HaimKortovich
e061f6750f
All checks were successful
Build and Publish / build-release (push) Successful in 1m29s
332 lines
11 KiB
Go
332 lines
11 KiB
Go
/*
|
|
Copyright 2024.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package controller
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"strings"
|
|
"time"
|
|
|
|
zitadelv1alpha1 "gitea.corredorconect.com/software-engineering/zitadel-resources-operator/api/v1alpha1"
|
|
"gitea.corredorconect.com/software-engineering/zitadel-resources-operator/pkg/builder"
|
|
condition "gitea.corredorconect.com/software-engineering/zitadel-resources-operator/pkg/condition"
|
|
"gitea.corredorconect.com/software-engineering/zitadel-resources-operator/pkg/controller/core"
|
|
clientv2 "github.com/zitadel/zitadel-go/v3/pkg/client"
|
|
"github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/application/v2"
|
|
"github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/filter/v2"
|
|
corev1 "k8s.io/api/core/v1"
|
|
"k8s.io/apimachinery/pkg/types"
|
|
"k8s.io/client-go/util/workqueue"
|
|
ctrl "sigs.k8s.io/controller-runtime"
|
|
"sigs.k8s.io/controller-runtime/pkg/client"
|
|
ctrlClient "sigs.k8s.io/controller-runtime/pkg/client"
|
|
"sigs.k8s.io/controller-runtime/pkg/controller"
|
|
"sigs.k8s.io/controller-runtime/pkg/reconcile"
|
|
)
|
|
|
|
// APIAppReconciler reconciles a APIApp object
|
|
type APIAppReconciler struct {
|
|
client.Client
|
|
RefResolver *zitadelv1alpha1.RefResolver
|
|
ConditionReady *condition.Ready
|
|
RequeueInterval time.Duration
|
|
Builder *builder.Builder
|
|
}
|
|
|
|
func NewAPIAppReconciler(client client.Client, refResolver *zitadelv1alpha1.RefResolver, builder *builder.Builder, conditionReady *condition.Ready,
|
|
requeueInterval time.Duration) *APIAppReconciler {
|
|
return &APIAppReconciler{
|
|
Client: client,
|
|
RefResolver: refResolver,
|
|
ConditionReady: conditionReady,
|
|
RequeueInterval: requeueInterval,
|
|
Builder: builder,
|
|
}
|
|
}
|
|
|
|
//+kubebuilder:rbac:groups=zitadel.github.com,resources=apiapps,verbs=get;list;watch;create;update;patch;delete
|
|
//+kubebuilder:rbac:groups=zitadel.github.com,resources=apiapps/status,verbs=get;update;patch
|
|
//+kubebuilder:rbac:groups=zitadel.github.com,resources=apiapps/finalizers,verbs=update
|
|
|
|
// Reconcile is part of the main kubernetes reconciliation loop which aims to
|
|
// move the current state of the cluster closer to the desired state.
|
|
func (r *APIAppReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
|
|
var APIApp zitadelv1alpha1.APIApp
|
|
if err := r.Get(ctx, req.NamespacedName, &APIApp); err != nil {
|
|
return ctrl.Result{}, client.IgnoreNotFound(err)
|
|
}
|
|
wr := newWrappedAPIAppReconciler(r.Client, r.RefResolver, r.Builder, &APIApp)
|
|
wf := newWrappedAPIAppFinalizer(r.Client, &APIApp, r.RefResolver)
|
|
tf := core.NewCoreFinalizer(r.Client, wf)
|
|
tr := core.NewCoreReconciler(r.Client, r.ConditionReady, wr, tf, r.RequeueInterval)
|
|
|
|
result, err := tr.Reconcile(ctx, &APIApp)
|
|
if err != nil {
|
|
return result, fmt.Errorf("error reconciling in APIAppReconciler: %v", err)
|
|
}
|
|
return result, nil
|
|
}
|
|
|
|
type wrappedAPIAppReconciler struct {
|
|
client.Client
|
|
refResolver *zitadelv1alpha1.RefResolver
|
|
APIApp *zitadelv1alpha1.APIApp
|
|
Builder *builder.Builder
|
|
}
|
|
|
|
func newWrappedAPIAppReconciler(client client.Client, refResolver *zitadelv1alpha1.RefResolver, builder *builder.Builder,
|
|
APIApp *zitadelv1alpha1.APIApp) core.WrappedCoreReconciler {
|
|
return &wrappedAPIAppReconciler{
|
|
Client: client,
|
|
refResolver: refResolver,
|
|
APIApp: APIApp,
|
|
Builder: builder,
|
|
}
|
|
}
|
|
|
|
type apiAppReconcilePhase struct {
|
|
Name string
|
|
Reconcile func(context.Context, *clientv2.Client) error
|
|
}
|
|
|
|
func (wr *wrappedAPIAppReconciler) Reconcile(ctx context.Context, ztdClient *clientv2.Client) error {
|
|
phases := []apiAppReconcilePhase{
|
|
{
|
|
Name: "apiapp",
|
|
Reconcile: wr.reconcileApp,
|
|
},
|
|
{
|
|
Name: "keys",
|
|
Reconcile: wr.reconcileKeys,
|
|
},
|
|
}
|
|
for _, p := range phases {
|
|
err := p.Reconcile(ctx, ztdClient)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (wr *wrappedAPIAppReconciler) reconcileApp(ctx context.Context, ztdClient *clientv2.Client) error {
|
|
projectRef, err := wr.APIApp.Project(ctx, wr.refResolver)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if projectRef.ID == "" {
|
|
return fmt.Errorf("Project has not been created yet...")
