value="1000"/>
+        <param name="sessions-per-second" value="30"/>
+        <param name="loglevel" value="debug"/>
+        <param name="mailer-app" value="sendmail"/>
+        <param name="mailer-app-args" value="-t"/>
+        <param name="dump-cores" value="yes"/>
+        <param name="rtp-start-port" value="10000"/>
+        <param name="rtp-end-port" value="10010"/>
+      </settings>
+    </configuration>  
+  vars.xml: |
+    <include>
+      <X-PRE-PROCESS cmd="set" data="disable_system_api_commands=true"/>
+      <X-PRE-PROCESS cmd="set" data="sound_prefix=$${sounds_dir}/en/us/callie"/>
+      <X-PRE-PROCESS cmd="set" data="domain=freeswitch.k-space.ee"/>
+      <X-PRE-PROCESS cmd="set" data="domain_name=$${domain}"/>
+      <X-PRE-PROCESS cmd="set" data="hold_music=local_stream://moh"/>
+      <X-PRE-PROCESS cmd="set" data="use_profile=external"/>
+      <X-PRE-PROCESS cmd="set" data="rtp_sdes_suites=AEAD_AES_256_GCM_8|AEAD_AES_128_GCM_8|AES_CM_256_HMAC_SHA1_80|AES_CM_192_HMAC_SHA1_80|AES_CM_128_HMAC_SHA1_80|AES_CM_256_HMAC_SHA1_32|AES_CM_192_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_32|AES_CM_128_NULL_AUTH"/>
+      <X-PRE-PROCESS cmd="set" data="global_codec_prefs=OPUS,G722,PCMU,PCMA,H264,VP8"/>
+      <X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=OPUS,G722,PCMU,PCMA,H264,VP8"/>
+      <X-PRE-PROCESS cmd="set" data="xmpp_client_profile=xmppc"/>
+      <X-PRE-PROCESS cmd="set" data="xmpp_server_profile=xmpps"/>
+      <X-PRE-PROCESS cmd="set" data="bind_server_ip=auto"/>
+      <X-PRE-PROCESS cmd="stun-set" data="external_rtp_ip=host:freeswitch.k-space.ee"/>
+      <X-PRE-PROCESS cmd="stun-set" data="external_sip_ip=host:freeswitch.k-space.ee"/>
+      <X-PRE-PROCESS cmd="set" data="unroll_loops=true"/>
+      <X-PRE-PROCESS cmd="set" data="outbound_caller_name=FreeSWITCH"/>
+      <X-PRE-PROCESS cmd="set" data="outbound_caller_id=0000000000"/>
+      <X-PRE-PROCESS cmd="set" data="call_debug=false"/>
+      <X-PRE-PROCESS cmd="set" data="console_loglevel=info"/>
+      <X-PRE-PROCESS cmd="set" data="default_areacode=372"/>
+      <X-PRE-PROCESS cmd="set" data="default_country=EE"/>
+      <X-PRE-PROCESS cmd="set" data="presence_privacy=false"/>
+      <X-PRE-PROCESS cmd="set" data="au-ring=%(400,200,383,417);%(400,2000,383,417)"/>
+      <X-PRE-PROCESS cmd="set" data="be-ring=%(1000,3000,425)"/>
+      <X-PRE-PROCESS cmd="set" data="ca-ring=%(2000,4000,440,480)"/>
+      <X-PRE-PROCESS cmd="set" data="cn-ring=%(1000,4000,450)"/>
+      <X-PRE-PROCESS cmd="set" data="cy-ring=%(1500,3000,425)"/>
+      <X-PRE-PROCESS cmd="set" data="cz-ring=%(1000,4000,425)"/>
+      <X-PRE-PROCESS cmd="set" data="de-ring=%(1000,4000,425)"/>
+      <X-PRE-PROCESS cmd="set" data="dk-ring=%(1000,4000,425)"/>
+      <X-PRE-PROCESS cmd="set" data="dz-ring=%(1500,3500,425)"/>
+      <X-PRE-PROCESS cmd="set" data="eg-ring=%(2000,1000,475,375)"/>
+      <X-PRE-PROCESS cmd="set" data="es-ring=%(1500,3000,425)"/>
+      <X-PRE-PROCESS cmd="set" data="fi-ring=%(1000,4000,425)"/>
+      <X-PRE-PROCESS cmd="set" data="fr-ring=%(1500,3500,440)"/>
+      <X-PRE-PROCESS cmd="set" data="hk-ring=%(400,200,440,480);%(400,3000,440,480)"/>
+      <X-PRE-PROCESS cmd="set" data="hu-ring=%(1250,3750,425)"/>
+      <X-PRE-PROCESS cmd="set" data="il-ring=%(1000,3000,400)"/>
+      <X-PRE-PROCESS cmd="set" data="in-ring=%(400,200,425,375);%(400,2000,425,375)"/>
+      <X-PRE-PROCESS cmd="set" data="jp-ring=%(1000,2000,420,380)"/>
+      <X-PRE-PROCESS cmd="set" data="ko-ring=%(1000,2000,440,480)"/>
+      <X-PRE-PROCESS cmd="set" data="pk-ring=%(1000,2000,400)"/>
+      <X-PRE-PROCESS cmd="set" data="pl-ring=%(1000,4000,425)"/>
+      <X-PRE-PROCESS cmd="set" data="ro-ring=%(1850,4150,475,425)"/>
+      <X-PRE-PROCESS cmd="set" data="rs-ring=%(1000,4000,425)"/>
+      <X-PRE-PROCESS cmd="set" data="ru-ring=%(800,3200,425)"/>
+      <X-PRE-PROCESS cmd="set" data="sa-ring=%(1200,4600,425)"/>
+      <X-PRE-PROCESS cmd="set" data="tr-ring=%(2000,4000,450)"/>
+      <X-PRE-PROCESS cmd="set" data="uk-ring=%(400,200,400,450);%(400,2000,400,450)"/>
+      <X-PRE-PROCESS cmd="set" data="us-ring=%(2000,4000,440,480)"/>
+      <X-PRE-PROCESS cmd="set" data="bong-ring=v=-7;%(100,0,941.0,1477.0);v=-7;>=2;+=.1;%(1400,0,350,440)"/>
+      <X-PRE-PROCESS cmd="set" data="beep=%(1000,0,640)"/>
+      <X-PRE-PROCESS cmd="set" data="sit=%(274,0,913.8);%(274,0,1370.6);%(380,0,1776.7)"/>
+      <X-PRE-PROCESS cmd="set" data="df_us_ssn=(?!219099999|078051120)(?!666|000|9\d{2})\d{3}(?!00)\d{2}(?!0{4})\d{4}"/>
+      <X-PRE-PROCESS cmd="set" data="df_luhn=?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11}"/>
+      <XX-PRE-PROCESS cmd="set" data="digits_dialed_filter=(($${df_luhn})|($${df_us_ssn}))"/>
+      <X-PRE-PROCESS cmd="set" data="default_provider=sip.ipcall.ee"/>
+      <X-PRE-PROCESS cmd="set" data="default_provider_username="/>
+      <X-PRE-PROCESS cmd="set" data="default_provider_password="/>
+      <X-PRE-PROCESS cmd="set" data="default_provider_from_domain=sip.ipcall.ee"/>
+      <X-PRE-PROCESS cmd="set" data="default_provider_register=true"/>
+      <X-PRE-PROCESS cmd="set" data="default_provider_contact=1004"/>
+      <X-PRE-PROCESS cmd="set" data="sip_tls_version=tlsv1,tlsv1.1,tlsv1.2"/>
+      <X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"/>
+      <X-PRE-PROCESS cmd="set" data="internal_auth_calls=true"/>
+      <X-PRE-PROCESS cmd="set" data="internal_sip_port=5060"/>
+      <X-PRE-PROCESS cmd="set" data="internal_tls_port=5061"/>
+      <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=false"/>
+      <X-PRE-PROCESS cmd="set" data="external_auth_calls=false"/>
+      <X-PRE-PROCESS cmd="set" data="external_sip_port=5080"/>
+      <X-PRE-PROCESS cmd="set" data="external_tls_port=5081"/>
+      <X-PRE-PROCESS cmd="set" data="external_ssl_enable=false"/>
+      <X-PRE-PROCESS cmd="set" data="rtp_video_max_bandwidth_in=3mb"/>
+      <X-PRE-PROCESS cmd="set" data="rtp_video_max_bandwidth_out=3mb"/>
+      <X-PRE-PROCESS cmd="set" data="suppress_cng=true"/>
+      <X-PRE-PROCESS cmd="set" data="rtp_liberal_dtmf=true"/>
+      <X-PRE-PROCESS cmd="set" data="video_mute_png=$${images_dir}/default-mute.png"/>
+      <X-PRE-PROCESS cmd="set" data="video_no_avatar_png=$${images_dir}/default-avatar.png"/>
+      <X-PRE-PROCESS cmd="include" data="PASSWORDS.xml"/>
+    </include>  
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: freeswitch-directory
+  namespace: freeswitch
+data:
+  1000.xml: |
+    <include>
+      <user id="1000">
+        <params>
+          <param name="password" value="$${1000_password}"/>
+        </params>
+        <variables>
+          <variable name="toll_allow" value="domestic,local"/>
+          <variable name="accountcode" value="1000"/>
+          <variable name="user_context" value="default"/>
+          <variable name="effective_caller_id_name" value=""/>
+          <variable name="effective_caller_id_number" value="1000"/>
+          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
+          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
+        </variables>
+      </user>
+    </include>
+  1001.xml: |
+    <include>
+      <user id="1001">
+        <params>
+          <param name="password" value="$${1001_password}"/>
+        </params>
+        <variables>
+          <variable name="toll_allow" value="domestic,local"/>
+          <variable name="accountcode" value="1001"/>
+          <variable name="user_context" value="default"/>
+          <variable name="effective_caller_id_name" value=""/>
+          <variable name="effective_caller_id_number" value="1001"/>
+          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
+          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
+        </variables>
+      </user>
+    </include>
+  1002.xml: |
+    <include>
+      <user id="1002">
+        <params>
+          <param name="password" value="$${1002_password}"/>
+        </params>
+        <variables>
+          <variable name="toll_allow" value="domestic,local"/>
+          <variable name="accountcode" value="1002"/>
+          <variable name="user_context" value="default"/>
+          <variable name="effective_caller_id_name" value=""/>
+          <variable name="effective_caller_id_number" value="1002"/>
+          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
+          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
+        </variables>
+      </user>
+    </include>        
+  1003.xml: |
+    <include>
+      <user id="1003">
+        <params>
+          <param name="password" value="$${1003_password}"/>
+        </params>
+        <variables>
+          <variable name="toll_allow" value="domestic,local"/>
+          <variable name="accountcode" value="1003"/>
+          <variable name="user_context" value="default"/>
+          <variable name="effective_caller_id_name" value="Erki A"/>
+          <variable name="effective_caller_id_number" value="1003"/>
+          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
+          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
+        </variables>
+      </user>
+    </include>
+  1004.xml: |
+    <include>
+      <user id="1004">
+        <params>
+          <param name="password" value="$${1004_password}"/>
+        </params>
+        <variables>
+          <variable name="toll_allow" value="domestic,local"/>
+          <variable name="accountcode" value="1004"/>
+          <variable name="user_context" value="default"/>
+          <variable name="effective_caller_id_name" value="Erki A"/>
+          <variable name="effective_caller_id_number" value="1004"/>
+          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
+          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
+        </variables>          
+      </user>
+    </include>    
+  1005.xml: |
+    <include>
+      <user id="1005">
+        <params>
+          <param name="password" value="$${1005_password}"/>
+        </params>
+        <variables>
+          <variable name="toll_allow" value="domestic,local"/>
+          <variable name="accountcode" value="1005"/>
+          <variable name="user_context" value="default"/>
+          <variable name="effective_caller_id_name" value=""/>
+          <variable name="effective_caller_id_number" value="1005"/>
+          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
+          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
+        </variables>          
+      </user>
+    </include>    
+  1006.xml: |
+    <include>
+      <user id="1006">
+        <params>
+          <param name="password" value="$${1006_password}"/>
+        </params>
+        <variables>
+          <variable name="toll_allow" value="domestic,local"/>
+          <variable name="accountcode" value="1006"/>
+          <variable name="user_context" value="default"/>
+          <variable name="effective_caller_id_name" value=""/>
+          <variable name="effective_caller_id_number" value="1006"/>
+          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
