fixup deployment

2025-08-14 06:49:05 +02:00 · 2024-10-27 12:03:29 +01:00
parent 6ee87d059e
commit b745b49d9b
12 changed files with 129 additions and 323 deletions
--- a/deployment/backend/ingressRoute.yaml
+++ b/deployment/backend/ingressRoute.yaml
@@ -1,4 +1,3 @@
---
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
@@ -16,15 +15,3 @@ spec:
          port: 443
          scheme: https
          serversTransport: gh-backend
-  tls: {}
---
-apiVersion: traefik.containo.us/v1alpha1
-kind: ServersTransport
-metadata:
-  name: gh-backend
-  annotations:
-    argocd.argoproj.io/hook: PostSync
-spec:
-    insecureSkipVerify: true
-    rootCAsSecrets:
-    - gh-backend-tls
--- a/deployment/memgraph/kustomization.yaml
+++ b/deployment/memgraph/kustomization.yaml
@@ -10,7 +10,7 @@ helmCharts:
    repo: https://memgraph.github.io/helm-charts
    releaseName: memgraph
    namespace: generations-heritage
-    version: 0.1.1
+    version: 0.1.6
    valuesFile: ./values.yaml

 patches:
--- a/deployment/memgraph/secrets.yaml
+++ b/deployment/memgraph/secrets.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: memgraph-secrets
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+  labels:
+    secret-generator.cs.sap.com/enabled: "true"
+stringData:
+  USER: "%generate"
+  PASSWORD: "%generate"
--- a/deployment/memgraph/values.yaml
+++ b/deployment/memgraph/values.yaml
@@ -1,7 +1,5 @@
 image:
  repository: memgraph/memgraph
-  # Overrides the image tag whose default is v{{ .Chart.AppVersion }}
-  tag: ""
  pullPolicy: IfNotPresent

 replicaCount: 1
@@ -11,7 +9,6 @@ service:
  port: 7687
  targetPort: 7687
  protocol: TCP
-  annotations: {}

 persistentVolumeClaim:
  storagePVC: true
@@ -24,29 +21,8 @@ memgraphConfig:
  - "--bolt-cert-file=/etc/memgraph/ssl/tls.crt"
  - "--bolt-key-file=/etc/memgraph/ssl/tls.key"

