crossplane-contrib · dariozachow · May 7, 2026 · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026
diff --git a/apis/cluster/groups/v1alpha1/zz_accesstoken_types.go b/apis/cluster/groups/v1alpha1/zz_accesstoken_types.go
diff --git a/apis/cluster/groups/v1alpha1/zz_generated.deepcopy.go b/apis/cluster/groups/v1alpha1/zz_generated.deepcopy.go
diff --git a/apis/cluster/projects/v1alpha1/zz_accesstoken_types.go b/apis/cluster/projects/v1alpha1/zz_accesstoken_types.go
diff --git a/apis/cluster/projects/v1alpha1/zz_generated.deepcopy.go b/apis/cluster/projects/v1alpha1/zz_generated.deepcopy.go
diff --git a/apis/namespaced/groups/v1alpha1/accesstoken_types.go b/apis/namespaced/groups/v1alpha1/accesstoken_types.go
@@ -25,6 +25,7 @@ import (
 
 // AccessTokenParameters define the desired state of a Gitlab access token
 // https://docs.gitlab.com/ee/api/access_tokens.html
+// +kubebuilder:validation:XValidation:rule="(has(self.expiresAt) ? 1 : 0) + (has(self.renewalPeriodDays) ? 1 : 0) == 1",message="exactly one of expiresAt or renewalPeriodDays must be set"
 type AccessTokenParameters struct {
 	// GroupID is the ID of the group to create the deploy token in.
 	// +optional
@@ -40,12 +41,20 @@ type AccessTokenParameters struct {
 	// +optional
 	GroupIDSelector *xpv1.NamespacedSelector `json:"groupIdSelector,omitempty"`
 
-	// Expiration date of the access token. The date cannot be set later than the maximum allowable lifetime of an access token.
-	// If not set, the maximum allowable lifetime of a group access token is configured to the maximum allowable lifetime limit.
-	// Expected in ISO 8601 format (2019-03-15T08:00:00Z)
-	// +nullable
-	// +immutable
-	ExpiresAt *metav1.Time `json:"expiresAt"`
+	// ExpiresAt is the expiration date of the access token in ISO 8601 format (2019-03-15T08:00:00Z).
+	// The date cannot be set later than the maximum allowable lifetime of an access token.
+	// Since GitLab 16.0, tokens must have an expiration date.
+	// Mutually exclusive with RenewalPeriodDays.
+	// +optional
+	ExpiresAt *metav1.Time `json:"expiresAt,omitempty"`
+
+	// RenewalPeriodDays is the number of days each token generation should live.
+	// When the token becomes inactive the provider rotates it, setting the new expiry to
+	// RenewalPeriodDays days from the rotation time.
+	// Mutually exclusive with ExpiresAt.
+	// +kubebuilder:validation:Minimum=1
+	// +optional
+	RenewalPeriodDays *int `json:"renewalPeriodDays,omitempty"`
 
 	// Access level for the group. Default is 40.
 	// Valid values are 10 (Guest), 20 (Reporter), 30 (Developer), 40 (Maintainer), and 50 (Owner).
@@ -62,14 +71,28 @@ type AccessTokenParameters struct {
 	// Name of the group access token
 	// +required
 	Name string `json:"name"`
+
+	// Description of the group access token
+	// WARNING: this field is only reconciled on expiration / revokation of the token
+	// +optional
+	Description *string `json:"description,omitempty"`
 }
 
 // AccessTokenObservation represents a access token.
 //
 // GitLab API docs:
 // https://docs.gitlab.com/ee/api/group_access_tokens.html
 type AccessTokenObservation struct {
-	TokenID *int64 `json:"id,omitempty"`
+	ID          int64        `json:"id"`
+	Name        string       `json:"name"`
+	Description string       `json:"description"`
+	UserID      int64        `json:"userId"`
+	Scopes      []string     `json:"scopes"`
+	ExpiresAt   *metav1.Time `json:"expiresAt,omitempty"`
+	Active      bool         `json:"active"`
+	CreatedAt   *metav1.Time `json:"createdAt"`
+	Revoked     bool         `json:"revoked"`
+	AccessLevel int64        `json:"accessLevel"`
 }
 
 // A AccessTokenSpec defines the desired state of a Gitlab group.

diff --git a/apis/namespaced/groups/v1alpha1/zz_generated.deepcopy.go b/apis/namespaced/groups/v1alpha1/zz_generated.deepcopy.go