feat: add RoleRefs to AccessRequest API (#128)

maximiliantech · web-flow · commit 2de11003d1c2 · 2025-08-27T12:58:05.000+02:00
* feat: add `RoleRefs` to `AccessRequest`

* feat: release v0.11.1
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v0.11.0-dev
+v0.11.1
diff --git a/api/clusters/v1alpha1/accessrequest_types.go b/api/clusters/v1alpha1/accessrequest_types.go
@@ -37,6 +37,10 @@ type AccessRequestSpec struct {
 	// +optional
 	Permissions []PermissionsRequest `json:"permissions,omitempty"`
 
+	// RoleRefs are references to existing (Cluster)Roles that should be bound to the created serviceaccount or OIDC user.
+	// +optional
+	RoleRefs []commonapi.RoleRef `json:"roleRefs,omitempty"`
+
 	// OIDCProvider is a configuration for an OIDC provider that should be used for authentication and associated role bindings.
 	// If set, the handling ClusterProvider will create an OIDC-based access for the AccessRequest, if supported.
 	// Otherwise, a serviceaccount with a token will be created and bound to the requested permissions.
diff --git a/api/clusters/v1alpha1/zz_generated.deepcopy.go b/api/clusters/v1alpha1/zz_generated.deepcopy.go
diff --git a/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml b/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml
@@ -295,6 +295,36 @@ spec:
                 x-kubernetes-validations:
                 - message: requestRef is immutable
                   rule: self == oldSelf
+              roleRefs:
+                description: RoleRefs are references to existing (Cluster)Roles that
+                  should be bound to the created serviceaccount or OIDC user.
+                items:
+                  description: RoleRef defines a reference to a (cluster) role that
+                    should be bound to the subjects.
+                  properties:
+                    kind:
+                      description: |-
+                        Kind is the kind of the role to bind to the subjects.
+                        It must be 'Role' or 'ClusterRole'.
+                      enum:
+                      - Role
+                      - ClusterRole
+                      type: string
+                    name:
+                      description: Name is the name of the role or cluster role to
+                        bind to the subjects.
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: |-
+                        Namespace is the namespace of the role to bind to the subjects.
+                        It must be set if the kind is 'Role' and may not be set if the kind is 'ClusterRole'.
+                      type: string
+                  required:
+                  - kind
+                  - name
+                  type: object
+                type: array
             type: object
             x-kubernetes-validations:
             - message: clusterRef may not be removed once set
diff --git a/go.mod b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.25.1
 	github.com/onsi/gomega v1.38.1
 	github.com/openmcp-project/controller-utils v0.18.0
-	github.com/openmcp-project/openmcp-operator/api v0.11.0
+	github.com/openmcp-project/openmcp-operator/api v0.11.1
 	github.com/spf13/cobra v1.9.1
 	k8s.io/api v0.33.4
 	k8s.io/apimachinery v0.33.4
diff --git a/lib/go.mod b/lib/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.25.1
 	github.com/onsi/gomega v1.38.1
 	github.com/openmcp-project/controller-utils v0.18.0
-	github.com/openmcp-project/openmcp-operator/api v0.11.0
+	github.com/openmcp-project/openmcp-operator/api v0.11.1
 	k8s.io/api v0.33.4
 	k8s.io/apimachinery v0.33.4
 	k8s.io/client-go v0.33.4
