API Domain

The API domain manages the full lifecycle of APIs within the Control Plane — from registration through exposure to subscription. It acts as an abstraction layer above the Gateway domain, handling the business logic of who can access which APIs and under what conditions.

Custom Resources

Api

Api is the Schema for the apis API

Group: api.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

ApiSpec

Appears in: Api

ApiSpec defines the desired state of Api

Field	Type	Default	Validation
basePath	string	—	Required
category	string	—	Required
oauth2Scopes	string[]	—	Optional
version	string	—	Required
xVendor	boolean	—	Required

ApiStatus

Appears in: Api

ApiStatus defines the observed state of Api

Field	Type	Default	Validation
active	boolean	—	Required
conditions	Condition[]	—	Optional

Condition

Appears in: ApiStatus, ApiCategoryStatus, ApiExposureStatus, ApiSubscriptionStatus, RemoteApiSubscriptionStatus

Field	Type	Default	Validation
lastTransitionTime	string	—	Required, Format: date-time
message	string	—	Required, maxLength: 32768
observedGeneration	integer	—	Optional, Format: int64, minimum: 0
reason	string	—	Required, minLength: 1, maxLength: 1024, pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
status	string	—	Required, Enum: True \| False \| Unknown
type	string	—	Required, maxLength: 316, pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$

ApiCategory

ApiCategory is the Schema for the apicategories API

Group: api.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

ApiCategorySpec

Appears in: ApiCategory

spec defines the desired state of ApiCategory

Field	Type	Default	Validation
active	boolean	—	Optional
allowTeams	AllowTeams	—	Optional
description	string	—	Optional, maxLength: 256
labelValue	string	—	Required, minLength: 1, maxLength: 20
linting	Linting	—	Optional
mustHaveGroupPrefix	boolean	true	Optional

AllowTeams

Appears in: ApiCategorySpec

Field	Type	Default	Validation
categories	string[]	—	Optional
names	string[]	—	Optional

Linting

Appears in: ApiCategorySpec

Field	Type	Default	Validation
enabled	boolean	—	Optional
ruleset	string	—	Optional

ApiCategoryStatus

Appears in: ApiCategory

status defines the observed state of ApiCategory

Field	Type	Default	Validation
conditions	Condition[]	—	Optional

ApiExposure

ApiExposure is the Schema for the apiexposures API

Group: api.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

ApiExposureSpec

Appears in: ApiExposure

ApiExposureSpec defines the desired state of ApiExposure

Field	Type	Default	Validation
apiBasePath	string	—	Required
approval	Approval	—	Required
security	Security	—	Optional
traffic	Traffic	—	Required
transformation	Transformation	—	Optional
upstreams	Upstream[]	—	Required
visibility	string	—	Required, Enum: World \| Zone \| Enterprise
zone	Zone	—	Required

Approval

Appears in: ApiExposureSpec

Field	Type	Default	Validation
strategy	string	Auto	Required, Enum: Auto \| Simple \| FourEyes
trustedTeams	string[]	—	Optional, minItems: 0, maxItems: 10

Security

Appears in: ApiExposureSpec

Security defines the security configuration for the Rover Security is optional, but if provided, exactly one of m2m or h2m must be set

Field	Type	Default	Validation
m2m	M2M	—	Optional

M2M

Appears in: Security

M2M defines machine-to-machine authentication configuration

Field	Type	Default	Validation
basic	Basic	—	Optional
externalIDP	ExternalIDP	—	Optional
scopes	string[]	—	Optional, maxItems: 10

Basic

Appears in: M2M, ExternalIDP, ApiSubscriptionM2M

Basic defines basic authentication configuration

Field	Type	Default	Validation
password	string	—	Required, minLength: 1
username	string	—	Required, minLength: 1

ExternalIDP

Appears in: M2M

ExternalIDP defines external identity provider configuration

Field	Type	Default	Validation
basic	Basic	—	Optional
client	Client	—	Optional
grantType	string	—	Optional, Enum: client_credentials \| authorization_code \| password
tokenEndpoint	string	—	Required, Format: uri
tokenRequest	string	—	Optional, Enum: body \| header

