feat(zitadel): first deployment

[Smana]

PR Type

enhancement, configuration changes

---

Description

• Added Zitadel deployment configurations including certificates, external secrets, gateway, HelmRelease, network policy, and SQLInstance.
• Updated IAM role for service accounts EKS module version in Terraform configuration.
• Modified Crossplane configuration to remove hardcoded values and improve patching strategy.
• Updated Vault authentication roleId in cert-manager configuration.
• Updated documentation to reflect new module versions.

---

Changes walkthrough 📝

	Relevant files
Configuration changes	3 files irsa.tf Update IAM role for service accounts EKS module version    terraform/eks/irsa.tf Updated version of IAM role for service accounts EKS module. +2/-2      vault-clusterissuer.yaml Update Vault authentication roleId                                              security/base/cert-manager/vault-clusterissuer.yaml Updated roleId for Vault authentication. +1/-1      kustomization.yaml Comment out Zitadel base configuration                                      security/mycluster-0/kustomization.yaml Commented out Zitadel base configuration. +1/-0
Enhancement	11 files sql-instance-composition.yaml Modify security group configuration and patching strategy infrastructure/base/crossplane/configuration/sql-instance-composition.yaml Removed hardcoded name for security group. Added a new patch type for combining fields. +8/-3      certificate.yaml Add Zitadel certificate configuration                                        security/base/zitadel/certificate.yaml Added new certificate configuration for Zitadel. +15/-0    externalsecret-sqlinstance-masterpassword.yaml Add external secret for Zitadel SQL instance master password security/base/zitadel/externalsecret-sqlinstance-masterpassword.yaml Added external secret configuration for Zitadel SQL instance master password. +22/-0    externalsecret-zitadel-envvars.yaml Add external secret for Zitadel environment variables        security/base/zitadel/externalsecret-zitadel-envvars.yaml Added external secret configuration for Zitadel environment variables. +18/-0    gateway.yaml Add Zitadel gateway configuration with AWS load balancer  security/base/zitadel/gateway.yaml Added gateway configuration for Zitadel with AWS load balancer annotations. +23/-0    helmrelease.yaml Add HelmRelease configuration for Zitadel deployment          security/base/zitadel/helmrelease.yaml Added HelmRelease configuration for deploying Zitadel. +55/-0    kustomization.yaml Add Kustomization for Zitadel resources                                    security/base/zitadel/kustomization.yaml Added Kustomization file for Zitadel resources. +13/-0    network-policy.yaml Add network policy for Zitadel internal traffic                    security/base/zitadel/network-policy.yaml Added network policy for Zitadel to allow internal traffic. +37/-0    source.yaml Add HelmRepository source for Zitadel                                        security/base/zitadel/source.yaml Added HelmRepository source configuration for Zitadel. +7/-0      sqlinstance.yaml Add SQLInstance configuration for Zitadel                                security/base/zitadel/sqlinstance.yaml Added SQLInstance configuration for Zitadel. +18/-0    tlsroute.yaml Add TLSRoute configuration for Zitadel                                      security/base/zitadel/tlsroute.yaml Added TLSRoute configuration for Zitadel. +13/-0
Documentation	1 files README.md Update module versions in EKS README                                          terraform/eks/README.md Updated module versions in the documentation. +2/-2

---

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

[github-actions]

PR Reviewer Guide 🔍

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🧪 No relevant tests

🔒 Security concerns Hardcoded Credentials: The PR includes hardcoded credentials in 'security/base/zitadel/helmrelease.yaml', which could lead to security vulnerabilities if the code is exposed publicly or mishandled. Consider using Kubernetes secrets or another secure method to handle sensitive data.

⚡ Key issues to review Hardcoded Value The roleId is hardcoded and noted to change with each platform recreation. This could lead to maintenance issues or errors if not updated properly. Consider a dynamic retrieval or a more manageable approach for configuration. Hardcoded Credentials Hardcoded credentials for database access (masterkey, Password) are present. This poses a security risk. Consider using secrets management to inject these values securely.

[github-actions]

PR Code Suggestions ✨

Category	Suggestion	Score
Security	Replace hardcoded masterkey with a reference to a Kubernetes Secret It's a security risk to hardcode sensitive keys like masterkey in the YAML files. Consider using a Kubernetes Secret for storing such sensitive information and reference it in your HelmRelease configuration. security/base/zitadel/helmrelease.yaml [19] -masterkey: ApnB2MUlRa63KRIE0iT1WlM4ZNZOvZF6 +masterkeyRef: + name: zitadel-masterkey + key: masterkey Suggestion importance[1-10]: 10 Why: This suggestion addresses a critical security risk by recommending the use of Kubernetes Secrets for sensitive information, which is essential for secure configuration management.	10
Maintainability	Replace hardcoded roleId with a reference to a Kubernetes Secret To avoid hardcoding the roleId which changes each time the platform is recreated, consider using a Kubernetes Secret to store this value and reference it in your YAML configuration. This approach enhances security and maintainability. security/base/cert-manager/vault-clusterissuer.yaml [14] -roleId: 0c1f0031-10d1-de66-83ed-9ca393c4d169 # !! This value changes each time I recreate the whole platform +roleIdRef: + name: vault-role-id + key: role_id Suggestion importance[1-10]: 9 Why: This suggestion improves security and maintainability by avoiding hardcoding a value that changes frequently, which is a best practice for managing sensitive information.	9
Possible bug	Comment out the deployment of the kyverno-plugin to prevent crashes Since the deployment of the kyverno-plugin causes Headlamp to crash, it's recommended to remove or comment out this line until the issue is resolved. This prevents potential deployment failures or disruptions. tooling/base/headlamp/deploy-plugins.sh [13] -deploy_plugin kyverno-plugin https://github.com/Kubebeam/kyverno-headlamp-plugin/releases/download/latest (Installing the plugin currently causes Headlamp to crash) +# deploy_plugin kyverno-plugin https://github.com/Kubebeam/kyverno-headlamp-plugin/releases/download/latest # Temporarily disabled due to crash issues Suggestion importance[1-10]: 8 Why: The suggestion addresses a potential bug by preventing the deployment of a plugin that causes crashes, thus avoiding disruptions.	8
Best practice	Add ownerReferences to the Certificate for better lifecycle management To ensure that the Certificate resource is correctly cleaned up when the zitadel namespace or application is deleted, consider adding an ownerReferences field that references the parent application or namespace. security/base/zitadel/certificate.yaml [1-4] apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: zitadel + ownerReferences: + - apiVersion: v1 + kind: Namespace + name: zitadel + uid: <namespace-uid> Suggestion importance[1-10]: 7 Why: Adding ownerReferences is a best practice for managing resource lifecycles, ensuring that resources are cleaned up appropriately, though it is not critical.	7

[Smana]

I opened a PR in zitadel-charts repo in order to be able to define environment variables from a secret. That will be really easier by defining them in aws secretsmanager.

[Smana]

/describe

[github-actions]

PR Description updated to latest commit (3e944c5)

[Smana]

/describe

[github-actions]

PR Description updated to latest commit (af3c945)