Stefan Benz 25c9d7371d
fix(zitadelctl): implementation for commands in crd mode (#1685)
* fix(zitadelctl): implement takedown command

* fix(zitadelctl): correct destroy flow

* fix(zitadelctl): correct backup commands to read crds beforehand

* fix: add of destroyfile

* fix: clean for userlist

* fix: determine mode by --gitops flag for backups

* refactor: return error instead of higher order function

* fix(destroy): needs no self-reconciling

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(destroy): needs no self-reconciling

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

* fix(logs): fix double handled error

Co-authored-by: Elio Bischof <eliobischof@gmail.com>

Co-authored-by: Elio Bischof <eliobischof@gmail.com>
2021-07-20 15:47:48 +02:00


package rbac
import (
"github.com/caos/orbos/mntr"
"github.com/caos/orbos/pkg/kubernetes"
"github.com/caos/orbos/pkg/kubernetes/resources/clusterrole"
"github.com/caos/orbos/pkg/kubernetes/resources/clusterrolebinding"
"github.com/caos/orbos/pkg/kubernetes/resources/role"
"github.com/caos/orbos/pkg/kubernetes/resources/rolebinding"
"github.com/caos/orbos/pkg/kubernetes/resources/serviceaccount"
"github.com/caos/orbos/pkg/labels"
"github.com/caos/zitadel/operator"
)
// AdaptFunc builds the query and destroy functions for the RBAC objects
// backing one zitadel service account: a ServiceAccount, a namespaced Role
// and RoleBinding, and a ClusterRole and ClusterRoleBinding. Every object
// is named after nameLabels and the Role-scoped ones live in namespace.
//
// The argument lists handed to the role builders read as API groups,
// resources and verbs: the Role grants create and get on secrets in the
// core API group inside namespace, and the ClusterRole grants create, get
// and watch on certificates.k8s.io certificatesigningrequests cluster-wide.
// Both are bound to the ServiceAccount through the two bindings, so these
// two lists are the full set of permissions a pod running under that
// account can exercise; widening either list widens what a compromised pod
// can reach, so keep them minimal.
//
// The queriers are listed with the service account first and the role
// objects after it; the destroyers list the role objects first and the
// service account last. A failing builder returns its error unchanged,
// with nil functions.
func AdaptFunc(
	monitor mntr.Monitor,
	namespace string,
	nameLabels *labels.Name,
) (
	operator.QueryFunc,
	operator.DestroyFunc,
	error,
) {
	rbacMonitor := monitor.WithField("component", "rbac")
	name := nameLabels.Name()

	destroySA, err := serviceaccount.AdaptFuncToDestroy(namespace, name)
	if err != nil {
		return nil, nil, err
	}
	destroyRole, err := role.AdaptFuncToDestroy(name, namespace)
	if err != nil {
		return nil, nil, err
	}
	destroyClusterRole, err := clusterrole.AdaptFuncToDestroy(name)
	if err != nil {
		return nil, nil, err
	}
	destroyRoleBinding, err := rolebinding.AdaptFuncToDestroy(namespace, name)
	if err != nil {
		return nil, nil, err
	}
	destroyClusterRoleBinding, err := clusterrolebinding.AdaptFuncToDestroy(name)
	if err != nil {
		return nil, nil, err
	}

	// Roles and bindings come first; the service account is listed last.
	destroyers := []operator.DestroyFunc{
		operator.ResourceDestroyToZitadelDestroy(destroyRole),
		operator.ResourceDestroyToZitadelDestroy(destroyClusterRole),
		operator.ResourceDestroyToZitadelDestroy(destroyRoleBinding),
		operator.ResourceDestroyToZitadelDestroy(destroyClusterRoleBinding),
		operator.ResourceDestroyToZitadelDestroy(destroySA),
	}

	querySA, err := serviceaccount.AdaptFuncToEnsure(namespace, nameLabels)
	if err != nil {
		return nil, nil, err
	}

	// Namespaced permissions: secrets in the core API group.
	secretGroups := []string{""}
	secretResources := []string{"secrets"}
	secretVerbs := []string{"create", "get"}
	queryRole, err := role.AdaptFuncToEnsure(namespace, nameLabels, secretGroups, secretResources, secretVerbs)
	if err != nil {
		return nil, nil, err
	}

	// Cluster-wide permissions: certificate signing requests.
	csrGroups := []string{"certificates.k8s.io"}
	csrResources := []string{"certificatesigningrequests"}
	csrVerbs := []string{"create", "get", "watch"}
	queryClusterRole, err := clusterrole.AdaptFuncToEnsure(nameLabels, csrGroups, csrResources, csrVerbs)
	if err != nil {
		return nil, nil, err
	}

	// Both bindings point at the same service account, but each binding
	// package declares its own Subject type.
	roleSubject := rolebinding.Subject{Kind: "ServiceAccount", Name: name, Namespace: namespace}
	queryRoleBinding, err := rolebinding.AdaptFuncToEnsure(namespace, nameLabels, []rolebinding.Subject{roleSubject}, name)
	if err != nil {
		return nil, nil, err
	}
	clusterRoleSubject := clusterrolebinding.Subject{Kind: "ServiceAccount", Name: name, Namespace: namespace}
	queryClusterRoleBinding, err := clusterrolebinding.AdaptFuncToEnsure(nameLabels, []clusterrolebinding.Subject{clusterRoleSubject}, name)
	if err != nil {
		return nil, nil, err
	}

	// Service account first, then the role objects that reference it.
	queriers := []operator.QueryFunc{
		operator.ResourceQueryToZitadelQuery(querySA),
		operator.ResourceQueryToZitadelQuery(queryRole),
		operator.ResourceQueryToZitadelQuery(queryClusterRole),
		operator.ResourceQueryToZitadelQuery(queryRoleBinding),
		operator.ResourceQueryToZitadelQuery(queryClusterRoleBinding),
	}

	query := func(k8sClient kubernetes.ClientInt, queried map[string]interface{}) (operator.EnsureFunc, error) {
		return operator.QueriersToEnsureFunc(rbacMonitor, false, queriers, k8sClient, queried)
	}
	return query, operator.DestroyersToDestroyFunc(rbacMonitor, destroyers), nil
}