+          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
+        </variables>          
+      </user>
+    </include>          
+  1007.xml: |
+    <include>
+      <user id="1007">
+        <params>
+          <param name="password" value="$${1007_password}"/>
+        </params>
+        <variables>
+          <variable name="toll_allow" value="domestic,local"/>
+          <variable name="accountcode" value="1007"/>
+          <variable name="user_context" value="default"/>
+          <variable name="effective_caller_id_name" value=""/>
+          <variable name="effective_caller_id_number" value="1007"/>
+          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
+          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
+        </variables>          
+      </user>
+    </include>        
+  1008.xml: |
+    <include>
+      <user id="1008">
+        <params>
+          <param name="password" value="$${1008_password}"/>
+        </params>
+        <variables>
+          <variable name="toll_allow" value="domestic,local"/>
+          <variable name="accountcode" value="1008"/>
+          <variable name="user_context" value="default"/>
+          <variable name="effective_caller_id_name" value=""/>
+          <variable name="effective_caller_id_number" value="1008"/>
+          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
+          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
+        </variables>          
+      </user>
+    </include>        
+  1009.xml: |
+    <include>
+      <user id="1009">
+        <params>
+          <param name="password" value="$${1009_password}"/>
+        </params>
+        <variables>
+          <variable name="toll_allow" value="domestic,local"/>
+          <variable name="accountcode" value="1009"/>
+          <variable name="user_context" value="default"/>
+          <variable name="effective_caller_id_name" value=""/>
+          <variable name="effective_caller_id_number" value="1009"/>
+          <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
+          <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
+        </variables>          
+      </user>
+    </include>        
+  
--- a/_disabled/freeswitch/network-policies.yml
+++ b/_disabled/freeswitch/network-policies.yml
@@ -0,0 +1,49 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: freeswitch
+spec:
+  podSelector:
+    matchLabels:
+      app: freeswitch
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus
+    - from:
+        - ipBlock:
+            cidr: 100.101.0.0/16
+    - from:
+        - ipBlock:
+            cidr: 100.102.0.0/16
+    - from:
+        - ipBlock:
+            cidr: 81.90.125.224/32 # Lauri home
+    - from:
+        - ipBlock:
+            cidr: 172.20.8.241/32 # Erki A
+    - from:
+        - ipBlock:
+            cidr: 212.47.211.10/32 # Elisa SIP
+    - from:
+        - ipBlock:
+            cidr: 212.47.211.10/32 # Elisa SIP        
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 212.47.211.10/32  # Elisa SIP
+    - to:
+        - ipBlock:
+            cidr: 195.222.16.38/32  # Elisa SIP
+    - to:
+      ports:
+        - port: 53
+          protocol: UDP
--- a/_disabled/local-path-storage/README.md
+++ b/_disabled/local-path-storage/README.md
--- a/_disabled/local-path-storage/local-path-storage.yaml
+++ b/_disabled/local-path-storage/local-path-storage.yaml
@@ -62,7 +62,7 @@ spec:
      serviceAccountName: local-path-provisioner-service-account
      containers:
        - name: local-path-provisioner
-          image: rancher/local-path-provisioner:v0.0.22
+          image: mirror.gcr.io/rancher/local-path-provisioner:v0.0.22
          imagePullPolicy: IfNotPresent
          command:
            - local-path-provisioner
@@ -151,7 +151,7 @@ data:
    spec:
      containers:
      - name: helper-pod
-        image: busybox
+        image: mirror.gcr.io/library/busybox
        imagePullPolicy: IfNotPresent


--- a/_disabled/logging/.gitignore
+++ b/_disabled/logging/.gitignore
--- a/_disabled/logging/README.md
+++ b/_disabled/logging/README.md
@@ -1,5 +1,7 @@
 # Logging infrastructure

+Note: This is deprecated since we moved to [Logmower stack](https://github.com/logmower)
+
 ## Background

 Fluent Bit picks up the logs from Kubernetes workers and sends them to Graylog
@@ -14,7 +16,7 @@ To deploy:

 ```
 kubectl create namespace logging
-kubectl apply -n logging -f mongodb-support.yml -f application.yml -f filebeat.yml -f networkpolicy-base.yml
+kubectl apply -n logging -f zinc.yml -f application.yml -f filebeat.yml -f networkpolicy-base.yml
 kubectl rollout restart -n logging daemonset.apps/filebeat
 ```

--- a/_disabled/logging/filebeat.yml
+++ b/_disabled/logging/filebeat.yml
@@ -0,0 +1,185 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: filebeat-config
+  namespace: logging
+data:
+  filebeat.yml: |-
+    logging:
+      level: warning
+    setup:
+      ilm:
+        enabled: false
+      template:
+        name: filebeat
+        pattern: filebeat-*
+    http.enabled: true
+    filebeat.autodiscover:
+      providers:
+        - type: kubernetes
+          host: ${NODE_NAME}
+          hints.enabled: true
+          hints.default_config:
+            type: container
+            paths:
+              - /var/log/containers/*${data.kubernetes.container.id}.log
+    output:
+      elasticsearch:
+        hosts:
+          - http://zinc:4080
+        path: "/es/"
+        index: "filebeat-%{+yyyy.MM.dd}"
+        username: "${ZINC_FIRST_ADMIN_USER}"
+        password: "${ZINC_FIRST_ADMIN_PASSWORD}"
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: filebeat
+spec:
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 50%
+  selector:
+    matchLabels:
+      app: filebeat
+  template:
+    metadata:
+      labels:
+        app: filebeat
+      annotations:
+        co.elastic.logs/json.keys_under_root: "true"
+    spec:
+      serviceAccountName: filebeat
+      containers:
+        - name: filebeat
+          image: docker.elastic.co/beats/filebeat:8.4.1
+          args:
+            - -c
+            - /etc/filebeat.yml
+            - -e
+          securityContext:
+            runAsUser: 0
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: ZINC_FIRST_ADMIN_USER
+              value: admin
+            - name: ZINC_FIRST_ADMIN_PASSWORD
+              value: salakala
+          ports:
+            - containerPort: 5066
+          resources:
+            limits:
+              memory: 200Mi
+            requests:
+              cpu: 100m
+              memory: 100Mi
+          volumeMounts:
+            - name: filebeat-config
+              mountPath: /etc/filebeat.yml
+              readOnly: true
+              subPath: filebeat.yml
+            - name: data
+              mountPath: /usr/share/filebeat/data
+            - name: varlibdockercontainers
+              mountPath: /var/lib/docker/containers
+              readOnly: true
+            - name: varlog
+              mountPath: /var/log
+              readOnly: true
+        - name: exporter
+          image: sepa/beats-exporter
+          args:
+            - -p=5066
+          ports:
+            - containerPort: 8080
+              name: exporter
+              protocol: TCP
+      volumes:
+        - name: filebeat-config
+          configMap:
+            defaultMode: 0600
+            name: filebeat-config
+        - name: varlibdockercontainers
+          hostPath:
+            path: /var/lib/docker/containers
+        - name: varlog
+          hostPath:
+            path: /var/log
+        - name: data
+          hostPath:
+            path: /var/lib/filebeat-data
+            type: DirectoryOrCreate
+      tolerations:
+        - operator: "Exists"
+          effect: "NoExecute"
+        - operator: "Exists"
+          effect: "NoSchedule"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: logging-filebeat
+subjects:
+  - kind: ServiceAccount
+    name: filebeat
+    namespace: logging
+roleRef:
+  kind: ClusterRole
+  name: filebeat
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: filebeat
+  namespace: logging
+  labels:
+    app: filebeat
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: filebeat
+spec:
+  podSelector:
+    matchLabels:
+      app: filebeat
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: prometheus-operator
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus
+      ports:
+        - protocol: TCP
+          port: 8080
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app: zinc
+      ports:
+        - protocol: TCP
+          port: 4080
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: filebeat
+spec:
+  selector:
+    matchLabels:
+      app: filebeat
+  podMetricsEndpoints:
+    - port: exporter
--- a/_disabled/logging/networkpolicy-base.yml
+++ b/_disabled/logging/networkpolicy-base.yml
--- a/_disabled/logging/zinc.yml
+++ b/_disabled/logging/zinc.yml
@@ -0,0 +1,122 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: zinc
+spec:
+  clusterIP: None
+  selector:
+    app: zinc
+  ports:
+  - name: http
+    port: 4080
+    targetPort: 4080
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: zinc
+spec:
+  serviceName: zinc
+  replicas: 1
+  selector:
+    matchLabels:
+      app: zinc
+  template:
+    metadata:
+      labels:
+        app: zinc
+    spec:
+      securityContext:
+        fsGroup: 2000
+        runAsUser: 10000
+        runAsGroup: 3000
+        runAsNonRoot: true
+      containers:
+        - name: zinc
+          image: public.ecr.aws/zinclabs/zinc:latest
+          env:
+            - name: GIN_MODE
+              value: release
+            - name: ZINC_FIRST_ADMIN_USER
+              value: admin
+            - name: ZINC_FIRST_ADMIN_PASSWORD
+              value: salakala
+            - name: ZINC_DATA_PATH
+              value: /data
+          imagePullPolicy: Always
+          resources:
+            limits:
+              cpu: "4"
+              memory: 4Gi
+            requests:
+              cpu: 32m
+              memory: 50Mi
+          ports:
+            - containerPort: 4080
+              name: http
+          volumeMounts:
+          - name: data
+            mountPath: /data
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes:
+        - ReadWriteOnce
+      storageClassName: longhorn
+      resources:
+        requests:
+          storage: 20Gi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: zinc
+  annotations:
+    cert-manager.io/cluster-issuer: default
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
+spec:
+  rules:
+  - host: zinc.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: zinc
+            port:
+              number: 4080
+  tls:
+  - hosts:
+    - zinc.k-space.ee
+    secretName: zinc-tls
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: zinc
+spec:
+  podSelector:
+    matchLabels:
+      app: zinc
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app: filebeat
+    ports:
+    - protocol: TCP
+      port: 4080
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: traefik
