Kubeconfig

Kubeconfig CRD schema reference (group operator.kcp.io)

Kubeconfig is the Schema for the kubeconfigs API
Full name: kubeconfigs.operator.kcp.io
Group: operator.kcp.io
Singular name: kubeconfig
Plural name: kubeconfigs
Scope: Namespaced
Versions: v1alpha1

Version v1alpha1

Properties

.apiVersion

string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

.kind

string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

.metadata

object

.spec

object

KubeconfigSpec defines the desired state of Kubeconfig.

.spec.certificateTemplate

object

CertificateTemplate allows customizing the properties of the generated certificate for this kubeconfig.

.spec.certificateTemplate.metadata

object

.spec.certificateTemplate.metadata.annotations

object

Annotations is a key value map to be copied to the target Certificate.

.spec.certificateTemplate.metadata.labels

object

Labels is a key value map to be copied to the target Certificate.

.spec.certificateTemplate.spec

object

.spec.certificateTemplate.spec.dnsNames

array

Requested DNS subject alternative names. The values given here will be merged into the DNS names determined automatically by the kcp-operator.

.spec.certificateTemplate.spec.dnsNames[*]

string

.spec.certificateTemplate.spec.duration

string

Requested ‘duration’ (i.e. lifetime) of the Certificate. Note that the issuer may choose to ignore the requested duration, just like any other requested attribute.

If unset, this defaults to 90 days. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.

.spec.certificateTemplate.spec.ipAddresses

array

Requested IP address subject alternative names. The values given here will be merged into the DNS names determined automatically by the kcp-operator.

.spec.certificateTemplate.spec.ipAddresses[*]

string

.spec.certificateTemplate.spec.privateKey

object

Private key options. These include the key algorithm and size, the used encoding and the rotation policy.

.spec.certificateTemplate.spec.privateKey.algorithm

string

Algorithm is the private key algorithm of the corresponding private key for this certificate.

If provided, allowed values are either RSA, ECDSA or Ed25519. If algorithm is specified and size is not provided, a key size of 2048 will be used for the RSA key algorithm and a key size of 256 will be used for the ECDSA key algorithm. Key size is ignored when using the Ed25519 key algorithm.

.spec.certificateTemplate.spec.privateKey.encoding

string

The Public-Key Cryptography Standards (PKCS) encoding in which this certificate’s private key is to be encoded.

If provided, allowed values are PKCS1 and PKCS8 standing for PKCS#1 and PKCS#8, respectively. Defaults to PKCS1 if not specified.

.spec.certificateTemplate.spec.privateKey.rotationPolicy

string

RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed.

If set to Never, a private key will only be generated if one does not already exist in the target spec.secretName. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is Never for backward compatibility.

.spec.certificateTemplate.spec.privateKey.size

integer

Size is the key bit size of the corresponding private key for this certificate.

If algorithm is set to RSA, valid values are 2048, 4096 or 8192, and will default to 2048 if not specified. If algorithm is set to ECDSA, valid values are 256, 384 or 521, and will default to 256 if not specified. If algorithm is set to Ed25519, Size is ignored. No other values are allowed.

.spec.certificateTemplate.spec.renewBefore

string

How long before the currently issued certificate’s expiry cert-manager should renew the certificate. For example, if a certificate is valid for 60 minutes, and renewBefore=10m, cert-manager will begin to attempt to renew the certificate 50 minutes after it was issued (i.e. when there are 10 minutes remaining until the certificate is no longer valid).

NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate.

If unset, this defaults to 1/3 of the issued certificate’s lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. Cannot be set if the renewBeforePercentage field is set.

.spec.certificateTemplate.spec.secretTemplate

object

Defines annotations and labels to be copied to the Certificate’s Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate’s Secret.

.spec.certificateTemplate.spec.secretTemplate.annotations

object

Annotations is a key value map to be copied to the target Kubernetes Secret.

.spec.certificateTemplate.spec.secretTemplate.labels

object

Labels is a key value map to be copied to the target Kubernetes Secret.

.spec.certificateTemplate.spec.subject

object

Requested set of X509 certificate subject attributes. More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6

.spec.certificateTemplate.spec.subject.countries

array

Countries to be used on the Certificate.

.spec.certificateTemplate.spec.subject.countries[*]

string

.spec.certificateTemplate.spec.subject.localities

array

Cities to be used on the Certificate.

.spec.certificateTemplate.spec.subject.localities[*]

string

.spec.certificateTemplate.spec.subject.organizationalUnits

array

Organizational Units to be used on the Certificate.

.spec.certificateTemplate.spec.subject.organizationalUnits[*]

string

.spec.certificateTemplate.spec.subject.organizations

array

Organizations to be used on the Certificate.

.spec.certificateTemplate.spec.subject.organizations[*]

string

.spec.certificateTemplate.spec.subject.postalCodes

array

Postal codes to be used on the Certificate.

.spec.certificateTemplate.spec.subject.postalCodes[*]

string

.spec.certificateTemplate.spec.subject.provinces

array

State/Provinces to be used on the Certificate.

.spec.certificateTemplate.spec.subject.provinces[*]

string

.spec.certificateTemplate.spec.subject.serialNumber

string

Serial number to be used on the Certificate.

.spec.certificateTemplate.spec.subject.streetAddresses

array

Street addresses to be used on the Certificate.

.spec.certificateTemplate.spec.subject.streetAddresses[*]

string

.spec.groups

array

Groups defines the groups embedded in the TLS certificate generated for this kubeconfig.

.spec.groups[*]

string

.spec.secretRef

object Required

SecretRef defines the v1.Secret object that the resulting kubeconfig should be written to.

.spec.secretRef.name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

.spec.target

object Required

Target configures which kcp-operator object this kubeconfig should be generated for (shard or front-proxy).

.spec.target.frontProxyRef

object

LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.

.spec.target.frontProxyRef.name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

.spec.target.rootShardRef

object

LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.

.spec.target.rootShardRef.name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

.spec.target.shardRef

object

LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.

.spec.target.shardRef.name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

.spec.username

string Required

Username defines the username embedded in the TLS certificate generated for this kubeconfig.

.spec.validity

string Required

Validity configures the lifetime of the embedded TLS certificate. The kubeconfig secret will be automatically regenerated when the certificate expires.
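A complete manifest that exercises the spec fields above, added here as an example and not taken from the kcp-operator project’s own documentation. The object name, namespace, group, label and subject values are constructed, and the RootShard named `root` is assumed to already exist in the same namespace.

```yaml
# Added example manifest (constructed values, not from the kcp-operator docs).
apiVersion: operator.kcp.io/v1alpha1
kind: Kubeconfig
metadata:
  name: platform-reader-kubeconfig   # constructed name
  namespace: kcp-system              # constructed namespace; Kubeconfig is Namespaced
spec:
  # Target exactly one kcp-operator object; here a RootShard assumed to exist.
  target:
    rootShardRef:
      name: root
  # Identity embedded in the client certificate: CN = username, groups as listed.
  username: platform-reader          # constructed
  groups:
    - platform:readers               # constructed group name
  # Lifetime of the embedded certificate (Go time.ParseDuration format).
  # The kubeconfig Secret is regenerated automatically when it expires.
  validity: 24h
  # The Secret the rendered kubeconfig is written to; protect it with RBAC,
  # since whoever can read it holds the client credential.
  secretRef:
    name: platform-reader-kubeconfig
  # Optional tuning of the cert-manager Certificate the operator creates.
  certificateTemplate:
    metadata:
      labels:
        team: platform                 # constructed; copied to the Certificate
    spec:
      privateKey:
        algorithm: ECDSA
        size: 256
        encoding: PKCS8
        rotationPolicy: Always         # fresh key on every re-issuance
      renewBefore: 4h                  # renew 4h before expiry (default would be 1/3 of lifetime)
      subject:
        organizationalUnits:
          - platform                   # constructed
      secretTemplate:
        labels:
          team: platform               # copied to the Certificate’s Secret
```

The combination of a short `validity` and `rotationPolicy: Always` keeps both the certificate and its private key short-lived: each regeneration produces a new key pair rather than re-signing the old one. Note that `.spec.certificateTemplate.spec.duration` is left unset here so it does not compete with `.spec.validity`; the page does not describe how the two interact, so treat that as an assumption to verify against the operator’s behaviour.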

.status

object

KubeconfigStatus defines the observed state of Kubeconfig.