chore: add current provisioning state before migration

cluster/git/default/gitconfig

@@ -0,0 +1,20 @@
+[user]
+	name = DevAdm
+	email = devadm@cloudnative.zone
+	signingkey = /home/devadm/.ssh/id_cdci.pub
+[filter "lfs"]
+	process = git-lfs filter-process
+	required = true
+	clean = git-lfs clean -- %f
+	smudge = git-lfs smudge -- %f
+[core]
+	quotepath = false
+[commit]
+	template = /home/devadm/.stCommitMsg
+	gpgsign = true
+[branch]
+	autosetuprebase = always
+[init]
+	defaultBranch = main
+[gpg]
+	format = ssh

cluster/git/default/gitea/full_app.ini

@@ -0,0 +1,154 @@
+APP_NAME = Local Repo CloudNative zone
+RUN_MODE = prod
+RUN_USER = git
+WORK_PATH = /data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+PROTOCOL = http
+APP_DATA_PATH = /data/gitea
+SSH_DOMAIN = localrepo.cloudnative.zone
+DOMAIN = localrepo.cloudnative.zone
+HTTP_ADDR = 0.0.0.0
+HTTP_PORT = 3000
+ROOT_URL = https://localrepo.cloudnative.zone/
+DISABLE_SSH = false
+LFS_START_SERVER = true
+shFS_MAX_FILE_SIZE = 0
+LFS_LOCK_PAGING_NUM = 50
+; Permission for unix socket
+UNIX_SOCKET_PERMISSION = 666
+START_SSH_SERVER = true
+BUILTIN_SSH_SERVER_USER = git
+; The network interface the builtin SSH server should listen on
+; SSH_LISTEN_HOST =
+; Port number to be exposed in clone URL
+SSH_PORT = 2022
+; The port number the builtin SSH server should listen on
+SSH_LISTEN_PORT = %(SSH_PORT)s
+; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
+; SSH_ROOT_PATH =
+SSH_ROOT_PATH = /data/git/repositories
+; Gitea will create a authorized_keys file by default when it is not using the internal ssh server
+; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off.
+SSH_CREATE_AUTHORIZED_KEYS_FILE = false
+; For the built-in SSH server, choose the ciphers to support for SSH connections,
+; for system SSH this setting has no effect
+SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128
+; For the built-in SSH server, choose the key exchange algorithms to support for SSH connections
+; for system SSH this setting has no effect
+SSH_SERVER_KEY_EXCHANGES = diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256@libssh.org
+; for system SSH this setting has no effect
+SSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1, hmac-sha1-96
+; Directory to create temporary files in when testing public keys using ssh-keygen,
+; default is the system temporary directory.
+; SSH_KEY_TEST_PATH =
+; Path to ssh-keygen, default is 'ssh-keygen' which means the shell is responsible for finding out which one to call.
+SSH_KEYGEN_PATH = ssh-keygen
+; Enable SSH Authorized Key Backup when rewriting all keys, default is true
+SSH_BACKUP_AUTHORIZED_KEYS = true
+; Enable exposure of SSH clone URL to anonymous visitors, default is false
+SSH_EXPOSE_ANONYMOUS = false
+; Indicate whether to check minimum key size with corresponding type
+MINIMUM_KEY_SIZE_CHECK = false
+; Disable CDN even in "prod" mode
+DISABLE_ROUTER_LOG = false
+OFFLINE_MODE = true
+
+; Generate steps:
+; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com
+; 
+; Or from a .pfx file exported from the Windows certificate store (do
+; not forget to export the private key):
+; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
+; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
+# CERT_FILE                       = /data/gitea/conf/ssl/fullchain.pem
+# KEY_FILE                        = /data/gitea/conf/ssl/privkey.pem
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = postgres
+HOST = db:5432
+NAME = gitea
+USER = gitea
+PASSWD = gitea
+LOG_SQL = false
+SCHEMA = 
+SSL_MODE = disable
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = info
+ROOT_PATH = /data/gitea/log
+
+[security]
+INSTALL_LOCK = false
+SECRET_KEY = 
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+PASSWORD_HASH_ALGO = pbkdf2
+
+[service]
+DISABLE_REGISTRATION = false
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = false
+ENABLE_CAPTCHA = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localrepo.cloudnative.zone
+
+[lfs]
+PATH = /data/git/lfs
+
+[mailer]
+ENABLED = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = true
+
+[cron.update_checker]
+ENABLED = false
+
+[repository.pull-request]
+DEFAULT_MERGE_STYLE = merge
+
+[repository.signing]
+DEFAULT_TRUST_MODEL = committer
+
+[oauth2]
+
+[webhook] 
+; Hook task queue length, increase if webhook shooting starts hanging
+QUEUE_LENGTH    = 1000
+; Deliver timeout in seconds
+DELIVER_TIMEOUT =
+; Allow insecure certification
+SKIP_TLS_VERIFY = false
+; Number of history information in each page
+PAGING_NUM      = 10
+ALLOWED_HOST_LIST = 10.11.1.0/24

