221 lines
9.1 KiB
Go
221 lines
9.1 KiB
Go
/*
|
|
Copyright 2024.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package controller
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"strings"
|
|
"time"
|
|
|
|
zitadelv1alpha1 "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/api/v1alpha1"
|
|
"bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/builder"
|
|
condition "bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/condition"
|
|
"bitbucket.org/topmanage-software-engineering/zitadel-k8s-operator/src/pkg/controller/zitadel"
|
|
"github.com/zitadel/zitadel-go/v3/pkg/client/management"
|
|
"github.com/zitadel/zitadel-go/v3/pkg/client/middleware"
|
|
app "github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/app"
|
|
pb "github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/management"
|
|
durationpb "google.golang.org/protobuf/types/known/durationpb"
|
|
corev1 "k8s.io/api/core/v1"
|
|
"k8s.io/apimachinery/pkg/types"
|
|
"k8s.io/client-go/util/workqueue"
|
|
ctrl "sigs.k8s.io/controller-runtime"
|
|
"sigs.k8s.io/controller-runtime/pkg/client"
|
|
ctrlClient "sigs.k8s.io/controller-runtime/pkg/client"
|
|
"sigs.k8s.io/controller-runtime/pkg/controller"
|
|
)
|
|
|
|
// OIDCAppReconciler reconciles a OIDCApp object
|
|
type OIDCAppReconciler struct {
|
|
client.Client
|
|
RefResolver *zitadelv1alpha1.RefResolver
|
|
ConditionReady *condition.Ready
|
|
RequeueInterval time.Duration
|
|
Builder *builder.Builder
|
|
}
|
|
|
|
func NewOIDCAppReconciler(client client.Client, refResolver *zitadelv1alpha1.RefResolver, builder *builder.Builder, conditionReady *condition.Ready,
|
|
requeueInterval time.Duration) *OIDCAppReconciler {
|
|
return &OIDCAppReconciler{
|
|
Client: client,
|
|
RefResolver: refResolver,
|
|
ConditionReady: conditionReady,
|
|
RequeueInterval: requeueInterval,
|
|
Builder: builder,
|
|
}
|
|
}
|
|
|
|
//+kubebuilder:rbac:groups=zitadel.topmanage.com,resources=oidcapps,verbs=get;list;watch;create;update;patch;delete
|
|
//+kubebuilder:rbac:groups=zitadel.topmanage.com,resources=oidcapps/status,verbs=get;update;patch
|
|
//+kubebuilder:rbac:groups=zitadel.topmanage.com,resources=oidcapps/finalizers,verbs=update
|
|
|
|
// Reconcile is part of the main kubernetes reconciliation loop which aims to
|
|
// move the current state of the cluster closer to the desired state.
|
|
func (r *OIDCAppReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
|
|
var OIDCApp zitadelv1alpha1.OIDCApp
|
|
if err := r.Get(ctx, req.NamespacedName, &OIDCApp); err != nil {
|
|
return ctrl.Result{}, client.IgnoreNotFound(err)
|
|
}
|
|
wr := newWrappedOIDCAppReconciler(r.Client, r.RefResolver, r.Builder, &OIDCApp)
|
|
wf := newWrappedOIDCAppFinalizer(r.Client, &OIDCApp, r.RefResolver)
|
|
tf := zitadel.NewZitadelFinalizer(r.Client, wf)
|
|
tr := zitadel.NewZitadelReconciler(r.Client, r.ConditionReady, wr, tf, r.RequeueInterval)
|
|
|
|
result, err := tr.Reconcile(ctx, &OIDCApp)
|
|
if err != nil {
|
|
