GitOps Mode on an existing Kubernetes cluster

What I need

I'd like to have a reproducible ZITADEL environment and a pull-based configuration management for safe and comfortable day-two operations.

First, copy the template files database.yml and zitadel.yml to the root of a new git repository. Then adjust the values in database.yml and zitadel.yml to match your environment. The values for the domain, cluster DNS, storage class, email and Twilio are especially important.

Now open a terminal and execute the following commands.

```bash
# Download the zitadelctl binary
curl -s https://api.github.com/repos/caos/zitadel/releases/latest | grep "browser_download_url.*zitadelctl-$(uname | awk '{print tolower($0)}')-amd64" | cut -d '"' -f 4 | sudo wget -i - -O /usr/local/bin/zitadelctl && sudo chmod +x /usr/local/bin/zitadelctl && sudo chown $(id -u):$(id -g) /usr/local/bin/zitadelctl

# Create an orb file at ${HOME}/.orb/config (it holds the repository URL and the generated master key)
MY_GIT_REPO="git@github.com:me/my-orb.git"
zitadelctl --gitops configure --repourl ${MY_GIT_REPO} --masterkey "$(openssl rand -base64 21)"

# Write the Twilio sender ID and auth token so that ZITADEL is able to send your users SMS.
TWILIO_SID=<My Twilio Sender ID>
TWILIO_AUTH_TOKEN=<My Twilio auth token>
zitadelctl --gitops writesecret zitadel.twiliosid.encrypted --value "$TWILIO_SID"
zitadelctl --gitops writesecret zitadel.twilioauthtoken.encrypted --value "$TWILIO_AUTH_TOKEN"

# Write your email relay's app key so that ZITADEL is able to verify your users' email addresses
EMAIL_APP_KEY=<My email relay's app key>
zitadelctl --gitops writesecret zitadel.emailappkey.encrypted --value "$EMAIL_APP_KEY"

# Deploy the operators to the current-context of your ~/.kube/config file
zitadelctl --gitops takeoff

# Enjoy watching the zitadel pods becoming ready
watch "kubectl --namespace caos-zitadel get pods"
```
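A small preflight script for the secret-writing step above, added here as an example and not part of zitadelctl or the ZITADEL docs. It refuses to call `writesecret` when a value is empty (which is what an unset or misspelled variable expands to) or is still one of the guide's `<My ...>` placeholders, and checks that the repository root carries the template files; `ORB_DIR` and the function names are assumptions of this example.

```shell
# Preflight checks before "zitadelctl --gitops writesecret" and "takeoff".
# Added example (not zitadelctl's own code). Assumes the orb repository is
# checked out in ORB_DIR and uses the template file names from the guide.

# Return 0 when a secret value is usable: non-empty and not a left-over
# "<My ...>" placeholder. An unset variable expands to "", so a typo in the
# variable name would otherwise silently write an empty secret.
secret_value_ok() {
  name="$1"
  value="$2"
  if [ -z "$value" ]; then
    echo "refusing to write $name: value is empty (unset variable?)" >&2
    return 1
  fi
  case "$value" in
    \<*\>)
      echo "refusing to write $name: placeholder '$value' was not replaced" >&2
      return 1
      ;;
  esac
  return 0
}

# Return 0 when the repository root carries the template files the operators read.
orb_repo_ok() {
  dir="$1"
  missing=0
  for f in database.yml zitadel.yml; do
    [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; missing=1; }
  done
  return $missing
}

# Write one secret only after its value passed the check.
write_secret_checked() {
  key="$1"
  name="$2"
  value="$3"
  secret_value_ok "$name" "$value" || return 1
  zitadelctl --gitops writesecret "$key" --value "$value"
}

# Run all checks, write the three secrets from the guide, then take off.
# Usage: ORB_DIR=/path/to/orb-repo TWILIO_SID=... TWILIO_AUTH_TOKEN=... EMAIL_APP_KEY=... preflight_takeoff
preflight_takeoff() {
  orb_repo_ok "${ORB_DIR:-.}" || return 1
  write_secret_checked zitadel.twiliosid.encrypted TWILIO_SID "${TWILIO_SID:-}" || return 1
  write_secret_checked zitadel.twilioauthtoken.encrypted TWILIO_AUTH_TOKEN "${TWILIO_AUTH_TOKEN:-}" || return 1
  write_secret_checked zitadel.emailappkey.encrypted EMAIL_APP_KEY "${EMAIL_APP_KEY:-}" || return 1
  zitadelctl --gitops takeoff
}
```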

ZITADEL needs gRPC-Web for client-server communication, which the widely used NGINX Ingress Controller doesn't support out-of-the-box but Ambassador does. If you don't have an Ambassador running, we recommend you run it with our operator BOOM. Do so by adding the template boom.yml to the root of your repository and executing the following commands.

```bash
# Download the orbctl binary
curl -s https://api.github.com/repos/caos/orbos/releases/latest | grep "browser_download_url.*orbctl.$(uname).$(uname -m)" | cut -d '"' -f 4 | sudo wget -i - -O /usr/local/bin/orbctl
sudo chmod +x /usr/local/bin/orbctl
sudo chown $(id -u):$(id -g) /usr/local/bin/orbctl

# Deploy the operator to the current-context of your ~/.kube/config file
orbctl --gitops takeoff

# Enjoy watching the ambassador pod becoming ready
watch "kubectl --namespace caos-system get pods"
```

Congratulations, you can accept traffic at four new ZITADEL subdomains now.