feat(operator): zitadel and database operator (#1208)

* feat(operator): add base for zitadel operator

* fix(operator): changed pipeline to release operator

* fix(operator): fmt with only one parameter

* fix(operator): corrected workflow job name

* fix(zitadelctl): added restore and backuplist command

* fix(zitadelctl): scale for restore

* chore(container): use scratch for deploy container

* fix(zitadelctl): limit image to scratch

* fix(migration): added migration scripts for newer version

* fix(operator): changed handling of kubeconfig in operator logic

* fix(operator): changed handling of secrets in operator logic

* fix(operator): use new version of zitadel

* fix(operator): added path for migrations

* fix(operator): delete doublets of migration scripts

* fix(operator): delete subpaths and integrate logic into init container

* fix(operator): corrected path in dockerfile for local migrations

* fix(operator): added migrations for cockroachdb-secure

* fix(operator): delete logic for ambassador module

* fix(operator): added read and write secret commands

* fix(operator): correct and align operator pipeline with zitadel pipeline

* fix(operator): correct yaml error in operator pipeline

* fix(operator): correct action name in operator pipeline

* fix(operator): correct case-sensitive filename in operator pipeline

* fix(operator): upload artifacts from buildx output

* fix(operator): corrected attribute spelling error

* fix(operator): combined jobs for operator binary and image

* fix(operator): added missing comma in operator pipeline

* fix(operator): added codecov for operator image

* fix(operator): added codecov for operator image

* fix(testing): code changes for testing and several unit-tests (#1009)

* fix(operator): usage of interface of kubernetes client for testing and several unit-tests

* fix(operator): several unit-tests

* fix(operator): several unit-tests

* fix(operator): changed order for the operator logic

* fix(operator): added version of zitadelctl from semantic release

* fix(operator): corrected function call with version of zitadelctl

* fix(operator): corrected function call with version of zitadelctl

* fix(operator): add check output to operator release pipeline

* fix(operator): set --short length everywhere to 12

* fix(operator): zitadel setup in job instead of exec with several unit tests

* fix(operator): fixes to combine newest zitadel and testing branch

* fix(operator): corrected path in Dockerfile

* fix(operator): fixed unit-test that was ignored during changes

* fix(operator): fixed unit-test that was ignored during changes

* fix(operator): corrected Dockerfile to correctly use env variable

* fix(operator): quickfix takeoff deployment

* fix(operator): corrected the clusterrolename in the applied artifacts

* fix: update secure migrations

* fix(operator): migrations (#1057)

* fix(operator): copied migrations from orbos repository

* fix(operator): newest migrations

* chore: use cockroach-secure

* fix: rename migration

* fix: remove insecure cockroach migrations

Co-authored-by: Stefan Benz <stefan@caos.ch>

* fix: finalize labels

* fix(operator): cli logging concurrent and fixe deployment of operator during restore

* fix: finalize labels and cli commands

* fix: restore

* chore: cockroachdb is always secure

* chore: use orbos consistent-labels latest commit

* test: make tests compatible with new labels

* fix: default to sa token for start command

* fix: use cockroachdb v12.02

* fix: don't delete flyway user

* test: fix migration test

* fix: use correct table qualifiers

* fix: don't alter sequence ownership

* fix: upgrade flyway

* fix: change ownership of all dbs and tables to admin user

* fix: change defaultdb user

* fix: treat clientid status codes >= 400 as errors

* fix: reconcile specified ZITADEL version, not binary version

* fix: add ca-certs

* fix: use latest orbos code

* fix: use orbos with fixed race condition

* fix: use latest ORBOS code

* fix: use latest ORBOS code

* fix: make migration and scaling around restoring work

* fix(operator): move zitadel operator

* chore(migrations): include owner change migration

* feat(db): add code base for database operator

* fix(db): change used image registry for database operator

* fix(db): generated mock

* fix(db): add accidentally ignored file

* fix(db): add cockroachdb backup image to pipeline

* fix(db): correct pipeline and image versions

* fix(db): correct version of used orbos

* fix(db): correct database import

* fix(db): go mod tidy

* fix(db): use new version for orbos

* fix(migrations): include migrations into zitadelctl binary (#1211)

