From 0348cd60367ea7956afe2636c8e298c6e1916748 Mon Sep 17 00:00:00 2001
From: Haim Kortovich
Date: Wed, 24 Jul 2024 14:14:18 -0500
Subject: [PATCH 1/7] Add IAM_OWNER if its firstOrg admin [ZITADOPER-5]
---
 src/internal/controller/organization_controller.go | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/internal/controller/organization_controller.go b/src/internal/controller/organization_controller.go
index 6b6634f..3f05328 100644
--- a/src/internal/controller/organization_controller.go
+++ b/src/internal/controller/organization_controller.go
@@ -159,6 +159,12 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 }
 }
 ctx = middleware.SetOrgID(ctx, wr.organization.Status.OrgId)
+ roles := []string{
+ "ORG_OWNER",
+ }
+ if wr.organization.Name == zitadelCluster.Spec.FirstOrgName {
+ roles = append(roles, "IAM_OWNER")
+ }
 var userid string
 if adminUser == nil {
 resp, err := ztdClient.AddHumanUser(ctx, &pb.AddHumanUserRequest{
@@ -179,9 +185,7 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 {
 if _, err := ztdClient.AddOrgMember(ctx, &pb.AddOrgMemberRequest{
 UserId: userid,
- Roles: []string{
- "ORG_OWNER",
- },
+ Roles: roles,
 }); err != nil {
 if !strings.Contains(err.Error(), "Errors.Org.Member.RolesNotChanged") {
 return fmt.Errorf("Error adding org member: %v", err)
@@ -195,9 +199,7 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 {
 if _, err := ztdClient.UpdateOrgMember(ctx, &pb.UpdateOrgMemberRequest{
 UserId: userid,
- Roles: []string{
- "ORG_OWNER",
- },
+ Roles: roles,
 }); err != nil {
 if !strings.Contains(err.Error(), "Errors.Org.Member.RolesNotChanged") {
 return fmt.Errorf("Error updating org member: %v", err)
From 569db609eefb8dc8dc47dd822764bbd11bd3c863 Mon Sep 17 00:00:00 2001
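Review bot: The `roles = append(roles, "IAM_OWNER")` line builds a list that hunks 2 and 3 then pass to AddOrgMember and UpdateOrgMember, but as far as I know IAM_OWNER is an instance-level role that the org-member calls do not accept, so the first-org admin would most likely not receive the intended rights through this path (the admin-API route taken in [PATCH 2/7] is the right one). The equality `wr.organization.Name == zitadelCluster.Spec.FirstOrgName` is also the only thing deciding that an Organization resource's admin becomes an instance-wide owner, so the gate deserves a comment stating that intent, e.g. `// The admin of the cluster's FirstOrgName org is also made IAM_OWNER (instance-wide); keep this gate narrow.`, and it is worth confirming that no other Organization object can carry that name in a namespace the operator also watches. reconcileInitialAdmin starts and ends outside the hunk.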
From: Haim Kortovich
Date: Thu, 25 Jul 2024 12:31:06 -0500
Subject: [PATCH 2/7] Use admin client to add IAM_OWNER role [ZITADOPER-5]
---
 .../controller/organization_controller.go | 55 ++++++++++++++++---
 1 file changed, 47 insertions(+), 8 deletions(-)
diff --git a/src/internal/controller/organization_controller.go b/src/internal/controller/organization_controller.go
index 3f05328..4c4a520 100644
--- a/src/internal/controller/organization_controller.go
+++ b/src/internal/controller/organization_controller.go
@@ -25,8 +25,11 @@ import (
 zitadelv1alpha1 "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/api/v1alpha1"
 condition "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/condition"
 "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/controller/zitadel"
+ zitadelClient "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/zitadel"
+ "github.com/zitadel/zitadel-go/v2/pkg/client/admin"
 "github.com/zitadel/zitadel-go/v2/pkg/client/management"
 "github.com/zitadel/zitadel-go/v2/pkg/client/middleware"
+ adm "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/admin"
 pb "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/management"
 "k8s.io/client-go/util/workqueue"
 ctrl "sigs.k8s.io/controller-runtime"
@@ -150,6 +153,14 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 if err != nil {
 return err
 }
+ var adminClient *admin.Client
+ if zitadelCluster.Spec.FirstOrgName == wr.organization.Name {
+ adminClient, err = zitadelClient.NewAdminClient(ctx, zitadelCluster, *wr.refResolver)
+ if err != nil {
+ return err
+ }
+ }
+
 adminUser, err := ztdClient.GetUserByLoginNameGlobal(ctx, &pb.GetUserByLoginNameGlobalRequest{
 LoginName: strings.ToLower(fmt.Sprintf("%s@%s.%s", wr.organization.Spec.OrganizationAdmin.UserName, wr.organization.Name, zitadelCluster.Spec.Host)),
 })
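Review bot: `adminClient, err = zitadelClient.NewAdminClient(ctx, zitadelCluster, *wr.refResolver)` opens a privileged admin client on every reconcile of the first org and nothing in the hunk releases it; unless NewAdminClient hands out a shared, cached client, a `defer` that closes it right after the `return err` check would avoid leaking one connection per reconcile (zitadel-go clients expose their connection's Close, but confirm against the project helper). The client is also created before it is known whether the admin user exists or the org membership succeeds, so every later error return leaves it open. The plain `=` assignment into the function-level `err` visible in the surrounding `if err != nil { return err }` context is fine. reconcileInitialAdmin starts and ends outside the hunk.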
@@ -159,12 +170,6 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 }
 }
 ctx = middleware.SetOrgID(ctx, wr.organization.Status.OrgId)
- roles := []string{
- "ORG_OWNER",
- }
- if wr.organization.Name == zitadelCluster.Spec.FirstOrgName {
- roles = append(roles, "IAM_OWNER")
- }
 var userid string
 if adminUser == nil {
 resp, err := ztdClient.AddHumanUser(ctx, &pb.AddHumanUserRequest{
@@ -185,13 +190,30 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 {
 if _, err := ztdClient.AddOrgMember(ctx, &pb.AddOrgMemberRequest{
 UserId: userid,
- Roles: roles,
+ Roles: []string{
+ "ORG_OWNER",
+ },
 }); err != nil {
 if !strings.Contains(err.Error(), "Errors.Org.Member.RolesNotChanged") {
 return fmt.Errorf("Error adding org member: %v", err)
 }
 }
 }
+ if adminClient != nil {
+ {
+ if _, err := adminClient.AddIAMMember(ctx, &adm.AddIAMMemberRequest{
+ UserId: userid,
+ Roles: []string{
+ "IAM_OWNER",
+ },
+ }); err != nil {
+ if !strings.Contains(err.Error(), "RolesNotChanged") {
+ return fmt.Errorf("Error adding org member: %v", err)
+ }
+ }
+ }
+ }
+
 } else {
 userid = adminUser.User.Id
 }
@@ -199,12 +221,29 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 {
 if _, err := ztdClient.UpdateOrgMember(ctx, &pb.UpdateOrgMemberRequest{
 UserId: userid,
- Roles: roles,
+ Roles: []string{
+ "ORG_OWNER",
+ },
 }); err != nil {
 if !strings.Contains(err.Error(), "Errors.Org.Member.RolesNotChanged") {
 return fmt.Errorf("Error updating org member: %v", err)
 }
 }
+
+ if adminClient != nil {
+ {
+ if _, err := adminClient.UpdateIAMMember(ctx, &adm.UpdateIAMMemberRequest{
+ UserId: userid,
+ Roles: []string{
+ "IAM_OWNER",
+ },
+ }); err != nil {
+ if !strings.Contains(err.Error(), "RolesNotChanged") {
+ return fmt.Errorf("Error updating org member: %v", err)
+ }
+ }
+ }
+ }
 }
 patch := client.MergeFrom(wr.organization.DeepCopy())
 wr.organization.Status.AdminId = userid
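Review bot: The error path of the new `adminClient.AddIAMMember` call reports `Error adding org member` for an IAM-member call, and the tolerated substring `"RolesNotChanged"` differs from the `"Errors.Org.Member.RolesNotChanged"` key matched for the org call just above it, so it is unclear which message shape the admin API actually returns; hunk 5's UpdateIAMMember block has the same pair. Matching on message text is fragile in general: if the zitadel-go client surfaces gRPC status errors, `status.Code(err) == codes.AlreadyExists` (google.golang.org/grpc) is a stable check, and `%w` instead of `%v` in the `fmt.Errorf` calls would keep the cause inspectable with errors.As. This Add block also runs only in the `adminUser == nil` branch, so an admin user that already existed gets no IAM_OWNER grant here and relies on hunk 5's Update alone. The enclosing function continues outside the hunk.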
From bd9705ff9965425a8da4088cac2b23e2683c7b97 Mon Sep 17 00:00:00 2001
From: Haim Kortovich
Date: Thu, 25 Jul 2024 12:53:50 -0500
Subject: [PATCH 3/7] Always add member instead [ZITADOPER-5]
---
 .../controller/organization_controller.go | 26 +++++++++----------
 1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/src/internal/controller/organization_controller.go b/src/internal/controller/organization_controller.go
index 4c4a520..8548677 100644
--- a/src/internal/controller/organization_controller.go
+++ b/src/internal/controller/organization_controller.go
@@ -199,20 +199,6 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 }
 }
 }
- if adminClient != nil {
- {
- if _, err := adminClient.AddIAMMember(ctx, &adm.AddIAMMemberRequest{
- UserId: userid,
- Roles: []string{
- "IAM_OWNER",
- },
- }); err != nil {
- if !strings.Contains(err.Error(), "RolesNotChanged") {
- return fmt.Errorf("Error adding org member: %v", err)
- }
- }
- }
- }
 } else {
 userid = adminUser.User.Id
@@ -231,6 +217,18 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 }
 if adminClient != nil {
+ {
+ if _, err := adminClient.AddIAMMember(ctx, &adm.AddIAMMemberRequest{
+ UserId: userid,
+ Roles: []string{
+ "IAM_OWNER",
+ },
+ }); err != nil {
+ if !strings.Contains(err.Error(), "RolesNotChanged") || !strings.Contains(err.Error(), "AlreadyExists") {
+ return fmt.Errorf("Error adding org member: %v", err)
+ }
+ }
+ }
 {
 if _, err := adminClient.UpdateIAMMember(ctx, &adm.UpdateIAMMemberRequest{
 UserId: userid,
From 8d533ba5bd5709b915a8c66072853d43e50bca50 Mon Sep 17 00:00:00 2001
From: Haim Kortovich
Date: Thu, 25 Jul 2024 13:02:14 -0500
Subject: [PATCH 4/7] Use and instead of or [ZITADOPER-5]
---
 src/internal/controller/organization_controller.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
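Review bot: `!strings.Contains(err.Error(), "RolesNotChanged") || !strings.Contains(err.Error(), "AlreadyExists")` in hunk 2 is true whenever either substring is absent, so an AlreadyExists error that does not also mention RolesNotChanged is still returned and the tolerance effectively never applies; the intended guard is `if !strings.Contains(err.Error(), "RolesNotChanged") && !strings.Contains(err.Error(), "AlreadyExists") {` ([PATCH 4/7] makes exactly that change). Moving the Add out of the `adminUser == nil` branch so pre-existing users are covered is right, but since the context lines show UpdateIAMMember following unconditionally with the same roles, the tolerated unchanged-roles path is the expected outcome on every steady-state reconcile and deserves a one-line comment saying so. The enclosing `if adminClient != nil {` block starts before the hunk and ends after it.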
diff --git a/src/internal/controller/organization_controller.go b/src/internal/controller/organization_controller.go
index 8548677..12e7f1e 100644
--- a/src/internal/controller/organization_controller.go
+++ b/src/internal/controller/organization_controller.go
@@ -224,7 +224,7 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 "IAM_OWNER",
 },
 }); err != nil {
- if !strings.Contains(err.Error(), "RolesNotChanged") || !strings.Contains(err.Error(), "AlreadyExists") {
+ if !strings.Contains(err.Error(), "RolesNotChanged") && !strings.Contains(err.Error(), "AlreadyExists") {
 return fmt.Errorf("Error adding org member: %v", err)
 }
 }
From 1eed11ca98c5f2b9402187cddd686bc780f1e3da Mon Sep 17 00:00:00 2001
From: Haim Kortovich
Date: Tue, 29 Oct 2024 17:45:10 -0500
Subject: [PATCH 5/7] add iam_member [ZITADOPER-5]
---
 src/internal/controller/organization_controller.go | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/src/internal/controller/organization_controller.go b/src/internal/controller/organization_controller.go
index 12e7f1e..48b8ed4 100644
--- a/src/internal/controller/organization_controller.go
+++ b/src/internal/controller/organization_controller.go
@@ -153,13 +153,6 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 if err != nil {
 return err
 }
- var adminClient *admin.Client
- if zitadelCluster.Spec.FirstOrgName == wr.organization.Name {
- adminClient, err = zitadelClient.NewAdminClient(ctx, zitadelCluster, *wr.refResolver)
- if err != nil {
- return err
- }
- }
 adminUser, err := ztdClient.GetUserByLoginNameGlobal(ctx, &pb.GetUserByLoginNameGlobalRequest{
 LoginName: strings.ToLower(fmt.Sprintf("%s@%s.%s", wr.organization.Spec.OrganizationAdmin.UserName, wr.organization.Name, zitadelCluster.Spec.Host)),
@@ -216,7 +209,11 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 }
 }
- if adminClient != nil {
+ if zitadelCluster.Spec.FirstOrgName == wr.organization.Name {
+ adminClient, err := zitadelClient.NewAdminClient(ctx, zitadelCluster, *wr.refResolver)
+ if err != nil {
+ return err
+ }
 {
 if _, err := adminClient.AddIAMMember(ctx, &adm.AddIAMMemberRequest{
 UserId: userid,
From acb9945be1353a8223e0bed45ff833357e0c4851 Mon Sep 17 00:00:00 2001
From: Haim Kortovich
Date: Tue, 29 Oct 2024 17:53:22 -0500
Subject: [PATCH 6/7] remove unused import [ZITADOPER-5]
---
 src/internal/controller/organization_controller.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/internal/controller/organization_controller.go b/src/internal/controller/organization_controller.go
index 48b8ed4..78b68f4 100644
--- a/src/internal/controller/organization_controller.go
+++ b/src/internal/controller/organization_controller.go
@@ -26,7 +26,6 @@ import (
 condition "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/condition"
 "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/controller/zitadel"
 zitadelClient "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/zitadel"
- "github.com/zitadel/zitadel-go/v2/pkg/client/admin"
 "github.com/zitadel/zitadel-go/v2/pkg/client/management"
 "github.com/zitadel/zitadel-go/v2/pkg/client/middleware"
 adm "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/admin"
From 686d4e5e1187afee7c84f876238cba0c4c9bf364 Mon Sep 17 00:00:00 2001
From: Haim Kortovich
Date: Tue, 29 Oct 2024 17:59:33 -0500
Subject: [PATCH 7/7] catch error [ZITADOPER-5]
---
 src/internal/controller/organization_controller.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/internal/controller/organization_controller.go b/src/internal/controller/organization_controller.go
index 78b68f4..70d6810 100644
--- a/src/internal/controller/organization_controller.go
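Review bot: The block gated by `if zitadelCluster.Spec.FirstOrgName == wr.organization.Name {` grants instance-wide IAM_OWNER to `userid`, and nothing in this hunk logs or records that, so there is no trace of which user received the most privileged role this controller hands out or on which reconcile; a structured log entry naming the user ID and organization right after the client is created would give operators an audit trail. The freshly created `adminClient` is also never closed in the hunk; if `NewAdminClient` returns a client that owns its own gRPC connection rather than a shared one, a `defer` that closes it after the `return err` check avoids leaking one connection per reconcile. `adminClient, err :=` declares a new `err` that shadows the function-level one; it is checked immediately so this is harmless, but the shadow analyzer will flag it. The `if` body continues past the hunk.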
+++ b/src/internal/controller/organization_controller.go
@@ -220,8 +220,8 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 "IAM_OWNER",
 },
 }); err != nil {
- if !strings.Contains(err.Error(), "RolesNotChanged") && !strings.Contains(err.Error(), "AlreadyExists") {
- return fmt.Errorf("Error adding org member: %v", err)
+ if !strings.Contains(err.Error(), "Roles have not been changed") && !strings.Contains(err.Error(), "AlreadyExists") {
+ return fmt.Errorf("Error adding iam member: %v", err)
 }
 }
 }
@@ -232,8 +232,8 @@ func (wr *wrappedOrganizationReconciler) reconcileInitialAdmin(ctx context.Conte
 "IAM_OWNER",
 },
 }); err != nil {
- if !strings.Contains(err.Error(), "RolesNotChanged") {
- return fmt.Errorf("Error updating org member: %v", err)
+ if !strings.Contains(err.Error(), "Roles have not been changed") {
+ return fmt.Errorf("Error updating iam member: %v", err)
 }
 }
 }
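Review bot: Replacing `"RolesNotChanged"` with the human-readable `"Roles have not been changed"` in the `strings.Contains` guard ties the tolerant path to the exact wording the server emits, which can change with a ZITADEL upgrade or a localized error message, at which point every steady-state reconcile of the first org would start failing with `Error adding iam member`; hunk 2's Update guard has the same dependency. If the zitadel-go client returns gRPC status errors, checking `status.Code(err)` (google.golang.org/grpc/status) against `codes.AlreadyExists` and whichever code the server uses for the unchanged-roles case would be stable; at minimum the matched text deserves a comment naming the ZITADEL version it was observed on. The `fmt.Errorf` calls could also use `%w` rather than `%v` so the status stays inspectable by the caller. Both enclosing blocks start before their hunk.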