Init commit
This commit is contained in:
263
src/internal/controller/oidcapp_controller.gold
Normal file
263
src/internal/controller/oidcapp_controller.gold
Normal file
@@ -0,0 +1,263 @@
|
||||
/*
|
||||
Copyright 2024.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package controller
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
zitadelv1alpha1 "github.com/HaimKortovich/zitadel-k8s-operator/api/v1alpha1"
|
||||
"github.com/HaimKortovich/zitadel-k8s-operator/pkg/builder"
|
||||
condition "github.com/HaimKortovich/zitadel-k8s-operator/pkg/condition"
|
||||
"github.com/HaimKortovich/zitadel-k8s-operator/pkg/controller/core"
|
||||
clientv2 "github.com/zitadel/zitadel-go/v3/pkg/client"
|
||||
"github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/application/v2"
|
||||
"github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/filter/v2"
|
||||
durationpb "google.golang.org/protobuf/types/known/durationpb"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/client-go/util/workqueue"
|
||||
"k8s.io/utils/ptr"
|
||||
ctrl "sigs.k8s.io/controller-runtime"
|
||||
"sigs.k8s.io/controller-runtime/pkg/client"
|
||||
ctrlClient "sigs.k8s.io/controller-runtime/pkg/client"
|
||||
"sigs.k8s.io/controller-runtime/pkg/controller"
|
||||
"sigs.k8s.io/controller-runtime/pkg/reconcile"
|
||||
)
|
||||
|
||||
// OIDCAppReconciler reconciles a OIDCApp object
|
||||
type OIDCAppReconciler struct {
|
||||
client.Client
|
||||
RefResolver *zitadelv1alpha1.RefResolver
|
||||
ConditionReady *condition.Ready
|
||||
RequeueInterval time.Duration
|
||||
Builder *builder.Builder
|
||||
}
|
||||
|
||||
func NewOIDCAppReconciler(client client.Client, refResolver *zitadelv1alpha1.RefResolver, builder *builder.Builder, conditionReady *condition.Ready,
|
||||
requeueInterval time.Duration) *OIDCAppReconciler {
|
||||
return &OIDCAppReconciler{
|
||||
Client: client,
|
||||
RefResolver: refResolver,
|
||||
ConditionReady: conditionReady,
|
||||
RequeueInterval: requeueInterval,
|
||||
Builder: builder,
|
||||
}
|
||||
}
|
||||
|
||||
//+kubebuilder:rbac:groups=zitadel.topmanage.com,resources=oidcapps,verbs=get;list;watch;create;update;patch;delete
|
||||
//+kubebuilder:rbac:groups=zitadel.topmanage.com,resources=oidcapps/status,verbs=get;update;patch
|
||||
//+kubebuilder:rbac:groups=zitadel.topmanage.com,resources=oidcapps/finalizers,verbs=update
|
||||
|
||||
// Reconcile is part of the main kubernetes reconciliation loop which aims to
|
||||
// move the current state of the cluster closer to the desired state.
|
||||
func (r *OIDCAppReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
|
||||
var OIDCApp zitadelv1alpha1.OIDCApp
|
||||
if err := r.Get(ctx, req.NamespacedName, &OIDCApp); err != nil {
|
||||
return ctrl.Result{}, client.IgnoreNotFound(err)
|
||||
}
|
||||
wr := newWrappedOIDCAppReconciler(r.Client, r.RefResolver, r.Builder, &OIDCApp)
|
||||
wf := newWrappedOIDCAppFinalizer(r.Client, &OIDCApp, r.RefResolver)
|
||||
tf := core.NewCoreFinalizer(r.Client, wf)
|
||||
tr := core.NewCoreReconciler(r.Client, r.ConditionReady, wr, tf, r.RequeueInterval)
|
||||
|
||||
result, err := tr.Reconcile(ctx, &OIDCApp)
|
||||
if err != nil {
|
||||
return result, fmt.Errorf("error reconciling in OIDCAppReconciler: %v", err)
|
||||
}
|
||||
return result, nil
|
||||
}
|
||||
|
||||
type wrappedOIDCAppReconciler struct {
|
||||
client.Client
|
||||
refResolver *zitadelv1alpha1.RefResolver
|
||||
OIDCApp *zitadelv1alpha1.OIDCApp
|
||||
Builder *builder.Builder
|
||||
}
|
||||
|
||||
func newWrappedOIDCAppReconciler(client client.Client, refResolver *zitadelv1alpha1.RefResolver, builder *builder.Builder,
|
||||
OIDCApp *zitadelv1alpha1.OIDCApp) core.WrappedCoreReconciler {
|
||||
return &wrappedOIDCAppReconciler{
|
||||
Client: client,
|
||||
refResolver: refResolver,
|
||||
OIDCApp: OIDCApp,
|
||||
Builder: builder,
|
||||
}
|
||||
}
|
||||
|
||||
func (wr *wrappedOIDCAppReconciler) Reconcile(ctx context.Context, ztdClient *clientv2.Client) error {
|
||||
project, err := wr.OIDCApp.Project(ctx, wr.refResolver)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if project.Status.ProjectId == nil {
|
||||
return fmt.Errorf("Project has not been created yet...")
