feat(admin,organization): add realm claims, rover realm, and refactor TeamApis to ManagedRoutes

admin/README.md

@@ -64,7 +64,7 @@ This CRD represents a physical or logical deployment target with gateway and ide
 - Each Zone creates its own dedicated namespace (stored in `status.namespace`) for managing related resources.
 - Zones define gateway configuration, identity provider settings, and Redis connection details.
 - The `visibility` field controls subscription behavior and can be either `World` or `Enterprise`.
-- Zones can optionally define Team APIs through the `teamApis` field, which creates routes on the gateway.
+- Zones can optionally define managed routes through the `managedRoutes` field. Each route has a `type`: `TeamAPI` (authenticated, no ACL) or `Proxy` (passthrough reverse proxy).
 - The Zone controller creates and manages related resources in its handlers.
 - All managed resources are labeled with both `cp.ei.telekom.de/environment` and `cp.ei.telekom.de/zone` labels.
 

admin/api/v1/zone_types.go

@@ -78,7 +78,23 @@ type GatewayConfig struct {
 	CircuitBreaker bool `json:"circuitBreaker"`
 }
 
-type ApiConfig struct {
+// ManagedRouteType defines the type of a managed route.
+// +kubebuilder:validation:Enum=TeamAPI;Proxy
+type ManagedRouteType string
+
+const (
+	// ManagedRouteTypeTeamAPI creates a route with authentication (PassThrough=false)
+	// and disabled access control on the zone's team-api gateway realm.
+	// Used for team APIs that require token validation but no per-consumer ACLs.
+	ManagedRouteTypeTeamAPI ManagedRouteType = "TeamAPI"
+
+	// ManagedRouteTypeProxy creates a fully passthrough route (PassThrough=true)
+	// on the zone's default gateway realm that acts as a pure reverse proxy
+	// without any authentication or authorization.
+	ManagedRouteTypeProxy ManagedRouteType = "Proxy"
+)
+
+type ManagedRouteConfig struct {
 	// Name is the name of the created route. It must be unique within the zone.
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:Pattern=^[a-z0-9]+(-?[a-z0-9]+)*$
@@ -91,10 +107,18 @@ type ApiConfig struct {
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:Format=uri
 	Url string `json:"url"`
+	// Type selects the route behavior: TeamAPI (authenticated, no ACL) or Proxy (passthrough reverse proxy).
+	// +kubebuilder:validation:Required
+	Type ManagedRouteType `json:"type"`
 }
 
-type TeamApiConfig struct {
-	Apis []ApiConfig `json:"apis"`
+// ManagedRoutesConfig defines the configuration for managed routes in a zone.
+// Managed routes are automatically created and managed by the system based on this configuration.
+type ManagedRoutesConfig struct {
+	// Routes is the list of routes to be created for this zone.
+	// It may be used to create additional routes that are required for operating the zone
+	// +optional
+	Routes []ManagedRouteConfig `json:"routes"`
 }
 
 type PermissionsConfig struct {
@@ -142,7 +166,7 @@ type ZoneSpec struct {
 	IdentityProvider IdentityProviderConfig `json:"identityProvider"`
 	Gateway          GatewayConfig          `json:"gateway"`
 	Redis            RedisConfig            `json:"redis"`
-	TeamApis         *TeamApiConfig         `json:"teamApis,omitempty"`
+	ManagedRoutes    *ManagedRoutesConfig   `json:"managedRoutes,omitempty"`
 	// +kubebuilder:validation:Enum=World;Enterprise
 	// Visibility controls what subscriptions are allowed from and to this zone. It's also relevant for features like failover
 	Visibility ZoneVisibility `json:"visibility"`
@@ -194,9 +218,10 @@ type ZoneStatus struct {
 	// +optional
 	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
 
-	Namespace        string           `json:"namespace,omitempty"`
-	IdentityProvider *types.ObjectRef `json:"identityProvider,omitempty"`
-	IdentityRealm    *types.ObjectRef `json:"identityRealm,omitempty"`
+	Namespace             string           `json:"namespace,omitempty"`
+	IdentityProvider      *types.ObjectRef `json:"identityProvider,omitempty"`
+	IdentityRealm         *types.ObjectRef `json:"identityRealm,omitempty"`
+	InternalIdentityRealm *types.ObjectRef `json:"internalIdentityRealm,omitempty"`
 
 	Gateway         *types.ObjectRef `json:"gateway,omitempty"`
 	GatewayRealm    *types.ObjectRef `json:"gatewayRealm,omitempty"`
@@ -205,7 +230,7 @@ type ZoneStatus struct {
 
 	TeamApiIdentityRealm *types.ObjectRef  `json:"teamApiIdentityRealm,omitempty"`
 	TeamApiGatewayRealm  *types.ObjectRef  `json:"teamApiGatewayRealm,omitempty"`
-	TeamApiRoutes        []types.ObjectRef `json:"teamApiRoutes,omitempty"`
+	ManagedRoutes        []types.ObjectRef `json:"managedRoutes,omitempty"`
 	Links                Links             `json:"links,omitempty"`
 
