From 2712269293a0235844c18e22f02bc67fc81e39b2 Mon Sep 17 00:00:00 2001
From: OlegErshov
Date: Thu, 29 Jan 2026 12:00:07 +0100
Subject: [PATCH 1/2] feat: introduced registrationAllowed toggle in idp spec

On-behalf-of: SAP aleh.yarshou@sap.com
---
 .../identityproviderconfiguration_types.go | 3 +-
 ...esh.io_identityproviderconfigurations.yaml | 3 ++
 .../apiexport-core.platform-mesh.io.yaml | 28 ++++---------------
 ...rconfigurations.core.platform-mesh.io.yaml | 5 +++-
 internal/subroutine/idp.go | 4 +++
 internal/subroutine/idp/subroutine.go | 6 ++--
 6 files changed, 22 insertions(+), 27 deletions(-)

diff --git a/api/v1alpha1/identityproviderconfiguration_types.go b/api/v1alpha1/identityproviderconfiguration_types.go
index 987dcbf..5f22f2c 100644
--- a/api/v1alpha1/identityproviderconfiguration_types.go
+++ b/api/v1alpha1/identityproviderconfiguration_types.go
@@ -25,7 +25,8 @@ type IdentityProviderClientConfig struct {
 // IdentityProviderConfigurationSpec defines the desired state of IdentityProviderConfiguration
 type IdentityProviderConfigurationSpec struct {
- Clients []IdentityProviderClientConfig `json:"clients"`
+ RegistrationAllowed bool `json:"registrationAllowed"`
+ Clients []IdentityProviderClientConfig `json:"clients"`
 }
 // ManagedClient tracks a client that is managed by the operator.
diff --git a/config/crd/bases/core.platform-mesh.io_identityproviderconfigurations.yaml b/config/crd/bases/core.platform-mesh.io_identityproviderconfigurations.yaml
index 6a1ba9f..d9b2d21 100644
--- a/config/crd/bases/core.platform-mesh.io_identityproviderconfigurations.yaml
+++ b/config/crd/bases/core.platform-mesh.io_identityproviderconfigurations.yaml
@@ -79,8 +79,11 @@ spec:
 - redirectUris
 type: object
 type: array
+ registrationAllowed:
+ type: boolean
 required:
 - clients
+ - registrationAllowed
 type: object
 status:
 description: status defines the observed state of IdentityProviderConfiguration
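Review bot: `RegistrationAllowed` is added to IdentityProviderConfigurationSpec with no doc comment and no kubebuilder default, while the generated CRD in the same commit marks it `required`, so a security toggle that opens account self-registration on the realm has no stated absent-value semantics and will reject objects written by clients that predate the field. Suggest documenting and defaulting it on the field: `// RegistrationAllowed enables self-service user registration on the Keycloak realm backed by this configuration; false keeps the realm invite-only.` followed by `// +kubebuilder:default=false` and `// +optional`, which keeps false as the safe default and lets older objects validate. The comment should also say who owns the value, since elsewhere in this patch the org controller copies it from operator config on every reconcile, so a per-workspace edit does not stick.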
diff --git a/config/resources/apiexport-core.platform-mesh.io.yaml b/config/resources/apiexport-core.platform-mesh.io.yaml
index 361fe9a..6d8d9aa 100644
--- a/config/resources/apiexport-core.platform-mesh.io.yaml
+++ b/config/resources/apiexport-core.platform-mesh.io.yaml
@@ -1,28 +1,12 @@
-apiVersion: apis.kcp.io/v1alpha2
+apiVersion: apis.kcp.io/v1alpha1
 kind: APIExport
 metadata:
 creationTimestamp: null
 name: core.platform-mesh.io
 spec:
- resources:
- - group: core.platform-mesh.io
- name: authorizationmodels
- schema: v260112-5925c7e.authorizationmodels.core.platform-mesh.io
- storage:
- crd: {}
- - group: core.platform-mesh.io
- name: identityproviderconfigurations
- schema: v260123-dbda1fc.identityproviderconfigurations.core.platform-mesh.io
- storage:
- crd: {}
- - group: core.platform-mesh.io
- name: invites
- schema: v251007-1d3512f.invites.core.platform-mesh.io
- storage:
- crd: {}
- - group: core.platform-mesh.io
- name: stores
- schema: v250718-a64f278.stores.core.platform-mesh.io
- storage:
- crd: {}
+ latestResourceSchemas:
+ - v250718-a64f278.stores.core.platform-mesh.io
+ - v251007-1d3512f.invites.core.platform-mesh.io
+ - v260112-5925c7e.authorizationmodels.core.platform-mesh.io
+ - v260129-b6b2199.identityproviderconfigurations.core.platform-mesh.io
 status: {}
diff --git a/config/resources/apiresourceschema-identityproviderconfigurations.core.platform-mesh.io.yaml b/config/resources/apiresourceschema-identityproviderconfigurations.core.platform-mesh.io.yaml
index 68b0d22..cc9d66f 100644
--- a/config/resources/apiresourceschema-identityproviderconfigurations.core.platform-mesh.io.yaml
+++ b/config/resources/apiresourceschema-identityproviderconfigurations.core.platform-mesh.io.yaml
@@ -2,7 +2,7 @@ apiVersion: apis.kcp.io/v1alpha1
 kind: APIResourceSchema
 metadata:
 creationTimestamp: null
- name: v260123-dbda1fc.identityproviderconfigurations.core.platform-mesh.io
+ name: v260129-b6b2199.identityproviderconfigurations.core.platform-mesh.io
 spec:
 group: core.platform-mesh.io
 names:
@@ -76,8 +76,11 @@ spec:
 - redirectUris
 type: object
 type: array
+ registrationAllowed:
+ type: boolean
 required:
 - clients
+ - registrationAllowed
 type: object
 status:
 description: status defines the observed state of IdentityProviderConfiguration
diff --git a/internal/subroutine/idp.go b/internal/subroutine/idp.go
index 4f66b56..e0312e0 100644
--- a/internal/subroutine/idp.go
+++ b/internal/subroutine/idp.go
@@ -43,6 +43,7 @@ func NewIDPSubroutine(orgsClient client.Client, mgr mcmanager.Manager, cfg confi
 additionalRedirectURLs: cfg.IDP.AdditionalRedirectURLs,
 kubectlClientRedirectURLs: cfg.IDP.KubectlClientRedirectURLs,
 baseDomain: cfg.BaseDomain,
+ registrationAllowed: cfg.IDP.RegistrationAllowed,
 limiter: limiter,
 }
 }
@@ -55,6 +56,7 @@ type IDPSubroutine struct {
 additionalRedirectURLs []string
 kubectlClientRedirectURLs []string
 baseDomain string
+ registrationAllowed bool
 limiter workqueue.TypedRateLimiter[*v1alpha1.IdentityProviderConfiguration]
 }
@@ -116,6 +118,8 @@ func (i *IDPSubroutine) Process(ctx context.Context, instance runtimeobject.Runt
 idp := &v1alpha1.IdentityProviderConfiguration{ObjectMeta: metav1.ObjectMeta{Name: workspaceName}}
 _, err = controllerutil.CreateOrPatch(ctx, cl.GetClient(), idp, func() error {
+ idp.Spec.RegistrationAllowed = i.registrationAllowed
+
 for _, desired := range clients {
 idp.Spec.Clients = ensureClient(idp.Spec.Clients, desired)
 }
diff --git a/internal/subroutine/idp/subroutine.go b/internal/subroutine/idp/subroutine.go
index 5740f53..409438d 100644
--- a/internal/subroutine/idp/subroutine.go
+++ b/internal/subroutine/idp/subroutine.go
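Review bot: `idp.Spec.RegistrationAllowed = i.registrationAllowed` inside the CreateOrPatch mutate function overwrites the field on every reconcile, so the "toggle in idp spec" from the commit title is in practice a projection of the operator-wide `cfg.IDP.RegistrationAllowed` and cannot be set per workspace — nothing in the hunk says whether that is intended. If it is, make it explicit with `// Operator config is authoritative: a manual edit of spec.registrationAllowed is reverted on the next reconcile.`; if a per-workspace toggle was wanted, seed it only on create, e.g. `if idp.CreationTimestamp.IsZero() { idp.Spec.RegistrationAllowed = i.registrationAllowed }`. Either way, a principal with write access to IdentityProviderConfiguration in the workspace can still flip the field, and the idp subroutine in this patch appears to push the spec value to Keycloak until this controller next runs, so access to this resource should be restricted by RBAC or admission rather than relying on the overwrite. Process continues outside the hunk.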
@@ -145,7 +145,7 @@ func (s *subroutine) Process(ctx context.Context, instance runtimeobject.Runtime
 realmName := idpConfig.Name
 oidcClient, adminClient := s.newOIDCClient(realmName)
- if err := s.ensureRealm(ctx, adminClient, realmName, log); err != nil {
+ if err := s.ensureRealm(ctx, adminClient, realmName, idpConfig.Spec.RegistrationAllowed, log); err != nil {
 return ctrl.Result{}, errors.NewOperatorError(err, true, false)
 }
@@ -183,14 +183,14 @@ func (s *subroutine) Process(ctx context.Context, instance runtimeobject.Runtime
 return ctrl.Result{}, nil
 }
-func (s *subroutine) ensureRealm(ctx context.Context, adminClient *keycloak.AdminClient, realmName string, log *logger.Logger) error {
+func (s *subroutine) ensureRealm(ctx context.Context, adminClient *keycloak.AdminClient, realmName string, registrationAllowed bool, log *logger.Logger) error {
 realmConfig := keycloak.RealmConfig{
 Realm: realmName,
 DisplayName: realmName,
 Enabled: true,
 LoginWithEmailAllowed: true,
 RegistrationEmailAsUsername: true,
- RegistrationAllowed: s.cfg.IDP.RegistrationAllowed,
+ RegistrationAllowed: registrationAllowed,
 SSOSessionIdleTimeout: s.cfg.IDP.AccessTokenLifespan,
 AccessTokenLifespan: s.cfg.IDP.AccessTokenLifespan,
 }

From ad3d0b7d5b4fe1f30919e14573cadfe5cf466985 Mon Sep 17 00:00:00 2001
From: OlegErshov
Date: Thu, 29 Jan 2026 12:24:39 +0100
Subject: [PATCH 2/2] chore: updated apiexport

On-behalf-of: SAP aleh.yarshou@sap.com
---
 Taskfile.yaml | 2 +-
 .../apiexport-core.platform-mesh.io.yaml | 28 +++++++++++++++----
 2 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/Taskfile.yaml b/Taskfile.yaml
index 6ba3e68..554369e 100644
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@@ -7,7 +7,7 @@ vars:
 ENVTEST_VERSION: release-0.19
 CRD_DIRECTORY: config/crd/bases
 KCP_APIGEN_VERSION: v0.29.0
- KCP_VERSION: 0.28.3
+ KCP_VERSION: 0.29.0
 GOLANGCI_LINT_VERSION: v2.8.0
 GOARCH:
 sh: go env GOARCH
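Review bot: `RegistrationAllowed: registrationAllowed` now opens realm self-registration from a value read out of the CR, while the same `realmConfig` keeps `RegistrationEmailAsUsername: true` and sets nothing for email verification, so when the flag is true any unauthenticated visitor can create an account under an arbitrary e-mail address in that realm. If `keycloak.RealmConfig` exposes Keycloak's verify-email setting, set it next to the flag (`VerifyEmail: true,`); if it does not, leave `// TODO(security): registration can be enabled without email verification — confirm VerifyEmail is enforced elsewhere` on that line so the gap is not lost. ensureRealm also grew to five positional parameters and has no doc comment; suggest `// ensureRealm creates or updates the Keycloak realm realmName; registrationAllowed comes from spec.registrationAllowed and is re-applied on every reconcile.` ensureRealm's body continues past the end of the hunk.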
diff --git a/config/resources/apiexport-core.platform-mesh.io.yaml b/config/resources/apiexport-core.platform-mesh.io.yaml
index 6d8d9aa..6dcf341 100644
--- a/config/resources/apiexport-core.platform-mesh.io.yaml
+++ b/config/resources/apiexport-core.platform-mesh.io.yaml
@@ -1,12 +1,28 @@
-apiVersion: apis.kcp.io/v1alpha1
+apiVersion: apis.kcp.io/v1alpha2
 kind: APIExport
 metadata:
 creationTimestamp: null
 name: core.platform-mesh.io
 spec:
- latestResourceSchemas:
- - v250718-a64f278.stores.core.platform-mesh.io
- - v251007-1d3512f.invites.core.platform-mesh.io
- - v260112-5925c7e.authorizationmodels.core.platform-mesh.io
- - v260129-b6b2199.identityproviderconfigurations.core.platform-mesh.io
+ resources:
+ - group: core.platform-mesh.io
+ name: authorizationmodels
+ schema: v260112-5925c7e.authorizationmodels.core.platform-mesh.io
+ storage:
+ crd: {}
+ - group: core.platform-mesh.io
+ name: identityproviderconfigurations
+ schema: v260129-b6b2199.identityproviderconfigurations.core.platform-mesh.io
+ storage:
+ crd: {}
+ - group: core.platform-mesh.io
+ name: invites
+ schema: v251007-1d3512f.invites.core.platform-mesh.io
+ storage:
+ crd: {}
+ - group: core.platform-mesh.io
+ name: stores
+ schema: v250718-a64f278.stores.core.platform-mesh.io
+ storage:
+ crd: {}
 status: {}