From 4efee8f3454bfe5b3cd80ed1066c90628f0fd45f Mon Sep 17 00:00:00 2001
From: ostempel
Date: Mon, 3 Nov 2025 11:39:38 +0100
Subject: [PATCH 01/20] add zitadel oidc
---
 deploy_control_plane.yaml | 2 +
 roles/zitadel/README.md | 7 ++
 roles/zitadel/defaults/main.yaml | 2 +
 roles/zitadel/tasks/main.yaml | 22 ++++++
 roles/zitadel/templates/postgres.yaml | 102 +++++++++++++++++++++++++
 roles/zitadel/templates/values.yaml.j2 | 39 ++++++++++
 6 files changed, 174 insertions(+)
 create mode 100644 roles/zitadel/README.md
 create mode 100644 roles/zitadel/defaults/main.yaml
 create mode 100644 roles/zitadel/tasks/main.yaml
 create mode 100644 roles/zitadel/templates/postgres.yaml
 create mode 100644 roles/zitadel/templates/values.yaml.j2
diff --git a/deploy_control_plane.yaml b/deploy_control_plane.yaml
index 2b0312cc..d1167c97 100644
--- a/deploy_control_plane.yaml
+++ b/deploy_control_plane.yaml
@@ -27,6 +27,8 @@ tags: valkey
 - name: auth-dex
 tags: auth
+ - name: zitadel
+ tags: auth
 - name: metal-roles/control-plane/roles/metal
 tags: metal
diff --git a/roles/zitadel/README.md b/roles/zitadel/README.md
new file mode 100644
index 00000000..8f036413
--- /dev/null
+++ b/roles/zitadel/README.md
@@ -0,0 +1,7 @@
+# Zitadel
+
+Role that deploys and manages and configures Zitadel, an open-source identity and access management system.
+
+## UI
+
+Because `ExternalSecure: true` is set by default, Zitadel will be available over HTTPS. We may need to change this to `false` if we want to use HTTP.
diff --git a/roles/zitadel/defaults/main.yaml b/roles/zitadel/defaults/main.yaml
new file mode 100644
index 00000000..bacd9a28
--- /dev/null
+++ b/roles/zitadel/defaults/main.yaml
@@ -0,0 +1,2 @@
+---
+zitadel_chart_version: "9.12.3"
\ No newline at end of file
diff --git a/roles/zitadel/tasks/main.yaml b/roles/zitadel/tasks/main.yaml
new file mode 100644
index 00000000..6dbb5a70
--- /dev/null
+++ b/roles/zitadel/tasks/main.yaml
@@ -0,0 +1,22 @@
+---
+
+- name: Add stable Zitadel Helm repository
+ kubernetes.core.helm_repository:
+ name: zitadel
+ repo_url: https://charts.zitadel.com/
+
+- name: Deploy postgresql for Zitadel
+ kubernetes.core.k8s:
+ state: present
+ definition: "{{ lookup('template', 'postgres.yaml') }}"
+ namespace: zitadel
+
+- name: Deploy Zitadel
+ kubernetes.core.helm:
+ chart_ref: zitadel/zitadel
+ chart_version: "{{ zitadel_chart_version }}"
+ release_name: zitadel
+ release_namespace: zitadel
+ create_namespace: true
+ values: "{{ lookup('template', 'values.yaml.j2') | from_yaml }}"
+ wait: true
\ No newline at end of file
diff --git a/roles/zitadel/templates/postgres.yaml b/roles/zitadel/templates/postgres.yaml
new file mode 100644
index 00000000..e2cdfb28
--- /dev/null
+++ b/roles/zitadel/templates/postgres.yaml
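Review bot: The "Deploy postgresql for Zitadel" task applies the manifests and returns immediately, so the Helm install that follows (its `wait: true` only covers the Zitadel release) can start Zitadel's setup against a database that is not yet accepting connections; whether that is tolerated depends on the chart's retry behaviour, which is not visible here. Adding `wait: true` to the `kubernetes.core.k8s` task (with a `wait_condition` on the Deployment's Available condition for a stricter gate) makes the ordering explicit instead of incidental. The namespace string `zitadel` is repeated in `namespace`, `release_namespace` and the template's Namespace object; a single role default (a `zitadel_namespace` variable, name constructed) would keep them in sync. The file also ends without a trailing newline.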
@@ -0,0 +1,102 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: zitadel
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: zitadel-postgresql
+ labels:
+ app.kubernetes.io/component: database
+spec:
+ type: ClusterIP
+ ports:
+ - port: 5432
+ targetPort: postgresql
+ protocol: TCP
+ name: postgresql
+ selector:
+ app.kubernetes.io/component: database
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: zitadel-postgresql
+ labels:
+ app.kubernetes.io/component: database
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 8Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: zitadel-postgresql
+ labels:
+ app.kubernetes.io/name: zitadel
+ app.kubernetes.io/component: database
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: zitadel
+ app.kubernetes.io/component: database
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: zitadel
+ app.kubernetes.io/component: database
+ spec:
+ containers:
+ - name: postgresql
+ image: postgres:17-alpine
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: postgresql
+ containerPort: 5432
+ protocol: TCP
+ env:
+ - name: POSTGRES_USER
+ value: postgres
+ - name: POSTGRES_PASSWORD
+ value: postgres
+ - name: POSTGRES_DB
+ value: postgres
+ livenessProbe:
+ exec:
+ command:
+ - pg_isready
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 3
+ readinessProbe:
+ exec:
+ command:
+ - pg_isready
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 3
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ volumeMounts:
+ - name: data
+ mountPath: /var/lib/postgresql/data
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: zitadel-postgresql
+---
\ No newline at end of file
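Review bot: The database superuser credentials are literal `value: postgres` entries under `POSTGRES_USER` / `POSTGRES_PASSWORD` in the Deployment, so the password lives in plain text in the rendered manifest, in this repository and in `kubectl describe` output; even for a lab, sourcing them from a Kubernetes Secret through `valueFrom.secretKeyRef` keeps them out of the template. A functional problem on the same Deployment: it mounts a `ReadWriteOnce` PVC with the default RollingUpdate strategy, so any later change spawns a second pod that cannot attach the same volume and the rollout hangs; `strategy: type: Recreate` is the usual choice for a single-replica database. The Service selector matches only `app.kubernetes.io/component: database`, which is broader than the Deployment's own selector and would also route to any other pod in the namespace carrying that label.
```yaml
spec:
  replicas: 1
  strategy:
    type: Recreate
  # … unchanged: selector, template metadata …
        env:
          - name: POSTGRES_USER
            valueFrom:
              secretKeyRef:
                name: <postgres-credentials-secret>   # placeholder: Secret created by the role
                key: username
          - name: POSTGRES_PASSWORD
            valueFrom:
              secretKeyRef:
                name: <postgres-credentials-secret>   # placeholder, same Secret
                key: password
  # … unchanged: POSTGRES_DB, probes, resources, volumeMounts, volumes …
```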
diff --git a/roles/zitadel/templates/values.yaml.j2 b/roles/zitadel/templates/values.yaml.j2
new file mode 100644
index 00000000..8574fa0d
--- /dev/null
+++ b/roles/zitadel/templates/values.yaml.j2
@@ -0,0 +1,39 @@
+---
+zitadel:
+ masterkey: x123456789012345678901234567891y
+ secretConfig:
+ Database:
+ Postgres:
+ User:
+ Password: postgres
+ Admin:
+ Password: postgres
+ configmapConfig:
+ ExternalDomain: zitadel.172.17.0.1.nip.io
+ ExternalPort: 80
+ TLS:
+ Enabled: false
+ Database:
+ Postgres:
+ Host: zitadel-postgresql
+ Port: 5432
+ Database: zitadel
+ MaxOpenConns: 20
+ MaxIdleConns: 10
+ MaxConnLifetime: 30m
+ MaxConnIdleTime: 5m
+ User:
+ Username: postgres
+ SSL:
+ Mode: disable
+ Admin:
+ Username: postgres
+ SSL:
+ Mode: disable
+ingress:
+ enabled: true
+ className: nginx
+login:
+ ingress:
+ enabled: true
+ className: nginx
\ No newline at end of file
From 4b474c9ecc8a2bd8207e5e665cd091b24db1ab33 Mon Sep 17 00:00:00 2001
From: ostempel
Date: Wed, 5 Nov 2025 15:31:44 +0100
Subject: [PATCH 02/20] draft oidc default configuration
---
 roles/zitadel/defaults/main.yaml | 17 ++++-
 roles/zitadel/files/go.mod | 32 ++++++++++
 roles/zitadel/files/go.sum | 89 +++++++++++++++++++++++++++
 roles/zitadel/files/zitadel_config.go | 64 +++++++++++++++++++
 roles/zitadel/tasks/main.yaml | 4 +-
 5 files changed, 204 insertions(+), 2 deletions(-)
 create mode 100644 roles/zitadel/files/go.mod
 create mode 100644 roles/zitadel/files/go.sum
 create mode 100644 roles/zitadel/files/zitadel_config.go
diff --git a/roles/zitadel/defaults/main.yaml b/roles/zitadel/defaults/main.yaml
index bacd9a28..b6457404 100644
--- a/roles/zitadel/defaults/main.yaml
+++ b/roles/zitadel/defaults/main.yaml
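Review bot: `masterkey: x123456789012345678901234567891y` and both `Password: postgres` entries are literal secrets in a template committed to the repository, and the `.j2` file contains no Jinja expression at all, so nothing in this deployment can be overridden per environment; render them from role variables instead, e.g. `masterkey: "{{ zitadel_masterkey }}"` and `Password: "{{ zitadel_db_password }}"` (variable names are suggestions), with real values supplied from a vault or secret store, because the masterkey encrypts Zitadel's stored secrets and is not trivial to rotate later. The runtime `User` and the setup `Admin` are both the `postgres` superuser; Zitadel needs the admin role only during setup, so a dedicated, less-privileged runtime role is the least-privilege configuration. `ExternalPort: 80` together with `TLS.Enabled: false` means the login flow and tokens travel in plaintext unless the nginx ingress terminates TLS in front — the README in this same commit says `ExternalSecure` defaults to true, so the intended scheme should be stated in one place rather than split between the README and these values.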
@@ -1,2 +1,17 @@
 ---
-zitadel_chart_version: "9.12.3"
\ No newline at end of file
+zitadel_chart_version: "9.12.3"
+
+zitadel_app:
+ - projectId: metal-stack
+ id: metal-stack
+ name: metal-stack
+ oidcConfig:
+ appType: OIDC_APP_TYPE_WEB # WEB
+ responseType: # CODE
+ - OIDC_RESPONSE_TYPE_CODE
+ grantTypes: # AUTHORIZATION_CODE
+ - OIDC_GRANT_TYPE_AUTHORIZATION_CODE
+ authMethod: OIDC_AUTH_METHOD_TYPE_POST # Post
+ accessTokenType: OIDC_TOKEN_TYPE_BEARER # Bearer
+ redirectUris:
+ - http://v2.api.172.17.0.1.nip.io:8080/auth/openid-connect/callback
diff --git a/roles/zitadel/files/go.mod b/roles/zitadel/files/go.mod
new file mode 100644
index 00000000..0871af6b
--- /dev/null
+++ b/roles/zitadel/files/go.mod
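Review bot: `redirectUris` in the new `zitadel_app` default bakes a lab-specific address (`v2.api.172.17.0.1.nip.io:8080`) over plain `http` into the role's defaults, so every consumer of the role registers that one redirect target and the authorization code is returned unencrypted; derive it from a variable for the API's external URL, e.g. `- "{{ metal_api_external_url }}/auth/openid-connect/callback"` (name is a suggestion), and keep the `http://` lab value as an explicit override. Nothing in this commit consumes `zitadel_app` yet (the tasks file only gains a TODO), which is fine for a draft but should be stated above the key, e.g. `# OIDC applications to register once Zitadel is up; not applied by the role yet`. The inline comments `# WEB`, `# CODE`, `# Post`, `# Bearer` only repeat the enum suffix; either drop them or say why POST client authentication and bearer access tokens were chosen.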
@@ -0,0 +1,32 @@ +module github.com/metal-stack/zitadel-init + +go 1.25 + +require github.com/zitadel/zitadel-go/v3 v3.14.3 + +require ( + github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect + github.com/go-jose/go-jose/v4 v4.1.2 // indirect + github.com/go-logr/logr v1.4.3 // indirect + github.com/go-logr/stdr v1.2.2 // indirect + github.com/gorilla/securecookie v1.1.2 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 // indirect + github.com/muhlemmer/gu v0.3.1 // indirect + github.com/sirupsen/logrus v1.9.3 // indirect + github.com/zitadel/logging v0.6.2 // indirect + github.com/zitadel/oidc/v3 v3.44.0 // indirect + github.com/zitadel/schema v1.3.1 // indirect + go.opentelemetry.io/auto/sdk v1.1.0 // indirect + go.opentelemetry.io/otel v1.37.0 // indirect + go.opentelemetry.io/otel/metric v1.37.0 // indirect + go.opentelemetry.io/otel/trace v1.37.0 // indirect + golang.org/x/crypto v0.39.0 // indirect + golang.org/x/net v0.40.0 // indirect + golang.org/x/oauth2 v0.30.0 // indirect + golang.org/x/sys v0.33.0 // indirect + golang.org/x/text v0.27.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect + google.golang.org/grpc v1.74.2 // indirect + google.golang.org/protobuf v1.36.7 // indirect +) diff --git a/roles/zitadel/files/go.sum b/roles/zitadel/files/go.sum new file mode 100644 index 00000000..7c5a027c --- /dev/null +++ b/roles/zitadel/files/go.sum 
@@ -0,0 +1,89 @@ +github.com/bmatcuk/doublestar/v4 v4.9.0 h1:DBvuZxjdKkRP/dr4GVV4w2fnmrk5Hxc90T51LZjv0JA= +github.com/bmatcuk/doublestar/v4 v4.9.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8= +github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU= +github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618= +github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops= +github.com/go-jose/go-jose/v4 v4.1.2 h1:TK/7NqRQZfgAh+Td8AlsrvtPoUyiHh0LqVvokh+1vHI= +github.com/go-jose/go-jose/v4 v4.1.2/go.mod h1:22cg9HWM1pOlnRiY+9cQYJ9XHmya1bYW8OeDM6Ku6Oo= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= +github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= +github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/uuid v1.6.0 
h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA= +github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90= +github.com/jeremija/gosubmit v0.2.8 h1:mmSITBz9JxVtu8eqbN+zmmwX7Ij2RidQxhcwRVI4wqA= +github.com/jeremija/gosubmit v0.2.8/go.mod h1:Ui+HS073lCFREXBbdfrJzMB57OI/bdxTiLtrDHHhFPI= +github.com/muhlemmer/gu v0.3.1 h1:7EAqmFrW7n3hETvuAdmFmn4hS8W+z3LgKtrnow+YzNM= +github.com/muhlemmer/gu v0.3.1/go.mod h1:YHtHR+gxM+bKEIIs7Hmi9sPT3ZDUvTN/i88wQpZkrdM= +github.com/muhlemmer/httpforwarded v0.1.0 h1:x4DLrzXdliq8mprgUMR0olDvHGkou5BJsK/vWUetyzY= +github.com/muhlemmer/httpforwarded v0.1.0/go.mod h1:yo9czKedo2pdZhoXe+yDkGVbU0TJ0q9oQ90BVoDEtw0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA= +github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= +github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/zitadel/logging v0.6.2 
h1:MW2kDDR0ieQynPZ0KIZPrh9ote2WkxfBif5QoARDQcU= +github.com/zitadel/logging v0.6.2/go.mod h1:z6VWLWUkJpnNVDSLzrPSQSQyttysKZ6bCRongw0ROK4= +github.com/zitadel/oidc/v3 v3.44.0 h1:wxpZm/VNQrWHGSB4Ld1rMcjpZvExHz+ikbNhzKyJOck= +github.com/zitadel/oidc/v3 v3.44.0/go.mod h1:5ki8s9CWoB4iGmtULndiVxwM8xt7IylZIaudro7jEq4= +github.com/zitadel/schema v1.3.1 h1:QT3kwiRIRXXLVAs6gCK/u044WmUVh6IlbLXUsn6yRQU= +github.com/zitadel/schema v1.3.1/go.mod h1:071u7D2LQacy1HAN+YnMd/mx1qVE2isb0Mjeqg46xnU= +github.com/zitadel/zitadel-go/v3 v3.14.3 h1:TxH1yS+0BOIgo/RsyqJHv35KREsl7PyPTq5o1kvuo7w= +github.com/zitadel/zitadel-go/v3 v3.14.3/go.mod h1:T8jYBDnhk1xiSw8OR3zpXeB5GI4VzkKgqnvz3WHkg9A= +go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= +go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= +go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ= +go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I= +go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE= +go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E= +go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs= +go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY= +go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis= +go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4= +go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4= +go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0= +golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM= +golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U= +golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= 
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= +golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= +golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= +golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4= +golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU= +google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY= +google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822/go.mod h1:h3c4v36UTKzUiuaOKQ6gr3S+0hovBtUrXzTG/i3+XEc= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 h1:fc6jSaCT0vBduLYZHYrBBNY4dsWuvgyff9noRNDdBeE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= +google.golang.org/grpc v1.74.2 h1:WoosgB65DlWVC9FqI82dGsZhWFNBSLjQ84bjROOpMu4= +google.golang.org/grpc v1.74.2/go.mod h1:CtQ+BGjaAIXHs/5YS3i473GqwBBa1zGQNevxdeBEXrM= +google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A= +google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod 
h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/roles/zitadel/files/zitadel_config.go b/roles/zitadel/files/zitadel_config.go new file mode 100644 index 00000000..3cbd5044 --- /dev/null +++ b/roles/zitadel/files/zitadel_config.go 
@@ -0,0 +1,64 @@
+package main
+
+import (
+ "context"
+ "log"
+ "log/slog"
+ "os"
+
+ "github.com/zitadel/zitadel-go/v3/pkg/client"
+ app "github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/app/v2beta"
+ "github.com/zitadel/zitadel-go/v3/pkg/zitadel"
+)
+
+func main() {
+ domain := "zitadel.172.17.0.1.nip.io"
+ token := "6YQZnz9sHSqCuWfPw620E3g3NqutTSXmEc_C1kBX6e4vuWTY2TD6DRPCks8Pn23g9ZQiaLo"
+
+ ctx := context.Background()
+
+ authOption := client.PAT(token)
+
+ api, err := client.New(ctx, zitadel.New(domain, zitadel.WithPort(4443), zitadel.WithInsecureSkipVerifyTLS()), client.WithAuth(authOption))
+ if err != nil {
+ slog.Error("could not create api client", "error", err)
+ os.Exit(1)
+ }
+
+ // resp, err := api.ManagementService().GetMyOrg(ctx, &management.GetMyOrgRequest{})
+ // if err != nil {
+ // slog.Error("gRPC call failed", "error", err)
+ // os.Exit(1)
+ // }
+
+ resp, err := api.AppServiceV2Beta().CreateApplication(ctx, &app.CreateApplicationRequest{
+ ProjectId: "345345430017671203",
+ Name: "metal-stack",
+ Id: "metal-stack",
+ CreationRequestType: &app.CreateApplicationRequest_OidcRequest{
+ OidcRequest: &app.CreateOIDCApplicationRequest{
+ RedirectUris: []string{
+ "http://v2.api.172.17.0.1.nip.io:8080/auth/openid-connect/callback",
+ },
+ ResponseTypes: []app.OIDCResponseType{
+ app.OIDCResponseType_OIDC_RESPONSE_TYPE_CODE,
+ },
+ GrantTypes: []app.OIDCGrantType{
+ app.OIDCGrantType_OIDC_GRANT_TYPE_AUTHORIZATION_CODE,
+ },
+ AppType: app.OIDCAppType_OIDC_APP_TYPE_WEB,
+ AuthMethodType: app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_POST,
+ AccessTokenType: app.OIDCTokenType_OIDC_TOKEN_TYPE_BEARER,
+ Version: app.OIDCVersion_OIDC_VERSION_1_0,
+ PostLogoutRedirectUris: []string{},
+ DevMode: true,
+ },
+ },
+ })
+ if err != nil {
+ slog.Error("gRPC call failed", "error", err)
+ os.Exit(1)
+ }
+
+ log.Printf("Successfully called API: Your application is %s", resp.AppId)
+}
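Review bot: The `token := "…"` line in `main` commits what looks like a live personal access token to the repository; a later patch in this series replaces it with a command-line argument, but that does not remove it from git history, so it should be treated as exposed and revoked in Zitadel. `zitadel.WithInsecureSkipVerifyTLS()` disables certificate verification for the API connection; that is defensible for the self-signed lab endpoint but should be opt-in (flag or environment variable) and carry a comment such as `// TLS verification disabled for the self-signed mini-lab endpoint only`. `ProjectId: "345345430017671203"` is an id from one particular instance that a fresh deployment will never have (the next patch already looks the project up instead), and `DevMode: true` is what allows the plain-http redirect URI to be accepted, which deserves the same lab-only note.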
diff --git a/roles/zitadel/tasks/main.yaml b/roles/zitadel/tasks/main.yaml index 6dbb5a70..b4b5f6c9 100644 --- a/roles/zitadel/tasks/main.yaml +++ b/roles/zitadel/tasks/main.yaml @@ -19,4 +19,6 @@ release_namespace: zitadel create_namespace: true values: "{{ lookup('template', 'values.yaml.j2') | from_yaml }}" - wait: true \ No newline at end of file + wait: true + +# TODO: Create initial OIDC app and admin user via API call or CLI \ No newline at end of file From b9fd3375240da680355771c91664c20bd59b506a Mon Sep 17 00:00:00 2001 From: ostempel Date: Thu, 6 Nov 2025 10:16:14 +0100 Subject: [PATCH 03/20] fix test-script --- roles/zitadel/files/zitadel_config.go | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/roles/zitadel/files/zitadel_config.go b/roles/zitadel/files/zitadel_config.go index 3cbd5044..d81482c0 100644 --- a/roles/zitadel/files/zitadel_config.go +++ b/roles/zitadel/files/zitadel_config.go @@ -8,12 +8,17 @@ import ( "github.com/zitadel/zitadel-go/v3/pkg/client" app "github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/app/v2beta" + project "github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/project/v2beta" "github.com/zitadel/zitadel-go/v3/pkg/zitadel" ) func main() { domain := "zitadel.172.17.0.1.nip.io" - token := "6YQZnz9sHSqCuWfPw620E3g3NqutTSXmEc_C1kBX6e4vuWTY2TD6DRPCks8Pn23g9ZQiaLo" + token := os.Args[1] + if token == "" { + slog.Error("personal access token not provided") + os.Exit(1) + } ctx := context.Background() 
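Review bot: `token := os.Args[1]` indexes the argument slice before any length check, so running the script with no argument panics with an index-out-of-range error instead of reaching the `if token == ""` message, which only catches an explicitly empty argument; change the guard to `if len(os.Args) < 2 || os.Args[1] == "" {` and assign `token` after it. Passing a personal access token as a command-line argument also exposes it in process listings and shell history; reading it from an environment variable via `os.Getenv` (or from a file) is the safer convention for a setup script. The rest of `main` continues outside this hunk.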
@@ -25,14 +30,18 @@ func main() { os.Exit(1) } - // resp, err := api.ManagementService().GetMyOrg(ctx, &management.GetMyOrgRequest{}) - // if err != nil { - // slog.Error("gRPC call failed", "error", err) - // os.Exit(1) - // } + projectResp, err := api.ProjectServiceV2Beta().ListProjects(ctx, &project.ListProjectsRequest{}) + if err != nil { + slog.Error("gRPC call failed", "error", err) + os.Exit(1) + } + + slog.Info("Projects", slog.Int("count", len(projectResp.Projects))) + + projectId := projectResp.Projects[0].Id resp, err := api.AppServiceV2Beta().CreateApplication(ctx, &app.CreateApplicationRequest{ - ProjectId: "345345430017671203", + ProjectId: projectId, Name: "metal-stack", Id: "metal-stack", CreationRequestType: &app.CreateApplicationRequest_OidcRequest{ @@ -61,4 +70,8 @@ func main() { } log.Printf("Successfully called API: Your application is %s", resp.AppId) + + // Get client_id and client_secret + log.Printf("Client ID: %s", resp.GetApiResponse().ClientId) + log.Printf("Client Secret: %s", resp.GetApiResponse().ClientSecret) } From 5883a79ad70420b9beffcb251dc59afb3b8e28fd Mon Sep 17 00:00:00 2001 From: ostempel Date: Thu, 6 Nov 2025 15:35:25 +0100 Subject: [PATCH 04/20] remove local test zitadel go script --- roles/zitadel/files/go.mod | 32 ---------- roles/zitadel/files/go.sum | 89 --------------------------- roles/zitadel/files/zitadel_config.go | 77 ----------------------- 3 files changed, 198 deletions(-) delete mode 100644 roles/zitadel/files/go.mod delete mode 100644 roles/zitadel/files/go.sum delete mode 100644 roles/zitadel/files/zitadel_config.go diff --git a/roles/zitadel/files/go.mod b/roles/zitadel/files/go.mod deleted file mode 100644 index 0871af6b..00000000 --- a/roles/zitadel/files/go.mod +++ /dev/null 
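Review bot: `projectId := projectResp.Projects[0].Id` assumes at least one project exists and silently takes whichever the API lists first; on an empty instance this panics, and on an instance with several projects the OIDC application lands in an arbitrary one. Guard the slice (`if len(projectResp.Projects) == 0 { slog.Error("no project found"); os.Exit(1) }`) and select the project by name, or accept the project id or name as an explicit input. The enclosing `main` starts before and ends after this hunk.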
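Review bot: The two added `log.Printf` lines print the OIDC client secret to the process log, which ends up in shell history and in any CI or Ansible output that captures the script; emit it once through the channel that will consume it (a file with restricted permissions, or output the calling Ansible task registers under `no_log`), not the log. Separately, the request built earlier in this file is an `OidcRequest`, so if the generated response holds the result in a oneof, `resp.GetApiResponse()` would return nil for an OIDC application and the direct `.ClientId` / `.ClientSecret` field access would dereference a nil pointer — verify against the generated `CreateApplicationResponse` type, where the OIDC branch getter is the likely correct accessor. Using the generated `GetClientId()` / `GetClientSecret()` getters instead of field access would at least turn the nil case into an empty string rather than a panic.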
@@ -1,32 +0,0 @@ -module github.com/metal-stack/zitadel-init - -go 1.25 - -require github.com/zitadel/zitadel-go/v3 v3.14.3 - -require ( - github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect - github.com/go-jose/go-jose/v4 v4.1.2 // indirect - github.com/go-logr/logr v1.4.3 // indirect - github.com/go-logr/stdr v1.2.2 // indirect - github.com/gorilla/securecookie v1.1.2 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 // indirect - github.com/muhlemmer/gu v0.3.1 // indirect - github.com/sirupsen/logrus v1.9.3 // indirect - github.com/zitadel/logging v0.6.2 // indirect - github.com/zitadel/oidc/v3 v3.44.0 // indirect - github.com/zitadel/schema v1.3.1 // indirect - go.opentelemetry.io/auto/sdk v1.1.0 // indirect - go.opentelemetry.io/otel v1.37.0 // indirect - go.opentelemetry.io/otel/metric v1.37.0 // indirect - go.opentelemetry.io/otel/trace v1.37.0 // indirect - golang.org/x/crypto v0.39.0 // indirect - golang.org/x/net v0.40.0 // indirect - golang.org/x/oauth2 v0.30.0 // indirect - golang.org/x/sys v0.33.0 // indirect - golang.org/x/text v0.27.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect - google.golang.org/grpc v1.74.2 // indirect - google.golang.org/protobuf v1.36.7 // indirect -) diff --git a/roles/zitadel/files/go.sum b/roles/zitadel/files/go.sum deleted file mode 100644 index 7c5a027c..00000000 --- a/roles/zitadel/files/go.sum +++ /dev/null 
@@ -1,89 +0,0 @@ -github.com/bmatcuk/doublestar/v4 v4.9.0 h1:DBvuZxjdKkRP/dr4GVV4w2fnmrk5Hxc90T51LZjv0JA= -github.com/bmatcuk/doublestar/v4 v4.9.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8= -github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU= -github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618= -github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops= -github.com/go-jose/go-jose/v4 v4.1.2 h1:TK/7NqRQZfgAh+Td8AlsrvtPoUyiHh0LqVvokh+1vHI= -github.com/go-jose/go-jose/v4 v4.1.2/go.mod h1:22cg9HWM1pOlnRiY+9cQYJ9XHmya1bYW8OeDM6Ku6Oo= -github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= -github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= -github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= -github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= -github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= -github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= -github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= -github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= -github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/uuid v1.6.0 
h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= -github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA= -github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90= -github.com/jeremija/gosubmit v0.2.8 h1:mmSITBz9JxVtu8eqbN+zmmwX7Ij2RidQxhcwRVI4wqA= -github.com/jeremija/gosubmit v0.2.8/go.mod h1:Ui+HS073lCFREXBbdfrJzMB57OI/bdxTiLtrDHHhFPI= -github.com/muhlemmer/gu v0.3.1 h1:7EAqmFrW7n3hETvuAdmFmn4hS8W+z3LgKtrnow+YzNM= -github.com/muhlemmer/gu v0.3.1/go.mod h1:YHtHR+gxM+bKEIIs7Hmi9sPT3ZDUvTN/i88wQpZkrdM= -github.com/muhlemmer/httpforwarded v0.1.0 h1:x4DLrzXdliq8mprgUMR0olDvHGkou5BJsK/vWUetyzY= -github.com/muhlemmer/httpforwarded v0.1.0/go.mod h1:yo9czKedo2pdZhoXe+yDkGVbU0TJ0q9oQ90BVoDEtw0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA= -github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= -github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= -github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= -github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -github.com/zitadel/logging v0.6.2 
h1:MW2kDDR0ieQynPZ0KIZPrh9ote2WkxfBif5QoARDQcU= -github.com/zitadel/logging v0.6.2/go.mod h1:z6VWLWUkJpnNVDSLzrPSQSQyttysKZ6bCRongw0ROK4= -github.com/zitadel/oidc/v3 v3.44.0 h1:wxpZm/VNQrWHGSB4Ld1rMcjpZvExHz+ikbNhzKyJOck= -github.com/zitadel/oidc/v3 v3.44.0/go.mod h1:5ki8s9CWoB4iGmtULndiVxwM8xt7IylZIaudro7jEq4= -github.com/zitadel/schema v1.3.1 h1:QT3kwiRIRXXLVAs6gCK/u044WmUVh6IlbLXUsn6yRQU= -github.com/zitadel/schema v1.3.1/go.mod h1:071u7D2LQacy1HAN+YnMd/mx1qVE2isb0Mjeqg46xnU= -github.com/zitadel/zitadel-go/v3 v3.14.3 h1:TxH1yS+0BOIgo/RsyqJHv35KREsl7PyPTq5o1kvuo7w= -github.com/zitadel/zitadel-go/v3 v3.14.3/go.mod h1:T8jYBDnhk1xiSw8OR3zpXeB5GI4VzkKgqnvz3WHkg9A= -go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= -go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= -go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ= -go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I= -go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE= -go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E= -go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs= -go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY= -go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis= -go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4= -go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4= -go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0= -golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM= -golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U= -golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= 
-golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= -golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= -golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= -golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= -golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4= -golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU= -google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 h1:oWVWY3NzT7KJppx2UKhKmzPq4SRe0LdCijVRwvGeikY= -google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822/go.mod h1:h3c4v36UTKzUiuaOKQ6gr3S+0hovBtUrXzTG/i3+XEc= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 h1:fc6jSaCT0vBduLYZHYrBBNY4dsWuvgyff9noRNDdBeE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= -google.golang.org/grpc v1.74.2 h1:WoosgB65DlWVC9FqI82dGsZhWFNBSLjQ84bjROOpMu4= -google.golang.org/grpc v1.74.2/go.mod h1:CtQ+BGjaAIXHs/5YS3i473GqwBBa1zGQNevxdeBEXrM= -google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A= -google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= -gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= -gopkg.in/yaml.v3 v3.0.1/go.mod 
h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/roles/zitadel/files/zitadel_config.go b/roles/zitadel/files/zitadel_config.go deleted file mode 100644 index d81482c0..00000000 --- a/roles/zitadel/files/zitadel_config.go +++ /dev/null 
@@ -1,77 +0,0 @@ -package main - -import ( - "context" - "log" - "log/slog" - "os" - - "github.com/zitadel/zitadel-go/v3/pkg/client" - app "github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/app/v2beta" - project "github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/project/v2beta" - "github.com/zitadel/zitadel-go/v3/pkg/zitadel" -) - -func main() { - domain := "zitadel.172.17.0.1.nip.io" - token := os.Args[1] - if token == "" { - slog.Error("personal access token not provided") - os.Exit(1) - } - - ctx := context.Background() - - authOption := client.PAT(token) - - api, err := client.New(ctx, zitadel.New(domain, zitadel.WithPort(4443), zitadel.WithInsecureSkipVerifyTLS()), client.WithAuth(authOption)) - if err != nil { - slog.Error("could not create api client", "error", err) - os.Exit(1) - } - - projectResp, err := api.ProjectServiceV2Beta().ListProjects(ctx, &project.ListProjectsRequest{}) - if err != nil { - slog.Error("gRPC call failed", "error", err) - os.Exit(1) - } - - slog.Info("Projects", slog.Int("count", len(projectResp.Projects))) - - projectId := projectResp.Projects[0].Id - - resp, err := api.AppServiceV2Beta().CreateApplication(ctx, &app.CreateApplicationRequest{ - ProjectId: projectId, - Name: "metal-stack", - Id: "metal-stack", - CreationRequestType: &app.CreateApplicationRequest_OidcRequest{ - OidcRequest: &app.CreateOIDCApplicationRequest{ - RedirectUris: []string{ - "http://v2.api.172.17.0.1.nip.io:8080/auth/openid-connect/callback", - }, - ResponseTypes: []app.OIDCResponseType{ - app.OIDCResponseType_OIDC_RESPONSE_TYPE_CODE, - }, - GrantTypes: []app.OIDCGrantType{ - app.OIDCGrantType_OIDC_GRANT_TYPE_AUTHORIZATION_CODE, - }, - AppType: app.OIDCAppType_OIDC_APP_TYPE_WEB, - AuthMethodType: app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_POST, - AccessTokenType: app.OIDCTokenType_OIDC_TOKEN_TYPE_BEARER, - Version: app.OIDCVersion_OIDC_VERSION_1_0, - PostLogoutRedirectUris: []string{}, - DevMode: true, - }, - }, - }) - if err != nil { - 
slog.Error("gRPC call failed", "error", err) - os.Exit(1) - } - - log.Printf("Successfully called API: Your application is %s", resp.AppId) - - // Get client_id and client_secret - log.Printf("Client ID: %s", resp.GetApiResponse().ClientId) - log.Printf("Client Secret: %s", resp.GetApiResponse().ClientSecret) -} From 02ce377b783a1813d699d7fded0de1ff9ee625c9 Mon Sep 17 00:00:00 2001 From: ostempel Date: Thu, 6 Nov 2025 17:16:44 +0100 Subject: [PATCH 05/20] fix current progress --- compose.yaml | 4 +- deploy_control_plane.yaml | 4 +- inventories/group_vars/all/images.yaml | 2 +- .../group_vars/control-plane/metal.yml | 7 +- roles/zitadel/README.md | 10 ++ roles/zitadel/defaults/main.yaml | 3 + roles/zitadel/tasks/main.yaml | 14 ++- roles/zitadel/templates/postgres.yaml | 102 ------------------ roles/zitadel/templates/values.yaml.j2 | 28 ++++- roles/zitadel/templates/zitadel-init.yaml | 54 ++++++++++ 10 files changed, 107 insertions(+), 121 deletions(-) delete mode 100644 roles/zitadel/templates/postgres.yaml create mode 100644 roles/zitadel/templates/zitadel-init.yaml diff --git a/compose.yaml b/compose.yaml index 67762c08..b9a2969b 100644 --- a/compose.yaml +++ b/compose.yaml @@ -9,9 +9,9 @@ services: # for developing role dependencies # TODO: make this a switch # - ${HOME}/.ansible/roles/ansible-common:/root/.ansible/roles/ansible-common:ro - # - ${HOME}/.ansible/roles/metal-roles:/root/.ansible/roles/metal-roles:ro + - ${HOME}/.ansible/roles/metal-roles:/root/.ansible/roles/metal-roles:ro # - ${HOME}/.ansible/roles/metal-ansible-modules:/root/.ansible/roles/metal-ansible-modules:ro - # - ${HOME}/git/github.com/metal-stack/helm-charts:/helm-charts:ro + - ${HOME}/git/metal-stack/helm-charts:/helm-charts:ro environment: - ANSIBLE_CONFIG=/mini-lab/ansible.cfg - KUBECONFIG=/mini-lab/.kubeconfig diff --git a/deploy_control_plane.yaml b/deploy_control_plane.yaml index d1167c97..6768c473 100644 --- a/deploy_control_plane.yaml +++ b/deploy_control_plane.yaml 
@@ -20,13 +20,13 @@ tags: headscale - name: metal-roles/control-plane/roles/masterdata-db tags: masterdata-db + - name: metal-roles/control-plane/roles/zitadel-db + tags: zitadel-db - name: metal-roles/control-plane/roles/auditing-timescaledb when: metal_auditing_timescaledb_enabled tags: auditing - name: metal-roles/control-plane/roles/valkey tags: valkey - - name: auth-dex - tags: auth - name: zitadel tags: auth - name: metal-roles/control-plane/roles/metal diff --git a/inventories/group_vars/all/images.yaml b/inventories/group_vars/all/images.yaml index f79bfd9f..ac426098 100644 --- a/inventories/group_vars/all/images.yaml +++ b/inventories/group_vars/all/images.yaml @@ -13,7 +13,7 @@ setup_yaml: # metal_api_image_name: # metal_api_image_tag: # metal_apiserver_image_name: -# metal_apiserver_image_tag: +metal_apiserver_image_tag: pr-89 # metal_metalctl_image_name: # metal_metalctl_image_tag: # metal_masterdata_api_image_name: diff --git a/inventories/group_vars/control-plane/metal.yml b/inventories/group_vars/control-plane/metal.yml index 9ec398f3..e00fdabf 100644 --- a/inventories/group_vars/control-plane/metal.yml +++ b/inventories/group_vars/control-plane/metal.yml @@ -1,4 +1,6 @@ --- +metal_helm_chart_local_path: /helm-charts/charts/metal-control-plane + metal_set_resource_limits: no metal_check_api_health_endpoint: http://api.{{ metal_control_plane_ingress_dns }}:8080/metal/v1/health metal_api_headscale_control_plane_address: "http://headscale.{{ metal_control_plane_ingress_dns }}:8080" 
@@ -15,10 +17,9 @@ metal_api_nsq_tcp_address: nsqd:4150 metal_apiserver_enabled: true metal_apiserver_url: http://v2.api.{{ metal_control_plane_ingress_dns }}:8080 -metal_apiserver_oidc_discovery_url: http://auth.{{ metal_control_plane_ingress_dns }}:8080/dex/.well-known/openid-configuration +metal_apiserver_oidc_secret_name: zitadel-client-credentials +metal_apiserver_oidc_discovery_url: https://zitadel.{{ metal_control_plane_ingress_dns }}:4443/.well-known/openid-configuration metal_apiserver_oidc_end_session_url: "" -metal_apiserver_oidc_client_id: metal-stack -metal_apiserver_oidc_client_secret: secret metal_apiserver_redis_password: change-me-soon metal_apiserver_admin_subjects: "CiQwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDESBWxvY2Fs@oidc" diff --git a/roles/zitadel/README.md b/roles/zitadel/README.md index 8f036413..1a98d063 100644 --- a/roles/zitadel/README.md +++ b/roles/zitadel/README.md @@ -5,3 +5,13 @@ Role that deploys and manages and configures Zitadel, an open-source identity an ## UI Because `ExternalSecure: true` is set by default, Zitadel will be available over HTTPS. We may need to change this to `false` if we want to use HTTP. + +UI will be available at `https://zitadel.172.17.0.1.nip.io:4443`. + +Admin: +- Username: `admin@metalstack.zitadel.172.17.0.1.nip.io` +- Password: `Password1!` + + +## Problems +- login image not loading because of csp \ No newline at end of file diff --git a/roles/zitadel/defaults/main.yaml b/roles/zitadel/defaults/main.yaml index b6457404..18e51b5c 100644 --- a/roles/zitadel/defaults/main.yaml +++ b/roles/zitadel/defaults/main.yaml @@ -1,6 +1,9 @@ --- zitadel_chart_version: "9.12.3" +zitadel_db_address: zitadel-db +zitadel_db_password: change-me + zitadel_app: - projectId: metal-stack id: metal-stack diff --git a/roles/zitadel/tasks/main.yaml b/roles/zitadel/tasks/main.yaml index b4b5f6c9..de0b2e9c 100644 --- a/roles/zitadel/tasks/main.yaml +++ b/roles/zitadel/tasks/main.yaml 
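Review bot: `metal_apiserver_oidc_discovery_url` now points at `https://zitadel.{{ metal_control_plane_ingress_dns }}:4443/...`, but nothing in this hunk (or the rest of the commit) gives the apiserver a CA to validate that endpoint. The Go helper `roles/zitadel/files/zitadel_config.go` deleted earlier in this series had to use `zitadel.WithInsecureSkipVerifyTLS()` against the same host, which suggests the ingress presents a certificate the lab does not trust; if the apiserver verifies it, discovery fails at startup, and if it skips verification that setting should be visible and scoped to this inventory. Worth confirming by fetching the discovery URL from inside the cluster network before the OIDC secret wiring is relied on.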
@@ -5,20 +5,18 @@ name: zitadel repo_url: https://charts.zitadel.com/ -- name: Deploy postgresql for Zitadel - kubernetes.core.k8s: - state: present - definition: "{{ lookup('template', 'postgres.yaml') }}" - namespace: zitadel - - name: Deploy Zitadel kubernetes.core.helm: chart_ref: zitadel/zitadel chart_version: "{{ zitadel_chart_version }}" release_name: zitadel - release_namespace: zitadel + release_namespace: metal-control-plane create_namespace: true values: "{{ lookup('template', 'values.yaml.j2') | from_yaml }}" wait: true -# TODO: Create initial OIDC app and admin user via API call or CLI \ No newline at end of file +- name: Create initial application + kubernetes.core.k8s: + state: present + definition: "{{ lookup('template', 'zitadel-init.yaml') }}" + namespace: metal-control-plane \ No newline at end of file diff --git a/roles/zitadel/templates/postgres.yaml b/roles/zitadel/templates/postgres.yaml deleted file mode 100644 index e2cdfb28..00000000 --- a/roles/zitadel/templates/postgres.yaml +++ /dev/null 
@@ -1,102 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: zitadel ---- -apiVersion: v1 -kind: Service -metadata: - name: zitadel-postgresql - labels: - app.kubernetes.io/component: database -spec: - type: ClusterIP - ports: - - port: 5432 - targetPort: postgresql - protocol: TCP - name: postgresql - selector: - app.kubernetes.io/component: database ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: zitadel-postgresql - labels: - app.kubernetes.io/component: database -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 8Gi ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: zitadel-postgresql - labels: - app.kubernetes.io/name: zitadel - app.kubernetes.io/component: database -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: zitadel - app.kubernetes.io/component: database - template: - metadata: - labels: - app.kubernetes.io/name: zitadel - app.kubernetes.io/component: database - spec: - containers: - - name: postgresql - image: postgres:17-alpine - imagePullPolicy: IfNotPresent - ports: - - name: postgresql - containerPort: 5432 - protocol: TCP - env: - - name: POSTGRES_USER - value: postgres - - name: POSTGRES_PASSWORD - value: postgres - - name: POSTGRES_DB - value: postgres - livenessProbe: - exec: - command: - - pg_isready - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - exec: - command: - - pg_isready - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 3 - resources: - limits: - cpu: 1000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - volumeMounts: - - name: data - mountPath: /var/lib/postgresql/data - volumes: - - name: data - persistentVolumeClaim: - claimName: zitadel-postgresql ---- \ No newline at end of file 
diff --git a/roles/zitadel/templates/values.yaml.j2 b/roles/zitadel/templates/values.yaml.j2 index 8574fa0d..8db887f8 100644 --- a/roles/zitadel/templates/values.yaml.j2 +++ b/roles/zitadel/templates/values.yaml.j2 @@ -5,17 +5,29 @@ zitadel: Database: Postgres: User: - Password: postgres + Password: {{ zitadel_db_password }} Admin: - Password: postgres + Password: {{ zitadel_db_password }} configmapConfig: + FirstInstance: + InstanceName: MetalStack + Org: + Name: MetalStack + Human: + Username: admin + FirstName: Metal + LastName: Stack + NickName: + DisplayName: MetalStack Admin + Password: Password1! + PasswordChangeRequired: false ExternalDomain: zitadel.172.17.0.1.nip.io ExternalPort: 80 TLS: Enabled: false Database: Postgres: - Host: zitadel-postgresql + Host: {{ zitadel_db_address }} Port: 5432 Database: zitadel MaxOpenConns: 20 @@ -33,7 +45,17 @@ zitadel: ingress: enabled: true className: nginx +env: + - name: ZITADEL_API_URL + value: https://zitadel.172.17.0.1.nip.io:4443 +image: + tag: v4.6.4 login: + image: + tag: v4.6.4 + env: + - name: ZITADEL_API_URL + value: https://zitadel.172.17.0.1.nip.io:4443 ingress: enabled: true className: nginx \ No newline at end of file diff --git a/roles/zitadel/templates/zitadel-init.yaml b/roles/zitadel/templates/zitadel-init.yaml new file mode 100644 index 00000000..0fea2aab --- /dev/null +++ b/roles/zitadel/templates/zitadel-init.yaml 
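Review bot: The Jinja-templated scalars in this hunk (`Password: {{ zitadel_db_password }}` under both `User:` and `Admin:`, and `Host: {{ zitadel_db_address }}`) are rendered unquoted and then parsed by `from_yaml` in tasks/main.yaml, so a password containing `: `, ` #`, a leading `*`, `&`, `[` or `{`, or one that looks like a number or boolean is either retyped or breaks the template parse. Rendering them as JSON strings covers every case: `Password: {{ zitadel_db_password | to_json }}` and `Host: {{ zitadel_db_address | to_json }}`. The first-instance admin `Password: Password1!` with `PasswordChangeRequired: false` is a literal inside the template; keeping it behind a variable would leave the template free of credentials.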
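Review bot: `ZITADEL_API_URL` is set to `https://zitadel.172.17.0.1.nip.io:4443` here while the same file's `configmapConfig` in the preceding hunk keeps `ExternalPort: 80` and `TLS: Enabled: false`. Zitadel derives its issuer and the URLs in the discovery document from `ExternalDomain`/`ExternalPort`/`ExternalSecure`, so unless the lab ingress re-maps `:4443` onto the port Zitadel believes it is served on, the issuer the apiserver validates will not match the `:4443` discovery URL configured in `inventories/group_vars/control-plane/metal.yml`; this is inferred from the config, not verified. Either set `ExternalPort: 4443` or add a comment on the `ExternalPort` line stating why 80 is correct behind this ingress.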
@@ -0,0 +1,54 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: zitadel-init +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: zitadel-init +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: zitadel-init +subjects: + - kind: ServiceAccount + name: zitadel-init +roleRef: + kind: Role + name: zitadel-init + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: zitadel-init-job +spec: + backoffLimit: 0 + template: + spec: + serviceAccountName: zitadel-init + restartPolicy: Never + containers: + - name: zitadel-init + image: ghcr.io/metal-stack/zitadel-init:pr-1 + pullPolicy: Always + args: + - "zitadel-init" + - "--zitadel-endpoint=zitadel.172.17.0.1.nip.io" + - "--zitadel-port=4443" + - "--zitadel-pat=$(ZITADEL_PAT)" + - "--namespace=metal-control-plane" + - "--secret=zitadel-client-credentials" + env: + - name: ZITADEL_PAT + valueFrom: + secretKeyRef: + name: iam-admin-pat + key: pat \ No newline at end of file From c705dc3eae76c0ded565ffeac24f79eb4deb4c39 Mon Sep 17 00:00:00 2001 From: ostempel Date: Mon, 10 Nov 2025 10:11:32 +0100 Subject: [PATCH 06/20] remove unused config --- roles/zitadel/defaults/main.yaml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/roles/zitadel/defaults/main.yaml b/roles/zitadel/defaults/main.yaml index 18e51b5c..255d6d8b 100644 --- a/roles/zitadel/defaults/main.yaml +++ b/roles/zitadel/defaults/main.yaml 
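Review bot: `pullPolicy: Always` on the `zitadel-init` container is not a Pod container field; the API server drops unknown fields by default (or rejects them under strict field validation), so the mutable `pr-1` tag falls back to `IfNotPresent` and a rebuilt image is never pulled — the key is `imagePullPolicy: Always`. The token is also expanded into the process argument list via `--zitadel-pat=$(ZITADEL_PAT)`, which makes it readable from the container's process table and from any debug output that echoes argv; if `zitadel-init` can read the token from its environment, pass only the env var. Because the Job name is fixed and a Job's pod template is immutable once created, a later run with a different `image` will fail on apply; `ttlSecondsAfterFinished: 300` in the Job `spec` lets the finished Job be garbage-collected between runs.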
@@ -3,18 +3,3 @@ zitadel_chart_version: "9.12.3" zitadel_db_address: zitadel-db zitadel_db_password: change-me - -zitadel_app: - - projectId: metal-stack - id: metal-stack - name: metal-stack - oidcConfig: - appType: OIDC_APP_TYPE_WEB # WEB - responseType: # CODE - - OIDC_RESPONSE_TYPE_CODE - grantTypes: # AUTHORIZATION_CODE - - OIDC_GRANT_TYPE_AUTHORIZATION_CODE - authMethod: OIDC_AUTH_METHOD_TYPE_POST # Post - accessTokenType: OIDC_TOKEN_TYPE_BEARER # Bearer - redirectUris: - - http://v2.api.172.17.0.1.nip.io:8080/auth/openid-connect/callback From 91c9227f10fee34e148778c89283aaec27e2ac61 Mon Sep 17 00:00:00 2001 From: ostempel Date: Mon, 10 Nov 2025 10:29:30 +0100 Subject: [PATCH 07/20] add zitadel default vars --- roles/zitadel/defaults/main.yaml | 5 +++++ roles/zitadel/tasks/main.yaml | 6 +++--- roles/zitadel/templates/values.yaml.j2 | 10 +++++----- roles/zitadel/templates/zitadel-init.yaml | 4 ++-- 4 files changed, 15 insertions(+), 10 deletions(-) diff --git a/roles/zitadel/defaults/main.yaml b/roles/zitadel/defaults/main.yaml index 255d6d8b..10429937 100644 --- a/roles/zitadel/defaults/main.yaml +++ b/roles/zitadel/defaults/main.yaml @@ -1,5 +1,10 @@ --- zitadel_chart_version: "9.12.3" +zitadel_domain: zitadel.{{ metal_control_plane_ingress_dns }} +zitadel_ingress_dns: https://{{ zitadel_domain }}:4443 + +zitadel_admin_password: Password1! +zitadel_master_key: x123456789012345678901234567891y zitadel_db_address: zitadel-db zitadel_db_password: change-me diff --git a/roles/zitadel/tasks/main.yaml b/roles/zitadel/tasks/main.yaml index de0b2e9c..9372f30a 100644 --- a/roles/zitadel/tasks/main.yaml +++ b/roles/zitadel/tasks/main.yaml 
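Review bot: `zitadel_master_key: x123456789012345678901234567891y` and `zitadel_admin_password: Password1!` in `defaults/main.yaml` are shipped fallbacks: role defaults are the lowest-precedence layer, so any inventory that forgets to override them runs Zitadel with a published encryption key and admin password. Prefer leaving both undefined here and failing early in tasks with `ansible.builtin.assert: { that: [zitadel_master_key is defined, zitadel_admin_password is defined] }`, or at least mark them with `# mini-lab development values — override in inventory`. The key is 32 characters, which is the length Zitadel expects for `masterkey`; a comment noting that constraint next to the variable would save a failed deploy when someone replaces it.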
@@ -10,13 +10,13 @@ chart_ref: zitadel/zitadel chart_version: "{{ zitadel_chart_version }}" release_name: zitadel - release_namespace: metal-control-plane + release_namespace: "{{ metal_control_plane_namespace }}" create_namespace: true values: "{{ lookup('template', 'values.yaml.j2') | from_yaml }}" wait: true -- name: Create initial application +- name: Create init job kubernetes.core.k8s: state: present definition: "{{ lookup('template', 'zitadel-init.yaml') }}" - namespace: metal-control-plane \ No newline at end of file + namespace: "{{ metal_control_plane_namespace }}" \ No newline at end of file diff --git a/roles/zitadel/templates/values.yaml.j2 b/roles/zitadel/templates/values.yaml.j2 index 8db887f8..6a1c2228 100644 --- a/roles/zitadel/templates/values.yaml.j2 +++ b/roles/zitadel/templates/values.yaml.j2 @@ -1,6 +1,6 @@ --- zitadel: - masterkey: x123456789012345678901234567891y + masterkey: {{ zitadel_master_key}} secretConfig: Database: Postgres: @@ -19,9 +19,9 @@ zitadel: LastName: Stack NickName: DisplayName: MetalStack Admin - Password: Password1! + Password: {{ zitadel_admin_password }} PasswordChangeRequired: false - ExternalDomain: zitadel.172.17.0.1.nip.io + ExternalDomain: {{ zitadel_domain }} ExternalPort: 80 TLS: Enabled: false @@ -47,7 +47,7 @@ ingress: className: nginx env: - name: ZITADEL_API_URL - value: https://zitadel.172.17.0.1.nip.io:4443 + value: {{ zitadel_ingress_dns }} image: tag: v4.6.4 login: @@ -55,7 +55,7 @@ login: tag: v4.6.4 env: - name: ZITADEL_API_URL - value: https://zitadel.172.17.0.1.nip.io:4443 + value: {{ zitadel_ingress_dns }} ingress: enabled: true className: nginx \ No newline at end of file diff --git a/roles/zitadel/templates/zitadel-init.yaml b/roles/zitadel/templates/zitadel-init.yaml index 0fea2aab..14444cfe 100644 --- a/roles/zitadel/templates/zitadel-init.yaml +++ b/roles/zitadel/templates/zitadel-init.yaml 
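Review bot: `masterkey: {{ zitadel_master_key}}` has the closing braces run into the variable name and, like the other templated values in this file (`Password: {{ zitadel_admin_password }}` in the next hunk, `ExternalDomain: {{ zitadel_domain }}`), is rendered unquoted before `from_yaml` parses it, so a key or password containing `: `, ` #` or a leading YAML indicator breaks the render. Write it as `masterkey: {{ zitadel_master_key | to_json }}` and apply the same filter to the admin password line.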
@@ -41,10 +41,10 @@ spec: pullPolicy: Always args: - "zitadel-init" - - "--zitadel-endpoint=zitadel.172.17.0.1.nip.io" + - "--zitadel-endpoint={{ zitadel_domain }}" - "--zitadel-port=4443" - "--zitadel-pat=$(ZITADEL_PAT)" - - "--namespace=metal-control-plane" + - "--namespace={{ metal_control_plane_namespace }}" - "--secret=zitadel-client-credentials" env: - name: ZITADEL_PAT From edcd22776597c91eb379140d039ad1f006fb3b22 Mon Sep 17 00:00:00 2001 From: ostempel Date: Mon, 10 Nov 2025 12:04:50 +0100 Subject: [PATCH 08/20] remove local helm chart --- compose.yaml | 2 +- inventories/group_vars/all/images.yaml | 4 ++-- inventories/group_vars/control-plane/metal.yml | 4 ---- 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/compose.yaml b/compose.yaml index b9a2969b..9ba3bb30 100644 --- a/compose.yaml +++ b/compose.yaml @@ -11,7 +11,7 @@ services: # - ${HOME}/.ansible/roles/ansible-common:/root/.ansible/roles/ansible-common:ro - ${HOME}/.ansible/roles/metal-roles:/root/.ansible/roles/metal-roles:ro # - ${HOME}/.ansible/roles/metal-ansible-modules:/root/.ansible/roles/metal-ansible-modules:ro - - ${HOME}/git/metal-stack/helm-charts:/helm-charts:ro + # - ${HOME}/git/metal-stack/helm-charts:/helm-charts:ro environment: - ANSIBLE_CONFIG=/mini-lab/ansible.cfg - KUBECONFIG=/mini-lab/.kubeconfig diff --git a/inventories/group_vars/all/images.yaml b/inventories/group_vars/all/images.yaml index ac426098..9eddb099 100644 --- a/inventories/group_vars/all/images.yaml +++ b/inventories/group_vars/all/images.yaml @@ -42,8 +42,8 @@ metal_apiserver_image_tag: pr-89 ## helm charts ## -# metal_helm_chart_version: -# metal_helm_chart_repo: +metal_helm_chart_version: 0.7.0 +metal_helm_chart_repo: https://helm.metal-stack.io/pull_requests/make-oidc-secret-configurable # further overrides can be looked up in the metal-role projects where the mapping is defined: # https://github.com/metal-stack/metal-roles/blob/master/defaults/main.yaml 
diff --git a/inventories/group_vars/control-plane/metal.yml b/inventories/group_vars/control-plane/metal.yml index e00fdabf..c498ef86 100644 --- a/inventories/group_vars/control-plane/metal.yml +++ b/inventories/group_vars/control-plane/metal.yml @@ -1,12 +1,8 @@ --- -metal_helm_chart_local_path: /helm-charts/charts/metal-control-plane - metal_set_resource_limits: no metal_check_api_health_endpoint: http://api.{{ metal_control_plane_ingress_dns }}:8080/metal/v1/health metal_api_headscale_control_plane_address: "http://headscale.{{ metal_control_plane_ingress_dns }}:8080" -# metal_helm_chart_local_path: /helm-charts/charts/metal-control-plane - metal_api_replicas: 1 metal_api_view_key: metal-view metal_api_edit_key: metal-edit From 788f36ad4812dceac0dbb1da2f7950a5df22b253 Mon Sep 17 00:00:00 2001 From: ostempel Date: Mon, 10 Nov 2025 12:45:02 +0100 Subject: [PATCH 09/20] set metal-roles version --- compose.yaml | 2 +- inventories/group_vars/all/images.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/compose.yaml b/compose.yaml index 9ba3bb30..9bbfdf94 100644 --- a/compose.yaml +++ b/compose.yaml @@ -9,7 +9,7 @@ services: # for developing role dependencies # TODO: make this a switch # - ${HOME}/.ansible/roles/ansible-common:/root/.ansible/roles/ansible-common:ro - - ${HOME}/.ansible/roles/metal-roles:/root/.ansible/roles/metal-roles:ro + # - ${HOME}/.ansible/roles/metal-roles:/root/.ansible/roles/metal-roles:ro # - ${HOME}/.ansible/roles/metal-ansible-modules:/root/.ansible/roles/metal-ansible-modules:ro # - ${HOME}/git/metal-stack/helm-charts:/helm-charts:ro environment: diff --git a/inventories/group_vars/all/images.yaml b/inventories/group_vars/all/images.yaml index 9eddb099..522e86c2 100644 --- a/inventories/group_vars/all/images.yaml +++ b/inventories/group_vars/all/images.yaml 
@@ -35,7 +35,7 @@ metal_apiserver_image_tag: pr-89 ## # ansible_common_version: -# metal_roles_version: +metal_roles_version: 3e4b2f14bffef0685b8e2d4d195a895489c4cd0e # metal_ansible_modules_version: ## From 15093b29d2433ab919518f4de704bbaf12a31353 Mon Sep 17 00:00:00 2001 From: ostempel Date: Wed, 19 Nov 2025 12:08:31 +0100 Subject: [PATCH 10/20] add feedback --- compose.yaml | 2 +- inventories/group_vars/all/images.yaml | 2 +- roles/zitadel/README.md | 2 +- roles/zitadel/defaults/main.yaml | 3 +++ roles/zitadel/tasks/main.yaml | 11 +++-------- roles/zitadel/templates/values.yaml.j2 | 14 +++++++------- roles/zitadel/templates/zitadel-init.yaml | 2 +- 7 files changed, 17 insertions(+), 19 deletions(-) diff --git a/compose.yaml b/compose.yaml index 9bbfdf94..67762c08 100644 --- a/compose.yaml +++ b/compose.yaml @@ -11,7 +11,7 @@ services: # - ${HOME}/.ansible/roles/ansible-common:/root/.ansible/roles/ansible-common:ro # - ${HOME}/.ansible/roles/metal-roles:/root/.ansible/roles/metal-roles:ro # - ${HOME}/.ansible/roles/metal-ansible-modules:/root/.ansible/roles/metal-ansible-modules:ro - # - ${HOME}/git/metal-stack/helm-charts:/helm-charts:ro + # - ${HOME}/git/github.com/metal-stack/helm-charts:/helm-charts:ro environment: - ANSIBLE_CONFIG=/mini-lab/ansible.cfg - KUBECONFIG=/mini-lab/.kubeconfig diff --git a/inventories/group_vars/all/images.yaml b/inventories/group_vars/all/images.yaml index 522e86c2..2748266d 100644 --- a/inventories/group_vars/all/images.yaml +++ b/inventories/group_vars/all/images.yaml @@ -35,7 +35,7 @@ metal_apiserver_image_tag: pr-89 ## # ansible_common_version: -metal_roles_version: 3e4b2f14bffef0685b8e2d4d195a895489c4cd0e +metal_roles_version: 3f6a68eb1d6d53c76f2172b181f2599521da423b # metal_ansible_modules_version: ## diff --git a/roles/zitadel/README.md b/roles/zitadel/README.md index 1a98d063..7b67c7c7 100644 --- a/roles/zitadel/README.md +++ b/roles/zitadel/README.md 
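Review bot: `metal_roles_version: 3e4b2f14bffef0685b8e2d4d195a895489c4cd0e` is a plain scalar; this value happens to load as a string, but a pinned SHA that is all digits, or digits with a single `e` (`1234e5`), is loaded as a number and the role checkout then requests a revision that does not exist. Quote pinned revisions as a habit, `metal_roles_version: "3e4b2f14bffef0685b8e2d4d195a895489c4cd0e"`; the same applies to the update of this line to `3f6a68eb…` in patch 10.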
@@ -1,6 +1,6 @@ # Zitadel -Role that deploys and manages and configures Zitadel, an open-source identity and access management system. +Role that deploys and manages and configures Zitadel, an open-source identity and access management system. Here you can find the project: [Zitadel](https://zitadel.com/) ## UI diff --git a/roles/zitadel/defaults/main.yaml b/roles/zitadel/defaults/main.yaml index 10429937..d7ad8fb4 100644 --- a/roles/zitadel/defaults/main.yaml +++ b/roles/zitadel/defaults/main.yaml @@ -8,3 +8,6 @@ zitadel_admin_password: Password1! zitadel_master_key: x123456789012345678901234567891y zitadel_db_address: zitadel-db zitadel_db_password: change-me + +zitadel_init_image: ghcr.io/metal-stack/zitadel-init +zitadel_init_image_tag: pr-1 \ No newline at end of file diff --git a/roles/zitadel/tasks/main.yaml b/roles/zitadel/tasks/main.yaml index 9372f30a..0b44fff6 100644 --- a/roles/zitadel/tasks/main.yaml +++ b/roles/zitadel/tasks/main.yaml @@ -1,15 +1,10 @@ --- - -- name: Add stable Zitadel Helm repository - kubernetes.core.helm_repository: - name: zitadel - repo_url: https://charts.zitadel.com/ - - name: Deploy Zitadel kubernetes.core.helm: - chart_ref: zitadel/zitadel + name: zitadel + chart_ref: zitadel chart_version: "{{ zitadel_chart_version }}" - release_name: zitadel + chart_repo_url: https://charts.zitadel.com/ release_namespace: "{{ metal_control_plane_namespace }}" create_namespace: true values: "{{ lookup('template', 'values.yaml.j2') | from_yaml }}" diff --git a/roles/zitadel/templates/values.yaml.j2 b/roles/zitadel/templates/values.yaml.j2 index 6a1c2228..4356f00e 100644 --- a/roles/zitadel/templates/values.yaml.j2 +++ b/roles/zitadel/templates/values.yaml.j2 
@@ -10,15 +10,15 @@ zitadel: Password: {{ zitadel_db_password }} configmapConfig: FirstInstance: - InstanceName: MetalStack + InstanceName: metal-stack Org: - Name: MetalStack + Name: metal-stack Human: Username: admin FirstName: Metal LastName: Stack NickName: - DisplayName: MetalStack Admin + DisplayName: metal-stack admin Password: {{ zitadel_admin_password }} PasswordChangeRequired: false ExternalDomain: {{ zitadel_domain }} @@ -48,11 +48,11 @@ ingress: env: - name: ZITADEL_API_URL value: {{ zitadel_ingress_dns }} -image: - tag: v4.6.4 +# image: +# tag: v4.6.4 login: - image: - tag: v4.6.4 + # image: + # tag: v4.6.4 env: - name: ZITADEL_API_URL value: {{ zitadel_ingress_dns }} diff --git a/roles/zitadel/templates/zitadel-init.yaml b/roles/zitadel/templates/zitadel-init.yaml index 14444cfe..866f01ca 100644 --- a/roles/zitadel/templates/zitadel-init.yaml +++ b/roles/zitadel/templates/zitadel-init.yaml @@ -37,7 +37,7 @@ spec: restartPolicy: Never containers: - name: zitadel-init - image: ghcr.io/metal-stack/zitadel-init:pr-1 + image: "{{ zitadel_init_image }}:{{ zitadel_init_image_tag }}" pullPolicy: Always args: - "zitadel-init" From 3c3c550b194bbe84a4f82b6efa8c48a9885bb57a Mon Sep 17 00:00:00 2001 From: ostempel Date: Wed, 19 Nov 2025 13:21:43 +0100 Subject: [PATCH 11/20] fix oidc secret race conditions --- roles/zitadel/tasks/main.yaml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/roles/zitadel/tasks/main.yaml b/roles/zitadel/tasks/main.yaml index 0b44fff6..a774bfa3 100644 --- a/roles/zitadel/tasks/main.yaml +++ b/roles/zitadel/tasks/main.yaml 
@@ -14,4 +14,15 @@ kubernetes.core.k8s: state: present definition: "{{ lookup('template', 'zitadel-init.yaml') }}" - namespace: "{{ metal_control_plane_namespace }}" \ No newline at end of file + namespace: "{{ metal_control_plane_namespace }}" + +- name: Wait for Secret zitadel-client-credentials + kubernetes.core.k8s_info: + api_version: v1 + kind: Secret + name: zitadel-client-credentials + namespace: "{{ metal_control_plane_namespace }}" + register: secret_info + until: secret_info.resources | length > 0 + retries: 10 + delay: 5 From 21d9a4acfb0a92c9df8b2c5814711718164e9442 Mon Sep 17 00:00:00 2001 From: Gerrit Date: Tue, 2 Dec 2025 14:18:06 +0100 Subject: [PATCH 12/20] Minor updates. --- inventories/group_vars/all/release_vector.yaml | 2 +- inventories/group_vars/control-plane/metal.yml | 6 +++--- roles/zitadel/README.md | 4 ++-- roles/zitadel/defaults/main.yaml | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/inventories/group_vars/all/release_vector.yaml b/inventories/group_vars/all/release_vector.yaml index dbd0c441..e5eef4a3 100644 --- a/inventories/group_vars/all/release_vector.yaml +++ b/inventories/group_vars/all/release_vector.yaml @@ -37,7 +37,7 @@ metal_apiserver_image_tag: pr-89 ## # ansible_common_version: -metal_roles_version: 3f6a68eb1d6d53c76f2172b181f2599521da423b +metal_roles_version: add-zitadel-role # metal_ansible_modules_version: ## diff --git a/inventories/group_vars/control-plane/metal.yml b/inventories/group_vars/control-plane/metal.yml index c498ef86..ce4a82f2 100644 --- a/inventories/group_vars/control-plane/metal.yml +++ b/inventories/group_vars/control-plane/metal.yml 
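Review bot: The `until: secret_info.resources | length > 0` loop only observes the Secret, so when the init Job fails (it runs with `backoffLimit: 0` in zitadel-init.yaml) the play ends after 10×5 s with a generic retries-exhausted error and the Job's failure reason is lost. Consider polling the Job first with `kubernetes.core.k8s_info` (`kind: Job`, `name: zitadel-init-job`) and putting both `status.succeeded` and `status.failed` in the `until` expression so a failure ends the wait immediately, then asserting `status.succeeded` before reading the Secret. The existing check also only tests existence; if the keys the apiserver reads from `zitadel-client-credentials` are known, asserting they are present in `secret_info.resources[0].data` would catch a partially written Secret.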
@@ -15,10 +15,10 @@ metal_apiserver_url: http://v2.api.{{ metal_control_plane_ingress_dns }}:8080 metal_apiserver_oidc_secret_name: zitadel-client-credentials metal_apiserver_oidc_discovery_url: https://zitadel.{{ metal_control_plane_ingress_dns }}:4443/.well-known/openid-configuration -metal_apiserver_oidc_end_session_url: "" +metal_apiserver_oidc_end_session_url: "https://zitadel.{{ metal_control_plane_ingress_dns }}:4443/oidc/v1/end_session" metal_apiserver_redis_password: change-me-soon -metal_apiserver_admin_subjects: "CiQwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDESBWxvY2Fs@oidc" +metal_apiserver_admin_subjects: "admin@metal-stack.zitadel.172.17.0.1.nip.io@oidc" metal_api_images: - id: firewall-ubuntu-3.0 @@ -163,4 +163,4 @@ metal_auditing_timescaledb_enabled: true # headscale metal_api_headscale_enabled: true -metal_api_headscale_tls: no \ No newline at end of file +metal_api_headscale_tls: no diff --git a/roles/zitadel/README.md b/roles/zitadel/README.md index 7b67c7c7..3ef2214d 100644 --- a/roles/zitadel/README.md +++ b/roles/zitadel/README.md @@ -9,9 +9,9 @@ Because `ExternalSecure: true` is set by default, Zitadel will be available over UI will be available at `https://zitadel.172.17.0.1.nip.io:4443`. Admin: -- Username: `admin@metalstack.zitadel.172.17.0.1.nip.io` +- Username: `admin@metal-stack.zitadel.172.17.0.1.nip.io` - Password: `Password1!` ## Problems -- login image not loading because of csp \ No newline at end of file +- login image not loading because of csp diff --git a/roles/zitadel/defaults/main.yaml b/roles/zitadel/defaults/main.yaml index d7ad8fb4..fce8f3f4 100644 --- a/roles/zitadel/defaults/main.yaml +++ b/roles/zitadel/defaults/main.yaml @@ -1,5 +1,5 @@ --- -zitadel_chart_version: "9.12.3" +zitadel_chart_version: "9.13.0" zitadel_domain: zitadel.{{ metal_control_plane_ingress_dns }} zitadel_ingress_dns: https://{{ zitadel_domain }}:4443 
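Review bot: `metal_apiserver_admin_subjects: "admin@metal-stack.zitadel.172.17.0.1.nip.io@oidc"` hard-codes the nip.io host while the neighbouring `metal_apiserver_oidc_discovery_url` and the new `metal_apiserver_oidc_end_session_url` derive it from `metal_control_plane_ingress_dns`, so changing the ingress DNS silently leaves an admin subject that matches no Zitadel login name. Template it the same way: `metal_apiserver_admin_subjects: "admin@metal-stack.zitadel.{{ metal_control_plane_ingress_dns }}@oidc"`. The subject format itself (`<user>@<org>.<domain>`) is inferred from the README in this series, so confirm it against the Zitadel login name once deployed.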
@@ -10,4 +10,4 @@ zitadel_db_address: zitadel-db zitadel_db_password: change-me zitadel_init_image: ghcr.io/metal-stack/zitadel-init -zitadel_init_image_tag: pr-1 \ No newline at end of file +zitadel_init_image_tag: pr-1 From 9f871b5122a255ff11c75087db7ec8124c543a32 Mon Sep 17 00:00:00 2001 From: Gerrit Date: Wed, 3 Dec 2025 16:25:41 +0100 Subject: [PATCH 13/20] [skip ci] Intermediate state --- compose.yaml | 2 +- deploy_control_plane.yaml | 2 +- .../group_vars/control-plane/zitadel.yaml | 6 ++ roles/zitadel/README.md | 17 ------ roles/zitadel/defaults/main.yaml | 13 ---- roles/zitadel/tasks/main.yaml | 28 --------- roles/zitadel/templates/values.yaml.j2 | 61 ------------------- roles/zitadel/templates/zitadel-init.yaml | 54 ---------------- 8 files changed, 8 insertions(+), 175 deletions(-) create mode 100644 inventories/group_vars/control-plane/zitadel.yaml delete mode 100644 roles/zitadel/README.md delete mode 100644 roles/zitadel/defaults/main.yaml delete mode 100644 roles/zitadel/tasks/main.yaml delete mode 100644 roles/zitadel/templates/values.yaml.j2 delete mode 100644 roles/zitadel/templates/zitadel-init.yaml diff --git a/compose.yaml b/compose.yaml index 54a6b6f4..fddac0d5 100644 --- a/compose.yaml +++ b/compose.yaml @@ -9,7 +9,7 @@ services: # for developing role dependencies # TODO: make this a switch # - ${HOME}/.ansible/roles/ansible-common:/root/.ansible/roles/ansible-common:ro - # - ${HOME}/.ansible/roles/metal-roles:/root/.ansible/roles/metal-roles:ro + - ${HOME}/.ansible/roles/metal-roles:/root/.ansible/roles/metal-roles:ro # - ${HOME}/.ansible/roles/metal-ansible-modules:/root/.ansible/roles/metal-ansible-modules:ro # - ${HOME}/git/github.com/metal-stack/helm-charts:/helm-charts:ro environment: diff --git a/deploy_control_plane.yaml b/deploy_control_plane.yaml index 6768c473..84436081 100644 --- a/deploy_control_plane.yaml +++ b/deploy_control_plane.yaml 
@@ -27,7 +27,7 @@ tags: auditing - name: metal-roles/control-plane/roles/valkey tags: valkey - - name: zitadel + - name: metal-roles/control-plane/roles/zitadel tags: auth - name: metal-roles/control-plane/roles/metal tags: metal diff --git a/inventories/group_vars/control-plane/zitadel.yaml b/inventories/group_vars/control-plane/zitadel.yaml new file mode 100644 index 00000000..a4f23698 --- /dev/null +++ b/inventories/group_vars/control-plane/zitadel.yaml @@ -0,0 +1,6 @@ +--- +zitadel_ingress_dns: https://{{ zitadel_domain }}:4443 + +zitadel_admin_password: Password1! +zitadel_master_key: x123456789012345678901234567891y +zitadel_db_password: change-me diff --git a/roles/zitadel/README.md b/roles/zitadel/README.md deleted file mode 100644 index 3ef2214d..00000000 --- a/roles/zitadel/README.md +++ /dev/null @@ -1,17 +0,0 @@ -# Zitadel - -Role that deploys and manages and configures Zitadel, an open-source identity and access management system. Here you can find the project: [Zitadel](https://zitadel.com/) - -## UI - -Because `ExternalSecure: true` is set by default, Zitadel will be available over HTTPS. We may need to change this to `false` if we want to use HTTP. - -UI will be available at `https://zitadel.172.17.0.1.nip.io:4443`. - -Admin: -- Username: `admin@metal-stack.zitadel.172.17.0.1.nip.io` -- Password: `Password1!` - - -## Problems -- login image not loading because of csp diff --git a/roles/zitadel/defaults/main.yaml b/roles/zitadel/defaults/main.yaml deleted file mode 100644 index fce8f3f4..00000000 --- a/roles/zitadel/defaults/main.yaml +++ /dev/null 
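Review bot: `zitadel_ingress_dns: https://{{ zitadel_domain }}:4443` depends on `zitadel_domain`, but the only definition of that variable visible in this series (`roles/zitadel/defaults/main.yaml`) is deleted in the same commit; unless the `metal-roles/control-plane/roles/zitadel` role now referenced in deploy_control_plane.yaml provides it, templating this file fails with an undefined-variable error. Either define it here as well, `zitadel_domain: zitadel.{{ metal_control_plane_ingress_dns }}`, or confirm the external role's defaults. The file also carries `zitadel_master_key`, `zitadel_admin_password` and `zitadel_db_password` as plain inventory values; a `# mini-lab development values` comment, or ansible-vault for those three keys, would make the intent explicit to whoever copies this inventory.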
@@ -1,13 +0,0 @@ ---- -zitadel_chart_version: "9.13.0" - -zitadel_domain: zitadel.{{ metal_control_plane_ingress_dns }} -zitadel_ingress_dns: https://{{ zitadel_domain }}:4443 - -zitadel_admin_password: Password1! -zitadel_master_key: x123456789012345678901234567891y -zitadel_db_address: zitadel-db -zitadel_db_password: change-me - -zitadel_init_image: ghcr.io/metal-stack/zitadel-init -zitadel_init_image_tag: pr-1 diff --git a/roles/zitadel/tasks/main.yaml b/roles/zitadel/tasks/main.yaml deleted file mode 100644 index a774bfa3..00000000 --- a/roles/zitadel/tasks/main.yaml +++ /dev/null @@ -1,28 +0,0 @@ ---- -- name: Deploy Zitadel - kubernetes.core.helm: - name: zitadel - chart_ref: zitadel - chart_version: "{{ zitadel_chart_version }}" - chart_repo_url: https://charts.zitadel.com/ - release_namespace: "{{ metal_control_plane_namespace }}" - create_namespace: true - values: "{{ lookup('template', 'values.yaml.j2') | from_yaml }}" - wait: true - -- name: Create init job - kubernetes.core.k8s: - state: present - definition: "{{ lookup('template', 'zitadel-init.yaml') }}" - namespace: "{{ metal_control_plane_namespace }}" - -- name: Wait for Secret zitadel-client-credentials - kubernetes.core.k8s_info: - api_version: v1 - kind: Secret - name: zitadel-client-credentials - namespace: "{{ metal_control_plane_namespace }}" - register: secret_info - until: secret_info.resources | length > 0 - retries: 10 - delay: 5 diff --git a/roles/zitadel/templates/values.yaml.j2 b/roles/zitadel/templates/values.yaml.j2 deleted file mode 100644 index 4356f00e..00000000 --- a/roles/zitadel/templates/values.yaml.j2 +++ /dev/null 
@@ -1,61 +0,0 @@ ---- -zitadel: - masterkey: {{ zitadel_master_key}} - secretConfig: - Database: - Postgres: - User: - Password: {{ zitadel_db_password }} - Admin: - Password: {{ zitadel_db_password }} - configmapConfig: - FirstInstance: - InstanceName: metal-stack - Org: - Name: metal-stack - Human: - Username: admin - FirstName: Metal - LastName: Stack - NickName: - DisplayName: metal-stack admin - Password: {{ zitadel_admin_password }} - PasswordChangeRequired: false - ExternalDomain: {{ zitadel_domain }} - ExternalPort: 80 - TLS: - Enabled: false - Database: - Postgres: - Host: {{ zitadel_db_address }} - Port: 5432 - Database: zitadel - MaxOpenConns: 20 - MaxIdleConns: 10 - MaxConnLifetime: 30m - MaxConnIdleTime: 5m - User: - Username: postgres - SSL: - Mode: disable - Admin: - Username: postgres - SSL: - Mode: disable -ingress: - enabled: true - className: nginx -env: - - name: ZITADEL_API_URL - value: {{ zitadel_ingress_dns }} -# image: -# tag: v4.6.4 -login: - # image: - # tag: v4.6.4 - env: - - name: ZITADEL_API_URL - value: {{ zitadel_ingress_dns }} - ingress: - enabled: true - className: nginx \ No newline at end of file diff --git a/roles/zitadel/templates/zitadel-init.yaml b/roles/zitadel/templates/zitadel-init.yaml deleted file mode 100644 index 866f01ca..00000000 --- a/roles/zitadel/templates/zitadel-init.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: zitadel-init ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: zitadel-init -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: zitadel-init -subjects: - - kind: ServiceAccount - name: zitadel-init -roleRef: - kind: Role - name: zitadel-init - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: zitadel-init-job -spec: - backoffLimit: 0 - template: - spec: - serviceAccountName: zitadel-init - restartPolicy: Never - containers: - - name: zitadel-init - image: "{{ zitadel_init_image }}:{{ zitadel_init_image_tag }}" - pullPolicy: Always - args: - - "zitadel-init" - - "--zitadel-endpoint={{ zitadel_domain }}" - - "--zitadel-port=4443" - - "--zitadel-pat=$(ZITADEL_PAT)" - - "--namespace={{ metal_control_plane_namespace }}" - - "--secret=zitadel-client-credentials" - env: - - name: ZITADEL_PAT - valueFrom: - secretKeyRef: - name: iam-admin-pat - key: pat \ No newline at end of file From d46713d7e01e46df17c49c299643aa06cbdc5cc6 Mon Sep 17 00:00:00 2001 From: ostempel Date: Thu, 4 Dec 2025 16:29:19 +0100 Subject: [PATCH 14/20] [skip ci] add zitadel config --- compose.yaml | 2 +- .../group_vars/control-plane/zitadel.yaml | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/compose.yaml b/compose.yaml index fddac0d5..54a6b6f4 100644 --- a/compose.yaml +++ b/compose.yaml 
@@ -9,7 +9,7 @@ services: # for developing role dependencies # TODO: make this a switch # - ${HOME}/.ansible/roles/ansible-common:/root/.ansible/roles/ansible-common:ro - - ${HOME}/.ansible/roles/metal-roles:/root/.ansible/roles/metal-roles:ro + # - ${HOME}/.ansible/roles/metal-roles:/root/.ansible/roles/metal-roles:ro # - ${HOME}/.ansible/roles/metal-ansible-modules:/root/.ansible/roles/metal-ansible-modules:ro # - ${HOME}/git/github.com/metal-stack/helm-charts:/helm-charts:ro environment: diff --git a/inventories/group_vars/control-plane/zitadel.yaml b/inventories/group_vars/control-plane/zitadel.yaml index a4f23698..724d8208 100644 --- a/inventories/group_vars/control-plane/zitadel.yaml +++ b/inventories/group_vars/control-plane/zitadel.yaml @@ -4,3 +4,22 @@ zitadel_ingress_dns: https://{{ zitadel_domain }}:4443 zitadel_admin_password: Password1! zitadel_master_key: x123456789012345678901234567891y zitadel_db_password: change-me + +zitadel_config: + static_users: + - first_name: Olli + last_name: Owner + email: olli.owner@metal-stack.io + password: Olli.Owner123! + - first_name: Gerrit + last_name: Guest + email: gerrit.guest@metal-stack.io + password: Gerrit.Guest123! + project: + id: metal-stack + name: metal-stack + application: + # later id will be added but currently not possible with zitadel + id: metal-stack + name: metal-stack + redirect_uri: http://v2.api.172.17.0.1.nip.io:8080/auth/openid-connect/callback From d6692b82f36040370e0b03c0749fbbb228001acb Mon Sep 17 00:00:00 2001 From: ostempel Date: Wed, 10 Dec 2025 10:25:29 +0100 Subject: [PATCH 15/20] use release vector for zitadel --- inventories/group_vars/all/release_vector.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/inventories/group_vars/all/release_vector.yaml b/inventories/group_vars/all/release_vector.yaml index e5eef4a3..e84890fb 100644 --- a/inventories/group_vars/all/release_vector.yaml +++ b/inventories/group_vars/all/release_vector.yaml 
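Review bot: The `redirect_uri` registered for the metal-stack application is plain `http://v2.api.172.17.0.1.nip.io:8080/auth/openid-connect/callback`, so the OIDC authorization code is handed back to the API server over cleartext even though Zitadel itself is only published over HTTPS (`zitadel_ingress_dns: https://{{ zitadel_domain }}:4443` a few lines above). It also hard-codes the `172.17.0.1.nip.io` host while the rest of the inventory derives the domain from `{{ metal_control_plane_ingress_dns }}`; because the provider matches registered redirect URIs exactly, changing the ingress DNS would break login without an obvious error. The two static users additionally ship with fixed passwords (`Olli.Owner123!`, `Gerrit.Guest123!`) in VCS. If the lab deliberately accepts all of this, a comment above `zitadel_config:` — `# lab-only: cleartext redirect and fixed test-user passwords, never reuse these values` — would keep it from being copied; otherwise template the host, e.g. `redirect_uri: http://v2.api.{{ metal_control_plane_ingress_dns }}:8080/auth/openid-connect/callback` (assuming that variable resolves to `172.17.0.1.nip.io` here), and move the passwords into a vaulted file.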
@@ -1,5 +1,5 @@ --- -metal_stack_release_version: develop +metal_stack_release_version: add-zitadel metal_stack_release_vectors: - url: oci://ghcr.io/metal-stack/releases:{{ metal_stack_release_version }} @@ -46,6 +46,5 @@ metal_roles_version: add-zitadel-role metal_helm_chart_version: 0.7.0 metal_helm_chart_repo: https://helm.metal-stack.io/pull_requests/make-oidc-secret-configurable - # further overrides can be looked up in the metal-role projects where the mapping is defined: # https://github.com/metal-stack/metal-roles/blob/master/defaults/main.yaml From 2686a3f635ddb5f31a1a476cde2310cdfa860946 Mon Sep 17 00:00:00 2001 From: ostempel Date: Thu, 11 Dec 2025 10:09:57 +0100 Subject: [PATCH 16/20] adjust to latest state of zitadel-role --- inventories/group_vars/control-plane/zitadel.yaml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/inventories/group_vars/control-plane/zitadel.yaml b/inventories/group_vars/control-plane/zitadel.yaml index 724d8208..f45059d2 100644 --- a/inventories/group_vars/control-plane/zitadel.yaml +++ b/inventories/group_vars/control-plane/zitadel.yaml @@ -1,11 +1,12 @@ --- -zitadel_ingress_dns: https://{{ zitadel_domain }}:4443 +zitadel_endpoint: zitadel.{{ metal_control_plane_namespace }}.svc.cluster.local +zitadel_external_domain: zitadel.{{ metal_control_plane_ingress_dns }} +zitadel_ingress_dns: https://{{ zitadel_external_domain }}:4443 +zitadel_port: 8080 +zitadel_skip_verify_tls: true +zitadel_insecure: true -zitadel_admin_password: Password1! -zitadel_master_key: x123456789012345678901234567891y -zitadel_db_password: change-me - -zitadel_config: +zitadel_init_config: static_users: - first_name: Olli last_name: Owner From 14aa47280125f9f0e2c31bc396c6fb12c0fa3ce7 Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Fri, 12 Dec 2025 14:32:32 +0100 Subject: [PATCH 17/20] Use release vektor pr --- inventories/group_vars/all/release_vector.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
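Review bot: `zitadel_skip_verify_tls: true` and `zitadel_insecure: true` disable transport security for whatever consumes these variables — presumably the bootstrap/init step of the external `metal-roles/control-plane/roles/zitadel` role, which now targets the in-cluster service `zitadel.{{ metal_control_plane_namespace }}.svc.cluster.local` on port `8080` — and if that step still authenticates with a PAT the way the deleted in-repo `zitadel-init` job did, the token travels without TLS verification. Inside the cluster that is a defensible lab shortcut, but nothing marks it as one, and a stray `true` in a production inventory would be easy to miss. I would add `# lab-only: init talks plain HTTP to the in-cluster service; keep TLS verification on outside mini-lab` directly above the two keys. The hunk also silently removes `zitadel_admin_password`, `zitadel_master_key` and `zitadel_db_password` from this file, so their values now come from role defaults; a comment stating which of them a real deployment must override would be worth adding here.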
diff --git a/inventories/group_vars/all/release_vector.yaml b/inventories/group_vars/all/release_vector.yaml index e84890fb..3db4dd70 100644 --- a/inventories/group_vars/all/release_vector.yaml +++ b/inventories/group_vars/all/release_vector.yaml @@ -15,7 +15,7 @@ metal_stack_release_vectors: # metal_api_image_name: # metal_api_image_tag: # metal_apiserver_image_name: -metal_apiserver_image_tag: pr-89 +# metal_apiserver_image_tag: pr-89 # metal_metalctl_image_name: # metal_metalctl_image_tag: # metal_masterdata_api_image_name: @@ -37,14 +37,14 @@ metal_apiserver_image_tag: pr-89 ## # ansible_common_version: -metal_roles_version: add-zitadel-role +# metal_roles_version: add-zitadel-role # metal_ansible_modules_version: ## ## helm charts ## -metal_helm_chart_version: 0.7.0 -metal_helm_chart_repo: https://helm.metal-stack.io/pull_requests/make-oidc-secret-configurable +# metal_helm_chart_version: 0.7.0 +# metal_helm_chart_repo: https://helm.metal-stack.io/pull_requests/make-oidc-secret-configurable # further overrides can be looked up in the metal-role projects where the mapping is defined: # https://github.com/metal-stack/metal-roles/blob/master/defaults/main.yaml From 17da49cf1ac7f374f92e175eb3520a4f95b52d5d Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Fri, 12 Dec 2025 14:53:21 +0100 Subject: [PATCH 18/20] final adjustments --- README.md | 19 +++++++++++++++++++ .../group_vars/all/release_vector.yaml | 6 +++--- .../group_vars/control-plane/metal.yml | 2 +- 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 84044c4d..057191fd 100644 --- a/README.md +++ b/README.md 
@@ -211,3 +211,22 @@ An Nginx is running inside of the www container to allow automatic testing of ou ![Network topology](docs/network.svg) > Figure 2: mini-lab network topology illustration. + +## V2 Quickstart + +Login with [cli](https://github.com/metal-stack/cli): + +```bash +$ metalctlv2 login --provider openid-connect +``` + +User: olli.owner@metal-stack.io +Password: Olli.Owner123! + +User: gerrit.guest@metal-stack.io +Password: Gerrit.Guest123! + +Zitadel Admin: + +User: admin@metal-stack.zitadel.172.17.0.1.nip.io +Password: Password1! diff --git a/inventories/group_vars/all/release_vector.yaml b/inventories/group_vars/all/release_vector.yaml index 3db4dd70..461c7b38 100644 --- a/inventories/group_vars/all/release_vector.yaml +++ b/inventories/group_vars/all/release_vector.yaml @@ -15,7 +15,7 @@ metal_stack_release_vectors: # metal_api_image_name: # metal_api_image_tag: # metal_apiserver_image_name: -# metal_apiserver_image_tag: pr-89 +metal_apiserver_image_tag: v0.1.1 # metal_metalctl_image_name: # metal_metalctl_image_tag: # metal_masterdata_api_image_name: @@ -37,14 +37,14 @@ metal_stack_release_vectors: ## # ansible_common_version: -# metal_roles_version: add-zitadel-role +metal_roles_version: v0.17.28 # metal_ansible_modules_version: ## ## helm charts ## -# metal_helm_chart_version: 0.7.0 +metal_helm_chart_version: 0.7.0 # metal_helm_chart_repo: https://helm.metal-stack.io/pull_requests/make-oidc-secret-configurable # further overrides can be looked up in the metal-role projects where the mapping is defined: # https://github.com/metal-stack/metal-roles/blob/master/defaults/main.yaml diff --git a/inventories/group_vars/control-plane/metal.yml b/inventories/group_vars/control-plane/metal.yml index ce4a82f2..441d6fce 100644 --- a/inventories/group_vars/control-plane/metal.yml +++ b/inventories/group_vars/control-plane/metal.yml 
@@ -18,7 +18,7 @@ metal_apiserver_oidc_discovery_url: https://zitadel.{{ metal_control_plane_ingre metal_apiserver_oidc_end_session_url: "https://zitadel.{{ metal_control_plane_ingress_dns }}:4443/oidc/v1/end_session" metal_apiserver_redis_password: change-me-soon -metal_apiserver_admin_subjects: "admin@metal-stack.zitadel.172.17.0.1.nip.io@oidc" +metal_apiserver_admin_subjects: "admin@metal-stack.zitadel.172.17.0.1.nip.io@openid-connect" metal_api_images: - id: firewall-ubuntu-3.0 From 48c7050917ff7168b88eaeadc2211b28918c9974 Mon Sep 17 00:00:00 2001 From: ostempel Date: Wed, 14 Jan 2026 15:12:48 +0100 Subject: [PATCH 19/20] use develop release --- inventories/group_vars/all/release_vector.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/inventories/group_vars/all/release_vector.yaml b/inventories/group_vars/all/release_vector.yaml index 461c7b38..f880f685 100644 --- a/inventories/group_vars/all/release_vector.yaml +++ b/inventories/group_vars/all/release_vector.yaml @@ -1,12 +1,11 @@ --- -metal_stack_release_version: add-zitadel +metal_stack_release_version: develop metal_stack_release_vectors: - url: oci://ghcr.io/metal-stack/releases:{{ metal_stack_release_version }} variable_mapping_path: metal_stack_release.mapping include_role_defaults: metal-roles/common/roles/defaults oci_cosign_verify_key: "{{ lookup('file', 'cosign.pub') }}" - ## ## for development purposes, you can override releases from our image vector here ## @@ -15,7 +14,7 @@ metal_stack_release_vectors: # metal_api_image_name: # metal_api_image_tag: # metal_apiserver_image_name: -metal_apiserver_image_tag: v0.1.1 +# metal_apiserver_image_tag: # metal_metalctl_image_name: # metal_metalctl_image_tag: # metal_masterdata_api_image_name: 
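Review bot: The new `metal_apiserver_admin_subjects` value hard-codes the issuer host `zitadel.172.17.0.1.nip.io` while the OIDC discovery and end-session URLs two lines above derive the same host from `{{ metal_control_plane_ingress_dns }}`. The admin login name appears to be built from the org and Zitadel's external domain (the README lists it as `admin@metal-stack.zitadel.172.17.0.1.nip.io`, and `zitadel_external_domain` is `zitadel.{{ metal_control_plane_ingress_dns }}`), so if the ingress DNS is ever changed the subject silently stops matching and the bootstrap admin loses its rights with no error. I would template it like its neighbours: `metal_apiserver_admin_subjects: "admin@metal-stack.zitadel.{{ metal_control_plane_ingress_dns }}@openid-connect"`. Since admin bootstrap here is a bare subject string, a comment noting that it must equal the IdP-issued login name exactly, including the `@openid-connect` provider suffix this commit corrects, would also help the next person who debugs a missing admin.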
@@ -37,14 +36,14 @@ metal_apiserver_image_tag: v0.1.1 ## # ansible_common_version: -metal_roles_version: v0.17.28 +# metal_roles_version: # metal_ansible_modules_version: ## ## helm charts ## -metal_helm_chart_version: 0.7.0 +# metal_helm_chart_version: # metal_helm_chart_repo: https://helm.metal-stack.io/pull_requests/make-oidc-secret-configurable # further overrides can be looked up in the metal-role projects where the mapping is defined: # https://github.com/metal-stack/metal-roles/blob/master/defaults/main.yaml From ff91e5766754414c9f6f079813185e3b3205cfbd Mon Sep 17 00:00:00 2001 From: Gerrit Date: Wed, 14 Jan 2026 15:14:59 +0100 Subject: [PATCH 20/20] Cleanup release vector file. --- inventories/group_vars/all/release_vector.yaml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/inventories/group_vars/all/release_vector.yaml b/inventories/group_vars/all/release_vector.yaml index f880f685..5ca134c2 100644 --- a/inventories/group_vars/all/release_vector.yaml +++ b/inventories/group_vars/all/release_vector.yaml @@ -6,6 +6,7 @@ metal_stack_release_vectors: variable_mapping_path: metal_stack_release.mapping include_role_defaults: metal-roles/common/roles/defaults oci_cosign_verify_key: "{{ lookup('file', 'cosign.pub') }}" + ## ## for development purposes, you can override releases from our image vector here ## @@ -23,9 +24,9 @@ metal_stack_release_vectors: # metal_console_image_tag: # metal_core_image_name: # metal_core_image_tag: -# headscale_image_tag: v0.26.1 -# headscale_db_backup_restore_sidecar_image_tag: latest -# headscale_db_backup_restore_sidecar_image_name: ghcr.io/metal-stack/backup-restore-sidecar +# headscale_image_tag: +# headscale_db_backup_restore_sidecar_image_tag: +# headscale_db_backup_restore_sidecar_image_name: # headscale_db_image_tag: 17-alpine # headscale_db_image_name: postgres # ... 
@@ -44,6 +45,6 @@ metal_stack_release_vectors: ## # metal_helm_chart_version: -# metal_helm_chart_repo: https://helm.metal-stack.io/pull_requests/make-oidc-secret-configurable -# further overrides can be looked up in the metal-role projects where the mapping is defined: -# https://github.com/metal-stack/metal-roles/blob/master/defaults/main.yaml +# metal_helm_chart_repo: +# further overrides can be looked up in metal-roles where the mapping is defined: +# https://github.com/metal-stack/metal-roles/blob/master/common/roles/defaults/defaults/main.yaml