From c846f5d92e7ac33c336da521b5501a553133ce09 Mon Sep 17 00:00:00 2001 From: Smaine Kahlouch Date: Fri, 8 Nov 2024 17:37:22 +0100 Subject: [PATCH] feat(harbor): configure oidc auth with zitadel --- .github/workflows/ci.yaml | 3 -- README.md | 2 +- dagger.json | 2 +- dagger/go.mod | 34 ++++++------ dagger/go.sum | 52 +++++++++---------- .../configuration/kcl/cnpginstance/kcl.mod | 2 +- .../configuration/kcl/cnpginstance/main.k | 2 +- .../sql-instance-composition.yaml | 2 +- .../sql-instance-definition.yaml | 2 +- .../cert-manager/vault-clusterissuer.yaml | 2 +- security/base/zitadel/certificate.yaml | 1 + security/base/zitadel/gateway.yaml | 2 +- security/base/zitadel/sqlinstance.yaml | 2 +- .../harbor/externalsecret-admin-password.yaml | 1 - ... externalsecret-cnpg-harbor-registry.yaml} | 7 ++- .../externalsecret-valkey-password.yaml | 1 - tooling/base/harbor/helmrelease-harbor.yaml | 5 +- tooling/base/harbor/helmrelease-valkey.yaml | 1 - tooling/base/harbor/httproute.yaml | 1 - tooling/base/harbor/kustomization.yaml | 3 +- tooling/base/harbor/s3-bucket.yaml | 1 - .../base/harbor/serviceaccount-harbor.yaml | 1 - tooling/base/harbor/sqlinstance.yaml | 23 ++++---- 23 files changed, 69 insertions(+), 83 deletions(-) rename tooling/base/harbor/{externalsecret-sqlinstance-password.yaml => externalsecret-cnpg-harbor-registry.yaml} (69%) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index bf432869..31d16dee 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -28,7 +28,6 @@ jobs: verb: call module: github.com/Smana/daggerverse/pre-commit-tf@pre-commit-tf/v0.1.1 args: run --dir "." --tf-binary="tofu" - # cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }} kubernetes-validation: name: Kubernetes validation ☸ 
@@ -44,7 +43,6 @@ jobs: verb: call module: github.com/Smana/daggerverse/kubeconform@kubeconform/v0.1.0 args: validate --manifests "./clusters" --catalog - # cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }} - name: Validate Kubernetes manifests (Kustomize directories) uses: dagger/dagger-for-github@v7 @@ -53,4 +51,3 @@ jobs: verb: call module: github.com/Smana/daggerverse/kubeconform@kubeconform/v0.1.0 args: validate --manifests "." --kustomize --flux --env="cluster_name:foobar,region:eu-west-3,domain_name:example.com" --catalog --crds https://github.com/kubernetes-sigs/gateway-api/tree/main/config/crd/experimental,https://raw.githubusercontent.com/grafana/grafana-operator/master/config/crd/bases/grafana.integreatly.org_grafanadashboards.yaml # These are CRDs that are not supported yet by the datree catalog - # cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }} diff --git a/README.md b/README.md index 4040d2b0..23e62255 100644 --- a/README.md +++ b/README.md @@ -90,7 +90,7 @@ Additionally, I have put a constraint on the resources the controllers can manag The Harbor installation follows best practices for high availability. It leverages recent Crossplane features such as `Composition functions`: - External RDS database -- Redis cluster using the Bitnami Helm chart +- Valkey cluster using the Bitnami Helm chart - Storing artifacts in S3 🏷️ Related blog post: [Going Further with Crossplane: Compositions and Functions](https://blog.ogenki.io/post/crossplane_composition_functions/) diff --git a/dagger.json b/dagger.json index c7430374..0319f887 100644 --- a/dagger.json +++ b/dagger.json @@ -1,6 +1,6 @@ { "name": "cloud-native-ref", - "engineVersion": "v0.13.7", + "engineVersion": "v0.14.0", "sdk": "go", "dependencies": [ { diff --git a/dagger/go.mod b/dagger/go.mod index 55396cf3..f813960b 100644 --- a/dagger/go.mod +++ b/dagger/go.mod 
@@ -7,7 +7,7 @@ toolchain go1.23.2 require github.com/aws/aws-sdk-go v1.55.5 require ( - github.com/99designs/gqlgen v0.17.55 + github.com/99designs/gqlgen v0.17.56 github.com/Khan/genqlient v0.7.0 github.com/cenkalti/backoff/v4 v4.3.0 // indirect github.com/go-logr/logr v1.4.2 // indirect 
@@ -18,23 +18,23 @@ require ( github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect github.com/sosodev/duration v1.3.1 // indirect github.com/vektah/gqlparser/v2 v2.5.19 - go.opentelemetry.io/otel v1.31.0 - go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.7.0 - go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.7.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0 - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.31.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0 - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0 - go.opentelemetry.io/otel/log v0.7.0 - go.opentelemetry.io/otel/metric v1.31.0 - go.opentelemetry.io/otel/sdk v1.31.0 - go.opentelemetry.io/otel/sdk/log v0.7.0 - go.opentelemetry.io/otel/sdk/metric v1.31.0 - go.opentelemetry.io/otel/trace v1.31.0 + go.opentelemetry.io/otel v1.32.0 + go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0 + go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.32.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.32.0 + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.32.0 + go.opentelemetry.io/otel/log v0.8.0 + go.opentelemetry.io/otel/metric v1.32.0 + go.opentelemetry.io/otel/sdk v1.32.0 + go.opentelemetry.io/otel/sdk/log v0.8.0 + go.opentelemetry.io/otel/sdk/metric v1.32.0 + go.opentelemetry.io/otel/trace v1.32.0 go.opentelemetry.io/proto/otlp v1.3.1 - golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c - golang.org/x/net v0.30.0 // indirect + golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f + golang.org/x/net v0.31.0 // indirect 
golang.org/x/sync v0.9.0 golang.org/x/sys v0.27.0 // indirect golang.org/x/text v0.20.0 // indirect diff --git a/dagger/go.sum b/dagger/go.sum index 113eadd0..61978981 100644 --- a/dagger/go.sum +++ b/dagger/go.sum @@ -1,5 +1,5 @@ -github.com/99designs/gqlgen v0.17.55 h1:3vzrNWYyzSZjGDFo68e5j9sSauLxfKvLp+6ioRokVtM= -github.com/99designs/gqlgen v0.17.55/go.mod h1:3Bq768f8hgVPGZxL8aY9MaYmbxa6llPM/qu1IGH1EJo= +github.com/99designs/gqlgen v0.17.56 h1:+J42ARAHvnysH6klO9Wq+tCsGF32cpAgU3SyF0VRJtI= +github.com/99designs/gqlgen v0.17.56/go.mod h1:rmB6vLvtL8uf9F9w0/irJ5alBkD8DJvj35ET31BKbtY= github.com/Khan/genqlient v0.7.0 h1:GZ1meyRnzcDTK48EjqB8t3bcfYvHArCUUvgOwpz1D4w= github.com/Khan/genqlient v0.7.0/go.mod h1:HNyy3wZvuYwmW3Y7mkoQLZsa/R5n5yIRajS1kPBvSFM= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ= 
@@ -43,42 +43,42 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/vektah/gqlparser/v2 v2.5.19 h1:bhCPCX1D4WWzCDvkPl4+TP1N8/kLrWnp43egplt7iSg= github.com/vektah/gqlparser/v2 v2.5.19/go.mod h1:y7kvl5bBlDeuWIvLtA9849ncyvx6/lj06RsMrEjVy3U= -go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY= -go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE= +go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U= +go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.0.0-20240518090000-14441aefdf88 h1:oM0GTNKGlc5qHctWeIGTVyda4iFFalOzMZ3Ehj5rwB4= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.0.0-20240518090000-14441aefdf88/go.mod h1:JGG8ebaMO5nXOPnvKEl+DiA4MGwFjCbjsxT1WHIEBPY= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.3.0 h1:ccBrA8nCY5mM0y5uO7FT0ze4S0TuFcWdDB2FxGMTjkI= go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.3.0/go.mod h1:/9pb6634zi2Lk8LYg9Q0X8Ar6jka4dkFOylBLbVQPCE= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0 h1:FZ6ei8GFW7kyPYdxJaV2rgI6M+4tvZzhYsQ2wgyVC08= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0/go.mod h1:MdEu/mC6j3D+tTEfvI15b5Ci2Fn7NneJ71YMoiS3tpI= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0 h1:ZsXq73BERAiNuuFXYqP4MR5hBrjXfMGSO+Cx7qoOZiM= -go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0/go.mod h1:hg1zaDMpyZJuUzjFxFsRYBoccE86tM9Uf4IqNMUxvrY= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.31.0 h1:K0XaT3DwHAcV4nKLzcQvwAgSyisUghWoY20I7huthMk= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.31.0/go.mod h1:B5Ki776z/MBnVha1Nzwp5arlzBbE3+1jk+pGmaP5HME= 
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0 h1:FFeLy03iVTXP6ffeN2iXrxfGsZGCjVx0/4KlizjyBwU= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0/go.mod h1:TMu73/k1CP8nBUpDLc71Wj/Kf7ZS9FK5b53VapRsP9o= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0 h1:lUsI2TYsQw2r1IASwoROaCnjdj2cvC2+Jbxvk6nHnWU= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0/go.mod h1:2HpZxxQurfGxJlJDblybejHB6RX6pmExPNe517hREw4= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 h1:j7ZSD+5yn+lo3sGV69nW04rRR0jhYnBwjuX3r0HvnK0= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0/go.mod h1:WXbYJTUaZXAbYd8lbgGuvih0yuCfOFC5RJoYnoLcGz8= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 h1:t/Qur3vKSkUCcDVaSumWF2PKHt85pc7fRvFuoVT8qFU= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0/go.mod h1:Rl61tySSdcOJWoEgYZVtmnKdA0GeKrSqkHC1t+91CH8= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.32.0 h1:IJFEoHiytixx8cMiVAO+GmHR6Frwu+u5Ur8njpFO6Ac= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.32.0/go.mod h1:3rHrKNtLIoS0oZwkY2vxi+oJcwFRWdtUyRII+so45p8= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.32.0 h1:9kV11HXBHZAvuPUZxmMWrH8hZn/6UnHX4K0mu36vNsU= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.32.0/go.mod h1:JyA0FHXe22E1NeNiHmVp7kFHglnexDQ7uRWDiiJ1hKQ= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.32.0 h1:cMyu9O88joYEaI47CnQkxO1XZdpoTF9fEnW2duIddhw= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.32.0/go.mod h1:6Am3rn7P9TVVeXYG+wtcGE7IE1tsQ+bP3AuWcKt/gOI= go.opentelemetry.io/otel/log v0.3.0 h1:kJRFkpUFYtny37NQzL386WbznUByZx186DpEMKhEGZs= go.opentelemetry.io/otel/log v0.3.0/go.mod h1:ziCwqZr9soYDwGNbIL+6kAvQC+ANvjgG367HVcyR/ys= -go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE= 
-go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY= -go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk= -go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0= +go.opentelemetry.io/otel/metric v1.32.0 h1:xV2umtmNcThh2/a/aCP+h64Xx5wsj8qqnkYZktzNa0M= +go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8= +go.opentelemetry.io/otel/sdk v1.32.0 h1:RNxepc9vK59A8XsgZQouW8ue8Gkb4jpWtJm9ge5lEG4= +go.opentelemetry.io/otel/sdk v1.32.0/go.mod h1:LqgegDBjKMmb2GC6/PrTnteJG39I8/vJCAP9LlJXEjU= go.opentelemetry.io/otel/sdk/log v0.3.0 h1:GEjJ8iftz2l+XO1GF2856r7yYVh74URiF9JMcAacr5U= go.opentelemetry.io/otel/sdk/log v0.3.0/go.mod h1:BwCxtmux6ACLuys1wlbc0+vGBd+xytjmjajwqqIul2g= -go.opentelemetry.io/otel/sdk/metric v1.31.0 h1:i9hxxLJF/9kkvfHppyLL55aW7iIJz4JjxTeYusH7zMc= -go.opentelemetry.io/otel/sdk/metric v1.31.0/go.mod h1:CRInTMVvNhUKgSAMbKyTMxqOBC0zgyxzW55lZzX43Y8= -go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys= -go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A= +go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiyYCU9snn1CU= +go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ= +go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM= +go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= -golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c 
h1:7dEasQXItcW1xKJ2+gg5VOiBnqWrJc+rq0DPKyvvdbY= -golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8= -golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= -golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= +golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f h1:XdNn9LlyWAhLVp6P/i8QYBW+hlyhrhei9uErw2B5GJo= +golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f/go.mod h1:D5SMRVC3C2/4+F/DB1wZsLRnSNimn2Sp/NPsCrsv8ak= +golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= +golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ= golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= diff --git a/infrastructure/base/crossplane/configuration/kcl/cnpginstance/kcl.mod b/infrastructure/base/crossplane/configuration/kcl/cnpginstance/kcl.mod index 1f4a99c4..3f66ad6c 100644 --- a/infrastructure/base/crossplane/configuration/kcl/cnpginstance/kcl.mod +++ b/infrastructure/base/crossplane/configuration/kcl/cnpginstance/kcl.mod @@ -1,4 +1,4 @@ [package] name = "cnpginstance" edition = "v0.10.7" -version = "0.0.27" +version = "0.0.28" diff --git a/infrastructure/base/crossplane/configuration/kcl/cnpginstance/main.k b/infrastructure/base/crossplane/configuration/kcl/cnpginstance/main.k index b7d2ecc3..61214f7f 100644 --- a/infrastructure/base/crossplane/configuration/kcl/cnpginstance/main.k +++ b/infrastructure/base/crossplane/configuration/kcl/cnpginstance/main.k 
@@ -73,7 +73,7 @@ if oxr.spec.cnpg: primaryUpdateStrategy = oxr.spec.cnpg.primaryUpdateStrategy if oxr.spec.cnpg?.createSuperuser: enableSuperuserAccess = True - if oxr.spec.cnpg?.initSQL or oxr.spec.cnpg?.databases or oxr.spec.cnpg?.objectStoreRecovery: + if oxr.spec.cnpg?.initSQL or oxr.spec.databases or oxr.spec.cnpg?.objectStoreRecovery: bootstrap = { if oxr.spec.cnpg.objectStoreRecovery: recovery: { diff --git a/infrastructure/base/crossplane/configuration/sql-instance-composition.yaml b/infrastructure/base/crossplane/configuration/sql-instance-composition.yaml index 08fb9b0d..d094a544 100644 --- a/infrastructure/base/crossplane/configuration/sql-instance-composition.yaml +++ b/infrastructure/base/crossplane/configuration/sql-instance-composition.yaml @@ -51,7 +51,7 @@ spec: kind: KCLRun spec: target: Resources - source: oci://ttl.sh/ogenki-cnref/cnpginstance:v0.0.27-24h + source: oci://ttl.sh/ogenki-cnref/cnpginstance:v0.0.28-24h - step: ready functionRef: diff --git a/infrastructure/base/crossplane/configuration/sql-instance-definition.yaml b/infrastructure/base/crossplane/configuration/sql-instance-definition.yaml index d12a1573..c9a898a5 100644 --- a/infrastructure/base/crossplane/configuration/sql-instance-definition.yaml +++ b/infrastructure/base/crossplane/configuration/sql-instance-definition.yaml @@ -114,7 +114,7 @@ spec: createSuperuser: description: Create a superuser for the Postgres cluster. type: boolean - default: true + default: false objectStoreRecovery: type: object properties: diff --git a/security/base/cert-manager/vault-clusterissuer.yaml b/security/base/cert-manager/vault-clusterissuer.yaml index c1b91c55..2cfc2829 100644 --- a/security/base/cert-manager/vault-clusterissuer.yaml +++ b/security/base/cert-manager/vault-clusterissuer.yaml 
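Review bot: The `+ source: oci://ttl.sh/ogenki-cnref/cnpginstance:v0.0.28-24h` line has Crossplane fetch the KCL module that renders every SQLInstance from ttl.sh, an anonymous public registry where any client can push to any repository name and where the `-24h` tag suffix makes the artifact expire a day after the push; the reference is a mutable tag with no digest, so neither the provenance nor the integrity of the code the function executes is checked. That means a reconcile after the TTL fails, and a third party who pushes the same name first can substitute their own module for the whole database-provisioning path. For anything beyond a throwaway test, publish to a registry you control and pin by digest, e.g. `source: oci://<your-registry>/ogenki-cnref/cnpginstance:v0.0.28@sha256:<digest>`; if ttl.sh is deliberate for this demo repo, a comment saying so above `source:` would spare the next reader the alarm.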
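Review bot: Flipping the `createSuperuser` default to `false` is the right hardening, but the field's `description` still reads only "Create a superuser for the Postgres cluster." and does not say that the default changed, so a claim that relied on the old implicit `true` will lose superuser access on its next reconcile without any hint in the schema. The visible KCL maps this flag to `enableSuperuserAccess`, so say so and state the default: `description: Enable superuser (postgres) access on the CNPG cluster (sets enableSuperuserAccess). Defaults to false; set true explicitly for clusters that need it.`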
@@ -11,7 +11,7 @@ spec:
     auth:
       appRole:
         path: approle
-        roleId: 1cbd33c7-b022-408e-fe4a-c7c55dc80e76 # !! This value changes each time I recreate the whole platform
+        roleId: cbfb2f59-f08f-fee6-e364-be12ff4b4a9f # !! This value changes each time I recreate the whole platform
         secretRef:
           name: cert-manager-vault-approle
           key: secret_id
diff --git a/security/base/zitadel/certificate.yaml b/security/base/zitadel/certificate.yaml
index 0e18e0ff..cd6ffe90 100644
--- a/security/base/zitadel/certificate.yaml
+++ b/security/base/zitadel/certificate.yaml
@@ -9,6 +9,7 @@ spec:
   commonName: zitadel.priv.${domain_name}
   dnsNames:
     - zitadel.priv.${domain_name}
+    - sso.priv.${domain_name}
   issuerRef:
     name: vault
     kind: ClusterIssuer
diff --git a/security/base/zitadel/gateway.yaml b/security/base/zitadel/gateway.yaml
index b05b0292..edcaa710 100644
--- a/security/base/zitadel/gateway.yaml
+++ b/security/base/zitadel/gateway.yaml
@@ -10,7 +10,7 @@ spec:
       service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
       service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
       service.beta.kubernetes.io/aws-load-balancer-type: "external"
-      external-dns.alpha.kubernetes.io/hostname: "zitadel.priv.${domain_name}"
+      external-dns.alpha.kubernetes.io/hostname: "zitadel.priv.${domain_name},sso.priv.${domain_name}"
   listeners:
     - name: http
       hostname: "*.priv.${domain_name}"
diff --git a/security/base/zitadel/sqlinstance.yaml b/security/base/zitadel/sqlinstance.yaml
index 5d47b52d..bc550910 100644
--- a/security/base/zitadel/sqlinstance.yaml
+++ b/security/base/zitadel/sqlinstance.yaml
@@ -10,7 +10,7 @@ spec:
     createSuperuser: true
     objectStoreRecovery:
       bucketName: "eu-west-3-ogenki-cnpg-backups"
-      path: "zitadel-basebackup-20241106"
+      path: "zitadel-20241109"
     backup:
       schedule: "0 0 * * *"
       bucketName: "eu-west-3-ogenki-cnpg-backups"
diff --git a/tooling/base/harbor/externalsecret-admin-password.yaml b/tooling/base/harbor/externalsecret-admin-password.yaml
index 55a97b00..d6f77a62 100644
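Review bot: The new `+ roleId:` line hard-codes a value that its own trailing comment says changes on every platform rebuild, so certificate issuance stays broken after each rebuild until someone hand-edits Git, and the history now carries a trail of stale AppRole identifiers next to the `secretRef` for the secret_id. A Vault AppRole role_id is not itself a secret, so this is drift and operability rather than a leak, but the repo already uses Flux post-build substitution (`${domain_name}` in the neighbouring Zitadel files), and the same mechanism removes the manual step: `roleId: ${cert_manager_vault_role_id}` sourced from a ConfigMap written during Vault bootstrap. As far as I recall cert-manager's appRole auth only takes `roleId` as a plain string, which is why substitution rather than a second secretRef is the fix here.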
--- a/tooling/base/harbor/externalsecret-admin-password.yaml
+++ b/tooling/base/harbor/externalsecret-admin-password.yaml
@@ -2,7 +2,6 @@ apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: admin-password
-  namespace: tooling
 spec:
   dataFrom:
     - extract:
diff --git a/tooling/base/harbor/externalsecret-sqlinstance-password.yaml b/tooling/base/harbor/externalsecret-cnpg-harbor-registry.yaml
similarity index 69%
rename from tooling/base/harbor/externalsecret-sqlinstance-password.yaml
rename to tooling/base/harbor/externalsecret-cnpg-harbor-registry.yaml
index 9a82129f..babb15c4 100644
--- a/tooling/base/harbor/externalsecret-sqlinstance-password.yaml
+++ b/tooling/base/harbor/externalsecret-cnpg-harbor-registry.yaml
@@ -1,13 +1,12 @@
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: sqlinstance-password
-  namespace: tooling
+  name: xplane-harbor-cnpg-registry
 spec:
   dataFrom:
     - extract:
         conversionStrategy: Default
-        key: harbor/sqlinstance/masterpassword
+        key: cnpg/xplane-harbor/registry
   refreshInterval: 20m
   secretStoreRef:
     kind: ClusterSecretStore
@@ -15,4 +14,4 @@ spec:
   target:
     creationPolicy: Owner
     deletionPolicy: Retain
-    name: harbor-pg-masterpassword
+    name: xplane-harbor-cnpg-registry
diff --git a/tooling/base/harbor/externalsecret-valkey-password.yaml b/tooling/base/harbor/externalsecret-valkey-password.yaml
index 846aed49..e8ba44dd 100644
--- a/tooling/base/harbor/externalsecret-valkey-password.yaml
+++ b/tooling/base/harbor/externalsecret-valkey-password.yaml
@@ -2,7 +2,6 @@ apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: harbor-valkey-password
-  namespace: tooling
 spec:
   dataFrom:
     - extract:
diff --git a/tooling/base/harbor/helmrelease-harbor.yaml b/tooling/base/harbor/helmrelease-harbor.yaml
index 5633fedc..3bffd8cb 100644
--- a/tooling/base/harbor/helmrelease-harbor.yaml
+++ b/tooling/base/harbor/helmrelease-harbor.yaml
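Review bot: The renamed ExternalSecret keeps `dataFrom`/`extract`, so the keys of the resulting `xplane-harbor-cnpg-registry` Secret are whatever the Vault entry `cnpg/xplane-harbor/registry` happens to contain, while the Harbor chart (per its values documentation) reads the database password from the `password` key of `database.external.existingSecret`; nothing in this diff shows that key existing, nor that the CNPG cluster's `harbor` role is created with the same credential rather than CNPG's own generated one. Both are worth confirming, and an explicit mapping makes a mismatch fail at sync time instead of at Harbor start: `data: - secretKey: password remoteRef: {key: cnpg/xplane-harbor/registry, property: password}`. With `creationPolicy: Owner` and `deletionPolicy: Retain` the Secret survives deletion of the ExternalSecret, which is the right call for a database credential, though a one-line comment on `deletionPolicy` saying so would help the next reader.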
@@ -2,7 +2,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: harbor - namespace: tooling spec: releaseName: harbor driftDetection: @@ -68,11 +67,11 @@ spec: database: type: external external: - host: "xplane-harbor-rds-service" + host: "xplane-harbor-cnpg-cluster-rw" port: "5432" username: "harbor" coreDatabase: "registry" - existingSecret: "xplane-harbor-owner-harbor" + existingSecret: "xplane-harbor-cnpg-registry" sslmode: "require" redis: diff --git a/tooling/base/harbor/helmrelease-valkey.yaml b/tooling/base/harbor/helmrelease-valkey.yaml index 9af7eb63..705cd91c 100644 --- a/tooling/base/harbor/helmrelease-valkey.yaml +++ b/tooling/base/harbor/helmrelease-valkey.yaml @@ -2,7 +2,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: harbor-valkey - namespace: tooling spec: releaseName: harbor-valkey driftDetection: diff --git a/tooling/base/harbor/httproute.yaml b/tooling/base/harbor/httproute.yaml index ef24e5a3..c9485357 100644 --- a/tooling/base/harbor/httproute.yaml +++ b/tooling/base/harbor/httproute.yaml @@ -2,7 +2,6 @@ apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: harbor - namespace: tooling spec: parentRefs: - name: platform-private diff --git a/tooling/base/harbor/kustomization.yaml b/tooling/base/harbor/kustomization.yaml index 6b20498d..825ad24d 100644 --- a/tooling/base/harbor/kustomization.yaml +++ b/tooling/base/harbor/kustomization.yaml @@ -1,9 +1,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: tooling resources: - externalsecret-admin-password.yaml - - externalsecret-sqlinstance-password.yaml + - externalsecret-cnpg-harbor-registry.yaml - externalsecret-valkey-password.yaml - helmrelease-harbor.yaml - serviceaccount-harbor.yaml diff --git a/tooling/base/harbor/s3-bucket.yaml b/tooling/base/harbor/s3-bucket.yaml index 01bc78fe..bf844d07 100644 --- a/tooling/base/harbor/s3-bucket.yaml +++ b/tooling/base/harbor/s3-bucket.yaml 
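Review bot: The new `host: "xplane-harbor-cnpg-cluster-rw"` is paired with the unchanged `sslmode: "require"`, which encrypts the session but never verifies the server certificate, so anything able to answer for that in-cluster Service name can terminate TLS and collect the `harbor` credentials. This was equally true against RDS, but CNPG makes closing it cheap because it publishes the cluster CA in a Secret (typically `<cluster>-ca`): if the Harbor chart lets you mount that CA into the core and jobservice pods, switch to `sslmode: "verify-full"`; if it does not, a comment such as `sslmode: "require"  # server cert not verified: chart has no CA mount, accepted for in-cluster traffic` records the decision. The `host` value also bakes in the composition's naming scheme (`<claim>-cnpg-cluster-rw`), so a rename in the KCL module silently breaks Harbor; a comment pointing at the composition that emits this Service name would make the coupling visible.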
@@ -2,7 +2,6 @@ apiVersion: s3.aws.upbound.io/v1beta1
 kind: Bucket
 metadata:
   name: harbor
-  namespace: tooling
   annotations:
     crossplane.io/external-name: ${region}-ogenki-harbor
 spec:
diff --git a/tooling/base/harbor/serviceaccount-harbor.yaml b/tooling/base/harbor/serviceaccount-harbor.yaml
index 686fda6c..1703a829 100644
--- a/tooling/base/harbor/serviceaccount-harbor.yaml
+++ b/tooling/base/harbor/serviceaccount-harbor.yaml
@@ -2,4 +2,3 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: harbor
-  namespace: tooling
diff --git a/tooling/base/harbor/sqlinstance.yaml b/tooling/base/harbor/sqlinstance.yaml
index 24b8c459..188b1af1 100644
--- a/tooling/base/harbor/sqlinstance.yaml
+++ b/tooling/base/harbor/sqlinstance.yaml
@@ -2,21 +2,16 @@ apiVersion: cloud.ogenki.io/v1alpha1
 kind: SQLInstance
 metadata:
   name: xplane-harbor
-  namespace: tooling
 spec:
-  databases:
-    - owner: harbor
-      name: registry
-  size: small
+  size: "small"
   storageGB: 20
-  rds:
-    engine: postgres
-    engineVersion: "16"
-    passwordSecretRef:
-      namespace: tooling
-      name: harbor-pg-masterpassword
-      key: password
+  cnpg:
+    instances: 1
+    objectStoreRecovery:
+      bucketName: "eu-west-3-ogenki-cnpg-backups"
+      path: "harbor-20241109"
+    backup:
+      schedule: "0 1 * * *"
+      bucketName: "eu-west-3-ogenki-cnpg-backups"
   compositionRef:
     name: xsqlinstances.cloud.ogenki.io
-  writeConnectionSecretToRef:
-    name: xplane-harbor-rds
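Review bot: `instances: 1` gives the Harbor registry database a single Postgres pod, so a node drain or eviction takes the registry offline with no replica for CNPG to promote, which sits oddly next to the README's claim that the Harbor setup follows high-availability practice. If this is a deliberate cost trade-off, record it inline, `instances: 1  # single instance: no failover, rely on scheduled backups`; otherwise `instances: 3` is the usual CNPG HA shape. Separately, the claim drops `databases:` and relies on `objectStoreRecovery.path: "harbor-20241109"`, so as far as the visible KCL shows the `registry` database and `harbor` role now exist only if they are in that base backup; a fresh environment without it bootstraps an empty cluster Harbor cannot log in to, which deserves a comment next to `objectStoreRecovery` stating the dependency.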