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: traefik
--- a/_disabled/mongodb-operator/README.md
+++ b/_disabled/mongodb-operator/README.md
@@ -0,0 +1,21 @@
+# MongoDB Community Kubernetes Operator
+
+## Derployment
+
+With ArgoCD. Render it locally:
+
+```sh
+kustomize build . --enable-helm
+```
+
+# Instantiating databases
+For each application include mongodb-netpol.yaml and kustomization in resources:
+```yaml
+resources:
+ - https://git.k-space.ee/k-space/kube//mongodb-operator/mongodb-netpol.yaml
+ - https://github.com/mongodb/mongodb-kubernetes-operator//config/rbac/?ref=v0.13.0
+```
+
+```
+kubectl create secret generic -n <application> mongodb-application-user-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
+```
--- a/_disabled/mongodb-operator/kustomization.yaml
+++ b/_disabled/mongodb-operator/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: mongodb-operator
+
+# spec: https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_
+helmCharts:
+- includeCRDs: true
+  name: &name community-operator
+  releaseName: *name
+  repo: https://mongodb.github.io/helm-charts
+  valuesFile: values.yaml
+  version: 0.13.0 # helm search repo mongodb/community-operator --versions
--- a/_disabled/mongodb-operator/mongodb-netpol.yml
+++ b/_disabled/mongodb-operator/mongodb-netpol.yml
@@ -0,0 +1,25 @@
+# Allow any pod in this namespace to connect to MongoDB and
+# allow cluster members to talk to eachother
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: mongodb-operator
+spec:
+  podSelector:
+    matchLabels:
+      app: mongodb-svc
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+    - from:
+      - podSelector: {}
+      ports:
+      - port: 27017
+  egress:
+    - to:
+      - podSelector:
+          matchLabels:
+            app: mongodb-svc
+      ports:
+      - port: 27017
--- a/_disabled/mongodb-operator/values.yaml
+++ b/_disabled/mongodb-operator/values.yaml
--- a/_disabled/mysql-clusters/README.md
+++ b/_disabled/mysql-clusters/README.md
@@ -0,0 +1,10 @@
+# MariaDB clusters
+
+This is namespace for MariaDB clusters managed by Codemowers' sample
+[mysql-database-operator](https://github.com/codemowers/operatorlib/tree/main/samples/mysql-database-operator)
+which is deployed via [ArgoCD](https://argocd.k-space.ee/applications/argocd/mysql-database-operator)
+
+```
+kubectl create namespace mysql-clusters
+kubectl apply -n mysql-clusters -f application.yaml
+```
--- a/_disabled/mysql-clusters/dedicated.yaml
+++ b/_disabled/mysql-clusters/dedicated.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: MysqlDatabaseClass
+metadata:
+  name: dedicated
+  annotations:
+    kubernetes.io/description: "Dedicated MySQL cluster"
+spec:
+  reclaimPolicy: Retain
+  replicas: 3
+  routers: 2
+  storageClass: mysql
+  podSpec:
+    containers:
+      - name: mariadb
+        image: mirror.gcr.io/library/mariadb:10.9.7@sha256:198c7a5fea3d7285762042a628fe8f83f0a7ccef559605b4cc9502e65210880b
+        imagePullPolicy: IfNotPresent
+    nodeSelector:
+      dedicated: storage
+    tolerations:
+      - effect: NoSchedule
+        key: dedicated
+        operator: Equal
+        value: storage
--- a/_disabled/mysql-clusters/external.yaml
+++ b/_disabled/mysql-clusters/external.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: MysqlDatabaseClass
+metadata:
+  name: external
+  annotations:
+    kubernetes.io/description: "External MySQL cluster"
+spec:
+  reclaimPolicy: Retain
+  shared: true
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: primary-external
+spec:
+  clusterIP: None
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: external
+spec:
+  clusterIP: None
+---
+kind: Endpoints
+apiVersion: v1
+metadata:
+  name: primary-external
+subsets:
+  - addresses:
+      - ip: 172.20.36.1
+---
+kind: Endpoints
+apiVersion: v1
+metadata:
+  name: external
+subsets:
+  - addresses:
+      - ip: 172.20.36.1
--- a/_disabled/mysql-clusters/phpmyadmin.yaml
+++ b/_disabled/mysql-clusters/phpmyadmin.yaml
@@ -1,9 +1,21 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: phpmyadmin
+  namespace: mysql-clusters
+data:
+  config.user.inc.php: |
+    <?php
+    for ($i = 1; isset($hosts[$i - 1]); $i++) {
+      $cfg['Servers'][$i]['ssl'] = true;
+    }
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: phpmyadmin
-  labels:
-    app: phpmyadmin
+  namespace: mysql-clusters
 spec:
  # phpMyAdmin session handling is not really compatible with more replicas
  replicas: 1
@@ -17,32 +29,56 @@ spec:
    spec:
      containers:
        - name: phpmyadmin
-          image: phpmyadmin/phpmyadmin
+          image: mirror.gcr.io/phpmyadmin/phpmyadmin
          ports:
            - name: web
              containerPort: 80
              protocol: TCP
          env:
-            - name: PMA_ARBITRARY
-              value: "1"
            - name: PMA_HOSTS
-              value: mysql-cluster.etherpad.svc.cluster.local,mariadb.authelia,mariadb.nextcloud,172.20.36.1
+              valueFrom:
+                configMapKeyRef:
+                  name: phpmyadmin-connections
+                  key: PMA_HOSTS
+            - name: PMA_PORTS
+              valueFrom:
+                configMapKeyRef:
+                  name: phpmyadmin-connections
+                  key: PMA_HOSTS
            - name: PMA_ABSOLUTE_URI
              value: https://phpmyadmin.k-space.ee/
            - name: UPLOAD_LIMIT
              value: 10G
+      volumes:
+        - name: config
+          configMap:
+            name: phpmyadmin
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCMiddlewareClient
+metadata:
+  name: phpmyadmin
+spec:
+  displayName: phpMyAdmin
+  uri: 'https://phpmyadmin.k-space.ee'
+  headerMapping:
+    email: Remote-Email
+    groups: Remote-Groups
+    name: Remote-Name
+    user: Remote-Username
+  allowedGroups:
+    - k-space:floor
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: phpmyadmin
+  namespace: mysql-clusters
  annotations:
    kubernetes.io/ingress.class: traefik
-    cert-manager.io/cluster-issuer: default
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
-    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+    traefik.ingress.kubernetes.io/router.middlewares: mysql-clusters-phpmyadmin@kubernetescrd
 spec:
  rules:
  - host: phpmyadmin.k-space.ee
@@ -57,15 +93,13 @@ spec:
              number: 80
  tls:
  - hosts:
-    - phpmyadmin.k-space.ee
-    secretName: phpmyadmin-tls
+    - "*.k-space.ee"
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: phpmyadmin
-  labels:
-    app: phpmyadmin
+  namespace: mysql-clusters
 spec:
  selector:
    app: phpmyadmin
@@ -73,36 +107,3 @@ spec:
  - protocol: TCP
    port: 80
    targetPort: 80
---
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: phpmyadmin
-spec:
-  podSelector:
-    matchLabels:
-      app: phpmyadmin
-  policyTypes:
-  - Ingress
-  - Egress
-  ingress:
-    - from:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: traefik
-      ports:
-        - protocol: TCP
-          port: 80
-  egress:
-  - # Allow connecting to MySQL instance in any namespace
-    to:
-    - namespaceSelector: {}
-    ports:
-    - port: 3306
-  - # Allow connecting to any MySQL instance outside the cluster
-    to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
-    ports:
-    - protocol: TCP
-      port: 3306
--- a/_disabled/mysql-clusters/shared.yaml
+++ b/_disabled/mysql-clusters/shared.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: MysqlDatabaseClass
+metadata:
+  name: shared
+  annotations:
+    kubernetes.io/description: "Shared MySQL cluster"
+spec:
+  reclaimPolicy: Retain
+  shared: true
+  replicas: 3
+  routers: 2
+  storageClass: mysql
+  podSpec:
+    containers:
+      - name: mariadb
+        image: mirror.gcr.io/library/mariadb:10.9.7@sha256:198c7a5fea3d7285762042a628fe8f83f0a7ccef559605b4cc9502e65210880b
+        imagePullPolicy: IfNotPresent
+    nodeSelector:
+      dedicated: storage
+    tolerations:
+      - effect: NoSchedule
+        key: dedicated
+        operator: Equal
+        value: storage
--- a/_disabled/mysql-clusters/storageclass.yaml
+++ b/_disabled/mysql-clusters/storageclass.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: mysql
+  annotations:
+    kubernetes.io/description: |
+      Storage class for MySQL, MariaDB and similar applications that
+      implement high availability in application layer.
+      This storage class uses XFS, has no block level redundancy and
+      has block device level caching disabled.
+provisioner: csi.proxmox.sinextra.dev
+reclaimPolicy: Retain
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+parameters:
+  csi.storage.k8s.io/fstype: xfs
+  storage: ks-pvs
+  cache: none
+  ssd: "true"
--- a/_disabled/openebs/README.md
+++ b/_disabled/openebs/README.md
@@ -0,0 +1,20 @@
+# XFS hostpath based local PV-s
+
+```
+wget https://openebs.github.io/charts/openebs-operator-lite.yaml
+kubectl apply -f openebs-operator-lite.yaml -f storage-class.yaml
+
+```
+
+# Raw file based local PV-s
+
+### TO BE DEPRECATED
+
+The manifests were rendered using Helm template from https://github.com/openebs/rawfile-localpv
+and subsequently modified
+
+```
+kubectl create namespace openebs
+kubectl apply -n openebs -f rawfile.yaml
+```
+
--- a/_disabled/openebs/openebs-operator-lite.yaml
+++ b/_disabled/openebs/openebs-operator-lite.yaml
@@ -0,0 +1,937 @@
+# This manifest deploys the OpenEBS control plane components, with associated CRs & RBAC rules
+# NOTE: On GKE, deploy the openebs-operator.yaml in admin context
+
+# Create the OpenEBS namespace
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openebs
+---
+# Create Maya Service Account
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: openebs-maya-operator
+  namespace: openebs
+---
+# Define Role that allows operations on K8s pods/deployments
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: openebs-maya-operator
+rules:
+- apiGroups: ["*"]
+  resources: ["nodes", "nodes/proxy"]
+  verbs: ["*"]
+- apiGroups: ["*"]
+  resources: ["namespaces", "services", "pods", "pods/exec", "deployments", "deployments/finalizers", "replicationcontrollers", "replicasets", "events", "endpoints", "configmaps", "secrets", "jobs", "cronjobs"]
+  verbs: ["*"]
+- apiGroups: ["*"]
+  resources: ["statefulsets", "daemonsets"]
+  verbs: ["*"]
+- apiGroups: ["*"]
+  resources: ["resourcequotas", "limitranges"]
+  verbs: ["list", "watch"]
+- apiGroups: ["*"]
+  resources: ["ingresses", "horizontalpodautoscalers", "verticalpodautoscalers", "poddisruptionbudgets", "certificatesigningrequests"]
+  verbs: ["list", "watch"]
+- apiGroups: ["*"]
+  resources: ["storageclasses", "persistentvolumeclaims", "persistentvolumes"]
+  verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: [ "get", "list", "create", "update", "delete", "patch"]
+- apiGroups: ["openebs.io"]
+  resources: [ "*"]
+  verbs: ["*"]
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "create", "update"]
+- nonResourceURLs: ["/metrics"]
+  verbs: ["get"]
+---
+# Bind the Service Account with the Role Privileges.
