feat(operator): make running ZITADEL easy (#1562)

* docs: describe crd mode * docs: fix links * docs: fix commands and crdb resources * feat: add configure command * chore: use latest ORBOS * chore: use latest ORBOS * docs: start gitops docs * fix: compile * chore: fix build script path * chore: remove redundant prebuild * chore: add configure.go * docs: describe gitops mode * docs: point template links to main branch * docs: fix versions * feat: initialize empty keys * feat: reconfigure running ZITADEL * docs: describe crd mode * docs: fix links * docs: fix commands and crdb resources * feat: add configure command * chore: use latest ORBOS * chore: use latest ORBOS * docs: start gitops docs * fix: compile * chore: fix build script path * chore: remove redundant prebuild * chore: add configure.go * docs: describe gitops mode * docs: point template links to main branch * docs: fix versions * feat: initialize empty keys * feat: reconfigure running ZITADEL * test: fix * docs: keys are generated with configure * docs: remove keys from template * chore: pass compile time data * chore: use latest ORBOS * fix: when in-cluster, use in-cluster k8s client * fix: try in-cluster config if kubeconfig is empty * fix: reduce unneeded side effects for configure command * docs: boom version * chore: use latest ORBOS * chore: use latest ORBOS * initial commit * inital changes * commit WIP Information Architecture * commit a working state * add static assets and project * add org and fix img names * add plausible * remove img * change sidebar to easier mgmt * add openid oauth and domains * lint md * quickstarts * add auth flow * identity brokering * remove site * fix broken links * extend footer * extend readme * fix: styling * fix: zitadel logo on index * styling * border * fix: nav * fix: nav * fix: index * fix: corrected zitadelctl examples * fix: rename architecture to concepts * fix: introductions * fix: introductions * fix: introductions * docs: cli r/w secrets examples * docs: finish ZITADEL Enterprise Cloud * docs: mention ZITADEL Enterprise Cloud tier * docs: comment configuration options * docs: fix broken links * docs: move some introduction texts around * docs: twilio and email are mandatory * docs: download latest binaries Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: fabi <fabienne.gerschwiler@gmail.com> Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Stefan Benz <stefan@caos.ch>
2025-08-11 21:17:32 +00:00 · 2021-04-22 18:43:34 +02:00
parent 06281b5ccb
commit c0878e4509
73 changed files with 1015 additions and 536 deletions
--- a/cmd/zitadelctl/cmds/backup.go
+++ b/cmd/zitadelctl/cmds/backup.go
@@ -3,9 +3,10 @@ package cmds
 import (
 	"errors"

+	"github.com/caos/orbos/pkg/git"
+
 	"github.com/caos/orbos/pkg/kubernetes/cli"

-	"github.com/caos/zitadel/operator/api"
 	"github.com/caos/zitadel/operator/crtlgitops"
 	"github.com/spf13/cobra"
 )
@@ -41,16 +42,12 @@ func BackupCommand(getRv GetRootValues) *cobra.Command {
 			return errors.New("backup command is only supported with the --gitops flag yet")
 		}

-		k8sClient, _, err := cli.Client(monitor, orbConfig, gitClient, rv.Kubeconfig, rv.Gitops)
+		k8sClient, err := cli.Client(monitor, orbConfig, gitClient, rv.Kubeconfig, rv.Gitops)
 		if err != nil {
 			return err
 		}

