refactor ManagedControlPlane type and oidc configuration based on recent discussions

Author: Diaphteiros

api/clusters/v1alpha1/accessrequest_types.go

@@ -32,7 +32,16 @@ type AccessRequestSpec struct {
 	RequestRef *commonapi.ObjectReference `json:"requestRef,omitempty"`
 
 	// Permissions are the requested permissions.
-	Permissions []PermissionsRequest `json:"permissions"`
+	// If not empty, corresponding Roles and ClusterRoles will be created in the target cluster, potentially also creating namespaces for Roles.
+	// For token-based access, the serviceaccount will be bound to the created Roles and ClusterRoles.
+	// +optional
+	Permissions []PermissionsRequest `json:"permissions,omitempty"`
+
+	// OIDCProvider is a configuration for an OIDC provider that should be used for authentication and associated role bindings.
+	// If set, the handling ClusterProvider will create an OIDC-based access for the AccessRequest, if supported.
+	// Otherwise, a serviceaccount with a token will be created and bound to the requested permissions.
+	// +optional
+	OIDCProvider *commonapi.OIDCProviderConfig `json:"oidcProvider,omitempty"`
 }
 
 type PermissionsRequest struct {

api/clusters/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,2 @@
+// +kubebuilder:object:generate=true
+package common

api/common/doc.go

@@ -0,0 +1,90 @@
+package common
+
+import (
+	"strings"
+
+	rbacv1 "k8s.io/api/rbac/v1"
+)
+
+type OIDCProviderConfig struct {
+	// Name is the name of the OIDC provider.
+	// May be used in k8s resources, therefore has to be a valid k8s name.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:Pattern=`[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*`
+	Name string `json:"name"`
+
+	// Issuer is the issuer URL of the OIDC provider.
+	Issuer string `json:"issuer"`
+
+	// ClientID is the client ID to use for the OIDC provider.
+	ClientID string `json:"clientID"`
+
+	// GroupsClaim is the claim in the OIDC token that contains the groups.
+	// If empty, the default claim "groups" will be used.
+	// +kubebuilder:default="groups"
+	// +optional
+	GroupsClaim string `json:"groupsClaim"`
+
+	// UsernameClaim is the claim in the OIDC token that contains the username.
+	// If empty, the default claim "sub" will be used.
+	// +kubebuilder:default="sub"
+	// +optional
+	UsernameClaim string `json:"usernameClaim"`
+
+	// UsernamePrefix is a prefix that will be added to all usernames when referenced in RBAC rules.
+	// This is required to avoid conflicts with Kubernetes built-in users.
+	// If the prefix does not end with a colon (:), it will be added automatically.
+	// +kubebuilder:validation:MinLength=1
+	UsernamePrefix string `json:"usernamePrefix"`
+
+	// RoleBindings is a list of subjects with (cluster) role bindings that should be created for them.
+	// Note that the username prefix is added automatically to the subjects' names, it must not be explicitly specified here.
+	RoleBindings []RoleBindings `json:"roleBindings"`
+}
+
+type RoleBindings struct {
+	// Subjects is a list of subjects that should be bound to the specified roles.
+	// The subjects' names will be prefixed with the username prefix of the OIDC provider.
+	Subjects []rbacv1.Subject `json:"subjects"`
+
+	// RoleRefs is a list of (cluster) role references that the subjects should be bound to.
+	// Note that existence of the roles is not checked and missing (cluster) roles will result in ineffective (cluster) role bindings.
+	RoleRefs []RoleRef `json:"roleRefs"`
+}
+
+// +kubebuilder:validation:XValidation:rule="self.kind == 'Role' && has(self.namespace) && self.namespace != ”", message="namespace must be set if kind is 'Role'"
+// +kubebuilder:validation:XValidation:rule="self.kind == 'ClusterRole' && (!has(self.namespace) || self.namespace == ”)", message="namespace must not be set if kind is 'ClusterRole'"
+type RoleRef struct {
+	// Name is the name of the role or cluster role to bind to the subjects.
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+
+	// Namespace is the namespace of the role to bind to the subjects.
+	// It must be set if the kind is 'Role' and may not be set if the kind is 'ClusterRole'.
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+
+	// Kind is the kind of the role to bind to the subjects.
+	// It must be 'Role' or 'ClusterRole'.
+	// +kubebuilder:validation:Enum=Role;ClusterRole
+	Kind string `json:"kind"`
+}
+
+// Default sets default values for the OIDCProviderConfig.
+// Modifies in-place and returns the receiver for chaining.
+func (o *OIDCProviderConfig) Default() *OIDCProviderConfig {
+	if o == nil {
+		return nil
+	}
+	if o.GroupsClaim == "" {
+		o.GroupsClaim = "groups"
+	}
+	if o.UsernameClaim == "" {
+		o.UsernameClaim = "sub"
+	}
+	if !strings.HasSuffix(o.UsernamePrefix, ":") {
+		o.UsernamePrefix += ":"
+	}
+	return o
+}

api/common/oidc_types.go

@@ -11,8 +11,6 @@ const (
 	StatusPhaseTerminating = "Terminating"
 )
 
-// +kubebuilder:object:generate=true
-
 // Status represents the status of an openMCP resource.
 type Status struct {
 	// ObservedGeneration is the generation of this resource that was last reconciled by the controller.

api/common/status_types.go

@@ -0,0 +1,6 @@
+package v2alpha1
+
+const (
+	// DefaultOIDCProviderName is the identifier for the default OIDC provider.
+	DefaultOIDCProviderName = "default"
+)