vcscsvcscs/GenerationsHeritage
1
0
Fork 0
mirror of https://github.com/vcscsvcscs/GenerationsHeritage.git synced 2025-08-13 22:39:06 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add zitadel values file template from example

Browse Source
This commit is contained in:
Vargha Csongor
2024-03-10 20:52:05 +01:00
parent 3c47578809
commit bb7370ae33
6 changed files with 196 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

126
deployment/certs-job.yaml Normal file
View File

@@ -0,0 +1,126 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: certs-creator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: secret-creator
rules:
- apiGroups: [ "" ]
resources: [ "secrets" ]
verbs: [ "create", "patch" ]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: certs-creator
subjects:
- kind: ServiceAccount
name: certs-creator
roleRef:
kind: Role
name: secret-creator
apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1
kind: Job
metadata:
name: create-certs
spec:
template:
spec:
restartPolicy: OnFailure
serviceAccountName: certs-creator
containers:
- command:
- /usr/local/bin/bash
- -ecx
- |
apk add openssl curl
export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt
function createKey() {
USER=$1
openssl genrsa -out ${USER}.key 2048
echo "created ${USER}.key"
}
function createSigningRequest() {
USER=$1
openssl req -new -key ${USER}.key -extensions 'v3_req' -out ${USER}.csr -config <(generateServerConfig)
echo "created ${USER}.csr"
}
function generateServerConfig() {
cat<<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = db-postgresql
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:postgres,DNS:zitadel,DNS:db-postgresql
EOF
}
function signCertificate() {
INCSR=$1 OUTCRT=$2 CA_CRT=$3 CA_KEY=$4
openssl x509 -req -in $INCSR -CA $CA_CRT -CAkey $CA_KEY -CAcreateserial -days 365 -out $OUTCRT -extensions v3_req -extfile <(generateServerConfig)
}
function secretJson {
USER=$1
cat<<EOF
{
"apiVersion": "v1",
"kind": "Secret",
"data": {
"ca.crt": "$(base64 -w 0 ./ca.crt)",
"tls.crt": "$(base64 -w 0 ./${USER}.crt)",
"tls.key": "$(base64 -w 0 ./${USER}.key)"
},
"metadata": {
"name": "${USER}-cert"
},
"type": "kubernetes.io/tls"
}
EOF
}
function createCertSecret {
USER=$1
echo "CACERT value: ${CACERT}"
echo "TOKEN value: ${TOKEN}"
echo "APISERVER value: ${APISERVER}"
echo "NAMESPACE value: ${NAMESPACE}"
curl \
--cacert ${CACERT} \
--header "Authorization: Bearer ${TOKEN}" \
--header "Content-Type: application/json" \
-X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
--data "$(echo -n $(secretJson ${USER}) | tr -d '\n')"
}
# Create a CA key and cert for signing other certs
createKey ca
openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=My Custom CA"
createKey postgres
createSigningRequest postgres
signCertificate postgres.csr postgres.crt ca.crt ca.key
createCertSecret postgres
createKey zitadel
createSigningRequest zitadel
signCertificate zitadel.csr zitadel.crt ca.crt ca.key
createCertSecret zitadel
image: bash:5.2.15
imagePullPolicy: IfNotPresent
name: create-certs

35
deployment/zitadel_values.yaml Normal file
View File

@@ -0,0 +1,35 @@
zitadel:
masterkey: x123456789012345678901234567891y
configmapConfig:
ExternalSecure: false
ExternalDomain: 127.0.0.1.sslip.io
TLS:
Enabled: false
Database:
Postgres:
Host: db-postgresql
Port: 5432
Database: zitadel
MaxOpenConns: 20
MaxIdleConns: 10
MaxConnLifetime: 30m
MaxConnIdleTime: 5m
User:
Username: zitadel
SSL:
Mode: verify-full
Admin:
Username: postgres
SSL:
Mode: verify-full
secretConfig:
Database:
Postgres:
User:
Password: xyz
Admin:
Password: abc
dbSslCaCrtSecret: postgres-cert
dbSslAdminCrtSecret: postgres-cert
dbSslUserCrtSecret: zitadel-cert