feat(approval): implement FourEyes approval strategy with Semigranted state (#299)

Author: ron96g

approval/api/v1/approval_types.go

@@ -28,15 +28,16 @@ type ApprovalSpec struct {
 	Decider Decider `json:"decider,omitempty"`
 
 	// Decisions contains information about who or what changed this approval
-	Decisions []Decision `json:"decisions,omitempty"`
+	// +kubebuilder:default={}
+	Decisions []Decision `json:"decisions"`
 
 	// Strategy defines the strategy that was used to approve the request
 	// +kubebuilder:validation:Enum=Auto;Simple;FourEyes
 	// +kubebuilder:default=Auto
 	Strategy ApprovalStrategy `json:"strategy"`
 
 	// State defines the state of the approval
-	// +kubebuilder:validation:Enum=Pending;Granted;Rejected;Suspended
+	// +kubebuilder:validation:Enum=Pending;Semigranted;Granted;Rejected;Suspended
 	// +kubebuilder:default=Pending
 	State ApprovalState `json:"state"`
 
@@ -56,7 +57,7 @@ type ApprovalStatus struct {
 	AvailableTransitions AvailableTransitions `json:"availableTransitions,omitempty"`
 
 	// LastState defines the last state of the approval
-	// +kubebuilder:validation:Enum=Pending;Granted;Rejected;Suspended
+	// +kubebuilder:validation:Enum=Pending;Semigranted;Granted;Rejected;Suspended
 	// +kubebuilder:default=Pending
 	LastState ApprovalState `json:"lastState,omitempty"`
 

approval/api/v1/approvalrequest_types.go

@@ -27,7 +27,8 @@ type ApprovalRequestSpec struct {
 	Decider Decider `json:"decider,omitempty"`
 
 	// Decisions contains information about who or what changed this approval
-	Decisions []Decision `json:"decisions,omitempty"`
+	// +kubebuilder:default={}
+	Decisions []Decision `json:"decisions"`
 
 	// Strategy defines the strategy that was used to approve the request
 	// +kubebuilder:validation:Enum=Auto;Simple;FourEyes

approval/api/v1/builder/builder.go

@@ -168,7 +168,21 @@ func (b *approvalBuilder) Build(ctx context.Context) (finalResult ApprovalResult
 
 		if approvalReq.Spec.Strategy == v1.ApprovalStrategyAuto {
 			approvalReq.Spec.State = v1.ApprovalStateGranted
+			if len(approvalReq.Spec.Decisions) == 0 {
+				approvalReq.Spec.Decisions = append(approvalReq.Spec.Decisions, v1.Decision{
+					Name:           "System",
+					Comment:        v1.AutoApprovedComment,
+					ResultingState: v1.ApprovalStateGranted,
+				})
+			}
 		}
+
+		v1.SetApprovalLabels(approvalReq, approvalReq.Spec.Target,
+			approvalReq.Spec.Requester.TeamName,
+			approvalReq.Spec.Decider.TeamName,
+			approvalReq.Spec.Action,
+			string(approvalReq.Spec.Strategy))
+
 		return nil
 	}
 

approval/api/v1/builder/builder_test.go

@@ -117,6 +117,20 @@ var _ = Describe("Approval Builder", Ordered, func() {
 				g.Expect(ar.Spec.Strategy).To(BeEquivalentTo("Auto"))
 				g.Expect(ar.Spec.State).To(BeEquivalentTo("Granted"))
 
+				By("Checking the AUTO-approved decision was added")
+				g.Expect(ar.Spec.Decisions).To(HaveLen(1))
+				g.Expect(ar.Spec.Decisions[0].Name).To(Equal("System"))
+				g.Expect(ar.Spec.Decisions[0].Comment).To(Equal(approvalv1.AutoApprovedComment))
+				g.Expect(ar.Spec.Decisions[0].ResultingState).To(Equal(approvalv1.ApprovalStateGranted))
+
+				By("Checking the filtering labels were set on the ApprovalRequest")
+				g.Expect(ar.Labels[approvalv1.TargetKindLabelKey]).To(Equal("testresource"))
+				g.Expect(ar.Labels[approvalv1.TargetNameLabelKey]).To(Equal("apisub"))
+				g.Expect(ar.Labels[approvalv1.RequesterTeamLabelKey]).To(Equal("max"))
+				g.Expect(ar.Labels[approvalv1.DeciderTeamLabelKey]).To(Equal(""))
+				g.Expect(ar.Labels[approvalv1.ActionLabelKey]).To(Equal(""))
+				g.Expect(ar.Labels[approvalv1.ApprovalStrategyLabelKey]).To(Equal("auto"))
+
 				testutil.ExpectConditionToBeFalse(g, meta.FindStatusCondition(builder.GetOwner().GetConditions(), ConditionTypeApprovalGranted), "Pending")
 
