From 423a41de152f23f4405b782b75ddeeeb7a94a8c3 Mon Sep 17 00:00:00 2001
From: Michael Quigley
Date: Tue, 17 Jun 2025 14:23:48 -0400
Subject: [PATCH] 'zrok admin create secrets-access-identity' (#983)
---
 cmd/zrok/adminCreateSecretsAccessIdentity.go | 93 ++++++++++++++++++++
 cmd/zrok/adminCreateSecretsIdentity.go | 76 ----------------
 2 files changed, 93 insertions(+), 76 deletions(-)
 create mode 100644 cmd/zrok/adminCreateSecretsAccessIdentity.go
 delete mode 100644 cmd/zrok/adminCreateSecretsIdentity.go
diff --git a/cmd/zrok/adminCreateSecretsAccessIdentity.go b/cmd/zrok/adminCreateSecretsAccessIdentity.go
new file mode 100644
index 00000000..b2cdc812
--- /dev/null
+++ b/cmd/zrok/adminCreateSecretsAccessIdentity.go
@@ -0,0 +1,93 @@
+package main
+
+import (
+ "os"
+
+ "github.com/openziti/zrok/environment"
+ "github.com/openziti/zrok/environment/env_core"
+ "github.com/openziti/zrok/rest_client_zrok"
+ "github.com/openziti/zrok/rest_client_zrok/admin"
+ "github.com/sirupsen/logrus"
+ "github.com/spf13/cobra"
+)
+
+func init() {
+ adminCreateCmd.AddCommand(newAdminCreateSecretsIdentityCommand().cmd)
+}
+
+type adminCreateSecretsAccessIdentityCommand struct {
+ cmd *cobra.Command
+}
+
+func newAdminCreateSecretsIdentityCommand() *adminCreateSecretsAccessIdentityCommand {
+ cmd := &cobra.Command{
+ Use: "secrets-access-identity ",
+ Aliases: []string{"sai"},
+ Short: "Create a secrets access identity for accessing the secrets listener",
+ Args: cobra.ExactArgs(1),
+ }
+ command := &adminCreateSecretsAccessIdentityCommand{cmd: cmd}
+ cmd.Run = command.run
+ return command
+}
+
+func (cmd *adminCreateSecretsAccessIdentityCommand) run(_ *cobra.Command, args []string) {
+ name := args[0]
+
+ env, err := environment.LoadRoot()
+ if err != nil {
+ panic(err)
+ }
+ zif, err := env.ZitiIdentityNamed(name)
+ if err != nil {
+ panic(err)
+ }
+ if _, err := os.Stat(zif); err == nil {
+ logrus.Errorf("identity '%v' already exists at '%v'", name, zif)
+ os.Exit(1)
+ }
+
+ zrok, err := env.Client()
+ if err != nil {
+ panic(err)
+ }
+
+ secretsAccessIdentityZId, err := cmd.createIdentity(name, env, zrok)
+ if err != nil {
+ panic(err)
+ }
+ logrus.Infof("created identity '%v' with ziti id '%v'", name, secretsAccessIdentityZId)
+
+ if err := cmd.createDialPolicy(secretsAccessIdentityZId, zrok); err != nil {
+ panic(err)
+ }
+ logrus.Infof("added dial service policy for secrets access identity '%v'", secretsAccessIdentityZId)
+}
+
+func (cmd *adminCreateSecretsAccessIdentityCommand) createIdentity(name string, env env_core.Root, zrok *rest_client_zrok.Zrok) (zId string, err error) {
+ req := admin.NewCreateIdentityParams()
+ req.Body.Name = name
+
+ resp, err := zrok.Admin.CreateIdentity(req, mustGetAdminAuth())
+ if err != nil {
+ return "", err
+ }
+
+ if err := env.SaveZitiIdentityNamed(name, resp.Payload.Cfg); err != nil {
+ return "", err
+ }
+
+ return resp.Payload.Identity, nil
+}
+
+func (cmd *adminCreateSecretsAccessIdentityCommand) createDialPolicy(secretsAccessIdentityZId string, zrok *rest_client_zrok.Zrok) error {
+ req := admin.NewAddSecretsAccessParams()
+ req.Body.SecretsAccessIdentityZID = secretsAccessIdentityZId
+
+ _, err := zrok.Admin.AddSecretsAccess(req, mustGetAdminAuth())
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
diff --git a/cmd/zrok/adminCreateSecretsIdentity.go b/cmd/zrok/adminCreateSecretsIdentity.go
deleted file mode 100644
index 4c4c8d11..00000000
--- a/cmd/zrok/adminCreateSecretsIdentity.go
+++ /dev/null
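Review bot: When createDialPolicy fails, run panics after createIdentity has already created the identity on the controller and persisted its config through SaveZitiIdentityNamed, so the operator is left with an identity that has no dial policy, and a rerun of the command is refused by the os.Stat existence check on the same name. The failure should say what was left behind, following the existing Errorf/Exit pattern in run: `logrus.Errorf("adding dial policy for identity '%v' (ziti id '%v'); identity file '%v' was already saved and must be removed before retrying: %v", name, secretsAccessIdentityZId, zif, err)` followed by `os.Exit(1)`, or the policy could be added before the config is written so nothing is persisted on failure. Separately, the constructor is named newAdminCreateSecretsIdentityCommand while the type it returns is adminCreateSecretsAccessIdentityCommand; renaming it to `newAdminCreateSecretsAccessIdentityCommand` here and in init() would keep the two in step. The existence check also treats any os.Stat error, not just "not found", as absence and proceeds to write the identity file; an `errors.Is(err, fs.ErrNotExist)` test would distinguish a missing file from, say, a permission failure.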
@@ -1,76 +0,0 @@
-package main
-
-import (
- "os"
-
- "github.com/openziti/zrok/environment"
- "github.com/openziti/zrok/environment/env_core"
- "github.com/openziti/zrok/rest_client_zrok"
- "github.com/openziti/zrok/rest_client_zrok/admin"
- "github.com/sirupsen/logrus"
- "github.com/spf13/cobra"
-)
-
-func init() {
- adminCreateCmd.AddCommand(newAdminCreateSecretsIdentity().cmd)
-}
-
-type adminCreateSecretsIdentity struct {
- cmd *cobra.Command
-}
-
-func newAdminCreateSecretsIdentity() *adminCreateSecretsIdentity {
- cmd := &cobra.Command{
- Use: "secrets-identity ",
- Aliases: []string{"si"},
- Short: "Create a secrets identity for accessing the secrets listener",
- Args: cobra.ExactArgs(1),
- }
- command := &adminCreateSecretsIdentity{cmd: cmd}
- cmd.Run = command.run
- return command
-}
-
-func (cmd *adminCreateSecretsIdentity) run(_ *cobra.Command, args []string) {
- name := args[0]
-
- env, err := environment.LoadRoot()
- if err != nil {
- panic(err)
- }
- zif, err := env.ZitiIdentityNamed(name)
- if err != nil {
- panic(err)
- }
- if _, err := os.Stat(zif); err == nil {
- logrus.Errorf("identity '%v' already exists at '%v'", name, zif)
- os.Exit(1)
- }
-
- zrok, err := env.Client()
- if err != nil {
- panic(err)
- }
-
- zId, err := cmd.createIdentity(name, env, zrok)
- if err != nil {
- panic(err)
- }
- logrus.Infof("created identity '%v' with ziti id '%v'", name, zId)
-}
-
-func (cmd *adminCreateSecretsIdentity) createIdentity(name string, env env_core.Root, zrok *rest_client_zrok.Zrok) (zId string, err error) {
- req := admin.NewCreateIdentityParams()
- req.Body.Name = name
-
- resp, err := zrok.Admin.CreateIdentity(req, mustGetAdminAuth())
- if err != nil {
- return "", err
- }
-
- if err := env.SaveZitiIdentityNamed(name, resp.Payload.Cfg); err != nil {
- return "", err
- }
-
- return resp.Payload.Identity, nil
-}