mirror of
https://github.com/zitadel/zitadel.git
synced 2025-11-15 09:23:36 +00:00
ad25f35539
* feat(operator): add base for zitadel operator * fix(operator): changed pipeline to release operator * fix(operator): fmt with only one parameter * fix(operator): corrected workflow job name * fix(zitadelctl): added restore and backuplist command * fix(zitadelctl): scale for restore * chore(container): use scratch for deploy container * fix(zitadelctl): limit image to scratch * fix(migration): added migration scripts for newer version * fix(operator): changed handling of kubeconfig in operator logic * fix(operator): changed handling of secrets in operator logic * fix(operator): use new version of zitadel * fix(operator): added path for migrations * fix(operator): delete doublets of migration scripts * fix(operator): delete subpaths and integrate logic into init container * fix(operator): corrected path in dockerfile for local migrations * fix(operator): added migrations for cockroachdb-secure * fix(operator): delete logic for ambassador module * fix(operator): added read and write secret commands * fix(operator): correct and align operator pipeline with zitadel pipeline * fix(operator): correct yaml error in operator pipeline * fix(operator): correct action name in operator pipeline * fix(operator): correct case-sensitive filename in operator pipeline * fix(operator): upload artifacts from buildx output * fix(operator): corrected attribute spelling error * fix(operator): combined jobs for operator binary and image * fix(operator): added missing comma in operator pipeline * fix(operator): added codecov for operator image * fix(operator): added codecov for operator image * fix(testing): code changes for testing and several unit-tests (#1009) * fix(operator): usage of interface of kubernetes client for testing and several unit-tests * fix(operator): several unit-tests * fix(operator): several unit-tests * fix(operator): changed order for the operator logic * fix(operator): added version of zitadelctl from semantic release * fix(operator): corrected function call with version of zitadelctl * fix(operator): corrected function call with version of zitadelctl * fix(operator): add check output to operator release pipeline * fix(operator): set --short length everywhere to 12 * fix(operator): zitadel setup in job instead of exec with several unit tests * fix(operator): fixes to combine newest zitadel and testing branch * fix(operator): corrected path in Dockerfile * fix(operator): fixed unit-test that was ignored during changes * fix(operator): fixed unit-test that was ignored during changes * fix(operator): corrected Dockerfile to correctly use env variable * fix(operator): quickfix takeoff deployment * fix(operator): corrected the clusterrolename in the applied artifacts * fix: update secure migrations * fix(operator): migrations (#1057) * fix(operator): copied migrations from orbos repository * fix(operator): newest migrations * chore: use cockroach-secure * fix: rename migration * fix: remove insecure cockroach migrations Co-authored-by: Stefan Benz <stefan@caos.ch> * fix: finalize labels * fix(operator): cli logging concurrent and fixe deployment of operator during restore * fix: finalize labels and cli commands * fix: restore * chore: cockroachdb is always secure * chore: use orbos consistent-labels latest commit * test: make tests compatible with new labels * fix: default to sa token for start command * fix: use cockroachdb v12.02 * fix: don't delete flyway user * test: fix migration test * fix: use correct table qualifiers * fix: don't alter sequence ownership * fix: upgrade flyway * fix: change ownership of all dbs and tables to admin user * fix: change defaultdb user * fix: treat clientid status codes >= 400 as errors * fix: reconcile specified ZITADEL version, not binary version * fix: add ca-certs * fix: use latest orbos code * fix: use orbos with fixed race condition * fix: use latest ORBOS code * fix: use latest ORBOS code * fix: make migration and scaling around restoring work * fix(operator): move zitadel operator * chore(migrations): include owner change migration * feat(db): add code base for database operator * fix(db): change used image registry for database operator * fix(db): generated mock * fix(db): add accidentally ignored file * fix(db): add cockroachdb backup image to pipeline * fix(db): correct pipeline and image versions * fix(db): correct version of used orbos * fix(db): correct database import * fix(db): go mod tidy * fix(db): use new version for orbos * fix(migrations): include migrations into zitadelctl binary (#1211) * fix(db): use statik to integrate migrations into binary * fix(migrations): corrections unit tests and pipeline for integrated migrations into zitadelctl binary * fix(migrations): correction in dockerfile for pipeline build * fix(migrations): correction in dockerfile for pipeline build * fix(migrations): dockerfile changes for cache optimization * fix(database): correct used part-of label in database operator * fix(database): correct used selectable label in zitadel operator * fix(operator): correct lables for user secrets in zitadel operator * fix(operator): correct lables for service test in zitadel operator * fix: don't enable database features for user operations (#1227) * fix: don't enable database features for user operations * fix: omit database feature for connection info adapter * fix: use latest orbos version * fix: update ORBOS (#1240) Co-authored-by: Florian Forster <florian@caos.ch> Co-authored-by: Elio Bischof <eliobischof@gmail.com>