* fix(db): use statik to integrate migrations into binary

* fix(migrations): corrections unit tests and pipeline for integrated migrations into zitadelctl binary

* fix(migrations): correction in dockerfile for pipeline build

* fix(migrations): correction in dockerfile for pipeline build

* fix(migrations):  dockerfile changes for cache optimization

* fix(database): correct used part-of label in database operator

* fix(database): correct used selectable label in zitadel operator

* fix(operator): correct lables for user secrets in zitadel operator

* fix(operator): correct lables for service test in zitadel operator

* fix: don't enable database features for user operations (#1227)

* fix: don't enable database features for user operations

* fix: omit database feature for connection info adapter

* fix: use latest orbos version

* fix: update ORBOS (#1240)

Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: Elio Bischof <eliobischof@gmail.com>

operator/database/kinds/databases/core/current.go

@@ -0,0 +1,64 @@
+package core
+
+import (
+	"crypto/rsa"
+	"errors"
+	"github.com/caos/orbos/pkg/kubernetes"
+	"github.com/caos/orbos/pkg/tree"
+	"github.com/caos/zitadel/operator"
+)
+
+const queriedName = "database"
+
+type DatabaseCurrent interface {
+	GetURL() string
+	GetPort() string
+	GetReadyQuery() operator.EnsureFunc
+	GetCertificateKey() *rsa.PrivateKey
+	SetCertificateKey(*rsa.PrivateKey)
+	GetCertificate() []byte
+	SetCertificate([]byte)
+	GetAddUserFunc() func(user string) (operator.QueryFunc, error)
+	GetDeleteUserFunc() func(user string) (operator.DestroyFunc, error)
+	GetListUsersFunc() func(k8sClient kubernetes.ClientInt) ([]string, error)
+	GetListDatabasesFunc() func(k8sClient kubernetes.ClientInt) ([]string, error)
+}
+
+func ParseQueriedForDatabase(queried map[string]interface{}) (DatabaseCurrent, error) {
+	queriedDB, ok := queried[queriedName]
+	if !ok {
+		return nil, errors.New("no current state for database found")
+	}
+	currentDBTree, ok := queriedDB.(*tree.Tree)
+	if !ok {
+		return nil, errors.New("current state does not fullfil interface")
+	}
+	currentDB, ok := currentDBTree.Parsed.(DatabaseCurrent)
+	if !ok {
+		return nil, errors.New("current state does not fullfil interface")
+	}
+
+	return currentDB, nil
+}
+
+func SetQueriedForDatabase(queried map[string]interface{}, databaseCurrent *tree.Tree) {
+	queried[queriedName] = databaseCurrent
+}
+
+func SetQueriedForDatabaseDBList(queried map[string]interface{}, databases []string) {
+	currentDBList := &CurrentDBList{
+		Common: &tree.Common{
+			Kind:    "DBList",
+			Version: "V0",
+		},
+		Current: &DatabaseCurrentDBList{
+			Databases: databases,
+		},
+	}
+
+	currentDB := &tree.Tree{
+		Parsed: currentDBList,
+	}
+
+	SetQueriedForDatabase(queried, currentDB)
+}

