ApplicationCredential Type Declaration

gndrmnn · gndrmnn · commit 5829389c5295 · 2026-03-30T11:01:07.000+02:00
On-behalf-of: SAP nils.gondermann@sap.com
diff --git a/api/v1alpha1/applicationcredential_types.go b/api/v1alpha1/applicationcredential_types.go
@@ -16,7 +16,42 @@ limitations under the License.
 
 package v1alpha1
 
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +kubebuilder:validation:Enum:=CONNECT;DELETE;GET;HEAD;OPTIONS;PATCH;POST;PUT;TRACE
+type HTTPMethod string
+
+const (
+	HTTPMethodCONNECT HTTPMethod = "CONNECT"
+	HTTPMethodDELETE  HTTPMethod = "DELETE"
+	HTTPMethodGET     HTTPMethod = "GET"
+	HTTPMethodHEAD    HTTPMethod = "HEAD"
+	HTTPMethodOPTIONS HTTPMethod = "OPTIONS"
+	HTTPMethodPATCH   HTTPMethod = "PATCH"
+	HTTPMethodPOST    HTTPMethod = "POST"
+	HTTPMethodPUT     HTTPMethod = "PUT"
+	HTTPMethodTRACE   HTTPMethod = "TRACE"
+)
+
+// ApplicationCredentialAccessRule defines an access rule
+// +kubebuilder:validation:MinProperties:=1
+type ApplicationCredentialAccessRule struct {
+	// path that the application credential is permitted to access
+	// +kubebuilder:validation:MaxLength=1024
+	// +optional
+	Path *string `json:"path,omitempty"`
+
+	// method that the application credential is permitted to use for a given API endpoint
+	// +optional
+	Method *HTTPMethod `json:"method,omitempty"`
+
+	// serviceRef identifier for the service that the application credential is permitted to access
+	// +optional
+	ServiceRef *KubernetesNameRef `json:"serviceRef,omitempty"`
+}
+
 // ApplicationCredentialResourceSpec contains the desired state of the resource.
+// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="ApplicationCredentialResourceSpec is immutable"
 type ApplicationCredentialResourceSpec struct {
 	// name will be the name of the created resource. If not specified, the
 	// name of the ORC object will be used.
@@ -31,38 +66,95 @@ type ApplicationCredentialResourceSpec struct {
 
 	// userRef is a reference to the ORC User which this resource is associated with.
 	// +required
-	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="userRef is immutable"
 	UserRef KubernetesNameRef `json:"userRef,omitempty"`
 
-	// TODO(scaffolding): Add more types.
-	// To see what is supported, you can take inspiration from the CreateOpts structure from
-	// github.com/gophercloud/gophercloud/v2/openstack/identity/v3/applicationcredentials
-	//
-	// Until you have implemented mutability for the field, you must add a CEL validation
-	// preventing the field being modified:
-	// `// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="<fieldname> is immutable"`
+	// unrestricted is a flag indicating whether the application credential may be used for creation or destruction of other application credentials or trusts
+	// +optional
+	Unrestricted *bool `json:"unrestricted,omitempty"`
+
+	// secret used to authenticate against the API
+	// +required
+	Secret ApplicationCredentialSecretSpec `json:"secret,omitempty,omitzero"`
+
+	// roleRefs may only contain roles that the user has assigned on the project. If not provided, the roles assigned to the application credential will be the same as the roles in the current token.
+	// +kubebuilder:validation:MaxItems:=256
+	// +listType=atomic
+	// +optional
+	RoleRefs []KubernetesNameRef `json:"roleRefs,omitempty"`
+
+	// accessRules is a list of fine grained access control rules
+	// +kubebuilder:validation:MaxItems:=256
+	// +listType=atomic
+	// +optional
+	AccessRules []ApplicationCredentialAccessRule `json:"accessRules,omitempty"`
+
+	// expiresAt is the time of expiration for the application credential. If unset, the application credential does not expire.
+	// +optional
+	ExpiresAt *metav1.Time `json:"expiresAt,omitempty"`
 }
 
