vcscsvcscs/GenerationsHeritage
1
0
Fork 0
mirror of https://github.com/vcscsvcscs/GenerationsHeritage.git synced 2025-08-16 07:49:06 +02:00
Code Issues Packages Projects Releases Wiki Activity

switch to psql

Browse Source
This commit is contained in:
Vargha Csongor
2024-10-27 09:53:00 +01:00
parent 708f07a7ef
commit 6ee87d059e
6 changed files with 164 additions and 109 deletions
Download Patch File Download Diff File Expand all files Collapse all files

193
deployment/zitadel/cert-job.yaml
View File

@@ -1,10 +1,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: zitadel-cert-creator
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/sync-wave: "2"
name: certs-creator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
@@ -13,18 +10,15 @@ metadata:
rules:
- apiGroups: [ "" ]
resources: [ "secrets" ]
verbs: [ "create" ]
verbs: [ "create", "patch" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: zitadel-cert-creator
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/sync-wave: "2"
name: certs-creator
subjects:
- kind: ServiceAccount
name: zitadel-cert-creator
name: certs-creator
roleRef:
kind: Role
name: secret-creator
@@ -33,81 +27,122 @@ roleRef:
apiVersion: batch/v1
kind: Job
metadata:
name: create-zitadel-cert
annotations:
argocd.argoproj.io/hook: Sync
argocd.argoproj.io/sync-wave: "2"
name: create-certs
spec:
template:
spec:
restartPolicy: OnFailure
serviceAccountName: zitadel-cert-creator
containers:
- command:
- /bin/bash
- -ecx
- |
cockroach cert create-client \
--certs-dir /cockroach/cockroach-certs \
--ca-key /cockroach/cockroach-certs/ca.key \
--lifetime 8760h \
zitadel
export SECRET=$(cat <<EOF
{
"apiVersion": "v1",
"kind": "Secret",
"data": {
"ca.crt": "$(base64 /cockroach/cockroach-certs/ca.crt --wrap 0)",
"tls.crt": "$(base64 /cockroach/cockroach-certs/client.zitadel.crt --wrap 0)",
"tls.key": "$(base64 /cockroach/cockroach-certs/client.zitadel.key --wrap 0)"
},
"metadata": {
"name": "db-cockroachdb-zitadel-secret"
},
"type": "kubernetes.io/tls"
}
EOF
)
export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt
curl \
--cacert ${CACERT} \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
--data "$(echo -n $SECRET | tr -d '\n')"
image: cockroachdb/cockroach:v23.1.8
imagePullPolicy: IfNotPresent
name: create-zitadel-cert
volumeMounts:
- mountPath: /cockroach/cockroach-certs/
name: certs
serviceAccountName: certs-creator
initContainers:
- command:
- /bin/sh
- -c
- cp -f /certs/* /cockroach-certs/; chmod 0400 /cockroach-certs/*.key
image: busybox
- /bin/ash
- -c
- |
function createKey() {
USER=$1
openssl genrsa -out ${USER}.key 2048
echo "created ${USER}.key"
}
function createSigningRequest() {
USER=$1
openssl req -new -key ${USER}.key -extensions 'v3_req' -out ${USER}.csr -config <(generateServerConfig)
echo "created ${USER}.csr"
}
function generateServerConfig() {
cat<<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = db-postgresql
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:postgres,DNS:zitadel,DNS:db-postgresql
EOF
}
function signCertificate() {
INCSR=$1 OUTCRT=$2 CA_CRT=$3 CA_KEY=$4
openssl x509 -req -in $INCSR -CA $CA_CRT -CAkey $CA_KEY -CAcreateserial -days 365 -out $OUTCRT -extensions v3_req -extfile <(generateServerConfig)
}
function secretJson {
USER=$1
cat<<EOF
{
"apiVersion": "v1",
"kind": "Secret",
"data": {
"ca.crt": "$(base64 -w 0 ./ca.crt)",
"tls.crt": "$(base64 -w 0 ./${USER}.crt)",
"tls.key": "$(base64 -w 0 ./${USER}.key)"
},
"metadata": {
"name": "${USER}-cert"
},
"type": "kubernetes.io/tls"
}
EOF
}
function createCertSecret {
USER=$1
secretJson ${USER} >> ${USER}-cert.json
}
cd /secret
# Create a CA key and cert for signing other certs
createKey ca
openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=My Custom CA"
createKey postgres
createSigningRequest postgres
signCertificate postgres.csr postgres.crt ca.crt ca.key
createCertSecret postgres
createKey zitadel
createSigningRequest zitadel
signCertificate zitadel.csr zitadel.crt ca.crt ca.key
createCertSecret zitadel
image: alpine/openssl
imagePullPolicy: IfNotPresent
name: copy-certs
name: create-certs
volumeMounts:
- mountPath: /cockroach-certs/
name: certs
- mountPath: /certs/
name: certs-secret
- mountPath: /secret
name: secret
containers:
- image: alpine/curl
name: apply-certs
imagePullPolicy: IfNotPresent
command:
- /bin/ash
- -c
- |
export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt
function uploadSecret {
USER=$1
curl \
--cacert ${CACERT} \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
--data "$(tr -d '\n' < /secret/${USER}-cert.json)" \
> /dev/null || echo "error uploading ${USER} secret: $?"
}
uploadSecret postgres
uploadSecret zitadel
volumeMounts:
- mountPath: /secret
name: secret
volumes:
- emptyDir: {}
name: certs
- name: certs-secret
projected:
defaultMode: 420
sources:
- secret:
items:
- key: ca.crt
mode: 256
path: ca.crt
- key: ca.key
mode: 256
path: ca.key
name: cockroachdb-ca-secret
- name: secret
emptyDir:
medium: Memory