OctopusDeploy
diff --git a/‎internal/controller/workloadserviceaccount_controller.go‎
Lines changed: 4 additions & 14 deletions b/‎internal/controller/workloadserviceaccount_controller.go‎
Lines changed: 4 additions & 14 deletions
diff --git a/‎internal/controller/workloadserviceaccount_controller_test.go‎
Lines changed: 3 additions & 0 deletions b/‎internal/controller/workloadserviceaccount_controller_test.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎internal/rules/engine.go‎
Lines changed: 27 additions & 9 deletions b/‎internal/rules/engine.go‎
Lines changed: 27 additions & 9 deletions
diff --git a/‎internal/rules/generator.go‎
Lines changed: 154 additions & 0 deletions b/‎internal/rules/generator.go‎
Lines changed: 154 additions & 0 deletions
@@ -54,22 +54,12 @@ func (r *WorkloadServiceAccountReconciler) Reconcile(ctx context.Context, req ct
 
 	log.Info("Found WSAs in namespace", "count", len(wsaList.Items))
 
-	for _, currentWSA := range wsaList.Items {
-		for _, project := range currentWSA.Spec.Scope.Projects {
-			log.Info("WSA has project scope", "wsa", currentWSA.Name, "project", project)
-		}
-		for _, environment := range currentWSA.Spec.Scope.Environments {
-			log.Info("WSA has environment scope", "wsa", currentWSA.Name, "environment", environment)
-		}
-		for _, tenant := range currentWSA.Spec.Scope.Tenants {
-			log.Info("WSA has tenant scope", "wsa", currentWSA.Name, "tenant", tenant)
-		}
-		for _, step := range currentWSA.Spec.Scope.Steps {
-			log.Info("WSA has step scope", "wsa", currentWSA.Name, "step", step)
-		}
+	if err := r.Engine.RegenerateFromWSAs(wsaList.Items); err != nil {
+		log.Error(err, "failed to regenerate ServiceAccount mappings from WSAs")
+		return ctrl.Result{}, err
 	}
 
-	log.Info("Successfully reconciled WorkloadServiceAccounts")
+	log.Info("Successfully reconciled all WorkloadServiceAccounts")
 	return ctrl.Result{}, nil
 }
 
 
@@ -28,6 +28,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	agentoctopuscomv1beta1 "github.com/octopusdeploy/octopus-permissions-controller/api/v1beta1"
+	"github.com/octopusdeploy/octopus-permissions-controller/internal/rules"
 )
 
 var _ = Describe("WorkloadServiceAccount Controller", func() {
@@ -68,9 +69,11 @@ var _ = Describe("WorkloadServiceAccount Controller", func() {
 		})
 		It("should successfully reconcile the resource", func() {
 			By("Reconciling the created resource")
+			engine := rules.NewInMemoryEngine()
 			controllerReconciler := &WorkloadServiceAccountReconciler{
 				Client: k8sClient,
 				Scheme: k8sClient.Scheme(),
+				Engine: &engine,
 			}
 
 			_, err := controllerReconciler.Reconcile(ctx, reconcile.Request{
 
@@ -1,6 +1,8 @@
 package rules
 
 import (
+	"fmt"
+
 	"github.com/octopusdeploy/octopus-permissions-controller/api/v1beta1"
 )
 
@@ -17,14 +19,21 @@ type Scope struct {
 	Step        string `json:"step"`
 }
 
+func (s Scope) String() string {
+	return fmt.Sprintf("projects=%s,environments=%s,tenants=%s,steps=%s",
+		s.Project,
+		s.Environment,
+		s.Tenant,
+		s.Step)
+}
+
 type Rule struct {
 	Permissions v1beta1.WorkloadServiceAccountPermissions `json:"permissions"`
 }
 
 type Engine interface {
 	GetServiceAccountForScope(scope Scope, agentName AgentName) (ServiceAccountName, error)
-	AddScopeRuleset(scope Scope, rule Rule, targetNamespace Namespace) error
-	RemoveScopeRuleset(scope Scope, rule Rule, targetNamespace Namespace) error
+	RegenerateFromWSAs(wsas []v1beta1.WorkloadServiceAccount) error
 }
 
 type InMemoryEngine struct {
@@ -38,7 +47,7 @@ func NewInMemoryEngine() InMemoryEngine {
 	}
 }
 
