openmcp-project · robertgraeff · Oct 23, 2025 · Oct 14, 2025
diff --git a/api/clusters/v1alpha1/accessrequest_types.go b/api/clusters/v1alpha1/accessrequest_types.go
@@ -87,7 +87,9 @@ type AccessRequestStatus struct {
 	commonapi.Status `json:",inline"`
 
 	// SecretRef holds the reference to the secret that contains the actual credentials.
-	SecretRef *commonapi.ObjectReference `json:"secretRef,omitempty"`
+	// The secret is in the same namespace as the AccessRequest.
+	// +optional
+	SecretRef *commonapi.LocalObjectReference `json:"secretRef,omitempty"`
 }
 
 func (ars AccessRequestStatus) IsGranted() bool {

diff --git a/api/clusters/v1alpha1/zz_generated.deepcopy.go b/api/clusters/v1alpha1/zz_generated.deepcopy.go
diff --git a/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml b/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml
@@ -477,19 +477,21 @@ spec:
                 description: Phase is the current phase of the resource.
                 type: string
               secretRef:
-                description: SecretRef holds the reference to the secret that contains
-                  the actual credentials.
+                description: |-
+                  SecretRef holds the reference to the secret that contains the actual credentials.
+                  The secret is in the same namespace as the AccessRequest.
                 properties:
                   name:
-                    description: Name is the name of the object.
-                    type: string
-                  namespace:
-                    description: Namespace is the namespace of the object.
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                     type: string
-                required:
-                - name
-                - namespace
                 type: object
+                x-kubernetes-map-type: atomic
             required:
             - observedGeneration
             - phase

diff --git a/internal/controllers/managedcontrolplane/controller_test.go b/internal/controllers/managedcontrolplane/controller_test.go
@@ -248,9 +248,8 @@ var _ = Describe("ManagedControlPlane Controller", func() {
 			ar.SetNamespace(platformNamespace)
 			Expect(env.Client(platform).Get(env.Ctx, client.ObjectKeyFromObject(ar), ar)).To(Succeed())
 			ar.Status.Phase = clustersv1alpha1.REQUEST_GRANTED
-			ar.Status.SecretRef = &commonapi.ObjectReference{
-				Name:      ar.Name,
-				Namespace: ar.Namespace,
+			ar.Status.SecretRef = &commonapi.LocalObjectReference{
+				Name: ar.Name,
 			}
 			sec := &corev1.Secret{}
 			sec.SetName(ar.Status.SecretRef.Name)
@@ -270,9 +269,8 @@ var _ = Describe("ManagedControlPlane Controller", func() {
 			ar.SetNamespace(platformNamespace)
 			Expect(env.Client(platform).Get(env.Ctx, client.ObjectKeyFromObject(ar), ar)).To(Succeed())
 			ar.Status.Phase = clustersv1alpha1.REQUEST_GRANTED
-			ar.Status.SecretRef = &commonapi.ObjectReference{
-				Name:      ar.Name,
-				Namespace: ar.Namespace,
+			ar.Status.SecretRef = &commonapi.LocalObjectReference{
+				Name: ar.Name,
 			}
 			sec := &corev1.Secret{}
 			sec.SetName(ar.Status.SecretRef.Name)

diff --git a/lib/clusteraccess/advanced/clusteraccess.go b/lib/clusteraccess/advanced/clusteraccess.go
@@ -981,7 +981,7 @@ func AccessFromAccessRequest(ctx context.Context, platformClusterClient client.C
 
 	s := &corev1.Secret{}
 	s.Name = ar.Status.SecretRef.Name
-	s.Namespace = ar.Status.SecretRef.Namespace
+	s.Namespace = ar.Namespace
 
 	if err := platformClusterClient.Get(ctx, client.ObjectKeyFromObject(s), s); err != nil {
 		return nil, fmt.Errorf("unable to get secret '%s/%s' for AccessRequest '%s/%s': %w", s.Namespace, s.Name, ar.Namespace, ar.Name, err)
@@ -1185,9 +1185,8 @@ func FakeAccessRequestReadiness(kcfgData []byte) FakingCallback {
 
 		// mock AccessRequest status
 		old := ar.DeepCopy()
-		ar.Status.SecretRef = &commonapi.ObjectReference{
-			Name:      s.Name,
-			Namespace: s.Namespace,
+		ar.Status.SecretRef = &commonapi.LocalObjectReference{
+			Name: s.Name,
 		}
 		ar.Status.Phase = clustersv1alpha1.REQUEST_GRANTED
 		ar.Status.ObservedGeneration = ar.Generation
@@ -1279,7 +1278,7 @@ func FakeAccessRequestDeletion(finalizersToRemoveFromAccessRequest, finalizersTo
 		if ar.Status.SecretRef != nil {
 			s := &corev1.Secret{}
 			s.Name = ar.Status.SecretRef.Name
-			s.Namespace = ar.Status.SecretRef.Namespace
+			s.Namespace = ar.Namespace
 
 			if len(finalizersToRemoveFromSecret) > 0 {
 				// fetch secret to remove finalizers

diff --git a/lib/clusteraccess/clusteraccess.go b/lib/clusteraccess/clusteraccess.go
@@ -407,7 +407,7 @@ func createClusterForAccessRequest(ctx context.Context, platformClusterClient cl
 	accessSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      accessRequest.Status.SecretRef.Name,
-			Namespace: accessRequest.Status.SecretRef.Namespace,
+			Namespace: accessRequest.Namespace,
 		},
 	}
 

diff --git a/lib/clusteraccess/clusteraccess_test.go b/lib/clusteraccess/clusteraccess_test.go
@@ -210,15 +210,13 @@ var _ = Describe("ClusterAccessReconciler", func() {
 			Expect(env.Client().Status().Update(env.Ctx, accessRequestWorkload)).To(Succeed())
 
