feat: adding improved support for custom account types (#118)

* feat: allow configurable custom account types in webhook

On-behalf-of: @SAP <simon@simontesar.com>

* feat: support custom account types with pre-provisioned workspace types

On-behalf-of: @SAP <simon@simontesar.com>

* feat: remove "account" from default accounttypes

On-behalf-of: @SAP <simon@simontesar.com>

* feat: remove enum from account.spec.accounttype

On-behalf-of: @SAP <simon@simontesar.com>

* feat: treat all non-org accounts the same("account" accountType is not special)

On-behalf-of: @SAP <simon@simontesar.com>

* fix: use right workspace type

* fix: correct additional account types cli flag binding

On-behalf-of: @SAP <simon@simontesar.com>

* fix: update test setup to match custom account types changes

- Update APIExport schema reference to use correct version
- Fix test expectation for workspace type naming

Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com>
On-behalf-of: @SAP <bastian.echterhoelter@sap.com>

* feat: add org label to generated workspace types

- Add core.platform-mesh.io/org label to org and account workspace types
- Rename subroutine constants to shorter names

Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com>
On-behalf-of: @SAP <bastian.echterhoelter@sap.com>

---------

Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com>
Co-authored-by: I547291 <aaron.schweig@sap.com>
Co-authored-by: Bastian Echterhölter <bastian.echterhoelter@sap.com>

Author: 3 people

api/v1alpha1/account_types.go

@@ -31,7 +31,6 @@ const (
 // AccountSpec defines the desired state of Account
 type AccountSpec struct {
 	// Type specifies the intended type for this Account object.
-	// +kubebuilder:validation:Enum=org;account
 	Type AccountType `json:"type"`
 
 	// The display name for this account

api/v1alpha1/account_webhook.go

@@ -12,11 +12,11 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
-func SetupAccountWebhookWithManager(mgr ctrl.Manager, denyList []string) error {
+func SetupAccountWebhookWithManager(mgr ctrl.Manager, organizationNameDenyList []string, accountTypeAllowList []AccountType) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(&Account{}).
 		WithDefaulter(&AccountDefaulter{}).
-		WithValidator(&AccountValidator{DenyList: denyList}).
+		WithValidator(&AccountValidator{OrganizationNameDenyList: organizationNameDenyList, AccountTypeAllowList: accountTypeAllowList}).
 		Complete()
 }
 
@@ -40,11 +40,17 @@ var _ webhook.CustomDefaulter = &AccountDefaulter{}
 var _ webhook.CustomValidator = &AccountValidator{}
 
 type AccountValidator struct {
-	DenyList []string
+	OrganizationNameDenyList []string
+	AccountTypeAllowList     []AccountType
 }
 
 func (v *AccountValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
 	account := obj.(*Account)
+
+	if !slices.Contains(v.AccountTypeAllowList, account.Spec.Type) {
+		return nil, fmt.Errorf("account type %s not in allowlist", account.Spec.Type)
+	}
+
 	if account.Spec.Type != AccountTypeOrg {
 		return nil, nil
 	}
@@ -53,7 +59,7 @@ func (v *AccountValidator) ValidateCreate(ctx context.Context, obj runtime.Objec
 		return nil, fmt.Errorf("organization name %q is too short, must be at least 3 characters", account.Name)
 	}
 
-	if slices.Contains(v.DenyList, account.Name) {
+	if slices.Contains(v.OrganizationNameDenyList, account.Name) {
 		return nil, fmt.Errorf("organization name %q is not allowed", account.Name)
 	}
 
@@ -63,6 +69,10 @@ func (v *AccountValidator) ValidateCreate(ctx context.Context, obj runtime.Objec
 func (v *AccountValidator) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
 	account := newObj.(*Account)
 
+	if !slices.Contains(v.AccountTypeAllowList, account.Spec.Type) {
+		return nil, fmt.Errorf("account type %s not in allowlist", account.Spec.Type)
+	}
+
 	if account.Spec.Type != AccountTypeOrg {
 		return nil, nil
 	}
@@ -71,7 +81,7 @@ func (v *AccountValidator) ValidateUpdate(ctx context.Context, oldObj, newObj ru
 		return nil, fmt.Errorf("organization name %q is too short, must be at least 3 characters", account.Name)
 	}
 
