feat(controller): allow owners to promote serviceaccounts within tenant as owners (#1626)

* feat(controller): allow owners to promote serviceaccounts within tenant as owners Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: remove harpoon Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> --------- Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
2026-02-14 18:09:58 +00:00 · 2025-09-11 23:12:45 +02:00
parent a2e4e00724
commit 9fa1abac65
24 changed files with 978 additions and 87 deletions
--- a/api/v1beta2/capsuleconfiguration_types.go
+++ b/api/v1beta2/capsuleconfiguration_types.go
@@ -19,6 +19,11 @@ type CapsuleConfigurationSpec struct {
 	// Define groups which when found in the request of a user will be ignored by the Capsule
 	// this might be useful if you have one group where all the users are in, but you want to separate administrators from normal users with additional groups.
 	IgnoreUserWithGroups []string `json:"ignoreUserWithGroups,omitempty"`
+	// ServiceAccounts within tenant namespaces can be promoted to owners of the given tenant
+	// this can be achieved by labeling the serviceaccount and then they are considered owners. This can only be done by other owners of the tenant.
+	// However ServiceAccounts which have been promoted to owner can not promote further serviceAccounts.
+	// +kubebuilder:default=false
+	AllowServiceAccountPromotion bool `json:"allowServiceAccountPromotion,omitempty"`
 	// Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
 	// separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
 	// +kubebuilder:default=false