Feat/organization idp setup (#19)

* feat: added default subroutine for realm creation

On-behalf-of: SAP [email protected]

* feat: switched from helm to flux

On-behalf-of: SAP [email protected]

* feat: added oci repos and helm releases creation

On-behalf-of: SAP [email protected]

* feat: added values substitution

On-behalf-of: SAP [email protected]

* feat: added tests, code refactoring

On-behalf-of: SAP [email protected]

* chore: code refactoring

On-behalf-of: SAP [email protected]

* chore: more refactoring

On-behalf-of: SAP [email protected]

* fix: removed file reading, fixed naming

On-behalf-of: SAP [email protected]

* chore: tests refactoring

On-behalf-of: SAP [email protected]

* chore: added tests for getting workspace name

On-behalf-of: SAP [email protected]

* chore: fixed linter and tests issues

On-behalf-of: SAP [email protected]

* chore: more refactoring

On-behalf-of: SAP [email protected]

* added requeue after for finalize function, updated oci repo yaml

On-behalf-of: SAP [email protected]

* chore: tests update

On-behalf-of: SAP [email protected]

* chore: linter version bump

On-behalf-of: SAP [email protected]

* fix: fixed linter installing path

On-behalf-of: SAP [email protected]

* removed requeue after

On-behalf-of: SAP [email protected]

* fix: updated go mod file

On-behalf-of: SAP [email protected]

Author: OlegErshov

Taskfile.yaml

@@ -8,7 +8,7 @@ vars:
   CRD_DIRECTORY: config/crd/bases
   KCP_APIGEN_VERSION: v0.21.0
   KCP_VERSION: 0.26.1
-  GOLANGCI_LINT_VERSION: v1.64.8
+  GOLANGCI_LINT_VERSION: v2.4.0
   GOARCH:
     sh: go env GOARCH
   GOOS:
@@ -29,7 +29,7 @@ tasks:
   setup:golangci-lint:
     internal: true
     cmds:
-      - test -s {{.LOCAL_BIN}}/golangci-lint || GOBIN=$(pwd)/{{.LOCAL_BIN}} go install github.com/golangci/golangci-lint/cmd/golangci-lint@{{.GOLANGCI_LINT_VERSION}}
+      - test -s {{.LOCAL_BIN}}/golangci-lint || GOBIN=$(pwd)/{{.LOCAL_BIN}} go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@{{.GOLANGCI_LINT_VERSION}}
   setup:docker-compose:
     internal: true
     cmds:

cmd/initializer.go

@@ -4,10 +4,15 @@ import (
 	"crypto/tls"
 	"os"
 
+	helmv2 "github.com/fluxcd/helm-controller/api/v2"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 	"github.com/kcp-dev/logicalcluster/v3"
 	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/rest"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/kcp"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
@@ -51,13 +56,29 @@ var initializerCmd = &cobra.Command{
 			os.Exit(1)
 		}
 
+		runtimeScheme := runtime.NewScheme()
+		utilruntime.Must(sourcev1.AddToScheme(runtimeScheme))
+		utilruntime.Must(helmv2.AddToScheme(runtimeScheme))
+
 		orgClient, err := logicalClusterClientFromKey(mgr, log)(logicalcluster.Name("root:orgs"))
 		if err != nil {
 			setupLog.Error(err, "Failed to create org client")
 			os.Exit(1)
 		}
 
-		if err := controller.NewLogicalClusterReconciler(log, mgrCfg, mgr.GetClient(), orgClient, appCfg).SetupWithManager(mgr, defaultCfg, log); err != nil {
+		inClusterConfig, err := rest.InClusterConfig()
+		if err != nil {
+			log.Error().Err(err).Msg("Failed to create in cluster config")
+			os.Exit(1)
+		}
+
+		inClusterClient, err := client.New(inClusterConfig, client.Options{Scheme: scheme})
+		if err != nil {
+			log.Error().Err(err).Msg("Failed to create in cluster client")
+			os.Exit(1)
+		}
+
+		if err := controller.NewLogicalClusterReconciler(log, mgrCfg, mgr.GetClient(), orgClient, appCfg, inClusterClient).SetupWithManager(mgr, defaultCfg, log); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "LogicalCluster")
 			os.Exit(1)
 		}

go.mod

@@ -29,6 +29,13 @@ require (
 	sigs.k8s.io/controller-runtime v0.21.0
 )
 
