[KGLOBAL-6770] Add cluster-link namespace to rbac role commands

[Yuan (yhe-confluent)]

Release Notes

New Features

• Add the cluster-link namespace to confluent iam rbac role list and confluent iam rbac role describe, so ClusterLink RBAC roles (e.g. ClusterLinkConnection) are listed and described in Confluent Cloud.
• Introduce a new LaunchDarkly feature flag cluster.link.rbac.namespace.cli.enable (default false) that gates the cluster-link namespace. The roles stay hidden until the flag is enabled per environment.

Checklist

• I have successfully built and used a custom CLI binary, without linter issues from this PR.
• I have clearly specified in the What section below whether this PR applies to Confluent Cloud, Confluent Platform, or both.
• I have verified this PR in Confluent Cloud pre-prod or production environment, if applicable.
• I have verified this PR in Confluent Platform on-premises environment, if applicable.
• I have attached manual CLI verification results or screenshots in the Test & Review section below.
• I have added appropriate CLI integration or unit tests for any new or updated commands and functionality.
• I confirm that this PR introduces no breaking changes or backward compatibility issues.
• I have indicated the potential customer impact if something goes wrong in the Blast Radius section below.
• I have put checkmarks below confirming that the feature associated with this PR is enabled in:
  • Confluent Cloud prod
  • Confluent Cloud stag
  • Confluent Platform
  • Check this box if the feature is enabled for certain organizations only

What

Applies to: Confluent Cloud only.

Adds the cluster-link namespace to the CCloud allowlist for confluent iam rbac role list and confluent iam rbac role describe, so customers can discover and describe ClusterLink RBAC roles via the CLI.

The namespace is defined in cc-role-definitions:
role-definitions/src/main/resources/role-definitions/ClusterLinkConnection.yaml has namespace: cluster-link.

The namespace addition mirrors #3186 (which added the usm namespace), and the new flag gating mirrors how the Flink RBAC namespaces are gated in role describe (flink.rbac.namespace.cli.enable):

• internal/iam/command_rbac.go — declare clusterLinkNamespace
• internal/iam/command_rbac_role_describe.go — append cluster-link to namespacesList when cluster.link.rbac.namespace.cli.enable is enabled
• internal/iam/command_rbac_role_list.go — fetch and append cluster-link roles in ccloudList when the flag is enabled
• test/test-server/ccloud_handlers.go — mock LD response returns the flag enabled so integration goldens exercise the on path

The new LaunchDarkly flag cluster.link.rbac.namespace.cli.enable lives in the default (Confluent Cloud) LD project, defaults to false, and is currently enabled in devel only (off in stag/prod) — keeping ClusterLink roles hidden where the ClusterLink resource type is not yet deployed.

Phase 1 of the Cluster Link RBAC project: source-initiated cluster link service account authorization. Companion UI change in confluentinc/frontend-vault (#26611).

Blast Radius

Minimal. Strictly additive and gated behind a LaunchDarkly flag that defaults to false, so there is no customer-visible change until the flag is enabled per environment. When enabled, the change adds one extra namespace fetch to two CCloud-only commands. Worst case if cc-rbac returns an error for the cluster-link namespace query, the command would fail with that error instead of returning the rest of the roles. Existing namespaces (public, usm, dataplane, etc.) are unaffected.

References

• JIRA: KGLOBAL-6770 — Enable new roles in CLI
• Related: KGLOBAL-917 — Phase 1 epic
• Pattern reference: [APIE-587] Add USM namespace for role bindings #3186 (USM namespace); Flink namespace flag gating (flink.rbac.namespace.cli.enable)
• LaunchDarkly flag: cluster.link.rbac.namespace.cli.enable (project default)
• Role definition: confluentinc/cc-role-definitions PR #418
• Companion UI PR: confluentinc/frontend-vault#26611

Test & Review

Integration tests

• TestCLI/TestIamRbacRole_Cloud/iam_rbac_role_list — pass
• TestCLI/TestIamRbacRole_Cloud/iam_rbac_role_describe_* — pass
• TestCLI/TestIamRbacRole_OnPrem — pass
• test/fixtures/output/iam/rbac/role/list-cloud.golden updated via -update. The mock test server is now namespace-aware: returns a distinct ClusterLinkConnection role only when ?namespace=cluster-link is requested (addresses Copilot's review feedback on test fidelity).