-		found, err := api.ExistsDatabaseYml(gitClient)
-		if err != nil {
-			return err
-		}
-		if found {
+		if gitClient.Exists(git.DatabaseFile) {

 			if err := crtlgitops.Backup(
 				monitor,
--- a/cmd/zitadelctl/cmds/configure.go
+++ b/cmd/zitadelctl/cmds/configure.go
@@ -0,0 +1,118 @@
+package cmds
+
+import (
+	"errors"
+
+	"github.com/caos/orbos/pkg/tree"
+
+	"github.com/caos/orbos/pkg/cfg"
+	"github.com/caos/orbos/pkg/git"
+
+	"github.com/caos/orbos/pkg/kubernetes/cli"
+	"github.com/caos/orbos/pkg/orb"
+	"github.com/spf13/cobra"
+
+	orbdb "github.com/caos/zitadel/operator/database/kinds/orb"
+	orbzit "github.com/caos/zitadel/operator/zitadel/kinds/orb"
+)
+
+func ConfigCommand(getRv GetRootValues, ghClientID, ghClientSecret string) *cobra.Command {
+
+	var (
+		newMasterKey string
+		newRepoURL   string
+		cmd          = &cobra.Command{
+			Use:     "configure",
+			Short:   "Configures and reconfigures an orb",
+			Long:    "Generates missing secrets where it makes sense",
+			Aliases: []string{"reconfigure", "config", "reconfig"},
+		}
+	)
+
+	flags := cmd.Flags()
+	flags.StringVar(&newMasterKey, "masterkey", "", "Reencrypts all secrets")
+	flags.StringVar(&newRepoURL, "repourl", "", "Configures the repository URL")
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) (err error) {
+
+		rv, _ := getRv()
+		defer func() {
+			err = rv.ErrFunc(err)
+		}()
+
+		if !rv.Gitops {
+			return errors.New("configure command is only supported with the --gitops flag")
+		}
+
+		if err := orb.Reconfigure(rv.Ctx, rv.Monitor, rv.OrbConfig, newRepoURL, newMasterKey, rv.GitClient, ghClientID, ghClientSecret); err != nil {
+			return err
+		}
+
+		k8sClient, err := cli.Client(rv.Monitor, rv.OrbConfig, rv.GitClient, rv.Kubeconfig, rv.Gitops)
+		if err != nil {
+			rv.Monitor.WithField("reason", err.Error()).Info("Continuing without having a Kubernetes connection")
+			err = nil
+		}
+
+		if err := cfg.ApplyOrbconfigSecret(
+			rv.OrbConfig,
+			k8sClient,
+			rv.Monitor,
+		); err != nil {
+			return err
+		}
+
+		queried := make(map[string]interface{})
+		if err := cfg.ConfigureOperators(
+			rv.GitClient,
+			rv.OrbConfig.Masterkey,
+			append(cfg.ORBOSConfigurers(
+				rv.Monitor,
+				rv.OrbConfig,
+				rv.GitClient,
+			), cfg.OperatorConfigurer(
+				git.DatabaseFile,
+				rv.Monitor,
+				rv.GitClient,
+				func() (*tree.Tree, interface{}, error) {
+					desired, err := rv.GitClient.ReadTree(git.DatabaseFile)
+					if err != nil {
+						return nil, nil, err
+					}
+
+					_, _, configure, _, _, _, err := orbdb.AdaptFunc("", nil, rv.Gitops)(rv.Monitor, desired, &tree.Tree{})
+					if err != nil {
+						return nil, nil, err
+					}
+					return desired, desired.Parsed, configure(k8sClient, queried, rv.Gitops)
+				},
+			), cfg.OperatorConfigurer(
+				git.ZitadelFile,
+				rv.Monitor,
+				rv.GitClient,
+				func() (*tree.Tree, interface{}, error) {
+					desired, err := rv.GitClient.ReadTree(git.ZitadelFile)
+					if err != nil {
+						return nil, nil, err
+					}
+
+					_, _, configure, _, _, _, err := orbzit.AdaptFunc(
+						rv.OrbConfig,
+						"configure",
+						nil,
+						rv.Gitops,
+						nil,
+					)(rv.Monitor, desired, &tree.Tree{})
+					if err != nil {
+						return nil, nil, err
+					}
+					return desired, desired.Parsed, configure(k8sClient, queried, rv.Gitops)
+				},
+			))); err != nil {
+			return err
+		}
+		rv.Monitor.Info("Configuration succeeded")
+		return nil
+	}
+	return cmd
+}
--- a/cmd/zitadelctl/cmds/readsecret.go
+++ b/cmd/zitadelctl/cmds/readsecret.go
@@ -17,7 +17,7 @@ func ReadSecretCommand(getRv GetRootValues) *cobra.Command {
 		Short:   "Print a secrets decrypted value to stdout",
 		Long:    "Print a secrets decrypted value to stdout.\nIf no path is provided, a secret can interactively be chosen from a list of all possible secrets",
 		Args:    cobra.MaximumNArgs(1),
-		Example: `zitadelctl readsecret zitadel.emailappkey > ~/emailappkey`,
+		Example: `zitadelctl readsecret database.bucket.serviceaccountjson.encrypted > ~/googlecloudstoragesa.json`,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			rv, err := getRv()
 			if err != nil {
@@ -36,7 +36,7 @@ func ReadSecretCommand(getRv GetRootValues) *cobra.Command {
 				path = args[0]
 			}

