Switch Zitadel to CockroachDB
104
deployment/zitadel/cert-job.yaml
Normal file
@@ -0,0 +1,104 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: zitadel-cert-creator
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: secret-creator
|
||||
rules:
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "secrets" ]
|
||||
verbs: [ "create" ]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: zitadel-cert-creator
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: zitadel-cert-creator
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: secret-creator
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: create-zitadel-cert
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
serviceAccountName: zitadel-cert-creator
|
||||
containers:
|
||||
- command:
|
||||
- /bin/bash
|
||||
- -ecx
|
||||
- |
|
||||
cockroach cert create-client \
|
||||
--certs-dir /cockroach/cockroach-certs \
|
||||
--ca-key /cockroach/cockroach-certs/ca.key \
|
||||
--lifetime 8760h \
|
||||
zitadel
|
||||
export SECRET=$(cat <<EOF
|
||||
{
|
||||
"apiVersion": "v1",
|
||||
"kind": "Secret",
|
||||
"data": {
|
||||
"ca.crt": "$(base64 /cockroach/cockroach-certs/ca.crt --wrap 0)",
|
||||
"tls.crt": "$(base64 /cockroach/cockroach-certs/client.zitadel.crt --wrap 0)",
|
||||
"tls.key": "$(base64 /cockroach/cockroach-certs/client.zitadel.key --wrap 0)"
|
||||
},
|
||||
"metadata": {
|
||||
"name": "db-cockroachdb-zitadel-secret"
|
||||
},
|
||||
"type": "kubernetes.io/tls"
|
||||
}
|
||||
EOF
|
||||
)
|
||||
export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
|
||||
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt
|
||||
curl \
|
||||
--cacert ${CACERT} \
|
||||
--header "Authorization: Bearer ${TOKEN}" \
|
||||
--header "Content-Type: application/json" \
|
||||
-X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
|
||||
--data "$(echo -n $SECRET | tr -d '\n')"
|
||||
image: cockroachdb/cockroach:v23.1.8
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: create-zitadel-cert
|
||||
volumeMounts:
|
||||
- mountPath: /cockroach/cockroach-certs/
|
||||
name: certs
|
||||
initContainers:
|
||||
- command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- cp -f /certs/* /cockroach-certs/; chmod 0400 /cockroach-certs/*.key
|
||||
image: busybox
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: copy-certs
|
||||
volumeMounts:
|
||||
- mountPath: /cockroach-certs/
|
||||
name: certs
|
||||
- mountPath: /certs/
|
||||
name: certs-secret
|
||||
volumes:
|
||||
- emptyDir: {}
|
||||
name: certs
|
||||
- name: certs-secret
|
||||
projected:
|
||||
defaultMode: 420
|
||||
sources:
|
||||
- secret:
|
||||
items:
|
||||
- key: ca.crt
|
||||
mode: 256
|
||||
path: ca.crt
|
||||
- key: ca.key
|
||||
mode: 256
|
||||
path: ca.key
|
||||
name: db-cockroachdb-ca-secret
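Review bot: The main container runs `/bin/bash -ecx`, so bash traces every expanded command to the pod log, including `--header "Authorization: Bearer ${TOKEN}"` and `--data` with the full `$SECRET` JSON, which means the service-account token and the base64 client private key land in Job logs readable by anyone with pods/log access; change `- -ecx` to `- -ec` (or `set +x` before the curl). The curl call has no `--fail`, so a 403 or a 409 from the API server (the Role grants only `create`, so a re-run against an existing secret returns 409) is merely printed and the Job still exits 0 with the secret unchanged; add `--fail \` to the curl invocation so `restartPolicy: OnFailure` reflects the real outcome. The init container's `image: busybox` is untagged while the main container is pinned to `cockroachdb/cockroach:v23.1.8`; pin a tag or digest there too. Note also that `--lifetime 8760h` mints a one-year client certificate and nothing in this Job renews it.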
|
@@ -1,126 +0,0 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: certs-creator
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: secret-creator
|
||||
rules:
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "secrets" ]
|
||||
verbs: [ "create", "patch" ]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: certs-creator
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: certs-creator
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: secret-creator
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: create-certs
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
serviceAccountName: certs-creator
|
||||
containers:
|
||||
- command:
|
||||
- /usr/local/bin/bash
|
||||
- -ecx
|
||||
- |
|
||||
apk add openssl curl
|
||||
|
||||
export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
|
||||
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt
|
||||
|
||||
function createKey() {
|
||||
USER=$1
|
||||
openssl genrsa -out ${USER}.key 2048
|
||||
echo "created ${USER}.key"
|
||||
}
|
||||
|
||||
function createSigningRequest() {
|
||||
USER=$1
|
||||
openssl req -new -key ${USER}.key -extensions 'v3_req' -out ${USER}.csr -config <(generateServerConfig)
|
||||
echo "created ${USER}.csr"
|
||||
}
|
||||
|
||||
function generateServerConfig() {
|
||||
cat<<EOF
|
||||
[req]
|
||||
distinguished_name = req_distinguished_name
|
||||
x509_extensions = v3_req
|
||||
prompt = no
|
||||
[req_distinguished_name]
|
||||
CN = db-postgresql
|
||||
[v3_req]
|
||||
keyUsage = keyEncipherment, dataEncipherment
|
||||
extendedKeyUsage = serverAuth
|
||||
subjectAltName = DNS:postgres,DNS:zitadel,DNS:db-postgresql
|
||||
EOF
|
||||
}
|
||||
|
||||
function signCertificate() {
|
||||
INCSR=$1 OUTCRT=$2 CA_CRT=$3 CA_KEY=$4
|
||||
openssl x509 -req -in $INCSR -CA $CA_CRT -CAkey $CA_KEY -CAcreateserial -days 365 -out $OUTCRT -extensions v3_req -extfile <(generateServerConfig)
|
||||
}
|
||||
|
||||
function secretJson {
|
||||
USER=$1
|
||||
cat<<EOF
|
||||
{
|
||||
"apiVersion": "v1",
|
||||
"kind": "Secret",
|
||||
"data": {
|
||||
"ca.crt": "$(base64 -w 0 ./ca.crt)",
|
||||
"tls.crt": "$(base64 -w 0 ./${USER}.crt)",
|
||||
"tls.key": "$(base64 -w 0 ./${USER}.key)"
|
||||
},
|
||||
"metadata": {
|
||||
"name": "${USER}-cert"
|
||||
},
|
||||
"type": "kubernetes.io/tls"
|
||||
}
|
||||
EOF
|
||||
}
|
||||
|
||||
function createCertSecret {
|
||||
USER=$1
|
||||
echo "CACERT value: ${CACERT}"
|
||||
echo "TOKEN value: ${TOKEN}"
|
||||
echo "APISERVER value: ${APISERVER}"
|
||||
echo "NAMESPACE value: ${NAMESPACE}"
|
||||
curl \
|
||||
--cacert ${CACERT} \
|
||||
--header "Authorization: Bearer ${TOKEN}" \
|
||||
--header "Content-Type: application/json" \
|
||||
-X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
|
||||
--data "$(echo -n $(secretJson ${USER}) | tr -d '\n')"
|
||||
}
|
||||
|
||||
# Create a CA key and cert for signing other certs
|
||||
createKey ca
|
||||
openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=My Custom CA"
|
||||
|
||||
createKey postgres
|
||||
createSigningRequest postgres
|
||||
signCertificate postgres.csr postgres.crt ca.crt ca.key
|
||||
createCertSecret postgres
|
||||
|
||||
createKey zitadel
|
||||
createSigningRequest zitadel
|
||||
signCertificate zitadel.csr zitadel.crt ca.crt ca.key
|
||||
createCertSecret zitadel
|
||||
image: bash:5.2.15
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: create-certs
|
2
deployment/zitadel/cockroach-values.yaml
Normal file
@@ -0,0 +1,2 @@
|
||||
tls:
|
||||
enabled: true
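Review bot: `tls.enabled: true` with no `tls.certs` settings relies, as far as I read the chart defaults, on the chart's built-in self-signer, which keeps the CA private key in the `*-ca-secret` that `cert-job.yaml` then mounts to mint the `zitadel` client certificate; the dependency is invisible from this file, and switching the chart to another certificate source (cert-manager, provided certs) would break the Job without any error here. A comment recording that coupling would help, e.g. `# cert-job.yaml mints the zitadel client cert from the self-signer CA in <release>-ca-secret`.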
|
@@ -3,6 +3,7 @@ apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: zitadel-server
|
||||
argocd.argoproj.io/hook: PostSync
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
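Review bot: `argocd.argoproj.io/hook: PostSync`, which by the hunk counts (+1, -0) is the line added here, sits directly under `metadata:` beside `name:` rather than under `metadata.annotations`, which is where Argo CD reads hook markers; as a top-level metadata field it is either rejected by server-side validation or dropped, and the IngressRoute would sync as a plain resource instead of a PostSync hook. Nest it as `annotations:` / `argocd.argoproj.io/hook: PostSync` beneath `metadata:`. Indentation is lost in this rendering, and the file header for the hunk is outside the visible page, so the file is inferred from the hunk context (`apiVersion: traefik.containo.us/v1alpha1`).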
|
||||
|
@@ -2,20 +2,18 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- ./certs-job.yaml
|
||||
- ./cert-job.yaml
|
||||
- ./secrets.yaml
|
||||
- ./ingressRoute.yaml
|
||||
|
||||
helmCharts:
|
||||
- name: postgres
|
||||
repo: oci://registry-1.docker.io/bitnamicharts/postgresql
|
||||
releaseName: postgresql
|
||||
version: 14.3.3
|
||||
valuesFile: ./zitadel/postgres-values.yaml
|
||||
- name: cockroachdb
|
||||
repo: https://charts.cockroachdb.com/
|
||||
releaseName: cockroachdb
|
||||
version: 12.0.2
|
||||
valuesFile: cockroach-values.yaml
|
||||
- name: zitadel
|
||||
repo: https://charts.zitadel.com
|
||||
releaseName: zitadel
|
||||
version: 7.10.0
|
||||
valuesFile: ./values.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- ./ingressRoute.yaml
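Review bot: `valuesFile: cockroach-values.yaml` in the new cockroachdb chart entry omits the `./` prefix that the sibling `valuesFile: ./values.yaml` and every `resources:` entry use; kustomize resolves both relative to the kustomization directory, but the inconsistent form reads as if a different base were intended, so write `valuesFile: ./cockroach-values.yaml`. The old/new side of the trailing `patchesStrategicMerge:` lines is not recoverable from this rendering; if `./ingressRoute.yaml` is listed both as a resource and as a strategic-merge patch on the new side, confirm that is intended, since the same file would then be applied twice.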
|
||||
|
@@ -1,9 +0,0 @@
|
||||
volumePermissions:
|
||||
enabled: true
|
||||
tls:
|
||||
enabled: true
|
||||
certificatesSecret: postgres-cert
|
||||
certFilename: "tls.crt"
|
||||
certKeyFilename: "tls.key"
|
||||
auth:
|
||||
existingSecret: postgres-auth
|
@@ -10,9 +10,9 @@ stringData:
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: postgres-auth
|
||||
name: cockroach-auth
|
||||
labels:
|
||||
secret-generator.cs.sap.com/enabled: "true"
|
||||
stringData:
|
||||
postgres-password: "%generate"
|
||||
cockroach-password: "%generate"
|
||||
user-password: "%generate"
|
@@ -6,36 +6,28 @@ zitadel:
|
||||
TLS:
|
||||
Enabled: false
|
||||
Database:
|
||||
Postgres:
|
||||
Host: db-postgresql
|
||||
Port: 5432
|
||||
Database: zitadel
|
||||
MaxOpenConns: 20
|
||||
MaxIdleConns: 10
|
||||
MaxConnLifetime: 30m
|
||||
MaxConnIdleTime: 5m
|
||||
Cockroach:
|
||||
Host: db-cockroachdb-public
|
||||
User:
|
||||
Username: zitadel
|
||||
SSL:
|
||||
Mode: verify-full
|
||||
Admin:
|
||||
Username: postgres
|
||||
SSL:
|
||||
Mode: verify-full
|
||||
|
||||
dbSslCaCrtSecret: postgres-cert
|
||||
dbSslAdminCrtSecret: postgres-cert
|
||||
dbSslUserCrtSecret: zitadel-cert
|
||||
dbSslCaCrtSecret: db-cockroachdb-ca-secret
|
||||
dbSslAdminCrtSecret: db-cockroachdb-client-secret
|
||||
dbSslUserCrtSecret: db-cockroachdb-zitadel-secret
|
||||
|
||||
env:
|
||||
- name: ZITADEL_DATABASE_POSTGRES_USER_PASSWORD
|
||||
- name: ZITADEL_DATABASE_COCKROACH_USER_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: postgres-auth
|
||||
name: cockroach-auth
|
||||
key: user-password
|
||||
|
||||
- name: ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD
|
||||
- name: ZITADEL_DATABASE_COCKROACH_ADMIN_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: postgres-auth
|
||||
key: postgres-password
|
||||
name: cockroach-auth
|
||||
key: cockroach-password
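Review bot: `Admin.Username: postgres` under `Cockroach:` looks wrong for CockroachDB: with `SSL.Mode: verify-full` the server matches the client certificate's CN against the SQL user, and if `dbSslAdminCrtSecret: db-cockroachdb-client-secret` is the chart's generated client secret it is issued for `root`, so the admin connection would be rejected unless a `postgres` user and matching certificate are provisioned elsewhere; `Username: root` is the expected value, and it is also the account with the privileges Zitadel's setup needs. The `db-` prefix on the three secret names does not follow directly from the kustomization's `releaseName: cockroachdb`, so confirm it is supplied by a namePrefix or the Argo CD application naming. The `zitadel:` mapping enclosing this hunk starts outside it.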
|