 	// Features is a list of features that are enabled or disabled for this zone.

admin/config/crd/bases/admin.cp.ei.telekom.de_zones.yaml

@@ -189,6 +189,46 @@ spec:
                 - admin
                 - url
                 type: object
+              managedRoutes:
+                description: |-
+                  ManagedRoutesConfig defines the configuration for managed routes in a zone.
+                  Managed routes are automatically created and managed by the system based on this configuration.
+                properties:
+                  routes:
+                    description: |-
+                      Routes is the list of routes to be created for this zone.
+                      It may be used to create additional routes that are required for operating the zone
+                    items:
+                      properties:
+                        name:
+                          description: Name is the name of the created route. It must
+                            be unique within the zone.
+                          pattern: ^[a-z0-9]+(-?[a-z0-9]+)*$
+                          type: string
+                        path:
+                          description: Path is the path of the route exposed on the
+                            gateway.
+                          pattern: ^/.*$
+                          type: string
+                        type:
+                          description: 'Type selects the route behavior: TeamAPI (authenticated,
+                            no ACL) or Proxy (passthrough reverse proxy).'
+                          enum:
+                          - TeamAPI
+                          - Proxy
+                          type: string
+                        url:
+                          description: Url is the upstream URL of the route.
+                          format: uri
+                          type: string
+                      required:
+                      - name
+                      - path
+                      - type
+                      - url
+                      type: object
+                    type: array
+                type: object
               permissions:
                 description: Permissions configuration for permission service integration
                 properties:
@@ -223,34 +263,6 @@ spec:
                 - password
                 - port
                 type: object
-              teamApis:
-                properties:
-                  apis:
-                    items:
-                      properties:
-                        name:
-                          description: Name is the name of the created route. It must
-                            be unique within the zone.
-                          pattern: ^[a-z0-9]+(-?[a-z0-9]+)*$
-                          type: string
-                        path:
-                          description: Path is the path of the route exposed on the
-                            gateway.
-                          pattern: ^/.*$
-                          type: string
-                        url:
-                          description: Url is the upstream URL of the route.
-                          format: uri
-                          type: string
-                      required:
-                      - name
-                      - path
-                      - url
-                      type: object
-                    type: array
-                required:
-                - apis
-                type: object
               visibility:
                 description: Visibility controls what subscriptions are allowed from
                   and to this zone. It's also relevant for features like failover
@@ -458,6 +470,25 @@ spec:
                 - name
                 - namespace
                 type: object
+              internalIdentityRealm:
+                description: |-
+                  ObjectRef is a reference to a Kubernetes object
+                  It is similar to types.NamespacedName but has the required json tags for serialization
+                properties:
+                  name:
+                    type: string
+                  namespace:
+                    type: string
+                  uid:
+                    description: |-
+                      UID is a type that holds unique ID values, including UUIDs.  Because we
+                      don't ONLY use UUIDs, this is an alias to string.  Being a type captures
+                      intent and helps make sure that UIDs and names do not get conflated.
+                    type: string
+                required:
+                - name
+                - namespace
+                type: object
               links:
                 properties:
                   gatewayIssuer:
@@ -491,6 +522,27 @@ spec:
                 - gatewayIssuer
                 - gatewayUrl
                 type: object
+              managedRoutes:
+                items:
+                  description: |-
+                    ObjectRef is a reference to a Kubernetes object
+                    It is similar to types.NamespacedName but has the required json tags for serialization
+                  properties:
+                    name:
+                      type: string
+                    namespace:
+                      type: string
+                    uid:
+                      description: |-
+                        UID is a type that holds unique ID values, including UUIDs.  Because we
+                        don't ONLY use UUIDs, this is an alias to string.  Being a type captures
+                        intent and helps make sure that UIDs and names do not get conflated.
+                      type: string
+                  required:
+                  - name
+                  - namespace
+                  type: object
+                type: array
               namespace:
                 type: string
               teamApiGatewayRealm:
@@ -531,27 +583,6 @@ spec:
                 - name
                 - namespace
                 type: object
-              teamApiRoutes:
-                items:
-                  description: |-
-                    ObjectRef is a reference to a Kubernetes object
-                    It is similar to types.NamespacedName but has the required json tags for serialization
-                  properties:
-                    name:
-                      type: string
-                    namespace:
-                      type: string
-                    uid:
-                      description: |-
-                        UID is a type that holds unique ID values, including UUIDs.  Because we
-                        don't ONLY use UUIDs, this is an alias to string.  Being a type captures
-                        intent and helps make sure that UIDs and names do not get conflated.
-                      type: string
-                  required:
-                  - name
-                  - namespace
-                  type: object
-                type: array
             type: object
         type: object
         x-kubernetes-validations:

admin/config/samples/admin_v1_zone.yaml

@@ -28,9 +28,10 @@ spec:
     host: bla
     port: 0
     password: password
-  teamApis:
-    apis:
+  managedRoutes:
+    routes:
       - name: my-first-team-api
         path: /my/first/team/api
         url: https://somewhere.com/other/api/path
+        type: TeamAPI