-	if slices.Contains(v.DenyList, account.Name) {
+	if slices.Contains(v.OrganizationNameDenyList, account.Name) {
 		return nil, fmt.Errorf("organization name %q is not allowed", account.Name)
 	}
 

api/v1alpha1/account_webhook_test.go

@@ -39,7 +39,7 @@ func TestAccountValidator_ValidateCreate(t *testing.T) {
 			name: "non-organization account with denied name",
 			account: &Account{
 				ObjectMeta: metav1.ObjectMeta{Name: "admin"},
-				Spec:       AccountSpec{Type: "personal"},
+				Spec:       AccountSpec{Type: "account"},
 			},
 			denyList:    []string{"admin", "root", "system"},
 			expectError: false,
@@ -67,7 +67,7 @@ func TestAccountValidator_ValidateCreate(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			validator := &AccountValidator{DenyList: tt.denyList}
+			validator := &AccountValidator{OrganizationNameDenyList: tt.denyList, AccountTypeAllowList: []AccountType{AccountTypeAccount, AccountTypeOrg}}
 			_, err := validator.ValidateCreate(context.Background(), tt.account)
 
 			if tt.expectError {
@@ -117,10 +117,10 @@ func TestAccountValidator_ValidateUpdate(t *testing.T) {
 			expectError: false,
 		},
 		{
-			name: "changing from personal to organization with denied name",
+			name: "changing from account to organization with denied name",
 			oldAccount: &Account{
 				ObjectMeta: metav1.ObjectMeta{Name: "admin"},
-				Spec:       AccountSpec{Type: "personal"},
+				Spec:       AccountSpec{Type: "account"},
 			},
 			newAccount: &Account{
 				ObjectMeta: metav1.ObjectMeta{Name: "admin"},
@@ -131,10 +131,10 @@ func TestAccountValidator_ValidateUpdate(t *testing.T) {
 			errorMsg:    `organization name "admin" is not allowed`,
 		},
 		{
-			name: "changing from personal to organization with allowed name",
+			name: "changing from account to organization with allowed name",
 			oldAccount: &Account{
 				ObjectMeta: metav1.ObjectMeta{Name: "my-account"},
-				Spec:       AccountSpec{Type: "personal"},
+				Spec:       AccountSpec{Type: "account"},
 			},
 			newAccount: &Account{
 				ObjectMeta: metav1.ObjectMeta{Name: "my-account"},
@@ -144,27 +144,27 @@ func TestAccountValidator_ValidateUpdate(t *testing.T) {
 			expectError: false,
 		},
 		{
-			name: "changing from organization to personal with denied name",
+			name: "changing from organization to account with denied name",
 			oldAccount: &Account{
 				ObjectMeta: metav1.ObjectMeta{Name: "admin"},
 				Spec:       AccountSpec{Type: "org"},
 			},
 			newAccount: &Account{
 				ObjectMeta: metav1.ObjectMeta{Name: "admin"},
-				Spec:       AccountSpec{Type: "personal"},
+				Spec:       AccountSpec{Type: "account"},
 			},
 			denyList:    []string{"admin", "root", "system"},
 			expectError: false,
 		},
 		{
-			name: "updating personal account with denied name",
+			name: "updating account account with denied name",
 			oldAccount: &Account{
 				ObjectMeta: metav1.ObjectMeta{Name: "admin"},
-				Spec:       AccountSpec{Type: "personal"},
+				Spec:       AccountSpec{Type: "account"},
 			},
 			newAccount: &Account{
 				ObjectMeta: metav1.ObjectMeta{Name: "admin"},
-				Spec:       AccountSpec{Type: "personal"},
+				Spec:       AccountSpec{Type: "account"},
 			},
 			denyList:    []string{"admin", "root", "system"},
 			expectError: false,
@@ -200,7 +200,7 @@ func TestAccountValidator_ValidateUpdate(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			validator := &AccountValidator{DenyList: tt.denyList}
+			validator := &AccountValidator{OrganizationNameDenyList: tt.denyList, AccountTypeAllowList: []AccountType{AccountTypeAccount, AccountTypeOrg}}
 			_, err := validator.ValidateUpdate(context.Background(), tt.oldAccount, tt.newAccount)
 
 			if tt.expectError {

api/v1alpha1/zz_generated.deepcopy.go

@@ -169,8 +169,13 @@ func RunController(_ *cobra.Command, _ []string) { // coverage-ignore
 			}
 		}
 
