Merge helmfiles repo

Closes #232

helmfiles/README.md

+## Introduction
+
+This repo describes the applications that are deployed to a new OpenAppStack
+instance. The `helmfile.d` directory contains information about which helm
+charts need to be deployed. The `values` directory contains values.yml overrides
+for these charts.
+
+Use [helmfile](https://github.com/roboll/helmfile) to install these applications
+to a cluster.
+
+## Usage
+
+The data in this repo is typically used by the Ansible playbooks in the
+[bootstrap](https://code.greenhost.net/openappstack/bootstrap) project. Check
+the tasks tagged `helmfile` to get more information.
+
+If you have a cluster already, and do not want to use our bootstrap script to
+install these applications, follow these steps:
+
+### Prerequisites
+
+Make sure you follow the installation instructions of
+[helmfile](https://github.com/roboll/helmfile) before you try this! Also note
+that helmfile requires `helm diff` to be installed. Install it by running
+`helm plugin install https://github.com/databus23/helm-diff`
+
+### Preparation
+
+Do these three steps to prepare the installation process:
+
+1. This repo requires some repositories to be checked out in specific directories:
+
+   ```bash
+   # Get the local-storage chart locally
+   $ git clone https://code.greenhost.net/openappstack/local-storage ../local-storage
+   ```
+
+1. The repo assumes you have a configuration file called `local.yaml` in the
+   following directory relative to this repo:
+   `../../../config/values/local.yaml`. Use our template at
+   https://code.greenhost.net/openappstack/bootstrap/blob/master/ansible/roles/configure_helmfile/templates/local.yaml.j2
+   and fill in the variables.
+
+1. You need to set some environment variables:
+   - `$NEXTCLOUD_PASSWORD` to set the Nextcloud administrator password
+   - `$COLLABORA_PASSWORD` to set the Collabora administrator password
+   - `$NEXTCLOUD_MARIADB_ROOT_PASSWORD` for the MariaDB that NextCloud uses
+   - `$GRAFANA_ADMIN_PASSWORD` for the admin password of grafana
+
+1. OAS allows you to override the nginx configuration by setting variables in
+   a file at `/oas/config/values/apps/nginx.yaml`. You can leave this file
+   empty, but it *has* to exist.
+
+1. The repo installs certmanager, which uses some custom resource definitions.
+   You need to add these resource definitions like so:
+
+   ```
+   kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml
+   ```
+
+### Installation
+
+Install all the applications by running:
+
+```
+$ helmfile -e oas -f helmfile.d/ apply
+```
+
+Where:
+
+- `-e oas` means that you are running this for the `oas` environment defined in
+  the files
+- `-f helmfile.d` means you want to use the description in files in the local
+  `helmfile.d` directory
+- `apply` syncs your kubernetes cluster state to the one desired by the files.
+
+**NOTE:** If you have installed this repo before, check if you still have old
+`pvc`'s for mariadb lying around. They can mess up the installation process,
+especially if you use different passwords than before.
+
+For example:
+
+```
+$ kubectl get pvc
+NAME                                 STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
+data-oas-test-files-mariadb-0        Bound    pvc-2a0dfd8f-7176-11e9-8ea4-00160a765c00   512Mi      RWO            local          9m
+```
+
+The mariadb pvc can collide with your installation. Remove it (note, this also
+removes all the data that was in that database!) by running:
+
+```
+kubectl delete pvc data-oas-test-files-mariadb-0
+```

helmfiles/helmfile.d/00-storage.yaml

+environments:
+  oas:
+    values:
+      - "../../../../config/values/local.yaml"
+
+releases:
+  - name: "oas-{{ .Environment.Values.releaseName }}-local-storage"
+    namespace: "oas"
+    chart: "../../local-storage/"
+    values:
+    - "../values/local-storage.yaml"

helmfiles/helmfile.d/05-cert-manager.yaml

+environments:
+  oas:
+    values:
+      - "../../../../config/values/local.yaml"
+
+repositories:
+  - name: jetstack
+    url: https://charts.jetstack.io
+
+releases:
+  - name: "oas-{{ .Environment.Values.releaseName }}-cert-manager"
+    namespace: "cert-manager"
+    chart: "jetstack/cert-manager"
+    version: "0.8"
+    values:
+    - "../values/cert-manager.yaml.gotmpl"
+    wait: false

helmfiles/helmfile.d/10-nginx.yaml

+environments:
+  oas:
+    values:
+      - "../../../../config/values/local.yaml"
+
+releases:
+  - name: "oas-{{ .Environment.Values.releaseName }}-proxy"
+    namespace: "oas"
+    chart: "stable/nginx-ingress"
+    values:
+    - "../values/nginx.yaml.gotmpl"
+    - "/oas/config/values/apps/nginx.yaml.gotmpl"
+    wait: false

helmfiles/helmfile.d/15-monitoring.yaml

+environments:
+  oas:
+    values:
+      - "../../../../config/values/local.yaml"
+
+releases:
+  - name: "oas-{{ .Environment.Values.releaseName }}-prometheus"
+    namespace: "oas"
+    chart: "stable/prometheus-operator"
+    values:
+    - "../values/prometheus.yaml.gotmpl"
+    - "/oas/config/values/apps/prometheus.yaml.gotmpl"
+    wait: false

