Initial commit

[ZITADOPER-1]
2024-04-15 14:44:46 -05:00
parent 95e7d1cb69
commit e4eef2928a
121 changed files with 9053 additions and 0 deletions
--- a/src/internal/controller/oidcapp_controller.go
+++ b/src/internal/controller/oidcapp_controller.go
@@ -0,0 +1,217 @@
+/*
+Copyright 2024.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	zitadelv1alpha1 "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/api/v1alpha1"
+	"bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/builder"
+	condition "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/condition"
+	"bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/controller/zitadel"
+	"github.com/zitadel/zitadel-go/v2/pkg/client/management"
+	"github.com/zitadel/zitadel-go/v2/pkg/client/middleware"
+	app "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/app"
+	pb "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/management"
+	durationpb "google.golang.org/protobuf/types/known/durationpb"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/util/workqueue"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	ctrlClient "sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+)
+
+// OIDCAppReconciler reconciles a OIDCApp object
+type OIDCAppReconciler struct {
+	client.Client
+	RefResolver     *zitadelv1alpha1.RefResolver
+	ConditionReady  *condition.Ready
+	RequeueInterval time.Duration
+	Builder         *builder.Builder
+}
+
+func NewOIDCAppReconciler(client client.Client, refResolver *zitadelv1alpha1.RefResolver, builder *builder.Builder, conditionReady *condition.Ready,
+	requeueInterval time.Duration) *OIDCAppReconciler {
+	return &OIDCAppReconciler{
+		Client:          client,
+		RefResolver:     refResolver,
+		ConditionReady:  conditionReady,
+		RequeueInterval: requeueInterval,
+		Builder:         builder,
+	}
+}
+
+//+kubebuilder:rbac:groups=zitadel.topmanage.com,resources=oidcapps,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=zitadel.topmanage.com,resources=oidcapps/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=zitadel.topmanage.com,resources=oidcapps/finalizers,verbs=update
+
+// Reconcile is part of the main kubernetes reconciliation loop which aims to
+// move the current state of the cluster closer to the desired state.
+func (r *OIDCAppReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	var OIDCApp zitadelv1alpha1.OIDCApp
+	if err := r.Get(ctx, req.NamespacedName, &OIDCApp); err != nil {
+		return ctrl.Result{}, client.IgnoreNotFound(err)
+	}
+	wr := newWrappedOIDCAppReconciler(r.Client, r.RefResolver, r.Builder, &OIDCApp)
+	wf := newWrappedOIDCAppFinalizer(r.Client, &OIDCApp, r.RefResolver)
+	tf := zitadel.NewZitadelFinalizer(r.Client, wf)
+	tr := zitadel.NewZitadelReconciler(r.Client, r.ConditionReady, wr, tf, r.RequeueInterval)
+
+	result, err := tr.Reconcile(ctx, &OIDCApp)
+	if err != nil {
+		return result, fmt.Errorf("error reconciling in OIDCAppReconciler: %v", err)
+	}
+	return result, nil
+}
+
+type wrappedOIDCAppReconciler struct {
+	client.Client
+	refResolver *zitadelv1alpha1.RefResolver
+	OIDCApp     *zitadelv1alpha1.OIDCApp
+	Builder     *builder.Builder
+}
+
+func newWrappedOIDCAppReconciler(client client.Client, refResolver *zitadelv1alpha1.RefResolver, builder *builder.Builder,
+	OIDCApp *zitadelv1alpha1.OIDCApp) zitadel.WrappedReconciler {
+	return &wrappedOIDCAppReconciler{
+		Client:      client,
+		refResolver: refResolver,
+		OIDCApp:     OIDCApp,
+		Builder:     builder,
+	}
+}
+
+func (wr *wrappedOIDCAppReconciler) Reconcile(ctx context.Context, ztdClient *management.Client) error {
+	org, err := wr.OIDCApp.Organization(ctx, wr.refResolver)
+	if err != nil {
+		return err
+	}
+	project, err := wr.OIDCApp.Project(ctx, wr.refResolver)
+	if err != nil {
+		return err
+	}
+	responseTypes := []app.OIDCResponseType{}
+	for _, r := range wr.OIDCApp.Spec.ResponseTypes {
+		responseTypes = append(responseTypes, app.OIDCResponseType(app.OIDCResponseType_value[string(r)]))
+	}
+	grantTypes := []app.OIDCGrantType{}
+	for _, r := range wr.OIDCApp.Spec.GrantTypes {
+		grantTypes = append(grantTypes, app.OIDCGrantType(app.OIDCGrantType_value[string(r)]))
+	}
+	if wr.OIDCApp.Status.AppId != "" {
+		appResp, err := ztdClient.GetAppByID(middleware.SetOrgID(ctx, org.Status.OrgId), &pb.GetAppByIDRequest{
+			ProjectId: project.Status.ProjectId,
+			AppId:     string(wr.OIDCApp.Status.AppId),
