diff --git a/clusters/brusnika-stage/infrastructure/kustomization.yaml b/clusters/brusnika-stage/infrastructure/kustomization.yaml
index d8506a3..a8a4131 100644
--- a/clusters/brusnika-stage/infrastructure/kustomization.yaml
+++ b/clusters/brusnika-stage/infrastructure/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
 - ../../../infrastructure/istio-gateway
 - ../../../infrastructure/istio-config
 - ../../../infrastructure/vault
+ - ../../../infrastructure/zitadel
 - ./lb-service-override.yaml
 - ./vault-ingress.yaml
 patches:
@@ -30,3 +31,10 @@ patches:
 kind: HelmRelease
 name: vault
 namespace: vault
+ - path: ./patches/zitadel.yaml
+ target:
+ group: helm.toolkit.fluxcd.io
+ version: v2
+ kind: HelmRelease
+ name: zitadel
+ namespace: zitadel
diff --git a/clusters/brusnika-stage/infrastructure/patches/istio-config.yaml b/clusters/brusnika-stage/infrastructure/patches/istio-config.yaml
index 88d1193..6a1bb47 100644
--- a/clusters/brusnika-stage/infrastructure/patches/istio-config.yaml
+++ b/clusters/brusnika-stage/infrastructure/patches/istio-config.yaml
@@ -118,6 +118,13 @@ spec:
 issuerRef:
 name: letsencrypt
 kind: ClusterIssuer
+ zitadel-tls:
+ namespace: ingress-nginx
+ dnsNames:
+ - zitadel.test.sarex.brusnika.tech
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
 istio:
 envoyFilters: {}
 authorizationPolicies: {}
@@ -273,6 +280,16 @@ spec:
 - vault.stage.brusnika.sarex.lonsdaleites.ru
 tls:
 credentialName: vault-stage-tls
+ zitadel:
+ name: zitadel-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - zitadel.test.sarex.brusnika.tech
+ tls:
+ credentialName: zitadel-tls
 virtualServices:
 camunda-identity-vs:
 namespace: camunda
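Review bot: The hostname `zitadel.test.sarex.brusnika.tech` in the new `zitadel-tls` `dnsNames` is hard-coded again in the `zitadel-gw` server hosts (next hunk), in the `zitadel-vs` hosts and in `ExternalDomain` inside `patches/zitadel.yaml`, and ZITADEL derives its OIDC issuer from `ExternalDomain`, so any drift between these four places yields a reachable host whose issuer does not match what clients validate. A comment on the certificate such as `# must match zitadel-gw hosts, zitadel-vs hosts and ExternalDomain in patches/zitadel.yaml` would at least make the coupling visible; a single kustomize replacement feeding all four would remove it. It is also worth noting that this is a new base domain on the `brusnika-stage` cluster, while the neighbouring vault entry serves `vault.stage.brusnika.sarex.lonsdaleites.ru` — presumably intentional, but a one-line comment saying so would stop a later reader from "fixing" it.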
@@ -531,3 +548,21 @@ spec:
 prefix: /
 service: vault-vault-contour.vault.svc.cluster.local
 port: 8200
+ zitadel-vs:
+ namespace: zitadel
+ hosts:
+ - zitadel.test.sarex.brusnika.tech
+ gateways:
+ - ingress-nginx/zitadel-gw
+ routes:
+ - match:
+ - port: 80
+ uri:
+ prefix: /
+ redirect:
+ scheme: https
+ redirectCode: 308
+ - path:
+ prefix: /
+ service: zitadel-idp-contour.zitadel.svc.cluster.local
+ port: 8080
diff --git a/clusters/brusnika-stage/infrastructure/patches/zitadel.yaml b/clusters/brusnika-stage/infrastructure/patches/zitadel.yaml
new file mode 100644
index 0000000..212ad8d
--- /dev/null
+++ b/clusters/brusnika-stage/infrastructure/patches/zitadel.yaml
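Review bot: The `zitadel-vs` backend route forwards plain HTTP to `zitadel-idp-contour.zitadel.svc.cluster.local` on port 8080, and ZITADEL's gRPC API (which its Console and SDKs use) needs HTTP/2 end-to-end, so the Service port behind that name must be advertised as h2c (an `http2`/`grpc` port name or `appProtocol`) for the mesh not to downgrade it to HTTP/1.1 — that Service is not in this diff, so this is inferred and should be confirmed. A comment on the route such as `# backend must accept h2c: ZITADEL gRPC requires HTTP/2` would record the requirement next to the port. The port-80 match with a 308 redirect ahead of the catch-all route follows the shape of the existing vault entry, so route ordering itself looks consistent with the file.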
@@ -0,0 +1,55 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: zitadel
+ namespace: zitadel
+spec:
+ values:
+ zitadel:
+ configmapConfig:
+ ExternalDomain: zitadel.test.sarex.brusnika.tech
+ ExternalSecure: true
+ debug:
+ enabled: false
+ postgresqlSecret:
+ vault:
+ enabled: true
+ role: zitadel
+ authPath: auth/kubernetes
+ secretPath: secrets/data/zitadel/postgresql
+ secretKey: password
+ kvVersion: 2
+ fileName: zitadel-vault-config.yaml
+ serviceAccount:
+ create: true
+ name: zitadel
+ replicaCount: 1
+ pdb:
+ enabled: false
+ env:
+ - name: ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_REQUIRED
+ value: "false"
+ - name: ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_VERIFIERS
+ value: "bcrypt,pbkdf2"
+ - name: ZITADEL_MACHINE_IDENTIFICATION_HOSTNAME_ENABLED
+ value: "true"
+ - name: ZITADEL_DATABASE_POSTGRES_HOST
+ value: "192.168.2.45"
+ - name: ZITADEL_DATABASE_POSTGRES_PORT
+ value: "5432"
+ - name: ZITADEL_DATABASE_POSTGRES_USER_USERNAME
+ value: "zitadel"
+ - name: ZITADEL_DATABASE_POSTGRES_ADMIN_EXISTINGDATABASE
+ value: "zitadel"
+ - name: ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME
+ value: "zitadel"
+ - name: ZITADEL_DATABASE_POSTGRES_DATABASE
+ value: "zitadel"
+ - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE
+ value: "disable"
+ - name: ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE
+ value: "disable"
+ - name: ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_USERNAME
+ value: "zitadel-admin"
+ - name: ZITADEL_DEFAULTINSTANCE_ORG_NAME
+ value: "Sarex"
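Review bot: Both `ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE` and `ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE` are set to `"disable"`, so the Vault-sourced password and every session, token and user record travel to `192.168.2.45:5432` in plaintext; unless that hop is already inside an encrypted link, change both to `value: "require"` (or `"verify-full"` with the server CA configured) so the database credential cannot be read in transit. The same `zitadel` account is used for `ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME` and `ZITADEL_DATABASE_POSTGRES_USER_USERNAME`, which means the runtime process keeps the privileges only the one-time schema setup needs; a separate, lower-privileged runtime role would narrow the blast radius of an application compromise, at the cost of a second key under `secrets/data/zitadel/postgresql`. No password is set here for the `zitadel-admin` user named in `ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_USERNAME`, so if it is not supplied elsewhere the chart's default applies on first boot — confirm it comes from a secret. Finally, `"bcrypt,pbkdf2"` in `ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_VERIFIERS` reads like a migration allowance for imported hashes; a comment such as `# pbkdf2 kept only to verify imported hashes; drop once all users have re-hashed` would document why it is there and when it can go.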