helmfiles/helmfile.d/20-nextcloud.yaml

+environments:
+  oas:
+    values:
+      - "../../../../config/values/local.yaml"
+
+# Note: needs helm-git plugin (https://github.com/aslafy-z/helm-git)
+repositories:
+  - name: onlyoffice-documentserver
+    url: git+https://code.greenhost.net/openappstack/nextcloud@onlyoffice-documentserver?ref=master
+
+
+
+releases:
+  - name: "oas-{{ .Environment.Values.releaseName }}-files"
+    namespace: "oas-apps"
+    # Install from file path, so you don't run into https://github.com/roboll/helmfile/issues/726
+    chart: "../../nextcloud/nextcloud-onlyoffice"
+    values:
+    - "../values/nextcloud.yaml.gotmpl"
+    wait: true
+    timeout: 600

helmfiles/values/cert-manager.yaml.gotmpl

+ingressShim:
+  {{- if .Environment.Values.acmeStaging | default false }}
+  defaultIssuerName: "letsencrypt-staging"
+  {{- else }}
+  defaultIssuerName: "letsencrypt-production"
+  {{- end }}
+  defaultIssuerKind: ClusterIssuer

helmfiles/values/local-storage.yaml

+storageDirectory: "/var/lib/OpenAppStack/local-storage"
+defaultStorageClass: true

helmfiles/values/nextcloud.yaml.gotmpl

+nextcloud:
+  nextcloud:
+    host: "files.{{ .Environment.Values.domain }}"
+    password: "{{ requiredEnv "NEXTCLOUD_PASSWORD" }}"
+
+  ingress:
+    enabled: true
+    annotations:
+      # Tell cert-manager to automatically get a TLS certificate
+      kubernetes.io/tls-acme: "true"
+      # Set max body size high to allow big NextCloud uploads
+      nginx.ingress.kubernetes.io/proxy-body-size: 1G
+    hosts:
+      - "files.{{ .Environment.Values.domain }}"
+    tls:
+      - hosts:
+          - "files.{{ .Environment.Values.domain }}"
+        secretName: oas-{{ .Environment.Values.releaseName }}-files
+
+  # Use 2 GB of storage for NC storage (maybe make configurable later?)
+  persistence:
+    enabled: true
+    size: 2Gi
+
+  # Explicitly disable use of internal database
+  internalDatabase:
+    enabled: false
+
+  # Enable and configure MariaDB chart
+  mariadb:
+    db:
+      password: "{{ requiredEnv "NEXTCLOUD_MARIADB_PASSWORD" }}"
+    enabled: true
+    master:
+      persistence:
+        ## Enable PostgreSQL persistence using Persistent Volume Claims.
+        enabled: true
+        size: 512Mi
+    replication:
+      enabled: false
+    rootUser:
+      password: "{{ requiredEnv "NEXTCLOUD_MARIADB_ROOT_PASSWORD" }}"
+  livenessProbe:
+    initialDelaySeconds: 120
+  readinessProbe:
+    initialDelaySeconds: 120
+
+onlyoffice-documentserver:
+  ingress:
+    enabled: true
+    annotations:
+      # Tell cert-manager to automatically get a TLS certificate
+      kubernetes.io/tls-acme: "true"
+    paths:
+      - "/"
+    hosts:
+      - "office.{{ .Environment.Values.domain }}"
+    tls:
+      - hosts:
+          - "office.{{ .Environment.Values.domain }}"
+        secretName: oas-{{ .Environment.Values.releaseName }}-office
+
+  onlyoffice:
+    server_name: "office.{{ .Environment.Values.domain }}"

helmfiles/values/nginx.yaml.gotmpl

+controller:
+  # scope:
+  #   enabled: true
+  #   namespace: oas-apps
+  service:
+    externalIPs: ["{{ .Environment.Values.ip }}"]
+  resources:
+    limits:
+      cpu: 100m
+      memory: 1Gi
+    requests:
+      cpu: 50m
+      memory: 64Mi

helmfiles/values/prometheus.yaml.gotmpl

+# Depending on which DNS solution you have installed in your cluster enable the right exporter
+coreDns:
+  enabled: false
+
+kubeDns:
+  enabled: true
+
+alertmanager:
+  alertmanagerSpec:
+    storage:
+      volumeClaimTemplate:
+        metadata:
+          name: alertmanager
+        spec:
+          accessModes: ["ReadWriteOnce"]
+          resources:
+            requests:
+              storage: 2Gi
+
+prometheus:
+  prometheusSpec:
+    storageSpec:
+      volumeClaimTemplate:
+        metadata:
+          name: prometheus
+        spec:
+          accessModes: ["ReadWriteOnce"]
+          resources:
+            requests:
+              storage: 5Gi
+    # https://github.com/rancher/rancher/issues/14836 prevents 'subPath' to work
+    # with non-privileged users. This is an insecure workaround for the time
+    # being...
+    securityContext:
+      runAsUser: 0
+      fsGroup: 0
+      runAsNonRoot: false
+
+grafana:
+  adminPassword: "{{ requiredEnv "GRAFANA_ADMIN_PASSWORD" }}"
+
+  ingress:
+    enabled: true
+    annotations:
+      kubernetes.io/tls-acme: "true"
+    hosts:
+      - "grafana.{{ .Environment.Values.domain }}"
+    tls:
+      - secretName: grafana-tls
+        hosts:
+          - "grafana.{{ .Environment.Values.domain }}"
+  persistence:
+    enabled: true
+    size: 2Gi
+    accessModes: ["ReadWriteOnce"]