Admin Domain

The Admin domain manages the foundational infrastructure of the Control Plane — environments, zones, and remote organizations (planned feature). These resources define where applications are deployed and how different cloud environments are connected.

This domain is typically managed by platform administrators, not application teams.

Custom Resources

Environment

Environment is the Schema for the environments API

Group: admin.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

EnvironmentSpec

Appears in: Environment

EnvironmentSpec defines the desired state of Environment

Field	Type	Default	Validation
`foo`	string	—	Optional

EnvironmentStatus

Appears in: Environment

EnvironmentStatus defines the observed state of Environment

Field	Type	Default	Validation
`conditions`	Condition[]	—	Optional

Condition

Appears in: EnvironmentStatus, RemoteOrganizationStatus, ZoneStatus

Field	Type	Default	Validation
`lastTransitionTime`	string	—	Required, Format: date-time
`message`	string	—	Required, maxLength: 32768
`observedGeneration`	integer	—	Optional, Format: int64, minimum: 0
`reason`	string	—	Required, minLength: 1, maxLength: 1024, pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
`status`	string	—	Required, Enum: True \\| False \\| Unknown
`type`	string	—	Required, maxLength: 316, pattern: ^([a-z0-9]([-a-z0-9][a-z0-9])?(\.[a-z0-9]([-a-z0-9][a-z0-9])?)/)?(([A-Za-z0-9][-A-Za-z0-9_.])?[A-Za-z0-9])$

RemoteOrganization

RemoteOrganization is the Schema for the remoteorganizations API

Group: admin.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

RemoteOrganizationSpec

Appears in: RemoteOrganization

RemoteOrganizationSpec defines the desired state of RemoteOrganization

Field	Type	Default	Validation
`clientId`	string	—	Required
`clientSecret`	string	—	Required
`id`	string	—	Required
`issuerUrl`	string	—	Required
`url`	string	—	Required
`zone`	ObjectRef	—	Required

ObjectRef

Appears in: RemoteOrganizationSpec, ZoneStatus

ObjectRef is a reference to a Kubernetes object It is similar to types.NamespacedName but has the required json tags for serialization

Field	Type	Default	Validation
`name`	string	—	Required
`namespace`	string	—	Required
`uid`	string	—	Optional

RemoteOrganizationStatus

Appears in: RemoteOrganization

RemoteOrganizationStatus defines the observed state of RemoteOrganization

Field	Type	Default	Validation
`conditions`	Condition[]	—	Optional
`namespace`	string	—	Required

Zone

Zone is the Schema for the zones API Group is the Schema for the groups API.

Group: admin.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

ZoneSpec

Appears in: Zone

ZoneSpec defines the desired state of Zone

Field	Type	Default	Validation
`externalIdPolicies`	ExternalIdPolicy[]	—	Optional, maxItems: 16
`gateway`	Gateway	—	Required
`identityProvider`	IdentityProvider	—	Required
`permissions`	Permissions	—	Optional
`redis`	Redis	—	Required
`teamApis`	TeamApis	—	Optional
`visibility`	string	—	Required, Enum: World \\| Enterprise

ExternalIdPolicy

Appears in: ZoneSpec

ExternalIdPolicies configures, per identifier scheme, the format and presence requirements for externalIds on Rovers and Applications bound to this zone. Empty means no enforcement for any scheme.

Field	Type	Default	Validation
`pattern`	string	—	Required, minLength: 1
`required`	boolean	`false`	Required
`scheme`	string	—	Required, minLength: 1, maxLength: 32, pattern: ^[a-z][a-z0-9]*$

Gateway

Appears in: ZoneSpec

Field	Type	Default	Validation
`admin`	Admin	—	Required
`circuitBreaker`	boolean	—	Required
`url`	string	—	Required

Admin

Appears in: Gateway

Field	Type	Default	Validation
`clientSecret`	string	—	Required
`url`	string	—	Optional

IdentityProvider

Appears in: ZoneSpec

Field	Type	Default	Validation
`admin`	ZoneAdmin	—	Required
`secretRotation`	SecretRotation	—	Optional
`url`	string	—	Required

ZoneAdmin

Appears in: IdentityProvider

Field	Type	Default	Validation
`clientId`	string	—	Required
`password`	string	—	Required
`url`	string	—	Optional
`userName`	string	—	Required

SecretRotation

Appears in: IdentityProvider

SecretRotation contains the config for rotating secrets related to the default identity provider realm of this zone. If not set, secret rotation will be disabled.

