Add APIApp crd
[ZITADOPER-1]
This commit is contained in:
Haim Kortovich
261
src/internal/controller/apiapp_controller.go
Normal file
261
src/internal/controller/apiapp_controller.go
Normal file
@@ -0,0 +1,261 @@
|
||||
/*
|
||||
Copyright 2024.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package controller
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
zitadelv1alpha1 "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/api/v1alpha1"
|
||||
"bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/builder"
|
||||
condition "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/condition"
|
||||
"bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/controller/zitadel"
|
||||
"github.com/zitadel/zitadel-go/v2/pkg/client/management"
|
||||
"github.com/zitadel/zitadel-go/v2/pkg/client/middleware"
|
||||
app "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/app"
|
||||
"github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/authn"
|
||||
pb "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/management"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/client-go/util/workqueue"
|
||||
ctrl "sigs.k8s.io/controller-runtime"
|
||||
"sigs.k8s.io/controller-runtime/pkg/client"
|
||||
ctrlClient "sigs.k8s.io/controller-runtime/pkg/client"
|
||||
"sigs.k8s.io/controller-runtime/pkg/controller"
|
||||
)
|
||||
|
||||
// APIAppReconciler reconciles a APIApp object
|
||||
type APIAppReconciler struct {
|
||||
client.Client
|
||||
RefResolver *zitadelv1alpha1.RefResolver
|
||||
ConditionReady *condition.Ready
|
||||
RequeueInterval time.Duration
|
||||
Builder *builder.Builder
|
||||
}
|
||||
|
||||
func NewAPIAppReconciler(client client.Client, refResolver *zitadelv1alpha1.RefResolver, builder *builder.Builder, conditionReady *condition.Ready,
|
||||
requeueInterval time.Duration) *APIAppReconciler {
|
||||
return &APIAppReconciler{
|
||||
Client: client,
|
||||
RefResolver: refResolver,
|
||||
ConditionReady: conditionReady,
|
||||
RequeueInterval: requeueInterval,
|
||||
Builder: builder,
|
||||
}
|
||||
}
|
||||
|
||||
//+kubebuilder:rbac:groups=zitadel.topmanage.com,resources=apiapps,verbs=get;list;watch;create;update;patch;delete
|
||||
//+kubebuilder:rbac:groups=zitadel.topmanage.com,resources=apiapps/status,verbs=get;update;patch
|
||||
//+kubebuilder:rbac:groups=zitadel.topmanage.com,resources=apiapps/finalizers,verbs=update
|
||||
|
||||
// Reconcile is part of the main kubernetes reconciliation loop which aims to
|
||||
// move the current state of the cluster closer to the desired state.
|
||||
func (r *APIAppReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
|
||||
var APIApp zitadelv1alpha1.APIApp
|
||||
if err := r.Get(ctx, req.NamespacedName, &APIApp); err != nil {
|
||||
return ctrl.Result{}, client.IgnoreNotFound(err)
|
||||
}
|
||||
wr := newWrappedAPIAppReconciler(r.Client, r.RefResolver, r.Builder, &APIApp)
|
||||
wf := newWrappedAPIAppFinalizer(r.Client, &APIApp, r.RefResolver)
|
||||
tf := zitadel.NewZitadelFinalizer(r.Client, wf)
|
||||
tr := zitadel.NewZitadelReconciler(r.Client, r.ConditionReady, wr, tf, r.RequeueInterval)
|
||||
|
||||
result, err := tr.Reconcile(ctx, &APIApp)
|
||||
if err != nil {
|
||||
return result, fmt.Errorf("error reconciling in APIAppReconciler: %v", err)
|
||||
}
|
||||
return result, nil
|
||||
}
|
||||
|
||||
type wrappedAPIAppReconciler struct {
|
||||
client.Client
|
||||
refResolver *zitadelv1alpha1.RefResolver
|
||||
APIApp *zitadelv1alpha1.APIApp
|
||||
Builder *builder.Builder
|
||||
}
|
||||
|
||||
func newWrappedAPIAppReconciler(client client.Client, refResolver *zitadelv1alpha1.RefResolver, builder *builder.Builder,
|
||||
APIApp *zitadelv1alpha1.APIApp) zitadel.WrappedReconciler {
|
||||
return &wrappedAPIAppReconciler{
|
||||
Client: client,
|
||||
refResolver: refResolver,
|
||||
APIApp: APIApp,
|
||||
Builder: builder,
|
