feat: add optional SCIM provisioning support for Workbench

Author: timtalbot

api/core/v1beta1/site_types.go

@@ -481,6 +481,26 @@ type InternalWorkbenchSpec struct {
 	// annotations, tolerations, and other pod-level settings.
 	// +optional
 	SessionConfig *product.SessionConfig `json:"sessionConfig,omitempty"`
+
+	// SCIM configures SCIM user provisioning for Workbench.
+	// Requires SSO (OIDC or SAML) to be configured.
+	// +optional
+	SCIM *WorkbenchSCIMConfig `json:"scim,omitempty"`
+}
+
+// WorkbenchSCIMConfig configures SCIM user provisioning for Workbench.
+type WorkbenchSCIMConfig struct {
+	// Enabled controls whether SCIM provisioning is active.
+	// +kubebuilder:default=false
+	Enabled bool `json:"enabled"`
+
+	// TokenSecretName is the name of a pre-existing Kubernetes Secret in the same
+	// namespace that contains the SCIM bearer token.
+	// The secret must have a key named "token".
+	// If not specified and Enabled is true, the operator generates a random token
+	// and stores it in a Secret named "<workbench-name>-scim-token".
+	// +optional
+	TokenSecretName string `json:"tokenSecretName,omitempty"`
 }
 
 type InternalWorkbenchExperimentalFeatures struct {

api/core/v1beta1/workbench_types.go

@@ -114,6 +114,10 @@ type WorkbenchSpec struct {
 	// Empty or whitespace-only content will be ignored.
 	// See: https://docs.posit.co/ide/server-pro/admin/authenticating_users/customizing_signin.html
 	AuthLoginPageHtml string `json:"authLoginPageHtml,omitempty"`
+
+	// SCIM configures SCIM user provisioning.
+	// +optional
+	SCIM *WorkbenchSCIMConfig `json:"scim,omitempty"`
 }
 
 // TODO: Validation should require Volume definition for off-host-execution...

api/core/v1beta1/zz_generated.deepcopy.go

@@ -1564,6 +1564,27 @@ spec:
                     type: object
                   replicas:
                     type: integer
+                  scim:
+                    description: |-
+                      SCIM configures SCIM user provisioning for Workbench.
+                      Requires SSO (OIDC or SAML) to be configured.
+                    properties:
+                      enabled:
+                        default: false
+                        description: Enabled controls whether SCIM provisioning is
+                          active.
+                        type: boolean
+                      tokenSecretName:
+                        description: |-
+                          TokenSecretName is the name of a pre-existing Kubernetes Secret in the same
+                          namespace that contains the SCIM bearer token.
+                          The secret must have a key named "token".
+                          If not specified and Enabled is true, the operator generates a random token
+                          and stores it in a Secret named "<workbench-name>-scim-token".
+                        type: string
+                    required:
+                    - enabled
+                    type: object
                   sessionConfig:
                     description: |-
                       SessionConfig allows configuring Workbench session pods, including dynamic labels,

client-go/applyconfiguration/core/v1beta1/internalworkbenchspec.go

@@ -703,6 +703,24 @@ spec:
                 type: string
               replicas:
                 type: integer
+              scim:
+                description: SCIM configures SCIM user provisioning.
+                properties:
+                  enabled:
+                    default: false
+                    description: Enabled controls whether SCIM provisioning is active.
+                    type: boolean
+                  tokenSecretName:
+                    description: |-
+                      TokenSecretName is the name of a pre-existing Kubernetes Secret in the same
+                      namespace that contains the SCIM bearer token.
+                      The secret must have a key named "token".
+                      If not specified and Enabled is true, the operator generates a random token
+                      and stores it in a Secret named "<workbench-name>-scim-token".
+                    type: string
+                required:
+                - enabled
+                type: object
               secret:
                 description: Secret configures the secret management for this Workbench
                 properties:

client-go/applyconfiguration/core/v1beta1/workbenchscimconfig.go

@@ -455,6 +455,11 @@ func (r *SiteReconciler) reconcileWorkbench(
 		targetWorkbench.Spec.AuthLoginPageHtml = site.Spec.Workbench.AuthLoginPageHtml
 	}
 
+	// Propagate SCIM config
+	if site.Spec.Workbench.SCIM != nil {
+		targetWorkbench.Spec.SCIM = site.Spec.Workbench.SCIM
+	}
+
 	// Merge user-provided sessionConfig from Site spec into the operator-constructed SessionConfig.
 	// DynamicLabels, Labels, and Annotations are merged for Pod/Service/Job configs.
 	// Service.Type is overwritten when non-empty. Other Pod fields (Tolerations,