cluster/git/default/gitea/patch-app-ini.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+# Info: Script to patch Gita app.ini after init 
+# Author: JesusPerezLorenzo 
+# Release: 1.0
+# Date: 19-11-2023
+
+ROOT_DATA=${ROOT_DATA:-/data}
+DATA_REPO=${DATA_REPO:-$ROOT_DATA/repo}
+
+[ ! -r "$DATA_REPO/gitea/conf/app.ini" ] && echo "Error: app.ini not found " && exit 1
+
+[ ! -r "gitea/webhook_app.ini" ]  && echo "Error: no gitea/webhook_api.ini" && exit 1 
+
+if ! grep -q "\[webhook\]" "$DATA_REPO/gitea/conf/app.ini" ; then
+     	cat gitea/webhook_app.ini >> "$DATA_REPO/gitea/conf/app.ini" 
+	sudo systemctl restart pod-repo.service
+fi
+

cluster/git/default/gitea/webhook_app.ini

@@ -0,0 +1,11 @@
+
+[webhook] 
+; Hook task queue length, increase if webhook shooting starts hanging
+QUEUE_LENGTH    = 1000
+; Deliver timeout in seconds
+DELIVER_TIMEOUT =
+; Allow insecure certification
+SKIP_TLS_VERIFY = false
+; Number of history information in each page
+PAGING_NUM      = 10
+ALLOWED_HOST_LIST = 10.11.1.0/24

cluster/git/default/install-git.sh

@@ -0,0 +1,95 @@
+#!/bin/bash
+# Info: Script to install/create service pod_repo
+# Author: JesusPerezLorenzo 
+# Release: 1.0
+# Date: 19-11-2023
+
+ROOT_DATA=${ROOT_DATA:-/data}
+DATA_REPO=${DATA_REPO:-$ROOT_DATA/repo}
+DATA_DOC=${DATA_DOC:-$ROOT_DATA/doc}
+DATA_DBS=${DATA_DBS:-$ROOT_DATA/dbs}
+DATA_WEBHOOKS=${DATA_WEBHOOKS:-$ROOT_DATA/webhooks}
+
+ROOT_SOURCE=$(dirname "$0")
+
+exit 1
+sudo mkdir -p $ROOT_DATA
+sudo chown -R $(id -u):$(id -g)  $ROOT_DATA
+
+if [ ! -r "env" ] ; then 
+	echo "# Env settings " >env
+	echo "DATA_REPO=$DATA_REPO" >>env
+	echo "DATA_DOC=$DATA_DOC" >>env
+	echo "DATA_DBS=$DATA_DBS" >>env
+fi
+
+if [ ! -d "$DATA_REPO" ] && [ -r "$ROOT_SOURCE/data.tar.gz" ] ; then 
+   sudo tar -C / -xzf "$ROOT_SOURCE/data.tar.gz" && echo "Data Services installed !"
+else
+	sudo mkdir -p $DATA_REPO/gitea/conf
+	sudo mkdir -p $DATA_DOC
+	sudo mkdir -p $DATA_DBS
+fi
+
+hostname=$(hostname -s)
+id=$(id -u)
+
+if [ -r "gitconfig" ] ; then 
+   [ ! -r "$HOME/.gitconfig" ] && cp gitconfig "$HOME/.gitconfig" 
+   [ -d "/home/devadm" ] && [ ! -r "/home/devadm/.gitconfig" ] && sudo cp gitconfig "/home/devadm/.gitconfig"  && sudo chown devadm "/home/devadm/.gitconfig"
+fi
+
+[ ! -d "/dao/$hostname/services/pod_repo" ] && sudo mkdir -p "/dao/$hostname/services/pod_repo"  
+
+sudo chown -R $id /dao  
+
+cp -pr *  "/dao/$hostname/services/pod_repo"
+
+cd  "/dao/$hostname/services/pod_repo"  || exit 1
+
+if [ -r "gitea/full_app.ini" ] && [ ! -r "$DATA_REPO/gitea/conf/app.ini" ] ; then
+   cp gitea/full_app.ini "$DATA_REPO/gitea/conf/app.ini"
+fi
+
+if [ ! -r "app.ini" ] ; then 
+   ln -s $DATA_REPO/gitea/conf/app.ini . 
+fi
+
+# [ -r "bin/apply.sh" ] && ./bin/apply.sh 
+
+# Add systemd service
+sudo cp pod-repo.service /lib/systemd/system
+sudo systemctl daemon-reload
+sudo systemctl enable pod-repo.service
+sudo systemctl restart pod-repo.service
+
+if [ -r 'ddeploy_docker-compose.yml' ] ; then 
+   mv deploy_docker-compose.yml docker-compose.yml
+   val_timeout=10
+   wait=10
+   echo -n "Waiting services to come up ... "
+   while [ -z "$nc_port" ] 
+   do 
+     if nc -zv -w 1 "10.11.1.10" 3000 >/dev/null 2>/dev/null ; then 
+       nc_port=1	
+     fi
+     if [ -z "$nc_port" ] ; then 
+       sleep "$wait"
+       num=$((num + wait))
+       [ "$val_timeout" -gt  0 ] && [ "$num" -gt "$val_timeout" ] && break
+       echo -n "$num "
+     fi
+   done
+   echo ""
+   [ -r "gitea/full_app.ini" ] &&  cp gitea/full_app.ini "$DATA_REPO/gitea/conf/app.ini"
+   sudo systemctl restart pod-repo.service
+fi
+
+# Fix /etc/hosts for repo operations 
+sudo sed -i /^10.11.1.10/d /etc/hosts 
+sudo sed -i "s/$hostname/$hostname.pub/g" /etc/hosts 
+echo "10.11.1.10 $hostname localrepo.cloudnative.zone"  | sudo tee -a /etc/hosts
+
+
+exit 0
+