||||
}
|
||||
}
|
||||
|
||||
type apiAppReoncilePhase struct {
|
||||
Name string
|
||||
Reconcile func(context.Context, *management.Client) error
|
||||
}
|
||||
|
||||
func (wr *wrappedAPIAppReconciler) Reconcile(ctx context.Context, ztdClient *management.Client) error {
|
||||
phases := []projectReconcilePhase{
|
||||
{
|
||||
Name: "apiapp",
|
||||
Reconcile: wr.reconcileApp,
|
||||
},
|
||||
{
|
||||
Name: "keys",
|
||||
Reconcile: wr.reconcileKeys,
|
||||
},
|
||||
}
|
||||
for _, p := range phases {
|
||||
err := p.Reconcile(ctx, ztdClient)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (wr *wrappedAPIAppReconciler) reconcileApp(ctx context.Context, ztdClient *management.Client) error {
|
||||
org, err := wr.APIApp.Organization(ctx, wr.refResolver)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
project, err := wr.APIApp.Project(ctx, wr.refResolver)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if wr.APIApp.Status.AppId != "" {
|
||||
appResp, err := ztdClient.GetAppByID(middleware.SetOrgID(ctx, org.Status.OrgId), &pb.GetAppByIDRequest{
|
||||
ProjectId: project.Status.ProjectId,
|
||||
AppId: string(wr.APIApp.Status.AppId),
|
||||
})
|
||||
if err != nil {
|
||||
return fmt.Errorf("Error getting APIApp: %v", err)
|
||||
}
|
||||
if appResp.App != nil {
|
||||
_, err := ztdClient.UpdateAPIAppConfig(middleware.SetOrgID(ctx, org.Status.OrgId), &pb.UpdateAPIAppConfigRequest{ProjectId: project.Status.ProjectId, AppId: wr.APIApp.Status.AppId,
|
||||
AuthMethodType: app.APIAuthMethodType(app.APIAuthMethodType_value[wr.APIApp.Spec.AuthMethodType]),
|
||||
})
|
||||
if err != nil {
|
||||
if !strings.Contains(err.Error(), "No changes") {
|
||||
return fmt.Errorf("Error updating APIApp: %v", err)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
resp, err := ztdClient.AddAPIApp(middleware.SetOrgID(ctx, org.Status.OrgId),
|
||||
&pb.AddAPIAppRequest{
|
||||
Name: wr.APIApp.Name,
|
||||
ProjectId: project.Status.ProjectId,
|
||||
AuthMethodType: app.APIAuthMethodType(app.APIAuthMethodType_value[wr.APIApp.Spec.AuthMethodType]),
|
||||
},
|
||||
)
|
||||
if err != nil {
|
||||
if strings.Contains(err.Error(), "AlreadyExists") {
|
||||
return nil
|
||||
}
|
||||
return fmt.Errorf("error creating APIApp in Zitadel: %v", err)
|
||||
}
|
||||
key := types.NamespacedName{
|
||||
Name: wr.APIApp.Name + "-client-secret",
|
||||
Namespace: wr.APIApp.Namespace,
|
||||
}
|
||||
|
||||
secretData := map[string][]byte{"client-secret": []byte(resp.ClientSecret)}
|
||||
secret, err := wr.Builder.BuildSecret(builder.SecretOpts{Immutable: true, Zitadel: nil, Key: key, Data: secretData}, wr.APIApp)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error building Secret: %v", err)
|
||||
}
|
||||
if err := wr.Create(ctx, secret); err != nil {
|
||||
return fmt.Errorf("error creating Client-secret Secret: %v", err)
|
||||
}
|
||||
patch := ctrlClient.MergeFrom(wr.APIApp.DeepCopy())
|
||||
wr.APIApp.Status.AppId = resp.AppId
|
||||
wr.APIApp.Status.ClientId = resp.ClientId
|
||||
return wr.Client.Status().Patch(ctx, wr.APIApp, patch)
|
||||
}
|
||||
|
||||
func (wr *wrappedAPIAppReconciler) reconcileKeys(ctx context.Context, ztdClient *management.Client) error {
|
||||
if wr.APIApp.Spec.AuthMethodType == "API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT" {
|
||||
org, err := wr.APIApp.Organization(ctx, wr.refResolver)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
project, err := wr.APIApp.Project(ctx, wr.refResolver)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if wr.APIApp.Status.KeyId != "" {
|
||||
_, err = ztdClient.GetAppKey(middleware.SetOrgID(ctx, org.Status.OrgId), &pb.GetAppKeyRequest{
|
||||
ProjectId: project.Status.ProjectId,
|
||||
AppId: wr.APIApp.Status.AppId,
|
||||
KeyId: wr.APIApp.Status.KeyId,
|
||||
})
|
||||
if err != nil {
|
||||
