diff --git a/dagger/go.mod b/dagger/go.mod
index f813960b..25045c7e 100644
--- a/dagger/go.mod
+++ b/dagger/go.mod
@@ -38,10 +38,10 @@ require (
 	golang.org/x/sync v0.9.0
 	golang.org/x/sys v0.27.0 // indirect
 	golang.org/x/text v0.20.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241113202542-65e8d215514f // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f // indirect
 	google.golang.org/grpc v1.68.0
-	google.golang.org/protobuf v1.35.1 // indirect
+	google.golang.org/protobuf v1.35.2 // indirect
 )
 
 replace go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc => go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.0.0-20240518090000-14441aefdf88
diff --git a/dagger/go.sum b/dagger/go.sum
index 61978981..aa743a65 100644
--- a/dagger/go.sum
+++ b/dagger/go.sum
@@ -85,14 +85,14 @@ golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
 golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
 golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
-google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 h1:M0KvPgPmDZHPlbRbaNU1APr28TvwvvdUPlSv7PUvy8g=
-google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:dguCy7UOdZhTvLzDyt15+rOrawrpM4q7DD9dQ1P11P4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 h1:XVhgTWWV3kGQlwJHR3upFWZeTsei6Oks1apkZSeonIE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
+google.golang.org/genproto/googleapis/api v0.0.0-20241113202542-65e8d215514f h1:M65LEviCfuZTfrfzwwEoxVtgvfkFkBUbFnRbxCXuXhU=
+google.golang.org/genproto/googleapis/api v0.0.0-20241113202542-65e8d215514f/go.mod h1:Yo94eF2nj7igQt+TiJ49KxjIH8ndLYPZMIRSiRcEbg0=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f h1:C1QccEa9kUwvMgEUORqQD9S17QesQijxjZ84sO82mfo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241113202542-65e8d215514f/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
 google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0=
 google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA=
-google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
-google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io=
+google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/security/base/cert-manager/vault-clusterissuer.yaml b/security/base/cert-manager/vault-clusterissuer.yaml
index f4e61ae7..326ca93d 100644
--- a/security/base/cert-manager/vault-clusterissuer.yaml
+++ b/security/base/cert-manager/vault-clusterissuer.yaml
@@ -11,7 +11,7 @@ spec:
     auth:
       appRole:
         path: approle
-        roleId: d346bc9e-91d2-a440-023a-14f32dc03072 # !! This value changes each time I recreate the whole platform
+        roleId: a927b9fe-616c-09f7-8b60-8fafb99f737f # !! This value changes each time I recreate the whole platform
         secretRef:
           name: cert-manager-vault-approle
           key: secret_id
diff --git a/tooling/base/headlamp/rbac-admin.yaml b/security/base/rbac/admin.yaml
similarity index 53%
rename from tooling/base/headlamp/rbac-admin.yaml
rename to security/base/rbac/admin.yaml
index 15c574fb..f3e86016 100644
--- a/tooling/base/headlamp/rbac-admin.yaml
+++ b/security/base/rbac/admin.yaml
@@ -1,11 +1,11 @@
-# Giving me all the perms. Looking for a way to assign to a group instead of a user (Google Groups)
+# Permissions based on groups retrieved from Zitadel
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: admin-user-clusterrolebinding
+  name: ogenki-admin
 subjects:
-  - kind: User
-    name: smaine.kahlouch@ogenki.io
+  - kind: Group
+    name: admin
     apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole
diff --git a/security/base/rbac/kustomization.yaml b/security/base/rbac/kustomization.yaml
new file mode 100644
index 00000000..c7c912ac
--- /dev/null
+++ b/security/base/rbac/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: security
+
+resources:
+  - admin.yaml
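Review bot: The new `roleId` literal is the second hand-edited value for this field, and the trailing `# !!` comment confirms it drifts on every platform rebuild; since cert-manager's `appRole.roleId` is a plain string rather than a secretRef, the churn is better stopped on the Vault side than chased in this manifest. Vault's AppRole backend allows the role ID to be set explicitly (the `role_id` field of `auth/approle/role/<role-name>/role-id`), so the bootstrap that recreates the platform can write a fixed value and this file never changes again. The role ID alone does not authenticate (the `secret_id` stays in the referenced Secret), but every rotation also leaves a stale half of the credential pair in git history, which is worth avoiding. I'd replace the `# !!` comment with one that states the provenance, e.g. `# roleId is pinned by the Vault bootstrap (see <bootstrap location>); do not edit by hand`. The enclosing `spec` block starts before the hunk, so the Vault server and mount settings are not visible here.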
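Review bot: Binding the bare group name `admin` (the added `name: admin` line) to a ClusterRole is collision-prone: the API server compares the string exactly against whatever groups the authenticator attaches, so any identity source on this cluster that emits a group called `admin` — not only the Zitadel role the header comment has in mind — receives this binding. Prefer a name that is unambiguous for this identity provider, either by configuring a groups prefix where the cluster's OIDC settings are managed (kube-apiserver's `--oidc-groups-prefix`, or the equivalent in the auth proxy in use) and binding the prefixed form, or by naming the Zitadel role itself more specifically, e.g. `name: zitadel:admin`. The `roleRef` name lies outside the hunk, so I can't see which ClusterRole is granted; if it is `cluster-admin`, the header comment should say so, e.g. `# Grants cluster-admin to members of the Zitadel "admin" group`.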
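Review bot: `namespace: security` in the new kustomization has no effect on the only resource it lists — ClusterRoleBinding is cluster-scoped, and as far as I can tell kustomize's namespace transformer only touches ServiceAccount subjects of such bindings — yet a reader could take it to mean the binding is confined to that namespace. Either drop the field or annotate it, e.g. `namespace: security # inert for the cluster-scoped binding below; kept for consistency with sibling bases`.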
diff --git a/security/base/zitadel/sqlinstance.yaml b/security/base/zitadel/sqlinstance.yaml
index 6d533d3d..5f12f003 100644
--- a/security/base/zitadel/sqlinstance.yaml
+++ b/security/base/zitadel/sqlinstance.yaml
@@ -10,7 +10,7 @@ spec:
   createSuperuser: true
   objectStoreRecovery:
     bucketName: "eu-west-3-ogenki-cnpg-backups"
-    path: "zitadel-20241111"
+    path: "zitadel-20241116"
   backup:
     schedule: "0 0 * * *"
     bucketName: "eu-west-3-ogenki-cnpg-backups"
diff --git a/security/mycluster-0/kustomization.yaml b/security/mycluster-0/kustomization.yaml
index b17f72b4..0f92a0b3 100644
--- a/security/mycluster-0/kustomization.yaml
+++ b/security/mycluster-0/kustomization.yaml
@@ -5,5 +5,6 @@ resources:
   - ../base/kyverno
   - ../base/cert-manager
   - ../base/vault-snapshot
+  - ../base/rbac
   - ../base/zitadel
   - external-secrets
diff --git a/tooling/base/headlamp/kustomization.yaml b/tooling/base/headlamp/kustomization.yaml
index 8ed3537b..db40b5b7 100644
--- a/tooling/base/headlamp/kustomization.yaml
+++ b/tooling/base/headlamp/kustomization.yaml
@@ -5,4 +5,3 @@ resources:
   - externalsecret-zitadel-envvars.yaml
   - httproute.yaml
   - helmrelease.yaml
-  - rbac-admin.yaml