cluster/git/default/nginx.conf

@@ -0,0 +1,56 @@
+worker_processes 1;
+user root root;
+
+events { worker_connections 1024; }
+http {
+
+    sendfile on;
+
+    upstream gitea {
+        server basecamp-0:3000;
+    }
+
+    server {
+	#listen 80;
+	#server_name basecamp-0;
+	listen 443 ssl;
+        listen [::]:443 ssl;
+       	http2 on;
+	server_name localrepo.cloudnative.zone
+        charset utf-8;
+        client_max_body_size 300m;
+	# Paths to certificate files.
+        ssl_certificate /etc/ssl-dom/fullchain.pem;
+        ssl_certificate_key /etc/ssl-dom/privkey.pem;
+        # File to be used as index
+        index index.html;
+
+        # Overrides logs defined in nginx.conf, allows per site logs.
+	# error_log /dev/stdout warn;
+	#access_log /dev/stdout main;
+
+        location / {
+            proxy_pass http://gitea/;
+
+            proxy_redirect   off;
+            proxy_set_header Host $host:$server_port;
+            proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-NginX-Proxy true;
+            proxy_set_header Referer $http_referer;
+            proxy_http_version 1.1;
+            proxy_hide_header X-Powered-By;
+        }
+
+        location /doc/ {
+            autoindex on;
+            alias /doc/;
+        }
+    }
+    server {
+      listen 80;
+      listen [::]:80;
+      return 301 https://$host$request_uri;
+    }
+}

cluster/git/default/ssl/cert.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIENjCCAx6gAwIBAgISA3koQWqBejvQFqDe89mHEnQGMA0GCSqGSIb3DQEBCwUA
+MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
+EwJSMzAeFw0yMzEwMjIwOTQ5NTBaFw0yNDAxMjAwOTQ5NDlaMCUxIzAhBgNVBAMT
+GmxvY2FscmVwby5jbG91ZG5hdGl2ZS56b25lMFkwEwYHKoZIzj0CAQYIKoZIzj0D
+AQcDQgAEl1tWJ1J7rxIjtN64tcvwhSKJVLB4C7uJQafTph5HqCBX8YQtFlWDL6r4
+CqT7I6xZoVT8+rBmd3Km1NX8sDkagKOCAhwwggIYMA4GA1UdDwEB/wQEAwIHgDAd
+BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV
+HQ4EFgQUBpEVhM1Mz7pZ6VkDgXA5dVv+FrkwHwYDVR0jBBgwFoAUFC6zF7dYVsuu
+UAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v
+cjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y
+Zy8wJQYDVR0RBB4wHIIabG9jYWxyZXBvLmNsb3VkbmF0aXZlLnpvbmUwEwYDVR0g
+BAwwCjAIBgZngQwBAgEwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgDatr9rP7W2
+Ip+bwrtca+hwkXFsu1GEhTS9pD0wSNf7qwAAAYtXAWRrAAAEAwBHMEUCIQDQZM3i
+3f39bi+vRyN4tTuQGHB7rw4Ik2KEeBJPb19hagIgHh8b3chscsG7VQiAeR5bx7Yk
+5OiJjjjq1zcfjT7GyY4AdgA7U3d1Pi25gE6LMFsG/kA7Z9hPw/THvQANLXJv4frU
+FwAAAYtXAWRYAAAEAwBHMEUCIE8i31Q7bMb4E4zZwe5Q1C4B/vZLmeVTW07Pq9TM
+XqHiAiEAz+LjDT+kA1kn/Pm6a2coQOQ1IDPO9KOYjM9xmLm0DnswDQYJKoZIhvcN
+AQELBQADggEBADPEPYQsHNRnAPdzHZLgoiTqedZtQE6OaDai3J+wWcRO0DbYFBSg
+5rg8yRSqoQLxAxBSu2R+ZOEFru/b/nzDycMTIM0rNCNeEAPVbPntrUPDzKKI/KDS
+u2hMZBoAz0G/5oFtZU65pLACOy+4NNvQPI0ZGMqSXO5IK4bNXMX67jRVQU/tNVIx
+Ci18lsiS+jpH6BB3CDxRFVRCm/fYIbAEgevGrdsQDTX0O2FEkelgEuKsxwGY3rnN
+ovONHsYx1azojcNyJ0H33b7JcrOPEHfuxsqwE3VpGqJGDcXSLVJzEg6es24UESJG
+F8G/vRJmWCT+Q3xOhynQCgufMlOBOoFJDKA=
+-----END CERTIFICATE-----

