sarex/iac
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Zitadel to brusnika prod

Browse Source
This commit is contained in:
Kochetkov S 2026-06-05 12:06:29 +03:00
parent 2285c1a467
commit 996bac6a9c
3 changed files with 173 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
clusters/brusnika-prod/infrastructure/kustomization.yaml
View File

@ -6,6 +6,7 @@ resources:
- ../../../infrastructure/istio-gateway - ../../../infrastructure/istio-gateway
- ../../../infrastructure/istio-config - ../../../infrastructure/istio-config
- ../../../infrastructure/vault - ../../../infrastructure/vault
- ../../../infrastructure/zitadel
- ./vault-ingress.yaml - ./vault-ingress.yaml
patches: patches:
- path: ./patches/istio-gateway.yaml - path: ./patches/istio-gateway.yaml
@ -29,3 +30,10 @@ patches:
kind: HelmRelease kind: HelmRelease
name: vault name: vault
namespace: vault namespace: vault
- path: ./patches/zitadel.yaml
target:
group: helm.toolkit.fluxcd.io
version: v2
kind: HelmRelease
name: zitadel
namespace: zitadel

35
clusters/brusnika-prod/infrastructure/patches/istio-config.yaml
View File

@ -120,6 +120,13 @@ spec:
issuerRef: issuerRef:
name: letsencrypt name: letsencrypt
kind: ClusterIssuer kind: ClusterIssuer
zitadel-tls:
namespace: ingress-nginx
dnsNames:
- zitadel.brusnika.onprem.sarex.io
issuerRef:
name: letsencrypt
kind: ClusterIssuer
istio: istio:
envoyFilters: {} envoyFilters: {}
authorizationPolicies: {} authorizationPolicies: {}
@ -285,6 +292,16 @@ spec:
- vault.prod.brusnika.sarex.lonsdaleites.ru - vault.prod.brusnika.sarex.lonsdaleites.ru
tls: tls:
credentialName: vault-prod-tls credentialName: vault-prod-tls
zitadel:
name: zitadel-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- zitadel.brusnika.onprem.sarex.io
tls:
credentialName: zitadel-tls
rabbitmq: rabbitmq:
name: rabbitmq-gw name: rabbitmq-gw
namespace: ingress-nginx namespace: ingress-nginx
@ -586,6 +603,24 @@ spec:
prefix: / prefix: /
service: vault-vault-contour.vault.svc.cluster.local service: vault-vault-contour.vault.svc.cluster.local
port: 8200 port: 8200
zitadel-vs:
namespace: zitadel
hosts:
- zitadel.brusnika.onprem.sarex.io
gateways:
- ingress-nginx/zitadel-gw
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: zitadel-idp-contour.zitadel.svc.cluster.local
port: 8080
rabbitmq-vs: rabbitmq-vs:
namespace: workflow namespace: workflow
hosts: hosts:

130
clusters/brusnika-prod/infrastructure/patches/zitadel.yaml Normal file
View File

@ -0,0 +1,130 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: zitadel
namespace: zitadel
spec:
postRenderers:
- kustomize:
patches:
- target:
group: apps
version: v1
kind: Deployment
name: zitadel-idp-contour
patch: |-
- op: replace
path: /spec/template/metadata/annotations/vault.hashicorp.com~1agent-inject-template-zitadel-vault-config.yaml
value: |-
{{- with secret "secrets/data/zitadel/postgresql" -}}
Database:
postgres:
User:
Password: |-
{{ index .Data.data "password" }}
Admin:
Password: |-
{{ index .Data.data "adminPassword" }}
FirstInstance:
Org:
Human:
Password: |-
{{ index .Data.data "humanPassword" }}
{{- end -}}
- target:
group: batch
version: v1
kind: Job
name: zitadel-idp-contour-init
patch: |-
- op: replace
path: /spec/template/metadata/annotations/vault.hashicorp.com~1agent-inject-template-zitadel-vault-config.yaml
value: |-
{{- with secret "secrets/data/zitadel/postgresql" -}}
Database:
postgres:
User:
Password: |-
{{ index .Data.data "password" }}
Admin:
Password: |-
{{ index .Data.data "adminPassword" }}
FirstInstance:
Org:
Human:
Password: |-
{{ index .Data.data "humanPassword" }}
{{- end -}}
- target:
group: batch
version: v1
kind: Job
name: zitadel-idp-contour-setup
patch: |-
- op: replace
path: /spec/template/metadata/annotations/vault.hashicorp.com~1agent-inject-template-zitadel-vault-config.yaml
value: |-
{{- with secret "secrets/data/zitadel/postgresql" -}}
Database:
postgres:
User:
Password: |-
{{ index .Data.data "password" }}
Admin:
Password: |-
{{ index .Data.data "adminPassword" }}
FirstInstance:
Org:
Human:
Password: |-
{{ index .Data.data "humanPassword" }}
{{- end -}}
values:
zitadel:
configmapConfig:
ExternalDomain: zitadel.brusnika.onprem.sarex.io
ExternalSecure: true
debug:
enabled: false
postgresqlSecret:
vault:
enabled: true
role: zitadel
authPath: auth/kubernetes
secretPath: secrets/data/zitadel/postgresql
secretKey: password
kvVersion: 2
fileName: zitadel-vault-config.yaml
serviceAccount:
create: true
name: zitadel
replicaCount: 1
pdb:
enabled: false
env:
- name: ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_REQUIRED
value: "false"
- name: ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_VERIFIERS
value: "bcrypt,pbkdf2"
- name: ZITADEL_MACHINE_IDENTIFICATION_HOSTNAME_ENABLED
value: "true"
- name: ZITADEL_DATABASE_POSTGRES_HOST
value: "192.168.2.45"
- name: ZITADEL_DATABASE_POSTGRES_PORT
value: "5432"
- name: ZITADEL_DATABASE_POSTGRES_USER_USERNAME
value: "zitadel"
- name: ZITADEL_DATABASE_POSTGRES_ADMIN_EXISTINGDATABASE
value: "zitadel"
- name: ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME
value: "zitadel"
- name: ZITADEL_DATABASE_POSTGRES_DATABASE
value: "zitadel"
- name: ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE
value: "disable"
- name: ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE
value: "disable"
- name: ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_USERNAME
value: "zitadel-admin"
- name: ZITADEL_DEFAULTINSTANCE_ORG_NAME
value: "Sarex"