WIP: Manifest update

2024-12-22 11:54:52 +01:00 · 2024-12-22 11:54:52 +01:00 · 29de0493c9
commit 29de0493c9
9 changed files with 250 additions and 0 deletions
--- a/README.md
+++ b/README.md
--- a/manifests/configmap.yaml
+++ b/manifests/configmap.yaml
@ -0,0 +1,104 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: zitadel-config
+  namespace: zitadel
+data:
+  # Replace StoreConfig.Engine with "postgres"
+  management.json: |
+    {
+      "Stuns": [
+          {
+              "Proto": "udp",
+              "URI": "stun:$TURN_DOMAIN:3478",
+              "Username": "",
+              "Password": null
+          }
+      ],
+      "TURNConfig": {
+          "Turns": [
+              {
+                  "Proto": "udp",
+                  "URI": "turn:$TURN_DOMAIN:3478",
+                  "Username": "$TURN_USER",
+                  "Password": "$TURN_PASSWORD"
+              }
+          ],
+          "CredentialsTTL": "12h",
+          "Secret": "secret",
+          "TimeBasedCredentials": false
+      },
+      "Signal": {
+          "Proto": "$NETBIRD_SIGNAL_PROTOCOL",
+          "URI": "netbird.beta.halia.dev:$NETBIRD_SIGNAL_PORT",
+          "Username": "",
+          "Password": null
+      },
+      "ReverseProxy": {
+          "TrustedHTTPProxies": [],
+          "TrustedHTTPProxiesCount": 0,
+          "TrustedPeers": [
+               "0.0.0.0/0"
+          ]
+      },
+      "Datadir": "",
+      "DataStoreEncryptionKey": "$NETBIRD_DATASTORE_ENC_KEY",
+      "StoreConfig": {
+          "Engine": "sqlite"
+      },
+      "HttpConfig": {
+          "Address": "0.0.0.0:443",
+          "AuthIssuer": "$NETBIRD_AUTH_AUTHORITY",
+          "AuthAudience": "$NETBIRD_AUTH_AUDIENCE",
+          "AuthKeysLocation": "$NETBIRD_AUTH_JWT_CERTS",
+          "AuthUserIDClaim": "$NETBIRD_AUTH_USER_ID_CLAIM",
+          "CertFile":"$NETBIRD_MGMT_API_CERT_FILE",
+          "CertKey":"$NETBIRD_MGMT_API_CERT_KEY_FILE",
+          "IdpSignKeyRefreshEnabled": $NETBIRD_MGMT_IDP_SIGNKEY_REFRESH,
+          "OIDCConfigEndpoint":"$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT"
+      },
+      "IdpManagerConfig": {
+          "ManagerType": "$NETBIRD_MGMT_IDP",
+          "ClientConfig": {
+              "Issuer": "$NETBIRD_AUTH_AUTHORITY",
+              "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
+              "ClientID": "$NETBIRD_IDP_MGMT_CLIENT_ID",
+              "ClientSecret": "$NETBIRD_IDP_MGMT_CLIENT_SECRET",
+              "GrantType": "client_credentials"
+          },
+          "ExtraConfig": $NETBIRD_IDP_MGMT_EXTRA_CONFIG,
+          "Auth0ClientCredentials": null,
+          "AzureClientCredentials": null,
+          "KeycloakClientCredentials": null,
+          "ZitadelClientCredentials": null
+       },
+      "DeviceAuthorizationFlow": {
+          "Provider": "$NETBIRD_AUTH_DEVICE_AUTH_PROVIDER",
+
+          "ProviderConfig": {
+            "Audience": "$NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE",
+            "AuthorizationEndpoint": "",
+            "Domain": "$NETBIRD_AUTH0_DOMAIN",
+            "ClientID": "$NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID",
+            "ClientSecret": "",
+            "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
+            "DeviceAuthEndpoint": "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT",
+            "Scope": "$NETBIRD_AUTH_DEVICE_AUTH_SCOPE",
+            "UseIDToken": $NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN,
+            "RedirectURLs": null
+           }
+      },
+      "PKCEAuthorizationFlow": {
+          "ProviderConfig": {
+              "Audience": "$NETBIRD_AUTH_PKCE_AUDIENCE",
+              "ClientID": "$NETBIRD_AUTH_CLIENT_ID",
+              "ClientSecret": "$NETBIRD_AUTH_CLIENT_SECRET",
+              "Domain": "",
+              "AuthorizationEndpoint": "$NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT",
+              "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
