From 66b6125e8c3001031800e21d7f49fa2b27e9490c Mon Sep 17 00:00:00 2001 From: Kochetkov S Date: Mon, 13 Apr 2026 15:34:22 +0300 Subject: [PATCH 1/4] add isito-config --- .../istio-config/base/helmrelease.yaml | 29 +++++++++++++++++++ .../istio-config/base/kustomization.yaml | 4 +++ .../istio-config/kustomization.yaml | 4 +++ infrastructure/kustomization.yaml | 1 + 4 files changed, 38 insertions(+) create mode 100644 infrastructure/istio-config/base/helmrelease.yaml create mode 100644 infrastructure/istio-config/base/kustomization.yaml create mode 100644 infrastructure/istio-config/kustomization.yaml diff --git a/infrastructure/istio-config/base/helmrelease.yaml b/infrastructure/istio-config/base/helmrelease.yaml new file mode 100644 index 0000000..ead32d5 --- /dev/null +++ b/infrastructure/istio-config/base/helmrelease.yaml @@ -0,0 +1,29 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: istio-config + namespace: default +spec: + interval: 10m + dependsOn: + - name: istio-base + namespace: istio-system + - name: istiod + namespace: istio-system + - name: ingressgateway + namespace: istio-system + chart: + spec: + chart: istio-config-contour + version: "0.1.0" + sourceRef: + kind: HelmRepository + name: yc-oci-charts + namespace: flux-system + interval: 10m + install: + remediation: + retries: 3 + upgrade: + remediation: + retries: 3 diff --git a/infrastructure/istio-config/base/kustomization.yaml b/infrastructure/istio-config/base/kustomization.yaml new file mode 100644 index 0000000..4fd939d --- /dev/null +++ b/infrastructure/istio-config/base/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - helmrelease.yaml diff --git a/infrastructure/istio-config/kustomization.yaml b/infrastructure/istio-config/kustomization.yaml new file mode 100644 index 0000000..3c2f51f --- /dev/null +++ b/infrastructure/istio-config/kustomization.yaml 
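Review bot: `metadata.namespace: default` places this infrastructure HelmRelease in the `default` namespace, whereas every other HelmRelease target on this page has a dedicated one (`ingressgateway` in istio-system, `dashboard` in kubernetes-dashboard), and the resources it manages are later configured for the `gateway` namespace, so nothing ties the release to `default`. Helm keeps the release-history secrets in the release namespace, so leaving it there mixes infrastructure state with whatever workloads land in `default`; `namespace: istio-system` (matching the three `dependsOn` entries) or a dedicated namespace is the usual choice, and the `target.namespace` of the matching entry in the cluster kustomization has to change in step. The base carries no `values`, so on a cluster without the per-cluster patch the chart installs with its own defaults — fine if those render nothing, but worth a one-line comment above `spec:` saying that all routing values come from the cluster patch.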
@@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./base diff --git a/infrastructure/kustomization.yaml b/infrastructure/kustomization.yaml index bf9be00..4f9e07e 100644 --- a/infrastructure/kustomization.yaml +++ b/infrastructure/kustomization.yaml @@ -15,6 +15,7 @@ resources: - redis - s3-proxy - istio-base + - istio-config - istio-pilot - istio-gateway - zitadel From ded0022fd9a418660ddf5bd71a1ef7a6454c521e Mon Sep 17 00:00:00 2001 From: Kochetkov S Date: Mon, 13 Apr 2026 16:17:37 +0300 Subject: [PATCH 2/4] add isito-config --- .../infrastructure/kustomization.yaml | 14 +- .../infrastructure/patches/camunda.yaml | 2 - .../patches/dashboard-certificate.yaml | 8 - .../infrastructure/patches/dashboard.yaml | 42 +-- .../infrastructure/patches/istio-config.yaml | 282 ++++++++++++++++++ .../infrastructure/patches/rabbitmq.yaml | 29 +- .../infrastructure/patches/zitadel.yaml | 2 +- .../dashboard/base/certificate.yaml | 12 - .../dashboard/base/kustomization.yaml | 1 - 9 files changed, 295 insertions(+), 97 deletions(-) delete mode 100644 clusters/yc-k8s-test/infrastructure/patches/dashboard-certificate.yaml create mode 100644 clusters/yc-k8s-test/infrastructure/patches/istio-config.yaml delete mode 100644 infrastructure/dashboard/base/certificate.yaml diff --git a/clusters/yc-k8s-test/infrastructure/kustomization.yaml b/clusters/yc-k8s-test/infrastructure/kustomization.yaml index 97d575b..ec4211c 100644 --- a/clusters/yc-k8s-test/infrastructure/kustomization.yaml +++ b/clusters/yc-k8s-test/infrastructure/kustomization.yaml @@ -31,6 +31,13 @@ patches: kind: HelmRelease name: ingressgateway namespace: istio-system + - path: ./patches/istio-config.yaml + target: + group: helm.toolkit.fluxcd.io + version: v2 + kind: HelmRelease + name: istio-config + namespace: default - path: ./patches/dashboard.yaml target: group: helm.toolkit.fluxcd.io 
@@ -38,13 +45,6 @@ patches: kind: HelmRelease name: dashboard namespace: kubernetes-dashboard - - path: ./patches/dashboard-certificate.yaml - target: - group: cert-manager.io - version: v1 - kind: Certificate - name: dashboard-tls - namespace: istio-system - path: ./patches/clusterissuer-letsencrypt.yaml target: group: cert-manager.io diff --git a/clusters/yc-k8s-test/infrastructure/patches/camunda.yaml b/clusters/yc-k8s-test/infrastructure/patches/camunda.yaml index a81bb0c..f7b99c4 100644 --- a/clusters/yc-k8s-test/infrastructure/patches/camunda.yaml +++ b/clusters/yc-k8s-test/infrastructure/patches/camunda.yaml @@ -26,8 +26,6 @@ spec: redirectUrl: "https://camunda-web-modeler.contour.infra.sarex.tech" console: redirectUrl: "https://camunda-console.contour.infra.sarex.tech" - virtualService: [] - gateway: [] identityPostgresql: primary: persistence: diff --git a/clusters/yc-k8s-test/infrastructure/patches/dashboard-certificate.yaml b/clusters/yc-k8s-test/infrastructure/patches/dashboard-certificate.yaml deleted file mode 100644 index ad191c8..0000000 --- a/clusters/yc-k8s-test/infrastructure/patches/dashboard-certificate.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: dashboard-tls - namespace: istio-system -spec: - dnsNames: - - dashboard.contour.infra.sarex.tech diff --git a/clusters/yc-k8s-test/infrastructure/patches/dashboard.yaml b/clusters/yc-k8s-test/infrastructure/patches/dashboard.yaml index 8346a1e..5a7bd7d 100644 --- a/clusters/yc-k8s-test/infrastructure/patches/dashboard.yaml +++ b/clusters/yc-k8s-test/infrastructure/patches/dashboard.yaml 
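Review bot: Removing `virtualService: []` and `gateway: []` from the camunda patch hands those keys back to the base release or the chart default, while the rabbitmq patch in the same commit removes the equivalent keys explicitly with `virtualService: null`, `gateway: null`, `certificate: null`; the two patches express the same move to istio-config in opposite ways. If the camunda chart's default for either key renders a Gateway or VirtualService, it will claim the same `camunda-*.contour.infra.sarex.tech` hosts the new istio-config release now routes, and two Istio resources competing for one host fails silently; setting the keys to `null` here as well (or to whatever disabled form the chart documents) makes the intent explicit. The enclosing `spec.values` mapping starts and continues outside the hunk.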
@@ -11,47 +11,10 @@ spec: enabled: true host: "dashboard-kong-proxy" tlsMode: "DISABLE" - virtualService: - enabled: true - annotations: {} - labels: {} - name: dashboard-virt-service - namespace: kubernetes-dashboard - gateways: - - istio-system/dashboard-gateway - hosts: - - dashboard.contour.infra.sarex.tech - http: - - match: - uriPrefix: / - route: - destination: - host: dashboard-kong-proxy - port: 80 - + enabled: false gateway: - enabled: true - name: dashboard-gateway - namespace: istio-system - selector: - istio: ingressgateway - servers: - - hosts: - - dashboard.contour.infra.sarex.tech - port: - name: https-443 - number: 443 - protocol: HTTPS - tls: - credentialName: dashboard-tls - mode: SIMPLE - - hosts: - - dashboard.contour.infra.sarex.tech - port: - name: http-80 - number: 80 - protocol: HTTP + enabled: false app: image: pullSecrets: @@ -60,4 +23,3 @@ spec: image: pullSecrets: - regcred - diff --git a/clusters/yc-k8s-test/infrastructure/patches/istio-config.yaml b/clusters/yc-k8s-test/infrastructure/patches/istio-config.yaml new file mode 100644 index 0000000..1b16c9a --- /dev/null +++ b/clusters/yc-k8s-test/infrastructure/patches/istio-config.yaml 
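Review bot: The `virtualService:` key line is removed (`-  virtualService:`) while `+  enabled: false` is still added in its place, so that `enabled: false` has no parent — as rendered here it either lands in the mapping above, where it duplicates the `enabled: true` that sits next to `host: "dashboard-kong-proxy"` (most parsers keep the last value, silently switching that block off), or it is an indentation error. The `gateway:` key further down is handled correctly; keep `virtualService:` the same way, i.e. `virtualService:` as a context line followed by `  enabled: false`. Secondly, the Gateway removed here lived in istio-system with `selector: istio: ingressgateway`, while the replacement declared in istio-config sits in namespace `gateway` with no selector visible in its values — confirm the chart sets the same workload selector, or no ingress gateway will serve `dashboard.contour.infra.sarex.tech` after this lands. The `spec.values` mapping continues outside the hunk.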
@@ -0,0 +1,282 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: istio-config + namespace: default +spec: + interval: 5m + timeout: 10m + values: + global: + env: contour + environments: + contour: + certManager: + certificates: + minio-tls: + dnsNames: + - minio.contour.infra.sarex.tech + issuerRef: + name: letsencrypt-issuer-istio + kind: ClusterIssuer + zitadel-tls: + dnsNames: + - zitadel.contour.infra.sarex.tech + issuerRef: + name: letsencrypt-issuer-istio + kind: ClusterIssuer + dashboard-tls: + dnsNames: + - dashboard.contour.infra.sarex.tech + issuerRef: + name: letsencrypt-issuer-istio + kind: ClusterIssuer + rabbitmq-tls: + dnsNames: + - rabbitmq.contour.infra.sarex.tech + issuerRef: + name: letsencrypt-issuer-istio + kind: ClusterIssuer + keycloak-tls: + dnsNames: + - keycloak.contour.infra.sarex.tech + issuerRef: + name: letsencrypt-issuer-istio + kind: ClusterIssuer + camunda-keycloak-tls: + dnsNames: + - camunda-keycloak.contour.infra.sarex.tech + issuerRef: + name: letsencrypt-issuer-istio + kind: ClusterIssuer + camunda-identity-tls: + dnsNames: + - camunda-identity.contour.infra.sarex.tech + issuerRef: + name: letsencrypt-issuer-istio + kind: ClusterIssuer + camunda-operate-tls: + dnsNames: + - camunda-operate.contour.infra.sarex.tech + issuerRef: + name: letsencrypt-issuer-istio + kind: ClusterIssuer + camunda-tasklist-tls: + dnsNames: + - camunda-tasklist.contour.infra.sarex.tech + issuerRef: + name: letsencrypt-issuer-istio + kind: ClusterIssuer + camunda-optimize-tls: + dnsNames: + - camunda-optimize.contour.infra.sarex.tech + issuerRef: + name: letsencrypt-issuer-istio + kind: ClusterIssuer + istio: + gateways: + minio: + name: minio-gateway + namespace: gateway + servers: + - hosts: + - minio.contour.infra.sarex.tech + tls: + credentialName: minio-tls + - hosts: + - minio.contour.infra.sarex.tech + zitadel: + name: zitadel-gateway + namespace: gateway + servers: + - hosts: + - zitadel.contour.infra.sarex.tech + 
tls: + credentialName: zitadel-tls + - hosts: + - zitadel.contour.infra.sarex.tech + dashboard: + name: dashboard-gateway + namespace: gateway + servers: + - hosts: + - dashboard.contour.infra.sarex.tech + tls: + credentialName: dashboard-tls + - hosts: + - dashboard.contour.infra.sarex.tech + rabbitmq: + name: rabbitmq-gateway + namespace: gateway + servers: + - hosts: + - rabbitmq.contour.infra.sarex.tech + tls: + credentialName: rabbitmq-tls + - hosts: + - rabbitmq.contour.infra.sarex.tech + keycloak: + name: keycloak-gateway + namespace: gateway + servers: + - hosts: + - keycloak.contour.infra.sarex.tech + tls: + credentialName: keycloak-tls + - hosts: + - keycloak.contour.infra.sarex.tech + camunda: + name: camunda-gateway + namespace: gateway + servers: + - hosts: + - camunda-keycloak.contour.infra.sarex.tech + tls: + credentialName: camunda-keycloak-tls + - hosts: + - camunda-keycloak.contour.infra.sarex.tech + - hosts: + - camunda-identity.contour.infra.sarex.tech + tls: + credentialName: camunda-identity-tls + - hosts: + - camunda-identity.contour.infra.sarex.tech + - hosts: + - camunda-operate.contour.infra.sarex.tech + tls: + credentialName: camunda-operate-tls + - hosts: + - camunda-operate.contour.infra.sarex.tech + - hosts: + - camunda-tasklist.contour.infra.sarex.tech + tls: + credentialName: camunda-tasklist-tls + - hosts: + - camunda-tasklist.contour.infra.sarex.tech + - hosts: + - camunda-optimize.contour.infra.sarex.tech + tls: + credentialName: camunda-optimize-tls + - hosts: + - camunda-optimize.contour.infra.sarex.tech + virtualServices: + minio: + name: minio-virt-service + namespace: gateway + hosts: + - minio.contour.infra.sarex.tech + gateways: + - gateway/minio-gateway + routes: + - path: + prefix: / + service: minio-minio-contour-console.minio.svc.cluster.local + port: 9001 + zitadel: + name: zitadel-virt-service + namespace: gateway + hosts: + - zitadel.contour.infra.sarex.tech + gateways: + - gateway/zitadel-gateway + routes: + - path: 
+ prefix: / + service: zitadel-idp-contour.zitadel.svc.cluster.local + port: 8080 + dashboard: + name: dashboard-virt-service + namespace: gateway + hosts: + - dashboard.contour.infra.sarex.tech + gateways: + - gateway/dashboard-gateway + routes: + - path: + prefix: / + service: dashboard-kong-proxy.kubernetes-dashboard.svc.cluster.local + port: 80 + rabbitmq: + name: rabbitmq-virt-service + namespace: gateway + hosts: + - rabbitmq.contour.infra.sarex.tech + gateways: + - gateway/rabbitmq-gateway + routes: + - path: + prefix: / + service: rabbitmq.rabbitmq.svc.cluster.local + port: 15672 + keycloak: + name: keycloak-virt-service + namespace: gateway + hosts: + - keycloak.contour.infra.sarex.tech + gateways: + - gateway/keycloak-gateway + routes: + - path: + prefix: / + service: keycloak-keycloak-contour.keycloak.svc.cluster.local + port: 80 + camunda-keycloak: + name: camunda-keycloak-virt-service + namespace: gateway + hosts: + - camunda-keycloak.contour.infra.sarex.tech + gateways: + - gateway/camunda-gateway + routes: + - path: + prefix: / + service: camunda-keycloak.camunda.svc.cluster.local + port: 80 + camunda-identity: + name: camunda-identity-virt-service + namespace: gateway + hosts: + - camunda-identity.contour.infra.sarex.tech + gateways: + - gateway/camunda-gateway + routes: + - path: + prefix: / + service: camunda-identity.camunda.svc.cluster.local + port: 80 + camunda-operate: + name: camunda-operate-virt-service + namespace: gateway + hosts: + - camunda-operate.contour.infra.sarex.tech + gateways: + - gateway/camunda-gateway + routes: + - path: + prefix: / + service: camunda-operate.camunda.svc.cluster.local + port: 80 + camunda-tasklist: + name: camunda-tasklist-virt-service + namespace: gateway + hosts: + - camunda-tasklist.contour.infra.sarex.tech + gateways: + - gateway/camunda-gateway + routes: + - path: + prefix: / + service: camunda-tasklist.camunda.svc.cluster.local + port: 80 + camunda-optimize: + name: camunda-optimize-virt-service + 
namespace: gateway + hosts: + - camunda-optimize.contour.infra.sarex.tech + gateways: + - gateway/camunda-gateway + routes: + - path: + prefix: / + service: camunda-optimize.camunda.svc.cluster.local + port: 80 diff --git a/clusters/yc-k8s-test/infrastructure/patches/rabbitmq.yaml b/clusters/yc-k8s-test/infrastructure/patches/rabbitmq.yaml index 1417955..179d834 100644 --- a/clusters/yc-k8s-test/infrastructure/patches/rabbitmq.yaml +++ b/clusters/yc-k8s-test/infrastructure/patches/rabbitmq.yaml @@ -10,6 +10,9 @@ spec: global: security: allowInsecureImages: true + virtualService: null + gateway: null + certificate: null metrics: serviceMonitor: enabled: false @@ -20,32 +23,6 @@ spec: detailed: enabled: false extraServiceMonitors: [] - virtualService: - rabbitmq: - hosts: - - rabbitmq.contour.infra.sarex.tech - gateway: - grafana: - servers: - - hosts: - - rabbitmq.contour.infra.sarex.tech - port: - name: https-443 - number: 443 - protocol: HTTPS - tls: - credentialName: rmq-tls - mode: SIMPLE - - hosts: - - rabbitmq.contour.infra.sarex.tech - port: - name: http-80 - number: 80 - protocol: HTTP - certificate: - rabbitmq: - dnsNames: - - rabbitmq.contour.infra.sarex.tech replicaCount: 1 resources: requests: diff --git a/clusters/yc-k8s-test/infrastructure/patches/zitadel.yaml b/clusters/yc-k8s-test/infrastructure/patches/zitadel.yaml index f39c18d..cf311c3 100644 --- a/clusters/yc-k8s-test/infrastructure/patches/zitadel.yaml +++ b/clusters/yc-k8s-test/infrastructure/patches/zitadel.yaml @@ -9,7 +9,7 @@ spec: values: zitadel: configmapConfig: - ExternalDomain: login.contour.infra.sarex.tech + ExternalDomain: zitadel.contour.infra.sarex.tech login: env: - name: ZITADEL_DATABASE_POSTGRES_HOST diff --git a/infrastructure/dashboard/base/certificate.yaml b/infrastructure/dashboard/base/certificate.yaml deleted file mode 100644 index f33424c..0000000 --- a/infrastructure/dashboard/base/certificate.yaml +++ /dev/null 
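Review bot: The values put every Gateway in `namespace: gateway` and reference TLS secrets by `credentialName` (`minio-tls`, `zitadel-tls`, … `camunda-optimize-tls`), but an Istio ingress gateway loads `credentialName` secrets from the namespace its own pods run in — `istio-system` per the base HelmRelease's `dependsOn`, and also where the `Certificate` this commit deletes used to live. The `certManager.certificates` entries carry no namespace, so please confirm the chart emits them (and their `secretName`) into the ingress gateway's namespace; otherwise every HTTPS server here fails to load its certificate and the hosts answer with a TLS error. Separately, this publishes the RabbitMQ management UI (`port: 15672`), the MinIO console (`port: 9001`) and the Kubernetes dashboard on Let's Encrypt-issued hostnames with only application login in front; if the chart exposes a values key for an `AuthorizationPolicy` or source-IP restriction, those three gateways are the ones to use it on. A short header comment after `values:`, e.g. `# one Gateway + VirtualService + Certificate per exposed service; TLS secrets must live where the ingress gateway runs`, would record the contract. The file is a single hunk, so nothing is cut off.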
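Review bot: The three new `virtualService: null`, `gateway: null`, `certificate: null` entries are inserted between `allowInsecureImages: true` and `metrics:`, and with indentation lost in this view it is not visible whether they sit at the top level of `values` (the level at which the second hunk removes the old `virtualService`/`gateway`/`certificate` blocks, next to `replicaCount`) or inside `global`/`global.security`; only the top-level position removes the old keys. A `null` in a kustomize patch deletes the field from the target, so after this the chart's own defaults for those keys apply — worth confirming they are off, otherwise the chart re-creates a Gateway for `rabbitmq.contour.infra.sarex.tech` next to the one istio-config now owns. A one-line comment on the first entry, `# null drops the key from the base release; routing and TLS now come from istio-config`, would spare the next reader the same question. `spec.values` continues outside the hunk.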
@@ -1,12 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: dashboard-tls - namespace: istio-system -spec: - secretName: dashboard-tls - issuerRef: - kind: ClusterIssuer - name: letsencrypt-issuer-istio - dnsNames: - - dashboard.example.local diff --git a/infrastructure/dashboard/base/kustomization.yaml b/infrastructure/dashboard/base/kustomization.yaml index 8ff011b..0370974 100644 --- a/infrastructure/dashboard/base/kustomization.yaml +++ b/infrastructure/dashboard/base/kustomization.yaml @@ -3,4 +3,3 @@ kind: Kustomization resources: - namespace.yaml - helmrelease.yaml - - certificate.yaml From 72d6217ad7cb3461516710529bbc35ebd8c6d13d Mon Sep 17 00:00:00 2001 From: Kochetkov S Date: Mon, 13 Apr 2026 16:21:18 +0300 Subject: [PATCH 3/4] add isito-config --- .../infrastructure/patches/istio-config.yaml | 20 ------------------- 1 file changed, 20 deletions(-) diff --git a/clusters/yc-k8s-test/infrastructure/patches/istio-config.yaml b/clusters/yc-k8s-test/infrastructure/patches/istio-config.yaml index 1b16c9a..44d4ceb 100644 --- a/clusters/yc-k8s-test/infrastructure/patches/istio-config.yaml +++ b/clusters/yc-k8s-test/infrastructure/patches/istio-config.yaml @@ -83,8 +83,6 @@ spec: - minio.contour.infra.sarex.tech tls: credentialName: minio-tls - - hosts: - - minio.contour.infra.sarex.tech zitadel: name: zitadel-gateway namespace: gateway @@ -93,8 +91,6 @@ spec: - zitadel.contour.infra.sarex.tech tls: credentialName: zitadel-tls - - hosts: - - zitadel.contour.infra.sarex.tech dashboard: name: dashboard-gateway namespace: gateway @@ -103,8 +99,6 @@ spec: - dashboard.contour.infra.sarex.tech tls: credentialName: dashboard-tls - - hosts: - - dashboard.contour.infra.sarex.tech rabbitmq: name: rabbitmq-gateway namespace: gateway @@ -113,8 +107,6 @@ spec: - rabbitmq.contour.infra.sarex.tech tls: credentialName: rabbitmq-tls - - hosts: - - rabbitmq.contour.infra.sarex.tech keycloak: name: keycloak-gateway namespace: gateway 
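Review bot: This hunk and the five that follow (`@@ -93`, `@@ -103`, `@@ -113`, `@@ -123`, `@@ -133`) drop the second, TLS-less `- hosts:` entry from every Gateway, leaving each with only the HTTPS server; if the chart rendered those entries as a port-80 listener with an HTTPS redirect, plain `http://` requests to these hosts now get no listener at all instead of a redirect, whereas if they served plaintext the removal is the right hardening. The commit message (`add isito-config`, identical to the two commits before it) does not say which, so please state the intent there and, if a redirect is wanted, use the redirect option the chart exposes rather than a bare plaintext server. Each `servers:` list starts outside its hunk.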
@@ -123,8 +115,6 @@ spec: - keycloak.contour.infra.sarex.tech tls: credentialName: keycloak-tls - - hosts: - - keycloak.contour.infra.sarex.tech camunda: name: camunda-gateway namespace: gateway @@ -133,32 +123,22 @@ spec: - camunda-keycloak.contour.infra.sarex.tech tls: credentialName: camunda-keycloak-tls - - hosts: - - camunda-keycloak.contour.infra.sarex.tech - hosts: - camunda-identity.contour.infra.sarex.tech tls: credentialName: camunda-identity-tls - - hosts: - - camunda-identity.contour.infra.sarex.tech - hosts: - camunda-operate.contour.infra.sarex.tech tls: credentialName: camunda-operate-tls - - hosts: - - camunda-operate.contour.infra.sarex.tech - hosts: - camunda-tasklist.contour.infra.sarex.tech tls: credentialName: camunda-tasklist-tls - - hosts: - - camunda-tasklist.contour.infra.sarex.tech - hosts: - camunda-optimize.contour.infra.sarex.tech tls: credentialName: camunda-optimize-tls - - hosts: - - camunda-optimize.contour.infra.sarex.tech virtualServices: minio: name: minio-virt-service From b139322a14504ed926df82d5efc007ea8857fe6c Mon Sep 17 00:00:00 2001 From: Kochetkov S Date: Mon, 13 Apr 2026 16:38:07 +0300 Subject: [PATCH 4/4] add missing zitadel env --- clusters/yc-k8s-test/infrastructure/patches/zitadel.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/clusters/yc-k8s-test/infrastructure/patches/zitadel.yaml b/clusters/yc-k8s-test/infrastructure/patches/zitadel.yaml index cf311c3..7743b9a 100644 --- a/clusters/yc-k8s-test/infrastructure/patches/zitadel.yaml +++ b/clusters/yc-k8s-test/infrastructure/patches/zitadel.yaml @@ -12,6 +12,8 @@ spec: ExternalDomain: zitadel.contour.infra.sarex.tech login: env: + - name: ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_REQUIRED + value: "false" - name: ZITADEL_DATABASE_POSTGRES_HOST value: "postgresql.postgresql.svc.cluster.local" - name: ZITADEL_DATABASE_POSTGRES_PORT 
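Review bot: `ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_REQUIRED` with `value: "false"` is now added to two separate `env` lists (this hunk and the next, `@@ -32,6 +34,8 @@`) that already duplicate the Postgres entries, so the two copies can drift apart silently. If both lists must stay identical, a comment on each, `# keep in sync with the other env list in this file`, or a single shared values key the chart fans out (if it offers one) would make that explicit; the quoted `"false"` is correct, since an env value has to stay a string. Both `env` lists continue past their hunks.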
@@ -32,6 +34,8 @@ spec: name: postgresql-secret key: password env: + - name: ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_REQUIRED + value: "false" - name: ZITADEL_DATABASE_POSTGRES_HOST value: "postgresql.postgresql.svc.cluster.local" - name: ZITADEL_DATABASE_POSTGRES_PORT