add traefik oauth forward

cmd/auth/dockerfile

@@ -1,5 +1,8 @@
 FROM --platform=$BUILDPLATFORM golang:alpine AS build
 
+ARG TARGETOS
+ARG TARGETARCH
+
 WORKDIR /app
 
 COPY . .

cmd/auth/main.go

@@ -19,9 +19,9 @@ import (
 )
 
 var (
-	cert             = flag.String("cert", "/etc/gh-auth-service/ssl/tls.crt", "Specify the path of TLS cert")
-	key              = flag.String("key", "/etc/gh-auth-service/ssl/tls.key", "Specify the path of TLS key")
-	zitadelAccessKey = flag.String("zitadel-access-key", "/etc/gh-auth-service/zitadel/api-key.json", "Specify the path of Zitadel access key")
+	cert             = flag.String("cert", "/etc/gh-authz/ssl/tls.crt", "Specify the path of TLS cert")
+	key              = flag.String("key", "/etc/gh-authz/ssl/tls.key", "Specify the path of TLS key")
+	zitadelAccessKey = flag.String("zitadel-access-key", "/etc/gh-authz/zitadel/api-key.json", "Specify the path of Zitadel access key")
 	httpsPort        = flag.String("https", ":443", "Specify port for http secure hosting(example for format :443)")
 	httpPort         = flag.String("http", ":80", "Specify port for http hosting(example for format :80)")
 	zitadelURI       = flag.String("zitadel-uri", "zitadel.varghacsongor.hu", "Specify the Zitadel URI")

cmd/backend/dockerfile

@@ -1,5 +1,8 @@
 FROM --platform=$BUILDPLATFORM golang:alpine AS build
 
+ARG TARGETOS
+ARG TARGETARCH
+
 WORKDIR /app
 
 COPY . .

deployment/auth-service-argo.yaml

@@ -1,22 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: gh-auth-service
-spec:
-  project: generations-heritage-vv
-  source:
-    repoURL: 'https://github.com/vcscsvcscs/GenerationsHeritage'
-    path: deployment/auth-service
-    targetRevision: main
-    kustomize:
-      namespace: generations-heritage
-  destination:
-    server: 'https://kubernetes.default.svc'
-    namespace: generations-heritage
-  syncPolicy:
-    automated:
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true
-    

deployment/auth-service/service.yaml

@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/instance: gh-auth-service
-    app.kubernetes.io/name: gh-auth-service
-  name: gh-auth-service
-spec:
-  ports:
-  - name: gin
-    port: 443
-    protocol: TCP
-    targetPort: 443
-  selector:
-    app.kubernetes.io/instance: gh-auth-service
-    app.kubernetes.io/name: gh-auth-service
-  type: ClusterIP

