zitadel/operator/database/kinds/databases/managed/rbac/adapt.go

package rbac

import (
	"github.com/caos/orbos/mntr"
	"github.com/caos/orbos/pkg/kubernetes"
	"github.com/caos/orbos/pkg/kubernetes/resources/clusterrole"
	"github.com/caos/orbos/pkg/kubernetes/resources/clusterrolebinding"
	"github.com/caos/orbos/pkg/kubernetes/resources/role"
	"github.com/caos/orbos/pkg/kubernetes/resources/rolebinding"
	"github.com/caos/orbos/pkg/kubernetes/resources/serviceaccount"
	"github.com/caos/orbos/pkg/labels"
	"github.com/caos/zitadel/operator"
)

func AdaptFunc(
	monitor mntr.Monitor,
	namespace string,
	nameLabels *labels.Name,
) (
	operator.QueryFunc,
	operator.DestroyFunc,
	error,
) {

	internalMonitor := monitor.WithField("component", "rbac")

	serviceAccountLabels := nameLabels
	roleLabels := nameLabels
	clusterRoleLabels := nameLabels

	destroySA, err := serviceaccount.AdaptFuncToDestroy(namespace, serviceAccountLabels.Name())
	if err != nil {
		return nil, nil, err
	}

	destroyR, err := role.AdaptFuncToDestroy(roleLabels.Name(), namespace)
	if err != nil {
		return nil, nil, err
	}

	destroyCR, err := clusterrole.AdaptFuncToDestroy(clusterRoleLabels.Name())
	if err != nil {
		return nil, nil, err
	}

	destroyRB, err := rolebinding.AdaptFuncToDestroy(namespace, roleLabels.Name())
	if err != nil {
		return nil, nil, err
	}

	destroyCRB, err := clusterrolebinding.AdaptFuncToDestroy(roleLabels.Name())
	if err != nil {
		return nil, nil, err
	}

	destroyers := []operator.DestroyFunc{
		operator.ResourceDestroyToZitadelDestroy(destroyR),
		operator.ResourceDestroyToZitadelDestroy(destroyCR),
		operator.ResourceDestroyToZitadelDestroy(destroyRB),
		operator.ResourceDestroyToZitadelDestroy(destroyCRB),
		operator.ResourceDestroyToZitadelDestroy(destroySA),
	}

	querySA, err := serviceaccount.AdaptFuncToEnsure(namespace, serviceAccountLabels)
	if err != nil {
		return nil, nil, err
	}

	queryR, err := role.AdaptFuncToEnsure(namespace, roleLabels, []string{""}, []string{"secrets"}, []string{"create", "get"})
	if err != nil {
		return nil, nil, err
	}

	queryCR, err := clusterrole.AdaptFuncToEnsure(clusterRoleLabels, []string{"certificates.k8s.io"}, []string{"certificatesigningrequests"}, []string{"create", "get", "watch"})
	if err != nil {
		return nil, nil, err
	}

	subjects := []rolebinding.Subject{{Kind: "ServiceAccount", Name: serviceAccountLabels.Name(), Namespace: namespace}}
	queryRB, err := rolebinding.AdaptFuncToEnsure(namespace, roleLabels, subjects, roleLabels.Name())
	if err != nil {
		return nil, nil, err
	}

	subjectsCRB := []clusterrolebinding.Subject{{Kind: "ServiceAccount", Name: serviceAccountLabels.Name(), Namespace: namespace}}
	queryCRB, err := clusterrolebinding.AdaptFuncToEnsure(roleLabels, subjectsCRB, roleLabels.Name())
	if err != nil {
		return nil, nil, err
	}

	queriers := []operator.QueryFunc{
		//serviceaccount
		operator.ResourceQueryToZitadelQuery(querySA),
		//rbac
		operator.ResourceQueryToZitadelQuery(queryR),
		operator.ResourceQueryToZitadelQuery(queryCR),
		operator.ResourceQueryToZitadelQuery(queryRB),
		operator.ResourceQueryToZitadelQuery(queryCRB),
	}
	return func(k8sClient kubernetes.ClientInt, queried map[string]interface{}) (operator.EnsureFunc, error) {
			return operator.QueriersToEnsureFunc(internalMonitor, false, queriers, k8sClient, queried)
		},
		operator.DestroyersToDestroyFunc(internalMonitor, destroyers),
		nil

}