Manual verification — devel environment

Verified against devel.cpdev.cloud (the environment where cc-role-definitions v8.3.0-57 defining ClusterLinkConnection in the cluster-link namespace is deployed).

Before (stable CLI v4.34.0, Git Ref 3911a5b0 — no cluster-link namespace queried):

$ confluent iam rbac role describe ClusterLinkConnection
Error: unknown role "ClusterLinkConnection"

Suggestions:
    The available roles are "AccountAdmin", "Assigner", "CloudClusterAdmin", "DataDiscovery", "DataSteward", "DeveloperManage", "DeveloperRead", "DeveloperWrite", "EnvironmentAdmin", "FlinkAdmin", "FlinkDeveloper", "FlinkFunctionDeveloper", "KsqlAdmin", "MetricsViewer", "Operator", "OrganizationAdmin", "ResourceKeyAdmin", "ResourceOwner", and "UsmOperator".

$ confluent iam rbac role list -o json | jq '.[] | select(.name=="ClusterLinkConnection")'
(empty — role not visible)

After (custom binary built from this branch at commit bb89541b):

$ confluent iam rbac role describe ClusterLinkConnection
+---------------+----------------------------------------+
| Name          | ClusterLinkConnection                  |
| Access Policy | [                                      |
|               |   {                                    |
|               |     "bindingScope": "cluster",         |
|               |     "bindWithResource": true,          |
|               |     "allowedOperations": [             |
|               |       {                                |
|               |         "resourceType": "ClusterLink", |
|               |         "operations": [                |
|               |           "Describe",                  |
|               |           "AcceptInboundConnection",   |
|               |           "StartOutboundConnection"    |
|               |         ]                              |
|               |       }                                |
|               |     ]                                  |
|               |   }                                    |
|               | ]                                      |
|               |                                        |
+---------------+----------------------------------------+

$ confluent iam rbac role list -o json | jq '.[] | select(.name=="ClusterLinkConnection")'
{
  "name": "ClusterLinkConnection",
  "policies": [
    {
      "bindingScope": "cluster",
      "bindWithResource": true,
      "allowedOperations": [
        {
          "resourceType": "ClusterLink",
          "operations": [
            "Describe",
            "AcceptInboundConnection",
            "StartOutboundConnection"
          ]
        }
      ]
    }
  ]
}

Both behaviors match expectations: the role is invisible to the stable CLI (no cluster-link namespace queried) and fully visible to the custom binary (queries cluster-link and surfaces the role).

[confluent-cla-assistant]

🎉 All Contributor License Agreements have been signed. Ready to merge.
_{Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.}

[Copilot]

Pull request overview

This PR extends the Confluent Cloud RBAC role commands to include the cluster-link namespace so Cluster Link RBAC roles can be surfaced by confluent iam rbac role list and confluent iam rbac role describe.

Changes:

• Added cluster-link to the namespace allowlist used by RBAC role describe.
• Added an additional namespace fetch in RBAC role list for cluster-link.
• Updated the cloud golden output fixture to reflect the additional namespace fetch.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
internal/iam/command_rbac.go	Adds clusterLinkNamespace constant for reuse across RBAC commands.
internal/iam/command_rbac_role_list.go	Fetches and appends roles from the cluster-link namespace during cloud role listing.
internal/iam/command_rbac_role_describe.go	Includes cluster-link in the set of namespaces searched for role details in cloud mode.
test/fixtures/output/iam/rbac/role/list-cloud.golden	Updates expected output for iam rbac role list in cloud tests after adding a third namespace fetch.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Daniel Ayaz (danielayaz)]

Looks good; just need the manual verification done and I can approve

[Yuan (yhe-confluent)]

Daniel Ayaz (@danielayaz) manual verification done — captured against devel.cpdev.cloud and added to the PR body's Test & Review section. Summary:

• Stable CLI v4.34.0: role describe ClusterLinkConnection → Error: unknown role; role list | jq → empty.
• Custom binary from this branch (commit bb89541b): role describe returns the full ClusterLinkConnection role detail; role list -o json includes it.

Both checklist items now ticked: "successfully built and used a custom CLI binary" + "verified in Confluent Cloud pre-prod" + "attached manual CLI verification results". Ready for your approval whenever you have a minute.

[Cynthia Qin (cqin-confluent)]

LGTM 👍 Let’s hold off on merging for now while we align on the rollout plan.