feat: operator can now configure smtp setting for created realms (#93)

aaronschweig · web-flow · commit b45d95a8bc92 · 2025-10-06T16:28:25.000+02:00
* feat: operator can now configure smtp setting for created realms

* fix: proper smtpConfig management
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -12,4 +12,19 @@ type Config struct {
 	GroupClaim                 string `mapstructure:"group-claim" default:"groups"`
 	UserClaim                  string `mapstructure:"user-claim" default:"email"`
 	DomainCALookup             bool   `mapstructure:"domain-ca-lookup" default:"false"`
+	IDP                        struct {
+		// SMTP settings
+		SMTPServer  string `mapstructure:"idp-smtp-server"`
+		SMTPPort    int    `mapstructure:"idp-smtp-port"`
+		FromAddress string `mapstructure:"idp-from-address"`
+
+		// SSL settings
+		SSL      bool `mapstructure:"idp-smtp-ssl" default:"false"`
+		StartTLS bool `mapstructure:"idp-smtp-starttls" default:"false"`
+
+		// Auth settings
+		SMTPUser               string `mapstructure:"idp-smtp-user"`
+		SMTPPasswordSecretName string `mapstructure:"idp-smtp-password-secret-name"`
+		SMTPPasswordSecretKey  string `mapstructure:"idp-smtp-password-secret-key" default:"password"`
+	} `mapstructure:",squash"`
 }
diff --git a/internal/controller/initializer_controller.go b/internal/controller/initializer_controller.go
@@ -27,7 +27,7 @@ func NewLogicalClusterReconciler(log *logger.Logger, restCfg *rest.Config, cl, o
 			[]lifecyclesubroutine.Subroutine{
 				subroutine.NewWorkspaceInitializer(cl, orgClient, restCfg, cfg),
 				subroutine.NewWorkspaceAuthConfigurationSubroutine(orgClient, inClusterClient, cfg),
-				subroutine.NewRealmSubroutine(inClusterClient, cfg.BaseDomain),
+				subroutine.NewRealmSubroutine(inClusterClient, &cfg, cfg.BaseDomain),
 			},
 			"logicalcluster",
 			"LogicalClusterReconciler",
diff --git a/internal/subroutine/manifests/organizationIdp/repository.yaml b/internal/subroutine/manifests/organizationIdp/repository.yaml
@@ -7,4 +7,4 @@ spec:
   interval: 5m
   url: oci://ghcr.io/platform-mesh/helm-charts/organization-idp
   ref:
-    semver: "0.1.1"
+    semver: "0.2.0"
diff --git a/internal/subroutine/realm.go b/internal/subroutine/realm.go
@@ -14,6 +14,7 @@ import (
 	lifecyclesubroutine "github.com/platform-mesh/golang-commons/controller/lifecycle/subroutine"
 	"github.com/platform-mesh/golang-commons/errors"
 	"github.com/platform-mesh/golang-commons/logger"
+	"github.com/platform-mesh/security-operator/internal/config"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -33,12 +34,14 @@ var (
 type realmSubroutine struct {
 	k8s        client.Client
 	baseDomain string
+	cfg        *config.Config
 }
 
-func NewRealmSubroutine(k8s client.Client, baseDomain string) *realmSubroutine {
+func NewRealmSubroutine(k8s client.Client, cfg *config.Config, baseDomain string) *realmSubroutine {
 	return &realmSubroutine{
 		k8s,
 		baseDomain,
+		cfg,
 	}
 }
 
@@ -86,30 +89,60 @@ func (r *realmSubroutine) Process(ctx context.Context, instance lifecycleruntime
 		return ctrl.Result{}, errors.NewOperatorError(fmt.Errorf("failed to get workspace path"), true, false)
 	}
 
-	patch := map[string]interface{}{
-		"crossplane": map[string]interface{}{
-			"realm": map[string]interface{}{
+	patch := map[string]any{
+		"crossplane": map[string]any{
+			"realm": map[string]any{
 				"name":        workspaceName,
 				"displayName": workspaceName,
 			},
-			"client": map[string]interface{}{
+			"client": map[string]any{
 				"name":        workspaceName,
 				"displayName": workspaceName,
 				"validRedirectUris": []string{
 					fmt.Sprintf("https://%s.%s/callback*", workspaceName, r.baseDomain),
 				},
 			},
+			"organization": map[string]any{
+				"domain": "example.com", // TODO: change
+			},
 		},
-		"keycloakConfig": map[string]interface{}{
-			"client": map[string]interface{}{
+		"keycloakConfig": map[string]any{
+			"client": map[string]any{
 				"name": workspaceName,
-				"targetSecret": map[string]interface{}{
+				"targetSecret": map[string]any{
 					"name": fmt.Sprintf("portal-client-secret-%s", workspaceName),
 				},
 			},
 		},
 	}
 