return result, fmt.Errorf("error reconciling in OIDCAppReconciler: %v", err)
|
|
}
|
|
return result, nil
|
|
}
|
|
|
|
type wrappedOIDCAppReconciler struct {
|
|
client.Client
|
|
refResolver *zitadelv1alpha1.RefResolver
|
|
OIDCApp *zitadelv1alpha1.OIDCApp
|
|
Builder *builder.Builder
|
|
}
|
|
|
|
func newWrappedOIDCAppReconciler(client client.Client, refResolver *zitadelv1alpha1.RefResolver, builder *builder.Builder,
|
|
OIDCApp *zitadelv1alpha1.OIDCApp) zitadel.WrappedReconciler {
|
|
return &wrappedOIDCAppReconciler{
|
|
Client: client,
|
|
refResolver: refResolver,
|
|
OIDCApp: OIDCApp,
|
|
Builder: builder,
|
|
}
|
|
}
|
|
|
|
func (wr *wrappedOIDCAppReconciler) Reconcile(ctx context.Context, ztdClient *management.Client) error {
|
|
org, err := wr.OIDCApp.Organization(ctx, wr.refResolver)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
project, err := wr.OIDCApp.Project(ctx, wr.refResolver)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
responseTypes := []app.OIDCResponseType{}
|
|
for _, r := range wr.OIDCApp.Spec.ResponseTypes {
|
|
responseTypes = append(responseTypes, app.OIDCResponseType(app.OIDCResponseType_value[string(r)]))
|
|
}
|
|
grantTypes := []app.OIDCGrantType{}
|
|
for _, r := range wr.OIDCApp.Spec.GrantTypes {
|
|
grantTypes = append(grantTypes, app.OIDCGrantType(app.OIDCGrantType_value[string(r)]))
|
|
}
|
|
|
|
if wr.OIDCApp.Status.AppId != "" {
|
|
appResp, err := ztdClient.GetAppByID(middleware.SetOrgID(ctx, org.Status.OrgId), &pb.GetAppByIDRequest{
|
|
ProjectId: project.Status.ProjectId,
|
|
AppId: string(wr.OIDCApp.Status.AppId),
|
|
})
|
|
// TODO: fix flow
|
|
if err != nil {
|
|
return fmt.Errorf("Error getting OIDCApp: %v", err)
|
|
}
|
|
if appResp.App != nil {
|
|
_, err := ztdClient.UpdateOIDCAppConfig(middleware.SetOrgID(ctx, org.Status.OrgId), &pb.UpdateOIDCAppConfigRequest{ProjectId: project.Status.ProjectId, AppId: wr.OIDCApp.Status.AppId,
|
|
RedirectUris: wr.OIDCApp.Spec.RedirectUris,
|
|
ResponseTypes: responseTypes,
|
|
GrantTypes: grantTypes,
|
|
AppType: app.OIDCAppType(app.OIDCAppType_value[wr.OIDCApp.Spec.AppType]),
|
|
AuthMethodType: app.OIDCAuthMethodType(app.OIDCAuthMethodType_value[wr.OIDCApp.Spec.AuthMethodType]),
|
|
PostLogoutRedirectUris: wr.OIDCApp.Spec.PostLogoutRedirectUris,
|
|
DevMode: wr.OIDCApp.Spec.DevMode,
|
|
AccessTokenType: app.OIDCTokenType(app.OIDCTokenType_value[wr.OIDCApp.Spec.AccessTokenType]),
|
|
AccessTokenRoleAssertion: wr.OIDCApp.Spec.AccessTokenRoleAssertion,
|
|
IdTokenRoleAssertion: wr.OIDCApp.Spec.IdTokenRoleAssertion,
|
|
IdTokenUserinfoAssertion: wr.OIDCApp.Spec.IdTokenUserinfoAssertion,
|
|
ClockSkew: durationpb.New(wr.OIDCApp.Spec.ClockSkew.Duration),
|
|
AdditionalOrigins: wr.OIDCApp.Spec.AdditionalOrigins,
|
|
SkipNativeAppSuccessPage: wr.OIDCApp.Spec.SkipNativeAppSuccessPage,
|
|
})
|
|
if err != nil {
|
|
if !strings.Contains(err.Error(), "No changes") {
|
|
return fmt.Errorf("Error updating OIDCApp: %v", err)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
}
|
|
|
|