if strings.Contains(err.Error(), "AlreadyExists") {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
}
|
||||
resp, err := ztdClient.AddAppKey(middleware.SetOrgID(ctx, org.Status.OrgId), &pb.AddAppKeyRequest{
|
||||
ProjectId: project.Status.ProjectId,
|
||||
AppId: wr.APIApp.Status.AppId,
|
||||
Type: authn.KeyType_KEY_TYPE_JSON,
|
||||
ExpirationDate: nil,
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("Error adding Key to app: %v", err)
|
||||
}
|
||||
|
||||
key := types.NamespacedName{
|
||||
Name: wr.APIApp.Name + "-privatekey-secret",
|
||||
Namespace: wr.APIApp.Namespace,
|
||||
}
|
||||
|
||||
secretData := map[string][]byte{"key.json": resp.KeyDetails}
|
||||
secret, err := wr.Builder.BuildSecret(builder.SecretOpts{Immutable: true, Zitadel: nil, Key: key, Data: secretData}, wr.APIApp)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error building Secret: %v", err)
|
||||
}
|
||||
if err := wr.Create(ctx, secret); err != nil {
|
||||
return fmt.Errorf("error creating Client-secret Secret: %v", err)
|
||||
}
|
||||
patch := ctrlClient.MergeFrom(wr.APIApp.DeepCopy())
|
||||
wr.APIApp.Status.KeyId = resp.Id
|
||||
return wr.Client.Status().Patch(ctx, wr.APIApp, patch)
|
||||
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (wr *wrappedAPIAppReconciler) PatchStatus(ctx context.Context, patcher condition.Patcher) error {
|
||||
patch := client.MergeFrom(wr.APIApp.DeepCopy())
|
||||
patcher(&wr.APIApp.Status)
|
||||
|
||||
if err := wr.Client.Status().Patch(ctx, wr.APIApp, patch); err != nil {
|
||||
return fmt.Errorf("error patching APIApp status: %v", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// SetupWithManager sets up the controller with the Manager.
|
||||
func (r *APIAppReconciler) SetupWithManager(mgr ctrl.Manager) error {
|
||||
return ctrl.NewControllerManagedBy(mgr).
|
||||
For(&zitadelv1alpha1.APIApp{}).
|
||||
Owns(&corev1.Secret{}).
|
||||
WithOptions(controller.Options{RateLimiter: workqueue.NewItemExponentialFailureRateLimiter(time.Millisecond*500, time.Minute*3)}).
|
||||
Complete(r)
|
||||
}
|
||||
91
src/internal/controller/apiapp_controller_finalizer.go
Normal file
91
src/internal/controller/apiapp_controller_finalizer.go
Normal file
@@ -0,0 +1,91 @@
|
||||
package controller
|
||||
|
||||
import (
|
||||
"strings"
|
||||
|
||||
zitadelv1alpha1 "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/api/v1alpha1"
|
||||
"bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/controller/zitadel"
|
||||
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/zitadel/zitadel-go/v2/pkg/client/management"
|
||||
"github.com/zitadel/zitadel-go/v2/pkg/client/middleware"
|
||||
pb "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/management"
|
||||
"sigs.k8s.io/controller-runtime/pkg/client"
|
||||
ctrlClient "sigs.k8s.io/controller-runtime/pkg/client"
|
||||
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
|
||||
)
|
||||
|
||||
const (
|
||||
APIAppFinalizerName = "apiapp.zitadel.topmanage.com/apiapp"
|
||||
)
|
||||
|
||||
type wrappedAPIAppFinalizer struct {
|
||||
client.Client
|
||||
APIApp *zitadelv1alpha1.APIApp
|
||||
refresolver *zitadelv1alpha1.RefResolver
|
||||
}
|
||||
|
||||
func newWrappedAPIAppFinalizer(client client.Client, APIApp *zitadelv1alpha1.APIApp, refresolver *zitadelv1alpha1.RefResolver) zitadel.WrappedFinalizer {
|
||||
return &wrappedAPIAppFinalizer{
|
||||
Client: client,
|
||||
APIApp: APIApp,
|
||||
refresolver: refresolver,
|
||||
}
|
||||
}
|
||||
|
||||
func (wf *wrappedAPIAppFinalizer) AddFinalizer(ctx context.Context) error {
|
||||
if wf.ContainsFinalizer() {
|
||||
return nil
|
||||
}
|
||||
return wf.patch(ctx, wf.APIApp, func(APIApp *zitadelv1alpha1.APIApp) {
|
||||
controllerutil.AddFinalizer(APIApp, APIAppFinalizerName)
|
||||
})
|
||||
}
|
||||
|
||||
func (wf *wrappedAPIAppFinalizer) RemoveFinalizer(ctx context.Context) error {
|
||||
if !wf.ContainsFinalizer() {