|
||||
}
|
||||
responseTypes := []application.OIDCResponseType{}
|
||||
for _, r := range wr.OIDCApp.Spec.ResponseTypes {
|
||||
responseTypes = append(responseTypes, application.OIDCResponseType(application.OIDCApplicationType_value[string(r)]))
|
||||
}
|
||||
grantTypes := []application.OIDCGrantType{}
|
||||
for _, r := range wr.OIDCApp.Spec.GrantTypes {
|
||||
grantTypes = append(grantTypes, application.OIDCGrantType(application.OIDCGrantType_value[string(r)]))
|
||||
}
|
||||
|
||||
var appid *string
|
||||
var clientid *string
|
||||
appList, err := ztdClient.ApplicationServiceV2().ListApplications(ctx,
|
||||
&application.ListApplicationsRequest{
|
||||
Filters: []*application.ApplicationSearchFilter{
|
||||
{
|
||||
Filter: &application.ApplicationSearchFilter_NameFilter{
|
||||
NameFilter: &application.ApplicationNameFilter{
|
||||
Name: wr.OIDCApp.Spec.OIDCAppName,
|
||||
Method: filter.TextFilterMethod_TEXT_FILTER_METHOD_EQUALS,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
Filter: &application.ApplicationSearchFilter_ProjectIdFilter{
|
||||
ProjectIdFilter: &application.ProjectIDFilter{
|
||||
ProjectId: *project.Status.ProjectId,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Error listing OIDCApps: %v", err)
|
||||
}
|
||||
|
||||
if len(appList.Applications) > 0 {
|
||||
appid = &appList.Applications[0].ApplicationId
|
||||
clientid = &appList.Applications[0].GetApiConfiguration().ClientId
|
||||
}
|
||||
|
||||
if appid == nil {
|
||||
resp, err := ztdClient.ApplicationServiceV2().CreateApplication(ctx,
|
||||
&application.CreateApplicationRequest{
|
||||
Name: wr.OIDCApp.Name,
|
||||
ProjectId: *project.Status.ProjectId,
|
||||
ApplicationType: &application.CreateApplicationRequest_OidcConfiguration{
|
||||
OidcConfiguration: &application.CreateOIDCApplicationRequest{
|
||||
RedirectUris: wr.OIDCApp.Spec.RedirectUris,
|
||||
ResponseTypes: responseTypes,
|
||||
GrantTypes: grantTypes,
|
||||
AuthMethodType: application.OIDCAuthMethodType(application.OIDCTokenType_value[wr.OIDCApp.Spec.AuthMethodType]),
|
||||
PostLogoutRedirectUris: wr.OIDCApp.Spec.PostLogoutRedirectUris,
|
||||
Version: application.OIDCVersion_OIDC_VERSION_1_0,
|
||||
DevelopmentMode: wr.OIDCApp.Spec.DevMode,
|
||||
AccessTokenType: application.OIDCTokenType(application.OIDCTokenType_value[wr.OIDCApp.Spec.AccessTokenType]),
|
||||
AccessTokenRoleAssertion: wr.OIDCApp.Spec.AccessTokenRoleAssertion,
|
||||
IdTokenRoleAssertion: wr.OIDCApp.Spec.IdTokenRoleAssertion,
|
||||
IdTokenUserinfoAssertion: wr.OIDCApp.Spec.IdTokenUserinfoAssertion,
|
||||
ClockSkew: durationpb.New(wr.OIDCApp.Spec.ClockSkew.Duration),
|
||||
AdditionalOrigins: wr.OIDCApp.Spec.AdditionalOrigins,
|
||||
SkipNativeAppSuccessPage: wr.OIDCApp.Spec.SkipNativeAppSuccessPage,
|
||||
LoginVersion: &application.LoginVersion{
|
||||
Version: &application.LoginVersion_LoginV2{
|
||||
LoginV2: &application.LoginV2{
|
||||
BaseUri: nil,
|
||||
},
|
||||
},
|
||||
},
|
||||
BackChannelLogoutUri: wr.OIDCApp.Spec.BackChannelLogoutUri,
|
||||
},
|
||||
},
|
||||
},
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error creating OIDCApp in Zitadel: %v", err)
|
||||
}
|
||||
key := types.NamespacedName{
|
||||
Name: wr.OIDCApp.ClientSecretName(),
|
||||
Namespace: wr.OIDCApp.Namespace,
|
||||
}
|
||||
|
||||
secretData := map[string][]byte{"clientSecret": []byte(resp.GetApiConfiguration().ClientSecret), "appId": []byte(resp.ApplicationId), "clientId": []byte(resp.GetApiConfiguration().ClientId)}