 			// set the secret reference for the MCP access request and the workload access request
-			accessRequestMCP.Status.SecretRef = &commonapi.ObjectReference{
-				Name:      "mcp-access",
-				Namespace: expectedRequestNamespace,
+			accessRequestMCP.Status.SecretRef = &commonapi.LocalObjectReference{
+				Name: "mcp-access",
 			}
 			Expect(env.Client().Status().Update(env.Ctx, accessRequestMCP)).To(Succeed())
 
-			accessRequestWorkload.Status.SecretRef = &commonapi.ObjectReference{
-				Name:      "workload-access",
-				Namespace: expectedRequestNamespace,
+			accessRequestWorkload.Status.SecretRef = &commonapi.LocalObjectReference{
+				Name: "workload-access",
 			}
 			Expect(env.Client().Status().Update(env.Ctx, accessRequestWorkload)).To(Succeed())
 
@@ -275,9 +273,8 @@ var _ = Describe("ClusterAccessReconciler", func() {
 			env.ShouldReconcile(request, "reconcilerImpl should not return an error")
 
 			// set the secret reference for the MCP access request
-			accessRequestMCP.Status.SecretRef = &commonapi.ObjectReference{
-				Name:      "mcp-access",
-				Namespace: expectedRequestNamespace,
+			accessRequestMCP.Status.SecretRef = &commonapi.LocalObjectReference{
+				Name: "mcp-access",
 			}
 			Expect(env.Client().Status().Update(env.Ctx, accessRequestMCP)).To(Succeed())
 
@@ -441,7 +438,7 @@ var _ = Describe("ClusterAccessManager", func() {
 		}()
 
 		Eventually(func() bool {
-			// read rhe cluster request
+			// read the cluster request
 			if err := env.Client().Get(ctx, client.ObjectKeyFromObject(clusterRequest), clusterRequest); err != nil {
 				return false
 			}
@@ -464,9 +461,8 @@ var _ = Describe("ClusterAccessManager", func() {
 			if accessRequest.Status.Phase != clustersv1alpha1.REQUEST_GRANTED {
 				accessRequest.Status.Phase = clustersv1alpha1.REQUEST_GRANTED
 
-				accessRequest.Status.SecretRef = &commonapi.ObjectReference{
-					Name:      "access",
-					Namespace: "default",
+				accessRequest.Status.SecretRef = &commonapi.LocalObjectReference{
+					Name: "access",
 				}
 
 				if err := env.Client().Status().Update(ctx, accessRequest); err != nil {

diff --git a/lib/clusteraccess/testdata/test-03/access-secrets.yaml b/lib/clusteraccess/testdata/test-03/access-secrets.yaml
@@ -2,6 +2,6 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: access
-  namespace: default
+  namespace: test-namespace
 data:
   kubeconfig: YXBpVmVyc2lvbjogdjEKa2luZDogQ29uZmlnCnByZWZlcmVuY2VzOiB7fQpjbHVzdGVyczoKLSBjbHVzdGVyOgogICAgc2VydmVyOiBodHRwczovL2FwaS5jbHVzdGVyLWIuZXhhbXBsZS5jb206NjQ0MwogIG5hbWU6IGNsdXN0ZXIKY29udGV4dHM6Ci0gY29udGV4dDoKICAgIGNsdXN0ZXI6IGNsdXN0ZXIKICAgIHVzZXI6IHVzZXIKICBuYW1lOiBjb250ZXh0CmN1cnJlbnQtY29udGV4dDogY29udGV4dAp1c2VyczoKLSBuYW1lOiB1c2VyCiAgdXNlcjoKICAgIHRva2VuOiBhYmM=
diff --git a/lib/clusteraccess/testing.go b/lib/clusteraccess/testing.go
@@ -109,16 +109,15 @@ func (m *testManagerImpl) WaitForClusterAccess(ctx context.Context, localName st
 	}
 	old := ar.DeepCopy()
 	ar.Status.Phase = clustersv1alpha1.REQUEST_GRANTED
-	ar.Status.SecretRef = &commonapi.ObjectReference{
-		Name:      ar.Name,
-		Namespace: ar.Namespace,
+	ar.Status.SecretRef = &commonapi.LocalObjectReference{
+		Name: ar.Name,
 	}
 	if err := m.platformClusterClient.Status().Patch(ctx, ar, client.MergeFrom(old)); err != nil {
 		return nil, nil, fmt.Errorf("failed to update AccessRequest status: %w", err)
 	}
 	sec := &corev1.Secret{}
 	sec.Name = ar.Status.SecretRef.Name
-	sec.Namespace = ar.Status.SecretRef.Namespace
+	sec.Namespace = ar.Namespace
 	if _, err := controllerutil.CreateOrUpdate(ctx, m.platformClusterClient, sec, func() error {
 		sec.Data = map[string][]byte{
 			clustersv1alpha1.SecretKeyKubeconfig: []byte("fake:" + localName),