feat(operator): make running ZITADEL easy (#1562)

* docs: describe crd mode

* docs: fix links

* docs: fix commands and crdb resources

* feat: add configure command

* chore: use latest ORBOS

* chore: use latest ORBOS

* docs: start gitops docs

* fix: compile

* chore: fix build script path

* chore: remove redundant prebuild

* chore: add configure.go

* docs: describe gitops mode

* docs: point template links to main branch

* docs: fix versions

* feat: initialize empty keys

* feat: reconfigure running ZITADEL

* docs: describe crd mode

* docs: fix links

* docs: fix commands and crdb resources

* feat: add configure command

* chore: use latest ORBOS

* chore: use latest ORBOS

* docs: start gitops docs

* fix: compile

* chore: fix build script path

* chore: remove redundant prebuild

* chore: add configure.go

* docs: describe gitops mode

* docs: point template links to main branch

* docs: fix versions

* feat: initialize empty keys

* feat: reconfigure running ZITADEL

* test: fix

* docs: keys are generated with configure

* docs: remove keys from template

* chore: pass compile time data

* chore: use latest ORBOS

* fix: when in-cluster, use in-cluster k8s client

* fix: try in-cluster config if kubeconfig is empty

* fix: reduce unneeded side effects for configure command

* docs: boom version

* chore: use latest ORBOS

* chore: use latest ORBOS

* initial commit

* initial changes

* commit WIP Information Architecture

* commit a working state

* add static assets and project

* add org and fix img names

* add plausible

* remove img

* change sidebar to easier mgmt

* add openid oauth and domains

* lint md

* quickstarts

* add auth flow

* identity brokering

* remove site

* fix broken links

* extend footer

* extend readme

* fix: styling

* fix: zitadel logo on index

* styling

* border

* fix: nav

* fix: nav

* fix: index

* fix: corrected zitadelctl examples

* fix: rename architecture to concepts

* fix: introductions

* fix: introductions

* fix: introductions

* docs: cli r/w secrets examples

* docs: finish ZITADEL Enterprise Cloud

* docs: mention ZITADEL Enterprise Cloud tier

* docs: comment configuration options

* docs: fix broken links

* docs: move some introduction texts around

* docs: twilio and email are mandatory

* docs: download latest binaries

Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: fabi <fabienne.gerschwiler@gmail.com>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: Stefan Benz <stefan@caos.ch>
Elio Bischof
2021-04-22 18:43:34 +02:00
committed by GitHub
parent 06281b5ccb
commit c0878e4509
73 changed files with 1015 additions and 536 deletions


@@ -36,7 +36,7 @@ const (
image = "cockroachdb/cockroach:v20.2.3"
)
func AdaptFunc(
func Adapter(
componentLabels *labels.Component,
namespace string,
timestamp string,
@@ -44,18 +44,7 @@ func AdaptFunc(
tolerations []corev1.Toleration,
version string,
features []string,
) func(
monitor mntr.Monitor,
desired *tree.Tree,
current *tree.Tree,
) (
operator.QueryFunc,
operator.DestroyFunc,
map[string]*secret.Secret,
map[string]*secret.Existing,
bool,
error,
) {
) operator.AdaptFunc {
return func(
monitor mntr.Monitor,
@@ -64,6 +53,7 @@ func AdaptFunc(
) (
operator.QueryFunc,
operator.DestroyFunc,
operator.ConfigureFunc,
map[string]*secret.Secret,
map[string]*secret.Existing,
bool,
@@ -79,7 +69,7 @@ func AdaptFunc(
desiredKind, err := parseDesiredV0(desired)
if err != nil {
return nil, nil, nil, nil, false, errors.Wrap(err, "parsing desired state failed")
return nil, nil, nil, nil, nil, false, errors.Wrap(err, "parsing desired state failed")
}
desired.Parsed = desiredKind
@@ -102,15 +92,15 @@ func AdaptFunc(
queryCert, destroyCert, addUser, deleteUser, listUsers, err := certificate.AdaptFunc(internalMonitor, namespace, componentLabels, desiredKind.Spec.ClusterDns, isFeatureDatabase)
if err != nil {
return nil, nil, nil, nil, false, err
return nil, nil, nil, nil, nil, false, err
}
addRoot, err := addUser("root")
if err != nil {
return nil, nil, nil, nil, false, err
return nil, nil, nil, nil, nil, false, err
}
destroyRoot, err := deleteUser("root")
if err != nil {
return nil, nil, nil, nil, false, err
return nil, nil, nil, nil, nil, false, err
}
queryRBAC, destroyRBAC, err := rbac.AdaptFunc(internalMonitor, namespace, labels.MustForName(componentLabels, serviceAccountName))
@@ -136,7 +126,7 @@ func AdaptFunc(
desiredKind.Spec.Resources,
)
if err != nil {
return nil, nil, nil, nil, false, err
return nil, nil, nil, nil, nil, false, err
}
queryS, destroyS, err := services.AdaptFunc(
@@ -157,12 +147,12 @@ func AdaptFunc(
queryPDB, err := pdb.AdaptFuncToEnsure(namespace, labels.MustForName(componentLabels, pdbName), cockroachSelector, "1")
if err != nil {
return nil, nil, nil, nil, false, err
return nil, nil, nil, nil, nil, false, err
}
destroyPDB, err := pdb.AdaptFuncToDestroy(namespace, pdbName)
if err != nil {
return nil, nil, nil, nil, false, err
return nil, nil, nil, nil, nil, false, err
}
currentDB := &Current{
@@ -176,7 +166,11 @@ func AdaptFunc(
}
current.Parsed = currentDB
queriers := make([]operator.QueryFunc, 0)
var (
queriers = make([]operator.QueryFunc, 0)
destroyers = make([]operator.DestroyFunc, 0)
configurers = make([]operator.ConfigureFunc, 0)
)
if isFeatureDatabase {
queriers = append(queriers,
queryRBAC,
@@ -189,7 +183,6 @@ func AdaptFunc(
)
}
destroyers := make([]operator.DestroyFunc, 0)
if isFeatureDatabase {
destroyers = append(destroyers,
operator.ResourceDestroyToZitadelDestroy(destroyPDB),
@@ -213,7 +206,7 @@ func AdaptFunc(
for backupName, desiredBackup := range desiredKind.Spec.Backups {
currentBackup := &tree.Tree{}
if timestamp == "" || !oneBackup || (timestamp != "" && strings.HasPrefix(timestamp, backupName)) {
queryB, destroyB, secrets, existing, migrateB, err := backups.GetQueryAndDestroyFuncs(
queryB, destroyB, configureB, secrets, existing, migrateB, err := backups.Adapt(
internalMonitor,
desiredBackup,
currentBackup,
@@ -228,7 +221,7 @@ func AdaptFunc(
features,
)
if err != nil {
return nil, nil, nil, nil, false, err
return nil, nil, nil, nil, nil, false, err
}
migrate = migrate || migrateB
@@ -236,6 +229,7 @@ func AdaptFunc(
secret.AppendSecrets(backupName, allSecrets, secrets, allExisting, existing)
destroyers = append(destroyers, destroyB)
queriers = append(queriers, queryB)
configurers = append(configurers, configureB)
}
}
}
@@ -262,6 +256,14 @@ func AdaptFunc(
return ensure, err
},
operator.DestroyersToDestroyFunc(internalMonitor, destroyers),
func(k8sClient kubernetes.ClientInt, queried map[string]interface{}, gitops bool) error {
for i := range configurers {
if err := configurers[i](k8sClient, queried, gitops); err != nil {
return err
}
}
return nil
},
allSecrets,
allExisting,
migrate,
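Review bot: The aggregate configure closure added near the end of the returned function calls every entry of `configurers` unconditionally, and those entries are appended straight from `backups.Adapt` with `configurers = append(configurers, configureB)` and no nil check. If any backup kind returns a nil `operator.ConfigureFunc` (not visible on this page, so worth confirming), the loop panics inside the operator instead of returning an error. Guarding the append with `if configureB != nil { configurers = append(configurers, configureB) }` would make it safe. Because the closure indexes the slice by position, the returned error also does not say which backup's configure step failed; wrapping it with `backupName` at append time would give an operator that context. The enclosing function starts and ends outside the hunks shown here.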


@@ -84,7 +84,7 @@ func TestManaged_AdaptBucketBackup(t *testing.T) {
bucket.SetBackup(k8sClient, namespace, labels, saJson)
k8sClient.EXPECT().WaitUntilStatefulsetIsReady(namespace, SfsName, true, true, 60*time.Second)
query, _, _, _, _, err := AdaptFunc(componentLabels, namespace, timestamp, nodeselector, tolerations, version, features)(monitor, desired, &tree.Tree{})
query, _, _, _, _, _, err := Adapter(componentLabels, namespace, timestamp, nodeselector, tolerations, version, features)(monitor, desired, &tree.Tree{})
assert.NoError(t, err)
databases := []string{"test1", "test2"}
@@ -124,7 +124,7 @@ func TestManaged_AdaptBucketInstantBackup(t *testing.T) {
desired := getTreeWithDBAndBackup(t, masterkey, saJson, backupName)
query, _, _, _, _, err := AdaptFunc(componentLabels, namespace, timestamp, nodeselector, tolerations, version, features)(monitor, desired, &tree.Tree{})
query, _, _, _, _, _, err := Adapter(componentLabels, namespace, timestamp, nodeselector, tolerations, version, features)(monitor, desired, &tree.Tree{})
assert.NoError(t, err)
databases := []string{"test1", "test2"}
@@ -165,7 +165,7 @@ func TestManaged_AdaptBucketCleanAndRestore(t *testing.T) {
desired := getTreeWithDBAndBackup(t, masterkey, saJson, backupName)
query, _, _, _, _, err := AdaptFunc(componentLabels, namespace, timestamp, nodeselector, tolerations, version, features)(monitor, desired, &tree.Tree{})
query, _, _, _, _, _, err := Adapter(componentLabels, namespace, timestamp, nodeselector, tolerations, version, features)(monitor, desired, &tree.Tree{})
assert.NoError(t, err)
databases := []string{"test1", "test2"}
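Review bot: The new `operator.ConfigureFunc` return value is discarded with `_` in all three updated calls in this file (`query, _, _, _, _, _, err := Adapter(...)`), and the same pattern appears in the `TestManaged_Adapt1` and `TestManaged_Adapt2` calls in the next file section. The configure path this commit introduces is therefore not exercised by any test visible on this page. Binding it, for example `query, _, configure, _, _, _, err := Adapter(...)`, and asserting that it returns no error against the mocked client would cover the aggregation loop; any extra mock expectations this needs depend on code outside the hunks. The test functions start and end outside the hunks.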


@@ -133,7 +133,7 @@ func TestManaged_Adapt1(t *testing.T) {
dbCurrent.EXPECT().SetCertificateKey(gomock.Any()).MinTimes(1).MaxTimes(1)
k8sClient.EXPECT().ApplySecret(gomock.Any()).MinTimes(1).MaxTimes(1)
query, _, _, _, _, err := AdaptFunc(componentLabels, namespace, timestamp, nodeselector, tolerations, version, features)(monitor, desired, &tree.Tree{})
query, _, _, _, _, _, err := Adapter(componentLabels, namespace, timestamp, nodeselector, tolerations, version, features)(monitor, desired, &tree.Tree{})
assert.NoError(t, err)
ensure, err := query(k8sClient, queried)
@@ -245,7 +245,7 @@ func TestManaged_Adapt2(t *testing.T) {
dbCurrent.EXPECT().SetCertificateKey(gomock.Any()).MinTimes(1).MaxTimes(1)
k8sClient.EXPECT().ApplySecret(gomock.Any()).MinTimes(1).MaxTimes(1)
query, _, _, _, _, err := AdaptFunc(componentLabels, namespace, timestamp, nodeselector, tolerations, version, features)(monitor, desired, &tree.Tree{})
query, _, _, _, _, _, err := Adapter(componentLabels, namespace, timestamp, nodeselector, tolerations, version, features)(monitor, desired, &tree.Tree{})
assert.NoError(t, err)
ensure, err := query(k8sClient, queried)