Application Domain
The Application domain provides a Kubernetes-native abstraction for managing applications within the Control Plane. An Application logically groups together all the API exposures, subscriptions, and event configurations for a single service.
Custom Resources
Application
Application is the Schema for the applications API
Group: application.cp.ei.telekom.de · Version: v1 · Scope: Namespaced
ApplicationSpec
Appears in: Application
ApplicationSpec defines the desired state of Application
| Field | Type | Default | Validation |
|---|---|---|---|
externalIds | ExternalId[] | — | Optional, maxItems: 16 |
failoverZones | FailoverZone[] | — | Optional |
needsClient | boolean | true | Required |
needsConsumer | boolean | true | Required |
rotatedSecret | string | — | Optional |
secret | string | — | Required, minLength: 1 |
security | Security | — | Optional |
team | string | — | Required, minLength: 1, maxLength: 64 |
teamEmail | string | — | Required, Format: email, minLength: 1, maxLength: 64 |
zone | FailoverZone | — | Required |
ExternalId
Appears in: ApplicationSpec
ExternalIds carries business identifiers (e.g. PSI, ICTO) propagated from the owning Rover. Each entry is tagged with a scheme. Format and presence are validated per-zone via the zone's ExternalIdPolicies.
| Field | Type | Default | Validation |
|---|---|---|---|
id | string | — | Required, minLength: 1, maxLength: 128 |
scheme | string | — | Required, minLength: 1, maxLength: 32, pattern: ^[a-z][a-z0-9]*$ |
FailoverZone
Appears in: ApplicationSpec, ApplicationStatus, SentNotification
FailoverZones are the zones which can be used by the application in case of a failure in the primary zone
| Field | Type | Default | Validation |
|---|---|---|---|
name | string | — | Required |
namespace | string | — | Required |
uid | string | — | Optional |
Security
Appears in: ApplicationSpec
Security defines the security configuration for the application
| Field | Type | Default | Validation |
|---|---|---|---|
ipRestrictions | IpRestrictions | — | Optional |
IpRestrictions
Appears in: Security
| Field | Type | Default | Validation |
|---|---|---|---|
allow | string[] | — | Optional |
deny | string[] | — | Optional |
ApplicationStatus
Appears in: Application
ApplicationStatus defines the observed state of Application
| Field | Type | Default | Validation |
|---|---|---|---|
clientId | string | — | Required |
clientSecret | string | — | Required |
clients | FailoverZone[] | — | Optional |
conditions | Condition[] | — | Optional |
consumers | FailoverZone[] | — | Optional |
currentExpiresAt | string | — | Optional, Format: date-time |
rotatedClientSecret | string | — | Optional |
rotatedExpiresAt | string | — | Optional, Format: date-time |
sentNotifications | SentNotification[] | — | Optional |
Condition
Appears in: ApplicationStatus
| Field | Type | Default | Validation |
|---|---|---|---|
lastTransitionTime | string | — | Required, Format: date-time |
message | string | — | Required, maxLength: 32768 |
observedGeneration | integer | — | Optional, Format: int64, minimum: 0 |
reason | string | — | Required, minLength: 1, maxLength: 1024, pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ |
status | string | — | Required, Enum: True \| False \| Unknown |
type | string | — | Required, maxLength: 316, pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ |
SentNotification
Appears in: ApplicationStatus
SentNotifications tracks all reminder notifications that have been sent for this application's secret expiry, keyed by threshold. This is used to prevent duplicate notifications and to track repeat intervals.
| Field | Type | Default | Validation |
|---|---|---|---|
ref | FailoverZone | — | Required |
sentAt | string | — | Required, Format: date-time |
threshold | string | — | Required |
Provisioning
When an Application is created with needsClient: true and needsConsumer: true, the operator:
- Creates an Identity Client with the client ID
{team}--{application-name} - Creates a Gateway Consumer so the application can be identified at the API gateway
Secret Rotation
When graceful secret rotation is enabled for the zone, the Application operator manages the rotation lifecycle:
- Detects that a rotated (old) secret exists after a rotation is triggered
- Tracks the
SecretRotationcondition throughInProgress→Success - Sends notification emails at configured thresholds before expiry and upon completion
- Manages reminder state to avoid duplicate notifications
See Graceful Secret Rotation (User Guide) and Secret Rotation (Admin Guide) for details.
Domain Interactions
- Rover domain — Rover files create Application resources as part of the reconciliation process.
- Identity domain — The Application operator creates identity clients.
- Gateway domain — The Application operator creates gateway consumers.
- Secret Manager — Handles credential storage for application clients.