feat: MCPv2 controller

README.md

@@ -124,25 +124,33 @@ spec:
     name: my-cluster
     namespace: default
 
-  permissions:
-    # Role
-    - namespace: default
-      rules:
-        - apiGroups:
-            - ""
-          resources:
-            - "secrets"
-          verbs:
-            - "*"
-    # ClusterRole
-    - rules:
-        - apiGroups:
-            - ""
-          resources:
-            - "configmaps"
-          verbs:
-            - "*"
-
+  token:
+    permissions:
+      # Role + RoleBinding
+      - namespace: default
+        rules:
+          - apiGroups:
+              - ""
+            resources:
+              - "secrets"
+            verbs:
+              - "*"
+      # ClusterRole + ClusterRoleBinding
+      - rules:
+          - apiGroups:
+              - ""
+            resources:
+              - "configmaps"
+            verbs:
+              - "*"
+    roleRefs:
+      # bind to existing Role
+      - kind: Role
+        name: my-role
+        namespace: my-namespace
+      # bind to existing ClusterRole
+      - kind: ClusterRole
+        name: cluster-admin
 ```
 
 This will result in a `ServiceAccount` on the referenced `Cluster` with the specified permissions applied.

api/clusters/v1alpha1/cluster_types.go

@@ -130,8 +130,8 @@ func (c *Cluster) GetTenancyCount() int {
 func (c *Cluster) GetRequestUIDs() sets.Set[string] {
 	res := sets.New[string]()
 	for _, fin := range c.Finalizers {
-		if strings.HasPrefix(fin, RequestFinalizerOnClusterPrefix) {
-			res.Insert(strings.TrimPrefix(fin, RequestFinalizerOnClusterPrefix))
+		if uid, ok := strings.CutPrefix(fin, RequestFinalizerOnClusterPrefix); ok {
+			res.Insert(uid)
 		}
 	}
 	return res

api/clusters/v1alpha1/constants.go

@@ -84,13 +84,16 @@ const (
 	// SecretKeyCreationTimestamp is the name of the key in the AccessRequest secret that contains the creation timestamp.
 	// This value is optional and must not be set for non-expiring authentication methods.
 	SecretKeyCreationTimestamp = "creationTimestamp"
-	// SecretKeyCAData is the name of the key in the AccessRequest secret that contains the CA data.
-	// This value is optional and must not be set.
-	SecretKeyCAData = "caData"
-	// SecretKeyHost is the name of the key in the AccessRequest secret that contains the host.
-	// This value is optional and must not be set.
-	SecretKeyHost = "host"
 	// SecretKeyClientID is the name of the key in the AccessRequest secret that contains the client ID.
 	// This value is optional and must not be set for non-OIDC-based authentication methods.
 	SecretKeyClientID = "clientID"
+	// SecretKeyHost is the name of the key in the AccessRequest secret that contains the host of the cluster.
+	// This value is optional.
+	SecretKeyHost = "host"
+	// SecretKeyCA is the name of the key in the AccessRequest secret that contains the CA certificate of the cluster.
+	// This value is optional.
+	SecretKeyCA = "ca.crt"
+	// SecretKeyToken is the name of the key in the AccessRequest secret that contains the token.
+	// This value is optional.
+	SecretKeyToken = "token"
 )

api/clusters/v1alpha1/constants/reasons.go

@@ -11,4 +11,18 @@ const (
 	ReasonConfigurationProblem = "ConfigurationProblem"
 	// ReasonInternalError indicates that something went wrong internally.
 	ReasonInternalError = "InternalError"
+	// ReasonWaitingForNamespaceDeletion indicates that something is waiting for a namespace to be deleted.
+	ReasonWaitingForNamespaceDeletion = "WaitingForNamespaceDeletion"
+	// ReasonWaitingForClusterRequest indicates that something is waiting for a ClusterRequest to become ready.
+	ReasonWaitingForClusterRequest = "WaitingForClusterRequest"
+	// ReasonWaitingForClusterRequestDeletion indicates that something is waiting for a ClusterRequest to be deleted.
+	ReasonWaitingForClusterRequestDeletion = "WaitingForClusterRequestDeletion"
+	// ReasonWaitingForAccessRequest indicates that something is waiting for an AccessRequest to become ready.
+	ReasonWaitingForAccessRequest = "WaitingForAccessRequest"
+	// ReasonWaitingForAccessRequestDeletion indicates that something is waiting for an AccessRequest to be deleted.
+	ReasonWaitingForAccessRequestDeletion = "WaitingForAccessRequestDeletion"
+	// ReasonWaitingForServices indicates that something is waiting for one or more service providers to do something.
+	ReasonWaitingForServices = "WaitingForServices"
+	// ReasonWaitingForServiceDeletion indicates that something is waiting for a service to be deleted.
+	ReasonWaitingForServiceDeletion = "WaitingForServiceDeletion"
 )

api/core/v2alpha1/constants.go

@@ -3,4 +3,29 @@ package v2alpha1
 const (
 	// DefaultOIDCProviderName is the identifier for the default OIDC provider.
 	DefaultOIDCProviderName = "default"
+	// DefaultMCPClusterPurpose is the default purpose for ManagedControlPlane clusters.
+	DefaultMCPClusterPurpose = "mcp"
+)
+
+const (
+	MCPNameLabel      = GroupName + "/mcp-name"
+	MCPNamespaceLabel = GroupName + "/mcp-namespace"
+	OIDCProviderLabel = GroupName + "/oidc-provider"
+
+	MCPFinalizer = GroupName + "/mcp"
+
+	// ServiceDependencyFinalizerPrefix is the prefix for the dependency finalizers that are added to MCP resources by associated services.
+	ServiceDependencyFinalizerPrefix = "services.openmcp.cloud/"
+	// ClusterRequestFinalizerPrefix is the prefix for the finalizers that are added to MCP resources for cluster requests.
+	ClusterRequestFinalizerPrefix = "request.clusters.openmcp.cloud/"
+)
+
+const (
+	ConditionMeta = "Meta"
+
+	ConditionClusterRequestReady       = "ClusterRequestReady"
+	ConditionPrefixOIDCAccessReady     = "OIDCAccessReady:"
+	ConditionAllAccessReady            = "AllAccessReady"
+	ConditionAllServicesDeleted        = "AllServicesDeleted"
+	ConditionAllClusterRequestsDeleted = "AllClusterRequestsDeleted"
 )

api/core/v2alpha1/groupversion_info.go

@@ -7,9 +7,11 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/scheme"
 )
 
+const GroupName = "core.openmcp.cloud"
+
 var (
 	// GroupVersion is group version used to register these objects
-	GroupVersion = schema.GroupVersion{Group: "core.openmcp.cloud", Version: "v2alpha1"}
+	GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v2alpha1"}
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

api/core/v2alpha1/managedcontrolplane_types.go

@@ -18,7 +18,8 @@ type ManagedControlPlaneV2Status struct {
 	// Each referenced secret is expected to contain a 'kubeconfig' key with the kubeconfig that was generated for the respective OIDC provider for the ManagedControlPlaneV2.
 	// The default OIDC provider, if configured, uses the name "default" in this mapping.
 	// The "default" key is also used if the ClusterProvider does not support OIDC-based access and created a serviceaccount with a token instead.
-	Access map[string]commonapi.LocalObjectReference `json:"access"`
+	// +optional
+	Access map[string]commonapi.LocalObjectReference `json:"access,omitempty"`
 }
 
 type IAMConfig struct {