mirror of
https://github.com/vcscsvcscs/GenerationsHeritage.git
synced 2025-08-12 22:09:07 +02:00
fixup deployment
This commit is contained in:
@@ -1,4 +1,3 @@
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
@@ -16,15 +15,3 @@ spec:
|
||||
port: 443
|
||||
scheme: https
|
||||
serversTransport: gh-backend
|
||||
tls: {}
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: ServersTransport
|
||||
metadata:
|
||||
name: gh-backend
|
||||
annotations:
|
||||
argocd.argoproj.io/hook: PostSync
|
||||
spec:
|
||||
insecureSkipVerify: true
|
||||
rootCAsSecrets:
|
||||
- gh-backend-tls
|
||||
@@ -10,7 +10,7 @@ helmCharts:
|
||||
repo: https://memgraph.github.io/helm-charts
|
||||
releaseName: memgraph
|
||||
namespace: generations-heritage
|
||||
version: 0.1.1
|
||||
version: 0.1.6
|
||||
valuesFile: ./values.yaml
|
||||
|
||||
patches:
|
||||
|
||||
11
deployment/memgraph/secrets.yaml
Normal file
11
deployment/memgraph/secrets.yaml
Normal file
@@ -0,0 +1,11 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: memgraph-secrets
|
||||
annotations:
|
||||
argocd.argoproj.io/hook: PreSync
|
||||
labels:
|
||||
secret-generator.cs.sap.com/enabled: "true"
|
||||
stringData:
|
||||
USER: "%generate"
|
||||
PASSWORD: "%generate"
|
||||
@@ -1,7 +1,5 @@
|
||||
image:
|
||||
repository: memgraph/memgraph
|
||||
# Overrides the image tag whose default is v{{ .Chart.AppVersion }}
|
||||
tag: ""
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
replicaCount: 1
|
||||
@@ -11,7 +9,6 @@ service:
|
||||
port: 7687
|
||||
targetPort: 7687
|
||||
protocol: TCP
|
||||
annotations: {}
|
||||
|
||||
persistentVolumeClaim:
|
||||
storagePVC: true
|
||||
@@ -24,29 +21,8 @@ memgraphConfig:
|
||||
- "--bolt-cert-file=/etc/memgraph/ssl/tls.crt"
|
||||
- "--bolt-key-file=/etc/memgraph/ssl/tls.key"
|
||||
|
||||
# Annotations to add to the statefulSet
|
||||
statefulSetAnnotations: {}
|
||||
# Annotations to add to the Pod
|
||||
podAnnotations: {}
|
||||
|
||||
resources:
|
||||
{}
|
||||
# We usually recommend not to specify default resources and to leave this as a conscious
|
||||
# choice for the user. This also increases chances charts run on environments with little
|
||||
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
||||
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
||||
# limits:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
# requests:
|
||||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
|
||||
serviceAccount:
|
||||
# Specifies whether a service account should be created
|
||||
create: true
|
||||
# Annotations to add to the service account
|
||||
annotations: {}
|
||||
# The name of the service account to use.
|
||||
# If not set and create is true, a name is generated using the fullname template
|
||||
name: ""
|
||||
secrets:
|
||||
enabled: false
|
||||
name: memgraph-secrets
|
||||
userKey: USER
|
||||
passwordKey: PASSWORD
|
||||
6
deployment/server-transport.yaml
Normal file
6
deployment/server-transport.yaml
Normal file
@@ -0,0 +1,6 @@
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: ServersTransport
|
||||
metadata:
|
||||
name: server-transport
|
||||
spec:
|
||||
insecureSkipVerify: true
|
||||
@@ -1,148 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: certs-creator
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: secret-creator
|
||||
rules:
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "secrets" ]
|
||||
verbs: [ "create", "patch" ]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: certs-creator
