feat(lib): add RoleRef support

VERSION

@@ -1 +1 @@
-v0.11.1-dev
+v0.11.2

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.25.1
 	github.com/onsi/gomega v1.38.1
 	github.com/openmcp-project/controller-utils v0.18.0
-	github.com/openmcp-project/openmcp-operator/api v0.11.1
+	github.com/openmcp-project/openmcp-operator/api v0.11.2
 	github.com/spf13/cobra v1.9.1
 	k8s.io/api v0.33.4
 	k8s.io/apimachinery v0.33.4

lib/clusteraccess/clusteraccess.go

@@ -41,8 +41,12 @@ type Reconciler interface {
 	WithRetryInterval(interval time.Duration) Reconciler
 	// WithMCPPermissions sets the permissions for the MCP AccessRequest.
 	WithMCPPermissions(permissions []clustersv1alpha1.PermissionsRequest) Reconciler
+	// WithMCPRoleRefs sets the RoleRefs for the MCP AccessRequest.
+	WithMCPRoleRefs(roleRefs []commonapi.RoleRef) Reconciler
 	// WithWorkloadPermissions sets the permissions for the Workload AccessRequest.
 	WithWorkloadPermissions(permissions []clustersv1alpha1.PermissionsRequest) Reconciler
+	// WithWorkloadRoleRefs sets the RoleRefs for the Workload AccessRequest.
+	WithWorkloadRoleRefs(roleRefs []commonapi.RoleRef) Reconciler
 	// WithMCPScheme sets the scheme for the MCP Kubernetes client.
 	WithMCPScheme(scheme *runtime.Scheme) Reconciler
 	// WithWorkloadScheme sets the scheme for the Workload Kubernetes client.
@@ -80,7 +84,9 @@ type reconcilerImpl struct {
 	controllerName        string
 	retryInterval         time.Duration
 	mcpPermissions        []clustersv1alpha1.PermissionsRequest
+	mcpRoleRefs           []commonapi.RoleRef
 	workloadPermissions   []clustersv1alpha1.PermissionsRequest
+	workloadRoleRefs      []commonapi.RoleRef
 	mcpScheme             *runtime.Scheme
 	workloadScheme        *runtime.Scheme
 }
@@ -94,7 +100,9 @@ func NewClusterAccessReconciler(platformClusterClient client.Client, controllerN
 		controllerName:        controllerName,
 		retryInterval:         5 * time.Second,
 		mcpPermissions:        []clustersv1alpha1.PermissionsRequest{},
+		mcpRoleRefs:           []commonapi.RoleRef{},
 		workloadPermissions:   []clustersv1alpha1.PermissionsRequest{},
+		workloadRoleRefs:      []commonapi.RoleRef{},
 		mcpScheme:             runtime.NewScheme(),
 		workloadScheme:        runtime.NewScheme(),
 	}
@@ -110,11 +118,21 @@ func (r *reconcilerImpl) WithMCPPermissions(permissions []clustersv1alpha1.Permi
 	return r
 }
 
+func (r *reconcilerImpl) WithMCPRoleRefs(roleRefs []commonapi.RoleRef) Reconciler {
+	r.mcpRoleRefs = roleRefs
+	return r
+}
+
 func (r *reconcilerImpl) WithWorkloadPermissions(permissions []clustersv1alpha1.PermissionsRequest) Reconciler {
 	r.workloadPermissions = permissions
 	return r
 }
 
+func (r *reconcilerImpl) WithWorkloadRoleRefs(roleRefs []commonapi.RoleRef) Reconciler {
+	r.workloadRoleRefs = roleRefs
+	return r
+}
+
 func (r *reconcilerImpl) WithMCPScheme(scheme *runtime.Scheme) Reconciler {
 	r.mcpScheme = scheme
 	return r
@@ -210,7 +228,7 @@ func (r *reconcilerImpl) Reconcile(ctx context.Context, request reconcile.Reques
 		requestNameMCP, requestNamespace, &commonapi.ObjectReference{
 			Name:      request.Name,
 			Namespace: requestNamespace,
-		}, nil, r.mcpPermissions, metadata)
+		}, nil, r.mcpPermissions, r.mcpRoleRefs, metadata)
 
