From 7c0db9861f2f30854d9c1fdf384b153a5271bacf Mon Sep 17 00:00:00 2001 From: Haim Kortovich Date: Mon, 27 May 2024 22:29:43 -0500 Subject: [PATCH] Add rootTlsSecret [ZITADOPER-1] --- ops/chart/crds/zitadelcluster-crd.yaml | 15 ++++++++++++++ src/api/v1alpha1/zitadelcluster_types.go | 3 ++- src/api/v1alpha1/zz_generated.deepcopy.go | 1 + ...zitadel.topmanage.com_zitadelclusters.yaml | 15 ++++++++++++++ src/pkg/builder/job_builder.go | 20 +++++++++++++++++++ src/pkg/controller/configmap/controller.go | 3 +++ 6 files changed, 56 insertions(+), 1 deletion(-) diff --git a/ops/chart/crds/zitadelcluster-crd.yaml b/ops/chart/crds/zitadelcluster-crd.yaml index 10b2e9f..3f89183 100644 --- a/ops/chart/crds/zitadelcluster-crd.yaml +++ b/ops/chart/crds/zitadelcluster-crd.yaml @@ -175,6 +175,20 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object + rootTLSSecret: + description: SecretReference represents a Secret Reference. It has + enough information to retrieve secret in any namespace + properties: + name: + description: name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: namespace defines the space within which the secret + name must be unique. + type: string + type: object + x-kubernetes-map-type: atomic serviceAnnotations: additionalProperties: type: string @@ -235,6 +249,7 @@ spec: - image - purpose - resources + - rootTLSSecret - smtpConfig type: object status: diff --git a/src/api/v1alpha1/zitadelcluster_types.go b/src/api/v1alpha1/zitadelcluster_types.go index 89c2ce5..c719b2f 100644 --- a/src/api/v1alpha1/zitadelcluster_types.go +++ b/src/api/v1alpha1/zitadelcluster_types.go 
@@ -82,7 +82,8 @@ type ZitadelClusterSpec struct { ServiceAnnotations map[string]string `json:"serviceAnnotations,omitempty"` // +kubebuilder:default=3 // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:podCount"} - Replicas int32 `json:"replicas,omitempty"` + Replicas int32 `json:"replicas,omitempty"` + RootTLSSecret corev1.SecretReference `json:"rootTLSSecret"` } // ZitadelClusterStatus defines the observed state of ZitadelCluster diff --git a/src/api/v1alpha1/zz_generated.deepcopy.go b/src/api/v1alpha1/zz_generated.deepcopy.go index c8a94a7..4dcfe0e 100644 --- a/src/api/v1alpha1/zz_generated.deepcopy.go +++ b/src/api/v1alpha1/zz_generated.deepcopy.go @@ -870,6 +870,7 @@ func (in *ZitadelClusterSpec) DeepCopyInto(out *ZitadelClusterSpec) { (*out)[key] = val } } + out.RootTLSSecret = in.RootTLSSecret } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZitadelClusterSpec. diff --git a/src/config/crd/bases/zitadel.topmanage.com_zitadelclusters.yaml b/src/config/crd/bases/zitadel.topmanage.com_zitadelclusters.yaml index 0da1228..cc22bb0 100644 --- a/src/config/crd/bases/zitadel.topmanage.com_zitadelclusters.yaml +++ b/src/config/crd/bases/zitadel.topmanage.com_zitadelclusters.yaml @@ -176,6 +176,20 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object + rootTLSSecret: + description: SecretReference represents a Secret Reference. It has + enough information to retrieve secret in any namespace + properties: + name: + description: name is unique within a namespace to reference a + secret resource. + type: string + namespace: + description: namespace defines the space within which the secret + name must be unique. + type: string + type: object + x-kubernetes-map-type: atomic serviceAnnotations: additionalProperties: type: string 
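Review bot: `RootTLSSecret` is typed as `corev1.SecretReference`, which carries a `Namespace`, but the only consumer in this patch (`BuildInitJob` in job_builder.go) copies `.Name` into a `SecretVolumeSource`, which can only mount a Secret from the Job's own namespace; a user who fills in `namespace` gets a pod stuck on a missing volume instead of a validation error, so either narrow the type to `corev1.LocalObjectReference` or document the limit. The new exported field also has no doc comment; something like `// RootTLSSecret references the Secret holding ca.crt, tls.crt and tls.key for the CockroachDB admin TLS connection; it must live in the ZitadelCluster's namespace and Namespace is ignored.` would do. The CRD lists `rootTLSSecret` as required, yet both nested properties are optional, so `rootTLSSecret: {}` passes schema validation and produces an empty `SecretName` downstream; if the cluster's API server supports CEL, a `// +kubebuilder:validation:XValidation:rule="has(self.name) && self.name != ''"` marker on the field (or a check in the reconciler) would reject that early. The enclosing `ZitadelClusterSpec` struct starts before this hunk.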
@@ -236,6 +250,7 @@ spec: - image - purpose - resources + - rootTLSSecret - smtpConfig type: object status: diff --git a/src/pkg/builder/job_builder.go b/src/pkg/builder/job_builder.go index 46a2655..cec29c6 100644 --- a/src/pkg/builder/job_builder.go +++ b/src/pkg/builder/job_builder.go @@ -37,6 +37,11 @@ func (b *Builder) BuildInitJob(zitadel *zitadelv1alpha1.ZitadelCluster, key type }, EnableServiceLinks: &enableServiceLinks, Volumes: []corev1.Volume{ + {Name: "certs", VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: zitadel.Spec.RootTLSSecret.Name, + }, + }}, {Name: "zitadel-config-yaml", VolumeSource: corev1.VolumeSource{ConfigMap: &corev1.ConfigMapVolumeSource{LocalObjectReference: corev1.LocalObjectReference{Name: configuration.ConfigurationName(zitadel)}}}}, }, Containers: []corev1.Container{ @@ -47,8 +52,23 @@ func (b *Builder) BuildInitJob(zitadel *zitadelv1alpha1.ZitadelCluster, key type "init", "--config", "/config/zitadel-config-yaml", }, + Env: []corev1.EnvVar{ + { + Name: "ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_ROOTCERT", + Value: "/certs/ca.crt", + }, + { + Name: "ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_CERT", + Value: "/certs/tls.crt", + }, + { + Name: "ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_KEY", + Value: "/certs/tls.key", + }, + }, VolumeMounts: []corev1.VolumeMount{ {Name: "zitadel-config-yaml", MountPath: "/config"}, + {Name: "certs", MountPath: "/certs"}, }, }, }, diff --git a/src/pkg/controller/configmap/controller.go b/src/pkg/controller/configmap/controller.go index 60554a0..ec35f80 100644 --- a/src/pkg/controller/configmap/controller.go +++ b/src/pkg/controller/configmap/controller.go @@ -33,6 +33,9 @@ func (r *ConfigMapReconciler) ReconcileZitadelConfiguration(ctx context.Context, Database: Cockroach: Host: %s + Admin: + SSL: + Mode: require ExternalDomain: %s ExternalPort: %d ExternalSecure: %t
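Review bot: The new `certs` Secret volume is projected with the Kubernetes default file mode (0644), so `tls.key`, a private key, is readable by every user in the container; a restrictive mode is a one-line addition, e.g. declare `certsMode := int32(0400)` before the PodSpec literal and add `DefaultMode: &certsMode,` below `SecretName`. Only `RootTLSSecret.Name` is consulted here, so a `Namespace` set on the SecretReference is silently dropped and an empty name yields a volume with an empty `SecretName` that surfaces only as a mount failure on the pod, which is hard to trace back to the CR; validating the name in the reconciler before building the Job would give a clearer error. The `BuildInitJob` body begins before this hunk and continues into the next one.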
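Review bot: The new `certs` mount is writable although the container only reads certificate material from it; `{Name: "certs", MountPath: "/certs", ReadOnly: true},` is the safer form. The three `ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_*` values also fix the Secret's key names to `ca.crt`, `tls.crt` and `tls.key`; `ca.crt` is not a mandatory key of a `kubernetes.io/tls` Secret, so a Secret lacking it presumably fails only when the init container opens the root cert, not at reconcile time, which is worth stating in the `RootTLSSecret` field documentation or checking when the Secret is read. `BuildInitJob` continues outside this hunk.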
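Review bot: `Mode: require` does not give the admin connection server authentication: depending on the driver, `require` either skips certificate verification entirely or, in libpq-compatible drivers when a root cert is present, checks the chain but not the hostname, so the `ca.crt` that job_builder.go now exposes as `ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_ROOTCERT` is not fully used. With a root certificate available, `Mode: verify-full` is the unambiguous setting, provided the mounted `ca.crt` signs the CockroachDB server certificate for the configured `Host`. Note also that only the `Admin` block gains an SSL mode here; if the `User` connection is meant to use TLS as well, this patch does not configure it. The format string this hunk edits starts before the hunk and ends after it.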