-# Annotations to add to the statefulSet
-statefulSetAnnotations: {}
-# Annotations to add to the Pod
-podAnnotations: {}
-
-resources:
-  {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
-
-serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
-  # Annotations to add to the service account
-  annotations: {}
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name: ""
+secrets:
+  enabled: false
+  name: memgraph-secrets
+  userKey: USER
+  passwordKey: PASSWORD
--- a/deployment/server-transport.yaml
+++ b/deployment/server-transport.yaml
@@ -0,0 +1,6 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: server-transport
+spec:
+  insecureSkipVerify: true
--- a/deployment/zitadel/cert-job.yaml
+++ b/deployment/zitadel/cert-job.yaml
@@ -1,148 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: certs-creator
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: secret-creator
-rules:
-  - apiGroups: [ "" ]
-    resources: [ "secrets" ]
-    verbs: [ "create", "patch" ]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: certs-creator
-subjects:
-  - kind: ServiceAccount
-    name:  certs-creator
-roleRef:
-  kind: Role
-  name: secret-creator
-  apiGroup: rbac.authorization.k8s.io
---
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: create-certs
-spec:
-  template:
-    spec:
-      restartPolicy: OnFailure
-      serviceAccountName: certs-creator
-      initContainers:
-      - command:
-          - /bin/ash
-          - -c
-          - |
-            function createKey() {
-              USER=$1
-              openssl genrsa -out ${USER}.key 2048
-              echo "created ${USER}.key"
-            }
-
-            function createSigningRequest() {
-              USER=$1
-              openssl req -new -key ${USER}.key -extensions 'v3_req' -out ${USER}.csr -config <(generateServerConfig)
-              echo "created ${USER}.csr"
-            }
-
-            function generateServerConfig() {
-              cat<<EOF
-              [req]
-              distinguished_name = req_distinguished_name
-              x509_extensions = v3_req
-              prompt = no
-              [req_distinguished_name]
-              CN = db-postgresql
-              [v3_req]
-              keyUsage = keyEncipherment, dataEncipherment
-              extendedKeyUsage = serverAuth
-              subjectAltName = DNS:postgres,DNS:zitadel,DNS:db-postgresql
-            EOF
-            }
-
-            function signCertificate() {
-              INCSR=$1 OUTCRT=$2 CA_CRT=$3 CA_KEY=$4
-              openssl x509 -req -in $INCSR -CA $CA_CRT -CAkey $CA_KEY -CAcreateserial -days 365 -out $OUTCRT -extensions v3_req -extfile <(generateServerConfig)
-            }
-
-            function secretJson {
-              USER=$1
-              cat<<EOF
-              {
-                "apiVersion": "v1",
-                "kind": "Secret",
-                "data": {
-                  "ca.crt": "$(base64 -w 0 ./ca.crt)",
-                  "tls.crt": "$(base64 -w 0 ./${USER}.crt)",
-                  "tls.key": "$(base64 -w 0 ./${USER}.key)"
-                },
-                "metadata": {
-                  "name": "${USER}-cert"
-                },
-                "type": "kubernetes.io/tls"
-              }
-            EOF
-            }
-
-            function createCertSecret {
-              USER=$1
-              secretJson ${USER} >> ${USER}-cert.json
-            }
-
-            cd /secret
-
-            # Create a CA key and cert for signing other certs
-            createKey ca
-            openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=My Custom CA"
-
-            createKey postgres
-            createSigningRequest postgres
-            signCertificate postgres.csr postgres.crt ca.crt ca.key
-            createCertSecret postgres
-
-            createKey zitadel
-            createSigningRequest zitadel
-            signCertificate zitadel.csr zitadel.crt ca.crt ca.key
-            createCertSecret zitadel
-        image: alpine/openssl
-        imagePullPolicy: IfNotPresent
-        name: create-certs
-        volumeMounts:
-          - mountPath: /secret
-            name: secret
-      containers:
-      - image: alpine/curl
-        name: apply-certs
-        imagePullPolicy: IfNotPresent
-        command:
-          - /bin/ash
-          - -c
-          - |
-            export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
-            export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt
-
-            function uploadSecret {
-              USER=$1
-              curl \
-                --cacert ${CACERT} \
-                --header "Authorization: Bearer ${TOKEN}" \
-                --header "Content-Type: application/json" \
-                -X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
-                --data "$(tr -d '\n' < /secret/${USER}-cert.json)" \
-                > /dev/null || echo "error uploading ${USER} secret: $?"
-            }
-        
-            uploadSecret postgres
-            uploadSecret zitadel
-        volumeMounts:
-          - mountPath: /secret
-            name: secret
-      volumes:
-        - name: secret
-          emptyDir:
-            medium: Memory
--- a/deployment/zitadel/certificate.yaml
+++ b/deployment/zitadel/certificate.yaml
@@ -0,0 +1,97 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: trust-manager-selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: zitadel-root-certificate
+spec:
+  isCA: true
+  commonName: zitadel-root-certificate-ca
+  secretName: zitadel-root-certificate-ca-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: trust-manager-selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: zitadel-ca-issuer
+spec:
+  ca:
+    secretName: zitadel-root-certificate-ca-secret
+---
+apiVersion: trust.cert-manager.io/v1alpha1
+kind: Bundle
+metadata:
+  name: in-cluster-trust-bundle
+spec:
+  sources:
+  - useDefaultCAs: true
+  - secret:
+      name: "zitadel-root-certificate-ca-secret"
+      key: "tls.crt"
+  target:
+    configMap:
+      key: "trust-bundle.pem"
+---
+# Certificate for PostgreSQL
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-certificate
+  namespace: default
+spec:
+  duration: 8760h # 1 year
+  renewBefore: 720h # 30 days
+  commonName: "db-postgresql"
+  dnsNames:
+    - "postgres"
+    - "db-postgresql"
+    - "zitadel"
+  secretName: postgres-cert
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+    - key encipherment
+    - data encipherment
+  issuerRef:
+    name: zitadel-ca-issuer
+    kind: Issuer
+
+---
+# Certificate for Zitadel
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: zitadel-certificate
+  namespace: default
+spec:
+  duration: 8760h # 1 year
+  renewBefore: 720h # 30 days
+  commonName: "zitadel"
+  dnsNames:
+    - "postgres"
+    - "db-postgresql"
+    - "zitadel"
+  secretName: zitadel-cert
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+    - key encipherment
+    - data encipherment
+  issuerRef:
+    name: zitadel-ca-issuer
+    kind: Issuer
--- a/deployment/zitadel/ingressRoute.yaml
+++ b/deployment/zitadel/ingressRoute.yaml
@@ -1,4 +1,3 @@
---
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
@@ -24,4 +23,4 @@ spec:
          port: 8080
          scheme: h2c
          passHostHeader: true
-  tls: {}
+  tls: {}
--- a/deployment/zitadel/kustomization.yaml
+++ b/deployment/zitadel/kustomization.yaml
@@ -18,7 +18,7 @@ helmCharts:
    repo: https://charts.zitadel.com
    releaseName: zitadel
    namespace: generations-heritage
-    version: 7.12.1
+    version: 8.5.0
    valuesFile: ./values.yaml

 patches:
--- a/deployment/zitadel/values.yaml
+++ b/deployment/zitadel/values.yaml
@@ -1,11 +1,11 @@
 zitadel:
+  selfSignedCert:
+    enabled: true
  masterkeySecretName: zitadel-masterkey
  configmapConfig:
    ExternalSecure: true
    ExternalDomain: zitadel.varghacsongor.hu
    ExternalPort: 443
-    TLS:
-      Enabled: false
    Database:
      Postgres:
        Host: db-postgresql
@@ -24,16 +24,10 @@ zitadel:
          SSL:
            Mode: verify-full

-  dbSslCaCrtSecret: postgres-cert
+  dbSslCaCrtSecret: zitadel-root-certificate-ca-secret
  dbSslAdminCrtSecret: postgres-cert
  dbSslUserCrtSecret: zitadel-cert

-image:
-  repository: ghcr.io/zitadel/zitadel
-  pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
-  tag: "v2.51.0"
-
 annotations:
  argocd.argoproj.io/sync-wave: "5"
  argocd.argoproj.io/hook: Sync