switch to psql

2024-10-27 09:53:00 +01:00
parent 708f07a7ef
commit 6ee87d059e
6 changed files with 164 additions and 109 deletions


@@ -1,10 +1,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: zitadel-cert-creator
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/sync-wave: "2"
name: certs-creator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
@@ -13,18 +10,15 @@ metadata:
rules:
- apiGroups: [ "" ]
resources: [ "secrets" ]
verbs: [ "create" ]
verbs: [ "create", "patch" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: zitadel-cert-creator
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/sync-wave: "2"
name: certs-creator
subjects:
- kind: ServiceAccount
name: zitadel-cert-creator
name: certs-creator
roleRef:
kind: Role
name: secret-creator
@@ -33,81 +27,122 @@ roleRef:
apiVersion: batch/v1
kind: Job
metadata:
name: create-zitadel-cert
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/sync-wave: "2"
name: create-certs
spec:
template:
spec:
restartPolicy: OnFailure
serviceAccountName: zitadel-cert-creator
containers:
- command:
- /bin/bash
- -ecx
- |
cockroach cert create-client \
--certs-dir /cockroach/cockroach-certs \
--ca-key /cockroach/cockroach-certs/ca.key \
--lifetime 8760h \
zitadel
export SECRET=$(cat <<EOF
{
"apiVersion": "v1",
"kind": "Secret",
"data": {
"ca.crt": "$(base64 /cockroach/cockroach-certs/ca.crt --wrap 0)",
"tls.crt": "$(base64 /cockroach/cockroach-certs/client.zitadel.crt --wrap 0)",
"tls.key": "$(base64 /cockroach/cockroach-certs/client.zitadel.key --wrap 0)"
},
"metadata": {
"name": "db-cockroachdb-zitadel-secret"
},
"type": "kubernetes.io/tls"
}
EOF
)
export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt
curl \
--cacert ${CACERT} \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
--data "$(echo -n $SECRET | tr -d '\n')"
image: cockroachdb/cockroach:v23.1.8
imagePullPolicy: IfNotPresent
name: create-zitadel-cert
volumeMounts:
- mountPath: /cockroach/cockroach-certs/
name: certs
serviceAccountName: certs-creator
initContainers:
- command:
- /bin/sh
- -c
- cp -f /certs/* /cockroach-certs/; chmod 0400 /cockroach-certs/*.key
image: busybox
- /bin/ash
- -c
- |
function createKey() {
USER=$1
openssl genrsa -out ${USER}.key 2048
echo "created ${USER}.key"
}
function createSigningRequest() {
USER=$1
openssl req -new -key ${USER}.key -extensions 'v3_req' -out ${USER}.csr -config <(generateServerConfig)
echo "created ${USER}.csr"
}
function generateServerConfig() {
cat<<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = db-postgresql
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:postgres,DNS:zitadel,DNS:db-postgresql
EOF
}
function signCertificate() {
INCSR=$1 OUTCRT=$2 CA_CRT=$3 CA_KEY=$4
openssl x509 -req -in $INCSR -CA $CA_CRT -CAkey $CA_KEY -CAcreateserial -days 365 -out $OUTCRT -extensions v3_req -extfile <(generateServerConfig)
}
function secretJson {
USER=$1
cat<<EOF
{
"apiVersion": "v1",
"kind": "Secret",
"data": {
"ca.crt": "$(base64 -w 0 ./ca.crt)",
"tls.crt": "$(base64 -w 0 ./${USER}.crt)",
"tls.key": "$(base64 -w 0 ./${USER}.key)"
},
"metadata": {
"name": "${USER}-cert"
},
"type": "kubernetes.io/tls"
}
EOF
}
function createCertSecret {
USER=$1
secretJson ${USER} >> ${USER}-cert.json
}
cd /secret
# Create a CA key and cert for signing other certs
createKey ca
openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=My Custom CA"
createKey postgres
createSigningRequest postgres
signCertificate postgres.csr postgres.crt ca.crt ca.key
createCertSecret postgres
createKey zitadel
createSigningRequest zitadel
signCertificate zitadel.csr zitadel.crt ca.crt ca.key
createCertSecret zitadel
image: alpine/openssl
imagePullPolicy: IfNotPresent
name: copy-certs
name: create-certs
volumeMounts:
- mountPath: /cockroach-certs/
name: certs
- mountPath: /certs/
name: certs-secret
- mountPath: /secret
name: secret
containers:
- image: alpine/curl
name: apply-certs
imagePullPolicy: IfNotPresent
command:
- /bin/ash
- -c
- |
export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt
function uploadSecret {
USER=$1
curl \
--cacert ${CACERT} \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
--data "$(tr -d '\n' < /secret/${USER}-cert.json)" \
> /dev/null || echo "error uploading ${USER} secret: $?"
}
uploadSecret postgres
uploadSecret zitadel
volumeMounts:
- mountPath: /secret
name: secret
volumes:
- emptyDir: {}
name: certs
- name: certs-secret
projected:
defaultMode: 420
sources:
- secret:
items:
- key: ca.crt
mode: 256
path: ca.crt
- key: ca.key
mode: 256
path: ca.key
name: cockroachdb-ca-secret
- name: secret
emptyDir:
medium: Memory
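Review bot: The upload step on L194-L200 cannot detect a rejected request: curl exits 0 on an HTTP 403 or 409, so the `|| echo "error uploading …"` on L200 never fires, and the init script on L108-L170 now runs under a plain `-c` where the old command used `-ecx`, so a failed `openssl` call does not stop the chain and a partial secret is still uploaded. Add `set -eu` as the first line of both scripts and call `curl -sSf \` so a non-2xx response fails the Job. The script also only POSTs (L198) although the Role newly grants `patch` (L28); on a second sync the existing `postgres-cert`/`zitadel-cert` secrets return 409 and, with the change above, the Job would then fail, so decide whether the upload should fall back to a PATCH or the Job is meant to be one-shot. Finally, L128-L130 give every certificate, including the `zitadel` client certificate, the server's CN/SAN and only `extendedKeyUsage = serverAuth`; if the server is ever configured to verify client certificates that cert would be rejected, so a separate client config with `CN = ${USER}` and `extendedKeyUsage = clientAuth` is worth splitting out now.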


@@ -1,13 +0,0 @@
tls:
enabled: true
annotations:
argocd.argoproj.io/hook: Sync
storage:
persistentVolume:
size: 5Gi
init:
jobAnnotations:
argocd.argoproj.io/hook: Sync


@@ -8,12 +8,12 @@ resources:
- ./ingressRoute.yaml
helmCharts:
- name: cockroachdb
repo: https://charts.cockroachdb.com/
releaseName: cockroachdb
- name: bitnami
repo: https://charts.bitnami.com/bitnami
releaseName: postgresql
namespace: generations-heritage
version: 12.0.2
valuesFile: cockroach-values.yaml
version: 12.10.0
valuesFile: postgres-values.yaml
- name: zitadel
repo: https://charts.zitadel.com
releaseName: zitadel
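Review bot: `name: bitnami` on L249 is, in kustomize's `helmCharts`, the chart name rather than a repository alias, so it would request a chart literally called `bitnami` from that repo; the values file added in this commit (`volumePermissions`, `tls.certificatesSecret`) reads like bitnami/postgresql's, so the entry presumably wants `- name: postgresql` with `releaseName: postgresql` kept. Confirm by running `kustomize build --enable-helm` on the overlay before merging. Pinning `version: 12.10.0` is the right call; keep it pinned rather than floating.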


@@ -0,0 +1,25 @@
annotations:
argocd.argoproj.io/hook: Sync
volumePermissions:
enabled: true
tls:
enabled: true
certificatesSecret: postgres-cert
certFilename: "tls.crt"
certKeyFilename: "tls.key"
persistence:
size: 2Gi
init:
jobAnnotations:
argocd.argoproj.io/hook: Sync
env:
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-auth
key: admin-password
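Review bot: `tls.certificatesSecret: postgres-cert` on L270 is the secret the cert Job fills with the server certificate and its private key, and the zitadel values in this same commit mount that secret as `dbSslAdminCrtSecret`, so the database server's TLS private key ends up inside the Zitadel pod. Issue a distinct client certificate for the admin connection (the init script already generates per-name certs, so adding a third name such as `postgres-admin` and pointing `dbSslAdminCrtSecret` at it keeps the server key confined to the database pod). Worth confirming against the chart's values schema that top-level `env`, `persistence` and `init.jobAnnotations` are keys this chart actually reads (bitnami/postgresql 12.x nests persistence and extra env under `primary`, and takes the admin password via `auth.existingSecret` / `auth.secretKeys.adminPasswordKey`); unknown keys are silently ignored, in which case `POSTGRES_PASSWORD` would not come from `postgres-auth` and Zitadel's admin password would not match. `volumePermissions.enabled: true` runs a root init container to chown the data volume; leave it false if the storage class already honours fsGroup.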


@@ -13,11 +13,11 @@ stringData:
apiVersion: v1
kind: Secret
metadata:
name: cockroach-auth
name: postgres-auth
annotations:
argocd.argoproj.io/hook: PreSync
labels:
secret-generator.cs.sap.com/enabled: "true"
stringData:
cockroach-password: "%generate"
admin-password: "%generate"
user-password: "%generate"


@@ -7,18 +7,26 @@ zitadel:
TLS:
Enabled: false
Database:
Cockroach:
Host: cockroachdb-public
Postgres:
Host: db-postgresql
Port: 5432
Database: zitadel
MaxOpenConns: 20
MaxIdleConns: 10
MaxConnLifetime: 30m
MaxConnIdleTime: 5m
User:
Username: zitadel
SSL:
Mode: verify-full
Admin:
Username: postgres
SSL:
Mode: verify-full
dbSslCaCrtSecret: cockroachdb-ca-secret
dbSslAdminCrtSecret: cockroachdb-client-secret
dbSslUserCrtSecret: db-cockroachdb-zitadel-secret
dbSslCaCrtSecret: postgres-cert
dbSslAdminCrtSecret: postgres-cert
dbSslUserCrtSecret: zitadel-cert
image:
repository: ghcr.io/zitadel/zitadel
@@ -40,14 +48,14 @@ env:
name: zitadel-masterkey
key: admin-password
- name: ZITADEL_DATABASE_COCKROACH_USER_PASSWORD
- name: ZITADEL_DATABASE_POSTGRES_USER_PASSWORD
valueFrom:
secretKeyRef:
name: cockroach-auth
name: postgres-auth
key: user-password
- name: ZITADEL_DATABASE_COCKROACH_ADMIN_PASSWORD
- name: ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: cockroach-auth
key: cockroach-password
name: postgres-auth
key: admin-password