cluster/git/default/ssl/chain.pem

@@ -0,0 +1,61 @@
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----

cluster/git/default/ssl/fullchain.pem

@@ -0,0 +1,86 @@
+-----BEGIN CERTIFICATE-----
+MIIENjCCAx6gAwIBAgISA3koQWqBejvQFqDe89mHEnQGMA0GCSqGSIb3DQEBCwUA
+MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
+EwJSMzAeFw0yMzEwMjIwOTQ5NTBaFw0yNDAxMjAwOTQ5NDlaMCUxIzAhBgNVBAMT
+GmxvY2FscmVwby5jbG91ZG5hdGl2ZS56b25lMFkwEwYHKoZIzj0CAQYIKoZIzj0D
+AQcDQgAEl1tWJ1J7rxIjtN64tcvwhSKJVLB4C7uJQafTph5HqCBX8YQtFlWDL6r4
+CqT7I6xZoVT8+rBmd3Km1NX8sDkagKOCAhwwggIYMA4GA1UdDwEB/wQEAwIHgDAd
+BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV
+HQ4EFgQUBpEVhM1Mz7pZ6VkDgXA5dVv+FrkwHwYDVR0jBBgwFoAUFC6zF7dYVsuu
+UAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v
+cjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y
+Zy8wJQYDVR0RBB4wHIIabG9jYWxyZXBvLmNsb3VkbmF0aXZlLnpvbmUwEwYDVR0g
+BAwwCjAIBgZngQwBAgEwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgDatr9rP7W2
+Ip+bwrtca+hwkXFsu1GEhTS9pD0wSNf7qwAAAYtXAWRrAAAEAwBHMEUCIQDQZM3i
+3f39bi+vRyN4tTuQGHB7rw4Ik2KEeBJPb19hagIgHh8b3chscsG7VQiAeR5bx7Yk
+5OiJjjjq1zcfjT7GyY4AdgA7U3d1Pi25gE6LMFsG/kA7Z9hPw/THvQANLXJv4frU
+FwAAAYtXAWRYAAAEAwBHMEUCIE8i31Q7bMb4E4zZwe5Q1C4B/vZLmeVTW07Pq9TM
+XqHiAiEAz+LjDT+kA1kn/Pm6a2coQOQ1IDPO9KOYjM9xmLm0DnswDQYJKoZIhvcN
+AQELBQADggEBADPEPYQsHNRnAPdzHZLgoiTqedZtQE6OaDai3J+wWcRO0DbYFBSg
+5rg8yRSqoQLxAxBSu2R+ZOEFru/b/nzDycMTIM0rNCNeEAPVbPntrUPDzKKI/KDS
+u2hMZBoAz0G/5oFtZU65pLACOy+4NNvQPI0ZGMqSXO5IK4bNXMX67jRVQU/tNVIx
+Ci18lsiS+jpH6BB3CDxRFVRCm/fYIbAEgevGrdsQDTX0O2FEkelgEuKsxwGY3rnN
+ovONHsYx1azojcNyJ0H33b7JcrOPEHfuxsqwE3VpGqJGDcXSLVJzEg6es24UESJG
+F8G/vRJmWCT+Q3xOhynQCgufMlOBOoFJDKA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----

cluster/git/default/ssl/privkey.pem

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgrLTLOsZOzsPArsTQ
+wTBTQPrN/CiYAc5JoYtJeiCVlD6hRANCAASXW1YnUnuvEiO03ri1y/CFIolUsHgL
+u4lBp9OmHkeoIFfxhC0WVYMvqvgKpPsjrFmhVPz6sGZ3cqbU1fywORqA
+-----END PRIVATE KEY-----

cluster/oci-reg/default/env-oci-reg.j2

@@ -0,0 +1,12 @@
+{%- if service.name == "oci-reg" %} 
+VERSION="{{service.version}}"
+OCI_DATA="{{service.oci_data}}"
+OCI_ETC="{{service.oci_etc}}"
+OCI_LOG="{{service.oci_log}}"
+OCI_USER="{{service.oci_user}}"
+OCI_USER_GROUP="{{service.oci_user_group}}"
+OCI_CMDS="{{service.oci_cmds}}" 
+OCI_BIN_PATH="{{service.oci_bin_path}}" 
+PROVISIONING_MAIN_NAME="{{main_name}}"
+SERVICES_SAVE_PATH="{{services_save_path}}"
+{%- endif %}

