Add Zitadel to brusnika stage

2026-06-05 11:27:36 +03:00 · 2026-06-05 11:27:36 +03:00 · b606bbd854
commit b606bbd854
parent c5ee8bb1c2
3 changed files with 98 additions and 0 deletions
--- a/clusters/brusnika-stage/infrastructure/kustomization.yaml
+++ b/clusters/brusnika-stage/infrastructure/kustomization.yaml
@ -6,6 +6,7 @@ resources:
  - ../../../infrastructure/istio-gateway
  - ../../../infrastructure/istio-config
  - ../../../infrastructure/vault
+  - ../../../infrastructure/zitadel
  - ./lb-service-override.yaml
  - ./vault-ingress.yaml
 patches:
@ -30,3 +31,10 @@ patches:
      kind: HelmRelease
      name: vault
      namespace: vault
+  - path: ./patches/zitadel.yaml
+    target:
+      group: helm.toolkit.fluxcd.io
+      version: v2
+      kind: HelmRelease
+      name: zitadel
+      namespace: zitadel
--- a/clusters/brusnika-stage/infrastructure/patches/istio-config.yaml
+++ b/clusters/brusnika-stage/infrastructure/patches/istio-config.yaml
@ -118,6 +118,13 @@ spec:
              issuerRef:
                name: letsencrypt
                kind: ClusterIssuer
+            zitadel-tls:
+              namespace: ingress-nginx
+              dnsNames:
+                - zitadel.test.sarex.brusnika.tech
+              issuerRef:
+                name: letsencrypt
+                kind: ClusterIssuer
        istio:
          envoyFilters: {}
          authorizationPolicies: {}
@ -273,6 +280,16 @@ spec:
                    - vault.stage.brusnika.sarex.lonsdaleites.ru
                  tls:
                    credentialName: vault-stage-tls
+            zitadel:
+              name: zitadel-gw
+              namespace: ingress-nginx
+              selector:
+                istio: ingressgateway
+              servers:
+                - hosts:
+                    - zitadel.test.sarex.brusnika.tech
+                  tls:
+                    credentialName: zitadel-tls
          virtualServices:
            camunda-identity-vs:
              namespace: camunda
@ -531,3 +548,21 @@ spec:
                    prefix: /
                  service: vault-vault-contour.vault.svc.cluster.local
                  port: 8200
+            zitadel-vs:
+              namespace: zitadel
+              hosts:
+                - zitadel.test.sarex.brusnika.tech
+              gateways:
+                - ingress-nginx/zitadel-gw
+              routes:
+                - match:
+                    - port: 80
+                      uri:
+                        prefix: /
+                  redirect:
+                    scheme: https
+                    redirectCode: 308
+                - path:
+                    prefix: /
+                  service: zitadel-idp-contour.zitadel.svc.cluster.local
+                  port: 8080
--- a/clusters/brusnika-stage/infrastructure/patches/zitadel.yaml
+++ b/clusters/brusnika-stage/infrastructure/patches/zitadel.yaml
@ -0,0 +1,55 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: zitadel
+  namespace: zitadel
+spec:
+  values:
+    zitadel:
+      configmapConfig:
+        ExternalDomain: zitadel.test.sarex.brusnika.tech
+        ExternalSecure: true
+      debug:
+        enabled: false
+    postgresqlSecret:
+      vault:
+        enabled: true
+        role: zitadel
+        authPath: auth/kubernetes
+        secretPath: secrets/data/zitadel/postgresql
+        secretKey: password
+        kvVersion: 2
+        fileName: zitadel-vault-config.yaml
+    serviceAccount:
+      create: true
+      name: zitadel
+    replicaCount: 1
+    pdb:
+      enabled: false
+    env:
+      - name: ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_REQUIRED
+        value: "false"
+      - name: ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_VERIFIERS
+        value: "bcrypt,pbkdf2"
+      - name: ZITADEL_MACHINE_IDENTIFICATION_HOSTNAME_ENABLED
+        value: "true"
+      - name: ZITADEL_DATABASE_POSTGRES_HOST
+        value: "192.168.2.45"
+      - name: ZITADEL_DATABASE_POSTGRES_PORT
+        value: "5432"
+      - name: ZITADEL_DATABASE_POSTGRES_USER_USERNAME
+        value: "zitadel"
+      - name: ZITADEL_DATABASE_POSTGRES_ADMIN_EXISTINGDATABASE
+        value: "zitadel"
+      - name: ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME
+        value: "zitadel"
+      - name: ZITADEL_DATABASE_POSTGRES_DATABASE
+        value: "zitadel"
+      - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE
+        value: "disable"
+      - name: ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE
+        value: "disable"
+      - name: ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_USERNAME
+        value: "zitadel-admin"
+      - name: ZITADEL_DEFAULTINSTANCE_ORG_NAME
+        value: "Sarex"