(#47) v0.62.1 - Projects v1alpha1 milestone complete

(#47) Remove the prod-iam-zitadel namespace

docs/examples/platforms/reference/certificates.cue

@@ -1,5 +1,21 @@
 package holos
 
+#PlatformServers: {
+	for cluster in #Platform.clusters {
+		(cluster.name): {
+			"https-istio-ingress-httpbin": {
+				let cert = #PlatformCerts[cluster.name+"-httpbin"]
+				hosts: [for host in cert.spec.dnsNames {"istio-ingress/\(host)"}]
+				port: name:          "https-istio-ingress-httpbin"
+				port: number:        443
+				port: protocol:      "HTTPS"
+				tls: credentialName: cert.spec.secretName
+				tls: mode:           "SIMPLE"
+			}
+		}
+	}
+}
+
 #PlatformCerts: {
 	// Globally scoped platform services are defined here.
 	login: #PlatformCert & {

docs/examples/platforms/reference/clusters/accounts/iam/iam.cue

@@ -4,4 +4,4 @@ package holos
 #InputKeys: project: "iam"
 
 // Shared dependencies for all components in this collection.
-#DependsOn: namespaces: name: "\(#StageName)-secrets-namespaces"
+#DependsOn: namespaces: name: "\(#StageName)-secrets-stores"

docs/examples/platforms/reference/clusters/accounts/iam/zitadel/postgres/postgres.cue

@@ -37,7 +37,7 @@ spec: components: KubernetesObjectsList: [
 	#KubernetesObjects & {
 		metadata: name: "prod-iam-postgres"
 
-		_dependsOn: "prod-secrets-namespaces": _
+		_dependsOn: "prod-secrets-stores":     _
 		_dependsOn: "prod-iam-postgres-certs": _
 		apiObjectMap: OBJECTS.apiObjectMap
 	},
@@ -68,7 +68,7 @@ let OBJECTS = #APIObjects & {
 					replicas: 2
 					dataVolumeClaimSpec: {
 						accessModes: ["ReadWriteOnce"]
-						resources: requests: storage: "10Gi"
+						resources: requests: storage: "20Gi"
 					}
 				}]
 				standby: {
@@ -124,7 +124,7 @@ let OBJECTS = #APIObjects & {
 						"\(BucketRepoName)-cipher-type": "aes-256-cbc"
 						// "The convention we recommend for setting this variable is /pgbackrest/$NAMESPACE/$CLUSTER_NAME/repoN"
 						// Ref: https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/backups-disaster-recovery/backups#understanding-backup-configuration-and-basic-operations
-						"\(BucketRepoName)-path": "/pgbackrest/\(#TargetNamespace)/\(metadata.name)/\(manual.repoName)"
+						"\(BucketRepoName)-path": "/pgbackrest/\(metadata.namespace)/\(metadata.name)/\(manual.repoName)"
 					}
 					repos: [
 						{
@@ -165,7 +165,7 @@ let HighlyAvailable = {
 			replicas: 2
 			dataVolumeClaimSpec: {
 				accessModes: ["ReadWriteOnce"]
-				resources: requests: storage: string | *"10Gi"
+				resources: requests: storage: string | *"20Gi"
 			}
 			affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: [{
 				weight: 1

docs/examples/platforms/reference/clusters/accounts/iam/zitadel/zitadel.cue

@@ -1,7 +1,9 @@
 package holos
 
-#InstancePrefix:  "prod-iam"
-#TargetNamespace: #InstancePrefix + "-zitadel"
+#InstancePrefix: "prod-iam"
+
+// The namespace is managed by a project.
+#TargetNamespace: _Projects.iam.environments.prod.namespace
 
 // _DBName is the database name used across multiple holos components in this project
 _DBName: "zitadel"

docs/examples/platforms/reference/clusters/foundation/cloud/argocd/argocd.cue

@@ -25,9 +25,9 @@ spec: components: HelmChartList: [
 		_values: #ArgoCDValues & {
 			kubeVersionOverride: "1.29.0"
 			global: domain: "argocd.\(#ClusterName).\(#Platform.org.domain)"
-
+			dex: enabled:   false
+			// for integration with istio
 			configs: params: "server.insecure": true
-
 			configs: cm: {
 				"admin.enabled": false
 				"oidc.config":   yaml.Marshal(OIDCConfig)
@@ -49,7 +49,7 @@ let OBJECTS = #APIObjects & {
 				ArgoCD + ".\(#Platform.org.domain)",
 				ArgoCD + ".\(#ClusterName).\(#Platform.org.domain)",
 			]
-			spec: gateways: ["istio-ingress/\(Namespace)"]
+			spec: gateways: ["istio-ingress/default"]
 			spec: http: [{route: [{destination: {
 				host: "argocd-server.\(Namespace).svc.cluster.local"
 				port: number: 80

docs/examples/platforms/reference/clusters/foundation/cloud/argocd/values.cue

@@ -887,7 +887,7 @@ package holos
 	//# Dex
 	dex: {
 		// -- Enable dex
-		enabled: true
+		enabled: *true | false
 		// -- Dex name
 		name: "dex-server"
 