|
||||
return nil
|
||||
}
|
||||
return wf.patch(ctx, wf.APIApp, func(APIApp *zitadelv1alpha1.APIApp) {
|
||||
controllerutil.RemoveFinalizer(wf.APIApp, APIAppFinalizerName)
|
||||
})
|
||||
}
|
||||
|
||||
func (wr *wrappedAPIAppFinalizer) ContainsFinalizer() bool {
|
||||
return controllerutil.ContainsFinalizer(wr.APIApp, APIAppFinalizerName)
|
||||
}
|
||||
|
||||
func (wf *wrappedAPIAppFinalizer) Reconcile(ctx context.Context, ztdClient *management.Client) error {
|
||||
if wf.APIApp.Status.AppId == "" {
|
||||
return nil
|
||||
}
|
||||
org, err := wf.APIApp.Organization(ctx, wf.refresolver)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
project, err := wf.APIApp.Project(ctx, wf.refresolver)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
_, err = ztdClient.RemoveApp(middleware.SetOrgID(ctx, org.Status.OrgId), &pb.RemoveAppRequest{ProjectId: project.Status.ProjectId, AppId: wf.APIApp.Status.AppId})
|
||||
if err != nil {
|
||||
if strings.Contains(err.Error(), "doesn't exist") {
|
||||
return nil
|
||||
}
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (wr *wrappedAPIAppFinalizer) patch(ctx context.Context, APIApp *zitadelv1alpha1.APIApp,
|
||||
patchFn func(*zitadelv1alpha1.APIApp)) error {
|
||||
patch := ctrlClient.MergeFrom(APIApp.DeepCopy())
|
||||
patchFn(APIApp)
|
||||
|
||||
if err := wr.Client.Patch(ctx, APIApp, patch); err != nil {
|
||||
return fmt.Errorf("error patching APIApp finalizer: %v", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
@@ -84,39 +84,7 @@ func newWrappedMachineUserReconciler(client client.Client, refResolver *zitadelv
|
||||
}
|
||||
|
||||
func (wr *wrappedMachineUserReconciler) Reconcile(ctx context.Context, ztdClient *management.Client) error {
|
||||
// if wr.MachineUser.Status.AppId != "" {
|
||||
// appResp, err := ztdClient.GetAppByID(middleware.SetOrgID(ctx, org.Status.OrgId), &pb.GetAppByIDRequest{
|
||||
// ProjectId: project.Status.ProjectId,
|
||||
// AppId: string(wr.MachineUser.Status.AppId),
|
||||
// })
|
||||
// if err != nil {
|
||||
// return fmt.Errorf("Error getting MachineUser: %v", err)
|
||||
// }
|
||||
// if appResp.App != nil {
|
||||
// _, err := ztdClient.UpdateMachineUserConfig(middleware.SetOrgID(ctx, org.Status.OrgId), &pb.UpdateMachineUserConfigRequest{ProjectId: project.Status.ProjectId, AppId: wr.MachineUser.Status.AppId,
|
||||
// RedirectUris: wr.MachineUser.Spec.RedirectUris,
|
||||
// ResponseTypes: responseTypes,
|
||||
// GrantTypes: grantTypes,
|
||||
// AppType: app.MachineUserType(app.MachineUserType_value[wr.MachineUser.Spec.AppType]),
|
||||
// AuthMethodType: app.OIDCAuthMethodType(app.OIDCAuthMethodType_value[wr.MachineUser.Spec.AuthMethodType]),
|
||||
// PostLogoutRedirectUris: wr.MachineUser.Spec.PostLogoutRedirectUris,
|
||||
// DevMode: wr.MachineUser.Spec.DevMode,
|
||||
// AccessTokenType: app.OIDCTokenType(app.OIDCTokenType_value[wr.MachineUser.Spec.AccessTokenType]),
|
||||
// AccessTokenRoleAssertion: wr.MachineUser.Spec.AccessTokenRoleAssertion,
|
||||
// IdTokenRoleAssertion: wr.MachineUser.Spec.IdTokenRoleAssertion,
|
||||
// IdTokenUserinfoAssertion: wr.MachineUser.Spec.IdTokenUserinfoAssertion,
|
||||
// ClockSkew: durationpb.New(wr.MachineUser.Spec.ClockSkew.Duration),
|
||||
// AdditionalOrigins: wr.MachineUser.Spec.AdditionalOrigins,
|
||||
// SkipNativeAppSuccessPage: wr.MachineUser.Spec.SkipNativeAppSuccessPage,
|
||||
// })
|
||||
// if err != nil {
|
||||
// if !strings.Contains(err.Error(), "No changes") {
|
||||
// return fmt.Errorf("Error updating MachineUser: %v", err)
|
||||
// }
|
||||
// }
|
||||
// return nil
|
||||
// }
|
||||
// }
|
||||
// TODO: update machine user
|
||||
zitadel, err := wr.refResolver.ZitadelCluster(ctx, &wr.MachineUser.Spec.ZitadelClusterRef, wr.MachineUser.Namespace)
|
||||
if err != nil {
|
||||
return err
|
||||
|
||||
Reference in New Issue
Block a user