cluster/oci-reg/default/install-oci-reg.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+[ -r "env-oci-reg" ] && . ./env-oci-reg
+
+[ -f "bin/apply.sh" ] && chmod +x bin/apply.sh
+[ -f "make_istio-system_secret.sh" ] && chmod +x make_istio-system_secret.sh
+
+if [ -f "install-reg.sh" ] ; then 
+   chmod +x install-reg.sh
+   ./install-reg.sh
+fi
+
+if [ -n "$SERVICES_SAVE_PATH" ] ; then
+   sudo mkdir -p "$SERVICES_SAVE_PATH/oci-reg"
+   for it in ./* 
+   do
+      if [ -d "$it" ] ; then 
+         sudo cp -pr "$it" "$SERVICES_SAVE_PATH/oci-reg" && rm -rf "$it"
+      elif [ -f "$it" ] ; then 
+         sudo mv "$it" "$SERVICES_SAVE_PATH/oci-reg"
+      fi
+   done
+   sudo rm -f "$SERVICES_SAVE_PATH/oci-reg/$(basename "$0")"
+   sudo rm -f "$SERVICES_SAVE_PATH/oci-reg/env-oci-reg"
+   sudo chown -R devadm "$SERVICES_SAVE_PATH/oci-reg"
+   echo "service saved in $SERVICES_SAVE_PATH/oci-reg"
+fi
+
+#exit 0 

cluster/oci-reg/default/install-reg.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+kubectl apply -f ns
+kubectl apply -f volumes
+
+[ -r "bin/apply.sh" ] && ./bin/apply.sh 
+
+exit 0
+

cluster/oci-reg/default/prepare

@@ -0,0 +1,74 @@
+#!/bin/bash 
+# Info: Prepare for oci-reg installation
+# Author: JesusPerezLorenzo 
+# Release: 1.0.2
+# Date: 15-01-2024
+
+set +o errexit
+set +o pipefail
+
+SETTINGS_FILE=$1
+SERVICE_NAME=$2
+SERVICE_POS=$3
+#SETTINGS_ROOT=$4
+RUN_ROOT=$(dirname "$0")
+#ORG=$(pwd)
+
+[ -z "$SETTINGS_FILE"  ] && [ -z "$SERVICE_NAME" ] && [ -z "$SERVICE_POS" ] && exit 0
+
+YQ=$(type -P yq)
+JQ=$(type -P jq)
+[ -z "$YQ" ] && echo "yq not installed " && exit 1
+[ -z "$JQ" ] && echo "jq not installed " && exit 1
+
+_fix_name_in_files() {
+  local source=$1
+  local name_in_file=$2
+  local new_name
+  for item in  "$source"/*
+  do
+    if [ -d "$item" ] ; then   
+      _fix_name_in_files "$item" "$name_in_file" 
+    elif [ -r "$item" ] ; then   
+      new_name=$(basename "$item" | sed "s,deploy,$name_in_file,g")
+      #[ -r "$(dirname "$item")/$new_name" ] && rm -f "$item" 
+      [ -r "$item" ] && [ "$(basename "$item")" != "$new_name" ] && mv "$item" "$(dirname "$item")/$new_name"
+    fi
+  done
+}
+
+[ -r "$RUN_ROOT/env-oci-reg" ] && . "$RUN_ROOT"/env-oci-reg
+
+[ -z "$PROVISIONING" ]  && echo "PROVISIONING not found in environment" && exit 1
+
+. "$PROVISIONING"/core/lib/sops
+
+if $YQ e -o=json '.service.config' < "$SETTINGS_FILE" | tee "$RUN_ROOT/config.json" >/dev/null; then
+  echo "zot config.json generated !" 
+else
+  echo "Error: zot config.json generation !" 
+  exit 1
+fi
+prxy=$($YQ -er '.k8s_deploy.prxy' < "$SETTINGS_FILE" 2>/dev/null | sed 's/ //g' | sed 's/null//g')
+case "$prxy" in 
+  istio) ;;
+  *) [ -f "$RUN_ROOT/make_istio-system_secret.sh.j2" ] && rm -f "$RUN_ROOT/make_istio-system_secret.sh.j2"
+esac
+name_in_files=$($YQ -er '.k8s_deploy.name_in_files' < "$SETTINGS_FILE" 2>/dev/null | sed 's/ //g' | sed 's/null//g')
+[ -n "$name_in_files" ] && _fix_name_in_files "$RUN_ROOT" "$name_in_files"
+
+if [ -r "$RUN_ROOT/configMap-etc.yaml.j2" ] ; then 
+  if [ -r "$RUN_ROOT/htpasswd" ] ; then 
+    echo "  htpasswd: | " >> "$RUN_ROOT/configMap-etc.yaml.j2"
+    sed 's,^,    ,g' <"$RUN_ROOT/htpasswd"  >> "$RUN_ROOT/configMap-etc.yaml.j2"
+    rm -f "$RUN_ROOT/htpasswd"
+    echo "htpasswd added to configMap-etc.yaml" 
+  fi
+  if [ -r "$RUN_ROOT/config.json" ] ; then 
+    echo "  config.json: | " >> "$RUN_ROOT/configMap-etc.yaml.j2"
+    sed 's,^,    ,g' <"$RUN_ROOT/config.json"  >> "$RUN_ROOT/configMap-etc.yaml.j2"
+    rm -f "$RUN_ROOT/config.json"
+    echo "zot config.json added to configMap-etc.yaml" 
+  fi
+fi
+echo "Prepare $SERVICE_NAME $SERVICE_POS Done !" 