+require (
+	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
+	github.com/fluxcd/pkg/apis/acl v0.7.0 // indirect
+	github.com/fluxcd/pkg/apis/kustomize v1.10.0 // indirect
+	github.com/fluxcd/pkg/apis/meta v1.12.0 // indirect
+)
+
 require (
 	github.com/99designs/gqlgen v0.17.78 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
@@ -39,6 +46,8 @@ require (
 	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+	github.com/fluxcd/helm-controller/api v1.3.0
+	github.com/fluxcd/source-controller/api v1.6.2
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
 	github.com/getsentry/sentry-go v0.35.1 // indirect
@@ -118,6 +127,6 @@ require (
 	k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
-	sigs.k8s.io/yaml v1.6.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
+	sigs.k8s.io/yaml v1.6.0
 )

go.sum

@@ -24,10 +24,20 @@ github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtz
 github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfUKS7KJ7spH3d86P8=
 github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU=
-github.com/evanphx/json-patch v5.8.0+incompatible h1:1Av9pn2FyxPdvrWNQszj1g6D6YthSmvCfcN6SYclTJg=
-github.com/evanphx/json-patch v5.8.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8=
+github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
 github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
+github.com/fluxcd/helm-controller/api v1.3.0 h1:PupXPuQbksmU0g2Lc6NjIYal2HJGL+6xohsf82eGVjo=
+github.com/fluxcd/helm-controller/api v1.3.0/go.mod h1:4b8PfdH0e/9Pfol2ogdMYbQ1nLjcVu9gAv27cQzIPK4=
+github.com/fluxcd/pkg/apis/acl v0.7.0 h1:dMhZJH+g6ZRPjs4zVOAN9vHBd1DcavFgcIFkg5ooOE0=
+github.com/fluxcd/pkg/apis/acl v0.7.0/go.mod h1:uv7pXXR/gydiX4MUwlQa7vS8JONEDztynnjTvY3JxKQ=
+github.com/fluxcd/pkg/apis/kustomize v1.10.0 h1:47EeSzkQvlQZdH92vHMe2lK2iR8aOSEJq95avw5idts=
+github.com/fluxcd/pkg/apis/kustomize v1.10.0/go.mod h1:UsqMV4sqNa1Yg0pmTsdkHRJr7bafBOENIJoAN+3ezaQ=
+github.com/fluxcd/pkg/apis/meta v1.12.0 h1:XW15TKZieC2b7MN8VS85stqZJOx+/b8jATQ/xTUhVYg=
+github.com/fluxcd/pkg/apis/meta v1.12.0/go.mod h1:+son1Va60x2eiDcTwd7lcctbI6C+K3gM7R+ULmEq1SI=
+github.com/fluxcd/source-controller/api v1.6.2 h1:UmodAeqLIeF29HdTqf2GiacZyO+hJydJlepDaYsMvhc=
+github.com/fluxcd/source-controller/api v1.6.2/go.mod h1:ZJcAi0nemsnBxjVgmJl0WQzNvB0rMETxQMTdoFosmMw=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
@@ -321,8 +331,8 @@ sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh
 sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
-sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc=
-sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI=
+sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=

internal/config/config.go

@@ -7,4 +7,5 @@ type Config struct {
 	} `mapstructure:",squash"`
 	APIExportEndpointSliceName string `mapstructure:"api-export-endpoint-slice-name"`
 	CoreModulePath             string `mapstructure:"core-module-path"`
+	WorkspaceDir               string `mapstructure:"workspace-dir" default:"/operator/"`
 }

internal/controller/initializer_controller.go

@@ -21,11 +21,12 @@ type LogicalClusterReconciler struct {
 	lifecycle *lifecyclecontrollerruntime.LifecycleManager
 }
 
-func NewLogicalClusterReconciler(log *logger.Logger, restCfg *rest.Config, cl, orgClient client.Client, cfg config.Config) *LogicalClusterReconciler {
+func NewLogicalClusterReconciler(log *logger.Logger, restCfg *rest.Config, cl, orgClient client.Client, cfg config.Config, inClusterClient client.Client) *LogicalClusterReconciler {
 	return &LogicalClusterReconciler{
 		lifecycle: lifecyclecontrollerruntime.NewLifecycleManager(
 			[]lifecyclesubroutine.Subroutine{
 				subroutine.NewWorkspaceInitializer(cl, orgClient, restCfg, cfg),
+				subroutine.NewRealmSubroutine(inClusterClient),
 			},
 			"logicalcluster",
 			"LogicalClusterReconciler",

internal/subroutine/manifests/organizationIdp/helmrelease.yaml

@@ -0,0 +1,16 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: organization-idp
+  namespace: default
+spec:
+  interval: 10m
+  timeout: 20m
+  chartRef:
+    kind: OCIRepository
+    name: organization-idp
+  releaseName: organization-idp
+  targetNamespace: default
+  values:
+    imagePullSecret: github
+    

