Conversation

reshnm
Contributor

@reshnm reshnm commented Sep 24, 2025

What this PR does / why we need it:

Previously, it was only possible to configure the ManagedControlPlaneV2 IAM with OIDC.
This PR introduces a static token configuration for the IAM.
A user can provide a list of named static token configurations. For each configuration, the openmcp-operator will create an AccessRequest and write the kubeconfig secret to the ManagedControlPlaneV2 access map.
In the access map, all tokens will be prefixed with "token:" and all OIDC configs will be prefixed with "oidc:" to prevent name clashes.

In order to make it easier for the user to identify which field does what, the OIDC configuration has been restructured.
The default provider's role bindings are now under .spec.iam.oidc.defaultProvider.
Additional user-specified OIDC providers are now specified under .spec.iam.oidc.extraProviders.

apiVersion: core.openmcp.cloud/v2alpha1
kind: ManagedControlPlaneV2
metadata:
  name: mcp-01
  namespace: foo
spec:
  iam:
    oidc:
      defaultProvider:
        roleBindings: # this sets the role bindings for the default OIDC provider (no effect if none is configured)
        - subjects:
          - kind: User
            name: john.doe@example.com
          roleRefs:
          - kind: ClusterRole
            name: cluster-admin
            
        extraProviders: # here, additional OIDC providers can be configured
        - name: my-oidc-provider
          issuer: https://oidc.example.com
          clientID: my-client-id
          extraScopes:
          - foo
          roleBindings:
          - subjects:
            - kind: User
              name: foo
            - kind: Group
              name: bar
            roleRefs:
            - kind: ClusterRole
              name: my-cluster-role
            - kind: Role
              name: my-role
              namespace: default
              
      tokens: # here, static tokens can be configured
      - name: admin # this token will be named 'admin' and must be unique per MCP
        # roleRefs and permissions can be either set individually or together
        roleRefs: # this sets the role bindings for the static token named 'admin'
          - kind: ClusterRole
            name: cluster-admin
        permissions: # here, additional permissions can be configured
          - rules:
              - apiGroups: [ '' ]
                resources: [ 'secrets' ]
                verbs: [ '*' ]
      - name: viewer
        permissions:
          - rules:
              - apiGroups: [ '' ]
                resources: [ 'pods', 'services' ]
                verbs: [ 'get', 'list', 'watch' ]

Which issue(s) this PR fixes:
Fixes #260

Special notes for your reviewer:

Release note:

Allow static token configuration in IAM section of ManagedControlPlaneV2 
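An added example, written for this page and not taken from the PR or the openmcp-operator code base, in Go (the operator's language). It shows the two things a reviewer would want to check around the spec above: that the "token:" and "oidc:" prefixes keep a static token and an OIDC provider with the same name from colliding in the access map, and a validation pass that rejects duplicate token names (the PR requires them to be unique per MCP) and tokens that grant nothing, plus a lint that flags static tokens whose inline rules use a '*' verb, since a static token is a long-lived bearer credential. The struct types, the assumption that an OIDC access-map entry is keyed by its provider name, and all function names are hypothetical stand-ins, not the operator's API; the input is constructed from the PR's sample YAML.

```go
package main

import (
	"fmt"
	"sort"
)

// Simplified stand-ins for the .spec.iam fields in the PR description; they are
// assumptions for this example, not the openmcp-operator's API types.
type (
	RoleRef     struct{ Kind, Name, Namespace string }
	PolicyRule  struct{ APIGroups, Resources, Verbs []string }
	Permission  struct{ Rules []PolicyRule }
	TokenConfig struct {
		Name        string
		RoleRefs    []RoleRef
		Permissions []Permission
	}
	OIDCProvider struct{ Name, Issuer, ClientID string }
	IAMSpec      struct {
		ExtraProviders []OIDCProvider
		Tokens         []TokenConfig
	}
)

// AccessKeys returns the sorted access-map keys a spec would produce, using the
// "token:" and "oidc:" prefixes from the PR description. Assumption: an OIDC
// entry is keyed by its provider name; the PR states only the prefix.
func AccessKeys(spec IAMSpec) []string {
	keys := make([]string, 0, len(spec.Tokens)+len(spec.ExtraProviders))
	for _, t := range spec.Tokens {
		keys = append(keys, "token:"+t.Name)
	}
	for _, p := range spec.ExtraProviders {
		keys = append(keys, "oidc:"+p.Name)
	}
	sort.Strings(keys)
	return keys
}

// ValidateIAM reports what an admission check should reject before the operator
// creates any AccessRequest: duplicate token names (the PR requires them to be
// unique per MCP) and tokens that grant nothing (no roleRefs and no permissions).
func ValidateIAM(spec IAMSpec) []string {
	var problems []string
	seen := map[string]bool{}
	for _, t := range spec.Tokens {
		if seen[t.Name] {
			problems = append(problems, fmt.Sprintf("duplicate token name %q", t.Name))
		}
		seen[t.Name] = true
		if len(t.RoleRefs) == 0 && len(t.Permissions) == 0 {
			problems = append(problems, fmt.Sprintf("token %q grants nothing: set roleRefs and/or permissions", t.Name))
		}
	}
	return problems
}

// WildcardTokens lists tokens whose inline rules use '*' as a verb. A static
// token is a long-lived bearer credential, so such a grant deserves review.
func WildcardTokens(spec IAMSpec) []string {
	var out []string
tokens:
	for _, t := range spec.Tokens {
		for _, perm := range t.Permissions {
			for _, r := range perm.Rules {
				for _, v := range r.Verbs {
					if v == "*" {
						out = append(out, t.Name)
						continue tokens
					}
				}
			}
		}
	}
	return out
}

// ExampleSpec is constructed input: the PR's two sample tokens plus an OIDC
// provider deliberately named like the 'admin' token, to show the prefixes keep
// the two access-map keys apart.
func ExampleSpec() IAMSpec {
	return IAMSpec{
		ExtraProviders: []OIDCProvider{{Name: "admin", Issuer: "https://oidc.example.com", ClientID: "my-client-id"}},
		Tokens: []TokenConfig{
			{Name: "admin", RoleRefs: []RoleRef{{Kind: "ClusterRole", Name: "cluster-admin"}},
				Permissions: []Permission{{Rules: []PolicyRule{{APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"*"}}}}}},
			{Name: "viewer", Permissions: []Permission{{Rules: []PolicyRule{{APIGroups: []string{""}, Resources: []string{"pods", "services"}, Verbs: []string{"get", "list", "watch"}}}}}},
		},
	}
}

func main() {
	spec := ExampleSpec()
	fmt.Println("access keys:", AccessKeys(spec))                // [oidc:admin token:admin token:viewer]
	fmt.Println("problems:", ValidateIAM(spec))                  // []
	fmt.Println("wildcard inline grants:", WildcardTokens(spec)) // [admin]
}
```

Run with `go run .`; the 'admin' token is flagged because its inline rule grants '*' on secrets, which is also redundant next to the cluster-admin roleRef it already carries.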

@reshnm reshnm requested a review from Diaphteiros September 24, 2025 12:34
@reshnm reshnm merged commit f808b30 into main Sep 24, 2025
6 checks passed
@reshnm reshnm deleted the feat/mcp-support-token-auth branch September 24, 2025 13:39


Development

Linked issue this PR may close: Task: enable automation of MCPv2 creation and access

2 participants