add ManagedControlPlane type

Diaphteiros · Diaphteiros · commit 5dd409f6baea · 2025-08-28T10:07:36.000+02:00
diff --git a/api/core/v2alpha1/managedcontrolplane_auth.go b/api/core/v2alpha1/managedcontrolplane_auth.go
@@ -0,0 +1,76 @@
+package v2alpha1
+
+import (
+	commonapi "github.com/openmcp-project/openmcp-operator/api/common"
+)
+
+// AuthenticationConfiguration contains the configuration for the enabled OpenID Connect identity providers
+type AuthenticationConfiguration struct {
+	// +kubebuilder:validation:Optional
+	EnableSystemIdentityProvider *bool `json:"enableSystemIdentityProvider"`
+	// +kubebuilder:validation:Optional
+	IdentityProviders []IdentityProvider `json:"identityProviders,omitempty"`
+}
+
+// IdentityProvider contains the configuration for an OpenID Connect identity provider
+type IdentityProvider struct {
+	// Name is the name of the identity provider.
+	// The name must be unique among all identity providers.
+	// The name must only contain lowercase letters.
+	// The length must not exceed 63 characters.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MaxLength=63
+	// +kubebuilder:validation:Pattern=`^[a-z]+$`
+	Name string `json:"name"`
+	// IssuerURL is the issuer URL of the identity provider.
+	// +kubebuilder:validation:Required
+	IssuerURL string `json:"issuerURL"`
+	// ClientID is the client ID of the identity provider.
+	// +kubebuilder:validation:Required
+	ClientID string `json:"clientID"`
+	// UsernameClaim is the claim that contains the username.
+	// +kubebuilder:validation:Required
+	UsernameClaim string `json:"usernameClaim"`
+	// GroupsClaim is the claim that contains the groups.
+	// +kubebuilder:validation:Optional
+	GroupsClaim string `json:"groupsClaim"`
+	// CABundle: When set, the OpenID server's certificate will be verified by one of the authorities in the bundle.
+	// Otherwise, the host's root CA set will be used.
+	// +kubebuilder:validation:Optional
+	CABundle string `json:"caBundle,omitempty"`
+	// SigningAlgs is the list of allowed JOSE asymmetric signing algorithms.
+	// +kubebuilder:validation:Optional
+	SigningAlgs []string `json:"signingAlgs,omitempty"`
+	// RequiredClaims is a map of required claims. If set, the identity provider must provide these claims in the ID token.
+	// +kubebuilder:validation:Optional
+	RequiredClaims map[string]string `json:"requiredClaims,omitempty"`
+
+	// ClientAuthentication contains configuration for OIDC clients
+	// +kubebuilder:validation:Optional
+	ClientConfig ClientAuthenticationConfig `json:"clientConfig,omitempty"`
+}
+
+// ClientAuthenticationConfig contains configuration for OIDC clients
+type ClientAuthenticationConfig struct {
+	// ClientSecret is a references to a secret containing the client secret.
+	// The client secret will be added to the generated kubeconfig with the "--oidc-client-secret" flag.
+	// +kubebuilder:validation:Optional
+	ClientSecret *commonapi.LocalSecretReference `json:"clientSecret,omitempty"`
+	// ExtraConfig is added to the client configuration in the kubeconfig.
+	// Can either be a single string value, a list of string values or no value.
+	// Must not contain any of the following keys:
+	// - "client-id"
+	// - "client-secret"
+	// - "issuer-url"
+	//
+	// +kubebuilder:validation:Optional
+	ExtraConfig map[string]SingleOrMultiStringValue `json:"extraConfig,omitempty"`
+}
+
+// SingleOrMultiStringValue is a type that can hold either a single string value or a list of string values.
+type SingleOrMultiStringValue struct {
+	// Value is a single string value.
+	Value string `json:"value,omitempty"`
+	// Values is a list of string values.
+	Values []string `json:"values,omitempty"`
+}
diff --git a/api/core/v2alpha1/managedcontrolplane_authz.go b/api/core/v2alpha1/managedcontrolplane_authz.go
@@ -0,0 +1,47 @@
+package v2alpha1
+
+import (
+	rbacv1 "k8s.io/api/rbac/v1"
+)
+
+type AuthorizationConfiguration struct {
+	// Members is a list of members with their assigned roles.
+	Members []Member `json:"members,omitempty"`
+}
+
+type Member struct {
+	Subject `json:",inline"`
+
+	// Roles is a list of roles assigned to the subject.
+	Roles []string `json:"roles,omitempty"`
+}
+
+// Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+// or a value for non-objects such as user and group names.
+// +kubebuilder:validation:XValidation:rule="self.kind == 'ServiceAccount' || !has(self.__namespace__)",message="Namespace must not be specified if Kind is User or Group"
+// +kubebuilder:validation:XValidation:rule="self.kind != 'ServiceAccount' || has(self.__namespace__)",message="Namespace is required for ServiceAccount"
+type Subject struct {
+	// Kind of object being referenced. Can be "User", "Group", or "ServiceAccount".
+	// +kubebuilder:validation:Enum=User;Group;ServiceAccount
+	Kind string `json:"kind"`
+
+	// Name of the object being referenced.
+	Name string `json:"name"`
+
+	// Namespace of the referenced object. Required if Kind is "ServiceAccount". Must not be specified if Kind is "User" or "Group".
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// RbacV1 converts the Subject to a Kubernetes RBAC v1 Subject.
+func (s Subject) RbacV1() rbacv1.Subject {
+	rs := rbacv1.Subject{
+		Kind:      s.Kind,
+		Name:      s.Name,
+		Namespace: s.Namespace,
+	}
+	if s.Kind != rbacv1.ServiceAccountKind {
+		rs.APIGroup = rbacv1.GroupName
+	}
+	return rs
+}
diff --git a/api/core/v2alpha1/zz_generated.deepcopy.go b/api/core/v2alpha1/zz_generated.deepcopy.go
