From 09366e040606a414a6bd6c01c84a714df2a44f82 Mon Sep 17 00:00:00 2001
From: Zach Smith
Date: Mon, 27 Apr 2026 17:21:32 -0700
Subject: [PATCH] fix(iam): include PlatformAccessRejection in CRD kustomization; drop dead Denial CRD
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Two related fixes to config/crd/bases/iam:
1. Add the missing iam.miloapis.com_platformaccessrejections.yaml entry to kustomization.yaml. PlatformAccessRejection was introduced in 41e0becf alongside PlatformAccessApproval (the commit message reads "introduce platform access approval, rejection, and invitation resources"), but only the approval entry made it into kustomization.yaml. PAR has 120 Go references with a real controller and webhook, so it should be in the kustomization alongside PAA.
2. Delete the dead iam.miloapis.com_platformaccessdenials.yaml CRD manifest. PlatformAccessDenial has zero references anywhere in the milo Go codebase — no type, no controller, no webhook. It was an orphaned controller-gen artifact.
Regenerated docs/api/iam.md to drop the corresponding sections.
---
...am.miloapis.com_platformaccessdenials.yaml | 158 ----------
config/crd/bases/iam/kustomization.yaml | 1 +
docs/api/iam.md | 294 ------------------
3 files changed, 1 insertion(+), 452 deletions(-)
delete mode 100644 config/crd/bases/iam/iam.miloapis.com_platformaccessdenials.yaml
diff --git a/config/crd/bases/iam/iam.miloapis.com_platformaccessdenials.yaml b/config/crd/bases/iam/iam.miloapis.com_platformaccessdenials.yaml
deleted file mode 100644
index aacce160..00000000
--- a/config/crd/bases/iam/iam.miloapis.com_platformaccessdenials.yaml
+++ /dev/null
@@ -1,158 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.18.0 - discovery.miloapis.com/parent-contexts: Platform - name: platformaccessdenials.iam.miloapis.com -spec: - group: iam.miloapis.com - names: - kind: PlatformAccessDenial - listKind: PlatformAccessDenialList - plural: platformaccessdenials - singular: platformaccessdenial - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - PlatformAccessDenial is the Schema for the platformaccessapprovals API. - It represents a platform access approval for a user. Once the platform access approval is created, an email will be sent to the user. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: PlatformAccessDenialSpec defines the desired state of PlatformAccessDenial. - properties: - approverRef: - description: |- - ApproverRef is the reference to the approver being approved. - If not specified, the approval was made by the system. - properties: - name: - description: Name is the name of the User being referenced. - type: string - required: - - name - type: object - subjectRef: - description: SubjectRef is the reference to the subject being approved. 
- properties: - email: - description: |- - Email is the email of the user being approved. - Use Email to approve an email address that is not associated with a created user. (e.g. when using PlatformInvitation) - UserRef and Email are mutually exclusive. Exactly one of them must be specified. - type: string - userRef: - description: |- - UserRef is the reference to the user being approved. - UserRef and Email are mutually exclusive. Exactly one of them must be specified. - properties: - name: - description: Name is the name of the User being referenced. - type: string - required: - - name - type: object - type: object - x-kubernetes-validations: - - message: Exactly one of email or userRef must be specified - rule: (has(self.email) && !has(self.userRef)) || (!has(self.email) - && has(self.userRef)) - required: - - subjectRef - type: object - x-kubernetes-validations: - - message: spec is immutable - rule: self == oldSelf - status: - properties: - conditions: - default: - - lastTransitionTime: "1970-01-01T00:00:00Z" - message: Platform access approval reconciliation is pending - reason: ReconcilePending - status: Unknown - type: Ready - description: Conditions provide conditions that represent the current - status of the PlatformAccessDenial. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/config/crd/bases/iam/kustomization.yaml b/config/crd/bases/iam/kustomization.yaml index 366abfce..485b046b 100644 --- a/config/crd/bases/iam/kustomization.yaml +++ b/config/crd/bases/iam/kustomization.yaml @@ -11,3 +11,4 @@ resources: - iam.miloapis.com_userdeactivations.yaml - iam.miloapis.com_platforminvitations.yaml - iam.miloapis.com_platformaccessapprovals.yaml +- iam.miloapis.com_platformaccessrejections.yaml diff --git a/docs/api/iam.md b/docs/api/iam.md index 6edfe9c3..cf5c14f5 100644 --- a/docs/api/iam.md +++ b/docs/api/iam.md 
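Review bot: The added `resources:` entry `iam.miloapis.com_platformaccessrejections.yaml` refers to a manifest that this patch neither adds nor shows, so it resolves only if the file from 41e0becf is still present in config/crd/bases/iam; running `kustomize build config/crd/bases/iam` before merging would confirm that. The hunk starts at line 11 of kustomization.yaml, so it is not visible whether an earlier entry still lists the deleted `iam.miloapis.com_platformaccessdenials.yaml`, which would break the same build. Since a CRD backing an access-decision controller and webhook was, per the description, missing from this base without anything failing, consider a CI check that compares the `resources:` list with the `*.yaml` files in the directory. Removing the Denial manifest from the repository does not delete the CRD from any cluster where it was applied earlier, so a cleanup step may be needed there.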
@@ -16,8 +16,6 @@ Resource Types: - [PlatformAccessApproval](#platformaccessapproval) -- [PlatformAccessDenial](#platformaccessdenial) - - [PlatformAccessRejection](#platformaccessrejection) - [PlatformInvitation](#platforminvitation) @@ -834,298 +832,6 @@ If not specified, the approval was made by the system. -## PlatformAccessDenial -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -PlatformAccessDenial is the Schema for the platformaccessapprovals API. -It represents a platform access approval for a user. Once the platform access approval is created, an email will be sent to the user. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiVersionstringiam.miloapis.com/v1alpha1true
kindstringPlatformAccessDenialtrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject - PlatformAccessDenialSpec defines the desired state of PlatformAccessDenial.
-
- Validations:
  • self == oldSelf: spec is immutable
  • -
    false
    statusobject -
    -
    false
    - - -### PlatformAccessDenial.spec -[↩ Parent](#platformaccessdenial) - - - -PlatformAccessDenialSpec defines the desired state of PlatformAccessDenial. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    subjectRefobject - SubjectRef is the reference to the subject being approved.
    -
    - Validations:
  • (has(self.email) && !has(self.userRef)) || (!has(self.email) && has(self.userRef)): Exactly one of email or userRef must be specified
  • -
    true
    approverRefobject - ApproverRef is the reference to the approver being approved. -If not specified, the approval was made by the system.
    -
    false
    - - -### PlatformAccessDenial.spec.subjectRef -[↩ Parent](#platformaccessdenialspec) - - - -SubjectRef is the reference to the subject being approved. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    emailstring - Email is the email of the user being approved. -Use Email to approve an email address that is not associated with a created user. (e.g. when using PlatformInvitation) -UserRef and Email are mutually exclusive. Exactly one of them must be specified.
    -
    false
    userRefobject - UserRef is the reference to the user being approved. -UserRef and Email are mutually exclusive. Exactly one of them must be specified.
    -
    false
    - - -### PlatformAccessDenial.spec.subjectRef.userRef -[↩ Parent](#platformaccessdenialspecsubjectref) - - - -UserRef is the reference to the user being approved. -UserRef and Email are mutually exclusive. Exactly one of them must be specified. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -
    true
    - - -### PlatformAccessDenial.spec.approverRef -[↩ Parent](#platformaccessdenialspec) - - - -ApproverRef is the reference to the approver being approved. -If not specified, the approval was made by the system. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -
    true
    - - -### PlatformAccessDenial.status -[↩ Parent](#platformaccessdenial) - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions provide conditions that represent the current status of the PlatformAccessDenial.
    -
    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Platform access approval reconciliation is pending reason:ReconcilePending status:Unknown type:Ready]]
    -
    false
    - - -### PlatformAccessDenial.status.conditions[index] -[↩ Parent](#platformaccessdenialstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -
    true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -
    true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -
    true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -
    true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -
    true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -
    false
    - ## PlatformAccessRejection [↩ Parent](#iammiloapiscomv1alpha1 )