internal/subroutine/manifests/organizationIdp/repository.yaml

@@ -0,0 +1,13 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: organization-idp
+  namespace: default
+spec:
+  interval: 5m
+  url: oci://ghcr.io/platform-mesh/helm-charts/organization-idp
+  ref:
+    semver: "0.1.0"
+  secretRef:
+    name: github
+    

internal/subroutine/realm.go

@@ -0,0 +1,213 @@
+package subroutine
+
+import (
+	"bytes"
+	"context"
+	_ "embed"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"text/template"
+
+	kcpv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/core/v1alpha1"
+	lifecycleruntimeobject "github.com/platform-mesh/golang-commons/controller/lifecycle/runtimeobject"
+	lifecyclesubroutine "github.com/platform-mesh/golang-commons/controller/lifecycle/subroutine"
+	"github.com/platform-mesh/golang-commons/errors"
+	"github.com/platform-mesh/golang-commons/logger"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/yaml"
+)
+
+var (
+	//go:embed manifests/organizationIdp/repository.yaml
+	repository string
+
+	//go:embed manifests/organizationIdp/helmrelease.yaml
+	helmRelease string
+)
+
+type realmSubroutine struct {
+	k8s client.Client
+}
+
+func NewRealmSubroutine(k8s client.Client) *realmSubroutine {
+	return &realmSubroutine{
+		k8s: k8s,
+	}
+}
+
+var _ lifecyclesubroutine.Subroutine = &realmSubroutine{}
+
+func (r *realmSubroutine) GetName() string { return "Realm" }
+
+func (r *realmSubroutine) Finalizers() []string { return []string{} }
+
+func (r *realmSubroutine) Finalize(ctx context.Context, instance lifecycleruntimeobject.RuntimeObject) (reconcile.Result, errors.OperatorError) {
+	log := logger.LoadLoggerFromContext(ctx)
+
+	lc := instance.(*kcpv1alpha1.LogicalCluster)
+	workspaceName := getWorkspaceName(lc)
+	if workspaceName == "" {
+		return ctrl.Result{}, errors.NewOperatorError(fmt.Errorf("failed to get workspace path"), true, false)
+	}
+
+	ociObj, err := unstructuredFromString(repository, nil, log)
+	if err != nil {
+		return ctrl.Result{}, errors.NewOperatorError(fmt.Errorf("failed to load OCI repository manifest: %w", err), true, true)
+	}
+	if err := r.k8s.Delete(ctx, &ociObj); err != nil {
+		return ctrl.Result{}, errors.NewOperatorError(fmt.Errorf("failed to delete OCI repository: %w", err), true, true)
+	}
+
+	helmObj, err := unstructuredFromString(helmRelease, nil, log)
+	if err != nil {
+		return ctrl.Result{}, errors.NewOperatorError(fmt.Errorf("failed to load HelmRelease  manifest: %w", err), true, true)
+	}
+	helmObj.SetName(workspaceName)
+	if err := r.k8s.Delete(ctx, &helmObj); err != nil {
+		return ctrl.Result{}, errors.NewOperatorError(fmt.Errorf("failed to delete HelmRelease: %w", err), true, true)
+	}
+
+	log.Info().Str("realm", workspaceName).Msg("Successfully finalized resources")
+	return ctrl.Result{}, nil
+}
+
+func (r *realmSubroutine) Process(ctx context.Context, instance lifecycleruntimeobject.RuntimeObject) (reconcile.Result, errors.OperatorError) {
+	lc := instance.(*kcpv1alpha1.LogicalCluster)
+
+	workspaceName := getWorkspaceName(lc)
+	if workspaceName == "" {
+		return ctrl.Result{}, errors.NewOperatorError(fmt.Errorf("failed to get workspace path"), true, false)
+	}
+
+	patch := map[string]interface{}{
+		"crossplane": map[string]interface{}{
+			"realm": map[string]interface{}{
+				"name":        workspaceName,
+				"displayName": workspaceName,
+			},
+			"client": map[string]interface{}{
+				"name":        workspaceName,
+				"displayName": workspaceName,
+			},
+		},
+		"keycloakConfig": map[string]interface{}{
+			"client": map[string]interface{}{
+				"name": workspaceName,
+				"targetSecret": map[string]interface{}{
+					"name": fmt.Sprintf("portal-client-secret-%s", workspaceName),
+				},
+			},
+		},
+	}
+
+	marshalledPatch, err := json.Marshal(patch)
