feat(identity): register status.userUID as valid field selector

Add field label conversion functions for UserIdentity and Session
resources to enable status.userUID as a supported field selector.
This allows the API server to validate field selector queries before
passing them to the backend provider.

Changes:
- Add UserIdentityFieldLabelConversionFunc for UserIdentity resources
- Add SessionFieldLabelConversionFunc for Session resources
- Register both conversion functions in addKnownTypes
- Support field selectors: metadata.name, metadata.namespace, status.userUID

This fixes the error:
  "status.userUID" is not a known field selector: only "metadata.name", "metadata.namespace"

Now staff users can successfully query:
  kubectl get useridentities --field-selector=status.userUID=<user-id>

Related: PR feedback on field selector validation

Author: OscarLlamas6

pkg/apis/identity/v1alpha1/register.go

@@ -1,6 +1,8 @@
 package v1alpha1
 
 import (
+	"fmt"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -35,5 +37,60 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&UserIdentityList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+
+	// Register field label conversions for UserIdentity
+	// This enables field selectors like status.userUID=<user-id> for staff users
+	userIdentityGVK := SchemeGroupVersion.WithKind("UserIdentity")
+	if err := scheme.AddFieldLabelConversionFunc(userIdentityGVK,
+		UserIdentityFieldLabelConversionFunc); err != nil {
+		return err
+	}
+
+	// Register field label conversions for Session
+	// This enables field selectors like status.userUID=<user-id> for staff users
+	sessionGVK := SchemeGroupVersion.WithKind("Session")
+	if err := scheme.AddFieldLabelConversionFunc(sessionGVK,
+		SessionFieldLabelConversionFunc); err != nil {
+		return err
+	}
+
 	return nil
 }
+
+// UserIdentityFieldLabelConversionFunc converts field selectors for UserIdentity resources.
+// This allows staff users to filter user identities by fields beyond the default metadata.name.
+func UserIdentityFieldLabelConversionFunc(label, value string) (string, string, error) {
+	switch label {
+	// Metadata fields (default Kubernetes fields)
+	case "metadata.name",
+		"metadata.namespace":
+		return label, value, nil
+
+	// Status fields (custom field selector for staff users)
+	case "status.userUID":
+		return label, value, nil
+
+	default:
+		return "", "", fmt.Errorf("%q is not a known field selector: only %q are supported",
+			label, []string{"metadata.name", "metadata.namespace", "status.userUID"})
+	}
+}
+
+// SessionFieldLabelConversionFunc converts field selectors for Session resources.
+// This allows staff users to filter sessions by fields beyond the default metadata.name.
+func SessionFieldLabelConversionFunc(label, value string) (string, string, error) {
+	switch label {
+	// Metadata fields (default Kubernetes fields)
+	case "metadata.name",
+		"metadata.namespace":
+		return label, value, nil
+
+	// Status fields (custom field selector for staff users)
+	case "status.userUID":
+		return label, value, nil
+
+	default:
+		return "", "", fmt.Errorf("%q is not a known field selector: only %q are supported",
+			label, []string{"metadata.name", "metadata.namespace", "status.userUID"})
+	}
+}