resp, err := ztdClient.AddOIDCApp(middleware.SetOrgID(ctx, org.Status.OrgId),
|
|
&pb.AddOIDCAppRequest{
|
|
Name: wr.OIDCApp.Name,
|
|
ProjectId: project.Status.ProjectId,
|
|
RedirectUris: wr.OIDCApp.Spec.RedirectUris,
|
|
ResponseTypes: responseTypes,
|
|
GrantTypes: grantTypes,
|
|
AppType: app.OIDCAppType(app.OIDCAppType_value[wr.OIDCApp.Spec.AppType]),
|
|
AuthMethodType: app.OIDCAuthMethodType(app.OIDCAuthMethodType_value[wr.OIDCApp.Spec.AuthMethodType]),
|
|
PostLogoutRedirectUris: wr.OIDCApp.Spec.PostLogoutRedirectUris,
|
|
Version: app.OIDCVersion_OIDC_VERSION_1_0,
|
|
DevMode: wr.OIDCApp.Spec.DevMode,
|
|
AccessTokenType: app.OIDCTokenType(app.OIDCTokenType_value[wr.OIDCApp.Spec.AccessTokenType]),
|
|
AccessTokenRoleAssertion: wr.OIDCApp.Spec.AccessTokenRoleAssertion,
|
|
IdTokenRoleAssertion: wr.OIDCApp.Spec.IdTokenRoleAssertion,
|
|
IdTokenUserinfoAssertion: wr.OIDCApp.Spec.IdTokenUserinfoAssertion,
|
|
ClockSkew: durationpb.New(wr.OIDCApp.Spec.ClockSkew.Duration),
|
|
AdditionalOrigins: wr.OIDCApp.Spec.AdditionalOrigins,
|
|
SkipNativeAppSuccessPage: wr.OIDCApp.Spec.SkipNativeAppSuccessPage,
|
|
},
|
|
)
|
|
if err != nil {
|
|
if strings.Contains(err.Error(), "AlreadyExists") {
|
|
return nil
|
|
}
|
|
return fmt.Errorf("error creating OIDCApp in Zitadel: %v", err)
|
|
}
|
|
key := types.NamespacedName{
|
|
Name: wr.OIDCApp.ClientSecretName(),
|
|
Namespace: wr.OIDCApp.Namespace,
|
|
}
|
|
|
|
// client-secret for backwards compatability
|
|
secretData := map[string][]byte{"client-secret": []byte(resp.ClientSecret), "clientSecret": []byte(resp.ClientSecret), "appId": []byte(resp.AppId), "clientId": []byte(resp.ClientId)}
|
|
secret, err := wr.Builder.BuildSecret(builder.SecretOpts{Immutable: false, Zitadel: nil, Key: key, Data: secretData}, wr.OIDCApp)
|
|
if err != nil {
|
|
return fmt.Errorf("error building Secret: %v", err)
|
|
}
|
|
if err := wr.Create(ctx, secret); err != nil {
|
|
return fmt.Errorf("error creating Client-secret Secret: %v", err)
|
|
}
|
|
patch := ctrlClient.MergeFrom(wr.OIDCApp.DeepCopy())
|
|
wr.OIDCApp.Status.AppId = resp.AppId
|
|
wr.OIDCApp.Status.ClientId = resp.ClientId
|
|
return wr.Client.Status().Patch(ctx, wr.OIDCApp, patch)
|
|
}
|
|
|
|
func (wr *wrappedOIDCAppReconciler) PatchStatus(ctx context.Context, patcher condition.Patcher) error {
|
|
patch := client.MergeFrom(wr.OIDCApp.DeepCopy())
|
|
patcher(&wr.OIDCApp.Status)
|
|
|
|
if err := wr.Client.Status().Patch(ctx, wr.OIDCApp, patch); err != nil {
|
|
return fmt.Errorf("error patching OIDCApp status: %v", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// SetupWithManager sets up the controller with the Manager.
|
|
func (r *OIDCAppReconciler) SetupWithManager(mgr ctrl.Manager) error {
|
|
return ctrl.NewControllerManagedBy(mgr).
|
|
For(&zitadelv1alpha1.OIDCApp{}).
|
|
Owns(&corev1.Secret{}).
|
|
WithOptions(controller.Options{RateLimiter: workqueue.NewItemExponentialFailureRateLimiter(time.Millisecond*500, time.Minute*3)}).
|
|
Complete(r)
|
|
}
|