deployment/auth-service/zitadel-acces-key.yaml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: zitadel-service-account
-data:
-  api-key.json: eyJ0eXBlIjoiYXBwbGljYXRpb24iLCJrZXlJZCI6IjI2NzQxOTk4NzY3MTUxNTM4OCIsImtleSI6Ii0tLS0tQkVHSU4gUlNBIFBSSVZBVEUgS0VZLS0tLS1cbk1JSUVwQUlCQUFLQ0FRRUF1b3hpdytnWURkMXRwTjc1VUUyejVGN2tRRTVQdzVYYmNOTDFuK3RrUEd0MnRBeDBcbkFZalhUTWVZMGRTUzF3cHhEMGpWVnkwZzJ1Z2gyUzNZL1lrL0ZSWHZMMEhIRmd4N1V4RGFnV2VFNGwvazlIUTJcbjF5Tmx0UjY4NzdoaXN5L2ViOWhVMWxvRG10RDRjZEhSWStOYXBmeG41cFN0Ulh6b2tpYTdnVVl5V0pCdW5FU1pcbkZWM0tsY1g5Nkp3c0RoTXkvdWFFNmtYd1lhUmRWODZENVNueHRvZGFFUzU1cUxYMFhmYUE0VjBleGtQalNpLzNcbnRJNy9WMWY3NnFycTZyK25lN1luZFVGOXVxaHViY3gxZXJSTzZGZm4zWnVMOHhIdVVLVURLWWh6M0xUdjdCYStcbmtMcGd1VFdKdXJ0ZyswNmhFUkw5TFFpUVRwNGNsSEdIYzU3TndRSURBUUFCQW9JQkFBeUJKb210UUJlRjFUaXNcbi9aZEZiaDZMd2M4UnNNVVNnWUFoay9kaFJ2bkoxazRoVzVGU3crUFFxVXkvYkF4Z0ZjNEplc3Q2S2U2aWlzcE5cbkNYT05SSjQ4TnlrNnhvYVMxWjF1enNiSDBwOStBQkhtekZwRmRDYmM1WnRJQjgydEVzTDZoRTFPQVZuYVVoMEhcbkRIc2VuVS90Q0dYcloyWDJCbnp0ZmJvZm8zWk9NdHBIMW91SXRvOFRoRWZWYkVSSFdKN1IrUVFoZVJwbEV6dUpcbkpIdm12cHorMFFkOWVGbjRaUWViOU1DOFRSSW5sTzNyK1d0S1VrWWk1dzlwNTVBSXZiM2RROVpKR2NSSk9RbnlcbnMwTlpRV2tkblJSN05sV0pZUUtPdVIzYVQ1MlY3eER5NDJ5Q1hSTHhEOEU3SWt5aXMvbkswVjlucWNML29DYUhcbkovUURJY0VDZ1lFQTR4TWQ0TGJhNHZjREZMUjJmUHJLUnRkYms3YktGV01BQUx4K2srbXgwY2tyZitMdUY2QVdcbkJpbU9MeFk5TnZrenpQdkVmeG5IWW1DN1NpS2IxbGhUMDBQcGsyWld2SjBESWpaMUc1cXRCQkJpODQvUHVqZ0pcbmFEbFlseUM3T1gyTmlNL25STVN0SnYxamZuZk8rOWZqYnlZNXhSRXMya1U3b24yM091TzgxMGtDZ1lFQTBrKzFcbjZTNTZaQ3BFSkorUWZzaDdvSkFOZkpaMnRyS0diaXVGRlNpdFRLT081am5Dd0pacjVDNW44dUhaT3REUUNkMVFcbmgwWTlEOHUyTlE0NU50ZElzOWNmRGVEVFV6QUF0aVk1Uk9TMzc3MG1MMVNZNWVpQkQ5c081ekZ6enI2aVJBa2hcbjRFZGZlYVNlakFmMHdYVnBMWk9CekRyTXlIaWJzWjJPbjVmcmFya0NnWUVBcVN1ZjBiOUkyVmgvY2hoMFFlNHhcbmJvK1pDVFpmM1lrUkFudHJyZFNvQm92aUhYZTZPOTJuS3RZZ3VKSFA3em0vVHRLdTlLWUc5aExzMVhGdE9rWTVcbnhTWk9TT013Y1hwa1VFUFVBVW05NWs0eStoUEZCWTRqN0FMMUxqcFRZYVJaSW5rSmFpRkFndEM2SkFrc0tsSVBcbmZjb3p0YzV5NVBZNVZIaG1YcmcyQXdrQ2dZRUF1SWJUMTNxK1RIQ0JSWmp6VVNwYXZuQm1SUEJIek5rcTlqTWRcbkc0bUxOSGsxZ204Zm41YmJwMlBJTk9WUWtqaHdzSmNNZHdSN3d3WThJcVVPTWo0R1BqVDd2Rk9OVjZvQWxkRkhcbjRsakR3b2UxbjBXY3VleWNnT3IxVW9palViMFY1cGdVcnhJd2hTeVpKOGc3U2hyWVkvTE9xZ0RWZVBmSnM3ZklcblVlTWIzWkVDZ1lBcGpuZ2ZHckFQbmpzV3hxMXRxQ2RjVThUYmtsMHh2c3ZZVndWR0wrUlJXZlZKQkdFOXpwUVhcbmM2S01mdzR6VXMwUVc5NlJMYXZyQVR3b3JON1p0a05sZXZZNU9HYmpvTWRGN2praUhlTWFzeUh4c25iK0ZPUEtcbkgyZ0FVT0grbGV2WUpiQ3ZqbkM2R3RTR3d2ZVAvRWR2Mng0NTVRVFQ1WTZwck1ZOGdxVWw0QT09XG4tLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLVxuIiwiYXBwSWQiOiIyNjczNjUwMzYyMTU3NjMxOTUiLCJjbGllbnRJZCI6IjI2NzM2NTAzNjIxNTgyODczMUBnZW5lcmF0aW9uc2hlcml0YWdlIn0=