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: certs-creator
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: secret-creator
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: create-certs
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
serviceAccountName: certs-creator
|
||||
initContainers:
|
||||
- command:
|
||||
- /bin/ash
|
||||
- -c
|
||||
- |
|
||||
function createKey() {
|
||||
USER=$1
|
||||
openssl genrsa -out ${USER}.key 2048
|
||||
echo "created ${USER}.key"
|
||||
}
|
||||
|
||||
function createSigningRequest() {
|
||||
USER=$1
|
||||
openssl req -new -key ${USER}.key -extensions 'v3_req' -out ${USER}.csr -config <(generateServerConfig)
|
||||
echo "created ${USER}.csr"
|
||||
}
|
||||
|
||||
function generateServerConfig() {
|
||||
cat<<EOF
|
||||
[req]
|
||||
distinguished_name = req_distinguished_name
|
||||
x509_extensions = v3_req
|
||||
prompt = no
|
||||
[req_distinguished_name]
|
||||
CN = db-postgresql
|
||||
[v3_req]
|
||||
keyUsage = keyEncipherment, dataEncipherment
|
||||
extendedKeyUsage = serverAuth
|
||||
subjectAltName = DNS:postgres,DNS:zitadel,DNS:db-postgresql
|
||||
EOF
|
||||
}
|
||||
|
||||
function signCertificate() {
|
||||
INCSR=$1 OUTCRT=$2 CA_CRT=$3 CA_KEY=$4
|
||||
openssl x509 -req -in $INCSR -CA $CA_CRT -CAkey $CA_KEY -CAcreateserial -days 365 -out $OUTCRT -extensions v3_req -extfile <(generateServerConfig)
|
||||
}
|
||||
|
||||
function secretJson {
|
||||
USER=$1
|
||||
cat<<EOF
|
||||
{
|
||||
"apiVersion": "v1",
|
||||
"kind": "Secret",
|
||||
"data": {
|
||||
"ca.crt": "$(base64 -w 0 ./ca.crt)",
|
||||
"tls.crt": "$(base64 -w 0 ./${USER}.crt)",
|
||||
"tls.key": "$(base64 -w 0 ./${USER}.key)"
|
||||
},
|
||||
"metadata": {
|
||||
"name": "${USER}-cert"
|
||||
},
|
||||
"type": "kubernetes.io/tls"
|
||||
}
|
||||
EOF
|
||||
}
|
||||
|
||||
function createCertSecret {
|
||||
USER=$1
|
||||
secretJson ${USER} >> ${USER}-cert.json
|
||||
}
|
||||
|
||||
cd /secret
|
||||
|
||||
# Create a CA key and cert for signing other certs
|
||||
createKey ca
|
||||
openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=My Custom CA"
|
||||
|
||||
createKey postgres
|
||||
createSigningRequest postgres
|
||||
signCertificate postgres.csr postgres.crt ca.crt ca.key
|
||||
createCertSecret postgres
|
||||
|
||||
createKey zitadel
|
||||
createSigningRequest zitadel
|
||||
signCertificate zitadel.csr zitadel.crt ca.crt ca.key
|
||||
createCertSecret zitadel
|
||||
image: alpine/openssl
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: create-certs
|
||||
volumeMounts:
|
||||
- mountPath: /secret
|
||||
name: secret
|
||||
containers:
|
||||
- image: alpine/curl
|
||||
name: apply-certs
|
||||
imagePullPolicy: IfNotPresent
|
||||
command:
|
||||
- /bin/ash
|
||||
- -c
|
||||
- |
|
||||
export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
|
||||
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt
|
||||
|
||||
function uploadSecret {
|
||||
USER=$1
|
||||
curl \
|
||||
--cacert ${CACERT} \
|
||||
--header "Authorization: Bearer ${TOKEN}" \
|
||||
--header "Content-Type: application/json" \
|
||||
-X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
|
||||
--data "$(tr -d '\n' < /secret/${USER}-cert.json)" \
|
||||
> /dev/null || echo "error uploading ${USER} secret: $?"
|
||||
}
|
||||
|
||||
uploadSecret postgres
|
||||
uploadSecret zitadel
|
||||
volumeMounts:
|
||||
- mountPath: /secret
|
||||
name: secret
|
||||
