diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index f6b3735d..5b85d57c 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -52,5 +52,5 @@ jobs:
 version: "latest"
 verb: call
 module: github.com/Smana/daggerverse/kubeconform@kubeconform/v0.1.0
- args: validate --manifests "." --kustomize --flux --env="cluster_name:foobar,region:eu-west-3,domain_name:example.com" --catalog --crds https://github.com/kubernetes-sigs/gateway-api/tree/main/config/crd/experimental,https://raw.githubusercontent.com/grafana/grafana-operator/master/config/crd/bases/grafana.integreatly.org_grafanadashboards.yaml # These are CRDs that are not supported yet by the datree catalog
+ args: validate --manifests "." --kustomize --flux --env="cluster_name:foobar,region:eu-west-3,domain_name:example.com,vpc_cidr_block:10.0.0.0/8" --catalog --crds https://github.com/kubernetes-sigs/gateway-api/tree/main/config/crd/experimental,https://raw.githubusercontent.com/grafana/grafana-operator/master/config/crd/bases/grafana.integreatly.org_grafanadashboards.yaml # These are CRDs that are not supported yet by the datree catalog
 # cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
diff --git a/security/base/cert-manager/vault-clusterissuer.yaml b/security/base/cert-manager/vault-clusterissuer.yaml
index 88b1a83e..e66afa92 100644
--- a/security/base/cert-manager/vault-clusterissuer.yaml
+++ b/security/base/cert-manager/vault-clusterissuer.yaml
@@ -11,7 +11,7 @@ spec:
 auth:
 appRole:
 path: approle
- roleId: 327586f1-a4f1-ee9f-5b58-3636dcb19664 # !! This value changes each time I recreate the whole platform
+ roleId: dcf37ef0-1810-dfc6-0634-8232003cde5b # !! This value changes each time I recreate the whole platform
 secretRef:
 name: cert-manager-vault-approle
 key: secret_id
diff --git a/security/base/zitadel/certificate.yaml b/security/base/zitadel/certificate.yaml
new file mode 100644
index 00000000..0e18e0ff
--- /dev/null
+++ b/security/base/zitadel/certificate.yaml
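Review bot: The new `vpc_cidr_block:10.0.0.0/8` entry in the `--env` list on the `+ args:` line is a validation-only placeholder like the other values, but nothing on the line says so, and the line is now over 400 characters long. A folded block scalar, `args: >-` with one flag per line and the existing CRD comment moved above the key, would make the substitution variables reviewable in a diff. A comment such as `# Dummy values for Flux post-build substitution; must cover every ${var} referenced under security/ and tooling/` would also explain why this list has to grow whenever a manifest introduces a new variable, as `network-policy.yaml` does in this commit.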
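Review bot: The replaced `roleId` on the `+` line is still a hard-coded value that its own trailing comment says changes on every platform rebuild, so this manifest keeps drifting from the live Vault role and every rebuild needs a manual commit. As far as the cert-manager API goes, `roleId` is a literal string (only the secret_id has a `secretRef`), so the practical fix is a Flux substitution variable filled from the bootstrap output, e.g. `roleId: "${vault_approle_role_id}"` (placeholder name), the same mechanism this commit already uses for `${domain_name}`. If the literal must stay, replace the `# !!` comment with one that says where the value comes from and how to refresh it, so the next rebuild does not depend on memory.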
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: zitadel
+spec:
+ secretName: zitadel-certificate
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ commonName: zitadel.priv.${domain_name}
+ dnsNames:
+ - zitadel.priv.${domain_name}
+ issuerRef:
+ name: vault
+ kind: ClusterIssuer
+ group: cert-manager.io
diff --git a/security/base/zitadel/externalsecret-sqlinstance-masterpassword.yaml b/security/base/zitadel/externalsecret-sqlinstance-masterpassword.yaml
new file mode 100644
index 00000000..fb14de4e
--- /dev/null
+++ b/security/base/zitadel/externalsecret-sqlinstance-masterpassword.yaml
@@ -0,0 +1,20 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: zitadel-sqlinstance-password
+spec:
+ data:
+ - secretKey: ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD
+ remoteRef:
+ key: zitadel/envvars
+ refreshInterval: 20m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: clustersecretstore
+ target:
+ template:
+ data:
+ password: "{{ .ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD }}"
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: zitadel-pg-masterpassword
diff --git a/security/base/zitadel/externalsecret-zitadel-envvars.yaml b/security/base/zitadel/externalsecret-zitadel-envvars.yaml
new file mode 100644
index 00000000..fd7ded5b
--- /dev/null
+++ b/security/base/zitadel/externalsecret-zitadel-envvars.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: zitadel-envvars
+ namespace: tooling
+spec:
+ dataFrom:
+ - extract:
+ conversionStrategy: Default
+ key: zitadel/envvars
+ refreshInterval: 20m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: clustersecretstore
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: zitadel-envvars
diff --git a/security/base/zitadel/gateway.yaml b/security/base/zitadel/gateway.yaml
new file mode 100644
index 00000000..b05b0292
--- /dev/null
+++ b/security/base/zitadel/gateway.yaml
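Review bot: The Certificate has no `privateKey` stanza, so key rotation is left to cert-manager's default, which on the releases in common use is `Never` — the same private key is reused at every 90-day renewal of the certificate that fronts the identity provider. Adding `privateKey:` / `  rotationPolicy: Always` under `spec` makes the intent explicit regardless of which default the installed cert-manager applies. Also `commonName` and the `dnsNames` entry are plain scalars while `gateway.yaml` and `tlsroute.yaml` quote the same `${domain_name}` expression; quoting them here too (`commonName: "zitadel.priv.${domain_name}"`) keeps the substitution targets uniform.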
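Review bot: Nothing in this ExternalSecret says who consumes the generated `zitadel-pg-masterpassword` Secret, and the object name `zitadel-sqlinstance-password` differs from the target name, which makes the chain hard to follow. A comment above `target:` such as `# Consumed by sqlinstance.yaml (spec.parameters.databases[].passwordSecretRef); the key must stay 'password'` ties it to the SQLInstance added in this commit. A second line noting that `deletionPolicy: Retain` deliberately leaves the Secret behind when this object is removed would explain the non-default choice.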
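Review bot: `metadata.namespace: tooling` on this ExternalSecret is rewritten by `namespace: security` in the new `kustomization.yaml` (Kustomize's `namespace` field sets the namespace of every namespaced resource it emits), so the line is misleading: the Secret lands in `security`, where the HelmRelease's `envVarsSecret: zitadel-envvars` expects it. Dropping the `namespace: tooling` line, as the sibling `externalsecret-sqlinstance-masterpassword.yaml` does, removes the contradiction. It is also worth a comment above `dataFrom:` that `extract` copies every key under `zitadel/envvars` into the pod environment, including `ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD`, so anyone adding keys to that Vault path knows they become container env vars.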
@@ -0,0 +1,23 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: zitadel
+spec:
+ gatewayClassName: cilium
+ infrastructure:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-name: "ogenki-zitadel-gateway"
+ service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
+ service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
+ service.beta.kubernetes.io/aws-load-balancer-type: "external"
+ external-dns.alpha.kubernetes.io/hostname: "zitadel.priv.${domain_name}"
+ listeners:
+ - name: http
+ hostname: "*.priv.${domain_name}"
+ port: 443
+ protocol: TLS
+ allowedRoutes:
+ namespaces:
+ from: Same
+ tls:
+ mode: Passthrough
diff --git a/security/base/zitadel/helmrelease.yaml b/security/base/zitadel/helmrelease.yaml
new file mode 100644
index 00000000..c900fbc6
--- /dev/null
+++ b/security/base/zitadel/helmrelease.yaml
@@ -0,0 +1,53 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: zitadel
+spec:
+ interval: 30m
+ driftDetection:
+ mode: enabled
+ chart:
+ spec:
+ chart: zitadel
+ version: "8.5.0" # Not available yet
+ sourceRef:
+ kind: HelmRepository
+ name: zitadel
+ interval: 12h
+ values:
+ zitadel:
+ # reference: https://zitadel.com/docs/self-hosting/manage/configure
+ masterkey: ApnB2MUlRa63KRIE0iT1WlM4ZNZOvZF6
+ configmapConfig:
+ Log:
+ Formatter:
+ Format: json
+ ExternalPort: 443
+ ExternalSecure: true
+ ExternalDomain: "zitadel.priv.${domain_name}"
+ TLS:
+ Enabled: true
+ KeyPath: /tls/tls.key
+ CertPath: /tls/tls.crt
+ Database:
+ Postgres:
+ Host: sqlinstance-xplane-zitadel
+ Port: 5432
+ Database: zitadel
+ MaxOpenConns: 20
+ MaxIdleConns: 10
+ MaxConnLifetime: 30m
+ MaxConnIdleTime: 5m
+
+ envVarsSecret: zitadel-envvars
+
+ # Mount certificate generated by cert-manager
+ extraVolumes:
+ - name: zitadel-certificate
+ secret:
+ defaultMode: 420
+ secretName: zitadel-certificate
+ extraVolumeMounts:
+ - name: zitadel-certificate
+ mountPath: /tls
+ readOnly: true
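Review bot: The listener is named `http` but is a `TLS` listener on port 443 with `mode: Passthrough`; naming it `tls` (or `tls-passthrough`) avoids misleading anyone who later adds a `sectionName` to a route. Passthrough means the Gateway never terminates TLS, so certificate presentation and hostname checks happen in Zitadel's own TLS stack, consistent with `TLS.Enabled: true` in `helmrelease.yaml`; a one-line comment above `tls:` saying so would spare the next reader the cross-reference. The listener `hostname: "*.priv.${domain_name}"` is also broader than the TLSRoute's single hostname; if this Gateway is meant only for Zitadel, narrowing it to `"zitadel.priv.${domain_name}"` keeps other `.priv` names from being attachable through this internal NLB.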
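Review bot: `masterkey: ApnB2MUlRa63KRIE0iT1WlM4ZNZOvZF6` commits Zitadel's master encryption key — the key protecting the secrets Zitadel stores in Postgres — in plaintext, even though the rest of this commit already routes secrets through External Secrets. The chart accepts the key from a Secret instead: replace the line with `masterkeySecretName: zitadel-masterkey`, add an ExternalSecret that renders a Secret with a `masterkey` key, and generate a fresh value before this goes live, since the one above is now in git history. Separately, `version: "8.5.0" # Not available yet` pins a chart version the comment itself says is unpublished, so the HelmRelease cannot reconcile until it appears; pinning the latest released version with a TODO keeps the kustomization deployable.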
diff --git a/security/base/zitadel/kustomization.yaml b/security/base/zitadel/kustomization.yaml
new file mode 100644
index 00000000..4a49c7d6
--- /dev/null
+++ b/security/base/zitadel/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: security
+resources:
+ - externalsecret-sqlinstance-masterpassword.yaml
+ - externalsecret-zitadel-envvars.yaml
+ - certificate.yaml
+ - gateway.yaml
+ - helmrelease.yaml
+ - network-policy.yaml
+ - source.yaml
+ - sqlinstance.yaml
+ - tlsroute.yaml
diff --git a/security/base/zitadel/network-policy.yaml b/security/base/zitadel/network-policy.yaml
new file mode 100644
index 00000000..1f04cf12
--- /dev/null
+++ b/security/base/zitadel/network-policy.yaml
@@ -0,0 +1,37 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: zitadel
+spec:
+ description: "Allow internal traffic to the Zitadel service."
+ endpointSelector:
+ matchLabels:
+ k8s:app.kubernetes.io/name: zitadel
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s:k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
+ - toEntities:
+ - world
+ toPorts:
+ - ports:
+ - port: "80"
+ protocol: TCP
+ - port: "443"
+ protocol: TCP
+ - port: "5432"
+ protocol: TCP
+ ingress:
+ - fromCIDR:
+ - "${vpc_cidr_block}"
+ toPorts:
+ - ports:
+ - port: "8080"
+ protocol: TCP
diff --git a/security/base/zitadel/source.yaml b/security/base/zitadel/source.yaml
new file mode 100644
index 00000000..76d49107
--- /dev/null
+++ b/security/base/zitadel/source.yaml
@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: zitadel
+spec:
+ interval: 24h
+ url: https://charts.zitadel.com
diff --git a/security/base/zitadel/sqlinstance.yaml b/security/base/zitadel/sqlinstance.yaml
new file mode 100644
index 00000000..fb07895b
--- /dev/null
+++ b/security/base/zitadel/sqlinstance.yaml
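Review bot: The egress rule `toEntities: - world` opens TCP 5432 to any destination outside the cluster, while the only Postgres this workload needs is the RDS instance created by `sqlinstance.yaml`, which should resolve inside the VPC. A separate egress entry with `toCIDR: - "${vpc_cidr_block}"` restricted to port 5432 (the variable is already used by the ingress rule below) keeps database egress in the VPC, and the `world` rule can then carry only 80/443 for Zitadel's outbound HTTP. The ingress rule admits TCP 8080 from the whole VPC CIDR; presumably because the Cilium gateway proxy connects from node addresses, but a comment above `fromCIDR:` stating that reason would save the next reader from loosening or tightening it blindly.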
@@ -0,0 +1,21 @@
+apiVersion: cloud.ogenki.io/v1alpha1
+kind: SQLInstance
+metadata:
+ name: xplane-zitadel
+spec:
+ parameters:
+ engine: postgres
+ engineVersion: "16"
+ size: small
+ storageGB: 20
+ databases:
+ - owner: zitadel
+ name: zitadel
+ passwordSecretRef:
+ namespace: security
+ name: zitadel-pg-masterpassword
+ key: password
+ compositionRef:
+ name: xsqlinstances.cloud.ogenki.io
+ writeConnectionSecretToRef:
+ name: xplane-zitadel-rds
diff --git a/security/base/zitadel/tlsroute.yaml b/security/base/zitadel/tlsroute.yaml
new file mode 100644
index 00000000..14426e93
--- /dev/null
+++ b/security/base/zitadel/tlsroute.yaml
@@ -0,0 +1,13 @@
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TLSRoute
+metadata:
+ name: zitadel
+spec:
+ parentRefs:
+ - name: zitadel
+ hostnames:
+ - "zitadel.priv.${domain_name}"
+ rules:
+ - backendRefs:
+ - name: zitadel
+ port: 8080
diff --git a/security/mycluster-0/kustomization.yaml b/security/mycluster-0/kustomization.yaml
index 317eb9c1..b17f72b4 100644
--- a/security/mycluster-0/kustomization.yaml
+++ b/security/mycluster-0/kustomization.yaml
@@ -5,4 +5,5 @@ resources:
 - ../base/kyverno
 - ../base/cert-manager
 - ../base/vault-snapshot
+ - ../base/zitadel
 - external-secrets
diff --git a/tooling/base/headlamp/helmrelease.yaml b/tooling/base/headlamp/helmrelease.yaml
index d2756e46..b3f2761f 100644
--- a/tooling/base/headlamp/helmrelease.yaml
+++ b/tooling/base/headlamp/helmrelease.yaml
@@ -4,6 +4,8 @@ metadata:
 name: headlamp
 spec:
 interval: 30m
+ driftDetection:
+ mode: enabled
 chart:
 spec:
 chart: headlamp
@@ -27,6 +29,13 @@ spec: - name: script mountPath: /scripts + resources: + limits: + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + volumeMounts: - name: headlamp-plugins mountPath: /build/plugins
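Review bot: The `Database.Postgres` block in `helmrelease.yaml` that consumes this instance sets host, port and pool sizes but no TLS mode for the connection, and as far as I know Zitadel's default Postgres `SSL.Mode` is `disable`, so the admin password rendered into `zitadel-pg-masterpassword` would cross the VPC network in clear text. Setting `User.SSL.Mode: require` (or `verify-full` with the RDS CA) under `Database.Postgres` in the HelmRelease, and adding a comment above `databases:` here stating that the instance is expected to be reached over TLS, closes that gap; whether the `xsqlinstances.cloud.ogenki.io` composition enforces TLS server-side cannot be told from this diff. `writeConnectionSecretToRef` also gives only `name: xplane-zitadel-rds` with no namespace; if the composition does not default it, confirm the connection Secret actually lands in `security`.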