v1alpha1

package v0.8.2

This package is not in the latest version of its module.

Published: Feb 25, 2026 License: Apache-2.0 Imports: 3 Imported by: 0

Documentation

Overview

Package v1alpha1 contains API Schema definitions for the tenant v1alpha1 API group.

+kubebuilder:object:generate=true
+groupName=tenant.otterscale.io

Index

Constants

This section is empty.

Variables

var (
	// GroupVersion is group version used to register these objects.
	GroupVersion = schema.GroupVersion{Group: "tenant.otterscale.io", Version: "v1alpha1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)

Functions

This section is empty.

Types

type MemberRole

type MemberRole string

MemberRole defines the role of a member in the workspace. It determines the RBAC permissions granted within the target namespace.

+kubebuilder:validation:Enum=admin;edit;view
+enum

const (
	// MemberRoleAdmin has full control over the workspace resources.
	MemberRoleAdmin MemberRole = "admin"
	// MemberRoleEdit can create/update application resources but cannot modify role bindings.
	MemberRoleEdit MemberRole = "edit"
	// MemberRoleView has read-only access to resources.
	MemberRoleView MemberRole = "view"
)

type NetworkIsolationSpec

type NetworkIsolationSpec struct {
	// Enabled toggles the enforcement of network isolation.
	// If true, default deny-all ingress rules are applied except for allowed namespaces.
	// +optional
	Enabled bool `json:"enabled"`

	// AllowedNamespaces specifies a list of external namespaces permitted to access this workspace
	// when isolation is enabled. Essential system namespaces (e.g., 'istio-system', 'monitoring')
	// should be included here if required.
	// +listType=set
	// +kubebuilder:validation:MaxItems=64
	// +kubebuilder:validation:items:MinLength=1
	// +kubebuilder:validation:items:MaxLength=63
	// +kubebuilder:validation:items:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?)$`
	// +optional
	AllowedNamespaces []string `json:"allowedNamespaces,omitempty"`
}

NetworkIsolationSpec configures network policies for the workspace. It supports both standard NetworkPolicy and Istio AuthorizationPolicy.

+kubebuilder:validation:XValidation:rule="!has(self.allowedNamespaces) || size(self.allowedNamespaces) == 0 || self.enabled",message="allowedNamespaces can only be set when network isolation is enabled"

func (*NetworkIsolationSpec) DeepCopy

func (in *NetworkIsolationSpec) DeepCopy() *NetworkIsolationSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkIsolationSpec.

func (*NetworkIsolationSpec) DeepCopyInto

func (in *NetworkIsolationSpec) DeepCopyInto(out *NetworkIsolationSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ResourceReference

type ResourceReference struct {
	// Name is the name of the referenced resource.
	// +required
	Name string `json:"name"`

	// Namespace is the namespace of the referenced resource.
	// Empty for cluster-scoped resources.
	// +optional
	Namespace string `json:"namespace,omitempty"`
}

ResourceReference is a lightweight reference to a Kubernetes resource managed by the operator.

func (*ResourceReference) DeepCopy

func (in *ResourceReference) DeepCopy() *ResourceReference

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceReference.

func (*ResourceReference) DeepCopyInto

func (in *ResourceReference) DeepCopyInto(out *ResourceReference)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Workspace

type Workspace struct {
	metav1.TypeMeta `json:",inline"`

	// Standard object's metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitzero"`

	// Spec defines the desired behavior of the Workspace.
	// +required
	Spec WorkspaceSpec `json:"spec"`

	// Status represents the current information about the Workspace.
	// +optional
	Status WorkspaceStatus `json:"status,omitzero"`
}

Workspace is the Schema for the workspaces API. A Workspace represents a logical isolation unit (Namespace) with associated policies, quotas, and member access.

func (*Workspace) DeepCopy

func (in *Workspace) DeepCopy() *Workspace

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Workspace.

func (*Workspace) DeepCopyInto

func (in *Workspace) DeepCopyInto(out *Workspace)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Workspace) DeepCopyObject

func (in *Workspace) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type WorkspaceList

type WorkspaceList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitzero"`
	Items           []Workspace `json:"items"`
}

WorkspaceList contains a list of Workspace resources.

func (*WorkspaceList) DeepCopy

func (in *WorkspaceList) DeepCopy() *WorkspaceList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkspaceList.

func (*WorkspaceList) DeepCopyInto

func (in *WorkspaceList) DeepCopyInto(out *WorkspaceList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*WorkspaceList) DeepCopyObject

func (in *WorkspaceList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type WorkspaceMember

type WorkspaceMember struct {
	// Role defines the authorization level (Admin, Edit, View).
	// +required
	Role MemberRole `json:"role"`

	// Subject is the unique identifier of the member (e.g., OIDC subject or username).
	// This identifier maps directly to the Kubernetes RBAC Subject.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=63
	// +kubebuilder:validation:Pattern=`^([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$`
	// +required
	Subject string `json:"subject"`

	// Name is the human-readable display name of the member.
	// +optional
	Name *string `json:"name,omitempty"`
}

WorkspaceMember defines a single member entity associated with a workspace.

func (*WorkspaceMember) DeepCopy

func (in *WorkspaceMember) DeepCopy() *WorkspaceMember

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkspaceMember.

func (*WorkspaceMember) DeepCopyInto

func (in *WorkspaceMember) DeepCopyInto(out *WorkspaceMember)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type WorkspaceSpec

type WorkspaceSpec struct {
	// Namespace is the name of the Kubernetes Namespace to be created for this workspace.
	// It must be unique across all Workspaces.
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:MaxLength=63
	// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?)$`
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="namespace is immutable"
	// +kubebuilder:validation:XValidation:rule="!(self in ['default','kube-system','kube-public','kube-node-lease','otterscale-system'])",message="namespace is reserved and cannot be used for a workspace"
	// +required
	Namespace string `json:"namespace"`

	// Members is the list of members granted access to this workspace.
	// +listType=map
	// +listMapKey=subject
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:XValidation:rule="self.exists(u, u.role == 'admin')",message="at least one workspace member must have role 'admin'"
	// +required
	Members []WorkspaceMember `json:"members"`

	// ResourceQuota defines the compute resource constraints (CPU, Memory, etc.) applied to the underlying namespace.
	// The actual schema is composed at runtime by the Schema RPC from the core/v1 ResourceQuota.
	// +kubebuilder:pruning:PreserveUnknownFields
	// +optional
	ResourceQuota *runtime.RawExtension `json:"resourceQuota,omitempty"`

	// LimitRange defines the default resource limits and requests for pods in the workspace.
	// The actual schema is composed at runtime by the Schema RPC from the core/v1 LimitRange.
	// +kubebuilder:pruning:PreserveUnknownFields
	// +optional
	LimitRange *runtime.RawExtension `json:"limitRange,omitempty"`

	// NetworkIsolation defines the ingress traffic rules for the workspace.
	// +optional
	NetworkIsolation NetworkIsolationSpec `json:"networkIsolation,omitzero"`
}

WorkspaceSpec defines the desired state of the Workspace. It includes member management, resource constraints, and network security settings.
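The kubebuilder markers on NetworkIsolationSpec and WorkspaceSpec above encode the admission-time guardrails of this API: a tenant namespace must be a valid DNS label, must not be one of the reserved system namespaces, and cannot be renamed once created; the member list must be non-empty with unique subjects and at least one admin so a workspace can never be left without an administrator; and allowedNamespaces may only be populated when isolation is actually enabled, so a stale allow-list cannot suggest protection that is not being enforced. The following Go program is an added example and not code from the otterscale project: it re-implements those rules in plain Go over small local mirror types (an assumption made so the block runs offline without importing the module), which lets the same checks run as a pre-submit linter over Workspace manifests before they reach the API server. ValidateWorkspaceSpec and the sample specs are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Local mirror types (an assumption of this added example, not the otterscale package):
// they carry only the fields the validation rules on the page refer to.
type MemberRole string

const (
	MemberRoleAdmin MemberRole = "admin"
	MemberRoleEdit  MemberRole = "edit"
	MemberRoleView  MemberRole = "view"
)

type WorkspaceMember struct {
	Role    MemberRole
	Subject string
}
type NetworkIsolationSpec struct {
	Enabled           bool
	AllowedNamespaces []string
}
type WorkspaceSpec struct {
	Namespace        string
	Members          []WorkspaceMember
	NetworkIsolation NetworkIsolationSpec
}

// Patterns, limits and reserved names copied from the kubebuilder markers above.
var (
	dnsLabelRe = regexp.MustCompile(`^([a-z0-9]([-a-z0-9]*[a-z0-9])?)$`)
	subjectRe  = regexp.MustCompile(`^([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$`)
	reservedNS = map[string]bool{"default": true, "kube-system": true, "kube-public": true,
		"kube-node-lease": true, "otterscale-system": true}
	validRoles = map[MemberRole]bool{MemberRoleAdmin: true, MemberRoleEdit: true, MemberRoleView: true}
)

// ValidateWorkspaceSpec applies the CRD rules in plain Go. old is the stored spec
// (nil on create) and drives the "namespace is immutable" rule; every violation is
// reported, joined into one error, so a linter can show them all at once.
func ValidateWorkspaceSpec(spec WorkspaceSpec, old *WorkspaceSpec) error {
	var errs []error
	// Namespace: DNS label of 1..63 chars (the regexp already requires one char), not reserved, immutable.
	if len(spec.Namespace) > 63 || !dnsLabelRe.MatchString(spec.Namespace) {
		errs = append(errs, fmt.Errorf("namespace %q is not a valid DNS label", spec.Namespace))
	}
	if reservedNS[spec.Namespace] {
		errs = append(errs, errors.New("namespace is reserved and cannot be used for a workspace"))
	}
	if old != nil && old.Namespace != spec.Namespace {
		errs = append(errs, errors.New("namespace is immutable"))
	}
	// Members: MinItems=1, unique subjects (listMapKey=subject), known roles, and at
	// least one admin so the workspace can never be left without an administrator.
	if len(spec.Members) == 0 {
		errs = append(errs, errors.New("members must contain at least one entry"))
	}
	seen, hasAdmin := map[string]bool{}, false
	for _, m := range spec.Members {
		if !validRoles[m.Role] {
			errs = append(errs, fmt.Errorf("member %q has unknown role %q", m.Subject, m.Role))
		}
		if len(m.Subject) > 63 || !subjectRe.MatchString(m.Subject) {
			errs = append(errs, fmt.Errorf("subject %q is not a valid member identifier", m.Subject))
		}
		if seen[m.Subject] {
			errs = append(errs, fmt.Errorf("duplicate member subject %q", m.Subject))
		}
		seen[m.Subject] = true
		hasAdmin = hasAdmin || m.Role == MemberRoleAdmin
	}
	if len(spec.Members) > 0 && !hasAdmin {
		errs = append(errs, errors.New("at least one workspace member must have role 'admin'"))
	}
	// Network isolation: an allow-list is misleading unless isolation is enabled.
	ni := spec.NetworkIsolation
	if len(ni.AllowedNamespaces) > 0 && !ni.Enabled {
		errs = append(errs, errors.New("allowedNamespaces can only be set when network isolation is enabled"))
	}
	if len(ni.AllowedNamespaces) > 64 {
		errs = append(errs, errors.New("allowedNamespaces must not exceed 64 entries"))
	}
	for _, ns := range ni.AllowedNamespaces {
		if len(ns) > 63 || !dnsLabelRe.MatchString(ns) {
			errs = append(errs, fmt.Errorf("allowed namespace %q is not a valid DNS label", ns))
		}
	}
	return errors.Join(errs...)
}

func main() {
	// Constructed sample specs: one that passes, one that trips three rules at once.
	good := WorkspaceSpec{Namespace: "team-a",
		Members:          []WorkspaceMember{{Role: MemberRoleAdmin, Subject: "alice"}, {Role: MemberRoleView, Subject: "bob"}},
		NetworkIsolation: NetworkIsolationSpec{Enabled: true, AllowedNamespaces: []string{"istio-system", "monitoring"}}}
	bad := WorkspaceSpec{Namespace: "kube-system",
		Members:          []WorkspaceMember{{Role: MemberRoleEdit, Subject: "carol"}},
		NetworkIsolation: NetworkIsolationSpec{AllowedNamespaces: []string{"monitoring"}}}
	fmt.Println("good:", ValidateWorkspaceSpec(good, nil))
	fmt.Println("bad:", ValidateWorkspaceSpec(bad, nil))
}
```

Running the checks client-side does not replace the CRD validation on the API server, which remains the enforcement point; it gives authors the same rejection messages earlier and lets a CI job fail a manifest that would be refused at admission.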

func (*WorkspaceSpec) DeepCopy

func (in *WorkspaceSpec) DeepCopy() *WorkspaceSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkspaceSpec.

func (*WorkspaceSpec) DeepCopyInto

func (in *WorkspaceSpec) DeepCopyInto(out *WorkspaceSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type WorkspaceStatus

type WorkspaceStatus struct {
	// ObservedGeneration is the most recent generation observed by the controller.
	// It corresponds to the Workspace's generation, which is updated on mutation by the API Server.
	// This allows clients to determine whether the controller has processed the latest spec changes.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty"`

	// NamespaceRef is a reference to the Namespace managed by this Workspace.
	// +optional
	NamespaceRef *ResourceReference `json:"namespaceRef,omitempty"`

	// ResourceQuotaRef is a reference to the ResourceQuota managed by this Workspace.
	// +optional
	ResourceQuotaRef *ResourceReference `json:"resourceQuotaRef,omitempty"`

	// LimitRangeRef is a reference to the LimitRange managed by this Workspace.
	// +optional
	LimitRangeRef *ResourceReference `json:"limitRangeRef,omitempty"`

	// RoleBindingRefs contains references to all RBAC RoleBindings created for the workspace members.
	// +listType=map
	// +listMapKey=name
	// +optional
	RoleBindingRefs []ResourceReference `json:"roleBindingRefs,omitempty"`

	// PeerAuthenticationRef is a reference to the Istio PeerAuthentication resource for mTLS settings.
	// +optional
	PeerAuthenticationRef *ResourceReference `json:"peerAuthenticationRef,omitempty"`

	// AuthorizationPolicyRef is a reference to the Istio AuthorizationPolicy enforcing network isolation.
	// +optional
	AuthorizationPolicyRef *ResourceReference `json:"authorizationPolicyRef,omitempty"`

	// NetworkPolicyRef is a reference to the NetworkPolicy enforcing network isolation.
	// +optional
	NetworkPolicyRef *ResourceReference `json:"networkPolicyRef,omitempty"`

	// Conditions store the status conditions of the Workspace (e.g., Ready, Failed).
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

WorkspaceStatus defines the observed state of the Workspace. It contains references to the actual Kubernetes resources created by the operator.

func (*WorkspaceStatus) DeepCopy

func (in *WorkspaceStatus) DeepCopy() *WorkspaceStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkspaceStatus.

func (*WorkspaceStatus) DeepCopyInto

func (in *WorkspaceStatus) DeepCopyInto(out *WorkspaceStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