+# TODO: Check if default account also needs to be there
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: openebs-maya-operator
+subjects:
+- kind: ServiceAccount
+  name: openebs-maya-operator
+  namespace: openebs
+roleRef:
+  kind: ClusterRole
+  name: openebs-maya-operator
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.5.0
+  creationTimestamp: null
+  name: blockdevices.openebs.io
+spec:
+  group: openebs.io
+  names:
+    kind: BlockDevice
+    listKind: BlockDeviceList
+    plural: blockdevices
+    shortNames:
+    - bd
+    singular: blockdevice
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.nodeAttributes.nodeName
+      name: NodeName
+      type: string
+    - jsonPath: .spec.path
+      name: Path
+      priority: 1
+      type: string
+    - jsonPath: .spec.filesystem.fsType
+      name: FSType
+      priority: 1
+      type: string
+    - jsonPath: .spec.capacity.storage
+      name: Size
+      type: string
+    - jsonPath: .status.claimState
+      name: ClaimState
+      type: string
+    - jsonPath: .status.state
+      name: Status
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: BlockDevice is the Schema for the blockdevices API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: DeviceSpec defines the properties and runtime status of a BlockDevice
+            properties:
+              aggregateDevice:
+                description: AggregateDevice was intended to store the hierarchical information in cases of LVM. However this is currently not implemented and may need to be re-looked into for better design. To be deprecated
+                type: string
+              capacity:
+                description: Capacity
+                properties:
+                  logicalSectorSize:
+                    description: LogicalSectorSize is blockdevice logical-sector size in bytes
+                    format: int32
+                    type: integer
+                  physicalSectorSize:
+                    description: PhysicalSectorSize is blockdevice physical-Sector size in bytes
+                    format: int32
+                    type: integer
+                  storage:
+                    description: Storage is the blockdevice capacity in bytes
+                    format: int64
+                    type: integer
+                required:
+                - storage
+                type: object
+              claimRef:
+                description: ClaimRef is the reference to the BDC which has claimed this BD
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              details:
+                description: Details contain static attributes of BD like model,serial, and so forth
+                properties:
+                  compliance:
+                    description: Compliance is standards/specifications version implemented by device firmware  such as SPC-1, SPC-2, etc
+                    type: string
+                  deviceType:
+                    description: DeviceType represents the type of device like sparse, disk, partition, lvm, crypt
+                    enum:
+                    - disk
+                    - partition
+                    - sparse
+                    - loop
+                    - lvm
+                    - crypt
+                    - dm
+                    - mpath
+                    type: string
+                  driveType:
+                    description: DriveType is the type of backing drive, HDD/SSD
+                    enum:
+                    - HDD
+                    - SSD
+                    - Unknown
+                    - ""
+                    type: string
+                  firmwareRevision:
+                    description: FirmwareRevision is the disk firmware revision
+                    type: string
+                  hardwareSectorSize:
+                    description: HardwareSectorSize is the hardware sector size in bytes
+                    format: int32
+                    type: integer
+                  logicalBlockSize:
+                    description: LogicalBlockSize is the logical block size in bytes reported by /sys/class/block/sda/queue/logical_block_size
+                    format: int32
+                    type: integer
+                  model:
+                    description: Model is model of disk
+                    type: string
+                  physicalBlockSize:
+                    description: PhysicalBlockSize is the physical block size in bytes reported by /sys/class/block/sda/queue/physical_block_size
+                    format: int32
+                    type: integer
+                  serial:
+                    description: Serial is serial number of disk
+                    type: string
+                  vendor:
+                    description: Vendor is vendor of disk
+                    type: string
+                type: object
+              devlinks:
+                description: DevLinks contains soft links of a block device like /dev/by-id/... /dev/by-uuid/...
+                items:
+                  description: DeviceDevLink holds the mapping between type and links like by-id type or by-path type link
+                  properties:
+                    kind:
+                      description: Kind is the type of link like by-id or by-path.
+                      enum:
+                      - by-id
+                      - by-path
+                      type: string
+                    links:
+                      description: Links are the soft links
+                      items:
+                        type: string
+                      type: array
+                  type: object
+                type: array
+              filesystem:
+                description: FileSystem contains mountpoint and filesystem type
+                properties:
+                  fsType:
+                    description: Type represents the FileSystem type of the block device
+                    type: string
+                  mountPoint:
+                    description: MountPoint represents the mountpoint of the block device.
+                    type: string
+                type: object
+              nodeAttributes:
+                description: NodeAttributes has the details of the node on which BD is attached
+                properties:
+                  nodeName:
+                    description: NodeName is the name of the Kubernetes node resource on which the device is attached
+                    type: string
+                type: object
+              parentDevice:
+                description: "ParentDevice was intended to store the UUID of the parent Block Device as is the case for partitioned block devices. \n For example: /dev/sda is the parent for /dev/sda1 To be deprecated"
+                type: string
+              partitioned:
+                description: Partitioned represents if BlockDevice has partitions or not (Yes/No) Currently always default to No. To be deprecated
+                enum:
+                - "Yes"
+                - "No"
+                type: string
+              path:
+                description: Path contain devpath (e.g. /dev/sdb)
+                type: string
+            required:
+            - capacity
+            - devlinks
+            - nodeAttributes
+            - path
+            type: object
+          status:
+            description: DeviceStatus defines the observed state of BlockDevice
+            properties:
+              claimState:
+                description: ClaimState represents the claim state of the block device
+                enum:
+                - Claimed
+                - Unclaimed
+                - Released
+                type: string
+              state:
+                description: State is the current state of the blockdevice (Active/Inactive/Unknown)
+                enum:
+                - Active
+                - Inactive
+                - Unknown
+                type: string
+            required:
+            - claimState
+            - state
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.5.0
+  creationTimestamp: null
+  name: blockdeviceclaims.openebs.io
+spec:
+  group: openebs.io
+  names:
+    kind: BlockDeviceClaim
+    listKind: BlockDeviceClaimList
+    plural: blockdeviceclaims
+    shortNames:
+    - bdc
+    singular: blockdeviceclaim
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.blockDeviceName
+      name: BlockDeviceName
+      type: string
+    - jsonPath: .status.phase
+      name: Phase
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: BlockDeviceClaim is the Schema for the blockdeviceclaims API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: DeviceClaimSpec defines the request details for a BlockDevice
+            properties:
+              blockDeviceName:
+                description: BlockDeviceName is the reference to the block-device backing this claim
+                type: string
+              blockDeviceNodeAttributes:
+                description: BlockDeviceNodeAttributes is the attributes on the node from which a BD should be selected for this claim. It can include nodename, failure domain etc.
+                properties:
+                  hostName:
+                    description: HostName represents the hostname of the Kubernetes node resource where the BD should be present
+                    type: string
+                  nodeName:
+                    description: NodeName represents the name of the Kubernetes node resource where the BD should be present
+                    type: string
+                type: object
+              deviceClaimDetails:
+                description: Details of the device to be claimed
+                properties:
+                  allowPartition:
+                    description: AllowPartition represents whether to claim a full block device or a device that is a partition
+                    type: boolean
+                  blockVolumeMode:
+                    description: 'BlockVolumeMode represents whether to claim a device in Block mode or Filesystem mode. These are use cases of BlockVolumeMode: 1) Not specified: VolumeMode check will not be effective 2) VolumeModeBlock: BD should not have any filesystem or mountpoint 3) VolumeModeFileSystem: BD should have a filesystem and mountpoint. If DeviceFormat is    specified then the format should match with the FSType in BD'
+                    type: string
+                  formatType:
+                    description: Format of the device required, eg:ext4, xfs
+                    type: string
+                type: object
+              deviceType:
+                description: DeviceType represents the type of drive like SSD, HDD etc.,
+                nullable: true
+                type: string
+              hostName:
+                description: Node name from where blockdevice has to be claimed. To be deprecated. Use NodeAttributes.HostName instead
+                type: string
+              resources:
+                description: Resources will help with placing claims on Capacity, IOPS
+                properties:
+                  requests:
+                    additionalProperties:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                      x-kubernetes-int-or-string: true
+                    description: 'Requests describes the minimum resources required. eg: if storage resource of 10G is requested minimum capacity of 10G should be available TODO for validating'
+                    type: object
+                required:
+                - requests
+                type: object
+              selector:
+                description: Selector is used to find block devices to be considered for claiming
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+                    type: object
+                type: object
+            type: object
+          status:
+            description: DeviceClaimStatus defines the observed state of BlockDeviceClaim
+            properties:
+              phase:
+                description: Phase represents the current phase of the claim
+                type: string
+            required:
+            - phase
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+# This is the node-disk-manager related config.
+# It can be used to customize the disks probes and filters
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: openebs-ndm-config
+  namespace: openebs
+  labels:
+    openebs.io/component-name: ndm-config
+data:
+  # udev-probe is default or primary probe it should be enabled to run ndm
+  # filterconfigs contains configs of filters. To provide a group of include
+  # and exclude values add it as , separated string
+  node-disk-manager.config: |
+    probeconfigs:
+      - key: udev-probe
+        name: udev probe
+        state: true
+      - key: seachest-probe
+        name: seachest probe
+        state: false
+      - key: smart-probe
+        name: smart probe
+        state: true
+    filterconfigs:
+      - key: os-disk-exclude-filter
+        name: os disk exclude filter
+        state: true
+        exclude: "/,/etc/hosts,/boot"
+      - key: vendor-filter
+        name: vendor filter
+        state: true
+        include: ""
+        exclude: "CLOUDBYT,OpenEBS"
+      - key: path-filter
+        name: path filter
+        state: true
+        include: ""
+        exclude: "/dev/loop,/dev/fd0,/dev/sr0,/dev/ram,/dev/md,/dev/dm-,/dev/rbd,/dev/zd"
+    # metconfig can be used to decorate the block device with different types of labels
+    # that are available on the node or come in a device properties.