-func (i InMemoryEngine) GetServiceAccountForScope(scope Scope, agentName AgentName) (ServiceAccountName, error) {
+func (i *InMemoryEngine) GetServiceAccountForScope(scope Scope, agentName AgentName) (ServiceAccountName, error) {
 	if agentRules, ok := i.rules[agentName]; ok {
 		if sa, ok := agentRules[scope]; ok {
 			return sa, nil
@@ -47,12 +56,21 @@ func (i InMemoryEngine) GetServiceAccountForScope(scope Scope, agentName AgentNa
 	return "", nil
 }
 
-func (i InMemoryEngine) AddScopeRuleset(scope Scope, rule Rule, targetNamespace Namespace) error {
-	// TODO: Implement me
-	return nil
-}
+func (i *InMemoryEngine) RegenerateFromWSAs(wsas []v1beta1.WorkloadServiceAccount) error {
+	// TODO: Support scoping WSAs to specific agents
+	const defaultAgent = AgentName("default")
+
+	scopePermissionsMap := GenerateAllScopesWithPermissions(wsas)
+	// TODO: Optimize by comparing with existing rules and only updating changed ones
+
+	i.rules[defaultAgent] = make(map[Scope]ServiceAccountName)
+
+	for scope := range scopePermissionsMap {
+		serviceAccountName := GenerateServiceAccountName(scope)
+		i.rules[defaultAgent][scope] = serviceAccountName
+	}
+
+	// TODO: Create or update Kubernetes resources (ServiceAccounts, Roles, RoleBindings) based on the generated rules
 
