Massive refactor

2025-03-16 05:18:42 +01:00
parent 0bbb2ca738
commit 5e8e8590f1
9 changed files with 755 additions and 1127 deletions
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,215 +1,20 @@
-use std::{collections::BTreeMap, str::from_utf8, sync::Arc, time::Duration};
+use std::{sync::Arc, time::Duration};

-use cynic::{http::SurfExt, MutationBuilder, QueryBuilder};
 use futures::StreamExt;
 use k8s_openapi::api::core::v1::Secret;
 use kube::{
-    api::{ObjectMeta, Patch, PatchParams, PostParams},
-    runtime::{
-        controller::Action,
-        events::{Event, EventType, Recorder, Reporter},
-        Controller,
-    },
-    Api, Client as KubeClient, Resource,
+    runtime::{controller::Action, Controller},
+    Api, Client as KubeClient,
 };
-use lldap_auth::login::{ClientSimpleLoginRequest, ServerLoginResponse};
 use lldap_controller::{
-    lldap::change_password,
-    resources::{ServiceUser, ServiceUserStatus},
+    context::Context,
+    lldap::LldapConfig,
+    resources::{self, ServiceUser},
 };
-use passwords::PasswordGenerator;
-use queries::{CreateUser, CreateUserVariables, ListUsers};
-use serde_json::json;
-use surf::{Client as SurfClient, Config, Url};
-use tracing::{debug, info, instrument, warn};
+use tracing::{debug, info, warn};
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilter, Registry};

-#[derive(thiserror::Error, Debug)]
-enum Error {
-    #[error("Failed to commit secret: {0}")]
-    Commit(#[source] kube::api::entry::CommitError),
-    #[error("{0}")]
-    Kube(#[source] kube::Error),
-    #[error("MissingObjectKey: {0}")]
-    MissingObjectKey(&'static str),
-}
-
-type Result<T, E = Error> = std::result::Result<T, E>;
-
-struct LldapConfig {
-    username: String,
-    password: String,
-    url: String,
-}
-
-impl LldapConfig {
-    async fn client(&self) -> std::result::Result<SurfClient, surf::Error> {
-        let client: SurfClient = Config::new()
-            .set_base_url(Url::parse(&self.url)?)
-            .set_timeout(Some(Duration::from_secs(1)))
-            .try_into()?;
-
-        let response: ServerLoginResponse = client
-            .post("/auth/simple/login")
-            .body_json(&ClientSimpleLoginRequest {
-                username: self.username.clone().into(),
-                password: self.password.clone(),
-            })?
-            .recv_json()
-            .await?;
-
-        let client = client
-            .config()
-            .clone()
-            .add_header("Authorization", format!("Bearer {}", response.token))?
-            .try_into()?;
-
-        Ok(client)
-    }
-}
-
-struct Data {
-    client: KubeClient,
-    lldap: LldapConfig,
-    recorder: Recorder,
-    pg: PasswordGenerator,
-}
-
-const CONTROLLER_NAME: &str = "lldap.huizinga.dev";
-
-#[instrument(skip(obj, ctx))]
-async fn reconcile(obj: Arc<ServiceUser>, ctx: Arc<Data>) -> Result<Action> {
-    let name = obj
-        .metadata
-        .name
-        .clone()
-        .ok_or(Error::MissingObjectKey(".metadata.name"))?;
-    let secret_name = format!("{name}-lldap-credentials");
-    let namespace = obj
-        .metadata
-        .namespace
-        .clone()
-        .ok_or(Error::MissingObjectKey(".metadata.namespace"))?;
-    let username = format!("{name}.{namespace}");
-    let oref = obj.controller_owner_ref(&()).unwrap();
-
-    debug!(name, "reconcile request");
-
-    let client = &ctx.client;
-    let secrets = Api::<Secret>::namespaced(client.clone(), &namespace);
-
-    // TODO: Potentially issue: someone modifies the secret and removes the pass
-    let mut created = false;
-    let mut secret = secrets
-        .entry(&secret_name)
-        .await
-        .map_err(Error::Kube)?
-        .or_insert(|| {
-            debug!(name, secret_name, "Generating new secret");
-
-            let mut contents = BTreeMap::new();
-            contents.insert("username".into(), username.clone());
-            contents.insert("password".into(), ctx.pg.generate_one().unwrap());
-
-            created = true;
-
-            Secret {
-                metadata: ObjectMeta {
-                    owner_references: Some(vec![oref]),
-                    ..Default::default()
-                },
-                string_data: Some(contents),
-                ..Default::default()
-            }
-        });
-
-    secret
-        .commit(&PostParams {
-            dry_run: false,
-            field_manager: Some(CONTROLLER_NAME.into()),
-        })
-        .await
-        .map_err(Error::Commit)?;
-    let secret = secret;
-
-    if created {
-        debug!(name, "Sending SecretCreated event");
-
-        // The reason this is here instead of inside the or_insert is that we
-        // want to send the event _after_ it successfully committed.
-        // Also or_insert is not async!
-        ctx.recorder
-            .publish(
-                &Event {
-                    type_: EventType::Normal,
-                    reason: "SecretCreated".into(),
-                    note: Some(format!("Created secret '{secret_name}'")),
-                    action: "SecretCreated".into(),
-                    secondary: Some(secret.get().object_ref(&())),
-                },
-                &obj.object_ref(&()),
-            )
-            .await
-            .map_err(Error::Kube)?;
-    }
-
-    let lldap_client = ctx.lldap.client().await.unwrap();
-
-    let operation = ListUsers::build(());
-    let response = lldap_client
-        .post("/api/graphql")
-        .run_graphql(operation)
-        .await
-        .unwrap();
-
-    if !response
-        .data
-        .expect("Should get data")
-        .users
-        .iter()
-        .any(|user| user.id == username)
-    {
-        let operation = CreateUser::build(CreateUserVariables { id: &username });
-        lldap_client
-            .post("/api/graphql")
-            .run_graphql(operation)
-            .await
-            .unwrap();
-
-        ctx.recorder
-            .publish(
-                &Event {
-                    type_: EventType::Normal,
-                    reason: "UserCreated".into(),
-                    note: Some(format!("Created user '{username}'")),
-                    action: "UserCreated".into(),
-                    secondary: None,
-                },
-                &obj.object_ref(&()),
-            )
-            .await
-            .map_err(Error::Kube)?;
-    }
-
-    let password = secret.get().data.as_ref().unwrap().get("password").unwrap();
-    let password = from_utf8(&password.0).unwrap();
-    change_password(&lldap_client, &username, password)
-        .await
-        .unwrap();
-
-    let service_users = Api::<ServiceUser>::namespaced(client.clone(), &namespace);
-    let status = json!({
-        "status": ServiceUserStatus { secret_created: secret.get().meta().creation_timestamp.as_ref().map(|ts| ts.0) }
-    });
-    service_users
-        .patch_status(&name, &PatchParams::default(), &Patch::Merge(&status))
-        .await
-        .map_err(Error::Kube)?;
-
-    Ok(Action::requeue(Duration::from_secs(3600)))
-}
-
-fn error_policy(_obj: Arc<ServiceUser>, err: &Error, _ctx: Arc<Data>) -> Action {
+fn error_policy(_obj: Arc<ServiceUser>, err: &resources::Error, _ctx: Arc<Context>) -> Action {
    warn!("error: {}", err);
    Action::requeue(Duration::from_secs(5))
 }
@@ -219,27 +24,19 @@ async fn main() -> anyhow::Result<()> {
    let logger = tracing_subscriber::fmt::layer().json();
    let env_filter = EnvFilter::try_from_default_env()
        .or_else(|_| EnvFilter::try_new("info"))
-        .unwrap();
+        .expect("Fallback should be valid");

