Documentation
Index
- Constants
- func AuthorizeCreation(ctx context.Context, reader client.Reader, userInfo authenticationv1.UserInfo, ...) error
- func AuthorizeModification(ctx context.Context, reader client.Reader, userInfo authenticationv1.UserInfo, ...) error
- func IsOwned(refs []metav1.OwnerReference, uid types.UID) bool
- func LabelsForWorkspace(workspace, version string) map[string]string
- func OperatorServiceAccountIdentity(namespace, saName string) string
- func ReconcileHarbor(ctx context.Context, c client.Client, scheme *runtime.Scheme, ...) error
- func ReconcileHelmRepository(ctx context.Context, c client.Client, scheme *runtime.Scheme, ...) error
- func ReconcileLimitRange(ctx context.Context, c client.Client, scheme *runtime.Scheme, ...) error
- func ReconcileNamespace(ctx context.Context, c client.Client, scheme *runtime.Scheme, ...) error
- func ReconcileNetworkIsolation(ctx context.Context, c client.Client, scheme *runtime.Scheme, ...) error
- func ReconcileResourceQuota(ctx context.Context, c client.Client, scheme *runtime.Scheme, ...) error
- func ReconcileRoleBindings(ctx context.Context, c client.Client, scheme *runtime.Scheme, ...) error
- func ValidateNamespaceUniqueness(ctx context.Context, reader client.Reader, ws *tenantv1alpha1.Workspace) error
- type NamespaceConflictError
Constants

const (
	RoleBindingName     = "workspace-role-binding"
	ResourceQuotaName   = "workspace-resource-quota"
	LimitRangeName      = "workspace-limit-range"
	NetworkPolicyName   = "workspace-network-policy"
	ImagePullSecretName = "workspace-image-pull-secret"
	HelmRepositoryName  = "workspace-helm-repository"
	LabelFromHarbor     = "tenant.otterscale.io/from-harbor"
	LabelInternal       = "tenant.otterscale.io/internal"
	UserLabelPrefix     = "user.otterscale.io/"

	// ConditionTypeReady is the condition type that indicates whether all
	// workspace resources have been successfully reconciled.
	ConditionTypeReady = "Ready"
)

Variables
This section is empty.
Functions
func AuthorizeCreation
func AuthorizeCreation(ctx context.Context, reader client.Reader, userInfo authenticationv1.UserInfo, ws *tenantv1alpha1.Workspace, operatorSA string, maxPerUser int) error
AuthorizeCreation checks whether the requesting user is allowed to create a Workspace. Non-privileged callers must list themselves as an admin member of the new Workspace and must not exceed the per-user workspace quota.
maxPerUser controls the maximum number of workspaces a regular user may administer. A value of 0 disables quota enforcement.
Privileged callers (group, operator SA, or cluster-admin ClusterRole holders) bypass both the self-admin requirement and the quota.
Allowed callers (checked cheapest-first):
- Members of a privileged group (system:masters, kubeadm:cluster-admins)
- The operator's own ServiceAccount (operatorSA)
- A user who is listed as an "admin" member in the new workspace AND under quota
- A user bound to a privileged ClusterRole (e.g. cluster-admin) via ClusterRoleBinding
func AuthorizeModification
func AuthorizeModification(ctx context.Context, reader client.Reader, userInfo authenticationv1.UserInfo, workspace *tenantv1alpha1.Workspace, operatorSA string) error
AuthorizeModification checks whether the requesting user is allowed to update the given Workspace. The workspace parameter must be the **old** (pre-update) object so that a user cannot grant themselves admin and approve in the same request.
reader is used to list ClusterRoleBindings for privileged ClusterRole checks. operatorSA is the full service account identity of the controller-manager (e.g. "system:serviceaccount:otterscale-system:tenant-operator-controller-manager"). It is provided at startup so the operator works regardless of the namespace it is deployed in.
Allowed callers (checked cheapest-first):
- Members of a privileged group (system:masters, kubeadm:cluster-admins)
- The operator's own ServiceAccount (operatorSA)
- A workspace member whose role is "admin" in the current (old) spec
- A user bound to a privileged ClusterRole (e.g. cluster-admin) via ClusterRoleBinding
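The check order for AuthorizeCreation and AuthorizeModification, and the reason AuthorizeModification must be given the old object, are easier to see in a runnable form. The following is an added example written for this page; it is not the package's code. It replaces the Kubernetes types with small stand-ins (UserInfo, Workspace, Member, Binding are all assumed shapes), models the ClusterRoleBinding lookup as a scan over a flattened list, and assumes the per-user quota counts existing workspaces in which the caller already holds the "admin" role.

```go
package main

import (
	"errors"
	"fmt"
)

// UserInfo carries the fields of authenticationv1.UserInfo the checks need (stand-in, not the k8s type).
type UserInfo struct {
	Username string
	Groups   []string
}

// Member and Workspace are minimal stand-ins for the tenantv1alpha1 types; the spec layout is assumed.
type Member struct {
	Name string
	Role string
}

type Workspace struct {
	Name    string
	Members []Member
}

// Binding is a flattened ClusterRoleBinding: a ClusterRole plus its user and group subjects.
type Binding struct {
	ClusterRole string
	Users       []string
	Groups      []string
}

var (
	privilegedGroups       = map[string]bool{"system:masters": true, "kubeadm:cluster-admins": true}
	privilegedClusterRoles = map[string]bool{"cluster-admin": true}
	ErrForbidden           = errors.New("forbidden")
)

func inPrivilegedGroup(u UserInfo) bool {
	for _, g := range u.Groups {
		if privilegedGroups[g] {
			return true
		}
	}
	return false
}

func isAdminMember(ws Workspace, username string) bool {
	for _, m := range ws.Members {
		if m.Name == username && m.Role == "admin" {
			return true
		}
	}
	return false
}

// boundToPrivilegedClusterRole stands in for listing ClusterRoleBindings through the
// client.Reader; it is the most expensive check, so both entry points run it last.
func boundToPrivilegedClusterRole(u UserInfo, bindings []Binding) bool {
	groups := map[string]bool{}
	for _, g := range u.Groups {
		groups[g] = true
	}
	for _, b := range bindings {
		if !privilegedClusterRoles[b.ClusterRole] {
			continue
		}
		for _, name := range b.Users {
			if name == u.Username {
				return true
			}
		}
		for _, g := range b.Groups {
			if groups[g] {
				return true
			}
		}
	}
	return false
}

// adminCount returns how many of the existing workspaces username already administers (assumed quota metric).
func adminCount(existing []Workspace, username string) int {
	n := 0
	for _, ws := range existing {
		if isAdminMember(ws, username) {
			n++
		}
	}
	return n
}

// AuthorizeModification must be handed the OLD object: membership is read from the spec as it
// was before the request, so a user cannot add themselves as admin and have that same edit authorize it.
func AuthorizeModification(u UserInfo, old Workspace, operatorSA string, bindings []Binding) error {
	if inPrivilegedGroup(u) || u.Username == operatorSA ||
		isAdminMember(old, u.Username) || boundToPrivilegedClusterRole(u, bindings) {
		return nil
	}
	return fmt.Errorf("%w: %q may not modify workspace %q", ErrForbidden, u.Username, old.Name)
}

// AuthorizeCreation: a non-privileged caller must be an admin of the new workspace AND under quota
// (maxPerUser == 0 disables the quota); a privileged ClusterRole binding bypasses both.
func AuthorizeCreation(u UserInfo, ws Workspace, operatorSA string, bindings []Binding, existing []Workspace, maxPerUser int) error {
	if inPrivilegedGroup(u) || u.Username == operatorSA {
		return nil
	}
	if isAdminMember(ws, u.Username) && (maxPerUser == 0 || adminCount(existing, u.Username) < maxPerUser) {
		return nil
	}
	if boundToPrivilegedClusterRole(u, bindings) {
		return nil
	}
	return fmt.Errorf("%w: %q may not create workspace %q", ErrForbidden, u.Username, ws.Name)
}

func main() {
	// Constructed scenario: alice is a viewer and tries to promote herself in one update.
	old := Workspace{Name: "team-a", Members: []Member{{"bob", "admin"}, {"alice", "viewer"}}}
	updated := Workspace{Name: "team-a", Members: []Member{{"bob", "admin"}, {"alice", "admin"}}}
	sa := "system:serviceaccount:otterscale-system:controller-manager"
	fmt.Println("checked against old spec:", AuthorizeModification(UserInfo{Username: "alice"}, old, sa, nil))
	fmt.Println("checked against new spec:", AuthorizeModification(UserInfo{Username: "alice"}, updated, sa, nil))
}
```

The last two lines of main show the failure mode the doc comment warns about: evaluated against the updated spec the request would be admitted, because the spec already names alice as admin. Passing the pre-update object is what makes the membership check meaningful.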
func IsOwned
func IsOwned(refs []metav1.OwnerReference, uid types.UID) bool
IsOwned checks if the object is owned by the given UID to prevent adoption conflicts.
func LabelsForWorkspace
func LabelsForWorkspace(workspace, version string) map[string]string
LabelsForWorkspace returns a standard set of labels for resources managed by this operator.
func OperatorServiceAccountIdentity
func OperatorServiceAccountIdentity(namespace, saName string) string
OperatorServiceAccountIdentity constructs the full Kubernetes service account identity string from the pod namespace and service account name. Example: OperatorServiceAccountIdentity("otterscale-system", "controller-manager") returns "system:serviceaccount:otterscale-system:controller-manager".
func ReconcileHarbor added in v0.8.6
func ReconcileHarbor(
	ctx context.Context,
	c client.Client,
	scheme *runtime.Scheme,
	w *tenantv1alpha1.Workspace,
	version string,
	harborClient harbor.Client,
	harborURL string,
) error
ReconcileHarbor ensures the Harbor project, robot account, docker-registry Secret, and default ServiceAccount imagePullSecrets are configured for the workspace.
func ReconcileHelmRepository added in v0.9.0
func ReconcileHelmRepository(ctx context.Context, c client.Client, scheme *runtime.Scheme, w *tenantv1alpha1.Workspace, version string, harborURL string) error
ReconcileHelmRepository ensures a FluxCD HelmRepository (type: oci) exists in the workspace namespace, pointing to the Harbor OCI registry for the workspace project.
func ReconcileLimitRange
func ReconcileLimitRange(ctx context.Context, c client.Client, scheme *runtime.Scheme, w *tenantv1alpha1.Workspace, version string) error
ReconcileLimitRange applies default limits if defined, or deletes the range if removed.
func ReconcileNamespace
func ReconcileNamespace(ctx context.Context, c client.Client, scheme *runtime.Scheme, w *tenantv1alpha1.Workspace, version string) error
ReconcileNamespace ensures the Namespace exists and is properly labeled.
func ReconcileNetworkIsolation
func ReconcileNetworkIsolation(ctx context.Context, c client.Client, scheme *runtime.Scheme, w *tenantv1alpha1.Workspace, version string) error
ReconcileNetworkIsolation ensures the NetworkPolicy matches the desired state. When isolation is enabled, a deny-all ingress policy is created with explicit allow rules for same-namespace traffic and any configured AllowedNamespaces. When disabled, the NetworkPolicy is removed.
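The shape of the policy described above, as an added example that is not the package's own code: a NetworkPolicy whose empty podSelector puts every pod in the namespace under ingress isolation, with the allow list built from the workspace namespace itself plus each configured AllowedNamespaces entry. The struct types are JSON-tagged stand-ins for the networking.k8s.io/v1 API (not client-go types), the peers are matched on the kubernetes.io/metadata.name namespace label, and deduplication of the allow list is a choice made here, not something the page states.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Stand-in types shaped like networking.k8s.io/v1 NetworkPolicy (assumed; not the real API types).
type LabelSelector struct {
	MatchLabels map[string]string `json:"matchLabels,omitempty"`
}

type Peer struct {
	NamespaceSelector *LabelSelector `json:"namespaceSelector,omitempty"`
}

type IngressRule struct {
	From []Peer `json:"from"`
}

type PolicySpec struct {
	PodSelector LabelSelector `json:"podSelector"`
	PolicyTypes []string      `json:"policyTypes"`
	Ingress     []IngressRule `json:"ingress"`
}

type NetworkPolicy struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Metadata   map[string]string `json:"metadata"`
	Spec       PolicySpec        `json:"spec"`
}

const NetworkPolicyName = "workspace-network-policy" // same constant the package exports

// nsPeer allows every pod in the named namespace, keyed on the immutable metadata.name label.
func nsPeer(name string) Peer {
	return Peer{NamespaceSelector: &LabelSelector{
		MatchLabels: map[string]string{"kubernetes.io/metadata.name": name},
	}}
}

// BuildIsolationPolicy returns nil when isolation is disabled (the reconciler then deletes any
// existing policy). When enabled it returns a policy that selects all pods, declares the Ingress
// policy type (so anything not matched by a rule is denied), and allows only the workspace
// namespace itself plus each entry of allowed. Duplicates of ns in allowed are dropped.
func BuildIsolationPolicy(ns string, isolate bool, allowed []string) *NetworkPolicy {
	if !isolate {
		return nil
	}
	peers := []Peer{nsPeer(ns)}
	seen := map[string]bool{ns: true}
	for _, a := range allowed {
		if seen[a] {
			continue
		}
		seen[a] = true
		peers = append(peers, nsPeer(a))
	}
	return &NetworkPolicy{
		APIVersion: "networking.k8s.io/v1",
		Kind:       "NetworkPolicy",
		Metadata:   map[string]string{"name": NetworkPolicyName, "namespace": ns},
		Spec: PolicySpec{
			PodSelector: LabelSelector{},         // {} selects every pod in the namespace
			PolicyTypes: []string{"Ingress"},     // isolate ingress only; egress stays open
			Ingress:     []IngressRule{{From: peers}},
		},
	}
}

// AllowedSources lists the namespaces a policy admits, in rule order, for inspection.
func AllowedSources(p *NetworkPolicy) []string {
	var out []string
	for _, rule := range p.Spec.Ingress {
		for _, peer := range rule.From {
			out = append(out, peer.NamespaceSelector.MatchLabels["kubernetes.io/metadata.name"])
		}
	}
	return out
}

// Render serialises the policy as JSON, which kubectl accepts in place of YAML.
func Render(p *NetworkPolicy) (string, error) {
	b, err := json.MarshalIndent(p, "", "  ")
	return string(b), err
}

func main() {
	// Constructed input: workspace "team-a" allowing traffic from "monitoring".
	out, _ := Render(BuildIsolationPolicy("team-a", true, []string{"monitoring", "team-a"}))
	fmt.Println(out)
}
```

Two details worth checking when reviewing such a policy: an ingress list that is empty (rather than containing the same-namespace rule) would also cut off intra-namespace traffic, and a namespaceSelector peer admits every pod in the named namespace, so AllowedNamespaces is a namespace-level grant, not a per-workload one.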
func ReconcileResourceQuota
func ReconcileResourceQuota(ctx context.Context, c client.Client, scheme *runtime.Scheme, w *tenantv1alpha1.Workspace, version string) error
ReconcileResourceQuota applies quota constraints if defined, or deletes the quota if removed.
func ReconcileRoleBindings
func ReconcileRoleBindings(ctx context.Context, c client.Client, scheme *runtime.Scheme, w *tenantv1alpha1.Workspace, version string) error
ReconcileRoleBindings groups members by role and creates the necessary bindings.
func ValidateNamespaceUniqueness added in v0.8.3
func ValidateNamespaceUniqueness(ctx context.Context, reader client.Reader, ws *tenantv1alpha1.Workspace) error
ValidateNamespaceUniqueness ensures no other Workspace already claims the same target namespace. Without this check two Workspaces could reference the same namespace and the second would be permanently stuck at Ready=False.
Types
type NamespaceConflictError
type NamespaceConflictError struct {
Name string
}
NamespaceConflictError is a permanent error indicating the target namespace already exists but is not owned by this workspace.
func (*NamespaceConflictError) Error
func (e *NamespaceConflictError) Error() string