-func (i InMemoryEngine) RemoveScopeRuleset(scope Scope, rule Rule, targetNamespace Namespace) error {
-	// TODO: Implement me
 	return nil
 }
@@ -0,0 +1,154 @@
+package rules
+
+import (
+	"github.com/octopusdeploy/octopus-permissions-controller/api/v1beta1"
+)
+
+// GenerateAllScopesWithPermissions creates ServiceAccounts for all unique scope combinations
+func GenerateAllScopesWithPermissions(wsas []v1beta1.WorkloadServiceAccount) map[Scope]v1beta1.WorkloadServiceAccountPermissions {
+	if len(wsas) == 0 {
+		return nil
+	}
+
+	result := make(map[Scope]v1beta1.WorkloadServiceAccountPermissions)
+
+	// Get all unique scope values (including wildcards)
+	projectSet, environmentSet, tenantSet, stepSet := getAllScopeValues(wsas)
+
+	// Generate all possible scope combinations
+	allScopeCombinations := generateAllScopeCombinations(projectSet, environmentSet, tenantSet, stepSet)
+
+	// For each scope combination find WSAs that match the scope and merge their permissions
+	// If no WSAs match the scope, no ServiceAccount is created for that scope
+	for _, scope := range allScopeCombinations {
+		matchingWSAs := getMatchingWSAsForScope(scope, wsas)
+		if len(matchingWSAs) > 0 {
+			var mergedPermissions v1beta1.WorkloadServiceAccountPermissions
+			for _, wsa := range matchingWSAs {
+				mergedPermissions = mergePermissions(mergedPermissions, wsa.Spec.Permissions)
+			}
+			result[scope] = mergedPermissions
+		}
+	}
+
+	return result
+}
+
+// getAllScopeValues extracts all unique scope values from all WSAs
+func getAllScopeValues(wsas []v1beta1.WorkloadServiceAccount) (projects, environments, tenants, steps map[string]struct{}) {
+	projects = make(map[string]struct{})
+	environments = make(map[string]struct{})
+	tenants = make(map[string]struct{})
+	steps = make(map[string]struct{})
+
+	hasWildcardProjects := false
+	hasWildcardEnvironments := false
+	hasWildcardTenants := false
+	hasWildcardSteps := false
+
+	for _, wsa := range wsas {
+		processScopeValues(wsa.Spec.Scope.Projects, projects, &hasWildcardProjects)
+		processScopeValues(wsa.Spec.Scope.Environments, environments, &hasWildcardEnvironments)
+		processScopeValues(wsa.Spec.Scope.Tenants, tenants, &hasWildcardTenants)
+		processScopeValues(wsa.Spec.Scope.Steps, steps, &hasWildcardSteps)
+	}
+
+	if hasWildcardProjects {
+		projects["*"] = struct{}{}
+	}
+	if hasWildcardEnvironments {
+		environments["*"] = struct{}{}
+	}
+	if hasWildcardTenants {
+		tenants["*"] = struct{}{}
+	}
+	if hasWildcardSteps {
+		steps["*"] = struct{}{}
+	}
+
+	return projects, environments, tenants, steps
+}
+
+func processScopeValues(slice []string, valueSet map[string]struct{}, hasWildcard *bool) {
+	if !*hasWildcard && len(slice) == 0 {
+		*hasWildcard = true
+	} else {
+		for _, value := range slice {
+			valueSet[value] = struct{}{}
+		}
+	}
+}
+
+// generateAllScopeCombinations generates all possible scope combinations
+func generateAllScopeCombinations(projects, environments, tenants, steps map[string]struct{}) []Scope {
+	capacity := len(projects) * len(environments) * len(tenants) * len(steps)
+	scopes := make([]Scope, 0, capacity)
+
+	for project := range projects {
+		for environment := range environments {
+			for tenant := range tenants {
+				for step := range steps {
+					scope := Scope{
+						Project:     project,
+						Environment: environment,
+						Tenant:      tenant,
+						Step:        step,
+					}
+					scopes = append(scopes, scope)
+				}
+			}
+		}
+	}
+
+	return scopes
+}
+
+// getMatchingWSAsForScope returns all WSAs that apply to the given concrete scope
+func getMatchingWSAsForScope(scope Scope, wsas []v1beta1.WorkloadServiceAccount) []v1beta1.WorkloadServiceAccount {
+	var matchingWSAs []v1beta1.WorkloadServiceAccount
+
+	for _, wsa := range wsas {
+		if scopeMatchesWSA(scope, wsa) {
+			matchingWSAs = append(matchingWSAs, wsa)
+		}
+	}
+
+	return matchingWSAs
+}
+
+// scopeMatchesWSA checks if a WSA applies to a concrete scope
+func scopeMatchesWSA(scope Scope, wsa v1beta1.WorkloadServiceAccount) bool {
+	return hasMatchingScopeValue(wsa.Spec.Scope.Projects, scope.Project) &&
+		hasMatchingScopeValue(wsa.Spec.Scope.Environments, scope.Environment) &&
+		hasMatchingScopeValue(wsa.Spec.Scope.Tenants, scope.Tenant) &&
+		hasMatchingScopeValue(wsa.Spec.Scope.Steps, scope.Step)
+}
+
+// hasMatchingScopeValue checks if a WSA dimension matches a concrete scope value
+func hasMatchingScopeValue(wsaScopes []string, scopeValue string) bool {
+	// Empty WSA scope list means wildcard (matches any value)
+	if len(wsaScopes) == 0 {
+		return true
+	}
+
+	for _, value := range wsaScopes {
+		if value == scopeValue {
+			return true
+		}
+	}
+
+	return false
+}
+
+// mergePermissions combines permissions from multiple WSAs for the same scope
+func mergePermissions(existing, new v1beta1.WorkloadServiceAccountPermissions) v1beta1.WorkloadServiceAccountPermissions {
+	merged := v1beta1.WorkloadServiceAccountPermissions{
+		ClusterRoles: append(existing.ClusterRoles, new.ClusterRoles...),
+		Roles:        append(existing.Roles, new.Roles...),
+		Permissions:  append(existing.Permissions, new.Permissions...),
+	}
+
+	// TODO: Deduplicate identical roles and permissions
+
+	return merged
+}