platform-mesh · OlegErshov · Jan 29, 2026 · Jan 29, 2026
diff --git a/Taskfile.yaml b/Taskfile.yaml
@@ -7,7 +7,7 @@ vars:
   ENVTEST_VERSION: release-0.19
   CRD_DIRECTORY: config/crd/bases
   KCP_APIGEN_VERSION: v0.29.0
-  KCP_VERSION: 0.28.3
+  KCP_VERSION: 0.29.0
   GOLANGCI_LINT_VERSION: v2.8.0
   GOARCH:
     sh: go env GOARCH

diff --git a/api/v1alpha1/identityproviderconfiguration_types.go b/api/v1alpha1/identityproviderconfiguration_types.go
@@ -25,7 +25,8 @@ type IdentityProviderClientConfig struct {
 
 // IdentityProviderConfigurationSpec defines the desired state of IdentityProviderConfiguration
 type IdentityProviderConfigurationSpec struct {
-	Clients []IdentityProviderClientConfig `json:"clients"`
+	RegistrationAllowed bool                           `json:"registrationAllowed"`
+	Clients             []IdentityProviderClientConfig `json:"clients"`
 }
 
 // ManagedClient tracks a client that is managed by the operator.

diff --git a/config/crd/bases/core.platform-mesh.io_identityproviderconfigurations.yaml b/config/crd/bases/core.platform-mesh.io_identityproviderconfigurations.yaml
@@ -79,8 +79,11 @@ spec:
                   - redirectUris
                   type: object
                 type: array
+              registrationAllowed:
+                type: boolean
             required:
             - clients
+            - registrationAllowed
             type: object
           status:
             description: status defines the observed state of IdentityProviderConfiguration

diff --git a/config/resources/apiexport-core.platform-mesh.io.yaml b/config/resources/apiexport-core.platform-mesh.io.yaml
@@ -12,7 +12,7 @@ spec:
       crd: {}
   - group: core.platform-mesh.io
     name: identityproviderconfigurations
-    schema: v260123-dbda1fc.identityproviderconfigurations.core.platform-mesh.io
+    schema: v260129-b6b2199.identityproviderconfigurations.core.platform-mesh.io
     storage:
       crd: {}
   - group: core.platform-mesh.io

diff --git a/config/resources/apiresourceschema-identityproviderconfigurations.core.platform-mesh.io.yaml b/config/resources/apiresourceschema-identityproviderconfigurations.core.platform-mesh.io.yaml
@@ -2,7 +2,7 @@ apiVersion: apis.kcp.io/v1alpha1
 kind: APIResourceSchema
 metadata:
   creationTimestamp: null
-  name: v260123-dbda1fc.identityproviderconfigurations.core.platform-mesh.io
+  name: v260129-b6b2199.identityproviderconfigurations.core.platform-mesh.io
 spec:
   group: core.platform-mesh.io
   names:
@@ -76,8 +76,11 @@ spec:
                 - redirectUris
                 type: object
               type: array
+            registrationAllowed:
+              type: boolean
           required:
           - clients
+          - registrationAllowed
           type: object
         status:
           description: status defines the observed state of IdentityProviderConfiguration

diff --git a/internal/subroutine/idp.go b/internal/subroutine/idp.go
@@ -43,6 +43,7 @@ func NewIDPSubroutine(orgsClient client.Client, mgr mcmanager.Manager, cfg confi
 		additionalRedirectURLs:    cfg.IDP.AdditionalRedirectURLs,
 		kubectlClientRedirectURLs: cfg.IDP.KubectlClientRedirectURLs,
 		baseDomain:                cfg.BaseDomain,
+		registrationAllowed:       cfg.IDP.RegistrationAllowed,
 		limiter:                   limiter,
 	}
 }
@@ -55,6 +56,7 @@ type IDPSubroutine struct {
 	additionalRedirectURLs    []string
 	kubectlClientRedirectURLs []string
 	baseDomain                string
+	registrationAllowed       bool
 	limiter                   workqueue.TypedRateLimiter[*v1alpha1.IdentityProviderConfiguration]
 }
 
@@ -116,6 +118,8 @@ func (i *IDPSubroutine) Process(ctx context.Context, instance runtimeobject.Runt
 
 	idp := &v1alpha1.IdentityProviderConfiguration{ObjectMeta: metav1.ObjectMeta{Name: workspaceName}}
 	_, err = controllerutil.CreateOrPatch(ctx, cl.GetClient(), idp, func() error {
+		idp.Spec.RegistrationAllowed = i.registrationAllowed
+
 		for _, desired := range clients {
 			idp.Spec.Clients = ensureClient(idp.Spec.Clients, desired)
 		}

diff --git a/internal/subroutine/idp/subroutine.go b/internal/subroutine/idp/subroutine.go
@@ -145,7 +145,7 @@ func (s *subroutine) Process(ctx context.Context, instance runtimeobject.Runtime
 	realmName := idpConfig.Name
 	oidcClient, adminClient := s.newOIDCClient(realmName)
 
-	if err := s.ensureRealm(ctx, adminClient, realmName, log); err != nil {
+	if err := s.ensureRealm(ctx, adminClient, realmName, idpConfig.Spec.RegistrationAllowed, log); err != nil {
 		return ctrl.Result{}, errors.NewOperatorError(err, true, false)
 	}
 
@@ -183,14 +183,14 @@ func (s *subroutine) Process(ctx context.Context, instance runtimeobject.Runtime
 	return ctrl.Result{}, nil
 }
 
-func (s *subroutine) ensureRealm(ctx context.Context, adminClient *keycloak.AdminClient, realmName string, log *logger.Logger) error {
+func (s *subroutine) ensureRealm(ctx context.Context, adminClient *keycloak.AdminClient, realmName string, registrationAllowed bool, log *logger.Logger) error {
 	realmConfig := keycloak.RealmConfig{
 		Realm:                       realmName,
 		DisplayName:                 realmName,
 		Enabled:                     true,
 		LoginWithEmailAllowed:       true,
 		RegistrationEmailAsUsername: true,
-		RegistrationAllowed:         s.cfg.IDP.RegistrationAllowed,
+		RegistrationAllowed:         registrationAllowed,
 		SSOSessionIdleTimeout:       s.cfg.IDP.AccessTokenLifespan,
 		AccessTokenLifespan:         s.cfg.IDP.AccessTokenLifespan,
 	}