deployment/authN/configs/traefik-forward-auth.ini

@@ -0,0 +1,8 @@
+rule.example_public.action=allow
+rule.example_public.rule=Host("stats.example.com") && PathPrefix("/api/public")
+
+rule.example_api.action=allow
+rule.example_api.rule=Host("api.example.com") && Headers("X-API-Authorization", "a-long-api-key")
+
+rule.example_api_query.action=allow
+rule.example_api_query.rule=Host("api.example.com") && && Query("api_key=a-long-api-key")

deployment/authN/deployment.yaml

@@ -0,0 +1,78 @@
+#
+# Traefik Forward Auth Deployment
+#
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik-forward-auth
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik-forward-auth
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: traefik-forward-auth
+    spec:
+      serviceAccountName: traefik-ingress-controller
+      terminationGracePeriodSeconds: 60
+      containers:
+      - image: thomseddon/traefik-forward-auth:2
+        name: traefik-forward-auth
+        ports:
+        - containerPort: 4181
+          protocol: TCP
+        resources:
+          limits:
+            memory: "256Mi"
+            cpu: "500m"
+          requests:
+            memory: "128Mi"
+            cpu: "250m"
+        env:
+        - name: CONFIG
+          value: "/config"
+        - name: DOMAIN
+          value: "varghacsongor.hu"
+        # INSECURE_COOKIE is required if not using a https entrypoint
+        # - name: INSECURE_COOKIE
+        #   value: "true"
+        # Remove COOKIE_DOMAIN if not using auth host mode
+        - name: COOKIE_DOMAIN
+          value: "example.com"
+        - name: AUTH_HOST
+          value: "auth.example.com"
+        - name: LOG_LEVEL
+          value: "info"
+        - name: PROVIDERS_GOOGLE_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: traefik-forward-auth-secrets
+              key: google-client-id
+        - name: PROVIDERS_GOOGLE_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: traefik-forward-auth-secrets
+              key: google-client-secret
+        - name: SECRET
+          valueFrom:
+            secretKeyRef:
+              name: traefik-forward-auth-secrets
+              key: secret
+        volumeMounts:
+        - name: configs
+          mountPath: /configexample
+          subPath: traefik-forward-auth.ini
+
+      volumes:
+      - name: configs
+        configMap:
+          name: configs
+      - name: traefik-forward-auth-secrets
+        secret:
+          secretName: traefik-forward-auth-secrets

deployment/authN/ingress.yaml

@@ -0,0 +1,20 @@
+#
+# Auth Ingress
+#
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik
+spec:
+  entryPoints:
+    - https
+  routes:
+  - match: Host(`auth.varghacsongor.hu`)
+    kind: Rule
+    services:
+    - name: traefik-forward-auth
+      port: 4181
+  tls:
+    certresolver: default

deployment/authN/kustomization.yaml

@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+commonLabels:
+  app: traefik-forward-auth
+
+resources:
+- deployment.yaml
+- service.yaml
+- ingress.yaml
+- middleware.yaml
+
+#
+# Configs
+#
+configMapGenerator:
+- name: configs
+  files:
+    - configs/traefik-forward-auth.ini
+
+#
+# Secrets
+#
+secretGenerator:
+- name: traefik-forward-auth-secrets
+  env: secrets/traefik-forward-auth.env

