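---
# Entrypoint script for the cfssl CA pod. The cfssl Deployment mounts this
# key as /cfssl/entrypoint.sh and runs it with /cfssl as the working
# directory, so every relative path below resolves on the shared cfssl PVC.
#
# NOTE(review): csr_server.json and config_server.json are not supplied by
# any manifest in this gist; the script blocks until something else writes
# them into /cfssl. The CA private key (ca-key.pem) is also written to that
# PVC, and the nextcloud Deployment mounts the same claim -- anything running
# in the Nextcloud pod can read the CA key. Confirm this is intended, or keep
# the key on a volume (or Secret) that only the cfssl pod mounts.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cfssl-entrypoint
data:
  entrypoint.sh: |
    #! /bin/bash
    # Fail fast: an error in genkey must not fall through to `cfssl serve`
    # with a missing or half-written CA.
    set -euo pipefail

    if [ ! -f csr_server.json ] || [ ! -f config_server.json ]; then
      echo "no csr_server.json or config_server.json detected!"
    fi
    while [ ! -f csr_server.json ] || [ ! -f config_server.json ]; do
      sleep 1
    done

    # Generate the CA key pair once; later restarts reuse the key from the
    # persistent volume.
    if [ ! -f ca-key.pem ]; then
      cfssl genkey -initca=true csr_server.json | cfssljson -bare ca
      # The private key must never be group- or world-readable.
      chmod 600 ca-key.pem
    fi

    # Listen on every pod interface; the cfssl Service exposes 8888 in-cluster.
    # Whether signing requests need an auth key depends on config_server.json,
    # which is not part of this gist -- verify it configures "auth_keys".
    # exec so cfssl is PID 1 and receives SIGTERM on pod shutdown.
    exec cfssl serve -address=0.0.0.0 -ca-key ca-key.pem -ca ca.pem -config config_server.json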
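---
# cfssl CA server. One replica with the Recreate strategy, because the CA
# state lives on a ReadWriteOnce PVC that cannot be attached twice.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cfssl
  labels:
    component: cfssl
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      component: cfssl
  template:
    metadata:
      labels:
        component: cfssl
    spec:
      initContainers:
        # Hand the volume to uid 33 / gid 0 so the cfssl process and the
        # Nextcloud pod (which mounts the same PVC) can both write under
        # /cfssl. Runs as root inside busybox.
        # NOTE(review): `busybox` is unpinned -- pin a tag, ideally a digest.
        - name: volume-mount-chown
          image: busybox
          command: ["sh", "-c", "chown -R 33:0 /cfssl"]
          volumeMounts:
            - name: $APP-cfssl-persistent-storage
              mountPath: /cfssl
      containers:
        # NOTE(review): `cfssl/cfssl` is unpinned and the container sets no
        # securityContext or resource limits. Pin the image and, once the uid
        # the image needs is confirmed, add runAsNonRoot and
        # readOnlyRootFilesystem (only /cfssl needs to be writable).
        - name: cfssl
          image: cfssl/cfssl
          resources: {}
          workingDir: /cfssl
          command:
            - /bin/bash
          args:
            - /cfssl/entrypoint.sh
          ports:
            - name: cfssl
              containerPort: 8888
          volumeMounts:
            - name: $APP-cfssl-persistent-storage
              mountPath: /cfssl
            - name: $APP-cfssl-entrypoint
              mountPath: /cfssl/entrypoint.sh
              subPath: entrypoint.sh
      restartPolicy: Always
      volumes:
        - name: $APP-cfssl-persistent-storage
          persistentVolumeClaim:
            # Must match the PVC's metadata.name, which carries no $APP prefix.
            claimName: cfssl-pvc
        - name: $APP-cfssl-entrypoint
          configMap:
            # Must match the ConfigMap's metadata.name, which carries no $APP prefix.
            name: cfssl-entrypoint
            defaultMode: 0744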
---
# Backing storage for the cfssl CA (key, certificate, CSR/config inputs).
# NOTE(review): this claim is ReadWriteOnce but is mounted by both the cfssl
# and the nextcloud Deployments. On block storage such as hcloud-volumes that
# only works while both pods are scheduled on the same node; nothing here
# (no affinity rule) guarantees that, so the second pod may never start.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: cfssl-pvc
spec:
  storageClassName: hcloud-volumes
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
# Headless Service for the cfssl signing API on port 8888.
# NOTE(review): no NetworkPolicy accompanies this gist, so every pod in the
# cluster can reach the CA endpoint; restrict ingress to the pods that need
# to request certificates.
apiVersion: v1
kind: Service
metadata:
  name: cfssl
  labels:
    component: cfssl
spec:
  clusterIP: None
  selector:
    component: cfssl
  ports:
    - port: 8888
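---
# Nextcloud application pod. Single replica, Recreate strategy, state on a
# ReadWriteOnce PVC.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nextcloud
  labels:
    component: nextcloud
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      component: nextcloud
  template:
    metadata:
      labels:
        component: nextcloud
    spec:
      imagePullSecrets:
        - name: jbm-registry-cred
      containers:
        # NOTE(review): no securityContext or resource limits; pin
        # $NEXTCLOUD_IMAGE to a digest in the substituting pipeline.
        - name: nextcloud
          image: $NEXTCLOUD_IMAGE
          resources: {}
          env:
            # Database credentials come from the mariadb-secrets Secret,
            # which is not part of this gist.
            # NOTE(review): no MYSQL_HOST is set. The official image only
            # auto-configures MariaDB when host, database, user and password
            # are all present -- confirm the image used here behaves the same.
            - name: MYSQL_DATABASE
              valueFrom:
                secretKeyRef:
                  name: mariadb-secrets
                  key: MYSQL_DATABASE
            - name: MYSQL_USER
              valueFrom:
                secretKeyRef:
                  name: mariadb-secrets
                  key: MYSQL_USER
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mariadb-secrets
                  key: MYSQL_PASSWORD
            # TLS terminates at the ingress; make Nextcloud generate https URLs.
            - name: OVERWRITEPROTOCOL
              value: https
          ports:
            # NOTE(review): container port names are limited to 15 characters
            # and must be a DNS label; check the value after $APP substitution.
            - name: $APP-app
              containerPort: 80
          volumeMounts:
            - name: $APP-nextcloud-persistent-storage
              mountPath: /var/www/html
            # Shared with the cfssl pod, whose init container chowns the whole
            # volume to uid 33. If the Nextcloud process runs as uid 33
            # (www-data) it can read the CA private key stored there.
            - name: $APP-cfssl-persistent-storage
              mountPath: /cfssl
      restartPolicy: Always
      volumes:
        - name: $APP-nextcloud-persistent-storage
          persistentVolumeClaim:
            # Must match the PVC's metadata.name, which carries no $APP prefix.
            claimName: nextcloud-pvc
        - name: $APP-cfssl-persistent-storage
          persistentVolumeClaim:
            # Must match the PVC's metadata.name, which carries no $APP prefix.
            claimName: cfssl-pvc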
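---
# Public entry point for Nextcloud. TLS is issued by cert-manager into the
# $APP-tls Secret and terminated by ingress-nginx.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/issuer: "letsencrypt-production"
    # Redirect plain-HTTP clients to HTTPS. The Nextcloud pod already sets
    # OVERWRITEPROTOCOL=https, and leaving the redirect off lets session
    # cookies and Basic-auth credentials travel over cleartext.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # NOTE(review): enable-cors without cors-allow-origin defaults to "*".
    # Nextcloud's own web UI is same-origin; unless a third-party browser
    # client needs cross-origin access, drop the three CORS annotations.
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-headers: "authorization,content-type"
    nginx.ingress.kubernetes.io/cors-exposed-headers: "authorization,content-type"
    nginx.ingress.kubernetes.io/proxy-body-size: "128m"
    # Standard Nextcloud well-known / DAV redirects.
    # NOTE(review): server-snippet only takes effect when the controller
    # allows snippet annotations (disabled by default in recent ingress-nginx
    # releases), and the catch-all /.well-known redirect also matches ACME
    # HTTP-01 paths -- verify cert-manager's solver still receives challenges.
    nginx.ingress.kubernetes.io/server-snippet: |-
      location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
      }
      location ^~ /.well-known {
        location = /.well-known/carddav {
          return 301 /remote.php/dav/;
        }
        location = /.well-known/caldav {
          return 301 /remote.php/dav/;
        }
        return 301 /index.php$request_uri;
      }
      location /remote {
        return 301 /remote.php$request_uri;
      }
spec:
  tls:
    - hosts:
        - $DOMAIN
      secretName: $APP-tls
  rules:
    - host: $DOMAIN
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nextcloud
                port:
                  number: 80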
---
# Persistent storage for /var/www/html of the Nextcloud pod (config, apps,
# user data). ReadWriteOnce is sufficient: the Deployment runs one replica
# with the Recreate strategy.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nextcloud-pvc
spec:
  storageClassName: hcloud-volumes
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
---
# Headless Service in front of the Nextcloud pod; the Ingress routes to it by
# name on port 80 (targetPort defaults to the same port).
apiVersion: v1
kind: Service
metadata:
  name: nextcloud
  labels:
    component: nextcloud
spec:
  clusterIP: None
  selector:
    component: nextcloud
  ports:
    - name: nextcloud
      port: 80