+	if err != nil {
+		return ctrl.Result{}, errors.NewOperatorError(fmt.Errorf("failed to marshall patch map: %w", err), true, true)
+	}
+
+	values := apiextensionsv1.JSON{Raw: marshalledPatch}
+	releaseName := fmt.Sprintf("%s-idp", workspaceName)
+
+	err = applyManifestWithMergedValues(ctx, repository, r.k8s, nil)
+	if err != nil {
+		return ctrl.Result{}, errors.NewOperatorError(fmt.Errorf("failed to create OCI repository: %w", err), true, true)
+	}
+
+	err = applyReleaseWithValues(ctx, helmRelease, r.k8s, values, releaseName)
+	if err != nil {
+		return ctrl.Result{}, errors.NewOperatorError(fmt.Errorf("failed to create HelmRelease: %w", err), true, true)
+	}
+
+	return ctrl.Result{}, nil
+}
+
+func getWorkspaceName(lc *kcpv1alpha1.LogicalCluster) string {
+	if path, ok := lc.Annotations["kcp.io/path"]; ok {
+		pathElements := strings.Split(path, ":")
+		return pathElements[len(pathElements)-1]
+	}
+	return ""
+}
+
+func applyReleaseWithValues(ctx context.Context, release string, k8sClient client.Client, values apiextensionsv1.JSON, releaseName string) error {
+	log := logger.LoadLoggerFromContext(ctx)
+
+	obj, err := unstructuredFromString(release, map[string]string{}, log)
+	if err != nil {
+		return errors.Wrap(err, "Failed to get unstructuredFromFile")
+	}
+	obj.SetName(releaseName)
+
+	if err := unstructured.SetNestedField(obj.Object, releaseName, "spec", "releaseName"); err != nil {
+		return errors.Wrap(err, "failed to set spec.releaseName")
+	}
+
+	obj.Object["spec"].(map[string]interface{})["values"] = values
+
+	err = k8sClient.Patch(ctx, &obj, client.Apply, client.FieldOwner("security-operator"))
+	if err != nil {
+		return errors.Wrap(err, "Failed to apply manifest: (%s/%s)", obj.GetKind(), obj.GetName())
+	}
+	return nil
+}
+
+func unstructuredFromString(manifest string, templateData map[string]string, log *logger.Logger) (unstructured.Unstructured, error) {
+	manifestBytes := []byte(manifest)
+
+	res, err := ReplaceTemplate(templateData, manifestBytes)
+	if err != nil {
+		return unstructured.Unstructured{}, errors.Wrap(err, "Failed to replace template")
+	}
+
+	var objMap map[string]interface{}
+	if err := yaml.Unmarshal(res, &objMap); err != nil {
+		return unstructured.Unstructured{}, errors.Wrap(err, "Failed to unmarshal YAML from template. Output:\n%s", string(res))
+	}
+
+	log.Debug().Str("obj", fmt.Sprintf("%+v", objMap)).Msg("Unmarshalled object")
+
+	obj := unstructured.Unstructured{Object: objMap}
+
+	log.Debug().Str("kind", obj.GetKind()).Str("name", obj.GetName()).Str("namespace", obj.GetNamespace()).Msg("Applying manifest")
+	return obj, err
+}
+
+func ReplaceTemplate(templateData map[string]string, templateBytes []byte) ([]byte, error) {
+	tmpl, err := template.New("manifest").Parse(string(templateBytes))
+	if err != nil {
+		return []byte{}, errors.Wrap(err, "Failed to parse template")
+	}
+	var result bytes.Buffer
+	err = tmpl.Execute(&result, templateData)
+	if err != nil {
+		keys := make([]string, 0, len(templateData))
+		for k := range templateData {
+			keys = append(keys, k)
+		}
+		return []byte{}, errors.Wrap(err, "Failed to execute template with keys %v", keys)
+	}
+	if result.Len() == 0 {
+		return []byte{}, nil
+	}
+	return result.Bytes(), nil
+}
+
+func applyManifestWithMergedValues(ctx context.Context, manifest string, k8sClient client.Client, templateData map[string]string) error {
+	log := logger.LoadLoggerFromContext(ctx)
+
+	obj, err := unstructuredFromString(manifest, templateData, log)
+	if err != nil {
+		return err
+	}
+
+	err = k8sClient.Patch(ctx, &obj, client.Apply, client.FieldOwner("security-operator"))
+	if err != nil {
+		return errors.Wrap(err, "Failed to apply manifest (%s/%s)", obj.GetKind(), obj.GetName())
+	}
+	return nil
+}