diff --git a/ops/chart/.helmignore b/ops/chart/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/ops/chart/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/ops/chart/Chart.yaml b/ops/chart/Chart.yaml
new file mode 100644
index 0000000..e6b807b
--- /dev/null
+++ b/ops/chart/Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: zitadel-resources-operator
+description: A Helm chart for Kubernetes
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"
diff --git a/ops/chart/crds/action-crd.yaml b/ops/chart/crds/action-crd.yaml
new file mode 100644
index 0000000..d4f7667
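Review bot: `description: A Helm chart for Kubernetes` in Chart.yaml is the unedited `helm create` placeholder and is what `helm search`/`helm show chart` will print; replace it with what the chart ships, e.g. `description: Operator that reconciles Zitadel resources (actions, apps, connections, flows, machine users) declared as Kubernetes CRDs`. Because the CRDs are shipped under `crds/`, Helm applies them only on first install and never upgrades or deletes them on `helm upgrade`/`helm uninstall`, so any later schema change (new enum values, tightened validation) needs its own apply step; a one-line comment in Chart.yaml or the chart README stating that would save operators a surprise.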
--- /dev/null
+++ b/ops/chart/crds/action-crd.yaml
@@ -0,0 +1,173 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: actions.zitadel.github.com +spec: + group: zitadel.github.com + names: + kind: Action + listKind: ActionList + plural: actions + singular: action + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Action is the Schema for the actions API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ActionSpec defines the desired state of Action + properties: + allowedToFail: + default: true + type: boolean + organizationRef: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
+ For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + script: + type: string + timeout: + format: duration + type: string + required: + - allowedToFail + - organizationRef + - script + - timeout + type: object + status: + description: ActionStatus defines the observed state of Action + properties: + actionId: + default: "" + type: string + conditions: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + items: + description: Condition contains details for one aspect of the current + state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + required: + - actionId + type: object + type: object + served: true + storage: true + subresources: + status: {} + 
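Review bot: `spec.organizationRef` is a full core `ObjectReference` (it exposes `namespace`, `uid`, `resourceVersion` and `fieldPath`), so the schema lets an Action in one namespace point at an Organization in another; whether the controller honours `namespace` cannot be seen here, but if it does that is a tenant-boundary crossing, and if it does not the extra fields are misleading. Consider a narrower reference type in the Go API (name only, or name plus namespace with the cross-namespace policy stated) and regenerate; the same applies to `projectRef` in apiapp-crd.yaml, `actionRefs`/`organizationRef` in flow-crd.yaml and `projectRef`/`organizationRef` in machineuser-crd.yaml. The descriptions `INSERT ADDITIONAL SPEC FIELDS - desired state of cluster` and `INSERT ADDITIONAL STATUS FIELD - define observed state of cluster` are kubebuilder scaffold comments that have leaked from the Go types into `kubectl explain` output for every CRD in this commit; replace them at the source, e.g. `// OrganizationRef points at the Organization this action belongs to.` and `// Conditions reports the reconciliation state of this Action.`, then rerun controller-gen.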
diff --git a/ops/chart/crds/apiapp-crd.yaml b/ops/chart/crds/apiapp-crd.yaml
new file mode 100644
index 0000000..3115837
--- /dev/null
+++ b/ops/chart/crds/apiapp-crd.yaml
@@ -0,0 +1,176 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: apiapps.zitadel.github.com +spec: + group: zitadel.github.com + names: + kind: APIApp + listKind: APIAppList + plural: apiapps + singular: apiapp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: APIApp is the Schema for the apiapps API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: APIAppSpec defines the desired state of APIApp + properties: + authMethodType: + enum: + - API_AUTH_METHOD_TYPE_BASIC + - API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT + type: string + projectRef: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
+ For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + required: + - authMethodType + - projectRef + type: object + status: + description: APIAppStatus defines the observed state of APIApp + properties: + appId: + default: "" + type: string + clientId: + default: "" + type: string + conditions: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + items: + description: Condition contains details for one aspect of the current + state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + keyId: + default: "" + type: string + required: + - appId + - clientId + - keyId + type: object + type: object + served: true + storage: true + subresources: + status: {} + 
diff --git a/ops/chart/crds/connection-crd.yaml b/ops/chart/crds/connection-crd.yaml
new file mode 100644
index 0000000..d18b8e0
--- /dev/null
+++ b/ops/chart/crds/connection-crd.yaml
@@ -0,0 +1,239 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: connections.zitadel.github.com +spec: + group: zitadel.github.com + names: + kind: Connection + listKind: ConnectionList + plural: connections + singular: connection + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Connection is the Schema for the connections API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ConnectionSpec defines the desired state of Connection + properties: + authentication: + properties: + jwt: + properties: + jwtSecretKey: + description: SecretKeySelector selects a key of a Secret. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + scopes: + items: + type: string + type: array + required: + - jwtSecretKey + - scopes + type: object + password: + properties: + passwordSecretKey: + description: SecretKeySelector selects a key of a Secret. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + scopes: + items: + type: string + type: array + username: + type: string + required: + - passwordSecretKey + - scopes + - username + type: object + pat: + description: |- + EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! + NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. + properties: + tokenSecretKey: + description: SecretKeySelector selects a key of a Secret. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - tokenSecretKey + type: object + type: object + x-kubernetes-validations: + - message: exactly one of pat, password, or jwt must be specified + rule: '[has(self.pat), has(self.password), has(self.jwt)].filter(x, + x).size() == 1' + host: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + type: string + insecureSkipVerifyTLS: + default: false + type: boolean + port: + type: integer + secure: + default: true + type: boolean + required: + - authentication + - host + - insecureSkipVerifyTLS + - secure + type: object + status: + description: ConnectionStatus defines the observed state of Connection + properties: + conditions: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + Conditions for the Connection object. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + diff --git a/ops/chart/crds/flow-crd.yaml b/ops/chart/crds/flow-crd.yaml new file mode 100644 index 0000000..d893200 --- /dev/null +++ b/ops/chart/crds/flow-crd.yaml 
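Review bot: `spec.port` is declared as a bare `type: integer` with no bounds and `spec.host` is required but accepts the empty string, so an invalid Connection is admitted by the API server and only fails later inside the controller's dial; in the Go type add `// +kubebuilder:validation:Minimum=1` and `// +kubebuilder:validation:Maximum=65535` on `Port` and `// +kubebuilder:validation:MinLength=1` on `Host`, then regenerate. The `pat` description still reads `EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!`, another scaffold comment that ends up in `kubectl explain`; a one-line `// PAT authenticates with a personal access token read from the referenced Secret key.` would replace it. This hunk ends just before the flow-crd.yaml header on the same physical line.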
@@ -0,0 +1,227 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: flows.zitadel.github.com +spec: + group: zitadel.github.com + names: + kind: Flow + listKind: FlowList + plural: flows + singular: flow + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Flow is the Schema for the flows API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: FlowSpec defines the desired state of Flow + properties: + actionRefs: + items: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. 
+ type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + flowType: + enum: + - FLOW_TYPE_EXTERNAL_AUTHENTICATION + - "1" + - "2" + - "3" + - "4" + type: string + organizationRef: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. 
+ type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + triggerType: + enum: + - TRIGGER_TYPE_POST_AUTHENTICATION + - TRIGGER_TYPE_PRE_CREATION + - TRIGGER_TYPE_POST_CREATION + - TRIGGER_TYPE_POST_AUTHENTICATION + - TRIGGER_TYPE_PRE_CREATION + - TRIGGER_TYPE_POST_CREATION + - "1" + - "2" + - "3" + - "4" + - "5" + - "6" + type: string + required: + - actionRefs + - flowType + - organizationRef + - triggerType + type: object + status: + description: FlowStatus defines the observed state of Flow + properties: + conditions: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + diff --git a/ops/chart/crds/machineuser-crd.yaml b/ops/chart/crds/machineuser-crd.yaml new file mode 100644 index 0000000..d3aa46e --- /dev/null +++ b/ops/chart/crds/machineuser-crd.yaml 
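Review bot: the `spec.triggerType` enum lists `TRIGGER_TYPE_POST_AUTHENTICATION`, `TRIGGER_TYPE_PRE_CREATION` and `TRIGGER_TYPE_POST_CREATION` twice each, and both `triggerType` and `flowType` also accept bare numeric strings (`"1"` to `"6"`, `"1"` to `"4"`) next to the symbolic names, presumably mirroring protobuf enum numbers; `flowType` has one symbolic name but four numeric values, so a user reading `kubectl explain` cannot tell what `"3"` means. Drop the duplicates from the `+kubebuilder:validation:Enum` markers and either remove the numeric aliases or document the mapping in the field comment, then regenerate. `spec.actionRefs` is required but has no `minItems`, so `actionRefs: []` passes validation; if a flow without actions is meaningless, `// +kubebuilder:validation:MinItems=1` on `ActionRefs` would reject it at admission.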
@@ -0,0 +1,278 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: machineusers.zitadel.github.com +spec: + group: zitadel.github.com + names: + kind: MachineUser + listKind: MachineUserList + plural: machineusers + singular: machineuser + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MachineUser is the Schema for the machineusers API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: MachineUserSpec defines the desired state of MachineUser + properties: + accessTokenType: + enum: + - ACCESS_TOKEN_TYPE_BEARER + - ACCESS_TOKEN_TYPE_JWT + type: string + authorizations: + items: + properties: + projectRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
+ For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + roleKeys: + items: + type: string + type: array + required: + - projectRef + type: object + type: array + internalPermissions: + items: + properties: + resource: + properties: + instance: + type: object + organization: + properties: + orgId: + type: string + required: + - orgId + type: object + project: + properties: + projectId: + type: string + required: + - projectId + type: object + projectGrant: + properties: + orgId: + type: string + projectId: + type: string + required: + - orgId + - projectId + type: object + type: object + x-kubernetes-validations: + - message: exactly one of organization, instance, project, or + projectGrant must be specified + rule: '[has(self.organization), has(self.instance), has(self.project), + has(self.projectGrant)].filter(x, x).size() == 1' + roles: + items: + type: string + maxItems: 50 + type: array + required: + - resource + type: object + maxItems: 100 + type: array + metadata: + items: + additionalProperties: + type: string + type: object + type: array + organizationRef: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). 
This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + username: + type: string + required: + - accessTokenType + - organizationRef + - username + type: object + status: + description: MachineUserStatus defines the observed state of MachineUser + properties: + conditions: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. 
+ This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + keyId: + type: string + patId: + type: string + userId: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + diff --git a/ops/chart/crds/oidcapp-crd.yaml b/ops/chart/crds/oidcapp-crd.yaml new file mode 100644 index 0000000..6c14017 --- /dev/null +++ b/ops/chart/crds/oidcapp-crd.yaml 
@@ -0,0 +1,242 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: oidcapps.zitadel.github.com +spec: + group: zitadel.github.com + names: + kind: OIDCApp + listKind: OIDCAppList + plural: oidcapps + singular: oidcapp + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: OIDCApp is the Schema for the oidcapps API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: OIDCAppSpec defines the desired state of OIDCApp + properties: + accessTokenRoleAssertion: + type: boolean + accessTokenType: + enum: + - OIDC_TOKEN_TYPE_BEARER + - OIDC_TOKEN_TYPE_JWT + type: string + additionalOrigins: + items: + type: string + type: array + appType: + enum: + - OIDC_APP_TYPE_WEB + - OIDC_APP_TYPE_USER_AGENT + - OIDC_APP_TYPE_NATIVE + type: string + authMethodType: + enum: + - OIDC_AUTH_METHOD_TYPE_BASIC + - OIDC_AUTH_METHOD_TYPE_POST + - OIDC_AUTH_METHOD_TYPE_NONE + - OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT + type: string + backChannelLogoutUri: + type: string + clockSkew: + format: duration + type: string + devMode: + type: boolean + grantTypes: + items: + enum: + - OIDC_GRANT_TYPE_AUTHORIZATION_CODE + - OIDC_GRANT_TYPE_IMPLICIT + - OIDC_GRANT_TYPE_REFRESH_TOKEN + - OIDC_GRANT_TYPE_DEVICE_CODE + - OIDC_GRANT_TYPE_TOKEN_EXCHANGE + type: string + type: array + idTokenRoleAssertion: + type: boolean + idTokenUserinfoAssertion: + type: boolean + oidcAppName: + type: string + postLogoutRedirectUris: + items: + type: string + type: array + projectRef: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
+ For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + redirectUris: + items: + type: string + type: array + responseTypes: + items: + enum: + - OIDC_RESPONSE_TYPE_CODE + - OIDC_RESPONSE_TYPE_ID_TOKEN + - OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN + type: string + type: array + skipNativeAppSuccessPage: + type: boolean + required: + - accessTokenRoleAssertion + - accessTokenType + - appType + - authMethodType + - clockSkew + - devMode + - grantTypes + - idTokenRoleAssertion + - idTokenUserinfoAssertion + - oidcAppName + - postLogoutRedirectUris + - projectRef + - redirectUris + - responseTypes + - skipNativeAppSuccessPage + type: object + status: + description: OIDCAppStatus defines the observed state of OIDCApp + properties: + appId: + type: string + clientId: + type: string + conditions: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + required: + - appId + type: object + type: object + served: true + storage: true + subresources: + status: {} + diff --git a/ops/chart/crds/organization-crd.yaml b/ops/chart/crds/organization-crd.yaml new file mode 100644 index 0000000..08cd6ea --- /dev/null +++ b/ops/chart/crds/organization-crd.yaml 
@@ -0,0 +1,163 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: organizations.zitadel.github.com +spec: + group: zitadel.github.com + names: + kind: Organization + listKind: OrganizationList + plural: organizations + singular: organization + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Organization is the Schema for the organizations API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: OrganizationSpec defines the desired state of Organization + properties: + connectionRef: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
+ For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + organizationName: + type: string + required: + - connectionRef + - organizationName + type: object + status: + description: OrganizationStatus defines the observed state of Organization + properties: + conditions: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + Conditions for the Database object. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. 
+ properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + organizationId: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + 
diff --git a/ops/chart/crds/project-crd.yaml b/ops/chart/crds/project-crd.yaml new file mode 100644 index 0000000..bbecd29 --- /dev/null +++ b/ops/chart/crds/project-crd.yaml 
@@ -0,0 +1,239 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.17.3 + name: projects.zitadel.github.com +spec: + group: zitadel.github.com + names: + kind: Project + listKind: ProjectList + plural: projects + singular: project + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Project is the Schema for the projects API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ProjectSpec defines the desired state of Project + properties: + grants: + items: + properties: + organizationRef: + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). 
This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + roleKeys: + items: + type: string + type: array + required: + - organizationRef + - roleKeys + type: object + type: array + hasProjectCheck: + type: boolean + organizationRef: + description: |- + INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file + https://zitadel.com/docs/apis/resources/mgmt/management-service-add-project + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
+ For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + projectName: + type: string + projectRoleAssertion: + type: boolean + projectRoleCheck: + type: boolean + roles: + items: + properties: + displayName: + type: string + group: + type: string + key: + type: string + required: + - displayName + - group + - key + type: object + type: array + required: + - organizationRef + - projectName + type: object + status: + description: ProjectStatus defines the observed state of Project + properties: + conditions: + description: |- + INSERT ADDITIONAL STATUS FIELD - define observed state of cluster + Important: Run "make" to regenerate code after modifying this file + Conditions for the Database object. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + projectId: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} + diff --git a/ops/chart/templates/_helpers.tpl b/ops/chart/templates/_helpers.tpl new file mode 100644 index 0000000..cff92e6 --- /dev/null +++ b/ops/chart/templates/_helpers.tpl 
@@ -0,0 +1,65 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "zitadel-resources-operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "zitadel-resources-operator.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "zitadel-resources-operator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "zitadel-resources-operator.labels" -}} +helm.sh/chart: {{ include "zitadel-resources-operator.chart" . }} +{{ include "zitadel-resources-operator.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "zitadel-resources-operator.selectorLabels" -}} +app.kubernetes.io/name: {{ include "zitadel-resources-operator.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "zitadel-resources-operator.serviceAccountName" -}} +{{- $default := (include "zitadel-resources-operator.fullname" .) 
}} +{{- with .Values.serviceAccount }} +{{- if .create }} +{{- default $default .name }} +{{- else }} +{{- default "default" .name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/ops/chart/templates/connection-editor-rbac.yaml b/ops/chart/templates/connection-editor-rbac.yaml new file mode 100644 index 0000000..ee62378 --- /dev/null +++ b/ops/chart/templates/connection-editor-rbac.yaml @@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "zitadel-resources-operator.fullname" . }}-connection-editor-role + labels: + {{- include "zitadel-resources-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - zitadel.github.com + resources: + - connections + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - zitadel.github.com + resources: + - connections/status + verbs: + - get diff --git a/ops/chart/templates/connection-viewer-rbac.yaml b/ops/chart/templates/connection-viewer-rbac.yaml new file mode 100644 index 0000000..bc01e2d --- /dev/null +++ b/ops/chart/templates/connection-viewer-rbac.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "zitadel-resources-operator.fullname" . }}-connection-viewer-role + labels: + {{- include "zitadel-resources-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - zitadel.github.com + resources: + - connections + verbs: + - get + - list + - watch +- apiGroups: + - zitadel.github.com + resources: + - connections/status + verbs: + - get diff --git a/ops/chart/templates/deployment.yaml b/ops/chart/templates/deployment.yaml new file mode 100644 index 0000000..e3b53c0 --- /dev/null +++ b/ops/chart/templates/deployment.yaml 
@@ -0,0 +1,90 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "zitadel-resources-operator.fullname" . }}-controller-manager + labels: + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: src + app.kubernetes.io/part-of: src + control-plane: controller-manager + {{- include "zitadel-resources-operator.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.controllerManager.replicas }} + selector: + matchLabels: + control-plane: controller-manager + {{- include "zitadel-resources-operator.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + control-plane: controller-manager + {{- include "zitadel-resources-operator.selectorLabels" . | nindent 8 }} + annotations: + kubectl.kubernetes.io/default-container: manager + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + containers: + - args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent 8 }} + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: {{ quote .Values.kubernetesClusterDomain }} + image: {{ .Values.controllerManager.kubeRbacProxy.image.repository }}:{{ .Values.controllerManager.kubeRbacProxy.image.tag + | default .Chart.AppVersion }} + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent + 10 }} + securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext + | nindent 10 }} + - args: {{- toYaml .Values.controllerManager.manager.args | nindent 8 }} + command: + - /manager + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: {{ quote .Values.kubernetesClusterDomain }} + image: {{ .Values.controllerManager.manager.image.repository }}:{{ 
.Values.controllerManager.manager.image.tag + | default .Chart.AppVersion }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10 + }} + securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext + | nindent 10 }} + nodeSelector: {{- toYaml .Values.controllerManager.nodeSelector | nindent 8 }} + securityContext: {{- toYaml .Values.controllerManager.podSecurityContext | nindent + 8 }} + serviceAccountName: {{ include "zitadel-resources-operator.serviceAccountName" . + }} + terminationGracePeriodSeconds: 10 + tolerations: {{- toYaml .Values.controllerManager.tolerations | nindent 8 }} + topologySpreadConstraints: {{- toYaml .Values.controllerManager.topologySpreadConstraints + | nindent 8 }} diff --git a/ops/chart/templates/leader-election-rbac.yaml b/ops/chart/templates/leader-election-rbac.yaml new file mode 100644 index 0000000..33469ab --- /dev/null +++ b/ops/chart/templates/leader-election-rbac.yaml 
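Review bot: The kube-rbac-proxy container's image tag falls back to the operator's own release (`| default .Chart.AppVersion` on the kube-rbac-proxy `image:` line), so an unset `controllerManager.kubeRbacProxy.image.tag` most likely resolves to a tag that does not exist for that image and the pod fails only at pull time. Give the proxy container an explicit default tag in values.yaml, or drop the fallback for that container so a missing tag surfaces at template time. The manager container's fallback to `.Chart.AppVersion` is fine, since that is the image this chart actually versions. Also note that the kubebuilder-hosted kube-rbac-proxy image has been discontinued upstream and newer scaffolds protect /metrics with controller-runtime's built-in authn/authz filters, so it is worth verifying that the configured repository is still maintained before shipping.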
@@ -0,0 +1,59 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "zitadel-resources-operator.fullname" . }}-leader-election-role + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: src + app.kubernetes.io/part-of: src + {{- include "zitadel-resources-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "zitadel-resources-operator.fullname" . }}-leader-election-rolebinding + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: src + app.kubernetes.io/part-of: src + {{- include "zitadel-resources-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: '{{ include "zitadel-resources-operator.fullname" . }}-leader-election-role' +subjects: +- kind: ServiceAccount + name: '{{ include "zitadel-resources-operator.serviceAccountName" . }}' + namespace: '{{ .Release.Namespace }}' diff --git a/ops/chart/templates/manager-rbac.yaml b/ops/chart/templates/manager-rbac.yaml new file mode 100644 index 0000000..e72dd10 --- /dev/null +++ b/ops/chart/templates/manager-rbac.yaml 
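Review bot: The leader-election Role grants full write verbs (`create`, `update`, `patch`, `delete`) on `configmaps` alongside the same verbs on `coordination.k8s.io/leases`, but controller-runtime's default Lease-based resource lock needs only the leases rule; the configmaps rule hands the manager's service account write access to every ConfigMap in the release namespace for no functional gain. Unless the manager is explicitly started with the legacy ConfigMap or multilock resource lock, drop the `configmaps` rule and keep the `leases` and `events` rules. The manager's arguments come from values and are not visible here, so confirm the lock type before removing it.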
@@ -0,0 +1,95 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "zitadel-resources-operator.fullname" . }}-manager-role
+ labels:
+ {{- include "zitadel-resources-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - list
+ - patch
+ - watch
+- apiGroups:
+ - zitadel.github.com
+ resources:
+ - connections
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - zitadel.github.com
+ resources:
+ - connections/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - zitadel.github.com
+ resources:
+ - connections/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - zitadel.topmanage.com
+ resources:
+ - machineusers
+ - oidcapps
+ - organizations
+ - projects
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - zitadel.topmanage.com
+ resources:
+ - machineusers/finalizers
+ - oidcapps/finalizers
+ - organizations/finalizers
+ - projects/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - zitadel.topmanage.com
+ resources:
+ - machineusers/status
+ - oidcapps/status
+ - organizations/status
+ - projects/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "zitadel-resources-operator.fullname" . }}-manager-rolebinding
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: src
+ app.kubernetes.io/part-of: src
+ {{- include "zitadel-resources-operator.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: '{{ include "zitadel-resources-operator.fullname" . }}-manager-role'
+subjects:
+- kind: ServiceAccount
+ name: '{{ include "zitadel-resources-operator.serviceAccountName" . }}'
+ namespace: '{{ .Release.Namespace }}'
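Review bot: The rules for machineusers, oidcapps, organizations and projects are granted under the API group `zitadel.topmanage.com`, while the connections rules and the CRD file touched by this same commit (`src/config/crd/bases/zitadel.github.com_machineusers.yaml`) use `zitadel.github.com`; if those kinds are registered under `zitadel.github.com`, the manager would have no permission on them and its informers would fail with forbidden errors. The stray group most likely comes from a `+kubebuilder:rbac` marker in the renamed controller files that was not updated, so correcting the marker and regenerating is the durable fix; the same rules are emitted into `src/config/rbac/role.yaml` later in this diff. Separately, the core `secrets` rule sits on a ClusterRole, so the operator can list and watch every Secret in every namespace; if it only needs the Secrets it creates, a namespaced Role or a label-selected manager cache would keep the grant aligned with actual use.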
diff --git a/ops/chart/templates/metrics-reader-rbac.yaml b/ops/chart/templates/metrics-reader-rbac.yaml
new file mode 100644
index 0000000..4815551
--- /dev/null
+++ b/ops/chart/templates/metrics-reader-rbac.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "zitadel-resources-operator.fullname" . }}-metrics-reader
+ labels:
+ app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/created-by: src
+ app.kubernetes.io/part-of: src
+ {{- include "zitadel-resources-operator.labels" . | nindent 4 }}
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
diff --git a/ops/chart/templates/metrics-service.yaml b/ops/chart/templates/metrics-service.yaml
new file mode 100644
index 0000000..d56fbaa
--- /dev/null
+++ b/ops/chart/templates/metrics-service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "zitadel-resources-operator.fullname" . }}-controller-manager-metrics-service
+ labels:
+ app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/created-by: src
+ app.kubernetes.io/part-of: src
+ control-plane: controller-manager
+ {{- include "zitadel-resources-operator.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.metricsService.type }}
+ selector:
+ control-plane: controller-manager
+ {{- include "zitadel-resources-operator.selectorLabels" . | nindent 4 }}
+ ports:
+ {{- .Values.metricsService.ports | toYaml | nindent 2 }}
diff --git a/ops/chart/templates/proxy-rbac.yaml b/ops/chart/templates/proxy-rbac.yaml
new file mode 100644
index 0000000..f4963f8
--- /dev/null
+++ b/ops/chart/templates/proxy-rbac.yaml
@@ -0,0 +1,40 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "zitadel-resources-operator.fullname" . }}-proxy-role
+ labels:
+ app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/created-by: src
+ app.kubernetes.io/part-of: src
+ {{- include "zitadel-resources-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "zitadel-resources-operator.fullname" . }}-proxy-rolebinding
+ labels:
+ app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/created-by: src
+ app.kubernetes.io/part-of: src
+ {{- include "zitadel-resources-operator.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: '{{ include "zitadel-resources-operator.fullname" . }}-proxy-role'
+subjects:
+- kind: ServiceAccount
+ name: '{{ include "zitadel-resources-operator.serviceAccountName" . }}'
+ namespace: '{{ .Release.Namespace }}'
diff --git a/ops/chart/templates/serviceaccount.yaml b/ops/chart/templates/serviceaccount.yaml
new file mode 100644
index 0000000..0bab4fd
--- /dev/null
+++ b/ops/chart/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{ if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "zitadel-resources-operator.serviceAccountName" . }}
+ labels:
+ {{- include "zitadel-resources-operator.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
diff --git a/ops/chart/values.yaml b/ops/chart/values.yaml
new file mode 100644
index 0000000..4be59d2
--- /dev/null
+++ b/ops/chart/values.yaml
@@ -0,0 +1,61 @@
+controllerManager:
+ kubeRbacProxy:
+ args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=0
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ image:
+ repository: gcr.io/kubebuilder/kube-rbac-proxy
+ tag: v0.13.1
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 5m
+ memory: 64Mi
+ manager:
+ args:
+ - --health-probe-bind-address=:8081
+ - --metrics-bind-address=127.0.0.1:8080
+ - --leader-elect
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ image:
+ repository: controller
+ tag: latest
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ nodeSelector: {}
+ podSecurityContext:
+ runAsNonRoot: true
+ replicas: 1
+ tolerations: []
+ topologySpreadConstraints: []
+kubernetesClusterDomain: cluster.local
+metricsService:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: https
+ type: ClusterIP
+serviceAccount:
+ annotations: {}
+ automount: true
+ create: true
+ name: ""
diff --git a/src/api/v1alpha1/machineuser_types.go b/src/api/v1alpha1/machineuser_types.go
index 655a9a6..312fa6b 100644
--- a/src/api/v1alpha1/machineuser_types.go
+++ b/src/api/v1alpha1/machineuser_types.go
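Review bot: `controllerManager.manager.image.tag: latest` is a mutable tag, so an install from default values is not reproducible and silently follows whatever was pushed last; the deployment template earlier in this diff already falls back to `.Chart.AppVersion` when the tag is empty, so `tag: ""` (or a digest) would pin it to the chart's `appVersion`. The `gcr.io/kubebuilder/kube-rbac-proxy` image has been deprecated by the kubebuilder project, so the sidecar reference should move to a maintained source before users depend on this chart. The container security contexts drop all capabilities and forbid privilege escalation but set neither `readOnlyRootFilesystem: true` nor a `seccompProfile` of type `RuntimeDefault` under `podSecurityContext`, both of which the restricted Pod Security Standard requires; adding them lets the chart deploy into `restricted` namespaces without per-cluster exceptions.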
@@ -44,14 +44,14 @@ type ProjectGrantResource struct { OrgID string `json:"orgId"` } -type ConnectionResource struct{} +type InstanceResource struct{} -// +kubebuilder:validation:XValidation:rule="[has(self.organization), has(self.connection), has(self.project), has(self.projectGrant)].filter(x, x).size() == 1",message="exactly one of organization, connection, project, or projectGrant must be specified" +// +kubebuilder:validation:XValidation:rule="[has(self.organization), has(self.instance), has(self.project), has(self.projectGrant)].filter(x, x).size() == 1",message="exactly one of organization, instance, project, or projectGrant must be specified" type Resource struct { // +optional Organization *OrganizationResource `json:"organization,omitempty"` // +optional - Connection *ConnectionResource `json:"connection,omitempty"` + Instance *InstanceResource `json:"instance,omitempty"` // +optional Project *ProjectResource `json:"project,omitempty"` // +optional diff --git a/src/api/v1alpha1/zz_generated.deepcopy.go b/src/api/v1alpha1/zz_generated.deepcopy.go index 6a8e9f0..4016be4 100644 --- a/src/api/v1alpha1/zz_generated.deepcopy.go +++ b/src/api/v1alpha1/zz_generated.deepcopy.go @@ -366,21 +366,6 @@ func (in *ConnectionRef) DeepCopy() *ConnectionRef { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ConnectionResource) DeepCopyInto(out *ConnectionResource) { - *out = *in -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectionResource. -func (in *ConnectionResource) DeepCopy() *ConnectionResource { - if in == nil { - return nil - } - out := new(ConnectionResource) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ConnectionSpec) DeepCopyInto(out *ConnectionSpec) { *out = *in 
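Review bot: Renaming the JSON field `connection` to `instance` inside the same `v1alpha1` version is a breaking schema change: once the updated CRD is applied, a stored MachineUser whose `resource.connection` was set has that field pruned, and the CEL rule `exactly one of organization, instance, project, or projectGrant must be specified` would then reject the object on its next update with no conversion path. If objects may already exist, keep a deprecated `Connection *ConnectionResource \`json:"connection,omitempty"\`` alongside `Instance` and accept either in the rule, or introduce a new API version instead. The rename is otherwise consistent with the CRD and deepcopy hunks in this commit; the rest of `Resource` (the `ProjectGrant` field) lies outside the hunk.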
@@ -547,6 +532,21 @@ func (in *Grant) DeepCopy() *Grant { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *InstanceResource) DeepCopyInto(out *InstanceResource) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceResource. +func (in *InstanceResource) DeepCopy() *InstanceResource { + if in == nil { + return nil + } + out := new(InstanceResource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *InternalPermissions) DeepCopyInto(out *InternalPermissions) { *out = *in @@ -1198,9 +1198,9 @@ func (in *Resource) DeepCopyInto(out *Resource) { *out = new(OrganizationResource) **out = **in } - if in.Connection != nil { - in, out := &in.Connection, &out.Connection - *out = new(ConnectionResource) + if in.Instance != nil { + in, out := &in.Instance, &out.Instance + *out = new(InstanceResource) **out = **in } if in.Project != nil { diff --git a/src/cmd/main.go b/src/cmd/main.go index f8de394..78063f3 100644 --- a/src/cmd/main.go +++ b/src/cmd/main.go @@ -48,6 +48,7 @@ var ( func init() { utilruntime.Must(clientgoscheme.AddToScheme(scheme)) + utilruntime.Must(zitadelv1alpha1.AddToScheme(scheme)) //+kubebuilder:scaffold:scheme } @@ -73,7 +74,7 @@ func main() { Metrics: server.Options{BindAddress: metricsAddr}, HealthProbeBindAddress: probeAddr, LeaderElection: enableLeaderElection, - LeaderElectionID: "88a0b43c.github.com", + LeaderElectionID: "r8a0b43c.github.com", // LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily // when the Manager ends. This requires the binary to immediately end when the // Manager is stopped, otherwise, this setting is unsafe. Setting this significantly 
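Review bot: Changing `LeaderElectionID` from `"88a0b43c.github.com"` to `"r8a0b43c.github.com"` means old and new binaries no longer contend for the same Lease, so during a rolling upgrade one pod of each version can hold leadership at once and reconcile the same objects concurrently. The original value looks like a generated hex identifier, so the leading `r` reads as a stray keystroke; if the change is intentional it deserves a comment explaining the migration, otherwise revert it. The `zitadelv1alpha1.AddToScheme` registration in the `init` hunk is the right fix for the custom types and needs no further change. Both hunks are inside functions (`init` and `main`) whose bodies continue outside the hunk.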
@@ -98,7 +99,7 @@ func main() { requeueZitadel := 5 * time.Minute if err = controller.NewConnectionReconciler(client, refResolver, builder, conditionReady, requeueZitadel).SetupWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create controller", "controller", "Organization") + setupLog.Error(err, "unable to create controller", "controller", "Connection") os.Exit(1) } diff --git a/src/config/crd/bases/zitadel.github.com_machineusers.yaml b/src/config/crd/bases/zitadel.github.com_machineusers.yaml index ac92fb4..d74c715 100644 --- a/src/config/crd/bases/zitadel.github.com_machineusers.yaml +++ b/src/config/crd/bases/zitadel.github.com_machineusers.yaml @@ -102,7 +102,7 @@ spec: properties: resource: properties: - connection: + instance: type: object organization: properties: @@ -130,9 +130,9 @@ spec: type: object type: object x-kubernetes-validations: - - message: exactly one of organization, connection, project, - or projectGrant must be specified - rule: '[has(self.organization), has(self.connection), has(self.project), + - message: exactly one of organization, instance, project, or + projectGrant must be specified + rule: '[has(self.organization), has(self.instance), has(self.project), has(self.projectGrant)].filter(x, x).size() == 1' roles: items: diff --git a/src/config/rbac/role.yaml b/src/config/rbac/role.yaml index db3b9d6..70c5c32 100644 --- a/src/config/rbac/role.yaml +++ b/src/config/rbac/role.yaml @@ -4,6 +4,15 @@ kind: ClusterRole metadata: name: manager-role rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - list + - patch + - watch - apiGroups: - zitadel.github.com resources: 
@@ -30,3 +39,38 @@ rules: - get - patch - update +- apiGroups: + - zitadel.topmanage.com + resources: + - machineusers + - oidcapps + - organizations + - projects + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - zitadel.topmanage.com + resources: + - machineusers/finalizers + - oidcapps/finalizers + - organizations/finalizers + - projects/finalizers + verbs: + - update +- apiGroups: + - zitadel.topmanage.com + resources: + - machineusers/status + - oidcapps/status + - organizations/status + - projects/status + verbs: + - get + - patch + - update diff --git a/src/internal/controller/connection_controller.go b/src/internal/controller/connection_controller.go index a80b238..6e88ec3 100644 --- a/src/internal/controller/connection_controller.go +++ b/src/internal/controller/connection_controller.go @@ -56,6 +56,7 @@ func NewConnectionReconciler(client client.Client, refResolver *zitadelv1alpha1. //+kubebuilder:rbac:groups=zitadel.github.com,resources=connections,verbs=get;list;watch;create;update;patch;delete //+kubebuilder:rbac:groups=zitadel.github.com,resources=connections/status,verbs=get;update;patch //+kubebuilder:rbac:groups=zitadel.github.com,resources=connections/finalizers,verbs=update +// +kubebuilder:rbac:groups="",resources=secrets,verbs=list;watch;create;patch // Reconcile is part of the main kubernetes reconciliation loop which aims to // move the current state of the cluster closer to the desired state. diff --git a/src/internal/controller/instance_controller_test.gold b/src/internal/controller/instance_controller_test.gold deleted file mode 100644 index 0ab5c63..0000000 --- a/src/internal/controller/instance_controller_test.gold +++ /dev/null 
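Review bot: The new marker in connection_controller.go is written `// +kubebuilder:rbac:...` while the three markers directly above it use `//+kubebuilder:rbac:...`; controller-gen accepts both spellings, but mixing them in one comment block reads as accidental, so use `//+kubebuilder:rbac:groups="",resources=secrets,verbs=list;watch;create;patch` to match. The verb list omits `get` while granting `list;watch`, which is consistent for a cache-backed client but surprises readers, so a one-line comment such as `// reads go through the manager cache, so only list/watch are needed` would document the intent. The `Reconcile` method these markers annotate begins after the hunk.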
@@ -1,84 +0,0 @@ -/* -Copyright 2024. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package controller - -import ( - "context" - - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/types" - "sigs.k8s.io/controller-runtime/pkg/reconcile" - - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - zitadelv1alpha1 "github.com/HaimKortovich/zitadel-k8s-operator/api/v1alpha1" -) - -var _ = Describe("ZitadelInstance Controller", func() { - Context("When reconciling a resource", func() { - const resourceName = "test-resource" - - ctx := context.Background() - - typeNamespacedName := types.NamespacedName{ - Name: resourceName, - Namespace: "default", // TODO(user):Modify as needed - } - zitadelinstance := &zitadelv1alpha1.ZitadelInstance{} - - BeforeEach(func() { - By("creating the custom resource for the Kind ZitadelInstance") - err := k8sClient.Get(ctx, typeNamespacedName, zitadelinstance) - if err != nil && errors.IsNotFound(err) { - resource := &zitadelv1alpha1.ZitadelInstance{ - ObjectMeta: metav1.ObjectMeta{ - Name: resourceName, - Namespace: "default", - }, - // TODO(user): Specify other spec details if needed. - } - Expect(k8sClient.Create(ctx, resource)).To(Succeed()) - } - }) - - AfterEach(func() { - // TODO(user): Cleanup logic after each test, like removing the resource instance. 
- resource := &zitadelv1alpha1.ZitadelInstance{} - err := k8sClient.Get(ctx, typeNamespacedName, resource) - Expect(err).NotTo(HaveOccurred()) - - By("Cleanup the specific resource instance ZitadelInstance") - Expect(k8sClient.Delete(ctx, resource)).To(Succeed()) - }) - It("should successfully reconcile the resource", func() { - By("Reconciling the created resource") - controllerReconciler := &ZitadelInstanceReconciler{ - Client: k8sClient, - Scheme: k8sClient.Scheme(), - } - - _, err := controllerReconciler.Reconcile(ctx, reconcile.Request{ - NamespacedName: typeNamespacedName, - }) - Expect(err).NotTo(HaveOccurred()) - // TODO(user): Add more specific assertions depending on your controller's reconciliation logic. - // Example: If you expect a certain status condition after reconciliation, verify it here. - }) - }) -}) diff --git a/src/internal/controller/machineuser_controller.gold b/src/internal/controller/machineuser_controller.go similarity index 97% rename from src/internal/controller/machineuser_controller.gold rename to src/internal/controller/machineuser_controller.go index 2f5c82b..655f5d7 100644 --- a/src/internal/controller/machineuser_controller.gold +++ b/src/internal/controller/machineuser_controller.go 
@@ -6,10 +6,10 @@ import ( "slices" "time" - zitadelv1alpha1 "github.com/HaimKortovich/zitadel-k8s-operator/api/v1alpha1" - "github.com/HaimKortovich/zitadel-k8s-operator/pkg/builder" - condition "github.com/HaimKortovich/zitadel-k8s-operator/pkg/condition" - "github.com/HaimKortovich/zitadel-k8s-operator/pkg/controller/core" + zitadelv1alpha1 "github.com/HaimKortovich/zitadel-resources-operator/api/v1alpha1" + "github.com/HaimKortovich/zitadel-resources-operator/pkg/builder" + condition "github.com/HaimKortovich/zitadel-resources-operator/pkg/condition" + "github.com/HaimKortovich/zitadel-resources-operator/pkg/controller/core" clientv2 "github.com/zitadel/zitadel-go/v3/pkg/client" "github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/filter/v2" "github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/internal_permission/v2" diff --git a/src/internal/controller/machineuser_controller_finalizer.gold b/src/internal/controller/machineuser_controller_finalizer.go similarity index 93% rename from src/internal/controller/machineuser_controller_finalizer.gold rename to src/internal/controller/machineuser_controller_finalizer.go index 43c445b..fd144c9 100644 --- a/src/internal/controller/machineuser_controller_finalizer.gold +++ b/src/internal/controller/machineuser_controller_finalizer.go @@ -1,8 +1,8 @@ package controller import ( - zitadelv1alpha1 "github.com/HaimKortovich/zitadel-k8s-operator/api/v1alpha1" - "github.com/HaimKortovich/zitadel-k8s-operator/pkg/controller/core" + zitadelv1alpha1 "github.com/HaimKortovich/zitadel-resources-operator/api/v1alpha1" + "github.com/HaimKortovich/zitadel-resources-operator/pkg/controller/core" "context" "fmt" diff --git a/src/internal/controller/oidcapp_controller.gold b/src/internal/controller/oidcapp_controller.go similarity index 96% rename from src/internal/controller/oidcapp_controller.gold rename to src/internal/controller/oidcapp_controller.go index 6976eec..2e2c3e4 100644 --- a/src/internal/controller/oidcapp_controller.gold 
+++ b/src/internal/controller/oidcapp_controller.go @@ -21,10 +21,10 @@ import ( "fmt" "time" - zitadelv1alpha1 "github.com/HaimKortovich/zitadel-k8s-operator/api/v1alpha1" - "github.com/HaimKortovich/zitadel-k8s-operator/pkg/builder" - condition "github.com/HaimKortovich/zitadel-k8s-operator/pkg/condition" - "github.com/HaimKortovich/zitadel-k8s-operator/pkg/controller/core" + zitadelv1alpha1 "github.com/HaimKortovich/zitadel-resources-operator/api/v1alpha1" + "github.com/HaimKortovich/zitadel-resources-operator/pkg/builder" + condition "github.com/HaimKortovich/zitadel-resources-operator/pkg/condition" + "github.com/HaimKortovich/zitadel-resources-operator/pkg/controller/core" clientv2 "github.com/zitadel/zitadel-go/v3/pkg/client" "github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/application/v2" "github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/filter/v2" @@ -191,7 +191,7 @@ func (wr *wrappedOIDCAppReconciler) Reconcile(ctx context.Context, ztdClient *cl } secretData := map[string][]byte{"clientSecret": []byte(resp.GetApiConfiguration().ClientSecret), "appId": []byte(resp.ApplicationId), "clientId": []byte(resp.GetApiConfiguration().ClientId)} - secret, err := wr.Builder.BuildSecret(builder.SecretOpts{Immutable: false, Zitadel: nil, Key: key, Data: secretData}, wr.OIDCApp) + secret, err := wr.Builder.BuildSecret(builder.SecretOpts{Immutable: false, Key: key, Data: secretData}, wr.OIDCApp) if err != nil { return fmt.Errorf("error building Secret: %v", err) } diff --git a/src/internal/controller/oidcapp_controller_finalizer.gold b/src/internal/controller/oidcapp_controller_finalizer.go similarity index 93% rename from src/internal/controller/oidcapp_controller_finalizer.gold rename to src/internal/controller/oidcapp_controller_finalizer.go index 869405e..6a14529 100644 --- a/src/internal/controller/oidcapp_controller_finalizer.gold +++ b/src/internal/controller/oidcapp_controller_finalizer.go 
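Review bot: The context line just below the changed `BuildSecret` call wraps with `fmt.Errorf("error building Secret: %v", err)`, which flattens the error and prevents callers from using `errors.Is`/`errors.As` on it; since this code is being reworked, change it to `return fmt.Errorf("building Secret: %w", err)`. Dropping `Zitadel: nil` from the `builder.SecretOpts` literal is behaviour-neutral because it was the zero value, though if the field was removed from the struct in this commit that change is not visible in this diff. The enclosing `Reconcile` method starts and ends outside the hunk.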
@@ -3,8 +3,8 @@ package controller import ( "strings" - zitadelv1alpha1 "github.com/HaimKortovich/zitadel-k8s-operator/api/v1alpha1" - "github.com/HaimKortovich/zitadel-k8s-operator/pkg/controller/core" + zitadelv1alpha1 "github.com/HaimKortovich/zitadel-resources-operator/api/v1alpha1" + "github.com/HaimKortovich/zitadel-resources-operator/pkg/controller/core" "context" "fmt" diff --git a/src/internal/controller/organization_controller.gold b/src/internal/controller/organization_controller.go similarity index 95% rename from src/internal/controller/organization_controller.gold rename to src/internal/controller/organization_controller.go index 376566a..cdd2053 100644 --- a/src/internal/controller/organization_controller.gold +++ b/src/internal/controller/organization_controller.go @@ -21,9 +21,9 @@ import ( "fmt" "time" - zitadelv1alpha1 "github.com/HaimKortovich/zitadel-k8s-operator/api/v1alpha1" - condition "github.com/HaimKortovich/zitadel-k8s-operator/pkg/condition" - "github.com/HaimKortovich/zitadel-k8s-operator/pkg/controller/core" + zitadelv1alpha1 "github.com/HaimKortovich/zitadel-resources-operator/api/v1alpha1" + condition "github.com/HaimKortovich/zitadel-resources-operator/pkg/condition" + "github.com/HaimKortovich/zitadel-resources-operator/pkg/controller/core" clientv2 "github.com/zitadel/zitadel-go/v3/pkg/client" "github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/object/v2" "github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/org/v2" diff --git a/src/internal/controller/organization_controller_finalizer.gold b/src/internal/controller/organization_controller_finalizer.go similarity index 93% rename from src/internal/controller/organization_controller_finalizer.gold rename to src/internal/controller/organization_controller_finalizer.go index e3af8a9..5cb9c0e 100644 --- a/src/internal/controller/organization_controller_finalizer.gold +++ b/src/internal/controller/organization_controller_finalizer.go 
@@ -1,8 +1,8 @@ package controller import ( - zitadelv1alpha1 "github.com/HaimKortovich/zitadel-k8s-operator/api/v1alpha1" - "github.com/HaimKortovich/zitadel-k8s-operator/pkg/controller/core" + zitadelv1alpha1 "github.com/HaimKortovich/zitadel-resources-operator/api/v1alpha1" + "github.com/HaimKortovich/zitadel-resources-operator/pkg/controller/core" "context" "fmt" diff --git a/src/internal/controller/project_controller.gold b/src/internal/controller/project_controller.go similarity index 97% rename from src/internal/controller/project_controller.gold rename to src/internal/controller/project_controller.go index be7ee70..616c6a7 100644 --- a/src/internal/controller/project_controller.gold +++ b/src/internal/controller/project_controller.go @@ -23,9 +23,9 @@ import ( "sort" "time" - zitadelv1alpha1 "github.com/HaimKortovich/zitadel-k8s-operator/api/v1alpha1" - condition "github.com/HaimKortovich/zitadel-k8s-operator/pkg/condition" - "github.com/HaimKortovich/zitadel-k8s-operator/pkg/controller/core" + zitadelv1alpha1 "github.com/HaimKortovich/zitadel-resources-operator/api/v1alpha1" + condition "github.com/HaimKortovich/zitadel-resources-operator/pkg/condition" + "github.com/HaimKortovich/zitadel-resources-operator/pkg/controller/core" clientv2 "github.com/zitadel/zitadel-go/v3/pkg/client" "github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/filter/v2" diff --git a/src/internal/controller/project_controller_finalizer.gold b/src/internal/controller/project_controller_finalizer.go similarity index 93% rename from src/internal/controller/project_controller_finalizer.gold rename to src/internal/controller/project_controller_finalizer.go index 06cc01c..402ea33 100644 --- a/src/internal/controller/project_controller_finalizer.gold +++ b/src/internal/controller/project_controller_finalizer.go 
@@ -1,8 +1,8 @@ package controller import ( - zitadelv1alpha1 "github.com/HaimKortovich/zitadel-k8s-operator/api/v1alpha1" - "github.com/HaimKortovich/zitadel-k8s-operator/pkg/controller/core" + zitadelv1alpha1 "github.com/HaimKortovich/zitadel-resources-operator/api/v1alpha1" + "github.com/HaimKortovich/zitadel-resources-operator/pkg/controller/core" "context" "fmt"