fix: access request handling for MCP V2 (#172)

Author: reshnm

VERSION

@@ -1 +1 @@
-v0.15.0-dev
+v0.15.1

api/core/v2alpha1/constants.go

@@ -40,6 +40,6 @@ const (
 )
 
 const (
-	OIDCNamePrefix  = "oidc:"
-	TokenNamePrefix = "token:"
+	OIDCNamePrefix  = "oidc_"
+	TokenNamePrefix = "token_"
 )

go.mod

@@ -14,8 +14,8 @@ require (
 	github.com/onsi/ginkgo/v2 v2.25.3
 	github.com/onsi/gomega v1.38.2
 	github.com/openmcp-project/controller-utils v0.22.0
-	github.com/openmcp-project/openmcp-operator/api v0.15.0
-	github.com/openmcp-project/openmcp-operator/lib v0.15.0
+	github.com/openmcp-project/openmcp-operator/api v0.15.1
+	github.com/openmcp-project/openmcp-operator/lib v0.15.1
 	github.com/spf13/cobra v1.10.1
 	k8s.io/api v0.34.1
 	k8s.io/apimachinery v0.34.1

internal/controllers/managedcontrolplane/access.go

@@ -90,15 +90,27 @@ func (r *ManagedControlPlaneReconciler) createOrUpdateDesiredAccessRequests(ctx
 
 	// create or update AccessRequests for the ManagedControlPlane
 	if mcp.DeletionTimestamp.IsZero() {
-		oidcProviders = make([]commonapi.OIDCProviderConfig, 0, len(mcp.Spec.IAM.OIDC.ExtraProviders)+1)
-		if r.Config.DefaultOIDCProvider != nil && len(mcp.Spec.IAM.OIDC.DefaultProvider.RoleBindings) > 0 {
+		oidcProvidersLen := 1
+		defaultProviderRoleBindingsLen := 0
+
+		if mcp.Spec.IAM.OIDC != nil {
+			oidcProvidersLen += len(mcp.Spec.IAM.OIDC.ExtraProviders)
+			defaultProviderRoleBindingsLen = len(mcp.Spec.IAM.OIDC.DefaultProvider.RoleBindings)
+		}
+
+		oidcProviders = make([]commonapi.OIDCProviderConfig, 0, oidcProvidersLen)
+
+		if r.Config.DefaultOIDCProvider != nil && defaultProviderRoleBindingsLen > 0 {
 			// add default OIDC provider, unless it has been disabled
 			defaultOidc := r.Config.DefaultOIDCProvider.DeepCopy()
 			defaultOidc.Name = corev2alpha1.DefaultOIDCProviderName
 			defaultOidc.RoleBindings = mcp.Spec.IAM.OIDC.DefaultProvider.RoleBindings
 			oidcProviders = append(oidcProviders, *defaultOidc)
 		}
-		oidcProviders = append(oidcProviders, mcp.Spec.IAM.OIDC.ExtraProviders...)
+
+		if mcp.Spec.IAM.OIDC != nil && len(mcp.Spec.IAM.OIDC.ExtraProviders) > 0 {
+			oidcProviders = append(oidcProviders, mcp.Spec.IAM.OIDC.ExtraProviders...)
+		}
 
 		tokenProviders = mcp.Spec.IAM.Tokens
 	}

internal/controllers/managedcontrolplane/controller_test.go

@@ -814,4 +814,57 @@ var _ = Describe("ManagedControlPlane Controller", func() {
 		Expect(cr.Spec.WaitForClusterDeletion).To(PointTo(BeTrue()))
 	})
 
+	It("should correctly handle an MCP without OIDC providers", func() {
+		rec, env := defaultTestSetup("testdata", "test-01")
+
+		mcp := &corev2alpha1.ManagedControlPlaneV2{}
+		mcp.SetName("mcp-03")
+		mcp.SetNamespace("test")
+		Expect(env.Client(onboarding).Get(env.Ctx, client.ObjectKeyFromObject(mcp), mcp)).To(Succeed())
+		env.ShouldReconcile(mcpRec, testutils.RequestFromObject(mcp))
+
+		platformNamespace, err := libutils.StableMCPNamespace(mcp.Name, mcp.Namespace)
+		Expect(err).ToNot(HaveOccurred())
+
+		cr := &clustersv1alpha1.ClusterRequest{}
+		cr.SetName(mcp.Name)
+		cr.SetNamespace(platformNamespace)
+		Expect(env.Client(platform).Get(env.Ctx, client.ObjectKeyFromObject(cr), cr)).To(Succeed())
+
+		// fake ClusterRequest ready status and Cluster resource
+		By("fake: ClusterRequest readiness")
+		cluster := &clustersv1alpha1.Cluster{}
+		cluster.SetName("cluster-01")
+		cluster.SetNamespace(platformNamespace)
+		cluster.Spec.Purposes = []string{rec.Config.MCPClusterPurpose}
+		Expect(env.Client(platform).Create(env.Ctx, cluster)).To(Succeed())
+		cluster.Status.Conditions = []metav1.Condition{
+			{
+				Type:               "TestCondition1",
+				Status:             metav1.ConditionTrue,
+				Reason:             "TestReason",
+				Message:            "This is a test condition",
+				LastTransitionTime: metav1.Now(),
+				ObservedGeneration: 1,
+			},
+			{
+				Type:               "TestCondition2",
+				Status:             metav1.ConditionFalse,
+				Reason:             "TestReason",
+				Message:            "This is another test condition",
+				LastTransitionTime: metav1.Now(),
+				ObservedGeneration: 1,
+			},
+		}
+		Expect(env.Client(platform).Status().Update(env.Ctx, cluster)).To(Succeed())
+		cr.Status.Phase = clustersv1alpha1.REQUEST_GRANTED
+		cr.Status.Cluster = &commonapi.ObjectReference{
+			Name:      cluster.Name,
+			Namespace: cluster.Namespace,
+		}
+		Expect(env.Client(platform).Status().Update(env.Ctx, cr)).To(Succeed())
+
+		env.ShouldReconcile(mcpRec, testutils.RequestFromObject(mcp))
+	})
+
 })

internal/controllers/managedcontrolplane/testdata/test-01/onboarding/mcp-03.yaml

@@ -0,0 +1,26 @@
+apiVersion: core.openmcp.cloud/v2alpha1
+kind: ManagedControlPlaneV2
+metadata:
+  name: mcp-03
+  namespace: test
+  finalizers:
+  - services.openmcp.cloud/sp-01
+  - services.openmcp.cloud/sp-02
+spec:
+  iam:
+    tokens:
+      - name: admin
+        roleRefs:
+          - kind: ClusterRole
+            name: cluster-admin
+        permissions:
+          - rules:
+              - apiGroups: [ '' ]
+                resources: [ 'secretcs']
+                verbs: [ '*' ]
+      - name: viewer
+        permissions:
+          - rules:
+              - apiGroups: [ '' ]
+                resources: [ 'pods', 'services' ]
+                verbs: [ 'get', 'list', 'watch' ]

lib/go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.25.3
 	github.com/onsi/gomega v1.38.2
 	github.com/openmcp-project/controller-utils v0.22.0
-	github.com/openmcp-project/openmcp-operator/api v0.15.0
+	github.com/openmcp-project/openmcp-operator/api v0.15.1
 	k8s.io/api v0.34.1
 	k8s.io/apimachinery v0.34.1
 	k8s.io/client-go v0.34.1