From 996bac6a9c78222934352d09b885a251e7dbce44 Mon Sep 17 00:00:00 2001
From: Kochetkov S
Date: Fri, 5 Jun 2026 12:06:29 +0300
Subject: [PATCH] Add Zitadel to brusnika prod
---
 .../infrastructure/kustomization.yaml | 8 ++
 .../infrastructure/patches/istio-config.yaml | 35 +++++
 .../infrastructure/patches/zitadel.yaml | 130 ++++++++++++++++++
 3 files changed, 173 insertions(+)
 create mode 100644 clusters/brusnika-prod/infrastructure/patches/zitadel.yaml
diff --git a/clusters/brusnika-prod/infrastructure/kustomization.yaml b/clusters/brusnika-prod/infrastructure/kustomization.yaml
index 4c62b0d..494c6e1 100644
--- a/clusters/brusnika-prod/infrastructure/kustomization.yaml
+++ b/clusters/brusnika-prod/infrastructure/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
 - ../../../infrastructure/istio-gateway
 - ../../../infrastructure/istio-config
 - ../../../infrastructure/vault
+ - ../../../infrastructure/zitadel
 - ./vault-ingress.yaml
 patches:
 - path: ./patches/istio-gateway.yaml
@@ -29,3 +30,10 @@ patches:
 kind: HelmRelease
 name: vault
 namespace: vault
+ - path: ./patches/zitadel.yaml
+ target:
+ group: helm.toolkit.fluxcd.io
+ version: v2
+ kind: HelmRelease
+ name: zitadel
+ namespace: zitadel
diff --git a/clusters/brusnika-prod/infrastructure/patches/istio-config.yaml b/clusters/brusnika-prod/infrastructure/patches/istio-config.yaml
index 0325c2d..84b9d5c 100644
--- a/clusters/brusnika-prod/infrastructure/patches/istio-config.yaml
+++ b/clusters/brusnika-prod/infrastructure/patches/istio-config.yaml
@@ -120,6 +120,13 @@ spec:
 issuerRef:
 name: letsencrypt
 kind: ClusterIssuer
+ zitadel-tls:
+ namespace: ingress-nginx
+ dnsNames:
+ - zitadel.brusnika.onprem.sarex.io
+ issuerRef:
+ name: letsencrypt
+ kind: ClusterIssuer
 istio:
 envoyFilters: {}
 authorizationPolicies: {}
@@ -285,6 +292,16 @@ spec:
 - vault.prod.brusnika.sarex.lonsdaleites.ru
 tls:
 credentialName: vault-prod-tls
+ zitadel:
+ name: zitadel-gw
+ namespace: ingress-nginx
+ selector:
+ istio: ingressgateway
+ servers:
+ - hosts:
+ - zitadel.brusnika.onprem.sarex.io
+ tls:
+ credentialName: zitadel-tls
 rabbitmq:
 name: rabbitmq-gw
 namespace: ingress-nginx
@@ -586,6 +603,24 @@ spec:
 prefix: /
 service: vault-vault-contour.vault.svc.cluster.local
 port: 8200
+ zitadel-vs:
+ namespace: zitadel
+ hosts:
+ - zitadel.brusnika.onprem.sarex.io
+ gateways:
+ - ingress-nginx/zitadel-gw
+ routes:
+ - match:
+ - port: 80
+ uri:
+ prefix: /
+ redirect:
+ scheme: https
+ redirectCode: 308
+ - path:
+ prefix: /
+ service: zitadel-idp-contour.zitadel.svc.cluster.local
+ port: 8080
 rabbitmq-vs:
 namespace: workflow
 hosts:
diff --git a/clusters/brusnika-prod/infrastructure/patches/zitadel.yaml b/clusters/brusnika-prod/infrastructure/patches/zitadel.yaml
new file mode 100644
index 0000000..edad088
--- /dev/null
+++ b/clusters/brusnika-prod/infrastructure/patches/zitadel.yaml
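Review bot: The `zitadel-vs` route in the second hunk forwards plain HTTP to `zitadel-idp-contour.zitadel.svc.cluster.local` on port 8080, but ZITADEL serves gRPC, gRPC-web and its HTTP API on that one port and gRPC needs HTTP/2 end to end once TLS is terminated at the gateway; if the rendered Service port is not named with an `http2-`/`grpc-` prefix or carries no `appProtocol`, Istio will speak HTTP/1.1 and the Console's gRPC calls fail while the login page still renders. That depends on the chart's Service rather than anything visible here, so check the rendered Service before rollout. The port-80 match with `redirectCode: 308` covers the cleartext path, so the only unencrypted hop left to reason about is gateway-to-pod inside the mesh.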
@@ -0,0 +1,130 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: zitadel
+ namespace: zitadel
+spec:
+ postRenderers:
+ - kustomize:
+ patches:
+ - target:
+ group: apps
+ version: v1
+ kind: Deployment
+ name: zitadel-idp-contour
+ patch: |-
+ - op: replace
+ path: /spec/template/metadata/annotations/vault.hashicorp.com~1agent-inject-template-zitadel-vault-config.yaml
+ value: |-
+ {{- with secret "secrets/data/zitadel/postgresql" -}}
+ Database:
+ postgres:
+ User:
+ Password: |-
+ {{ index .Data.data "password" }}
+ Admin:
+ Password: |-
+ {{ index .Data.data "adminPassword" }}
+ FirstInstance:
+ Org:
+ Human:
+ Password: |-
+ {{ index .Data.data "humanPassword" }}
+ {{- end -}}
+ - target:
+ group: batch
+ version: v1
+ kind: Job
+ name: zitadel-idp-contour-init
+ patch: |-
+ - op: replace
+ path: /spec/template/metadata/annotations/vault.hashicorp.com~1agent-inject-template-zitadel-vault-config.yaml
+ value: |-
+ {{- with secret "secrets/data/zitadel/postgresql" -}}
+ Database:
+ postgres:
+ User:
+ Password: |-
+ {{ index .Data.data "password" }}
+ Admin:
+ Password: |-
+ {{ index .Data.data "adminPassword" }}
+ FirstInstance:
+ Org:
+ Human:
+ Password: |-
+ {{ index .Data.data "humanPassword" }}
+ {{- end -}}
+ - target:
+ group: batch
+ version: v1
+ kind: Job
+ name: zitadel-idp-contour-setup
+ patch: |-
+ - op: replace
+ path: /spec/template/metadata/annotations/vault.hashicorp.com~1agent-inject-template-zitadel-vault-config.yaml
+ value: |-
+ {{- with secret "secrets/data/zitadel/postgresql" -}}
+ Database:
+ postgres:
+ User:
+ Password: |-
+ {{ index .Data.data "password" }}
+ Admin:
+ Password: |-
+ {{ index .Data.data "adminPassword" }}
+ FirstInstance:
+ Org:
+ Human:
+ Password: |-
+ {{ index .Data.data "humanPassword" }}
+ {{- end -}}
+ values:
+ zitadel:
+ configmapConfig:
+ ExternalDomain: zitadel.brusnika.onprem.sarex.io
+ ExternalSecure: true
+ debug:
+ enabled: false
+ postgresqlSecret:
+ vault:
+ enabled: true
+ role: zitadel
+ authPath: auth/kubernetes
+ secretPath: secrets/data/zitadel/postgresql
+ secretKey: password
+ kvVersion: 2
+ fileName: zitadel-vault-config.yaml
+ serviceAccount:
+ create: true
+ name: zitadel
+ replicaCount: 1
+ pdb:
+ enabled: false
+ env:
+ - name: ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_REQUIRED
+ value: "false"
+ - name: ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_VERIFIERS
+ value: "bcrypt,pbkdf2"
+ - name: ZITADEL_MACHINE_IDENTIFICATION_HOSTNAME_ENABLED
+ value: "true"
+ - name: ZITADEL_DATABASE_POSTGRES_HOST
+ value: "192.168.2.45"
+ - name: ZITADEL_DATABASE_POSTGRES_PORT
+ value: "5432"
+ - name: ZITADEL_DATABASE_POSTGRES_USER_USERNAME
+ value: "zitadel"
+ - name: ZITADEL_DATABASE_POSTGRES_ADMIN_EXISTINGDATABASE
+ value: "zitadel"
+ - name: ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME
+ value: "zitadel"
+ - name: ZITADEL_DATABASE_POSTGRES_DATABASE
+ value: "zitadel"
+ - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE
+ value: "disable"
+ - name: ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE
+ value: "disable"
+ - name: ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_USERNAME
+ value: "zitadel-admin"
+ - name: ZITADEL_DEFAULTINSTANCE_ORG_NAME
+ value: "Sarex"
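Review bot: `ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE` and `ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE` are both `"disable"`, so the Vault-sourced database passwords and every identity record cross the network to the external host `192.168.2.45` in clear text; unless that path is encrypted below the application (nothing in the file says so), set both to `value: "verify-full"` with the server's root certificate, or at minimum `value: "require"`, and record the reason in a comment if plaintext is a deliberate choice. The Admin and User roles also share the username `zitadel` while their passwords come from two different Vault keys (`password` and `adminPassword`), so either both keys hold the same value or one of the two logins fails on the first migration — ZITADEL separates the two precisely so the runtime user can be granted less than the setup role. The identical Vault-agent template is pasted three times for the Deployment and the two Jobs; a single anchored scalar or a shared patch would keep them from drifting. `replicaCount: 1` with `pdb.enabled: false` leaves the production IdP with no tolerance for a node drain, which may be intended for a first rollout but deserves a note.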