operator/database/kinds/databases/core/dblist.go

@@ -0,0 +1,65 @@
+package core
+
+import (
+	"crypto/rsa"
+	"github.com/caos/orbos/pkg/kubernetes"
+	"github.com/caos/orbos/pkg/tree"
+	"github.com/caos/zitadel/operator"
+)
+
+var current DatabaseCurrent = &CurrentDBList{}
+
+type CurrentDBList struct {
+	Common  *tree.Common `yaml:",inline"`
+	Current *DatabaseCurrentDBList
+}
+
+type DatabaseCurrentDBList struct {
+	Databases []string
+}
+
+func (c *CurrentDBList) GetURL() string {
+	return ""
+}
+
+func (c *CurrentDBList) GetPort() string {
+	return ""
+}
+
+func (c *CurrentDBList) GetReadyQuery() operator.EnsureFunc {
+	return nil
+}
+
+func (c *CurrentDBList) GetCertificateKey() *rsa.PrivateKey {
+	return nil
+}
+
+func (c *CurrentDBList) SetCertificateKey(key *rsa.PrivateKey) {
+	return
+}
+
+func (c *CurrentDBList) GetCertificate() []byte {
+	return nil
+}
+
+func (c *CurrentDBList) SetCertificate(cert []byte) {
+	return
+}
+
+func (c *CurrentDBList) GetListDatabasesFunc() func(k8sClient kubernetes.ClientInt) ([]string, error) {
+	return func(k8sClient kubernetes.ClientInt) ([]string, error) {
+		return c.Current.Databases, nil
+	}
+}
+
+func (c *CurrentDBList) GetListUsersFunc() func(k8sClient kubernetes.ClientInt) ([]string, error) {
+	return nil
+}
+
+func (c *CurrentDBList) GetAddUserFunc() func(user string) (operator.QueryFunc, error) {
+	return nil
+}
+
+func (c *CurrentDBList) GetDeleteUserFunc() func(user string) (operator.DestroyFunc, error) {
+	return nil
+}

operator/database/kinds/databases/core/generate.go

@@ -0,0 +1,3 @@
+package core
+
+//go:generate mockgen -source current.go -package coremock -destination mock/current.mock.go github.com/caos/internal/operator/database/kinds/databases/core DatabaseCurrent

