diff --git a/Taskfile.yaml b/Taskfile.yaml
index 6ba3e68..554369e 100644
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@@ -7,7 +7,7 @@ vars:
 ENVTEST_VERSION: release-0.19
 CRD_DIRECTORY: config/crd/bases
 KCP_APIGEN_VERSION: v0.29.0
- KCP_VERSION: 0.28.3
+ KCP_VERSION: 0.29.0
 GOLANGCI_LINT_VERSION: v2.8.0
 GOARCH:
 sh: go env GOARCH
diff --git a/api/v1alpha1/identityproviderconfiguration_types.go b/api/v1alpha1/identityproviderconfiguration_types.go
index 987dcbf..5f22f2c 100644
--- a/api/v1alpha1/identityproviderconfiguration_types.go
+++ b/api/v1alpha1/identityproviderconfiguration_types.go
@@ -25,7 +25,8 @@ type IdentityProviderClientConfig struct {
 
 // IdentityProviderConfigurationSpec defines the desired state of IdentityProviderConfiguration
 type IdentityProviderConfigurationSpec struct {
- Clients []IdentityProviderClientConfig `json:"clients"`
+ RegistrationAllowed bool `json:"registrationAllowed"`
+ Clients []IdentityProviderClientConfig `json:"clients"`
 }
 
 // ManagedClient tracks a client that is managed by the operator.
diff --git a/config/crd/bases/core.platform-mesh.io_identityproviderconfigurations.yaml b/config/crd/bases/core.platform-mesh.io_identityproviderconfigurations.yaml
index 6a1ba9f..d9b2d21 100644
--- a/config/crd/bases/core.platform-mesh.io_identityproviderconfigurations.yaml
+++ b/config/crd/bases/core.platform-mesh.io_identityproviderconfigurations.yaml
@@ -79,8 +79,11 @@ spec:
 - redirectUris
 type: object
 type: array
+ registrationAllowed:
+ type: boolean
 required:
 - clients
+ - registrationAllowed
 type: object
 status:
 description: status defines the observed state of IdentityProviderConfiguration
diff --git a/config/resources/apiexport-core.platform-mesh.io.yaml b/config/resources/apiexport-core.platform-mesh.io.yaml
index 361fe9a..6dcf341 100644
--- a/config/resources/apiexport-core.platform-mesh.io.yaml
+++ b/config/resources/apiexport-core.platform-mesh.io.yaml
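Review bot: `RegistrationAllowed` in IdentityProviderConfigurationSpec carries no doc comment and no `omitempty`/`+optional` marker, which is why the generated CRD and APIResourceSchema in this same commit list it under `required`; an IdentityProviderConfiguration that omits the field will now likely be rejected at admission, including existing objects on their next write by a client built against the previous schema. Unless making it mandatory is intended, declare it `// +optional` with `json:"registrationAllowed,omitempty"` so an absent field reads as false, which keeps self-registration off by default. Either way the field should say what it controls, since the subroutine in internal/subroutine/idp/subroutine.go forwards it into keycloak.RealmConfig: `// RegistrationAllowed is written to the RegistrationAllowed setting of the Keycloak realm backing this configuration; true enables self-registration on that realm.`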
@@ -12,7 +12,7 @@ spec:
 crd: {}
 - group: core.platform-mesh.io
 name: identityproviderconfigurations
- schema: v260123-dbda1fc.identityproviderconfigurations.core.platform-mesh.io
+ schema: v260129-b6b2199.identityproviderconfigurations.core.platform-mesh.io
 storage:
 crd: {}
 - group: core.platform-mesh.io
diff --git a/config/resources/apiresourceschema-identityproviderconfigurations.core.platform-mesh.io.yaml b/config/resources/apiresourceschema-identityproviderconfigurations.core.platform-mesh.io.yaml
index 68b0d22..cc9d66f 100644
--- a/config/resources/apiresourceschema-identityproviderconfigurations.core.platform-mesh.io.yaml
+++ b/config/resources/apiresourceschema-identityproviderconfigurations.core.platform-mesh.io.yaml
@@ -2,7 +2,7 @@ apiVersion: apis.kcp.io/v1alpha1
 kind: APIResourceSchema
 metadata:
 creationTimestamp: null
- name: v260123-dbda1fc.identityproviderconfigurations.core.platform-mesh.io
+ name: v260129-b6b2199.identityproviderconfigurations.core.platform-mesh.io
 spec:
 group: core.platform-mesh.io
 names:
@@ -76,8 +76,11 @@ spec:
 - redirectUris
 type: object
 type: array
+ registrationAllowed:
+ type: boolean
 required:
 - clients
+ - registrationAllowed
 type: object
 status:
 description: status defines the observed state of IdentityProviderConfiguration
diff --git a/internal/subroutine/idp.go b/internal/subroutine/idp.go
index 4f66b56..e0312e0 100644
--- a/internal/subroutine/idp.go
+++ b/internal/subroutine/idp.go
@@ -43,6 +43,7 @@ func NewIDPSubroutine(orgsClient client.Client, mgr mcmanager.Manager, cfg confi
 additionalRedirectURLs: cfg.IDP.AdditionalRedirectURLs,
 kubectlClientRedirectURLs: cfg.IDP.KubectlClientRedirectURLs,
 baseDomain: cfg.BaseDomain,
+ registrationAllowed: cfg.IDP.RegistrationAllowed,
 limiter: limiter,
 }
 }
@@ -55,6 +56,7 @@ type IDPSubroutine struct {
 additionalRedirectURLs []string
 kubectlClientRedirectURLs []string
 baseDomain string
+ registrationAllowed bool
 limiter workqueue.TypedRateLimiter[*v1alpha1.IdentityProviderConfiguration]
 }
 
@@ -116,6 +118,8 @@ func (i *IDPSubroutine) Process(ctx context.Context, instance runtimeobject.Runt
 
 idp := &v1alpha1.IdentityProviderConfiguration{ObjectMeta: metav1.ObjectMeta{Name: workspaceName}}
 _, err = controllerutil.CreateOrPatch(ctx, cl.GetClient(), idp, func() error {
+ idp.Spec.RegistrationAllowed = i.registrationAllowed
+
 for _, desired := range clients {
 idp.Spec.Clients = ensureClient(idp.Spec.Clients, desired)
 }
diff --git a/internal/subroutine/idp/subroutine.go b/internal/subroutine/idp/subroutine.go
index 5740f53..409438d 100644
--- a/internal/subroutine/idp/subroutine.go
+++ b/internal/subroutine/idp/subroutine.go
@@ -145,7 +145,7 @@ func (s *subroutine) Process(ctx context.Context, instance runtimeobject.Runtime
 realmName := idpConfig.Name
 oidcClient, adminClient := s.newOIDCClient(realmName)
 
-if err := s.ensureRealm(ctx, adminClient, realmName, log); err != nil {
+if err := s.ensureRealm(ctx, adminClient, realmName, idpConfig.Spec.RegistrationAllowed, log); err != nil {
 return ctrl.Result{}, errors.NewOperatorError(err, true, false)
 }
 
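Review bot: The realm's self-registration switch is now read from `idpConfig.Spec.RegistrationAllowed` instead of the operator configuration, so anyone with write access to an IdentityProviderConfiguration can turn open registration on for the Keycloak realm it maps to. For objects written by IDPSubroutine.Process in internal/subroutine/idp.go the earlier hunk in this file overwrites the field from `cfg.IDP.RegistrationAllowed` on every reconcile, but a configuration that reaches this subroutine by any other route is trusted as-is, and there is no sign in the diff of validation or RBAC narrowing to match. If the operator setting is meant to stay an upper bound, pass `idpConfig.Spec.RegistrationAllowed && s.cfg.IDP.RegistrationAllowed` here; if the spec is meant to be the sole authority, say so in a comment on the call, since the behaviour is no longer visible from the operator config alone. The enclosing Process method starts and ends outside the hunk.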
@@ -183,14 +183,14 @@ func (s *subroutine) Process(ctx context.Context, instance runtimeobject.Runtime
 return ctrl.Result{}, nil
 }
 
-func (s *subroutine) ensureRealm(ctx context.Context, adminClient *keycloak.AdminClient, realmName string, log *logger.Logger) error {
+func (s *subroutine) ensureRealm(ctx context.Context, adminClient *keycloak.AdminClient, realmName string, registrationAllowed bool, log *logger.Logger) error {
 realmConfig := keycloak.RealmConfig{
 Realm: realmName,
 DisplayName: realmName,
 Enabled: true,
 LoginWithEmailAllowed: true,
 RegistrationEmailAsUsername: true,
- RegistrationAllowed: s.cfg.IDP.RegistrationAllowed,
+ RegistrationAllowed: registrationAllowed,
 SSOSessionIdleTimeout: s.cfg.IDP.AccessTokenLifespan,
 AccessTokenLifespan: s.cfg.IDP.AccessTokenLifespan,
 }
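Review bot: ensureRealm now mixes a caller-supplied `registrationAllowed` with settings still taken from `s.cfg.IDP`, and the function has no doc comment saying which input governs what, which matters because the caller's value ultimately comes from the resource spec rather than operator configuration. A short comment above the signature would make the split explicit: `// ensureRealm builds the RealmConfig for realmName and applies it via adminClient; registrationAllowed sets the realm's self-registration flag and originates from the IdentityProviderConfiguration spec, every other setting comes from s.cfg.IDP.` Not part of this change but visible in the context, `SSOSessionIdleTimeout` is populated from `s.cfg.IDP.AccessTokenLifespan` rather than a dedicated idle-timeout value, which looks like it may be a copy-paste worth confirming. The function body continues past the hunk.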