feat(draft): add AddAccessRequest API

Author: maximiliantech

Taskfile.yaml

@@ -2,9 +2,9 @@ version: 3
 
 vars:
   NESTED_MODULES: api
-  API_DIRS: '{{.ROOT_DIR}}/api/v1alpha1/...'
+  API_DIRS: '{{.ROOT_DIR}}/api/...'
   MANIFEST_OUT: '{{.ROOT_DIR}}/config/crd/bases'
-  CODE_DIRS: '{{.ROOT_DIR}}/cmd/... {{.ROOT_DIR}}/internal/... {{.ROOT_DIR}}/api/v1alpha1/...'
+  CODE_DIRS: '{{.ROOT_DIR}}/cmd/... {{.ROOT_DIR}}/internal/... {{.ROOT_DIR}}/api/...'
   COMPONENTS: 'cluster-provider-kind'
   REPO_NAME: 'https://github.com/openmcp-project/cluster-provider-kind'
   GENERATE_DOCS_INDEX: "false"

api/clusters/v1alpha1/accessrequest_types.go

@@ -0,0 +1,113 @@
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	apimachinery "k8s.io/apimachinery/pkg/types"
+)
+
+type RequestPhase string
+
+const (
+	// AccessRequestPending is the phase if the AccessRequest has not been scheduled yet.
+	AccessRequestPending RequestPhase = "Pending"
+	// AccessRequestGranted is the phase if the AccessRequest has been granted.
+	AccessRequestGranted RequestPhase = "Granted"
+)
+
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.clusterRef) || has(self.clusterRef)", message="clusterRef may not be removed once set"
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.requestRef) || has(self.requestRef)", message="requestRef may not be removed once set"
+type AccessRequestSpec struct {
+	// ClusterRef is the reference to the Cluster for which access is requested.
+	// If set, requestRef will be ignored.
+	// This value is immutable.
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="clusterRef is immutable"
+	// +optional
+	ClusterRef *ObjectReference `json:"clusterRef,omitempty"`
+
+	// RequestRef is the reference to the ClusterRequest for whose Cluster access is requested.
+	// Is ignored if clusterRef is set.
+	// This value is immutable.
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="requestRef is immutable"
+	// +optional
+	RequestRef *ObjectReference `json:"requestRef,omitempty"`
+
+	// Permissions are the requested permissions.
+	Permissions []PermissionsRequest `json:"permissions"`
+}
+
+type PermissionsRequest struct {
+	// Namespace is the namespace for which the permissions are requested.
+	// If empty, this will result in a ClusterRole, otherwise in a Role in the respective namespace.
+	// Note that for a Role, the namespace needs to either exist or a permission to create it must be included in the requested permissions (it will be created automatically then), otherwise the request will be rejected.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+
+	// Rules are the requested RBAC rules.
+	Rules []rbacv1.PolicyRule `json:"rules"`
+}
+
+// AccessRequestStatus defines the observed state of AccessRequest
+type AccessRequestStatus struct {
+	// Conditions contains the conditions.
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// Phase is the current phase of the request.
+	// +kubebuilder:default=Pending
+	// +kubebuilder:validation:Enum=Pending;Granted;Denied
+	Phase RequestPhase `json:"phase"`
+
+	// SecretRef holds the reference to the secret that contains the actual credentials.
+	SecretRef *SecretReference `json:"secretRef,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:shortName=ar;areq
+// +kubebuilder:metadata:labels="openmcp.cloud/cluster=platform"
+// +kubebuilder:selectablefield:JSONPath=".status.phase"
+// +kubebuilder:printcolumn:JSONPath=".status.phase",name="Phase",type=string
+
+// AccessRequest is the Schema for the accessrequests API
+type AccessRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   AccessRequestSpec   `json:"spec,omitempty"`
+	Status AccessRequestStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// AccessRequestList contains a list of AccessRequest
+type AccessRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []AccessRequest `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&AccessRequest{}, &AccessRequestList{})
+}
+
+// ObjectReference is a reference to an object in any namespace.
+type ObjectReference apimachinery.NamespacedName
+
+// LocalObjectReference is a reference to an object in the same namespace as the resource referencing it.
+type LocalObjectReference corev1.LocalObjectReference
+
+// SecretReference is a reference to a secret in any namespace with a key.
+type SecretReference struct {
+	ObjectReference `json:",inline"`
+	// Key is the key in the secret to use.
+	Key string `json:"key"`
+}
+
+// LocalSecretReference is a reference to a secret in the same namespace as the resource referencing it with a key.
+type LocalSecretReference struct {
+	LocalObjectReference `json:",inline"`
+	// Key is the key in the secret to use.
+	Key string `json:"key"`
+}

api/v1alpha1/cluster_types.go api/clusters/v1alpha1/cluster_types.goapi/v1alpha1/cluster_types.go renamed to api/clusters/v1alpha1/cluster_types.go

@@ -21,29 +21,6 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
-// Phase is a custom type representing the phase of a cluster.
-type Phase string
-
-// Constants representing the phases of an instance lifecycle.
-const (
-	Pending     Phase = "Pending"
-	Progressing Phase = "Progressing"
-	Ready       Phase = "Ready"
-	Failed      Phase = "Failed"
-	Terminating Phase = "Terminating"
-	Unknown     Phase = "Unknown"
-)
-
-// ClusterConditionType is a custom type representing the condition type of a cluster.
-type ClusterConditionType string
-
-// Constants representing the conditions of a cluster.
-const (
-	ClusterReady ClusterConditionType = "Ready"
-	KindReady    ClusterConditionType = "KindReady"
-	MetalLBReady ClusterConditionType = "MetalLBReady"
-)
-
 // ClusterSpec defines the desired state of Cluster.
 type ClusterSpec struct{}
 
@@ -65,7 +42,7 @@ type ClusterStatus struct {
 	ObservedGeneration int64 `json:"observedGeneration"`
 
 	// +kubebuilder:default=Unknown
-	Phase Phase `json:"phase"`
+	Phase string `json:"phase"`
 
 	// APIServer is the API server endpoint of the cluster.
 	// +optional

api/clusters/v1alpha1/groupversion_info.go

@@ -0,0 +1,36 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the  v1alpha1 API group.
+// +kubebuilder:object:generate=true
+// +groupName=clusters.openmcp.cloud
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects.
+	GroupVersion = schema.GroupVersion{Group: "clusters.openmcp.cloud", Version: "v1alpha1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)