feat: option to restrict org creation

app/controlplane/api/controlplane/v1/status.proto

@@ -1,5 +1,5 @@
 //
-// Copyright 2023 The Chainloop Authors.
+// Copyright 2023-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -44,6 +44,8 @@ message InfozResponse {
   string version = 2;
   // Version of the helm chart used during deployment
   string chart_version = 3;
+  // Whether organization creation is restricted to admins
+  bool restricted_org_creation = 4;
 }
 
 message StatuszResponse {}

app/controlplane/cmd/wire.go

@@ -69,8 +69,8 @@ func wireApp(*conf.Bootstrap, credentials.ReaderWriter, log.Logger, sdk.Availabl
 	)
 }
 
-func authzConfig() *authz.Config {
-	return &authz.Config{ManagedResources: authz.ManagedResources, RolesMap: authz.RolesMap}
+func authzConfig(conf *conf.Bootstrap) *authz.Config {
+	return &authz.Config{ManagedResources: authz.ManagedResources, RolesMap: authz.RolesMap, RestrictOrgCreation: conf.RestrictOrgCreation}
 }
 
 func newJWTConfig(conf *conf.Auth) *biz.APITokenJWTConfig {

app/controlplane/configs/config.devel.yaml

@@ -16,8 +16,11 @@ server:
     #   certificate: "../../devel/devkeys/selfsigned/controlplane.crt"
     #   private_key: "../../devel/devkeys/selfsigned/controlplane.key"
 
-# nats_server:
-#  uri: nats://0.0.0.0:4222
+nats_server:
+ uri: nats://0.0.0.0:4222
+
+# Restrict organization creation to role:instance:admin
+restrict_org_creation: true
 
 certificate_authorities:
   - issuer: true
@@ -104,4 +107,4 @@ enable_profiler: true
 
 # federated_authentication:
 #   enabled: true
-#   url: http://localhost:8002/machine-identity/verify-token
+#   url: http://localhost:8002/machine-identity/verify-token