Releases: openmcp-project/openmcp-operator

Release v0.15.1

29 Sep 12:52
f4e38be

Changes included in v0.15.1:

🚀 Features

  • allow to skip the workload cluster management #171
    • [DEVELOPER][FEATURE] Allow to skip management of Workload cluster in Access Request Reconciler

🐛 Fixes

  • access request handling for MCP V2 #172
    • [USER][BUGFIX] Correctly handle MCPs without an OIDC config
      Change : to _ for the access secret provider prefix.

Release v0.15.0

29 Sep 07:18
1a1d554

Changes included in v0.15.0:

🔨 Refactoring

  • move access request handling into own lib function #160
    • [DEVELOPER][FEATURE] The lib/clusteraccess package's Manager interface has been expanded with the WaitForClusterAccess method, which creates/updates an AccessRequest for an existing Cluster or ClusterRequest.

🚀 Features

  • support token auth for ManagedControlPlaneV2 #168
    • [USER][FEATURE] Allow static token configuration in IAM section of ManagedControlPlaneV2
  • Improve clusteraccess #167
    • [DEVELOPER][FEATURE] The StableRequestName and StableRequestNameFromLocalName functions from the lib/clusteraccess package now shorten resulting names if they exceed the character limit for k8s resource names. A hash suffix prevents conflicts for different keys with the same prefix.
    • [DEVELOPER][FEATURE] The NewTestClusterAccessManager function from lib/accessrequest serves as an implementation of the Manager interface that is suited to be used in unit tests. It fakes readiness of ClusterRequest and AccessRequest resources that it creates and returns k8s fake clients instead. The fake clients have to be configured beforehand. While this makes the Manager usable in unit tests, the code creating the Manager still has to differentiate between the creation of a regular one or the test implementation.

Release v0.14.0

09 Sep 09:27
642b360

Changes included in v0.14.0:

🔨 Refactoring

  • OIDC validation and defaulting #157
    • [OPERATOR][BREAKING] The naming restriction for the default OIDC provider has been removed (was restricted to default before) and it is now defaulted to openmcp instead.
    • [USER][BREAKING] The validation for the spec.iam.oidcProviders field in the ManagedControlPlaneV2 resource has been changed in multiple ways:
      • usernamePrefix and groupsPrefix have been removed and are now always assumed to be <name>:
      • name is not allowed to be set to system (prevents k8s service account impersonation)
      • The regex validation rule for name has been fixed
      • issuer and clientID are now required and the former one must look like a URL
      • Duplicate OIDC provider names or ones that clash with the default OIDC provider are now prevented
  • change default scheduler scope to 'Cluster' #153
    • [OPERATOR][BREAKING] The scheduler's default scope has been changed to Cluster (was Namespaced before).
  • make logging verbosity case-insensitive #155
    • [OPERATOR][OTHER] It is now possible to specify the logging verbosity in the PlatformService, ClusterProvider, and ServiceProvider resources also in lowercase.

🚀 Features

  • sync Cluster conditions to MCP #152
    • [USER][FEATURE] The MCPv2 resource now syncs conditions from its primary Cluster into its own status.
  • MCP purpose override #151
    • [USER][FEATURE] The label core.openmcp.cloud/purpose can now be used on ManagedControlPlaneV2 resources to override the default cluster purpose.

Release v0.13.1

05 Sep 08:59
c3c1725

Changes included in v0.13.1:

🐛 Fixes

  • mcpv2 conditions #150
    • [USER][BUGFIX] Fixed an invalid condition type in the MCPv2 resource that prevented status updates and thereby kept the MCPv2 from becoming ready.

Release v0.13.0

03 Sep 11:44
80bd667

Changes included in v0.13.0:

🚀 Features

  • [feature] [operator] MCPv2 controller #115: The MCPv2 controller is now part of the openmcp-operator.

Release v0.12.0

02 Sep 12:09
be76a87

Changes included in v0.12.0:

🔨 Refactoring

  • [breaking] [operator] AccessRequest api #141: The AccessRequest resource has been refactored for a better differentiation between token and oidc access requests.

🐛 Fixes

  • [bugfix] [operator] fix cluster printer columns #140: The additional printer columns for the Cluster resource will now correctly show up on kubectl get.
  • [bugfix] [operator] remove namespace from ClusterProfile's provider and providerconfig references #138: The providerRef and providerConfigRef fields in the ClusterProfile's spec now only take a name and no namespace, as intended.