+		})
+		if err != nil {
+			return fmt.Errorf("Error getting OIDCApp: %v", err)
+		}
+		if appResp.App != nil {
+			_, err := ztdClient.UpdateOIDCAppConfig(middleware.SetOrgID(ctx, org.Status.OrgId), &pb.UpdateOIDCAppConfigRequest{ProjectId: project.Status.ProjectId, AppId: wr.OIDCApp.Status.AppId,
+				RedirectUris:             wr.OIDCApp.Spec.RedirectUris,
+				ResponseTypes:            responseTypes,
+				GrantTypes:               grantTypes,
+				AppType:                  app.OIDCAppType(app.OIDCAppType_value[wr.OIDCApp.Spec.AppType]),
+				AuthMethodType:           app.OIDCAuthMethodType(app.OIDCAuthMethodType_value[wr.OIDCApp.Spec.AuthMethodType]),
+				PostLogoutRedirectUris:   wr.OIDCApp.Spec.PostLogoutRedirectUris,
+				DevMode:                  wr.OIDCApp.Spec.DevMode,
+				AccessTokenType:          app.OIDCTokenType(app.OIDCTokenType_value[wr.OIDCApp.Spec.AccessTokenType]),
+				AccessTokenRoleAssertion: wr.OIDCApp.Spec.AccessTokenRoleAssertion,
+				IdTokenRoleAssertion:     wr.OIDCApp.Spec.IdTokenRoleAssertion,
+				IdTokenUserinfoAssertion: wr.OIDCApp.Spec.IdTokenUserinfoAssertion,
+				ClockSkew:                durationpb.New(wr.OIDCApp.Spec.ClockSkew.Duration),
+				AdditionalOrigins:        wr.OIDCApp.Spec.AdditionalOrigins,
+				SkipNativeAppSuccessPage: wr.OIDCApp.Spec.SkipNativeAppSuccessPage,
+			})
+			if err != nil {
+				if !strings.Contains(err.Error(), "No changes") {
+					return fmt.Errorf("Error updating OIDCApp: %v", err)
+				}
+			}
+			return nil
+		}
+	}
+
+	resp, err := ztdClient.AddOIDCApp(middleware.SetOrgID(ctx, org.Status.OrgId),
+		&pb.AddOIDCAppRequest{
+			Name:                     wr.OIDCApp.Name,
+			ProjectId:                project.Status.ProjectId,
+			RedirectUris:             wr.OIDCApp.Spec.RedirectUris,
+			ResponseTypes:            responseTypes,
+			GrantTypes:               grantTypes,
+			AppType:                  app.OIDCAppType(app.OIDCAppType_value[wr.OIDCApp.Spec.AppType]),
+			AuthMethodType:           app.OIDCAuthMethodType(app.OIDCAuthMethodType_value[wr.OIDCApp.Spec.AuthMethodType]),
+			PostLogoutRedirectUris:   wr.OIDCApp.Spec.PostLogoutRedirectUris,
+			Version:                  app.OIDCVersion_OIDC_VERSION_1_0,
+			DevMode:                  wr.OIDCApp.Spec.DevMode,
+			AccessTokenType:          app.OIDCTokenType(app.OIDCTokenType_value[wr.OIDCApp.Spec.AccessTokenType]),
+			AccessTokenRoleAssertion: wr.OIDCApp.Spec.AccessTokenRoleAssertion,
+			IdTokenRoleAssertion:     wr.OIDCApp.Spec.IdTokenRoleAssertion,
+			IdTokenUserinfoAssertion: wr.OIDCApp.Spec.IdTokenUserinfoAssertion,
+			ClockSkew:                durationpb.New(wr.OIDCApp.Spec.ClockSkew.Duration),
+			AdditionalOrigins:        wr.OIDCApp.Spec.AdditionalOrigins,
+			SkipNativeAppSuccessPage: wr.OIDCApp.Spec.SkipNativeAppSuccessPage,
+		},
+	)
+	if err != nil {
+		if strings.Contains(err.Error(), "AlreadyExists") {
+			return nil
+		}
+		return fmt.Errorf("error creating OIDCApp in Zitadel: %v", err)
+	}
+	key := types.NamespacedName{
+		Name:      wr.OIDCApp.Name + "-client-secret",
+		Namespace: wr.OIDCApp.Namespace,
+	}
+
+	secretData := map[string][]byte{"client-secret": []byte(resp.ClientSecret)}
+	secret, err := wr.Builder.BuildSecret(builder.SecretOpts{Immutable: true, Zitadel: nil, Key: key, Data: secretData}, wr.OIDCApp)
+	if err != nil {
+		return fmt.Errorf("error building Secret: %v", err)
+	}
+	if err := wr.Create(ctx, secret); err != nil {
+		return fmt.Errorf("error creating Client-secret Secret: %v", err)
+	}
+	patch := ctrlClient.MergeFrom(wr.OIDCApp.DeepCopy())
+	wr.OIDCApp.Status.AppId = resp.AppId
+	wr.OIDCApp.Status.ClientId = resp.ClientId
+	return wr.Client.Status().Patch(ctx, wr.OIDCApp, patch)
+}
+
+func (wr *wrappedOIDCAppReconciler) PatchStatus(ctx context.Context, patcher condition.Patcher) error {
+	patch := client.MergeFrom(wr.OIDCApp.DeepCopy())
+	patcher(&wr.OIDCApp.Status)
+
+	if err := wr.Client.Status().Patch(ctx, wr.OIDCApp, patch); err != nil {
+		return fmt.Errorf("error patching OIDCApp status: %v", err)
+	}
+	return nil
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (r *OIDCAppReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&zitadelv1alpha1.OIDCApp{}).
+		Owns(&corev1.Secret{}).
+		WithOptions(controller.Options{RateLimiter: workqueue.NewItemExponentialFailureRateLimiter(time.Millisecond*500, time.Minute*3)}).
+		Complete(r)
+}