-			k8sClient, _, err := cli.Client(monitor, orbConfig, gitClient, rv.Kubeconfig, rv.Gitops)
+			k8sClient, err := cli.Client(monitor, orbConfig, gitClient, rv.Kubeconfig, rv.Gitops)
 			if err != nil && !rv.Gitops {
 				return err
 			}
--- a/cmd/zitadelctl/cmds/restore.go
+++ b/cmd/zitadelctl/cmds/restore.go
@@ -43,7 +43,7 @@ func RestoreCommand(getRv GetRootValues) *cobra.Command {
 			return errors.New("restore command is only supported with the --gitops flag yet")
 		}

-		k8sClient, _, err := cli.Client(monitor, orbConfig, gitClient, rv.Kubeconfig, rv.Gitops)
+		k8sClient, err := cli.Client(monitor, orbConfig, gitClient, rv.Kubeconfig, rv.Gitops)
 		if err != nil {
 			return err
 		}
--- a/cmd/zitadelctl/cmds/root.go
+++ b/cmd/zitadelctl/cmds/root.go
@@ -71,9 +71,9 @@ $ zitadelctl --gitops -f ~/.orb/myorb [command]
 	}

 	flags := cmd.PersistentFlags()
-	flags.BoolVar(&rv.Gitops, "gitops", false, "Run orbctl in gitops mode. Not specifying this flag is only supported for BOOM and Networking Operator")
+	flags.BoolVar(&rv.Gitops, "gitops", false, "Run zitadelctl in gitops mode")
 	flags.StringVarP(&orbConfigPath, "orbconfig", "f", "~/.orb/config", "Path to the file containing the orbs git repo URL, deploy key and the master key for encrypting and decrypting secrets")
-	flags.StringVarP(&rv.Kubeconfig, "kubeconfig", "k", "~/.kube/config", "Path to the kubeconfig file to the cluster orbctl should target")
+	flags.StringVarP(&rv.Kubeconfig, "kubeconfig", "k", "~/.kube/config", "Path to the kubeconfig file to the cluster zitadelctl should target")
 	flags.BoolVar(&verbose, "verbose", false, "Print debug levelled logs")

 	return cmd, func() (*RootValues, error) {
@@ -84,18 +84,17 @@ $ zitadelctl --gitops -f ~/.orb/myorb [command]

 		rv.Monitor = monitor
 		rv.Kubeconfig = helpers.PruneHome(rv.Kubeconfig)
-		rv.GitClient = git.New(ctx, monitor, "orbos", "orbos@caos.ch")
+		rv.GitClient = git.New(ctx, monitor, "zitadel", "orbos@caos.ch")