Release v0.11.2

01 Sep 08:51
9f6f3aa

Changes included in v0.11.2:

🚀 Features

  • [feature] [developer] add RoleRef support #137: Adding support in the lib to reference RoleRefs in the ClusterAccess reconciler.
  • [feature] [user] cluster- and access-request names #134: Prevent name conflicts for ClusterRequests and AccessRequests
  • [feature] [user] package crds in component #133: Package the custom resource definition manifests for the openmcp-operator into the OCM component
  • [feature] [operator] install providers in system namespace #126: Install all providers in a common namespace "openmcp-system"
  • [feature] [operator] Allow override for 'run' and 'init' command in providers #129: The init and run commands for providers can now be overridden by using the respective fields in the spec of ServiceProvider, ClusterProvider, and PlatformService resources.

🔧 Chores

  • [breaking] [operator] remove onboarding cluster kubeconfig argument #130: The openmcp-operator now takes a --kubeconfig argument for the platform cluster kubeconfig instead of the previous --platform-cluster argument. The --onboarding-cluster argument has been removed to make the operator work without an existing onboarding cluster.

Release v0.11.1

27 Aug 11:18
2de1100

Changes included in v0.11.1:

🚀 Features

  • [feature] [user] add RoleRefs to AccessRequest API #128: Adding support for role references in AccessRequests to bind the ServiceAccount to an existing role or cluster role.
  • [feature] [operator] use K8sNameUUID instead of K8sNameHash and let each mcp have its own namespace #114: The library functions regarding stable MCP namespace and request names have been adapted to use the new UUID-style hash functions and the concept of each MCP having its own namespace on the platform cluster.

Release v0.11.0

21 Aug 14:43
a93f98a

Changes included in v0.11.0:

🚀 Features

  • [feature] [user] add ExtraVolumes and ExtraVolumeMounts to DeploymentSpec #118: Adding ExtraVolumes and ExtraVolumeMounts fields to the DeploymentSpec
  • [feature] [user] add name field to AccessRequest permissions #113: It is now possible to overwrite the name of (Cluster)Roles generated by AccessRequests.
  • [feature] [operator] add extra scopes to oidc provider config #108: It is now possible to specify additional scopes for OIDC providers (in AccessRequest and ManagedControlPlane api types).
  • [feature] [user] add ManagedControlPlane API #104: Added the ManagedControlPlane type with api version core.openmcp.cloud/v2alpha1 and added OIDC configuration to the AccessRequest type.

🐛 Fixes

  • [bugfix] [user] add ExtraVolumes and ExtraVolumeMounts to DeploymentSpec #118: Fixing permission issues on ClusterProfiles during Init job of Cluster Providers and Service Providers

🔧 Chores

  • release v0.11.0 #120.
  • [bugfix] [operator] remove broken validation rule #111: Removed a broken validation rule that made it impossible to apply the AccessRequest CRD.
  • [breaking] [user] rename v2 MCP resource #109: The v2 ManagedControlPlane resource has been renamed to ManagedControlPlaneV2 to avoid k8s trying to convert between v1 and v2, since we want to use both in parallel for the migration period.

Release v0.10.0

04 Aug 08:33
5c265ff

Changes included in v0.10.0:

🚀 Features

  • [feature] [developer] args and envs #99: Change of the arguments and environment variables that are passed to providers.
  • [feature] [user] minor api enhancements #100: ClusterRequest resources can now be configured to delay the removal of their own finalizer (therefore also delaying their own deletion) until the corresponding Cluster is gone when the request is deleted, instead of the finalizer being removed immediately after the deletion of the Cluster has been triggered. Cluster providers need to take care to implement the feature accordingly. The spec.waitForClusterDeletion flag has no effect in situations where deletion of the ClusterRequest does not trigger a deletion of the corresponding Cluster.
  • [feature] [developer] minor api enhancements #100: ServiceProvider resources must now expose a list of their service resource types in their status. Service providers must take care to implement the feature accordingly. This serves as a kind of 'service catalog' that allows looking up the k8s resources that belong to a specific service provider.

🔧 Chores

  • [feature] [operator] release v0.10.0 #101: Release v0.10.0 of the openmcp operator

🐛 Fixes

  • [fix] [user] empty AccessRequestConfig during controller start up #96: Fixing possible nil pointer dereference bug while accessing empty AccessRequestConfig during start up of accessrequest controller