Client

Appears in: ExternalIDP, ApiSubscriptionM2M

Client defines client credentials for the OAuth2 token request

Field	Type	Default	Validation
clientId	string	—	Required, minLength: 1
clientKey	string	—	Optional
clientSecret	string	—	Optional

Traffic

Appears in: ApiExposureSpec

Field	Type	Default	Validation
circuitBreaker	CircuitBreaker	—	Optional
failover	Failover	—	Optional
rateLimit	RateLimit	—	Optional

CircuitBreaker

Appears in: Traffic

CircuitBreaker defines the Kong circuit breaker configuration

Field	Type	Default	Validation
enabled	boolean	—	Optional

Failover

Appears in: Traffic, ApiSubscriptionTraffic

Failover defines the failover configuration for the API exposure.

Field	Type	Default	Validation
zone	Zone[]	—	Required

Zone

Appears in: Failover, ApiExposureSpec, ApiExposureStatus, Requestor, ApiSubscriptionSpec, ApiSubscriptionStatus, RemoteApiSubscriptionStatus

Zone is the zone to which the traffic should be failed over in case of an error.

Field	Type	Default	Validation
name	string	—	Required
namespace	string	—	Required
uid	string	—	Optional

RateLimit

Appears in: Traffic

RateLimit defines request rate limiting for this API

Field	Type	Default	Validation
provider	Provider	—	Optional
subscriberRateLimit	SubscriberRateLimit	—	Optional

Provider

Appears in: RateLimit

Provider defines request rate limiting for this API

Field	Type	Default	Validation
limits	Limits	—	Required
options	RateLimitOptions	—	Optional

Limits

Appears in: Provider, Default, Overrides

Limits defines the actual rate limit values for different time windows

Field	Type	Default	Validation
hour	integer	—	Optional, minimum: 0
minute	integer	—	Optional, minimum: 0
second	integer	—	Optional, minimum: 0

RateLimitOptions

Appears in: Provider

RateLimitOptions defines additional configuration options for rate limiting

Field	Type	Default	Validation
faultTolerant	boolean	true	Optional
hideClientHeaders	boolean	false	Optional

SubscriberRateLimit

Appears in: RateLimit

SubscriberRateLimit defines request rate limiting for this API per subscriber

Field	Type	Default	Validation
default	Default	—	Optional
overrides	Overrides[]	—	Optional, maxItems: 10

Default

Appears in: SubscriberRateLimit

Default defines the rate limit applied to all consumers not specifically overridden

Field	Type	Default	Validation
limits	Limits	—	Required

Overrides

Appears in: SubscriberRateLimit

Overrides defines consumer-specific rate limits, keyed by consumer identifier

Field	Type	Default	Validation
limits	Limits	—	Required
subscriber	string	—	Required, minLength: 1

Transformation

Appears in: ApiExposureSpec

Transformation defines request/response transformations for an API This is shared object for both subscriptions and exposures

Field	Type	Default	Validation
request	Request	—	Optional

Request

Appears in: Transformation

Request defines transformations applied to incoming API requests

Field	Type	Default	Validation
headers	Headers	—	Optional

Headers

Appears in: Request

Headers defines HTTP header modifications for requests

Field	Type	Default	Validation
add	string[]	—	Optional, minItems: 1, maxItems: 5
remove	string[]	—	Optional, minItems: 1, maxItems: 5

Upstream

Appears in: ApiExposureSpec

Field	Type	Default	Validation
url	string	—	Required
weight	integer	—	Optional

ApiExposureStatus

Appears in: ApiExposure

ApiExposureStatus defines the observed state of ApiExposure

Field	Type	Default	Validation
active	boolean	—	Required
conditions	Condition[]	—	Optional
failoverRoute	Zone	—	Optional
route	Zone	—	Optional

