posit-dev
diff --git a/‎api/core/v1beta1/site_types.go‎
Lines changed: 21 additions & 0 deletions b/‎api/core/v1beta1/site_types.go‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎api/core/v1beta1/workbench_types.go‎
Lines changed: 4 additions & 0 deletions b/‎api/core/v1beta1/workbench_types.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎api/core/v1beta1/zz_generated.deepcopy.go‎
Lines changed: 25 additions & 0 deletions b/‎api/core/v1beta1/zz_generated.deepcopy.go‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎client-go/applyconfiguration/core/v1beta1/internalworkbenchspec.go‎
Lines changed: 9 additions & 0 deletions b/‎client-go/applyconfiguration/core/v1beta1/internalworkbenchspec.go‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎client-go/applyconfiguration/core/v1beta1/workbenchscimconfig.go‎
Lines changed: 35 additions & 0 deletions b/‎client-go/applyconfiguration/core/v1beta1/workbenchscimconfig.go‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎client-go/applyconfiguration/core/v1beta1/workbenchspec.go‎
Lines changed: 9 additions & 0 deletions b/‎client-go/applyconfiguration/core/v1beta1/workbenchspec.go‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎client-go/applyconfiguration/utils.go‎
Lines changed: 2 additions & 0 deletions b/‎client-go/applyconfiguration/utils.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎config/crd/bases/core.posit.team_sites.yaml‎
Lines changed: 22 additions & 0 deletions b/‎config/crd/bases/core.posit.team_sites.yaml‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎config/crd/bases/core.posit.team_workbenches.yaml‎
Lines changed: 19 additions & 0 deletions b/‎config/crd/bases/core.posit.team_workbenches.yaml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎dist/chart/templates/crd/core.posit.team_sites.yaml‎
Lines changed: 22 additions & 0 deletions b/‎dist/chart/templates/crd/core.posit.team_sites.yaml‎
Lines changed: 22 additions & 0 deletions
@@ -481,6 +481,27 @@ type InternalWorkbenchSpec struct {
 	// annotations, tolerations, and other pod-level settings.
 	// +optional
 	SessionConfig *product.SessionConfig `json:"sessionConfig,omitempty"`
+
+	// SCIM configures SCIM user provisioning for Workbench.
+	// Requires SSO (OIDC or SAML) to be configured.
+	// +optional
+	SCIM *WorkbenchSCIMConfig `json:"scim,omitempty"`
+}
+
+// WorkbenchSCIMConfig configures SCIM user provisioning for Workbench.
+type WorkbenchSCIMConfig struct {
+	// Enabled controls whether SCIM provisioning is active.
+	// +kubebuilder:default=false
+	Enabled bool `json:"enabled"`
+
+	// TokenSecretName is the name of a pre-existing Kubernetes Secret in the same
+	// namespace that contains the SCIM bearer token.
+	// The secret must have a key named "token".
+	// If not specified and Enabled is true, the operator generates a random token
+	// and stores it in a Secret named "<workbench-name>-scim-token".
+	// +optional
+	// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
+	TokenSecretName string `json:"tokenSecretName,omitempty"`
 }
 
 type InternalWorkbenchExperimentalFeatures struct {
 
@@ -114,6 +114,10 @@ type WorkbenchSpec struct {
 	// Empty or whitespace-only content will be ignored.
 	// See: https://docs.posit.co/ide/server-pro/admin/authenticating_users/customizing_signin.html
 	AuthLoginPageHtml string `json:"authLoginPageHtml,omitempty"`
+
+	// SCIM configures SCIM user provisioning.
+	// +optional
+	SCIM *WorkbenchSCIMConfig `json:"scim,omitempty"`
 }
 
 // TODO: Validation should require Volume definition for off-host-execution...
 
@@ -1564,6 +1564,28 @@ spec:
                     type: object
                   replicas:
                     type: integer
+                  scim:
+                    description: |-
+                      SCIM configures SCIM user provisioning for Workbench.
+                      Requires SSO (OIDC or SAML) to be configured.
+                    properties:
+                      enabled:
+                        default: false
+                        description: Enabled controls whether SCIM provisioning is
+                          active.
+                        type: boolean
+                      tokenSecretName:
+                        description: |-
+                          TokenSecretName is the name of a pre-existing Kubernetes Secret in the same
+                          namespace that contains the SCIM bearer token.
+                          The secret must have a key named "token".
+                          If not specified and Enabled is true, the operator generates a random token
+                          and stores it in a Secret named "<workbench-name>-scim-token".
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                        type: string
+                    required:
+                    - enabled
+                    type: object
                   sessionConfig:
                     description: |-
                       SessionConfig allows configuring Workbench session pods, including dynamic labels,
 
@@ -703,6 +703,25 @@ spec:
                 type: string
               replicas:
                 type: integer
+              scim:
+                description: SCIM configures SCIM user provisioning.
+                properties:
+                  enabled:
+                    default: false
+                    description: Enabled controls whether SCIM provisioning is active.
+                    type: boolean
+                  tokenSecretName:
+                    description: |-
+                      TokenSecretName is the name of a pre-existing Kubernetes Secret in the same
+                      namespace that contains the SCIM bearer token.
+                      The secret must have a key named "token".
+                      If not specified and Enabled is true, the operator generates a random token
+                      and stores it in a Secret named "<workbench-name>-scim-token".
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                    type: string
+                required:
+                - enabled
+                type: object
               secret:
                 description: Secret configures the secret management for this Workbench
                 properties:
 
@@ -1585,6 +1585,28 @@ spec:
                     type: object
                   replicas:
                     type: integer
+                  scim:
+                    description: |-
+                      SCIM configures SCIM user provisioning for Workbench.
+                      Requires SSO (OIDC or SAML) to be configured.
+                    properties:
+                      enabled:
+                        default: false
+                        description: Enabled controls whether SCIM provisioning is
+                          active.
+                        type: boolean
+                      tokenSecretName:
+                        description: |-
+                          TokenSecretName is the name of a pre-existing Kubernetes Secret in the same
+                          namespace that contains the SCIM bearer token.
+                          The secret must have a key named "token".
+                          If not specified and Enabled is true, the operator generates a random token
+                          and stores it in a Secret named "<workbench-name>-scim-token".
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                        type: string
+                    required:
+                    - enabled
+                    type: object
                   sessionConfig:
                     description: |-
                       SessionConfig allows configuring Workbench session pods, including dynamic labels,