diff --git a/deployment/backend/ingressRoute.yaml b/deployment/backend/ingressRoute.yaml index 87ee565..c2cb2d2 100644 --- a/deployment/backend/ingressRoute.yaml +++ b/deployment/backend/ingressRoute.yaml @@ -1,4 +1,3 @@ ---- apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: @@ -16,15 +15,3 @@ spec: port: 443 scheme: https serversTransport: gh-backend - tls: {} ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: ServersTransport -metadata: - name: gh-backend - annotations: - argocd.argoproj.io/hook: PostSync -spec: - insecureSkipVerify: true - rootCAsSecrets: - - gh-backend-tls \ No newline at end of file diff --git a/deployment/memgraph/kustomization.yaml b/deployment/memgraph/kustomization.yaml index 051d667..78b40ca 100644 --- a/deployment/memgraph/kustomization.yaml +++ b/deployment/memgraph/kustomization.yaml @@ -10,7 +10,7 @@ helmCharts: repo: https://memgraph.github.io/helm-charts releaseName: memgraph namespace: generations-heritage - version: 0.1.1 + version: 0.1.6 valuesFile: ./values.yaml patches: diff --git a/deployment/memgraph/secrets.yaml b/deployment/memgraph/secrets.yaml new file mode 100644 index 0000000..54b1740 --- /dev/null +++ b/deployment/memgraph/secrets.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Secret +metadata: + name: memgraph-secrets + annotations: + argocd.argoproj.io/hook: PreSync + labels: + secret-generator.cs.sap.com/enabled: "true" +stringData: + USER: "%generate" + PASSWORD: "%generate" \ No newline at end of file diff --git a/deployment/memgraph/values.yaml b/deployment/memgraph/values.yaml index 2d39dba..7a4e21f 100644 --- a/deployment/memgraph/values.yaml +++ b/deployment/memgraph/values.yaml @@ -1,7 +1,5 @@ image: repository: memgraph/memgraph - # Overrides the image tag whose default is v{{ .Chart.AppVersion }} - tag: "" pullPolicy: IfNotPresent replicaCount: 1 @@ -11,7 +9,6 @@ service: port: 7687 targetPort: 7687 protocol: TCP - annotations: {} persistentVolumeClaim: storagePVC: true 
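Review bot: The route keeps `serversTransport: gh-backend` (context line) while this hunk deletes the only `ServersTransport` named `gh-backend`, so the reference now dangles unless that object is defined somewhere outside this diff. The replacement `server-transport` added by this commit is listed in the root kustomization under `namespace: argocd`, so if it is meant to be the substitute the route presumably needs Traefik's cross-namespace reference form (and `allowCrossNamespace` enabled) or the object has to live in the route's own namespace. Dropping `tls: {}` also removes TLS from this router; unless the entrypoint redirects or enforces TLS elsewhere, the backend becomes reachable over plain HTTP, so a comment stating where TLS termination now happens would help. The IngressRoute spec starts before this hunk.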
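Review bot: `memgraph-secrets` is a named PreSync hook with no `argocd.argoproj.io/hook-delete-policy`, and its `stringData` is the placeholder `%generate`; whether Argo CD re-applies the hook on later syncs and whether the SAP secret-generator preserves already-generated values together decide whether the password stays stable or rotates on each sync and drifts from what memgraph has persisted. I cannot tell from here which behaviour applies; if values are not preserved, a plain resource with a `sync-wave` annotation instead of a hook avoids the churn. Generating `USER` as well as `PASSWORD` is unusual enough to deserve a comment naming the consumers that read both keys from this Secret.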
@@ -24,29 +21,8 @@ memgraphConfig: - "--bolt-cert-file=/etc/memgraph/ssl/tls.crt" - "--bolt-key-file=/etc/memgraph/ssl/tls.key" -# Annotations to add to the statefulSet -statefulSetAnnotations: {} -# Annotations to add to the Pod -podAnnotations: {} - -resources: - {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" \ No newline at end of file +secrets: + enabled: false + name: memgraph-secrets + userKey: USER + passwordKey: PASSWORD \ No newline at end of file diff --git a/deployment/server-transport.yaml b/deployment/server-transport.yaml new file mode 100644 index 0000000..bb3ca3a --- /dev/null +++ b/deployment/server-transport.yaml @@ -0,0 +1,6 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: ServersTransport +metadata: + name: server-transport +spec: + insecureSkipVerify: true diff --git a/deployment/zitadel/cert-job.yaml b/deployment/zitadel/cert-job.yaml deleted file mode 100644 index b535362..0000000 --- a/deployment/zitadel/cert-job.yaml +++ /dev/null 
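Review bot: `secrets.enabled: false` means the `memgraph-secrets` Secret this commit generates is presumably never injected (if the chart gates credential injection on this flag), so the database keeps its default authentication while Bolt on 7687 is exposed through the service, TLS or not. If the intent is to use the generated credentials this should be `enabled: true`; if auth is deliberately deferred, add `# auth intentionally disabled until clients read memgraph-secrets` so the flag is not mistaken for a finished setup. The hunk also drops the `resources` and `serviceAccount` stanzas, so chart defaults apply, and since the chart is bumped to 0.1.6 in this same commit those defaults may differ from 0.1.1; worth checking the rendered output.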
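Review bot: `insecureSkipVerify: true` with no `rootCAsSecrets` disables upstream certificate verification for every router that uses `server-transport`, so anything able to answer on the upstream's address can impersonate it to Traefik; the `gh-backend` transport it replaces at least listed a CA. This commit also introduces a cert-manager CA (`zitadel-root-certificate-ca-secret`), so the transport could pin it instead: `rootCAsSecrets: [zitadel-root-certificate-ca-secret]` plus `serverName:` matching the upstream's SAN, and drop `insecureSkipVerify`. Note the root kustomization places this object in `namespace: argocd`, and the secret named in `rootCAsSecrets` has to be in the same namespace as the ServersTransport, so the CA may need a copy or a trust-manager target there. If verification must stay off for now, say why in a comment, e.g. `# TODO: upstream cert is not issued by the cluster CA yet; pin rootCAsSecrets once it is`.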
@@ -1,148 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: certs-creator ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: secret-creator -rules: - - apiGroups: [ "" ] - resources: [ "secrets" ] - verbs: [ "create", "patch" ] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: certs-creator -subjects: - - kind: ServiceAccount - name: certs-creator -roleRef: - kind: Role - name: secret-creator - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: create-certs -spec: - template: - spec: - restartPolicy: OnFailure - serviceAccountName: certs-creator - initContainers: - - command: - - /bin/ash - - -c - - | - function createKey() { - USER=$1 - openssl genrsa -out ${USER}.key 2048 - echo "created ${USER}.key" - } - - function createSigningRequest() { - USER=$1 - openssl req -new -key ${USER}.key -extensions 'v3_req' -out ${USER}.csr -config <(generateServerConfig) - echo "created ${USER}.csr" - } - - function generateServerConfig() { - cat<> ${USER}-cert.json - } - - cd /secret - - # Create a CA key and cert for signing other certs - createKey ca - openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=My Custom CA" - - createKey postgres - createSigningRequest postgres - signCertificate postgres.csr postgres.crt ca.crt ca.key - createCertSecret postgres - - createKey zitadel - createSigningRequest zitadel - signCertificate zitadel.csr zitadel.crt ca.crt ca.key - createCertSecret zitadel - image: alpine/openssl - imagePullPolicy: IfNotPresent - name: create-certs - volumeMounts: - - mountPath: /secret - name: secret - containers: - - image: alpine/curl - name: apply-certs - imagePullPolicy: IfNotPresent - command: - - /bin/ash - - -c - - | - export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount - export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat 
${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt - - function uploadSecret { - USER=$1 - curl \ - --cacert ${CACERT} \ - --header "Authorization: Bearer ${TOKEN}" \ - --header "Content-Type: application/json" \ - -X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \ - --data "$(tr -d '\n' < /secret/${USER}-cert.json)" \ - > /dev/null || echo "error uploading ${USER} secret: $?" - } - - uploadSecret postgres - uploadSecret zitadel - volumeMounts: - - mountPath: /secret - name: secret - volumes: - - name: secret - emptyDir: - medium: Memory \ No newline at end of file diff --git a/deployment/zitadel/certificate.yaml b/deployment/zitadel/certificate.yaml new file mode 100644 index 0000000..0650f31 --- /dev/null +++ b/deployment/zitadel/certificate.yaml 
@@ -0,0 +1,97 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: trust-manager-selfsigned-issuer +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: zitadel-root-certificate +spec: + isCA: true + commonName: zitadel-root-certificate-ca + secretName: zitadel-root-certificate-ca-secret + privateKey: + algorithm: ECDSA + size: 256 + issuerRef: + name: trust-manager-selfsigned-issuer + kind: Issuer + group: cert-manager.io +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: zitadel-ca-issuer +spec: + ca: + secretName: zitadel-root-certificate-ca-secret +--- +apiVersion: trust.cert-manager.io/v1alpha1 +kind: Bundle +metadata: + name: in-cluster-trust-bundle +spec: + sources: + - useDefaultCAs: true + - secret: + name: "zitadel-root-certificate-ca-secret" + key: "tls.crt" + target: + configMap: + key: "trust-bundle.pem" +--- +# Certificate for PostgreSQL +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: postgres-certificate + namespace: default +spec: + duration: 8760h # 1 year + renewBefore: 720h # 30 days + commonName: "db-postgresql" + dnsNames: + - "postgres" + - "db-postgresql" + - "zitadel" + secretName: postgres-cert + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - key encipherment + - data encipherment + issuerRef: + name: zitadel-ca-issuer + kind: Issuer + +--- +# Certificate for Zitadel +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: zitadel-certificate + namespace: default +spec: + duration: 8760h # 1 year + renewBefore: 720h # 30 days + commonName: "zitadel" + dnsNames: + - "postgres" + - "db-postgresql" + - "zitadel" + secretName: zitadel-cert + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 2048 + usages: + - key encipherment + - data encipherment + issuerRef: + name: zitadel-ca-issuer + kind: Issuer \ No newline at end of file 
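Review bot: Both leaf certificates restrict `usages` to `key encipherment` and `data encipherment`, with no `digital signature` and no `server auth`/`client auth`; TLS 1.3 peers authenticate by signing, so a certificate whose key usage lacks `digitalSignature` can be refused by OpenSSL-based peers such as PostgreSQL, and the missing EKU may be rejected by stricter verifiers. I would set `usages: [digital signature, key encipherment, server auth]` on `postgres-certificate` and `[digital signature, key encipherment, client auth]` on `zitadel-certificate`. The two certificates also carry identical `dnsNames` (`postgres`, `db-postgresql`, `zitadel`), so the Zitadel client certificate is equally valid as the database server's certificate and vice versa; each should list only its own names. The two leaf `Certificate`s pin `namespace: default` while the issuers carry none — unless kustomize overrides it, a `Certificate` in `default` cannot reach a namespaced `Issuer` elsewhere, so a comment stating the intended namespace would help.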
diff --git a/deployment/zitadel/ingressRoute.yaml b/deployment/zitadel/ingressRoute.yaml index 715cf9f..988e2e9 100644 --- a/deployment/zitadel/ingressRoute.yaml +++ b/deployment/zitadel/ingressRoute.yaml @@ -1,4 +1,3 @@ ---- apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: @@ -24,4 +23,4 @@ spec: port: 8080 scheme: h2c passHostHeader: true - tls: {} \ No newline at end of file + tls: {} diff --git a/deployment/zitadel/kustomization.yaml b/deployment/zitadel/kustomization.yaml index 4938e35..7e7f6fc 100644 --- a/deployment/zitadel/kustomization.yaml +++ b/deployment/zitadel/kustomization.yaml @@ -18,7 +18,7 @@ helmCharts: repo: https://charts.zitadel.com releaseName: zitadel namespace: generations-heritage - version: 7.12.1 + version: 8.5.0 valuesFile: ./values.yaml patches: diff --git a/deployment/zitadel/values.yaml b/deployment/zitadel/values.yaml index 4969b8f..8aba22b 100644 --- a/deployment/zitadel/values.yaml +++ b/deployment/zitadel/values.yaml @@ -1,11 +1,11 @@ zitadel: + selfSignedCert: + enabled: true masterkeySecretName: zitadel-masterkey configmapConfig: ExternalSecure: true ExternalDomain: zitadel.varghacsongor.hu ExternalPort: 443 - TLS: - Enabled: false Database: Postgres: Host: db-postgresql @@ -24,16 +24,10 @@ zitadel: SSL: Mode: verify-full - dbSslCaCrtSecret: postgres-cert + dbSslCaCrtSecret: zitadel-root-certificate-ca-secret dbSslAdminCrtSecret: postgres-cert dbSslUserCrtSecret: zitadel-cert -image: - repository: ghcr.io/zitadel/zitadel - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "v2.51.0" - annotations: argocd.argoproj.io/sync-wave: "5" argocd.argoproj.io/hook: Sync diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml deleted file mode 100644 index d9b7132..0000000 --- a/docker/docker-compose.yaml +++ /dev/null 
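Review bot: Enabling `selfSignedCert` while removing `TLS: Enabled: false` presumably makes Zitadel terminate TLS on its own pod port, yet the `zitadel/ingressRoute.yaml` hunk in this same diff still routes with `scheme: h2c` to port 8080, which is cleartext HTTP/2; if the chart really switches the listener to TLS, that route breaks until it becomes `scheme: https` with a ServersTransport that trusts the pod certificate, which with a self-signed cert currently means the `insecureSkipVerify` transport. Since Traefik already terminates TLS at the edge and this commit creates `zitadel-ca-issuer`, issuing the pod certificate from that issuer instead of the chart's self-signed one would let Traefik verify it properly. Switching `dbSslCaCrtSecret` to the CA secret is the right fix for `verify-full`. Dropping the pinned `image.tag` means the image now follows the chart's appVersion, still pinned by `version: 8.5.0`, so a comment noting that the chart bump controls the Zitadel version would avoid surprises on the next chart update.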
@@ -1,117 +0,0 @@ -version: '3.8' - -services: - traefik: - image: "traefik:v3.1" - container_name: "traefik" - command: - #- "--log.level=DEBUG" - - "--api.insecure=true" - - "--providers.docker=true" - - "--providers.docker.exposedbydefault=false" - - "--entryPoints.web.address=:80" - ports: - - "1080:80" - - "18080:8080" - volumes: - - "/var/run/docker.sock:/var/run/docker.sock:ro" - - memgraph: - image: memgraph/memgraph-mage:latest - container_name: memgraph-mage - ports: - - "7687:7687" - - "7444:7444" - command: ["--log-level=TRACE"] - - lab: - image: memgraph/lab:latest - container_name: memgraph-lab - ports: - - "3555:3000" - depends_on: - - memgraph - environment: - - 'QUICK_CONNECT_MG_HOST=memgraph' - - 'QUICK_CONNECT_MG_PORT=7687' - - gh-backend: - image: vcscsvcscs/gheritage-backend-service:latest - depends_on: - - memgraph - ports: - - "8665:80" - environment: - - memgraph=bolt://memgraph:7687 - volumes: - - /data/generations-heritage/postgresql/data:/var/lib/postgresql/data - labels: - - "traefik.enable=true" - - "traefik.http.routers.gh-backend.rule=Host(`csaladbackend.varghacsongor.hu`)" - - "traefik.http.routers.gh-backend.entrypoints=web" - - "traefik.http.routers.gh-backend.middlewares=gh-auth-service" - - "traefik.http.middlewares.gh-auth-service.forwardauth.address=https://gh-auth-service/auth/" - - "traefik.http.middlewares.gh-auth-service.forwardauth.authResponseHeaders=id" - - "traefik.http.middlewares.gh-auth-service.forwardauth.tls.insecureSkipVerify=true" - - - gh-auth-service: - image: vcscsvcscs/gheritage-auth-service:latest - depends_on: - - memgraph - ports: - - "8666:80" - environment: - - memgraph=bolt://memgraph:7687 - volumes: - - /data/generations-heritage/postgresql/data:/var/lib/postgresql/data - labels: - - "traefik.http.middlewares.gh-auth-service.forwardauth.address=https://gh-auth-service/auth/" - - "traefik.http.middlewares.gh-auth-service.forwardauth.authResponseHeaders=id" - - 
"traefik.http.middlewares.gh-auth-service.forwardauth.tls.insecureSkipVerify=true" - - zitadel: - restart: 'always' - networks: - - 'zitadel' - image: 'ghcr.io/zitadel/zitadel:latest' - command: 'start-from-init --masterkey "${ZITADEL_MASTERKEY}" --tlsMode disabled' - environment: - - 'ZITADEL_DATABASE_POSTGRES_HOST=db' - - 'ZITADEL_DATABASE_POSTGRES_PORT=5432' - - 'ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel' - - 'ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel' - - 'ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel' - - 'ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable' - - 'ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=postgres' - - 'ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=postgres' - - 'ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable' - - 'ZITADEL_EXTERNALSECURE=false' - - 'ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_SMTP_HOST=${SMTP_HOST}' - - 'ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_SMTP_USER=${SMTP_USER}' - - 'ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_SMTP_PASSWORD=${SMTP_PASSWORD}' - depends_on: - db: - condition: 'service_healthy' - ports: - - '8089:8080' - - db: - restart: 'always' - image: postgres:16-alpine - environment: - - POSTGRES_USER=postgres - - POSTGRES_PASSWORD=postgres - - POSTGRES_DB=zitadel - networks: - - 'zitadel' - healthcheck: - test: ["CMD-SHELL", "pg_isready", "-d", "zitadel", "-U", "postgres"] - interval: '10s' - timeout: '30s' - retries: 5 - start_period: '20s' - -networks: - zitadel: - driver: bridge \ No newline at end of file diff --git a/kustomization.yaml b/kustomization.yaml index 98ecf79..50814fd 100644 --- a/kustomization.yaml +++ b/kustomization.yaml 
@@ -4,8 +4,9 @@ namespace: argocd resources: - ./deployment/cert-issuer.yaml + - ./deployment/server-transport.yaml - ./deployment/project-argo.yaml - - ./deployment/auth-service-argo.yaml - - ./deployment/memgraph-argo.yaml - - ./deployment/backend-argo.yaml - ./deployment/zitadel-argo.yaml + - ./deployment/memgraph-argo.yaml + - ./deployment/auth-service-argo.yaml + - ./deployment/backend-argo.yaml