 				appr := &approvalv1.Approval{}
@@ -213,6 +227,18 @@ var _ = Describe("Approval Builder", Ordered, func() {
 			// Verify that the strategy was overridden to Auto
 			Expect(ar.Spec.Strategy).To(Equal(approvalv1.ApprovalStrategyAuto))
 			Expect(ar.Spec.State).To(Equal(approvalv1.ApprovalStateGranted))
+
+			By("Checking the AUTO-approved decision was added for trusted requester")
+			Expect(ar.Spec.Decisions).To(HaveLen(1))
+			Expect(ar.Spec.Decisions[0].Name).To(Equal("System"))
+			Expect(ar.Spec.Decisions[0].Comment).To(Equal(approvalv1.AutoApprovedComment))
+			Expect(ar.Spec.Decisions[0].ResultingState).To(Equal(approvalv1.ApprovalStateGranted))
+
+			By("Checking the filtering labels reflect the overridden Auto strategy")
+			Expect(ar.Labels[approvalv1.TargetKindLabelKey]).To(Equal("testresource"))
+			Expect(ar.Labels[approvalv1.TargetNameLabelKey]).To(Equal("apisub"))
+			Expect(ar.Labels[approvalv1.RequesterTeamLabelKey]).To(Equal("trustedteam"))
+			Expect(ar.Labels[approvalv1.ApprovalStrategyLabelKey]).To(Equal("auto"))
 		})
 	})
 
@@ -261,6 +287,18 @@ var _ = Describe("Approval Builder", Ordered, func() {
 			res, err := builder.Build(ctx)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(res).To(Equal(ApprovalResultGranted)) // There were no changes and Approval is granted
+
+			By("Checking the filtering labels on the ApprovalRequest")
+			ar := &approvalv1.ApprovalRequest{}
+			err = k8sClient.Get(ctx, client.ObjectKey{
+				Name:      builder.GetApprovalRequest().Name,
+				Namespace: testNamespace,
+			}, ar)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(ar.Labels[approvalv1.TargetKindLabelKey]).To(Equal("testresource"))
+			Expect(ar.Labels[approvalv1.TargetNameLabelKey]).To(Equal("apisub"))
+			Expect(ar.Labels[approvalv1.RequesterTeamLabelKey]).To(Equal("max"))
+			Expect(ar.Labels[approvalv1.ApprovalStrategyLabelKey]).To(Equal("auto"))
 		})
 
 		It("should handle an already rejected Approval", func() {

approval/api/v1/common_types.go

@@ -6,9 +6,11 @@ package v1
 
 import (
 	"encoding/json"
+
 	ctypes "github.com/telekom/controlplane/common/pkg/types"
 
 	"github.com/pkg/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -20,6 +22,9 @@ const (
 	ApprovalStrategyFourEyes ApprovalStrategy = "FourEyes"
 )
 
+// AutoApprovedComment is the comment added to auto-approved ApprovalRequests.
+const AutoApprovedComment = "Auto-approved: The approval strategy does not require manual review."
+
 type ApprovalAction string
 
 const (
@@ -123,4 +128,14 @@ type Decision struct {
 
 	// Comment provided by the person making the decision
 	Comment string `json:"comment,omitempty"`
+
+	// Timestamp of when the decision was made
+	// +optional
+	Timestamp *metav1.Time `json:"timestamp,omitempty"`
+
+	// ResultingState is the state the resource transitioned to as a result of this decision.
+	// Automatically set by the defaulting webhook to match Spec.State when not provided.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Enum=Pending;Semigranted;Granted;Rejected;Suspended;Expired
+	ResultingState ApprovalState `json:"resultingState"`
 }

