From cda79c44284f991b262e0ad805a78ef5e9566c04 Mon Sep 17 00:00:00 2001
From: Vargha Csongor <Culisa1023@gmail.com>
Date: Sat, 16 Mar 2024 10:52:29 +0100
Subject: [PATCH] switch zitadel to cockroachDB

---
 deployment/zitadel/cert-job.yaml         | 104 +++++++++++++++++++
 deployment/zitadel/certs-job.yaml        | 126 -----------------------
 deployment/zitadel/cockroach-values.yaml |   2 +
 deployment/zitadel/ingressRoute.yaml     |   1 +
 deployment/zitadel/kustomization.yaml    |  16 ++-
 deployment/zitadel/postgres-values.yaml  |   9 --
 deployment/zitadel/secrets.yaml          |   4 +-
 deployment/zitadel/values.yaml           |  28 ++---
 8 files changed, 126 insertions(+), 164 deletions(-)
 create mode 100644 deployment/zitadel/cert-job.yaml
 delete mode 100644 deployment/zitadel/certs-job.yaml
 create mode 100644 deployment/zitadel/cockroach-values.yaml
 delete mode 100644 deployment/zitadel/postgres-values.yaml

diff --git a/deployment/zitadel/cert-job.yaml b/deployment/zitadel/cert-job.yaml
new file mode 100644
index 0000000..ecf10a0
--- /dev/null
+++ b/deployment/zitadel/cert-job.yaml
@@ -0,0 +1,104 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: zitadel-cert-creator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: secret-creator
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "create" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: zitadel-cert-creator
+subjects:
+  - kind: ServiceAccount
+    name:  zitadel-cert-creator
+roleRef:
+  kind: Role
+  name: secret-creator
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: create-zitadel-cert
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      serviceAccountName: zitadel-cert-creator
+      containers:
+      - command:
+          - /bin/bash
+          - -ecx
+          - |
+            cockroach cert create-client \
+            --certs-dir /cockroach/cockroach-certs \
+            --ca-key /cockroach/cockroach-certs/ca.key \
+            --lifetime 8760h \
+            zitadel
+            export SECRET=$(cat <<EOF
+            {
+              "apiVersion": "v1",
+              "kind": "Secret",
+              "data": {
+                "ca.crt": "$(base64 /cockroach/cockroach-certs/ca.crt --wrap 0)",
+                "tls.crt": "$(base64 /cockroach/cockroach-certs/client.zitadel.crt --wrap 0)",
+                "tls.key": "$(base64 /cockroach/cockroach-certs/client.zitadel.key --wrap 0)"
+              },
+              "metadata": {
+                "name": "db-cockroachdb-zitadel-secret"
+              },
+              "type": "kubernetes.io/tls"
+            }
+            EOF
+            )
+            export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
+            export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt
+            curl \
+            --cacert ${CACERT} \
+            --header "Authorization: Bearer ${TOKEN}" \
+            --header "Content-Type: application/json" \
+            -X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
+            --data "$(echo -n $SECRET | tr -d '\n')"
+        image: cockroachdb/cockroach:v23.1.8
+        imagePullPolicy: IfNotPresent
+        name: create-zitadel-cert
+        volumeMounts:
+        - mountPath: /cockroach/cockroach-certs/
+          name: certs
+      initContainers:
+      - command:
+        - /bin/sh
+        - -c
+        - cp -f /certs/* /cockroach-certs/; chmod 0400 /cockroach-certs/*.key
+        image: busybox
+        imagePullPolicy: IfNotPresent
+        name: copy-certs
+        volumeMounts:
+        - mountPath: /cockroach-certs/
+          name: certs
+        - mountPath: /certs/
+          name: certs-secret
+      volumes:
+      - emptyDir: {}
+        name: certs
+      - name: certs-secret
+        projected:
+          defaultMode: 420
+          sources:
+          - secret:
+              items:
+              - key: ca.crt
+                mode: 256
+                path: ca.crt
+              - key: ca.key
+                mode: 256
+                path: ca.key
+              name: db-cockroachdb-ca-secret
diff --git a/deployment/zitadel/certs-job.yaml b/deployment/zitadel/certs-job.yaml
deleted file mode 100644
index 1eeb1ac..0000000
--- a/deployment/zitadel/certs-job.yaml
+++ /dev/null
@@ -1,126 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: certs-creator
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: secret-creator
-rules:
-  - apiGroups: [ "" ]
-    resources: [ "secrets" ]
-    verbs: [ "create", "patch" ]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: certs-creator
-subjects:
-  - kind: ServiceAccount
-    name:  certs-creator
-roleRef:
-  kind: Role
-  name: secret-creator
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: create-certs
-spec:
-  template:
-    spec:
-      restartPolicy: OnFailure
-      serviceAccountName: certs-creator
-      containers:
-      - command:
-          - /usr/local/bin/bash
-          - -ecx
-          - |
-            apk add openssl curl
-            
-            export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
-            export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt
-
-            function createKey() {
-              USER=$1
-              openssl genrsa -out ${USER}.key 2048
-              echo "created ${USER}.key"
-            }
-
-            function createSigningRequest() {
-              USER=$1
-              openssl req -new -key ${USER}.key -extensions 'v3_req' -out ${USER}.csr -config <(generateServerConfig)
-              echo "created ${USER}.csr"
-            }
-
-            function generateServerConfig() {
-              cat<<EOF
-              [req]
-              distinguished_name = req_distinguished_name
-              x509_extensions = v3_req
-              prompt = no
-              [req_distinguished_name]
-              CN = db-postgresql
-              [v3_req]
-              keyUsage = keyEncipherment, dataEncipherment
-              extendedKeyUsage = serverAuth
-              subjectAltName = DNS:postgres,DNS:zitadel,DNS:db-postgresql
-            EOF
-            }
-
-            function signCertificate() {
-              INCSR=$1 OUTCRT=$2 CA_CRT=$3 CA_KEY=$4
-              openssl x509 -req -in $INCSR -CA $CA_CRT -CAkey $CA_KEY -CAcreateserial -days 365 -out $OUTCRT -extensions v3_req -extfile <(generateServerConfig)
-            }
-
-            function secretJson {
-              USER=$1
-              cat<<EOF
-              {
-                "apiVersion": "v1",
-                "kind": "Secret",
-                "data": {
-                  "ca.crt": "$(base64 -w 0 ./ca.crt)",
-                  "tls.crt": "$(base64 -w 0 ./${USER}.crt)",
-                  "tls.key": "$(base64 -w 0 ./${USER}.key)"
-                },
-                "metadata": {
-                  "name": "${USER}-cert"
-                },
-                "type": "kubernetes.io/tls"
-              }
-            EOF
-            }
-
-            function createCertSecret {
-              USER=$1
-              echo "CACERT value: ${CACERT}"
-              echo "TOKEN value: ${TOKEN}"
-              echo "APISERVER value: ${APISERVER}"
-              echo "NAMESPACE value: ${NAMESPACE}"
-              curl \
-              --cacert ${CACERT} \
-              --header "Authorization: Bearer ${TOKEN}" \
-              --header "Content-Type: application/json" \
-              -X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
-              --data "$(echo -n $(secretJson ${USER}) | tr -d '\n')"
-            }
-
-            # Create a CA key and cert for signing other certs
-            createKey ca
-            openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt -subj "/CN=My Custom CA"
-
-            createKey postgres
-            createSigningRequest postgres
-            signCertificate postgres.csr postgres.crt ca.crt ca.key
-            createCertSecret postgres
-
-            createKey zitadel
-            createSigningRequest zitadel
-            signCertificate zitadel.csr zitadel.crt ca.crt ca.key
-            createCertSecret zitadel
-        image: bash:5.2.15
-        imagePullPolicy: IfNotPresent
-        name: create-certs
diff --git a/deployment/zitadel/cockroach-values.yaml b/deployment/zitadel/cockroach-values.yaml
new file mode 100644
index 0000000..6ba315a
--- /dev/null
+++ b/deployment/zitadel/cockroach-values.yaml
@@ -0,0 +1,2 @@
+tls:
+  enabled: true
diff --git a/deployment/zitadel/ingressRoute.yaml b/deployment/zitadel/ingressRoute.yaml
index 8303faa..7ea0aae 100644
--- a/deployment/zitadel/ingressRoute.yaml
+++ b/deployment/zitadel/ingressRoute.yaml
@@ -3,6 +3,7 @@ apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
   name: zitadel-server
+  argocd.argoproj.io/hook: PostSync
 spec:
   entryPoints:
     - websecure
diff --git a/deployment/zitadel/kustomization.yaml b/deployment/zitadel/kustomization.yaml
index acac9f9..2ab8253 100644
--- a/deployment/zitadel/kustomization.yaml
+++ b/deployment/zitadel/kustomization.yaml
@@ -2,20 +2,18 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ./certs-job.yaml
+  - ./cert-job.yaml
   - ./secrets.yaml
+  - ./ingressRoute.yaml
 