deployment/authN/middleware.yaml

@@ -0,0 +1,9 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-forward-auth
+spec:
+  forwardAuth:
+    address: http://traefik-forward-auth:4181
+    authResponseHeaders:
+      - X-Forwarded-User

deployment/authN/secrets/traefik-forward-auth.env

@@ -0,0 +1,3 @@
+google-client-id=client-id
+google-client-secret=client-secret
+secret=something-random

deployment/authN/service.yaml

@@ -0,0 +1,17 @@
+#
+# Auth Service
+#
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik
+spec:
+  type: ClusterIP
+  selector:
+    app: traefik
+  ports:
+  - name: auth-http
+    port: 4181
+    targetPort: 4181

deployment/authZ/certificate.yaml

@@ -1,7 +1,7 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: gh-auth-service-certificate
+  name: gh-authz-certificate
   annotations:
     argocd.argoproj.io/hook: PreSync
 spec:
@@ -9,15 +9,15 @@ spec:
   duration: 2160h # 90d
   renewBefore: 360h # 15d
   dnsNames:
-    - gh-auth-service.generations-heritage.svc.cluster.local
-    - gh-auth-service
+    - gh-authz.generations-heritage.svc.cluster.local
+    - gh-authz
     - localhost
   ipAddresses:
     - 127.0.0.1
   subject:
     organizations:
       - GenerationsHeritage
-  secretName: gh-auth-service-tls
+  secretName: gh-authz-tls
   privateKey:
     algorithm: RSA
     encoding: PKCS1

deployment/authZ/deployment.yaml

@@ -2,29 +2,29 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    app.kubernetes.io/instance: gh-auth-service
-    app.kubernetes.io/name: gh-auth-service
+    app.kubernetes.io/instance: gh-authz
+    app.kubernetes.io/name: gh-authz
   annotations:
     argocd.argoproj.io/sync-wave: "1"
     argocd.argoproj.io/hook: Synce
-  name: gh-auth-service
+  name: gh-authz
   namespace: generations-heritage
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app.kubernetes.io/instance: gh-auth-service
-      app.kubernetes.io/name: gh-auth-service
+      app.kubernetes.io/instance: gh-authz
+      app.kubernetes.io/name: gh-authz
   template:
     metadata:
       labels:
-        app.kubernetes.io/instance: gh-auth-service
-        app.kubernetes.io/name: gh-auth-service
+        app.kubernetes.io/instance: gh-authz
+        app.kubernetes.io/name: gh-authz
     spec:
       containers:
         - image: vcscsvcscs/gheritage-auth-service:latest
           imagePullPolicy: Always
-          name: gh-auth-service
+          name: gh-authz
           ports:
           - containerPort: 443
             name: gin
@@ -38,14 +38,14 @@ spec:
               cpu: 100m
               memory: 50Mi
           volumeMounts:
-            - name: gh-auth-service-certs
-              mountPath: /etc/gh-auth-service/ssl
+            - name: gh-authz-certs
+              mountPath: /etc/gh-authz/ssl
             - name: zitadel-service-account
-              mountPath: /etc/gh-auth-service/zitadel
+              mountPath: /etc/gh-authz/zitadel
       volumes:
-      - name: gh-auth-service-certs
+      - name: gh-authz-certs
         secret:
-          secretName: gh-auth-service-tls
+          secretName: gh-authz-tls
       - name: zitadel-service-account
         secret:
           secretName: zitadel-service-account

deployment/authZ/forwardAuth.yaml

@@ -4,7 +4,7 @@ metadata:
   name: auth-service
 spec:
   forwardAuth:
-    address: https://gh-auth-service/auth/
+    address: https://gh-authz/auth/
     authResponseHeaders:
       - id
     tls:

