mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-23 16:27:35 +00:00
25c9d7371d
* fix(zitadelctl): implement takedown command * fix(zitadelctl): correct destroy flow * fix(zitadelctl): correct backup commands to read crds beforehand * fix: add of destroyfile * fix: clean for userlist * fix: determine mode by --gitops flag for backups * refactor: return error instead of higher order function * fix(destroy): needs no self-reconciling Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(destroy): needs no self-reconciling Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> * fix(logs): fix double handled error Co-authored-by: Elio Bischof <eliobischof@gmail.com> Co-authored-by: Elio Bischof <eliobischof@gmail.com>
107 lines
3.3 KiB
Go
107 lines
3.3 KiB
Go
package rbac
|
|
|
|
import (
|
|
"github.com/caos/orbos/mntr"
|
|
"github.com/caos/orbos/pkg/kubernetes"
|
|
"github.com/caos/orbos/pkg/kubernetes/resources/clusterrole"
|
|
"github.com/caos/orbos/pkg/kubernetes/resources/clusterrolebinding"
|
|
"github.com/caos/orbos/pkg/kubernetes/resources/role"
|
|
"github.com/caos/orbos/pkg/kubernetes/resources/rolebinding"
|
|
"github.com/caos/orbos/pkg/kubernetes/resources/serviceaccount"
|
|
"github.com/caos/orbos/pkg/labels"
|
|
"github.com/caos/zitadel/operator"
|
|
)
|
|
|
|
func AdaptFunc(
|
|
monitor mntr.Monitor,
|
|
namespace string,
|
|
nameLabels *labels.Name,
|
|
) (
|
|
operator.QueryFunc,
|
|
operator.DestroyFunc,
|
|
error,
|
|
) {
|
|
|
|
internalMonitor := monitor.WithField("component", "rbac")
|
|
|
|
serviceAccountLabels := nameLabels
|
|
roleLabels := nameLabels
|
|
clusterRoleLabels := nameLabels
|
|
|
|
destroySA, err := serviceaccount.AdaptFuncToDestroy(namespace, serviceAccountLabels.Name())
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
destroyR, err := role.AdaptFuncToDestroy(roleLabels.Name(), namespace)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
destroyCR, err := clusterrole.AdaptFuncToDestroy(clusterRoleLabels.Name())
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
destroyRB, err := rolebinding.AdaptFuncToDestroy(namespace, roleLabels.Name())
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
destroyCRB, err := clusterrolebinding.AdaptFuncToDestroy(roleLabels.Name())
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
destroyers := []operator.DestroyFunc{
|
|
operator.ResourceDestroyToZitadelDestroy(destroyR),
|
|
operator.ResourceDestroyToZitadelDestroy(destroyCR),
|
|
operator.ResourceDestroyToZitadelDestroy(destroyRB),
|
|
operator.ResourceDestroyToZitadelDestroy(destroyCRB),
|
|
operator.ResourceDestroyToZitadelDestroy(destroySA),
|
|
}
|
|
|
|
querySA, err := serviceaccount.AdaptFuncToEnsure(namespace, serviceAccountLabels)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
queryR, err := role.AdaptFuncToEnsure(namespace, roleLabels, []string{""}, []string{"secrets"}, []string{"create", "get"})
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
queryCR, err := clusterrole.AdaptFuncToEnsure(clusterRoleLabels, []string{"certificates.k8s.io"}, []string{"certificatesigningrequests"}, []string{"create", "get", "watch"})
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
subjects := []rolebinding.Subject{{Kind: "ServiceAccount", Name: serviceAccountLabels.Name(), Namespace: namespace}}
|
|
queryRB, err := rolebinding.AdaptFuncToEnsure(namespace, roleLabels, subjects, roleLabels.Name())
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
subjectsCRB := []clusterrolebinding.Subject{{Kind: "ServiceAccount", Name: serviceAccountLabels.Name(), Namespace: namespace}}
|
|
queryCRB, err := clusterrolebinding.AdaptFuncToEnsure(roleLabels, subjectsCRB, roleLabels.Name())
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
queriers := []operator.QueryFunc{
|
|
//serviceaccount
|
|
operator.ResourceQueryToZitadelQuery(querySA),
|
|
//rbac
|
|
operator.ResourceQueryToZitadelQuery(queryR),
|
|
operator.ResourceQueryToZitadelQuery(queryCR),
|
|
operator.ResourceQueryToZitadelQuery(queryRB),
|
|
operator.ResourceQueryToZitadelQuery(queryCRB),
|
|
}
|
|
return func(k8sClient kubernetes.ClientInt, queried map[string]interface{}) (operator.EnsureFunc, error) {
|
|
return operator.QueriersToEnsureFunc(internalMonitor, false, queriers, k8sClient, queried)
|
|
},
|
|
operator.DestroyersToDestroyFunc(internalMonitor, destroyers),
|
|
nil
|
|
|
|
}
|