+	if r.cfg.IDP.SMTPServer != "" {
+
+		smtpConfig := map[string]any{
+			"host":     r.cfg.IDP.SMTPServer,
+			"port":     fmt.Sprintf("%d", r.cfg.IDP.SMTPPort),
+			"from":     r.cfg.IDP.FromAddress,
+			"ssl":      r.cfg.IDP.SSL,
+			"starttls": r.cfg.IDP.StartTLS,
+		}
+
+		if r.cfg.IDP.SMTPUser != "" {
+			smtpConfig["auth"] = map[string]any{
+				"username": r.cfg.IDP.SMTPUser,
+				"passwordSecretRef": map[string]any{
+					"namespace": "platform-mesh-system",
+					"name":      r.cfg.IDP.SMTPPasswordSecretName,
+					"key":       r.cfg.IDP.SMTPPasswordSecretKey,
+				},
+			}
+		}
+
+		err := unstructured.SetNestedField(patch, []any{smtpConfig}, "crossplane", "realm", "smtpConfig")
+		if err != nil {
+			return ctrl.Result{}, errors.NewOperatorError(fmt.Errorf("failed to set SMTP server config: %w", err), true, true)
+		}
+	}
+
 	marshalledPatch, err := json.Marshal(patch)
 	if err != nil {
 		return ctrl.Result{}, errors.NewOperatorError(fmt.Errorf("failed to marshall patch map: %w", err), true, true)
diff --git a/internal/subroutine/realm_test.go b/internal/subroutine/realm_test.go
@@ -8,6 +8,7 @@ import (
 	kcpv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/core/v1alpha1"
 	"github.com/platform-mesh/golang-commons/errors"
 	"github.com/platform-mesh/golang-commons/logger"
+	"github.com/platform-mesh/security-operator/internal/config"
 	"github.com/platform-mesh/security-operator/internal/subroutine/mocks"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
@@ -175,7 +176,7 @@ func TestRealmSubroutine_ProcessAndFinalize(t *testing.T) {
 
 			repository, helmRelease = trim(repoYAML), trim(helmReleaseYAML)
 
-			rs := NewRealmSubroutine(clientMock, baseDomain)
+			rs := NewRealmSubroutine(clientMock, &config.Config{}, baseDomain)
 			lc := &kcpv1alpha1.LogicalCluster{}
 			lc.Annotations = map[string]string{"kcp.io/path": "root:orgs:test"}
 			res, opErr := rs.Process(context.Background(), lc)
@@ -191,7 +192,7 @@ func TestRealmSubroutine_ProcessAndFinalize(t *testing.T) {
 			})
 
 			repository, helmRelease = trim(repoYAML), trim(helmReleaseYAML)
-			rs := NewRealmSubroutine(clientMock, baseDomain)
+			rs := NewRealmSubroutine(clientMock, &config.Config{}, baseDomain)
 			lc := &kcpv1alpha1.LogicalCluster{}
 			lc.Annotations = map[string]string{"kcp.io/path": "root:orgs:test"}
 			res, opErr := rs.Process(context.Background(), lc)
@@ -202,7 +203,7 @@ func TestRealmSubroutine_ProcessAndFinalize(t *testing.T) {
 		t.Run("missing workspace annotation", func(t *testing.T) {
 			t.Parallel()
 			clientMock := newClientMock(t, nil)
-			rs := NewRealmSubroutine(clientMock, baseDomain)
+			rs := NewRealmSubroutine(clientMock, &config.Config{}, baseDomain)
 			lc := &kcpv1alpha1.LogicalCluster{}
 			res, opErr := rs.Process(context.Background(), lc)
 			require.NotNil(t, opErr)
@@ -247,7 +248,7 @@ func TestRealmSubroutine_ProcessAndFinalize(t *testing.T) {
 			t.Run(tc.name, func(t *testing.T) {
 				t.Parallel()
 				clientMock := newClientMock(t, tc.setupMocks)
-				rs := NewRealmSubroutine(clientMock, baseDomain)
+				rs := NewRealmSubroutine(clientMock, &config.Config{}, baseDomain)
 				lc := &kcpv1alpha1.LogicalCluster{}
 				lc.Annotations = map[string]string{"kcp.io/path": "root:orgs:test"}
 				res, opErr := rs.Finalize(context.Background(), lc)