+    # node labels - the node where bd is discovered. A whitlisted label prefixes
+    # attribute labels - a property of the BD can be added as a ndm label as ndm.io/<property>=<property-value>
+    metaconfigs:
+      - key: node-labels
+        name: node labels
+        pattern: ""
+      - key: device-labels
+        name: device labels
+        type: ""
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: openebs-ndm
+  namespace: openebs
+  labels:
+    name: openebs-ndm
+    openebs.io/component-name: ndm
+    openebs.io/version: 3.5.0
+spec:
+  selector:
+    matchLabels:
+      name: openebs-ndm
+      openebs.io/component-name: ndm
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        name: openebs-ndm
+        openebs.io/component-name: ndm
+        openebs.io/version: 3.5.0
+    spec:
+      # By default the node-disk-manager will be run on all kubernetes nodes
+      # If you would like to limit this to only some nodes, say the nodes
+      # that have storage attached, you could label those node and use
+      # nodeSelector.
+      #
+      # e.g. label the storage nodes with - "openebs.io/nodegroup"="storage-node"
+      # kubectl label node <node-name> "openebs.io/nodegroup"="storage-node"
+      #nodeSelector:
+      #  "openebs.io/nodegroup": "storage-node"
+      serviceAccountName: openebs-maya-operator
+      hostNetwork: true
+      # host PID is used to check status of iSCSI Service when the NDM
+      # API service is enabled
+      #hostPID: true
+      containers:
+      - name: node-disk-manager
+        image: openebs/node-disk-manager:2.1.0
+        args:
+          - -v=4
+        # The feature-gate is used to enable the new UUID algorithm.
+          - --feature-gates="GPTBasedUUID"
+        # Use partition table UUID instead of create single partition to get
+        # partition UUID. Require `GPTBasedUUID` to be enabled with.
+        # - --feature-gates="PartitionTableUUID"
+        # Detect changes to device size, filesystem and mount-points without restart.
+        # - --feature-gates="ChangeDetection"
+        # The feature gate is used to start the gRPC API service. The gRPC server
+        # starts at 9115 port by default. This feature is currently in Alpha state
+        # - --feature-gates="APIService"
+        # The feature gate is used to enable NDM, to create blockdevice resources
+        # for unused partitions on the OS disk
+        # - --feature-gates="UseOSDisk"
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: config
+          mountPath: /host/node-disk-manager.config
+          subPath: node-disk-manager.config
+          readOnly: true
+          # make udev database available inside container
+        - name: udev
+          mountPath: /run/udev
+        - name: procmount
+          mountPath: /host/proc
+          readOnly: true
+        - name: devmount
+          mountPath: /dev
+        - name: basepath
+          mountPath: /var/openebs/ndm
+        - name: sparsepath
+          mountPath: /var/openebs/sparse
+        env:
+        # namespace in which NDM is installed will be passed to NDM Daemonset
+        # as environment variable
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        # pass hostname as env variable using downward API to the NDM container
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        # specify the directory where the sparse files need to be created.
+        # if not specified, then sparse files will not be created.
+        - name: SPARSE_FILE_DIR
+          value: "/var/openebs/sparse"
+        # Size(bytes) of the sparse file to be created.
+        - name: SPARSE_FILE_SIZE
+          value: "10737418240"
+        # Specify the number of sparse files to be created
+        - name: SPARSE_FILE_COUNT
+          value: "0"
+        livenessProbe:
+          exec:
+            command:
+            - pgrep
+            - "ndm"
+          initialDelaySeconds: 30
+          periodSeconds: 60
+      volumes:
+      - name: config
+        configMap:
+          name: openebs-ndm-config
+      - name: udev
+        hostPath:
+          path: /run/udev
+          type: Directory
+      # mount /proc (to access mount file of process 1 of host) inside container
+      # to read mount-point of disks and partitions
+      - name: procmount
+        hostPath:
+          path: /proc
+          type: Directory
+      - name: devmount
+      # the /dev directory is mounted so that we have access to the devices that
+      # are connected at runtime of the pod.
+        hostPath:
+          path: /dev
+          type: Directory
+      - name: basepath
+        hostPath:
+          path: /var/openebs/ndm
+          type: DirectoryOrCreate
+      - name: sparsepath
+        hostPath:
+          path: /var/openebs/sparse
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openebs-ndm-operator
+  namespace: openebs
+  labels:
+    name: openebs-ndm-operator
+    openebs.io/component-name: ndm-operator
+    openebs.io/version: 3.5.0
+spec:
+  selector:
+    matchLabels:
+      name: openebs-ndm-operator
+      openebs.io/component-name: ndm-operator
+  replicas: 1
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        name: openebs-ndm-operator
+        openebs.io/component-name: ndm-operator
+        openebs.io/version: 3.5.0
+    spec:
+      serviceAccountName: openebs-maya-operator
+      containers:
+        - name: node-disk-operator
+          image: openebs/node-disk-operator:2.1.0
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: WATCH_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            # the service account of the ndm-operator pod
+            - name: SERVICE_ACCOUNT
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.serviceAccountName
+            - name: OPERATOR_NAME
+              value: "node-disk-operator"
+            - name: CLEANUP_JOB_IMAGE
+              value: "openebs/linux-utils:3.5.0"
+            # OPENEBS_IO_IMAGE_PULL_SECRETS environment variable is used to pass the image pull secrets
+            # to the cleanup pod launched by NDM operator
+            #- name: OPENEBS_IO_IMAGE_PULL_SECRETS
+            #  value: ""
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8585
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8585
+            initialDelaySeconds: 5
+            periodSeconds: 10
+---
+# Create NDM cluster exporter deployment.
+# This is an optional component and is not required for the basic
+# functioning of NDM
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openebs-ndm-cluster-exporter
+  namespace: openebs
+  labels:
+    name: openebs-ndm-cluster-exporter
+    openebs.io/component-name: ndm-cluster-exporter
+    openebs.io/version: 3.5.0
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      name: openebs-ndm-cluster-exporter
+      openebs.io/component-name: ndm-cluster-exporter
+  template:
+    metadata:
+      labels:
+        name: openebs-ndm-cluster-exporter
+        openebs.io/component-name: ndm-cluster-exporter
+        openebs.io/version: 3.5.0
+    spec:
+      serviceAccountName: openebs-maya-operator
+      containers:
+        - name: ndm-cluster-exporter
+          image: openebs/node-disk-exporter:2.1.0
+          command:
+            - /usr/local/bin/exporter
+          args:
+            - "start"
+            - "--mode=cluster"
+            - "--port=$(METRICS_LISTEN_PORT)"
+            - "--metrics=/metrics"
+          ports:
+            - containerPort: 9100
+              protocol: TCP
+              name: metrics
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: METRICS_LISTEN_PORT
+              value: :9100
+---
+# Create NDM cluster exporter service
+# This is optional and required only when
+# ndm-cluster-exporter deployment is used
+apiVersion: v1
+kind: Service
+metadata:
+  name: openebs-ndm-cluster-exporter-service
+  namespace: openebs
+  labels:
+    name: openebs-ndm-cluster-exporter-service
+    openebs.io/component-name: ndm-cluster-exporter
+    app: openebs-ndm-exporter
+spec:
+  clusterIP: None
+  ports:
+    - name: metrics
+      port: 9100
+      targetPort: 9100
+  selector:
+    name: openebs-ndm-cluster-exporter
+---
+# Create NDM node exporter daemonset.
+# This is an optional component used for getting disk level
+# metrics from each of the storage nodes
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: openebs-ndm-node-exporter
+  namespace: openebs
+  labels:
+    name: openebs-ndm-node-exporter
+    openebs.io/component-name: ndm-node-exporter
+    openebs.io/version: 3.5.0
+spec:
+  updateStrategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      name: openebs-ndm-node-exporter
+      openebs.io/component-name: ndm-node-exporter
+  template:
+    metadata:
+      labels:
+        name: openebs-ndm-node-exporter
+        openebs.io/component-name: ndm-node-exporter
+        openebs.io/version: 3.5.0
+    spec:
+      serviceAccountName: openebs-maya-operator
+      containers:
+        - name: node-disk-exporter
+          image: openebs/node-disk-exporter:2.1.0
+          command:
+            - /usr/local/bin/exporter
+          args:
+            - "start"
+            - "--mode=node"
+            - "--port=$(METRICS_LISTEN_PORT)"
+            - "--metrics=/metrics"
+          ports:
+            - containerPort: 9101
+              protocol: TCP
+              name: metrics
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            privileged: true
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: METRICS_LISTEN_PORT
+              value: :9101
+---
+# Create NDM node exporter service
+# This is optional and required only when
+# ndm-node-exporter daemonset is used
+apiVersion: v1
+kind: Service
+metadata:
+  name: openebs-ndm-node-exporter-service
+  namespace: openebs
+  labels:
+    name: openebs-ndm-node-exporter
+    openebs.io/component: openebs-ndm-node-exporter
+    app: openebs-ndm-exporter
+spec:
+  clusterIP: None
+  ports:
+    - name: metrics
+      port: 9101
+      targetPort: 9101
+  selector:
+    name: openebs-ndm-node-exporter
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openebs-localpv-provisioner
+  namespace: openebs
+  labels:
+    name: openebs-localpv-provisioner
+    openebs.io/component-name: openebs-localpv-provisioner
+    openebs.io/version: 3.5.0
+spec:
+  selector:
+    matchLabels:
+      name: openebs-localpv-provisioner
+      openebs.io/component-name: openebs-localpv-provisioner
+  replicas: 1
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        name: openebs-localpv-provisioner
+        openebs.io/component-name: openebs-localpv-provisioner
+        openebs.io/version: 3.5.0
+    spec:
+      serviceAccountName: openebs-maya-operator
+      containers:
+      - name: openebs-provisioner-hostpath
+        imagePullPolicy: IfNotPresent
+        image: openebs/provisioner-localpv:3.5.0
+        args:
+          - "--bd-time-out=$(BDC_BD_BIND_RETRIES)"
+        env:
+        # OPENEBS_IO_K8S_MASTER enables openebs provisioner to connect to K8s
+        # based on this address. This is ignored if empty.
+        # This is supported for openebs provisioner version 0.5.2 onwards
+        #- name: OPENEBS_IO_K8S_MASTER
+        #  value: "http://10.128.0.12:8080"
+        # OPENEBS_IO_KUBE_CONFIG enables openebs provisioner to connect to K8s
+        # based on this config. This is ignored if empty.
+        # This is supported for openebs provisioner version 0.5.2 onwards
+        #- name: OPENEBS_IO_KUBE_CONFIG
+        #  value: "/home/ubuntu/.kube/config"
+        # This sets the number of times the provisioner should try 
+        # with a polling interval of 5 seconds, to get the Blockdevice
+        # Name from a BlockDeviceClaim, before the BlockDeviceClaim
+        # is deleted. E.g. 12 * 5 seconds = 60 seconds timeout
+        - name: BDC_BD_BIND_RETRIES
+          value: "12"
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: OPENEBS_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        # OPENEBS_SERVICE_ACCOUNT provides the service account of this pod as
+        # environment variable
+        - name: OPENEBS_SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.serviceAccountName
+        - name: OPENEBS_IO_ENABLE_ANALYTICS
+          value: "true"
+        - name: OPENEBS_IO_INSTALLER_TYPE
+          value: "openebs-operator-lite"
+        - name: OPENEBS_IO_HELPER_IMAGE
+          value: "openebs/linux-utils:3.5.0"
+        - name: OPENEBS_IO_BASE_PATH
+          value: "/var/openebs/local"
+        # LEADER_ELECTION_ENABLED is used to enable/disable leader election. By default
+        # leader election is enabled.
