From ce1aff6a0b43f374f359fffe95af75856446c144 Mon Sep 17 00:00:00 2001 From: Maximilian Techritz Date: Thu, 28 Aug 2025 15:34:39 +0200 Subject: [PATCH 1/3] feat(lib): add RoleRef support --- lib/clusteraccess/clusteraccess.go | 33 +++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/lib/clusteraccess/clusteraccess.go b/lib/clusteraccess/clusteraccess.go index b942472..0a849c1 100644 --- a/lib/clusteraccess/clusteraccess.go +++ b/lib/clusteraccess/clusteraccess.go @@ -41,8 +41,12 @@ type Reconciler interface { WithRetryInterval(interval time.Duration) Reconciler // WithMCPPermissions sets the permissions for the MCP AccessRequest. WithMCPPermissions(permissions []clustersv1alpha1.PermissionsRequest) Reconciler + // WithMCPRoleRefs sets the RoleRefs for the MCP AccessRequest. + WithMCPRoleRefs(roleRefs []commonapi.RoleRef) Reconciler // WithWorkloadPermissions sets the permissions for the Workload AccessRequest. WithWorkloadPermissions(permissions []clustersv1alpha1.PermissionsRequest) Reconciler + // WithWorkloadRoleRefs sets the RoleRefs for the Workload AccessRequest. + WithWorkloadRoleRefs(roleRefs []commonapi.RoleRef) Reconciler // WithMCPScheme sets the scheme for the MCP Kubernetes client. WithMCPScheme(scheme *runtime.Scheme) Reconciler // WithWorkloadScheme sets the scheme for the Workload Kubernetes client. @@ -80,7 +84,9 @@ type reconcilerImpl struct { controllerName string retryInterval time.Duration mcpPermissions []clustersv1alpha1.PermissionsRequest + mcpRoleRefs []commonapi.RoleRef workloadPermissions []clustersv1alpha1.PermissionsRequest + workloadRoleRefs []commonapi.RoleRef mcpScheme *runtime.Scheme workloadScheme *runtime.Scheme } 
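Review bot: The doc comments added for `WithMCPRoleRefs` and `WithWorkloadRoleRefs` in the `Reconciler` interface do not say how RoleRefs relate to the permissions configured next to them, although both end up in the same AccessRequest spec (see `Mutate` later in this patch). Since these options decide what access is requested, I would spell it out, e.g. `// WithMCPRoleRefs sets the roles (e.g. ClusterRoles) referenced by the MCP AccessRequest; they are sent alongside the permissions from WithMCPPermissions, and a repeated call replaces the previous list.`, with the same wording for the Workload variant. The interface body continues outside the hunk.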
@@ -94,7 +100,9 @@ func NewClusterAccessReconciler(platformClusterClient client.Client, controllerN controllerName: controllerName, retryInterval: 5 * time.Second, mcpPermissions: []clustersv1alpha1.PermissionsRequest{}, + mcpRoleRefs: []commonapi.RoleRef{}, workloadPermissions: []clustersv1alpha1.PermissionsRequest{}, + workloadRoleRefs: []commonapi.RoleRef{}, mcpScheme: runtime.NewScheme(), workloadScheme: runtime.NewScheme(), } @@ -110,11 +118,21 @@ func (r *reconcilerImpl) WithMCPPermissions(permissions []clustersv1alpha1.Permi return r } +func (r *reconcilerImpl) WithMCPRoleRefs(roleRefs []commonapi.RoleRef) Reconciler { + r.mcpRoleRefs = roleRefs + return r +} + func (r *reconcilerImpl) WithWorkloadPermissions(permissions []clustersv1alpha1.PermissionsRequest) Reconciler { r.workloadPermissions = permissions return r } +func (r *reconcilerImpl) WithWorkloadRoleRefs(roleRefs []commonapi.RoleRef) Reconciler { + r.workloadRoleRefs = roleRefs + return r +} + func (r *reconcilerImpl) WithMCPScheme(scheme *runtime.Scheme) Reconciler { r.mcpScheme = scheme return r @@ -210,7 +228,7 @@ func (r *reconcilerImpl) Reconcile(ctx context.Context, request reconcile.Reques requestNameMCP, requestNamespace, &commonapi.ObjectReference{ Name: request.Name, Namespace: requestNamespace, - }, nil, r.mcpPermissions, metadata) + }, nil, r.mcpPermissions, r.mcpRoleRefs, metadata) if err != nil { return reconcile.Result{}, fmt.Errorf("failed to create or update MCP AccessRequest: %w", err) @@ -253,7 +271,7 @@ func (r *reconcilerImpl) Reconcile(ctx context.Context, request reconcile.Reques requestNameWorkload, requestNamespace, &commonapi.ObjectReference{ Name: requestNameWorkload, Namespace: requestNamespace, - }, nil, r.workloadPermissions, metadata) + }, nil, r.workloadPermissions, r.workloadRoleRefs, metadata) if err != nil { return reconcile.Result{}, fmt.Errorf("failed to create or update Workload AccessRequest: %w", err) 
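Review bot: `WithMCPRoleRefs` and `WithWorkloadRoleRefs` keep the caller's slice as-is (`r.mcpRoleRefs = roleRefs`), so a caller that later appends to or edits that slice silently changes which roles every following reconcile requests. For a field that determines granted access I would detach it: `r.mcpRoleRefs = slices.Clone(roleRefs)` and `r.workloadRoleRefs = slices.Clone(roleRefs)` (this needs the `slices` import if the file does not already have it). The same applies to `accessRequestMutator.WithRoleRefs` and the assignment in `Mutate` in the later hunks of this patch. The existing permission setters shown as context follow the same pattern and could be changed together with these.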
@@ -486,10 +504,11 @@ func ensureClusterRequest(ctx context.Context, platformClusterClient client.Clie func ensureAccessRequest(ctx context.Context, platformClusterClient client.Client, requestName, requestNamespace string, requestRef *commonapi.ObjectReference, clusterRef *commonapi.ObjectReference, - permissions []clustersv1alpha1.PermissionsRequest, metadata resources.MetadataMutator) (*clustersv1alpha1.AccessRequest, error) { + permissions []clustersv1alpha1.PermissionsRequest, roleRefs []commonapi.RoleRef, metadata resources.MetadataMutator) (*clustersv1alpha1.AccessRequest, error) { mutator := newAccessRequestMutator(requestName, requestNamespace). WithPermissions(permissions). + WithRoleRefs(roleRefs). WithMetadata(metadata) if requestRef != nil { @@ -659,6 +678,7 @@ type accessRequestMutator struct { requestRef *commonapi.ObjectReference clusterRef *commonapi.ObjectReference permissions []clustersv1alpha1.PermissionsRequest + roleRefs []commonapi.RoleRef metadata resources.MetadataMutator } @@ -684,6 +704,11 @@ func (m *accessRequestMutator) WithPermissions(permissions []clustersv1alpha1.Pe return m } +func (m *accessRequestMutator) WithRoleRefs(roleRefs []commonapi.RoleRef) *accessRequestMutator { + m.roleRefs = roleRefs + return m +} + func (m *accessRequestMutator) WithMetadata(metadata resources.MetadataMutator) *accessRequestMutator { m.metadata = metadata return m @@ -724,6 +749,8 @@ func (m *accessRequestMutator) MetadataMutator() resources.MetadataMutator { func (m *accessRequestMutator) Mutate(accessRequest *clustersv1alpha1.AccessRequest) error { accessRequest.Spec.Permissions = m.permissions + accessRequest.Spec.RoleRefs = m.roleRefs + if m.requestRef != nil { accessRequest.Spec.RequestRef = m.requestRef } From 70fcf0b3405744da2739d090d92b2eafb3d60b77 Mon Sep 17 00:00:00 2001 
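Review bot: `Mutate` writes `m.roleRefs` into `accessRequest.Spec.RoleRefs` unchecked, so an entry with an empty `Name` is caught, if at all, only by the platform cluster's API validation after the request has been built. Because these references decide which roles get bound, I would fail early at the top of `Mutate`: `for i, ref := range m.roleRefs { if ref.Name == "" { return fmt.Errorf("roleRefs[%d]: name must not be empty", i) } }`. Whether particular `Kind`/`Namespace` combinations also need checking depends on the RoleRef API, which is not visible here. The assignment is also unconditional, so a reconciler that never calls the setter clears any RoleRefs on an existing AccessRequest; that is presumably intended, but deserves a comment such as `// RoleRefs are fully owned by this mutator; unset means none.` Mutate's body continues outside the hunk.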
From: Maximilian Techritz Date: Mon, 1 Sep 2025 09:10:23 +0200 Subject: [PATCH 2/3] test: add roleRefs --- lib/clusteraccess/clusteraccess_test.go | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/lib/clusteraccess/clusteraccess_test.go b/lib/clusteraccess/clusteraccess_test.go index 6ac6746..0da24f8 100644 --- a/lib/clusteraccess/clusteraccess_test.go +++ b/lib/clusteraccess/clusteraccess_test.go @@ -58,11 +58,21 @@ func buildTestEnvironmentReconcile(testdataDir string, objectsWitStatus ...clien }, } + roleRefs := []commonapi.RoleRef{ + { + Kind: "ClusterRole", + Name: "cluster-admin", + Namespace: "", + }, + } + r := clusteraccess.NewClusterAccessReconciler(c, controllerName) r.WithMCPScheme(scheme). WithWorkloadScheme(scheme). WithMCPPermissions(permissions). + WithMCPRoleRefs(roleRefs). WithWorkloadPermissions(permissions). + WithWorkloadRoleRefs(roleRefs). WithRetryInterval(1 * time.Second) return r }). From 3f0099cfcc3d9704a2a7f30f8382138944dffe65 Mon Sep 17 00:00:00 2001 From: Maximilian Techritz Date: Mon, 1 Sep 2025 09:16:19 +0200 Subject: [PATCH 3/3] feat: release v0.11.2 --- VERSION | 2 +- go.mod | 2 +- lib/go.mod | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/VERSION b/VERSION index 63fedbb..1554d9b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v0.11.1-dev \ No newline at end of file +v0.11.2 \ No newline at end of file diff --git a/go.mod b/go.mod index d8dd68b..ebc9a7a 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/onsi/ginkgo/v2 v2.25.1 github.com/onsi/gomega v1.38.1 github.com/openmcp-project/controller-utils v0.18.0 - github.com/openmcp-project/openmcp-operator/api v0.11.1 + github.com/openmcp-project/openmcp-operator/api v0.11.2 github.com/spf13/cobra v1.9.1 k8s.io/api v0.33.4 k8s.io/apimachinery v0.33.4 diff --git a/lib/go.mod b/lib/go.mod index 082ea47..2f7fe30 100644 --- a/lib/go.mod +++ b/lib/go.mod 
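Review bot: In `buildTestEnvironmentReconcile` (clusteraccess_test.go) the new `roleRefs` fixture is passed to the builder, but nothing in this hunk checks that the resulting AccessRequests carry it, so a regression in `Mutate` that dropped RoleRefs would likely go unnoticed. I would add an expectation in the reconcile spec along the lines of `Expect(accessRequest.Spec.RoleRefs).To(Equal(roleRefs))` (variable name illustrative) for both the MCP and the Workload request. The fixture also uses `cluster-admin`; a narrowly scoped, clearly fake name such as `test-viewer` keeps the test from reading as a recommended configuration. The function continues outside the hunk, so assertions elsewhere in the file are not visible here.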
@@ -8,7 +8,7 @@ require ( github.com/onsi/ginkgo/v2 v2.25.1 github.com/onsi/gomega v1.38.1 github.com/openmcp-project/controller-utils v0.18.0 - github.com/openmcp-project/openmcp-operator/api v0.11.1 + github.com/openmcp-project/openmcp-operator/api v0.11.2 k8s.io/api v0.33.4 k8s.io/apimachinery v0.33.4 k8s.io/client-go v0.33.4