Add initial admin
[ZITADOPER-1]
This commit is contained in:
Haim Kortovich
@@ -27,6 +27,7 @@ import (
|
||||
"time"
|
||||
|
||||
zitadelv1alpha1 "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/api/v1alpha1"
|
||||
"bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/admin"
|
||||
builder "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/builder"
|
||||
condition "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/condition"
|
||||
"bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/configuration"
|
||||
@@ -39,9 +40,12 @@ import (
|
||||
systemapiaccount "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/systemapi"
|
||||
zitadelClient "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/zitadel"
|
||||
"github.com/hashicorp/go-multierror"
|
||||
"github.com/zitadel/zitadel-go/v2/pkg/client/middleware"
|
||||
"github.com/zitadel/zitadel-go/v2/pkg/client/system"
|
||||
authn "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/authn"
|
||||
"github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/management"
|
||||
pb "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/system"
|
||||
"github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/user"
|
||||
appsv1 "k8s.io/api/apps/v1"
|
||||
batchv1 "k8s.io/api/batch/v1"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
@@ -148,6 +152,14 @@ func (r *ZitadelClusterReconciler) Reconcile(ctx context.Context, req ctrl.Reque
|
||||
Name: "DefaultInstance",
|
||||
Reconcile: r.reconcileDefaultInstance,
|
||||
},
|
||||
{
|
||||
Name: "InitialAdminSecret",
|
||||
Reconcile: r.reconcileInitialAdminPassword,
|
||||
},
|
||||
{
|
||||
Name: "InitialAdmin",
|
||||
Reconcile: r.reconcileInitialHumanUser,
|
||||
},
|
||||
}
|
||||
|
||||
for _, p := range phases {
|
||||
@@ -390,8 +402,8 @@ func (r *ZitadelClusterReconciler) reconcileDefaultInstance(ctx context.Context,
|
||||
if strings.Contains(err.Error(), "Instance not found") {
|
||||
// if Instance doesn't exist, then create and assign secrets
|
||||
resp, err := ztdClient.CreateInstance(ctx, &pb.CreateInstanceRequest{
|
||||
InstanceName: "DEFAULT",
|
||||
FirstOrgName: "DEFAULT",
|
||||
InstanceName: zitadel.Spec.FirstOrgName,
|
||||
FirstOrgName: zitadel.Spec.FirstOrgName,
|
||||
CustomDomain: zitadel.Spec.Host,
|
||||
Owner: &pb.CreateInstanceRequest_Machine_{Machine: &pb.CreateInstanceRequest_Machine{
|
||||
Name: "k8s-operator",
|
||||
@@ -436,6 +448,89 @@ func (r *ZitadelClusterReconciler) reconcileDefaultInstance(ctx context.Context,
|
||||
return ctrl.Result{}, nil
|
||||
}
|
||||
|
||||
func (r *ZitadelClusterReconciler) reconcileInitialAdminPassword(ctx context.Context, zitadel *zitadelv1alpha1.ZitadelCluster) (ctrl.Result, error) {
|
||||
secretName := admin.AdminPasswordSecretName(zitadel)
|
||||
key := types.NamespacedName{
|
||||
Name: secretName,
|
||||
Namespace: zitadel.Namespace,
|
||||
}
|
||||
_, err := r.SecretReconciler.ReconcileRandomPassword(ctx, key, systemapiaccount.Key, zitadel)
|
||||
|
||||
if err != nil {
|
||||
return ctrl.Result{}, err
|
||||
}
|
||||
return ctrl.Result{}, nil
|
||||
}
|
||||
|
||||
func (r *ZitadelClusterReconciler) reconcileInitialHumanUser(ctx context.Context, zitadel *zitadelv1alpha1.ZitadelCluster) (ctrl.Result, error) {
|
||||
managementClient, err := zitadelClient.NewClient(ctx, zitadel, *r.RefResolver)
|
||||
if err != nil {
|
||||
return ctrl.Result{}, err
|
||||
}
|
||||
defer managementClient.Connection.Close()
|
||||
|
||||
secretName := admin.AdminPasswordSecretName(zitadel)
|
||||
key := types.NamespacedName{
|
||||
Name: secretName,
|
||||
Namespace: zitadel.Namespace,
|
||||
}
|
||||
password, err := r.SecretReconciler.ReconcileRandomPassword(ctx, key, admin.Key, zitadel)
|
||||
if err != nil {
|
||||
return ctrl.Result{}, err
|
||||
}
|
||||
|
||||
org, err := managementClient.GetMyOrg(ctx, &management.GetMyOrgRequest{})
|
||||
if err != nil {
|
||||
return ctrl.Result{}, fmt.Errorf("Error getting org: %v", err)
|
||||
}
|
||||
users, err := managementClient.ListUsers(middleware.SetOrgID(ctx, org.Org.Id), &management.ListUsersRequest{})
|
||||
if err != nil {
|
||||
return ctrl.Result{}, fmt.Errorf("Error getting users: %v", err)
|
||||
}
|
||||
userid := zitadel.Status.InitialAdminId
|
||||
for _, u := range users.Result {
|
||||
if admin.AccountName == u.UserName {
|
||||
userid = u.Id
|
||||
}
|
||||
}
|
||||
if userid == "" {
|
||||
resp, err := managementClient.AddHumanUser(middleware.SetOrgID(ctx, org.Org.Id), &management.AddHumanUserRequest{
|
||||
UserName: admin.AccountName,
|
||||
Profile: &management.AddHumanUserRequest_Profile{
|
||||
FirstName: admin.AccountName,
|
||||
LastName: admin.AccountName,
|
||||
NickName: admin.AccountName,
|
||||
DisplayName: admin.AccountName,
|
||||
Gender: user.Gender_GENDER_DIVERSE,
|
||||
PreferredLanguage: "en",
|
||||
},
|
||||
InitialPassword: password,
|
||||
Email: &management.AddHumanUserRequest_Email{
|
||||
Email: "test@test.com",
|
||||
IsEmailVerified: true,
|
||||
},
|
||||
})
|
||||
userid = resp.UserId
|
||||
if err != nil {
|
||||
return ctrl.Result{}, fmt.Errorf("Error adding human user: %v", err)
|
||||
}
|
||||
{
|
||||
|
||||
if _, err = managementClient.AddOrgMember(middleware.SetOrgID(ctx, org.Org.Id), &management.AddOrgMemberRequest{
|
||||
UserId: userid,
|
||||
Roles: []string{
|
||||
"IAM_OWNER",
|
||||
},
|
||||
}); err != nil {
|
||||
return ctrl.Result{}, fmt.Errorf("Error adding org member: %v", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
patch := client.MergeFrom(zitadel.DeepCopy())
|
||||
zitadel.Status.InitialAdminId = userid
|
||||
return ctrl.Result{}, r.Status().Patch(ctx, zitadel, patch)
|
||||
}
|
||||
func GetIssuer(zitadel *zitadelv1alpha1.ZitadelCluster) string {
|
||||
scheme := "http"
|
||||
if zitadel.Spec.ExternalSecure {
|
||||
|
||||
Reference in New Issue
Block a user