151 lines
4.0 KiB
Go
151 lines
4.0 KiB
Go
package node
|
|
|
|
import (
|
|
"crypto/rsa"
|
|
"errors"
|
|
"github.com/caos/zitadel/operator"
|
|
"reflect"
|
|
|
|
"github.com/caos/orbos/pkg/labels"
|
|
|
|
"github.com/caos/orbos/mntr"
|
|
"github.com/caos/orbos/pkg/kubernetes"
|
|
"github.com/caos/orbos/pkg/kubernetes/resources/secret"
|
|
"github.com/caos/zitadel/operator/database/kinds/databases/core"
|
|
"github.com/caos/zitadel/operator/database/kinds/databases/managed/certificate/certificates"
|
|
"github.com/caos/zitadel/operator/database/kinds/databases/managed/certificate/pem"
|
|
)
|
|
|
|
const (
|
|
caCertKey = "ca.crt"
|
|
caPrivKeyKey = "ca.key"
|
|
nodeCertKey = "node.crt"
|
|
nodePrivKeyKey = "node.key"
|
|
)
|
|
|
|
func AdaptFunc(
|
|
monitor mntr.Monitor,
|
|
namespace string,
|
|
nameLabels *labels.Name,
|
|
clusterDns string,
|
|
generateIfNotExists bool,
|
|
) (
|
|
operator.QueryFunc,
|
|
operator.DestroyFunc,
|
|
error,
|
|
) {
|
|
|
|
caPrivKey := new(rsa.PrivateKey)
|
|
caCert := make([]byte, 0)
|
|
nodeSecretSelector := labels.MustK8sMap(labels.DeriveNameSelector(nameLabels, false))
|
|
|
|
return func(k8sClient kubernetes.ClientInt, queried map[string]interface{}) (operator.EnsureFunc, error) {
|
|
queriers := make([]operator.QueryFunc, 0)
|
|
|
|
currentDB, err := core.ParseQueriedForDatabase(queried)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
allNodeSecrets, err := k8sClient.ListSecrets(namespace, nodeSecretSelector)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if len(allNodeSecrets.Items) == 0 {
|
|
|
|
if !generateIfNotExists {
|
|
return nil, errors.New("node secret not found")
|
|
}
|
|
|
|
emptyCert := true
|
|
emptyKey := true
|
|
if currentCaCert := currentDB.GetCertificate(); currentCaCert != nil && len(currentCaCert) != 0 {
|
|
emptyCert = false
|
|
caCert = currentCaCert
|
|
}
|
|
if currentCaCertKey := currentDB.GetCertificateKey(); currentCaCertKey != nil && !reflect.DeepEqual(currentCaCertKey, &rsa.PrivateKey{}) {
|
|
emptyKey = false
|
|
caPrivKey = currentCaCertKey
|
|
}
|
|
|
|
if emptyCert || emptyKey {
|
|
caPrivKeyInternal, caCertInternal, err := certificates.NewCA()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
caPrivKey = caPrivKeyInternal
|
|
caCert = caCertInternal
|
|
|
|
nodePrivKey, nodeCert, err := certificates.NewNode(caPrivKey, caCert, namespace, clusterDns)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pemNodePrivKey, err := pem.EncodeKey(nodePrivKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
pemCaPrivKey, err := pem.EncodeKey(caPrivKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pemCaCert, err := pem.EncodeCertificate(caCert)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pemNodeCert, err := pem.EncodeCertificate(nodeCert)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
nodeSecretData := map[string]string{
|
|
caPrivKeyKey: string(pemCaPrivKey),
|
|
caCertKey: string(pemCaCert),
|
|
nodePrivKeyKey: string(pemNodePrivKey),
|
|
nodeCertKey: string(pemNodeCert),
|
|
}
|
|
queryNodeSecret, err := secret.AdaptFuncToEnsure(namespace, labels.AsSelectable(nameLabels), nodeSecretData)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
queriers = append(queriers, operator.ResourceQueryToZitadelQuery(queryNodeSecret))
|
|
}
|
|
} else {
|
|
key, err := pem.DecodeKey(allNodeSecrets.Items[0].Data[caPrivKeyKey])
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
caPrivKey = key
|
|
|
|
cert, err := pem.DecodeCertificate(allNodeSecrets.Items[0].Data[caCertKey])
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
caCert = cert
|
|
}
|
|
|
|
currentDB.SetCertificate(caCert)
|
|
currentDB.SetCertificateKey(caPrivKey)
|
|
|
|
return operator.QueriersToEnsureFunc(monitor, false, queriers, k8sClient, queried)
|
|
}, func(k8sClient kubernetes.ClientInt) error {
|
|
allNodeSecrets, err := k8sClient.ListSecrets(namespace, nodeSecretSelector)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
for _, deleteSecret := range allNodeSecrets.Items {
|
|
destroyer, err := secret.AdaptFuncToDestroy(namespace, deleteSecret.Name)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if err := destroyer(k8sClient); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
return nil
|
|
}, nil
|
|
}
|