+		var err error
 		if rv.Gitops {
 			prunedPath := helpers.PruneHome(orbConfigPath)
-			orbConfig, err := orb.ParseOrbConfig(prunedPath)
-			if err != nil {
-				orbConfig = &orb.Orb{Path: prunedPath}
-				return nil, err
+			rv.OrbConfig, err = orb.ParseOrbConfig(prunedPath)
+			if rv.OrbConfig == nil {
+				rv.OrbConfig = &orb.Orb{Path: prunedPath}
 			}
-			rv.OrbConfig = orbConfig
 		}

-		return rv, nil
+		return rv, err
 	}
 }
--- a/cmd/zitadelctl/cmds/start.go
+++ b/cmd/zitadelctl/cmds/start.go
@@ -1,8 +1,7 @@
 package cmds

 import (
-	"github.com/caos/orbos/pkg/kubernetes/cli"
-
+	"github.com/caos/orbos/pkg/kubernetes"
 	"github.com/caos/zitadel/operator/crtlcrd"
 	"github.com/caos/zitadel/operator/crtlgitops"
 	"github.com/spf13/cobra"
@@ -34,7 +33,7 @@ func StartOperator(getRv GetRootValues) *cobra.Command {
 		version := rv.Version

 		if rv.Gitops {
-			k8sClient, _, err := cli.Client(monitor, orbConfig, rv.GitClient, rv.Kubeconfig, rv.Gitops)
+			k8sClient, err := kubernetes.NewK8sClientWithPath(monitor, rv.Kubeconfig)
 			if err != nil {
 				return err
 			}
@@ -53,7 +52,6 @@ func StartOperator(getRv GetRootValues) *cobra.Command {

 func StartDatabase(getRv GetRootValues) *cobra.Command {
 	var (
-		kubeconfig  string
 		metricsAddr string
 		cmd         = &cobra.Command{
 			Use:   "database",
@@ -62,7 +60,6 @@ func StartDatabase(getRv GetRootValues) *cobra.Command {
 		}
 	)
 	flags := cmd.Flags()
-	flags.StringVar(&kubeconfig, "kubeconfig", "", "kubeconfig used by database operator")
 	flags.StringVar(&metricsAddr, "metrics-addr", "", "The address the metric endpoint binds to.")

 	cmd.RunE = func(cmd *cobra.Command, args []string) (err error) {
@@ -79,7 +76,7 @@ func StartDatabase(getRv GetRootValues) *cobra.Command {
 		version := rv.Version

 		if rv.Gitops {
-			k8sClient, _, err := cli.Client(monitor, orbConfig, rv.GitClient, rv.Kubeconfig, rv.Gitops)
+			k8sClient, err := kubernetes.NewK8sClientWithPath(monitor, rv.Kubeconfig)
 			if err != nil {
 				return err
 			}
--- a/cmd/zitadelctl/cmds/takeoff.go
+++ b/cmd/zitadelctl/cmds/takeoff.go
@@ -9,7 +9,6 @@ import (
 	"github.com/caos/orbos/mntr"
 	"github.com/caos/orbos/pkg/git"
 	"github.com/caos/orbos/pkg/kubernetes"
-	"github.com/caos/zitadel/operator/api"
 	orbzit "github.com/caos/zitadel/operator/zitadel/kinds/orb"
 	"github.com/spf13/cobra"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
@@ -19,7 +18,7 @@ func TakeoffCommand(getRv GetRootValues) *cobra.Command {
 	var (
 		cmd = &cobra.Command{
 			Use:   "takeoff",
-			Short: "Launch a ZITADEL operator on the orb",
+			Short: "Launch a ZITADEL operator and database operator on the orb",
 			Long:  "Ensures a desired state of the resources on the orb",
 		}
 	)
@@ -37,7 +36,7 @@ func TakeoffCommand(getRv GetRootValues) *cobra.Command {
 		orbConfig := rv.OrbConfig
 		gitClient := rv.GitClient