deployment/authZ/horizontalPodAutoScaler.yaml

@@ -1,14 +1,14 @@
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
-  name: gh-auth-service
+  name: gh-authz
   annotations:
     argocd.argoproj.io/hook: PostSync
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
     kind: Deployment
-    name: gh-auth-service
+    name: gh-authz
   minReplicas: 1
   maxReplicas: 5
   metrics:

deployment/authZ/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: gh-authz
+    app.kubernetes.io/name: gh-authz
+  name: gh-authz
+spec:
+  ports:
+  - name: gin
+    port: 443
+    protocol: TCP
+    targetPort: 443
+  selector:
+    app.kubernetes.io/instance: gh-authz
+    app.kubernetes.io/name: gh-authz
+  type: ClusterIP

deployment/authz-argo.yaml

@@ -1,12 +1,12 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: zitadel
+  name: gh-authz
 spec:
   project: generations-heritage-vv
   source:
     repoURL: 'https://github.com/vcscsvcscs/GenerationsHeritage'
-    path: deployment/zitadel
+    path: deployment/authZ
     targetRevision: main
     kustomize:
       namespace: generations-heritage

deployment/backend/ingressRoute.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
@@ -16,15 +15,3 @@ spec:
           port: 443
           scheme: https
           serversTransport: gh-backend
-  tls: {}
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: ServersTransport
-metadata:
-  name: gh-backend
-  annotations:
-    argocd.argoproj.io/hook: PostSync
-spec:
-    insecureSkipVerify: true
-    rootCAsSecrets:
-    - gh-backend-tls

deployment/memgraph/certificates.yaml

@@ -1,7 +1,7 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: memraph-certificate
+  name: memgraph-certificate
   annotations:
     argocd.argoproj.io/hook: PreSync
 spec:

deployment/memgraph/kustomization.yaml

@@ -4,6 +4,7 @@ namespace: generations-heritage
 
 resources:
   - ./certificates.yaml
+  - ./secrets.yaml
 
 helmCharts:
   - name: memgraph

deployment/memgraph/secrets.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: memgraph-secrets
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+  labels:
+    secret-generator.cs.sap.com/enabled: "true"
+stringData:
+  USER: memgraph
+  PASSWORD: "%generate"

deployment/memgraph/values.yaml

@@ -1,52 +1,23 @@
 image:
   repository: memgraph/memgraph
-  # Overrides the image tag whose default is v{{ .Chart.AppVersion }}
-  tag: ""
-  pullPolicy: IfNotPresent
-
-replicaCount: 1
-
-service:
-  type: ClusterIP
-  port: 7687
-  targetPort: 7687
-  protocol: TCP
-  annotations: {}
+  tag: "2.20.0"
 
 persistentVolumeClaim:
-  storagePVC: true
-  storagePVCSize: 2Gi
-  logPVC: true
-  logPVCSize: 256Mi
+  storageSize: 2Gi
 
 memgraphConfig:
   - "--also-log-to-stderr=true"
   - "--bolt-cert-file=/etc/memgraph/ssl/tls.crt"
   - "--bolt-key-file=/etc/memgraph/ssl/tls.key"
 
-# Annotations to add to the statefulSet
-statefulSetAnnotations: {}
-# Annotations to add to the Pod
-podAnnotations: {}
-
-resources:
-  {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
-
-serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
-  # Annotations to add to the service account
-  annotations: {}
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name: ""
+env:
+  - name: MEMGRAPH_USER
+    valueFrom:
+      secretKeyRef:
+        name: memgraph-secrets
+        key: USER
+  - name: MEMGRAPH_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: memgraph-secrets
+        key: PASSWORD      

deployment/server-transport.yaml

@@ -0,0 +1,6 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: server-transport
+spec:
+  insecureSkipVerify: true