cluster/pod_repo/default/bin/apply.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+TASK=${1:-up} 
+
+[ -r "docker-compose.yml" ] && [ "$TASK" == "up" ] && ARGS="-d"
+
+ROOT_PATH=$(dirname "$0")
+
+[ -r "$ROOT_PATH/../env" ] && . "$ROOT_PATH"/../env
+
+sudo podman-compose $TASK $ARGS
+

cluster/pod_repo/default/install-pod_repo.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+ROOT_DATA=${ROOT_DATA:-/data}
+DATA_REPO=${DATA_REPO:-$ROOT_DATA/repo}
+DATA_DOC=${DATA_DOC:-$ROOT_DATA/doc}
+DATA_DBS=${DATA_DBS:-$ROOT_DATA/dbs}
+DATA_WEBHOOKS=${DATA_WEBHOOKS:-$ROOT_DATA/webhooks}
+
+sudo mkdir -p $ROOT_DATA
+sudo chown -R $(id -u):$(id -g)  $ROOT_DATA
+
+if [ ! -r ".env" ] ; then 
+	echo "# Env settings " >.env
+	# Set your data directory, this is where gitea save files
+	echo "GITEA_DATA_DIR=$DATA_REPO" >>.env
+
+	echo "DOC_DIR=$DATA_DOC" >>.env
+	echo "DBS_DIR=$DATA_DBS" >>.env
+	echo "WEBHOOKS_DIR=$DATA_WEBHOOKS" >>.env
+fi
+
+sudo mkdir -p $GITEA_DATA_DIR/gitea/conf
+sudo mkdir -p $DATA_DOC
+sudo mkdir -p $DATA_DBS
+
+[ -r "bin/apply.sh" ] && ./bin/apply.sh 
+
+exit 0
+

cluster/postrun

@@ -0,0 +1,30 @@
+#!/bin/bash 
+# Info: postrun for oci-reg installation
+# Author: JesusPerezLorenzo 
+# Release: 1.0.2
+# Date: 15-01-2024
+
+set +o errexit
+set +o pipefail
+
+SETTINGS_FILE=$1
+SERVER_POS=$2
+TASK_POS=$3
+#SETTINGS_ROOT=$4
+RUN_ROOT=$(dirname "$0")
+#ORG=$(pwd)
+
+[ -z "$SETTINGS_FILE"  ] && [ -z "$SERVER_POS" ] && [ -z "$TASK_POS" ] && exit 0
+
+YQ=$(type -P yq)
+JQ=$(type -P jq)
+[ -z "$YQ" ] && echo "yq not installed " && exit 1
+[ -z "$JQ" ] && echo "jq not installed " && exit 1
+
+[ -r "$RUN_ROOT/env-oci-reg" ] && . "$RUN_ROOT"/env-oci-reg
+
+[ -z "$PROVISIONING" ]  && echo "PROVISIONING not found in environment" && exit 1
+
+. "$PROVISIONING"/core/lib/sops
+
+#rm -f /tmp/oci-reg_config.json

cluster/web/default/bin/apply.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+ROOT=${ROOT:-.} 
+if [ -r "$ROOT/ssl/fullchain.pem" ] ; then 
+   if [ -x "$ROOT/make_istio-system_secret.sh" ] ; then 
+      $ROOT/make_istio-system_secret.sh $ROOT/ssl
+   else
+      kubectl delete secret web-certs -n cloudnative-zone 2>/dev/null
+      kubectl create secret tls web-certs --cert=$ROOT/ssl/fullchain.pem --key=$ROOT/ssl/privkey.pem -n cloudnative-zone
+  fi
+  if [ ! -r "$ROOT/ssl/fullchain.pem" ] ; then 
+     echo "No SSL certificate" 
+     exit  
+  fi 
+fi
+echo "checking configMaps ..." 
+kubectl delete -f $ROOT/configMap-etc.yaml 2>/dev/null
+kubectl apply -f $ROOT/configMap-etc.yaml 
+
+kubectl delete -f $ROOT/web.yaml 2>/dev/null 
+kubectl delete -f $ROOT/srvc-web.yaml 2>/dev/null 
+kubectl delete -f $ROOT/prxy-virtual-srvc-web.yaml 2>/dev/null 
+kubectl delete -f $ROOT/prxy-gateway-web.yaml 2>/dev/null 
+
+kubectl apply -f $ROOT/srvc-web.yaml
+kubectl apply -f $ROOT/prxy-virtual-srvc-web.yaml
+kubectl apply -f $ROOT/prxy-gateway-web.yaml
+kubectl apply -f $ROOT/web.yaml
+
+#echo "web.cloudnative-zone reload ..." 
+#curl -s -o /dev/null -I -w "%{http_code}" https://web.cloudnative.zone
+echo "__oOo__________oOo__________oOo__" 