+              "Scope": "$NETBIRD_AUTH_SUPPORTED_SCOPES",
+              "RedirectURLs": [$NETBIRD_AUTH_PKCE_REDIRECT_URLS],
+              "UseIDToken": $NETBIRD_AUTH_PKCE_USE_ID_TOKEN
+          }
+      }
+    }
--- a/manifests/database.yaml
+++ b/manifests/database.yaml
@ -0,0 +1,35 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: zitadel-db
+  namespace: zitadel
+
+spec:
+  instances: 2
+
+  storage:
+    size: 1Gi
+    storageClass: redundant-storage-class
+
+  bootstrap:
+    initdb:
+      database: zitadel
+      owner: zitadel
+      secret:
+        name: zitadel-db-user
+
+  enableSuperuserAccess: true
+  superuserSecret:
+    name: zitadel-db-superuser
+
+  postgresql:
+    pg_hba:
+      - host all all all md5
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100Mi
+    limits:
+      cpu: 500m
+      memory: 500Mi
--- a/manifests/deployment.yaml
+++ b/manifests/deployment.yaml
@ -0,0 +1,61 @@
+# TODO
+#
+# Update var envs
+# Create necessary secrets
+# Explore volume organisation
+# Test multiple replicas configuration
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+    name: netbird
+    namespace: netbird
+spec:
+    replicas: 1
+    selector:
+        matchLabels:
+            app: netbird
+    template:
+        metadata:
+            labels:
+                app: netbird
+        spec:
+            hostname: netbird
+            subdomain: netbird
+            containers:
+              - name: dashboard
+                image: netbirdio/dashboard:v2.3.0
+                ports:
+                  - containerPort: 80
+                env:
+                  - name: NETBIRD_MGMT_API_ENDPOINT
+                    value: ""
+                  - name: NETBIRD_MGMT_GRPC_API_ENDPOINT
+                    value: ""
+                  # OIDC
+                  - name: AUTH_AUDIENCE
+                    value: ""
+                  - name: AUTH_CLIENT_ID
+                    value: ""
+                  - name: AUTH_CLIENT_SECRET
+                    value: ""
+                  - name: AUTH_AUTHORITY
+                    value: ""
+                  - name: USE_AUTH0
+                    value: ""
+                  - name: AUTH_SUPPORTED_SCOPES
+                    value: ""
+                  - name: AUTH_REDIRECT_URI
+                    value: ""
+                  - name: AUTH_SILENT_REDIRECT_URI
+                    value: ""
+                  - name: NETBIRD_TOKEN_SOURCE
+                    value: ""
+              - name: management
+                image: netbirdio/management:0.27.5
+                  #command: [""]
+                ports:
+                  - containerPort: 443
+              # MISSING
+              # - coturn
+              # - signal
--- a/manifests/ingress.yaml
+++ b/manifests/ingress.yaml
@ -0,0 +1,18 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+    name: netbird-ingress
+    namespace: netbird
+    annotations:
+      kubernetes.io/ingress.class: "traefik"
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`netbird.beta.halia.dev`)
+      services:
+        - name: netbird-svc
+          namespace: netbird
+          port: 80
+          passHostHeader: true
--- a/manifests/kustomization.yaml
+++ b/manifests/kustomization.yaml
@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: netbird
+
+resources:
+  - namespace.yaml
+  - service.yaml
+  - ingress.yaml
+  - deployment.yaml
+
--- a/manifests/namespace.yaml
+++ b/manifests/namespace.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: netbird
--- a/manifests/secret.yaml
+++ b/manifests/secret.yaml
--- a/manifests/service.yaml
+++ b/manifests/service.yaml
@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+    name: netbird-svc
+    namespace: netbird
+spec:
+    ports:
+        - name: dashboard
+          port: 80
+          protocol: TCP
+          targetPort: 8080
+        - name: management
+          port: 443
+          protocol: TCP
+          targetPort: 4443
+    selector:
+        app: netbird