 helmCharts:
-  - name: postgres
-    repo: oci://registry-1.docker.io/bitnamicharts/postgresql
-    releaseName: postgresql
-    version: 14.3.3
-    valuesFile: ./zitadel/postgres-values.yaml
+  - name: cockroachdb
+    repo: https://charts.cockroachdb.com/
+    releaseName: cockroachdb
+    version: 12.0.2
+    valuesFile: cockroach-values.yaml
   - name: zitadel
     repo: https://charts.zitadel.com
     releaseName: zitadel
     version: 7.10.0
     valuesFile: ./values.yaml
-
-patchesStrategicMerge:
-- ./ingressRoute.yaml
diff --git a/deployment/zitadel/postgres-values.yaml b/deployment/zitadel/postgres-values.yaml
deleted file mode 100644
index c74436a..0000000
--- a/deployment/zitadel/postgres-values.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-volumePermissions:
-  enabled: true
-tls:
-  enabled: true
-  certificatesSecret: postgres-cert
-  certFilename: "tls.crt"
-  certKeyFilename: "tls.key"
-auth:
-  existingSecret: postgres-auth
diff --git a/deployment/zitadel/secrets.yaml b/deployment/zitadel/secrets.yaml
index 9554537..d7a4c82 100644
--- a/deployment/zitadel/secrets.yaml
+++ b/deployment/zitadel/secrets.yaml
@@ -10,9 +10,9 @@ stringData:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: postgres-auth
+  name: cockroach-auth
   labels:
     secret-generator.cs.sap.com/enabled: "true"
 stringData:
-  postgres-password: "%generate"
+  cockroach-password: "%generate"
   user-password: "%generate"
\ No newline at end of file
diff --git a/deployment/zitadel/values.yaml b/deployment/zitadel/values.yaml
index 147bf22..2ad5e80 100644
--- a/deployment/zitadel/values.yaml
+++ b/deployment/zitadel/values.yaml
@@ -6,36 +6,28 @@ zitadel:
     TLS:
       Enabled: false
     Database:
-      Postgres:
-        Host: db-postgresql
-        Port: 5432
-        Database: zitadel
-        MaxOpenConns: 20
-        MaxIdleConns: 10
-        MaxConnLifetime: 30m
-        MaxConnIdleTime: 5m
+      Cockroach:
+        Host: db-cockroachdb-public
         User:
-          Username: zitadel
           SSL:
             Mode: verify-full
         Admin:
-          Username: postgres
           SSL:
             Mode: verify-full
 
-  dbSslCaCrtSecret: postgres-cert
-  dbSslAdminCrtSecret: postgres-cert
-  dbSslUserCrtSecret: zitadel-cert
+  dbSslCaCrtSecret: db-cockroachdb-ca-secret
+  dbSslAdminCrtSecret: db-cockroachdb-client-secret
+  dbSslUserCrtSecret: db-cockroachdb-zitadel-secret
 
 env:
-  - name: ZITADEL_DATABASE_POSTGRES_USER_PASSWORD
+  - name: ZITADEL_DATABASE_COCKROACH_USER_PASSWORD
     valueFrom:
       secretKeyRef:
-        name: postgres-auth
+        name: cockroach-auth
         key: user-password
 
-  - name: ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD
+  - name: ZITADEL_DATABASE_COCKROACH_ADMIN_PASSWORD
     valueFrom:
       secretKeyRef:
-        name: postgres-auth
-        key: postgres-password
\ No newline at end of file
+        name: cockroach-auth
+        key: cockroach-password
\ No newline at end of file