|
|
}
|
|
|
|
var appid *string
|
|
var clientid *string
|
|
appList, err := ztdClient.ApplicationServiceV2().ListApplications(ctx,
|
|
&application.ListApplicationsRequest{
|
|
Filters: []*application.ApplicationSearchFilter{
|
|
{
|
|
Filter: &application.ApplicationSearchFilter_NameFilter{
|
|
NameFilter: &application.ApplicationNameFilter{
|
|
Name: wr.APIApp.Spec.APIAppName,
|
|
Method: filter.TextFilterMethod_TEXT_FILTER_METHOD_EQUALS,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Filter: &application.ApplicationSearchFilter_ProjectIdFilter{
|
|
ProjectIdFilter: &application.ProjectIDFilter{
|
|
ProjectId: projectRef.ID,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
)
|
|
if err != nil {
|
|
return fmt.Errorf("Error listing APIApps: %v", err)
|
|
}
|
|
|
|
if len(appList.Applications) > 0 {
|
|
appid = &appList.Applications[0].ApplicationId
|
|
clientid = &appList.Applications[0].GetApiConfiguration().ClientId
|
|
}
|
|
|
|
if appid == nil {
|
|
resp, err := ztdClient.ApplicationServiceV2().CreateApplication(ctx,
|
|
&application.CreateApplicationRequest{
|
|
Name: wr.APIApp.Spec.APIAppName,
|
|
ProjectId: projectRef.ID,
|
|
ApplicationType: &application.CreateApplicationRequest_ApiConfiguration{
|
|
ApiConfiguration: &application.CreateAPIApplicationRequest{
|
|
AuthMethodType: application.APIAuthMethodType(application.APIAuthMethodType_value[wr.APIApp.Spec.AuthMethodType]),
|
|
},
|
|
},
|
|
},
|
|
)
|
|
if err != nil {
|
|
return fmt.Errorf("error creating APIApp in Zitadel: %v", err)
|
|
}
|
|
key := types.NamespacedName{
|
|
Name: wr.APIApp.ClientSecretName(),
|
|
Namespace: wr.APIApp.Namespace,
|
|
}
|
|
secretData := map[string][]byte{
|
|
"clientSecret": []byte(resp.GetApiConfiguration().ClientSecret),
|
|
"appId": []byte(resp.ApplicationId),
|
|
"clientId": []byte(resp.GetApiConfiguration().ClientId),
|
|
"projectId": []byte(projectRef.ID),
|
|
}
|
|
secret, err := wr.Builder.BuildSecret(builder.SecretOpts{Immutable: false, Key: key, Data: secretData}, wr.APIApp)
|
|
if err != nil {
|
|
return fmt.Errorf("error building Secret: %v", err)
|
|
}
|
|
if err := wr.Create(ctx, secret); err != nil {
|
|
return fmt.Errorf("error creating Client-secret Secret: %v", err)
|
|
}
|
|
appid = &resp.ApplicationId
|
|
clientid = &resp.GetApiConfiguration().ClientId
|
|
} else {
|
|
_, err := ztdClient.ApplicationServiceV2().UpdateApplication(ctx,
|
|
&application.UpdateApplicationRequest{
|
|
Name: wr.APIApp.Spec.APIAppName,
|
|
ProjectId: projectRef.ID,
|
|
ApplicationId: *appid,
|
|
ApplicationType: &application.UpdateApplicationRequest_ApiConfiguration{
|
|
ApiConfiguration: &application.UpdateAPIApplicationConfigurationRequest{
|
|
AuthMethodType: application.APIAuthMethodType(application.APIAuthMethodType_value[wr.APIApp.Spec.AuthMethodType]),
|
|
},
|
|
},
|
|
},
|
|
)
|
|
if err != nil {
|
|
if !strings.Contains(err.Error(), "No Changes") {
|
|
return fmt.Errorf("error updating APIApp in Zitadel: %v", err)
|
|
}
|
|
}
|
|
}
|
|
patch := ctrlClient.MergeFrom(wr.APIApp.DeepCopy())
|
|
wr.APIApp.Status.AppId = appid
|
|
wr.APIApp.Status.ClientId = clientid
|
|
return wr.Client.Status().Patch(ctx, wr.APIApp, patch)
|
|
}
|
|
|
|
type Key struct {
|
|
Type string `json:"type"`
|
|
KeyID string `json:"keyId"`
|
|
Key string `json:"key"`
|
|
AppID string `json:"appId"`
|
|
ClientID string `json:"clientId"`
|
|
}
|
|
|
|
func (wr *wrappedAPIAppReconciler) reconcileKeys(ctx context.Context, ztdClient *clientv2.Client) error {
|
|
if wr.APIApp.Spec.AuthMethodType == "API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT" {
|
|
projectRef, err := wr.APIApp.Project(ctx, wr.refResolver)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if wr.APIApp.Status.AppId == nil {
|
|
return fmt.Errorf("APIApp has not been created yet...")
