feat(identity): register status.userUID field selector

Register AddFieldLabelConversionFunc for UserIdentity and Session
resources to enable status.userUID field selector, following the
same pattern as Activity API.

This allows staff users to query other users' identities and sessions
using fieldSelector=status.userUID=<user-id>.

The field selector validation happens at the API server level, and
authorization is enforced by the backend (auth-provider-zitadel)
which checks if the user is in the staff-users group.

Removed the HTTP filter approach in favor of proper scheme registration.

Author: OscarLlamas6

cmd/milo/apiserver/config.go

@@ -403,7 +403,6 @@ func DefaultBuildHandlerChain(apiHandler http.Handler, c *server.Config, loopbac
 	handler = datumfilters.UserContactGroupMembershipListConstraintDecorator(handler)
 	handler = datumfilters.UserContactGroupMembershipRemovalListConstraintDecorator(handler)
 	handler = datumfilters.ContactGroupVisibilityWithoutPrivateDecorator(handler)
-	handler = datumfilters.IdentityFieldSelectorPassthrough(handler)
 	handler = genericapifilters.WithRequestInfo(handler, c.RequestInfoResolver)
 	handler = genericapifilters.WithRequestReceivedTimestamp(handler)
 	// handler = genericapifilters.WithMuxAndDiscoveryComplete(handler, c.lifecycleSignals.MuxAndDiscoveryComplete.Signaled())

pkg/apis/identity/v1alpha1/register.go

@@ -1,6 +1,8 @@
 package v1alpha1
 
 import (
+	"fmt"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -36,11 +38,59 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 
-	// NOTE: We do NOT register field label conversion functions for UserIdentity and Session.
-	// These are virtual/proxy resources (not CRDs) that delegate to an external backend.
-	// Field selector validation is handled by the backend (auth-provider-zitadel), not by
-	// the Milo API server. Registering conversion functions here would cause the API server
-	// to validate field selectors and reject unknown ones before they reach the backend.
+	// Register field label conversions for UserIdentity
+	// This enables field selectors like status.userUID=<user-id> for staff users
+	userIdentityGVK := SchemeGroupVersion.WithKind("UserIdentity")
+	if err := scheme.AddFieldLabelConversionFunc(userIdentityGVK,
+		UserIdentityFieldLabelConversionFunc); err != nil {
+		return err
+	}
+
+	// Register field label conversions for Session
+	// This enables field selectors like status.userUID=<user-id> for staff users
+	sessionGVK := SchemeGroupVersion.WithKind("Session")
+	if err := scheme.AddFieldLabelConversionFunc(sessionGVK,
+		SessionFieldLabelConversionFunc); err != nil {
+		return err
+	}
 
 	return nil
 }
+
+// UserIdentityFieldLabelConversionFunc converts field selectors for UserIdentity resources.
+// This allows staff users to filter user identities by fields beyond the default metadata.name.
+func UserIdentityFieldLabelConversionFunc(label, value string) (string, string, error) {
+	switch label {
+	// Metadata fields (default Kubernetes fields)
+	case "metadata.name",
+		"metadata.namespace":
+		return label, value, nil
+
+	// Status fields (custom field selector for staff users)
+	case "status.userUID":
+		return label, value, nil
+
+	default:
+		return "", "", fmt.Errorf("%q is not a known field selector: only %q are supported",
+			label, []string{"metadata.name", "metadata.namespace", "status.userUID"})
+	}
+}
+
+// SessionFieldLabelConversionFunc converts field selectors for Session resources.
+// This allows staff users to filter sessions by fields beyond the default metadata.name.
+func SessionFieldLabelConversionFunc(label, value string) (string, string, error) {
+	switch label {
+	// Metadata fields (default Kubernetes fields)
+	case "metadata.name",
+		"metadata.namespace":
+		return label, value, nil
+
+	// Status fields (custom field selector for staff users)
+	case "status.userUID":
+		return label, value, nil
+
+	default:
+		return "", "", fmt.Errorf("%q is not a known field selector: only %q are supported",
+			label, []string{"metadata.name", "metadata.namespace", "status.userUID"})
+	}
+}