+        #- name: LEADER_ELECTION_ENABLED
+        #  value: "true"
+        # OPENEBS_IO_IMAGE_PULL_SECRETS environment variable is used to pass the image pull secrets
+        # to the helper pod launched by local-pv hostpath provisioner
+        #- name: OPENEBS_IO_IMAGE_PULL_SECRETS
+        #  value: ""
+        # Process name used for matching is limited to the 15 characters
+        # present in the pgrep output.
+        # So fullname can't be used here with pgrep (>15 chars).A regular expression
+        # that matches the entire command name has to specified.
+        # Anchor `^` : matches any string that starts with `provisioner-loc`
+        # `.*`: matches any string that has `provisioner-loc` followed by zero or more char
+        livenessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - test `pgrep -c "^provisioner-loc.*"` = 1
+          initialDelaySeconds: 30
+          periodSeconds: 60
+---
+
--- a/_disabled/openebs/storage-class.yaml
+++ b/_disabled/openebs/storage-class.yaml
@@ -0,0 +1,16 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: openebs-hostpath-xfs
+  annotations:
+    openebs.io/cas-type: local
+    cas.openebs.io/config: |
+      - name: StorageType
+        value: "hostpath"
+      - name: BasePath
+        value: "/var/openebs/local/"
+      - name: XFSQuota
+        enabled: "true"
+provisioner: openebs.io/local
+volumeBindingMode: WaitForFirstConsumer
+reclaimPolicy: Delete
--- a/_disabled/playground/README.md
+++ b/_disabled/playground/README.md
@@ -0,0 +1,10 @@
+# Playground
+
+Playground namespace is accessible to `Developers` AD group.
+
+Novel log aggregator is being developer in this namespace:
+
+```
+kubectl create secret generic -n playground mongodb-application-readwrite-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
+kubectl create secret generic -n playground mongodb-application-readonly-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
+kubectl apply -n playground -f logging.yml -f mongodb-support.yml -f mongoexpress.yml -f networkpolicy-base.yml
--- a/_disabled/playground/logging.yml
+++ b/_disabled/playground/logging.yml
@@ -0,0 +1,263 @@
+---
+apiVersion: mongodbcommunity.mongodb.com/v1
+kind: MongoDBCommunity
+metadata:
+  name: mongodb
+spec:
+  additionalMongodConfig:
+    systemLog:
+      quiet: true
+  members: 3
+  type: ReplicaSet
+  version: "5.0.13"
+  security:
+    authentication:
+      modes: ["SCRAM"]
+  users:
+    - name: readwrite
+      db: application
+      passwordSecretRef:
+        name: mongodb-application-readwrite-password
+      roles:
+        - name: readWrite
+          db: application
+      scramCredentialsSecretName: mongodb-application-readwrite
+    - name: readonly
+      db: application
+      passwordSecretRef:
+        name: mongodb-application-readonly-password
+      roles:
+        - name: readOnly
+          db: application
+      scramCredentialsSecretName: mongodb-application-readonly
+  statefulSet:
+    spec:
+      logLevel: WARN
+      template:
+        spec:
+          containers:
+            - name: mongod
+              resources:
+                requests:
+                  cpu: 100m
+                  memory: 2Gi
+                limits:
+                  cpu: 2000m
+                  memory: 2Gi
+            - name: mongodb-agent
+              resources:
+                requests:
+                  cpu: 1m
+                  memory: 100Mi
+                limits: {}
+          affinity:
+            podAntiAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                - labelSelector:
+                    matchExpressions:
+                      - key: app
+                        operator: In
+                        values:
+                          - mongodb-svc
+                  topologyKey: kubernetes.io/hostname
+          nodeSelector:
+            dedicated: monitoring
+          tolerations:
+            - key: dedicated
+              operator: Equal
+              value: monitoring
+              effect: NoSchedule
+      volumeClaimTemplates:
+        - metadata:
+            name: logs-volume
+          spec:
+            storageClassName: local-path
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 512Mi
+        - metadata:
+            name: data-volume
+          spec:
+            storageClassName: local-path
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 2Gi
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: log-shipper
+spec:
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 50%
+  selector:
+    matchLabels:
+      app: log-shipper
+  template:
+    metadata:
+      labels:
+        app: log-shipper
+    spec:
+      serviceAccountName: log-shipper
+      containers:
+        - name: log-shipper
+          image: harbor.k-space.ee/k-space/log-shipper
+          securityContext:
+            runAsUser: 0
+          env:
+            - name: MY_POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: MONGODB_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: mongodb-application-readwrite
+                  key: connectionString.standard
+          ports:
+            - containerPort: 8000
+              name: metrics
+          resources:
+            limits:
+              memory: 200Mi
+            requests:
+              cpu: 100m
+              memory: 100Mi
+          volumeMounts:
+            - name: etcmachineid
+              mountPath: /etc/machine-id
+              readOnly: true
+            - name: varlibdockercontainers
+              mountPath: /var/lib/docker/containers
+              readOnly: true
+            - name: varlog
+              mountPath: /var/log
+              readOnly: true
+      volumes:
+        - name: etcmachineid
+          hostPath:
+            path: /etc/machine-id
+        - name: varlibdockercontainers
+          hostPath:
+            path: /var/lib/docker/containers
+        - name: varlog
+          hostPath:
+            path: /var/log
+      tolerations:
+        - operator: "Exists"
+          effect: "NoExecute"
+        - operator: "Exists"
+          effect: "NoSchedule"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: logging-log-shipper
+subjects:
+  - kind: ServiceAccount
+    name: log-shipper
+    namespace: playground
+roleRef:
+  kind: ClusterRole
+  name: filebeat
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: log-shipper
+  labels:
+    app: log-shipper
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: log-shipper
+spec:
+  podSelector:
+    matchLabels:
+      app: log-shipper
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: prometheus-operator
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app: mongodb-svc
+      ports:
+        - port: 27017
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: log-viewer-backend
+spec:
+  podSelector:
+    matchLabels:
+      app: log-viewer-backend
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app: mongodb-svc
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: log-viewer-frontend
+spec:
+  podSelector:
+    matchLabels:
+      app: log-viewer-frontend
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: log-shipper
+spec:
+  selector:
+    matchLabels:
+      app: log-shipper
+  podMetricsEndpoints:
+    - port: metrics
--- a/_disabled/playground/mongodb-support.yml
+++ b/_disabled/playground/mongodb-support.yml
--- a/_disabled/playground/mongoexpress.yml
+++ b/_disabled/playground/mongoexpress.yml
--- a/_disabled/playground/networkpolicy-base.yml
+++ b/_disabled/playground/networkpolicy-base.yml
--- a/_disabled/whoami-oidc/application.yaml
+++ b/_disabled/whoami-oidc/application.yaml
@@ -0,0 +1,103 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCClient
+metadata:
+  name: whoami-oidc
+  namespace: whoami-oidc
+spec:
+  displayName: Whoami OIDC
+  uri: https://whoami-oidc.k-space.ee
+  redirectUris:
+    - https://whoami-oidc.k-space.ee/auth/callback
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile
+  pkce: false
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: whoami-oidc
+  labels:
+    app.kubernetes.io/name: whoami-oidc
+spec:
+  replicas: 1
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: whoami-oidc
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: whoami-oidc
+    spec:
+      containers:
+        - name: whoami-oidc
+          image: harbor.k-space.ee/rasmus/oidctest:latest@sha256:55927b9a50580fb087277af25fbc492b5ab4abcc1926c29ed40c190a99ced77b
+          env:
+            - name: OIDC_ROOT_URL
+              value: https://whoami-oidc.k-space.ee
+            - name: OIDC_PROVIDER
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-whoami-oidc-owner-secrets
+                  key: OIDC_GATEWAY_URI
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-whoami-oidc-owner-secrets
+                  key: OIDC_CLIENT_ID
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-whoami-oidc-owner-secrets
+                  key: OIDC_CLIENT_SECRET
+          ports:
+            - containerPort: 9009
+              name: http
+          resources:
+            limits:
+              cpu: "1"
+              memory: "512Mi"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami-oidc
+spec:
+  selector:
+    app.kubernetes.io/name: whoami-oidc
+  ports:
+  - port: 80
+    name: http
+    targetPort: http
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: whoami-oidc
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+spec:
+  rules:
+    - host: whoami-oidc.k-space.ee
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: whoami-oidc
+                port:
+                  name: http
+  tls:
+    - hosts:
+        - "*.k-space.ee"
--- a/argocd-image-updater/README.md
+++ b/argocd-image-updater/README.md
@@ -0,0 +1 @@
+argocd/appications/argocd-image-updater.yaml
--- a/argocd/README.md
+++ b/argocd/README.md
@@ -1,46 +1,58 @@
-# Workflow
-
 Most applications in our Kubernetes cluster are managed by ArgoCD.
+Most notably operators are NOT managed by ArgoCD.

+## Managing applications
+Update apps (see TODO below):

-# Deployment
+```
+for j in asterisk bind camtiler etherpad freescout gitea grafana hackerspace nextcloud nyancat rosdump traefik wiki wildduck; do
+cat << EOF >> applications/$j.yaml
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: $j
+  namespace: argocd
+  annotations:
+    # Works with only Kustomize and Helm. Kustomize is easy, see https://github.com/argoproj-labs/argocd-image-updater/tree/master/manifests/base for an example.
+    argocd-image-updater.argoproj.io/image-list: TODO:^2 # semver 2.*.*
+    argocd-image-updater.argoproj.io/write-back-method: git
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: $j
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: $j
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+EOF
+done
+find applications -name "*.yaml" -exec kubectl apply -n argocd -f {} \;
+```

-To deploy ArgoCD:
+### Repository secrets
+1. Generate keys locally with `ssh-keygen -f argo`
+2. Add `argo.pub` in `git.k-space.ee/<your>/<repo>` → Settings → Deploy keys
+3. Add `argo` (private key) at https://argocd.k-space.ee/settings/repos along with referenced repo.