|
|
}
|
|
|
|
if wr.APIApp.Status.KeyId != nil {
|
|
keyList, err := ztdClient.ApplicationServiceV2().ListApplicationKeys(ctx, &application.ListApplicationKeysRequest{
|
|
Filters: []*application.ApplicationKeySearchFilter{
|
|
{
|
|
Filter: &application.ApplicationKeySearchFilter_ApplicationIdFilter{
|
|
ApplicationIdFilter: &application.ApplicationKeyApplicationIDFilter{
|
|
ApplicationId: *wr.APIApp.Status.AppId,
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Filter: &application.ApplicationKeySearchFilter_ProjectIdFilter{
|
|
ProjectIdFilter: &application.ApplicationKeyProjectIDFilter{
|
|
ProjectId: projectRef.ID,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
})
|
|
if err != nil {
|
|
return fmt.Errorf("Error listing application keys: %v", err)
|
|
}
|
|
|
|
for _, key := range keyList.Keys {
|
|
if key.KeyId == *wr.APIApp.Status.KeyId {
|
|
return nil
|
|
}
|
|
}
|
|
}
|
|
|
|
resp, err := ztdClient.ApplicationServiceV2().CreateApplicationKey(ctx, &application.CreateApplicationKeyRequest{
|
|
ApplicationId: *wr.APIApp.Status.AppId,
|
|
ProjectId: projectRef.ID,
|
|
})
|
|
|
|
if err != nil {
|
|
return fmt.Errorf("Error adding Key to app: %v", err)
|
|
}
|
|
|
|
key := types.NamespacedName{
|
|
Name: wr.APIApp.PrivateKeySecretName(),
|
|
Namespace: wr.APIApp.Namespace,
|
|
}
|
|
var jsonKey Key
|
|
if err = json.Unmarshal(resp.KeyDetails, &jsonKey); err != nil {
|
|
return fmt.Errorf("Could not unmarshal key details: %v", err)
|
|
}
|
|
secretData := map[string][]byte{
|
|
"clientId": []byte(jsonKey.ClientID),
|
|
"type": []byte(jsonKey.Type),
|
|
"keyId": []byte(jsonKey.KeyID),
|
|
"appId": []byte(jsonKey.AppID),
|
|
"key": []byte(jsonKey.Key),
|
|
}
|
|
secret, err := wr.Builder.BuildSecret(builder.SecretOpts{Immutable: false, Key: key, Data: secretData}, wr.APIApp)
|
|
if err != nil {
|
|
return fmt.Errorf("error building Secret: %v", err)
|
|
}
|
|
if err := wr.Create(ctx, secret); err != nil {
|
|
return fmt.Errorf("error creating private-key Secret: %v", err)
|
|
}
|
|
patch := ctrlClient.MergeFrom(wr.APIApp.DeepCopy())
|
|
wr.APIApp.Status.KeyId = &resp.KeyId
|
|
return wr.Client.Status().Patch(ctx, wr.APIApp, patch)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (wr *wrappedAPIAppReconciler) PatchStatus(ctx context.Context, patcher condition.Patcher) error {
|
|
patch := client.MergeFrom(wr.APIApp.DeepCopy())
|
|
patcher(&wr.APIApp.Status)
|
|
|
|
if err := wr.Client.Status().Patch(ctx, wr.APIApp, patch); err != nil {
|
|
return fmt.Errorf("error patching APIApp status: %v", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// SetupWithManager sets up the controller with the Manager.
|
|
func (r *APIAppReconciler) SetupWithManager(mgr ctrl.Manager) error {
|
|
return ctrl.NewControllerManagedBy(mgr).
|
|
For(&zitadelv1alpha1.APIApp{}).
|
|
Owns(&corev1.Secret{}).
|
|
WithOptions(controller.Options{RateLimiter: workqueue.NewTypedItemExponentialFailureRateLimiter[reconcile.Request](time.Millisecond*500, time.Minute*3)}).
|
|
Complete(r)
|
|
}
|