    Registry::default().with(logger).with(env_filter).init();

    info!("Starting controller");

-    let lldap = LldapConfig {
-        username: std::env::var("LLDAP_USERNAME").unwrap(),
-        password: std::env::var("LLDAP_PASSWORD").unwrap(),
-        url: std::env::var("LLDAP_URL").unwrap(),
-    };
-
    let client = KubeClient::try_default().await?;

-    let reporter: Reporter = CONTROLLER_NAME.into();
-    let recorder = Recorder::new(client.clone(), reporter);
-
-    let pg = PasswordGenerator::new()
-        .length(32)
-        .uppercase_letters(true)
-        .strict(true);
+    let data = Context::new(
+        "lldap.huizinga.dev",
+        client.clone(),
+        LldapConfig::try_from_env()?,
+    );

    let service_users = Api::<ServiceUser>::all(client.clone());
    let secrets = Api::<Secret>::all(client.clone());
@@ -247,16 +44,7 @@ async fn main() -> anyhow::Result<()> {
    Controller::new(service_users.clone(), Default::default())
        .owns(secrets, Default::default())
        .shutdown_on_signal()
-        .run(
-            reconcile,
-            error_policy,
-            Arc::new(Data {
-                client,
-                lldap,
-                recorder,
-                pg,
-            }),
-        )
+        .run(ServiceUser::reconcile, error_policy, Arc::new(data))
        .for_each(|res| async move {
            match res {
                Ok(obj) => debug!("reconciled {:?}", obj.0.name),