@maximiliantech commented Aug 27, 2025

What this PR does / why we need it:
This PR is the continuation of openmcp-project/openmcp-operator#128 and openmcp-project/openmcp-operator#137. It implements the logic to use AccessRequest.spec.roleRefs to create ClusterRoleBindings/RoleBindings that are bound to the AccessRequest's service account.

We need this feature in openmcp-project/service-provider-crossplane#21 so that Flux has cluster-admin permissions (via AccessRequest's service account) to successfully install Crossplane on an MCP.

Which issue(s) this PR fixes:
Fixes openmcp-project/service-provider-crossplane#21

Related openmcp-project/openmcp-operator#128
Related openmcp-project/openmcp-operator#137

Special notes for your reviewer:
NONE

Release note:

Adding support to bind AccessRequest's ServiceAccount to ClusterRoleBindings/RoleBindings via `AccessRequest.spec.roleRefs`

@maximiliantech changed the title from "chore: update openmcp-operator to latest version" to "feat: bind AccessRequest ServiceAccount to existing ClusterRole" Aug 27, 2025
@maximiliantech changed the title from "feat: bind AccessRequest ServiceAccount to existing ClusterRole" to "feat: bind AccessRequest ServiceAccount to existing ClusterRole/Role" Sep 1, 2025
@n3rdc4ptn removed their request for review September 2, 2025 11:01
* bump cluster api dependency

* refactor: adapt to new AccessRequest structure
@maximiliantech marked this pull request as ready for review September 2, 2025 13:25
@maximiliantech merged commit 19011ec into main Sep 2, 2025
7 checks passed
@maximiliantech deleted the feat/accessrequest-rolerefs branch September 2, 2025 13:31
Development

Successfully merging this pull request may close these issues.

MCP Service Account: forbidden to grant Crossplane RBAC permissions