 	if err != nil {
 		return reconcile.Result{}, fmt.Errorf("failed to create or update MCP AccessRequest: %w", err)
@@ -253,7 +271,7 @@ func (r *reconcilerImpl) Reconcile(ctx context.Context, request reconcile.Reques
 		requestNameWorkload, requestNamespace, &commonapi.ObjectReference{
 			Name:      requestNameWorkload,
 			Namespace: requestNamespace,
-		}, nil, r.workloadPermissions, metadata)
+		}, nil, r.workloadPermissions, r.workloadRoleRefs, metadata)
 
 	if err != nil {
 		return reconcile.Result{}, fmt.Errorf("failed to create or update Workload AccessRequest: %w", err)
@@ -486,10 +504,11 @@ func ensureClusterRequest(ctx context.Context, platformClusterClient client.Clie
 
 func ensureAccessRequest(ctx context.Context, platformClusterClient client.Client, requestName, requestNamespace string,
 	requestRef *commonapi.ObjectReference, clusterRef *commonapi.ObjectReference,
-	permissions []clustersv1alpha1.PermissionsRequest, metadata resources.MetadataMutator) (*clustersv1alpha1.AccessRequest, error) {
+	permissions []clustersv1alpha1.PermissionsRequest, roleRefs []commonapi.RoleRef, metadata resources.MetadataMutator) (*clustersv1alpha1.AccessRequest, error) {
 
 	mutator := newAccessRequestMutator(requestName, requestNamespace).
 		WithPermissions(permissions).
+		WithRoleRefs(roleRefs).
 		WithMetadata(metadata)
 
 	if requestRef != nil {
@@ -659,6 +678,7 @@ type accessRequestMutator struct {
 	requestRef  *commonapi.ObjectReference
 	clusterRef  *commonapi.ObjectReference
 	permissions []clustersv1alpha1.PermissionsRequest
+	roleRefs    []commonapi.RoleRef
 	metadata    resources.MetadataMutator
 }
 
@@ -684,6 +704,11 @@ func (m *accessRequestMutator) WithPermissions(permissions []clustersv1alpha1.Pe
 	return m
 }
 
+func (m *accessRequestMutator) WithRoleRefs(roleRefs []commonapi.RoleRef) *accessRequestMutator {
+	m.roleRefs = roleRefs
+	return m
+}
+
 func (m *accessRequestMutator) WithMetadata(metadata resources.MetadataMutator) *accessRequestMutator {
 	m.metadata = metadata
 	return m
@@ -724,6 +749,8 @@ func (m *accessRequestMutator) MetadataMutator() resources.MetadataMutator {
 func (m *accessRequestMutator) Mutate(accessRequest *clustersv1alpha1.AccessRequest) error {
 	accessRequest.Spec.Permissions = m.permissions
 
+	accessRequest.Spec.RoleRefs = m.roleRefs
+
 	if m.requestRef != nil {
 		accessRequest.Spec.RequestRef = m.requestRef
 	}

lib/clusteraccess/clusteraccess_test.go

@@ -58,11 +58,21 @@ func buildTestEnvironmentReconcile(testdataDir string, objectsWitStatus ...clien
 				},
 			}
 
+			roleRefs := []commonapi.RoleRef{
+				{
+					Kind:      "ClusterRole",
+					Name:      "cluster-admin",
+					Namespace: "",
+				},
+			}
+
 			r := clusteraccess.NewClusterAccessReconciler(c, controllerName)
 			r.WithMCPScheme(scheme).
 				WithWorkloadScheme(scheme).
 				WithMCPPermissions(permissions).
+				WithMCPRoleRefs(roleRefs).
 				WithWorkloadPermissions(permissions).
+				WithWorkloadRoleRefs(roleRefs).
 				WithRetryInterval(1 * time.Second)
 			return r
 		}).

lib/go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.25.1
 	github.com/onsi/gomega v1.38.1
 	github.com/openmcp-project/controller-utils v0.18.0
-	github.com/openmcp-project/openmcp-operator/api v0.11.1
+	github.com/openmcp-project/openmcp-operator/api v0.11.2
 	k8s.io/api v0.33.4
 	k8s.io/apimachinery v0.33.4
 	k8s.io/client-go v0.33.4