Skip to content

migration: unify legacy IAM resources into PlatformAccess CRD#47

Open
JoseSzycho wants to merge 5 commits into
mainfrom
46-iam-migrate-platformaccessapproval-and-platformaccessrejection-in-fraud
Open

migration: unify legacy IAM resources into PlatformAccess CRD#47
JoseSzycho wants to merge 5 commits into
mainfrom
46-iam-migrate-platformaccessapproval-and-platformaccessrejection-in-fraud

Conversation

@JoseSzycho

Copy link
Copy Markdown
Contributor

PlatformAccess Migration

This migration bumps the go.miloapis.com/milo dependency to v0.29.1 and unifies the three legacy IAM resources (PlatformAccessApproval, PlatformAccessRejection, and UserDeactivation) into the single, unified PlatformAccess CRD.

Key Changes

  1. Dependency Upgrade:

    • Bumped go.miloapis.com/milo to v0.29.1 in go.mod.
    • Bumped sigs.k8s.io/controller-runtime to v0.23.3.
  2. CRD Consolidation:

    • Replaced legacy references to PlatformAccessApproval, PlatformAccessRejection, and UserDeactivation across RBAC configurations, controller logic, and test suites.
    • Access decisions are now managed via the State field on the unified PlatformAccess CRD:
      • DEACTIVATE $\rightarrow$ PlatformAccessStateSuspended
      • REVIEW $\rightarrow$ PlatformAccessStatePending
      • ACCEPT $\rightarrow$ PlatformAccessStateApproved

scotwells
scotwells previously approved these changes Jul 1, 2026

@scotwells scotwells left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have some linter failures. Changes look good though. What's the migration process look like for existing resources? Is that documented anywhere?

@JoseSzycho

Copy link
Copy Markdown
Contributor Author

@scotwells Thanks, I just fixed the listing error.

The migration already started. Right now, a controller in Milo translates the legacy CRDs to PlatformAccess in real time.

So Milo already have all existent PlatformAccess CR for each user with the corresponding state.

Once this PR is approved again, I will left it as it is, and create a final PR in Milo, as I need to update the User controller to update the User.Status using the PlatformAccess, once that final PR is deployed, I just need to merge this PR and the existing one in auth-provider-zitadel.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

iam: migrate PlatformAccessApproval and PlatformAccessRejection in fraud

2 participants