authorChristian Pointner <equinox@spreadspace.org>2020-06-30 21:46:18 +0200
committerChristian Pointner <equinox@spreadspace.org>2020-06-30 21:46:18 +0200
commitd89e58a60ff8350b1650610c14996ca0a69e0d70 (patch)
treec567f913b031898cdd8f4c7fb94609f21587fef6 /roles
parentresync preseed files (diff)
parentfix pod manifest permissions (diff)
Merge branch 'topic/standalone-kubelet'
Diffstat (limited to 'roles')
-rw-r--r--roles/apps/collabora/code/tasks/main.yml23
-rw-r--r--roles/apps/collabora/code/templates/pod-spec.yml.j225
-rw-r--r--roles/apps/collabora/code/templates/pod.yml.j230
-rw-r--r--roles/apps/coturn/tasks/main.yml17
-rw-r--r--roles/apps/coturn/templates/pod-spec.yml.j232
-rw-r--r--roles/apps/coturn/templates/pod.yml.j237
-rw-r--r--roles/apps/etherpad-lite/tasks/main.yml23
-rw-r--r--roles/apps/etherpad-lite/templates/pod-spec-with-mariadb.yml.j249
-rw-r--r--roles/apps/etherpad-lite/templates/pod-with-mariadb.yml.j254
-rw-r--r--roles/apps/jitsi/meet/tasks/main.yml17
-rw-r--r--roles/apps/jitsi/meet/templates/pod-spec.yml.j2185
-rw-r--r--roles/apps/jitsi/meet/templates/pod.yml.j2190
-rw-r--r--roles/apps/nextcloud/tasks/main.yml26
-rw-r--r--roles/apps/nextcloud/templates/pod-spec-with-mariadb.yml.j277
-rw-r--r--roles/apps/nextcloud/templates/pod-with-mariadb.yml.j282
-rw-r--r--roles/kubernetes/standalone/base/defaults/main.yml (renamed from roles/kubernetes/standalone/defaults/main.yml)0
-rw-r--r--roles/kubernetes/standalone/base/handlers/main.yml (renamed from roles/kubernetes/standalone/handlers/main.yml)0
-rw-r--r--roles/kubernetes/standalone/base/tasks/main.yml (renamed from roles/kubernetes/standalone/tasks/main.yml)0
-rw-r--r--roles/kubernetes/standalone/base/templates/cni-no-portmap.conflist.j2 (renamed from roles/kubernetes/standalone/templates/cni-no-portmap.conflist.j2)0
-rw-r--r--roles/kubernetes/standalone/base/templates/cni-with-localonly-portmap.conflist.j2 (renamed from roles/kubernetes/standalone/templates/cni-with-localonly-portmap.conflist.j2)0
-rw-r--r--roles/kubernetes/standalone/base/templates/cni-with-portmap.conflist.j2 (renamed from roles/kubernetes/standalone/templates/cni-with-portmap.conflist.j2)0
-rw-r--r--roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2 (renamed from roles/kubernetes/standalone/templates/kubelet-config.yml.j2)0
-rw-r--r--roles/kubernetes/standalone/base/templates/kubelet.service.override.j2 (renamed from roles/kubernetes/standalone/templates/kubelet.service.override.j2)0
-rw-r--r--roles/kubernetes/standalone/pod/defaults/main.yml23
-rw-r--r--roles/kubernetes/standalone/pod/tasks/main.yml74
25 files changed, 538 insertions, 426 deletions
diff --git a/roles/apps/collabora/code/tasks/main.yml b/roles/apps/collabora/code/tasks/main.yml
index 57bdfa34..74f3240a 100644
--- a/roles/apps/collabora/code/tasks/main.yml
+++ b/roles/apps/collabora/code/tasks/main.yml
@@ -21,19 +21,26 @@
when: "'custom_image' in item.value"
include_tasks: custom-image.yml
-- name: generate pod manifests
+- name: install pod manifest
loop: "{{ collabora_code_instances | dict2items }}"
loop_control:
label: "{{ item.key }}"
- template:
- src: "pod.yml.j2"
- dest: "/etc/kubernetes/manifests/collabora-code-{{ item.key }}.yml"
- mode: 0600
+ vars:
+ kubernetes_standalone_pod:
+ name: "collabora-code-{{ item.key }}"
+ spec: "{{ lookup('template', 'pod-spec.yml.j2') }}"
+ mode: "0600"
+ config_hash_items:
+ - path: "{{ collabora_code_base_path }}/{{ item.key }}/config/loolwsd.xml"
+ properties:
+ - checksum
+ include_role:
+ name: kubernetes/standalone/pod
- name: configure nginx vhost
loop: "{{ collabora_code_instances | dict2items }}"
- include_role:
- name: nginx/vhost
+ loop_control:
+ label: "{{ item.key }}"
vars:
nginx_vhost:
name: "collabora-code-{{ item.key }}"
@@ -41,3 +48,5 @@
acme: true
hostnames:
- "{{ item.value.hostname }}"
+ include_role:
+ name: nginx/vhost
diff --git a/roles/apps/collabora/code/templates/pod-spec.yml.j2 b/roles/apps/collabora/code/templates/pod-spec.yml.j2
new file mode 100644
index 00000000..04d2d25a
--- /dev/null
+++ b/roles/apps/collabora/code/templates/pod-spec.yml.j2
@@ -0,0 +1,25 @@
+containers:
+- name: collabora-code
+ image: "collabora/code{% if 'custom_image' in item.value %}/{{ item.key }}{% endif %}:{{ item.value.version }}"
+ resources:
+ limits:
+ memory: "4Gi"
+ env:
+ - name: "DONT_GEN_SSL_CERT"
+ value: "1"
+ - name: "extra_params"
+ value: "--o:ssl.enable=false --o:ssl.termination=true"
+ volumeMounts:
+ - name: config
+ mountPath: /etc/loolwsd/loolwsd.xml
+ subPath: loolwsd.xml
+ readOnly: true
+ ports:
+ - containerPort: 9980
+ hostPort: {{ item.value.port }}
+ hostIP: 127.0.0.1
+volumes:
+- name: config
+ hostPath:
+ path: "{{ collabora_code_base_path }}/{{ item.key }}/config/"
+ type: Directory
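Review bot: This is the only pod spec in the merge with no `securityContext` at all, so the collabora-code container runs as whatever user the image defaults to and with privilege escalation allowed, while the coturn, etherpad-lite and nextcloud specs at least try to restrict this. If the image tolerates it, add under `- name: collabora-code` a `securityContext:` with `allowPrivilegeEscalation: false` (container level, where that field is valid); `runAsUser`/`runAsGroup` would need a uid the role provisions, which this hunk does not show. Binding `hostPort` to `127.0.0.1` is good and leaves only the nginx vhost reachable from outside.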
diff --git a/roles/apps/collabora/code/templates/pod.yml.j2 b/roles/apps/collabora/code/templates/pod.yml.j2
deleted file mode 100644
index 53fb4c0d..00000000
--- a/roles/apps/collabora/code/templates/pod.yml.j2
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: "collabora-code-{{ item.key }}"
-spec:
- containers:
- - name: collabora-code
- image: "collabora/code{% if 'custom_image' in item.value %}/{{ item.key }}{% endif %}:{{ item.value.version }}"
- resources:
- limits:
- memory: "4Gi"
- env:
- - name: "DONT_GEN_SSL_CERT"
- value: "1"
- - name: "extra_params"
- value: "--o:ssl.enable=false --o:ssl.termination=true"
- volumeMounts:
- - name: config
- mountPath: /etc/loolwsd/loolwsd.xml
- subPath: loolwsd.xml
- readOnly: true
- ports:
- - containerPort: 9980
- hostPort: {{ item.value.port }}
- hostIP: 127.0.0.1
- volumes:
- - name: config
- hostPath:
- path: "{{ collabora_code_base_path }}/{{ item.key }}/config/"
- type: Directory
diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml
index 132e4847..176be664 100644
--- a/roles/apps/coturn/tasks/main.yml
+++ b/roles/apps/coturn/tasks/main.yml
@@ -68,8 +68,15 @@
include_role:
name: nginx/vhost
-- name: generate pod manifests
- template:
- src: "pod.yml.j2"
- dest: "/etc/kubernetes/manifests/coturn-{{ coturn_realm }}.yml"
- mode: 0600
+- name: install pod manifest
+ vars:
+ kubernetes_standalone_pod:
+ name: "coturn-{{ coturn_realm }}"
+ spec: "{{ lookup('template', 'pod-spec.yml.j2') }}"
+ mode: "0600"
+ config_hash_items:
+ - path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/turnserver.conf"
+ properties:
+ - checksum
+ include_role:
+ name: kubernetes/standalone/pod
diff --git a/roles/apps/coturn/templates/pod-spec.yml.j2 b/roles/apps/coturn/templates/pod-spec.yml.j2
new file mode 100644
index 00000000..d157af37
--- /dev/null
+++ b/roles/apps/coturn/templates/pod-spec.yml.j2
@@ -0,0 +1,32 @@
+securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: {{ coturn_uid }}
+ runAsGroup: {{ coturn_gid }}
+hostNetwork: true
+containers:
+- name: coturn
+ image: "instrumentisto/coturn:{{ coturn_version }}"
+ args:
+ - --log-file=stdout
+ resources:
+ limits:
+ memory: "1Gi"
+ volumeMounts:
+ - name: config
+ mountPath: /etc/coturn/
+ readOnly: true
+ - name: run
+ mountPath: /var/run
+ - name: lib
+ mountPath: /var/lib/coturn
+volumes:
+- name: config
+ hostPath:
+ path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/"
+ type: Directory
+- name: run
+ emptyDir:
+ medium: Memory
+- name: lib
+ emptyDir:
+ medium: Memory
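Review bot: `allowPrivilegeEscalation` on the pod-level `securityContext` (first two lines of the spec) is not a PodSecurityContext field — it only exists on a container's `securityContext` — so the kubelet drops it (or rejects the manifest, depending on how strictly it decodes static pods) and the coturn container keeps the default of allowing privilege escalation. Move it next to the container: under `- name: coturn` add `securityContext:` / `allowPrivilegeEscalation: false`, keeping `runAsUser`/`runAsGroup` at pod level where they are valid. The same pod-level `allowPrivilegeEscalation: false` appears in the new `etherpad-lite/templates/pod-spec-with-mariadb.yml.j2` and `nextcloud/templates/pod-spec-with-mariadb.yml.j2`; it is carried over from the deleted pod templates, so it predates the merge, but these new files are the place to fix it.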
diff --git a/roles/apps/coturn/templates/pod.yml.j2 b/roles/apps/coturn/templates/pod.yml.j2
deleted file mode 100644
index 7c127c13..00000000
--- a/roles/apps/coturn/templates/pod.yml.j2
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: "coturn-{{ coturn_realm }}"
-spec:
- securityContext:
- allowPrivilegeEscalation: false
- runAsUser: {{ coturn_uid }}
- runAsGroup: {{ coturn_gid }}
- hostNetwork: true
- containers:
- - name: coturn
- image: "instrumentisto/coturn:{{ coturn_version }}"
- args:
- - --log-file=stdout
- resources:
- limits:
- memory: "1Gi"
- volumeMounts:
- - name: config
- mountPath: /etc/coturn/
- readOnly: true
- - name: run
- mountPath: /var/run
- - name: lib
- mountPath: /var/lib/coturn
- volumes:
- - name: config
- hostPath:
- path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/"
- type: Directory
- - name: run
- emptyDir:
- medium: Memory
- - name: lib
- emptyDir:
- medium: Memory
diff --git a/roles/apps/etherpad-lite/tasks/main.yml b/roles/apps/etherpad-lite/tasks/main.yml
index 0beeb1e1..105b89d9 100644
--- a/roles/apps/etherpad-lite/tasks/main.yml
+++ b/roles/apps/etherpad-lite/tasks/main.yml
@@ -92,24 +92,29 @@
owner: "{{ etherpad_lite_app_uid }}"
group: "{{ etherpad_lite_app_gid }}"
-
-- name: generate pod manifests
+- name: install pod manifest
loop: "{{ etherpad_lite_instances | dict2items }}"
loop_control:
label: "{{ item.key }}"
- template:
- src: "pod-with-{{ item.value.database.type }}.yml.j2"
- dest: "/etc/kubernetes/manifests/etherpad-lite-{{ item.key }}.yml"
- mode: 0600
-
+ vars:
+ kubernetes_standalone_pod:
+ name: "etherpad-lite-{{ item.key }}"
+ spec: "{{ lookup('template', 'pod-spec-with-{{ item.value.database.type }}.yml.j2') }}"
+ mode: "0600"
+ config_hash_items:
+ - path: "{{ etherpad_lite_base_path }}/{{ item.key }}/config/settings.json"
+ properties:
+ - checksum
+ include_role:
+ name: kubernetes/standalone/pod
- name: configure nginx vhost
loop: "{{ etherpad_lite_instances | dict2items }}"
- include_role:
- name: nginx/vhost
vars:
nginx_vhost:
name: "etherpad-lite-{{ item.key }}"
content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}"
acme: true
hostnames: "{{ item.value.hostnames }}"
+ include_role:
+ name: nginx/vhost
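Review bot: The template name in `spec: "{{ lookup('template', 'pod-spec-with-{{ item.value.database.type }}.yml.j2') }}"` nests `{{ }}` inside a Jinja string literal; Ansible templates lookup terms a second time, so this presumably resolves, but it depends on that extra pass and is the form newer Ansible releases warn about. Building the name in one expression is unambiguous: `spec: "{{ lookup('template', 'pod-spec-with-' ~ item.value.database.type ~ '.yml.j2') }}"`. The same pattern is in the nextcloud `install pod manifest` task in this merge.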
diff --git a/roles/apps/etherpad-lite/templates/pod-spec-with-mariadb.yml.j2 b/roles/apps/etherpad-lite/templates/pod-spec-with-mariadb.yml.j2
new file mode 100644
index 00000000..f608d6ab
--- /dev/null
+++ b/roles/apps/etherpad-lite/templates/pod-spec-with-mariadb.yml.j2
@@ -0,0 +1,49 @@
+securityContext:
+ allowPrivilegeEscalation: false
+containers:
+- name: etherpad-lite
+ image: spreadspace/etherpad-lite:{{ item.value.version }}
+ # securityContext:
+ # runAsUser: {{ etherpad_lite_app_uid }}
+ # runAsGroup: {{ etherpad_lite_app_gid }}
+ resources:
+ limits:
+ memory: "4Gi"
+ volumeMounts:
+ - name: config
+ mountPath: /opt/etherpad-lite/settings.json
+ subPath: settings.json
+ readOnly: true
+ ports:
+ - containerPort: 9001
+ hostPort: {{ item.value.port }}
+ hostIP: 127.0.0.1
+- name: database
+ image: "mariadb:{{ item.value.database.version }}"
+ securityContext:
+ runAsUser: {{ etherpad_lite_db_uid }}
+ runAsGroup: {{ etherpad_lite_db_gid }}
+ resources:
+ limits:
+ memory: "4Gi"
+ env:
+ - name: MYSQL_RANDOM_ROOT_PASSWORD
+ value: "true"
+ - name: MYSQL_DATABASE
+ value: etherpad-lite
+ - name: MYSQL_USER
+ value: etherpad-lite
+ - name: MYSQL_PASSWORD
+ value: "{{ item.value.database.password }}"
+ volumeMounts:
+ - name: database
+ mountPath: /var/lib/mysql
+volumes:
+- name: config
+ hostPath:
+ path: "{{ etherpad_lite_base_path }}/{{ item.key }}/config/"
+ type: Directory
+- name: database
+ hostPath:
+ path: "{{ etherpad_lite_base_path }}/{{ item.key }}/{{ item.value.database.type }}"
+ type: Directory
diff --git a/roles/apps/etherpad-lite/templates/pod-with-mariadb.yml.j2 b/roles/apps/etherpad-lite/templates/pod-with-mariadb.yml.j2
deleted file mode 100644
index 9391290f..00000000
--- a/roles/apps/etherpad-lite/templates/pod-with-mariadb.yml.j2
+++ /dev/null
@@ -1,54 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: "etherpad-lite-{{ item.key }}"
-spec:
- securityContext:
- allowPrivilegeEscalation: false
- containers:
- - name: etherpad-lite
- image: spreadspace/etherpad-lite:{{ item.value.version }}
- # securityContext:
- # runAsUser: {{ etherpad_lite_app_uid }}
- # runAsGroup: {{ etherpad_lite_app_gid }}
- resources:
- limits:
- memory: "4Gi"
- volumeMounts:
- - name: config
- mountPath: /opt/etherpad-lite/settings.json
- subPath: settings.json
- readOnly: true
- ports:
- - containerPort: 9001
- hostPort: {{ item.value.port }}
- hostIP: 127.0.0.1
- - name: database
- image: "mariadb:{{ item.value.database.version }}"
- securityContext:
- runAsUser: {{ etherpad_lite_db_uid }}
- runAsGroup: {{ etherpad_lite_db_gid }}
- resources:
- limits:
- memory: "4Gi"
- env:
- - name: MYSQL_RANDOM_ROOT_PASSWORD
- value: "true"
- - name: MYSQL_DATABASE
- value: etherpad-lite
- - name: MYSQL_USER
- value: etherpad-lite
- - name: MYSQL_PASSWORD
- value: "{{ item.value.database.password }}"
- volumeMounts:
- - name: database
- mountPath: /var/lib/mysql
- volumes:
- - name: config
- hostPath:
- path: "{{ etherpad_lite_base_path }}/{{ item.key }}/config/"
- type: Directory
- - name: database
- hostPath:
- path: "{{ etherpad_lite_base_path }}/{{ item.key }}/{{ item.value.database.type }}"
- type: Directory
diff --git a/roles/apps/jitsi/meet/tasks/main.yml b/roles/apps/jitsi/meet/tasks/main.yml
index 66644f8f..16e05ced 100644
--- a/roles/apps/jitsi/meet/tasks/main.yml
+++ b/roles/apps/jitsi/meet/tasks/main.yml
@@ -17,11 +17,18 @@
dest: "{{ jitsi_meet_base_path }}/{{ jitsi_meet_inst_name }}/scripts/prosody/cont-init.sh"
mode: 0755
-- name: generate pod manifests
- template:
- src: "pod.yml.j2"
- dest: "/etc/kubernetes/manifests/jitsi-meet-{{ jitsi_meet_inst_name }}.yml"
- mode: 0600
+- name: install pod manifest
+ vars:
+ kubernetes_standalone_pod:
+ name: "jitsi-meet-{{ jitsi_meet_inst_name }}"
+ spec: "{{ lookup('template', 'pod-spec.yml.j2') }}"
+ mode: "0600"
+ config_hash_items:
+ - path: "{{ jitsi_meet_base_path }}/{{ jitsi_meet_inst_name }}/scripts/prosody/cont-init.sh"
+ properties:
+ - checksum
+ include_role:
+ name: kubernetes/standalone/pod
## TODO: https://github.com/jitsi/jitsi-meet/blob/master/doc/turn.md
diff --git a/roles/apps/jitsi/meet/templates/pod-spec.yml.j2 b/roles/apps/jitsi/meet/templates/pod-spec.yml.j2
new file mode 100644
index 00000000..7461658f
--- /dev/null
+++ b/roles/apps/jitsi/meet/templates/pod-spec.yml.j2
@@ -0,0 +1,185 @@
+initContainers:
+- name: prepare-config
+ image: busybox
+ workingDir: /config
+ command:
+ - sh
+ - -c
+ - mkdir -p jicofo prosody web jvb
+ volumeMounts:
+ - name: config
+ mountPath: /config
+containers:
+- name: jicofo
+ image: "jitsi/jicofo:{{ jitsi_meet_version }}"
+ resources:
+ requests:
+ memory: "1Gi"
+ limits:
+ memory: "4Gi"
+ volumeMounts:
+ - name: config
+ subPath: jicofo
+ mountPath: /config
+ env:
+ - name: XMPP_SERVER
+ value: 127.0.0.1
+ - name: XMPP_DOMAIN
+ value: meet.jitsi
+ - name: XMPP_AUTH_DOMAIN
+ value: auth.meet.jitsi
+ - name: XMPP_INTERNAL_MUC_DOMAIN
+ value: internal-muc.meet.jitsi
+
+ - name: JICOFO_COMPONENT_SECRET
+ value: "{{ jitsi_meet_secrets.jicofo_component_secret }}"
+ - name: JICOFO_AUTH_USER
+ value: focus
+ - name: JICOFO_AUTH_PASSWORD
+ value: "{{ jitsi_meet_secrets.jicofo_auth_password }}"
+
+ - name: JVB_BREWERY_MUC
+ value: jvbbrewery
+
+ - name: TZ
+ value: {{ jitsi_meet_timezone }}
+
+- name: prosody
+ image: "jitsi/prosody:{{ jitsi_meet_version }}"
+ resources:
+ requests:
+ memory: "128Mi"
+ limits:
+ memory: "512Mi"
+ volumeMounts:
+ - name: scripts
+ subPath: prosody/cont-init.sh
+ mountPath: /etc/cont-init.d/99-k8s
+ - name: config
+ subPath: prosody
+ mountPath: /config
+ env:
+ - name: XMPP_DOMAIN
+ value: meet.jitsi
+ - name: XMPP_AUTH_DOMAIN
+ value: auth.meet.jitsi
+ - name: XMPP_MUC_DOMAIN
+ value: muc.meet.jitsi
+ - name: XMPP_INTERNAL_MUC_DOMAIN
+ value: internal-muc.meet.jitsi
+
+ - name: JICOFO_COMPONENT_SECRET
+ value: "{{ jitsi_meet_secrets.jicofo_component_secret }}"
+ - name: JICOFO_AUTH_USER
+ value: focus
+ - name: JICOFO_AUTH_PASSWORD
+ value: "{{ jitsi_meet_secrets.jicofo_auth_password }}"
+
+ - name: JVB_AUTH_USER
+ value: jvb
+ - name: JVB_AUTH_PASSWORD
+ value: "{{ jitsi_meet_secrets.jvb_auth_password }}"
+ - name: JVB_TCP_HARVESTER_DISABLED
+ value: "true"
+
+ - name: TZ
+ value: {{ jitsi_meet_timezone }}
+
+- name: web
+ image: "jitsi/web:{{ jitsi_meet_version }}"
+ resources:
+ requests:
+ memory: "256Mi"
+ limits:
+ memory: "1Gi"
+ ports:
+ - protocol: TCP
+ containerPort: 80
+ hostPort: {{ jitsi_meet_http_port }}
+ hostIP: 127.0.0.1
+ volumeMounts:
+ - name: config
+ subPath: web
+ mountPath: /config
+ env:
+ - name: DISABLE_HTTPS
+ value: "1"
+ - name: ENABLE_HTTP_REDIRECT
+ value: "0"
+
+ - name: XMPP_SERVER
+ value: 127.0.0.1
+ - name: XMPP_DOMAIN
+ value: meet.jitsi
+ - name: XMPP_AUTH_DOMAIN
+ value: auth.meet.jitsi
+ - name: XMPP_INTERNAL_MUC_DOMAIN
+ value: internal-muc.meet.jitsi
+ - name: XMPP_BOSH_URL_BASE
+ value: http://127.0.0.1:5280
+ - name: XMPP_MUC_DOMAIN
+ value: muc.meet.jitsi
+
+ - name: JICOFO_AUTH_USER
+ value: focus
+
+ - name: JVB_TCP_HARVESTER_DISABLED
+ value: "true"
+
+ - name: TZ
+ value: {{ jitsi_meet_timezone }}
+
+- name: jvb
+ image: "jitsi/jvb:{{ jitsi_meet_version }}"
+ resources:
+ requests:
+ memory: "1Gi"
+ limits:
+ memory: "4Gi"
+ ports:
+ - protocol: UDP
+ containerPort: {{ jitsi_meet_jvb_port }}
+ hostPort: {{ jitsi_meet_jvb_port }}
+ hostIP: "{{ external_ip | default(ansible_default_ipv4.address) }}"
+ volumeMounts:
+ - name: config
+ subPath: jvb
+ mountPath: /config
+ env:
+ - name: XMPP_SERVER
+ value: 127.0.0.1
+ - name: XMPP_DOMAIN
+ value: meet.jitsi
+ - name: XMPP_AUTH_DOMAIN
+ value: auth.meet.jitsi
+ - name: XMPP_INTERNAL_MUC_DOMAIN
+ value: internal-muc.meet.jitsi
+
+ - name: JICOFO_AUTH_USER
+ value: focus
+ - name: JICOFO_AUTH_PASSWORD
+ value: "{{ jitsi_meet_secrets.jicofo_auth_password }}"
+
+ - name: JVB_AUTH_USER
+ value: jvb
+ - name: JVB_AUTH_PASSWORD
+ value: "{{ jitsi_meet_secrets.jvb_auth_password }}"
+ - name: JVB_BREWERY_MUC
+ value: jvbbrewery
+ - name: JVB_PORT
+ value: "{{ jitsi_meet_jvb_port }}"
+ - name: JVB_TCP_HARVESTER_DISABLED
+ value: "true"
+ - name: DOCKER_HOST_ADDRESS
+ value: "{{ external_ip | default(ansible_default_ipv4.address) }}"
+
+ - name: TZ
+ value: {{ jitsi_meet_timezone }}
+
+volumes:
+- name: scripts
+ hostPath:
+ path: "{{ jitsi_meet_base_path }}/{{ jitsi_meet_inst_name }}/scripts"
+- name: config
+ emptyDir:
+ medium: Memory
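Review bot: Every templated env value in this spec is quoted (`value: "{{ ... }}"`) except the four `TZ` entries, which render `value: {{ jitsi_meet_timezone }}` as a plain scalar; a value such as `Etc/UTC` parses fine, but the env `value` field must be a string and an unquoted rendering is one typo away from a type change. Quote it for consistency: `value: "{{ jitsi_meet_timezone }}"`. The `scripts` hostPath volume at the end also lacks the `type: Directory` that the other roles' hostPath volumes set; with it, a missing scripts directory fails the pod early instead of being left to the container runtime to deal with.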
diff --git a/roles/apps/jitsi/meet/templates/pod.yml.j2 b/roles/apps/jitsi/meet/templates/pod.yml.j2
deleted file mode 100644
index 1504211a..00000000
--- a/roles/apps/jitsi/meet/templates/pod.yml.j2
+++ /dev/null
@@ -1,190 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: "jitsi-meet-{{ jitsi_meet_inst_name }}"
-spec:
- initContainers:
- - name: prepare-config
- image: busybox
- workingDir: /config
- command:
- - sh
- - -c
- - mkdir -p jicofo prosody web jvb
- volumeMounts:
- - name: config
- mountPath: /config
- containers:
- - name: jicofo
- image: "jitsi/jicofo:{{ jitsi_meet_version }}"
- resources:
- requests:
- memory: "1Gi"
- limits:
- memory: "4Gi"
- volumeMounts:
- - name: config
- subPath: jicofo
- mountPath: /config
- env:
- - name: XMPP_SERVER
- value: 127.0.0.1
- - name: XMPP_DOMAIN
- value: meet.jitsi
- - name: XMPP_AUTH_DOMAIN
- value: auth.meet.jitsi
- - name: XMPP_INTERNAL_MUC_DOMAIN
- value: internal-muc.meet.jitsi
-
- - name: JICOFO_COMPONENT_SECRET
- value: "{{ jitsi_meet_secrets.jicofo_component_secret }}"
- - name: JICOFO_AUTH_USER
- value: focus
- - name: JICOFO_AUTH_PASSWORD
- value: "{{ jitsi_meet_secrets.jicofo_auth_password }}"
-
- - name: JVB_BREWERY_MUC
- value: jvbbrewery
-
- - name: TZ
- value: {{ jitsi_meet_timezone }}
-
- - name: prosody
- image: "jitsi/prosody:{{ jitsi_meet_version }}"
- resources:
- requests:
- memory: "128Mi"
- limits:
- memory: "512Mi"
- volumeMounts:
- - name: scripts
- subPath: prosody/cont-init.sh
- mountPath: /etc/cont-init.d/99-k8s
- - name: config
- subPath: prosody
- mountPath: /config
- env:
- - name: XMPP_DOMAIN
- value: meet.jitsi
- - name: XMPP_AUTH_DOMAIN
- value: auth.meet.jitsi
- - name: XMPP_MUC_DOMAIN
- value: muc.meet.jitsi
- - name: XMPP_INTERNAL_MUC_DOMAIN
- value: internal-muc.meet.jitsi
-
- - name: JICOFO_COMPONENT_SECRET
- value: "{{ jitsi_meet_secrets.jicofo_component_secret }}"
- - name: JICOFO_AUTH_USER
- value: focus
- - name: JICOFO_AUTH_PASSWORD
- value: "{{ jitsi_meet_secrets.jicofo_auth_password }}"
-
- - name: JVB_AUTH_USER
- value: jvb
- - name: JVB_AUTH_PASSWORD
- value: "{{ jitsi_meet_secrets.jvb_auth_password }}"
- - name: JVB_TCP_HARVESTER_DISABLED
- value: "true"
-
- - name: TZ
- value: {{ jitsi_meet_timezone }}
-
- - name: web
- image: "jitsi/web:{{ jitsi_meet_version }}"
- resources:
- requests:
- memory: "256Mi"
- limits:
- memory: "1Gi"
- ports:
- - protocol: TCP
- containerPort: 80
- hostPort: {{ jitsi_meet_http_port }}
- hostIP: 127.0.0.1
- volumeMounts:
- - name: config
- subPath: web
- mountPath: /config
- env:
- - name: DISABLE_HTTPS
- value: "1"
- - name: ENABLE_HTTP_REDIRECT
- value: "0"
-
- - name: XMPP_SERVER
- value: 127.0.0.1
- - name: XMPP_DOMAIN
- value: meet.jitsi
- - name: XMPP_AUTH_DOMAIN
- value: auth.meet.jitsi
- - name: XMPP_INTERNAL_MUC_DOMAIN
- value: internal-muc.meet.jitsi
- - name: XMPP_BOSH_URL_BASE
- value: http://127.0.0.1:5280
- - name: XMPP_MUC_DOMAIN
- value: muc.meet.jitsi
-
- - name: JICOFO_AUTH_USER
- value: focus
-
- - name: JVB_TCP_HARVESTER_DISABLED
- value: "true"
-
- - name: TZ
- value: {{ jitsi_meet_timezone }}
-
- - name: jvb
- image: "jitsi/jvb:{{ jitsi_meet_version }}"
- resources:
- requests:
- memory: "1Gi"
- limits:
- memory: "4Gi"
- ports:
- - protocol: UDP
- containerPort: {{ jitsi_meet_jvb_port }}
- hostPort: {{ jitsi_meet_jvb_port }}
- hostIP: "{{ external_ip | default(ansible_default_ipv4.address) }}"
- volumeMounts:
- - name: config
- subPath: jvb
- mountPath: /config
- env:
- - name: XMPP_SERVER
- value: 127.0.0.1
- - name: XMPP_DOMAIN
- value: meet.jitsi
- - name: XMPP_AUTH_DOMAIN
- value: auth.meet.jitsi
- - name: XMPP_INTERNAL_MUC_DOMAIN
- value: internal-muc.meet.jitsi
-
- - name: JICOFO_AUTH_USER
- value: focus
- - name: JICOFO_AUTH_PASSWORD
- value: "{{ jitsi_meet_secrets.jicofo_auth_password }}"
-
- - name: JVB_AUTH_USER
- value: jvb
- - name: JVB_AUTH_PASSWORD
- value: "{{ jitsi_meet_secrets.jvb_auth_password }}"
- - name: JVB_BREWERY_MUC
- value: jvbbrewery
- - name: JVB_PORT
- value: "{{ jitsi_meet_jvb_port }}"
- - name: JVB_TCP_HARVESTER_DISABLED
- value: "true"
- - name: DOCKER_HOST_ADDRESS
- value: "{{ external_ip | default(ansible_default_ipv4.address) }}"
-
- - name: TZ
- value: {{ jitsi_meet_timezone }}
-
- volumes:
- - name: scripts
- hostPath:
- path: "{{ jitsi_meet_base_path }}/{{ jitsi_meet_inst_name }}/scripts"
- - name: config
- emptyDir:
- medium: Memory
diff --git a/roles/apps/nextcloud/tasks/main.yml b/roles/apps/nextcloud/tasks/main.yml
index b08ce2d0..325fa15d 100644
--- a/roles/apps/nextcloud/tasks/main.yml
+++ b/roles/apps/nextcloud/tasks/main.yml
@@ -102,14 +102,24 @@
when: "'custom_image' in item.value"
include_tasks: custom-image.yml
-- name: generate pod manifests
+- name: install pod manifest
loop: "{{ nextcloud_instances | dict2items }}"
loop_control:
label: "{{ item.key }}"
- template:
- src: "pod-with-{{ item.value.database.type }}.yml.j2"
- dest: "/etc/kubernetes/manifests/nextcloud-{{ item.key }}.yml"
- mode: 0600
+ vars:
+ kubernetes_standalone_pod:
+ name: "nextcloud-{{ item.key }}"
+ spec: "{{ lookup('template', 'pod-spec-with-{{ item.value.database.type }}.yml.j2') }}"
+ mode: "0600"
+ config_hash_items:
+ - path: "{{ nextcloud_base_path }}/{{ item.key }}/config/apache-site.conf"
+ properties:
+ - checksum
+ - path: "{{ nextcloud_base_path }}/{{ item.key }}/config/ports.conf"
+ properties:
+ - checksum
+ include_role:
+ name: kubernetes/standalone/pod
- name: install cron trigger script
@@ -141,8 +151,8 @@
- name: configure nginx vhost
loop: "{{ nextcloud_instances | dict2items }}"
- include_role:
- name: nginx/vhost
+ loop_control:
+ label: "{{ item.key }}"
vars:
nginx_vhost:
name: "nextcloud-{{ item.key }}"
@@ -156,6 +166,8 @@
replacement: "https://$host/"
- redirect: "http://$host:8080/"
replacement: "https://$host/"
+ include_role:
+ name: nginx/vhost
- name: install management scripts
diff --git a/roles/apps/nextcloud/templates/pod-spec-with-mariadb.yml.j2 b/roles/apps/nextcloud/templates/pod-spec-with-mariadb.yml.j2
new file mode 100644
index 00000000..b587cad3
--- /dev/null
+++ b/roles/apps/nextcloud/templates/pod-spec-with-mariadb.yml.j2
@@ -0,0 +1,77 @@
+securityContext:
+ allowPrivilegeEscalation: false
+containers:
+- name: nextcloud
+ image: "nextcloud{% if 'custom_image' in item.value %}/{{ item.key }}{% endif %}:{{ item.value.version }}"
+ securityContext:
+ runAsUser: {{ nextcloud_app_uid }}
+ runAsGroup: {{ nextcloud_app_gid }}
+ resources:
+ limits:
+ memory: "4Gi"
+{% if 'new' in item.value and item.value.new %}
+ env:
+ - name: NEXTCLOUD_TRUSTED_DOMAINS
+ value: "{{ item.value.hostnames | join(' ') }}"
+ - name: MYSQL_HOST
+ value: 127.0.0.1
+ - name: MYSQL_DATABASE
+ value: nextcloud
+ - name: MYSQL_USER
+ value: nextcloud
+ - name: MYSQL_PASSWORD
+ value: "{{ item.value.database.password }}"
+{% endif %}
+ volumeMounts:
+ - name: nextcloud
+ mountPath: /var/www/html
+ - name: config
+ mountPath: /etc/apache2/sites-available/000-default.conf
+ subPath: apache-site.conf
+ readOnly: true
+ - name: config
+ mountPath: /etc/apache2/ports.conf
+ subPath: ports.conf
+ readOnly: true
+ ports:
+ - containerPort: 8080
+ hostPort: {{ item.value.port }}
+ hostIP: 127.0.0.1
+- name: database
+ image: "mariadb:{{ item.value.database.version }}"
+ args:
+ - --transaction-isolation=READ-COMMITTED
+ - --binlog-format=ROW
+ securityContext:
+ runAsUser: {{ nextcloud_db_uid }}
+ runAsGroup: {{ nextcloud_db_gid }}
+ resources:
+ limits:
+ memory: "2Gi"
+{% if 'new' in item.value and item.value.new %}
+ env:
+ - name: MYSQL_RANDOM_ROOT_PASSWORD
+ value: "true"
+ - name: MYSQL_DATABASE
+ value: nextcloud
+ - name: MYSQL_USER
+ value: nextcloud
+ - name: MYSQL_PASSWORD
+ value: "{{ item.value.database.password }}"
+{% endif %}
+ volumeMounts:
+ - name: database
+ mountPath: /var/lib/mysql
+volumes:
+- name: config
+ hostPath:
+ path: "{{ nextcloud_base_path }}/{{ item.key }}/config/"
+ type: Directory
+- name: nextcloud
+ hostPath:
+ path: "{{ nextcloud_base_path }}/{{ item.key }}/nextcloud"
+ type: Directory
+- name: database
+ hostPath:
+ path: "{{ nextcloud_base_path }}/{{ item.key }}/{{ item.value.database.type }}"
+ type: Directory
diff --git a/roles/apps/nextcloud/templates/pod-with-mariadb.yml.j2 b/roles/apps/nextcloud/templates/pod-with-mariadb.yml.j2
deleted file mode 100644
index 20752490..00000000
--- a/roles/apps/nextcloud/templates/pod-with-mariadb.yml.j2
+++ /dev/null
@@ -1,82 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: "nextcloud-{{ item.key }}"
-spec:
- securityContext:
- allowPrivilegeEscalation: false
- containers:
- - name: nextcloud
- image: "nextcloud{% if 'custom_image' in item.value %}/{{ item.key }}{% endif %}:{{ item.value.version }}"
- securityContext:
- runAsUser: {{ nextcloud_app_uid }}
- runAsGroup: {{ nextcloud_app_gid }}
- resources:
- limits:
- memory: "4Gi"
-{% if 'new' in item.value and item.value.new %}
- env:
- - name: NEXTCLOUD_TRUSTED_DOMAINS
- value: "{{ item.value.hostnames | join(' ') }}"
- - name: MYSQL_HOST
- value: 127.0.0.1
- - name: MYSQL_DATABASE
- value: nextcloud
- - name: MYSQL_USER
- value: nextcloud
- - name: MYSQL_PASSWORD
- value: "{{ item.value.database.password }}"
-{% endif %}
- volumeMounts:
- - name: nextcloud
- mountPath: /var/www/html
- - name: config
- mountPath: /etc/apache2/sites-available/000-default.conf
- subPath: apache-site.conf
- readOnly: true
- - name: config
- mountPath: /etc/apache2/ports.conf
- subPath: ports.conf
- readOnly: true
- ports:
- - containerPort: 8080
- hostPort: {{ item.value.port }}
- hostIP: 127.0.0.1
- - name: database
- image: "mariadb:{{ item.value.database.version }}"
- args:
- - --transaction-isolation=READ-COMMITTED
- - --binlog-format=ROW
- securityContext:
- runAsUser: {{ nextcloud_db_uid }}
- runAsGroup: {{ nextcloud_db_gid }}
- resources:
- limits:
- memory: "2Gi"
-{% if 'new' in item.value and item.value.new %}
- env:
- - name: MYSQL_RANDOM_ROOT_PASSWORD
- value: "true"
- - name: MYSQL_DATABASE
- value: nextcloud
- - name: MYSQL_USER
- value: nextcloud
- - name: MYSQL_PASSWORD
- value: "{{ item.value.database.password }}"
-{% endif %}
- volumeMounts:
- - name: database
- mountPath: /var/lib/mysql
- volumes:
- - name: config
- hostPath:
- path: "{{ nextcloud_base_path }}/{{ item.key }}/config/"
- type: Directory
- - name: nextcloud
- hostPath:
- path: "{{ nextcloud_base_path }}/{{ item.key }}/nextcloud"
- type: Directory
- - name: database
- hostPath:
- path: "{{ nextcloud_base_path }}/{{ item.key }}/{{ item.value.database.type }}"
- type: Directory
diff --git a/roles/kubernetes/standalone/defaults/main.yml b/roles/kubernetes/standalone/base/defaults/main.yml
index b0c14b11..b0c14b11 100644
--- a/roles/kubernetes/standalone/defaults/main.yml
+++ b/roles/kubernetes/standalone/base/defaults/main.yml
diff --git a/roles/kubernetes/standalone/handlers/main.yml b/roles/kubernetes/standalone/base/handlers/main.yml
index 26438551..26438551 100644
--- a/roles/kubernetes/standalone/handlers/main.yml
+++ b/roles/kubernetes/standalone/base/handlers/main.yml
diff --git a/roles/kubernetes/standalone/tasks/main.yml b/roles/kubernetes/standalone/base/tasks/main.yml
index 241c3136..241c3136 100644
--- a/roles/kubernetes/standalone/tasks/main.yml
+++ b/roles/kubernetes/standalone/base/tasks/main.yml
diff --git a/roles/kubernetes/standalone/templates/cni-no-portmap.conflist.j2 b/roles/kubernetes/standalone/base/templates/cni-no-portmap.conflist.j2
index be47f216..be47f216 100644
--- a/roles/kubernetes/standalone/templates/cni-no-portmap.conflist.j2
+++ b/roles/kubernetes/standalone/base/templates/cni-no-portmap.conflist.j2
diff --git a/roles/kubernetes/standalone/templates/cni-with-localonly-portmap.conflist.j2 b/roles/kubernetes/standalone/base/templates/cni-with-localonly-portmap.conflist.j2
index acaf7eba..acaf7eba 100644
--- a/roles/kubernetes/standalone/templates/cni-with-localonly-portmap.conflist.j2
+++ b/roles/kubernetes/standalone/base/templates/cni-with-localonly-portmap.conflist.j2
diff --git a/roles/kubernetes/standalone/templates/cni-with-portmap.conflist.j2 b/roles/kubernetes/standalone/base/templates/cni-with-portmap.conflist.j2
index 9f9b2b9a..9f9b2b9a 100644
--- a/roles/kubernetes/standalone/templates/cni-with-portmap.conflist.j2
+++ b/roles/kubernetes/standalone/base/templates/cni-with-portmap.conflist.j2
diff --git a/roles/kubernetes/standalone/templates/kubelet-config.yml.j2 b/roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2
index d6af0f24..d6af0f24 100644
--- a/roles/kubernetes/standalone/templates/kubelet-config.yml.j2
+++ b/roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2
diff --git a/roles/kubernetes/standalone/templates/kubelet.service.override.j2 b/roles/kubernetes/standalone/base/templates/kubelet.service.override.j2
index fe8bfb4c..fe8bfb4c 100644
--- a/roles/kubernetes/standalone/templates/kubelet.service.override.j2
+++ b/roles/kubernetes/standalone/base/templates/kubelet.service.override.j2
diff --git a/roles/kubernetes/standalone/pod/defaults/main.yml b/roles/kubernetes/standalone/pod/defaults/main.yml
new file mode 100644
index 00000000..2eae33a3
--- /dev/null
+++ b/roles/kubernetes/standalone/pod/defaults/main.yml
@@ -0,0 +1,23 @@
+---
+# kubernetes_standalone_pod:
+# name: example
+# labels:
+# foo: bar
+# annotations:
+# hello: world
+# spec: |
+# containers:
+# - name: test
+# image: "debian:stable"
+# command:
+# - /bin/bash
+# - -c
+# - "sleep inf"
+# mode: "0600"
+# config_hash_items:
+# - path: /path/to/configfile
+# properties:
+# - checksum
+# - mode
+# - uid
+# - gid
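Review bot: The commented example does not say which keys are mandatory; from `tasks/main.yml`, `name` and `spec` are always read, `labels`, `annotations`, `mode` and `config_hash_items` are each guarded (`'labels' in …`, `mode | default(omit)`, …), and every `config_hash_items[].path` must exist on the host or the role's assert fails. One annotation per key, e.g. `# name: example   # required` and `# config_hash_items:   # optional; every path must exist`, would save the next caller a trip into the tasks file. It is also worth stating that `spec` is inserted with `indent(2)` under `spec:`, so it must be the pod spec body, not a complete Pod object.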
diff --git a/roles/kubernetes/standalone/pod/tasks/main.yml b/roles/kubernetes/standalone/pod/tasks/main.yml
new file mode 100644
index 00000000..7f87cf3f
--- /dev/null
+++ b/roles/kubernetes/standalone/pod/tasks/main.yml
@@ -0,0 +1,74 @@
+---
+- name: generate config-hash
+ when: "'config_hash_items' in kubernetes_standalone_pod"
+ block:
+ - name: create directory for config-hash files
+ file:
+ path: /etc/kubernetes/config-hashes
+ state: directory
+
+ - name: gather stats for config-hash items
+ loop: "{{ kubernetes_standalone_pod.config_hash_items }}"
+ loop_control:
+ loop_var: config_hash_item
+ label: "{{ config_hash_item.path }} ({{ config_hash_item.properties | sort | join(', ') }})"
+ stat:
+ path: "{{ config_hash_item.path }}"
+ get_checksum: yes
+ checksum_algorithm: sha256
+ register: config_hash_items_stat
+
+ - assert:
+ msg: "at least one config-hash item does not exist"
+ that: false not in (config_hash_items_stat.results | map(attribute='stat.exists'))
+
+ - name: generate config-hash file
+ copy:
+ content: |
+ {% for result in config_hash_items_stat.results %}
+ {{ result.config_hash_item.path }}:
+ {% for property in (result.config_hash_item.properties | sort) %}
+ {{ property }}: {{ result.stat[property] }}
+ {% endfor %}
+ {% endfor %}
+ dest: "/etc/kubernetes/config-hashes/{{ kubernetes_standalone_pod.name }}.yml"
+
+ - name: compute config-hash value from file
+ stat:
+ path: "/etc/kubernetes/config-hashes/{{ kubernetes_standalone_pod.name }}.yml"
+ get_checksum: yes
+ checksum_algorithm: sha256
+ register: config_hash_file_stat
+
+ - name: set config-hash value
+ set_fact:
+ config_hash_value: "{{ config_hash_file_stat.stat.checksum }}"
+
+- name: remove config-hash file
+ when: "'config_hash_items' not in kubernetes_standalone_pod"
+ file:
+ path: "/etc/kubernetes/config-hashes/{{ kubernetes_standalone_pod.name }}.yml"
+ state: absent
+
+- name: generate pod manifest
+ copy:
+ content: |
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: "{{ kubernetes_standalone_pod.name }}"
+ {% if 'labels' in kubernetes_standalone_pod %}
+ labels:
+ {{ kubernetes_standalone_pod.labels | to_nice_yaml(indent=2) | indent(4) }}{% endif %}
+ {% if config_hash_value is defined or'annotations' in kubernetes_standalone_pod %}
+ annotations:
+ {% if config_hash_value is defined %}
+ config-hash: "{{ config_hash_value }}"
+ {% endif %}
+ {% if 'annotations' in kubernetes_standalone_pod %}
+ {{ kubernetes_standalone_pod.annotations | default({}) | to_nice_yaml(indent=2) | indent(4) }}{% endif %}
+ {% endif %}
+ spec:
+ {{ kubernetes_standalone_pod.spec | indent(2) }}
+ dest: "/etc/kubernetes/manifests/{{ kubernetes_standalone_pod.name }}.yml"
+ mode: "{{ kubernetes_standalone_pod.mode | default(omit) }}"
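Review bot: `config_hash_value` is created with `set_fact`, so it is a host fact that survives into later includes of this role on the same host; when an include without `config_hash_items` follows one that had them (the `remove config-hash file` task runs but nothing clears the fact), the manifest template still sees `config_hash_value is defined` and writes the previous pod's hash as this pod's `config-hash` annotation. Keying both template checks on the input instead of the fact avoids the stale carry-over: `{% if 'config_hash_items' in kubernetes_standalone_pod or 'annotations' in kubernetes_standalone_pod %}` and `{% if 'config_hash_items' in kubernetes_standalone_pod %}`; this also restores the missing space in `or'annotations'`, which Jinja happens to tokenise but reads as a typo. Since the manifest carries whatever the caller puts in `spec` (several callers in this merge pass database or XMPP credentials as env values), consider `mode: "{{ kubernetes_standalone_pod.mode | default('0600') }}"` so an omitted `mode` does not fall back to the host umask for a file that may hold secrets.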