mirror of
https://github.com/vcscsvcscs/GenerationsHeritage.git
synced 2025-08-13 06:19:05 +02:00
114 lines
3.3 KiB
YAML
114 lines
3.3 KiB
YAML
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: zitadel-cert-creator
|
|
annotations:
|
|
argocd.argoproj.io/hook: Sync
|
|
argocd.argoproj.io/sync-wave: "2"
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: secret-creator
|
|
rules:
|
|
- apiGroups: [ "" ]
|
|
resources: [ "secrets" ]
|
|
verbs: [ "create" ]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: zitadel-cert-creator
|
|
annotations:
|
|
argocd.argoproj.io/hook: Sync
|
|
argocd.argoproj.io/sync-wave: "2"
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: zitadel-cert-creator
|
|
roleRef:
|
|
kind: Role
|
|
name: secret-creator
|
|
apiGroup: rbac.authorization.k8s.io
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: create-zitadel-cert
|
|
annotations:
|
|
argocd.argoproj.io/hook: Sync
|
|
argocd.argoproj.io/sync-wave: "2"
|
|
spec:
|
|
template:
|
|
spec:
|
|
restartPolicy: OnFailure
|
|
serviceAccountName: zitadel-cert-creator
|
|
containers:
|
|
- command:
|
|
- /bin/bash
|
|
- -ecx
|
|
- |
|
|
cockroach cert create-client \
|
|
--certs-dir /cockroach/cockroach-certs \
|
|
--ca-key /cockroach/cockroach-certs/ca.key \
|
|
--lifetime 8760h \
|
|
zitadel
|
|
export SECRET=$(cat <<EOF
|
|
{
|
|
"apiVersion": "v1",
|
|
"kind": "Secret",
|
|
"data": {
|
|
"ca.crt": "$(base64 /cockroach/cockroach-certs/ca.crt --wrap 0)",
|
|
"tls.crt": "$(base64 /cockroach/cockroach-certs/client.zitadel.crt --wrap 0)",
|
|
"tls.key": "$(base64 /cockroach/cockroach-certs/client.zitadel.key --wrap 0)"
|
|
},
|
|
"metadata": {
|
|
"name": "db-cockroachdb-zitadel-secret"
|
|
},
|
|
"type": "kubernetes.io/tls"
|
|
}
|
|
EOF
|
|
)
|
|
export APISERVER=https://kubernetes.default.svc SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
|
|
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) TOKEN=$(cat ${SERVICEACCOUNT}/token) CACERT=${SERVICEACCOUNT}/ca.crt
|
|
curl \
|
|
--cacert ${CACERT} \
|
|
--header "Authorization: Bearer ${TOKEN}" \
|
|
--header "Content-Type: application/json" \
|
|
-X POST ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets \
|
|
--data "$(echo -n $SECRET | tr -d '\n')"
|
|
image: cockroachdb/cockroach:v23.1.8
|
|
imagePullPolicy: IfNotPresent
|
|
name: create-zitadel-cert
|
|
volumeMounts:
|
|
- mountPath: /cockroach/cockroach-certs/
|
|
name: certs
|
|
initContainers:
|
|
- command:
|
|
- /bin/sh
|
|
- -c
|
|
- cp -f /certs/* /cockroach-certs/; chmod 0400 /cockroach-certs/*.key
|
|
image: busybox
|
|
imagePullPolicy: IfNotPresent
|
|
name: copy-certs
|
|
volumeMounts:
|
|
- mountPath: /cockroach-certs/
|
|
name: certs
|
|
- mountPath: /certs/
|
|
name: certs-secret
|
|
volumes:
|
|
- emptyDir: {}
|
|
name: certs
|
|
- name: certs-secret
|
|
projected:
|
|
defaultMode: 420
|
|
sources:
|
|
- secret:
|
|
items:
|
|
- key: ca.crt
|
|
mode: 256
|
|
path: ca.crt
|
|
- key: ca.key
|
|
mode: 256
|
|
path: ca.key
|
|
name: db-cockroachdb-ca-secret
|