sarex/iac
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Zitadel to brusnika stage

Browse Source
This commit is contained in:
Kochetkov S 2026-06-05 11:27:36 +03:00
parent c5ee8bb1c2
commit b606bbd854
3 changed files with 98 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
clusters/brusnika-stage/infrastructure/kustomization.yaml
View File

@ -6,6 +6,7 @@ resources:
- ../../../infrastructure/istio-gateway - ../../../infrastructure/istio-gateway
- ../../../infrastructure/istio-config - ../../../infrastructure/istio-config
- ../../../infrastructure/vault - ../../../infrastructure/vault
- ../../../infrastructure/zitadel
- ./lb-service-override.yaml - ./lb-service-override.yaml
- ./vault-ingress.yaml - ./vault-ingress.yaml
patches: patches:
@ -30,3 +31,10 @@ patches:
kind: HelmRelease kind: HelmRelease
name: vault name: vault
namespace: vault namespace: vault
- path: ./patches/zitadel.yaml
target:
group: helm.toolkit.fluxcd.io
version: v2
kind: HelmRelease
name: zitadel
namespace: zitadel

35
clusters/brusnika-stage/infrastructure/patches/istio-config.yaml
View File

@ -118,6 +118,13 @@ spec:
issuerRef: issuerRef:
name: letsencrypt name: letsencrypt
kind: ClusterIssuer kind: ClusterIssuer
zitadel-tls:
namespace: ingress-nginx
dnsNames:
- zitadel.test.sarex.brusnika.tech
issuerRef:
name: letsencrypt
kind: ClusterIssuer
istio: istio:
envoyFilters: {} envoyFilters: {}
authorizationPolicies: {} authorizationPolicies: {}
@ -273,6 +280,16 @@ spec:
- vault.stage.brusnika.sarex.lonsdaleites.ru - vault.stage.brusnika.sarex.lonsdaleites.ru
tls: tls:
credentialName: vault-stage-tls credentialName: vault-stage-tls
zitadel:
name: zitadel-gw
namespace: ingress-nginx
selector:
istio: ingressgateway
servers:
- hosts:
- zitadel.test.sarex.brusnika.tech
tls:
credentialName: zitadel-tls
virtualServices: virtualServices:
camunda-identity-vs: camunda-identity-vs:
namespace: camunda namespace: camunda
@ -531,3 +548,21 @@ spec:
prefix: / prefix: /
service: vault-vault-contour.vault.svc.cluster.local service: vault-vault-contour.vault.svc.cluster.local
port: 8200 port: 8200
zitadel-vs:
namespace: zitadel
hosts:
- zitadel.test.sarex.brusnika.tech
gateways:
- ingress-nginx/zitadel-gw
routes:
- match:
- port: 80
uri:
prefix: /
redirect:
scheme: https
redirectCode: 308
- path:
prefix: /
service: zitadel-idp-contour.zitadel.svc.cluster.local
port: 8080

55
clusters/brusnika-stage/infrastructure/patches/zitadel.yaml Normal file
View File

@ -0,0 +1,55 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: zitadel
namespace: zitadel
spec:
values:
zitadel:
configmapConfig:
ExternalDomain: zitadel.test.sarex.brusnika.tech
ExternalSecure: true
debug:
enabled: false
postgresqlSecret:
vault:
enabled: true
role: zitadel
authPath: auth/kubernetes
secretPath: secrets/data/zitadel/postgresql
secretKey: password
kvVersion: 2
fileName: zitadel-vault-config.yaml
serviceAccount:
create: true
name: zitadel
replicaCount: 1
pdb:
enabled: false
env:
- name: ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_REQUIRED
value: "false"
- name: ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_VERIFIERS
value: "bcrypt,pbkdf2"
- name: ZITADEL_MACHINE_IDENTIFICATION_HOSTNAME_ENABLED
value: "true"
- name: ZITADEL_DATABASE_POSTGRES_HOST
value: "192.168.2.45"
- name: ZITADEL_DATABASE_POSTGRES_PORT
value: "5432"
- name: ZITADEL_DATABASE_POSTGRES_USER_USERNAME
value: "zitadel"
- name: ZITADEL_DATABASE_POSTGRES_ADMIN_EXISTINGDATABASE
value: "zitadel"
- name: ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME
value: "zitadel"
- name: ZITADEL_DATABASE_POSTGRES_DATABASE
value: "zitadel"
- name: ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE
value: "disable"
- name: ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE
value: "disable"
- name: ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_USERNAME
value: "zitadel-admin"
- name: ZITADEL_DEFAULTINSTANCE_ORG_NAME
value: "Sarex"