feat: support token auth for ManagedControlPlaneV2

api/core/v2alpha1/constants.go

@@ -11,6 +11,7 @@ const (
 	MCPNameLabel            = GroupName + "/mcp-name"
 	MCPNamespaceLabel       = GroupName + "/mcp-namespace"
 	OIDCProviderLabel       = GroupName + "/oidc-provider"
+	TokenProviderLabel      = GroupName + "/token-provider"
 	MCPPurposeOverrideLabel = GroupName + "/purpose"
 
 	// ManagedPurposeMCPPurposeOverride is used as value for the managed purpose label. It must not be modified.
@@ -32,8 +33,13 @@ const (
 	ConditionClusterRequestReady       = "ClusterRequestReady"
 	ConditionClusterConditionsSynced   = "ClusterConditionsSynced"
 	ConditionPrefixClusterCondition    = "Cluster."
-	ConditionPrefixOIDCAccessReady     = "OIDCAccessReady."
+	ConditionPrefixAccessReady         = "AccessReady."
 	ConditionAllAccessReady            = "AllAccessReady"
 	ConditionAllServicesDeleted        = "AllServicesDeleted"
 	ConditionAllClusterRequestsDeleted = "AllClusterRequestsDeleted"
 )
+
+const (
+	OIDCNamePrefix  = "oidc:"
+	TokenNamePrefix = "token:"
+)

api/core/v2alpha1/managedcontrolplane_types.go

@@ -3,6 +3,8 @@ package v2alpha1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	clustersv1alpha1 "github.com/openmcp-project/openmcp-operator/api/clusters/v1alpha1"
+
 	commonapi "github.com/openmcp-project/openmcp-operator/api/common"
 )
 
@@ -11,28 +13,48 @@ type ManagedControlPlaneV2Spec struct {
 	IAM IAMConfig `json:"iam"`
 }
 
-type ManagedControlPlaneV2Status struct {
-	commonapi.Status `json:",inline"`
+type IAMConfig struct {
+	// Tokens is a list of token-based access configurations.
+	// +optional
+	Tokens []TokenConfig `json:"tokens,omitempty"`
+	// OIDC is the OIDC-based access configuration.
+	OIDC *OIDCConfig `json:"oidc,omitempty"`
+}
 
-	// Access is a mapping from OIDC provider names to secret references.
-	// Each referenced secret is expected to contain a 'kubeconfig' key with the kubeconfig that was generated for the respective OIDC provider for the ManagedControlPlaneV2.
-	// The default OIDC provider, if configured, uses the name "default" in this mapping.
-	// The "default" key is also used if the ClusterProvider does not support OIDC-based access and created a serviceaccount with a token instead.
+type OIDCConfig struct {
+	// DefaultProvider is the standard OIDC provider that is enabled for all ManagedControlPlaneV2 resources.
+	DefaultProvider DefaultProviderConfig `json:"defaultProvider,omitempty"`
+	// ExtraProviders is a list of OIDC providers that should be configured for the ManagedControlPlaneV2.
+	// They are independent of the standard OIDC provider and in addition to it, unless it has been disabled by not specifying any role bindings.
 	// +optional
-	Access map[string]commonapi.LocalObjectReference `json:"access,omitempty"`
+	ExtraProviders []commonapi.OIDCProviderConfig `json:"extraProviders,omitempty"`
 }
 
-type IAMConfig struct {
+type DefaultProviderConfig struct {
 	// RoleBindings is a list of subjects with (cluster) role bindings that should be created for them.
 	// These bindings refer to the standard OIDC provider. If empty, the standard OIDC provider is disabled.
 	// Note that the username prefix is added automatically to the subjects' names, it must not be explicitly specified here.
 	// +optional
 	RoleBindings []commonapi.RoleBindings `json:"roleBindings,omitempty"`
+}
 
-	// OIDCProviders is a list of OIDC providers that should be configured for the ManagedControlPlaneV2.
-	// They are independent of the standard OIDC provider and in addition to it, unless it has been disabled by not specifying any role bindings.
+type TokenConfig struct {
+	// Name is the name of this token configuration.
+	// It is used to generate a secret name and must be unique among all token configurations in the same ManagedControlPlaneV2.
+	// +kubebuilder:validation:minLength=1
+	Name                         string `json:"name"`
+	clustersv1alpha1.TokenConfig `json:",inline"`
+}
+
+type ManagedControlPlaneV2Status struct {
+	commonapi.Status `json:",inline"`
+
+	// Access is a mapping from OIDC provider names to secret references.
+	// Each referenced secret is expected to contain a 'kubeconfig' key with the kubeconfig that was generated for the respective OIDC provider for the ManagedControlPlaneV2.
+	// The default OIDC provider, if configured, uses the name "default" in this mapping.
+	// The "default" key is also used if the ClusterProvider does not support OIDC-based access and created a serviceaccount with a token instead.
 	// +optional
-	OIDCProviders []*commonapi.OIDCProviderConfig `json:"oidcProviders,omitempty"`
+	Access map[string]commonapi.LocalObjectReference `json:"access,omitempty"`
 }
 
 // +kubebuilder:object:root=true