ApiSubscription

ApiSubscription is the Schema for the apisubscriptions API

Group: api.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

ApiSubscriptionSpec

Appears in: ApiSubscription

ApiSubscriptionSpec defines the desired state of ApiSubscription

Field	Type	Default	Validation
apiBasePath	string	—	Required
organization	string	—	Optional
requestor	Requestor	—	Required
security	SubscriberSecurity	—	Optional
traffic	ApiSubscriptionTraffic	—	Required
zone	Zone	—	Required

Requestor

Appears in: ApiSubscriptionSpec

Field	Type	Default	Validation
application	Zone	—	Required

SubscriberSecurity

Appears in: ApiSubscriptionSpec, RemoteApiSubscriptionSpec

SubscriberSecurity defines the security configuration for the Rover SubscriberSecurity is optional, but if provided, exactly one of m2m or h2m must be set

Field	Type	Default	Validation
m2m	ApiSubscriptionM2M	—	Optional

ApiSubscriptionM2M

Appears in: SubscriberSecurity

M2M defines machine-to-machine authentication configuration

Field	Type	Default	Validation
basic	Basic	—	Optional
client	Client	—	Optional
scopes	string[]	—	Optional, maxItems: 10

ApiSubscriptionTraffic

Appears in: ApiSubscriptionSpec

Field	Type	Default	Validation
failover	Failover	—	Optional

ApiSubscriptionStatus

Appears in: ApiSubscription

ApiSubscriptionStatus defines the observed state of ApiSubscription

Field	Type	Default	Validation
approval	Zone	—	Optional
approvalRequest	Zone	—	Optional
conditions	Condition[]	—	Optional
consumeRoute	Zone	—	Optional
failoverConsumeRoutes	Zone[]	—	Optional
failoverRoutes	Zone[]	—	Optional
remoteApiSubscription	Zone	—	Optional
route	Zone	—	Optional

RemoteApiSubscription

RemoteApiSubscription is the Schema for the remoteapisubscriptions API

Group: api.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

RemoteApiSubscriptionSpec

Appears in: RemoteApiSubscription

RemoteApiSubscriptionSpec defines the desired state of RemoteApiSubscription

Field	Type	Default	Validation
apiBasePath	string	—	Required
requester	Requester	—	Required
security	SubscriberSecurity	—	Optional
sourceOrganization	string	—	Optional
targetOrganization	string	—	Required

Requester

Appears in: RemoteApiSubscriptionSpec

Requester is the entity that is requesting the subscription

Field	Type	Default	Validation
application	string	—	Required
team	Team	—	Required

Team

Appears in: Requester

Team is the team that is requesting the subscription

Field	Type	Default	Validation
email	string	—	Required
name	string	—	Required

RemoteApiSubscriptionStatus

Appears in: RemoteApiSubscription

RemoteApiSubscriptionStatus defines the observed state of RemoteApiSubscription

Field	Type	Default	Validation
apiSubscription	Zone	—	Optional
application	Zone	—	Optional
approval	RemoteApiSubscriptionApproval	—	Optional
approvalRequest	RemoteApiSubscriptionApproval	—	Optional
conditions	Condition[]	—	Optional
gatewayUrl	string	—	Required
route	Zone	—	Optional

RemoteApiSubscriptionApproval

Appears in: RemoteApiSubscriptionStatus

Field	Type	Default	Validation
approvalState	string	—	Required
message	string	—	Required

Reconciliation Flow

Rover file applied
    │
    ├──▶ Api created (registered)
    ├──▶ ApiExposure created (gateway route configured)
    │
    └──▶ ApiSubscription created (by subscribing team)
            │
            ├──▶ Approval created (if strategy ≠ auto)
            ├──▶ Approval granted
            └──▶ Gateway ConsumeRoute created (access granted)

Domain Interactions

• Rover domain — Creates Api, ApiExposure, and ApiSubscription resources.
• Gateway domain — The API operator creates Route and ConsumeRoute resources on the gateway.
• Approval domain — Subscriptions trigger approval workflows.
• File Manager — OpenAPI specifications are stored and retrieved for API metadata.

Related Pages

• User Journey: Exposing APIs
• User Journey: Subscribing to APIs