Field	Type	Default	Validation
`enabled`	boolean	—	Required
`expirationPeriod`	string	—	Required
`gracePeriod`	string	—	Required
`notificationThresholds`	NotificationThresholds[]	—	Required, minItems: 1

NotificationThresholds

Appears in: SecretRotation

NotificationThresholds defines the schedule of reminder notifications before secret expiry. Each entry triggers a notification when the remaining time-to-expiry crosses that threshold. Only the tightest (smallest) matching threshold is evaluated per reconciliation cycle to avoid spamming. Example: [{before: "720h"}, {before: "168h", repeat: "24h"}] → single reminder at 30 days, then daily reminders starting at 7 days.

Field	Type	Default	Validation
`before`	string	—	Required
`repeat`	string	—	Optional

Permissions

Appears in: ZoneSpec

Permissions configuration for permission service integration

Field	Type	Default	Validation
`apiBasePath`	string	—	Required, pattern: ^/.*
`consoleUrl`	string	—	Optional, Format: uri

Redis

Appears in: ZoneSpec

Field	Type	Default	Validation
`enableTLS`	boolean	—	Required
`host`	string	—	Required
`password`	string	—	Required
`port`	integer	—	Required

TeamApis

Appears in: ZoneSpec

Field	Type	Default	Validation
`apis`	Api[]	—	Required

Api

Appears in: TeamApis

Field	Type	Default	Validation
`name`	string	—	Required, pattern: ^[a-z0-9]+(-?[a-z0-9]+)*$
`path`	string	—	Required, pattern: ^/.*$
`url`	string	—	Required, Format: uri

ZoneStatus

Appears in: Zone

ZoneStatus defines the observed state of Zone

Field	Type	Default	Validation
`conditions`	Condition[]	—	Optional
`features`	Features[]	—	Optional
`gateway`	ObjectRef	—	Optional
`gatewayClient`	ObjectRef	—	Optional
`gatewayConsumer`	ObjectRef	—	Optional
`gatewayRealm`	ObjectRef	—	Optional
`identityProvider`	ObjectRef	—	Optional
`identityRealm`	ObjectRef	—	Optional
`links`	Links	—	Optional
`namespace`	string	—	Optional
`teamApiGatewayRealm`	ObjectRef	—	Optional
`teamApiIdentityRealm`	ObjectRef	—	Optional
`teamApiRoutes`	ObjectRef[]	—	Optional

Features

Appears in: ZoneStatus

Features is a list of features that are enabled or disabled for this zone. This can be used to control the availability of certain features in the zone

Field	Type	Default	Validation
`enabled`	boolean	—	Required
`name`	string	—	Required

Links

Appears in: ZoneStatus

Field	Type	Default	Validation
`gatewayIssuer`	string	—	Required, Format: uri
`gatewayLmsIssuer`	string	—	Optional, Format: uri
`gatewayUrl`	string	—	Required, Format: uri
`permissionsUrl`	string	—	Optional, Format: uri
`teamApiIssuer`	string	—	Optional, Format: uri

Domain Interactions

Gateway domain — Zones define which gateway instance is used. The Gateway operator reads the zone's gateway configuration when provisioning routes.
Identity domain — Zones define which identity provider is used. The Identity operator reads the zone's IDP configuration when provisioning clients and realms.
Organization domain — Teams are created within environments. Zones determine where team resources are provisioned.
Event domain — EventConfig resources reference zones for event routing and meshing.

Custom Resources​

Environment​

EnvironmentSpec​

EnvironmentStatus​

Condition​

RemoteOrganization​

RemoteOrganizationSpec​

ObjectRef​

RemoteOrganizationStatus​

Zone​

ZoneSpec​

ExternalIdPolicy​

Gateway​

Admin​

IdentityProvider​

ZoneAdmin​

SecretRotation​

NotificationThresholds​

Permissions​

Redis​

TeamApis​

Api​

ZoneStatus​

Features​

Links​

Domain Interactions​

Related Pages​

Custom Resources

Environment

EnvironmentSpec

EnvironmentStatus

Condition

RemoteOrganization

RemoteOrganizationSpec

ObjectRef

RemoteOrganizationStatus

Zone

ZoneSpec

ExternalIdPolicy

Gateway

Admin

IdentityProvider

ZoneAdmin

SecretRotation

NotificationThresholds

Permissions

Redis

TeamApis

Api

ZoneStatus

Features

Links

Domain Interactions

Related Pages