+
+## Argo Deployment
+To deploy ArgoCD itself:

 ```bash
 helm repo add argo-cd https://argoproj.github.io/argo-helm
-kubectl create secret -n argocd generic argocd-secret # Initialize empty secret for sessions
+kubectl create secret -n argocd generic argocd-secret # Empty secret for sessions
+kubectl label -n argocd secret oidc-client-argocd-owner-secrets app.kubernetes.io/part-of=argocd
+
 helm template -n argocd --release-name k6 argo-cd/argo-cd --include-crds -f values.yaml > argocd.yml
-kubectl apply -f argocd.yml -n argocd
-kubectl -n argocd rollout restart deployment/k6-argocd-redis
-kubectl -n argocd rollout restart deployment/k6-argocd-repo-server
-kubectl -n argocd rollout restart deployment/k6-argocd-server
-kubectl -n argocd rollout restart deployment/k6-argocd-notifications-controller
-kubectl -n argocd rollout restart statefulset/k6-argocd-application-controller
+kubectl apply -f argocd.yml -f application-extras.yml -f redis.yaml -f monitoring.yml -n argocd
+
+kubectl -n argocd rollout restart deployment/k6-argocd-redis deployment/k6-argocd-repo-server deployment/k6-argocd-server deployment/k6-argocd-notifications-controller statefulset/k6-argocd-application-controller
 ```

-Note: Refer to Authelia README for OIDC secret setup
-
-
-# Setting up Git secrets
-
-Generate SSH key to access Gitea:
-
-```
-ssh-keygen -t ecdsa -f id_ecdsa -C argocd.k-space.ee -P ''
-kubectl -n argocd create secret generic gitea-kube \
-  --from-literal=type=git \
-  --from-literal=url=git@git.k-space.ee:k-space/kube \
-  --from-file=sshPrivateKey=id_ecdsa
-kubectl -n argocd create secret generic gitea-kube-staging \
-  --from-literal=type=git \
-  --from-literal=url=git@git.k-space.ee:k-space/kube-staging \
-  --from-file=sshPrivateKey=id_ecdsa
-kubectl label -n argocd secret gitea-kube argocd.argoproj.io/secret-type=repository
-kubectl label -n argocd secret gitea-kube-staging argocd.argoproj.io/secret-type=repository
-rm -fv id_ecdsa
-```
-
-Have Gitea admin reset password for user `argocd` and log in with that account.
-Add the SSH key for user `argocd` from file `id_ecdsa.pub`.
-Delete any other SSH keys associated with Gitea user `argocd`.
+WARN: ArgoCD doesn't host its own redis, Dragonfly must be able to independently cold-start.
--- a/argocd/application-extras.yml
+++ b/argocd/application-extras.yml
@@ -0,0 +1,38 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCClient
+metadata:
+  name: argocd
+  namespace: argocd
+spec:
+  displayName: Argo CD
+  uri: https://argocd.k-space.ee
+  redirectUris:
+    - https://argocd.k-space.ee/auth/callback
+    - http://localhost:8085/auth/callback
+  allowedGroups:
+    - k-space:kubernetes:admins
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile
+  pkce: false
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  namespace: argocd
+  name: k-space.ee
+spec:
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'
+  destinations:
+    - namespace: '*'
+      server: '*'
+  sourceRepos:
+    - '*'
--- a/argocd/applications/argocd-applications.yaml
+++ b/argocd/applications/argocd-applications.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd-applications
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: argocd/applications
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: false
--- a/argocd/applications/argocd-image-updater.yaml
+++ b/argocd/applications/argocd-image-updater.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd-image-updater
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'https://github.com/argoproj-labs/argocd-image-updater.git'
+    path: manifests/base
+    targetRevision: stable
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true
--- a/argocd/applications/camtiler.yml
+++ b/argocd/applications/camtiler.yml
@@ -1,17 +1,20 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: camtiler
+  name: bind
  namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: camtiler
+    path: bind
    targetRevision: HEAD
  destination:
    server: 'https://kubernetes.default.svc'
-    namespace: camtiler
+    namespace: bind
  syncPolicy:
+    automated:
+      prune: true
    syncOptions:
-      - CreateNamespace=true
+    - CreateNamespace=true
--- a/argocd/applications/cert-manager.yaml
+++ b/argocd/applications/cert-manager.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: cert-manager
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: cert-manager
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/applications/dragonfly.yaml
+++ b/argocd/applications/dragonfly.yaml
@@ -0,0 +1,23 @@
+# See [/dragonfly/README.md](/dragonfly-operator-system/README.md)
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dragonfly # replaces redis and keydb
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: https://github.com/dragonflydb/dragonfly-operator
+    targetRevision: v1.1.11 # https://github.com/dragonflydb/dragonfly-operator/releases
+    path: manifests
+    directory:
+      include: 'dragonfly-operator.yaml'
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: dragonfly-operator-system
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/applications/elastic-system.yml
+++ b/argocd/applications/elastic-system.yml
@@ -1,23 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: elastic-system
-  namespace: argocd
-spec:
-  project: default
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: elastic-system
-  syncPolicy:
-    automated: {}
-    syncOptions:
-      - CreateNamespace=true
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: elastic-system
-    targetRevision: HEAD
-  ignoreDifferences:
-    - group: admissionregistration.k8s.io
-      kind: ValidatingWebhookConfiguration
-      jqPathExpressions:
-        - '.webhooks[]?.clientConfig.caBundle'
--- a/argocd/applications/etherpad.yaml
+++ b/argocd/applications/etherpad.yaml
@@ -1,10 +1,11 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: etherpad
  namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
    path: etherpad
@@ -13,5 +14,7 @@ spec:
    server: 'https://kubernetes.default.svc'
    namespace: etherpad
  syncPolicy:
+    automated:
+      prune: true
    syncOptions:
-      - CreateNamespace=true
+    - CreateNamespace=true
--- a/argocd/applications/external-dns.yml
+++ b/argocd/applications/external-dns.yml
@@ -1,17 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: external-dns
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: external-dns
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: external-dns
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
--- a/argocd/applications/external-snapshotter.yaml
+++ b/argocd/applications/external-snapshotter.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: external-snapshotter
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: external-snapshotter
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: kube-system
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/applications/freescout.yaml
+++ b/argocd/applications/freescout.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: freescout
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: freescout
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: freescout
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true
--- a/argocd/applications/frigate.yaml
+++ b/argocd/applications/frigate.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: frigate
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: frigate
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: frigate
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/applications/gitea.yaml
+++ b/argocd/applications/gitea.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitea
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: gitea
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: gitea
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true
--- a/argocd/applications/grafana.yaml
+++ b/argocd/applications/grafana.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: grafana
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: grafana
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: grafana
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/applications/hackerspace.yaml
+++ b/argocd/applications/hackerspace.yaml
@@ -1,17 +1,20 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: authelia
+  name: hackerspace
  namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: authelia
+    path: hackerspace
    targetRevision: HEAD
  destination:
    server: 'https://kubernetes.default.svc'
-    namespace: authelia
+    namespace: hackerspace
  syncPolicy:
+    automated:
+      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/applications/harbor-operator.yaml
+++ b/argocd/applications/harbor-operator.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: harbor-operator
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: harbor-operator
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: harbor-operator
+  syncPolicy:
+    automated:
+     prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/applications/harbor.yml
+++ b/argocd/applications/harbor.yml
@@ -1,17 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: harbor
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: harbor
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: harbor
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
--- a/argocd/applications/keel.yml
+++ b/argocd/applications/keel.yml
@@ -1,17 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: keel
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: keel
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: keel
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
--- a/argocd/applications/kube-system.yaml
+++ b/argocd/applications/kube-system.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kube-system
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: kube-system
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: kube-system
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true
--- a/argocd/applications/kubernetes-dashboard.yaml
+++ b/argocd/applications/kubernetes-dashboard.yaml
@@ -1,10 +1,11 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: kubernetes-dashboard
  namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
    path: kubernetes-dashboard
@@ -13,5 +14,7 @@ spec:
    server: 'https://kubernetes.default.svc'
    namespace: kubernetes-dashboard
  syncPolicy:
+    automated:
+      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/applications/logging.yml
+++ b/argocd/applications/logging.yml
@@ -1,17 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: logging
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: logging
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: logging
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
--- a/argocd/applications/metallb-system.yaml
+++ b/argocd/applications/metallb-system.yaml
@@ -1,22 +1,21 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: metallb-system
  namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: metallb-system
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
    targetRevision: HEAD
+    path: metallb-system
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: metallb-system
  syncPolicy:
+    automated:
+      prune: true
    syncOptions:
      - CreateNamespace=true
-  ignoreDifferences:
-    - group: apiextensions.k8s.io
-      kind: CustomResourceDefinition
-      jqPathExpressions:
-        - '.spec.conversion.webhook.clientConfig.caBundle'
--- a/argocd/applications/minio-clusters.yaml
+++ b/argocd/applications/minio-clusters.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: minio-clusters
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: minio-clusters
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: minio-clusters
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true
--- a/argocd/applications/monitoring.yaml
+++ b/argocd/applications/monitoring.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: monitoring
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: monitoring
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: monitoring
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true
--- a/argocd/applications/mysql-operator.yml
+++ b/argocd/applications/mysql-operator.yml
@@ -1,17 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: mysql-operator
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: mysql-operator
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: mysql-operator
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
--- a/argocd/applications/nextcloud.yaml
+++ b/argocd/applications/nextcloud.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nextcloud
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: nextcloud
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: nextcloud
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true
--- a/argocd/applications/nyancat.yaml
+++ b/argocd/applications/nyancat.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nyancat
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: nyancat
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: nyancat
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true
--- a/argocd/applications/passmower-members.yaml
+++ b/argocd/applications/passmower-members.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: members
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:secretspace/members.git'
+    path: members
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: passmower
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true
--- a/argocd/applications/passmower.yaml
+++ b/argocd/applications/passmower.yaml
@@ -1,17 +1,18 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: drone
+  name: passmower
  namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: drone
+    path: passmower
    targetRevision: HEAD
  destination:
    server: 'https://kubernetes.default.svc'
-    namespace: drone
+    namespace: passmower
  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
+    automated:
+      prune: true
--- a/argocd/applications/pgweb.yaml
+++ b/argocd/applications/pgweb.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: pgweb
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: pgweb
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: pgweb
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true
--- a/argocd/applications/phpmyadmin.yml
+++ b/argocd/applications/phpmyadmin.yml
@@ -1,17 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: phpmyadmin
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: phpmyadmin
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: phpmyadmin
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
--- a/argocd/applications/prometheus-operator.yaml
+++ b/argocd/applications/prometheus-operator.yaml
@@ -0,0 +1,24 @@
+# Note: Do not put any Prometheus instances or exporters in this namespace, instead have them in `monitoring` namespace
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prometheus-operator
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: https://github.com/prometheus-operator/prometheus-operator.git
+    targetRevision: v0.82.0
+    path: .
+    kustomize:
+      namespace: prometheus-operator
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: prometheus-operator
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true # Resource is too big to fit in 262144 bytes allowed annotation size.
