From 5532fea488e3965f5483f02dc924a1a6fe50d227 Mon Sep 17 00:00:00 2001
From: Tanguy Herbron
Date: Mon, 3 Mar 2025 20:10:59 +0100
Subject: [PATCH] feat: Add full configuration
---
manifests/configmap.yaml | 14 +-----------
manifests/database-backup.yaml | 10 +++++++++
manifests/database.yaml | 25 +++++++++++++++++++--
manifests/deployment.yaml | 29 +++++++++++++++---------
manifests/ingress.yaml | 41 ++++++++++++++++++++--------------
manifests/kustomization.yaml | 5 ++---
manifests/secret.yaml | 0
manifests/secrets.yaml | 24 ++++++++++++++++++++
8 files changed, 103 insertions(+), 45 deletions(-)
create mode 100644 manifests/database-backup.yaml
delete mode 100644 manifests/secret.yaml
create mode 100644 manifests/secrets.yaml
diff --git a/manifests/configmap.yaml b/manifests/configmap.yaml
index 6bed2b9..b78f931 100644
--- a/manifests/configmap.yaml
+++ b/manifests/configmap.yaml
@@ -4,19 +4,7 @@ metadata:
name: zitadel-config
namespace: zitadel
data:
- first-step.yaml: |
- FirstInstance:
- InstanceName: ZITADEL
- Org:
- Name: 'Halis'
- Human:
- # use the loginname root@zitadel.localhost
- Username: 'admin'
- Password: 'RootPassword1!'
- Email:
- Address: 'admin@zitadel.beta.halia.dev'
- Verified: true
config.yaml: |
- ExternalDomain: zitadel.beta.halia.dev
+ ExternalDomain: zitadel.halis.io
ExternalSecure: true
ExternalPort: 443
diff --git a/manifests/database-backup.yaml b/manifests/database-backup.yaml
new file mode 100644
index 0000000..7ebccc5
--- /dev/null
+++ b/manifests/database-backup.yaml
@@ -0,0 +1,10 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+ name: zitadel-db-backup
+ namespace: zitadel
+spec:
+ schedule: "0 0 0 * * *"
+ backupOwnerReference: self
+ cluster:
+ name: zitadel-db
diff --git a/manifests/database.yaml b/manifests/database.yaml
index 17f00df..88d3d9a 100644
--- a/manifests/database.yaml
+++ b/manifests/database.yaml
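Review bot: The removed `Password: 'RootPassword1!'` and the rest of the bootstrap `first-step.yaml` were committed inside a ConfigMap, so moving them out does not unpublish them — they stay in git history, and if any instance was ever bootstrapped with that value the admin credential should be treated as exposed and rotated. The new `ExternalDomain: zitadel.halis.io` is also set as `ZITADEL_EXTERNALDOMAIN` in deployment.yaml; presumably the environment variable takes precedence, so a comment here such as `# mirrored by ZITADEL_EXTERNALDOMAIN in deployment.yaml — keep both in sync` would stop the two values drifting apart on the next domain change.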
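Review bot: The `schedule` uses CNPG's six-field cron form (seconds first), which reads differently from a crontab entry; a comment prevents someone "fixing" it to five fields: `schedule: "0 0 0 * * *"  # CNPG 6-field cron (sec min hour dom mon dow): daily at 00:00`. There is no `immediate: true`, so the first backup only runs at the next midnight after the object is created, leaving any data already in the cluster uncovered until then. The object also depends on the `backup.barmanObjectStore` stanza added to database.yaml and on the `s3-secret` it references; it cannot produce a backup until both exist.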
@@ -5,11 +5,11 @@ metadata: namespace: zitadel spec: - instances: 2 + instances: 3 storage: size: 1Gi - storageClass: redundant-storage-class + storageClass: local-path bootstrap: initdb: @@ -26,6 +26,24 @@ spec: pg_hba: - host all all all md5 + backup: + barmanObjectStore: + destinationPath: "s3://halis/cloudnativepg" + endpointURL: https://s3.halia.dev + s3Credentials: + accessKeyId: + name: s3-secret + key: AWS_ACCESS_KEY_ID + secretAccessKey: + name: s3-secret + key: AWS_SECRET_ACCESS_KEY + region: + name: s3-secret + key: AWS_REGION + wal: + compression: gzip + maxParallel: 8 + resources: requests: cpu: 100m @@ -33,3 +51,6 @@ spec: limits: cpu: 500m memory: 500Mi + + monitoring: + enablePodMonitor: true diff --git a/manifests/deployment.yaml b/manifests/deployment.yaml index f958e7e..57e097b 100644 --- a/manifests/deployment.yaml +++ b/manifests/deployment.yaml @@ -1,10 +1,3 @@ -# TODO -# -# Update var envs -# Create necessary secrets -# Explore volume organisation -# Test multiple replicas configuration - apiVersion: apps/v1 kind: Deployment metadata: @@ -25,7 +18,13 @@ spec: containers: - name: zitadel image: ghcr.io/zitadel/zitadel:v2.51.3 - command: ["/app/zitadel", "start-from-init", "--config", "/tmp/config.yaml", "--steps", "/tmp/first-step.yaml", "--masterkey", "'MasterkeyNeedsToHave32Characte'", "--tlsMode", "external"] + command: [ + "/app/zitadel", "start-from-init", + "--config", "/tmp/config.yaml", + "--steps", "/tmp/first-step.yaml", + "--masterkeyFromEnv", + "--tlsMode", "external" + ] ports: - containerPort: 8080 env: 
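Review bot: `storageClass: local-path` ties each of the three instances' volumes to the node that first scheduled the pod (assuming this is the node-local local-path provisioner — confirm), so a lost node loses that replica's data and a rescheduled pod cannot follow its volume; with CNPG's default anti-affinity you also need at least three schedulable nodes or one instance stays Pending. The change from `redundant-storage-class` therefore makes the object-store backups added later in this file the only durability beyond replication, and that assumption deserves a comment: `storageClass: local-path  # node-local volumes: replication + object-store backups are the only durability`. The `bootstrap` stanza continues outside the hunk.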
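Review bot: The new `backup.barmanObjectStore` stanza has no `retentionPolicy`, so base backups and archived WAL accumulate in `s3://halis/cloudnativepg` indefinitely; add e.g. `retentionPolicy: "30d"` as a sibling of `barmanObjectStore` so the operator prunes the object store. The stanza also depends on a Secret `s3-secret` in the `zitadel` namespace that is not defined in these manifests — presumably it is delivered by the `zitadel-secrets` Argo Application added in secrets.yaml — and a comment naming that source, e.g. `# s3-secret is provided by the zitadel-secrets Argo Application, not by this kustomization`, would save the next operator a search. Until that Secret exists the ScheduledBackup in database-backup.yaml cannot run.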
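Review bot: `--masterkeyFromEnv` takes the literal masterkey off the command line, but the value it replaces (`'MasterkeyNeedsToHave32Characte'`, a docs-style placeholder) sat in git history, and ZITADEL uses the masterkey to encrypt its stored keys, so an instance already initialized with it cannot simply be handed a different value through the `zitadel-masterkey` Secret — if this deployment was ever bootstrapped with the old value, plan a re-initialization or key migration rather than only loading the Secret, otherwise the exposed key stays in use (inferred from the diff; confirm against the live instance). Separately, a flow sequence spread over six lines mixes both collection styles; the block form below keeps one flag per line for cleaner diffs and matches the `env` list further down. The container spec continues outside the hunk.
```yaml
command:
  - "/app/zitadel"
  - "start-from-init"
  - "--config"
  - "/tmp/config.yaml"
  - "--steps"
  - "/tmp/first-step.yaml"
  - "--masterkeyFromEnv"
  - "--tlsMode"
  - "external"
# … unchanged: ports, env, volumeMounts …
```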
@@ -62,15 +61,25 @@ spec: - name: ZITADEL_EXTERNALSECURE value: "true" - name: ZITADEL_EXTERNALDOMAIN - value: "zitadel.beta.halia.dev" + value: "zitadel.halis.io" + - name: ZITADEL_MASTERKEY + valueFrom: + secretKeyRef: + name: zitadel-masterkey + key: masterkey + - name: ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_COST + value: "12" volumeMounts: - mountPath: "/tmp/config.yaml" name: zitadel-config subPath: config.yaml - mountPath: "/tmp/first-step.yaml" - name: zitadel-config + name: zitadel-secret-config subPath: first-step.yaml volumes: - name: zitadel-config configMap: name: zitadel-config + - name: zitadel-secret-config + secret: + secretName: zitadel-secret-config diff --git a/manifests/ingress.yaml b/manifests/ingress.yaml index 16b993e..f7be13f 100644 --- a/manifests/ingress.yaml +++ b/manifests/ingress.yaml @@ -1,19 +1,26 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute +apiVersion: networking.k8s.io/v1 +kind: Ingress metadata: - name: zitadel-ingress - namespace: zitadel - annotations: - kubernetes.io/ingress.class: "traefik" - traefik.ingress.kubernetes.io/preserve-host-header: "true" + name: zitadel-ingress + namespace: zitadel + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + kubernetes.io/ingress.class: nginx-external + acme.cert-manager.io/http01-edit-in-place: "true" spec: - entryPoints: - - websecure - routes: - - kind: Rule - match: Host(`zitadel.beta.halia.dev`) - services: - - name: zitadel-svc - namespace: zitadel - port: 80 - passHostHeader: true + tls: + - hosts: + - zitadel.halis.io + secretName: zitadel-halis-io-tls + ingressClassName: nginx-external + rules: + - host: zitadel.halis.io + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: zitadel-svc + port: + number: 80 diff --git a/manifests/kustomization.yaml b/manifests/kustomization.yaml index f6fe158..a7cdb13 100644 --- a/manifests/kustomization.yaml +++ b/manifests/kustomization.yaml 
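Review bot: The Secrets `zitadel-masterkey` and `zitadel-secret-config` that the new env entry and volume reference are not defined anywhere in these manifests; presumably they come from the `zitadel-secrets` Argo Application in secrets.yaml, and until that sync lands the pod sits in CreateContainerConfigError. A comment above the new volume recording the source would help: `# provided by the zitadel-secrets Argo Application (secrets.yaml), not by this kustomization`. Note also that a `subPath` mount of a Secret is not refreshed when the Secret changes, so an updated first-step.yaml only takes effect after a pod restart — acceptable for a one-shot bootstrap file, but worth stating next to the mount. The `env` list begins outside the hunk.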
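Review bot: `kubernetes.io/ingress.class: nginx-external` in the annotations duplicates the new `ingressClassName: nginx-external` below it; the annotation has been deprecated since the IngressClass API arrived and some controllers warn when both are set, so drop the annotation and keep `ingressClassName`. The old IngressRoute preserved the Host header explicitly (`passHostHeader: true`); ingress-nginx forwards it by default, but because ZITADEL resolves the instance from the Host header against `ExternalDomain`, it is worth confirming the rendered nginx config after the switch rather than assuming it.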
@@ -1,13 +1,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: zitadel - resources: - namespace.yaml + - secrets.yaml - service.yaml - ingress.yaml - database.yaml + - database-backup.yaml - configmap.yaml - deployment.yaml - diff --git a/manifests/secret.yaml b/manifests/secret.yaml deleted file mode 100644 index e69de29..0000000 diff --git a/manifests/secrets.yaml b/manifests/secrets.yaml new file mode 100644 index 0000000..22668c2 --- /dev/null +++ b/manifests/secrets.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: zitadel-secrets + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://git.halis.io/athens-school/k3s-secrets.git + targetRevision: prod-migration + path: zitadel + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=false + - ApplyOutOfSyncOnly=true + - PruneLast=true + destination: + server: https://kubernetes.default.svc + namespace: zitadel
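Review bot: Dropping `namespace: zitadel` means the kustomization no longer forces a namespace, so every resource now depends on its own `metadata.namespace` — the ones visible in this patch set it, but a future manifest that omits it silently lands in `default`. The removal is presumably required because secrets.yaml is an Argo Application that must live in `argocd`; a comment saying so would stop the next editor from restoring the override: `# no namespace override: secrets.yaml must land in argocd, every other resource sets metadata.namespace itself`.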
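Review bot: `project: default` combined with `automated.prune: true` and `selfHeal: true` gives the default AppProject — which normally permits any source repo and any destination — an automated sync of the secrets repository; a dedicated AppProject with `sourceRepos` limited to the k3s-secrets repo and `destinations` limited to the `zitadel` namespace is the least-privilege choice. Pruning also means a secret removed from the repo by mistake is deleted from the cluster, which would take the ZITADEL deployment down with it (masterkey, first-step config and presumably `s3-secret` all come from here). `targetRevision: prod-migration` reads like a transient branch for a production secrets source; confirm it is the intended long-lived revision or pin it. The `resources-finalizer.argocd.argoproj.io` finalizer makes deleting this Application cascade to every secret it manages, which deserves a comment next to it.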