-		k8sClient, _, err := cli.Client(
+		k8sClient, err := cli.Client(
 			monitor,
 			orbConfig,
 			gitClient,
@@ -92,13 +91,9 @@ func TakeoffCommand(getRv GetRootValues) *cobra.Command {

 func deployOperator(monitor mntr.Monitor, gitClient *git.Client, k8sClient kubernetes.ClientInt, version string, gitops bool) error {
 	if gitops {
-		found, err := api.ExistsZitadelYml(gitClient)
-		if err != nil {
-			return err
-		}
-		if found {
+		if gitClient.Exists(git.ZitadelFile) {

-			desiredTree, err := api.ReadZitadelYml(gitClient)
+			desiredTree, err := gitClient.ReadTree(git.ZitadelFile)
 			if err != nil {
 				return err
 			}
@@ -131,12 +126,8 @@ func deployOperator(monitor mntr.Monitor, gitClient *git.Client, k8sClient kuber

 func deployDatabase(monitor mntr.Monitor, gitClient *git.Client, k8sClient kubernetes.ClientInt, version string, gitops bool) error {
 	if gitops {
-		found, err := api.ExistsDatabaseYml(gitClient)
-		if err != nil {
-			return err
-		}
-		if found {
-			desiredTree, err := api.ReadDatabaseYml(gitClient)
+		if gitClient.Exists(git.DatabaseFile) {
+			desiredTree, err := gitClient.ReadTree(git.DatabaseFile)
 			if err != nil {
 				return err
 			}
--- a/cmd/zitadelctl/cmds/writesecret.go
+++ b/cmd/zitadelctl/cmds/writesecret.go
@@ -24,8 +24,9 @@ func WriteSecretCommand(getRv GetRootValues) *cobra.Command {
 			Short: "Encrypt a secret and push it to the repository",
 			Long:  "Encrypt a secret and push it to the repository.\nIf no path is provided, a secret can interactively be chosen from a list of all possible secrets",
 			Args:  cobra.MaximumNArgs(1),
-			Example: `orbctl writesecret mystaticprovider.bootstrapkey --file ~/.ssh/my-orb-bootstrap
-orbctl writesecret mygceprovider.google_application_credentials_value --value "$(cat $GOOGLE_APPLICATION_CREDENTIALS)" `,
+			Example: `zitadelctl writesecret database.bucket.serviceaccountjson.encrypted --file ~/googlecloudstoragesa.json
+zitadelctl writesecret database.bucket.serviceaccountjson.encrypted --value "$(cat ~/googlecloudstoragesa.json)"
+cat ~/googlecloudstoragesa.json | zitadelctl writesecret database.bucket.serviceaccountjson.encrypted --stdin`,
 		}
 	)

@@ -58,7 +59,7 @@ orbctl writesecret mygceprovider.google_application_credentials_value --value "$
 			path = args[0]
 		}

-		k8sClient, _, err := cli.Client(monitor, orbConfig, gitClient, rv.Kubeconfig, rv.Gitops)
+		k8sClient, err := cli.Client(monitor, orbConfig, gitClient, rv.Kubeconfig, rv.Gitops)
 		if err != nil && !rv.Gitops {
 			return err
 		}
--- a/cmd/zitadelctl/main.go
+++ b/cmd/zitadelctl/main.go
@@ -2,12 +2,15 @@ package main

 import (
 	"fmt"
-	"github.com/caos/zitadel/cmd/zitadelctl/cmds"
 	"os"
+
+	"github.com/caos/zitadel/cmd/zitadelctl/cmds"
 )

 var (
-	Version = "unknown"
+	Version            = "unknown"
+	githubClientID     = "none"
+	githubClientSecret = "none"
 )

 func main() {
@@ -23,6 +26,7 @@ func main() {
 		cmds.WriteSecretCommand(rootValues),
 		cmds.BackupCommand(rootValues),
 		cmds.StartDatabase(rootValues),
+		cmds.ConfigCommand(rootValues, githubClientID, githubClientSecret),
 	)

 	if err := rootCmd.Execute(); err != nil {