cluster/web/default/configMap-etc.yaml

@@ -0,0 +1,126 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: web-etc
+  namespace: cloudnative-zone
+data:
+  htpasswd: |
+    daka:saTqF5QXUuD26
+  nginx.conf: |
+      user nginx;
+
+      # Set to number of CPU cores, auto will try to autodetect.
+      worker_processes auto;
+
+      # Maximum open file descriptors per process. Should be greater than worker_connections.
+      worker_rlimit_nofile 8192;
+
+      events {
+      	# Set the maximum number of connection each worker process can open. Anything higher than this
+      	# will require Unix optimisations.
+      	worker_connections 8000;
+
+      	# Accept all new connections as they're opened.
+      	multi_accept on;
+      }
+
+      http {
+      	# HTTP
+      	#include global/http.conf;
+
+      	# MIME Types
+      	include mime.types;
+      	default_type application/octet-stream;
+
+      	# Limits & Timeouts
+      	#include global/limits.conf;
+
+        # Specifies the main log format.
+        #log_format main '$http_x_real_ip - $real_ip_header - $http_x_forwarder_for - $http_x_real_ip - $remote_addr - $remote_user [$time_local] "$request" '
+        log_format main '$http_x_real_ip - $http_x_forwarder_for - $http_x_real_ip - $remote_addr - $remote_user [$time_local] "$request" '
+                        '$status $body_bytes_sent "$http_referer" '
+                        '"$http_user_agent" ';
+        # Default Logs
+        error_log /var/log/nginx/error.log warn;
+        access_log /var/log/nginx/access.log main;
+
+      	# Gzip
+      	#include global/gzip.conf;
+
+      	# Modules
+      	include /etc/nginx/conf.d/*.conf;
+        #upstream web {
+        #  server auth:8080;
+        #}
+      	# Sites
+      	#include /etc/nginx/sites-enabled/*;
+      }
+  default: |
+    # Define path to cache and memory zone. The memory zone should be unique.
+    # keys_zone=fatstcgi-cache:100m creates the memory zone and sets the maximum size in MBs.
+    # inactive=60m will remove cached items that haven't been accessed for 60 minutes or more.
+    fastcgi_cache_path /cache levels=1:2 keys_zone=fatstcgi-cache:100m inactive=60m;
+    
+    server {
+    	# Ports to listen on, uncomment one.
+      listen 443 ssl http2;
+    	listen [::]:443 ssl http2;
+
+    	# Server name to listen for
+      server_name web.cloudnative.zone;
+
+    	# Path to document root
+    	root   /var/www/static;
+
+      # Paths to certificate files.
+      ssl_certificate /etc/ssl-dom/fullchain.pem;
+      ssl_certificate_key /etc/ssl-dom/privkey.pem;
+
+    	# File to be used as index
+    	index index.php;
+
+    	# Overrides logs defined in nginx.conf, allows per site logs.
+      error_log /dev/stdout warn;
+    	access_log /dev/stdout main;
+    	# Default server block rules
+    	include server/defaults.conf;
+    	# Fastcgi cache rules
+    	include server/fastcgi-cache.conf;
+
+      # SSL rules
+    	include server/ssl.conf;
+    	# disable_symlinks off;
+
+      #Used when a load balancer wants to determine if this server is up or not
+      location /health_check {
+        return 200;
+      }
+      location / {
+           root   /usr/share/nginx/html;
+           index  index.html index.htm;
+      }
+      #location / {
+      #  #auth_basic  "Login";
+      #  #auth_basic_user_file  /etc/nginx/htpasswd;
+      #  proxy_set_header Host $http_host;
+      #  proxy_set_header X-Real-IP $remote_addr;
+      #  proxy_set_header X-Forwarded-For
+      #  $proxy_add_x_forwarded_for;
+      #  proxy_redirect off;
+      #  proxy_pass web;
+      #}  
+    }
+
+    # Redirect http to https
+    server {
+      listen 80;
+    	listen [::]:80;
+    	server_name web.cloudnative.zone;
+      #server_name localhost;
+      #return 301 https://web.cloudnative.zone$request_uri;
+    	#return 301 https://fatstcgi-cache$request_uri;
+      location / {
+           root   /usr/share/nginx/html;
+           index  index.html index.htm;
+      }
+    }

