crossplane-contrib · henrysachs · May 26, 2026 · Apr 12, 2026 · Apr 12, 2026 · Apr 13, 2026
diff --git a/apis/cluster/instance/v1alpha1/zz_generated.deepcopy.go b/apis/cluster/instance/v1alpha1/zz_generated.deepcopy.go
diff --git a/apis/cluster/instance/v1alpha1/zz_serviceaccount_type.go b/apis/cluster/instance/v1alpha1/zz_serviceaccount_type.go
diff --git a/apis/common/v1alpha1/serviceaccount.go b/apis/common/v1alpha1/serviceaccount.go
@@ -48,4 +48,6 @@ type CommonServiceAccountObservation struct {
 	Username string `json:"username"`
 	// Email represents the email of the service account.
 	Email string `json:"email"`
+	// Admin represents whether the service account has admin privileges.
+	Admin bool `json:"admin"`
 }
diff --git a/apis/namespaced/instance/v1alpha1/serviceaccount_type.go b/apis/namespaced/instance/v1alpha1/serviceaccount_type.go
@@ -33,11 +33,30 @@ import (
 // ServiceAccountParameters defines the desired state of Gitlab Instance ServiceAccount
 type ServiceAccountParameters struct {
 	commonv1alpha1.CommonServiceAccountParameters `json:",inline"`
+
+	// Admin represents whether the service account has admin privileges.
+	// +optional
+	Admin *bool `json:"admin,omitempty"`
+	// BaselinePermissions represents the minimal permissions level for all top level groups.
+	// WARNING: If this field is set to a value other than "no-access", the service account will be added to all groups with at least the specified access level. This can lead to unintended consequences if not used carefully.
+	// WARNING: This DOES NOT remove the service account from groups if changed from a higher access level to a lower access level. It only adds the service account to groups if changed from a lower access level to a higher access level.
+	// +optional
+	// +kubebuilder:validation:Enum=no-access;minimal-access;guest;planner;reporter;security-manager;developer;maintainer;owner
+	BaselinePermissions *string `json:"baselinePermissions,omitempty"`
 }
 
 // ServiceAccountObservation represents the observed state of the Gitlab Instance ServiceAccount
 type ServiceAccountObservation struct {
 	commonv1alpha1.CommonServiceAccountObservation `json:",inline"`
+
+	// ServiceAccountBaselinePermissionsObservation represents the observed state of the service account's baseline permissions, which is used to determine if the service account is missing permissions for any top level groups or has the wrong permissions for any top level groups.
+	ServiceAccountBaselinePermissionsObservation `json:",inline"`
+}
+
+// ServiceAccountBaselinePermissionsObservation represents the observed state of the service account's baseline permissions, which is used to determine if the service account is missing permissions for any top level groups or has the wrong permissions for any top level groups.
+type ServiceAccountBaselinePermissionsObservation struct {
+	MissingMemberShipGroups []int64 `json:"missingMembershipGroups,omitempty"`
+	WrongPermissionsGroups  []int64 `json:"wrongPermissionsGroups,omitempty"`
 }
 
 // A ServiceAccountSpec defines the desired state of a GitLab instance service account.

diff --git a/apis/namespaced/instance/v1alpha1/zz_generated.deepcopy.go b/apis/namespaced/instance/v1alpha1/zz_generated.deepcopy.go
diff --git a/examples/instance/serviceaccount.yaml b/examples/instance/serviceaccount.yaml
@@ -13,3 +13,7 @@ spec:
     username: example-service-account
     # WARNING: field is immutable after creation
     # email: example@example.com
+    # WARNING: dangerous field, it will grant admin permissions to the service account
+    # admin: true
+    # WARNING: dangerous field, it will grant developer permissions on all top level groups to the service account
+    # baselinePermissions: developer
diff --git a/package/crds/groups.gitlab.crossplane.io_serviceaccounts.yaml b/package/crds/groups.gitlab.crossplane.io_serviceaccounts.yaml
@@ -258,6 +258,10 @@ spec:
               atProvider:
                 description: Represents the observed state of the ServiceAccount.
                 properties:
+                  admin:
+                    description: Admin represents whether the service account has
+                      admin privileges.
+                    type: boolean
                   email:
                     description: Email represents the email of the service account.
                     type: string
@@ -273,6 +277,7 @@ spec:
                       account.
                     type: string
                 required:
+                - admin
                 - email
                 - id
                 - name

