Kubeconfig
Kubeconfig CRD schema reference (group operator.kcp.io)
Version v1alpha1
Example CR
apiVersion: operator.kcp.io/v1alpha1
kind: Kubeconfig
metadata:
  labels:
    app.kubernetes.io/name: kcp-operator
    app.kubernetes.io/managed-by: kustomize
  name: kubeconfig-kcp-admin
spec:
  username: kcp-admin
  groups:
    - system:kcp:admin
  validity: 8766h
  secretRef:
    name: sample-kubeconfig
  target:
    frontProxyRef:
      name: frontproxy-sample
Properties
.apiVersion
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
.kind
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
.metadata
.spec
KubeconfigSpec defines the desired state of Kubeconfig.
.spec.certificateTemplate
CertificateTemplate allows customizing the properties of the certificate generated for this kubeconfig.
.spec.certificateTemplate.metadata
.spec.certificateTemplate.metadata.annotations
Annotations is a key value map to be copied to the target Certificate.
.spec.certificateTemplate.metadata.labels
Labels is a key value map to be copied to the target Certificate.
.spec.certificateTemplate.spec
.spec.certificateTemplate.spec.dnsNames
Requested DNS subject alternative names. The values given here will be merged into the DNS names determined automatically by the kcp-operator. If DNSNames is used together with IssuerRef, DNSNames will be used as-is and not merged. If IssuerRef is not set, DNSNames will be merged with the defaults. This avoids having to guess which DNS names the configured issuer might support.
.spec.certificateTemplate.spec.dnsNames[*]
.spec.certificateTemplate.spec.duration
Requested ‘duration’ (i.e. lifetime) of the Certificate. Note that the issuer may choose to ignore the requested duration, just like any other requested attribute.
If unset, this defaults to 90 days. Minimum accepted duration is 1 hour. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
.spec.certificateTemplate.spec.ipAddresses
Requested IP address subject alternative names. The values given here will be merged into the DNS names determined automatically by the kcp-operator.
.spec.certificateTemplate.spec.ipAddresses[*]
.spec.certificateTemplate.spec.issuerRef
IssuerRef is a reference to the issuer for this certificate.
.spec.certificateTemplate.spec.issuerRef.group
Group of the object being referred to.
.spec.certificateTemplate.spec.issuerRef.kind
Kind of the object being referred to.
.spec.certificateTemplate.spec.issuerRef.name
Name of the object being referred to.
.spec.certificateTemplate.spec.privateKey
Private key options. These include the key algorithm and size, the used encoding and the rotation policy.
.spec.certificateTemplate.spec.privateKey.algorithm
Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either RSA, ECDSA or Ed25519. If algorithm is specified and size is not provided, a key size of 2048 will be used for the RSA key algorithm and a key size of 256 will be used for the ECDSA key algorithm. Key size is ignored when using the Ed25519 key algorithm.
.spec.certificateTemplate.spec.privateKey.encoding
The Public Key Cryptography Standards (PKCS) encoding in which this certificate’s private key is to be encoded. If provided, allowed values are PKCS1 and PKCS8, standing for PKCS#1 and PKCS#8, respectively. Defaults to PKCS1 if not specified.
.spec.certificateTemplate.spec.privateKey.rotationPolicy
RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target spec.secretName. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is Never for backward compatibility.
.spec.certificateTemplate.spec.privateKey.size
Size is the key bit size of the corresponding private key for this certificate. If algorithm is set to RSA, valid values are 2048, 4096 or 8192, and will default to 2048 if not specified. If algorithm is set to ECDSA, valid values are 256, 384 or 521, and will default to 256 if not specified. If algorithm is set to Ed25519, Size is ignored. No other values are allowed.
.spec.certificateTemplate.spec.renewBefore
How long before the currently issued certificate’s expiry cert-manager should renew the certificate. For example, if a certificate is valid for 60 minutes, and renewBefore=10m, cert-manager will begin to attempt to renew the certificate 50 minutes after it was issued (i.e. when there are 10 minutes remaining until the certificate is no longer valid).
NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate.
If unset, this defaults to 1/3 of the issued certificate’s lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. Cannot be set if the renewBeforePercentage field is set.
.spec.certificateTemplate.spec.secretTemplate
Defines annotations and labels to be copied to the Certificate’s Secret. Labels and annotations on the Secret will be changed as they appear on the SecretTemplate when added or removed. SecretTemplate annotations are added in conjunction with, and cannot overwrite, the base set of annotations cert-manager sets on the Certificate’s Secret.
.spec.certificateTemplate.spec.secretTemplate.annotations
Annotations is a key value map to be copied to the target Kubernetes Secret.
.spec.certificateTemplate.spec.secretTemplate.labels
Labels is a key value map to be copied to the target Kubernetes Secret.
.spec.certificateTemplate.spec.subject
Requested set of X509 certificate subject attributes. More info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
.spec.certificateTemplate.spec.subject.countries
Countries to be used on the Certificate.
.spec.certificateTemplate.spec.subject.countries[*]
.spec.certificateTemplate.spec.subject.localities
Cities to be used on the Certificate.
.spec.certificateTemplate.spec.subject.localities[*]
.spec.certificateTemplate.spec.subject.organizationalUnits
Organizational Units to be used on the Certificate.
.spec.certificateTemplate.spec.subject.organizationalUnits[*]
.spec.certificateTemplate.spec.subject.organizations
Organizations to be used on the Certificate.
.spec.certificateTemplate.spec.subject.organizations[*]
.spec.certificateTemplate.spec.subject.postalCodes
Postal codes to be used on the Certificate.
.spec.certificateTemplate.spec.subject.postalCodes[*]
.spec.certificateTemplate.spec.subject.provinces
State/Provinces to be used on the Certificate.
.spec.certificateTemplate.spec.subject.provinces[*]
.spec.certificateTemplate.spec.subject.serialNumber
Serial number to be used on the Certificate.
.spec.certificateTemplate.spec.subject.streetAddresses
Street addresses to be used on the Certificate.
.spec.certificateTemplate.spec.subject.streetAddresses[*]
.spec.groups
Groups defines the groups embedded in the TLS certificate generated for this kubeconfig.
.spec.groups[*]
.spec.secretRef
SecretRef defines the v1.Secret object that the resulting kubeconfig should be written to.
.spec.secretRef.name
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
.spec.target
Target configures which kcp-operator object this kubeconfig should be generated for (shard or front-proxy).
.spec.target.frontProxyRef
LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
.spec.target.frontProxyRef.name
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
.spec.target.rootShardRef
LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
.spec.target.rootShardRef.name
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
.spec.target.shardRef
LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
.spec.target.shardRef.name
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
.spec.username
Username defines the username embedded in the TLS certificate generated for this kubeconfig.
.spec.validity
Validity configures the lifetime of the embedded TLS certificate. The kubeconfig secret will be automatically regenerated when the certificate expires.
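As an added example that is not part of the kcp-operator project, the following Go lint checks a Kubeconfig spec against the constraints stated above for spec.secretRef, spec.validity, spec.target and certificateTemplate.spec.privateKey before the object is applied. The KubeconfigSpec struct is illustrative rather than the operator's own type, and the rule that exactly one target reference must be set is an assumption drawn from the description of spec.target.

```go
package main

import (
	"fmt"
	"time"
)

// KubeconfigSpec is an illustrative struct (not the operator's type) holding
// the constrained fields of the Kubeconfig CRD described on this page.
type KubeconfigSpec struct {
	Validity                     string // spec.validity, a Go duration string such as "8766h"
	SecretName                   string // spec.secretRef.name
	FrontProxy, RootShard, Shard string // spec.target.{frontProxyRef,rootShardRef,shardRef}.name
	KeyAlgorithm                 string // certificateTemplate.spec.privateKey.algorithm ("" = unset)
	KeySize                      int    // certificateTemplate.spec.privateKey.size (0 = unset)
}

// allowedKeySizes mirrors the privateKey.size rules; 0 stands for "unset, use the default".
var allowedKeySizes = map[string]map[int]bool{
	"RSA":     {0: true, 2048: true, 4096: true, 8192: true}, // default 2048
	"ECDSA":   {0: true, 256: true, 384: true, 521: true},    // default 256
	"Ed25519": {},                                            // size is ignored
}

// Validate collects every violated constraint so a pre-apply lint can report them all at once.
func Validate(s KubeconfigSpec) []string {
	var errs []string
	if s.SecretName == "" {
		errs = append(errs, "spec.secretRef.name is empty: the generated kubeconfig has nowhere to be written")
	}
	if d, err := time.ParseDuration(s.Validity); err != nil || d <= 0 {
		errs = append(errs, "spec.validity must be a positive Go duration such as 8766h")
	}
	targets := 0
	for _, name := range []string{s.FrontProxy, s.RootShard, s.Shard} {
		if name != "" {
			targets++
		}
	}
	if targets != 1 { // assumption: exactly one target reference is meaningful
		errs = append(errs, fmt.Sprintf("spec.target must name exactly one of frontProxyRef, rootShardRef or shardRef (got %d)", targets))
	}
	// Ed25519 ignores size; RSA and ECDSA accept only the listed sizes or unset (0).
	if sizes, known := allowedKeySizes[s.KeyAlgorithm]; s.KeyAlgorithm != "" && (!known || (s.KeyAlgorithm != "Ed25519" && !sizes[s.KeySize])) {
		errs = append(errs, fmt.Sprintf("privateKey: algorithm %q with size %d is not allowed", s.KeyAlgorithm, s.KeySize))
	}
	return errs
}
```

Run against the Example CR above (validity 8766h, secretRef sample-kubeconfig, a single frontProxyRef) the lint returns no findings; a spec with a non-Go duration such as "1y", no secret name, two target references and RSA 1024 returns four.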
.status
KubeconfigStatus defines the observed state of Kubeconfig.
.status.conditions
.status.conditions[*]
Condition contains details for one aspect of the current state of this API Resource.
.status.conditions[*].lastTransitionTime
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
.status.conditions[*].message
message is a human readable message indicating details about the transition. This may be an empty string.
.status.conditions[*].observedGeneration
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
.status.conditions[*].reason
reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
.status.conditions[*].status
status of the condition, one of True, False, Unknown.
.status.conditions[*].type
type of condition in CamelCase or in foo.example.com/CamelCase.
.status.phase
Phase represents the current phase of kubeconfig lifecycle.
.status.targetName
TargetName represents the name of the target resource (RootShard, Shard, or FrontProxy).