From 569db609eefb8dc8dc47dd822764bbd11bd3c863 Mon Sep 17 00:00:00 2001
From: Haim Kortovich
Date: Thu, 25 Jul 2024 12:31:06 -0500
Subject: [PATCH] Use admin client to add IAM_OWNER role [ZITADOPER-5]

---
 .../controller/organization_controller.go | 55 ++++++++++++++++---
 1 file changed, 47 insertions(+), 8 deletions(-)

diff --git a/src/internal/controller/organization_controller.go b/src/internal/controller/organization_controller.go
index 3f05328..4c4a520 100644
--- a/src/internal/controller/organization_controller.go
+++ b/src/internal/controller/organization_controller.go
@@ -25,8 +25,11 @@ import (
 zitadelv1alpha1 "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/api/v1alpha1"
 condition "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/condition"
 "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/controller/zitadel"
+ zitadelClient "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/zitadel"
+ "github.com/zitadel/zitadel-go/v2/pkg/client/admin"
 "github.com/zitadel/zitadel-go/v2/pkg/client/management"
 "github.com/zitadel/zitadel-go/v2/pkg/client/middleware"
+ adm "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/admin"
 pb "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/management"
 "k8s.io/client-go/util/workqueue"
 ctrl "sigs.k8s.io/controller-runtime"
@@ -150,6 +153,14 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 if err != nil {
 return err
 }
+ var adminClient *admin.Client
+ if zitadelCluster.Spec.FirstOrgName == wr.organization.Name {
+ adminClient, err = zitadelClient.NewAdminClient(ctx, zitadelCluster, *wr.refResolver)
+ if err != nil {
+ return err
+ }
+ }
+
 adminUser, err := ztdClient.GetUserByLoginNameGlobal(ctx, &pb.GetUserByLoginNameGlobalRequest{
 LoginName: strings.ToLower(fmt.Sprintf("%s@%s.%s", wr.organization.Spec.OrganizationAdmin.UserName, wr.organization.Name, zitadelCluster.Spec.Host)),
 })
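Review bot: The admin client created in the new `if zitadelCluster.Spec.FirstOrgName == wr.organization.Name` block is never released; if `zitadelClient.NewAdminClient` dials its own gRPC connection (zitadel-go's `admin.Client` wraps one), every reconcile of the first org leaks a connection that carries instance-level credentials. A `defer` right after the error check, such as `defer adminClient.Connection.Close()` or whatever close method the wrapper exposes, keeps that connection bounded to the reconcile. The gate is a plain comparison of the cluster's `FirstOrgName` against the CR's `.metadata.name`, which appears to be the only thing standing between anyone who can create Organization objects and an IAM_OWNER grant, so the invariant deserves a comment: `// IAM_OWNER is granted only to the admin of the cluster's first org; the admin client uses instance-level credentials.` reconcileInitialAdmin starts before and continues past this hunk.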
@@ -159,12 +170,6 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 }
 }
 ctx = middleware.SetOrgID(ctx, wr.organization.Status.OrgId)
- roles := []string{
- "ORG_OWNER",
- }
- if wr.organization.Name == zitadelCluster.Spec.FirstOrgName {
- roles = append(roles, "IAM_OWNER")
- }
 var userid string
 if adminUser == nil {
 resp, err := ztdClient.AddHumanUser(ctx, &pb.AddHumanUserRequest{
@@ -185,13 +190,30 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 {
 if _, err := ztdClient.AddOrgMember(ctx, &pb.AddOrgMemberRequest{
 UserId: userid,
- Roles: roles,
+ Roles: []string{
+ "ORG_OWNER",
+ },
 }); err != nil {
 if !strings.Contains(err.Error(), "Errors.Org.Member.RolesNotChanged") {
 return fmt.Errorf("Error adding org member: %v", err)
 }
 }
 }
+ if adminClient != nil {
+ {
+ if _, err := adminClient.AddIAMMember(ctx, &adm.AddIAMMemberRequest{
+ UserId: userid,
+ Roles: []string{
+ "IAM_OWNER",
+ },
+ }); err != nil {
+ if !strings.Contains(err.Error(), "RolesNotChanged") {
+ return fmt.Errorf("Error adding org member: %v", err)
+ }
+ }
+ }
+ }
+
 } else {
 userid = adminUser.User.Id
 }
@@ -199,12 +221,29 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 {
 if _, err := ztdClient.UpdateOrgMember(ctx, &pb.UpdateOrgMemberRequest{
 UserId: userid,
- Roles: roles,
+ Roles: []string{
+ "ORG_OWNER",
+ },
 }); err != nil {
 if !strings.Contains(err.Error(), "Errors.Org.Member.RolesNotChanged") {
 return fmt.Errorf("Error updating org member: %v", err)
 }
 }
+
+ if adminClient != nil {
+ {
+ if _, err := adminClient.UpdateIAMMember(ctx, &adm.UpdateIAMMemberRequest{
+ UserId: userid,
+ Roles: []string{
+ "IAM_OWNER",
+ },
+ }); err != nil {
+ if !strings.Contains(err.Error(), "RolesNotChanged") {
+ return fmt.Errorf("Error updating org member: %v", err)
+ }
+ }
+ }
+ }
 }
 patch := client.MergeFrom(wr.organization.DeepCopy())
 wr.organization.Status.AdminId = userid
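Review bot: The error returned from the new `AddIAMMember` call at the end of the `adminUser == nil` branch is labelled `Error adding org member`, copied from the `AddOrgMember` call above it, which will send anyone debugging a failed IAM_OWNER grant to the wrong API; change it to `return fmt.Errorf("adding IAM member %s: %w", userid, err)` so the message names the right call and `%w` keeps the cause inspectable. The inner bare `{ … }` block inside `if adminClient != nil` scopes nothing and only adds a nesting level. The loosened `"RolesNotChanged"` match is presumably there because the instance-level code differs from `Errors.Org.Member.RolesNotChanged`; a one-line comment such as `// instance member error codes differ from the org ones, so match on the suffix` would record that, and the exact code should be confirmed against the ZITADEL version in use.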
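Review bot: The new `UpdateIAMMember` call in the update path also runs for an `adminUser` that already existed before this patch and was therefore never added as an instance member; ZITADEL will presumably reject an update of a non-member with a not-found style error rather than `RolesNotChanged`, so reconciliation of the first org on such clusters would fail permanently. Fall back to `AddIAMMember` when the update reports the member as missing (confirm the exact error code for the ZITADEL version in use), and fix the copied message `Error updating org member` to name the IAM call. The redundant bare block can go at the same time. reconcileInitialAdmin continues past this hunk.
```go
if adminClient != nil {
	_, err := adminClient.UpdateIAMMember(ctx, &adm.UpdateIAMMemberRequest{
		UserId: userid,
		Roles:  []string{"IAM_OWNER"},
	})
	if err != nil && strings.Contains(err.Error(), "NotFound") {
		// Pre-existing admin that was never granted the instance role: add instead of update.
		// TODO(review): confirm the not-found error code ZITADEL returns for a missing IAM member.
		_, err = adminClient.AddIAMMember(ctx, &adm.AddIAMMemberRequest{
			UserId: userid,
			Roles:  []string{"IAM_OWNER"},
		})
	}
	if err != nil && !strings.Contains(err.Error(), "RolesNotChanged") {
		return fmt.Errorf("updating IAM member %s: %w", userid, err)
	}
}
// … unchanged: status patch …
```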