approval/api/v1/labels.go

@@ -0,0 +1,37 @@
+// Copyright 2025 Deutsche Telekom IT GmbH
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package v1
+
+import (
+	"github.com/telekom/controlplane/common/pkg/config"
+	"github.com/telekom/controlplane/common/pkg/types"
+	"github.com/telekom/controlplane/common/pkg/util/labelutil"
+)
+
+// Label keys for filtering ApprovalRequest and Approval resources.
+var (
+	TargetKindLabelKey       = config.BuildLabelKey("target.kind")
+	TargetNameLabelKey       = config.BuildLabelKey("target.name")
+	RequesterTeamLabelKey    = config.BuildLabelKey("requester.team")
+	DeciderTeamLabelKey      = config.BuildLabelKey("decider.team")
+	ActionLabelKey           = config.BuildLabelKey("action")
+	ApprovalStrategyLabelKey = config.BuildLabelKey("approval.strategy")
+)
+
+// SetApprovalLabels sets filtering labels on an ApprovalRequest or Approval resource.
+// These labels allow discovering resources without knowing their exact (hashed) name.
+func SetApprovalLabels(obj types.Object, target types.TypedObjectRef, requester, decider, action, strategy string) {
+	labels := obj.GetLabels()
+	if labels == nil {
+		labels = map[string]string{}
+	}
+	labels[TargetKindLabelKey] = labelutil.NormalizeLabelValue(target.Kind)
+	labels[TargetNameLabelKey] = labelutil.NormalizeLabelValue(target.Name)
+	labels[RequesterTeamLabelKey] = labelutil.NormalizeLabelValue(requester)
+	labels[DeciderTeamLabelKey] = labelutil.NormalizeLabelValue(decider)
+	labels[ActionLabelKey] = labelutil.NormalizeLabelValue(action)
+	labels[ApprovalStrategyLabelKey] = labelutil.NormalizeLabelValue(strategy)
+	obj.SetLabels(labels)
+}

approval/api/v1/zz_generated.deepcopy.go

@@ -103,6 +103,7 @@ spec:
                     type: string
                 type: object
               decisions:
+                default: []
                 description: Decisions contains information about who or what changed
                   this approval
                 items:
@@ -116,8 +117,25 @@ spec:
                     name:
                       description: Name of the person making the decision
                       type: string
+                    resultingState:
+                      description: |-
+                        ResultingState is the state the resource transitioned to as a result of this decision.
+                        Automatically set by the defaulting webhook to match Spec.State when not provided.
+                      enum:
+                      - Pending
+                      - Semigranted
+                      - Granted
+                      - Rejected
+                      - Suspended
+                      - Expired
+                      type: string
+                    timestamp:
+                      description: Timestamp of when the decision was made
+                      format: date-time
+                      type: string
                   required:
                   - name
+                  - resultingState
                   type: object
                 type: array
               requester:
@@ -230,6 +248,7 @@ spec:
                 type: object
             required:
             - action
+            - decisions
             - requester
             - state
             - strategy

approval/config/crd/bases/approval.cp.ei.telekom.de_approvalrequests.yaml

@@ -121,6 +121,7 @@ spec:
                     type: string
                 type: object
               decisions:
+                default: []
                 description: Decisions contains information about who or what changed
                   this approval
                 items:
@@ -134,8 +135,25 @@ spec:
                     name:
                       description: Name of the person making the decision
                       type: string
+                    resultingState:
+                      description: |-
+                        ResultingState is the state the resource transitioned to as a result of this decision.
+                        Automatically set by the defaulting webhook to match Spec.State when not provided.
+                      enum:
+                      - Pending
+                      - Semigranted
+                      - Granted
+                      - Rejected
+                      - Suspended
+                      - Expired
+                      type: string
+                    timestamp:
+                      description: Timestamp of when the decision was made
+                      format: date-time
+                      type: string
                   required:
                   - name
+                  - resultingState
                   type: object
                 type: array
               requester:
@@ -200,6 +218,7 @@ spec:
                 description: State defines the state of the approval
                 enum:
                 - Pending
+                - Semigranted
                 - Granted
                 - Rejected
                 - Suspended
@@ -248,6 +267,7 @@ spec:
                 type: object
             required:
             - action
+            - decisions
             - requester
             - state
             - strategy
@@ -332,6 +352,7 @@ spec:
                 description: LastState defines the last state of the approval
                 enum:
                 - Pending
+                - Semigranted
                 - Granted
                 - Rejected
                 - Suspended

approval/config/crd/bases/approval.cp.ei.telekom.de_approvals.yaml

@@ -0,0 +1,29 @@
+# Copyright 2025 Deutsche Telekom IT GmbH
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: approval.cp.ei.telekom.de/v1
+kind: ApprovalRequest
+metadata:
+  labels:
+    app.kubernetes.io/name: approval
+    app.kubernetes.io/managed-by: kustomize
+    cp.ei.telekom.de/environment: default
+  name: foo-bar-v1--my-foureyes-app
+spec:
+  requester:
+    email: workspace-b@telekom.de
+    name: Workspace-b
+
+  target:
+    kind: ApiExposure
+    name: foo-bar-v1
+    namespace: default
+  source:
+    kind: ApiSubscription
+    name: my-app--foo-bar-v1
+    namespace: default
+
+  strategy: FourEyes
+  state: Pending
+  reason: "I need to access the API foo-bar-v1 (requires two approvals)"