diff --git a/package/crds/groups.gitlab.m.crossplane.io_serviceaccounts.yaml b/package/crds/groups.gitlab.m.crossplane.io_serviceaccounts.yaml
@@ -222,6 +222,10 @@ spec:
               atProvider:
                 description: Represents the observed state of the ServiceAccount.
                 properties:
+                  admin:
+                    description: Admin represents whether the service account has
+                      admin privileges.
+                    type: boolean
                   email:
                     description: Email represents the email of the service account.
                     type: string
@@ -237,6 +241,7 @@ spec:
                       account.
                     type: string
                 required:
+                - admin
                 - email
                 - id
                 - name

diff --git a/package/crds/instance.gitlab.crossplane.io_serviceaccounts.yaml b/package/crds/instance.gitlab.crossplane.io_serviceaccounts.yaml
@@ -73,6 +73,26 @@ spec:
               forProvider:
                 description: Defines the desired state of the ServiceAccount.
                 properties:
+                  admin:
+                    description: Admin represents whether the service account has
+                      admin privileges.
+                    type: boolean
+                  baselinePermissions:
+                    description: |-
+                      BaselinePermissions represents the minimal permissions level for all top level groups.
+                      WARNING: If this field is set to a value other than "no-access", the service account will be added to all groups with at least the specified access level. This can lead to unintended consequences if not used carefully.
+                      WARNING: This DOES NOT remove the service account from groups if changed from a higher access level to a lower access level. It only adds the service account to groups if changed from a lower access level to a higher access level.
+                    enum:
+                    - no-access
+                    - minimal-access
+                    - guest
+                    - planner
+                    - reporter
+                    - security-manager
+                    - developer
+                    - maintainer
+                    - owner
+                    type: string
                   email:
                     description: email represents the email of the service account.
                     type: string
@@ -177,21 +197,36 @@ spec:
               atProvider:
                 description: Represents the observed state of the ServiceAccount.
                 properties:
+                  admin:
+                    description: Admin represents whether the service account has
+                      admin privileges.
+                    type: boolean
                   email:
                     description: Email represents the email of the service account.
                     type: string
                   id:
                     description: ID is the unique identifier of the service account.
                     format: int64
                     type: integer
+                  missingMembershipGroups:
+                    items:
+                      format: int64
+                      type: integer
+                    type: array
                   name:
                     description: Name represents the display name of the service account.
                     type: string
                   username:
                     description: Username represents the user @ name of the service
                       account.
                     type: string
+                  wrongPermissionsGroups:
+                    items:
+                      format: int64
+                      type: integer
+                    type: array
                 required:
+                - admin
                 - email
                 - id
                 - name

diff --git a/package/crds/instance.gitlab.m.crossplane.io_serviceaccounts.yaml b/package/crds/instance.gitlab.m.crossplane.io_serviceaccounts.yaml
@@ -59,6 +59,26 @@ spec:
               forProvider:
                 description: Defines the desired state of the ServiceAccount.
                 properties:
+                  admin:
+                    description: Admin represents whether the service account has
+                      admin privileges.
+                    type: boolean
+                  baselinePermissions:
+                    description: |-
+                      BaselinePermissions represents the minimal permissions level for all top level groups.
+                      WARNING: If this field is set to a value other than "no-access", the service account will be added to all groups with at least the specified access level. This can lead to unintended consequences if not used carefully.
+                      WARNING: This DOES NOT remove the service account from groups if changed from a higher access level to a lower access level. It only adds the service account to groups if changed from a lower access level to a higher access level.
+                    enum:
+                    - no-access
+                    - minimal-access
+                    - guest
+                    - planner
+                    - reporter
+                    - security-manager
+                    - developer
+                    - maintainer
+                    - owner
+                    type: string
                   email:
                     description: email represents the email of the service account.
                     type: string
@@ -135,21 +155,36 @@ spec:
               atProvider:
                 description: Represents the observed state of the ServiceAccount.
                 properties:
+                  admin:
+                    description: Admin represents whether the service account has
+                      admin privileges.
+                    type: boolean
                   email:
                     description: Email represents the email of the service account.
                     type: string
                   id:
                     description: ID is the unique identifier of the service account.
                     format: int64
                     type: integer
+                  missingMembershipGroups:
+                    items:
+                      format: int64
+                      type: integer
+                    type: array
                   name:
                     description: Name represents the display name of the service account.
                     type: string
                   username:
                     description: Username represents the user @ name of the service
                       account.
                     type: string
+                  wrongPermissionsGroups:
+                    items:
+                      format: int64
+                      type: integer
+                    type: array
                 required:
+                - admin
                 - email
                 - id
                 - name

diff --git a/pkg/cluster/clients/groups/fake/zz_fake.go b/pkg/cluster/clients/groups/fake/zz_fake.go