deployment/zitadel/cert-job.yaml

@@ -1,113 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: zitadel-cert-creator
-  annotations: 
-    argocd.argoproj.io/hook: Sync
-    argocd.argoproj.io/sync-wave: "2"
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: secret-creator
-rules:
-  - apiGroups: [ "" ]
-    resources: [ "secrets" ]
-    verbs: [ "create" ]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: zitadel-cert-creator
-  annotations: 
-    argocd.argoproj.io/hook: Sync
-    argocd.argoproj.io/sync-wave: "2"
-subjects:
-  - kind: ServiceAccount
-    name:  zitadel-cert-creator
-roleRef:
-  kind: Role
-  name: secret-creator
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: create-zitadel-cert
-  annotations: 
-    argocd.argoproj.io/hook: Sync
-    argocd.argoproj.io/sync-wave: "2"
-spec:
-  template:
-    spec:
-      restartPolicy: OnFailure
-      serviceAccountName: zitadel-cert-creator
-      containers:
-      - command:
-          - /bin/bash
-          - -ecx
-          - |
-            cockroach cert create-client \
-            --certs-dir /cockroach/cockroach-certs \
-            --ca-key /cockroach/cockroach-certs/ca.key \
-            --lifetime 8760h \
-            zitadel
-            export SECRET=$(cat <<EOF
-            {
-              "apiVersion": "v1",
-              "kind": "Secret",
-              "data": {
-                "ca.crt": "$(base64 /cockroach/cockroach-certs/ca.crt --wrap 0)",
-                "tls.crt": "$(base64 /cockroach/cockroach-certs/client.zitadel.crt --wrap 0)",
-                "tls.key": "$(base64 /cockroach/cockroach-certs/client.zitadel.key --wrap 0)"
-              },
-              "metadata": {
-                "name": "db-cockroachdb-zitadel-secret"
-              },
-              "type": "kubernetes.io/tls"
-            }
-            EOF
-            )
-            export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
-            export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt
-            curl \
-            --cacert ${CACERT} \
-            --header "Authorization: Bearer ${TOKEN}" \
-            --header "Content-Type: application/json" \
-            -X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
-            --data "$(echo -n $SECRET | tr -d '\n')"
-        image: cockroachdb/cockroach:v23.1.8
-        imagePullPolicy: IfNotPresent
-        name: create-zitadel-cert
-        volumeMounts:
-        - mountPath: /cockroach/cockroach-certs/
-          name: certs
-      initContainers:
-      - command:
-        - /bin/sh
-        - -c
-        - cp -f /certs/* /cockroach-certs/; chmod 0400 /cockroach-certs/*.key
-        image: busybox
-        imagePullPolicy: IfNotPresent
-        name: copy-certs
-        volumeMounts:
-        - mountPath: /cockroach-certs/
-          name: certs
-        - mountPath: /certs/
-          name: certs-secret
-      volumes:
-      - emptyDir: {}
-        name: certs
-      - name: certs-secret
-        projected:
-          defaultMode: 420
-          sources:
-          - secret:
-              items:
-              - key: ca.crt
-                mode: 256
-                path: ca.crt
-              - key: ca.key
-                mode: 256
-                path: ca.key
-              name: cockroachdb-ca-secret

deployment/zitadel/cockroach-values.yaml

@@ -1,13 +0,0 @@
-tls:
-  enabled: true
-    
-annotations:
-  argocd.argoproj.io/hook: Sync
-
-storage:
-  persistentVolume:
-    size: 5Gi
-
-init:
-  jobAnnotations:
-    argocd.argoproj.io/hook: Sync

deployment/zitadel/ingressRoute.yaml

@@ -1,27 +0,0 @@
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: zitadel-server
-  annotations:
-    argocd.argoproj.io/hook: PostSync
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - kind: Rule
-      match: Host(`zitadel.varghacsongor.hu`)
-      priority: 10
-      services:
-        - name: zitadel
-          port: 8080
-          passHostHeader: true
-    - kind: Rule
-      match: Host(`zitadel.varghacsongor.hu`) && Headers(`Content-Type`, `application/grpc`)
-      priority: 11
-      services:
-        - name: zitadel
-          port: 8080
-          scheme: h2c
-          passHostHeader: true
-  tls: {}