|
||||
secret, err := wr.Builder.BuildSecret(builder.SecretOpts{Immutable: false, Zitadel: nil, Key: key, Data: secretData}, wr.OIDCApp)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error building Secret: %v", err)
|
||||
}
|
||||
if err := wr.Create(ctx, secret); err != nil {
|
||||
return fmt.Errorf("error creating Client-secret Secret: %v", err)
|
||||
}
|
||||
appid = &resp.ApplicationId
|
||||
clientid = &resp.GetApiConfiguration().ClientId
|
||||
} else {
|
||||
_, err := ztdClient.ApplicationServiceV2().UpdateApplication(ctx,
|
||||
&application.UpdateApplicationRequest{
|
||||
Name: wr.OIDCApp.Name,
|
||||
ProjectId: *project.Status.ProjectId,
|
||||
ApplicationType: &application.UpdateApplicationRequest_OidcConfiguration{
|
||||
OidcConfiguration: &application.UpdateOIDCApplicationConfigurationRequest{
|
||||
RedirectUris: wr.OIDCApp.Spec.RedirectUris,
|
||||
ResponseTypes: responseTypes,
|
||||
GrantTypes: grantTypes,
|
||||
AuthMethodType: ptr.To(application.OIDCAuthMethodType(application.OIDCTokenType_value[wr.OIDCApp.Spec.AuthMethodType])),
|
||||
PostLogoutRedirectUris: wr.OIDCApp.Spec.PostLogoutRedirectUris,
|
||||
Version: ptr.To(application.OIDCVersion_OIDC_VERSION_1_0),
|
||||
DevelopmentMode: &wr.OIDCApp.Spec.DevMode,
|
||||
AccessTokenType: ptr.To(application.OIDCTokenType(application.OIDCTokenType_value[wr.OIDCApp.Spec.AccessTokenType])),
|
||||
AccessTokenRoleAssertion: &wr.OIDCApp.Spec.AccessTokenRoleAssertion,
|
||||
IdTokenRoleAssertion: &wr.OIDCApp.Spec.IdTokenRoleAssertion,
|
||||
IdTokenUserinfoAssertion: &wr.OIDCApp.Spec.IdTokenUserinfoAssertion,
|
||||
ClockSkew: durationpb.New(wr.OIDCApp.Spec.ClockSkew.Duration),
|
||||
AdditionalOrigins: wr.OIDCApp.Spec.AdditionalOrigins,
|
||||
SkipNativeAppSuccessPage: &wr.OIDCApp.Spec.SkipNativeAppSuccessPage,
|
||||
LoginVersion: &application.LoginVersion{
|
||||
Version: &application.LoginVersion_LoginV2{
|
||||
LoginV2: &application.LoginV2{
|
||||
BaseUri: nil,
|
||||
},
|
||||
},
|
||||
},
|
||||
BackChannelLogoutUri: &wr.OIDCApp.Spec.BackChannelLogoutUri,
|
||||
},
|
||||
},
|
||||
},
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error updating OIDCApp in Zitadel: %v", err)
|
||||
}
|
||||
}
|
||||
patch := ctrlClient.MergeFrom(wr.OIDCApp.DeepCopy())
|
||||
wr.OIDCApp.Status.AppId = appid
|
||||
wr.OIDCApp.Status.ClientId = clientid
|
||||
return wr.Client.Status().Patch(ctx, wr.OIDCApp, patch)
|
||||
}
|
||||
|
||||
func (wr *wrappedOIDCAppReconciler) PatchStatus(ctx context.Context, patcher condition.Patcher) error {
|
||||
patch := client.MergeFrom(wr.OIDCApp.DeepCopy())
|
||||
patcher(&wr.OIDCApp.Status)
|
||||
|
||||
if err := wr.Client.Status().Patch(ctx, wr.OIDCApp, patch); err != nil {
|
||||
return fmt.Errorf("error patching OIDCApp status: %v", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// SetupWithManager sets up the controller with the Manager.
|
||||
func (r *OIDCAppReconciler) SetupWithManager(mgr ctrl.Manager) error {
|
||||
return ctrl.NewControllerManagedBy(mgr).
|
||||
For(&zitadelv1alpha1.OIDCApp{}).
|
||||
Owns(&corev1.Secret{}).
|
||||
WithOptions(controller.Options{RateLimiter: workqueue.NewTypedItemExponentialFailureRateLimiter[reconcile.Request](time.Millisecond*500, time.Minute*3)}).
|
||||
Complete(r)
|
||||
}
|
||||
Reference in New Issue
Block a user