Add space to scope

Author: sathvikkumar-octo

config/crd/bases/agent.octopus.com_workloadserviceaccounts.yaml

@@ -154,6 +154,11 @@ spec:
                       pattern: ^[\p{Ll}\p{N}]+(?:-[\p{L}\p{N}]+)*$
                       type: string
                     type: array
+                  spaces:
+                    items:
+                      pattern: ^[\p{Ll}\p{N}]+(?:-[\p{L}\p{N}]+)*$
+                      type: string
+                    type: array
                   steps:
                     items:
                       pattern: ^[\p{Ll}\p{N}]+(?:-[\p{L}\p{N}]+)*$

go.mod

@@ -3,6 +3,7 @@ module github.com/octopusdeploy/octopus-permissions-controller
 go 1.24.0
 
 require (
+	github.com/google/go-cmp v0.7.0
 	github.com/onsi/ginkgo/v2 v2.22.0
 	github.com/onsi/gomega v1.36.1
 	github.com/stretchr/testify v1.10.0
@@ -36,7 +37,6 @@ require (
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/cel-go v0.23.2 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
-	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 // indirect

hack/test-resource.yaml

@@ -11,6 +11,8 @@ spec:
       - Development
     steps:
       - "*"
+    spaces:
+      - "test-space"
   permissions:
     clusterRoles:
       - apiGroup: "rbac.authorization.k8s.io"

internal/controller/workloadserviceaccount_controller.go

@@ -67,6 +67,9 @@ func (r *WorkloadServiceAccountReconciler) Reconcile(ctx context.Context, req ct
 		for _, step := range currentWSA.Spec.Scope.Steps {
 			log.Info("WSA has step scope", "wsa", currentWSA.Name, "step", step)
 		}
+		for _, space := range currentWSA.Spec.Scope.Spaces {
+			log.Info("WSA has space scope", "wsa", currentWSA.Name, "space", space)
+		}
 	}
 
 	log.Info("Successfully reconciled WorkloadServiceAccounts")

internal/webhook/v1beta1/workloadserviceaccount_webhook.go

@@ -67,8 +67,8 @@ func (v *WorkloadServiceAccountCustomValidator) ValidateCreate(_ context.Context
 	workloadserviceaccountlog.Info("Validation for WorkloadServiceAccount upon creation", "name", workloadserviceaccount.GetName())
 
 	scope := workloadserviceaccount.Spec.Scope
-	if len(scope.Projects)+len(scope.Environments)+len(scope.Tenants)+len(scope.Steps) == 0 {
-		return nil, fmt.Errorf("at least one scope must be defined (projects, environments, tenants, or steps)")
+	if len(scope.Projects)+len(scope.Environments)+len(scope.Tenants)+len(scope.Steps)+len(scope.Spaces) == 0 {
+		return nil, fmt.Errorf("at least one scope must be defined (projects, environments, tenants, steps, or spaces)")
 	}
 
 	return nil, nil

internal/webhook/v1beta1/workloadserviceaccount_webhook_test.go

@@ -58,6 +58,16 @@ var _ = Describe("WorkloadServiceAccount Webhook", func() {
 			Expect(warnings).To(BeNil())
 		})
 
+		It("Should allow creation with space scope", func() {
+			By("setting up a WorkloadServiceAccount with space scope")
+			obj.Spec.Scope.Spaces = []string{"production-space", "dev-space"}
+
+			By("validating the creation")
+			warnings, err := validator.ValidateCreate(ctx, obj)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(warnings).To(BeNil())
+		})
+
 		It("Should deny creation if all scopes are missing", func() {
 			By("setting up a WorkloadServiceAccount with no scopes")
 			obj.Spec.Scope = agentoctopuscomv1beta1.WorkloadServiceAccountScope{}

test/e2e/test-wsa.yaml

@@ -6,6 +6,7 @@ spec:
   scope:
     projects: ["test-project"]
     environments: ["test-env"]
+    spaces: ["test-space"]
   permissions:
     permissions:
     - apiGroups: [""]