-// ApplicationCredentialFilter defines an existing resource by its properties
 // +kubebuilder:validation:MinProperties:=1
+// +kubebuilder:validation:MaxProperties:=1
+type ApplicationCredentialSecretSpec struct {
+	// secretRef is a reference to a Secret containing the application credential secret
+	// +required
+	SecretRef KubernetesNameRef `json:"secretRef,omitempty"`
+}
+
+// ApplicationCredentialFilter defines an existing resource by its properties
+// +kubebuilder:validation:MinProperties:=2
 type ApplicationCredentialFilter struct {
+	// userRef is a reference to the ORC User which this resource is associated with.
+	// +required
+	UserRef KubernetesNameRef `json:"userRef,omitempty"`
+
 	// name of the existing resource
 	// +optional
 	Name *OpenStackName `json:"name,omitempty"`
 
 	// description of the existing resource
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=255
+	// +kubebuilder:validation:MaxLength:=1024
 	// +optional
 	Description *string `json:"description,omitempty"`
+}
 
-	// userRef is a reference to the ORC User which this resource is associated with.
+type ApplicationCredentialRoleStatus struct {
+	// name of an existing role
+	// +kubebuilder:validation:MaxLength:=1024
 	// +optional
-	UserRef *KubernetesNameRef `json:"userRef,omitempty"`
+	Name *string `json:"name,omitempty"`
 
-	// TODO(scaffolding): Add more types.
-	// To see what is supported, you can take inspiration from the ListOpts structure from
-	// github.com/gophercloud/gophercloud/v2/openstack/identity/v3/applicationcredentials
+	// id is the ID of a role
+	// +kubebuilder:validation:MaxLength:=1024
+	// +optional
+	ID *string `json:"id,omitempty"`
+
+	// domainID of the domain of this role
+	// +kubebuilder:validation:MaxLength:=1024
+	// +optional
+	DomainID *string `json:"domainID,omitempty"`
+}
+
+type ApplicationCredentialAccessRuleStatus struct {
+	// id is the ID of this access rule
+	// +kubebuilder:validation:MaxLength:=1024
+	// +optional
+	ID *string `json:"id,omitempty"`
+
+	// path that the application credential is permitted to access
+	// +kubebuilder:validation:MaxLength:=1024
+	// +optional
+	Path *string `json:"path,omitempty"`
+
+	// method that the application credential is permitted to use for a given API endpoint
+	// +kubebuilder:validation:MaxLength=32
+	// +optional
+	Method *string `json:"method,omitempty"`
+
+	// service type identifier for the service that the application credential is permitted to access
+	// +kubebuilder:validation:MaxLength:=1024
+	// +optional
+	Service *string `json:"service,omitempty"`
 }
 
 // ApplicationCredentialResourceStatus represents the observed state of the resource.
@@ -77,12 +169,28 @@ type ApplicationCredentialResourceStatus struct {
 	// +optional
 	Description string `json:"description,omitempty"`
 
-	// userID is the ID of the User to which the resource is associated.
+	// unrestricted is a flag indicating whether the application credential may be used for creation or destruction of other application credentials or trusts
+	// +optional
+	Unrestricted bool `json:"unrestricted,omitempty"`
+
+	// projectID of the project the application credential was created for and that authentication requests using this application credential will be scoped to.
 	// +kubebuilder:validation:MaxLength=1024
 	// +optional
-	UserID string `json:"userID,omitempty"`
+	ProjectID string `json:"projectID,omitempty"`
+
+	// roles is a list of role objects may only contain roles that the user has assigned on the project
+	// +kubebuilder:validation:MaxItems:=64
+	// +listType=atomic
+	// +optional
+	Roles []ApplicationCredentialRoleStatus `json:"roles"`
 
-	// TODO(scaffolding): Add more types.
-	// To see what is supported, you can take inspiration from the ApplicationCredential structure from
-	// github.com/gophercloud/gophercloud/v2/openstack/identity/v3/applicationcredentials
+	// expiresAt is the time of expiration for the application credential. If unset, the application credential does not expire.
+	// +optional
+	ExpiresAt *metav1.Time `json:"expiresAt"`
+
+	// accessRules is a list of fine grained access control rules
+	// +kubebuilder:validation:MaxItems:=64
+	// +listType=atomic
+	// +optional
+	AccessRules []ApplicationCredentialAccessRuleStatus `json:"accessRules,omitempty"`
 }
