Redo where KC clients are built

dominodatalab · Jun 13, 2023 · 10a4895 · 10a4895
1 parent ba2c6cf
commit 10a4895
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 48 deletions.
diff --git a/pkg/controller/imagebuild/component/builddispatcher.go b/pkg/controller/imagebuild/component/builddispatcher.go
@@ -23,12 +23,11 @@ import (
 )
 
 type BuildDispatcherComponent struct {
-	cfg      config.Buildkit
-	pool     worker.Pool
-	phase    *phase.TransitionHelper
-	newRelic *newrelic.Application
-	keyCloak *gocloak.GoCloak
-	jwt      *gocloak.JWT
+	cfg         config.Buildkit
+	pool        worker.Pool
+	phase       *phase.TransitionHelper
+	newRelic    *newrelic.Application
+	keycloakCfg config.Keycloak
 
 	delete  <-chan client.ObjectKey
 	cancels sync.Map
@@ -38,17 +37,15 @@ func BuildDispatcher(
 	cfg config.Buildkit,
 	pool worker.Pool,
 	nr *newrelic.Application,
-	kc *gocloak.GoCloak,
-	jwt *gocloak.JWT,
+	kc config.Keycloak,
 	ch <-chan client.ObjectKey,
 ) *BuildDispatcherComponent {
 	return &BuildDispatcherComponent{
-		cfg:      cfg,
-		pool:     pool,
-		delete:   ch,
-		newRelic: nr,
-		keyCloak: kc,
-		jwt:      jwt,
+		cfg:         cfg,
+		pool:        pool,
+		delete:      ch,
+		newRelic:    nr,
+		keycloakCfg: kc,
 	}
 }
 
@@ -189,14 +186,17 @@ func (c *BuildDispatcherComponent) Reconcile(ctx *core.Context) (ctrl.Result, er
 	clientInitSeg.End()
 
 	secrets := c.cfg.Secrets
-	// TODO: look at the CR value for whether or not JWT population is enabled
+	// TODO: look at the CR value to determine if JWT injection is enabled
 	if true {
-		// TODO: why do we even bother calling LoginClient and injecting a client if we still have to refresh here?
-		// c.keyCloak.RefreshToken(ctx, c.jwt.RefreshToken, c.keyCloak.cli)
-		// c.keyCloak.Login()
-		// c.keyCloak.RefreshToken(ctx, )
-		// TODO: thread vault creds in here
-		secrets["SERVICE_TOKEN"] = "foo"
+		kc := gocloak.NewClient(c.keycloakCfg.Server)
+		// grant type client_credentials
+		// cfg.Scopes...
+		jwt, err := kc.LoginClient(buildCtx, c.keycloakCfg.ClientID, c.keycloakCfg.ClientSecret, c.keycloakCfg.Realm)
+		if err != nil {
+			log.Error(err, fmt.Sprintf("Failed to acquire Keycloak credentials %s", c.keycloakCfg.ClientID))
+		} else {
+			secrets["SERVICE_TOKEN"] = jwt.AccessToken
+		}
 	}
 
 	buildOpts := buildkit.BuildOptions{

diff --git a/pkg/controller/imagebuild/imagebuild.go b/pkg/controller/imagebuild/imagebuild.go
@@ -1,7 +1,6 @@
 package imagebuild
 
 import (
-	"github.com/Nerzal/gocloak/v13"
 	"github.com/dominodatalab/controller-util/core"
 	"github.com/newrelic/go-agent/v3/newrelic"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -18,16 +17,10 @@ import (
 
 var ch = make(chan client.ObjectKey)
 
-func Register(mgr ctrl.Manager,
-	cfg config.Controller,
-	pool worker.Pool,
-	nr *newrelic.Application,
-	kc *gocloak.GoCloak,
-	jwt *gocloak.JWT,
-) error {
+func Register(mgr ctrl.Manager, cfg config.Controller, pool worker.Pool, nr *newrelic.Application) error {
 	return core.NewReconciler(mgr).
 		For(&hephv1.ImageBuild{}).
-		Component("build-dispatcher", component.BuildDispatcher(cfg.Buildkit, pool, nr, kc, jwt, ch)).
+		Component("build-dispatcher", component.BuildDispatcher(cfg.Buildkit, pool, nr, cfg.Keycloak, ch)).
 		WithControllerOptions(controller.Options{MaxConcurrentReconciles: cfg.ImageBuildMaxConcurrency}).
 		WithWebhooks().
 		Complete()

diff --git a/pkg/controller/start.go b/pkg/controller/start.go
@@ -5,7 +5,6 @@ import (
 	"os"
 	"time"
 
-	"github.com/Nerzal/gocloak/v13"
 	"github.com/go-logr/logr"
 	"github.com/go-logr/zapr"
 	"github.com/newrelic/go-agent/v3/integrations/nrzap"
@@ -50,11 +49,6 @@ func Start(cfg config.Controller) error {
 	}
 	defer nr.Shutdown(5 * time.Second)
 
-	kc, jwt, err := configureKeyCloak(cfg.KeyCloak)
-	if err != nil {
-		return err
-	}
-
 	mgr, err := createManager(log, cfg.Manager)
 	if err != nil {
 		return err
@@ -68,7 +62,7 @@ func Start(cfg config.Controller) error {
 		return err
 	}
 
-	if err = registerControllers(log, mgr, pool, nr, kc, jwt, cfg); err != nil {
+	if err = registerControllers(log, mgr, pool, nr, cfg); err != nil {
 		return err
 	}
 
@@ -95,14 +89,6 @@ func configureNewRelic(log *zap.Logger, cfg config.NewRelic) (*newrelic.Applicat
 	)
 }
 
-func configureKeyCloak(cfg config.KeyCloak) (*gocloak.GoCloak, *gocloak.JWT, error) {
-	c := gocloak.NewClient(cfg.Server)
-	// grant type client_credentials
-	// cfg.Scopes...
-	jwt, err := c.LoginClient(context.TODO(), cfg.ClientID, cfg.ClientSecret, cfg.Realm)
-	return c, jwt, err
-}
-
 func createManager(log logr.Logger, cfg config.Manager) (ctrl.Manager, error) {
 	log.Info("Adding API types to runtime scheme")
 	scheme := runtime.NewScheme()
@@ -185,12 +171,10 @@ func registerControllers(
 	mgr ctrl.Manager,
 	pool worker.Pool,
 	nr *newrelic.Application,
-	kc *gocloak.GoCloak,
-	jwt *gocloak.JWT,
 	cfg config.Controller,
 ) error {
 	log.Info("Registering ImageBuild controller")
-	if err := imagebuild.Register(mgr, cfg, pool, nr, kc, jwt); err != nil {
+	if err := imagebuild.Register(mgr, cfg, pool, nr); err != nil {
 		return err
 	}