Add Flux sync manifests

clusters/mycluster-0/flux-system/gotk-sync.yaml

@@ -0,0 +1,27 @@
+# This manifest was generated by flux. DO NOT EDIT.
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  ref:
+    branch: feat_zitadel
+  secretRef:
+    name: flux-system
+  url: https://github.com/Smana/cloud-native-ref.git
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./clusters/mycluster-0
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system

clusters/mycluster-0/flux-system/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- gotk-components.yaml
+- gotk-sync.yaml

security/base/cert-manager/vault-clusterissuer.yaml

@@ -11,7 +11,7 @@ spec:
     auth:
       appRole:
         path: approle
-        roleId: 0c1f0031-10d1-de66-83ed-9ca393c4d169 # !! This value changes each time I recreate the whole platform
+        roleId: dcf37ef0-1810-dfc6-0634-8232003cde5b # !! This value changes each time I recreate the whole platform
         secretRef:
           name: cert-manager-vault-approle
           key: secret_id

security/base/zitadel/externalsecret-sqlinstance-password.yaml

@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: sqlinstance-password
+  namespace: tooling
+spec:
+  dataFrom:
+    - extract:
+        conversionStrategy: Default
+        key: zitadel/sqlinstance/masterpassword
+  refreshInterval: 20m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: clustersecretstore
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: zitadel-pg-masterpassword

security/base/zitadel/gateway.yaml

@@ -15,11 +15,9 @@ spec:
     - name: http
       hostname: "*.priv.${domain_name}"
       port: 443
-      protocol: HTTPS
+      protocol: TLS
       allowedRoutes:
         namespaces:
           from: Same
       tls:
-        mode: Terminate
-        certificateRefs:
-          - name: zitadel-tls
+        mode: Passthrough

security/base/zitadel/helmrelease.yaml

@@ -37,18 +37,18 @@ spec:
             User:
               Username: zitadel
               SSL:
-                Mode: disable
+                Mode: require
             Admin:
               Username: master
               SSL:
-                Mode: disable
+                Mode: require
       secretConfig:
         Database:
           Postgres:
             User:
-              Password: xyz
+              Password: plVtvnWHv2DJs2yQJBLPKaQZ2je
             Admin:
-              Password: abc
+              Password: toto12345
 
     # Mount certificate generated by cert-manager
     extraVolumes:

security/base/zitadel/kustomization.yaml

@@ -2,9 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: security
 resources:
+  - externalsecret-sqlinstance-password.yaml
   - certificate.yaml
   - gateway.yaml
-  - httproute.yaml
   - helmrelease.yaml
   - source.yaml
   - sqlinstance.yaml
+  - tlsroute.yaml

security/base/zitadel/httproute.yaml → security/base/zitadel/tlsroute.yaml

@@ -1,5 +1,5 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TLSRoute
 metadata:
   name: zitadel
 spec:
@@ -10,4 +10,4 @@ spec:
   rules:
     - backendRefs:
         - name: zitadel
-          port: 443
+          port: 8080