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/gateway/gateway.cue

@@ -7,48 +7,53 @@ let Name = "gateway"
 #InputKeys: component: Name
 #TargetNamespace: "istio-ingress"
 
-let LoginCert = #PlatformCerts.login
-
 spec: components: KubernetesObjectsList: [
 	#KubernetesObjects & {
-		_dependsOn: "prod-secrets-namespaces": _
-		_dependsOn: "prod-mesh-istio-base":    _
-		_dependsOn: "prod-mesh-ingress":       _
+		_dependsOn: "prod-secrets-stores":  _
+		_dependsOn: "prod-mesh-istio-base": _
+		_dependsOn: "prod-mesh-ingress":    _
 
 		metadata: name: "\(#InstancePrefix)-\(Name)"
 		apiObjectMap: OBJECTS.apiObjectMap
 	},
 ]
 
+// GatewayServers represents all hosts for all VirtualServices in the cluster attached to Gateway/default
+// NOTE: This is a critical structure because the default Gateway should be used in most cases.
+let GatewayServers = {
+	for Project in _Projects {
+		for server in (#ProjectTemplate & {project: Project}).ClusterGatewayServers {
+			(server.port.name): server
+		}
+	}
+
+	for k, svc in #OptionalServices {
+		if svc.enabled && list.Contains(svc.clusterNames, #ClusterName) {
+			for server in svc.servers {
+				(server.port.name): server
+			}
+		}
+	}
+
+	if #PlatformServers[#ClusterName] != _|_ {
+		for server in #PlatformServers[#ClusterName] {
+			(server.port.name): server
+		}
+	}
+}
+
 let OBJECTS = #APIObjects & {
 	apiObjects: {
-		ExternalSecret: login: #ExternalSecret & {
-			_name: "login"
-		}
 		Gateway: default: #Gateway & {
 			metadata: name:      "default"
 			metadata: namespace: #TargetNamespace
+
 			spec: selector: istio: "ingressgateway"
-			spec: servers: [
-				{
-					hosts: [for dnsName in LoginCert.spec.dnsNames {"prod-iam-zitadel/\(dnsName)"}]
-					port: name:          "https-prod-iam-login"
-					port: number:        443
-					port: protocol:      "HTTPS"
-					tls: credentialName: LoginCert.spec.secretName
-					tls: mode:           "SIMPLE"
-				},
-			]
+			spec: servers: [for x in GatewayServers {x}]
 		}
 
 		for k, svc in #OptionalServices {
 			if svc.enabled && list.Contains(svc.clusterNames, #ClusterName) {
-				Gateway: "\(svc.name)": #Gateway & {
-					metadata: name:      svc.name
-					metadata: namespace: #TargetNamespace
-					spec: selector: istio: "ingressgateway"
-					spec: servers: [for s in svc.servers {s}]
-				}
 				for k, s in svc.servers {
 					ExternalSecret: "\(s.tls.credentialName)": _
 				}

docs/examples/platforms/reference/clusters/foundation/cloud/mesh/istio/httpbin/httpbin.cue

@@ -3,7 +3,6 @@ package holos
 let Name = "httpbin"
 let ComponentName = "\(#InstancePrefix)-\(Name)"
 
-let SecretName = #InputKeys.cluster + "-" + Name
 let MatchLabels = {
 	app:                          Name
 	"app.kubernetes.io/instance": ComponentName
@@ -18,7 +17,7 @@ let Metadata = {
 
 #TargetNamespace: "istio-ingress"
 
-let Cert = #PlatformCerts[SecretName]
+let Cert = #PlatformCerts["\(#ClusterName)-httpbin"]
 
 spec: components: KubernetesObjectsList: [
 	#KubernetesObjects & {
@@ -63,24 +62,10 @@ let OBJECTS = #APIObjects & {
 				{port: 80, targetPort: 8080, protocol: "TCP", name: "http"},
 			]
 		}
-		Gateway: httpbin: #Gateway & {
-			metadata: Metadata
-			spec: selector: istio: "ingressgateway"
-			spec: servers: [
-				{
-					hosts: [for host in Cert.spec.dnsNames {"\(#TargetNamespace)/\(host)"}]
-					port: name:          "https-\(ComponentName)"
-					port: number:        443
-					port: protocol:      "HTTPS"
-					tls: credentialName: Cert.spec.secretName
-					tls: mode:           "SIMPLE"
-				},
-			]
-		}
 		VirtualService: httpbin: #VirtualService & {
 			metadata: Metadata
 			spec: hosts: [for host in Cert.spec.dnsNames {host}]
-			spec: gateways: ["\(#TargetNamespace)/\(Name)"]
+			spec: gateways: ["istio-ingress/default"]
 			spec: http: [{route: [{destination: host: Name}]}]
 		}
 	}

