diff --git a/VERSION b/VERSION
index b6052ad..a5de145 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-v0.11.0-dev
\ No newline at end of file
+v0.11.1
\ No newline at end of file
diff --git a/api/clusters/v1alpha1/accessrequest_types.go b/api/clusters/v1alpha1/accessrequest_types.go
index c822a3c..bb97ce2 100644
--- a/api/clusters/v1alpha1/accessrequest_types.go
+++ b/api/clusters/v1alpha1/accessrequest_types.go
@@ -37,6 +37,10 @@ type AccessRequestSpec struct {
 // +optional
 Permissions []PermissionsRequest `json:"permissions,omitempty"`
 
+ // RoleRefs are references to existing (Cluster)Roles that should be bound to the created serviceaccount or OIDC user.
+ // +optional
+ RoleRefs []commonapi.RoleRef `json:"roleRefs,omitempty"`
+
 // OIDCProvider is a configuration for an OIDC provider that should be used for authentication and associated role bindings.
 // If set, the handling ClusterProvider will create an OIDC-based access for the AccessRequest, if supported.
 // Otherwise, a serviceaccount with a token will be created and bound to the requested permissions.
diff --git a/api/clusters/v1alpha1/zz_generated.deepcopy.go b/api/clusters/v1alpha1/zz_generated.deepcopy.go
index b7af543..18a688c 100644
--- a/api/clusters/v1alpha1/zz_generated.deepcopy.go
+++ b/api/clusters/v1alpha1/zz_generated.deepcopy.go
@@ -90,6 +90,11 @@ func (in *AccessRequestSpec) DeepCopyInto(out *AccessRequestSpec) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.RoleRefs != nil { + in, out := &in.RoleRefs, &out.RoleRefs + *out = make([]common.RoleRef, len(*in)) + copy(*out, *in) + } if in.OIDCProvider != nil { in, out := &in.OIDCProvider, &out.OIDCProvider *out = new(common.OIDCProviderConfig)
diff --git a/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml b/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml
index d08f145..ab619f5 100644
--- a/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml
+++ b/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml
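Review bot: The `RoleRefs` field added to `AccessRequestSpec` in `api/clusters/v1alpha1/accessrequest_types.go` lets a requester name any existing Role or ClusterRole, and its comment does not say what limits that choice. The binding appears to be created by the handling ClusterProvider rather than by the requester (inferred from the `OIDCProvider` comment in the same hunk; the controller code is not part of this diff), so the API server's RBAC escalation check on whoever writes a binding would apply to the provider's identity, and create permission on AccessRequests would amount to permission to be bound to any role on the target cluster. I would state that in the field comment, for example `// The handling ClusterProvider creates the bindings with its own credentials; restrict who may create AccessRequests accordingly.`, and consider having the provider check references against an allow-list. The struct starts and continues outside the hunk.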
@@ -295,6 +295,36 @@ spec:
 x-kubernetes-validations:
 - message: requestRef is immutable
 rule: self == oldSelf
+ roleRefs:
+ description: RoleRefs are references to existing (Cluster)Roles that
+ should be bound to the created serviceaccount or OIDC user.
+ items:
+ description: RoleRef defines a reference to a (cluster) role that
+ should be bound to the subjects.
+ properties:
+ kind:
+ description: |-
+ Kind is the kind of the role to bind to the subjects.
+ It must be 'Role' or 'ClusterRole'.
+ enum:
+ - Role
+ - ClusterRole
+ type: string
+ name:
+ description: Name is the name of the role or cluster role to
+ bind to the subjects.
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the role to bind to the subjects.
+ It must be set if the kind is 'Role' and may not be set if the kind is 'ClusterRole'.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ type: array
 type: object
 x-kubernetes-validations:
 - message: clusterRef may not be removed once set
diff --git a/go.mod b/go.mod
index f1d197c..d8dd68b 100644
--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 github.com/onsi/ginkgo/v2 v2.25.1
 github.com/onsi/gomega v1.38.1
 github.com/openmcp-project/controller-utils v0.18.0
- github.com/openmcp-project/openmcp-operator/api v0.11.0
+ github.com/openmcp-project/openmcp-operator/api v0.11.1
 github.com/spf13/cobra v1.9.1
 k8s.io/api v0.33.4
 k8s.io/apimachinery v0.33.4
diff --git a/lib/go.mod b/lib/go.mod
index da25722..082ea47 100644
--- a/lib/go.mod
+++ b/lib/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/onsi/ginkgo/v2 v2.25.1
 github.com/onsi/gomega v1.38.1
 github.com/openmcp-project/controller-utils v0.18.0
- github.com/openmcp-project/openmcp-operator/api v0.11.0
+ github.com/openmcp-project/openmcp-operator/api v0.11.1
 k8s.io/api v0.33.4
 k8s.io/apimachinery v0.33.4
 k8s.io/client-go v0.33.4
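Review bot: The `namespace` description under `roleRefs.items` in `api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml` says it must be set for kind `Role` and may not be set for `ClusterRole`, but the item schema added here carries no `x-kubernetes-validations` rule for that, so the API server would accept a `Role` reference without a namespace or a `ClusterRole` reference with one. Since these references decide which role gets bound, I would enforce the constraint at admission with a rule on the item, such as `rule: "self.kind == 'Role' ? (has(self.namespace) && self.namespace != '') : !has(self.namespace)"` with a matching `message`. If this manifest is generated from the Go types, the rule belongs on the `RoleRef` type as a validation marker, which is outside this diff. Unlike `requestRef` in the context lines just above, `roleRefs` has no immutability rule visible in this hunk; whether later edits to the bound roles should be allowed is worth deciding explicitly.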