deployment/zitadel/kustomization.yaml

@@ -1,58 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: generations-heritage
-
-resources:
-  - ./cert-job.yaml
-  - ./secrets.yaml
-  - ./ingressRoute.yaml
-
-helmCharts:
-  - name: cockroachdb
-    repo: https://charts.cockroachdb.com/
-    releaseName: cockroachdb
-    namespace: generations-heritage
-    version: 12.0.2
-    valuesFile: cockroach-values.yaml
-  - name: zitadel
-    repo: https://charts.zitadel.com
-    releaseName: zitadel
-    namespace: generations-heritage
-    version: 7.12.1
-    valuesFile: ./values.yaml
-
-patches:
-  - target:
-      kind: CronJob
-    patch: |
-      - op: replace
-        path: /apiVersion
-        value: batch/v1
-  - target:
-      name: zitadel-setup
-      kind: Job
-    patch: |
-      - op: add
-        path: /metadata/annotations/argocd.argoproj.io~1sync-wave
-        value: 4
-  - target:
-      name: zitadel-setup
-      kind: Job
-    patch: |
-      - op: add
-        path: /metadata/annotations/argocd.argoproj.io~1hook
-        value: Sync
-  - target:
-      name: zitadel-init
-      kind: Job
-    patch: |
-      - op: add
-        path: /metadata/annotations/argocd.argoproj.io~1sync-wave
-        value: 3
-  - target:
-      name: zitadel-init
-      kind: Job
-    patch: |
-      - op: add
-        path: /metadata/annotations/argocd.argoproj.io~1hook
-        value: Sync

deployment/zitadel/secrets.yaml

@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: zitadel-masterkey
-  annotations:
-    argocd.argoproj.io/hook: PreSync
-  labels:
-    secret-generator.cs.sap.com/enabled: "true"
-stringData: 
-  masterkey: "%generate"
-  admin-password: "%generate"
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: cockroach-auth
-  annotations:
-    argocd.argoproj.io/hook: PreSync
-  labels:
-    secret-generator.cs.sap.com/enabled: "true"
-stringData:
-  cockroach-password: "%generate"
-  user-password: "%generate"

deployment/zitadel/values.yaml

@@ -1,53 +0,0 @@
-zitadel:
-  masterkeySecretName: zitadel-masterkey
-  configmapConfig:
-    ExternalSecure: true
-    ExternalDomain: zitadel.varghacsongor.hu
-    ExternalPort: 443
-    TLS:
-      Enabled: false
-    Database:
-      Cockroach:
-        Host: cockroachdb-public
-        User:
-          SSL:
-            Mode: verify-full
-        Admin:
-          SSL:
-            Mode: verify-full
-
-  dbSslCaCrtSecret: cockroachdb-ca-secret
-  dbSslAdminCrtSecret: cockroachdb-client-secret
-  dbSslUserCrtSecret: db-cockroachdb-zitadel-secret
-
-image:
-  repository: ghcr.io/zitadel/zitadel
-  pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
-  tag: "v2.51.0"
-
-annotations:
-  argocd.argoproj.io/sync-wave: "5"
-  argocd.argoproj.io/hook: Sync
-
-env:
-  - name: ZITADEL_FIRSTINSTANCE_ORG_HUMAN_USERNAME
-    value: "admin"
-
-  - name: ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: zitadel-masterkey
-        key: admin-password
-
-  - name: ZITADEL_DATABASE_COCKROACH_USER_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: cockroach-auth
-        key: user-password
-
-  - name: ZITADEL_DATABASE_COCKROACH_ADMIN_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: cockroach-auth
-        key: cockroach-password

kustomization.yaml

@@ -4,8 +4,8 @@ namespace: argocd
 
 resources:
   - ./deployment/cert-issuer.yaml
+  - ./deployment/server-transport.yaml
   - ./deployment/project-argo.yaml
-  - ./deployment/auth-service-argo.yaml
   - ./deployment/memgraph-argo.yaml
+  - ./deployment/auth-service-argo.yaml
   - ./deployment/backend-argo.yaml
-  - ./deployment/zitadel-argo.yaml