feat(zitadel): first deployment

Smana · Sep 17, 2024 · 3e944c5 · 3e944c5
1 parent 0b9ab4b
commit 3e944c5
Show file tree

Hide file tree

Showing 14 changed files with 232 additions and 2 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -52,5 +52,5 @@ jobs:
           version: "latest"
           verb: call
           module: github.com/Smana/daggerverse/kubeconform@kubeconform/v0.1.0
-          args: validate --manifests "." --kustomize --flux --env="cluster_name:foobar,region:eu-west-3,domain_name:example.com" --catalog --crds https://github.com/kubernetes-sigs/gateway-api/tree/main/config/crd/experimental,https://raw.githubusercontent.com/grafana/grafana-operator/master/config/crd/bases/grafana.integreatly.org_grafanadashboards.yaml  # These are CRDs that are not supported yet by the datree catalog
+          args: validate --manifests "." --kustomize --flux --env="cluster_name:foobar,region:eu-west-3,domain_name:example.com,vpc_cidr_block:10.0.0.0/8" --catalog --crds https://github.com/kubernetes-sigs/gateway-api/tree/main/config/crd/experimental,https://raw.githubusercontent.com/grafana/grafana-operator/master/config/crd/bases/grafana.integreatly.org_grafanadashboards.yaml  # These are CRDs that are not supported yet by the datree catalog
           # cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
diff --git a/security/base/cert-manager/vault-clusterissuer.yaml b/security/base/cert-manager/vault-clusterissuer.yaml
@@ -11,7 +11,7 @@ spec:
     auth:
       appRole:
         path: approle
-        roleId: 327586f1-a4f1-ee9f-5b58-3636dcb19664 # !! This value changes each time I recreate the whole platform
+        roleId: dcf37ef0-1810-dfc6-0634-8232003cde5b # !! This value changes each time I recreate the whole platform
         secretRef:
           name: cert-manager-vault-approle
           key: secret_id
diff --git a/security/base/zitadel/certificate.yaml b/security/base/zitadel/certificate.yaml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: zitadel
+spec:
+  secretName: zitadel-certificate
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  commonName: zitadel.priv.${domain_name}
+  dnsNames:
+    - zitadel.priv.${domain_name}
+  issuerRef:
+    name: vault
+    kind: ClusterIssuer
+    group: cert-manager.io
diff --git a/security/base/zitadel/externalsecret-sqlinstance-masterpassword.yaml b/security/base/zitadel/externalsecret-sqlinstance-masterpassword.yaml
@@ -0,0 +1,20 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: zitadel-sqlinstance-masterpassword
+spec:
+  data:
+    - secretKey: ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD
+      remoteRef:
+        key: zitadel/envvars
+  refreshInterval: 20m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: clustersecretstore
+  target:
+    template:
+      data:
+        password: "{{ .ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD }}"
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: zitadel-pg-masterpassword
diff --git a/security/base/zitadel/externalsecret-zitadel-envvars.yaml b/security/base/zitadel/externalsecret-zitadel-envvars.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: zitadel-envvars
+  namespace: tooling
+spec:
+  dataFrom:
+    - extract:
+        conversionStrategy: Default
+        key: zitadel/envvars
+  refreshInterval: 20m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: clustersecretstore
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: zitadel-envvars
diff --git a/security/base/zitadel/gateway.yaml b/security/base/zitadel/gateway.yaml
@@ -0,0 +1,23 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: zitadel
+spec:
+  gatewayClassName: cilium
+  infrastructure:
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-name: "ogenki-zitadel-gateway"
+      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
+      service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
+      service.beta.kubernetes.io/aws-load-balancer-type: "external"
+      external-dns.alpha.kubernetes.io/hostname: "zitadel.priv.${domain_name}"
+  listeners:
+    - name: http
+      hostname: "*.priv.${domain_name}"
+      port: 443
+      protocol: TLS
+      allowedRoutes:
+        namespaces:
+          from: Same
+      tls:
+        mode: Passthrough
diff --git a/security/base/zitadel/helmrelease.yaml b/security/base/zitadel/helmrelease.yaml
@@ -0,0 +1,53 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: zitadel
+spec:
+  interval: 30m
+  driftDetection:
+    mode: enabled
+  chart:
+    spec:
+      chart: zitadel
+      version: "8.5.0" # Not available yet
+      sourceRef:
+        kind: HelmRepository
+        name: zitadel
+      interval: 12h
+  values:
+    zitadel:
+      # reference: https://zitadel.com/docs/self-hosting/manage/configure
+      masterkey: ApnB2MUlRa63KRIE0iT1WlM4ZNZOvZF6
+      configmapConfig:
+        Log:
+          Formatter:
+            Format: json
+        ExternalPort: 443
+        ExternalSecure: true
+        ExternalDomain: "zitadel.priv.${domain_name}"
+        TLS:
+          Enabled: true
+          KeyPath: /tls/tls.key
+          CertPath: /tls/tls.crt
+        Database:
+          Postgres:
+            Host: sqlinstance-xplane-zitadel
+            Port: 5432
+            Database: zitadel
+            MaxOpenConns: 20
+            MaxIdleConns: 10
+            MaxConnLifetime: 30m
+            MaxConnIdleTime: 5m
+
+    envVarsSecret: zitadel-envvars
+
+    # Mount certificate generated by cert-manager
+    extraVolumes:
+      - name: zitadel-certificate
+        secret:
+          defaultMode: 420
+          secretName: zitadel-certificate
+    extraVolumeMounts:
+      - name: zitadel-certificate
+        mountPath: /tls
+        readOnly: true
diff --git a/security/base/zitadel/kustomization.yaml b/security/base/zitadel/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: security
+resources:
+  - externalsecret-sqlinstance-masterpassword.yaml
+  - externalsecret-zitadel-envvars.yaml
+  - certificate.yaml
+  - gateway.yaml
+  - helmrelease.yaml
+  - network-policy.yaml
+  - source.yaml
+  - sqlinstance.yaml
+  - tlsroute.yaml
diff --git a/security/base/zitadel/network-policy.yaml b/security/base/zitadel/network-policy.yaml
@@ -0,0 +1,37 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: zitadel
+spec:
+  description: "Allow internal traffic to the Zitadel service."
+  endpointSelector:
+    matchLabels:
+      k8s:app.kubernetes.io/name: zitadel
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            k8s:io.kubernetes.pod.namespace: kube-system
+            k8s:k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+            - port: "53"
+              protocol: TCP
+    - toEntities:
+        - world
+      toPorts:
+        - ports:
+            - port: "80"
+              protocol: TCP
+            - port: "443"
+              protocol: TCP
+            - port: "5432"
+              protocol: TCP
+  ingress:
+    - fromCIDR:
+        - "${vpc_cidr_block}"
+      toPorts:
+        - ports:
+            - port: "8080"
+              protocol: TCP
diff --git a/security/base/zitadel/source.yaml b/security/base/zitadel/source.yaml
@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: zitadel
+spec:
+  interval: 24h
+  url: https://charts.zitadel.com
diff --git a/security/base/zitadel/sqlinstance.yaml b/security/base/zitadel/sqlinstance.yaml
@@ -0,0 +1,21 @@
+apiVersion: cloud.ogenki.io/v1alpha1
+kind: SQLInstance
+metadata:
+  name: xplane-zitadel
+spec:
+  parameters:
+    engine: postgres
+    engineVersion: "16"
+    size: small
+    storageGB: 20
+    databases:
+      - owner: zitadel
+        name: zitadel
+    passwordSecretRef:
+      namespace: security
+      name: zitadel-pg-masterpassword
+      key: password
+  compositionRef:
+    name: xsqlinstances.cloud.ogenki.io
+  writeConnectionSecretToRef:
+    name: xplane-zitadel-rds
diff --git a/security/base/zitadel/tlsroute.yaml b/security/base/zitadel/tlsroute.yaml
@@ -0,0 +1,13 @@
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TLSRoute
+metadata:
+  name: zitadel
+spec:
+  parentRefs:
+    - name: zitadel
+  hostnames:
+    - "zitadel.priv.${domain_name}"
+  rules:
+    - backendRefs:
+        - name: zitadel
+          port: 8080
diff --git a/security/mycluster-0/kustomization.yaml b/security/mycluster-0/kustomization.yaml
@@ -5,4 +5,5 @@ resources:
   - ../base/kyverno
   - ../base/cert-manager
   - ../base/vault-snapshot
+  - ../base/zitadel
   - external-secrets
diff --git a/tooling/base/headlamp/helmrelease.yaml b/tooling/base/headlamp/helmrelease.yaml
@@ -4,6 +4,8 @@ metadata:
   name: headlamp
 spec:
   interval: 30m
+  driftDetection:
+    mode: enabled
   chart:
     spec:
       chart: headlamp
@@ -27,6 +29,13 @@ spec:
           - name: script
             mountPath: /scripts
 
+    resources:
+      limits:
+        memory: 128Mi
+      requests:
+        cpu: 100m
+        memory: 128Mi
+
     volumeMounts:
       - name: headlamp-plugins
         mountPath: /build/plugins