cluster/web/default/install-web.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+kubectl apply -f ns
+kubectl apply -f volumes
+
+[ -r "bin/apply.sh" ] && ./bin/apply.sh 
+
+exit 0
+

cluster/web/default/make_istio-system_secret.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+SECRET_NAME=cloudnative-web-credentials
+SSL_PATH=${1:-ssl}
+[ ! -r "$SSL_PATH" ] && echo "SSL_PATH $SSLPATH not directory"  && exit 1
+
+NAMESPACE=istio-system
+
+echo "create $NAMESPACE secret $SECRET_NAME for tls ... "
+kubectl delete -n $NAMESPACE secret $SECRET_NAME 2>/dev/null
+kubectl create -n $NAMESPACE secret tls $SECRET_NAME \
+  --key=$SSL_PATH/privkey.pem \
+  --cert=$SSL_PATH/fullchain.pem 
+

cluster/web/default/ns/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cloudnative-zone

cluster/web/default/prxy-gateway-web.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: web-cloudnative-zone-gwy
+  namespace: istio-system
+spec:
+  selector:
+    istio: ingressgateway # use istio default ingress gateway
+  servers:
+  - port:
+      number: 80
+      name: http-cnr
+      protocol: HTTP
+    tls:
+      httpsRedirect: true
+    hosts:
+    - "web.cloudnative.zone"
+  - port:
+      number: 443
+      name: https-cnr
+      protocol: HTTPS
+    tls:
+      #mode: PASSTHROUGH
+      mode: SIMPLE
+      credentialName: cloudnative-web-credentials
+    hosts:
+    - "web.cloudnative.zone"
+    

cluster/web/default/prxy-virtual-srvc-web.yaml

@@ -0,0 +1,46 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: web-cloudnative-zone
+  namespace: istio-system
+spec:
+  hosts:
+  - "web.cloudnative.zone"
+  gateways:
+  - web-cloudnative-zone-gwy
+#  tcp:
+#  - match:
+#    - port: 
+#    route:
+#    - destination:
+#        port:
+#          number: 
+#        host: web.cloudnative-zone.svc.cluster.local
+  http:
+  - match:
+    - port: 443
+    route:
+    - destination:
+        port:
+          number: 80
+        host: web.cloudnative-zone.svc.cluster.local
+ # tls:
+ # - match:
+ #   - port:
+ #     sniHosts:
+ #     - "web.cloudnative.zone"
+ #   route:
+ #   - destination:
+ #       port:
+ #         number:
+ #       host: crates.cloudnative-zone.svc.cluster.local
+ # - match:
+ #   - port: 443
+ #     sniHosts:
+ #     - "web.cloudnative.zone"
+ #   route:
+ #   - destination:
+ #       port:
+ #        number: 3000
+ #       host: web.cloudnative-zone.svc.cluster.local

cluster/web/default/srvc-web.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: web
+  namespace: cloudnative-zone
+  labels:
+    app: web-cloudnative
+spec:
+  ports:
+    - port: 443
+      name: cn-https
+    - port: 80
+      name: cn-http
+  selector:
+    app: web-cloudnative

cluster/web/default/volumes/PersistentVolumeData.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: web-data-vol
+  namespace: cloudnative-zone
+  labels:
+    app: cloudnative-zone-repo
+spec:
+  storageClassName: nfs-client
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 5Gi

cluster/web/default/web.yaml

@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: cloudnative-zone
+  name: web-deployment
+  labels:
+    app: web-cloudnative
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: web-cloudnative
+  template:
+    metadata:
+      labels:
+        app: web-cloudnative
+    spec:
+      containers:
+        - name: web-container
+          image: docker.io/nginx:alpine
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 80
+              name: cn-http
+            - containerPort: 443
+              name: cn-https
+          env:
+          volumeMounts:
+            - name: web-data-storage
+              mountPath: /usr/share/nginx/html
+            #- mountPath: /etc/ssl-dom
+            #  readOnly: true
+            #  name: web-certs
+            - mountPath: /etc/nginx/nginx.conf
+              readOnly: true
+              name: web-etc
+              subPath: nginx.conf
+      volumes:
+        - name: web-data-storage
+          persistentVolumeClaim:
+             claimName: web-data-vol
+             #claimName: web-data-claim
+        - name: web-etc
+          configMap:
+            name: web-etc
+            items:
+              - key: nginx.conf
+                path: nginx.conf
+        #- name:  web-certs
+        #  secret:
+        #    secretName: repo-certs
+        #    items:
+        #    - key: tls.crt
+        #      path: fullchain.pem
+        #    - key: tls.key
+        #      path: privkey.pem