From cd9e72240e052cb076b2ceb067e120a7fd8c1808 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Sch=C3=BCnemann?=
Date: Mon, 29 Sep 2025 13:42:50 +0200
Subject: [PATCH 1/2] fix: token access requests
---
 api/core/v2alpha1/constants.go | 4 +-
 .../controllers/managedcontrolplane/access.go | 18 +++++--
 .../managedcontrolplane/controller_test.go | 53 +++++++++++++++++++
 .../testdata/test-01/onboarding/mcp-03.yaml | 26 +++++++++
 4 files changed, 96 insertions(+), 5 deletions(-)
 create mode 100644 internal/controllers/managedcontrolplane/testdata/test-01/onboarding/mcp-03.yaml
diff --git a/api/core/v2alpha1/constants.go b/api/core/v2alpha1/constants.go
index 7e37122..d879128 100644
--- a/api/core/v2alpha1/constants.go
+++ b/api/core/v2alpha1/constants.go
@@ -40,6 +40,6 @@ const (
 )
 const (
- OIDCNamePrefix = "oidc:"
- TokenNamePrefix = "token:"
+ OIDCNamePrefix = "oidc_"
+ TokenNamePrefix = "token_"
 )
diff --git a/internal/controllers/managedcontrolplane/access.go b/internal/controllers/managedcontrolplane/access.go
index 8c456a2..c79465e 100644
--- a/internal/controllers/managedcontrolplane/access.go
+++ b/internal/controllers/managedcontrolplane/access.go
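Review bot: The new `OIDCNamePrefix`/`TokenNamePrefix` values replace `:` with `_`, but if these prefixes are used to build Kubernetes object names (the commit title suggests AccessRequest naming), `_` is not permitted by the DNS-1123 rules either, only lowercase alphanumerics, `-` and `.`; this hunk alone cannot show whether the derived name is sanitized or hashed downstream, so it is worth confirming against the consumer in access.go. A doc comment would make the constraint explicit, e.g. `// OIDCNamePrefix and TokenNamePrefix are prepended to the provider name when deriving the AccessRequest name; keep them valid in DNS-1123 names.` Any other consumer that parses or matches on the old prefix (labels, lookups) would need to follow this change, which the diff does not show.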
@@ -90,15 +90,27 @@ func (r *ManagedControlPlaneReconciler) createOrUpdateDesiredAccessRequests(ctx
 // create or update AccessRequests for the ManagedControlPlane
 if mcp.DeletionTimestamp.IsZero() {
- oidcProviders = make([]commonapi.OIDCProviderConfig, 0, len(mcp.Spec.IAM.OIDC.ExtraProviders)+1)
- if r.Config.DefaultOIDCProvider != nil && len(mcp.Spec.IAM.OIDC.DefaultProvider.RoleBindings) > 0 {
+ oidcProvidersLen := 1
+ defaultProviderRoleBindingsLen := 0
+
+ if mcp.Spec.IAM.OIDC != nil {
+ oidcProvidersLen += len(mcp.Spec.IAM.OIDC.ExtraProviders)
+ defaultProviderRoleBindingsLen = len(mcp.Spec.IAM.OIDC.DefaultProvider.RoleBindings)
+ }
+
+ oidcProviders = make([]commonapi.OIDCProviderConfig, 0, oidcProvidersLen)
+
+ if r.Config.DefaultOIDCProvider != nil && defaultProviderRoleBindingsLen > 0 {
 // add default OIDC provider, unless it has been disabled
 defaultOidc := r.Config.DefaultOIDCProvider.DeepCopy()
 defaultOidc.Name = corev2alpha1.DefaultOIDCProviderName
 defaultOidc.RoleBindings = mcp.Spec.IAM.OIDC.DefaultProvider.RoleBindings
 oidcProviders = append(oidcProviders, *defaultOidc)
 }
- oidcProviders = append(oidcProviders, mcp.Spec.IAM.OIDC.ExtraProviders...)
+
+ if mcp.Spec.IAM.OIDC != nil && len(mcp.Spec.IAM.OIDC.ExtraProviders) > 0 {
+ oidcProviders = append(oidcProviders, mcp.Spec.IAM.OIDC.ExtraProviders...)
+ }
 tokenProviders = mcp.Spec.IAM.Tokens
 }
diff --git a/internal/controllers/managedcontrolplane/controller_test.go b/internal/controllers/managedcontrolplane/controller_test.go
index a91b9f2..eac9b77 100644
--- a/internal/controllers/managedcontrolplane/controller_test.go
+++ b/internal/controllers/managedcontrolplane/controller_test.go
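Review bot: `oidcProvidersLen := 1` starts at one without saying why; a comment on that line such as `// reserve one slot for the default OIDC provider` would spare the next reader the inference. In the second `mcp.Spec.IAM.OIDC != nil` block the `len(...) > 0` half of the condition is redundant, since appending an empty slice is a no-op, so `if mcp.Spec.IAM.OIDC != nil {` is enough there (the nil guard itself must stay, the field access would otherwise panic). `mcp.Spec.IAM.Tokens` is still dereferenced unconditionally on the line after; that is fine if `IAM` is a value type, but if it is a pointer an MCP with no `iam` block at all would still crash the reconciler the same way the nil-OIDC case did, and a panic in a reconcile loop stalls every object the controller owns, not just the offending one — the type is not visible in this hunk, so worth confirming. createOrUpdateDesiredAccessRequests begins and ends outside the hunk.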
@@ -814,4 +814,57 @@ var _ = Describe("ManagedControlPlane Controller", func() {
 Expect(cr.Spec.WaitForClusterDeletion).To(PointTo(BeTrue()))
 })
+ It("should correctly handle an MCP without OIDC providers", func() {
+ rec, env := defaultTestSetup("testdata", "test-01")
+
+ mcp := &corev2alpha1.ManagedControlPlaneV2{}
+ mcp.SetName("mcp-03")
+ mcp.SetNamespace("test")
+ Expect(env.Client(onboarding).Get(env.Ctx, client.ObjectKeyFromObject(mcp), mcp)).To(Succeed())
+ env.ShouldReconcile(mcpRec, testutils.RequestFromObject(mcp))
+
+ platformNamespace, err := libutils.StableMCPNamespace(mcp.Name, mcp.Namespace)
+ Expect(err).ToNot(HaveOccurred())
+
+ cr := &clustersv1alpha1.ClusterRequest{}
+ cr.SetName(mcp.Name)
+ cr.SetNamespace(platformNamespace)
+ Expect(env.Client(platform).Get(env.Ctx, client.ObjectKeyFromObject(cr), cr)).To(Succeed())
+
+ // fake ClusterRequest ready status and Cluster resource
+ By("fake: ClusterRequest readiness")
+ cluster := &clustersv1alpha1.Cluster{}
+ cluster.SetName("cluster-01")
+ cluster.SetNamespace(platformNamespace)
+ cluster.Spec.Purposes = []string{rec.Config.MCPClusterPurpose}
+ Expect(env.Client(platform).Create(env.Ctx, cluster)).To(Succeed())
+ cluster.Status.Conditions = []metav1.Condition{
+ {
+ Type: "TestCondition1",
+ Status: metav1.ConditionTrue,
+ Reason: "TestReason",
+ Message: "This is a test condition",
+ LastTransitionTime: metav1.Now(),
+ ObservedGeneration: 1,
+ },
+ {
+ Type: "TestCondition2",
+ Status: metav1.ConditionFalse,
+ Reason: "TestReason",
+ Message: "This is another test condition",
+ LastTransitionTime: metav1.Now(),
+ ObservedGeneration: 1,
+ },
+ }
+ Expect(env.Client(platform).Status().Update(env.Ctx, cluster)).To(Succeed())
+ cr.Status.Phase = clustersv1alpha1.REQUEST_GRANTED
+ cr.Status.Cluster = &commonapi.ObjectReference{
+ Name: cluster.Name,
+ Namespace: cluster.Namespace,
+ }
+ Expect(env.Client(platform).Status().Update(env.Ctx, cr)).To(Succeed())
+
+ env.ShouldReconcile(mcpRec, testutils.RequestFromObject(mcp))
+ })
+
 })
diff --git a/internal/controllers/managedcontrolplane/testdata/test-01/onboarding/mcp-03.yaml b/internal/controllers/managedcontrolplane/testdata/test-01/onboarding/mcp-03.yaml
new file mode 100644
index 0000000..d2f08ff
--- /dev/null
+++ b/internal/controllers/managedcontrolplane/testdata/test-01/onboarding/mcp-03.yaml
@@ -0,0 +1,26 @@
+apiVersion: core.openmcp.cloud/v2alpha1
+kind: ManagedControlPlaneV2
+metadata:
+ name: mcp-03
+ namespace: test
+ finalizers:
+ - services.openmcp.cloud/sp-01
+ - services.openmcp.cloud/sp-02
+spec:
+ iam:
+ tokens:
+ - name: admin
+ roleRefs:
+ - kind: ClusterRole
+ name: cluster-admin
+ permissions:
+ - rules:
+ - apiGroups: [ '' ]
+ resources: [ 'secretcs']
+ verbs: [ '*' ]
+ - name: viewer
+ permissions:
+ - rules:
+ - apiGroups: [ '' ]
+ resources: [ 'pods', 'services' ]
+ verbs: [ 'get', 'list', 'watch' ]
\ No newline at end of file
From ff85f88077e70c1510d6f693740ad6f0fb42c88d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Sch=C3=BCnemann?=
Date: Mon, 29 Sep 2025 13:43:42 +0200
Subject: [PATCH 2/2] feat: release v0.15.1
---
 VERSION | 2 +-
 go.mod | 4 ++--
 lib/go.mod | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/VERSION b/VERSION
index 068cd29..2080a12 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-v0.15.0-dev
\ No newline at end of file
+v0.15.1
\ No newline at end of file
diff --git a/go.mod b/go.mod
index c2eed72..c461435 100644
--- a/go.mod
+++ b/go.mod
@@ -14,8 +14,8 @@ require (
 github.com/onsi/ginkgo/v2 v2.25.3
 github.com/onsi/gomega v1.38.2
 github.com/openmcp-project/controller-utils v0.22.0
- github.com/openmcp-project/openmcp-operator/api v0.15.0
- github.com/openmcp-project/openmcp-operator/lib v0.15.0
+ github.com/openmcp-project/openmcp-operator/api v0.15.1
+ github.com/openmcp-project/openmcp-operator/lib v0.15.1
 github.com/spf13/cobra v1.10.1
 k8s.io/api v0.34.1
 k8s.io/apimachinery v0.34.1
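Review bot: The new test only checks that both reconciles succeed; it never asserts that token AccessRequests for the `admin` and `viewer` tokens in mcp-03 were actually created with the expected names, which is the behaviour the commit title says it fixes, so a regression in the prefix or in the nil-OIDC path that silently produced zero requests would still pass. Listing the AccessRequests in `platformNamespace` after the second `env.ShouldReconcile` and asserting on their count and names would pin it. The two fake `Cluster` conditions are set up but nothing reads them; if the reconciler requires them, a one-line comment saying so would help, otherwise they can go. `rec` supplies the config while `mcpRec` is passed to the reconcile; if both refer to the same reconciler, using one of them consistently would avoid the question. The enclosing Describe block starts outside the hunk.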
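Review bot: `resources: [ 'secretcs']` under the `admin` token's permissions looks like a typo for `secrets`; as written the rule names a resource that does not exist, so if this fixture is meant to exercise a token that is granted secret access, the test is not covering it. Suggest `resources: [ 'secrets' ]`, and adding the missing trailing newline that `\ No newline at end of file` flags.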
diff --git a/lib/go.mod b/lib/go.mod
index a707510..5e92b2c 100644
--- a/lib/go.mod
+++ b/lib/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/onsi/ginkgo/v2 v2.25.3
 github.com/onsi/gomega v1.38.2
 github.com/openmcp-project/controller-utils v0.22.0
- github.com/openmcp-project/openmcp-operator/api v0.15.0
+ github.com/openmcp-project/openmcp-operator/api v0.15.1
 k8s.io/api v0.34.1
 k8s.io/apimachinery v0.34.1
 k8s.io/client-go v0.34.1