make accessrequests fail when referencing preemptive clusterrequests

Author: Diaphteiros

api/clusters/v1alpha1/constants/reasons.go

@@ -11,4 +11,6 @@ const (
 	ReasonConfigurationProblem = "ConfigurationProblem"
 	// ReasonInternalError indicates that something went wrong internally.
 	ReasonInternalError = "InternalError"
+	// ReasonPreemptiveRequest indicates that the ClusterRequest is preemptive and AccessRequests referencing it are denied.
+	ReasonPreemptiveRequest = "PreemptiveRequest"
 )

internal/controllers/accessrequest/controller.go

@@ -53,6 +53,9 @@ func (r *AccessRequestReconciler) Reconcile(ctx context.Context, req reconcile.R
 		WithFieldOverride(ctrlutils.STATUS_FIELD_PHASE, "Phase").
 		WithoutFields(ctrlutils.STATUS_FIELD_CONDITIONS).
 		WithPhaseUpdateFunc(func(obj *clustersv1alpha1.AccessRequest, rr ReconcileResult) (clustersv1alpha1.RequestPhase, error) {
+			if rr.Reason == cconst.ReasonPreemptiveRequest {
+				return clustersv1alpha1.REQUEST_DENIED, nil
+			}
 			return clustersv1alpha1.REQUEST_PENDING, nil
 		}).
 		Build().
@@ -112,6 +115,11 @@ func (r *AccessRequestReconciler) reconcile(ctx context.Context, req reconcile.R
 			rr.ReconcileError = errutils.WithReason(fmt.Errorf("unable to get ClusterRequest '%s/%s': %w", cr.Namespace, cr.Name, err), cconst.ReasonPlatformClusterInteractionProblem)
 			return rr
 		}
+		if cr.Spec.Preemptive {
+			rr.Reason = cconst.ReasonPreemptiveRequest
+			rr.Message = "The referenced ClusterRequest is preemptive and access cannot be granted."
+			return rr
+		}
 		if cr.Status.Phase != clustersv1alpha1.REQUEST_GRANTED {
 			rr.ReconcileError = errutils.WithReason(fmt.Errorf("ClusterRequest '%s/%s' is not granted", cr.Namespace, cr.Name), cconst.ReasonInvalidReference)
 			return rr

internal/controllers/accessrequest/controller_test.go

@@ -145,4 +145,21 @@ var _ = Describe("AccessRequest Controller", func() {
 		Expect(ar.Spec.ClusterRef).To(BeNil())
 	})
 
+	It("should deny the AccessRequest, if it references a preemptive ClusterRequest", func() {
+		env := testutils.NewEnvironmentBuilder().WithFakeClient(scheme).WithInitObjectPath("testdata", "test-01").WithReconcilerConstructor(arReconciler).Build()
+		ar := &clustersv1alpha1.AccessRequest{}
+		Expect(env.Client().Get(env.Ctx, ctrlutils.ObjectKey("mcr-access-p", "bar"), ar)).To(Succeed())
+		Expect(ar.Labels).ToNot(HaveKey(clustersv1alpha1.ProviderLabel))
+		Expect(ar.Labels).ToNot(HaveKey(clustersv1alpha1.ProfileLabel))
+		Expect(ar.Spec.ClusterRef).To(BeNil())
+		env.ShouldReconcile(testutils.RequestFromObject(ar))
+		Expect(env.Client().Get(env.Ctx, client.ObjectKeyFromObject(ar), ar)).To(Succeed())
+		Expect(ar.Status.Phase).To(Equal(clustersv1alpha1.REQUEST_DENIED))
+		Expect(ar.Status.Reason).To(Equal(cconst.ReasonPreemptiveRequest))
+		Expect(ar.Status.Message).To(ContainSubstring("preemptive"))
+		Expect(ar.Labels).ToNot(HaveKey(clustersv1alpha1.ProviderLabel))
+		Expect(ar.Labels).ToNot(HaveKey(clustersv1alpha1.ProfileLabel))
+		Expect(ar.Spec.ClusterRef).To(BeNil())
+	})
+
 })

internal/controllers/accessrequest/testdata/test-01/accessrequest-indirect-p.yaml

@@ -0,0 +1,17 @@
+apiVersion: clusters.openmcp.cloud/v1alpha1
+kind: AccessRequest
+metadata:
+  name: mcr-access-p
+  namespace: bar
+spec:
+  requestRef:
+    name: my-cluster-p
+    namespace: foo
+  permissions:
+  - rules:
+    - apiGroups:
+      - "*"
+      resources:
+      - "*"
+      verbs:
+      - "*"

internal/controllers/accessrequest/testdata/test-01/clusterrequest-p.yaml

@@ -0,0 +1,10 @@
+apiVersion: clusters.openmcp.cloud/v1alpha1
+kind: ClusterRequest
+metadata:
+  name: my-cluster-p
+  namespace: foo
+spec:
+  purpose: test
+  preemptive: true
+status:
+  phase: Granted