package rbac
import (
"github.com/caos/orbos/internal/operator/orbiter/kinds/clusters/kubernetes"
"github.com/caos/orbos/internal/operator/orbiter/kinds/clusters/kubernetes/resources/clusterrole"
"github.com/caos/orbos/internal/operator/orbiter/kinds/clusters/kubernetes/resources/clusterrolebinding"
"github.com/caos/orbos/internal/operator/orbiter/kinds/clusters/kubernetes/resources/role"
"github.com/caos/orbos/internal/operator/orbiter/kinds/clusters/kubernetes/resources/rolebinding"
"github.com/caos/orbos/internal/operator/orbiter/kinds/clusters/kubernetes/resources/serviceaccount"
"github.com/caos/orbos/internal/operator/zitadel"
"github.com/caos/orbos/mntr"
)
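// AdaptFunc builds the query and destroy functions for the RBAC objects the
// zitadel operator runs with: a ServiceAccount, a namespaced Role and
// RoleBinding, and a ClusterRole and ClusterRoleBinding. Every object is
// named after the given name.
//
// Grants, as written in this function:
//   - the Role allows create and get on Secrets (core API group) inside
//     namespace; no list, watch, update or delete is granted;
//   - the ClusterRole allows create, get and watch on
//     certificatesigningrequests in certificates.k8s.io cluster-wide.
//
// Both bindings name the ServiceAccount (kind ServiceAccount, in namespace)
// as their only subject.
//
// Parameters:
//   - monitor: base monitor; the returned functions log with an additional
//     "component"="rbac" field.
//   - namespace: namespace of the ServiceAccount, Role and RoleBinding; the
//     cluster-scoped objects take no namespace.
//   - name: name shared by all five objects.
//   - labels: labels applied to every ensured object.
//
// Returns a QueryFunc that ensures the objects, a DestroyFunc that removes
// them, and the first error reported by any of the resource adapters.
func AdaptFunc(
	monitor mntr.Monitor,
	namespace string,
	name string,
	labels map[string]string,
) (
	zitadel.QueryFunc,
	zitadel.DestroyFunc,
	error,
) {
	internalMonitor := monitor.WithField("component", "rbac")

	// All objects share one name; the aliases only document which object a
	// call refers to. Cluster-scoped objects consistently use clusterRoleName.
	serviceAccountName := name
	roleName := name
	clusterRoleName := name

	// Destroyers, collected in the order they are later handed to
	// DestroyersToDestroyFunc: role, cluster role, both bindings, then the
	// ServiceAccount.
	destroySA, err := serviceaccount.AdaptFuncToDestroy(namespace, serviceAccountName)
	if err != nil {
		return nil, nil, err
	}
	destroyR, err := role.AdaptFuncToDestroy(namespace, roleName)
	if err != nil {
		return nil, nil, err
	}
	destroyCR, err := clusterrole.AdaptFuncToDestroy(clusterRoleName)
	if err != nil {
		return nil, nil, err
	}
	destroyRB, err := rolebinding.AdaptFuncToDestroy(namespace, roleName)
	if err != nil {
		return nil, nil, err
	}
	destroyCRB, err := clusterrolebinding.AdaptFuncToDestroy(clusterRoleName)
	if err != nil {
		return nil, nil, err
	}
	destroyers := []zitadel.DestroyFunc{
		zitadel.ResourceDestroyToZitadelDestroy(destroyR),
		zitadel.ResourceDestroyToZitadelDestroy(destroyCR),
		zitadel.ResourceDestroyToZitadelDestroy(destroyRB),
		zitadel.ResourceDestroyToZitadelDestroy(destroyCRB),
		zitadel.ResourceDestroyToZitadelDestroy(destroySA),
	}

	// Queriers (ensure functions).
	querySA, err := serviceaccount.AdaptFuncToEnsure(namespace, serviceAccountName, labels)
	if err != nil {
		return nil, nil, err
	}
	// Namespaced Role: "" is the core API group (Secrets live there).
	queryR, err := role.AdaptFuncToEnsure(namespace, roleName, labels, []string{""}, []string{"secrets"}, []string{"create", "get"})
	if err != nil {
		return nil, nil, err
	}
	// ClusterRole: CSR handling is cluster-scoped, hence no namespace.
	queryCR, err := clusterrole.AdaptFuncToEnsure(clusterRoleName, labels, []string{"certificates.k8s.io"}, []string{"certificatesigningrequests"}, []string{"create", "get", "watch"})
	if err != nil {
		return nil, nil, err
	}
	// The ServiceAccount is the sole subject of both bindings.
	subjects := []rolebinding.Subject{{Kind: "ServiceAccount", Name: serviceAccountName, Namespace: namespace}}
	queryRB, err := rolebinding.AdaptFuncToEnsure(namespace, roleName, labels, subjects, roleName)
	if err != nil {
		return nil, nil, err
	}
	subjectsCRB := []clusterrolebinding.Subject{{Kind: "ServiceAccount", Name: serviceAccountName, Namespace: namespace}}
	// The ClusterRoleBinding is named after and references the ClusterRole,
	// mirroring how the RoleBinding references the Role.
	queryCRB, err := clusterrolebinding.AdaptFuncToEnsure(clusterRoleName, labels, subjectsCRB, clusterRoleName)
	if err != nil {
		return nil, nil, err
	}
	queriers := []zitadel.QueryFunc{
		// serviceaccount first, so the bindings' subject exists
		zitadel.ResourceQueryToZitadelQuery(querySA),
		// rbac
		zitadel.ResourceQueryToZitadelQuery(queryR),
		zitadel.ResourceQueryToZitadelQuery(queryCR),
		zitadel.ResourceQueryToZitadelQuery(queryRB),
		zitadel.ResourceQueryToZitadelQuery(queryCRB),
	}

	return func(k8sClient *kubernetes.Client, queried map[string]interface{}) (zitadel.EnsureFunc, error) {
			return zitadel.QueriersToEnsureFunc(internalMonitor, false, queriers, k8sClient, queried)
		},
		zitadel.DestroyersToDestroyFunc(internalMonitor, destroyers),
		nil
}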