volumes:
|
||||
- name: secret
|
||||
emptyDir:
|
||||
medium: Memory
|
||||
97
deployment/zitadel/certificate.yaml
Normal file
97
deployment/zitadel/certificate.yaml
Normal file
@@ -0,0 +1,97 @@
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: trust-manager-selfsigned-issuer
|
||||
spec:
|
||||
selfSigned: {}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: zitadel-root-certificate
|
||||
spec:
|
||||
isCA: true
|
||||
commonName: zitadel-root-certificate-ca
|
||||
secretName: zitadel-root-certificate-ca-secret
|
||||
privateKey:
|
||||
algorithm: ECDSA
|
||||
size: 256
|
||||
issuerRef:
|
||||
name: trust-manager-selfsigned-issuer
|
||||
kind: Issuer
|
||||
group: cert-manager.io
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: zitadel-ca-issuer
|
||||
spec:
|
||||
ca:
|
||||
secretName: zitadel-root-certificate-ca-secret
|
||||
---
|
||||
apiVersion: trust.cert-manager.io/v1alpha1
|
||||
kind: Bundle
|
||||
metadata:
|
||||
name: in-cluster-trust-bundle
|
||||
spec:
|
||||
sources:
|
||||
- useDefaultCAs: true
|
||||
- secret:
|
||||
name: "zitadel-root-certificate-ca-secret"
|
||||
key: "tls.crt"
|
||||
target:
|
||||
configMap:
|
||||
key: "trust-bundle.pem"
|
||||
---
|
||||
# Certificate for PostgreSQL
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: postgres-certificate
|
||||
namespace: default
|
||||
spec:
|
||||
duration: 8760h # 1 year
|
||||
renewBefore: 720h # 30 days
|
||||
commonName: "db-postgresql"
|
||||
dnsNames:
|
||||
- "postgres"
|
||||
- "db-postgresql"
|
||||
- "zitadel"
|
||||
secretName: postgres-cert
|
||||
privateKey:
|
||||
algorithm: RSA
|
||||
encoding: PKCS1
|
||||
size: 2048
|
||||
usages:
|
||||
- key encipherment
|
||||
- data encipherment
|
||||
issuerRef:
|
||||
name: zitadel-ca-issuer
|
||||
kind: Issuer
|
||||
|
||||
---
|
||||
# Certificate for Zitadel
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: zitadel-certificate
|
||||
namespace: default
|
||||
spec:
|
||||
duration: 8760h # 1 year
|
||||
renewBefore: 720h # 30 days
|
||||
commonName: "zitadel"
|
||||
dnsNames:
|
||||
- "postgres"
|
||||
- "db-postgresql"
|
||||
- "zitadel"
|
||||
secretName: zitadel-cert
|
||||
privateKey:
|
||||
algorithm: RSA
|
||||
encoding: PKCS1
|
||||
size: 2048
|
||||
usages:
|
||||
- key encipherment
|
||||
- data encipherment
|
||||
issuerRef:
|
||||
name: zitadel-ca-issuer
|
||||
kind: Issuer
|
||||
@@ -1,4 +1,3 @@
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
@@ -24,4 +23,4 @@ spec:
|
||||
port: 8080
|
||||
scheme: h2c
|
||||
passHostHeader: true
|
||||
tls: {}
|
||||
tls: {}
|
||||
|
||||
@@ -18,7 +18,7 @@ helmCharts:
|
||||
repo: https://charts.zitadel.com
|
||||
releaseName: zitadel
|
||||
namespace: generations-heritage
|
||||
version: 7.12.1
|
||||
version: 8.5.0
|
||||
valuesFile: ./values.yaml
|
||||
|
||||
patches:
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
zitadel:
|
||||
selfSignedCert:
|
||||
enabled: true
|
||||
masterkeySecretName: zitadel-masterkey
|
||||
configmapConfig:
|
||||
ExternalSecure: true
|
||||
ExternalDomain: zitadel.varghacsongor.hu
|
||||
ExternalPort: 443
|
||||
TLS:
|
||||
Enabled: false
|
||||
Database:
|
||||
Postgres:
|
||||
Host: db-postgresql
|
||||
@@ -24,16 +24,10 @@ zitadel:
|
||||
SSL:
|
||||
Mode: verify-full
|
||||
|
||||
dbSslCaCrtSecret: postgres-cert
|
||||
dbSslCaCrtSecret: zitadel-root-certificate-ca-secret
|
||||
dbSslAdminCrtSecret: postgres-cert
|
||||
dbSslUserCrtSecret: zitadel-cert
|
||||
|
||||
image:
|
||||
repository: ghcr.io/zitadel/zitadel
|
||||
pullPolicy: IfNotPresent
|
||||
# Overrides the image tag whose default is the chart appVersion.
|
||||
tag: "v2.51.0"
|
||||
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-wave: "5"
|
||||
argocd.argoproj.io/hook: Sync
|
||||
|
||||
@@ -1,117 +0,0 @@
|
||||
version: '3.8'
|
||||
|
||||
services:
|
||||
traefik:
|
||||
image: "traefik:v3.1"
|
||||
container_name: "traefik"
|
||||
command:
|
||||
#- "--log.level=DEBUG"
|
||||
- "--api.insecure=true"
|
||||
- "--providers.docker=true"
|
||||
- "--providers.docker.exposedbydefault=false"
|
||||
- "--entryPoints.web.address=:80"
|
||||
ports:
|
||||
- "1080:80"
|
||||
- "18080:8080"
|
||||
volumes:
|
||||
- "/var/run/docker.sock:/var/run/docker.sock:ro"
|
||||
|
||||
memgraph:
|
||||
image: memgraph/memgraph-mage:latest
|
||||
container_name: memgraph-mage
|
||||
ports:
|
||||
- "7687:7687"
|
||||
- "7444:7444"
|
||||
command: ["--log-level=TRACE"]
|
||||
|
||||
lab:
|
||||
image: memgraph/lab:latest
|
||||
container_name: memgraph-lab
|
||||
ports:
|
||||
- "3555:3000"
|
||||
depends_on:
|
||||
- memgraph
|
||||
environment:
|
||||
- 'QUICK_CONNECT_MG_HOST=memgraph'
|
||||
- 'QUICK_CONNECT_MG_PORT=7687'
|
||||
|
||||
gh-backend:
|
||||
image: vcscsvcscs/gheritage-backend-service:latest
|
||||
depends_on:
|
||||
- memgraph
|
||||
ports:
|
||||
- "8665:80"
|
||||
environment:
|
||||
- memgraph=bolt://memgraph:7687
|
||||
volumes:
|
||||
- /data/generations-heritage/postgresql/data:/var/lib/postgresql/data
|
||||
labels:
|
||||
- "traefik.enable=true"
|
||||
- "traefik.http.routers.gh-backend.rule=Host(`csaladbackend.varghacsongor.hu`)"
|
||||
- "traefik.http.routers.gh-backend.entrypoints=web"
|
||||
- "traefik.http.routers.gh-backend.middlewares=gh-auth-service"
|
||||
- "traefik.http.middlewares.gh-auth-service.forwardauth.address=https://gh-auth-service/auth/"
|
||||
- "traefik.http.middlewares.gh-auth-service.forwardauth.authResponseHeaders=id"
|
||||
- "traefik.http.middlewares.gh-auth-service.forwardauth.tls.insecureSkipVerify=true"
|
||||
|
||||
|
||||
gh-auth-service:
|
||||
image: vcscsvcscs/gheritage-auth-service:latest
|
||||
depends_on:
|
||||
- memgraph
|
||||
ports:
|
||||
- "8666:80"
|
||||
environment:
|
||||
- memgraph=bolt://memgraph:7687
|
||||
volumes:
|
||||
- /data/generations-heritage/postgresql/data:/var/lib/postgresql/data
|
||||
labels:
|
||||
- "traefik.http.middlewares.gh-auth-service.forwardauth.address=https://gh-auth-service/auth/"
|
||||
- "traefik.http.middlewares.gh-auth-service.forwardauth.authResponseHeaders=id"
|
||||
- "traefik.http.middlewares.gh-auth-service.forwardauth.tls.insecureSkipVerify=true"
|
||||
|
||||
zitadel:
|
||||
restart: 'always'
|
||||
networks:
|
||||
- 'zitadel'
|
||||
image: 'ghcr.io/zitadel/zitadel:latest'
|
||||
command: 'start-from-init --masterkey "${ZITADEL_MASTERKEY}" --tlsMode disabled'
|
||||
environment:
|
||||
- 'ZITADEL_DATABASE_POSTGRES_HOST=db'
|
||||
- 'ZITADEL_DATABASE_POSTGRES_PORT=5432'
|
||||
- 'ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel'
|
||||
- 'ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel'
|
||||
- 'ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel'
|
||||
- 'ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable'
|
||||
- 'ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=postgres'
|
||||
- 'ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=postgres'
|
||||
- 'ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable'
|
||||
- 'ZITADEL_EXTERNALSECURE=false'
|
||||
- 'ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_SMTP_HOST=${SMTP_HOST}'
|
||||
- 'ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_SMTP_USER=${SMTP_USER}'
|
||||
- 'ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_SMTP_PASSWORD=${SMTP_PASSWORD}'
|
||||
depends_on:
|
||||
db:
|
||||
condition: 'service_healthy'
|
||||
ports:
|
||||
- '8089:8080'
|
||||
|
||||
db:
|
||||
restart: 'always'
|
||||
image: postgres:16-alpine
|
||||
environment:
|
||||
- POSTGRES_USER=postgres
|
||||
- POSTGRES_PASSWORD=postgres
|
||||
- POSTGRES_DB=zitadel
|
||||
networks:
|
||||
- 'zitadel'
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready", "-d", "zitadel", "-U", "postgres"]
|
||||
interval: '10s'
|
||||
timeout: '30s'
|
||||
retries: 5
|
||||
start_period: '20s'
|
||||
|
||||
networks:
|
||||
zitadel:
|
||||
driver: bridge
|
||||
@@ -4,8 +4,9 @@ namespace: argocd
|
||||
|
||||
resources:
|
||||
- ./deployment/cert-issuer.yaml
|
||||
- ./deployment/server-transport.yaml
|
||||
- ./deployment/project-argo.yaml
|
||||
- ./deployment/auth-service-argo.yaml
|
||||
- ./deployment/memgraph-argo.yaml
|
||||
- ./deployment/backend-argo.yaml
|
||||
- ./deployment/zitadel-argo.yaml
|
||||
- ./deployment/memgraph-argo.yaml
|
||||
- ./deployment/auth-service-argo.yaml
|
||||
- ./deployment/backend-argo.yaml
|
||||
|
||||
Reference in New Issue
Block a user