docs/examples/platforms/reference/clusters/foundation/metal/ceph/ceph.cue

@@ -10,7 +10,7 @@ package holos
 
 spec: components: HelmChartList: [
 	#HelmChart & {
-		_dependsOn: "prod-secrets-namespaces": _
+		_dependsOn: "prod-secrets-stores": _
 
 		metadata: name: "prod-metal-ceph"
 

docs/examples/platforms/reference/clusters/optional/vault/vault.cue

@@ -67,7 +67,7 @@ let OBJECTS = #APIObjects & {
 			metadata: name:      Name
 			metadata: namespace: #TargetNamespace
 			spec: hosts: [for cert in Vault.certs {cert.spec.commonName}]
-			spec: gateways: ["istio-ingress/\(Name)"]
+			spec: gateways: ["istio-ingress/default"]
 			spec: http: [
 				{
 					route: [

docs/examples/platforms/reference/clusters/projects.cue

@@ -34,6 +34,7 @@ _Projects: #Projects & {
 
 	iam: {
 		resourceId: ZitadelProjectID
+		hosts: login: _
 		clusters: {
 			core1: _
 			core2: _

docs/examples/platforms/reference/clusters/provisioner/iam/zitadel/postgres-certs/postgres-certs.cue

@@ -8,7 +8,7 @@ package holos
 
 // Refer to [Using Cert Manager to Deploy TLS for Postgres on Kubernetes](https://www.crunchydata.com/blog/using-cert-manager-to-deploy-tls-for-postgres-on-kubernetes)
 
-#TargetNamespace: "prod-iam-zitadel"
+#TargetNamespace: _Projects.iam.environments.prod.namespace
 #InputKeys: component: "postgres-certs"
 
 let DBName = "zitadel"

docs/examples/platforms/reference/namespaces.cue

@@ -22,7 +22,6 @@ let Privileged = {
 	{name: "istio-ingress"} & Restricted,
 	{name: "cert-manager"},
 	{name: "argocd"},
-	{name: "prod-iam-zitadel"},
 	{name: "arc-system"},
 	{name: "arc-runner"},
 	// https://github.com/CrunchyData/postgres-operator-examples/blob/main/kustomize/install/namespace/namespace.yaml

docs/examples/platforms/reference/platform_projects.cue

@@ -55,6 +55,18 @@ import "encoding/yaml"
 		}
 	}
 
+	// ClusterGatewayServers provides a struct of Gateway servers for the current cluster.
+	// This is intended for Gateway/default to add all servers to the default gateway.
+	ClusterGatewayServers: {
+		if project.clusters[#ClusterName] != _|_ {
+			for Stage in project.stages {
+				for server in GatewayServers[Stage.name] {
+					(server.port.name): server
+				}
+			}
+		}
+	}
+
 	workload: resources: {
 		// Provide resources only if the project is managed on --cluster-name
 		if project.clusters[#ClusterName] != _|_ {
@@ -64,10 +76,6 @@ import "encoding/yaml"
 				// Istio Gateway
 				"\(stage.slug)-gateway": #KubernetesObjects & {
 					apiObjectMap: (#APIObjects & {
-						apiObjects: Gateway: (stage.slug): #Gateway & {
-							spec: servers: [for server in GatewayServers[stage.name] {server}]
-						}
-
 						for host in GatewayServers[stage.name] {
 							apiObjects: ExternalSecret: (host.tls.credentialName): metadata: namespace: "istio-ingress"
 						}
@@ -186,7 +194,7 @@ let HTTPBIN = {
 			let Project = project
 			let Env = env
 			spec: hosts: [for host in (#EnvHosts & {project: Project, env: Env}).hosts {host.name}]
-			spec: gateways: ["istio-ingress/\(env.stageSlug)"]
+			spec: gateways: ["istio-ingress/default"]
 			spec: http: [{route: [{destination: host: Name}]}]
 		}
 	}
@@ -359,7 +367,7 @@ let AUTHPROXY = {
 		VirtualService: (Name): #VirtualService & {
 			metadata: Metadata
 			spec: hosts: ["*"]
-			spec: gateways: ["istio-ingress/\(stage.slug)"]
+			spec: gateways: ["istio-ingress/default"]
 			spec: http: [{
 				match: [{uri: prefix: AuthProxySpec.proxyPrefix}]
 				route: [{

pkg/version/embedded/patch

@@ -1 +1 @@
-0
+1