--- a/argocd/applications/prometheus-operator.yml
+++ b/argocd/applications/prometheus-operator.yml
@@ -1,14 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: prometheus-operator
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: prometheus-operator
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: prometheus-operator
--- a/argocd/applications/reloader.yml
+++ b/argocd/applications/reloader.yml
@@ -1,17 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: reloader
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: reloader
-    targetRevision: HEAD
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: reloader
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
--- a/argocd/applications/ripe87.yaml
+++ b/argocd/applications/ripe87.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ripe87
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: ripe87
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: ripe87
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true
--- a/argocd/applications/rook-ceph.yaml
+++ b/argocd/applications/rook-ceph.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: rook-ceph
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: rook-ceph
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: rook-ceph
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true
--- a/argocd/applications/rosdump.yaml
+++ b/argocd/applications/rosdump.yaml
@@ -1,10 +1,11 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: rosdump
  namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
    path: rosdump
@@ -13,5 +14,7 @@ spec:
    server: 'https://kubernetes.default.svc'
    namespace: rosdump
  syncPolicy:
+    automated:
+      prune: true
    syncOptions:
-      - CreateNamespace=true
+    - CreateNamespace=true
--- a/argocd/applications/secret-claim-operator.yaml
+++ b/argocd/applications/secret-claim-operator.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: secret-claim-operator
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: https://github.com/codemowers/operatorlib
+    path: samples/secret-claim-operator
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: secret-claim-operator
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/applications/signs.yaml
+++ b/argocd/applications/signs.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: signs
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: signs
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: signs
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true
--- a/argocd/applications/tigera-operator.yaml
+++ b/argocd/applications/tigera-operator.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tigera-operator
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: tigera-operator
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: tigera-operator
+    # also houses calico-system and calico-apiserver
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true # Resource is too big to fit in 262144 bytes allowed annotation size.
+      - Force=true # `--force-conflicts`, according to https://docs.tigera.io/calico/latest/operations/upgrading/kubernetes-upgrade
--- a/argocd/applications/traefik.yaml
+++ b/argocd/applications/traefik.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: traefik
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: traefik
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: traefik
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true
--- a/argocd/applications/whoami.yaml
+++ b/argocd/applications/whoami.yaml
@@ -1,17 +1,20 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: foobar
+  name: whoami
  namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: foobar
+    path: whoami
    targetRevision: HEAD
  destination:
    server: 'https://kubernetes.default.svc'
-    namespace: foobar
+    namespace: whoami
  syncPolicy:
+    automated:
+      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/applications/drone-execution.yml
+++ b/argocd/applications/drone-execution.yml
@@ -1,17 +1,20 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: drone-execution
+  name: wiki
  namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
-    path: drone-execution
+    path: wiki
    targetRevision: HEAD
  destination:
    server: 'https://kubernetes.default.svc'
-    namespace: drone-execution
+    namespace: wiki
  syncPolicy:
+    automated:
+      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/applications/wildduck.yaml
+++ b/argocd/applications/wildduck.yaml
@@ -1,10 +1,11 @@
+---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: wildduck
  namespace: argocd
 spec:
-  project: default
+  project: k-space.ee
  source:
    repoURL: 'git@git.k-space.ee:k-space/kube.git'
    path: wildduck
@@ -13,5 +14,7 @@ spec:
    server: 'https://kubernetes.default.svc'
    namespace: wildduck
  syncPolicy:
+    automated:
+      prune: true
    syncOptions:
      - CreateNamespace=true
--- a/argocd/applications/woodpecker.yaml
+++ b/argocd/applications/woodpecker.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: woodpecker
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: woodpecker
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: woodpecker
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/deploy_key.pub
+++ b/argocd/deploy_key.pub
@@ -0,0 +1,2 @@
+# used for git.k-space: k-space/kube, secretspace/kube, secretspace/members
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOxYpFf85Vnxw7WNb/V5dtZT0PJ4VbBhdBNscDd8TVv/ argocd.k-space.ee
--- a/argocd/redis.yaml
+++ b/argocd/redis.yaml
@@ -0,0 +1,50 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+  name: argocd-redis
+  namespace: argocd
+spec:
+  size: 32
+  mapping:
+    - key: redis-password
+      value: "%(plaintext)s"
+    - key: REDIS_URI
+      value: "redis://:%(plaintext)s@argocd-redis"
+---
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+  name: argocd-redis
+  namespace: argocd
+spec:
+  authentication:
+    passwordFromSecret:
+      key: redis-password
+      name: argocd-redis
+  replicas: 3
+  resources:
+    limits:
+      cpu: 1000m
+      memory: 1Gi
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: topology.kubernetes.io/zone
+      whenUnsatisfiable: DoNotSchedule
+      labelSelector:
+        matchLabels:
+          app: argocd-redis
+          app.kubernetes.io/part-of: dragonfly
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: argocd-redis
+  namespace: argocd
+spec:
+  selector:
+    matchLabels:
+      app: argocd-redis
+      app.kubernetes.io/part-of: dragonfly
+  podMetricsEndpoints:
+    - port: admin
--- a/argocd/values.yaml
+++ b/argocd/values.yaml
@@ -1,79 +1,29 @@
 global:
  logLevel: warn
+  domain: argocd.k-space.ee

-# We use Authelia OIDC instead of Dex
 dex:
  enabled: false

-# Maybe one day switch to Redis HA?
+redis:
+  enabled: false
 redis-ha:
  enabled: false
+externalRedis:
+  host: argocd-redis
+  existingSecret: argocd-redis

 server:
-  # HTTPS is implemented by Traefik
-  extraArgs:
-    - --insecure
  ingress:
    enabled: true
    annotations:
-      cert-manager.io/cluster-issuer: default
      external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
-      traefik.ingress.kubernetes.io/router.tls: "true"
    hosts:
    - argocd.k-space.ee
-    tls:
+    extraTls:
     - hosts:
-       - argocd.k-space.ee
-       secretName: argocd-server-tls
-  configEnabled: true
-  config:
-    admin.enabled: "false"
-    url: https://argocd.k-space.ee
-    application.instanceLabelKey: argocd.argoproj.io/instance
-    oidc.config: |
-       name: Authelia
-       issuer: https://auth.k-space.ee
-       clientID: argocd
-       cliClientID: argocd
-       clientSecret: $oidc.config.clientSecret
-       requestedIDTokenClaims:
-         groups:
-           essential: true
-       requestedScopes:
-         - openid
-         - profile
-         - email
-         - groups
-    resource.customizations: |
-      # https://github.com/argoproj/argo-cd/issues/1704
-      networking.k8s.io/Ingress:
-          health.lua: |
-            hs = {}
-            hs.status = "Healthy"
-            return hs
-
-  # Members of ArgoCD Admins group in AD/Samba are allowed to administer Argo
-  rbacConfig:
-    policy.default: role:readonly
-    policy.csv: |
-      # Map AD groups to ArgoCD roles
-      g, Developers, role:developers
-      g, ArgoCD Admins, role:admin
-      # Allow developers to read objects
-      p, role:developers, applications, get, */*, allow
-      p, role:developers, certificates, get, *, allow
-      p, role:developers, clusters, get, *, allow
-      p, role:developers, repositories, get, *, allow
-      p, role:developers, projects, get, *, allow
-      p, role:developers, accounts, get, *, allow
-      p, role:developers, gpgkeys, get, *, allow
-      p, role:developers, logs, get, */*, allow
-      p, role:developers, applications, restart, default/camtiler, allow
-      p, role:developers, applications, override, default/camtiler, allow
-      p, role:developers, applications, action/apps/Deployment/restart, default/camtiler, allow
-      p, role:developers, applications, sync, default/camtiler, allow
-      p, role:developers, applications, update, default/camtiler, allow
+       - "*.k-space.ee"

  metrics:
    enabled: true
@@ -95,11 +45,64 @@ controller:
    enabled: true

 configs:
+  params:
+    server.insecure: true
+  rbac:
+    policy.default: role:admin
+    policy.csv: |
+      # Map AD groups to ArgoCD roles
+      g, Developers, role:developers
+      g, ArgoCD Admins, role:admin
+      # Allow developers to read objects
+      p, role:developers, applications, get, */*, allow
+      p, role:developers, certificates, get, *, allow
+      p, role:developers, clusters, get, *, allow
+      p, role:developers, repositories, get, *, allow
+      p, role:developers, projects, get, *, allow
+      p, role:developers, accounts, get, *, allow
+      p, role:developers, gpgkeys, get, *, allow
+      p, role:developers, logs, get, */*, allow
+      p, role:developers, applications, restart, default/camtiler, allow
+      p, role:developers, applications, override, default/camtiler, allow
+      p, role:developers, applications, action/apps/Deployment/restart, default/camtiler, allow
+      p, role:developers, applications, sync, default/camtiler, allow
+      p, role:developers, applications, update, default/camtiler, allow
+      # argocd-image-updater
+      p, role:image-updater, applications, get, */*, allow
+      p, role:image-updater, applications, update, */*, allow
+      g, image-updater, role:image-updater
+  cm:
+    kustomize.buildOptions: --enable-helm
+    admin.enabled: "false"
+    resource.customizations: |
+      # https://github.com/argoproj/argo-cd/issues/1704
+      networking.k8s.io/Ingress:
+          health.lua: |
+            hs = {}
+            hs.status = "Healthy"
+            return hs
+      apiextensions.k8s.io/CustomResourceDefinition:
+          ignoreDifferences: |
+            jsonPointers:
+              - "x-kubernetes-validations"
+    oidc.config: |
+       name: OpenID Connect
+       issuer: https://auth.k-space.ee/
+       clientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID
+       cliClientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID
+       clientSecret: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_SECRET
+       requestedIDTokenClaims:
+         groups:
+           essential: true
+       requestedScopes:
+         - openid
+         - profile
+         - email
+         - groups
  secret:
    createSecret: false
-  knownHosts:
-    data:
-      ssh_known_hosts: |
+  ssh:
+    knownHosts: |
        # Copy-pasted from `ssh-keyscan git.k-space.ee`
        git.k-space.ee ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCF1+/TDRXuGwsu4SZQQwQuJusb7W1OciGAQp/ZbTTvKD+0p7fV6dXyUlWjdFmITrFNYDreDnMiOS+FvE62d2Z0=
        git.k-space.ee ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsLyRuubdIUnTKEqOipu+9x+FforrC8+oxulVrl0ECgdIRBQnLQXIspTNwuC3MKJ4z+DPbndSt8zdN33xWys8UNEs3V5/W6zsaW20tKiaX75WK5eOL4lIDJi/+E97+c0aZBXamhxTrgkRVJ5fcAkY6C5cKEmVM5tlke3v3ihLq78/LpJYv+P947NdnthYE2oc+XGp/elZ0LNfWRPnd///+ykbwWirvQm+iiDz7PMVKkb+Q7l3vw4+zneKJWAyFNrm+aewyJV9lFZZJuHliwlHGTriSf6zhMAWyJzvYqDAN6iT5yi9KGKw60J6vj2GLuK4ULVblTyP9k9+3iELKSWW5
--- a/authelia/.gitignore
+++ b/authelia/.gitignore
@@ -1,2 +0,0 @@
-application-secrets.y*ml
-oidc-secrets.y*ml
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`argocd/appications/argocd-image-updater.yaml`