+		accountTypeAllowList := []v1alpha1.AccountType{v1alpha1.AccountTypeOrg}
+		for _, additionalType := range operatorCfg.Webhooks.AdditionalAccountTypes {
+			accountTypeAllowList = append(accountTypeAllowList, v1alpha1.AccountType(additionalType))
+		}
+
 		log.Info().Strs("deniedNames", denyList).Msg("webhooks are enabled")
-		if err := v1alpha1.SetupAccountWebhookWithManager(mgr.GetLocalManager(), denyList); err != nil {
+		if err := v1alpha1.SetupAccountWebhookWithManager(mgr.GetLocalManager(), denyList, accountTypeAllowList); err != nil {
 			log.Fatal().Err(err).Str("webhook", "Account").Msg("unable to create webhook")
 		}
 	}

cmd/operator.go

@@ -97,9 +97,6 @@ spec:
                 type: array
               type:
                 description: Type specifies the intended type for this Account object.
-                enum:
-                - org
-                - account
                 type: string
             required:
             - displayName

config/crd/core.platform-mesh.io_accounts.yaml

@@ -2,7 +2,7 @@ apiVersion: apis.kcp.io/v1alpha1
 kind: APIResourceSchema
 metadata:
   creationTimestamp: null
-  name: v250915-1185c0b.accounts.core.platform-mesh.io
+  name: v260109-82344be.accounts.core.platform-mesh.io
 spec:
   group: core.platform-mesh.io
   names:
@@ -93,9 +93,6 @@ spec:
               type: array
             type:
               description: Type specifies the intended type for this Account object.
-              enum:
-              - org
-              - account
               type: string
           required:
           - displayName

config/resources/apiresourceschema-accounts.core.platform-mesh.io.yaml

@@ -3,10 +3,11 @@ package config
 // OperatorConfig struct to hold the app config
 type OperatorConfig struct {
 	Webhooks struct {
-		Enabled  bool   `mapstructure:"webhooks-enabled" default:"false"`
-		CertDir  string `mapstructure:"webhooks-cert-dir" default:"certs"`
-		Port     int    `mapstructure:"webhooks-port" default:"9443"`
-		DenyList string `mapstructure:"webhooks-deny-list"`
+		Enabled                bool     `mapstructure:"webhooks-enabled" default:"false"`
+		CertDir                string   `mapstructure:"webhooks-cert-dir" default:"certs"`
+		Port                   int      `mapstructure:"webhooks-port" default:"9443"`
+		DenyList               string   `mapstructure:"webhooks-deny-list"`
+		AdditionalAccountTypes []string `mapstructure:"webhooks-additional-account-types"`
 	} `mapstructure:",squash"`
 	Subroutines struct {
 		WorkspaceType struct {

internal/config/config.go

@@ -241,7 +241,7 @@ func (s *AccountTestSuite) verifyWorkspace(ctx context.Context, orgName, account
 	s.Require().NoError(s.rootOrgsDefaultClient.Get(ctx, types.NamespacedName{Name: accountName}, workspace))
 	s.Equal(accountName, workspace.Name)
 	s.NotNil(workspace.Spec.Type)
-	expectedType := kcptenancyv1alpha.WorkspaceTypeName(fmt.Sprintf("%s-acc", orgName))
+	expectedType := kcptenancyv1alpha.WorkspaceTypeName(fmt.Sprintf("%s-%s", orgName, v1alpha1.AccountTypeAccount))
 	s.Equal(expectedType, workspace.Spec.Type.Name)
 }
 

internal/controller/account_controller_test.go

@@ -6,7 +6,7 @@ metadata:
 spec:
   latestResourceSchemas:
     - v260126-7c674ee.accountinfos.core.platform-mesh.io
-    - v250915-1185c0b.accounts.core.platform-mesh.io
+    - v260109-82344be.accounts.core.platform-mesh.io
   permissionClaims:
     - resource: apibindings
       group: apis.kcp.io