Reissue PAT if roles changed

[ZITADOPER-1]
Haim Kortovich
2024-05-20 18:12:26 -05:00
parent 8afd44dc45
commit 9e7af107d1
5 changed files with 83 additions and 120 deletions


@@ -21,10 +21,12 @@ import (
project "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/project"
user "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/user"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/util/workqueue"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
clientpkg "sigs.k8s.io/controller-runtime/pkg/client"
ctrlClient "sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/controller"
)
@@ -192,7 +194,15 @@ func (wr *wrappedMachineUserReconciler) reconcilePAT(ctx context.Context, ztdCli
}
}
if token == nil {
if token == nil || !wr.MachineUser.Status.GetConditionStatus(zitadelv1alpha1.ConditionTypePATUpToDate) {
if token != nil {
if _, err = ztdClient.RemovePersonalAccessToken(ctx, &pb.RemovePersonalAccessTokenRequest{
UserId: wr.MachineUser.Status.UserId,
TokenId: wr.MachineUser.Status.PATId,
}); err != nil {
return fmt.Errorf("Error removing PAT: %v", err)
}
}
resp, err := ztdClient.AddPersonalAccessToken(ctx, &pb.AddPersonalAccessTokenRequest{
UserId: wr.MachineUser.Status.UserId,
})
@@ -203,7 +213,7 @@ func (wr *wrappedMachineUserReconciler) reconcilePAT(ctx context.Context, ztdCli
Name: wr.MachineUser.PatSecretName(),
Namespace: wr.MachineUser.Namespace,
}
patSecret, err := wr.Builder.BuildSecret(builder.SecretOpts{
desiredPatSecret, err := wr.Builder.BuildSecret(builder.SecretOpts{
Key: key,
Immutable: true,
Data: map[string][]byte{
@@ -214,9 +224,30 @@ func (wr *wrappedMachineUserReconciler) reconcilePAT(ctx context.Context, ztdCli
if err != nil {
return fmt.Errorf("error building PAT Secret: %v", err)
}
if err := wr.Create(ctx, patSecret); err != nil {
return fmt.Errorf("error creating pat-secret Secret: %v", err)
{
var existingPatSecret corev1.Secret
if err := wr.Get(ctx, key, &existingPatSecret); err != nil {
if !errors.IsNotFound(err) {
return fmt.Errorf("error getting PAT Secret: %v", err)
}
if err := wr.Create(ctx, desiredPatSecret); err != nil {
return fmt.Errorf("error creating PAT Secret: %v", err)
}
}
patch := clientpkg.MergeFrom(existingPatSecret.DeepCopy())
existingPatSecret.Data = desiredPatSecret.Data
if err = wr.Patch(ctx, &existingPatSecret, patch); err != nil {
return err
}
}
if err = wr.PatchStatus(ctx, condition.SetPatUpToDate); err != nil {
return err
}
patch := ctrlClient.MergeFrom(wr.MachineUser.DeepCopy())
wr.MachineUser.Status.PATId = resp.TokenId
return wr.Client.Status().Patch(ctx, wr.MachineUser, patch)
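Review bot: The reissue path in this hunk replaces `existingPatSecret.Data` and applies it with `wr.Patch` after `clientpkg.MergeFrom`, but the desired secret is still built with `Immutable: true,` in the preceding hunk, and the API server rejects changes to the data of an immutable Secret, so a rotation triggered by a role change will be refused at that patch on every reconcile; the `reconcileJWT` hunk below switches its secret to `Immutable: false,` and the PAT secret needs the same change. The bare `return err` after that patch is also the only unwrapped error in the function — `return fmt.Errorf("error patching PAT Secret: %v", err)` keeps it consistent with its siblings. Separately, `condition.SetPatUpToDate` is written to status before the `PATId` patch at the end of the hunk, so if that final status patch fails the condition reads up-to-date while `PATId` still names the token that was just revoked; folding the condition into the same status patch that sets `PATId` avoids that window. reconcilePAT begins and continues outside this hunk.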
@@ -268,7 +299,7 @@ func (wr *wrappedMachineUserReconciler) reconcileJWT(ctx context.Context, ztdCli
}
patSecret, err := wr.Builder.BuildSecret(builder.SecretOpts{
Key: key,
Immutable: true,
Immutable: false,
Data: secretData,
}, wr.MachineUser)
@@ -343,6 +374,11 @@ func (wr *wrappedMachineUserReconciler) reconcileUserGrants(ctx context.Context,
if existingProjectGrant == nil {
return fmt.Errorf("Error no project granted to user organization: %v", err)
}
if err = wr.PatchStatus(ctx, condition.SetPatOutOfDate); err != nil {
return err
}
_, err = ztdClient.AddUserGrant(ctx, &pb.AddUserGrantRequest{
UserId: wr.MachineUser.Status.UserId,
RoleKeys: userGrant.RoleKeys,
@@ -357,6 +393,11 @@ func (wr *wrappedMachineUserReconciler) reconcileUserGrants(ctx context.Context,
sort.Strings(existingUserGrant.RoleKeys)
sort.Strings(userGrant.RoleKeys)
if !reflect.DeepEqual(existingUserGrant.RoleKeys, userGrant.RoleKeys) {
if err = wr.PatchStatus(ctx, condition.SetPatOutOfDate); err != nil {
return err
}
_, err := ztdClient.UpdateUserGrant(ctx, &pb.UpdateUserGrantRequest{
UserId: wr.MachineUser.Status.UserId,
GrantId: existingUserGrant.Id,