Admin Domain

The Admin domain manages the foundational infrastructure of the Control Plane — environments, zones, and remote organizations (planned feature). These resources define where applications are deployed and how different cloud environments are connected.

This domain is typically managed by platform administrators, not application teams.

Custom Resources

Environment

Environment is the Schema for the environments API

Group: admin.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

EnvironmentSpec

Appears in: Environment

EnvironmentSpec defines the desired state of Environment

Field  Type    Default  Validation
foo    string           Optional

EnvironmentStatus

Appears in: Environment

EnvironmentStatus defines the observed state of Environment

Field       Type         Default  Validation
conditions  Condition[]           Optional

Condition

Appears in: EnvironmentStatus, RemoteOrganizationStatus, ZoneStatus

Field               Type     Default  Validation
lastTransitionTime  string            Required, Format: date-time
message             string            Required, maxLength: 32768
observedGeneration  integer           Optional, Format: int64, minimum: 0
reason              string            Required, minLength: 1, maxLength: 1024, pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
status              string            Required, Enum: True | False | Unknown
type                string            Required, maxLength: 316, pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$

RemoteOrganization

RemoteOrganization is the Schema for the remoteorganizations API

Group: admin.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

RemoteOrganizationSpec

Appears in: RemoteOrganization

RemoteOrganizationSpec defines the desired state of RemoteOrganization

Field         Type       Default  Validation
clientId      string              Required
clientSecret  string              Required
id            string              Required
issuerUrl     string              Required
url           string              Required
zone          ObjectRef           Required

ObjectRef

Appears in: RemoteOrganizationSpec, ZoneStatus

ObjectRef is a reference to a Kubernetes object. It is similar to types.NamespacedName but has the required json tags for serialization.

Field      Type    Default  Validation
name       string           Required
namespace  string           Required
uid        string           Optional

RemoteOrganizationStatus

Appears in: RemoteOrganization

RemoteOrganizationStatus defines the observed state of RemoteOrganization

Field       Type         Default  Validation
conditions  Condition[]           Optional
namespace   string                Required

Zone

Zone is the Schema for the zones API.

Group: admin.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

ZoneSpec

Appears in: Zone

ZoneSpec defines the desired state of Zone

Field               Type                 Default  Validation
externalIdPolicies  ExternalIdPolicy[]            Optional, maxItems: 16
gateway             Gateway                       Required
identityProvider    IdentityProvider              Required
managedRoutes       ManagedRoutesConfig           Optional
permissions         Permissions                   Optional
redis               Redis                         Required
visibility          string                        Required, Enum: World | Enterprise

ExternalIdPolicy

Appears in: ZoneSpec

ExternalIdPolicies configures, per identifier scheme, the format and presence requirements for externalIds on Rovers and Applications bound to this zone. Empty means no enforcement for any scheme.

Field     Type     Default  Validation
pattern   string            Required, minLength: 1
required  boolean  false    Required
scheme    string            Required, minLength: 1, maxLength: 32, pattern: ^[a-z][a-z0-9]*$
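How a zone's externalIdPolicies could be applied to a resource bound to that zone, as an added Go example (not the operator's own code). It assumes externalIds is a scheme-to-identifier map, since the Rover/Application shape is not documented here, and it anchors each policy pattern for a full match so that an unanchored pattern cannot be satisfied by a substring; the policy and identifier values are constructed samples.

```go
package main

import (
	"fmt"
	"regexp"
)

// ExternalIdPolicy mirrors one entry of ZoneSpec.externalIdPolicies.
type ExternalIdPolicy struct {
	Scheme   string
	Pattern  string
	Required bool
}

// ValidateExternalIds checks a resource's externalIds (assumed here to be a
// scheme -> identifier map) against a zone's policies. It returns one message
// per violation; an empty policy list enforces nothing, as the CRD doc states.
// A pattern that does not compile is reported as an error rather than ignored.
func ValidateExternalIds(policies []ExternalIdPolicy, externalIds map[string]string) ([]string, error) {
	var violations []string
	for _, p := range policies {
		// Full-match anchoring is this example's choice: "[0-9]{5}" must not
		// accept "x12345" just because a substring matches.
		re, err := regexp.Compile("^(?:" + p.Pattern + ")$")
		if err != nil {
			return nil, fmt.Errorf("scheme %q: invalid pattern %q: %w", p.Scheme, p.Pattern, err)
		}
		value, present := externalIds[p.Scheme]
		switch {
		case !present && p.Required:
			violations = append(violations, fmt.Sprintf("externalId for scheme %q is required", p.Scheme))
		case present && !re.MatchString(value):
			violations = append(violations, fmt.Sprintf("externalId %q for scheme %q does not match %q", value, p.Scheme, p.Pattern))
		}
	}
	return violations, nil
}
```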

Gateway

Appears in: ZoneSpec

Field           Type     Default  Validation
admin           Admin             Required
circuitBreaker  boolean           Required
url             string            Required

Admin

Appears in: Gateway

Field         Type    Default  Validation
clientSecret  string           Required
url           string           Optional

IdentityProvider

Appears in: ZoneSpec

Field           Type            Default  Validation
admin           ZoneAdmin                Required
secretRotation  SecretRotation           Optional
url             string                   Required

ZoneAdmin

Appears in: IdentityProvider

Field     Type    Default  Validation
clientId  string           Required
password  string           Required
url       string           Optional
userName  string           Required

SecretRotation

Appears in: IdentityProvider

SecretRotation contains the config for rotating secrets related to the default identity provider realm of this zone. If not set, secret rotation will be disabled.

Field                   Type                      Default  Validation
enabled                 boolean                            Required
expirationPeriod        string                             Required
gracePeriod             string                             Required
notificationThresholds  NotificationThresholds[]           Required, minItems: 1

NotificationThresholds

Appears in: SecretRotation

NotificationThresholds defines the schedule of reminder notifications before secret expiry. Each entry triggers a notification when the remaining time-to-expiry crosses that threshold. Only the tightest (smallest) matching threshold is evaluated per reconciliation cycle to avoid spamming. Example: [{before: "720h"}, {before: "168h", repeat: "24h"}] → single reminder at 30 days, then daily reminders starting at 7 days.

Field   Type    Default  Validation
before  string           Required
repeat  string           Optional
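The threshold selection described above, carried through in Go as an added example (not the operator's own reconciliation code). It takes the page's own thresholds ([{before: "720h"}, {before: "168h", repeat: "24h"}]), picks only the tightest threshold that the remaining time-to-expiry has crossed, and sends a one-shot reminder for entries without repeat and a recurring one for entries with it; the per-threshold "last sent" map is an assumed representation of the operator's state.

```go
package main

import (
	"fmt"
	"time"
)

// NotificationThreshold mirrors the CRD fields: before is required,
// repeat is optional (empty means "remind once").
type NotificationThreshold struct {
	Before string
	Repeat string
}

// ShouldNotify decides whether a reminder is due in this reconciliation cycle.
// remaining is the secret's time-to-expiry; lastSent records, per "before"
// value, when that threshold last fired (assumed state, not the operator's own).
// It returns the tightest matching threshold's "before" value and whether to notify.
func ShouldNotify(thresholds []NotificationThreshold, remaining time.Duration,
	now time.Time, lastSent map[string]time.Time) (string, bool, error) {
	var best *NotificationThreshold
	var bestBefore time.Duration
	for i := range thresholds {
		before, err := time.ParseDuration(thresholds[i].Before)
		if err != nil {
			return "", false, fmt.Errorf("before %q: %w", thresholds[i].Before, err)
		}
		if remaining > before {
			continue // this threshold has not been crossed yet
		}
		if best == nil || before < bestBefore { // keep only the smallest match
			best, bestBefore = &thresholds[i], before
		}
	}
	if best == nil {
		return "", false, nil // nothing crossed: no reminder this cycle
	}
	last, sent := lastSent[best.Before]
	if best.Repeat == "" {
		return best.Before, !sent, nil // one-shot reminder
	}
	repeat, err := time.ParseDuration(best.Repeat)
	if err != nil {
		return "", false, fmt.Errorf("repeat %q: %w", best.Repeat, err)
	}
	// Recurring reminder: fire the first time, then again once repeat has elapsed.
	return best.Before, !sent || now.Sub(last) >= repeat, nil
}
```

The caller is expected to record the returned threshold in lastSent whenever the function reports true, which is what keeps the 720h reminder from firing again on every cycle between day 30 and day 7.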

ManagedRoutesConfig

Appears in: ZoneSpec

ManagedRoutesConfig defines the configuration for managed routes in a zone. Managed routes are automatically created and managed by the system based on this configuration.

Field   Type      Default  Validation
routes  Routes[]           Optional

Routes

Appears in: ManagedRoutesConfig

Routes is the list of routes to be created for this zone. It may be used to create additional routes that are required for operating the zone.

Field  Type    Default  Validation
name   string           Required, pattern: ^[a-z0-9]+(-?[a-z0-9]+)*$
path   string           Required, pattern: ^/.*$
type   string           Required, Enum: TeamAPI | Proxy
url    string           Required, Format: uri

Permissions

Appears in: ZoneSpec

Permissions holds the configuration for the permission service integration.

Field        Type    Default  Validation
apiBasePath  string           Required, pattern: ^/.*
consoleUrl   string           Optional, Format: uri

Redis

Appears in: ZoneSpec

Field      Type     Default  Validation
enableTLS  boolean           Required
host       string            Required
password   string            Required
port       integer           Required

ZoneStatus

Appears in: Zone

ZoneStatus defines the observed state of Zone

Field                  Type         Default  Validation
conditions             Condition[]           Optional
features               Features[]            Optional
gateway                ObjectRef             Optional
gatewayClient          ObjectRef             Optional
gatewayConsumer        ObjectRef             Optional
gatewayRealm           ObjectRef             Optional
identityProvider       ObjectRef             Optional
identityRealm          ObjectRef             Optional
internalIdentityRealm  ObjectRef             Optional
links                  Links                 Optional
managedRoutes          ObjectRef[]           Optional
namespace              string                Optional
teamApiGatewayRealm    ObjectRef             Optional
teamApiIdentityRealm   ObjectRef             Optional

Features

Appears in: ZoneStatus

Features is a list of features that are enabled or disabled for this zone. This can be used to control the availability of certain features in the zone.

Field    Type     Default  Validation
enabled  boolean           Required
name     string            Required

Links

Appears in: ZoneStatus

Field             Type    Default  Validation
gatewayIssuer     string           Required, Format: uri
gatewayLmsIssuer  string           Optional, Format: uri
gatewayUrl        string           Required, Format: uri
permissionsUrl    string           Optional, Format: uri
teamApiIssuer     string           Optional, Format: uri

Domain Interactions

  • Gateway domain — Zones define which gateway instance is used. The Gateway operator reads the zone's gateway configuration when provisioning routes. Managed routes (TeamAPI and Proxy) are created directly by the zone handler on the appropriate gateway realm.
  • Identity domain — Zones define which identity provider is used. The Identity operator reads the zone's IDP configuration when provisioning clients and realms. The zone handler creates a default identity realm with token claims (originZone, originStargate, clientId) and a dedicated internal "rover" realm for admin-config clients.
  • Organization domain — Teams are created within environments. Zones determine where team resources are provisioned. If a zone has TeamAPI-type managed routes, a team-api identity realm and gateway realm are created for team-facing APIs.
  • Event domain — EventConfig resources reference zones for event routing and meshing.