ZitadelScore gains two fields, both with defaults that preserve
the previous hardcoded behavior:
    pub namespace: String      // default "zitadel"
    pub cluster_issuer: String // default "letsencrypt-prod"
The hardcoded `NAMESPACE` const becomes `pub const DEFAULT_NAMESPACE`
and the YAML's `cert-manager.io/cluster-issuer` annotation now
substitutes `{cluster_issuer}` from the field. Existing struct-literal
ZitadelScore call sites (5 examples) updated to fall through to
`..Default::default()` so older callers compile unchanged.
New example: `examples/fleet_staging_install`. One-shot install of
the fleet stack on OKD-shaped clusters, composing in order:
1. ZitadelScore (helm) into `--zitadel-namespace`
2. ZitadelSetupScore (project + roles + fleet-ops + fleet-operator
machine users)
3. NatsK8sScore: single-instance + auth_callout + WS Route
4. NatsAuthCalloutScore: env-var-only Secret config
5. FleetOperatorScore: credentials TOML inlining the operator's
JSON keyfile via key_json (no volume mounts)
Public hostnames derive from one CLI flag: `--base-domain`. The
demo uses `cb1.nationtech.io` → sso-staging.cb1.nationtech.io and
nats-fleet-staging.cb1.nationtech.io. cert-manager `--cluster-issuer`
defaults to `letsencrypt-prod`. Image refs (`--operator-image`,
`--callout-image`) are required (private registry, no sensible
default).
Generates the issuer NKey + auth pass at install time; the callout's
Secret consumes them via env-from-secret-key. One TOML file end-to-end:
the operator pod's only mounted Secret is the credentials TOML,
single-key, no volumes.
Idempotency note: re-running ZitadelSetupScore with the same project
name short-circuits via the cached client-config. Re-runs of NATS /
operator / callout are idempotent at the Helm/K8sResourceScore level.
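As an added illustration (not code from this project), the pattern behind the ZitadelScore change: new fields whose `Default` reproduces the old hardcoded values so `..Default::default()` call sites keep compiling, plus the check a reviewer would want before a CLI-supplied `--cluster-issuer` is substituted into the YAML annotation. The names `validate_k8s_name`, `render_cluster_issuer_annotation` and `DEFAULT_CLUSTER_ISSUER` are assumptions, not the project's identifiers.

```rust
// Added example, not the project's code. Stand-in for the ZitadelScore
// fields described in the commit message; `validate_k8s_name`,
// `render_cluster_issuer_annotation` and `DEFAULT_CLUSTER_ISSUER` are assumed names.
pub const DEFAULT_NAMESPACE: &str = "zitadel";
pub const DEFAULT_CLUSTER_ISSUER: &str = "letsencrypt-prod";

#[derive(Debug, Clone)]
pub struct ZitadelScore {
    pub namespace: String,
    pub cluster_issuer: String,
}

impl Default for ZitadelScore {
    // Defaults reproduce the previously hardcoded values, so existing
    // struct-literal call sites using `..Default::default()` behave as before.
    fn default() -> Self {
        Self {
            namespace: DEFAULT_NAMESPACE.to_string(),
            cluster_issuer: DEFAULT_CLUSTER_ISSUER.to_string(),
        }
    }
}

/// RFC 1123 DNS-subdomain check, which is what Kubernetes requires of a
/// ClusterIssuer name: lowercase alphanumerics, '-' or '.', starting and
/// ending alphanumeric, at most 253 bytes. Rejecting anything else keeps a
/// value taken from a CLI flag from carrying YAML syntax (newlines, colons,
/// quotes) into the rendered manifest.
pub fn validate_k8s_name(name: &str) -> Result<(), String> {
    let ok_len = !name.is_empty() && name.len() <= 253;
    let ok_chars = name
        .bytes()
        .all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'-' || b == b'.');
    let ok_ends = name.chars().next().map_or(false, |c| c.is_ascii_alphanumeric())
        && name.chars().last().map_or(false, |c| c.is_ascii_alphanumeric());
    if ok_len && ok_chars && ok_ends {
        Ok(())
    } else {
        Err(format!("invalid Kubernetes name: {name:?}"))
    }
}

impl ZitadelScore {
    /// Render the annotation line that the Ingress template substitutes,
    /// refusing values that are not valid resource names.
    pub fn render_cluster_issuer_annotation(&self) -> Result<String, String> {
        validate_k8s_name(&self.cluster_issuer)?;
        Ok(format!("cert-manager.io/cluster-issuer: {}", self.cluster_issuer))
    }
}
```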