From e05a9134302b08acc612a38140fe3f659a78f1d9 Mon Sep 17 00:00:00 2001
From: Tanguy Herbron
Date: Wed, 8 May 2024 09:44:04 +0200
Subject: [PATCH] WIP: Initial commit

Includes a basic docker-compose and a hopefully working k8s manifest set.
---
docker-compose.yml | 46 +++++++++++++++++++++++++
manifests/database.yaml | 35 +++++++++++++++++++
manifests/deployment.yaml | 65 ++++++++++++++++++++++++++++++++++++
manifests/ingress.yaml | 23 +++++++++++++
manifests/kustomization.yaml | 11 ++++++
manifests/namespace.yaml | 4 +++
manifests/secret.yaml | 0
manifests/service.yaml | 13 ++++++++
8 files changed, 197 insertions(+)
create mode 100644 docker-compose.yml
create mode 100644 manifests/database.yaml
create mode 100644 manifests/deployment.yaml
create mode 100644 manifests/ingress.yaml
create mode 100644 manifests/kustomization.yaml
create mode 100644 manifests/namespace.yaml
create mode 100644 manifests/secret.yaml
create mode 100644 manifests/service.yaml

diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..cc51159
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,46 @@
+version: '3.8'
+
+services:
+ zitadel:
+ restart: 'always'
+ networks:
+ - 'zitadel'
+ image: 'ghcr.io/zitadel/zitadel:latest'
+ command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled'
+ environment:
+ - 'ZITADEL_DATABASE_POSTGRES_HOST=db'
+ - 'ZITADEL_DATABASE_POSTGRES_PORT=5432'
+ - 'ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel'
+ - 'ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel'
+ - 'ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=zitadel'
+ - 'ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable'
+ - 'ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=postgres'
+ - 'ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=postgres'
+ - 'ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable'
+ - 'ZITADEL_EXTERNALSECURE=false'
+ - 'ZITADEL_EXTERNALDOMAIN=diogenes.halia'
+ depends_on:
+ db:
+ condition: 'service_healthy'
+ ports:
+ - '8080:8080'
+
+ db:
+ restart: 'always'
+ image: postgres:16-alpine
+ environment:
+ - POSTGRES_USER=postgres
+ - POSTGRES_PASSWORD=postgres
+ networks:
+ - 'zitadel'
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready", "-d", "db_prod"]
+ interval: '10s'
+ timeout: '30s'
+ retries: 5
+ start_period: '20s'
+ ports:
+ - '5432:5432'
+
+networks:
+ zitadel:
diff --git a/manifests/database.yaml b/manifests/database.yaml
new file mode 100644
index 0000000..17f00df
--- /dev/null
+++ b/manifests/database.yaml
@@ -0,0 +1,35 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: zitadel-db
+ namespace: zitadel
+
+spec:
+ instances: 2
+
+ storage:
+ size: 1Gi
+ storageClass: redundant-storage-class
+
+ bootstrap:
+ initdb:
+ database: zitadel
+ owner: zitadel
+ secret:
+ name: zitadel-db-user
+
+ enableSuperuserAccess: true
+ superuserSecret:
+ name: zitadel-db-superuser
+
+ postgresql:
+ pg_hba:
+ - host all all all md5
+
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ limits:
+ cpu: 500m
+ memory: 500Mi
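Review bot: The `command:` line embeds the ZITADEL master key (`MasterkeyNeedsToHave32Characters`, which reads like a documentation placeholder) directly in the compose file, so it is committed in plaintext and reused by anyone who copies the file; keep it in an untracked `.env`/secret and pass it through `ZITADEL_MASTERKEY` with `--masterkeyFromEnv` instead of `--masterkey`. The `db` service also publishes `'5432:5432'` on the host while carrying the default `postgres`/`postgres` admin credentials, yet `zitadel` only reaches it over the `zitadel` network, so dropping the `ports:` entry under `db` removes a host-exposed database for no loss of function. The healthcheck is written as `["CMD-SHELL", "pg_isready", "-d", "db_prod"]`; with `CMD-SHELL` the second element is the whole shell command, so `-d db_prod` is most likely ignored (and `db_prod` is not a database this stack creates) — `test: ["CMD", "pg_isready", "-U", "postgres"]` is the explicit form.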
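Review bot: The `pg_hba` entry `host all all all md5` opens password authentication for every role from every address, and it sits next to `enableSuperuserAccess: true`, so the superuser is reachable from anything that can route to the cluster's services rather than only the ZITADEL pods; if a custom rule is needed at all, scope it (for example `host zitadel zitadel all scram-sha-256`) and prefer `scram-sha-256` over `md5`, since the operator's default rules, as far as I recall, already end with a password rule. The `bootstrap.initdb.secret` (`zitadel-db-user`) and `superuserSecret` (`zitadel-db-superuser`) are referenced here and read by deployment.yaml, but nothing in this commit creates them — `manifests/secret.yaml` is empty and kustomization.yaml does not list it — so the Cluster cannot bootstrap until they exist out of band. A comment such as `# requires Secrets zitadel-db-user and zitadel-db-superuser (keys: username, password), created outside this kustomization` above `bootstrap:` would make that precondition explicit. `storageClass: redundant-storage-class` also looks like a placeholder that needs confirming against the target cluster.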
diff --git a/manifests/deployment.yaml b/manifests/deployment.yaml
new file mode 100644
index 0000000..ec903d6
--- /dev/null
+++ b/manifests/deployment.yaml
@@ -0,0 +1,65 @@
+# TODO
+#
+# Update var envs
+# Create necessary secrets
+# Explore volume organisation
+# Test multiple replicas configuration
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: zitadel
+ namespace: zitadel
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: zitadel
+ template:
+ metadata:
+ labels:
+ app: zitadel
+ spec:
+ hostname: zitadel
+ subdomain: zitadel
+ containers:
+ - name: zitadel
+ image: ghcr.io/zitadel/zitadel:v2.50.0-rc.2
+ command: ["/app/zitadel", "start-from-init", "--masterkey", "'MasterkeyNeedsToHave32Characte'", "--tlsMode", "external"]
+ ports:
+ - containerPort: 8080
+ env:
+ - name: ZITADEL_DATABASE_POSTGRES_HOST
+ value: "zitadel-db-rw.zitadel.svc.cluster.local"
+ - name: ZITADEL_DATABASE_POSTGRES_PORT
+ value: "5432"
+ - name: ZITADEL_DATABASE_POSTGRES_DATABASE
+ value: "zitadel"
+ - name: ZITADEL_DATABASE_POSTGRES_USER_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: zitadel-db-user
+ key: username
+ - name: ZITADEL_DATABASE_POSTGRES_USER_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: zitadel-db-user
+ key: password
+ - name: ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE
+ value: "disable"
+ - name: ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: zitadel-db-superuser
+ key: username
+ - name: ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: zitadel-db-superuser
+ key: password
+ - name: ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE # Note : Does not need to be secure, as everything is internal to the cluster
+ value: "disable"
+ - name: ZITADEL_EXTERNALSECURE
+ value: "false"
+ - name: ZITADEL_EXTERNALDOMAIN
+ value: "https://zitadel.beta.halia.dev"
diff --git a/manifests/ingress.yaml b/manifests/ingress.yaml
new file mode 100644
index 0000000..d59867a
--- /dev/null
+++ b/manifests/ingress.yaml
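Review bot: The `command:` array passes the master key inline as `"'MasterkeyNeedsToHave32Characte'"`; there is no shell in an exec-form command, so the single quotes become part of the 32-byte key (the bare value is only 30 characters), which means any later "fix" of the quoting silently changes the key and makes everything already encrypted with it unreadable, on top of the key being committed in plaintext. Supply it from a Secret instead: `command: ["/app/zitadel", "start-from-init", "--masterkeyFromEnv", "--tlsMode", "external"]` plus an `env` entry named `ZITADEL_MASTERKEY` with a `secretKeyRef`, which also fits the "Create necessary secrets" TODO at the top of the file. `ZITADEL_EXTERNALDOMAIN` is set to the URL `"https://zitadel.beta.halia.dev"` while ingress.yaml terminates TLS for that host and `ZITADEL_EXTERNALSECURE` is `"false"`; as far as I know ZITADEL expects a bare hostname there and derives the scheme from `ZITADEL_EXTERNALSECURE`, so this should read `value: "zitadel.beta.halia.dev"` with `ZITADEL_EXTERNALSECURE` set to `"true"` (and likely `ZITADEL_EXTERNALPORT` `"443"`) or issued URLs and cookies will be wrong behind the TLS ingress. The `# Note : Does not need to be secure` comment on `ADMIN_SSL_MODE` claims more than in-cluster placement supports; a CNPG cluster serves TLS by default, so `"require"` for both `_SSL_MODE` values costs nothing and deserves a TODO alongside the existing ones.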
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: zitadel-ingress
+ namespace: zitadel
+ annotations:
+ kubernetes.io/ingress.class: "traefik"
+spec:
+ tls:
+ - secretName: zitadel-beta-tls
+ hosts:
+ - zitadel.beta.halia.dev
+ rules:
+ - host: zitadel.beta.halia.dev
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: zitadel-svc
+ port:
+ number: 80
diff --git a/manifests/kustomization.yaml b/manifests/kustomization.yaml
new file mode 100644
index 0000000..ac002a9
--- /dev/null
+++ b/manifests/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: zitadel
+
+resources:
+ - namespace.yaml
+ - service.yaml
+ - ingress.yaml
+ - database.yaml
+ - deployment.yaml
diff --git a/manifests/namespace.yaml b/manifests/namespace.yaml
new file mode 100644
index 0000000..80de841
--- /dev/null
+++ b/manifests/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: zitadel
diff --git a/manifests/secret.yaml b/manifests/secret.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/manifests/service.yaml b/manifests/service.yaml
new file mode 100644
index 0000000..3d4c717
--- /dev/null
+++ b/manifests/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: zitadel-svc
+ namespace: zitadel
+spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: zitadel
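Review bot: `kubernetes.io/ingress.class: "traefik"` is the deprecated annotation form; a `networking.k8s.io/v1` Ingress should set `spec.ingressClassName: traefik` and the annotation can go. The TLS secret `zitadel-beta-tls` is referenced but created nowhere in this commit and there is no cert-manager annotation or `Certificate` resource, so either document how it is provisioned (`# zitadel-beta-tls is issued out of band — TODO: cert-manager`) or add the issuer annotation, otherwise the host falls back to the controller's default certificate. ZITADEL also serves its gRPC API on the same 8080 port over h2c; with Traefik the backend scheme most likely has to be configured as h2c for the gRPC endpoints to work through this ingress, which is worth verifying before relying on the API from outside the cluster.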