Description
As a larger organization using Crossplane, openMCP or IaD in general, you will realize that teams working along your org's standards and rules have very similar ManagedControlPlane setups.
Some organizations require, forbid or guide their developing teams even further. Let's support them along this way.
Tasks
- POC exists -- cleanups and refactoring needed (update code base to latest)
- Tests outstanding - unit tests
- A few features may still be left to implement
Desired End User Flow
- In the Webapp, I click on New MCP; along this way I can choose a "Template"
- The Template prefills, requires, skips or validates certain config options in my ManagedControlPlane creation Wizard
Desired Platform Capability
- Platform Admins can define Templates
- for everyone in company
- for everyone in a project (out of scope)
- for everyone in a workspace (out of scope)
- How can we limit to only some orgs/people? (out of scope)
How to achieve
We will have a special new Resource called ManagedControlPlaneTemplate.
In the first version: interested teams can provide this manually by approaching the administrators of the openMCP stack.
Future: every user should be able to create this resource in a project/workspace where they have admin access. (out of scope)
Flow (out of scope)
- Admin creates the ManagedControlPlaneTemplate
- kro creates a new RGD based on the ManagedControlPlaneTemplate
- This new Resource (TemplateX) is then available for Users of a project/workspace.
- Users can use the new Resource (TemplateX) to create an MCP with restricted input fields
- The Resource (TemplateX) creates a ManagedControlPlane Resource
Example Resource
This resource will be provided by a Stakeholder via a simple PR in a given repository (Out of scope)
Do not enable feature/merge to main until we consume from Onboarding API (@GenosseOtt organizes real example ASAP)
```yaml
kind: ManagedControlPlaneTemplate
meta:
  name: template-name                        # (in scope)
  namespace: project-PROJECTNAME             # (in scope)
  templateVersion: 0.0.1                     # end user given, they can update their templates
  templateEngineVersion: 0.0.1               # set by us, indicates format version
  descriptionText: This is a Template that empowers users of organization ABC   # (in scope)
  # namespace: project-PROJECTNAME--ws-WORKSPACENAME   # (out of scope) (in scope: globally available)
spec:
  meta:
    name:
      prefix: optional                       # (in scope)
      suffix: optional                       # (in scope)
      validationRegex: optional              # (out of scope)
      validationMessage: optional            # required in combination with regex (out of scope)
    displayName:
      prefix: optional                       # (in scope)
      suffix: optional                       # (in scope)
      validationRegex: optional              # (out of scope)
      validationMessage: optional            # required in combination with regex (out of scope)
    chargingTarget:
      type: optional | enforced              # overrides the forms, make it disabled (in scope)
      value: optional                        # overrides the forms, make it disabled (in scope)
  spec:
    authentication:                          # (out of scope)
      system:                                # maybe: openmcp (out of scope; also we want to improve the notation here)
        enabled: true                        # optional, is the predefined value (out of scope)
        changeable: true                     # optional, default=true (out of scope)
        allowAdd: true                       # optional, default=true (out of scope)
      customIDPs:                            # (out of scope)
        custom1:
          removable: true                    # optional, default=false
        custom2:
          # ...
    authorization:                           # (in scope)
      default:                               # (in scope)
        - name: openmcp:[email protected]
          kind: User | ServiceAccount        # (in scope)
          namespace:                         # (in scope)
          role: admin | viewer               # (in scope)
          removable: true                    # optional, default=false (out of scope)
      allowAdd: true                         # optional, default=true (in scope)
      allow:                                 # (out of scope)
        members:
          - openmcp:[email protected]
        prefix:                              # (out of scope)
          - "johannes"                       ## stupid example - only johanneesses are allowed
        suffix:                              # (out of scope)
          - "@neonephos.eu"                  ## only allow
      disallow:                              # (out of scope)
        members:
          - openmcp:[email protected]
        prefix:                              # (out of scope)
          - "johannes"                       ## stupid example - only johanneesses are disallowed
        suffix:                              # (out of scope)
          - "@neonephos.eu"                  ## disallowed
    components:                              # (in scope)
      default:                               # (in scope)
        - name: crossplane
          version: v0.4.0
          removable: true                    # optional, default=true
          versionChangeable: true            # optional, default=true
        - name: provider-btp
          version: v0.4.0
          removable: true                    # optional, default=true
          versionChangeable: true            # optional, default=true
        - name: external-secrets
          version: v0.4.0
          removable: true                    # optional, default=true
          versionChangeable: true            # optional, default=true
      allow:                                 # (out of scope)
        - name: crossplane
          version:
            - "v0.2.0 < v0.3.0"
            - "v0.4.0"
      deny:                                  # (out of scope)
        - name: provider-btp
          version:
            - ">v0.2.0"
```
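The template only has security value if its rules are enforced where the MCP is actually created, not just prefilled in the wizard: a client that calls the API directly must be rejected the same way. The following is an added example, not code from openMCP or kro, showing what such a server-side check of the in-scope rules could look like. The types (`Template`, `MCPRequest`, `Member`, `Component`) are a hypothetical, simplified mirror of the fields above, and the template and requests are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical, simplified mirror of the in-scope template fields from the
// issue (name prefix/suffix, enforced chargingTarget, default authorization,
// default components). Not the real CRD types of openMCP.
type NameRule struct{ Prefix, Suffix string }
type ChargingTargetRule struct{ Type, Value string } // Type: "optional" | "enforced"
type Member struct {
	Name, Kind, Role string // Kind: User | ServiceAccount, Role: admin | viewer
	Removable        bool
}
type Component struct {
	Name, Version                string
	Removable, VersionChangeable bool
}
type Template struct {
	Name              NameRule
	ChargingTarget    ChargingTargetRule
	DefaultMembers    []Member
	AllowAdd          bool
	DefaultComponents []Component
}

// MCPRequest is what the wizard (or a direct API client) submits.
type MCPRequest struct {
	Name, ChargingTarget string
	Members              []Member
	Components           []Component
}

// Validate returns every template rule the request violates; an empty
// result means the request may become a ManagedControlPlane.
func Validate(t Template, r MCPRequest) []string {
	var errs []string
	if !strings.HasPrefix(r.Name, t.Name.Prefix) || !strings.HasSuffix(r.Name, t.Name.Suffix) {
		errs = append(errs, fmt.Sprintf("name %q must match %s<name>%s", r.Name, t.Name.Prefix, t.Name.Suffix))
	}
	if t.ChargingTarget.Type == "enforced" && r.ChargingTarget != t.ChargingTarget.Value {
		errs = append(errs, fmt.Sprintf("chargingTarget must be %q", t.ChargingTarget.Value))
	}
	got := map[string]Member{}
	for _, m := range r.Members {
		got[m.Name] = m
	}
	isDefault := map[string]bool{}
	for _, d := range t.DefaultMembers {
		isDefault[d.Name] = true
		// A non-removable default must survive with its template role intact.
		if m, ok := got[d.Name]; !d.Removable && (!ok || m.Role != d.Role) {
			errs = append(errs, fmt.Sprintf("authorization: %s must keep role %s", d.Name, d.Role))
		}
	}
	if !t.AllowAdd {
		for _, m := range r.Members {
			if !isDefault[m.Name] {
				errs = append(errs, fmt.Sprintf("authorization: adding %s is not allowed", m.Name))
			}
		}
	}
	gotC := map[string]Component{}
	for _, c := range r.Components {
		gotC[c.Name] = c
	}
	for _, d := range t.DefaultComponents {
		c, ok := gotC[d.Name]
		switch {
		case !ok && !d.Removable:
			errs = append(errs, fmt.Sprintf("component %s cannot be removed", d.Name))
		case ok && !d.VersionChangeable && c.Version != d.Version:
			errs = append(errs, fmt.Sprintf("component %s is pinned to %s", d.Name, d.Version))
		}
	}
	return errs
}

// SampleTemplate is constructed sample data standing in for a ManagedControlPlaneTemplate.
func SampleTemplate() Template {
	return Template{
		Name:           NameRule{Prefix: "abc-", Suffix: "-mcp"},
		ChargingTarget: ChargingTargetRule{Type: "enforced", Value: "cost-center-1234"},
		DefaultMembers: []Member{{Name: "openmcp:platform-admins", Kind: "User", Role: "admin", Removable: false}},
		AllowAdd:       true,
		DefaultComponents: []Component{
			{Name: "crossplane", Version: "v0.4.0", Removable: false, VersionChangeable: false},
			{Name: "external-secrets", Version: "v0.4.0", Removable: true, VersionChangeable: true},
		},
	}
}

// CompliantRequest keeps the mandatory admin, adds a team member and drops
// the removable external-secrets component.
func CompliantRequest() MCPRequest {
	return MCPRequest{
		Name: "abc-payments-mcp", ChargingTarget: "cost-center-1234",
		Members:    []Member{{Name: "openmcp:platform-admins", Kind: "User", Role: "admin"}, {Name: "openmcp:team-lead", Kind: "User", Role: "admin"}},
		Components: []Component{{Name: "crossplane", Version: "v0.4.0"}},
	}
}

// ViolatingRequest breaks the name rule, omits the enforced charging target,
// drops the mandatory admin and changes a pinned component version.
func ViolatingRequest() MCPRequest {
	return MCPRequest{Name: "payments", Components: []Component{{Name: "crossplane", Version: "v0.5.0"}}}
}

func main() {
	for _, r := range []MCPRequest{CompliantRequest(), ViolatingRequest()} {
		fmt.Printf("%s: %v\n", r.Name, Validate(SampleTemplate(), r))
	}
}
```

The check collects all violations instead of stopping at the first one, so the wizard can show them together, and the same function can sit behind the API (for example in an admission step of the controller that turns a TemplateX resource into a ManagedControlPlane), which is the place where the restriction actually holds.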