operator/database/kinds/databases/core/mock/current.mock.go

@@ -0,0 +1,186 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: current.go
+
+// Package coremock is a generated GoMock package.
+package coremock
+
+import (
+	rsa "crypto/rsa"
+	kubernetes "github.com/caos/orbos/pkg/kubernetes"
+	operator "github.com/caos/zitadel/operator"
+	gomock "github.com/golang/mock/gomock"
+	reflect "reflect"
+)
+
+// MockDatabaseCurrent is a mock of DatabaseCurrent interface
+type MockDatabaseCurrent struct {
+	ctrl     *gomock.Controller
+	recorder *MockDatabaseCurrentMockRecorder
+}
+
+// MockDatabaseCurrentMockRecorder is the mock recorder for MockDatabaseCurrent
+type MockDatabaseCurrentMockRecorder struct {
+	mock *MockDatabaseCurrent
+}
+
+// NewMockDatabaseCurrent creates a new mock instance
+func NewMockDatabaseCurrent(ctrl *gomock.Controller) *MockDatabaseCurrent {
+	mock := &MockDatabaseCurrent{ctrl: ctrl}
+	mock.recorder = &MockDatabaseCurrentMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockDatabaseCurrent) EXPECT() *MockDatabaseCurrentMockRecorder {
+	return m.recorder
+}
+
+// GetURL mocks base method
+func (m *MockDatabaseCurrent) GetURL() string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetURL")
+	ret0, _ := ret[0].(string)
+	return ret0
+}
+
+// GetURL indicates an expected call of GetURL
+func (mr *MockDatabaseCurrentMockRecorder) GetURL() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetURL", reflect.TypeOf((*MockDatabaseCurrent)(nil).GetURL))
+}
+
+// GetPort mocks base method
+func (m *MockDatabaseCurrent) GetPort() string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetPort")
+	ret0, _ := ret[0].(string)
+	return ret0
+}
+
+// GetPort indicates an expected call of GetPort
+func (mr *MockDatabaseCurrentMockRecorder) GetPort() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPort", reflect.TypeOf((*MockDatabaseCurrent)(nil).GetPort))
+}
+
+// GetReadyQuery mocks base method
+func (m *MockDatabaseCurrent) GetReadyQuery() operator.EnsureFunc {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetReadyQuery")
+	ret0, _ := ret[0].(operator.EnsureFunc)
+	return ret0
+}
+
+// GetReadyQuery indicates an expected call of GetReadyQuery
+func (mr *MockDatabaseCurrentMockRecorder) GetReadyQuery() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetReadyQuery", reflect.TypeOf((*MockDatabaseCurrent)(nil).GetReadyQuery))
+}
+
+// GetCertificateKey mocks base method
+func (m *MockDatabaseCurrent) GetCertificateKey() *rsa.PrivateKey {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetCertificateKey")
+	ret0, _ := ret[0].(*rsa.PrivateKey)
+	return ret0
+}
+
+// GetCertificateKey indicates an expected call of GetCertificateKey
+func (mr *MockDatabaseCurrentMockRecorder) GetCertificateKey() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificateKey", reflect.TypeOf((*MockDatabaseCurrent)(nil).GetCertificateKey))
+}
+
+// SetCertificateKey mocks base method
+func (m *MockDatabaseCurrent) SetCertificateKey(arg0 *rsa.PrivateKey) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "SetCertificateKey", arg0)
+}
+
+// SetCertificateKey indicates an expected call of SetCertificateKey
+func (mr *MockDatabaseCurrentMockRecorder) SetCertificateKey(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetCertificateKey", reflect.TypeOf((*MockDatabaseCurrent)(nil).SetCertificateKey), arg0)
+}
+
+// GetCertificate mocks base method
+func (m *MockDatabaseCurrent) GetCertificate() []byte {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetCertificate")
+	ret0, _ := ret[0].([]byte)
+	return ret0
+}
+
+// GetCertificate indicates an expected call of GetCertificate
+func (mr *MockDatabaseCurrentMockRecorder) GetCertificate() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificate", reflect.TypeOf((*MockDatabaseCurrent)(nil).GetCertificate))
+}
+
+// SetCertificate mocks base method
+func (m *MockDatabaseCurrent) SetCertificate(arg0 []byte) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "SetCertificate", arg0)
+}
+
+// SetCertificate indicates an expected call of SetCertificate
+func (mr *MockDatabaseCurrentMockRecorder) SetCertificate(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetCertificate", reflect.TypeOf((*MockDatabaseCurrent)(nil).SetCertificate), arg0)
+}
+
+// GetAddUserFunc mocks base method
+func (m *MockDatabaseCurrent) GetAddUserFunc() func(string) (operator.QueryFunc, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetAddUserFunc")
+	ret0, _ := ret[0].(func(string) (operator.QueryFunc, error))
+	return ret0
+}
+
+// GetAddUserFunc indicates an expected call of GetAddUserFunc
+func (mr *MockDatabaseCurrentMockRecorder) GetAddUserFunc() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAddUserFunc", reflect.TypeOf((*MockDatabaseCurrent)(nil).GetAddUserFunc))
+}
+
+// GetDeleteUserFunc mocks base method
+func (m *MockDatabaseCurrent) GetDeleteUserFunc() func(string) (operator.DestroyFunc, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetDeleteUserFunc")
+	ret0, _ := ret[0].(func(string) (operator.DestroyFunc, error))
+	return ret0
+}
+
+// GetDeleteUserFunc indicates an expected call of GetDeleteUserFunc
+func (mr *MockDatabaseCurrentMockRecorder) GetDeleteUserFunc() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDeleteUserFunc", reflect.TypeOf((*MockDatabaseCurrent)(nil).GetDeleteUserFunc))
+}
+
+// GetListUsersFunc mocks base method
+func (m *MockDatabaseCurrent) GetListUsersFunc() func(kubernetes.ClientInt) ([]string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetListUsersFunc")
+	ret0, _ := ret[0].(func(kubernetes.ClientInt) ([]string, error))
+	return ret0
+}
+
+// GetListUsersFunc indicates an expected call of GetListUsersFunc
+func (mr *MockDatabaseCurrentMockRecorder) GetListUsersFunc() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetListUsersFunc", reflect.TypeOf((*MockDatabaseCurrent)(nil).GetListUsersFunc))
+}
+
+// GetListDatabasesFunc mocks base method
+func (m *MockDatabaseCurrent) GetListDatabasesFunc() func(kubernetes.ClientInt) ([]string, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetListDatabasesFunc")
+	ret0, _ := ret[0].(func(kubernetes.ClientInt) ([]string, error))
+	return ret0
+}
+
+// GetListDatabasesFunc indicates an expected call of GetListDatabasesFunc
+func (mr *MockDatabaseCurrentMockRecorder) GetListDatabasesFunc() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetListDatabasesFunc", reflect.TypeOf((*MockDatabaseCurrent)(nil).GetListDatabasesFunc))
+}